From 558fa3fbbb2e6fd1bed6dec54ef603ceb6c943ad Mon Sep 17 00:00:00 2001
From: Stephen Early
Date: Mon, 24 Sep 2001 17:25:00 +0100
Subject: [PATCH] Import release 0.09

---
 CREDITS | 3 +
 INSTALL | 20 +++--
 Makefile.in | 4 +-
 README | 251 ++++++++++++++++++++++++++++++++++++++++------------
 conffile.fl | 2 +
 conffile.y | 2 +-
 site.c | 12 ++-
 7 files changed, 229 insertions(+), 65 deletions(-)
 create mode 100644 CREDITS

diff --git a/CREDITS b/CREDITS
new file mode 100644
index 0000000..860e299
--- /dev/null
+++ b/CREDITS
@@ -0,0 +1,3 @@
+Stephen Early - original author
+Ross Anderson, Eli Biham, Lars Knudsen - serpent
+Colin Plumb, Ian Jackson - MD5 implementation
diff --git a/INSTALL b/INSTALL
index 81292a1..db1fabf 100644
--- a/INSTALL
+++ b/INSTALL
@@ -65,6 +65,16 @@ $ ./configure
 $ make
 # make install
+(Note: you may see the following warning while compiling
+conffile.tab.c; I believe this is a bison bug:
+/usr/share/bison/bison.simple: In function `yyparse':
+/usr/share/bison/bison.simple:285: warning: `yyval' might be used
+ uninitialized in this function
+)
+
+Any other warnings or errors should be reported to
+steve@greenend.org.uk.
+
 If installing for the first time, do
 # mkdir /etc/secnet
@@ -78,8 +88,8 @@ $ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
 XXX this should eventually be worked out automatically by 'configure'.]
 Generate a site file fragment for your site (see below), and submit it
-for inclusion in the vpn-sites file. Download the vpn-sites file to
-/etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
+for inclusion in your VPN's 'sites' file. Download the vpn-sites file
+to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
 sites file contains public keys for all the sites in the VPN.
 * Configuration
@@ -116,9 +126,9 @@ match the port number on the machine running secnet.
 6. the public part of the RSA key you generated during installation
 (in /etc/secnet/key.pub if you followed the installation
 instructions). This file contains three numbers and a comment on one
-line. The first number is the key length in bits, and can be ignored.
-The second number (typically small) is the encryption key 'e', and the
-third number (large) is the modulus 'n'.
+line. The first number is the key length in bits, and should be
+ignored. The second number (typically small) is the encryption key
+'e', and the third number (large) is the modulus 'n'.
 If you are running secnet on a particularly slow machine, you may like
 to specify a larger value for the key setup retry timeout than the
diff --git a/Makefile.in b/Makefile.in
index d910766..5465a36 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -18,7 +18,7 @@
 .PHONY: all clean realclean dist install
 PACKAGE:=secnet
-VERSION:=0.08
+VERSION:=0.09
 @SET_MAKE@
@@ -47,7 +47,7 @@ OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \
 resolver.o random.o udp.o site.o transform.o netlink.o rsa.o dh.o \
 serpent.o md5.o version.o
-DISTFILES:=COPYING INSTALL Makefile.in NOTES README TODO conffile.c \
+DISTFILES:=COPYING CREDITS INSTALL Makefile.in NOTES README TODO conffile.c \
 conffile.fl conffile.h conffile.y conffile_internal.h config.h.bot \
 config.h.in config.h.top configure configure.in dh.c \
 example-sites-file example.conf install.sh linux md5.c md5.h \
diff --git a/README b/README
index b6e8e55..14b7ad3 100644
--- a/README
+++ b/README
@@ -1,55 +1,196 @@
-XXX under construction. For now, here are the comments that used to be
-at the top of the example configuration file:
-
-# This file defines a dictionary full of configuration information for
-# secnet. Two keys must be defined in this file for secnet to
-# start. One is "system", a dictionary containing systemwide control
-# parameters. The other is "sites", a list of all the sites that you
-# intend to communicate with.
-
-# Other files can be included inline by writing "include filename" at
-# the start of a line.
-
-# The configuration file has a fairly simple syntax:
-# key definition; or key = definition; (the "=" is optional)
-# ...sets 'key' in the current dictionary to 'definition'.
-#
-# "key" is [[:alpha:]_][[:alnum:]\-_]*
-#
-# definition may be one of the following:
-# a string, in quotes
-# a number, in decimal
-# a dictionary, in { }
-# a path to a key that already exists, to reference that definition
-# a "closure", followed by arguments
-#
-# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in
-# the current dictionary or any of its parents)
-# alternatively /key1/key2/key3... (to start from the root)
-#
-# closures are followed by an argument list in ( ), and may return
-# whatever type they like (including other closures)
-#
-# closure { definitions } is short for closure({definitions}).
-#
-# Whenever secnet looks for a key it checks the (lexical) parent dictionaries
-# as well until it finds it or reaches the root. This is useful for setting
-# defaults for large collections of dictionaries (eg. defining sites).
-#
-# It is also permissible to list other dictionaries before a dictionary
-# definition, eg. {definitions}. These will be
-# searched in order for keys, before the lexical parent. (Not yet implemented)
-#
-# secnet predefines some keys in the root dictionary; some useful ones are:
-# yes, true, True, TRUE: the boolean value True
-# no, false, False, FALSE: the boolean value False
-# makelist: turns a dictionary (arg1) into a list (return value)
-# readfile: reads a file (arg1) and returns it as a string
-#
-# secnet modules also predefine keys, eg. "adns", "randomfile", etc.
-# See the module documentation for more information.
-
-# After the configuration file is read, secnet looks for particular keys
-# in configuration space to tell it what to do:
-# system: system-wide parameters (control, logging, etc.)
-# sites: a list of sites with which to communicate
+secnet - flexible VPN software
+
+* Introduction
+
+secnet allows large virtual private networks to be constructed
+spanning multiple separate sites. It is designed for the case where a
+private network connecting many hosts is 'hidden' behind a single
+globally-routable IP address, but can also be applied in other
+circumstances. It communicates entirely using UDP, and works well
+with gateways that implement network address translation.
+
+If you are installing secnet to join an existing VPN, you should read
+the 'INSTALL' file and your particular VPN's documentation now. You
+may need to refer back to this file for information on the netlink and
+comm sections of the configuration file.
+
+If you are thinking about setting up a new VPN of any size (from one
+providing complete links between multiple sites to a simple
+laptop-to-host link), read the section in this file on 'Creating a
+VPN'.
+
+* Creating a VPN
+
+XXX TODO
+
+* secnet configuration file format
+
+By default secnet on linux reads /etc/secnet/secnet.conf. The default
+may be different on other platforms.
+
+This file defines a dictionary (a mapping from keys to values) full of
+configuration information for secnet. Two keys must be defined in
+this file for secnet to start. One is "system", a dictionary
+containing systemwide control parameters. The other is "sites", a
+list of all the sites that you intend to communicate with.
+
+The configuration file has a very simple syntax; keys are defined as
+follows:
+
+key definition;
+or
+key = definition;
+
+(the "=" is optional)
+
+Keys must match the following regular expression:
+[[:alpha:]_][[:alnum:]\-_]*
+
+i.e. the first character must be an alpha or an underscore, and the
+remaining characters may be alphanumeric, '-' or '_'.
+
+Keys can be defined to be a comma-separated list of any of the
+following types:
+
+ a boolean
+ a string, in quotes
+ a number, in decimal
+ a dictionary of definitions, enclosed in { }
+ a "closure", followed by arguments
+ a path to a key that already exists, to reference that definition
+
+Note that dictionaries can be nested: a key in one dictionary can
+refer to another dictionary. When secnet looks for a key in a
+particular directory and can't find it, it looks in the dictionary's
+lexical 'parents' in turn until it finds it (or fails to find it at
+all and stops with an error).
+
+Definitions can refer to previous definitions by naming them with a
+path. Paths are key1/key2/key3... (starting from wherever we find
+key1, i.e. in the current dictionary or any of its parents), or
+alternatively /key1/key2/key3... (to start from the root).
+Definitions cannot refer to future definitions.
+
+Example:
+
+a=1;
+b=2;
+c={ d=3; e=a; };
+f={ a=4; g=c; };
+
+The following paths are valid:
+a is 1
+b is 2
+c is a dictionary:
+ c/d is 3
+ c/e is 1
+f is a dictionary:
+ f/a is 4
+ f/g is a dictionary:
+ f/g/d is 3
+ f/g/e is 1
+
+Note that f/g/e is NOT 4.
+
+In a future version of secnet it will also be permissible to list
+other dictionaries before a dictionary definition,
+eg. {definitions}. These will be searched in
+order for keys, before the lexical parent. (This is not yet
(This is not yet +implemented) + +Elements that are lists are inserted into lists in definitions, not +referenced by them (i.e. you can't have lists of lists). + +Some closures may be followed by an argument list in ( ), and may +return any number of whatever type they like (including other +closures). Some types of closure (typically those returned from +invokations of other closures) cannot be invoked. + +closure { definitions } is short for closure({definitions}). + +The main body of secnet, and all the additional modules, predefine +some keys in the root dictionary. The main ones are: + + yes, true, True, TRUE: the boolean value True + no, false, False, FALSE: the boolean value False + makelist: turns a dictionary (arg1) into a list of definitions + (ignoring the keys) + readfile: reads a file (arg1) and returns it as a string + +Keys defined by modules are described below, in the module +documentation. + +Other configuration files can be included inline by writing "include +filename" at the start of a line. 
+
+After the configuration file is read, secnet looks for particular keys
+in configuration space to tell it what to do:
+
+ system: a dictionary which can contain the following keys:
+ log (log closure): a destination for system messages
+ userid (string): the userid for secnet to run as once it drops privileges
+ pidfile (string): where to store its PID
+
+ sites: a list of closures of type 'site', which define other tunnel
+ endpoints that secnet will attempt to communicate with
+
+* secnet command line options
+
+XXX TODO
+
+* secnet builtin modules
+
+** resolver
+
+Defines:
+ adns (closure => resolver closure)
+
+** random
+
+Defines:
+ randomsrc (closure => randomsrc closure)
+
+** udp
+
+Defines:
+ udp (closure => comm closure)
+
+** util
+
+Defines:
+ logfile (closure => log closure)
+ sysbuffer (closure => buffer closure)
+
+** site
+
+Defines:
+ site (closure => site closure)
+
+** transform
+
+Defines:
+ serpent256-cbc (closure => transform closure)
+
+** netlink
+
+Defines:
+ userv-ipif (closure => netlink closure)
+ tun (closure => netlink closure) [only on linux-2.4]
+ tun-old (closure => netlink closure)
+ null-netlink (closure => netlink closure)
+
+** rsa
+
+Defines:
+ rsa-private (closure => rsaprivkey closure)
+ rsa-public (closure => rsapubkey closure)
+
+** dh
+
+Defines:
+ diffie-hellman (closure => dh closure)
+
+** md5
+
+Defines:
+ md5 (hash closure)
diff --git a/conffile.fl b/conffile.fl
index 2142ff3..c1b4b04 100644
--- a/conffile.fl
+++ b/conffile.fl
@@ -10,6 +10,8 @@
 #include "conffile.tab.h"
 #include "util.h"
+#define YY_NO_UNPUT
+
 #define MAX_INCLUDE_DEPTH 10
 struct include_stack_item {
 YY_BUFFER_STATE bst;
diff --git a/conffile.y b/conffile.y
index b6b246c..cd53b7c 100644
--- a/conffile.y
+++ b/conffile.y
@@ -23,7 +23,7 @@ static void yyerror(char *s);
 %%
-input: assignments { result = $1; }
+input: assignments { result = $1; $$=result; }
 ;
 assignments: assignments assignment { $$=node(T_ALIST, $2, $1); }
diff --git a/site.c b/site.c
index 5b8227e..22f1575 100644
--- a/site.c
+++ b/site.c
@@ -1090,17 +1090,25 @@ static list_t *site_apply(closure_t *self, struct cloc loc, dict_t *context,
     cfgfatal(loc,"site","parameter must be a dictionary\n");
     dict=item->data.dict;
+    st->localname=dict_read_string(dict, "local-name", True, "site", loc);
+    st->remotename=dict_read_string(dict, "name", True, "site", loc);
+    /* Sanity check (which also allows the 'sites' file to include
+       site() closures for all sites including our own): refuse to
+       talk to ourselves */
+    if (strcmp(st->localname,st->remotename)==0) {
+        Message(M_INFO,"site %s: talking to ourselves!\n",st->localname);
+        free(st);
+        return NULL;
+    }
     st->netlink=find_cl_if(dict,"netlink",CL_NETLINK,True,"site",loc);
     st->comm=find_cl_if(dict,"comm",CL_COMM,True,"site",loc);
     st->resolver=find_cl_if(dict,"resolver",CL_RESOLVER,True,"site",loc);
     st->log=find_cl_if(dict,"log",CL_LOG,True,"site",loc);
     st->random=find_cl_if(dict,"random",CL_RANDOMSRC,True,"site",loc);
-    st->localname=dict_read_string(dict, "local-name", True, "site", loc);
     st->privkey=find_cl_if(dict,"local-key",CL_RSAPRIVKEY,True,"site",loc);
     st->remoteport=dict_read_number(dict,"port",True,"site",loc,0);
-    st->remotename=dict_read_string(dict, "name", True, "site", loc);
     st->address=dict_read_string(dict, "address", False, "site", loc);
     dict_read_subnet_list(dict, "networks", True, "site", loc, &st->remotenets);
-- 
2.30.2
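Review bot: The self-talk branch ending in `free(st)` releases only the site struct and says nothing about the two strings just stored in `st->localname` and `st->remotename`; whether `dict_read_string` hands back memory owned by the dictionary or a fresh copy is not visible in this hunk, and if it is a copy both strings leak on this path, as does anything `st` already owned from the lines above the hunk. The early `return NULL` also makes `site_apply` return something other than a list, so it relies on the caller treating NULL as "no site"; assuming the caller already does, a one-line comment there, `/* NULL: this closure contributes no site to the 'sites' list */`, would pin that contract for the next reader. Note that the check is an exact, case-sensitive `strcmp` of the configured names, so it only recognises our own entry when `local-name` and `name` are spelled identically; that is adequate for a sanity check but it is not a substitute for the key-based identity checks performed elsewhere. `site_apply` begins and ends outside the hunk.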