/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
 
14
 
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
 
## Check which sanitizing options can be used
16
 
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
 
#       echo 'int main(){}' | $(CC) --language=c $(option) \
18
 
#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
19
 
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
20
 
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
21
 
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
22
 
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
23
 
        -fsanitize=return -fsanitize=signed-integer-overflow \
24
 
        -fsanitize=bounds -fsanitize=alignment \
25
 
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
26
 
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
 
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
 
        -fsanitize=enum -fsanitize-address-use-after-scope
29
 
 
 
13
#DEBUG=-ggdb3
30
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
 
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
 
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
33
 
LINK_FORTIFY_LD:=-z relro -z now
34
 
LINK_FORTIFY:=
 
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
17
LINK_FORTIFY_LD=-z relro -z now
 
18
LINK_FORTIFY=
35
19
 
36
20
# If BROKEN_PIE is set, do not build with -pie
37
21
ifndef BROKEN_PIE
39
23
LINK_FORTIFY += -pie
40
24
endif
41
25
#COVERAGE=--coverage
42
 
OPTIMIZE:=-Os -fno-strict-aliasing
43
 
LANGUAGE:=-std=gnu11
44
 
FEATURES:=-D_FILE_OFFSET_BITS=64
45
 
htmldir:=man
46
 
version:=1.8.7
47
 
SED:=sed
48
 
PKG_CONFIG?=pkg-config
49
 
 
50
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
51
 
        || getent passwd nobody || echo 65534)))
52
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
53
 
        || getent group nogroup || echo 65534)))
54
 
 
55
 
LINUXVERSION:=$(shell uname --kernel-release)
 
26
OPTIMIZE=-Os -fno-strict-aliasing
 
27
LANGUAGE=-std=gnu99
 
28
htmldir=man
 
29
version=1.6.9
 
30
SED=sed
 
31
 
 
32
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
33
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
56
34
 
57
35
## Use these settings for a traditional /usr/local install
58
 
# PREFIX:=$(DESTDIR)/usr/local
59
 
# CONFDIR:=$(DESTDIR)/etc/mandos
60
 
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
61
 
# MANDIR:=$(PREFIX)/man
62
 
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
63
 
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
64
 
# STATEDIR:=$(DESTDIR)/var/lib/mandos
65
 
# LIBDIR:=$(PREFIX)/lib
 
36
# PREFIX=$(DESTDIR)/usr/local
 
37
# CONFDIR=$(DESTDIR)/etc/mandos
 
38
# KEYDIR=$(DESTDIR)/etc/mandos/keys
 
39
# MANDIR=$(PREFIX)/man
 
40
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
 
41
# STATEDIR=$(DESTDIR)/var/lib/mandos
 
42
# LIBDIR=$(PREFIX)/lib
66
43
##
67
44
 
68
45
## These settings are for a package-type install
69
 
PREFIX:=$(DESTDIR)/usr
70
 
CONFDIR:=$(DESTDIR)/etc/mandos
71
 
KEYDIR:=$(DESTDIR)/etc/keys/mandos
72
 
MANDIR:=$(PREFIX)/share/man
73
 
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
74
 
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
75
 
STATEDIR:=$(DESTDIR)/var/lib/mandos
76
 
LIBDIR:=$(shell \
 
46
PREFIX=$(DESTDIR)/usr
 
47
CONFDIR=$(DESTDIR)/etc/mandos
 
48
KEYDIR=$(DESTDIR)/etc/keys/mandos
 
49
MANDIR=$(PREFIX)/share/man
 
50
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
 
51
STATEDIR=$(DESTDIR)/var/lib/mandos
 
52
LIBDIR=$(shell \
77
53
        for d in \
78
 
        "/usr/lib/`dpkg-architecture \
79
 
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
54
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
80
55
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
81
56
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
82
57
                        echo "$(DESTDIR)$$d"; \
85
60
        done)
86
61
##
87
62
 
88
 
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
89
 
                        --variable=systemdsystemunitdir)
90
 
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
91
 
                        --variable=tmpfilesdir)
 
63
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
92
64
 
93
 
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
94
 
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
95
 
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
96
 
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
97
 
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
98
 
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
65
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
 
66
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
 
67
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
 
68
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
 
69
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
70
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
99
71
        getconf LFS_LDFLAGS)
100
 
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
101
 
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
102
 
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
103
 
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
104
72
 
105
73
# Do not change these two
106
74
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
107
 
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
108
 
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
109
 
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
75
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
 
76
        -DVERSION='"$(version)"'
 
77
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
110
78
 
111
79
# Commands to format a DocBook <refentry> document into a manual page
112
80
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
118
86
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
119
87
        $(notdir $<); \
120
88
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
121
 
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
122
 
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
123
 
        $(notdir $@); fi >/dev/null)
 
89
        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
 
90
        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
 
91
        fi >/dev/null)
124
92
 
125
93
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
126
94
        --param make.year.ranges                1 \
132
100
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
133
101
        $<; $(HTMLPOST) $@)
134
102
# Fix citerefentry links
135
 
HTMLPOST:=$(SED) --in-place \
 
103
HTMLPOST=$(SED) --in-place \
136
104
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
137
105
 
138
 
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
 
106
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
139
107
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
140
108
        plugins.d/plymouth
141
 
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
142
 
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
143
 
        $(PLUGIN_HELPERS)
144
 
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
145
 
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
109
CPROGS=plugin-runner $(PLUGINS)
 
110
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
111
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
146
112
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
147
 
        dracut-module/password-agent.8mandos \
148
113
        plugins.d/mandos-client.8mandos \
149
114
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
150
115
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
151
116
        plugins.d/plymouth.8mandos intro.8mandos
152
117
 
153
 
htmldocs:=$(addsuffix .xhtml,$(DOCS))
 
118
htmldocs=$(addsuffix .xhtml,$(DOCS))
154
119
 
155
 
objects:=$(addsuffix .o,$(CPROGS))
 
120
objects=$(addsuffix .o,$(CPROGS))
156
121
 
157
122
all: $(PROGS) mandos.lsm
158
123
 
222
187
                overview.xml legalnotice.xml
223
188
        $(DOCBOOKTOHTML)
224
189
 
225
 
dracut-module/password-agent.8mandos: \
226
 
                dracut-module/password-agent.xml common.ent \
227
 
                overview.xml legalnotice.xml
228
 
        $(DOCBOOKTOMAN)
229
 
dracut-module/password-agent.8mandos.xhtml: \
230
 
                dracut-module/password-agent.xml common.ent \
231
 
                overview.xml legalnotice.xml
232
 
        $(DOCBOOKTOHTML)
233
 
 
234
190
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
235
191
                                        common.ent \
236
192
                                        mandos-options.xml \
279
235
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
280
236
                $@)
281
237
 
282
 
# Need to add the GnuTLS, Avahi and GPGME libraries
283
238
plugins.d/mandos-client: plugins.d/mandos-client.c
284
 
        $(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
285
 
                ) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
286
 
                ) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
287
 
                ) $(LDLIBS) -o $@
288
 
 
289
 
# Need to add the libnl-route library
290
 
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
291
 
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
292
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
293
 
 
294
 
# Need to add the GLib and pthread libraries
295
 
dracut-module/password-agent: dracut-module/password-agent.c
296
 
        $(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
297
 
                ) $(LOADLIBES) $(LDLIBS) -o $@
 
239
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
 
240
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
298
241
 
299
242
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
300
243
        check run-client run-server install install-html \
310
253
maintainer-clean: clean
311
254
        -rm --force --recursive keydir confdir statedir
312
255
 
313
 
check: all
 
256
check:  all
314
257
        ./mandos --check
315
258
        ./mandos-ctl --check
316
 
        ./mandos-keygen --version
317
 
        ./plugin-runner --version
318
 
        ./plugin-helpers/mandos-client-iprouteadddel --version
319
 
        ./dracut-module/password-agent --test
320
259
 
321
260
# Run the client with a local config and key
322
 
run-client: all keydir/seckey.txt keydir/pubkey.txt \
323
 
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
324
 
        @echo '######################################################'
325
 
        @echo '# The following error messages are harmless and can  #'
326
 
        @echo '#  be safely ignored:                                #'
327
 
        @echo '## From plugin-runner:                               #'
328
 
        @echo '# setgid: Operation not permitted                    #'
329
 
        @echo '# setuid: Operation not permitted                    #'
330
 
        @echo '## From askpass-fifo:                                #'
331
 
        @echo '# mkfifo: Permission denied                          #'
332
 
        @echo '## From mandos-client:                               #'
333
 
        @echo '# Failed to raise privileges: Operation not permi... #'
334
 
        @echo '# Warning: network hook "*" exited with status *     #'
335
 
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
336
 
        @echo '# Failed to bring up interface "*": Operation not... #'
337
 
        @echo '#                                                    #'
338
 
        @echo '# (The messages are caused by not running as root,   #'
339
 
        @echo '# but you should NOT run "make run-client" as root   #'
340
 
        @echo '# unless you also unpacked and compiled Mandos as    #'
341
 
        @echo '# root, which is also NOT recommended.)              #'
342
 
        @echo '######################################################'
 
261
run-client: all keydir/seckey.txt keydir/pubkey.txt
 
262
        @echo "###################################################################"
 
263
        @echo "# The following error messages are harmless and can be safely     #"
 
264
        @echo "# ignored.  The messages are caused by not running as root, but   #"
 
265
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
 
266
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
 
267
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
268
        @echo "#                     setuid: Operation not permitted             #"
 
269
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
 
270
        @echo "# From mandos-client:                                             #"
 
271
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
272
        @echo "#             Warning: network hook \"*\" exited with status *      #"
 
273
        @echo "###################################################################"
343
274
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
344
275
        ./plugin-runner --plugin-dir=plugins.d \
345
 
                --plugin-helper-dir=plugin-helpers \
346
276
                --config-file=plugin-runner.conf \
347
 
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
 
277
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
348
278
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
349
279
                $(CLIENTARGS)
350
280
 
351
281
# Used by run-client
352
 
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
 
282
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
353
283
        install --directory keydir
354
284
        ./mandos-keygen --dir keydir --force
355
285
 
362
292
confdir/mandos.conf: mandos.conf
363
293
        install --directory confdir
364
294
        install --mode=u=rw,go=r $^ $@
365
 
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
 
295
confdir/clients.conf: clients.conf keydir/seckey.txt
366
296
        install --directory confdir
367
297
        install --mode=u=rw $< $@
368
298
# Add a client password
385
315
        elif install --directory --mode=u=rwx $(STATEDIR); then \
386
316
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
387
317
        fi
388
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
389
 
                        -a -d "$(TMPFILES)" ]; then \
390
 
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
391
 
                        $(TMPFILES)/mandos.conf; \
392
 
        fi
393
318
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
394
319
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
395
320
                mandos-ctl
427
352
install-client-nokey: all doc
428
353
        install --directory $(LIBDIR)/mandos $(CONFDIR)
429
354
        install --directory --mode=u=rwx $(KEYDIR) \
430
 
                $(LIBDIR)/mandos/plugins.d \
431
 
                $(LIBDIR)/mandos/plugin-helpers
 
355
                $(LIBDIR)/mandos/plugins.d
432
356
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
433
357
                install --mode=u=rwx \
434
 
                        --directory "$(CONFDIR)/plugins.d" \
435
 
                        "$(CONFDIR)/plugin-helpers"; \
 
358
                        --directory "$(CONFDIR)/plugins.d"; \
436
359
        fi
437
360
        install --mode=u=rwx,go=rx --directory \
438
361
                "$(CONFDIR)/network-hooks.d"
439
362
        install --mode=u=rwx,go=rx \
440
363
                --target-directory=$(LIBDIR)/mandos plugin-runner
441
 
        install --mode=u=rwx,go=rx \
442
 
                --target-directory=$(LIBDIR)/mandos \
443
 
                mandos-to-cryptroot-unlock
444
364
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
445
365
                mandos-keygen
446
366
        install --mode=u=rwx,go=rx \
461
381
        install --mode=u=rwxs,go=rx \
462
382
                --target-directory=$(LIBDIR)/mandos/plugins.d \
463
383
                plugins.d/plymouth
464
 
        install --mode=u=rwx,go=rx \
465
 
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
466
 
                plugin-helpers/mandos-client-iprouteadddel
467
384
        install initramfs-tools-hook \
468
385
                $(INITRAMFSTOOLS)/hooks/mandos
469
 
        install --mode=u=rw,go=r initramfs-tools-conf \
470
 
                $(INITRAMFSTOOLS)/conf.d/mandos-conf
471
 
        install --mode=u=rw,go=r initramfs-tools-conf-hook \
472
 
                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
 
386
        install --mode=u=rw,go=r initramfs-tools-hook-conf \
 
387
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
473
388
        install initramfs-tools-script \
474
389
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
475
 
        install initramfs-tools-script-stop \
476
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
477
 
        install --directory $(DRACUTMODULE)
478
 
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
479
 
                dracut-module/ask-password-mandos.path \
480
 
                dracut-module/ask-password-mandos.service
481
 
        install --mode=u=rwxs,go=rx \
482
 
                --target-directory=$(DRACUTMODULE) \
483
 
                dracut-module/module-setup.sh \
484
 
                dracut-module/cmdline-mandos.sh \
485
 
                dracut-module/password-agent
486
390
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
487
391
        gzip --best --to-stdout mandos-keygen.8 \
488
392
                > $(MANDIR)/man8/mandos-keygen.8.gz
500
404
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
501
405
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
502
406
                > $(MANDIR)/man8/plymouth.8mandos.gz
503
 
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
504
 
                > $(MANDIR)/man8/password-agent.8mandos.gz
505
407
 
506
408
install-client: install-client-nokey
507
409
# Post-installation stuff
508
410
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
509
 
        if command -v update-initramfs >/dev/null; then \
510
 
            update-initramfs -k all -u; \
511
 
        elif command -v dracut >/dev/null; then \
512
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
513
 
                if [ -w "$$initrd" ]; then \
514
 
                    chmod go-r "$$initrd"; \
515
 
                    dracut --force "$$initrd"; \
516
 
                fi; \
517
 
            done; \
518
 
        fi
 
411
        update-initramfs -k all -u
519
412
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
520
413
 
521
414
uninstall: uninstall-server uninstall-client
548
441
                $(INITRAMFSTOOLS)/hooks/mandos \
549
442
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
550
443
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
551
 
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
552
 
                $(DRACUTMODULE)/ask-password-mandos.path \
553
 
                $(DRACUTMODULE)/ask-password-mandos.service \
554
 
                $(DRACUTMODULE)/module-setup.sh \
555
 
                $(DRACUTMODULE)/cmdline-mandos.sh \
556
 
                $(DRACUTMODULE)/password-agent \
557
444
                $(MANDIR)/man8/mandos-keygen.8.gz \
558
445
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
559
446
                $(MANDIR)/man8/mandos-client.8mandos.gz
562
449
                $(MANDIR)/man8/splashy.8mandos.gz \
563
450
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
564
451
                $(MANDIR)/man8/plymouth.8mandos.gz \
565
 
                $(MANDIR)/man8/password-agent.8mandos.gz \
566
452
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
567
 
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
568
 
        if command -v update-initramfs >/dev/null; then \
569
 
            update-initramfs -k all -u; \
570
 
        elif command -v dracut >/dev/null; then \
571
 
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
572
 
                test -w "$$initrd" && dracut --force "$$initrd"; \
573
 
            done; \
574
 
        fi
 
453
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
 
454
        update-initramfs -k all -u
575
455
 
576
456
purge: purge-server purge-client
577
457
 
586
466
        -rmdir $(CONFDIR)
587
467
 
588
468
purge-client: uninstall-client
589
 
        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
 
469
        -shred --remove $(KEYDIR)/seckey.txt
590
470
        -rm --force $(CONFDIR)/plugin-runner.conf \
591
 
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
592
 
                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
 
471
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
593
472
        -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)