Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges, which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

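--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
+WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
-WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
         -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
         -Wunused -Wuninitialized -Wstrict-overflow=5 \
         -Wsuggest-attribute=pure -Wsuggest-attribute=const \
@@ -10,12 +10,28 @@
         -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
         -Wredundant-decls -Wnested-externs -Winline -Wvla \
         -Wvolatile-register-var -Woverlength-strings
+
+#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
+## Check which sanitizing options can be used
+#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
+#       echo 'int main(){}' | $(CC) --language=c $(option) \
+#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
+# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
+ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
+        -fsanitize=shift -fsanitize=integer-divide-by-zero \
+        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
+        -fsanitize=return -fsanitize=signed-integer-overflow \
+        -fsanitize=bounds -fsanitize=alignment \
+        -fsanitize=object-size -fsanitize=float-divide-by-zero \
+        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
+        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
+        -fsanitize=enum -fsanitize-address-use-after-scope
+
-#DEBUG=-ggdb3
 # For info about _FORTIFY_SOURCE, see feature_test_macros(7)
+# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
+FORTIFY:=-D_FORTIFY_SOURCE=3 -fstack-protector-all -fPIC
+LINK_FORTIFY_LD:=-z relro -z now
+LINK_FORTIFY:=
-# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
-FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
-LINK_FORTIFY_LD=-z relro -z now
-LINK_FORTIFY=
 
 # If BROKEN_PIE is set, do not build with -pie
 ifndef BROKEN_PIE
@@ -23,35 +39,44 @@
 LINK_FORTIFY += -pie
 endif
 #COVERAGE=--coverage
+OPTIMIZE:=-Os -fno-strict-aliasing
+LANGUAGE:=-std=gnu11
+FEATURES:=-D_FILE_OFFSET_BITS=64
+htmldir:=man
+version:=1.8.14
+SED:=sed
+PKG_CONFIG?=pkg-config
+
+USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
+        || getent passwd nobody || echo 65534)))
+GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
+        || getent group nogroup || echo 65534)))
+
+LINUXVERSION:=$(shell uname --kernel-release)
-OPTIMIZE=-Os -fno-strict-aliasing
-LANGUAGE=-std=gnu99
-htmldir=man
-version=1.6.9
-SED=sed
-
-USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
-GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
 
 ## Use these settings for a traditional /usr/local install
+# PREFIX:=$(DESTDIR)/usr/local
+# CONFDIR:=$(DESTDIR)/etc/mandos
+# KEYDIR:=$(DESTDIR)/etc/mandos/keys
+# MANDIR:=$(PREFIX)/man
+# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
+# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
+# STATEDIR:=$(DESTDIR)/var/lib/mandos
+# LIBDIR:=$(PREFIX)/lib
-# PREFIX=$(DESTDIR)/usr/local
-# CONFDIR=$(DESTDIR)/etc/mandos
-# KEYDIR=$(DESTDIR)/etc/mandos/keys
-# MANDIR=$(PREFIX)/man
-# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
-# STATEDIR=$(DESTDIR)/var/lib/mandos
-# LIBDIR=$(PREFIX)/lib
 ##
 
 ## These settings are for a package-type install
+PREFIX:=$(DESTDIR)/usr
+CONFDIR:=$(DESTDIR)/etc/mandos
+KEYDIR:=$(DESTDIR)/etc/keys/mandos
+MANDIR:=$(PREFIX)/share/man
+INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
+DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
+STATEDIR:=$(DESTDIR)/var/lib/mandos
+LIBDIR:=$(shell \
-PREFIX=$(DESTDIR)/usr
-CONFDIR=$(DESTDIR)/etc/mandos
-KEYDIR=$(DESTDIR)/etc/keys/mandos
-MANDIR=$(PREFIX)/share/man
-INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
-STATEDIR=$(DESTDIR)/var/lib/mandos
-LIBDIR=$(shell \
         for d in \
+        "/usr/lib/`dpkg-architecture \
+                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
-        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
         "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
                 if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
                         echo "$(DESTDIR)$$d"; \
@@ -60,21 +85,30 @@
         done)
 ##
 
+SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
+                        --variable=systemdsystemunitdir)
+TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
+                        --variable=tmpfilesdir)
+SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
+                        --variable=sysusersdir)
-SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
 
+GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
+GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
+AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
+AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
+GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
+GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
-GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
-GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
-AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
-AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
-GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
-GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
         getconf LFS_LDFLAGS)
+LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
+LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
+GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
+GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
 
 # Do not change these two
 CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
+        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
+LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
+        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
-        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
-        -DVERSION='"$(version)"'
-LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
 # Commands to format a DocBook <refentry> document into a manual page
 DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
@@ -86,9 +120,9 @@
         /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
         $(notdir $<); \
         if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
+        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
+        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
+        $(notdir $@); fi >/dev/null)
-        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
-        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
-        fi >/dev/null)
 
 DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
         --param make.year.ranges                1 \
@@ -100,29 +134,35 @@
         /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
         $<; $(HTMLPOST) $@)
 # Fix citerefentry links
+HTMLPOST:=$(SED) --in-place \
-HTMLPOST=$(SED) --in-place \
         --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
 
+PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
-PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
         plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
         plugins.d/plymouth
+PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
+CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
+        $(PLUGIN_HELPERS)
+PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
+DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
-CPROGS=plugin-runner $(PLUGINS)
-PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
-DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
         mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
+        dracut-module/password-agent.8mandos \
         plugins.d/mandos-client.8mandos \
         plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
         plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
         plugins.d/plymouth.8mandos intro.8mandos
 
+htmldocs:=$(addsuffix .xhtml,$(DOCS))
+
+objects:=$(addsuffix .o,$(CPROGS))
+
+.PHONY: all
-htmldocs=$(addsuffix .xhtml,$(DOCS))
-
-objects=$(addsuffix .o,$(CPROGS))
-
 all: $(PROGS) mandos.lsm
 
+.PHONY: doc
 doc: $(DOCS)
 
+.PHONY: html
 html: $(htmldocs)
 
 %.5: %.xml common.ent legalnotice.xml
@@ -187,6 +227,15 @@
                 overview.xml legalnotice.xml
         $(DOCBOOKTOHTML)
 
+dracut-module/password-agent.8mandos: \
+                dracut-module/password-agent.xml common.ent \
+                overview.xml legalnotice.xml
+        $(DOCBOOKTOMAN)
+dracut-module/password-agent.8mandos.xhtml: \
+                dracut-module/password-agent.xml common.ent \
+                overview.xml legalnotice.xml
+        $(DOCBOOKTOHTML)
+
 plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
                                         common.ent \
                                         mandos-options.xml \
@@ -235,55 +284,86 @@
                 --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
                 $@)
 
+# Need to add the GnuTLS, Avahi and GPGME libraries
+plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
+        ) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
+plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \
+        ) $(AVAHI_LIBS) $(GPGME_LIBS)
+
+# Need to add the libnl-route library
+plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)
+plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)
+
+# Need to add the GLib and pthread libraries
+dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
+# Note: -lpthread is unnecessary with the GNU C library 2.34 or later
+dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
+
+.PHONY: clean
-plugins.d/mandos-client: plugins.d/mandos-client.c
-        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
-                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
-
-.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
-        check run-client run-server install install-html \
-        install-server install-client-nokey install-client uninstall \
-        uninstall-server uninstall-client purge purge-server \
-        purge-client
-
 clean:
         -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
 
+.PHONY: distclean
 distclean: clean
+.PHONY: mostlyclean
 mostlyclean: clean
+.PHONY: maintainer-clean
 maintainer-clean: clean
         -rm --force --recursive keydir confdir statedir
 
+.PHONY: check
+check: all
-check:  all
         ./mandos --check
         ./mandos-ctl --check
+        ./mandos-keygen --version
+        ./plugin-runner --version
+        ./plugin-helpers/mandos-client-iprouteadddel --version
+        ./dracut-module/password-agent --test
 
 # Run the client with a local config and key
+.PHONY: run-client
+run-client: all keydir/seckey.txt keydir/pubkey.txt \
+                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
+        @echo '######################################################'
+        @echo '# The following error messages are harmless and can  #'
+        @echo '#  be safely ignored:                                #'
+        @echo '## From plugin-runner:                               #'
+        @echo '# setgid: Operation not permitted                    #'
+        @echo '# setuid: Operation not permitted                    #'
+        @echo '## From askpass-fifo:                                #'
+        @echo '# mkfifo: Permission denied                          #'
+        @echo '## From mandos-client:                               #'
+        @echo '# Failed to raise privileges: Operation not permi... #'
+        @echo '# Warning: network hook "*" exited with status *     #'
+        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
+        @echo '# Failed to bring up interface "*": Operation not... #'
+        @echo '#                                                    #'
+        @echo '# (The messages are caused by not running as root,   #'
+        @echo '# but you should NOT run "make run-client" as root   #'
+        @echo '# unless you also unpacked and compiled Mandos as    #'
+        @echo '# root, which is also NOT recommended.)              #'
+        @echo '######################################################'
-run-client: all keydir/seckey.txt keydir/pubkey.txt
-        @echo "###################################################################"
-        @echo "# The following error messages are harmless and can be safely     #"
-        @echo "# ignored.  The messages are caused by not running as root, but   #"
-        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
-        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
-        @echo "# From plugin-runner: setgid: Operation not permitted             #"
-        @echo "#                     setuid: Operation not permitted             #"
-        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
-        @echo "# From mandos-client:                                             #"
-        @echo "#             Failed to raise privileges: Operation not permitted #"
-        @echo "#             Warning: network hook \"*\" exited with status *      #"
-        @echo "###################################################################"
 # We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
         ./plugin-runner --plugin-dir=plugins.d \
+                --plugin-helper-dir=plugin-helpers \
                 --config-file=plugin-runner.conf \
+                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
-                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
                 --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
                 $(CLIENTARGS)
 
 # Used by run-client
+keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
-keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
         install --directory keydir
         ./mandos-keygen --dir keydir --force
+        if ! [ -e keydir/tls-privkey.pem ]; then \
+                install --mode=u=rw /dev/null keydir/tls-privkey.pem; \
+        fi
+        if ! [ -e keydir/tls-pubkey.pem ]; then \
+                install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \
+        fi
 
 # Run the server with a local config
+.PHONY: run-server
 run-server: confdir/mandos.conf confdir/clients.conf statedir
         ./mandos --debug --no-dbus --configdir=confdir \
                 --statedir=statedir $(SERVERARGS)
@@ -292,7 +372,7 @@
 confdir/mandos.conf: mandos.conf
         install --directory confdir
         install --mode=u=rw,go=r $^ $@
+confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
-confdir/clients.conf: clients.conf keydir/seckey.txt
         install --directory confdir
         install --mode=u=rw $< $@
 # Add a client password
@@ -300,13 +380,16 @@
 statedir:
         install --directory statedir
 
+.PHONY: install
 install: install-server install-client-nokey
 
+.PHONY: install-html
 install-html: html
         install --directory $(htmldir)
         install --mode=u=rw,go=r --target-directory=$(htmldir) \
                 $(htmldocs)
 
+.PHONY: install-server
 install-server: doc
         install --directory $(CONFDIR)
         if install --directory --mode=u=rwx --owner=$(USER) \
@@ -315,6 +398,16 @@
         elif install --directory --mode=u=rwx $(STATEDIR); then \
                 chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
         fi
+        if [ "$(TMPFILES)" != "$(DESTDIR)" \
+                        -a -d "$(TMPFILES)" ]; then \
+                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
+                        $(TMPFILES)/mandos.conf; \
+        fi
+        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
+                        -a -d "$(SYSUSERS)" ]; then \
+                install --mode=u=rw,go=r sysusers.d-mandos.conf \
+                        $(SYSUSERS)/mandos.conf; \
+        fi
         install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
         install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
                 mandos-ctl
@@ -349,18 +442,29 @@
         gzip --best --to-stdout intro.8mandos \
                 > $(MANDIR)/man8/intro.8mandos.gz
 
+.PHONY: install-client-nokey
 install-client-nokey: all doc
         install --directory $(LIBDIR)/mandos $(CONFDIR)
         install --directory --mode=u=rwx $(KEYDIR) \
+                $(LIBDIR)/mandos/plugins.d \
+                $(LIBDIR)/mandos/plugin-helpers
+        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
+                        -a -d "$(SYSUSERS)" ]; then \
+                install --mode=u=rw,go=r sysusers.d-mandos.conf \
+                        $(SYSUSERS)/mandos-client.conf; \
+        fi
-                $(LIBDIR)/mandos/plugins.d
         if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
                 install --mode=u=rwx \
+                        --directory "$(CONFDIR)/plugins.d" \
+                        "$(CONFDIR)/plugin-helpers"; \
-                        --directory "$(CONFDIR)/plugins.d"; \
         fi
         install --mode=u=rwx,go=rx --directory \
                 "$(CONFDIR)/network-hooks.d"
         install --mode=u=rwx,go=rx \
                 --target-directory=$(LIBDIR)/mandos plugin-runner
+        install --mode=u=rwx,go=rx \
+                --target-directory=$(LIBDIR)/mandos \
+                mandos-to-cryptroot-unlock
         install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
                 mandos-keygen
         install --mode=u=rwx,go=rx \
@@ -381,12 +485,28 @@
         install --mode=u=rwxs,go=rx \
                 --target-directory=$(LIBDIR)/mandos/plugins.d \
                 plugins.d/plymouth
+        install --mode=u=rwx,go=rx \
+                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
+                plugin-helpers/mandos-client-iprouteadddel
         install initramfs-tools-hook \
                 $(INITRAMFSTOOLS)/hooks/mandos
+        install --mode=u=rw,go=r initramfs-tools-conf \
+                $(INITRAMFSTOOLS)/conf.d/mandos-conf
+        install --mode=u=rw,go=r initramfs-tools-conf-hook \
+                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
-        install --mode=u=rw,go=r initramfs-tools-hook-conf \
-                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
         install initramfs-tools-script \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos
+        install initramfs-tools-script-stop \
+                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
+        install --directory $(DRACUTMODULE)
+        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
+                dracut-module/ask-password-mandos.path \
+                dracut-module/ask-password-mandos.service
+        install --mode=u=rwxs,go=rx \
+                --target-directory=$(DRACUTMODULE) \
+                dracut-module/module-setup.sh \
+                dracut-module/cmdline-mandos.sh \
+                dracut-module/password-agent
         install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
         gzip --best --to-stdout mandos-keygen.8 \
                 > $(MANDIR)/man8/mandos-keygen.8.gz
@@ -404,15 +524,29 @@
                 > $(MANDIR)/man8/askpass-fifo.8mandos.gz
         gzip --best --to-stdout plugins.d/plymouth.8mandos \
                 > $(MANDIR)/man8/plymouth.8mandos.gz
+        gzip --best --to-stdout dracut-module/password-agent.8mandos \
+                > $(MANDIR)/man8/password-agent.8mandos.gz
 
+.PHONY: install-client
 install-client: install-client-nokey
 # Post-installation stuff
         -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
+        if command -v update-initramfs >/dev/null; then \
+            update-initramfs -k all -u; \
+        elif command -v dracut >/dev/null; then \
+            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
+                if [ -w "$$initrd" ]; then \
+                    chmod go-r "$$initrd"; \
+                    dracut --force "$$initrd"; \
+                fi; \
+            done; \
+        fi
-        update-initramfs -k all -u
         echo "Now run mandos-keygen --password --dir $(KEYDIR)"
 
+.PHONY: uninstall
 uninstall: uninstall-server uninstall-client
 
+.PHONY: uninstall-server
 uninstall-server:
         -rm --force $(PREFIX)/sbin/mandos \
                 $(PREFIX)/sbin/mandos-ctl \
@@ -425,6 +559,7 @@
         update-rc.d -f mandos remove
         -rmdir $(CONFDIR)
 
+.PHONY: uninstall-client
 uninstall-client:
 # Refuse to uninstall client if /etc/crypttab is explicitly configured
 # to use it.
@@ -441,6 +576,12 @@
                 $(INITRAMFSTOOLS)/hooks/mandos \
                 $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
+                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
+                $(DRACUTMODULE)/ask-password-mandos.path \
+                $(DRACUTMODULE)/ask-password-mandos.service \
+                $(DRACUTMODULE)/module-setup.sh \
+                $(DRACUTMODULE)/cmdline-mandos.sh \
+                $(DRACUTMODULE)/password-agent \
                 $(MANDIR)/man8/mandos-keygen.8.gz \
                 $(MANDIR)/man8/plugin-runner.8mandos.gz \
                 $(MANDIR)/man8/mandos-client.8mandos.gz
@@ -449,12 +590,21 @@
                 $(MANDIR)/man8/splashy.8mandos.gz \
                 $(MANDIR)/man8/askpass-fifo.8mandos.gz \
                 $(MANDIR)/man8/plymouth.8mandos.gz \
+                $(MANDIR)/man8/password-agent.8mandos.gz \
         -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
+                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
+        if command -v update-initramfs >/dev/null; then \
+            update-initramfs -k all -u; \
+        elif command -v dracut >/dev/null; then \
+            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
+                test -w "$$initrd" && dracut --force "$$initrd"; \
+            done; \
+        fi
-                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
-        update-initramfs -k all -u
 
+.PHONY: purge
 purge: purge-server purge-client
 
+.PHONY: purge-server
 purge-server: uninstall-server
         -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \
                 $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
@@ -465,8 +615,10 @@
                 $(DESTDIR)/var/run/mandos.pid
         -rmdir $(CONFDIR)
 
+.PHONY: purge-client
 purge-client: uninstall-client
+        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
-        -shred --remove $(KEYDIR)/seckey.txt
         -rm --force $(CONFDIR)/plugin-runner.conf \
+                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
+                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
-                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
         -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)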
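Review bot: The new rm list in purge-client (new line 623) names `$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt`, but every other reference in this file uses the `.pem` names (the shred line right above it, the run-client prerequisites and the `--tls-privkey=`/`--tls-pubkey=` options), so the line should read `$(KEYDIR)/tls-pubkey.pem $(KEYDIR)/tls-privkey.pem`. As written, tls-pubkey.pem is never removed, tls-privkey.pem survives whenever the `-`-prefixed shred fails, and the following `rmdir $(KEYDIR)` then fails on the non-empty directory, leaving TLS key material behind after a purge. The same mismatch pattern appears in uninstall-client (new lines 576-587): it still removes `$(INITRAMFSTOOLS)/conf-hooks.d/mandos`, which install-client-nokey no longer creates, but not the `$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos` and `$(INITRAMFSTOOLS)/conf.d/mandos-conf` files it now installs, so stale initramfs configuration persists after uninstall. Separately, and already present on the old side, the `plymouth.8mandos.gz \` line directly before `-rmdir` ends with a continuation backslash, which if real makes `-rmdir` and its paths arguments of the preceding `rm` rather than a separate command; the new `password-agent.8mandos.gz \` line extends that chain, so it is worth confirming and dropping the trailing backslash there.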