/mandos/trunk : revision 1298

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

Committer: Teddy Hogeborn
Date: 2024-09-09 04:24:39 UTC
Revision ID: teddy@recompile.se-20240909042439-j85mr20uli2hnyis

Eliminate compiler warnings

Many programs use nested functions, which now result in a linker
warning about executable stack.  Hide this warning.  Also, rewrite a
loop in the plymouth plugin to avoid warning about signed overflow.
This change also makes the plugin pick the alphabetically first
process entry instead of the last, in case many plymouth processes are
found (which should be unlikely).

* Makefile (plugin-runner, dracut-module/password-agent,
  plugins.d/password-prompt, plugins.d/mandos-client,
  plugins.d/plymouth): New target; set LDFLAGS to add "-Xlinker
  --no-warn-execstack".
* plugins.d/plymouth.c (get_pid): When no pid files are found, and we
  are looking through the process list, go though it from the start
  instead of from the end, i.e. in normal alphabetical order and not
  in reverse order.

files added:
debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-keygen

#!/bin/sh -e

# Mandos key generator - create a new OpenPGP key for a Mandos client

# Mandos key generator - create new keys for a Mandos client

# This file is part of Mandos.

# Contact the authors at <mandos@recompile.se>.

VERSION="1.7.19"

VERSION="1.8.16"

KEYDIR="/etc/keys/mandos"

KEYTYPE=RSA

KEYEMAIL=""

KEYCOMMENT=""

KEYEXPIRE=0

TLS_KEYTYPE=ed25519

FORCE=no

SSH=yes

KEYCOMMENT_ORIG="$KEYCOMMENT"

# Parse options

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force,no-ssh \

TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:T:fS \

--longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,tls-keytype:,force,no-ssh \

--name "$0" -- "$@"`

help(){

-v, --version Show program's version number and exit

-h, --help Show this help message and exit

-d DIR, --dir DIR Target directory for key files

-t TYPE, --type TYPE Key type. Default is RSA.

-t TYPE, --type TYPE OpenPGP key type. Default is RSA.

-l BITS, --length BITS

Key length in bits. Default is 4096.

OpenPGP key length in bits. Default is 4096.

-s TYPE, --subtype TYPE

Subkey type. Default is RSA.

OpenPGP subkey type. Default is RSA.

-L BITS, --sublength BITS

Subkey length in bits. Default is 4096.

OpenPGP subkey length in bits. Default 4096.

-n NAME, --name NAME Name of key. Default is the FQDN.

-e ADDRESS, --email ADDRESS

Email address of key. Default is empty.

Email address of OpenPGP key. Default empty.

-c TEXT, --comment TEXT

Comment field for key. The default is empty.

Comment field for OpenPGP key. Default empty.

-x TIME, --expire TIME

Key expire time. Default is no expiration.

OpenPGP key expire time. Default is none.

See gpg(1) for syntax.

-T TYPE, --tls-keytype TYPE

TLS key type. Default is ed25519.

-f, --force Force overwriting old key files.

Password creation options:

106

109

-e|--email) KEYEMAIL="$2"; shift 2;;

107

110

-c|--comment) KEYCOMMENT="$2"; shift 2;;

108

111

-x|--expire) KEYEXPIRE="$2"; shift 2;;

112

-T|--tls-keytype) TLS_KEYTYPE="$2"; shift 2;;

109

113

-f|--force) FORCE=yes; shift;;

110

114

-S|--no-ssh) SSH=no; shift;;

111

115

-v|--version) echo "$0 $VERSION"; exit;;

121

125

122

126

SECKEYFILE="$KEYDIR/seckey.txt"

123

127

PUBKEYFILE="$KEYDIR/pubkey.txt"

128

TLS_PRIVKEYFILE="$KEYDIR/tls-privkey.pem"

129

TLS_PUBKEYFILE="$KEYDIR/tls-pubkey.pem"

124

130

125

131

# Check for some invalid values

126

132

if [ ! -d "$KEYDIR" ]; then

141

147

echo "Empty key type" >&2

142

148

exit 1

143

149

144

150

145

151

if [ -z "$KEYNAME" ]; then

146

152

echo "Empty key name" >&2

147

153

exit 1

148

154

149

155

150

156

if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then

151

157

echo "Invalid key length" >&2

152

158

exit 1

153

159

154

160

155

161

if [ -z "$KEYEXPIRE" ]; then

156

162

echo "Empty key expiration" >&2

157

163

exit 1

158

164

159

165

160

166

# Make FORCE be 0 or 1

161

167

case "$FORCE" in

162

168

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;

163

169

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;

164

170

esac

165

166

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \

171

172

if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \

173

|| [ -e "$TLS_PRIVKEYFILE" ] \

174

|| [ -e "$TLS_PUBKEYFILE" ]; } \

167

175

&& [ "$FORCE" -eq 0 ]; then

168

176

echo "Refusing to overwrite old key files; use --force" >&2

169

177

exit 1

170

178

171

179

172

180

# Set lines for GnuPG batch file

173

181

if [ -n "$KEYCOMMENT" ]; then

174

182

KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"

176

184

if [ -n "$KEYEMAIL" ]; then

177

185

KEYEMAILLINE="Name-Email: $KEYEMAIL"

178

186

179

187

180

188

# Create temporary gpg batch file

181

189

BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"

190

TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"

182

191

183

192

184

193

if [ "$mode" = password ]; then

193

202

trap "

194

203

set +e; \

195

204

test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \

205

test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \

196

206

shred --remove \"$RINGDIR\"/sec* 2>/dev/null;

197

207

test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \

198

208

rm --recursive --force \"$RINGDIR\";

223

233

%no-protection

224

234

%commit

225

235

EOF

226

236

227

237

if tty --quiet; then

228

238

cat <<-EOF

229

239

Note: Due to entropy requirements, key generation could take

233

243

echo -n "Started: "

234

244

date

235

245

236

246

247

# Generate TLS private key

248

if certtool --generate-privkey --password='' \

249

--outfile "$TLS_PRIVKEYTMP" --sec-param ultra \

250

--key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then

251

252

# Backup any old key files

253

if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \

254

2>/dev/null; then

255

shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :

256

257

if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \

258

2>/dev/null; then

259

rm --force "$TLS_PUBKEYFILE"

260

261

cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"

262

shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :

263

264

## TLS public key

265

266

# First try certtool from GnuTLS

267

if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \

268

--outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \

269

2>/dev/null; then

270

# Otherwise try OpenSSL

271

if ! openssl pkey -in "$TLS_PRIVKEYFILE" \

272

-out "$TLS_PUBKEYFILE" -pubout; then

273

rm --force "$TLS_PUBKEYFILE"

274

# None of the commands succeded; give up

275

return 1

276

277

278

279

237

280

# Make sure trustdb.gpg exists;

238

281

# this is a workaround for Debian bug #737128

239

282

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

244

287

--homedir "$RINGDIR" --trust-model always \

245

288

--gen-key "$BATCHFILE"

246

289

rm --force "$BATCHFILE"

247

290

248

291

if tty --quiet; then

249

292

echo -n "Finished: "

250

293

date

251

294

252

295

253

296

# Backup any old key files

254

297

if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \

255

298

2>/dev/null; then

256

shred --remove "$SECKEYFILE"

299

shred --remove "$SECKEYFILE" 2>/dev/null || :

257

300

258

301

if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \

259

302

2>/dev/null; then

260

303

rm --force "$PUBKEYFILE"

261

304

262

305

263

306

FILECOMMENT="Mandos client key for $KEYNAME"

264

307

if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then

265

308

FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"

266

309

267

310

268

311

if [ -n "$KEYEMAIL" ]; then

269

312

FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"

270

313

271

314

272

315

# Export key from key rings to key files

273

316

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

274

317

--homedir "$RINGDIR" --armor --export-options export-minimal \

280

323

281

324

282

325

if [ "$mode" = password ]; then

283

326

284

327

# Make SSH be 0 or 1

285

328

case "$SSH" in

286

329

[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;

287

330

[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;

288

331

esac

289

332

290

333

if [ $SSH -eq 1 ]; then

291

334

for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do

292

335

set +e

303

346

304

347

done

305

348

306

349

307

350

# Import key into temporary key rings

308

351

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

309

352

--homedir "$RINGDIR" --trust-model always --armor \

311

354

gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

312

355

--homedir "$RINGDIR" --trust-model always --armor \

313

356

--import "$PUBKEYFILE"

314

357

315

358

# Get fingerprint of key

316

359

FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \

317

360

--enable-dsa2 --homedir "$RINGDIR" --trust-model always \

318

361

--fingerprint --with-colons \

319

362

| sed --quiet \

320

363

--expression='/^fpr:/{s/^fpr:.*:\$[0-9A-Z]*\$:\$/\\1/p;q}'`"

321

364

322

365

test -n "$FINGERPRINT"

323

366

367

if [ -r "$TLS_PUBKEYFILE" ]; then

368

KEY_ID="$(certtool --key-id --hash=sha256 \

369

--infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"

370

371

if [ -z "$KEY_ID" ]; then

372

KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \

373

-outform der \

374

| openssl sha256 \

375

| sed --expression='s/^.*[^[:xdigit:]]//')

376

377

test -n "$KEY_ID"

378

379

324

380

FILECOMMENT="Encrypted password for a Mandos client"

325

381

326

382

while [ ! -s "$SECFILE" ]; do

327

383

if [ -n "$PASSFILE" ]; then

328

cat "$PASSFILE"

384

cat -- "$PASSFILE"

329

385

else

330

386

tty --quiet && stty -echo

331

387

echo -n "Enter passphrase: " >/dev/tty

341

397

echo "Passphrase mismatch" >&2

342

398

touch "$RINGDIR"/mismatch

343

399

else

344

echo -n "$first"

400

printf "%s" "$first"

345

401

346

402

fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \

347

403

--homedir "$RINGDIR" --trust-model always --armor \

356

412

357

413

358

414

done

359

415

360

416

cat <<-EOF

361

417

[$KEYNAME]

362

418

host = $KEYNAME

419

EOF

420

if [ -n "$KEY_ID" ]; then

421

echo "key_id = $KEY_ID"

422

423

cat <<-EOF

363

424

fingerprint = $FINGERPRINT

364

425

secret =

365

426

EOF

383

444

set +e

384

445

# Remove the password file, if any

385

446

if [ -n "$SECFILE" ]; then

386

shred --remove "$SECFILE"

447

shred --remove "$SECFILE" 2>/dev/null

387

448

388

449

# Remove the key rings

389

450

shred --remove "$RINGDIR"/sec* 2>/dev/null

Older »