/mandos/release : revision 237.7.290

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
mto: (237.7.304 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

Makefile

WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \

-Wunused -Wuninitialized -Wstrict-overflow=5 \

-Wsuggest-attribute=pure -Wsuggest-attribute=const \

-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \

-Wredundant-decls -Wnested-externs -Winline -Wvla \

-Wvolatile-register-var -Woverlength-strings

#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)

## Check which sanitizing options can be used

#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \

# echo 'int main(){}' | $(CC) --language=c $(option) \

# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))

# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>

ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \

-fsanitize=shift -fsanitize=integer-divide-by-zero \

-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \

-fsanitize=return -fsanitize=signed-integer-overflow \

-fsanitize=bounds -fsanitize=alignment \

-fsanitize=object-size -fsanitize=float-divide-by-zero \

-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \

-fsanitize=returns-nonnull-attribute -fsanitize=bool \

-fsanitize=enum

#DEBUG=-ggdb3

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD:=-z relro -z now

LINK_FORTIFY:=

# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD=-z relro -z now

LINK_FORTIFY=

# If BROKEN_PIE is set, do not build with -pie

ifndef BROKEN_PIE

LINK_FORTIFY += -pie

endif

#COVERAGE=--coverage

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

htmldir:=man

version:=1.8.4

SED:=sed

OPTIMIZE=-Os -fno-strict-aliasing

LANGUAGE=-std=gnu99

htmldir=man

version=1.6.9

SED=sed

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \

|| getent passwd nobody || echo 65534)))

GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \

|| getent group nogroup || echo 65534)))

USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))

## Use these settings for a traditional /usr/local install

# PREFIX:=$(DESTDIR)/usr/local

# CONFDIR:=$(DESTDIR)/etc/mandos

# KEYDIR:=$(DESTDIR)/etc/mandos/keys

# MANDIR:=$(PREFIX)/man

# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools

# STATEDIR:=$(DESTDIR)/var/lib/mandos

# LIBDIR:=$(PREFIX)/lib

# PREFIX=$(DESTDIR)/usr/local

# CONFDIR=$(DESTDIR)/etc/mandos

# KEYDIR=$(DESTDIR)/etc/mandos/keys

# MANDIR=$(PREFIX)/man

# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools

# STATEDIR=$(DESTDIR)/var/lib/mandos

# LIBDIR=$(PREFIX)/lib

## These settings are for a package-type install

PREFIX:=$(DESTDIR)/usr

CONFDIR:=$(DESTDIR)/etc/mandos

KEYDIR:=$(DESTDIR)/etc/keys/mandos

MANDIR:=$(PREFIX)/share/man

INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools

STATEDIR:=$(DESTDIR)/var/lib/mandos

LIBDIR:=$(shell \

PREFIX=$(DESTDIR)/usr

CONFDIR=$(DESTDIR)/etc/mandos

KEYDIR=$(DESTDIR)/etc/keys/mandos

MANDIR=$(PREFIX)/share/man

INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools

STATEDIR=$(DESTDIR)/var/lib/mandos

LIBDIR=$(shell \

for d in \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \

done)

SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)

SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \

GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \

getconf LFS_LDFLAGS)

LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)

LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)

# Do not change these two

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \

$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \

) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \

$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \

-DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

100

# Commands to format a DocBook <refentry> document into a manual page

101

DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \

121

100

/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \

122

101

$<; $(HTMLPOST) $@)

123

102

# Fix citerefentry links

124

HTMLPOST:=$(SED) --in-place \

103

HTMLPOST=$(SED) --in-place \

125

104

--expression='s/$<a class="citerefentry" href="$$"><span class="citerefentry"><span class="refentrytitle">$$[^<]*$$<\/span>($$[^)]*$$)<\/span><\/a>$/\1\3.\5\2\3\4\5\6/g'

126

105

127

PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \

106

PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \

128

107

plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \

129

108

plugins.d/plymouth

130

PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel

131

CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)

132

PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

133

DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

109

CPROGS=plugin-runner $(PLUGINS)

110

PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

111

DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

134

112

mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \

135

113

plugins.d/mandos-client.8mandos \

136

114

plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \

137

115

plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \

138

116

plugins.d/plymouth.8mandos intro.8mandos

139

117

140

htmldocs:=$(addsuffix .xhtml,$(DOCS))

118

htmldocs=$(addsuffix .xhtml,$(DOCS))

141

119

142

objects:=$(addsuffix .o,$(CPROGS))

120

objects=$(addsuffix .o,$(CPROGS))

143

121

144

122

all: $(PROGS) mandos.lsm

145

123

257

235

--expression='s/$mandos_$[0-9.]\+$\.orig\.tar\.gz$/\1$(version)\2/' \

258

236

$@)

259

237

260

# Need to add the GnuTLS, Avahi and GPGME libraries

261

238

plugins.d/mandos-client: plugins.d/mandos-client.c

262

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

263

) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\

264

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

265

) $(LDLIBS) -o $@

266

267

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

268

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

269

) $(LOADLIBES) $(LDLIBS) -o $@

239

$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\

240

) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@

270

241

271

242

.PHONY : all doc html clean distclean mostlyclean maintainer-clean \

272

243

check run-client run-server install install-html \

287

258

./mandos-ctl --check

288

259

289

260

# Run the client with a local config and key

290

run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem

261

run-client: all keydir/seckey.txt keydir/pubkey.txt

291

262

@echo "###################################################################"

292

263

@echo "# The following error messages are harmless and can be safely #"

293

@echo "# ignored: #"

264

@echo "# ignored. The messages are caused by not running as root, but #"

265

@echo "# you should NOT run \"make run-client\" as root unless you also #"

266

@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"

294

267

@echo "# From plugin-runner: setgid: Operation not permitted #"

295

268

@echo "# setuid: Operation not permitted #"

296

269

@echo "# From askpass-fifo: mkfifo: Permission denied #"

297

270

@echo "# From mandos-client: #"

298

271

@echo "# Failed to raise privileges: Operation not permitted #"

299

272

@echo "# Warning: network hook \"*\" exited with status * #"

300

@echo "# #"

301

@echo "# (The messages are caused by not running as root, but you should #"

302

@echo "# NOT run \"make run-client\" as root unless you also unpacked and #"

303

@echo "# compiled Mandos as root, which is also NOT recommended.) #"

304

273

@echo "###################################################################"

305

274

# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring

306

275

./plugin-runner --plugin-dir=plugins.d \

307

--plugin-helper-dir=plugin-helpers \

308

276

--config-file=plugin-runner.conf \

309

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \

277

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \

310

278

--env-for=mandos-client:GNOME_KEYRING_CONTROL= \

311

279

$(CLIENTARGS)

312

280

313

281

# Used by run-client

314

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

282

keydir/seckey.txt keydir/pubkey.txt: mandos-keygen

315

283

install --directory keydir

316

284

./mandos-keygen --dir keydir --force

317

285

324

292

confdir/mandos.conf: mandos.conf

325

293

install --directory confdir

326

294

install --mode=u=rw,go=r $^ $@

327

confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem

295

confdir/clients.conf: clients.conf keydir/seckey.txt

328

296

install --directory confdir

329

297

install --mode=u=rw $< $@

330

298

# Add a client password

347

315

elif install --directory --mode=u=rwx $(STATEDIR); then \

348

316

chown -- $(USER):$(GROUP) $(STATEDIR) || :; \

349

317

350

if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \

351

install --mode=u=rw,go=r tmpfiles.d-mandos.conf \

352

$(TMPFILES)/mandos.conf; \

353

354

318

install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos

355

319

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

356

320

mandos-ctl

388

352

install-client-nokey: all doc

389

353

install --directory $(LIBDIR)/mandos $(CONFDIR)

390

354

install --directory --mode=u=rwx $(KEYDIR) \

391

$(LIBDIR)/mandos/plugins.d \

392

$(LIBDIR)/mandos/plugin-helpers

355

$(LIBDIR)/mandos/plugins.d

393

356

if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \

394

357

install --mode=u=rwx \

395

--directory "$(CONFDIR)/plugins.d" \

396

"$(CONFDIR)/plugin-helpers"; \

358

--directory "$(CONFDIR)/plugins.d"; \

397

359

398

360

install --mode=u=rwx,go=rx --directory \

399

361

"$(CONFDIR)/network-hooks.d"

400

362

install --mode=u=rwx,go=rx \

401

363

--target-directory=$(LIBDIR)/mandos plugin-runner

402

install --mode=u=rwx,go=rx \

403

--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock

404

364

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

405

365

mandos-keygen

406

366

install --mode=u=rwx,go=rx \

421

381

install --mode=u=rwxs,go=rx \

422

382

--target-directory=$(LIBDIR)/mandos/plugins.d \

423

383

plugins.d/plymouth

424

install --mode=u=rwx,go=rx \

425

--target-directory=$(LIBDIR)/mandos/plugin-helpers \

426

plugin-helpers/mandos-client-iprouteadddel

427

384

install initramfs-tools-hook \

428

385

$(INITRAMFSTOOLS)/hooks/mandos

429

install --mode=u=rw,go=r initramfs-tools-conf \

430

$(INITRAMFSTOOLS)/conf.d/mandos-conf

431

install --mode=u=rw,go=r initramfs-tools-conf-hook \

432

$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos

386

install --mode=u=rw,go=r initramfs-tools-hook-conf \

387

$(INITRAMFSTOOLS)/conf-hooks.d/mandos

433

388

install initramfs-tools-script \

434

389

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

435

install initramfs-tools-script-stop \

436

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

437

390

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

438

391

gzip --best --to-stdout mandos-keygen.8 \

439

392

> $(MANDIR)/man8/mandos-keygen.8.gz

513

466

-rmdir $(CONFDIR)

514

467

515

468

purge-client: uninstall-client

516

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

469

-shred --remove $(KEYDIR)/seckey.txt

517

470

-rm --force $(CONFDIR)/plugin-runner.conf \

518

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \

519

$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt

471

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt

520

472

-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)

Older »