10
10
-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
-Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
-Wvolatile-register-var -Woverlength-strings
13
#DEBUG:=-ggdb3 -fsanitize=address
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
## Check which sanitizing options can be used
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
# echo 'int main(){}' | $(CC) --language=c $(option) \
18
# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
17
19
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
20
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
19
21
-fsanitize=shift -fsanitize=integer-divide-by-zero \
23
25
-fsanitize=object-size -fsanitize=float-divide-by-zero \
24
26
-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
25
27
-fsanitize=returns-nonnull-attribute -fsanitize=bool \
27
# Check which sanitizing options can be used
28
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
-o /dev/null >/dev/null 2>&1 && echo $(option)))
28
-fsanitize=enum -fsanitize-address-use-after-scope
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
31
33
LINK_FORTIFY_LD:=-z relro -z now
40
42
OPTIMIZE:=-Os -fno-strict-aliasing
41
43
LANGUAGE:=-std=gnu11
46
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
48
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
49
|| getent passwd nobody || echo 65534)))
50
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
51
|| getent group nogroup || echo 65534)))
49
53
## Use these settings for a traditional /usr/local install
50
54
# PREFIX:=$(DESTDIR)/usr/local
62
67
KEYDIR:=$(DESTDIR)/etc/keys/mandos
63
68
MANDIR:=$(PREFIX)/share/man
64
69
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
70
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
65
71
STATEDIR:=$(DESTDIR)/var/lib/mandos
86
92
getconf LFS_LDFLAGS)
87
93
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
94
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
95
GLIB_CFLAGS:=$(shell pkg-config --cflags glib-2.0)
96
GLIB_LIBS:=$(shell pkg-config --libs glib-2.0)
90
98
# Do not change these two
91
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
92
$(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
93
$(GPGME_CFLAGS) -DVERSION='"$(version)"'
94
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
99
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
100
$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
101
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
102
) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
96
104
# Commands to format a DocBook <refentry> document into a manual page
97
105
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
103
111
/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
105
113
if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
106
&& type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
107
man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
114
&& command -v man >/dev/null; then LANG=en_US.UTF-8 \
115
MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
116
$(notdir $@); fi >/dev/null)
110
118
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
111
119
--param make.year.ranges 1 \
124
132
plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
125
133
plugins.d/plymouth
126
134
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
127
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
135
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
128
137
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
129
138
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
130
139
mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
140
dracut-module/password-agent.8mandos \
131
141
plugins.d/mandos-client.8mandos \
132
142
plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
133
143
plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
205
215
overview.xml legalnotice.xml
218
dracut-module/password-agent.8mandos: \
219
dracut-module/password-agent.xml common.ent \
220
overview.xml legalnotice.xml
222
dracut-module/password-agent.8mandos.xhtml: \
223
dracut-module/password-agent.xml common.ent \
224
overview.xml legalnotice.xml
208
227
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
210
229
mandos-options.xml \
253
272
--expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
256
# Need to add the GnuTLS, Avahi and GPGME libraries, and can't use
257
# -fsanitize=leak because GnuTLS and GPGME both leak memory.
275
# Need to add the GnuTLS, Avahi and GPGME libraries
258
276
plugins.d/mandos-client: plugins.d/mandos-client.c
259
$(CC) $(filter-out -fsanitize=leak,$(CFLAGS)) $(strip\
260
) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH) $^ $(strip\
261
) -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
262
) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
277
$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
278
) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
279
) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
282
# Need to add the libnl-route library
264
283
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
265
284
$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
266
285
) $(LOADLIBES) $(LDLIBS) -o $@
287
# Need to add the GLib and pthread libraries
288
dracut-module/password-agent: dracut-module/password-agent.c
289
$(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
290
) $(LOADLIBES) $(LDLIBS) -o $@
268
292
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
269
293
check run-client run-server install install-html \
270
294
install-server install-client-nokey install-client uninstall \
279
303
maintainer-clean: clean
280
304
-rm --force --recursive keydir confdir statedir
284
308
./mandos-ctl --check
309
./mandos-keygen --version
310
./plugin-runner --version
311
./plugin-helpers/mandos-client-iprouteadddel --version
312
./dracut-module/password-agent --test
286
314
# Run the client with a local config and key
287
run-client: all keydir/seckey.txt keydir/pubkey.txt
315
run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem
288
316
@echo "###################################################################"
289
317
@echo "# The following error messages are harmless and can be safely #"
290
318
@echo "# ignored: #"
303
331
./plugin-runner --plugin-dir=plugins.d \
304
332
--plugin-helper-dir=plugin-helpers \
305
333
--config-file=plugin-runner.conf \
306
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
334
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
307
335
--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
310
338
# Used by run-client
311
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
339
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
312
340
install --directory keydir
313
341
./mandos-keygen --dir keydir --force
321
349
confdir/mandos.conf: mandos.conf
322
350
install --directory confdir
323
351
install --mode=u=rw,go=r $^ $@
324
confdir/clients.conf: clients.conf keydir/seckey.txt
352
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
325
353
install --directory confdir
326
354
install --mode=u=rw $< $@
327
355
# Add a client password
396
424
"$(CONFDIR)/network-hooks.d"
397
425
install --mode=u=rwx,go=rx \
398
426
--target-directory=$(LIBDIR)/mandos plugin-runner
427
install --mode=u=rwx,go=rx \
428
--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock
399
429
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
401
431
install --mode=u=rwx,go=rx \
421
451
plugin-helpers/mandos-client-iprouteadddel
422
452
install initramfs-tools-hook \
423
453
$(INITRAMFSTOOLS)/hooks/mandos
424
install --mode=u=rw,go=r initramfs-tools-hook-conf \
425
$(INITRAMFSTOOLS)/conf-hooks.d/mandos
454
install --mode=u=rw,go=r initramfs-tools-conf \
455
$(INITRAMFSTOOLS)/conf.d/mandos-conf
456
install --mode=u=rw,go=r initramfs-tools-conf-hook \
457
$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
426
458
install initramfs-tools-script \
427
459
$(INITRAMFSTOOLS)/scripts/init-premount/mandos
460
install initramfs-tools-script-stop \
461
$(INITRAMFSTOOLS)/scripts/local-premount/mandos
462
install --directory $(DRACUTMODULE)
463
install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
464
dracut-module/ask-password-mandos.path \
465
dracut-module/ask-password-mandos.service
466
install --mode=u=rwxs,go=rx \
467
--target-directory=$(DRACUTMODULE) \
468
dracut-module/module-setup.sh \
469
dracut-module/cmdline-mandos.sh \
470
dracut-module/password-agent
428
471
install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
429
472
gzip --best --to-stdout mandos-keygen.8 \
430
473
> $(MANDIR)/man8/mandos-keygen.8.gz
442
485
> $(MANDIR)/man8/askpass-fifo.8mandos.gz
443
486
gzip --best --to-stdout plugins.d/plymouth.8mandos \
444
487
> $(MANDIR)/man8/plymouth.8mandos.gz
488
gzip --best --to-stdout dracut-module/password-agent.8mandos \
489
> $(MANDIR)/man8/password-agent.8mandos.gz
446
491
install-client: install-client-nokey
447
492
# Post-installation stuff
448
493
-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
449
update-initramfs -k all -u
494
if command -v update-initramfs >/dev/null; then \
495
update-initramfs -k all -u; \
496
elif command -v dracut >/dev/null; then \
497
for initrd in $(DESTDIR)/boot/initr*-$(shell uname --kernel-release); do \
498
if [ -w "$$initrd" ]; then \
499
chmod go-r "$$initrd"; \
500
dracut --force "$$initrd"; \
450
504
echo "Now run mandos-keygen --password --dir $(KEYDIR)"
452
506
uninstall: uninstall-server uninstall-client
479
533
$(INITRAMFSTOOLS)/hooks/mandos \
480
534
$(INITRAMFSTOOLS)/conf-hooks.d/mandos \
481
535
$(INITRAMFSTOOLS)/scripts/init-premount/mandos \
536
$(INITRAMFSTOOLS)/scripts/local-premount/mandos \
537
$(DRACUTMODULE)/ask-password-mandos.path \
538
$(DRACUTMODULE)/ask-password-mandos.service \
539
$(DRACUTMODULE)/module-setup.sh \
540
$(DRACUTMODULE)/cmdline-mandos.sh \
541
$(DRACUTMODULE)/password-agent \
482
542
$(MANDIR)/man8/mandos-keygen.8.gz \
483
543
$(MANDIR)/man8/plugin-runner.8mandos.gz \
484
544
$(MANDIR)/man8/mandos-client.8mandos.gz
487
547
$(MANDIR)/man8/splashy.8mandos.gz \
488
548
$(MANDIR)/man8/askpass-fifo.8mandos.gz \
489
549
$(MANDIR)/man8/plymouth.8mandos.gz \
550
$(MANDIR)/man8/password-agent.8mandos.gz \
490
551
-rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
491
$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
492
update-initramfs -k all -u
552
$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
553
if command -v update-initramfs >/dev/null; then \
554
update-initramfs -k all -u; \
555
elif command -v dracut >/dev/null; then \
556
for initrd in $(DESTDIR)/boot/initr*-$(shell uname --kernel-release); do \
557
test -w "$$initrd" && dracut --force "$$initrd"; \
494
561
purge: purge-server purge-client
504
571
-rmdir $(CONFDIR)
506
573
purge-client: uninstall-client
507
-shred --remove $(KEYDIR)/seckey.txt
574
-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
508
575
-rm --force $(CONFDIR)/plugin-runner.conf \
509
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
576
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
577
$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
510
578
-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)
added
removed
Makefile
