/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • mto: (237.7.304 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

Lines of Context:
14
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
17
 
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
 
# The sanitizing options are available in GCC 4.9 and above.
19
 
ifeq ($(shell test $(shell $(CC) -dumpversion) \> 4.9-; echo $$?),0)
20
 
SANITIZE:=-fsanitize=address -fsanitize=undefined -fsanitize=shift \
21
 
        -fsanitize=integer-divide-by-zero -fsanitize=unreachable \
22
 
        -fsanitize=vla-bound -fsanitize=null -fsanitize=return \
23
 
        -fsanitize=signed-integer-overflow
24
 
# GCC 5.3 has some more sanitizing options
25
 
ifeq ($(shell test $(shell $(CC) -dumpversion) \> 5.3-; echo $$?),0)
26
 
SANITIZE+=-fsanitize=bounds -fsanitize=alignment \
27
 
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
28
 
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
29
 
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
30
 
        -fsanitize=enum
31
 
endif
32
 
else
33
 
SANITIZE:=
34
 
endif
35
17
LINK_FORTIFY_LD=-z relro -z now
36
18
LINK_FORTIFY=
37
19
 
42
24
endif
43
25
#COVERAGE=--coverage
44
26
OPTIMIZE=-Os -fno-strict-aliasing
45
 
LANGUAGE=-std=gnu11
 
27
LANGUAGE=-std=gnu99
46
28
htmldir=man
47
 
version=1.7.3
 
29
version=1.6.9
48
30
SED=sed
49
31
 
50
32
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
87
69
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
88
70
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
89
71
        getconf LFS_LDFLAGS)
90
 
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
91
 
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
92
72
 
93
73
# Do not change these two
94
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
95
 
        $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
96
 
        $(GPGME_CFLAGS) -DVERSION='"$(version)"'
 
74
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
 
75
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
 
76
        -DVERSION='"$(version)"'
97
77
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
98
78
 
99
79
# Commands to format a DocBook <refentry> document into a manual page
126
106
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
127
107
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
128
108
        plugins.d/plymouth
129
 
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
130
 
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 
109
CPROGS=plugin-runner $(PLUGINS)
131
110
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
132
111
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
133
112
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
260
239
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
261
240
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
262
241
 
263
 
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
264
 
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
265
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
266
 
 
267
242
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
268
243
        check run-client run-server install install-html \
269
244
        install-server install-client-nokey install-client uninstall \
298
273
        @echo "###################################################################"
299
274
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
300
275
        ./plugin-runner --plugin-dir=plugins.d \
301
 
                --plugin-helper-dir=plugin-helpers \
302
276
                --config-file=plugin-runner.conf \
303
277
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
304
278
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
378
352
install-client-nokey: all doc
379
353
        install --directory $(LIBDIR)/mandos $(CONFDIR)
380
354
        install --directory --mode=u=rwx $(KEYDIR) \
381
 
                $(LIBDIR)/mandos/plugins.d \
382
 
                $(LIBDIR)/mandos/plugin-helpers
 
355
                $(LIBDIR)/mandos/plugins.d
383
356
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
384
357
                install --mode=u=rwx \
385
358
                        --directory "$(CONFDIR)/plugins.d"; \
386
 
                install --directory "$(CONFDIR)/plugin-helpers"; \
387
359
        fi
388
360
        install --mode=u=rwx,go=rx --directory \
389
361
                "$(CONFDIR)/network-hooks.d"
409
381
        install --mode=u=rwxs,go=rx \
410
382
                --target-directory=$(LIBDIR)/mandos/plugins.d \
411
383
                plugins.d/plymouth
412
 
        install --mode=u=rwxs,go=rx \
413
 
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
414
 
                plugin-helpers/mandos-client-iprouteadddel
415
384
        install initramfs-tools-hook \
416
385
                $(INITRAMFSTOOLS)/hooks/mandos
417
386
        install --mode=u=rw,go=r initramfs-tools-hook-conf \