/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
1
WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
4
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
10
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
12
12
        -Wvolatile-register-var -Woverlength-strings
13
 
#DEBUG:=-ggdb3 -fsanitize=address 
 
13
#DEBUG=-ggdb3
14
14
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
15
 
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
16
 
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
17
 
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
18
 
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
19
 
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
20
 
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
21
 
        -fsanitize=return -fsanitize=signed-integer-overflow \
22
 
        -fsanitize=bounds -fsanitize=alignment \
23
 
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
24
 
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
25
 
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
26
 
        -fsanitize=enum
27
 
# Check which sanitizing options can be used
28
 
SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
29
 
        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
30
 
        -o /dev/null >/dev/null 2>&1 && echo $(option)))
31
 
LINK_FORTIFY_LD:=-z relro -z now
32
 
LINK_FORTIFY:=
 
15
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
16
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
17
LINK_FORTIFY_LD=-z relro -z now
 
18
LINK_FORTIFY=
33
19
 
34
20
# If BROKEN_PIE is set, do not build with -pie
35
21
ifndef BROKEN_PIE
37
23
LINK_FORTIFY += -pie
38
24
endif
39
25
#COVERAGE=--coverage
40
 
OPTIMIZE:=-Os -fno-strict-aliasing
41
 
LANGUAGE:=-std=gnu11
42
 
htmldir:=man
43
 
version:=1.7.18
44
 
SED:=sed
 
26
OPTIMIZE=-Os -fno-strict-aliasing
 
27
LANGUAGE=-std=gnu11
 
28
htmldir=man
 
29
version=1.6.9
 
30
SED=sed
45
31
 
46
 
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
47
 
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
 
32
USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
 
33
GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))
48
34
 
49
35
## Use these settings for a traditional /usr/local install
50
 
# PREFIX:=$(DESTDIR)/usr/local
51
 
# CONFDIR:=$(DESTDIR)/etc/mandos
52
 
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
53
 
# MANDIR:=$(PREFIX)/man
54
 
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
55
 
# STATEDIR:=$(DESTDIR)/var/lib/mandos
56
 
# LIBDIR:=$(PREFIX)/lib
 
36
# PREFIX=$(DESTDIR)/usr/local
 
37
# CONFDIR=$(DESTDIR)/etc/mandos
 
38
# KEYDIR=$(DESTDIR)/etc/mandos/keys
 
39
# MANDIR=$(PREFIX)/man
 
40
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
 
41
# STATEDIR=$(DESTDIR)/var/lib/mandos
 
42
# LIBDIR=$(PREFIX)/lib
57
43
##
58
44
 
59
45
## These settings are for a package-type install
60
 
PREFIX:=$(DESTDIR)/usr
61
 
CONFDIR:=$(DESTDIR)/etc/mandos
62
 
KEYDIR:=$(DESTDIR)/etc/keys/mandos
63
 
MANDIR:=$(PREFIX)/share/man
64
 
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
65
 
STATEDIR:=$(DESTDIR)/var/lib/mandos
66
 
LIBDIR:=$(shell \
 
46
PREFIX=$(DESTDIR)/usr
 
47
CONFDIR=$(DESTDIR)/etc/mandos
 
48
KEYDIR=$(DESTDIR)/etc/keys/mandos
 
49
MANDIR=$(PREFIX)/share/man
 
50
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
 
51
STATEDIR=$(DESTDIR)/var/lib/mandos
 
52
LIBDIR=$(shell \
67
53
        for d in \
68
54
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
69
55
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
74
60
        done)
75
61
##
76
62
 
77
 
SYSTEMD:=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
78
 
TMPFILES:=$(DESTDIR)$(shell pkg-config systemd --variable=tmpfilesdir)
 
63
SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)
79
64
 
80
 
GNUTLS_CFLAGS:=$(shell pkg-config --cflags-only-I gnutls)
81
 
GNUTLS_LIBS:=$(shell pkg-config --libs gnutls)
82
 
AVAHI_CFLAGS:=$(shell pkg-config --cflags-only-I avahi-core)
83
 
AVAHI_LIBS:=$(shell pkg-config --libs avahi-core)
84
 
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
85
 
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
65
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
 
66
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
 
67
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
 
68
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
 
69
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
70
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
86
71
        getconf LFS_LDFLAGS)
87
 
LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
88
 
LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
 
72
LIBNL3_CFLAGS=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 
73
LIBNL3_LIBS=$(shell pkg-config --libs libnl-route-3.0)
89
74
 
90
75
# Do not change these two
91
 
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
92
 
        $(OPTIMIZE) $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) \
93
 
        $(GPGME_CFLAGS) -DVERSION='"$(version)"'
 
76
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
 
77
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
 
78
        -DVERSION='"$(version)"'
94
79
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
95
80
 
96
81
# Commands to format a DocBook <refentry> document into a manual page
117
102
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
118
103
        $<; $(HTMLPOST) $@)
119
104
# Fix citerefentry links
120
 
HTMLPOST:=$(SED) --in-place \
 
105
HTMLPOST=$(SED) --in-place \
121
106
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
122
107
 
123
 
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
 
108
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
124
109
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
125
110
        plugins.d/plymouth
126
 
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
127
 
CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
128
 
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
129
 
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
111
PLUGIN_HELPERS=plugin-helpers/mandos-client-iprouteadddel
 
112
CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 
113
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
114
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
130
115
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
131
116
        plugins.d/mandos-client.8mandos \
132
117
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
133
118
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
134
119
        plugins.d/plymouth.8mandos intro.8mandos
135
120
 
136
 
htmldocs:=$(addsuffix .xhtml,$(DOCS))
 
121
htmldocs=$(addsuffix .xhtml,$(DOCS))
137
122
 
138
 
objects:=$(addsuffix .o,$(CPROGS))
 
123
objects=$(addsuffix .o,$(CPROGS))
139
124
 
140
125
all: $(PROGS) mandos.lsm
141
126
 
253
238
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
254
239
                $@)
255
240
 
256
 
# Need to add the GnuTLS, Avahi and GPGME libraries, and can't use
257
 
# -fsanitize=leak because GnuTLS and GPGME both leak memory.
258
241
plugins.d/mandos-client: plugins.d/mandos-client.c
259
 
        $(CC) $(filter-out -fsanitize=leak,$(CFLAGS)) $(strip\
260
 
                ) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH) $^ $(strip\
261
 
                ) -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
 
242
        $(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
262
243
                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
263
244
 
264
245
plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
287
268
run-client: all keydir/seckey.txt keydir/pubkey.txt
288
269
        @echo "###################################################################"
289
270
        @echo "# The following error messages are harmless and can be safely     #"
290
 
        @echo "# ignored:                                                        #"
 
271
        @echo "# ignored.  The messages are caused by not running as root, but   #"
 
272
        @echo "# you should NOT run \"make run-client\" as root unless you also    #"
 
273
        @echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
291
274
        @echo "# From plugin-runner: setgid: Operation not permitted             #"
292
275
        @echo "#                     setuid: Operation not permitted             #"
293
276
        @echo "# From askpass-fifo:  mkfifo: Permission denied                   #"
294
277
        @echo "# From mandos-client:                                             #"
295
278
        @echo "#             Failed to raise privileges: Operation not permitted #"
296
279
        @echo "#             Warning: network hook \"*\" exited with status *      #"
297
 
        @echo "#                                                                 #"
298
 
        @echo "# (The messages are caused by not running as root, but you should #"
299
 
        @echo "# NOT run \"make run-client\" as root unless you also unpacked and  #"
300
 
        @echo "# compiled Mandos as root, which is also NOT recommended.)        #"
301
280
        @echo "###################################################################"
302
281
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
303
282
        ./plugin-runner --plugin-dir=plugins.d \
344
323
        elif install --directory --mode=u=rwx $(STATEDIR); then \
345
324
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
346
325
        fi
347
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" -a -d "$(TMPFILES)" ]; then \
348
 
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
349
 
                        $(TMPFILES)/mandos.conf; \
350
 
        fi
351
326
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
352
327
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
353
328
                mandos-ctl
389
364
                $(LIBDIR)/mandos/plugin-helpers
390
365
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
391
366
                install --mode=u=rwx \
392
 
                        --directory "$(CONFDIR)/plugins.d" \
393
 
                        "$(CONFDIR)/plugin-helpers"; \
 
367
                        --directory "$(CONFDIR)/plugins.d"; \
 
368
                install --directory "$(CONFDIR)/plugin-helpers"; \
394
369
        fi
395
370
        install --mode=u=rwx,go=rx --directory \
396
371
                "$(CONFDIR)/network-hooks.d"
416
391
        install --mode=u=rwxs,go=rx \
417
392
                --target-directory=$(LIBDIR)/mandos/plugins.d \
418
393
                plugins.d/plymouth
419
 
        install --mode=u=rwx,go=rx \
 
394
        install --mode=u=rwxs,go=rx \
420
395
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
421
396
                plugin-helpers/mandos-client-iprouteadddel
422
397
        install initramfs-tools-hook \