/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-08-06 00:53:13 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 350.
  • Revision ID: teddy@recompile.se-20160806005313-q9n4b1b7707hnjj4
Makefile: Replace "-fsanitize=address" with "-fsanitize=leak"

The Address Sanitizer is a debugging feature, not a security feature -
it has security issues:  <http://seclists.org/oss-sec/2016/q1/363>
Therefore, it should only be used when debugging.  Replace it with
"-fsanitize=leak", which is needed since -fsanitize=address no longer
includes it implicitly.

* Makefile (DEBUG): Add "-fsanitize=address".
  (ALL_SANITIZE_OPTIONS): Replace "-fsanitize=address" with
                          "-fsanitize=leak".

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2014-03-05">
 
5
<!ENTITY TIMESTAMP "2016-07-10">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
36
38
      <year>2012</year>
37
39
      <year>2013</year>
38
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
39
43
      <holder>Teddy Hogeborn</holder>
40
44
      <holder>Björn Påhlsson</holder>
41
45
    </copyright>
98
102
      </arg>
99
103
      <sbr/>
100
104
      <arg>
 
105
        <option>--dh-params <replaceable>FILE</replaceable></option>
 
106
      </arg>
 
107
      <sbr/>
 
108
      <arg>
101
109
        <option>--delay <replaceable>SECONDS</replaceable></option>
102
110
      </arg>
103
111
      <sbr/>
311
319
        <listitem>
312
320
          <para>
313
321
            Sets the number of bits to use for the prime number in the
314
 
            TLS Diffie-Hellman key exchange.  Default is 1024.
 
322
            TLS Diffie-Hellman key exchange.  The default value is
 
323
            selected automatically based on the OpenPGP key.  Note
 
324
            that if the <option>--dh-params</option> option is used,
 
325
            the values from that file will be used instead.
 
326
          </para>
 
327
        </listitem>
 
328
      </varlistentry>
 
329
      
 
330
      <varlistentry>
 
331
        <term><option>--dh-params=<replaceable
 
332
        >FILE</replaceable></option></term>
 
333
        <listitem>
 
334
          <para>
 
335
            Specifies a PEM-encoded PKCS#3 file to read the parameters
 
336
            needed by the TLS Diffie-Hellman key exchange from.  If
 
337
            this option is not given, or if the file for some reason
 
338
            could not be used, the parameters will be generated on
 
339
            startup, which will take some time and processing power.
 
340
            Those using servers running under time, power or processor
 
341
            constraints may want to generate such a file in advance
 
342
            and use this option.
315
343
          </para>
316
344
        </listitem>
317
345
      </varlistentry>
444
472
  
445
473
  <refsect1 id="environment">
446
474
    <title>ENVIRONMENT</title>
 
475
    <variablelist>
 
476
      <varlistentry>
 
477
        <term><envar>MANDOSPLUGINHELPERDIR</envar></term>
 
478
        <listitem>
 
479
          <para>
 
480
            This environment variable will be assumed to contain the
 
481
            directory containing any helper executables.  The use and
 
482
            nature of these helper executables, if any, is
 
483
            purposefully not documented.
 
484
        </para>
 
485
        </listitem>
 
486
      </varlistentry>
 
487
    </variablelist>
447
488
    <para>
448
 
      This program does not use any environment variables, not even
449
 
      the ones provided by <citerefentry><refentrytitle
 
489
      This program does not use any other environment variables, not
 
490
      even the ones provided by <citerefentry><refentrytitle
450
491
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
451
492
    </citerefentry>.
452
493
    </para>
652
693
    </variablelist>
653
694
  </refsect1>
654
695
  
655
 
<!--   <refsect1 id="bugs"> -->
656
 
<!--     <title>BUGS</title> -->
657
 
<!--     <para> -->
658
 
<!--     </para> -->
659
 
<!--   </refsect1> -->
 
696
  <refsect1 id="bugs">
 
697
    <title>BUGS</title>
 
698
    <xi:include href="../bugs.xml"/>
 
699
  </refsect1>
660
700
  
661
701
  <refsect1 id="example">
662
702
    <title>EXAMPLE</title>
748
788
    <para>
749
789
      It will also help if the checker program on the server is
750
790
      configured to request something from the client which can not be
751
 
      spoofed by someone else on the network, unlike unencrypted
752
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
791
      spoofed by someone else on the network, like SSH server key
 
792
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
793
      echo (<quote>ping</quote>) replies.
753
794
    </para>
754
795
    <para>
755
796
      <emphasis>Note</emphasis>: This makes it completely insecure to
801
842
      </varlistentry>
802
843
      <varlistentry>
803
844
        <term>
804
 
          <ulink url="http://www.gnu.org/software/gnutls/"
805
 
          >GnuTLS</ulink>
 
845
          <ulink url="https://www.gnutls.org/">GnuTLS</ulink>
806
846
        </term>
807
847
      <listitem>
808
848
        <para>
814
854
      </varlistentry>
815
855
      <varlistentry>
816
856
        <term>
817
 
          <ulink url="http://www.gnupg.org/related_software/gpgme/"
 
857
          <ulink url="https://www.gnupg.org/related_software/gpgme/"
818
858
                 >GPGME</ulink>
819
859
        </term>
820
860
        <listitem>
858
898
      </varlistentry>
859
899
      <varlistentry>
860
900
        <term>
861
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
862
 
          Protocol Version 1.1</citetitle>
 
901
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
 
902
          Protocol Version 1.2</citetitle>
863
903
        </term>
864
904
      <listitem>
865
905
        <para>
866
 
          TLS 1.1 is the protocol implemented by GnuTLS.
 
906
          TLS 1.2 is the protocol implemented by GnuTLS.
867
907
        </para>
868
908
      </listitem>
869
909
      </varlistentry>
880
920
      </varlistentry>
881
921
      <varlistentry>
882
922
        <term>
883
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
 
923
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
884
924
          Security</citetitle>
885
925
        </term>
886
926
      <listitem>