lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Debian changes 1.0.29-1

Browse source 
tinc (1.0.29-1) unstable; urgency=medium

  * New upstream release.
  * Bump debian/compat.
This commit is contained in:
Guus Sliepen 2016-10-10 22:30:25 +02:00
commit 502cecde93
44 changed files with 907 additions and 400 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
ChangeLog
View file

@ -1,11 +1,30 @@
Version 1.0.29 October 09 2016
------------------------------------------------------------------------
Guus Sliepen (11):
Preserve IPv6 scope_id in edges.
Ensure compatibility with OpenSSL 1.1.0.
Add -Wall to CFLAGS.
Check return value of RSA_generate_key_ex().
Force nul-termination of strings after vsnprintf().
Log warnings about dropped packets only with debug level 5 or higher.
Add a copy of ax_append_flag.m4.
Add ax_require_defined.m4.
Fix possibly unitialized variable.
Fix compiler warnings about format string errors on BSD.
Releasing 1.0.29.
Version 1.0.28 April 10 2016 Version 1.0.28 April 10 2016
------------------------------------------------------------------------ ------------------------------------------------------------------------
Guus Sliepen (5): Guus Sliepen (8):
Fix compiling bsd/device.c on systems without utun. Fix compiling bsd/device.c on systems without utun.
Really remove use of __DATE__ and __TIME__ to facilitate reproducible builds. Really remove use of __DATE__ and __TIME__ to facilitate reproducible builds.
Add systemd service files. Add systemd service files.
Update .gitignore. Update .gitignore.
Ensure the service files are in the tarball.
Explicitly mention that LibreSSL can be used as well.
Update links in the documentation.
Releasing 1.0.28. Releasing 1.0.28.
Version 1.0.27 April 10 2016 Version 1.0.27 April 10 2016
@ -118,7 +137,20 @@ VittGam (1):
Version 1.0.24 May 11 2014 Version 1.0.24 May 11 2014
------------------------------------------------------------------------ ------------------------------------------------------------------------
Guus Sliepen (13): Guus Sliepen (26):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Remove useless variable 'hard' from try_harder(). Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init(). Add an autoconf check for res_init().
@ -138,40 +170,22 @@ Steffan Karger (3):
Use cryptographically strong random when generating keys. Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails. Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1): Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1): Loic Dachary (1):
fix documentation typo fix documentation typo
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
refs/tags/1.0.23-android-1 March 11 2014
------------------------------------------------------------------------
Guus Sliepen (13):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Vilbrekin (1): Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices. Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
Version 1.0.23 October 19 2013 Version 1.0.23 October 19 2013
------------------------------------------------------------------------ ------------------------------------------------------------------------

5
Makefile.in
View file

@ -90,8 +90,11 @@ host_triplet = @host@
subdir = . subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

10
NEWS
View file

@ -1,3 +1,13 @@
Version 1.0.29 October 9 2016
* Fix UDP communication with peers with link-local IPv6 addresses.
* Ensure compatibility with OpenSSL 1.1.0.
* Ensure autoreconf can be run without requiring autoconf-archive.
* Log warnings about dropped packets only at debug level 5.
Version 1.0.28 April 10 2016 Version 1.0.28 April 10 2016
* Fix compilation on BSD platforms. * Fix compilation on BSD platforms.

4
README
View file

@ -1,4 +1,4 @@
This is the README file for tinc version 1.0.28. Installation This is the README file for tinc version 1.0.29. Installation
instructions may be found in the INSTALL file. instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2016 by: tinc is Copyright (C) 1998-2016 by:
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility Compatibility
------------- -------------
Version 1.0.28 is compatible with 1.0pre8, 1.0 and later, but not with older Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. versions of tinc.

3
aclocal.m4 vendored
View file

@ -1463,8 +1463,11 @@ AC_SUBST([am__untar])
]) # _AM_PROG_TAR ]) # _AM_PROG_TAR
m4_include([m4/attribute.m4]) m4_include([m4/attribute.m4])
m4_include([m4/ax_append_flag.m4])
m4_include([m4/ax_cflags_warn_all.m4])
m4_include([m4/ax_check_compile_flag.m4]) m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_link_flag.m4]) m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/ax_require_defined.m4])
m4_include([m4/lzo.m4]) m4_include([m4/lzo.m4])
m4_include([m4/openssl.m4]) m4_include([m4/openssl.m4])
m4_include([m4/zlib.m4]) m4_include([m4/zlib.m4])

111
config.guess vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Attempt to guess a canonical system name. # Attempt to guess a canonical system name.
# Copyright 1992-2015 Free Software Foundation, Inc. # Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2015-08-20' timestamp='2016-04-02'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
@ -27,7 +27,7 @@ timestamp='2015-08-20'
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
# #
# You can get the latest version of this script from: # You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
# #
# Please send patches to <config-patches@gnu.org>. # Please send patches to <config-patches@gnu.org>.
@ -50,7 +50,7 @@ version="\
GNU config.guess ($timestamp) GNU config.guess ($timestamp)
Originally written by Per Bothner. Originally written by Per Bothner.
Copyright 1992-2015 Free Software Foundation, Inc. Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -237,6 +237,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;; exit ;;
*:LibertyBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
exit ;;
*:ekkoBSD:*:*) *:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;; exit ;;
@ -268,42 +272,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in case "$ALPHA_CPU_TYPE" in
"EV4 (21064)") "EV4 (21064)")
UNAME_MACHINE="alpha" ;; UNAME_MACHINE=alpha ;;
"EV4.5 (21064)") "EV4.5 (21064)")
UNAME_MACHINE="alpha" ;; UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)") "LCA4 (21066/21068)")
UNAME_MACHINE="alpha" ;; UNAME_MACHINE=alpha ;;
"EV5 (21164)") "EV5 (21164)")
UNAME_MACHINE="alphaev5" ;; UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)") "EV5.6 (21164A)")
UNAME_MACHINE="alphaev56" ;; UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)") "EV5.6 (21164PC)")
UNAME_MACHINE="alphapca56" ;; UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)") "EV5.7 (21164PC)")
UNAME_MACHINE="alphapca57" ;; UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)") "EV6 (21264)")
UNAME_MACHINE="alphaev6" ;; UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)") "EV6.7 (21264A)")
UNAME_MACHINE="alphaev67" ;; UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)") "EV6.8CB (21264C)")
UNAME_MACHINE="alphaev68" ;; UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)") "EV6.8AL (21264B)")
UNAME_MACHINE="alphaev68" ;; UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)") "EV6.8CX (21264D)")
UNAME_MACHINE="alphaev68" ;; UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)") "EV6.9A (21264/EV69A)")
UNAME_MACHINE="alphaev69" ;; UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)") "EV7 (21364)")
UNAME_MACHINE="alphaev7" ;; UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)") "EV7.9 (21364A)")
UNAME_MACHINE="alphaev79" ;; UNAME_MACHINE=alphaev79 ;;
esac esac
# A Pn.n version is a patched version. # A Pn.n version is a patched version.
# A Vn.n version is a released version. # A Vn.n version is a released version.
# A Tn.n version is a released field test version. # A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel. # A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r. # 1.2 uses "1.2" for uname -r.
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code. # Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$? exitcode=$?
trap '' 0 trap '' 0
@ -376,16 +380,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;; exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build eval $set_cc_for_build
SUN_ARCH="i386" SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects. # If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers. # This test works for both compilers.
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null grep IS_64BIT_ARCH >/dev/null
then then
SUN_ARCH="x86_64" SUN_ARCH=x86_64
fi fi
fi fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@ -410,7 +414,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;; exit ;;
sun*:*:4.2BSD:*) sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in case "`/bin/arch`" in
sun3) sun3)
echo m68k-sun-sunos${UNAME_RELEASE} echo m68k-sun-sunos${UNAME_RELEASE}
@ -635,13 +639,13 @@ EOF
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in case "${sc_cpu_version}" in
523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0 532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in case "${sc_kernel_bits}" in
32) HP_ARCH="hppa2.0n" ;; 32) HP_ARCH=hppa2.0n ;;
64) HP_ARCH="hppa2.0w" ;; 64) HP_ARCH=hppa2.0w ;;
'') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;; esac ;;
esac esac
fi fi
@ -680,11 +684,11 @@ EOF
exit (0); exit (0);
} }
EOF EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;; fi ;;
esac esac
if [ ${HP_ARCH} = "hppa2.0w" ] if [ ${HP_ARCH} = hppa2.0w ]
then then
eval $set_cc_for_build eval $set_cc_for_build
@ -697,12 +701,12 @@ EOF
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23 # => hppa64-hp-hpux11.23
if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__ grep -q __LP64__
then then
HP_ARCH="hppa2.0w" HP_ARCH=hppa2.0w
else else
HP_ARCH="hppa64" HP_ARCH=hppa64
fi fi
fi fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV} echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@ -807,14 +811,14 @@ EOF
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;; exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;; exit ;;
5000:UNIX_System_V:4.*:*) 5000:UNIX_System_V:4.*:*)
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;; exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@ -896,7 +900,7 @@ EOF
exit ;; exit ;;
*:GNU/*:*:*) *:GNU/*:*:*)
# other systems with GNU libc and userland # other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;; exit ;;
i*86:Minix:*:*) i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix echo ${UNAME_MACHINE}-pc-minix
@ -919,7 +923,7 @@ EOF
EV68*) UNAME_MACHINE=alphaev68 ;; EV68*) UNAME_MACHINE=alphaev68 ;;
esac esac
objdump --private-headers /bin/sh | grep -q ld.so.1 objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC} echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;; exit ;;
arc:Linux:*:* | arceb:Linux:*:*) arc:Linux:*:* | arceb:Linux:*:*)
@ -965,6 +969,9 @@ EOF
ia64:Linux:*:*) ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC} echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;; exit ;;
k1om:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*) m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC} echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;; exit ;;
@ -1120,7 +1127,7 @@ EOF
# uname -m prints for DJGPP always 'pc', but it prints nothing about # uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586. # the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub # Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configury will decide that # prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build. # this is a cross-build.
echo i586-pc-msdosdjgpp echo i586-pc-msdosdjgpp
exit ;; exit ;;
@ -1269,6 +1276,9 @@ EOF
SX-8R:SUPER-UX:*:*) SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE} echo sx8r-nec-superux${UNAME_RELEASE}
exit ;; exit ;;
SX-ACE:SUPER-UX:*:*)
echo sxace-nec-superux${UNAME_RELEASE}
exit ;;
Power*:Rhapsody:*:*) Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE} echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;; exit ;;
@ -1282,9 +1292,9 @@ EOF
UNAME_PROCESSOR=powerpc UNAME_PROCESSOR=powerpc
fi fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null grep IS_64BIT_ARCH >/dev/null
then then
case $UNAME_PROCESSOR in case $UNAME_PROCESSOR in
@ -1306,7 +1316,7 @@ EOF
exit ;; exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*) *:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p` UNAME_PROCESSOR=`uname -p`
if test "$UNAME_PROCESSOR" = "x86"; then if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386 UNAME_PROCESSOR=i386
UNAME_MACHINE=pc UNAME_MACHINE=pc
fi fi
@ -1337,7 +1347,7 @@ EOF
# "uname -m" is not consistent, so use $cputype instead. 386 # "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86 # is converted to i386 for consistency with other x86
# operating systems. # operating systems.
if test "$cputype" = "386"; then if test "$cputype" = 386; then
UNAME_MACHINE=i386 UNAME_MACHINE=i386
else else
UNAME_MACHINE="$cputype" UNAME_MACHINE="$cputype"
@ -1379,7 +1389,7 @@ EOF
echo i386-pc-xenix echo i386-pc-xenix
exit ;; exit ;;
i*86:skyos:*:*) i*86:skyos:*:*)
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;; exit ;;
i*86:rdos:*:*) i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos echo ${UNAME_MACHINE}-pc-rdos
@ -1390,6 +1400,9 @@ EOF
x86_64:VMkernel:*:*) x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx echo ${UNAME_MACHINE}-unknown-esx
exit ;; exit ;;
amd64:Isilon\ OneFS:*:*)
echo x86_64-unknown-onefs
exit ;;
esac esac
cat >&2 <<EOF cat >&2 <<EOF
@ -1399,9 +1412,9 @@ This script, last modified $timestamp, has failed to recognize
the operating system you are using. It is advised that you the operating system you are using. It is advised that you
download the most up to date version of the config scripts from download the most up to date version of the config scripts from
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and and
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
If the version you run ($0) is already up to date, please If the version you run ($0) is already up to date, please
send the following data and any information you think might be send the following data and any information you think might be

16
config.h.in
View file

@ -21,6 +21,9 @@
/* Define to 1 if you have the `asprintf' function. */ /* Define to 1 if you have the `asprintf' function. */
#undef HAVE_ASPRINTF #undef HAVE_ASPRINTF
/* Define to 1 if you have the `BN_GENCB_new' function. */
#undef HAVE_BN_GENCB_NEW
/* Unknown BSD variant */ /* Unknown BSD variant */
#undef HAVE_BSD #undef HAVE_BSD
@ -62,6 +65,12 @@
/* DragonFly */ /* DragonFly */
#undef HAVE_DRAGONFLY #undef HAVE_DRAGONFLY
/* Define to 1 if you have the `ERR_remove_state' function. */
#undef HAVE_ERR_REMOVE_STATE
/* Define to 1 if you have the `EVP_CIPHER_CTX_new' function. */
#undef HAVE_EVP_CIPHER_CTX_NEW
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */ /* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
#undef HAVE_EVP_ENCRYPTINIT_EX #undef HAVE_EVP_ENCRYPTINIT_EX
@ -233,12 +242,15 @@
/* Define to 1 if you have the `random' function. */ /* Define to 1 if you have the `random' function. */
#undef HAVE_RANDOM #undef HAVE_RANDOM
/* Define to 1 if you have the `RAND_pseudo_bytes' function. */ /* Define to 1 if you have the `RAND_bytes' function. */
#undef HAVE_RAND_PSEUDO_BYTES #undef HAVE_RAND_BYTES
/* Define to 1 if you have the <resolv.h> header file. */ /* Define to 1 if you have the <resolv.h> header file. */
#undef HAVE_RESOLV_H #undef HAVE_RESOLV_H
/* Define to 1 if you have the `RSA_set0_key' function. */
#undef HAVE_RSA_SET0_KEY
/* Define to 1 if you have the `select' function. */ /* Define to 1 if you have the `select' function. */
#undef HAVE_SELECT #undef HAVE_SELECT

20
config.sub vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Configuration validation subroutine script. # Configuration validation subroutine script.
# Copyright 1992-2015 Free Software Foundation, Inc. # Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2015-08-20' timestamp='2016-03-30'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
@ -33,7 +33,7 @@ timestamp='2015-08-20'
# Otherwise, we print the canonical config type on stdout and succeed. # Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from: # You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages # This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases # and recognize all the CPU types, system types and aliases
@ -53,8 +53,7 @@ timestamp='2015-08-20'
me=`echo "$0" | sed -e 's,.*/,,'` me=`echo "$0" | sed -e 's,.*/,,'`
usage="\ usage="\
Usage: $0 [OPTION] CPU-MFR-OPSYS Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
$0 [OPTION] ALIAS
Canonicalize a configuration name. Canonicalize a configuration name.
@ -68,7 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\ version="\
GNU config.sub ($timestamp) GNU config.sub ($timestamp)
Copyright 1992-2015 Free Software Foundation, Inc. Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -521,7 +520,7 @@ case $basic_machine in
basic_machine=i386-pc basic_machine=i386-pc
os=-aros os=-aros
;; ;;
asmjs) asmjs)
basic_machine=asmjs-unknown basic_machine=asmjs-unknown
;; ;;
aux) aux)
@ -1383,7 +1382,7 @@ case $os in
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -bitrig* | -openbsd* | -solidbsd* \ | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
@ -1399,7 +1398,8 @@ case $os in
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
| -onefs* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number. # Remember, each alternative MUST END IN *, to match a version number.
;; ;;
-qnx*) -qnx*)
@ -1531,6 +1531,8 @@ case $os in
;; ;;
-nacl*) -nacl*)
;; ;;
-ios)
;;
-none) -none)
;; ;;
*) *)

124
configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.28. # Generated by GNU Autoconf 2.69 for tinc 1.0.29.
# #
# #
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='tinc' PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc' PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.28' PACKAGE_VERSION='1.0.29'
PACKAGE_STRING='tinc 1.0.28' PACKAGE_STRING='tinc 1.0.29'
PACKAGE_BUGREPORT='' PACKAGE_BUGREPORT=''
PACKAGE_URL='' PACKAGE_URL=''
@ -1331,7 +1331,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures tinc 1.0.28 to adapt to many kinds of systems. \`configure' configures tinc 1.0.29 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1402,7 +1402,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.28:";; short | recursive ) echo "Configuration of tinc 1.0.29:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1441,11 +1441,11 @@ Optional Packages:
--with-lzo=DIR lzo base directory, or: --with-lzo=DIR lzo base directory, or:
--with-lzo-include=DIR lzo headers directory --with-lzo-include=DIR lzo headers directory
--with-lzo-lib=DIR lzo library directory --with-lzo-lib=DIR lzo library directory
--with-openssl=DIR OpenSSL base directory, or: --with-openssl=DIR LibreSSL/OpenSSL base directory, or:
--with-openssl-include=DIR --with-openssl-include=DIR
OpenSSL headers directory (without trailing LibreSSL/OpenSSL headers directory (without trailing
/openssl) /openssl)
--with-openssl-lib=DIR OpenSSL library directory --with-openssl-lib=DIR LibreSSL/OpenSSL library directory
Some influential environment variables: Some influential environment variables:
CC C compiler command CC C compiler command
@ -1528,7 +1528,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
tinc configure 1.0.28 tinc configure 1.0.29
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@ -1993,7 +1993,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.28, which was It was created by tinc $as_me 1.0.29, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -2857,7 +2857,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='tinc' PACKAGE='tinc'
VERSION='1.0.28' VERSION='1.0.29'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
@ -5376,6 +5376,79 @@ if test -d /sw/lib ; then
fi fi
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking CFLAGS for maximum warnings" >&5
$as_echo_n "checking CFLAGS for maximum warnings... " >&6; }
if ${ac_cv_cflags_warn_all+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_cv_cflags_warn_all="no, unknown"
ac_save_CFLAGS="$CFLAGS"
for ac_arg in "-warn all % -warn all" "-pedantic % -Wall" "-xstrconst % -v" "-std1 % -verbose -w0 -warnprotos" "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" "-ansi -ansiE % -fullwarn" "+ESlit % +w1" "-Xc % -pvctl,fullmsg" "-h conform % -h msglevel 2" #
do CFLAGS="$ac_save_CFLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'`
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ac_cv_cflags_warn_all=`echo $ac_arg | sed -e 's,.*% *,,'` ; break
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
done
CFLAGS="$ac_save_CFLAGS"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cflags_warn_all" >&5
$as_echo "$ac_cv_cflags_warn_all" >&6; }
case ".$ac_cv_cflags_warn_all" in
.ok|.ok,*) ;;
.|.no|.no,*) ;;
*) if ${CFLAGS+:} false; then :
case " $CFLAGS " in
*" $ac_cv_cflags_warn_all "*)
{ { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$ac_cv_cflags_warn_all"; } >&5
(: CFLAGS already contains $ac_cv_cflags_warn_all) 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
*)
{ { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$ac_cv_cflags_warn_all\""; } >&5
(: CFLAGS="$CFLAGS $ac_cv_cflags_warn_all") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
CFLAGS="$CFLAGS $ac_cv_cflags_warn_all"
;;
esac
else
CFLAGS="$ac_cv_cflags_warn_all"
fi
;;
esac
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Check whether --enable-hardening was given. # Check whether --enable-hardening was given.
if test "${enable_hardening+set}" = set; then : if test "${enable_hardening+set}" = set; then :
enableval=$enable_hardening; enableval=$enable_hardening;
@ -6981,7 +7054,7 @@ $as_echo "$ac_cv_lib_dl_dlopen" >&6; }
if test "x$ac_cv_lib_dl_dlopen" = xyes; then : if test "x$ac_cv_lib_dl_dlopen" = xyes; then :
LIBS="$LIBS -ldl" LIBS="$LIBS -ldl"
else else
as_fn_error $? "OpenSSL depends on libdl." "$LINENO" 5; break as_fn_error $? "LibreSSL/OpenSSL depends on libdl." "$LINENO" 5; break
fi fi
@ -7029,7 +7102,7 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
_ACEOF _ACEOF
else else
as_fn_error $? "OpenSSL header files not found." "$LINENO" 5; break as_fn_error $? "LibreSSL/OpenSSL header files not found." "$LINENO" 5; break
fi fi
@ -7075,12 +7148,12 @@ $as_echo "$ac_cv_lib_crypto_EVP_EncryptInit_ex" >&6; }
if test "x$ac_cv_lib_crypto_EVP_EncryptInit_ex" = xyes; then : if test "x$ac_cv_lib_crypto_EVP_EncryptInit_ex" = xyes; then :
LIBS="-lcrypto $LIBS" LIBS="-lcrypto $LIBS"
else else
as_fn_error $? "OpenSSL libraries not found." "$LINENO" 5 as_fn_error $? "LibreSSL/OpenSSL libraries not found." "$LINENO" 5
fi fi
for ac_func in RAND_pseudo_bytes EVP_EncryptInit_ex for ac_func in RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -7090,7 +7163,7 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
_ACEOF _ACEOF
else else
as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
fi fi
done done
@ -7101,10 +7174,23 @@ done
if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then : if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
else else
as_fn_error $? "Missing OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
fi fi
for ac_func in BN_GENCB_new ERR_remove_state RSA_set0_key
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
fi
done
# Check whether --enable-jumbograms was given. # Check whether --enable-jumbograms was given.
if test "${enable_jumbograms+set}" = set; then : if test "${enable_jumbograms+set}" = set; then :
@ -7695,7 +7781,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by tinc $as_me 1.0.28, which was This file was extended by tinc $as_me 1.0.29, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -7761,7 +7847,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
tinc config.status 1.0.28 tinc config.status 1.0.29
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"

4
configure.ac
View file

@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script. dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61) AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.28]) AC_INIT([tinc], [1.0.29])
AC_CONFIG_SRCDIR([src/tincd.c]) AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
@ -152,6 +152,8 @@ fi
dnl Compiler hardening flags dnl Compiler hardening flags
dnl No -fstack-protector-all because it doesn't work on all platforms or architectures. dnl No -fstack-protector-all because it doesn't work on all platforms or architectures.
AX_CFLAGS_WARN_ALL(CFLAGS)
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"], AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"]) [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])

7
debian/changelog vendored
View file

@ -1,3 +1,10 @@
tinc (1.0.29-1) unstable; urgency=medium
* New upstream release.
* Bump debian/compat.
-- Guus Sliepen <guus@debian.org> Mon, 10 Oct 2016 22:30:25 +0200
tinc (1.0.28-1) unstable; urgency=medium tinc (1.0.28-1) unstable; urgency=medium
* New upstream release. * New upstream release.

2
debian/compat vendored
View file

@ -1 +1 @@
9 10

2
debian/rules vendored
View file

@ -1,7 +1,7 @@
#!/usr/bin/make -f #!/usr/bin/make -f
%: %:
dh $@ --parallel --with systemd dh $@
override_dh_auto_configure: override_dh_auto_configure:
dh_auto_configure -- --enable-uml --enable-vde --with-systemdsystemunitdir=/lib/systemd/system dh_auto_configure -- --enable-uml --enable-vde --with-systemdsystemunitdir=/lib/systemd/system

54
debian/tinc.if-post-down vendored
View file

@ -2,28 +2,38 @@
set -e set -e
if [ "$IF_TINC_NET" ] ; then if [ "$METHOD" = loopback -o -z "$IF_TINC_NET" ]; then
EXTRA="" exit 0
if [ -n "$IF_TINC_PIDFILE" ]; then
EXTRA="--pidfile=$IF_TINC_PIDFILE"
else
IF_TINC_PIDFILE=/var/run/tinc.$IF_TINC_NET.pid
fi
/usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA
sleep 0.1
i=0;
while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
if [ ! -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then
echo 'Failed to stop tinc daemon!'
exit 1
fi
sleep 0.1
i=$(($i+1))
done
fi fi
# Determine location of the PID file
EXTRA=""
if [ -n "$IF_TINC_PIDFILE" ]; then
EXTRA="--pidfile=$IF_TINC_PIDFILE"
else
IF_TINC_PIDFILE=/var/run/tinc.$IF_TINC_NET.pid
fi
# Stop the tinc daemon
/usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA
# Wait for it to shut down properly
sleep 0.1
i=0;
while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
if [ ! -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then
echo 'Failed to stop tinc daemon!'
exit 1
fi
sleep 0.1
i=$(($i+1))
done
exit 0 exit 0

2
debian/tinc.if-pre-up vendored
View file

@ -2,7 +2,7 @@
set -e set -e
if [ -z "$IF_TINC_NET" ]; then if [ "$METHOD" = loopback -o -z "$IF_TINC_NET" ]; then
exit 0 exit 0
fi fi

5
distro/Makefile.in
View file

@ -91,8 +91,11 @@ host_triplet = @host@
subdir = distro subdir = distro
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

5
doc/Makefile.in
View file

@ -89,8 +89,11 @@ host_triplet = @host@
subdir = doc subdir = doc
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

6
doc/tinc.conf.5.in
View file

@ -470,7 +470,7 @@ variables can be specified, in which case each address will be tried until a wor
connection has been established. connection has been established.
.It Va Cipher Li = Ar cipher Pq blowfish .It Va Cipher Li = Ar cipher Pq blowfish
The symmetric cipher algorithm used to encrypt UDP packets. The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised. Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying Furthermore, specifying
.Qq none .Qq none
will turn off packet encryption. will turn off packet encryption.
@ -485,7 +485,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo). 10 (fast lzo) and 11 (best lzo).
.It Va Digest Li = Ar digest Pq sha1 .It Va Digest Li = Ar digest Pq sha1
The digest algorithm used to authenticate UDP packets. The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised. Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying Furthermore, specifying
.Qq none .Qq none
will turn off packet authentication. will turn off packet authentication.
@ -657,7 +657,7 @@ its connection to the virtual network device.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr tincd 8 , .Xr tincd 8 ,
.Pa http://www.tinc-vpn.org/ , .Pa https://www.tinc-vpn.org/ ,
.Pa http://www.tldp.org/LDP/nag2/ . .Pa http://www.tldp.org/LDP/nag2/ .
.Pp .Pp
The full documentation for The full documentation for

231
doc/tinc.info
View file

@ -147,7 +147,7 @@ will most likely compile and run, but it will not be able to send or
receive data packets. receive data packets.
For an up to date list of supported platforms, please check the list For an up to date list of supported platforms, please check the list
on our website: <http://www.tinc-vpn.org/platforms/>. on our website: <https://www.tinc-vpn.org/platforms/>.
 
File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top File: tinc.info, Node: Preparations, Next: Installation, Prev: Introduction, Up: Top
@ -219,12 +219,8 @@ File: tinc.info, Node: Configuration of OpenBSD kernels, Next: Configuration o
2.1.3 Configuration of OpenBSD kernels 2.1.3 Configuration of OpenBSD kernels
-------------------------------------- --------------------------------------
For OpenBSD version 2.9 and higher, the tun driver is included in the Recent versions of OpenBSD come with both tun and tap devices enabled in
default kernel configuration. There is also a kernel patch from the default kernel configuration.
<http://diehard.n-r-g.com/stuff/openbsd/> which adds a tap device to
OpenBSD which should work with tinc, but with recent versions of
OpenBSD, a tun device can act as a tap device by setting the link0
option with ifconfig.
 
File: tinc.info, Node: Configuration of NetBSD kernels, Next: Configuration of Solaris kernels, Prev: Configuration of OpenBSD kernels, Up: Configuring the kernel File: tinc.info, Node: Configuration of NetBSD kernels, Next: Configuration of Solaris kernels, Prev: Configuration of OpenBSD kernels, Up: Configuring the kernel
@ -247,7 +243,7 @@ For Solaris 8 (SunOS 5.8) and higher, the tun driver may or may not be
included in the default kernel configuration. If it isn't, the source included in the default kernel configuration. If it isn't, the source
can be downloaded from <http://vtun.sourceforge.net/tun/>. For x86 and can be downloaded from <http://vtun.sourceforge.net/tun/>. For x86 and
sparc64 architectures, precompiled versions can be found at sparc64 architectures, precompiled versions can be found at
<http://www.monkey.org/~dugsong/fragroute/>. If the 'net/if_tun.h' <https://www.monkey.org/~dugsong/fragroute/>. If the 'net/if_tun.h'
header file is missing, install it from the source package. header file is missing, install it from the source package.
 
@ -274,7 +270,8 @@ File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin
------------------------------ ------------------------------
You will need to install the latest TAP-Win32 driver from OpenVPN. You You will need to install the latest TAP-Win32 driver from OpenVPN. You
can download it from <http://openvpn.sourceforge.net>. Using the can download it from
<https://openvpn.net/index.php/open-source/downloads.html>. Using the
Network Connections control panel, configure the TAP-Win32 network Network Connections control panel, configure the TAP-Win32 network
interface in the same way as you would do from the tinc-up script, as interface in the same way as you would do from the tinc-up script, as
explained in the rest of the documentation. explained in the rest of the documentation.
@ -285,25 +282,25 @@ File: tinc.info, Node: Libraries, Prev: Configuring the kernel, Up: Preparati
2.2 Libraries 2.2 Libraries
============= =============
Before you can configure or build tinc, you need to have the OpenSSL, Before you can configure or build tinc, you need to have the LibreSSL or
zlib and lzo libraries installed on your system. If you try to OpenSSL, zlib and lzo libraries installed on your system. If you try to
configure tinc without having them installed, configure will give you an configure tinc without having them installed, configure will give you an
error message, and stop. error message, and stop.
* Menu: * Menu:
* OpenSSL:: * LibreSSL/OpenSSL::
* zlib:: * zlib::
* lzo:: * lzo::
 
File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries File: tinc.info, Node: LibreSSL/OpenSSL, Next: zlib, Up: Libraries
2.2.1 OpenSSL 2.2.1 LibreSSL/OpenSSL
------------- ----------------------
For all cryptography-related functions, tinc uses the functions provided For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when If this library is not installed, you will get an error when
configuring tinc for build. Support for running tinc with other configuring tinc for build. Support for running tinc with other
@ -313,19 +310,22 @@ cryptographic libraries installed _may_ be added in the future.
if available. Make sure you install the development AND runtime if available. Make sure you install the development AND runtime
versions of this package. versions of this package.
If you have to install OpenSSL manually, you can get the source code If your operating system comes neither with LibreSSL or OpenSSL, you
from <http://www.openssl.org/>. Instructions on how to configure, build have to install one manually. It is recommended that you get the latest
and install this package are included within the package. Please make version of LibreSSL from <http://www.libressl.org/>. Instructions on
sure you build development and runtime libraries (which is the default). how to configure, build and install this package are included within the
package. Please make sure you build development and runtime libraries
(which is the default).
If you installed the OpenSSL libraries from source, it may be If you installed the LibreSSL or OpenSSL libraries from source, it
necessary to let configure know where they are, by passing configure one may be necessary to let configure know where they are, by passing
of the -with-openssl-* parameters. configure one of the -with-openssl-* parameters. Note that you even
have to use -with-openssl-* if you are using LibreSSL.
--with-openssl=DIR OpenSSL library and headers prefix --with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory --with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include) (Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory --with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib) (Default is OPENSSL_DIR/lib)
License License
@ -334,7 +334,7 @@ License
The complete source code of tinc is covered by the GNU GPL version 2. The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL compatible with the terms of the GNU GPL
<http://www.openssl.org/support/faq.html#LEGAL2>, we include an <https://www.openssl.org/support/faq.html#LEGAL2>, we include an
exemption to the GPL (see also the file COPYING.README) to allow exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable: everyone to create a statically or dynamically linked executable:
@ -347,13 +347,13 @@ everyone to create a statically or dynamically linked executable:
also present the following exemption: also present the following exemption:
Hereby I grant a special exception to the tinc VPN project Hereby I grant a special exception to the tinc VPN project
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL (https://www.tinc-vpn.org/) to link the LZO library with the
library (http://www.openssl.org). OpenSSL library (https://www.openssl.org).
Markus F.X.J. Oberhumer Markus F.X.J. Oberhumer
 
File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries File: tinc.info, Node: zlib, Next: lzo, Prev: LibreSSL/OpenSSL, Up: Libraries
2.2.2 zlib 2.2.2 zlib
---------- ----------
@ -373,10 +373,9 @@ if available. Make sure you install the development AND runtime
versions of this package. versions of this package.
If you have to install zlib manually, you can get the source code If you have to install zlib manually, you can get the source code
from <http://www.gzip.org/zlib/>. Instructions on how to configure, from <http://www.zlib.net/>. Instructions on how to configure, build
build and install this package are included within the package. Please and install this package are included within the package. Please make
make sure you build development and runtime libraries (which is the sure you build development and runtime libraries (which is the default).
default).
 
File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
@ -398,7 +397,7 @@ if available. Make sure you install the development AND runtime
versions of this package. versions of this package.
If you have to install lzo manually, you can get the source code from If you have to install lzo manually, you can get the source code from
<http://www.oberhumer.com/opensource/lzo/>. Instructions on how to <https://www.oberhumer.com/opensource/lzo/>. Instructions on how to
configure, build and install this package are included within the configure, build and install this package are included within the
package. Please make sure you build development and runtime libraries package. Please make sure you build development and runtime libraries
(which is the default). (which is the default).
@ -416,9 +415,7 @@ startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to If you cannot use one of the precompiled packages, or you want to
compile tinc for yourself, you can use the source. The source is compile tinc for yourself, you can use the source. The source is
distributed under the GNU General Public License (GPL). Download the distributed under the GNU General Public License (GPL). Download the
source from the download page (http://www.tinc-vpn.org/download/), which source from the download page (https://www.tinc-vpn.org/download/).
has the checksums of these files listed; you may wish to check these
with md5sum before continuing.
Tinc comes in a convenient autoconf/automake package, which you can Tinc comes in a convenient autoconf/automake package, which you can
just treat the same as any other package. Which is just untar it, type just treat the same as any other package. Which is just untar it, type
@ -456,13 +453,13 @@ File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Wind
3.1.1 Darwin (Mac OS X) build environment 3.1.1 Darwin (Mac OS X) build environment
----------------------------------------- -----------------------------------------
In order to build tinc on Darwin, you need to install the Mac OS X In order to build tinc on Darwin, you need to install Xcode from
Developer Tools from <http://developer.apple.com/tools/macosxtools.html> <https://developer.apple.com/xcode/>. It might also help to install a
and preferably a recent version of Fink from recent version of Fink from <http://www.finkproject.org/>.
<http://www.finkproject.org/>.
After installation use fink to download and install the following You need to download and install LibreSSL (or OpenSSL) and LZO,
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. either directly from their websites (see *note Libraries::) or using
Fink.
 
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
@ -471,7 +468,7 @@ File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Window
---------------------------------------- ----------------------------------------
If Cygwin hasn't already been installed, install it directly from If Cygwin hasn't already been installed, install it directly from
<http://www.cygwin.com/>. <https://www.cygwin.com/>.
When tinc is compiled in a Cygwin environment, it can only be run in When tinc is compiled in a Cygwin environment, it can only be run in
this environment, but all programs, including those started outside the this environment, but all programs, including those started outside the
@ -485,7 +482,8 @@ File: tinc.info, Node: MinGW (Windows) build environment, Prev: Cygwin (Window
--------------------------------------- ---------------------------------------
You will need to install the MinGW environment from You will need to install the MinGW environment from
<http://www.mingw.org>. <http://www.mingw.org>. You also need to download and install LibreSSL
(or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows, it When tinc is compiled using MinGW it runs natively under Windows, it
is not necessary to keep MinGW installed. is not necessary to keep MinGW installed.
@ -1057,9 +1055,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
Cipher = <CIPHER> (blowfish) Cipher = <CIPHER> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any The symmetric cipher algorithm used to encrypt UDP packets. Any
cipher supported by OpenSSL is recognized. Furthermore, specifying cipher supported by LibreSSL or OpenSSL is recognized.
"none" will turn off packet encryption. It is best to use only Furthermore, specifying "none" will turn off packet encryption. It
those ciphers which support CBC mode. is best to use only those ciphers which support CBC mode.
ClampMSS = <yes|no> (yes) ClampMSS = <yes|no> (yes)
This option specifies whether tinc should clamp the maximum segment This option specifies whether tinc should clamp the maximum segment
@ -1074,8 +1072,8 @@ Compression = <LEVEL> (0)
Digest = <DIGEST> (sha1) Digest = <DIGEST> (sha1)
The digest algorithm used to authenticate UDP packets. Any digest The digest algorithm used to authenticate UDP packets. Any digest
supported by OpenSSL is recognized. Furthermore, specifying "none" supported by LibreSSL or OpenSSL is recognized. Furthermore,
will turn off packet authentication. specifying "none" will turn off packet authentication.
IndirectData = <yes|no> (no) IndirectData = <yes|no> (no)
This option specifies whether other tinc daemons besides the one This option specifies whether other tinc daemons besides the one
@ -1137,7 +1135,7 @@ Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
Prefixlength is the number of bits set to 1 in the netmask part; Prefixlength is the number of bits set to 1 in the netmask part;
for example: netmask 255.255.255.0 would become /24, 255.255.252.0 for example: netmask 255.255.255.0 would become /24, 255.255.252.0
becomes /22. This conforms to standard CIDR notation as described becomes /22. This conforms to standard CIDR notation as described
in RFC1519 (http://www.ietf.org/rfc/rfc1519.txt) in RFC1519 (https://www.ietf.org/rfc/rfc1519.txt)
A Subnet can be given a weight to indicate its priority over A Subnet can be given a weight to indicate its priority over
identical Subnets owned by different nodes. The default weight is identical Subnets owned by different nodes. The default weight is
@ -2098,7 +2096,7 @@ intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the algorithm can be changed in the configuration. The length of the
message authentication codes is also adjustable. The length of the key message authentication codes is also adjustable. The length of the key
for the encryption algorithm is always the default length used by for the encryption algorithm is always the default length used by
OpenSSL. LibreSSL/OpenSSL.
* Menu: * Menu:
@ -2256,8 +2254,8 @@ In August 2000, we discovered the existence of a security hole in all
versions of tinc up to and including 1.0pre2. This had to do with the versions of tinc up to and including 1.0pre2. This had to do with the
way we exchanged keys. Since then, we have been working on a new way we exchanged keys. Since then, we have been working on a new
authentication scheme to make tinc as secure as possible. The current authentication scheme to make tinc as secure as possible. The current
version uses the OpenSSL library and uses strong authentication with RSA version uses the LibreSSL or OpenSSL library and uses strong
keys. authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security On the 29th of December 2001, Jerome Etienne posted a security
analysis of tinc 1.0pre4. Due to a lack of sequence numbers and a analysis of tinc 1.0pre4. Due to a lack of sequence numbers and a
@ -2393,12 +2391,12 @@ File: tinc.info, Node: Contact information, Next: Authors, Up: About us
8.1 Contact information 8.1 Contact information
======================= =======================
Tinc's website is at <http://www.tinc-vpn.org/>, this server is located Tinc's website is at <https://www.tinc-vpn.org/>, this server is located
in the Netherlands. in the Netherlands.
We have an IRC channel on the FreeNode and OFTC IRC networks. We have an IRC channel on the FreeNode and OFTC IRC networks.
Connect to irc.freenode.net (http://www.freenode.net/) or irc.oftc.net Connect to irc.freenode.net (https://freenode.net/) or irc.oftc.net
(http://www.oftc.net/) and join channel #tinc. (https://www.oftc.net/) and join channel #tinc.
 
File: tinc.info, Node: Authors, Prev: Contact information, Up: About us File: tinc.info, Node: Authors, Prev: Contact information, Up: About us
@ -2515,7 +2513,8 @@ Concept Index
(line 206) (line 206)
* KEY_CHANGED: The meta-protocol. (line 63) * KEY_CHANGED: The meta-protocol. (line 63)
* libraries: Libraries. (line 6) * libraries: Libraries. (line 6)
* license: OpenSSL. (line 35) * LibreSSL: LibreSSL/OpenSSL. (line 6)
* license: LibreSSL/OpenSSL. (line 38)
* LocalDiscovery: Main configuration variables. * LocalDiscovery: Main configuration variables.
(line 212) (line 212)
* lzo: lzo. (line 6) * lzo: lzo. (line 6)
@ -2542,7 +2541,7 @@ Concept Index
* Network Administrators Guide: Configuration introduction. * Network Administrators Guide: Configuration introduction.
(line 15) (line 15)
* NODE: Scripts. (line 71) * NODE: Scripts. (line 71)
* OpenSSL: OpenSSL. (line 6) * OpenSSL: LibreSSL/OpenSSL. (line 6)
* options: Runtime options. (line 9) * options: Runtime options. (line 9)
* PEM format: Host configuration variables. * PEM format: Host configuration variables.
(line 69) (line 69)
@ -2656,61 +2655,61 @@ Node: Introduction1105
Node: Virtual Private Networks1915 Node: Virtual Private Networks1915
Node: tinc3639 Node: tinc3639
Node: Supported platforms5166 Node: Supported platforms5166
Node: Preparations5866 Node: Preparations5867
Node: Configuring the kernel6122 Node: Configuring the kernel6123
Node: Configuration of Linux kernels6532 Node: Configuration of Linux kernels6533
Node: Configuration of FreeBSD kernels7387 Node: Configuration of FreeBSD kernels7388
Node: Configuration of OpenBSD kernels7852 Node: Configuration of OpenBSD kernels7853
Node: Configuration of NetBSD kernels8460 Node: Configuration of NetBSD kernels8210
Node: Configuration of Solaris kernels8865 Node: Configuration of Solaris kernels8615
Node: Configuration of Darwin (Mac OS X) kernels9527 Node: Configuration of Darwin (Mac OS X) kernels9278
Node: Configuration of Windows10346 Node: Configuration of Windows10097
Node: Libraries10860 Node: Libraries10637
Node: OpenSSL11248 Node: LibreSSL/OpenSSL11046
Node: zlib13536 Node: zlib13588
Node: lzo14564 Node: lzo14620
Node: Installation15546 Node: Installation15603
Node: Building and installing tinc16561 Node: Building and installing tinc16513
Node: Darwin (Mac OS X) build environment17221 Node: Darwin (Mac OS X) build environment17173
Node: Cygwin (Windows) build environment17803 Node: Cygwin (Windows) build environment17738
Node: MinGW (Windows) build environment18391 Node: MinGW (Windows) build environment18327
Node: System files18915 Node: System files18921
Node: Device files19180 Node: Device files19186
Node: Other files19596 Node: Other files19602
Node: Configuration20209 Node: Configuration20215
Node: Configuration introduction20520 Node: Configuration introduction20526
Node: Multiple networks21788 Node: Multiple networks21794
Node: How connections work23214 Node: How connections work23220
Node: Configuration files24436 Node: Configuration files24442
Node: Main configuration variables25930 Node: Main configuration variables25936
Node: Host configuration variables42187 Node: Host configuration variables42193
Node: Scripts47690 Node: Scripts47720
Node: How to configure50956 Node: How to configure50986
Node: Generating keypairs52214 Node: Generating keypairs52244
Node: Network interfaces52713 Node: Network interfaces52743
Node: Example configuration54561 Node: Example configuration54591
Node: Running tinc59886 Node: Running tinc59916
Node: Runtime options60476 Node: Runtime options60506
Node: Signals63778 Node: Signals63808
Node: Debug levels64969 Node: Debug levels64999
Node: Solving problems65905 Node: Solving problems65935
Node: Error messages67457 Node: Error messages67487
Node: Sending bug reports71466 Node: Sending bug reports71496
Node: Technical information72413 Node: Technical information72443
Node: The connection72644 Node: The connection72674
Node: The UDP tunnel72956 Node: The UDP tunnel72986
Node: The meta-connection76017 Node: The meta-connection76047
Node: The meta-protocol77486 Node: The meta-protocol77516
Node: Security82503 Node: Security82533
Node: Authentication protocol83636 Node: Authentication protocol83675
Node: Encryption of network packets88681 Node: Encryption of network packets88720
Node: Security issues90057 Node: Security issues90096
Node: Platform specific information91684 Node: Platform specific information91735
Node: Interface configuration91912 Node: Interface configuration91963
Node: Routes94383 Node: Routes94434
Node: About us96397 Node: About us96448
Node: Contact information96572 Node: Contact information96623
Node: Authors96976 Node: Authors97026
Node: Concept Index97381 Node: Concept Index97431
 
End Tag Table End Tag Table

86
doc/tinc.texi
View file

@ -186,7 +186,7 @@ packets.
@cindex release @cindex release
For an up to date list of supported platforms, please check the list on For an up to date list of supported platforms, please check the list on
our website: our website:
@uref{http://www.tinc-vpn.org/platforms/}. @uref{https://www.tinc-vpn.org/platforms/}.
@c @c
@c @c
@ -268,12 +268,7 @@ The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_t
@node Configuration of OpenBSD kernels @node Configuration of OpenBSD kernels
@subsection Configuration of OpenBSD kernels @subsection Configuration of OpenBSD kernels
For OpenBSD version 2.9 and higher, Recent versions of OpenBSD come with both tun and tap devices enabled in the default kernel configuration.
the tun driver is included in the default kernel configuration.
There is also a kernel patch from @uref{http://diehard.n-r-g.com/stuff/openbsd/}
which adds a tap device to OpenBSD which should work with tinc,
but with recent versions of OpenBSD,
a tun device can act as a tap device by setting the link0 option with ifconfig.
@c ================================================================== @c ==================================================================
@ -293,7 +288,7 @@ Tunneling IPv6 may not work on NetBSD's tun device.
For Solaris 8 (SunOS 5.8) and higher, For Solaris 8 (SunOS 5.8) and higher,
the tun driver may or may not be included in the default kernel configuration. the tun driver may or may not be included in the default kernel configuration.
If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}. If it isn't, the source can be downloaded from @uref{http://vtun.sourceforge.net/tun/}.
For x86 and sparc64 architectures, precompiled versions can be found at @uref{http://www.monkey.org/~dugsong/fragroute/}. For x86 and sparc64 architectures, precompiled versions can be found at @uref{https://www.monkey.org/~dugsong/fragroute/}.
If the @file{net/if_tun.h} header file is missing, install it from the source package. If the @file{net/if_tun.h} header file is missing, install it from the source package.
@ -317,7 +312,7 @@ You can also omit the number, in which case the first free number will be chosen
@subsection Configuration of Windows @subsection Configuration of Windows
You will need to install the latest TAP-Win32 driver from OpenVPN. You will need to install the latest TAP-Win32 driver from OpenVPN.
You can download it from @uref{http://openvpn.sourceforge.net}. You can download it from @uref{https://openvpn.net/index.php/open-source/downloads.html}.
Using the Network Connections control panel, Using the Network Connections control panel,
configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script, configure the TAP-Win32 network interface in the same way as you would do from the tinc-up script,
as explained in the rest of the documentation. as explained in the rest of the documentation.
@ -329,24 +324,25 @@ as explained in the rest of the documentation.
@cindex requirements @cindex requirements
@cindex libraries @cindex libraries
Before you can configure or build tinc, you need to have the OpenSSL, Before you can configure or build tinc, you need to have the LibreSSL or OpenSSL,
zlib and lzo libraries installed on your system. If you try to configure tinc without zlib and lzo libraries installed on your system. If you try to configure tinc without
having them installed, configure will give you an error message, and stop. having them installed, configure will give you an error message, and stop.
@menu @menu
* OpenSSL:: * LibreSSL/OpenSSL::
* zlib:: * zlib::
* lzo:: * lzo::
@end menu @end menu
@c ================================================================== @c ==================================================================
@node OpenSSL @node LibreSSL/OpenSSL
@subsection OpenSSL @subsection LibreSSL/OpenSSL
@cindex LibreSSL
@cindex OpenSSL @cindex OpenSSL
For all cryptography-related functions, tinc uses the functions provided For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the LibreSSL or the OpenSSL library.
If this library is not installed, you will get an error when configuring If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries tinc for build. Support for running tinc with other cryptographic libraries
@ -356,21 +352,23 @@ You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions available. Make sure you install the development AND runtime versions
of this package. of this package.
If you have to install OpenSSL manually, you can get the source code If your operating system comes neither with LibreSSL or OpenSSL, you have to
from @url{http://www.openssl.org/}. Instructions on how to configure, install one manually. It is recommended that you get the latest version of
build and install this package are included within the package. Please LibreSSL from @url{http://www.libressl.org/}. Instructions on how to
make sure you build development and runtime libraries (which is the configure, build and install this package are included within the package.
Please make sure you build development and runtime libraries (which is the
default). default).
If you installed the OpenSSL libraries from source, it may be necessary If you installed the LibreSSL or OpenSSL libraries from source, it may be necessary
to let configure know where they are, by passing configure one of the to let configure know where they are, by passing configure one of the
--with-openssl-* parameters. --with-openssl-* parameters. Note that you even have to use --with-openssl-* if you
are using LibreSSL.
@example @example
--with-openssl=DIR OpenSSL library and headers prefix --with-openssl=DIR LibreSSL/OpenSSL library and headers prefix
--with-openssl-include=DIR OpenSSL headers directory --with-openssl-include=DIR LibreSSL/OpenSSL headers directory
(Default is OPENSSL_DIR/include) (Default is OPENSSL_DIR/include)
--with-openssl-lib=DIR OpenSSL library directory --with-openssl-lib=DIR LibreSSL/OpenSSL library directory
(Default is OPENSSL_DIR/lib) (Default is OPENSSL_DIR/lib)
@end example @end example
@ -381,7 +379,7 @@ to let configure know where they are, by passing configure one of the
The complete source code of tinc is covered by the GNU GPL version 2. The complete source code of tinc is covered by the GNU GPL version 2.
Since the license under which OpenSSL is distributed is not directly Since the license under which OpenSSL is distributed is not directly
compatible with the terms of the GNU GPL compatible with the terms of the GNU GPL
@uref{http://www.openssl.org/support/faq.html#LEGAL2}, we @uref{https://www.openssl.org/support/faq.html#LEGAL2}, we
include an exemption to the GPL (see also the file COPYING.README) to allow include an exemption to the GPL (see also the file COPYING.README) to allow
everyone to create a statically or dynamically linked executable: everyone to create a statically or dynamically linked executable:
@ -397,8 +395,8 @@ we also present the following exemption:
@quotation @quotation
Hereby I grant a special exception to the tinc VPN project Hereby I grant a special exception to the tinc VPN project
(http://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library (https://www.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(http://www.openssl.org). (https://www.openssl.org).
Markus F.X.J. Oberhumer Markus F.X.J. Oberhumer
@end quotation @end quotation
@ -423,7 +421,7 @@ available. Make sure you install the development AND runtime versions
of this package. of this package.
If you have to install zlib manually, you can get the source code If you have to install zlib manually, you can get the source code
from @url{http://www.gzip.org/zlib/}. Instructions on how to configure, from @url{http://www.zlib.net/}. Instructions on how to configure,
build and install this package are included within the package. Please build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the make sure you build development and runtime libraries (which is the
default). default).
@ -447,7 +445,7 @@ available. Make sure you install the development AND runtime versions
of this package. of this package.
If you have to install lzo manually, you can get the source code If you have to install lzo manually, you can get the source code
from @url{http://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure, from @url{https://www.oberhumer.com/opensource/lzo/}. Instructions on how to configure,
build and install this package are included within the package. Please build and install this package are included within the package. Please
make sure you build development and runtime libraries (which is the make sure you build development and runtime libraries (which is the
default). default).
@ -473,9 +471,7 @@ system startup scripts and sample configurations.
If you cannot use one of the precompiled packages, or you want to compile tinc If you cannot use one of the precompiled packages, or you want to compile tinc
for yourself, you can use the source. The source is distributed under for yourself, you can use the source. The source is distributed under
the GNU General Public License (GPL). Download the source from the the GNU General Public License (GPL). Download the source from the
@uref{http://www.tinc-vpn.org/download/, download page}, which has @uref{https://www.tinc-vpn.org/download/, download page}.
the checksums of these files listed; you may wish to check these with
md5sum before continuing.
Tinc comes in a convenient autoconf/automake package, which you can just Tinc comes in a convenient autoconf/automake package, which you can just
treat the same as any other package. Which is just untar it, type treat the same as any other package. Which is just untar it, type
@ -512,19 +508,18 @@ The documentation that comes along with your distribution will tell you how to d
@node Darwin (Mac OS X) build environment @node Darwin (Mac OS X) build environment
@subsection Darwin (Mac OS X) build environment @subsection Darwin (Mac OS X) build environment
In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools In order to build tinc on Darwin, you need to install Xcode from @uref{https://developer.apple.com/xcode/}.
from @uref{http://developer.apple.com/tools/macosxtools.html} and It might also help to install a recent version of Fink from @uref{http://www.finkproject.org/}.
preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages: You need to download and install LibreSSL (or OpenSSL) and LZO,
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. either directly from their websites (see @ref{Libraries}) or using Fink.
@c ================================================================== @c ==================================================================
@node Cygwin (Windows) build environment @node Cygwin (Windows) build environment
@subsection Cygwin (Windows) build environment @subsection Cygwin (Windows) build environment
If Cygwin hasn't already been installed, install it directly from If Cygwin hasn't already been installed, install it directly from
@uref{http://www.cygwin.com/}. @uref{https://www.cygwin.com/}.
When tinc is compiled in a Cygwin environment, it can only be run in this environment, When tinc is compiled in a Cygwin environment, it can only be run in this environment,
but all programs, including those started outside the Cygwin environment, will be able to use the VPN. but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
@ -535,6 +530,7 @@ It will also support all features.
@subsection MinGW (Windows) build environment @subsection MinGW (Windows) build environment
You will need to install the MinGW environment from @uref{http://www.mingw.org}. You will need to install the MinGW environment from @uref{http://www.mingw.org}.
You also need to download and install LibreSSL (or OpenSSL) and LZO.
When tinc is compiled using MinGW it runs natively under Windows, When tinc is compiled using MinGW it runs natively under Windows,
it is not necessary to keep MinGW installed. it is not necessary to keep MinGW installed.
@ -1149,7 +1145,7 @@ tried until a working connection has been established.
@cindex Cipher @cindex Cipher
@item Cipher = <@var{cipher}> (blowfish) @item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognized. Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption. Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode. It is best to use only those ciphers which support CBC mode.
@ -1168,7 +1164,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
@cindex Digest @cindex Digest
@item Digest = <@var{digest}> (sha1) @item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets. The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognized. Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication. Furthermore, specifying "none" will turn off packet authentication.
@cindex IndirectData @cindex IndirectData
@ -1239,7 +1235,7 @@ MAC addresses are notated like 0:1a:2b:3c:4d:5e.
Prefixlength is the number of bits set to 1 in the netmask part; for Prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in /22. This conforms to standard CIDR notation as described in
@uref{http://www.ietf.org/rfc/rfc1519.txt, RFC1519} @uref{https://www.ietf.org/rfc/rfc1519.txt, RFC1519}
@cindex Subnet weight @cindex Subnet weight
A Subnet can be given a weight to indicate its priority over identical Subnets A Subnet can be given a weight to indicate its priority over identical Subnets
@ -2254,7 +2250,7 @@ eavesdroppers cannot get and cannot change any information at all from the
packets they can intercept. The encryption algorithm and message authentication packets they can intercept. The encryption algorithm and message authentication
algorithm can be changed in the configuration. The length of the message algorithm can be changed in the configuration. The length of the message
authentication codes is also adjustable. The length of the key for the authentication codes is also adjustable. The length of the key for the
encryption algorithm is always the default length used by OpenSSL. encryption algorithm is always the default length used by LibreSSL/OpenSSL.
@menu @menu
* Authentication protocol:: * Authentication protocol::
@ -2413,7 +2409,7 @@ the MACLength configuration variable.
In August 2000, we discovered the existence of a security hole in all versions In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and tinc as secure as possible. The current version uses the LibreSSL or OpenSSL library and
uses strong authentication with RSA keys. uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
@ -2586,14 +2582,14 @@ Adding routes to IPv6 subnets:
@section Contact information @section Contact information
@cindex website @cindex website
Tinc's website is at @url{http://www.tinc-vpn.org/}, Tinc's website is at @url{https://www.tinc-vpn.org/},
this server is located in the Netherlands. this server is located in the Netherlands.
@cindex IRC @cindex IRC
We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to We have an IRC channel on the FreeNode and OFTC IRC networks. Connect to
@uref{http://www.freenode.net/, irc.freenode.net} @uref{https://freenode.net/, irc.freenode.net}
or or
@uref{http://www.oftc.net/, irc.oftc.net} @uref{https://www.oftc.net/, irc.oftc.net}
and join channel #tinc. and join channel #tinc.

2
doc/tincd.8.in
View file

@ -207,7 +207,7 @@ If you find any bugs, report them to tinc@tinc-vpn.org.
A lot, especially security auditing. A lot, especially security auditing.
.Sh SEE ALSO .Sh SEE ALSO
.Xr tinc.conf 5 , .Xr tinc.conf 5 ,
.Pa http://www.tinc-vpn.org/ , .Pa https://www.tinc-vpn.org/ ,
.Pa http://www.cabal.org/ . .Pa http://www.cabal.org/ .
.Pp .Pp
The full documentation for tinc is maintained as a Texinfo manual. The full documentation for tinc is maintained as a Texinfo manual.

5
m4/Makefile.in
View file

@ -90,8 +90,11 @@ host_triplet = @host@
subdir = m4 subdir = m4
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

69
m4/ax_append_flag.m4 Normal file
View file

@ -0,0 +1,69 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
#
# DESCRIPTION
#
# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
# added in between.
#
# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains
# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly
# FLAG.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_APPEND_FLAG],
[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])dnl
AS_VAR_SET_IF(FLAGS,
[case " AS_VAR_GET(FLAGS) " in
*" $1 "*)
AC_RUN_LOG([: FLAGS already contains $1])
;;
*)
AC_RUN_LOG([: FLAGS="$FLAGS $1"])
AS_VAR_SET(FLAGS, ["AS_VAR_GET(FLAGS) $1"])
;;
esac],
[AS_VAR_SET(FLAGS,["$1"])])
AS_VAR_POPDEF([FLAGS])dnl
])dnl AX_APPEND_FLAG

122
m4/ax_cflags_warn_all.m4 Normal file
View file

@ -0,0 +1,122 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_cflags_warn_all.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
# AX_CXXFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
# AX_FCFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
#
# DESCRIPTION
#
# Try to find a compiler option that enables most reasonable warnings.
#
# For the GNU compiler it will be -Wall (and -ansi -pedantic) The result
# is added to the shellvar being CFLAGS, CXXFLAGS, or FCFLAGS by default.
#
# Currently this macro knows about the GCC, Solaris, Digital Unix, AIX,
# HP-UX, IRIX, NEC SX-5 (Super-UX 10), Cray J90 (Unicos 10.0.0.8), and
# Intel compilers. For a given compiler, the Fortran flags are much more
# experimental than their C equivalents.
#
# - $1 shell-variable-to-add-to : CFLAGS, CXXFLAGS, or FCFLAGS
# - $2 add-value-if-not-found : nothing
# - $3 action-if-found : add value to shellvariable
# - $4 action-if-not-found : nothing
#
# NOTE: These macros depend on AX_APPEND_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2010 Rhys Ulerich <rhys.ulerich@gmail.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 15
AC_DEFUN([AX_FLAGS_WARN_ALL],[dnl
AS_VAR_PUSHDEF([FLAGS],[_AC_LANG_PREFIX[]FLAGS])dnl
AS_VAR_PUSHDEF([VAR],[ac_cv_[]_AC_LANG_ABBREV[]flags_warn_all])dnl
AC_CACHE_CHECK([m4_ifval($1,$1,FLAGS) for maximum warnings],
VAR,[VAR="no, unknown"
ac_save_[]FLAGS="$[]FLAGS"
for ac_arg dnl
in "-warn all % -warn all" dnl Intel
"-pedantic % -Wall" dnl GCC
"-xstrconst % -v" dnl Solaris C
"-std1 % -verbose -w0 -warnprotos" dnl Digital Unix
"-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" dnl AIX
"-ansi -ansiE % -fullwarn" dnl IRIX
"+ESlit % +w1" dnl HP-UX C
"-Xc % -pvctl[,]fullmsg" dnl NEC SX-5 (Super-UX 10)
"-h conform % -h msglevel 2" dnl Cray C (Unicos)
#
do FLAGS="$ac_save_[]FLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'`
AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
[VAR=`echo $ac_arg | sed -e 's,.*% *,,'` ; break])
done
FLAGS="$ac_save_[]FLAGS"
])
AS_VAR_POPDEF([FLAGS])dnl
AX_REQUIRE_DEFINED([AX_APPEND_FLAG])
case ".$VAR" in
.ok|.ok,*) m4_ifvaln($3,$3) ;;
.|.no|.no,*) m4_default($4,[m4_ifval($2,[AX_APPEND_FLAG([$2], [$1])])]) ;;
*) m4_default($3,[AX_APPEND_FLAG([$VAR], [$1])]) ;;
esac
AS_VAR_POPDEF([VAR])dnl
])dnl AX_FLAGS_WARN_ALL
dnl implementation tactics:
dnl the for-argument contains a list of options. The first part of
dnl these does only exist to detect the compiler - usually it is
dnl a global option to enable -ansi or -extrawarnings. All other
dnl compilers will fail about it. That was needed since a lot of
dnl compilers will give false positives for some option-syntax
dnl like -Woption or -Xoption as they think of it is a pass-through
dnl to later compile stages or something. The "%" is used as a
dnl delimiter. A non-option comment can be given after "%%" marks
dnl which will be shown but not added to the respective C/CXXFLAGS.
AC_DEFUN([AX_CFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([C])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([C])
])
AC_DEFUN([AX_CXXFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([C++])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([C++])
])
AC_DEFUN([AX_FCFLAGS_WARN_ALL],[dnl
AC_LANG_PUSH([Fortran])
AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
AC_LANG_POP([Fortran])
])

37
m4/ax_require_defined.m4 Normal file
View file

@ -0,0 +1,37 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_require_defined.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_REQUIRE_DEFINED(MACRO)
#
# DESCRIPTION
#
# AX_REQUIRE_DEFINED is a simple helper for making sure other macros have
# been defined and thus are available for use. This avoids random issues
# where a macro isn't expanded. Instead the configure script emits a
# non-fatal:
#
# ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found
#
# It's like AC_REQUIRE except it doesn't expand the required macro.
#
# Here's an example:
#
# AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG])
#
# LICENSE
#
# Copyright (c) 2014 Mike Frysinger <vapier@gentoo.org>
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved. This file is offered as-is, without any
# warranty.
#serial 1
AC_DEFUN([AX_REQUIRE_DEFINED], [dnl
m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])])
])dnl AX_REQUIRE_DEFINED

22
m4/openssl.m4
View file

@ -1,4 +1,4 @@
dnl Check to find the OpenSSL headers/libraries dnl Check to find the LibreSSL/OpenSSL headers/libraries
AC_DEFUN([tinc_OPENSSL], AC_DEFUN([tinc_OPENSSL],
[ [
@ -10,47 +10,49 @@ AC_DEFUN([tinc_OPENSSL],
[], [],
[AC_CHECK_LIB(dl, dlopen, [AC_CHECK_LIB(dl, dlopen,
[LIBS="$LIBS -ldl"], [LIBS="$LIBS -ldl"],
[AC_MSG_ERROR([OpenSSL depends on libdl.]); break] [AC_MSG_ERROR([LibreSSL/OpenSSL depends on libdl.]); break]
)] )]
) )
;; ;;
esac esac
AC_ARG_WITH(openssl, AC_ARG_WITH(openssl,
AS_HELP_STRING([--with-openssl=DIR], [OpenSSL base directory, or:]), AS_HELP_STRING([--with-openssl=DIR], [LibreSSL/OpenSSL base directory, or:]),
[openssl="$withval" [openssl="$withval"
CPPFLAGS="$CPPFLAGS -I$withval/include" CPPFLAGS="$CPPFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"] LDFLAGS="$LDFLAGS -L$withval/lib"]
) )
AC_ARG_WITH(openssl-include, AC_ARG_WITH(openssl-include,
AS_HELP_STRING([--with-openssl-include=DIR], [OpenSSL headers directory (without trailing /openssl)]), AS_HELP_STRING([--with-openssl-include=DIR], [LibreSSL/OpenSSL headers directory (without trailing /openssl)]),
[openssl_include="$withval" [openssl_include="$withval"
CPPFLAGS="$CPPFLAGS -I$withval"] CPPFLAGS="$CPPFLAGS -I$withval"]
) )
AC_ARG_WITH(openssl-lib, AC_ARG_WITH(openssl-lib,
AS_HELP_STRING([--with-openssl-lib=DIR], [OpenSSL library directory]), AS_HELP_STRING([--with-openssl-lib=DIR], [LibreSSL/OpenSSL library directory]),
[openssl_lib="$withval" [openssl_lib="$withval"
LDFLAGS="$LDFLAGS -L$withval"] LDFLAGS="$LDFLAGS -L$withval"]
) )
AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h, AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h,
[], [],
[AC_MSG_ERROR([OpenSSL header files not found.]); break] [AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
) )
AC_CHECK_LIB(crypto, EVP_EncryptInit_ex, AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
[LIBS="-lcrypto $LIBS"], [LIBS="-lcrypto $LIBS"],
[AC_MSG_ERROR([OpenSSL libraries not found.])] [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
) )
AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], , AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
) )
AC_CHECK_DECL([OpenSSL_add_all_algorithms], , AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
[AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>] [#include <openssl/evp.h>]
) )
AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])
]) ])

5
src/Makefile.in
View file

@ -105,8 +105,11 @@ sbin_PROGRAMS = tincd$(EXEEXT)
subdir = src subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \

2
src/avl_tree.c
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug. the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>. Guus Sliepen <guus@tinc-vpn.org>.
*/ */

2
src/avl_tree.h
View file

@ -26,7 +26,7 @@
the code. Mail me if you found a bug. the code. Mail me if you found a bug.
Cleaned up and incorporated some of the ideas from the red-black tree Cleaned up and incorporated some of the ideas from the red-black tree
library for inclusion into tinc (http://www.tinc-vpn.org/) by library for inclusion into tinc (https://www.tinc-vpn.org/) by
Guus Sliepen <guus@tinc-vpn.org>. Guus Sliepen <guus@tinc-vpn.org>.
*/ */

11
src/bsd/device.c
View file

@ -198,18 +198,19 @@ static bool setup_device(void) {
// Guess what the corresponding interface is called // Guess what the corresponding interface is called
char *realname; char *realname = NULL;
#if defined(HAVE_FDEVNAME) #if defined(HAVE_FDEVNAME)
realname = fdevname(device_fd) ? : device; realname = fdevname(device_fd);
#elif defined(HAVE_DEVNAME) #elif defined(HAVE_DEVNAME)
struct stat buf; struct stat buf;
if(!fstat(device_fd, &buf)) if(!fstat(device_fd, &buf))
realname = devname(buf.st_rdev, S_IFCHR) ? : device; realname = devname(buf.st_rdev, S_IFCHR);
#else
realname = device;
#endif #endif
if(!realname)
realname = device;
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
iface = xstrdup(strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname); iface = xstrdup(strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname);
else if(strcmp(iface, strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname)) else if(strcmp(iface, strrchr(realname, '/') ? strrchr(realname, '/') + 1 : realname))

3
src/dropin.c
View file

@ -1,7 +1,7 @@
/* /*
dropin.c -- a set of drop-in replacements for libc functions dropin.c -- a set of drop-in replacements for libc functions
Copyright (C) 2000-2005 Ivo Timmermans, Copyright (C) 2000-2005 Ivo Timmermans,
2000-2011 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -140,6 +140,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) {
va_copy(aq, ap); va_copy(aq, ap);
status = vsnprintf(*buf, len, fmt, aq); status = vsnprintf(*buf, len, fmt, aq);
buf[len - 1] = 0;
va_end(aq); va_end(aq);
if(status >= 0) if(status >= 0)

3
src/logger.c
View file

@ -1,6 +1,6 @@
/* /*
logger.c -- logging code logger.c -- logging code
Copyright (C) 2004-2006 Guus Sliepen <guus@tinc-vpn.org> Copyright (C) 2004-2016 Guus Sliepen <guus@tinc-vpn.org>
2004-2005 Ivo Timmermans 2004-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -109,6 +109,7 @@ void logger(int priority, const char *format, ...) {
char message[4096]; char message[4096];
const char *messages[] = {message}; const char *messages[] = {message};
vsnprintf(message, sizeof(message), format, ap); vsnprintf(message, sizeof(message), format, ap);
message[sizeof message - 1] = 0;
ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL); ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL);
} }
#else #else

4
src/net.c
View file

@ -246,7 +246,7 @@ static void check_dead_connections(void) {
if(c->status.active) { if(c->status.active) {
if(c->status.pinged) { if(c->status.pinged) {
ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds", ifdebug(CONNECTIONS) logger(LOG_INFO, "%s (%s) didn't respond to PING in %ld seconds",
c->name, c->hostname, (long)now - c->last_ping_time); c->name, c->hostname, (long)(now - c->last_ping_time));
c->status.timeout = true; c->status.timeout = true;
terminate_connection(c, true); terminate_connection(c, true);
} else if(c->last_ping_time + pinginterval <= now) { } else if(c->last_ping_time + pinginterval <= now) {
@ -275,7 +275,7 @@ static void check_dead_connections(void) {
if(c->status.active) { if(c->status.active) {
ifdebug(CONNECTIONS) logger(LOG_INFO, ifdebug(CONNECTIONS) logger(LOG_INFO,
"%s (%s) could not flush for %ld seconds (%d bytes remaining)", "%s (%s) could not flush for %ld seconds (%d bytes remaining)",
c->name, c->hostname, (long)now - c->last_flushed_time, c->outbuflen); c->name, c->hostname, (long)(now - c->last_flushed_time), c->outbuflen);
c->status.timeout = true; c->status.timeout = true;
terminate_connection(c, true); terminate_connection(c, true);
} }

22
src/net_packet.c
View file

@ -1,7 +1,7 @@
/* /*
net_packet.c -- Handles in- and outgoing VPN packets net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu> 2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
len = 64; len = 64;
memset(packet.data, 0, 14); memset(packet.data, 0, 14);
RAND_pseudo_bytes(packet.data + 14, len - 14); RAND_bytes(packet.data + 14, len - 14);
packet.len = len; packet.len = len;
if(i >= 4 && n->mtuprobes <= 10) if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1; packet.priority = -1;
@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(n->incipher) { if(n->incipher) {
outpkt = pkt[nextpkt++]; outpkt = pkt[nextpkt++];
if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
|| !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len) (unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s", ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return; return;
@ -336,16 +336,16 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(inpkt->seqno != n->received_seqno + 1) { if(inpkt->seqno != n->received_seqno + 1) {
if(inpkt->seqno >= n->received_seqno + replaywin * 8) { if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
if(n->farfuture++ < replaywin >> 2) { if(n->farfuture++ < replaywin >> 2) {
logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)", ifdebug(TRAFFIC) logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture); n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
return; return;
} }
logger(LOG_WARNING, "Lost %d packets from %s (%s)", ifdebug(TRAFFIC) logger(LOG_WARNING, "Lost %d packets from %s (%s)",
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname); inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
memset(n->late, 0, replaywin); memset(n->late, 0, replaywin);
} else if (inpkt->seqno <= n->received_seqno) { } else if (inpkt->seqno <= n->received_seqno) {
if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) { if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d", ifdebug(TRAFFIC) logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, inpkt->seqno, n->received_seqno); n->name, n->hostname, inpkt->seqno, n->received_seqno);
return; return;
} }
@ -479,10 +479,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
if(n->outcipher) { if(n->outcipher) {
outpkt = pkt[nextpkt++]; outpkt = pkt[nextpkt++];
if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
|| !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len) (unsigned char *) &inpkt->seqno, inpkt->len)
|| !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s", ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end; goto end;

48
src/net_setup.c
View file

@ -1,7 +1,7 @@
/* /*
net_setup.c -- Setup. net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -48,11 +48,22 @@
char *myport; char *myport;
devops_t devops; devops_t devops;
#ifndef HAVE_RSA_SET0_KEY
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
BN_free(r->n); r->n = n;
BN_free(r->e); r->e = e;
BN_free(r->d); r->d = d;
return 1;
}
#endif
bool read_rsa_public_key(connection_t *c) { bool read_rsa_public_key(connection_t *c) {
FILE *fp; FILE *fp;
char *pubname; char *pubname;
char *hcfname; char *hcfname;
char *key; char *key;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
if(!c->rsa_key) { if(!c->rsa_key) {
c->rsa_key = RSA_new(); c->rsa_key = RSA_new();
@ -62,12 +73,19 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */ /* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) { if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) { if(BN_hex2bn(&n, key) != strlen(key)) {
free(key);
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name); logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false; return false;
} }
BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key); free(key);
BN_hex2bn(&e, "FFFF");
if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
return false;
}
return true; return true;
} }
@ -158,27 +176,39 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) { static bool read_rsa_private_key(void) {
FILE *fp; FILE *fp;
char *fname, *key, *pubkey; char *fname, *key, *pubkey;
BIGNUM *n = NULL;
BIGNUM *e = NULL;
BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
myself->connection->rsa_key = RSA_new(); myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL); // RSA_blinding_on(myself->connection->rsa_key, NULL);
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) { if(BN_hex2bn(&d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!"); logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key); free(key);
return false; return false;
} }
free(key); free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false; return false;
} }
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) { if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!");
free(pubkey); free(pubkey);
BN_free(d);
logger(LOG_ERR, "Invalid PublicKey for myself!");
return false; return false;
} }
free(pubkey); free(pubkey);
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); BN_hex2bn(&e, "FFFF");
if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
BN_free(d);
BN_free(e);
BN_free(n);
logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
return false;
}
return true; return true;
} }
@ -623,7 +653,7 @@ static bool setup_myself(void) {
myself->incipher = EVP_bf_cbc(); myself->incipher = EVP_bf_cbc();
if(myself->incipher) if(myself->incipher)
myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len; myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else else
myself->inkeylength = 1; myself->inkeylength = 1;
@ -657,7 +687,7 @@ static bool setup_myself(void) {
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) { if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) { if(myself->indigest) {
if(myself->inmaclength > myself->indigest->md_size) { if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!"); logger(LOG_ERR, "MAC length exceeds size of digest!");
return false; return false;
} else if(myself->inmaclength < 0) { } else if(myself->inmaclength < 0) {

21
src/netutl.c
View file

@ -1,7 +1,7 @@
/* /*
netutl.c -- some supporting network utility code netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2015 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -231,6 +231,25 @@ void sockaddrunmap(sockaddr_t *sa) {
} }
} }
void sockaddr_setport(sockaddr_t *sa, const char *port) {
uint16_t portnum = htons(atoi(port));
if(!portnum)
return;
switch(sa->sa.sa_family) {
case AF_INET:
sa->in.sin_port = portnum;
break;
case AF_INET6:
sa->in6.sin6_port = portnum;
break;
case AF_UNKNOWN:
free(sa->unknown.port);
sa->unknown.port = xstrdup(port);
default:
return;
}
}
/* Subnet mask handling */ /* Subnet mask handling */
int maskcmp(const void *va, const void *vb, int masklen) { int maskcmp(const void *va, const void *vb, int masklen) {

3
src/netutl.h
View file

@ -1,7 +1,7 @@
/* /*
netutl.h -- header file for netutl.c netutl.h -- header file for netutl.c
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -34,6 +34,7 @@ extern int sockaddrcmp_noport(const sockaddr_t *, const sockaddr_t *);
extern void sockaddrunmap(sockaddr_t *); extern void sockaddrunmap(sockaddr_t *);
extern void sockaddrfree(sockaddr_t *); extern void sockaddrfree(sockaddr_t *);
extern void sockaddrcpy(sockaddr_t *, const sockaddr_t *); extern void sockaddrcpy(sockaddr_t *, const sockaddr_t *);
extern void sockaddr_setport(sockaddr_t *, const char *);
extern int maskcmp(const void *, const void *, int); extern int maskcmp(const void *, const void *, int);
extern void maskcpy(void *, const void *, int, int); extern void maskcpy(void *, const void *, int, int);
extern void mask(void *, int, int); extern void mask(void *, int, int);

16
src/node.c
View file

@ -1,6 +1,6 @@
/* /*
node.c -- node tree management node.c -- node tree management
Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -57,8 +57,10 @@ node_t *new_node(void) {
if(replaywin) n->late = xmalloc_and_zero(replaywin); if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree(); n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree(); n->edge_tree = new_edge_tree();
EVP_CIPHER_CTX_init(&n->inctx); n->inctx = EVP_CIPHER_CTX_new();
EVP_CIPHER_CTX_init(&n->outctx); n->outctx = EVP_CIPHER_CTX_new();
if(!n->inctx || !n->outctx)
abort();
n->mtu = MTU; n->mtu = MTU;
n->maxmtu = MTU; n->maxmtu = MTU;
@ -80,8 +82,8 @@ void free_node(node_t *n) {
sockaddrfree(&n->address); sockaddrfree(&n->address);
EVP_CIPHER_CTX_cleanup(&n->inctx); EVP_CIPHER_CTX_free(n->outctx);
EVP_CIPHER_CTX_cleanup(&n->outctx); EVP_CIPHER_CTX_free(n->inctx);
if(n->mtuevent) if(n->mtuevent)
event_del(n->mtuevent); event_del(n->mtuevent);
@ -172,8 +174,8 @@ void dump_nodes(void) {
for(node = node_tree->head; node; node = node->next) { for(node = node_tree->head; node; node = node->next) {
n = node->data; n = node->data;
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)", logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0, n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression, n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-", n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu); n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
} }

6
src/node.h
View file

@ -1,6 +1,6 @@
/* /*
node.h -- header for node.c node.h -- header for node.c
Copyright (C) 2001-2012 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -50,12 +50,12 @@ typedef struct node_t {
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */ const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
char *inkey; /* Cipher key and iv */ char *inkey; /* Cipher key and iv */
int inkeylength; /* Cipher key and iv length */ int inkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX inctx; /* Cipher context */ EVP_CIPHER_CTX *inctx; /* Cipher context */
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/ const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
char *outkey; /* Cipher key and iv */ char *outkey; /* Cipher key and iv */
int outkeylength; /* Cipher key and iv length */ int outkeylength; /* Cipher key and iv length */
EVP_CIPHER_CTX outctx; /* Cipher context */ EVP_CIPHER_CTX *outctx; /* Cipher context */
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */ const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
int inmaclength; /* Length of MAC */ int inmaclength; /* Length of MAC */

7
src/protocol.c
View file

@ -1,7 +1,7 @@
/* /*
protocol.c -- handle the meta-protocol, basic functions protocol.c -- handle the meta-protocol, basic functions
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -75,10 +75,11 @@ bool send_request(connection_t *c, const char *format, ...) {
input buffer anyway */ input buffer anyway */
va_start(args, format); va_start(args, format);
len = vsnprintf(buffer, MAXBUFSIZE, format, args); len = vsnprintf(buffer, sizeof buffer, format, args);
buffer[sizeof buffer - 1] = 0;
va_end(args); va_end(args);
if(len < 0 || len > MAXBUFSIZE - 1) { if(len < 0 || len > sizeof buffer - 1) {
logger(LOG_ERR, "Output buffer overflow while sending request to %s (%s)", logger(LOG_ERR, "Output buffer overflow while sending request to %s (%s)",
c->name, c->hostname); c->name, c->hostname);
return false; return false;

80
src/protocol_auth.c
View file

@ -1,7 +1,7 @@
/* /*
protocol_auth.c -- handle the meta-protocol, authentication protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2015 Guus Sliepen <guus@tinc-vpn.org> 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -125,8 +125,11 @@ bool send_metakey(connection_t *c) {
c->outkey = xrealloc(c->outkey, len); c->outkey = xrealloc(c->outkey, len);
if(!c->outctx) if(!c->outctx) {
c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); c->outctx = EVP_CIPHER_CTX_new();
if(!c->outctx)
abort();
}
/* Copy random data to the buffer */ /* Copy random data to the buffer */
@ -177,17 +180,17 @@ bool send_metakey(connection_t *c) {
/* Send the meta key */ /* Send the meta key */
x = send_request(c, "%d %d %d %d %d %s", METAKEY, x = send_request(c, "%d %d %d %d %d %s", METAKEY,
c->outcipher ? c->outcipher->nid : 0, c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
c->outdigest ? c->outdigest->type : 0, c->outmaclength, c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
c->outcompression, buffer); c->outcompression, buffer);
/* Further outgoing requests are encrypted with the key we just generated */ /* Further outgoing requests are encrypted with the key we just generated */
if(c->outcipher) { if(c->outcipher) {
if(!EVP_EncryptInit(c->outctx, c->outcipher, if(!EVP_EncryptInit(c->outctx, c->outcipher,
(unsigned char *)c->outkey + len - c->outcipher->key_len, (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
(unsigned char *)c->outkey + len - c->outcipher->key_len - (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
c->outcipher->iv_len)) { EVP_CIPHER_iv_length(c->outcipher))) {
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s", logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
@ -223,8 +226,11 @@ bool metakey_h(connection_t *c) {
c->inkey = xrealloc(c->inkey, len); c->inkey = xrealloc(c->inkey, len);
if(!c->inctx) if(!c->inctx) {
c->inctx = xmalloc_and_zero(sizeof(*c->inctx)); c->inctx = EVP_CIPHER_CTX_new();
if(!c->inctx)
abort();
}
/* Convert the challenge from hexadecimal back to binary */ /* Convert the challenge from hexadecimal back to binary */
@ -260,9 +266,9 @@ bool metakey_h(connection_t *c) {
} }
if(!EVP_DecryptInit(c->inctx, c->incipher, if(!EVP_DecryptInit(c->inctx, c->incipher,
(unsigned char *)c->inkey + len - c->incipher->key_len, (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
(unsigned char *)c->inkey + len - c->incipher->key_len - (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
c->incipher->iv_len)) { EVP_CIPHER_iv_length(c->incipher))) {
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s", logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
@ -283,7 +289,7 @@ bool metakey_h(connection_t *c) {
return false; return false;
} }
if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname); logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
return false; return false;
} }
@ -367,22 +373,29 @@ bool challenge_h(connection_t *c) {
bool send_chal_reply(connection_t *c) { bool send_chal_reply(connection_t *c) {
char hash[EVP_MAX_MD_SIZE * 2 + 1]; char hash[EVP_MAX_MD_SIZE * 2 + 1];
EVP_MD_CTX ctx; EVP_MD_CTX *ctx;
/* Calculate the hash from the challenge we received */ /* Calculate the hash from the challenge we received */
if(!EVP_DigestInit(&ctx, c->indigest) ctx = EVP_MD_CTX_create();
|| !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) if(!ctx)
|| !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) { abort();
if(!EVP_DigestInit(ctx, c->indigest)
|| !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s", logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
} }
EVP_MD_CTX_destroy(ctx);
/* Convert the hash to a hexadecimal formatted string */ /* Convert the hash to a hexadecimal formatted string */
bin2hex(hash, hash, c->indigest->md_size); bin2hex(hash, hash, EVP_MD_size(c->indigest));
hash[c->indigest->md_size * 2] = '\0'; hash[EVP_MD_size(c->indigest) * 2] = '\0';
/* Send the reply */ /* Send the reply */
@ -392,7 +405,7 @@ bool send_chal_reply(connection_t *c) {
bool chal_reply_h(connection_t *c) { bool chal_reply_h(connection_t *c) {
char hishash[MAX_STRING_SIZE]; char hishash[MAX_STRING_SIZE];
char myhash[EVP_MAX_MD_SIZE]; char myhash[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx; EVP_MD_CTX *ctx;
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name, logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
@ -402,7 +415,7 @@ bool chal_reply_h(connection_t *c) {
/* Check if the length of the hash is all right */ /* Check if the length of the hash is all right */
if(strlen(hishash) != c->outdigest->md_size * 2) { if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply length"); c->hostname, "wrong challenge reply length");
return false; return false;
@ -410,24 +423,31 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */ /* Convert the hash to binary format */
if(!hex2bin(hishash, hishash, c->outdigest->md_size)) { if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash"); logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false; return false;
} }
/* Calculate the hash from the challenge we sent */ /* Calculate the hash from the challenge we sent */
if(!EVP_DigestInit(&ctx, c->outdigest) ctx = EVP_MD_CTX_create();
|| !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) if(!ctx)
|| !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) { abort();
if(!EVP_DigestInit(ctx, c->outdigest)
|| !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
|| !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s", logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false; return false;
} }
EVP_MD_CTX_destroy(ctx);
/* Verify the incoming hash with the calculated hash */ /* Verify the incoming hash with the calculated hash */
if(memcmp(hishash, myhash, c->outdigest->md_size)) { if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply"); c->hostname, "wrong challenge reply");
@ -516,7 +536,6 @@ static void send_everything(connection_t *c) {
bool ack_h(connection_t *c) { bool ack_h(connection_t *c) {
char hisport[MAX_STRING_SIZE]; char hisport[MAX_STRING_SIZE];
char *hisaddress;
int weight, mtu; int weight, mtu;
uint32_t options; uint32_t options;
node_t *n; node_t *n;
@ -585,9 +604,8 @@ bool ack_h(connection_t *c) {
c->edge = new_edge(); c->edge = new_edge();
c->edge->from = myself; c->edge->from = myself;
c->edge->to = n; c->edge->to = n;
sockaddr2str(&c->address, &hisaddress, NULL); sockaddrcpy(&c->edge->address, &c->address);
c->edge->address = str2sockaddr(hisaddress, hisport); sockaddr_setport(&c->edge->address, hisport);
free(hisaddress);
c->edge->weight = (weight + c->estimated_weight) / 2; c->edge->weight = (weight + c->estimated_weight) / 2;
c->edge->connection = c; c->edge->connection = c;
c->edge->options = c->options; c->edge->options = c->options;

12
src/protocol_key.c
View file

@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
} }
if(to->incipher) if(to->incipher)
EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window // Reset sequence number and late packet window
mykeyused = true; mykeyused = true;
@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key, myself->name, to->name, key,
to->incipher ? to->incipher->nid : 0, to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
to->indigest ? to->indigest->type : 0, to->inmaclength, to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression); to->incompression);
} }
@ -268,7 +268,7 @@ bool ans_key_h(connection_t *c) {
return true; return true;
} }
if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) { if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname); from->hostname);
return true; return true;
@ -288,7 +288,7 @@ bool ans_key_h(connection_t *c) {
return true; return true;
} }
if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) { if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname); from->name, from->hostname);
return true; return true;
@ -305,7 +305,7 @@ bool ans_key_h(connection_t *c) {
from->outcompression = compression; from->outcompression = compression;
if(from->outcipher) if(from->outcipher)
if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) { if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true; return true;

39
src/tincd.c
View file

@ -336,7 +336,7 @@ static bool parse_options(int argc, char **argv) {
/* This function prettyprints the key generation process */ /* This function prettyprints the key generation process */
static void indicator(int a, int b, void *p) { static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) { switch (a) {
case 0: case 0:
fprintf(stderr, "."); fprintf(stderr, ".");
@ -368,21 +368,50 @@ static void indicator(int a, int b, void *p) {
default: default:
fprintf(stderr, "?"); fprintf(stderr, "?");
} }
return 1;
} }
#ifndef HAVE_BN_GENCB_NEW
BN_GENCB *BN_GENCB_new(void) {
return xmalloc_and_zero(sizeof(BN_GENCB));
}
void BN_GENCB_free(BN_GENCB *cb) {
free(cb);
}
#endif
/* /*
Generate a public/private RSA keypair, and ask for a file to store Generate a public/private RSA keypair, and ask for a file to store
them in. them in.
*/ */
static bool keygen(int bits) { static bool keygen(int bits) {
BIGNUM *e = NULL;
RSA *rsa_key; RSA *rsa_key;
FILE *f; FILE *f;
char *pubname, *privname; char *pubname, *privname;
BN_GENCB *cb;
int result;
fprintf(stderr, "Generating %d bits keys:\n", bits); fprintf(stderr, "Generating %d bits keys:\n", bits);
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
if(!rsa_key) { cb = BN_GENCB_new();
if(!cb)
abort();
BN_GENCB_set(cb, indicator, NULL);
rsa_key = RSA_new();
BN_hex2bn(&e, "10001");
if(!rsa_key || !e)
abort();
result = RSA_generate_key_ex(rsa_key, bits, e, cb);
BN_free(e);
BN_GENCB_free(cb);
if(!result) {
fprintf(stderr, "Error during key generation!\n"); fprintf(stderr, "Error during key generation!\n");
return false; return false;
} else } else
@ -702,7 +731,11 @@ end:
EVP_cleanup(); EVP_cleanup();
ENGINE_cleanup(); ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data(); CRYPTO_cleanup_all_ex_data();
#ifdef HAVE_ERR_REMOVE_STATE
// OpenSSL claims this function was deprecated in 1.0.0,
// but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
ERR_remove_state(0); ERR_remove_state(0);
#endif
ERR_free_strings(); ERR_free_strings();
exit_configuration(&config_tree); exit_configuration(&config_tree);

1
src/xmalloc.c
View file

@ -155,6 +155,7 @@ int xvasprintf(char **strp, const char *fmt, va_list ap) {
int result = vsnprintf(buf, sizeof buf, fmt, ap); int result = vsnprintf(buf, sizeof buf, fmt, ap);
if(result < 0) if(result < 0)
exit(xalloc_exit_failure); exit(xalloc_exit_failure);
buf[sizeof buf - 1] = 0;
*strp = xstrdup(buf); *strp = xstrdup(buf);
#else #else
int result = vasprintf(strp, fmt, ap); int result = vasprintf(strp, fmt, ap);