diff --git a/COPYING b/COPYING
index f4dd065..91365f3 100644
--- a/COPYING
+++ b/COPYING
@@ -1,4 +1,4 @@
-Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.
+Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.
 See the AUTHORS file for a complete list.
 This program is free software; you can redistribute it and/or modify it under
diff --git a/ChangeLog b/ChangeLog
index 8f335b1..efc25dc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,20 +1,64 @@
+Version 1.0.26 July 05 2015
+------------------------------------------------------------------------
+
+Guus Sliepen (14):
+ Use VittGam's real name.
+ Attribution for Saverio Proto.
+ Always call res_init() before getaddrinfo().
+ Fix --logfile without a filename on Windows.
+ Never call putenv() with data on the stack.
+ Return non-zero exit code when encountering configuration errors during startup.
+ Fix autoconf check for function attributes.
+ Fix spelling of FORTIFY_SOURCE.
+ Update copyright notices.
+ Attribution for various contributors.
+ Only check for -fno-strict-overflow if -fwrapv does not work.
+ Fix unputenv() on Windows.
+ Don't try to call res_init() if ./configure told us it doesn't exist.
+ Releasing 1.0.26.
+
+Jo-Philipp Wich (1):
+ fix musl compatibility
+
+Version 1.0.25 December 22 2014
+------------------------------------------------------------------------
+
+Guus Sliepen (7):
+ Fix date of last NEWS entry.
+ Remember ToS/Diffserv priority for each socket individually.
+ Attribution for various contributors.
+ Automatically choose a tap device on Mac OS X when using switch Mode.
+ Update documentation for Mac OS X.
+ Check whether res_init() really lives in libresolv.
+ Releasing 1.0.25.
+
+Borg (3):
+ Fixed scripts calling under Win32.
+ Get MAC of TAP device.
+ Fixed tinc-up script calling on Win32.
+
+Alexis Hildebrandt (1):
+ Add support to link against libresolv Mac OS X
+
+Baptiste Jonglez (1):
+ Use the description from the 1.1 man page for the IndirectData option
+
+David Pflug (1):
+ Update README.android
+
+Jochen Voss (1):
+ Fix some typos in the manual.
+
+Tomislav Čohar (1):
+ Configure minimum reconnect timeouts.
+
+VittGam (1):
+ Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.
+
 Version 1.0.24 May 11 2014
 ------------------------------------------------------------------------
-Guus Sliepen (26):
- Mention in the manual that multiple Address staments are allowed.
- If no Port is specified, set myport to actual port of first listening socket.
- Enable compiler hardening flags by default.
- Update support for Solaris.
- Include for PATH_MAX.
- Stricter check for raw socket support.
- Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
- Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
- Don't enable -fstack-protector-all.
- Remove or lower the priority of some debug messages.
- Clarify StrictSubnets.
- Attribution for various contributors.
- Handle errors from TAP-Win32/64 adapter in a better way.
+Guus Sliepen (13):
 Remove useless variable 'hard' from try_harder().
 Merge pull request #14 from luckyhacky/master
 Add an autoconf check for res_init().
@@ -34,22 +78,40 @@ Steffan Karger (3):
 Use cryptographically strong random when generating keys.
 Check RAND_bytes() return value, fail when getting random fails.
-Florent Clairambault (2):
- Adding "conf.d" configuration dir support.
- Adding some documentation around the /etc/tinc/$NET/conf.d directory.
-
 Armin Fisslthaler (1):
 reload /etc/resolv.conf in SIGALRM handler
 Loic Dachary (1):
 fix documentation typo
-Vilbrekin (1):
- Update android build instructions. Disable PIE as this is not supported on some devices.
-
 luckyhacky (1):
 update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
+refs/tags/1.0.23-android-1 March 11 2014
+------------------------------------------------------------------------
+
+Guus Sliepen (13):
+ Mention in the manual that multiple Address staments are allowed.
+ If no Port is specified, set myport to actual port of first listening socket.
+ Enable compiler hardening flags by default.
+ Update support for Solaris.
+ Include for PATH_MAX.
+ Stricter check for raw socket support.
+ Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
+ Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
+ Don't enable -fstack-protector-all.
+ Remove or lower the priority of some debug messages.
+ Clarify StrictSubnets.
+ Attribution for various contributors.
+ Handle errors from TAP-Win32/64 adapter in a better way.
+
+Florent Clairambault (2):
+ Adding "conf.d" configuration dir support.
+ Adding some documentation around the /etc/tinc/$NET/conf.d directory.
+
+Vilbrekin (1):
+ Update android build instructions. Disable PIE as this is not supported on some devices.
+
 Version 1.0.23 October 19 2013
 ------------------------------------------------------------------------
diff --git a/NEWS b/NEWS
index 191f645..eb35583 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,29 @@
-Version 1.0.24 May 11 2013
+Version 1.0.26 July 5 2015
+
+ * Tinc now forces glibc to reload /etc/resolv.conf for every hostname lookup.
+
+ * Fixed --logfile without a filename on Windows.
+
+ * Ensure tinc can be compiled when using musl libc.
+
+Thanks to Jo-Philipp Wich for his contribution to this version of tinc.
+
+Version 1.0.25 December 22 2014
+
+ * Documentation updates.
+
+ * Support linking against -lresolv on Mac OS X.
+
+ * Fix scripts on Windows when using the ScriptsInterpreter option.
+
+ * Allow a minimum reconnect timeout to be specified.
+
+ * Support PriorityInheritance on IPv6 sockets.
+
+Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss,
+Tomislav Čohar and VittGam for their contributions to this version of tinc.
+
+Version 1.0.24 May 11 2014
 * Various compiler hardening flags are enabled by default.
diff --git a/README b/README
index 49fc1dc..69497d6 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
-This is the README file for tinc version 1.0.24. Installation
+This is the README file for tinc version 1.0.26. Installation
 instructions may be found in the INSTALL file.
-tinc is Copyright (C) 1998-2014 by:
+tinc is Copyright (C) 1998-2015 by:
 Ivo Timmermans,
 Guus Sliepen ,
@@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
 Compatibility
 -------------
-Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.0.26 is compatible with 1.0pre8, 1.0 and later, but not with older
 versions of tinc.
diff --git a/README.android b/README.android
index 953633a..7925bdb 100644
--- a/README.android
+++ b/README.android
@@ -6,11 +6,12 @@ tar xfj android-ndk-r9d-linux-x86.tar.bz2
 ./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
 - Download and cross-compile openSSL for ARM:
-wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
-tar xfz openssl-1.0.1g.tar.gz
-cd openssl-1.0.1g
+wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
+tar xfz openssl-1.0.1h.tar.gz
+cd openssl-1.0.1h
 ./Configure dist
 make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
+cd -
 - Clone and cross-compile tinc:
 git clone git://tinc-vpn.org/tinc
diff --git a/THANKS b/THANKS
index 1444b54..7a8521a 100644
--- a/THANKS
+++ b/THANKS
@@ -1,14 +1,18 @@
 We would like to thank the following people for their contributions to tinc:
 * Alexander Reil and Gemeinde Berg
+* Alexis Hildebrandt
 * Allesandro Gatti
 * Andreas van Cranenburgh
 * Anthony G. Basile
 * Armin Fisslthaler
 * Armijn Hemel
+* Baptiste Jonglez
+* Borg
 * Brandon Black
 * Cris van Pelt
 * Darius Jahandarie
+* David Pflug
 * Delf Eldkraft
 * dnk
 * Enrique Zanardi
@@ -22,9 +26,13 @@ We would like to thank the following people for their contributions to tinc:
 * James MacLean
 * Jamie Briggs
 * Jason Harper
+* Jason Livesay
 * Jelle de Jong
+* Jeroen Domburg
 * Jeroen Ubbink
 * Jerome Etienne
+* Jo-Philipp Wich
+* Jochen Voss
 * Julien Muchembled
 * Lavrans Laading
 * Loïc Dachary
@@ -50,15 +58,24 @@ We would like to thank the following people for their contributions to tinc: * Philipp Babel * Robert van der Meulen * Rumko +* Sam Bryan +* Saverio Proto * Scott Lamb * Steffan Karger * Sven-Haegar Koch * Teemu Kiviniemi +* Thomas Tsiakalakis * Timothy Redaelli +* Tomasz Fortuna +* Tomislav Čohar +* Tommy Arnkværn * Tonnerre Lombard * Vil Brekin +* Vittorio Gambaletta * Wessel Dankers +* William McArthur * Wouter van Heyst +* 戴 鸣 And everyone we forgot (if we did, please let us know). Thank you! diff --git a/aclocal.m4 b/aclocal.m4 index bcae214..b621a0c 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -103,10 +103,9 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- diff --git a/config.guess b/config.guess index b79252d..1f5c50c 100755 --- a/config.guess +++ b/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2013 Free Software Foundation, Inc. +# Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2013-06-10' +timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -149,7 +149,7 @@ Linux|GNU|GNU/*) LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac @@ -826,7 +826,7 @@ EOF *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) + *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) @@ -969,10 +969,10 @@ EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} exit ;; - or32:Linux:*:*) + or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) 
@@ -1260,16 +1260,26 @@ EOF if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. + UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; 
@@ -1361,154 +1371,6 @@ EOF exit ;; esac -eval $set_cc_for_build -cat >$dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && - { echo "$SYSTEM_NAME"; exit; } - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit ;; - c34*) - echo c34-convex-bsd - exit ;; - c38*) - echo c38-convex-bsd - exit ;; - c4*) - echo c4-convex-bsd - exit ;; - esac -fi - cat >&2 <." version="\ GNU config.sub ($timestamp) -Copyright 1992-2013 Free Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -265,6 +265,7 @@ case $basic_machine in | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ 
@@ -282,8 +283,10 @@ case $basic_machine in | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ @@ -295,11 +298,11 @@ case $basic_machine in | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | open8 \ - | or1k | or32 \ + | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ + | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ @@ -324,7 +327,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -381,6 +384,7 @@ case $basic_machine in | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ @@ -400,8 +404,10 @@ case $basic_machine in | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ @@ -413,6 +419,7 @@ case $basic_machine in | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ + | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ 
@@ -822,6 +829,10 @@ case $basic_machine in basic_machine=powerpc-unknown os=-morphos ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; msdos) basic_machine=i386-pc os=-msdos @@ -1367,14 +1378,14 @@ case $os in | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1592,9 +1603,6 @@ case $basic_machine in mips*-*) os=-elf ;; - or1k-*) - os=-elf - ;; or32-*) os=-coff ;; diff --git a/configure b/configure index 9082724..ccbe0f1 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tinc 1.0.24. +# Generated by GNU Autoconf 2.69 for tinc 1.0.26. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tinc' PACKAGE_TARNAME='tinc' -PACKAGE_VERSION='1.0.24' -PACKAGE_STRING='tinc 1.0.24' +PACKAGE_VERSION='1.0.26' +PACKAGE_STRING='tinc 1.0.26' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tinc 1.0.24 to adapt to many kinds of systems. +\`configure' configures tinc 1.0.26 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1378,7 +1378,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tinc 1.0.24:";; + short | recursive ) echo "Configuration of tinc 1.0.26:";; esac cat <<\_ACEOF @@ -1497,7 +1497,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tinc configure 1.0.24 +tinc configure 1.0.26 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1962,7 +1962,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tinc $as_me 1.0.24, which was +It was created by tinc $as_me 1.0.26, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2512,8 +2512,8 @@ test "$program_suffix" != NONE && ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -2826,7 +2826,7 @@ fi # Define the identity of the package. PACKAGE='tinc' - VERSION='1.0.24' + VERSION='1.0.26' cat >>confdefs.h <<_ACEOF 
@@ -5185,42 +5185,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5 $as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; } if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then : - CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2" -else - : -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5 -$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; } -if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -fno-strict-overflow" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___fno_strict_overflow=yes -else - ax_cv_check_cflags___fno_strict_overflow=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5 -$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; } -if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then : - CPPFLAGS="$CPPFLAGS -fno-strict-overflow" + CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2" else : fi 
@@ -5256,8 +5221,42 @@ fi $as_echo "$ax_cv_check_cflags___fwrapv" >&6; } if test x"$ax_cv_check_cflags___fwrapv" = xyes; then : CPPFLAGS="$CPPFLAGS -fwrapv" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5 +$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; } +if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fno-strict-overflow" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fno_strict_overflow=yes +else + ax_cv_check_cflags___fno_strict_overflow=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5 +$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; } +if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then : + CPPFLAGS="$CPPFLAGS -fno-strict-overflow" else : +fi + fi case $host_os in @@ -5877,8 +5876,8 @@ else CFLAGS="$CFLAGS -Wall -Werror" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -void test(void) __attribute__ ((__malloc__)); - void test(void) { return; } +void *test(void) __attribute__ ((__malloc__)); + void *test(void) { return (void *)0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : 
@@ -6275,6 +6274,53 @@ fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_RES_INIT $ac_have_decl _ACEOF +if test $ac_have_decl = 1; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_init in -lresolv" >&5 +$as_echo_n "checking for res_init in -lresolv... " >&6; } +if ${ac_cv_lib_resolv_res_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lresolv $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char res_init (); +int +main () +{ +return res_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_resolv_res_init=yes +else + ac_cv_lib_resolv_res_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_init" >&5 +$as_echo "$ac_cv_lib_resolv_res_init" >&6; } +if test "x$ac_cv_lib_resolv_res_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBRESOLV 1 +_ACEOF + + LIBS="-lresolv $LIBS" + +fi + +fi cat >confcache <<\_ACEOF @@ -7396,7 +7442,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tinc $as_me 1.0.24, which was +This file was extended by tinc $as_me 1.0.26, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -7462,7 +7508,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tinc config.status 1.0.24
+tinc config.status 1.0.26
 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index bb2dc80..41ddc6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.24])
+AC_INIT([tinc], [1.0.26])
 AC_CONFIG_SRCDIR([src/tincd.c])
 AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
 AC_CONFIG_HEADERS([config.h])
@@ -134,9 +134,9 @@ dnl No -fstack-protector-all because it doesn't work on all platforms or archite
 AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
 AS_IF([test "x$enable_hardening" != "xno"],
- [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
- AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
- AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
+ [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])
+ AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"],
+ AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]))
 case $host_os in
 *mingw*)
 AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
@@ -202,7 +202,7 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo], [], [],
 [#include "src/have.h"]
 )
-AC_CHECK_DECLS([res_init], [], [], [
+AC_CHECK_DECLS([res_init], [AC_CHECK_LIB(resolv, res_init)], [], [
 #include
 #include
 ])
diff --git a/debian/changelog b/debian/changelog
index f8c1df3..7083e60 100644
--- a/debian/changelog
+++ b/debian/changelog
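Review bot: The define in the configure.ac hardening hunk is still the wrong macro name: glibc's fortified headers test `_FORTIFY_SOURCE` (leading underscore), so `-DFORTIFY_SOURCE=2` stays inert even after the FORITFY typo is corrected, and the same value is carried into the generated configure hunk at `@@ -5185,42 +5185,7 @@`. The line should read `[AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"])`. As far as I can tell AX_CHECK_COMPILE_FLAG with a bare `-D` flag succeeds on any compiler, so the probe does not establish that the libc honours the define, and `_FORTIFY_SOURCE` only takes effect when optimisation is enabled; a one-line `dnl _FORTIFY_SOURCE only does anything at -O1 or higher; the probe checks syntax, not libc support` above the AS_IF would keep the next reader from assuming the check is meaningful.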
@@ -1,17 +1,11 @@
-tinc (1.0.24-2.1+deb8u1) jessie-security; urgency=medium
+tinc (1.0.26-1) unstable; urgency=medium
- * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
- * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
+ * New upstream release.
+ * Use the contents, not the presence, of the pidfile to check that tincd is
+ shut down properly. Closes: #774682
+ * Bump Standards-Version.
- -- Guus Sliepen Mon, 08 Oct 2018 20:14:24 +0200
-
-tinc (1.0.24-2.1) unstable; urgency=medium
-
- * NMU after getting go ahead from guus on #tinc
- * Add a -dbg package which contains the debugging symbols for tinc
- Thanks hark@puscii.nl (Closes: #752561)
-
- -- Micah Anderson Tue, 24 Jun 2014 14:01:47 -0400
+ -- Guus Sliepen Sun, 05 Jul 2015 17:23:08 +0200
 tinc (1.0.24-2) unstable; urgency=medium
diff --git a/debian/control b/debian/control
index ce877c4..7de8773 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: tinc
 Section: net
 Priority: optional
 Maintainer: Guus Sliepen
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
 Homepage: http://www.tinc-vpn.org/
@@ -14,16 +14,3 @@ Description: Virtual Private Network daemon
 (VPN). One daemon can handle multiple connections, so you can
 create an entire (moderately sized) VPN with only one daemon per
 participating computer.
-
-Package: tinc-dbg
-Architecture: any
-Section: debug
-Priority: extra
-Depends: ${shlibs:Depends}, ${misc:Depends}, tinc (= ${binary:Version})
-Description: debugging symbols for tinc
- tinc is a daemon with which you can create a virtual private network
- (VPN). One daemon can handle multiple connections, so you can
- create an entire (moderately sized) VPN with only one daemon per
- participating computer.
- .
- This package contains the debugging symbols for tinc.
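Review bot: The second debian/control hunk removes the entire `tinc-dbg` binary package, but the new `1.0.26-1` changelog entry on this same line records only the upstream bump, the pidfile change and the Standards-Version bump, so a dropped package goes unrecorded; add `  * Drop the tinc-dbg package.` to that entry. The removed changelog lines tie `debian/patches/security-fixes` to CVE-2018-16737, CVE-2018-16738 and CVE-2018-16758, and that patch is deleted in the following file while nothing on the new side says where those fixes now live. The 2015 date on the new entry versus 2018 on the removed one suggests this is a comparison between the jessie-security and unstable branches rather than a single upload, but if it is applied as a packaging change the entry should state whether the fixes are carried upstream in 1.0.26 or are still required.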
diff --git a/debian/patches/security-fixes b/debian/patches/security-fixes
deleted file mode 100644
index 9f04f0b..0000000
--- a/debian/patches/security-fixes
+++ /dev/null
@@ -1,840 +0,0 @@ -diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in -index 0548628f..a2a635fb 100644 ---- a/doc/tinc.conf.5.in -+++ b/doc/tinc.conf.5.in -@@ -464,7 +464,7 @@ Multiple - .Va Address - variables can be specified, in which case each address will be tried until a working - connection has been established. --.It Va Cipher Li = Ar cipher Pq blowfish -+.It Va Cipher Li = Ar cipher Pq aes-256-cbc - The symmetric cipher algorithm used to encrypt UDP packets. - Any cipher supported by OpenSSL is recognised. - Furthermore, specifying -@@ -479,7 +479,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls. - This option sets the level of compression used for UDP packets. - Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), - 10 (fast lzo) and 11 (best lzo). --.It Va Digest Li = Ar digest Pq sha1 -+.It Va Digest Li = Ar digest Pq sha256 - The digest algorithm used to authenticate UDP packets. - Any digest supported by OpenSSL is recognised. - Furthermore, specifying -diff --git a/doc/tinc.texi b/doc/tinc.texi -index 85790028..6e422cfe 100644 ---- a/doc/tinc.texi -+++ b/doc/tinc.texi -@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be - tried until a working connection has been established. - - @cindex Cipher --@item Cipher = <@var{cipher}> (blowfish) -+@item Cipher = <@var{cipher}> (aes-256-cbc) - The symmetric cipher algorithm used to encrypt UDP packets. - Any cipher supported by OpenSSL is recognized. - Furthermore, specifying "none" will turn off packet encryption. -@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), - 10 (fast lzo) and 11 (best lzo). - - @cindex Digest --@item Digest = <@var{digest}> (sha1) -+@item Digest = <@var{digest}> (sha256) - The digest algorithm used to authenticate UDP packets. - Any digest supported by OpenSSL is recognized. 
- Furthermore, specifying "none" will turn off packet authentication. -diff --git a/m4/openssl.m4 b/m4/openssl.m4 -index 254ea4ff..77b3a4a8 100644 ---- a/m4/openssl.m4 -+++ b/m4/openssl.m4 -@@ -45,12 +45,14 @@ AC_DEFUN([tinc_OPENSSL], - [AC_MSG_ERROR([OpenSSL libraries not found.])] - ) - -- AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], , -- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], -+ AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], , -+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], - ) - -- AC_CHECK_DECL([OpenSSL_add_all_algorithms], , -- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break], -+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], , -+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], - [#include ] - ) -+ -+ AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include ]) - ]) -diff --git a/src/connection.h b/src/connection.h -index 877601fe..9e4dc663 100644 ---- a/src/connection.h -+++ b/src/connection.h -@@ -41,7 +41,9 @@ typedef struct connection_status_t { - unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */ - unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */ - unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */ -- unsigned int unused:23; -+ unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */ -+ unsigned int tarpit:1; /* 1 if the connection should be added to the tarpit */ -+ unsigned int unused:21; - } connection_status_t; - - #include "edge.h" -diff --git a/src/net.c b/src/net.c -index 8d0a0cf4..4e53d920 100644 ---- a/src/net.c -+++ b/src/net.c -@@ -166,6 +166,22 @@ static int build_fdset(fd_set *readset, fd_set *writeset) 
{ - return max; - } - -+/* Put a misbehaving connection in the tarpit */ -+void tarpit(int fd) { -+ static int pits[10] = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1}; -+ static int next_pit = 0; -+ -+ if(pits[next_pit] != -1) { -+ closesocket(pits[next_pit]); -+ } -+ -+ pits[next_pit++] = fd; -+ -+ if(next_pit >= sizeof pits / sizeof pits[0]) { -+ next_pit = 0; -+ } -+} -+ - /* - Terminate a connection: - - Close the socket -@@ -186,8 +202,13 @@ void terminate_connection(connection_t *c, bool report) { - if(c->node) - c->node->connection = NULL; - -- if(c->socket) -- closesocket(c->socket); -+ if(c->socket) { -+ if(c->status.tarpit) { -+ tarpit(c->socket); -+ } else { -+ closesocket(c->socket); -+ } -+ } - - if(c->edge) { - if(!c->node) { -@@ -274,6 +295,7 @@ static void check_dead_connections(void) { - closesocket(c->socket); - do_outgoing_connection(c); - } else { -+ c->status.tarpit = true; - terminate_connection(c, false); - } - } -@@ -353,6 +375,7 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) { - - if(FD_ISSET(c->socket, readset)) { - if(!receive_meta(c)) { -+ c->status.tarpit = true; - terminate_connection(c, c->status.active); - continue; - } -diff --git a/src/net.h b/src/net.h -index 2b50c5a2..5ae8d344 100644 ---- a/src/net.h -+++ b/src/net.h -@@ -163,6 +163,7 @@ extern void flush_queue(struct node_t *); - extern bool read_rsa_public_key(struct connection_t *); - extern void send_mtu_probe(struct node_t *); - extern void load_all_subnets(void); -+extern void tarpit(int fd); - - #ifndef HAVE_MINGW - #define closesocket(s) close(s) -diff --git a/src/net_packet.c b/src/net_packet.c -index d11d58ad..5d7c212d 100644 ---- a/src/net_packet.c -+++ b/src/net_packet.c -@@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) { - len = 64; - - memset(packet.data, 0, 14); -- RAND_pseudo_bytes(packet.data + 14, len - 14); -+ RAND_bytes(packet.data + 14, len - 14); - packet.len = len; - if(i >= 4 && n->mtuprobes <= 10) - packet.priority = -1; -@@ 
-314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { - if(n->incipher) { - outpkt = pkt[nextpkt++]; - -- if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL) -- || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen, -+ if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL) -+ || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen, - (unsigned char *) &inpkt->seqno, inpkt->len) -- || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { -+ || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s", - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); - return; -@@ -482,10 +482,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { - if(n->outcipher) { - outpkt = pkt[nextpkt++]; - -- if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL) -- || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen, -+ if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL) -+ || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen, - (unsigned char *) &inpkt->seqno, inpkt->len) -- || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { -+ || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) { - ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s", - n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL)); - goto end; -diff --git a/src/net_setup.c b/src/net_setup.c -index fa4e9867..ea2a3b78 100644 ---- a/src/net_setup.c -+++ b/src/net_setup.c -@@ -53,11 +53,22 @@ char *proxyuser; - char *proxypass; - proxytype_t proxytype; - -+#ifndef HAVE_RSA_SET0_KEY -+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { -+ BN_free(r->n); r->n = n; -+ BN_free(r->e); r->e = e; -+ BN_free(r->d); r->d = d; -+ 
return 1; -+} -+#endif -+ - bool read_rsa_public_key(connection_t *c) { - FILE *fp; - char *pubname; - char *hcfname; - char *key; -+ BIGNUM *n = NULL; -+ BIGNUM *e = NULL; - - if(!c->rsa_key) { - c->rsa_key = RSA_new(); -@@ -67,12 +78,19 @@ bool read_rsa_public_key(connection_t *c) { - /* First, check for simple PublicKey statement */ - - if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) { -- if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) { -+ if(BN_hex2bn(&n, key) != strlen(key)) { -+ free(key); - logger(LOG_ERR, "Invalid PublicKey for %s!", c->name); - return false; - } -- BN_hex2bn(&c->rsa_key->e, "FFFF"); - free(key); -+ BN_hex2bn(&e, "FFFF"); -+ if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) { -+ BN_free(e); -+ BN_free(n); -+ logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name); -+ return false; -+ } - return true; - } - -@@ -163,27 +181,39 @@ bool read_rsa_public_key(connection_t *c) { - static bool read_rsa_private_key(void) { - FILE *fp; - char *fname, *key, *pubkey; -+ BIGNUM *n = NULL; -+ BIGNUM *e = NULL; -+ BIGNUM *d = NULL; - - if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { - myself->connection->rsa_key = RSA_new(); - // RSA_blinding_on(myself->connection->rsa_key, NULL); -- if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) { -+ if(BN_hex2bn(&d, key) != strlen(key)) { - logger(LOG_ERR, "Invalid PrivateKey for myself!"); - free(key); - return false; - } - free(key); - if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { -+ BN_free(d); - logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); - return false; - } -- if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) { -- logger(LOG_ERR, "Invalid PublicKey for myself!"); -+ if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) { - free(pubkey); -+ BN_free(d); -+ logger(LOG_ERR, "Invalid PublicKey for myself!"); - return false; - } - free(pubkey); -- 
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); -+ BN_hex2bn(&e, "FFFF"); -+ if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) { -+ BN_free(d); -+ BN_free(e); -+ BN_free(n); -+ logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!"); -+ return false; -+ } - return true; - } - -@@ -608,14 +638,25 @@ static bool setup_myself(void) { - } - free(cipher); - } else -- myself->incipher = EVP_bf_cbc(); -+ myself->incipher = EVP_aes_256_cbc(); - - if(myself->incipher) -- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len; -+ myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher); - else - myself->inkeylength = 1; - -- myself->connection->outcipher = EVP_bf_ofb(); -+ /* We need to use a stream mode for the meta protocol. Use AES for this, -+ but try to match the key size with the one from the cipher selected -+ by Cipher. -+ */ -+ -+ int keylen = EVP_CIPHER_key_length(myself->incipher); -+ if(keylen <= 16) -+ myself->connection->outcipher = EVP_aes_128_cfb(); -+ else if(keylen <= 24) -+ myself->connection->outcipher = EVP_aes_192_cfb(); -+ else -+ myself->connection->outcipher = EVP_aes_256_cfb(); - - if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime)) - keylifetime = 3600; -@@ -639,13 +680,13 @@ static bool setup_myself(void) { - - free(digest); - } else -- myself->indigest = EVP_sha1(); -+ myself->indigest = EVP_sha256(); - -- myself->connection->outdigest = EVP_sha1(); -+ myself->connection->outdigest = EVP_sha256(); - - if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) { - if(myself->indigest) { -- if(myself->inmaclength > myself->indigest->md_size) { -+ if(myself->inmaclength > EVP_MD_size(myself->indigest)) { - logger(LOG_ERR, "MAC length exceeds size of digest!"); - return false; - } else if(myself->inmaclength < 0) { -diff --git a/src/net_socket.c b/src/net_socket.c -index 9a67bb3c..479b595d 100644 
---- a/src/net_socket.c -+++ b/src/net_socket.c -@@ -513,6 +513,9 @@ void setup_outgoing_connection(outgoing_t *outgoing) { - new connection - */ - bool handle_new_meta_connection(int sock) { -+ static const int max_accept_burst = 10; -+ static int last_accept_burst; -+ static int last_accept_time; - connection_t *c; - sockaddr_t sa; - int fd; -@@ -525,6 +528,22 @@ bool handle_new_meta_connection(int sock) { - return false; - } - -+ if(last_accept_time == now) { -+ last_accept_burst++; -+ -+ if(last_accept_burst >= max_accept_burst) { -+ if(last_accept_burst == max_accept_burst) { -+ ifdebug(CONNECTIONS) logger(LOG_WARNING, "Throttling incoming connections"); -+ } -+ -+ tarpit(fd); -+ return false; -+ } -+ } else { -+ last_accept_burst = 0; -+ last_accept_time = now; -+ } -+ - sockaddrunmap(&sa); - - c = new_connection(); -@@ -546,7 +565,6 @@ bool handle_new_meta_connection(int sock) { - connection_add(c); - - c->allow_request = ID; -- send_id(c); - - return true; - } -diff --git a/src/node.c b/src/node.c -index cf70f838..19f37306 100644 ---- a/src/node.c -+++ b/src/node.c -@@ -1,6 +1,6 @@ - /* - node.c -- node tree management -- Copyright (C) 2001-2011 Guus Sliepen , -+ Copyright (C) 2001-2016 Guus Sliepen , - 2001-2005 Ivo Timmermans - - This program is free software; you can redistribute it and/or modify -@@ -57,8 +57,10 @@ node_t *new_node(void) { - if(replaywin) n->late = xmalloc_and_zero(replaywin); - n->subnet_tree = new_subnet_tree(); - n->edge_tree = new_edge_tree(); -- EVP_CIPHER_CTX_init(&n->inctx); -- EVP_CIPHER_CTX_init(&n->outctx); -+ n->inctx = EVP_CIPHER_CTX_new(); -+ n->outctx = EVP_CIPHER_CTX_new(); -+ if(!n->inctx || !n->outctx) -+ abort(); - n->mtu = MTU; - n->maxmtu = MTU; - -@@ -80,8 +82,8 @@ void free_node(node_t *n) { - - sockaddrfree(&n->address); - -- EVP_CIPHER_CTX_cleanup(&n->inctx); -- EVP_CIPHER_CTX_cleanup(&n->outctx); -+ EVP_CIPHER_CTX_free(n->outctx); -+ EVP_CIPHER_CTX_free(n->inctx); - - if(n->mtuevent) - event_del(n->mtuevent); 
-@@ -172,8 +174,8 @@ void dump_nodes(void) { - for(node = node_tree->head; node; node = node->next) { - n = node->data; - logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)", -- n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0, -- n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression, -+ n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0, -+ n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression, - n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-", - n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu); - } -diff --git a/src/node.h b/src/node.h -index f9ef3c15..c83610e8 100644 ---- a/src/node.h -+++ b/src/node.h -@@ -50,12 +50,12 @@ typedef struct node_t { - const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */ - char *inkey; /* Cipher key and iv */ - int inkeylength; /* Cipher key and iv length */ -- EVP_CIPHER_CTX inctx; /* Cipher context */ -+ EVP_CIPHER_CTX *inctx; /* Cipher context */ - - const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/ - char *outkey; /* Cipher key and iv */ - int outkeylength; /* Cipher key and iv length */ -- EVP_CIPHER_CTX outctx; /* Cipher context */ -+ EVP_CIPHER_CTX *outctx; /* Cipher context */ - - const EVP_MD *indigest; /* Digest type for MAC of packets received from him */ - int inmaclength; /* Length of MAC */ -diff --git a/src/protocol_auth.c b/src/protocol_auth.c -index 971341f7..5834fcdf 100644 ---- a/src/protocol_auth.c -+++ b/src/protocol_auth.c -@@ -145,7 +145,7 @@ bool id_h(connection_t *c) { - - /* Check if identity is a valid name */ - -- if(!check_id(name)) { -+ if(!check_id(name) || !strcmp(name, myself->name)) { - logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name, - c->hostname, "invalid name"); - return false; -@@ -177,6 +177,11 @@ bool 
id_h(connection_t *c) { - if(!c->config_tree) - init_configuration(&c->config_tree); - c->allow_request = ACK; -+ -+ if(!c->outgoing) { -+ send_id(c); -+ } -+ - return send_ack(c); - } - -@@ -196,6 +201,10 @@ bool id_h(connection_t *c) { - - c->allow_request = METAKEY; - -+ if(!c->outgoing) { -+ send_id(c); -+ } -+ - return send_metakey(c); - } - -@@ -210,8 +219,11 @@ bool send_metakey(connection_t *c) { - - c->outkey = xrealloc(c->outkey, len); - -- if(!c->outctx) -- c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); -+ if(!c->outctx) { -+ c->outctx = EVP_CIPHER_CTX_new(); -+ if(!c->outctx) -+ abort(); -+ } - - /* Copy random data to the buffer */ - -@@ -262,17 +274,17 @@ bool send_metakey(connection_t *c) { - /* Send the meta key */ - - x = send_request(c, "%d %d %d %d %d %s", METAKEY, -- c->outcipher ? c->outcipher->nid : 0, -- c->outdigest ? c->outdigest->type : 0, c->outmaclength, -+ c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0, -+ c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength, - c->outcompression, buffer); - - /* Further outgoing requests are encrypted with the key we just generated */ - - if(c->outcipher) { - if(!EVP_EncryptInit(c->outctx, c->outcipher, -- (unsigned char *)c->outkey + len - c->outcipher->key_len, -- (unsigned char *)c->outkey + len - c->outcipher->key_len - -- c->outcipher->iv_len)) { -+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher), -+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) - -+ EVP_CIPHER_iv_length(c->outcipher))) { - logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s", - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; -@@ -308,8 +320,11 @@ bool metakey_h(connection_t *c) { - - c->inkey = xrealloc(c->inkey, len); - -- if(!c->inctx) -- c->inctx = xmalloc_and_zero(sizeof(*c->inctx)); -+ if(!c->inctx) { -+ c->inctx = EVP_CIPHER_CTX_new(); -+ if(!c->inctx) -+ abort(); -+ } - - /* Convert the challenge from hexadecimal 
back to binary */ - -@@ -345,9 +360,9 @@ bool metakey_h(connection_t *c) { - } - - if(!EVP_DecryptInit(c->inctx, c->incipher, -- (unsigned char *)c->inkey + len - c->incipher->key_len, -- (unsigned char *)c->inkey + len - c->incipher->key_len - -- c->incipher->iv_len)) { -+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher), -+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) - -+ EVP_CIPHER_iv_length(c->incipher))) { - logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s", - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; -@@ -355,7 +370,8 @@ bool metakey_h(connection_t *c) { - - c->status.decryptin = true; - } else { -- c->incipher = NULL; -+ logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname); -+ return false; - } - - c->inmaclength = maclength; -@@ -368,12 +384,13 @@ bool metakey_h(connection_t *c) { - return false; - } - -- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { -+ if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) { - logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname); - return false; - } - } else { -- c->indigest = NULL; -+ logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname); -+ return false; - } - - c->incompression = compression; -@@ -447,27 +464,38 @@ bool challenge_h(connection_t *c) { - - /* Rest is done by send_chal_reply() */ - -- return send_chal_reply(c); -+ if(c->outgoing) { -+ return send_chal_reply(c); -+ } else { -+ return true; -+ } - } - - bool send_chal_reply(connection_t *c) { - char hash[EVP_MAX_MD_SIZE * 2 + 1]; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - - /* Calculate the hash from the challenge we received */ - -- if(!EVP_DigestInit(&ctx, c->indigest) -- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) -- || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) { -+ ctx = EVP_MD_CTX_create(); -+ if(!ctx) -+ abort(); -+ -+ 
if(!EVP_DigestInit(ctx, c->indigest) -+ || !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key)) -+ || !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) { -+ EVP_MD_CTX_destroy(ctx); - logger(LOG_ERR, "Error during calculation of response for %s (%s): %s", - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - -+ EVP_MD_CTX_destroy(ctx); -+ - /* Convert the hash to a hexadecimal formatted string */ - -- bin2hex(hash, hash, c->indigest->md_size); -- hash[c->indigest->md_size * 2] = '\0'; -+ bin2hex(hash, hash, EVP_MD_size(c->indigest)); -+ hash[EVP_MD_size(c->indigest) * 2] = '\0'; - - /* Send the reply */ - -@@ -477,7 +505,7 @@ bool send_chal_reply(connection_t *c) { - bool chal_reply_h(connection_t *c) { - char hishash[MAX_STRING_SIZE]; - char myhash[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - - if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) { - logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name, -@@ -487,7 +515,7 @@ bool chal_reply_h(connection_t *c) { - - /* Check if the length of the hash is all right */ - -- if(strlen(hishash) != c->outdigest->md_size * 2) { -+ if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) { - logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, - c->hostname, "wrong challenge reply length"); - return false; -@@ -495,24 +523,31 @@ bool chal_reply_h(connection_t *c) { - - /* Convert the hash to binary format */ - -- if(!hex2bin(hishash, hishash, c->outdigest->md_size)) { -+ if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) { - logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash"); - return false; - } - - /* Calculate the hash from the challenge we sent */ - -- if(!EVP_DigestInit(&ctx, c->outdigest) -- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key)) -- || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) { -+ ctx = EVP_MD_CTX_create(); -+ if(!ctx) -+ abort(); -+ -+ 
if(!EVP_DigestInit(ctx, c->outdigest) -+ || !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key)) -+ || !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) { -+ EVP_MD_CTX_destroy(ctx); - logger(LOG_ERR, "Error during calculation of response from %s (%s): %s", - c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); - return false; - } - -+ EVP_MD_CTX_destroy(ctx); -+ - /* Verify the incoming hash with the calculated hash */ - -- if(memcmp(hishash, myhash, c->outdigest->md_size)) { -+ if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) { - logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, - c->hostname, "wrong challenge reply"); - -@@ -531,6 +566,10 @@ bool chal_reply_h(connection_t *c) { - - c->allow_request = ACK; - -+ if(!c->outgoing) { -+ send_chal_reply(c); -+ } -+ - return send_ack(c); - } - -diff --git a/src/protocol_edge.c b/src/protocol_edge.c -index 3dfff05e..fa57494e 100644 ---- a/src/protocol_edge.c -+++ b/src/protocol_edge.c -@@ -70,7 +70,7 @@ bool add_edge_h(connection_t *c) { - - /* Check if names are valid */ - -- if(!check_id(from_name) || !check_id(to_name)) { -+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) { - logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ADD_EDGE", c->name, - c->hostname, "invalid name"); - return false; -@@ -181,7 +181,7 @@ bool del_edge_h(connection_t *c) { - - /* Check if names are valid */ - -- if(!check_id(from_name) || !check_id(to_name)) { -+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) { - logger(LOG_ERR, "Got bad %s from %s (%s): %s", "DEL_EDGE", c->name, - c->hostname, "invalid name"); - return false; -diff --git a/src/protocol_key.c b/src/protocol_key.c -index 301ead5d..1b96597f 100644 ---- a/src/protocol_key.c -+++ b/src/protocol_key.c -@@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) { - } - - if(to->incipher) -- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + 
to->incipher->key_len); -+ EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher)); - - // Reset sequence number and late packet window - mykeyused = true; -@@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) { - - return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY, - myself->name, to->name, key, -- to->incipher ? to->incipher->nid : 0, -- to->indigest ? to->indigest->type : 0, to->inmaclength, -+ to->incipher ? EVP_CIPHER_nid(to->incipher) : 0, -+ to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength, - to->incompression); - } - -@@ -268,12 +268,17 @@ bool ans_key_h(connection_t *c) { - return true; - } - -- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) { -+ if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) { - logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, - from->hostname); - return true; - } - } else { -+ if(from->outkeylength != 1) { -+ logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname); -+ return true; -+ } -+ - from->outcipher = NULL; - } - -@@ -288,7 +293,7 @@ bool ans_key_h(connection_t *c) { - return true; - } - -- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) { -+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) { - logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!", - from->name, from->hostname); - return true; -@@ -305,7 +310,7 @@ bool ans_key_h(connection_t *c) { - from->outcompression = compression; - - if(from->outcipher) -- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) { -+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + 
EVP_CIPHER_key_length(from->outcipher))) { - logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", - from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL)); - return true; -diff --git a/src/tincd.c b/src/tincd.c -index b6a6c29c..19f2e174 100644 ---- a/src/tincd.c -+++ b/src/tincd.c -@@ -330,7 +330,7 @@ static bool parse_options(int argc, char **argv) { - - /* This function prettyprints the key generation process */ - --static void indicator(int a, int b, void *p) { -+static int indicator(int a, int b, BN_GENCB *cb) { - switch (a) { - case 0: - fprintf(stderr, "."); -@@ -362,19 +362,48 @@ static void indicator(int a, int b, void *p) { - default: - fprintf(stderr, "?"); - } -+ -+ return 1; -+} -+ -+#ifndef HAVE_BN_GENCB_NEW -+BN_GENCB *BN_GENCB_new(void) { -+ return xmalloc_and_zero(sizeof(BN_GENCB)); - } - -+void BN_GENCB_free(BN_GENCB *cb) { -+ free(cb); -+} -+#endif -+ - /* - Generate a public/private RSA keypair, and ask for a file to store - them in. - */ - static bool keygen(int bits) { -+ BIGNUM *e = NULL; - RSA *rsa_key; - FILE *f; - char *pubname, *privname; -+ BN_GENCB *cb; -+ int result; - - fprintf(stderr, "Generating %d bits keys:\n", bits); -- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); -+ -+ cb = BN_GENCB_new(); -+ if(!cb) -+ abort(); -+ BN_GENCB_set(cb, indicator, NULL); -+ -+ rsa_key = RSA_new(); -+ BN_hex2bn(&e, "10001"); -+ if(!rsa_key || !e) -+ abort(); -+ -+ result = RSA_generate_key_ex(rsa_key, bits, e, cb); -+ -+ BN_free(e); -+ BN_GENCB_free(cb); - - if(!rsa_key) { - fprintf(stderr, "Error during key generation!\n"); -@@ -697,7 +726,11 @@ end: - EVP_cleanup(); - ENGINE_cleanup(); - CRYPTO_cleanup_all_ex_data(); -+#ifdef HAVE_ERR_REMOVE_STATE -+ // OpenSSL claims this function was deprecated in 1.0.0, -+ // but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly. - ERR_remove_state(0); -+#endif - ERR_free_strings(); - - exit_configuration(&config_tree); 
diff --git a/debian/patches/series b/debian/patches/series index a9c233b..e69de29 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -security-fixes diff --git a/debian/rules b/debian/rules index 8d13df5..2aaaef9 100755 --- a/debian/rules +++ b/debian/rules @@ -12,15 +12,11 @@ %: dh $@ --parallel -.PHONY: override_dh_strip -override_dh_strip: - dh_strip --dbg-package=tinc-dbg - override_dh_auto_configure: dh_auto_configure -- --enable-uml --enable-vde override_dh_auto_install: - dh_auto_install --destdir=debian/tinc -- install-html + dh_auto_install -- install-html # Remove info dir file rm -f debian/tinc/usr/share/info/dir diff --git a/debian/tinc.if-post-down b/debian/tinc.if-post-down index 60c2d51..cc1f5b5 100755 --- a/debian/tinc.if-post-down +++ b/debian/tinc.if-post-down @@ -12,7 +12,11 @@ if [ "$IF_TINC_NET" ] ; then /usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA sleep 0.1 i=0; - while [ -f "$IF_TINC_PIDFILE" ] ; do + while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do + if [ ! -e "/proc/$pid" ] ; then + exit 0 + fi + if [ $i = '30' ] ; then echo 'Failed to stop tinc daemon!' exit 1 diff --git a/debian/tinc.if-pre-up b/debian/tinc.if-pre-up index c92e2ab..43149ab 100755 --- a/debian/tinc.if-pre-up +++ b/debian/tinc.if-pre-up @@ -45,7 +45,20 @@ test -n "$LIMITS" && setlimits $LIMITS sleep 0.1 i=0; -while [ ! -f "$IF_TINC_PIDFILE" ] ; do +while [ ! -f $IF_TINC_PIDFILE ] ; do + if [ $i = '30' ] ; then + echo 'Failed to start tinc daemon!' + exit 1 + fi + sleep 0.1 + i=$(($i+1)) +done + +while read pid rest < $IF_TINC_PIDFILE ; do + if [ -e "/proc/$pid" ] ; then + exit 0 + fi + if [ $i = '30' ] ; then echo 'Failed to start tinc daemon!' exit 1 diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index 0548628..d1b2673 100644 --- a/doc/tinc.conf.5.in +++ b/doc/tinc.conf.5.in 
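Review bot: The rewritten loop condition in debian/tinc.if-post-down drops the quoting the old line had, `[ -f "$IF_TINC_PIDFILE" ]` became `[ -f $IF_TINC_PIDFILE ]`, and the same unquoted form is used in the new `read` redirection and in both new loops of debian/tinc.if-pre-up, so a pidfile path containing whitespace or glob characters is word-split. The first field read from the file is also passed unchecked to `[ ! -e "/proc/$pid" ]`: a non-numeric value that is not itself a /proc entry makes the script `exit 0` while tincd may still be running, and an empty value tests `/proc/` itself, which always exists, so the loop waits out its full budget. I would restore the quotes, `while [ -f "$IF_TINC_PIDFILE" ] && read pid rest < "$IF_TINC_PIDFILE" ; do`, and validate the field before consulting /proc, `case "$pid" in ''|*[!0-9]*) echo 'Invalid pidfile!' ; exit 1 ;; esac`. The `while` body continues past the end of the hunk.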
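Review bot: In debian/tinc.if-pre-up the second loop, `while read pid rest < $IF_TINC_PIDFILE ; do`, terminates silently whenever `read` returns non-zero, which in POSIX sh happens for an empty pidfile and for a last line with no trailing newline; neither the `exit 0` nor the `exit 1` branch runs and control falls through past `done`, outside the hunk, as if the daemon had started. Decoupling loop termination from the read status, `while : ; do` followed by `read pid rest < "$IF_TINC_PIDFILE"` as the first statement of the body, keeps the per-iteration re-read but lets the existing 30-iteration check decide the outcome; `$pid` should then be confirmed numeric before `[ -e "/proc/$pid" ]`, since an empty value tests `/proc/` itself and would report success. The counter `i` is carried over from the first loop rather than reset, so both waits share one budget; if that is intended, a comment such as `# both waits share the 30-iteration timeout` would make it clear. The loop's `done` and whatever follows it are outside the hunk.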
@@ -486,12 +486,9 @@ Furthermore, specifying .Qq none will turn off packet authentication. .It Va IndirectData Li = yes | no Pq no -This option specifies whether other tinc daemons besides the one you specified with -.Va ConnectTo -can make a direct connection to you. -This is especially useful if you are behind a firewall -and it is impossible to make a connection from the outside to your tinc daemon. -Otherwise, it is best to leave this option out or set it to no. +When set to yes, only nodes which already have a meta connection to you +will try to establish direct communication with you. +It is best to leave this option out or set it to no. .It Va MACLength Li = Ar length Pq 4 The length of the message authentication code used to authenticate UDP packets. Can be anything from diff --git a/doc/tinc.info b/doc/tinc.info index f4370c0..1604bc4 100644 --- a/doc/tinc.info +++ b/doc/tinc.info @@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY * tinc: (tinc). The tinc Manual. END-INFO-DIR-ENTRY -This is the info manual for tinc version 1.0.23, a Virtual Private +This is the info manual for tinc version 1.0.25, a Virtual Private Network daemon. Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen @@ -139,7 +139,7 @@ File: tinc.info, Node: Supported platforms, Prev: tinc, Up: Introduction ======================= Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, -MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin +Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment), with various hardware architectures. These are some of the platforms that are supported by the universal tun/tap device driver or other virtual network device drivers. Without such a driver, tinc 
@@ -176,7 +176,7 @@ File: tinc.info, Node: Configuring the kernel, Next: Libraries, Up: Preparati * Configuration of OpenBSD kernels:: * Configuration of NetBSD kernels:: * Configuration of Solaris kernels:: -* Configuration of Darwin (MacOS/X) kernels:: +* Configuration of Darwin (Mac OS X) kernels:: * Configuration of Windows::  @@ -238,7 +238,7 @@ default kernel configuration. Tunneling IPv6 may not work on NetBSD's tun device.  -File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (MacOS/X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel +File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (Mac OS X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel 2.1.5 Configuration of Solaris kernels -------------------------------------- 
@@ -251,23 +251,18 @@ sparc64 architectures, precompiled versions can be found at header file is missing, install it from the source package.  -File: tinc.info, Node: Configuration of Darwin (MacOS/X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel +File: tinc.info, Node: Configuration of Darwin (Mac OS X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel -2.1.6 Configuration of Darwin (MacOS/X) kernels ------------------------------------------------ +2.1.6 Configuration of Darwin (Mac OS X) kernels +------------------------------------------------ Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel. Tinc supports either the driver from , which supports both tun and tap -style devices, and also the driver from from -. The former driver is -recommended. The tunnel driver must be loaded before starting tinc with -the following command: - - kmodload tunnel +style devices.  -File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (MacOS/X) kernels, Up: Configuring the kernel +File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (Mac OS X) kernels, Up: Configuring the kernel 2.1.7 Configuration of Windows ------------------------------ @@ -304,7 +299,7 @@ File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries For all cryptography-related functions, tinc uses the functions provided by the OpenSSL library. - If this library is not installed, you wil get an error when + If this library is not installed, you will get an error when configuring tinc for build. Support for running tinc with other cryptographic libraries installed _may_ be added in the future. 
@@ -360,7 +355,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries For the optional compression of UDP packets, tinc uses the functions provided by the zlib library. - If this library is not installed, you wil get an error when running + If this library is not installed, you will get an error when running the configure script. You can either install the zlib library, or disable support for zlib compression by using the "-disable-zlib" option when running the configure script. Note that if you disable support for @@ -385,7 +380,7 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries Another form of compression is offered using the LZO library. - If this library is not installed, you wil get an error when running + If this library is not installed, you will get an error when running the configure script. You can either install the LZO library, or disable support for LZO compression by using the "-disable-lzo" option when running the configure script. Note that if you disable support for 
@@ -445,25 +440,26 @@ your distribution will tell you how to do that. * Menu: -* Darwin (MacOS/X) build environment:: +* Darwin (Mac OS X) build environment:: * Cygwin (Windows) build environment:: * MinGW (Windows) build environment::  -File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc +File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc -3.1.1 Darwin (MacOS/X) build environment ----------------------------------------- +3.1.1 Darwin (Mac OS X) build environment +----------------------------------------- -In order to build tinc on Darwin, you need to install the MacOS/X +In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools from -and a recent version of Fink from . +and preferably a recent version of Fink from +. After installation use fink to download and install the following packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.  -File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (MacOS/X) build environment, Up: Building and installing tinc +File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc 3.1.2 Cygwin (Windows) build environment ---------------------------------------- 
@@ -596,9 +592,9 @@ assign a NETNAME to your VPN. It is not required if you only run one tinc daemon, it doesn't even have to be the same on all the sites of your VPN, but it is recommended that you choose one anyway. - We will asume you use a netname throughout this document. This means -that you call tincd with the -n argument, which will assign a netname to -this daemon. + We will assume you use a netname throughout this document. This +means that you call tincd with the -n argument, which will assign a +netname to this daemon. The effect of this is that the daemon will set its configuration root to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n @@ -626,7 +622,7 @@ in the configuration file tinc.conf. If it sees one or more 'ConnectTo' values pointing to other tinc daemons in that file, it will try to connect to those other daemons. Whether this succeeds or not and whether 'ConnectTo' is specified or not, tinc will listen for incoming -connection from other deamons. If you did specify a 'ConnectTo' value +connection from other daemons. If you did specify a 'ConnectTo' value and the other side is not responding, tinc will keep retrying. This means that once started, tinc will stay running until you tell it to stop, and failures to connect to other tinc daemons will not stop your @@ -649,7 +645,7 @@ The actual configuration of the daemon is done in the file '/etc/tinc/NETNAME/tinc.conf' and at least one other file in the directory '/etc/tinc/NETNAME/hosts/'. - An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from + An optional directory '/etc/tinc/NETNAME/conf.d' can be added from which any .conf file will be read. These file consists of comments (lines started with a #) or 
@@ -755,10 +751,9 @@ DecrementTTL = (no) [experimental] Device = ('/dev/tap0', '/dev/net/tun' or other depending on platform) The virtual network device to use. Tinc will automatically detect - what kind of device it is. Note that you can only use one device - per daemon. Under Windows, use INTERFACE instead of DEVICE. Note - that you can only use one device per daemon. See also *note Device - files::. + what kind of device it is. Under Windows, use INTERFACE instead of + DEVICE. Note that you can only use one device per daemon. See + also *note Device files::. DeviceType = (platform dependent) The type of the virtual network device. Tinc will normally @@ -864,7 +859,7 @@ Hostnames = (no) This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are blocking, it might affect tinc's efficiency, even stopping the daemon for a few - seconds everytime it does a lookup if your DNS server is not + seconds every time it does a lookup if your DNS server is not responding. This does not affect resolving hostnames to IP addresses from the @@ -937,7 +932,7 @@ Mode = (router) Name = [required] This is a symbolic name for this connection. The name should - consist only of alfanumeric and underscore characters (a-z, A-Z, + consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _). If Name starts with a $, then the contents of the environment @@ -964,7 +959,7 @@ PriorityInheritance = (no) [experimental] PrivateKey = [obsolete] This is the RSA private key for tinc. However, for safety reasons it is advised to store private keys of any kind in separate files. - This prevents accidental eavesdropping if you are editting the + This prevents accidental eavesdropping if you are editing the configuration file. PrivateKeyFile = ('/etc/tinc/NETNAME/rsa_key.priv') 
@@ -1114,9 +1109,9 @@ PublicKeyFile = [obsolete] Subnet = The subnet which this tinc daemon will serve. Tinc tries to look up which other daemon it should send a packet to by searching the - appropiate subnet. If the packet matches a subnet, it will be sent - to the daemon who has this subnet in his host configuration file. - Multiple subnet lines can be specified for each daemon. + appropriate subnet. If the packet matches a subnet, it will be + sent to the daemon who has this subnet in his host configuration + file. Multiple subnet lines can be specified for each daemon. Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single address is assumed, or @@ -1186,11 +1181,11 @@ scripts should have the extension .bat. This script is started when any host becomes unreachable. '/etc/tinc/NETNAME/subnet-up' - This script is started when a Subnet becomes reachable. The Subnet + This script is started when a subnet becomes reachable. The Subnet and the node it belongs to are passed in environment variables. '/etc/tinc/NETNAME/subnet-down' - This script is started when a Subnet becomes unreachable. + This script is started when a subnet becomes unreachable. The scripts are started without command line arguments, but can make use of certain environment variables. Under UNIX like operating systems @@ -1252,7 +1247,7 @@ Step 2. Creating your host configuration file ............................................. If you added a line containing 'Name = yourname' in the main -configuarion file, you will need to create a host configuration file +configuration file, you will need to create a host configuration file '/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to create a host configuration file: 
@@ -1880,7 +1875,7 @@ packets, and 'tap' style, which are Ethernet devices and handle complete Ethernet frames. So when tinc reads an Ethernet frame from the device, it determines -its type. When tinc is in it's default routing mode, it can handle IPv4 +its type. When tinc is in its default routing mode, it can handle IPv4 and IPv6 packets. Depending on the Subnet lines, it will send the packets off to their destination IP address. In the 'switch' and 'hub' mode, tinc will use broadcasts and MAC address discovery to deduce the @@ -1909,8 +1904,8 @@ the decrypted information to its own virtual network device. tunnel), there is no problem for the kernel to accept a packet. However, if it is a 'tap' device (this is the only available type on FreeBSD), the destination MAC address must match that of the virtual -network interface. If tinc is in it's default routing mode, ARP does -not work, so the correct destination MAC can not be known by the sending +network interface. If tinc is in its default routing mode, ARP does not +work, so the correct destination MAC can not be known by the sending host. Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface and overwriting the destination MAC address of the received packet. @@ -2146,13 +2141,13 @@ Explanation is below. client ACK 655 123 0 | | +-> options - | +----> estimated weight - +--------> listening port of client + | +----> estimated weight + +--------> listening port of client server ACK 655 321 0 | | +-> options - | +----> estimated weight - +--------> listening port of server + | +----> estimated weight + +--------> listening port of server -------------------------------------------------------------------------- This new scheme has several improvements, both in efficiency and 
@@ -2290,30 +2285,30 @@ that it encompasses the entire VPN. For IPv4 addresses: -Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE -FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -Darwin (MacOS/X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK -Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK +Linux 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +Linux iproute2 'ip addr add' ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE +FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +Darwin (Mac OS X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK +Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK For IPv6 addresses: -Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH -FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH -OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH -NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH -Solaris 'ifconfig' INTERFACE 'inet6 plumb up' - 'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS -Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH -Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH +Linux 'ifconfig' INTERFACE 'add' ADDRESS'/'PREFIXLENGTH +FreeBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH +OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH +NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH +Solaris 'ifconfig' INTERFACE 'inet6 plumb up' + 'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS +Darwin (Mac OS X) 
'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH +Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command: -OpenBSD 'ifconfig' INTERFACE 'link0' +OpenBSD 'ifconfig' INTERFACE 'link0' On Linux, it is possible to create a persistent tun/tap interface which will continue to exist even if tinc quit, although this is @@ -2321,7 +2316,7 @@ normally not required. It can be useful to set up a tun/tap interface owned by a non-root user, so tinc can be started without needing any root privileges at all. -Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME +Linux 'ip tuntap add dev' INTERFACE 'mode' TUN|TAP 'user' USERNAME  File: tinc.info, Node: Routes, Prev: Interface configuration, Up: Platform specific information 
@@ -2338,26 +2333,26 @@ preferable, but not all platforms support this. Adding routes to IPv4 subnets: -Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE -Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE -FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS -OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS -NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS -Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' -Darwin (MacOS/X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS -Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE - LOCAL_ADDRESS +Linux 'route add -net' NETWORK_ADDRESS 'netmask' NETMASK INTERFACE +Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE +FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS +OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS +NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS +Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' +Darwin (Mac OS X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE +Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE + LOCAL_ADDRESS Adding routes to IPv6 subnets: -Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE -Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE -FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS -OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH -NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH -Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' -Darwin (MacOS/X) ? 
-Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE +Linux 'route add -A inet6' NETWORK_ADDRESS'/'PREFIXLENGTH INTERFACE +Linux iproute2 'ip route add' NETWORK_ADDRESS'/'PREFIXLENGTH 'dev' INTERFACE +FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS +OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH +NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH +Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' +Darwin (Mac OS X) 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE +Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE  File: tinc.info, Node: About us, Next: Concept Index, Prev: Platform specific information, Up: Top @@ -2457,13 +2452,13 @@ Concept Index * DEVICE: Scripts. (line 53) * device files: Device files. (line 6) * DeviceType: Main configuration variables. - (line 80) + (line 79) * Digest: Host configuration variables. (line 31) * DirectOnly: Main configuration variables. - (line 145) + (line 144) * dummy: Main configuration variables. - (line 87) + (line 86) * encapsulating: The UDP tunnel. (line 30) * encryption: Encryption of network packets. (line 6) 
@@ -2471,53 +2466,53 @@ Concept Index * example: Example configuration. (line 6) * exec: Main configuration variables. - (line 315) + (line 314) * Forwarding: Main configuration variables. - (line 152) + (line 151) * frame type: The UDP tunnel. (line 6) * GraphDumpFile: Main configuration variables. - (line 172) + (line 171) * Hostnames: Main configuration variables. - (line 180) + (line 179) * http: Main configuration variables. - (line 312) + (line 311) * hub: Main configuration variables. - (line 250) + (line 249) * ID: Authentication protocol. (line 10) * IffOneQueue: Main configuration variables. - (line 191) + (line 190) * IndirectData: Host configuration variables. (line 36) * Interface: Main configuration variables. - (line 194) + (line 193) * INTERFACE: Scripts. (line 56) * IRC: Contact information. (line 9) * key generation: Generating keypairs. (line 6) * KeyExpire: Main configuration variables. - (line 202) + (line 201) * KEY_CHANGED: The meta-protocol. (line 63) * libraries: Libraries. (line 6) * license: OpenSSL. (line 35) * LocalDiscovery: Main configuration variables. - (line 208) + (line 207) * lzo: lzo. (line 6) * MACExpire: Main configuration variables. - (line 219) + (line 218) * MACLength: Host configuration variables. (line 44) * MaxTimeout: Main configuration variables. - (line 224) + (line 223) * meta-protocol: The meta-connection. (line 18) * META_KEY: Authentication protocol. (line 10) * Mode: Main configuration variables. - (line 228) + (line 227) * multicast: Main configuration variables. - (line 99) + (line 98) * multiple networks: Multiple networks. (line 6) * Name: Main configuration variables. - (line 255) + (line 254) * NAME: Scripts. (line 50) * netmask: Network interfaces. (line 33) * netname: Multiple networks. (line 6) 
@@ -2531,9 +2526,9 @@ Concept Index (line 69) * PING: The meta-protocol. (line 88) * PingInterval: Main configuration variables. - (line 266) + (line 265) * PingTimeout: Main configuration variables. - (line 270) + (line 269) * platforms: Supported platforms. (line 6) * PMTU: Host configuration variables. (line 49) @@ -2544,32 +2539,32 @@ Concept Index (line 57) * port numbers: Other files. (line 17) * PriorityInheritance: Main configuration variables. - (line 276) + (line 275) * private: Virtual Private Networks. (line 10) * PrivateKey: Main configuration variables. - (line 281) + (line 280) * PrivateKeyFile: Main configuration variables. - (line 287) + (line 286) * ProcessPriority: Main configuration variables. - (line 292) + (line 291) * Proxy: Main configuration variables. - (line 297) + (line 296) * PublicKey: Host configuration variables. (line 61) * PublicKeyFile: Host configuration variables. (line 64) * raw_socket: Main configuration variables. - (line 92) + (line 91) * release: Supported platforms. (line 14) * REMOTEADDRESS: Scripts. (line 65) * REMOTEPORT: Scripts. (line 68) * ReplayWindow: Main configuration variables. - (line 320) + (line 319) * requirements: Libraries. (line 6) * REQ_KEY: The meta-protocol. (line 63) * router: Main configuration variables. - (line 231) + (line 230) * runtime options: Runtime options. (line 9) * scalability: tinc. (line 19) * scripts: Scripts. (line 6) @@ -2577,11 +2572,11 @@ Concept Index (line 18) * signals: Signals. (line 6) * socks4: Main configuration variables. - (line 301) + (line 300) * socks5: Main configuration variables. - (line 306) + (line 305) * StrictSubnets: Main configuration variables. - (line 331) + (line 330) * Subnet: Host configuration variables. (line 76) * SUBNET: Scripts. (line 72) 
@@ -2589,7 +2584,7 @@ Concept Index (line 98) * SVPN: Security. (line 11) * switch: Main configuration variables. - (line 239) + (line 238) * TCP: The meta-connection. (line 10) * TCPonly: Host configuration variables. (line 105) @@ -2601,24 +2596,24 @@ Concept Index * tincd: tinc. (line 14) * traditional VPNs: tinc. (line 19) * tunifhead: Main configuration variables. - (line 134) + (line 133) * TunnelServer: Main configuration variables. - (line 338) + (line 337) * tunnohead: Main configuration variables. - (line 128) + (line 127) * UDP: The UDP tunnel. (line 30) * UDP <1>: Encryption of network packets. (line 12) * UDPRcvBuf: Main configuration variables. - (line 345) + (line 344) * UDPSndBuf: Main configuration variables. - (line 350) + (line 349) * UML: Main configuration variables. - (line 110) + (line 109) * Universal tun/tap: Configuration of Linux kernels. (line 6) * VDE: Main configuration variables. - (line 115) + (line 114) * virtual: Virtual Private Networks. (line 18) * virtual network device: The UDP tunnel. (line 6) 
@@ -2637,61 +2632,61 @@ Node: Introduction1105 Node: Virtual Private Networks1915 Node: tinc3639 Node: Supported platforms5166 -Node: Preparations5865 -Node: Configuring the kernel6121 -Node: Configuration of Linux kernels6530 -Node: Configuration of FreeBSD kernels7385 -Node: Configuration of OpenBSD kernels7850 -Node: Configuration of NetBSD kernels8458 -Node: Configuration of Solaris kernels8863 -Node: Configuration of Darwin (MacOS/X) kernels9524 -Node: Configuration of Windows10213 -Node: Libraries10726 -Node: OpenSSL11114 -Node: zlib13401 -Node: lzo14428 -Node: Installation15409 -Node: Building and installing tinc16424 -Node: Darwin (MacOS/X) build environment17083 -Node: Cygwin (Windows) build environment17650 -Node: MinGW (Windows) build environment18237 -Node: System files18761 -Node: Device files19026 -Node: Other files19442 -Node: Configuration20055 -Node: Configuration introduction20366 -Node: Multiple networks21634 -Node: How connections work23059 -Node: Configuration files24281 -Node: Main configuration variables25776 -Node: Host configuration variables41870 -Node: Scripts47371 -Node: How to configure50134 -Node: Generating keypairs51391 -Node: Network interfaces51890 -Node: Example configuration53738 -Node: Running tinc59063 -Node: Runtime options59653 -Node: Signals62955 -Node: Debug levels64146 -Node: Solving problems65082 -Node: Error messages66634 -Node: Sending bug reports70643 -Node: Technical information71590 -Node: The connection71821 -Node: The UDP tunnel72133 -Node: The meta-connection75196 -Node: The meta-protocol76665 -Node: Security81682 -Node: Authentication protocol82815 -Node: Encryption of network packets87832 -Node: Security issues89208 -Node: Platform specific information90835 -Node: Interface configuration91063 -Node: Routes93516 -Node: About us95433 -Node: Contact information95608 -Node: Authors96012 -Node: Concept Index96417 +Node: Preparations5866 +Node: Configuring the kernel6122 +Node: Configuration of Linux kernels6532 
+Node: Configuration of FreeBSD kernels7387 +Node: Configuration of OpenBSD kernels7852 +Node: Configuration of NetBSD kernels8460 +Node: Configuration of Solaris kernels8865 +Node: Configuration of Darwin (Mac OS X) kernels9527 +Node: Configuration of Windows10005 +Node: Libraries10519 +Node: OpenSSL10907 +Node: zlib13195 +Node: lzo14223 +Node: Installation15205 +Node: Building and installing tinc16220 +Node: Darwin (Mac OS X) build environment16880 +Node: Cygwin (Windows) build environment17462 +Node: MinGW (Windows) build environment18050 +Node: System files18574 +Node: Device files18839 +Node: Other files19255 +Node: Configuration19868 +Node: Configuration introduction20179 +Node: Multiple networks21447 +Node: How connections work22873 +Node: Configuration files24095 +Node: Main configuration variables25589 +Node: Host configuration variables41628 +Node: Scripts47131 +Node: How to configure49894 +Node: Generating keypairs51152 +Node: Network interfaces51651 +Node: Example configuration53499 +Node: Running tinc58824 +Node: Runtime options59414 +Node: Signals62716 +Node: Debug levels63907 +Node: Solving problems64843 +Node: Error messages66395 +Node: Sending bug reports70404 +Node: Technical information71351 +Node: The connection71582 +Node: The UDP tunnel71894 +Node: The meta-connection74955 +Node: The meta-protocol76424 +Node: Security81441 +Node: Authentication protocol82574 +Node: Encryption of network packets87619 +Node: Security issues88995 +Node: Platform specific information90622 +Node: Interface configuration90850 +Node: Routes93321 +Node: About us95335 +Node: Contact information95510 +Node: Authors95914 +Node: Concept Index96319  End Tag Table diff --git a/doc/tinc.texi b/doc/tinc.texi index 8579002..608077f 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi 
@@ -176,7 +176,7 @@ available too. @section Supported platforms @cindex platforms -Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment), +Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment), with various hardware architectures. These are some of the platforms that are supported by the universal tun/tap device driver or other virtual network device drivers. Without such a driver, tinc will most @@ -224,7 +224,7 @@ support tinc. * Configuration of OpenBSD kernels:: * Configuration of NetBSD kernels:: * Configuration of Solaris kernels:: -* Configuration of Darwin (MacOS/X) kernels:: +* Configuration of Darwin (Mac OS X) kernels:: * Configuration of Windows:: @end menu @@ -261,7 +261,7 @@ alias char-major-10-200 tun @subsection Configuration of FreeBSD kernels For FreeBSD version 4.1 and higher, tun and tap drivers are included in the default kernel configuration. -The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}. +The tap driver can be loaded with @code{kldload if_tap}, or by adding @code{if_tap_load="YES"} to @file{/boot/loader.conf}. @c ================================================================== 
@@ -298,19 +298,12 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa @c ================================================================== -@node Configuration of Darwin (MacOS/X) kernels -@subsection Configuration of Darwin (MacOS/X) kernels +@node Configuration of Darwin (Mac OS X) kernels +@subsection Configuration of Darwin (Mac OS X) kernels Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel. Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/}, -which supports both tun and tap style devices, -and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}. -The former driver is recommended. -The tunnel driver must be loaded before starting tinc with the following command: - -@example -kmodload tunnel -@end example +which supports both tun and tap style devices. @c ================================================================== @@ -349,7 +342,7 @@ having them installed, configure will give you an error message, and stop. For all cryptography-related functions, tinc uses the functions provided by the OpenSSL library. -If this library is not installed, you wil get an error when configuring +If this library is not installed, you will get an error when configuring tinc for build. Support for running tinc with other cryptographic libraries installed @emph{may} be added in the future. @@ -413,7 +406,7 @@ Markus F.X.J. Oberhumer For the optional compression of UDP packets, tinc uses the functions provided by the zlib library. -If this library is not installed, you wil get an error when running the +If this library is not installed, you will get an error when running the configure script. You can either install the zlib library, or disable support for zlib compression by using the "--disable-zlib" option when running the configure script. Note that if you disable support for zlib, the resulting 
@@ -437,7 +430,7 @@ default). @cindex lzo Another form of compression is offered using the LZO library. -If this library is not installed, you wil get an error when running the +If this library is not installed, you will get an error when running the configure script. You can either install the LZO library, or disable support for LZO compression by using the "--disable-lzo" option when running the configure script. Note that if you disable support for LZO, the resulting @@ -503,19 +496,19 @@ you can use the package management tools of that distribution to install tinc. The documentation that comes along with your distribution will tell you how to do that. @menu -* Darwin (MacOS/X) build environment:: +* Darwin (Mac OS X) build environment:: * Cygwin (Windows) build environment:: * MinGW (Windows) build environment:: @end menu @c ================================================================== -@node Darwin (MacOS/X) build environment -@subsection Darwin (MacOS/X) build environment +@node Darwin (Mac OS X) build environment +@subsection Darwin (Mac OS X) build environment -In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools +In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools from @uref{http://developer.apple.com/tools/macosxtools.html} and -a recent version of Fink from @uref{http://www.finkproject.org/}. +preferably a recent version of Fink from @uref{http://www.finkproject.org/}. After installation use fink to download and install the following packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. 
@@ -666,7 +659,7 @@ It is not required if you only run one tinc daemon, it doesn't even have to be the same on all the sites of your VPN, but it is recommended that you choose one anyway. -We will asume you use a netname throughout this document. +We will assume you use a netname throughout this document. This means that you call tincd with the -n argument, which will assign a netname to this daemon. @@ -694,7 +687,7 @@ reads in the configuration file tinc.conf. If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file, it will try to connect to those other daemons. Whether this succeeds or not and whether `ConnectTo' is specified or not, -tinc will listen for incoming connection from other deamons. +tinc will listen for incoming connection from other daemons. If you did specify a `ConnectTo' value and the other side is not responding, tinc will keep retrying. This means that once started, tinc will stay running until you tell it to stop, @@ -718,7 +711,7 @@ The actual configuration of the daemon is done in the file @file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory @file{@value{sysconfdir}/tinc/@var{netname}/hosts/}. -An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which +An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which any .conf file will be read. These file consists of comments (lines started with a #) or assignments @@ -829,7 +822,6 @@ Do not use this option if you use switch mode and want to use IPv6. @item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform) The virtual network device to use. Tinc will automatically detect what kind of device it is. -Note that you can only use one device per daemon. Under Windows, use @var{Interface} instead of @var{Device}. Note that you can only use one device per daemon. See also @ref{Device files}. 
@@ -947,7 +939,7 @@ that is executed, the graph is then sent to stdin. @item Hostnames = (no) This option selects whether IP addresses (both real and on the VPN) should be resolved. Since DNS lookups are blocking, it might affect -tinc's efficiency, even stopping the daemon for a few seconds everytime +tinc's efficiency, even stopping the daemon for a few seconds every time it does a lookup if your DNS server is not responding. This does not affect resolving hostnames to IP addresses from the @@ -1022,7 +1014,7 @@ while no routing table is managed. @cindex Name @item Name = <@var{name}> [required] This is a symbolic name for this connection. -The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _). +The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _). If Name starts with a $, then the contents of the environment variable that follows will be used. In that case, invalid characters will be converted to underscores. @@ -1049,7 +1041,7 @@ will be inherited by the UDP packets that are sent out. @item PrivateKey = <@var{key}> [obsolete] This is the RSA private key for tinc. However, for safety reasons it is advised to store private keys of any kind in separate files. This prevents -accidental eavesdropping if you are editting the configuration file. +accidental eavesdropping if you are editing the configuration file. @cindex PrivateKeyFile @item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv}) 
@@ -1216,7 +1208,7 @@ connection with that host. @cindex Subnet @item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]> The subnet which this tinc daemon will serve. -Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet. +Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his host configuration file. Multiple subnet lines can be specified for each daemon. @@ -1293,11 +1285,11 @@ This script is started when any host becomes reachable. This script is started when any host becomes unreachable. @item @value{sysconfdir}/tinc/@var{netname}/subnet-up -This script is started when a Subnet becomes reachable. +This script is started when a subnet becomes reachable. The Subnet and the node it belongs to are passed in environment variables. @item @value{sysconfdir}/tinc/@var{netname}/subnet-down -This script is started when a Subnet becomes unreachable. +This script is started when a subnet becomes unreachable. @end table @cindex environment variables @@ -1368,7 +1360,7 @@ add `ConnectTo' values. @subsubheading Step 2. Creating your host configuration file -If you added a line containing `Name = yourname' in the main configuarion file, +If you added a line containing `Name = yourname' in the main configuration file, you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}. Adapt the following example to create a host configuration file: 
@@ -1938,7 +1930,7 @@ Note that you will only see this message if you specified a debug level of 5 or higher! @item Chances are that a @samp{Subnet = ...} line in the host configuration file of this tinc daemon is wrong. Change it to a subnet that is accepted locally by another interface, -or if that is not the case, try changing the prefix length into /32. +or if that is not the case, try changing the prefix length into /32. @end itemize @item Node foo (1.2.3.4) is not reachable @@ -2022,7 +2014,7 @@ There are two possible types of virtual network devices: and `tap' style, which are Ethernet devices and handle complete Ethernet frames. So when tinc reads an Ethernet frame from the device, it determines its -type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6 +type. When tinc is in its default routing mode, it can handle IPv4 and IPv6 packets. Depending on the Subnet lines, it will send the packets off to their destination IP address. In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery to deduce the destination of the packets. @@ -2053,7 +2045,7 @@ If the virtual network device is a `tun' device (a point-to-point tunnel), there is no problem for the kernel to accept a packet. However, if it is a `tap' device (this is the only available type on FreeBSD), the destination MAC address must match that of the virtual network interface. -If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC +If tinc is in its default routing mode, ARP does not work, so the correct destination MAC can not be known by the sending host. Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface and overwriting the destination MAC address of the received packet. 
@@ -2177,7 +2169,7 @@ message ------------------------------------------------------------------ REQ_KEY origin destination | +--> name of the tinc daemon it wants the key from - +----------> name of the daemon that wants the key + +----------> name of the daemon that wants the key ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4 | | \______________/ | | +--> MAC length @@ -2312,13 +2304,13 @@ their identity. Further information is exchanged. client ACK 655 123 0 | | +-> options - | +----> estimated weight - +--------> listening port of client + | +----> estimated weight + +--------> listening port of client server ACK 655 321 0 | | +-> options - | +----> estimated weight - +--------> listening port of server + | +----> estimated weight + +--------> listening port of server -------------------------------------------------------------------------- @end example @@ -2446,7 +2438,7 @@ netmask should be such that it encompasses the entire VPN. For IPv4 addresses: -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item Linux @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @item Linux iproute2 @@ -2459,7 +2451,7 @@ For IPv4 addresses: @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @item Solaris @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} -@item Darwin (MacOS/X) +@item Darwin (Mac OS X) @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @item Windows @tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask} 
@@ -2467,7 +2459,7 @@ For IPv4 addresses: For IPv6 addresses: -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item Linux @tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength} @item FreeBSD @@ -2480,7 +2472,7 @@ For IPv6 addresses: @tab @code{ifconfig} @var{interface} @code{inet6 plumb up} @item @tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address} -@item Darwin (MacOS/X) +@item Darwin (Mac OS X) @tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength} @item Windows @tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength} @@ -2488,7 +2480,7 @@ For IPv6 addresses: On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command: -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item OpenBSD @tab @code{ifconfig} @var{interface} @code{link0} @end multitable @@ -2498,7 +2490,7 @@ continue to exist even if tinc quit, although this is normally not required. It can be useful to set up a tun/tap interface owned by a non-root user, so tinc can be started without needing any root privileges at all. -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item Linux @tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username} @end multitable 
@@ -2516,7 +2508,7 @@ support this. Adding routes to IPv4 subnets: -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item Linux @tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface} @item Linux iproute2 @@ -2529,15 +2521,15 @@ Adding routes to IPv4 subnets: @tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @item Solaris @tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface} -@item Darwin (MacOS/X) -@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} +@item Darwin (Mac OS X) +@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface} @item Windows @tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address} @end multitable Adding routes to IPv6 subnets: -@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} +@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @item Linux @tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface} @item Linux iproute2 
@@ -2550,8 +2542,8 @@ Adding routes to IPv6 subnets: @tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength} @item Solaris @tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface} -@item Darwin (MacOS/X) -@tab ? +@item Darwin (Mac OS X) +@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface} @item Windows @tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface} @end multitable diff --git a/m4/attribute.m4 b/m4/attribute.m4 index 6a8f555..9d673e9 100644 --- a/m4/attribute.m4 +++ b/m4/attribute.m4 @@ -9,8 +9,8 @@ AC_DEFUN([tinc_ATTRIBUTE], CFLAGS="$CFLAGS -Wall -Werror" AC_COMPILE_IFELSE( [AC_LANG_SOURCE( - [void test(void) __attribute__ (($1)); - void test(void) { return; } + [void *test(void) __attribute__ (($1)); + void *test(void) { return (void *)0; } ], )], [tinc_cv_attribute_$1=yes], diff --git a/src/bsd/device.c b/src/bsd/device.c index f584355..3e9cfb2 100644 --- a/src/bsd/device.c +++ b/src/bsd/device.c @@ -1,7 +1,7 @@ /* device.c -- Interaction BSD tun/tap device Copyright (C) 2001-2005 Ivo Timmermans, - 2001-2012 Guus Sliepen + 2001-2014 Guus Sliepen 2009 Grzegorz Dymarek This program is free software; you can redistribute it and/or modify @@ -34,7 +34,7 @@ #endif #define DEFAULT_TUN_DEVICE "/dev/tun0" -#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) +#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_DARWIN) #define DEFAULT_TAP_DEVICE "/dev/tap0" #else #define DEFAULT_TAP_DEVICE "/dev/tun0" diff --git a/src/conf.h b/src/conf.h index 3a040c7..59c081c 100644 --- a/src/conf.h +++ b/src/conf.h @@ -38,6 +38,7 @@ extern avl_tree_t *config_tree; extern int pinginterval; extern int pingtimeout; extern int maxtimeout; +extern int mintimeout; extern bool bypass_security; extern char *confbase; extern char *netname; 
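Review bot: The probe function's switch to a pointer return type in m4/attribute.m4 carries no explanation, so a later cleanup could revert it to `void test(void)` without seeing why the check broke. Suggest a comment above the AC_LANG_SOURCE, e.g. `dnl Probe with a pointer-returning function: some attributes (e.g. malloc) are only accepted on such functions, and with -Werror the resulting warning would report them as unsupported.` The probe is compiled with `-Wall -Werror` per the context line, so any attribute the compiler considers inapplicable to the test function would have failed the check; the exact attribute that motivated the change is not visible in the page.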
diff --git a/src/have.h b/src/have.h
index bcd4612..396143d 100644
--- a/src/have.h
+++ b/src/have.h
@@ -1,7 +1,7 @@
 /*
 have.h -- include headers which are known to exist
 Copyright (C) 1998-2005 Ivo Timmermans
- 2003-2014 Guus Sliepen
+ 2003-2015 Guus Sliepen
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -196,4 +196,19 @@
 #include
 #endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include
+#ifdef STATUS
+#undef STATUS
+#endif
+#endif
+
+#ifdef HAVE_RESOLV_H
+#include
+#endif
+
+#ifdef HAVE_LINUX_IF_TUN_H
+#include
+#endif
+
 #endif /* __TINC_SYSTEM_H__ */
diff --git a/src/linux/device.c b/src/linux/device.c
index 66e790a..8d042d2 100644
--- a/src/linux/device.c
+++ b/src/linux/device.c
@@ -134,6 +134,9 @@ static bool setup_device(void) {
 iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
 }
+ if(overwrite_mac && !ioctl(device_fd, SIOCGIFHWADDR, &ifr))
+ memcpy(mymac.x, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
+
 logger(LOG_INFO, "%s is a %s", device, device_info);
 return true;
diff --git a/src/net.c b/src/net.c
index 8d0a0cf..06351bf 100644
--- a/src/net.c
+++ b/src/net.c
@@ -1,7 +1,7 @@
 /*
 net.c -- most of the network code
 Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2014 Guus Sliepen
+ 2000-2015 Guus Sliepen
 2006 Scott Lamb
 2011 Loïc Grenié
@@ -41,14 +41,6 @@
 #include "subnet.h"
 #include "xalloc.h"
-#ifdef HAVE_ARPA_NAMESER_H
-#include
-#endif
-
-#ifdef HAVE_RESOLV_H
-#include
-#endif
-
 bool do_purge = false;
 volatile bool running = false;
 #ifdef HAVE_PSELECT
@@ -508,9 +500,6 @@ int main_loop(void) {
 avl_node_t *node;
 logger(LOG_INFO, "Flushing event queue");
 expire_events();
-#if HAVE_DECL_RES_INIT
- res_init();
-#endif
 for(node = connection_tree->head; node; node = node->next) {
 connection_t *c = node->data;
 if(c->status.active)
diff --git a/src/net.h b/src/net.h
index 2b50c5a..0982020 100644
--- a/src/net.h
+++ b/src/net.h
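Review bot: The `#undef STATUS` placed right after the resolver header include in have.h has no comment saying what it guards against, so a future reader may drop it as dead code. Suggest `/* the resolver header defines a STATUS macro that clashes with tinc's STATUS debug level used in ifdebug(STATUS) */` above the `#ifdef STATUS`. The include file names are stripped in this rendering, so which header introduces the macro cannot be confirmed from the hunk; also, since the include moved from net.c into have.h, the undef now applies to every translation unit that includes have.h, which is presumably the intent.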
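Review bot: In src/linux/device.c a failing SIOCGIFHWADDR ioctl is silently ignored, so with overwrite_mac set and the query failing, mymac keeps whatever it held before and nothing is logged. A diagnostic on the failure path is cheap: `else if(overwrite_mac) logger(LOG_WARNING, "Could not read hardware address of %s: %s", device, strerror(errno));`. The new code also relies on `ifr` still naming the interface from an earlier ioctl; that setup lies outside the hunk (setup_device starts before it) and should be confirmed.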
@@ -87,6 +87,7 @@ typedef struct listen_socket_t {
 int tcp;
 int udp;
 sockaddr_t sa;
+ int priority;
 } listen_socket_t;
 #include "conf.h"
diff --git a/src/net_packet.c b/src/net_packet.c
index d11d58a..e67857c 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -415,9 +415,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 vpn_packet_t *outpkt;
 int origlen;
 int outlen, outpad;
-#if defined(SOL_IP) && defined(IP_TOS)
- static int priority = 0;
-#endif
 int origpriority;
 if(!n->status.reachable) {
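Review bot: The new `priority` member in listen_socket_t has no comment on what it caches or what its initial value means. Suggest `int priority; /* ToS/traffic class last applied to udp via setsockopt(); compared in send_udppacket() to skip redundant calls */`. If the listen_socket array is zero-initialised (its definition is not in this diff), a packet whose priority is 0 never triggers a setsockopt, which is presumably fine because 0 is the default socket ToS, but that assumption belongs next to the field.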
@@ -549,15 +546,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 sock = n->sock;
 }
+ if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
+ listen_socket[n->sock].priority = origpriority;
+ switch(listen_socket[n->sock].sa.sa.sa_family) {
 #if defined(SOL_IP) && defined(IP_TOS)
- if(priorityinheritance && origpriority != priority
- && listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
- priority = origpriority;
- ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
- if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
- logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
- }
+ case AF_INET:
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
+ logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ break;
 #endif
+#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
+ case AF_INET6:
+ ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
+ if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof(origpriority)))
+ logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
+ break;
+#endif
+ default:
+ break;
+ }
+ }
 if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
 if(sockmsgsize(sockerrno)) {
diff --git a/src/net_setup.c b/src/net_setup.c
index fa4e986..863616b 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -1,7 +1,7 @@
 /*
 net_setup.c -- Setup.
 Copyright (C) 1998-2005 Ivo Timmermans,
- 2000-2014 Guus Sliepen
+ 2000-2015 Guus Sliepen
 2006 Scott Lamb
 2010 Brandon Black
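Review bot: `listen_socket[n->sock].priority = origpriority;` is written before the setsockopt() calls, so a failed call is logged once and never retried for that priority value, and on a family that reaches `default:` the value is cached without ever being applied. Recording the value only when setsockopt() returns 0, inside each case in place of the unconditional assignment above the switch, keeps the cache honest. The block indexes listen_socket by `n->sock` while the sendto() below uses `sock`; they look identical given the `sock = n->sock;` just above, but that assignment sits inside a brace that closes before the new code, so if another branch can leave them different the ToS lands on the wrong socket. send_udppacket begins and ends outside this hunk.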
@@ -539,7 +539,12 @@ static bool setup_myself(void) {
 #if !defined(SOL_IP) || !defined(IP_TOS)
 if(priorityinheritance)
- logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
+ logger(LOG_WARNING, "%s not supported on this platform for IPv4 connection", "PriorityInheritance");
+#endif
+
+#if !defined(IPPROTO_IPV6) || !defined(IPV6_TCLASS)
+ if(priorityinheritance)
+ logger(LOG_WARNING, "%s not supported on this platform for IPv6 connection", "PriorityInheritance");
 #endif
 if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
@@ -553,6 +558,18 @@ static bool setup_myself(void) {
 } else
 maxtimeout = 900;
+ if(get_config_int(lookup_config(config_tree, "MinTimeout"), &mintimeout)) {
+ if(mintimeout < 0) {
+ logger(LOG_ERR, "Bogus minimum timeout!");
+ return false;
+ }
+ if(mintimeout > maxtimeout) {
+ logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting !", mintimeout, maxtimeout );
+ mintimeout=maxtimeout;
+ }
+ } else
+ mintimeout = 0;
+
 if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
 if(udp_rcvbuf <= 0) {
 logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
@@ -713,6 +730,12 @@ static bool setup_myself(void) {
 xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
 xasprintf(&envp[3], "NAME=%s", myself->name);
+#ifdef HAVE_MINGW
+ Sleep(1000);
+#endif
+#ifdef HAVE_CYGWIN
+ sleep(1);
+#endif
 execute_script("tinc-up", envp);
 for(i = 0; i < 4; i++)
@@ -790,6 +813,10 @@ static bool setup_myself(void) {
 hint.ai_protocol = IPPROTO_TCP;
 hint.ai_flags = AI_PASSIVE;
+#if HAVE_DECL_RES_INIT
+ // ensure glibc reloads /etc/resolv.conf.
+ res_init();
+#endif
 err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
 free(address);
diff --git a/src/net_socket.c b/src/net_socket.c
index 9a67bb3..cb27106 100644
--- a/src/net_socket.c
+++ b/src/net_socket.c
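Review bot: The MinTimeout block in the second hunk is logically sound but its formatting is out of step with the surrounding code: `mintimeout=maxtimeout;` lacks spaces around `=`, and the warning has a stray space before the closing parenthesis (`maxtimeout );`) and another before the exclamation mark in `Correcting !`. Suggest `mintimeout = maxtimeout;` and `logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting!", mintimeout, maxtimeout);`. Clamping to maxtimeout silently overrides the configured value, which the warning already covers, so the behaviour needs no change. setup_myself begins and ends outside this hunk.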
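Review bot: The one-second `Sleep(1000)` / `sleep(1)` inserted before running tinc-up on MinGW and Cygwin has no comment, and a bare delay in front of a script invocation is exactly the kind of line a later cleanup removes. Presumably it gives the freshly opened TAP adapter time to come up before the script configures it, but that cannot be confirmed from the hunk, so the reason should be written down next to the `#ifdef HAVE_MINGW`, e.g. `// TODO(review): state why tinc-up needs a 1 s delay on Windows before it can configure the device`. setup_myself begins and ends outside this hunk.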
@@ -40,6 +40,7 @@
 #endif
 int addressfamily = AF_UNSPEC;
+int mintimeout = 0;
 int maxtimeout = 900;
 int seconds_till_retry = 5;
 int udp_rcvbuf = 0;
@@ -77,6 +78,11 @@ static void configure_tcp(connection_t *c) {
 option = IPTOS_LOWDELAY;
 setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
 #endif
+
+#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) && defined(IPTOS_LOWDELAY)
+ option = IPTOS_LOWDELAY;
+ setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void *)&option, sizeof(option));
+#endif
 }
 static bool bind_to_interface(int sd) {
@@ -273,6 +279,9 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
 void retry_outgoing(outgoing_t *outgoing) {
 outgoing->timeout += 5;
+ if(outgoing->timeout < mintimeout)
+ outgoing->timeout = mintimeout;
+
 if(outgoing->timeout > maxtimeout)
 outgoing->timeout = maxtimeout;
diff --git a/src/netutl.c b/src/netutl.c
index c57b24f..275c64f 100644
--- a/src/netutl.c
+++ b/src/netutl.c
@@ -1,7 +1,7 @@
 /*
 netutl.c -- some supporting network utility code
 Copyright (C) 1998-2005 Ivo Timmermans
- 2000-2011 Guus Sliepen
+ 2000-2015 Guus Sliepen
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -39,6 +39,10 @@ struct addrinfo *str2addrinfo(const char *address, const char *service, int sock
 hint.ai_family = addressfamily;
 hint.ai_socktype = socktype;
+#if HAVE_DECL_RES_INIT
+ // ensure glibc reloads /etc/resolv.conf.
+ res_init();
+#endif
 err = getaddrinfo(address, service, &hint, &ai);
 if(err) {
diff --git a/src/process.c b/src/process.c
index e487e34..2f10bfd 100644
--- a/src/process.c
+++ b/src/process.c
@@ -1,7 +1,7 @@
 /*
 process.c -- process management functions
 Copyright (C) 1999-2005 Ivo Timmermans,
- 2000-2013 Guus Sliepen
+ 2000-2015 Guus Sliepen
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
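Review bot: In configure_tcp() the new IPV6_TCLASS setsockopt() runs on every TCP connection regardless of its address family, exactly like the IP_TOS call above it, and both return values are discarded, so on the mismatched family one of the two calls fails silently on every connection. Switching on the socket's family, as send_udppacket() does elsewhere in this commit, would make the intent explicit and avoid the failing call; the family is presumably reachable through the connection's address member, which is not visible in this hunk. The retry_outgoing() hunk is fine as written: clamping to mintimeout before maxtimeout keeps maxtimeout authoritative even if MinTimeout were misconfigured. configure_tcp begins outside this hunk.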
@@ -347,17 +347,59 @@ bool detach(void) {
 return true;
 }
+#ifdef HAVE_PUTENV
+void unputenv(char *p) {
+ char *e = strchr(p, '=');
+ if(!e)
+ return;
+ int len = e - p;
+#ifndef HAVE_UNSETENV
+#ifdef HAVE_MINGW
+ // Windows requires putenv("FOO=") to unset %FOO%
+ len++;
+#endif
+#endif
+ char var[len + 1];
+ memcpy(var, p, len);
+ var[len] = 0;
+#ifdef HAVE_UNSETENV
+ unsetenv(var);
+#else
+ // We must keep what we putenv() around in memory.
+ // To do this without memory leaks, keep things in a list and reuse if possible.
+ static list_t list = {};
+ for(list_node_t *node = list.head; node; node = node->next) {
+ char *data = node->data;
+ if(!strcmp(data, var)) {
+ putenv(data);
+ return;
+ }
+ }
+ char *data = xstrdup(var);
+ list_insert_tail(&list, data);
+ putenv(data);
+#endif
+}
+#else
+void putenv(const char *p) {}
+void unputenv(const char *p) {}
+#endif
+
 bool execute_script(const char *name, char **envp) {
 #ifdef HAVE_SYSTEM
- int status, len;
 char *scriptname;
- int i;
 char *interpreter = NULL;
+ config_t *cfg_interpreter;
+ int status, len, i;
+ cfg_interpreter = lookup_config(config_tree, "ScriptsInterpreter");
 #ifndef HAVE_MINGW
 len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
 #else
- len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
+ if(cfg_interpreter)
+ len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
+ else
+ len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
 #endif
 if(len < 0)
 return false;
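Review bot: The two definitions of unputenv() disagree on their parameter type — `void unputenv(char *p)` under HAVE_PUTENV versus `void unputenv(const char *p)` in the stub — so whichever prototype the header declares (not in this diff), one configuration gets a conflicting declaration; the real implementation only reads through `p`, so `void unputenv(const char *p) {` fits both. `static list_t list = {};` uses an empty-brace initializer that is a GNU extension rather than C11; `static list_t list;` is equivalent because static storage is zero-initialised. The stub `void putenv(const char *p) {}` defines a function under a standard-library name, which is only safe while HAVE_PUTENV genuinely tracks the libc symbol, and a comment saying so would help the next porter. execute_script continues past the end of this hunk.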
@@ -365,14 +407,13 @@ bool execute_script(const char *name, char **envp) {
 scriptname[len - 1] = '\0';
 /* First check if there is a script */
-
 if(access(scriptname + 1, F_OK)) {
 free(scriptname);
 return true;
 }
 // Custom scripts interpreter
- if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
+ if(get_config_string(cfg_interpreter, &interpreter)) {
 // Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
 free(scriptname);
 len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
@@ -383,12 +424,10 @@ bool execute_script(const char *name, char **envp) {
 ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
-#ifdef HAVE_PUTENV
 /* Set environment */
 for(i = 0; envp[i]; i++)
 putenv(envp[i]);
-#endif
 scriptname[len - 1] = '\"';
 status = system(scriptname);
@@ -397,15 +436,8 @@ bool execute_script(const char *name, char **envp) {
 /* Unset environment */
- for(i = 0; envp[i]; i++) {
- char *e = strchr(envp[i], '=');
- if(e) {
- char p[e - envp[i] + 1];
- strncpy(p, envp[i], e - envp[i]);
- p[e - envp[i]] = '\0';
- putenv(p);
- }
- }
+ for(i = 0; envp[i]; i++)
+ unputenv(envp[i]);
 if(status != -1) {
 #ifdef WEXITSTATUS
diff --git a/src/tincd.c b/src/tincd.c
index b6a6c29..a2b3580 100644
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -1,7 +1,7 @@
 /*
 tincd.c -- the main file for tincd
 Copyright (C) 1998-2005 Ivo Timmermans
- 2000-2014 Guus Sliepen
+ 2000-2015 Guus Sliepen
 2008 Max Rijevski
 2009 Michael Tokarev
 2010 Julien Muchembled
@@ -97,7 +97,7 @@ char *pidfilename = NULL; /* pid file location */
 char *logfilename = NULL; /* log file location */
 char **g_argv; /* a copy of the cmdline arguments */
-static int status;
+static int status = 1;
 static struct option const long_options[] = {
 {"config", required_argument, NULL, 'c'},
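Review bot: In tincd.c, `static int status = 1;` changes the daemon's default exit status without a comment, and the meaning of the initializer is only recoverable from the ChangeLog entry about returning non-zero when configuration errors occur during startup. Suggest `static int status = 1; /* exit status; stays non-zero until startup succeeds */`, with the wording adjusted to match wherever status is reset to 0 (that code is not in this diff). The neighbouring globals each carry a trailing comment, so this also keeps the declaration block consistent.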
@@ -438,14 +438,14 @@ static void make_names(void) {
 #ifdef HAVE_MINGW
 if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
 if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
- if(!logfilename)
- xasprintf(&logfilename, "%s/log/%s.log", identname);
 if(!confbase) {
 if(netname)
 xasprintf(&confbase, "%s/%s", installdir, netname);
 else
 xasprintf(&confbase, "%s", installdir);
 }
+ if(!logfilename)
+ xasprintf(&logfilename, "%s/tinc.log", confbase);
 }
 RegCloseKey(key);
 if(*installdir)
@@ -549,7 +549,7 @@ int main(int argc, char **argv) {
 if(show_version) {
 printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT);
- printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
+ printf("Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.\n"
 "See the AUTHORS file for a complete list.\n\n"
 "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
 "and you are welcome to redistribute it under certain conditions;\n"