Import release 0.06

diff --git a/INSTALL b/INSTALL
index bfb9afd370ddcee66d0aedc52e1696d3ffbf30e7..2001fa86785948fdf841e3cb265b3bb51810a45a 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -1,6 +1,6 @@
 INSTALLATION INSTRUCTIONS for SECNET
 
 INSTALLATION INSTRUCTIONS for SECNET
 

-USE AT YOUR OWN RISK. THIS IS ALPHA QUALITY SOFTWARE. I DO NOT
+USE AT YOUR OWN RISK.  THIS IS ALPHA TEST SOFTWARE.  I DO NOT

 GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
 VERSIONS.
 
 GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
 VERSIONS.
 


@@ -12,14 +12,14 @@ Ensure that you have libgmp2-dev and adns installed (and bison and
 flex, and for that matter gcc...).
 
 If you intend to configure secnet to obtain packets from the kernel
 flex, and for that matter gcc...).
 
 If you intend to configure secnet to obtain packets from the kernel

-through userv-ipif, install and configure userv-ipif. It is part of
+through userv-ipif, install and configure userv-ipif.  It is part of

 userv-utils, available from ftp.chiark.greenend.org.uk in
 /users/ian/userv
 
 If you intend to configure secnet to obtain packets from the kernel
 using the universal TUN/TAP driver, make sure it's configured in your
 userv-utils, available from ftp.chiark.greenend.org.uk in
 /users/ian/userv
 
 If you intend to configure secnet to obtain packets from the kernel
 using the universal TUN/TAP driver, make sure it's configured in your

-kernel (it's under "network device support" in Linux) and that you've
-created the appropriate device files; see
+kernel (it's under "network device support" in Linux-2.4) and that
+you've created the appropriate device files; see

 linux/Documentation/networking/tuntap.txt
 
 If you're using TUN/TAP on a platform other than Linux-2.4, see
 linux/Documentation/networking/tuntap.txt
 
 If you're using TUN/TAP on a platform other than Linux-2.4, see


@@ -27,36 +27,34 @@ http://vtun.sourceforge.net/tun/
 
 Note than TUN comes in two flavours, one (called 'tun' in the secnet
 config file) which has only one device file (usually /dev/net/tun) and
 
 Note than TUN comes in two flavours, one (called 'tun' in the secnet
 config file) which has only one device file (usually /dev/net/tun) and

-the other (called 'tun-old') which has many device files
-(/dev/tun*). Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris
-have old-style TUN. Currently only new-style TUN has been tested with
-secnet.
+the other (called 'tun-old') which has many device files (/dev/tun*).
+Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style
+TUN.  Currently only new-style TUN has been tested with secnet.

 
 ** System and network configuration
 
 
 ** System and network configuration
 

-If you intend to start secnet as root, I suggest you create an userid
-for it to run as once it's ready to drop its privileges. Example (on
+If you intend to start secnet as root, I suggest you create a userid
+for it to run as once it's ready to drop its privileges.  Example (on

 Debian):
 # adduser --system --no-create-home secnet
 
 Debian):
 # adduser --system --no-create-home secnet
 

-You will need to allocate two IP addresses for use by secnet. One will
-be for the tunnel interface on your tunnel endpoint machine (i.e. the
-address you see in 'ifconfig' when you look at the tunnel
-interface). The other will be for secnet itself. These addresses could
-possibly be allocated from the range used by your internal network: if
-you do this, you should think about providing appropriate proxy-ARP on
-the machine running secnet for the two addresses. Alternatively the
-addresses could be from some other range - this works well if the
-machine running secnet is the default route out of your network.
+You will need to allocate two IP addresses for use by secnet.  One
+will be for the tunnel interface on your tunnel endpoint machine (i.e.
+the address you see in 'ifconfig' when you look at the tunnel
+interface).  The other will be for secnet itself.  These addresses
+could possibly be allocated from the range used by your internal
+network: if you do this, you should think about providing appropriate
+proxy-ARP on the machine running secnet for the two addresses.
+Alternatively the addresses could be from some other range - this
+works well if the machine running secnet is the default route out of
+your network.

 
 http://www.ucam.org/cam-grin/ may be useful.
 
 Advanced users: secnet's IP address does not _have_ to be in the range
 of networks claimed by your end of the tunnel; it could be in the
 
 http://www.ucam.org/cam-grin/ may be useful.
 
 Advanced users: secnet's IP address does not _have_ to be in the range
 of networks claimed by your end of the tunnel; it could be in the

-range of networks claimed by the other end. Doing this is confusing,
-but works (in the case where you can't get the administrator of the
-other end to allocate an IP address for his copy of secnet [hint hint
-Ian]).
+range of networks claimed by the other end.  Doing this is confusing,
+but works.

 
 * Installation
 
 
 * Installation
 


@@ -64,7 +62,7 @@ To install secnet do
 
 $ ./configure
 $ make
 
 $ ./configure
 $ make

-# cp secnet /usr/local/sbin/secnet
+# make install

 # mkdir /etc/secnet
 # cp example.conf /etc/secnet/secnet.conf
 # cd /etc/secnet
 # mkdir /etc/secnet
 # cp example.conf /etc/secnet/secnet.conf
 # cd /etc/secnet


@@ -74,53 +72,52 @@ $ make
 your current configuration file.)
 
 Generate a site file fragment for your site (see below), and submit it
 your current configuration file.)
 
 Generate a site file fragment for your site (see below), and submit it

-for inclusion in the vpn-sites file. Download the vpn-sites file to
+for inclusion in the vpn-sites file.  Download the vpn-sites file to

 /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
 sites file contains public keys for all the sites in the VPN.
 
 * Configuration
 
 Should be reasonably obvious - edit /etc/secnet/secnet.conf as
 /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
 sites file contains public keys for all the sites in the VPN.
 
 * Configuration
 
 Should be reasonably obvious - edit /etc/secnet/secnet.conf as

-prompted by the comments. XXX Fuller documentation of the
-configuration file format should be forthcoming in time. Its syntax is
-described in the README file at the moment.
+prompted by the comments.  XXX Fuller documentation of the
+configuration file format should be forthcoming in time.  Its syntax
+is described in the README file at the moment.

 
 * Constructing your site file fragment
 
 You need the following information:
 
 
 * Constructing your site file fragment
 
 You need the following information:
 

-1.  a short name for your site, eg. "greenend". This is used to
+1. a short name for your site, eg.  "greenend".  This is used to

 identify your site in the vpn-sites file.
 
 identify your site in the vpn-sites file.
 

-2.  the name your site will use in the key setup protocol,
+2. the name your site will use in the key setup protocol,

 eg. "greenend" (these two will usually be similar or the same).
 
 eg. "greenend" (these two will usually be similar or the same).
 

-3.  the DNS name of the machine that will be the "front-end" for your
-secnet installation. This will typically be the name of the gateway
-machine for your network, eg. sinister.dynamic.greenend.org.uk
+3. the DNS name of the machine that will be the "front-end" for your
+secnet installation.  This will typically be the name of the gateway
+machine for your network, eg.  sinister.dynamic.greenend.org.uk

 
 secnet does not actually have to run on this machine, as long as the
 machine can be configured to forward UDP packets to the machine that
 is running secnet.
 
 
 secnet does not actually have to run on this machine, as long as the
 machine can be configured to forward UDP packets to the machine that
 is running secnet.
 

-4.  the port number used to contact secnet at your site. This is the
+4. the port number used to contact secnet at your site.  This is the

 port number on the front-end machine, and does not necessarily have to
 match the port number on the machine running secnet.
 
 port number on the front-end machine, and does not necessarily have to
 match the port number on the machine running secnet.
 

-5.  the list of networks accessible at your site over the VPN.
+5. the list of networks accessible at your site over the VPN.

 
 

-6.  the public part of the RSA key you generated during installation
+6. the public part of the RSA key you generated during installation

 (in /etc/secnet/key.pub if you followed the installation
 (in /etc/secnet/key.pub if you followed the installation

-instructions). This file contains three numbers and a comment on one
-line. The first number is the key length in bits, and can be
-ignored. The second number (typically small) is the encryption key
-'e', and the third number (large) is the modulus 'n'.
+instructions).  This file contains three numbers and a comment on one
+line.  The first number is the key length in bits, and can be ignored.
+The second number (typically small) is the encryption key 'e', and the
+third number (large) is the modulus 'n'.

 
 If you are running secnet on a particularly slow machine, you may like
 to specify a larger value for the key setup retry timeout than the
 
 If you are running secnet on a particularly slow machine, you may like
 to specify a larger value for the key setup retry timeout than the

-default, to prevent unnecessary retransmissions of key setup
-packets. See the notes in the example configuration file for more on
-this.
+default, to prevent unnecessary retransmissions of key setup packets.
+See the notes in the example configuration file for more on this.

 
 The site file fragment should look something like this:
 
 
 The site file fragment should look something like this:
 

diff --git a/Makefile.in b/Makefile.in
index 1094ef44f165a112c3ff10f1e2c011744dd80075..2dea73838574a95fea287ba2c9a44a8fb2e26ddc 100644 (file)
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,24 +1,59 @@
-.DUMMY:        all clean realclean dist install
+# Makefile for secnet
+# Copyright (C) 1995-2001 Stephen Early <steve@greenend.org.uk>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+.PHONY:        all clean realclean dist install

 
 PACKAGE:=secnet
 
 PACKAGE:=secnet

-VERSION:=0.05
+VERSION:=0.06

 
 @SET_MAKE@
 
 srcdir:=@srcdir@
 VPATH:=@srcdir@
 
 
 @SET_MAKE@
 
 srcdir:=@srcdir@
 VPATH:=@srcdir@
 

-CFLAGS:=@CFLAGS@ @DEFS@ -DVERSION=\"$(VERSION)\" -Wall -I.
+SHELL:=/bin/sh
+RM:=@RM@
+CC:=@CC@
+INSTALL:=@INSTALL@
+INSTALL_PROGRAM:=@INSTALL_PROGRAM@

 
 

+CFLAGS:=@CFLAGS@ @DEFS@ -Wall -I.

 LDFLAGS:=@LDFLAGS@
 LDFLAGS:=@LDFLAGS@

-

 LDLIBS:=@LIBS@
 
 LDLIBS:=@LIBS@
 

+prefix:=@prefix@
+exec_prefix:=@exec_prefix@
+sbindir:=@sbindir@
+sysconfdir:=@sysconfdir@
+transform:=@program_transform_name@
+

 TARGETS:=secnet
 
 OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \
        resolver.o random.o udp.o site.o transform.o netlink.o rsa.o dh.o \
 TARGETS:=secnet
 
 OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \
        resolver.o random.o udp.o site.o transform.o netlink.o rsa.o dh.o \

-       serpent.o md5.o
+       serpent.o md5.o version.o
+
+DISTFILES:=COPYING INSTALL Makefile.in NOTES README TODO conffile.c \
+       conffile.fl conffile.h conffile.y conffile_internal.h config.h.bot \
+       config.h.in config.h.top configure configure.in dh.c \
+       example-sites-file example.conf install.sh linux md5.c md5.h \
+       modules.c modules.h netlink.c random.c resolver.c rsa.c \
+       secnet.c secnet.h serpent.c serpent.h serpentsboxes.h \
+       site.c transform.c udp.c util.c util.h

 
 %.c:   %.y
 
 
 %.c:   %.y
 


@@ -28,12 +63,31 @@ OBJECTS:=secnet.o util.o conffile.yy.o conffile.tab.o conffile.o modules.o \
 %.tab.c:       %.y
        bison -d $<
 
 %.tab.c:       %.y
        bison -d $<
 

-RM:=@RM@

 
 all:   $(TARGETS)
 
 
 all:   $(TARGETS)
 

+Makefile: Makefile.in config.status
+       $(SHELL) config.status
+
+config.status: configure
+       $(srcdir)/configure --no-create
+
+$(OBJECTS): config.h secnet.h util.h
+conffile.o conffile.tab.o conffile.yy.o: conffile.h conffile_internal.h
+secnet.c: conffile.h
+md5.o: md5.h
+serpent.o transform.o: serpent.h
+serpent.o: serpentsboxes.h
+conffile.o: modules.h
+

 secnet:        $(OBJECTS)
 
 secnet:        $(OBJECTS)
 

+version.c: Makefile
+       echo "char version[]=\"secnet-$(VERSION)\";" >version.c
+
+install: all
+       $(INSTALL_PROGRAM) secnet $(sbindir)/`echo secnet|sed '$(transform)'`
+

 clean:
        $(RM) -f $(srcdir)/*.o $(srcdir)/*~ $(srcdir)/*.yy.c \
                $(srcdir)/*.tab.[ch]
 clean:
        $(RM) -f $(srcdir)/*.o $(srcdir)/*~ $(srcdir)/*.yy.c \
                $(srcdir)/*.tab.[ch]


@@ -43,10 +97,14 @@ realclean:  clean
        $(srcdir)/config.log $(srcdir)/config.status $(srcdir)/config.cache \
        $(srcdir)/Makefile.bak core
 
        $(srcdir)/config.log $(srcdir)/config.status $(srcdir)/config.cache \
        $(srcdir)/Makefile.bak core
 

-dist:  realclean
-       (cd .. ; ln -s $(PACKAGE) $(PACKAGE)-$(VERSION) ; tar hcf - \
-       $(PACKAGE)-$(VERSION) | \
-       gzip -9 > $(PACKAGE)-$(VERSION).tar.gz ; rm $(PACKAGE)-$(VERSION) )
+pfname:=$(PACKAGE)-$(VERSION)
+dist:
+       $(RM) -rf $(pfname)
+       mkdir $(pfname)
+       for i in $(DISTFILES) ; do ln -s ../$$i $(pfname)/ ; done
+       tar hcf ../$(pfname).tar $(pfname)
+       gzip -9f ../$(pfname).tar
+       $(RM) -rf $(pfname)

 
 conffile.yy.c: conffile.fl conffile.tab.c
 conffile.tab.c:        conffile.y
 
 conffile.yy.c: conffile.fl conffile.tab.c
 conffile.tab.c:        conffile.y

diff --git a/NOTES b/NOTES
index 272e359c8a250559e21a44c3112013cc130fc56a..a815905c425423818fc0f6d2c10c8363ee1a4ece 100644 (file)
--- a/NOTES
+++ b/NOTES
@@ -1,9 +1,10 @@
-#* Design of new, multi-subnet secnet protocol
+* Design of new, multi-subnet secnet protocol

 
 

-Like the first version, we're tunnelling IP packets inside UDP
-packets. To defeat various restrictions which may be imposed on us by
-network providers (like the prohibition of incoming TCP connections)
-we're sticking with UDP for everything this time, including key setup.
+Like the first (1995/6) version, we're tunnelling IP packets inside
+UDP packets. To defeat various restrictions which may be imposed on us
+by network providers (like the prohibition of incoming TCP
+connections) we're sticking with UDP for everything this time,
+including key setup.

 
 Other new features include being able to deal with subnets hidden
 behind changing 'real' IP addresses, and the ability to choose
 
 Other new features include being able to deal with subnets hidden
 behind changing 'real' IP addresses, and the ability to choose


@@ -21,62 +22,6 @@ convenient for every gateway machine to use the same name for each
 tunnel endpoint, but this is not vital. Individual tunnels are
 identified by their two endpoint names.
 
 tunnel endpoint, but this is not vital. Individual tunnels are
 identified by their two endpoint names.
 

-
-The configuration is held in memory as a data structure as follows:
-
-The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys
-are atoms. Values are lists, dictionaries or closures. Lists can hold
-the following types: string, number.
-
-Closures cannot be constructed directly; they are added to the
-'default' dictionary before the configuration file is read. Invocation
-of a closure can return any type of value.
-
-
-Configuration file format: the file describes a dictionary.
-
-key value;
-
-value is item[,item...]
-
-item can be "string", number, path (looks up in dictionary),
-{dictionary}, value(value), value{dictionary}.  If item is a list it
-is copied into the list - we can't have lists of lists.
-
-A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup
-from the current dictionary (or parents) or the root. If a key refers
-to a list of more than one item then an index number (base 0) in
-square brackets can be used to specify the list item number.
-
-Items of the form value1(value2) invoke executable value1 with an
-argument of value2. The return value can be a string or dictionary,
-but not a list. (Invocation happens after the entire configuration
-file has been read.)
-
-Items of the form value{dict} invoke executable value with an argument
-of a single-element list, containing dict. It's just syntactic sugar
-for value({dict}).
-
-
-When a key is used (rather than defined) it is looked up in the
-current dictionary, and if it isn't found it is looked up in the
-(lexical) parent, until the root is reached. 
-
-
-
-
-What sorts of crypto-related things do we need to define?
-
-sources of randomness
-block algorithms
-block cipher modes?
-hash functions
-padding functions
-public key signature algorithms
-public key crypto key stores
-key setup algorithms
-
-

 ** Protocols
 
 *** Protocol environment:
 ** Protocols
 
 *** Protocol environment:


@@ -172,6 +117,8 @@ retransmit or confirm reception. It is suggested that this message be
 sent when a key times out, or the tunnel is forcibly terminated for
 some reason.
 
 sent when a key times out, or the tunnel is forcibly terminated for
 some reason.
 

+XXX not yet implemented.
+

 8) i?,i?,NAK/msg8
 
 If the link-layer can't work out what to do with a packet (session has
 8) i?,i?,NAK/msg8
 
 If the link-layer can't work out what to do with a packet (session has


@@ -186,8 +133,11 @@ The attacker can of course forge NAKs since they aren't protected. But
 if they can only forge packets then they won't be able to stop the
 ping/pong working. Trust in NAKs can be rate-limited...
 
 if they can only forge packets then they won't be able to stop the
 ping/pong working. Trust in NAKs can be rate-limited...
 

-Alternative idea: if you receive a packet you can't decode, because
-there's no key established, then initiate key setup...
+Alternative idea (which is actually implemented): if you receive a
+packet you can't decode, because there's no key established, then
+initiate key setup...
+
+Keepalives are probably a good idea.

 
 **** Protocol sub-goal 3: send a packet
 
 
 **** Protocol sub-goal 3: send a packet
 

diff --git a/TODO b/TODO
index b2e871bf4693e255dc4f9a8335a20de7d8052a73..45ee3302610be3fd62d9487d4a5820d17cd77ec4 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1,8 +1,8 @@
-configure.in: cut down to just the required tests. Support for installation.
+configure.in: done

 
 

-Makefile.in: support for installation.
+Makefile.in: autodep stuff

 
 

-conffile.c: deal with line numbers from included conffiles correctly
+conffile.c: done

 
 dh.c: change format to binary from decimal string
 
 
 dh.c: change format to binary from decimal string
 

diff --git a/conffile.fl b/conffile.fl
index d191ffca017d3014f341fe4023b7c260529bfe7a..2142ff3cdb2cf4c804022482e3e3390f146cc32d 100644 (file)
--- a/conffile.fl
+++ b/conffile.fl
@@ -11,7 +11,12 @@
 #include "util.h"
 
 #define MAX_INCLUDE_DEPTH 10
 #include "util.h"
 
 #define MAX_INCLUDE_DEPTH 10

-YY_BUFFER_STATE include_stack[MAX_INCLUDE_DEPTH];
+struct include_stack_item {
+       YY_BUFFER_STATE bst;
+       uint32_t lineno;
+       string_t file;
+};
+struct include_stack_item include_stack[MAX_INCLUDE_DEPTH];

 int include_stack_ptr=0;
 
 uint32_t config_lineno=0;
 int include_stack_ptr=0;
 
 uint32_t config_lineno=0;


@@ -64,12 +69,16 @@ include                     BEGIN(incl);
        if (include_stack_ptr >= MAX_INCLUDE_DEPTH) {
                fatal("Configuration file includes nested too deeply");
        }
        if (include_stack_ptr >= MAX_INCLUDE_DEPTH) {
                fatal("Configuration file includes nested too deeply");
        }

-       include_stack[include_stack_ptr++]=
-               YY_CURRENT_BUFFER;
+       include_stack[include_stack_ptr].bst=YY_CURRENT_BUFFER;
+       include_stack[include_stack_ptr].lineno=config_lineno;
+       include_stack[include_stack_ptr].file=config_file;
+       include_stack_ptr++;

        yyin=fopen(yytext,"r");
        if (!yyin) {
                fatal("Can't open included file %s",yytext);
        }
        yyin=fopen(yytext,"r");
        if (!yyin) {
                fatal("Can't open included file %s",yytext);
        }

+       config_lineno=1;
+       config_file=safe_strdup(yytext,"conffile.fl/include");

        yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
        BEGIN(INITIAL);
        }
        yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
        BEGIN(INITIAL);
        }


@@ -80,7 +89,9 @@ include                       BEGIN(incl);
        else {
                fclose(yyin);
                yy_delete_buffer(YY_CURRENT_BUFFER);
        else {
                fclose(yyin);
                yy_delete_buffer(YY_CURRENT_BUFFER);

-               yy_switch_to_buffer(include_stack[include_stack_ptr]);
+               yy_switch_to_buffer(include_stack[include_stack_ptr].bst);
+               config_lineno=include_stack[include_stack_ptr].lineno;
+               config_file=include_stack[include_stack_ptr].file;

        }
        }
 \"[^\"]*\"             yylval=stringnode(yytext); return TOK_STRING;
        }
        }
 \"[^\"]*\"             yylval=stringnode(yytext); return TOK_STRING;

diff --git a/config.h.top b/config.h.top
index 0cea96d2bf158a48cd4b20357bd01d0e35e55d48..4a0c6fbbb32f505bb5f92c1d618e4858fae07d28 100644 (file)
--- a/config.h.top
+++ b/config.h.top
@@ -1,26 +1,3 @@
-/***************************************************************************
- *
- *              Part II Project, "A secure, private IP network"
- *              Stephen Early <sde1000@cam.ac.uk>
- *   
- *
- *     $RCSfile$
- *
- *  Description: 
- *
- *    Copyright: (C) Stephen Early 1995
- *
- *    $Revision$
- *
- *        $Date$
- *
- *       $State$
- *
- ***************************************************************************/
-
-/* $Log$
- */
-

 #ifndef _CONFIG_H
 #define _CONFIG_H
 
 #ifndef _CONFIG_H
 #define _CONFIG_H
 

diff --git a/configure b/configure
index 4153c022ddac32f5e9b91714e06f11d316db1f71..4ca20721dbeef18ad6b183a4e2dfd7605fd6a4a2 100755 (executable)
--- a/configure
+++ b/configure
@@ -782,10 +782,93 @@ else
   fi
 fi
 
   fi
 fi
 

+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+  if test -f $ac_dir/install-sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install-sh -c"
+    break
+  elif test -f $ac_dir/install.sh; then
+    ac_aux_dir=$ac_dir
+    ac_install_sh="$ac_aux_dir/install.sh -c"
+    break
+  fi
+done
+if test -z "$ac_aux_dir"; then
+  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
+fi
+ac_config_guess=$ac_aux_dir/config.guess
+ac_config_sub=$ac_aux_dir/config.sub
+ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
+
+# Find a good install program.  We prefer a C program (faster),
+# so one script is as good as another.  But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# ./install, which can be erroneously created by make from ./install.sh.
+echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
+echo "configure:817: checking for a BSD compatible install" >&5
+if test -z "$INSTALL"; then
+if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+    IFS="${IFS=        }"; ac_save_IFS="$IFS"; IFS=":"
+  for ac_dir in $PATH; do
+    # Account for people who put trailing slashes in PATH elements.
+    case "$ac_dir/" in
+    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
+    *)
+      # OSF1 and SCO ODT 3.0 have their own names for install.
+      # Don't use installbsd from OSF since it installs stuff as root
+      # by default.
+      for ac_prog in ginstall scoinst install; do
+        if test -f $ac_dir/$ac_prog; then
+         if test $ac_prog = install &&
+            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
+           # AIX install.  It has an incompatible calling convention.
+           :
+         else
+           ac_cv_path_install="$ac_dir/$ac_prog -c"
+           break 2
+         fi
+       fi
+      done
+      ;;
+    esac
+  done
+  IFS="$ac_save_IFS"
+
+fi
+  if test "${ac_cv_path_install+set}" = set; then
+    INSTALL="$ac_cv_path_install"
+  else
+    # As a last resort, use the slow shell script.  We don't cache a
+    # path for INSTALL within a source directory, because that will
+    # break other packages using the cache if that directory is
+    # removed, or if the path is relative.
+    INSTALL="$ac_install_sh"
+  fi
+fi
+echo "$ac_t""$INSTALL" 1>&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+

 # Extract the first word of "rm", so it can be a program name with args.
 set dummy rm; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
 # Extract the first word of "rm", so it can be a program name with args.
 set dummy rm; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6

-echo "configure:789: checking for $ac_word" >&5
+echo "configure:872: checking for $ac_word" >&5

 if eval "test \"`echo '$''{'ac_cv_path_RM'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
 if eval "test \"`echo '$''{'ac_cv_path_RM'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else


@@ -818,7 +901,7 @@ else
 fi
 
 echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
 fi
 
 echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6

-echo "configure:822: checking how to run the C preprocessor" >&5
+echo "configure:905: checking how to run the C preprocessor" >&5

 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=


@@ -833,13 +916,13 @@ else
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp.
   cat > conftest.$ac_ext <<EOF
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp.
   cat > conftest.$ac_ext <<EOF

-#line 837 "configure"
+#line 920 "configure"

 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

-{ (eval echo configure:843: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:926: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :


@@ -850,13 +933,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -E -traditional-cpp"
   cat > conftest.$ac_ext <<EOF
   rm -rf conftest*
   CPP="${CC-cc} -E -traditional-cpp"
   cat > conftest.$ac_ext <<EOF

-#line 854 "configure"
+#line 937 "configure"

 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

-{ (eval echo configure:860: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:943: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :


@@ -867,13 +950,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -nologo -E"
   cat > conftest.$ac_ext <<EOF
   rm -rf conftest*
   CPP="${CC-cc} -nologo -E"
   cat > conftest.$ac_ext <<EOF

-#line 871 "configure"
+#line 954 "configure"

 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

-{ (eval echo configure:877: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:960: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :


@@ -898,12 +981,12 @@ fi
 echo "$ac_t""$CPP" 1>&6
 
 echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
 echo "$ac_t""$CPP" 1>&6
 
 echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6

-echo "configure:902: checking for ANSI C header files" >&5
+echo "configure:985: checking for ANSI C header files" >&5

 if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
 if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF

-#line 907 "configure"
+#line 990 "configure"

 #include "confdefs.h"
 #include <stdlib.h>
 #include <stdarg.h>
 #include "confdefs.h"
 #include <stdlib.h>
 #include <stdarg.h>


@@ -911,7 +994,7 @@ else
 #include <float.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
 #include <float.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

-{ (eval echo configure:915: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:998: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*


@@ -928,7 +1011,7 @@ rm -f conftest*
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF

-#line 932 "configure"
+#line 1015 "configure"

 #include "confdefs.h"
 #include <string.h>
 EOF
 #include "confdefs.h"
 #include <string.h>
 EOF


@@ -946,7 +1029,7 @@ fi
 if test $ac_cv_header_stdc = yes; then
   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF
 if test $ac_cv_header_stdc = yes; then
   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF

-#line 950 "configure"
+#line 1033 "configure"

 #include "confdefs.h"
 #include <stdlib.h>
 EOF
 #include "confdefs.h"
 #include <stdlib.h>
 EOF


@@ -967,7 +1050,7 @@ if test "$cross_compiling" = yes; then
   :
 else
   cat > conftest.$ac_ext <<EOF
   :
 else
   cat > conftest.$ac_ext <<EOF

-#line 971 "configure"
+#line 1054 "configure"

 #include "confdefs.h"
 #include <ctype.h>
 #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
 #include "confdefs.h"
 #include <ctype.h>
 #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')


@@ -978,7 +1061,7 @@ if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
 exit (0); }
 
 EOF
 exit (0); }
 
 EOF

-if { (eval echo configure:982: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:1065: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null

 then
   :
 else
 then
   :
 else


@@ -1005,17 +1088,17 @@ for ac_hdr in linux/if.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6

-echo "configure:1009: checking for $ac_hdr" >&5
+echo "configure:1092: checking for $ac_hdr" >&5

 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF

-#line 1014 "configure"
+#line 1097 "configure"

 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

-{ (eval echo configure:1019: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1102: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*


@@ -1041,89 +1124,6 @@ else
 fi
 done
 
 fi
 done
 

-ac_aux_dir=
-for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
-  if test -f $ac_dir/install-sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install-sh -c"
-    break
-  elif test -f $ac_dir/install.sh; then
-    ac_aux_dir=$ac_dir
-    ac_install_sh="$ac_aux_dir/install.sh -c"
-    break
-  fi
-done
-if test -z "$ac_aux_dir"; then
-  { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; }
-fi
-ac_config_guess=$ac_aux_dir/config.guess
-ac_config_sub=$ac_aux_dir/config.sub
-ac_configure=$ac_aux_dir/configure # This should be Cygnus configure.
-
-# Find a good install program.  We prefer a C program (faster),
-# so one script is as good as another.  But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# ./install, which can be erroneously created by make from ./install.sh.
-echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:1076: checking for a BSD compatible install" >&5
-if test -z "$INSTALL"; then
-if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-    IFS="${IFS=        }"; ac_save_IFS="$IFS"; IFS=":"
-  for ac_dir in $PATH; do
-    # Account for people who put trailing slashes in PATH elements.
-    case "$ac_dir/" in
-    /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;;
-    *)
-      # OSF1 and SCO ODT 3.0 have their own names for install.
-      # Don't use installbsd from OSF since it installs stuff as root
-      # by default.
-      for ac_prog in ginstall scoinst install; do
-        if test -f $ac_dir/$ac_prog; then
-         if test $ac_prog = install &&
-            grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then
-           # AIX install.  It has an incompatible calling convention.
-           :
-         else
-           ac_cv_path_install="$ac_dir/$ac_prog -c"
-           break 2
-         fi
-       fi
-      done
-      ;;
-    esac
-  done
-  IFS="$ac_save_IFS"
-
-fi
-  if test "${ac_cv_path_install+set}" = set; then
-    INSTALL="$ac_cv_path_install"
-  else
-    # As a last resort, use the slow shell script.  We don't cache a
-    # path for INSTALL within a source directory, because that will
-    # break other packages using the cache if that directory is
-    # removed, or if the path is relative.
-    INSTALL="$ac_install_sh"
-  fi
-fi
-echo "$ac_t""$INSTALL" 1>&6
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-

 echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
 echo "configure:1129: checking whether byte ordering is bigendian" >&5
 if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then
 echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6
 echo "configure:1129: checking whether byte ordering is bigendian" >&5
 if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then


@@ -1492,11 +1492,11 @@ s%@infodir@%$infodir%g
 s%@mandir@%$mandir%g
 s%@SET_MAKE@%$SET_MAKE%g
 s%@CC@%$CC%g
 s%@mandir@%$mandir%g
 s%@SET_MAKE@%$SET_MAKE%g
 s%@CC@%$CC%g

-s%@RM@%$RM%g
-s%@CPP@%$CPP%g

 s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
 s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
 s%@INSTALL_DATA@%$INSTALL_DATA%g
 s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g
 s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g
 s%@INSTALL_DATA@%$INSTALL_DATA%g

+s%@RM@%$RM%g
+s%@CPP@%$CPP%g

 
 CEOF
 EOF
 
 CEOF
 EOF

diff --git a/configure.in b/configure.in
index ff74f20d4c5262b8eb22d44cbaf2bfa8932afadb..cb478355a9ead9e2000ad79f96737da30d8e17a5 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -9,10 +9,10 @@ AC_LANG_C
 
 AC_PROG_MAKE_SET
 AC_PROG_CC
 
 AC_PROG_MAKE_SET
 AC_PROG_CC

+AC_PROG_INSTALL

 AC_PATH_PROG(RM,rm)
 AC_STDC_HEADERS
 AC_CHECK_HEADERS(linux/if.h)
 AC_PATH_PROG(RM,rm)
 AC_STDC_HEADERS
 AC_CHECK_HEADERS(linux/if.h)

-AC_PROG_INSTALL

 AC_C_BIGENDIAN
 
 AC_CHECK_LIB(gmp2,mpz_init_set_str)
 AC_C_BIGENDIAN
 
 AC_CHECK_LIB(gmp2,mpz_init_set_str)

diff --git a/example.conf b/example.conf
index cfaa847a67429a043540925028609d977846c83c..96a84339223e46e08602c4697a23efa0037707da 100644 (file)
--- a/example.conf
+++ b/example.conf
@@ -124,6 +124,8 @@ include /etc/secnet/sites
 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
 
 # a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
 # contains public keys for all sites.
 

+# Do not include your own site in this list!
+

 sites
        site(example-vpn/some-site),
        site(example-vpn/some-other-site),
 sites
        site(example-vpn/some-site),
        site(example-vpn/some-other-site),

diff --git a/myrddin.pub b/myrddin.pub
deleted file mode 100644 (file)
index 6736d15..0000000
--- a/myrddin.pub
+++ /dev/null
@@ -1 +0,0 @@
-1024 35 154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543 steve@myrddin

diff --git a/private-key b/private-key
deleted file mode 100644 (file)
index f764068..0000000
Binary files a/private-key and /dev/null differ

diff --git a/secnet.c b/secnet.c
index b0bb4b3d6a477b99af53376f4f7cfc951bffea9a..1cb38db21207ac04707b40d0484f03bc29135e1d 100644 (file)
--- a/secnet.c
+++ b/secnet.c
@@ -4,7 +4,7 @@
  *
  */
 
  *
  */
 

-static char *version="secnet version " VERSION " $Date: 1996/03/13 22:27:41 $";
+extern char version[];

 
 #include <stdio.h>
 #include <string.h>
 
 #include <stdio.h>
 #include <string.h>


@@ -23,7 +23,6 @@ static char *version="secnet version " VERSION " $Date: 1996/03/13 22:27:41 $";
 #include "secnet.h"
 #include "util.h"
 #include "conffile.h"
 #include "secnet.h"
 #include "util.h"
 #include "conffile.h"

-#include "modules.h"

 
 /* Command-line options (possibly config-file options too) */
 static char *configfile="/etc/secnet/secnet.conf";
 
 /* Command-line options (possibly config-file options too) */
 static char *configfile="/etc/secnet/secnet.conf";


@@ -156,7 +155,7 @@ static void setup(dict_t *config)
        fatal("configuration does not include a system/log facility\n");
     }
     log=init_log(l);
        fatal("configuration does not include a system/log facility\n");
     }
     log=init_log(l);

-    log->log(log->st,LOG_DEBUG,"secnet " VERSION ": logging started");
+    log->log(log->st,LOG_DEBUG,"%s: logging started",version);

 
     /* Who are we supposed to run as? */
     userid=dict_read_string(system,"userid",False,"system",loc);
 
     /* Who are we supposed to run as? */
     userid=dict_read_string(system,"userid",False,"system",loc);

diff --git a/testconfig b/testconfig
deleted file mode 100644 (file)
index 9a84119..0000000
--- a/testconfig
+++ /dev/null
@@ -1,156 +0,0 @@
-# secnet configuration file
-
-# This file defines a dictionary full of configuration information for
-# secnet. Two keys must be defined in this file for secnet to
-# start. One is "system", a dictionary containing systemwide control
-# parameters. The other is "sites", a list of all the sites that you
-# intend to communicate with.
-
-# Other files can be included inline by writing "include filename" at
-# the start of a line.
-
-# The configuration file has a fairly simple syntax:
-# key definition;  or key = definition; (the "=" is optional)
-# ...sets 'key' in the current dictionary to 'definition'.
-# 
-# "key" is [[:alpha:]_][[:alnum:]\-_]*
-# 
-# definition may be one of the following:
-#  a string, in quotes
-#  a number, in decimal
-#  a dictionary, in { }
-#  a path to a key that already exists, to reference that definition
-#  a "closure", followed by arguments
-#
-# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in
-#  the current dictionary or any of its parents)
-# alternatively /key1/key2/key3... (to start from the root)
-# 
-# closures are followed by an argument list in ( ), and may return
-# whatever type they like (including other closures)
-#
-# closure { definitions } is short for closure({definitions}).
-#
-# Whenever secnet looks for a key it checks the (lexical) parent dictionaries
-# as well until it finds it or reaches the root. This is useful for setting
-# defaults for large collections of dictionaries (eg. defining sites).
-#
-# It is also permissible to list other dictionaries before a dictionary
-# definition, eg. <defaults,otherdefaults>{definitions}. These will be
-# searched in order for keys, before the lexical parent. (Not yet implemented)
-# 
-# secnet predefines some keys in the root dictionary; some useful ones are:
-#  yes, true, True, TRUE:   the boolean value True
-#  no, false, False, FALSE: the boolean value False
-#  makelist:   turns a dictionary (arg1) into a list (return value)
-#  readfile:   reads a file (arg1) and returns it as a string
-#
-# secnet modules also predefine keys, eg. "adns", "randomfile", etc.
-# See the module documentation for more information.
-
-# After the configuration file is read, secnet looks for particular keys
-# in configuration space to tell it what to do:
-#  system:     system-wide parameters (control, logging, etc.)
-#  sites:      a list of sites with which to communicate
-
-# Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
-
-# Systemwide configuration (all other configuration is per-site):
-# log          a log facility for program messages
-# userid       who we try to run as after setup
-# pidfile
-system {
-       userid "steve";
-#      pidfile "/var/run/secnet.pid";
-       pidfile "foo.pid";
-};
-
-# Parameters for each remote site (arguments to the site() closure):
-#  things we configure locally
-# buffer                buffer for constructing/sending/receiving packets
-# netlink              user/kernel netlink device for this tunnel
-# comm                 UDP communication
-# resolver             resolver to use for name lookups
-# log                  a log destination for this connection
-# log-events           string list: which events we log
-# random                a source of randomness
-
-#  our local configuration visible to the outside world
-# local-name           string: how we identify ourselves to them
-# local-key            our own private RSA key
-# local-port           port number we listen on
-
-#  their configuration visible to us
-# name                 string: how they identify themselves
-# address              string: use with resolver to find their IP address
-# networks             string list: their networks for us
-# key                  the remote site's RSA public key
-# port                 port we send to to contact remote site
-
-#  things both ends must agree on
-# transform             routine for bulk encryption
-# dh                   Diffie-Hellman parameters
-# hash                 secure hash function
-
-#  things both ends ought to agree on, but don't have to
-# key-lifetime          max session key lifetime, in milliseconds
-# setup-retries         max retransmits of a key setup packet
-# setup-timeout         wait between retransmits of key setup packets, in ms
-# wait-time             wait between unsuccessful key setup attempts, in ms
-
-netlink tun {
-       name "fred"; # Printed in log messages from this netlink
-#      interface "fred";
-
-       # local networks served by this netlink device
-       # incoming tunneled packets for other networks will be discarded
-       networks "192.168.73.0/24", "192.168.1.0/24", "172.19.71.0/24";
-       local-address "192.168.73.72"; # IP address of interface
-       secnet-address "192.168.73.73"; # IP address of secnet
-       mtu 1400;
-
-       buffer sysbuffer(); # userv/ipif needs a buffer to build incoming
-               # packets from the netlink device before passing them
-               # to the site layer
-};
-comm udp {
-       port 1234;
-       buffer sysbuffer(4096,{lockdown=yes;});
-};
-resolver adns {
-       config="wibble wobble";
-};
-# log is defined earlier - we share it with the system
-log-events "init","up","down";
-random randomfile("/dev/urandom",no);
-
-local-name "myrddin";
-local-key rsa-private("private-key");
-
-transform serpent256-cbc {
-       max-sequence-skew 10;
-};
-
-dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2");
-hash md5;
-
-key-lifetime 20000;
-
-zealot {
-               name "zealot";
-               address "zealot.sinister.greenend.org.uk";
-               port 5678;
-               networks "192.168.73.74/32", "192.168.73.75/32";
-               key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833");
-       };
-
-myrddin {
-               name "myrddin";
-               address "myrddin.sinister.greenend.org.uk";
-               port 1234;
-               networks "192.168.73.72/32", "192.168.73.73/32";
-               key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543");
-       };
-
-sites site(zealot);

diff --git a/testconfigz b/testconfigz
deleted file mode 100644 (file)
index 59027f8..0000000
--- a/testconfigz
+++ /dev/null
@@ -1,153 +0,0 @@
-# secnet configuration file
-
-# This file defines a dictionary full of configuration information for
-# secnet. Two keys must be defined in this file for secnet to
-# start. One is "system", a dictionary containing systemwide control
-# parameters. The other is "sites", a list of all the sites that you
-# intend to communicate with.
-
-# Other files can be included inline by writing "include filename" at
-# the start of a line.
-
-# The configuration file has a fairly simple syntax:
-# key definition;  or key = definition; (the "=" is optional)
-# ...sets 'key' in the current dictionary to 'definition'.
-# 
-# "key" is [[:alpha:]_][[:alnum:]\-_]*
-# 
-# definition may be one of the following:
-#  a string, in quotes
-#  a number, in decimal
-#  a dictionary, in { }
-#  a path to a key that already exists, to reference that definition
-#  a "closure", followed by arguments
-#
-# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in
-#  the current dictionary or any of its parents)
-# alternatively /key1/key2/key3... (to start from the root)
-# 
-# closures are followed by an argument list in ( ), and may return
-# whatever type they like (including other closures)
-#
-# closure { definitions } is short for closure({definitions}).
-#
-# Whenever secnet looks for a key it checks the (lexical) parent dictionaries
-# as well until it finds it or reaches the root. This is useful for setting
-# defaults for large collections of dictionaries (eg. defining sites).
-#
-# It is also permissible to list other dictionaries before a dictionary
-# definition, eg. <defaults,otherdefaults>{definitions}. These will be
-# searched in order for keys, before the lexical parent. (Not yet implemented)
-# 
-# secnet predefines some keys in the root dictionary; some useful ones are:
-#  yes, true, True, TRUE:   the boolean value True
-#  no, false, False, FALSE: the boolean value False
-#  makelist:   turns a dictionary (arg1) into a list (return value)
-#  readfile:   reads a file (arg1) and returns it as a string
-#
-# secnet modules also predefine keys, eg. "adns", "randomfile", etc.
-# See the module documentation for more information.
-
-# After the configuration file is read, secnet looks for particular keys
-# in configuration space to tell it what to do:
-#  system:     system-wide parameters (control, logging, etc.)
-#  sites:      a list of sites with which to communicate
-
-# Log facility
-log logfile("secnet","local2"); # Not yet implemented, goes to stderr
-
-# Systemwide configuration (all other configuration is per-site):
-# log          a log facility for program messages
-# userid       who we try to run as after setup
-# pidfile
-system {
-#      userid "tunnel";
-#      pidfile "/var/run/secnet.pid";
-};
-
-# Parameters for each remote site (arguments to the site() closure):
-#  things we configure locally
-# buffer                buffer for constructing/sending/receiving packets
-# netlink              user/kernel netlink device for this tunnel
-# comm                 UDP communication
-# resolver             resolver to use for name lookups
-# log                  a log destination for this connection
-# log-events           string list: which events we log
-# random                a source of randomness
-
-#  our local configuration visible to the outside world
-# local-name           string: how we identify ourselves to them
-# local-key            our own private RSA key
-# local-port           port number we listen on
-
-#  their configuration visible to us
-# name                 string: how they identify themselves
-# address              string: use with resolver to find their IP address
-# networks             string list: their networks for us
-# key                  the remote site's RSA public key
-# port                 port we send to to contact remote site
-
-#  things both ends must agree on
-# transform             routine for bulk encryption
-# dh                   Diffie-Hellman parameters
-# hash                 secure hash function
-
-# A buffer for all sites to share, to construct outgoing packets
-buffer sysbuffer(4096,{lockdown=yes;});
-
-netlink tun {
-#      name "foo"; # Printed in log messages from this netlink
-       # userv-path "/usr/bin/userv";
-       # service-user "root";
-       # service-name "ipif";
-
-       # local networks served by this netlink device
-       # incoming tunneled packets for other networks will be discarded
-       networks "192.168.73.74/32","192.168.73.75/32";
-       local-address "192.168.73.74"; # IP address of interface
-       secnet-address "192.168.73.75"; # IP address of secnet
-       mtu 1400;
-
-       buffer sysbuffer(); # userv/ipif needs a buffer to build incoming
-               # packets from the netlink device before passing them
-               # to the site layer
-};
-comm udp {
-       port 5678;
-       # buffer shared with sites
-};
-resolver adns {
-       noenv=yes;      # yes is a name for the boolean "true"
-       nameservers "127.0.0.1","192.168.73.4";
-};
-# log is defined earlier - we share it with the system
-log-events "init","up","down";
-random randomfile("/dev/urandom",no);
-
-local-name "zealot";
-local-key rsa-private("private-key");
-
-transform serpent256-cbc {
-       max-sequence-skew 10;
-};
-
-dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2");
-hash md5;
-
-zealot {
-               name "zealot";
-               address "zealot.sinister.greenend.org.uk";
-               port 5678;
-               networks "192.168.73.74/32", "192.168.73.75/32";
-               key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833");
-       };
-
-myrddin {
-               name "myrddin";
-               address "myrddin.sinister.greenend.org.uk";
-               port 1234;
-               networks "192.168.73.72/32", "192.168.73.73/32";
-               key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543");
-       };
-
-sites site(myrddin);

diff --git a/testsites b/testsites
deleted file mode 100644 (file)
index e3ca05f..0000000
--- a/testsites
+++ /dev/null
@@ -1,27 +0,0 @@
-# This is secnet's equivalent of the 'vpn-sites' file
-
-# Global parameters for all sites (can be overridden if some sites want to
-# use other parameters)
-
-sinister-vpn {
-
-dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2");
-hash md5;
-
-# All the remote sites we might want to talk to
-groad {
-               name "gilbert-road";
-               address "relativity.dynamic.greenend.org.uk";
-               port 5678;
-               networks "172.18.45.0/24";
-               key rsa-public("35","153279875126380522437827076871354104097683702803616313419670959273217685015951590424876274370401136371563604396779864283483623325238228723798087715987495590765759771552692972297669972616769731553560605291312242789575053620182470998166393580503400960149506261455420521811814445675652857085993458063584337404329");
-       };
-chiark {
-               name "chiark";
-               address "chiark.greenend.org.uk";
-               port 2345;
-               networks "172.31.80.8/32";
-               key rsa-public("35","127129251486595848418110457412760173306108766728826928401101049305981756206590497728003410607079784801800518655333869748411389535602962935662455800359479854817411356280256727700339726067467542581881498715223842814199845818940876020358790270431574802728927549159072714772035370848962882690573372309719699356913");
-       };
-
-};