[arch-commits] Commit in tor/trunk (PKGBUILD openssl-0.9.8l.patch tor.install)

Andrea Scarpino andrea at archlinux.org
Fri Nov 20 09:32:38 EST 2009


    Date: Friday, November 20, 2009 @ 09:32:38
  Author: andrea
Revision: 59145

upgpkg: tor 0.2.1.20-2
    made tor work with openssl 0.9.8l (FS#17185); set dir permission from .install

Added:
  tor/trunk/openssl-0.9.8l.patch
Modified:
  tor/trunk/PKGBUILD
  tor/trunk/tor.install

----------------------+
 PKGBUILD             |   43 +++++++++++----------
 openssl-0.9.8l.patch |   99 +++++++++++++++++++++++++++++++++++++++++++++++++
 tor.install          |   18 ++++----
 3 files changed, 131 insertions(+), 29 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2009-11-20 14:24:22 UTC (rev 59144)
+++ PKGBUILD	2009-11-20 14:32:38 UTC (rev 59145)
@@ -4,7 +4,7 @@
 
 pkgname=tor
 pkgver=0.2.1.20
-pkgrel=1
+pkgrel=2
 pkgdesc="Anonymizing overlay network"
 arch=('i686' 'x86_64')
 url="http://www.torproject.org/"
@@ -13,27 +13,30 @@
 backup=('etc/tor/torrc' 'etc/tor/torrc-dist' 'etc/tor/tor-tsocks.conf')
 install=tor.install
 source=(http://www.torproject.org/dist/tor-${pkgver}.tar.gz
-       tor.conf
-       tor.rc)
-md5sums=('0d62ee2332fdd95de43debac7435df19' '56c75d4e8a66f34167d31e38c43793dd'\
-         '4e39d56f462fc9f59e91715ac1b994c0')
-sha1sums=('bfc6c7e9ccee23abc4e97ca4ba98aa3ad7784262' '091385e9604d2ec519c1092ca875885c04c62a7c'\
-         '978588d0078465b6383422772d187e92963eb41f')
+	'tor.conf'
+	'tor.rc'
+	'openssl-0.9.8l.patch')
+md5sums=('0d62ee2332fdd95de43debac7435df19'
+         '56c75d4e8a66f34167d31e38c43793dd'
+         '4e39d56f462fc9f59e91715ac1b994c0'
+         'b508b4d7ca39e19ba6f4f896d94464aa')
 
 build() {
-    cd "$srcdir/$pkgname-$pkgver"
+  cd ${srcdir}/${pkgname}-${pkgver}
+  
+  patch -Np1 -i ${srcdir}/openssl-0.9.8l.patch || return 1
 
-    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var || return 1
-    make || return 1
+  ./configure --prefix=/usr \
+    --sysconfdir=/etc \
+    --localstatedir=/var || return 1
+  make || return 1
+  make DESTDIR="$pkgdir" install || return 1
 
-    install -d "$pkgdir/var/lib" || return 1
-    install -o43 -g43 -d -m0700 "$pkgdir/var/lib/tor" || return 1
-
-    make DESTDIR="$pkgdir" install || return 1
-    mv "$pkgdir/etc/tor/torrc.sample" "$pkgdir/etc/tor/torrc-dist" || return 1
-
-    install -D -m644 "$srcdir/tor.conf" "$pkgdir/etc/tor/torrc" || return 1
-    install -D -m755 "$srcdir/tor.rc" "$pkgdir/etc/rc.d/tor" || return 1
-    
-    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tor/LICENSE" || return 1
+  install -d ${pkgdir}/var/lib/tor || return 1
+  
+  mv "$pkgdir/etc/tor/torrc.sample" "$pkgdir/etc/tor/torrc-dist" || return 1
+  install -D -m644 "$srcdir/tor.conf" "$pkgdir/etc/tor/torrc" || return 1
+  install -D -m755 "$srcdir/tor.rc" "$pkgdir/etc/rc.d/tor" || return 1
+  
+  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tor/LICENSE" || return 1
 }
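Review bot: The sha1sums array is dropped and only md5sums remain to verify a tarball fetched over plain http://, which weakens the single integrity check makepkg performs on the source and on the new patch; re-add `sha1sums=(...)` (or sha256sums) with an entry for openssl-0.9.8l.patch alongside md5sums rather than removing it. Separately, `install -d ${pkgdir}/var/lib/tor` now packages the data directory with the default mode and root ownership, whereas the removed line created it 0700 for uid/gid 43; since the .install fix-up only runs after extraction, keep the restrictive mode in the package itself with `install -d -m0700 "${pkgdir}/var/lib/tor" || return 1`. The new cd and patch lines also drop the double quotes around `${srcdir}` that the old lines had, so a build directory containing spaces would break.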

Added: openssl-0.9.8l.patch
===================================================================
--- openssl-0.9.8l.patch	                        (rev 0)
+++ openssl-0.9.8l.patch	2009-11-20 14:32:38 UTC (rev 59145)
@@ -0,0 +1,99 @@
+# This patch makes TOR work with openssl 0.9.8l, which
+# fixed a security issue.
+# 
+# Patch taken from the upstream SVN:
+# http://archives.seul.org/or/cvs/Nov-2009/msg00029.html
+#
+diff --git a/src/common/tortls.c b/src/common/tortls.c
+index c6b11e9..bcc6780 100644
+--- a/src/common/tortls.c
++++ b/src/common/tortls.c
+@@ -154,6 +154,7 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
+                                         const char *cname,
+                                         const char *cname_sign,
+                                         unsigned int lifetime);
++static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
+ 
+ /** Global tls context. We keep it here because nobody else needs to
+  * touch it. */
+@@ -904,6 +905,36 @@ tor_tls_set_renegotiate_callback(tor_tls_t *tls,
+ #endif
+ }
+ 
++/** If this version of openssl requires it, turn on renegotiation on
++ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
++ * to use belt-and-suspenders here.)
++ */
++static void
++tor_tls_unblock_renegotiation(tor_tls_t *tls)
++{
++#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++  /* Yes, we know what we are doing here.  No, we do not treat a renegotiation
++   * as authenticating any earlier-received data. */
++  tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
++#else
++  (void)tls;
++#endif
++}
++
++/** If this version of openssl supports it, turn off renegotiation on
++ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
++ * to use belt-and-suspenders here.)
++ */
++void
++tor_tls_block_renegotiation(tor_tls_t *tls)
++{
++#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++  tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
++#else
++  (void)tls;
++#endif
++}
++
+ /** Return whether this tls initiated the connect (client) or
+  * received it (server). */
+ int
+@@ -1026,6 +1057,9 @@ tor_tls_handshake(tor_tls_t *tls)
+   } else {
+     r = SSL_connect(tls->ssl);
+   }
++  /* We need to call this here and not earlier, since OpenSSL has a penchant
++   * for clearing its flags when you say accept or connect. */
++  tor_tls_unblock_renegotiation(tls);
+   r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO);
+   if (ERR_peek_error() != 0) {
+     tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN,
+diff --git a/src/common/tortls.h b/src/common/tortls.h
+index d006909..871fec3 100644
+--- a/src/common/tortls.h
++++ b/src/common/tortls.h
+@@ -65,6 +65,7 @@ int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
+ int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
+ int tor_tls_handshake(tor_tls_t *tls);
+ int tor_tls_renegotiate(tor_tls_t *tls);
++void tor_tls_block_renegotiation(tor_tls_t *tls);
+ int tor_tls_shutdown(tor_tls_t *tls);
+ int tor_tls_get_pending_bytes(tor_tls_t *tls);
+ size_t tor_tls_get_forced_write_size(tor_tls_t *tls);
+diff --git a/src/or/connection_or.c b/src/or/connection_or.c
+index b4e8092..2a52b3f 100644
+--- a/src/or/connection_or.c
++++ b/src/or/connection_or.c
+@@ -844,6 +844,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
+ 
+   /* Don't invoke this again. */
+   tor_tls_set_renegotiate_callback(tls, NULL, NULL);
++  tor_tls_block_renegotiation(tls);
+ 
+   if (connection_tls_finish_handshake(conn) < 0) {
+     /* XXXX_TLS double-check that it's ok to do this from inside read. */
+@@ -1087,6 +1088,7 @@ connection_tls_finish_handshake(or_connection_t *conn)
+       connection_or_init_conn_from_address(conn, &conn->_base.addr,
+                                            conn->_base.port, digest_rcvd, 0);
+     }
++    tor_tls_block_renegotiation(conn->tls);
+     return connection_or_set_state_open(conn);
+   } else {
+     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
+-- 
+1.5.6.5
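Review bot: tor_tls_unblock_renegotiation writes SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION straight into `tls->ssl->s3->flags`, i.e. into OpenSSL's internal SSL state rather than through a public setter, and the call in tor_tls_handshake runs unconditionally after SSL_accept/SSL_connect, even when the handshake returned an error. The comment says the protocol never treats a renegotiation as authenticating earlier data, but it should also say why opting back into legacy renegotiation is acceptable at all — presumably because Tor's link handshake depends on a client renegotiation that 0.9.8l now refuses — and that the flag is cleared again in connection_or_tls_renegotiated_cb and connection_tls_finish_handshake, e.g. `/* 0.9.8l disables renegotiation by default; Tor's link protocol needs one client renegotiation, so allow it only between handshake completion and the renegotiated callback. */`. Later OpenSSL releases expose this as an SSL_OP_ option, so an `#ifdef` preferring `SSL_set_options(tls->ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)` when available would avoid poking s3->flags, but verify the name against the OpenSSL headers actually in use. The inner hunks show only fragments of tor_tls_handshake and of the two connection_or.c callers, whose bodies start and end outside this patch.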

Modified: tor.install
===================================================================
--- tor.install	2009-11-20 14:24:22 UTC (rev 59144)
+++ tor.install	2009-11-20 14:32:38 UTC (rev 59145)
@@ -1,19 +1,19 @@
 post_install() {
   echo "-> Tor has been preconfigured to run as a client only."
   echo "-> Tor is experimental software. Do not rely on it for strong anonymity."
-  post_upgrade $1
+  groupadd -g 43 tor &>/dev/null
+  useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor &> /dev/null
+  chown tor:tor var/lib/tor &> /dev/null
+  chmod 700 var/lib/tor &> /dev/null
 }
 
 post_upgrade() {
-  if [ ! `grep '^tor:' /etc/group` ]; then
-    groupadd -g 43 tor &>/dev/null;
-  fi
-
-  id tor &>/dev/null || \
-    useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor
+  getent group tor &>/dev/null || groupadd -g 43 tor &>/dev/null
+  getent passwd tor &>/dev/null || useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor &> /dev/null
+  chown tor:tor var/lib/tor &> /dev/null
 }
 
 pre_remove() {
-  userdel tor &> /dev/null
-  groupdel tor &> /dev/null
+  getent passwd tor &>/dev/null || userdel tor &> /dev/null
+  getent group tor &>/dev/null || groupdel tor &> /dev/null
 }
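Review bot: The pre_remove conditions are inverted: `getent passwd tor &>/dev/null || userdel tor` runs userdel only when the tor user does not exist, so on a real uninstall the account and group are never removed, and on a system without them userdel/groupdel run only to fail silently. Use `&&` in both lines: `getent passwd tor &>/dev/null && userdel tor &> /dev/null` and `getent group tor &>/dev/null && groupdel tor &> /dev/null`. post_install also swallows useradd/groupadd failures and then chowns to `tor:tor` with errors hidden, so a failed account creation leaves /var/lib/tor root-owned without any message; consider not silencing useradd, or echoing a warning when `getent passwd tor` fails afterwards. post_upgrade restores ownership but not the 0700 mode, so an existing install whose directory mode was loosened is not corrected; adding `chmod 700 var/lib/tor &> /dev/null` there keeps the two hooks consistent. The relative `var/lib/tor` paths rely on pacman running the hook with the installation root as the working directory, which appears to be the convention here but deserves a one-line comment.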


