lagertonne/tinc
1
0
Fork 0
Code Issues Pull requests Projects Releases 6 Wiki Activity

Import Upstream version 1.0.24

Browse source
This commit is contained in:
Guus Sliepen 2019-08-26 13:44:45 +02:00
parent 413f90b815
commit 45b80e247e
45 changed files with 1342 additions and 341 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
ChangeLog
View file

@ -1,3 +1,55 @@
Version 1.0.24 May 11 2014
------------------------------------------------------------------------
Guus Sliepen (26):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init().
Nexthop calculation should always use the shortest path.
Fix issues found by Coverity.
Fix warnings found by GCC 4.9.
Fix a few more issues found by Coverity.
Fix a few more issues found by Coverity.
Drop h and hh length modifiers from printf format strings.
Fix a bug that could prevent tinc from starting correctly on Windows.
FIx the autoconf checks for res_init().
Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
Releasing 1.0.24.
Steffan Karger (3):
Use constant time memcmp() when comparing packet HMACs.
Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1):
fix documentation typo
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
Version 1.0.23 October 19 2013
------------------------------------------------------------------------

4
INSTALL
View file

@ -12,8 +12,8 @@ without warranty of any kind.
Basic Installation
==================
Briefly, the shell commands `./configure; make; make install' should
configure, build, and install this package. The following
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented

11
Makefile.in
View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -85,8 +85,10 @@ DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
config.sub depcomp install-sh missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@ -592,9 +594,10 @@ distcheck: dist
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \

23
NEWS
View file

@ -1,3 +1,26 @@
Version 1.0.24 May 11 2013
* Various compiler hardening flags are enabled by default.
* Updated support for Solaris, allowing switch mode on Solaris 11.
* Configuration will now also be read from a conf.d directory.
* Various updates to the documentation.
* Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM.
* Fixed a potential routing loop when IndirectData or TCPOnly is used and
broadcast packets are being sent.
* Improved security with constant time memcmp and stricter use of OpenSSL's
RNG functions.
* Fixed all issues found by Coverity.
Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc
Dachary and Steffan Karger for their contributions to this version of tinc.
Version 1.0.23 October 19 2013
* Start authentication immediately on outgoing connections (useful for sslh).

6
README
View file

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.23. Installation
This is the README file for tinc version 1.0.24. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2013 by:
tinc is Copyright (C) 1998-2014 by:
Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility
-------------
Version 1.0.23 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.

20
README.android
View file

@ -1,14 +1,14 @@
Quick how-o cross compile tinc for android (done from $HOME/android/):
Quick how-to cross compile tinc for android (done from $HOME/android/):
- Download android NDK and setup local ARM toolchain:
wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2
tar xfj android-ndk-r8b-linux-x86.tar.bz2
./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
wget http://dl.google.com/android/ndk/android-ndk-r9d-linux-x86.tar.bz2
tar xfj android-ndk-r9d-linux-x86.tar.bz2
./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
- Download and cross-compile openSSL for ARM:
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar xfz openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar xfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./Configure dist
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
@ -16,5 +16,9 @@ make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-andr
git clone git://tinc-vpn.org/tinc
cd tinc
autoreconf -fsi
CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/
CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1g --with-openssl-include=$HOME/android/openssl-1.0.1g/include/ --disable-hardening
make -j5
- Strip tincd binary to make it smaller
/tmp/my-android-toolchain/bin/arm-linux-androideabi-strip src/tincd

10
THANKS
View file

@ -4,6 +4,7 @@ We would like to thank the following people for their contributions to tinc:
* Allesandro Gatti
* Andreas van Cranenburgh
* Anthony G. Basile
* Armin Fisslthaler
* Armijn Hemel
* Brandon Black
* Cris van Pelt
@ -11,10 +12,13 @@ We would like to thank the following people for their contributions to tinc:
* Delf Eldkraft
* dnk
* Enrique Zanardi
* Florent Clairambault
* Flynn Marquardt
* Gary Kessler and Claudia Gonzalez
* Grzegorz Dymarek
* Hans Bayle
* Ivo van Dong
* James Cook
* James MacLean
* Jamie Briggs
* Jason Harper
@ -22,11 +26,14 @@ We would like to thank the following people for their contributions to tinc:
* Jeroen Ubbink
* Jerome Etienne
* Julien Muchembled
* Lavrans Laading
* Loïc Dachary
* Loïc Grenié
* Lubomír Bulej
* Mads Kiilerich
* Marc A. Lehmann
* Mark Glines
* Mark Petryk
* Markus Goetz
* Martin Kihlgren
* Martin Schobert
@ -44,6 +51,7 @@ We would like to thank the following people for their contributions to tinc:
* Robert van der Meulen
* Rumko
* Scott Lamb
* Steffan Karger
* Sven-Haegar Koch
* Teemu Kiviniemi
* Timothy Redaelli
@ -52,7 +60,7 @@ We would like to thank the following people for their contributions to tinc:
* Wessel Dankers
* Wouter van Heyst
And everyone we forgot. Thank you!
And everyone we forgot (if we did, please let us know). Thank you!
Ivo Timmermans
Guus Sliepen

11
aclocal.m4 vendored
View file

@ -1,4 +1,4 @@
# generated automatically by aclocal 1.14 -*- Autoconf -*-
# generated automatically by aclocal 1.14.1 -*- Autoconf -*-
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.14'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.14], [],
m4_if([$1], [1.14.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.14])dnl
[AM_AUTOMAKE_VERSION([1.14.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@ -573,7 +573,8 @@ to "yes", and re-run configure.
END
AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
fi
fi])
fi
])
dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
@ -1184,6 +1185,8 @@ AC_SUBST([am__untar])
]) # _AM_PROG_TAR
m4_include([m4/attribute.m4])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/lzo.m4])
m4_include([m4/openssl.m4])
m4_include([m4/zlib.m4])

10
config.h.in
View file

@ -15,6 +15,9 @@
/* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H
/* Define to 1 if you have the <arpa/nameser.h> header file. */
#undef HAVE_ARPA_NAMESER_H
/* Define to 1 if you have the `asprintf' function. */
#undef HAVE_ASPRINTF
@ -46,6 +49,10 @@
don't. */
#undef HAVE_DECL_GETNAMEINFO
/* Define to 1 if you have the declaration of `res_init', and to 0 if you
don't. */
#undef HAVE_DECL_RES_INIT
/* Define to 1 if you have the <dirent.h> header file. */
#undef HAVE_DIRENT_H
@ -211,6 +218,9 @@
/* Define to 1 if you have the `RAND_pseudo_bytes' function. */
#undef HAVE_RAND_PSEUDO_BYTES
/* Define to 1 if you have the <resolv.h> header file. */
#undef HAVE_RESOLV_H
/* Define to 1 if you have the `select' function. */
#undef HAVE_SELECT

476
configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.23.
# Generated by GNU Autoconf 2.69 for tinc 1.0.24.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.23'
PACKAGE_STRING='tinc 1.0.23'
PACKAGE_VERSION='1.0.24'
PACKAGE_STRING='tinc 1.0.24'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@ -745,6 +745,7 @@ enable_uml
enable_vde
enable_tunemu
with_windows2000
enable_hardening
enable_zlib
with_zlib
with_zlib_include
@ -1307,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures tinc 1.0.23 to adapt to many kinds of systems.
\`configure' configures tinc 1.0.24 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1377,7 +1378,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.23:";;
short | recursive ) echo "Configuration of tinc 1.0.24:";;
esac
cat <<\_ACEOF
@ -1397,15 +1398,16 @@ Optional Features:
--enable-uml enable support for User Mode Linux
--enable-vde enable support for Virtual Distributed Ethernet
--enable-tunemu enable support for the tunemu driver
--disable-hardening disable compiler and linker hardening flags
--disable-zlib disable zlib compression support
--disable-lzo disable lzo compression support
--disable-jumbograms enable support for jumbograms (packets up to 9000
--enable-jumbograms enable support for jumbograms (packets up to 9000
bytes)
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--without-windows2000 compile with support for Windows 2000. This disables
--with-windows2000 compile with support for Windows 2000. This disables
support for tunneling over existing IPv6 networks.
--with-zlib=DIR zlib base directory, or:
--with-zlib-include=DIR zlib headers directory
@ -1495,7 +1497,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
tinc configure 1.0.23
tinc configure 1.0.24
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -1744,6 +1746,52 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_header_compile
# ac_fn_c_try_link LINENO
# -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded.
ac_fn_c_try_link ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
rm -f conftest.$ac_objext conftest$ac_exeext
if { { ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
$as_echo "$ac_try_echo"; } >&5
(eval "$ac_link") 2>conftest.err
ac_status=$?
if test -s conftest.err; then
grep -v '^ *+' conftest.err >conftest.er1
cat conftest.er1 >&5
mv -f conftest.er1 conftest.err
fi
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
test -x conftest$ac_exeext
}; then :
ac_retval=0
else
$as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
# Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
# created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
# interfere with the next link command; also delete a directory that is
# left behind by Apple's compiler. We do this before executing the actions.
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_link
# ac_fn_c_check_type LINENO TYPE VAR INCLUDES
# -------------------------------------------
# Tests whether TYPE exists after having included INCLUDES, setting cache
@ -1798,52 +1846,6 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_type
# ac_fn_c_try_link LINENO
# -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded.
ac_fn_c_try_link ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
rm -f conftest.$ac_objext conftest$ac_exeext
if { { ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
$as_echo "$ac_try_echo"; } >&5
(eval "$ac_link") 2>conftest.err
ac_status=$?
if test -s conftest.err; then
grep -v '^ *+' conftest.err >conftest.er1
cat conftest.er1 >&5
mv -f conftest.er1 conftest.err
fi
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
test -x conftest$ac_exeext
}; then :
ac_retval=0
else
$as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
# Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
# created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
# interfere with the next link command; also delete a directory that is
# left behind by Apple's compiler. We do this before executing the actions.
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_link
# ac_fn_c_check_func LINENO FUNC VAR
# ----------------------------------
# Tests whether FUNC exists, setting the cache variable VAR accordingly
@ -1960,7 +1962,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.23, which was
It was created by tinc $as_me 1.0.24, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2824,7 +2826,7 @@ fi
# Define the identity of the package.
PACKAGE='tinc'
VERSION='1.0.23'
VERSION='1.0.24'
cat >>confdefs.h <<_ACEOF
@ -2916,6 +2918,7 @@ END
as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
fi
fi
ac_config_headers="$ac_config_headers config.h"
@ -5146,6 +5149,343 @@ if test -d /sw/lib ; then
fi
# Check whether --enable-hardening was given.
if test "${enable_hardening+set}" = set; then :
enableval=$enable_hardening;
fi
if test "x$enable_hardening" != "xno"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -DFORTIFY_SOURCE=2" >&5
$as_echo_n "checking whether C compiler accepts -DFORTIFY_SOURCE=2... " >&6; }
if ${ax_cv_check_cflags___DFORTIFY_SOURCE_2+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -DFORTIFY_SOURCE=2"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___DFORTIFY_SOURCE_2=yes
else
ax_cv_check_cflags___DFORTIFY_SOURCE_2=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fwrapv" >&5
$as_echo_n "checking whether C compiler accepts -fwrapv... " >&6; }
if ${ax_cv_check_cflags___fwrapv+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fwrapv"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fwrapv=yes
else
ax_cv_check_cflags___fwrapv=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fwrapv" >&5
$as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
CPPFLAGS="$CPPFLAGS -fwrapv"
else
:
fi
case $host_os in
*mingw*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--dynamicbase" >&5
$as_echo_n "checking whether the linker accepts -Wl,--dynamicbase... " >&6; }
if ${ax_cv_check_ldflags___Wl___dynamicbase+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,--dynamicbase"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl___dynamicbase=yes
else
ax_cv_check_ldflags___Wl___dynamicbase=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___dynamicbase" >&5
$as_echo "$ax_cv_check_ldflags___Wl___dynamicbase" >&6; }
if test x"$ax_cv_check_ldflags___Wl___dynamicbase" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,--dynamicbase"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--nxcompat" >&5
$as_echo_n "checking whether the linker accepts -Wl,--nxcompat... " >&6; }
if ${ax_cv_check_ldflags___Wl___nxcompat+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,--nxcompat"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl___nxcompat=yes
else
ax_cv_check_ldflags___Wl___nxcompat=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___nxcompat" >&5
$as_echo "$ax_cv_check_ldflags___Wl___nxcompat" >&6; }
if test x"$ax_cv_check_ldflags___Wl___nxcompat" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,--nxcompat"
else
:
fi
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; }
if ${ax_cv_check_cflags___fPIE+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fPIE"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fPIE=yes
else
ax_cv_check_cflags___fPIE=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
$as_echo "$ax_cv_check_cflags___fPIE" >&6; }
if test x"$ax_cv_check_cflags___fPIE" = xyes; then :
CPPFLAGS="$CPPFLAGS -fPIE"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
$as_echo_n "checking whether the linker accepts -pie... " >&6; }
if ${ax_cv_check_ldflags___pie+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___pie=yes
else
ax_cv_check_ldflags___pie=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
$as_echo "$ax_cv_check_ldflags___pie" >&6; }
if test x"$ax_cv_check_ldflags___pie" = xyes; then :
LDFLAGS="$LDFLAGS -pie"
else
:
fi
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,relro"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_relro=yes
else
ax_cv_check_ldflags___Wl__z_relro=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,-z,relro"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,now... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_now+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,now"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_now=yes
else
ax_cv_check_ldflags___Wl__z_now=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_now" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_now" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,-z,now"
else
:
fi
fi;
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
$as_echo_n "checking for ANSI C header files... " >&6; }
@ -5259,7 +5599,7 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h
fi
for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h
for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -5287,7 +5627,7 @@ fi
done
for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h
for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include \"src/have.h\"
@ -5921,6 +6261,22 @@ cat >>confdefs.h <<_ACEOF
_ACEOF
ac_fn_c_check_decl "$LINENO" "res_init" "ac_cv_have_decl_res_init" "
#include <netinet/in.h>
#include <resolv.h>
"
if test "x$ac_cv_have_decl_res_init" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_RES_INIT $ac_have_decl
_ACEOF
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
@ -7040,7 +7396,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by tinc $as_me 1.0.23, which was
This file was extended by tinc $as_me 1.0.24, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -7106,7 +7462,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
tinc config.status 1.0.23
tinc config.status 1.0.24
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

40
configure.ac
View file

@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.23])
AC_INIT([tinc], [1.0.24])
AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
AC_CONFIG_HEADERS([config.h])
@ -105,7 +105,7 @@ AC_ARG_ENABLE(tunemu,
)
AC_ARG_WITH(windows2000,
AS_HELP_STRING([--without-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]),
AS_HELP_STRING([--with-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]),
[ AS_IF([test "x$with_windows2000" = "xyes"],
[AC_DEFINE(WITH_WINDOWS2000, 1, [Compile with support for Windows 2000])])
]
@ -129,17 +129,40 @@ if test -d /sw/lib ; then
LIBS="$LIBS -L/sw/lib"
fi
dnl Compiler hardening flags
dnl No -fstack-protector-all because it doesn't work on all platforms or architectures.
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
case $host_os in
*mingw*)
AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"])
;;
*)
AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"])
AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"])
;;
esac
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"])
AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"])
]
);
dnl Checks for libraries.
dnl Checks for header files.
dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
AC_HEADER_STDC
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h])
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h])
AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h],
[], [], [#include "src/have.h"]
)
AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h],
AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h],
[], [], [#include "src/have.h"]
)
AC_CHECK_HEADERS([netinet/tcp.h netinet/ip_icmp.h netinet/icmp6.h],
@ -179,6 +202,11 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
[], [], [#include "src/have.h"]
)
AC_CHECK_DECLS([res_init], [], [], [
#include <netinet/in.h>
#include <resolv.h>
])
AC_CACHE_SAVE
dnl These are defined in files in m4/
@ -187,9 +215,9 @@ tinc_ZLIB
tinc_LZO
tinc_OPENSSL
dnl Check if support for jumbograms is requested
dnl Check if support for jumbograms is requested
AC_ARG_ENABLE(jumbograms,
AS_HELP_STRING([--disable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]),
AS_HELP_STRING([--enable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]),
[ AS_IF([test "x$enable_jumbograms" = "xyes"],
[ AC_DEFINE(ENABLE_JUMBOGRAMS, 1, [Support for jumbograms (packets up to 9000 bytes)]) ])
]

8
doc/Makefile.in
View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -80,8 +80,10 @@ subdir = doc
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d

BIN
doc/sample-config.tar.gz
View file

Binary file not shown.

9
doc/tinc.conf.5.in
View file

@ -1,4 +1,4 @@
.Dd 2010-01-16
.Dd 2014-05-11
.Dt TINC.CONF 5
.\" Manual page created by:
.\" Ivo Timmermans
@ -416,7 +416,7 @@ and
are available.
.El
.It Va ReplayWindow Li = Ar bytes Pq 16
vhis is the size of the replay tracking window for each remote node, in bytes.
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
@ -428,7 +428,8 @@ traffic.
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
directory. Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local
@ -631,6 +632,8 @@ The top directory for configuration files.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
The default name of the server configuration file for net
.Ar NETNAME .
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
Optional directory from which any *.conf file will be loaded
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
Host configuration files are kept in this directory.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up

115
doc/tinc.info
View file

@ -1,14 +1,14 @@
This is tinc.info, produced by makeinfo version 5.1 from tinc.texi.
This is tinc.info, produced by makeinfo version 5.2 from tinc.texi.
INFO-DIR-SECTION Networking tools
START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.22, a Virtual Private
This is the info manual for tinc version 1.0.23, a Virtual Private
Network daemon.
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
Permission is granted to make and distribute verbatim copies of this
@ -649,6 +649,9 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read.
These file consists of comments (lines started with a #) or
assignments in the form of
@ -1011,7 +1014,9 @@ ReplayWindow = <bytes> (16)
StrictSubnets = <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local
'/etc/tinc/NETNAME/hosts/' directory.
'/etc/tinc/NETNAME/hosts/' directory. Subnets learned via
connections to other nodes and which are not present in the local
host config files are ignored.
TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information
@ -1040,7 +1045,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
This variable is only required if you want to connect to this host.
It must resolve to the external IP address where the host can be
reached, not the one that is internal to the VPN. If no port is
specified, the default Port is used.
specified, the default Port is used. Multiple Address variables
can be specified, in which case each address will be tried until a
working connection has been established.
Cipher = <CIPHER> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any
@ -2424,16 +2431,16 @@ Concept Index
* CHAL_REPLY: Authentication protocol.
(line 10)
* CIDR notation: Host configuration variables.
(line 91)
(line 93)
* Cipher: Host configuration variables.
(line 12)
(line 14)
* ClampMSS: Host configuration variables.
(line 18)
(line 20)
* client: How connections work.
(line 18)
* command line: Runtime options. (line 9)
* Compression: Host configuration variables.
(line 24)
(line 26)
* connection: The connection. (line 6)
* ConnectTo: Main configuration variables.
(line 53)
@ -2452,7 +2459,7 @@ Concept Index
* DeviceType: Main configuration variables.
(line 80)
* Digest: Host configuration variables.
(line 29)
(line 31)
* DirectOnly: Main configuration variables.
(line 145)
* dummy: Main configuration variables.
@ -2481,7 +2488,7 @@ Concept Index
* IffOneQueue: Main configuration variables.
(line 191)
* IndirectData: Host configuration variables.
(line 34)
(line 36)
* Interface: Main configuration variables.
(line 194)
* INTERFACE: Scripts. (line 56)
@ -2498,7 +2505,7 @@ Concept Index
* MACExpire: Main configuration variables.
(line 219)
* MACLength: Host configuration variables.
(line 42)
(line 44)
* MaxTimeout: Main configuration variables.
(line 224)
* meta-protocol: The meta-connection. (line 18)
@ -2521,7 +2528,7 @@ Concept Index
* OpenSSL: OpenSSL. (line 6)
* options: Runtime options. (line 9)
* PEM format: Host configuration variables.
(line 67)
(line 69)
* PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables.
(line 266)
@ -2529,12 +2536,12 @@ Concept Index
(line 270)
* platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables.
(line 47)
(line 49)
* PMTUDiscovery: Host configuration variables.
(line 50)
(line 52)
* PONG: The meta-protocol. (line 88)
* Port: Host configuration variables.
(line 55)
(line 57)
* port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables.
(line 276)
@ -2549,9 +2556,9 @@ Concept Index
* Proxy: Main configuration variables.
(line 297)
* PublicKey: Host configuration variables.
(line 59)
(line 61)
* PublicKeyFile: Host configuration variables.
(line 62)
(line 64)
* raw_socket: Main configuration variables.
(line 92)
* release: Supported platforms. (line 14)
@ -2576,16 +2583,16 @@ Concept Index
* StrictSubnets: Main configuration variables.
(line 331)
* Subnet: Host configuration variables.
(line 74)
(line 76)
* SUBNET: Scripts. (line 72)
* Subnet weight: Host configuration variables.
(line 96)
(line 98)
* SVPN: Security. (line 11)
* switch: Main configuration variables.
(line 239)
* TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables.
(line 103)
(line 105)
* tinc: Introduction. (line 6)
* TINC: Security. (line 6)
* tinc-down: Scripts. (line 18)
@ -2596,16 +2603,16 @@ Concept Index
* tunifhead: Main configuration variables.
(line 134)
* TunnelServer: Main configuration variables.
(line 336)
(line 338)
* tunnohead: Main configuration variables.
(line 128)
* UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets.
(line 12)
* UDPRcvBuf: Main configuration variables.
(line 343)
(line 345)
* UDPSndBuf: Main configuration variables.
(line 348)
(line 350)
* UML: Main configuration variables.
(line 110)
* Universal tun/tap: Configuration of Linux kernels.
@ -2656,35 +2663,35 @@ Node: Configuration introduction20366
Node: Multiple networks21634
Node: How connections work23059
Node: Configuration files24281
Node: Main configuration variables25669
Node: Host configuration variables41635
Node: Scripts46990
Node: How to configure49753
Node: Generating keypairs51010
Node: Network interfaces51509
Node: Example configuration53357
Node: Running tinc58682
Node: Runtime options59272
Node: Signals62574
Node: Debug levels63765
Node: Solving problems64701
Node: Error messages66253
Node: Sending bug reports70262
Node: Technical information71209
Node: The connection71440
Node: The UDP tunnel71752
Node: The meta-connection74815
Node: The meta-protocol76284
Node: Security81301
Node: Authentication protocol82434
Node: Encryption of network packets87451
Node: Security issues88827
Node: Platform specific information90454
Node: Interface configuration90682
Node: Routes93135
Node: About us95052
Node: Contact information95227
Node: Authors95631
Node: Concept Index96036
Node: Main configuration variables25776
Node: Host configuration variables41870
Node: Scripts47371
Node: How to configure50134
Node: Generating keypairs51391
Node: Network interfaces51890
Node: Example configuration53738
Node: Running tinc59063
Node: Runtime options59653
Node: Signals62955
Node: Debug levels64146
Node: Solving problems65082
Node: Error messages66634
Node: Sending bug reports70643
Node: Technical information71590
Node: The connection71821
Node: The UDP tunnel72133
Node: The meta-connection75196
Node: The meta-protocol76665
Node: Security81682
Node: Authentication protocol82815
Node: Encryption of network packets87832
Node: Security issues89208
Node: Platform specific information90835
Node: Interface configuration91063
Node: Routes93516
Node: About us95433
Node: Contact information95608
Node: Authors96012
Node: Concept Index96417

End Tag Table

11
doc/tinc.texi
View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans,
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -39,7 +39,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans,
Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>.
@ -718,6 +718,9 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read.
These file consists of comments (lines started with a #) or assignments
in the form of
@ -1102,6 +1105,8 @@ traffic.
When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
@ -1134,6 +1139,8 @@ This variable is only required if you want to connect to this host. It
must resolve to the external IP address where the host can be reached,
not the one that is internal to the VPN.
If no port is specified, the default Port is used.
Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)

2
doc/tincd.8.in
View file

@ -1,4 +1,4 @@
.Dd 2011-01-02
.Dd 2014-05-11
.Dt TINCD 8
.\" Manual page created by:
.\" Ivo Timmermans

8
m4/Makefile.in
View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -81,8 +81,10 @@ subdir = m4
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d

72
m4/ax_check_compile_flag.m4 Normal file
View file

@ -0,0 +1,72 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
# Check whether the given FLAG works with the current language's compiler
# or gives an error. (Warnings, however, are ignored)
#
# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
# success/failure.
#
# If EXTRA-FLAGS is defined, it is added to the current language's default
# flags (e.g. CFLAGS) when the check is done. The check is thus made with
# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
# force the compiler to issue an error when a bad flag is given.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_CHECK_COMPILE_FLAG],
[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
_AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
[AS_VAR_SET(CACHEVAR,[yes])],
[AS_VAR_SET(CACHEVAR,[no])])
_AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
[m4_default([$2], :)],
[m4_default([$3], :)])
AS_VAR_POPDEF([CACHEVAR])dnl
])dnl AX_CHECK_COMPILE_FLAGS

71
m4/ax_check_link_flag.m4 Normal file
View file

@ -0,0 +1,71 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
# Check whether the given FLAG works with the linker or gives an error.
# (Warnings, however, are ignored)
#
# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
# success/failure.
#
# If EXTRA-FLAGS is defined, it is added to the linker's default flags
# when the check is done. The check is thus made with the flags: "LDFLAGS
# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
# issue an error when a bad flag is given.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_CHECK_LINK_FLAG],
[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS $4 $1"
AC_LINK_IFELSE([AC_LANG_PROGRAM()],
[AS_VAR_SET(CACHEVAR,[yes])],
[AS_VAR_SET(CACHEVAR,[no])])
LDFLAGS=$ax_check_save_flags])
AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
[m4_default([$2], :)],
[m4_default([$3], :)])
AS_VAR_POPDEF([CACHEVAR])dnl
])dnl AX_CHECK_LINK_FLAGS

4
missing
View file

@ -1,7 +1,7 @@
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2012-06-26.16; # UTC
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
@ -160,7 +160,7 @@ give_advice ()
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'automa4te' program to be rebuilt."
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)

8
src/Makefile.in
View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -93,8 +93,10 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
$(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d

18
src/avl_tree.c
View file

@ -2,7 +2,7 @@
avl_tree.c -- avl_ tree and linked list convenience
Copyright (C) 1998 Michael H. Buselli
2000-2005 Ivo Timmermans,
2000-2006 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2005 Wessel Dankers <wsl@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
@ -168,14 +168,12 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
child->right->parent = child;
gchild->right = node;
if(gchild->right)
gchild->right->parent = gchild;
gchild->right->parent = gchild;
gchild->left = child;
if(gchild->left)
gchild->left->parent = gchild;
*superparent = gchild;
gchild->left->parent = gchild;
*superparent = gchild;
gchild->parent = parent;
#ifdef AVL_COUNT
node->count = AVL_CALC_COUNT(node);
@ -224,12 +222,10 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
child->left->parent = child;
gchild->left = node;
if(gchild->left)
gchild->left->parent = gchild;
gchild->left->parent = gchild;
gchild->right = child;
if(gchild->right)
gchild->right->parent = gchild;
gchild->right->parent = gchild;
*superparent = gchild;
gchild->parent = parent;
@ -600,6 +596,8 @@ void avl_unlink_node(avl_tree_t *tree, avl_node_t *node)
balnode = parent;
} else {
subst = node->prev;
if(!subst) // This only happens if node is not actually in a tree at all.
abort();
if(subst == left) {
balnode = subst;

25
src/conf.c
View file

@ -2,7 +2,7 @@
conf.c -- configuration code
Copyright (C) 1998 Robert van der Meulen
1998-2005 Ivo Timmermans
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2010-2011 Julien Muchembled <jm@jmuchemb.eu>
2000 Cris van Pelt
@ -378,6 +378,29 @@ bool read_server_config(void) {
xasprintf(&fname, "%s/tinc.conf", confbase);
x = read_config_file(config_tree, fname);
// We will try to read the conf files in the "conf.d" dir
if (x) {
char * dname;
xasprintf(&dname, "%s/conf.d", confbase);
DIR *dir = opendir (dname);
// If we can find this dir
if (dir) {
struct dirent *ep;
// We list all the files in it
while (x && (ep = readdir (dir))) {
size_t l = strlen(ep->d_name);
// And we try to read the ones that end with ".conf"
if (l > 5 && !strcmp(".conf", & ep->d_name[ l - 5 ])) {
free(fname);
xasprintf(&fname, "%s/%s", dname, ep->d_name);
x = read_config_file(config_tree, fname);
}
}
closedir (dir);
}
free(dname);
}
if(!x) { /* System error: complain */
logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno));
}

14
src/graph.c
View file

@ -1,6 +1,6 @@
/*
graph.c -- graph algorithms
Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2001-2014 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -212,9 +212,13 @@ static void sssp_bfs(void) {
&& (!e->to->status.indirect || indirect))
continue;
// Only update nexthop the first time we visit this node.
if(!e->to->status.visited)
e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
e->to->status.visited = true;
e->to->status.indirect = indirect;
e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
e->to->prevedge = e;
e->to->via = indirect ? n->via : e->to;
e->to->options = e->options;
@ -336,6 +340,7 @@ void dump_graph(void) {
if(!file) {
logger(LOG_ERR, "Unable to open graph dump file %s: %s", filename, strerror(errno));
free(filename);
free(tmpname);
return;
}
@ -363,7 +368,10 @@ void dump_graph(void) {
#ifdef HAVE_MINGW
unlink(filename);
#endif
rename(tmpname, filename);
if(rename(tmpname, filename))
logger(LOG_ERR, "Could not rename %s to %s: %s\n", tmpname, filename, strerror(errno));
free(tmpname);
}
free(filename);
}

3
src/have.h
View file

@ -1,7 +1,7 @@
/*
have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans
2003-2011 Guus Sliepen <guus@tinc-vpn.org>
2003-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -38,6 +38,7 @@
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
#ifdef HAVE_MINGW
#include <w32api.h>

15
src/linux/device.c
View file

@ -1,7 +1,7 @@
/*
device.c -- Interaction with Linux ethertap and tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans,
2001-2013 Guus Sliepen <guus@tinc-vpn.org>
2001-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -107,17 +107,21 @@ static bool setup_device(void) {
ifr.ifr_flags |= IFF_ONE_QUEUE;
#endif
if(iface)
if(iface) {
strncpy(ifr.ifr_name, iface, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ - 1] = 0;
}
if(!ioctl(device_fd, TUNSETIFF, &ifr)) {
strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
if(iface) free(iface);
ifrname[IFNAMSIZ - 1] = 0;
free(iface);
iface = xstrdup(ifrname);
} else if(!ioctl(device_fd, (('T' << 8) | 202), &ifr)) {
logger(LOG_WARNING, "Old ioctl() request was needed for %s", device);
strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
if(iface) free(iface);
ifrname[IFNAMSIZ - 1] = 0;
free(iface);
iface = xstrdup(ifrname);
} else
#endif
@ -126,8 +130,7 @@ static bool setup_device(void) {
overwrite_mac = true;
device_info = "Linux ethertap device";
device_type = DEVICE_TYPE_ETHERTAP;
if(iface)
free(iface);
free(iface);
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
}

8
src/meta.c
View file

@ -1,6 +1,6 @@
/*
meta.c -- handle the meta communication
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
2006 Scott Lamb <slamb@slamb.org>
@ -180,7 +180,7 @@ bool receive_meta(connection_t *c) {
if(!c->node) {
if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
logger(LOG_DEBUG, "Proxy request granted");
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
} else {
logger(LOG_ERR, "Proxy request rejected");
return false;
@ -199,9 +199,9 @@ bool receive_meta(connection_t *c) {
return false;
}
if(c->buffer[3] == 0) {
logger(LOG_DEBUG, "Proxy request granted");
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
} else {
logger(LOG_DEBUG, "Proxy request rejected");
logger(LOG_ERR, "Proxy request rejected");
return false;
}
} else {

18
src/mingw/device.c
View file

@ -1,7 +1,7 @@
/*
device.c -- Interaction with Windows tap driver in a MinGW environment
Copyright (C) 2002-2005 Ivo Timmermans,
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -49,6 +49,7 @@ static DWORD WINAPI tapreader(void *bla) {
DWORD len;
OVERLAPPED overlapped;
vpn_packet_t packet;
int errors = 0;
logger(LOG_DEBUG, "Tap reader running");
@ -71,16 +72,27 @@ static DWORD WINAPI tapreader(void *bla) {
} else {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return -1;
errors++;
if(errors >= 10) {
EnterCriticalSection(&mutex);
running = false;
LeaveCriticalSection(&mutex);
}
usleep(1000000);
continue;
}
}
EnterCriticalSection(&mutex);
errors = 0;
packet.len = len;
packet.priority = 0;
EnterCriticalSection(&mutex);
route(myself, &packet);
LeaveCriticalSection(&mutex);
}
return 0;
}
static bool setup_device(void) {

11
src/multicast_device.c
View file

@ -1,7 +1,7 @@
/*
device.c -- multicast socket
Copyright (C) 2002-2005 Ivo Timmermans,
2002-2013 Guus Sliepen <guus@tinc-vpn.org>
2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -56,6 +56,7 @@ static bool setup_device(void) {
space = strchr(host, ' ');
if(!space) {
logger(LOG_ERR, "Port number required for %s", device_info);
free(host);
return false;
}
@ -75,6 +76,7 @@ static bool setup_device(void) {
device_fd = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP);
if(device_fd < 0) {
logger(LOG_ERR, "Creating socket failed: %s", sockstrerror(sockerrno));
free(host);
return false;
}
@ -88,6 +90,7 @@ static bool setup_device(void) {
if(bind(device_fd, ai->ai_addr, ai->ai_addrlen)) {
closesocket(device_fd);
logger(LOG_ERR, "Can't bind to %s %s: %s", host, port, sockstrerror(sockerrno));
free(host);
return false;
}
@ -102,6 +105,7 @@ static bool setup_device(void) {
if(setsockopt(device_fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof mreq)) {
logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
closesocket(device_fd);
free(host);
return false;
}
#ifdef IP_MULTICAST_LOOP
@ -123,6 +127,7 @@ static bool setup_device(void) {
if(setsockopt(device_fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, (void *)&mreq, sizeof mreq)) {
logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
closesocket(device_fd);
free(host);
return false;
}
#ifdef IPV6_MULTICAST_LOOP
@ -135,11 +140,13 @@ static bool setup_device(void) {
#endif
default:
logger(LOG_ERR, "Multicast for address family %hx unsupported", ai->ai_family);
logger(LOG_ERR, "Multicast for address family %x unsupported", ai->ai_family);
closesocket(device_fd);
free(host);
return false;
}
free(host);
logger(LOG_INFO, "%s is a %s", device, device_info);
return true;

19
src/net.c
View file

@ -1,7 +1,7 @@
/*
net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2011 Loïc Grenié <loic.grenie@gmail.com>
@ -41,6 +41,14 @@
#include "subnet.h"
#include "xalloc.h"
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
bool do_purge = false;
volatile bool running = false;
#ifdef HAVE_PSELECT
@ -182,6 +190,12 @@ void terminate_connection(connection_t *c, bool report) {
closesocket(c->socket);
if(c->edge) {
if(!c->node) {
logger(LOG_ERR, "Connection to %s (%s) has an edge but node is NULL!", c->name, c->hostname);
// And that should never happen.
abort();
}
if(report && !tunnelserver)
send_del_edge(everyone, c->edge);
@ -494,6 +508,9 @@ int main_loop(void) {
avl_node_t *node;
logger(LOG_INFO, "Flushing event queue");
expire_events();
#if HAVE_DECL_RES_INIT
res_init();
#endif
for(node = connection_tree->head; node; node = node->next) {
connection_t *c = node->data;
if(c->status.active)

17
src/net_packet.c
View file

@ -1,7 +1,7 @@
/*
net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
@ -269,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
}
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@ -302,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
HMAC(n->indigest, n->inkey, n->inkeylength,
(unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
n->name, n->hostname);
return;
@ -664,7 +664,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
avl_node_t *node;
edge_t *e;
node_t *n = NULL;
bool hard = false;
static time_t last_hard_try = 0;
for(node = edge_weight_tree->head; node; node = node->next) {
@ -673,11 +672,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
if(e->to == myself)
continue;
if(sockaddrcmp_noport(from, &e->address)) {
if(last_hard_try == now)
continue;
hard = true;
}
if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
continue;
if(!try_mac(e->to, pkt))
continue;
@ -686,9 +682,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
break;
}
if(hard)
last_hard_try = now;
last_hard_try = now;
return n;
}

77
src/net_setup.c
View file

@ -1,7 +1,7 @@
/*
net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
@ -165,23 +165,25 @@ static bool read_rsa_private_key(void) {
char *fname, *key, *pubkey;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL);
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!");
free(pubkey);
return false;
}
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
free(key);
free(pubkey);
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
return true;
}
@ -200,15 +202,12 @@ static bool read_rsa_private_key(void) {
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
struct stat s;
if(fstat(fileno(fp), &s)) {
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
fname, strerror(errno));
free(fname);
return false;
if(!fstat(fileno(fp), &s)) {
if(s.st_mode & ~0100700)
logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
} else {
logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
}
if(s.st_mode & ~0100700)
logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
#endif
myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
@ -299,10 +298,12 @@ char *get_name(void) {
if(!envname) {
if(strcmp(name + 1, "HOST")) {
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
free(name);
return false;
}
if(gethostname(hostname, sizeof hostname) || !*hostname) {
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
free(name);
return false;
}
hostname[31] = 0;
@ -340,6 +341,7 @@ static bool setup_myself(void) {
bool choice;
int i, err;
int replaywin_int;
bool port_specified = false;
myself = new_node();
myself->connection = new_connection();
@ -355,6 +357,8 @@ static bool setup_myself(void) {
return false;
}
/* Read tinc.conf and our own host config file */
myself->name = name;
myself->connection->name = xstrdup(name);
xasprintf(&fname, "%s/hosts/%s", confbase, name);
@ -367,6 +371,10 @@ static bool setup_myself(void) {
if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
myport = xstrdup("655");
else
port_specified = true;
/* Ensure myport is numeric */
if(!atoi(myport)) {
struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
@ -378,8 +386,7 @@ static bool setup_myself(void) {
sockaddr2str(&sa, NULL, &myport);
}
get_config_string(lookup_config(config_tree, "Proxy"), &proxy);
if(proxy) {
if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) {
if((space = strchr(proxy, ' ')))
*space++ = 0;
@ -397,6 +404,7 @@ static bool setup_myself(void) {
proxytype = PROXY_EXEC;
} else {
logger(LOG_ERR, "Unknown proxy type %s!", proxy);
free(proxy);
return false;
}
@ -408,6 +416,7 @@ static bool setup_myself(void) {
case PROXY_EXEC:
if(!space || !*space) {
logger(LOG_ERR, "Argument expected for proxy type exec!");
free(proxy);
return false;
}
proxyhost = xstrdup(space);
@ -426,6 +435,7 @@ static bool setup_myself(void) {
*space++ = 0, proxypass = space;
if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
logger(LOG_ERR, "Host and port argument expected for proxy!");
free(proxy);
return false;
}
proxyhost = xstrdup(proxyhost);
@ -479,6 +489,7 @@ static bool setup_myself(void) {
routing_mode = RMODE_HUB;
else {
logger(LOG_ERR, "Invalid routing mode!");
free(mode);
return false;
}
free(mode);
@ -493,6 +504,7 @@ static bool setup_myself(void) {
forwarding_mode = FMODE_KERNEL;
else {
logger(LOG_ERR, "Invalid forwarding mode!");
free(mode);
return false;
}
free(mode);
@ -519,6 +531,7 @@ static bool setup_myself(void) {
broadcast_mode = BMODE_DIRECT;
else {
logger(LOG_ERR, "Invalid broadcast mode!");
free(mode);
return false;
}
free(mode);
@ -571,6 +584,7 @@ static bool setup_myself(void) {
addressfamily = AF_UNSPEC;
else {
logger(LOG_ERR, "Invalid address family!");
free(afname);
return false;
}
free(afname);
@ -580,8 +594,7 @@ static bool setup_myself(void) {
/* Generate packet encryption key */
if(get_config_string
(lookup_config(config_tree, "Cipher"), &cipher)) {
if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
} else {
@ -589,9 +602,11 @@ static bool setup_myself(void) {
if(!myself->incipher) {
logger(LOG_ERR, "Unrecognized cipher type!");
free(cipher);
return false;
}
}
free(cipher);
} else
myself->incipher = EVP_bf_cbc();
@ -617,9 +632,12 @@ static bool setup_myself(void) {
if(!myself->indigest) {
logger(LOG_ERR, "Unrecognized digest type!");
free(digest);
return false;
}
}
free(digest);
} else
myself->indigest = EVP_sha1();
@ -683,6 +701,7 @@ static bool setup_myself(void) {
else if(!strcasecmp(type, "vde"))
devops = vde_devops;
#endif
free(type);
}
if(!devops.setup())
@ -812,13 +831,27 @@ static bool setup_myself(void) {
} while(cfg);
}
if(listen_sockets)
logger(LOG_NOTICE, "Ready");
else {
if(!listen_sockets) {
logger(LOG_ERR, "Unable to create any listening socket!");
return false;
}
/* If no Port option was specified, set myport to the port used by the first listening socket. */
if(!port_specified) {
sockaddr_t sa;
socklen_t salen = sizeof sa;
if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) {
free(myport);
sockaddr2str(&sa, NULL, &myport);
if(!myport)
myport = xstrdup("655");
}
}
/* Done. */
logger(LOG_NOTICE, "Ready");
return true;
}

29
src/net_socket.c
View file

@ -1,7 +1,7 @@
/*
net_socket.c -- Handle various kinds of sockets.
Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org>
2009 Florian Forster <octo@verplant.org>
@ -87,20 +87,21 @@ static bool bind_to_interface(int sd) {
int status;
#endif /* defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) */
if(!get_config_string (lookup_config (config_tree, "BindToInterface"), &iface))
if(!get_config_string(lookup_config (config_tree, "BindToInterface"), &iface))
return true;
#if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
free(iface);
status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr));
if(status) {
logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(errno));
logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
return false;
}
#else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */
logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
#endif
@ -135,20 +136,21 @@ int setup_listen_socket(const sockaddr_t *sa) {
setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif
if(get_config_string
(lookup_config(config_tree, "BindToInterface"), &iface)) {
if(get_config_string(lookup_config(config_tree, "BindToInterface"), &iface)) {
#if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
free(iface);
if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) {
closesocket(nfd);
logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(sockerrno));
logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(sockerrno));
return -1;
}
#else
logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
#endif
@ -238,8 +240,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
option = 1;
setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option));
}
#else
#warning No way to disable IPv4 fragmentation
#endif
#if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
@ -252,8 +252,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
option = 1;
setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
}
#else
#warning No way to disable IPv6 fragmentation
#endif
if (!bind_to_interface(nfd)) {
@ -311,7 +309,7 @@ static void do_outgoing_pipe(connection_t *c, char *command) {
if(fork()) {
c->socket = fd[0];
close(fd[1]);
logger(LOG_DEBUG, "Using proxy %s", command);
ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Using proxy %s", command);
return;
}
@ -407,7 +405,6 @@ begin:
if(!proxytype) {
c->socket = socket(c->address.sa.sa_family, SOCK_STREAM, IPPROTO_TCP);
configure_tcp(c);
} else if(proxytype == PROXY_EXEC) {
do_outgoing_pipe(c, proxyhost);
} else {
@ -416,7 +413,6 @@ begin:
goto begin;
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
configure_tcp(c);
}
if(c->socket == -1) {
@ -424,6 +420,9 @@ begin:
goto begin;
}
if(proxytype != PROXY_EXEC)
configure_tcp(c);
#ifdef FD_CLOEXEC
fcntl(c->socket, F_SETFD, FD_CLOEXEC);
#endif

2
src/pidfile.c
View file

@ -46,7 +46,7 @@ pid_t read_pid (const char *pidfile)
if(fscanf(f,"%20ld", &pid) != 1)
pid = 0;
fclose(f);
return pid;
return (pid_t)pid;
}
/* check_pid

17
src/protocol_auth.c
View file

@ -1,7 +1,7 @@
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -107,7 +107,7 @@ static bool send_proxyrequest(connection_t *c) {
i += 2;
c->tcplen += 22;
} else {
logger(LOG_ERR, "Address family %hx not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
logger(LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
return false;
}
if(i > len)
@ -215,7 +215,12 @@ bool send_metakey(connection_t *c) {
/* Copy random data to the buffer */
RAND_pseudo_bytes((unsigned char *)c->outkey, len);
if (1 != RAND_bytes((unsigned char *)c->outkey, len)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate meta key (%s)", ERR_error_string(err, NULL));
return false;
}
/* The message we send must be smaller than the modulus of the RSA key.
By definition, for a key of k bits, the following formula holds:
@ -391,7 +396,11 @@ bool send_challenge(connection_t *c) {
/* Copy random data to the buffer */
RAND_pseudo_bytes((unsigned char *)c->hischallenge, len);
if (1 != RAND_bytes((unsigned char *)c->hischallenge, len)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate challenge (%s)", ERR_error_string(err, NULL));
return false; // Do not send predictable challenges, let connection attempt fail.
}
/* Convert to hex */

12
src/protocol_key.c
View file

@ -1,7 +1,7 @@
/*
protocol_key.c -- handle the meta-protocol, key exchange
Copyright (C) 1999-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) {
/* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */
send_ans_key(from);
if (!send_ans_key(from))
return false;
} else {
if(tunnelserver)
return true;
@ -156,7 +157,12 @@ bool send_ans_key(node_t *to) {
to->inkey = xrealloc(to->inkey, to->inkeylength);
// Create a new key
RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL));
return false; // Do not send insecure keys, let connection attempt fail.
}
if(to->incipher)
EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);

13
src/raw_socket_device.c
View file

@ -1,7 +1,7 @@
/*
device.c -- raw socket
Copyright (C) 2002-2005 Ivo Timmermans,
2002-2012 Guus Sliepen <guus@tinc-vpn.org>
2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -32,7 +32,7 @@
#include "route.h"
#include "xalloc.h"
#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET)
#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) && defined(SIOCGIFINDEX)
static char *device_info;
static uint64_t device_total_in = 0;
@ -62,20 +62,21 @@ static bool setup_device(void) {
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) {
close(device_fd);
logger(LOG_ERR, "Can't find interface %s: %s", iface,
strerror(errno));
logger(LOG_ERR, "Can't find interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
return false;
}
memset(&sa, '0', sizeof(sa));
memset(&sa, 0, sizeof(sa));
sa.sll_family = AF_PACKET;
sa.sll_protocol = htons(ETH_P_ALL);
sa.sll_ifindex = ifr.ifr_ifindex;
if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) {
logger(LOG_ERR, "Could not bind %s to %s: %s", device, iface, strerror(errno));
logger(LOG_ERR, "Could not bind %s to %s: %s", device, ifr.ifr_ifrn.ifrn_name, strerror(errno));
return false;
}

4
src/route.c
View file

@ -1,7 +1,7 @@
/*
route.c -- routing
Copyright (C) 2000-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -197,7 +197,7 @@ static void learn_mac(mac_t *address) {
/* If we don't know this MAC address yet, store it */
if(!subnet) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx",
ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
address->x[0], address->x[1], address->x[2], address->x[3],
address->x[4], address->x[5]);

341
src/solaris/device.c
View file

@ -1,7 +1,8 @@
/*
device.c -- Interaction with Solaris tun device
Copyright (C) 2001-2005 Ivo Timmermans,
2001-2012 Guus Sliepen <guus@tinc-vpn.org>
2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
2001-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -18,98 +19,258 @@
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "../system.h"
#include <sys/stropts.h>
#include <sys/sockio.h>
#include <net/if_tun.h>
#include "../conf.h"
#include "../device.h"
#include "../logger.h"
#include "../net.h"
#include "../route.h"
#include "../utils.h"
#include "../xalloc.h"
#define DEFAULT_DEVICE "/dev/tun"
#ifndef TUNNEWPPA
#warning Missing net/if_tun.h, using hardcoded value for TUNNEWPPA
#define TUNNEWPPA (('T'<<16) | 0x0001)
#endif
#define DEFAULT_TUN_DEVICE "/dev/tun"
#define DEFAULT_TAP_DEVICE "/dev/tap"
static enum {
DEVICE_TYPE_TUN,
DEVICE_TYPE_TAP,
} device_type = DEVICE_TYPE_TUN;
int device_fd = -1;
static int ip_fd = -1, if_fd = -1;
static int if_fd = -1;
static int ip_fd = -1;
char *device = NULL;
char *iface = NULL;
static char *device_info = NULL;
static uint64_t device_total_in = 0;
static uint64_t device_total_out = 0;
uint64_t device_total_in = 0;
uint64_t device_total_out = 0;
static bool setup_device(void) {
int ppa;
char *ptr;
char *type;
if(!get_config_string(lookup_config(config_tree, "Device"), &device))
device = xstrdup(DEFAULT_DEVICE);
if((device_fd = open(device, O_RDWR | O_NONBLOCK)) < 0) {
logger(LOG_ERR, "Could not open %s: %s", device, strerror(errno));
return false;
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
if(routing_mode == RMODE_ROUTER)
device = xstrdup(DEFAULT_TUN_DEVICE);
else
device = xstrdup(DEFAULT_TAP_DEVICE);
}
#ifdef FD_CLOEXEC
fcntl(device_fd, F_SETFD, FD_CLOEXEC);
#endif
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
if(!strcasecmp(type, "tun"))
/* use default */;
else if(!strcasecmp(type, "tap"))
device_type = DEVICE_TYPE_TAP;
else {
logger(LOG_ERR, "Unknown device type %s!", type);
return false;
}
} else {
if(strstr(device, "tap") || routing_mode != RMODE_ROUTER)
device_type = DEVICE_TYPE_TAP;
}
ppa = 0;
if(device_type == DEVICE_TYPE_TUN)
device_info = "Solaris tun device";
else
device_info = "Solaris tap device";
ptr = device;
while(*ptr && !isdigit((int) *ptr))
ptr++;
ppa = atoi(ptr);
/* The following is black magic copied from OpenVPN. */
if((ip_fd = open("/dev/ip", O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open /dev/ip: %s", strerror(errno));
logger(LOG_ERR, "Could not open %s: %s\n", "/dev/ip", strerror(errno));
return false;
}
#ifdef FD_CLOEXEC
fcntl(ip_fd, F_SETFD, FD_CLOEXEC);
#endif
if((device_fd = open(device, O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
return false;
}
/* Get unit number. */
char *ptr = device;
get_config_string(lookup_config(config_tree, "Interface"), &ptr);
while(*ptr && !isdigit(*ptr))
ptr++;
int ppa = atoi(ptr);
/* Assign a new PPA and get its unit number. */
if((ppa = ioctl(device_fd, TUNNEWPPA, ppa)) < 0) {
logger(LOG_ERR, "Can't assign new interface: %s", strerror(errno));
return false;
struct strioctl strioc_ppa = {
.ic_cmd = TUNNEWPPA,
.ic_len = sizeof ppa,
.ic_dp = (char *)&ppa,
};
if(!*ptr) { /* no number given, try dynamic */
bool found = false;
while(!found && ppa < 64) {
int new_ppa = ioctl(device_fd, I_STR, &strioc_ppa);
if(new_ppa >= 0) {
ppa = new_ppa;
found = true;
break;
}
ppa++;
}
if(!found) {
logger(LOG_ERR, "Could not find free PPA for %s %s!", device_info, device);
return false;
}
} else { /* try this particular one */
if((ppa = ioctl(device_fd, I_STR, &strioc_ppa)) < 0) {
logger(LOG_ERR, "Could not assign PPA %d for %s %s!", ppa, device_info, device);
return false;
}
}
if((if_fd = open(device, O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open %s twice: %s", device,
strerror(errno));
logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
return false;
}
#ifdef FD_CLOEXEC
fcntl(if_fd, F_SETFD, FD_CLOEXEC);
#endif
if(ioctl(if_fd, I_PUSH, "ip") < 0) {
logger(LOG_ERR, "Can't push IP module: %s", strerror(errno));
logger(LOG_ERR, "Could not push IP module onto %s %s!", device_info, device);
return false;
}
/* Assign ppa according to the unit number returned by tun device */
if(ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0) {
logger(LOG_ERR, "Can't set PPA %d: %s", ppa, strerror(errno));
xasprintf(&iface, "%s%d", device_type == DEVICE_TYPE_TUN ? "tun" : "tap", ppa);
{
/* Remove muxes just in case they are left over from a crashed tincd */
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
int muxid = ifr.lifr_arp_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
muxid = ifr.lifr_ip_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
}
}
if(device_type == DEVICE_TYPE_TUN) {
/* Assign ppa according to the unit number returned by tun device */
if(ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) {
logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
return false;
}
}
int arp_fd = -1;
if(device_type == DEVICE_TYPE_TAP) {
struct lifreq ifr = {};
if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
return false;
}
strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
ifr.lifr_ppa = ppa;
/* Assign ppa according to the unit number returned by tun device */
if(ioctl(if_fd, SIOCSLIFNAME, &ifr) < 0) {
logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
return false;
}
if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
return false;
}
/* Push arp module to if_fd */
if(ioctl(if_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
return false;
}
/* Pop any modules on the stream */
while(true) {
if(ioctl(ip_fd, I_POP, NULL) < 0)
break;
}
/* Push arp module to ip_fd */
if(ioctl(ip_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s!", "/dev/ip");
return false;
}
/* Open arp_fd */
if((arp_fd = open(device, O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
return false;
}
/* Push arp module to arp_fd */
if(ioctl(arp_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
return false;
}
/* Set ifname to arp */
struct strioctl strioc_if = {
.ic_cmd = SIOCSLIFNAME,
.ic_len = sizeof ifr,
.ic_dp = (char *)&ifr,
};
if(ioctl(arp_fd, I_STR, &strioc_if) < 0) {
logger(LOG_ERR, "Could not set ifname to %s %s", device_info, device);
return false;
}
}
int ip_muxid, arp_muxid;
if((ip_muxid = ioctl(ip_fd, I_PLINK, if_fd)) < 0) {
logger(LOG_ERR, "Could not link %s %s to IP", device_info, device);
return false;
}
if(ioctl(ip_fd, I_LINK, if_fd) < 0) {
logger(LOG_ERR, "Can't link TUN device to IP: %s", strerror(errno));
if(device_type == DEVICE_TYPE_TAP) {
if((arp_muxid = ioctl(ip_fd, I_PLINK, arp_fd)) < 0) {
logger(LOG_ERR, "Could not link %s %s to ARP", device_info, device);
return false;
}
close(arp_fd);
}
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
ifr.lifr_ip_muxid = ip_muxid;
if(device_type == DEVICE_TYPE_TAP) {
ifr.lifr_arp_muxid = arp_muxid;
}
if(ioctl(ip_fd, SIOCSLIFMUXID, &ifr) < 0) {
if(device_type == DEVICE_TYPE_TAP) {
ioctl(ip_fd, I_PUNLINK, arp_muxid);
}
ioctl(ip_fd, I_PUNLINK, ip_muxid);
logger(LOG_ERR, "Could not set multiplexor id for %s %s", device_info, device);
return false;
}
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
xasprintf(&iface, "tun%d", ppa);
close(if_fd);
device_info = "Solaris tun device";
#ifdef FD_CLOEXEC
fcntl(device_fd, F_SETFD, FD_CLOEXEC);
fcntl(ip_fd, F_SETFD, FD_CLOEXEC);
#endif
logger(LOG_INFO, "%s is a %s", device, device_info);
@ -117,7 +278,17 @@ static bool setup_device(void) {
}
static void close_device(void) {
close(if_fd);
if(iface) {
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
int muxid = ifr.lifr_arp_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
muxid = ifr.lifr_ip_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
}
}
close(ip_fd);
close(device_fd);
@ -126,49 +297,73 @@ static void close_device(void) {
}
static bool read_packet(vpn_packet_t *packet) {
int lenin;
int inlen;
if((lenin = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno));
return false;
}
switch(device_type) {
case DEVICE_TYPE_TUN:
if((inlen = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
return false;
}
switch(packet->data[14] >> 4) {
case 4:
packet->data[12] = 0x08;
packet->data[13] = 0x00;
switch(packet->data[14] >> 4) {
case 4:
packet->data[12] = 0x08;
packet->data[13] = 0x00;
break;
case 6:
packet->data[12] = 0x86;
packet->data[13] = 0xDD;
break;
default:
ifdebug(TRAFFIC) logger(LOG_ERR, "Unknown IP version %d while reading packet from %s %s", packet->data[14] >> 4, device_info, device);
return false;
}
memset(packet->data, 0, 12);
packet->len = inlen + 14;
break;
case 6:
packet->data[12] = 0x86;
packet->data[13] = 0xDD;
case DEVICE_TYPE_TAP:
if((inlen = read(device_fd, packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
return false;
}
packet->len = inlen + 14;
break;
default:
ifdebug(TRAFFIC) logger(LOG_ERR,
"Unknown IP version %d while reading packet from %s %s",
packet->data[14] >> 4, device_info, device);
return false;
abort();
}
memset(packet->data, 0, 12);
packet->len = lenin + 14;
device_total_in += packet->len;
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len,
device_info);
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, device_info);
return true;
}
static bool write_packet(vpn_packet_t *packet) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
packet->len, device_info);
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", packet->len, device_info);
if(write(device_fd, packet->data + 14, packet->len - 14) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info,
device, strerror(errno));
return false;
switch(device_type) {
case DEVICE_TYPE_TUN:
if(write(device_fd, packet->data + 14, packet->len - 14) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
return false;
}
break;
case DEVICE_TYPE_TAP:
if(write(device_fd, packet->data, packet->len) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
return false;
}
break;
default:
abort();
}
device_total_out += packet->len;

8
src/subnet.c
View file

@ -1,6 +1,6 @@
/*
subnet.c -- handle subnet lookups and lists
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify
@ -351,7 +351,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
switch (subnet->type) {
case SUBNET_MAC:
snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx#%d",
snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d",
subnet->net.mac.address.x[0],
subnet->net.mac.address.x[1],
subnet->net.mac.address.x[2],
@ -362,7 +362,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
break;
case SUBNET_IPV4:
snprintf(netstr, len, "%hu.%hu.%hu.%hu/%d#%d",
snprintf(netstr, len, "%u.%u.%u.%u/%d#%d",
subnet->net.ipv4.address.x[0],
subnet->net.ipv4.address.x[1],
subnet->net.ipv4.address.x[2],
@ -372,7 +372,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
break;
case SUBNET_IPV6:
snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d",
snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d",
ntohs(subnet->net.ipv6.address.x[0]),
ntohs(subnet->net.ipv6.address.x[1]),
ntohs(subnet->net.ipv6.address.x[2]),

37
src/tincd.c
View file

@ -1,7 +1,7 @@
/*
tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans
2000-2013 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu>
@ -162,6 +162,11 @@ static bool parse_options(int argc, char **argv) {
break;
case 'c': /* config file */
if(confbase) {
fprintf(stderr, "Only one configuration directory can be given.\n");
usage(true);
return false;
}
confbase = xstrdup(optarg);
break;
@ -229,6 +234,11 @@ static bool parse_options(int argc, char **argv) {
case 'n': /* net name given */
/* netname "." is special: a "top-level name" */
if(netname) {
fprintf(stderr, "Only one netname can be given.\n");
usage(true);
return false;
}
netname = strcmp(optarg, ".") != 0 ? xstrdup(optarg) : NULL;
break;
@ -281,11 +291,22 @@ static bool parse_options(int argc, char **argv) {
use_logfile = true;
if(!optarg && optind < argc && *argv[optind] != '-')
optarg = argv[optind++];
if(optarg)
if(optarg) {
if(logfilename) {
fprintf(stderr, "Only one logfile can be given.\n");
usage(true);
return false;
}
logfilename = xstrdup(optarg);
}
break;
case 5: /* write PID to a file */
if(pidfilename) {
fprintf(stderr, "Only one pidfile can be given.\n");
usage(true);
return false;
}
pidfilename = xstrdup(optarg);
break;
@ -350,7 +371,6 @@ static void indicator(int a, int b, void *p) {
static bool keygen(int bits) {
RSA *rsa_key;
FILE *f;
char *name = get_name();
char *pubname, *privname;
fprintf(stderr, "Generating %d bits keys:\n", bits);
@ -378,10 +398,14 @@ static bool keygen(int bits) {
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
fclose(f);
if(name)
char *name = get_name();
if(name) {
xasprintf(&pubname, "%s/hosts/%s", confbase, name);
else
free(name);
} else {
xasprintf(&pubname, "%s/rsa_key.pub", confbase);
}
f = ask_and_open(pubname, "public RSA key");
free(pubname);
@ -392,7 +416,6 @@ static bool keygen(int bits) {
fputc('\n', f);
PEM_write_RSAPublicKey(f, rsa_key);
fclose(f);
free(name);
return true;
}
@ -526,7 +549,7 @@ int main(int argc, char **argv) {
if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n"
printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"

17
src/utils.c
View file

@ -1,7 +1,7 @@
/*
utils.c -- gathering of some stupid small functions
Copyright (C) 1999-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -78,3 +78,18 @@ unsigned int bitfield_to_int(const void *bitfield, size_t size) {
memcpy(&value, bitfield, size);
return value;
}
/**
* As memcmp(), but constant-time.
* Returns 0 when data is equal, non-zero otherwise.
*/
int memcmp_constant_time (const void *a, const void *b, size_t size) {
const uint8_t *a1 = a, *b1 = b;
int ret = 0;
size_t i;
for (i = 0; i < size; i++)
ret |= *a1++ ^ *b1++;
return ret;
}

4
src/utils.h
View file

@ -1,7 +1,7 @@
/*
utils.h -- header file for utils.c
Copyright (C) 1999-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org>
2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -42,4 +42,6 @@ extern const char *winerror(int);
extern unsigned int bitfield_to_int(const void *bitfield, size_t size);
int memcmp_constant_time (const void *a, const void *b, size_t size);
#endif /* __TINC_UTILS_H__ */

3
src/xmalloc.c
View file

@ -113,6 +113,9 @@ char *xstrdup(const char *s)
{
char *p;
if(!s)
return NULL;
p = strdup(s);
if(!p)
xalloc_fail ((int)strlen(s));