/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to debian/mandos-client.postinst

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 08:41:14 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 372.
  • Revision ID: teddy@recompile.se-20190210084114-u91mijrxtifvzra5
Bug fix: Only create TLS key with certtool, and read correct key file

* debian/mandos-client.postinst (create_keys): Remove any bad keys
                                               created by 1.8.0-1.
                                               Only create TLS keys if
                                               certtool succeeds.
* debian/mandos.postinst (configure): Remove any bad keys from
                                      clients.conf, and inform the
                                      user if any were found.
* debian/mandos.templates (mandos/removed_bad_key_ids): New message.
* mandos (MandosServer.handle_ipc): Do not trust a key_id with a known
                                    bad key ID.
* mandos-keygen (keygen): Only create TLS keys if certtool succeeds.
  (password): Bug fix: Generate key_id correctly, and only output
              key_id if TLS key exists.

Show diffs side-by-side

added added

removed removed

Lines of Context:
22
22
# Update the initial RAM file system image
23
23
update_initramfs()
24
24
{
25
 
    if command -v update-initramfs >/dev/null; then
26
 
        update-initramfs -k all -u
27
 
    elif command -v dracut >/dev/null; then
28
 
        dracut_version="`dpkg-query --showformat='${Version}' --show dracut`"
29
 
        if dpkg --compare-versions "$dracut_version" lt 043-1 \
30
 
                && bash -c '. /etc/dracut.conf; . /etc/dracut.conf.d/*; [ "$hostonly" != yes ]'; then
31
 
            echo 'Dracut is not configured to use hostonly mode!' >&2
32
 
            return 1
33
 
        fi
34
 
        # Logic taken from dracut.postinst
35
 
        for kernel in /boot/vmlinu[xz]-*; do
36
 
            kversion="${kernel#/boot/vmlinu[xz]-}"
37
 
            # Dracut preserves old permissions of initramfs image
38
 
            # files, so we adjust permissions before creating new
39
 
            # initramfs image containing secret keys.
40
 
            chmod go-r /boot/initrd.img-"$kversion"
41
 
            if [ "$kversion" != "*" ]; then
42
 
                /etc/kernel/postinst.d/dracut "$kversion"
43
 
            fi
44
 
        done
45
 
    fi
 
25
    update-initramfs -u -k all
46
26
    
47
27
    if dpkg --compare-versions "$2" lt-nl "1.0.10-1"; then
48
28
        # Make old initrd.img files unreadable too, in case they were
91
71
             --load-privkey=/etc/keys/mandos/tls-privkey.pem \
92
72
             --outfile=/dev/null --pubkey-info --no-text \
93
73
             2>/dev/null; then
94
 
            shred --remove -- /etc/keys/mandos/tls-privkey.pem \
95
 
                  2>/dev/null || :
96
 
            rm --force -- /etc/keys/mandos/tls-pubkey.pem
 
74
            shred --remove -- /etc/keys/mandos/tls-privkey.pem
 
75
            rm -- /etc/keys/mandos/tls-pubkey.pem
97
76
        fi
98
77
    fi
99
78
 
114
93
        local umask=$(umask)
115
94
        umask 077
116
95
        cp --archive "$TLS_PRIVKEYTMP" /etc/keys/mandos/tls-privkey.pem
117
 
        shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
 
96
        shred --remove -- "$TLS_PRIVKEYTMP"
118
97
 
119
98
        # First try certtool from GnuTLS
120
99
        if ! certtool --password='' \
143
122
        db_go
144
123
        db_stop
145
124
    else
146
 
        shred --remove -- "$TLS_PRIVKEYTMP" 2>/dev/null || :
 
125
        shred --remove -- "$TLS_PRIVKEYTMP"
147
126
    fi
148
127
}
149
128