Require OpenSSL 1.1.0 or later. master
authorGuus Sliepen <guus@tinc-vpn.org>
Tue, 27 Jul 2021 13:10:15 +0000 (15:10 +0200)
committerGuus Sliepen <guus@tinc-vpn.org>
Tue, 27 Jul 2021 13:10:15 +0000 (15:10 +0200)
This gets rid of some backwards compatibility code, and avoids calling
deprecated OpenSSL functions.

COPYING
NEWS
README
configure.ac
doc/tinc.texi
m4/openssl.m4
src/connection.h
src/net_setup.c
src/protocol_key.c
src/subnet.c
src/tincd.c

diff --git a/COPYING b/COPYING
index 1a88dcf3d101ad8eb956fd24670d0c38cd7d78c5..1384f468e9049b71027656501d867d4a930c8a15 100644 (file)
--- a/COPYING
+++ b/COPYING
@@ -1,4 +1,4 @@
-Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.
+Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.
 See the AUTHORS file for a complete list.
 
 This program is free software; you can redistribute it and/or modify it under
diff --git a/NEWS b/NEWS
index 4a342f7e8cead421763884fdbe4121f054ba34fb..c587e8764eb3fa1a9f03c2f6ba8f63bc82b90918 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,21 @@
+Version 1.0.36               August 26 2019
+
+ * Fix compiling tinc with certain versions of the OpenSSL library.
+ * Fix parsing some IPv6 addresses with :: in them.
+ * Fix GraphDumpFile output to handle node names starting with a digit.
+ * Fix a potential segmentation fault when fragmenting packets.
+
+Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their
+contributions to this version of tinc.
+
 Version 1.0.35               October 5 2018
 
  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
+ * Minor fixes in the documentation.
+
+Thanks to Amine Amri and Rafael Sadowski for their contributions to this
+version of tinc.
 
 Version 1.0.34               June 12 2018
 
diff --git a/README b/README
index f47cc299484bc10bd42504f3ea01e1f2adb830a8..2f7856132b0fa1f87d065623a9a8ed9b80e6b0c6 100644 (file)
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
-This is the README file for tinc version 1.0.35. Installation
+This is the README file for tinc version 1.0.36. Installation
 instructions may be found in the INSTALL file.
 
-tinc is Copyright (C) 1998-2018 by:
+tinc is Copyright (C) 1998-2019 by:
 
 Ivo Timmermans,
 Guus Sliepen <guus@tinc-vpn.org>,
@@ -69,7 +69,7 @@ Requirements
 ------------
 
 The OpenSSL library is used for all cryptographic functions. You can find it at
-https://www.openssl.org/. You will need version 1.0.1 or later with support for
+https://www.openssl.org/. You will need version 1.1.0 or later with support for
 AES256 and SHA256 enabled. If this library is not installed on your system, the
 configure script will fail.  The manual in doc/tinc.texi contains more detailed
 information on how to install this library. Alternatively, you may also use the
index 6de03132d2a94460f67d8e3bd37916b6d14495a3..ca2948aa5392d685a119dd4e3ba48157c891f7fd 100644 (file)
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.35])
+AC_INIT([tinc], [1.0.36])
 AC_CONFIG_SRCDIR([src/tincd.c])
 AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
 AC_CONFIG_HEADERS([config.h])
@@ -237,7 +237,7 @@ AC_ARG_ENABLE(jumbograms,
   ]
 )
 
-dnl Ensure runstatedir is set if we are using a version of autoconf that does not suppport it
+dnl Ensure runstatedir is set if we are using a version of autoconf that does not support it
 if test "x$runstatedir" = "x"; then
   AC_SUBST([runstatedir], ['${localstatedir}/run'])
 fi
index c3fbdaede1fdcac4a1a6f27963a9b9d86ac9ab5d..0420e6f6fe22f09509a27dfa37c8442717007a16 100644 (file)
@@ -15,7 +15,7 @@
 
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
 
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
 
@@ -39,7 +39,7 @@ permission notice identical to this one.
 @vskip 0pt plus 1filll
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
 
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
 
index 895c31aa0d09ff374a27274f8f7aabfe8b3046de..99023c2493058a2881f320a522741066d3293a0d 100644 (file)
@@ -35,24 +35,15 @@ AC_DEFUN([tinc_OPENSSL],
      LDFLAGS="$LDFLAGS -L$withval"]
   )
 
-  AC_CHECK_HEADERS(openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h,
+  AC_CHECK_HEADERS([openssl/evp.h openssl/rsa.h openssl/rand.h openssl/err.h openssl/sha.h openssl/pem.h openssl/engine.h],
     [],
     [AC_MSG_ERROR([LibreSSL/OpenSSL header files not found.]); break]
   )
 
-  AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
+  AC_CHECK_LIB(crypto, OPENSSL_init_crypto,
     [LIBS="-lcrypto $LIBS"],
     [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
   )
 
-  AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
-    [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
-  )
-
-  AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
-    [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
-    [#include <openssl/evp.h>]
-  )
-
-  AC_CHECK_FUNCS([BN_GENCB_new RSA_set0_key], , , [#include <openssl/rsa.h>])
+  AC_DEFINE(HAVE_OPENSSL, 1, [enable OpenSSL support])
 ])
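Review bot: The new `AC_CHECK_LIB(crypto, OPENSSL_init_crypto, ...)` only proves that one symbol links; it does not enforce the 1.1.0 minimum that the README change and the commit message promise, and with the `EVP_aes_256_cfb` and `RSA_set0_key` probes gone, a libcrypto built without AES or a LibreSSL that lacks a symbol now fails somewhere in the compile instead of at configure time with a clear message. An explicit preprocessor check on `OPENSSL_VERSION_NUMBER` from `<openssl/opensslv.h>` restores that message; LibreSSL reports 0x20000000L there, so it is not locked out. I would add the check below between the library probe and the `AC_DEFINE`.
```m4
  AC_MSG_CHECKING([for OpenSSL 1.1.0 or later])
  AC_PREPROC_IFELSE([AC_LANG_SOURCE([[
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#error OpenSSL too old
#endif
  ]])],
    [AC_MSG_RESULT([yes])],
    [AC_MSG_RESULT([no]); AC_MSG_ERROR([OpenSSL 1.1.0 or later is required.])]
  )

  AC_DEFINE(HAVE_OPENSSL, 1, [enable OpenSSL support])
```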
index d619e85cf64f7dcabd973e4578939eb315f256b2..629e16b9cc1bc555db64ce91a2abede82865f24c 100644 (file)
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_cleanup(c)
-#endif
-
 #include "avl_tree.h"
 
 #define OPTION_INDIRECT         0x0001
index f26007bda07ff27d248f98166f0133fce2a2e8e3..501fecd385770ada23842b4de74966157b1e4977 100644 (file)
 char *myport;
 devops_t devops;
 
-#ifndef HAVE_RSA_SET0_KEY
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-       BN_free(r->n);
-       r->n = n;
-       BN_free(r->e);
-       r->e = e;
-       BN_free(r->d);
-       r->d = d;
-       return 1;
-}
-#endif
-
 bool read_rsa_public_key(connection_t *c) {
        FILE *fp;
        char *pubname;
index 6140a5321ece9be3815d03a9a689c4f14c36084d..d4a0b17401b3e31743170870291dfb96c520518d 100644 (file)
@@ -131,6 +131,12 @@ bool req_key_h(connection_t *c) {
        /* Check if this key request is for us */
 
        if(to == myself) {                      /* Yes, send our own key back */
+               if(!from->status.reachable) {
+                       logger(LOG_WARNING, "Got %s from %s (%s) origin %s which is not reachable",
+                              "REQ_KEY", c->name, c->hostname, from_name);
+                       return true;
+               }
+
                if(!send_ans_key(from)) {
                        return false;
                }
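Review bot: The added reachability guard at the top of the `to == myself` branch changes protocol behaviour — a REQ_KEY from an origin we have no route to is now logged and dropped instead of answered — but nothing in the hunk says why, and the change is unrelated to the OpenSSL bump the commit message describes. I would add a comment above it such as `/* Never answer a key request for an origin we cannot reach; presumably send_ans_key() needs a valid path back to it. */` and mention the change in the commit message. It is also worth asking whether the same check should sit before the `to == myself` test, since a request from an unreachable origin that we would forward to another node looks equally suspect; that is a judgement call I cannot settle from this hunk. req_key_h() starts and ends outside the hunk.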
index 0939d4c1f4e7a48144f87a734a27f45188af4a28..da69810cf980e53393338469248e360d62020ec1 100644 (file)
@@ -1,6 +1,6 @@
 /*
     subnet.c -- handle subnet lookups and lists
-    Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2019 Guus Sliepen <guus@tinc-vpn.org>,
                   2000-2005 Ivo Timmermans
 
     This program is free software; you can redistribute it and/or modify
@@ -205,7 +205,7 @@ void subnet_del(node_t *n, subnet_t *subnet) {
 /* Ascii representation of subnets */
 
 bool str2net(subnet_t *subnet, const char *subnetstr) {
-       char str[1024];
+       char str[64];
        strncpy(str, subnetstr, sizeof(str));
        str[sizeof(str) - 1] = 0;
        int consumed;
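Review bot: Shrinking `str` to 64 bytes is fine for every well-formed subnet (an IPv6 address with `/128` and a `#weight` suffix is well under that), but the `strncpy` plus manual terminator still silently truncates anything longer, so an over-long configuration line is parsed from its first 63 bytes rather than rejected; whether the truncated prefix can then parse differently from what the user wrote depends on the separator handling further down, which is outside this hunk. Rejecting over-long input up front is cheaper and unambiguous: `if(strlen(subnetstr) >= sizeof(str)) { return false; }` before the copy, with a comment recording the bound, e.g. `/* Longest valid form: IPv6 address, /prefix and #weight — well under 64 bytes. */`. str2net() continues past the end of the hunk.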
@@ -270,7 +270,7 @@ bool str2net(subnet_t *subnet, const char *subnetstr) {
                return true;
        }
 
-       if(sscanf(str, "%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !str[consumed]) {
+       if(inet_pton(AF_INET, str, &subnet->net.ipv4.address)) {
                if(prefixlength == -1) {
                        prefixlength = 32;
                }
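Review bot: `inet_pton()` returns 1 on success, 0 for an unparsable string and -1 when the address family is unsupported, so the truthy test on the new `if(inet_pton(AF_INET, str, &subnet->net.ipv4.address))` line would treat the -1 case as a successful parse and return a subnet whose address was never written. With a compile-time `AF_INET` that path is unlikely on any libc that ships inet_pton, but the correct idiom costs nothing: `if(inet_pton(AF_INET, str, &subnet->net.ipv4.address) == 1) {`. Note also that `inet_pton()` is stricter than the removed `%hu.%hu.%hu.%hu` scan (for example it rejects octets with leading zeros on glibc), which is a deliberate tightening but may bite existing configurations; and the hunk does not show the `<arpa/inet.h>` (or Winsock) include, so confirm it is already pulled in by a project header. str2net() starts and ends outside the hunk.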
@@ -283,71 +283,10 @@ bool str2net(subnet_t *subnet, const char *subnetstr) {
                subnet->net.ipv4.prefixlength = prefixlength;
                subnet->weight = weight;
 
-               for(int i = 0; i < 4; i++) {
-                       if(x[i] > 255) {
-                               return false;
-                       }
-
-                       subnet->net.ipv4.address.x[i] = x[i];
-               }
-
                return true;
        }
 
-       /* IPv6 */
-
-       char *last_colon = strrchr(str, ':');
-
-       if(last_colon && sscanf(last_colon, ":%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !last_colon[consumed]) {
-               /* Dotted quad suffix notation, convert to standard IPv6 notation */
-               for(int i = 0; i < 4; i++)
-                       if(x[i] > 255) {
-                               return false;
-                       }
-
-               snprintf(last_colon, sizeof(str) - (last_colon - str), ":%02x%02x:%02x%02x", x[0], x[1], x[2], x[3]);
-       }
-
-       char *double_colon = strstr(str, "::");
-
-       if(double_colon) {
-               /* Figure out how many zero groups we need to expand */
-               int zero_group_count = 8;
-
-               for(const char *cur = str; *cur; cur++)
-                       if(*cur != ':') {
-                               zero_group_count--;
-
-                               while(cur[1] && cur[1] != ':') {
-                                       cur++;
-                               }
-                       }
-
-               if(zero_group_count < 1) {
-                       return false;
-               }
-
-               /* Split the double colon in the middle to make room for zero groups */
-               double_colon++;
-               memmove(double_colon + (zero_group_count * 2 - 1), double_colon, strlen(double_colon) + 1);
-
-               /* Write zero groups in the resulting gap, overwriting the second colon */
-               for(int i = 0; i < zero_group_count; i++) {
-                       memcpy(&double_colon[i * 2], "0:", 2);
-               }
-
-               /* Remove any leading or trailing colons */
-               if(str[0] == ':') {
-                       memmove(&str[0], &str[1], strlen(&str[1]) + 1);
-               }
-
-               if(str[strlen(str) - 1] == ':') {
-                       str[strlen(str) - 1] = 0;
-               }
-       }
-
-       if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx%n",
-                       &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &consumed) >= 8 && !str[consumed]) {
+       if(inet_pton(AF_INET6, str, &subnet->net.ipv6.address)) {
                if(prefixlength == -1) {
                        prefixlength = 128;
                }
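Review bot: The same -1 hazard applies to the new `if(inet_pton(AF_INET6, str, &subnet->net.ipv6.address))` line: a non-positive return other than 0 is currently treated as a successful parse, leaving `subnet->net.ipv6.address` unset while the function reports success, so compare against 1 explicitly: `if(inet_pton(AF_INET6, str, &subnet->net.ipv6.address) == 1) {`. Replacing the hand-rolled `::` expansion with `inet_pton()` is a clear improvement — the removed code did in-place `memmove`s inside a fixed buffer and accepted `sscanf` `%hx` quirks such as an optional `0x` prefix — but it is a behavioural change that the NEWS entry should describe as such rather than only as a fix. `inet_pton()` writes 16 bytes into `subnet->net.ipv6.address`; the old code filled eight `uint16_t` slots, so the field presumably has that size, but it is worth confirming. str2net() starts before the hunk and continues after it.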
@@ -360,10 +299,6 @@ bool str2net(subnet_t *subnet, const char *subnetstr) {
                subnet->net.ipv6.prefixlength = prefixlength;
                subnet->weight = weight;
 
-               for(int i = 0; i < 8; i++) {
-                       subnet->net.ipv6.address.x[i] = htons(x[i]);
-               }
-
                return true;
        }
 
@@ -376,47 +311,58 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
                return false;
        }
 
+       int result;
+       int prefixlength = -1;
+
        switch(subnet->type) {
        case SUBNET_MAC:
-               snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d",
+               snprintf(netstr, len, "%02x:%02x:%02x:%02x:%02x:%02x",
                         subnet->net.mac.address.x[0],
                         subnet->net.mac.address.x[1],
                         subnet->net.mac.address.x[2],
                         subnet->net.mac.address.x[3],
                         subnet->net.mac.address.x[4],
-                        subnet->net.mac.address.x[5],
-                        subnet->weight);
+                        subnet->net.mac.address.x[5]);
                break;
 
        case SUBNET_IPV4:
-               snprintf(netstr, len, "%u.%u.%u.%u/%d#%d",
-                        subnet->net.ipv4.address.x[0],
-                        subnet->net.ipv4.address.x[1],
-                        subnet->net.ipv4.address.x[2],
-                        subnet->net.ipv4.address.x[3],
-                        subnet->net.ipv4.prefixlength,
-                        subnet->weight);
+               inet_ntop(AF_INET, &subnet->net.ipv4.address, netstr, len);
+               prefixlength = subnet->net.ipv4.prefixlength;
+
+               if(prefixlength == 32) {
+                       prefixlength = -1;
+               }
+
                break;
 
-       case SUBNET_IPV6:
-               snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d",
-                        ntohs(subnet->net.ipv6.address.x[0]),
-                        ntohs(subnet->net.ipv6.address.x[1]),
-                        ntohs(subnet->net.ipv6.address.x[2]),
-                        ntohs(subnet->net.ipv6.address.x[3]),
-                        ntohs(subnet->net.ipv6.address.x[4]),
-                        ntohs(subnet->net.ipv6.address.x[5]),
-                        ntohs(subnet->net.ipv6.address.x[6]),
-                        ntohs(subnet->net.ipv6.address.x[7]),
-                        subnet->net.ipv6.prefixlength,
-                        subnet->weight);
+       case SUBNET_IPV6: {
+               inet_ntop(AF_INET6, &subnet->net.ipv6.address, netstr, len);
+               prefixlength = subnet->net.ipv6.prefixlength;
+
+               if(prefixlength == 128) {
+                       prefixlength = -1;
+               }
+
                break;
+       }
 
        default:
-               logger(LOG_ERR,
-                      "net2str() was called with unknown subnet type %d, exiting!",
-                      subnet->type);
-               exit(0);
+               logger(LOG_ERR, "net2str() was called with unknown subnet type %d, exiting!", subnet->type);
+               exit(1);
+       }
+
+       size_t used = strlen(netstr);
+       netstr += used;
+       len -= used;
+
+       if(prefixlength >= 0) {
+               result = snprintf(netstr, len, "/%d", prefixlength);
+               netstr += result;
+               len -= result;
+       }
+
+       if(subnet->weight != 10) {
+               snprintf(netstr, len, "#%d", subnet->weight);
        }
 
        return true;
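Review bot: The new suffix-appending tail is not truncation-safe: `snprintf()` returns the length it would have written, so when `/%d` does not fit, `netstr += result; len -= result;` moves the pointer past the end of the caller's buffer and makes `len` negative, and the following `snprintf(netstr, len, "#%d", ...)` then receives that negative value converted to a huge `size_t` — an out-of-bounds write where the old single-`snprintf` code merely truncated. In the same tail, `inet_ntop()`'s return value is never checked; on failure the buffer contents are unspecified and `strlen(netstr)` reads whatever was there. I would check `inet_ntop()` in both address cases and stop after any truncated `snprintf()`; the buffer stays NUL-terminated either way, so callers that ignore the return value are still safe, but whether callers treat `false` as fatal is not visible here. net2str() begins before this hunk and its closing brace is after it.
```c
	case SUBNET_IPV4:
		if(!inet_ntop(AF_INET, &subnet->net.ipv4.address, netstr, len)) {
			return false;
		}

		/* … unchanged: prefixlength handling … */
		break;

	/* … unchanged: SUBNET_IPV6 with the same NULL check on inet_ntop(), default case … */

	size_t used = strlen(netstr);
	netstr += used;
	len -= used;

	if(prefixlength >= 0) {
		result = snprintf(netstr, len, "/%d", prefixlength);

		/* A negative or over-long result means error or truncation;
		   snprintf() has already NUL-terminated, so stop rather than
		   advance past the end of the caller's buffer. */
		if(result < 0 || result >= len) {
			return false;
		}

		netstr += result;
		len -= result;
	}

	if(subnet->weight != 10) {
		snprintf(netstr, len, "#%d", subnet->weight);
	}
```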
index e8a60449aa8412ced9ff62ce39c49979dc8aee13..c1f2e5a2b16d93deeb032885d18d36573c0687d7 100644 (file)
@@ -1,7 +1,7 @@
 /*
     tincd.c -- the main file for tincd
     Copyright (C) 1998-2005 Ivo Timmermans
-                  2000-2018 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2019 Guus Sliepen <guus@tinc-vpn.org>
                   2008      Max Rijevski <maksuf@gmail.com>
                   2009      Michael Tokarev <mjt@tls.msk.ru>
                   2010      Julien Muchembled <jm@jmuchemb.eu>
@@ -37,9 +37,7 @@
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
-#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
-#endif
 #include <openssl/bn.h>
 
 #ifdef HAVE_LZO
@@ -404,16 +402,6 @@ static int indicator(int a, int b, BN_GENCB *cb) {
        return 1;
 }
 
-#ifndef HAVE_BN_GENCB_NEW
-BN_GENCB *BN_GENCB_new(void) {
-       return xmalloc_and_zero(sizeof(BN_GENCB));
-}
-
-void BN_GENCB_free(BN_GENCB *cb) {
-       free(cb);
-}
-#endif
-
 /*
   Generate a public/private RSA keypair, and ask for a file to store
   them in.
@@ -654,7 +642,7 @@ int main(int argc, char **argv) {
 
        if(show_version) {
                printf("%s version %s\n", PACKAGE, VERSION);
-               printf("Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.\n"
+               printf("Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.\n"
                       "See the AUTHORS file for a complete list.\n\n"
                       "tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,\n"
                       "and you are welcome to redistribute it under certain conditions;\n"
@@ -688,14 +676,7 @@ int main(int argc, char **argv) {
 
        init_configuration(&config_tree);
 
-#ifndef OPENSSL_NO_ENGINE
        ENGINE_load_builtin_engines();
-       ENGINE_register_all_complete();
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       OpenSSL_add_all_algorithms();
-#endif
 
        if(generate_keys) {
                read_server_config();
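Review bot: Dropping the `#ifndef OPENSSL_NO_ENGINE` guard around `ENGINE_load_builtin_engines()` here (and around the `<openssl/engine.h>` include earlier in this file) means a libcrypto configured with `no-engine`, or an OpenSSL 3.x build with the deprecated ENGINE API disabled, no longer compiles — the opposite of the commit's stated goal of avoiding deprecated functions. The hunk also removes `ENGINE_register_all_complete()` while keeping the load call, which presumably leaves builtin engines loaded but not registered as default implementations; if that is not intended, it should be restored, and either way the guard should stay: `#ifndef OPENSSL_NO_ENGINE` / `ENGINE_load_builtin_engines();` / `#endif`. A one-line comment explaining why engines are still wanted under a 1.1.0-only build would help the next reader. main() starts and ends outside the hunk.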
@@ -814,14 +795,6 @@ end:
 
        free(priority);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-       EVP_cleanup();
-       ERR_free_strings();
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE_cleanup();
-#endif
-#endif
-
        exit_configuration(&config_tree);
        list_delete_list(cmdline_conf);
        free_names();