Import Upstream version 1.0.31
This commit is contained in:
parent
1077a20a8c
commit
81ce06b6c9
22 changed files with 250 additions and 93 deletions
2
COPYING
2
COPYING
|
@ -1,4 +1,4 @@
|
||||||
Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen and others.
|
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
|
||||||
See the AUTHORS file for a complete list.
|
See the AUTHORS file for a complete list.
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify it under
|
This program is free software; you can redistribute it and/or modify it under
|
||||||
|
|
25
ChangeLog
25
ChangeLog
|
@ -1,3 +1,28 @@
|
||||||
|
Version 1.0.31 January 15 2017
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Guus Sliepen (1):
|
||||||
|
Releasing 1.0.31.
|
||||||
|
|
||||||
|
Élie Bouttier (1):
|
||||||
|
Remove ExecStop in tinc@.service
|
||||||
|
|
||||||
|
Version 1.0.30 October 30 2016
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Guus Sliepen (11):
|
||||||
|
Allow non-empty lines after status code from a HTTP proxy.
|
||||||
|
Fix proxy reply parsing broken by the previous commit.
|
||||||
|
Log only the first line of a proxy request rejection message.
|
||||||
|
Delay sending the real ID request until after a proxy request is granted.
|
||||||
|
Use AES256 and SHA256 by default, also for the meta-connections.
|
||||||
|
Enforce maximum amount of bytes sent/received on meta-connections.
|
||||||
|
Fix bit shifting arithmetic so the code actually does what the last commit message says.
|
||||||
|
Really fix byte budget calculation.
|
||||||
|
Use AES in CTR mode instead of OFB mode for meta-connections.
|
||||||
|
Use CFB mode for meta-connections to improve security.
|
||||||
|
Releasing 1.0.30.
|
||||||
|
|
||||||
Version 1.0.29 October 09 2016
|
Version 1.0.29 October 09 2016
|
||||||
------------------------------------------------------------------------
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
14
NEWS
14
NEWS
|
@ -1,3 +1,17 @@
|
||||||
|
Version 1.0.31 January 15 2017
|
||||||
|
|
||||||
|
* Remove ExecStop in tinc@.service.
|
||||||
|
|
||||||
|
Thanks to Élie Bouttier for his contribution to this version of tinc.
|
||||||
|
|
||||||
|
Version 1.0.30 October 30 2016
|
||||||
|
|
||||||
|
* Fix troubles connecting to some HTTP proxies.
|
||||||
|
|
||||||
|
* Add mitigations for the Sweet32 attack when using a 64-bit block cipher.
|
||||||
|
|
||||||
|
* Use AES256 and SHA256 as the default encryption and digest algorithms.
|
||||||
|
|
||||||
Version 1.0.29 October 9 2016
|
Version 1.0.29 October 9 2016
|
||||||
|
|
||||||
* Fix UDP communication with peers with link-local IPv6 addresses.
|
* Fix UDP communication with peers with link-local IPv6 addresses.
|
||||||
|
|
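Review bot: the 1.0.30 entry "Add mitigations for the Sweet32 attack when using a 64-bit block cipher" does not say what the mitigation is or whether an operator has to change anything; the ChangeLog in this same commit lists it as "Enforce maximum amount of bytes sent/received on meta-connections" alongside "Use AES256 and SHA256 by default, also for the meta-connections". Name the mechanism here (a limit on how much data one meta-connection key may protect) and say that the stronger default only applies to nodes that have not pinned an explicit cipher, so readers can tell which part of the mitigation they get automatically.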
25
README
25
README
|
@ -1,7 +1,7 @@
|
||||||
This is the README file for tinc version 1.0.29. Installation
|
This is the README file for tinc version 1.0.31. Installation
|
||||||
instructions may be found in the INSTALL file.
|
instructions may be found in the INSTALL file.
|
||||||
|
|
||||||
tinc is Copyright (C) 1998-2016 by:
|
tinc is Copyright (C) 1998-2017 by:
|
||||||
|
|
||||||
Ivo Timmermans,
|
Ivo Timmermans,
|
||||||
Guus Sliepen <guus@tinc-vpn.org>,
|
Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
|
@ -39,6 +39,8 @@ practice and that the default length of the HMAC for packets is too short in
|
||||||
his opinion. We do not know of a way to exploit these weaknesses, but these
|
his opinion. We do not know of a way to exploit these weaknesses, but these
|
||||||
issues are being addressed in the tinc 1.1 branch.
|
issues are being addressed in the tinc 1.1 branch.
|
||||||
|
|
||||||
|
The Sweet32 attack affects versions of tinc prior to 1.0.30.
|
||||||
|
|
||||||
Cryptography is a hard thing to get right. We cannot make any
|
Cryptography is a hard thing to get right. We cannot make any
|
||||||
guarantees. Time, review and feedback are the only things that can
|
guarantees. Time, review and feedback are the only things that can
|
||||||
prove the security of any cryptographic product. If you wish to review
|
prove the security of any cryptographic product. If you wish to review
|
||||||
|
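Review bot: the added sentence "The Sweet32 attack affects versions of tinc prior to 1.0.30." follows directly on "We do not know of a way to exploit these weaknesses, but these issues are being addressed in the tinc 1.1 branch", so it reads as if Sweet32 were also unexploitable and also deferred to 1.1. Start it as its own paragraph and state what 1.0.30 changed (per the ChangeLog: a byte budget on meta-connections and AES256 as the default cipher), and point at the NEWS entry for nodes still using a 64-bit block cipher, so a known, practical attack is not lumped in with the theoretical concerns above it.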
@ -52,22 +54,25 @@ Some configuration variables have different names now. Most notably "TapDevice"
|
||||||
should be changed into "Device", and "Device" should be changed into
|
should be changed into "Device", and "Device" should be changed into
|
||||||
"BindToDevice".
|
"BindToDevice".
|
||||||
|
|
||||||
|
|
||||||
Compatibility
|
Compatibility
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older
|
Version 1.0.31 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||||
versions of tinc.
|
versions of tinc. Note that since version 1.0.30, tinc requires all nodes in
|
||||||
|
the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the
|
||||||
|
AES256 and SHA256 algorithms.
|
||||||
|
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you
|
Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you need to
|
||||||
need to install this library first; grab it from
|
install this library first; grab it from http://www.openssl.org/. You will
|
||||||
http://www.openssl.org/. You will need version 0.9.7 or later. If
|
need version 1.0.1 or later with support for AES256 and SHA256 enabled. If
|
||||||
this library is not installed on you system, configure will fail. The
|
this library is not installed on you system, configure will fail. The manual
|
||||||
manual in doc/tinc.texi contains more detailed information on how to
|
in doc/tinc.texi contains more detailed information on how to install this
|
||||||
install this library.
|
library. Alternatively, you may also use LibreSSL.
|
||||||
|
|
||||||
Since 1.0pre6, the zlib library is used for optional compression. You can
|
Since 1.0pre6, the zlib library is used for optional compression. You can
|
||||||
find it at http://www.gzip.org/zlib/. Because of a possible exploit in
|
find it at http://www.gzip.org/zlib/. Because of a possible exploit in
|
||||||
|
|
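Review bot: the context line "If this library is not installed on you system, configure will fail." carries a typo ("you" for "your") through the rewrap; since the hunk reflows every line of this paragraph anyway, fix it here. Separately, the compatibility paragraph now says both "Version 1.0.31 is compatible with 1.0pre8, 1.0 and later" and that "since version 1.0.30, tinc requires all nodes in the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the AES256 and SHA256 algorithms"; make the first statement conditional on the second (e.g. "compatible with 1.0pre8, 1.0 and later, provided every node ..."), so an operator with an older peer does not read it as an unconditional guarantee.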
1
THANKS
1
THANKS
|
@ -15,6 +15,7 @@ We would like to thank the following people for their contributions to tinc:
|
||||||
* David Pflug
|
* David Pflug
|
||||||
* Delf Eldkraft
|
* Delf Eldkraft
|
||||||
* dnk
|
* dnk
|
||||||
|
* Élie Bouttier
|
||||||
* Enrique Zanardi
|
* Enrique Zanardi
|
||||||
* Florent Clairambault
|
* Florent Clairambault
|
||||||
* Florian Weik
|
* Florian Weik
|
||||||
|
|
28
config.guess
vendored
28
config.guess
vendored
|
@ -2,7 +2,7 @@
|
||||||
# Attempt to guess a canonical system name.
|
# Attempt to guess a canonical system name.
|
||||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||||
|
|
||||||
timestamp='2016-04-02'
|
timestamp='2016-10-02'
|
||||||
|
|
||||||
# This file is free software; you can redistribute it and/or modify it
|
# This file is free software; you can redistribute it and/or modify it
|
||||||
# under the terms of the GNU General Public License as published by
|
# under the terms of the GNU General Public License as published by
|
||||||
|
@ -186,9 +186,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||||
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
|
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
|
||||||
esac
|
esac
|
||||||
# The Operating System including object format, if it has switched
|
# The Operating System including object format, if it has switched
|
||||||
# to ELF recently, or will in the future.
|
# to ELF recently (or will in the future) and ABI.
|
||||||
case "${UNAME_MACHINE_ARCH}" in
|
case "${UNAME_MACHINE_ARCH}" in
|
||||||
arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax)
|
earm*)
|
||||||
|
os=netbsdelf
|
||||||
|
;;
|
||||||
|
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
|
||||||
eval $set_cc_for_build
|
eval $set_cc_for_build
|
||||||
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||||
| grep -q __ELF__
|
| grep -q __ELF__
|
||||||
|
@ -997,6 +1000,9 @@ EOF
|
||||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
||||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
||||||
;;
|
;;
|
||||||
|
mips64el:Linux:*:*)
|
||||||
|
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||||
|
exit ;;
|
||||||
openrisc*:Linux:*:*)
|
openrisc*:Linux:*:*)
|
||||||
echo or1k-unknown-linux-${LIBC}
|
echo or1k-unknown-linux-${LIBC}
|
||||||
exit ;;
|
exit ;;
|
||||||
|
@ -1029,6 +1035,9 @@ EOF
|
||||||
ppcle:Linux:*:*)
|
ppcle:Linux:*:*)
|
||||||
echo powerpcle-unknown-linux-${LIBC}
|
echo powerpcle-unknown-linux-${LIBC}
|
||||||
exit ;;
|
exit ;;
|
||||||
|
riscv32:Linux:*:* | riscv64:Linux:*:*)
|
||||||
|
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||||
|
exit ;;
|
||||||
s390:Linux:*:* | s390x:Linux:*:*)
|
s390:Linux:*:* | s390x:Linux:*:*)
|
||||||
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
|
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
|
||||||
exit ;;
|
exit ;;
|
||||||
|
@ -1408,18 +1417,17 @@ esac
|
||||||
cat >&2 <<EOF
|
cat >&2 <<EOF
|
||||||
$0: unable to guess system type
|
$0: unable to guess system type
|
||||||
|
|
||||||
This script, last modified $timestamp, has failed to recognize
|
This script (version $timestamp), has failed to recognize the
|
||||||
the operating system you are using. It is advised that you
|
operating system you are using. If your script is old, overwrite
|
||||||
download the most up to date version of the config scripts from
|
config.guess and config.sub with the latest versions from:
|
||||||
|
|
||||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
|
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
|
||||||
and
|
and
|
||||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
|
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
|
||||||
|
|
||||||
If the version you run ($0) is already up to date, please
|
If $0 has already been updated, send the following data and any
|
||||||
send the following data and any information you think might be
|
information you think might be pertinent to config-patches@gnu.org to
|
||||||
pertinent to <config-patches@gnu.org> in order to provide the needed
|
provide the necessary information to handle your system.
|
||||||
information to handle your system.
|
|
||||||
|
|
||||||
config.guess timestamp = $timestamp
|
config.guess timestamp = $timestamp
|
||||||
|
|
||||||
|
|
|
@ -36,6 +36,10 @@
|
||||||
/* Darwin (MacOS/X) */
|
/* Darwin (MacOS/X) */
|
||||||
#undef HAVE_DARWIN
|
#undef HAVE_DARWIN
|
||||||
|
|
||||||
|
/* Define to 1 if you have the declaration of `EVP_aes_256_cfb', and to 0 if
|
||||||
|
you don't. */
|
||||||
|
#undef HAVE_DECL_EVP_AES_256_CFB
|
||||||
|
|
||||||
/* Define to 1 if you have the declaration of `freeaddrinfo', and to 0 if you
|
/* Define to 1 if you have the declaration of `freeaddrinfo', and to 0 if you
|
||||||
don't. */
|
don't. */
|
||||||
#undef HAVE_DECL_FREEADDRINFO
|
#undef HAVE_DECL_FREEADDRINFO
|
||||||
|
@ -52,6 +56,10 @@
|
||||||
don't. */
|
don't. */
|
||||||
#undef HAVE_DECL_GETNAMEINFO
|
#undef HAVE_DECL_GETNAMEINFO
|
||||||
|
|
||||||
|
/* Define to 1 if you have the declaration of `OpenSSL_add_all_algorithms',
|
||||||
|
and to 0 if you don't. */
|
||||||
|
#undef HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
|
||||||
|
|
||||||
/* Define to 1 if you have the declaration of `res_init', and to 0 if you
|
/* Define to 1 if you have the declaration of `res_init', and to 0 if you
|
||||||
don't. */
|
don't. */
|
||||||
#undef HAVE_DECL_RES_INIT
|
#undef HAVE_DECL_RES_INIT
|
||||||
|
|
22
config.sub
vendored
22
config.sub
vendored
|
@ -2,7 +2,7 @@
|
||||||
# Configuration validation subroutine script.
|
# Configuration validation subroutine script.
|
||||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||||
|
|
||||||
timestamp='2016-03-30'
|
timestamp='2016-11-04'
|
||||||
|
|
||||||
# This file is free software; you can redistribute it and/or modify it
|
# This file is free software; you can redistribute it and/or modify it
|
||||||
# under the terms of the GNU General Public License as published by
|
# under the terms of the GNU General Public License as published by
|
||||||
|
@ -117,7 +117,7 @@ case $maybe_os in
|
||||||
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
|
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
|
||||||
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
|
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
|
||||||
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
|
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
|
||||||
kopensolaris*-gnu* | \
|
kopensolaris*-gnu* | cloudabi*-eabi* | \
|
||||||
storm-chaos* | os2-emx* | rtmk-nova*)
|
storm-chaos* | os2-emx* | rtmk-nova*)
|
||||||
os=-$maybe_os
|
os=-$maybe_os
|
||||||
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
|
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
|
||||||
|
@ -301,6 +301,7 @@ case $basic_machine in
|
||||||
| open8 | or1k | or1knd | or32 \
|
| open8 | or1k | or1knd | or32 \
|
||||||
| pdp10 | pdp11 | pj | pjl \
|
| pdp10 | pdp11 | pj | pjl \
|
||||||
| powerpc | powerpc64 | powerpc64le | powerpcle \
|
| powerpc | powerpc64 | powerpc64le | powerpcle \
|
||||||
|
| pru \
|
||||||
| pyramid \
|
| pyramid \
|
||||||
| riscv32 | riscv64 \
|
| riscv32 | riscv64 \
|
||||||
| rl78 | rx \
|
| rl78 | rx \
|
||||||
|
@ -428,6 +429,7 @@ case $basic_machine in
|
||||||
| orion-* \
|
| orion-* \
|
||||||
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
|
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
|
||||||
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
|
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
|
||||||
|
| pru-* \
|
||||||
| pyramid-* \
|
| pyramid-* \
|
||||||
| riscv32-* | riscv64-* \
|
| riscv32-* | riscv64-* \
|
||||||
| rl78-* | romp-* | rs6000-* | rx-* \
|
| rl78-* | romp-* | rs6000-* | rx-* \
|
||||||
|
@ -643,6 +645,14 @@ case $basic_machine in
|
||||||
basic_machine=m68k-bull
|
basic_machine=m68k-bull
|
||||||
os=-sysv3
|
os=-sysv3
|
||||||
;;
|
;;
|
||||||
|
e500v[12])
|
||||||
|
basic_machine=powerpc-unknown
|
||||||
|
os=$os"spe"
|
||||||
|
;;
|
||||||
|
e500v[12]-*)
|
||||||
|
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||||
|
os=$os"spe"
|
||||||
|
;;
|
||||||
ebmon29k)
|
ebmon29k)
|
||||||
basic_machine=a29k-amd
|
basic_machine=a29k-amd
|
||||||
os=-ebmon
|
os=-ebmon
|
||||||
|
@ -1022,7 +1032,7 @@ case $basic_machine in
|
||||||
ppc-* | ppcbe-*)
|
ppc-* | ppcbe-*)
|
||||||
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
|
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||||
;;
|
;;
|
||||||
ppcle | powerpclittle | ppc-le | powerpc-little)
|
ppcle | powerpclittle)
|
||||||
basic_machine=powerpcle-unknown
|
basic_machine=powerpcle-unknown
|
||||||
;;
|
;;
|
||||||
ppcle-* | powerpclittle-*)
|
ppcle-* | powerpclittle-*)
|
||||||
|
@ -1032,7 +1042,7 @@ case $basic_machine in
|
||||||
;;
|
;;
|
||||||
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
|
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||||
;;
|
;;
|
||||||
ppc64le | powerpc64little | ppc64-le | powerpc64-little)
|
ppc64le | powerpc64little)
|
||||||
basic_machine=powerpc64le-unknown
|
basic_machine=powerpc64le-unknown
|
||||||
;;
|
;;
|
||||||
ppc64le-* | powerpc64little-*)
|
ppc64le-* | powerpc64little-*)
|
||||||
|
@ -1389,7 +1399,7 @@ case $os in
|
||||||
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
|
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
|
||||||
| -chorusos* | -chorusrdb* | -cegcc* \
|
| -chorusos* | -chorusrdb* | -cegcc* \
|
||||||
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
|
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
|
||||||
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
| -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
||||||
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
|
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
|
||||||
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
|
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
|
||||||
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
|
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
|
||||||
|
@ -1399,7 +1409,7 @@ case $os in
|
||||||
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
||||||
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
||||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
|
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
|
||||||
| -onefs* | -tirtos*)
|
| -onefs* | -tirtos* | -phoenix* | -fuchsia*)
|
||||||
# Remember, each alternative MUST END IN *, to match a version number.
|
# Remember, each alternative MUST END IN *, to match a version number.
|
||||||
;;
|
;;
|
||||||
-qnx*)
|
-qnx*)
|
||||||
|
|
46
configure
vendored
46
configure
vendored
|
@ -1,6 +1,6 @@
|
||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# Guess values for system-dependent variables and create Makefiles.
|
# Guess values for system-dependent variables and create Makefiles.
|
||||||
# Generated by GNU Autoconf 2.69 for tinc 1.0.29.
|
# Generated by GNU Autoconf 2.69 for tinc 1.0.31.
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
|
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
|
||||||
|
@ -577,8 +577,8 @@ MAKEFLAGS=
|
||||||
# Identity of this package.
|
# Identity of this package.
|
||||||
PACKAGE_NAME='tinc'
|
PACKAGE_NAME='tinc'
|
||||||
PACKAGE_TARNAME='tinc'
|
PACKAGE_TARNAME='tinc'
|
||||||
PACKAGE_VERSION='1.0.29'
|
PACKAGE_VERSION='1.0.31'
|
||||||
PACKAGE_STRING='tinc 1.0.29'
|
PACKAGE_STRING='tinc 1.0.31'
|
||||||
PACKAGE_BUGREPORT=''
|
PACKAGE_BUGREPORT=''
|
||||||
PACKAGE_URL=''
|
PACKAGE_URL=''
|
||||||
|
|
||||||
|
@ -1331,7 +1331,7 @@ if test "$ac_init_help" = "long"; then
|
||||||
# Omit some internal or obsolete options to make the list less imposing.
|
# Omit some internal or obsolete options to make the list less imposing.
|
||||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||||
cat <<_ACEOF
|
cat <<_ACEOF
|
||||||
\`configure' configures tinc 1.0.29 to adapt to many kinds of systems.
|
\`configure' configures tinc 1.0.31 to adapt to many kinds of systems.
|
||||||
|
|
||||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||||
|
|
||||||
|
@ -1402,7 +1402,7 @@ fi
|
||||||
|
|
||||||
if test -n "$ac_init_help"; then
|
if test -n "$ac_init_help"; then
|
||||||
case $ac_init_help in
|
case $ac_init_help in
|
||||||
short | recursive ) echo "Configuration of tinc 1.0.29:";;
|
short | recursive ) echo "Configuration of tinc 1.0.31:";;
|
||||||
esac
|
esac
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
|
|
||||||
|
@ -1528,7 +1528,7 @@ fi
|
||||||
test -n "$ac_init_help" && exit $ac_status
|
test -n "$ac_init_help" && exit $ac_status
|
||||||
if $ac_init_version; then
|
if $ac_init_version; then
|
||||||
cat <<\_ACEOF
|
cat <<\_ACEOF
|
||||||
tinc configure 1.0.29
|
tinc configure 1.0.31
|
||||||
generated by GNU Autoconf 2.69
|
generated by GNU Autoconf 2.69
|
||||||
|
|
||||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||||
|
@ -1993,7 +1993,7 @@ cat >config.log <<_ACEOF
|
||||||
This file contains any messages produced by compilers while
|
This file contains any messages produced by compilers while
|
||||||
running configure, to aid debugging if configure makes a mistake.
|
running configure, to aid debugging if configure makes a mistake.
|
||||||
|
|
||||||
It was created by tinc $as_me 1.0.29, which was
|
It was created by tinc $as_me 1.0.31, which was
|
||||||
generated by GNU Autoconf 2.69. Invocation command line was
|
generated by GNU Autoconf 2.69. Invocation command line was
|
||||||
|
|
||||||
$ $0 $@
|
$ $0 $@
|
||||||
|
@ -2857,7 +2857,7 @@ fi
|
||||||
|
|
||||||
# Define the identity of the package.
|
# Define the identity of the package.
|
||||||
PACKAGE='tinc'
|
PACKAGE='tinc'
|
||||||
VERSION='1.0.29'
|
VERSION='1.0.31'
|
||||||
|
|
||||||
|
|
||||||
cat >>confdefs.h <<_ACEOF
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
@ -7172,6 +7172,32 @@ done
|
||||||
|
|
||||||
"
|
"
|
||||||
if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
|
if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
|
||||||
|
ac_have_decl=1
|
||||||
|
else
|
||||||
|
ac_have_decl=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
#define HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS $ac_have_decl
|
||||||
|
_ACEOF
|
||||||
|
if test $ac_have_decl = 1; then :
|
||||||
|
|
||||||
|
else
|
||||||
|
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
|
||||||
|
fi
|
||||||
|
ac_fn_c_check_decl "$LINENO" "EVP_aes_256_cfb" "ac_cv_have_decl_EVP_aes_256_cfb" "#include <openssl/evp.h>
|
||||||
|
|
||||||
|
"
|
||||||
|
if test "x$ac_cv_have_decl_EVP_aes_256_cfb" = xyes; then :
|
||||||
|
ac_have_decl=1
|
||||||
|
else
|
||||||
|
ac_have_decl=0
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
#define HAVE_DECL_EVP_AES_256_CFB $ac_have_decl
|
||||||
|
_ACEOF
|
||||||
|
if test $ac_have_decl = 1; then :
|
||||||
|
|
||||||
else
|
else
|
||||||
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
|
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
|
||||||
|
@ -7781,7 +7807,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||||
# report actual input values of CONFIG_FILES etc. instead of their
|
# report actual input values of CONFIG_FILES etc. instead of their
|
||||||
# values after options handling.
|
# values after options handling.
|
||||||
ac_log="
|
ac_log="
|
||||||
This file was extended by tinc $as_me 1.0.29, which was
|
This file was extended by tinc $as_me 1.0.31, which was
|
||||||
generated by GNU Autoconf 2.69. Invocation command line was
|
generated by GNU Autoconf 2.69. Invocation command line was
|
||||||
|
|
||||||
CONFIG_FILES = $CONFIG_FILES
|
CONFIG_FILES = $CONFIG_FILES
|
||||||
|
@ -7847,7 +7873,7 @@ _ACEOF
|
||||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||||
ac_cs_version="\\
|
ac_cs_version="\\
|
||||||
tinc config.status 1.0.29
|
tinc config.status 1.0.31
|
||||||
configured by $0, generated by GNU Autoconf 2.69,
|
configured by $0, generated by GNU Autoconf 2.69,
|
||||||
with options \\"\$ac_cs_config\\"
|
with options \\"\$ac_cs_config\\"
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
dnl Process this file with autoconf to produce a configure script.
|
dnl Process this file with autoconf to produce a configure script.
|
||||||
|
|
||||||
AC_PREREQ(2.61)
|
AC_PREREQ(2.61)
|
||||||
AC_INIT([tinc], [1.0.29])
|
AC_INIT([tinc], [1.0.31])
|
||||||
AC_CONFIG_SRCDIR([src/tincd.c])
|
AC_CONFIG_SRCDIR([src/tincd.c])
|
||||||
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
|
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
|
||||||
AC_CONFIG_HEADERS([config.h])
|
AC_CONFIG_HEADERS([config.h])
|
||||||
|
|
|
@ -8,7 +8,6 @@ Type=simple
|
||||||
WorkingDirectory=/etc/tinc/%i
|
WorkingDirectory=/etc/tinc/%i
|
||||||
ExecStart=/usr/sbin/tincd -n %i -D
|
ExecStart=/usr/sbin/tincd -n %i -D
|
||||||
ExecReload=/usr/sbin/tincd -n %i -kHUP
|
ExecReload=/usr/sbin/tincd -n %i -kHUP
|
||||||
ExecStop=/usr/sbin/tincd -n %i -k
|
|
||||||
TimeoutStopSec=5
|
TimeoutStopSec=5
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=60
|
RestartSec=60
|
||||||
|
|
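Review bot: the removal of "ExecStop=/usr/sbin/tincd -n %i -k" is not explained in the hunk, the ChangeLog or the NEWS entry ("Remove ExecStop in tinc@.service."). Because the unit is Type=simple with ExecStart running tincd in the foreground (-D), systemd's default stop behaviour now applies: SIGTERM to the unit's control group, bounded by the existing TimeoutStopSec=5 and followed by SIGKILL, so this is a simplification rather than a change in effective shutdown behaviour. Record that rationale in the NEWS entry; the remaining ExecReload still goes through tincd's own signalling (-kHUP) and is unaffected.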
|
@ -1,4 +1,4 @@
|
||||||
.Dd 2016-04-10
|
.Dd 2016-10-29
|
||||||
.Dt TINC.CONF 5
|
.Dt TINC.CONF 5
|
||||||
.\" Manual page created by:
|
.\" Manual page created by:
|
||||||
.\" Ivo Timmermans
|
.\" Ivo Timmermans
|
||||||
|
@ -468,7 +468,7 @@ Multiple
|
||||||
.Va Address
|
.Va Address
|
||||||
variables can be specified, in which case each address will be tried until a working
|
variables can be specified, in which case each address will be tried until a working
|
||||||
connection has been established.
|
connection has been established.
|
||||||
.It Va Cipher Li = Ar cipher Pq blowfish
|
.It Va Cipher Li = Ar cipher Pq aes-256-cbc
|
||||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||||
Any cipher supported by LibreSSL or OpenSSL is recognised.
|
Any cipher supported by LibreSSL or OpenSSL is recognised.
|
||||||
Furthermore, specifying
|
Furthermore, specifying
|
||||||
|
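Review bot: the default change in ".It Va Cipher Li = Ar cipher Pq aes-256-cbc" means the cipher named in a host configuration file must be supported by the peers that exchange UDP packets with that host; the README hunk in this commit adds exactly that requirement ("all nodes in the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the AES256 and SHA256 algorithms"), but the text below the variable still only says "Any cipher supported by LibreSSL or OpenSSL is recognised." Add one sentence here (and in the matching Digest entry, whose default becomes sha256) stating that the chosen cipher and digest must be available on all peers. Also, ".Dd 2016-10-29" predates the January 15 2017 release date the ChangeLog gives for 1.0.31; bump it when the page is next edited.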
@ -483,7 +483,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
||||||
This option sets the level of compression used for UDP packets.
|
This option sets the level of compression used for UDP packets.
|
||||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||||
10 (fast lzo) and 11 (best lzo).
|
10 (fast lzo) and 11 (best lzo).
|
||||||
.It Va Digest Li = Ar digest Pq sha1
|
.It Va Digest Li = Ar digest Pq sha256
|
||||||
The digest algorithm used to authenticate UDP packets.
|
The digest algorithm used to authenticate UDP packets.
|
||||||
Any digest supported by LibreSSL or OpenSSL is recognised.
|
Any digest supported by LibreSSL or OpenSSL is recognised.
|
||||||
Furthermore, specifying
|
Furthermore, specifying
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
This is tinc.info, produced by makeinfo version 6.1 from tinc.texi.
|
This is tinc.info, produced by makeinfo version 6.3 from tinc.texi.
|
||||||
|
|
||||||
INFO-DIR-SECTION Networking tools
|
INFO-DIR-SECTION Networking tools
|
||||||
START-INFO-DIR-ENTRY
|
START-INFO-DIR-ENTRY
|
||||||
* tinc: (tinc). The tinc Manual.
|
* tinc: (tinc). The tinc Manual.
|
||||||
END-INFO-DIR-ENTRY
|
END-INFO-DIR-ENTRY
|
||||||
|
|
||||||
This is the info manual for tinc version 1.0.27, a Virtual Private
|
This is the info manual for tinc version 1.0.29, a Virtual Private
|
||||||
Network daemon.
|
Network daemon.
|
||||||
|
|
||||||
Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen
|
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen
|
||||||
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
|
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
|
||||||
|
|
||||||
Permission is granted to make and distribute verbatim copies of this
|
Permission is granted to make and distribute verbatim copies of this
|
||||||
|
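Review bot: the new line "This is the info manual for tinc version 1.0.29" is already stale; configure.in and README in this same commit are at 1.0.31, and the old line (1.0.27) shows the manual has lagged the release before. tinc.info is generated from tinc.texi, so the version string presumably comes from there; bump it at the source and regenerate rather than editing the generated file.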
@ -1053,7 +1053,7 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
|
||||||
can be specified, in which case each address will be tried until a
|
can be specified, in which case each address will be tried until a
|
||||||
working connection has been established.
|
working connection has been established.
|
||||||
|
|
||||||
Cipher = <CIPHER> (blowfish)
|
Cipher = <CIPHER> (aes-256-cbc)
|
||||||
The symmetric cipher algorithm used to encrypt UDP packets. Any
|
The symmetric cipher algorithm used to encrypt UDP packets. Any
|
||||||
cipher supported by LibreSSL or OpenSSL is recognized.
|
cipher supported by LibreSSL or OpenSSL is recognized.
|
||||||
Furthermore, specifying "none" will turn off packet encryption. It
|
Furthermore, specifying "none" will turn off packet encryption. It
|
||||||
|
@ -1070,7 +1070,7 @@ Compression = <LEVEL> (0)
|
||||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9
|
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9
|
||||||
(best zlib), 10 (fast lzo) and 11 (best lzo).
|
(best zlib), 10 (fast lzo) and 11 (best lzo).
|
||||||
|
|
||||||
Digest = <DIGEST> (sha1)
|
Digest = <DIGEST> (sha256)
|
||||||
The digest algorithm used to authenticate UDP packets. Any digest
|
The digest algorithm used to authenticate UDP packets. Any digest
|
||||||
supported by LibreSSL or OpenSSL is recognized. Furthermore,
|
supported by LibreSSL or OpenSSL is recognized. Furthermore,
|
||||||
specifying "none" will turn off packet authentication.
|
specifying "none" will turn off packet authentication.
|
||||||
|
@ -2683,33 +2683,33 @@ Node: How connections work23220
|
||||||
Node: Configuration files24442
|
Node: Configuration files24442
|
||||||
Node: Main configuration variables25936
|
Node: Main configuration variables25936
|
||||||
Node: Host configuration variables42193
|
Node: Host configuration variables42193
|
||||||
Node: Scripts47720
|
Node: Scripts47725
|
||||||
Node: How to configure50986
|
Node: How to configure50991
|
||||||
Node: Generating keypairs52244
|
Node: Generating keypairs52249
|
||||||
Node: Network interfaces52743
|
Node: Network interfaces52748
|
||||||
Node: Example configuration54591
|
Node: Example configuration54596
|
||||||
Node: Running tinc59916
|
Node: Running tinc59921
|
||||||
Node: Runtime options60506
|
Node: Runtime options60511
|
||||||
Node: Signals63808
|
Node: Signals63813
|
||||||
Node: Debug levels64999
|
Node: Debug levels65004
|
||||||
Node: Solving problems65935
|
Node: Solving problems65940
|
||||||
Node: Error messages67487
|
Node: Error messages67492
|
||||||
Node: Sending bug reports71496
|
Node: Sending bug reports71501
|
||||||
Node: Technical information72443
|
Node: Technical information72448
|
||||||
Node: The connection72674
|
Node: The connection72679
|
||||||
Node: The UDP tunnel72986
|
Node: The UDP tunnel72991
|
||||||
Node: The meta-connection76047
|
Node: The meta-connection76052
|
||||||
Node: The meta-protocol77516
|
Node: The meta-protocol77521
|
||||||
Node: Security82533
|
Node: Security82538
|
||||||
Node: Authentication protocol83675
|
Node: Authentication protocol83680
|
||||||
Node: Encryption of network packets88720
|
Node: Encryption of network packets88725
|
||||||
Node: Security issues90096
|
Node: Security issues90101
|
||||||
Node: Platform specific information91735
|
Node: Platform specific information91740
|
||||||
Node: Interface configuration91963
|
Node: Interface configuration91968
|
||||||
Node: Routes94434
|
Node: Routes94439
|
||||||
Node: About us96448
|
Node: About us96453
|
||||||
Node: Contact information96623
|
Node: Contact information96628
|
||||||
Node: Authors97026
|
Node: Authors97031
|
||||||
Node: Concept Index97431
|
Node: Concept Index97436
|
||||||
|
|
||||||
End Tag Table
|
End Tag Table
|
||||||
|
|
|
@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
|
||||||
tried until a working connection has been established.
|
tried until a working connection has been established.
|
||||||
|
|
||||||
@cindex Cipher
|
@cindex Cipher
|
||||||
@item Cipher = <@var{cipher}> (blowfish)
|
@item Cipher = <@var{cipher}> (aes-256-cbc)
|
||||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||||
Any cipher supported by LibreSSL or OpenSSL is recognized.
|
Any cipher supported by LibreSSL or OpenSSL is recognized.
|
||||||
Furthermore, specifying "none" will turn off packet encryption.
|
Furthermore, specifying "none" will turn off packet encryption.
|
||||||
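Review bot: the Cipher entry still describes only UDP packet encryption, but after this commit the key length of the configured Cipher also selects the AES-CFB key size for the meta-connection (the net_setup.c change picks EVP_aes_128_cfb, EVP_aes_192_cfb or EVP_aes_256_cfb from it). Add a sentence here saying that a Cipher with a 128-bit key also puts the meta-connection on AES-128-CFB, and what is used when Cipher is "none", so the documented default (aes-256-cbc) reads as the choice that gives AES-256 on both channels.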
|
@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||||
10 (fast lzo) and 11 (best lzo).
|
10 (fast lzo) and 11 (best lzo).
|
||||||
|
|
||||||
@cindex Digest
|
@cindex Digest
|
||||||
@item Digest = <@var{digest}> (sha1)
|
@item Digest = <@var{digest}> (sha256)
|
||||||
The digest algorithm used to authenticate UDP packets.
|
The digest algorithm used to authenticate UDP packets.
|
||||||
Any digest supported by LibreSSL or OpenSSL is recognized.
|
Any digest supported by LibreSSL or OpenSSL is recognized.
|
||||||
Furthermore, specifying "none" will turn off packet authentication.
|
Furthermore, specifying "none" will turn off packet authentication.
|
||||||
|
|
|
@ -49,7 +49,7 @@ AC_DEFUN([tinc_OPENSSL],
|
||||||
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||||
)
|
)
|
||||||
|
|
||||||
AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
|
AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
|
||||||
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||||
[#include <openssl/evp.h>]
|
[#include <openssl/evp.h>]
|
||||||
)
|
)
|
||||||
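Review bot: only EVP_aes_256_cfb is added to the declaration check, while the code in this commit also relies on EVP_aes_128_cfb and EVP_aes_192_cfb (meta-connection cipher selection in net_setup.c) and on the new defaults EVP_aes_256_cbc and EVP_sha256. Listing them all, e.g. `AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_128_cfb, EVP_aes_192_cfb, EVP_aes_256_cfb, EVP_aes_256_cbc, EVP_sha256], ,`, keeps a LibreSSL/OpenSSL build without one of them failing at configure time with this message rather than at compile time.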
|
|
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
connection.c -- connection list management
|
connection.c -- connection list management
|
||||||
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
2000-2005 Ivo Timmermans
|
2000-2005 Ivo Timmermans
|
||||||
2008 Max Rijevski <maksuf@gmail.com>
|
2008 Max Rijevski <maksuf@gmail.com>
|
||||||
|
|
||||||
|
@ -91,6 +91,8 @@ void free_connection_partially(connection_t *c) {
|
||||||
c->outbufstart = 0;
|
c->outbufstart = 0;
|
||||||
c->last_ping_time = 0;
|
c->last_ping_time = 0;
|
||||||
c->last_flushed_time = 0;
|
c->last_flushed_time = 0;
|
||||||
|
c->inbudget = 0;
|
||||||
|
c->outbudget = 0;
|
||||||
|
|
||||||
if(c->inctx) {
|
if(c->inctx) {
|
||||||
EVP_CIPHER_CTX_cleanup(c->inctx);
|
EVP_CIPHER_CTX_cleanup(c->inctx);
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
connection.h -- header for connection.c
|
connection.h -- header for connection.c
|
||||||
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
2000-2005 Ivo Timmermans
|
2000-2005 Ivo Timmermans
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
@ -41,7 +41,8 @@ typedef struct connection_status_t {
|
||||||
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
||||||
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
|
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
|
||||||
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
|
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
|
||||||
unsigned int unused:23;
|
unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */
|
||||||
|
unsigned int unused:22;
|
||||||
} connection_status_t;
|
} connection_status_t;
|
||||||
|
|
||||||
#include "edge.h"
|
#include "edge.h"
|
||||||
|
@ -70,6 +71,8 @@ typedef struct connection_t {
|
||||||
const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */
|
const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */
|
||||||
EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */
|
EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */
|
||||||
EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */
|
EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */
|
||||||
|
uint64_t inbudget; /* Encrypted bytes send budget */
|
||||||
|
uint64_t outbudget; /* Encrypted bytes receive budget */
|
||||||
char *inkey; /* His symmetric meta key + iv */
|
char *inkey; /* His symmetric meta key + iv */
|
||||||
char *outkey; /* Our symmetric meta key + iv */
|
char *outkey; /* Our symmetric meta key + iv */
|
||||||
int inkeylength; /* Length of his key + iv */
|
int inkeylength; /* Length of his key + iv */
|
||||||
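Review bot: the two new comments are swapped: `inbudget` is consumed in receive_meta when decrypting incoming data and `outbudget` in send_meta when encrypting outgoing data (see the meta.c hunks in this commit), yet they are annotated "send budget" and "receive budget" respectively. Suggest `uint64_t inbudget; /* Remaining bytes we may decrypt with inctx */` and `uint64_t outbudget; /* Remaining bytes we may encrypt with outctx */`.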
|
|
18
src/meta.c
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
meta.c -- handle the meta communication
|
meta.c -- handle the meta communication
|
||||||
Copyright (C) 2000-2015 Guus Sliepen <guus@tinc-vpn.org>,
|
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||||
2000-2005 Ivo Timmermans
|
2000-2005 Ivo Timmermans
|
||||||
2006 Scott Lamb <slamb@slamb.org>
|
2006 Scott Lamb <slamb@slamb.org>
|
||||||
|
|
||||||
|
@ -62,6 +62,14 @@ bool send_meta(connection_t *c, const char *buffer, int length) {
|
||||||
|
|
||||||
/* Add our data to buffer */
|
/* Add our data to buffer */
|
||||||
if(c->status.encryptout) {
|
if(c->status.encryptout) {
|
||||||
|
/* Check encryption limits */
|
||||||
|
if(length > c->outbudget) {
|
||||||
|
ifdebug(META) logger(LOG_ERR, "Byte limit exceeded for encryption to %s (%s)", c->name, c->hostname);
|
||||||
|
return false;
|
||||||
|
} else {
|
||||||
|
c->outbudget -= length;
|
||||||
|
}
|
||||||
|
|
||||||
result = EVP_EncryptUpdate(c->outctx, (unsigned char *)c->outbuf + c->outbufstart + c->outbuflen,
|
result = EVP_EncryptUpdate(c->outctx, (unsigned char *)c->outbuf + c->outbufstart + c->outbuflen,
|
||||||
&outlen, (unsigned char *)buffer, length);
|
&outlen, (unsigned char *)buffer, length);
|
||||||
if(!result || outlen < length) {
|
if(!result || outlen < length) {
|
||||||
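Review bot: the "Byte limit exceeded" message is only emitted under ifdebug(META), so at normal debug levels a meta-connection that fails because its budget ran out shows up as an unexplained send failure; since hitting the budget is a rare, security-relevant event rather than per-packet noise, it should be logged unconditionally (LOG_WARNING is enough). Also `length` is a signed int compared against the uint64_t budget; a `length >= 0` check or an explicit `(uint64_t)length` documents that negative lengths are not expected here.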
|
@ -175,6 +183,14 @@ bool receive_meta(connection_t *c) {
|
||||||
/* Decrypt */
|
/* Decrypt */
|
||||||
|
|
||||||
if(c->status.decryptin && !decrypted) {
|
if(c->status.decryptin && !decrypted) {
|
||||||
|
/* Check decryption limits */
|
||||||
|
if(lenin > c->inbudget) {
|
||||||
|
ifdebug(META) logger(LOG_ERR, "Byte limit exceeded for decryption from %s (%s)", c->name, c->hostname);
|
||||||
|
return false;
|
||||||
|
} else {
|
||||||
|
c->inbudget -= lenin;
|
||||||
|
}
|
||||||
|
|
||||||
result = EVP_DecryptUpdate(c->inctx, (unsigned char *)inbuf, &lenout, (unsigned char *)c->buffer + oldlen, lenin);
|
result = EVP_DecryptUpdate(c->inctx, (unsigned char *)inbuf, &lenout, (unsigned char *)c->buffer + oldlen, lenin);
|
||||||
if(!result || lenout != lenin) {
|
if(!result || lenout != lenin) {
|
||||||
logger(LOG_ERR, "Error while decrypting metadata from %s (%s): %s",
|
logger(LOG_ERR, "Error while decrypting metadata from %s (%s): %s",
|
||||||
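Review bot: this block repeats the budget check from send_meta line for line; a small helper such as `static bool consume_budget(uint64_t *budget, size_t len)` that returns false and leaves the budget untouched when `len > *budget` keeps both directions identical if the policy changes later (for example renegotiating before the limit is reached instead of failing hard). The same point about the message being hidden under ifdebug(META) applies on this side.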
|
|
|
@ -650,14 +650,25 @@ static bool setup_myself(void) {
|
||||||
}
|
}
|
||||||
free(cipher);
|
free(cipher);
|
||||||
} else
|
} else
|
||||||
myself->incipher = EVP_bf_cbc();
|
myself->incipher = EVP_aes_256_cbc();
|
||||||
|
|
||||||
if(myself->incipher)
|
if(myself->incipher)
|
||||||
myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
|
myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
|
||||||
else
|
else
|
||||||
myself->inkeylength = 1;
|
myself->inkeylength = 1;
|
||||||
|
|
||||||
myself->connection->outcipher = EVP_bf_ofb();
|
/* We need to use a stream mode for the meta protocol. Use AES for this,
|
||||||
|
but try to match the key size with the one from the cipher selected
|
||||||
|
by Cipher.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int keylen = EVP_CIPHER_key_length(myself->incipher);
|
||||||
|
if(keylen <= 16)
|
||||||
|
myself->connection->outcipher = EVP_aes_128_cfb();
|
||||||
|
else if(keylen <= 24)
|
||||||
|
myself->connection->outcipher = EVP_aes_192_cfb();
|
||||||
|
else
|
||||||
|
myself->connection->outcipher = EVP_aes_256_cfb();
|
||||||
|
|
||||||
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
|
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
|
||||||
keylifetime = 3600;
|
keylifetime = 3600;
|
||||||
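Review bot: `int keylen = EVP_CIPHER_key_length(myself->incipher);` runs unconditionally, but the `if(myself->incipher) ... else myself->inkeylength = 1;` directly above it shows that `incipher` is NULL when Cipher is set to "none". EVP_CIPHER_key_length dereferences its argument, so that configuration now crashes in setup_myself. Suggest `int keylen = myself->incipher ? EVP_CIPHER_key_length(myself->incipher) : 32;` so an unencrypted-UDP configuration still gets AES-256-CFB on the meta-connection, and a sentence in the comment block stating which key size is used in that case.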
|
@ -681,9 +692,9 @@ static bool setup_myself(void) {
|
||||||
|
|
||||||
free(digest);
|
free(digest);
|
||||||
} else
|
} else
|
||||||
myself->indigest = EVP_sha1();
|
myself->indigest = EVP_sha256();
|
||||||
|
|
||||||
myself->connection->outdigest = EVP_sha1();
|
myself->connection->outdigest = EVP_sha256();
|
||||||
|
|
||||||
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
|
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
|
||||||
if(myself->indigest) {
|
if(myself->indigest) {
|
||||||
|
|
|
@ -41,9 +41,8 @@
|
||||||
#include "xalloc.h"
|
#include "xalloc.h"
|
||||||
|
|
||||||
bool send_id(connection_t *c) {
|
bool send_id(connection_t *c) {
|
||||||
if(proxytype && c->outgoing)
|
if(proxytype && c->outgoing && !c->status.proxy_passed)
|
||||||
if(!send_proxyrequest(c))
|
return send_proxyrequest(c);
|
||||||
return false;
|
|
||||||
|
|
||||||
return send_request(c, "%d %s %d", ID, myself->connection->name,
|
return send_request(c, "%d %s %d", ID, myself->connection->name,
|
||||||
myself->connection->protocol_version);
|
myself->connection->protocol_version);
|
||||||
|
@ -114,6 +113,21 @@ bool id_h(connection_t *c) {
|
||||||
return send_metakey(c);
|
return send_metakey(c);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static uint64_t byte_budget(const EVP_CIPHER *cipher) {
|
||||||
|
/* Hopefully some failsafe way to calculate the maximum amount of bytes to
|
||||||
|
send/receive with a given cipher before we might run into birthday paradox
|
||||||
|
attacks. Because we might use different modes, the block size of the mode
|
||||||
|
might be 1 byte. In that case, use the IV length. Ensure the whole thing
|
||||||
|
is limited to what can be represented with a 64 bits integer.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int ivlen = EVP_CIPHER_iv_length(cipher);
|
||||||
|
int blklen = EVP_CIPHER_block_size(cipher);
|
||||||
|
int len = blklen > 1 ? blklen : ivlen > 1 ? ivlen : 8;
|
||||||
|
int bits = len * 4 - 1;
|
||||||
|
return bits < 64 ? UINT64_C(1) << bits : UINT64_MAX;
|
||||||
|
}
|
||||||
|
|
||||||
bool send_metakey(connection_t *c) {
|
bool send_metakey(connection_t *c) {
|
||||||
bool x;
|
bool x;
|
||||||
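Review bot: the comment states the intent but not the arithmetic behind `int bits = len * 4 - 1;`, which deserves a line: it yields 2^(n/2 - 1) bytes where n is the block (or IV) size in bits, i.e. half the birthday bound 2^(n/2), and counted in bytes rather than blocks, so the margin is an extra factor of 2*len. That gives 2^63 bytes for a 128-bit block, 2^31 bytes (2 GiB) for a 64-bit block, and the fallback `8` also gives 2^31 bytes for a cipher with neither a block size nor an IV. Spelling those values out, together with the reason the IV length stands in for the block size under CFB (EVP_CIPHER_block_size returns 1 there), makes the function reviewable without redoing the derivation.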
|
|
||||||
|
@ -196,6 +210,7 @@ bool send_metakey(connection_t *c) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c->outbudget = byte_budget(c->outcipher);
|
||||||
c->status.encryptout = true;
|
c->status.encryptout = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -274,6 +289,7 @@ bool metakey_h(connection_t *c) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
c->inbudget = byte_budget(c->incipher);
|
||||||
c->status.decryptin = true;
|
c->status.decryptin = true;
|
||||||
} else {
|
} else {
|
||||||
c->incipher = NULL;
|
c->incipher = NULL;
|
||||||
|
|
17
src/proxy.c
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
proxy.c -- Proxy handling functions.
|
proxy.c -- Proxy handling functions.
|
||||||
Copyright (C) 2015 Guus Sliepen <guus@tinc-vpn.org>
|
Copyright (C) 2015-2016 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
This program is free software; you can redistribute it and/or modify
|
||||||
it under the terms of the GNU General Public License as published by
|
it under the terms of the GNU General Public License as published by
|
||||||
|
@ -194,6 +194,8 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
||||||
|
|
||||||
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
||||||
c->allow_request = ID;
|
c->allow_request = ID;
|
||||||
|
c->status.proxy_passed = true;
|
||||||
|
send_id(c);
|
||||||
return 8;
|
return 8;
|
||||||
} else {
|
} else {
|
||||||
logger(LOG_ERR, "Proxy request rejected");
|
logger(LOG_ERR, "Proxy request rejected");
|
||||||
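Review bot: `send_id(c);` discards the bool result; if send_request fails, the connection continues with allow_request = ID but no ID request on the wire, and the failure is only noticed at the next timeout. Propagate it, e.g. `if(!send_id(c)) return -1;` (matching whatever error value the caller of receive_proxy_meta checks for), here and at the two other "Proxy request granted" sites in this file.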
|
@ -249,6 +251,8 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
||||||
} else {
|
} else {
|
||||||
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
||||||
c->allow_request = ID;
|
c->allow_request = ID;
|
||||||
|
c->status.proxy_passed = true;
|
||||||
|
send_id(c);
|
||||||
return replen;
|
return replen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -256,7 +260,12 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
||||||
char *p = memchr(c->buffer, '\n', c->buflen);
|
char *p = memchr(c->buffer, '\n', c->buflen);
|
||||||
if(!p || p - c->buffer >= c->buflen)
|
if(!p || p - c->buffer >= c->buflen)
|
||||||
return 0;
|
return 0;
|
||||||
p = memchr(p + 1, '\n', c->buflen - (p + 1 - c->buffer));
|
|
||||||
|
while((p = memchr(p + 1, '\n', c->buflen - (p + 1 - c->buffer)))) {
|
||||||
|
if(p > c->buffer + 3 && !memcmp(p - 3, "\r\n\r\n", 4))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if(!p)
|
if(!p)
|
||||||
return 0;
|
return 0;
|
||||||
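Review bot: the loop only recognises the end of the HTTP headers as `\r\n\r\n`; a proxy that answers with bare `\n` line endings never matches, so `p` ends up NULL and the function keeps returning 0 until the connection times out, although the reply was complete. Accepting `\n\n` as well, e.g. `if((p > c->buffer && p[-1] == '\n') || (p > c->buffer + 3 && !memcmp(p - 3, "\r\n\r\n", 4))`, handles both without changing the rest of the parsing.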
|
|
||||||
|
@ -270,8 +279,12 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
||||||
logger(LOG_DEBUG, "Proxy request granted");
|
logger(LOG_DEBUG, "Proxy request granted");
|
||||||
replen = p + 1 - c->buffer;
|
replen = p + 1 - c->buffer;
|
||||||
c->allow_request = ID;
|
c->allow_request = ID;
|
||||||
|
c->status.proxy_passed = true;
|
||||||
|
send_id(c);
|
||||||
return replen;
|
return replen;
|
||||||
} else {
|
} else {
|
||||||
|
p = memchr(c->buffer, '\n', c->buflen);
|
||||||
|
p[-1] = 0;
|
||||||
logger(LOG_ERR, "Proxy request rejected: %s", c->buffer + 9);
|
logger(LOG_ERR, "Proxy request rejected: %s", c->buffer + 9);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
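Review bot: `p[-1] = 0;` assumes the status line ends in `\r\n`; with a bare `\n` it overwrites the last character of the reason phrase instead of the `\r`, and it writes before the buffer if the first byte is `\n` (only safe if an earlier check guarantees a status line is present). Safer: `*p = 0; if(p > c->buffer && p[-1] == '\r') p[-1] = 0;`. Also, `return false` in this int-returning function is 0, which the previous hunk uses to mean "reply incomplete, wait for more data"; an explicit negative error return would make a rejection unambiguous to the caller.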
|
|
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
tincd.c -- the main file for tincd
|
tincd.c -- the main file for tincd
|
||||||
Copyright (C) 1998-2005 Ivo Timmermans
|
Copyright (C) 1998-2005 Ivo Timmermans
|
||||||
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
|
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
|
||||||
2008 Max Rijevski <maksuf@gmail.com>
|
2008 Max Rijevski <maksuf@gmail.com>
|
||||||
2009 Michael Tokarev <mjt@tls.msk.ru>
|
2009 Michael Tokarev <mjt@tls.msk.ru>
|
||||||
2010 Julien Muchembled <jm@jmuchemb.eu>
|
2010 Julien Muchembled <jm@jmuchemb.eu>
|
||||||
|
@ -583,7 +583,7 @@ int main(int argc, char **argv) {
|
||||||
|
|
||||||
if(show_version) {
|
if(show_version) {
|
||||||
printf("%s version %s\n", PACKAGE, VERSION);
|
printf("%s version %s\n", PACKAGE, VERSION);
|
||||||
printf("Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen and others.\n"
|
printf("Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||||
"See the AUTHORS file for a complete list.\n\n"
|
"See the AUTHORS file for a complete list.\n\n"
|
||||||
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
||||||
"and you are welcome to redistribute it under certain conditions;\n"
|
"and you are welcome to redistribute it under certain conditions;\n"
|
||||||
|
|