aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authororbea <orbea@riseup.net>2023-05-29 12:40:40 -0700
committerorbea <orbea@riseup.net>2023-05-29 12:43:25 -0700
commit4597341593df993c9c1f8b4ee8cf441d3a3873f1 (patch)
tree1519963aa845da7b05d3ac5b4a5bb8e8ee7ce3f1 /net-vpn/tor
parentdev-perl/Net-SSLeay: Fix build with LibreSSL-3.8.0 (diff)
downloadlibressl-4597341593df993c9c1f8b4ee8cf441d3a3873f1.tar.gz
libressl-4597341593df993c9c1f8b4ee8cf441d3a3873f1.tar.bz2
libressl-4597341593df993c9c1f8b4ee8cf441d3a3873f1.zip
net-vpn/tor: new package, add 0.4.7.13-r1
Signed-off-by: orbea <orbea@riseup.net>
Diffstat (limited to 'net-vpn/tor')
-rw-r--r--net-vpn/tor/Manifest3
-rw-r--r--net-vpn/tor/files/README.gentoo8
-rw-r--r--net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch31
-rw-r--r--net-vpn/tor/files/tor-0.4.7.13-libressl-3.8.0.patch27
-rw-r--r--net-vpn/tor/files/tor-0.4.7.13-libressl.patch161
-rw-r--r--net-vpn/tor/files/tor.confd3
-rw-r--r--net-vpn/tor/files/tor.initd-r937
-rw-r--r--net-vpn/tor/files/tor.service38
-rw-r--r--net-vpn/tor/files/torrc-r27
-rw-r--r--net-vpn/tor/metadata.xml17
-rw-r--r--net-vpn/tor/tor-0.4.7.13-r1.ebuild150
11 files changed, 482 insertions, 0 deletions
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 0000000..05ebc39
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,3 @@
+DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a SHA512 0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
+DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee SHA512 ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
+DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb SHA512 eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 0000000..35214ac
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs. Use the torrc.sample that is in
+that directory as a guide. Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 0000000..5f9e258
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+
++## Default username and group the server will run as
++User tor
++
++PIDFile /run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory /var/lib/tor/data
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor-0.4.7.13-libressl-3.8.0.patch b/net-vpn/tor/files/tor-0.4.7.13-libressl-3.8.0.patch
new file mode 100644
index 0000000..f752aa6
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.13-libressl-3.8.0.patch
@@ -0,0 +1,27 @@
+Based on OpenBSD patch.
+
+https://github.com/openbsd/ports/commit/33fe251a08cb11f30ce6094a2e0759c3bb63ed16
+
+From: orbea <orbea@riseup.net>
+Date: Mon, 29 May 2023 11:59:15 -0700
+Subject: [PATCH] tls: Disable a warning with LibreSSL >= 3.8.0
+
+---
+ src/lib/tls/tortls_openssl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/lib/tls/tortls_openssl.c
++++ b/src/lib/tls/tortls_openssl.c
+@@ -340,8 +340,10 @@ tor_tls_init(void)
+ SSL_load_error_strings();
+ #endif /* defined(OPENSSL_1_1_API) */
+
+-#if (SIZEOF_VOID_P >= 8 && \
+- OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
++#if (SIZEOF_VOID_P >= 8 && \
++ OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
++ (!defined(LIBRESSL_VERSION_NUMBER) || \
++ LIBRESSL_VERSION_NUMBER < 0x3080000fL))
+ long version = tor_OpenSSL_version_num();
+
+ /* LCOV_EXCL_START : we can't test these lines on the same machine */
diff --git a/net-vpn/tor/files/tor-0.4.7.13-libressl.patch b/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
new file mode 100644
index 0000000..76d52fd
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
@@ -0,0 +1,161 @@
+Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/598
+Upstream-Commit: https://gitlab.torproject.org/tpo/core/tor/-/commit/da52d7206a4a8e4fa8b5e80b5ed73de50fbe8692
+
+From f3dabd705f26c56076934323f24b5b05ecdfd39c Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
+Date: Tue, 5 Jul 2022 11:37:30 -0400
+Subject: [PATCH 1/2] LibreSSL 3.5 compatibility
+
+LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to
+https://undeadly.org/cgi?action=article;sid=20220116121253, this is the
+intention of OpenBSD developers.
+
+According to #40630, many special cases are needed to compile Tor against
+LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a
+small number of #defines are required when using OpenSSL 1.1 compatibility
+mode. One additional workaround is required for LibreSSL 3.4 compatibility.
+
+Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1.
+---
+ configure.ac | 2 +-
+ src/lib/crypt_ops/compat_openssl.h | 22 +++++++++++++---------
+ src/lib/crypt_ops/crypto_openssl_mgt.h | 3 +--
+ src/lib/crypt_ops/crypto_rsa_openssl.c | 8 +++++---
+ 4 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8baae007cf..6ab7903010 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1022,7 +1022,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ AC_MSG_CHECKING([for OpenSSL < 1.0.1])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <openssl/opensslv.h>
+-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
++#if OPENSSL_VERSION_NUMBER < 0x1000100fL
+ #error "too old"
+ #endif
+ ]], [[]])],
+diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h
+index 0f56f338b5..c5eccdb015 100644
+--- a/src/lib/crypt_ops/compat_openssl.h
++++ b/src/lib/crypt_ops/compat_openssl.h
+@@ -20,32 +20,36 @@
+ * \brief compatibility definitions for working with different openssl forks
+ **/
+
+-#if !defined(LIBRESSL_VERSION_NUMBER) && \
+- OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
++#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
+ #error "We require OpenSSL >= 1.0.1"
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \
+- ! defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
+ /* We define this macro if we're trying to build with the majorly refactored
+ * API in OpenSSL 1.1 */
+ #define OPENSSL_1_1_API
+ #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
+
+-#ifndef OPENSSL_1_1_API
+-#define OpenSSL_version(v) SSLeay_version(v)
+-#define tor_OpenSSL_version_num() SSLeay()
++/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */
++#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ #define RAND_OpenSSL() RAND_SSLeay()
+ #define STATE_IS_SW_SERVER_HELLO(st) \
+ (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
+ ((st) == SSL3_ST_SW_SRVR_HELLO_B))
+ #define OSSL_HANDSHAKE_STATE int
+ #define CONST_IF_OPENSSL_1_1_API
+-#else /* defined(OPENSSL_1_1_API) */
+-#define tor_OpenSSL_version_num() OpenSSL_version_num()
++#else
+ #define STATE_IS_SW_SERVER_HELLO(st) \
+ ((st) == TLS_ST_SW_SRVR_HELLO)
+ #define CONST_IF_OPENSSL_1_1_API const
++#endif
++
++/* OpenSSL 1.1 and LibreSSL both have these APIs */
++#ifndef OPENSSL_1_1_API
++#define OpenSSL_version(v) SSLeay_version(v)
++#define tor_OpenSSL_version_num() SSLeay()
++#else /* defined(OPENSSL_1_1_API) */
++#define tor_OpenSSL_version_num() OpenSSL_version_num()
+ #endif /* !defined(OPENSSL_1_1_API) */
+
+ #endif /* defined(ENABLE_OPENSSL) */
+diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
+index c6f63ffa08..96a37721dd 100644
+--- a/src/lib/crypt_ops/crypto_openssl_mgt.h
++++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
+@@ -54,8 +54,7 @@
+ #define DISABLE_ENGINES
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \
+- !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
+ /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require
+ * setting up various callbacks.
+ *
+diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c b/src/lib/crypt_ops/crypto_rsa_openssl.c
+index a21c4a65cf..544d72e6ca 100644
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c
++++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -572,7 +572,9 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+ const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) && \
++ (!defined(LIBRESSL_VERSION_NUMBER) || \
++ LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))
+
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+ n = RSA_get0_n(rsa);
+@@ -591,7 +593,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
+
+ if (RSA_bits(rsa) > max_bits)
+ return true;
+-#else /* !defined(OPENSSL_1_1_API) */
++#else /* !defined(OPENSSL_1_1_API) && ... */
+ n = rsa->n;
+ e = rsa->e;
+ p = rsa->p;
+@@ -600,7 +602,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ dmp1 = rsa->dmp1;
+ dmq1 = rsa->dmq1;
+ iqmp = rsa->iqmp;
+-#endif /* defined(OPENSSL_1_1_API) */
++#endif /* defined(OPENSSL_1_1_API) && ... */
+
+ if (n && BN_num_bits(n) > max_bits)
+ return true;
+--
+GitLab
+
+
+From b1545b6d18fbef6c790e2731a814fa54230d8857 Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
+Date: Tue, 19 Jul 2022 16:18:29 -0400
+Subject: [PATCH 2/2] Changes file for #40630 (LibreSSL 3.5 compatibility)
+
+---
+ changes/issue40630 | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 changes/issue40630
+
+diff --git a/changes/issue40630 b/changes/issue40630
+new file mode 100644
+index 0000000000..faf04941b6
+--- /dev/null
++++ b/changes/issue40630
+@@ -0,0 +1,3 @@
++ o Minor features (portability, compilation):
++ - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility.
++ Fixes issue 40630; patch by Alex Xu (Hello71).
+--
+GitLab
+
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 0000000..4195bf3
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
new file mode 100644
index 0000000..c1639c2
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r9
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+ ${command} --verify-config --hush > /dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ eerror "Tor configuration (/etc/tor/torrc) is not valid."
+ eerror "Example is in /etc/tor/torrc.sample"
+ return 1
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkpath -d -m 0755 -o tor:tor /run/tor
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading Tor configuration"
+ start-stop-daemon -s HUP --pidfile ${pidfile}
+ eend $?
+}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 0000000..1663824
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
@@ -0,0 +1,38 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service. You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow. Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+Group=tor
+RuntimeDirectory=tor
+RuntimeDirectoryMode=0770
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
new file mode 100644
index 0000000..b308104
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r2
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 0000000..fcc4644
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>ajak@gentoo.org</email>
+ <name>John Helmert III</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>sam@gentoo.org</email>
+ <name>Sam James</name>
+ </maintainer>
+ <use>
+ <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
+ <flag name="server">Enable tor's relay module so it can operate as a relay/bridge/authority</flag>
+ <flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.4.7.13-r1.ebuild b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
new file mode 100644
index 0000000..e7d732a
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
@@ -0,0 +1,150 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
+inherit autotools python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
+SRC_URI="
+ https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? (
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+ )
+"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86 ~ppc-macos"
+fi
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ >=dev-libs/libevent-2.1.12-r1:=[ssl]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ dev-libs/openssl:=[-bindist(-)]
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd )
+ zstd? ( app-arch/zstd )
+"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )
+"
+BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20221213 )"
+
+DOCS=()
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
+ "${FILESDIR}"/${PN}-0.4.7.13-libressl-3.8.0.patch
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+ if use verify-sig; then
+ cd "${DISTDIR}" || die
+ verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+ verify-sig_verify_unsigned_checksums \
+ ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+ cd "${WORKDIR}" || die
+ fi
+
+ default
+}
+
+src_prepare() {
+ default
+
+ # Running shellcheck automagically isn't useful for ebuild testing.
+ echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+ # Only needed for libressl patch
+ eautoreconf
+}
+
+src_configure() {
+ use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ export tor_cv_PYTHON="${EPYTHON}"
+
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}/var"
+ --disable-all-bugs-are-fatal
+ --enable-system-torrc
+ --disable-android
+ --disable-coverage
+ --disable-html-manual
+ --disable-libfuzzer
+ --enable-missing-doc-warnings
+ --disable-module-dirauth
+ --enable-pic
+ --disable-restart-debugging
+
+ # This option is enabled by default upstream w/ zstd, surprisingly.
+ # zstd upstream says this shouldn't be relied upon and it may
+ # break API & ABI at any point, so Tor tries to fake static-linking
+ # to make it work, but then requires a rebuild on any new zstd version
+ # even when its standard ABI hasn't changed.
+ # See bug #727406 and bug #905708.
+ --disable-zstd-advanced-apis
+
+ $(use_enable man asciidoc)
+ $(use_enable man manpage)
+ $(use_enable lzma)
+ $(use_enable scrypt libscrypt)
+ $(use_enable seccomp)
+ $(use_enable server module-relay)
+ $(use_enable systemd)
+ $(use_enable tor-hardening gcc-hardening)
+ $(use_enable tor-hardening linker-hardening)
+ $(use_enable test unittests)
+ $(use_enable zstd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}