j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity

Explicitly mention that LibreSSL can be used as well.

Browse source 
# Conflicts:
#	doc/tinc.texi
#	m4/openssl.m4
This commit is contained in:
Guus Sliepen 2016-04-10 14:47:21 +02:00
parent d7f6737cfc
commit 5cbc12b3d4
3 changed files with 32 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

4
doc/tinc.conf.5.in
View file

@ -549,7 +549,7 @@ variables can be specified, in which case each address will be tried until a wor
connection has been established. connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish .It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets. The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised. Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying Furthermore, specifying
.Qq none .Qq none
will turn off packet encryption. will turn off packet encryption.
@ -566,7 +566,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo). 10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1 .It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets. The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised. Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying Furthermore, specifying
.Qq none .Qq none
will turn off packet authentication. will turn off packet authentication.

39
doc/tinc.texi
View file

@ -334,13 +334,13 @@ as explained in the rest of the documentation.
@cindex requirements @cindex requirements
@cindex libraries @cindex libraries
Before you can configure or build tinc, you need to have the OpenSSL, zlib, Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL, zlib,
lzo, curses and readline libraries installed on your system. If you try to lzo, curses and readline libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an error configure tinc without having them installed, configure will give you an error
message, and stop. message, and stop.
@menu @menu
* OpenSSL:: * LibreSSL/OpenSSL::
* zlib:: * zlib::
* lzo:: * lzo::
* libcurses:: * libcurses::
@ -349,12 +349,13 @@ message, and stop.
@c ================================================================== @c ==================================================================
@node OpenSSL @node LibreSSL/OpenSSL
@subsection OpenSSL @subsection LibreSSL/OpenSSL
@cindex LibreSSL
@cindex OpenSSL @cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the LibreSSL or the OpenSSL library.
If this library is not installed, you wil get an error when configuring If this library is not installed, you wil get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries tinc for build. Support for running tinc with other cryptographic libraries
@ -364,21 +365,23 @@ You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions available. Make sure you install the development AND runtime versions
of this package. of this package.
If you have to install OpenSSL manually, you can get the source code If your operating system comes neither with LibreSSL or OpenSSL, you have to
from @url{http://www.openssl.org/}. Instructions on how to configure, install one manually. It is recommended that you get the latest version of
build and install this package are included within the package. Please LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
make sure you build development and runtime libraries (which is the configure, build and install this package are included within the package.
Please make sure you build development and runtime libraries (which is the
default). default).
If you installed the OpenSSL libraries from source, it may be necessary If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the to let configure know where they are, by passing configure one of the
--with-openssl-* parameters. --with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
are using LibreSSL.
@example @example
--with-openssl=DIR OpenSSL library and headers prefix --with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory --with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include) (Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory --with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib) (Default is OPENSSL_DIR/lib)
@end example @end example
@ -1312,7 +1315,7 @@ tried until a working connection has been established.
@cindex Cipher @cindex Cipher
@item Cipher = <@var{cipher}> (blowfish) @item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol. The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
Any cipher supported by OpenSSL is recognized. Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption. Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode. It is best to use only those ciphers which support CBC mode.
This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR. This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
@ -1332,7 +1335,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
@cindex Digest @cindex Digest
@item Digest = <@var{digest}> (sha1) @item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets using the legacy protocol. The digest algorithm used to authenticate UDP packets using the legacy protocol.
Any digest supported by OpenSSL is recognized. Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication. Furthermore, specifying "none" will turn off packet authentication.
This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256. This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
@ -3174,7 +3177,7 @@ eavesdroppers cannot get and cannot change any information at all from the
packets they can intercept. The encryption algorithm and message authentication packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the authentication codes is also adjustable. The length of the key for the
encryption algorithm is always the default length used by OpenSSL. encryption algorithm is always the default length used by LibreSSL/OpenSSL.
The SPTPS protocol is described in @ref{Simple Peer-to-Peer Security}. The SPTPS protocol is described in @ref{Simple Peer-to-Peer Security}.
For comparison, this is how SPTPS UDP packets look: For comparison, this is how SPTPS UDP packets look:
@ -3201,7 +3204,7 @@ this cannot be changed.
In August 2000, we discovered the existence of a security hole in all versions In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys. uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc

18
m4/openssl.m4
View file

@ -1,4 +1,4 @@
dnl Check to find the OpenSSL headers/libraries dnl Check to find the LibreSSL/OpenSSL headers/libraries
AC_DEFUN([tinc_OPENSSL], AC_DEFUN([tinc_OPENSSL],
[ [
@ -10,47 +10,47 @@ AC_DEFUN([tinc_OPENSSL],
[], [],
[AC_CHECK_LIB(dl, dlopen, [AC_CHECK_LIB(dl, dlopen,
[LIBS="$LIBS -ldl"], [LIBS="$LIBS -ldl"],
[AC_MSG_ERROR([OpenSSL depends on libdl.]); break] [AC_MSG_ERROR([LibreSSL/OpenSSL depends on libdl.]); break]
)] )]
) )
;; ;;
esac esac
AC_ARG_WITH(openssl, AC_ARG_WITH(openssl,
AS_HELP_STRING([--with-openssl=DIR], [OpenSSL base directory, or:]), AS_HELP_STRING([--with-openssl=DIR], [LibreSSL/OpenSSL base directory, or:]),
[openssl="$withval" [openssl="$withval"
CPPFLAGS="$CPPFLAGS -I$withval/include" CPPFLAGS="$CPPFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"] LDFLAGS="$LDFLAGS -L$withval/lib"]
) )
AC_ARG_WITH(openssl-include, AC_ARG_WITH(openssl-include,
AS_HELP_STRING([--with-openssl-include=DIR], [OpenSSL headers directory (without trailing /openssl)]), AS_HELP_STRING([--with-openssl-include=DIR], [LibreSSL/OpenSSL headers directory (without trailing /openssl)]),
[openssl_include="$withval" [openssl_include="$withval"
CPPFLAGS="$CPPFLAGS -I$withval"] CPPFLAGS="$CPPFLAGS -I$withval"]
) )
AC_ARG_WITH(openssl-lib, AC_ARG_WITH(openssl-lib,
AS_HELP_STRING([--with-openssl-lib=DIR], [OpenSSL library directory]), AS_HELP_STRING([--with-openssl-lib=DIR], [LibreSSL/OpenSSL library directory]),
[openssl_lib="$withval" [openssl_lib="$withval"
LDFLAGS="$LDFLAGS -L$withval"] LDFLAGS="$LDFLAGS -L$withval"]
) )
AC_CHECK_HEADERS([openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h], AC_CHECK_HEADERS([openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h],
[], [],
[AC_MSG_ERROR([OpenSSL header files not found.]); break] [AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
) )
AC_CHECK_LIB(crypto, EVP_EncryptInit_ex, AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
[LIBS="-lcrypto $LIBS"], [LIBS="-lcrypto $LIBS"],
[AC_MSG_ERROR([OpenSSL libraries not found.])] [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
) )
AC_CHECK_FUNCS([RAND_status EVP_EncryptInit_ex], , AC_CHECK_FUNCS([RAND_status EVP_EncryptInit_ex], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
) )
AC_CHECK_DECLS([OpenSSL_add_all_algorithms], , AC_CHECK_DECLS([OpenSSL_add_all_algorithms], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>] [#include <openssl/evp.h>]
) )
]) ])