Viewing changes to Makefile

  • Committer: Teddy Hogeborn
  • Date: 2019-02-10 03:50:20 UTC
  • Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu
Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

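--- a/Makefile
+++ b/Makefile
@@ -10,12 +10,10 @@
         -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
         -Wredundant-decls -Wnested-externs -Winline -Wvla \
         -Wvolatile-register-var -Woverlength-strings
-
-#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
-## Check which sanitizing options can be used
-#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
-#       echo 'int main(){}' | $(CC) --language=c $(option) \
-#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
+#DEBUG:=-ggdb3 -fsanitize=address 
+# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
+# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
+FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 # <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
 ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
         -fsanitize=shift -fsanitize=integer-divide-by-zero \
@@ -25,11 +23,11 @@
         -fsanitize=object-size -fsanitize=float-divide-by-zero \
         -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
         -fsanitize=returns-nonnull-attribute -fsanitize=bool \
-        -fsanitize=enum -fsanitize-address-use-after-scope
-
-# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
-# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
-FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
+        -fsanitize=enum
+# Check which sanitizing options can be used
+SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
+        echo 'int main(){}' | $(CC) --language=c $(option) /dev/stdin \
+        -o /dev/null >/dev/null 2>&1 && echo $(option)))
 LINK_FORTIFY_LD:=-z relro -z now
 LINK_FORTIFY:=
 
@@ -42,13 +40,11 @@
 OPTIMIZE:=-Os -fno-strict-aliasing
 LANGUAGE:=-std=gnu11
 htmldir:=man
-version:=1.8.4
+version:=1.7.20
 SED:=sed
 
-USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
-        || getent passwd nobody || echo 65534)))
-GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
-        || getent group nogroup || echo 65534)))
+USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))
+GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nogroup || echo 65534)))
 
 ## Use these settings for a traditional /usr/local install
 # PREFIX:=$(DESTDIR)/usr/local
@@ -56,7 +52,6 @@
 # KEYDIR:=$(DESTDIR)/etc/mandos/keys
 # MANDIR:=$(PREFIX)/man
 # INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
-# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 # STATEDIR:=$(DESTDIR)/var/lib/mandos
 # LIBDIR:=$(PREFIX)/lib
 ##
@@ -67,7 +62,6 @@
 KEYDIR:=$(DESTDIR)/etc/keys/mandos
 MANDIR:=$(PREFIX)/share/man
 INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
-DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 STATEDIR:=$(DESTDIR)/var/lib/mandos
 LIBDIR:=$(shell \
         for d in \
@@ -92,14 +86,11 @@
         getconf LFS_LDFLAGS)
 LIBNL3_CFLAGS:=$(shell pkg-config --cflags-only-I libnl-route-3.0)
 LIBNL3_LIBS:=$(shell pkg-config --libs libnl-route-3.0)
-GLIB_CFLAGS:=$(shell pkg-config --cflags glib-2.0)
-GLIB_LIBS:=$(shell pkg-config --libs glib-2.0)
 
 # Do not change these two
-CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \
+CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \
         $(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'
-LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
-        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
+LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
 # Commands to format a DocBook <refentry> document into a manual page
 DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
@@ -111,9 +102,9 @@
         /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
         $(notdir $<); \
         if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
-        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
-        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
-        $(notdir $@); fi >/dev/null)
+        && type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \
+        man --warnings --encoding=UTF-8 --local-file $(notdir $@); \
+        fi >/dev/null)
 
 DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
         --param make.year.ranges                1 \
@@ -132,12 +123,10 @@
         plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
         plugins.d/plymouth
 PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
-CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
-        $(PLUGIN_HELPERS)
+CPROGS:=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
         mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
-        dracut-module/password-agent.8mandos \
         plugins.d/mandos-client.8mandos \
         plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
         plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
@@ -215,15 +204,6 @@
                 overview.xml legalnotice.xml
         $(DOCBOOKTOHTML)
 
-dracut-module/password-agent.8mandos: \
-                dracut-module/password-agent.xml common.ent \
-                overview.xml legalnotice.xml
-        $(DOCBOOKTOMAN)
-dracut-module/password-agent.8mandos.xhtml: \
-                dracut-module/password-agent.xml common.ent \
-                overview.xml legalnotice.xml
-        $(DOCBOOKTOHTML)
-
 plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
                                         common.ent \
                                         mandos-options.xml \
@@ -272,23 +252,19 @@
                 --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
                 $@)
 
-# Need to add the GnuTLS, Avahi and GPGME libraries
+# Need to add the GnuTLS, Avahi and GPGME libraries, and can't use
+# -fsanitize=leak because GnuTLS and GPGME both leak memory.
 plugins.d/mandos-client: plugins.d/mandos-client.c
-        $(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\
-                ) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\
-                ) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\
-                ) $(LDLIBS) -o $@
+        $(CC) $(filter-out -fsanitize=leak,$(CFLAGS)) $(strip\
+        ) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) $(strip\
+                ) $(CPPFLAGS) $(LDFLAGS) $(TARGET_ARCH) $^ $(strip\
+                ) -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
+                ) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
 
-# Need to add the libnl-route library
 plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c
         $(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\
                 ) $(LOADLIBES) $(LDLIBS) -o $@
 
-# Need to add the GLib and pthread libraries
-dracut-module/password-agent: dracut-module/password-agent.c
-        $(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\
-                ) $(LOADLIBES) $(LDLIBS) -o $@
-
 .PHONY : all doc html clean distclean mostlyclean maintainer-clean \
         check run-client run-server install install-html \
         install-server install-client-nokey install-client uninstall \
@@ -303,13 +279,9 @@
 maintainer-clean: clean
         -rm --force --recursive keydir confdir statedir
 
-check: all
+check:  all
         ./mandos --check
         ./mandos-ctl --check
-        ./mandos-keygen --version
-        ./plugin-runner --version
-        ./plugin-helpers/mandos-client-iprouteadddel --version
-        ./dracut-module/password-agent --test
 
 # Run the client with a local config and key
 run-client: all keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem
@@ -453,21 +425,10 @@
                 $(INITRAMFSTOOLS)/hooks/mandos
         install --mode=u=rw,go=r initramfs-tools-conf \
                 $(INITRAMFSTOOLS)/conf.d/mandos-conf
-        install --mode=u=rw,go=r initramfs-tools-conf-hook \
-                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
         install initramfs-tools-script \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos
         install initramfs-tools-script-stop \
                 $(INITRAMFSTOOLS)/scripts/local-premount/mandos
-        install --directory $(DRACUTMODULE)
-        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
-                dracut-module/ask-password-mandos.path \
-                dracut-module/ask-password-mandos.service
-        install --mode=u=rwxs,go=rx \
-                --target-directory=$(DRACUTMODULE) \
-                dracut-module/module-setup.sh \
-                dracut-module/cmdline-mandos.sh \
-                dracut-module/password-agent
         install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
         gzip --best --to-stdout mandos-keygen.8 \
                 > $(MANDIR)/man8/mandos-keygen.8.gz
@@ -485,22 +446,11 @@
                 > $(MANDIR)/man8/askpass-fifo.8mandos.gz
         gzip --best --to-stdout plugins.d/plymouth.8mandos \
                 > $(MANDIR)/man8/plymouth.8mandos.gz
-        gzip --best --to-stdout dracut-module/password-agent.8mandos \
-                > $(MANDIR)/man8/password-agent.8mandos.gz
 
 install-client: install-client-nokey
 # Post-installation stuff
         -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
-        if command -v update-initramfs >/dev/null; then \
-            update-initramfs -k all -u; \
-        elif command -v dracut >/dev/null; then \
-            for initrd in $(DESTDIR)/boot/initr*-$(shell uname --kernel-release); do \
-                if [ -w "$$initrd" ]; then \
-                    chmod go-r "$$initrd"; \
-                    dracut --force "$$initrd"; \
-                fi; \
-            done; \
-        fi
+        update-initramfs -k all -u
         echo "Now run mandos-keygen --password --dir $(KEYDIR)"
 
 uninstall: uninstall-server uninstall-client
@@ -533,12 +483,6 @@
                 $(INITRAMFSTOOLS)/hooks/mandos \
                 $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
                 $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
-                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
-                $(DRACUTMODULE)/ask-password-mandos.path \
-                $(DRACUTMODULE)/ask-password-mandos.service \
-                $(DRACUTMODULE)/module-setup.sh \
-                $(DRACUTMODULE)/cmdline-mandos.sh \
-                $(DRACUTMODULE)/password-agent \
                 $(MANDIR)/man8/mandos-keygen.8.gz \
                 $(MANDIR)/man8/plugin-runner.8mandos.gz \
                 $(MANDIR)/man8/mandos-client.8mandos.gz
@@ -547,15 +491,8 @@
                 $(MANDIR)/man8/splashy.8mandos.gz \
                 $(MANDIR)/man8/askpass-fifo.8mandos.gz \
                 $(MANDIR)/man8/plymouth.8mandos.gz \
-                $(MANDIR)/man8/password-agent.8mandos.gz \
         -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
-                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
-        if command -v update-initramfs >/dev/null; then \
-            update-initramfs -k all -u; \
-        elif command -v dracut >/dev/null; then \
-            for initrd in $(DESTDIR)/boot/initr*-$(shell uname --kernel-release); do \
-                test -w "$$initrd" && dracut --force "$$initrd"; \
-            done; \
-        fi
+                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)
+        update-initramfs -k all -u
 
 purge: purge-server purge-client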
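Review bot: The new `CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(SANITIZE) $(COVERAGE) \` line puts every `-fsanitize=` option the compiler accepts into the flags of all builds, so installed binaries would link the leak and undefined-behaviour sanitizer runtimes, not only debug builds. Those runtimes are diagnostic aids that read their options from the environment, which is an unwanted addition to programs that handle key material; whether any of them is installed set-uid cannot be seen from these hunks and should be checked. I would leave `$(SANITIZE)` out of the `CFLAGS+=` line and reference it only from the debug setting, as the removed side did with `#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)`. The `SANITIZE:=$(foreach …$(shell …))` probe also runs the compiler once per option every time the Makefile is parsed, including for `clean`, and deserves a comment saying so or a guard on the same debug switch.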