Import Upstream version 1.0.35

This commit is contained in:
Guus Sliepen 2019-08-26 13:44:49 +02:00
parent b28bb7b29b
commit a04a7bcd67
44 changed files with 4173 additions and 2323 deletions

43
README
View file

@ -1,4 +1,4 @@
This is the README file for tinc version 1.0.34. Installation
This is the README file for tinc version 1.0.35. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2018 by:
@ -41,24 +41,25 @@ issues are being addressed in the tinc 1.1 branch.
The Sweet32 attack affects versions of tinc prior to 1.0.30.
On September 6th, 2018, Michael Yonly contacted us and provided
proof-of-concept code that allowed a remote attacker to create an
authenticated, one-way connection with a node, and also that there was a
possibility for a man-in-the-middle to force UDP packets from a node to be sent
in plaintext. The first issue was trivial to exploit on tinc versions prior to
1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this
weakness much harder to exploit. These issues have been fixed in tinc 1.0.35.
The new protocol in the tinc 1.1 branch is not susceptible to these issues.
Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
prove the security of any cryptographic product. If you wish to review
tinc or give us feedback, you are strongly encouraged to do so.
Changes to configuration file format since 1.0pre5
--------------------------------------------------
Some configuration variables have different names now. Most notably "TapDevice"
should be changed into "Device", and "Device" should be changed into
"BindToDevice".
Compatibility
-------------
Version 1.0.31 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.0.35 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. Note that since version 1.0.30, tinc requires all nodes in
the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the
AES256 and SHA256 algorithms.
@ -67,21 +68,21 @@ AES256 and SHA256 algorithms.
Requirements
------------
Since 1.0pre3, we use OpenSSL for all cryptographic functions. So you need to
install this library first; grab it from http://www.openssl.org/. You will
need version 1.0.1 or later with support for AES256 and SHA256 enabled. If
this library is not installed on you system, configure will fail. The manual
in doc/tinc.texi contains more detailed information on how to install this
library. Alternatively, you may also use LibreSSL.
The OpenSSL library is used for all cryptographic functions. You can find it at
https://www.openssl.org/. You will need version 1.0.1 or later with support for
AES256 and SHA256 enabled. If this library is not installed on your system, the
configure script will fail. The manual in doc/tinc.texi contains more detailed
information on how to install this library. Alternatively, you may also use the
LibreSSL library.
Since 1.0pre6, the zlib library is used for optional compression. You can
find it at http://www.gzip.org/zlib/. Because of a possible exploit in
The zlib library is used for optional compression. You can
find it at https://zlib.net/. Because of a possible exploit in
earlier versions we recommend that you download version 1.1.4 or later.
Since 1.0, the lzo library is also used for optional compression. You can
find it at http://www.oberhumer.com/opensource/lzo/.
The LZO library is also used for optional compression. You can
find it at https://www.oberhumer.com/opensource/lzo/.
In order to compile tinc, you will need a GNU C compiler environment.
In order to compile tinc, you will need a C99 compliant compiler.
Features