/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-keygen

  • Committer: Teddy Hogeborn
  • Date: 2019-02-11 06:14:29 UTC
  • Revision ID: teddy@recompile.se-20190211061429-n6n5zk29iatshlb3
Fix Debian package dependencies

* debian/control (Build-Depends): Changed GnuTLS dependencies to
                                  "libgnutls30 (>= 3.3.0),
                                  libgnutls28-dev (>= 3.6.6) |
                                  libgnutls28-dev (<< 3.6.0)".  (We
                                  can't depend on the virtual package
                                  "gnutls-dev", since we need the
                                  version restrictions.)
  (Package: mandos/Depends): Remove dependency on libgnutls28-dev
                             package.
  (Package: mandos/Suggests): New; set to "libc6-dev,
                              c-compiler". (Used to find value of
                              "SO_BINDTODEVICE").
  (Package: mandos-client/Depends): Don't depend on openssl anymore;
                                    instead depend on either a
                                    gnutls-bin (>= 3.6.6) (in which
                                    case TLS key generation will
                                    work), or on libgnutls30 (<<
                                    3.6.0) (in which case TLS key
                                    generation will not be needed).

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
3
3
# Mandos key generator - create new keys for a Mandos client
4
4
5
 
# Copyright © 2008-2018 Teddy Hogeborn
6
 
# Copyright © 2008-2018 Björn Påhlsson
 
5
# Copyright © 2008-2019 Teddy Hogeborn
 
6
# Copyright © 2008-2019 Björn Påhlsson
7
7
8
8
# This file is part of Mandos.
9
9
#
23
23
# Contact the authors at <mandos@recompile.se>.
24
24
25
25
 
26
 
VERSION="1.7.20"
 
26
VERSION="1.8.2"
27
27
 
28
28
KEYDIR="/etc/keys/mandos"
29
29
KEYTYPE=RSA
187
187
    
188
188
    # Create temporary gpg batch file
189
189
    BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
 
190
    TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"
190
191
fi
191
192
 
192
193
if [ "$mode" = password ]; then
201
202
trap "
202
203
set +e; \
203
204
test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \
 
205
test -n \"$TLS_PRIVKEYTMP\" && shred --remove \"$TLS_PRIVKEYTMP\"; \
204
206
shred --remove \"$RINGDIR\"/sec* 2>/dev/null;
205
207
test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \
206
208
rm --recursive --force \"$RINGDIR\";
241
243
        echo -n "Started: "
242
244
        date
243
245
    fi
244
 
    
245
 
    # Backup any old key files
246
 
    if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
247
 
        2>/dev/null; then
248
 
        shred --remove "$TLS_PRIVKEYFILE"
249
 
    fi
250
 
    if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
251
 
        2>/dev/null; then
252
 
        rm --force "$TLS_PUBKEYFILE"
253
 
    fi
254
 
 
255
 
    ## Generate TLS private key
256
 
 
257
 
    # First try certtool from GnuTLS
258
 
    if ! certtool --generate-privkey --password='' \
259
 
         --outfile "$TLS_PRIVKEYFILE" --sec-param ultra \
260
 
         --key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
261
 
        # Otherwise try OpenSSL
262
 
        if ! openssl genpkey -algorithm X25519 -out \
263
 
             /etc/keys/mandos/tls-privkey.pem; then
264
 
            rm --force /etc/keys/mandos/tls-privkey.pem
265
 
            # None of the commands succeded; give up
266
 
            return 1
 
246
 
 
247
    # Generate TLS private key
 
248
    if certtool --generate-privkey --password='' \
 
249
                --outfile "$TLS_PRIVKEYTMP" --sec-param ultra \
 
250
                --key-type="$TLS_KEYTYPE" --pkcs8 --no-text 2>/dev/null; then
 
251
        
 
252
        # Backup any old key files
 
253
        if cp --backup=numbered --force "$TLS_PRIVKEYFILE" "$TLS_PRIVKEYFILE" \
 
254
              2>/dev/null; then
 
255
            shred --remove "$TLS_PRIVKEYFILE" 2>/dev/null || :
267
256
        fi
268
 
    fi
269
 
 
270
 
    ## TLS public key
271
 
 
272
 
    # First try certtool from GnuTLS
273
 
    if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
274
 
         --outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
275
 
         2>/dev/null; then
276
 
        # Otherwise try OpenSSL
277
 
        if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
278
 
             -out "$TLS_PUBKEYFILE" -pubout; then
 
257
        if cp --backup=numbered --force "$TLS_PUBKEYFILE" "$TLS_PUBKEYFILE" \
 
258
              2>/dev/null; then
279
259
            rm --force "$TLS_PUBKEYFILE"
280
 
            # None of the commands succeded; give up
281
 
            return 1
 
260
        fi
 
261
        cp --archive "$TLS_PRIVKEYTMP" "$TLS_PRIVKEYFILE"
 
262
        shred --remove "$TLS_PRIVKEYTMP" 2>/dev/null || :
 
263
 
 
264
        ## TLS public key
 
265
 
 
266
        # First try certtool from GnuTLS
 
267
        if ! certtool --password='' --load-privkey="$TLS_PRIVKEYFILE" \
 
268
             --outfile="$TLS_PUBKEYFILE" --pubkey-info --no-text \
 
269
             2>/dev/null; then
 
270
            # Otherwise try OpenSSL
 
271
            if ! openssl pkey -in "$TLS_PRIVKEYFILE" \
 
272
                 -out "$TLS_PUBKEYFILE" -pubout; then
 
273
                rm --force "$TLS_PUBKEYFILE"
 
274
                # None of the commands succeded; give up
 
275
                return 1
 
276
            fi
282
277
        fi
283
278
    fi
284
279
    
301
296
    # Backup any old key files
302
297
    if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
303
298
        2>/dev/null; then
304
 
        shred --remove "$SECKEYFILE"
 
299
        shred --remove "$SECKEYFILE" 2>/dev/null || :
305
300
    fi
306
301
    if cp --backup=numbered --force "$PUBKEYFILE" "$PUBKEYFILE" \
307
302
        2>/dev/null; then
369
364
    
370
365
    test -n "$FINGERPRINT"
371
366
    
372
 
    KEY_ID="$(certtool --key-id --hash=sha256 \
 
367
    if [ -r "$TLS_PUBKEYFILE" ]; then
 
368
       KEY_ID="$(certtool --key-id --hash=sha256 \
373
369
                       --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
374
370
 
375
 
    if [ -z "$KEY_ID" ]; then
376
 
        KEY_ID=$(openssl pkey -pubin -in /tmp/tls-pubkey.pem \
377
 
                         -outform der \
378
 
                     | openssl sha256 \
379
 
                     | sed --expression='s/^.*[^[:xdigit:]]//')
 
371
       if [ -z "$KEY_ID" ]; then
 
372
           KEY_ID=$(openssl pkey -pubin -in "$TLS_PUBKEYFILE" \
 
373
                            -outform der \
 
374
                        | openssl sha256 \
 
375
                        | sed --expression='s/^.*[^[:xdigit:]]//')
 
376
       fi
 
377
       test -n "$KEY_ID"
380
378
    fi
381
 
    test -n "$KEY_ID"
382
379
    
383
380
    FILECOMMENT="Encrypted password for a Mandos client"
384
381
    
419
416
    cat <<-EOF
420
417
        [$KEYNAME]
421
418
        host = $KEYNAME
422
 
        key_id = $KEY_ID
 
419
        EOF
 
420
    if [ -n "$KEY_ID" ]; then
 
421
        echo "key_id = $KEY_ID"
 
422
    fi
 
423
    cat <<-EOF
423
424
        fingerprint = $FINGERPRINT
424
425
        secret =
425
426
        EOF
443
444
set +e
444
445
# Remove the password file, if any
445
446
if [ -n "$SECFILE" ]; then
446
 
    shred --remove "$SECFILE"
 
447
    shred --remove "$SECFILE" 2>/dev/null
447
448
fi
448
449
# Remove the key rings
449
450
shred --remove "$RINGDIR"/sec* 2>/dev/null