/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to debian/mandos-client.postinst

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 08:41:14 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 372.
  • Revision ID: teddy@recompile.se-20190210084114-u91mijrxtifvzra5
Bug fix: Only create TLS key with certtool, and read correct key file

* debian/mandos-client.postinst (create_keys): Remove any bad keys
                                               created by 1.8.0-1.
                                               Only create TLS keys if
                                               certtool succeeds.
* debian/mandos.postinst (configure): Remove any bad keys from
                                      clients.conf, and inform the
                                      user if any were found.
* debian/mandos.templates (mandos/removed_bad_key_ids): New message.
* mandos (MandosServer.handle_ipc): Do not trust a key_id with a known
                                    bad key ID.
* mandos-keygen (keygen): Only create TLS keys if certtool succeeds.
  (password): Bug fix: Generate key_id correctly, and only output
              key_id if TLS key exists.

Show diffs side-by-side

added added

removed removed

Lines of Context:
71
71
             --load-privkey=/etc/keys/mandos/tls-privkey.pem \
72
72
             --outfile=/dev/null --pubkey-info --no-text \
73
73
             2>/dev/null; then
74
 
            shred --remove -- /etc/keys/mandos/tls-privkey.pem \
75
 
                  2>/dev/null || :
76
 
            rm --force -- /etc/keys/mandos/tls-pubkey.pem
 
74
            shred --remove -- /etc/keys/mandos/tls-privkey.pem
 
75
            rm -- /etc/keys/mandos/tls-pubkey.pem
77
76
        fi
78
77
    fi
79
78
 
94
93
        local umask=$(umask)
95
94
        umask 077
96
95
        cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
97
 
        shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
 
96
        shred --remove -- "$TLS_PRIVKEYTMP"
98
97
 
99
98
        # First try certtool from GnuTLS
100
99
        if ! certtool --password='' \
123
122
        db_go
124
123
        db_stop
125
124
    else
126
 
        shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
 
125
        shred --remove -- "$TLS_PRIVKEYTMP"
127
126
    fi
128
127
}
129
128