Diffstat (limited to 'nixpkgs/pkgs/tools/security/tor')
-rw-r--r--nixpkgs/pkgs/tools/security/tor/default.nix89
-rw-r--r--nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch26
-rw-r--r--nixpkgs/pkgs/tools/security/tor/tor-arm.nix55
-rw-r--r--nixpkgs/pkgs/tools/security/tor/torsocks.nix34
-rw-r--r--nixpkgs/pkgs/tools/security/tor/update.nix71
5 files changed, 275 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/tor/default.nix b/nixpkgs/pkgs/tools/security/tor/default.nix
new file mode 100644
index 000000000000..215ab63328fc
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/default.nix
@@ -0,0 +1,89 @@
+{ stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
+, libseccomp, systemd, libcap, lzma, zstd, scrypt
+
+# for update.nix
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tor";
+  version = "0.4.2.7";
+
+  src = fetchurl {
+    url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
+    sha256 = "0v82ngwwmmcb7i9563bgsmrjy6xp83xyhqhaljygd0pkvlsxi886";
+  };
+
+  outputs = [ "out" "geoip" ];
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ libevent openssl zlib lzma zstd scrypt ] ++
+    stdenv.lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];
+
+  patches = [ ./disable-monotonic-timer-tests.patch ];
+
+  NIX_CFLAGS_LINK = stdenv.lib.optionalString stdenv.cc.isGNU "-lgcc_s";
+
+  postPatch = ''
+    substituteInPlace contrib/client-tools/torify \
+      --replace 'pathfind torsocks' true          \
+      --replace 'exec torsocks' 'exec ${torsocks}/bin/torsocks'
+
+    patchShebangs ./scripts/maint/checkShellScripts.sh
+  '';
+
+  enableParallelBuilding = true;
+
+  doCheck = true;
+
+  postInstall = ''
+    mkdir -p $geoip/share/tor
+    mv $out/share/tor/geoip{,6} $geoip/share/tor
+    rm -rf $out/share/tor
+  '';
+
+  passthru.updateScript = import ./update.nix {
+    inherit (stdenv) lib;
+    inherit
+      writeScript
+      common-updater-scripts
+      bash
+      coreutils
+      curl
+      gnupg
+      gnugrep
+      gnused
+      nix
+    ;
+  };
+
+  meta = with stdenv.lib; {
+    homepage = "https://www.torproject.org/";
+    repositories.git = "https://git.torproject.org/git/tor";
+    description = "Anonymizing overlay network";
+
+    longDescription = ''
+      Tor helps improve your privacy by bouncing your communications around a
+      network of relays run by volunteers all around the world: it makes it
+      harder for somebody watching your Internet connection to learn what sites
+      you visit, and makes it harder for the sites you visit to track you. Tor
+      works with many of your existing applications, including web browsers,
+      instant messaging clients, remote login, and other applications based on
+      the TCP protocol.
+    '';
+
+    license = licenses.bsd3;
+
+    maintainers = with maintainers;
+      [ phreedom doublec thoughtpolice joachifm ];
+    platforms = platforms.unix;
+  };
+}
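Review bot: The `patches = [ ./disable-monotonic-timer-tests.patch ];` entry carries no explanation, and the patch file in the next section has no header either, so a reader cannot tell why the upper-bound assertions in test_util_monotonic_time are dropped while `doCheck = true` is kept. Presumably those `OP_LT`/`OP_LE` bounds fail under build-farm load, but that is an inference from the patch content, not something the page states. A one-line comment above the entry, such as `# drops the upper-bound timing assertions in src/test/test_util.c, which are unreliable on a loaded builder` (with the actual reason confirmed by the author), would record the rationale next to the line that applies it.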
diff --git a/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch b/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
new file mode 100644
index 000000000000..a95a373bbb64
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
@@ -0,0 +1,26 @@
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index 0d86a5ab5..e93c6ba89 100644
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -5829,13 +5829,9 @@ test_util_monotonic_time(void *arg)
+   /* We need to be a little careful here since we don't know the system load.
+    */
+   tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_GE, 175);
+-  tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_LT, 1000);
+   tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_GE, 125);
+-  tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_LT, 1000);
+   tt_u64_op(nsec2-nsec1, OP_GE, 175000000);
+-  tt_u64_op(nsec2-nsec1, OP_LT, 1000000000);
+   tt_u64_op(nsecc2-nsecc1, OP_GE, 125000000);
+-  tt_u64_op(nsecc2-nsecc1, OP_LT, 1000000000);
+ 
+   tt_u64_op(msec1, OP_GE, nsec1 / 1000000);
+   tt_u64_op(usec1, OP_GE, nsec1 / 1000);
+@@ -5849,7 +5845,6 @@ test_util_monotonic_time(void *arg)
+   uint64_t coarse_stamp_diff =
+     monotime_coarse_stamp_units_to_approx_msec(stamp2-stamp1);
+   tt_u64_op(coarse_stamp_diff, OP_GE, 120);
+-  tt_u64_op(coarse_stamp_diff, OP_LE, 1200);
+ 
+   {
+     uint64_t units = monotime_msec_to_approx_coarse_stamp_units(5000);
diff --git a/nixpkgs/pkgs/tools/security/tor/tor-arm.nix b/nixpkgs/pkgs/tools/security/tor/tor-arm.nix
new file mode 100644
index 000000000000..896ab50562d8
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/tor-arm.nix
@@ -0,0 +1,55 @@
+{ stdenv, fetchurl, makeWrapper
+, python2Packages, ncurses, lsof, nettools
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tor-arm";
+  version = "1.4.5.0";
+
+  src = fetchurl {
+    url = "https://www.atagar.com/arm/resources/static/arm-${version}.tar.bz2";
+    sha256 = "1yi87gdglkvi1a23hv5c3k7mc18g0rw7b05lfcw81qyxhlapf3pw";
+  };
+
+  nativeBuildInputs = [ makeWrapper python2Packages.python ];
+
+  outputs = [ "out" "man" ];
+
+  postPatch = ''
+    substituteInPlace ./setup.py --replace "/usr/bin" "$out/bin"
+    substituteInPlace ./src/util/connections.py \
+      --replace "lsof -wnPi"   "${lsof}/bin/lsof"
+    substituteInPlace ./src/util/torTools.py \
+      --replace "netstat -npl" "${nettools}/bin/netstat -npl" \
+      --replace "lsof -wnPi"   "${lsof}/bin/lsof"
+
+    substituteInPlace ./arm --replace '"$0" = /usr/bin/arm' 'true'
+    substituteInPlace ./arm --replace "python" "${python2Packages.python}/bin/python"
+
+    for i in ./install ./arm ./src/gui/controller.py ./src/cli/wizard.py ./src/resources/torrcOverride/override.h ./src/resources/torrcOverride/override.py ./src/resources/arm.1 ./setup.py; do
+      substituteInPlace $i --replace "/usr/share" "$out/share"
+    done
+
+    # fixes man page installation
+    substituteInPlace ./setup.py --replace "src/resoureces" "src/resources"
+  '';
+
+  installPhase = ''
+    mkdir -p $out/share/arm $out/bin $out/libexec
+    python setup.py install --prefix=$out --docPath $out/share/doc/arm
+    cp -R src/TorCtl $out/libexec
+
+    wrapProgram $out/bin/arm \
+      --prefix PYTHONPATH : "$(toPythonPath $out):$out/libexec:$PYTHONPATH" \
+      --set TERMINFO "${ncurses.out}/share/terminfo" \
+      --set TERM "xterm"
+  '';
+
+  meta = {
+    description = "A terminal status monitor for Tor relays";
+    homepage    = "https://www.atagar.com/arm/";
+    license     = stdenv.lib.licenses.gpl3;
+    platforms   = stdenv.lib.platforms.unix;
+    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
+  };
+}
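Review bot: `substituteInPlace ./arm --replace "python" "${python2Packages.python}/bin/python"` rewrites every occurrence of the substring `python` in the launcher, not only the interpreter invocation, so any other path, variable name or message containing that word is changed as well; anchoring the replacement on the exact invocation the script uses (the shebang or the `python` command line, to be checked against the upstream file) would be safer. Separately, `--set TERM "xterm"` in the wrapProgram call overrides whatever terminal the user is actually running in; `--set-default TERM "xterm"` keeps the fallback while respecting an existing value. The `--prefix PYTHONPATH : "...:$PYTHONPATH"` argument also bakes the build-time `$PYTHONPATH` into the wrapper, which is presumably either empty or a set of store paths from the Python setup hook — worth confirming it is the intended value.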
diff --git a/nixpkgs/pkgs/tools/security/tor/torsocks.nix b/nixpkgs/pkgs/tools/security/tor/torsocks.nix
new file mode 100644
index 000000000000..2ce4c9806eb3
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/torsocks.nix
@@ -0,0 +1,34 @@
+{ stdenv, fetchgit, autoreconfHook, libcap }:
+
+stdenv.mkDerivation rec {
+  pname = "torsocks";
+  version = "2.3.0";
+
+  src = fetchgit {
+    url    = meta.repositories.git;
+    rev    = "refs/tags/v${version}";
+    sha256 = "0x0wpcigf22sjxg7bm0xzqihmsrz51hl4v8xf91qi4qnmr4ny1hb";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  postPatch = ''
+    # Patch torify_app()
+    sed -i \
+      -e 's,\(local app_path\)=`which $1`,\1=`type -P $1`,' \
+      -e 's,\(local getcap\)=.*,\1=${libcap}/bin/getcap,' \
+      src/bin/torsocks.in
+  '';
+
+  doInstallCheck = true;
+  installCheckTarget = "check-recursive";
+
+  meta = {
+    description      = "Wrapper to safely torify applications";
+    homepage         = "https://github.com/dgoulet/torsocks";
+    repositories.git = "https://git.torproject.org/torsocks.git";
+    license          = stdenv.lib.licenses.gpl2;
+    platforms        = stdenv.lib.platforms.unix;
+    maintainers      = with stdenv.lib.maintainers; [ phreedom thoughtpolice ];
+  };
+}
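Review bot: The `# Patch torify_app()` comment above the sed call does not say what the two expressions change, so a reader has to decode the regexes: the first replaces the backticked `which $1` lookup of `app_path` with the bash builtin `type -P $1`, the second pins `getcap` to `${libcap}/bin/getcap`. A comment naming both, e.g. `# torify_app(): resolve the target with the bash builtin instead of which, and use libcap's getcap`, lets the next maintainer verify the substitutions without running them. Note also that `rev = "refs/tags/v${version}"` is a mutable ref; the fixed-output `sha256` is what actually pins the source, so a moved tag surfaces as a hash mismatch rather than a silent change.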
diff --git a/nixpkgs/pkgs/tools/security/tor/update.nix b/nixpkgs/pkgs/tools/security/tor/update.nix
new file mode 100644
index 000000000000..c944883d4178
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/tor/update.nix
@@ -0,0 +1,71 @@
+{ lib
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+with lib;
+
+let
+  downloadPageUrl = "https://dist.torproject.org";
+
+  # See https://www.torproject.org/docs/signing-keys.html
+  signingKeys = [
+    # Roger Dingledine
+    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+    "F65C E37F 04BA 5B36 0AE6 EE17 C218 5258 19F7 8451"
+    # Nick Mathewson
+    "2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB"
+    "B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5"
+  ];
+in
+
+writeScript "update-tor" ''
+#! ${bash}/bin/bash
+
+set -eu -o pipefail
+
+export PATH=${makeBinPath [
+  common-updater-scripts
+  coreutils
+  curl
+  gnugrep
+  gnupg
+  gnused
+  nix
+]}
+
+srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
+  | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
+  | sort -Vu \
+  | tail -n1)
+srcFile=$srcBase
+srcUrl=${downloadPageUrl}/$srcBase
+
+srcName=''${srcBase/.tar.gz/}
+srcVers=(''${srcName//-/ })
+version=''${srcVers[1]}
+
+sigUrl=$srcUrl.asc
+sigFile=''${sigUrl##*/}
+
+# upstream does not support byte ranges ...
+[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
+
+export GNUPGHOME=$PWD/gnupg
+mkdir -m 700 -p "$GNUPGHOME"
+
+gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
+gpg --batch --verify "$sigFile" "$srcFile"
+
+sha256=$(nix-hash --type sha256 --flat --base32 "$srcFile")
+
+update-source-version tor "$version" "$sha256"
+''
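Review bot: The `signingKeys` list repeats the fingerprint `B117 2656 DFF9 83C3 042B C699 EB5A 896A 2898 8BF5`, once under `# Roger Dingledine` and again as the last entry under `# Nick Mathewson`, so either a second Mathewson key is missing or the duplicate should be dropped; the duplicate is harmless to `gpg --recv-keys`, but the wrong attribution will mislead whoever next audits this trust set against the signing-keys page referenced in the comment. The verification is also only as strong as the keyring contents: `GNUPGHOME=$PWD/gnupg` is created with `mkdir -m 700 -p` and reused across runs, so any key imported in an earlier run stays accepted, and `gpg --batch --verify` succeeds for any key present in that keyring rather than only the listed fingerprints. Creating the keyring fresh for each run (for example under `mktemp -d`) or checking the signer fingerprint reported by gpg against `signingKeys` would make the check match the intent of the list.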