From: openbsd@systemfailure.net Subject: [Update] net/tor 0.4.9.5 To: ports@openbsd.org,Pascal Stumpf Date: Mon, 16 Feb 2026 10:59:08 +0000 Hi, Please find attached a patch updating net/tor to the latest stable version. According to the release announcement [*], this is the first stable version of the 0.4.9.x series. Among many changes, it brings two major features: - A new cryptographic protocol named "Counter Galois Onion", which provides improved resistance to several types of tagging attacks, as well as better forward secrecy and stronger protection against forgery - A feature called "Happy Families", which will enable a significant reduction in bandwidth usage Best regards. -- [*] https://forum.torproject.org/t/stable-release-0-4-9-5/21227 Index: Makefile =================================================================== RCS file: /cvs/ports/net/tor/Makefile,v diff -u -p -r1.176 Makefile --- Makefile 30 Jan 2026 19:47:51 -0000 1.176 +++ Makefile 14 Feb 2026 22:40:50 -0000 @@ -1,6 +1,6 @@ COMMENT= anonymity service using onion routing -DISTNAME= tor-0.4.8.22 +DISTNAME= tor-0.4.9.5 CATEGORIES= net HOMEPAGE= https://www.torproject.org/ Index: distinfo =================================================================== RCS file: /cvs/ports/net/tor/distinfo,v diff -u -p -r1.141 distinfo --- distinfo 30 Jan 2026 19:47:51 -0000 1.141 +++ distinfo 14 Feb 2026 22:40:50 -0000 @@ -1,2 +1,2 @@ -SHA256 (tor-0.4.8.22.tar.gz) = yIYg2SeKJ549In/2CXW4SqQTWSEfjs/2hgGZI7mSkzI= -SIZE (tor-0.4.8.22.tar.gz) = 10625231 +SHA256 (tor-0.4.9.5.tar.gz) = yUnC+Gs0jmSJGXb2seScF3ZVsj35cZMEm/G4zTCZ4Xk= +SIZE (tor-0.4.9.5.tar.gz) = 10810648 Index: patches/patch-configure_ac =================================================================== RCS file: /cvs/ports/net/tor/patches/patch-configure_ac,v diff -u -p -r1.22 patch-configure_ac --- patches/patch-configure_ac 11 Nov 2025 19:24:37 -0000 1.22 +++ patches/patch-configure_ac 14 Feb 2026 22:40:50 -0000 @@ -2,7 +2,7 @@ disable -fasynchronous-unwind-tables as Index: configure.ac --- configure.ac.orig +++ configure.ac -@@ -1483,13 +1483,6 @@ fi +@@ -1499,13 +1499,6 @@ fi CFLAGS="$saved_CFLAGS" AC_SUBST(F_OMIT_FRAME_POINTER) Index: patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c =================================================================== RCS file: patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c diff -N patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c --- patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c 11 Mar 2022 19:47:53 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,59 +0,0 @@ -Fix build with opaque structs in LibreSSL 3.5 - -Index: src/lib/crypt_ops/crypto_dh_openssl.c ---- src/lib/crypt_ops/crypto_dh_openssl.c.orig -+++ src/lib/crypt_ops/crypto_dh_openssl.c -@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU - /* Copy into a temporary DH object, just so that DH_check() can be called. */ - if (!(dh = DH_new())) - goto out; --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - BIGNUM *dh_p, *dh_g; - if (!(dh_p = BN_dup(p))) - goto out; -@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g) - goto err; - } - --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - - if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) { - goto err; -@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh) - int - crypto_dh_generate_public(crypto_dh_t *dh) - { --#ifndef OPENSSL_1_1_API -+#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER) - again: - #endif - if (!DH_generate_key(dh->dh)) { -@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh) - return -1; - /* LCOV_EXCL_STOP */ - } --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without - * recreating the DH object. I have no idea what sort of aliasing madness - * can occur here, so do the check, and just bail on failure. -@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si - - const BIGNUM *dh_pub; - --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - const BIGNUM *dh_priv; - DH_get0_key(dh->dh, &dh_pub, &dh_priv); - #else -@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si - if (crypto_dh_generate_public(dh)<0) - return -1; - else { --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - DH_get0_key(dh->dh, &dh_pub, &dh_priv); - #else - dh_pub = dh->dh->pub_key; Index: patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c =================================================================== RCS file: patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c diff -N patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c --- patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c 29 Aug 2023 20:25:19 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,41 +0,0 @@ -Fix build with opaque structs in LibreSSL 3.5 - -Index: src/lib/crypt_ops/crypto_rsa_openssl.c ---- src/lib/crypt_ops/crypto_rsa_openssl.c.orig -+++ src/lib/crypt_ops/crypto_rsa_openssl.c -@@ -47,7 +47,7 @@ struct crypto_pk_t - int - crypto_pk_key_is_private(const crypto_pk_t *k) - { --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - if (!k || !k->key) - return 0; - -@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env) - - const BIGNUM *e; - --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - const BIGNUM *n, *d; - RSA_get0_key(env->key, &n, &e, &d); - #else -@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_ - const BIGNUM *a_n, *a_e; - const BIGNUM *b_n, *b_e; - --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - const BIGNUM *a_d, *b_d; - RSA_get0_key(a->key, &a_n, &a_e, &a_d); - RSA_get0_key(b->key, &b_n, &b_e, &b_d); -@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env) - tor_assert(env); - tor_assert(env->key); - --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - /* It's so stupid that there's no other way to check that n is valid - * before calling RSA_bits(). - */ Index: patches/patch-src_lib_tls_x509_openssl_c =================================================================== RCS file: patches/patch-src_lib_tls_x509_openssl_c diff -N patches/patch-src_lib_tls_x509_openssl_c --- patches/patch-src_lib_tls_x509_openssl_c 11 Mar 2022 19:47:53 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -Fix build with opaque structs in LibreSSL 3.5 - -Index: src/lib/tls/x509_openssl.c ---- src/lib/tls/x509_openssl.c.orig -+++ src/lib/tls/x509_openssl.c -@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity, - cert_key = X509_get_pubkey(cert->cert); - if (check_rsa_1024 && cert_key) { - RSA *rsa = EVP_PKEY_get1_RSA(cert_key); --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - if (rsa && RSA_bits(rsa) == 1024) { - #else - if (rsa && BN_num_bits(rsa->n) == 1024) { Index: patches/patch-src_test_test_crypto_c =================================================================== RCS file: patches/patch-src_test_test_crypto_c diff -N patches/patch-src_test_test_crypto_c --- patches/patch-src_test_test_crypto_c 29 Aug 2023 20:25:19 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -Fix build with opaque structs in LibreSSL 3.5 - -Index: src/test/test_crypto.c ---- src/test/test_crypto.c.orig -+++ src/test/test_crypto.c -@@ -187,7 +187,7 @@ test_crypto_dh(void *arg) - dh4 = crypto_dh_new_openssl_tls(); - tt_assert(DH_generate_key(dh4)); - const BIGNUM *pk=NULL; --#ifdef OPENSSL_1_1_API -+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER) - const BIGNUM *sk=NULL; - DH_get0_key(dh4, &pk, &sk); - #else Index: patches/patch-src_test_test_crypto_openssl_c =================================================================== RCS file: patches/patch-src_test_test_crypto_openssl_c diff -N patches/patch-src_test_test_crypto_openssl_c --- patches/patch-src_test_test_crypto_openssl_c 11 Mar 2022 19:47:53 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,14 +0,0 @@ -Fix build with opaque structs in LibreSSL 3.5 - -Index: src/test/test_crypto_openssl.c ---- src/test/test_crypto_openssl.c.orig -+++ src/test/test_crypto_openssl.c -@@ -49,7 +49,7 @@ test_crypto_rng_engine(void *arg) - ; - } - --#ifndef OPENSSL_1_1_API -+#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER) - #define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX)) - #define EVP_ENCODE_CTX_free(ctx) tor_free(ctx) - #endif