author | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2020-09-11 07:46:59 +0200 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2020-12-30 07:50:44 +0100 |
commit | 88665763001b1e3b2a7bce8b4c89f2d94c5fead1 (patch) | |
tree | 8fdd76bf5aa46acc1d0315662e4863b15d592a87 /pkgs/tools | |
parent | 35c4d1d0795ed02cec20849765a00db1475ff241 (diff) | |
nixos/tor: improve type-checking and hardening
Fixes #77395. Fixes #82790.
Diffstat (limited to 'pkgs/tools')
-rw-r--r-- | pkgs/tools/security/tor/default.nix | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/pkgs/tools/security/tor/default.nix b/pkgs/tools/security/tor/default.nix
index 04bf598d132..e46fd4790a3 100644
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchurl, pkgconfig, libevent, openssl, zlib, torsocks
 , libseccomp, systemd, libcap, lzma, zstd, scrypt, nixosTests
+, writeShellScript
 # for update.nix
 , writeScript
@@ -12,7 +13,21 @@
 , gnused
 , nix
 }:
-
+let
+ tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
+ PATH="${stdenv.lib.makeBinPath [coreutils gnugrep openssl]}"
+ pem="$(openssl genpkey -algorithm x25519)"
+
+ printf private_key=descriptor:x25519:
+ echo "$pem" | grep -v " PRIVATE KEY" |
+ base64 -d | tail --bytes=32 | base32 | tr -d =
+
+ printf public_key=descriptor:x25519:
+ echo "$pem" | openssl pkey -in /dev/stdin -pubout |
+ grep -v " PUBLIC KEY" |
+ base64 -d | tail --bytes=32 | base32 | tr -d =
+ '';
+in
 stdenv.mkDerivation rec {
 pname = "tor";
 version = "0.4.4.6";
@@ -52,6 +67,7 @@ stdenv.mkDerivation rec {
 mkdir -p $geoip/share/tor
 mv $out/share/tor/geoip{,6} $geoip/share/tor
 rm -rf $out/share/tor
+ ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
 '';
 passthru = { |
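Review bot: The generated `tor-client-auth-gen` script in the second hunk runs without any error handling, so if `openssl genpkey` or a later pipeline stage fails it still prints the `private_key=descriptor:x25519:` and `public_key=descriptor:x25519:` prefixes with an empty or truncated value and exits with the status of the final `tr`, which is 0. Adding `set -euo pipefail` as the first line of the script body (writeShellScript should produce a bash shebang, worth confirming) would surface such failures instead of emitting output that looks like a valid key pair. The `tail --bytes=32` steps rely on the DER encoding of an X25519 key ending in the 32 raw key bytes; a comment such as `# DER ends with the 32 raw key bytes; tail drops the ASN.1 header` would record that assumption. Since the script writes the private key to stdout, a one-line comment telling callers to redirect the output into a file created under a restrictive umask would also help. The `let … in` binding is fully inside the hunk, but the `coreutils` and `gnugrep` arguments it uses are declared outside it.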