/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
 
14
 
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
 
## Check which sanitizing options can be used
16
 
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
 
#       echo 'int main(){}' | $(CC) --language=c $(option) \
18
 
#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
19
 
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
20
 
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
21
 
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
22
 
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
23
 
        -fsanitize=return -fsanitize=signed-integer-overflow \
24
 
        -fsanitize=bounds -fsanitize=alignment \
25
 
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
26
 
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
 
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
 
        -fsanitize=enum -fsanitize-address-use-after-scope
29
 
 
 
13
#DEBUG=-ggdb3
30
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
 
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
 
FORTIFY:=-D_FORTIFY_SOURCE=3 -fstack-protector-all -fPIC
33
 
LINK_FORTIFY_LD:=-z relro -z now
34
 
LINK_FORTIFY:=
 
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
17
LINK_FORTIFY_LD=-z relro -z now
 
18
LINK_FORTIFY=
35
19
 
36
20
# If BROKEN_PIE is set, do not build with -pie
37
21
ifndef BROKEN_PIE
39
23
LINK_FORTIFY += -pie
40
24
endif
41
25
#COVERAGE=--coverage
42
 
OPTIMIZE:=-Os -fno-strict-aliasing
43
 
LANGUAGE:=-std=gnu11
44
 
FEATURES:=-D_FILE_OFFSET_BITS=64
45
 
htmldir:=man
46
 
version:=1.8.15
47
 
SED:=sed
48
 
PKG_CONFIG?=pkg-config
49
 
 
50
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
51
 
        || getent passwd nobody || echo 65534)))
52
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
53
 
        || getent group nogroup || echo 65534)))
54
 
 
55
 
LINUXVERSION:=$(shell uname --kernel-release)
 
26
OPTIMIZE=-Os -fno-strict-aliasing
 
27
LANGUAGE=-std=gnu11
 
28
htmldir=man
 
29
version=1.6.9
 
30
SED=sed
 
31
 
 
32
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
33
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
56
34
 
57
35
## Use these settings for a traditional /usr/local install
58
 
# PREFIX:=$(DESTDIR)/usr/local
59
 
# CONFDIR:=$(DESTDIR)/etc/mandos
60
 
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
61
 
# MANDIR:=$(PREFIX)/man
62
 
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
63
 
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
64
 
# STATEDIR:=$(DESTDIR)/var/lib/mandos
65
 
# LIBDIR:=$(PREFIX)/lib
 
36
# PREFIX=$(DESTDIR)/usr/local
 
37
# CONFDIR=$(DESTDIR)/etc/mandos
 
38
# KEYDIR=$(DESTDIR)/etc/mandos/keys
 
39
# MANDIR=$(PREFIX)/man
 
40
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
 
41
# STATEDIR=$(DESTDIR)/var/lib/mandos
 
42
# LIBDIR=$(PREFIX)/lib
66
43
##
67
44
 
68
45
## These settings are for a package-type install
69
 
PREFIX:=$(DESTDIR)/usr
70
 
CONFDIR:=$(DESTDIR)/etc/mandos
71
 
KEYDIR:=$(DESTDIR)/etc/keys/mandos
72
 
MANDIR:=$(PREFIX)/share/man
73
 
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
74
 
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
75
 
STATEDIR:=$(DESTDIR)/var/lib/mandos
76
 
LIBDIR:=$(shell \
 
46
PREFIX=$(DESTDIR)/usr
 
47
CONFDIR=$(DESTDIR)/etc/mandos
 
48
KEYDIR=$(DESTDIR)/etc/keys/mandos
 
49
MANDIR=$(PREFIX)/share/man
 
50
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
 
51
STATEDIR=$(DESTDIR)/var/lib/mandos
 
52
LIBDIR=$(shell \
77
53
        for d in \
78
 
        "/usr/lib/`dpkg-architecture \
79
 
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
54
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
80
55
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
81
56
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
82
57
                        echo "$(DESTDIR)$$d"; \
85
60
        done)
86
61
##
87
62
 
88
 
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
89
 
                        --variable=systemdsystemunitdir)
90
 
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
91
 
                        --variable=tmpfilesdir)
92
 
SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
93
 
                        --variable=sysusersdir)
 
63
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
94
64
 
95
 
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
96
 
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
97
 
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
98
 
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
99
 
GPGME_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gpgme 2>/dev/null \
100
 
        || gpgme-config --cflags; getconf LFS_CFLAGS)
101
 
GPGME_LIBS:=$(shell $(PKG_CONFIG) --libs gpgme 2>/dev/null \
102
 
        || gpgme-config --libs; getconf LFS_LIBS; \
 
65
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
 
66
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
 
67
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
 
68
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
 
69
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
70
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
103
71
        getconf LFS_LDFLAGS)
104
 
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
105
 
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
106
 
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
107
 
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
 
72
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
73
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
108
74
 
109
75
# Do not change these two
110
76
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
111
 
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
112
 
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
113
 
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
77
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
 
78
        -DVERSION='"$(version)"'
 
79
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
114
80
 
115
81
# Commands to format a DocBook <refentry> document into a manual page
116
82
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
122
88
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
123
89
        $(notdir $<); \
124
90
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
125
 
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
126
 
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
127
 
        $(notdir $@); fi >/dev/null)
 
91
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
 
92
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
 
93
        fi >/dev/null)
128
94
 
129
95
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
130
96
        --param make.year.ranges                1 \
136
102
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
137
103
        $<; $(HTMLPOST) $@)
138
104
# Fix citerefentry links
139
 
HTMLPOST:=$(SED) --in-place \
 
105
HTMLPOST=$(SED) --in-place \
140
106
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
141
107
 
142
 
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
 
108
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
143
109
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
144
110
        plugins.d/plymouth
145
 
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
146
 
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
147
 
        $(PLUGIN_HELPERS)
148
 
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
149
 
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
111
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
 
112
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 
113
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
114
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
150
115
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
151
 
        dracut-module/password-agent.8mandos \
152
116
        plugins.d/mandos-client.8mandos \
153
117
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
154
118
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
155
119
        plugins.d/plymouth.8mandos intro.8mandos
156
120
 
157
 
htmldocs:=$(addsuffix .xhtml,$(DOCS))
158
 
 
159
 
objects:=$(addsuffix .o,$(CPROGS))
160
 
 
161
 
.PHONY: all
 
121
htmldocs=$(addsuffix .xhtml,$(DOCS))
 
122
 
 
123
objects=$(addsuffix .o,$(CPROGS))
 
124
 
162
125
all: $(PROGS) mandos.lsm
163
126
 
164
 
.PHONY: doc
165
127
doc: $(DOCS)
166
128
 
167
 
.PHONY: html
168
129
html: $(htmldocs)
169
130
 
170
131
%.5: %.xml common.ent legalnotice.xml
229
190
                overview.xml legalnotice.xml
230
191
        $(DOCBOOKTOHTML)
231
192
 
232
 
dracut-module/password-agent.8mandos: \
233
 
                dracut-module/password-agent.xml common.ent \
234
 
                overview.xml legalnotice.xml
235
 
        $(DOCBOOKTOMAN)
236
 
dracut-module/password-agent.8mandos.xhtml: \
237
 
                dracut-module/password-agent.xml common.ent \
238
 
                overview.xml legalnotice.xml
239
 
        $(DOCBOOKTOHTML)
240
 
 
241
193
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
242
194
                                        common.ent \
243
195
                                        mandos-options.xml \
286
238
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
287
239
                $@)
288
240
 
289
 
# Need to add the GnuTLS, Avahi and GPGME libraries
290
 
plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
291
 
        ) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
292
 
plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \
293
 
        ) $(AVAHI_LIBS) $(GPGME_LIBS)
294
 
 
295
 
# Need to add the libnl-route library
296
 
plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)
297
 
plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)
298
 
 
299
 
# Need to add the GLib and pthread libraries
300
 
dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
301
 
# Note: -lpthread is unnecessary with the GNU C library 2.34 or later
302
 
dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
303
 
 
304
 
.PHONY: clean
 
241
plugins.d/mandos-client: plugins.d/mandos-client.c
 
242
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
 
243
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
 
244
 
 
245
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
 
246
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
 
247
                ) $(LOADLIBES) $(LDLIBS) -o $@
 
248
 
 
249
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
 
250
        check run-client run-server install install-html \
 
251
        install-server install-client-nokey install-client uninstall \
 
252
        uninstall-server uninstall-client purge purge-server \
 
253
        purge-client
 
254
 
305
255
clean:
306
256
        -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
307
257
 
308
 
.PHONY: distclean
309
258
distclean: clean
310
 
.PHONY: mostlyclean
311
259
mostlyclean: clean
312
 
.PHONY: maintainer-clean
313
260
maintainer-clean: clean
314
261
        -rm --force --recursive keydir confdir statedir
315
262
 
316
 
.PHONY: check
317
 
check: all
 
263
check:  all
318
264
        ./mandos --check
319
265
        ./mandos-ctl --check
320
 
        ./mandos-keygen --version
321
 
        ./plugin-runner --version
322
 
        ./plugin-helpers/mandos-client-iprouteadddel --version
323
 
        ./dracut-module/password-agent --test
324
266
 
325
267
# Run the client with a local config and key
326
 
.PHONY: run-client
327
 
run-client: all keydir/seckey.txt keydir/pubkey.txt \
328
 
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
329
 
        @echo '######################################################'
330
 
        @echo '# The following error messages are harmless and can  #'
331
 
        @echo '#  be safely ignored:                                #'
332
 
        @echo '## From plugin-runner:                               #'
333
 
        @echo '# setgid: Operation not permitted                    #'
334
 
        @echo '# setuid: Operation not permitted                    #'
335
 
        @echo '## From askpass-fifo:                                #'
336
 
        @echo '# mkfifo: Permission denied                          #'
337
 
        @echo '## From mandos-client:                               #'
338
 
        @echo '# Failed to raise privileges: Operation not permi... #'
339
 
        @echo '# Warning: network hook "*" exited with status *     #'
340
 
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
341
 
        @echo '# Failed to bring up interface "*": Operation not... #'
342
 
        @echo '#                                                    #'
343
 
        @echo '# (The messages are caused by not running as root,   #'
344
 
        @echo '# but you should NOT run "make run-client" as root   #'
345
 
        @echo '# unless you also unpacked and compiled Mandos as    #'
346
 
        @echo '# root, which is also NOT recommended.)              #'
347
 
        @echo '######################################################'
 
268
run-client: all keydir/seckey.txt keydir/pubkey.txt
 
269
        @echo "###################################################################"
 
270
        @echo "# The following error messages are harmless and can be safely     #"
 
271
        @echo "# ignored.  The messages are caused by not running as root, but   #"
 
272
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
 
273
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
 
274
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
275
        @echo "#                     setuid: Operation not permitted             #"
 
276
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
 
277
        @echo "# From mandos-client:                                             #"
 
278
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
279
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
280
        @echo "###################################################################"
348
281
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
349
282
        ./plugin-runner --plugin-dir=plugins.d \
350
283
                --plugin-helper-dir=plugin-helpers \
351
284
                --config-file=plugin-runner.conf \
352
 
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
 
285
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
353
286
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
354
287
                $(CLIENTARGS)
355
288
 
356
289
# Used by run-client
357
 
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
 
290
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
358
291
        install --directory keydir
359
292
        ./mandos-keygen --dir keydir --force
360
 
        if ! [ -e keydir/tls-privkey.pem ]; then \
361
 
                install --mode=u=rw /dev/null keydir/tls-privkey.pem; \
362
 
        fi
363
 
        if ! [ -e keydir/tls-pubkey.pem ]; then \
364
 
                install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \
365
 
        fi
366
293
 
367
294
# Run the server with a local config
368
 
.PHONY: run-server
369
295
run-server: confdir/mandos.conf confdir/clients.conf statedir
370
296
        ./mandos --debug --no-dbus --configdir=confdir \
371
297
                --statedir=statedir $(SERVERARGS)
374
300
confdir/mandos.conf: mandos.conf
375
301
        install --directory confdir
376
302
        install --mode=u=rw,go=r $^ $@
377
 
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
 
303
confdir/clients.conf: clients.conf keydir/seckey.txt
378
304
        install --directory confdir
379
305
        install --mode=u=rw $< $@
380
306
# Add a client password
382
308
statedir:
383
309
        install --directory statedir
384
310
 
385
 
.PHONY: install
386
311
install: install-server install-client-nokey
387
312
 
388
 
.PHONY: install-html
389
313
install-html: html
390
314
        install --directory $(htmldir)
391
315
        install --mode=u=rw,go=r --target-directory=$(htmldir) \
392
316
                $(htmldocs)
393
317
 
394
 
.PHONY: install-server
395
318
install-server: doc
396
319
        install --directory $(CONFDIR)
397
320
        if install --directory --mode=u=rwx --owner=$(USER) \
400
323
        elif install --directory --mode=u=rwx $(STATEDIR); then \
401
324
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
402
325
        fi
403
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
404
 
                        -a -d "$(TMPFILES)" ]; then \
405
 
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
406
 
                        $(TMPFILES)/mandos.conf; \
407
 
        fi
408
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
409
 
                        -a -d "$(SYSUSERS)" ]; then \
410
 
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
411
 
                        $(SYSUSERS)/mandos.conf; \
412
 
        fi
413
326
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
414
327
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
415
328
                mandos-ctl
444
357
        gzip --best --to-stdout intro.8mandos \
445
358
                > $(MANDIR)/man8/intro.8mandos.gz
446
359
 
447
 
.PHONY: install-client-nokey
448
360
install-client-nokey: all doc
449
361
        install --directory $(LIBDIR)/mandos $(CONFDIR)
450
362
        install --directory --mode=u=rwx $(KEYDIR) \
451
363
                $(LIBDIR)/mandos/plugins.d \
452
364
                $(LIBDIR)/mandos/plugin-helpers
453
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
454
 
                        -a -d "$(SYSUSERS)" ]; then \
455
 
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
456
 
                        $(SYSUSERS)/mandos-client.conf; \
457
 
        fi
458
365
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
459
366
                install --mode=u=rwx \
460
 
                        --directory "$(CONFDIR)/plugins.d" \
461
 
                        "$(CONFDIR)/plugin-helpers"; \
 
367
                        --directory "$(CONFDIR)/plugins.d"; \
 
368
                install --directory "$(CONFDIR)/plugin-helpers"; \
462
369
        fi
463
370
        install --mode=u=rwx,go=rx --directory \
464
371
                "$(CONFDIR)/network-hooks.d"
465
372
        install --mode=u=rwx,go=rx \
466
373
                --target-directory=$(LIBDIR)/mandos plugin-runner
467
 
        install --mode=u=rwx,go=rx \
468
 
                --target-directory=$(LIBDIR)/mandos \
469
 
                mandos-to-cryptroot-unlock
470
374
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
471
375
                mandos-keygen
472
376
        install --mode=u=rwx,go=rx \
487
391
        install --mode=u=rwxs,go=rx \
488
392
                --target-directory=$(LIBDIR)/mandos/plugins.d \
489
393
                plugins.d/plymouth
490
 
        install --mode=u=rwx,go=rx \
 
394
        install --mode=u=rwxs,go=rx \
491
395
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
492
396
                plugin-helpers/mandos-client-iprouteadddel
493
397
        install initramfs-tools-hook \
494
398
                $(INITRAMFSTOOLS)/hooks/mandos
495
 
        install --mode=u=rw,go=r initramfs-tools-conf \
496
 
                $(INITRAMFSTOOLS)/conf.d/mandos-conf
497
 
        install --mode=u=rw,go=r initramfs-tools-conf-hook \
498
 
                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
 
399
        install --mode=u=rw,go=r initramfs-tools-hook-conf \
 
400
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
499
401
        install initramfs-tools-script \
500
402
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
501
 
        install initramfs-tools-script-stop \
502
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
503
 
        install --directory $(DRACUTMODULE)
504
 
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
505
 
                dracut-module/ask-password-mandos.path \
506
 
                dracut-module/ask-password-mandos.service
507
 
        install --mode=u=rwxs,go=rx \
508
 
                --target-directory=$(DRACUTMODULE) \
509
 
                dracut-module/module-setup.sh \
510
 
                dracut-module/cmdline-mandos.sh \
511
 
                dracut-module/password-agent
512
403
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
513
404
        gzip --best --to-stdout mandos-keygen.8 \
514
405
                > $(MANDIR)/man8/mandos-keygen.8.gz
526
417
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
527
418
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
528
419
                > $(MANDIR)/man8/plymouth.8mandos.gz
529
 
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
530
 
                > $(MANDIR)/man8/password-agent.8mandos.gz
531
420
 
532
 
.PHONY: install-client
533
421
install-client: install-client-nokey
534
422
# Post-installation stuff
535
423
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
536
 
        if command -v update-initramfs >/dev/null; then \
537
 
            update-initramfs -k all -u; \
538
 
        elif command -v dracut >/dev/null; then \
539
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
540
 
                if [ -w "$$initrd" ]; then \
541
 
                    chmod go-r "$$initrd"; \
542
 
                    dracut --force "$$initrd"; \
543
 
                fi; \
544
 
            done; \
545
 
        fi
 
424
        update-initramfs -k all -u
546
425
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
547
426
 
548
 
.PHONY: uninstall
549
427
uninstall: uninstall-server uninstall-client
550
428
 
551
 
.PHONY: uninstall-server
552
429
uninstall-server:
553
430
        -rm --force $(PREFIX)/sbin/mandos \
554
431
                $(PREFIX)/sbin/mandos-ctl \
561
438
        update-rc.d -f mandos remove
562
439
        -rmdir $(CONFDIR)
563
440
 
564
 
.PHONY: uninstall-client
565
441
uninstall-client:
566
442
# Refuse to uninstall client if /etc/crypttab is explicitly configured
567
443
# to use it.
578
454
                $(INITRAMFSTOOLS)/hooks/mandos \
579
455
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
580
456
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
581
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
582
 
                $(DRACUTMODULE)/ask-password-mandos.path \
583
 
                $(DRACUTMODULE)/ask-password-mandos.service \
584
 
                $(DRACUTMODULE)/module-setup.sh \
585
 
                $(DRACUTMODULE)/cmdline-mandos.sh \
586
 
                $(DRACUTMODULE)/password-agent \
587
457
                $(MANDIR)/man8/mandos-keygen.8.gz \
588
458
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
589
459
                $(MANDIR)/man8/mandos-client.8mandos.gz
592
462
                $(MANDIR)/man8/splashy.8mandos.gz \
593
463
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
594
464
                $(MANDIR)/man8/plymouth.8mandos.gz \
595
 
                $(MANDIR)/man8/password-agent.8mandos.gz \
596
465
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
597
 
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
598
 
        if command -v update-initramfs >/dev/null; then \
599
 
            update-initramfs -k all -u; \
600
 
        elif command -v dracut >/dev/null; then \
601
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
602
 
                test -w "$$initrd" && dracut --force "$$initrd"; \
603
 
            done; \
604
 
        fi
 
466
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
 
467
        update-initramfs -k all -u
605
468
 
606
 
.PHONY: purge
607
469
purge: purge-server purge-client
608
470
 
609
 
.PHONY: purge-server
610
471
purge-server: uninstall-server
611
472
        -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \
612
473
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
617
478
                $(DESTDIR)/var/run/mandos.pid
618
479
        -rmdir $(CONFDIR)
619
480
 
620
 
.PHONY: purge-client
621
481
purge-client: uninstall-client
622
 
        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
 
482
        -shred --remove $(KEYDIR)/seckey.txt
623
483
        -rm --force $(CONFDIR)/plugin-runner.conf \
624
 
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
625
 
                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
 
484
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
626
485
        -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)