/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

Makefile

WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \

-Wunused -Wuninitialized -Wstrict-overflow=5 \

-Wsuggest-attribute=pure -Wsuggest-attribute=const \

-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \

-Wredundant-decls -Wnested-externs -Winline -Wvla \

-Wvolatile-register-var -Woverlength-strings

#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)

## Check which sanitizing options can be used

#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \

# echo 'int main(){}' | $(CC) --language=c $(option) \

# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))

# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>

ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \

-fsanitize=shift -fsanitize=integer-divide-by-zero \

-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \

-fsanitize=return -fsanitize=signed-integer-overflow \

-fsanitize=bounds -fsanitize=alignment \

-fsanitize=object-size -fsanitize=float-divide-by-zero \

-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \

-fsanitize=returns-nonnull-attribute -fsanitize=bool \

-fsanitize=enum

#DEBUG=-ggdb3

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD:=-z relro -z now

LINK_FORTIFY:=

# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD=-z relro -z now

LINK_FORTIFY=

# If BROKEN_PIE is set, do not build with -pie

ifndef BROKEN_PIE

LINK_FORTIFY += -pie

endif

#COVERAGE=--coverage

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

htmldir:=man

version:=1.8.4

SED:=sed

OPTIMIZE=-Os -fno-strict-aliasing

LANGUAGE=-std=gnu11

htmldir=man

version=1.6.9

SED=sed

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))

USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))

## Use these settings for a traditional /usr/local install

# PREFIX:=$(DESTDIR)/usr/local

# CONFDIR:=$(DESTDIR)/etc/mandos

# KEYDIR:=$(DESTDIR)/etc/mandos/keys

# MANDIR:=$(PREFIX)/man

# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools

# STATEDIR:=$(DESTDIR)/var/lib/mandos

# LIBDIR:=$(PREFIX)/lib

# PREFIX=$(DESTDIR)/usr/local

# CONFDIR=$(DESTDIR)/etc/mandos

# KEYDIR=$(DESTDIR)/etc/mandos/keys

# MANDIR=$(PREFIX)/man

# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools

# STATEDIR=$(DESTDIR)/var/lib/mandos

# LIBDIR=$(PREFIX)/lib

## These settings are for a package-type install

PREFIX:=$(DESTDIR)/usr

CONFDIR:=$(DESTDIR)/etc/mandos

KEYDIR:=$(DESTDIR)/etc/keys/mandos

MANDIR:=$(PREFIX)/share/man

INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools

STATEDIR:=$(DESTDIR)/var/lib/mandos

LIBDIR:=$(shell \

PREFIX=$(DESTDIR)/usr

CONFDIR=$(DESTDIR)/etc/mandos

KEYDIR=$(DESTDIR)/etc/keys/mandos

MANDIR=$(PREFIX)/share/man

INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools

STATEDIR=$(DESTDIR)/var/lib/mandos

LIBDIR=$(shell \

for d in \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \

done)

SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)

SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \

GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \

getconf LFS_LDFLAGS)

LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)

LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)

LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)

LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)

# Do not change these two

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \

$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \

$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \

-DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

# Commands to format a DocBook <refentry> document into a manual page

118

102

/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \

119

103

$<; $(HTMLPOST) $@)

120

104

# Fix citerefentry links

121

HTMLPOST:=$(SED) --in-place \

105

HTMLPOST=$(SED) --in-place \

122

106

--expression='s/$<a class="citerefentry" href="$$"><span class="citerefentry"><span class="refentrytitle">$$[^<]*$$<\/span>($$[^)]*$$)<\/span><\/a>$/\1\3.\5\2\3\4\5\6/g'

123

107

124

PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \

108

PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \

125

109

plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \

126

110

plugins.d/plymouth

127

PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel

128

CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)

129

PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

130

DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

111

PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel

112

CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)

113

PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

114

DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

131

115

mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \

132

116

plugins.d/mandos-client.8mandos \

133

117

plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \

134

118

plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \

135

119

plugins.d/plymouth.8mandos intro.8mandos

136

120

137

htmldocs:=$(addsuffix .xhtml,$(DOCS))

121

htmldocs=$(addsuffix .xhtml,$(DOCS))

138

122

139

objects:=$(addsuffix .o,$(CPROGS))

123

objects=$(addsuffix .o,$(CPROGS))

140

124

141

125

all: $(PROGS) mandos.lsm

142

126

254

238

--expression='s/$mandos_$[0-9.]\+$\.orig\.tar\.gz$/\1$(version)\2/' \

255

239

$@)

256

240

257

# Need to add the GnuTLS, Avahi and GPGME libraries

258

241

plugins.d/mandos-client: plugins.d/mandos-client.c

259

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

260

) $(GPGME_CFLAGS) -lrt $(GNUTLS_LIBS) $(strip\

261

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

262

) $(LDLIBS) -o $@

242

$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\

243

) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@

263

244

264

245

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

265

246

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

284

265

./mandos-ctl --check

285

266

286

267

# Run the client with a local config and key

287

run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem

268

run-client: all keydir/seckey.txt keydir/pubkey.txt

288

269

@echo "###################################################################"

289

270

@echo "# The following error messages are harmless and can be safely #"

290

@echo "# ignored: #"

271

@echo "# ignored. The messages are caused by not running as root, but #"

272

@echo "# you should NOT run \"make run-client\" as root unless you also #"

273

@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"

291

274

@echo "# From plugin-runner: setgid: Operation not permitted #"

292

275

@echo "# setuid: Operation not permitted #"

293

276

@echo "# From askpass-fifo: mkfifo: Permission denied #"

294

277

@echo "# From mandos-client: #"

295

278

@echo "# Failed to raise privileges: Operation not permitted #"

296

279

@echo "# Warning: network hook \"*\" exited with status * #"

297

@echo "# #"

298

@echo "# (The messages are caused by not running as root, but you should #"

299

@echo "# NOT run \"make run-client\" as root unless you also unpacked and #"

300

@echo "# compiled Mandos as root, which is also NOT recommended.) #"

301

280

@echo "###################################################################"

302

281

# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring

303

282

./plugin-runner --plugin-dir=plugins.d \

304

283

--plugin-helper-dir=plugin-helpers \

305

284

--config-file=plugin-runner.conf \

306

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \

285

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \

307

286

--env-for=mandos-client:GNOME_KEYRING_CONTROL= \

308

287

$(CLIENTARGS)

309

288

310

289

# Used by run-client

311

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

290

keydir/seckey.txt keydir/pubkey.txt: mandos-keygen

312

291

install --directory keydir

313

292

./mandos-keygen --dir keydir --force

314

293

321

300

confdir/mandos.conf: mandos.conf

322

301

install --directory confdir

323

302

install --mode=u=rw,go=r $^ $@

324

confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem

303

confdir/clients.conf: clients.conf keydir/seckey.txt

325

304

install --directory confdir

326

305

install --mode=u=rw $< $@

327

306

# Add a client password

344

323

elif install --directory --mode=u=rwx $(STATEDIR); then \

345

324

chown -- $(USER):$(GROUP) $(STATEDIR) || :; \

346

325

347

if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \

348

install --mode=u=rw,go=r tmpfiles.d-mandos.conf \

349

$(TMPFILES)/mandos.conf; \

350

351

326

install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos

352

327

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

353

328

mandos-ctl

389

364

$(LIBDIR)/mandos/plugin-helpers

390

365

if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \

391

366

install --mode=u=rwx \

392

--directory "$(CONFDIR)/plugins.d" \

393

"$(CONFDIR)/plugin-helpers"; \

367

--directory "$(CONFDIR)/plugins.d"; \

368

install --directory "$(CONFDIR)/plugin-helpers"; \

394

369

395

370

install --mode=u=rwx,go=rx --directory \

396

371

"$(CONFDIR)/network-hooks.d"

397

372

install --mode=u=rwx,go=rx \

398

373

--target-directory=$(LIBDIR)/mandos plugin-runner

399

install --mode=u=rwx,go=rx \

400

--target-directory=$(LIBDIR)/mandos mandos-to-cryptroot-unlock

401

374

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

402

375

mandos-keygen

403

376

install --mode=u=rwx,go=rx \

418

391

install --mode=u=rwxs,go=rx \

419

392

--target-directory=$(LIBDIR)/mandos/plugins.d \

420

393

plugins.d/plymouth

421

install --mode=u=rwx,go=rx \

394

install --mode=u=rwxs,go=rx \

422

395

--target-directory=$(LIBDIR)/mandos/plugin-helpers \

423

396

plugin-helpers/mandos-client-iprouteadddel

424

397

install initramfs-tools-hook \

425

398

$(INITRAMFSTOOLS)/hooks/mandos

426

install --mode=u=rw,go=r initramfs-tools-conf \

427

$(INITRAMFSTOOLS)/conf.d/mandos-conf

428

install --mode=u=rw,go=r initramfs-tools-conf-hook \

429

$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos

399

install --mode=u=rw,go=r initramfs-tools-hook-conf \

400

$(INITRAMFSTOOLS)/conf-hooks.d/mandos

430

401

install initramfs-tools-script \

431

402

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

432

install initramfs-tools-script-stop \

433

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

434

403

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

435

404

gzip --best --to-stdout mandos-keygen.8 \

436

405

> $(MANDIR)/man8/mandos-keygen.8.gz

510

479

-rmdir $(CONFDIR)

511

480

512

481

purge-client: uninstall-client

513

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

482

-shred --remove $(KEYDIR)/seckey.txt

514

483

-rm --force $(CONFDIR)/plugin-runner.conf \

515

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \

516

$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt

484

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt

517

485

-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)

Older »