Import Debian changes 1.0.26-1
tinc (1.0.26-1) unstable; urgency=medium * New upstream release. * Use the contents, not the presence, of the pidfile to check that tincd is shut down properly. Closes: #774682 * Bump Standards-Version.
commit
088ed763df
35 changed files with 677 additions and 1427 deletions
2
COPYING
2
COPYING
|
@ -1,4 +1,4 @@
|
|||
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.
|
||||
Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.
|
||||
See the AUTHORS file for a complete list.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify it under
|
||||
|
|
104
ChangeLog
104
ChangeLog
|
@ -1,20 +1,64 @@
|
|||
Version 1.0.26 July 05 2015
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (14):
|
||||
Use VittGam's real name.
|
||||
Attribution for Saverio Proto.
|
||||
Always call res_init() before getaddrinfo().
|
||||
Fix --logfile without a filename on Windows.
|
||||
Never call putenv() with data on the stack.
|
||||
Return non-zero exit code when encountering configuration errors during startup.
|
||||
Fix autoconf check for function attributes.
|
||||
Fix spelling of FORTIFY_SOURCE.
|
||||
Update copyright notices.
|
||||
Attribution for various contributors.
|
||||
Only check for -fno-strict-overflow if -fwrapv does not work.
|
||||
Fix unputenv() on Windows.
|
||||
Don't try to call res_init() if ./configure told us it doesn't exist.
|
||||
Releasing 1.0.26.
|
||||
|
||||
Jo-Philipp Wich (1):
|
||||
fix musl compatibility
|
||||
|
||||
Version 1.0.25 December 22 2014
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (7):
|
||||
Fix date of last NEWS entry.
|
||||
Remember ToS/Diffserv priority for each socket individually.
|
||||
Attribution for various contributors.
|
||||
Automatically choose a tap device on Mac OS X when using switch Mode.
|
||||
Update documentation for Mac OS X.
|
||||
Check whether res_init() really lives in libresolv.
|
||||
Releasing 1.0.25.
|
||||
|
||||
Borg (3):
|
||||
Fixed scripts calling under Win32.
|
||||
Get MAC of TAP device.
|
||||
Fixed tinc-up script calling on Win32.
|
||||
|
||||
Alexis Hildebrandt (1):
|
||||
Add support to link against libresolv Mac OS X
|
||||
|
||||
Baptiste Jonglez (1):
|
||||
Use the description from the 1.1 man page for the IndirectData option
|
||||
|
||||
David Pflug (1):
|
||||
Update README.android
|
||||
|
||||
Jochen Voss (1):
|
||||
Fix some typos in the manual.
|
||||
|
||||
Tomislav Čohar (1):
|
||||
Configure minimum reconnect timeouts.
|
||||
|
||||
VittGam (1):
|
||||
Support ToS/DiffServ priority handling for IPv6 meta and UDP connections.
|
||||
|
||||
Version 1.0.24 May 11 2014
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (26):
|
||||
Mention in the manual that multiple Address staments are allowed.
|
||||
If no Port is specified, set myport to actual port of first listening socket.
|
||||
Enable compiler hardening flags by default.
|
||||
Update support for Solaris.
|
||||
Include <limits.h> for PATH_MAX.
|
||||
Stricter check for raw socket support.
|
||||
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
|
||||
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
|
||||
Don't enable -fstack-protector-all.
|
||||
Remove or lower the priority of some debug messages.
|
||||
Clarify StrictSubnets.
|
||||
Attribution for various contributors.
|
||||
Handle errors from TAP-Win32/64 adapter in a better way.
|
||||
Guus Sliepen (13):
|
||||
Remove useless variable 'hard' from try_harder().
|
||||
Merge pull request #14 from luckyhacky/master
|
||||
Add an autoconf check for res_init().
|
||||
|
@ -34,22 +78,40 @@ Steffan Karger (3):
|
|||
Use cryptographically strong random when generating keys.
|
||||
Check RAND_bytes() return value, fail when getting random fails.
|
||||
|
||||
Florent Clairambault (2):
|
||||
Adding "conf.d" configuration dir support.
|
||||
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
|
||||
|
||||
Armin Fisslthaler (1):
|
||||
reload /etc/resolv.conf in SIGALRM handler
|
||||
|
||||
Loic Dachary (1):
|
||||
fix documentation typo
|
||||
|
||||
Vilbrekin (1):
|
||||
Update android build instructions. Disable PIE as this is not supported on some devices.
|
||||
|
||||
luckyhacky (1):
|
||||
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
|
||||
|
||||
refs/tags/1.0.23-android-1 March 11 2014
|
||||
------------------------------------------------------------------------
|
||||
|
||||
Guus Sliepen (13):
|
||||
Mention in the manual that multiple Address staments are allowed.
|
||||
If no Port is specified, set myport to actual port of first listening socket.
|
||||
Enable compiler hardening flags by default.
|
||||
Update support for Solaris.
|
||||
Include <limits.h> for PATH_MAX.
|
||||
Stricter check for raw socket support.
|
||||
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
|
||||
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
|
||||
Don't enable -fstack-protector-all.
|
||||
Remove or lower the priority of some debug messages.
|
||||
Clarify StrictSubnets.
|
||||
Attribution for various contributors.
|
||||
Handle errors from TAP-Win32/64 adapter in a better way.
|
||||
|
||||
Florent Clairambault (2):
|
||||
Adding "conf.d" configuration dir support.
|
||||
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
|
||||
|
||||
Vilbrekin (1):
|
||||
Update android build instructions. Disable PIE as this is not supported on some devices.
|
||||
|
||||
Version 1.0.23 October 19 2013
|
||||
------------------------------------------------------------------------
|
||||
|
||||
|
|
27
NEWS
27
NEWS
|
@ -1,4 +1,29 @@
|
|||
Version 1.0.24 May 11 2013
|
||||
Version 1.0.26 July 5 2015
|
||||
|
||||
* Tinc now forces glibc to reload /etc/resolv.conf for every hostname lookup.
|
||||
|
||||
* Fixed --logfile without a filename on Windows.
|
||||
|
||||
* Ensure tinc can be compiled when using musl libc.
|
||||
|
||||
Thanks to Jo-Philipp Wich for his contribution to this version of tinc.
|
||||
|
||||
Version 1.0.25 December 22 2014
|
||||
|
||||
* Documentation updates.
|
||||
|
||||
* Support linking against -lresolv on Mac OS X.
|
||||
|
||||
* Fix scripts on Windows when using the ScriptsInterpreter option.
|
||||
|
||||
* Allow a minimum reconnect timeout to be specified.
|
||||
|
||||
* Support PriorityInheritance on IPv6 sockets.
|
||||
|
||||
Thanks to David Pflug, Baptiste Jonglez, Alexis Hildebrandt, Borg, Jochen Voss,
|
||||
Tomislav Čohar and VittGam for their contributions to this version of tinc.
|
||||
|
||||
Version 1.0.24 May 11 2014
|
||||
|
||||
* Various compiler hardening flags are enabled by default.
|
||||
|
||||
|
|
6
README
6
README
|
@ -1,7 +1,7 @@
|
|||
This is the README file for tinc version 1.0.24. Installation
|
||||
This is the README file for tinc version 1.0.26. Installation
|
||||
instructions may be found in the INSTALL file.
|
||||
|
||||
tinc is Copyright (C) 1998-2014 by:
|
||||
tinc is Copyright (C) 1998-2015 by:
|
||||
|
||||
Ivo Timmermans,
|
||||
Guus Sliepen <guus@tinc-vpn.org>,
|
||||
|
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
|
|||
Compatibility
|
||||
-------------
|
||||
|
||||
Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
Version 1.0.26 is compatible with 1.0pre8, 1.0 and later, but not with older
|
||||
versions of tinc.
|
||||
|
||||
|
||||
|
|
|
@ -6,11 +6,12 @@ tar xfj android-ndk-r9d-linux-x86.tar.bz2
|
|||
./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
|
||||
|
||||
- Download and cross-compile openSSL for ARM:
|
||||
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
|
||||
tar xfz openssl-1.0.1g.tar.gz
|
||||
cd openssl-1.0.1g
|
||||
wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
|
||||
tar xfz openssl-1.0.1h.tar.gz
|
||||
cd openssl-1.0.1h
|
||||
./Configure dist
|
||||
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
|
||||
cd -
|
||||
|
||||
- Clone and cross-compile tinc:
|
||||
git clone git://tinc-vpn.org/tinc
|
||||
|
|
17
THANKS
17
THANKS
|
@ -1,14 +1,18 @@
|
|||
We would like to thank the following people for their contributions to tinc:
|
||||
|
||||
* Alexander Reil and Gemeinde Berg
|
||||
* Alexis Hildebrandt
|
||||
* Allesandro Gatti
|
||||
* Andreas van Cranenburgh
|
||||
* Anthony G. Basile
|
||||
* Armin Fisslthaler
|
||||
* Armijn Hemel
|
||||
* Baptiste Jonglez
|
||||
* Borg
|
||||
* Brandon Black
|
||||
* Cris van Pelt
|
||||
* Darius Jahandarie
|
||||
* David Pflug
|
||||
* Delf Eldkraft
|
||||
* dnk
|
||||
* Enrique Zanardi
|
||||
|
@ -22,9 +26,13 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* James MacLean
|
||||
* Jamie Briggs
|
||||
* Jason Harper
|
||||
* Jason Livesay
|
||||
* Jelle de Jong
|
||||
* Jeroen Domburg
|
||||
* Jeroen Ubbink
|
||||
* Jerome Etienne
|
||||
* Jo-Philipp Wich
|
||||
* Jochen Voss
|
||||
* Julien Muchembled
|
||||
* Lavrans Laading
|
||||
* Loïc Dachary
|
||||
|
@ -50,15 +58,24 @@ We would like to thank the following people for their contributions to tinc:
|
|||
* Philipp Babel
|
||||
* Robert van der Meulen
|
||||
* Rumko
|
||||
* Sam Bryan
|
||||
* Saverio Proto
|
||||
* Scott Lamb
|
||||
* Steffan Karger
|
||||
* Sven-Haegar Koch
|
||||
* Teemu Kiviniemi
|
||||
* Thomas Tsiakalakis
|
||||
* Timothy Redaelli
|
||||
* Tomasz Fortuna
|
||||
* Tomislav Čohar
|
||||
* Tommy Arnkværn
|
||||
* Tonnerre Lombard
|
||||
* Vil Brekin
|
||||
* Vittorio Gambaletta
|
||||
* Wessel Dankers
|
||||
* William McArthur
|
||||
* Wouter van Heyst
|
||||
* 戴 鸣
|
||||
|
||||
And everyone we forgot (if we did, please let us know). Thank you!
|
||||
|
||||
|
|
7
aclocal.m4
vendored
7
aclocal.m4
vendored
|
@ -103,10 +103,9 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
|
|||
# configured tree to be moved without reconfiguration.
|
||||
|
||||
AC_DEFUN([AM_AUX_DIR_EXPAND],
|
||||
[dnl Rely on autoconf to set up CDPATH properly.
|
||||
AC_PREREQ([2.50])dnl
|
||||
# expand $ac_aux_dir to an absolute path
|
||||
am_aux_dir=`cd $ac_aux_dir && pwd`
|
||||
[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
|
||||
# Expand $ac_aux_dir to an absolute path.
|
||||
am_aux_dir=`cd "$ac_aux_dir" && pwd`
|
||||
])
|
||||
|
||||
# AM_CONDITIONAL -*- Autoconf -*-
|
||||
|
|
174
config.guess
vendored
174
config.guess
vendored
|
@ -1,8 +1,8 @@
|
|||
#! /bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright 1992-2013 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2013-06-10'
|
||||
timestamp='2014-03-23'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -50,7 +50,7 @@ version="\
|
|||
GNU config.guess ($timestamp)
|
||||
|
||||
Originally written by Per Bothner.
|
||||
Copyright 1992-2013 Free Software Foundation, Inc.
|
||||
Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
|
@ -149,7 +149,7 @@ Linux|GNU|GNU/*)
|
|||
LIBC=gnu
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
|
||||
;;
|
||||
esac
|
||||
|
||||
|
@ -826,7 +826,7 @@ EOF
|
|||
*:MINGW*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw32
|
||||
exit ;;
|
||||
i*:MSYS*:*)
|
||||
*:MSYS*:*)
|
||||
echo ${UNAME_MACHINE}-pc-msys
|
||||
exit ;;
|
||||
i*:windows32*:*)
|
||||
|
@ -969,10 +969,10 @@ EOF
|
|||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
||||
;;
|
||||
or1k:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
openrisc*:Linux:*:*)
|
||||
echo or1k-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
or32:Linux:*:*)
|
||||
or32:Linux:*:* | or1k*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
padre:Linux:*:*)
|
||||
|
@ -1260,6 +1260,7 @@ EOF
|
|||
if test "$UNAME_PROCESSOR" = unknown ; then
|
||||
UNAME_PROCESSOR=powerpc
|
||||
fi
|
||||
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
|
||||
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
|
||||
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
|
||||
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
|
||||
|
@ -1271,6 +1272,15 @@ EOF
|
|||
esac
|
||||
fi
|
||||
fi
|
||||
elif test "$UNAME_PROCESSOR" = i386 ; then
|
||||
# Avoid executing cc on OS X 10.9, as it ships with a stub
|
||||
# that puts up a graphical alert prompting to install
|
||||
# developer tools. Any system running Mac OS X 10.7 or
|
||||
# later (Darwin 11 and later) is required to have a 64-bit
|
||||
# processor. This is not true of the ARM version of Darwin
|
||||
# that Apple uses in portable devices.
|
||||
UNAME_PROCESSOR=x86_64
|
||||
fi
|
||||
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:procnto*:*:* | *:QNX:[0123456789]*:*)
|
||||
|
@ -1361,154 +1371,6 @@ EOF
|
|||
exit ;;
|
||||
esac
|
||||
|
||||
eval $set_cc_for_build
|
||||
cat >$dummy.c <<EOF
|
||||
#ifdef _SEQUENT_
|
||||
# include <sys/types.h>
|
||||
# include <sys/utsname.h>
|
||||
#endif
|
||||
main ()
|
||||
{
|
||||
#if defined (sony)
|
||||
#if defined (MIPSEB)
|
||||
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
|
||||
I don't know.... */
|
||||
printf ("mips-sony-bsd\n"); exit (0);
|
||||
#else
|
||||
#include <sys/param.h>
|
||||
printf ("m68k-sony-newsos%s\n",
|
||||
#ifdef NEWSOS4
|
||||
"4"
|
||||
#else
|
||||
""
|
||||
#endif
|
||||
); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__arm) && defined (__acorn) && defined (__unix)
|
||||
printf ("arm-acorn-riscix\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (hp300) && !defined (hpux)
|
||||
printf ("m68k-hp-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (NeXT)
|
||||
#if !defined (__ARCHITECTURE__)
|
||||
#define __ARCHITECTURE__ "m68k"
|
||||
#endif
|
||||
int version;
|
||||
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
|
||||
if (version < 4)
|
||||
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
|
||||
else
|
||||
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
|
||||
exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (MULTIMAX) || defined (n16)
|
||||
#if defined (UMAXV)
|
||||
printf ("ns32k-encore-sysv\n"); exit (0);
|
||||
#else
|
||||
#if defined (CMU)
|
||||
printf ("ns32k-encore-mach\n"); exit (0);
|
||||
#else
|
||||
printf ("ns32k-encore-bsd\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__386BSD__)
|
||||
printf ("i386-pc-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (sequent)
|
||||
#if defined (i386)
|
||||
printf ("i386-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#if defined (ns32000)
|
||||
printf ("ns32k-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (_SEQUENT_)
|
||||
struct utsname un;
|
||||
|
||||
uname(&un);
|
||||
|
||||
if (strncmp(un.version, "V2", 2) == 0) {
|
||||
printf ("i386-sequent-ptx2\n"); exit (0);
|
||||
}
|
||||
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
|
||||
printf ("i386-sequent-ptx1\n"); exit (0);
|
||||
}
|
||||
printf ("i386-sequent-ptx\n"); exit (0);
|
||||
|
||||
#endif
|
||||
|
||||
#if defined (vax)
|
||||
# if !defined (ultrix)
|
||||
# include <sys/param.h>
|
||||
# if defined (BSD)
|
||||
# if BSD == 43
|
||||
printf ("vax-dec-bsd4.3\n"); exit (0);
|
||||
# else
|
||||
# if BSD == 199006
|
||||
printf ("vax-dec-bsd4.3reno\n"); exit (0);
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-ultrix\n"); exit (0);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined (alliant) && defined (i860)
|
||||
printf ("i860-alliant-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
exit (1);
|
||||
}
|
||||
EOF
|
||||
|
||||
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
|
||||
{ echo "$SYSTEM_NAME"; exit; }
|
||||
|
||||
# Apollos put the system type in the environment.
|
||||
|
||||
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
|
||||
|
||||
# Convex versions that predate uname can use getsysinfo(1)
|
||||
|
||||
if [ -x /usr/convex/getsysinfo ]
|
||||
then
|
||||
case `getsysinfo -f cpu_type` in
|
||||
c1*)
|
||||
echo c1-convex-bsd
|
||||
exit ;;
|
||||
c2*)
|
||||
if getsysinfo -f scalar_acc
|
||||
then echo c32-convex-bsd
|
||||
else echo c2-convex-bsd
|
||||
fi
|
||||
exit ;;
|
||||
c34*)
|
||||
echo c34-convex-bsd
|
||||
exit ;;
|
||||
c38*)
|
||||
echo c38-convex-bsd
|
||||
exit ;;
|
||||
c4*)
|
||||
echo c4-convex-bsd
|
||||
exit ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
cat >&2 <<EOF
|
||||
$0: unable to guess system type
|
||||
|
||||
|
|
|
@ -89,6 +89,9 @@
|
|||
/* Define to 1 if you have the `nsl' library (-lnsl). */
|
||||
#undef HAVE_LIBNSL
|
||||
|
||||
/* Define to 1 if you have the `resolv' library (-lresolv). */
|
||||
#undef HAVE_LIBRESOLV
|
||||
|
||||
/* Define to 1 if you have the `socket' library (-lsocket). */
|
||||
#undef HAVE_LIBSOCKET
|
||||
|
||||
|
|
30
config.sub
vendored
30
config.sub
vendored
|
@ -1,8 +1,8 @@
|
|||
#! /bin/sh
|
||||
# Configuration validation subroutine script.
|
||||
# Copyright 1992-2013 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2013-08-10'
|
||||
timestamp='2014-09-11'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
|
@ -68,7 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
|
|||
version="\
|
||||
GNU config.sub ($timestamp)
|
||||
|
||||
Copyright 1992-2013 Free Software Foundation, Inc.
|
||||
Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
|
@ -265,6 +265,7 @@ case $basic_machine in
|
|||
| hexagon \
|
||||
| i370 | i860 | i960 | ia64 \
|
||||
| ip2k | iq2000 \
|
||||
| k1om \
|
||||
| le32 | le64 \
|
||||
| lm32 \
|
||||
| m32c | m32r | m32rle | m68000 | m68k | m88k \
|
||||
|
@ -282,8 +283,10 @@ case $basic_machine in
|
|||
| mips64vr5900 | mips64vr5900el \
|
||||
| mipsisa32 | mipsisa32el \
|
||||
| mipsisa32r2 | mipsisa32r2el \
|
||||
| mipsisa32r6 | mipsisa32r6el \
|
||||
| mipsisa64 | mipsisa64el \
|
||||
| mipsisa64r2 | mipsisa64r2el \
|
||||
| mipsisa64r6 | mipsisa64r6el \
|
||||
| mipsisa64sb1 | mipsisa64sb1el \
|
||||
| mipsisa64sr71k | mipsisa64sr71kel \
|
||||
| mipsr5900 | mipsr5900el \
|
||||
|
@ -295,11 +298,11 @@ case $basic_machine in
|
|||
| nds32 | nds32le | nds32be \
|
||||
| nios | nios2 | nios2eb | nios2el \
|
||||
| ns16k | ns32k \
|
||||
| open8 \
|
||||
| or1k | or32 \
|
||||
| open8 | or1k | or1knd | or32 \
|
||||
| pdp10 | pdp11 | pj | pjl \
|
||||
| powerpc | powerpc64 | powerpc64le | powerpcle \
|
||||
| pyramid \
|
||||
| riscv32 | riscv64 \
|
||||
| rl78 | rx \
|
||||
| score \
|
||||
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
|
||||
|
@ -324,7 +327,7 @@ case $basic_machine in
|
|||
c6x)
|
||||
basic_machine=tic6x-unknown
|
||||
;;
|
||||
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip)
|
||||
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
|
||||
basic_machine=$basic_machine-unknown
|
||||
os=-none
|
||||
;;
|
||||
|
@ -381,6 +384,7 @@ case $basic_machine in
|
|||
| hexagon-* \
|
||||
| i*86-* | i860-* | i960-* | ia64-* \
|
||||
| ip2k-* | iq2000-* \
|
||||
| k1om-* \
|
||||
| le32-* | le64-* \
|
||||
| lm32-* \
|
||||
| m32c-* | m32r-* | m32rle-* \
|
||||
|
@ -400,8 +404,10 @@ case $basic_machine in
|
|||
| mips64vr5900-* | mips64vr5900el-* \
|
||||
| mipsisa32-* | mipsisa32el-* \
|
||||
| mipsisa32r2-* | mipsisa32r2el-* \
|
||||
| mipsisa32r6-* | mipsisa32r6el-* \
|
||||
| mipsisa64-* | mipsisa64el-* \
|
||||
| mipsisa64r2-* | mipsisa64r2el-* \
|
||||
| mipsisa64r6-* | mipsisa64r6el-* \
|
||||
| mipsisa64sb1-* | mipsisa64sb1el-* \
|
||||
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
|
||||
| mipsr5900-* | mipsr5900el-* \
|
||||
|
@ -413,6 +419,7 @@ case $basic_machine in
|
|||
| nios-* | nios2-* | nios2eb-* | nios2el-* \
|
||||
| none-* | np1-* | ns16k-* | ns32k-* \
|
||||
| open8-* \
|
||||
| or1k*-* \
|
||||
| orion-* \
|
||||
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
|
||||
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
|
||||
|
@ -822,6 +829,10 @@ case $basic_machine in
|
|||
basic_machine=powerpc-unknown
|
||||
os=-morphos
|
||||
;;
|
||||
moxiebox)
|
||||
basic_machine=moxie-unknown
|
||||
os=-moxiebox
|
||||
;;
|
||||
msdos)
|
||||
basic_machine=i386-pc
|
||||
os=-msdos
|
||||
|
@ -1367,14 +1378,14 @@ case $os in
|
|||
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
|
||||
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
||||
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
|
||||
| -uxpv* | -beos* | -mpeix* | -udk* \
|
||||
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
|
||||
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
|
||||
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
|
||||
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
|
||||
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
|
||||
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
||||
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
|
||||
# Remember, each alternative MUST END IN *, to match a version number.
|
||||
;;
|
||||
-qnx*)
|
||||
|
@ -1592,9 +1603,6 @@ case $basic_machine in
|
|||
mips*-*)
|
||||
os=-elf
|
||||
;;
|
||||
or1k-*)
|
||||
os=-elf
|
||||
;;
|
||||
or32-*)
|
||||
os=-coff
|
||||
;;
|
||||
|
|
146
configure
vendored
146
configure
vendored
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for tinc 1.0.24.
|
||||
# Generated by GNU Autoconf 2.69 for tinc 1.0.26.
|
||||
#
|
||||
#
|
||||
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
|
||||
|
@ -577,8 +577,8 @@ MAKEFLAGS=
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='tinc'
|
||||
PACKAGE_TARNAME='tinc'
|
||||
PACKAGE_VERSION='1.0.24'
|
||||
PACKAGE_STRING='tinc 1.0.24'
|
||||
PACKAGE_VERSION='1.0.26'
|
||||
PACKAGE_STRING='tinc 1.0.26'
|
||||
PACKAGE_BUGREPORT=''
|
||||
PACKAGE_URL=''
|
||||
|
||||
|
@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures tinc 1.0.24 to adapt to many kinds of systems.
|
||||
\`configure' configures tinc 1.0.26 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
@ -1378,7 +1378,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of tinc 1.0.24:";;
|
||||
short | recursive ) echo "Configuration of tinc 1.0.26:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
@ -1497,7 +1497,7 @@ fi
|
|||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
tinc configure 1.0.24
|
||||
tinc configure 1.0.26
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
|
@ -1962,7 +1962,7 @@ cat >config.log <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by tinc $as_me 1.0.24, which was
|
||||
It was created by tinc $as_me 1.0.26, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
@ -2512,8 +2512,8 @@ test "$program_suffix" != NONE &&
|
|||
ac_script='s/[\\$]/&&/g;s/;s,x,x,$//'
|
||||
program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"`
|
||||
|
||||
# expand $ac_aux_dir to an absolute path
|
||||
am_aux_dir=`cd $ac_aux_dir && pwd`
|
||||
# Expand $ac_aux_dir to an absolute path.
|
||||
am_aux_dir=`cd "$ac_aux_dir" && pwd`
|
||||
|
||||
if test x"${MISSING+set}" != xset; then
|
||||
case $am_aux_dir in
|
||||
|
@ -2826,7 +2826,7 @@ fi
|
|||
|
||||
# Define the identity of the package.
|
||||
PACKAGE='tinc'
|
||||
VERSION='1.0.24'
|
||||
VERSION='1.0.26'
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
|
@ -5185,42 +5185,7 @@ fi
|
|||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
|
||||
$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
|
||||
if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
|
||||
CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
|
||||
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
|
||||
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
|
||||
ax_check_save_flags=$CFLAGS
|
||||
CFLAGS="$CFLAGS -fno-strict-overflow"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
ax_cv_check_cflags___fno_strict_overflow=yes
|
||||
else
|
||||
ax_cv_check_cflags___fno_strict_overflow=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
CFLAGS=$ax_check_save_flags
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
|
||||
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
|
||||
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
|
||||
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
|
||||
CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
@ -5256,8 +5221,42 @@ fi
|
|||
$as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
|
||||
if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
|
||||
CPPFLAGS="$CPPFLAGS -fwrapv"
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
|
||||
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
|
||||
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
|
||||
ax_check_save_flags=$CFLAGS
|
||||
CFLAGS="$CFLAGS -fno-strict-overflow"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
ax_cv_check_cflags___fno_strict_overflow=yes
|
||||
else
|
||||
ax_cv_check_cflags___fno_strict_overflow=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
CFLAGS=$ax_check_save_flags
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
|
||||
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
|
||||
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
|
||||
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
|
||||
else
|
||||
:
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
case $host_os in
|
||||
|
@ -5877,8 +5876,8 @@ else
|
|||
CFLAGS="$CFLAGS -Wall -Werror"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
void test(void) __attribute__ ((__malloc__));
|
||||
void test(void) { return; }
|
||||
void *test(void) __attribute__ ((__malloc__));
|
||||
void *test(void) { return (void *)0; }
|
||||
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
|
@ -6275,6 +6274,53 @@ fi
|
|||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_DECL_RES_INIT $ac_have_decl
|
||||
_ACEOF
|
||||
if test $ac_have_decl = 1; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_init in -lresolv" >&5
|
||||
$as_echo_n "checking for res_init in -lresolv... " >&6; }
|
||||
if ${ac_cv_lib_resolv_res_init+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_check_lib_save_LIBS=$LIBS
|
||||
LIBS="-lresolv $LIBS"
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
/* Override any GCC internal prototype to avoid an error.
|
||||
Use char because int might match the return type of a GCC
|
||||
builtin and then its argument prototype would still apply. */
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
#endif
|
||||
char res_init ();
|
||||
int
|
||||
main ()
|
||||
{
|
||||
return res_init ();
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
ac_cv_lib_resolv_res_init=yes
|
||||
else
|
||||
ac_cv_lib_resolv_res_init=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
LIBS=$ac_check_lib_save_LIBS
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_init" >&5
|
||||
$as_echo "$ac_cv_lib_resolv_res_init" >&6; }
|
||||
if test "x$ac_cv_lib_resolv_res_init" = xyes; then :
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define HAVE_LIBRESOLV 1
|
||||
_ACEOF
|
||||
|
||||
LIBS="-lresolv $LIBS"
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
|
||||
cat >confcache <<\_ACEOF
|
||||
|
@ -7396,7 +7442,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
|||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by tinc $as_me 1.0.24, which was
|
||||
This file was extended by tinc $as_me 1.0.26, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
@ -7462,7 +7508,7 @@ _ACEOF
|
|||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
tinc config.status 1.0.24
|
||||
tinc config.status 1.0.26
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
|
10
configure.ac
10
configure.ac
|
@ -1,7 +1,7 @@
|
|||
dnl Process this file with autoconf to produce a configure script.
|
||||
|
||||
AC_PREREQ(2.61)
|
||||
AC_INIT([tinc], [1.0.24])
|
||||
AC_INIT([tinc], [1.0.26])
|
||||
AC_CONFIG_SRCDIR([src/tincd.c])
|
||||
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
|
||||
AC_CONFIG_HEADERS([config.h])
|
||||
|
@ -134,9 +134,9 @@ dnl No -fstack-protector-all because it doesn't work on all platforms or archite
|
|||
|
||||
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
|
||||
AS_IF([test "x$enable_hardening" != "xno"],
|
||||
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
|
||||
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
|
||||
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
|
||||
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORTIFY_SOURCE=2"])
|
||||
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"],
|
||||
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]))
|
||||
case $host_os in
|
||||
*mingw*)
|
||||
AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
|
||||
|
@ -202,7 +202,7 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
|
|||
[], [], [#include "src/have.h"]
|
||||
)
|
||||
|
||||
AC_CHECK_DECLS([res_init], [], [], [
|
||||
AC_CHECK_DECLS([res_init], [AC_CHECK_LIB(resolv, res_init)], [], [
|
||||
#include <netinet/in.h>
|
||||
#include <resolv.h>
|
||||
])
|
||||
|
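Review bot: The renamed flag in the hardening hunk (`@ -134,9 +134,9 @@`) still does not turn on glibc fortification: the macro glibc honours is `_FORTIFY_SOURCE` (with a leading underscore), while the AS_IF branch defines `FORTIFY_SOURCE`, which nothing reads. `AX_CHECK_COMPILE_FLAG` cannot catch this, because any `-D` definition compiles, so the probe succeeds and CPPFLAGS merely gains a dead define; the line should read `AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"])`. Note also that `_FORTIFY_SOURCE` only takes effect when the compiler optimizes (`-O1` or higher), so whether the bounds checks are actually compiled in still depends on the CFLAGS in use. As a point of style, the `-fwrapv`/`-fno-strict-overflow` lines in the same hunk append code-generation options to CPPFLAGS rather than CFLAGS; that works with automake's default compile rule, but a one-line comment explaining the choice, or moving them to CFLAGS, would avoid confusion.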
|
18
debian/changelog
|
@ -1,17 +1,11 @@
|
|||
tinc (1.0.24-2.1+deb8u1) jessie-security; urgency=medium
|
||||
tinc (1.0.26-1) unstable; urgency=medium
|
||||
|
||||
* Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
|
||||
* Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
|
||||
* New upstream release.
|
||||
* Use the contents, not the presence, of the pidfile to check that tincd is
|
||||
shut down properly. Closes: #774682
|
||||
* Bump Standards-Version.
|
||||
|
||||
-- Guus Sliepen <guus@debian.org> Mon, 08 Oct 2018 20:14:24 +0200
|
||||
|
||||
tinc (1.0.24-2.1) unstable; urgency=medium
|
||||
|
||||
* NMU after getting go ahead from guus on #tinc
|
||||
* Add a -dbg package which contains the debugging symbols for tinc
|
||||
Thanks hark@puscii.nl (Closes: #752561)
|
||||
|
||||
-- Micah Anderson <micah@debian.org> Tue, 24 Jun 2014 14:01:47 -0400
|
||||
-- Guus Sliepen <guus@debian.org> Sun, 05 Jul 2015 17:23:08 +0200
|
||||
|
||||
tinc (1.0.24-2) unstable; urgency=medium
|
||||
|
||||
|
|
15
debian/control
|
@ -2,7 +2,7 @@ Source: tinc
|
|||
Section: net
|
||||
Priority: optional
|
||||
Maintainer: Guus Sliepen <guus@debian.org>
|
||||
Standards-Version: 3.9.5
|
||||
Standards-Version: 3.9.6
|
||||
Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
|
||||
Homepage: http://www.tinc-vpn.org/
|
||||
|
||||
|
@ -14,16 +14,3 @@ Description: Virtual Private Network daemon
|
|||
(VPN). One daemon can handle multiple connections, so you can
|
||||
create an entire (moderately sized) VPN with only one daemon per
|
||||
participating computer.
|
||||
|
||||
Package: tinc-dbg
|
||||
Architecture: any
|
||||
Section: debug
|
||||
Priority: extra
|
||||
Depends: ${shlibs:Depends}, ${misc:Depends}, tinc (= ${binary:Version})
|
||||
Description: debugging symbols for tinc
|
||||
tinc is a daemon with which you can create a virtual private network
|
||||
(VPN). One daemon can handle multiple connections, so you can
|
||||
create an entire (moderately sized) VPN with only one daemon per
|
||||
participating computer.
|
||||
.
|
||||
This package contains the debugging symbols for tinc.
|
||||
|
|
840
debian/patches/security-fixes
|
@ -1,840 +0,0 @@
|
|||
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
|
||||
index 0548628f..a2a635fb 100644
|
||||
--- a/doc/tinc.conf.5.in
|
||||
+++ b/doc/tinc.conf.5.in
|
||||
@@ -464,7 +464,7 @@ Multiple
|
||||
.Va Address
|
||||
variables can be specified, in which case each address will be tried until a working
|
||||
connection has been established.
|
||||
-.It Va Cipher Li = Ar cipher Pq blowfish
|
||||
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
|
||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||
Any cipher supported by OpenSSL is recognised.
|
||||
Furthermore, specifying
|
||||
@@ -479,7 +479,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
|
||||
This option sets the level of compression used for UDP packets.
|
||||
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||
10 (fast lzo) and 11 (best lzo).
|
||||
-.It Va Digest Li = Ar digest Pq sha1
|
||||
+.It Va Digest Li = Ar digest Pq sha256
|
||||
The digest algorithm used to authenticate UDP packets.
|
||||
Any digest supported by OpenSSL is recognised.
|
||||
Furthermore, specifying
|
||||
diff --git a/doc/tinc.texi b/doc/tinc.texi
|
||||
index 85790028..6e422cfe 100644
|
||||
--- a/doc/tinc.texi
|
||||
+++ b/doc/tinc.texi
|
||||
@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
|
||||
tried until a working connection has been established.
|
||||
|
||||
@cindex Cipher
|
||||
-@item Cipher = <@var{cipher}> (blowfish)
|
||||
+@item Cipher = <@var{cipher}> (aes-256-cbc)
|
||||
The symmetric cipher algorithm used to encrypt UDP packets.
|
||||
Any cipher supported by OpenSSL is recognized.
|
||||
Furthermore, specifying "none" will turn off packet encryption.
|
||||
@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
|
||||
10 (fast lzo) and 11 (best lzo).
|
||||
|
||||
@cindex Digest
|
||||
-@item Digest = <@var{digest}> (sha1)
|
||||
+@item Digest = <@var{digest}> (sha256)
|
||||
The digest algorithm used to authenticate UDP packets.
|
||||
Any digest supported by OpenSSL is recognized.
|
||||
Furthermore, specifying "none" will turn off packet authentication.
|
||||
diff --git a/m4/openssl.m4 b/m4/openssl.m4
|
||||
index 254ea4ff..77b3a4a8 100644
|
||||
--- a/m4/openssl.m4
|
||||
+++ b/m4/openssl.m4
|
||||
@@ -45,12 +45,14 @@ AC_DEFUN([tinc_OPENSSL],
|
||||
[AC_MSG_ERROR([OpenSSL libraries not found.])]
|
||||
)
|
||||
|
||||
- AC_CHECK_FUNCS([RAND_pseudo_bytes EVP_EncryptInit_ex], ,
|
||||
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
+ AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
|
||||
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
)
|
||||
|
||||
- AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
|
||||
- [AC_MSG_ERROR([Missing OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
|
||||
+ [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
|
||||
[#include <openssl/evp.h>]
|
||||
)
|
||||
+
|
||||
+ AC_CHECK_FUNCS([BN_GENCB_new ERR_remove_state RSA_set0_key], , , [#include <openssl/rsa.h>])
|
||||
])
|
||||
diff --git a/src/connection.h b/src/connection.h
|
||||
index 877601fe..9e4dc663 100644
|
||||
--- a/src/connection.h
|
||||
+++ b/src/connection.h
|
||||
@@ -41,7 +41,9 @@ typedef struct connection_status_t {
|
||||
unsigned int encryptout:1; /* 1 if we can encrypt outgoing traffic */
|
||||
unsigned int decryptin:1; /* 1 if we have to decrypt incoming traffic */
|
||||
unsigned int mst:1; /* 1 if this connection is part of a minimum spanning tree */
|
||||
- unsigned int unused:23;
|
||||
+ unsigned int proxy_passed:1; /* 1 if we are connecting via a proxy and we have finished talking with it */
|
||||
+ unsigned int tarpit:1; /* 1 if the connection should be added to the tarpit */
|
||||
+ unsigned int unused:21;
|
||||
} connection_status_t;
|
||||
|
||||
#include "edge.h"
|
||||
diff --git a/src/net.c b/src/net.c
|
||||
index 8d0a0cf4..4e53d920 100644
|
||||
--- a/src/net.c
|
||||
+++ b/src/net.c
|
||||
@@ -166,6 +166,22 @@ static int build_fdset(fd_set *readset, fd_set *writeset) {
|
||||
return max;
|
||||
}
|
||||
|
||||
+/* Put a misbehaving connection in the tarpit */
|
||||
+void tarpit(int fd) {
|
||||
+ static int pits[10] = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1};
|
||||
+ static int next_pit = 0;
|
||||
+
|
||||
+ if(pits[next_pit] != -1) {
|
||||
+ closesocket(pits[next_pit]);
|
||||
+ }
|
||||
+
|
||||
+ pits[next_pit++] = fd;
|
||||
+
|
||||
+ if(next_pit >= sizeof pits / sizeof pits[0]) {
|
||||
+ next_pit = 0;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
Terminate a connection:
|
||||
- Close the socket
|
||||
@@ -186,8 +202,13 @@ void terminate_connection(connection_t *c, bool report) {
|
||||
if(c->node)
|
||||
c->node->connection = NULL;
|
||||
|
||||
- if(c->socket)
|
||||
- closesocket(c->socket);
|
||||
+ if(c->socket) {
|
||||
+ if(c->status.tarpit) {
|
||||
+ tarpit(c->socket);
|
||||
+ } else {
|
||||
+ closesocket(c->socket);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if(c->edge) {
|
||||
if(!c->node) {
|
||||
@@ -274,6 +295,7 @@ static void check_dead_connections(void) {
|
||||
closesocket(c->socket);
|
||||
do_outgoing_connection(c);
|
||||
} else {
|
||||
+ c->status.tarpit = true;
|
||||
terminate_connection(c, false);
|
||||
}
|
||||
}
|
||||
@@ -353,6 +375,7 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) {
|
||||
|
||||
if(FD_ISSET(c->socket, readset)) {
|
||||
if(!receive_meta(c)) {
|
||||
+ c->status.tarpit = true;
|
||||
terminate_connection(c, c->status.active);
|
||||
continue;
|
||||
}
|
||||
diff --git a/src/net.h b/src/net.h
|
||||
index 2b50c5a2..5ae8d344 100644
|
||||
--- a/src/net.h
|
||||
+++ b/src/net.h
|
||||
@@ -163,6 +163,7 @@ extern void flush_queue(struct node_t *);
|
||||
extern bool read_rsa_public_key(struct connection_t *);
|
||||
extern void send_mtu_probe(struct node_t *);
|
||||
extern void load_all_subnets(void);
|
||||
+extern void tarpit(int fd);
|
||||
|
||||
#ifndef HAVE_MINGW
|
||||
#define closesocket(s) close(s)
|
||||
diff --git a/src/net_packet.c b/src/net_packet.c
|
||||
index d11d58ad..5d7c212d 100644
|
||||
--- a/src/net_packet.c
|
||||
+++ b/src/net_packet.c
|
||||
@@ -145,7 +145,7 @@ void send_mtu_probe(node_t *n) {
|
||||
len = 64;
|
||||
|
||||
memset(packet.data, 0, 14);
|
||||
- RAND_pseudo_bytes(packet.data + 14, len - 14);
|
||||
+ RAND_bytes(packet.data + 14, len - 14);
|
||||
packet.len = len;
|
||||
if(i >= 4 && n->mtuprobes <= 10)
|
||||
packet.priority = -1;
|
||||
@@ -314,10 +314,10 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
|
||||
if(n->incipher) {
|
||||
outpkt = pkt[nextpkt++];
|
||||
|
||||
- if(!EVP_DecryptInit_ex(&n->inctx, NULL, NULL, NULL, NULL)
|
||||
- || !EVP_DecryptUpdate(&n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
|
||||
+ if(!EVP_DecryptInit_ex(n->inctx, NULL, NULL, NULL, NULL)
|
||||
+ || !EVP_DecryptUpdate(n->inctx, (unsigned char *) &outpkt->seqno, &outlen,
|
||||
(unsigned char *) &inpkt->seqno, inpkt->len)
|
||||
- || !EVP_DecryptFinal_ex(&n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|
||||
+ || !EVP_DecryptFinal_ex(n->inctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|
||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Error decrypting packet from %s (%s): %s",
|
||||
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return;
|
||||
@@ -482,10 +482,10 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
|
||||
if(n->outcipher) {
|
||||
outpkt = pkt[nextpkt++];
|
||||
|
||||
- if(!EVP_EncryptInit_ex(&n->outctx, NULL, NULL, NULL, NULL)
|
||||
- || !EVP_EncryptUpdate(&n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
|
||||
+ if(!EVP_EncryptInit_ex(n->outctx, NULL, NULL, NULL, NULL)
|
||||
+ || !EVP_EncryptUpdate(n->outctx, (unsigned char *) &outpkt->seqno, &outlen,
|
||||
(unsigned char *) &inpkt->seqno, inpkt->len)
|
||||
- || !EVP_EncryptFinal_ex(&n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|
||||
+ || !EVP_EncryptFinal_ex(n->outctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
|
||||
ifdebug(TRAFFIC) logger(LOG_ERR, "Error while encrypting packet to %s (%s): %s",
|
||||
n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
goto end;
|
||||
diff --git a/src/net_setup.c b/src/net_setup.c
|
||||
index fa4e9867..ea2a3b78 100644
|
||||
--- a/src/net_setup.c
|
||||
+++ b/src/net_setup.c
|
||||
@@ -53,11 +53,22 @@ char *proxyuser;
|
||||
char *proxypass;
|
||||
proxytype_t proxytype;
|
||||
|
||||
+#ifndef HAVE_RSA_SET0_KEY
|
||||
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
|
||||
+ BN_free(r->n); r->n = n;
|
||||
+ BN_free(r->e); r->e = e;
|
||||
+ BN_free(r->d); r->d = d;
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
bool read_rsa_public_key(connection_t *c) {
|
||||
FILE *fp;
|
||||
char *pubname;
|
||||
char *hcfname;
|
||||
char *key;
|
||||
+ BIGNUM *n = NULL;
|
||||
+ BIGNUM *e = NULL;
|
||||
|
||||
if(!c->rsa_key) {
|
||||
c->rsa_key = RSA_new();
|
||||
@@ -67,12 +78,19 @@ bool read_rsa_public_key(connection_t *c) {
|
||||
/* First, check for simple PublicKey statement */
|
||||
|
||||
if(get_config_string(lookup_config(c->config_tree, "PublicKey"), &key)) {
|
||||
- if(BN_hex2bn(&c->rsa_key->n, key) != strlen(key)) {
|
||||
+ if(BN_hex2bn(&n, key) != strlen(key)) {
|
||||
+ free(key);
|
||||
logger(LOG_ERR, "Invalid PublicKey for %s!", c->name);
|
||||
return false;
|
||||
}
|
||||
- BN_hex2bn(&c->rsa_key->e, "FFFF");
|
||||
free(key);
|
||||
+ BN_hex2bn(&e, "FFFF");
|
||||
+ if(!n || !e || RSA_set0_key(c->rsa_key, n, e, NULL) != 1) {
|
||||
+ BN_free(e);
|
||||
+ BN_free(n);
|
||||
+ logger(LOG_ERR, "RSA_set0_key() failed with PublicKey for %s!", c->name);
|
||||
+ return false;
|
||||
+ }
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -163,27 +181,39 @@ bool read_rsa_public_key(connection_t *c) {
|
||||
static bool read_rsa_private_key(void) {
|
||||
FILE *fp;
|
||||
char *fname, *key, *pubkey;
|
||||
+ BIGNUM *n = NULL;
|
||||
+ BIGNUM *e = NULL;
|
||||
+ BIGNUM *d = NULL;
|
||||
|
||||
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
|
||||
myself->connection->rsa_key = RSA_new();
|
||||
// RSA_blinding_on(myself->connection->rsa_key, NULL);
|
||||
- if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
|
||||
+ if(BN_hex2bn(&d, key) != strlen(key)) {
|
||||
logger(LOG_ERR, "Invalid PrivateKey for myself!");
|
||||
free(key);
|
||||
return false;
|
||||
}
|
||||
free(key);
|
||||
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
|
||||
+ BN_free(d);
|
||||
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
|
||||
return false;
|
||||
}
|
||||
- if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
|
||||
- logger(LOG_ERR, "Invalid PublicKey for myself!");
|
||||
+ if(BN_hex2bn(&n, pubkey) != strlen(pubkey)) {
|
||||
free(pubkey);
|
||||
+ BN_free(d);
|
||||
+ logger(LOG_ERR, "Invalid PublicKey for myself!");
|
||||
return false;
|
||||
}
|
||||
free(pubkey);
|
||||
- BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
|
||||
+ BN_hex2bn(&e, "FFFF");
|
||||
+ if(!n || !e || !d || RSA_set0_key(myself->connection->rsa_key, n, e, d) != 1) {
|
||||
+ BN_free(d);
|
||||
+ BN_free(e);
|
||||
+ BN_free(n);
|
||||
+ logger(LOG_ERR, "RSA_set0_key() failed with PrivateKey for myself!");
|
||||
+ return false;
|
||||
+ }
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -608,14 +638,25 @@ static bool setup_myself(void) {
|
||||
}
|
||||
free(cipher);
|
||||
} else
|
||||
- myself->incipher = EVP_bf_cbc();
|
||||
+ myself->incipher = EVP_aes_256_cbc();
|
||||
|
||||
if(myself->incipher)
|
||||
- myself->inkeylength = myself->incipher->key_len + myself->incipher->iv_len;
|
||||
+ myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
|
||||
else
|
||||
myself->inkeylength = 1;
|
||||
|
||||
- myself->connection->outcipher = EVP_bf_ofb();
|
||||
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
|
||||
+ but try to match the key size with the one from the cipher selected
|
||||
+ by Cipher.
|
||||
+ */
|
||||
+
|
||||
+ int keylen = EVP_CIPHER_key_length(myself->incipher);
|
||||
+ if(keylen <= 16)
|
||||
+ myself->connection->outcipher = EVP_aes_128_cfb();
|
||||
+ else if(keylen <= 24)
|
||||
+ myself->connection->outcipher = EVP_aes_192_cfb();
|
||||
+ else
|
||||
+ myself->connection->outcipher = EVP_aes_256_cfb();
|
||||
|
||||
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
|
||||
keylifetime = 3600;
|
||||
@@ -639,13 +680,13 @@ static bool setup_myself(void) {
|
||||
|
||||
free(digest);
|
||||
} else
|
||||
- myself->indigest = EVP_sha1();
|
||||
+ myself->indigest = EVP_sha256();
|
||||
|
||||
- myself->connection->outdigest = EVP_sha1();
|
||||
+ myself->connection->outdigest = EVP_sha256();
|
||||
|
||||
if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
|
||||
if(myself->indigest) {
|
||||
- if(myself->inmaclength > myself->indigest->md_size) {
|
||||
+ if(myself->inmaclength > EVP_MD_size(myself->indigest)) {
|
||||
logger(LOG_ERR, "MAC length exceeds size of digest!");
|
||||
return false;
|
||||
} else if(myself->inmaclength < 0) {
|
||||
diff --git a/src/net_socket.c b/src/net_socket.c
|
||||
index 9a67bb3c..479b595d 100644
|
||||
--- a/src/net_socket.c
|
||||
+++ b/src/net_socket.c
|
||||
@@ -513,6 +513,9 @@ void setup_outgoing_connection(outgoing_t *outgoing) {
|
||||
new connection
|
||||
*/
|
||||
bool handle_new_meta_connection(int sock) {
|
||||
+ static const int max_accept_burst = 10;
|
||||
+ static int last_accept_burst;
|
||||
+ static int last_accept_time;
|
||||
connection_t *c;
|
||||
sockaddr_t sa;
|
||||
int fd;
|
||||
@@ -525,6 +528,22 @@ bool handle_new_meta_connection(int sock) {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ if(last_accept_time == now) {
|
||||
+ last_accept_burst++;
|
||||
+
|
||||
+ if(last_accept_burst >= max_accept_burst) {
|
||||
+ if(last_accept_burst == max_accept_burst) {
|
||||
+ ifdebug(CONNECTIONS) logger(LOG_WARNING, "Throttling incoming connections");
|
||||
+ }
|
||||
+
|
||||
+ tarpit(fd);
|
||||
+ return false;
|
||||
+ }
|
||||
+ } else {
|
||||
+ last_accept_burst = 0;
|
||||
+ last_accept_time = now;
|
||||
+ }
|
||||
+
|
||||
sockaddrunmap(&sa);
|
||||
|
||||
c = new_connection();
|
||||
@@ -546,7 +565,6 @@ bool handle_new_meta_connection(int sock) {
|
||||
connection_add(c);
|
||||
|
||||
c->allow_request = ID;
|
||||
- send_id(c);
|
||||
|
||||
return true;
|
||||
}
|
||||
diff --git a/src/node.c b/src/node.c
|
||||
index cf70f838..19f37306 100644
|
||||
--- a/src/node.c
|
||||
+++ b/src/node.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
node.c -- node tree management
|
||||
- Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
+ Copyright (C) 2001-2016 Guus Sliepen <guus@tinc-vpn.org>,
|
||||
2001-2005 Ivo Timmermans
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
@@ -57,8 +57,10 @@ node_t *new_node(void) {
|
||||
if(replaywin) n->late = xmalloc_and_zero(replaywin);
|
||||
n->subnet_tree = new_subnet_tree();
|
||||
n->edge_tree = new_edge_tree();
|
||||
- EVP_CIPHER_CTX_init(&n->inctx);
|
||||
- EVP_CIPHER_CTX_init(&n->outctx);
|
||||
+ n->inctx = EVP_CIPHER_CTX_new();
|
||||
+ n->outctx = EVP_CIPHER_CTX_new();
|
||||
+ if(!n->inctx || !n->outctx)
|
||||
+ abort();
|
||||
n->mtu = MTU;
|
||||
n->maxmtu = MTU;
|
||||
|
||||
@@ -80,8 +82,8 @@ void free_node(node_t *n) {
|
||||
|
||||
sockaddrfree(&n->address);
|
||||
|
||||
- EVP_CIPHER_CTX_cleanup(&n->inctx);
|
||||
- EVP_CIPHER_CTX_cleanup(&n->outctx);
|
||||
+ EVP_CIPHER_CTX_free(n->outctx);
|
||||
+ EVP_CIPHER_CTX_free(n->inctx);
|
||||
|
||||
if(n->mtuevent)
|
||||
event_del(n->mtuevent);
|
||||
@@ -172,8 +174,8 @@ void dump_nodes(void) {
|
||||
for(node = node_tree->head; node; node = node->next) {
|
||||
n = node->data;
|
||||
logger(LOG_DEBUG, " %s at %s cipher %d digest %d maclength %d compression %d options %x status %04x nexthop %s via %s pmtu %d (min %d max %d)",
|
||||
- n->name, n->hostname, n->outcipher ? n->outcipher->nid : 0,
|
||||
- n->outdigest ? n->outdigest->type : 0, n->outmaclength, n->outcompression,
|
||||
+ n->name, n->hostname, n->outcipher ? EVP_CIPHER_nid(n->outcipher) : 0,
|
||||
+ n->outdigest ? EVP_MD_type(n->outdigest) : 0, n->outmaclength, n->outcompression,
|
||||
n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-",
|
||||
n->via ? n->via->name : "-", n->mtu, n->minmtu, n->maxmtu);
|
||||
}
|
||||
diff --git a/src/node.h b/src/node.h
|
||||
index f9ef3c15..c83610e8 100644
|
||||
--- a/src/node.h
|
||||
+++ b/src/node.h
|
||||
@@ -50,12 +50,12 @@ typedef struct node_t {
|
||||
const EVP_CIPHER *incipher; /* Cipher type for UDP packets received from him */
|
||||
char *inkey; /* Cipher key and iv */
|
||||
int inkeylength; /* Cipher key and iv length */
|
||||
- EVP_CIPHER_CTX inctx; /* Cipher context */
|
||||
+ EVP_CIPHER_CTX *inctx; /* Cipher context */
|
||||
|
||||
const EVP_CIPHER *outcipher; /* Cipher type for UDP packets sent to him*/
|
||||
char *outkey; /* Cipher key and iv */
|
||||
int outkeylength; /* Cipher key and iv length */
|
||||
- EVP_CIPHER_CTX outctx; /* Cipher context */
|
||||
+ EVP_CIPHER_CTX *outctx; /* Cipher context */
|
||||
|
||||
const EVP_MD *indigest; /* Digest type for MAC of packets received from him */
|
||||
int inmaclength; /* Length of MAC */
|
||||
diff --git a/src/protocol_auth.c b/src/protocol_auth.c
|
||||
index 971341f7..5834fcdf 100644
|
||||
--- a/src/protocol_auth.c
|
||||
+++ b/src/protocol_auth.c
|
||||
@@ -145,7 +145,7 @@ bool id_h(connection_t *c) {
|
||||
|
||||
/* Check if identity is a valid name */
|
||||
|
||||
- if(!check_id(name)) {
|
||||
+ if(!check_id(name) || !strcmp(name, myself->name)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ID", c->name,
|
||||
c->hostname, "invalid name");
|
||||
return false;
|
||||
@@ -177,6 +177,11 @@ bool id_h(connection_t *c) {
|
||||
if(!c->config_tree)
|
||||
init_configuration(&c->config_tree);
|
||||
c->allow_request = ACK;
|
||||
+
|
||||
+ if(!c->outgoing) {
|
||||
+ send_id(c);
|
||||
+ }
|
||||
+
|
||||
return send_ack(c);
|
||||
}
|
||||
|
||||
@@ -196,6 +201,10 @@ bool id_h(connection_t *c) {
|
||||
|
||||
c->allow_request = METAKEY;
|
||||
|
||||
+ if(!c->outgoing) {
|
||||
+ send_id(c);
|
||||
+ }
|
||||
+
|
||||
return send_metakey(c);
|
||||
}
|
||||
|
||||
@@ -210,8 +219,11 @@ bool send_metakey(connection_t *c) {
|
||||
|
||||
c->outkey = xrealloc(c->outkey, len);
|
||||
|
||||
- if(!c->outctx)
|
||||
- c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
|
||||
+ if(!c->outctx) {
|
||||
+ c->outctx = EVP_CIPHER_CTX_new();
|
||||
+ if(!c->outctx)
|
||||
+ abort();
|
||||
+ }
|
||||
|
||||
/* Copy random data to the buffer */
|
||||
|
||||
@@ -262,17 +274,17 @@ bool send_metakey(connection_t *c) {
|
||||
/* Send the meta key */
|
||||
|
||||
x = send_request(c, "%d %d %d %d %d %s", METAKEY,
|
||||
- c->outcipher ? c->outcipher->nid : 0,
|
||||
- c->outdigest ? c->outdigest->type : 0, c->outmaclength,
|
||||
+ c->outcipher ? EVP_CIPHER_nid(c->outcipher) : 0,
|
||||
+ c->outdigest ? EVP_MD_type(c->outdigest) : 0, c->outmaclength,
|
||||
c->outcompression, buffer);
|
||||
|
||||
/* Further outgoing requests are encrypted with the key we just generated */
|
||||
|
||||
if(c->outcipher) {
|
||||
if(!EVP_EncryptInit(c->outctx, c->outcipher,
|
||||
- (unsigned char *)c->outkey + len - c->outcipher->key_len,
|
||||
- (unsigned char *)c->outkey + len - c->outcipher->key_len -
|
||||
- c->outcipher->iv_len)) {
|
||||
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher),
|
||||
+ (unsigned char *)c->outkey + len - EVP_CIPHER_key_length(c->outcipher) -
|
||||
+ EVP_CIPHER_iv_length(c->outcipher))) {
|
||||
logger(LOG_ERR, "Error during initialisation of cipher for %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
@@ -308,8 +320,11 @@ bool metakey_h(connection_t *c) {
|
||||
|
||||
c->inkey = xrealloc(c->inkey, len);
|
||||
|
||||
- if(!c->inctx)
|
||||
- c->inctx = xmalloc_and_zero(sizeof(*c->inctx));
|
||||
+ if(!c->inctx) {
|
||||
+ c->inctx = EVP_CIPHER_CTX_new();
|
||||
+ if(!c->inctx)
|
||||
+ abort();
|
||||
+ }
|
||||
|
||||
/* Convert the challenge from hexadecimal back to binary */
|
||||
|
||||
@@ -345,9 +360,9 @@ bool metakey_h(connection_t *c) {
|
||||
}
|
||||
|
||||
if(!EVP_DecryptInit(c->inctx, c->incipher,
|
||||
- (unsigned char *)c->inkey + len - c->incipher->key_len,
|
||||
- (unsigned char *)c->inkey + len - c->incipher->key_len -
|
||||
- c->incipher->iv_len)) {
|
||||
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher),
|
||||
+ (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) -
|
||||
+ EVP_CIPHER_iv_length(c->incipher))) {
|
||||
logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
@@ -355,7 +370,8 @@ bool metakey_h(connection_t *c) {
|
||||
|
||||
c->status.decryptin = true;
|
||||
} else {
|
||||
- c->incipher = NULL;
|
||||
+ logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname);
|
||||
+ return false;
|
||||
}
|
||||
|
||||
c->inmaclength = maclength;
|
||||
@@ -368,12 +384,13 @@ bool metakey_h(connection_t *c) {
|
||||
return false;
|
||||
}
|
||||
|
||||
- if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
|
||||
+ if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) {
|
||||
logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname);
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
- c->indigest = NULL;
|
||||
+ logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname);
|
||||
+ return false;
|
||||
}
|
||||
|
||||
c->incompression = compression;
|
||||
@@ -447,27 +464,38 @@ bool challenge_h(connection_t *c) {
|
||||
|
||||
/* Rest is done by send_chal_reply() */
|
||||
|
||||
- return send_chal_reply(c);
|
||||
+ if(c->outgoing) {
|
||||
+ return send_chal_reply(c);
|
||||
+ } else {
|
||||
+ return true;
|
||||
+ }
|
||||
}
|
||||
|
||||
bool send_chal_reply(connection_t *c) {
|
||||
char hash[EVP_MAX_MD_SIZE * 2 + 1];
|
||||
- EVP_MD_CTX ctx;
|
||||
+ EVP_MD_CTX *ctx;
|
||||
|
||||
/* Calculate the hash from the challenge we received */
|
||||
|
||||
- if(!EVP_DigestInit(&ctx, c->indigest)
|
||||
- || !EVP_DigestUpdate(&ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|
||||
- || !EVP_DigestFinal(&ctx, (unsigned char *)hash, NULL)) {
|
||||
+ ctx = EVP_MD_CTX_create();
|
||||
+ if(!ctx)
|
||||
+ abort();
|
||||
+
|
||||
+ if(!EVP_DigestInit(ctx, c->indigest)
|
||||
+ || !EVP_DigestUpdate(ctx, c->mychallenge, RSA_size(myself->connection->rsa_key))
|
||||
+ || !EVP_DigestFinal(ctx, (unsigned char *)hash, NULL)) {
|
||||
+ EVP_MD_CTX_destroy(ctx);
|
||||
logger(LOG_ERR, "Error during calculation of response for %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
}
|
||||
|
||||
+ EVP_MD_CTX_destroy(ctx);
|
||||
+
|
||||
/* Convert the hash to a hexadecimal formatted string */
|
||||
|
||||
- bin2hex(hash, hash, c->indigest->md_size);
|
||||
- hash[c->indigest->md_size * 2] = '\0';
|
||||
+ bin2hex(hash, hash, EVP_MD_size(c->indigest));
|
||||
+ hash[EVP_MD_size(c->indigest) * 2] = '\0';
|
||||
|
||||
/* Send the reply */
|
||||
|
||||
@@ -477,7 +505,7 @@ bool send_chal_reply(connection_t *c) {
|
||||
bool chal_reply_h(connection_t *c) {
|
||||
char hishash[MAX_STRING_SIZE];
|
||||
char myhash[EVP_MAX_MD_SIZE];
|
||||
- EVP_MD_CTX ctx;
|
||||
+ EVP_MD_CTX *ctx;
|
||||
|
||||
if(sscanf(c->buffer, "%*d " MAX_STRING, hishash) != 1) {
|
||||
logger(LOG_ERR, "Got bad %s from %s (%s)", "CHAL_REPLY", c->name,
|
||||
@@ -487,7 +515,7 @@ bool chal_reply_h(connection_t *c) {
|
||||
|
||||
/* Check if the length of the hash is all right */
|
||||
|
||||
- if(strlen(hishash) != c->outdigest->md_size * 2) {
|
||||
+ if(strlen(hishash) != EVP_MD_size(c->outdigest) * 2) {
|
||||
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
|
||||
c->hostname, "wrong challenge reply length");
|
||||
return false;
|
||||
@@ -495,24 +523,31 @@ bool chal_reply_h(connection_t *c) {
|
||||
|
||||
/* Convert the hash to binary format */
|
||||
|
||||
- if(!hex2bin(hishash, hishash, c->outdigest->md_size)) {
|
||||
+ if(!hex2bin(hishash, hishash, EVP_MD_size(c->outdigest))) {
|
||||
logger(LOG_ERR, "Got bad %s from %s(%s): %s", "CHAL_REPLY", c->name, c->hostname, "invalid hash");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Calculate the hash from the challenge we sent */
|
||||
|
||||
- if(!EVP_DigestInit(&ctx, c->outdigest)
|
||||
- || !EVP_DigestUpdate(&ctx, c->hischallenge, RSA_size(c->rsa_key))
|
||||
- || !EVP_DigestFinal(&ctx, (unsigned char *)myhash, NULL)) {
|
||||
+ ctx = EVP_MD_CTX_create();
|
||||
+ if(!ctx)
|
||||
+ abort();
|
||||
+
|
||||
+ if(!EVP_DigestInit(ctx, c->outdigest)
|
||||
+ || !EVP_DigestUpdate(ctx, c->hischallenge, RSA_size(c->rsa_key))
|
||||
+ || !EVP_DigestFinal(ctx, (unsigned char *)myhash, NULL)) {
|
||||
+ EVP_MD_CTX_destroy(ctx);
|
||||
logger(LOG_ERR, "Error during calculation of response from %s (%s): %s",
|
||||
c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
|
||||
return false;
|
||||
}
|
||||
|
||||
+ EVP_MD_CTX_destroy(ctx);
|
||||
+
|
||||
/* Verify the incoming hash with the calculated hash */
|
||||
|
||||
- if(memcmp(hishash, myhash, c->outdigest->md_size)) {
|
||||
+ if(memcmp(hishash, myhash, EVP_MD_size(c->outdigest))) {
|
||||
logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name,
|
||||
c->hostname, "wrong challenge reply");
|
||||
|
||||
@@ -531,6 +566,10 @@ bool chal_reply_h(connection_t *c) {
|
||||
|
||||
c->allow_request = ACK;
|
||||
|
||||
+ if(!c->outgoing) {
|
||||
+ send_chal_reply(c);
|
||||
+ }
|
||||
+
|
||||
return send_ack(c);
|
||||
}
|
||||
|
||||
diff --git a/src/protocol_edge.c b/src/protocol_edge.c
|
||||
index 3dfff05e..fa57494e 100644
|
||||
--- a/src/protocol_edge.c
|
||||
+++ b/src/protocol_edge.c
|
||||
@@ -70,7 +70,7 @@ bool add_edge_h(connection_t *c) {
|
||||
|
||||
/* Check if names are valid */
|
||||
|
||||
- if(!check_id(from_name) || !check_id(to_name)) {
|
||||
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "ADD_EDGE", c->name,
|
||||
c->hostname, "invalid name");
|
||||
return false;
|
||||
@@ -181,7 +181,7 @@ bool del_edge_h(connection_t *c) {
|
||||
|
||||
/* Check if names are valid */
|
||||
|
||||
- if(!check_id(from_name) || !check_id(to_name)) {
|
||||
+ if(!check_id(from_name) || !check_id(to_name) || !strcmp(from_name, to_name)) {
|
||||
logger(LOG_ERR, "Got bad %s from %s (%s): %s", "DEL_EDGE", c->name,
|
||||
c->hostname, "invalid name");
|
||||
return false;
|
||||
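--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@@ -164,7 +164,7 @@ bool send_ans_key(node_t *to) {
 }
 
 if(to->incipher)
- EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
+ EVP_DecryptInit_ex(to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + EVP_CIPHER_key_length(to->incipher));
 
 // Reset sequence number and late packet window
 mykeyused = true;
@@ -178,8 +178,8 @@ bool send_ans_key(node_t *to) {
 
 return send_request(to->nexthop->connection, "%d %s %s %s %d %d %d %d", ANS_KEY,
 myself->name, to->name, key,
- to->incipher ? to->incipher->nid : 0,
- to->indigest ? to->indigest->type : 0, to->inmaclength,
+ to->incipher ? EVP_CIPHER_nid(to->incipher) : 0,
+ to->indigest ? EVP_MD_type(to->indigest) : 0, to->inmaclength,
 to->incompression);
 }
 
@@ -268,12 +268,17 @@ bool ans_key_h(connection_t *c) {
 return true;
 }
 
- if(from->outkeylength != from->outcipher->key_len + from->outcipher->iv_len) {
+ if(from->outkeylength != EVP_CIPHER_key_length(from->outcipher) + EVP_CIPHER_iv_length(from->outcipher)) {
 logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name,
 from->hostname);
 return true;
 }
 } else {
+ if(from->outkeylength != 1) {
+ logger(LOG_ERR, "Node %s (%s) uses wrong keylength!", from->name, from->hostname);
+ return true;
+ }
+
 from->outcipher = NULL;
 }
 
@@ -288,7 +293,7 @@ bool ans_key_h(connection_t *c) {
 return true;
 }
 
- if(from->outmaclength > from->outdigest->md_size || from->outmaclength < 0) {
+ if(from->outmaclength > EVP_MD_size(from->outdigest) || from->outmaclength < 0) {
 logger(LOG_ERR, "Node %s (%s) uses bogus MAC length!",
 from->name, from->hostname);
 return true;
@@ -305,7 +310,7 @@ bool ans_key_h(connection_t *c) {
 from->outcompression = compression;
 
 if(from->outcipher)
- if(!EVP_EncryptInit_ex(&from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + from->outcipher->key_len)) {
+ if(!EVP_EncryptInit_ex(from->outctx, from->outcipher, NULL, (unsigned char *)from->outkey, (unsigned char *)from->outkey + EVP_CIPHER_key_length(from->outcipher))) {
 logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s",
 from->name, from->hostname, ERR_error_string(ERR_get_error(), NULL));
 return true;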
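Review bot: In send_ans_key (@@ -164) the return value of EVP_DecryptInit_ex() is still discarded after the rewrite, whereas the parallel EVP_EncryptInit_ex() call in ans_key_h (@@ -305) is checked and logged; a failed init leaves inctx unusable while the function goes on to announce the key to the peer. Mirroring the existing handling, `if(!EVP_DecryptInit_ex(to->inctx, ...)) { logger(LOG_ERR, "Error during initialisation of key from %s (%s): %s", to->name, to->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; }` — whether false is the right result for send_ans_key's callers cannot be told from this hunk. Both calls now pass to->inctx / from->outctx as pointers rather than taking the address of an embedded context, so the allocation that sets them is outside this diff and is worth confirming to be non-NULL before these calls. The added `outkeylength != 1` guard in the no-cipher branch deserves a one-line comment recording the expectation, e.g. `/* No cipher: the announced key must be exactly 1 byte long */`.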
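--- a/src/tincd.c
+++ b/src/tincd.c
@@ -330,7 +330,7 @@ static bool parse_options(int argc, char **argv) {
 
 /* This function prettyprints the key generation process */
 
-static void indicator(int a, int b, void *p) {
+static int indicator(int a, int b, BN_GENCB *cb) {
 switch (a) {
 case 0:
 fprintf(stderr, ".");
@@ -362,19 +362,48 @@ static void indicator(int a, int b, void *p) {
 default:
 fprintf(stderr, "?");
 }
+
+ return 1;
+}
+
+#ifndef HAVE_BN_GENCB_NEW
+BN_GENCB *BN_GENCB_new(void) {
+ return xmalloc_and_zero(sizeof(BN_GENCB));
 }
 
+void BN_GENCB_free(BN_GENCB *cb) {
+ free(cb);
+}
+#endif
+
 /*
 Generate a public/private RSA keypair, and ask for a file to store
 them in.
 */
 static bool keygen(int bits) {
+ BIGNUM *e = NULL;
 RSA *rsa_key;
 FILE *f;
 char *pubname, *privname;
+ BN_GENCB *cb;
+ int result;
 
 fprintf(stderr, "Generating %d bits keys:\n", bits);
- rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
+
+ cb = BN_GENCB_new();
+ if(!cb)
+ abort();
+ BN_GENCB_set(cb, indicator, NULL);
+
+ rsa_key = RSA_new();
+ BN_hex2bn(&e, "10001");
+ if(!rsa_key || !e)
+ abort();
+
+ result = RSA_generate_key_ex(rsa_key, bits, e, cb);
+
+ BN_free(e);
+ BN_GENCB_free(cb);
 
 if(!rsa_key) {
 fprintf(stderr, "Error during key generation!\n");
@@ -697,7 +726,11 @@ end:
 EVP_cleanup();
 ENGINE_cleanup();
 CRYPTO_cleanup_all_ex_data();
+#ifdef HAVE_ERR_REMOVE_STATE
+ // OpenSSL claims this function was deprecated in 1.0.0,
+ // but valgrind's leak detector shows you still need to call it to make sure OpenSSL cleans up properly.
 ERR_remove_state(0);
+#endif
 ERR_free_strings();
 
 exit_configuration(&config_tree);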
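Review bot: In keygen (@@ -362) `result` from RSA_generate_key_ex() is stored but never tested within the hunk, and the check that follows, `if(!rsa_key)`, can no longer fail because rsa_key was already abort()-checked right after RSA_new(); unless result is examined further down outside the hunk, a failed generation is reported as success and an unpopulated key is written out. The check should become `if(!result) {` with `RSA_free(rsa_key);` added to that error path, since the key is now allocated by this function rather than returned by the generator. The `cb` parameter of the new indicator() signature is unused, like `b` and `p` before it; a `(void)cb;` or a short comment that the callback merely prints progress and returns 1 to continue would make that deliberate. keygen's body continues beyond the hunk.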
1
debian/patches/series
|
@ -1 +0,0 @@
|
|||
security-fixes
|
6
debian/rules
|
@ -12,15 +12,11 @@
|
|||
%:
|
||||
dh $@ --parallel
|
||||
|
||||
.PHONY: override_dh_strip
|
||||
override_dh_strip:
|
||||
dh_strip --dbg-package=tinc-dbg
|
||||
|
||||
override_dh_auto_configure:
|
||||
dh_auto_configure -- --enable-uml --enable-vde
|
||||
|
||||
override_dh_auto_install:
|
||||
dh_auto_install --destdir=debian/tinc -- install-html
|
||||
dh_auto_install -- install-html
|
||||
# Remove info dir file
|
||||
rm -f debian/tinc/usr/share/info/dir
|
||||
|
||||
|
|
6
debian/tinc.if-post-down
|
@ -12,7 +12,11 @@ if [ "$IF_TINC_NET" ] ; then
|
|||
/usr/sbin/tincd -n "$IF_TINC_NET" -k $EXTRA
|
||||
sleep 0.1
|
||||
i=0;
|
||||
while [ -f "$IF_TINC_PIDFILE" ] ; do
|
||||
while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE ; do
|
||||
if [ ! -e "/proc/$pid" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ $i = '30' ] ; then
|
||||
echo 'Failed to stop tinc daemon!'
|
||||
exit 1
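Review bot: The rewritten loop condition drops the quoting the old line had: `while [ -f $IF_TINC_PIDFILE ] && read pid rest < $IF_TINC_PIDFILE` leaves the path subject to word splitting and globbing, and an empty value turns `[ -f ]` into a single-argument test that is always true; `while [ -f "$IF_TINC_PIDFILE" ] && read pid rest < "$IF_TINC_PIDFILE" ; do` restores it. `pid` is used exactly as read from the file, so an empty or non-numeric first field makes `[ ! -e "/proc/$pid" ]` test `/proc/` itself, which always exists, and the loop runs the full 30 iterations before printing 'Failed to stop tinc daemon!' instead of naming the real cause. A guard such as `case "$pid" in ''|*[!0-9]*) echo 'Invalid pidfile'; exit 1;; esac` before the /proc test would make that explicit. The loop body and its `done` continue outside the hunk.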
|
||||
|
|
15
debian/tinc.if-pre-up
|
@ -45,7 +45,20 @@ test -n "$LIMITS" && setlimits $LIMITS
|
|||
|
||||
sleep 0.1
|
||||
i=0;
|
||||
while [ ! -f "$IF_TINC_PIDFILE" ] ; do
|
||||
while [ ! -f $IF_TINC_PIDFILE ] ; do
|
||||
if [ $i = '30' ] ; then
|
||||
echo 'Failed to start tinc daemon!'
|
||||
exit 1
|
||||
fi
|
||||
sleep 0.1
|
||||
i=$(($i+1))
|
||||
done
|
||||
|
||||
while read pid rest < $IF_TINC_PIDFILE ; do
|
||||
if [ -e "/proc/$pid" ] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ $i = '30' ] ; then
|
||||
echo 'Failed to start tinc daemon!'
|
||||
exit 1
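Review bot: The counter `i` is not reset between the two wait loops: the first loop advances it with `i=$(($i+1))`, and the second loop's `if [ $i = '30' ]` test therefore starts from wherever the first loop stopped, so the time allowed for the process to appear in /proc shrinks by however long the pidfile took to appear. Adding `i=0` immediately before `while read pid rest < "$IF_TINC_PIDFILE" ; do` gives each phase its own budget. The same hunk removes the quoting on `$IF_TINC_PIDFILE` in both `while` lines; restore `"$IF_TINC_PIDFILE"` so the path is neither word-split nor globbed. Note also that `read` fails on an empty pidfile, which ends the second loop silently and falls through to whatever follows the hunk.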
|
||||
|
|
|
@ -486,12 +486,9 @@ Furthermore, specifying
|
|||
.Qq none
|
||||
will turn off packet authentication.
|
||||
.It Va IndirectData Li = yes | no Pq no
|
||||
This option specifies whether other tinc daemons besides the one you specified with
|
||||
.Va ConnectTo
|
||||
can make a direct connection to you.
|
||||
This is especially useful if you are behind a firewall
|
||||
and it is impossible to make a connection from the outside to your tinc daemon.
|
||||
Otherwise, it is best to leave this option out or set it to no.
|
||||
When set to yes, only nodes which already have a meta connection to you
|
||||
will try to establish direct communication with you.
|
||||
It is best to leave this option out or set it to no.
|
||||
.It Va MACLength Li = Ar length Pq 4
|
||||
The length of the message authentication code used to authenticate UDP packets.
|
||||
Can be anything from
|
||||
|
|
281
doc/tinc.info
|
@ -5,7 +5,7 @@ START-INFO-DIR-ENTRY
|
|||
* tinc: (tinc). The tinc Manual.
|
||||
END-INFO-DIR-ENTRY
|
||||
|
||||
This is the info manual for tinc version 1.0.23, a Virtual Private
|
||||
This is the info manual for tinc version 1.0.25, a Virtual Private
|
||||
Network daemon.
|
||||
|
||||
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
|
||||
|
@ -139,7 +139,7 @@ File: tinc.info, Node: Supported platforms, Prev: tinc, Up: Introduction
|
|||
=======================
|
||||
|
||||
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD,
|
||||
MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin
|
||||
Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin
|
||||
environment), with various hardware architectures. These are some of
|
||||
the platforms that are supported by the universal tun/tap device driver
|
||||
or other virtual network device drivers. Without such a driver, tinc
|
||||
|
@ -176,7 +176,7 @@ File: tinc.info, Node: Configuring the kernel, Next: Libraries, Up: Preparati
|
|||
* Configuration of OpenBSD kernels::
|
||||
* Configuration of NetBSD kernels::
|
||||
* Configuration of Solaris kernels::
|
||||
* Configuration of Darwin (MacOS/X) kernels::
|
||||
* Configuration of Darwin (Mac OS X) kernels::
|
||||
* Configuration of Windows::
|
||||
|
||||
|
||||
|
@ -238,7 +238,7 @@ default kernel configuration.
|
|||
Tunneling IPv6 may not work on NetBSD's tun device.
|
||||
|
||||
|
||||
File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (MacOS/X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
|
||||
File: tinc.info, Node: Configuration of Solaris kernels, Next: Configuration of Darwin (Mac OS X) kernels, Prev: Configuration of NetBSD kernels, Up: Configuring the kernel
|
||||
|
||||
2.1.5 Configuration of Solaris kernels
|
||||
--------------------------------------
|
||||
|
@ -251,23 +251,18 @@ sparc64 architectures, precompiled versions can be found at
|
|||
header file is missing, install it from the source package.
|
||||
|
||||
|
||||
File: tinc.info, Node: Configuration of Darwin (MacOS/X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
|
||||
File: tinc.info, Node: Configuration of Darwin (Mac OS X) kernels, Next: Configuration of Windows, Prev: Configuration of Solaris kernels, Up: Configuring the kernel
|
||||
|
||||
2.1.6 Configuration of Darwin (MacOS/X) kernels
|
||||
-----------------------------------------------
|
||||
2.1.6 Configuration of Darwin (Mac OS X) kernels
|
||||
------------------------------------------------
|
||||
|
||||
Tinc on Darwin relies on a tunnel driver for its data acquisition from
|
||||
the kernel. Tinc supports either the driver from
|
||||
<http://tuntaposx.sourceforge.net/>, which supports both tun and tap
|
||||
style devices, and also the driver from from
|
||||
<http://chrisp.de/en/projects/tunnel.html>. The former driver is
|
||||
recommended. The tunnel driver must be loaded before starting tinc with
|
||||
the following command:
|
||||
|
||||
kmodload tunnel
|
||||
style devices.
|
||||
|
||||
|
||||
File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (MacOS/X) kernels, Up: Configuring the kernel
|
||||
File: tinc.info, Node: Configuration of Windows, Prev: Configuration of Darwin (Mac OS X) kernels, Up: Configuring the kernel
|
||||
|
||||
2.1.7 Configuration of Windows
|
||||
------------------------------
|
||||
|
@ -304,7 +299,7 @@ File: tinc.info, Node: OpenSSL, Next: zlib, Up: Libraries
|
|||
For all cryptography-related functions, tinc uses the functions provided
|
||||
by the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when
|
||||
If this library is not installed, you will get an error when
|
||||
configuring tinc for build. Support for running tinc with other
|
||||
cryptographic libraries installed _may_ be added in the future.
|
||||
|
||||
|
@ -360,7 +355,7 @@ File: tinc.info, Node: zlib, Next: lzo, Prev: OpenSSL, Up: Libraries
|
|||
For the optional compression of UDP packets, tinc uses the functions
|
||||
provided by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when running
|
||||
If this library is not installed, you will get an error when running
|
||||
the configure script. You can either install the zlib library, or
|
||||
disable support for zlib compression by using the "-disable-zlib" option
|
||||
when running the configure script. Note that if you disable support for
|
||||
|
@ -385,7 +380,7 @@ File: tinc.info, Node: lzo, Prev: zlib, Up: Libraries
|
|||
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when running
|
||||
If this library is not installed, you will get an error when running
|
||||
the configure script. You can either install the LZO library, or
|
||||
disable support for LZO compression by using the "-disable-lzo" option
|
||||
when running the configure script. Note that if you disable support for
|
||||
|
@ -445,25 +440,26 @@ your distribution will tell you how to do that.
|
|||
|
||||
* Menu:
|
||||
|
||||
* Darwin (MacOS/X) build environment::
|
||||
* Darwin (Mac OS X) build environment::
|
||||
* Cygwin (Windows) build environment::
|
||||
* MinGW (Windows) build environment::
|
||||
|
||||
|
||||
File: tinc.info, Node: Darwin (MacOS/X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
|
||||
File: tinc.info, Node: Darwin (Mac OS X) build environment, Next: Cygwin (Windows) build environment, Up: Building and installing tinc
|
||||
|
||||
3.1.1 Darwin (MacOS/X) build environment
|
||||
----------------------------------------
|
||||
3.1.1 Darwin (Mac OS X) build environment
|
||||
-----------------------------------------
|
||||
|
||||
In order to build tinc on Darwin, you need to install the MacOS/X
|
||||
In order to build tinc on Darwin, you need to install the Mac OS X
|
||||
Developer Tools from <http://developer.apple.com/tools/macosxtools.html>
|
||||
and a recent version of Fink from <http://www.finkproject.org/>.
|
||||
and preferably a recent version of Fink from
|
||||
<http://www.finkproject.org/>.
|
||||
|
||||
After installation use fink to download and install the following
|
||||
packages: autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
||||
|
||||
|
||||
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (MacOS/X) build environment, Up: Building and installing tinc
|
||||
File: tinc.info, Node: Cygwin (Windows) build environment, Next: MinGW (Windows) build environment, Prev: Darwin (Mac OS X) build environment, Up: Building and installing tinc
|
||||
|
||||
3.1.2 Cygwin (Windows) build environment
|
||||
----------------------------------------
|
||||
|
@ -596,9 +592,9 @@ assign a NETNAME to your VPN. It is not required if you only run one
|
|||
tinc daemon, it doesn't even have to be the same on all the sites of
|
||||
your VPN, but it is recommended that you choose one anyway.
|
||||
|
||||
We will asume you use a netname throughout this document. This means
|
||||
that you call tincd with the -n argument, which will assign a netname to
|
||||
this daemon.
|
||||
We will assume you use a netname throughout this document. This
|
||||
means that you call tincd with the -n argument, which will assign a
|
||||
netname to this daemon.
|
||||
|
||||
The effect of this is that the daemon will set its configuration root
|
||||
to '/etc/tinc/NETNAME/', where NETNAME is your argument to the -n
|
||||
|
@ -626,7 +622,7 @@ in the configuration file tinc.conf. If it sees one or more 'ConnectTo'
|
|||
values pointing to other tinc daemons in that file, it will try to
|
||||
connect to those other daemons. Whether this succeeds or not and
|
||||
whether 'ConnectTo' is specified or not, tinc will listen for incoming
|
||||
connection from other deamons. If you did specify a 'ConnectTo' value
|
||||
connection from other daemons. If you did specify a 'ConnectTo' value
|
||||
and the other side is not responding, tinc will keep retrying. This
|
||||
means that once started, tinc will stay running until you tell it to
|
||||
stop, and failures to connect to other tinc daemons will not stop your
|
||||
|
@ -649,7 +645,7 @@ The actual configuration of the daemon is done in the file
|
|||
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
|
||||
directory '/etc/tinc/NETNAME/hosts/'.
|
||||
|
||||
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
|
||||
An optional directory '/etc/tinc/NETNAME/conf.d' can be added from
|
||||
which any .conf file will be read.
|
||||
|
||||
These file consists of comments (lines started with a #) or
|
||||
|
@ -755,10 +751,9 @@ DecrementTTL = <yes | no> (no) [experimental]
|
|||
|
||||
Device = <DEVICE> ('/dev/tap0', '/dev/net/tun' or other depending on platform)
|
||||
The virtual network device to use. Tinc will automatically detect
|
||||
what kind of device it is. Note that you can only use one device
|
||||
per daemon. Under Windows, use INTERFACE instead of DEVICE. Note
|
||||
that you can only use one device per daemon. See also *note Device
|
||||
files::.
|
||||
what kind of device it is. Under Windows, use INTERFACE instead of
|
||||
DEVICE. Note that you can only use one device per daemon. See
|
||||
also *note Device files::.
|
||||
|
||||
DeviceType = <TYPE> (platform dependent)
|
||||
The type of the virtual network device. Tinc will normally
|
||||
|
@ -937,7 +932,7 @@ Mode = <router|switch|hub> (router)
|
|||
|
||||
Name = <NAME> [required]
|
||||
This is a symbolic name for this connection. The name should
|
||||
consist only of alfanumeric and underscore characters (a-z, A-Z,
|
||||
consist only of alphanumeric and underscore characters (a-z, A-Z,
|
||||
0-9 and _).
|
||||
|
||||
If Name starts with a $, then the contents of the environment
|
||||
|
@ -964,7 +959,7 @@ PriorityInheritance = <yes|no> (no) [experimental]
|
|||
PrivateKey = <KEY> [obsolete]
|
||||
This is the RSA private key for tinc. However, for safety reasons
|
||||
it is advised to store private keys of any kind in separate files.
|
||||
This prevents accidental eavesdropping if you are editting the
|
||||
This prevents accidental eavesdropping if you are editing the
|
||||
configuration file.
|
||||
|
||||
PrivateKeyFile = <PATH> ('/etc/tinc/NETNAME/rsa_key.priv')
|
||||
|
@ -1114,9 +1109,9 @@ PublicKeyFile = <PATH> [obsolete]
|
|||
Subnet = <ADDRESS[/PREFIXLENGTH[#WEIGHT]]>
|
||||
The subnet which this tinc daemon will serve. Tinc tries to look
|
||||
up which other daemon it should send a packet to by searching the
|
||||
appropiate subnet. If the packet matches a subnet, it will be sent
|
||||
to the daemon who has this subnet in his host configuration file.
|
||||
Multiple subnet lines can be specified for each daemon.
|
||||
appropriate subnet. If the packet matches a subnet, it will be
|
||||
sent to the daemon who has this subnet in his host configuration
|
||||
file. Multiple subnet lines can be specified for each daemon.
|
||||
|
||||
Subnets can either be single MAC, IPv4 or IPv6 addresses, in which
|
||||
case a subnet consisting of only that single address is assumed, or
|
||||
|
@ -1186,11 +1181,11 @@ scripts should have the extension .bat.
|
|||
This script is started when any host becomes unreachable.
|
||||
|
||||
'/etc/tinc/NETNAME/subnet-up'
|
||||
This script is started when a Subnet becomes reachable. The Subnet
|
||||
This script is started when a subnet becomes reachable. The Subnet
|
||||
and the node it belongs to are passed in environment variables.
|
||||
|
||||
'/etc/tinc/NETNAME/subnet-down'
|
||||
This script is started when a Subnet becomes unreachable.
|
||||
This script is started when a subnet becomes unreachable.
|
||||
|
||||
The scripts are started without command line arguments, but can make
|
||||
use of certain environment variables. Under UNIX like operating systems
|
||||
|
@ -1252,7 +1247,7 @@ Step 2. Creating your host configuration file
|
|||
.............................................
|
||||
|
||||
If you added a line containing 'Name = yourname' in the main
|
||||
configuarion file, you will need to create a host configuration file
|
||||
configuration file, you will need to create a host configuration file
|
||||
'/etc/tinc/NETNAME/hosts/yourname'. Adapt the following example to
|
||||
create a host configuration file:
|
||||
|
||||
|
@ -1880,7 +1875,7 @@ packets, and 'tap' style, which are Ethernet devices and handle complete
|
|||
Ethernet frames.
|
||||
|
||||
So when tinc reads an Ethernet frame from the device, it determines
|
||||
its type. When tinc is in it's default routing mode, it can handle IPv4
|
||||
its type. When tinc is in its default routing mode, it can handle IPv4
|
||||
and IPv6 packets. Depending on the Subnet lines, it will send the
|
||||
packets off to their destination IP address. In the 'switch' and 'hub'
|
||||
mode, tinc will use broadcasts and MAC address discovery to deduce the
|
||||
|
@ -1909,8 +1904,8 @@ the decrypted information to its own virtual network device.
|
|||
tunnel), there is no problem for the kernel to accept a packet.
|
||||
However, if it is a 'tap' device (this is the only available type on
|
||||
FreeBSD), the destination MAC address must match that of the virtual
|
||||
network interface. If tinc is in it's default routing mode, ARP does
|
||||
not work, so the correct destination MAC can not be known by the sending
|
||||
network interface. If tinc is in its default routing mode, ARP does not
|
||||
work, so the correct destination MAC can not be known by the sending
|
||||
host. Tinc solves this by letting the receiving end detect the MAC
|
||||
address of its own virtual network interface and overwriting the
|
||||
destination MAC address of the received packet.
|
||||
|
@ -2296,7 +2291,7 @@ FreeBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
|||
OpenBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
||||
NetBSD 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
||||
Solaris 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
||||
Darwin (MacOS/X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
||||
Darwin (Mac OS X) 'ifconfig' INTERFACE ADDRESS 'netmask' NETMASK
|
||||
Windows 'netsh interface ip set address' INTERFACE 'static' ADDRESS NETMASK
|
||||
|
||||
For IPv6 addresses:
|
||||
|
@ -2307,7 +2302,7 @@ OpenBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
|
|||
NetBSD 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
|
||||
Solaris 'ifconfig' INTERFACE 'inet6 plumb up'
|
||||
'ifconfig' INTERFACE 'inet6 addif' ADDRESS ADDRESS
|
||||
Darwin (MacOS/X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
|
||||
Darwin (Mac OS X) 'ifconfig' INTERFACE 'inet6' ADDRESS 'prefixlen' PREFIXLENGTH
|
||||
Windows 'netsh interface ipv6 add address' INTERFACE 'static' ADDRESS/PREFIXLENGTH
|
||||
|
||||
On some platforms, when running tinc in switch mode, the VPN
|
||||
|
@ -2344,7 +2339,7 @@ FreeBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
|
|||
OpenBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
|
||||
NetBSD 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
|
||||
Solaris 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
|
||||
Darwin (MacOS/X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS
|
||||
Darwin (Mac OS X) 'route add' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
|
||||
Windows 'netsh routing ip add persistentroute' NETWORK_ADDRESS NETMASK INTERFACE
|
||||
LOCAL_ADDRESS
|
||||
|
||||
|
@ -2356,7 +2351,7 @@ FreeBSD 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRE
|
|||
OpenBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
|
||||
NetBSD 'route add -inet6' NETWORK_ADDRESS LOCAL_ADDRESS '-prefixlen' PREFIXLENGTH
|
||||
Solaris 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH LOCAL_ADDRESS '-interface'
|
||||
Darwin (MacOS/X) ?
|
||||
Darwin (Mac OS X) 'route add -inet6' NETWORK_ADDRESS'/'PREFIXLENGTH '-interface' INTERFACE
|
||||
Windows 'netsh interface ipv6 add route' NETWORK ADDRESS/PREFIXLENGTH INTERFACE
|
||||
|
||||
|
||||
|
@ -2457,13 +2452,13 @@ Concept Index
|
|||
* DEVICE: Scripts. (line 53)
|
||||
* device files: Device files. (line 6)
|
||||
* DeviceType: Main configuration variables.
|
||||
(line 80)
|
||||
(line 79)
|
||||
* Digest: Host configuration variables.
|
||||
(line 31)
|
||||
* DirectOnly: Main configuration variables.
|
||||
(line 145)
|
||||
(line 144)
|
||||
* dummy: Main configuration variables.
|
||||
(line 87)
|
||||
(line 86)
|
||||
* encapsulating: The UDP tunnel. (line 30)
|
||||
* encryption: Encryption of network packets.
|
||||
(line 6)
|
||||
|
@ -2471,53 +2466,53 @@ Concept Index
|
|||
* example: Example configuration.
|
||||
(line 6)
|
||||
* exec: Main configuration variables.
|
||||
(line 315)
|
||||
(line 314)
|
||||
* Forwarding: Main configuration variables.
|
||||
(line 152)
|
||||
(line 151)
|
||||
* frame type: The UDP tunnel. (line 6)
|
||||
* GraphDumpFile: Main configuration variables.
|
||||
(line 172)
|
||||
(line 171)
|
||||
* Hostnames: Main configuration variables.
|
||||
(line 180)
|
||||
(line 179)
|
||||
* http: Main configuration variables.
|
||||
(line 312)
|
||||
(line 311)
|
||||
* hub: Main configuration variables.
|
||||
(line 250)
|
||||
(line 249)
|
||||
* ID: Authentication protocol.
|
||||
(line 10)
|
||||
* IffOneQueue: Main configuration variables.
|
||||
(line 191)
|
||||
(line 190)
|
||||
* IndirectData: Host configuration variables.
|
||||
(line 36)
|
||||
* Interface: Main configuration variables.
|
||||
(line 194)
|
||||
(line 193)
|
||||
* INTERFACE: Scripts. (line 56)
|
||||
* IRC: Contact information. (line 9)
|
||||
* key generation: Generating keypairs. (line 6)
|
||||
* KeyExpire: Main configuration variables.
|
||||
(line 202)
|
||||
(line 201)
|
||||
* KEY_CHANGED: The meta-protocol. (line 63)
|
||||
* libraries: Libraries. (line 6)
|
||||
* license: OpenSSL. (line 35)
|
||||
* LocalDiscovery: Main configuration variables.
|
||||
(line 208)
|
||||
(line 207)
|
||||
* lzo: lzo. (line 6)
|
||||
* MACExpire: Main configuration variables.
|
||||
(line 219)
|
||||
(line 218)
|
||||
* MACLength: Host configuration variables.
|
||||
(line 44)
|
||||
* MaxTimeout: Main configuration variables.
|
||||
(line 224)
|
||||
(line 223)
|
||||
* meta-protocol: The meta-connection. (line 18)
|
||||
* META_KEY: Authentication protocol.
|
||||
(line 10)
|
||||
* Mode: Main configuration variables.
|
||||
(line 228)
|
||||
(line 227)
|
||||
* multicast: Main configuration variables.
|
||||
(line 99)
|
||||
(line 98)
|
||||
* multiple networks: Multiple networks. (line 6)
|
||||
* Name: Main configuration variables.
|
||||
(line 255)
|
||||
(line 254)
|
||||
* NAME: Scripts. (line 50)
|
||||
* netmask: Network interfaces. (line 33)
|
||||
* netname: Multiple networks. (line 6)
|
||||
|
@ -2531,9 +2526,9 @@ Concept Index
|
|||
(line 69)
|
||||
* PING: The meta-protocol. (line 88)
|
||||
* PingInterval: Main configuration variables.
|
||||
(line 266)
|
||||
(line 265)
|
||||
* PingTimeout: Main configuration variables.
|
||||
(line 270)
|
||||
(line 269)
|
||||
* platforms: Supported platforms. (line 6)
|
||||
* PMTU: Host configuration variables.
|
||||
(line 49)
|
||||
|
@ -2544,32 +2539,32 @@ Concept Index
|
|||
(line 57)
|
||||
* port numbers: Other files. (line 17)
|
||||
* PriorityInheritance: Main configuration variables.
|
||||
(line 276)
|
||||
(line 275)
|
||||
* private: Virtual Private Networks.
|
||||
(line 10)
|
||||
* PrivateKey: Main configuration variables.
|
||||
(line 281)
|
||||
(line 280)
|
||||
* PrivateKeyFile: Main configuration variables.
|
||||
(line 287)
|
||||
(line 286)
|
||||
* ProcessPriority: Main configuration variables.
|
||||
(line 292)
|
||||
(line 291)
|
||||
* Proxy: Main configuration variables.
|
||||
(line 297)
|
||||
(line 296)
|
||||
* PublicKey: Host configuration variables.
|
||||
(line 61)
|
||||
* PublicKeyFile: Host configuration variables.
|
||||
(line 64)
|
||||
* raw_socket: Main configuration variables.
|
||||
(line 92)
|
||||
(line 91)
|
||||
* release: Supported platforms. (line 14)
|
||||
* REMOTEADDRESS: Scripts. (line 65)
|
||||
* REMOTEPORT: Scripts. (line 68)
|
||||
* ReplayWindow: Main configuration variables.
|
||||
(line 320)
|
||||
(line 319)
|
||||
* requirements: Libraries. (line 6)
|
||||
* REQ_KEY: The meta-protocol. (line 63)
|
||||
* router: Main configuration variables.
|
||||
(line 231)
|
||||
(line 230)
|
||||
* runtime options: Runtime options. (line 9)
|
||||
* scalability: tinc. (line 19)
|
||||
* scripts: Scripts. (line 6)
|
||||
|
@ -2577,11 +2572,11 @@ Concept Index
|
|||
(line 18)
|
||||
* signals: Signals. (line 6)
|
||||
* socks4: Main configuration variables.
|
||||
(line 301)
|
||||
(line 300)
|
||||
* socks5: Main configuration variables.
|
||||
(line 306)
|
||||
(line 305)
|
||||
* StrictSubnets: Main configuration variables.
|
||||
(line 331)
|
||||
(line 330)
|
||||
* Subnet: Host configuration variables.
|
||||
(line 76)
|
||||
* SUBNET: Scripts. (line 72)
|
||||
|
@ -2589,7 +2584,7 @@ Concept Index
|
|||
(line 98)
|
||||
* SVPN: Security. (line 11)
|
||||
* switch: Main configuration variables.
|
||||
(line 239)
|
||||
(line 238)
|
||||
* TCP: The meta-connection. (line 10)
|
||||
* TCPonly: Host configuration variables.
|
||||
(line 105)
|
||||
|
@ -2601,24 +2596,24 @@ Concept Index
|
|||
* tincd: tinc. (line 14)
|
||||
* traditional VPNs: tinc. (line 19)
|
||||
* tunifhead: Main configuration variables.
|
||||
(line 134)
|
||||
(line 133)
|
||||
* TunnelServer: Main configuration variables.
|
||||
(line 338)
|
||||
(line 337)
|
||||
* tunnohead: Main configuration variables.
|
||||
(line 128)
|
||||
(line 127)
|
||||
* UDP: The UDP tunnel. (line 30)
|
||||
* UDP <1>: Encryption of network packets.
|
||||
(line 12)
|
||||
* UDPRcvBuf: Main configuration variables.
|
||||
(line 345)
|
||||
(line 344)
|
||||
* UDPSndBuf: Main configuration variables.
|
||||
(line 350)
|
||||
(line 349)
|
||||
* UML: Main configuration variables.
|
||||
(line 110)
|
||||
(line 109)
|
||||
* Universal tun/tap: Configuration of Linux kernels.
|
||||
(line 6)
|
||||
* VDE: Main configuration variables.
|
||||
(line 115)
|
||||
(line 114)
|
||||
* virtual: Virtual Private Networks.
|
||||
(line 18)
|
||||
* virtual network device: The UDP tunnel. (line 6)
|
||||
|
@ -2637,61 +2632,61 @@ Node: Introduction1105
|
|||
Node: Virtual Private Networks1915
|
||||
Node: tinc3639
|
||||
Node: Supported platforms5166
|
||||
Node: Preparations5865
|
||||
Node: Configuring the kernel6121
|
||||
Node: Configuration of Linux kernels6530
|
||||
Node: Configuration of FreeBSD kernels7385
|
||||
Node: Configuration of OpenBSD kernels7850
|
||||
Node: Configuration of NetBSD kernels8458
|
||||
Node: Configuration of Solaris kernels8863
|
||||
Node: Configuration of Darwin (MacOS/X) kernels9524
|
||||
Node: Configuration of Windows10213
|
||||
Node: Libraries10726
|
||||
Node: OpenSSL11114
|
||||
Node: zlib13401
|
||||
Node: lzo14428
|
||||
Node: Installation15409
|
||||
Node: Building and installing tinc16424
|
||||
Node: Darwin (MacOS/X) build environment17083
|
||||
Node: Cygwin (Windows) build environment17650
|
||||
Node: MinGW (Windows) build environment18237
|
||||
Node: System files18761
|
||||
Node: Device files19026
|
||||
Node: Other files19442
|
||||
Node: Configuration20055
|
||||
Node: Configuration introduction20366
|
||||
Node: Multiple networks21634
|
||||
Node: How connections work23059
|
||||
Node: Configuration files24281
|
||||
Node: Main configuration variables25776
|
||||
Node: Host configuration variables41870
|
||||
Node: Scripts47371
|
||||
Node: How to configure50134
|
||||
Node: Generating keypairs51391
|
||||
Node: Network interfaces51890
|
||||
Node: Example configuration53738
|
||||
Node: Running tinc59063
|
||||
Node: Runtime options59653
|
||||
Node: Signals62955
|
||||
Node: Debug levels64146
|
||||
Node: Solving problems65082
|
||||
Node: Error messages66634
|
||||
Node: Sending bug reports70643
|
||||
Node: Technical information71590
|
||||
Node: The connection71821
|
||||
Node: The UDP tunnel72133
|
||||
Node: The meta-connection75196
|
||||
Node: The meta-protocol76665
|
||||
Node: Security81682
|
||||
Node: Authentication protocol82815
|
||||
Node: Encryption of network packets87832
|
||||
Node: Security issues89208
|
||||
Node: Platform specific information90835
|
||||
Node: Interface configuration91063
|
||||
Node: Routes93516
|
||||
Node: About us95433
|
||||
Node: Contact information95608
|
||||
Node: Authors96012
|
||||
Node: Concept Index96417
|
||||
Node: Preparations5866
|
||||
Node: Configuring the kernel6122
|
||||
Node: Configuration of Linux kernels6532
|
||||
Node: Configuration of FreeBSD kernels7387
|
||||
Node: Configuration of OpenBSD kernels7852
|
||||
Node: Configuration of NetBSD kernels8460
|
||||
Node: Configuration of Solaris kernels8865
|
||||
Node: Configuration of Darwin (Mac OS X) kernels9527
|
||||
Node: Configuration of Windows10005
|
||||
Node: Libraries10519
|
||||
Node: OpenSSL10907
|
||||
Node: zlib13195
|
||||
Node: lzo14223
|
||||
Node: Installation15205
|
||||
Node: Building and installing tinc16220
|
||||
Node: Darwin (Mac OS X) build environment16880
|
||||
Node: Cygwin (Windows) build environment17462
|
||||
Node: MinGW (Windows) build environment18050
|
||||
Node: System files18574
|
||||
Node: Device files18839
|
||||
Node: Other files19255
|
||||
Node: Configuration19868
|
||||
Node: Configuration introduction20179
|
||||
Node: Multiple networks21447
|
||||
Node: How connections work22873
|
||||
Node: Configuration files24095
|
||||
Node: Main configuration variables25589
|
||||
Node: Host configuration variables41628
|
||||
Node: Scripts47131
|
||||
Node: How to configure49894
|
||||
Node: Generating keypairs51152
|
||||
Node: Network interfaces51651
|
||||
Node: Example configuration53499
|
||||
Node: Running tinc58824
|
||||
Node: Runtime options59414
|
||||
Node: Signals62716
|
||||
Node: Debug levels63907
|
||||
Node: Solving problems64843
|
||||
Node: Error messages66395
|
||||
Node: Sending bug reports70404
|
||||
Node: Technical information71351
|
||||
Node: The connection71582
|
||||
Node: The UDP tunnel71894
|
||||
Node: The meta-connection74955
|
||||
Node: The meta-protocol76424
|
||||
Node: Security81441
|
||||
Node: Authentication protocol82574
|
||||
Node: Encryption of network packets87619
|
||||
Node: Security issues88995
|
||||
Node: Platform specific information90622
|
||||
Node: Interface configuration90850
|
||||
Node: Routes93321
|
||||
Node: About us95335
|
||||
Node: Contact information95510
|
||||
Node: Authors95914
|
||||
Node: Concept Index96319
|
||||
|
||||
End Tag Table
|
||||
|
|
|
@ -176,7 +176,7 @@ available too.
|
|||
@section Supported platforms
|
||||
|
||||
@cindex platforms
|
||||
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
|
||||
Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment),
|
||||
with various hardware architectures. These are some of the platforms
|
||||
that are supported by the universal tun/tap device driver or other virtual network device drivers.
|
||||
Without such a driver, tinc will most
|
||||
|
@ -224,7 +224,7 @@ support tinc.
|
|||
* Configuration of OpenBSD kernels::
|
||||
* Configuration of NetBSD kernels::
|
||||
* Configuration of Solaris kernels::
|
||||
* Configuration of Darwin (MacOS/X) kernels::
|
||||
* Configuration of Darwin (Mac OS X) kernels::
|
||||
* Configuration of Windows::
|
||||
@end menu
|
||||
|
||||
|
@ -298,19 +298,12 @@ If the @file{net/if_tun.h} header file is missing, install it from the source pa
|
|||
|
||||
|
||||
@c ==================================================================
|
||||
@node Configuration of Darwin (MacOS/X) kernels
|
||||
@subsection Configuration of Darwin (MacOS/X) kernels
|
||||
@node Configuration of Darwin (Mac OS X) kernels
|
||||
@subsection Configuration of Darwin (Mac OS X) kernels
|
||||
|
||||
Tinc on Darwin relies on a tunnel driver for its data acquisition from the kernel.
|
||||
Tinc supports either the driver from @uref{http://tuntaposx.sourceforge.net/},
|
||||
which supports both tun and tap style devices,
|
||||
and also the driver from from @uref{http://chrisp.de/en/projects/tunnel.html}.
|
||||
The former driver is recommended.
|
||||
The tunnel driver must be loaded before starting tinc with the following command:
|
||||
|
||||
@example
|
||||
kmodload tunnel
|
||||
@end example
|
||||
which supports both tun and tap style devices.
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
|
@ -349,7 +342,7 @@ having them installed, configure will give you an error message, and stop.
|
|||
For all cryptography-related functions, tinc uses the functions provided
|
||||
by the OpenSSL library.
|
||||
|
||||
If this library is not installed, you wil get an error when configuring
|
||||
If this library is not installed, you will get an error when configuring
|
||||
tinc for build. Support for running tinc with other cryptographic libraries
|
||||
installed @emph{may} be added in the future.
|
||||
|
||||
|
@ -413,7 +406,7 @@ Markus F.X.J. Oberhumer
|
|||
For the optional compression of UDP packets, tinc uses the functions provided
|
||||
by the zlib library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the zlib library, or disable support
|
||||
for zlib compression by using the "--disable-zlib" option when running the
|
||||
configure script. Note that if you disable support for zlib, the resulting
|
||||
|
@ -437,7 +430,7 @@ default).
|
|||
@cindex lzo
|
||||
Another form of compression is offered using the LZO library.
|
||||
|
||||
If this library is not installed, you wil get an error when running the
|
||||
If this library is not installed, you will get an error when running the
|
||||
configure script. You can either install the LZO library, or disable support
|
||||
for LZO compression by using the "--disable-lzo" option when running the
|
||||
configure script. Note that if you disable support for LZO, the resulting
|
||||
|
@ -503,19 +496,19 @@ you can use the package management tools of that distribution to install tinc.
|
|||
The documentation that comes along with your distribution will tell you how to do that.
|
||||
|
||||
@menu
|
||||
* Darwin (MacOS/X) build environment::
|
||||
* Darwin (Mac OS X) build environment::
|
||||
* Cygwin (Windows) build environment::
|
||||
* MinGW (Windows) build environment::
|
||||
@end menu
|
||||
|
||||
|
||||
@c ==================================================================
|
||||
@node Darwin (MacOS/X) build environment
|
||||
@subsection Darwin (MacOS/X) build environment
|
||||
@node Darwin (Mac OS X) build environment
|
||||
@subsection Darwin (Mac OS X) build environment
|
||||
|
||||
In order to build tinc on Darwin, you need to install the MacOS/X Developer Tools
|
||||
In order to build tinc on Darwin, you need to install the Mac OS X Developer Tools
|
||||
from @uref{http://developer.apple.com/tools/macosxtools.html} and
|
||||
a recent version of Fink from @uref{http://www.finkproject.org/}.
|
||||
preferably a recent version of Fink from @uref{http://www.finkproject.org/}.
|
||||
|
||||
After installation use fink to download and install the following packages:
|
||||
autoconf25, automake, dlcompat, m4, openssl, zlib and lzo.
|
||||
|
@ -666,7 +659,7 @@ It is not required if you only run one tinc daemon,
|
|||
it doesn't even have to be the same on all the sites of your VPN,
|
||||
but it is recommended that you choose one anyway.
|
||||
|
||||
We will asume you use a netname throughout this document.
|
||||
We will assume you use a netname throughout this document.
|
||||
This means that you call tincd with the -n argument,
|
||||
which will assign a netname to this daemon.
|
||||
|
||||
|
@ -694,7 +687,7 @@ reads in the configuration file tinc.conf.
|
|||
If it sees one or more `ConnectTo' values pointing to other tinc daemons in that file,
|
||||
it will try to connect to those other daemons.
|
||||
Whether this succeeds or not and whether `ConnectTo' is specified or not,
|
||||
tinc will listen for incoming connection from other deamons.
|
||||
tinc will listen for incoming connection from other daemons.
|
||||
If you did specify a `ConnectTo' value and the other side is not responding,
|
||||
tinc will keep retrying.
|
||||
This means that once started, tinc will stay running until you tell it to stop,
|
||||
|
@ -718,7 +711,7 @@ The actual configuration of the daemon is done in the file
|
|||
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
|
||||
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
|
||||
|
||||
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
|
||||
An optional directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
|
||||
any .conf file will be read.
|
||||
|
||||
These file consists of comments (lines started with a #) or assignments
|
||||
|
@ -829,7 +822,6 @@ Do not use this option if you use switch mode and want to use IPv6.
|
|||
@item Device = <@var{device}> (@file{/dev/tap0}, @file{/dev/net/tun} or other depending on platform)
|
||||
The virtual network device to use.
|
||||
Tinc will automatically detect what kind of device it is.
|
||||
Note that you can only use one device per daemon.
|
||||
Under Windows, use @var{Interface} instead of @var{Device}.
|
||||
Note that you can only use one device per daemon.
|
||||
See also @ref{Device files}.
|
||||
|
@ -1022,7 +1014,7 @@ while no routing table is managed.
|
|||
@cindex Name
|
||||
@item Name = <@var{name}> [required]
|
||||
This is a symbolic name for this connection.
|
||||
The name should consist only of alfanumeric and underscore characters (a-z, A-Z, 0-9 and _).
|
||||
The name should consist only of alphanumeric and underscore characters (a-z, A-Z, 0-9 and _).
|
||||
|
||||
If Name starts with a $, then the contents of the environment variable that follows will be used.
|
||||
In that case, invalid characters will be converted to underscores.
|
||||
|
@ -1049,7 +1041,7 @@ will be inherited by the UDP packets that are sent out.
|
|||
@item PrivateKey = <@var{key}> [obsolete]
|
||||
This is the RSA private key for tinc. However, for safety reasons it is
|
||||
advised to store private keys of any kind in separate files. This prevents
|
||||
accidental eavesdropping if you are editting the configuration file.
|
||||
accidental eavesdropping if you are editing the configuration file.
|
||||
|
||||
@cindex PrivateKeyFile
|
||||
@item PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/rsa_key.priv})
|
||||
|
@ -1216,7 +1208,7 @@ connection with that host.
|
|||
@cindex Subnet
|
||||
@item Subnet = <@var{address}[/@var{prefixlength}[#@var{weight}]]>
|
||||
The subnet which this tinc daemon will serve.
|
||||
Tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
|
||||
Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
|
||||
If the packet matches a subnet,
|
||||
it will be sent to the daemon who has this subnet in his host configuration file.
|
||||
Multiple subnet lines can be specified for each daemon.
|
||||
|
@ -1293,11 +1285,11 @@ This script is started when any host becomes reachable.
|
|||
This script is started when any host becomes unreachable.
|
||||
|
||||
@item @value{sysconfdir}/tinc/@var{netname}/subnet-up
|
||||
This script is started when a Subnet becomes reachable.
|
||||
This script is started when a subnet becomes reachable.
|
||||
The Subnet and the node it belongs to are passed in environment variables.
|
||||
|
||||
@item @value{sysconfdir}/tinc/@var{netname}/subnet-down
|
||||
This script is started when a Subnet becomes unreachable.
|
||||
This script is started when a subnet becomes unreachable.
|
||||
@end table
|
||||
|
||||
@cindex environment variables
|
||||
|
@ -1368,7 +1360,7 @@ add `ConnectTo' values.
|
|||
|
||||
@subsubheading Step 2. Creating your host configuration file
|
||||
|
||||
If you added a line containing `Name = yourname' in the main configuarion file,
|
||||
If you added a line containing `Name = yourname' in the main configuration file,
|
||||
you will need to create a host configuration file @file{@value{sysconfdir}/tinc/@var{netname}/hosts/yourname}.
|
||||
Adapt the following example to create a host configuration file:
|
||||
|
||||
|
@ -2022,7 +2014,7 @@ There are two possible types of virtual network devices:
|
|||
and `tap' style, which are Ethernet devices and handle complete Ethernet frames.
|
||||
|
||||
So when tinc reads an Ethernet frame from the device, it determines its
|
||||
type. When tinc is in it's default routing mode, it can handle IPv4 and IPv6
|
||||
type. When tinc is in its default routing mode, it can handle IPv4 and IPv6
|
||||
packets. Depending on the Subnet lines, it will send the packets off to their destination IP address.
|
||||
In the `switch' and `hub' mode, tinc will use broadcasts and MAC address discovery
|
||||
to deduce the destination of the packets.
|
||||
|
@ -2053,7 +2045,7 @@ If the virtual network device is a `tun' device (a point-to-point tunnel),
|
|||
there is no problem for the kernel to accept a packet.
|
||||
However, if it is a `tap' device (this is the only available type on FreeBSD),
|
||||
the destination MAC address must match that of the virtual network interface.
|
||||
If tinc is in it's default routing mode, ARP does not work, so the correct destination MAC
|
||||
If tinc is in its default routing mode, ARP does not work, so the correct destination MAC
|
||||
can not be known by the sending host.
|
||||
Tinc solves this by letting the receiving end detect the MAC address of its own virtual network interface
|
||||
and overwriting the destination MAC address of the received packet.
|
||||
|
@ -2446,7 +2438,7 @@ netmask should be such that it encompasses the entire VPN.
|
|||
|
||||
For IPv4 addresses:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item Linux
|
||||
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
||||
@item Linux iproute2
|
||||
|
@ -2459,7 +2451,7 @@ For IPv4 addresses:
|
|||
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
||||
@item Solaris
|
||||
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
||||
@item Darwin (MacOS/X)
|
||||
@item Darwin (Mac OS X)
|
||||
@tab @code{ifconfig} @var{interface} @var{address} @code{netmask} @var{netmask}
|
||||
@item Windows
|
||||
@tab @code{netsh interface ip set address} @var{interface} @code{static} @var{address} @var{netmask}
|
||||
|
@ -2467,7 +2459,7 @@ For IPv4 addresses:
|
|||
|
||||
For IPv6 addresses:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item Linux
|
||||
@tab @code{ifconfig} @var{interface} @code{add} @var{address}@code{/}@var{prefixlength}
|
||||
@item FreeBSD
|
||||
|
@ -2480,7 +2472,7 @@ For IPv6 addresses:
|
|||
@tab @code{ifconfig} @var{interface} @code{inet6 plumb up}
|
||||
@item
|
||||
@tab @code{ifconfig} @var{interface} @code{inet6 addif} @var{address} @var{address}
|
||||
@item Darwin (MacOS/X)
|
||||
@item Darwin (Mac OS X)
|
||||
@tab @code{ifconfig} @var{interface} @code{inet6} @var{address} @code{prefixlen} @var{prefixlength}
|
||||
@item Windows
|
||||
@tab @code{netsh interface ipv6 add address} @var{interface} @code{static} @var{address}/@var{prefixlength}
|
||||
|
@ -2488,7 +2480,7 @@ For IPv6 addresses:
|
|||
|
||||
On some platforms, when running tinc in switch mode, the VPN interface must be set to tap mode with an ifconfig command:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item OpenBSD
|
||||
@tab @code{ifconfig} @var{interface} @code{link0}
|
||||
@end multitable
|
||||
|
@ -2498,7 +2490,7 @@ continue to exist even if tinc quit, although this is normally not required.
|
|||
It can be useful to set up a tun/tap interface owned by a non-root user, so
|
||||
tinc can be started without needing any root privileges at all.
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item Linux
|
||||
@tab @code{ip tuntap add dev} @var{interface} @code{mode} @var{tun|tap} @code{user} @var{username}
|
||||
@end multitable
|
||||
|
@ -2516,7 +2508,7 @@ support this.
|
|||
|
||||
Adding routes to IPv4 subnets:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item Linux
|
||||
@tab @code{route add -net} @var{network_address} @code{netmask} @var{netmask} @var{interface}
|
||||
@item Linux iproute2
|
||||
|
@ -2529,15 +2521,15 @@ Adding routes to IPv4 subnets:
|
|||
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
||||
@item Solaris
|
||||
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
|
||||
@item Darwin (MacOS/X)
|
||||
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @var{local_address}
|
||||
@item Darwin (Mac OS X)
|
||||
@tab @code{route add} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
|
||||
@item Windows
|
||||
@tab @code{netsh routing ip add persistentroute} @var{network_address} @var{netmask} @var{interface} @var{local_address}
|
||||
@end multitable
|
||||
|
||||
Adding routes to IPv6 subnets:
|
||||
|
||||
@multitable {Darwin (MacOS/X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@multitable {Darwin (Mac OS X)} {ifconfig route add -bla network address netmask netmask prefixlength interface}
|
||||
@item Linux
|
||||
@tab @code{route add -A inet6} @var{network_address}@code{/}@var{prefixlength} @var{interface}
|
||||
@item Linux iproute2
|
||||
|
@ -2550,8 +2542,8 @@ Adding routes to IPv6 subnets:
|
|||
@tab @code{route add -inet6} @var{network_address} @var{local_address} @code{-prefixlen} @var{prefixlength}
|
||||
@item Solaris
|
||||
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @var{local_address} @code{-interface}
|
||||
@item Darwin (MacOS/X)
|
||||
@tab ?
|
||||
@item Darwin (Mac OS X)
|
||||
@tab @code{route add -inet6} @var{network_address}@code{/}@var{prefixlength} @code{-interface} @var{interface}
|
||||
@item Windows
|
||||
@tab @code{netsh interface ipv6 add route} @var{network address}/@var{prefixlength} @var{interface}
|
||||
@end multitable
|
||||
|
|
|
@ -9,8 +9,8 @@ AC_DEFUN([tinc_ATTRIBUTE],
|
|||
CFLAGS="$CFLAGS -Wall -Werror"
|
||||
AC_COMPILE_IFELSE(
|
||||
[AC_LANG_SOURCE(
|
||||
[void test(void) __attribute__ (($1));
|
||||
void test(void) { return; }
|
||||
[void *test(void) __attribute__ (($1));
|
||||
void *test(void) { return (void *)0; }
|
||||
],
|
||||
)],
|
||||
[tinc_cv_attribute_$1=yes],
|
||||
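Review bot: The switch from `void test(void)` to `void *test(void)` in the probe source has no explanation in the macro; add a `dnl` comment stating why, e.g. `dnl probe with a pointer-returning function so attributes that only make sense on such functions are not diagnosed as ignored and turned fatal by -Werror`. That reading is inferred from the shape of the change rather than from anything on the page, so confirm it before committing the wording. The macro's saving and restoring of CFLAGS around the compile test is outside this hunk.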
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
device.c -- Interaction BSD tun/tap device
|
||||
Copyright (C) 2001-2005 Ivo Timmermans,
|
||||
2001-2012 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2001-2014 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2009 Grzegorz Dymarek <gregd72002@googlemail.com>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
|
@ -34,7 +34,7 @@
|
|||
#endif
|
||||
|
||||
#define DEFAULT_TUN_DEVICE "/dev/tun0"
|
||||
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD)
|
||||
#if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_DARWIN)
|
||||
#define DEFAULT_TAP_DEVICE "/dev/tap0"
|
||||
#else
|
||||
#define DEFAULT_TAP_DEVICE "/dev/tun0"
|
||||
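Review bot: Adding `HAVE_DARWIN` to the DEFAULT_TAP_DEVICE condition changes the default tap device on Darwin from /dev/tun0 to /dev/tap0 with nothing recording why; a comment such as `/* FreeBSD, NetBSD and Darwin (tuntaposx) expose tap devices separately from tun devices */` would help, since the texinfo hunk in this commit now keeps only the tuntaposx driver. Users who relied on the old /dev/tun0 default in switch mode on Darwin will see a behaviour change, which is worth a NEWS line if one is not already present.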
|
|
|
@ -38,6 +38,7 @@ extern avl_tree_t *config_tree;
|
|||
extern int pinginterval;
|
||||
extern int pingtimeout;
|
||||
extern int maxtimeout;
|
||||
extern int mintimeout;
|
||||
extern bool bypass_security;
|
||||
extern char *confbase;
|
||||
extern char *netname;
|
||||
|
|
17
src/have.h
17
src/have.h
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
have.h -- include headers which are known to exist
|
||||
Copyright (C) 1998-2005 Ivo Timmermans
|
||||
2003-2014 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2003-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -196,4 +196,19 @@
|
|||
#include <netinet/if_ether.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_ARPA_NAMESER_H
|
||||
#include <arpa/nameser.h>
|
||||
#ifdef STATUS
|
||||
#undef STATUS
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_RESOLV_H
|
||||
#include <resolv.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LINUX_IF_TUN_H
|
||||
#include <linux/if_tun.h>
|
||||
#endif
|
||||
|
||||
#endif /* __TINC_SYSTEM_H__ */
|
||||
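Review bot: The new `#undef STATUS` following `#include <arpa/nameser.h>` gives no hint of what it is protecting; add `/* <arpa/nameser.h> defines a STATUS macro that would clash with tinc's own STATUS identifier */` (presumably the request name of that spelling; confirm against the protocol header). Now that the resolver headers live in have.h every translation unit sees them, not just net.c, so the undef must also precede any other file-local use of STATUS. The closing guard comment still reads `__TINC_SYSTEM_H__` although this file is have.h; that is pre-existing, but worth correcting while the tail of the file is being edited.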
|
|
|
@ -134,6 +134,9 @@ static bool setup_device(void) {
|
|||
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
|
||||
}
|
||||
|
||||
if(overwrite_mac && !ioctl(device_fd, SIOCGIFHWADDR, &ifr))
|
||||
memcpy(mymac.x, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
|
||||
|
||||
logger(LOG_INFO, "%s is a %s", device, device_info);
|
||||
|
||||
return true;
|
||||
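Review bot: A failing SIOCGIFHWADDR is swallowed silently: when overwrite_mac is set and the ioctl fails, mymac.x keeps whatever it held before (presumably zeros) and nothing is logged, so the MAC-overwrite feature degrades with no visible signal. Add an `else if(overwrite_mac)` branch with `logger(LOG_WARNING, "Could not determine MAC address of %s: %s", device, strerror(errno));` so the condition can be diagnosed. The call also relies on `ifr.ifr_name` having been filled earlier in setup_device, which starts outside this hunk — confirm the ioctl is issued after that assignment.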
|
|
13
src/net.c
13
src/net.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
net.c -- most of the network code
|
||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
2011 Loïc Grenié <loic.grenie@gmail.com>
|
||||
|
||||
|
@ -41,14 +41,6 @@
|
|||
#include "subnet.h"
|
||||
#include "xalloc.h"
|
||||
|
||||
#ifdef HAVE_ARPA_NAMESER_H
|
||||
#include <arpa/nameser.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_RESOLV_H
|
||||
#include <resolv.h>
|
||||
#endif
|
||||
|
||||
bool do_purge = false;
|
||||
volatile bool running = false;
|
||||
#ifdef HAVE_PSELECT
|
||||
|
@ -508,9 +500,6 @@ int main_loop(void) {
|
|||
avl_node_t *node;
|
||||
logger(LOG_INFO, "Flushing event queue");
|
||||
expire_events();
|
||||
#if HAVE_DECL_RES_INIT
|
||||
res_init();
|
||||
#endif
|
||||
for(node = connection_tree->head; node; node = node->next) {
|
||||
connection_t *c = node->data;
|
||||
if(c->status.active)
|
||||
|
|
|
@ -87,6 +87,7 @@ typedef struct listen_socket_t {
|
|||
int tcp;
|
||||
int udp;
|
||||
sockaddr_t sa;
|
||||
int priority;
|
||||
} listen_socket_t;
|
||||
|
||||
#include "conf.h"
|
||||
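Review bot: The new `priority` member of listen_socket_t is undocumented, and its meaning is only discoverable from send_udppacket() in net_packet.c, where it is compared against the outgoing packet's priority before calling setsockopt(). Give it a comment: `int priority; /* ToS/traffic class last requested on udp via setsockopt(); cached to skip redundant calls */`. The cache is written even when the setsockopt() fails or the address family is unsupported, which is acceptable but worth stating so readers do not treat it as the kernel's actual value.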
|
|
|
@ -415,9 +415,6 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
|
|||
vpn_packet_t *outpkt;
|
||||
int origlen;
|
||||
int outlen, outpad;
|
||||
#if defined(SOL_IP) && defined(IP_TOS)
|
||||
static int priority = 0;
|
||||
#endif
|
||||
int origpriority;
|
||||
|
||||
if(!n->status.reachable) {
|
||||
|
@ -549,15 +546,27 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
|
|||
sock = n->sock;
|
||||
}
|
||||
|
||||
if(priorityinheritance && origpriority != listen_socket[n->sock].priority) {
|
||||
listen_socket[n->sock].priority = origpriority;
|
||||
switch(listen_socket[n->sock].sa.sa.sa_family) {
|
||||
#if defined(SOL_IP) && defined(IP_TOS)
|
||||
if(priorityinheritance && origpriority != priority
|
||||
&& listen_socket[n->sock].sa.sa.sa_family == AF_INET) {
|
||||
priority = origpriority;
|
||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting outgoing packet priority to %d", priority);
|
||||
if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &priority, sizeof(priority))) /* SO_PRIORITY doesn't seem to work */
|
||||
case AF_INET:
|
||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv4 outgoing packet priority to %d", origpriority);
|
||||
if(setsockopt(listen_socket[n->sock].udp, SOL_IP, IP_TOS, &origpriority, sizeof(origpriority))) /* SO_PRIORITY doesn't seem to work */
|
||||
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
|
||||
case AF_INET6:
|
||||
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Setting IPv6 outgoing packet priority to %d", origpriority);
|
||||
if(setsockopt(listen_socket[n->sock].udp, IPPROTO_IPV6, IPV6_TCLASS, &origpriority, sizeof(origpriority)))
|
||||
logger(LOG_ERR, "System call `%s' failed: %s", "setsockopt", strerror(errno));
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if(sendto(listen_socket[sock].udp, (char *) &inpkt->seqno, inpkt->len, 0, sa, sl) < 0 && !sockwouldblock(sockerrno)) {
|
||||
if(sockmsgsize(sockerrno)) {
|
||||
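Review bot: `listen_socket[n->sock].priority = origpriority;` is stored before the switch, so the cached value advances even when setsockopt() fails or sa_family lands in `default:`, and later packets carrying the same value never retry; a transient failure therefore silently disables inheritance for that value until it changes. If that trade-off (no repeated syscalls, no log spam) is intended, state it on the assignment with `// cache the requested value even on failure so we do not retry per packet`; otherwise move the assignment after a successful setsockopt(). An AF_INET6 listen socket that also serves IPv4-mapped peers presumably needs IP_TOS alongside IPV6_TCLASS for those packets — confirm on the target kernels. origpriority is presumably taken from the packet being forwarded, so a stream alternating between two values yields one setsockopt() and, on failure, one LOG_ERR line per packet; rate-limiting that log would be cheap. send_udppacket starts and ends outside this hunk.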
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
net_setup.c -- Setup.
|
||||
Copyright (C) 1998-2005 Ivo Timmermans,
|
||||
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2006 Scott Lamb <slamb@slamb.org>
|
||||
2010 Brandon Black <blblack@gmail.com>
|
||||
|
||||
|
@ -539,7 +539,12 @@ static bool setup_myself(void) {
|
|||
|
||||
#if !defined(SOL_IP) || !defined(IP_TOS)
|
||||
if(priorityinheritance)
|
||||
logger(LOG_WARNING, "%s not supported on this platform", "PriorityInheritance");
|
||||
logger(LOG_WARNING, "%s not supported on this platform for IPv4 connection", "PriorityInheritance");
|
||||
#endif
|
||||
|
||||
#if !defined(IPPROTO_IPV6) || !defined(IPV6_TCLASS)
|
||||
if(priorityinheritance)
|
||||
logger(LOG_WARNING, "%s not supported on this platform for IPv6 connection", "PriorityInheritance");
|
||||
#endif
|
||||
|
||||
if(!get_config_int(lookup_config(config_tree, "MACExpire"), &macexpire))
|
||||
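Review bot: The two new warning strings read `... for IPv4 connection` / `... for IPv6 connection`; the plural is the grammatical form, e.g. `logger(LOG_WARNING, "%s not supported on this platform for IPv6 connections", "PriorityInheritance");`. Both warnings fire whenever PriorityInheritance is enabled, regardless of whether the daemon listens on that family at all, which is acceptable but could be reflected in the wording. setup_myself starts and ends outside this hunk.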
|
@ -553,6 +558,18 @@ static bool setup_myself(void) {
|
|||
} else
|
||||
maxtimeout = 900;
|
||||
|
||||
if(get_config_int(lookup_config(config_tree, "MinTimeout"), &mintimeout)) {
|
||||
if(mintimeout < 0) {
|
||||
logger(LOG_ERR, "Bogus minimum timeout!");
|
||||
return false;
|
||||
}
|
||||
if(mintimeout > maxtimeout) {
|
||||
logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting !", mintimeout, maxtimeout );
|
||||
mintimeout=maxtimeout;
|
||||
}
|
||||
} else
|
||||
mintimeout = 0;
|
||||
|
||||
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
|
||||
if(udp_rcvbuf <= 0) {
|
||||
logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
|
||||
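Review bot: The new MinTimeout block departs from the surrounding formatting: `mintimeout=maxtimeout;` lacks spaces around `=`, `maxtimeout );` has a stray space, and the message ends in `Correcting !`. Suggest `mintimeout = maxtimeout;` and `logger(LOG_WARNING, "Minimum timeout (%d s) cannot be larger than maximum timeout (%d s). Correcting!", mintimeout, maxtimeout);`. setup_myself starts and ends outside this hunk.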
|
@ -713,6 +730,12 @@ static bool setup_myself(void) {
|
|||
xasprintf(&envp[2], "INTERFACE=%s", iface ? : "");
|
||||
xasprintf(&envp[3], "NAME=%s", myself->name);
|
||||
|
||||
#ifdef HAVE_MINGW
|
||||
Sleep(1000);
|
||||
#endif
|
||||
#ifdef HAVE_CYGWIN
|
||||
sleep(1);
|
||||
#endif
|
||||
execute_script("tinc-up", envp);
|
||||
|
||||
for(i = 0; i < 4; i++)
|
||||
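Review bot: The new `Sleep(1000)` / `sleep(1)` placed before `execute_script("tinc-up", envp)` is an unexplained fixed delay; nothing in the hunk says what it waits for, and a hard-coded second is the kind of timing assumption that fails quietly on a slow machine. Add a comment stating the reason, e.g. `// give the freshly created interface time to become usable before tinc-up runs — TODO confirm what is actually being waited for`, and consider whether a real readiness check is available on those platforms. setup_myself starts and ends outside this hunk.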
|
@ -790,6 +813,10 @@ static bool setup_myself(void) {
|
|||
hint.ai_protocol = IPPROTO_TCP;
|
||||
hint.ai_flags = AI_PASSIVE;
|
||||
|
||||
#if HAVE_DECL_RES_INIT
|
||||
// ensure glibc reloads /etc/resolv.conf.
|
||||
res_init();
|
||||
#endif
|
||||
err = getaddrinfo(address && *address ? address : NULL, port, &hint, &ai);
|
||||
free(address);
|
||||
|
||||
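Review bot: The `#if HAVE_DECL_RES_INIT … res_init(); … #endif` block added before getaddrinfo() here is duplicated verbatim in str2addrinfo() in netutl.c in this same commit; a small static helper, or a wrapper that does the res_init() and the getaddrinfo() call together, would keep the two from drifting. The comment `// ensure glibc reloads /etc/resolv.conf.` is glibc-specific; on other libcs res_init() may be a no-op or may reset resolver state, so `// re-read resolver configuration (on glibc: /etc/resolv.conf) before resolving` would describe the intent more accurately. setup_myself starts and ends outside this hunk.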
|
|
|
@ -40,6 +40,7 @@
|
|||
#endif
|
||||
|
||||
int addressfamily = AF_UNSPEC;
|
||||
int mintimeout = 0;
|
||||
int maxtimeout = 900;
|
||||
int seconds_till_retry = 5;
|
||||
int udp_rcvbuf = 0;
|
||||
|
@ -77,6 +78,11 @@ static void configure_tcp(connection_t *c) {
|
|||
option = IPTOS_LOWDELAY;
|
||||
setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
|
||||
#endif
|
||||
|
||||
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) && defined(IPTOS_LOWDELAY)
|
||||
option = IPTOS_LOWDELAY;
|
||||
setsockopt(c->socket, IPPROTO_IPV6, IPV6_TCLASS, (void *)&option, sizeof(option));
|
||||
#endif
|
||||
}
|
||||
|
||||
static bool bind_to_interface(int sd) {
|
||||
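Review bot: The new IPV6_TCLASS setsockopt() is issued unconditionally, mirroring the existing IP_TOS call, so every TCP socket now gets both calls and at least one of them is likely to fail on any given address family, with the return value discarded. If the connection's address family is available on `c` (presumably from the peer's sockaddr), branch on it the way send_udppacket() in net_packet.c now does, so that only the applicable option is set and a failure becomes meaningful enough to log. configure_tcp starts outside this hunk.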
|
@ -273,6 +279,9 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
|
|||
void retry_outgoing(outgoing_t *outgoing) {
|
||||
outgoing->timeout += 5;
|
||||
|
||||
if(outgoing->timeout < mintimeout)
|
||||
outgoing->timeout = mintimeout;
|
||||
|
||||
if(outgoing->timeout > maxtimeout)
|
||||
outgoing->timeout = maxtimeout;
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
netutl.c -- some supporting network utility code
|
||||
Copyright (C) 1998-2005 Ivo Timmermans
|
||||
2000-2011 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -39,6 +39,10 @@ struct addrinfo *str2addrinfo(const char *address, const char *service, int sock
|
|||
hint.ai_family = addressfamily;
|
||||
hint.ai_socktype = socktype;
|
||||
|
||||
#if HAVE_DECL_RES_INIT
|
||||
// ensure glibc reloads /etc/resolv.conf.
|
||||
res_init();
|
||||
#endif
|
||||
err = getaddrinfo(address, service, &hint, &ai);
|
||||
|
||||
if(err) {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
process.c -- process management functions
|
||||
Copyright (C) 1999-2005 Ivo Timmermans,
|
||||
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -347,16 +347,58 @@ bool detach(void) {
|
|||
return true;
|
||||
}
|
||||
|
||||
#ifdef HAVE_PUTENV
|
||||
void unputenv(char *p) {
|
||||
char *e = strchr(p, '=');
|
||||
if(!e)
|
||||
return;
|
||||
int len = e - p;
|
||||
#ifndef HAVE_UNSETENV
|
||||
#ifdef HAVE_MINGW
|
||||
// Windows requires putenv("FOO=") to unset %FOO%
|
||||
len++;
|
||||
#endif
|
||||
#endif
|
||||
char var[len + 1];
|
||||
memcpy(var, p, len);
|
||||
var[len] = 0;
|
||||
#ifdef HAVE_UNSETENV
|
||||
unsetenv(var);
|
||||
#else
|
||||
// We must keep what we putenv() around in memory.
|
||||
// To do this without memory leaks, keep things in a list and reuse if possible.
|
||||
static list_t list = {};
|
||||
for(list_node_t *node = list.head; node; node = node->next) {
|
||||
char *data = node->data;
|
||||
if(!strcmp(data, var)) {
|
||||
putenv(data);
|
||||
return;
|
||||
}
|
||||
}
|
||||
char *data = xstrdup(var);
|
||||
list_insert_tail(&list, data);
|
||||
putenv(data);
|
||||
#endif
|
||||
}
|
||||
#else
|
||||
void putenv(const char *p) {}
|
||||
void unputenv(const char *p) {}
|
||||
#endif
|
||||
|
||||
bool execute_script(const char *name, char **envp) {
|
||||
#ifdef HAVE_SYSTEM
|
||||
int status, len;
|
||||
char *scriptname;
|
||||
int i;
|
||||
char *interpreter = NULL;
|
||||
config_t *cfg_interpreter;
|
||||
int status, len, i;
|
||||
|
||||
cfg_interpreter = lookup_config(config_tree, "ScriptsInterpreter");
|
||||
#ifndef HAVE_MINGW
|
||||
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
|
||||
#else
|
||||
if(cfg_interpreter)
|
||||
len = xasprintf(&scriptname, "\"%s/%s\"", confbase, name);
|
||||
else
|
||||
len = xasprintf(&scriptname, "\"%s/%s.bat\"", confbase, name);
|
||||
#endif
|
||||
if(len < 0)
|
||||
|
@ -365,14 +407,13 @@ bool execute_script(const char *name, char **envp) {
|
|||
scriptname[len - 1] = '\0';
|
||||
|
||||
/* First check if there is a script */
|
||||
|
||||
if(access(scriptname + 1, F_OK)) {
|
||||
free(scriptname);
|
||||
return true;
|
||||
}
|
||||
|
||||
// Custom scripts interpreter
|
||||
if(get_config_string(lookup_config(config_tree, "ScriptsInterpreter"), &interpreter)) {
|
||||
if(get_config_string(cfg_interpreter, &interpreter)) {
|
||||
// Force custom scripts interpreter allowing execution of scripts on android without execution flag (such as on /sdcard)
|
||||
free(scriptname);
|
||||
len = xasprintf(&scriptname, "%s \"%s/%s\"", interpreter, confbase, name);
|
||||
|
@ -383,12 +424,10 @@ bool execute_script(const char *name, char **envp) {
|
|||
|
||||
ifdebug(STATUS) logger(LOG_INFO, "Executing script %s", name);
|
||||
|
||||
#ifdef HAVE_PUTENV
|
||||
/* Set environment */
|
||||
|
||||
for(i = 0; envp[i]; i++)
|
||||
putenv(envp[i]);
|
||||
#endif
|
||||
|
||||
scriptname[len - 1] = '\"';
|
||||
status = system(scriptname);
|
||||
|
@ -397,15 +436,8 @@ bool execute_script(const char *name, char **envp) {
|
|||
|
||||
/* Unset environment */
|
||||
|
||||
for(i = 0; envp[i]; i++) {
|
||||
char *e = strchr(envp[i], '=');
|
||||
if(e) {
|
||||
char p[e - envp[i] + 1];
|
||||
strncpy(p, envp[i], e - envp[i]);
|
||||
p[e - envp[i]] = '\0';
|
||||
putenv(p);
|
||||
}
|
||||
}
|
||||
for(i = 0; envp[i]; i++)
|
||||
unputenv(envp[i]);
|
||||
|
||||
if(status != -1) {
|
||||
#ifdef WEXITSTATUS
|
||||
|
|
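Review bot: The two definitions of unputenv in the `@@ -347,16 +347,58 @@` hunk have different signatures, `void unputenv(char *p)` under `HAVE_PUTENV` and `void unputenv(const char *p)` in the `#else` branch, so whichever prototype the header declares will clash with one of them; the body only reads through `p` (`strchr`, `memcpy`), so `void unputenv(const char *p) {` works for both and matches the `char **envp` callers in execute_script. In the same hunk `static list_t list = {};` uses an empty-brace initializer that is a GNU extension before C23; `static list_t list = {0};` is the portable spelling and matters for a commit whose stated goal includes musl compatibility. The strings stored in that list are deliberately never freed (the comment explains why), but a one-line note that `unputenv` is therefore not a leak despite xstrdup would help the next reader, e.g. `// data stays allocated for the process lifetime: putenv() keeps a pointer to it.` The old strncpy-based unset loop this replaces in execute_script did not NUL-terminate reliably, so the switch to unputenv is an improvement; execute_script itself starts in this hunk and ends outside it.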
10
src/tincd.c
10
src/tincd.c
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
tincd.c -- the main file for tincd
|
||||
Copyright (C) 1998-2005 Ivo Timmermans
|
||||
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2000-2015 Guus Sliepen <guus@tinc-vpn.org>
|
||||
2008 Max Rijevski <maksuf@gmail.com>
|
||||
2009 Michael Tokarev <mjt@tls.msk.ru>
|
||||
2010 Julien Muchembled <jm@jmuchemb.eu>
|
||||
|
@ -97,7 +97,7 @@ char *pidfilename = NULL; /* pid file location */
|
|||
char *logfilename = NULL; /* log file location */
|
||||
char **g_argv; /* a copy of the cmdline arguments */
|
||||
|
||||
static int status;
|
||||
static int status = 1;
|
||||
|
||||
static struct option const long_options[] = {
|
||||
{"config", required_argument, NULL, 'c'},
|
||||
|
@ -438,14 +438,14 @@ static void make_names(void) {
|
|||
#ifdef HAVE_MINGW
|
||||
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
|
||||
if(!RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)) {
|
||||
if(!logfilename)
|
||||
xasprintf(&logfilename, "%s/log/%s.log", identname);
|
||||
if(!confbase) {
|
||||
if(netname)
|
||||
xasprintf(&confbase, "%s/%s", installdir, netname);
|
||||
else
|
||||
xasprintf(&confbase, "%s", installdir);
|
||||
}
|
||||
if(!logfilename)
|
||||
xasprintf(&logfilename, "%s/tinc.log", confbase);
|
||||
}
|
||||
RegCloseKey(key);
|
||||
if(*installdir)
|
||||
|
@ -549,7 +549,7 @@ int main(int argc, char **argv) {
|
|||
if(show_version) {
|
||||
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
|
||||
VERSION, __DATE__, __TIME__, PROT_CURRENT);
|
||||
printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
printf("Copyright (C) 1998-2015 Ivo Timmermans, Guus Sliepen and others.\n"
|
||||
"See the AUTHORS file for a complete list.\n\n"
|
||||
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
|
||||
"and you are welcome to redistribute it under certain conditions;\n"
|
||||
|
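Review bot: In the `@@ -438,14 +438,14 @@ make_names` hunk the fixed `logfilename` construction now correctly uses `confbase`, but the value it depends on comes from `RegQueryValueEx(key, NULL, 0, 0, (LPBYTE)installdir, &len)`, and the Windows registry API does not guarantee that a REG_SZ value is stored with a terminating NUL; the subsequent `xasprintf("%s", installdir)` and `if(*installdir)` then read past the buffer. If `installdir` is a fixed-size array (its declaration and the initialisation of `len` are outside the hunk), terminate it after a successful query: `if(len >= sizeof installdir) len = sizeof installdir - 1;` followed by `installdir[len] = '\0';`. A brief comment on `static int status = 1;` in the earlier hunk, such as `/* exit status: stays non-zero unless startup and shutdown complete cleanly */`, would document the intent the changelog describes, since the assignment to 0 is not visible here. make_names begins and ends outside this hunk.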
|