author | anthraxx | 2016-11-13 02:25:37 +0100 |
---|---|---|
committer | anthraxx | 2016-11-13 02:25:37 +0100 |
commit | f412f343efe010252571ff1f489f2706de756238 (patch) | |
tree | 9cb9125dc858fe4bbe4ccb38a5a60017531f607e | |
parent | 7185056f6b60d2e53b9c30cfad7f731846f783a1 (diff) | |
upgpkg: tlsdate 0.0.13-2 (sslv3 patch)
-rw-r--r-- | .SRCINFO | 16 | ||||
-rw-r--r-- | PKGBUILD | 79 | ||||
-rw-r--r-- | no_sslv3.patch | 251 | ||||
-rw-r--r-- | tlsdate.install | 23 | ||||
-rw-r--r-- | tlsdate.service | 2 |
5 files changed, 305 insertions, 66 deletions
@@ -1,29 +1,29 @@
 pkgbase = tlsdate
- pkgdesc = A secure rdate replacement to update local time over HTTPS
+ pkgdesc = Secure rdate replacement to update local time over HTTPS
 pkgver = 0.0.13
- pkgrel = 1
+ pkgrel = 2
 url = https://github.com/ioerror/tlsdate
 install = tlsdate.install
 arch = i686
 arch = x86_64
- arch = armv7h
- arch = armv6l
- arch = armv6h
 license = BSD
 depends = openssl
 depends = ca-certificates
 depends = libevent
 depends = dbus
 depends = zlib
+ depends = libseccomp
 options = emptydirs
 backup = etc/conf.d/tlsdate
 backup = etc/tlsdate/tlsdated.conf
 source = https://github.com/ioerror/tlsdate/archive/tlsdate-0.0.13.tar.gz
 source = tlsdate.conf.d
 source = tlsdate.service
- sha256sums = 90efdff87504b5159cb6a3eefa9ddd43723c073d49c4b3febba9e48fc1292bf9
- sha256sums = 1498a74913feb66c6e2e7d982f43b07fc48881947543969668a75ef4323503aa
- sha256sums = deaac31649fa6dc6fc54ca3dec231cbdb2a58c6d4aa08cf5498599f42a100472
+ source = no_sslv3.patch
+ sha512sums = 6ec9940884d2f7fb18d546c3081300355437208eb0c6e335dd056edd10b4383c211a49f00da84f68affa96a912be8071cbae941f117d5e96020ded4a0226bc33
+ sha512sums = 0639dd4c7f4df14465da7a5efc8a59fa59bb0155ed0f453cab9cbcc74f22c320080b71ad5361ff2ebf83d64e8c205fbe605deb69a0cb503be5412eff5f1ac220
+ sha512sums = 2b06abe8d7bc2133ca4f8d7cfbf63de4c2fad8356ea8d3f53e6d1c161c2ff86089c4d64f7de7ca6c6222db254ecaaccbc4706012fee50319d83860bfb3a2eab0
+ sha512sums = 038590ebef55adae75a82fd4f697306ea56f9486f1b7ff1f9eb4c292f8ea2a960b720db72e100d1bb70f5b5e1391369a1fd9ce2e8b756e79152937289c159294

 pkgname = tlsdate
@@ -1,55 +1,54 @@
-# Maintainer: skydrome <skydrome@tormail.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Contributor: skydrome <skydrome@tormail.org>
 pkgname=tlsdate
 pkgver=0.0.13
-pkgrel=1
-pkgdesc="A secure rdate replacement to update local time over HTTPS"
-arch=('i686' 'x86_64' 'armv7h' 'armv6l' 'armv6h')
-url="https://github.com/ioerror/tlsdate"
+pkgrel=2
+pkgdesc='Secure rdate replacement to update local time over HTTPS'
+url='https://github.com/ioerror/tlsdate'
+arch=('i686' 'x86_64')
 license=('BSD')
-depends=('openssl' 'ca-certificates' 'libevent' 'dbus' 'zlib')
-options=('emptydirs')
-install='tlsdate.install'
+depends=('openssl' 'ca-certificates' 'libevent' 'dbus' 'zlib' 'libseccomp')
 backup=('etc/conf.d/tlsdate' 'etc/tlsdate/tlsdated.conf')
-source=("https://github.com/ioerror/tlsdate/archive/tlsdate-${pkgver}.tar.gz"
- #"tlsdate-$pkgver.zip::https://github.com/ioerror/tlsdate/archive/master.zip"
- 'tlsdate.conf.d'
- 'tlsdate.service')
-
-sha256sums=('90efdff87504b5159cb6a3eefa9ddd43723c073d49c4b3febba9e48fc1292bf9'
- '1498a74913feb66c6e2e7d982f43b07fc48881947543969668a75ef4323503aa'
- 'deaac31649fa6dc6fc54ca3dec231cbdb2a58c6d4aa08cf5498599f42a100472')
+options=('emptydirs')
+install=tlsdate.install
+source=(https://github.com/ioerror/tlsdate/archive/tlsdate-${pkgver}.tar.gz
+ tlsdate.conf.d
+ tlsdate.service
+ no_sslv3.patch)
+sha512sums=('6ec9940884d2f7fb18d546c3081300355437208eb0c6e335dd056edd10b4383c211a49f00da84f68affa96a912be8071cbae941f117d5e96020ded4a0226bc33'
+ '0639dd4c7f4df14465da7a5efc8a59fa59bb0155ed0f453cab9cbcc74f22c320080b71ad5361ff2ebf83d64e8c205fbe605deb69a0cb503be5412eff5f1ac220'
+ '2b06abe8d7bc2133ca4f8d7cfbf63de4c2fad8356ea8d3f53e6d1c161c2ff86089c4d64f7de7ca6c6222db254ecaaccbc4706012fee50319d83860bfb3a2eab0'
+ '038590ebef55adae75a82fd4f697306ea56f9486f1b7ff1f9eb4c292f8ea2a960b720db72e100d1bb70f5b5e1391369a1fd9ce2e8b756e79152937289c159294')
 prepare() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
- ./autogen.sh
+ cd ${pkgname}-${pkgname}-${pkgver}
+ patch -p1 < "${srcdir}/no_sslv3.patch"
+ ./autogen.sh
 }
 build() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
-
- #--disable-seccomp-filter \
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --sysconfdir=/etc \
- --with-dbus-group=tlsdate \
- --with-unpriv-group=tlsdate \
- --with-unpriv-user=tlsdate
- make
+ cd ${pkgname}-${pkgname}-${pkgver}
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --with-dbus-client-group=tlsdate \
+ --with-unpriv-group=tlsdate \
+ --with-unpriv-user=tlsdate \
+ --without-polarssl
+ make
 }
 package() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
-
- make DESTDIR="$pkgdir" install
- rm -rf "$pkgdir/usr/lib/libtlsdate_compat.a"
- install -dm750 "$pkgdir/var/cache/tlsdated"
- install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tlsdate/LICENSE"
- install -Dm644 "$srcdir/tlsdate.conf.d" "$pkgdir/etc/conf.d/tlsdate"
- install -Dm644 "$srcdir/tlsdate.service" "$pkgdir/usr/lib/systemd/system/tlsdate.service"
+ cd ${pkgname}-${pkgname}-${pkgver}
+ make DESTDIR="${pkgdir}" install
+ install -Dm 644 README -t "${pkgdir}/usr/share/doc/${pkgname}"
+ install -Dm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}"
+ install -Dm 644 "${srcdir}/tlsdate.conf.d" "${pkgdir}/etc/conf.d/tlsdate"
+ install -Dm 644 "${srcdir}/tlsdate.service" -t "${pkgdir}/usr/lib/systemd/system"
+ install -d "${pkgdir}/var/cache/tlsdated"
 }
+
+# vim: ts=2 sw=2 et:
diff --git a/no_sslv3.patch b/no_sslv3.patch
new file mode 100644
index 000000000000..d009103cbf8b
--- /dev/null
+++ b/no_sslv3.patch
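Review bot: `install -d "${pkgdir}/var/cache/tlsdated"` in the new package() creates the daemon's cache directory with install's default 0755, whereas the removed line used `-dm750`; the loosening is not mentioned in the commit message and nothing visible here needs other users to read that directory, so `install -dm 750 "${pkgdir}/var/cache/tlsdated"` keeps the previous mode. Separately, libseccomp is now a hard dependency and the old `--disable-seccomp-filter` comment is gone, but ./configure is not told to enable the filter; if upstream auto-detects it, passing the enable counterpart of that flag explicitly turns a silently missing sandbox into a build failure. The hunk ends at package()'s closing brace, so nothing is cut.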
@@ -0,0 +1,251 @@
+From b1afb00818c8d269c52d4b914e62fd5a9985df69 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 27 Apr 2016 21:10:03 +0200
+Subject: [PATCH] Drop explicit support SSLv3 and TLSv1
+
+There is no addedd value in using only SSLv3 or TLSv1. With current openssl
+implementation the sslv3 functions can be disabled and TLSv1 functions may be
+removed as well. Further the TLSv1 function offers the TLSv1 protocol while
+we have today upto TLSv1.2.
+
+Therefore I remove the explicit SSLv3 and TLSv1 functions and use only SSLv23
+function which is the only one which supports multiple SSL versions.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ man/tlsdate.1 | 4 +---
+ src/tlsdate-helper-plan9.c | 38 ++++++++++++--------------------------
+ src/tlsdate-helper.c | 44 +++++++++++++++-----------------------------
+ src/tlsdate-helper.h | 2 --
+ src/tlsdate.c | 6 +-----
+ src/tlsdate.h | 2 --
+ 6 files changed, 29 insertions(+), 67 deletions(-)
+
+diff --git a/man/tlsdate.1 b/man/tlsdate.1
+index b052e48..fce06cd 100644
+--- a/man/tlsdate.1
++++ b/man/tlsdate.1
+@@ -5,7 +5,7 @@
+ .SH NAME
+ tlsdate \- secure parasitic rdate replacement
+ .SH SYNOPSIS
+-.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \
++.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] \
+ [\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport]
+ .SH DESCRIPTION
+ .B tlsdate
+@@ -30,8 +30,6 @@ Set remote hostname (default: 'google.com')
+ Do not set the system clock to the time of the remote server
+ .IP "\-p | \-\-port [port]"
+ Set remote port (default: '443')
+-.IP "\-P | \-\-protocol [sslv23|sslv3|tlsv1]"
+-Set protocol to use when communicating with server (default: 'tlsv1')
+ .IP "\-C | \-\-certdir [dirname]"
+ Set the local directory where certificates are located
+ (default: '/etc/ssl/certs')
+diff --git a/src/tlsdate-helper-plan9.c b/src/tlsdate-helper-plan9.c
+index 3c532aa..369d168 100644
+--- a/src/tlsdate-helper-plan9.c
++++ b/src/tlsdate-helper-plan9.c
+@@ -974,23 +974,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion)
+ SSL_library_init();
+
+ ctx = NULL;
+- if (0 == strcmp("sslv23", protocol))
+- {
+- verb ("V: using SSLv23_client_method()\n");
+- ctx = SSL_CTX_new(SSLv23_client_method());
+- } else if (0 == strcmp("sslv3", protocol))
+- {
+- verb ("V: using SSLv3_client_method()\n");
+- ctx = SSL_CTX_new(SSLv3_client_method());
+- } else if (0 == strcmp("tlsv1", protocol))
+- {
+- verb ("V: using TLSv1_client_method()\n");
+- ctx = SSL_CTX_new(TLSv1_client_method());
+- } else
+- die("Unsupported protocol `%s'\n", protocol);
+-
++ verb ("V: using SSLv23_client_method()\n");
++ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ctx == NULL)
+- die("OpenSSL failed to support protocol `%s'\n", protocol);
++ die("OpenSSL failed to support protocol `sslv23'\n");
+
+ verb("V: Using OpenSSL for SSL\n");
+ if (ca_racket)
+@@ -1077,20 +1064,19 @@ main(int argc, char **argv)
+ int timewarp;
+ int leap;
+
+- if (argc != 12)
++ if (argc != 11)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+- protocol = argv[3];
+- ca_cert_container = argv[6];
+- ca_racket = (0 != strcmp ("unchecked", argv[4]));
+- verbose = (0 != strcmp ("quiet", argv[5]));
+- setclock = (0 == strcmp ("setclock", argv[7]));
+- showtime = (0 == strcmp ("showtime", argv[8]));
+- timewarp = (0 == strcmp ("timewarp", argv[9]));
+- leap = (0 == strcmp ("leapaway", argv[10]));
+- proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
++ ca_cert_container = argv[5];
++ ca_racket = (0 != strcmp ("unchecked", argv[3]));
++ verbose = (0 != strcmp ("quiet", argv[4]));
++ setclock = (0 == strcmp ("setclock", argv[6]));
++ showtime = (0 == strcmp ("showtime", argv[7]));
++ timewarp = (0 == strcmp ("timewarp", argv[8]));
++ leap = (0 == strcmp ("leapaway", argv[9]));
++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]);
+
+ if (timewarp)
+ {
+diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
+index 877c67e..1fe48d9 100644
+--- a/src/tlsdate-helper.c
++++ b/src/tlsdate-helper.c
+@@ -1129,23 +1129,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
+ SSL_library_init();
+
+ ctx = NULL;
+- if (0 == strcmp("sslv23", protocol))
+- {
+- verb ("V: using SSLv23_client_method()");
+- ctx = SSL_CTX_new(SSLv23_client_method());
+- } else if (0 == strcmp("sslv3", protocol))
+- {
+- verb ("V: using SSLv3_client_method()");
+- ctx = SSL_CTX_new(SSLv3_client_method());
+- } else if (0 == strcmp("tlsv1", protocol))
+- {
+- verb ("V: using TLSv1_client_method()");
+- ctx = SSL_CTX_new(TLSv1_client_method());
+- } else
+- die("Unsupported protocol `%s'", protocol);
+-
++ verb ("V: using SSLv23_client_method()");
++ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ctx == NULL)
+- die("OpenSSL failed to support protocol `%s'", protocol);
++ die("OpenSSL failed to support protocol `sslv23'");
+
+ verb("V: Using OpenSSL for SSL");
+ if (ca_racket)
+@@ -1257,23 +1244,22 @@ main(int argc, char **argv)
+ int leap;
+ int http;
+
+- if (argc != 13)
++ if (argc != 12)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+- protocol = argv[3];
+- ca_cert_container = argv[6];
+- ca_racket = (0 != strcmp ("unchecked", argv[4]));
+- verbose = (0 != strcmp ("quiet", argv[5]));
+- verbose_debug = (0 != strcmp ("verbose", argv[5]));
+- setclock = (0 == strcmp ("setclock", argv[7]));
+- showtime = (0 == strcmp ("showtime", argv[8]));
+- showtime_raw = (0 == strcmp ("showtime=raw", argv[8]));
+- timewarp = (0 == strcmp ("timewarp", argv[9]));
+- leap = (0 == strcmp ("leapaway", argv[10]));
+- proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
+- http = (0 == (strcmp("http", argv[12])));
++ ca_cert_container = argv[5];
++ ca_racket = (0 != strcmp ("unchecked", argv[3]));
++ verbose = (0 != strcmp ("quiet", argv[4]));
++ verbose_debug = (0 != strcmp ("verbose", argv[4]));
++ setclock = (0 == strcmp ("setclock", argv[6]));
++ showtime = (0 == strcmp ("showtime", argv[7]));
++ showtime_raw = (0 == strcmp ("showtime=raw", argv[7]));
++ timewarp = (0 == strcmp ("timewarp", argv[8]));
++ leap = (0 == strcmp ("leapaway", argv[9]));
++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]);
++ http = (0 == (strcmp("http", argv[11])));
+
+ /* Initalize warp_time with RECENT_COMPILE_DATE */
+ clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0);
+diff --git a/src/tlsdate-helper.h b/src/tlsdate-helper.h
+index 64e4092..810ee7e 100644
+--- a/src/tlsdate-helper.h
++++ b/src/tlsdate-helper.h
+@@ -118,8 +118,6 @@ static const char *hostname_to_verify;
+
+ static const char *port;
+
+-static const char *protocol;
+-
+ static char *proxy;
+
+ static const char *ca_cert_container;
+diff --git a/src/tlsdate.c b/src/tlsdate.c
+index dd7f993..c85ca35 100644
+--- a/src/tlsdate.c
++++ b/src/tlsdate.c
+@@ -88,7 +88,6 @@ usage (void)
+ " [-n|--dont-set-clock]\n"
+ " [-H|--host] [hostname|ip]\n"
+ " [-p|--port] [port number]\n"
+- " [-P|--protocol] [sslv23|sslv3|tlsv1]\n"
+ " [-C|--certcontainer] [dirname|filename]\n"
+ " [-v|--verbose]\n"
+ " [-V|--showtime] [human|raw]\n"
+@@ -108,7 +107,6 @@ main (int argc, char **argv)
+ int setclock;
+ const char *host;
+ const char *port;
+- const char *protocol;
+ const char *ca_cert_container;
+ int timewarp;
+ int leap;
+@@ -117,7 +115,6 @@ main (int argc, char **argv)
+
+ host = DEFAULT_HOST;
+ port = DEFAULT_PORT;
+- protocol = DEFAULT_PROTOCOL;
+ ca_cert_container = DEFAULT_CERTFILE;
+ verbose = 0;
+ ca_racket = 1;
+@@ -176,7 +173,7 @@ main (int argc, char **argv)
+ port = optarg;
+ break;
+ case 'P':
+- protocol = optarg;
++ /* ignore for compatibility */
+ break;
+ case 'n':
+ setclock = 0;
+@@ -219,7 +216,6 @@ main (int argc, char **argv)
+ "tlsdate",
+ host,
+ port,
+- protocol,
+ (ca_racket ? "racket" : "unchecked"),
+ (verbose ? "verbose" : "quiet"),
+ ca_cert_container,
+diff --git a/src/tlsdate.h b/src/tlsdate.h
+index 52305eb..d236b67 100644
+--- a/src/tlsdate.h
++++ b/src/tlsdate.h
+@@ -27,7 +27,6 @@
+ #define DEFAULT_HOST "google.com"
+ #define DEFAULT_PORT "443"
+ #define DEFAULT_PROXY "none"
+-#define DEFAULT_PROTOCOL "tlsv1"
+ #define DEFAULT_CERTDIR "/etc/ssl/certs"
+ #define DEFAULT_CERTFILE TLSDATE_CERTFILE
+ #define DEFAULT_DAEMON_CACHEDIR "/var/cache/tlsdated"
+@@ -239,7 +238,6 @@ typedef struct
+ time_t manual_time;
+ char *host;
+ char *port;
+- char *protocol;
+ } tlsdate_options_t;
+
+ #endif /* TLSDATE_H */
diff --git a/tlsdate.install b/tlsdate.install
index 621d5c042b30..ce46b6e1215e 100644
--- a/tlsdate.install
+++ b/tlsdate.install
@@ -1,23 +1,12 @@
 post_install() {
- getent passwd tlsdate &>/dev/null || {
- echo -n ">>> Creating tlsdate system user... "
- useradd --system --no-create-home \
- --user-group \
- --home /var/cache/tlsdated \
- tlsdate &&
- echo "ok" || echo "fail"
- }
- chown -R tlsdate:tlsdate /var/cache/tlsdated
+ getent group tlsdate &> /dev/null || groupadd tlsdate
+ getent passwd tlsdate &> /dev/null || \
+ useradd -M -r -d /var/cache/tlsdate -g tlsdate -s /bin/nologin tlsdate
+ chown -R tlsdate:tlsdate /var/cache/tlsdated
 }
 post_upgrade() {
- chown -R tlsdate:tlsdate /var/cache/tlsdated
+ post_install
 }
-pre_remove() {
- getent passwd tlsdate &>/dev/null && {
- echo -n ">>> Removing tlsdate system user... "
- userdel tlsdate
- echo "ok"
- }
-}
+# vim: ts=2 sw=2 et:
diff --git a/tlsdate.service b/tlsdate.service
index afbb5208e824..e48cf50ccec2 100644
--- a/tlsdate.service
+++ b/tlsdate.service
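Review bot: In both run_ssl hunks of the bundled patch (src/tlsdate-helper.c and src/tlsdate-helper-plan9.c) the replacement `ctx = SSL_CTX_new(SSLv23_client_method());` does not by itself exclude SSLv3: SSLv23_client_method() negotiates whatever the linked OpenSSL still offers, and the patch description only says the sslv3 functions "can be disabled" in the library, so the package's "no_sslv3" naming holds only for an OpenSSL built that way. If the intent is to never complete an SSLv3 handshake regardless of the library build, add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` right after the `if (ctx == NULL)` die in each file, unless the rest of run_ssl, which lies outside the hunk, already sets those options. A smaller point in src/tlsdate.c: `case 'P': /* ignore for compatibility */` silently accepts `-P sslv3`, so a user asking for a specific protocol gets no indication that the option has become a no-op; a one-line warning on stderr there would make the behaviour change visible. The run_ssl and main bodies continue outside the hunks shown.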
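Review bot: The new `useradd -M -r -d /var/cache/tlsdate -g tlsdate -s /bin/nologin tlsdate` sets the account's home to /var/cache/tlsdate, but the chown on the following line, the removed `--home /var/cache/tlsdated` and the directory the package ships all use /var/cache/tlsdated, so the user is created with a home directory that never exists; change it to `useradd -M -r -d /var/cache/tlsdated -g tlsdate -s /bin/nologin tlsdate`. Also, with post_upgrade now calling post_install, the recursive `chown -R tlsdate:tlsdate /var/cache/tlsdated` runs as root on every upgrade over a tree the unprivileged daemon has been writing to; since the package itself only installs the empty directory, a non-recursive `chown tlsdate:tlsdate /var/cache/tlsdated` does the same job without re-owning whatever the service has placed there. The hunk covers the whole file.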
@@ -1,5 +1,5 @@
 [Unit]
-Description=Secure parasitic time daemon
+Description=Secure parasitic rdate replacement
 After=network.target

 [Service]