From 974d0468ad285d9ddbc5b052110076d7adf0ed2e Mon Sep 17 00:00:00 2001 From: Stephen Early Date: Sun, 23 Sep 2001 21:49:00 +0100 Subject: [PATCH] Import release 0.06 --- INSTALL | 83 ++++++++++----------- Makefile.in | 78 ++++++++++++++++--- NOTES | 76 ++++--------------- TODO | 6 +- conffile.fl | 19 ++++- config.h.top | 23 ------ configure | 206 +++++++++++++++++++++++++-------------------------- configure.in | 2 +- example.conf | 2 + myrddin.pub | 1 - private-key | Bin 528 -> 0 bytes secnet.c | 5 +- testconfig | 156 -------------------------------------- testconfigz | 153 -------------------------------------- testsites | 27 ------- 15 files changed, 247 insertions(+), 590 deletions(-) delete mode 100644 myrddin.pub delete mode 100644 private-key delete mode 100644 testconfig delete mode 100644 testconfigz delete mode 100644 testsites diff --git a/INSTALL b/INSTALL index bfb9afd..2001fa8 100644 --- a/INSTALL +++ b/INSTALL @@ -1,6 +1,6 @@ INSTALLATION INSTRUCTIONS for SECNET -USE AT YOUR OWN RISK. THIS IS ALPHA QUALITY SOFTWARE. I DO NOT +USE AT YOUR OWN RISK. THIS IS ALPHA TEST SOFTWARE. I DO NOT GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT VERSIONS. 
@@ -12,14 +12,14 @@ Ensure that you have libgmp2-dev and adns installed (and bison and flex, and for that matter gcc...). If you intend to configure secnet to obtain packets from the kernel -through userv-ipif, install and configure userv-ipif. It is part of +through userv-ipif, install and configure userv-ipif. It is part of userv-utils, available from ftp.chiark.greenend.org.uk in /users/ian/userv If you intend to configure secnet to obtain packets from the kernel using the universal TUN/TAP driver, make sure it's configured in your -kernel (it's under "network device support" in Linux) and that you've -created the appropriate device files; see +kernel (it's under "network device support" in Linux-2.4) and that +you've created the appropriate device files; see linux/Documentation/networking/tuntap.txt If you're using TUN/TAP on a platform other than Linux-2.4, see 
@@ -27,36 +27,34 @@ http://vtun.sourceforge.net/tun/ Note than TUN comes in two flavours, one (called 'tun' in the secnet config file) which has only one device file (usually /dev/net/tun) and -the other (called 'tun-old') which has many device files -(/dev/tun*). Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris -have old-style TUN. Currently only new-style TUN has been tested with -secnet. +the other (called 'tun-old') which has many device files (/dev/tun*). +Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style +TUN. Currently only new-style TUN has been tested with secnet. ** System and network configuration -If you intend to start secnet as root, I suggest you create an userid -for it to run as once it's ready to drop its privileges. Example (on +If you intend to start secnet as root, I suggest you create a userid +for it to run as once it's ready to drop its privileges. Example (on Debian): # adduser --system --no-create-home secnet -You will need to allocate two IP addresses for use by secnet. One will -be for the tunnel interface on your tunnel endpoint machine (i.e. the -address you see in 'ifconfig' when you look at the tunnel -interface). The other will be for secnet itself. These addresses could -possibly be allocated from the range used by your internal network: if -you do this, you should think about providing appropriate proxy-ARP on -the machine running secnet for the two addresses. Alternatively the -addresses could be from some other range - this works well if the -machine running secnet is the default route out of your network. +You will need to allocate two IP addresses for use by secnet. One +will be for the tunnel interface on your tunnel endpoint machine (i.e. +the address you see in 'ifconfig' when you look at the tunnel +interface). The other will be for secnet itself. 
These addresses +could possibly be allocated from the range used by your internal +network: if you do this, you should think about providing appropriate +proxy-ARP on the machine running secnet for the two addresses. +Alternatively the addresses could be from some other range - this +works well if the machine running secnet is the default route out of +your network. http://www.ucam.org/cam-grin/ may be useful. Advanced users: secnet's IP address does not _have_ to be in the range of networks claimed by your end of the tunnel; it could be in the -range of networks claimed by the other end. Doing this is confusing, -but works (in the case where you can't get the administrator of the -other end to allocate an IP address for his copy of secnet [hint hint -Ian]). +range of networks claimed by the other end. Doing this is confusing, +but works. * Installation @@ -64,7 +62,7 @@ To install secnet do $ ./configure $ make -# cp secnet /usr/local/sbin/secnet +# make install # mkdir /etc/secnet # cp example.conf /etc/secnet/secnet.conf # cd /etc/secnet 
@@ -74,53 +72,52 @@ $ make your current configuration file.) Generate a site file fragment for your site (see below), and submit it -for inclusion in the vpn-sites file. Download the vpn-sites file to +for inclusion in the vpn-sites file. Download the vpn-sites file to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the sites file contains public keys for all the sites in the VPN. * Configuration Should be reasonably obvious - edit /etc/secnet/secnet.conf as -prompted by the comments. XXX Fuller documentation of the -configuration file format should be forthcoming in time. Its syntax is -described in the README file at the moment. +prompted by the comments. XXX Fuller documentation of the +configuration file format should be forthcoming in time. Its syntax +is described in the README file at the moment. * Constructing your site file fragment You need the following information: -1. a short name for your site, eg. "greenend". This is used to +1. a short name for your site, eg. "greenend". This is used to identify your site in the vpn-sites file. -2. the name your site will use in the key setup protocol, +2. the name your site will use in the key setup protocol, eg. "greenend" (these two will usually be similar or the same). -3. the DNS name of the machine that will be the "front-end" for your -secnet installation. This will typically be the name of the gateway -machine for your network, eg. sinister.dynamic.greenend.org.uk +3. the DNS name of the machine that will be the "front-end" for your +secnet installation. This will typically be the name of the gateway +machine for your network, eg. sinister.dynamic.greenend.org.uk secnet does not actually have to run on this machine, as long as the machine can be configured to forward UDP packets to the machine that is running secnet. -4. the port number used to contact secnet at your site. This is the +4. the port number used to contact secnet at your site. 
This is the port number on the front-end machine, and does not necessarily have to match the port number on the machine running secnet. -5. the list of networks accessible at your site over the VPN. +5. the list of networks accessible at your site over the VPN. -6. the public part of the RSA key you generated during installation +6. the public part of the RSA key you generated during installation (in /etc/secnet/key.pub if you followed the installation -instructions). This file contains three numbers and a comment on one -line. The first number is the key length in bits, and can be -ignored. The second number (typically small) is the encryption key -'e', and the third number (large) is the modulus 'n'. +instructions). This file contains three numbers and a comment on one +line. The first number is the key length in bits, and can be ignored. +The second number (typically small) is the encryption key 'e', and the +third number (large) is the modulus 'n'. If you are running secnet on a particularly slow machine, you may like to specify a larger value for the key setup retry timeout than the -default, to prevent unnecessary retransmissions of key setup -packets. See the notes in the example configuration file for more on -this. +default, to prevent unnecessary retransmissions of key setup packets. +See the notes in the example configuration file for more on this. The site file fragment should look something like this: diff --git a/Makefile.in b/Makefile.in index 1094ef4..2dea738 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,24 +1,59 @@ -.DUMMY: all clean realclean dist install +# Makefile for secnet +# Copyright (C) 1995-2001 Stephen Early + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +.PHONY: all clean realclean dist install PACKAGE:=secnet -VERSION:=0.05 +VERSION:=0.06 @SET_MAKE@ srcdir:=@srcdir@ VPATH:=@srcdir@ -CFLAGS:=@CFLAGS@ @DEFS@ -DVERSION=\"$(VERSION)\" -Wall -I. +SHELL:=/bin/sh +RM:=@RM@ +CC:=@CC@ +INSTALL:=@INSTALL@ +INSTALL_PROGRAM:=@INSTALL_PROGRAM@ +CFLAGS:=@CFLAGS@ @DEFS@ -Wall -I. LDFLAGS:=@LDFLAGS@ - LDLIBS:=@LIBS@ +prefix:=@prefix@ +exec_prefix:=@exec_prefix@ +sbindir:=@sbindir@ +sysconfdir:=@sysconfdir@ +transform:=@program_transform_name@ + TARGETS:=secnet OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \ resolver.o random.o udp.o site.o transform.o netlink.o rsa.o dh.o \ - serpent.o md5.o + serpent.o md5.o version.o + +DISTFILES:=COPYING INSTALL Makefile.in NOTES README TODO conffile.c \ + conffile.fl conffile.h conffile.y conffile_internal.h config.h.bot \ + config.h.in config.h.top configure configure.in dh.c \ + example-sites-file example.conf install.sh linux md5.c md5.h \ + modules.c modules.h netlink.c random.c resolver.c rsa.c \ + secnet.c secnet.h serpent.c serpent.h serpentsboxes.h \ + site.c transform.c udp.c util.c util.h %.c: %.y 
@@ -28,12 +63,31 @@ OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \ %.tab.c: %.y bison -d $< -RM:=@RM@ all: $(TARGETS) +Makefile: Makefile.in config.status + $(SHELL) config.status + +config.status: configure + $(srcdir)/configure --no-create + +$(OBJECTS): config.h secnet.h util.h +conffile.o conffile.tab.o conffile.yy.o: conffile.h conffile_internal.h +secnet.c: conffile.h +md5.o: md5.h +serpent.o transform.o: serpent.h +serpent.o: serpentsboxes.h +conffile.o: modules.h + secnet: $(OBJECTS) +version.c: Makefile + echo "char version[]=\"secnet-$(VERSION)\";" >version.c + +install: all + $(INSTALL_PROGRAM) secnet $(sbindir)/`echo secnet|sed '$(transform)'` + clean: $(RM) -f $(srcdir)/*.o $(srcdir)/*~ $(srcdir)/*.yy.c \ $(srcdir)/*.tab.[ch] @@ -43,10 +97,14 @@ realclean: clean $(srcdir)/config.log $(srcdir)/config.status $(srcdir)/config.cache \ $(srcdir)/Makefile.bak core -dist: realclean - (cd .. ; ln -s $(PACKAGE) $(PACKAGE)-$(VERSION) ; tar hcf - \ - $(PACKAGE)-$(VERSION) | \ - gzip -9 > $(PACKAGE)-$(VERSION).tar.gz ; rm $(PACKAGE)-$(VERSION) ) +pfname:=$(PACKAGE)-$(VERSION) +dist: + $(RM) -rf $(pfname) + mkdir $(pfname) + for i in $(DISTFILES) ; do ln -s ../$$i $(pfname)/ ; done + tar hcf ../$(pfname).tar $(pfname) + gzip -9f ../$(pfname).tar + $(RM) -rf $(pfname) conffile.yy.c: conffile.fl conffile.tab.c conffile.tab.c: conffile.y diff --git a/NOTES b/NOTES index 272e359..a815905 100644 --- a/NOTES +++ b/NOTES 
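Review bot: The new `install` target assumes `$(sbindir)` already exists, so on a fresh `--prefix` the `$(INSTALL_PROGRAM) secnet $(sbindir)/...` line fails because install does not create the destination directory. Add `$(INSTALL) -d $(sbindir)` as the first recipe line; the BSD-compatible install that configure now selects and the install.sh fallback it lists should both accept `-d`. Supporting a `DESTDIR` prefix on that destination would also let packagers stage the install, though nothing on the page requires it. Separately, `secnet.c: conffile.h` is the only dependency line whose target is a source file rather than an object; it probably should read `secnet.o: conffile.h` to match the surrounding rules.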
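Review bot: The `for i in $(DISTFILES)` loop in the rewritten `dist` recipe discards the exit status of each `ln -s`, so a DISTFILES entry that no longer exists only surfaces later as a tar complaint about a dangling link rather than at the step that caused it, and the loop itself always reports success. Make it fail fast: `for i in $(DISTFILES) ; do ln -s ../$$i $(pfname)/ || exit 1 ; done`. The `conffile.yy.c` and `conffile.tab.c` rules at the end of the hunk are unchanged context.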
@@ -1,9 +1,10 @@ -#* Design of new, multi-subnet secnet protocol +* Design of new, multi-subnet secnet protocol -Like the first version, we're tunnelling IP packets inside UDP -packets. To defeat various restrictions which may be imposed on us by -network providers (like the prohibition of incoming TCP connections) -we're sticking with UDP for everything this time, including key setup. +Like the first (1995/6) version, we're tunnelling IP packets inside +UDP packets. To defeat various restrictions which may be imposed on us +by network providers (like the prohibition of incoming TCP +connections) we're sticking with UDP for everything this time, +including key setup. Other new features include being able to deal with subnets hidden behind changing 'real' IP addresses, and the ability to choose 
@@ -21,62 +22,6 @@ convenient for every gateway machine to use the same name for each tunnel endpoint, but this is not vital. Individual tunnels are identified by their two endpoint names. - -The configuration is held in memory as a data structure as follows: - -The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys -are atoms. Values are lists, dictionaries or closures. Lists can hold -the following types: string, number. - -Closures cannot be constructed directly; they are added to the -'default' dictionary before the configuration file is read. Invocation -of a closure can return any type of value. - - -Configuration file format: the file describes a dictionary. - -key value; - -value is item[,item...] - -item can be "string", number, path (looks up in dictionary), -{dictionary}, value(value), value{dictionary}. If item is a list it -is copied into the list - we can't have lists of lists. - -A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup -from the current dictionary (or parents) or the root. If a key refers -to a list of more than one item then an index number (base 0) in -square brackets can be used to specify the list item number. - -Items of the form value1(value2) invoke executable value1 with an -argument of value2. The return value can be a string or dictionary, -but not a list. (Invocation happens after the entire configuration -file has been read.) - -Items of the form value{dict} invoke executable value with an argument -of a single-element list, containing dict. It's just syntactic sugar -for value({dict}). - - -When a key is used (rather than defined) it is looked up in the -current dictionary, and if it isn't found it is looked up in the -(lexical) parent, until the root is reached. - - - - -What sorts of crypto-related things do we need to define? - -sources of randomness -block algorithms -block cipher modes? 
-hash functions -padding functions -public key signature algorithms -public key crypto key stores -key setup algorithms - - ** Protocols *** Protocol environment: @@ -172,6 +117,8 @@ retransmit or confirm reception. It is suggested that this message be sent when a key times out, or the tunnel is forcibly terminated for some reason. +XXX not yet implemented. + 8) i?,i?,NAK/msg8 If the link-layer can't work out what to do with a packet (session has @@ -186,8 +133,11 @@ The attacker can of course forge NAKs since they aren't protected. But if they can only forge packets then they won't be able to stop the ping/pong working. Trust in NAKs can be rate-limited... -Alternative idea: if you receive a packet you can't decode, because -there's no key established, then initiate key setup... +Alternative idea (which is actually implemented): if you receive a +packet you can't decode, because there's no key established, then +initiate key setup... + +Keepalives are probably a good idea. **** Protocol sub-goal 3: send a packet diff --git a/TODO b/TODO index b2e871b..45ee330 100644 --- a/TODO +++ b/TODO @@ -1,8 +1,8 @@ -configure.in: cut down to just the required tests. Support for installation. +configure.in: done -Makefile.in: support for installation. +Makefile.in: autodep stuff -conffile.c: deal with line numbers from included conffiles correctly +conffile.c: done dh.c: change format to binary from decimal string diff --git a/conffile.fl b/conffile.fl index d191ffc..2142ff3 100644 --- a/conffile.fl +++ b/conffile.fl @@ -11,7 +11,12 @@ #include "util.h" #define MAX_INCLUDE_DEPTH 10 -YY_BUFFER_STATE include_stack[MAX_INCLUDE_DEPTH]; +struct include_stack_item { + YY_BUFFER_STATE bst; + uint32_t lineno; + string_t file; +}; +struct include_stack_item include_stack[MAX_INCLUDE_DEPTH]; int include_stack_ptr=0; uint32_t config_lineno=0; 
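Review bot: `struct include_stack_item` is introduced without a comment saying what it holds or when it is populated, and the push/pop code that uses it sits much further down the file. A one-line comment above the struct would orient the reader: `/* Lexer state of the including file, saved while a nested "include" is read: its flex buffer, current line number and file name */`. The three fields correspond exactly to the three globals the end-of-include path restores.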
@@ -64,12 +69,16 @@ include BEGIN(incl); if (include_stack_ptr >= MAX_INCLUDE_DEPTH) { fatal("Configuration file includes nested too deeply"); } - include_stack[include_stack_ptr++]= - YY_CURRENT_BUFFER; + include_stack[include_stack_ptr].bst=YY_CURRENT_BUFFER; + include_stack[include_stack_ptr].lineno=config_lineno; + include_stack[include_stack_ptr].file=config_file; + include_stack_ptr++; yyin=fopen(yytext,"r"); if (!yyin) { fatal("Can't open included file %s",yytext); } + config_lineno=1; + config_file=safe_strdup(yytext,"conffile.fl/include"); yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE)); BEGIN(INITIAL); } @@ -80,7 +89,9 @@ include BEGIN(incl); else { fclose(yyin); yy_delete_buffer(YY_CURRENT_BUFFER); - yy_switch_to_buffer(include_stack[include_stack_ptr]); + yy_switch_to_buffer(include_stack[include_stack_ptr].bst); + config_lineno=include_stack[include_stack_ptr].lineno; + config_file=include_stack[include_stack_ptr].file; } } \"[^\"]*\" yylval=stringnode(yytext); return TOK_STRING; diff --git a/config.h.top b/config.h.top index 0cea96d..4a0c6fb 100644 --- a/config.h.top +++ b/config.h.top @@ -1,26 +1,3 @@ -/*************************************************************************** - * - * Part II Project, "A secure, private IP network" - * Stephen Early - * - * - * $RCSfile$ - * - * Description: - * - * Copyright: (C) Stephen Early 1995 - * - * $Revision$ - * - * $Date$ - * - * $State$ - * - ***************************************************************************/ - -/* $Log$ - */ - #ifndef _CONFIG_H #define _CONFIG_H diff --git a/configure b/configure index 4153c02..4ca2072 100755 --- a/configure +++ b/configure 
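Review bot: `yyin=fopen(yytext,"r")` opens the included name exactly as written, so a relative `include` resolves against the process's current directory rather than the directory of the file containing the directive; a comment on that line, `/* relative names resolve against the cwd, not the including file */`, or a sentence in the example config, would save users a confusing "Can't open included file" error. The string from `config_file=safe_strdup(yytext,"conffile.fl/include")` is never released when the include is popped in the next hunk; if parse locations keep pointing at `config_file` after the include ends that retention is necessary and deserves a comment saying so, otherwise the pop should free it. The `<incl>` rule action this hunk belongs to begins outside the hunk.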
@@ -782,10 +782,93 @@ else fi fi +ac_aux_dir= +for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do + if test -f $ac_dir/install-sh; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install-sh -c" + break + elif test -f $ac_dir/install.sh; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install.sh -c" + break + fi +done +if test -z "$ac_aux_dir"; then + { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; } +fi +ac_config_guess=$ac_aux_dir/config.guess +ac_config_sub=$ac_aux_dir/config.sub +ac_configure=$ac_aux_dir/configure # This should be Cygnus configure. + +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# ./install, which can be erroneously created by make from ./install.sh. +echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 +echo "configure:817: checking for a BSD compatible install" >&5 +if test -z "$INSTALL"; then +if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":" + for ac_dir in $PATH; do + # Account for people who put trailing slashes in PATH elements. + case "$ac_dir/" in + /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. + # Don't use installbsd from OSF since it installs stuff as root + # by default. 
+ for ac_prog in ginstall scoinst install; do + if test -f $ac_dir/$ac_prog; then + if test $ac_prog = install && + grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. + : + else + ac_cv_path_install="$ac_dir/$ac_prog -c" + break 2 + fi + fi + done + ;; + esac + done + IFS="$ac_save_IFS" + +fi + if test "${ac_cv_path_install+set}" = set; then + INSTALL="$ac_cv_path_install" + else + # As a last resort, use the slow shell script. We don't cache a + # path for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the path is relative. + INSTALL="$ac_install_sh" + fi +fi +echo "$ac_t""$INSTALL" 1>&6 + +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}' + +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + # Extract the first word of "rm", so it can be a program name with args. set dummy rm; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:789: checking for $ac_word" >&5 +echo "configure:872: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_RM'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -818,7 +901,7 @@ else fi echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:822: checking how to run the C preprocessor" >&5 +echo "configure:905: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= 
@@ -833,13 +916,13 @@ else # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:843: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:926: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -850,13 +933,13 @@ else rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:860: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:943: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -867,13 +950,13 @@ else rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:877: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:960: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -898,12 +981,12 @@ fi echo "$ac_t""$CPP" 1>&6 echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6 -echo "configure:902: checking for ANSI C header files" >&5 +echo "configure:985: checking for ANSI C header files" >&5 if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < #include 
@@ -911,7 +994,7 @@ else #include EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:915: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:998: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -928,7 +1011,7 @@ rm -f conftest* if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat > conftest.$ac_ext < EOF @@ -946,7 +1029,7 @@ fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat > conftest.$ac_ext < EOF @@ -967,7 +1050,7 @@ if test "$cross_compiling" = yes; then : else cat > conftest.$ac_ext < #define ISLOWER(c) ('a' <= (c) && (c) <= 'z') @@ -978,7 +1061,7 @@ if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2); exit (0); } EOF -if { (eval echo configure:982: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:1065: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then : else @@ -1005,17 +1088,17 @@ for ac_hdr in linux/if.h do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:1009: checking for $ac_hdr" >&5 +echo "configure:1092: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1019: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1102: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -1041,89 +1124,6 @@ else fi done -ac_aux_dir= -for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do - if test -f $ac_dir/install-sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f $ac_dir/install.sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - fi -done -if test -z "$ac_aux_dir"; then - { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; } -fi -ac_config_guess=$ac_aux_dir/config.guess -ac_config_sub=$ac_aux_dir/config.sub -ac_configure=$ac_aux_dir/configure # This should be Cygnus configure. - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# ./install, which can be erroneously created by make from ./install.sh. -echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:1076: checking for a BSD compatible install" >&5 -if test -z "$INSTALL"; then -if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":" - for ac_dir in $PATH; do - # Account for people who put trailing slashes in PATH elements. - case "$ac_dir/" in - /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;; - *) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. 
- for ac_prog in ginstall scoinst install; do - if test -f $ac_dir/$ac_prog; then - if test $ac_prog = install && - grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. - : - else - ac_cv_path_install="$ac_dir/$ac_prog -c" - break 2 - fi - fi - done - ;; - esac - done - IFS="$ac_save_IFS" - -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL="$ac_cv_path_install" - else - # As a last resort, use the slow shell script. We don't cache a - # path for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the path is relative. - INSTALL="$ac_install_sh" - fi -fi -echo "$ac_t""$INSTALL" 1>&6 - -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. -test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}' - -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6 echo "configure:1129: checking whether byte ordering is bigendian" >&5 if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then @@ -1492,11 +1492,11 @@ s%@infodir@%$infodir%g s%@mandir@%$mandir%g s%@SET_MAKE@%$SET_MAKE%g s%@CC@%$CC%g -s%@RM@%$RM%g -s%@CPP@%$CPP%g s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g s%@INSTALL_DATA@%$INSTALL_DATA%g +s%@RM@%$RM%g +s%@CPP@%$CPP%g CEOF EOF diff --git a/configure.in b/configure.in index ff74f20..cb47835 100644 --- a/configure.in +++ b/configure.in @@ -9,10 +9,10 @@ AC_LANG_C AC_PROG_MAKE_SET AC_PROG_CC +AC_PROG_INSTALL AC_PATH_PROG(RM,rm) AC_STDC_HEADERS AC_CHECK_HEADERS(linux/if.h) -AC_PROG_INSTALL AC_C_BIGENDIAN AC_CHECK_LIB(gmp2,mpz_init_set_str) diff --git a/example.conf b/example.conf index cfaa847..96a8433 100644 --- a/example.conf +++ b/example.conf 
@@ -124,6 +124,8 @@ include /etc/secnet/sites # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it # contains public keys for all sites. +# Do not include your own site in this list! + sites site(example-vpn/some-site), site(example-vpn/some-other-site), diff --git a/myrddin.pub b/myrddin.pub deleted file mode 100644 index 6736d15..0000000 --- a/myrddin.pub +++ /dev/null @@ -1 +0,0 @@ -1024 35 154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543 steve@myrddin diff --git a/private-key b/private-key deleted file mode 100644 index f764068413fa9fd407e7107a6ecc19ef8ec1e64e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 528 zcmV+r0`L7(Q%E3CQb|@pR7D_5MOh$5NlZl`Mo&^rK~x|yE-?xK000000000400aQr zbhZni$fos+%!yXo=)#qB!b8TNh=USvj~h{7x&)z~`nDyXb>;V4u0tV2tiJP8$s%Q- zvK8!n(B>8d`rb3Xk`M?zVtIC#rsy)!m_EKnE*?UL=OQ5Mk4tK*W^~Y@By!NlxsQ9q zlgxm-fnE8_pry6_dUYdLQw15|3(aQ$1|t9f01b0=Wp-siZFzEJWNB{W2;&F?{Swc8 zQFJbJwe|`(s9Wd|t+|Z;e!VxAG{@1vgHdk>wiNK|3W@^Ck&A=(ARE+5;iwpm>vSxI ziA;v?CUta{v(dr#1$>C>gQ*U{u~Nmtk5EAzZ}m@^pdVB1Cx2Oqk;Tne?nn{o>`<(@ zm+VB`xM+1+D*^o(EYD8LxE#d3pn0`sc$2Dg1}pDoz4)5tEc&i$ z66z8k73e2MuO@dLfAOKG=VeZ8${a|a(Ht?Y$h^m8JGFoU0P7~8?P-Eo{+c{QQT?6; zhy~A@0rM=}n0d~6|HK@%4k{4TanAhIAxjz7TOz?SqirgCU}~K2iGaPh@W?+1*8%|U z>DSuPqPilUX)z&Vp|Gw(yf}Ni8Jdx #include @@ -23,7 +23,6 @@ static char *version="secnet version " VERSION " $Date: 1996/03/13 22:27:41 $"; #include "secnet.h" #include "util.h" #include "conffile.h" -#include "modules.h" /* Command-line options (possibly config-file options too) */ static char *configfile="/etc/secnet/secnet.conf"; 
@@ -156,7 +155,7 @@ static void setup(dict_t *config) fatal("configuration does not include a system/log facility\n"); } log=init_log(l); - log->log(log->st,LOG_DEBUG,"secnet " VERSION ": logging started"); + log->log(log->st,LOG_DEBUG,"%s: logging started",version); /* Who are we supposed to run as? */ userid=dict_read_string(system,"userid",False,"system",loc); diff --git a/testconfig b/testconfig deleted file mode 100644 index 9a84119..0000000 --- a/testconfig +++ /dev/null 
@@ -1,156 +0,0 @@ -# secnet configuration file - -# This file defines a dictionary full of configuration information for -# secnet. Two keys must be defined in this file for secnet to -# start. One is "system", a dictionary containing systemwide control -# parameters. The other is "sites", a list of all the sites that you -# intend to communicate with. - -# Other files can be included inline by writing "include filename" at -# the start of a line. - -# The configuration file has a fairly simple syntax: -# key definition; or key = definition; (the "=" is optional) -# ...sets 'key' in the current dictionary to 'definition'. -# -# "key" is [[:alpha:]_][[:alnum:]\-_]* -# -# definition may be one of the following: -# a string, in quotes -# a number, in decimal -# a dictionary, in { } -# a path to a key that already exists, to reference that definition -# a "closure", followed by arguments -# -# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in -# the current dictionary or any of its parents) -# alternatively /key1/key2/key3... (to start from the root) -# -# closures are followed by an argument list in ( ), and may return -# whatever type they like (including other closures) -# -# closure { definitions } is short for closure({definitions}). -# -# Whenever secnet looks for a key it checks the (lexical) parent dictionaries -# as well until it finds it or reaches the root. This is useful for setting -# defaults for large collections of dictionaries (eg. defining sites). -# -# It is also permissible to list other dictionaries before a dictionary -# definition, eg. {definitions}. These will be -# searched in order for keys, before the lexical parent. 
(Not yet implemented) -# -# secnet predefines some keys in the root dictionary; some useful ones are: -# yes, true, True, TRUE: the boolean value True -# no, false, False, FALSE: the boolean value False -# makelist: turns a dictionary (arg1) into a list (return value) -# readfile: reads a file (arg1) and returns it as a string -# -# secnet modules also predefine keys, eg. "adns", "randomfile", etc. -# See the module documentation for more information. - -# After the configuration file is read, secnet looks for particular keys -# in configuration space to tell it what to do: -# system: system-wide parameters (control, logging, etc.) -# sites: a list of sites with which to communicate - -# Log facility -log logfile("secnet","local2"); # Not yet implemented, goes to stderr - -# Systemwide configuration (all other configuration is per-site): -# log a log facility for program messages -# userid who we try to run as after setup -# pidfile -system { - userid "steve"; -# pidfile "/var/run/secnet.pid"; - pidfile "foo.pid"; -}; - -# Parameters for each remote site (arguments to the site() closure): -# things we configure locally -# buffer buffer for constructing/sending/receiving packets -# netlink user/kernel netlink device for this tunnel -# comm UDP communication -# resolver resolver to use for name lookups -# log a log destination for this connection -# log-events string list: which events we log -# random a source of randomness - -# our local configuration visible to the outside world -# local-name string: how we identify ourselves to them -# local-key our own private RSA key -# local-port port number we listen on - -# their configuration visible to us -# name string: how they identify themselves -# address string: use with resolver to find their IP address -# networks string list: their networks for us -# key the remote site's RSA public key -# port port we send to to contact remote site - -# things both ends must agree on -# transform routine for bulk encryption -# dh 
Diffie-Hellman parameters -# hash secure hash function - -# things both ends ought to agree on, but don't have to -# key-lifetime max session key lifetime, in milliseconds -# setup-retries max retransmits of a key setup packet -# setup-timeout wait between retransmits of key setup packets, in ms -# wait-time wait between unsuccessful key setup attempts, in ms - -netlink tun { - name "fred"; # Printed in log messages from this netlink -# interface "fred"; - - # local networks served by this netlink device - # incoming tunneled packets for other networks will be discarded - networks "192.168.73.0/24", "192.168.1.0/24", "172.19.71.0/24"; - local-address "192.168.73.72"; # IP address of interface - secnet-address "192.168.73.73"; # IP address of secnet - mtu 1400; - - buffer sysbuffer(); # userv/ipif needs a buffer to build incoming - # packets from the netlink device before passing them - # to the site layer -}; -comm udp { - port 1234; - buffer sysbuffer(4096,{lockdown=yes;}); -}; -resolver adns { - config="wibble wobble"; -}; -# log is defined earlier - we share it with the system -log-events "init","up","down"; -random randomfile("/dev/urandom",no); - -local-name "myrddin"; -local-key rsa-private("private-key"); - -transform serpent256-cbc { - max-sequence-skew 10; -}; - -dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2"); -hash md5; - -key-lifetime 20000; - -zealot { - name "zealot"; - address "zealot.sinister.greenend.org.uk"; - port 5678; - networks "192.168.73.74/32", "192.168.73.75/32"; - key 
rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833"); - }; - -myrddin { - name "myrddin"; - address "myrddin.sinister.greenend.org.uk"; - port 1234; - networks "192.168.73.72/32", "192.168.73.73/32"; - key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543"); - }; - -sites site(zealot); diff --git a/testconfigz b/testconfigz deleted file mode 100644 index 59027f8..0000000 --- a/testconfigz +++ /dev/null 
@@ -1,153 +0,0 @@ -# secnet configuration file - -# This file defines a dictionary full of configuration information for -# secnet. Two keys must be defined in this file for secnet to -# start. One is "system", a dictionary containing systemwide control -# parameters. The other is "sites", a list of all the sites that you -# intend to communicate with. - -# Other files can be included inline by writing "include filename" at -# the start of a line. - -# The configuration file has a fairly simple syntax: -# key definition; or key = definition; (the "=" is optional) -# ...sets 'key' in the current dictionary to 'definition'. -# -# "key" is [[:alpha:]_][[:alnum:]\-_]* -# -# definition may be one of the following: -# a string, in quotes -# a number, in decimal -# a dictionary, in { } -# a path to a key that already exists, to reference that definition -# a "closure", followed by arguments -# -# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in -# the current dictionary or any of its parents) -# alternatively /key1/key2/key3... (to start from the root) -# -# closures are followed by an argument list in ( ), and may return -# whatever type they like (including other closures) -# -# closure { definitions } is short for closure({definitions}). -# -# Whenever secnet looks for a key it checks the (lexical) parent dictionaries -# as well until it finds it or reaches the root. This is useful for setting -# defaults for large collections of dictionaries (eg. defining sites). -# -# It is also permissible to list other dictionaries before a dictionary -# definition, eg. {definitions}. These will be -# searched in order for keys, before the lexical parent. 
(Not yet implemented) -# -# secnet predefines some keys in the root dictionary; some useful ones are: -# yes, true, True, TRUE: the boolean value True -# no, false, False, FALSE: the boolean value False -# makelist: turns a dictionary (arg1) into a list (return value) -# readfile: reads a file (arg1) and returns it as a string -# -# secnet modules also predefine keys, eg. "adns", "randomfile", etc. -# See the module documentation for more information. - -# After the configuration file is read, secnet looks for particular keys -# in configuration space to tell it what to do: -# system: system-wide parameters (control, logging, etc.) -# sites: a list of sites with which to communicate - -# Log facility -log logfile("secnet","local2"); # Not yet implemented, goes to stderr - -# Systemwide configuration (all other configuration is per-site): -# log a log facility for program messages -# userid who we try to run as after setup -# pidfile -system { -# userid "tunnel"; -# pidfile "/var/run/secnet.pid"; -}; - -# Parameters for each remote site (arguments to the site() closure): -# things we configure locally -# buffer buffer for constructing/sending/receiving packets -# netlink user/kernel netlink device for this tunnel -# comm UDP communication -# resolver resolver to use for name lookups -# log a log destination for this connection -# log-events string list: which events we log -# random a source of randomness - -# our local configuration visible to the outside world -# local-name string: how we identify ourselves to them -# local-key our own private RSA key -# local-port port number we listen on - -# their configuration visible to us -# name string: how they identify themselves -# address string: use with resolver to find their IP address -# networks string list: their networks for us -# key the remote site's RSA public key -# port port we send to to contact remote site - -# things both ends must agree on -# transform routine for bulk encryption -# dh Diffie-Hellman 
parameters -# hash secure hash function - -# A buffer for all sites to share, to construct outgoing packets -buffer sysbuffer(4096,{lockdown=yes;}); - -netlink tun { -# name "foo"; # Printed in log messages from this netlink - # userv-path "/usr/bin/userv"; - # service-user "root"; - # service-name "ipif"; - - # local networks served by this netlink device - # incoming tunneled packets for other networks will be discarded - networks "192.168.73.74/32","192.168.73.75/32"; - local-address "192.168.73.74"; # IP address of interface - secnet-address "192.168.73.75"; # IP address of secnet - mtu 1400; - - buffer sysbuffer(); # userv/ipif needs a buffer to build incoming - # packets from the netlink device before passing them - # to the site layer -}; -comm udp { - port 5678; - # buffer shared with sites -}; -resolver adns { - noenv=yes; # yes is a name for the boolean "true" - nameservers "127.0.0.1","192.168.73.4"; -}; -# log is defined earlier - we share it with the system -log-events "init","up","down"; -random randomfile("/dev/urandom",no); - -local-name "zealot"; -local-key rsa-private("private-key"); - -transform serpent256-cbc { - max-sequence-skew 10; -}; - -dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2"); -hash md5; - -zealot { - name "zealot"; - address "zealot.sinister.greenend.org.uk"; - port 5678; - networks "192.168.73.74/32", "192.168.73.75/32"; - key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833"); - }; - -myrddin { - name "myrddin"; - address 
"myrddin.sinister.greenend.org.uk"; - port 1234; - networks "192.168.73.72/32", "192.168.73.73/32"; - key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543"); - }; - -sites site(myrddin); diff --git a/testsites b/testsites deleted file mode 100644 index e3ca05f..0000000 --- a/testsites +++ /dev/null 
@@ -1,27 +0,0 @@
-# This is secnet's equivalent of the 'vpn-sites' file
-
-# Global parameters for all sites (can be overridden if some sites want to
-# use other parameters)
-
-sinister-vpn {
-
-dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2");
-hash md5;
-
-# All the remote sites we might want to talk to
-groad {
- name "gilbert-road";
- address "relativity.dynamic.greenend.org.uk";
- port 5678;
- networks "172.18.45.0/24";
- key rsa-public("35","153279875126380522437827076871354104097683702803616313419670959273217685015951590424876274370401136371563604396779864283483623325238228723798087715987495590765759771552692972297669972616769731553560605291312242789575053620182470998166393580503400960149506261455420521811814445675652857085993458063584337404329");
- };
-chiark {
- name "chiark";
- address "chiark.greenend.org.uk";
- port 2345;
- networks "172.31.80.8/32";
- key rsa-public("35","127129251486595848418110457412760173306108766728826928401101049305981756206590497728003410607079784801800518655333869748411389535602962935662455800359479854817411356280256727700339726067467542581881498715223842814199845818940876020358790270431574802728927549159072714772035370848962882690573372309719699356913");
- };
-
-};
-- 
2.30.2