[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
commit: 208e5e41e74d60e416bffac4e9e71906203c7484 Author: orbea riseup net> AuthorDate: Fri Dec 29 14:24:27 2023 + Commit: orbea riseup net> CommitDate: Fri Dec 29 14:24:27 2023 + URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=208e5e41 net-vpn/tor: add 0.4.7.16-r1 Signed-off-by: orbea riseup.net> net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 + net-vpn/tor/tor-0.4.7.16-r1.ebuild | 170 +++ 2 files changed, 507 insertions(+)
diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
new file mode 100644
index 000..2b473bf
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
@@ -0,0 +1,337 @@
+From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574
+Gentoo Bug: https://bugs.gentoo.org/920063
+From: Pierre Bourdon
+Date: Sat, 30 Apr 2022 11:52:59 +0200
+Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64
+
+New glibc versions not sign-extending 32 bit negative constants seems to
+not be a thing on AArch64. I suspect that this might not be the only
+architecture where the sign-extensions is happening, and the correct fix
+might be instead to use a proper 32 bit comparison for the first openat
+parameter. For now, band-aid fix this so the sandbox can work again on
+AArch64.
+--- a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
+@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void)
+ static int
+ libc_negative_constant_needs_cast(void)
+ {
++#if defined(__aarch64__) && defined(__LP64__)
++ /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
++ return 0;
++#else
+ return is_libc_at_least(2, 27);
++#endif
+ }
+
+ /** Allow a single file to be opened. If use_openat is true,
+--
+GitLab
+
+
+From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon
+Date: Sat, 30 Apr 2022 13:02:16 +0200
+Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at
+ variant on Aarch64
+
+The chown/chmod/rename syscalls have never existed on AArch64, and libc
+implements the POSIX functions via the fchownat/fchmodat/renameat
+syscalls instead.
+
+Add new filter functions for fchownat/fchmodat/renameat, not made
+architecture specific since the syscalls exists everywhere else too.
+However, in order to limit seccomp filter space usage, we only insert
+rules for one of {chown, chown32, fchownat} depending on the
+architecture (resp. {chmod, fchmodat}, {rename, renameat}).
+--- a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
+@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ return 0;
+ }
+
++static int
++sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++ int rc;
++ sandbox_cfg_t *elem = NULL;
++
++ // for each dynamic parameter filters
++ for (elem = filter; elem != NULL; elem = elem->next) {
++smp_param_t *param = elem->param;
++
++if (param != NULL && param->prot == 1 && param->syscall
++== SCMP_SYS(fchmodat)) {
++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++ if (rc != 0) {
++log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
++"libseccomp error %d", rc);
++return rc;
++ }
++}
++ }
++
++ return 0;
++}
++
+ #ifdef __i386__
+ static int
+ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ }
+ #endif /* defined(__i386__) */
+
++static int
++sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++ int rc;
++ sandbox_cfg_t *elem = NULL;
++
++ // for each dynamic parameter filters
++ for (elem = filter; elem != NULL; elem = elem->next) {
++smp_param_t *param = elem->param;
++
++if (param != NULL && param->prot == 1 && param->syscall
++== SCMP_SYS(fchownat)) {
++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++ if (rc != 0) {
++log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
++"libseccomp error %d", rc);
++return rc;
++ }
++}
++ }
++
++ return 0;
++}
++
+ /**
+ * Function responsible for setting up the rename syscall for
+ * the seccomp filter sandbox.
+@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ return 0;
+ }
+
++/**
++ * Function responsible for setting up the renameat syscall for
++ * the seccomp filter sandbox.
+ */
+static int
+sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+{
+ int rc;
+ sandbox_cfg_t *elem = NULL;
+
+ // for each dynamic parameter filters
+ for (elem = filter; elem != NULL; elem = elem->next)
[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
commit: 5443c47ba7bbf6a875fd5e5e02ae93d1a3f20128 Author: orbea riseup net> AuthorDate: Wed Apr 26 15:25:20 2023 + Commit: orbea riseup net> CommitDate: Wed Apr 26 15:25:32 2023 + URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=5443c47b net-vpn/tor: treeclean Bug: https://bugs.gentoo.org/903001 Upstream-PR: https://github.com/gentoo/gentoo/pull/30622 Upstream-Commit: https://github.com/gentoo/gentoo/commit/93d2cce2f2111f1c219587443a1b676ce2ff561c Signed-off-by: orbea riseup.net> net-vpn/tor/Manifest | 3 - net-vpn/tor/files/README.gentoo | 8 -- net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch | 31 - net-vpn/tor/files/tor-0.4.6.7-libressl.patch | 123 net-vpn/tor/files/tor.confd | 3 - net-vpn/tor/files/tor.initd-r9 | 37 -- net-vpn/tor/files/tor.service| 38 --- net-vpn/tor/files/torrc-r2 | 7 -- net-vpn/tor/metadata.xml | 17 --- net-vpn/tor/tor-0.4.7.13-r1.ebuild | 138 --- 10 files changed, 405 deletions(-)
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
deleted file mode 100644
index 05ebc39..000
--- a/net-vpn/tor/Manifest
+++ /dev/null
@@ -1,3 +0,0 @@
-DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a SHA512 0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
-DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee SHA512 ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
-DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb SHA512 eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
deleted file mode 100644
index 35214ac..000
--- a/net-vpn/tor/files/README.gentoo
+++ /dev/null
@@ -1,8 +0,0 @@
-We created a configuration file for tor, /etc/tor/torrc, but you can
-change it according to your needs. Use the torrc.sample that is in
-that directory as a guide. Also, to have privoxy work with tor
-just add the following line
-
-forward-socks4a / localhost:9050 .
-
-to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
deleted file mode 100644
index 5f9e258..000
--- a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.0 -0400
-+++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
-@@ -12,6 +12,11 @@
- ## Tor will look for this file in various places based on your platform:
- ## https://www.torproject.org/docs/faq#torrc
-
-+## Default username and group the server will run as
-+User tor
-+
-+PIDFile /run/tor/tor.pid
-+
- ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
- ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
- ## as a relay, and not make any local application connections yourself.
-@@ -42,6 +47,7 @@
- #Log notice syslog
- ## To send all messages to stderr:
- #Log debug stderr
-+Log warn syslog
-
- ## Uncomment this to start the process in the background... or use
- ## --runasdaemon 1 on the command line. This is ignored on Windows;
-@@ -51,6 +57,7 @@
- ## The directory for keeping all the keys/etc. By default, we store
- ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
- #DataDirectory @LOCALSTATEDIR@/lib/tor
-+DataDirectory /var/lib/tor/data
-
- ## The port on which Tor will listen for local connections from Tor
- ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch b/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
deleted file mode 100644
index d481ae2..000
--- a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/tls/x509_openssl.c a/src/lib/tls/x509_openssl.c.orig
-+++ b/src/lib/tls/x509_openssl.c
-@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
- cert_key = X509_get_pubkey(cert->cert);
- if (check_rsa_1024 &&
[gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
commit: 47a88659300993df0096c720dd93d9bb914ea5d2 Author: orbea riseup net> AuthorDate: Thu Mar 17 14:53:37 2022 + Commit: Quentin Retornaz retornaz com> CommitDate: Sat Mar 19 22:32:34 2022 + URL:https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=47a88659 net-vpn/tor: Added Signed-off-by: orbea riseup.net> Closes: https://github.com/gentoo/libressl/pull/391 Signed-off-by: Quentin Retornaz retornaz.com> net-vpn/tor/Manifest | 2 + net-vpn/tor/files/0.4.6.7-libressl.patch | 123 +++ net-vpn/tor/files/README.gentoo | 8 ++ net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch | 31 ++ net-vpn/tor/files/tor.confd | 3 + net-vpn/tor/files/tor.initd-r9 | 37 +++ net-vpn/tor/files/tor.service| 38 +++ net-vpn/tor/files/torrc-r2 | 7 ++ net-vpn/tor/metadata.xml | 13 +++ net-vpn/tor/tor-0.4.6.7.ebuild | 109 10 files changed, 371 insertions(+)
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 000..e10ad5e
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,2 @@
+DIST tor-0.4.6.7.tar.gz 7790727 BLAKE2B da6b0fe0de6a334713cf881dece6ef5a932b0f4374a7dde1e1cb78b4b43944fd6156d84bd98c8be734a7cf81b99cb36187544028c3e4800d38d11d7286d19e12 SHA512 e5f9e235fc4b96f5e63e0bfa4ca412d0d11299a31cb77cae1c199b276d0dfbf3656657ddf910b22625dd49eb726d487666e80e8889db78c9edebbab0d80d9e03
+DIST tor-0.4.6.7.tar.gz.asc 833 BLAKE2B 2054c094cc8ce28bfc8822fa6b0ac5a028b41c96160d135da53112c4fcb7ae048e8d48b58f164dd33c6c7dd851aaa71173b2aa36f70411fc7cc2b67d346ce00b SHA512 d45caaa4795d05f1f1a558192c5eedff608c74be0ef933e0ff7a4f68123a109e38e7fe26222c66dfc8966a07f458eeadf77d7f4731d88389595b59413140e9a3
diff --git a/net-vpn/tor/files/0.4.6.7-libressl.patch b/net-vpn/tor/files/0.4.6.7-libressl.patch
new file mode 100644
index 000..d481ae2
--- /dev/null
+++ b/net-vpn/tor/files/0.4.6.7-libressl.patch
@@ -0,0 +1,123 @@
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/tls/x509_openssl.c
+--- a/src/lib/tls/x509_openssl.c.orig b/src/lib/tls/x509_openssl.c
+@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
+ cert_key = X509_get_pubkey(cert->cert);
+ if (check_rsa_1024 && cert_key) {
+ RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (rsa && RSA_bits(rsa) == 1024) {
+ #else
+ if (rsa && BN_num_bits(rsa->n) == 1024) {
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_rsa_openssl.c
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -47,7 +47,7 @@ struct crypto_pk_t
+ int
+ crypto_pk_key_is_private(const crypto_pk_t *k)
+ {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (!k || !k->key)
+ return 0;
+
+@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
+
+ const BIGNUM *e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *n, *d;
+ RSA_get0_key(env->key, , , );
+ #else
+@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
+ const BIGNUM *a_n, *a_e;
+ const BIGNUM *b_n, *b_e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *a_d, *b_d;
+ RSA_get0_key(a->key, _n, _e, _d);
+ RSA_get0_key(b->key, _n, _e, _d);
+@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
+ tor_assert(env);
+ tor_assert(env->key);
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* It's so stupid that there's no other way to check that n is valid
+* before calling RSA_bits().
+*/
+@@ -572,7 +572,7 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+ const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+ n = RSA_get0_n(rsa);
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_dh_openssl.c
+--- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig b/src/lib/crypt_ops/crypto_dh_openssl.c
+@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
+ /* Copy into a temporary DH object, just so that DH_check() can be called. */
+ if (!(dh = DH_new()))
+ goto out;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ BIGNUM *dh_p, *dh_g;
+ if (!(dh_p = BN_dup(p)))
+ goto out;
+@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
+ goto err;
+ }
+
+-#ifdef OPENSSL_1_1_API
++#if