Updating HEAD branch #5; Last files from CABAL.

This commit is contained in:
Ivo Timmermans 2002-04-09 15:28:45 +00:00
parent 462ab530e5
commit af23dfa5ef
12 changed files with 1427 additions and 744 deletions

View file

@ -5,3 +5,9 @@ Ivo Timmermans <itimmermans@bigfoot.com>
These files are from other sources:
* lib/pidfile.h and lib/pidfile.c are by Martin Schulze, taken from
the syslog 1.3 sources.
Also some of the macro files in the directory m4, and their
accompanying files in lib, were taken from GNU fileutils.
Please see the file THANKS for more information on contributions from
users.
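Review bot: the provenance note for lib/pidfile.h and lib/pidfile.c and for the m4 macro files names where they came from (syslog 1.3, GNU fileutils) but not the license they were taken under or which fileutils version, so a reader of AUTHORS cannot confirm that the borrowed code is compatible with the rest of the tree. Suggest adding the license and the exact source version next to each entry, for example "taken from GNU fileutils <version> (license: <name>)".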

View file

@ -2,25 +2,23 @@
AUTOMAKE_OPTIONS = gnu
SUBDIRS = m4 intl lib src doc po redhat debian
SUBDIRS = m4 intl lib src doc po
ACLOCAL_AMFLAGS =
EXTRA_DIST = system.h ABOUT-NLS
EXTRA_DIST = system.h COPYING.README depcomp
CVS_CREATED = configure aclocal.m4 config.h.in config.guess \
CVS_CREATED = ABOUT-NLS configure aclocal.m4 config.h.in config.guess \
config.sub install-sh ltconfig ltmain.sh missing mkinstalldirs \
stamp-h.in m4/Makefile.am ChangeLog
stamp-h.in m4/Makefile.am ChangeLog po/Makefile.in.in \
po/tinc.pot src/.libs intl depcomp
ChangeLog:
rm -f ChangeLog
rcs2log -u "zarq Ivo Timmermans itimmermans@bigfoot.com" \
-u "guus Guus Sliepen guus@sliepen.warande.net" | \
sed -e 's,/home/CVS/tinc/,,g' > $@
cvs2cl -U cvsusers --fsf
cvs-clean: maintainer-clean
for f in $(CVS_CREATED) `find -name Makefile.in` ; do\
rm -f "$$f"; \
for f in $(CVS_CREATED) `find . -name Makefile.in` tinc-$(VERSION).tar.gz; do\
rm -Rf "$$f"; \
done
deb:
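Review bot: in the cvs-clean loop 'rm -f "$$f"' becomes 'rm -Rf "$$f"' at the same time as CVS_CREATED gains the directories 'intl' and 'src/.libs', so the target now deletes directories recursively as well as files, and the unquoted backtick substitution 'find . -name Makefile.in' word-splits any path containing whitespace. Suggest keeping 'rm -f' for the file entries and listing the directories in a separate, explicit 'rm -rf' command so the destructive step is visible, and replacing the backtick loop for Makefile.in with 'find . -name Makefile.in -exec rm -f {} +'.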
@ -29,5 +27,11 @@ deb:
rpm: dist
cp $(distdir).tar.gz /usr/src/redhat/SOURCES/
cp redhat/tinc.spec /usr/src/redhat/SOURCES/
cd /usr/src/redhat/SOURCES/
rpm -bi tinc.spec
cd /usr/src/redhat/SOURCES/ && rpm -bb tinc.spec
release:
rm -f ChangeLog
$(MAKE) ChangeLog
echo "Please edit the NEWS file now..."
/usr/bin/editor NEWS
$(MAKE) dist
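Review bot: the release target runs '/usr/bin/editor NEWS', an absolute path that exists only on Debian-derived systems, and it blocks waiting for a terminal when 'make release' is run non-interactively; suggest '$${EDITOR:-editor} NEWS' or dropping the interactive step and requiring NEWS to be edited before the target is invoked. The change to 'cd /usr/src/redhat/SOURCES/ && rpm -bb tinc.spec' is correct: with 'cd' and 'rpm' on separate recipe lines each line ran in its own shell, so rpm never executed in that directory.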

NEWS
View file

@ -1,6 +1,152 @@
version 1.0pre7 Apr 7 2002
* Don't do blocking read()s when getting a signal.
* Remove RSA key checking code, since it sometimes thinks perfectly good RSA
keys are bad.
* Fix handling of subnets when prefixlength isn't divisible by 8.
version 1.0pre6 Mar 27 2002
* Improvement of redundant links:
* Non-blocking connects.
* Protocol broadcast messages can no longer go into an infinite loop.
* Graph algorithm updated to look harder for direct connections.
* Good support for routing IPv6 packets over the VPN. Works on Linux,
FreeBSD, possibly OpenBSD but not on Solaris.
* Support for tunnels over IPv6 networks. Works on all supported
operating systems.
* Optional compression of UDP connections using zlib.
* Optionally let UDP connections inherit TOS field of tunneled packets.
* Optionally start scripts when certain hosts become (un)reachable.
version 1.0pre5 Feb 9 2002
* Security enhancements:
* Added sequence number and optional message authentication code to
the packets.
* Configurable encryption cipher and digest algorithms.
* More robust handling of dis- and reconnects.
* Added a "switch" and a "hub" mode to allow bridging setups.
* Preliminary support for routing of IPv6 packets.
* Supports Linux, FreeBSD, OpenBSD and Solaris.
It looks like this might be the last release before 1.0.
version 1.0pre4 Jan 17 2001
* Updated documentation; the documentation now reflects the
configuration as it is.
* Some internal changes to make tinc scale better for large
networks, such as using AVL trees instead of linked lists for the
connection list.
* RSA keys can be stored in separate files if needed. See the
documentation for more information.
* tinc has now been reported to run on Linux PowerPC and FreeBSD x86.
version 1.0pre3 Oct 31 2000
* The protocol has been redesigned, and although some details are
still under discussion, this is secure. Care has been taken to
resist most, if not all, attacks.
* Unfortunately this protocol is not compatible with earlier versions,
nor are earlier versions compatible with this version. Because the
older protocol has huge security flaws, we feel that not
implementing backwards compatibility is justified.
* Some data about the protocol:
* It uses public/private RSA keys for authentication (this is the
actual fix for the security hole).
* All cryptographic functions have been taken out of tinc, instead
it uses the OpenSSL library functions.
* Offers support for multiple subnets per tinc daemon.
* New is also the support for the universal tun/tap device. This
means better portability to FreeBSD and Solaris.
* tinc is tested to compile on Solaris, Linux x86, Linux alpha.
* tinc now uses the OpenSSL library for cryptographic operations.
More information on getting and installing OpenSSL is in the manual.
This also means that the GMP library is no longer required.
* Further, thanks to Enrique Zanardi, we have Spanish messages; Matias
Carrasco provided us with a Spanish translation of the manual.
What still needs to be done before 1.0:
* Documentation. Especially since the protocol has changed, and a lot
of configuration directives have been added.
version 1.0pre2 May 31 2000
* Internationalized, Dutch translation available
* Many sanity checks on the meta protocol added
* This version has been internationalized; and a Dutch translation has
been included.
* Two configuration variables have been added:
* VpnMask - the IP network mask for the entire VPN, not just our
subnet (as given by MyVirtualIP). The Redhat and Debian packages
use this variable in their system startup scripts, but it is
ignored by tinc.
* Hostnames - if set to `yes', look up the names of IP addresses
trying to connect to us. Default set to `no', to prevent lockups
during lookups.
* The system startup scripts for Debian and Redhat use
/etc/tinc/nets.boot to find out which networks need to be started
during system boot.
* Fixes to prevent denial of service attacks by sending random data
after connecting (and even when the connection has been established),
either random garbage or just nonsensical protocol fields.
* tinc will retry to connect upon startup, does not quit if it doesn't
work the first time.
* Hosts that are disconnected implicitly if we lose a connection get
deleted from the internal list, to prevent hogging eachother with
add and delete requests when the connection is restored.
What still needs to be done before 1.0:
* Documentation.
* Failover ConnectTo lines, try another one if the first doesn't work.
version 1.0pre1 May 12 2000
* New meta-protocol
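Review bot: the 1.0pre7 entry "Remove RSA key checking code, since it sometimes thinks perfectly good RSA keys are bad" removes a validation step without saying what still rejects malformed or undersized keys, so a reader will assume key files are now loaded unchecked. Suggest stating which checks remain (for example the library's own key parsing and a minimum key size) or narrowing the check to the case that produced the false rejections rather than deleting it, and recording that reasoning in the entry.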

README
View file

@ -1,9 +1,13 @@
This is the README file for tinc version 1.0.
Installation instructions may be found in the INSTALL file.
This is the README file for tinc version 1.0pre7. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998,1999,2000 Ivo Timmermans
<itimmermans@bigfoot.com>, Guus Sliepen <guus@sliepen.warande.net> and
others. For a complete list of authors see the AUTHORS file.
tinc is Copyright (C) 1998-2002 by:
Ivo Timmermans <itimmermans@bigfoot.com>,
Guus Sliepen <guus@sliepen.warande.net>,
and others.
For a complete list of authors see the AUTHORS file.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -11,6 +15,36 @@ the Free Software Foundation; either version 2 of the License, or (at
your option) any later version. See the file COPYING for more details.
Security statement
------------------
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
1.0pre4. Due to a lack of sequence numbers and a message authentication code
for each packet, an attacker could possibly disrupt certain network services or
launch a denial of service attack by replaying intercepted packets. The current
version adds sequence numbers and message authentication codes to prevent such
attacks.
Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
prove the security of any cryptographic product. If you wish to review
tinc or give us feedback, you are stronly encouraged to do so.
Changes to configuration file format since 1.0pre5
--------------------------------------------------
Some configuration variables have different names now. Most notably "TapDevice"
should be changed into "Device", and "Device" should be changed into
"BindToDevice".
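Review bot: "The current version adds sequence numbers and message authentication codes to prevent such attacks" reads as unconditional, while the 1.0pre5 entry in NEWS in this same commit describes the message authentication code as optional. If the MAC can be switched off in the configuration, the security statement should say so and name the default, because a sequence number alone does not stop a forged packet from advancing the window. Typo in the same hunk: "stronly encouraged" should be "strongly encouraged".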
Requirements
------------
@ -21,6 +55,14 @@ this library is not installed on you system, configure will fail. The
manual in doc/tinc.texi contains more detailed information on how to
install this library.
Since 1.0pre6, the zlib library is used for optional compression. You need this
library whether or not you plan to enable the compression. You can find it at
http://www.gzip.org/zlib/. Because of a possible exploit in earlier versions we
recommand that you download version 1.1.4 or later.
In order to compile tinc, you will also need autoconf, automake, GNU make, m4
and gettext.
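Review bot: "we recommand that you download version 1.1.4 or later" because of "a possible exploit in earlier versions" states a minimum safe zlib version in prose only; configure.in in this commit delegates the zlib check to the tinc_ZLIB macro, so the version floor belongs there (fail, or at least warn, when the detected zlib is older than 1.1.4) rather than relying on the reader following the README. Typo: "recommand" should be "recommend".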
Features
--------
@ -30,18 +72,46 @@ use this feature, you may supply a netname via the -n or --net
options. The standard locations for the config files will then be
/etc/tinc/<net>/. Because of this feature, tinc will send packets
directly to their destinations, instead of to the uplink. If this
behaviour is undesirable (for instance because of firewalls or
other restrictions), please use an older version of tinc (I would
recommend tinc-0.2.19).
behaviour is undesirable (for instance because of firewalls or other
restrictions), please use an older version of tinc (I would recommend
tinc-0.2.19).
In this version, MAC addresses are stripped off before encoding and
sending a packet. When the packet reaches its destination, the MAC
addresses are rebuilt again. They then have the form
FE:FD:aa:bb:cc:dd. aa, bb, cc and dd are taken from the destination
and source IP address. See the manual for more detailed information.
In order to force the kernel to accept received packets, the
destination MAC address will be set to FE:FD:00:00:00:00 upon
reception. The MAC address of the ethertap or tun/tap interface must
also be set to this address. See the manual for more detailed
information.
tincd regenerates its encryption key pairs. It does this on the first
activity after the keys have expired. This period is adjustable in the
configuration file, and the default time is 3600 seconds (one
hour). If you send a USR2 signal to the daemon, it'll regenerate
immediately.
configuration file, and the default time is 3600 seconds (one hour).
This version supports multiple subnets at once. They are also sorted
on subnet mask size. This means that it is possible to have
overlapping subnets on the VPN, as long as their subnet mask sizes
differ.
Since pre5, tinc can operate in several routing modes. The default mode,
"router", works exactly like the older version, and uses Subnet lines to
determine the destination of packets. The other two modes, "switch" and "hub",
allow the tinc daemons to work together like a single network switch or hub.
This is useful for bridging networks. The latter modes only work properly on
Linux and FreeBSD.
The algorithms used for encryption and generating message authentication codes
can now be changed in the configuration files. All cipher and digest algorithms
supported by OpenSSL can be used. Useful ciphers are "blowfish" (default),
"bf-ofb", "des", "des3", etcetera. Useful digests are "sha1" (default), "md5",
etcetera.
Support for routing IPv6 packets has been added. Just add Subnet lines with
IPv6 addresses (without using :: abbreviations) and use ifconfig or ip (from
the iproute package) to give the virtual network interface corresponding IPv6
addresses. Autoconfiguration will not work in router mode. Tunneling IPv6
packets only works on Linux, FreeBSD and possibly OpenBSD.
It is also possible to make tunnels to other tinc daemons over IPv6 networks.
In order to enable this feature the option "AddressFamily = any" or
"AddressFamily = ipv6" must be added to the tinc.conf file. The host
configuration files should contain IPv6 addresses for the "Address" variables,
or hostnames which have an AAAA or A6 record.
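Review bot: "Useful ciphers are "blowfish" (default), "bf-ofb", "des", "des3", etcetera" lists single-key DES next to blowfish and des3 without any note that its 56-bit key makes it a weak choice, and "md5" next to the sha1 default deserves a similar caveat. Suggest listing only the recommended algorithms and saying that the other OpenSSL names are accepted for compatibility. Separately, the sentence "If you send a USR2 signal to the daemon, it'll regenerate immediately" is dropped from the key regeneration paragraph without a matching NEWS entry; if the signal no longer does this, NEWS should say so.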

THANKS
View file

@ -1,4 +1,4 @@
I would like to thank
We would like to thank
* Hans Bayle (for making some useful coding suggestions and fixing a
bug or two)
@ -14,7 +14,12 @@ I would like to thank
* Cris van Pelt (small fixes)
* Enrique Zanardi (for the Spanish translation)
* Matias Carrasco (for the Spanish translation of the manual)
* Jamie Briggs (for finding a lot of socket leaks)
* Armijn Hemel (for being our very own PR manager)
* Jerome Etienne (for a thorough security analysis of tinc)
* Mark Glines (for his compression patch)
for their help, support and ideas. Thank you guys!
And especially Guus Sliepen, for starting this whole project...
Ivo Timmermans
Guus Sliepen

TODO
View file

@ -1,9 +1,5 @@
Things left to do to make cabal superstable:
--------------------------------------------
* Check for connection loops. Inter-daemon
connections should always satisfy the
tree property.
* Redundancy: multiple ConnectTo lines, if
one fails others might be tried.
* Allow connects to hosts that use
nodirectdata.
TODO LIST
1.0:
* A nice, secure and stable release

View file

@ -4,7 +4,12 @@
DIE=0
srcdir="`pwd`"
if ${MAKE:-gmake} -q -C . autogen.sh 2> /dev/null
then
alias make=${MAKE:-gmake}
fi
srcdir="`/bin/pwd`"
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
echo
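Review bot: 'alias make=${MAKE:-gmake}' inside the new 'if ${MAKE:-gmake} -q -C . autogen.sh' block will not affect the later make invocations in this script: bash ignores aliases in non-interactive shells unless expand_aliases is set, and an alias is never visible to any subprocess. Suggest assigning a variable ('MAKE=${MAKE:-gmake}' and then invoking "$MAKE") or defining a shell function 'make() { ${MAKE:-gmake} "$@"; }'. The probe itself, which relies on GNU make accepting '-q -C .', is a reasonable way to detect GNU make.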

View file

@ -1,9 +1,9 @@
dnl Process this file with autoconf to produce a configure script.
dnl $Id: configure.in,v 1.16 2000/10/19 20:39:04 zarq Exp $
dnl $Id: configure.in,v 1.17 2002/04/09 15:28:45 zarq Exp $
AC_INIT(src/tincd.c)
AM_INIT_AUTOMAKE(tinc, 1.0pre3)
AM_INIT_AUTOMAKE(tinc, 1.0-cvs)
AM_CONFIG_HEADER(config.h)
dnl Include the macros from the m4/ directory
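Review bot: 'AM_INIT_AUTOMAKE(tinc, 1.0-cvs)' sets the package version to 1.0-cvs while the README in this same commit announces "tinc version 1.0pre7", so a tarball built from this tree ('tinc-$(VERSION).tar.gz' in the top-level Makefile.am) is labelled differently from its documentation. Either make the two agree or derive the README version string from the configure value.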
@ -14,7 +14,7 @@ AM_ACLOCAL_INCLUDE(m4)
# in the latter don't make it into the configure-time tests.
AC_DEFINE([_GNU_SOURCE], [__USE_BSD])
ALL_LINGUAS="es nl"
ALL_LINGUAS="nl"
dnl Checks for programs.
AC_PROG_CC
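Review bot: 'ALL_LINGUAS="nl"' drops the Spanish message catalogue, but the AC_OUTPUT list later in this file still generates doc/es/Makefile. If the Spanish translation is being removed because it is unmaintained, remove doc/es/Makefile from AC_OUTPUT as well and mention the removal in NEWS; otherwise restore "es" here.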
@ -25,15 +25,45 @@ AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MAKE_SET
jm_PERL
AM_PROG_LIBTOOL
AC_ISC_POSIX
dnl Check and set OS
AC_CANONICAL_HOST
case $host_os in
*linux*)
AC_DEFINE(HAVE_LINUX)
[ rm -f src/device.c; ln -sf linux/device.c src/device.c ]
;;
*freebsd*)
AC_DEFINE(HAVE_FREEBSD)
[ rm -f src/device.c; ln -sf freebsd/device.c src/device.c ]
;;
*solaris*)
AC_DEFINE(HAVE_SOLARIS)
[ rm -f src/device.c; ln -sf solaris/device.c src/device.c ]
;;
*openbsd*)
AC_DEFINE(HAVE_OPENBSD)
[ rm -f src/device.c; ln -sf openbsd/device.c src/device.c ]
;;
*netbsd*)
AC_DEFINE(HAVE_NETBSD)
[ rm -f src/device.c; ln -sf netbsd/device.c src/device.c ]
;;
esac
AC_CACHE_SAVE
dnl Checks for libraries.
dnl Checks for header files.
AC_HEADER_STDC
AC_CHECK_HEADERS(fcntl.h limits.h sys/ioctl.h syslog.h unistd.h sys/time.h linux/if_tun.h)
AC_CHECK_HEADERS([fcntl.h limits.h sys/ioctl.h syslog.h unistd.h \
sys/time.h malloc.h strings.h sys/file.h])
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
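Review bot: the 'case $host_os' block has no default branch, so on a host that matches none of the five patterns configure finishes without creating src/device.c and the failure only surfaces at compile or link time; add '*) AC_MSG_ERROR([unsupported operating system: $host_os]) ;;'. The 'rm -f src/device.c; ln -sf linux/device.c src/device.c' actions also write into the source tree at configure time, which breaks builds from a separate build directory or a read-only checkout; AC_CONFIG_LINKS(src/device.c:src/linux/device.c) per case, or selecting the file in src/Makefile.am through an AM_CONDITIONAL, keeps srcdir untouched and removes the need for the dist-hook that deletes symlinks.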
@ -46,12 +76,14 @@ dnl Checks for library functions.
AC_FUNC_MEMCMP
AC_FUNC_ALLOCA
AC_TYPE_SIGNAL
AC_CHECK_FUNCS(ftime socket select strtol strerror)
AC_CHECK_FUNCS([ftime socket select strtol strerror flock unsetenv \
asprintf putenv strdup fcloseall daemon strsignal get_current_dir_name])
jm_FUNC_MALLOC
jm_FUNC_REALLOC
AM_GNU_GETTEXT
dnl Support for SunOS
AC_CHECK_FUNC(socket, [], [
@ -61,39 +93,33 @@ AC_CHECK_FUNC(gethostbyname, [], [
AC_CHECK_LIB(nsl, gethostbyname)
])
AC_CACHE_SAVE
dnl From the autoconf manual
AC_CHECK_FUNCS(syslog)
if test $ac_cv_func_syslog = no; then
# syslog is not in the default libraries. See if it's in some other.
for lib in bsd socket inet; do
AC_CHECK_LIB($lib, syslog, [AC_DEFINE(HAVE_SYSLOG)
LIBS="$LIBS $lib"; break])
done
fi
AC_CHECK_LIB(dl, dlopen, [
LIBS="$LIBS -ldl"
])
dnl Crypto stuff
libcrypto=none
AC_CHECK_LIB(crypto, SHA1_version, [
libcrypto=yes
])
if test $libcrypto = none; then
AC_MSG_ERROR(It seems like OpenSSL is not installed on this system.)
else
LIBS="$LIBS -lcrypto"
fi
dnl Check for TUN/TAP support in the kernel
dnl These are defined in files in m4/
tinc_TUNTAP
tinc_OPENSSL
tinc_ZLIB
AC_OUTPUT([Makefile src/Makefile
doc/Makefile doc/es/Makefile intl/Makefile lib/Makefile
m4/Makefile po/Makefile.in redhat/Makefile debian/Makefile])
dnl Check if support for jumbograms is requested
AC_ARG_ENABLE(jumbograms,
[ --enable-jumbograms enable support for jumbograms (packets up to 9000 bytes)],
[ AC_DEFINE(ENABLE_JUMBOGRAMS) ]
)
dnl Check if checkpoint tracing has to be enabled
AC_ARG_ENABLE(tracing,
[ --enable-tracing enable checkpoint tracing (debugging only)],
[ AC_DEFINE(ENABLE_TRACING) ]
)
AC_SUBST(INCLUDES)
AC_OUTPUT(Makefile
src/Makefile
doc/Makefile
doc/es/Makefile
intl/Makefile
lib/Makefile
m4/Makefile
po/Makefile.in
)
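Review bot: the removed inline check aborted configure with 'AC_MSG_ERROR(It seems like OpenSSL is not installed on this system.)' when libcrypto was missing; the replacement macros tinc_TUNTAP, tinc_OPENSSL and tinc_ZLIB live in m4/ and are not part of this diff, so the reviewer cannot see whether they keep that hard failure, and the 'AC_CHECK_LIB(dl, dlopen, ...)' check disappears with no replacement. Please confirm the macros abort when a library is absent and that the crypto and zlib checks verify usable headers as well as the library. The new '--enable-jumbograms' option changes the maximum packet size to 9000 bytes at compile time; that deserves a line in README next to the other build requirements.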

View file

@ -1,16 +1,15 @@
## Process this file with automake to produce Makefile.in
# $Id: Makefile.am,v 1.4 2000/10/20 16:42:22 zarq Exp $
# $Id: Makefile.am,v 1.5 2002/04/09 15:28:45 zarq Exp $
noinst_LIBRARIES = libvpn.a
INCLUDES = -I. -I$(top_builddir) -I$(top_srcdir)/intl
INCLUDES = @INCLUDES@ -I. -I$(top_builddir) -I$(top_srcdir)/intl
libvpn_a_SOURCES = xmalloc.c pidfile.c utils.c getopt.c getopt1.c \
list.c error.c
libvpn_a_SOURCES = xmalloc.c pidfile.c utils.c getopt.c getopt1.c list.c avl_tree.c dropin.c
libvpn_a_LIBADD = @LIBOBJS@ @ALLOCA@
libvpn_a_DEPENDENCIES = $(libvpn_a_LIBADD)
noinst_HEADERS = xalloc.h pidfile.h utils.h getopt.h list.h error.h
noinst_HEADERS = xalloc.h pidfile.h utils.h getopt.h list.h avl_tree.h dropin.h
EXTRA_DIST = README
EXTRA_DIST = README
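Review bot: dropin.c is added to libvpn_a_SOURCES unconditionally while configure.in in this commit tests for flock, unsetenv, asprintf, daemon, strsignal and the other functions it presumably replaces; this only works if every replacement in dropin.c is guarded by the matching HAVE_* macro from config.h, otherwise the library will define symbols that clash with libc on systems that already provide them. Please confirm the guards are present.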

View file

@ -6,10 +6,28 @@
lib/pidfile.c
lib/utils.c
src/conf.c
src/genauth.c
src/connection.c
src/meta.c
src/net.c
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/protocol.c
src/protocol_auth.c
src/protocol_edge.c
src/protocol_key.c
src/protocol_misc.c
src/protocol_subnet.c
src/subnet.c
src/tincd.c
src/process.c
src/route.c
src/node.c
src/edge.c
src/graph.c
src/linux/device.c
src/freebsd/device.c
src/solaris/device.c
src/netbsd/device.c
src/openbsd/device.c

po/nl.po

File diff suppressed because it is too large

View file

@ -1,22 +1,31 @@
## Produce this file with automake to get Makefile.in
# $Id: Makefile.am,v 1.5 2000/10/18 20:12:08 zarq Exp $
# $Id: Makefile.am,v 1.6 2002/04/09 15:28:45 zarq Exp $
sbin_PROGRAMS = tincd genauth
sbin_PROGRAMS = tincd
genauth_SOURCES = genauth.c
tincd_SOURCES = conf.c connlist.c meta.c net.c netutl.c protocol.c subnet.c tincd.c
EXTRA_DIST = linux/device.c freebsd/device.c openbsd/device.c solaris/device.c
INCLUDES = -I$(top_builddir) -I$(top_srcdir)/cipher -I$(top_srcdir)/lib -I$(top_srcdir)/intl
tincd_SOURCES = conf.c connection.c device.c edge.c event.c graph.c meta.c net.c net_packet.c net_setup.c \
net_socket.c netutl.c node.c process.c protocol.c protocol_auth.c protocol_edge.c protocol_misc.c \
protocol_key.c protocol_subnet.c route.c subnet.c tincd.c
noinst_HEADERS = conf.h connlist.h meta.h net.h netutl.h protocol.h subnet.h
INCLUDES = @INCLUDES@ -I$(top_builddir) -I$(top_srcdir)/lib -I$(top_srcdir)/intl
noinst_HEADERS = conf.h connection.h device.h edge.h event.h graph.h meta.h net.h netutl.h node.h process.h \
protocol.h route.h subnet.h
LIBS = @LIBS@ @INTLLIBS@
tincd_LDADD = \
$(top_builddir)/lib/libvpn.a
genauth_LDADD = $(top_builddir)/lib/libvpn.a
localedir = $(datadir)/locale
CFLAGS = @CFLAGS@ -DPKGLIBDIR=$(pkglibdir) -DCONFDIR=\"@sysconfdir@\" -DLOCALEDIR=\"$(localedir)\"
CFLAGS = @CFLAGS@ -DPKGLIBDIR=$(pkglibdir) -DCONFDIR=\"$(sysconfdir)\" \
-DLOCALEDIR=\"$(localedir)\" -DLOCALSTATEDIR=\"$(localstatedir)\"
dist-hook:
rm -f `find . -type l`
lint: $(tincd_SOURCES)
lclint -nullassign -nullret +trytorecover +posixlib -skipansiheaders -skipposixheaders +gnuextensions -I/usr/include -I/usr/lib/gcc-lib/i386-linux/2.95.2/include -I. -I/home/zarq/p/tinc/cvs/cabal/src -I.. -I.. -I/home/zarq/p/tinc/cvs/cabal/lib -I/home/zarq/p/tinc/cvs/cabal/intl -D_POSIX_SOURCE -D__ELF__ -Dunix -D__i386__ -Dlinux -DHAVE_CONFIG_H -DPKGLIBDIR=/usr/local/lib/tinc -DCONFDIR=\"/usr/local/etc\" -DLOCALEDIR=\"/usr/local/share/locale\" $^
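Review bot: 'CFLAGS = @CFLAGS@ -DPKGLIBDIR=$(pkglibdir) -DCONFDIR=\"$(sysconfdir)\" ...' assigns CFLAGS in the Makefile, so a user running 'make CFLAGS=...' silently loses all of the -D definitions; automake's AM_CFLAGS (or putting the definitions in INCLUDES or DEFS) is the idiomatic place. Within that line '-DPKGLIBDIR=$(pkglibdir)' is the only definition not wrapped in escaped quotes, so it expands to a bare path token rather than a C string literal, unlike CONFDIR, LOCALEDIR and LOCALSTATEDIR; quote it the same way. The lint target hardcodes '/home/zarq/p/tinc/cvs/cabal/...' and a specific gcc-lib include directory, so it works on one developer's machine only; use $(top_srcdir) and the configured INCLUDES instead.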