Import Debian changes 1.0.26-1

tinc (1.0.26-1) unstable; urgency=medium

  * New upstream release.
  * Use the contents, not the presence, of the pidfile to check that tincd is
    shut down properly. Closes: #774682
  * Bump Standards-Version.
Guus Sliepen 2015-07-05 17:23:08 +02:00
commit 088ed763df
35 changed files with 677 additions and 1427 deletions


@ -1,4 +1,4 @@
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others. Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.
See the AUTHORS file for a complete list. See the AUTHORS file for a complete list.
This program is free software; you can redistribute it and/or modify it under This program is free software; you can redistribute it and/or modify it under

ChangeLog

@ -1,20 +1,64 @@
Version 1.0.26 July 05 2015
------------------------------------------------------------------------
Guus Sliepen (14):
Use VittGam's real name.
Attribution for Saverio Proto.
Always call res_init() before getaddrinfo().
Fix --logfile without a filename on Windows.
Never call putenv() with data on the stack.
Return non-zero exit code when encountering configuration errors during startup.
Fix autoconf check for function attributes.
Fix spelling of FORTIFY_SOURCE.
Update copyright notices.
Attribution for various contributors.
Only check for -fno-strict-overflow if -fwrapv does not work.
Fix unputenv() on Windows.
Don't try to call res_init() if ./configure told us it doesn't exist.
Releasing 1.0.26.
Jo-Philipp Wich (1):
fix musl compatibility
Version 1.0.25 December 22 2014
------------------------------------------------------------------------
Guus Sliepen (7):
Fix date of last NEWS entry.
Remember ToS/Diffserv priority for each socket individually.
Attribution for various contributors.
Automatically choose a tap device on Mac OS X when using switch Mode.
Update documentation for Mac OS X.
Check whether res_init() really lives in libresolv.
Releasing 1.0.25.
Borg (3):
Fixed scripts calling under Win32.
Get MAC of TAP device.
Fixed tinc-up script calling on Win32.
Alexis Hildebrandt (1):
Add support to link against libresolv Mac OS X
Baptiste Jonglez (1):
Use the description from the 1.1 man page for the IndirectData option
David Pflug (1):
Update README.android
Jochen Voss (1):
Fix some typos in the manual.
Tomislav Čohar (1):
Configure minimum reconnect timeouts.
VittGam (1):
Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.
Version 1.0.24 May 11 2014 Version 1.0.24 May 11 2014
------------------------------------------------------------------------ ------------------------------------------------------------------------
Guus Sliepen (26): Guus Sliepen (13):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Remove useless variable 'hard' from try_harder(). Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init(). Add an autoconf check for res_init().
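Review bot: The new section header at the top of this hunk, "Version 1.0.26 July 05 2015", zero-pads the day while the neighbouring headers ("Version 1.0.25 December 22 2014", "Version 1.0.24 May 11 2014") do not. Since this file is produced from git output, correct the date formatting where the file is generated rather than by hand, or the next release will reintroduce it.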
@ -34,22 +78,40 @@ Steffan Karger (3):
Use cryptographically strong random when generating keys. Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails. Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1): Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1): Loic Dachary (1):
fix documentation typo fix documentation typo
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1): luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
refs/tags/1.0.23-android-1 March 11 2014
------------------------------------------------------------------------
Guus Sliepen (13):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
Version 1.0.23 October 19 2013 Version 1.0.23 October 19 2013
------------------------------------------------------------------------ ------------------------------------------------------------------------
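Review bot: The added header "refs/tags/1.0.23-android-1 March 11 2014" leaks a raw git ref name where every other header reads "Version X", and the thirteen entries listed under it (from "Mention in the manual that multiple Address staments are allowed." down to "Handle errors from TAP-Win32/64 adapter in a better way.") are the same commits that also appear under "Version 1.0.24 May 11 2014" in the previous hunk, which is why the 1.0.24 author count drops from (26) to (13). Either render the tag as "Version 1.0.23-android-1" or exclude the android tag from the release points used to generate this file so the entries are not listed twice.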

NEWS

@ -1,4 +1,29 @@
Version 1.0.24 May 11 2013 Version 1.0.26 July 5 2015
* Tinc now forces glibc to reload /etc/resolv.conf for every hostname lookup.
* Fixed --logfile without a filename on Windows.
* Ensure tinc can be compiled when using musl libc.
Thanks to Jo-Philipp Wich for his contribution to this version of tinc.
Version 1.0.25 December 22 2014
* Documentation updates.
* Support linking against -lresolv on Mac OS X.
* Fix scripts on Windows when using the ScriptsInterpreter option.
* Allow a minimum reconnect timeout to be specified.
* Support PriorityInheritance on IPv6 sockets.
Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss,
Tomislav Čohar and VittGam for their contributions to this version of tinc.
Version 1.0.24 May 11 2014
* Various compiler hardening flags are enabled by default. * Various compiler hardening flags are enabled by default.
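Review bot: The 1.0.26 entry omits two user-visible changes that the ChangeLog records for this release: tincd now returns a non-zero exit code when it hits configuration errors during startup, and putenv() is no longer called with data on the stack. The exit-code change in particular affects init scripts and service managers that check whether the daemon came up, so it deserves a bullet next to "* Fixed --logfile without a filename on Windows.". The correction of the 1.0.24 header from "May 11 2013" to "May 11 2014" looks right.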

README

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.24. Installation This is the README file for tinc version 1.0.26. Installation
instructions may be found in the INSTALL file. instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2014 by: tinc is Copyright (C) 1998-2015 by:
Ivo Timmermans, Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>, Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility Compatibility
------------- -------------
Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older Version 1.0.26 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. versions of tinc.


@ -6,11 +6,12 @@ tar xfj android-ndk-r9d-linux-x86.tar.bz2
./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain ./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
- Download and cross-compile openSSL for ARM: - Download and cross-compile openSSL for ARM:
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
tar xfz openssl-1.0.1g.tar.gz tar xfz openssl-1.0.1h.tar.gz
cd openssl-1.0.1g cd openssl-1.0.1h
./Configure dist ./Configure dist
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
cd -
- Clone and cross-compile tinc: - Clone and cross-compile tinc:
git clone git://tinc-vpn.org/tinc git clone git://tinc-vpn.org/tinc
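Review bot: The OpenSSL tarball is still fetched over plain http (`wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz`) with no checksum or signature check, so a build that follows these instructions trusts whatever the network returns; bumping 1.0.1g to 1.0.1h does not change that. Switch the URL to https and add a step that verifies the tarball's published digest or its .asc signature before `tar xfz`. The added `cd -` is needed so that the following `git clone git://tinc-vpn.org/tinc` runs outside the openssl tree rather than inside it; the same transport remark applies to that unauthenticated git:// clone.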

THANKS

@ -1,14 +1,18 @@
We would like to thank the following people for their contributions to tinc: We would like to thank the following people for their contributions to tinc:
* Alexander Reil and Gemeinde Berg * Alexander Reil and Gemeinde Berg
* Alexis Hildebrandt
* Allesandro Gatti * Allesandro Gatti
* Andreas van Cranenburgh * Andreas van Cranenburgh
* Anthony G. Basile * Anthony G. Basile
* Armin Fisslthaler * Armin Fisslthaler
* Armijn Hemel * Armijn Hemel
* Baptiste Jonglez
* Borg
* Brandon Black * Brandon Black
* Cris van Pelt * Cris van Pelt
* Darius Jahandarie * Darius Jahandarie
* David Pflug
* Delf Eldkraft * Delf Eldkraft
* dnk * dnk
* Enrique Zanardi * Enrique Zanardi
@ -22,9 +26,13 @@ We would like to thank the following people for their contributions to tinc:
* James MacLean * James MacLean
* Jamie Briggs * Jamie Briggs
* Jason Harper * Jason Harper
* Jason Livesay
* Jelle de Jong * Jelle de Jong
* Jeroen Domburg
* Jeroen Ubbink * Jeroen Ubbink
* Jerome Etienne * Jerome Etienne
* Jo-Philipp Wich
* Jochen Voss
* Julien Muchembled * Julien Muchembled
* Lavrans Laading * Lavrans Laading
* Loïc Dachary * Loïc Dachary
@ -50,15 +58,24 @@ We would like to thank the following people for their contributions to tinc:
* Philipp Babel * Philipp Babel
* Robert van der Meulen * Robert van der Meulen
* Rumko * Rumko
* Sam Bryan
* Saverio Proto
* Scott Lamb * Scott Lamb
* Steffan Karger * Steffan Karger
* Sven-Haegar Koch * Sven-Haegar Koch
* Teemu Kiviniemi * Teemu Kiviniemi
* Thomas Tsiakalakis
* Timothy Redaelli * Timothy Redaelli
* Tomasz Fortuna
* Tomislav Čohar
* Tommy Arnkværn
* Tonnerre Lombard * Tonnerre Lombard
* Vil Brekin * Vil Brekin
* Vittorio Gambaletta
* Wessel Dankers * Wessel Dankers
* William McArthur
* Wouter van Heyst * Wouter van Heyst
* 戴 鸣
And everyone we forgot (if we did, please let us know). Thank you! And everyone we forgot (if we did, please let us know). Thank you!

aclocal.m4 vendored

@ -103,10 +103,9 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# configured tree to be moved without reconfiguration. # configured tree to be moved without reconfiguration.
AC_DEFUN([AM_AUX_DIR_EXPAND], AC_DEFUN([AM_AUX_DIR_EXPAND],
[dnl Rely on autoconf to set up CDPATH properly. [AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
AC_PREREQ([2.50])dnl # Expand $ac_aux_dir to an absolute path.
# expand $ac_aux_dir to an absolute path am_aux_dir=`cd "$ac_aux_dir" && pwd`
am_aux_dir=`cd $ac_aux_dir && pwd`
]) ])
# AM_CONDITIONAL -*- Autoconf -*- # AM_CONDITIONAL -*- Autoconf -*-

config.guess vendored

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Attempt to guess a canonical system name. # Attempt to guess a canonical system name.
# Copyright 1992-2013 Free Software Foundation, Inc. # Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2013-06-10' timestamp='2014-03-23'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
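Review bot: This and the following config.guess hunks, like the config.sub hunks further down, are a wholesale refresh of vendored GNU scripts that moves the timestamp from 2013-06-10 to 2014-03-23. Rather than reviewing them line by line, confirm that the file is byte-identical to the upstream config.guess carrying that timestamp; a vendored script that executes at configure time is an easy place for a stray local edit to hide.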
@ -50,7 +50,7 @@ version="\
GNU config.guess ($timestamp) GNU config.guess ($timestamp)
Originally written by Per Bothner. Originally written by Per Bothner.
Copyright 1992-2013 Free Software Foundation, Inc. Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -149,7 +149,7 @@ Linux|GNU|GNU/*)
LIBC=gnu LIBC=gnu
#endif #endif
EOF EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;; ;;
esac esac
@ -826,7 +826,7 @@ EOF
*:MINGW*:*) *:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32 echo ${UNAME_MACHINE}-pc-mingw32
exit ;; exit ;;
i*:MSYS*:*) *:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys echo ${UNAME_MACHINE}-pc-msys
exit ;; exit ;;
i*:windows32*:*) i*:windows32*:*)
@ -969,10 +969,10 @@ EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;; ;;
or1k:Linux:*:*) openrisc*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC} echo or1k-unknown-linux-${LIBC}
exit ;; exit ;;
or32:Linux:*:*) or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC} echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;; exit ;;
padre:Linux:*:*) padre:Linux:*:*)
@ -1260,6 +1260,7 @@ EOF
if test "$UNAME_PROCESSOR" = unknown ; then if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc UNAME_PROCESSOR=powerpc
fi fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
@ -1271,6 +1272,15 @@ EOF
esac esac
fi fi
fi fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;; exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*) *:procnto*:*:* | *:QNX:[0123456789]*:*)
@ -1361,154 +1371,6 @@ EOF
exit ;; exit ;;
esac esac
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
#endif
main ()
{
#if defined (sony)
#if defined (MIPSEB)
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
I don't know.... */
printf ("mips-sony-bsd\n"); exit (0);
#else
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
#else
""
#endif
); exit (0);
#endif
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
printf ("m68k-hp-bsd\n"); exit (0);
#endif
#if defined (NeXT)
#if !defined (__ARCHITECTURE__)
#define __ARCHITECTURE__ "m68k"
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
if (version < 4)
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
else
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
#if defined (MULTIMAX) || defined (n16)
#if defined (UMAXV)
printf ("ns32k-encore-sysv\n"); exit (0);
#else
#if defined (CMU)
printf ("ns32k-encore-mach\n"); exit (0);
#else
printf ("ns32k-encore-bsd\n"); exit (0);
#endif
#endif
#endif
#if defined (__386BSD__)
printf ("i386-pc-bsd\n"); exit (0);
#endif
#if defined (sequent)
#if defined (i386)
printf ("i386-sequent-dynix\n"); exit (0);
#endif
#if defined (ns32000)
printf ("ns32k-sequent-dynix\n"); exit (0);
#endif
#endif
#if defined (_SEQUENT_)
struct utsname un;
uname(&un);
if (strncmp(un.version, "V2", 2) == 0) {
printf ("i386-sequent-ptx2\n"); exit (0);
}
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
printf ("i386-sequent-ptx1\n"); exit (0);
}
printf ("i386-sequent-ptx\n"); exit (0);
#endif
#if defined (vax)
# if !defined (ultrix)
# include <sys/param.h>
# if defined (BSD)
# if BSD == 43
printf ("vax-dec-bsd4.3\n"); exit (0);
# else
# if BSD == 199006
printf ("vax-dec-bsd4.3reno\n"); exit (0);
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# endif
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# else
printf ("vax-dec-ultrix\n"); exit (0);
# endif
#endif
#if defined (alliant) && defined (i860)
printf ("i860-alliant-bsd\n"); exit (0);
#endif
exit (1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
if [ -x /usr/convex/getsysinfo ]
then
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
c34*)
echo c34-convex-bsd
exit ;;
c38*)
echo c38-convex-bsd
exit ;;
c4*)
echo c4-convex-bsd
exit ;;
esac
fi
cat >&2 <<EOF cat >&2 <<EOF
$0: unable to guess system type $0: unable to guess system type
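Review bot: The removed block compiled a generated C program with `$CC_FOR_BUILD -o $dummy $dummy.c` and then executed it (`SYSTEM_NAME=\`$dummy\``) to probe long-dead targets such as Sony NEWS, Sequent, Convex and NeXT, and its `version=` line even spliced `hostinfo` output into that C source. Dropping it removes a configure-time compile-and-run step that no platform tinc supports needs, and the Apollo and Convex shell probes (`test -d /usr/apollo`, `/usr/convex/getsysinfo`) go with it, so nothing half-removed is left behind.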


@ -89,6 +89,9 @@
/* Define to 1 if you have the `nsl' library (-lnsl). */ /* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL #undef HAVE_LIBNSL
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
/* Define to 1 if you have the `socket' library (-lsocket). */ /* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET #undef HAVE_LIBSOCKET

config.sub vendored

@ -1,8 +1,8 @@
#! /bin/sh #! /bin/sh
# Configuration validation subroutine script. # Configuration validation subroutine script.
# Copyright 1992-2013 Free Software Foundation, Inc. # Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2013-08-10' timestamp='2014-09-11'
# This file is free software; you can redistribute it and/or modify it # This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by # under the terms of the GNU General Public License as published by
@ -68,7 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\ version="\
GNU config.sub ($timestamp) GNU config.sub ($timestamp)
Copyright 1992-2013 Free Software Foundation, Inc. Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -265,6 +265,7 @@ case $basic_machine in
| hexagon \ | hexagon \
| i370 | i860 | i960 | ia64 \ | i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \ | ip2k | iq2000 \
| k1om \
| le32 | le64 \ | le32 | le64 \
| lm32 \ | lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \ | m32c | m32r | m32rle | m68000 | m68k | m88k \
@ -282,8 +283,10 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \ | mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \ | mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \ | mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \ | mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \ | mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \ | mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \ | mipsr5900 | mipsr5900el \
@ -295,11 +298,11 @@ case $basic_machine in
| nds32 | nds32le | nds32be \ | nds32 | nds32le | nds32be \
| nios | nios2 | nios2eb | nios2el \ | nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \ | ns16k | ns32k \
| open8 \ | open8 | or1k | or1knd | or32 \
| or1k | or32 \
| pdp10 | pdp11 | pj | pjl \ | pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \ | powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \ | pyramid \
| riscv32 | riscv64 \
| rl78 | rx \ | rl78 | rx \
| score \ | score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
@ -324,7 +327,7 @@ case $basic_machine in
c6x) c6x)
basic_machine=tic6x-unknown basic_machine=tic6x-unknown
;; ;;
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown basic_machine=$basic_machine-unknown
os=-none os=-none
;; ;;
@ -381,6 +384,7 @@ case $basic_machine in
| hexagon-* \ | hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \ | i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \ | ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \ | le32-* | le64-* \
| lm32-* \ | lm32-* \
| m32c-* | m32r-* | m32rle-* \ | m32c-* | m32r-* | m32rle-* \
@ -400,8 +404,10 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \ | mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \ | mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \ | mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \ | mipsr5900-* | mipsr5900el-* \
@ -413,6 +419,7 @@ case $basic_machine in
| nios-* | nios2-* | nios2eb-* | nios2el-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \ | none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \ | open8-* \
| or1k*-* \
| orion-* \ | orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
@ -822,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown basic_machine=powerpc-unknown
os=-morphos os=-morphos
;; ;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos) msdos)
basic_machine=i386-pc basic_machine=i386-pc
os=-msdos os=-msdos
@ -1367,14 +1378,14 @@ case $os in
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number. # Remember, each alternative MUST END IN *, to match a version number.
;; ;;
-qnx*) -qnx*)
@ -1592,9 +1603,6 @@ case $basic_machine in
mips*-*) mips*-*)
os=-elf os=-elf
;; ;;
or1k-*)
os=-elf
;;
or32-*) or32-*)
os=-coff os=-coff
;; ;;

configure vendored

@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.24. # Generated by GNU Autoconf 2.69 for tinc 1.0.26.
# #
# #
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='tinc' PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc' PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.24' PACKAGE_VERSION='1.0.26'
PACKAGE_STRING='tinc 1.0.24' PACKAGE_STRING='tinc 1.0.26'
PACKAGE_BUGREPORT='' PACKAGE_BUGREPORT=''
PACKAGE_URL='' PACKAGE_URL=''
@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures tinc 1.0.24 to adapt to many kinds of systems. \`configure' configures tinc 1.0.26 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1378,7 +1378,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.24:";; short | recursive ) echo "Configuration of tinc 1.0.26:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1497,7 +1497,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
tinc configure 1.0.24 tinc configure 1.0.26
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@ -1962,7 +1962,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.24, which was It was created by tinc $as_me 1.0.26, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -2512,8 +2512,8 @@ test "$program_suffix" != NONE &&
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
# expand $ac_aux_dir to an absolute path # Expand $ac_aux_dir to an absolute path.
am_aux_dir=`cd $ac_aux_dir && pwd` am_aux_dir=`cd "$ac_aux_dir" && pwd`
if test x"${MISSING+set}" != xset; then if test x"${MISSING+set}" != xset; then
case $am_aux_dir in case $am_aux_dir in
@ -2826,7 +2826,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='tinc' PACKAGE='tinc'
VERSION='1.0.24' VERSION='1.0.26'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
@ -5185,42 +5185,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; } $as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then : if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2" CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
else else
: :
fi fi
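Review bot: Correcting -DFORITFY_SOURCE=2 to -DFORTIFY_SOURCE=2 is necessary but not sufficient: glibc's fortification macro is `_FORTIFY_SOURCE` with a leading underscore, and defining `FORTIFY_SOURCE` does nothing to enable the bounds-checked string and memory wrappers, so the "compiler hardening flags are enabled by default" promise made in NEWS for 1.0.24 is still unmet on this point. The flag should read `-D_FORTIFY_SOURCE=2` (the `ax_cv_check_cflags___DFORTIFY_SOURCE_2` cache variable name will change with it), and it only takes effect when compiling with -O1 or higher.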
@ -5256,8 +5221,42 @@ fi
$as_echo "$ax_cv_check_cflags___fwrapv" >&6; } $as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
if test x"$ax_cv_check_cflags___fwrapv" = xyes; then : if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
CPPFLAGS="$CPPFLAGS -fwrapv" CPPFLAGS="$CPPFLAGS -fwrapv"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
else else
: :
fi
fi fi
case $host_os in case $host_os in
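Review bot: Nesting the -fno-strict-overflow probe in the `else` branch of the -fwrapv test means it only runs when -fwrapv is rejected, which matches the ChangeLog entry "Only check for -fno-strict-overflow if -fwrapv does not work." Two points: both flags, like -DFORTIFY_SOURCE=2 above, are appended to CPPFLAGS (`CPPFLAGS="$CPPFLAGS -fwrapv"`, `CPPFLAGS="$CPPFLAGS -fno-strict-overflow"`) even though they are code-generation options that belong in CFLAGS; and since configure is generated, this reordering must also be made in the autoconf source (configure.in or the macro that emits these checks) so it survives the next autoreconf.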
@ -5877,8 +5876,8 @@ else
CFLAGS="$CFLAGS -Wall -Werror" CFLAGS="$CFLAGS -Wall -Werror"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */ /* end confdefs.h. */
void test(void) __attribute__ ((__malloc__)); void *test(void) __attribute__ ((__malloc__));
void test(void) { return; } void *test(void) { return (void *)0; }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_compile "$LINENO"; then :
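Review bot: Before this change the probe declared `void test(void) __attribute__ ((__malloc__))`; gcc ignores the malloc attribute on a function that does not return a pointer and emits a warning, which the `-Wall -Werror` in the line above turns into a compile failure, so the attribute check could never succeed and tinc was silently built without it. Returning `void *` makes the probe well-formed. If any other attribute probes in this configure share the same -Werror harness, they are worth the same scrutiny, since a false "no" from this kind of check fails quietly.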
@ -6275,6 +6274,53 @@ fi
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_RES_INIT $ac_have_decl #define HAVE_DECL_RES_INIT $ac_have_decl
_ACEOF _ACEOF
if test $ac_have_decl = 1; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_init in -lresolv" >&5
$as_echo_n "checking for res_init in -lresolv... " >&6; }
if ${ac_cv_lib_resolv_res_init+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lresolv $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char res_init ();
int
main ()
{
return res_init ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_resolv_res_init=yes
else
ac_cv_lib_resolv_res_init=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_init" >&5
$as_echo "$ac_cv_lib_resolv_res_init" >&6; }
if test "x$ac_cv_lib_resolv_res_init" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBRESOLV 1
_ACEOF
LIBS="-lresolv $LIBS"
fi
fi
cat >confcache <<\_ACEOF cat >confcache <<\_ACEOF
@ -7396,7 +7442,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by tinc $as_me 1.0.24, which was This file was extended by tinc $as_me 1.0.26, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -7462,7 +7508,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
tinc config.status 1.0.24 tinc config.status 1.0.26
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"


@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script. dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61) AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.24]) AC_INIT([tinc], [1.0.26])
AC_CONFIG_SRCDIR([src/tincd.c]) AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
@ -134,9 +134,9 @@ dnl No -fstack-protector-all because it doesn't work on all platforms or archite
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"], AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"]) [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]) AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"],
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"]) AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]))
case $host_os in case $host_os in
*mingw*) *mingw*)
AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
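Review bot: `-DFORTIFY_SOURCE=2` defines the wrong macro: the one glibc's headers test is `_FORTIFY_SOURCE` (leading underscore), so even after the FORITFY spelling fix this flag does nothing, and AX_CHECK_COMPILE_FLAG cannot notice because a compiler accepts any `-D`. Change it to `-D_FORTIFY_SOURCE=2`. Separately, `-fwrapv` and `-fno-strict-overflow` are appended to CPPFLAGS; they are code-generation flags and belong in CFLAGS (gcc tolerates them in CPPFLAGS only because CPPFLAGS is passed to every compile). The reordering so that `-fno-strict-overflow` is tried only when `-fwrapv` is rejected is correct and matches the regenerated configure.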
@ -202,7 +202,7 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
[], [], [#include "src/have.h"] [], [], [#include "src/have.h"]
) )
AC_CHECK_DECLS([res_init], [], [], [ AC_CHECK_DECLS([res_init], [AC_CHECK_LIB(resolv, res_init)], [], [
#include <netinet/in.h> #include <netinet/in.h>
#include <resolv.h> #include <resolv.h>
]) ])
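Review bot: `AC_CHECK_LIB(resolv, res_init)` only runs when the declaration check succeeds, and its probe (the generated `char res_init ();` link test) passes whenever any library already on the link line, libc included, exports an undecorated `res_init`; so HAVE_LIBRESOLV means "linking still works with -lresolv added", not "res_init lives in libresolv", and a libc that ships res_init itself still gets `-lresolv` appended to LIBS. That is harmless, but the declaration check is the real gate for calling res_init(), so say so in a comment here rather than leaving the reader to reconstruct it from the generated configure.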

debian/changelog

@ -1,17 +1,11 @@
tinc (1.0.24-2.1+deb8u1) jessie-security; urgency=medium tinc (1.0.26-1) unstable; urgency=medium
* Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738). * New upstream release.
* Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758). * Use the contents, not the presence, of the pidfile to check that tincd is
shut down properly. Closes: #774682
* Bump Standards-Version.
-- Guus Sliepen <guus@debian.org> Mon, 08 Oct 2018 20:14:24 +0200 -- Guus Sliepen <guus@debian.org> Sun, 05 Jul 2015 17:23:08 +0200
tinc (1.0.24-2.1) unstable; urgency=medium
* NMU after getting go ahead from guus on #tinc
* Add a -dbg package which contains the debugging symbols for tinc
Thanks hark@puscii.nl (Closes: #752561)
-- Micah Anderson <micah@debian.org> Tue, 24 Jun 2014 14:01:47 -0400
tinc (1.0.24-2) unstable; urgency=medium tinc (1.0.24-2) unstable; urgency=medium
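Review bot: this entry replaces the 1.0.24-2.1+deb8u1 security upload and the 1.0.24-2.1 NMU instead of being stacked on top of them, so the changelog in the resulting tree no longer records two published uploads, and the 1.0.26-1 text says nothing about the debian/patches/security-fixes removal elsewhere in this commit. If the intent is to import 1.0.26-1 exactly as it was uploaded to unstable in 2015, that is expected, but the commit message should say that the branch is being reset to the unstable lineage, because the replaced entry is the only place that named CVE-2018-16737, CVE-2018-16738 and CVE-2018-16758.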

debian/control

@ -2,7 +2,7 @@ Source: tinc
Section: net Section: net
Priority: optional Priority: optional
Maintainer: Guus Sliepen <guus@debian.org> Maintainer: Guus Sliepen <guus@debian.org>
Standards-Version: 3.9.5 Standards-Version: 3.9.6
Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
Homepage: http://www.tinc-vpn.org/ Homepage: http://www.tinc-vpn.org/
@ -14,16 +14,3 @@ Description: Virtual Private Network daemon
(VPN). One daemon can handle multiple connections, so you can (VPN). One daemon can handle multiple connections, so you can
create an entire (moderately sized) VPN with only one daemon per create an entire (moderately sized) VPN with only one daemon per
participating computer. participating computer.
Package: tinc-dbg
Architecture: any
Section: debug
Priority: extra
Depends: ${shlibs:Depends}, ${misc:Depends}, tinc (= ${binary:Version})
Description: debugging symbols for tinc
tinc is a daemon with which you can create a virtual private network
(VPN). One daemon can handle multiple connections, so you can
create an entire (moderately sized) VPN with only one daemon per
participating computer.
.
This package contains the debugging symbols for tinc.
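Review bot: the tinc-dbg binary package disappears here without a changelog line; the matching `override_dh_strip` removal in debian/rules in this same commit keeps the packaging consistent, but a package that an earlier upload added (1.0.24-2.1, Closes: #752561 per the changelog hunk) is being dropped silently. Either record it in the changelog or state in the commit message that this is a verbatim import of the 2015 upload, so the removal is not read as a regression.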


@ -1,840 +0,0 @@
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index 0548628f..a2a635fb 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -464,7 +464,7 @@ Multiple
.Va Address
variables can be specified, in which case each address will be tried until a working
connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognised.
Furthermore, specifying
@@ -479,7 +479,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
-.It Va Digest Li = Ar digest Pq sha1
+.It Va Digest Li = Ar digest Pq sha256
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognised.
Furthermore, specifying
diff --git a/doc/tinc.texi b/doc/tinc.texi
index 85790028..6e422cfe 100644
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
The symmetric cipher algorithm used to encrypt UDP packets.
Any cipher supported by OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet encryption.
@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
10 (fast lzo) and 11 (best lzo).
@cindex Digest
-@item Digest = <@var{digest}> (sha1)
+@item Digest = <@var{digest}> (sha256)
The digest algorithm used to authenticate UDP packets.
Any digest supported by OpenSSL is recognized.
Furthermore, specifying "none" will turn off packet authentication.
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index 254ea4ff..77b3a4a8 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -45,12 +45,14 @@ AC_DEFUN([tinc_OPENSSL],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
)
- AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], ,
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
+ AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
- AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
+
+ AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])
])
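Review bot: `AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])` passes a fourth argument, but AC_CHECK_FUNCS takes three (functions, action-if-found, action-if-not-found); the include list is silently dropped and the probe links each name against its own `char f ();` declaration, so the header plays no part. Drop the argument, or use AC_CHECK_DECLS if the question is whether the header declares these names, which is the better gate for HAVE_RSA_SET0_KEY and HAVE_BN_GENCB_NEW since net_setup.c and tincd.c define replacements when they are unset. Requiring RAND_bytes instead of RAND_pseudo_bytes is fine; every OpenSSL this can build against has it.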
diff --git a/src/connection.h b/src/connection.h
index 877601fe..9e4dc663 100644
--- a/src/connection.h
+++ b/src/connection.h
@@ -41,7 +41,9 @@ typedef struct connection_status_t {
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
- unsigned int unused:23;
+ unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */
+ unsigned int tarpit:1; /* 1 if the connection should be added to the tarpit */
+ unsigned int unused:21;
} connection_status_t;
#include "edge.h"
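Review bot: `proxy_passed` is added here but nothing else in this patch sets or reads it; if it was carried along to keep the struct layout identical to upstream, say so in a comment, otherwise drop it so the backport only adds the `tarpit` bit it actually uses.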
diff --git a/src/net.c b/src/net.c
index 8d0a0cf4..4e53d920 100644
--- a/src/net.c
+++ b/src/net.c
@@ -166,6 +166,22 @@ static int build_fdset(fd_set *readset, fd_set *writeset) {
return max;
}
+/* Put a misbehaving connection in the tarpit */
+void tarpit(int fd) {
+ static int pits[10] = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1};
+ static int next_pit = 0;
+
+ if(pits[next_pit] != -1) {
+ closesocket(pits[next_pit]);
+ }
+
+ pits[next_pit++] = fd;
+
+ if(next_pit >= sizeof pits / sizeof pits[0]) {
+ next_pit = 0;
+ }
+}
+
/*
Terminate a connection:
- Close the socket
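Review bot: `next_pit >= sizeof pits / sizeof pits[0]` compares an int against a size_t (warns under -Wsign-compare); make `next_pit` a size_t or cast. More importantly the comment above the function should state what the pit actually does: it is a ring of ten descriptors that are never read or polled, and each new entry closes the oldest, so a socket is held for at most ten further tarpit() calls; a flood of bad connections from one source therefore evicts earlier entries quickly, which bounds resource use rather than imposing any delay. Give the ring size a named constant; the accept burst limit in net_socket.c is a separate 10 that happens to match.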
@@ -186,8 +202,13 @@ void terminate_connection(connection_t *c, bool report) {
if(c->node)
c->node->connection = NULL;
- if(c->socket)
- closesocket(c->socket);
+ if(c->socket) {
+ if(c->status.tarpit) {
+ tarpit(c->socket);
+ } else {
+ closesocket(c->socket);
+ }
+ }
if(c->edge) {
if(!c->node) {
@@ -274,6 +295,7 @@ static void check_dead_connections(void) {
closesocket(c->socket);
do_outgoing_connection(c);
} else {
+ c->status.tarpit = true;
terminate_connection(c, false);
}
}
@@ -353,6 +375,7 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) {
if(FD_ISSET(c->socket, readset)) {
if(!receive_meta(c)) {
+ c->status.tarpit = true;
terminate_connection(c, c->status.active);
continue;
}
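Review bot: `receive_meta()` returns false for an orderly close or a read error as well as for a malformed request, so this marks every peer whose TCP connection simply went away as tarpit-worthy and keeps its fd open in the pit until it is rotated out. Harmless given the ring is small, but it is a side effect worth a comment, or worth distinguishing EOF from protocol errors if receive_meta can report which it saw.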
diff --git a/src/net.h b/src/net.h
index 2b50c5a2..5ae8d344 100644
--- a/src/net.h
+++ b/src/net.h
@@ -163,6 +163,7 @@ extern void flush_queue(struct node_t *);
extern bool read_rsa_public_key(struct connection_t *);
extern void send_mtu_probe(struct node_t *);
extern void load_all_subnets(void);
+extern void tarpit(int fd);
#ifndef HAVE_MINGW
#define closesocket(s) close(s)
diff --git a/src/net_packet.c b/src/net_packet.c
index d11d58ad..5d7c212d 100644
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
len = 64;
memset(packet.data, 0, 14);
- RAND_pseudo_bytes(packet.data + 14, len - 14);
+ RAND_bytes(packet.data + 14, len - 14);
packet.len = len;
if(i >= 4 && n->mtuprobes <= 10)
packet.priority = -1;
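Review bot: the result of `RAND_bytes(packet.data + 14, len - 14)` is still ignored; unlike RAND_pseudo_bytes, RAND_bytes returns 0 when the PRNG cannot produce output, leaving the buffer unspecified. For MTU probe padding that is not a security problem, but the same pattern elsewhere would be; check the return value (or log once) so the switch from RAND_pseudo_bytes is complete rather than cosmetic.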
@@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
if(n->incipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
- || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
+ || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
return;
@@ -482,10 +482,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
if(n->outcipher) {
outpkt = pkt[nextpkt++];
- if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
- || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
+ if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
+ || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
(unsigned char *) &inpkt->seqno, inpkt->len)
- || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+ || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
goto end;
diff --git a/src/net_setup.c b/src/net_setup.c
index fa4e9867..ea2a3b78 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -53,11 +53,22 @@ char *proxyuser;
char *proxypass;
proxytype_t proxytype;
+#ifndef HAVE_RSA_SET0_KEY
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+ BN_free(r->n); r->n = n;
+ BN_free(r->e); r->e = e;
+ BN_free(r->d); r->d = d;
+ return 1;
+}
+#endif
+
bool read_rsa_public_key(connection_t *c) {
FILE *fp;
char *pubname;
char *hcfname;
char *key;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
if(!c->rsa_key) {
c->rsa_key = RSA_new();
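Review bot: the `#ifndef HAVE_RSA_SET0_KEY` replacement does not match the OpenSSL 1.1 function it stands in for: OpenSSL keeps the existing field when an argument is NULL, returns 0 rather than leave n or e NULL, and releases the old d with BN_clear_free; this version unconditionally frees and overwrites all three and returns 1 even for `RSA_set0_key(r, NULL, NULL, NULL)`. Today's callers always pass non-NULL n and e so the difference is latent, but read_rsa_public_key reuses an existing `c->rsa_key` and passes NULL for d, and a private exponent freed with BN_free is not wiped. Mirror OpenSSL's semantics in the fallback so both builds behave the same.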
@@ -67,12 +78,19 @@ bool read_rsa_public_key(connection_t *c) {
/* First, check for simple PublicKey statement */
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
- if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
+ if(BN_hex2bn(&n, key) != strlen(key)) {
+ free(key);
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
return false;
}
- BN_hex2bn(&c->rsa_key->e, "FFFF");
free(key);
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
+ return false;
+ }
return true;
}
@@ -163,27 +181,39 @@ bool read_rsa_public_key(connection_t *c) {
static bool read_rsa_private_key(void) {
FILE *fp;
char *fname, *key, *pubkey;
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
+ BIGNUM *d = NULL;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL);
- if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
+ if(BN_hex2bn(&d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
+ BN_free(d);
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
- if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
- logger(LOG_ERR, "Invalid PublicKey for myself!");
+ if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
free(pubkey);
+ BN_free(d);
+ logger(LOG_ERR, "Invalid PublicKey for myself!");
return false;
}
free(pubkey);
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
+ BN_hex2bn(&e, "FFFF");
+ if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
+ BN_free(d);
+ BN_free(e);
+ BN_free(n);
+ logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
+ return false;
+ }
return true;
}
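Review bot: the error paths release the private exponent with `BN_free(d)`; use `BN_clear_free(d)` for secret material so the value is wiped before the memory is returned (the same applies to the `BN_free(d)` inside the RSA_set0_key failure branch). The reordering so that `free(pubkey)` happens before the early return is right. Note also that the PublicKey/PrivateKey statements still hard-code the exponent as `BN_hex2bn(&e, "FFFF")` while keygen uses 0x10001; pre-existing, but worth a comment since a key generated by this binary cannot be used through those statements.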
@@ -608,14 +638,25 @@ static bool setup_myself(void) {
}
free(cipher);
} else
- myself->incipher = EVP_bf_cbc();
+ myself->incipher = EVP_aes_256_cbc();
if(myself->incipher)
- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
+ myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
else
myself->inkeylength = 1;
- myself->connection->outcipher = EVP_bf_ofb();
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
+ but try to match the key size with the one from the cipher selected
+ by Cipher.
+ */
+
+ int keylen = EVP_CIPHER_key_length(myself->incipher);
+ if(keylen <= 16)
+ myself->connection->outcipher = EVP_aes_128_cfb();
+ else if(keylen <= 24)
+ myself->connection->outcipher = EVP_aes_192_cfb();
+ else
+ myself->connection->outcipher = EVP_aes_256_cfb();
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;
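Review bot: `int keylen = EVP_CIPHER_key_length(myself->incipher);` has no NULL guard, yet the lines just above explicitly handle `myself->incipher == NULL` (the `Cipher = none` case the man page still advertises) by setting inkeylength to 1; with Cipher = none this now dereferences NULL inside OpenSSL at startup. Use `myself->incipher ? EVP_CIPHER_key_length(myself->incipher) : 0` and pick a fixed meta cipher in that case. Also undocumented: the meta connection cipher is no longer a constant but AES-CFB sized from Cipher, and its digest is fixed to SHA-256 in the next hunk; the tinc.conf.5 and tinc.texi hunks only change the UDP defaults, so add a sentence there.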
@@ -639,13 +680,13 @@ static bool setup_myself(void) {
free(digest);
} else
- myself->indigest = EVP_sha1();
+ myself->indigest = EVP_sha256();
- myself->connection->outdigest = EVP_sha1();
+ myself->connection->outdigest = EVP_sha256();
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) {
- if(myself->inmaclength > myself->indigest->md_size) {
+ if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
logger(LOG_ERR, "MAC length exceeds size of digest!");
return false;
} else if(myself->inmaclength < 0) {
diff --git a/src/net_socket.c b/src/net_socket.c
index 9a67bb3c..479b595d 100644
--- a/src/net_socket.c
+++ b/src/net_socket.c
@@ -513,6 +513,9 @@ void setup_outgoing_connection(outgoing_t *outgoing) {
new connection
*/
bool handle_new_meta_connection(int sock) {
+ static const int max_accept_burst = 10;
+ static int last_accept_burst;
+ static int last_accept_time;
connection_t *c;
sockaddr_t sa;
int fd;
@@ -525,6 +528,22 @@ bool handle_new_meta_connection(int sock) {
return false;
}
+ if(last_accept_time == now) {
+ last_accept_burst++;
+
+ if(last_accept_burst >= max_accept_burst) {
+ if(last_accept_burst == max_accept_burst) {
+ ifdebug(CONNECTIONS) logger(LOG_WARNING, "Throttling incoming connections");
+ }
+
+ tarpit(fd);
+ return false;
+ }
+ } else {
+ last_accept_burst = 0;
+ last_accept_time = now;
+ }
+
sockaddrunmap(&sa);
c = new_connection();
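Review bot: `static int last_accept_time` is compared with `now`, which is tinc's global time_t; storing it in an int truncates on 64-bit time_t platforms and is a type mismatch regardless, so declare it time_t. More significant, the burst counter is global rather than per source address: one remote that opens more than max_accept_burst connections in a second causes every further incoming connection that second, legitimate peers included, to be tarpitted, which is a cheap way to keep a node from accepting anyone. A per-address counter, or at least a comment acknowledging the trade-off, would be better. The `return false` after `tarpit(fd)` correctly skips sockaddrunmap/new_connection.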
@@ -546,7 +565,6 @@ bool handle_new_meta_connection(int sock) {
connection_add(c);
c->allow_request = ID;
- send_id(c);
return true;
}
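Review bot: removing `send_id(c)` here means the accepting side no longer speaks first; for incoming connections the ID is now sent from id_h() in protocol_auth.c after the peer's own ID has been read. That is the point of the change, but a reader of handle_new_meta_connection() alone will not find where the ID goes out, so leave a one-line comment referring to id_h().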
diff --git a/src/node.c b/src/node.c
index cf70f838..19f37306 100644
--- a/src/node.c
+++ b/src/node.c
@@ -1,6 +1,6 @@
/*
node.c -- node tree management
- Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
+ Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@@ -57,8 +57,10 @@ node_t *new_node(void) {
if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree();
- EVP_CIPHER_CTX_init(&n->inctx);
- EVP_CIPHER_CTX_init(&n->outctx);
+ n->inctx = EVP_CIPHER_CTX_new();
+ n->outctx = EVP_CIPHER_CTX_new();
+ if(!n->inctx || !n->outctx)
+ abort();
n->mtu = MTU;
n->maxmtu = MTU;
@@ -80,8 +82,8 @@ void free_node(node_t *n) {
sockaddrfree(&n->address);
- EVP_CIPHER_CTX_cleanup(&n->inctx);
- EVP_CIPHER_CTX_cleanup(&n->outctx);
+ EVP_CIPHER_CTX_free(n->outctx);
+ EVP_CIPHER_CTX_free(n->inctx);
if(n->mtuevent)
event_del(n->mtuevent);
@@ -172,8 +174,8 @@ void dump_nodes(void) {
for(node = node_tree->head; node; node = node->next) {
n = node->data;
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
- n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0,
- n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression,
+ n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
+ n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
}
diff --git a/src/node.h b/src/node.h
index f9ef3c15..c83610e8 100644
--- a/src/node.h
+++ b/src/node.h
@@ -50,12 +50,12 @@ typedef struct node_t {
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
char *inkey; /* Cipher key and iv */
int inkeylength; /* Cipher key and iv length */
- EVP_CIPHER_CTX inctx; /* Cipher context */
+ EVP_CIPHER_CTX *inctx; /* Cipher context */
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
char *outkey; /* Cipher key and iv */
int outkeylength; /* Cipher key and iv length */
- EVP_CIPHER_CTX outctx; /* Cipher context */
+ EVP_CIPHER_CTX *outctx; /* Cipher context */
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
int inmaclength; /* Length of MAC */
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
index 971341f7..5834fcdf 100644
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@@ -145,7 +145,7 @@ bool id_h(connection_t *c) {
/* Check if identity is a valid name */
- if(!check_id(name)) {
+ if(!check_id(name) || !strcmp(name, myself->name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name,
c->hostname, "invalid name");
return false;
@@ -177,6 +177,11 @@ bool id_h(connection_t *c) {
if(!c->config_tree)
init_configuration(&c->config_tree);
c->allow_request = ACK;
+
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
return send_ack(c);
}
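Review bot: the return value of `send_id(c)` is discarded at both new call sites (here and in the METAKEY branch in the next hunk), unlike every other send_* in this file whose result is propagated; if sending fails, the code goes on to send_ack()/send_metakey() over a connection that is already broken. Write it as `if(!c->outgoing && !send_id(c)) return false;`.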
@@ -196,6 +201,10 @@ bool id_h(connection_t *c) {
c->allow_request = METAKEY;
+ if(!c->outgoing) {
+ send_id(c);
+ }
+
return send_metakey(c);
}
@@ -210,8 +219,11 @@ bool send_metakey(connection_t *c) {
c->outkey = xrealloc(c->outkey, len);
- if(!c->outctx)
- c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
+ if(!c->outctx) {
+ c->outctx = EVP_CIPHER_CTX_new();
+ if(!c->outctx)
+ abort();
+ }
/* Copy random data to the buffer */
@@ -262,17 +274,17 @@ bool send_metakey(connection_t *c) {
/* Send the meta key */
x = send_request(c, "%d %d %d %d %d %s", METAKEY,
- c->outcipher ? c->outcipher->nid : 0,
- c->outdigest ? c->outdigest->type : 0, c->outmaclength,
+ c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
+ c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
c->outcompression, buffer);
/* Further outgoing requests are encrypted with the key we just generated */
if(c->outcipher) {
if(!EVP_EncryptInit(c->outctx, c->outcipher,
- (unsigned char *)c->outkey + len - c->outcipher->key_len,
- (unsigned char *)c->outkey + len - c->outcipher->key_len -
- c->outcipher->iv_len)) {
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
+ EVP_CIPHER_iv_length(c->outcipher))) {
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@@ -308,8 +320,11 @@ bool metakey_h(connection_t *c) {
c->inkey = xrealloc(c->inkey, len);
- if(!c->inctx)
- c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
+ if(!c->inctx) {
+ c->inctx = EVP_CIPHER_CTX_new();
+ if(!c->inctx)
+ abort();
+ }
/* Convert the challenge from hexadecimal back to binary */
@@ -345,9 +360,9 @@ bool metakey_h(connection_t *c) {
}
if(!EVP_DecryptInit(c->inctx, c->incipher,
- (unsigned char *)c->inkey + len - c->incipher->key_len,
- (unsigned char *)c->inkey + len - c->incipher->key_len -
- c->incipher->iv_len)) {
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
+ EVP_CIPHER_iv_length(c->incipher))) {
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
@@ -355,7 +370,8 @@ bool metakey_h(connection_t *c) {
c->status.decryptin = true;
} else {
- c->incipher = NULL;
+ logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname);
+ return false;
}
c->inmaclength = maclength;
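Review bot: rejecting a null cipher (and, in the next hunk, a null digest) for the meta connection is safe to do unconditionally because setup_myself() now always picks an AES-CFB cipher and SHA-256 for the local side, so no peer built from this code can legitimately offer 0 here; say that in a comment, since the old code deliberately accepted NULL and someone may be tempted to restore it for compatibility. Returning false here already routes through the tarpit path in net.c, so no extra handling is needed.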
@@ -368,12 +384,13 @@ bool metakey_h(connection_t *c) {
return false;
}
- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
+ if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
return false;
}
} else {
- c->indigest = NULL;
+ logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname);
+ return false;
}
c->incompression = compression;
@@ -447,27 +464,38 @@ bool challenge_h(connection_t *c) {
/* Rest is done by send_chal_reply() */
- return send_chal_reply(c);
+ if(c->outgoing) {
+ return send_chal_reply(c);
+ } else {
+ return true;
+ }
}
bool send_chal_reply(connection_t *c) {
char hash[EVP_MAX_MD_SIZE * 2 + 1];
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/* Calculate the hash from the challenge we received */
- if(!EVP_DigestInit(&ctx, c->indigest)
- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
+ ctx = EVP_MD_CTX_create();
+ if(!ctx)
+ abort();
+
+ if(!EVP_DigestInit(ctx, c->indigest)
+ || !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
+ || !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
+ EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
+ EVP_MD_CTX_destroy(ctx);
+
/* Convert the hash to a hexadecimal formatted string */
- bin2hex(hash, hash, c->indigest->md_size);
- hash[c->indigest->md_size * 2] = '\0';
+ bin2hex(hash, hash, EVP_MD_size(c->indigest));
+ hash[EVP_MD_size(c->indigest) * 2] = '\0';
/* Send the reply */
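Review bot: for incoming connections challenge_h() now returns true without answering, and the CHAL_REPLY is only sent from chal_reply_h() after the initiator's reply has been verified; that ordering is what the changelog calls preventing oracle attacks (CVE-2018-16737, CVE-2018-16738), but nothing in the code says so. Add a comment at the `if(c->outgoing)` split stating that the responder must not reply first. In send_chal_reply() the EVP_MD_CTX is created and destroyed on both paths, which is correct; `hash` is reused in place by bin2hex, pre-existing and fine as long as its size stays EVP_MAX_MD_SIZE * 2 + 1.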
@@ -477,7 +505,7 @@ bool send_chal_reply(connection_t *c) {
bool chal_reply_h(connection_t *c) {
char hishash[MAX_STRING_SIZE];
char myhash[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
@@ -487,7 +515,7 @@ bool chal_reply_h(connection_t *c) {
/* Check if the length of the hash is all right */
- if(strlen(hishash) != c->outdigest->md_size * 2) {
+ if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply length");
return false;
@@ -495,24 +523,31 @@ bool chal_reply_h(connection_t *c) {
/* Convert the hash to binary format */
- if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
+ if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
return false;
}
/* Calculate the hash from the challenge we sent */
- if(!EVP_DigestInit(&ctx, c->outdigest)
- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
- || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
+ ctx = EVP_MD_CTX_create();
+ if(!ctx)
+ abort();
+
+ if(!EVP_DigestInit(ctx, c->outdigest)
+ || !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
+ || !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
+ EVP_MD_CTX_destroy(ctx);
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
return false;
}
+ EVP_MD_CTX_destroy(ctx);
+
/* Verify the incoming hash with the calculated hash */
- if(memcmp(hishash, myhash, c->outdigest->md_size)) {
+ if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
c->hostname, "wrong challenge reply");
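Review bot: `memcmp(hishash, myhash, EVP_MD_size(c->outdigest))` is the authentication decision, and memcmp exits at the first differing byte; use a constant-time compare (CRYPTO_memcmp from <openssl/crypto.h>, behind a configure check like the others added in m4/openssl.m4 if older OpenSSL must still build). The line is being touched anyway, so this is the moment to change it. The length check in the previous hunk runs before hex2bin, which is the right order.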
@@ -531,6 +566,10 @@ bool chal_reply_h(connection_t *c) {
c->allow_request = ACK;
+ if(!c->outgoing) {
+ send_chal_reply(c);
+ }
+
return send_ack(c);
}
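Review bot: `send_chal_reply(c)` is called here for incoming connections without checking its result, so a failure to send falls through to `send_ack(c)` and the connection is acknowledged although the peer never received our reply. Mirror the existing pattern: `if(!c->outgoing && !send_chal_reply(c)) return false;`.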
diff --git a/src/protocol_edge.c b/src/protocol_edge.c
index 3dfff05e..fa57494e 100644
--- a/src/protocol_edge.c
+++ b/src/protocol_edge.c
@@ -70,7 +70,7 @@ bool add_edge_h(connection_t *c) {
/* Check if names are valid */
- if(!check_id(from_name) || !check_id(to_name)) {
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ADD_EDGE", c->name,
c->hostname, "invalid name");
return false;
@@ -181,7 +181,7 @@ bool del_edge_h(connection_t *c) {
/* Check if names are valid */
- if(!check_id(from_name) || !check_id(to_name)) {
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "DEL_EDGE", c->name,
c->hostname, "invalid name");
return false;
diff --git a/src/protocol_key.c b/src/protocol_key.c
index 301ead5d..1b96597f 100644
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
}
if(to->incipher)
- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+ EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
// Reset sequence number and late packet window
mykeyused = true;
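Review bot: the result of `EVP_DecryptInit_ex(to->inctx, ...)` is still thrown away, while the mirror call in ans_key_h() below checks it and logs; if initialisation fails here the node keeps `incipher` set and every packet from that peer then fails in receive_udppacket() with a less useful error. Check it the same way.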
@@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
myself->name, to->name, key,
- to->incipher ? to->incipher->nid : 0,
- to->indigest ? to->indigest->type : 0, to->inmaclength,
+ to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
+ to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
to->incompression);
}
@@ -268,12 +268,17 @@ bool ans_key_h(connection_t *c) {
return true;
}
- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
+ if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
from->hostname);
return true;
}
} else {
+ if(from->outkeylength != 1) {
+ logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
+ return true;
+ }
+
from->outcipher = NULL;
}
@@ -288,7 +293,7 @@ bool ans_key_h(connection_t *c) {
return true;
}
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
from->name, from->hostname);
return true;
@@ -305,7 +310,7 @@ bool ans_key_h(connection_t *c) {
from->outcompression = compression;
if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
return true;
diff --git a/src/tincd.c b/src/tincd.c
index b6a6c29c..19f2e174 100644
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -330,7 +330,7 @@ static bool parse_options(int argc, char **argv) {
/* This function prettyprints the key generation process */
-static void indicator(int a, int b, void *p) {
+static int indicator(int a, int b, BN_GENCB *cb) {
switch (a) {
case 0:
fprintf(stderr, ".");
@@ -362,19 +362,48 @@ static void indicator(int a, int b, void *p) {
default:
fprintf(stderr, "?");
}
+
+ return 1;
+}
+
+#ifndef HAVE_BN_GENCB_NEW
+BN_GENCB *BN_GENCB_new(void) {
+ return xmalloc_and_zero(sizeof(BN_GENCB));
}
+void BN_GENCB_free(BN_GENCB *cb) {
+ free(cb);
+}
+#endif
+
/*
Generate a public/private RSA keypair, and ask for a file to store
them in.
*/
static bool keygen(int bits) {
+ BIGNUM *e = NULL;
RSA *rsa_key;
FILE *f;
char *pubname, *privname;
+ BN_GENCB *cb;
+ int result;
fprintf(stderr, "Generating %d bits keys:\n", bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
+
+ cb = BN_GENCB_new();
+ if(!cb)
+ abort();
+ BN_GENCB_set(cb, indicator, NULL);
+
+ rsa_key = RSA_new();
+ BN_hex2bn(&e, "10001");
+ if(!rsa_key || !e)
+ abort();
+
+ result = RSA_generate_key_ex(rsa_key, bits, e, cb);
+
+ BN_free(e);
+ BN_GENCB_free(cb);
if(!rsa_key) {
fprintf(stderr, "Error during key generation!\n");
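Review bot: the failure check after RSA_generate_key_ex() still tests `if(!rsa_key)`, but rsa_key was already checked for NULL right after RSA_new() and is never reset, so this branch can no longer fire; it should test `result` (RSA_generate_key_ex() returns 1 on success and 0 on failure) and call RSA_free(rsa_key) on the failure path, otherwise a failed generation falls through to the file-writing code with an uninitialised RSA object. As written, `result` is assigned and never read. One smaller point: the fallback BN_GENCB_new() zero-allocates a struct whose layout is only exposed by OpenSSL 1.0.x, which is fine solely because the #ifndef HAVE_BN_GENCB_NEW branch can only be compiled against those versions; a comment saying so would stop someone "fixing" it later.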
@@ -697,7 +726,11 @@ end:
EVP_cleanup();
ENGINE_cleanup();
CRYPTO_cleanup_all_ex_data();
+#ifdef HAVE_ERR_REMOVE_STATE
+ // OpenSSL claims this function was deprecated in 1.0.0,
+ // but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
ERR_remove_state(0);
+#endif
ERR_free_strings();
exit_configuration(&config_tree);
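Review bot: the configure check gates ERR_remove_state(), which OpenSSL 1.0.0 already deprecated in favour of ERR_remove_thread_state(NULL) and which 1.1.0 removed; since a configure test is being added anyway, prefer detecting ERR_remove_thread_state and calling that, falling back to ERR_remove_state(0) only on pre-1.0.0 builds. The valgrind rationale in the comment is fine, but on 1.1.0 and later the surrounding EVP_cleanup(), ENGINE_cleanup(), CRYPTO_cleanup_all_ex_data() and ERR_free_strings() calls are also no-op macros, so the whole cleanup block could be gated together rather than one line of it.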


@ -1 +0,0 @@
security-fixes
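Review bot: the deleted file listed a single entry, security-fixes, so this import drops a local security patch series outright; the diff does not show what that series contained, so confirm in the changelog that every fix it carried is part of the new upstream release before the patch is removed, otherwise the package silently regresses.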

debian/rules vendored (6 changed lines)

@ -12,15 +12,11 @@
%: %:
dh $@ --parallel dh $@ --parallel
.PHONY: override_dh_strip
override_dh_strip:
dh_strip --dbg-package=tinc-dbg
override_dh_auto_configure: override_dh_auto_configure:
dh_auto_configure -- --enable-uml --enable-vde dh_auto_configure -- --enable-uml --enable-vde
override_dh_auto_install: override_dh_auto_install:
dh_auto_install --destdir=debian/tinc -- install-html dh_auto_install -- install-html
# Remove info dir file # Remove info dir file
rm -f debian/tinc/usr/share/info/dir rm -f debian/tinc/usr/share/info/dir


@ -12,7 +12,11 @@ if [ "$IF_TINC_NET" ] ; then
/usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA /usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA
sleep 0.1 sleep 0.1
i=0; i=0;
while [ -f "$IF_TINC_PIDFILE" ] ; do while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
if [ ! -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then if [ $i = '30' ] ; then
echo 'Failed to stop tinc daemon!' echo 'Failed to stop tinc daemon!'
exit 1 exit 1
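Review bot: the rewritten loop drops the double quotes around $IF_TINC_PIDFILE that the old `while [ -f "$IF_TINC_PIDFILE" ]` had, so a path containing whitespace now breaks both the test and the redirection; quote it. The pid read from the file is also trusted without checking that /proc/$pid is a tincd process, so a stale pidfile whose pid has been reused by something else makes the loop wait the full 30 iterations and report 'Failed to stop tinc daemon!'; comparing /proc/$pid/exe or the process name against tincd avoids that. Note that /proc is Linux-specific, so this script will not work as written on Debian's non-Linux ports.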

debian/tinc.if-pre-up vendored (15 changed lines)

@ -45,7 +45,20 @@ test -n "$LIMITS" && setlimits $LIMITS
sleep 0.1 sleep 0.1
i=0; i=0;
while [ ! -f "$IF_TINC_PIDFILE" ] ; do while [ ! -f $IF_TINC_PIDFILE ] ; do
if [ $i = '30' ] ; then
echo 'Failed to start tinc daemon!'
exit 1
fi
sleep 0.1
i=$(($i+1))
done
while read pid rest < $IF_TINC_PIDFILE ; do
if [ -e "/proc/$pid" ] ; then
exit 0
fi
if [ $i = '30' ] ; then if [ $i = '30' ] ; then
echo 'Failed to start tinc daemon!' echo 'Failed to start tinc daemon!'
exit 1 exit 1
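Review bot: `i` is initialised once before the first loop and never reset, so the second `while read pid rest < $IF_TINC_PIDFILE` loop only gets whatever is left of the 30-iteration budget after waiting for the pidfile to appear; reset `i=0` before it, or merge the two loops into one that waits for a readable pidfile whose pid is alive. As in the shutdown script above, the new code drops the quotes around $IF_TINC_PIDFILE, and the `exit 0` on the first successful /proc check ends the whole script, so anything that follows this block in if-pre-up is skipped; check that nothing else relies on running after it.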


@ -486,12 +486,9 @@ Furthermore, specifying
.Qq none .Qq none
will turn off packet authentication. will turn off packet authentication.
.It Va IndirectData Li = yes | no Pq no .It Va IndirectData Li = yes | no Pq no
This option specifies whether other tinc daemons besides the one you specified with When set to yes, only nodes which already have a meta connection to you
.Va ConnectTo will try to establish direct communication with you.
can make a direct connection to you. It is best to leave this option out or set it to no.
This is especially useful if you are behind a firewall
and it is impossible to make a connection from the outside to your tinc daemon.
Otherwise, it is best to leave this option out or set it to no.
.It Va MACLength Li = Ar length Pq 4 .It Va MACLength Li = Ar length Pq 4
The length of the message authentication code used to authenticate UDP packets. The length of the message authentication code used to authenticate UDP packets.
Can be anything from Can be anything from
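Review bot: the rewritten IndirectData text drops the one sentence a reader needs in order to decide whether to set it, namely that it is meant for nodes behind a firewall that cannot accept inbound connections; the new wording says what the option does but not when it is appropriate, so keep a short sentence on the firewall case alongside the advice to leave it at no.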


@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual. * tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.23, a Virtual Private This is the info manual for tinc version 1.0.25, a Virtual Private
Network daemon. Network daemon.
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
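Review bot: the version string is bumped to 1.0.25 but the Copyright line two lines below still reads 1998-2014 on both sides of the diff; since tinc.info is generated from tinc.texi, check that the .texi source carries the current year and version and that the info file is regenerated from it rather than hand-edited, otherwise the two will keep drifting apart at each release.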
@ -139,7 +139,7 @@ File: tinc.info, Node: Supported platforms, Prev: tinc, Up: Introduction
======================= =======================
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD,
MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin
environment), with various hardware architectures. These are some of environment), with various hardware architectures. These are some of
the platforms that are supported by the universal tun/tap device driver the platforms that are supported by the universal tun/tap device driver
or other virtual network device drivers. Without such a driver, tinc or other virtual network device drivers. Without such a driver, tinc
@ -176,7 +176,7 @@ File: tinc.info, Node: Configuring the kernel, Next: Libraries, Up: Preparati
* Configuration of OpenBSD kernels:: * Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels:: * Configuration of NetBSD kernels::
* Configuration of Solaris kernels:: * Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels:: * Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows:: * Configuration of Windows::
 
@ -238,7 +238,7 @@ default kernel configuration.
Tunneling IPv6 may not work on NetBSD's tun device. Tunneling IPv6 may not work on NetBSD's tun device.
 
File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (MacOS/X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (Mac OS X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
2.1.5 Configuration of Solaris kernels 2.1.5 Configuration of Solaris kernels
-------------------------------------- --------------------------------------
@ -251,23 +251,18 @@ sparc64 architectures, precompiled versions can be found at
header file is missing, install it from the source package. header file is missing, install it from the source package.
 
File: tinc.info, Node: Configuration of Darwin (MacOS/X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel File: tinc.info, Node: Configuration of Darwin (Mac OS X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
2.1.6 Configuration of Darwin (MacOS/X) kernels 2.1.6 Configuration of Darwin (Mac OS X) kernels
----------------------------------------------- ------------------------------------------------
Tinc on Darwin relies on a tunnel driver for its data acquisition from Tinc on Darwin relies on a tunnel driver for its data acquisition from
the kernel. Tinc supports either the driver from the kernel. Tinc supports either the driver from
<http://tuntaposx.sourceforge.net/>, which supports both tun and tap <http://tuntaposx.sourceforge.net/>, which supports both tun and tap
style devices, and also the driver from from style devices.
<http://chrisp.de/en/projects/tunnel.html>. The former driver is
recommended. The tunnel driver must be loaded before starting tinc with
the following command:
kmodload tunnel
 
File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (MacOS/X) kernels, Up: Configuring the kernel File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (Mac OS X) kernels, Up: Configuring the kernel
2.1.7 Configuration of Windows 2.1.7 Configuration of Windows
------------------------------ ------------------------------
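Review bot: the Darwin section now names only the tuntaposx driver, but the old instruction that the tunnel driver must be loaded before starting tinc (the `kmodload tunnel` line) is removed wholesale rather than replaced; if tuntaposx needs its kext loaded manually, or installs a launch daemon that loads it, say which, since the reader otherwise loses the only hint about driver loading in this section.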
@ -304,7 +299,7 @@ File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries
For all cryptography-related functions, tinc uses the functions provided For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the OpenSSL library.
If this library is not installed, you wil get an error when If this library is not installed, you will get an error when
configuring tinc for build. Support for running tinc with other configuring tinc for build. Support for running tinc with other
cryptographic libraries installed _may_ be added in the future. cryptographic libraries installed _may_ be added in the future.
@ -360,7 +355,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
For the optional compression of UDP packets, tinc uses the functions For the optional compression of UDP packets, tinc uses the functions
provided by the zlib library. provided by the zlib library.
If this library is not installed, you wil get an error when running If this library is not installed, you will get an error when running
the configure script. You can either install the zlib library, or the configure script. You can either install the zlib library, or
disable support for zlib compression by using the "-disable-zlib" option disable support for zlib compression by using the "-disable-zlib" option
when running the configure script. Note that if you disable support for when running the configure script. Note that if you disable support for
@ -385,7 +380,7 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
Another form of compression is offered using the LZO library. Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running If this library is not installed, you will get an error when running
the configure script. You can either install the LZO library, or the configure script. You can either install the LZO library, or
disable support for LZO compression by using the "-disable-lzo" option disable support for LZO compression by using the "-disable-lzo" option
when running the configure script. Note that if you disable support for when running the configure script. Note that if you disable support for
@ -445,25 +440,26 @@ your distribution will tell you how to do that.
* Menu: * Menu:
* Darwin (MacOS/X) build environment:: * Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment:: * Cygwin (Windows) build environment::
* MinGW (Windows) build environment:: * MinGW (Windows) build environment::
 
File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
3.1.1 Darwin (MacOS/X) build environment 3.1.1 Darwin (Mac OS X) build environment
---------------------------------------- -----------------------------------------
In order to build tinc on Darwin, you need to install the MacOS/X In order to build tinc on Darwin, you need to install the Mac OS X
Developer Tools from <http://developer.apple.com/tools/macosxtools.html> Developer Tools from <http://developer.apple.com/tools/macosxtools.html>
and a recent version of Fink from <http://www.finkproject.org/>. and preferably a recent version of Fink from
<http://www.finkproject.org/>.
After installation use fink to download and install the following After installation use fink to download and install the following
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
 
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (MacOS/X) build environment, Up: Building and installing tinc File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
3.1.2 Cygwin (Windows) build environment 3.1.2 Cygwin (Windows) build environment
---------------------------------------- ----------------------------------------
@ -596,9 +592,9 @@ assign a NETNAME to your VPN. It is not required if you only run one
tinc daemon, it doesn't even have to be the same on all the sites of tinc daemon, it doesn't even have to be the same on all the sites of
your VPN, but it is recommended that you choose one anyway. your VPN, but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document. This means We will assume you use a netname throughout this document. This
that you call tincd with the -n argument, which will assign a netname to means that you call tincd with the -n argument, which will assign a
this daemon. netname to this daemon.
The effect of this is that the daemon will set its configuration root The effect of this is that the daemon will set its configuration root
to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n
@ -626,7 +622,7 @@ in the configuration file tinc.conf. If it sees one or more 'ConnectTo'
values pointing to other tinc daemons in that file, it will try to values pointing to other tinc daemons in that file, it will try to
connect to those other daemons. Whether this succeeds or not and connect to those other daemons. Whether this succeeds or not and
whether 'ConnectTo' is specified or not, tinc will listen for incoming whether 'ConnectTo' is specified or not, tinc will listen for incoming
connection from other deamons. If you did specify a 'ConnectTo' value connection from other daemons. If you did specify a 'ConnectTo' value
and the other side is not responding, tinc will keep retrying. This and the other side is not responding, tinc will keep retrying. This
means that once started, tinc will stay running until you tell it to means that once started, tinc will stay running until you tell it to
stop, and failures to connect to other tinc daemons will not stop your stop, and failures to connect to other tinc daemons will not stop your
@ -649,7 +645,7 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the '/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'. directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from An optional directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read. which any .conf file will be read.
These file consists of comments (lines started with a #) or These file consists of comments (lines started with a #) or
@ -755,10 +751,9 @@ DecrementTTL = <yes | no> (no) [experimental]
Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform) Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform)
The virtual network device to use. Tinc will automatically detect The virtual network device to use. Tinc will automatically detect
what kind of device it is. Note that you can only use one device what kind of device it is. Under Windows, use INTERFACE instead of
per daemon. Under Windows, use INTERFACE instead of DEVICE. Note DEVICE. Note that you can only use one device per daemon. See
that you can only use one device per daemon. See also *note Device also *note Device files::.
files::.
DeviceType = <TYPE> (platform dependent) DeviceType = <TYPE> (platform dependent)
The type of the virtual network device. Tinc will normally The type of the virtual network device. Tinc will normally
@ -937,7 +932,7 @@ Mode = <router|switch|hub> (router)
Name = <NAME> [required] Name = <NAME> [required]
This is a symbolic name for this connection. The name should This is a symbolic name for this connection. The name should
consist only of alfanumeric and underscore characters (a-z, A-Z, consist only of alphanumeric and underscore characters (a-z, A-Z,
0-9 and _). 0-9 and _).
If Name starts with a $, then the contents of the environment If Name starts with a $, then the contents of the environment
@ -964,7 +959,7 @@ PriorityInheritance = <yes|no> (no) [experimental]
PrivateKey = <KEY> [obsolete] PrivateKey = <KEY> [obsolete]
This is the RSA private key for tinc. However, for safety reasons This is the RSA private key for tinc. However, for safety reasons
it is advised to store private keys of any kind in separate files. it is advised to store private keys of any kind in separate files.
This prevents accidental eavesdropping if you are editting the This prevents accidental eavesdropping if you are editing the
configuration file. configuration file.
PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv') PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv')
@ -1114,9 +1109,9 @@ PublicKeyFile = <PATH> [obsolete]
Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]> Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
The subnet which this tinc daemon will serve. Tinc tries to look The subnet which this tinc daemon will serve. Tinc tries to look
up which other daemon it should send a packet to by searching the up which other daemon it should send a packet to by searching the
appropiate subnet. If the packet matches a subnet, it will be sent appropriate subnet. If the packet matches a subnet, it will be
to the daemon who has this subnet in his host configuration file. sent to the daemon who has this subnet in his host configuration
Multiple subnet lines can be specified for each daemon. file. Multiple subnet lines can be specified for each daemon.
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which Subnets can either be single MAC, IPv4 or IPv6 addresses, in which
case a subnet consisting of only that single address is assumed, or case a subnet consisting of only that single address is assumed, or
@ -1186,11 +1181,11 @@ scripts should have the extension .bat.
This script is started when any host becomes unreachable. This script is started when any host becomes unreachable.
'/etc/tinc/NETNAME/subnet-up' '/etc/tinc/NETNAME/subnet-up'
This script is started when a Subnet becomes reachable. The Subnet This script is started when a subnet becomes reachable. The Subnet
and the node it belongs to are passed in environment variables. and the node it belongs to are passed in environment variables.
'/etc/tinc/NETNAME/subnet-down' '/etc/tinc/NETNAME/subnet-down'
This script is started when a Subnet becomes unreachable. This script is started when a subnet becomes unreachable.
The scripts are started without command line arguments, but can make The scripts are started without command line arguments, but can make
use of certain environment variables. Under UNIX like operating systems use of certain environment variables. Under UNIX like operating systems
@ -1252,7 +1247,7 @@ Step 2. Creating your host configuration file
............................................. .............................................
If you added a line containing 'Name = yourname' in the main If you added a line containing 'Name = yourname' in the main
configuarion file, you will need to create a host configuration file configuration file, you will need to create a host configuration file
'/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to '/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to
create a host configuration file: create a host configuration file:
@ -1880,7 +1875,7 @@ packets, and 'tap' style, which are Ethernet devices and handle complete
Ethernet frames. Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines So when tinc reads an Ethernet frame from the device, it determines
its type. When tinc is in it's default routing mode, it can handle IPv4 its type. When tinc is in its default routing mode, it can handle IPv4
and IPv6 packets. Depending on the Subnet lines, it will send the and IPv6 packets. Depending on the Subnet lines, it will send the
packets off to their destination IP address. In the 'switch' and 'hub' packets off to their destination IP address. In the 'switch' and 'hub'
mode, tinc will use broadcasts and MAC address discovery to deduce the mode, tinc will use broadcasts and MAC address discovery to deduce the
@ -1909,8 +1904,8 @@ the decrypted information to its own virtual network device.
tunnel), there is no problem for the kernel to accept a packet. tunnel), there is no problem for the kernel to accept a packet.
However, if it is a 'tap' device (this is the only available type on However, if it is a 'tap' device (this is the only available type on
FreeBSD), the destination MAC address must match that of the virtual FreeBSD), the destination MAC address must match that of the virtual
network interface. If tinc is in it's default routing mode, ARP does network interface. If tinc is in its default routing mode, ARP does not
not work, so the correct destination MAC can not be known by the sending work, so the correct destination MAC can not be known by the sending
host. Tinc solves this by letting the receiving end detect the MAC host. Tinc solves this by letting the receiving end detect the MAC
address of its own virtual network interface and overwriting the address of its own virtual network interface and overwriting the
destination MAC address of the received packet. destination MAC address of the received packet.
@ -2296,7 +2291,7 @@ FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Darwin (MacOS/X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK Darwin (Mac OS X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
For IPv6 addresses: For IPv6 addresses:
@ -2307,7 +2302,7 @@ OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Solaris 'ifconfig' INTERFACE 'inet6 plumb up' Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS 'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH Darwin (Mac OS X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
On some platforms, when running tinc in switch mode, the VPN On some platforms, when running tinc in switch mode, the VPN
@ -2344,7 +2339,7 @@ FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS Darwin (Mac OS X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
LOCAL_ADDRESS LOCAL_ADDRESS
@ -2356,7 +2351,7 @@ FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRE
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface' Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
Darwin (MacOS/X) ? Darwin (Mac OS X) 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE
 
@ -2457,13 +2452,13 @@ Concept Index
* DEVICE: Scripts. (line 53) * DEVICE: Scripts. (line 53)
* device files: Device files. (line 6) * device files: Device files. (line 6)
* DeviceType: Main configuration variables. * DeviceType: Main configuration variables.
(line 80) (line 79)
* Digest: Host configuration variables. * Digest: Host configuration variables.
(line 31) (line 31)
* DirectOnly: Main configuration variables. * DirectOnly: Main configuration variables.
(line 145) (line 144)
* dummy: Main configuration variables. * dummy: Main configuration variables.
(line 87) (line 86)
* encapsulating: The UDP tunnel. (line 30) * encapsulating: The UDP tunnel. (line 30)
* encryption: Encryption of network packets. * encryption: Encryption of network packets.
(line 6) (line 6)
@ -2471,53 +2466,53 @@ Concept Index
* example: Example configuration. * example: Example configuration.
(line 6) (line 6)
* exec: Main configuration variables. * exec: Main configuration variables.
(line 315) (line 314)
* Forwarding: Main configuration variables. * Forwarding: Main configuration variables.
(line 152) (line 151)
* frame type: The UDP tunnel. (line 6) * frame type: The UDP tunnel. (line 6)
* GraphDumpFile: Main configuration variables. * GraphDumpFile: Main configuration variables.
(line 172) (line 171)
* Hostnames: Main configuration variables. * Hostnames: Main configuration variables.
(line 180) (line 179)
* http: Main configuration variables. * http: Main configuration variables.
(line 312) (line 311)
* hub: Main configuration variables. * hub: Main configuration variables.
(line 250) (line 249)
* ID: Authentication protocol. * ID: Authentication protocol.
(line 10) (line 10)
* IffOneQueue: Main configuration variables. * IffOneQueue: Main configuration variables.
(line 191) (line 190)
* IndirectData: Host configuration variables. * IndirectData: Host configuration variables.
(line 36) (line 36)
* Interface: Main configuration variables. * Interface: Main configuration variables.
(line 194) (line 193)
* INTERFACE: Scripts. (line 56) * INTERFACE: Scripts. (line 56)
* IRC: Contact information. (line 9) * IRC: Contact information. (line 9)
* key generation: Generating keypairs. (line 6) * key generation: Generating keypairs. (line 6)
* KeyExpire: Main configuration variables. * KeyExpire: Main configuration variables.
(line 202) (line 201)
* KEY_CHANGED: The meta-protocol. (line 63) * KEY_CHANGED: The meta-protocol. (line 63)
* libraries: Libraries. (line 6) * libraries: Libraries. (line 6)
* license: OpenSSL. (line 35) * license: OpenSSL. (line 35)
* LocalDiscovery: Main configuration variables. * LocalDiscovery: Main configuration variables.
(line 208) (line 207)
* lzo: lzo. (line 6) * lzo: lzo. (line 6)
* MACExpire: Main configuration variables. * MACExpire: Main configuration variables.
(line 219) (line 218)
* MACLength: Host configuration variables. * MACLength: Host configuration variables.
(line 44) (line 44)
* MaxTimeout: Main configuration variables. * MaxTimeout: Main configuration variables.
(line 224) (line 223)
* meta-protocol: The meta-connection. (line 18) * meta-protocol: The meta-connection. (line 18)
* META_KEY: Authentication protocol. * META_KEY: Authentication protocol.
(line 10) (line 10)
* Mode: Main configuration variables. * Mode: Main configuration variables.
(line 228) (line 227)
* multicast: Main configuration variables. * multicast: Main configuration variables.
(line 99) (line 98)
* multiple networks: Multiple networks. (line 6) * multiple networks: Multiple networks. (line 6)
* Name: Main configuration variables. * Name: Main configuration variables.
(line 255) (line 254)
* NAME: Scripts. (line 50) * NAME: Scripts. (line 50)
* netmask: Network interfaces. (line 33) * netmask: Network interfaces. (line 33)
* netname: Multiple networks. (line 6) * netname: Multiple networks. (line 6)
@ -2531,9 +2526,9 @@ Concept Index
(line 69) (line 69)
* PING: The meta-protocol. (line 88) * PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables. * PingInterval: Main configuration variables.
(line 266) (line 265)
* PingTimeout: Main configuration variables. * PingTimeout: Main configuration variables.
(line 270) (line 269)
* platforms: Supported platforms. (line 6) * platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables. * PMTU: Host configuration variables.
(line 49) (line 49)
@ -2544,32 +2539,32 @@ Concept Index
(line 57) (line 57)
* port numbers: Other files. (line 17) * port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables. * PriorityInheritance: Main configuration variables.
(line 276) (line 275)
* private: Virtual Private Networks. * private: Virtual Private Networks.
(line 10) (line 10)
* PrivateKey: Main configuration variables. * PrivateKey: Main configuration variables.
(line 281) (line 280)
* PrivateKeyFile: Main configuration variables. * PrivateKeyFile: Main configuration variables.
(line 287) (line 286)
* ProcessPriority: Main configuration variables. * ProcessPriority: Main configuration variables.
(line 292) (line 291)
* Proxy: Main configuration variables. * Proxy: Main configuration variables.
(line 297) (line 296)
* PublicKey: Host configuration variables. * PublicKey: Host configuration variables.
(line 61) (line 61)
* PublicKeyFile: Host configuration variables. * PublicKeyFile: Host configuration variables.
(line 64) (line 64)
* raw_socket: Main configuration variables. * raw_socket: Main configuration variables.
(line 92) (line 91)
* release: Supported platforms. (line 14) * release: Supported platforms. (line 14)
* REMOTEADDRESS: Scripts. (line 65) * REMOTEADDRESS: Scripts. (line 65)
* REMOTEPORT: Scripts. (line 68) * REMOTEPORT: Scripts. (line 68)
* ReplayWindow: Main configuration variables. * ReplayWindow: Main configuration variables.
(line 320) (line 319)
* requirements: Libraries. (line 6) * requirements: Libraries. (line 6)
* REQ_KEY: The meta-protocol. (line 63) * REQ_KEY: The meta-protocol. (line 63)
* router: Main configuration variables. * router: Main configuration variables.
(line 231) (line 230)
* runtime options: Runtime options. (line 9) * runtime options: Runtime options. (line 9)
* scalability: tinc. (line 19) * scalability: tinc. (line 19)
* scripts: Scripts. (line 6) * scripts: Scripts. (line 6)
@ -2577,11 +2572,11 @@ Concept Index
(line 18) (line 18)
* signals: Signals. (line 6) * signals: Signals. (line 6)
* socks4: Main configuration variables. * socks4: Main configuration variables.
(line 301) (line 300)
* socks5: Main configuration variables. * socks5: Main configuration variables.
(line 306) (line 305)
* StrictSubnets: Main configuration variables. * StrictSubnets: Main configuration variables.
(line 331) (line 330)
* Subnet: Host configuration variables. * Subnet: Host configuration variables.
(line 76) (line 76)
* SUBNET: Scripts. (line 72) * SUBNET: Scripts. (line 72)
@ -2589,7 +2584,7 @@ Concept Index
(line 98) (line 98)
* SVPN: Security. (line 11) * SVPN: Security. (line 11)
* switch: Main configuration variables. * switch: Main configuration variables.
(line 239) (line 238)
* TCP: The meta-connection. (line 10) * TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables. * TCPonly: Host configuration variables.
(line 105) (line 105)
@ -2601,24 +2596,24 @@ Concept Index
* tincd: tinc. (line 14) * tincd: tinc. (line 14)
* traditional VPNs: tinc. (line 19) * traditional VPNs: tinc. (line 19)
* tunifhead: Main configuration variables. * tunifhead: Main configuration variables.
(line 134) (line 133)
* TunnelServer: Main configuration variables. * TunnelServer: Main configuration variables.
(line 338) (line 337)
* tunnohead: Main configuration variables. * tunnohead: Main configuration variables.
(line 128) (line 127)
* UDP: The UDP tunnel. (line 30) * UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets. * UDP <1>: Encryption of network packets.
(line 12) (line 12)
* UDPRcvBuf: Main configuration variables. * UDPRcvBuf: Main configuration variables.
(line 345) (line 344)
* UDPSndBuf: Main configuration variables. * UDPSndBuf: Main configuration variables.
(line 350) (line 349)
* UML: Main configuration variables. * UML: Main configuration variables.
(line 110) (line 109)
* Universal tun/tap: Configuration of Linux kernels. * Universal tun/tap: Configuration of Linux kernels.
(line 6) (line 6)
* VDE: Main configuration variables. * VDE: Main configuration variables.
(line 115) (line 114)
* virtual: Virtual Private Networks. * virtual: Virtual Private Networks.
(line 18) (line 18)
* virtual network device: The UDP tunnel. (line 6) * virtual network device: The UDP tunnel. (line 6)
@ -2637,61 +2632,61 @@ Node: Introduction1105
Node: Virtual Private Networks1915 Node: Virtual Private Networks1915
Node: tinc3639 Node: tinc3639
Node: Supported platforms5166 Node: Supported platforms5166
Node: Preparations5865 Node: Preparations5866
Node: Configuring the kernel6121 Node: Configuring the kernel6122
Node: Configuration of Linux kernels6530 Node: Configuration of Linux kernels6532
Node: Configuration of FreeBSD kernels7385 Node: Configuration of FreeBSD kernels7387
Node: Configuration of OpenBSD kernels7850 Node: Configuration of OpenBSD kernels7852
Node: Configuration of NetBSD kernels8458 Node: Configuration of NetBSD kernels8460
Node: Configuration of Solaris kernels8863 Node: Configuration of Solaris kernels8865
Node: Configuration of Darwin (MacOS/X) kernels9524 Node: Configuration of Darwin (Mac OS X) kernels9527
Node: Configuration of Windows10213 Node: Configuration of Windows10005
Node: Libraries10726 Node: Libraries10519
Node: OpenSSL11114 Node: OpenSSL10907
Node: zlib13401 Node: zlib13195
Node: lzo14428 Node: lzo14223
Node: Installation15409 Node: Installation15205
Node: Building and installing tinc16424 Node: Building and installing tinc16220
Node: Darwin (MacOS/X) build environment17083 Node: Darwin (Mac OS X) build environment16880
Node: Cygwin (Windows) build environment17650 Node: Cygwin (Windows) build environment17462
Node: MinGW (Windows) build environment18237 Node: MinGW (Windows) build environment18050
Node: System files18761 Node: System files18574
Node: Device files19026 Node: Device files18839
Node: Other files19442 Node: Other files19255
Node: Configuration20055 Node: Configuration19868
Node: Configuration introduction20366 Node: Configuration introduction20179
Node: Multiple networks21634 Node: Multiple networks21447
Node: How connections work23059 Node: How connections work22873
Node: Configuration files24281 Node: Configuration files24095
Node: Main configuration variables25776 Node: Main configuration variables25589
Node: Host configuration variables41870 Node: Host configuration variables41628
Node: Scripts47371 Node: Scripts47131
Node: How to configure50134 Node: How to configure49894
Node: Generating keypairs51391 Node: Generating keypairs51152
Node: Network interfaces51890 Node: Network interfaces51651
Node: Example configuration53738 Node: Example configuration53499
Node: Running tinc59063 Node: Running tinc58824
Node: Runtime options59653 Node: Runtime options59414
Node: Signals62955 Node: Signals62716
Node: Debug levels64146 Node: Debug levels63907
Node: Solving problems65082 Node: Solving problems64843
Node: Error messages66634 Node: Error messages66395
Node: Sending bug reports70643 Node: Sending bug reports70404
Node: Technical information71590 Node: Technical information71351
Node: The connection71821 Node: The connection71582
Node: The UDP tunnel72133 Node: The UDP tunnel71894
Node: The meta-connection75196 Node: The meta-connection74955
Node: The meta-protocol76665 Node: The meta-protocol76424
Node: Security81682 Node: Security81441
Node: Authentication protocol82815 Node: Authentication protocol82574
Node: Encryption of network packets87832 Node: Encryption of network packets87619
Node: Security issues89208 Node: Security issues88995
Node: Platform specific information90835 Node: Platform specific information90622
Node: Interface configuration91063 Node: Interface configuration90850
Node: Routes93516 Node: Routes93321
Node: About us95433 Node: About us95335
Node: Contact information95608 Node: Contact information95510
Node: Authors96012 Node: Authors95914
Node: Concept Index96417 Node: Concept Index96319
 
End Tag Table End Tag Table

View file

@ -176,7 +176,7 @@ available too.
@section Supported platforms @section Supported platforms
@cindex platforms @cindex platforms
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment), Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
with various hardware architectures. These are some of the platforms with various hardware architectures. These are some of the platforms
that are supported by the universal tun/tap device driver or other virtual network device drivers. that are supported by the universal tun/tap device driver or other virtual network device drivers.
Without such a driver, tinc will most Without such a driver, tinc will most
@ -224,7 +224,7 @@ support tinc.
* Configuration of OpenBSD kernels:: * Configuration of OpenBSD kernels::
* Configuration of NetBSD kernels:: * Configuration of NetBSD kernels::
* Configuration of Solaris kernels:: * Configuration of Solaris kernels::
* Configuration of Darwin (MacOS/X) kernels:: * Configuration of Darwin (Mac OS X) kernels::
* Configuration of Windows:: * Configuration of Windows::
@end menu @end menu
@ -298,19 +298,12 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa
@c ================================================================== @c ==================================================================
@node Configuration of Darwin (MacOS/X) kernels @node Configuration of Darwin (Mac OS X) kernels
@subsection Configuration of Darwin (MacOS/X) kernels @subsection Configuration of Darwin (Mac OS X) kernels
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel. Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/}, Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
which supports both tun and tap style devices, which supports both tun and tap style devices.
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
The former driver is recommended.
The tunnel driver must be loaded before starting tinc with the following command:
@example
kmodload tunnel
@end example
@c ================================================================== @c ==================================================================
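Review bot: the word "either" in "Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/}, which supports both tun and tap style devices." is left dangling now that the chrisp.de alternative has been deleted; drop it so the sentence reads "Tinc supports the driver from ..., which supports both tun and tap style devices." Note also that the @example with "kmodload tunnel" goes away with the old driver, so this node no longer tells the reader whether anything must be loaded before starting tincd; confirm that is intended for the remaining driver.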
@ -349,7 +342,7 @@ having them installed, configure will give you an error message, and stop.
For all cryptography-related functions, tinc uses the functions provided For all cryptography-related functions, tinc uses the functions provided
by the OpenSSL library. by the OpenSSL library.
If this library is not installed, you wil get an error when configuring If this library is not installed, you will get an error when configuring
tinc for build. Support for running tinc with other cryptographic libraries tinc for build. Support for running tinc with other cryptographic libraries
installed @emph{may} be added in the future. installed @emph{may} be added in the future.
@ -413,7 +406,7 @@ Markus F.X.J. Oberhumer
For the optional compression of UDP packets, tinc uses the functions provided For the optional compression of UDP packets, tinc uses the functions provided
by the zlib library. by the zlib library.
If this library is not installed, you wil get an error when running the If this library is not installed, you will get an error when running the
configure script. You can either install the zlib library, or disable support configure script. You can either install the zlib library, or disable support
for zlib compression by using the "--disable-zlib" option when running the for zlib compression by using the "--disable-zlib" option when running the
configure script. Note that if you disable support for zlib, the resulting configure script. Note that if you disable support for zlib, the resulting
@ -437,7 +430,7 @@ default).
@cindex lzo @cindex lzo
Another form of compression is offered using the LZO library. Another form of compression is offered using the LZO library.
If this library is not installed, you wil get an error when running the If this library is not installed, you will get an error when running the
configure script. You can either install the LZO library, or disable support configure script. You can either install the LZO library, or disable support
for LZO compression by using the "--disable-lzo" option when running the for LZO compression by using the "--disable-lzo" option when running the
configure script. Note that if you disable support for LZO, the resulting configure script. Note that if you disable support for LZO, the resulting
@ -503,19 +496,19 @@ you can use the package management tools of that distribution to install tinc.
The documentation that comes along with your distribution will tell you how to do that. The documentation that comes along with your distribution will tell you how to do that.
@menu @menu
* Darwin (MacOS/X) build environment:: * Darwin (Mac OS X) build environment::
* Cygwin (Windows) build environment:: * Cygwin (Windows) build environment::
* MinGW (Windows) build environment:: * MinGW (Windows) build environment::
@end menu @end menu
@c ================================================================== @c ==================================================================
@node Darwin (MacOS/X) build environment @node Darwin (Mac OS X) build environment
@subsection Darwin (MacOS/X) build environment @subsection Darwin (Mac OS X) build environment
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
from @uref{http://developer.apple.com/tools/macosxtools.html} and from @uref{http://developer.apple.com/tools/macosxtools.html} and
a recent version of Fink from @uref{http://www.finkproject.org/}. preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
After installation use fink to download and install the following packages: After installation use fink to download and install the following packages:
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo. autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
@ -666,7 +659,7 @@ It is not required if you only run one tinc daemon,
it doesn't even have to be the same on all the sites of your VPN, it doesn't even have to be the same on all the sites of your VPN,
but it is recommended that you choose one anyway. but it is recommended that you choose one anyway.
We will asume you use a netname throughout this document. We will assume you use a netname throughout this document.
This means that you call tincd with the -n argument, This means that you call tincd with the -n argument,
which will assign a netname to this daemon. which will assign a netname to this daemon.
@ -694,7 +687,7 @@ reads in the configuration file tinc.conf.
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file, If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
it will try to connect to those other daemons. it will try to connect to those other daemons.
Whether this succeeds or not and whether `ConnectTo' is specified or not, Whether this succeeds or not and whether `ConnectTo' is specified or not,
tinc will listen for incoming connection from other deamons. tinc will listen for incoming connection from other daemons.
If you did specify a `ConnectTo' value and the other side is not responding, If you did specify a `ConnectTo' value and the other side is not responding,
tinc will keep retrying. tinc will keep retrying.
This means that once started, tinc will stay running until you tell it to stop, This means that once started, tinc will stay running until you tell it to stop,
@ -718,7 +711,7 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory @file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}. @file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read. any .conf file will be read.
These file consists of comments (lines started with a #) or assignments These file consists of comments (lines started with a #) or assignments
@ -829,7 +822,6 @@ Do not use this option if you use switch mode and want to use IPv6.
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform) @item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
The virtual network device to use. The virtual network device to use.
Tinc will automatically detect what kind of device it is. Tinc will automatically detect what kind of device it is.
Note that you can only use one device per daemon.
Under Windows, use @var{Interface} instead of @var{Device}. Under Windows, use @var{Interface} instead of @var{Device}.
Note that you can only use one device per daemon. Note that you can only use one device per daemon.
See also @ref{Device files}. See also @ref{Device files}.
@ -1022,7 +1014,7 @@ while no routing table is managed.
@cindex Name @cindex Name
@item Name = <@var{name}> [required] @item Name = <@var{name}> [required]
This is a symbolic name for this connection. This is a symbolic name for this connection.
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _). The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
If Name starts with a $, then the contents of the environment variable that follows will be used. If Name starts with a $, then the contents of the environment variable that follows will be used.
In that case, invalid characters will be converted to underscores. In that case, invalid characters will be converted to underscores.
@ -1049,7 +1041,7 @@ will be inherited by the UDP packets that are sent out.
@item PrivateKey = <@var{key}> [obsolete] @item PrivateKey = <@var{key}> [obsolete]
This is the RSA private key for tinc. However, for safety reasons it is This is the RSA private key for tinc. However, for safety reasons it is
advised to store private keys of any kind in separate files. This prevents advised to store private keys of any kind in separate files. This prevents
accidental eavesdropping if you are editting the configuration file. accidental eavesdropping if you are editing the configuration file.
@cindex PrivateKeyFile @cindex PrivateKeyFile
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv}) @item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
@ -1216,7 +1208,7 @@ connection with that host.
@cindex Subnet @cindex Subnet
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]> @item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
The subnet which this tinc daemon will serve. The subnet which this tinc daemon will serve.
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet. Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
If the packet matches a subnet, If the packet matches a subnet,
it will be sent to the daemon who has this subnet in his host configuration file. it will be sent to the daemon who has this subnet in his host configuration file.
Multiple subnet lines can be specified for each daemon. Multiple subnet lines can be specified for each daemon.
@ -1293,11 +1285,11 @@ This script is started when any host becomes reachable.
This script is started when any host becomes unreachable. This script is started when any host becomes unreachable.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-up @item @value{sysconfdir}/tinc/@var{netname}/subnet-up
This script is started when a Subnet becomes reachable. This script is started when a subnet becomes reachable.
The Subnet and the node it belongs to are passed in environment variables. The Subnet and the node it belongs to are passed in environment variables.
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down @item @value{sysconfdir}/tinc/@var{netname}/subnet-down
This script is started when a Subnet becomes unreachable. This script is started when a subnet becomes unreachable.
@end table @end table
@cindex environment variables @cindex environment variables
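Review bot: capitalisation is now inconsistent within this hunk: "Subnet" was lowercased in both "becomes reachable" and "becomes unreachable" sentences, but the unchanged line "The Subnet and the node it belongs to are passed in environment variables." still capitalises it; lowercase that occurrence too so the three lines agree.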
@ -1368,7 +1360,7 @@ add `ConnectTo' values.
@subsubheading Step 2. Creating your host configuration file @subsubheading Step 2. Creating your host configuration file
If you added a line containing `Name = yourname' in the main configuarion file, If you added a line containing `Name = yourname' in the main configuration file,
you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}. you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}.
Adapt the following example to create a host configuration file: Adapt the following example to create a host configuration file:
@ -2022,7 +2014,7 @@ There are two possible types of virtual network devices:
and `tap' style, which are Ethernet devices and handle complete Ethernet frames. and `tap' style, which are Ethernet devices and handle complete Ethernet frames.
So when tinc reads an Ethernet frame from the device, it determines its So when tinc reads an Ethernet frame from the device, it determines its
type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6 type. When tinc is in its default routing mode, it can handle IPv4 and IPv6
packets. Depending on the Subnet lines, it will send the packets off to their destination IP address. packets. Depending on the Subnet lines, it will send the packets off to their destination IP address.
In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery
to deduce the destination of the packets. to deduce the destination of the packets.
@ -2053,7 +2045,7 @@ If the virtual network device is a `tun' device (a point-to-point tunnel),
there is no problem for the kernel to accept a packet. there is no problem for the kernel to accept a packet.
However, if it is a `tap' device (this is the only available type on FreeBSD), However, if it is a `tap' device (this is the only available type on FreeBSD),
the destination MAC address must match that of the virtual network interface. the destination MAC address must match that of the virtual network interface.
If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC If tinc is in its default routing mode, ARP does not work, so the correct destination MAC
can not be known by the sending host. can not be known by the sending host.
Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface
and overwriting the destination MAC address of the received packet. and overwriting the destination MAC address of the received packet.
@ -2446,7 +2438,7 @@ netmask should be such that it encompasses the entire VPN.
For IPv4 addresses: For IPv4 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux @item Linux
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Linux iproute2 @item Linux iproute2
@ -2459,7 +2451,7 @@ For IPv4 addresses:
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Solaris @item Solaris
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Darwin (MacOS/X) @item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask} @tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
@item Windows @item Windows
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask} @tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
@ -2467,7 +2459,7 @@ For IPv4 addresses:
For IPv6 addresses: For IPv6 addresses:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux @item Linux
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength} @tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
@item FreeBSD @item FreeBSD
@ -2480,7 +2472,7 @@ For IPv6 addresses:
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up} @tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
@item @item
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address} @tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
@item Darwin (MacOS/X) @item Darwin (Mac OS X)
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength} @tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
@item Windows @item Windows
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength} @tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
@ -2488,7 +2480,7 @@ For IPv6 addresses:
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command: On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item OpenBSD @item OpenBSD
@tab @code{ifconfig} @var{interface} @code{link0} @tab @code{ifconfig} @var{interface} @code{link0}
@end multitable @end multitable
@ -2498,7 +2490,7 @@ continue to exist even if tinc quit, although this is normally not required.
It can be useful to set up a tun/tap interface owned by a non-root user, so It can be useful to set up a tun/tap interface owned by a non-root user, so
tinc can be started without needing any root privileges at all. tinc can be started without needing any root privileges at all.
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux @item Linux
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username} @tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
@end multitable @end multitable
@ -2516,7 +2508,7 @@ support this.
Adding routes to IPv4 subnets: Adding routes to IPv4 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux @item Linux
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface} @tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
@item Linux iproute2 @item Linux iproute2
@ -2529,15 +2521,15 @@ Adding routes to IPv4 subnets:
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
@item Solaris @item Solaris
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface} @tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X) @item Darwin (Mac OS X)
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows @item Windows
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address} @tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
@end multitable @end multitable
Adding routes to IPv6 subnets: Adding routes to IPv6 subnets:
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface} @multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
@item Linux @item Linux
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface} @tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
@item Linux iproute2 @item Linux iproute2
@ -2550,8 +2542,8 @@ Adding routes to IPv6 subnets:
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength} @tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
@item Solaris @item Solaris
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface} @tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
@item Darwin (MacOS/X) @item Darwin (Mac OS X)
@tab ? @tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
@item Windows @item Windows
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface} @tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
@end multitable @end multitable

View file

@ -9,8 +9,8 @@ AC_DEFUN([tinc_ATTRIBUTE],
CFLAGS="$CFLAGS -Wall -Werror" CFLAGS="$CFLAGS -Wall -Werror"
AC_COMPILE_IFELSE( AC_COMPILE_IFELSE(
[AC_LANG_SOURCE( [AC_LANG_SOURCE(
[void test(void) __attribute__ (($1)); [void *test(void) __attribute__ (($1));
void test(void) { return; } void *test(void) { return (void *)0; }
], ],
)], )],
[tinc_cv_attribute_$1=yes], [tinc_cv_attribute_$1=yes],
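Review bot: the probe now declares `void *test(void)` and returns `(void *)0`, but nothing in the macro says why. Add a comment stating that attributes such as malloc and warn_unused_result are ignored, with a warning, on functions returning void, which under the -Werror added above makes the old `void test(void)` probe fail for those attributes; without that note the next person to touch this check is likely to simplify it back to a void function and silently lose the attributes again.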

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction BSD tun/tap device device.c -- Interaction BSD tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans, Copyright (C) 2001-2005 Ivo Timmermans,
2001-2012 Guus Sliepen <guus@tinc-vpn.org> 2001-2014 Guus Sliepen <guus@tinc-vpn.org>
2009 Grzegorz Dymarek <gregd72002@googlemail.com> 2009 Grzegorz Dymarek <gregd72002@googlemail.com>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
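Review bot: the copyright range on the Guus Sliepen line is bumped only to 2014 here, while have.h and net.c in the same commit are bumped to 2015; use 2015 here as well so the notices shipped in this release agree with each other.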
@ -34,7 +34,7 @@
#endif #endif
#define DEFAULT_TUN_DEVICE "/dev/tun0" #define DEFAULT_TUN_DEVICE "/dev/tun0"
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) #if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_DARWIN)
#define DEFAULT_TAP_DEVICE "/dev/tap0" #define DEFAULT_TAP_DEVICE "/dev/tap0"
#else #else
#define DEFAULT_TAP_DEVICE "/dev/tun0" #define DEFAULT_TAP_DEVICE "/dev/tun0"

View file

@ -38,6 +38,7 @@ extern avl_tree_t *config_tree;
extern int pinginterval; extern int pinginterval;
extern int pingtimeout; extern int pingtimeout;
extern int maxtimeout; extern int maxtimeout;
extern int mintimeout;
extern bool bypass_security; extern bool bypass_security;
extern char *confbase; extern char *confbase;
extern char *netname; extern char *netname;

View file

@ -1,7 +1,7 @@
/* /*
have.h -- include headers which are known to exist have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2003-2014 Guus Sliepen <guus@tinc-vpn.org> 2003-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -196,4 +196,19 @@
#include <netinet/if_ether.h> #include <netinet/if_ether.h>
#endif #endif
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#ifdef STATUS
#undef STATUS
#endif
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
#ifdef HAVE_LINUX_IF_TUN_H
#include <linux/if_tun.h>
#endif
#endif /* __TINC_SYSTEM_H__ */ #endif /* __TINC_SYSTEM_H__ */
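Review bot: the `#ifdef STATUS` / `#undef STATUS` block that follows `#include <arpa/nameser.h>` needs a comment. arpa/nameser.h defines a STATUS macro (the DNS status opcode), and the #undef only makes sense because tinc uses an identifier named STATUS elsewhere; an unexplained #undef in a shared header is exactly the kind of line a later cleanup removes as dead code. A one-liner such as `/* arpa/nameser.h defines STATUS, which clashes with tinc's own STATUS identifier */` would do. Moving the resolv.h include here also means every file including have.h now pulls in the resolver headers, which is fine but worth stating in the same comment.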

View file

@ -134,6 +134,9 @@ static bool setup_device(void) {
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
} }
if(overwrite_mac && !ioctl(device_fd, SIOCGIFHWADDR, &ifr))
memcpy(mymac.x, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
logger(LOG_INFO, "%s is a %s", device, device_info); logger(LOG_INFO, "%s is a %s", device, device_info);
return true; return true;
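Review bot: the failure path of the new `if(overwrite_mac && !ioctl(device_fd, SIOCGIFHWADDR, &ifr))` is silent: when the ioctl fails, mymac keeps whatever it held before and nothing is logged, so a later complaint about wrong destination MAC rewriting is hard to trace back to this point. Add an else branch that logs the failure with strerror(errno), at least at debug level, and consider whether overwrite_mac should remain enabled when the hardware address could not be read.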

View file

@ -1,7 +1,7 @@
/* /*
net.c -- most of the network code net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2014 Guus Sliepen <guus@tinc-vpn.org> 2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2011 Loïc Grenié <loic.grenie@gmail.com> 2011 Loïc Grenié <loic.grenie@gmail.com>
@ -41,14 +41,6 @@
#include "subnet.h" #include "subnet.h"
#include "xalloc.h" #include "xalloc.h"
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
bool do_purge = false; bool do_purge = false;
volatile bool running = false; volatile bool running = false;
#ifdef HAVE_PSELECT #ifdef HAVE_PSELECT
@ -508,9 +500,6 @@ int main_loop(void) {
avl_node_t *node; avl_node_t *node;
logger(LOG_INFO, "Flushing event queue"); logger(LOG_INFO, "Flushing event queue");
expire_events(); expire_events();
#if HAVE_DECL_RES_INIT
res_init();
#endif
for(node = connection_tree->head; node; node = node->next) { for(node = connection_tree->head; node; node = node->next) {
connection_t *c = node->data; connection_t *c = node->data;
if(c->status.active) if(c->status.active)
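Review bot: `res_init()` is removed from main_loop() with no replacement visible in this hunk. If the goal is that a changed resolv.conf is honoured on the next reconnect, the call has to move to just before the getaddrinfo() calls that resolve ConnectTo hosts, still guarded by the same HAVE_DECL_RES_INIT check; if that is done in a file not shown here, say so in the commit message so reviewers do not have to search for it.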

View file

@ -87,6 +87,7 @@ typedef struct listen_socket_t {
int tcp; int tcp;
int udp; int udp;
sockaddr_t sa; sockaddr_t sa;
int priority;
} listen_socket_t; } listen_socket_t;
#include "conf.h" #include "conf.h"
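Review bot: the new `int priority;` member is never initialised in this patch; send_udppacket() compares it against the packet priority and skips setsockopt() when they match, so the code relies on it starting at 0 (the kernel's default TOS). If listen_socket is a global array that holds, but an explicit `listen_socket[i].priority = 0;` where the socket is set up would document the assumption and survive a later refactor.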

View file

@ -415,9 +415,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t *outpkt; vpn_packet_t *outpkt;
int origlen; int origlen;
int outlen, outpad; int outlen, outpad;
#if defined(SOL_IP) && defined(IP_TOS)
static int priority = 0;
#endif
int origpriority; int origpriority;
if(!n->status.reachable) { if(!n->status.reachable) {
@ -549,15 +546,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
sock = n->sock; sock = n->sock;
} }
if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
listen_socket[n->sock].priority = origpriority;
switch(listen_socket[n->sock].sa.sa.sa_family) {
#if defined(SOL_IP) && defined(IP_TOS) #if defined(SOL_IP) && defined(IP_TOS)
if(priorityinheritance && origpriority != priority case AF_INET:
&& listen_socket[n->sock].sa.sa.sa_family == AF_INET) { ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
priority = origpriority; if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno)); logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
} break;
#endif #endif
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
case AF_INET6:
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof(origpriority)))
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
break;
#endif
default:
break;
}
}
if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) { if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
if(sockmsgsize(sockerrno)) { if(sockmsgsize(sockerrno)) {
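Review bot: `listen_socket[n->sock].priority = origpriority;` is assigned before the setsockopt() calls and regardless of whether they succeed, so after a failed call the cached value and the socket's real TOS/TCLASS diverge and no later packet with the same priority will retry. Suggest moving the assignment after a successful setsockopt(), or resetting it on the error path. Replacing the single `static int priority` with a per-socket field is the right fix, since one static could never be correct when more than one listening socket is in use.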

View file

@ -1,7 +1,7 @@
/* /*
net_setup.c -- Setup. net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2014 Guus Sliepen <guus@tinc-vpn.org> 2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -539,7 +539,12 @@ static bool setup_myself(void) {
#if !defined(SOL_IP) || !defined(IP_TOS) #if !defined(SOL_IP) || !defined(IP_TOS)
if(priorityinheritance) if(priorityinheritance)
logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance"); logger(LOG_WARNING, "%s not supported on this platform for IPv4 connection", "PriorityInheritance");
#endif
#if !defined(IPPROTO_IPV6) || !defined(IPV6_TCLASS)
if(priorityinheritance)
logger(LOG_WARNING, "%s not supported on this platform for IPv6 connection", "PriorityInheritance");
#endif #endif
if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire)) if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
@ -553,6 +558,18 @@ static bool setup_myself(void) {
} else } else
maxtimeout = 900; maxtimeout = 900;
if(get_config_int(lookup_config(config_tree, "MinTimeout"), &mintimeout)) {
if(mintimeout < 0) {
logger(LOG_ERR, "Bogus minimum timeout!");
return false;
}
if(mintimeout > maxtimeout) {
logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting !", mintimeout, maxtimeout );
mintimeout=maxtimeout;
}
} else
mintimeout = 0;
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) { if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
if(udp_rcvbuf <= 0) { if(udp_rcvbuf <= 0) {
logger(LOG_ERR, "UDPRcvBuf cannot be negative!"); logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
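Review bot: style in the new MinTimeout block: `mintimeout=maxtimeout;` and `maxtimeout );` break the spacing used elsewhere in this function, and "Correcting !" has a stray space before the exclamation mark. Also, a new configuration variable needs a man page entry (doc/tinc.conf.5.in is not part of the visible diff); the semantics to document are that MinTimeout is clamped to MaxTimeout and rejected when negative.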
@ -713,6 +730,12 @@ static bool setup_myself(void) {
xasprintf(&envp[2], "INTERFACE=%s", iface ? : ""); xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
xasprintf(&envp[3], "NAME=%s", myself->name); xasprintf(&envp[3], "NAME=%s", myself->name);
#ifdef HAVE_MINGW
Sleep(1000);
#endif
#ifdef HAVE_CYGWIN
sleep(1);
#endif
execute_script("tinc-up", envp); execute_script("tinc-up", envp);
for(i = 0; i < 4; i++) for(i = 0; i < 4; i++)
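Review bot: the bare `Sleep(1000);` / `sleep(1);` inserted before `execute_script("tinc-up", envp)` carries no comment saying what it is waiting for, so the next reader has no way to tell whether the delay is still needed or how long it has to be. Please add a one-line comment naming the condition being waited on, or replace the fixed sleep with a check for that condition.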
@ -790,6 +813,10 @@ static bool setup_myself(void) {
hint.ai_protocol = IPPROTO_TCP; hint.ai_protocol = IPPROTO_TCP;
hint.ai_flags = AI_PASSIVE; hint.ai_flags = AI_PASSIVE;
#if HAVE_DECL_RES_INIT
// ensure glibc reloads /etc/resolv.conf.
res_init();
#endif
err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai); err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
free(address); free(address);

View file

@ -40,6 +40,7 @@
#endif #endif
int addressfamily = AF_UNSPEC; int addressfamily = AF_UNSPEC;
int mintimeout = 0;
int maxtimeout = 900; int maxtimeout = 900;
int seconds_till_retry = 5; int seconds_till_retry = 5;
int udp_rcvbuf = 0; int udp_rcvbuf = 0;
@ -77,6 +78,11 @@ static void configure_tcp(connection_t *c) {
option = IPTOS_LOWDELAY; option = IPTOS_LOWDELAY;
setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option)); setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
#endif #endif
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) && defined(IPTOS_LOWDELAY)
option = IPTOS_LOWDELAY;
setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void *)&option, sizeof(option));
#endif
} }
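Review bot: the new IPV6_TCLASS setsockopt() in configure_tcp() is issued on every TCP connection regardless of address family, and so is the existing IP_TOS call; on an IPv4 socket the IPv6 option fails (and vice versa) and the discarded return value hides it. Suggest switching on the connection's address family, the way send_udppacket() does with `listen_socket[n->sock].sa.sa.sa_family`, so each socket gets exactly the one call that applies to it.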
static bool bind_to_interface(int sd) { static bool bind_to_interface(int sd) {
@ -273,6 +279,9 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
void retry_outgoing(outgoing_t *outgoing) { void retry_outgoing(outgoing_t *outgoing) {
outgoing->timeout += 5; outgoing->timeout += 5;
if(outgoing->timeout < mintimeout)
outgoing->timeout = mintimeout;
if(outgoing->timeout > maxtimeout) if(outgoing->timeout > maxtimeout)
outgoing->timeout = maxtimeout; outgoing->timeout = maxtimeout;

View file

@ -1,7 +1,7 @@
/* /*
netutl.c -- some supporting network utility code netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2011 Guus Sliepen <guus@tinc-vpn.org> 2000-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -39,6 +39,10 @@ struct addrinfo *str2addrinfo(const char *address, const char *service, int sock
hint.ai_family = addressfamily; hint.ai_family = addressfamily;
hint.ai_socktype = socktype; hint.ai_socktype = socktype;
#if HAVE_DECL_RES_INIT
// ensure glibc reloads /etc/resolv.conf.
res_init();
#endif
err = getaddrinfo(address, service, &hint, &ai); err = getaddrinfo(address, service, &hint, &ai);
if(err) { if(err) {
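Review bot: this `res_init()` before `getaddrinfo()` duplicates the identical four lines added in setup_myself() (net_setup.c above); a small wrapper around getaddrinfo() that does the res_init() would keep the two call sites from drifting apart. The `#if HAVE_DECL_RES_INIT` form is correct here, since AC_CHECK_DECLS always defines the macro as 0 or 1 and `#ifdef` would be true in both cases.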

View file

@ -1,7 +1,7 @@
/* /*
process.c -- process management functions process.c -- process management functions
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2015 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -347,16 +347,58 @@ bool detach(void) {
return true; return true;
} }
#ifdef HAVE_PUTENV
void unputenv(char *p) {
char *e = strchr(p, '=');
if(!e)
return;
int len = e - p;
#ifndef HAVE_UNSETENV
#ifdef HAVE_MINGW
// Windows requires putenv("FOO=") to unset %FOO%
len++;
#endif
#endif
char var[len + 1];
memcpy(var, p, len);
var[len] = 0;
#ifdef HAVE_UNSETENV
unsetenv(var);
#else
// We must keep what we putenv() around in memory.
// To do this without memory leaks, keep things in a list and reuse if possible.
static list_t list = {};
for(list_node_t *node = list.head; node; node = node->next) {
char *data = node->data;
if(!strcmp(data, var)) {
putenv(data);
return;
}
}
char *data = xstrdup(var);
list_insert_tail(&list, data);
putenv(data);
#endif
}
#else
void putenv(const char *p) {}
void unputenv(const char *p) {}
#endif
bool execute_script(const char *name, char **envp) { bool execute_script(const char *name, char **envp) {
#ifdef HAVE_SYSTEM #ifdef HAVE_SYSTEM
int status, len;
char *scriptname; char *scriptname;
int i;
char *interpreter = NULL; char *interpreter = NULL;
config_t *cfg_interpreter;
int status, len, i;
cfg_interpreter = lookup_config(config_tree, "ScriptsInterpreter");
#ifndef HAVE_MINGW #ifndef HAVE_MINGW
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name); len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
#else #else
if(cfg_interpreter)
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
else
len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name); len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
#endif #endif
if(len < 0) if(len < 0)
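Review bot: `static list_t list = {};` in unputenv() uses the empty-brace initializer, which is a GNU (and C23) extension rather than C99; `= {0}` is the portable spelling and tinc builds with other compilers (MinGW, musl are both touched by this release). The design itself is sound: putenv() keeps the pointer it is given, so the strings must outlive the call, and reusing an entry per variable name keeps the retained set bounded by the number of distinct names rather than growing per script run. On the HAVE_UNSETENV path the list is unused, which is fine.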
@ -365,14 +407,13 @@ bool execute_script(const char *name, char **envp) {
scriptname[len - 1] = '\0'; scriptname[len - 1] = '\0';
/* First check if there is a script */ /* First check if there is a script */
if(access(scriptname + 1, F_OK)) { if(access(scriptname + 1, F_OK)) {
free(scriptname); free(scriptname);
return true; return true;
} }
// Custom scripts interpreter // Custom scripts interpreter
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) { if(get_config_string(cfg_interpreter, &interpreter)) {
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard) // Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
free(scriptname); free(scriptname);
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name); len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
@ -383,12 +424,10 @@ bool execute_script(const char *name, char **envp) {
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name); ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
#ifdef HAVE_PUTENV
/* Set environment */ /* Set environment */
for(i = 0; envp[i]; i++) for(i = 0; envp[i]; i++)
putenv(envp[i]); putenv(envp[i]);
#endif
scriptname[len - 1] = '\"'; scriptname[len - 1] = '\"';
status = system(scriptname); status = system(scriptname);
@ -397,15 +436,8 @@ bool execute_script(const char *name, char **envp) {
/* Unset environment */ /* Unset environment */
for(i = 0; envp[i]; i++) { for(i = 0; envp[i]; i++)
char *e = strchr(envp[i], '='); unputenv(envp[i]);
if(e) {
char p[e - envp[i] + 1];
strncpy(p, envp[i], e - envp[i]);
p[e - envp[i]] = '\0';
putenv(p);
}
}
if(status != -1) { if(status != -1) {
#ifdef WEXITSTATUS #ifdef WEXITSTATUS
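Review bot: the removed loop built `char p[e - envp[i] + 1]` on the stack and handed it to putenv(), which stores that pointer in environ; after each iteration the pointer dangled, so the environment contained garbage until the next putenv() of the same name. Replacing it with `unputenv(envp[i])`, which keeps heap copies alive, fixes this correctly. One point to confirm: on platforms without HAVE_PUTENV the new stubs make both the set and unset loops no-ops, so scripts there never see the variables; that matches the previous `#ifdef HAVE_PUTENV` guard around the set loop, but the unset loop used to run unconditionally.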

View file

@ -1,7 +1,7 @@
/* /*
tincd.c -- the main file for tincd tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2014 Guus Sliepen <guus@tinc-vpn.org> 2000-2015 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com> 2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru> 2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu> 2010 Julien Muchembled <jm@jmuchemb.eu>
@ -97,7 +97,7 @@ char *pidfilename = NULL; /* pid file location */
char *logfilename = NULL; /* log file location */ char *logfilename = NULL; /* log file location */
char **g_argv; /* a copy of the cmdline arguments */ char **g_argv; /* a copy of the cmdline arguments */
static int status; static int status = 1;
static struct option const long_options[] = { static struct option const long_options[] = {
{"config", required_argument, NULL, 'c'}, {"config", required_argument, NULL, 'c'},
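Review bot: changing `static int status;` to `static int status = 1;` makes failure the default exit code, so any startup path that bails out before the main loop now returns non-zero instead of 0 (the changelog's "configuration errors during startup" fix). Please confirm the normal shutdown path assigns `status = 0` explicitly, since that assignment is not in the visible diff and init scripts will otherwise report a clean stop as a failure.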
@ -438,14 +438,14 @@ static void make_names(void) {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) { if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) { if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
if(!logfilename)
xasprintf(&logfilename, "%s/log/%s.log", identname);
if(!confbase) { if(!confbase) {
if(netname) if(netname)
xasprintf(&confbase, "%s/%s", installdir, netname); xasprintf(&confbase, "%s/%s", installdir, netname);
else else
xasprintf(&confbase, "%s", installdir); xasprintf(&confbase, "%s", installdir);
} }
if(!logfilename)
xasprintf(&logfilename, "%s/tinc.log", confbase);
} }
RegCloseKey(key); RegCloseKey(key);
if(*installdir) if(*installdir)
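Review bot: the removed `xasprintf(&logfilename, "%s/log/%s.log", identname);` has two %s conversions but only one argument, which is undefined behaviour and the likely cause of the Windows --logfile crash this release fixes. The replacement `xasprintf(&logfilename, "%s/tinc.log", confbase);` is correctly moved after the block that sets confbase, so it no longer formats a NULL pointer either. Note the default log location on Windows changes from <installdir>/log/<identname>.log to <confbase>/tinc.log; that is worth a line in NEWS.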
@ -549,7 +549,7 @@ int main(int argc, char **argv) {
if(show_version) { if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT); VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n" printf("Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n" "See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n" "and you are welcome to redistribute it under certain conditions;\n"