
Replaced htpdate with tlsdate for time synchronization

TODO: IP rotation of tlsdate server IPs in /etc/hosts
Maxim Kammerer 12 年之前
父节点
当前提交
976f8141ea

+ 0 - 1
conf/rootfs.excludes

@@ -121,7 +121,6 @@
 /etc/skel/
 /etc/locale.gen
 /etc/timezone
-/etc/tlsdate/
 /etc/sgml/
 /etc/ca-certificates/
 /etc/ca-certificates.conf

+ 1 - 0
doc/changelog.txt

@@ -5,6 +5,7 @@
   * Xorg server 1.13
   * Firewire SBP-2 module is blacklisted to prevent Firewire RAM access
 
+  * Replaced htpdate with tlsdate for time synchronization
   * Added "gentoo=obfs" boot parameter for obfsproxy Tor bridges
   * Added "gentoo=xkms" boot parameter for forcing X modesetting driver
   * More robust Xorg autoconfiguration

+ 3 - 3
doc/info.txt

@@ -22,12 +22,12 @@ HKP(S)
   + [alt: x-hkp://pool.sks-keyservers.net]
   + [alt: x-hkp://keys.gnupg.net]
 
+tlsdate
+  + www.google.com
+
 NTP [disabled]
   + [0-3].pool.ntp.org
 
-HTP
-  + {google,msn,yahoo,facebook,myspace}.com
-
 
 
 SSL/TLS implementations

+ 0 - 19
src/etc/NetworkManager/dispatcher.d/01-htp

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-exec 1>/dev/null 2>&1
-
-iface=$1
-action=$2
-
-case ${action} in
-*up)
-        # htpdate doesn't bind itself to interfaces, it resolves
-        # hostnames every time it sends a HEAD request.
-        # The custom version sets the time once the network
-        # is available, and uses adjtime afterwards.
-        if ! /etc/init.d/htpdate -q status; then
-            logger -p 6 -t nm.dispatch "Starting HTP service (${iface})"
-            /etc/init.d/htpdate -q start
-        fi
-        ;;
-esac

+ 16 - 0
src/etc/NetworkManager/dispatcher.d/01-tlsdated

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+exec 1>/dev/null 2>&1
+
+iface=$1
+action=$2
+
+case ${action} in
+*up)
+        # tlsdated doesn't bind itself to interfaces
+        if ! /etc/init.d/tlsdated -q status; then
+            logger -p 6 -t nm.dispatch "Starting tlsdated service (${iface})"
+            /etc/init.d/tlsdated -qS start
+        fi
+        ;;
+esac
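Review bot: The `exec 1>/dev/null 2>&1` on the third line together with the unchecked `/etc/init.d/tlsdated -qS start` means a failure to start the time daemon leaves no trace at all, and with tordate removed in this commit there is no other clock source left for Tor's consensus validity checks. I would report the failure through syslog, which the script already uses for the success path: `/etc/init.d/tlsdated -qS start || logger -p 3 -t nm.dispatch "Failed to start tlsdated (${iface})"`. The `-S` flag presumably guards the window between the `status` test and `start`; a short comment saying so would help, since the deleted 01-htp script explained its own behaviour and this one does not.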

+ 1 - 1
src/etc/NetworkManager/dispatcher.d/02-tor

@@ -11,7 +11,7 @@ case ${action} in
         # changing IPs/interfaces well
         if ! /etc/init.d/tor -q status; then
             logger -p 6 -t nm.dispatch "Starting Tor service (${iface})"
-            /etc/init.d/tor -q start
+            /etc/init.d/tor -qS start
         else
             logger -p 6 -t nm.dispatch "Restarting Tor service (${iface})"
             /etc/init.d/tor -qs restart

+ 0 - 6
src/etc/conf.d/htpdate

@@ -1,6 +0,0 @@
-SERVERS="google.com facebook.com yahoo.com msn.com"
-
-# minimal 5min interval (divided between servers)
-HTPDATE_OPTS="-D -s -4 -l -u htp:htp -m 300"
-
-PROXY="-P 127.0.0.1:8118"

+ 8 - 0
src/etc/conf.d/tlsdated

@@ -0,0 +1,8 @@
+# Host is synced with /etc/hosts and /usr/local/sbin/fw-reload
+TLSDATED_CMD="/usr/bin/tlsdate -tl -H www.google.com"
+
+# Additional tlsdated options (don't write to HW RTC)
+TLSDATED_OPTS="-w"
+
+# Timestamp directory (pass "-c" above if changed)
+TLSDATED_CACHE_DIR="/var/cache/tlsdated"
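Review bot: The header comment says the host is "synced" with /etc/hosts and fw-reload but not what breaks when they drift: fw-reload opens only the address found in /etc/hosts, so if that address stops serving a certificate valid for www.google.com (Google rotates front-end addresses), tlsdate's certificate check fails and the clock is never set, with no fallback now that tordate is gone. I would spell that out next to TLSDATED_CMD, e.g. `# www.google.com must resolve (via /etc/hosts) to an address that still serves a cert for that name; fw-reload opens only that address for uid nobody, so a stale entry means no time sync at all`. As far as I can tell tlsdate verifies the server certificate unless `-V` is passed, so the absence of `-V` here is what makes the pin meaningful and is worth stating, so that nobody later adds it to "fix" a stale address.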

+ 4 - 0
src/etc/hosts

@@ -4,3 +4,7 @@
 
 # hostname, dnsdomainname, hostname -f
 127.0.0.1	liberte.local liberte
+
+# tlsdate IPs
+# TODO: IP rotation (in /etc/init.d/lockdown)
+74.125.136.104	www.google.com
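Review bot: The pinned entry on the last line overrides name resolution for www.google.com for every local resolver client, not only for tlsdate; anything that resolves locally (presumably the `nofw` profile and root-initiated tools) will be sent to this one address, and once Google retires it those lookups fail rather than fall back to DNS. Since fw-reload extracts the address from this file, I would record the coupling here and not only in the TODO: `# Must match TLSDATED_CMD in /etc/conf.d/tlsdated; fw-reload reads this address for the tlsdate egress rule, and the host must keep serving a certificate valid for www.google.com`.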

+ 2 - 1
src/etc/init.d/lockdown

@@ -15,7 +15,8 @@ depend() {
     # using /var/run
     after bootmisc
 
-    # fw-reload needs /var/run/usage-profile
+    # fw-reload needs /var/run/usage-profile,
+    # and also extracts IPs from /etc/hosts
     before iptables
 }
 

+ 0 - 14
src/etc/init.d/tordate

@@ -1,14 +0,0 @@
-#!/sbin/runscript
-
-description="Sets date from Tor consensus and handles Tor restarts."
-
-command=/usr/local/sbin/tordate
-command_background="true"
-pidfile=/var/run/tordate.pid
-
-depend() {
-    # need /var
-    need   localmount
-
-    before NetworkManager tor
-}

+ 0 - 51
src/root/helpers/vfy-htp-servers

@@ -1,51 +0,0 @@
-#!/bin/sh -e
-
-# Character classes in regexps
-export LC_ALL=C
-
-# SERVERS contains list of HTP servers
-# NOTE: contains just "google.com" during fresh build
-. /etc/conf.d/htpdate
-
-# Time discrepancy tolerance and connection retries per server
-maxdiff=60
-retries=3
-
-# RFC 1123 Date: header regexp
-# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.3.1
-datere='[[:alpha:]]{3}, [[:digit:]]{2} [[:alpha:]]{3} [[:digit:]]{4} [[:digit:]:]{8} GMT'
-
-
-# Gather timestamps in seconds-since-epoch format
-htpdates=
-for htp in ${SERVERS}; do
-    echo -ne "${htp}:\t"
-
-    # Try to get the header several times (-f skips proxy headers)
-    htpdate=
-    count=${retries}
-    while [ -z "${htpdate}"  -a  ${count} -ne 0 ]; do
-        htpdate=`curl -sfI ${htp} | sed -rn "s/^Date: (${datere})\r\$/\1/p"`
-        count=$((count - 1))
-    done
-
-    # Fail if unsuccessful
-    if [ -z "${htpdate}" ]; then
-        echo "failed after ${retries} attempts"
-        exit 1
-    fi
-
-
-    # Add seconds-since-epoch timestamp
-    echo "${htpdate}"
-    htpdates="${htpdates} "`date +%s -ud "${htpdate}"`
-done
-
-
-htpmin=`echo ${htpdates} | tr ' ' '\n' | sort -n | head -n 1`
-htpmax=`echo ${htpdates} | tr ' ' '\n' | sort -n | tail -n 1`
-
-if [ $((htpmax - htpmin)) -gt ${maxdiff} ]; then
-    echo "HTP servers disagreement > ${maxdiff}s"
-    exit 1
-fi

+ 1 - 6
src/root/setup

@@ -335,10 +335,6 @@ eselect opengl set xorg-x11
 eselect xvmc   set xorg-x11
 
 
-sinfo "Verifying HTP servers"
-${noroot} ${helpdir}/vfy-htp-servers
-
-
 # /usr/local/share/ca-certificates is implicitly trusted
 sinfo "Refreshing trusted certificates list"
 find -L /etc/ssl/certs -maxdepth 1 -type l -delete
@@ -361,7 +357,7 @@ sinfo "Configuring start-up services"
 svcsysinit="udev"
 svcboot="consolefont irqbalance haveged metalog
          iptables consolekit lockdown fbinit"
-svcdefault="liberte identity cabled persist xconfig vmconfig spindown tordate
+svcdefault="liberte identity cabled persist xconfig vmconfig spindown
             acpid smartd laptop_mode gpm
             nscd autofs NetworkManager privoxy
             udev-postmount"
@@ -428,7 +424,6 @@ usermod -G wheel,plugdev,lp,games,vmware,vboxguest anon
 usermod -G legion                                  cable
 
 useradd -c nscd    -d /dev/null -s /sbin/nologin -r nscd || [ $? = 9 ]
-useradd -c htpdate -d /dev/null -s /sbin/nologin -r htp  || [ $? = 9 ]
 useradd -c slay    -d /dev/null -s /sbin/nologin -r slay || [ $? = 9 ]
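Review bot: The removed `vfy-htp-servers` step was the build's only check that the time source still works, and nothing replaces it, although the new arrangement is more fragile: one hard-coded address in /etc/hosts instead of several hostnames resolved at run time. A stale address would ship silently and the image would boot with no trusted clock and, with tordate dropped from svcdefault in the same hunk, no fallback. I would put a build-time probe in its place, e.g. `sinfo "Verifying tlsdate host"` followed by `${noroot} curl -fsSI --resolve www.google.com:443:74.125.136.104 https://www.google.com >/dev/null`, taking the address from /etc/hosts rather than repeating it.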
 
 

+ 0 - 5
src/usr/local/portage/net-misc/htpdate/Manifest

@@ -1,5 +0,0 @@
-AUX htpdate-1.0.4-robustness.patch 6075 SHA256 dc036cf506deeb52817a8d8a6d6983a93af7da46a9b62605d5c344e0a7f77546 SHA512 819d42146d63c8e84741dad5b01ef3576e176b0ecf8053cb139c3e0ef355ba002122894c929948bd52c16c28dc87f9c28a1a566d7509e5c8cb3fdf1cf3c8dc51 WHIRLPOOL 5be74d105ce80ca1772f5c5b933d6a91ae10b0ee4b41dbc7e615de4c318785e1fe1874733ffc4ad8dd10dde66e85bea182bae896a5bbc6620cd2a4e4ffe0d4c3
-AUX htpdate.conf 356 SHA256 9386c071864fa3bfacf8a8de7aec05871a48bf7b4f3162f6128dcce3cb1e99ac SHA512 bf265e0152a2431e4f1f73a9214d819430a7f72fa703e39bade5b9ab34c36826830ce5ad98a4add2e45a91d1c1921ecdb9d481022c6c8805c7882612599aa316 WHIRLPOOL d81922de2a745c85b23bae517a30343b492c44a7d67179c10c25423b25e3d890740786b84a47fb1274b620c439a0e94efb20b1b8a4db95f96567baebdd0194d1
-AUX htpdate.init 322 SHA256 f4cef9927fec927269efbb1f00b8cd6ddca486de3a5349d00b62128bf51567a8 SHA512 f7f8e65e8a8676fe3b1efb31c983b7079666bb4c24fe2d035b6c973bd099da24cd893dcedeb194f5337f7bc5a0970726724e8de41b97636162dd87a2cf3dc2fd WHIRLPOOL 6eed4d509cee5d4b2dbdd4792c3887b0c231caafd1b2457b4e89776d37c0a16fdee17899cbfd9ab219bb492bc8d2674e803b9fff5c9bf2f26cc740d63bcae06c
-DIST htpdate-1.0.4.tar.gz 16474 SHA256 8c59b3f66a429eb3be038f66eb9f942398fca9002fe2c3f027010c815f91dedd SHA512 062d0fc9619312ad87dd0e508400bd6f3d64e0a7fab3bb58c55ccdbfb171030dc25f5909b0ca6d37b28e39eeb67c020e6b1c67017f8c16ef54c0e5f671bc2fb1 WHIRLPOOL 3e08faedf98201668bc387da9c1d2f2c5ed33bb55f5082b23f2754ad981b1a60295c030046b62100b4a0080be075d38b3c11c940156fb5255effe8a980c8731a
-EBUILD htpdate-1.0.4-r5.ebuild 996 SHA256 35f24f74da79701b96562790ff1a24805b027525c5e29c673e5f11bf68f75002 SHA512 a75986563ecfc80917badc1b861828eda98609e14d6c6726509ebd799910f92c144b78f45479319c1654a30a05c66776c542d638a289f41f3f40eb81e215ca31 WHIRLPOOL 4759ac71366f8bf922dd523859e2a96ec24d69f2e17c30573fe492907c81303508d19e9bf2fb02a09b7427764885fd4cefb7eba6562182b93d4277cce42f1caf

+ 0 - 199
src/usr/local/portage/net-misc/htpdate/files/htpdate-1.0.4-robustness.patch

@@ -1,199 +0,0 @@
---- htpdate.c	2012-08-29 11:17:21.000000000 +0000
-+++ htpdate.c	2012-08-29 11:43:03.000000000 +0000
-@@ -30,6 +30,18 @@
- 	http://www.gnu.org/copyleft/gpl.html
- */
- 
-+/*
-+	Modifications by mk@dee.su:
-+
-+	+ Set the time once able to do so, even if not in first poll cycle
-+	+ Ignore error responses (usually by proxies)
-+	+ Better error handling during communication
-+	+ Buffer overflow prevention when copying Date: header contents
-+	+ Added -T <tagfile> option to specify output file with initial time step
-+	+ Fixed umask setting
-+	+ Fixed group privileges dropping
-+ */
-+
- /* Needed to avoid implicit warnings from strptime */
- #define _GNU_SOURCE
- 
-@@ -144,6 +156,7 @@
- static long getHTTPdate( char *host, char *port, char *proxy, char *proxyport, char *httpversion, int ipversion, int when ) {
- 	int					server_s;
- 	int					rc;
-+	int					success = 0;
- 	struct addrinfo		hints, *res, *res0;
- 	struct tm			tm;
- 	struct timeval		timevalue = {LONG_MAX, 0};
-@@ -240,7 +253,8 @@
- 	/* Receive data from the web server
- 	   The return code from recv() is the number of bytes received
- 	*/
--	if ( recv(server_s, buffer, BUFFERSIZE, 0) != -1 ) {
-+	buffer[BUFFERSIZE-1] = '\0';
-+	if ( recv(server_s, buffer, BUFFERSIZE-1, 0) != -1 ) {
- 
- 		/* Assuming that network delay (server->htpdate) is neglectable,
- 		   the received web server time "should" match the local time.
-@@ -261,13 +275,16 @@
- 			timeofday.tv_usec - when;
- 
- 		/* Look for the line that contains Date: */
--		if ( (pdate = strstr(buffer, "Date: ")) != NULL ) {
--			strncpy(remote_time, pdate + 11, 24);
-+		if ( strncmp(buffer, "HTTP/1.1 2", 10) != 0  &&  strncmp(buffer, "HTTP/1.1 3", 10) != 0 ) {
-+			printlog( 1, "Ignoring error/proxy response" );
-+		} else if ( (pdate = strstr(buffer, "\nDate: ")) != NULL  &&  buffer+BUFFERSIZE - pdate > 12 + 24 ) {
-+			strncpy(remote_time, pdate + 12, 24);
- 
- 			if ( strptime( remote_time, "%d %b %Y %T", &tm) != NULL) {
- 				/* Web server timestamps are without daylight saving */
- 				tm.tm_isdst = 0;
- 				timevalue.tv_sec = mktime(&tm);
-+				success = 1;
- 			} else {
- 				printlog( 1, "%s unknown time format", host );
- 			}
-@@ -289,7 +306,7 @@
- 	/* Return the time delta between web server time (timevalue)
- 	   and system time (timeofday)
- 	*/
--	return( timevalue.tv_sec - timeofday.tv_sec + gmtoffset );
-+	return success ? ( timevalue.tv_sec - timeofday.tv_sec + gmtoffset ) : LONG_MAX;
- 			
- }
- 
-@@ -387,7 +404,7 @@
- 	puts("htpdate version "VERSION"\n\
- Usage: htpdate [-046abdhlqstxD] [-i pid file] [-m minpoll] [-M maxpoll]\n\
-          [-p precision] [-P <proxyserver>[:port]] [-u user[:group]]\n\
--         <host[:port]> ...\n\n\
-+         [-T <timeshiftfile>] <host[:port]> ...\n\n\
-   -0    HTTP/1.0 request\n\
-   -4    Force IPv4 name resolution only\n\
-   -6    Force IPv6 name resolution only\n\
-@@ -405,6 +422,7 @@
-   -q    query only, don't make time changes (default)\n\
-   -s    set time\n\
-   -t    turn off sanity time check\n\
-+  -T    output time delta after initial shift with -s\n\
-   -u    run daemon as user\n\
-   -x    adjust kernel clock\n\
-   host  web server hostname or ip address (maximum of 16)\n\
-@@ -448,7 +466,7 @@
- 	signal(SIGHUP, SIG_IGN);
- 
- 	/* Change the file mode mask */
--	umask(0);
-+	umask(022);
- 
- 	/* Change the current working directory */
- 	if ( chdir("/") < 0 ) {
-@@ -480,8 +498,25 @@
- }
- 
- 
-+static void writetagfile( char *tagfile, double timedelta ) {
-+	FILE *file = fopen ( tagfile, "w" );
-+
-+	if ( !file )
-+		printlog (1, "could not create %s", tagfile);
-+
-+	else {
-+		if ( fprintf( file, "%.3f\n", timedelta ) < 0 )
-+			printlog (1, "could not write time delta to %s", tagfile);
-+
-+		if ( fclose( file ) )
-+			printlog (1, "could not successfully close %s", tagfile);
-+	}
-+}
-+
-+
- int main( int argc, char *argv[] ) {
- 	char				*host = NULL, *proxy = NULL, *proxyport = NULL;
-+	char				*tagfile = NULL;
- 	char				*port;
- 	char				*httpversion = DEFAULT_HTTP_VERSION;
- 	char				*pidfile = DEFAULT_PID_FILE;
-@@ -500,6 +535,7 @@
- 	int					maxsleep = DEFAULT_MAX_SLEEP;
- 	int					sleeptime = minsleep;
- 	int					sw_uid = 0, sw_gid = 0;
-+	int					hassettime = 0;
- 	time_t				starttime = 0;
- 
- 	struct passwd		*pw;
-@@ -510,7 +546,7 @@
- 
- 
- 	/* Parse the command line switches and arguments */
--	while ( (param = getopt(argc, argv, "046abdhi:lm:p:qstu:xDM:P:") ) != -1)
-+	while ( (param = getopt(argc, argv, "046abdhi:lm:p:qstu:xDM:P:T:") ) != -1)
- 	switch( param ) {
- 
- 		case '0':			/* HTTP/1.0 */
-@@ -604,6 +640,9 @@
- 			proxyport = DEFAULT_PROXY_PORT;
- 			splithostport( &proxy, &proxyport );
- 			break;
-+		case 'T':
-+			tagfile = (char *)optarg;
-+			break;
- 		case '?':
- 			return 1;
- 		default:
-@@ -638,8 +677,8 @@
- 	}
- 
- 	/* Now we are root, we drop the privileges (if specified) */
--	if ( sw_uid ) seteuid( sw_uid );
- 	if ( sw_gid ) setegid( sw_gid );
-+	if ( sw_uid ) seteuid( sw_uid );
- 
-     /* Calculate GMT offset from local timezone */
-     time(&gmtoffset);
-@@ -758,7 +797,7 @@
- 		}
- 
- 		/* Do I really need to change the time?  */
--		if ( sumtimes || !daemonize ) {
-+		if ( sumtimes || !daemonize || setmode == 2 ) {
- 			/* If a precision was specified and the time offset is small
- 			   (< +-1 second), adjust the time with the value of precision
- 			*/
-@@ -768,10 +807,21 @@
- 			/* Correct the clock, if not in "adjtimex" mode */
- 			if ( setclock( timeavg, setmode ) < 0 )
- 					printlog( 1, "Time change failed" );
-+			/* After first correction, do not step through time, only adjust */
-+			else if ( setmode == 2 ) {
-+				hassettime = 1;
-+				setmode = 1;
-+			}
- 
- 			/* Drop root privileges again */
- 			if ( sw_uid ) seteuid( sw_uid );
- 
-+			/* Create a tag file if requested */
-+			if ( tagfile && hassettime ) {
-+				writetagfile( tagfile, timeavg );
-+				tagfile = NULL;
-+			}
-+
- 			if ( daemonize ) {
- 				if ( starttime ) {
- 					/* Calculate systematic clock drift */
-@@ -814,11 +864,6 @@
- 			exit(1);
- 	}
- 
--	/* After first poll cycle do not step through time, only adjust */
--	if ( setmode != 3 ) {
--		setmode = 1;
--	}
--
- 	} while ( daemonize );		/* end of infinite while loop */
- 
- 	exit(0);

+ 0 - 12
src/usr/local/portage/net-misc/htpdate/files/htpdate.conf

@@ -1,12 +0,0 @@
-# config file for /etc/init.d/htpdate
-
-# Add at least one http server to use:
-SERVERS="google.com"
-
-# If you are using a proxy server to connect to the
-# internet comment out the following line and insert the
-# address and port of your proxy server.
-#PROXY="-P <proxy>:<port>"
-
-# Set additional options, see 'man htpdate' for refernce
-HTPDATE_OPTS="-D -s"

+ 0 - 15
src/usr/local/portage/net-misc/htpdate/files/htpdate.init

@@ -1,15 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: $
-
-description="HTP time daemon"
-
-command=/usr/sbin/htpdate
-command_args="${HTPDATE_OPTS} ${PROXY} ${SERVERS}"
-pidfile=/var/run/htpdate.pid
-
-depend() {
-    need net
-    use dns logger
-}

+ 0 - 46
src/usr/local/portage/net-misc/htpdate/htpdate-1.0.4-r5.ebuild

@@ -1,46 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: $
-
-EAPI="4"
-inherit eutils toolchain-funcs
-
-DESCRIPTION="Synchronize local workstation with time offered by remote webservers"
-HOMEPAGE="http://www.clevervest.com/htp/"
-SRC_URI="http://www.clevervest.com/htp/archive/c/${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm hppa ~mips ppc ~ppc64 s390 sh x86"
-IUSE=""
-
-DEPEND=""
-RDEPEND=""
-
-src_unpack() {
-	unpack ${A}
-	cd "${S}"
-	gunzip htpdate.8.gz || die
-}
-
-src_prepare() {
-	epatch "${FILESDIR}"/${P}-robustness.patch
-}
-
-src_compile() {
-	emake CFLAGS="-Wall ${CFLAGS} ${LDFLAGS}" CC="$(tc-getCC)" || die
-}
-
-src_install() {
-	dosbin htpdate || die
-	doman htpdate.8
-	dodoc README Changelog
-
-	newconfd "${FILESDIR}"/htpdate.conf htpdate
-	newinitd "${FILESDIR}"/htpdate.init htpdate
-}
-
-pkg_postinst() {
-	einfo "If you would like to run htpdate as a daemon set"
-	einfo "appropriate http servers in /etc/conf.d/htpdate!"
-}

+ 9 - 2
src/usr/local/sbin/fw-reload

@@ -4,6 +4,11 @@ luser=anon
 nofw=nofw
 cable=cable
 
+# Assumes the actual IP is in /etc/hosts (cf. /etc/conf.d/tlsdated)
+# Using "nobody" instead of a dedicated user (#447018)
+tlsdate=nobody
+tlsdateip=www.google.com
+
 # ReachableAddresses ports in /etc/tor/torrc [uid=tor]
 # (allow high ports in order to support most bridges)
 torports=80,443,1024:65535
@@ -92,10 +97,9 @@ iptables -A OUTPUT -p icmp --icmp-type echo-reply   -m state --state ESTABLISHED
 iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner tor      --syn -d 127.0.0.1 --dport 9080 -j ACCEPT
 iptables -A OUTPUT       -p tcp                               --syn -d 127.0.0.1 --dport 9080 -j LOGREJECT
 
-# Privoxy access only for main user, HTP and cables daemon
+# Privoxy access only for main user and cables daemon
 iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner ${luser} --syn -d 127.0.0.1 --dport 8118 -j ACCEPT
 iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner ${cable} --syn -d 127.0.0.1 --dport 8118 -j ACCEPT
-iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner htp      --syn -d 127.0.0.1 --dport 8118 -j ACCEPT
 iptables -A OUTPUT       -p tcp                               --syn -d 127.0.0.1 --dport 8118 -j LOGREJECT
 
 # Tor access via SOCKS only for main user and Privoxy
@@ -129,6 +133,9 @@ if [ ${luser} = ${nofw} ]; then
     iptables -A OUTPUT -p tcp -m owner --uid-owner privoxy --syn --dport domain -j ACCEPT
 fi
 
+# Time synchronization via tlsdate
+iptables -A OUTPUT -p tcp -m owner --uid-owner ${tlsdate} --syn -d ${tlsdateip} --dport https   -j ACCEPT
+
 # VPN connections (root-initiated)
 iptables -A OUTPUT -p tcp -m owner --uid-owner root    --syn -m multiport --dports ${vpntports} -j ACCEPT
 iptables -A OUTPUT -p udp -m owner --uid-owner root          -m multiport --dports ${vpnuports} -j ACCEPT
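Review bot: The new tlsdate rule opens direct HTTPS egress for uid `nobody`, a shared system account, so any other process that happens to run as nobody also gets a Tor-bypassing path to the pinned address; the new test-liberte check (curl as nobody) shows the path is usable from outside tlsdate. The comment cites #447018 for not using a dedicated user, but the resulting constraint should be recorded where the rule is: `# NOTE: nobody is a shared uid -- nothing else on this system may run as nobody, or it inherits this direct egress`. If tlsdate's privilege drop can be pointed at another account (it appears to take user/group options, if I read it right), a dedicated `tlsdate` uid created in setup like the removed `htp` one would make the rule exact. Also, `-d ${tlsdateip}` is resolved once when the rules are loaded, so a later change to /etc/hosts needs a fw-reload, which deserves a comment next to `tlsdateip`.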

+ 4 - 2
src/usr/local/sbin/test-liberte

@@ -43,6 +43,7 @@ fi
 webhost=torproject.org
 webip=38.229.72.16
 
+tlsdatehost=https://www.google.com
 onionhost=3g2upl4pq6kufc4m.onion
 
 ccuser=`cat /home/anon/persist/security/cable/certs/username`
@@ -64,11 +65,9 @@ stest fail "Fetch .org via HTTP proxy as root"                     curl -fsSI -x
 stest fail "Fetch .org via HTTP proxy as nofw"     sudo -n -u nofw curl -fsSI -x 127.0.0.1:8118                ${webhost}
 stest pass "Fetch .org via HTTP proxy as anon"     sudo -n -u anon curl -fsSI -x 127.0.0.1:8118                ${webhost}
 stest pass "Fetch .org via HTTP proxy as cable"    sudo -n -u cable curl -fsSI -x 127.0.0.1:8118               ${webhost}
-stest pass "Fetch .org via HTTP proxy as htp"      sudo -n -u htp  curl -fsSI -x 127.0.0.1:8118                ${webhost}
 stest fail "Fetch .org via SOCKS proxy as root"                    curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
 stest fail "Fetch .org via SOCKS proxy as nofw"    sudo -n -u nofw curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
 stest fail "Fetch .org via SOCKS proxy as cable"   sudo -n -u cable curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
-stest fail "Fetch .org via SOCKS proxy as htp"     sudo -n -u htp  curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
 stest pass "Fetch .org via SOCKS proxy as anon"    sudo -n -u anon curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
 stest pass "Fetch .org via SOCKS proxy as privoxy" sudo -n -u privoxy curl -fsSI --socks5-hostname 127.0.0.1:9050 ${webhost}
 stest fail "Fetch .org via SOCKS proxy w/ local DNS as root"                 curl -fsSI --socks5 127.0.0.1:9050 ${webhost}
@@ -82,6 +81,9 @@ stest pass "Fetch .org w/o proxy as nofw"          sudo -n -u nofw curl -fsSI -x
 stest fail "Fetch .org w/o proxy as anon"          sudo -n -u anon curl -fsSI -x "" ${webhost}
 stest fail "Fetch .org w/o proxy as tor"           sudo -n -u tor  curl -fsSI -x "" ${webhost}
 
+stest fail "Fetch tlsdate w/o proxy as anon"       sudo -n -u anon   curl -fsSI -x "" ${tlsdatehost}
+stest pass "Fetch tlsdate w/o proxy as nobody"     sudo -n -u nobody curl -fsSI -x "" ${tlsdatehost}
+
 # Darknet access via HTTP/SOCKS
 stest pass "Fetch .onion via HTTP  proxy as anon"  sudo -n -u anon curl -fsSI -x 127.0.0.1:8118                ${onionhost}
 stest pass "Fetch .onion via SOCKS proxy as anon"  sudo -n -u anon curl -fsSI --socks5-hostname 127.0.0.1:9050 ${onionhost}
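Review bot: The two new tlsdate checks prove that `nobody` can reach www.google.com directly, but not the invariant the firewall rule is meant to enforce, namely that nobody's direct egress is limited to that one address. I would add the negative case alongside them: `stest fail "Fetch .org w/o proxy as nobody"      sudo -n -u nobody curl -fsSI -x "" ${webhost}`. The "as nobody" pass test also depends on the /etc/hosts entry pointing at a host that still serves a valid certificate, so when the address goes stale it will fail for that reason rather than a firewall one; a comment saying so next to `tlsdatehost` would save debugging time.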

+ 0 - 97
src/usr/local/sbin/tordate

@@ -1,97 +0,0 @@
-#!/bin/sh -e
-
-# This script is executed with root privileges,
-# so be careful with externally supplied files.
-
-export LC_ALL=C
-
-
-# inotify timeout handles race conditions
-# NOTE: overlayfs (v13) has no file-level inotify support,
-#       but directory-level events work, which is enough for
-#       Tor, which writes and renames temporary files
-inotifytimeout=15
-dirwait=15
-
-tordir=/var/lib/tor/data
-consensus=${tordir}/cached-microdesc-consensus
-uvconsensus=${tordir}/unverified-microdesc-consensus
-descriptors=${tordir}/cached-microdescs.new
-
-tag=tordate
-datere='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
-
-
-# ${tordir} must exist for inotifywaits below
-while [ ! -e ${tordir} ]; do
-    sleep ${dirwait}
-done
-
-
-# Delegate time setting to other daemons if Tor connections work
-if [ -e ${descriptors} ]; then
-    logger -p 6 -t ${tag} "Tor has already opened a circuit"
-else
-
-    # Wait for the consensus file, which contains a valid time interval
-    while ! grep -qs "^valid-until ${datere}"'$' ${consensus} ${uvconsensus}; do
-        inotifywait -qq -t ${inotifytimeout} -e close_write -e moved_to ${tordir} || :
-    done
-
-    # Use unverified consensus if possible (when time is far off into future, or when
-    # it wasn't removed yet), but work with a hardlink to prevent removal in-process
-    if [ ! -e ${consensus} ]  &&  ln -fT ${uvconsensus} ${uvconsensus}.bak 2>/dev/null; then
-        logger -p 6 -t ${tag} "Using unverified Tor consensus"
-        consensus=${uvconsensus}.bak
-    else
-        while ! grep -qs "^valid-until ${datere}"'$' ${consensus}; do
-            inotifywait -qq -t ${inotifytimeout} -e close_write -e moved_to ${tordir} || :
-        done
-    fi
-
-
-    # Get various date points in Tor's format, and do some sanity checks
-    vstart=`sed -n "/^valid-after \(${datere}\)"'$/s//\1/p; t q; b; :q q' ${consensus}`
-    vend=`sed -n "/^valid-until \(${datere}\)"'$/s//\1/p; t q; b; :q q' ${consensus}`
-    vendchk=`date -ud "${vstart} -0300" +'%F %T'`
-
-    rm -f ${uvconsensus}.bak
-
-    if [ x"${vstart}" = x  -o  x"${vend}" = x  -o  x"${vend}" != x"${vendchk}" ]; then
-        logger -p 3 -t ${tag} "Unexpected valid-until: [${vend}] is not [${vendchk}]"
-    else
-
-        # Check whether current time is in (conservative) range
-        curdate=`date -u +'%F %T'`
-        vendcons=`date -ud "${vstart} -0230" +'%F %T'`
-
-        order="${vstart}
-${curdate}
-${vendcons}"
-        ordersrt=`echo "${order}" | sort`
-
-        if [ "${order}" = "${ordersrt}" ]; then
-            logger -p 6 -t ${tag} "Current time is in valid Tor range"
-        else
-
-            # Estimate time to the middle of the range
-            vmid=`date -ud "${vstart} -0130" +'%F %T'`
-            logger -p 6 -t ${tag} "Setting time to middle of valid Tor range: [${vmid}]"
-            date -us "${vmid}" 1>/dev/null
-
-
-            # Tor is unreliable with picking a circuit after time change
-            if /etc/init.d/tor -q status; then
-                logger -p 6 -t ${tag} "Restarting Tor service"
-                /etc/init.d/tor -qs restart
-            fi
-
-        fi
-
-    fi
-
-fi
-
-
-# Prevent error message when stopping the service (#380073)
-/etc/init.d/tordate -qs zap

+ 0 - 2
src/var/lib/portage/world

@@ -110,8 +110,6 @@ net-misc/networkmanager-pptp
 net-misc/networkmanager-openvpn
 net-misc/networkmanager-vpnc
 gnome-extra/nm-applet
-# net-misc/ntp
-net-misc/htpdate
 net-misc/tlsdate
 net-misc/tor
 net-misc/connect