Created build for tlsdate as alternative to NTPD

build-scripts/tlsdate.build

@@ -0,0 +1,61 @@
+#! /bin/bash
+
+# tlsdate 0.0.13
+# Source: https://github.com/ioerror/tlsdate/archive/tlsdate-0.0.13.tar.gz
+#
+# $BUILD = Directory to temporarily install
+# $PKGS  = Directory to store built packages
+
+# use system certs
+sed -i Makefile.am \
+	-e 's|/tlsdate/ca-roots/tlsdate-ca-roots.conf|/ssl/certs/ca-certificates.crt|'
+sh ./autogen.sh
+
+patch -Np0 -i ../patches/tlsdate-void/libressl-no-sslv3.patch
+patch -Np0 -i ../patches/tlsdate-void/libressl-sslstate.patch
+patch -Np0 -i ../patches/tlsdate-void/sandbox.patch
+
+export CFLAGS=" -fcommon"
+ac_cv_func_clock_gettime=yes \
+./configure --prefix=/usr --disable-static --sysconfdir=/etc --with-polarssl=no $BUILDTRUPLE 
+
+read -p "Press Enter to compile" &&
+make -j2 && 
+unset CFLAGS
+
+read -p "Press Enter to install" &&
+# if not using a package manager:
+# make install
+
+# if using pkgtools from Slackware, then:
+sudo -S make DESTDIR=$BUILD install
+sudo -S rm ${BUILD}/etc/tlsdate/ca-roots/tlsdate-ca-roots.conf
+
+read -p "Press Enter to create pakage description."
+cd $BUILD && sudo mkdir -v install &&
+cat > /tmp/slack-desc << "EOF"
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in.  You must
+# make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':'.
+
+       |-----handy-ruler------------------------------------------------------|
+tlsdate: tlsdate (secure parasitic rdate replacement)
+tlsdate:
+tlsdate: tlsdate sets the local clock by securely connecting with TLS to
+tlsdate: remote servers and extracting the remote time out of the secure
+tlsdate: handshake. Unlike ntpdate, tlsdate uses TCP, for instance connecting
+tlsdate: to a remote HTTPS or TLS enabled service, and provides some
+tlsdate: protection against adversaries that try to feed you malicious time
+tlsdate: information.
+tlsdate:
+tlsdate: Homepage: https://github.com/ioerror/tlsdate
+tlsdate:
+EOF
+sudo mv /tmp/slack-desc install/ &&
+
+read -p "Enter to build package" &&
+sudo -S makepkg -l y -c n $PKGS/tlsdate-0.0.13-$(uname -m)-mlfs.txz &&
+sudo -S rm -rf $BUILD/*

patches/tlsdate-void/libressl-no-sslv3.patch

@@ -0,0 +1,57 @@
+--- src/tlsdate.c.orig	2016-03-30 23:41:39.121031885 +0200
++++ src/tlsdate.c	2016-03-30 23:41:49.442032351 +0200
+@@ -88,7 +88,7 @@
+            " [-n|--dont-set-clock]\n"
+            " [-H|--host] [hostname|ip]\n"
+            " [-p|--port] [port number]\n"
+-           " [-P|--protocol] [sslv23|sslv3|tlsv1]\n"
++           " [-P|--protocol] [sslv23|tlsv1]\n"
+            " [-C|--certcontainer] [dirname|filename]\n"
+            " [-v|--verbose]\n"
+            " [-V|--showtime] [human|raw]\n"
+--- man/tlsdate.1.orig	2016-03-30 23:42:18.100033647 +0200
++++ man/tlsdate.1	2016-03-30 23:42:35.659034441 +0200
+@@ -5,7 +5,7 @@
+ .SH NAME
+ tlsdate \- secure parasitic rdate replacement
+ .SH SYNOPSIS
+-.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \
++.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|tlsv1]] \
+ [\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport]
+ .SH DESCRIPTION
+ .B tlsdate
+@@ -30,7 +30,7 @@
+ Do not set the system clock to the time of the remote server
+ .IP "\-p | \-\-port [port]"
+ Set remote port (default: '443')
+-.IP "\-P | \-\-protocol [sslv23|sslv3|tlsv1]"
++.IP "\-P | \-\-protocol [sslv23|tlsv1]"
+ Set protocol to use when communicating with server (default: 'tlsv1')
+ .IP "\-C | \-\-certdir [dirname]"
+ Set the local directory where certificates are located
+--- src/tlsdate-helper-plan9.c.orig	2016-03-30 23:43:12.577036110 +0200
++++ src/tlsdate-helper-plan9.c	2016-03-30 23:43:32.403037006 +0200
+@@ -978,10 +978,6 @@
+   {
+     verb ("V: using SSLv23_client_method()\n");
+     ctx = SSL_CTX_new(SSLv23_client_method());
+-  } else if (0 == strcmp("sslv3", protocol))
+-  {
+-    verb ("V: using SSLv3_client_method()\n");
+-    ctx = SSL_CTX_new(SSLv3_client_method());
+   } else if (0 == strcmp("tlsv1", protocol))
+   {
+     verb ("V: using TLSv1_client_method()\n");
+--- src/tlsdate-helper.c.orig	2016-03-30 23:33:02.056008510 +0200
++++ src/tlsdate-helper.c	2016-03-30 23:34:46.400013227 +0200
+@@ -1133,10 +1133,6 @@
+   {
+     verb ("V: using SSLv23_client_method()");
+     ctx = SSL_CTX_new(SSLv23_client_method());
+-  } else if (0 == strcmp("sslv3", protocol))
+-  {
+-    verb ("V: using SSLv3_client_method()");
+-    ctx = SSL_CTX_new(SSLv3_client_method());
+   } else if (0 == strcmp("tlsv1", protocol))
+   {
+     verb ("V: using TLSv1_client_method()");

patches/tlsdate-void/libressl-sslstate.patch

@@ -0,0 +1,11 @@
+--- src/tlsdate-helper.c.orig
++++ src/tlsdate-helper.c
+@@ -374,7 +374,7 @@
+ openssl_time_callback (const SSL* ssl, int where, int ret)
+ {
+   if (where == SSL_CB_CONNECT_LOOP &&
+-      (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
++      (SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_A || SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_B))
+   {
+     // XXX TODO: If we want to trust the remote system for time,
+     // can we just read that time out of the remote system and if the

patches/tlsdate-void/sandbox.patch

@@ -0,0 +1,27 @@
+--- src/seccomp.c.orig	2018-12-20 16:56:30.070932156 +0100
++++ src/seccomp.c	2018-12-20 16:57:19.849670660 +0100
+@@ -43,6 +43,14 @@
+ #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
+ #elif defined(__x86_64__)
+ #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
++#elif defined(__aarch64__)
++#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
++#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)
++#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE
++#elif defined(__powerpc64__)
++#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64
++#elif defined(__powerpc__)
++#  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC
+ #elif defined(__arm__)
+ # ifndef EM_ARM
+ #   define EM_ARM 40
+@@ -87,7 +89,9 @@
+     SC_ALLOW (exit_group),
+     SC_ALLOW (exit),
+ 
++#ifdef __NR_open
+     SC_DENY (open, EINVAL),
++#endif
+     SC_DENY (fcntl, EINVAL),
+     SC_DENY (fstat, EINVAL),
+ #ifdef __NR_mmap