/mandos/trunk : revision 1243

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen.xml

Committer: Teddy Hogeborn
Date: 2021-03-21 20:46:40 UTC
Revision ID: teddy@recompile.se-20210321204640-lpsyen8jr9lw1jma

Some cleanup of GnuTLS interface

Rename opaque internal GnuTLS structures named *_int to also start
with underscore (_), as is the custom in Python programs.

Decode byte strings from UTF-8 where needed.  (Fixing, among other
things, all "DEBUG: GnuTLS" lines having a "b'" prefix in Python 3.)

Simplify calling C functions by:
1. Using the "_as_parameter_" attribute to store the ctypes object.
2. Creating and using helper classes to automatically create pointers
   or cast typed pointers to pointers to void.
3. Providing the "from_param()" method on relevant classes.

Remove "restype" attribute on C functions where "errcheck" attribute
is already set.

* mandos (gnutls.session_int): Rename to start with "_".
  (gnutls.openpgp_crt_int): - '' -
  (gnutls.Error.__init__): Decode byte string from gnutls.strerror().
  (gnutls.PointerTo): New helper class.
  (gnutls.CastToVoidPointer): - '' -
  (gnutls.With_from_param): - '' -
  (gnutls.Credentials): Inherit from "With_from_param" and store the
  ctypes object in the "_as_parameter_" attribute instead of
  "_c_object".
  (gnutls._error_code): Use "gnutls.E_SUCCESS" instead of the unadorned
  numerical constant "0".
  (gnutls._retry_on_error): - '' -
  (gnutls.priority_set_direct.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.init.argtypes): Use "PointerTo(ClientSession)" instead of
  "ctypes.POINTER(session_t)", and change all callers to match.
  (gnutls.set_default_priority.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.record_send.argtypes): - '' -
  (gnutls.certificate_allocate_credentials.argtypes): Use
  "PointerTo(Credentials)" instead of
  "ctypes.POINTER(certificate_credentials_t)", and change all callers
  to match.
  (gnutls.certificate_free_credentials.argtypes): Use "Credentials"
  instead of "certificate_credentials_t", and change all callers to
  match.
  (gnutls.handshake_set_private_extensions.argtypes): Use
  "ClientSession" instead of "session_t", and change all callers to
  match.
  (gnutls.credentials_set.argtypes): Use
  "CastToVoidPointer(Credentials)" instead of "ctypes.c_void_p", and
  change all callers to match.
  (gnutls.certificate_type_get.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (gnutls.certificate_get_peers.argtypes): - '' -
  (gnutls.deinit.argtypes): - '' -
  (gnutls.handshake.argtypes): - '' -
  (gnutls.handshake.restype): Change from "_error_code" to
  "ctypes.c_int".
  (gnutls.transport_set_ptr.argtypes): Use "ClientSession" instead of
  "session_t", and change all callers to match.
  (gnutls.bye.argtypes): - '' -
  (gnutls.bye.restype): Change from "_error_code" to "ctypes.c_int".
  (gnutls.certificate_type_get2.argtypes): Use "ClientSession" instead
  of "session_t", and change all callers to match.
  (ClientHandler.handle): Decode "key_id" bytes to string before
  logging it in the debug log.
  (main.debug_gnutls): Decode GnuTLS log message from bytes to string
  before logging it in the debug log.

files added:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf-hook

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-keygen">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY TIMESTAMP "2019-07-18">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

190

191

TLS and OpenPGP keys used by

191

192

<citerefentry><refentrytitle>mandos-client</refentrytitle>

192

193

<manvolnum>8mandos</manvolnum></citerefentry>. The keys are

193

normally written to /etc/mandos for later installation into the

194

initrd image, but this, and most other things, can be changed

195

with command line options.

194

normally written to /etc/keys/mandos for later installation into

195

the initrd image, but this, and most other things, can be

196

changed with command line options.

196

197

</para>

197

198

<para>

198

199

This program can also be used with the

235

236

<replaceable>DIRECTORY</replaceable></option></term>

236

237

237

238

<para>

238

Target directory for key files. Default is

239

<filename class="directory">/etc/mandos</filename>.

239

Target directory for key files. Default is <filename

240

class="directory">/etc/keys/mandos</filename>.

240

241

</para>

241

242

</listitem>

242

243

</varlistentry>

354

355

355

356

<para>

356

357

Prompt for a password and encrypt it with the key already

357

present in either <filename>/etc/mandos</filename> or the

358

directory specified with the <option>--dir</option>

358

present in either <filename>/etc/keys/mandos</filename> or

359

the directory specified with the <option>--dir</option>

359

360

option. Outputs, on standard output, a section suitable

360

361

for inclusion in <citerefentry><refentrytitle

361

362

>mandos-clients.conf</refentrytitle><manvolnum

362

363

>8</manvolnum></citerefentry>. The host name or the name

363

364

specified with the <option>--name</option> option is used

364

365

for the section header. All other options are ignored,

365

and no key is created.

366

and no key is created. Note: white space is stripped from

367

the beginning and from the end of the password; See <xref

368

linkend="bugs"/>.

366

369

</para>

367

370

</listitem>

368

371

</varlistentry>

374

377

375

378

<para>

376

379

The same as <option>--password</option>, but read from

377

<replaceable>FILE</replaceable>, not the terminal.

380

<replaceable>FILE</replaceable>, not the terminal, and

381

white space is not stripped from the password in any way.

378

382

</para>

379

383

</listitem>

380

384

</varlistentry>

441

445

</para>

442

446

443

447

444

<term><filename>/etc/mandos/seckey.txt</filename></term>

448

<term><filename>/etc/keys/mandos/seckey.txt</filename></term>

445

449

446

450

<para>

447

451

OpenPGP secret key file which will be created or

450

454

</listitem>

451

455

</varlistentry>

452

456

453

<term><filename>/etc/mandos/pubkey.txt</filename></term>

457

<term><filename>/etc/keys/mandos/pubkey.txt</filename></term>

454

458

455

459

<para>

456

460

OpenPGP public key file which will be created or

488

492

489

493

490

494

495

<para>

496

The <option>--password</option>/<option>-p</option> option

497

strips white space from the start and from the end of the

498

password before using it. If this is a problem, use the

499

<option>--passfile</option> option instead, which does not do

500

this.

501

</para>

491

502

<xi:include href="bugs.xml"/>

492

503

</refsect1>

493

504

515

526

</informalexample>

516

527

517

528

<para>

518

Prompt for a password, encrypt it with the key in <filename

519

class="directory">/etc/mandos</filename> and output a section

520

suitable for <filename>clients.conf</filename>.

529

Prompt for a password, encrypt it with the keys in <filename

530

class="directory">/etc/keys/mandos</filename> and output a

531

section suitable for <filename>clients.conf</filename>.

521

532

</para>

522

533

<para>

523

534

<userinput>&COMMANDNAME; --password</userinput>

525

536

</informalexample>

526

537

527

538

<para>

528

Prompt for a password, encrypt it with the key in the

539

Prompt for a password, encrypt it with the keys in the

529

540

<filename>client-key</filename> directory and output a section

530

541

suitable for <filename>clients.conf</filename>.

531

542

</para>

Older »