lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Upstream version 1.0.29

Browse source
This commit is contained in:
Guus Sliepen 2019-08-26 13:44:47 +02:00
parent d08a5d8f0b
commit 1077a20a8c
39 changed files with 865 additions and 375 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
ChangeLog
View file

@ -1,11 +1,30 @@
Version 1.0.29 October 09 2016
------------------------------------------------------------------------
Guus Sliepen (11):
Preserve IPv6 scope_id in edges.
Ensure compatibility with OpenSSL 1.1.0.
Add -Wall to CFLAGS.
Check return value of RSA_generate_key_ex().
Force nul-termination of strings after vsnprintf().
Log warnings about dropped packets only with debug level 5 or higher.
Add a copy of ax_append_flag.m4.
Add ax_require_defined.m4.
Fix possibly unitialized variable.
Fix compiler warnings about format string errors on BSD.
Releasing 1.0.29.
Version 1.0.28 April 10 2016
------------------------------------------------------------------------
Guus Sliepen (5):
Guus Sliepen (8):
Fix compiling bsd/device.c on systems without utun.
Really remove use of __DATE__ and __TIME__ to facilitate reproducible builds.
Add systemd service files.
Update .gitignore.
Ensure the service files are in the tarball.
Explicitly mention that LibreSSL can be used as well.
Update links in the documentation.
Releasing 1.0.28.
Version 1.0.27 April 10 2016
@ -118,7 +137,20 @@ VittGam (1):
Version 1.0.24 May 11 2014
------------------------------------------------------------------------
Guus Sliepen (13):
Guus Sliepen (26):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init().
@ -138,40 +170,22 @@ Steffan Karger (3):
Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1):
fix documentation typo
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
refs/tags/1.0.23-android-1 March 11 2014
------------------------------------------------------------------------
Guus Sliepen (13):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
Version 1.0.23 October 19 2013
------------------------------------------------------------------------

5
Makefile.in
View file

@ -90,8 +90,11 @@ host_triplet = @host@
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

10
NEWS
View file

@ -1,3 +1,13 @@
Version 1.0.29 October 9 2016
* Fix UDP communication with peers with link-local IPv6 addresses.
* Ensure compatibility with OpenSSL 1.1.0.
* Ensure autoreconf can be run without requiring autoconf-archive.
* Log warnings about dropped packets only at debug level 5.
Version 1.0.28 April 10 2016
* Fix compilation on BSD platforms.

4
README
View file

@ -1,4 +1,4 @@
This is the README file for tinc version 1.0.28. Installation
This is the README file for tinc version 1.0.29. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2016 by:
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility
-------------
Version 1.0.28 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.

3
aclocal.m4 vendored
View file

@ -1463,8 +1463,11 @@ AC_SUBST([am__untar])
]) # _AM_PROG_TAR
m4_include([m4/attribute.m4])
m4_include([m4/ax_append_flag.m4])
m4_include([m4/ax_cflags_warn_all.m4])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/ax_require_defined.m4])
m4_include([m4/lzo.m4])
m4_include([m4/openssl.m4])
m4_include([m4/zlib.m4])

111
config.guess vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright 1992-2015 Free Software Foundation, Inc.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2015-08-20'
timestamp='2016-04-02'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -27,7 +27,7 @@ timestamp='2015-08-20'
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
#
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
#
# Please send patches to <config-patches@gnu.org>.
@ -50,7 +50,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright 1992-2015 Free Software Foundation, Inc.
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -237,6 +237,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;;
*:LibertyBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
exit ;;
*:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;;
@ -268,42 +272,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in
"EV4 (21064)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"EV4.5 (21064)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"EV5 (21164)")
UNAME_MACHINE="alphaev5" ;;
UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)")
UNAME_MACHINE="alphaev56" ;;
UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)")
UNAME_MACHINE="alphapca56" ;;
UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)")
UNAME_MACHINE="alphapca57" ;;
UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)")
UNAME_MACHINE="alphaev6" ;;
UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)")
UNAME_MACHINE="alphaev67" ;;
UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)")
UNAME_MACHINE="alphaev69" ;;
UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)")
UNAME_MACHINE="alphaev7" ;;
UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)")
UNAME_MACHINE="alphaev79" ;;
UNAME_MACHINE=alphaev79 ;;
esac
# A Pn.n version is a patched version.
# A Vn.n version is a released version.
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$?
trap '' 0
@ -376,16 +380,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
SUN_ARCH="i386"
SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
SUN_ARCH="x86_64"
SUN_ARCH=x86_64
fi
fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@ -410,7 +414,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in
sun3)
echo m68k-sun-sunos${UNAME_RELEASE}
@ -635,13 +639,13 @@ EOF
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
32) HP_ARCH="hppa2.0n" ;;
64) HP_ARCH="hppa2.0w" ;;
'') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
32) HP_ARCH=hppa2.0n ;;
64) HP_ARCH=hppa2.0w ;;
'') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;;
esac
fi
@ -680,11 +684,11 @@ EOF
exit (0);
}
EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
(CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;;
esac
if [ ${HP_ARCH} = "hppa2.0w" ]
if [ ${HP_ARCH} = hppa2.0w ]
then
eval $set_cc_for_build
@ -697,12 +701,12 @@ EOF
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23
if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__
then
HP_ARCH="hppa2.0w"
HP_ARCH=hppa2.0w
else
HP_ARCH="hppa64"
HP_ARCH=hppa64
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@ -807,14 +811,14 @@ EOF
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@ -896,7 +900,7 @@ EOF
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
@ -919,7 +923,7 @@ EOF
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
@ -965,6 +969,9 @@ EOF
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
k1om:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
@ -1120,7 +1127,7 @@ EOF
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configury will decide that
# prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
@ -1269,6 +1276,9 @@ EOF
SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE}
exit ;;
SX-ACE:SUPER-UX:*:*)
echo sxace-nec-superux${UNAME_RELEASE}
exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
@ -1282,9 +1292,9 @@ EOF
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
@ -1306,7 +1316,7 @@ EOF
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
if test "$UNAME_PROCESSOR" = "x86"; then
if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386
UNAME_MACHINE=pc
fi
@ -1337,7 +1347,7 @@ EOF
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
if test "$cputype" = "386"; then
if test "$cputype" = 386; then
UNAME_MACHINE=i386
else
UNAME_MACHINE="$cputype"
@ -1379,7 +1389,7 @@ EOF
echo i386-pc-xenix
exit ;;
i*86:skyos:*:*)
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;;
i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos
@ -1390,6 +1400,9 @@ EOF
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
amd64:Isilon\ OneFS:*:*)
echo x86_64-unknown-onefs
exit ;;
esac
cat >&2 <<EOF
@ -1399,9 +1412,9 @@ This script, last modified $timestamp, has failed to recognize
the operating system you are using. It is advised that you
download the most up to date version of the config scripts from
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
If the version you run ($0) is already up to date, please
send the following data and any information you think might be

16
config.h.in
View file

@ -21,6 +21,9 @@
/* Define to 1 if you have the `asprintf' function. */
#undef HAVE_ASPRINTF
/* Define to 1 if you have the `BN_GENCB_new' function. */
#undef HAVE_BN_GENCB_NEW
/* Unknown BSD variant */
#undef HAVE_BSD
@ -62,6 +65,12 @@
/* DragonFly */
#undef HAVE_DRAGONFLY
/* Define to 1 if you have the `ERR_remove_state' function. */
#undef HAVE_ERR_REMOVE_STATE
/* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
#undef HAVE_EVP_CIPHER_CTX_NEW
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
#undef HAVE_EVP_ENCRYPTINIT_EX
@ -233,12 +242,15 @@
/* Define to 1 if you have the `random' function. */
#undef HAVE_RANDOM
/* Define to 1 if you have the `RAND_pseudo_bytes' function. */
#undef HAVE_RAND_PSEUDO_BYTES
/* Define to 1 if you have the `RAND_bytes' function. */
#undef HAVE_RAND_BYTES
/* Define to 1 if you have the <resolv.h> header file. */
#undef HAVE_RESOLV_H
/* Define to 1 if you have the `RSA_set0_key' function. */
#undef HAVE_RSA_SET0_KEY
/* Define to 1 if you have the `select' function. */
#undef HAVE_SELECT

20
config.sub vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright 1992-2015 Free Software Foundation, Inc.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2015-08-20'
timestamp='2016-03-30'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -33,7 +33,7 @@ timestamp='2015-08-20'
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
@ -53,8 +53,7 @@ timestamp='2015-08-20'
me=`echo "$0" | sed -e 's,.*/,,'`
usage="\
Usage: $0 [OPTION] CPU-MFR-OPSYS
$0 [OPTION] ALIAS
Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
Canonicalize a configuration name.
@ -68,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright 1992-2015 Free Software Foundation, Inc.
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -521,7 +520,7 @@ case $basic_machine in
basic_machine=i386-pc
os=-aros
;;
asmjs)
asmjs)
basic_machine=asmjs-unknown
;;
aux)
@ -1383,7 +1382,7 @@ case $os in
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -bitrig* | -openbsd* | -solidbsd* \
| -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
@ -1399,7 +1398,8 @@ case $os in
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
| -onefs* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1531,6 +1531,8 @@ case $os in
;;
-nacl*)
;;
-ios)
;;
-none)
;;
*)

124
configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.28.
# Generated by GNU Autoconf 2.69 for tinc 1.0.29.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.28'
PACKAGE_STRING='tinc 1.0.28'
PACKAGE_VERSION='1.0.29'
PACKAGE_STRING='tinc 1.0.29'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@ -1331,7 +1331,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures tinc 1.0.28 to adapt to many kinds of systems.
\`configure' configures tinc 1.0.29 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1402,7 +1402,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.28:";;
short | recursive ) echo "Configuration of tinc 1.0.29:";;
esac
cat <<\_ACEOF
@ -1441,11 +1441,11 @@ Optional Packages:
--with-lzo=DIR lzo base directory, or:
--with-lzo-include=DIR lzo headers directory
--with-lzo-lib=DIR lzo library directory
--with-openssl=DIR OpenSSL base directory, or:
--with-openssl=DIR LibreSSL/OpenSSL base directory, or:
--with-openssl-include=DIR
OpenSSL headers directory (without trailing
LibreSSL/OpenSSL headers directory (without trailing
/openssl)
--with-openssl-lib=DIR OpenSSL library directory
--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
Some influential environment variables:
CC C compiler command
@ -1528,7 +1528,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
tinc configure 1.0.28
tinc configure 1.0.29
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -1993,7 +1993,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.28, which was
It was created by tinc $as_me 1.0.29, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2857,7 +2857,7 @@ fi
# Define the identity of the package.
PACKAGE='tinc'
VERSION='1.0.28'
VERSION='1.0.29'
cat >>confdefs.h <<_ACEOF
@ -5376,6 +5376,79 @@ if test -d /sw/lib ; then
fi
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking CFLAGS for maximum warnings" >&5
$as_echo_n "checking CFLAGS for maximum warnings... " >&6; }
if ${ac_cv_cflags_warn_all+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_cv_cflags_warn_all="no, unknown"
ac_save_CFLAGS="$CFLAGS"
for ac_arg in "-warn all % -warn all" "-pedantic % -Wall" "-xstrconst % -v" "-std1 % -verbose -w0 -warnprotos" "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" "-ansi -ansiE % -fullwarn" "+ESlit % +w1" "-Xc % -pvctl,fullmsg" "-h conform % -h msglevel 2" #
do CFLAGS="$ac_save_CFLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'`
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ac_cv_cflags_warn_all=`echo $ac_arg | sed -e 's,.*% *,,'` ; break
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
done
CFLAGS="$ac_save_CFLAGS"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cflags_warn_all" >&5
$as_echo "$ac_cv_cflags_warn_all" >&6; }
case ".$ac_cv_cflags_warn_all" in
.ok|.ok,*) ;;
.|.no|.no,*) ;;
*) if ${CFLAGS+:} false; then :
case " $CFLAGS " in
*" $ac_cv_cflags_warn_all "*)
{ { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$ac_cv_cflags_warn_all"; } >&5
(: CFLAGS already contains $ac_cv_cflags_warn_all) 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
*)
{ { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$ac_cv_cflags_warn_all\""; } >&5
(: CFLAGS="$CFLAGS $ac_cv_cflags_warn_all") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
CFLAGS="$CFLAGS $ac_cv_cflags_warn_all"
;;
esac
else
CFLAGS="$ac_cv_cflags_warn_all"
fi
;;
esac
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Check whether --enable-hardening was given.
if test "${enable_hardening+set}" = set; then :
enableval=$enable_hardening;
@ -6981,7 +7054,7 @@ $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
LIBS="$LIBS -ldl"
else
as_fn_error $? "OpenSSL depends on libdl." "$LINENO" 5; break
as_fn_error $? "LibreSSL/OpenSSL depends on libdl." "$LINENO" 5; break
fi
@ -7029,7 +7102,7 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
_ACEOF
else
as_fn_error $? "OpenSSL header files not found." "$LINENO" 5; break
as_fn_error $? "LibreSSL/OpenSSL header files not found." "$LINENO" 5; break
fi
@ -7075,12 +7148,12 @@ $as_echo "$ac_cv_lib_crypto_EVP_EncryptInit_ex" >&6; }
if test "x$ac_cv_lib_crypto_EVP_EncryptInit_ex" = xyes; then :
LIBS="-lcrypto $LIBS"
else
as_fn_error $? "OpenSSL libraries not found." "$LINENO" 5
as_fn_error $? "LibreSSL/OpenSSL libraries not found." "$LINENO" 5
fi
for ac_func in RAND_pseudo_bytes EVP_EncryptInit_ex
for ac_func in RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -7090,7 +7163,7 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
_ACEOF
else
as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
fi
done
@ -7101,10 +7174,23 @@ done
if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
else
as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
fi
for ac_func in BN_GENCB_new ERR_remove_state RSA_set0_key
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
done
# Check whether --enable-jumbograms was given.
if test "${enable_jumbograms+set}" = set; then :
@ -7695,7 +7781,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by tinc $as_me 1.0.28, which was
This file was extended by tinc $as_me 1.0.29, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -7761,7 +7847,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
tinc config.status 1.0.28
tinc config.status 1.0.29
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

4
configure.ac
View file

@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.28])
AC_INIT([tinc], [1.0.29])
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
AC_CONFIG_HEADERS([config.h])
@ -152,6 +152,8 @@ fi
dnl Compiler hardening flags
dnl No -fstack-protector-all because it doesn't work on all platforms or architectures.
AX_CFLAGS_WARN_ALL(CFLAGS)
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])

5
distro/Makefile.in
View file

@ -91,8 +91,11 @@ host_triplet = @host@
subdir = distro
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

5
doc/Makefile.in
View file

@ -89,8 +89,11 @@ host_triplet = @host@
subdir = doc
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

6
doc/tinc.conf.5.in
View file

@ -470,7 +470,7 @@ variables can be specified, in which case each address will be tried until a wor
connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised.
Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet encryption.
@ -485,7 +485,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised.
Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet authentication.
@ -657,7 +657,7 @@ its connection to the virtual network device.
.El
.Sh SEE ALSO
.Xr tincd 8 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa https://www.tinc-vpn.org/ ,
.Pa http://www.tldp.org/LDP/nag2/ .
.Pp
The full documentation for

231
doc/tinc.info
View file

@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or
receive data packets.
For an up to date list of supported platforms, please check the list
on our website: <http://www.tinc-vpn.org/platforms/>.
on our website: <https://www.tinc-vpn.org/platforms/>.

File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top
@ -219,12 +219,8 @@ File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration o
2.1.3 Configuration of OpenBSD kernels
--------------------------------------
For OpenBSD version 2.9 and higher, the tun driver is included in the
default kernel configuration. There is also a kernel patch from
<http://diehard.n-r-g.com/stuff/openbsd/> which adds a tap device to
OpenBSD which should work with tinc, but with recent versions of
OpenBSD, a tun device can act as a tap device by setting the link0
option with ifconfig.
Recent versions of OpenBSD come with both tun and tap devices enabled in
the default kernel configuration.

File: tinc.info, Node: Configuration of NetBSD kernels, Next: Configuration of Solaris kernels, Prev: Configuration of OpenBSD kernels, Up: Configuring the kernel
@ -247,7 +243,7 @@ For Solaris 8 (SunOS 5.8) and higher, the tun driver may or may not be
included in the default kernel configuration. If it isn't, the source
can be downloaded from <http://vtun.sourceforge.net/tun/>. For x86 and
sparc64 architectures, precompiled versions can be found at
<http://www.monkey.org/~dugsong/fragroute/>. If the 'net/if_tun.h'
<https://www.monkey.org/~dugsong/fragroute/>. If the 'net/if_tun.h'
header file is missing, install it from the source package.

@ -274,7 +270,8 @@ File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin
------------------------------
You will need to install the latest TAP-Win32 driver from OpenVPN. You
can download it from <http://openvpn.sourceforge.net>. Using the
can download it from
<https://openvpn.net/index.php/open-source/downloads.html>. Using the
Network Connections control panel, configure the TAP-Win32 network
interface in the same way as you would do from the tinc-up script, as
explained in the rest of the documentation.
@ -285,25 +282,25 @@ File: tinc.info, Node: Libraries, Prev: Configuring the kernel, Up: Preparati
2.2 Libraries
=============
Before you can configure or build tinc, you need to have the OpenSSL,
zlib and lzo libraries installed on your system. If you try to
Before you can configure or build tinc, you need to have the LibreSSL or
OpenSSL, zlib and lzo libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an
error message, and stop.
* Menu:
* OpenSSL::
* LibreSSL/OpenSSL::
* zlib::
* lzo::

File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries
File: tinc.info, Node: LibreSSL/OpenSSL, Next: zlib, Up: Libraries
2.2.1 OpenSSL
-------------
2.2.1 LibreSSL/OpenSSL
----------------------
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when
configuring tinc for build. Support for running tinc with other
@ -313,19 +310,22 @@ cryptographic libraries installed _may_ be added in the future.
if available. Make sure you install the development AND runtime
versions of this package.
If you have to install OpenSSL manually, you can get the source code
from <http://www.openssl.org/>. Instructions on how to configure, build
and install this package are included within the package. Please make
sure you build development and runtime libraries (which is the default).
If your operating system comes neither with LibreSSL or OpenSSL, you
have to install one manually. It is recommended that you get the latest
version of LibreSSL from <http://www.libressl.org/>. Instructions on
how to configure, build and install this package are included within the
package. Please make sure you build development and runtime libraries
(which is the default).
If you installed the OpenSSL libraries from source, it may be
necessary to let configure know where they are, by passing configure one
of the -with-openssl-* parameters.
If you installed the LibreSSL or OpenSSL libraries from source, it
may be necessary to let configure know where they are, by passing
configure one of the -with-openssl-* parameters. Note that you even
have to use -with-openssl-* if you are using LibreSSL.
--with-openssl=DIR OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory
--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory
--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib)
License
@ -334,7 +334,7 @@ License
The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL
<http://www.openssl.org/support/faq.html#LEGAL2>, we include an
<https://www.openssl.org/support/faq.html#LEGAL2>, we include an
exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable:
@ -347,13 +347,13 @@ everyone to create a statically or dynamically linked executable:
also present the following exemption:
Hereby I grant a special exception to the tinc VPN project
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL
library (http://www.openssl.org).
(https://www.tinc-vpn.org/) to link the LZO library with the
OpenSSL library (https://www.openssl.org).
Markus F.X.J. Oberhumer

File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
File: tinc.info, Node: zlib, Next: lzo, Prev: LibreSSL/OpenSSL, Up: Libraries
2.2.2 zlib
----------
@ -373,10 +373,9 @@ if available. Make sure you install the development AND runtime
versions of this package.
If you have to install zlib manually, you can get the source code
from <http://www.gzip.org/zlib/>. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
from <http://www.zlib.net/>. Instructions on how to configure, build
and install this package are included within the package. Please make
sure you build development and runtime libraries (which is the default).

File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
@ -398,7 +397,7 @@ if available. Make sure you install the development AND runtime
versions of this package.
If you have to install lzo manually, you can get the source code from
<http://www.oberhumer.com/opensource/lzo/>. Instructions on how to
<https://www.oberhumer.com/opensource/lzo/>. Instructions on how to
configure, build and install this package are included within the
package. Please make sure you build development and runtime libraries
(which is the default).
@ -416,9 +415,7 @@ startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to
compile tinc for yourself, you can use the source. The source is
distributed under the GNU General Public License (GPL). Download the
source from the download page (http://www.tinc-vpn.org/download/), which
has the checksums of these files listed; you may wish to check these
with md5sum before continuing.
source from the download page (https://www.tinc-vpn.org/download/).
Tinc comes in a convenient autoconf/automake package, which you can
just treat the same as any other package. Which is just untar it, type
@ -456,13 +453,13 @@ File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Wind
3.1.1 Darwin (Mac OS X) build environment
-----------------------------------------
In order to build tinc on Darwin, you need to install the Mac OS X
Developer Tools from <http://developer.apple.com/tools/macosxtools.html>
and preferably a recent version of Fink from
<http://www.finkproject.org/>.
In order to build tinc on Darwin, you need to install Xcode from
<https://developer.apple.com/xcode/>. It might also help to install a
recent version of Fink from <http://www.finkproject.org/>.
After installation use fink to download and install the following
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
You need to download and install LibreSSL (or OpenSSL) and LZO,
either directly from their websites (see *note Libraries::) or using
Fink.

File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
@ -471,7 +468,7 @@ File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Window
----------------------------------------
If Cygwin hasn't already been installed, install it directly from
<http://www.cygwin.com/>.
<https://www.cygwin.com/>.
When tinc is compiled in a Cygwin environment, it can only be run in
this environment, but all programs, including those started outside the
@ -485,7 +482,8 @@ File: tinc.info, Node: MinGW (Windows) build environment, Prev: Cygwin (Window
---------------------------------------
You will need to install the MinGW environment from
<http://www.mingw.org>.
<http://www.mingw.org>. You also need to download and install LibreSSL
(or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows, it
is not necessary to keep MinGW installed.
@ -1057,9 +1055,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
Cipher = <CIPHER> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any
cipher supported by OpenSSL is recognized. Furthermore, specifying
"none" will turn off packet encryption. It is best to use only
those ciphers which support CBC mode.
cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption. It
is best to use only those ciphers which support CBC mode.
ClampMSS = <yes|no> (yes)
This option specifies whether tinc should clamp the maximum segment
@ -1074,8 +1072,8 @@ Compression = <LEVEL> (0)
Digest = <DIGEST> (sha1)
The digest algorithm used to authenticate UDP packets. Any digest
supported by OpenSSL is recognized. Furthermore, specifying "none"
will turn off packet authentication.
supported by LibreSSL or OpenSSL is recognized. Furthermore,
specifying "none" will turn off packet authentication.
IndirectData = <yes|no> (no)
This option specifies whether other tinc daemons besides the one
@ -1137,7 +1135,7 @@ Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
Prefixlength is the number of bits set to 1 in the netmask part;
for example: netmask 255.255.255.0 would become /24, 255.255.252.0
becomes /22. This conforms to standard CIDR notation as described
in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt)
in RFC1519 (https://www.ietf.org/rfc/rfc1519.txt)
A Subnet can be given a weight to indicate its priority over
identical Subnets owned by different nodes. The default weight is
@ -2098,7 +2096,7 @@ intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the
message authentication codes is also adjustable. The length of the key
for the encryption algorithm is always the default length used by
OpenSSL.
LibreSSL/OpenSSL.
* Menu:
@ -2256,8 +2254,8 @@ In August 2000, we discovered the existence of a security hole in all
versions of tinc up to and including 1.0pre2. This had to do with the
way we exchanged keys. Since then, we have been working on a new
authentication scheme to make tinc as secure as possible. The current
version uses the OpenSSL library and uses strong authentication with RSA
keys.
version uses the LibreSSL or OpenSSL library and uses strong
authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security
analysis of tinc 1.0pre4. Due to a lack of sequence numbers and a
@ -2393,12 +2391,12 @@ File: tinc.info, Node: Contact information, Next: Authors, Up: About us
8.1 Contact information
=======================
Tinc's website is at <http://www.tinc-vpn.org/>, this server is located
Tinc's website is at <https://www.tinc-vpn.org/>, this server is located
in the Netherlands.
We have an IRC channel on the FreeNode and OFTC IRC networks.
Connect to irc.freenode.net (http://www.freenode.net/) or irc.oftc.net
(http://www.oftc.net/) and join channel #tinc.
Connect to irc.freenode.net (https://freenode.net/) or irc.oftc.net
(https://www.oftc.net/) and join channel #tinc.

File: tinc.info, Node: Authors, Prev: Contact information, Up: About us
@ -2515,7 +2513,8 @@ Concept Index
(line 206)
* KEY_CHANGED: The meta-protocol. (line 63)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 35)
* LibreSSL: LibreSSL/OpenSSL. (line 6)
* license: LibreSSL/OpenSSL. (line 38)
* LocalDiscovery: Main configuration variables.
(line 212)
* lzo: lzo. (line 6)
@ -2542,7 +2541,7 @@ Concept Index
* Network Administrators Guide: Configuration introduction.
(line 15)
* NODE: Scripts. (line 71)
* OpenSSL: OpenSSL. (line 6)
* OpenSSL: LibreSSL/OpenSSL. (line 6)
* options: Runtime options. (line 9)
* PEM format: Host configuration variables.
(line 69)
@ -2656,61 +2655,61 @@ Node: Introduction1105
Node: Virtual Private Networks1915
Node: tinc3639
Node: Supported platforms5166
Node: Preparations5866
Node: Configuring the kernel6122
Node: Configuration of Linux kernels6532
Node: Configuration of FreeBSD kernels7387
Node: Configuration of OpenBSD kernels7852
Node: Configuration of NetBSD kernels8460
Node: Configuration of Solaris kernels8865
Node: Configuration of Darwin (Mac OS X) kernels9527
Node: Configuration of Windows10346
Node: Libraries10860
Node: OpenSSL11248
Node: zlib13536
Node: lzo14564
Node: Installation15546
Node: Building and installing tinc16561
Node: Darwin (Mac OS X) build environment17221
Node: Cygwin (Windows) build environment17803
Node: MinGW (Windows) build environment18391
Node: System files18915
Node: Device files19180
Node: Other files19596
Node: Configuration20209
Node: Configuration introduction20520
Node: Multiple networks21788
Node: How connections work23214
Node: Configuration files24436
Node: Main configuration variables25930
Node: Host configuration variables42187
Node: Scripts47690
Node: How to configure50956
Node: Generating keypairs52214
Node: Network interfaces52713
Node: Example configuration54561
Node: Running tinc59886
Node: Runtime options60476
Node: Signals63778
Node: Debug levels64969
Node: Solving problems65905
Node: Error messages67457
Node: Sending bug reports71466
Node: Technical information72413
Node: The connection72644
Node: The UDP tunnel72956
Node: The meta-connection76017
Node: The meta-protocol77486
Node: Security82503
Node: Authentication protocol83636
Node: Encryption of network packets88681
Node: Security issues90057
Node: Platform specific information91684
Node: Interface configuration91912
Node: Routes94383
Node: About us96397
Node: Contact information96572
Node: Authors96976
Node: Concept Index97381
Node: Preparations5867
Node: Configuring the kernel6123
Node: Configuration of Linux kernels6533
Node: Configuration of FreeBSD kernels7388
Node: Configuration of OpenBSD kernels7853
Node: Configuration of NetBSD kernels8210
Node: Configuration of Solaris kernels8615
Node: Configuration of Darwin (Mac OS X) kernels9278
Node: Configuration of Windows10097
Node: Libraries10637
Node: LibreSSL/OpenSSL11046
Node: zlib13588
Node: lzo14620
Node: Installation15603
Node: Building and installing tinc16513
Node: Darwin (Mac OS X) build environment17173
Node: Cygwin (Windows) build environment17738
Node: MinGW (Windows) build environment18327
Node: System files18921
Node: Device files19186
Node: Other files19602
Node: Configuration20215
Node: Configuration introduction20526
Node: Multiple networks21794
Node: How connections work23220
Node: Configuration files24442
Node: Main configuration variables25936
Node: Host configuration variables42193
Node: Scripts47720
Node: How to configure50986
Node: Generating keypairs52244
Node: Network interfaces52743
Node: Example configuration54591
Node: Running tinc59916
Node: Runtime options60506
Node: Signals63808
Node: Debug levels64999
Node: Solving problems65935
Node: Error messages67487
Node: Sending bug reports71496
Node: Technical information72443
Node: The connection72674
Node: The UDP tunnel72986
Node: The meta-connection76047
Node: The meta-protocol77516
Node: Security82533
Node: Authentication protocol83675
Node: Encryption of network packets88720
Node: Security issues90096
Node: Platform specific information91735
Node: Interface configuration91963
Node: Routes94434
Node: About us96448
Node: Contact information96623
Node: Authors97026
Node: Concept Index97431

End Tag Table

86
doc/tinc.texi
View file

@ -186,7 +186,7 @@ packets.
@cindex release
For an up to date list of supported platforms, please check the list on
our website:
@uref{http://www.tinc-vpn.org/platforms/}.
@uref{https://www.tinc-vpn.org/platforms/}.
@c
@c
@ -268,12 +268,7 @@ The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_t
@node Configuration of OpenBSD kernels
@subsection Configuration of OpenBSD kernels
For OpenBSD version 2.9 and higher,
the tun driver is included in the default kernel configuration.
There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/}
which adds a tap device to OpenBSD which should work with tinc,
but with recent versions of OpenBSD,
a tun device can act as a tap device by setting the link0 option with ifconfig.
Recent versions of OpenBSD come with both tun and tap devices enabled in the default kernel configuration.
@c ==================================================================
@ -293,7 +288,7 @@ Tunneling IPv6 may not work on NetBSD's tun device.
For Solaris 8 (SunOS 5.8) and higher,
the tun driver may or may not be included in the default kernel configuration.
If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}.
For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}.
For x86 and sparc64 architectures, precompiled versions can be found at @uref{https://www.monkey.org/~dugsong/fragroute/}.
If the @file{net/if_tun.h} header file is missing, install it from the source package.
@ -317,7 +312,7 @@ You can also omit the number, in which case the first free number will be chosen
@subsection Configuration of Windows
You will need to install the latest TAP-Win32 driver from OpenVPN.
You can download it from @uref{http://openvpn.sourceforge.net}.
You can download it from @uref{https://openvpn.net/index.php/open-source/downloads.html}.
Using the Network Connections control panel,
configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script,
as explained in the rest of the documentation.
@ -329,24 +324,25 @@ as explained in the rest of the documentation.
@cindex requirements
@cindex libraries
Before you can configure or build tinc, you need to have the OpenSSL,
Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL,
zlib and lzo libraries installed on your system. If you try to configure tinc without
having them installed, configure will give you an error message, and stop.
@menu
* OpenSSL::
* LibreSSL/OpenSSL::
* zlib::
* lzo::
@end menu
@c ==================================================================
@node OpenSSL
@subsection OpenSSL
@node LibreSSL/OpenSSL
@subsection LibreSSL/OpenSSL
@cindex LibreSSL
@cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
@ -356,21 +352,23 @@ You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions
of this package.
If you have to install OpenSSL manually, you can get the source code
from @url{http://www.openssl.org/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
If your operating system comes neither with LibreSSL or OpenSSL, you have to
install one manually. It is recommended that you get the latest version of
LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
configure, build and install this package are included within the package.
Please make sure you build development and runtime libraries (which is the
default).
If you installed the OpenSSL libraries from source, it may be necessary
If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the
--with-openssl-* parameters.
--with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
are using LibreSSL.
@example
--with-openssl=DIR OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory
--with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory
--with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib)
@end example
@ -381,7 +379,7 @@ to let configure know where they are, by passing configure one of the
The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL
@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we
@uref{https://www.openssl.org/support/faq.html#LEGAL2}, we
include an exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable:
@ -397,8 +395,8 @@ we also present the following exemption:
@quotation
Hereby I grant a special exception to the tinc VPN project
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(http://www.openssl.org).
(https://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(https://www.openssl.org).
Markus F.X.J. Oberhumer
@end quotation
@ -423,7 +421,7 @@ available. Make sure you install the development AND runtime versions
of this package.
If you have to install zlib manually, you can get the source code
from @url{http://www.gzip.org/zlib/}. Instructions on how to configure,
from @url{http://www.zlib.net/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
@ -447,7 +445,7 @@ available. Make sure you install the development AND runtime versions
of this package.
If you have to install lzo manually, you can get the source code
from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the
default).
@ -473,9 +471,7 @@ system startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to compile tinc
for yourself, you can use the source. The source is distributed under
the GNU General Public License (GPL). Download the source from the
@uref{http://www.tinc-vpn.org/download/, download page}, which has
the checksums of these files listed; you may wish to check these with
md5sum before continuing.
@uref{https://www.tinc-vpn.org/download/, download page}.
Tinc comes in a convenient autoconf/automake package, which you can just
treat the same as any other package. Which is just untar it, type
@ -512,19 +508,18 @@ The documentation that comes along with your distribution will tell you how to d
@node Darwin (Mac OS X) build environment
@subsection Darwin (Mac OS X) build environment
In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and
preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
In order to build tinc on Darwin, you need to install Xcode from @uref{https://developer.apple.com/xcode/}.
It might also help to install a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
You need to download and install LibreSSL (or OpenSSL) and LZO,
either directly from their websites (see @ref{Libraries}) or using Fink.
@c ==================================================================
@node Cygwin (Windows) build environment
@subsection Cygwin (Windows) build environment
If Cygwin hasn't already been installed, install it directly from
@uref{http://www.cygwin.com/}.
@uref{https://www.cygwin.com/}.
When tinc is compiled in a Cygwin environment, it can only be run in this environment,
but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
@ -535,6 +530,7 @@ It will also support all features.
@subsection MinGW (Windows) build environment
You will need to install the MinGW environment from @uref{http://www.mingw.org}.
You also need to download and install LibreSSL (or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows,
it is not necessary to keep MinGW installed.
@ -1149,7 +1145,7 @@ tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognized.
Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
@ -1168,7 +1164,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
@cindex Digest
@item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognized.
Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
@cindex IndirectData
@ -1239,7 +1235,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
Prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@uref{https://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@cindex Subnet weight
A Subnet can be given a weight to indicate its priority over identical Subnets
@ -2254,7 +2250,7 @@ eavesdroppers cannot get and cannot change any information at all from the
packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the
encryption algorithm is always the default length used by OpenSSL.
encryption algorithm is always the default length used by LibreSSL/OpenSSL.
@menu
* Authentication protocol::
@ -2413,7 +2409,7 @@ the MACLength configuration variable.
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and
tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
@ -2586,14 +2582,14 @@ Adding routes to IPv6 subnets:
@section Contact information
@cindex website
Tinc's website is at @url{http://www.tinc-vpn.org/},
Tinc's website is at @url{https://www.tinc-vpn.org/},
this server is located in the Netherlands.
@cindex IRC
We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to
@uref{http://www.freenode.net/, irc.freenode.net}
@uref{https://freenode.net/, irc.freenode.net}
or
@uref{http://www.oftc.net/, irc.oftc.net}
@uref{https://www.oftc.net/, irc.oftc.net}
and join channel #tinc.

2
doc/tincd.8.in
View file

@ -207,7 +207,7 @@ If you find any bugs, report them to tinc@tinc-vpn.org.
A lot, especially security auditing.
.Sh SEE ALSO
.Xr tinc.conf 5 ,
.Pa http://www.tinc-vpn.org/ ,
.Pa https://www.tinc-vpn.org/ ,
.Pa http://www.cabal.org/ .
.Pp
The full documentation for tinc is maintained as a Texinfo manual.

5
m4/Makefile.in
View file

@ -90,8 +90,11 @@ host_triplet = @host@
subdir = m4
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

69
m4/ax_append_flag.m4 Normal file
View file

@ -0,0 +1,69 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
#
# DESCRIPTION
#
# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
# added in between.
#
# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains
# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly
# FLAG.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_APPEND_FLAG],
[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])dnl
AS_VAR_SET_IF(FLAGS,
[case " AS_VAR_GET(FLAGS) " in
*" $1 "*)
AC_RUN_LOG([: FLAGS already contains $1])
;;
*)
AC_RUN_LOG([: FLAGS="$FLAGS $1"])
AS_VAR_SET(FLAGS, ["AS_VAR_GET(FLAGS) $1"])
;;
esac],
[AS_VAR_SET(FLAGS,["$1"])])
AS_VAR_POPDEF([FLAGS])dnl
])dnl AX_APPEND_FLAG

122
m4/ax_cflags_warn_all.m4 Normal file
View file

@ -0,0 +1,122 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_cflags_warn_all.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
# AX_CXXFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
# AX_FCFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
#
# DESCRIPTION
#
# Try to find a compiler option that enables most reasonable warnings.
#
# For the GNU compiler it will be -Wall (and -ansi -pedantic) The result
# is added to the shellvar being CFLAGS, CXXFLAGS, or FCFLAGS by default.
#
# Currently this macro knows about the GCC, Solaris, Digital Unix, AIX,
# HP-UX, IRIX, NEC SX-5 (Super-UX 10), Cray J90 (Unicos 10.0.0.8), and
# Intel compilers. For a given compiler, the Fortran flags are much more
# experimental than their C equivalents.
#
# - $1 shell-variable-to-add-to : CFLAGS, CXXFLAGS, or FCFLAGS
# - $2 add-value-if-not-found : nothing
# - $3 action-if-found : add value to shellvariable
# - $4 action-if-not-found : nothing
#
# NOTE: These macros depend on AX_APPEND_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2010 Rhys Ulerich <rhys.ulerich@gmail.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 15
AC_DEFUN([AX_FLAGS_WARN_ALL],[dnl
AS_VAR_PUSHDEF([FLAGS],[_AC_LANG_PREFIX[]FLAGS])dnl
AS_VAR_PUSHDEF([VAR],[ac_cv_[]_AC_LANG_ABBREV[]flags_warn_all])dnl
AC_CACHE_CHECK([m4_ifval($1,$1,FLAGS) for maximum warnings],
VAR,[VAR="no, unknown"
ac_save_[]FLAGS="$[]FLAGS"
for ac_arg dnl
in "-warn all % -warn all" dnl Intel
"-pedantic % -Wall" dnl GCC
"-xstrconst % -v" dnl Solaris C
"-std1 % -verbose -w0 -warnprotos" dnl Digital Unix
"-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" dnl AIX
"-ansi -ansiE % -fullwarn" dnl IRIX
"+ESlit % +w1" dnl HP-UX C
"-Xc % -pvctl[,]fullmsg" dnl NEC SX-5 (Super-UX 10)
"-h conform % -h msglevel 2" dnl Cray C (Unicos)
#
do FLAGS="$ac_save_[]FLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'`
AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
[VAR=`echo $ac_arg | sed -e 's,.*% *,,'` ; break])
done
FLAGS="$ac_save_[]FLAGS"
])
AS_VAR_POPDEF([FLAGS])dnl
AX_REQUIRE_DEFINED([AX_APPEND_FLAG])
case ".$VAR" in
.ok|.ok,*) m4_ifvaln($3,$3) ;;
.|.no|.no,*) m4_default($4,[m4_ifval($2,[AX_APPEND_FLAG([$2], [$1])])]) ;;
*) m4_default($3,[AX_APPEND_FLAG([$VAR], [$1])]) ;;
esac
AS_VAR_POPDEF([VAR])dnl
])dnl AX_FLAGS_WARN_ALL
dnl implementation tactics:
dnl the for-argument contains a list of options. The first part of
dnl these does only exist to detect the compiler - usually it is
dnl a global option to enable -ansi or -extrawarnings. All other
dnl compilers will fail about it. That was needed since a lot of
dnl compilers will give false positives for some option-syntax
dnl like -Woption or -Xoption as they think of it is a pass-through
dnl to later compile stages or something. The "%" is used as a
dnl delimiter. A non-option comment can be given after "%%" marks
dnl which will be shown but not added to the respective C/CXXFLAGS.
AC_DEFUN([AX_CFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([C])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([C])
])
AC_DEFUN([AX_CXXFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([C++])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([C++])
])
AC_DEFUN([AX_FCFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([Fortran])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([Fortran])
])

37
m4/ax_require_defined.m4 Normal file
View file

@ -0,0 +1,37 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_require_defined.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_REQUIRE_DEFINED(MACRO)
#
# DESCRIPTION
#
# AX_REQUIRE_DEFINED is a simple helper for making sure other macros have
# been defined and thus are available for use. This avoids random issues
# where a macro isn't expanded. Instead the configure script emits a
# non-fatal:
#
# ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found
#
# It's like AC_REQUIRE except it doesn't expand the required macro.
#
# Here's an example:
#
# AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG])
#
# LICENSE
#
# Copyright (c) 2014 Mike Frysinger <vapier@gentoo.org>
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved. This file is offered as-is, without any
# warranty.
#serial 1
AC_DEFUN([AX_REQUIRE_DEFINED], [dnl
m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])])
])dnl AX_REQUIRE_DEFINED

22
m4/openssl.m4
View file

@ -1,4 +1,4 @@
dnl Check to find the OpenSSL headers/libraries
dnl Check to find the LibreSSL/OpenSSL headers/libraries
AC_DEFUN([tinc_OPENSSL],
[
@ -10,47 +10,49 @@ AC_DEFUN([tinc_OPENSSL],
[],
[AC_CHECK_LIB(dl, dlopen,
[LIBS="$LIBS -ldl"],
[AC_MSG_ERROR([OpenSSL depends on libdl.]); break]
[AC_MSG_ERROR([LibreSSL/OpenSSL depends on libdl.]); break]
)]
)
;;
esac
AC_ARG_WITH(openssl,
AS_HELP_STRING([--with-openssl=DIR], [OpenSSL base directory, or:]),
AS_HELP_STRING([--with-openssl=DIR], [LibreSSL/OpenSSL base directory, or:]),
[openssl="$withval"
CPPFLAGS="$CPPFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"]
)
AC_ARG_WITH(openssl-include,
AS_HELP_STRING([--with-openssl-include=DIR], [OpenSSL headers directory (without trailing /openssl)]),
AS_HELP_STRING([--with-openssl-include=DIR], [LibreSSL/OpenSSL headers directory (without trailing /openssl)]),
[openssl_include="$withval"
CPPFLAGS="$CPPFLAGS -I$withval"]
)
AC_ARG_WITH(openssl-lib,
AS_HELP_STRING([--with-openssl-lib=DIR], [OpenSSL library directory]),
AS_HELP_STRING([--with-openssl-lib=DIR], [LibreSSL/OpenSSL library directory]),
[openssl_lib="$withval"
LDFLAGS="$LDFLAGS -L$withval"]
)
AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h,
[],
[AC_MSG_ERROR([OpenSSL header files not found.]); break]
[AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
)
AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
[LIBS="-lcrypto $LIBS"],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
[AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
)
AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])
])

5
src/Makefile.in
View file

@ -105,8 +105,11 @@ sbin_PROGRAMS = tincd$(EXEEXT)
subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

2
src/avl_tree.c
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by
library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>.
*/

2
src/avl_tree.h
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by
library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>.
*/

11
src/bsd/device.c
View file

@ -198,18 +198,19 @@ static bool setup_device(void) {
// Guess what the corresponding interface is called
char *realname;
char *realname = NULL;
#if defined(HAVE_FDEVNAME)
realname = fdevname(device_fd) ? : device;
realname = fdevname(device_fd);
#elif defined(HAVE_DEVNAME)
struct stat buf;
if(!fstat(device_fd, &buf))
realname = devname(buf.st_rdev, S_IFCHR) ? : device;
#else
realname = device;
realname = devname(buf.st_rdev, S_IFCHR);
#endif
if(!realname)
realname = device;
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
iface = xstrdup(strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname);
else if(strcmp(iface, strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname))

3
src/dropin.c
View file

@ -1,7 +1,7 @@
/*
dropin.c -- a set of drop-in replacements for libc functions
Copyright (C) 2000-2005 Ivo Timmermans,
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -140,6 +140,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) {
va_copy(aq, ap);
status = vsnprintf(*buf, len, fmt, aq);
buf[len - 1] = 0;
va_end(aq);
if(status >= 0)

3
src/logger.c
View file

@ -1,6 +1,6 @@
/*
logger.c -- logging code
Copyright (C) 2004-2006 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2004-2016 Guus Sliepen <guus@tinc-vpn.org>
2004-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -109,6 +109,7 @@ void logger(int priority, const char *format, ...) {
char message[4096];
const char *messages[] = {message};
vsnprintf(message, sizeof(message), format, ap);
message[sizeof message - 1] = 0;
ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL);
}
#else

4
src/net.c
View file

@ -246,7 +246,7 @@ static void check_dead_connections(void) {
if(c->status.active) {
if(c->status.pinged) {
ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds",
c->name, c->hostname, (long)now - c->last_ping_time);
c->name, c->hostname, (long)(now - c->last_ping_time));
c->status.timeout = true;
terminate_connection(c, true);
} else if(c->last_ping_time + pinginterval <= now) {
@ -275,7 +275,7 @@ static void check_dead_connections(void) {
if(c->status.active) {
ifdebug(CONNECTIONS) logger(LOG_INFO,
"%s (%s) could not flush for %ld seconds (%d bytes remaining)",
c->name, c->hostname, (long)now - c->last_flushed_time, c->outbuflen);
c->name, c->hostname, (long)(now - c->last_flushed_time), c->outbuflen);
c->status.timeout = true;
terminate_connection(c, true);
}

22
src/net_packet.c
View file

@ -1,7 +1,7 @@
/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
len = 64;
memset(packet.data, 0, 14);
RAND_pseudo_bytes(packet.data + 14, len - 14);
RAND_bytes(packet.data + 14, len - 14);
packet.len = len;
if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1;
@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(n->incipher) {
outpkt = pkt[nextpkt++];
if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
|| !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
|| !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|| !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
@ -336,16 +336,16 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(inpkt->seqno != n->received_seqno + 1) {
if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
if(n->farfuture++ < replaywin >> 2) {
logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
return;
}
logger(LOG_WARNING, "Lost %d packets from %s (%s)",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Lost %d packets from %s (%s)",
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin);
} else if (inpkt->seqno <= n->received_seqno) {
if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
ifdebug(TRAFFIC) logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, inpkt->seqno, n->received_seqno);
return;
}
@ -479,10 +479,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
if(n->outcipher) {
outpkt = pkt[nextpkt++];
if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
|| !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
|| !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|| !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;

48
src/net_setup.c
View file

@ -1,7 +1,7 @@
/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
@ -48,11 +48,22 @@
char *myport;
devops_t devops;
#ifndef HAVE_RSA_SET0_KEY
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
BN_free(r->n); r->n = n;
BN_free(r->e); r->e = e;
BN_free(r->d); r->d = d;
return 1;
}
#endif
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *pubname;
char *hcfname;
char *key;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
if(!c->rsa_key) {
c->rsa_key = RSA_new();
@ -62,12 +73,19 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
if(BN_hex2bn(&n, key) != strlen(key)) {
free(key);
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false;
}
BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key);
BN_hex2bn(&e, "FFFF");
if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
return false;
}
return true;
}
@ -158,27 +176,39 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) {
FILE *fp;
char *fname, *key, *pubkey;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL);
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
if(BN_hex2bn(&d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!");
if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
free(pubkey);
BN_free(d);
logger(LOG_ERR, "Invalid PublicKey for myself!");
return false;
}
free(pubkey);
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
BN_hex2bn(&e, "FFFF");
if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
BN_free(d);
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
return false;
}
return true;
}
@ -623,7 +653,7 @@ static bool setup_myself(void) {
myself->incipher = EVP_bf_cbc();
if(myself->incipher)
myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else
myself->inkeylength = 1;
@ -657,7 +687,7 @@ static bool setup_myself(void) {
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) {
if(myself->inmaclength > myself->indigest->md_size) {
if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!");
return false;
} else if(myself->inmaclength < 0) {

21
src/netutl.c
View file

@ -1,7 +1,7 @@
/*
netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -231,6 +231,25 @@ void sockaddrunmap(sockaddr_t *sa) {
}
}
void sockaddr_setport(sockaddr_t *sa, const char *port) {
uint16_t portnum = htons(atoi(port));
if(!portnum)
return;
switch(sa->sa.sa_family) {
case AF_INET:
sa->in.sin_port = portnum;
break;
case AF_INET6:
sa->in6.sin6_port = portnum;
break;
case AF_UNKNOWN:
free(sa->unknown.port);
sa->unknown.port = xstrdup(port);
default:
return;
}
}
/* Subnet mask handling */
int maskcmp(const void *va, const void *vb, int masklen) {

3
src/netutl.h
View file

@ -1,7 +1,7 @@
/*
netutl.h -- header file for netutl.c
Copyright (C) 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -34,6 +34,7 @@ extern int sockaddrcmp_noport(const sockaddr_t *, const sockaddr_t *);
extern void sockaddrunmap(sockaddr_t *);
extern void sockaddrfree(sockaddr_t *);
extern void sockaddrcpy(sockaddr_t *, const sockaddr_t *);
extern void sockaddr_setport(sockaddr_t *, const char *);
extern int maskcmp(const void *, const void *, int);
extern void maskcpy(void *, const void *, int, int);
extern void mask(void *, int, int);

16
src/node.c
View file

@ -1,6 +1,6 @@
/*
node.c -- node tree management
Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -57,8 +57,10 @@ node_t *new_node(void) {
if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree();
EVP_CIPHER_CTX_init(&n->inctx);
EVP_CIPHER_CTX_init(&n->outctx);
n->inctx = EVP_CIPHER_CTX_new();
n->outctx = EVP_CIPHER_CTX_new();
if(!n->inctx || !n->outctx)
abort();
n->mtu = MTU;
n->maxmtu = MTU;
@ -80,8 +82,8 @@ void free_node(node_t *n) {
sockaddrfree(&n->address);
EVP_CIPHER_CTX_cleanup(&n->inctx);
EVP_CIPHER_CTX_cleanup(&n->outctx);
EVP_CIPHER_CTX_free(n->outctx);
EVP_CIPHER_CTX_free(n->inctx);
if(n->mtuevent)
event_del(n->mtuevent);
@ -172,8 +174,8 @@ void dump_nodes(void) {
for(node = node_tree->head; node; node = node->next) {
n = node->data;
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0,
n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression,
n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
}

6
src/node.h
View file

@ -1,6 +1,6 @@
/*
node.h -- header for node.c
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -50,12 +50,12 @@ typedef struct node_t {
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
char *inkey; /* Cipher key and iv */
int inkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX inctx; /* Cipher context */
EVP_CIPHER_CTX *inctx; /* Cipher context */
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
char *outkey; /* Cipher key and iv */
int outkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX outctx; /* Cipher context */
EVP_CIPHER_CTX *outctx; /* Cipher context */
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
int inmaclength; /* Length of MAC */

7
src/protocol.c
View file

@ -1,7 +1,7 @@
/*
protocol.c -- handle the meta-protocol, basic functions
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -75,10 +75,11 @@ bool send_request(connection_t *c, const char *format, ...) {
input buffer anyway */
va_start(args, format);
len = vsnprintf(buffer, MAXBUFSIZE, format, args);
len = vsnprintf(buffer, sizeof buffer, format, args);
buffer[sizeof buffer - 1] = 0;
va_end(args);
if(len < 0 || len > MAXBUFSIZE - 1) {
if(len < 0 || len > sizeof buffer - 1) {
logger(LOG_ERR, "Output buffer overflow while sending request to %s (%s)",
c->name, c->hostname);
return false;

80
src/protocol_auth.c
View file

@ -1,7 +1,7 @@
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -125,8 +125,11 @@ bool send_metakey(connection_t *c) {
c->outkey = xrealloc(c->outkey, len);
if(!c->outctx)
c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
if(!c->outctx) {
c->outctx = EVP_CIPHER_CTX_new();
if(!c->outctx)
abort();
}
/* Copy random data to the buffer */
@ -177,17 +180,17 @@ bool send_metakey(connection_t *c) {
/* Send the meta key */
x = send_request(c, "%d %d %d %d %d %s", METAKEY,
c->outcipher ? c->outcipher->nid : 0,
c->outdigest ? c->outdigest->type : 0, c->outmaclength,
c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
c->outcompression, buffer);
/* Further outgoing requests are encrypted with the key we just generated */
if(c->outcipher) {
if(!EVP_EncryptInit(c->outctx, c->outcipher,
(unsigned char *)c->outkey + len - c->outcipher->key_len,
(unsigned char *)c->outkey + len - c->outcipher->key_len -
c->outcipher->iv_len)) {
(unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
(unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
EVP_CIPHER_iv_length(c->outcipher))) {
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@ -223,8 +226,11 @@ bool metakey_h(connection_t *c) {
c->inkey = xrealloc(c->inkey, len);
if(!c->inctx)
c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
if(!c->inctx) {
c->inctx = EVP_CIPHER_CTX_new();
if(!c->inctx)
abort();
}
/* Convert the challenge from hexadecimal back to binary */
@ -260,9 +266,9 @@ bool metakey_h(connection_t *c) {
}
if(!EVP_DecryptInit(c->inctx, c->incipher,
(unsigned char *)c->inkey + len - c->incipher->key_len,
(unsigned char *)c->inkey + len - c->incipher->key_len -
c->incipher->iv_len)) {
(unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
(unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
EVP_CIPHER_iv_length(c->incipher))) {
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@ -283,7 +289,7 @@ bool metakey_h(connection_t *c) {
return false;
}
if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
return false;
}
@ -367,22 +373,29 @@ bool challenge_h(connection_t *c) {
bool send_chal_reply(connection_t *c) {
char hash[EVP_MAX_MD_SIZE * 2 + 1];
EVP_MD_CTX ctx;
EVP_MD_CTX *ctx;
/* Calculate the hash from the challenge we received */
if(!EVP_DigestInit(&ctx, c->indigest)
|| !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|| !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
ctx = EVP_MD_CTX_create();
if(!ctx)
abort();
if(!EVP_DigestInit(ctx, c->indigest)
|| !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
EVP_MD_CTX_destroy(ctx);
/* Convert the hash to a hexadecimal formatted string */
bin2hex(hash, hash, c->indigest->md_size);
hash[c->indigest->md_size * 2] = '\0';
bin2hex(hash, hash, EVP_MD_size(c->indigest));
hash[EVP_MD_size(c->indigest) * 2] = '\0';
/* Send the reply */
@ -392,7 +405,7 @@ bool send_chal_reply(connection_t *c) {
bool chal_reply_h(connection_t *c) {
char hishash[MAX_STRING_SIZE];
char myhash[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
EVP_MD_CTX *ctx;
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
@ -402,7 +415,7 @@ bool chal_reply_h(connection_t *c) {
/* Check if the length of the hash is all right */
if(strlen(hishash) != c->outdigest->md_size * 2) {
if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply length");
return false;
@ -410,24 +423,31 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */
if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false;
}
/* Calculate the hash from the challenge we sent */
if(!EVP_DigestInit(&ctx, c->outdigest)
|| !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
|| !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
ctx = EVP_MD_CTX_create();
if(!ctx)
abort();
if(!EVP_DigestInit(ctx, c->outdigest)
|| !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
EVP_MD_CTX_destroy(ctx);
/* Verify the incoming hash with the calculated hash */
if(memcmp(hishash, myhash, c->outdigest->md_size)) {
if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply");
@ -516,7 +536,6 @@ static void send_everything(connection_t *c) {
bool ack_h(connection_t *c) {
char hisport[MAX_STRING_SIZE];
char *hisaddress;
int weight, mtu;
uint32_t options;
node_t *n;
@ -585,9 +604,8 @@ bool ack_h(connection_t *c) {
c->edge = new_edge();
c->edge->from = myself;
c->edge->to = n;
sockaddr2str(&c->address, &hisaddress, NULL);
c->edge->address = str2sockaddr(hisaddress, hisport);
free(hisaddress);
sockaddrcpy(&c->edge->address, &c->address);
sockaddr_setport(&c->edge->address, hisport);
c->edge->weight = (weight + c->estimated_weight) / 2;
c->edge->connection = c;
c->edge->options = c->options;

12
src/protocol_key.c
View file

@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
}
if(to->incipher)
EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window
mykeyused = true;
@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key,
to->incipher ? to->incipher->nid : 0,
to->indigest ? to->indigest->type : 0, to->inmaclength,
to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression);
}
@ -268,7 +268,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname);
return true;
@ -288,7 +288,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname);
return true;
@ -305,7 +305,7 @@ bool ans_key_h(connection_t *c) {
from->outcompression = compression;
if(from->outcipher)
if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true;

39
src/tincd.c
View file

@ -336,7 +336,7 @@ static bool parse_options(int argc, char **argv) {
/* This function prettyprints the key generation process */
static void indicator(int a, int b, void *p) {
static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) {
case 0:
fprintf(stderr, ".");
@ -368,21 +368,50 @@ static void indicator(int a, int b, void *p) {
default:
fprintf(stderr, "?");
}
return 1;
}
#ifndef HAVE_BN_GENCB_NEW
BN_GENCB *BN_GENCB_new(void) {
return xmalloc_and_zero(sizeof(BN_GENCB));
}
void BN_GENCB_free(BN_GENCB *cb) {
free(cb);
}
#endif
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
BIGNUM *e = NULL;
RSA *rsa_key;
FILE *f;
char *pubname, *privname;
BN_GENCB *cb;
int result;
fprintf(stderr, "Generating %d bits keys:\n", bits);
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
if(!rsa_key) {
cb = BN_GENCB_new();
if(!cb)
abort();
BN_GENCB_set(cb, indicator, NULL);
rsa_key = RSA_new();
BN_hex2bn(&e, "10001");
if(!rsa_key || !e)
abort();
result = RSA_generate_key_ex(rsa_key, bits, e, cb);
BN_free(e);
BN_GENCB_free(cb);
if(!result) {
fprintf(stderr, "Error during key generation!\n");
return false;
} else
@ -702,7 +731,11 @@ end:
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
#ifdef HAVE_ERR_REMOVE_STATE
// OpenSSL claims this function was deprecated in 1.0.0,
// but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
ERR_remove_state(0);
#endif
ERR_free_strings();
exit_configuration(&config_tree);

1
src/xmalloc.c
View file

@ -155,6 +155,7 @@ int xvasprintf(char **strp, const char *fmt, va_list ap) {
int result = vsnprintf(buf, sizeof buf, fmt, ap);
if(result < 0)
exit(xalloc_exit_failure);
buf[sizeof buf - 1] = 0;
*strp = xstrdup(buf);
#else
int result = vasprintf(strp, fmt, ap);