/mandos/trunk : revision 742

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to initramfs-tools-hook

Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

initramfs-tools-hook

CONFDIR="/conf/conf.d/mandos"

MANDOSDIR="/lib/mandos"

PLUGINDIR="${MANDOSDIR}/plugins.d"

PLUGINHELPERDIR="${MANDOSDIR}/plugin-helpers"

HOOKDIR="${MANDOSDIR}/network-hooks.d"

# Make directories

install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \

"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}" \

"${DESTDIR}${PLUGINHELPERDIR}"

"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"

install --owner=${mandos_user} --group=${mandos_group} --directory \

--mode=u=rwx "${DESTDIR}${PLUGINDIR}"

100

esac

101

done

102

100

103

# Copy the packaged plugin helpers

104

for file in "$libdir"/mandos/plugin-helpers/*; do

105

base="`basename \"$file\"`"

106

# Is this plugin overridden?

107

if [ -e "/etc/mandos/plugin-helpers/$base" ]; then

108

continue

109

110

case "$base" in

111

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

112

: ;;

113

"*") : ;;

114

*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;

115

esac

116

done

117

118

101

# Copy any user-supplied plugins

119

102

for file in /etc/mandos/plugins.d/*; do

120

103

base="`basename \"$file\"`"

126

109

esac

127

110

done

128

111

129

# Copy any user-supplied plugin helpers

130

for file in /etc/mandos/plugin-helpers/*; do

131

base="`basename \"$file\"`"

132

case "$base" in

133

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

134

: ;;

135

"*") : ;;

136

*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;

137

esac

138

done

139

140

112

# Get DEVICE from initramfs.conf and other files

141

113

. /etc/initramfs-tools/initramfs.conf

142

114

for conf in /etc/initramfs-tools/conf.d/*; do

219

191

if [ -d "$file" ]; then

220

192

continue

221

193

222

case "$file" in

223

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

224

: ;;

225

"*") : ;;

226

227

cp --archive --sparse=always "$file" \

228

"${DESTDIR}${CONFDIR}"

229

chown ${mandos_user}:${mandos_group} \

230

"${DESTDIR}${CONFDIR}/`basename \"$file\"`"

231

;;

232

esac

194

cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"

195

chown ${mandos_user}:${mandos_group} \

196

"${DESTDIR}${CONFDIR}/`basename \"$file\"`"

233

197

done

234

# Use Diffie-Hellman parameters file if available

235

if [ -e "${DESTDIR}${CONFDIR}"/dhparams.pem ]; then

236

sed --in-place \

237

--expression="1i--options-for=mandos-client:--dh-params=${CONFDIR}/dhparams.pem" \

238

"${DESTDIR}/${CONFDIR}/plugin-runner.conf"

239

240

198

241

199

# /lib/mandos/plugin-runner will drop priviliges, but needs access to

242

200

# its plugin directory and its config file. However, since almost all

Older »