commit:     4939c97f09d69cc8eb5c19b3d02e9dda03043499
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Thu Aug 31 23:30:20 2023 +0000
Commit:     orbea <orbea <AT> riseup <DOT> net>
CommitDate: Thu Aug 31 23:30:27 2023 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=4939c97f

net-vpn/tor: new package

Upstream-PR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/754
Signed-off-by: orbea <orbea <AT> riseup.net>

 net-vpn/tor/Manifest                             |  12 ++
 net-vpn/tor/files/README.gentoo                  |   8 +
 net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch |  31 ++++
 net-vpn/tor/files/tor-0.4.7.13-libressl.patch    | 202 +++++++++++++++++++++++
 net-vpn/tor/files/tor-0.4.7.13-opensslconf.patch |  55 ++++++
 net-vpn/tor/files/tor.confd                      |   3 +
 net-vpn/tor/files/tor.initd-r9                   |  37 +++++
 net-vpn/tor/files/tor.service                    |  38 +++++
 net-vpn/tor/files/torrc-r2                       |   7 +
 net-vpn/tor/metadata.xml                         |  17 ++
 net-vpn/tor/tor-0.4.7.13-r1.ebuild               | 150 +++++++++++++++++
 net-vpn/tor/tor-0.4.7.14.ebuild                  | 164 ++++++++++++++++++
 net-vpn/tor/tor-0.4.8.4.ebuild                   | 186 +++++++++++++++++++++
 net-vpn/tor/tor-0.4.8.5.ebuild                   | 186 +++++++++++++++++++++
 14 files changed, 1096 insertions(+)

diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 0000000..b419a4d
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,12 @@
+DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 
338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a
 SHA512 
0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
+DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 
339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee
 SHA512 
ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
+DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 
968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb
 SHA512 
eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc
+DIST tor-0.4.7.14.tar.gz 8220496 BLAKE2B 
909bf9bbff68179f4aa66a875cd42b1ecebe2767c1789f46c0cc9cb67eaeb6777d1f42d68caa89cfad424069f50953c57461d39edbd776dfed453226f6e2250f
 SHA512 
3c11ae3f765351122984675401dd7d2015914e15257a2308020937d394d6375bf532a080bb2c4274ac068484edcd688c24c2264e206a28ef3d4d1161eca15436
+DIST tor-0.4.7.14.tar.gz.sha256sum 86 BLAKE2B 
41e0ceb68f7de77dcd74b7c48b733e18f2a452d82e588425a1fb25c92017208dd5c2dca588d32910ca13a6366ae1d1f76f758b76bf217e8bdad37f24a63436f3
 SHA512 
cf54d1021948ca11e240e31c64942e15683eea3df043d26d3293f92fef08a09253cad56120c2198c5099fcb5ae5ce8fc0bbd864d3cab869c885cfdc2af014b36
+DIST tor-0.4.7.14.tar.gz.sha256sum.asc 1321 BLAKE2B 
0ed3a4ab5c119f097367c2f2b88bd4f688382a7922ddac62aae5e6c128f017aaf5863b2214198bd217d6266e2d3d04e0f7ab06201fa183bd93841e37bfebac2a
 SHA512 
61f56c43c043a1b83fcb0252e0b6fb2cca29e39eb5041ac0b6337560839851bcd515ab314bd25e25d77c51408228cf5f39e5065d928ab73ee5851b86c3d46162
+DIST tor-0.4.8.4.tar.gz 8288772 BLAKE2B 
e283d828fede259b1186b45214d466ff7ee79c835d68d0253537cd44b4dfdc4effe97ffb864d788eb0c65e7c09dc79673b1f191662c3641917a36af935cb9e7f
 SHA512 
a27380b3e0f33148fe86aa8815a9ff6476fe1531427990508d7cbe1770ddedbde56ac797674154a7ca590eb7ce08ebc56e0a4d84f9e27f6eaf1faf3a836faa8b
+DIST tor-0.4.8.4.tar.gz.sha256sum 85 BLAKE2B 
83a237b60e9a5217e61da9f12c53e2cdb59e329af88b255b74a6225cf4055d99fe3c2028aea519e496e4a3c4204fe2ea098899a31d91d21bc311fc2fc90f2f32
 SHA512 
34cdc256cf0e0907cea8eb4bb7b93c22750609241a3296cd229525193e4f429180bfafeee8ae08f992e4a56821dbc32ba7f58ee31abab274a4dac0730df0d42f
+DIST tor-0.4.8.4.tar.gz.sha256sum.asc 1321 BLAKE2B 
6771028385a9d13ff00314ac98b6b03a3ff532385157e5157869eeddd188e9a1a27ef9c233d40f666d3e7c5f9a8c801d4e9402ea4bbeb7260e88240a389d6fe9
 SHA512 
bd29b25c271ca8c11ffd3580e54218a1057053ed988e0c9b433365b4fedf718c0a4b6e6f183f280d7d06e2249a4a9440247346afad640b70d62c542131d62410
+DIST tor-0.4.8.5.tar.gz 8237202 BLAKE2B 
71a4807284ecefc4a18d6bc15ce798844304f860338b786590779fb171f851d630e8af3114dbc84fe854561e0085dcb147b4dd87787988a8fb6c3628bfcc8175
 SHA512 
37be85e4e707682c5234ec471cb18775b3681eae2293df9c1d1192157147e4f3a08f00c33b2fc9574bbfc4f8d3fa3f4063413bbfbc536832df4a258076632be1
+DIST tor-0.4.8.5.tar.gz.sha256sum 85 BLAKE2B 
eddb6cf660e9e5b0eef20477d4536a0063bf8dcd0da75238514e620a9f6046431d656d4492f3765f14ff99175525dc4ae5c66f7f5ed0e1f7efe69e8f3b2a9583
 SHA512 
bda3ebb7ae915519e3ef4f3465045abb14e1cc3322ce2c9813c1189bcc33ef45f9aeecfd59bfb13cbb07e5dfd56fc7794f6fcaf18b752c8207d0e70934cc1e11
+DIST tor-0.4.8.5.tar.gz.sha256sum.asc 716 BLAKE2B 
5748744112694c1d7cd2b6e622f9469308595422cd44a1142985880e32b3a5cadfe7410b2c1b5bc59a001fb3d086246a76074314b53eb0ae38e37ea4736f66c5
 SHA512 
55cf2c7fc92d33afc4f569a0c27fb187d757d441b706e2562a3da6eb6032498e24450199927bcddcfaa697f7e2273dd2f4a047ef35ea3e53287ae4208432bdf9

diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 0000000..35214ac
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs.  Use the torrc.sample that is in
+that directory as a guide.  Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config.  Notice the . at the end!

diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch 
b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 0000000..5f9e258
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 
tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in     2015-10-19 
11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in  2015-10-21 21:18:49.151973113 
-0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+ 
++## Default username and group the server will run as
++User tor
++
++PIDFile /run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+ 
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory   /var/lib/tor/data
+ 
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.

diff --git a/net-vpn/tor/files/tor-0.4.7.13-libressl.patch 
b/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
new file mode 100644
index 0000000..bba0c45
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
@@ -0,0 +1,202 @@
+Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/598
+Upstream-Commit: 
https://gitlab.torproject.org/tpo/core/tor/-/commit/da52d7206a4a8e4fa8b5e80b5ed73de50fbe8692
+Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/713
+Upstream-Commit: 
https://gitlab.torproject.org/tpo/core/tor/-/commit/9850dc59c0db5cbcadc314be8d324a992880fce1
+
+From f3dabd705f26c56076934323f24b5b05ecdfd39c Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <[email protected]>
+Date: Tue, 5 Jul 2022 11:37:30 -0400
+Subject: [PATCH 1/2] LibreSSL 3.5 compatibility
+
+LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to
+https://undeadly.org/cgi?action=article;sid=20220116121253, this is the
+intention of OpenBSD developers.
+
+According to #40630, many special cases are needed to compile Tor against
+LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a
+small number of #defines are required when using OpenSSL 1.1 compatibility
+mode. One additional workaround is required for LibreSSL 3.4 compatibility.
+
+Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1.
+---
+ configure.ac                           |  2 +-
+ src/lib/crypt_ops/compat_openssl.h     | 22 +++++++++++++---------
+ src/lib/crypt_ops/crypto_openssl_mgt.h |  3 +--
+ src/lib/crypt_ops/crypto_rsa_openssl.c |  8 +++++---
+ 4 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8baae007cf..6ab7903010 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1022,7 +1022,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ AC_MSG_CHECKING([for OpenSSL < 1.0.1])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <openssl/opensslv.h>
+-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
++#if OPENSSL_VERSION_NUMBER < 0x1000100fL
+ #error "too old"
+ #endif
+    ]], [[]])],
+diff --git a/src/lib/crypt_ops/compat_openssl.h 
b/src/lib/crypt_ops/compat_openssl.h
+index 0f56f338b5..c5eccdb015 100644
+--- a/src/lib/crypt_ops/compat_openssl.h
++++ b/src/lib/crypt_ops/compat_openssl.h
+@@ -20,32 +20,36 @@
+  * \brief compatibility definitions for working with different openssl forks
+  **/
+ 
+-#if !defined(LIBRESSL_VERSION_NUMBER) && \
+-  OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
++#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
+ #error "We require OpenSSL >= 1.0.1"
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \
+-   ! defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
+ /* We define this macro if we're trying to build with the majorly refactored
+  * API in OpenSSL 1.1 */
+ #define OPENSSL_1_1_API
+ #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
+ 
+-#ifndef OPENSSL_1_1_API
+-#define OpenSSL_version(v) SSLeay_version(v)
+-#define tor_OpenSSL_version_num() SSLeay()
++/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */
++#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ #define RAND_OpenSSL() RAND_SSLeay()
+ #define STATE_IS_SW_SERVER_HELLO(st)       \
+   (((st) == SSL3_ST_SW_SRVR_HELLO_A) ||    \
+    ((st) == SSL3_ST_SW_SRVR_HELLO_B))
+ #define OSSL_HANDSHAKE_STATE int
+ #define CONST_IF_OPENSSL_1_1_API
+-#else /* defined(OPENSSL_1_1_API) */
+-#define tor_OpenSSL_version_num() OpenSSL_version_num()
++#else
+ #define STATE_IS_SW_SERVER_HELLO(st) \
+   ((st) == TLS_ST_SW_SRVR_HELLO)
+ #define CONST_IF_OPENSSL_1_1_API const
++#endif
++
++/* OpenSSL 1.1 and LibreSSL both have these APIs */
++#ifndef OPENSSL_1_1_API
++#define OpenSSL_version(v) SSLeay_version(v)
++#define tor_OpenSSL_version_num() SSLeay()
++#else /* defined(OPENSSL_1_1_API) */
++#define tor_OpenSSL_version_num() OpenSSL_version_num()
+ #endif /* !defined(OPENSSL_1_1_API) */
+ 
+ #endif /* defined(ENABLE_OPENSSL) */
+diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h 
b/src/lib/crypt_ops/crypto_openssl_mgt.h
+index c6f63ffa08..96a37721dd 100644
+--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
++++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
+@@ -54,8 +54,7 @@
+ #define DISABLE_ENGINES
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \
+-  !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
+ /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require
+  * setting up various callbacks.
+  *
+diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c 
b/src/lib/crypt_ops/crypto_rsa_openssl.c
+index a21c4a65cf..544d72e6ca 100644
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c
++++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -572,7 +572,9 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+   const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) && \
++    (!defined(LIBRESSL_VERSION_NUMBER) || \
++     LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))
+ 
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+   n = RSA_get0_n(rsa);
+@@ -591,7 +593,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ 
+   if (RSA_bits(rsa) > max_bits)
+     return true;
+-#else /* !defined(OPENSSL_1_1_API) */
++#else /* !defined(OPENSSL_1_1_API) && ... */
+   n = rsa->n;
+   e = rsa->e;
+   p = rsa->p;
+@@ -600,7 +602,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
+   dmp1 = rsa->dmp1;
+   dmq1 = rsa->dmq1;
+   iqmp = rsa->iqmp;
+-#endif /* defined(OPENSSL_1_1_API) */
++#endif /* defined(OPENSSL_1_1_API) && ... */
+ 
+   if (n && BN_num_bits(n) > max_bits)
+     return true;
+-- 
+GitLab
+
+
+From b1545b6d18fbef6c790e2731a814fa54230d8857 Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <[email protected]>
+Date: Tue, 19 Jul 2022 16:18:29 -0400
+Subject: [PATCH 2/2] Changes file for #40630 (LibreSSL 3.5 compatibility)
+
+---
+ changes/issue40630 | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 changes/issue40630
+
+diff --git a/changes/issue40630 b/changes/issue40630
+new file mode 100644
+index 0000000000..faf04941b6
+--- /dev/null
++++ b/changes/issue40630
+@@ -0,0 +1,3 @@
++  o Minor features (portability, compilation):
++    - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility.
++      Fixes issue 40630; patch by Alex Xu (Hello71).
+-- 
+GitLab
+
+From 9850dc59c0db5cbcadc314be8d324a992880fce1 Mon Sep 17 00:00:00 2001
+From: orbea <[email protected]>
+Date: Mon, 29 May 2023 12:56:37 -0700
+Subject: [PATCH] tls: Disable a warning with LibreSSL >= 3.8.0
+
+Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
+3.8.
+
+Based on a patch from OpenBSD.
+
+https://github.com/openbsd/ports/commit/33fe251a08cb11f30ce6094a2e0759c3bb63ed16
+
+These functions are deprecated since OpenSSL 3.0.
+
+https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
+---
+ src/lib/tls/tortls_openssl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
+index 12260c09d3..c0a89ac272 100644
+--- a/src/lib/tls/tortls_openssl.c
++++ b/src/lib/tls/tortls_openssl.c
+@@ -340,8 +340,10 @@ tor_tls_init(void)
+     SSL_load_error_strings();
+ #endif /* defined(OPENSSL_1_1_API) */
+ 
+-#if (SIZEOF_VOID_P >= 8 &&                              \
+-     OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
++#if (SIZEOF_VOID_P >= 8 &&                                \
++     OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
++     (!defined(LIBRESSL_VERSION_NUMBER) ||                \
++      LIBRESSL_VERSION_NUMBER < 0x3080000fL))
+     long version = tor_OpenSSL_version_num();
+ 
+     /* LCOV_EXCL_START : we can't test these lines on the same machine */
+-- 
+GitLab
+
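Review bot: The provenance header of tor-0.4.7.13-libressl.patch does not line up with the patches bundled below it: it names Upstream-Commit da52d7206a4a for MR 598, while the two embedded mails carry From hashes f3dabd705f26 and b1545b6d18fb, and only the third patch (9850dc59c0db) matches its header line. Presumably da52d720 is the merge commit of the first two, but that cannot be confirmed from this file. A header line such as `Upstream-Commit: <merge commit> (merges f3dabd705f26, b1545b6d18fb)` would let a later reviewer diff this bundled copy against upstream without guessing. As a smaller style point, the tor_tls_init guard spells the LibreSSL 3.8 cut-off as the literal `0x3080000fL`, while the rsa_private_key_too_long guard in the same file uses `OPENSSL_V_SERIES(3,5,0)`; this is upstream code, so it is only worth noting if the patch is refreshed.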

diff --git a/net-vpn/tor/files/tor-0.4.7.13-opensslconf.patch 
b/net-vpn/tor/files/tor-0.4.7.13-opensslconf.patch
new file mode 100644
index 0000000..a92c9a3
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.13-opensslconf.patch
@@ -0,0 +1,55 @@
+https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/754
+
+From 48f8d6918977673125d53a85d19d709136106739 Mon Sep 17 00:00:00 2001
+From: orbea <[email protected]>
+Date: Thu, 31 Aug 2023 14:35:52 -0700
+Subject: [PATCH] crypt_openssl_mgt: define DISABLE_ENGINES after
+ OPENSSL_NO_ENGINE
+
+With LibreSSL-3.8.1 these engines are no long available causing a build
+failure, but LibreSSL correctly defines OPENSSL_NO_ENGINE as part of its
+opensslfeatures.h. However Tor includes crypto_openssl_mgt.h before any
+of the openssl includes which would define OPENSSL_NO_ENGINE and then
+fails to define DISABLE_ENGINES.
+
+As the define is used in only a single .c file it is best to move it
+there.
+
+Signed-off-by: orbea <[email protected]>
+---
+ src/lib/crypt_ops/crypto_openssl_mgt.c | 5 +++++
+ src/lib/crypt_ops/crypto_openssl_mgt.h | 5 -----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.c 
b/src/lib/crypt_ops/crypto_openssl_mgt.c
+index 6c01cb6aa8..ca12a82518 100644
+--- a/src/lib/crypt_ops/crypto_openssl_mgt.c
++++ b/src/lib/crypt_ops/crypto_openssl_mgt.c
+@@ -40,6 +40,11 @@ ENABLE_GCC_WARNING("-Wredundant-decls")
+ 
+ #include <string.h>
+ 
++#ifdef OPENSSL_NO_ENGINE
++/* Android's OpenSSL seems to have removed all of its Engine support. */
++#define DISABLE_ENGINES
++#endif
++
+ #ifndef NEW_THREAD_API
+ /** A number of preallocated mutexes for use by OpenSSL. */
+ static tor_mutex_t **openssl_mutexes_ = NULL;
+diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h 
b/src/lib/crypt_ops/crypto_openssl_mgt.h
+index 96a37721dd..eac0ec1977 100644
+--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
++++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
+@@ -49,11 +49,6 @@
+ #define OPENSSL_V_SERIES(a,b,c) \
+   OPENSSL_VER((a),(b),(c),0,0)
+ 
+-#ifdef OPENSSL_NO_ENGINE
+-/* Android's OpenSSL seems to have removed all of its Engine support. */
+-#define DISABLE_ENGINES
+-#endif
+-
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
+ /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require
+  * setting up various callbacks.
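Review bot: The comment moved along with the `#ifdef OPENSSL_NO_ENGINE` block into crypto_openssl_mgt.c still gives Android as the only reason, and nothing records that the block now depends on sitting below the OpenSSL includes. Per the patch description the macro comes from LibreSSL's opensslfeatures.h, so a later include reshuffle would bring the build failure back without any hint why. I would reword it as `/* Must stay below the OpenSSL includes, which define OPENSSL_NO_ENGINE (Android's OpenSSL, LibreSSL >= 3.8.1). */`. The hunk shows only the string.h include above the new block, so both the include order and the description's claim that DISABLE_ENGINES is used in a single .c file need checking against the full tree.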

diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 0000000..4195bf3
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"

diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
new file mode 100644
index 0000000..c1639c2
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r9
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+       ${command} --verify-config --hush > /dev/null 2>&1
+       if [ $? -ne 0 ] ; then
+               eerror "Tor configuration (/etc/tor/torrc) is not valid."
+               eerror "Example is in /etc/tor/torrc.sample"
+               return 1
+       fi
+}
+
+start_pre() {
+       checkconfig || return 1
+       checkpath -d -m 0755 -o tor:tor /run/tor
+}
+
+reload() {
+       checkconfig || return 1
+       ebegin "Reloading Tor configuration"
+       start-stop-daemon -s HUP --pidfile ${pidfile}
+       eend $?
+}
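Review bot: `checkconfig` discards everything `--verify-config` prints, so when `start_pre` or `reload` refuses to proceed the operator gets only the two generic eerror lines and not the torrc option that was rejected. Adding a third line such as `eerror "Run '${command} --verify-config' to see the rejected option."` keeps the quiet success path and tells the admin how to get the diagnostic. In `reload`, the pidfile expansion is unquoted while `command_args` quotes it; `start-stop-daemon -s HUP --pidfile "${pidfile}"` would be consistent.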

diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 0000000..1663824
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
@@ -0,0 +1,38 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service.  You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow.  Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+Group=tor
+RuntimeDirectory=tor
+RuntimeDirectoryMode=0770
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
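Review bot: The Hardening block sets `Group=tor` but no `User=`, so `ExecStartPre` and `ExecStart` both start as root and the drop to the tor account happens only through the `User tor` line in /etc/tor/torrc (torrc-r2 in this commit). An admin who removes or comments out that line ends up with a root daemon limited only by `CapabilityBoundingSet` and the filesystem directives. That dependency deserves a comment next to `Group=tor`, for example `# No User= on purpose: tor starts as root and drops to the account named by "User" in torrc; keep that option set.` `NotifyAccess=all` also accepts notifications from every process in the unit's control group; if only the main tor process sends them, `NotifyAccess=main` would be the narrower setting, to be confirmed against how tor sends its watchdog pings.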

diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
new file mode 100644
index 0000000..b308104
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r2
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data

diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 0000000..fcc4644
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+       <maintainer type="person">
+               <email>[email protected]</email>
+               <name>John Helmert III</name>
+       </maintainer>
+       <maintainer type="person">
+               <email>[email protected]</email>
+               <name>Sam James</name>
+       </maintainer>
+       <use>
+               <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the 
scrypt algorithm</flag>
+               <flag name="server">Enable tor's relay module so it can operate 
as a relay/bridge/authority</flag>
+               <flag name="tor-hardening">Compile tor with hardening on 
vanilla compilers/linkers</flag>
+       </use>
+</pkgmetadata>

diff --git a/net-vpn/tor/tor-0.4.7.13-r1.ebuild 
b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
new file mode 100644
index 0000000..e8765e1
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
@@ -0,0 +1,150 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
+inherit autotools python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ 
https://gitlab.torproject.org/tpo/core/tor/";
+SRC_URI="
+       https://www.torproject.org/dist/${MY_PF}.tar.gz
+       https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+       verify-sig? (
+               https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+               https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+       )
+"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+       KEYWORDS="amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86 
~ppc-macos"
+fi
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening 
test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       >=dev-libs/libevent-2.1.12-r1:=[ssl]
+       sys-libs/zlib
+       caps? ( sys-libs/libcap )
+       man? ( app-text/asciidoc )
+       dev-libs/openssl:=[-bindist(-)]
+       lzma? ( app-arch/xz-utils )
+       scrypt? ( app-crypt/libscrypt )
+       seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+       systemd? ( sys-apps/systemd )
+       zstd? ( app-arch/zstd )
+"
+RDEPEND="
+       acct-user/tor
+       acct-group/tor
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+       test? (
+               ${DEPEND}
+               ${PYTHON_DEPS}
+       )
+"
+BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20221213 )"
+
+DOCS=()
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+       if use verify-sig; then
+               cd "${DISTDIR}" || die
+               verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+               verify-sig_verify_unsigned_checksums \
+                       ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+               cd "${WORKDIR}" || die
+       fi
+
+       default
+}
+
+src_prepare() {
+       default
+
+       # Running shellcheck automagically isn't useful for ebuild testing.
+       echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+       # Only needed for libressl patch
+       eautoreconf
+}
+
+src_configure() {
+       use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+       export ac_cv_lib_cap_cap_init=$(usex caps)
+       export tor_cv_PYTHON="${EPYTHON}"
+
+       local myeconfargs=(
+               --localstatedir="${EPREFIX}/var"
+               --disable-all-bugs-are-fatal
+               --enable-system-torrc
+               --disable-android
+               --disable-coverage
+               --disable-html-manual
+               --disable-libfuzzer
+               --enable-missing-doc-warnings
+               --disable-module-dirauth
+               --enable-pic
+               --disable-restart-debugging
+
+               # This option is enabled by default upstream w/ zstd, 
surprisingly.
+               # zstd upstream says this shouldn't be relied upon and it may
+               # break API & ABI at any point, so Tor tries to fake 
static-linking
+               # to make it work, but then requires a rebuild on any new zstd 
version
+               # even when its standard ABI hasn't changed.
+               # See bug #727406 and bug #905708.
+               --disable-zstd-advanced-apis
+
+               $(use_enable man asciidoc)
+               $(use_enable man manpage)
+               $(use_enable lzma)
+               $(use_enable scrypt libscrypt)
+               $(use_enable seccomp)
+               $(use_enable server module-relay)
+               $(use_enable systemd)
+               $(use_enable tor-hardening gcc-hardening)
+               $(use_enable tor-hardening linker-hardening)
+               $(use_enable test unittests)
+               $(use_enable zstd)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+src_install() {
+       default
+       readme.gentoo_create_doc
+
+       newconfd "${FILESDIR}"/tor.confd tor
+       newinitd "${FILESDIR}"/tor.initd-r9 tor
+       systemd_dounit "${FILESDIR}"/tor.service
+
+       keepdir /var/lib/tor
+
+       fperms 750 /var/lib/tor
+       fowners tor:tor /var/lib/tor
+
+       insinto /etc/tor/
+       newins "${FILESDIR}"/torrc-r2 torrc
+}
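Review bot: `tor-hardening` is listed in IUSE without a `+`, so `$(use_enable tor-hardening gcc-hardening)` and `$(use_enable tor-hardening linker-hardening)` in src_configure pass the `--disable-` form on a default install, and the build then relies entirely on whatever the toolchain enables by itself. The metadata.xml description ("hardening on vanilla compilers/linkers") suggests this is deliberate, but the ebuild does not say so. A comment above the two lines would settle it, e.g. `# Off by default: only needed on vanilla toolchains, see metadata.xml.`; if it is not deliberate, the alternative is `+tor-hardening` in IUSE. The same two lines appear in tor-0.4.7.14.ebuild.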

diff --git a/net-vpn/tor/tor-0.4.7.14.ebuild b/net-vpn/tor/tor-0.4.7.14.ebuild
new file mode 100644
index 0000000..2eae9e1
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.7.14.ebuild
@@ -0,0 +1,164 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
+inherit python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ 
https://gitlab.torproject.org/tpo/core/tor/";
+
+if [[ ${PV} == 9999 ]] ; then
+       EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor";
+       inherit autotools git-r3
+else
+       SRC_URI="
+               https://www.torproject.org/dist/${MY_PF}.tar.gz
+               
https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+               verify-sig? (
+                       https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+                       
https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+               )
+       "
+
+       S="${WORKDIR}/${MY_PF}"
+
+       if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+               KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv 
~sparc ~x86 ~ppc-macos"
+       fi
+
+       BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening 
test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       >=dev-libs/libevent-2.1.12-r1:=[ssl]
+       sys-libs/zlib
+       caps? ( sys-libs/libcap )
+       man? ( app-text/asciidoc )
+       dev-libs/openssl:=[-bindist(-)]
+       lzma? ( app-arch/xz-utils )
+       scrypt? ( app-crypt/libscrypt )
+       seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+       systemd? ( sys-apps/systemd )
+       zstd? ( app-arch/zstd )
+"
+RDEPEND="
+       acct-user/tor
+       acct-group/tor
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+       test? (
+               ${DEPEND}
+               ${PYTHON_DEPS}
+       )
+"
+
+DOCS=()
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+       if [[ ${PV} == 9999 ]] ; then
+               git-r3_src_unpack
+       else
+               if use verify-sig; then
+                       cd "${DISTDIR}" || die
+                       verify-sig_verify_detached 
${MY_PF}.tar.gz.sha256sum{,.asc}
+                       verify-sig_verify_unsigned_checksums \
+                               ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+                       cd "${WORKDIR}" || die
+               fi
+
+               default
+       fi
+}
+
+src_prepare() {
+       default
+
+       # Running shellcheck automagically isn't useful for ebuild testing.
+       echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautoreconf
+       fi
+}
+
+src_configure() {
+       use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+       export ac_cv_lib_cap_cap_init=$(usex caps)
+       export tor_cv_PYTHON="${EPYTHON}"
+
+       local myeconfargs=(
+               --localstatedir="${EPREFIX}/var"
+               --disable-all-bugs-are-fatal
+               --enable-system-torrc
+               --disable-android
+               --disable-coverage
+               --disable-html-manual
+               --disable-libfuzzer
+               --enable-missing-doc-warnings
+               --disable-module-dirauth
+               --enable-pic
+               --disable-restart-debugging
+
+               # This option is enabled by default upstream w/ zstd, 
surprisingly.
+               # zstd upstream says this shouldn't be relied upon and it may
+               # break API & ABI at any point, so Tor tries to fake 
static-linking
+               # to make it work, but then requires a rebuild on any new zstd 
version
+               # even when its standard ABI hasn't changed.
+               # See bug #727406 and bug #905708.
+               --disable-zstd-advanced-apis
+
+               $(use_enable man asciidoc)
+               $(use_enable man manpage)
+               $(use_enable lzma)
+               $(use_enable scrypt libscrypt)
+               $(use_enable seccomp)
+               $(use_enable server module-relay)
+               $(use_enable systemd)
+               $(use_enable tor-hardening gcc-hardening)
+               $(use_enable tor-hardening linker-hardening)
+               $(use_enable test unittests)
+               $(use_enable zstd)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+src_install() {
+       default
+       readme.gentoo_create_doc
+
+       newconfd "${FILESDIR}"/tor.confd tor
+       newinitd "${FILESDIR}"/tor.initd-r9 tor
+       systemd_dounit "${FILESDIR}"/tor.service
+
+       keepdir /var/lib/tor
+
+       fperms 750 /var/lib/tor
+       fowners tor:tor /var/lib/tor
+
+       insinto /etc/tor/
+       newins "${FILESDIR}"/torrc-r2 torrc
+}
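Review bot: PATCHES still applies tor-0.4.7.13-libressl.patch, which edits configure.ac, but this ebuild inherits `autotools` and calls `eautoreconf` only in the `${PV} == 9999` branches. tor-0.4.7.13-r1.ebuild runs `eautoreconf` unconditionally, with the comment "Only needed for libressl patch". For a release tarball the shipped configure may therefore stay out of step with the patched configure.ac, or be regenerated by the Makefile's own rules without the eclass-provided tool dependencies. Either add `autotools` to the unconditional `inherit` line and call `eautoreconf` in src_prepare for all versions, or use a copy of the patch without the configure.ac hunk here. Whether the patch still applies cleanly to 0.4.7.14 cannot be judged from this page.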

diff --git a/net-vpn/tor/tor-0.4.8.4.ebuild b/net-vpn/tor/tor-0.4.8.4.ebuild
new file mode 100644
index 0000000..49a860f
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.8.4.ebuild
@@ -0,0 +1,186 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ 
https://gitlab.torproject.org/tpo/core/tor/";
+
+if [[ ${PV} == 9999 ]] ; then
+       EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor";
+       inherit autotools git-r3
+else
+       SRC_URI="
+               https://www.torproject.org/dist/${MY_PF}.tar.gz
+               
https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+               verify-sig? (
+                       https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+                       
https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+               )
+       "
+
+       S="${WORKDIR}/${MY_PF}"
+
+       if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+               KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv 
~sparc ~x86 ~ppc-macos"
+       fi
+
+       BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+# BSD in general, but for PoW, needs --enable-gpl (GPL-3 per --version)
+# We also already had GPL-2 listed here for the init script, but obviously
+# that's different from the actual binary.
+LICENSE="BSD GPL-2 GPL-3"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening 
test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       >=dev-libs/libevent-2.1.12-r1:=[ssl]
+       sys-libs/zlib
+       caps? ( sys-libs/libcap )
+       man? ( app-text/asciidoc )
+       dev-libs/openssl:=[-bindist(-)]
+       lzma? ( app-arch/xz-utils )
+       scrypt? ( app-crypt/libscrypt )
+       seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+       systemd? ( sys-apps/systemd )
+       zstd? ( app-arch/zstd )
+"
+RDEPEND="
+       acct-user/tor
+       acct-group/tor
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+       test? (
+               ${DEPEND}
+               ${PYTHON_DEPS}
+       )
+"
+
+DOCS=()
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+       if [[ ${PV} == 9999 ]] ; then
+               git-r3_src_unpack
+       else
+               if use verify-sig; then
+                       cd "${DISTDIR}" || die
+                       verify-sig_verify_detached 
${MY_PF}.tar.gz.sha256sum{,.asc}
+                       verify-sig_verify_unsigned_checksums \
+                               ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+                       cd "${WORKDIR}" || die
+               fi
+
+               default
+       fi
+}
+
+src_prepare() {
+       default
+
+       # Running shellcheck automagically isn't useful for ebuild testing.
+       echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautoreconf
+       fi
+}
+
+src_configure() {
+       use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+       export ac_cv_lib_cap_cap_init=$(usex caps)
+       export tor_cv_PYTHON="${EPYTHON}"
+
+       local myeconfargs=(
+               --localstatedir="${EPREFIX}/var"
+               --disable-all-bugs-are-fatal
+               --enable-system-torrc
+               --disable-android
+               --disable-coverage
+               --disable-html-manual
+               --disable-libfuzzer
+               --enable-missing-doc-warnings
+               --disable-module-dirauth
+               --enable-pic
+               --disable-restart-debugging
+
+               # Unless someone asks & has a compelling reason, just always
+               # build in GPL mode for pow, given we don't want yet another USE
+               # flag combination to have to test just for the sake of it.
+               # (PoW requires GPL.)
+               --enable-gpl
+               --enable-module-pow
+
+               # This option is enabled by default upstream w/ zstd, 
surprisingly.
+               # zstd upstream says this shouldn't be relied upon and it may
+               # break API & ABI at any point, so Tor tries to fake 
static-linking
+               # to make it work, but then requires a rebuild on any new zstd 
version
+               # even when its standard ABI hasn't changed.
+               # See bug #727406 and bug #905708.
+               --disable-zstd-advanced-apis
+
+               $(use_enable man asciidoc)
+               $(use_enable man manpage)
+               $(use_enable lzma)
+               $(use_enable scrypt libscrypt)
+               $(use_enable seccomp)
+               $(use_enable server module-relay)
+               $(use_enable systemd)
+               $(use_enable tor-hardening gcc-hardening)
+               $(use_enable tor-hardening linker-hardening)
+               $(use_enable test unittests)
+               $(use_enable zstd)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+src_test() {
+       local skip_tests=(
+               # Fails in sandbox
+               :sandbox/open_filename
+               :sandbox/openat_filename
+       )
+
+       # The makefile runs these by parallel by chunking them with a script
+       # but that means we lose verbosity and can't skip individual tests 
easily
+       # either.
+       edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+       default
+       readme.gentoo_create_doc
+
+       newconfd "${FILESDIR}"/tor.confd tor
+       newinitd "${FILESDIR}"/tor.initd-r9 tor
+       systemd_dounit "${FILESDIR}"/tor.service
+
+       keepdir /var/lib/tor
+
+       fperms 750 /var/lib/tor
+       fowners tor:tor /var/lib/tor
+
+       insinto /etc/tor/
+       newins "${FILESDIR}"/torrc-r2 torrc
+}
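Review bot: `tor-hardening` is listed in `IUSE` without a `+`, so a default build reaches `$(use_enable tor-hardening gcc-hardening)` and `$(use_enable tor-hardening linker-hardening)` in `src_configure` with the flag off and passes `--disable-gcc-hardening --disable-linker-hardening` to configure. As far as I know Tor's configure enables both by default, so for a network-facing daemon this switches off upstream's compiler and linker hardening unless the profile's toolchain supplies equivalent flags, which the ebuild does not state. I would either write `+tor-hardening` in `IUSE` or add a comment above those two lines explaining why the flag is off by default. The identical tor-0.4.8.5.ebuild hunk has the same lines, and they also appear at the tail of the preceding ebuild hunk, whose start is outside this view.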

diff --git a/net-vpn/tor/tor-0.4.8.5.ebuild b/net-vpn/tor/tor-0.4.8.5.ebuild
new file mode 100644
index 0000000..49a860f
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.8.5.ebuild
@@ -0,0 +1,186 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ 
https://gitlab.torproject.org/tpo/core/tor/";
+
+if [[ ${PV} == 9999 ]] ; then
+       EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor";
+       inherit autotools git-r3
+else
+       SRC_URI="
+               https://www.torproject.org/dist/${MY_PF}.tar.gz
+               
https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+               verify-sig? (
+                       https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+                       
https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+               )
+       "
+
+       S="${WORKDIR}/${MY_PF}"
+
+       if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+               KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv 
~sparc ~x86 ~ppc-macos"
+       fi
+
+       BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+# BSD in general, but for PoW, needs --enable-gpl (GPL-3 per --version)
+# We also already had GPL-2 listed here for the init script, but obviously
+# that's different from the actual binary.
+LICENSE="BSD GPL-2 GPL-3"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening 
test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       >=dev-libs/libevent-2.1.12-r1:=[ssl]
+       sys-libs/zlib
+       caps? ( sys-libs/libcap )
+       man? ( app-text/asciidoc )
+       dev-libs/openssl:=[-bindist(-)]
+       lzma? ( app-arch/xz-utils )
+       scrypt? ( app-crypt/libscrypt )
+       seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+       systemd? ( sys-apps/systemd )
+       zstd? ( app-arch/zstd )
+"
+RDEPEND="
+       acct-user/tor
+       acct-group/tor
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+       test? (
+               ${DEPEND}
+               ${PYTHON_DEPS}
+       )
+"
+
+DOCS=()
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+       "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
+)
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+       if [[ ${PV} == 9999 ]] ; then
+               git-r3_src_unpack
+       else
+               if use verify-sig; then
+                       cd "${DISTDIR}" || die
+                       verify-sig_verify_detached 
${MY_PF}.tar.gz.sha256sum{,.asc}
+                       verify-sig_verify_unsigned_checksums \
+                               ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+                       cd "${WORKDIR}" || die
+               fi
+
+               default
+       fi
+}
+
+src_prepare() {
+       default
+
+       # Running shellcheck automagically isn't useful for ebuild testing.
+       echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautoreconf
+       fi
+}
+
+src_configure() {
+       use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+       export ac_cv_lib_cap_cap_init=$(usex caps)
+       export tor_cv_PYTHON="${EPYTHON}"
+
+       local myeconfargs=(
+               --localstatedir="${EPREFIX}/var"
+               --disable-all-bugs-are-fatal
+               --enable-system-torrc
+               --disable-android
+               --disable-coverage
+               --disable-html-manual
+               --disable-libfuzzer
+               --enable-missing-doc-warnings
+               --disable-module-dirauth
+               --enable-pic
+               --disable-restart-debugging
+
+               # Unless someone asks & has a compelling reason, just always
+               # build in GPL mode for pow, given we don't want yet another USE
+               # flag combination to have to test just for the sake of it.
+               # (PoW requires GPL.)
+               --enable-gpl
+               --enable-module-pow
+
+               # This option is enabled by default upstream w/ zstd, 
surprisingly.
+               # zstd upstream says this shouldn't be relied upon and it may
+               # break API & ABI at any point, so Tor tries to fake 
static-linking
+               # to make it work, but then requires a rebuild on any new zstd 
version
+               # even when its standard ABI hasn't changed.
+               # See bug #727406 and bug #905708.
+               --disable-zstd-advanced-apis
+
+               $(use_enable man asciidoc)
+               $(use_enable man manpage)
+               $(use_enable lzma)
+               $(use_enable scrypt libscrypt)
+               $(use_enable seccomp)
+               $(use_enable server module-relay)
+               $(use_enable systemd)
+               $(use_enable tor-hardening gcc-hardening)
+               $(use_enable tor-hardening linker-hardening)
+               $(use_enable test unittests)
+               $(use_enable zstd)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+src_test() {
+       local skip_tests=(
+               # Fails in sandbox
+               :sandbox/open_filename
+               :sandbox/openat_filename
+       )
+
+       # The makefile runs these by parallel by chunking them with a script
+       # but that means we lose verbosity and can't skip individual tests 
easily
+       # either.
+       edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+       default
+       readme.gentoo_create_doc
+
+       newconfd "${FILESDIR}"/tor.confd tor
+       newinitd "${FILESDIR}"/tor.initd-r9 tor
+       systemd_dounit "${FILESDIR}"/tor.service
+
+       keepdir /var/lib/tor
+
+       fperms 750 /var/lib/tor
+       fowners tor:tor /var/lib/tor
+
+       insinto /etc/tor/
+       newins "${FILESDIR}"/torrc-r2 torrc
+}
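Review bot: The `PATCHES` array applies only the torrc.sample and opensslconf patches, although the same commit adds `files/tor-0.4.7.13-libressl.patch` (per the diffstat) and the repository URL points at the LibreSSL overlay. A reader cannot tell from the ebuild whether leaving that patch out for this version is deliberate. If 0.4.8.x already contains the change from the merge request named in the commit message, a one-line comment above `PATCHES` would record that, for example `# LibreSSL support is upstream in this release; libressl.patch not needed`. Otherwise the patch looks missing from the array. The same applies to the identical tor-0.4.8.4.ebuild hunk.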

