[arch-commits] Commit in tor/repos (4 files)
Giovanni Scafora
giovanni at archlinux.org
Fri Nov 20 15:53:47 UTC 2009
Date: Friday, November 20, 2009 @ 10:53:46
Author: giovanni
Revision: 59163
Merged revisions 59145 via svnmerge from
svn+ssh://gerolde.archlinux.org/srv/svn-packages/tor/trunk
........
r59145 | andrea | 2009-11-20 06:32:38 -0800 (ven, 20 nov 2009) | 2 lines
upgpkg: tor 0.2.1.20-2
made tor work with openssl 0.9.8l (FS#17185); set dir permissions from .install
........
Added:
tor/repos/extra-x86_64/openssl-0.9.8l.patch
(from rev 59145, tor/trunk/openssl-0.9.8l.patch)
Modified:
tor/repos/extra-x86_64/ (properties)
tor/repos/extra-x86_64/PKGBUILD
tor/repos/extra-x86_64/tor.install
----------------------+
PKGBUILD | 43 +++++++++++----------
openssl-0.9.8l.patch | 99 +++++++++++++++++++++++++++++++++++++++++++++++++
tor.install | 18 ++++----
3 files changed, 131 insertions(+), 29 deletions(-)
Property changes on: tor/repos/extra-x86_64
___________________________________________________________________
Modified: svnmerge-integrated
- /tor/trunk:1-57069
+ /tor/trunk:1-59162
Modified: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2009-11-20 15:49:31 UTC (rev 59162)
+++ extra-x86_64/PKGBUILD 2009-11-20 15:53:46 UTC (rev 59163)
@@ -4,7 +4,7 @@
pkgname=tor
pkgver=0.2.1.20
-pkgrel=1
+pkgrel=2
pkgdesc="Anonymizing overlay network"
arch=('i686' 'x86_64')
url="http://www.torproject.org/"
@@ -13,27 +13,30 @@
backup=('etc/tor/torrc' 'etc/tor/torrc-dist' 'etc/tor/tor-tsocks.conf')
install=tor.install
source=(http://www.torproject.org/dist/tor-${pkgver}.tar.gz
- tor.conf
- tor.rc)
-md5sums=('0d62ee2332fdd95de43debac7435df19' '56c75d4e8a66f34167d31e38c43793dd'\
- '4e39d56f462fc9f59e91715ac1b994c0')
-sha1sums=('bfc6c7e9ccee23abc4e97ca4ba98aa3ad7784262' '091385e9604d2ec519c1092ca875885c04c62a7c'\
- '978588d0078465b6383422772d187e92963eb41f')
+ 'tor.conf'
+ 'tor.rc'
+ 'openssl-0.9.8l.patch')
+md5sums=('0d62ee2332fdd95de43debac7435df19'
+ '56c75d4e8a66f34167d31e38c43793dd'
+ '4e39d56f462fc9f59e91715ac1b994c0'
+ 'b508b4d7ca39e19ba6f4f896d94464aa')
build() {
- cd "$srcdir/$pkgname-$pkgver"
+ cd ${srcdir}/${pkgname}-${pkgver}
+
+ patch -Np1 -i ${srcdir}/openssl-0.9.8l.patch || return 1
- ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var || return 1
- make || return 1
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var || return 1
+ make || return 1
+ make DESTDIR="$pkgdir" install || return 1
- install -d "$pkgdir/var/lib" || return 1
- install -o43 -g43 -d -m0700 "$pkgdir/var/lib/tor" || return 1
-
- make DESTDIR="$pkgdir" install || return 1
- mv "$pkgdir/etc/tor/torrc.sample" "$pkgdir/etc/tor/torrc-dist" || return 1
-
- install -D -m644 "$srcdir/tor.conf" "$pkgdir/etc/tor/torrc" || return 1
- install -D -m755 "$srcdir/tor.rc" "$pkgdir/etc/rc.d/tor" || return 1
-
- install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tor/LICENSE" || return 1
+ install -d ${pkgdir}/var/lib/tor || return 1
+
+ mv "$pkgdir/etc/tor/torrc.sample" "$pkgdir/etc/tor/torrc-dist" || return 1
+ install -D -m644 "$srcdir/tor.conf" "$pkgdir/etc/tor/torrc" || return 1
+ install -D -m755 "$srcdir/tor.rc" "$pkgdir/etc/rc.d/tor" || return 1
+
+ install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tor/LICENSE" || return 1
}
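Review bot: The rewritten source/checksum block drops the `sha1sums` array entirely, so the tarball and the newly added openssl-0.9.8l.patch are now verified by md5 alone; keep `sha1sums=(...)` next to `md5sums` with a fourth entry for the patch (`'<sha1 of openssl-0.9.8l.patch>'` as a placeholder until computed with sha1sum). In the same hunk, `cd ${srcdir}/${pkgname}-${pkgver}`, `patch -Np1 -i ${srcdir}/openssl-0.9.8l.patch` and `install -d ${pkgdir}/var/lib/tor` are the only lines in build() whose $srcdir/$pkgdir expansions are unquoted; quoting them like the surrounding `"$pkgdir/..."` lines avoids word splitting if the build path contains spaces. Since `-o43 -g43 -m0700` was moved out of the package into tor.install per the commit message, the package itself now ships /var/lib/tor with the default directory mode, which is only acceptable if the install scriptlet tightens it on every install path.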
Copied: tor/repos/extra-x86_64/openssl-0.9.8l.patch (from rev 59145, tor/trunk/openssl-0.9.8l.patch)
===================================================================
--- extra-x86_64/openssl-0.9.8l.patch (rev 0)
+++ extra-x86_64/openssl-0.9.8l.patch 2009-11-20 15:53:46 UTC (rev 59163)
@@ -0,0 +1,99 @@
+# This patch makes TOR work with openssl 0.9.8l, which
+# fixed a security issue.
+#
+# Patch taken from the upstream SVN:
+# http://archives.seul.org/or/cvs/Nov-2009/msg00029.html
+#
+diff --git a/src/common/tortls.c b/src/common/tortls.c
+index c6b11e9..bcc6780 100644
+--- a/src/common/tortls.c
++++ b/src/common/tortls.c
+@@ -154,6 +154,7 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
+ const char *cname,
+ const char *cname_sign,
+ unsigned int lifetime);
++static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
+
+ /** Global tls context. We keep it here because nobody else needs to
+ * touch it. */
+@@ -904,6 +905,36 @@ tor_tls_set_renegotiate_callback(tor_tls_t *tls,
+ #endif
+ }
+
++/** If this version of openssl requires it, turn on renegotiation on
++ * <b>tls</b>. (Our protocol never requires this for security, but it's nice
++ * to use belt-and-suspenders here.)
++ */
++static void
++tor_tls_unblock_renegotiation(tor_tls_t *tls)
++{
++#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++ /* Yes, we know what we are doing here. No, we do not treat a renegotiation
++ * as authenticating any earlier-received data. */
++ tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
++#else
++ (void)tls;
++#endif
++}
++
++/** If this version of openssl supports it, turn off renegotiation on
++ * <b>tls</b>. (Our protocol never requires this for security, but it's nice
++ * to use belt-and-suspenders here.)
++ */
++void
++tor_tls_block_renegotiation(tor_tls_t *tls)
++{
++#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
++ tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
++#else
++ (void)tls;
++#endif
++}
++
+ /** Return whether this tls initiated the connect (client) or
+ * received it (server). */
+ int
+@@ -1026,6 +1057,9 @@ tor_tls_handshake(tor_tls_t *tls)
+ } else {
+ r = SSL_connect(tls->ssl);
+ }
++ /* We need to call this here and not earlier, since OpenSSL has a penchant
++ * for clearing its flags when you say accept or connect. */
++ tor_tls_unblock_renegotiation(tls);
+ r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO);
+ if (ERR_peek_error() != 0) {
+ tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN,
+diff --git a/src/common/tortls.h b/src/common/tortls.h
+index d006909..871fec3 100644
+--- a/src/common/tortls.h
++++ b/src/common/tortls.h
+@@ -65,6 +65,7 @@ int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
+ int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
+ int tor_tls_handshake(tor_tls_t *tls);
+ int tor_tls_renegotiate(tor_tls_t *tls);
++void tor_tls_block_renegotiation(tor_tls_t *tls);
+ int tor_tls_shutdown(tor_tls_t *tls);
+ int tor_tls_get_pending_bytes(tor_tls_t *tls);
+ size_t tor_tls_get_forced_write_size(tor_tls_t *tls);
+diff --git a/src/or/connection_or.c b/src/or/connection_or.c
+index b4e8092..2a52b3f 100644
+--- a/src/or/connection_or.c
++++ b/src/or/connection_or.c
+@@ -844,6 +844,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
+
+ /* Don't invoke this again. */
+ tor_tls_set_renegotiate_callback(tls, NULL, NULL);
++ tor_tls_block_renegotiation(tls);
+
+ if (connection_tls_finish_handshake(conn) < 0) {
+ /* XXXX_TLS double-check that it's ok to do this from inside read. */
+@@ -1087,6 +1088,7 @@ connection_tls_finish_handshake(or_connection_t *conn)
+ connection_or_init_conn_from_address(conn, &conn->_base.addr,
+ conn->_base.port, digest_rcvd, 0);
+ }
++ tor_tls_block_renegotiation(conn->tls);
+ return connection_or_set_state_open(conn);
+ } else {
+ conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
+--
+1.5.6.5
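Review bot: The header comment `# fixed a security issue.` does not say what the patch actually changes, so a reader of the PKGBUILD cannot tell why Tor needs patching after an OpenSSL security update. Suggest expanding it to state that OpenSSL 0.9.8l stops allowing TLS renegotiation, that Tor's link handshake appears to rely on one (see connection_or_tls_renegotiated_cb), and that the patch sets SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION only right after SSL_accept/SSL_connect in tor_tls_handshake and clears it again through tor_tls_block_renegotiation once the handshake completes (the two connection_or.c call sites). The tortls.c comment already records that Tor does not treat a renegotiation as authenticating earlier-received data; repeating that rationale in the header makes the safety argument reviewable without reading the hunks.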
Modified: extra-x86_64/tor.install
===================================================================
--- extra-x86_64/tor.install 2009-11-20 15:49:31 UTC (rev 59162)
+++ extra-x86_64/tor.install 2009-11-20 15:53:46 UTC (rev 59163)
@@ -1,19 +1,19 @@
post_install() {
echo "-> Tor has been preconfigured to run as a client only."
echo "-> Tor is experimental software. Do not rely on it for strong anonymity."
- post_upgrade $1
+ groupadd -g 43 tor &>/dev/null
+ useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor &> /dev/null
+ chown tor:tor var/lib/tor &> /dev/null
+ chmod 700 var/lib/tor &> /dev/null
}
post_upgrade() {
- if [ ! `grep '^tor:' /etc/group` ]; then
- groupadd -g 43 tor &>/dev/null;
- fi
-
- id tor &>/dev/null || \
- useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor
+ getent group tor &>/dev/null || groupadd -g 43 tor &>/dev/null
+ getent passwd tor &>/dev/null || useradd -u 43 -g tor -d /var/lib/tor -s /bin/false tor &> /dev/null
+ chown tor:tor var/lib/tor &> /dev/null
}
pre_remove() {
- userdel tor &> /dev/null
- groupdel tor &> /dev/null
+ getent passwd tor &>/dev/null || userdel tor &> /dev/null
+ getent group tor &>/dev/null || groupdel tor &> /dev/null
}
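Review bot: pre_remove has its conditions inverted: `getent passwd tor &>/dev/null || userdel tor &> /dev/null` runs userdel only when the account does *not* exist, so on a real removal the tor user and group are left behind; both lines should use `&&`, i.e. `getent passwd tor &>/dev/null && userdel tor &> /dev/null` and `getent group tor &>/dev/null && groupdel tor &> /dev/null`. post_upgrade re-applies `chown tor:tor var/lib/tor` but not the `chmod 700 var/lib/tor` that post_install sets; if the packaged directory no longer carries 0700 (the PKGBUILD's `install -d` dropped -m0700 in this commit), adding the chmod to post_upgrade keeps the state directory private across upgrades as well.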