lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Debian changes 1.0.26-1

Browse source 
tinc (1.0.26-1) unstable; urgency=medium

  * New upstream release.
  * Use the contents, not the presence, of the pidfile to check that tincd is
    shut down properly. Closes: #774682
  * Bump Standards-Version.
This commit is contained in:
Guus Sliepen 2015-07-05 17:23:08 +02:00
commit 088ed763df
35 changed files with 677 additions and 1427 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
COPYING
View file

@ -1,4 +1,4 @@
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.
Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list.
This program is free software; you can redistribute it and/or modify it under

104
ChangeLog
View file

@ -1,20 +1,64 @@
Version 1.0.26 July 05 2015
------------------------------------------------------------------------
Guus Sliepen (14):
Use VittGam's real name.
Attribution for Saverio Proto.
Always call res_init() before getaddrinfo().
Fix --logfile without a filename on Windows.
Never call putenv() with data on the stack.
Return non-zero exit code when encountering configuration errors during startup.
Fix autoconf check for function attributes.
Fix spelling of FORTIFY_SOURCE.
Update copyright notices.
Attribution for various contributors.
Only check for -fno-strict-overflow if -fwrapv does not work.
Fix unputenv() on Windows.
Don't try to call res_init() if ./configure told us it doesn't exist.
Releasing 1.0.26.
Jo-Philipp Wich (1):
fix musl compatibility
Version 1.0.25 December 22 2014
------------------------------------------------------------------------
Guus Sliepen (7):
Fix date of last NEWS entry.
Remember ToS/Diffserv priority for each socket individually.
Attribution for various contributors.
Automatically choose a tap device on Mac OS X when using switch Mode.
Update documentation for Mac OS X.
Check whether res_init() really lives in libresolv.
Releasing 1.0.25.
Borg (3):
Fixed scripts calling under Win32.
Get MAC of TAP device.
Fixed tinc-up script calling on Win32.
Alexis Hildebrandt (1):
Add support to link against libresolv Mac OS X
Baptiste Jonglez (1):
Use the description from the 1.1 man page for the IndirectData option
David Pflug (1):
Update README.android
Jochen Voss (1):
Fix some typos in the manual.
Tomislav Čohar (1):
Configure minimum reconnect timeouts.
VittGam (1):
Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.
Version 1.0.24 May 11 2014
------------------------------------------------------------------------
Guus Sliepen (26):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Guus Sliepen (13):
Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init().
@ -34,22 +78,40 @@ Steffan Karger (3):
Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1):
fix documentation typo
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
refs/tags/1.0.23-android-1 March 11 2014
------------------------------------------------------------------------
Guus Sliepen (13):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
Version 1.0.23 October 19 2013
------------------------------------------------------------------------

27
NEWS
View file

@ -1,4 +1,29 @@
Version 1.0.24 May 11 2013
Version 1.0.26 July 5 2015
* Tinc now forces glibc to reload /etc/resolv.conf for every hostname lookup.
* Fixed --logfile without a filename on Windows.
* Ensure tinc can be compiled when using musl libc.
Thanks to Jo-Philipp Wich for his contribution to this version of tinc.
Version 1.0.25 December 22 2014
* Documentation updates.
* Support linking against -lresolv on Mac OS X.
* Fix scripts on Windows when using the ScriptsInterpreter option.
* Allow a minimum reconnect timeout to be specified.
* Support PriorityInheritance on IPv6 sockets.
Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss,
Tomislav Čohar and VittGam for their contributions to this version of tinc.
Version 1.0.24 May 11 2014
* Various compiler hardening flags are enabled by default.

6
README
View file

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.24. Installation
This is the README file for tinc version 1.0.26. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2014 by:
tinc is Copyright (C) 1998-2015 by:
Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility
-------------
Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.0.26 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.

7
README.android
View file

@ -6,11 +6,12 @@ tar xfj android-ndk-r9d-linux-x86.tar.bz2
./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
- Download and cross-compile openSSL for ARM:
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar xfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
tar xfz openssl-1.0.1h.tar.gz
cd openssl-1.0.1h
./Configure dist
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
cd -
- Clone and cross-compile tinc:
git clone git://tinc-vpn.org/tinc

17
THANKS
View file

@ -1,14 +1,18 @@
We would like to thank the following people for their contributions to tinc:
* Alexander Reil and Gemeinde Berg
* Alexis Hildebrandt
* Allesandro Gatti
* Andreas van Cranenburgh
* Anthony G. Basile
* Armin Fisslthaler
* Armijn Hemel
* Baptiste Jonglez
* Borg
* Brandon Black
* Cris van Pelt
* Darius Jahandarie
* David Pflug
* Delf Eldkraft
* dnk
* Enrique Zanardi
@ -22,9 +26,13 @@ We would like to thank the following people for their contributions to tinc:
* James MacLean
* Jamie Briggs
* Jason Harper
* Jason Livesay
* Jelle de Jong
* Jeroen Domburg
* Jeroen Ubbink
* Jerome Etienne
* Jo-Philipp Wich
* Jochen Voss
* Julien Muchembled
* Lavrans Laading
* Loïc Dachary
@ -50,15 +58,24 @@ We would like to thank the following people for their contributions to tinc:
* Philipp Babel
* Robert van der Meulen
* Rumko
* Sam Bryan
* Saverio Proto
* Scott Lamb
* Steffan Karger
* Sven-Haegar Koch
* Teemu Kiviniemi
* Thomas Tsiakalakis
* Timothy Redaelli
* Tomasz Fortuna
* Tomislav Čohar
* Tommy Arnkværn
* Tonnerre Lombard
* Vil Brekin
* Vittorio Gambaletta
* Wessel Dankers
* William McArthur
* Wouter van Heyst
* 戴 鸣
And everyone we forgot (if we did, please let us know). Thank you!

7
aclocal.m4 vendored
View file

@ -103,10 +103,9 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# configured tree to be moved without reconfiguration.
AC_DEFUN([AM_AUX_DIR_EXPAND],
[dnl Rely on autoconf to set up CDPATH properly.
AC_PREREQ([2.50])dnl
# expand $ac_aux_dir to an absolute path
am_aux_dir=`cd $ac_aux_dir && pwd`
[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`
])
# AM_CONDITIONAL -*- Autoconf -*-

192
config.guess vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright 1992-2013 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2013-06-10'
timestamp='2014-03-23'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -50,7 +50,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright 1992-2013 Free Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -149,7 +149,7 @@ Linux|GNU|GNU/*)
LIBC=gnu
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;;
esac
@ -826,7 +826,7 @@ EOF
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:MSYS*:*)
*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
@ -969,10 +969,10 @@ EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
or1k:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
or32:Linux:*:*)
or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
padre:Linux:*:*)
@ -1260,16 +1260,26 @@ EOF
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
fi
fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;;
@ -1361,154 +1371,6 @@ EOF
exit ;;
esac
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
#endif
main ()
{
#if defined (sony)
#if defined (MIPSEB)
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
I don't know.... */
printf ("mips-sony-bsd\n"); exit (0);
#else
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
#else
""
#endif
); exit (0);
#endif
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
printf ("m68k-hp-bsd\n"); exit (0);
#endif
#if defined (NeXT)
#if !defined (__ARCHITECTURE__)
#define __ARCHITECTURE__ "m68k"
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
if (version < 4)
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
else
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
#if defined (MULTIMAX) || defined (n16)
#if defined (UMAXV)
printf ("ns32k-encore-sysv\n"); exit (0);
#else
#if defined (CMU)
printf ("ns32k-encore-mach\n"); exit (0);
#else
printf ("ns32k-encore-bsd\n"); exit (0);
#endif
#endif
#endif
#if defined (__386BSD__)
printf ("i386-pc-bsd\n"); exit (0);
#endif
#if defined (sequent)
#if defined (i386)
printf ("i386-sequent-dynix\n"); exit (0);
#endif
#if defined (ns32000)
printf ("ns32k-sequent-dynix\n"); exit (0);
#endif
#endif
#if defined (_SEQUENT_)
struct utsname un;
uname(&un);
if (strncmp(un.version, "V2", 2) == 0) {
printf ("i386-sequent-ptx2\n"); exit (0);
}
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
printf ("i386-sequent-ptx1\n"); exit (0);
}
printf ("i386-sequent-ptx\n"); exit (0);
#endif
#if defined (vax)
# if !defined (ultrix)
# include <sys/param.h>
# if defined (BSD)
# if BSD == 43
printf ("vax-dec-bsd4.3\n"); exit (0);
# else
# if BSD == 199006
printf ("vax-dec-bsd4.3reno\n"); exit (0);
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# endif
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# else
printf ("vax-dec-ultrix\n"); exit (0);
# endif
#endif
#if defined (alliant) && defined (i860)
printf ("i860-alliant-bsd\n"); exit (0);
#endif
exit (1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
if [ -x /usr/convex/getsysinfo ]
then
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
c34*)
echo c34-convex-bsd
exit ;;
c38*)
echo c38-convex-bsd
exit ;;
c4*)
echo c4-convex-bsd
exit ;;
esac
fi
cat >&2 <<EOF
$0: unable to guess system type

3
config.h.in
View file

@ -89,6 +89,9 @@
/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET

30
config.sub vendored
View file

@ -1,8 +1,8 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright 1992-2013 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2013-08-10'
timestamp='2014-09-11'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@ -68,7 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright 1992-2013 Free Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -265,6 +265,7 @@ case $basic_machine in
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
@ -282,8 +283,10 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
@ -295,11 +298,11 @@ case $basic_machine in
| nds32 | nds32le | nds32be \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 \
| or1k | or32 \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
@ -324,7 +327,7 @@ case $basic_machine in
c6x)
basic_machine=tic6x-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@ -381,6 +384,7 @@ case $basic_machine in
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
@ -400,8 +404,10 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
@ -413,6 +419,7 @@ case $basic_machine in
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
@ -822,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
@ -1367,14 +1378,14 @@ case $os in
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1592,9 +1603,6 @@ case $basic_machine in
mips*-*)
os=-elf
;;
or1k-*)
os=-elf
;;
or32-*)
os=-coff
;;

146
configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.24.
# Generated by GNU Autoconf 2.69 for tinc 1.0.26.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.24'
PACKAGE_STRING='tinc 1.0.24'
PACKAGE_VERSION='1.0.26'
PACKAGE_STRING='tinc 1.0.26'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures tinc 1.0.24 to adapt to many kinds of systems.
\`configure' configures tinc 1.0.26 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1378,7 +1378,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.24:";;
short | recursive ) echo "Configuration of tinc 1.0.26:";;
esac
cat <<\_ACEOF
@ -1497,7 +1497,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
tinc configure 1.0.24
tinc configure 1.0.26
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -1962,7 +1962,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.24, which was
It was created by tinc $as_me 1.0.26, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2512,8 +2512,8 @@ test "$program_suffix" != NONE &&
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
# expand $ac_aux_dir to an absolute path
am_aux_dir=`cd $ac_aux_dir && pwd`
# Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd "$ac_aux_dir" && pwd`
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
@ -2826,7 +2826,7 @@ fi
# Define the identity of the package.
PACKAGE='tinc'
VERSION='1.0.24'
VERSION='1.0.26'
cat >>confdefs.h <<_ACEOF
@ -5185,42 +5185,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"
else
:
fi
@ -5256,8 +5221,42 @@ fi
$as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
CPPFLAGS="$CPPFLAGS -fwrapv"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
else
:
fi
fi
case $host_os in
@ -5877,8 +5876,8 @@ else
CFLAGS="$CFLAGS -Wall -Werror"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
void test(void) __attribute__ ((__malloc__));
void test(void) { return; }
void *test(void) __attribute__ ((__malloc__));
void *test(void) { return (void *)0; }
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
@ -6275,6 +6274,53 @@ fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_RES_INIT $ac_have_decl
_ACEOF
if test $ac_have_decl = 1; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_init in -lresolv" >&5
$as_echo_n "checking for res_init in -lresolv... " >&6; }
if ${ac_cv_lib_resolv_res_init+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lresolv $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char res_init ();
int
main ()
{
return res_init ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_resolv_res_init=yes
else
ac_cv_lib_resolv_res_init=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_init" >&5
$as_echo "$ac_cv_lib_resolv_res_init" >&6; }
if test "x$ac_cv_lib_resolv_res_init" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBRESOLV 1
_ACEOF
LIBS="-lresolv $LIBS"
fi
fi
cat >confcache <<\_ACEOF
@ -7396,7 +7442,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by tinc $as_me 1.0.24, which was
This file was extended by tinc $as_me 1.0.26, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -7462,7 +7508,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
tinc config.status 1.0.24
tinc config.status 1.0.26
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

10
configure.ac
View file

@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.24])
AC_INIT([tinc], [1.0.26])
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
AC_CONFIG_HEADERS([config.h])
@ -134,9 +134,9 @@ dnl No -fstack-protector-all because it doesn't work on all platforms or archite
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"],
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]))
case $host_os in
*mingw*)
AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
@ -202,7 +202,7 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
[], [], [#include "src/have.h"]
)
AC_CHECK_DECLS([res_init], [], [], [
AC_CHECK_DECLS([res_init], [AC_CHECK_LIB(resolv, res_init)], [], [
#include <netinet/in.h>
#include <resolv.h>
])

18
debian/changelog vendored
View file

@ -1,17 +1,11 @@
tinc (1.0.24-2.1+deb8u1) jessie-security; urgency=medium
tinc (1.0.26-1) unstable; urgency=medium
* Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
* Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
* New upstream release.
* Use the contents, not the presence, of the pidfile to check that tincd is
shut down properly. Closes: #774682
* Bump Standards-Version.
-- Guus Sliepen <guus@debian.org> Mon, 08 Oct 2018 20:14:24 +0200
tinc (1.0.24-2.1) unstable; urgency=medium
* NMU after getting go ahead from guus on #tinc
* Add a -dbg package which contains the debugging symbols for tinc
Thanks hark@puscii.nl (Closes: #752561)
-- Micah Anderson <micah@debian.org> Tue, 24 Jun 2014 14:01:47 -0400
-- Guus Sliepen <guus@debian.org> Sun, 05 Jul 2015 17:23:08 +0200
tinc (1.0.24-2) unstable; urgency=medium

15
debian/control vendored
View file

@ -2,7 +2,7 @@ Source: tinc
Section: net
Priority: optional
Maintainer: Guus Sliepen <guus@debian.org>
Standards-Version: 3.9.5
Standards-Version: 3.9.6
Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
Homepage: http://www.tinc-vpn.org/
@ -14,16 +14,3 @@ Description: Virtual Private Network daemon
(VPN). One daemon can handle multiple connections, so you can
create an entire (moderately sized) VPN with only one daemon per
participating computer.
Package: tinc-dbg
Architecture: any
Section: debug
Priority: extra
Depends: ${shlibs:Depends}, ${misc:Depends}, tinc (= ${binary:Version})
Description: debugging symbols for tinc
tinc is a daemon with which you can create a virtual private network
(VPN). One daemon can handle multiple connections, so you can
create an entire (moderately sized) VPN with only one daemon per
participating computer.
.
This package contains the debugging symbols for tinc.

840
debian/patches/security-fixes vendored
View file

@ -1,840 +0,0 @@
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index 0548628f..a2a635fb 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -464,7 +464,7 @@ Multiple
.Va Address
variables can be specified, in which case each address will be tried until a working
connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised.
Furthermore, specifying
@@ -479,7 +479,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
-.It Va Digest Li = Ar digest Pq sha1
+.It Va Digest Li = Ar digest Pq sha256
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised.
Furthermore, specifying
diff --git a/doc/tinc.texi b/doc/tinc.texi
index 85790028..6e422cfe 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
@cindex Digest
-@item Digest = <@var{digest}> (sha1)
+@item Digest = <@var{digest}> (sha256)
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index 254ea4ff..77b3a4a8 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -45,12 +45,14 @@ AC_DEFUN([tinc_OPENSSL],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
)
- AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], ,
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
+ AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
- AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
+
+ AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])
])
diff --git a/src/connection.h b/src/connection.h
index 877601fe..9e4dc663 100644
--- a/src/connection.h
+++ b/src/connection.h
@@ -41,7 +41,9 @@ typedef struct connection_status_t {
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
- unsigned int unused:23;
+ unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */
+ unsigned int tarpit:1; /* 1 if the connection should be added to the tarpit */
+ unsigned int unused:21;
} connection_status_t;
#include "edge.h"
diff --git a/src/net.c b/src/net.c
index 8d0a0cf4..4e53d920 100644
--- a/src/net.c
+++ b/src/net.c
@@ -166,6 +166,22 @@ static int build_fdset(fd_set *readset, fd_set *writeset) {
return max;
}
+/* Put a misbehaving connection in the tarpit */
+void tarpit(int fd) {
+ static int pits[10] = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1};
+ static int next_pit = 0;
+
+ if(pits[next_pit] != -1) {
+ closesocket(pits[next_pit]);
+ }
+
+ pits[next_pit++] = fd;
+
+ if(next_pit >= sizeof pits / sizeof pits[0]) {
+ next_pit = 0;
+ }
+}
+
/*
Terminate a connection:
- Close the socket
@@ -186,8 +202,13 @@ void terminate_connection(connection_t *c, bool report) {
if(c->node)
c->node->connection = NULL;
- if(c->socket)
- closesocket(c->socket);
+ if(c->socket) {
+ if(c->status.tarpit) {
+ tarpit(c->socket);
+ } else {
+ closesocket(c->socket);
+ }
+ }
if(c->edge) {
if(!c->node) {
@@ -274,6 +295,7 @@ static void check_dead_connections(void) {
closesocket(c->socket);
do_outgoing_connection(c);
} else {
+ c->status.tarpit = true;
terminate_connection(c, false);
}
}
@@ -353,6 +375,7 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) {
if(FD_ISSET(c->socket, readset)) {
if(!receive_meta(c)) {
+ c->status.tarpit = true;
terminate_connection(c, c->status.active);
continue;
}
diff --git a/src/net.h b/src/net.h
index 2b50c5a2..5ae8d344 100644
--- a/src/net.h
+++ b/src/net.h
@@ -163,6 +163,7 @@ extern void flush_queue(struct node_t *);
extern bool read_rsa_public_key(struct connection_t *);
extern void send_mtu_probe(struct node_t *);
extern void load_all_subnets(void);
+extern void tarpit(int fd);
#ifndef HAVE_MINGW
#define closesocket(s) close(s)
diff --git a/src/net_packet.c b/src/net_packet.c
index d11d58ad..5d7c212d 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
len = 64;
memset(packet.data, 0, 14);
- RAND_pseudo_bytes(packet.data + 14, len - 14);
+ RAND_bytes(packet.data + 14, len - 14);
packet.len = len;
if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1;
@@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(n->incipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
@@ -482,10 +482,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
if(n->outcipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;
diff --git a/src/net_setup.c b/src/net_setup.c
index fa4e9867..ea2a3b78 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -53,11 +53,22 @@ char *proxyuser;
char *proxypass;
proxytype_t proxytype;
+#ifndef HAVE_RSA_SET0_KEY
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+ BN_free(r->n); r->n = n;
+ BN_free(r->e); r->e = e;
+ BN_free(r->d); r->d = d;
+ return 1;
+}
+#endif
+
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *pubname;
char *hcfname;
char *key;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
if(!c->rsa_key) {
c->rsa_key = RSA_new();
@@ -67,12 +78,19 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
- if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
+ if(BN_hex2bn(&n, key) != strlen(key)) {
+ free(key);
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false;
}
- BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key);
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
+ return false;
+ }
return true;
}
@@ -163,27 +181,39 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) {
FILE *fp;
char *fname, *key, *pubkey;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
+ BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL);
- if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
+ if(BN_hex2bn(&d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
+ BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
- if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
- logger(LOG_ERR, "Invalid PublicKey for myself!");
+ if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
free(pubkey);
+ BN_free(d);
+ logger(LOG_ERR, "Invalid PublicKey for myself!");
return false;
}
free(pubkey);
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
+ BN_free(d);
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
+ return false;
+ }
return true;
}
@@ -608,14 +638,25 @@ static bool setup_myself(void) {
}
free(cipher);
} else
- myself->incipher = EVP_bf_cbc();
+ myself->incipher = EVP_aes_256_cbc();
if(myself->incipher)
- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
+ myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else
myself->inkeylength = 1;
- myself->connection->outcipher = EVP_bf_ofb();
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
+ but try to match the key size with the one from the cipher selected
+ by Cipher.
+ */
+
+ int keylen = EVP_CIPHER_key_length(myself->incipher);
+ if(keylen <= 16)
+ myself->connection->outcipher = EVP_aes_128_cfb();
+ else if(keylen <= 24)
+ myself->connection->outcipher = EVP_aes_192_cfb();
+ else
+ myself->connection->outcipher = EVP_aes_256_cfb();
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
@@ -639,13 +680,13 @@ static bool setup_myself(void) {
free(digest);
} else
- myself->indigest = EVP_sha1();
+ myself->indigest = EVP_sha256();
- myself->connection->outdigest = EVP_sha1();
+ myself->connection->outdigest = EVP_sha256();
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) {
- if(myself->inmaclength > myself->indigest->md_size) {
+ if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!");
return false;
} else if(myself->inmaclength < 0) {
diff --git a/src/net_socket.c b/src/net_socket.c
index 9a67bb3c..479b595d 100644
--- a/src/net_socket.c
+++ b/src/net_socket.c
@@ -513,6 +513,9 @@ void setup_outgoing_connection(outgoing_t *outgoing) {
new connection
*/
bool handle_new_meta_connection(int sock) {
+ static const int max_accept_burst = 10;
+ static int last_accept_burst;
+ static int last_accept_time;
connection_t *c;
sockaddr_t sa;
int fd;
@@ -525,6 +528,22 @@ bool handle_new_meta_connection(int sock) {
return false;
}
+ if(last_accept_time == now) {
+ last_accept_burst++;
+
+ if(last_accept_burst >= max_accept_burst) {
+ if(last_accept_burst == max_accept_burst) {
+ ifdebug(CONNECTIONS) logger(LOG_WARNING, "Throttling incoming connections");
+ }
+
+ tarpit(fd);
+ return false;
+ }
+ } else {
+ last_accept_burst = 0;
+ last_accept_time = now;
+ }
+
sockaddrunmap(&sa);
c = new_connection();
@@ -546,7 +565,6 @@ bool handle_new_meta_connection(int sock) {
connection_add(c);
c->allow_request = ID;
- send_id(c);
return true;
}
diff --git a/src/node.c b/src/node.c
index cf70f838..19f37306 100644
--- a/src/node.c
+++ b/src/node.c
@@ -1,6 +1,6 @@
/*
node.c -- node tree management
- Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
+ Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@@ -57,8 +57,10 @@ node_t *new_node(void) {
if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree();
- EVP_CIPHER_CTX_init(&n->inctx);
- EVP_CIPHER_CTX_init(&n->outctx);
+ n->inctx = EVP_CIPHER_CTX_new();
+ n->outctx = EVP_CIPHER_CTX_new();
+ if(!n->inctx || !n->outctx)
+ abort();
n->mtu = MTU;
n->maxmtu = MTU;
@@ -80,8 +82,8 @@ void free_node(node_t *n) {
sockaddrfree(&n->address);
- EVP_CIPHER_CTX_cleanup(&n->inctx);
- EVP_CIPHER_CTX_cleanup(&n->outctx);
+ EVP_CIPHER_CTX_free(n->outctx);
+ EVP_CIPHER_CTX_free(n->inctx);
if(n->mtuevent)
event_del(n->mtuevent);
@@ -172,8 +174,8 @@ void dump_nodes(void) {
for(node = node_tree->head; node; node = node->next) {
n = node->data;
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
- n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0,
- n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression,
+ n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
+ n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
}
diff --git a/src/node.h b/src/node.h
index f9ef3c15..c83610e8 100644
--- a/src/node.h
+++ b/src/node.h
@@ -50,12 +50,12 @@ typedef struct node_t {
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
char *inkey; /* Cipher key and iv */
int inkeylength; /* Cipher key and iv length */
- EVP_CIPHER_CTX inctx; /* Cipher context */
+ EVP_CIPHER_CTX *inctx; /* Cipher context */
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
char *outkey; /* Cipher key and iv */
int outkeylength; /* Cipher key and iv length */
- EVP_CIPHER_CTX outctx; /* Cipher context */
+ EVP_CIPHER_CTX *outctx; /* Cipher context */
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
int inmaclength; /* Length of MAC */
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 971341f7..5834fcdf 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -145,7 +145,7 @@ bool id_h(connection_t *c) {
/* Check if identity is a valid name */
- if(!check_id(name)) {
+ if(!check_id(name) || !strcmp(name, myself->name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name,
c->hostname, "invalid name");
return false;
@@ -177,6 +177,11 @@ bool id_h(connection_t *c) {
if(!c->config_tree)
init_configuration(&c->config_tree);
c->allow_request = ACK;
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
return send_ack(c);
}
@@ -196,6 +201,10 @@ bool id_h(connection_t *c) {
c->allow_request = METAKEY;
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
return send_metakey(c);
}
@@ -210,8 +219,11 @@ bool send_metakey(connection_t *c) {
c->outkey = xrealloc(c->outkey, len);
- if(!c->outctx)
- c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
+ if(!c->outctx) {
+ c->outctx = EVP_CIPHER_CTX_new();
+ if(!c->outctx)
+ abort();
+ }
/* Copy random data to the buffer */
@@ -262,17 +274,17 @@ bool send_metakey(connection_t *c) {
/* Send the meta key */
x = send_request(c, "%d %d %d %d %d %s", METAKEY,
- c->outcipher ? c->outcipher->nid : 0,
- c->outdigest ? c->outdigest->type : 0, c->outmaclength,
+ c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
+ c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
c->outcompression, buffer);
/* Further outgoing requests are encrypted with the key we just generated */
if(c->outcipher) {
if(!EVP_EncryptInit(c->outctx, c->outcipher,
- (unsigned char *)c->outkey + len - c->outcipher->key_len,
- (unsigned char *)c->outkey + len - c->outcipher->key_len -
- c->outcipher->iv_len)) {
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
+ EVP_CIPHER_iv_length(c->outcipher))) {
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@@ -308,8 +320,11 @@ bool metakey_h(connection_t *c) {
c->inkey = xrealloc(c->inkey, len);
- if(!c->inctx)
- c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
+ if(!c->inctx) {
+ c->inctx = EVP_CIPHER_CTX_new();
+ if(!c->inctx)
+ abort();
+ }
/* Convert the challenge from hexadecimal back to binary */
@@ -345,9 +360,9 @@ bool metakey_h(connection_t *c) {
}
if(!EVP_DecryptInit(c->inctx, c->incipher,
- (unsigned char *)c->inkey + len - c->incipher->key_len,
- (unsigned char *)c->inkey + len - c->incipher->key_len -
- c->incipher->iv_len)) {
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
+ EVP_CIPHER_iv_length(c->incipher))) {
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@@ -355,7 +370,8 @@ bool metakey_h(connection_t *c) {
c->status.decryptin = true;
} else {
- c->incipher = NULL;
+ logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname);
+ return false;
}
c->inmaclength = maclength;
@@ -368,12 +384,13 @@ bool metakey_h(connection_t *c) {
return false;
}
- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
+ if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
return false;
}
} else {
- c->indigest = NULL;
+ logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname);
+ return false;
}
c->incompression = compression;
@@ -447,27 +464,38 @@ bool challenge_h(connection_t *c) {
/* Rest is done by send_chal_reply() */
- return send_chal_reply(c);
+ if(c->outgoing) {
+ return send_chal_reply(c);
+ } else {
+ return true;
+ }
}
bool send_chal_reply(connection_t *c) {
char hash[EVP_MAX_MD_SIZE * 2 + 1];
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/* Calculate the hash from the challenge we received */
- if(!EVP_DigestInit(&ctx, c->indigest)
- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
+ ctx = EVP_MD_CTX_create();
+ if(!ctx)
+ abort();
+
+ if(!EVP_DigestInit(ctx, c->indigest)
+ || !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
+ || !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
+ EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
+ EVP_MD_CTX_destroy(ctx);
+
/* Convert the hash to a hexadecimal formatted string */
- bin2hex(hash, hash, c->indigest->md_size);
- hash[c->indigest->md_size * 2] = '\0';
+ bin2hex(hash, hash, EVP_MD_size(c->indigest));
+ hash[EVP_MD_size(c->indigest) * 2] = '\0';
/* Send the reply */
@@ -477,7 +505,7 @@ bool send_chal_reply(connection_t *c) {
bool chal_reply_h(connection_t *c) {
char hishash[MAX_STRING_SIZE];
char myhash[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
@@ -487,7 +515,7 @@ bool chal_reply_h(connection_t *c) {
/* Check if the length of the hash is all right */
- if(strlen(hishash) != c->outdigest->md_size * 2) {
+ if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply length");
return false;
@@ -495,24 +523,31 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */
- if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
+ if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false;
}
/* Calculate the hash from the challenge we sent */
- if(!EVP_DigestInit(&ctx, c->outdigest)
- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
+ ctx = EVP_MD_CTX_create();
+ if(!ctx)
+ abort();
+
+ if(!EVP_DigestInit(ctx, c->outdigest)
+ || !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
+ || !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
+ EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
+ EVP_MD_CTX_destroy(ctx);
+
/* Verify the incoming hash with the calculated hash */
- if(memcmp(hishash, myhash, c->outdigest->md_size)) {
+ if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply");
@@ -531,6 +566,10 @@ bool chal_reply_h(connection_t *c) {
c->allow_request = ACK;
+ if(!c->outgoing) {
+ send_chal_reply(c);
+ }
+
return send_ack(c);
}
diff --git a/src/protocol_edge.c b/src/protocol_edge.c
index 3dfff05e..fa57494e 100644
--- a/src/protocol_edge.c
+++ b/src/protocol_edge.c
@@ -70,7 +70,7 @@ bool add_edge_h(connection_t *c) {
/* Check if names are valid */
- if(!check_id(from_name) || !check_id(to_name)) {
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ADD_EDGE", c->name,
c->hostname, "invalid name");
return false;
@@ -181,7 +181,7 @@ bool del_edge_h(connection_t *c) {
/* Check if names are valid */
- if(!check_id(from_name) || !check_id(to_name)) {
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "DEL_EDGE", c->name,
c->hostname, "invalid name");
return false;
diff --git a/src/protocol_key.c b/src/protocol_key.c
index 301ead5d..1b96597f 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
}
if(to->incipher)
- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+ EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window
mykeyused = true;
@@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key,
- to->incipher ? to->incipher->nid : 0,
- to->indigest ? to->indigest->type : 0, to->inmaclength,
+ to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
+ to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression);
}
@@ -268,12 +268,17 @@ bool ans_key_h(connection_t *c) {
return true;
}
- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
+ if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname);
return true;
}
} else {
+ if(from->outkeylength != 1) {
+ logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
+ return true;
+ }
+
from->outcipher = NULL;
}
@@ -288,7 +293,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname);
return true;
@@ -305,7 +310,7 @@ bool ans_key_h(connection_t *c) {
from->outcompression = compression;
if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true;
diff --git a/src/tincd.c b/src/tincd.c
index b6a6c29c..19f2e174 100644
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -330,7 +330,7 @@ static bool parse_options(int argc, char **argv) {
/* This function prettyprints the key generation process */
-static void indicator(int a, int b, void *p) {
+static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) {
case 0:
fprintf(stderr, ".");
@@ -362,19 +362,48 @@ static void indicator(int a, int b, void *p) {
default:
fprintf(stderr, "?");
}
+
+ return 1;
+}
+
+#ifndef HAVE_BN_GENCB_NEW
+BN_GENCB *BN_GENCB_new(void) {
+ return xmalloc_and_zero(sizeof(BN_GENCB));
}
+void BN_GENCB_free(BN_GENCB *cb) {
+ free(cb);
+}
+#endif
+
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
+ BIGNUM *e = NULL;
RSA *rsa_key;
FILE *f;
char *pubname, *privname;
+ BN_GENCB *cb;
+ int result;
fprintf(stderr, "Generating %d bits keys:\n", bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
+
+ cb = BN_GENCB_new();
+ if(!cb)
+ abort();
+ BN_GENCB_set(cb, indicator, NULL);
+
+ rsa_key = RSA_new();
+ BN_hex2bn(&e, "10001");
+ if(!rsa_key || !e)
+ abort();
+
+ result = RSA_generate_key_ex(rsa_key, bits, e, cb);
+
+ BN_free(e);
+ BN_GENCB_free(cb);
if(!rsa_key) {
fprintf(stderr, "Error during key generation!\n");
@@ -697,7 +726,11 @@ end:
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
+#ifdef HAVE_ERR_REMOVE_STATE
+ // OpenSSL claims this function was deprecated in 1.0.0,
+ // but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
ERR_remove_state(0);
+#endif
ERR_free_strings();
exit_configuration(&config_tree);

1
debian/patches/series vendored
View file

@ -1 +0,0 @@
security-fixes

6
debian/rules vendored
View file

@ -12,15 +12,11 @@
%:
dh $@ --parallel
.PHONY: override_dh_strip
override_dh_strip:
dh_strip --dbg-package=tinc-dbg
override_dh_auto_configure:
dh_auto_configure -- --enable-uml --enable-vde
override_dh_auto_install:
dh_auto_install --destdir=debian/tinc -- install-html
dh_auto_install -- install-html
# Remove info dir file
rm -f debian/tinc/usr/share/info/dir

6
debian/tinc.if-post-down vendored
View file

@ -12,7 +12,11 @@ if [ "$IF_TINC_NET" ] ; then
/usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA
sleep 0.1
i=0;
while [ -f "$IF_TINC_PIDFILE" ] ; do
while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
if [ ! -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then
echo 'Failed to stop tinc daemon!'
exit 1

15
debian/tinc.if-pre-up vendored
View file

@ -45,7 +45,20 @@ test -n "$LIMITS" && setlimits $LIMITS
sleep 0.1
i=0;
while [ ! -f "$IF_TINC_PIDFILE" ] ; do
while [ ! -f $IF_TINC_PIDFILE ] ; do
if [ $i = '30' ] ; then
echo 'Failed to start tinc daemon!'
exit 1
fi
sleep 0.1
i=$(($i+1))
done
while read pid rest < $IF_TINC_PIDFILE ; do
if [ -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then
echo 'Failed to start tinc daemon!'
exit 1

9
doc/tinc.conf.5.in
View file

@ -486,12 +486,9 @@ Furthermore, specifying
.Qq none
will turn off packet authentication.
.It Va IndirectData Li = yes | no Pq no
This option specifies whether other tinc daemons besides the one you specified with
.Va ConnectTo
can make a direct connection to you.
This is especially useful if you are behind a firewall
and it is impossible to make a connection from the outside to your tinc daemon.
Otherwise, it is best to leave this option out or set it to no.
When set to yes, only nodes which already have a meta connection to you
will try to establish direct communication with you.
It is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets.
Can be anything from

353
doc/tinc.info
View file

@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.23, a Virtual Private
This is the info manual for tinc version 1.0.25, a Virtual Private
Network daemon.
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
@ -139,7 +139,7 @@ File: tinc.info, Node: Supported platforms, Prev: tinc, Up: Introduction
=======================
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD,
MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin
Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin
environment), with various hardware architectures. These are some of
the platforms that are supported by the universal tun/tap device driver
or other virtual network device drivers. Without such a driver, tinc
@ -176,7 +176,7 @@ File: tinc.info, Node: Configuring the kernel, Next: Libraries, Up: Preparati
* Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels::
* Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels::
* Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows::

@ -238,7 +238,7 @@ default kernel configuration.
Tunneling IPv6 may not work on NetBSD's tun device.

File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (MacOS/X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (Mac OS X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
2.1.5 Configuration of Solaris kernels
--------------------------------------
@ -251,23 +251,18 @@ sparc64 architectures, precompiled versions can be found at
header file is missing, install it from the source package.

File: tinc.info, Node: Configuration of Darwin (MacOS/X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Darwin (Mac OS X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
2.1.6 Configuration of Darwin (MacOS/X) kernels
-----------------------------------------------
2.1.6 Configuration of Darwin (Mac OS X) kernels
------------------------------------------------
Tinc on Darwin relies on a tunnel driver for its data acquisition from
the kernel. Tinc supports either the driver from
<http://tuntaposx.sourceforge.net/>, which supports both tun and tap
style devices, and also the driver from from
<http://chrisp.de/en/projects/tunnel.html>. The former driver is
recommended. The tunnel driver must be loaded before starting tinc with
the following command:
kmodload tunnel
style devices.

File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (MacOS/X) kernels, Up: Configuring the kernel
File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (Mac OS X) kernels, Up: Configuring the kernel
2.1.7 Configuration of Windows
------------------------------
@ -304,7 +299,7 @@ File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
If this library is not installed, you wil get an error when
If this library is not installed, you will get an error when
configuring tinc for build. Support for running tinc with other
cryptographic libraries installed _may_ be added in the future.
@ -360,7 +355,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
For the optional compression of UDP packets, tinc uses the functions
provided by the zlib library.
If this library is not installed, you wil get an error when running
If this library is not installed, you will get an error when running
the configure script. You can either install the zlib library, or
disable support for zlib compression by using the "-disable-zlib" option
when running the configure script. Note that if you disable support for
@ -385,7 +380,7 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running
If this library is not installed, you will get an error when running
the configure script. You can either install the LZO library, or
disable support for LZO compression by using the "-disable-lzo" option
when running the configure script. Note that if you disable support for
@ -445,25 +440,26 @@ your distribution will tell you how to do that.
* Menu:
* Darwin (MacOS/X) build environment::
* Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::

File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
3.1.1 Darwin (MacOS/X) build environment
----------------------------------------
3.1.1 Darwin (Mac OS X) build environment
-----------------------------------------
In order to build tinc on Darwin, you need to install the MacOS/X
In order to build tinc on Darwin, you need to install the Mac OS X
Developer Tools from <http://developer.apple.com/tools/macosxtools.html>
and a recent version of Fink from <http://www.finkproject.org/>.
and preferably a recent version of Fink from
<http://www.finkproject.org/>.
After installation use fink to download and install the following
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.

File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (MacOS/X) build environment, Up: Building and installing tinc
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
3.1.2 Cygwin (Windows) build environment
----------------------------------------
@ -596,9 +592,9 @@ assign a NETNAME to your VPN. It is not required if you only run one
tinc daemon, it doesn't even have to be the same on all the sites of
your VPN, but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document. This means
that you call tincd with the -n argument, which will assign a netname to
this daemon.
We will assume you use a netname throughout this document. This
means that you call tincd with the -n argument, which will assign a
netname to this daemon.
The effect of this is that the daemon will set its configuration root
to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n
@ -626,7 +622,7 @@ in the configuration file tinc.conf. If it sees one or more 'ConnectTo'
values pointing to other tinc daemons in that file, it will try to
connect to those other daemons. Whether this succeeds or not and
whether 'ConnectTo' is specified or not, tinc will listen for incoming
connection from other deamons. If you did specify a 'ConnectTo' value
connection from other daemons. If you did specify a 'ConnectTo' value
and the other side is not responding, tinc will keep retrying. This
means that once started, tinc will stay running until you tell it to
stop, and failures to connect to other tinc daemons will not stop your
@ -649,7 +645,7 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
An optional directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read.
These file consists of comments (lines started with a #) or
@ -755,10 +751,9 @@ DecrementTTL = <yes | no> (no) [experimental]
Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform)
The virtual network device to use. Tinc will automatically detect
what kind of device it is. Note that you can only use one device
per daemon. Under Windows, use INTERFACE instead of DEVICE. Note
that you can only use one device per daemon. See also *note Device
files::.
what kind of device it is. Under Windows, use INTERFACE instead of
DEVICE. Note that you can only use one device per daemon. See
also *note Device files::.
DeviceType = <TYPE> (platform dependent)
The type of the virtual network device. Tinc will normally
@ -864,7 +859,7 @@ Hostnames = <yes|no> (no)
This option selects whether IP addresses (both real and on the VPN)
should be resolved. Since DNS lookups are blocking, it might
affect tinc's efficiency, even stopping the daemon for a few
seconds everytime it does a lookup if your DNS server is not
seconds every time it does a lookup if your DNS server is not
responding.
This does not affect resolving hostnames to IP addresses from the
@ -937,7 +932,7 @@ Mode = <router|switch|hub> (router)
Name = <NAME> [required]
This is a symbolic name for this connection. The name should
consist only of alfanumeric and underscore characters (a-z, A-Z,
consist only of alphanumeric and underscore characters (a-z, A-Z,
0-9 and _).
If Name starts with a $, then the contents of the environment
@ -964,7 +959,7 @@ PriorityInheritance = <yes|no> (no) [experimental]
PrivateKey = <KEY> [obsolete]
This is the RSA private key for tinc. However, for safety reasons
it is advised to store private keys of any kind in separate files.
This prevents accidental eavesdropping if you are editting the
This prevents accidental eavesdropping if you are editing the
configuration file.
PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv')
@ -1114,9 +1109,9 @@ PublicKeyFile = <PATH> [obsolete]
Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
The subnet which this tinc daemon will serve. Tinc tries to look
up which other daemon it should send a packet to by searching the
appropiate subnet. If the packet matches a subnet, it will be sent
to the daemon who has this subnet in his host configuration file.
Multiple subnet lines can be specified for each daemon.
appropriate subnet. If the packet matches a subnet, it will be
sent to the daemon who has this subnet in his host configuration
file. Multiple subnet lines can be specified for each daemon.
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which
case a subnet consisting of only that single address is assumed, or
@ -1186,11 +1181,11 @@ scripts should have the extension .bat.
This script is started when any host becomes unreachable.
'/etc/tinc/NETNAME/subnet-up'
This script is started when a Subnet becomes reachable. The Subnet
This script is started when a subnet becomes reachable. The Subnet
and the node it belongs to are passed in environment variables.
'/etc/tinc/NETNAME/subnet-down'
This script is started when a Subnet becomes unreachable.
This script is started when a subnet becomes unreachable.
The scripts are started without command line arguments, but can make
use of certain environment variables. Under UNIX like operating systems
@ -1252,7 +1247,7 @@ Step 2. Creating your host configuration file
.............................................
If you added a line containing 'Name = yourname' in the main
configuarion file, you will need to create a host configuration file
configuration file, you will need to create a host configuration file
'/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to
create a host configuration file:
@ -1880,7 +1875,7 @@ packets, and 'tap' style, which are Ethernet devices and handle complete
Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines
its type. When tinc is in it's default routing mode, it can handle IPv4
its type. When tinc is in its default routing mode, it can handle IPv4
and IPv6 packets. Depending on the Subnet lines, it will send the
packets off to their destination IP address. In the 'switch' and 'hub'
mode, tinc will use broadcasts and MAC address discovery to deduce the
@ -1909,8 +1904,8 @@ the decrypted information to its own virtual network device.
tunnel), there is no problem for the kernel to accept a packet.
However, if it is a 'tap' device (this is the only available type on
FreeBSD), the destination MAC address must match that of the virtual
network interface. If tinc is in it's default routing mode, ARP does
not work, so the correct destination MAC can not be known by the sending
network interface. If tinc is in its default routing mode, ARP does not
work, so the correct destination MAC can not be known by the sending
host. Tinc solves this by letting the receiving end detect the MAC
address of its own virtual network interface and overwriting the
destination MAC address of the received packet.
@ -2146,13 +2141,13 @@ Explanation is below.
client ACK 655 123 0
| | +-> options
| +----> estimated weight
+--------> listening port of client
| +----> estimated weight
+--------> listening port of client
server ACK 655 321 0
| | +-> options
| +----> estimated weight
+--------> listening port of server
| +----> estimated weight
+--------> listening port of server
--------------------------------------------------------------------------
This new scheme has several improvements, both in efficiency and
@ -2290,30 +2285,30 @@ that it encompasses the entire VPN.
For IPv4 addresses:
Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Darwin (MacOS/X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Darwin (Mac OS X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
For IPv6 addresses:
Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH
FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH
FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
Darwin (Mac OS X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
On some platforms, when running tinc in switch mode, the VPN
interface must be set to tap mode with an ifconfig command:
OpenBSD 'ifconfig' INTERFACE 'link0'
OpenBSD 'ifconfig' INTERFACE 'link0'
On Linux, it is possible to create a persistent tun/tap interface
which will continue to exist even if tinc quit, although this is
@ -2321,7 +2316,7 @@ normally not required. It can be useful to set up a tun/tap interface
owned by a non-root user, so tinc can be started without needing any
root privileges at all.
Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME
Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME

File: tinc.info, Node: Routes, Prev: Interface configuration, Up: Platform specific information
@ -2338,26 +2333,26 @@ preferable, but not all platforms support this.
Adding routes to IPv4 subnets:
Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
LOCAL_ADDRESS
Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (Mac OS X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
LOCAL_ADDRESS
Adding routes to IPv6 subnets:
Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) ?
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE
Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE
Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE
FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (Mac OS X) 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE

File: tinc.info, Node: About us, Next: Concept Index, Prev: Platform specific information, Up: Top
@ -2457,13 +2452,13 @@ Concept Index
* DEVICE: Scripts. (line 53)
* device files: Device files. (line 6)
* DeviceType: Main configuration variables.
(line 80)
(line 79)
* Digest: Host configuration variables.
(line 31)
* DirectOnly: Main configuration variables.
(line 145)
(line 144)
* dummy: Main configuration variables.
(line 87)
(line 86)
* encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets.
(line 6)
@ -2471,53 +2466,53 @@ Concept Index
* example: Example configuration.
(line 6)
* exec: Main configuration variables.
(line 315)
(line 314)
* Forwarding: Main configuration variables.
(line 152)
(line 151)
* frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables.
(line 172)
(line 171)
* Hostnames: Main configuration variables.
(line 180)
(line 179)
* http: Main configuration variables.
(line 312)
(line 311)
* hub: Main configuration variables.
(line 250)
(line 249)
* ID: Authentication protocol.
(line 10)
* IffOneQueue: Main configuration variables.
(line 191)
(line 190)
* IndirectData: Host configuration variables.
(line 36)
* Interface: Main configuration variables.
(line 194)
(line 193)
* INTERFACE: Scripts. (line 56)
* IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6)
* KeyExpire: Main configuration variables.
(line 202)
(line 201)
* KEY_CHANGED: The meta-protocol. (line 63)
* libraries: Libraries. (line 6)
* license: OpenSSL. (line 35)
* LocalDiscovery: Main configuration variables.
(line 208)
(line 207)
* lzo: lzo. (line 6)
* MACExpire: Main configuration variables.
(line 219)
(line 218)
* MACLength: Host configuration variables.
(line 44)
* MaxTimeout: Main configuration variables.
(line 224)
(line 223)
* meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol.
(line 10)
* Mode: Main configuration variables.
(line 228)
(line 227)
* multicast: Main configuration variables.
(line 99)
(line 98)
* multiple networks: Multiple networks. (line 6)
* Name: Main configuration variables.
(line 255)
(line 254)
* NAME: Scripts. (line 50)
* netmask: Network interfaces. (line 33)
* netname: Multiple networks. (line 6)
@ -2531,9 +2526,9 @@ Concept Index
(line 69)
* PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables.
(line 266)
(line 265)
* PingTimeout: Main configuration variables.
(line 270)
(line 269)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 49)
@ -2544,32 +2539,32 @@ Concept Index
(line 57)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 276)
(line 275)
* private: Virtual Private Networks.
(line 10)
* PrivateKey: Main configuration variables.
(line 281)
(line 280)
* PrivateKeyFile: Main configuration variables.
(line 287)
(line 286)
* ProcessPriority: Main configuration variables.
(line 292)
(line 291)
* Proxy: Main configuration variables.
(line 297)
(line 296)
* PublicKey: Host configuration variables.
(line 61)
* PublicKeyFile: Host configuration variables.
(line 64)
* raw_socket: Main configuration variables.
(line 92)
(line 91)
* release: Supported platforms. (line 14)
* REMOTEADDRESS: Scripts. (line 65)
* REMOTEPORT: Scripts. (line 68)
* ReplayWindow: Main configuration variables.
(line 320)
(line 319)
* requirements: Libraries. (line 6)
* REQ_KEY: The meta-protocol. (line 63)
* router: Main configuration variables.
(line 231)
(line 230)
* runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19)
* scripts: Scripts. (line 6)
@ -2577,11 +2572,11 @@ Concept Index
(line 18)
* signals: Signals. (line 6)
* socks4: Main configuration variables.
(line 301)
(line 300)
* socks5: Main configuration variables.
(line 306)
(line 305)
* StrictSubnets: Main configuration variables.
(line 331)
(line 330)
* Subnet: Host configuration variables.
(line 76)
* SUBNET: Scripts. (line 72)
@ -2589,7 +2584,7 @@ Concept Index
(line 98)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 239)
(line 238)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 105)
@ -2601,24 +2596,24 @@ Concept Index
* tincd: tinc. (line 14)
* traditional VPNs: tinc. (line 19)
* tunifhead: Main configuration variables.
(line 134)
(line 133)
* TunnelServer: Main configuration variables.
(line 338)
(line 337)
* tunnohead: Main configuration variables.
(line 128)
(line 127)
* UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets.
(line 12)
* UDPRcvBuf: Main configuration variables.
(line 345)
(line 344)
* UDPSndBuf: Main configuration variables.
(line 350)
(line 349)
* UML: Main configuration variables.
(line 110)
(line 109)
* Universal tun/tap: Configuration of Linux kernels.
(line 6)
* VDE: Main configuration variables.
(line 115)
(line 114)
* virtual: Virtual Private Networks.
(line 18)
* virtual network device: The UDP tunnel. (line 6)
@ -2637,61 +2632,61 @@ Node: Introduction1105
Node: Virtual Private Networks1915
Node: tinc3639
Node: Supported platforms5166
Node: Preparations5865
Node: Configuring the kernel6121
Node: Configuration of Linux kernels6530
Node: Configuration of FreeBSD kernels7385
Node: Configuration of OpenBSD kernels7850
Node: Configuration of NetBSD kernels8458
Node: Configuration of Solaris kernels8863
Node: Configuration of Darwin (MacOS/X) kernels9524
Node: Configuration of Windows10213
Node: Libraries10726
Node: OpenSSL11114
Node: zlib13401
Node: lzo14428
Node: Installation15409
Node: Building and installing tinc16424
Node: Darwin (MacOS/X) build environment17083
Node: Cygwin (Windows) build environment17650
Node: MinGW (Windows) build environment18237
Node: System files18761
Node: Device files19026
Node: Other files19442
Node: Configuration20055
Node: Configuration introduction20366
Node: Multiple networks21634
Node: How connections work23059
Node: Configuration files24281
Node: Main configuration variables25776
Node: Host configuration variables41870
Node: Scripts47371
Node: How to configure50134
Node: Generating keypairs51391
Node: Network interfaces51890
Node: Example configuration53738
Node: Running tinc59063
Node: Runtime options59653
Node: Signals62955
Node: Debug levels64146
Node: Solving problems65082
Node: Error messages66634
Node: Sending bug reports70643
Node: Technical information71590
Node: The connection71821
Node: The UDP tunnel72133
Node: The meta-connection75196
Node: The meta-protocol76665
Node: Security81682
Node: Authentication protocol82815
Node: Encryption of network packets87832
Node: Security issues89208
Node: Platform specific information90835
Node: Interface configuration91063
Node: Routes93516
Node: About us95433
Node: Contact information95608
Node: Authors96012
Node: Concept Index96417
Node: Preparations5866
Node: Configuring the kernel6122
Node: Configuration of Linux kernels6532
Node: Configuration of FreeBSD kernels7387
Node: Configuration of OpenBSD kernels7852
Node: Configuration of NetBSD kernels8460
Node: Configuration of Solaris kernels8865
Node: Configuration of Darwin (Mac OS X) kernels9527
Node: Configuration of Windows10005
Node: Libraries10519
Node: OpenSSL10907
Node: zlib13195
Node: lzo14223
Node: Installation15205
Node: Building and installing tinc16220
Node: Darwin (Mac OS X) build environment16880
Node: Cygwin (Windows) build environment17462
Node: MinGW (Windows) build environment18050
Node: System files18574
Node: Device files18839
Node: Other files19255
Node: Configuration19868
Node: Configuration introduction20179
Node: Multiple networks21447
Node: How connections work22873
Node: Configuration files24095
Node: Main configuration variables25589
Node: Host configuration variables41628
Node: Scripts47131
Node: How to configure49894
Node: Generating keypairs51152
Node: Network interfaces51651
Node: Example configuration53499
Node: Running tinc58824
Node: Runtime options59414
Node: Signals62716
Node: Debug levels63907
Node: Solving problems64843
Node: Error messages66395
Node: Sending bug reports70404
Node: Technical information71351
Node: The connection71582
Node: The UDP tunnel71894
Node: The meta-connection74955
Node: The meta-protocol76424
Node: Security81441
Node: Authentication protocol82574
Node: Encryption of network packets87619
Node: Security issues88995
Node: Platform specific information90622
Node: Interface configuration90850
Node: Routes93321
Node: About us95335
Node: Contact information95510
Node: Authors95914
Node: Concept Index96319

End Tag Table

96
doc/tinc.texi
View file

@ -176,7 +176,7 @@ available too.
@section Supported platforms
@cindex platforms
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most
@ -224,7 +224,7 @@ support tinc.
* Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels::
* Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels::
* Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows::
@end menu
@ -261,7 +261,7 @@ alias char-major-10-200 tun
@subsection Configuration of FreeBSD kernels
For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration.
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}.
@c ==================================================================
@ -298,19 +298,12 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa
@c ==================================================================
@node Configuration of Darwin (MacOS/X) kernels
@subsection Configuration of Darwin (MacOS/X) kernels
@node Configuration of Darwin (Mac OS X) kernels
@subsection Configuration of Darwin (Mac OS X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices,
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
The former driver is recommended.
The tunnel driver must be loaded before starting tinc with the following command:
@example
kmodload tunnel
@end example
which supports both tun and tap style devices.
@c ==================================================================
@ -349,7 +342,7 @@ having them installed, configure will give you an error message, and stop.
For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library.
If this library is not installed, you wil get an error when configuring
If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries
installed @emph{may} be added in the future.
@ -413,7 +406,7 @@ Markus F.X.J. Oberhumer
For the optional compression of UDP packets, tinc uses the functions provided
by the zlib library.
If this library is not installed, you wil get an error when running the
If this library is not installed, you will get an error when running the
configure script. You can either install the zlib library, or disable support
for zlib compression by using the "--disable-zlib" option when running the
configure script. Note that if you disable support for zlib, the resulting
@ -437,7 +430,7 @@ default).
@cindex lzo
Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running the
If this library is not installed, you will get an error when running the
configure script. You can either install the LZO library, or disable support
for LZO compression by using the "--disable-lzo" option when running the
configure script. Note that if you disable support for LZO, the resulting
@ -503,19 +496,19 @@ you can use the package management tools of that distribution to install tinc.
The documentation that comes along with your distribution will tell you how to do that.
@menu
* Darwin (MacOS/X) build environment::
* Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment::
* MinGW (Windows) build environment::
@end menu
@c ==================================================================
@node Darwin (MacOS/X) build environment
@subsection Darwin (MacOS/X) build environment
@node Darwin (Mac OS X) build environment
@subsection Darwin (Mac OS X) build environment
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and
a recent version of Fink from @uref{http://www.finkproject.org/}.
preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@ -666,7 +659,7 @@ It is not required if you only run one tinc daemon,
it doesn't even have to be the same on all the sites of your VPN,
but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document.
We will assume you use a netname throughout this document.
This means that you call tincd with the -n argument,
which will assign a netname to this daemon.
@ -694,7 +687,7 @@ reads in the configuration file tinc.conf.
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
it will try to connect to those other daemons.
Whether this succeeds or not and whether `ConnectTo' is specified or not,
tinc will listen for incoming connection from other deamons.
tinc will listen for incoming connection from other daemons.
If you did specify a `ConnectTo' value and the other side is not responding,
tinc will keep retrying.
This means that once started, tinc will stay running until you tell it to stop,
@ -718,7 +711,7 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read.
These file consists of comments (lines started with a #) or assignments
@ -829,7 +822,6 @@ Do not use this option if you use switch mode and want to use IPv6.
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
The virtual network device to use.
Tinc will automatically detect what kind of device it is.
Note that you can only use one device per daemon.
Under Windows, use @var{Interface} instead of @var{Device}.
Note that you can only use one device per daemon.
See also @ref{Device files}.
@ -947,7 +939,7 @@ that is executed, the graph is then sent to stdin.
@item Hostnames = <yes|no> (no)
This option selects whether IP addresses (both real and on the VPN)
should be resolved. Since DNS lookups are blocking, it might affect
tinc's efficiency, even stopping the daemon for a few seconds everytime
tinc's efficiency, even stopping the daemon for a few seconds every time
it does a lookup if your DNS server is not responding.
This does not affect resolving hostnames to IP addresses from the
@ -1022,7 +1014,7 @@ while no routing table is managed.
@cindex Name
@item Name = <@var{name}> [required]
This is a symbolic name for this connection.
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _).
The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores.
@ -1049,7 +1041,7 @@ will be inherited by the UDP packets that are sent out.
@item PrivateKey = <@var{key}> [obsolete]
This is the RSA private key for tinc. However, for safety reasons it is
advised to store private keys of any kind in separate files. This prevents
accidental eavesdropping if you are editting the configuration file.
accidental eavesdropping if you are editing the configuration file.
@cindex PrivateKeyFile
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
@ -1216,7 +1208,7 @@ connection with that host.
@cindex Subnet
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
The subnet which this tinc daemon will serve.
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
If the packet matches a subnet,
it will be sent to the daemon who has this subnet in his host configuration file.
Multiple subnet lines can be specified for each daemon.
@ -1293,11 +1285,11 @@ This script is started when any host becomes reachable.
This script is started when any host becomes unreachable.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-up
This script is started when a Subnet becomes reachable.
This script is started when a subnet becomes reachable.
The Subnet and the node it belongs to are passed in environment variables.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down
This script is started when a Subnet becomes unreachable.
This script is started when a subnet becomes unreachable.
@end table
@cindex environment variables
@ -1368,7 +1360,7 @@ add `ConnectTo' values.
@subsubheading Step 2. Creating your host configuration file
If you added a line containing `Name = yourname' in the main configuarion file,
If you added a line containing `Name = yourname' in the main configuration file,
you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}.
Adapt the following example to create a host configuration file:
@ -1938,7 +1930,7 @@ Note that you will only see this message if you specified a debug
level of 5 or higher!
@item Chances are that a @samp{Subnet = ...} line in the host configuration file of this tinc daemon is wrong.
Change it to a subnet that is accepted locally by another interface,
or if that is not the case, try changing the prefix length into /32.
or if that is not the case, try changing the prefix length into /32.
@end itemize
@item Node foo (1.2.3.4) is not reachable
@ -2022,7 +2014,7 @@ There are two possible types of virtual network devices:
and `tap' style, which are Ethernet devices and handle complete Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines its
type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6
type. When tinc is in its default routing mode, it can handle IPv4 and IPv6
packets. Depending on the Subnet lines, it will send the packets off to their destination IP address.
In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery
to deduce the destination of the packets.
@ -2053,7 +2045,7 @@ If the virtual network device is a `tun' device (a point-to-point tunnel),
there is no problem for the kernel to accept a packet.
However, if it is a `tap' device (this is the only available type on FreeBSD),
the destination MAC address must match that of the virtual network interface.
If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC
If tinc is in its default routing mode, ARP does not work, so the correct destination MAC
can not be known by the sending host.
Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface
and overwriting the destination MAC address of the received packet.
@ -2177,7 +2169,7 @@ message
------------------------------------------------------------------
REQ_KEY origin destination
| +--> name of the tinc daemon it wants the key from
+----------> name of the daemon that wants the key
+----------> name of the daemon that wants the key
ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4
| | \______________/ | | +--> MAC length
@ -2312,13 +2304,13 @@ their identity. Further information is exchanged.
client ACK 655 123 0
| | +-> options
| +----> estimated weight
+--------> listening port of client
| +----> estimated weight
+--------> listening port of client
server ACK 655 321 0
| | +-> options
| +----> estimated weight
+--------> listening port of server
| +----> estimated weight
+--------> listening port of server
--------------------------------------------------------------------------
@end example
@ -2446,7 +2438,7 @@ netmask should be such that it encompasses the entire VPN.
For IPv4 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Linux iproute2
@ -2459,7 +2451,7 @@ For IPv4 addresses:
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Solaris
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Darwin (MacOS/X)
@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Windows
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
@ -2467,7 +2459,7 @@ For IPv4 addresses:
For IPv6 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
@item FreeBSD
@ -2480,7 +2472,7 @@ For IPv6 addresses:
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
@item
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
@item Darwin (MacOS/X)
@item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@item Windows
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@ -2488,7 +2480,7 @@ For IPv6 addresses:
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item OpenBSD
@tab @code{ifconfig} @var{interface} @code{link0}
@end multitable
@ -2498,7 +2490,7 @@ continue to exist even if tinc quit, although this is normally not required.
It can be useful to set up a tun/tap interface owned by a non-root user, so
tinc can be started without needing any root privileges at all.
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@end multitable
@ -2516,7 +2508,7 @@ support this.
Adding routes to IPv4 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
@item Linux iproute2
@ -2529,15 +2521,15 @@ Adding routes to IPv4 subnets:
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Solaris
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Darwin (Mac OS X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@end multitable
Adding routes to IPv6 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
@item Linux iproute2
@ -2550,8 +2542,8 @@ Adding routes to IPv6 subnets:
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@item Solaris
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X)
@tab ?
@item Darwin (Mac OS X)
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@end multitable

4
m4/attribute.m4
View file

@ -9,8 +9,8 @@ AC_DEFUN([tinc_ATTRIBUTE],
CFLAGS="$CFLAGS -Wall -Werror"
AC_COMPILE_IFELSE(
[AC_LANG_SOURCE(
[void test(void) __attribute__ (($1));
void test(void) { return; }
[void *test(void) __attribute__ (($1));
void *test(void) { return (void *)0; }
],
)],
[tinc_cv_attribute_$1=yes],

4
src/bsd/device.c
View file

@ -1,7 +1,7 @@
/*
device.c -- Interaction BSD tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans,
2001-2012 Guus Sliepen <guus@tinc-vpn.org>
2001-2014 Guus Sliepen <guus@tinc-vpn.org>
2009 Grzegorz Dymarek <gregd72002@googlemail.com>
This program is free software; you can redistribute it and/or modify
@ -34,7 +34,7 @@
#endif
#define DEFAULT_TUN_DEVICE "/dev/tun0"
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD)
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_DARWIN)
#define DEFAULT_TAP_DEVICE "/dev/tap0"
#else
#define DEFAULT_TAP_DEVICE "/dev/tun0"

1
src/conf.h
View file

@ -38,6 +38,7 @@ extern avl_tree_t *config_tree;
extern int pinginterval;
extern int pingtimeout;
extern int maxtimeout;
extern int mintimeout;
extern bool bypass_security;
extern char *confbase;
extern char *netname;

17
src/have.h
View file

@ -1,7 +1,7 @@
/*
have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans
2003-2014 Guus Sliepen <guus@tinc-vpn.org>
2003-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -196,4 +196,19 @@
#include <netinet/if_ether.h>
#endif
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#ifdef STATUS
#undef STATUS
#endif
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
#ifdef HAVE_LINUX_IF_TUN_H
#include <linux/if_tun.h>
#endif
#endif /* __TINC_SYSTEM_H__ */

3
src/linux/device.c
View file

@ -134,6 +134,9 @@ static bool setup_device(void) {
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
}
if(overwrite_mac && !ioctl(device_fd, SIOCGIFHWADDR, &ifr))
memcpy(mymac.x, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
logger(LOG_INFO, "%s is a %s", device, device_info);
return true;

13
src/net.c
View file

@ -1,7 +1,7 @@
/*
net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2011 Loïc Grenié <loic.grenie@gmail.com>
@ -41,14 +41,6 @@
#include "subnet.h"
#include "xalloc.h"
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
bool do_purge = false;
volatile bool running = false;
#ifdef HAVE_PSELECT
@ -508,9 +500,6 @@ int main_loop(void) {
avl_node_t *node;
logger(LOG_INFO, "Flushing event queue");
expire_events();
#if HAVE_DECL_RES_INIT
res_init();
#endif
for(node = connection_tree->head; node; node = node->next) {
connection_t *c = node->data;
if(c->status.active)

1
src/net.h
View file

@ -87,6 +87,7 @@ typedef struct listen_socket_t {
int tcp;
int udp;
sockaddr_t sa;
int priority;
} listen_socket_t;
#include "conf.h"

29
src/net_packet.c
View file

@ -415,9 +415,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t *outpkt;
int origlen;
int outlen, outpad;
#if defined(SOL_IP) && defined(IP_TOS)
static int priority = 0;
#endif
int origpriority;
if(!n->status.reachable) {
@ -549,15 +546,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
sock = n->sock;
}
if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
listen_socket[n->sock].priority = origpriority;
switch(listen_socket[n->sock].sa.sa.sa_family) {
#if defined(SOL_IP) && defined(IP_TOS)
if(priorityinheritance && origpriority != priority
&& listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
priority = origpriority;
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
}
case AF_INET:
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
break;
#endif
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
case AF_INET6:
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof(origpriority)))
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
break;
#endif
default:
break;
}
}
if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) {

31
src/net_setup.c
View file

@ -1,7 +1,7 @@
/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
@ -539,7 +539,12 @@ static bool setup_myself(void) {
#if !defined(SOL_IP) || !defined(IP_TOS)
if(priorityinheritance)
logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
logger(LOG_WARNING, "%s not supported on this platform for IPv4 connection", "PriorityInheritance");
#endif
#if !defined(IPPROTO_IPV6) || !defined(IPV6_TCLASS)
if(priorityinheritance)
logger(LOG_WARNING, "%s not supported on this platform for IPv6 connection", "PriorityInheritance");
#endif
if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
@ -553,6 +558,18 @@ static bool setup_myself(void) {
} else
maxtimeout = 900;
if(get_config_int(lookup_config(config_tree, "MinTimeout"), &mintimeout)) {
if(mintimeout < 0) {
logger(LOG_ERR, "Bogus minimum timeout!");
return false;
}
if(mintimeout > maxtimeout) {
logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting !", mintimeout, maxtimeout );
mintimeout=maxtimeout;
}
} else
mintimeout = 0;
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
if(udp_rcvbuf <= 0) {
logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
@ -713,6 +730,12 @@ static bool setup_myself(void) {
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name);
#ifdef HAVE_MINGW
Sleep(1000);
#endif
#ifdef HAVE_CYGWIN
sleep(1);
#endif
execute_script("tinc-up", envp);
for(i = 0; i < 4; i++)
@ -790,6 +813,10 @@ static bool setup_myself(void) {
hint.ai_protocol = IPPROTO_TCP;
hint.ai_flags = AI_PASSIVE;
#if HAVE_DECL_RES_INIT
// ensure glibc reloads /etc/resolv.conf.
res_init();
#endif
err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
free(address);

9
src/net_socket.c
View file

@ -40,6 +40,7 @@
#endif
int addressfamily = AF_UNSPEC;
int mintimeout = 0;
int maxtimeout = 900;
int seconds_till_retry = 5;
int udp_rcvbuf = 0;
@ -77,6 +78,11 @@ static void configure_tcp(connection_t *c) {
option = IPTOS_LOWDELAY;
setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
#endif
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) && defined(IPTOS_LOWDELAY)
option = IPTOS_LOWDELAY;
setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void *)&option, sizeof(option));
#endif
}
static bool bind_to_interface(int sd) {
@ -273,6 +279,9 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
void retry_outgoing(outgoing_t *outgoing) {
outgoing->timeout += 5;
if(outgoing->timeout < mintimeout)
outgoing->timeout = mintimeout;
if(outgoing->timeout > maxtimeout)
outgoing->timeout = maxtimeout;

6
src/netutl.c
View file

@ -1,7 +1,7 @@
/*
netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -39,6 +39,10 @@ struct addrinfo *str2addrinfo(const char *address, const char *service, int sock
hint.ai_family = addressfamily;
hint.ai_socktype = socktype;
#if HAVE_DECL_RES_INIT
// ensure glibc reloads /etc/resolv.conf.
res_init();
#endif
err = getaddrinfo(address, service, &hint, &ai);
if(err) {

66
src/process.c
View file

@ -1,7 +1,7 @@
/*
process.c -- process management functions
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -347,17 +347,59 @@ bool detach(void) {
return true;
}
#ifdef HAVE_PUTENV
void unputenv(char *p) {
char *e = strchr(p, '=');
if(!e)
return;
int len = e - p;
#ifndef HAVE_UNSETENV
#ifdef HAVE_MINGW
// Windows requires putenv("FOO=") to unset %FOO%
len++;
#endif
#endif
char var[len + 1];
memcpy(var, p, len);
var[len] = 0;
#ifdef HAVE_UNSETENV
unsetenv(var);
#else
// We must keep what we putenv() around in memory.
// To do this without memory leaks, keep things in a list and reuse if possible.
static list_t list = {};
for(list_node_t *node = list.head; node; node = node->next) {
char *data = node->data;
if(!strcmp(data, var)) {
putenv(data);
return;
}
}
char *data = xstrdup(var);
list_insert_tail(&list, data);
putenv(data);
#endif
}
#else
void putenv(const char *p) {}
void unputenv(const char *p) {}
#endif
bool execute_script(const char *name, char **envp) {
#ifdef HAVE_SYSTEM
int status, len;
char *scriptname;
int i;
char *interpreter = NULL;
config_t *cfg_interpreter;
int status, len, i;
cfg_interpreter = lookup_config(config_tree, "ScriptsInterpreter");
#ifndef HAVE_MINGW
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
#else
len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
if(cfg_interpreter)
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
else
len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
#endif
if(len < 0)
return false;
@ -365,14 +407,13 @@ bool execute_script(const char *name, char **envp) {
scriptname[len - 1] = '\0';
/* First check if there is a script */
if(access(scriptname + 1, F_OK)) {
free(scriptname);
return true;
}
// Custom scripts interpreter
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
if(get_config_string(cfg_interpreter, &interpreter)) {
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
free(scriptname);
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
@ -383,12 +424,10 @@ bool execute_script(const char *name, char **envp) {
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
#ifdef HAVE_PUTENV
/* Set environment */
for(i = 0; envp[i]; i++)
putenv(envp[i]);
#endif
scriptname[len - 1] = '\"';
status = system(scriptname);
@ -397,15 +436,8 @@ bool execute_script(const char *name, char **envp) {
/* Unset environment */
for(i = 0; envp[i]; i++) {
char *e = strchr(envp[i], '=');
if(e) {
char p[e - envp[i] + 1];
strncpy(p, envp[i], e - envp[i]);
p[e - envp[i]] = '\0';
putenv(p);
}
}
for(i = 0; envp[i]; i++)
unputenv(envp[i]);
if(status != -1) {
#ifdef WEXITSTATUS

10
src/tincd.c
View file

@ -1,7 +1,7 @@
/*
tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu>
@ -97,7 +97,7 @@ char *pidfilename = NULL; /* pid file location */
char *logfilename = NULL; /* log file location */
char **g_argv; /* a copy of the cmdline arguments */
static int status;
static int status = 1;
static struct option const long_options[] = {
{"config", required_argument, NULL, 'c'},
@ -438,14 +438,14 @@ static void make_names(void) {
#ifdef HAVE_MINGW
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
if(!logfilename)
xasprintf(&logfilename, "%s/log/%s.log", identname);
if(!confbase) {
if(netname)
xasprintf(&confbase, "%s/%s", installdir, netname);
else
xasprintf(&confbase, "%s", installdir);
}
if(!logfilename)
xasprintf(&logfilename, "%s/tinc.log", confbase);
}
RegCloseKey(key);
if(*installdir)
@ -549,7 +549,7 @@ int main(int argc, char **argv) {
if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
printf("Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"