-Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.
+Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.
This program is free software; you can redistribute it and/or modify it under
+Version 1.0.36 August 26 2019
+
+ * Fix compiling tinc with certain versions of the OpenSSL library.
+ * Fix parsing some IPv6 addresses with :: in them.
+ * Fix GraphDumpFile output to handle node names starting with a digit.
+ * Fix a potential segmentation fault when fragmenting packets.
+
+Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their
+contributions to this version of tinc.
+
Version 1.0.35 October 5 2018
* Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
* Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
+ * Minor fixes in the documentation.
+
+Thanks to Amine Amri and Rafael Sadowski for their contributions to this
+version of tinc.
Version 1.0.34 June 12 2018
-This is the README file for tinc version 1.0.35. Installation
+This is the README file for tinc version 1.0.36. Installation
instructions may be found in the INSTALL file.
-tinc is Copyright (C) 1998-2018 by:
+tinc is Copyright (C) 1998-2019 by:
Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>,
------------
The OpenSSL library is used for all cryptographic functions. You can find it at
-https://www.openssl.org/. You will need version 1.0.1 or later with support for
+https://www.openssl.org/. You will need version 1.1.0 or later with support for
AES256 and SHA256 enabled. If this library is not installed on your system, the
configure script will fail. The manual in doc/tinc.texi contains more detailed
information on how to install this library. Alternatively, you may also use the
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.35])
+AC_INIT([tinc], [1.0.36])
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
AC_CONFIG_HEADERS([config.h])
]
)
-dnl Ensure runstatedir is set if we are using a version of autoconf that does not suppport it
+dnl Ensure runstatedir is set if we are using a version of autoconf that does not support it
if test "x$runstatedir" = "x"; then
AC_SUBST([runstatedir], ['${localstatedir}/run'])
fi
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
LDFLAGS="$LDFLAGS -L$withval"]
)
- AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h,
+ AC_CHECK_HEADERS([openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h],
[],
[AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
)
- AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
+ AC_CHECK_LIB(crypto, OPENSSL_init_crypto,
[LIBS="-lcrypto $LIBS"],
[AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
)
- AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
- [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
- )
-
- AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
- [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
- [#include <openssl/evp.h>]
- )
-
- AC_CHECK_FUNCS([BN_GENCB_new RSA_set0_key], , , [#include <openssl/rsa.h>])
+ AC_DEFINE(HAVE_OPENSSL, 1, [enable OpenSSL support])
])
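Review bot: The failure branch of the new `AC_CHECK_LIB(crypto, OPENSSL_init_crypto, ...)` still says "LibreSSL/OpenSSL libraries not found", but the symbol it now probes exists only in OpenSSL 1.1.0 and later (and, as far as I recall, only in newer LibreSSL releases), so a user with an installed but older libcrypto gets a misleading diagnosis. Change it to state the version floor: `[AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found or too old; version 1.1.0 or later is required.])]`. Dropping the `AC_CHECK_FUNCS`/`AC_CHECK_DECLS` probes is consistent with the compatibility shims removed elsewhere in this diff, so nothing else appears to be lost as long as the floor is documented at this check.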
#include <openssl/rsa.h>
#include <openssl/evp.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_cleanup(c)
-#endif
-
#include "avl_tree.h"
#define OPTION_INDIRECT 0x0001
char *myport;
devops_t devops;
-#ifndef HAVE_RSA_SET0_KEY
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
- BN_free(r->n);
- r->n = n;
- BN_free(r->e);
- r->e = e;
- BN_free(r->d);
- r->d = d;
- return 1;
-}
-#endif
-
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *pubname;
/* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */
+ if(!from->status.reachable) {
+ logger(LOG_WARNING, "Got %s from %s (%s) origin %s which is not reachable",
+ "REQ_KEY", c->name, c->hostname, from_name);
+ return true;
+ }
+
if(!send_ans_key(from)) {
return false;
}
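Review bot: The new reachability guard drops the request without recording why answering an unreachable origin is unsafe, so a later maintainer may read it as redundant with the lookup of `from` above; a one-line comment over the `if` would fix that, e.g. `/* An unreachable node has no valid route for the ANS_KEY reply; ignore the request rather than try to send one. */` — presumably the motivation, confirm against send_ans_key(). Note that the LOG_WARNING line fires on every such request from an authenticated peer, so a misbehaving neighbour can repeat it at will; worth checking whether the surrounding protocol code already rate-limits these messages. The enclosing function starts and ends outside the hunk; if the forwarding branch for `to != myself` also assumes `from` has a route, it likely needs the same check.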
/*
subnet.c -- handle subnet lookups and lists
- Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
+ Copyright (C) 2000-2019 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
/* Ascii representation of subnets */
bool str2net(subnet_t *subnet, const char *subnetstr) {
- char str[1024];
+ char str[64];
strncpy(str, subnetstr, sizeof(str));
str[sizeof(str) - 1] = 0;
int consumed;
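Review bot: Shrinking `str` to 64 bytes means the `strncpy` on the next line now silently truncates any `subnetstr` of 64 characters or more and parses the truncated prefix as though it were the whole input, instead of rejecting it the way the function rejects other malformed strings. Since no valid subnet string needs that much room, reject over-long input up front with `if(strlen(subnetstr) >= sizeof(str)) { return false; }` before the copy; the `str[sizeof(str) - 1] = 0;` line then becomes unnecessary. str2net continues past the hunk.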
return true;
}
- if(sscanf(str, "%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !str[consumed]) {
+ if(inet_pton(AF_INET, str, &subnet->net.ipv4.address)) {
if(prefixlength == -1) {
prefixlength = 32;
}
subnet->net.ipv4.prefixlength = prefixlength;
subnet->weight = weight;
- for(int i = 0; i < 4; i++) {
- if(x[i] > 255) {
- return false;
- }
-
- subnet->net.ipv4.address.x[i] = x[i];
- }
-
return true;
}
- /* IPv6 */
-
- char *last_colon = strrchr(str, ':');
-
- if(last_colon && sscanf(last_colon, ":%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !last_colon[consumed]) {
- /* Dotted quad suffix notation, convert to standard IPv6 notation */
- for(int i = 0; i < 4; i++)
- if(x[i] > 255) {
- return false;
- }
-
- snprintf(last_colon, sizeof(str) - (last_colon - str), ":%02x%02x:%02x%02x", x[0], x[1], x[2], x[3]);
- }
-
- char *double_colon = strstr(str, "::");
-
- if(double_colon) {
- /* Figure out how many zero groups we need to expand */
- int zero_group_count = 8;
-
- for(const char *cur = str; *cur; cur++)
- if(*cur != ':') {
- zero_group_count--;
-
- while(cur[1] && cur[1] != ':') {
- cur++;
- }
- }
-
- if(zero_group_count < 1) {
- return false;
- }
-
- /* Split the double colon in the middle to make room for zero groups */
- double_colon++;
- memmove(double_colon + (zero_group_count * 2 - 1), double_colon, strlen(double_colon) + 1);
-
- /* Write zero groups in the resulting gap, overwriting the second colon */
- for(int i = 0; i < zero_group_count; i++) {
- memcpy(&double_colon[i * 2], "0:", 2);
- }
-
- /* Remove any leading or trailing colons */
- if(str[0] == ':') {
- memmove(&str[0], &str[1], strlen(&str[1]) + 1);
- }
-
- if(str[strlen(str) - 1] == ':') {
- str[strlen(str) - 1] = 0;
- }
- }
-
- if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx%n",
- &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &consumed) >= 8 && !str[consumed]) {
+ if(inet_pton(AF_INET6, str, &subnet->net.ipv6.address)) {
if(prefixlength == -1) {
prefixlength = 128;
}
subnet->net.ipv6.prefixlength = prefixlength;
subnet->weight = weight;
- for(int i = 0; i < 8; i++) {
- subnet->net.ipv6.address.x[i] = htons(x[i]);
- }
-
return true;
}
return false;
}
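Review bot: `inet_pton()` returns 1 on success, 0 for unparsable input and -1 for an unsupported family, and both new `if(inet_pton(...))` tests treat -1 as success; with constant AF_INET/AF_INET6 arguments that cannot happen on a conforming libc, but `== 1` states the intent and costs nothing: `if(inet_pton(AF_INET, str, &subnet->net.ipv4.address) == 1) {` and likewise for the AF_INET6 branch. The calls also assume `subnet->net.ipv4.address` and `subnet->net.ipv6.address` are raw 4- and 16-byte network-order arrays — consistent with the removed code writing `x[i]` and `htons(x[i])` into them, but that contract should be stated at the struct definition, which is outside this hunk. The `<arpa/inet.h>` include that `inet_pton`/`AF_INET6` need is not visible in the diff; presumably already included via a project header, confirm. The MAC branch and the function signature are outside the hunk.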
+ int result;
+ int prefixlength = -1;
+
switch(subnet->type) {
case SUBNET_MAC:
- snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d",
+ snprintf(netstr, len, "%02x:%02x:%02x:%02x:%02x:%02x",
subnet->net.mac.address.x[0],
subnet->net.mac.address.x[1],
subnet->net.mac.address.x[2],
subnet->net.mac.address.x[3],
subnet->net.mac.address.x[4],
- subnet->net.mac.address.x[5],
- subnet->weight);
+ subnet->net.mac.address.x[5]);
break;
case SUBNET_IPV4:
- snprintf(netstr, len, "%u.%u.%u.%u/%d#%d",
- subnet->net.ipv4.address.x[0],
- subnet->net.ipv4.address.x[1],
- subnet->net.ipv4.address.x[2],
- subnet->net.ipv4.address.x[3],
- subnet->net.ipv4.prefixlength,
- subnet->weight);
+ inet_ntop(AF_INET, &subnet->net.ipv4.address, netstr, len);
+ prefixlength = subnet->net.ipv4.prefixlength;
+
+ if(prefixlength == 32) {
+ prefixlength = -1;
+ }
+
break;
- case SUBNET_IPV6:
- snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d",
- ntohs(subnet->net.ipv6.address.x[0]),
- ntohs(subnet->net.ipv6.address.x[1]),
- ntohs(subnet->net.ipv6.address.x[2]),
- ntohs(subnet->net.ipv6.address.x[3]),
- ntohs(subnet->net.ipv6.address.x[4]),
- ntohs(subnet->net.ipv6.address.x[5]),
- ntohs(subnet->net.ipv6.address.x[6]),
- ntohs(subnet->net.ipv6.address.x[7]),
- subnet->net.ipv6.prefixlength,
- subnet->weight);
+ case SUBNET_IPV6: {
+ inet_ntop(AF_INET6, &subnet->net.ipv6.address, netstr, len);
+ prefixlength = subnet->net.ipv6.prefixlength;
+
+ if(prefixlength == 128) {
+ prefixlength = -1;
+ }
+
break;
+ }
default:
- logger(LOG_ERR,
- "net2str() was called with unknown subnet type %d, exiting!",
- subnet->type);
- exit(0);
+ logger(LOG_ERR, "net2str() was called with unknown subnet type %d, exiting!", subnet->type);
+ exit(1);
+ }
+
+ size_t used = strlen(netstr);
+ netstr += used;
+ len -= used;
+
+ if(prefixlength >= 0) {
+ result = snprintf(netstr, len, "/%d", prefixlength);
+ netstr += result;
+ len -= result;
+ }
+
+ if(subnet->weight != 10) {
+ snprintf(netstr, len, "#%d", subnet->weight);
}
return true;
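Review bot: The result of `snprintf(netstr, len, "/%d", prefixlength)` is added to `netstr` and subtracted from `len` without being checked, so if the prefix does not fit (or snprintf returns -1) `netstr` advances past the end of the buffer and `len` wraps, and the following `"#%d"` write lands out of bounds. Guard it before advancing: `if(result < 0 || (size_t)result >= len) { return false; }` — assuming `len` is the caller's buffer size and callers honour the bool return, both outside the hunk. The preceding `strlen(netstr)` step has the same dependency: `used` is only bounded by `len - 1` if `inet_ntop()` succeeded, so its NULL return should be checked too. The literal `10` on the weight comparison is a default that deserves a named constant, especially if net2str's output goes into protocol messages exchanged with peers, where omitting the suffix changes the wire form.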
/*
tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans
- 2000-2018 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2019 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
-#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
-#endif
#include <openssl/bn.h>
#ifdef HAVE_LZO
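Review bot: Removing the `#ifndef OPENSSL_NO_ENGINE` guard around `<openssl/engine.h>` here, and around the `ENGINE_load_builtin_engines()` call in the later hunk following `init_configuration(&config_tree);`, makes tinc reference the ENGINE API unconditionally; as I read the 1.1 headers, a libcrypto built with `no-engine` declares nothing in engine.h, so that call no longer compiles there, and later OpenSSL releases deprecate the whole API. If requiring engines is intentional, enforce it in the configure check and say so in NEWS; otherwise keep the guard around the call, `#ifndef OPENSSL_NO_ENGINE` / `#endif`, as the removed lines did. The function containing the later call, `main`, starts and ends outside the hunk.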
return 1;
}
-#ifndef HAVE_BN_GENCB_NEW
-BN_GENCB *BN_GENCB_new(void) {
- return xmalloc_and_zero(sizeof(BN_GENCB));
-}
-
-void BN_GENCB_free(BN_GENCB *cb) {
- free(cb);
-}
-#endif
-
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
if(show_version) {
printf("%s version %s\n", PACKAGE, VERSION);
- printf("Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.\n"
+ printf("Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"
init_configuration(&config_tree);
-#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OpenSSL_add_all_algorithms();
-#endif
if(generate_keys) {
read_server_config();
free(priority);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- EVP_cleanup();
- ERR_free_strings();
-#ifndef OPENSSL_NO_ENGINE
- ENGINE_cleanup();
-#endif
-#endif
-
exit_configuration(&config_tree);
list_delete_list(cmdline_conf);
free_names();