[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/

commit: 208e5e41e74d60e416bffac4e9e71906203c7484
Author: orbea  riseup  net>
AuthorDate: Fri Dec 29 14:24:27 2023 +
Commit: orbea  riseup  net>
CommitDate: Fri Dec 29 14:24:27 2023 +
URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=208e5e41

net-vpn/tor: add 0.4.7.16-r1

Signed-off-by: orbea  riseup.net>

 net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 +
 net-vpn/tor/tor-0.4.7.16-r1.ebuild | 170 +++
 2 files changed, 507 insertions(+)

diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch 
b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
new file mode 100644
index 000..2b473bf
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
@@ -0,0 +1,337 @@
+From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574
+Gentoo Bug: https://bugs.gentoo.org/920063
+From: Pierre Bourdon 
+Date: Sat, 30 Apr 2022 11:52:59 +0200
+Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64
+
+New glibc versions not sign-extending 32 bit negative constants seems to
+not be a thing on AArch64. I suspect that this might not be the only
+architecture where the sign-extensions is happening, and the correct fix
+might be instead to use a proper 32 bit comparison for the first openat
+parameter. For now, band-aid fix this so the sandbox can work again on
+AArch64.
+--- a/src/lib/sandbox/sandbox.c
 b/src/lib/sandbox/sandbox.c
+@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void)
+ static int
+ libc_negative_constant_needs_cast(void)
+ {
++#if defined(__aarch64__) && defined(__LP64__)
++  /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
++  return 0;
++#else
+   return is_libc_at_least(2, 27);
++#endif
+ }
+ 
+ /** Allow a single file to be opened.  If use_openat is true,
+-- 
+GitLab
+
+
+From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon 
+Date: Sat, 30 Apr 2022 13:02:16 +0200
+Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at
+ variant on Aarch64
+
+The chown/chmod/rename syscalls have never existed on AArch64, and libc
+implements the POSIX functions via the fchownat/fchmodat/renameat
+syscalls instead.
+
+Add new filter functions for fchownat/fchmodat/renameat, not made
+architecture specific since the syscalls exists everywhere else too.
+However, in order to limit seccomp filter space usage, we only insert
+rules for one of {chown, chown32, fchownat} depending on the
+architecture (resp. {chmod, fchmodat}, {rename, renameat}).
+--- a/src/lib/sandbox/sandbox.c
 b/src/lib/sandbox/sandbox.c
+@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+   return 0;
+ }
+ 
++static int
++sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) {
++smp_param_t *param = elem->param;
++
++if (param != NULL && param->prot == 1 && param->syscall
++== SCMP_SYS(fchmodat)) {
++  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
++  SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++  SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++  if (rc != 0) {
++log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
++"libseccomp error %d", rc);
++return rc;
++  }
++}
++  }
++
++  return 0;
++}
++
+ #ifdef __i386__
+ static int
+ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ }
+ #endif /* defined(__i386__) */
+ 
++static int
++sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) {
++smp_param_t *param = elem->param;
++
++if (param != NULL && param->prot == 1 && param->syscall
++== SCMP_SYS(fchownat)) {
++  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
++  SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++  SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++  if (rc != 0) {
++log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
++"libseccomp error %d", rc);
++return rc;
++  }
++}
++  }
++
++  return 0;
++}
++
+ /**
+  * Function responsible for setting up the rename syscall for
+  * the seccomp filter sandbox.
+@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+   return 0;
+ }
+ 
++/**
++ * Function responsible for setting up the renameat syscall for
++ * the seccomp filter sandbox.
++ */
++static int
++sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) 

[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/

commit: 5443c47ba7bbf6a875fd5e5e02ae93d1a3f20128
Author: orbea  riseup  net>
AuthorDate: Wed Apr 26 15:25:20 2023 +
Commit: orbea  riseup  net>
CommitDate: Wed Apr 26 15:25:32 2023 +
URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=5443c47b

net-vpn/tor: treeclean

Bug: https://bugs.gentoo.org/903001
Upstream-PR: https://github.com/gentoo/gentoo/pull/30622
Upstream-Commit: 
https://github.com/gentoo/gentoo/commit/93d2cce2f2111f1c219587443a1b676ce2ff561c
Signed-off-by: orbea  riseup.net>

 net-vpn/tor/Manifest |   3 -
 net-vpn/tor/files/README.gentoo  |   8 --
 net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch |  31 -
 net-vpn/tor/files/tor-0.4.6.7-libressl.patch | 123 
 net-vpn/tor/files/tor.confd  |   3 -
 net-vpn/tor/files/tor.initd-r9   |  37 --
 net-vpn/tor/files/tor.service|  38 ---
 net-vpn/tor/files/torrc-r2   |   7 --
 net-vpn/tor/metadata.xml |  17 ---
 net-vpn/tor/tor-0.4.7.13-r1.ebuild   | 138 ---
 10 files changed, 405 deletions(-)

diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
deleted file mode 100644
index 05ebc39..000
--- a/net-vpn/tor/Manifest
+++ /dev/null
@@ -1,3 +0,0 @@
-DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 
338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a
 SHA512 
0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
-DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 
339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee
 SHA512 
ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
-DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 
968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb
 SHA512 
eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc

diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
deleted file mode 100644
index 35214ac..000
--- a/net-vpn/tor/files/README.gentoo
+++ /dev/null
@@ -1,8 +0,0 @@
-We created a configuration file for tor, /etc/tor/torrc, but you can
-change it according to your needs.  Use the torrc.sample that is in
-that directory as a guide.  Also, to have privoxy work with tor
-just add the following line
-
-forward-socks4a / localhost:9050 .
-
-to /etc/privoxy/config.  Notice the . at the end!

diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch 
b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
deleted file mode 100644
index 5f9e258..000
--- a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 
tor-0.2.7.4-rc/src/config/torrc.sample.in
 tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 
11:12:53.0 -0400
-+++ tor-0.2.7.4-rc/src/config/torrc.sample.in  2015-10-21 21:18:49.151973113 
-0400
-@@ -12,6 +12,11 @@
- ## Tor will look for this file in various places based on your platform:
- ## https://www.torproject.org/docs/faq#torrc
- 
-+## Default username and group the server will run as
-+User tor
-+
-+PIDFile /run/tor/tor.pid
-+
- ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
- ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
- ## as a relay, and not make any local application connections yourself.
-@@ -42,6 +47,7 @@
- #Log notice syslog
- ## To send all messages to stderr:
- #Log debug stderr
-+Log warn syslog
- 
- ## Uncomment this to start the process in the background... or use
- ## --runasdaemon 1 on the command line. This is ignored on Windows;
-@@ -51,6 +57,7 @@
- ## The directory for keeping all the keys/etc. By default, we store
- ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
- #DataDirectory @LOCALSTATEDIR@/lib/tor
-+DataDirectory   /var/lib/tor/data
- 
- ## The port on which Tor will listen for local connections from Tor
- ## controller applications, as documented in control-spec.txt.

diff --git a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch 
b/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
deleted file mode 100644
index d481ae2..000
--- a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/tls/x509_openssl.c
 a/src/lib/tls/x509_openssl.c.orig
-+++ b/src/lib/tls/x509_openssl.c
-@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
-   cert_key = X509_get_pubkey(cert->cert);
-   if (check_rsa_1024 && 

[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/

commit: 47a88659300993df0096c720dd93d9bb914ea5d2
Author: orbea  riseup  net>
AuthorDate: Thu Mar 17 14:53:37 2022 +
Commit: Quentin Retornaz  retornaz  com>
CommitDate: Sat Mar 19 22:32:34 2022 +
URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=47a88659

net-vpn/tor: Added

Signed-off-by: orbea  riseup.net>
Closes: https://github.com/gentoo/libressl/pull/391
Signed-off-by: Quentin Retornaz  retornaz.com>

 net-vpn/tor/Manifest |   2 +
 net-vpn/tor/files/0.4.6.7-libressl.patch | 123 +++
 net-vpn/tor/files/README.gentoo  |   8 ++
 net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch |  31 ++
 net-vpn/tor/files/tor.confd  |   3 +
 net-vpn/tor/files/tor.initd-r9   |  37 +++
 net-vpn/tor/files/tor.service|  38 +++
 net-vpn/tor/files/torrc-r2   |   7 ++
 net-vpn/tor/metadata.xml |  13 +++
 net-vpn/tor/tor-0.4.6.7.ebuild   | 109 
 10 files changed, 371 insertions(+)

diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 000..e10ad5e
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,2 @@
+DIST tor-0.4.6.7.tar.gz 7790727 BLAKE2B 
da6b0fe0de6a334713cf881dece6ef5a932b0f4374a7dde1e1cb78b4b43944fd6156d84bd98c8be734a7cf81b99cb36187544028c3e4800d38d11d7286d19e12
 SHA512 
e5f9e235fc4b96f5e63e0bfa4ca412d0d11299a31cb77cae1c199b276d0dfbf3656657ddf910b22625dd49eb726d487666e80e8889db78c9edebbab0d80d9e03
+DIST tor-0.4.6.7.tar.gz.asc 833 BLAKE2B 
2054c094cc8ce28bfc8822fa6b0ac5a028b41c96160d135da53112c4fcb7ae048e8d48b58f164dd33c6c7dd851aaa71173b2aa36f70411fc7cc2b67d346ce00b
 SHA512 
d45caaa4795d05f1f1a558192c5eedff608c74be0ef933e0ff7a4f68123a109e38e7fe26222c66dfc8966a07f458eeadf77d7f4731d88389595b59413140e9a3

diff --git a/net-vpn/tor/files/0.4.6.7-libressl.patch 
b/net-vpn/tor/files/0.4.6.7-libressl.patch
new file mode 100644
index 000..d481ae2
--- /dev/null
+++ b/net-vpn/tor/files/0.4.6.7-libressl.patch
@@ -0,0 +1,123 @@
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/tls/x509_openssl.c
+--- a/src/lib/tls/x509_openssl.c.orig
 b/src/lib/tls/x509_openssl.c
+@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
+   cert_key = X509_get_pubkey(cert->cert);
+   if (check_rsa_1024 && cert_key) {
+ RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (rsa && RSA_bits(rsa) == 1024) {
+ #else
+ if (rsa && BN_num_bits(rsa->n) == 1024) {
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_rsa_openssl.c
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig
 b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -47,7 +47,7 @@ struct crypto_pk_t
+ int
+ crypto_pk_key_is_private(const crypto_pk_t *k)
+ {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+   if (!k || !k->key)
+ return 0;
+ 
+@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
+ 
+   const BIGNUM *e;
+ 
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+   const BIGNUM *n, *d;
+   RSA_get0_key(env->key, , , );
+ #else
+@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
+   const BIGNUM *a_n, *a_e;
+   const BIGNUM *b_n, *b_e;
+ 
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+   const BIGNUM *a_d, *b_d;
+   RSA_get0_key(a->key, _n, _e, _d);
+   RSA_get0_key(b->key, _n, _e, _d);
+@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
+   tor_assert(env);
+   tor_assert(env->key);
+ 
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+   /* It's so stupid that there's no other way to check that n is valid
+* before calling RSA_bits().
+*/
+@@ -572,7 +572,7 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+   const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+   n = RSA_get0_n(rsa);
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_dh_openssl.c
+--- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig
 b/src/lib/crypt_ops/crypto_dh_openssl.c
+@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
+   /* Copy into a temporary DH object, just so that DH_check() can be called. 
*/
+   if (!(dh = DH_new()))
+   goto out;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+   BIGNUM *dh_p, *dh_g;
+   if (!(dh_p = BN_dup(p)))
+ goto out;
+@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
+ goto err;
+   }
+ 
+-#ifdef OPENSSL_1_1_API
++#if