From 1077a20a8c25f508ffd75b8883d7a91507a8e30a Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Mon, 26 Aug 2019 13:44:47 +0200 Subject: [PATCH] Import Upstream version 1.0.29 --- ChangeLog | 68 +++++++----- Makefile.in | 5 +- NEWS | 10 ++ README | 4 +- aclocal.m4 | 3 + config.guess | 111 ++++++++++--------- config.h.in | 16 ++- config.sub | 20 ++-- configure | 124 +++++++++++++++++---- configure.ac | 4 +- distro/Makefile.in | 5 +- doc/Makefile.in | 5 +- doc/tinc.conf.5.in | 6 +- doc/tinc.info | 231 +++++++++++++++++++-------------------- doc/tinc.texi | 86 +++++++-------- doc/tincd.8.in | 2 +- m4/Makefile.in | 5 +- m4/ax_append_flag.m4 | 69 ++++++++++++ m4/ax_cflags_warn_all.m4 | 122 +++++++++++++++++++++ m4/ax_require_defined.m4 | 37 +++++++ m4/openssl.m4 | 22 ++-- src/Makefile.in | 5 +- src/avl_tree.c | 2 +- src/avl_tree.h | 2 +- src/bsd/device.c | 11 +- src/dropin.c | 3 +- src/logger.c | 3 +- src/net.c | 4 +- src/net_packet.c | 22 ++-- src/net_setup.c | 48 ++++++-- src/netutl.c | 21 +++- src/netutl.h | 3 +- src/node.c | 16 +-- src/node.h | 6 +- src/protocol.c | 7 +- src/protocol_auth.c | 80 ++++++++------ src/protocol_key.c | 12 +- src/tincd.c | 39 ++++++- src/xmalloc.c | 1 + 39 files changed, 865 insertions(+), 375 deletions(-) create mode 100644 m4/ax_append_flag.m4 create mode 100644 m4/ax_cflags_warn_all.m4 create mode 100644 m4/ax_require_defined.m4 diff --git a/ChangeLog b/ChangeLog index 3a9889f..746db24 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,11 +1,30 @@ +Version 1.0.29 October 09 2016 +------------------------------------------------------------------------ + +Guus Sliepen (11): + Preserve IPv6 scope_id in edges. + Ensure compatibility with OpenSSL 1.1.0. + Add -Wall to CFLAGS. + Check return value of RSA_generate_key_ex(). + Force nul-termination of strings after vsnprintf(). + Log warnings about dropped packets only with debug level 5 or higher. + Add a copy of ax_append_flag.m4. + Add ax_require_defined.m4. + Fix possibly unitialized variable. + Fix compiler warnings about format string errors on BSD. + Releasing 1.0.29. + Version 1.0.28 April 10 2016 ------------------------------------------------------------------------ -Guus Sliepen (5): +Guus Sliepen (8): Fix compiling bsd/device.c on systems without utun. Really remove use of __DATE__ and __TIME__ to facilitate reproducible builds. Add systemd service files. Update .gitignore. + Ensure the service files are in the tarball. + Explicitly mention that LibreSSL can be used as well. + Update links in the documentation. Releasing 1.0.28. Version 1.0.27 April 10 2016 
@@ -118,7 +137,20 @@ VittGam (1): Version 1.0.24 May 11 2014 ------------------------------------------------------------------------ -Guus Sliepen (13): +Guus Sliepen (26): + Mention in the manual that multiple Address staments are allowed. + If no Port is specified, set myport to actual port of first listening socket. + Enable compiler hardening flags by default. + Update support for Solaris. + Include for PATH_MAX. + Stricter check for raw socket support. + Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris. + Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16. + Don't enable -fstack-protector-all. + Remove or lower the priority of some debug messages. + Clarify StrictSubnets. + Attribution for various contributors. + Handle errors from TAP-Win32/64 adapter in a better way. Remove useless variable 'hard' from try_harder(). Merge pull request #14 from luckyhacky/master Add an autoconf check for res_init(). 
@@ -138,40 +170,22 @@ Steffan Karger (3): Use cryptographically strong random when generating keys. Check RAND_bytes() return value, fail when getting random fails. +Florent Clairambault (2): + Adding "conf.d" configuration dir support. + Adding some documentation around the /etc/tinc/$NET/conf.d directory. + Armin Fisslthaler (1): reload /etc/resolv.conf in SIGALRM handler Loic Dachary (1): fix documentation typo -luckyhacky (1): - update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl - -refs/tags/1.0.23-android-1 March 11 2014 ------------------------------------------------------------------------- - -Guus Sliepen (13): - Mention in the manual that multiple Address staments are allowed. - If no Port is specified, set myport to actual port of first listening socket. - Enable compiler hardening flags by default. - Update support for Solaris. - Include for PATH_MAX. - Stricter check for raw socket support. - Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris. - Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16. - Don't enable -fstack-protector-all. - Remove or lower the priority of some debug messages. - Clarify StrictSubnets. - Attribution for various contributors. - Handle errors from TAP-Win32/64 adapter in a better way. - -Florent Clairambault (2): - Adding "conf.d" configuration dir support. - Adding some documentation around the /etc/tinc/$NET/conf.d directory. - Vilbrekin (1): Update android build instructions. Disable PIE as this is not supported on some devices. +luckyhacky (1): + update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl + Version 1.0.23 October 19 2013 ------------------------------------------------------------------------ diff --git a/Makefile.in b/Makefile.in index 667c6c4..a421b51 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -90,8 +90,11 @@ host_triplet = @host@ subdir = . ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_cflags_warn_all.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \ - $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ diff --git a/NEWS b/NEWS index dab9631..73a4a62 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +Version 1.0.29 October 9 2016 + + * Fix UDP communication with peers with link-local IPv6 addresses. + + * Ensure compatibility with OpenSSL 1.1.0. + + * Ensure autoreconf can be run without requiring autoconf-archive. + + * Log warnings about dropped packets only at debug level 5. + Version 1.0.28 April 10 2016 * Fix compilation on BSD platforms. diff --git a/README b/README index 2e094c1..e0e5817 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -This is the README file for tinc version 1.0.28. Installation +This is the README file for tinc version 1.0.29. Installation instructions may be found in the INSTALL file. tinc is Copyright (C) 1998-2016 by: @@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into Compatibility ------------- -Version 1.0.28 is compatible with 1.0pre8, 1.0 and later, but not with older +Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older versions of tinc. diff --git a/aclocal.m4 b/aclocal.m4 index 00e29e2..a7af1d9 100644 --- a/aclocal.m4 +++ b/aclocal.m4 
@@ -1463,8 +1463,11 @@ AC_SUBST([am__untar]) ]) # _AM_PROG_TAR m4_include([m4/attribute.m4]) +m4_include([m4/ax_append_flag.m4]) +m4_include([m4/ax_cflags_warn_all.m4]) m4_include([m4/ax_check_compile_flag.m4]) m4_include([m4/ax_check_link_flag.m4]) +m4_include([m4/ax_require_defined.m4]) m4_include([m4/lzo.m4]) m4_include([m4/openssl.m4]) m4_include([m4/zlib.m4]) diff --git a/config.guess b/config.guess index 1659250..0967f2a 100755 --- a/config.guess +++ b/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-08-20' +timestamp='2016-04-02' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ timestamp='2015-08-20' # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -237,6 +237,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; 
@@ -268,42 +272,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 
@@ -376,16 +380,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -410,7 +414,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -635,13 +639,13 @@ EOF sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi 
@@ -680,11 +684,11 @@ EOF exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build @@ -697,12 +701,12 @@ EOF # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -807,14 +811,14 @@ EOF echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 
@@ -896,7 +900,7 @@ EOF exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -919,7 +923,7 @@ EOF EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -965,6 +969,9 @@ EOF ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -1120,7 +1127,7 @@ EOF # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1269,6 +1276,9 @@ EOF SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; 
@@ -1282,9 +1292,9 @@ EOF UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in @@ -1306,7 +1316,7 @@ EOF exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1337,7 +1347,7 @@ EOF # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" @@ -1379,7 +1389,7 @@ EOF echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos @@ -1390,6 +1400,9 @@ EOF x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 < header file. */ #undef HAVE_RESOLV_H +/* Define to 1 if you have the `RSA_set0_key' function. */ +#undef HAVE_RSA_SET0_KEY + /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT diff --git a/config.sub b/config.sub index 1acc966..8d39c4b 100755 --- a/config.sub +++ b/config.sub 
@@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-08-20' +timestamp='2016-03-30' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -33,7 +33,7 @@ timestamp='2015-08-20' # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,8 +53,7 @@ timestamp='2015-08-20' me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. @@ -68,7 +67,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -521,7 +520,7 @@ case $basic_machine in basic_machine=i386-pc os=-aros ;; - asmjs) + asmjs) basic_machine=asmjs-unknown ;; aux) @@ -1383,7 +1382,7 @@ case $os in | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ 
@@ -1399,7 +1398,8 @@ case $os in | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ + | -onefs* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1531,6 +1531,8 @@ case $os in ;; -nacl*) ;; + -ios) + ;; -none) ;; *) diff --git a/configure b/configure index f4b8736..0492945 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tinc 1.0.28. +# Generated by GNU Autoconf 2.69 for tinc 1.0.29. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tinc' PACKAGE_TARNAME='tinc' -PACKAGE_VERSION='1.0.28' -PACKAGE_STRING='tinc 1.0.28' +PACKAGE_VERSION='1.0.29' +PACKAGE_STRING='tinc 1.0.29' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1331,7 +1331,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tinc 1.0.28 to adapt to many kinds of systems. +\`configure' configures tinc 1.0.29 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1402,7 +1402,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tinc 1.0.28:";; + short | recursive ) echo "Configuration of tinc 1.0.29:";; esac cat <<\_ACEOF 
@@ -1441,11 +1441,11 @@ Optional Packages: --with-lzo=DIR lzo base directory, or: --with-lzo-include=DIR lzo headers directory --with-lzo-lib=DIR lzo library directory - --with-openssl=DIR OpenSSL base directory, or: + --with-openssl=DIR LibreSSL/OpenSSL base directory, or: --with-openssl-include=DIR - OpenSSL headers directory (without trailing + LibreSSL/OpenSSL headers directory (without trailing /openssl) - --with-openssl-lib=DIR OpenSSL library directory + --with-openssl-lib=DIR LibreSSL/OpenSSL library directory Some influential environment variables: CC C compiler command @@ -1528,7 +1528,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tinc configure 1.0.28 +tinc configure 1.0.29 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1993,7 +1993,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tinc $as_me 1.0.28, which was +It was created by tinc $as_me 1.0.29, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2857,7 +2857,7 @@ fi # Define the identity of the package. PACKAGE='tinc' - VERSION='1.0.28' + VERSION='1.0.29' cat >>confdefs.h <<_ACEOF 
@@ -5376,6 +5376,79 @@ if test -d /sw/lib ; then fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking CFLAGS for maximum warnings" >&5 +$as_echo_n "checking CFLAGS for maximum warnings... " >&6; } +if ${ac_cv_cflags_warn_all+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_cflags_warn_all="no, unknown" +ac_save_CFLAGS="$CFLAGS" +for ac_arg in "-warn all % -warn all" "-pedantic % -Wall" "-xstrconst % -v" "-std1 % -verbose -w0 -warnprotos" "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" "-ansi -ansiE % -fullwarn" "+ESlit % +w1" "-Xc % -pvctl,fullmsg" "-h conform % -h msglevel 2" # +do CFLAGS="$ac_save_CFLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'` + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_cflags_warn_all=`echo $ac_arg | sed -e 's,.*% *,,'` ; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +CFLAGS="$ac_save_CFLAGS" + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cflags_warn_all" >&5 +$as_echo "$ac_cv_cflags_warn_all" >&6; } + + +case ".$ac_cv_cflags_warn_all" in + .ok|.ok,*) ;; + .|.no|.no,*) ;; + *) if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $ac_cv_cflags_warn_all "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$ac_cv_cflags_warn_all"; } >&5 + (: CFLAGS already contains $ac_cv_cflags_warn_all) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$ac_cv_cflags_warn_all\""; } >&5 + (: CFLAGS="$CFLAGS $ac_cv_cflags_warn_all") 2>&5 + ac_status=$? 
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $ac_cv_cflags_warn_all" + ;; + esac +else + CFLAGS="$ac_cv_cflags_warn_all" +fi + ;; +esac + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + # Check whether --enable-hardening was given. if test "${enable_hardening+set}" = set; then : enableval=$enable_hardening; @@ -6981,7 +7054,7 @@ $as_echo "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes; then : LIBS="$LIBS -ldl" else - as_fn_error $? "OpenSSL depends on libdl." "$LINENO" 5; break + as_fn_error $? "LibreSSL/OpenSSL depends on libdl." "$LINENO" 5; break fi @@ -7029,7 +7102,7 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : _ACEOF else - as_fn_error $? "OpenSSL header files not found." "$LINENO" 5; break + as_fn_error $? "LibreSSL/OpenSSL header files not found." "$LINENO" 5; break fi @@ -7075,12 +7148,12 @@ $as_echo "$ac_cv_lib_crypto_EVP_EncryptInit_ex" >&6; } if test "x$ac_cv_lib_crypto_EVP_EncryptInit_ex" = xyes; then : LIBS="-lcrypto $LIBS" else - as_fn_error $? "OpenSSL libraries not found." "$LINENO" 5 + as_fn_error $? "LibreSSL/OpenSSL libraries not found." "$LINENO" 5 fi - for ac_func in RAND_pseudo_bytes EVP_EncryptInit_ex + for ac_func in RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -7090,7 +7163,7 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then : _ACEOF else - as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break + as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break fi done 
@@ -7101,10 +7174,23 @@ done if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then : else - as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break + as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break fi + for ac_func in BN_GENCB_new ERR_remove_state RSA_set0_key +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + # Check whether --enable-jumbograms was given. if test "${enable_jumbograms+set}" = set; then : @@ -7695,7 +7781,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tinc $as_me 1.0.28, which was +This file was extended by tinc $as_me 1.0.29, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -7761,7 +7847,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tinc config.status 1.0.28 +tinc config.status 1.0.29 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 0ef0c80..3ec5068 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([tinc], [1.0.28]) +AC_INIT([tinc], [1.0.29]) AC_CONFIG_SRCDIR([src/tincd.c]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall]) AC_CONFIG_HEADERS([config.h]) 
@@ -152,6 +152,8 @@ fi dnl Compiler hardening flags dnl No -fstack-protector-all because it doesn't work on all platforms or architectures. +AX_CFLAGS_WARN_ALL(CFLAGS) + AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) AS_IF([test "x$enable_hardening" != "xno"], [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"]) diff --git a/distro/Makefile.in b/distro/Makefile.in index 1058df8..90430cc 100644 --- a/distro/Makefile.in +++ b/distro/Makefile.in @@ -91,8 +91,11 @@ host_triplet = @host@ subdir = distro ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_cflags_warn_all.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \ - $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ diff --git a/doc/Makefile.in b/doc/Makefile.in index 8755f72..81abf5b 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -89,8 +89,11 @@ host_triplet = @host@ subdir = doc ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_cflags_warn_all.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \ - $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index e5b59d7..e2e206e 100644 --- a/doc/tinc.conf.5.in 
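Review bot: `AX_CFLAGS_WARN_ALL(CFLAGS)` is inserted directly under the `dnl Compiler hardening flags` / `dnl No -fstack-protector-all ...` comment, so a reader will file -Wall under hardening and expect `--disable-hardening` to switch it off, which it does not: the macro runs unconditionally before `AC_ARG_ENABLE([hardening], ...)` is even evaluated. A heading of its own, `dnl Compiler warning flags (independent of --enable-hardening)`, placed above the new line and a blank line separating it from the hardening block would keep the two concerns distinguishable. The hardening `AS_IF` that follows continues past the end of this hunk.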
+++ b/doc/tinc.conf.5.in @@ -470,7 +470,7 @@ variables can be specified, in which case each address will be tried until a wor connection has been established. .It Va Cipher Li = Ar cipher Pq blowfish The symmetric cipher algorithm used to encrypt UDP packets. -Any cipher supported by OpenSSL is recognised. +Any cipher supported by LibreSSL or OpenSSL is recognised. Furthermore, specifying .Qq none will turn off packet encryption. @@ -485,7 +485,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), 10 (fast lzo) and 11 (best lzo). .It Va Digest Li = Ar digest Pq sha1 The digest algorithm used to authenticate UDP packets. -Any digest supported by OpenSSL is recognised. +Any digest supported by LibreSSL or OpenSSL is recognised. Furthermore, specifying .Qq none will turn off packet authentication. @@ -657,7 +657,7 @@ its connection to the virtual network device. .El .Sh SEE ALSO .Xr tincd 8 , -.Pa http://www.tinc-vpn.org/ , +.Pa https://www.tinc-vpn.org/ , .Pa http://www.tldp.org/LDP/nag2/ . .Pp The full documentation for diff --git a/doc/tinc.info b/doc/tinc.info index 0dcb528..d5acd43 100644 --- a/doc/tinc.info +++ b/doc/tinc.info @@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or receive data packets. For an up to date list of supported platforms, please check the list -on our website: . +on our website: .  File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top 
@@ -219,12 +219,8 @@ File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration o 2.1.3 Configuration of OpenBSD kernels -------------------------------------- -For OpenBSD version 2.9 and higher, the tun driver is included in the -default kernel configuration. There is also a kernel patch from - which adds a tap device to -OpenBSD which should work with tinc, but with recent versions of -OpenBSD, a tun device can act as a tap device by setting the link0 -option with ifconfig. +Recent versions of OpenBSD come with both tun and tap devices enabled in +the default kernel configuration.  File: tinc.info, Node: Configuration of NetBSD kernels, Next: Configuration of Solaris kernels, Prev: Configuration of OpenBSD kernels, Up: Configuring the kernel @@ -247,7 +243,7 @@ For Solaris 8 (SunOS 5.8) and higher, the tun driver may or may not be included in the default kernel configuration. If it isn't, the source can be downloaded from . For x86 and sparc64 architectures, precompiled versions can be found at -. If the 'net/if_tun.h' +. If the 'net/if_tun.h' header file is missing, install it from the source package.  @@ -274,7 +270,8 @@ File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin ------------------------------ You will need to install the latest TAP-Win32 driver from OpenVPN. You -can download it from . Using the +can download it from +. Using the Network Connections control panel, configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script, as explained in the rest of the documentation. 
@@ -285,25 +282,25 @@ File: tinc.info, Node: Libraries, Prev: Configuring the kernel, Up: Preparati 2.2 Libraries ============= -Before you can configure or build tinc, you need to have the OpenSSL, -zlib and lzo libraries installed on your system. If you try to +Before you can configure or build tinc, you need to have the LibreSSL or +OpenSSL, zlib and lzo libraries installed on your system. If you try to configure tinc without having them installed, configure will give you an error message, and stop. * Menu: -* OpenSSL:: +* LibreSSL/OpenSSL:: * zlib:: * lzo::  -File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries +File: tinc.info, Node: LibreSSL/OpenSSL, Next: zlib, Up: Libraries -2.2.1 OpenSSL -------------- +2.2.1 LibreSSL/OpenSSL +---------------------- For all cryptography-related functions, tinc uses the functions provided -by the OpenSSL library. +by the LibreSSL or the OpenSSL library. If this library is not installed, you will get an error when configuring tinc for build. Support for running tinc with other 
@@ -313,19 +310,22 @@ cryptographic libraries installed _may_ be added in the future. if available. Make sure you install the development AND runtime versions of this package. - If you have to install OpenSSL manually, you can get the source code -from . Instructions on how to configure, build -and install this package are included within the package. Please make -sure you build development and runtime libraries (which is the default). + If your operating system comes neither with LibreSSL or OpenSSL, you +have to install one manually. It is recommended that you get the latest +version of LibreSSL from . Instructions on +how to configure, build and install this package are included within the +package. Please make sure you build development and runtime libraries +(which is the default). - If you installed the OpenSSL libraries from source, it may be -necessary to let configure know where they are, by passing configure one -of the -with-openssl-* parameters. + If you installed the LibreSSL or OpenSSL libraries from source, it +may be necessary to let configure know where they are, by passing +configure one of the -with-openssl-* parameters. Note that you even +have to use -with-openssl-* if you are using LibreSSL. - --with-openssl=DIR OpenSSL library and headers prefix - --with-openssl-include=DIR OpenSSL headers directory + --with-openssl=DIR LibreSSL/OpenSSL library and headers prefix + --with-openssl-include=DIR LibreSSL/OpenSSL headers directory (Default is OPENSSL_DIR/include) - --with-openssl-lib=DIR OpenSSL library directory + --with-openssl-lib=DIR LibreSSL/OpenSSL library directory (Default is OPENSSL_DIR/lib) License 
@@ -334,7 +334,7 @@ License The complete source code of tinc is covered by the GNU GPL version 2. Since the license under which OpenSSL is distributed is not directly compatible with the terms of the GNU GPL -, we include an +, we include an exemption to the GPL (see also the file COPYING.README) to allow everyone to create a statically or dynamically linked executable: @@ -347,13 +347,13 @@ everyone to create a statically or dynamically linked executable: also present the following exemption: Hereby I grant a special exception to the tinc VPN project - (http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL - library (http://www.openssl.org). + (https://www.tinc-vpn.org/) to link the LZO library with the + OpenSSL library (https://www.openssl.org). Markus F.X.J. Oberhumer  -File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries +File: tinc.info, Node: zlib, Next: lzo, Prev: LibreSSL/OpenSSL, Up: Libraries 2.2.2 zlib ---------- @@ -373,10 +373,9 @@ if available. Make sure you install the development AND runtime versions of this package. If you have to install zlib manually, you can get the source code -from . Instructions on how to configure, -build and install this package are included within the package. Please -make sure you build development and runtime libraries (which is the -default). +from . Instructions on how to configure, build +and install this package are included within the package. Please make +sure you build development and runtime libraries (which is the default).  File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries @@ -398,7 +397,7 @@ if available. Make sure you install the development AND runtime versions of this package. If you have to install lzo manually, you can get the source code from -. Instructions on how to +. Instructions on how to configure, build and install this package are included within the package. Please make sure you build development and runtime libraries (which is the default). 
@@ -416,9 +415,7 @@ startup scripts and sample configurations. If you cannot use one of the precompiled packages, or you want to compile tinc for yourself, you can use the source. The source is distributed under the GNU General Public License (GPL). Download the -source from the download page (http://www.tinc-vpn.org/download/), which -has the checksums of these files listed; you may wish to check these -with md5sum before continuing. +source from the download page (https://www.tinc-vpn.org/download/). Tinc comes in a convenient autoconf/automake package, which you can just treat the same as any other package. Which is just untar it, type @@ -456,13 +453,13 @@ File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Wind 3.1.1 Darwin (Mac OS X) build environment ----------------------------------------- -In order to build tinc on Darwin, you need to install the Mac OS X -Developer Tools from -and preferably a recent version of Fink from -. +In order to build tinc on Darwin, you need to install Xcode from +. It might also help to install a +recent version of Fink from . - After installation use fink to download and install the following -packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. + You need to download and install LibreSSL (or OpenSSL) and LZO, +either directly from their websites (see *note Libraries::) or using +Fink.  File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc @@ -471,7 +468,7 @@ File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Window ---------------------------------------- If Cygwin hasn't already been installed, install it directly from -. +. When tinc is compiled in a Cygwin environment, it can only be run in this environment, but all programs, including those started outside the 
@@ -485,7 +482,8 @@ File: tinc.info, Node: MinGW (Windows) build environment, Prev: Cygwin (Window --------------------------------------- You will need to install the MinGW environment from -. +. You also need to download and install LibreSSL +(or OpenSSL) and LZO. When tinc is compiled using MinGW it runs natively under Windows, it is not necessary to keep MinGW installed. @@ -1057,9 +1055,9 @@ Address = [] [recommended] Cipher = (blowfish) The symmetric cipher algorithm used to encrypt UDP packets. Any - cipher supported by OpenSSL is recognized. Furthermore, specifying - "none" will turn off packet encryption. It is best to use only - those ciphers which support CBC mode. + cipher supported by LibreSSL or OpenSSL is recognized. + Furthermore, specifying "none" will turn off packet encryption. It + is best to use only those ciphers which support CBC mode. ClampMSS = (yes) This option specifies whether tinc should clamp the maximum segment @@ -1074,8 +1072,8 @@ Compression = (0) Digest = (sha1) The digest algorithm used to authenticate UDP packets. Any digest - supported by OpenSSL is recognized. Furthermore, specifying "none" - will turn off packet authentication. + supported by LibreSSL or OpenSSL is recognized. Furthermore, + specifying "none" will turn off packet authentication. IndirectData = (no) This option specifies whether other tinc daemons besides the one @@ -1137,7 +1135,7 @@ Subnet = Prefixlength is the number of bits set to 1 in the netmask part; for example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes /22. This conforms to standard CIDR notation as described - in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt) + in RFC1519 (https://www.ietf.org/rfc/rfc1519.txt) A Subnet can be given a weight to indicate its priority over identical Subnets owned by different nodes. The default weight is 
@@ -2098,7 +2096,7 @@ intercept. The encryption algorithm and message authentication algorithm can be changed in the configuration. The length of the message authentication codes is also adjustable. The length of the key for the encryption algorithm is always the default length used by -OpenSSL. +LibreSSL/OpenSSL. * Menu: @@ -2256,8 +2254,8 @@ In August 2000, we discovered the existence of a security hole in all versions of tinc up to and including 1.0pre2. This had to do with the way we exchanged keys. Since then, we have been working on a new authentication scheme to make tinc as secure as possible. The current -version uses the OpenSSL library and uses strong authentication with RSA -keys. +version uses the LibreSSL or OpenSSL library and uses strong +authentication with RSA keys. On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc 1.0pre4. Due to a lack of sequence numbers and a @@ -2393,12 +2391,12 @@ File: tinc.info, Node: Contact information, Next: Authors, Up: About us 8.1 Contact information ======================= -Tinc's website is at , this server is located +Tinc's website is at , this server is located in the Netherlands. We have an IRC channel on the FreeNode and OFTC IRC networks. -Connect to irc.freenode.net (http://www.freenode.net/) or irc.oftc.net -(http://www.oftc.net/) and join channel #tinc. +Connect to irc.freenode.net (https://freenode.net/) or irc.oftc.net +(https://www.oftc.net/) and join channel #tinc.  File: tinc.info, Node: Authors, Prev: Contact information, Up: About us @@ -2515,7 +2513,8 @@ Concept Index (line 206) * KEY_CHANGED: The meta-protocol. (line 63) * libraries: Libraries. (line 6) -* license: OpenSSL. (line 35) +* LibreSSL: LibreSSL/OpenSSL. (line 6) +* license: LibreSSL/OpenSSL. (line 38) * LocalDiscovery: Main configuration variables. (line 212) * lzo: lzo. (line 6) 
@@ -2542,7 +2541,7 @@ Concept Index * Network Administrators Guide: Configuration introduction. (line 15) * NODE: Scripts. (line 71) -* OpenSSL: OpenSSL. (line 6) +* OpenSSL: LibreSSL/OpenSSL. (line 6) * options: Runtime options. (line 9) * PEM format: Host configuration variables. (line 69) 
@@ -2656,61 +2655,61 @@ Node: Introduction1105 Node: Virtual Private Networks1915 Node: tinc3639 Node: Supported platforms5166 -Node: Preparations5866 -Node: Configuring the kernel6122 -Node: Configuration of Linux kernels6532 -Node: Configuration of FreeBSD kernels7387 -Node: Configuration of OpenBSD kernels7852 -Node: Configuration of NetBSD kernels8460 -Node: Configuration of Solaris kernels8865 -Node: Configuration of Darwin (Mac OS X) kernels9527 -Node: Configuration of Windows10346 -Node: Libraries10860 -Node: OpenSSL11248 -Node: zlib13536 -Node: lzo14564 -Node: Installation15546 -Node: Building and installing tinc16561 -Node: Darwin (Mac OS X) build environment17221 -Node: Cygwin (Windows) build environment17803 -Node: MinGW (Windows) build environment18391 -Node: System files18915 -Node: Device files19180 -Node: Other files19596 -Node: Configuration20209 -Node: Configuration introduction20520 -Node: Multiple networks21788 -Node: How connections work23214 -Node: Configuration files24436 -Node: Main configuration variables25930 -Node: Host configuration variables42187 -Node: Scripts47690 -Node: How to configure50956 -Node: Generating keypairs52214 -Node: Network interfaces52713 -Node: Example configuration54561 -Node: Running tinc59886 -Node: Runtime options60476 -Node: Signals63778 -Node: Debug levels64969 -Node: Solving problems65905 -Node: Error messages67457 -Node: Sending bug reports71466 -Node: Technical information72413 -Node: The connection72644 -Node: The UDP tunnel72956 -Node: The meta-connection76017 -Node: The meta-protocol77486 -Node: Security82503 -Node: Authentication protocol83636 -Node: Encryption of network packets88681 -Node: Security issues90057 -Node: Platform specific information91684 -Node: Interface configuration91912 -Node: Routes94383 -Node: About us96397 -Node: Contact information96572 -Node: Authors96976 -Node: Concept Index97381 +Node: Preparations5867 +Node: Configuring the kernel6123 +Node: Configuration of Linux kernels6533 
+Node: Configuration of FreeBSD kernels7388 +Node: Configuration of OpenBSD kernels7853 +Node: Configuration of NetBSD kernels8210 +Node: Configuration of Solaris kernels8615 +Node: Configuration of Darwin (Mac OS X) kernels9278 +Node: Configuration of Windows10097 +Node: Libraries10637 +Node: LibreSSL/OpenSSL11046 +Node: zlib13588 +Node: lzo14620 +Node: Installation15603 +Node: Building and installing tinc16513 +Node: Darwin (Mac OS X) build environment17173 +Node: Cygwin (Windows) build environment17738 +Node: MinGW (Windows) build environment18327 +Node: System files18921 +Node: Device files19186 +Node: Other files19602 +Node: Configuration20215 +Node: Configuration introduction20526 +Node: Multiple networks21794 +Node: How connections work23220 +Node: Configuration files24442 +Node: Main configuration variables25936 +Node: Host configuration variables42193 +Node: Scripts47720 +Node: How to configure50986 +Node: Generating keypairs52244 +Node: Network interfaces52743 +Node: Example configuration54591 +Node: Running tinc59916 +Node: Runtime options60506 +Node: Signals63808 +Node: Debug levels64999 +Node: Solving problems65935 +Node: Error messages67487 +Node: Sending bug reports71496 +Node: Technical information72443 +Node: The connection72674 +Node: The UDP tunnel72986 +Node: The meta-connection76047 +Node: The meta-protocol77516 +Node: Security82533 +Node: Authentication protocol83675 +Node: Encryption of network packets88720 +Node: Security issues90096 +Node: Platform specific information91735 +Node: Interface configuration91963 +Node: Routes94434 +Node: About us96448 +Node: Contact information96623 +Node: Authors97026 +Node: Concept Index97431  End Tag Table diff --git a/doc/tinc.texi b/doc/tinc.texi index 414c0ca..90cc380 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi 
@@ -186,7 +186,7 @@ packets. @cindex release For an up to date list of supported platforms, please check the list on our website: -@uref{http://www.tinc-vpn.org/platforms/}. +@uref{https://www.tinc-vpn.org/platforms/}. @c @c @@ -268,12 +268,7 @@ The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_t @node Configuration of OpenBSD kernels @subsection Configuration of OpenBSD kernels -For OpenBSD version 2.9 and higher, -the tun driver is included in the default kernel configuration. -There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/} -which adds a tap device to OpenBSD which should work with tinc, -but with recent versions of OpenBSD, -a tun device can act as a tap device by setting the link0 option with ifconfig. +Recent versions of OpenBSD come with both tun and tap devices enabled in the default kernel configuration. @c ================================================================== @@ -293,7 +288,7 @@ Tunneling IPv6 may not work on NetBSD's tun device. For Solaris 8 (SunOS 5.8) and higher, the tun driver may or may not be included in the default kernel configuration. If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}. -For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}. +For x86 and sparc64 architectures, precompiled versions can be found at @uref{https://www.monkey.org/~dugsong/fragroute/}. If the @file{net/if_tun.h} header file is missing, install it from the source package. 
@@ -317,7 +312,7 @@ You can also omit the number, in which case the first free number will be chosen @subsection Configuration of Windows You will need to install the latest TAP-Win32 driver from OpenVPN. -You can download it from @uref{http://openvpn.sourceforge.net}. +You can download it from @uref{https://openvpn.net/index.php/open-source/downloads.html}. Using the Network Connections control panel, configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script, as explained in the rest of the documentation. @@ -329,24 +324,25 @@ as explained in the rest of the documentation. @cindex requirements @cindex libraries -Before you can configure or build tinc, you need to have the OpenSSL, +Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL, zlib and lzo libraries installed on your system. If you try to configure tinc without having them installed, configure will give you an error message, and stop. @menu -* OpenSSL:: +* LibreSSL/OpenSSL:: * zlib:: * lzo:: @end menu @c ================================================================== -@node OpenSSL -@subsection OpenSSL +@node LibreSSL/OpenSSL +@subsection LibreSSL/OpenSSL +@cindex LibreSSL @cindex OpenSSL For all cryptography-related functions, tinc uses the functions provided -by the OpenSSL library. +by the LibreSSL or the OpenSSL library. If this library is not installed, you will get an error when configuring tinc for build. Support for running tinc with other cryptographic libraries 
@@ -356,21 +352,23 @@ You can use your operating system's package manager to install this if available. Make sure you install the development AND runtime versions of this package. -If you have to install OpenSSL manually, you can get the source code -from @url{http://www.openssl.org/}. Instructions on how to configure, -build and install this package are included within the package. Please -make sure you build development and runtime libraries (which is the +If your operating system comes neither with LibreSSL or OpenSSL, you have to +install one manually. It is recommended that you get the latest version of +LibreSSL from @url{http://www.libressl.org/}. Instructions on how to +configure, build and install this package are included within the package. +Please make sure you build development and runtime libraries (which is the default). -If you installed the OpenSSL libraries from source, it may be necessary +If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary to let configure know where they are, by passing configure one of the ---with-openssl-* parameters. +--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you +are using LibreSSL. @example ---with-openssl=DIR OpenSSL library and headers prefix ---with-openssl-include=DIR OpenSSL headers directory +--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix +--with-openssl-include=DIR LibreSSL/OpenSSL headers directory (Default is OPENSSL_DIR/include) ---with-openssl-lib=DIR OpenSSL library directory +--with-openssl-lib=DIR LibreSSL/OpenSSL library directory (Default is OPENSSL_DIR/lib) @end example 
@@ -381,7 +379,7 @@ to let configure know where they are, by passing configure one of the The complete source code of tinc is covered by the GNU GPL version 2. Since the license under which OpenSSL is distributed is not directly compatible with the terms of the GNU GPL -@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we +@uref{https://www.openssl.org/support/faq.html#LEGAL2}, we include an exemption to the GPL (see also the file COPYING.README) to allow everyone to create a statically or dynamically linked executable: @@ -397,8 +395,8 @@ we also present the following exemption: @quotation Hereby I grant a special exception to the tinc VPN project -(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library -(http://www.openssl.org). +(https://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library +(https://www.openssl.org). Markus F.X.J. Oberhumer @end quotation @@ -423,7 +421,7 @@ available. Make sure you install the development AND runtime versions of this package. If you have to install zlib manually, you can get the source code -from @url{http://www.gzip.org/zlib/}. Instructions on how to configure, +from @url{http://www.zlib.net/}. Instructions on how to configure, build and install this package are included within the package. Please make sure you build development and runtime libraries (which is the default). @@ -447,7 +445,7 @@ available. Make sure you install the development AND runtime versions of this package. If you have to install lzo manually, you can get the source code -from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure, +from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure, build and install this package are included within the package. Please make sure you build development and runtime libraries (which is the default). 
@@ -473,9 +471,7 @@ system startup scripts and sample configurations. If you cannot use one of the precompiled packages, or you want to compile tinc for yourself, you can use the source. The source is distributed under the GNU General Public License (GPL). Download the source from the -@uref{http://www.tinc-vpn.org/download/, download page}, which has -the checksums of these files listed; you may wish to check these with -md5sum before continuing. +@uref{https://www.tinc-vpn.org/download/, download page}. Tinc comes in a convenient autoconf/automake package, which you can just treat the same as any other package. Which is just untar it, type 
@@ -512,19 +508,18 @@ The documentation that comes along with your distribution will tell you how to d @node Darwin (Mac OS X) build environment @subsection Darwin (Mac OS X) build environment -In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools -from @uref{http://developer.apple.com/tools/macosxtools.html} and -preferably a recent version of Fink from @uref{http://www.finkproject.org/}. +In order to build tinc on Darwin, you need to install Xcode from @uref{https://developer.apple.com/xcode/}. +It might also help to install a recent version of Fink from @uref{http://www.finkproject.org/}. -After installation use fink to download and install the following packages: -autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. +You need to download and install LibreSSL (or OpenSSL) and LZO, +either directly from their websites (see @ref{Libraries}) or using Fink. @c ================================================================== @node Cygwin (Windows) build environment @subsection Cygwin (Windows) build environment If Cygwin hasn't already been installed, install it directly from -@uref{http://www.cygwin.com/}. +@uref{https://www.cygwin.com/}. When tinc is compiled in a Cygwin environment, it can only be run in this environment, but all programs, including those started outside the Cygwin environment, will be able to use the VPN. @@ -535,6 +530,7 @@ It will also support all features. @subsection MinGW (Windows) build environment You will need to install the MinGW environment from @uref{http://www.mingw.org}. +You also need to download and install LibreSSL (or OpenSSL) and LZO. When tinc is compiled using MinGW it runs natively under Windows, it is not necessary to keep MinGW installed. 
@@ -1149,7 +1145,7 @@ tried until a working connection has been established. @cindex Cipher @item Cipher = <@var{cipher}> (blowfish) The symmetric cipher algorithm used to encrypt UDP packets. -Any cipher supported by OpenSSL is recognized. +Any cipher supported by LibreSSL or OpenSSL is recognized. Furthermore, specifying "none" will turn off packet encryption. It is best to use only those ciphers which support CBC mode. @@ -1168,7 +1164,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), @cindex Digest @item Digest = <@var{digest}> (sha1) The digest algorithm used to authenticate UDP packets. -Any digest supported by OpenSSL is recognized. +Any digest supported by LibreSSL or OpenSSL is recognized. Furthermore, specifying "none" will turn off packet authentication. @cindex IndirectData @@ -1239,7 +1235,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e. Prefixlength is the number of bits set to 1 in the netmask part; for example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes /22. This conforms to standard CIDR notation as described in -@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519} +@uref{https://www.ietf.org/rfc/rfc1519.txt, RFC1519} @cindex Subnet weight A Subnet can be given a weight to indicate its priority over identical Subnets @@ -2254,7 +2250,7 @@ eavesdroppers cannot get and cannot change any information at all from the packets they can intercept. The encryption algorithm and message authentication algorithm can be changed in the configuration. The length of the message authentication codes is also adjustable. The length of the key for the -encryption algorithm is always the default length used by OpenSSL. +encryption algorithm is always the default length used by LibreSSL/OpenSSL. @menu * Authentication protocol:: 
@@ -2413,7 +2409,7 @@ the MACLength configuration variable. In August 2000, we discovered the existence of a security hole in all versions of tinc up to and including 1.0pre2. This had to do with the way we exchanged keys. Since then, we have been working on a new authentication scheme to make -tinc as secure as possible. The current version uses the OpenSSL library and +tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and uses strong authentication with RSA keys. On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc @@ -2586,14 +2582,14 @@ Adding routes to IPv6 subnets: @section Contact information @cindex website -Tinc's website is at @url{http://www.tinc-vpn.org/}, +Tinc's website is at @url{https://www.tinc-vpn.org/}, this server is located in the Netherlands. @cindex IRC We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to -@uref{http://www.freenode.net/, irc.freenode.net} +@uref{https://freenode.net/, irc.freenode.net} or -@uref{http://www.oftc.net/, irc.oftc.net} +@uref{https://www.oftc.net/, irc.oftc.net} and join channel #tinc. diff --git a/doc/tincd.8.in b/doc/tincd.8.in index d200c48..195869b 100644 --- a/doc/tincd.8.in +++ b/doc/tincd.8.in @@ -207,7 +207,7 @@ If you find any bugs, report them to tinc@tinc-vpn.org. A lot, especially security auditing. .Sh SEE ALSO .Xr tinc.conf 5 , -.Pa http://www.tinc-vpn.org/ , +.Pa https://www.tinc-vpn.org/ , .Pa http://www.cabal.org/ . .Pp The full documentation for tinc is maintained as a Texinfo manual. diff --git a/m4/Makefile.in b/m4/Makefile.in index 0933f92..25242d4 100644 --- a/m4/Makefile.in +++ b/m4/Makefile.in 
@@ -90,8 +90,11 @@ host_triplet = @host@ subdir = m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_cflags_warn_all.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \ - $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ diff --git a/m4/ax_append_flag.m4 b/m4/ax_append_flag.m4 new file mode 100644 index 0000000..1d38b76 --- /dev/null +++ b/m4/ax_append_flag.m4 
@@ -0,0 +1,69 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
+#
+# DESCRIPTION
+#
+# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
+# added in between.
+#
+# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
+# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains
+# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly
+# FLAG.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim
+# Copyright (c) 2011 Maarten Bosmans
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see .
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_APPEND_FLAG], +[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX +AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])dnl +AS_VAR_SET_IF(FLAGS, + [case " AS_VAR_GET(FLAGS) " in + *" $1 "*) + AC_RUN_LOG([: FLAGS already contains $1]) + ;; + *) + AC_RUN_LOG([: FLAGS="$FLAGS $1"]) + AS_VAR_SET(FLAGS, ["AS_VAR_GET(FLAGS) $1"]) + ;; + esac], + [AS_VAR_SET(FLAGS,["$1"])]) +AS_VAR_POPDEF([FLAGS])dnl +])dnl AX_APPEND_FLAG diff --git a/m4/ax_cflags_warn_all.m4 b/m4/ax_cflags_warn_all.m4 new file mode 100644 index 0000000..1f07799 --- /dev/null +++ b/m4/ax_cflags_warn_all.m4 
@@ -0,0 +1,122 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_cflags_warn_all.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# AX_CXXFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# AX_FCFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# +# DESCRIPTION +# +# Try to find a compiler option that enables most reasonable warnings. +# +# For the GNU compiler it will be -Wall (and -ansi -pedantic) The result +# is added to the shellvar being CFLAGS, CXXFLAGS, or FCFLAGS by default. +# +# Currently this macro knows about the GCC, Solaris, Digital Unix, AIX, +# HP-UX, IRIX, NEC SX-5 (Super-UX 10), Cray J90 (Unicos 10.0.0.8), and +# Intel compilers. For a given compiler, the Fortran flags are much more +# experimental than their C equivalents. +# +# - $1 shell-variable-to-add-to : CFLAGS, CXXFLAGS, or FCFLAGS +# - $2 add-value-if-not-found : nothing +# - $3 action-if-found : add value to shellvariable +# - $4 action-if-not-found : nothing +# +# NOTE: These macros depend on AX_APPEND_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2010 Rhys Ulerich +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . 
+# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 15 + +AC_DEFUN([AX_FLAGS_WARN_ALL],[dnl +AS_VAR_PUSHDEF([FLAGS],[_AC_LANG_PREFIX[]FLAGS])dnl +AS_VAR_PUSHDEF([VAR],[ac_cv_[]_AC_LANG_ABBREV[]flags_warn_all])dnl +AC_CACHE_CHECK([m4_ifval($1,$1,FLAGS) for maximum warnings], +VAR,[VAR="no, unknown" +ac_save_[]FLAGS="$[]FLAGS" +for ac_arg dnl +in "-warn all % -warn all" dnl Intel + "-pedantic % -Wall" dnl GCC + "-xstrconst % -v" dnl Solaris C + "-std1 % -verbose -w0 -warnprotos" dnl Digital Unix + "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" dnl AIX + "-ansi -ansiE % -fullwarn" dnl IRIX + "+ESlit % +w1" dnl HP-UX C + "-Xc % -pvctl[,]fullmsg" dnl NEC SX-5 (Super-UX 10) + "-h conform % -h msglevel 2" dnl Cray C (Unicos) + # +do FLAGS="$ac_save_[]FLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'` + AC_COMPILE_IFELSE([AC_LANG_PROGRAM], + [VAR=`echo $ac_arg | sed -e 's,.*% *,,'` ; break]) +done +FLAGS="$ac_save_[]FLAGS" +]) +AS_VAR_POPDEF([FLAGS])dnl +AX_REQUIRE_DEFINED([AX_APPEND_FLAG]) +case ".$VAR" in + .ok|.ok,*) m4_ifvaln($3,$3) ;; + .|.no|.no,*) m4_default($4,[m4_ifval($2,[AX_APPEND_FLAG([$2], [$1])])]) ;; + *) m4_default($3,[AX_APPEND_FLAG([$VAR], [$1])]) ;; +esac +AS_VAR_POPDEF([VAR])dnl +])dnl 
AX_FLAGS_WARN_ALL +dnl implementation tactics: +dnl the for-argument contains a list of options. The first part of +dnl these does only exist to detect the compiler - usually it is +dnl a global option to enable -ansi or -extrawarnings. All other +dnl compilers will fail about it. That was needed since a lot of +dnl compilers will give false positives for some option-syntax +dnl like -Woption or -Xoption as they think of it is a pass-through +dnl to later compile stages or something. The "%" is used as a +dnl delimiter. A non-option comment can be given after "%%" marks +dnl which will be shown but not added to the respective C/CXXFLAGS. + +AC_DEFUN([AX_CFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([C]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([C]) +]) + +AC_DEFUN([AX_CXXFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([C++]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([C++]) +]) + +AC_DEFUN([AX_FCFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([Fortran]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([Fortran]) +]) diff --git a/m4/ax_require_defined.m4 b/m4/ax_require_defined.m4 new file mode 100644 index 0000000..cae1111 --- /dev/null +++ b/m4/ax_require_defined.m4 
@@ -0,0 +1,37 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_require_defined.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_REQUIRE_DEFINED(MACRO) +# +# DESCRIPTION +# +# AX_REQUIRE_DEFINED is a simple helper for making sure other macros have +# been defined and thus are available for use. This avoids random issues +# where a macro isn't expanded. Instead the configure script emits a +# non-fatal: +# +# ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found +# +# It's like AC_REQUIRE except it doesn't expand the required macro. +# +# Here's an example: +# +# AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG]) +# +# LICENSE +# +# Copyright (c) 2014 Mike Frysinger +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 1 + +AC_DEFUN([AX_REQUIRE_DEFINED], [dnl + m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])]) +])dnl AX_REQUIRE_DEFINED diff --git a/m4/openssl.m4 b/m4/openssl.m4 index 254ea4f..bb1f146 100644 --- a/m4/openssl.m4 +++ b/m4/openssl.m4 @@ -1,4 +1,4 @@ -dnl Check to find the OpenSSL headers/libraries +dnl Check to find the LibreSSL/OpenSSL headers/libraries AC_DEFUN([tinc_OPENSSL], [ 
@@ -10,47 +10,49 @@ AC_DEFUN([tinc_OPENSSL], [], [AC_CHECK_LIB(dl, dlopen, [LIBS="$LIBS -ldl"], - [AC_MSG_ERROR([OpenSSL depends on libdl.]); break] + [AC_MSG_ERROR([LibreSSL/OpenSSL depends on libdl.]); break] )] ) ;; esac AC_ARG_WITH(openssl, - AS_HELP_STRING([--with-openssl=DIR], [OpenSSL base directory, or:]), + AS_HELP_STRING([--with-openssl=DIR], [LibreSSL/OpenSSL base directory, or:]), [openssl="$withval" CPPFLAGS="$CPPFLAGS -I$withval/include" LDFLAGS="$LDFLAGS -L$withval/lib"] ) AC_ARG_WITH(openssl-include, - AS_HELP_STRING([--with-openssl-include=DIR], [OpenSSL headers directory (without trailing /openssl)]), + AS_HELP_STRING([--with-openssl-include=DIR], [LibreSSL/OpenSSL headers directory (without trailing /openssl)]), [openssl_include="$withval" CPPFLAGS="$CPPFLAGS -I$withval"] ) AC_ARG_WITH(openssl-lib, - AS_HELP_STRING([--with-openssl-lib=DIR], [OpenSSL library directory]), + AS_HELP_STRING([--with-openssl-lib=DIR], [LibreSSL/OpenSSL library directory]), [openssl_lib="$withval" LDFLAGS="$LDFLAGS -L$withval"] ) AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h, [], - [AC_MSG_ERROR([OpenSSL header files not found.]); break] + [AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break] ) AC_CHECK_LIB(crypto, EVP_EncryptInit_ex, [LIBS="-lcrypto $LIBS"], - [AC_MSG_ERROR([OpenSSL libraries not found.])] + [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])] ) - AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], , - [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], + AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], , + [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], ) AC_CHECK_DECL([OpenSSL_add_all_algorithms], , - [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], + 
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], [#include ] ) + + AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include ]) ]) diff --git a/src/Makefile.in b/src/Makefile.in index 97402d6..98b93fd 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -105,8 +105,11 @@ sbin_PROGRAMS = tincd$(EXEEXT) subdir = src ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/ax_append_flag.m4 \ + $(top_srcdir)/m4/ax_cflags_warn_all.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \ - $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ diff --git a/src/avl_tree.c b/src/avl_tree.c index a4103ac..0d122bf 100644 --- a/src/avl_tree.c +++ b/src/avl_tree.c @@ -26,7 +26,7 @@ the code. Mail me if you found a bug. Cleaned up and incorporated some of the ideas from the red-black tree - library for inclusion into tinc (http://www.tinc-vpn.org/) by + library for inclusion into tinc (https://www.tinc-vpn.org/) by Guus Sliepen . */ diff --git a/src/avl_tree.h b/src/avl_tree.h index f442934..4171264 100644 --- a/src/avl_tree.h +++ b/src/avl_tree.h @@ -26,7 +26,7 @@ the code. Mail me if you found a bug. Cleaned up and incorporated some of the ideas from the red-black tree - library for inclusion into tinc (http://www.tinc-vpn.org/) by + library for inclusion into tinc (https://www.tinc-vpn.org/) by Guus Sliepen . */ diff --git a/src/bsd/device.c b/src/bsd/device.c index 46879e4..95e65f9 100644 --- a/src/bsd/device.c +++ b/src/bsd/device.c 
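Review bot: The fourth argument of the new `AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include …])` has no effect: as far as I know AC_CHECK_FUNCS takes only the function list and the two actions and runs a plain link test, so the include (whose header name is also missing as rendered here, possibly an extraction artifact) does not influence the result. That is harmless by itself, but these three checks decide whether the struct-accessing fallbacks in net_setup.c and tincd.c get compiled, so a link test that fails for an unrelated reason silently selects code that cannot build against OpenSSL 1.1.0. An `AC_MSG_NOTICE` naming which API was chosen, or dropping the misleading argument, would make a misdetection easier to spot.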
@@ -198,18 +198,19 @@ static bool setup_device(void) { // Guess what the corresponding interface is called - char *realname; + char *realname = NULL; #if defined(HAVE_FDEVNAME) - realname = fdevname(device_fd) ? : device; + realname = fdevname(device_fd); #elif defined(HAVE_DEVNAME) struct stat buf; if(!fstat(device_fd, &buf)) - realname = devname(buf.st_rdev, S_IFCHR) ? : device; -#else - realname = device; + realname = devname(buf.st_rdev, S_IFCHR); #endif + if(!realname) + realname = device; + if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) iface = xstrdup(strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname); else if(strcmp(iface, strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname)) diff --git a/src/dropin.c b/src/dropin.c index eb17aca..a99c828 100644 --- a/src/dropin.c +++ b/src/dropin.c @@ -1,7 +1,7 @@ /* dropin.c -- a set of drop-in replacements for libc functions Copyright (C) 2000-2005 Ivo Timmermans, - 2000-2011 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -140,6 +140,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) { va_copy(aq, ap); status = vsnprintf(*buf, len, fmt, aq); + buf[len - 1] = 0; va_end(aq); if(status >= 0) diff --git a/src/logger.c b/src/logger.c index 6765cc5..3f60edb 100644 --- a/src/logger.c +++ b/src/logger.c @@ -1,6 +1,6 @@ /* logger.c -- logging code - Copyright (C) 2004-2006 Guus Sliepen + Copyright (C) 2004-2016 Guus Sliepen 2004-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify @@ -109,6 +109,7 @@ void logger(int priority, const char *format, ...) { char message[4096]; const char *messages[] = {message}; vsnprintf(message, sizeof(message), format, ap); + message[sizeof message - 1] = 0; ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL); } #else 
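Review bot: `buf[len - 1] = 0;` indexes the `char **` parameter rather than the string it points to: it stores a null pointer `len - 1` pointer slots past `buf`, i.e. far outside the caller's `char *` variable, and leaves `*buf` exactly as vsnprintf left it, so this is an out-of-bounds write rather than a terminator. The intended line is `(*buf)[len - 1] = 0;`. The allocation of `*buf` is outside the hunk, so I am assuming `len` is its allocated size, as the vsnprintf call on the previous line implies.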
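Review bot: The added terminator covers the truncation case of the Windows `_vsnprintf`, but a negative return (encoding error) still leaves `message` uninitialised except for its last byte, and `ReportEvent` then logs indeterminate bytes. A one-line guard covers both cases: `if(vsnprintf(message, sizeof message, format, ap) < 0) message[0] = 0;`, keeping the added `message[sizeof message - 1] = 0;` after it. `sizeof message` on the new line and `sizeof(message)` on the one above it should also agree. logger() starts before the hunk.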
diff --git a/src/net.c b/src/net.c index 06351bf..b82dae8 100644 --- a/src/net.c +++ b/src/net.c @@ -246,7 +246,7 @@ static void check_dead_connections(void) { if(c->status.active) { if(c->status.pinged) { ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds", - c->name, c->hostname, (long)now - c->last_ping_time); + c->name, c->hostname, (long)(now - c->last_ping_time)); c->status.timeout = true; terminate_connection(c, true); } else if(c->last_ping_time + pinginterval <= now) { @@ -275,7 +275,7 @@ static void check_dead_connections(void) { if(c->status.active) { ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) could not flush for %ld seconds (%d bytes remaining)", - c->name, c->hostname, (long)now - c->last_flushed_time, c->outbuflen); + c->name, c->hostname, (long)(now - c->last_flushed_time), c->outbuflen); c->status.timeout = true; terminate_connection(c, true); } diff --git a/src/net_packet.c b/src/net_packet.c index 5f6d9d5..18eaf34 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2015 Guus Sliepen + 2000-2016 Guus Sliepen 2010 Timothy Redaelli 2010 Brandon Black @@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) { len = 64; memset(packet.data, 0, 14); - RAND_pseudo_bytes(packet.data + 14, len - 14); + RAND_bytes(packet.data + 14, len - 14); packet.len = len; if(i >= 4 && n->mtuprobes <= 10) packet.priority = -1; 
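Review bot: The result of `RAND_bytes(packet.data + 14, len - 14)` is discarded; unlike the `RAND_pseudo_bytes()` it replaces, `RAND_bytes()` returns 0 when the generator is not seeded, and the buffer contents should then be treated as unspecified, so on that path the probe goes out with whatever `packet.data` held before. If the bytes are only padding, say so and make the discard deliberate — `(void)RAND_bytes(packet.data + 14, len - 14); /* padding only; failure is harmless */` — otherwise check the return and fall back to `memset(packet.data + 14, 0, len - 14)`. send_mtu_probe starts before and continues after the hunk.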
@@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { if(n->incipher) { outpkt = pkt[nextpkt++]; - if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) - || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL) + || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s", n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); return; @@ -336,16 +336,16 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { if(inpkt->seqno != n->received_seqno + 1) { if(inpkt->seqno >= n->received_seqno + replaywin * 8) { if(n->farfuture++ < replaywin >> 2) { - logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)", + ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)", n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture); return; } - logger(LOG_WARNING, "Lost %d packets from %s (%s)", + ifdebug(TRAFFIC) logger(LOG_WARNING, "Lost %d packets from %s (%s)", inpkt->seqno - n->received_seqno - 1, n->name, n->hostname); memset(n->late, 0, replaywin); } else if (inpkt->seqno <= n->received_seqno) { if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) { - logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d", + ifdebug(TRAFFIC) logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d", n->name, n->hostname, inpkt->seqno, n->received_seqno); return; } 
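Review bot: Moving the three drop warnings in receive_udppacket under `ifdebug(TRAFFIC)` makes the replay-window rejections invisible at the default log level, and those lines ("late or replayed packet", "Lost %d packets", "seqs in the future") are the only operator-visible signal of a replay or of severe reordering on the UDP path. The noise concern is real, but a rate limit (one LOG_WARNING per node per window) or a per-node drop counter reported by dump_nodes would keep the signal without flooding the log. A short comment on the first of the three lines, `// the check still drops the packet; only the logging is gated on debug level`, would make the intent clear to the next reader. receive_udppacket starts before and continues after the hunk.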
@@ -479,10 +479,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { if(n->outcipher) { outpkt = pkt[nextpkt++]; - if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) - || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, + if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL) + || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen, (unsigned char *) &inpkt->seqno, inpkt->len) - || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { + || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s", n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); goto end; diff --git a/src/net_setup.c b/src/net_setup.c index 50d5680..6c50f9d 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -1,7 +1,7 @@ /* net_setup.c -- Setup. Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2015 Guus Sliepen + 2000-2016 Guus Sliepen 2006 Scott Lamb 2010 Brandon Black @@ -48,11 +48,22 @@ char *myport; devops_t devops; +#ifndef HAVE_RSA_SET0_KEY +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { + BN_free(r->n); r->n = n; + BN_free(r->e); r->e = e; + BN_free(r->d); r->d = d; + return 1; +} +#endif + bool read_rsa_public_key(connection_t *c) { FILE *fp; char *pubname; char *hcfname; char *key; + BIGNUM *n = NULL; + BIGNUM *e = NULL; if(!c->rsa_key) { c->rsa_key = RSA_new(); 
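Review bot: The `RSA_set0_key` fallback always returns 1 and accepts NULL for `n` and `e`, whereas the OpenSSL 1.1.0 function it stands in for refuses a call that would leave the key without a modulus or exponent; both callers in this commit pre-check `!n || !e`, so nothing breaks today, but code relying on the return value would behave differently depending on which implementation was compiled in. Mirroring the check as the first line — `if((!r->n && !n) || (!r->e && !e)) return 0;` — keeps the two in step. The function also has external linkage and no prototype; `static` would keep a name borrowed from the library out of the link namespace. read_rsa_public_key continues past the hunk.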
@@ -62,12 +73,19 @@ bool read_rsa_public_key(connection_t *c) { /* First, check for simple PublicKey statement */ if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) { - if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) { + if(BN_hex2bn(&n, key) != strlen(key)) { + free(key); logger(LOG_ERR, "Invalid PublicKey for %s!", c->name); return false; } - BN_hex2bn(&c->rsa_key->e, "FFFF"); free(key); + BN_hex2bn(&e, "FFFF"); + if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) { + BN_free(e); + BN_free(n); + logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name); + return false; + } return true; } @@ -158,27 +176,39 @@ bool read_rsa_public_key(connection_t *c) { static bool read_rsa_private_key(void) { FILE *fp; char *fname, *key, *pubkey; + BIGNUM *n = NULL; + BIGNUM *e = NULL; + BIGNUM *d = NULL; if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { myself->connection->rsa_key = RSA_new(); // RSA_blinding_on(myself->connection->rsa_key, NULL); - if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) { + if(BN_hex2bn(&d, key) != strlen(key)) { logger(LOG_ERR, "Invalid PrivateKey for myself!"); free(key); return false; } free(key); if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { + BN_free(d); logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); return false; } - if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) { - logger(LOG_ERR, "Invalid PublicKey for myself!"); + if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) { free(pubkey); + BN_free(d); + logger(LOG_ERR, "Invalid PublicKey for myself!"); return false; } free(pubkey); - BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); + BN_hex2bn(&e, "FFFF"); + if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) { + BN_free(d); + BN_free(e); + BN_free(n); + logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!"); + return false; + } return true; } 
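Review bot: In the PublicKey branch, `BN_hex2bn(&n, key)` can allocate `n` and still return a shorter count when `key` contains a non-hex character, and the error path that follows frees `key` but not `n`; the first error path of read_rsa_private_key in the next hunk (`BN_hex2bn(&d, key)`) has the same leak, while the later paths in that hunk do call `BN_free`. Adding `BN_free(n);` (respectively `BN_free(d);`) before those two `return false;` lines closes it. The `!n || !e || RSA_set0_key(...)` guards could also include the key pointer itself, since `RSA_new()` can return NULL and both the library and the fallback dereference it; whether RSA_new's result is checked elsewhere is not visible in the hunk.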
@@ -623,7 +653,7 @@ static bool setup_myself(void) { myself->incipher = EVP_bf_cbc(); if(myself->incipher) - myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len; + myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher); else myself->inkeylength = 1; @@ -657,7 +687,7 @@ static bool setup_myself(void) { if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) { if(myself->indigest) { - if(myself->inmaclength > myself->indigest->md_size) { + if(myself->inmaclength > EVP_MD_size(myself->indigest)) { logger(LOG_ERR, "MAC length exceeds size of digest!"); return false; } else if(myself->inmaclength < 0) { diff --git a/src/netutl.c b/src/netutl.c index 2abbe86..e473f17 100644 --- a/src/netutl.c +++ b/src/netutl.c @@ -1,7 +1,7 @@ /* netutl.c -- some supporting network utility code Copyright (C) 1998-2005 Ivo Timmermans - 2000-2015 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -231,6 +231,25 @@ void sockaddrunmap(sockaddr_t *sa) { } } +void sockaddr_setport(sockaddr_t *sa, const char *port) { + uint16_t portnum = htons(atoi(port)); + if(!portnum) + return; + switch(sa->sa.sa_family) { + case AF_INET: + sa->in.sin_port = portnum; + break; + case AF_INET6: + sa->in6.sin6_port = portnum; + break; + case AF_UNKNOWN: + free(sa->unknown.port); + sa->unknown.port = xstrdup(port); + default: + return; + } +} + /* Subnet mask handling */ int maskcmp(const void *va, const void *vb, int masklen) { diff --git a/src/netutl.h b/src/netutl.h index 7fc41e8..bab6717 100644 --- a/src/netutl.h +++ b/src/netutl.h 
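Review bot: `sockaddr_setport()` parses `port` with `atoi()`, so a value outside 0..65535 or a negative one is reduced modulo 2^16 by the conversion to `uint16_t`, and a non-numeric string becomes port 0 and is dropped without the caller learning about it; the string reaches this function from a peer's ACK via ack_h, so it should be range-checked rather than truncated. The `case AF_UNKNOWN:` branch also runs into `default:` without a marker, which `-Wextra`'s implicit-fallthrough warning reports — a `/* fallthrough */` comment (or a `break;`) states the intent. A strtol-based parse with an explicit range check replaces the first two lines of the function:
```c
void sockaddr_setport(sockaddr_t *sa, const char *port) {
	char *end;
	long value = strtol(port, &end, 10);
	// reject empty or non-numeric strings and anything outside the port range
	if(end == port || *end || value < 1 || value > 65535)
		return;
	uint16_t portnum = htons((uint16_t)value);
	/* … unchanged: switch on sa->sa.sa_family … */
```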
@@ -1,7 +1,7 @@ /* netutl.h -- header file for netutl.c Copyright (C) 1998-2005 Ivo Timmermans - 2000-2009 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -34,6 +34,7 @@ extern int sockaddrcmp_noport(const sockaddr_t *, const sockaddr_t *); extern void sockaddrunmap(sockaddr_t *); extern void sockaddrfree(sockaddr_t *); extern void sockaddrcpy(sockaddr_t *, const sockaddr_t *); +extern void sockaddr_setport(sockaddr_t *, const char *); extern int maskcmp(const void *, const void *, int); extern void maskcpy(void *, const void *, int, int); extern void mask(void *, int, int); diff --git a/src/node.c b/src/node.c index cf70f83..19f3730 100644 --- a/src/node.c +++ b/src/node.c @@ -1,6 +1,6 @@ /* node.c -- node tree management - Copyright (C) 2001-2011 Guus Sliepen , + Copyright (C) 2001-2016 Guus Sliepen , 2001-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify @@ -57,8 +57,10 @@ node_t *new_node(void) { if(replaywin) n->late = xmalloc_and_zero(replaywin); n->subnet_tree = new_subnet_tree(); n->edge_tree = new_edge_tree(); - EVP_CIPHER_CTX_init(&n->inctx); - EVP_CIPHER_CTX_init(&n->outctx); + n->inctx = EVP_CIPHER_CTX_new(); + n->outctx = EVP_CIPHER_CTX_new(); + if(!n->inctx || !n->outctx) + abort(); n->mtu = MTU; n->maxmtu = MTU; @@ -80,8 +82,8 @@ void free_node(node_t *n) { sockaddrfree(&n->address); - EVP_CIPHER_CTX_cleanup(&n->inctx); - EVP_CIPHER_CTX_cleanup(&n->outctx); + EVP_CIPHER_CTX_free(n->outctx); + EVP_CIPHER_CTX_free(n->inctx); if(n->mtuevent) event_del(n->mtuevent); 
@@ -172,8 +174,8 @@ void dump_nodes(void) { for(node = node_tree->head; node; node = node->next) { n = node->data; logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)", - n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0, - n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression, + n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0, + n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression, n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-", n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu); } diff --git a/src/node.h b/src/node.h index f9ef3c1..69ed12f 100644 --- a/src/node.h +++ b/src/node.h @@ -1,6 +1,6 @@ /* node.h -- header for node.c - Copyright (C) 2001-2012 Guus Sliepen , + Copyright (C) 2001-2016 Guus Sliepen , 2001-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify @@ -50,12 +50,12 @@ typedef struct node_t { const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */ char *inkey; /* Cipher key and iv */ int inkeylength; /* Cipher key and iv length */ - EVP_CIPHER_CTX inctx; /* Cipher context */ + EVP_CIPHER_CTX *inctx; /* Cipher context */ const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/ char *outkey; /* Cipher key and iv */ int outkeylength; /* Cipher key and iv length */ - EVP_CIPHER_CTX outctx; /* Cipher context */ + EVP_CIPHER_CTX *outctx; /* Cipher context */ const EVP_MD *indigest; /* Digest type for MAC of packets received from him */ int inmaclength; /* Length of MAC */ diff --git a/src/protocol.c b/src/protocol.c index 5b8b7ba..eadca13 100644 --- a/src/protocol.c +++ b/src/protocol.c 
@@ -1,7 +1,7 @@ /* protocol.c -- handle the meta-protocol, basic functions Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2015 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -75,10 +75,11 @@ bool send_request(connection_t *c, const char *format, ...) { input buffer anyway */ va_start(args, format); - len = vsnprintf(buffer, MAXBUFSIZE, format, args); + len = vsnprintf(buffer, sizeof buffer, format, args); + buffer[sizeof buffer - 1] = 0; va_end(args); - if(len < 0 || len > MAXBUFSIZE - 1) { + if(len < 0 || len > sizeof buffer - 1) { logger(LOG_ERR, "Output buffer overflow while sending request to %s (%s)", c->name, c->hostname); return false; diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 8fa9b93..13dae1d 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2015 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -125,8 +125,11 @@ bool send_metakey(connection_t *c) { c->outkey = xrealloc(c->outkey, len); - if(!c->outctx) - c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); + if(!c->outctx) { + c->outctx = EVP_CIPHER_CTX_new(); + if(!c->outctx) + abort(); + } /* Copy random data to the buffer */ 
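Review bot: `len > sizeof buffer - 1` compares `len` (presumably an `int`, given the `len < 0` test) against a `size_t`, which `-Wextra`'s `-Wsign-compare` reports; the preceding `len < 0` keeps it correct, but `(size_t)len > sizeof buffer - 1` says so explicitly and silences the warning. `sizeof buffer` on both new lines is only the buffer size if `buffer` is declared as an array in send_request, which the hunk does not show — worth confirming, since the old code used `MAXBUFSIZE` there. send_request starts before and continues after the hunk.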
@@ -177,17 +180,17 @@ bool send_metakey(connection_t *c) { /* Send the meta key */ x = send_request(c, "%d %d %d %d %d %s", METAKEY, - c->outcipher ? c->outcipher->nid : 0, - c->outdigest ? c->outdigest->type : 0, c->outmaclength, + c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0, + c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength, c->outcompression, buffer); /* Further outgoing requests are encrypted with the key we just generated */ if(c->outcipher) { if(!EVP_EncryptInit(c->outctx, c->outcipher, - (unsigned char *)c->outkey + len - c->outcipher->key_len, - (unsigned char *)c->outkey + len - c->outcipher->key_len - - c->outcipher->iv_len)) { + (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher), + (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) - + EVP_CIPHER_iv_length(c->outcipher))) { logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; @@ -223,8 +226,11 @@ bool metakey_h(connection_t *c) { c->inkey = xrealloc(c->inkey, len); - if(!c->inctx) - c->inctx = xmalloc_and_zero(sizeof(*c->inctx)); + if(!c->inctx) { + c->inctx = EVP_CIPHER_CTX_new(); + if(!c->inctx) + abort(); + } /* Convert the challenge from hexadecimal back to binary */ @@ -260,9 +266,9 @@ bool metakey_h(connection_t *c) { } if(!EVP_DecryptInit(c->inctx, c->incipher, - (unsigned char *)c->inkey + len - c->incipher->key_len, - (unsigned char *)c->inkey + len - c->incipher->key_len - - c->incipher->iv_len)) { + (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher), + (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) - + EVP_CIPHER_iv_length(c->incipher))) { logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; 
@@ -283,7 +289,7 @@ bool metakey_h(connection_t *c) { return false; } - if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { + if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) { logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname); return false; } @@ -367,22 +373,29 @@ bool challenge_h(connection_t *c) { bool send_chal_reply(connection_t *c) { char hash[EVP_MAX_MD_SIZE * 2 + 1]; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; /* Calculate the hash from the challenge we received */ - if(!EVP_DigestInit(&ctx, c->indigest) - || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) - || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) { + ctx = EVP_MD_CTX_create(); + if(!ctx) + abort(); + + if(!EVP_DigestInit(ctx, c->indigest) + || !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) + || !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) { + EVP_MD_CTX_destroy(ctx); logger(LOG_ERR, "Error during calculation of response for %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } + EVP_MD_CTX_destroy(ctx); + /* Convert the hash to a hexadecimal formatted string */ - bin2hex(hash, hash, c->indigest->md_size); - hash[c->indigest->md_size * 2] = '\0'; + bin2hex(hash, hash, EVP_MD_size(c->indigest)); + hash[EVP_MD_size(c->indigest) * 2] = '\0'; /* Send the reply */ @@ -392,7 +405,7 @@ bool send_chal_reply(connection_t *c) { bool chal_reply_h(connection_t *c) { char hishash[MAX_STRING_SIZE]; char myhash[EVP_MAX_MD_SIZE]; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name, 
@@ -402,7 +415,7 @@ bool chal_reply_h(connection_t *c) { /* Check if the length of the hash is all right */ - if(strlen(hishash) != c->outdigest->md_size * 2) { + if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) { logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply length"); return false; @@ -410,24 +423,31 @@ bool chal_reply_h(connection_t *c) { /* Convert the hash to binary format */ - if(!hex2bin(hishash, hishash, c->outdigest->md_size)) { + if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) { logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash"); return false; } /* Calculate the hash from the challenge we sent */ - if(!EVP_DigestInit(&ctx, c->outdigest) - || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) - || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) { + ctx = EVP_MD_CTX_create(); + if(!ctx) + abort(); + + if(!EVP_DigestInit(ctx, c->outdigest) + || !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key)) + || !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) { + EVP_MD_CTX_destroy(ctx); logger(LOG_ERR, "Error during calculation of response from %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } + EVP_MD_CTX_destroy(ctx); + /* Verify the incoming hash with the calculated hash */ - if(memcmp(hishash, myhash, c->outdigest->md_size)) { + if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) { logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong challenge reply"); @@ -516,7 +536,6 @@ static void send_everything(connection_t *c) { bool ack_h(connection_t *c) { char hisport[MAX_STRING_SIZE]; - char *hisaddress; int weight, mtu; uint32_t options; node_t *n; 
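Review bot: `memcmp(hishash, myhash, EVP_MD_size(c->outdigest))` is an early-exit comparison of the challenge response; `CRYPTO_memcmp()` (in OpenSSL since 1.0.1 and in LibreSSL) is the usual constant-time replacement: `if(CRYPTO_memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {`. The practical exposure is small because `hischallenge` is fresh per connection and a mismatch ends the connection, so this is defence in depth rather than a fix. `EVP_MD_size(c->outdigest)` is now evaluated three times in chal_reply_h; a local `int md_size` at the top would read better. chal_reply_h starts before the hunk.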
@@ -585,9 +604,8 @@ bool ack_h(connection_t *c) { c->edge = new_edge(); c->edge->from = myself; c->edge->to = n; - sockaddr2str(&c->address, &hisaddress, NULL); - c->edge->address = str2sockaddr(hisaddress, hisport); - free(hisaddress); + sockaddrcpy(&c->edge->address, &c->address); + sockaddr_setport(&c->edge->address, hisport); c->edge->weight = (weight + c->estimated_weight) / 2; c->edge->connection = c; c->edge->options = c->options; diff --git a/src/protocol_key.c b/src/protocol_key.c index 4f1e1b7..5f71d1c 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) { } if(to->incipher) - EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); + EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher)); // Reset sequence number and late packet window mykeyused = true; @@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) { return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, myself->name, to->name, key, - to->incipher ? to->incipher->nid : 0, - to->indigest ? to->indigest->type : 0, to->inmaclength, + to->incipher ? EVP_CIPHER_nid(to->incipher) : 0, + to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength, to->incompression); } @@ -268,7 +268,7 @@ bool ans_key_h(connection_t *c) { return true; } - if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) { + if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) { logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); return true; 
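Review bot: `hisport` is handed to `sockaddr_setport()` as received from the peer, and that function (as defined in this commit) returns silently when the string is not a usable port, so the edge then keeps the port copied from `c->address` — presumably the peer's TCP source port — and that address is what the edge carries from here on. Rejecting the ACK when the port does not parse, e.g. a check on `hisport` next to the sscanf that fills it, or a bool return from sockaddr_setport tested here, would avoid recording a wrong address. The sscanf is outside the hunk; ack_h starts before and continues after it.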
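Review bot: The result of `EVP_DecryptInit_ex(to->inctx, to->incipher, …)` in send_ans_key is still discarded, while the mirrored `EVP_EncryptInit_ex` in ans_key_h (the -305 hunk further down) is checked and logged; an inbound context left uninitialised here only surfaces later as a decryption error in receive_udppacket. Wrapping it the same way — `if(!EVP_DecryptInit_ex(...)) { logger(LOG_ERR, "Error during initialisation of key for %s (%s): %s", to->name, to->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; }` — keeps the two paths consistent. send_ans_key starts before the hunk.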
@@ -288,7 +288,7 @@ bool ans_key_h(connection_t *c) {
 return true;
 }
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
 logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", from->name, from->hostname);
 return true;
@@ -305,7 +305,7 @@ bool ans_key_h(connection_t *c) {
 from->outcompression = compression;
 if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
 logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
 return true;
diff --git a/src/tincd.c b/src/tincd.c
index f106f5f..aaf40e2 100644
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -336,7 +336,7 @@ static bool parse_options(int argc, char **argv) {
 /* This function prettyprints the key generation process */
-static void indicator(int a, int b, void *p) {
+static int indicator(int a, int b, BN_GENCB *cb) {
 switch (a) {
 case 0:
 fprintf(stderr, ".");
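Review bot: `EVP_MD_size(from->outdigest)` on the rewritten line is reached with no visible guard that `from->outdigest` is non-NULL, and the sending side in send_ans_key (the `-178` hunk) emits digest id 0 when no digest is configured. OpenSSL's `EVP_MD_size()` returns -1 for a NULL digest, so if the code preceding this hunk maps digest 0 to `outdigest = NULL`, a peer with `outmaclength == 0` is now rejected as "bogus MAC length" — safer than the old `from->outdigest->md_size` dereference, but a behaviour change that deserves an explicit branch rather than relying on the -1, e.g. `if(from->outdigest ? (from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) : from->outmaclength != 0)`. The surrounding code is outside the hunk, so treat the NULL case as something to confirm; ans_key_h starts before this hunk.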
@@ -368,21 +368,50 @@ static void indicator(int a, int b, void *p) {
 default:
 fprintf(stderr, "?");
 }
+
+ return 1;
 }
+#ifndef HAVE_BN_GENCB_NEW
+BN_GENCB *BN_GENCB_new(void) {
+ return xmalloc_and_zero(sizeof(BN_GENCB));
+}
+
+void BN_GENCB_free(BN_GENCB *cb) {
+ free(cb);
+}
+#endif
+
 /* Generate a public/private RSA keypair, and ask for a file to store them in. */
 static bool keygen(int bits) {
+ BIGNUM *e = NULL;
 RSA *rsa_key;
 FILE *f;
 char *pubname, *privname;
+ BN_GENCB *cb;
+ int result;
 fprintf(stderr, "Generating %d bits keys:\n", bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
- if(!rsa_key) {
+ cb = BN_GENCB_new();
+ if(!cb)
+ abort();
+ BN_GENCB_set(cb, indicator, NULL);
+
+ rsa_key = RSA_new();
+ BN_hex2bn(&e, "10001");
+ if(!rsa_key || !e)
+ abort();
+
+ result = RSA_generate_key_ex(rsa_key, bits, e, cb);
+
+ BN_free(e);
+ BN_GENCB_free(cb);
+
+ if(!result) {
 fprintf(stderr, "Error during key generation!\n");
 return false;
 } else
@@ -702,7 +731,11 @@ end:
 EVP_cleanup();
 ENGINE_cleanup();
 CRYPTO_cleanup_all_ex_data();
+#ifdef HAVE_ERR_REMOVE_STATE
+ // OpenSSL claims this function was deprecated in 1.0.0,
+ // but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
 ERR_remove_state(0);
+#endif
 ERR_free_strings();
 exit_configuration(&config_tree);
diff --git a/src/xmalloc.c b/src/xmalloc.c
index 39dc03c..a1b1fe8 100644
--- a/src/xmalloc.c
+++ b/src/xmalloc.c
@@ -155,6 +155,7 @@ int xvasprintf(char **strp, const char *fmt, va_list ap) {
 int result = vsnprintf(buf, sizeof buf, fmt, ap);
 if(result < 0)
 exit(xalloc_exit_failure);
+ buf[sizeof buf - 1] = 0;
 *strp = xstrdup(buf);
 #else
 int result = vasprintf(strp, fmt, ap);
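Review bot: On the new failure path `if(!result) { fprintf(stderr, "Error during key generation!\n"); return false; }` the `RSA` object obtained from `RSA_new()` a few lines earlier is never released, so the error return leaks it; add `RSA_free(rsa_key);` before `return false;`. The message also drops OpenSSL's reason, which every other error path touched by this commit reports — appending `ERR_error_string(ERR_get_error(), NULL)` to that `fprintf()` would say why `RSA_generate_key_ex()` failed. The `} else` branch and the normal release of `rsa_key` lie outside the hunk, so I cannot see whether the success path frees it either.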
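Review bot: The added `buf[sizeof buf - 1] = 0;` only changes anything on pre-C99 `vsnprintf()` implementations that fail to terminate on truncation; a conforming `vsnprintf()` already terminates, and the gap that remains is that truncation itself is not detected — `result` is tested only for `< 0`, so a formatted string longer than `buf` is silently cut and the caller receives a shortened string with no error. Check the length as well, e.g. `if(result < 0 || (size_t)result >= sizeof buf) exit(xalloc_exit_failure);`, or allocate `result + 1` bytes and format again from a `va_copy`'d argument list so the result is never truncated. `buf`'s declaration and the `#if` that selects this branch are outside the hunk.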
