Compare commits

...

84 commits

Author SHA1 Message Date
lagertonne
3189f2ad9c Trying to apply patches...
Some checks failed
continuous-integration/drone/push Build is failing
2022-04-25 13:50:45 +02:00
lagertonne
8e732eefc2 Make patches more flat
All checks were successful
continuous-integration/drone/push Build is passing
2022-04-25 13:36:15 +02:00
lagertonne
d787d2479a Add patches for alternative ciphersuite
All checks were successful
continuous-integration/drone/push Build is passing
2022-04-25 13:11:44 +02:00
lagertonne
56d25e7bd6 fix broken focal build
All checks were successful
continuous-integration/drone/push Build is passing
2022-04-23 15:45:38 +02:00
lagertonne
093206d6f2 Make package installation noninteractive
Some checks failed
continuous-integration/drone/push Build is failing
2022-04-23 15:37:43 +02:00
lagertonne
5a8168ab4c Add focal building
Some checks reported errors
continuous-integration/drone/push Build was killed
2022-04-23 15:18:13 +02:00
lagertonne
ce9368f414 Add .drone.yml
All checks were successful
continuous-integration/drone/push Build is passing
2022-04-23 10:57:20 +02:00
lagertonne
bb0afc8780 Add debian files 2022-04-23 10:57:20 +02:00
lagertonne
cf5509bd45 upstream: 1.18 2022-04-23 10:57:20 +02:00
Shengjing Zhu
8e468ffc54 Import Debian changes 1.1~pre17-1.1
tinc (1.1~pre17-1.1) experimental; urgency=medium

  * Non-maintainer upload.
  * Fix systemd service install path. Closes: #910618
  * Fix typo in --enable-miniupnpc option.
2019-08-26 13:44:53 +02:00
Guus Sliepen
150c40db86 Import Debian changes 1.1~pre17-1
tinc (1.1~pre17-1) experimental; urgency=medium

  * New upstream release.
    - Includes fixes for CVE-2018-16737, CVE-2018-16738.
    - The GUI is no longer part of upstream, so has been removed.
  * Link with the miniupnpc library.
  * Bump Standards-Version.
  * Bump debian/compat.
2019-08-26 13:44:53 +02:00
Guus Sliepen
46616ac501 Import Debian changes 1.1~pre15-1
tinc (1.1~pre15-1) experimental; urgency=medium

  * New upstream release.
  * Bump Standards-Version.
  * Bump debian/compat.
  * Don't use while loops checking PID files anymore, the tinc CLI will
    wait properly for the daemon to start or stop. Closes: #772379, #832784
  * Clean up scripts as suggested by Dominik George. Closes: #832781
  * Test for /etc/default/tinc before trying to source it. Closes: #777262
2019-08-26 13:44:52 +02:00
Guus Sliepen
3c37b83332 Import Debian changes 1.1~pre14-16-g15b868e-1
tinc (1.1~pre14-16-g15b868e-1) experimental; urgency=medium

  * New upstream release.
    - Use the latest git version in order to compile with OpenSSL 1.1.0.
  * Bump debian/compat and Standards-Version.
  * Fix the version number in configure.ac.
  * Make the build reproducible.
2019-08-26 13:44:52 +02:00
Guus Sliepen
03136efdbe Import Debian changes 1.1~pre12-1
tinc (1.1~pre12-1) experimental; urgency=medium

  * New upstream release.
  * Bump Standards-Version.
  * Depend on python-wxgtk3.0 for the GUI.
  * Use dh --with python2.
  * Add Build-Depends for dh-python.
  * Update links in debian/control and debian/copyright.
2019-08-26 13:44:52 +02:00
Guus Sliepen
ff4039db4b Import Debian changes 1.1~pre11-1
tinc (1.1~pre11-1) experimental; urgency=medium

  * New upstream release.
  * Update NEWS.Debian to reflect that tincctl has been renamed to tinc.
    Closes: #729889
  * Warn about incompatibility with previous 1.1preX releases, and that new
    Ed25519 keys should be generated.
  * Add native systemd service files.
  * Automatically convert networks listed in nets.boot to systemd service
    instances on upgrade.
  * Don't restart tinc on upgrade for now.
2019-08-26 13:44:52 +02:00
Guus Sliepen
edfe2872c3 Import Debian changes 1.1~pre9-1
tinc (1.1~pre9-1) experimental; urgency=low

  * New upstream release.
2019-08-26 13:44:51 +02:00
Guus Sliepen
43bffaeb98 Import Debian changes 1.1~pre8-2
tinc (1.1~pre8-2) experimental; urgency=low

  * Run make clean after the configure step to get rid of .o files that were
    accidentily left in the orig.tar.gz.
2019-08-26 13:44:51 +02:00
Guus Sliepen
b0db4c75f6 Import Debian changes 1.1~pre8-1
tinc (1.1~pre8-1) experimental; urgency=low

  * New upstream release.
    - Handles whitespace between command line flags and optional arguments.
      Closes: #710267
  * Bump Standards-Version.
  * Source /lib/lsb/init-functions in the init.d script.
  * Don't use texi2html anymore, use automake's install-html target which uses
    makeinfo.
2019-08-26 13:44:51 +02:00
Guus Sliepen
5c54f47af6 Import Debian changes 1.1~pre7-2
tinc (1.1~pre7-2) experimental; urgency=low

  [ Gian Piero Carrubba ]
  * Init script fails to pass extra arguments to tincd. Closes: #704701
    + Remove the '--' as it is passed unaltered to tincd, preventing it to read
      trailing parameters.
    + Pass extra arguments also when restarting the daemon.
  * Set process limits when started by ifupdown. Closes: #704702

  [ Guus Sliepen ]
  * Check whether the tincd process is still running in the if-post-down script.
    Closes: #704708
2019-08-26 13:44:51 +02:00
Guus Sliepen
a62bf04cde Import Debian changes 1.1~pre7-1
tinc (1.1~pre7-1) experimental; urgency=high

  * New upstream release.
    - Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
2019-08-26 13:44:50 +02:00
Guus Sliepen
2127705d53 Import Debian changes 1.1~pre6-1
tinc (1.1~pre6-1) experimental; urgency=low

  * New upstream release.
2019-08-26 13:44:50 +02:00
Guus Sliepen
e9142bd3a6 Import Debian changes 1.1~pre4-1
tinc (1.1~pre4-1) experimental; urgency=low

  [ Gian Piero ]
  * Allow resource limits to be set in /etc/default/tinc. Closes: #690685

  [ Guus Sliepen ]
  * New upstream release.
2019-08-26 13:44:50 +02:00
Guus Sliepen
cfba637f96 Import Debian changes 1.1~pre3-1
tinc (1.1~pre3-1) experimental; urgency=low

  * New upstream release.
  * Bump Standards-Version.
  * Enable parallel builds.
  * Bump debian/compat to 9, so tinc gets build with hardening flags.
  * Move tinc-gui to its own package.
2019-08-26 13:44:50 +02:00
Michael Tokarev
446afddf38 Import Debian changes 1.1~pre2-2
tinc (1.1~pre2-2) experimental; urgency=low

  * add forgotten build-depend on libncurses5-dev for new `tincctl top'
  * add libevent-dev build dependency
  * remove build dependency on gettext
2019-08-26 13:44:49 +02:00
Michael Tokarev
cf2ac65444 Import Debian changes 1.1~pre2-1
tinc (1.1~pre2-1) experimental; urgency=low

  * first cut of 1.1-tobe.
    Rewrote control scripts et al to use tincctl.
  * build-depend on libssl >>1.0.0 to get proper EC support
  * remove crypto-related symlinks from src/ in clean --
    probably should go into upstream makefile instead
2019-08-26 13:44:49 +02:00
Guus Sliepen
36f0d3c816 Import Debian changes 1.0.35-2
tinc (1.0.35-2) unstable; urgency=medium

  * Bump Standards-Version and Build-Depend on debhelper-compat (= 12).
  * Remove calls to dh_installinit and dh_systemd_start from debian/rules,
    compat level 12 does the right thing by default.
  * Ensure we clean up doc/tinc.info.
2019-08-26 13:44:49 +02:00
Guus Sliepen
ecd1f6f67a Import Debian changes 1.0.35-1
tinc (1.0.35-1) unstable; urgency=medium

  * New upstream release.
    - Includes fixes for CVE-2018-16737, CVE-2018-16738, CVE-2018-16758.
2019-08-26 13:44:49 +02:00
Guus Sliepen
f8e1f5a528 Import Debian changes 1.0.34-1
tinc (1.0.34-1) unstable; urgency=medium

  [ Guus Sliepen ]
  * New upstream release.
    - Fixes a potential segmentation fault when connecting to an IPv6
      peer via a proxy. Closes: #887401
  * Add support for the $EXTRA variable in /etc/default/tinc when using
    systemd. Closes: #887116

  [ Benda Xu ]
  * Prevent possible incorrect IPv6 checksums due to function inlining.
    Closes: #891400
2019-08-26 13:44:48 +02:00
Guus Sliepen
66e86a419b Import Debian changes 1.0.33-1
tinc (1.0.33-1) unstable; urgency=medium

  * New upstream release.
  * Test for /etc/default/tinc before trying to source it. Closes: #777262
  * Use --runstatedir=/run.
2019-08-26 13:44:48 +02:00
Guus Sliepen
ac78971aab Import Debian changes 1.0.32-1
tinc (1.0.32-1) unstable; urgency=medium

  * New upstream release.
  * Add a note to new nets.boot files that it is not used with systemd.
    Closes: #841052
  * In the post-down script, read the pid file only once. Closes: #832784
  * Explicitly use /bin/sleep from coreutils. Closes: #772379
  * Bump Standards-Version.
2019-08-26 13:44:48 +02:00
Guus Sliepen
2989322746 Import Debian changes 1.0.31-1+deb9u1
tinc (1.0.31-1+deb9u1) stretch-security; urgency=high

  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
2019-08-26 13:44:48 +02:00
Guus Sliepen
11d9efef1b Import Debian changes 1.0.31-1
tinc (1.0.31-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version.
  * Bump debian/compat.
  * Add missing Depends: lsb-base.
2019-08-26 13:44:47 +02:00
Guus Sliepen
dcd38ec07d Import Debian changes 1.0.29-2
tinc (1.0.29-2) unstable; urgency=medium

  * Rebuild with libssl-dev from unstable.
2019-08-26 13:44:47 +02:00
Guus Sliepen
502cecde93 Import Debian changes 1.0.29-1
tinc (1.0.29-1) unstable; urgency=medium

  * New upstream release.
  * Bump debian/compat.
2019-08-26 13:44:47 +02:00
Guus Sliepen
e537caa7b1 Import Debian changes 1.0.28-1
tinc (1.0.28-1) unstable; urgency=medium

  * New upstream release.
    - Fixes FTBFS on kfreebsd.
  * Systemd service files are now provided by upstream.
2019-08-26 13:44:47 +02:00
Aron Xu
02fdd053f1 Import Debian changes 1.0.28-1~bpo8+1
tinc (1.0.28-1~bpo8+1) jessie-backports; urgency=medium

  * Rebuild for jessie-backports.

tinc (1.0.28-1) unstable; urgency=medium

  * New upstream release.
    - Fixes FTBFS on kfreebsd.
  * Systemd service files are now provided by upstream.
2019-08-26 13:44:47 +02:00
Guus Sliepen
a83439b023 Import Debian changes 1.0.27-2
tinc (1.0.27-2) unstable; urgency=medium

  * Fix tinc@.service.
2019-08-26 13:44:46 +02:00
Guus Sliepen
c167efd01b Import Debian changes 1.0.27-1
tinc (1.0.27-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version.
  * Add native systemd unit files.
  * Automatically convert networks listed in nets.boot to systemd service
    instances on upgrade.
2019-08-26 13:44:46 +02:00
Guus Sliepen
088ed763df Import Debian changes 1.0.26-1
tinc (1.0.26-1) unstable; urgency=medium

  * New upstream release.
  * Use the contents, not the presence, of the pidfile to check that tincd is
    shut down properly. Closes: #774682
  * Bump Standards-Version.
2019-08-26 13:44:46 +02:00
Guus Sliepen
4d11e18342 Import Debian changes 1.0.24-2.1+deb8u1
tinc (1.0.24-2.1+deb8u1) jessie-security; urgency=medium

  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
2019-08-26 13:44:46 +02:00
Micah Anderson
1e23c12b1d Import Debian changes 1.0.24-2.1
tinc (1.0.24-2.1) unstable; urgency=medium

  * NMU after getting go ahead from guus on #tinc
  * Add a -dbg package which contains the debugging symbols for tinc
    Thanks hark@puscii.nl (Closes: #752561)
2019-08-26 13:44:45 +02:00
Guus Sliepen
c0d04cc168 Import Debian changes 1.0.24-2
tinc (1.0.24-2) unstable; urgency=medium

  * Improve the init script: stopping tinc now waits for the process to
    terminate. If that doesn't happen in 5 seconds, it will send the TERM
    signal again (which helps if tinc is waiting for a script to finish
    executing). It now also detects whether the process mentioned in the PID
    file is actually running, and if not it will exit early and without
    warnings. Closes: #748107
2019-08-26 13:44:45 +02:00
Micah Anderson
a0bb9d443f Import Debian changes 1.0.24-2~bpo70+1
tinc (1.0.24-2~bpo70+1) wheezy-backports; urgency=medium

  * Backport to wheezy-backports.
  * Add myself to Uploaders.

tinc (1.0.24-2) unstable; urgency=medium

  * Improve the init script: stopping tinc now waits for the process to
    terminate. If that doesn't happen in 5 seconds, it will send the TERM
    signal again (which helps if tinc is waiting for a script to finish
    executing). It now also detects whether the process mentioned in the PID
    file is actually running, and if not it will exit early and without
    warnings. Closes: #748107
2019-08-26 13:44:45 +02:00
Guus Sliepen
cce24e0be4 Import Debian changes 1.0.24-1
tinc (1.0.24-1) unstable; urgency=medium

  [ Guus Sliepen ]
  * New upstream release
  * Add a debian/watch file.
  * Bump Standards-Version.

  [ Gian Piero Carrubba ]
  * Allow resource limits to be set in /etc/default/tinc.
    Closes: #690685, #704702
2019-08-26 13:44:45 +02:00
Guus Sliepen
e53cefdf85 Import Debian changes 1.0.23-2
tinc (1.0.23-2) unstable; urgency=low

  * Use if-statements instead of && in shell scripts. Closes: #731279
    The && operator does not clear the error status, and if the next statement
    in a shell script does not change the error status it would cause the
    script to prematurely exit. Thanks to Peter Reinholdtsen for spotting it.
  * Use absolute path to tincd in the if-post-down script.
2019-08-26 13:44:45 +02:00
Guus Sliepen
d7b49da4e6 Import Debian changes 1.0.23-1
tinc (1.0.23-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:44 +02:00
Guus Sliepen
c09679c3ba Import Debian changes 1.0.23-1~bpo70+1
tinc (1.0.23-1~bpo70+1) wheezy-backports; urgency=low

  * Rebuild for wheezy-backports.

tinc (1.0.23-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:44 +02:00
Guus Sliepen
854118c85f Import Debian changes 1.0.22-1
tinc (1.0.22-1) unstable; urgency=low

  * New upstream release.
    - Handles whitespace between command line flags and optional arguments.
      Closes: #710267
  * Bump Standards-Version.
  * Source /lib/lsb/init-functions in the init.d script.
  * Don't use texi2html anymore, use automake's install-html target which uses
    makeinfo.
2019-08-26 13:44:44 +02:00
Guus Sliepen
a7e5217cf7 Import Debian changes 1.0.22-1~bpo70+1
tinc (1.0.22-1~bpo70+1) wheezy-backports; urgency=low

  * Rebuilt for wheezy-backports.

tinc (1.0.22-1) unstable; urgency=low

  * New upstream release.
    - Handles whitespace between command line flags and optional arguments.
      Closes: #710267
  * Bump Standards-Version.
  * Source /lib/lsb/init-functions in the init.d script.
  * Don't use texi2html anymore, use automake's install-html target which uses
    makeinfo.
2019-08-26 13:44:44 +02:00
Guus Sliepen
e8daab5950 Import Debian changes 1.0.21-1
tinc (1.0.21-1) unstable; urgency=low

  * New upstream release.
    - Includes fix for CVE-2013-1428.
2019-08-26 13:44:43 +02:00
Guus Sliepen
6698135e07 Import Debian changes 1.0.19-3
tinc (1.0.19-3) unstable; urgency=high

  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
2019-08-26 13:44:43 +02:00
Michael Tokarev
4343b5a2fa Import Debian changes 1.0.19-3~bpo60+1
tinc (1.0.19-3~bpo60+1) squeeze-backports; urgency=high

  * Rebuild for squeeze-backports.
  * Build-depend on libvdeplug2-dev, not libvdeplug-dev,
    as it is how it is named in squeeze.

tinc (1.0.19-3) unstable; urgency=high

  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
2019-08-26 13:44:43 +02:00
Guus Sliepen
a797a94c81 Import Debian changes 1.0.19-2
tinc (1.0.19-2) unstable; urgency=low

  * Fix behaviour of tinc-pidfile. Closes: #679130
  * Enable parallel building in debian/rules.
2019-08-26 13:44:43 +02:00
Michael Tokarev
cc0493ea17 Import Debian changes 1.0.19-2~bpo60+1
tinc (1.0.19-2~bpo60+1) squeeze-backports; urgency=low

  * Rebuild for squeeze-backports.
  * Build-depend on libvdeplug2-dev, not libvdeplug-dev,
    as it is how it is named in squeeze.

tinc (1.0.19-2) unstable; urgency=low

  * Fix behaviour of tinc-pidfile. Closes: #679130
  * Enable parallel building in debian/rules.
2019-08-26 13:44:43 +02:00
Guus Sliepen
06acdce080 Import Debian changes 1.0.19-1
tinc (1.0.19-1) unstable; urgency=low

  * New upstream release.
  * Bump debian/compat so tinc gets built with hardening flags.
  * Allow tinc-pidfile in /etc/network/interfaces.
2019-08-26 13:44:42 +02:00
Guus Sliepen
8ce89f6ef0 Import Debian changes 1.0.18-1
tinc (1.0.18-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:42 +02:00
Michael Tokarev
c63e635d89 Import Debian changes 1.0.18-1~bpo60+1
tinc (1.0.18-1~bpo60+1) squeeze-backports; urgency=low

  * Rebuild for squeeze-backports.
  * Build-Depend on libvdeplug-dev | libvdeplug2-dev, to compensate
    for package rename in wheezy.

tinc (1.0.18-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:42 +02:00
Guus Sliepen
c078db2fd8 Import Debian changes 1.0.17-1
tinc (1.0.17-1) unstable; urgency=low

  * New upstream release.
  * Enable support for UML and VDE.
2019-08-26 13:44:42 +02:00
Guus Sliepen
94e6f906d5 Import Debian changes 1.0.16-1
tinc (1.0.16-1) unstable; urgency=low

  * New upstream release.
  * Mention alarm option in /etc/init.d/tinc's usage information.
    Closes: #631761
2019-08-26 13:44:41 +02:00
Michael Tokarev
5a84bb737c Import Debian changes 1.0.16-1~bpo60+1
tinc (1.0.16-1~bpo60+1) squeeze-backports; urgency=low

  * Rebuild for squeeze-backports, no changes.

tinc (1.0.16-1) unstable; urgency=low

  * New upstream release.
  * Mention alarm option in /etc/init.d/tinc's usage information.
    Closes: #631761
2019-08-26 13:44:41 +02:00
Guus Sliepen
2ad1dc3fd7 Import Debian changes 1.0.15-1
tinc (1.0.15-1) unstable; urgency=low

  * New upstream release.
  * Send SIGALRM to running tinc daemons whenever an interface is brought up
    with the ifupdown framework. Based on a patch from Joachim Breitner.
    Closes: #629880
  * Allow tinc daemons to be started using ifupdown.
2019-08-26 13:44:41 +02:00
Guus Sliepen
3f653aaa2d Import Debian changes 1.0.14-1
tinc (1.0.14-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version.
2019-08-26 13:44:41 +02:00
Guus Sliepen
f01c927470 Import Debian changes 1.0.14-1~bpo60+1
tinc (1.0.14-1~bpo60+1) squeeze-backports; urgency=low

  * Rebuild for squeeze-backports.

tinc (1.0.14-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version.
2019-08-26 13:44:40 +02:00
Guus Sliepen
dc781ea51d Import Debian changes 1.0.13-1+squeeze1
tinc (1.0.13-1+squeeze1) squeeze-security; urgency=high

  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
2019-08-26 13:44:40 +02:00
Guus Sliepen
0fd2ac248d Import Debian changes 1.0.13-1
tinc (1.0.13-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:40 +02:00
Guus Sliepen
2006358f32 Import Debian changes 1.0.13-1~bpo50
tinc (1.0.13-1~bpo50) lenny-backports; urgency=low

  * New upstream release.
2019-08-26 13:44:40 +02:00
Guus Sliepen
3cfe4d82fb Import Debian changes 1.0.12-2
tinc (1.0.12-2) unstable; urgency=low

  * Remove debconf questions. Closes: #572116
    Apparently debconf may not be used to ask a question at install time and
    use the answer at upgrade time. Instead of kludging around this
    restriction, no questions are asked anymore, and tinc will now always be
    restarted when upgrading.
  * Wait up to 5 seconds for tinc daemon to stop before restarting it.
2019-08-26 13:44:40 +02:00
Guus Sliepen
0dd8a42607 Import Debian changes 1.0.12-1
tinc (1.0.12-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version.
  * Migrate from CDBS to debhelper.
  * Convert source package to 3.0 (quilt) format.
  * Remove useless tinc.modules.
  * Use init.d script from Michael Tokarev, allowing per-network arguments to
    tincd.
  * Remove update-rc.d calls from postinst and postrm.
  * Let the init.d script depend on $remote_fs.
2019-08-26 13:44:39 +02:00
Guus Sliepen
08ed40f17e Import Debian changes 1.0.12-1~bpo50
tinc (1.0.12-1~bpo50) lenny-backports; urgency=low

  * New upstream release.
  * Keep debian/ from 1.0.11-1~bpo50.
  * Use init.d script from Michael Tokarev, allowing per-network arguments to
    tincd.
  * Let the init.d script depend on $remote_fs.

tinc (1.0.11-1~bpo50+1) lenny-backports; urgency=low

  * Rebuild for lenny-backports.
2019-08-26 13:44:39 +02:00
Guus Sliepen
7e336e415f Import Debian changes 1.0.11-1
tinc (1.0.11-1) unstable; urgency=low

  * New upstream release.
  * Cope with texi2html arbitrarily changing its output directory.
    Closes: #552927
  * Do not stop tinc when configuring a new version, just restart after
    the upgrade.
2019-08-26 13:44:39 +02:00
Guus Sliepen
b96e4c6b19 Import Debian changes 1.0.11-1~bpo50+1
tinc (1.0.11-1~bpo50+1) lenny-backports; urgency=low

  * Rebuild for lenny-backports.

tinc (1.0.11-1) unstable; urgency=low

  * New upstream release.
  * Cope with texi2html arbitrarily changing its output directory.
    Closes: #552927
  * Do not stop tinc when configuring a new version, just restart after
    the upgrade.
2019-08-26 13:44:39 +02:00
Guus Sliepen
445df16805 Import Debian changes 1.0.10-1
tinc (1.0.10-1) unstable; urgency=low

  * New upstream release.
  * Include Russian debconf translation. Closes: #548759
2019-08-26 13:44:38 +02:00
Guus Sliepen
4812d2eb3d Import Debian changes 1.0.9-1
tinc (1.0.9-1) unstable; urgency=low

  * New upstream release.
    - Binds IPv6 sockets only to IPv6. Closes: #440150
  * Update copyright file. Closes: #482566
2019-08-26 13:44:38 +02:00
Guus Sliepen
19f25e5e7d Import Debian changes 1.0.8-2
tinc (1.0.8-2) unstable; urgency=low

  * Include Portugese debconf translation. Closes: #434191
2019-08-26 13:44:38 +02:00
Guus Sliepen
74be525b2f Import Debian changes 1.0.8-1
tinc (1.0.8-1) unstable; urgency=low

  * New upstream release. Closes: #173987
  * Include german debconf translation. Closes: #412351
  * Build-Depend on texinfo. Closes: #424209
2019-08-26 13:44:38 +02:00
Guus Sliepen
be5fbb7e93 Import Debian changes 1.0.7-1
tinc (1.0.7-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:37 +02:00
Guus Sliepen
bcb4501d84 Import Debian changes 1.0.6-1
tinc (1.0.6-1) unstable; urgency=low

  * New upstream release.
2019-08-26 13:44:37 +02:00
Guus Sliepen
c473eb1653 Import Debian changes 1.0.5-1
tinc (1.0.5-1) unstable; urgency=low

  * New upstream release. Closes: #391610
  * Add an LSB section to the init script.
2019-08-26 13:44:37 +02:00
Guus Sliepen
2cb3185582 Import Debian changes 1.0.4-4
tinc (1.0.4-4) unstable; urgency=low

  * Include swedish debconf translation. Closes: #332963
  * Remove nets.boot on purge. Closes: #333303
2019-08-26 13:44:37 +02:00
Guus Sliepen
23459e1237 Import Debian changes 1.0.4-3
tinc (1.0.4-3) unstable; urgency=low

  * Depend on debconf | debconf-2.0.
  * Include vietnamese debconf translation. Closes: #322305
  * Include japanese debconf translation. Closes: #319591
2019-08-26 13:44:37 +02:00
Guus Sliepen
458d509a4f Import Debian changes 1.0.4-2
tinc (1.0.4-2) unstable; urgency=low

  * Compensate for change in texinfo's output directory. Closes: #318562
  * Include Czech translation of the debconf questions. Closes: #312982
2019-08-26 13:44:36 +02:00
Guus Sliepen
64f9c3df1b Import Debian changes 1.0.4-1
tinc (1.0.4-1) unstable; urgency=low

  * New upstream release. Closes: #294819
  * Update french translation of debconf template. Closes: #293371, #296148
  * Allow dashes in nets.boot. Closes: #296281
2019-08-26 13:44:36 +02:00
Guus Sliepen
6f5ff440c9 Import Debian changes 1.0.3-4
tinc (1.0.3-4) unstable; urgency=low

  * Call debconf early in postinst so it won't get confused by output
    from other commands in the postinst script. Closes: #292920
  * If MAKEDEV doesn't know about net/tun, fall back to tun.

tinc (1.0.3-3) unstable; urgency=low

  * Fix clean rule in debian/rules.

tinc (1.0.3-2) unstable; urgency=low

  * Don't check for /dev/tap* in postinst if we don't create them anyway.
  * MAKEDEV expects net/tun instead of tun.
  * Don't ask if /dev/net/tun should be created, just do it.
    Closes: #259489, #292450
  * Move $EXTRA from init.d/tinc to /etc/default/tinc. Closes: #281366

tinc (1.0.3-1) unstable; urgency=low

  * New upstream release.
  * Adopting the package from Ivo.
  * Use invoke-rc.d, and tell user to do so as well. Closes: #223276
  * Let force-reload do the same thing as reload. Closes: #230180

tinc (1.0.2-2) unstable; urgency=low

  * debian/control: Oops, really make that automake1.7.

tinc (1.0.2-1) unstable; urgency=low

  * New upstream release:
      * Fix broken replies to CHAL_RESP.  (Closes: #217646)
  * debian/control: Updated automake build dependency to automake1.7.
    (Closes: #219360)

tinc (1.0.1-2) unstable; urgency=low

  * debian/dirs: Removed, moved contents to tinc.dirs.
    (Closes: #208591)
  * debian/docs: Renamed to tinc.docs.
  * debian/rules: Install the contents of doc/sample-config.tar.gz in
    /usr/share/doc/tinc/examples instead of /etc/tinc.
  * debian/Makefile*: Removed.

tinc (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/001_openbsd_device.c.patch: Removed.

tinc (1.0release-1) unstable; urgency=low

  * New upstream version.  (Closes: #204639)
      * Fixes switching back to normal logging mode when killing with
        SIGINT twice.  (Closes: #175633)
      * Uses one SSL context struct for each connection, speeding up
        encrypting/decrypting data; don't throw away out of sequence
        packets.  (Closes: #188874)
      * Fixes handling of broadcast messages.  (Closes: #175632)
  * debian/rules: Use cdbs.
  * debian/control: Build-Depend on cdbs, liblzo-dev.
  * debian/patches/001_openbsd_device.c.patch: Sync openbsd/device.c to
    latest CVS version.

tinc (1.0pre8-6) unstable; urgency=low

  * debian/po/fr.po: Added French debconf translation.  (Closes: #201803)

tinc (1.0pre8-5) unstable; urgency=low

  * debian/*: Change to po-debconf, thanks to From: Michel Grentzinger
    <mic.grentz@online.fr> for the patch:
      - change debhelper dependency to 4.1.16 (according to man
        po-debconf),
      - manually add nl translation in old tinc.templates (master),
      - run debconf-gettextize debian/tinc.templates,
      - move old templates files (debian/tinc.templates.*),
      - change construction "If you say no" to "If you refuse",
  * debian/rules: Call po2debconf.
  * debian/rules: Don't copy COPYING.README to the package.
  * debian/control: Update Standards-Version.
  * debian/conffiles: Removed.
  * debian/postinst: No longer use mknod directly, use MAKEDEV.

tinc (1.0pre8-4) unstable; urgency=low

  * src/net.h, src/net_packet.c, src/net_setup.c: Apply fix from CVS
    for OpenSSL-related memory leaks.  (Closes: #189432)

tinc (1.0pre8-3) unstable; urgency=low

  * m4/openssl.m4: Updated to CVS version.  (Closes: #184400)

tinc (1.0pre8-2) unstable; urgency=low

  * debian/postinst: Create /dev/net/tun if it doesn't exist.
  * debian/tinc.modules: Add alias for /dev/net/tun.
  * debian/rules: Install tinc.modules.
  * These things together: (Closes: #151967, #153156)

tinc (1.0pre8-1) unstable; urgency=low

  * New upstream version.
  * debian/rules:
      - DEB_BUILD_OPTIONS support.
      - Enable --enable-tracing by default.

tinc (1.0pre7-3) unstable; urgency=low

  * Properly install _all_ info pages. (Closes: #144718)
2019-08-26 13:44:36 +02:00
Ivo Timmermans
0f3c45c5cc Import Debian changes 1.0pre7-2
tinc (1.0pre7-2) unstable; urgency=low

  * Dutch translation wasn't being installed.

tinc (1.0pre7-1) unstable; urgency=medium

  * New upstream release.

tinc (1.0pre6-3) unstable; urgency=medium

  * Synched with upstream CVS.
  * Added build dependency on zlib1g-dev. (Closes: #141705)

tinc (1.0pre6-2) unstable; urgency=low

  * The Section was non-US again, so changed it back to main/net.

tinc (1.0pre6-1) unstable; urgency=low

  * New upstream release.
  * Fixed text in debian/copyright

tinc (1.0pre5-4) unstable; urgency=low

  * Added a debconf question for restarting on upgrade.
  * Added reload option to init.d, start with EXTRA='-d' default.
  * Moved from non-US to main.
  * Install example configuration files.
  * The HTML documentation wasn't installed; fixed.

tinc (1.0pre5-3) unstable; urgency=low

  * Config variables are now treated case sentitivly again.
  * Added a forgotten xstrdup.

tinc (1.0pre5-2) unstable; urgency=low

  * MaxTimeout accidentally wasn't configurable. (Closes: #119653)

tinc (1.0pre5-1) unstable; urgency=low

  * New upstream version. (Closes: #119653)
  * Init script redone in sh.

tinc (1.0pre4-1.cvs010621.6) unstable; urgency=low

  * Somehow po-Makefile.in.in.diff got lost, readded. (Closes: #119157)

tinc (1.0pre4-1.cvs010621.5) unstable; urgency=low

  * Fix a typo in postinst that let it MAKEDEV even on devfs.
    (Closes: #116034)

tinc (1.0pre4-1.cvs010621.4) unstable; urgency=low

  * Ask before creating the device files. (Closes: #111099)
  * Add a section to the info file.

tinc (1.0pre4-1.cvs010621.3) unstable; urgency=low

  * Build and install html documentation. (Closes: #106843)
  * Remove build-time dependency on libc6-dev.

tinc (1.0pre4-1.cvs010621.2) unstable; urgency=low

  * Changed location of the pidfile. (Closes: #102798)

tinc (1.0pre4-1.cvs010621.1) unstable; urgency=low

  * New upstream version. (Closes: #98730)
  * Rebuilding automatically inserted new config.{sub|guess}.
    (Closes: #98165)
  * Updated Standards-Version.
  * Don't include a sample configuration file.

tinc (1.0pre3-5) unstable; urgency=low

  * Fixed an error in the init script that prevented tinc from
    starting correctly.

tinc (1.0pre3-4) unstable; urgency=low

  * Change build-depends for OpenSSL to libssl096-dev
    (Closes: #84197, #84873).

tinc (1.0pre3-3) unstable; urgency=low

  * Set architecture to any (really this time!) (Closes: #80451).
  * Section set to non-US

tinc (1.0pre3-2) unstable; urgency=low

  * Set architecture to any (Closes: #80451).
  * Added tinc.modules with some useful module aliases.

tinc (1.0pre3-1) unstable; urgency=low

  * New upstream version (1.0pre3) (Closes: #71274).
  * Better Depends and Build-Depends lines.
  * Dropped dependencies on libgmp, added libssl.
  * doc-base.tinc: New file.
  * Deleted the file shlibs, as there on longer is a libblowfish.
  * Patch po/Makefile.in.in from po-Makefile.in.in.diff if necessary.
  * Use dh_perl to get accurate perl dependencies.

tinc (1.0pre2-1.1) unstable; urgency=low

  * NMU at Ivo's request as his application is being processed, and his
    sponsor is based in the US.

tinc (1.0pre2-1) unstable; urgency=low

  * postinst creates a file /etc/tinc/nets.boot, containing all networks
    to be started upon system startup;
  * init.d script starts all networks from that list.
  * postinst script creates tap devices.

tinc (1.0pre1-0.4) unstable; urgency=low

  * postinst script.

tinc (1.0pre1-0.3) unstable; urgency=low

  * system startup script.

tinc (1.0pre1-0.2) unstable; urgency=low

  * Included the blowfish license.

tinc (1.0pre1-0.1) unstable; urgency=low

  * Initial Release.
2019-08-26 13:44:36 +02:00
117 changed files with 11919 additions and 24731 deletions

74
.drone.yml Normal file
View file

@ -0,0 +1,74 @@
kind: pipeline
name: default
steps:
- name: Build Bullseye
image: debian:bullseye
volumes:
- name: finished_files
path: /deb_files
commands:
- apt update
- apt -y upgrade
- apt -y install --no-install-recommends build-essential equivs devscripts git rename
- git clean -f -d -x
- mk-build-deps --install --tool='apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes' debian/control
- dpkg-buildpackage -b -uc
- rename 's/\.deb/_bullseye\.deb/' ../*.deb
- mkdir -p /deb_files/bullseye/
- cp ../tinc*.deb /deb_files/bullseye/
- find /deb_files/
- name: Build Buster
image: debian:buster
volumes:
- name: finished_files
path: /deb_files
commands:
- apt update
- apt -y upgrade
- apt -y install --no-install-recommends build-essential equivs devscripts git rename
- git clean -f -d -x
- mk-build-deps --install --tool='apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes' debian/control
- dpkg-buildpackage -b -uc
- rename 's/\.deb/_buster\.deb/' ../*.deb
- mkdir -p /deb_files/buster/
- cp ../tinc*.deb /deb_files/buster/
- find /deb_files/
- name: Build Ubuntu Focal
image: ubuntu:focal
volumes:
- name: finished_files
path: /deb_files
commands:
- apt update
- apt -y upgrade
- DEBIAN_FRONTEND=noninteractive apt -y install --no-install-recommends build-essential equivs devscripts git rename
- git clean -f -d -x
- mk-build-deps --install --tool='apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes' debian/control
- dpkg-buildpackage -b -uc
- rename 's/\.deb/_focal\.deb/' ../*.deb
- mkdir -p /deb_files/focal/
- cp ../tinc*.deb /deb_files/focal/
- find /deb_files/
- name: gitea_release
image: plugins/gitea-release
volumes:
- name: finished_files
path: /deb_files
settings:
api_key:
from_secret: GITEA_KEY
base_url: https://git.neulandlabor.de/
files:
- /deb_files/buster/*
- /deb_files/bullseye/*
- /deb_files/focal/*
when:
event: tag
volumes:
- name: finished_files
temp: {}

View file

@ -1,4 +1,4 @@
Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.
Copyright (C) 1998-2021 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.
This program is free software; you can redistribute it and/or modify it under

26258
ChangeLog

File diff suppressed because it is too large Load diff

View file

@ -2,7 +2,7 @@
AUTOMAKE_OPTIONS = gnu
SUBDIRS = src doc test systemd
SUBDIRS = src doc test systemd bash_completion.d
ACLOCAL_AMFLAGS = -I m4

View file

@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -145,8 +145,8 @@ am__recursive_targets = \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir distdir-am dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \
$(LISP)config.h.in
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \
config.h.in
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
@ -208,6 +208,8 @@ am__relativize = \
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
# Exists only to be overridden by the user if desired.
AM_DISTCHECK_DVI_TARGET = dvi
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
@ -323,7 +325,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = gnu
SUBDIRS = src doc test systemd
SUBDIRS = src doc test systemd bash_completion.d
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = COPYING.README README.android
all: config.h
@ -568,6 +570,10 @@ dist-xz: distdir
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-zstd: distdir
tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@ -610,6 +616,8 @@ distcheck: dist
eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
*.tar.zst*) \
zstd -dc $(distdir).tar.zst | $(am__untar) ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
@ -625,7 +633,7 @@ distcheck: dist
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
@ -786,7 +794,7 @@ uninstall-am:
am--refresh check check-am clean clean-cscope clean-generic \
cscope cscopelist-am ctags ctags-am dist dist-all dist-bzip2 \
dist-gzip dist-lzip dist-shar dist-tarZ dist-xz dist-zip \
distcheck distclean distclean-generic distclean-hdr \
dist-zstd distcheck distclean distclean-generic distclean-hdr \
distclean-tags distcleancheck distdir distuninstallcheck dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-dvi install-dvi-am \

20
NEWS
View file

@ -1,3 +1,23 @@
# Version 1.1pre18 June 27 2021
* Check all Address statements when making outgoing connections.
* Make more variables safe for use in invitations.
* Allow "tinc --force join" to accept all variables sent in an invitation.
* Make sure the stop command works on Windows if tincd is running in the
foreground.
* Handle DOS line endings in invitation files.
* Double-quote node names in dump graph output.
* Prevent large amounts of UDP probes being sent consecutively.
* Try harder to reconnect with unreachable nodes.
* Generate tinc-up.bat on Windows.
* Fix a possible infinite loop when adding Subnets to a running tincd.
* Allow a tun/tap filedescriptor to be passed through a UNIX socket.
* Use auto-clone tun/tap devices as default on FreeBSD and DragonFlyBSD.
Thanks to Fabian Maurer, Ilia Pavlikhin, Maciej S. Szmigiero, Pacien
Tran-Girard, Aaron Li, Andreas Rammhold, Rosen Penev, Shengjing Zhu, Werner
Schreiber, iczero and leptonyu for their contributions to this version of tinc.
# Version 1.1pre17 October 8 2018
* Prevent oracle attacks in the legacy protocol (CVE-2018-16737,

6
README
View file

@ -1,7 +1,7 @@
This is the README file for tinc version 1.1pre17. Installation
This is the README file for tinc version 1.1pre18. Installation
instructions may be found in the INSTALL file.
tinc is Copyright © 1998-2018 Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others.
tinc is Copyright © 1998-2021 Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others.
For a complete list of authors see the AUTHORS file.
@ -46,7 +46,7 @@ versions, the security might only be as good as that of the oldest version.
Compatibility
-------------
Version 1.1pre17 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.1pre18 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.
When the ExperimentalProtocol option is used, tinc is still compatible with

21
THANKS
View file

@ -1,9 +1,11 @@
We would like to thank the following people for their contributions to tinc:
* Aaron Li
* Alexander Reil and Gemeinde Berg
* Alexander Ried
* Alexis Hildebrandt
* Allesandro Gatti
* Andreas Rammhold
* Andreas van Cranenburgh
* Andrew Hahn
* Anthony G. Basile
@ -26,17 +28,23 @@ We would like to thank the following people for their contributions to tinc:
* Enrique Zanardi
* Erik Tews
* Etienne Dechamps
* Fabian Maurer
* Florent Clairambault
* Florian Forster
* Florian Klink
* Florian Weik
* Flynn Marquardt
* Franz Pletz
* Fufu Fang
* Gary Kessler and Claudia Gonzalez
* Grzegorz Dymarek
* Gusariev Oleksandr
* Hans Bayle
* Harvest
* Huai An Hsu
* iczero
* Ilia Pavlikhin
* Ivan Mirić
* Ivo Smits
* Ivo van Dong
* James Cook
@ -49,17 +57,21 @@ We would like to thank the following people for their contributions to tinc:
* Jeroen Domburg
* Jeroen Ubbink
* Jerome Etienne
* Jiang Sheng
* Jochen Voss
* Jo-Philipp Wich
* Julien Muchembled
* Lavrans Laading
* leptonyu
* Loïc Dachary
* Loïc Grenié
* Lubomír Bulej
* luckyhacky
* LunarShaddow
* Maciej S. Szmigiero
* Mads Kiilerich
* Marc A. Lehmann
* Marco Oggioni
* Mark Glines
* Mark Petryk
* Markus Goetz
@ -78,20 +90,26 @@ We would like to thank the following people for their contributions to tinc:
* Nathan Stratton Treadway
* Nick Hibma
* Nick Patavalis
* Pacien Tran-Girard
* Patrick Helms
* Paul Littlefield
* Philipp Babel
* Pierre Emeriaud
* Pierre-Olivier Mercier
* Rafael Sadowski
* Rafał Leśniak
* René Rüthlein
* Rhosyn Celyn
* Robert van der Meulen
* Robert Waniek
* Rosen Penev
* Rumko
* Ryan Miller
* Sam Bryan
* Samuel Thibault
* Saverio Proto
* Scott Lamb
* Shengjing Zhu
* Steffan Karger
* Stig Fagrell
* Sven-Haegar Koch
@ -104,8 +122,11 @@ We would like to thank the following people for their contributions to tinc:
* Tonnerre Lombard
* Ulrich Seifert
* Vil Brekin
* Vincent Laurent
* Vittorio Gambaletta
* Volker Augustin
* Wendy Willard
* Werner Schreiber
* Wessel Dankers
* William A. Kennington III
* William McArthur

55
aclocal.m4 vendored
View file

@ -1,6 +1,6 @@
# generated automatically by aclocal 1.16.1 -*- Autoconf -*-
# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -20,7 +20,7 @@ You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically 'autoreconf'.])])
# Copyright (C) 2002-2018 Free Software Foundation, Inc.
# Copyright (C) 2002-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.16'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.16.1], [],
m4_if([$1], [1.16.3], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@ -51,14 +51,14 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.16.1])dnl
[AM_AUTOMAKE_VERSION([1.16.3])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -110,7 +110,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd`
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2018 Free Software Foundation, Inc.
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -141,7 +141,7 @@ AC_CONFIG_COMMANDS_PRE(
Usually this means the macro was only invoked conditionally.]])
fi])])
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -332,7 +332,7 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
# Generate code to set up dependency tracking. -*- Autoconf -*-
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -371,7 +371,9 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
done
if test $am_rc -ne 0; then
AC_MSG_FAILURE([Something went wrong bootstrapping makefile fragments
for automatic dependency tracking. Try re-running configure with the
for automatic dependency tracking. If GNU make was not used, consider
re-running the configure script with MAKE="gmake" (or whatever is
necessary). You can also try re-running configure with the
'--disable-dependency-tracking' option to at least be able to build
the package (albeit without support for automatic dependency tracking).])
fi
@ -398,7 +400,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
# Do all the work for Automake. -*- Autoconf -*-
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -595,7 +597,7 @@ for _am_header in $config_headers :; do
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -616,7 +618,7 @@ if test x"${install_sh+set}" != xset; then
fi
AC_SUBST([install_sh])])
# Copyright (C) 2003-2018 Free Software Foundation, Inc.
# Copyright (C) 2003-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -637,7 +639,7 @@ AC_SUBST([am__leading_dot])])
# Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -680,7 +682,7 @@ AC_SUBST([am__quote])])
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
# Copyright (C) 1997-2018 Free Software Foundation, Inc.
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -701,12 +703,7 @@ AC_DEFUN([AM_MISSING_HAS_RUN],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
*)
MISSING="\${SHELL} $am_aux_dir/missing" ;;
esac
MISSING="\${SHELL} '$am_aux_dir/missing'"
fi
# Use eval to expand $SHELL
if eval "$MISSING --is-lightweight"; then
@ -719,7 +716,7 @@ fi
# Helper functions for option handling. -*- Autoconf -*-
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -748,7 +745,7 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -795,7 +792,7 @@ AC_LANG_POP([C])])
# For backward compatibility.
AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -814,7 +811,7 @@ AC_DEFUN([AM_RUN_LOG],
# Check to make sure that the build environment is sane. -*- Autoconf -*-
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -895,7 +892,7 @@ AC_CONFIG_COMMANDS_PRE(
rm -f conftest.file
])
# Copyright (C) 2009-2018 Free Software Foundation, Inc.
# Copyright (C) 2009-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -955,7 +952,7 @@ AC_SUBST([AM_BACKSLASH])dnl
_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl
])
# Copyright (C) 2001-2018 Free Software Foundation, Inc.
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -983,7 +980,7 @@ fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])
# Copyright (C) 2006-2018 Free Software Foundation, Inc.
# Copyright (C) 2006-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -1002,7 +999,7 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# Check how to create a tarball. -*- Autoconf -*-
# Copyright (C) 2004-2018 Free Software Foundation, Inc.
# Copyright (C) 2004-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,

View file

@ -0,0 +1,2 @@
bash_completiondir = @datarootdir@/bash-completion/completions/
dist_bash_completion_DATA = tinc

View file

@ -0,0 +1,490 @@
# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = bash_completion.d
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/ax_append_flag.m4 \
$(top_srcdir)/m4/ax_cflags_warn_all.m4 \
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 \
$(top_srcdir)/m4/ax_code_coverage.m4 \
$(top_srcdir)/m4/ax_require_defined.m4 \
$(top_srcdir)/m4/curses.m4 $(top_srcdir)/m4/libgcrypt.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/miniupnpc.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/readline.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(dist_bash_completion_DATA) \
$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(bash_completiondir)"
DATA = $(dist_bash_completion_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CODE_COVERAGE_CFLAGS = @CODE_COVERAGE_CFLAGS@
CODE_COVERAGE_CPPFLAGS = @CODE_COVERAGE_CPPFLAGS@
CODE_COVERAGE_CXXFLAGS = @CODE_COVERAGE_CXXFLAGS@
CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@
CODE_COVERAGE_LDFLAGS = @CODE_COVERAGE_LDFLAGS@
CODE_COVERAGE_LIBS = @CODE_COVERAGE_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CURSES_LIBS = @CURSES_LIBS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
GCOV = @GCOV@
GENHTML = @GENHTML@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LCOV = @LCOV@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MINIUPNPC_LIBS = @MINIUPNPC_LIBS@
MKDIR_P = @MKDIR_P@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
READLINE_LIBS = @READLINE_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
systemd_path = @systemd_path@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
bash_completiondir = @datarootdir@/bash-completion/completions/
dist_bash_completion_DATA = tinc
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu bash_completion.d/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu bash_completion.d/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-dist_bash_completionDATA: $(dist_bash_completion_DATA)
@$(NORMAL_INSTALL)
@list='$(dist_bash_completion_DATA)'; test -n "$(bash_completiondir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(bash_completiondir)'"; \
$(MKDIR_P) "$(DESTDIR)$(bash_completiondir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(bash_completiondir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(bash_completiondir)" || exit $$?; \
done
uninstall-dist_bash_completionDATA:
@$(NORMAL_UNINSTALL)
@list='$(dist_bash_completion_DATA)'; test -n "$(bash_completiondir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(bash_completiondir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
distdir-am: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(bash_completiondir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-dist_bash_completionDATA
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-dist_bash_completionDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic cscopelist-am \
ctags-am distclean distclean-generic distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-dist_bash_completionDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-dist_bash_completionDATA
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

92
bash_completion.d/tinc Normal file
View file

@ -0,0 +1,92 @@
_tinc() {
local cur prev opts confvars commands nets
COMPREPLY=()
cur="${COMP_WORDS[COMP_CWORD]}"
prev="${COMP_WORDS[COMP_CWORD-1]}"
opts="-c -d -D -K -n -o -L -R -U --config --no-detach --debug --net --option --mlock --logfile --pidfile --chroot --user --help --version"
confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding FWMark GraphDumpFile Hostnames IffOneQueue IndirectData Interface InvitationExpire KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode MTUInfoInterval Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryKeepaliveInterval UDPDiscoveryInterval UDPDiscoveryTimeout UDPInfoInterval UDPRcvBuf UDPSndBuf UPnP UPnPDiscoverWait UPnPRefreshPeriod VDEGroup VDEPort Weight"
commands="add connect debug del disconnect dump edit export export-all generate-ed25519-keys generate-keys generate-rsa-keys get help import info init invite join list log network pcap pid purge reload restart retry set sign start stop top verify version"
case ${prev} in
-c|--config)
compopt -o dirnames 2>/dev/null
return 0
;;
-n|--net)
nets=""
pushd /etc/tinc >/dev/null 2>/dev/null
for dir in *; do
if [[ -f "$dir/tinc.conf" ]]; then
nets="$nets $dir"
fi
done
popd >/dev/null 2>/dev/null
COMPREPLY=( $(compgen -W "${nets}" -- ${cur}) )
return 0
;;
-o|--option)
compopt -o nospace
COMPREPLY=( $(compgen -W "${confvars}" -- ${cur}) )
if [[ ${#COMPREPLY[*]} == 1 ]] ; then
COMPREPLY=$COMPREPLY=
fi
return 0
;;
-U|--user)
COMPREPLY=( $(compgen -u ${cur}) )
return 0
;;
--logfile|--pidfile)
compopt -o filenames 2>/dev/null
COMPREPLY=( $(compgen -f ${cur}) )
return 0
esac
if [[ ${cur} == -* ]] ; then
COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
return 0
fi
if [[ $1 == "d" ]]; then
if [[ -z ${cur} ]] ; then
COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
fi
return 0
fi
COMPREPLY=( $(compgen -W "${commands}" -- ${cur}) )
case $prev in
get|set|add|del)
COMPREPLY=( $(compgen -W "${confvars}" -- ${cur}) )
return 0
;;
dump|list|reachable)
COMPREPLY=( $(compgen -W "reachable nodes edges subnets connections graph invitations" -- ${cur}) )
return 0
;;
network)
nets=""
pushd /etc/tinc >/dev/null 2>/dev/null
for dir in *; do
if [[ -f "$dir/tinc.conf" ]]; then
nets="$nets $dir"
fi
done
popd >/dev/null 2>/dev/null
COMPREPLY=( $(compgen -W "${nets}" -- ${cur}) )
return 0
;;
esac
if [[ -z ${cur} ]] ; then
COMPREPLY=( $(compgen -W "${opts} ${commands}" -- ${cur}) )
fi
return 0
}
_tincd() {
_tinc d;
}
_tincctl() {
_tinc ctl;
}
complete -F _tincd tincd
complete -F _tincctl tinc

View file

@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@ -53,7 +53,7 @@ func_file_conv ()
MINGW*)
file_conv=mingw
;;
CYGWIN*)
CYGWIN* | MSYS*)
file_conv=cygwin
;;
*)
@ -67,7 +67,7 @@ func_file_conv ()
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
cygwin/* | msys/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)

View file

@ -33,9 +33,6 @@
/* Define to 1 if you have the <curses.h> header file. */
#undef HAVE_CURSES_H
/* Cygwin */
#undef HAVE_CYGWIN
/* Define to 1 if you have the `daemon' function. */
#undef HAVE_DAEMON
@ -264,6 +261,9 @@
/* Solaris/SunOS */
#undef HAVE_SOLARIS
/* Define to 1 if you have the <stddef.h> header file. */
#undef HAVE_STDDEF_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@ -381,9 +381,6 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
@ -422,9 +419,6 @@
/* Define to 1 if you need to in order for `stat' and other things to work. */
#undef _POSIX_SOURCE
/* Enable BSD extensions */
#undef __USE_BSD
/* Defined if the __malloc__ attribute is not supported. */
#undef __malloc__

977
configure vendored

File diff suppressed because it is too large Load diff

View file

@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script.
origcflags="$CFLAGS"
AC_PREREQ(2.61)
AC_PREREQ(2.69)
AC_INIT([tinc], m4_esyscmd_s((git describe || echo UNKNOWN) | sed 's/release-//'))
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([std-options subdir-objects nostdinc silent-rules -Wall])
@ -10,14 +10,11 @@ AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AM_SILENT_RULES([yes])
# Enable GNU extensions.
# Define this here, not in acconfig's @TOP@ section, since definitions
# in the latter don't make it into the configure-time tests.
AC_GNU_SOURCE
AC_DEFINE([__USE_BSD], 1, [Enable BSD extensions])
AC_USE_SYSTEM_EXTENSIONS
dnl Checks for programs.
AC_PROG_CC_C99
AC_PROG_CC
AC_PROG_CC_STDC
AC_PROG_CPP
AC_PROG_INSTALL
AM_PROG_CC_C_O
@ -65,8 +62,7 @@ case $host_os in
AC_DEFINE(HAVE_BSD, 1, [Unknown BSD variant])
;;
*cygwin*)
cygwin=true
AC_DEFINE(HAVE_CYGWIN, 1, [Cygwin])
AC_MSG_ERROR("Cygwin is no longer supported. Use MinGW to build native Windows binaries.")
;;
*mingw*)
mingw=true
@ -95,6 +91,7 @@ AC_ARG_ENABLE(vde,
AS_HELP_STRING([--enable-vde], [enable support for Virtual Distributed Ethernet]),
[ AS_IF([test "x$enable_vde" = "xyes"],
[ AC_CHECK_HEADERS(libvdeplug_dyn.h, [], [AC_MSG_ERROR([VDE plug header files not found.]); break])
AC_CHECK_LIB(dl, dlopen, [LIBS="$LIBS -ldl"], [AC_MSG_ERROR([VDE plug depends on libdl.]); break])
AC_DEFINE(ENABLE_VDE, 1, [Support for VDE])
vde=true
],
@ -168,7 +165,7 @@ AS_IF([test "x$enable_hardening" != "xno"],
dnl Checks for header files.
dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
AC_CHECK_HEADERS([syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h sys/un.h sys/wait.h netdb.h arpa/inet.h dirent.h getopt.h])
AC_CHECK_HEADERS([syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h sys/un.h sys/wait.h netdb.h arpa/inet.h dirent.h getopt.h stddef.h])
AC_CHECK_HEADERS([net/if.h net/if_types.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h],
[], [], [#include "$srcdir/src/have.h"]
)
@ -189,7 +186,6 @@ AC_CHECK_TYPES([struct ether_header, struct arphdr, struct ether_arp, struct ip,
)
dnl Checks for library functions.
AC_TYPE_SIGNAL
AC_CHECK_FUNCS([asprintf daemon fchmod flock fork gettimeofday mlockall putenv recvmmsg strsignal nanosleep unsetenv vsyslog devname fdevname],
[], [], [#include "$srcdir/src/have.h"]
)
@ -266,6 +262,6 @@ if test "x$runstatedir" = "x"; then
AC_SUBST([runstatedir], ['${localstatedir}/run'])
fi
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile test/Makefile systemd/Makefile])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile test/Makefile test/testlib.sh systemd/Makefile bash_completion.d/Makefile])
AC_OUTPUT

43
debian/NEWS vendored Normal file
View file

@ -0,0 +1,43 @@
tinc (1.1~pre11-1) experimental; urgency=medium
This package now provides a native systemd service file, allowing multiple
instances of tinc to be managed. Existing networks listed in
/etc/tinc/nets.boot will be converted to service instances once during this
upgrade. Afterwards, you can enable and disable networks using:
systemctl enable tinc@<netname>
systemctl disable tinc@<netname>
If you do not have systemd installed, the SysV init script will continue to
work as usual. For more information, see README.Debian.
Please note that tinc 1.1pre11 is backwards compatible with tinc 1.0.x, but
is not backwards compatible with 1.1pre1 to 1.1pre10 nodes if
ExperimentalProtocol is enabled, which is the default.
If you have more than one node running an 1.1 prerelease version in your VPN,
make sure you upgrade them all at the same time, or disable the new protocol
by adding the following line to tinc.conf:
ExperimentalProtocol = no
If you do want to use the new protocol, be aware that this version of tinc
switched to Ed25519 keys. You can generate a new Ed25519 keypair by running
the following command:
tinc -n <netname> generate-ed25519-keys
You have to manually restart tinc after this upgrade.
-- Guus Sliepen <guus@debian.org> Sat, 08 Jan 2015 14:02:27 +0100
tinc (1.1~pre2-1) experimental; urgency=low
tinc-1.1 has separate control utility, tinc (without the d), which is now
used to start/stop tinc instances, to reload configuration, to get various
information about running tincd (including dump of nodes and connections)
and so on. tincd still reacts to some signals as before, but this usage is
deprecated. In particular, -k option is now gone. Also, node/connection/etc
dumps are produced on tincctl stdout, not into syslog.
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 07 Aug 2011 13:16:17 +0400

78
debian/README.Debian vendored Normal file
View file

@ -0,0 +1,78 @@
tinc for Debian
---------------
The manual for tinc is also available as info pages, type `info tinc'
to read it.
There are several ways in which tinc may be automatically started at boot:
Systemd
-------
Since 1.1~pre11-1, the tinc package comes with native systemd service files.
To enable and start a net, call:
systemctl enable tinc@<netname>
systemctl start tinc@<netname>
This will cause a tincd to be started which uses the configuration from
/etc/tinc/<netname>, and also makes sure that it will be started next time your
system boots.
Apart from controlling individual instances, you can also start/stop/reload all
enabled instances simultaneously by omitting @<netname>, for example:
systemctl reload tinc
Note that when you have systemd installed on your system, the file
/etc/tinc/nets.boot will not be used anymore to automatically start tinc
daemons. If the variable EXTRA is defined in /etc/default/tinc, it will be
passed on to tinc. The variable LIMITS is however not used.
The service files that come with this package start tinc unconditionally.
However, tinc does support socket activation. If you wish to write a socket
unit for tinc, use the ListenStream option to specify on which port(s) and
address(es) tinc should listen.
SysVinit
--------
The system startup script for tinc, /etc/init.d/tinc, uses the file
/etc/tinc/nets.boot to find out which networks have to be started. Use one
netname per line. Lines starting with a # are ignored.
/etc/network/interfaces
-----------------------
You can create a stanza in /etc/network/interfaces, and add a line with
"tinc-net <netname>". This will cause a tincd to be started which uses the
configuration from /etc/tinc/<netname>. You can use an inet static (with
address and netmask options) or inet dhcp stanza, in which case the ifup will
configure the VPN interface and you do not need to have a tinc-up script.
The following options are also recognized and map directly to the corresponding
command line options for tincd:
tinc-config <directory>
tinc-debug <level>
tinc-mlock yes
tinc-logfile <filename>
tinc-chroot yes
tinc-user <username>
An example stanza:
iface vpn inet static
address 192.168.2.42
netmask 255.255.0.0
tinc-net myvpn
tinc-debug 1
tinc-mlock yes
tinc-user nobody
This will start a tinc daemon that reads its configuration from
/etc/tinc/myvpn, logs at debug level 1, locks itself in RAM, runs as user
nobody, and creates a network interface called "vpn". Ifup then sets the
address and netmask on that interface.
-- Guus Sliepen <guus@debian.org>, Thu, 8 January 2015, 13:37:46 +0100

663
debian/changelog vendored Normal file
View file

@ -0,0 +1,663 @@
tinc (1.1~pre18-1) experimental; urgency=medium
* New upstream release.
- The patch for EVP_DecryptUpdate is no longer necessary.
* Disable support for VDE.
-- Guus Sliepen <guus@debian.org> Sun, 27 Jun 2021 20:10:22 +0200
tinc (1.1~pre17-1.2) experimental; urgency=medium
* Non-maintainer upload.
* Add patch to fix EVP_DecryptUpdate issue. Closes: #923438
-- Don Armstrong <don@debian.org> Sun, 31 May 2020 15:11:34 -0700
tinc (1.1~pre17-1.1) experimental; urgency=medium
* Non-maintainer upload.
* Fix systemd service install path. Closes: #910618
* Fix typo in --enable-miniupnpc option.
-- Shengjing Zhu <zhsj@debian.org> Wed, 10 Oct 2018 10:58:42 +0800
tinc (1.1~pre17-1) experimental; urgency=medium
* New upstream release.
- Includes fixes for CVE-2018-16737, CVE-2018-16738.
- The GUI is no longer part of upstream, so has been removed.
* Link with the miniupnpc library.
* Bump Standards-Version.
* Bump debian/compat.
-- Guus Sliepen <guus@debian.org> Mon, 08 Oct 2018 16:32:57 +0200
tinc (1.1~pre15-1) experimental; urgency=medium
* New upstream release.
* Bump Standards-Version.
* Bump debian/compat.
* Don't use while loops checking PID files anymore, the tinc CLI will
wait properly for the daemon to start or stop. Closes: #772379, #832784
* Clean up scripts as suggested by Dominik George. Closes: #832781
* Test for /etc/default/tinc before trying to source it. Closes: #777262
-- Guus Sliepen <guus@debian.org> Tue, 05 Sep 2017 21:03:51 +0200
tinc (1.1~pre12-1) experimental; urgency=medium
* New upstream release.
* Bump Standards-Version.
* Depend on python-wxgtk3.0 for the GUI.
* Use dh --with python2.
* Add Build-Depends for dh-python.
* Update links in debian/control and debian/copyright.
-- Guus Sliepen <guus@debian.org> Sun, 24 Apr 2016 14:51:14 +0200
tinc (1.1~pre11-1) experimental; urgency=medium
* New upstream release.
* Update NEWS.Debian to reflect that tincctl has been renamed to tinc.
Closes: #729889
* Warn about incompatibility with previous 1.1preX releases, and that new
Ed25519 keys should be generated.
* Add native systemd service files.
* Automatically convert networks listed in nets.boot to systemd service
instances on upgrade.
* Don't restart tinc on upgrade for now.
-- Guus Sliepen <guus@debian.org> Thu, 08 Jan 2015 14:51:34 +0100
tinc (1.1~pre9-1) experimental; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Sun, 08 Sep 2013 18:00:28 +0200
tinc (1.1~pre8-2) experimental; urgency=low
* Run make clean after the configure step to get rid of .o files that were
accidentily left in the orig.tar.gz.
-- Guus Sliepen <guus@debian.org> Wed, 14 Aug 2013 16:13:43 +0200
tinc (1.1~pre8-1) experimental; urgency=low
* New upstream release.
- Handles whitespace between command line flags and optional arguments.
Closes: #710267
* Bump Standards-Version.
* Source /lib/lsb/init-functions in the init.d script.
* Don't use texi2html anymore, use automake's install-html target which uses
makeinfo.
-- Guus Sliepen <guus@debian.org> Wed, 14 Aug 2013 15:34:41 +0200
tinc (1.1~pre7-2) experimental; urgency=low
[ Gian Piero Carrubba ]
* Init script fails to pass extra arguments to tincd. Closes: #704701
+ Remove the '--' as it is passed unaltered to tincd, preventing it to read
trailing parameters.
+ Pass extra arguments also when restarting the daemon.
* Set process limits when started by ifupdown. Closes: #704702
[ Guus Sliepen ]
* Check whether the tincd process is still running in the if-post-down script.
Closes: #704708
-- Guus Sliepen <guus@debian.org> Wed, 01 May 2013 10:41:31 +0200
tinc (1.1~pre7-1) experimental; urgency=high
* New upstream release.
- Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
-- Guus Sliepen <guus@debian.org> Tue, 23 Apr 2013 11:37:38 +0200
tinc (1.1~pre6-1) experimental; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Wed, 20 Feb 2013 16:53:33 +0100
tinc (1.1~pre4-1) experimental; urgency=low
[ Gian Piero Carrubba ]
* Allow resource limits to be set in /etc/default/tinc. Closes: #690685
[ Guus Sliepen ]
* New upstream release.
-- Guus Sliepen <guus@debian.org> Wed, 05 Dec 2012 23:05:01 +0100
tinc (1.1~pre3-1) experimental; urgency=low
* New upstream release.
* Bump Standards-Version.
* Enable parallel builds.
* Bump debian/compat to 9, so tinc gets build with hardening flags.
* Move tinc-gui to its own package.
-- Guus Sliepen <guus@debian.org> Sun, 14 Oct 2012 23:51:21 +0200
tinc (1.1~pre2-2) experimental; urgency=low
* add forgotten build-depend on libncurses5-dev for new `tincctl top'
* add libevent-dev build dependency
* remove build dependency on gettext
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 07 Aug 2011 17:32:39 +0400
tinc (1.1~pre2-1) experimental; urgency=low
* first cut of 1.1-tobe.
Rewrote control scripts et al to use tincctl.
* build-depend on libssl >>1.0.0 to get proper EC support
* remove crypto-related symlinks from src/ in clean --
probably should go into upstream makefile instead
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 07 Aug 2011 12:57:15 +0400
tinc (1.0.19-2) unstable; urgency=low
* Fix behaviour of tinc-pidfile. Closes: #679130
* Enable parallel building in debian/rules.
-- Guus Sliepen <guus@debian.org> Tue, 26 Jun 2012 18:28:34 +0200
tinc (1.0.19-1) unstable; urgency=low
* New upstream release.
* Bump debian/compat so tinc gets built with hardening flags.
* Allow tinc-pidfile in /etc/network/interfaces.
-- Guus Sliepen <guus@debian.org> Mon, 25 Jun 2012 20:29:22 +0200
tinc (1.0.18-1) unstable; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Sun, 25 Mar 2012 18:52:15 +0200
tinc (1.0.17-1) unstable; urgency=low
* New upstream release.
* Enable support for UML and VDE.
-- Guus Sliepen <guus@debian.org> Sat, 10 Mar 2012 14:50:00 +0100
tinc (1.0.16-1) unstable; urgency=low
* New upstream release.
* Mention alarm option in /etc/init.d/tinc's usage information.
Closes: #631761
-- Guus Sliepen <guus@debian.org> Sat, 23 Jul 2011 14:37:56 +0200
tinc (1.0.15-1) unstable; urgency=low
* New upstream release.
* Send SIGALRM to running tinc daemons whenever an interface is brought up
with the ifupdown framework. Based on a patch from Joachim Breitner.
Closes: #629880
* Allow tinc daemons to be started using ifupdown.
-- Guus Sliepen <guus@debian.org> Fri, 24 Jun 2011 18:21:51 +0200
tinc (1.0.14-1) unstable; urgency=low
* New upstream release.
* Bump Standards-Version.
-- Guus Sliepen <guus@debian.org> Mon, 09 May 2011 00:25:37 +0200
tinc (1.0.13-1) unstable; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Tue, 13 Apr 2010 12:06:36 +0200
tinc (1.0.12-2) unstable; urgency=low
* Remove debconf questions. Closes: #572116
Apparently debconf may not be used to ask a question at install time and
use the answer at upgrade time. Instead of kludging around this
restriction, no questions are asked anymore, and tinc will now always be
restarted when upgrading.
* Wait up to 5 seconds for tinc daemon to stop before restarting it.
-- Guus Sliepen <guus@debian.org> Tue, 02 Mar 2010 14:01:36 +0100
tinc (1.0.12-1) unstable; urgency=low
* New upstream release.
* Bump Standards-Version.
* Migrate from CDBS to debhelper.
* Convert source package to 3.0 (quilt) format.
* Remove useless tinc.modules.
* Use init.d script from Michael Tokarev, allowing per-network arguments to
tincd.
* Remove update-rc.d calls from postinst and postrm.
* Let the init.d script depend on $remote_fs.
-- Guus Sliepen <guus@debian.org> Thu, 04 Feb 2010 00:56:45 +0100
tinc (1.0.11-1) unstable; urgency=low
* New upstream release.
* Cope with texi2html arbitrarily changing its output directory.
Closes: #552927
* Do not stop tinc when configuring a new version, just restart after
the upgrade.
-- Guus Sliepen <guus@debian.org> Sun, 01 Nov 2009 20:37:16 +0100
tinc (1.0.10-1) unstable; urgency=low
* New upstream release.
* Include Russian debconf translation. Closes: #548759
-- Guus Sliepen <guus@debian.org> Sun, 18 Oct 2009 16:31:49 +0200
tinc (1.0.9-1) unstable; urgency=low
* New upstream release.
- Binds IPv6 sockets only to IPv6. Closes: #440150
* Update copyright file. Closes: #482566
-- Guus Sliepen <guus@debian.org> Fri, 26 Dec 2008 13:25:05 +0100
tinc (1.0.8-2) unstable; urgency=low
* Include Portugese debconf translation. Closes: #434191
-- Guus Sliepen <guus@debian.org> Tue, 14 Aug 2007 13:50:27 +0200
tinc (1.0.8-1) unstable; urgency=low
* New upstream release. Closes: #173987
* Include german debconf translation. Closes: #412351
* Build-Depend on texinfo. Closes: #424209
-- Guus Sliepen <guus@debian.org> Wed, 16 May 2007 17:59:16 +0200
tinc (1.0.7-1) unstable; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Fri, 5 Jan 2007 15:55:42 +0100
tinc (1.0.6-1) unstable; urgency=low
* New upstream release.
-- Guus Sliepen <guus@debian.org> Mon, 18 Dec 2006 15:41:03 +0100
tinc (1.0.5-1) unstable; urgency=low
* New upstream release. Closes: #391610
* Add an LSB section to the init script.
-- Guus Sliepen <guus@debian.org> Tue, 14 Nov 2006 16:32:20 +0100
tinc (1.0.4-4) unstable; urgency=low
* Include swedish debconf translation. Closes: #332963
* Remove nets.boot on purge. Closes: #333303
-- Guus Sliepen <guus@debian.org> Mon, 17 Oct 2005 12:34:32 +0200
tinc (1.0.4-3) unstable; urgency=low
* Depend on debconf | debconf-2.0.
* Include vietnamese debconf translation. Closes: #322305
* Include japanese debconf translation. Closes: #319591
-- Guus Sliepen <guus@debian.org> Thu, 29 Sep 2005 11:15:34 +0200
tinc (1.0.4-2) unstable; urgency=low
* Compensate for change in texinfo's output directory. Closes: #318562
* Include Czech translation of the debconf questions. Closes: #312982
-- Guus Sliepen <guus@debian.org> Sat, 16 Jul 2005 11:42:04 +0200
tinc (1.0.4-1) unstable; urgency=low
* New upstream release. Closes: #294819
* Update french translation of debconf template. Closes: #293371, #296148
* Allow dashes in nets.boot. Closes: #296281
-- Guus Sliepen <guus@debian.org> Wed, 4 May 2005 21:56:22 +0200
tinc (1.0.3-4) unstable; urgency=low
* Call debconf early in postinst so it won't get confused by output
from other commands in the postinst script. Closes: #292920
* If MAKEDEV doesn't know about net/tun, fall back to tun.
-- Guus Sliepen <guus@debian.org> Mon, 31 Jan 2005 13:27:16 +0100
tinc (1.0.3-3) unstable; urgency=low
* Fix clean rule in debian/rules.
-- Guus Sliepen <guus@debian.org> Thu, 27 Jan 2005 23:16:59 +0000
tinc (1.0.3-2) unstable; urgency=low
* Don't check for /dev/tap* in postinst if we don't create them anyway.
* MAKEDEV expects net/tun instead of tun.
* Don't ask if /dev/net/tun should be created, just do it.
Closes: #259489, #292450
* Move $EXTRA from init.d/tinc to /etc/default/tinc. Closes: #281366
-- Guus Sliepen <guus@debian.org> Thu, 27 Jan 2005 14:10:02 +0100
tinc (1.0.3-1) unstable; urgency=low
* New upstream release.
* Adopting the package from Ivo.
* Use invoke-rc.d, and tell user to do so as well. Closes: #223276
* Let force-reload do the same thing as reload. Closes: #230180
-- Guus Sliepen <guus@debian.org> Fri, 1 Oct 2004 21:04:14 +0200
tinc (1.0.2-2) unstable; urgency=low
* debian/control: Oops, really make that automake1.7.
-- Ivo Timmermans <ivo@debian.org> Sat, 8 Nov 2003 21:53:04 +0100
tinc (1.0.2-1) unstable; urgency=low
* New upstream release:
* Fix broken replies to CHAL_RESP. (Closes: #217646)
* debian/control: Updated automake build dependency to automake1.7.
(Closes: #219360)
-- Ivo Timmermans <ivo@debian.org> Sat, 8 Nov 2003 19:56:04 +0100
tinc (1.0.1-2) unstable; urgency=low
* debian/dirs: Removed, moved contents to tinc.dirs.
(Closes: #208591)
* debian/docs: Renamed to tinc.docs.
* debian/rules: Install the contents of doc/sample-config.tar.gz in
/usr/share/doc/tinc/examples instead of /etc/tinc.
* debian/Makefile*: Removed.
-- Ivo Timmermans <ivo@debian.org> Wed, 10 Sep 2003 12:19:32 +0200
tinc (1.0.1-1) unstable; urgency=low
* New upstream release.
* debian/patches/001_openbsd_device.c.patch: Removed.
-- Ivo Timmermans <ivo@debian.org> Thu, 14 Aug 2003 17:03:28 +0200
tinc (1.0release-1) unstable; urgency=low
* New upstream version. (Closes: #204639)
* Fixes switching back to normal logging mode when killing with
SIGINT twice. (Closes: #175633)
* Uses one SSL context struct for each connection, speeding up
encrypting/decrypting data; don't throw away out of sequence
packets. (Closes: #188874)
* Fixes handling of broadcast messages. (Closes: #175632)
* debian/rules: Use cdbs.
* debian/control: Build-Depend on cdbs, liblzo-dev.
* debian/patches/001_openbsd_device.c.patch: Sync openbsd/device.c to
latest CVS version.
-- Ivo Timmermans <ivo@debian.org> Sun, 10 Aug 2003 16:13:29 +0200
tinc (1.0pre8-6) unstable; urgency=low
* debian/po/fr.po: Added French debconf translation. (Closes: #201803)
-- Ivo Timmermans <ivo@debian.org> Fri, 18 Jul 2003 10:03:20 +0200
tinc (1.0pre8-5) unstable; urgency=low
* debian/*: Change to po-debconf, thanks to From: Michel Grentzinger
<mic.grentz@online.fr> for the patch:
- change debhelper dependency to 4.1.16 (according to man
po-debconf),
- manually add nl translation in old tinc.templates (master),
- run debconf-gettextize debian/tinc.templates,
- move old templates files (debian/tinc.templates.*),
- change construction "If you say no" to "If you refuse",
* debian/rules: Call po2debconf.
* debian/rules: Don't copy COPYING.README to the package.
* debian/control: Update Standards-Version.
* debian/conffiles: Removed.
* debian/postinst: No longer use mknod directly, use MAKEDEV.
-- Ivo Timmermans <ivo@debian.org> Tue, 15 Jul 2003 20:13:47 +0200
tinc (1.0pre8-4) unstable; urgency=low
* src/net.h, src/net_packet.c, src/net_setup.c: Apply fix from CVS
for OpenSSL-related memory leaks. (Closes: #189432)
-- Ivo Timmermans <ivo@debian.org> Mon, 5 May 2003 15:00:29 +0200
tinc (1.0pre8-3) unstable; urgency=low
* m4/openssl.m4: Updated to CVS version. (Closes: #184400)
-- Ivo Timmermans <ivo@debian.org> Thu, 13 Mar 2003 17:24:42 +0100
tinc (1.0pre8-2) unstable; urgency=low
* debian/postinst: Create /dev/net/tun if it doesn't exist.
* debian/tinc.modules: Add alias for /dev/net/tun.
* debian/rules: Install tinc.modules.
* These things together: (Closes: #151967, #153156)
-- Ivo Timmermans <ivo@debian.org> Wed, 13 Nov 2002 22:45:38 +0100
tinc (1.0pre8-1) unstable; urgency=low
* New upstream version.
* debian/rules:
- DEB_BUILD_OPTIONS support.
- Enable --enable-tracing by default.
-- Ivo Timmermans <ivo@debian.org> Tue, 17 Sep 2002 13:50:44 +0200
tinc (1.0pre7-3) unstable; urgency=low
* Properly install _all_ info pages. (Closes: #144718)
-- Ivo Timmermans <ivo@debian.org> Wed, 29 May 2002 14:01:21 +0200
tinc (1.0pre7-2) unstable; urgency=low
* Dutch translation wasn't being installed.
-- Ivo Timmermans <ivo@debian.org> Thu, 11 Apr 2002 09:26:14 +0200
tinc (1.0pre7-1) unstable; urgency=medium
* New upstream release.
-- Ivo Timmermans <ivo@debian.org> Tue, 9 Apr 2002 16:04:46 +0200
tinc (1.0pre6-3) unstable; urgency=medium
* Synched with upstream CVS.
* Added build dependency on zlib1g-dev. (Closes: #141705)
-- Ivo Timmermans <ivo@debian.org> Mon, 8 Apr 2002 21:19:31 +0200
tinc (1.0pre6-2) unstable; urgency=low
* The Section was non-US again, so changed it back to main/net.
-- Ivo Timmermans <ivo@debian.org> Thu, 28 Mar 2002 07:26:10 +0100
tinc (1.0pre6-1) unstable; urgency=low
* New upstream release.
* Fixed text in debian/copyright
-- Ivo Timmermans <ivo@debian.org> Wed, 27 Mar 2002 23:10:07 +0100
tinc (1.0pre5-4) unstable; urgency=low
* Added a debconf question for restarting on upgrade.
* Added reload option to init.d, start with EXTRA='-d' default.
* Moved from non-US to main.
* Install example configuration files.
* The HTML documentation wasn't installed; fixed.
-- Ivo Timmermans <ivo@debian.org> Tue, 26 Mar 2002 20:14:19 +0100
tinc (1.0pre5-3) unstable; urgency=low
* Config variables are now treated case sentitivly again.
* Added a forgotten xstrdup.
-- Ivo Timmermans <ivo@debian.org> Fri, 15 Feb 2002 12:35:17 +0100
tinc (1.0pre5-2) unstable; urgency=low
* MaxTimeout accidentally wasn't configurable. (Closes: #119653)
-- Ivo Timmermans <ivo@debian.org> Wed, 13 Feb 2002 13:36:54 +0100
tinc (1.0pre5-1) unstable; urgency=low
* New upstream version. (Closes: #119653)
* Init script redone in sh.
-- Ivo Timmermans <ivo@debian.org> Sun, 10 Feb 2002 16:39:53 +0100
tinc (1.0pre4-1.cvs010621.6) unstable; urgency=low
* Somehow po-Makefile.in.in.diff got lost, readded. (Closes: #119157)
-- Ivo Timmermans <ivo@debian.org> Thu, 15 Nov 2001 17:00:03 +0100
tinc (1.0pre4-1.cvs010621.5) unstable; urgency=low
* Fix a typo in postinst that let it MAKEDEV even on devfs.
(Closes: #116034)
-- Ivo Timmermans <ivo@debian.org> Thu, 18 Oct 2001 09:35:16 +0200
tinc (1.0pre4-1.cvs010621.4) unstable; urgency=low
* Ask before creating the device files. (Closes: #111099)
* Add a section to the info file.
-- Ivo Timmermans <ivo@debian.org> Fri, 12 Oct 2001 20:47:09 +0200
tinc (1.0pre4-1.cvs010621.3) unstable; urgency=low
* Build and install html documentation. (Closes: #106843)
* Remove build-time dependency on libc6-dev.
-- Ivo Timmermans <ivo@debian.org> Mon, 30 Jul 2001 22:03:52 +0200
tinc (1.0pre4-1.cvs010621.2) unstable; urgency=low
* Changed location of the pidfile. (Closes: #102798)
-- Ivo Timmermans <ivo@debian.org> Sun, 1 Jul 2001 01:57:43 +0200
tinc (1.0pre4-1.cvs010621.1) unstable; urgency=low
* New upstream version. (Closes: #98730)
* Rebuilding automatically inserted new config.{sub|guess}.
(Closes: #98165)
* Updated Standards-Version.
* Don't include a sample configuration file.
-- Ivo Timmermans <ivo@debian.org> Thu, 21 Jun 2001 14:08:49 +0200
tinc (1.0pre3-5) unstable; urgency=low
* Fixed an error in the init script that prevented tinc from
starting correctly.
-- Ivo Timmermans <ivo@debian.org> Thu, 8 Feb 2001 02:45:09 +0100
tinc (1.0pre3-4) unstable; urgency=low
* Change build-depends for OpenSSL to libssl096-dev
(Closes: #84197, #84873).
-- Ivo Timmermans <ivo@debian.org> Sun, 4 Feb 2001 22:43:22 +0100
tinc (1.0pre3-3) unstable; urgency=low
* Set architecture to any (really this time!) (Closes: #80451).
* Section set to non-US
-- Ivo Timmermans <ivo@debian.org> Tue, 23 Jan 2001 22:52:53 +0100
tinc (1.0pre3-2) unstable; urgency=low
* Set architecture to any (Closes: #80451).
* Added tinc.modules with some useful module aliases.
-- Ivo Timmermans <ivo@debian.org> Sat, 13 Jan 2001 16:10:57 +0100
tinc (1.0pre3-1) unstable; urgency=low
* New upstream version (1.0pre3) (Closes: #71274).
* Better Depends and Build-Depends lines.
* Dropped dependencies on libgmp, added libssl.
* doc-base.tinc: New file.
* Deleted the file shlibs, as there on longer is a libblowfish.
* Patch po/Makefile.in.in from po-Makefile.in.in.diff if necessary.
* Use dh_perl to get accurate perl dependencies.
-- Ivo Timmermans <ivo@debian.org> Thu, 9 Nov 2000 21:58:40 +0100
tinc (1.0pre2-1.1) unstable; urgency=low
* NMU at Ivo's request as his application is being processed, and his
sponsor is based in the US.
-- J.H.M. Dassen (Ray) <jdassen@debian.org> Wed, 28 Jun 2000 21:52:30 +0200
tinc (1.0pre2-1) unstable; urgency=low
* postinst creates a file /etc/tinc/nets.boot, containing all networks
to be started upon system startup;
* init.d script starts all networks from that list.
* postinst script creates tap devices.
-- Ivo Timmermans <itimmermans@bigfoot.com> Tue, 16 May 2000 00:06:25 +0200
tinc (1.0pre1-0.4) unstable; urgency=low
* postinst script.
-- Ivo Timmermans <itimmermans@bigfoot.com> Mon, 15 May 2000 19:22:05 +0200
tinc (1.0pre1-0.3) unstable; urgency=low
* system startup script.
-- Ivo Timmermans <itimmermans@bigfoot.com> Sun, 14 May 2000 22:58:02 +0200
tinc (1.0pre1-0.2) unstable; urgency=low
* Included the blowfish license.
-- Ivo Timmermans <itimmermans@bigfoot.com> Fri, 21 Apr 2000 17:07:50 +0200
tinc (1.0pre1-0.1) unstable; urgency=low
* Initial Release.
-- Ivo Timmermans <itimmermans@bigfoot.com> Fri, 21 Apr 2000 17:07:50 +0200

1
debian/compat vendored Normal file
View file

@ -0,0 +1 @@
11

16
debian/control vendored Normal file
View file

@ -0,0 +1,16 @@
Source: tinc
Section: net
Priority: optional
Maintainer: Guus Sliepen <guus@debian.org>
Standards-Version: 4.2.1
Build-Depends: libssl-dev (>>1.0.0), debhelper (>= 11), texinfo, zlib1g-dev, liblzo2-dev, libncurses5-dev, libreadline-dev, libminiupnpc-dev, quilt
Homepage: https://www.tinc-vpn.org/
Package: tinc
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Virtual Private Network daemon
tinc is a daemon with which you can create a virtual private network
(VPN). One daemon can handle multiple connections, so you can
create an entire (moderately sized) VPN with only one daemon per
participating computer.

34
debian/copyright vendored Normal file
View file

@ -0,0 +1,34 @@
This package was debianized by Ivo Timmermans <ivo@debian.org> on
Fri, 21 Apr 2000 17:07:50 +0200.
It was downloaded from https://www.tinc-vpn.org/
Upstream Authors:
Guus Sliepen <guus@tinc-vpn.org>
Ivo Timmermans
Copyright (C) 1998-2005 Ivo Timmermans
1998-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
On Debian GNU/Linux systems, the complete text of the GNU General Public
License version 2 can be found in /usr/share/common-licenses/GPL-2.
The following applies to tinc:
This program is released under the GPL with the additional exemption
that compiling, linking, and/or using OpenSSL is allowed. You may
provide binary packages linked to the OpenSSL libraries, provided that
all other requirements of the GPL are met.
The following applies to the LZO library:
Hereby I grant a special exception to the tinc VPN project
(https://wwww.tinc-vpn.org/) to link the LZO library with the OpenSSL library
(https://openssl.org).
Markus F.X.J. Oberhumer

10
debian/doc-base.tinc vendored Normal file
View file

@ -0,0 +1,10 @@
Document: tinc
Title: tinc Manual
Author: Ivo Timmermans, Guus Sliepen
Abstract: This manual describes how to set up a Virtual Private
Network with tinc.
Section: System/Security
Format: HTML
Files: /usr/share/doc/tinc/tinc.html/*
Index: /usr/share/doc/tinc/tinc.html/index.html

1
debian/info vendored Normal file
View file

@ -0,0 +1 @@
doc/tinc.info

View file

@ -0,0 +1,879 @@
From cc521f3d5f3a0c758163c871e75f5e533e86771b Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon, 2 Aug 2021 23:53:13 +0200
Subject: [PATCH 01/10] Add AES-256-GCM support to SPTPS.
This also adds a simple cipher suite negotiation, where peers announce the
ciphers they support, and their preferred cipher. Since we need to bump the
SPTPS version anyway, also prefer little endian over network byte order.
---
doc/SPTPS | 45 +++++--
src/invitation.c | 11 +-
src/protocol_auth.c | 25 +++-
src/protocol_key.c | 30 ++++-
src/sptps.c | 310 +++++++++++++++++++++++++++++++++-----------
src/sptps.h | 44 ++++++-
src/sptps_test.c | 13 +-
7 files changed, 382 insertions(+), 96 deletions(-)
diff --git a/doc/SPTPS b/doc/SPTPS
index 2d8fee5b..2da27604 100644
--- a/doc/SPTPS
+++ b/doc/SPTPS
@@ -18,8 +18,8 @@ Stream record layer
A record consists of these fields:
-- uint32_t seqno (network byte order)
-- uint16_t length (network byte order)
+- uint32_t seqno (little endian)
+- uint16_t length (little endian)
- uint8_t type
- opaque data[length]
- opaque hmac[HMAC_SIZE] (HMAC over all preceding fields)
@@ -45,8 +45,8 @@ Datagram record layer
A record consists of these fields:
-- uint16_t length (network byte order)
-- uint32_t seqno (network byte order)
+- uint16_t length (little endian)
+- uint32_t seqno (little endian)
- uint8_t type
- opaque data[length]
- opaque hmac[HMAC_SIZE] (HMAC over all preceding fields)
@@ -75,7 +75,7 @@ SIG ->
...encrypt and HMAC using session keys from now on...
App ->
- <- App
+ <- App
...
...
@@ -91,7 +91,7 @@ ACK ->
...encrypt and HMAC using new session keys from now on...
App ->
- <- App
+ <- App
...
...
---------------------
@@ -102,7 +102,11 @@ connection.
Key EXchange message:
-- uint8_t kex_version (always 0 in this version of SPTPS)
+- uint8_t kex_version (always 1 in this version of SPTPS)
+- uint8_t
+ - high 4 bits: public key algorithm
+ - low 4 bits: preferred cipher suite
+- uint16_t bitmask of cipher suites supported
- opaque nonce[32] (random number)
- opaque ecdh_key[ECDH_SIZE]
@@ -162,9 +166,34 @@ The expanded key is used as follows:
Where initiator_cipher_key is the key used by session initiator to encrypt
messages sent to the responder.
+Public key suites
+-----------------
+
+0: Ed25519 + SHA512
+1: Ed448 + SHAKE256?
+
+Symmetric cipher suites
+-----------------------
+
+Value in parentheses is the static priority used to break ties in cipher suite
+negotiation. We favor those algorithms that run faster without hardware
+acceleration.
+
+0: Chacha20-Poly1305 (1)
+1: AES256-GCM (0)
+
+Cipher suite selection
+----------------------
+
+Public key suites are required to match on both sides. The symmetric suite is chosen as follows:
+
+1. AND the supported cipher suite bitmasks
+2. If both preferred cipher suites are possible, choose the one with the highest static priority.
+3. If only one is possible, choose that one.
+4. If none is possible, choose the suite from the resulting bitmask that has the highest static priority.
+
TODO:
-----
- Document format of ECDH public key, ECDSA signature
-- Document how CTR mode is used
- Refer to TLS RFCs where appropriate
diff --git a/src/invitation.c b/src/invitation.c
index cff9e727..6c49af48 100644
--- a/src/invitation.c
+++ b/src/invitation.c
@@ -1399,7 +1399,16 @@ next:
}
// Start an SPTPS session
- if(!sptps_start(&sptps, NULL, true, false, key, hiskey, "tinc invitation", 15, invitation_send, invitation_receive)) {
+ sptps_params_t params = {
+ .initiator = true,
+ .mykey = key,
+ .hiskey = hiskey,
+ .label = "tinc invitation",
+ .send_data = invitation_send,
+ .receive_record = invitation_receive,
+ };
+
+ if(!sptps_start(&sptps, &params)) {
ecdsa_free(hiskey);
ecdsa_free(key);
return 1;
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 22254575..050b266c 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -412,7 +412,17 @@ bool id_h(connection_t *c, const char *request) {
c->protocol_minor = 2;
- return sptps_start(&c->sptps, c, false, false, invitation_key, c->ecdsa, "tinc invitation", 15, send_meta_sptps, receive_invitation_sptps);
+ sptps_params_t params = {
+ .handle = c,
+ .initiator = false,
+ .mykey = invitation_key,
+ .hiskey = c->ecdsa,
+ .label = "tinc invitation",
+ .send_data = send_meta_sptps,
+ .receive_record = receive_invitation_sptps,
+ };
+
+ return sptps_start(&c->sptps, &params);
}
/* Check if identity is a valid name */
@@ -507,7 +517,18 @@ bool id_h(connection_t *c, const char *request) {
snprintf(label, labellen, "tinc TCP key expansion %s %s", c->name, myself->name);
}
- return sptps_start(&c->sptps, c, c->outgoing, false, myself->connection->ecdsa, c->ecdsa, label, labellen, send_meta_sptps, receive_meta_sptps);
+ sptps_params_t params = {
+ .handle = c,
+ .initiator = c->outgoing,
+ .mykey = myself->connection->ecdsa,
+ .hiskey = c->ecdsa,
+ .label = label,
+ .labellen = sizeof(label),
+ .send_data = send_meta_sptps,
+ .receive_record = receive_meta_sptps,
+ };
+
+ return sptps_start(&c->sptps, &params);
} else {
return send_metakey(c);
}
diff --git a/src/protocol_key.c b/src/protocol_key.c
index 740d2fb4..da53c16c 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -128,7 +128,20 @@ bool send_req_key(node_t *to) {
to->status.waitingforkey = true;
to->last_req_key = now.tv_sec;
to->incompression = myself->incompression;
- return sptps_start(&to->sptps, to, true, true, myself->connection->ecdsa, to->ecdsa, label, labellen, send_initial_sptps_data, receive_sptps_record);
+
+ sptps_params_t params = {
+ .handle = to,
+ .initiator = true,
+ .datagram = true,
+ .mykey = myself->connection->ecdsa,
+ .hiskey = to->ecdsa,
+ .label = label,
+ .labellen = sizeof(label),
+ .send_data = send_initial_sptps_data,
+ .receive_record = receive_sptps_record,
+ };
+
+ return sptps_start(&to->sptps, &params);
}
return send_request(to->nexthop->connection, "%d %s %s", REQ_KEY, myself->name, to->name);
@@ -249,7 +262,20 @@ static bool req_key_ext_h(connection_t *c, const char *request, node_t *from, no
from->status.validkey = false;
from->status.waitingforkey = true;
from->last_req_key = now.tv_sec;
- sptps_start(&from->sptps, from, false, true, myself->connection->ecdsa, from->ecdsa, label, labellen, send_sptps_data_myself, receive_sptps_record);
+
+ sptps_params_t params = {
+ .handle = from,
+ .initiator = false,
+ .datagram = true,
+ .mykey = myself->connection->ecdsa,
+ .hiskey = from->ecdsa,
+ .label = label,
+ .labellen = sizeof(label),
+ .send_data = send_sptps_data_myself,
+ .receive_record = receive_sptps_record,
+ };
+
+ sptps_start(&from->sptps, &params);
sptps_receive_data(&from->sptps, buf, len);
send_mtu_info(myself, from, MTU);
return true;
diff --git a/src/sptps.c b/src/sptps.c
index a0483c34..33c41424 100644
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -28,6 +28,10 @@
#include "sptps.h"
#include "random.h"
+#ifdef HAVE_OPENSSL
+#include <openssl/evp.h>
+#endif
+
unsigned int sptps_replaywin = 16;
/*
@@ -90,25 +94,159 @@ static void warning(sptps_t *s, const char *format, ...) {
va_end(ap);
}
+static bool cipher_init(uint8_t suite, void **ctx, const uint8_t *key, bool key_half) {
+ switch(suite) {
+ case SPTPS_CHACHA_POLY1305:
+ *ctx = chacha_poly1305_init();
+ return ctx && chacha_poly1305_set_key(*ctx, key + (key_half ? CHACHA_POLY1305_KEYLEN : 0));
+
+ case SPTPS_AES256_GCM:
+#ifdef HAVE_OPENSSL
+ *ctx = EVP_CIPHER_CTX_new();
+
+ if(!ctx) {
+ return false;
+ }
+
+ return EVP_EncryptInit_ex(*ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)
+ && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 4, NULL)
+ && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? 32 : 0), key);
+#endif
+
+ default:
+ return false;
+ }
+}
+
+static void cipher_exit(uint8_t suite, void *ctx) {
+ switch(suite) {
+ case SPTPS_CHACHA_POLY1305:
+ chacha_poly1305_exit(ctx);
+ break;
+
+ case SPTPS_AES256_GCM:
+#ifdef HAVE_OPENSSL
+ EVP_CIPHER_CTX_free(ctx);
+ break;
+#endif
+
+ default:
+ break;
+ }
+}
+
+static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
+ switch(suite) {
+ case SPTPS_CHACHA_POLY1305:
+ chacha_poly1305_encrypt(ctx, seqno, in, inlen, out, outlen);
+ return true;
+
+ case SPTPS_AES256_GCM:
+#ifdef HAVE_OPENSSL
+ {
+ if(!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
+ return false;
+ }
+
+ int outlen1 = 0, outlen2 = 0;
+
+ if(!EVP_EncryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
+ return false;
+ }
+
+ if(!EVP_EncryptFinal_ex(ctx, out + outlen1, &outlen2)) {
+ return false;
+ }
+
+ outlen1 += outlen2;
+
+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, out + outlen1)) {
+ return false;
+ }
+
+ outlen1 += 16;
+
+ if(outlen) {
+ *outlen = outlen1;
+ }
+
+ return true;
+ }
+
+#endif
+
+ default:
+ return false;
+ }
+}
+
+static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
+ switch(suite) {
+ case SPTPS_CHACHA_POLY1305:
+ return chacha_poly1305_decrypt(ctx, seqno, in, inlen, out, outlen);
+
+ case SPTPS_AES256_GCM:
+#ifdef HAVE_OPENSSL
+ {
+ if(inlen < 16) {
+ return false;
+ }
+
+ inlen -= 16;
+
+ if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
+ return false;
+ }
+
+ int outlen1 = 0, outlen2 = 0;
+
+ if(!EVP_DecryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
+ return false;
+ }
+
+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void *)(in + inlen))) {
+ return false;
+ }
+
+ if(!EVP_DecryptFinal_ex(ctx, out + outlen1, &outlen2)) {
+ return false;
+ }
+
+ if(outlen) {
+ *outlen = outlen1 + outlen2;
+ }
+
+ return true;
+ }
+
+#endif
+
+ default:
+ return false;
+ }
+}
+
+
// Send a record (datagram version, accepts all record types, handles encryption and authentication).
static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
- uint8_t *buffer = alloca(len + 21UL);
-
+ uint8_t *buffer = alloca(len + SPTPS_DATAGRAM_OVERHEAD);
// Create header with sequence number, length and record type
uint32_t seqno = s->outseqno++;
- uint32_t netseqno = ntohl(seqno);
- memcpy(buffer, &netseqno, 4);
+ memcpy(buffer, &seqno, 4);
buffer[4] = type;
memcpy(buffer + 5, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
- return s->send_data(s->handle, type, buffer, len + 21UL);
+ if(!cipher_encrypt(s->cipher_suite, s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL)) {
+ return error(s, EINVAL, "Failed to encrypt message");
+ }
+
+ return s->send_data(s->handle, type, buffer, len + SPTPS_DATAGRAM_OVERHEAD);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer, len + 5UL);
+ return s->send_data(s->handle, type, buffer, len + SPTPS_DATAGRAM_HEADER);
}
}
// Send a record (private version, accepts all record types, handles encryption and authentication).
@@ -117,11 +255,11 @@ static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_
return send_record_priv_datagram(s, type, data, len);
}
- uint8_t *buffer = alloca(len + 19UL);
+ uint8_t *buffer = alloca(len + SPTPS_OVERHEAD);
// Create header with sequence number, length and record type
uint32_t seqno = s->outseqno++;
- uint16_t netlen = htons(len);
+ uint16_t netlen = len;
memcpy(buffer, &netlen, 2);
buffer[2] = type;
@@ -129,11 +267,14 @@ static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
- return s->send_data(s->handle, type, buffer, len + 19UL);
+ if(!cipher_encrypt(s->cipher_suite, s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL)) {
+ return error(s, EINVAL, "Failed to encrypt message");
+ }
+
+ return s->send_data(s->handle, type, buffer, len + SPTPS_OVERHEAD);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer, len + 3UL);
+ return s->send_data(s->handle, type, buffer, len + SPTPS_HEADER);
}
}
@@ -161,7 +302,7 @@ static bool send_kex(sptps_t *s) {
return false;
}
- s->mykex = realloc(s->mykex, 1 + 32 + keylen);
+ s->mykex = realloc(s->mykex, 4 + 32 + keylen);
if(!s->mykex) {
return error(s, errno, strerror(errno));
@@ -169,16 +310,18 @@ static bool send_kex(sptps_t *s) {
// Set version byte to zero.
s->mykex[0] = SPTPS_VERSION;
+ s->mykex[1] = s->preferred_suite;
+ memcpy(s->mykex + 2, &s->cipher_suites, 2);
// Create a random nonce.
- randomize(s->mykex + 1, 32);
+ randomize(s->mykex + 4, 32);
// Create a new ECDH public key.
- if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
+ if(!(s->ecdh = ecdh_generate_public(s->mykex + 4 + 32))) {
return error(s, EINVAL, "Failed to generate ECDH public key");
}
- return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
+ return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 4 + 32 + keylen);
}
// Send a SIGnature record, containing an Ed25519 signature over both KEX records.
@@ -192,9 +335,9 @@ static bool send_sig(sptps_t *s) {
uint8_t *sig = alloca(siglen);
msg[0] = s->initiator;
- memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
- memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
- memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
+ memcpy(msg + 1, s->mykex, 4 + 32 + keylen);
+ memcpy(msg + 1 + (4 + 32 + keylen), s->hiskex, 4 + 32 + keylen);
+ memcpy(msg + 1 + 2 * (4 + 32 + keylen), s->label, s->labellen);
// Sign the result.
if(!ecdsa_sign(s->mykey, msg, msglen, sig)) {
@@ -207,16 +350,6 @@ static bool send_sig(sptps_t *s) {
// Generate key material from the shared secret created from the ECDHE key exchange.
static bool generate_key_material(sptps_t *s, const uint8_t *shared, size_t len) {
- // Initialise cipher and digest structures if necessary
- if(!s->outstate) {
- s->incipher = chacha_poly1305_init();
- s->outcipher = chacha_poly1305_init();
-
- if(!s->incipher || !s->outcipher) {
- return error(s, EINVAL, "Failed to open cipher");
- }
- }
-
// Allocate memory for key material
size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
@@ -261,14 +394,8 @@ static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
return error(s, EIO, "Invalid ACK record length");
}
- if(s->initiator) {
- if(!chacha_poly1305_set_key(s->incipher, s->key)) {
- return error(s, EINVAL, "Failed to set counter");
- }
- } else {
- if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
- return error(s, EINVAL, "Failed to set counter");
- }
+ if(!cipher_init(s->cipher_suite, &s->incipher, s->key, s->initiator)) {
+ return error(s, EINVAL, "Failed to initialize cipher");
}
free(s->key);
@@ -278,14 +405,51 @@ static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
return true;
}
+static uint8_t select_cipher_suite(uint16_t mask, uint8_t pref1, uint8_t pref2) {
+ // Check if there is a viable preference, if so select the lowest one
+ uint8_t selection = 255;
+
+ if(mask & (1U << pref1)) {
+ selection = pref1;
+ }
+
+ if(pref2 < selection && (mask & (1U << pref2))) {
+ selection = pref2;
+ }
+
+ // Otherwise, select the lowest cipher suite both sides support
+ if(selection == 255) {
+ selection = 0;
+
+ while(!(mask & 1U)) {
+ selection++;
+ mask >>= 1;
+ }
+ }
+
+ return selection;
+}
+
// Receive a Key EXchange record, respond by sending a SIG record.
static bool receive_kex(sptps_t *s, const uint8_t *data, uint16_t len) {
// Verify length of the HELLO record
- if(len != 1 + 32 + ECDH_SIZE) {
+ if(len != 4 + 32 + ECDH_SIZE) {
return error(s, EIO, "Invalid KEX record length");
}
- // Ignore version number for now.
+ if(data[0] != SPTPS_VERSION) {
+ return error(s, EIO, "Incompatible SPTPS version");
+ }
+
+ uint16_t suites;
+ memcpy(&suites, data + 2, 2);
+ suites &= s->cipher_suites;
+
+ if(!suites) {
+ return error(s, EIO, "No matching cipher suites");
+ }
+
+ s->cipher_suite = select_cipher_suite(suites, s->preferred_suite, data[1] & 0xf);
// Make a copy of the KEX message, send_sig() and receive_sig() need it
if(s->hiskex) {
@@ -322,9 +486,9 @@ static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
uint8_t *msg = alloca(msglen);
msg[0] = !s->initiator;
- memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
- memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
- memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
+ memcpy(msg + 1, s->hiskex, 4 + 32 + keylen);
+ memcpy(msg + 1 + (4 + 32 + keylen), s->mykex, 4 + 32 + keylen);
+ memcpy(msg + 1 + 2 * (4 + 32 + keylen), s->label, s->labellen);
// Verify signature.
if(!ecdsa_verify(s->hiskey, msg, msglen, data)) {
@@ -334,7 +498,7 @@ static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
// Compute shared secret.
uint8_t shared[ECDH_SHARED_SIZE];
- if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
+ if(!ecdh_compute_shared(s->ecdh, s->hiskex + 4 + 32, shared)) {
return error(s, EINVAL, "Failed to compute ECDH shared secret");
}
@@ -360,15 +524,8 @@ static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
return false;
}
- // TODO: only set new keys after ACK has been set/received
- if(s->initiator) {
- if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
- return error(s, EINVAL, "Failed to set key");
- }
- } else {
- if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
- return error(s, EINVAL, "Failed to set key");
- }
+ if(!cipher_init(s->cipher_suite, &s->outcipher, s->key, !s->initiator)) {
+ return error(s, EINVAL, "Failed to initialize cipher");
}
return true;
@@ -518,15 +675,13 @@ bool sptps_verify_datagram(sptps_t *s, const void *vdata, size_t len) {
const uint8_t *data = vdata;
uint32_t seqno;
memcpy(&seqno, data, 4);
- seqno = ntohl(seqno);
if(!sptps_check_seqno(s, seqno, false)) {
return false;
}
uint8_t *buffer = alloca(len);
- size_t outlen;
- return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
+ return cipher_decrypt(s->cipher_suite, s->incipher, seqno, data + 4, len - 4, buffer, NULL);
}
// Receive incoming data, datagram version.
@@ -537,7 +692,6 @@ static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t
uint32_t seqno;
memcpy(&seqno, data, 4);
- seqno = ntohl(seqno);
data += 4;
len -= 4;
@@ -563,7 +717,7 @@ static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t
uint8_t *buffer = alloca(len);
size_t outlen;
- if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
+ if(!cipher_decrypt(s->cipher_suite, s->incipher, seqno, data, len, buffer, &outlen)) {
return error(s, EIO, "Failed to decrypt and verify packet");
}
@@ -635,10 +789,9 @@ size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
// Get the length bytes
memcpy(&s->reclen, s->inbuf, 2);
- s->reclen = ntohs(s->reclen);
// If we have the length bytes, ensure our buffer can hold the whole request.
- s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
+ s->inbuf = realloc(s->inbuf, s->reclen + SPTPS_OVERHEAD);
if(!s->inbuf) {
return error(s, errno, strerror(errno));
@@ -651,7 +804,7 @@ size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
}
// Read up to the end of the record.
- size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
+ size_t toread = s->reclen + (s->instate ? SPTPS_OVERHEAD : SPTPS_HEADER) - s->buflen;
if(toread > len) {
toread = len;
@@ -662,7 +815,7 @@ size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
s->buflen += toread;
// If we don't have a whole record, exit.
- if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
+ if(s->buflen < s->reclen + (s->instate ? SPTPS_OVERHEAD : SPTPS_HEADER)) {
return total_read;
}
@@ -672,13 +825,13 @@ size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
// Check HMAC and decrypt.
if(s->instate) {
- if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
+ if(!cipher_decrypt(s->cipher_suite, s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
return error(s, EINVAL, "Failed to decrypt and verify record");
}
}
// Append a NULL byte for safety.
- s->inbuf[s->reclen + 3UL] = 0;
+ s->inbuf[s->reclen + SPTPS_HEADER] = 0;
uint8_t type = s->inbuf[2];
@@ -704,16 +857,18 @@ size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
}
// Start a SPTPS session.
-bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
+bool sptps_start(sptps_t *s, const sptps_params_t *params) {
// Initialise struct sptps
memset(s, 0, sizeof(*s));
- s->handle = handle;
- s->initiator = initiator;
- s->datagram = datagram;
- s->mykey = mykey;
- s->hiskey = hiskey;
+ s->handle = params->handle;
+ s->initiator = params->initiator;
+ s->datagram = params->datagram;
+ s->mykey = params->mykey;
+ s->hiskey = params->hiskey;
s->replaywin = sptps_replaywin;
+ s->cipher_suites = params->cipher_suites ? params->cipher_suites & SPTPS_ALL_CIPHER_SUITES : SPTPS_ALL_CIPHER_SUITES;
+ s->preferred_suite = params->preferred_suite;
if(s->replaywin) {
s->late = malloc(s->replaywin);
@@ -725,13 +880,16 @@ bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_
memset(s->late, 0, s->replaywin);
}
- s->label = malloc(labellen);
+ s->labellen = params->labellen ? params->labellen : strlen(params->label);
+ s->label = malloc(s->labellen);
if(!s->label) {
return error(s, errno, strerror(errno));
}
- if(!datagram) {
+ memcpy(s->label, params->label, s->labellen);
+
+ if(!s->datagram) {
s->inbuf = malloc(7);
if(!s->inbuf) {
@@ -741,11 +899,9 @@ bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_
s->buflen = 0;
}
- memcpy(s->label, label, labellen);
- s->labellen = labellen;
- s->send_data = send_data;
- s->receive_record = receive_record;
+ s->send_data = params->send_data;
+ s->receive_record = params->receive_record;
// Do first KEX immediately
s->state = SPTPS_KEX;
@@ -755,8 +911,8 @@ bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_
// Stop a SPTPS session.
bool sptps_stop(sptps_t *s) {
// Clean up any resources.
- chacha_poly1305_exit(s->incipher);
- chacha_poly1305_exit(s->outcipher);
+ cipher_exit(s->cipher_suite, s->incipher);
+ cipher_exit(s->cipher_suite, s->outcipher);
ecdh_free(s->ecdh);
free(s->inbuf);
free(s->mykex);
diff --git a/src/sptps.h b/src/sptps.h
index 96edc366..b9ec11fd 100644
--- a/src/sptps.h
+++ b/src/sptps.h
@@ -26,7 +26,7 @@
#include "ecdh.h"
#include "ecdsa.h"
-#define SPTPS_VERSION 0
+#define SPTPS_VERSION 1
// Record types
#define SPTPS_HANDSHAKE 128 // Key exchange and authentication
@@ -34,7 +34,10 @@
#define SPTPS_CLOSE 130 // Application closed the connection
// Overhead for datagrams
-#define SPTPS_DATAGRAM_OVERHEAD 21
+static const size_t SPTPS_OVERHEAD = 19;
+static const size_t SPTPS_HEADER = 3;
+static const size_t SPTPS_DATAGRAM_OVERHEAD = 21;
+static const size_t SPTPS_DATAGRAM_HEADER = 5;
typedef bool (*send_data_t)(void *handle, uint8_t type, const void *data, size_t len);
typedef bool (*receive_record_t)(void *handle, uint8_t type, const void *data, uint16_t len);
@@ -47,9 +50,40 @@ typedef enum sptps_state_t {
SPTPS_ACK = 4, // Waiting for an ACKnowledgement record
} sptps_state_t;
+// Public key suites
+enum {
+ SPTPS_ED25519 = 0,
+};
+
+// Cipher suites
+enum {
+ SPTPS_CHACHA_POLY1305 = 0,
+ SPTPS_AES256_GCM = 1,
+ SPTPS_ALL_CIPHER_SUITES = 0x3,
+};
+
+typedef struct sptps_params {
+ void *handle;
+ bool initiator;
+ bool datagram;
+ uint8_t preferred_suite;
+ uint16_t cipher_suites;
+ ecdsa_t *mykey;
+ ecdsa_t *hiskey;
+ const void *label;
+ size_t labellen;
+ send_data_t send_data;
+ receive_record_t receive_record;
+} sptps_params_t;
+
typedef struct sptps {
bool initiator;
bool datagram;
+ uint8_t preferred_suite;
+ uint16_t cipher_suites;
+
+ uint8_t pk_suite;
+ uint8_t cipher_suite;
sptps_state_t state;
uint8_t *inbuf;
@@ -57,7 +91,7 @@ typedef struct sptps {
uint16_t reclen;
bool instate;
- chacha_poly1305_ctx_t *incipher;
+ void *incipher;
uint32_t inseqno;
uint32_t received;
unsigned int replaywin;
@@ -65,7 +99,7 @@ typedef struct sptps {
uint8_t *late;
bool outstate;
- chacha_poly1305_ctx_t *outcipher;
+ void *outcipher;
uint32_t outseqno;
ecdsa_t *mykey;
@@ -87,7 +121,7 @@ extern unsigned int sptps_replaywin;
extern void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap);
extern void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap);
extern void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap);
-extern bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record);
+extern bool sptps_start(sptps_t *s, const struct sptps_params *params);
extern bool sptps_stop(sptps_t *s);
extern bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len);
extern size_t sptps_receive_data(sptps_t *s, const void *data, size_t len);
diff --git a/src/sptps_test.c b/src/sptps_test.c
index 249f2e4f..e77ab9c7 100644
--- a/src/sptps_test.c
+++ b/src/sptps_test.c
@@ -562,7 +562,18 @@ static int run_test(int argc, char *argv[]) {
sptps_t s;
- if(!sptps_start(&s, &sock, initiator, datagram, mykey, hiskey, "sptps_test", 10, send_data, receive_record)) {
+ sptps_params_t params = {
+ .handle = &sock,
+ .initiator = initiator,
+ .datagram = datagram,
+ .mykey = mykey,
+ .hiskey = hiskey,
+ .label = "sptps_test",
+ .send_data = send_data,
+ .receive_record = receive_record,
+ };
+
+ if(!sptps_start(&s, &params)) {
free(mykey);
free(hiskey);
return 1;
--
2.36.0

View file

@ -0,0 +1,91 @@
From 1d0eea4899f9642a3945c07b9266e660b9f9ce71 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue, 3 Aug 2021 00:38:37 +0200
Subject: [PATCH 02/10] Add cipher suite selection options to sptps_test.
---
src/sptps_test.c | 38 +++++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/src/sptps_test.c b/src/sptps_test.c
index e77ab9c7..32ed62d3 100644
--- a/src/sptps_test.c
+++ b/src/sptps_test.c
@@ -127,6 +127,8 @@ static struct option const long_options[] = {
{"replay-window", required_argument, NULL, 'W'},
{"special", no_argument, NULL, 's'},
{"verbose", required_argument, NULL, 'v'},
+ {"cipher-suites", required_argument, NULL, 'M'},
+ {"preferred-cipher", required_argument, NULL, 'P'},
{"help", no_argument, NULL, 1},
{NULL, 0, NULL, 0}
};
@@ -136,19 +138,21 @@ static void usage(void) {
"Usage: %s [options] my_ed25519_key_file his_ed25519_key_file [host] port\n"
"\n"
"Valid options are:\n"
- " -d, --datagram Enable datagram mode.\n"
- " -q, --quit Quit when EOF occurs on stdin.\n"
- " -r, --readonly Only send data from the socket to stdout.\n"
+ " -d, --datagram Enable datagram mode.\n"
+ " -q, --quit Quit when EOF occurs on stdin.\n"
+ " -r, --readonly Only send data from the socket to stdout.\n"
#ifdef HAVE_LINUX
- " -t, --tun Use a tun device instead of stdio.\n"
+ " -t, --tun Use a tun device instead of stdio.\n"
#endif
- " -w, --writeonly Only send data from stdin to the socket.\n"
- " -L, --packet-loss RATE Fake packet loss of RATE percent.\n"
- " -R, --replay-window N Set replay window to N bytes.\n"
- " -s, --special Enable special handling of lines starting with #, ^ and $.\n"
- " -v, --verbose Display debug messages.\n"
- " -4 Use IPv4.\n"
- " -6 Use IPv6.\n"
+ " -w, --writeonly Only send data from stdin to the socket.\n"
+ " -L, --packet-loss RATE Fake packet loss of RATE percent.\n"
+ " -R, --replay-window N Set replay window to N bytes.\n"
+ " -M, --cipher-suites MASK Set the mask of allowed cipher suites.\n"
+ " -P, --preferred-suite N Set the preferred cipher suite.\n"
+ " -s, --special Enable special handling of lines starting with #, ^ and $.\n"
+ " -v, --verbose Display debug messages.\n"
+ " -4 Use IPv4.\n"
+ " -6 Use IPv6.\n"
"\n"
"Report bugs to tinc@tinc-vpn.org.\n";
@@ -326,6 +330,8 @@ static int run_test(int argc, char *argv[]) {
int r;
int option_index = 0;
bool quit = false;
+ unsigned long cipher_suites = SPTPS_ALL_CIPHER_SUITES;
+ unsigned long preferred_suite = 0;
while((r = getopt_long(argc, argv, "dqrstwL:W:v46", long_options, &option_index)) != EOF) {
switch(r) {
@@ -366,6 +372,14 @@ static int run_test(int argc, char *argv[]) {
sptps_replaywin = atoi(optarg);
break;
+ case 'M': /* cipher suites */
+ cipher_suites = strtoul(optarg, NULL, 0);
+ break;
+
+ case 'P': /* preferred cipher */
+ preferred_suite = strtoul(optarg, NULL, 0);
+ break;
+
case 'v': /* be verbose */
verbose = true;
break;
@@ -571,6 +585,8 @@ static int run_test(int argc, char *argv[]) {
.label = "sptps_test",
.send_data = send_data,
.receive_record = receive_record,
+ .cipher_suites = cipher_suites,
+ .preferred_suite = preferred_suite,
};
if(!sptps_start(&s, &params)) {
--
2.36.0

View file

@ -0,0 +1,285 @@
From c0f0610037847ea2abae1e7a826d36a55f9dfa36 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue, 3 Aug 2021 00:39:05 +0200
Subject: [PATCH 03/10] Let sptps_speed benchmark all cipher suites.
---
src/sptps_speed.c | 212 +++++++++++++++++++++++++++-------------------
1 file changed, 125 insertions(+), 87 deletions(-)
diff --git a/src/sptps_speed.c b/src/sptps_speed.c
index c7c6e546..45bbeb5c 100644
--- a/src/sptps_speed.c
+++ b/src/sptps_speed.c
@@ -168,22 +168,76 @@ static int run_benchmark(int argc, char *argv[]) {
fprintf(stderr, "%28.2lf op/s\n", rate);
ecdh_free(ecdh1);
- // SPTPS authentication phase
-
int fd[2];
+ struct pollfd pfd[2] = {{fd[0], POLLIN}, {fd[1], POLLIN}};
+
+ sptps_params_t params1 = {
+ .handle = fd + 0,
+ .initiator = true,
+ .datagram = false,
+ .mykey = key1,
+ .hiskey = key2,
+ .label = "sptps_speed",
+ .send_data = send_data,
+ .receive_record = receive_record,
+ };
+
+ sptps_params_t params2 = {
+ .handle = fd + 1,
+ .initiator = false,
+ .datagram = false,
+ .mykey = key2,
+ .hiskey = key1,
+ .label = "sptps_speed",
+ .send_data = send_data,
+ .receive_record = receive_record,
+ };
+
+ static const char *suite_names[] = {
+ "Chacha20-Poly1305",
+ "AES-256-GCM",
+ };
+
+ for(uint8_t suite = 0; suite < 2; suite++) {
+ fprintf(stderr, "\nCipher suite %u (%s):\n", suite, suite_names[suite]);
+ params1.preferred_suite = params2.preferred_suite = suite;
+
+ // SPTPS authentication phase
+
+ fprintf(stderr, "SPTPS/TCP authenticate for %lg seconds: ", duration);
+
+ if(socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) {
+ fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno));
+ return 1;
+ }
- if(socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) {
- fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno));
- return 1;
- }
+ pfd[0].fd = fd[0], pfd[1].fd = fd[1];
+ params1.datagram = params2.datagram = false;
- struct pollfd pfd[2] = {{fd[0], POLLIN, 0}, {fd[1], POLLIN, 0}};
+ for(clock_start(); clock_countto(duration);) {
+ sptps_start(&sptps1, &params1);
+ sptps_start(&sptps2, &params2);
- fprintf(stderr, "SPTPS/TCP authenticate for %lg seconds: ", duration);
+ while(poll(pfd, 2, 0)) {
+ if(pfd[0].revents) {
+ receive_data(&sptps1);
+ }
- for(clock_start(); clock_countto(duration);) {
- sptps_start(&sptps1, fd + 0, true, false, key1, key2, "sptps_speed", 11, send_data, receive_record);
- sptps_start(&sptps2, fd + 1, false, false, key2, key1, "sptps_speed", 11, send_data, receive_record);
+ if(pfd[1].revents) {
+ receive_data(&sptps2);
+ }
+ }
+
+ sptps_stop(&sptps1);
+ sptps_stop(&sptps2);
+ }
+
+ fprintf(stderr, "%10.2lf op/s\n", rate * 2);
+
+ // SPTPS data
+
+ sptps_start(&sptps1, &params1);
+ sptps_start(&sptps2, &params2);
while(poll(pfd, 2, 0)) {
if(pfd[0].revents) {
@@ -195,65 +249,68 @@ static int run_benchmark(int argc, char *argv[]) {
}
}
- sptps_stop(&sptps1);
- sptps_stop(&sptps2);
- }
+ fprintf(stderr, "SPTPS/TCP transmit for %lg seconds: ", duration);
- fprintf(stderr, "%10.2lf op/s\n", rate * 2);
+ for(clock_start(); clock_countto(duration);) {
+ if(!sptps_send_record(&sptps1, 0, buf1, 1451)) {
+ abort();
+ }
- // SPTPS data
+ receive_data(&sptps2);
+ }
- sptps_start(&sptps1, fd + 0, true, false, key1, key2, "sptps_speed", 11, send_data, receive_record);
- sptps_start(&sptps2, fd + 1, false, false, key2, key1, "sptps_speed", 11, send_data, receive_record);
+ rate *= 2 * 1451 * 8;
- while(poll(pfd, 2, 0)) {
- if(pfd[0].revents) {
- receive_data(&sptps1);
+ if(rate > 1e9) {
+ fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9);
+ } else if(rate > 1e6) {
+ fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6);
+ } else if(rate > 1e3) {
+ fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3);
}
- if(pfd[1].revents) {
- receive_data(&sptps2);
- }
- }
+ sptps_stop(&sptps1);
+ sptps_stop(&sptps2);
- fprintf(stderr, "SPTPS/TCP transmit for %lg seconds: ", duration);
+ close(fd[0]);
+ close(fd[1]);
- for(clock_start(); clock_countto(duration);) {
- if(!sptps_send_record(&sptps1, 0, buf1, 1451)) {
- abort();
+ // SPTPS datagram authentication phase
+
+ if(socketpair(AF_UNIX, SOCK_DGRAM, 0, fd)) {
+ fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno));
+ return 1;
}
- receive_data(&sptps2);
- }
+ pfd[0].fd = fd[0], pfd[1].fd = fd[1];
+ params1.datagram = params2.datagram = true;
- rate *= 2 * 1451 * 8;
+ fprintf(stderr, "SPTPS/UDP authenticate for %lg seconds: ", duration);
- if(rate > 1e9) {
- fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9);
- } else if(rate > 1e6) {
- fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6);
- } else if(rate > 1e3) {
- fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3);
- }
+ for(clock_start(); clock_countto(duration);) {
+ sptps_start(&sptps1, &params1);
+ sptps_start(&sptps2, &params2);
- sptps_stop(&sptps1);
- sptps_stop(&sptps2);
+ while(poll(pfd, 2, 0)) {
+ if(pfd[0].revents) {
+ receive_data(&sptps1);
+ }
- // SPTPS datagram authentication phase
+ if(pfd[1].revents) {
+ receive_data(&sptps2);
+ }
+ }
- close(fd[0]);
- close(fd[1]);
+ sptps_stop(&sptps1);
+ sptps_stop(&sptps2);
+ }
- if(socketpair(AF_UNIX, SOCK_DGRAM, 0, fd)) {
- fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno));
- return 1;
- }
+ fprintf(stderr, "%10.2lf op/s\n", rate * 2);
- fprintf(stderr, "SPTPS/UDP authenticate for %lg seconds: ", duration);
+ // SPTPS datagram data
- for(clock_start(); clock_countto(duration);) {
- sptps_start(&sptps1, fd + 0, true, true, key1, key2, "sptps_speed", 11, send_data, receive_record);
- sptps_start(&sptps2, fd + 1, false, true, key2, key1, "sptps_speed", 11, send_data, receive_record);
+ sptps_start(&sptps1, &params1);
+ sptps_start(&sptps2, &params2);
while(poll(pfd, 2, 0)) {
if(pfd[0].revents) {
@@ -265,54 +322,35 @@ static int run_benchmark(int argc, char *argv[]) {
}
}
- sptps_stop(&sptps1);
- sptps_stop(&sptps2);
- }
-
- fprintf(stderr, "%10.2lf op/s\n", rate * 2);
+ fprintf(stderr, "SPTPS/UDP transmit for %lg seconds: ", duration);
- // SPTPS datagram data
-
- sptps_start(&sptps1, fd + 0, true, true, key1, key2, "sptps_speed", 11, send_data, receive_record);
- sptps_start(&sptps2, fd + 1, false, true, key2, key1, "sptps_speed", 11, send_data, receive_record);
-
- while(poll(pfd, 2, 0)) {
- if(pfd[0].revents) {
- receive_data(&sptps1);
- }
+ for(clock_start(); clock_countto(duration);) {
+ if(!sptps_send_record(&sptps1, 0, buf1, 1451)) {
+ abort();
+ }
- if(pfd[1].revents) {
receive_data(&sptps2);
}
- }
- fprintf(stderr, "SPTPS/UDP transmit for %lg seconds: ", duration);
+ rate *= 2 * 1451 * 8;
- for(clock_start(); clock_countto(duration);) {
- if(!sptps_send_record(&sptps1, 0, buf1, 1451)) {
- abort();
+ if(rate > 1e9) {
+ fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9);
+ } else if(rate > 1e6) {
+ fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6);
+ } else if(rate > 1e3) {
+ fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3);
}
- receive_data(&sptps2);
- }
-
- rate *= 2 * 1451 * 8;
+ sptps_stop(&sptps1);
+ sptps_stop(&sptps2);
- if(rate > 1e9) {
- fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9);
- } else if(rate > 1e6) {
- fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6);
- } else if(rate > 1e3) {
- fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3);
+ close(fd[0]);
+ close(fd[1]);
}
- sptps_stop(&sptps1);
- sptps_stop(&sptps2);
-
// Clean up
- close(fd[0]);
- close(fd[1]);
ecdsa_free(key1);
ecdsa_free(key2);
--
2.36.0

View file

@ -0,0 +1,219 @@
From 9d423c31024e37655aac014662cb5bee82c26464 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon, 9 Aug 2021 21:55:09 +0200
Subject: [PATCH 04/10] If we link with OpenSSL, use it for Chacha20-Poly1305
as well.
---
src/sptps.c | 128 ++++++++++++++++++++++++++++++++--------------------
1 file changed, 78 insertions(+), 50 deletions(-)
diff --git a/src/sptps.c b/src/sptps.c
index 33c41424..55b9e5ca 100644
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -96,12 +96,26 @@ static void warning(sptps_t *s, const char *format, ...) {
static bool cipher_init(uint8_t suite, void **ctx, const uint8_t *key, bool key_half) {
switch(suite) {
+#ifndef HAVE_OPENSSL
+
case SPTPS_CHACHA_POLY1305:
*ctx = chacha_poly1305_init();
return ctx && chacha_poly1305_set_key(*ctx, key + (key_half ? CHACHA_POLY1305_KEYLEN : 0));
+#else
+
+ case SPTPS_CHACHA_POLY1305:
+ *ctx = EVP_CIPHER_CTX_new();
+
+ if(!ctx) {
+ return false;
+ }
+
+ return EVP_EncryptInit_ex(*ctx, EVP_chacha20_poly1305(), NULL, NULL, NULL)
+ && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
+ && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? CHACHA_POLY1305_KEYLEN : 0), key);
+
case SPTPS_AES256_GCM:
-#ifdef HAVE_OPENSSL
*ctx = EVP_CIPHER_CTX_new();
if(!ctx) {
@@ -109,8 +123,8 @@ static bool cipher_init(uint8_t suite, void **ctx, const uint8_t *key, bool key_
}
return EVP_EncryptInit_ex(*ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)
- && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 4, NULL)
- && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? 32 : 0), key);
+ && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
+ && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? 64 : 0), key);
#endif
default:
@@ -120,12 +134,16 @@ static bool cipher_init(uint8_t suite, void **ctx, const uint8_t *key, bool key_
static void cipher_exit(uint8_t suite, void *ctx) {
switch(suite) {
+#ifndef HAVE_OPENSSL
+
case SPTPS_CHACHA_POLY1305:
chacha_poly1305_exit(ctx);
break;
+#else
+
+ case SPTPS_CHACHA_POLY1305:
case SPTPS_AES256_GCM:
-#ifdef HAVE_OPENSSL
EVP_CIPHER_CTX_free(ctx);
break;
#endif
@@ -136,43 +154,48 @@ static void cipher_exit(uint8_t suite, void *ctx) {
}
static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
+ uint8_t nonce[12] = {seqno, seqno >> 8, seqno >> 16, seqno >> 24};
+
switch(suite) {
+#ifndef HAVE_OPENSSL
+
case SPTPS_CHACHA_POLY1305:
chacha_poly1305_encrypt(ctx, seqno, in, inlen, out, outlen);
return true;
- case SPTPS_AES256_GCM:
-#ifdef HAVE_OPENSSL
- {
- if(!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
- return false;
- }
+#else
- int outlen1 = 0, outlen2 = 0;
+ case SPTPS_CHACHA_POLY1305:
+ case SPTPS_AES256_GCM: {
+ if(!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, nonce)) {
+ return false;
+ }
- if(!EVP_EncryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
- return false;
- }
+ int outlen1 = 0, outlen2 = 0;
- if(!EVP_EncryptFinal_ex(ctx, out + outlen1, &outlen2)) {
- return false;
- }
+ if(!EVP_EncryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
+ return false;
+ }
- outlen1 += outlen2;
+ if(!EVP_EncryptFinal_ex(ctx, out + outlen1, &outlen2)) {
+ return false;
+ }
- if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, out + outlen1)) {
- return false;
- }
+ outlen1 += outlen2;
- outlen1 += 16;
+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, out + outlen1)) {
+ return false;
+ }
- if(outlen) {
- *outlen = outlen1;
- }
+ outlen1 += 16;
- return true;
+ if(outlen) {
+ *outlen = outlen1;
}
+ return true;
+ }
+
#endif
default:
@@ -181,44 +204,49 @@ static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
}
static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
+ uint8_t nonce[12] = {seqno, seqno >> 8, seqno >> 16, seqno >> 24};
+
switch(suite) {
+#ifndef HAVE_OPENSSL
+
case SPTPS_CHACHA_POLY1305:
return chacha_poly1305_decrypt(ctx, seqno, in, inlen, out, outlen);
- case SPTPS_AES256_GCM:
-#ifdef HAVE_OPENSSL
- {
- if(inlen < 16) {
- return false;
- }
+#else
- inlen -= 16;
+ case SPTPS_CHACHA_POLY1305:
+ case SPTPS_AES256_GCM: {
+ if(inlen < 16) {
+ return false;
+ }
- if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
- return false;
- }
+ inlen -= 16;
- int outlen1 = 0, outlen2 = 0;
+ if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, nonce)) {
+ return false;
+ }
- if(!EVP_DecryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
- return false;
- }
+ int outlen1 = 0, outlen2 = 0;
- if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void *)(in + inlen))) {
- return false;
- }
+ if(!EVP_DecryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
+ return false;
+ }
- if(!EVP_DecryptFinal_ex(ctx, out + outlen1, &outlen2)) {
- return false;
- }
+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void *)(in + inlen))) {
+ return false;
+ }
- if(outlen) {
- *outlen = outlen1 + outlen2;
- }
+ if(!EVP_DecryptFinal_ex(ctx, out + outlen1, &outlen2)) {
+ return false;
+ }
- return true;
+ if(outlen) {
+ *outlen = outlen1 + outlen2;
}
+ return true;
+ }
+
#endif
default:
--
2.36.0

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,117 @@
From d64b9c4a2f48ce7533e9f7a8f5f6e890764515ab Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue, 10 Aug 2021 23:08:04 +0200
Subject: [PATCH 06/10] Ensure we are compatible with LibreSSL.
---
src/sptps.c | 66 ++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 53 insertions(+), 13 deletions(-)
diff --git a/src/sptps.c b/src/sptps.c
index 33e88ed9..7c8d20b7 100644
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -107,26 +107,26 @@ static bool cipher_init(uint8_t suite, void **ctx, const uint8_t *key, bool key_
#else
case SPTPS_CHACHA_POLY1305:
- *ctx = EVP_CIPHER_CTX_new();
+#ifdef EVP_F_EVP_AEAD_CTX_INIT
+ *ctx = malloc(sizeof(EVP_AEAD_CTX));
- if(!ctx) {
- return false;
- }
+ return *ctx && EVP_AEAD_CTX_init(*ctx, EVP_aead_chacha20_poly1305(), key + (key_half ? CIPHER_KEYLEN : 0), 32, 16, NULL);
+#else
+ *ctx = EVP_CIPHER_CTX_new();
- return EVP_EncryptInit_ex(*ctx, EVP_chacha20_poly1305(), NULL, NULL, NULL)
- && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
+ return *ctx
+ && EVP_EncryptInit_ex(*ctx, EVP_chacha20_poly1305(), NULL, NULL, NULL)
+ && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL)
&& EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? CIPHER_KEYLEN : 0), key);
+#endif
case SPTPS_AES256_GCM:
*ctx = EVP_CIPHER_CTX_new();
- if(!ctx) {
- return false;
- }
-
- return EVP_EncryptInit_ex(*ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)
- && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
- && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? 64 : 0), key);
+ return *ctx
+ && EVP_EncryptInit_ex(*ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)
+ && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL)
+ && EVP_EncryptInit_ex(*ctx, NULL, NULL, key + (key_half ? CIPHER_KEYLEN : 0), key);
#endif
default:
@@ -145,6 +145,12 @@ static void cipher_exit(uint8_t suite, void *ctx) {
#else
case SPTPS_CHACHA_POLY1305:
+#ifdef EVP_F_EVP_AEAD_CTX_INIT
+ EVP_AEAD_CTX_cleanup(ctx);
+ free(ctx);
+ break;
+#endif
+
case SPTPS_AES256_GCM:
EVP_CIPHER_CTX_free(ctx);
break;
@@ -176,6 +182,23 @@ static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
#else
case SPTPS_CHACHA_POLY1305:
+#ifdef EVP_F_EVP_AEAD_CTX_INIT
+ {
+ size_t outlen1;
+
+ if(!EVP_AEAD_CTX_seal(ctx, out, &outlen1, inlen + 16, nonce, sizeof(nonce), in, inlen, NULL, 0)) {
+ return false;
+ }
+
+ if(outlen) {
+ *outlen = outlen1;
+ }
+
+ return true;
+ }
+
+#endif
+
case SPTPS_AES256_GCM: {
if(!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, nonce)) {
return false;
@@ -239,6 +262,23 @@ static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
#else
case SPTPS_CHACHA_POLY1305:
+#ifdef EVP_F_EVP_AEAD_CTX_INIT
+ {
+ size_t outlen1;
+
+ if(!EVP_AEAD_CTX_open(ctx, out, &outlen1, inlen, nonce, sizeof(nonce), in, inlen + 16, NULL, 0)) {
+ return false;
+ }
+
+ if(outlen) {
+ *outlen = outlen1;
+ }
+
+ return true;
+ }
+
+#endif
+
case SPTPS_AES256_GCM: {
if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, nonce)) {
return false;
--
2.36.0

View file

@ -0,0 +1,26 @@
From 948be5b4a813e814e36be23a63817df283e8db91 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue, 10 Aug 2021 23:08:52 +0200
Subject: [PATCH 07/10] Fix infinite loop on SPTPS errors when running
sptps_test in datagram mode.
---
src/sptps_test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/sptps_test.c b/src/sptps_test.c
index 32ed62d3..7e5977ed 100644
--- a/src/sptps_test.c
+++ b/src/sptps_test.c
@@ -721,6 +721,8 @@ static int run_test(int argc, char *argv[]) {
free(mykey);
free(hiskey);
return 1;
+ } else {
+ break;
}
}
--
2.36.0

View file

@ -0,0 +1,40 @@
From 440bf1e9e484ac9800308dafbb5089e400df3522 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun, 22 Aug 2021 22:16:42 +0200
Subject: [PATCH 08/10] Fix documentation of default cipher algorithm used for
the legacy protocol.
---
doc/tinc.conf.5.in | 2 +-
doc/tinc.texi | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index d7aa7d99..0cfdd089 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -562,7 +562,7 @@ Multiple
.Va Address
variables can be specified, in which case each address will be tried until a working
connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
diff --git a/doc/tinc.texi b/doc/tinc.texi
index 2e519d1c..ab3dca23 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1328,7 +1328,7 @@ Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying @samp{none} will turn off packet encryption.
--
2.36.0

View file

@ -0,0 +1,230 @@
From 4e64f72feb99b7933e907fb0fab93368749db779 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun, 22 Aug 2021 22:44:04 +0200
Subject: [PATCH 09/10] Make the ExperimentalProtocol option obsolete.
Remove mentions of it from the documentation, but keep supporting the
option for now, as this makes it easier to test compatibility with the
legacy protocol.
---
README.md | 8 ++++----
doc/tinc.conf.5.in | 18 +++---------------
doc/tinc.texi | 21 ++++++---------------
src/tincctl.c | 2 +-
test/integration/algorithms.py | 4 ++--
test/integration/legacy_protocol.py | 4 ++--
test/integration/splice.py | 4 ++--
7 files changed, 20 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index 11129f79..9e3a64a4 100644
--- a/README.md
+++ b/README.md
@@ -55,12 +55,12 @@ versions, the security might only be as good as that of the oldest version.
## Compatibility
-Version 1.1pre18 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.1pre18 is compatible with 1.0 and later, but not with older
versions of tinc.
-When the ExperimentalProtocol option is used, tinc is still compatible with
-1.0.X, 1.1pre11 and later, but not with any version between 1.1pre1 and
-1.1pre10.
+Note that this pre-release version of tinc 1.1 might be incompatible with older
+pre-release versions as the new cryptographic protocol might still undergo
+changes.
## Requirements
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index 0cfdd089..a5a56ed5 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -287,15 +287,6 @@ When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
.It Va Ed25519PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ed25519_key.priv Pc
The file in which the private Ed25519 key of this tinc daemon resides.
-This is only used if
-.Va ExperimentalProtocol
-is enabled.
-.It Va ExperimentalProtocol Li = yes | no Pq yes
-When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
-Ephemeral ECDH will be used for key exchanges,
-and Ed25519 will be used instead of RSA for authentication.
-When enabled, an Ed25519 key must have been generated before with
-.Nm tinc generate-ed25519-keys .
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
@@ -569,8 +560,7 @@ Furthermore, specifying
.Qq none
will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
.It Va ClampMSS Li = yes | no Pq yes
This option specifies whether tinc should clamp the maximum segment size (MSS)
of TCP packets to the path MTU. This helps in situations where ICMP
@@ -585,8 +575,7 @@ Any digest supported by LibreSSL or OpenSSL is recognised.
Furthermore, specifying
.Qq none
will turn off packet authentication.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
.It Va IndirectData Li = yes | no Pq no
When set to yes, only nodes which already have a meta connection to you
will try to establish direct communication with you.
@@ -596,8 +585,7 @@ The length of the message authentication code used to authenticate UDP packets.
Can be anything from
.Qq 0
up to the length of the digest produced by the digest algorithm.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
.It Va PMTU Li = Ar mtu Po 1514 Pc
This option controls the initial path MTU to this node.
.It Va PMTUDiscovery Li = yes | no Po yes Pc
diff --git a/doc/tinc.texi b/doc/tinc.texi
index ab3dca23..c1e62a52 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1025,15 +1025,6 @@ packets for nodes for which we do not have a meta connection with are also dropp
@cindex Ed25519PrivateKeyFile
@item Ed25519PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ed25519_key.priv})
The file in which the private Ed25519 key of this tinc daemon resides.
-This is only used if ExperimentalProtocol is enabled.
-
-@cindex ExperimentalProtocol
-@item ExperimentalProtocol = <yes|no> (yes)
-When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
-Ephemeral ECDH will be used for key exchanges,
-and Ed25519 will be used instead of RSA for authentication.
-When enabled, an Ed25519 key must have been generated before with
-@command{tinc generate-ed25519-keys}.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
@@ -1333,7 +1324,7 @@ The symmetric cipher algorithm used to encrypt UDP packets using the legacy prot
Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying @samp{none} will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
-This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
+This option only affects communication using the legacy protocol.
@cindex ClampMSS
@item ClampMSS = <yes|no> (yes)
@@ -1352,7 +1343,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
The digest algorithm used to authenticate UDP packets using the legacy protocol.
Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying @samp{none} will turn off packet authentication.
-This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
+This option only affects communication using the legacy protocol.
@cindex IndirectData
@item IndirectData = <yes|no> (no)
@@ -1365,7 +1356,7 @@ It is best to leave this option out or set it to no.
The length of the message authentication code used to authenticate UDP packets using the legacy protocol.
Can be anything from 0
up to the length of the digest produced by the digest algorithm.
-This option has no effect for connections using the SPTPS protocol, which never truncate MACs.
+This option only affects communication using the legacy protocol.
@cindex PMTU
@item PMTU = <@var{mtu}> (1514)
@@ -3030,9 +3021,9 @@ Therefore, tinc also authenticates the data.
Finally, tinc uses sequence numbers (which themselves are also authenticated) to prevent an attacker from replaying valid packets.
Since version 1.1pre3, tinc has two protocols used to protect your data; the legacy protocol, and the new Simple Peer-to-Peer Security (SPTPS) protocol.
-The SPTPS protocol is designed to address some weaknesses in the legacy protocol.
-The new authentication protocol is used when two nodes connect to each other that both have the ExperimentalProtocol option set to yes,
-otherwise the legacy protocol will be used.
+The SPTPS protocol is designed to address some weaknesses in the legacy protocol,
+and is used automatically if both sides support it.
+Once two nodes have connected with the new protocol, rollback to the legacy protocol is not allowed.
@menu
* Legacy authentication protocol::
diff --git a/src/tincctl.c b/src/tincctl.c
index 9b39f2ce..2032b33a 100644
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -1651,7 +1651,7 @@ const var_t variables[] = {
{"DeviceType", VAR_SERVER},
{"DirectOnly", VAR_SERVER | VAR_SAFE},
{"Ed25519PrivateKeyFile", VAR_SERVER},
- {"ExperimentalProtocol", VAR_SERVER},
+ {"ExperimentalProtocol", VAR_SERVER | VAR_OBSOLETE},
{"Forwarding", VAR_SERVER},
{"FWMark", VAR_SERVER},
{"GraphDumpFile", VAR_SERVER | VAR_OBSOLETE},
diff --git a/test/integration/algorithms.py b/test/integration/algorithms.py
index b056c7d5..52e0f820 100755
--- a/test/integration/algorithms.py
+++ b/test/integration/algorithms.py
@@ -23,7 +23,7 @@ def init(ctx: Test, digest: str, cipher: str) -> T.Tuple[Tinc, Tinc]:
set Digest {digest}
set Cipher {cipher}
"""
- foo.cmd(stdin=stdin)
+ foo.cmd("--force", stdin=stdin)
foo.start()
stdin = f"""
@@ -35,7 +35,7 @@ def init(ctx: Test, digest: str, cipher: str) -> T.Tuple[Tinc, Tinc]:
set Digest {digest}
set Cipher {cipher}
"""
- bar.cmd(stdin=stdin)
+ bar.cmd("--force", stdin=stdin)
foo.add_script(bar.script_up)
bar.add_script(foo.script_up)
diff --git a/test/integration/legacy_protocol.py b/test/integration/legacy_protocol.py
index 845ac345..f7ab1bd2 100755
--- a/test/integration/legacy_protocol.py
+++ b/test/integration/legacy_protocol.py
@@ -73,14 +73,14 @@ with Test("foo 1.1, bar 1.1") as context:
with Test("foo 1.1, bar 1.0") as context:
foo_node, bar_node = init(context)
- bar_node.cmd("set", "ExperimentalProtocol", "no")
+ bar_node.cmd("--force", "set", "ExperimentalProtocol", "no")
foo_node.cmd("del", f"{bar_node}.Ed25519PublicKey")
bar_node.cmd("del", f"{foo_node}.Ed25519PublicKey")
run_keys_test(foo_node, bar_node, empty=True)
with Test("bar 1.0 must not be allowed to connect") as context:
foo_node, bar_node = init(context)
- bar_node.cmd("set", "ExperimentalProtocol", "no")
+ bar_node.cmd("--force", "set", "ExperimentalProtocol", "no")
bar_up = bar_node.add_script(Script.SUBNET_UP)
bar_node.cmd("start")
diff --git a/test/integration/splice.py b/test/integration/splice.py
index 578845fb..868ffbc3 100755
--- a/test/integration/splice.py
+++ b/test/integration/splice.py
@@ -28,7 +28,7 @@ def init(ctx: Test, *options: str) -> T.Tuple[Tinc, Tinc]:
set Subnet 10.96.96.1
{custom}
"""
- foo.cmd(stdin=stdin)
+ foo.cmd("--force", stdin=stdin)
stdin = f"""
init {bar}
@@ -39,7 +39,7 @@ def init(ctx: Test, *options: str) -> T.Tuple[Tinc, Tinc]:
set Subnet 10.96.96.2
{custom}
"""
- bar.cmd(stdin=stdin)
+ bar.cmd("--force", stdin=stdin)
foo.add_script(Script.SUBNET_UP)
bar.add_script(Script.SUBNET_UP)
--
2.36.0

View file

@ -0,0 +1,322 @@
From f4db140a8ffc63b575181299c3964e4634606280 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue, 31 Aug 2021 16:27:47 +0200
Subject: [PATCH 10/10] Move poly1305_get_tag() into poly1305.c, hide
poly1305_init().
The crypto library on Windows exposes a symbol named poly1305_init(),
which clashes with ours. We can avoid this by moving poly1305_get_tag()
to poly1305.[ch], where it belongs better, and this allows us to make
all the lower-level Poly1305 functions static.
Also remove the support for associated data while we are at it, since we
are never using it.
---
src/chacha-poly1305/chacha.h | 1 -
src/chacha-poly1305/chachapoly.c | 58 ++++----------------------------
src/chacha-poly1305/chachapoly.h | 6 ++--
src/chacha-poly1305/poly1305.c | 54 +++++++++++++++++++++++++----
src/chacha-poly1305/poly1305.h | 20 +----------
src/sptps.c | 4 +--
6 files changed, 58 insertions(+), 85 deletions(-)
diff --git a/src/chacha-poly1305/chacha.h b/src/chacha-poly1305/chacha.h
index a137ab6b..d4784f49 100644
--- a/src/chacha-poly1305/chacha.h
+++ b/src/chacha-poly1305/chacha.h
@@ -31,4 +31,3 @@ void chacha_encrypt_bytes(struct chacha_ctx *x, const unsigned char *m,
unsigned char *c, uint32_t bytes);
#endif /* CHACHA_H */
-
diff --git a/src/chacha-poly1305/chachapoly.c b/src/chacha-poly1305/chachapoly.c
index 9a6620ce..68f04edd 100644
--- a/src/chacha-poly1305/chachapoly.c
+++ b/src/chacha-poly1305/chachapoly.c
@@ -53,52 +53,6 @@ static int memcmp_eq(const void *av, const void *bv, int n) {
return res;
}
-/**
- * Poly1305 tag generation. This concatenates a string according to the rules
- * outlined in RFC 7539 and calculates the tag.
- *
- * \param poly_key 32 byte secret one-time key for poly1305
- * \param ad associated data
- * \param ad_len associated data length in bytes
- * \param ct ciphertext
- * \param ct_len ciphertext length in bytes
- * \param tag pointer to 16 bytes for tag storage
- */
-static void poly1305_get_tag(unsigned char *poly_key, const void *ad,
- int ad_len, const void *ct, int ct_len, unsigned char *tag) {
- struct poly1305_context poly;
- unsigned left_over;
- uint64_t len;
- unsigned char pad[16];
-
- poly1305_init(&poly, poly_key);
- memset(&pad, 0, sizeof(pad));
-
- /* associated data and padding */
- poly1305_update(&poly, ad, ad_len);
- left_over = ad_len % 16;
-
- if(left_over) {
- poly1305_update(&poly, pad, 16 - left_over);
- }
-
- /* payload and padding */
- poly1305_update(&poly, ct, ct_len);
- left_over = ct_len % 16;
-
- if(left_over) {
- poly1305_update(&poly, pad, 16 - left_over);
- }
-
- /* lengths */
- len = ad_len;
- poly1305_update(&poly, (unsigned char *)&len, 8);
- len = ct_len;
- poly1305_update(&poly, (unsigned char *)&len, 8);
-
- poly1305_finish(&poly, tag);
-}
-
int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) {
assert(key_len == 128 || key_len == 256);
@@ -108,7 +62,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) {
}
int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
- const void *ad, int ad_len, void *input, int input_len,
+ void *input, int input_len,
void *output, void *tag, int tag_len, int encrypt) {
unsigned char poly_key[CHACHA_BLOCKLEN];
unsigned char calc_tag[POLY1305_TAGLEN];
@@ -121,7 +75,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
/* check tag if decrypting */
if(encrypt == 0 && tag_len) {
- poly1305_get_tag(poly_key, ad, ad_len, input, input_len, calc_tag);
+ poly1305_get_tag(poly_key, input, input_len, calc_tag);
if(memcmp_eq(calc_tag, tag, tag_len) != 0) {
return CHACHAPOLY_INVALID_MAC;
@@ -135,7 +89,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
/* add tag if encrypting */
if(encrypt && tag_len) {
- poly1305_get_tag(poly_key, ad, ad_len, output, input_len, calc_tag);
+ poly1305_get_tag(poly_key, output, input_len, calc_tag);
memcpy(tag, calc_tag, tag_len);
}
@@ -143,7 +97,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
}
int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
- const void *ad, int ad_len, void *input, int input_len,
+ void *input, int input_len,
void *output, void *tag, int tag_len, int encrypt) {
unsigned char keystream[CHACHA_BLOCKLEN];
unsigned char calc_tag[POLY1305_TAGLEN];
@@ -159,7 +113,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
/* check tag if decrypting */
if(encrypt == 0 && tag_len) {
- poly1305_get_tag(keystream, ad, ad_len, input, input_len, calc_tag);
+ poly1305_get_tag(keystream, input, input_len, calc_tag);
if(memcmp_eq(calc_tag, tag, tag_len) != 0) {
return CHACHAPOLY_INVALID_MAC;
@@ -174,7 +128,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
/* add tag if encrypting */
if(encrypt && tag_len) {
- poly1305_get_tag(keystream, ad, ad_len, output, input_len, calc_tag);
+ poly1305_get_tag(keystream, output, input_len, calc_tag);
memcpy(tag, calc_tag, tag_len);
}
diff --git a/src/chacha-poly1305/chachapoly.h b/src/chacha-poly1305/chachapoly.h
index ffc9576d..5d01f525 100644
--- a/src/chacha-poly1305/chachapoly.h
+++ b/src/chacha-poly1305/chachapoly.h
@@ -52,8 +52,6 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len);
*
* \param ctx context data
* \param nonce nonce (12 bytes)
- * \param ad associated data
- * \param ad_len associated data length in bytes
* \param input plaintext/ciphertext input
* \param input_len input length in bytes;
* \param output plaintext/ciphertext output
@@ -65,7 +63,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len);
* failed when decrypting
*/
int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
- const void *ad, int ad_len, void *input, int input_len,
+ void *input, int input_len,
void *output, void *tag, int tag_len, int encrypt);
/**
@@ -76,7 +74,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
* chachapoly_crypt.
*/
int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
- const void *ad, int ad_len, void *input, int input_len,
+ void *input, int input_len,
void *output, void *tag, int tag_len, int encrypt);
#endif
diff --git a/src/chacha-poly1305/poly1305.c b/src/chacha-poly1305/poly1305.c
index 0c90564c..b25435a7 100644
--- a/src/chacha-poly1305/poly1305.c
+++ b/src/chacha-poly1305/poly1305.c
@@ -5,6 +5,20 @@ public domain
#include "poly1305.h"
+/* use memcpy() to copy blocks of memory (typically faster) */
+#define USE_MEMCPY 1
+/* use unaligned little-endian load/store (can be faster) */
+#define USE_UNALIGNED 0
+
+struct poly1305_context {
+ uint32_t r[5];
+ uint32_t h[5];
+ uint32_t pad[4];
+ size_t leftover;
+ unsigned char buffer[POLY1305_BLOCK_SIZE];
+ unsigned char final;
+};
+
#if (USE_UNALIGNED == 1)
#define U8TO32(p) \
(*((uint32_t *)(p)))
@@ -33,7 +47,7 @@ U32TO8(unsigned char *p, uint32_t v) {
}
#endif
-void
+static void
poly1305_init(struct poly1305_context *st, const unsigned char key[32]) {
/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
st->r[0] = (U8TO32(&key[ 0])) & 0x3ffffff;
@@ -131,7 +145,7 @@ poly1305_blocks(struct poly1305_context *st, const unsigned char *m, size_t byte
st->h[4] = h4;
}
-void
+static void
poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) {
uint32_t h0, h1, h2, h3, h4, c;
uint32_t g0, g1, g2, g3, g4;
@@ -241,8 +255,7 @@ poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) {
st->pad[3] = 0;
}
-
-void
+static void
poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t bytes) {
size_t i;
@@ -293,10 +306,37 @@ poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t byte
}
}
+/**
+ * Poly1305 tag generation. This concatenates a string according to the rules
+ * outlined in RFC 7539 and calculates the tag.
+ *
+ * \param key 32 byte secret one-time key for poly1305
+ * \param ct ciphertext
+ * \param ct_len ciphertext length in bytes
+ * \param tag pointer to 16 bytes for tag storage
+ */
void
-poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
+poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]) {
struct poly1305_context ctx;
+ unsigned left_over;
+ uint64_t len;
+ unsigned char pad[16];
+
poly1305_init(&ctx, key);
- poly1305_update(&ctx, m, bytes);
- poly1305_finish(&ctx, mac);
+ memset(&pad, 0, sizeof(pad));
+
+ /* payload and padding */
+ poly1305_update(&ctx, ct, ct_len);
+ left_over = ct_len % 16;
+
+ if(left_over) {
+ poly1305_update(&ctx, pad, 16 - left_over);
+ }
+
+ /* lengths */
+ len = 0;
+ poly1305_update(&ctx, (unsigned char *)&len, 8);
+ len = ct_len;
+ poly1305_update(&ctx, (unsigned char *)&len, 8);
+ poly1305_finish(&ctx, tag);
}
diff --git a/src/chacha-poly1305/poly1305.h b/src/chacha-poly1305/poly1305.h
index 624a19a9..5fc3b903 100644
--- a/src/chacha-poly1305/poly1305.h
+++ b/src/chacha-poly1305/poly1305.h
@@ -9,24 +9,6 @@
#define POLY1305_TAGLEN 16
#define POLY1305_BLOCK_SIZE 16
-/* use memcpy() to copy blocks of memory (typically faster) */
-#define USE_MEMCPY 1
-/* use unaligned little-endian load/store (can be faster) */
-#define USE_UNALIGNED 0
-
-struct poly1305_context {
- uint32_t r[5];
- uint32_t h[5];
- uint32_t pad[4];
- size_t leftover;
- unsigned char buffer[POLY1305_BLOCK_SIZE];
- unsigned char final;
-};
-
-void poly1305_init(struct poly1305_context *ctx, const unsigned char key[32]);
-void poly1305_update(struct poly1305_context *ctx, const unsigned char *m, size_t bytes);
-void poly1305_finish(struct poly1305_context *ctx, unsigned char mac[16]);
-void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]);
+void poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]);
#endif /* POLY1305_H */
-
diff --git a/src/sptps.c b/src/sptps.c
index 7c8d20b7..8f713fe6 100644
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -168,7 +168,7 @@ static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
#ifndef HAVE_OPENSSL
case SPTPS_CHACHA_POLY1305: {
- if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) {
+ if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) {
return false;
}
@@ -249,7 +249,7 @@ static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
#ifndef HAVE_OPENSSL
case SPTPS_CHACHA_POLY1305:
- if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) {
+ if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) {
return false;
}
--
2.36.0

11
debian/patches/fix-version-number vendored Normal file
View file

@ -0,0 +1,11 @@
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
origcflags="$CFLAGS"
AC_PREREQ(2.69)
-AC_INIT([tinc], m4_esyscmd_s((git describe || echo UNKNOWN) | sed 's/release-//'))
+AC_INIT([tinc], [1.1~pre18])
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([std-options subdir-objects nostdinc silent-rules -Wall])
AC_CONFIG_HEADERS([config.h])

11
debian/patches/series vendored Normal file
View file

@ -0,0 +1,11 @@
0001-Add-AES-256-GCM-support-to-SPTPS.patch
0002-Add-cipher-suite-selection-options-to-sptps_test.patch
0003-Let-sptps_speed-benchmark-all-cipher-suites.patch
0004-If-we-link-with-OpenSSL-use-it-for-Chacha20-Poly1305.patch
0005-Update-the-built-in-Chacha20-Poly1305-code-to-an-RFC.patch
0006-Ensure-we-are-compatible-with-LibreSSL.patch
0007-Fix-infinite-loop-on-SPTPS-errors-when-running-sptps.patch
0008-Fix-documentation-of-default-cipher-algorithm-used-f.patch
0009-Make-the-ExperimentalProtocol-option-obsolete.patch
0010-Move-poly1305_get_tag-into-poly1305.c-hide-poly1305_.patch
fix-version-number

23
debian/postinst vendored Normal file
View file

@ -0,0 +1,23 @@
#! /bin/sh
NETSFILE="/etc/tinc/nets.boot"
set -e
case "$1" in
configure)
if [ ! -e $NETSFILE ] ; then
echo "## This file contains all names of the networks to be started on system startup." > $NETSFILE
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 0
;;
esac
#DEBHELPER#

9
debian/postrm vendored Normal file
View file

@ -0,0 +1,9 @@
#!/bin/sh
set -e
if [ "$1" = purge ]; then
rm -f /etc/tinc/nets.boot
fi
#DEBHELPER#

28
debian/preinst vendored Normal file
View file

@ -0,0 +1,28 @@
#!/bin/sh
NETSFILE="/etc/tinc/nets.boot"
SYSTEM="/lib/systemd/system"
WANTS="/etc/systemd/system/multi-user.target.wants"
set -e
case "$1" in
upgrade)
if dpkg --compare-versions "$2" '<<' "1.1~pre11-1"; then
if [ -f "$NETSFILE" ]; then
echo -n "Creating systemd service instances from nets.boot:"
mkdir -p "$WANTS"
egrep '^[ ]*[a-zA-Z0-9_-]+' $NETSFILE | while read net args; do
echo -n " $net"
ln -s "$SYSTEM/tinc@.service" "$WANTS/tinc@$net.service" 2>/dev/null || true
done
echo "."
fi
fi
;;
*)
;;
esac
#DEBHELPER#

21
debian/rules vendored Executable file
View file

@ -0,0 +1,21 @@
#!/usr/bin/make -f
%:
dh $@ --with quilt
override_dh_auto_configure:
dh_auto_configure -- --enable-uml \
--with-systemd=/lib/systemd/system/
$(MAKE) clean
override_dh_auto_install:
dh_auto_install -- install-html
# Remove info dir file
rm -f debian/tinc/usr/share/info/dir
override_dh_auto_test:
# Don't run the tests, it involves starting tinc daemons and making network connections.
# I don't think the autobuilders will like this.
override_dh_installinit:
dh_installinit -r

1
debian/source/format vendored Normal file
View file

@ -0,0 +1 @@
3.0 (quilt)

7
debian/tinc.default vendored Normal file
View file

@ -0,0 +1,7 @@
# Extra options to be passed to tincd.
# EXTRA="-d"
# Limits to be configured for the tincd process. Please read your shell
# (pointed by /bin/sh) documentation for ulimit. You probably want to raise the
# max locked memory value if using both --mlock and --user flags.
# LIMITS="-l 128"

3
debian/tinc.docs vendored Normal file
View file

@ -0,0 +1,3 @@
NEWS
README
AUTHORS

13
debian/tinc.if-post-down vendored Executable file
View file

@ -0,0 +1,13 @@
#!/bin/sh
set -e
test "$METHOD" != loopback -a -n "$IF_TINC_NET" || exit 0
if test -z "$IF_TINC_PIDFILE"; then
/usr/sbin/tinc -n "$IF_TINC_NET" stop $EXTRA
else
/usr/sbin/tinc -n "$IF_TINC_NET" --pidfile="$IF_TINC_PIDFILE" stop
fi
exit 0

46
debian/tinc.if-pre-up vendored Executable file
View file

@ -0,0 +1,46 @@
#!/bin/sh
set -e
test -n "$IF_TINC_NET" || exit 0
# Read options from /etc/default
if test -e /etc/default/tinc; then
. /etc/default/tinc
fi
# Set process limits
setlimits() {
while [ $# -gt 0 ]; do
parm=$1 ; shift
if [ -n "$1" -a "${1#-}" = "$1" ]; then
value=$1 ; shift
ulimit $parm $value
else
ulimit $parm
fi
done
}
test -n "$LIMITS" && setlimits $LIMITS
# Read options from /etc/network/interfaces
test -z "$IF_TINC_CONFIG" || EXTRA="$EXTRA -c $IF_TINC_CONFIG"
test -z "$IF_TINC_DEBUG" || EXTRA="$EXTRA -d$IF_TINC_DEBUG"
test -z "$IF_TINC_MLOCK" || EXTRA="$EXTRA --mlock"
test -z "$IF_TINC_LOGFILE" || EXTRA="$EXTRA --logfile=$IF_TINC_LOGFILE"
test -z "$IF_TINC_PIDFILE" || EXTRA="$EXTRA --pidfile=$IF_TINC_PIDFILE" || IF_TINC_PIDFILE=/var/run/tinc.$IF_TINC_NET.pid
test -z "$IF_TINC_CHROOT" || EXTRA="$EXTRA --chroot"
test -z "$IF_TINC_USER" || EXTRA="$EXTRA --user=$IF_TINC_USER"
# Start tinc daemon
if test -z "$IF_TINC_PIDFILE"; then
/usr/sbin/tinc -n "$IF_TINC_NET" start -o "Interface=$IFACE" $EXTRA
else
/usr/sbin/tinc -n "$IF_TINC_NET" --pidfile="$IF_TINC_PIDFILE" start -o "Interface=$IFACE" $EXTRA
fi
exit 0

11
debian/tinc.if-up vendored Executable file
View file

@ -0,0 +1,11 @@
#!/bin/sh
set -e
test "$METHOD" != loopback -a -n "$IF_TINC_NET" || exit 0
if test -z "$IF_TINC_PIDFILE"; then
/usr/sbin/tinc -n "$IF_TINC_NET" retry
else
/usr/sbin/tinc -n "$IF_TINC_NET" --pidfile="$IF_TINC_PIDFILE" retry
fi

103
debian/tinc.noinit vendored Normal file
View file

@ -0,0 +1,103 @@
#! /bin/sh
#
### BEGIN INIT INFO
# Provides: tinc
# Required-Start: $remote_fs $network
# Required-Stop: $remote_fs $network
# Should-Start: $syslog $named
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start tinc daemons
# Description: Create a file $NETSFILE (/etc/tinc/nets.boot),
# and put all the names of the networks in there.
# These names must be valid directory names under
# $TCONF (/etc/tinc). Lines starting with a # will be
# ignored in this file.
### END INIT INFO
#
# Based on Lubomir Bulej's Redhat init script.
. /lib/lsb/init-functions
DAEMON="/usr/sbin/tincd"
CONTROL="/usr/sbin/tinc"
NAME="tinc"
DESC="tinc daemons"
TCONF="/etc/tinc"
NETSFILE="$TCONF/nets.boot"
NETS=""
test -f $DAEMON || exit 0
[ -r /etc/default/tinc ] && . /etc/default/tinc
# foreach_net "what-to-say" action [arguments...]
foreach_net() {
if [ ! -f $NETSFILE ] ; then
echo "Please create $NETSFILE."
exit 0
fi
echo -n "$1"
shift
egrep '^[ ]*[a-zA-Z0-9_-]+' $NETSFILE | while read net args; do
echo -n " $net"
case "$1" in
start|restart) $CONTROL -n $net $1 $EXTRA $args ;;
*) $CONTROL -n $net $1 ;;
esac
done
echo "."
}
signal_running() {
for i in /var/run/tinc.*pid; do
if [ -f "$i" ]; then
head -1 $i | while read pid junk; do
kill -$1 $pid
done
fi
done
}
setlimits() {
while [ $# -gt 0 ]; do
parm=$1 ; shift
if [ -n "$1" -a "${1#-}" = "$1" ]; then
value=$1 ; shift
ulimit $parm $value
else
ulimit $parm
fi
done
}
test -n "$LIMITS" && setlimits $LIMITS
case "$1" in
start)
foreach_net "Starting $DESC:" start
;;
stop)
foreach_net "Stopping $DESC:" stop
;;
reload|force-reload)
foreach_net "Reloading $DESC configuration:" reload
;;
restart)
foreach_net "Restarting $DESC:" restart
;;
force-restart)
$0 stop
$0 start
;;
retry)
signal_running ALRM
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|force-reload|retry}"
exit 1
;;
esac
exit 0

View file

@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by

View file

@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,

File diff suppressed because it is too large Load diff

View file

@ -75,7 +75,7 @@ option, the value of this environment variable is used.
.Sh COMMANDS
.Bl -tag -width indent
.It init Op Ar name
Create initial configuration files and RSA and Ed25519 keypairs with default length.
Create initial configuration files and RSA and Ed25519 key pairs with default length.
If no
.Ar name
for this node is given, it will be asked for.
@ -149,11 +149,11 @@ will be made.
Shows the PID of the currently running
.Xr tincd 8 .
.It generate-keys Op bits
Generate both RSA and Ed25519 keypairs (see below) and exit.
Generate both RSA and Ed25519 key pairs (see below) and exit.
.It generate-ed25519-keys
Generate public/private Ed25519 keypair and exit.
Generate public/private Ed25519 key pair and exit.
.It generate-rsa-keys Op bits
Generate public/private RSA keypair and exit.
Generate public/private RSA key pair and exit.
If
.Ar bits
is omitted, the default length will be 2048 bits.

View file

@ -64,7 +64,7 @@ or by using
.Sh PUBLIC/PRIVATE KEYS
The
.Nm tinc Li init
command will have generated both RSA and Ed25519 public/private keypairs.
command will have generated both RSA and Ed25519 public/private key pairs.
The private keys should be stored in files named
.Pa rsa_key.priv
and
@ -114,7 +114,7 @@ If
.Qq any
is selected, then depending on the operating system both IPv4 and IPv6 or just
IPv6 listening sockets will be created.
.It Va AutoConnect Li = yes | no Po yes
.It Va AutoConnect Li = yes | no Pq yes
If set to yes,
.Nm tinc
will automatically set up meta connections to other nodes,
@ -235,7 +235,8 @@ Do NOT connect multiple
daemons to the same multicast address, this will very likely cause routing loops.
Also note that this can cause decrypted VPN packets to be sent out on a real network if misconfigured.
.It fd
Use a file descriptor.
Use a file descriptor, given directly as an integer or passed through a unix domain socket.
On Linux, an abstract socket address can be specified by using "@" as a prefix.
All packets are read from this interface.
Packets received for the local node are written to it.
.It uml Pq not compiled in by default
@ -683,7 +684,7 @@ this means that tinc will temporarily stop processing packets until the called s
This guarantees that scripts will execute in the exact same order as the events that trigger them.
If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
.Pp
Under Windows (not Cygwin), the scripts must have the extension
Under Windows, the scripts must have the extension
.Pa .bat
or
.Pa .cmd .

File diff suppressed because it is too large Load diff

View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2018 Ivo Timmermans,
Copyright @copyright{} 1998-2021 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -43,7 +43,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2018 Ivo Timmermans,
Copyright @copyright{} 1998-2021 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -182,7 +182,7 @@ available too.
@section Supported platforms
@cindex platforms
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows,
with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most
@ -267,7 +267,7 @@ alias char-major-10-200 tun
@subsection Configuration of FreeBSD kernels
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
The tap driver can be loaded with @command{kldload if_tap}, or by adding @samp{if_tap_load="YES"} to @file{/boot/loader.conf}.
@c ==================================================================
@ -308,7 +308,7 @@ Tinc also supports the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices,
By default, tinc expects the tuntaposx driver to be installed.
To use the utun driver, set add @code{Device = utunX} to @file{tinc.conf},
To use the utun driver, set add @samp{Device = utunX} to @file{tinc.conf},
where X is the desired number for the utun interface.
You can also omit the number, in which case the first free number will be chosen.
@ -421,7 +421,7 @@ by the zlib library.
If this library is not installed, you will get an error when running the
configure script. You can either install the zlib library, or disable support
for zlib compression by using the "--disable-zlib" option when running the
for zlib compression by using the @option{--disable-zlib} option when running the
configure script. Note that if you disable support for zlib, the resulting
binary will not work correctly on VPNs where zlib compression is used.
@ -445,7 +445,7 @@ Another form of compression is offered using the LZO library.
If this library is not installed, you will get an error when running the
configure script. You can either install the LZO library, or disable support
for LZO compression by using the "--disable-lzo" option when running the
for LZO compression by using the @option{--disable-lzo} option when running the
configure script. Note that if you disable support for LZO, the resulting
binary will not work correctly on VPNs where LZO compression is used.
@ -465,12 +465,12 @@ default).
@subsection libcurses
@cindex libcurses
For the "tinc top" command, tinc requires a curses library.
For the @command{tinc top} command, tinc requires a curses library.
If this library is not installed, you will get an error when running the
configure script. You can either install a suitable curses library, or disable
all functionality that depends on a curses library by using the
"--disable-curses" option when running the configure script.
@option{--disable-curses} option when running the configure script.
There are several curses libraries. It is recommended that you install
"ncurses" (@url{https://invisible-island.net/ncurses/}),
@ -488,12 +488,12 @@ of this package.
@subsection libreadline
@cindex libreadline
For the "tinc" command's shell functionality, tinc uses the readline library.
For the @command{tinc} command's shell functionality, tinc uses the readline library.
If this library is not installed, you will get an error when running the
configure script. You can either install a suitable readline library, or
disable all functionality that depends on a readline library by using the
"--disable-readline" option when running the configure script.
@option{--disable-readline} option when running the configure script.
You can use your operating system's package manager to install this if
available. Make sure you install the development AND runtime versions
@ -553,7 +553,6 @@ The documentation that comes along with your distribution will tell you how to d
@menu
* Darwin (MacOS/X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::
@end menu
@ -568,17 +567,6 @@ It might also help to install a recent version of Fink from @uref{http://www.fin
You need to download and install LibreSSL (or OpenSSL) and LZO,
either directly from their websites (see @ref{Libraries}) or using Fink.
@c ==================================================================
@node Cygwin (Windows) build environment
@subsection Cygwin (Windows) build environment
If Cygwin hasn't already been installed, install it directly from
@uref{https://www.cygwin.com/}.
When tinc is compiled in a Cygwin environment, it can only be run in this environment,
but all programs, including those started outside the Cygwin environment, will be able to use the VPN.
It will also support all features.
@c ==================================================================
@node MinGW (Windows) build environment
@subsection MinGW (Windows) build environment
@ -639,7 +627,7 @@ myvpn 10.0.0.0
@cindex port numbers
You may add this line to @file{/etc/services}. The effect is that you
may supply a @samp{tinc} as a valid port number to some programs. The
may supply @samp{tinc} as a valid port number to some programs. The
number 655 is registered with the IANA.
@example
@ -695,14 +683,14 @@ A good resource on networking is the
If you have everything clearly pictured in your mind,
proceed in the following order:
First, create the initial configuration files and public/private keypairs using the following command:
First, create the initial configuration files and public/private key pairs using the following command:
@example
tinc -n @var{NETNAME} init @var{NAME}
@end example
Second, use @samp{tinc -n @var{NETNAME} add ...} to further configure tinc.
Finally, export your host configuration file using @samp{tinc -n @var{NETNAME} export} and send it to those
Second, use @command{tinc -n @var{NETNAME} add ...} to further configure tinc.
Finally, export your host configuration file using @command{tinc -n @var{NETNAME} export} and send it to those
people or computers you want tinc to connect to.
They should send you their host configuration file back, which you can import using @samp{tinc -n @var{NETNAME} import}.
They should send you their host configuration file back, which you can import using @command{tinc -n @var{NETNAME} import}.
These steps are described in the subsections below.
@ -953,7 +941,8 @@ Also note that this can cause decrypted VPN packets to be sent out on a real net
@cindex fd
@item fd
Use a file descriptor.
Use a file descriptor, given directly as an integer or passed through a unix domain socket.
On Linux, an abstract socket address can be specified by using @samp{@@} as a prefix.
All packets are read from this interface.
Packets received for the local node are written to it.
@ -1024,7 +1013,7 @@ When this option is enabled, the SPTPS protocol will be used when connecting to
Ephemeral ECDH will be used for key exchanges,
and Ed25519 will be used instead of RSA for authentication.
When enabled, an Ed25519 key must have been generated before with
@samp{tinc generate-ed25519-keys}.
@command{tinc generate-ed25519-keys}.
@cindex Forwarding
@item Forwarding = <off|internal|kernel> (internal) [experimental]
@ -1081,7 +1070,7 @@ in which case listening sockets for each specified address are made.
If no @var{port} is specified, the socket will listen on the port specified by the Port option,
or to port 655 if neither is given.
To only listen on a specific port but not to a specific address, use "*" for the @var{address}.
To only listen on a specific port but not to a specific address, use @samp{*} for the @var{address}.
@cindex LocalDiscovery
@item LocalDiscovery = <yes | no> (no)
@ -1141,7 +1130,7 @@ impossible to crack a single key.
@cindex MACExpire
@item MACExpire = <@var{seconds}> (600)
This option controls the amount of time MAC addresses are kept before they are removed.
This only has effect when Mode is set to "switch".
This only has effect when Mode is set to @samp{switch}.
@cindex MaxConnectionBurst
@item MaxConnectionBurst = <@var{count}> (100)
@ -1185,7 +1174,7 @@ accidental eavesdropping if you are editing the configuration file.
@cindex PrivateKeyFile
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
This is the full path name of the RSA private key file that was
generated by @samp{tinc generate-keys}. It must be a full path, not a
generated by @command{tinc generate-keys}. It must be a full path, not a
relative directory.
@cindex ProcessPriority
@ -1287,7 +1276,7 @@ Note: this setting can have a significant impact on performance, especially raw
@item UPnP = <yes|udponly|no> (no)
If this option is enabled then tinc will search for UPnP-IGD devices on the local network.
It will then create and maintain port mappings for tinc's listening TCP and UDP ports.
If set to "udponly", tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
If set to @samp{udponly}, tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
Note that tinc must have been built with miniupnpc support for this feature to be available.
Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that
tinc uses might not be well-hardened with regard to malicious UPnP replies.
@ -1322,7 +1311,7 @@ tried until a working connection has been established.
@item Cipher = <@var{cipher}> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
Any cipher supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
Furthermore, specifying @samp{none} will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
@ -1342,7 +1331,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
@item Digest = <@var{digest}> (sha1)
The digest algorithm used to authenticate UDP packets using the legacy protocol.
Any digest supported by LibreSSL or OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
Furthermore, specifying @samp{none} will turn off packet authentication.
This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
@cindex IndirectData
@ -1383,7 +1372,7 @@ This is the RSA public key for this host.
@cindex PublicKeyFile
@item PublicKeyFile = <@var{path}> [obsolete]
This is the full path name of the RSA public key file that was generated
by @samp{tinc generate-keys}. It must be a full path, not a relative
by @command{tinc generate-keys}. It must be a full path, not a relative
directory.
@cindex PEM format
@ -1455,7 +1444,7 @@ this means that tinc will temporarily stop processing packets until the called s
This guarantees that scripts will execute in the exact same order as the events that trigger them.
If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background.
Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}.
Under Windows, the scripts should have the extension @file{.bat} or @file{.cmd}.
@table @file
@cindex tinc-up
@ -1557,7 +1546,7 @@ this is set to the invitation URL that has been created.
@end table
Do not forget that under UNIX operating systems,
you have to make the scripts executable, using the command @samp{chmod a+x script}.
you have to make the scripts executable, using the command @command{chmod a+x script}.
@c ==================================================================
@ -1566,13 +1555,13 @@ you have to make the scripts executable, using the command @samp{chmod a+x scrip
@subsubheading Step 1. Creating initial configuration files.
The initial directory structure, configuration files and public/private keypairs are created using the following command:
The initial directory structure, configuration files and public/private key pairs are created using the following command:
@example
tinc -n @var{netname} init @var{name}
@end example
(You will need to run this as root, or use "sudo".)
(You will need to run this as root, or use @command{sudo}.)
This will create the configuration directory @file{@value{sysconfdir}/tinc/@var{netname}.},
and inside it will create another directory named @file{hosts/}.
In the configuration directory, it will create the file @file{tinc.conf} with the following contents:
@ -1706,8 +1695,8 @@ The netmask is the mask of the @emph{entire} VPN network, not just your
own subnet.
The second command gives the interface an IPv6 address and netmask,
which will also automatically add an IPv6 route.
If you only want to use "ip addr" commands on Linux, don't forget that it doesn't bring the interface up, unlike ifconfig,
so you need to add @samp{ip link set $INTERFACE up} in that case.
If you only want to use @command{ip addr} commands on Linux, don't forget that it doesn't bring the interface up, unlike ifconfig,
so you need to add @command{ip link set $INTERFACE up} in that case.
The exact syntax of the ifconfig and route commands differs from platform to platform.
You can look up the commands for setting addresses and adding routes in @ref{Platform specific information},
@ -1747,7 +1736,7 @@ the real interface is also shown as a comment, to give you an idea of
how these example host is set up. All branches use the netname `company'
for this particular VPN.
Each branch is set up using the @samp{tinc init} and @samp{tinc config} commands,
Each branch is set up using the @command{tinc init} and @command{tinc config} commands,
here we just show the end results:
@subsubheading For Branch A
@ -1893,7 +1882,7 @@ Address = 4.5.6.7
@subsubheading Key files
A, B, C and D all have their own public/private keypairs:
A, B, C and D all have their own public/private key pairs:
The private RSA key is stored in @file{@value{sysconfdir}/tinc/company/rsa_key.priv},
the private Ed25519 key is stored in @file{@value{sysconfdir}/tinc/company/ed25519_key.priv},
@ -2149,7 +2138,7 @@ Some of them will only be visible if the debug level is high enough.
@item Error reading RSA key file `rsa_key.priv': No such file or directory
@itemize
@item You forgot to create a public/private keypair.
@item You forgot to create a public/private key pair.
@item Specify the complete pathname to the private key file with the @samp{PrivateKeyFile} option.
@end itemize
@ -2217,8 +2206,8 @@ You can add @samp{TCPOnly = yes} to host configuration files to force all VPN tr
@item Got bad/bogus/unauthorized REQUEST from foo (1.2.3.4 port 12345)
@itemize
@item Node foo does not have the right public/private keypair.
Generate new keypairs and distribute them again.
@item Node foo does not have the right public/private key pair.
Generate new key pairs and distribute them again.
@item An attacker tries to gain access to your VPN.
@item A network error caused corruption of metadata sent from foo.
@end itemize
@ -2238,7 +2227,7 @@ Be sure to include the following information in your bugreport:
@item What platform (operating system, version, hardware architecture) and which version of tinc you use.
@item If compiling tinc fails, a copy of @file{config.log} and the error messages you get.
@item Otherwise, a copy of @file{tinc.conf}, @file{tinc-up} and all files in the @file{hosts/} directory.
@item The output of the commands @samp{ifconfig -a} and @samp{route -n} (or @samp{netstat -rn} if that doesn't work).
@item The output of the commands @command{ifconfig -a} and @command{route -n} (or @command{netstat -rn} if that doesn't work).
@item The output of any command that fails to work as it should (like ping or traceroute).
@end itemize
@ -2319,11 +2308,11 @@ the value of this environment variable is used.
@section tinc commands
@c from the manpage
@table @code
@table @samp
@cindex init
@item init [@var{name}]
Create initial configuration files and RSA and Ed25519 keypairs with default length.
Create initial configuration files and RSA and Ed25519 key pairs with default length.
If no @var{name} for this node is given, it will be asked for.
@cindex get
@ -2386,15 +2375,15 @@ If no @var{URL} is given, it will be read from standard input.
@cindex start
@item start [tincd options]
Start @samp{tincd}, optionally with the given extra options.
Start @command{tincd}, optionally with the given extra options.
@cindex stop
@item stop
Stop @samp{tincd}.
Stop @command{tincd}.
@cindex restart
@item restart [tincd options]
Restart @samp{tincd}, optionally with the given extra options.
Restart @command{tincd}, optionally with the given extra options.
@cindex reload
@item reload
@ -2404,21 +2393,21 @@ in @file{tinc.conf} will be made.
@cindex pid
@item pid
Shows the PID of the currently running @samp{tincd}.
Shows the PID of the currently running @command{tincd}.
@cindex generate-keys
@item generate-keys [@var{bits}]
Generate both RSA and Ed25519 keypairs (see below) and exit.
Generate both RSA and Ed25519 key pairs (see below) and exit.
tinc will ask where you want to store the files, but will default to the
configuration directory (you can use the -c or -n option).
@cindex generate-ed25519-keys
@item generate-ed25519-keys
Generate public/private Ed25519 keypair and exit.
Generate public/private Ed25519 key pair and exit.
@cindex generate-rsa-keys
@item generate-rsa-keys [@var{bits}]
Generate public/private RSA keypair and exit. If @var{bits} is omitted, the
Generate public/private RSA key pair and exit. If @var{bits} is omitted, the
default length will be 2048 bits. When saving keys to existing files, tinc
will not delete the old keys; you have to remove them manually.
@ -2515,8 +2504,8 @@ The signed file is written to standard output.
Check the signature of a file against a node's public key.
The @var{name} of the node must be given,
or can be "." to check against the local node's public key,
or "*" to allow a signature from any node whose public key is known.
or can be @samp{.} to check against the local node's public key,
or @samp{*} to allow a signature from any node whose public key is known.
If no @var{filename} is given, the file is read from standard input.
If the verification is successful, a copy of the input with the signature removed is written to standard output, and the exit code will be zero.
If the verification failed, nothing will be written to standard output, and the exit code will be non-zero.
@ -2612,9 +2601,9 @@ Quit.
@chapter Invitations
Invitations are an easy way to add new nodes to an existing VPN. Invitations
can be created on an existing node using the @code{tinc invite} command, which
can be created on an existing node using the @command{tinc invite} command, which
generates a relatively short URL which can be given to someone else, who uses
the @code{tinc join} command to automatically set up tinc so it can connect to
the @command{tinc join} command to automatically set up tinc so it can connect to
the inviting node. The next sections describe how invitations actually work,
and how to further automate the invitations.
@ -2630,7 +2619,7 @@ and how to further automate the invitations.
@section How invitations work
When an invitation is created on a node (which from now on we will call the
server) using the @code{tinc invite} command, an invitation file is created
server) using the @command{tinc invite} command, an invitation file is created
that contains all the information necessary for the invitee (which we will call
the client) to create its configuration files. The invitation file is stays on
the server, but a URL is generated that has enough information for the client
@ -2668,14 +2657,14 @@ information in the invitation file.
It is important that the invitation URL is kept secret until it is used; if
another person gets a copy of the invitation URL before the real client runs
the @code{tinc join} command, then that other person can try to join the VPN.
the @command{tinc join} command, then that other person can try to join the VPN.
@c ==================================================================
@node Invitation file format
@section Invitation file format
The contents of an invitation file that is generated by the @code{tinc invite}
The contents of an invitation file that is generated by the @command{tinc invite}
command looks like this:
@example
@ -2689,15 +2678,15 @@ Address = server.example.com
@end example
The file is basically a concatenation of several host config blocks. Each host
config block starts with @code{Name = ...}. Lines that look like @code{#---#}
config block starts with @samp{Name = ...}. Lines that look like @samp{#---#}
are not important, it just makes it easier for humans to read the file.
However, the first line of an invitation file @emph{must} always start with
@code{Name = ...}.
@samp{Name = ...}.
The first host config block is always the one representing the invitee. So the
first Name statement determines the name that the invitee will get. From the
first block, the @file{tinc.conf} and @file{hosts/client} files will be
generated; the @code{tinc join} command on the client will automatically
generated; the @command{tinc join} command on the client will automatically
separate statements based on whether they should be in @file{tinc.conf} or in a
host config file. Some statements are special and are treated differently:
@ -2711,9 +2700,9 @@ configuration with the same netname.
@item Ifconfig = <@var{address}[/@var{netmask}] | dhcp | dhcp6 | slaac>
This is a hint for generating a @file{tinc-up} script.
If an address is specified, a command will be added to @file{tinc-up} so the VPN interface will be configured to have the given address.
If it is the word "dhcp", a command will be added to start a DHCP client on the VPN interface.
If it is the word dhcpv6, it will be a DHCPv6 client.
If it is "slaac", then it will add commands to enable IPv6 stateless address autoconfiguration.
If it is the word @samp{dhcp}, a command will be added to start a DHCP client on the VPN interface.
If it is the word @samp{dhcpv6}, it will be a DHCPv6 client.
If it is @samp{slaac}, then it will add commands to enable IPv6 stateless address autoconfiguration.
It is also possible to specify a MAC address, in which case a command will be added to set the MAC address of the VPN interface.
The exact commands added to the @file{tinc-up} script depends on the operating system the client is using.
@ -2729,7 +2718,7 @@ In general, a gateway is only necessary when running tinc in switch mode.
@end table
Subsequent host config blocks are copied verbatim into their respective files
in @file{hosts/}. The invitation file generated by @code{tinc invite} will
in @file{hosts/}. The invitation file generated by @command{tinc invite} will
normally only contain two blocks; one for the client and one for the server.
@ -2737,7 +2726,7 @@ normally only contain two blocks; one for the client and one for the server.
@node Writing an invitation-created script
@section Writing an invitation-created script
When an invitation is generated, the "invitation-created" script is called (if
When an invitation is generated, the @file{invitation-created} script is called (if
it exists) right after the invitation file is written, but before the URL has
been written to stdout. This allows one to change the invitation file
automatically before the invitation URL is passed to the invitee. Here is an
@ -3424,42 +3413,42 @@ For IPv4 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item Linux iproute2
@tab @code{ip addr add} @var{address}@code{/}@var{prefixlength} @code{dev} @var{interface}
@tab @command{ip addr add} @var{address}@samp{/}@var{prefixlength} @samp{dev} @var{interface}
@item FreeBSD
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item NetBSD
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item Solaris
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item Darwin (MacOS/X)
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@tab @command{ifconfig} @var{interface} @var{address} @samp{netmask} @var{netmask}
@item Windows
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
@tab @command{netsh interface ip set address} @var{interface} @samp{static} @var{address} @var{netmask}
@end multitable
For IPv6 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
@tab @command{ifconfig} @var{interface} @samp{add} @var{address}@samp{/}@var{prefixlength}
@item FreeBSD
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@tab @command{ifconfig} @var{interface} @samp{inet6} @var{address} @samp{prefixlen} @var{prefixlength}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@tab @command{ifconfig} @var{interface} @samp{inet6} @var{address} @samp{prefixlen} @var{prefixlength}
@item NetBSD
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@tab @command{ifconfig} @var{interface} @samp{inet6} @var{address} @samp{prefixlen} @var{prefixlength}
@item Solaris
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
@tab @command{ifconfig} @var{interface} @samp{inet6 plumb up}
@item
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
@tab @command{ifconfig} @var{interface} @samp{inet6 addif} @var{address} @var{address}
@item Darwin (MacOS/X)
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@tab @command{ifconfig} @var{interface} @samp{inet6} @var{address} @samp{prefixlen} @var{prefixlength}
@item Windows
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@tab @command{netsh interface ipv6 add address} @var{interface} @samp{static} @var{address}/@var{prefixlength}
@end multitable
On Linux, it is possible to create a persistent tun/tap interface which will
@ -3469,7 +3458,7 @@ tinc can be started without needing any root privileges at all.
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@tab @command{ip tuntap add dev} @var{interface} @samp{mode} @var{tun|tap} @samp{user} @var{username}
@end multitable
@c ==================================================================
@ -3487,42 +3476,42 @@ Adding routes to IPv4 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
@tab @command{route add -net} @var{network_address} @samp{netmask} @var{netmask} @var{interface}
@item Linux iproute2
@tab @code{ip route add} @var{network_address}@code{/}@var{prefixlength} @code{dev} @var{interface}
@tab @command{ip route add} @var{network_address}@samp{/}@var{prefixlength} @samp{dev} @var{interface}
@item FreeBSD
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@tab @command{route add} @var{network_address}@samp{/}@var{prefixlength} @var{local_address}
@item OpenBSD
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@tab @command{route add} @var{network_address}@samp{/}@var{prefixlength} @var{local_address}
@item NetBSD
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@tab @command{route add} @var{network_address}@samp{/}@var{prefixlength} @var{local_address}
@item Solaris
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@tab @command{route add} @var{network_address}@samp{/}@var{prefixlength} @var{local_address} @samp{-interface}
@item Darwin (MacOS/X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@tab @command{route add} @var{network_address}@samp{/}@var{prefixlength} @var{local_address}
@item Windows
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@tab @command{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@end multitable
Adding routes to IPv6 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
@tab @command{route add -A inet6} @var{network_address}@samp{/}@var{prefixlength} @var{interface}
@item Linux iproute2
@tab @code{ip route add} @var{network_address}@code{/}@var{prefixlength} @code{dev} @var{interface}
@tab @command{ip route add} @var{network_address}@samp{/}@var{prefixlength} @samp{dev} @var{interface}
@item FreeBSD
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@tab @command{route add -inet6} @var{network_address}@samp{/}@var{prefixlength} @var{local_address}
@item OpenBSD
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@tab @command{route add -inet6} @var{network_address} @var{local_address} @samp{-prefixlen} @var{prefixlength}
@item NetBSD
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@tab @command{route add -inet6} @var{network_address} @var{local_address} @samp{-prefixlen} @var{prefixlength}
@item Solaris
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@tab @command{route add -inet6} @var{network_address}@samp{/}@var{prefixlength} @var{local_address} @samp{-interface}
@item Darwin (MacOS/X)
@tab ?
@item Windows
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@tab @command{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@end multitable
@c ==================================================================
@ -3544,10 +3533,10 @@ There are many Linux distributions, and historically, many of them had their
own way of starting programs at boot time. Today, a number of major Linux
distributions have chosen to use systemd as their init system. Tinc ships with
systemd service files that allow you to start and stop tinc using systemd.
There are two service files: @code{tinc.service} is used to globally enable or
There are two service files: @samp{tinc.service} is used to globally enable or
disable all tinc daemons managed by systemd, and
@code{tinc@@@var{netname}.service} is used to enable or disable specific tinc
daemons. So if one has created a tinc network with netname @code{foo}, then
@samp{tinc@@@var{netname}.service} is used to enable or disable specific tinc
daemons. So if one has created a tinc network with netname @samp{foo}, then
you have to run the following two commands to ensure it is started at boot
time:
@ -3563,7 +3552,7 @@ following command:
systemctl start tinc@@foo
@end example
You can also use @samp{systemctl start tinc}, this will start all tinc daemons
You can also use @command{systemctl start tinc}, this will start all tinc daemons
that are enabled. You can stop and disable tinc networks in the same way.
If your system is not using systemd, then you have to look up your
@ -3573,10 +3562,10 @@ distribution's way of starting tinc at boot time.
@node Windows
@subsection Windows
On Windows, if tinc is started with the @code{tinc start} command without using
the @code{-D} or @code{--no-detach} option, it will automatically register
On Windows, if tinc is started with the @command{tinc start} command without using
the @option{-D} or @option{--no-detach} option, it will automatically register
itself as a service that is started at boot time. When tinc is stopped using
the @code{tinc stop} command, it will also automatically unregister itself.
the @command{tinc stop} command, it will also automatically unregister itself.
Once tinc is registered as a service, it is also possible to stop and start
tinc using the Windows Services Manager.

View file

@ -35,7 +35,7 @@ If that succeeds,
it will detach from the controlling terminal and continue in the background,
accepting and setting up connections to other tinc daemons
that are part of the virtual private network.
Under Windows (not Cygwin) tinc will install itself as a service,
Under Windows tinc will install itself as a service,
which will be restarted automatically after reboots.
.Sh OPTIONS
.Bl -tag -width indent

View file

@ -1,5 +1,5 @@
@set VERSION 1.1pre17
@set VERSION 1.1pre17-49-g4cc4b9bc
@set PACKAGE tinc
@set sysconfdir /etc
@set localstatedir /var
@set runstatedir /var/run
@set sysconfdir /usr/local/etc
@set localstatedir /usr/local/var
@set runstatedir /usr/local/var/run

View file

@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2018-03-11.20; # UTC
scriptversion=2020-11-14.01; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -69,6 +69,11 @@ posix_mkdir=
# Desired mode of installed file.
mode=0755
# Create dirs (including intermediate dirs) using mode 755.
# This is like GNU 'install' as of coreutils 8.32 (2020).
mkdir_umask=22
backupsuffix=
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
@ -99,18 +104,28 @@ Options:
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-C install only if different (preserve data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-p pass -p to $cpprog.
-s $stripprog installed files.
-S SUFFIX attempt to back up existing files, with suffix SUFFIX.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
By default, rm is invoked with -f; when overridden with RMPROG,
it's up to you to specify -f if you want it.
If -S is not specified, no backups are attempted.
Email bug reports to bug-automake@gnu.org.
Automake home page: https://www.gnu.org/software/automake/
"
while test $# -ne 0; do
@ -137,8 +152,13 @@ while test $# -ne 0; do
-o) chowncmd="$chownprog $2"
shift;;
-p) cpprog="$cpprog -p";;
-s) stripcmd=$stripprog;;
-S) backupsuffix="$2"
shift;;
-t)
is_target_a_directory=always
dst_arg=$2
@ -255,6 +275,10 @@ do
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
# Don't chown directories that already exist.
if test $dstdir_status = 0; then
chowncmd=""
fi
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
@ -301,22 +325,6 @@ do
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
@ -326,52 +334,49 @@ do
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# Note that $RANDOM variable is not portable (e.g. dash); Use it
# here however when possible just to lower collision chance.
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
# The $RANDOM variable is not portable (e.g., dash). Use it
# here however when possible just to lower collision chance.
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
trap '
ret=$?
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null
exit $ret
' 0
# Because "mkdir -p" follows existing symlinks and we likely work
# directly in world-writeable /tmp, make sure that the '$tmpdir'
# directory is successfully created first before we actually test
# 'mkdir -p' feature.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
# Because "mkdir -p" follows existing symlinks and we likely work
# directly in world-writeable /tmp, make sure that the '$tmpdir'
# directory is successfully created first before we actually test
# 'mkdir -p'.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac
if
@ -382,7 +387,7 @@ do
then :
else
# The umask is ridiculous, or mkdir does not conform to POSIX,
# mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
@ -411,7 +416,7 @@ do
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
(umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
@ -451,7 +456,18 @@ do
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
(umask $cp_umask &&
{ test -z "$stripcmd" || {
# Create $dsttmp read-write so that cp doesn't create it read-only,
# which would cause strip to fail.
if test -z "$doit"; then
: >"$dsttmp" # No need to fork-exec 'touch'.
else
$doit touch "$dsttmp"
fi
}
} &&
$doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
@ -477,6 +493,13 @@ do
then
rm -f "$dsttmp"
else
# If $backupsuffix is set, and the file being installed
# already exists, attempt a backup. Don't worry if it fails,
# e.g., if mv doesn't support -f.
if test -n "$backupsuffix" && test -f "$dst"; then
$doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null
fi
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
@ -491,9 +514,9 @@ do
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
$doit $rmcmd "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
{ $doit $rmcmd "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1

View file

@ -9,8 +9,8 @@ AC_DEFUN([tinc_ATTRIBUTE],
CFLAGS="$CFLAGS -Wall -Werror"
AC_COMPILE_IFELSE(
[AC_LANG_SOURCE(
[void *test(void) __attribute__ (($1));
void *test(void) { return (void *)0; }
[void *test(void *x) __attribute__ (($1));
void *test(void *x) { return (void *)x; }
],
)],
[tinc_cv_attribute_$1=yes],

View file

@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify

View file

@ -190,10 +190,6 @@ if MINGW
tincd_SOURCES += mingw/device.c mingw/common.h
endif
if CYGWIN
tincd_SOURCES += cygwin/device.c
endif
if UML
tincd_SOURCES += uml_device.c
endif

View file

@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# Makefile.in generated by automake 1.16.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@ -114,17 +114,16 @@ EXTRA_PROGRAMS = sptps_test$(EXEEXT) sptps_keypair$(EXEEXT) \
@BSD_TRUE@@TUNEMU_TRUE@am__append_8 = bsd/tunemu.c bsd/tunemu.h
@SOLARIS_TRUE@am__append_9 = solaris/device.c
@MINGW_TRUE@am__append_10 = mingw/device.c mingw/common.h
@CYGWIN_TRUE@am__append_11 = cygwin/device.c
@UML_TRUE@am__append_12 = uml_device.c
@VDE_TRUE@am__append_13 = vde_device.c
@OPENSSL_TRUE@am__append_14 = \
@UML_TRUE@am__append_11 = uml_device.c
@VDE_TRUE@am__append_12 = vde_device.c
@OPENSSL_TRUE@am__append_13 = \
@OPENSSL_TRUE@ openssl/cipher.c \
@OPENSSL_TRUE@ openssl/crypto.c \
@OPENSSL_TRUE@ openssl/digest.c openssl/digest.h \
@OPENSSL_TRUE@ openssl/prf.c \
@OPENSSL_TRUE@ openssl/rsa.c
@OPENSSL_TRUE@am__append_15 = \
@OPENSSL_TRUE@am__append_14 = \
@OPENSSL_TRUE@ openssl/cipher.c \
@OPENSSL_TRUE@ openssl/crypto.c \
@OPENSSL_TRUE@ openssl/digest.c openssl/digest.h \
@ -132,27 +131,27 @@ EXTRA_PROGRAMS = sptps_test$(EXEEXT) sptps_keypair$(EXEEXT) \
@OPENSSL_TRUE@ openssl/rsa.c \
@OPENSSL_TRUE@ openssl/rsagen.c
@OPENSSL_TRUE@am__append_16 = \
@OPENSSL_TRUE@am__append_15 = \
@OPENSSL_TRUE@ openssl/crypto.c \
@OPENSSL_TRUE@ openssl/digest.c openssl/digest.h \
@OPENSSL_TRUE@ openssl/prf.c
@OPENSSL_TRUE@am__append_17 = \
@OPENSSL_TRUE@am__append_16 = \
@OPENSSL_TRUE@ openssl/crypto.c
@OPENSSL_TRUE@am__append_18 = \
@OPENSSL_TRUE@am__append_17 = \
@OPENSSL_TRUE@ openssl/crypto.c \
@OPENSSL_TRUE@ openssl/digest.c openssl/digest.h \
@OPENSSL_TRUE@ openssl/prf.c
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_19 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_18 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/cipher.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/crypto.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/digest.c gcrypt/digest.h \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/prf.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/rsa.c
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_20 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_19 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/cipher.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/crypto.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/digest.c gcrypt/digest.h \
@ -160,20 +159,24 @@ EXTRA_PROGRAMS = sptps_test$(EXEEXT) sptps_keypair$(EXEEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/rsa.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/rsagen.c
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_21 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_20 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/cipher.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/crypto.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/digest.c gcrypt/digest.h \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/prf.c
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_22 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_21 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@ openssl/crypto.c
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_23 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__append_22 = \
@GCRYPT_TRUE@@OPENSSL_FALSE@ openssl/crypto.c \
@GCRYPT_TRUE@@OPENSSL_FALSE@ openssl/digest.c openssl/digest.h \
@GCRYPT_TRUE@@OPENSSL_FALSE@ openssl/prf.c
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_23 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/crypto.c \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/prf.c
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_24 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/crypto.c \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/prf.c
@ -183,18 +186,14 @@ EXTRA_PROGRAMS = sptps_test$(EXEEXT) sptps_keypair$(EXEEXT) \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/prf.c
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_26 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/crypto.c \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/prf.c
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_27 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/crypto.c
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_28 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@am__append_27 = \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/crypto.c \
@GCRYPT_FALSE@@OPENSSL_FALSE@ nolegacy/prf.c
@MINIUPNPC_TRUE@am__append_29 = upnp.h upnp.c
@TUNEMU_TRUE@am__append_30 = -lpcap
@MINIUPNPC_TRUE@am__append_28 = upnp.h upnp.c
@TUNEMU_TRUE@am__append_29 = -lpcap
subdir = src
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
@ -362,8 +361,8 @@ am__tincd_SOURCES_DIST = address_cache.c address_cache.h autoconnect.c \
chacha-poly1305/chacha-poly1305.h chacha-poly1305/poly1305.c \
chacha-poly1305/poly1305.h getopt.c getopt.h getopt1.c \
linux/device.c bsd/device.c bsd/tunemu.c bsd/tunemu.h \
solaris/device.c mingw/device.c mingw/common.h cygwin/device.c \
uml_device.c vde_device.c openssl/cipher.c openssl/crypto.c \
solaris/device.c mingw/device.c mingw/common.h uml_device.c \
vde_device.c openssl/cipher.c openssl/crypto.c \
openssl/digest.c openssl/digest.h openssl/prf.c openssl/rsa.c \
gcrypt/cipher.c gcrypt/crypto.c gcrypt/digest.c \
gcrypt/digest.h gcrypt/prf.c gcrypt/rsa.c nolegacy/crypto.c \
@ -373,19 +372,18 @@ am__tincd_SOURCES_DIST = address_cache.c address_cache.h autoconnect.c \
@BSD_TRUE@@TUNEMU_TRUE@am__objects_15 = bsd/tunemu.$(OBJEXT)
@SOLARIS_TRUE@am__objects_16 = solaris/device.$(OBJEXT)
@MINGW_TRUE@am__objects_17 = mingw/device.$(OBJEXT)
@CYGWIN_TRUE@am__objects_18 = cygwin/device.$(OBJEXT)
@UML_TRUE@am__objects_19 = uml_device.$(OBJEXT)
@VDE_TRUE@am__objects_20 = vde_device.$(OBJEXT)
@OPENSSL_TRUE@am__objects_21 = openssl/cipher.$(OBJEXT) \
@UML_TRUE@am__objects_18 = uml_device.$(OBJEXT)
@VDE_TRUE@am__objects_19 = vde_device.$(OBJEXT)
@OPENSSL_TRUE@am__objects_20 = openssl/cipher.$(OBJEXT) \
@OPENSSL_TRUE@ openssl/crypto.$(OBJEXT) \
@OPENSSL_TRUE@ openssl/digest.$(OBJEXT) openssl/prf.$(OBJEXT) \
@OPENSSL_TRUE@ openssl/rsa.$(OBJEXT)
@GCRYPT_TRUE@@OPENSSL_FALSE@am__objects_22 = gcrypt/cipher.$(OBJEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@am__objects_21 = gcrypt/cipher.$(OBJEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/crypto.$(OBJEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/digest.$(OBJEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/prf.$(OBJEXT) \
@GCRYPT_TRUE@@OPENSSL_FALSE@ gcrypt/rsa.$(OBJEXT)
@MINIUPNPC_TRUE@am__objects_23 = upnp.$(OBJEXT)
@MINIUPNPC_TRUE@am__objects_22 = upnp.$(OBJEXT)
am_tincd_OBJECTS = address_cache.$(OBJEXT) autoconnect.$(OBJEXT) \
buffer.$(OBJEXT) conf.$(OBJEXT) connection.$(OBJEXT) \
control.$(OBJEXT) dropin.$(OBJEXT) dummy_device.$(OBJEXT) \
@ -405,8 +403,7 @@ am_tincd_OBJECTS = address_cache.$(OBJEXT) autoconnect.$(OBJEXT) \
$(am__objects_2) $(am__objects_13) $(am__objects_14) \
$(am__objects_15) $(am__objects_16) $(am__objects_17) \
$(am__objects_18) $(am__objects_19) $(am__objects_20) \
$(am__objects_21) $(am__objects_22) $(am__objects_9) \
$(am__objects_23)
$(am__objects_21) $(am__objects_9) $(am__objects_22)
tincd_OBJECTS = $(am_tincd_OBJECTS)
@MINIUPNPC_TRUE@tincd_DEPENDENCIES = $(am__DEPENDENCIES_1)
tincd_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(tincd_LDFLAGS) \
@ -458,21 +455,20 @@ am__depfiles_remade = ./$(DEPDIR)/address_cache.Po \
chacha-poly1305/$(DEPDIR)/chacha-poly1305.Po \
chacha-poly1305/$(DEPDIR)/chacha.Po \
chacha-poly1305/$(DEPDIR)/poly1305.Po \
cygwin/$(DEPDIR)/device.Po ed25519/$(DEPDIR)/ecdh.Po \
ed25519/$(DEPDIR)/ecdsa.Po ed25519/$(DEPDIR)/ecdsagen.Po \
ed25519/$(DEPDIR)/fe.Po ed25519/$(DEPDIR)/ge.Po \
ed25519/$(DEPDIR)/key_exchange.Po ed25519/$(DEPDIR)/keypair.Po \
ed25519/$(DEPDIR)/sc.Po ed25519/$(DEPDIR)/sha512.Po \
ed25519/$(DEPDIR)/sign.Po ed25519/$(DEPDIR)/verify.Po \
gcrypt/$(DEPDIR)/cipher.Po gcrypt/$(DEPDIR)/crypto.Po \
gcrypt/$(DEPDIR)/digest.Po gcrypt/$(DEPDIR)/prf.Po \
gcrypt/$(DEPDIR)/rsa.Po gcrypt/$(DEPDIR)/rsagen.Po \
linux/$(DEPDIR)/device.Po mingw/$(DEPDIR)/device.Po \
nolegacy/$(DEPDIR)/crypto.Po nolegacy/$(DEPDIR)/prf.Po \
openssl/$(DEPDIR)/cipher.Po openssl/$(DEPDIR)/crypto.Po \
openssl/$(DEPDIR)/digest.Po openssl/$(DEPDIR)/prf.Po \
openssl/$(DEPDIR)/rsa.Po openssl/$(DEPDIR)/rsagen.Po \
solaris/$(DEPDIR)/device.Po
ed25519/$(DEPDIR)/ecdh.Po ed25519/$(DEPDIR)/ecdsa.Po \
ed25519/$(DEPDIR)/ecdsagen.Po ed25519/$(DEPDIR)/fe.Po \
ed25519/$(DEPDIR)/ge.Po ed25519/$(DEPDIR)/key_exchange.Po \
ed25519/$(DEPDIR)/keypair.Po ed25519/$(DEPDIR)/sc.Po \
ed25519/$(DEPDIR)/sha512.Po ed25519/$(DEPDIR)/sign.Po \
ed25519/$(DEPDIR)/verify.Po gcrypt/$(DEPDIR)/cipher.Po \
gcrypt/$(DEPDIR)/crypto.Po gcrypt/$(DEPDIR)/digest.Po \
gcrypt/$(DEPDIR)/prf.Po gcrypt/$(DEPDIR)/rsa.Po \
gcrypt/$(DEPDIR)/rsagen.Po linux/$(DEPDIR)/device.Po \
mingw/$(DEPDIR)/device.Po nolegacy/$(DEPDIR)/crypto.Po \
nolegacy/$(DEPDIR)/prf.Po openssl/$(DEPDIR)/cipher.Po \
openssl/$(DEPDIR)/crypto.Po openssl/$(DEPDIR)/digest.Po \
openssl/$(DEPDIR)/prf.Po openssl/$(DEPDIR)/rsa.Po \
openssl/$(DEPDIR)/rsagen.Po solaris/$(DEPDIR)/device.Po
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@ -555,7 +551,7 @@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LCOV = @LCOV@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@ -lm $(CODE_COVERAGE_LIBS) $(am__append_30)
LIBS = @LIBS@ -lm $(CODE_COVERAGE_LIBS) $(am__append_29)
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MINIUPNPC_LIBS = @MINIUPNPC_LIBS@
@ -665,28 +661,27 @@ tincd_SOURCES = address_cache.c address_cache.h autoconnect.c \
$(am__append_2) $(am__append_6) $(am__append_7) \
$(am__append_8) $(am__append_9) $(am__append_10) \
$(am__append_11) $(am__append_12) $(am__append_13) \
$(am__append_14) $(am__append_19) $(am__append_24) \
$(am__append_29)
$(am__append_18) $(am__append_23) $(am__append_28)
tinc_SOURCES = dropin.c dropin.h fsck.c fsck.h ifconfig.c ifconfig.h \
info.c info.h invitation.c invitation.h list.c list.h names.c \
names.h netutl.c netutl.h script.c script.h sptps.c sptps.h \
subnet_parse.c subnet.h tincctl.c tincctl.h top.c top.h \
utils.c utils.h version.c version.h ed25519/ecdh.c \
ed25519/ecdsa.c ed25519/ecdsagen.c $(ed25519_SOURCES) \
$(chacha_poly1305_SOURCES) $(am__append_3) $(am__append_15) \
$(am__append_20) $(am__append_25)
$(chacha_poly1305_SOURCES) $(am__append_3) $(am__append_14) \
$(am__append_19) $(am__append_24)
sptps_test_SOURCES = logger.c logger.h sptps.c sptps.h sptps_test.c \
utils.c utils.h ed25519/ecdh.c ed25519/ecdsa.c \
$(ed25519_SOURCES) $(chacha_poly1305_SOURCES) $(am__append_4) \
$(am__append_16) $(am__append_21) $(am__append_26)
$(am__append_15) $(am__append_20) $(am__append_25)
sptps_keypair_SOURCES = sptps_keypair.c utils.c utils.h \
ed25519/ecdsagen.c $(ed25519_SOURCES) $(am__append_5) \
$(am__append_17) $(am__append_22) $(am__append_27)
$(am__append_16) $(am__append_21) $(am__append_26)
sptps_speed_SOURCES = logger.c logger.h sptps.c sptps.h sptps_speed.c \
utils.c utils.h ed25519/ecdh.c ed25519/ecdsa.c \
ed25519/ecdsagen.c $(ed25519_SOURCES) \
$(chacha_poly1305_SOURCES) $(am__append_18) $(am__append_23) \
$(am__append_28)
$(chacha_poly1305_SOURCES) $(am__append_17) $(am__append_22) \
$(am__append_27)
@MINIUPNPC_TRUE@tincd_LDADD = $(MINIUPNPC_LIBS)
@MINIUPNPC_TRUE@tincd_LDFLAGS = -pthread
tinc_LDADD = $(READLINE_LIBS) $(CURSES_LIBS)
@ -924,14 +919,6 @@ mingw/$(DEPDIR)/$(am__dirstamp):
@: > mingw/$(DEPDIR)/$(am__dirstamp)
mingw/device.$(OBJEXT): mingw/$(am__dirstamp) \
mingw/$(DEPDIR)/$(am__dirstamp)
cygwin/$(am__dirstamp):
@$(MKDIR_P) cygwin
@: > cygwin/$(am__dirstamp)
cygwin/$(DEPDIR)/$(am__dirstamp):
@$(MKDIR_P) cygwin/$(DEPDIR)
@: > cygwin/$(DEPDIR)/$(am__dirstamp)
cygwin/device.$(OBJEXT): cygwin/$(am__dirstamp) \
cygwin/$(DEPDIR)/$(am__dirstamp)
tincd$(EXEEXT): $(tincd_OBJECTS) $(tincd_DEPENDENCIES) $(EXTRA_tincd_DEPENDENCIES)
@rm -f tincd$(EXEEXT)
@ -941,7 +928,6 @@ mostlyclean-compile:
-rm -f *.$(OBJEXT)
-rm -f bsd/*.$(OBJEXT)
-rm -f chacha-poly1305/*.$(OBJEXT)
-rm -f cygwin/*.$(OBJEXT)
-rm -f ed25519/*.$(OBJEXT)
-rm -f gcrypt/*.$(OBJEXT)
-rm -f linux/*.$(OBJEXT)
@ -1013,7 +999,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@chacha-poly1305/$(DEPDIR)/chacha-poly1305.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@chacha-poly1305/$(DEPDIR)/chacha.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@chacha-poly1305/$(DEPDIR)/poly1305.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@cygwin/$(DEPDIR)/device.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@ed25519/$(DEPDIR)/ecdh.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@ed25519/$(DEPDIR)/ecdsa.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@ed25519/$(DEPDIR)/ecdsagen.Po@am__quote@ # am--include-marker
@ -1189,8 +1174,6 @@ distclean-generic:
-rm -f bsd/$(am__dirstamp)
-rm -f chacha-poly1305/$(DEPDIR)/$(am__dirstamp)
-rm -f chacha-poly1305/$(am__dirstamp)
-rm -f cygwin/$(DEPDIR)/$(am__dirstamp)
-rm -f cygwin/$(am__dirstamp)
-rm -f ed25519/$(DEPDIR)/$(am__dirstamp)
-rm -f ed25519/$(am__dirstamp)
-rm -f gcrypt/$(DEPDIR)/$(am__dirstamp)
@ -1275,7 +1258,6 @@ distclean: distclean-am
-rm -f chacha-poly1305/$(DEPDIR)/chacha-poly1305.Po
-rm -f chacha-poly1305/$(DEPDIR)/chacha.Po
-rm -f chacha-poly1305/$(DEPDIR)/poly1305.Po
-rm -f cygwin/$(DEPDIR)/device.Po
-rm -f ed25519/$(DEPDIR)/ecdh.Po
-rm -f ed25519/$(DEPDIR)/ecdsa.Po
-rm -f ed25519/$(DEPDIR)/ecdsagen.Po
@ -1409,7 +1391,6 @@ maintainer-clean: maintainer-clean-am
-rm -f chacha-poly1305/$(DEPDIR)/chacha-poly1305.Po
-rm -f chacha-poly1305/$(DEPDIR)/chacha.Po
-rm -f chacha-poly1305/$(DEPDIR)/poly1305.Po
-rm -f cygwin/$(DEPDIR)/device.Po
-rm -f ed25519/$(DEPDIR)/ecdh.Po
-rm -f ed25519/$(DEPDIR)/ecdsa.Po
-rm -f ed25519/$(DEPDIR)/ecdsagen.Po

View file

@ -151,7 +151,7 @@ const sockaddr_t *get_recent_address(address_cache_t *cache) {
cache->cfg = lookup_config(cache->config_tree, "Address");
}
while(cache->cfg && !cache->ai) {
while(cache->cfg && !cache->aip) {
char *address, *port;
get_config_string(cache->cfg, &address);
@ -167,6 +167,10 @@ const sockaddr_t *get_recent_address(address_cache_t *cache) {
}
}
if(cache->ai) {
free_known_addresses(cache->ai);
}
cache->aip = cache->ai = str2addrinfo(address, port, SOCK_STREAM);
if(cache->ai) {

View file

@ -186,10 +186,9 @@ void do_autoconnect() {
drop_superfluous_outgoing_connection();
}
/* Drop pending outgoing connections from the outgoing list. */
drop_superfluous_pending_connections();
/* Check if there are unreachable nodes that we should try to connect to. */
connect_to_unreachable();
/* Drop pending outgoing connections from the outgoing list. */
drop_superfluous_pending_connections();
}

View file

@ -1,7 +1,7 @@
/*
device.c -- Interaction BSD tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans,
2001-2017 Guus Sliepen <guus@tinc-vpn.org>
2001-2021 Guus Sliepen <guus@tinc-vpn.org>
2009 Grzegorz Dymarek <gregd72002@googlemail.com>
This program is free software; you can redistribute it and/or modify
@ -40,8 +40,13 @@
#include <net/if_utun.h>
#endif
#if defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
#define DEFAULT_TUN_DEVICE "/dev/tun" // Use the autoclone device
#define DEFAULT_TAP_DEVICE "/dev/tap"
#else
#define DEFAULT_TUN_DEVICE "/dev/tun0"
#define DEFAULT_TAP_DEVICE "/dev/tap0"
#endif
typedef enum device_type {
DEVICE_TYPE_TUN,

View file

@ -4,7 +4,7 @@
1998-2005 Ivo Timmermans
2000 Cris van Pelt
2010-2011 Julien Muchembled <jm@jmuchemb.eu>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2000-2021 Guus Sliepen <guus@tinc-vpn.org>
2013 Florent Clairambault <florent@clairambault.fr>
This program is free software; you can redistribute it and/or modify
@ -206,20 +206,14 @@ bool get_config_subnet(const config_t *cfg, subnet_t **result) {
return false;
}
/* Teach newbies what subnets are... */
if(((subnet.type == SUBNET_IPV4)
&& !maskcheck(&subnet.net.ipv4.address, subnet.net.ipv4.prefixlength, sizeof(subnet.net.ipv4.address)))
|| ((subnet.type == SUBNET_IPV6)
&& !maskcheck(&subnet.net.ipv6.address, subnet.net.ipv6.prefixlength, sizeof(subnet.net.ipv6.address)))) {
logger(DEBUG_ALWAYS, LOG_ERR, "Network address and prefix length do not match for configuration variable %s in %s line %d",
cfg->variable, cfg->file, cfg->line);
return false;
if(subnetcheck(subnet)) {
*(*result = new_subnet()) = subnet;
return true;
}
*(*result = new_subnet()) = subnet;
return true;
logger(DEBUG_ALWAYS, LOG_ERR, "Network address and prefix length do not match for configuration variable %s in %s line %d",
cfg->variable, cfg->file, cfg->line);
return false;
}
/*

View file

@ -1,278 +0,0 @@
/*
device.c -- Interaction with Windows tap driver in a Cygwin environment
Copyright (C) 2002-2005 Ivo Timmermans,
2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "../system.h"
#include "../net.h"
#include <w32api/windows.h>
#include <w32api/winioctl.h>
#include "../conf.h"
#include "../device.h"
#include "../logger.h"
#include "../names.h"
#include "../route.h"
#include "../utils.h"
#include "../xalloc.h"
#include "../mingw/common.h"
int device_fd = -1;
static HANDLE device_handle = INVALID_HANDLE_VALUE;
char *device = NULL;
char *iface = NULL;
static const char *device_info = "Windows tap device";
static pid_t reader_pid;
static int sp[2];
static bool setup_device(void) {
HKEY key, key2;
int i, err;
char regpath[1024];
char adapterid[1024];
char adaptername[1024];
char tapname[1024];
char gelukt = 0;
long len;
bool found = false;
get_config_string(lookup_config(config_tree, "Device"), &device);
get_config_string(lookup_config(config_tree, "Interface"), &iface);
if(device && iface) {
logger(LOG_WARNING, "Warning: both Device and Interface specified, results may not be as expected");
}
/* Open registry and look for network adapters */
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, NETWORK_CONNECTIONS_KEY, 0, KEY_READ, &key)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unable to read registry: %s", winerror(GetLastError()));
return false;
}
for(i = 0; ; i++) {
len = sizeof(adapterid);
if(RegEnumKeyEx(key, i, adapterid, &len, 0, 0, 0, NULL)) {
break;
}
/* Find out more about this adapter */
snprintf(regpath, sizeof(regpath), "%s\\%s\\Connection", NETWORK_CONNECTIONS_KEY, adapterid);
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, regpath, 0, KEY_READ, &key2)) {
continue;
}
len = sizeof(adaptername);
err = RegQueryValueEx(key2, "Name", 0, 0, adaptername, &len);
RegCloseKey(key2);
if(err) {
continue;
}
if(device) {
if(!strcmp(device, adapterid)) {
found = true;
break;
} else {
continue;
}
}
if(iface) {
if(!strcmp(iface, adaptername)) {
found = true;
break;
} else {
continue;
}
}
snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, adapterid);
device_handle = CreateFile(tapname, GENERIC_WRITE | GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
if(device_handle != INVALID_HANDLE_VALUE) {
CloseHandle(device_handle);
found = true;
break;
}
}
RegCloseKey(key);
if(!found) {
logger(DEBUG_ALWAYS, LOG_ERR, "No Windows tap device found!");
return false;
}
if(!device) {
device = xstrdup(adapterid);
}
if(!iface) {
iface = xstrdup(adaptername);
}
snprintf(tapname, sizeof(tapname), USERMODEDEVICEDIR "%s" TAPSUFFIX, device);
/* Now we are going to open this device twice: once for reading and once for writing.
We do this because apparently it isn't possible to check for activity in the select() loop.
Furthermore I don't really know how to do it the "Windows" way. */
if(socketpair(AF_UNIX, SOCK_DGRAM, PF_UNIX, sp)) {
logger(DEBUG_ALWAYS, LOG_DEBUG, "System call `%s' failed: %s", "socketpair", strerror(errno));
return false;
}
/* The parent opens the tap device for writing. */
device_handle = CreateFile(tapname, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
if(device_handle == INVALID_HANDLE_VALUE) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not open Windows tap device %s (%s) for writing: %s", device, iface, winerror(GetLastError()));
return false;
}
device_fd = sp[0];
/* Get MAC address from tap device */
if(!DeviceIoControl(device_handle, TAP_IOCTL_GET_MAC, mymac.x, sizeof(mymac.x), mymac.x, sizeof(mymac.x), &len, 0)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not get MAC address from Windows tap device %s (%s): %s", device, iface, winerror(GetLastError()));
return false;
}
if(routing_mode == RMODE_ROUTER) {
overwrite_mac = 1;
}
/* Now we start the child */
reader_pid = fork();
if(reader_pid == -1) {
logger(DEBUG_ALWAYS, LOG_DEBUG, "System call `%s' failed: %s", "fork", strerror(errno));
return false;
}
if(!reader_pid) {
/* The child opens the tap device for reading, blocking.
It passes everything it reads to the socket. */
char buf[MTU];
long inlen;
CloseHandle(device_handle);
device_handle = CreateFile(tapname, GENERIC_READ, FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
if(device_handle == INVALID_HANDLE_VALUE) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not open Windows tap device %s (%s) for reading: %s", device, iface, winerror(GetLastError()));
buf[0] = 0;
write(sp[1], buf, 1);
exit(1);
}
logger(DEBUG_ALWAYS, LOG_DEBUG, "Tap reader forked and running.");
/* Notify success */
buf[0] = 1;
write(sp[1], buf, 1);
/* Pass packets */
for(;;) {
ReadFile(device_handle, buf, MTU, &inlen, NULL);
write(sp[1], buf, inlen);
}
}
read(device_fd, &gelukt, 1);
if(gelukt != 1) {
logger(DEBUG_ALWAYS, LOG_DEBUG, "Tap reader failed!");
return false;
}
logger(DEBUG_ALWAYS, LOG_INFO, "%s (%s) is a %s", device, iface, device_info);
return true;
}
static void close_device(void) {
close(sp[0]);
close(sp[1]);
CloseHandle(device_handle);
device_handle = INVALID_HANDLE_VALUE;
kill(reader_pid, SIGKILL);
free(device);
device = NULL;
free(iface);
iface = NULL;
device_info = NULL;
}
static bool read_packet(vpn_packet_t *packet) {
int inlen;
if((inlen = read(sp[0], DATA(packet), MTU)) <= 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
}
packet->len = inlen;
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Read packet of %d bytes from %s", packet->len,
device_info);
return true;
}
static bool write_packet(vpn_packet_t *packet) {
long outlen;
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Writing packet of %d bytes to %s",
packet->len, device_info);
if(!WriteFile(device_handle, DATA(packet), packet->len, &outlen, NULL)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error while writing to %s %s: %s", device_info, device, winerror(GetLastError()));
return false;
}
return true;
}
const devops_t os_devops = {
.setup = setup_device,
.close = close_device,
.read = read_packet,
.write = write_packet,
};

View file

@ -1,7 +1,7 @@
/*
dropin.c -- a set of drop-in replacements for libc functions
Copyright (C) 2000-2005 Ivo Timmermans,
2000-2016 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -82,6 +82,8 @@ int daemon(int nochdir, int noclose) {
return 0;
#else
(void)nochdir;
(void)noclose;
return -1;
#endif
}
@ -144,6 +146,7 @@ int gettimeofday(struct timeval *tv, void *tz) {
#ifndef HAVE_NANOSLEEP
int nanosleep(const struct timespec *req, struct timespec *rem) {
(void)rem;
struct timeval tv = {req->tv_sec, req->tv_nsec / 1000};
return select(0, NULL, NULL, NULL, &tv);
}

View file

@ -1,6 +1,6 @@
/*
edge.c -- edge tree management
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2021 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -83,14 +83,26 @@ void free_edge(edge_t *e) {
}
void edge_add(edge_t *e) {
splay_insert(edge_weight_tree, e);
splay_insert(e->from->edge_tree, e);
splay_node_t *node = splay_insert(e->from->edge_tree, e);
if(!node) {
logger(DEBUG_ALWAYS, LOG_ERR, "Edge from %s to %s already exists in edge_tree\n", e->from->name, e->to->name);
return;
}
e->reverse = lookup_edge(e->to, e->from);
if(e->reverse) {
e->reverse->reverse = e;
}
node = splay_insert(edge_weight_tree, e);
if(!node) {
logger(DEBUG_ALWAYS, LOG_ERR, "Edge from %s to %s already exists in edge_weight_tree\n", e->from->name, e->to->name);
return;
}
}
void edge_del(edge_t *e) {

View file

@ -63,7 +63,7 @@ struct ether_header {
uint8_t ether_dhost[ETH_ALEN];
uint8_t ether_shost[ETH_ALEN];
uint16_t ether_type;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#endif
#ifndef HAVE_STRUCT_ARPHDR
@ -73,7 +73,7 @@ struct arphdr {
uint8_t ar_hln;
uint8_t ar_pln;
uint16_t ar_op;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#define ARPOP_REQUEST 1
#define ARPOP_REPLY 2
@ -91,7 +91,7 @@ struct ether_arp {
uint8_t arp_spa[4];
uint8_t arp_tha[ETH_ALEN];
uint8_t arp_tpa[4];
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#define arp_hrd ea_hdr.ar_hrd
#define arp_pro ea_hdr.ar_pro
#define arp_hln ea_hdr.ar_hln

View file

@ -1,6 +1,6 @@
/*
event.c -- I/O, timeout and signal event handling
Copyright (C) 2012-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2012-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -378,7 +378,7 @@ bool event_loop(void) {
while(running) {
struct timeval diff;
struct timeval *tv = get_time_remaining(&diff);
DWORD timeout_ms = tv ? (tv->tv_sec * 1000 + tv->tv_usec / 1000 + 1) : WSA_INFINITE;
DWORD timeout_ms = tv ? (DWORD)(tv->tv_sec * 1000 + tv->tv_usec / 1000 + 1) : WSA_INFINITE;
if(!event_count) {
Sleep(timeout_ms);
@ -436,7 +436,7 @@ bool event_loop(void) {
}
if(result < WSA_WAIT_EVENT_0 || result >= WSA_WAIT_EVENT_0 + event_count - event_offset) {
return(false);
return false;
}
/* Look up io in the map by index. */

View file

@ -1,9 +1,9 @@
/*
fd_device.c -- Interaction with Android tun fd
Copyright (C) 2001-2005 Ivo Timmermans,
2001-2016 Guus Sliepen <guus@tinc-vpn.org>
2001-2021 Guus Sliepen <guus@tinc-vpn.org>
2009 Grzegorz Dymarek <gregd72002@googlemail.com>
2016 Pacien TRAN-GIRARD <pacien@pacien.net>
2016-2020 Pacien TRAN-GIRARD <pacien@pacien.net>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -21,6 +21,10 @@
*/
#include "system.h"
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#include "conf.h"
#include "device.h"
#include "ethernet.h"
@ -29,23 +33,132 @@
#include "route.h"
#include "utils.h"
static inline bool check_config(void) {
struct unix_socket_addr {
size_t size;
struct sockaddr_un addr;
};
static int read_fd(int socket) {
char iobuf;
struct iovec iov = {0};
char cmsgbuf[CMSG_SPACE(sizeof(device_fd))];
struct msghdr msg = {0};
int ret;
struct cmsghdr *cmsgptr;
iov.iov_base = &iobuf;
iov.iov_len = 1;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmsgbuf;
msg.msg_controllen = sizeof(cmsgbuf);
if((ret = recvmsg(socket, &msg, 0)) < 1) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not read from unix socket (error %d)!", ret);
return -1;
}
#ifdef IP_RECVERR
if(msg.msg_flags & (MSG_CTRUNC | MSG_OOB | MSG_ERRQUEUE)) {
#else
if(msg.msg_flags & (MSG_CTRUNC | MSG_OOB)) {
#endif
logger(DEBUG_ALWAYS, LOG_ERR, "Error while receiving message (flags %d)!", msg.msg_flags);
return -1;
}
cmsgptr = CMSG_FIRSTHDR(&msg);
if(cmsgptr->cmsg_level != SOL_SOCKET) {
logger(DEBUG_ALWAYS, LOG_ERR, "Wrong CMSG level: %d, expected %d!",
cmsgptr->cmsg_level, SOL_SOCKET);
return -1;
}
if(cmsgptr->cmsg_type != SCM_RIGHTS) {
logger(DEBUG_ALWAYS, LOG_ERR, "Wrong CMSG type: %d, expected %d!",
cmsgptr->cmsg_type, SCM_RIGHTS);
return -1;
}
if(cmsgptr->cmsg_len != CMSG_LEN(sizeof(device_fd))) {
logger(DEBUG_ALWAYS, LOG_ERR, "Wrong CMSG data length: %lu, expected %lu!",
(unsigned long)cmsgptr->cmsg_len, (unsigned long)CMSG_LEN(sizeof(device_fd)));
return -1;
}
return *(int *) CMSG_DATA(cmsgptr);
}
static int receive_fd(struct unix_socket_addr socket_addr) {
int socketfd;
int ret;
int result;
if((socketfd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not open stream socket (error %d)!", socketfd);
return -1;
}
if((ret = connect(socketfd, (struct sockaddr *) &socket_addr.addr, socket_addr.size)) < 0) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not connect to Unix socket (error %d)!", ret);
result = -1;
goto end;
}
result = read_fd(socketfd);
end:
close(socketfd);
return result;
}
static struct unix_socket_addr parse_socket_addr(const char *path) {
struct sockaddr_un socket_addr;
size_t path_length;
if(strlen(path) >= sizeof(socket_addr.sun_path)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Unix socket path too long!");
return (struct unix_socket_addr) {
0
};
}
socket_addr.sun_family = AF_UNIX;
strncpy(socket_addr.sun_path, path, sizeof(socket_addr.sun_path));
if(path[0] == '@') {
/* abstract namespace socket */
socket_addr.sun_path[0] = '\0';
path_length = strlen(path);
} else {
/* filesystem path with NUL terminator */
path_length = strlen(path) + 1;
}
return (struct unix_socket_addr) {
.size = offsetof(struct sockaddr_un, sun_path) + path_length,
.addr = socket_addr
};
}
static bool setup_device(void) {
if(routing_mode == RMODE_SWITCH) {
logger(DEBUG_ALWAYS, LOG_ERR, "Switch mode not supported (requires unsupported TAP device)!");
return false;
}
if(!get_config_int(lookup_config(config_tree, "Device"), &device_fd)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not read fd from configuration!");
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Could not read device from configuration!");
return false;
}
return true;
}
static bool setup_device(void) {
if(!check_config()) {
return false;
/* device is either directly a file descriptor or an unix socket to read it from */
if(sscanf(device, "%d", &device_fd) != 1) {
logger(DEBUG_ALWAYS, LOG_INFO, "Receiving fd from Unix socket at %s.", device);
device_fd = receive_fd(parse_socket_addr(device));
}
if(device_fd < 0) {
@ -123,3 +236,4 @@ const devops_t fd_devops = {
.read = read_packet,
.write = write_packet,
};
#endif

View file

@ -1,6 +1,6 @@
/*
fsck.c -- Check the configuration files for problems
Copyright (C) 2014 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2014-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -254,7 +254,7 @@ int fsck(const char *argv0) {
return 1;
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
#ifndef HAVE_MINGW
if(st.st_mode & 077) {
fprintf(stderr, "WARNING: unsafe file permissions on %s.\n", fname);
@ -303,7 +303,7 @@ int fsck(const char *argv0) {
return 1;
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
#ifndef HAVE_MINGW
if(st.st_mode & 077) {
fprintf(stderr, "WARNING: unsafe file permissions on %s.\n", fname);
@ -385,26 +385,38 @@ int fsck(const char *argv0) {
return 1;
}
char buf1[len], buf2[len], buf3[len];
randomize(buf1, sizeof(buf1));
char *buf1 = malloc(len);
char *buf2 = malloc(len);
char *buf3 = malloc(len);
randomize(buf1, len);
buf1[0] &= 0x7f;
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf2));
memset(buf2, 0, len);
memset(buf3, 0, len);
bool result = false;
if(!rsa_public_encrypt(rsa_pub, buf1, sizeof(buf1), buf2)) {
if(rsa_public_encrypt(rsa_pub, buf1, len, buf2)) {
if(rsa_private_decrypt(rsa_priv, buf2, len, buf3)) {
if(memcmp(buf1, buf3, len)) {
result = true;
} else {
fprintf(stderr, "ERROR: public and private RSA keys do not match.\n");
}
} else {
fprintf(stderr, "ERROR: private RSA key does not work.\n");
}
} else {
fprintf(stderr, "ERROR: public RSA key does not work.\n");
}
free(buf3);
free(buf2);
free(buf1);
if(!result) {
return 1;
}
if(!rsa_private_decrypt(rsa_priv, buf2, sizeof(buf2), buf3)) {
fprintf(stderr, "ERROR: private RSA key does not work.\n");
return 1;
}
if(memcmp(buf1, buf3, sizeof(buf1))) {
fprintf(stderr, "ERROR: public and private RSA keys do not match.\n");
return 1;
}
}
} else {
if(rsa_pub) {

View file

@ -4,7 +4,7 @@
/*
have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans
2003-2016 Guus Sliepen <guus@tinc-vpn.org>
2003-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -57,6 +57,10 @@
/* Include system specific headers */
#ifdef HAVE_STDDEF_H
#include <stddef.h>
#endif
#ifdef HAVE_SYSLOG_H
#include <syslog.h>
#endif

View file

@ -1,6 +1,6 @@
/*
ifconfig.c -- Generate platform specific interface configuration commands
Copyright (C) 2016-2017 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2016-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -71,10 +71,12 @@ void ifconfig_dhcp(FILE *out) {
}
void ifconfig_dhcp6(FILE *out) {
(void)out;
fprintf(stderr, "DHCPv6 requested, but not supported by tinc on this platform\n");
}
void ifconfig_slaac(FILE *out) {
(void)out;
// It's the default?
}
@ -126,7 +128,7 @@ void ifconfig_address(FILE *out, const char *value) {
return;
}
#elif defined(HAVE_MINGW) || defined(HAVE_CYGWIN)
#elif defined(HAVE_MINGW)
switch(address.type) {
case SUBNET_MAC:
@ -134,11 +136,11 @@ void ifconfig_address(FILE *out, const char *value) {
break;
case SUBNET_IPV4:
fprintf(out, "netsh inetface ipv4 set address \"$INTERFACE\" static %s\n", address_str);
fprintf(out, "netsh interface ipv4 set address \"%%INTERFACE%%\" static %s\n", address_str);
break;
case SUBNET_IPV6:
fprintf(out, "netsh inetface ipv6 set address \"$INTERFACE\" static %s\n", address_str);
fprintf(out, "netsh interface ipv6 set address \"%%INTERFACE%%\" %s\n", address_str);
break;
default:
@ -199,11 +201,11 @@ void ifconfig_route(FILE *out, const char *value) {
if(*gateway_str) {
switch(subnet.type) {
case SUBNET_IPV4:
fprintf(out, "ip route add %s via %s dev \"$INTERFACE\"\n", subnet_str, gateway_str);
fprintf(out, "ip route add %s via %s dev \"$INTERFACE\" onlink\n", subnet_str, gateway_str);
break;
case SUBNET_IPV6:
fprintf(out, "ip route add %s via %s dev \"$INTERFACE\"\n", subnet_str, gateway_str);
fprintf(out, "ip route add %s via %s dev \"$INTERFACE\" onlink\n", subnet_str, gateway_str);
break;
default:
@ -224,16 +226,16 @@ void ifconfig_route(FILE *out, const char *value) {
}
}
#elif defined(HAVE_MINGW) || defined(HAVE_CYGWIN)
#elif defined(HAVE_MINGW)
if(*gateway_str) {
switch(subnet.type) {
case SUBNET_IPV4:
fprintf(out, "netsh inetface ipv4 add route %s \"%%INTERFACE%%\" %s\n", subnet_str, gateway_str);
fprintf(out, "netsh interface ipv4 add route %s \"%%INTERFACE%%\" %s\n", subnet_str, gateway_str);
break;
case SUBNET_IPV6:
fprintf(out, "netsh inetface ipv6 add route %s \"%%INTERFACE%%\" %s\n", subnet_str, gateway_str);
fprintf(out, "netsh interface ipv6 add route %s \"%%INTERFACE%%\" %s\n", subnet_str, gateway_str);
break;
default:
@ -242,11 +244,11 @@ void ifconfig_route(FILE *out, const char *value) {
} else {
switch(subnet.type) {
case SUBNET_IPV4:
fprintf(out, "netsh inetface ipv4 add route %s \"%%INTERFACE%%\"\n", subnet_str);
fprintf(out, "netsh interface ipv4 add route %s \"%%INTERFACE%%\"\n", subnet_str);
break;
case SUBNET_IPV6:
fprintf(out, "netsh inetface ipv6 add route %s \"%%INTERFACE%%\"\n", subnet_str);
fprintf(out, "netsh interface ipv6 add route %s \"%%INTERFACE%%\"\n", subnet_str);
break;
default:

View file

@ -836,8 +836,12 @@ make_names:
fprintf(stderr, "Ignoring unknown variable '%s' in invitation.\n", l);
continue;
} else if(!(variables[i].type & VAR_SAFE)) {
fprintf(stderr, "Ignoring unsafe variable '%s' in invitation.\n", l);
continue;
if(force) {
fprintf(stderr, "Warning: unsafe variable '%s' in invitation.\n", l);
} else {
fprintf(stderr, "Ignoring unsafe variable '%s' in invitation.\n", l);
continue;
}
}
// Copy the safe variable to the right config file
@ -983,7 +987,12 @@ ask_netname:
char filename2[PATH_MAX];
snprintf(filename, sizeof(filename), "%s" SLASH "tinc-up.invitation", confbase);
#ifdef HAVE_MINGW
snprintf(filename2, sizeof(filename2), "%s" SLASH "tinc-up.bat", confbase);
#else
snprintf(filename2, sizeof(filename2), "%s" SLASH "tinc-up", confbase);
#endif
if(valid_tinc_up) {
if(tty) {
@ -1013,10 +1022,14 @@ ask_netname:
char *command;
#ifndef HAVE_MINGW
const char *editor = getenv("VISUAL");
if (!editor)
if(!editor) {
editor = getenv("EDITOR");
if (!editor)
}
if(!editor) {
editor = "vi";
}
xasprintf(&command, "\"%s\" \"%s\"", editor, filename);
#else

View file

@ -81,7 +81,7 @@ struct ip {
uint8_t ip_p;
uint16_t ip_sum;
struct in_addr ip_src, ip_dst;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#endif
#ifndef IP_OFFMASK
@ -143,7 +143,7 @@ struct icmp {
#define icmp_radv icmp_dun.id_radv
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#endif
#endif

View file

@ -49,7 +49,7 @@ struct ip6_hdr {
} ip6_ctlun;
struct in6_addr ip6_src;
struct in6_addr ip6_dst;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#define ip6_vfc ip6_ctlun.ip6_un2_vfc
#define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow
#define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen
@ -68,7 +68,7 @@ struct icmp6_hdr {
uint16_t icmp6_un_data16[2];
uint8_t icmp6_un_data8[4];
} icmp6_dataun;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#define ICMP6_DST_UNREACH_NOROUTE 0
#define ICMP6_DST_UNREACH 1
#define ICMP6_PACKET_TOO_BIG 2
@ -88,7 +88,7 @@ struct icmp6_hdr {
struct nd_neighbor_solicit {
struct icmp6_hdr nd_ns_hdr;
struct in6_addr nd_ns_target;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#define ND_OPT_SOURCE_LINKADDR 1
#define ND_OPT_TARGET_LINKADDR 2
#define nd_ns_type nd_ns_hdr.icmp6_type
@ -101,7 +101,7 @@ struct nd_neighbor_solicit {
struct nd_opt_hdr {
uint8_t nd_opt_type;
uint8_t nd_opt_len;
} __attribute__((__gcc_struct__, __packed__));
} __attribute__((__gcc_struct__)) __attribute((__packed__));
#endif
#endif

View file

@ -1,6 +1,6 @@
/*
meta.c -- handle the meta communication
Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2018 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
2006 Scott Lamb <slamb@slamb.org>
@ -31,7 +31,9 @@
#include "xalloc.h"
#ifndef MIN
#define MIN(x, y) (((x)<(y))?(x):(y))
static ssize_t MIN(ssize_t x, ssize_t y) {
return x < y ? x : y;
}
#endif
bool send_meta_sptps(void *handle, uint8_t type, const void *buffer, size_t length) {

View file

@ -1,7 +1,7 @@
/*
device.c -- Interaction with Windows tap driver in a MinGW environment
Copyright (C) 2002-2005 Ivo Timmermans,
2002-2014 Guus Sliepen <guus@tinc-vpn.org>
2002-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -71,6 +71,9 @@ static void device_issue_read() {
}
static void device_handle_read(void *data, int flags) {
(void)data;
(void)flags;
DWORD len;
if(!GetOverlappedResult(device_handle, &device_read_overlapped, &len, FALSE)) {
@ -300,6 +303,7 @@ static void close_device(void) {
}
static bool read_packet(vpn_packet_t *packet) {
(void)packet;
return false;
}

View file

@ -1,7 +1,7 @@
/*
names.c -- generate commonly used (file)names
Copyright (C) 1998-2005 Ivo Timmermans
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -93,6 +93,7 @@ void make_names(bool daemon) {
}
#ifdef HAVE_MINGW
(void)daemon;
if(!logfilename) {
xasprintf(&logfilename, "%s" SLASH "log", confbase);

View file

@ -1,7 +1,7 @@
/*
net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2021 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2011 Loïc Grenié <loic.grenie@gmail.com>
@ -404,20 +404,18 @@ int reload_configuration(void) {
while(cfg) {
subnet_t *subnet, *s2;
if(!get_config_subnet(cfg, &subnet)) {
continue;
}
if(get_config_subnet(cfg, &subnet)) {
if((s2 = lookup_subnet(myself, subnet))) {
if(s2->expires == 1) {
s2->expires = 0;
}
if((s2 = lookup_subnet(myself, subnet))) {
if(s2->expires == 1) {
s2->expires = 0;
free_subnet(subnet);
} else {
subnet_add(myself, subnet);
send_add_subnet(everyone, subnet);
subnet_update(myself, subnet, true);
}
free_subnet(subnet);
} else {
subnet_add(myself, subnet);
send_add_subnet(everyone, subnet);
subnet_update(myself, subnet, true);
}
cfg = lookup_config_next(config_tree, cfg);

View file

@ -121,7 +121,6 @@ typedef struct listen_socket_t {
typedef struct outgoing_t {
struct node_t *node;
int timeout;
struct address_cache_t *address_cache;
timeout_t ev;
} outgoing_t;

View file

@ -1,7 +1,7 @@
/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2021 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
@ -152,11 +152,12 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
len = ntohs(len16);
}
if(n->udp_ping_sent.tv_sec != 0) { // a probe in flight
if(n->status.ping_sent) { // a probe in flight
gettimeofday(&now, NULL);
struct timeval rtt;
timersub(&now, &n->udp_ping_sent, &rtt);
n->udp_ping_rtt = rtt.tv_sec * 1000000 + rtt.tv_usec;
n->status.ping_sent = false;
logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s) rtt=%d.%03d", DATA(packet)[0], len, n->name, n->hostname, n->udp_ping_rtt / 1000, n->udp_ping_rtt % 1000);
} else {
logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], len, n->name, n->hostname);
@ -175,8 +176,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
reset_address_cache(n->address_cache, &n->address);
}
// Reset the UDP ping timer. (no probe in flight)
n->udp_ping_sent.tv_sec = 0;
// Reset the UDP ping timer.
if(udp_discovery) {
timeout_del(&n->udp_ping_timeout);
@ -314,13 +314,6 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) {
}
static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
size_t outlen;
pkt1.offset = DEFAULT_PACKET_OFFSET;
pkt2.offset = DEFAULT_PACKET_OFFSET;
if(n->status.sptps) {
if(!n->sptps.state) {
if(!n->status.waitingforkey) {
@ -356,6 +349,12 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
#ifdef DISABLE_LEGACY
return false;
#else
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
int nextpkt = 0;
size_t outlen;
pkt1.offset = DEFAULT_PACKET_OFFSET;
pkt2.offset = DEFAULT_PACKET_OFFSET;
if(!n->status.validkey_in) {
logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname);
@ -546,7 +545,10 @@ bool receive_tcppacket_sptps(connection_t *c, const char *data, size_t len) {
/* If we're not the final recipient, relay the packet. */
if(to != myself) {
send_sptps_data(to, from, 0, data, len);
if(to->status.validkey) {
send_sptps_data(to, from, 0, data, len);
}
try_tx(to, true);
return true;
}
@ -699,18 +701,6 @@ static void choose_local_address(const node_t *n, const sockaddr_t **sa, int *so
}
static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
vpn_packet_t *inpkt = origpkt;
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen = origpkt->len;
size_t outlen;
int origpriority = origpkt->priority;
pkt1.offset = DEFAULT_PACKET_OFFSET;
pkt2.offset = DEFAULT_PACKET_OFFSET;
if(!n->status.reachable) {
logger(DEBUG_TRAFFIC, LOG_INFO, "Trying to send UDP packet to unreachable node %s (%s)", n->name, n->hostname);
return;
@ -724,6 +714,18 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
#ifdef DISABLE_LEGACY
return;
#else
vpn_packet_t pkt1, pkt2;
vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
vpn_packet_t *inpkt = origpkt;
int nextpkt = 0;
vpn_packet_t *outpkt;
int origlen = origpkt->len;
size_t outlen;
int origpriority = origpkt->priority;
pkt1.offset = DEFAULT_PACKET_OFFSET;
pkt2.offset = DEFAULT_PACKET_OFFSET;
/* Make sure we have a valid key */
if(!n->status.validkey) {
@ -1133,6 +1135,7 @@ static void try_udp(node_t *n) {
if(ping_tx_elapsed.tv_sec >= interval) {
gettimeofday(&now, NULL);
n->udp_ping_sent = now; // a probe in flight
n->status.ping_sent = true;
send_udp_probe_packet(n, MIN_PROBE_SIZE);
if(localdiscovery && !n->status.udp_confirmed && n->prevedge) {
@ -1229,9 +1232,8 @@ static length_t choose_initial_maxmtu(node_t *n) {
return mtu;
#else
(void)n;
return MTU;
#endif
}
@ -1776,13 +1778,13 @@ void handle_incoming_vpn_data(void *data, int flags) {
#else
vpn_packet_t pkt;
sockaddr_t addr = {};
sockaddr_t addr = {0};
socklen_t addrlen = sizeof(addr);
pkt.offset = 0;
int len = recvfrom(ls->udp.fd, (void *)DATA(&pkt), MAXSIZE, 0, &addr.sa, &addrlen);
if(len <= 0 || len > MAXSIZE) {
if(len <= 0 || (size_t)len > MAXSIZE) {
if(!sockwouldblock(sockerrno)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Receiving packet failed: %s", sockstrerror(sockerrno));
}

View file

@ -1,7 +1,7 @@
/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2021 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
@ -215,14 +215,14 @@ static bool read_ecdsa_private_key(void) {
logger(DEBUG_ALWAYS, LOG_ERR, "Error reading Ed25519 private key file `%s': %s", fname, strerror(errno));
if(errno == ENOENT) {
logger(DEBUG_ALWAYS, LOG_INFO, "Create an Ed25519 keypair with `tinc -n %s generate-ed25519-keys'.", netname ? netname : ".");
logger(DEBUG_ALWAYS, LOG_INFO, "Create an Ed25519 key pair with `tinc -n %s generate-ed25519-keys'.", netname ? netname : ".");
}
free(fname);
return false;
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
#ifndef HAVE_MINGW
struct stat s;
if(fstat(fileno(fp), &s)) {
@ -307,14 +307,14 @@ static bool read_rsa_private_key(void) {
fname, strerror(errno));
if(errno == ENOENT) {
logger(DEBUG_ALWAYS, LOG_INFO, "Create an RSA keypair with `tinc -n %s generate-rsa-keys'.", netname ? netname : ".");
logger(DEBUG_ALWAYS, LOG_INFO, "Create an RSA key pair with `tinc -n %s generate-rsa-keys'.", netname ? netname : ".");
}
free(fname);
return false;
}
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
#ifndef HAVE_MINGW
struct stat s;
if(fstat(fileno(fp), &s)) {
@ -341,6 +341,7 @@ static bool read_rsa_private_key(void) {
}
#endif
#ifndef DISABLE_LEGACY
static timeout_t keyexpire_timeout;
static void keyexpire_handler(void *data) {
@ -349,6 +350,7 @@ static void keyexpire_handler(void *data) {
keylifetime, rand() % 100000
});
}
#endif
void regenerate_key(void) {
logger(DEBUG_STATUS, LOG_INFO, "Expiring symmetric keys");
@ -822,7 +824,7 @@ void device_disable(void) {
Configure node_t myself and set up the local sockets (listen only)
*/
static bool setup_myself(void) {
char *name, *hostname, *cipher, *digest, *type;
char *name, *hostname, *type;
char *address = NULL;
bool port_specified = false;
@ -967,6 +969,8 @@ static bool setup_myself(void) {
#ifndef DISABLE_LEGACY
/* Generate packet encryption key */
char *cipher;
if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
cipher = xstrdup("aes-256-cbc");
}
@ -995,6 +999,8 @@ static bool setup_myself(void) {
return false;
}
char *digest;
if(!get_config_string(lookup_config(config_tree, "Digest"), &digest)) {
digest = xstrdup("sha256");
}
@ -1047,10 +1053,14 @@ static bool setup_myself(void) {
devops = raw_socket_devops;
} else if(!strcasecmp(type, "multicast")) {
devops = multicast_devops;
} else if(!strcasecmp(type, "fd")) {
}
#ifdef HAVE_SYS_UN_H
else if(!strcasecmp(type, "fd")) {
devops = fd_devops;
}
#endif
#ifdef ENABLE_UML
else if(!strcasecmp(type, "uml")) {
devops = uml_devops;

View file

@ -1,7 +1,7 @@
/*
net_socket.c -- Handle various kinds of sockets.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2009 Florian Forster <octo@verplant.org>
@ -122,6 +122,7 @@ static bool bind_to_interface(int sd) {
}
#else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */
(void)sd;
logger(DEBUG_ALWAYS, LOG_WARNING, "%s not supported on this platform", "BindToInterface");
#endif
@ -387,7 +388,7 @@ void finish_connecting(connection_t *c) {
send_id(c);
}
static void do_outgoing_pipe(connection_t *c, char *command) {
static void do_outgoing_pipe(connection_t *c, const char *command) {
#ifndef HAVE_MINGW
int fd[2];
@ -435,6 +436,8 @@ static void do_outgoing_pipe(connection_t *c, char *command) {
exit(result);
#else
(void)c;
(void)command;
logger(DEBUG_ALWAYS, LOG_ERR, "Proxy type exec not supported on this platform!");
return;
#endif
@ -524,7 +527,7 @@ bool do_outgoing_connection(outgoing_t *outgoing) {
int result;
begin:
sa = get_recent_address(outgoing->address_cache);
sa = get_recent_address(outgoing->node->address_cache);
if(!sa) {
logger(DEBUG_CONNECTIONS, LOG_ERR, "Could not set up a meta connection to %s", outgoing->node->name);
@ -629,6 +632,10 @@ void setup_outgoing_connection(outgoing_t *outgoing, bool verbose) {
node_t *n = outgoing->node;
if(!n->address_cache) {
n->address_cache = open_address_cache(n);
}
if(n->connection) {
logger(DEBUG_CONNECTIONS, LOG_INFO, "Already connected to %s", n->name);
@ -640,10 +647,6 @@ void setup_outgoing_connection(outgoing_t *outgoing, bool verbose) {
}
}
if(!outgoing->address_cache) {
outgoing->address_cache = open_address_cache(n);
}
do_outgoing_connection(outgoing);
return;
@ -784,11 +787,6 @@ void handle_new_unix_connection(void *data, int flags) {
static void free_outgoing(outgoing_t *outgoing) {
timeout_del(&outgoing->ev);
if(outgoing->address_cache) {
close_address_cache(outgoing->address_cache);
}
free(outgoing);
}

View file

@ -41,7 +41,8 @@ typedef struct node_status_t {
unsigned int udppacket: 1; /* 1 if the most recently received packet was UDP */
unsigned int validkey_in: 1; /* 1 if we have sent a valid key to him */
unsigned int has_address: 1; /* 1 if we know an external address for this node */
unsigned int unused: 20;
unsigned int ping_sent: 1; /* 1 if we sent a UDP probe but haven't received the reply yet */
unsigned int unused: 19;
} node_status_t;
typedef struct node_t {

View file

@ -1,6 +1,6 @@
/*
crypto.c -- Cryptographic miscellaneous functions and initialisation
Copyright (C) 2007-2014 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -42,12 +42,14 @@ static void random_exit(void) {
close(random_fd);
}
void randomize(void *out, size_t outlen) {
void randomize(void *vout, size_t outlen) {
char *out = vout;
while(outlen) {
size_t len = read(random_fd, out, outlen);
ssize_t len = read(random_fd, out, outlen);
if(len <= 0) {
if(errno == EAGAIN || errno == EINTR) {
if(len == -1 && (errno == EAGAIN || errno == EINTR)) {
continue;
}

View file

@ -189,7 +189,7 @@ bool cipher_decrypt(cipher_t *cipher, const void *indata, size_t inlen, void *ou
} else {
int len;
if(EVP_EncryptUpdate(cipher->ctx, outdata, &len, indata, inlen)) {
if(EVP_DecryptUpdate(cipher->ctx, outdata, &len, indata, inlen)) {
if(outlen) {
*outlen = len;
}

View file

@ -1,6 +1,6 @@
/*
crypto.c -- Cryptographic miscellaneous functions and initialisation
Copyright (C) 2007-2014 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -50,10 +50,10 @@ void randomize(void *vout, size_t outlen) {
char *out = vout;
while(outlen) {
size_t len = read(random_fd, out, outlen);
ssize_t len = read(random_fd, out, outlen);
if(len <= 0) {
if(errno == EAGAIN || errno == EINTR) {
if(len == -1 && (errno == EAGAIN || errno == EINTR)) {
continue;
}
@ -96,9 +96,10 @@ void crypto_init(void) {
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
#if OPENSSL_API_COMPAT < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
#endif
if(!RAND_status()) {
fprintf(stderr, "Not enough entropy for the PRNG!\n");
@ -107,8 +108,10 @@ void crypto_init(void) {
}
void crypto_exit(void) {
#if OPENSSL_API_COMPAT < 0x10100000L
EVP_cleanup();
ERR_free_strings();
ENGINE_cleanup();
#endif
random_exit();
}

View file

@ -1,6 +1,6 @@
/*
rsa.c -- RSA key handling
Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -21,6 +21,7 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#define TINC_RSA_INTERNAL
typedef RSA rsa_t;

View file

@ -1,7 +1,7 @@
/*
process.c -- process management functions
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -115,7 +115,11 @@ static bool install_service(void) {
io_t stop_io;
DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID boe, LPVOID bah) {
DWORD WINAPI controlhandler(DWORD request, DWORD type, LPVOID data, LPVOID context) {
(void)type;
(void)data;
(void)context;
switch(request) {
case SERVICE_CONTROL_INTERROGATE:
SetServiceStatus(statushandle, &status);

View file

@ -284,13 +284,16 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
}
// Read the new node's Name from the file
char buf[1024];
char buf[1024] = "";
fgets(buf, sizeof(buf), f);
size_t buflen = strlen(buf);
if(*buf) {
buf[strlen(buf) - 1] = 0;
// Strip whitespace at the end
while(buflen && strchr(" \t\r\n", buf[buflen - 1])) {
buf[--buflen] = 0;
}
// Split the first line into variable and value
len = strcspn(buf, " \t=");
char *name = buf + len;
name += strspn(name, " \t");
@ -302,6 +305,7 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat
buf[len] = 0;
// Check that it is a valid Name
if(!*buf || !*name || strcasecmp(buf, "Name") || !check_id(name) || !strcmp(name, myself->name)) {
logger(DEBUG_ALWAYS, LOG_ERR, "Invalid invitation file %s\n", cookie);
fclose(f);
@ -486,11 +490,8 @@ bool id_h(connection_t *c, const char *request) {
}
}
#ifndef DISABLE_LEGACY
bool send_metakey(connection_t *c) {
#ifdef DISABLE_LEGACY
return false;
#else
if(!myself->connection->rsa) {
logger(DEBUG_CONNECTIONS, LOG_ERR, "Peer %s (%s) uses legacy protocol which we don't support", c->name, c->hostname);
return false;
@ -580,14 +581,9 @@ bool send_metakey(connection_t *c) {
c->status.encryptout = true;
return result;
#endif
}
bool metakey_h(connection_t *c, const char *request) {
#ifdef DISABLE_LEGACY
return false;
#else
if(!myself->connection->rsa) {
return false;
}
@ -655,13 +651,9 @@ bool metakey_h(connection_t *c, const char *request) {
c->allow_request = CHALLENGE;
return send_challenge(c);
#endif
}
bool send_challenge(connection_t *c) {
#ifdef DISABLE_LEGACY
return false;
#else
const size_t len = rsa_size(c->rsa);
char buffer[len * 2 + 1];
@ -678,14 +670,9 @@ bool send_challenge(connection_t *c) {
/* Send the challenge */
return send_request(c, "%d %s", CHALLENGE, buffer);
#endif
}
bool challenge_h(connection_t *c, const char *request) {
#ifdef DISABLE_LEGACY
return false;
#else
if(!myself->connection->rsa) {
return false;
}
@ -720,8 +707,6 @@ bool challenge_h(connection_t *c, const char *request) {
} else {
return true;
}
#endif
}
bool send_chal_reply(connection_t *c) {
@ -748,9 +733,6 @@ bool send_chal_reply(connection_t *c) {
}
bool chal_reply_h(connection_t *c, const char *request) {
#ifdef DISABLE_LEGACY
return false;
#else
char hishash[MAX_STRING_SIZE];
if(sscanf(request, "%*d " MAX_STRING, hishash) != 1) {
@ -791,13 +773,9 @@ bool chal_reply_h(connection_t *c, const char *request) {
}
return send_ack(c);
#endif
}
static bool send_upgrade(connection_t *c) {
#ifdef DISABLE_LEGACY
return false;
#else
/* Special case when protocol_minor is 1: the other end is Ed25519 capable,
* but doesn't know our key yet. So send it now. */
@ -810,8 +788,46 @@ static bool send_upgrade(connection_t *c) {
bool result = send_request(c, "%d %s", ACK, pubkey);
free(pubkey);
return result;
#endif
}
#else
bool send_metakey(connection_t *c) {
(void)c;
return false;
}
bool metakey_h(connection_t *c, const char *request) {
(void)c;
(void)request;
return false;
}
bool send_challenge(connection_t *c) {
(void)c;
return false;
}
bool challenge_h(connection_t *c, const char *request) {
(void)c;
(void)request;
return false;
}
bool send_chal_reply(connection_t *c) {
(void)c;
return false;
}
bool chal_reply_h(connection_t *c, const char *request) {
(void)c;
(void)request;
return false;
}
static bool send_upgrade(connection_t *c) {
(void)c;
return false;
}
#endif
bool send_ack(connection_t *c) {
if(c->protocol_minor == 1) {

View file

@ -34,7 +34,9 @@
#include "utils.h"
#include "xalloc.h"
#ifndef DISABLE_LEGACY
static bool mykeyused = false;
#endif
void send_key_changed(void) {
#ifndef DISABLE_LEGACY

View file

@ -71,9 +71,9 @@ bool pong_h(connection_t *c, const char *request) {
/* Successful connection, reset timeout if this is an outgoing connection. */
if(c->outgoing) {
if(c->outgoing && c->outgoing->timeout) {
c->outgoing->timeout = 0;
reset_address_cache(c->outgoing->address_cache, &c->address);
reset_address_cache(c->outgoing->node->address_cache, &c->address);
}
return true;

View file

@ -1,7 +1,7 @@
/*
route.c -- routing
Copyright (C) 2000-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -59,33 +59,30 @@ static const size_t opt_size = sizeof(struct nd_opt_hdr);
#define MAX(a, b) ((a) > (b) ? (a) : (b))
#endif
volatile int dummy;
static timeout_t age_subnets_timeout;
/* RFC 1071 */
static uint16_t inet_checksum(void *data, int len, uint16_t prevsum) {
uint16_t *p = data;
static uint16_t inet_checksum(void *vdata, int len, uint16_t prevsum) {
uint8_t *data = vdata;
uint16_t word;
uint32_t checksum = prevsum ^ 0xFFFF;
while(len >= 2) {
checksum += *p++;
memcpy(&word, data, sizeof(word));
checksum += word;
data += 2;
len -= 2;
}
if(len) {
checksum += *(uint8_t *)p;
checksum += *data;
}
while(checksum >> 16) {
checksum = (checksum & 0xFFFF) + (checksum >> 16);
}
// Work around a compiler optimization bug.
if(checksum) {
dummy = 1;
}
return ~checksum;
}
@ -165,7 +162,7 @@ static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_
addr.sin_family = AF_INET;
socklen_t addrlen = sizeof(addr);
if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && addrlen <= sizeof(addr)) {
if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && (size_t)addrlen <= sizeof(addr)) {
ip_dst = addr.sin_addr;
}
}
@ -270,7 +267,7 @@ static void route_ipv6_unreachable(node_t *source, vpn_packet_t *packet, length_
addr.sin6_family = AF_INET6;
socklen_t addrlen = sizeof(addr);
if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && addrlen <= sizeof(addr)) {
if(!getsockname(sockfd, (struct sockaddr *) &addr, &addrlen) && (size_t)addrlen <= sizeof(addr)) {
pseudo.ip6_src = addr.sin6_addr;
}
}
@ -598,7 +595,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t et
logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
offset = DATA(packet) + ether_size + ip_size;
maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7;
ip_off = ntohs(ip.ip_off);
origf = ip_off & ~IP_OFFMASK;
ip_off &= IP_OFFMASK;

View file

@ -1,7 +1,7 @@
/*
script.c -- call an external script
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2017 Guus Sliepen <guus@tinc-vpn.org>
2000-2018 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -50,7 +50,7 @@ static void unputenv(const char *p) {
#else
// We must keep what we putenv() around in memory.
// To do this without memory leaks, keep things in a list and reuse if possible.
static list_t list = {};
static list_t list = {0};
for list_each(char, data, &list) {
if(!strcmp(data, var)) {
@ -142,7 +142,12 @@ bool execute_script(const char *name, environment_t *env) {
#ifdef HAVE_MINGW
if(!*scriptextension) {
const char *pathext = getenv("PATHEXT") ? : ".COM;.EXE;.BAT;.CMD";
const char *pathext = getenv("PATHEXT");
if(!pathext) {
pathext = ".COM;.EXE;.BAT;.CMD";
}
size_t pathlen = strlen(pathext);
size_t scriptlen = strlen(scriptname);
char fullname[scriptlen + pathlen + 1];

View file

@ -78,6 +78,7 @@ static bool send_data(void *handle, uint8_t type, const void *data, size_t len)
static bool receive_record(void *handle, uint8_t type, const void *data, uint16_t len) {
(void)handle;
if(verbose) {
fprintf(stderr, "Received type %d record of %u bytes:\n", type, len);
}
@ -369,6 +370,7 @@ int main(int argc, char *argv[]) {
}
char buf[65535] = "";
size_t readsize = datagram ? 1460u : sizeof(buf);
fd_set fds;
FD_ZERO(&fds);
@ -386,7 +388,7 @@ int main(int argc, char *argv[]) {
}
if(FD_ISSET(in, &fds)) {
ssize_t len = read(in, buf, sizeof(buf));
ssize_t len = read(in, buf, readsize);
if(len < 0) {
fprintf(stderr, "Could not read from stdin: %s\n", strerror(errno));

View file

@ -3,7 +3,7 @@
/*
subnet.h -- header for subnet.c
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2021 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -78,6 +78,7 @@ extern void subnet_update(struct node_t *owner, subnet_t *subnet, bool up);
extern int maskcmp(const void *a, const void *b, int masklen);
extern void maskcpy(void *dest, const void *src, int masklen, int len);
extern void mask(void *mask, int masklen, int len);
extern bool subnetcheck(const subnet_t subnet);
extern bool maskcheck(const void *mask, int masklen, int len);
extern bool net2str(char *netstr, int len, const subnet_t *subnet);
extern bool str2net(subnet_t *subnet, const char *netstr);

View file

@ -1,6 +1,6 @@
/*
subnet_parse.c -- handle subnet parsing
Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2021 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -87,6 +87,17 @@ void maskcpy(void *va, const void *vb, int masklen, int len) {
}
}
bool subnetcheck(const subnet_t subnet) {
if(((subnet.type == SUBNET_IPV4)
&& !maskcheck(&subnet.net.ipv4.address, subnet.net.ipv4.prefixlength, sizeof(subnet.net.ipv4.address)))
|| ((subnet.type == SUBNET_IPV6)
&& !maskcheck(&subnet.net.ipv6.address, subnet.net.ipv6.prefixlength, sizeof(subnet.net.ipv6.address)))) {
return false;
}
return true;
}
bool maskcheck(const void *va, int masklen, int len) {
int i;
const char *a = va;

View file

@ -1,6 +1,6 @@
/*
tincctl.c -- Controlling a running tincd
Copyright (C) 2007-2018 Guus Sliepen <guus@tinc-vpn.org>
Copyright (C) 2007-2021 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -40,6 +40,7 @@
#include "tincctl.h"
#include "top.h"
#include "version.h"
#include "subnet.h"
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
@ -125,12 +126,12 @@ static void usage(bool status) {
" reload Partially reload configuration of running tincd.\n"
" pid Show PID of currently running tincd.\n"
#ifdef DISABLE_LEGACY
" generate-keys Generate a new Ed25519 public/private keypair.\n"
" generate-keys Generate a new Ed25519 public/private key pair.\n"
#else
" generate-keys [bits] Generate new RSA and Ed25519 public/private keypairs.\n"
" generate-rsa-keys [bits] Generate a new RSA public/private keypair.\n"
" generate-keys [bits] Generate new RSA and Ed25519 public/private key pairs.\n"
" generate-rsa-keys [bits] Generate a new RSA public/private key pair.\n"
#endif
" generate-ed25519-keys Generate a new Ed25519 public/private keypair.\n"
" generate-ed25519-keys Generate a new Ed25519 public/private key pair.\n"
" dump Dump a list of one of the following things:\n"
" [reachable] nodes - all known nodes in the VPN\n"
" edges - all known connections in the VPN\n"
@ -237,7 +238,7 @@ static bool parse_options(int argc, char **argv) {
FILE *fopenmask(const char *filename, const char *mode, mode_t perms) {
mode_t mask = umask(0);
perms &= ~mask;
umask(~perms);
umask(~perms & 0777);
FILE *f = fopen(filename, mode);
if(!f) {
@ -262,19 +263,21 @@ static void disable_old_keys(const char *filename, const char *what) {
bool disabled = false;
bool block = false;
bool error = false;
FILE *r, *w;
r = fopen(filename, "r");
FILE *r = fopen(filename, "r");
FILE *w = NULL;
if(!r) {
return;
}
snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename);
int result = snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename);
struct stat st = {.st_mode = 0600};
fstat(fileno(r), &st);
w = fopenmask(tmpfile, "w", st.st_mode);
if(result < sizeof(tmpfile)) {
struct stat st = {.st_mode = 0600};
fstat(fileno(r), &st);
w = fopenmask(tmpfile, "w", st.st_mode);
}
while(fgets(buf, sizeof(buf), r)) {
if(!block && !strncmp(buf, "-----BEGIN ", 11)) {
@ -416,7 +419,7 @@ ask_filename:
}
/*
Generate a public/private Ed25519 keypair, and ask for a file to store
Generate a public/private Ed25519 key pair, and ask for a file to store
them in.
*/
static bool ed25519_keygen(bool ask) {
@ -424,7 +427,7 @@ static bool ed25519_keygen(bool ask) {
FILE *f;
char fname[PATH_MAX];
fprintf(stderr, "Generating Ed25519 keypair:\n");
fprintf(stderr, "Generating Ed25519 key pair:\n");
if(!(key = ecdsa_generate())) {
fprintf(stderr, "Error during key generation!\n");
@ -480,7 +483,7 @@ error:
#ifndef DISABLE_LEGACY
/*
Generate a public/private RSA keypair, and ask for a file to store
Generate a public/private RSA key pair, and ask for a file to store
them in.
*/
static bool rsa_keygen(int bits, bool ask) {
@ -725,6 +728,24 @@ static void logcontrol(int fd, FILE *out, int level) {
}
}
static bool stop_tincd(void) {
if(!connect_tincd(true)) {
return false;
}
sendline(fd, "%d %d", CONTROL, REQ_STOP);
while(recvline(fd, line, sizeof(line))) {
// wait for tincd to close the connection...
}
close(fd);
pid = 0;
fd = -1;
return true;
}
#ifdef HAVE_MINGW
static bool remove_service(void) {
SC_HANDLE manager = NULL;
@ -742,7 +763,12 @@ static bool remove_service(void) {
service = OpenService(manager, identname, SERVICE_ALL_ACCESS);
if(!service) {
fprintf(stderr, "Could not open %s service: %s\n", identname, winerror(GetLastError()));
if(GetLastError() == ERROR_SERVICE_DOES_NOT_EXIST) {
success = stop_tincd();
} else {
fprintf(stderr, "Could not open %s service: %s\n", identname, winerror(GetLastError()));
}
goto exit;
}
@ -883,7 +909,6 @@ bool connect_tincd(bool verbose) {
return false;
}
#ifdef HAVE_MINGW
unsigned long arg = 0;
if(ioctlsocket(fd, FIONBIO, &arg) != 0) {
@ -892,8 +917,6 @@ bool connect_tincd(bool verbose) {
}
}
#endif
if(connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
if(verbose) {
fprintf(stderr, "Cannot connect to %s port %s: %s\n", host, port, sockstrerror(sockerrno));
@ -1083,9 +1106,11 @@ static int cmd_stop(int argc, char *argv[]) {
return 1;
}
#ifndef HAVE_MINGW
#ifdef HAVE_MINGW
return remove_service();
#else
if(!connect_tincd(true)) {
if(!stop_tincd()) {
if(pid) {
if(kill(pid, SIGTERM)) {
fprintf(stderr, "Could not send TERM signal to process with PID %d: %s\n", pid, strerror(errno));
@ -1100,24 +1125,8 @@ static int cmd_stop(int argc, char *argv[]) {
return 1;
}
sendline(fd, "%d %d", CONTROL, REQ_STOP);
while(recvline(fd, line, sizeof(line))) {
// Wait for tincd to close the connection...
}
#else
if(!remove_service()) {
return 1;
}
#endif
close(fd);
pid = 0;
fd = -1;
return 0;
#endif
}
static int cmd_restart(int argc, char *argv[]) {
@ -1346,7 +1355,7 @@ static int cmd_dump(int argc, char *argv[]) {
color = "green";
}
printf(" %s [label = \"%s\", color = \"%s\"%s];\n", node, node, color, strcmp(host, "MYSELF") ? "" : ", style = \"filled\"");
printf(" \"%s\" [label = \"%s\", color = \"%s\"%s];\n", node, node, color, strcmp(host, "MYSELF") ? "" : ", style = \"filled\"");
} else {
if(only_reachable && !status.reachable) {
continue;
@ -1376,9 +1385,9 @@ static int cmd_dump(int argc, char *argv[]) {
float w = 1 + 65536.0 / weight;
if(do_graph == 1 && strcmp(node1, node2) > 0) {
printf(" %s -- %s [w = %f, weight = %f];\n", node1, node2, w, w);
printf(" \"%s\" -- \"%s\" [w = %f, weight = %f];\n", node1, node2, w, w);
} else if(do_graph == 2) {
printf(" %s -> %s [w = %f, weight = %f];\n", node1, node2, w, w);
printf(" \"%s\" -> \"%s\" [w = %f, weight = %f];\n", node1, node2, w, w);
}
} else {
printf("%s to %s at %s port %s local %s port %s options %x weight %d\n", from, to, host, port, local_host, local_port, options, weight);
@ -1717,18 +1726,18 @@ ecdsa_t *get_pubkey(FILE *f) {
const var_t variables[] = {
/* Server configuration */
{"AddressFamily", VAR_SERVER},
{"AddressFamily", VAR_SERVER | VAR_SAFE},
{"AutoConnect", VAR_SERVER | VAR_SAFE},
{"BindToAddress", VAR_SERVER | VAR_MULTIPLE},
{"BindToInterface", VAR_SERVER},
{"Broadcast", VAR_SERVER | VAR_SAFE},
{"BroadcastSubnet", VAR_SERVER | VAR_MULTIPLE | VAR_SAFE},
{"ConnectTo", VAR_SERVER | VAR_MULTIPLE | VAR_SAFE},
{"DecrementTTL", VAR_SERVER},
{"DecrementTTL", VAR_SERVER | VAR_SAFE},
{"Device", VAR_SERVER},
{"DeviceStandby", VAR_SERVER},
{"DeviceType", VAR_SERVER},
{"DirectOnly", VAR_SERVER},
{"DirectOnly", VAR_SERVER | VAR_SAFE},
{"Ed25519PrivateKeyFile", VAR_SERVER},
{"ExperimentalProtocol", VAR_SERVER},
{"Forwarding", VAR_SERVER},
@ -1738,34 +1747,34 @@ const var_t variables[] = {
{"IffOneQueue", VAR_SERVER},
{"Interface", VAR_SERVER},
{"InvitationExpire", VAR_SERVER},
{"KeyExpire", VAR_SERVER},
{"KeyExpire", VAR_SERVER | VAR_SAFE},
{"ListenAddress", VAR_SERVER | VAR_MULTIPLE},
{"LocalDiscovery", VAR_SERVER},
{"LocalDiscovery", VAR_SERVER | VAR_SAFE},
{"LogLevel", VAR_SERVER},
{"MACExpire", VAR_SERVER},
{"MaxConnectionBurst", VAR_SERVER},
{"MaxOutputBufferSize", VAR_SERVER},
{"MaxTimeout", VAR_SERVER},
{"MACExpire", VAR_SERVER | VAR_SAFE},
{"MaxConnectionBurst", VAR_SERVER | VAR_SAFE},
{"MaxOutputBufferSize", VAR_SERVER | VAR_SAFE},
{"MaxTimeout", VAR_SERVER | VAR_SAFE},
{"Mode", VAR_SERVER | VAR_SAFE},
{"Name", VAR_SERVER},
{"PingInterval", VAR_SERVER},
{"PingTimeout", VAR_SERVER},
{"PingInterval", VAR_SERVER | VAR_SAFE},
{"PingTimeout", VAR_SERVER | VAR_SAFE},
{"PriorityInheritance", VAR_SERVER},
{"PrivateKey", VAR_SERVER | VAR_OBSOLETE},
{"PrivateKeyFile", VAR_SERVER},
{"ProcessPriority", VAR_SERVER},
{"Proxy", VAR_SERVER},
{"ReplayWindow", VAR_SERVER},
{"ReplayWindow", VAR_SERVER | VAR_SAFE},
{"ScriptsExtension", VAR_SERVER},
{"ScriptsInterpreter", VAR_SERVER},
{"StrictSubnets", VAR_SERVER},
{"TunnelServer", VAR_SERVER},
{"UDPDiscovery", VAR_SERVER},
{"UDPDiscoveryKeepaliveInterval", VAR_SERVER},
{"UDPDiscoveryInterval", VAR_SERVER},
{"UDPDiscoveryTimeout", VAR_SERVER},
{"MTUInfoInterval", VAR_SERVER},
{"UDPInfoInterval", VAR_SERVER},
{"StrictSubnets", VAR_SERVER | VAR_SAFE},
{"TunnelServer", VAR_SERVER | VAR_SAFE},
{"UDPDiscovery", VAR_SERVER | VAR_SAFE},
{"UDPDiscoveryKeepaliveInterval", VAR_SERVER | VAR_SAFE},
{"UDPDiscoveryInterval", VAR_SERVER | VAR_SAFE},
{"UDPDiscoveryTimeout", VAR_SERVER | VAR_SAFE},
{"MTUInfoInterval", VAR_SERVER | VAR_SAFE},
{"UDPInfoInterval", VAR_SERVER | VAR_SAFE},
{"UDPRcvBuf", VAR_SERVER},
{"UDPSndBuf", VAR_SERVER},
{"UPnP", VAR_SERVER},
@ -1776,12 +1785,12 @@ const var_t variables[] = {
/* Host configuration */
{"Address", VAR_HOST | VAR_MULTIPLE},
{"Cipher", VAR_SERVER | VAR_HOST},
{"ClampMSS", VAR_SERVER | VAR_HOST},
{"Compression", VAR_SERVER | VAR_HOST},
{"ClampMSS", VAR_SERVER | VAR_HOST | VAR_SAFE},
{"Compression", VAR_SERVER | VAR_HOST | VAR_SAFE},
{"Digest", VAR_SERVER | VAR_HOST},
{"Ed25519PublicKey", VAR_HOST},
{"Ed25519PublicKeyFile", VAR_SERVER | VAR_HOST},
{"IndirectData", VAR_SERVER | VAR_HOST},
{"IndirectData", VAR_SERVER | VAR_HOST | VAR_SAFE},
{"MACLength", VAR_SERVER | VAR_HOST},
{"PMTU", VAR_SERVER | VAR_HOST},
{"PMTUDiscovery", VAR_SERVER | VAR_HOST},
@ -1789,7 +1798,7 @@ const var_t variables[] = {
{"PublicKey", VAR_HOST | VAR_OBSOLETE},
{"PublicKeyFile", VAR_SERVER | VAR_HOST | VAR_OBSOLETE},
{"Subnet", VAR_HOST | VAR_MULTIPLE | VAR_SAFE},
{"TCPOnly", VAR_SERVER | VAR_HOST},
{"TCPOnly", VAR_SERVER | VAR_HOST | VAR_SAFE},
{"Weight", VAR_HOST | VAR_SAFE},
{NULL, 0}
};
@ -1880,6 +1889,19 @@ static int cmd_config(int argc, char *argv[]) {
found = true;
variable = (char *)variables[i].name;
if(!strcasecmp(variable, "Subnet")) {
subnet_t s = {0};
if(!str2net(&s, value)) {
fprintf(stderr, "Malformed subnet definition %s\n", value);
}
if(!subnetcheck(s)) {
fprintf(stderr, "Network address and prefix length do not match: %s\n", value);
return 1;
}
}
/* Discourage use of obsolete variables. */
if(variables[i].type & VAR_OBSOLETE && action >= 0) {
@ -2301,6 +2323,7 @@ static int cmd_init(int argc, char *argv[]) {
static int cmd_generate_keys(int argc, char *argv[]) {
#ifdef DISABLE_LEGACY
(void)argv;
if(argc > 1) {
#else
@ -2440,10 +2463,14 @@ static int cmd_edit(int argc, char *argv[]) {
char *command;
#ifndef HAVE_MINGW
const char *editor = getenv("VISUAL");
if (!editor)
if(!editor) {
editor = getenv("EDITOR");
if (!editor)
}
if(!editor) {
editor = "vi";
}
xasprintf(&command, "\"%s\" \"%s\"", editor, filename);
#else

Some files were not shown because too many files have changed in this diff Show more