authoranthraxx2016-11-13 02:25:37 +0100
committeranthraxx2016-11-13 02:25:37 +0100
commitf412f343efe010252571ff1f489f2706de756238 (patch)
tree9cb9125dc858fe4bbe4ccb38a5a60017531f607e
parent7185056f6b60d2e53b9c30cfad7f731846f783a1 (diff)
upgpkg: tlsdate 0.0.13-2 (sslv3 patch)
-rw-r--r--.SRCINFO16
-rw-r--r--PKGBUILD79
-rw-r--r--no_sslv3.patch251
-rw-r--r--tlsdate.install23
-rw-r--r--tlsdate.service2
5 files changed, 305 insertions, 66 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 49d57eebbde4..af5a1ccda4cf 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,29 +1,29 @@
pkgbase = tlsdate
- pkgdesc = A secure rdate replacement to update local time over HTTPS
+ pkgdesc = Secure rdate replacement to update local time over HTTPS
pkgver = 0.0.13
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/ioerror/tlsdate
install = tlsdate.install
arch = i686
arch = x86_64
- arch = armv7h
- arch = armv6l
- arch = armv6h
license = BSD
depends = openssl
depends = ca-certificates
depends = libevent
depends = dbus
depends = zlib
+ depends = libseccomp
options = emptydirs
backup = etc/conf.d/tlsdate
backup = etc/tlsdate/tlsdated.conf
source = https://github.com/ioerror/tlsdate/archive/tlsdate-0.0.13.tar.gz
source = tlsdate.conf.d
source = tlsdate.service
- sha256sums = 90efdff87504b5159cb6a3eefa9ddd43723c073d49c4b3febba9e48fc1292bf9
- sha256sums = 1498a74913feb66c6e2e7d982f43b07fc48881947543969668a75ef4323503aa
- sha256sums = deaac31649fa6dc6fc54ca3dec231cbdb2a58c6d4aa08cf5498599f42a100472
+ source = no_sslv3.patch
+ sha512sums = 6ec9940884d2f7fb18d546c3081300355437208eb0c6e335dd056edd10b4383c211a49f00da84f68affa96a912be8071cbae941f117d5e96020ded4a0226bc33
+ sha512sums = 0639dd4c7f4df14465da7a5efc8a59fa59bb0155ed0f453cab9cbcc74f22c320080b71ad5361ff2ebf83d64e8c205fbe605deb69a0cb503be5412eff5f1ac220
+ sha512sums = 2b06abe8d7bc2133ca4f8d7cfbf63de4c2fad8356ea8d3f53e6d1c161c2ff86089c4d64f7de7ca6c6222db254ecaaccbc4706012fee50319d83860bfb3a2eab0
+ sha512sums = 038590ebef55adae75a82fd4f697306ea56f9486f1b7ff1f9eb4c292f8ea2a960b720db72e100d1bb70f5b5e1391369a1fd9ce2e8b756e79152937289c159294
pkgname = tlsdate
diff --git a/PKGBUILD b/PKGBUILD
index c3dd635890e7..91e9185ea571 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,55 +1,54 @@
-# Maintainer: skydrome <skydrome@tormail.org>
+# Maintainer: Levente Polyak <anthraxx[at]archlinux[dot]org>
+# Contributor: skydrome <skydrome@tormail.org>
pkgname=tlsdate
pkgver=0.0.13
-pkgrel=1
-pkgdesc="A secure rdate replacement to update local time over HTTPS"
-arch=('i686' 'x86_64' 'armv7h' 'armv6l' 'armv6h')
-url="https://github.com/ioerror/tlsdate"
+pkgrel=2
+pkgdesc='Secure rdate replacement to update local time over HTTPS'
+url='https://github.com/ioerror/tlsdate'
+arch=('i686' 'x86_64')
license=('BSD')
-depends=('openssl' 'ca-certificates' 'libevent' 'dbus' 'zlib')
-options=('emptydirs')
-install='tlsdate.install'
+depends=('openssl' 'ca-certificates' 'libevent' 'dbus' 'zlib' 'libseccomp')
backup=('etc/conf.d/tlsdate'
'etc/tlsdate/tlsdated.conf')
-source=("https://github.com/ioerror/tlsdate/archive/tlsdate-${pkgver}.tar.gz"
- #"tlsdate-$pkgver.zip::https://github.com/ioerror/tlsdate/archive/master.zip"
- 'tlsdate.conf.d'
- 'tlsdate.service')
-
-sha256sums=('90efdff87504b5159cb6a3eefa9ddd43723c073d49c4b3febba9e48fc1292bf9'
- '1498a74913feb66c6e2e7d982f43b07fc48881947543969668a75ef4323503aa'
- 'deaac31649fa6dc6fc54ca3dec231cbdb2a58c6d4aa08cf5498599f42a100472')
+options=('emptydirs')
+install=tlsdate.install
+source=(https://github.com/ioerror/tlsdate/archive/tlsdate-${pkgver}.tar.gz
+ tlsdate.conf.d
+ tlsdate.service
+ no_sslv3.patch)
+sha512sums=('6ec9940884d2f7fb18d546c3081300355437208eb0c6e335dd056edd10b4383c211a49f00da84f68affa96a912be8071cbae941f117d5e96020ded4a0226bc33'
+ '0639dd4c7f4df14465da7a5efc8a59fa59bb0155ed0f453cab9cbcc74f22c320080b71ad5361ff2ebf83d64e8c205fbe605deb69a0cb503be5412eff5f1ac220'
+ '2b06abe8d7bc2133ca4f8d7cfbf63de4c2fad8356ea8d3f53e6d1c161c2ff86089c4d64f7de7ca6c6222db254ecaaccbc4706012fee50319d83860bfb3a2eab0'
+ '038590ebef55adae75a82fd4f697306ea56f9486f1b7ff1f9eb4c292f8ea2a960b720db72e100d1bb70f5b5e1391369a1fd9ce2e8b756e79152937289c159294')
prepare() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
- ./autogen.sh
+ cd ${pkgname}-${pkgname}-${pkgver}
+ patch -p1 < "${srcdir}/no_sslv3.patch"
+ ./autogen.sh
}
build() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
-
- #--disable-seccomp-filter \
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --sysconfdir=/etc \
- --with-dbus-group=tlsdate \
- --with-unpriv-group=tlsdate \
- --with-unpriv-user=tlsdate
- make
+ cd ${pkgname}-${pkgname}-${pkgver}
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --with-dbus-client-group=tlsdate \
+ --with-unpriv-group=tlsdate \
+ --with-unpriv-user=tlsdate \
+ --without-polarssl
+ make
}
package() {
- cd "$srcdir/$pkgname-$pkgname-$pkgver"
- #cd "$srcdir/tlsdate-master"
-
- make DESTDIR="$pkgdir" install
- rm -rf "$pkgdir/usr/lib/libtlsdate_compat.a"
- install -dm750 "$pkgdir/var/cache/tlsdated"
- install -Dm644 LICENSE "$pkgdir/usr/share/licenses/tlsdate/LICENSE"
- install -Dm644 "$srcdir/tlsdate.conf.d" "$pkgdir/etc/conf.d/tlsdate"
- install -Dm644 "$srcdir/tlsdate.service" "$pkgdir/usr/lib/systemd/system/tlsdate.service"
+ cd ${pkgname}-${pkgname}-${pkgver}
+ make DESTDIR="${pkgdir}" install
+ install -Dm 644 README -t "${pkgdir}/usr/share/doc/${pkgname}"
+ install -Dm 644 LICENSE -t "${pkgdir}/usr/share/licenses/${pkgname}"
+ install -Dm 644 "${srcdir}/tlsdate.conf.d" "${pkgdir}/etc/conf.d/tlsdate"
+ install -Dm 644 "${srcdir}/tlsdate.service" -t "${pkgdir}/usr/lib/systemd/system"
+ install -d "${pkgdir}/var/cache/tlsdated"
}
+
+# vim: ts=2 sw=2 et:
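Review bot: `install -d "${pkgdir}/var/cache/tlsdated"` in package() drops the 0750 mode that the replaced `install -dm750` line set, so the daemon cache directory (DEFAULT_DAEMON_CACHEDIR in the bundled patch) now ships 0755 with no reason given in the commit; keep the restriction with `install -dm 750 "${pkgdir}/var/cache/tlsdated"`. The three `cd ${pkgname}-${pkgname}-${pkgver}` lines are unquoted where the old code quoted them; the values are fixed here, but `cd "${pkgname}-${pkgname}-${pkgver}"` keeps them consistent with the other expansions in the file. Also note that the no_sslv3.patch applied in prepare() only collapses the method selection onto SSLv23_client_method() and nothing in its hunks sets SSL_OP_NO_SSLv3 on the context, so whether SSLv3 can still be negotiated depends on how the linked openssl was built; the "(sslv3 patch)" in the commit title is a build fix, not a hardening change, and a comment above the `patch -p1` line saying so would avoid that misreading.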
diff --git a/no_sslv3.patch b/no_sslv3.patch
new file mode 100644
index 000000000000..d009103cbf8b
--- /dev/null
+++ b/no_sslv3.patch
@@ -0,0 +1,251 @@
+From b1afb00818c8d269c52d4b914e62fd5a9985df69 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 27 Apr 2016 21:10:03 +0200
+Subject: [PATCH] Drop explicit support SSLv3 and TLSv1
+
+There is no addedd value in using only SSLv3 or TLSv1. With current openssl
+implementation the sslv3 functions can be disabled and TLSv1 functions may be
+removed as well. Further the TLSv1 function offers the TLSv1 protocol while
+we have today upto TLSv1.2.
+
+Therefore I remove the explicit SSLv3 and TLSv1 functions and use only SSLv23
+function which is the only one which supports multiple SSL versions.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ man/tlsdate.1 | 4 +---
+ src/tlsdate-helper-plan9.c | 38 ++++++++++++--------------------------
+ src/tlsdate-helper.c | 44 +++++++++++++++-----------------------------
+ src/tlsdate-helper.h | 2 --
+ src/tlsdate.c | 6 +-----
+ src/tlsdate.h | 2 --
+ 6 files changed, 29 insertions(+), 67 deletions(-)
+
+diff --git a/man/tlsdate.1 b/man/tlsdate.1
+index b052e48..fce06cd 100644
+--- a/man/tlsdate.1
++++ b/man/tlsdate.1
+@@ -5,7 +5,7 @@
+ .SH NAME
+ tlsdate \- secure parasitic rdate replacement
+ .SH SYNOPSIS
+-.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \
++.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] \
+ [\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport]
+ .SH DESCRIPTION
+ .B tlsdate
+@@ -30,8 +30,6 @@ Set remote hostname (default: 'google.com')
+ Do not set the system clock to the time of the remote server
+ .IP "\-p | \-\-port [port]"
+ Set remote port (default: '443')
+-.IP "\-P | \-\-protocol [sslv23|sslv3|tlsv1]"
+-Set protocol to use when communicating with server (default: 'tlsv1')
+ .IP "\-C | \-\-certdir [dirname]"
+ Set the local directory where certificates are located
+ (default: '/etc/ssl/certs')
+diff --git a/src/tlsdate-helper-plan9.c b/src/tlsdate-helper-plan9.c
+index 3c532aa..369d168 100644
+--- a/src/tlsdate-helper-plan9.c
++++ b/src/tlsdate-helper-plan9.c
+@@ -974,23 +974,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion)
+ SSL_library_init();
+
+ ctx = NULL;
+- if (0 == strcmp("sslv23", protocol))
+- {
+- verb ("V: using SSLv23_client_method()\n");
+- ctx = SSL_CTX_new(SSLv23_client_method());
+- } else if (0 == strcmp("sslv3", protocol))
+- {
+- verb ("V: using SSLv3_client_method()\n");
+- ctx = SSL_CTX_new(SSLv3_client_method());
+- } else if (0 == strcmp("tlsv1", protocol))
+- {
+- verb ("V: using TLSv1_client_method()\n");
+- ctx = SSL_CTX_new(TLSv1_client_method());
+- } else
+- die("Unsupported protocol `%s'\n", protocol);
+-
++ verb ("V: using SSLv23_client_method()\n");
++ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ctx == NULL)
+- die("OpenSSL failed to support protocol `%s'\n", protocol);
++ die("OpenSSL failed to support protocol `sslv23'\n");
+
+ verb("V: Using OpenSSL for SSL\n");
+ if (ca_racket)
+@@ -1077,20 +1064,19 @@ main(int argc, char **argv)
+ int timewarp;
+ int leap;
+
+- if (argc != 12)
++ if (argc != 11)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+- protocol = argv[3];
+- ca_cert_container = argv[6];
+- ca_racket = (0 != strcmp ("unchecked", argv[4]));
+- verbose = (0 != strcmp ("quiet", argv[5]));
+- setclock = (0 == strcmp ("setclock", argv[7]));
+- showtime = (0 == strcmp ("showtime", argv[8]));
+- timewarp = (0 == strcmp ("timewarp", argv[9]));
+- leap = (0 == strcmp ("leapaway", argv[10]));
+- proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
++ ca_cert_container = argv[5];
++ ca_racket = (0 != strcmp ("unchecked", argv[3]));
++ verbose = (0 != strcmp ("quiet", argv[4]));
++ setclock = (0 == strcmp ("setclock", argv[6]));
++ showtime = (0 == strcmp ("showtime", argv[7]));
++ timewarp = (0 == strcmp ("timewarp", argv[8]));
++ leap = (0 == strcmp ("leapaway", argv[9]));
++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]);
+
+ if (timewarp)
+ {
+diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
+index 877c67e..1fe48d9 100644
+--- a/src/tlsdate-helper.c
++++ b/src/tlsdate-helper.c
+@@ -1129,23 +1129,10 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
+ SSL_library_init();
+
+ ctx = NULL;
+- if (0 == strcmp("sslv23", protocol))
+- {
+- verb ("V: using SSLv23_client_method()");
+- ctx = SSL_CTX_new(SSLv23_client_method());
+- } else if (0 == strcmp("sslv3", protocol))
+- {
+- verb ("V: using SSLv3_client_method()");
+- ctx = SSL_CTX_new(SSLv3_client_method());
+- } else if (0 == strcmp("tlsv1", protocol))
+- {
+- verb ("V: using TLSv1_client_method()");
+- ctx = SSL_CTX_new(TLSv1_client_method());
+- } else
+- die("Unsupported protocol `%s'", protocol);
+-
++ verb ("V: using SSLv23_client_method()");
++ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ctx == NULL)
+- die("OpenSSL failed to support protocol `%s'", protocol);
++ die("OpenSSL failed to support protocol `sslv23'");
+
+ verb("V: Using OpenSSL for SSL");
+ if (ca_racket)
+@@ -1257,23 +1244,22 @@ main(int argc, char **argv)
+ int leap;
+ int http;
+
+- if (argc != 13)
++ if (argc != 12)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+- protocol = argv[3];
+- ca_cert_container = argv[6];
+- ca_racket = (0 != strcmp ("unchecked", argv[4]));
+- verbose = (0 != strcmp ("quiet", argv[5]));
+- verbose_debug = (0 != strcmp ("verbose", argv[5]));
+- setclock = (0 == strcmp ("setclock", argv[7]));
+- showtime = (0 == strcmp ("showtime", argv[8]));
+- showtime_raw = (0 == strcmp ("showtime=raw", argv[8]));
+- timewarp = (0 == strcmp ("timewarp", argv[9]));
+- leap = (0 == strcmp ("leapaway", argv[10]));
+- proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
+- http = (0 == (strcmp("http", argv[12])));
++ ca_cert_container = argv[5];
++ ca_racket = (0 != strcmp ("unchecked", argv[3]));
++ verbose = (0 != strcmp ("quiet", argv[4]));
++ verbose_debug = (0 != strcmp ("verbose", argv[4]));
++ setclock = (0 == strcmp ("setclock", argv[6]));
++ showtime = (0 == strcmp ("showtime", argv[7]));
++ showtime_raw = (0 == strcmp ("showtime=raw", argv[7]));
++ timewarp = (0 == strcmp ("timewarp", argv[8]));
++ leap = (0 == strcmp ("leapaway", argv[9]));
++ proxy = (0 == strcmp ("none", argv[10]) ? NULL : argv[10]);
++ http = (0 == (strcmp("http", argv[11])));
+
+ /* Initalize warp_time with RECENT_COMPILE_DATE */
+ clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0);
+diff --git a/src/tlsdate-helper.h b/src/tlsdate-helper.h
+index 64e4092..810ee7e 100644
+--- a/src/tlsdate-helper.h
++++ b/src/tlsdate-helper.h
+@@ -118,8 +118,6 @@ static const char *hostname_to_verify;
+
+ static const char *port;
+
+-static const char *protocol;
+-
+ static char *proxy;
+
+ static const char *ca_cert_container;
+diff --git a/src/tlsdate.c b/src/tlsdate.c
+index dd7f993..c85ca35 100644
+--- a/src/tlsdate.c
++++ b/src/tlsdate.c
+@@ -88,7 +88,6 @@ usage (void)
+ " [-n|--dont-set-clock]\n"
+ " [-H|--host] [hostname|ip]\n"
+ " [-p|--port] [port number]\n"
+- " [-P|--protocol] [sslv23|sslv3|tlsv1]\n"
+ " [-C|--certcontainer] [dirname|filename]\n"
+ " [-v|--verbose]\n"
+ " [-V|--showtime] [human|raw]\n"
+@@ -108,7 +107,6 @@ main (int argc, char **argv)
+ int setclock;
+ const char *host;
+ const char *port;
+- const char *protocol;
+ const char *ca_cert_container;
+ int timewarp;
+ int leap;
+@@ -117,7 +115,6 @@ main (int argc, char **argv)
+
+ host = DEFAULT_HOST;
+ port = DEFAULT_PORT;
+- protocol = DEFAULT_PROTOCOL;
+ ca_cert_container = DEFAULT_CERTFILE;
+ verbose = 0;
+ ca_racket = 1;
+@@ -176,7 +173,7 @@ main (int argc, char **argv)
+ port = optarg;
+ break;
+ case 'P':
+- protocol = optarg;
++ /* ignore for compatibility */
+ break;
+ case 'n':
+ setclock = 0;
+@@ -219,7 +216,6 @@ main (int argc, char **argv)
+ "tlsdate",
+ host,
+ port,
+- protocol,
+ (ca_racket ? "racket" : "unchecked"),
+ (verbose ? "verbose" : "quiet"),
+ ca_cert_container,
+diff --git a/src/tlsdate.h b/src/tlsdate.h
+index 52305eb..d236b67 100644
+--- a/src/tlsdate.h
++++ b/src/tlsdate.h
+@@ -27,7 +27,6 @@
+ #define DEFAULT_HOST "google.com"
+ #define DEFAULT_PORT "443"
+ #define DEFAULT_PROXY "none"
+-#define DEFAULT_PROTOCOL "tlsv1"
+ #define DEFAULT_CERTDIR "/etc/ssl/certs"
+ #define DEFAULT_CERTFILE TLSDATE_CERTFILE
+ #define DEFAULT_DAEMON_CACHEDIR "/var/cache/tlsdated"
+@@ -239,7 +238,6 @@ typedef struct
+ time_t manual_time;
+ char *host;
+ char *port;
+- char *protocol;
+ } tlsdate_options_t;
+
+ #endif /* TLSDATE_H */
diff --git a/tlsdate.install b/tlsdate.install
index 621d5c042b30..ce46b6e1215e 100644
--- a/tlsdate.install
+++ b/tlsdate.install
@@ -1,23 +1,12 @@
post_install() {
- getent passwd tlsdate &>/dev/null || {
- echo -n ">>> Creating tlsdate system user... "
- useradd --system --no-create-home \
- --user-group \
- --home /var/cache/tlsdated \
- tlsdate &&
- echo "ok" || echo "fail"
- }
- chown -R tlsdate:tlsdate /var/cache/tlsdated
+ getent group tlsdate &> /dev/null || groupadd tlsdate
+ getent passwd tlsdate &> /dev/null || \
+ useradd -M -r -d /var/cache/tlsdate -g tlsdate -s /bin/nologin tlsdate
+ chown -R tlsdate:tlsdate /var/cache/tlsdated
}
post_upgrade() {
- chown -R tlsdate:tlsdate /var/cache/tlsdated
+ post_install
}
-pre_remove() {
- getent passwd tlsdate &>/dev/null && {
- echo -n ">>> Removing tlsdate system user... "
- userdel tlsdate
- echo "ok"
- }
-}
+# vim: ts=2 sw=2 et:
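Review bot: The new `useradd` line sets the account home to `/var/cache/tlsdate`, but the directory the package creates and the `chown -R` on the following line both use `/var/cache/tlsdated` (the removed code also used `--home /var/cache/tlsdated`); change it to `useradd -M -r -d /var/cache/tlsdated -g tlsdate -s /bin/nologin tlsdate`. Because `-M` creates no directory, the mismatch is silent and only shows up as a dangling home entry in passwd. Since post_upgrade now calls post_install, the `chown -R` also runs on every upgrade; that is fine for the cache directory, but a one-line comment such as `# post_upgrade re-runs this; every step must be idempotent` would tell the next maintainer why the guards matter.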
diff --git a/tlsdate.service b/tlsdate.service
index afbb5208e824..e48cf50ccec2 100644
--- a/tlsdate.service
+++ b/tlsdate.service
@@ -1,5 +1,5 @@
[Unit]
-Description=Secure parasitic time daemon
+Description=Secure parasitic rdate replacement
After=network.target
[Service]