/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
24
24
endif
25
25
#COVERAGE=--coverage
26
26
OPTIMIZE=-Os -fno-strict-aliasing
27
 
LANGUAGE=-std=gnu99
 
27
LANGUAGE=-std=gnu11
28
28
htmldir=man
29
 
version=1.6.4
 
29
version=1.6.9
30
30
SED=sed
31
31
 
32
32
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
69
69
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
70
70
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
71
71
        getconf LFS_LDFLAGS)
 
72
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
73
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
72
74
 
73
75
# Do not change these two
74
76
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
106
108
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
107
109
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
108
110
        plugins.d/plymouth
109
 
CPROGS=plugin-runner $(PLUGINS)
 
111
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
 
112
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
110
113
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
111
114
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
112
115
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
239
242
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
240
243
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
241
244
 
 
245
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
 
246
        $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
 
247
                ) $(LOADLIBES) $(LDLIBS) -o $@
 
248
 
242
249
.PHONY : all doc html clean distclean mostlyclean maintainer-clean \
243
250
        check run-client run-server install install-html \
244
251
        install-server install-client-nokey install-client uninstall \
264
271
        @echo "# ignored.  The messages are caused by not running as root, but   #"
265
272
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
266
273
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
267
 
        @echo "# From plugin-runner: setuid: Operation not permitted             #"
 
274
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
 
275
        @echo "#                     setuid: Operation not permitted             #"
268
276
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
269
 
        @echo "# From mandos-client: setuid: Operation not permitted             #"
270
 
        @echo "#                     seteuid: Operation not permitted            #"
271
 
        @echo "#                     klogctl: Operation not permitted            #"
 
277
        @echo "# From mandos-client:                                             #"
 
278
        @echo "#             Failed to raise privileges: Operation not permitted #"
 
279
        @echo "#             Warning: network hook \"*\" exited with status *      #"
272
280
        @echo "###################################################################"
 
281
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
273
282
        ./plugin-runner --plugin-dir=plugins.d \
 
283
                --plugin-helper-dir=plugin-helpers \
274
284
                --config-file=plugin-runner.conf \
275
285
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
 
286
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
276
287
                $(CLIENTARGS)
277
288
 
278
289
# Used by run-client
293
304
        install --directory confdir
294
305
        install --mode=u=rw $< $@
295
306
# Add a client password
296
 
        ./mandos-keygen --dir keydir --password >> $@
 
307
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
297
308
statedir:
298
309
        install --directory statedir
299
310
 
349
360
install-client-nokey: all doc
350
361
        install --directory $(LIBDIR)/mandos $(CONFDIR)
351
362
        install --directory --mode=u=rwx $(KEYDIR) \
352
 
                $(LIBDIR)/mandos/plugins.d
 
363
                $(LIBDIR)/mandos/plugins.d \
 
364
                $(LIBDIR)/mandos/plugin-helpers
353
365
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
354
366
                install --mode=u=rwx \
355
367
                        --directory "$(CONFDIR)/plugins.d"; \
 
368
                install --directory "$(CONFDIR)/plugin-helpers"; \
356
369
        fi
357
370
        install --mode=u=rwx,go=rx --directory \
358
371
                "$(CONFDIR)/network-hooks.d"
378
391
        install --mode=u=rwxs,go=rx \
379
392
                --target-directory=$(LIBDIR)/mandos/plugins.d \
380
393
                plugins.d/plymouth
 
394
        install --mode=u=rwxs,go=rx \
 
395
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
 
396
                plugin-helpers/mandos-client-iprouteadddel
381
397
        install initramfs-tools-hook \
382
398
                $(INITRAMFSTOOLS)/hooks/mandos
383
399
        install --mode=u=rw,go=r initramfs-tools-hook-conf \