Import Upstream version 1.0.31
This commit is contained in:
parent
1077a20a8c
commit
81ce06b6c9
22 changed files with 250 additions and 93 deletions
2
COPYING
2
COPYING
|
@ -1,4 +1,4 @@
|
|||
Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen and others.
|
||||
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.
|
||||
See the AUTHORS file for a complete list.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify it under
|
||||
|
|
25
ChangeLog
25
ChangeLog
|
@ -1,3 +1,28 @@
|
|||
Version 1.0.31 January 15 2017
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (1):
|
||||
Releasing 1.0.31.
|
||||
|
||||
Élie Bouttier (1):
|
||||
Remove ExecStop in tinc@.service
|
||||
|
||||
Version 1.0.30 October 30 2016
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (11):
|
||||
Allow non-empty lines after status code from a HTTP proxy.
|
||||
Fix proxy reply parsing broken by the previous commit.
|
||||
Log only the first line of a proxy request rejection message.
|
||||
Delay sending the real ID request until after a proxy request is granted.
|
||||
Use AES256 and SHA256 by default, also for the meta-connections.
|
||||
Enforce maximum amount of bytes sent/received on meta-connections.
|
||||
Fix bit shifting arithmetic so the code actually does what the last commit message says.
|
||||
Really fix byte budget calculation.
|
||||
Use AES in CTR mode instead of OFB mode for meta-connections.
|
||||
Use CFB mode for meta-connections to improve security.
|
||||
Releasing 1.0.30.
|
||||
|
||||
Version 1.0.29 October 09 2016
|
||||
------------------------------------------------------------------------
|
||||
|
||||
|
|
14
NEWS
14
NEWS
|
@ -1,3 +1,17 @@
|
|||
Version 1.0.31 January 15 2017
|
||||
|
||||
* Remove ExecStop in tinc@.service.
|
||||
|
||||
Thanks to Élie Bouttier for his contribution to this version of tinc.
|
||||
|
||||
Version 1.0.30 October 30 2016
|
||||
|
||||
* Fix troubles connecting to some HTTP proxies.
|
||||
|
||||
* Add mitigations for the Sweet32 attack when using a 64-bit block cipher.
|
||||
|
||||
* Use AES256 and SHA256 as the default encryption and digest algorithms.
|
||||
|
||||
Version 1.0.29 October 9 2016
|
||||
|
||||
* Fix UDP communication with peers with link-local IPv6 addresses.
|
||||
|
|
25
README
25
README
|
@ -1,7 +1,7 @@
|
|||
This is the README file for tinc version 1.0.29. Installation
|
||||
This is the README file for tinc version 1.0.31. Installation
|
||||
instructions may be found in the INSTALL file.
|
||||
|
||||
tinc is Copyright (C) 1998-2016 by:
|
||||
tinc is Copyright (C) 1998-2017 by:
|
||||
|
||||
Ivo Timmermans,
|
||||
Guus Sliepen <guus@tinc-vpn.org>,
|
||||
|
@ -39,6 +39,8 @@ practice and that the default length of the HMAC for packets is too short in
|
|||
his opinion. We do not know of a way to exploit these weaknesses, but these
|
||||
issues are being addressed in the tinc 1.1 branch.
|
||||
|
||||
The Sweet32 attack affects versions of tinc prior to 1.0.30.
|
||||
|
||||
Cryptography is a hard thing to get right. We cannot make any
|
||||
guarantees. Time, review and feedback are the only things that can
|
||||
prove the security of any cryptographic product. If you wish to review
|
||||
|
@ -52,22 +54,25 @@ Some configuration variables have different names now. Most notably "TapDevice"
|
|||
should be changed into "Device", and "Device" should be changed into
|
||||
"BindToDevice".
|
||||
|
||||
|
||||
Compatibility
|
||||
-------------
|
||||
|
||||
Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
versions of tinc.
|
||||
Version 1.0.31 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
versions of tinc. Note that since version 1.0.30, tinc requires all nodes in
|
||||
the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the
|
||||
AES256 and SHA256 algorithms.
|
||||
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you
|
||||
need to install this library first; grab it from
|
||||
http://www.openssl.org/. You will need version 0.9.7 or later. If
|
||||
this library is not installed on you system, configure will fail. The
|
||||
manual in doc/tinc.texi contains more detailed information on how to
|
||||
install this library.
|
||||
Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you need to
|
||||
install this library first; grab it from http://www.openssl.org/. You will
|
||||
need version 1.0.1 or later with support for AES256 and SHA256 enabled. If
|
||||
this library is not installed on you system, configure will fail. The manual
|
||||
in doc/tinc.texi contains more detailed information on how to install this
|
||||
library. Alternatively, you may also use LibreSSL.
|
||||
|
||||
Since 1.0pre6, the zlib library is used for optional compression. You can
|
||||
find it at http://www.gzip.org/zlib/. Because of a possible exploit in
|
||||
|
|
1
THANKS
1
THANKS
|
@ -15,6 +15,7 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* David Pflug
|
||||
* Delf Eldkraft
|
||||
* dnk
|
||||
* Élie Bouttier
|
||||
* Enrique Zanardi
|
||||
* Florent Clairambault
|
||||
* Florian Weik
|
||||
|
|
28
config.guess
vendored
28
config.guess
vendored
|
@ -2,7 +2,7 @@
|
|||
# Attempt to guess a canonical system name.
|
||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2016-04-02'
|
||||
timestamp='2016-10-02'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -186,9 +186,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
|||
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
|
||||
esac
|
||||
# The Operating System including object format, if it has switched
|
||||
# to ELF recently, or will in the future.
|
||||
# to ELF recently (or will in the future) and ABI.
|
||||
case "${UNAME_MACHINE_ARCH}" in
|
||||
arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax)
|
||||
earm*)
|
||||
os=netbsdelf
|
||||
;;
|
||||
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
|
||||
eval $set_cc_for_build
|
||||
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ELF__
|
||||
|
@ -997,6 +1000,9 @@ EOF
|
|||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
||||
;;
|
||||
mips64el:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
openrisc*:Linux:*:*)
|
||||
echo or1k-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
|
@ -1029,6 +1035,9 @@ EOF
|
|||
ppcle:Linux:*:*)
|
||||
echo powerpcle-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
riscv32:Linux:*:* | riscv64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
s390:Linux:*:* | s390x:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
|
||||
exit ;;
|
||||
|
@ -1408,18 +1417,17 @@ esac
|
|||
cat >&2 <<EOF
|
||||
$0: unable to guess system type
|
||||
|
||||
This script, last modified $timestamp, has failed to recognize
|
||||
the operating system you are using. It is advised that you
|
||||
download the most up to date version of the config scripts from
|
||||
This script (version $timestamp), has failed to recognize the
|
||||
operating system you are using. If your script is old, overwrite
|
||||
config.guess and config.sub with the latest versions from:
|
||||
|
||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
|
||||
and
|
||||
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
|
||||
|
||||
If the version you run ($0) is already up to date, please
|
||||
send the following data and any information you think might be
|
||||
pertinent to <config-patches@gnu.org> in order to provide the needed
|
||||
information to handle your system.
|
||||
If $0 has already been updated, send the following data and any
|
||||
information you think might be pertinent to config-patches@gnu.org to
|
||||
provide the necessary information to handle your system.
|
||||
|
||||
config.guess timestamp = $timestamp
|
||||
|
||||
|
|
|
@ -36,6 +36,10 @@
|
|||
/* Darwin (MacOS/X) */
|
||||
#undef HAVE_DARWIN
|
||||
|
||||
/* Define to 1 if you have the declaration of `EVP_aes_256_cfb', and to 0 if
|
||||
you don't. */
|
||||
#undef HAVE_DECL_EVP_AES_256_CFB
|
||||
|
||||
/* Define to 1 if you have the declaration of `freeaddrinfo', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_FREEADDRINFO
|
||||
|
@ -52,6 +56,10 @@
|
|||
don't. */
|
||||
#undef HAVE_DECL_GETNAMEINFO
|
||||
|
||||
/* Define to 1 if you have the declaration of `OpenSSL_add_all_algorithms',
|
||||
and to 0 if you don't. */
|
||||
#undef HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
|
||||
|
||||
/* Define to 1 if you have the declaration of `res_init', and to 0 if you
|
||||
don't. */
|
||||
#undef HAVE_DECL_RES_INIT
|
||||
|
|
22
config.sub
vendored
22
config.sub
vendored
|
@ -2,7 +2,7 @@
|
|||
# Configuration validation subroutine script.
|
||||
# Copyright 1992-2016 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2016-03-30'
|
||||
timestamp='2016-11-04'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -117,7 +117,7 @@ case $maybe_os in
|
|||
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
|
||||
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
|
||||
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
|
||||
kopensolaris*-gnu* | \
|
||||
kopensolaris*-gnu* | cloudabi*-eabi* | \
|
||||
storm-chaos* | os2-emx* | rtmk-nova*)
|
||||
os=-$maybe_os
|
||||
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
|
||||
|
@ -301,6 +301,7 @@ case $basic_machine in
|
|||
| open8 | or1k | or1knd | or32 \
|
||||
| pdp10 | pdp11 | pj | pjl \
|
||||
| powerpc | powerpc64 | powerpc64le | powerpcle \
|
||||
| pru \
|
||||
| pyramid \
|
||||
| riscv32 | riscv64 \
|
||||
| rl78 | rx \
|
||||
|
@ -428,6 +429,7 @@ case $basic_machine in
|
|||
| orion-* \
|
||||
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
|
||||
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
|
||||
| pru-* \
|
||||
| pyramid-* \
|
||||
| riscv32-* | riscv64-* \
|
||||
| rl78-* | romp-* | rs6000-* | rx-* \
|
||||
|
@ -643,6 +645,14 @@ case $basic_machine in
|
|||
basic_machine=m68k-bull
|
||||
os=-sysv3
|
||||
;;
|
||||
e500v[12])
|
||||
basic_machine=powerpc-unknown
|
||||
os=$os"spe"
|
||||
;;
|
||||
e500v[12]-*)
|
||||
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
os=$os"spe"
|
||||
;;
|
||||
ebmon29k)
|
||||
basic_machine=a29k-amd
|
||||
os=-ebmon
|
||||
|
@ -1022,7 +1032,7 @@ case $basic_machine in
|
|||
ppc-* | ppcbe-*)
|
||||
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
;;
|
||||
ppcle | powerpclittle | ppc-le | powerpc-little)
|
||||
ppcle | powerpclittle)
|
||||
basic_machine=powerpcle-unknown
|
||||
;;
|
||||
ppcle-* | powerpclittle-*)
|
||||
|
@ -1032,7 +1042,7 @@ case $basic_machine in
|
|||
;;
|
||||
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
|
||||
;;
|
||||
ppc64le | powerpc64little | ppc64-le | powerpc64-little)
|
||||
ppc64le | powerpc64little)
|
||||
basic_machine=powerpc64le-unknown
|
||||
;;
|
||||
ppc64le-* | powerpc64little-*)
|
||||
|
@ -1389,7 +1399,7 @@ case $os in
|
|||
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
|
||||
| -chorusos* | -chorusrdb* | -cegcc* \
|
||||
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
|
||||
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
||||
| -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
||||
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
|
||||
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
|
||||
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
|
||||
|
@ -1399,7 +1409,7 @@ case $os in
|
|||
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
||||
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
|
||||
| -onefs* | -tirtos*)
|
||||
| -onefs* | -tirtos* | -phoenix* | -fuchsia*)
|
||||
# Remember, each alternative MUST END IN *, to match a version number.
|
||||
;;
|
||||
-qnx*)
|
||||
|
|
46
configure
vendored
46
configure
vendored
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for tinc 1.0.29.
|
||||
# Generated by GNU Autoconf 2.69 for tinc 1.0.31.
|
||||
#
|
||||
#
|
||||
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
|
||||
|
@ -577,8 +577,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='tinc'
|
||||
PACKAGE_TARNAME='tinc'
|
||||
PACKAGE_VERSION='1.0.29'
|
||||
PACKAGE_STRING='tinc 1.0.29'
|
||||
PACKAGE_VERSION='1.0.31'
|
||||
PACKAGE_STRING='tinc 1.0.31'
|
||||
PACKAGE_BUGREPORT=''
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -1331,7 +1331,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures tinc 1.0.29 to adapt to many kinds of systems.
|
||||
\`configure' configures tinc 1.0.31 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1402,7 +1402,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of tinc 1.0.29:";;
|
||||
short | recursive ) echo "Configuration of tinc 1.0.31:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1528,7 +1528,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
tinc configure 1.0.29
|
||||
tinc configure 1.0.31
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -1993,7 +1993,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by tinc $as_me 1.0.29, which was
|
||||
It was created by tinc $as_me 1.0.31, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2857,7 +2857,7 @@ fi
|
|||
|
||||
# Define the identity of the package.
|
||||
PACKAGE='tinc'
|
||||
VERSION='1.0.29'
|
||||
VERSION='1.0.31'
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
|
@ -7172,6 +7172,32 @@ done
|
|||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_OpenSSL_add_all_algorithms" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS $ac_have_decl
|
||||
_ACEOF
|
||||
if test $ac_have_decl = 1; then :
|
||||
|
||||
else
|
||||
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
|
||||
fi
|
||||
ac_fn_c_check_decl "$LINENO" "EVP_aes_256_cfb" "ac_cv_have_decl_EVP_aes_256_cfb" "#include <openssl/evp.h>
|
||||
|
||||
"
|
||||
if test "x$ac_cv_have_decl_EVP_aes_256_cfb" = xyes; then :
|
||||
ac_have_decl=1
|
||||
else
|
||||
ac_have_decl=0
|
||||
fi
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_EVP_AES_256_CFB $ac_have_decl
|
||||
_ACEOF
|
||||
if test $ac_have_decl = 1; then :
|
||||
|
||||
else
|
||||
as_fn_error $? "Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version." "$LINENO" 5; break
|
||||
|
@ -7781,7 +7807,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by tinc $as_me 1.0.29, which was
|
||||
This file was extended by tinc $as_me 1.0.31, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -7847,7 +7873,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
tinc config.status 1.0.29
|
||||
tinc config.status 1.0.31
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
dnl Process this file with autoconf to produce a configure script.
|
||||
|
||||
AC_PREREQ(2.61)
|
||||
AC_INIT([tinc], [1.0.29])
|
||||
AC_INIT([tinc], [1.0.31])
|
||||
AC_CONFIG_SRCDIR([src/tincd.c])
|
||||
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
|
|
|
@ -8,7 +8,6 @@ Type=simple
|
|||
WorkingDirectory=/etc/tinc/%i
|
||||
ExecStart=/usr/sbin/tincd -n %i -D
|
||||
ExecReload=/usr/sbin/tincd -n %i -kHUP
|
||||
ExecStop=/usr/sbin/tincd -n %i -k
|
||||
TimeoutStopSec=5
|
||||
Restart=always
|
||||
RestartSec=60
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.Dd 2016-04-10
|
||||
.Dd 2016-10-29
|
||||
.Dt TINC.CONF 5
|
||||
.\" Manual page created by:
|
||||
.\" Ivo Timmermans
|
||||
|
@ -468,7 +468,7 @@ Multiple
|
|||
.Va Address
|
||||
variables can be specified, in which case each address will be tried until a working
|
||||
connection has been established.
|
||||
.It Va Cipher Li = Ar cipher Pq blowfish
|
||||
.It Va Cipher Li = Ar cipher Pq aes-256-cbc
|
||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||
Any cipher supported by LibreSSL or OpenSSL is recognised.
|
||||
Furthermore, specifying
|
||||
|
@ -483,7 +483,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
|||
This option sets the level of compression used for UDP packets.
|
||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||
10 (fast lzo) and 11 (best lzo).
|
||||
.It Va Digest Li = Ar digest Pq sha1
|
||||
.It Va Digest Li = Ar digest Pq sha256
|
||||
The digest algorithm used to authenticate UDP packets.
|
||||
Any digest supported by LibreSSL or OpenSSL is recognised.
|
||||
Furthermore, specifying
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
This is tinc.info, produced by makeinfo version 6.1 from tinc.texi.
|
||||
This is tinc.info, produced by makeinfo version 6.3 from tinc.texi.
|
||||
|
||||
INFO-DIR-SECTION Networking tools
|
||||
START-INFO-DIR-ENTRY
|
||||
* tinc: (tinc). The tinc Manual.
|
||||
END-INFO-DIR-ENTRY
|
||||
|
||||
This is the info manual for tinc version 1.0.27, a Virtual Private
|
||||
This is the info manual for tinc version 1.0.29, a Virtual Private
|
||||
Network daemon.
|
||||
|
||||
Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen
|
||||
Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen
|
||||
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
|
||||
|
||||
Permission is granted to make and distribute verbatim copies of this
|
||||
|
@ -1053,7 +1053,7 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
|
|||
can be specified, in which case each address will be tried until a
|
||||
working connection has been established.
|
||||
|
||||
Cipher = <CIPHER> (blowfish)
|
||||
Cipher = <CIPHER> (aes-256-cbc)
|
||||
The symmetric cipher algorithm used to encrypt UDP packets. Any
|
||||
cipher supported by LibreSSL or OpenSSL is recognized.
|
||||
Furthermore, specifying "none" will turn off packet encryption. It
|
||||
|
@ -1070,7 +1070,7 @@ Compression = <LEVEL> (0)
|
|||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9
|
||||
(best zlib), 10 (fast lzo) and 11 (best lzo).
|
||||
|
||||
Digest = <DIGEST> (sha1)
|
||||
Digest = <DIGEST> (sha256)
|
||||
The digest algorithm used to authenticate UDP packets. Any digest
|
||||
supported by LibreSSL or OpenSSL is recognized. Furthermore,
|
||||
specifying "none" will turn off packet authentication.
|
||||
|
@ -2683,33 +2683,33 @@ Node: How connections work23220
|
|||
Node: Configuration files24442
|
||||
Node: Main configuration variables25936
|
||||
Node: Host configuration variables42193
|
||||
Node: Scripts47720
|
||||
Node: How to configure50986
|
||||
Node: Generating keypairs52244
|
||||
Node: Network interfaces52743
|
||||
Node: Example configuration54591
|
||||
Node: Running tinc59916
|
||||
Node: Runtime options60506
|
||||
Node: Signals63808
|
||||
Node: Debug levels64999
|
||||
Node: Solving problems65935
|
||||
Node: Error messages67487
|
||||
Node: Sending bug reports71496
|
||||
Node: Technical information72443
|
||||
Node: The connection72674
|
||||
Node: The UDP tunnel72986
|
||||
Node: The meta-connection76047
|
||||
Node: The meta-protocol77516
|
||||
Node: Security82533
|
||||
Node: Authentication protocol83675
|
||||
Node: Encryption of network packets88720
|
||||
Node: Security issues90096
|
||||
Node: Platform specific information91735
|
||||
Node: Interface configuration91963
|
||||
Node: Routes94434
|
||||
Node: About us96448
|
||||
Node: Contact information96623
|
||||
Node: Authors97026
|
||||
Node: Concept Index97431
|
||||
Node: Scripts47725
|
||||
Node: How to configure50991
|
||||
Node: Generating keypairs52249
|
||||
Node: Network interfaces52748
|
||||
Node: Example configuration54596
|
||||
Node: Running tinc59921
|
||||
Node: Runtime options60511
|
||||
Node: Signals63813
|
||||
Node: Debug levels65004
|
||||
Node: Solving problems65940
|
||||
Node: Error messages67492
|
||||
Node: Sending bug reports71501
|
||||
Node: Technical information72448
|
||||
Node: The connection72679
|
||||
Node: The UDP tunnel72991
|
||||
Node: The meta-connection76052
|
||||
Node: The meta-protocol77521
|
||||
Node: Security82538
|
||||
Node: Authentication protocol83680
|
||||
Node: Encryption of network packets88725
|
||||
Node: Security issues90101
|
||||
Node: Platform specific information91740
|
||||
Node: Interface configuration91968
|
||||
Node: Routes94439
|
||||
Node: About us96453
|
||||
Node: Contact information96628
|
||||
Node: Authors97031
|
||||
Node: Concept Index97436
|
||||
|
||||
End Tag Table
|
||||
|
|
|
@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
|
|||
tried until a working connection has been established.
|
||||
|
||||
@cindex Cipher
|
||||
@item Cipher = <@var{cipher}> (blowfish)
|
||||
@item Cipher = <@var{cipher}> (aes-256-cbc)
|
||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||
Any cipher supported by LibreSSL or OpenSSL is recognized.
|
||||
Furthermore, specifying "none" will turn off packet encryption.
|
||||
|
@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
|||
10 (fast lzo) and 11 (best lzo).
|
||||
|
||||
@cindex Digest
|
||||
@item Digest = <@var{digest}> (sha1)
|
||||
@item Digest = <@var{digest}> (sha256)
|
||||
The digest algorithm used to authenticate UDP packets.
|
||||
Any digest supported by LibreSSL or OpenSSL is recognized.
|
||||
Furthermore, specifying "none" will turn off packet authentication.
|
||||
|
|
|
@ -49,7 +49,7 @@ AC_DEFUN([tinc_OPENSSL],
|
|||
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
)
|
||||
|
||||
AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
|
||||
AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
|
||||
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
[#include <openssl/evp.h>]
|
||||
)
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
connection.c -- connection list management
|
||||
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2000-2005 Ivo Timmermans
|
||||
2008 Max Rijevski <maksuf@gmail.com>
|
||||
|
||||
|
@ -91,6 +91,8 @@ void free_connection_partially(connection_t *c) {
|
|||
c->outbufstart = 0;
|
||||
c->last_ping_time = 0;
|
||||
c->last_flushed_time = 0;
|
||||
c->inbudget = 0;
|
||||
c->outbudget = 0;
|
||||
|
||||
if(c->inctx) {
|
||||
EVP_CIPHER_CTX_cleanup(c->inctx);
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
connection.h -- header for connection.c
|
||||
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2000-2005 Ivo Timmermans
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
|
@ -41,7 +41,8 @@ typedef struct connection_status_t {
|
|||
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
||||
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
|
||||
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
|
||||
unsigned int unused:23;
|
||||
unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */
|
||||
unsigned int unused:22;
|
||||
} connection_status_t;
|
||||
|
||||
#include "edge.h"
|
||||
|
@ -70,6 +71,8 @@ typedef struct connection_t {
|
|||
const EVP_CIPHER *outcipher; /* Cipher we will use to send data to him */
|
||||
EVP_CIPHER_CTX *inctx; /* Context of encrypted meta data that will come from him to us */
|
||||
EVP_CIPHER_CTX *outctx; /* Context of encrypted meta data that will be sent from us to him */
|
||||
uint64_t inbudget; /* Encrypted bytes send budget */
|
||||
uint64_t outbudget; /* Encrypted bytes receive budget */
|
||||
char *inkey; /* His symmetric meta key + iv */
|
||||
char *outkey; /* Our symmetric meta key + iv */
|
||||
int inkeylength; /* Length of his key + iv */
|
||||
|
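Review bot: The comments on the two new fields are swapped: `inbudget` is described as the send budget and `outbudget` as the receive budget, while the field names and their use elsewhere in this commit (send_meta checks and decrements `outbudget` before encrypting, receive_meta checks and decrements `inbudget` before decrypting) say the opposite. Suggest `uint64_t inbudget; /* Encrypted bytes receive budget */` and `uint64_t outbudget; /* Encrypted bytes send budget */`. The connection_t definition starts and ends outside the hunk.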
|
18
src/meta.c
18
src/meta.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
meta.c -- handle the meta communication
|
||||
Copyright (C) 2000-2015 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2000-2005 Ivo Timmermans
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
|
||||
|
@ -62,6 +62,14 @@ bool send_meta(connection_t *c, const char *buffer, int length) {
|
|||
|
||||
/* Add our data to buffer */
|
||||
if(c->status.encryptout) {
|
||||
/* Check encryption limits */
|
||||
if(length > c->outbudget) {
|
||||
ifdebug(META) logger(LOG_ERR, "Byte limit exceeded for encryption to %s (%s)", c->name, c->hostname);
|
||||
return false;
|
||||
} else {
|
||||
c->outbudget -= length;
|
||||
}
|
||||
|
||||
result = EVP_EncryptUpdate(c->outctx, (unsigned char *)c->outbuf + c->outbufstart + c->outbuflen,
|
||||
&outlen, (unsigned char *)buffer, length);
|
||||
if(!result || outlen < length) {
|
||||
|
@ -175,6 +183,14 @@ bool receive_meta(connection_t *c) {
|
|||
/* Decrypt */
|
||||
|
||||
if(c->status.decryptin && !decrypted) {
|
||||
/* Check decryption limits */
|
||||
if(lenin > c->inbudget) {
|
||||
ifdebug(META) logger(LOG_ERR, "Byte limit exceeded for decryption from %s (%s)", c->name, c->hostname);
|
||||
return false;
|
||||
} else {
|
||||
c->inbudget -= lenin;
|
||||
}
|
||||
|
||||
result = EVP_DecryptUpdate(c->inctx, (unsigned char *)inbuf, &lenout, (unsigned char *)c->buffer + oldlen, lenin);
|
||||
if(!result || lenout != lenin) {
|
||||
logger(LOG_ERR, "Error while decrypting metadata from %s (%s): %s",
|
||||
|
|
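Review bot: `if(length > c->outbudget)` compares the `int length` parameter (per the hunk header) with a `uint64_t`; the usual arithmetic conversions turn a negative `length` into a huge unsigned value, so negative lengths are rejected by accident rather than by design, and the same applies to `lenin > c->inbudget` in receive_meta if `lenin` is an `int` as the EVP_DecryptUpdate call suggests. Making the sign check explicit documents the intent and survives a later change of the budget type: `if(length < 0 || (uint64_t)length > c->outbudget) {`. Both enclosing functions start and end outside their hunks.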
|
@ -650,14 +650,25 @@ static bool setup_myself(void) {
|
|||
}
|
||||
free(cipher);
|
||||
} else
|
||||
myself->incipher = EVP_bf_cbc();
|
||||
myself->incipher = EVP_aes_256_cbc();
|
||||
|
||||
if(myself->incipher)
|
||||
myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
|
||||
else
|
||||
myself->inkeylength = 1;
|
||||
|
||||
myself->connection->outcipher = EVP_bf_ofb();
|
||||
/* We need to use a stream mode for the meta protocol. Use AES for this,
|
||||
but try to match the key size with the one from the cipher selected
|
||||
by Cipher.
|
||||
*/
|
||||
|
||||
int keylen = EVP_CIPHER_key_length(myself->incipher);
|
||||
if(keylen <= 16)
|
||||
myself->connection->outcipher = EVP_aes_128_cfb();
|
||||
else if(keylen <= 24)
|
||||
myself->connection->outcipher = EVP_aes_192_cfb();
|
||||
else
|
||||
myself->connection->outcipher = EVP_aes_256_cfb();
|
||||
|
||||
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
|
||||
keylifetime = 3600;
|
||||
|
@ -681,9 +692,9 @@ static bool setup_myself(void) {
|
|||
|
||||
free(digest);
|
||||
} else
|
||||
myself->indigest = EVP_sha1();
|
||||
myself->indigest = EVP_sha256();
|
||||
|
||||
myself->connection->outdigest = EVP_sha1();
|
||||
myself->connection->outdigest = EVP_sha256();
|
||||
|
||||
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
|
||||
if(myself->indigest) {
|
||||
|
|
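Review bot: `int keylen = EVP_CIPHER_key_length(myself->incipher);` is called unconditionally, but the lines just above it handle `myself->incipher` being NULL (the `else myself->inkeylength = 1;` branch, presumably reached when Cipher is configured as "none"); with a NULL cipher the call dereferences the null pointer inside the library at startup. Guard it and fall back to the strongest meta cipher when no packet cipher is configured, e.g. `int keylen = myself->incipher ? EVP_CIPHER_key_length(myself->incipher) : 32;`. setup_myself starts and ends outside the hunk.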
|
@ -41,9 +41,8 @@
|
|||
#include "xalloc.h"
|
||||
|
||||
bool send_id(connection_t *c) {
|
||||
if(proxytype && c->outgoing)
|
||||
if(!send_proxyrequest(c))
|
||||
return false;
|
||||
if(proxytype && c->outgoing && !c->status.proxy_passed)
|
||||
return send_proxyrequest(c);
|
||||
|
||||
return send_request(c, "%d %s %d", ID, myself->connection->name,
|
||||
myself->connection->protocol_version);
|
||||
|
@ -114,6 +113,21 @@ bool id_h(connection_t *c) {
|
|||
return send_metakey(c);
|
||||
}
|
||||
|
||||
static uint64_t byte_budget(const EVP_CIPHER *cipher) {
|
||||
/* Hopefully some failsafe way to calculate the maximum amount of bytes to
|
||||
send/receive with a given cipher before we might run into birthday paradox
|
||||
attacks. Because we might use different modes, the block size of the mode
|
||||
might be 1 byte. In that case, use the IV length. Ensure the whole thing
|
||||
is limited to what can be represented with a 64 bits integer.
|
||||
*/
|
||||
|
||||
int ivlen = EVP_CIPHER_iv_length(cipher);
|
||||
int blklen = EVP_CIPHER_block_size(cipher);
|
||||
int len = blklen > 1 ? blklen : ivlen > 1 ? ivlen : 8;
|
||||
int bits = len * 4 - 1;
|
||||
return bits < 64 ? UINT64_C(1) << bits : UINT64_MAX;
|
||||
}
|
||||
|
||||
bool send_metakey(connection_t *c) {
|
||||
bool x;
|
||||
|
||||
|
@ -196,6 +210,7 @@ bool send_metakey(connection_t *c) {
|
|||
return false;
|
||||
}
|
||||
|
||||
c->outbudget = byte_budget(c->outcipher);
|
||||
c->status.encryptout = true;
|
||||
}
|
||||
|
||||
|
@ -274,6 +289,7 @@ bool metakey_h(connection_t *c) {
|
|||
return false;
|
||||
}
|
||||
|
||||
c->inbudget = byte_budget(c->incipher);
|
||||
c->status.decryptin = true;
|
||||
} else {
|
||||
c->incipher = NULL;
|
||||
|
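Review bot: The comment above byte_budget explains the IV-length fallback but not where `len * 4 - 1` comes from, so a reader cannot verify that the bound is conservative. Suggest adding before the `int bits` line: `/* Birthday bound: block collisions become likely after 2^(len*4) blocks; capping at 2^(len*4-1) bytes stays well below that, e.g. 2^31 bytes for an 8-byte block and 2^63 for a 16-byte block. */`. The other hunks in this section (send_id, send_metakey, metakey_h) only wire the budget in and need no change.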
|
17
src/proxy.c
17
src/proxy.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
proxy.c -- Proxy handling functions.
|
||||
Copyright (C) 2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
Copyright (C) 2015-2016 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -194,6 +194,8 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
|||
|
||||
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
||||
c->allow_request = ID;
|
||||
c->status.proxy_passed = true;
|
||||
send_id(c);
|
||||
return 8;
|
||||
} else {
|
||||
logger(LOG_ERR, "Proxy request rejected");
|
||||
|
@ -249,6 +251,8 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
|||
} else {
|
||||
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
|
||||
c->allow_request = ID;
|
||||
c->status.proxy_passed = true;
|
||||
send_id(c);
|
||||
return replen;
|
||||
}
|
||||
|
||||
|
@ -256,7 +260,12 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
|||
char *p = memchr(c->buffer, '\n', c->buflen);
|
||||
if(!p || p - c->buffer >= c->buflen)
|
||||
return 0;
|
||||
p = memchr(p + 1, '\n', c->buflen - (p + 1 - c->buffer));
|
||||
|
||||
while((p = memchr(p + 1, '\n', c->buflen - (p + 1 - c->buffer)))) {
|
||||
if(p > c->buffer + 3 && !memcmp(p - 3, "\r\n\r\n", 4))
|
||||
break;
|
||||
}
|
||||
|
||||
if(!p)
|
||||
return 0;
|
||||
|
||||
|
@ -270,8 +279,12 @@ int receive_proxy_meta(connection_t *c, int start, int lenin) {
|
|||
logger(LOG_DEBUG, "Proxy request granted");
|
||||
replen = p + 1 - c->buffer;
|
||||
c->allow_request = ID;
|
||||
c->status.proxy_passed = true;
|
||||
send_id(c);
|
||||
return replen;
|
||||
} else {
|
||||
p = memchr(c->buffer, '\n', c->buflen);
|
||||
p[-1] = 0;
|
||||
logger(LOG_ERR, "Proxy request rejected: %s", c->buffer + 9);
|
||||
return false;
|
||||
}
|
||||
|
|
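Review bot: In the rejection branch of the last hunk, `p[-1] = 0;` assumes the status line ends in "\r\n" and that the '\n' is not the very first byte of `c->buffer`: a reply starting with a bare '\n' makes the store land one byte before the buffer, and a bare-LF line ending overwrites the last character of the status line instead of the '\r'. Truncating at the '\n' itself and stripping only a preceding '\r' covers both cases: `*p = 0; if(p > c->buffer && p[-1] == '\r') p[-1] = 0;`. The `c->buffer + 9` offset in the log call also relies on the status line being at least nine bytes long, which must be guaranteed by a check outside this hunk; receive_proxy_meta starts and ends outside the hunk.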
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
tincd.c -- the main file for tincd
|
||||
Copyright (C) 1998-2005 Ivo Timmermans
|
||||
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2008 Max Rijevski <maksuf@gmail.com>
|
||||
2009 Michael Tokarev <mjt@tls.msk.ru>
|
||||
2010 Julien Muchembled <jm@jmuchemb.eu>
|
||||
|
@ -583,7 +583,7 @@ int main(int argc, char **argv) {
|
|||
|
||||
if(show_version) {
|
||||
printf("%s version %s\n", PACKAGE, VERSION);
|
||||
printf("Copyright (C) 1998-2016 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
printf("Copyright (C) 1998-2017 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
"See the AUTHORS file for a complete list.\n\n"
|
||||
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
||||
"and you are welcome to redistribute it under certain conditions;\n"
|
||||
|
|