=== modified file 'Makefile' --- Makefile 2013-10-13 17:05:59 +0000 +++ Makefile 2013-10-22 19:44:27 +0000 @@ -56,10 +56,10 @@ getconf LFS_LDFLAGS) # Do not change these two -CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \ +CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \ $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \ -DVERSION='"$(version)"' -LDFLAGS=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag)) +LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag)) # Commands to format a DocBook document into a manual page DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \ @@ -436,7 +436,7 @@ $(DESTDIR)/etc/dbus-1/system.d/mandos.conf $(DESTDIR)/etc/default/mandos \ $(DESTDIR)/etc/init.d/mandos \ - $(DESTDIR)/var/run/mandos.pid + $(DESTDIR)/run/mandos.pid -rmdir $(CONFDIR) purge-client: uninstall-client === modified file 'debian/compat' --- debian/compat 2008-09-17 00:34:09 +0000 +++ debian/compat 2013-10-20 15:25:09 +0000 @@ -1,1 +1,1 @@ -7 +9 === modified file 'debian/control' --- debian/control 2013-10-05 19:34:40 +0000 +++ debian/control 2013-10-24 20:21:45 +0000 
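Review bot: Switching to `CFLAGS+=` and `LDFLAGS+=` in the first Makefile hunk lets flags from the environment through, but a command-line `make CFLAGS=...` still replaces the whole value, so `$(FORTIFY)`, `$(LINK_FORTIFY)` and `-DVERSION='"$(version)"'` are dropped in that case. The mandatory and hardening flags would be safer as `override CFLAGS+=...` and `override LDFLAGS+=...`, or in a separate variable that the compile and link rules always pass. Appending also puts `$(OPTIMIZE)` and `$(DEBUG)` after any inherited flags, so the Makefile's choice presumably wins over the caller's; a sentence under "Do not change these two" saying whether that is intended would help packagers.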
@@ -4,20 +4,20 @@ Maintainer: Mandos Maintainers Uploaders: Teddy Hogeborn , Björn Påhlsson -Build-Depends: debhelper (>= 8.9.7), docbook-xml, docbook-xsl, +Build-Depends: debhelper (>= 9), docbook-xml, docbook-xsl, libavahi-core-dev, libgpgme11-dev, libgnutls-dev, xsltproc, pkg-config -Standards-Version: 3.9.3 +Standards-Version: 3.9.4 Vcs-Bzr: http://ftp.recompile.se/pub/mandos/trunk Vcs-Browser: http://bzr.recompile.se/loggerhead/mandos/trunk/files Homepage: http://www.recompile.se/mandos -DM-Upload-Allowed: yes Package: mandos Architecture: all Depends: ${misc:Depends}, python (>=2.6), python-gnutls, python-dbus, python-avahi, python-gobject, avahi-daemon, adduser, - python-urwid, python (>=2.7) | python-argparse, gnupg (<< 2) + python-urwid, python (>=2.7) | python-argparse, gnupg (<< 2), + initscripts (>= 2.88dsf-13.3) Recommends: fping Description: server giving encrypted passwords to Mandos clients This is the server part of the Mandos system, which allows === modified file 'debian/copyright' --- debian/copyright 2012-06-01 21:48:12 +0000 +++ debian/copyright 2013-10-20 15:25:09 +0000 @@ -4,8 +4,8 @@ Source: Files: * -Copyright: Copyright © 2008-2012 Teddy Hogeborn - Copyright © 2008-2012 Björn Påhlsson +Copyright: Copyright © 2008-2013 Teddy Hogeborn + Copyright © 2008-2013 Björn Påhlsson License: GPL-3+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as === modified file 'init.d-mandos' --- init.d-mandos 2012-06-01 21:48:12 +0000 +++ init.d-mandos 2013-10-20 15:25:09 +0000 @@ -23,7 +23,7 @@ NAME=mandos DAEMON=/usr/sbin/$NAME DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid +PIDFILE=/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed === modified file 'mandos' --- mandos 2013-10-13 17:05:59 +0000 +++ mandos 2013-10-22 19:24:01 +0000 
@@ -11,8 +11,8 @@ # "AvahiService" class, and some lines in "main". # # Everything else is -# Copyright © 2008-2012 Teddy Hogeborn -# Copyright © 2008-2012 Björn Påhlsson +# Copyright © 2008-2013 Teddy Hogeborn +# Copyright © 2008-2013 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -172,7 +172,13 @@ def password_encode(self, password): # Passphrase can not be empty and can not contain newlines or # NUL bytes. So we prefix it and hex encode it. - return b"mandos" + binascii.hexlify(password) + encoded = b"mandos" + binascii.hexlify(password) + if len(encoded) > 2048: + # GnuPG can't handle long passwords, so encode differently + encoded = (b"mandos" + password.replace(b"\\", b"\\\\") + .replace(b"\n", b"\\n") + .replace(b"\0", b"\\x00")) + return encoded def encrypt(self, data, password): passphrase = self.password_encode(password) @@ -2343,7 +2349,7 @@ "port": "", "debug": "False", "priority": - "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224", + "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160", "servicename": "Mandos", "use_dbus": "True", "use_ipv6": "True", @@ -2450,7 +2456,7 @@ socketfd=(server_settings["socket"] or None)) if not foreground: - pidfilename = "/var/run/mandos.pid" + pidfilename = "/run/mandos.pid" pidfile = None try: pidfile = open(pidfilename, "w") === modified file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2012-06-23 00:58:49 +0000 +++ mandos-clients.conf.xml 2013-10-20 15:25:09 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ /etc/mandos/clients.conf"> - + %common; ]> 
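Review bot: The fallback branch in `password_encode` makes the encoding ambiguous: a password of 1022 or more bytes made up only of hex digits is emitted as `b"mandos"` plus the raw bytes, which is the same passphrase the hex branch produces for a different, shorter password. A prefix whose next byte is not a hex digit keeps the two forms apart, for example `encoded = (b"mandos:" + password.replace(b"\\", b"\\\\")`. The escaped form also has no bound of its own, so a password above roughly 2040 bytes still exceeds the 2048 threshold the branch was added for; if that is GnuPG's limit, such input should be rejected explicitly rather than passed on. The comment above the return still says the passphrase is always hex encoded and should describe the second form.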
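Review bot: The default `"priority"` string in the server settings now enables `+SIGN-RSA-RMD160` with no comment saying why a RIPEMD-160 signature algorithm has to be accepted on top of `SECURE256`. A one-line comment next to the default, such as `# +SIGN-RSA-RMD160: needed for <reason>; drop once no client key requires it`, would let a later maintainer judge when it can be removed. The same literal is repeated in mandos.conf and mandos-options.xml in this commit, so the three copies have to be kept in step by hand.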
@@ -117,7 +117,7 @@ How long to wait for external approval before resorting to use the value. The - default is 0s, i.e. not to wait. + default is PT0S, i.e. not to wait. The format of TIME is the same === modified file 'mandos-keygen' --- mandos-keygen 2013-10-13 17:05:59 +0000 +++ mandos-keygen 2013-10-22 19:24:01 +0000 @@ -2,8 +2,8 @@ # # Mandos key generator - create a new OpenPGP key for a Mandos client # -# Copyright © 2008-2012 Teddy Hogeborn -# Copyright © 2008-2012 Björn Påhlsson +# Copyright © 2008-2013 Teddy Hogeborn +# Copyright © 2008-2013 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -30,7 +30,7 @@ SUBKEYLENGTH=4096 KEYNAME="`hostname --fqdn 2>/dev/null || hostname`" KEYEMAIL="" -KEYCOMMENT="Mandos client key" +KEYCOMMENT="" KEYEXPIRE=0 FORCE=no KEYCOMMENT_ORIG="$KEYCOMMENT" @@ -64,15 +64,14 @@ -l BITS, --length BITS Key length in bits. Default is 4096. -s TYPE, --subtype TYPE - Subkey type. Default is ELG-E. + Subkey type. Default is RSA. -L BITS, --sublength BITS Subkey length in bits. Default is 4096. -n NAME, --name NAME Name of key. Default is the FQDN. -e ADDRESS, --email ADDRESS Email address of key. Default is empty. -c TEXT, --comment TEXT - Comment field for key. The default value is - "Mandos client key". + Comment field for key. The default is empty. -x TIME, --expire TIME Key expire time. Default is no expiration. See gpg(1) for syntax. @@ -204,10 +203,10 @@ cat >"$BATCHFILE" <<-EOF Key-Type: $KEYTYPE Key-Length: $KEYLENGTH - #Key-Usage: encrypt,sign,auth + Key-Usage: sign,auth Subkey-Type: $SUBKEYTYPE Subkey-Length: $SUBKEYLENGTH - #Subkey-Usage: encrypt,sign,auth + Subkey-Usage: encrypt Name-Real: $KEYNAME $KEYCOMMENTLINE $KEYEMAILLINE 
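Review bot: `Key-Usage: sign,auth` and `Subkey-Usage: encrypt` are now fixed in the batch file of the mandos-keygen hunk at line 204, while `Key-Type` and `Subkey-Type` still come from `$KEYTYPE` and `$SUBKEYTYPE`, which the usage text says can be set with `--subtype` (and presumably `--type`). A user-chosen algorithm that cannot perform the listed usage would probably make gpg reject the batch or produce an unusable key, so the script should either validate the type or state the restriction in the option help. The here-document continues outside this hunk.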
@@ -294,10 +293,10 @@ cat "$PASSFILE" else tty --quiet && stty -echo - echo -n "Enter passphrase: " + echo -n "Enter passphrase: " >&2 read first tty --quiet && echo >&2 - echo -n "Repeat passphrase: " + echo -n "Repeat passphrase: " >&2 read second if tty --quiet; then echo >&2 === modified file 'mandos-keygen.xml' --- mandos-keygen.xml 2013-09-29 15:52:19 +0000 +++ mandos-keygen.xml 2013-10-22 19:24:01 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -288,8 +288,7 @@ TEXT - Comment field for key. The default value is - Mandos client key. + Comment field for key. Default is empty. === modified file 'mandos-monitor' --- mandos-monitor 2013-10-13 17:05:59 +0000 +++ mandos-monitor 2013-10-20 15:25:09 +0000 @@ -3,8 +3,8 @@ # # Mandos Monitor - Control and monitor the Mandos server # -# Copyright © 2009-2012 Teddy Hogeborn -# Copyright © 2009-2012 Björn Påhlsson +# Copyright © 2009-2013 Teddy Hogeborn +# Copyright © 2009-2013 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by === modified file 'mandos-options.xml' --- mandos-options.xml 2013-06-23 15:13:06 +0000 +++ mandos-options.xml 2013-10-24 20:21:45 +0000 @@ -46,10 +46,11 @@ not run in debug mode. - + GnuTLS priority string for the TLS handshake. The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224. + >SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224: + +SIGN-RSA-RMD160. See gnutls_priority_init 3 for the syntax. 
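Review bot: The passphrase is still read with plain `read first` and `read second` in this hunk, so backslashes are treated as escapes and leading or trailing whitespace is stripped; both reads are altered the same way, so the comparison passes and the stored passphrase silently differs from what was typed. `IFS= read -r first` and `IFS= read -r second` would keep the input intact. Nothing visible here restores terminal echo if the script is interrupted after `stty -echo`; the surrounding block starts and ends outside the hunk, so a trap may already exist there.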
@@ -58,6 +59,17 @@ communication impossible. + + GnuTLS priority string for the TLS handshake. + The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See + gnutls_priority_init + 3 for the syntax. + Warning: changing this may make the + TLS handshake fail, making server-client + communication impossible. + + Zeroconf service name. The default is Mandos. This only needs to be === modified file 'mandos.conf' --- mandos.conf 2013-06-23 15:13:06 +0000 +++ mandos.conf 2013-10-22 19:24:01 +0000 @@ -23,7 +23,7 @@ ;debug = False # GnuTLS priority for the TLS handshake. See gnutls_priority_init(3). -;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224 +;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160 # Zeroconf service name. You need to change this if you for some # reason want to run more than one server on the same *host*. === modified file 'mandos.conf.xml' --- mandos.conf.xml 2012-05-26 22:21:17 +0000 +++ mandos.conf.xml 2013-10-24 20:21:45 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ /etc/mandos/mandos.conf"> - + %common; ]> @@ -36,6 +36,7 @@ 2009 2011 2012 + 2013 Teddy Hogeborn Björn Påhlsson @@ -120,7 +121,8 @@ - + === modified file 'mandos.xml' --- mandos.xml 2012-06-17 14:55:31 +0000 +++ mandos.xml 2013-10-24 20:21:45 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -36,6 +36,7 @@ 2010 2011 2012 + 2013 Teddy Hogeborn Björn Påhlsson @@ -233,7 +234,8 @@ - + @@ -516,7 +518,7 @@ - /var/run/mandos.pid + /run/mandos.pid The file containing the process id of the === modified file 'plugin-runner.c' --- plugin-runner.c 2013-08-27 21:47:35 +0000 +++ plugin-runner.c 2013-10-20 15:25:09 +0000 
@@ -2,8 +2,8 @@ /* * Mandos plugin runner - Run Mandos plugins * - * Copyright © 2008-2012 Teddy Hogeborn - * Copyright © 2008-2012 Björn Påhlsson + * Copyright © 2008-2013 Teddy Hogeborn + * Copyright © 2008-2013 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/mandos-client.c' --- plugins.d/mandos-client.c 2013-10-05 19:34:40 +0000 +++ plugins.d/mandos-client.c 2013-10-20 15:25:09 +0000 @@ -9,8 +9,8 @@ * "browse_callback", and parts of "main". * * Everything else is - * Copyright © 2008-2012 Teddy Hogeborn - * Copyright © 2008-2012 Björn Påhlsson + * Copyright © 2008-2013 Teddy Hogeborn + * Copyright © 2008-2013 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/mandos-client.xml' --- plugins.d/mandos-client.xml 2013-06-23 15:13:06 +0000 +++ plugins.d/mandos-client.xml 2013-10-20 15:25:09 +0000 @@ -2,7 +2,7 @@ - + %common; ]> @@ -34,6 +34,7 @@ 2008 2009 2012 + 2013 Teddy Hogeborn Björn Påhlsson === modified file 'plugins.d/password-prompt.c' --- plugins.d/password-prompt.c 2013-10-05 19:34:40 +0000 +++ plugins.d/password-prompt.c 2013-10-20 15:25:09 +0000 @@ -2,8 +2,8 @@ /* * Password-prompt - Read a password from the terminal and print it * - * Copyright © 2008-2012 Teddy Hogeborn - * Copyright © 2008-2012 Björn Påhlsson + * Copyright © 2008-2013 Teddy Hogeborn + * Copyright © 2008-2013 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as === modified file 'plugins.d/plymouth.c' --- plugins.d/plymouth.c 2013-08-27 21:47:35 +0000 +++ plugins.d/plymouth.c 2013-10-20 15:25:09 +0000 
@@ -2,8 +2,8 @@ /* * Plymouth - Read a password from Plymouth and output it * - * Copyright © 2010-2012 Teddy Hogeborn - * Copyright © 2010-2012 Björn Påhlsson + * Copyright © 2010-2013 Teddy Hogeborn + * Copyright © 2010-2013 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as