author | orbea <orbea@riseup.net> | 2022-03-17 07:53:37 -0700 |
---|---|---|
committer | Quentin Retornaz <gentoo@retornaz.com> | 2022-03-19 23:32:34 +0100 |
commit | 47a88659300993df0096c720dd93d9bb914ea5d2 (patch) | |
tree | 0ae60226b7f605d976cedeb2e3aaf35bed9f5321 /net-vpn | |
parent | dev-python/cryptography: Bump for version 36.0.2 (diff) | |
net-vpn/tor: Added
Signed-off-by: orbea <orbea@riseup.net>
Closes: https://github.com/gentoo/libressl/pull/391
Signed-off-by: Quentin Retornaz <gentoo@retornaz.com>
Diffstat (limited to 'net-vpn')
-rw-r--r-- | net-vpn/tor/Manifest | 2 | ||||
-rw-r--r-- | net-vpn/tor/files/0.4.6.7-libressl.patch | 123 | ||||
-rw-r--r-- | net-vpn/tor/files/README.gentoo | 8 | ||||
-rw-r--r-- | net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch | 31 | ||||
-rw-r--r-- | net-vpn/tor/files/tor.confd | 3 | ||||
-rw-r--r-- | net-vpn/tor/files/tor.initd-r9 | 37 | ||||
-rw-r--r-- | net-vpn/tor/files/tor.service | 38 | ||||
-rw-r--r-- | net-vpn/tor/files/torrc-r2 | 7 | ||||
-rw-r--r-- | net-vpn/tor/metadata.xml | 13 | ||||
-rw-r--r-- | net-vpn/tor/tor-0.4.6.7.ebuild | 109 |
10 files changed, 371 insertions, 0 deletions
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 0000000..e10ad5e
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,2 @@
+DIST tor-0.4.6.7.tar.gz 7790727 BLAKE2B da6b0fe0de6a334713cf881dece6ef5a932b0f4374a7dde1e1cb78b4b43944fd6156d84bd98c8be734a7cf81b99cb36187544028c3e4800d38d11d7286d19e12 SHA512 e5f9e235fc4b96f5e63e0bfa4ca412d0d11299a31cb77cae1c199b276d0dfbf3656657ddf910b22625dd49eb726d487666e80e8889db78c9edebbab0d80d9e03
+DIST tor-0.4.6.7.tar.gz.asc 833 BLAKE2B 2054c094cc8ce28bfc8822fa6b0ac5a028b41c96160d135da53112c4fcb7ae048e8d48b58f164dd33c6c7dd851aaa71173b2aa36f70411fc7cc2b67d346ce00b SHA512 d45caaa4795d05f1f1a558192c5eedff608c74be0ef933e0ff7a4f68123a109e38e7fe26222c66dfc8966a07f458eeadf77d7f4731d88389595b59413140e9a3
diff --git a/net-vpn/tor/files/0.4.6.7-libressl.patch b/net-vpn/tor/files/0.4.6.7-libressl.patch
new file mode 100644
index 0000000..d481ae2
--- /dev/null
+++ b/net-vpn/tor/files/0.4.6.7-libressl.patch
@@ -0,0 +1,123 @@
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/tls/x509_openssl.c
+--- a/src/lib/tls/x509_openssl.c.orig
++++ b/src/lib/tls/x509_openssl.c
+@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
+ cert_key = X509_get_pubkey(cert->cert);
+ if (check_rsa_1024 && cert_key) {
+ RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (rsa && RSA_bits(rsa) == 1024) {
+ #else
+ if (rsa && BN_num_bits(rsa->n) == 1024) {
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_rsa_openssl.c
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -47,7 +47,7 @@ struct crypto_pk_t
+ int
+ crypto_pk_key_is_private(const crypto_pk_t *k)
+ {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (!k || !k->key)
+ return 0;
+
+@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
+
+ const BIGNUM *e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *n, *d;
+ RSA_get0_key(env->key, &n, &e, &d);
+ #else
+@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
+ const BIGNUM *a_n, *a_e;
+ const BIGNUM *b_n, *b_e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *a_d, *b_d;
+ RSA_get0_key(a->key, &a_n, &a_e, &a_d);
+ RSA_get0_key(b->key, &b_n, &b_e, &b_d);
+@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
+ tor_assert(env);
+ tor_assert(env->key);
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* It's so stupid that there's no other way to check that n is valid
+ * before calling RSA_bits().
+ */
+@@ -572,7 +572,7 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+ const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+ n = RSA_get0_n(rsa);
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_dh_openssl.c
+--- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_dh_openssl.c
+@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
+ /* Copy into a temporary DH object, just so that DH_check() can be called. */
+ if (!(dh = DH_new()))
+ goto out;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ BIGNUM *dh_p, *dh_g;
+ if (!(dh_p = BN_dup(p)))
+ goto out;
+@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
+ goto err;
+ }
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
+ goto err;
+@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh)
+ int
+ crypto_dh_generate_public(crypto_dh_t *dh)
+ {
+-#ifndef OPENSSL_1_1_API
++#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
+ again:
+ #endif
+ if (!DH_generate_key(dh->dh)) {
+@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
+ return -1;
+ /* LCOV_EXCL_STOP */
+ }
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
+ * recreating the DH object. I have no idea what sort of aliasing madness
+ * can occur here, so do the check, and just bail on failure.
+@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+
+ const BIGNUM *dh_pub;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *dh_priv;
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+ if (crypto_dh_generate_public(dh)<0)
+ return -1;
+ else {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+ dh_pub = dh->dh->pub_key;
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 0000000..35214ac
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs. Use the torrc.sample that is in
+that directory as a guide. Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 0000000..5f9e258
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
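Review bot: Nothing in this patch pins a minimum LibreSSL version, yet the `rsa_private_key_too_long` hunk sends every LibreSSL (LibreSSL reports a 2.x/3.x `OPENSSL_VERSION_NUMBER`, so the inner `#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)` is true) into the branch that calls `RSA_get0_n(rsa)`; if an older LibreSSL that still defines `LIBRESSL_VERSION_NUMBER` lacks the `RSA_get0_n` accessor family, that is a link failure the patch does not guard, so the LibreSSL case should be version-floored (e.g. `#if defined(OPENSSL_1_1_API) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL)`) or checked at configure time. Repeating `|| defined(LIBRESSL_VERSION_NUMBER)` at each `#ifdef OPENSSL_1_1_API` site is also fragile — any site this patch misses silently keeps the pre-1.1 struct-poking path and will break the same way; `OPENSSL_1_1_API` is presumably defined centrally (crypto_openssl_mgt.h is the likely place) with a LibreSSL exclusion, and relaxing that one definition for LibreSSL >= 3.5 would cover every site, worth confirming against the 0.4.6.7 source. Every function touched here starts or ends outside the hunks shown.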
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+
++## Default username and group the server will run as
++User tor
++
++PIDFile /run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory /var/lib/tor/data
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 0000000..4195bf3
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
new file mode 100644
index 0000000..c1639c2
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r9
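Review bot: The shipped sample disagrees with the shipped configuration: this patch puts `Log warn syslog` into torrc.sample while the installed `/etc/tor/torrc` (torrc-r2, same commit) uses `Log notice syslog`, and README.gentoo tells admins to use the sample "as a guide", so anyone who copies it silently loses the notice-level messages the default setup relies on. Unless the lower verbosity in the sample is deliberate, changing the added line to `+Log notice syslog` keeps the two files in step; if it is deliberate, a comment on the line saying why would stop a future sync from "fixing" it. The surrounding sample text is upstream context and starts and ends outside these hunks.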
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+ ${command} --verify-config --hush > /dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ eerror "Tor configuration (/etc/tor/torrc) is not valid."
+ eerror "Example is in /etc/tor/torrc.sample"
+ return 1
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkpath -d -m 0755 -o tor:tor /run/tor
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading Tor configuration"
+ start-stop-daemon -s HUP --pidfile ${pidfile}
+ eend $?
+}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 0000000..1663824
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
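Review bot: `reload` signals whatever PID is stored in `/run/tor/tor.pid` as root, and `start_pre` hands that directory to the unprivileged daemon user (`checkpath -d -m 0755 -o tor:tor /run/tor`); if tor writes the pidfile after dropping to `User tor` (as the shipped torrc configures), a compromised tor process can rewrite the file and have the root-run `start-stop-daemon -s HUP` deliver the signal to an arbitrary process. OpenRC's generated stop path presumably already passes `--exec ${command}` together with the pidfile, but the hand-written reload does not; pinning the target with `start-stop-daemon -s HUP --pidfile ${pidfile} --exec ${command}` closes the gap, assuming the installed OpenRC honours `--exec` in signal mode (worth confirming, otherwise `supervise-daemon` is the alternative). Separately, `checkconfig` discards tor's own diagnostics with `> /dev/null 2>&1`, so the two `eerror` lines tell the admin the config is invalid without saying why; `${command} --verify-config --hush >/dev/null` keeps stderr visible at no cost.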
@@ -0,0 +1,38 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service. You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow. Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+Group=tor
+RuntimeDirectory=tor
+RuntimeDirectoryMode=0770
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
new file mode 100644
index 0000000..b308104
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r2
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 0000000..c1b2764
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
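Review bot: The "Hardening" section uses `ReadOnlyDirectories=` / `ReadWriteDirectories=`, the pre-systemd-231 spellings that current releases only accept with a deprecation warning; `ReadOnlyPaths=` / `ReadWritePaths=` are the supported names, and `After=syslog.target` in [Unit] has been a no-op target for years. Since the unit already opts into namespace sandboxing, the usual companions are missing and cost tor nothing: `ProtectKernelTunables=`, `ProtectControlGroups=`, `RestrictRealtime=` and `SystemCallArchitectures=native`; `RestrictAddressFamilies=` would bound socket types too, but tor's interface enumeration presumably needs AF_NETLINK alongside AF_UNIX/AF_INET/AF_INET6, so confirm before adding it. `NotifyAccess=all` lets every process in the cgroup write to the notify socket; if only the main tor process sends READY/WATCHDOG, `NotifyAccess=main` narrows that.

```ini
# … unchanged: [Unit] and the [Service] start-up directives …
ReadOnlyPaths=/
ReadWritePaths=-/var/lib/tor
ReadWritePaths=-/var/log/tor
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
SystemCallArchitectures=native
# … unchanged: NoNewPrivileges, CapabilityBoundingSet, [Install] …
```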
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>blueness@gentoo.org</email>
+ <name>Anthony G. Basile</name>
+ </maintainer>
+ <use>
+ <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
+ <flag name="server">Enable tor's relay module so it can operate as a relay/bridge/authority</flag>
+ <flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.4.6.7.ebuild b/net-vpn/tor/tor-0.4.6.7.ebuild
new file mode 100644
index 0000000..e29cdd7
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.6.7.ebuild
@@ -0,0 +1,109 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+PYTHON_COMPAT=( python3_{8,9} )
+inherit flag-o-matic python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? ( https://dist.torproject.org/${MY_PF}.tar.gz.asc )"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="amd64 arm arm64 ~mips ppc ppc64 ~riscv x86 ~ppc-macos"
+fi
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/torproject.org.asc
+
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-tor )"
+DEPEND="
+ dev-libs/libevent:=[ssl]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ dev-libs/openssl:0=[-bindist(-)]
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd )
+ zstd? ( app-arch/zstd )"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )"
+
+# bug #764260
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PV}-libressl.patch
+)
+
+DOCS=()
+
+RESTRICT="!test? ( test )"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_configure() {
+ use doc && DOCS+=( README ChangeLog ReleaseNotes doc/HACKING )
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ econf \
+ --localstatedir="${EPREFIX}/var" \
+ --disable-all-bugs-are-fatal \
+ --enable-system-torrc \
+ --disable-android \
+ --disable-html-manual \
+ --disable-libfuzzer \
+ --enable-missing-doc-warnings \
+ --disable-module-dirauth \
+ --enable-pic \
+ --disable-rust \
+ --disable-restart-debugging \
+ --disable-zstd-advanced-apis \
+ $(use_enable man asciidoc) \
+ $(use_enable man manpage) \
+ $(use_enable lzma) \
+ $(use_enable scrypt libscrypt) \
+ $(use_enable seccomp) \
+ $(use_enable server module-relay) \
+ $(use_enable systemd) \
+ $(use_enable tor-hardening gcc-hardening) \
+ $(use_enable tor-hardening linker-hardening) \
+ $(use_enable test unittests) \
+ $(use_enable test coverage) \
+ $(use_enable zstd)
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}
|
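Review bot: DEPEND still lists `dev-libs/openssl:0=[-bindist(-)]` even though the only reason this ebuild exists in a LibreSSL overlay is the `${PV}-libressl.patch` it applies; if the overlay resolves crypto providers through `dev-libs/libressl:0=` rather than a masked openssl, the atom is wrong, and if the openssl atom is intentional here a one-line comment above it (`# satisfied by the overlay's LibreSSL provider`) would stop the next reader from "fixing" it — I cannot tell which from this diff. Separately, `systemd_dounit "${FILESDIR}"/tor.service` runs unconditionally while sd_notify support is gated by `$(use_enable systemd)`; the installed unit declares `Type=notify` and `WatchdogSec=1m`, so a USE=-systemd build started under systemd presumably never reports READY and is killed at `TimeoutSec`, which `use systemd && systemd_dounit "${FILESDIR}"/tor.service` (or a documented expectation that USE=systemd is required on systemd hosts) would address. The verify-sig wiring (`BDEPEND`, `VERIFY_SIG_OPENPGP_KEY_PATH`, `.asc` in SRC_URI) is the right supply-chain default and needs no change.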