Diffstat (limited to 'infra/libkookie/nixpkgs/pkgs/tools/security/tor')
5 files changed, 291 insertions, 0 deletions
diff --git a/infra/libkookie/nixpkgs/pkgs/tools/security/tor/default.nix b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/default.nix
new file mode 100644
index 000000000000..04bf598d132a
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/default.nix
@@ -0,0 +1,96 @@
+{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
+, libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
+
+# for update.nix
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+stdenv.mkDerivation rec {
+ pname = "tor";
+ version = "0.4.4.6";
+
+ src = fetchurl {
+ url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
+ sha256 = "1p0zpqmbskygx0wmiijhprg8r45n2wqbbjl7kv4gbb83b0alq5az";
+ };
+
+ outputs = [ "out" "geoip" ];
+
+ nativeBuildInputs = [ pkgconfig ];
+ buildInputs = [ libevent openssl zlib lzma zstd scrypt ] ++
+ stdenv.lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];
+
+ patches = [ ./disable-monotonic-timer-tests.patch ];
+
+ # cross compiles correctly but needs the following
+ configureFlags = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform)
+ "--disable-tool-name-check";
+
+ NIX_CFLAGS_LINK = stdenv.lib.optionalString stdenv.cc.isGNU "-lgcc_s";
+
+ postPatch = ''
+ substituteInPlace contrib/client-tools/torify \
+ --replace 'pathfind torsocks' true \
+ --replace 'exec torsocks' 'exec ${torsocks}/bin/torsocks'
+
+ patchShebangs ./scripts/maint/checkShellScripts.sh
+ '';
+
+ enableParallelBuilding = true;
+
+ doCheck = true;
+
+ postInstall = ''
+ mkdir -p $geoip/share/tor
+ mv $out/share/tor/geoip{,6} $geoip/share/tor
+ rm -rf $out/share/tor
+ '';
+
+ passthru = {
+ tests.tor = nixosTests.tor;
+ updateScript = import ./update.nix {
+ inherit (stdenv) lib;
+ inherit
+ writeScript
+ common-updater-scripts
+ bash
+ coreutils
+ curl
+ gnupg
+ gnugrep
+ gnused
+ nix
+ ;
+ };
+ };
+
+ meta = with stdenv.lib; {
+ homepage = "https://www.torproject.org/";
+ repositories.git = "https://git.torproject.org/git/tor";
+ description = "Anonymizing overlay network";
+
+ longDescription = ''
+ Tor helps improve your privacy by bouncing your communications around a
+ network of relays run by volunteers all around the world: it makes it
+ harder for somebody watching your Internet connection to learn what sites
+ you visit, and makes it harder for the sites you visit to track you. Tor
+ works with many of your existing applications, including web browsers,
+ instant messaging clients, remote login, and other applications based on
+ the TCP protocol.
+ '';
+
+ license = licenses.bsd3;
+
+ maintainers = with maintainers;
+ [ phreedom thoughtpolice joachifm prusnak ];
+ platforms = platforms.unix;
+ };
+}
diff --git a/infra/libkookie/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
new file mode 100644
index 000000000000..a95a373bbb64
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
@@ -0,0 +1,26 @@
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index 0d86a5ab5..e93c6ba89 100644
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -5829,13 +5829,9 @@ test_util_monotonic_time(void *arg)
+ /* We need to be a little careful here since we don't know the system load.
+ */
+ tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_GE, 175);
+- tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_LT, 1000);
+ tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_GE, 125);
+- tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_LT, 1000);
+ tt_u64_op(nsec2-nsec1, OP_GE, 175000000);
+- tt_u64_op(nsec2-nsec1, OP_LT, 1000000000);
+ tt_u64_op(nsecc2-nsecc1, OP_GE, 125000000);
+- tt_u64_op(nsecc2-nsecc1, OP_LT, 1000000000);
+
+ tt_u64_op(msec1, OP_GE, nsec1 / 1000000);
+ tt_u64_op(usec1, OP_GE, nsec1 / 1000);
+@@ -5849,7 +5845,6 @@ test_util_monotonic_time(void *arg)
+ uint64_t coarse_stamp_diff =
+ monotime_coarse_stamp_units_to_approx_msec(stamp2-stamp1);
+ tt_u64_op(coarse_stamp_diff, OP_GE, 120);
+- tt_u64_op(coarse_stamp_diff, OP_LE, 1200);
+
+ {
+ uint64_t units = monotime_msec_to_approx_coarse_stamp_units(5000);
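Review bot: `patches = [ ./disable-monotonic-timer-tests.patch ];` strips every upper-bound assertion out of test_util_monotonic_time while `doCheck = true;` keeps the rest of the suite running, and neither default.nix nor the patch file itself records why; after this change the remaining lower-bound checks no longer catch a monotonic clock that jumps far ahead between two readings. The patch's own context line says the test cannot know the system load, so presumably the `< 1000` checks were failing on loaded builders — that should be written down, e.g. `# Drop the load-sensitive upper bounds (< 1 s) in test_util_monotonic_time; the lower bounds still run.` above the patches line, with the same sentence as a header paragraph at the top of the .patch file. The `torify` substitution also deserves a comment: `--replace 'pathfind torsocks' true` removes the binary-exists check and is only safe because the following `--replace` rewrites the exec line to an absolute store path, so the two replacements must not be separated.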
diff --git a/infra/libkookie/nixpkgs/pkgs/tools/security/tor/tor-arm.nix b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/tor-arm.nix
new file mode 100644
index 000000000000..896ab50562d8
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/tor-arm.nix
@@ -0,0 +1,55 @@
+{ stdenv, fetchurl, makeWrapper
+, python2Packages, ncurses, lsof, nettools
+}:
+
+stdenv.mkDerivation rec {
+ pname = "tor-arm";
+ version = "1.4.5.0";
+
+ src = fetchurl {
+ url = "https://www.atagar.com/arm/resources/static/arm-${version}.tar.bz2";
+ sha256 = "1yi87gdglkvi1a23hv5c3k7mc18g0rw7b05lfcw81qyxhlapf3pw";
+ };
+
+ nativeBuildInputs = [ makeWrapper python2Packages.python ];
+
+ outputs = [ "out" "man" ];
+
+ postPatch = ''
+ substituteInPlace ./setup.py --replace "/usr/bin" "$out/bin"
+ substituteInPlace ./src/util/connections.py \
+ --replace "lsof -wnPi" "${lsof}/bin/lsof"
+ substituteInPlace ./src/util/torTools.py \
+ --replace "netstat -npl" "${nettools}/bin/netstat -npl" \
+ --replace "lsof -wnPi" "${lsof}/bin/lsof"
+
+ substituteInPlace ./arm --replace '"$0" = /usr/bin/arm' 'true'
+ substituteInPlace ./arm --replace "python" "${python2Packages.python}/bin/python"
+
+ for i in ./install ./arm ./src/gui/controller.py ./src/cli/wizard.py ./src/resources/torrcOverride/override.h ./src/resources/torrcOverride/override.py ./src/resources/arm.1 ./setup.py; do
+ substituteInPlace $i --replace "/usr/share" "$out/share"
+ done
+
+ # fixes man page installation
+ substituteInPlace ./setup.py --replace "src/resoureces" "src/resources"
+ '';
+
+ installPhase = ''
+ mkdir -p $out/share/arm $out/bin $out/libexec
+ python setup.py install --prefix=$out --docPath $out/share/doc/arm
+ cp -R src/TorCtl $out/libexec
+
+ wrapProgram $out/bin/arm \
+ --prefix PYTHONPATH : "$(toPythonPath $out):$out/libexec:$PYTHONPATH" \
+ --set TERMINFO "${ncurses.out}/share/terminfo" \
+ --set TERM "xterm"
+ '';
+
+ meta = {
+ description = "A terminal status monitor for Tor relays";
+ homepage = "https://www.atagar.com/arm/";
+ license = stdenv.lib.licenses.gpl3;
+ platforms = stdenv.lib.platforms.unix;
+ maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+ };
+}
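Review bot: The `wrapProgram` call at the end of installPhase bakes build-time state into the wrapper: the `$PYTHONPATH` inside the `--prefix PYTHONPATH` value is expanded by the builder's shell, so whatever PYTHONPATH the build environment carries (presumably empty, but not guaranteed) is hard-coded into `$out/bin/arm`, while `--prefix` already prepends to the runtime value on its own; and `--set TERM "xterm"` overrides the user's real terminal type on every invocation. Suggested lines: `--prefix PYTHONPATH : "$(toPythonPath $out):$out/libexec" \` and `--set-default TERM "xterm"`. In postPatch, `substituteInPlace ./arm --replace "python" "${python2Packages.python}/bin/python"` is a bare substring replacement; if the launcher mentions "python" anywhere other than the interpreter invocation that text is rewritten too, so anchoring the pattern to the exec line (or using patchShebangs) would be safer. The package also pins `python2Packages`, an interpreter that no longer receives upstream security fixes; a comment stating that arm 1.4.5.0 is python2-only would let the next maintainer judge that risk without re-reading the source.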
diff --git a/infra/libkookie/nixpkgs/pkgs/tools/security/tor/torsocks.nix b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/torsocks.nix
new file mode 100644
index 000000000000..381377032d6e
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/torsocks.nix
@@ -0,0 +1,43 @@
+{ stdenv, fetchgit, fetchurl, autoreconfHook, libcap }:
+
+stdenv.mkDerivation rec {
+ pname = "torsocks";
+ version = "2.3.0";
+
+ src = fetchgit {
+ url = meta.repositories.git;
+ rev = "refs/tags/v${version}";
+ sha256 = "0x0wpcigf22sjxg7bm0xzqihmsrz51hl4v8xf91qi4qnmr4ny1hb";
+ };
+
+ nativeBuildInputs = [ autoreconfHook ];
+
+ patches = stdenv.lib.optional stdenv.isDarwin
+ (fetchurl {
+ url = "https://trac.torproject.org/projects/tor/raw-attachment/ticket/28538/0001-Fix-macros-for-accept4-2.patch";
+ sha256 = "97881f0b59b3512acc4acb58a0d6dfc840d7633ead2f400fad70dda9b2ba30b0";
+ });
+
+ postPatch = ''
+ # Patch torify_app()
+ sed -i \
+ -e 's,\(local app_path\)=`which $1`,\1=`type -P $1`,' \
+ src/bin/torsocks.in
+ '' + stdenv.lib.optionalString stdenv.isLinux ''
+ sed -i \
+ -e 's,\(local getcap\)=.*,\1=${libcap}/bin/getcap,' \
+ src/bin/torsocks.in
+ '';
+
+ doInstallCheck = true;
+ installCheckTarget = "check-recursive";
+
+ meta = {
+ description = "Wrapper to safely torify applications";
+ homepage = "https://github.com/dgoulet/torsocks";
+ repositories.git = "https://git.torproject.org/torsocks.git";
+ license = stdenv.lib.licenses.gpl2;
+ platforms = stdenv.lib.platforms.unix;
+ maintainers = with stdenv.lib.maintainers; [ phreedom thoughtpolice ];
+ };
+}
diff --git a/infra/libkookie/nixpkgs/pkgs/tools/security/tor/update.nix b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/update.nix
new file mode 100644
index 000000000000..c944883d4178
--- /dev/null
+++ b/infra/libkookie/nixpkgs/pkgs/tools/security/tor/update.nix
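Review bot: `patches = stdenv.lib.optional stdenv.isDarwin (fetchurl { ... })` pulls the Darwin fix from a trac ticket attachment URL at build time, whereas the sibling tor package in this same commit checks its patch into the tree; the sha256 pins the content, so integrity is covered, but the Darwin build is only as available as that attachment. Vendoring the file next to this one and using `patches = stdenv.lib.optional stdenv.isDarwin ./0001-Fix-macros-for-accept4-2.patch;` keeps the two packages consistent and removes a network dependency from the build. The `src` block checks out a tag ref (`rev = "refs/tags/v${version}"`), which upstream can move; the fixed sha256 is what actually anchors the build, and a one-line comment saying so above `src = fetchgit {` would make that intent explicit to whoever next bumps `version`.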
@@ -0,0 +1,71 @@
+{ lib
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+with lib;
+
+let
+ downloadPageUrl = "https://dist.torproject.org";
+
+ # See https://www.torproject.org/docs/signing-keys.html
+ signingKeys = [
+ # Roger Dingledine
+ "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+ "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
+ # Nick Mathewson
+ "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
+ "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+ ];
+in
+
+writeScript "update-tor" ''
+#! ${bash}/bin/bash
+
+set -eu -o pipefail
+
+export PATH=${makeBinPath [
+ common-updater-scripts
+ coreutils
+ curl
+ gnugrep
+ gnupg
+ gnused
+ nix
+]}
+
+srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
+ | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
+ | sort -Vu \
+ | tail -n1)
+srcFile=$srcBase
+srcUrl=${downloadPageUrl}/$srcBase
+
+srcName=''${srcBase/.tar.gz/}
+srcVers=(''${srcName//-/ })
+version=''${srcVers[1]}
+
+sigUrl=$srcUrl.asc
+sigFile=''${sigUrl##*/}
+
+# upstream does not support byte ranges ...
+[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
+
+export GNUPGHOME=$PWD/gnupg
+mkdir -m 700 -p "$GNUPGHOME"
+
+gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
+gpg --batch --verify "$sigFile" "$srcFile"
+
+sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+
+update-source-version tor "$version" "$sha256"
+'' |
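Review bot: `signingKeys` lists `"B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"` twice — once under `# Roger Dingledine` and again as the second `# Nick Mathewson` entry — so only three distinct fingerprints are imported and whichever key was meant to fill that fourth slot is missing; a release signed with it would fail `gpg --batch --verify` (a safe failure, but the list should be checked against the signing-keys page it cites and the duplicate replaced rather than silently tolerated). `gpg --batch --recv-keys` relies on whatever keyserver the builder's gpg defaults to, so the fetch can differ from machine to machine; passing an explicit `--keyserver` makes the update script reproducible. Because `$GNUPGHOME` is created fresh, `--verify` succeeds for any key in the set just fetched, which makes that list the entire trust anchor — a comment to that effect above `gpg --batch --recv-keys ...` would tell the next maintainer why only release-signing keys belong in `signingKeys`.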