diff --git a/ChangeLog b/ChangeLog index 2dfda27..8f335b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,55 @@ +Version 1.0.24 May 11 2014 +------------------------------------------------------------------------ + +Guus Sliepen (26): + Mention in the manual that multiple Address staments are allowed. + If no Port is specified, set myport to actual port of first listening socket. + Enable compiler hardening flags by default. + Update support for Solaris. + Include for PATH_MAX. + Stricter check for raw socket support. + Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris. + Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16. + Don't enable -fstack-protector-all. + Remove or lower the priority of some debug messages. + Clarify StrictSubnets. + Attribution for various contributors. + Handle errors from TAP-Win32/64 adapter in a better way. + Remove useless variable 'hard' from try_harder(). + Merge pull request #14 from luckyhacky/master + Add an autoconf check for res_init(). + Nexthop calculation should always use the shortest path. + Fix issues found by Coverity. + Fix warnings found by GCC 4.9. + Fix a few more issues found by Coverity. + Fix a few more issues found by Coverity. + Drop h and hh length modifiers from printf format strings. + Fix a bug that could prevent tinc from starting correctly on Windows. + FIx the autoconf checks for res_init(). + Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported. + Releasing 1.0.24. + +Steffan Karger (3): + Use constant time memcmp() when comparing packet HMACs. + Use cryptographically strong random when generating keys. + Check RAND_bytes() return value, fail when getting random fails. + +Florent Clairambault (2): + Adding "conf.d" configuration dir support. + Adding some documentation around the /etc/tinc/$NET/conf.d directory. + +Armin Fisslthaler (1): + reload /etc/resolv.conf in SIGALRM handler + +Loic Dachary (1): + fix documentation typo + +Vilbrekin (1): + Update android build instructions. Disable PIE as this is not supported on some devices. + +luckyhacky (1): + update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl + Version 1.0.23 October 19 2013 ------------------------------------------------------------------------ diff --git a/INSTALL b/INSTALL index 007e939..2099840 100644 --- a/INSTALL +++ b/INSTALL @@ -12,8 +12,8 @@ without warranty of any kind. Basic Installation ================== - Briefly, the shell commands `./configure; make; make install' should -configure, build, and install this package. The following + Briefly, the shell command `./configure && make && make install' +should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. Some packages provide this `INSTALL' file but do not implement all of the features documented diff --git a/Makefile.in b/Makefile.in index ab6b838..a057ac8 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.14 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -85,8 +85,10 @@ DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ config.sub depcomp install-sh missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ - $(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ - $(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ @@ -592,9 +594,10 @@ distcheck: dist && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ - && ../configure --srcdir=.. --prefix="$$dc_install_base" \ + && ../configure \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ + --srcdir=.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ diff --git a/NEWS b/NEWS index 8628bcb..191f645 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,26 @@ +Version 1.0.24 May 11 2013 + + * Various compiler hardening flags are enabled by default. + + * Updated support for Solaris, allowing switch mode on Solaris 11. + + * Configuration will now also be read from a conf.d directory. + + * Various updates to the documentation. + + * Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM. + + * Fixed a potential routing loop when IndirectData or TCPOnly is used and + broadcast packets are being sent. + + * Improved security with constant time memcmp and stricter use of OpenSSL's + RNG functions. + + * Fixed all issues found by Coverity. + +Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc +Dachary and Steffan Karger for their contributions to this version of tinc. + Version 1.0.23 October 19 2013 * Start authentication immediately on outgoing connections (useful for sslh). diff --git a/README b/README index 0f8a9a5..49fc1dc 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ -This is the README file for tinc version 1.0.23. Installation +This is the README file for tinc version 1.0.24. Installation instructions may be found in the INSTALL file. -tinc is Copyright (C) 1998-2013 by: +tinc is Copyright (C) 1998-2014 by: Ivo Timmermans, Guus Sliepen , @@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into Compatibility ------------- -Version 1.0.23 is compatible with 1.0pre8, 1.0 and later, but not with older +Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older versions of tinc. diff --git a/README.android b/README.android index 6fffe41..953633a 100644 --- a/README.android +++ b/README.android @@ -1,14 +1,14 @@ -Quick how-o cross compile tinc for android (done from $HOME/android/): +Quick how-to cross compile tinc for android (done from $HOME/android/): - Download android NDK and setup local ARM toolchain: -wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2 -tar xfj android-ndk-r8b-linux-x86.tar.bz2 -./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain +wget http://dl.google.com/android/ndk/android-ndk-r9d-linux-x86.tar.bz2 +tar xfj android-ndk-r9d-linux-x86.tar.bz2 +./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain - Download and cross-compile openSSL for ARM: -wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz -tar xfz openssl-1.0.1c.tar.gz -cd openssl-1.0.1c +wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz +tar xfz openssl-1.0.1g.tar.gz +cd openssl-1.0.1g ./Configure dist make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib @@ -16,5 +16,9 @@ make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-andr git clone git://tinc-vpn.org/tinc cd tinc autoreconf -fsi -CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/ +CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1g --with-openssl-include=$HOME/android/openssl-1.0.1g/include/ --disable-hardening make -j5 + +- Strip tincd binary to make it smaller +/tmp/my-android-toolchain/bin/arm-linux-androideabi-strip src/tincd + diff --git a/THANKS b/THANKS index 53aa3de..1444b54 100644 --- a/THANKS +++ b/THANKS @@ -4,6 +4,7 @@ We would like to thank the following people for their contributions to tinc: * Allesandro Gatti * Andreas van Cranenburgh * Anthony G. Basile +* Armin Fisslthaler * Armijn Hemel * Brandon Black * Cris van Pelt @@ -11,10 +12,13 @@ We would like to thank the following people for their contributions to tinc: * Delf Eldkraft * dnk * Enrique Zanardi +* Florent Clairambault * Flynn Marquardt +* Gary Kessler and Claudia Gonzalez * Grzegorz Dymarek * Hans Bayle * Ivo van Dong +* James Cook * James MacLean * Jamie Briggs * Jason Harper @@ -22,11 +26,14 @@ We would like to thank the following people for their contributions to tinc: * Jeroen Ubbink * Jerome Etienne * Julien Muchembled +* Lavrans Laading +* Loïc Dachary * Loïc Grenié * Lubomír Bulej * Mads Kiilerich * Marc A. Lehmann * Mark Glines +* Mark Petryk * Markus Goetz * Martin Kihlgren * Martin Schobert @@ -44,6 +51,7 @@ We would like to thank the following people for their contributions to tinc: * Robert van der Meulen * Rumko * Scott Lamb +* Steffan Karger * Sven-Haegar Koch * Teemu Kiviniemi * Timothy Redaelli @@ -52,7 +60,7 @@ We would like to thank the following people for their contributions to tinc: * Wessel Dankers * Wouter van Heyst -And everyone we forgot. Thank you! +And everyone we forgot (if we did, please let us know). Thank you! Ivo Timmermans Guus Sliepen diff --git a/aclocal.m4 b/aclocal.m4 index ae6f78a..bcae214 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.14 -*- Autoconf -*- +# generated automatically by aclocal 1.14.1 -*- Autoconf -*- # Copyright (C) 1996-2013 Free Software Foundation, Inc. @@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.14' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.14], [], +m4_if([$1], [1.14.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.14])dnl +[AM_AUTOMAKE_VERSION([1.14.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) @@ -573,7 +573,8 @@ to "yes", and re-run configure. END AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) fi -fi]) +fi +]) dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further @@ -1184,6 +1185,8 @@ AC_SUBST([am__untar]) ]) # _AM_PROG_TAR m4_include([m4/attribute.m4]) +m4_include([m4/ax_check_compile_flag.m4]) +m4_include([m4/ax_check_link_flag.m4]) m4_include([m4/lzo.m4]) m4_include([m4/openssl.m4]) m4_include([m4/zlib.m4]) diff --git a/config.h.in b/config.h.in index ad2bf4c..7c8b513 100644 --- a/config.h.in +++ b/config.h.in @@ -15,6 +15,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H +/* Define to 1 if you have the header file. */ +#undef HAVE_ARPA_NAMESER_H + /* Define to 1 if you have the `asprintf' function. */ #undef HAVE_ASPRINTF @@ -46,6 +49,10 @@ don't. */ #undef HAVE_DECL_GETNAMEINFO +/* Define to 1 if you have the declaration of `res_init', and to 0 if you + don't. */ +#undef HAVE_DECL_RES_INIT + /* Define to 1 if you have the header file. */ #undef HAVE_DIRENT_H @@ -211,6 +218,9 @@ /* Define to 1 if you have the `RAND_pseudo_bytes' function. */ #undef HAVE_RAND_PSEUDO_BYTES +/* Define to 1 if you have the header file. */ +#undef HAVE_RESOLV_H + /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT diff --git a/configure b/configure index 4943e34..9082724 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tinc 1.0.23. +# Generated by GNU Autoconf 2.69 for tinc 1.0.24. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tinc' PACKAGE_TARNAME='tinc' -PACKAGE_VERSION='1.0.23' -PACKAGE_STRING='tinc 1.0.23' +PACKAGE_VERSION='1.0.24' +PACKAGE_STRING='tinc 1.0.24' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -745,6 +745,7 @@ enable_uml enable_vde enable_tunemu with_windows2000 +enable_hardening enable_zlib with_zlib with_zlib_include @@ -1307,7 +1308,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tinc 1.0.23 to adapt to many kinds of systems. +\`configure' configures tinc 1.0.24 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1377,7 +1378,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tinc 1.0.23:";; + short | recursive ) echo "Configuration of tinc 1.0.24:";; esac cat <<\_ACEOF @@ -1397,15 +1398,16 @@ Optional Features: --enable-uml enable support for User Mode Linux --enable-vde enable support for Virtual Distributed Ethernet --enable-tunemu enable support for the tunemu driver + --disable-hardening disable compiler and linker hardening flags --disable-zlib disable zlib compression support --disable-lzo disable lzo compression support - --disable-jumbograms enable support for jumbograms (packets up to 9000 + --enable-jumbograms enable support for jumbograms (packets up to 9000 bytes) Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --without-windows2000 compile with support for Windows 2000. This disables + --with-windows2000 compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks. --with-zlib=DIR zlib base directory, or: --with-zlib-include=DIR zlib headers directory @@ -1495,7 +1497,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tinc configure 1.0.23 +tinc configure 1.0.24 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1744,6 +1746,52 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_header_compile +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache @@ -1798,52 +1846,6 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_type -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly @@ -1960,7 +1962,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tinc $as_me 1.0.23, which was +It was created by tinc $as_me 1.0.24, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2824,7 +2826,7 @@ fi # Define the identity of the package. PACKAGE='tinc' - VERSION='1.0.23' + VERSION='1.0.24' cat >>confdefs.h <<_ACEOF @@ -2916,6 +2918,7 @@ END as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 fi fi + ac_config_headers="$ac_config_headers config.h" @@ -5146,6 +5149,343 @@ if test -d /sw/lib ; then fi +# Check whether --enable-hardening was given. +if test "${enable_hardening+set}" = set; then : + enableval=$enable_hardening; +fi + +if test "x$enable_hardening" != "xno"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -DFORTIFY_SOURCE=2" >&5 +$as_echo_n "checking whether C compiler accepts -DFORTIFY_SOURCE=2... " >&6; } +if ${ax_cv_check_cflags___DFORTIFY_SOURCE_2+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -DFORTIFY_SOURCE=2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___DFORTIFY_SOURCE_2=yes +else + ax_cv_check_cflags___DFORTIFY_SOURCE_2=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5 +$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; } +if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then : + CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5 +$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; } +if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fno-strict-overflow" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fno_strict_overflow=yes +else + ax_cv_check_cflags___fno_strict_overflow=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5 +$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; } +if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then : + CPPFLAGS="$CPPFLAGS -fno-strict-overflow" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fwrapv" >&5 +$as_echo_n "checking whether C compiler accepts -fwrapv... " >&6; } +if ${ax_cv_check_cflags___fwrapv+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fwrapv" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fwrapv=yes +else + ax_cv_check_cflags___fwrapv=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fwrapv" >&5 +$as_echo "$ax_cv_check_cflags___fwrapv" >&6; } +if test x"$ax_cv_check_cflags___fwrapv" = xyes; then : + CPPFLAGS="$CPPFLAGS -fwrapv" +else + : +fi + + case $host_os in + *mingw*) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--dynamicbase" >&5 +$as_echo_n "checking whether the linker accepts -Wl,--dynamicbase... " >&6; } +if ${ax_cv_check_ldflags___Wl___dynamicbase+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,--dynamicbase" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl___dynamicbase=yes +else + ax_cv_check_ldflags___Wl___dynamicbase=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___dynamicbase" >&5 +$as_echo "$ax_cv_check_ldflags___Wl___dynamicbase" >&6; } +if test x"$ax_cv_check_ldflags___Wl___dynamicbase" = xyes; then : + LDFLAGS="$LDFLAGS -Wl,--dynamicbase" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--nxcompat" >&5 +$as_echo_n "checking whether the linker accepts -Wl,--nxcompat... " >&6; } +if ${ax_cv_check_ldflags___Wl___nxcompat+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,--nxcompat" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl___nxcompat=yes +else + ax_cv_check_ldflags___Wl___nxcompat=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___nxcompat" >&5 +$as_echo "$ax_cv_check_ldflags___Wl___nxcompat" >&6; } +if test x"$ax_cv_check_ldflags___Wl___nxcompat" = xyes; then : + LDFLAGS="$LDFLAGS -Wl,--nxcompat" +else + : +fi + + ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 +$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; } +if ${ax_cv_check_cflags___fPIE+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fPIE=yes +else + ax_cv_check_cflags___fPIE=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5 +$as_echo "$ax_cv_check_cflags___fPIE" >&6; } +if test x"$ax_cv_check_cflags___fPIE" = xyes; then : + CPPFLAGS="$CPPFLAGS -fPIE" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 +$as_echo_n "checking whether the linker accepts -pie... " >&6; } +if ${ax_cv_check_ldflags___pie+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___pie=yes +else + ax_cv_check_ldflags___pie=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5 +$as_echo "$ax_cv_check_ldflags___pie" >&6; } +if test x"$ax_cv_check_ldflags___pie" = xyes; then : + LDFLAGS="$LDFLAGS -pie" +else + : +fi + + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5 +$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; } +if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,relro" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl__z_relro=yes +else + ax_cv_check_ldflags___Wl__z_relro=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5 +$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then : + LDFLAGS="$LDFLAGS -Wl,-z,relro" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5 +$as_echo_n "checking whether the linker accepts -Wl,-z,now... " >&6; } +if ${ax_cv_check_ldflags___Wl__z_now+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,-z,now" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl__z_now=yes +else + ax_cv_check_ldflags___Wl__z_now=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_now" >&5 +$as_echo "$ax_cv_check_ldflags___Wl__z_now" >&6; } +if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes; then : + LDFLAGS="$LDFLAGS -Wl,-z,now" +else + : +fi + + + +fi; + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } @@ -5259,7 +5599,7 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi -for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h +for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -5287,7 +5627,7 @@ fi done -for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h +for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include \"src/have.h\" @@ -5921,6 +6261,22 @@ cat >>confdefs.h <<_ACEOF _ACEOF +ac_fn_c_check_decl "$LINENO" "res_init" "ac_cv_have_decl_res_init" " + #include + #include + +" +if test "x$ac_cv_have_decl_res_init" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_RES_INIT $ac_have_decl +_ACEOF + + cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure @@ -7040,7 +7396,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tinc $as_me 1.0.23, which was +This file was extended by tinc $as_me 1.0.24, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -7106,7 +7462,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tinc config.status 1.0.23 +tinc config.status 1.0.24 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 55ac809..bb2dc80 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([tinc], [1.0.23]) +AC_INIT([tinc], [1.0.24]) AC_CONFIG_SRCDIR([src/tincd.c]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall]) AC_CONFIG_HEADERS([config.h]) @@ -105,7 +105,7 @@ AC_ARG_ENABLE(tunemu, ) AC_ARG_WITH(windows2000, - AS_HELP_STRING([--without-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]), + AS_HELP_STRING([--with-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]), [ AS_IF([test "x$with_windows2000" = "xyes"], [AC_DEFINE(WITH_WINDOWS2000, 1, [Compile with support for Windows 2000])]) ] @@ -129,17 +129,40 @@ if test -d /sw/lib ; then LIBS="$LIBS -L/sw/lib" fi +dnl Compiler hardening flags +dnl No -fstack-protector-all because it doesn't work on all platforms or architectures. + +AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) +AS_IF([test "x$enable_hardening" != "xno"], + [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"]) + AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"]) + AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"]) + case $host_os in + *mingw*) + AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) + AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) + ;; + *) + AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"]) + AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"]) + ;; + esac + AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"]) + AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"]) + ] +); + dnl Checks for libraries. dnl Checks for header files. dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies. AC_HEADER_STDC -AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h]) +AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h]) AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h], [], [], [#include "src/have.h"] ) -AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h], +AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h], [], [], [#include "src/have.h"] ) AC_CHECK_HEADERS([netinet/tcp.h netinet/ip_icmp.h netinet/icmp6.h], @@ -179,6 +202,11 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo], [], [], [#include "src/have.h"] ) +AC_CHECK_DECLS([res_init], [], [], [ + #include + #include +]) + AC_CACHE_SAVE dnl These are defined in files in m4/ @@ -187,9 +215,9 @@ tinc_ZLIB tinc_LZO tinc_OPENSSL -dnl Check if support for jumbograms is requested +dnl Check if support for jumbograms is requested AC_ARG_ENABLE(jumbograms, - AS_HELP_STRING([--disable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]), + AS_HELP_STRING([--enable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]), [ AS_IF([test "x$enable_jumbograms" = "xyes"], [ AC_DEFINE(ENABLE_JUMBOGRAMS, 1, [Support for jumbograms (packets up to 9000 bytes)]) ]) ] diff --git a/doc/Makefile.in b/doc/Makefile.in index 4504226..dbee0d9 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.14 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -80,8 +80,10 @@ subdir = doc DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ - $(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ - $(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d diff --git a/doc/sample-config.tar.gz b/doc/sample-config.tar.gz index cd111db..e6875ef 100644 Binary files a/doc/sample-config.tar.gz and b/doc/sample-config.tar.gz differ diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index 365a3e3..0548628 100644 --- a/doc/tinc.conf.5.in +++ b/doc/tinc.conf.5.in @@ -1,4 +1,4 @@ -.Dd 2010-01-16 +.Dd 2014-05-11 .Dt TINC.CONF 5 .\" Manual page created by: .\" Ivo Timmermans @@ -416,7 +416,7 @@ and are available. .El .It Va ReplayWindow Li = Ar bytes Pq 16 -vhis is the size of the replay tracking window for each remote node, in bytes. +This is the size of the replay tracking window for each remote node, in bytes. The window is a bitfield which tracks 1 packet per bit, so for example the default setting of 16 will track up to 128 packets in the window. In high bandwidth scenarios, setting this to a higher value can reduce packet loss from @@ -428,7 +428,8 @@ traffic. When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ -directory. +directory. Subnets learned via connections to other nodes and which are not +present in the local host config files are ignored. .It Va TunnelServer Li = yes | no Po no Pc Bq experimental When this option is enabled tinc will no longer forward information between other tinc daemons, and will only allow connections with nodes for which host config files are present in the local @@ -631,6 +632,8 @@ The top directory for configuration files. .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf The default name of the server configuration file for net .Ar NETNAME . +.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/ +Optional directory from which any *.conf file will be loaded .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ Host configuration files are kept in this directory. .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up diff --git a/doc/tinc.info b/doc/tinc.info index 4ba5b49..f4370c0 100644 --- a/doc/tinc.info +++ b/doc/tinc.info @@ -1,14 +1,14 @@ -This is tinc.info, produced by makeinfo version 5.1 from tinc.texi. +This is tinc.info, produced by makeinfo version 5.2 from tinc.texi. INFO-DIR-SECTION Networking tools START-INFO-DIR-ENTRY * tinc: (tinc). The tinc Manual. END-INFO-DIR-ENTRY -This is the info manual for tinc version 1.0.22, a Virtual Private +This is the info manual for tinc version 1.0.23, a Virtual Private Network daemon. - Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen + Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and Wessel Dankers . Permission is granted to make and distribute verbatim copies of this @@ -649,6 +649,9 @@ The actual configuration of the daemon is done in the file '/etc/tinc/NETNAME/tinc.conf' and at least one other file in the directory '/etc/tinc/NETNAME/hosts/'. + An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from +which any .conf file will be read. + These file consists of comments (lines started with a #) or assignments in the form of @@ -1011,7 +1014,9 @@ ReplayWindow = (16) StrictSubnets = (no) [experimental] When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local - '/etc/tinc/NETNAME/hosts/' directory. + '/etc/tinc/NETNAME/hosts/' directory. Subnets learned via + connections to other nodes and which are not present in the local + host config files are ignored. TunnelServer = (no) [experimental] When this option is enabled tinc will no longer forward information @@ -1040,7 +1045,9 @@ Address = [] [recommended] This variable is only required if you want to connect to this host. It must resolve to the external IP address where the host can be reached, not the one that is internal to the VPN. If no port is - specified, the default Port is used. + specified, the default Port is used. Multiple Address variables + can be specified, in which case each address will be tried until a + working connection has been established. Cipher = (blowfish) The symmetric cipher algorithm used to encrypt UDP packets. Any @@ -2424,16 +2431,16 @@ Concept Index * CHAL_REPLY: Authentication protocol. (line 10) * CIDR notation: Host configuration variables. - (line 91) + (line 93) * Cipher: Host configuration variables. - (line 12) + (line 14) * ClampMSS: Host configuration variables. - (line 18) + (line 20) * client: How connections work. (line 18) * command line: Runtime options. (line 9) * Compression: Host configuration variables. - (line 24) + (line 26) * connection: The connection. (line 6) * ConnectTo: Main configuration variables. (line 53) @@ -2452,7 +2459,7 @@ Concept Index * DeviceType: Main configuration variables. (line 80) * Digest: Host configuration variables. - (line 29) + (line 31) * DirectOnly: Main configuration variables. (line 145) * dummy: Main configuration variables. @@ -2481,7 +2488,7 @@ Concept Index * IffOneQueue: Main configuration variables. (line 191) * IndirectData: Host configuration variables. - (line 34) + (line 36) * Interface: Main configuration variables. (line 194) * INTERFACE: Scripts. (line 56) @@ -2498,7 +2505,7 @@ Concept Index * MACExpire: Main configuration variables. (line 219) * MACLength: Host configuration variables. - (line 42) + (line 44) * MaxTimeout: Main configuration variables. (line 224) * meta-protocol: The meta-connection. (line 18) @@ -2521,7 +2528,7 @@ Concept Index * OpenSSL: OpenSSL. (line 6) * options: Runtime options. (line 9) * PEM format: Host configuration variables. - (line 67) + (line 69) * PING: The meta-protocol. (line 88) * PingInterval: Main configuration variables. (line 266) @@ -2529,12 +2536,12 @@ Concept Index (line 270) * platforms: Supported platforms. (line 6) * PMTU: Host configuration variables. - (line 47) + (line 49) * PMTUDiscovery: Host configuration variables. - (line 50) + (line 52) * PONG: The meta-protocol. (line 88) * Port: Host configuration variables. - (line 55) + (line 57) * port numbers: Other files. (line 17) * PriorityInheritance: Main configuration variables. (line 276) @@ -2549,9 +2556,9 @@ Concept Index * Proxy: Main configuration variables. (line 297) * PublicKey: Host configuration variables. - (line 59) + (line 61) * PublicKeyFile: Host configuration variables. - (line 62) + (line 64) * raw_socket: Main configuration variables. (line 92) * release: Supported platforms. (line 14) @@ -2576,16 +2583,16 @@ Concept Index * StrictSubnets: Main configuration variables. (line 331) * Subnet: Host configuration variables. - (line 74) + (line 76) * SUBNET: Scripts. (line 72) * Subnet weight: Host configuration variables. - (line 96) + (line 98) * SVPN: Security. (line 11) * switch: Main configuration variables. (line 239) * TCP: The meta-connection. (line 10) * TCPonly: Host configuration variables. - (line 103) + (line 105) * tinc: Introduction. (line 6) * TINC: Security. (line 6) * tinc-down: Scripts. (line 18) @@ -2596,16 +2603,16 @@ Concept Index * tunifhead: Main configuration variables. (line 134) * TunnelServer: Main configuration variables. - (line 336) + (line 338) * tunnohead: Main configuration variables. (line 128) * UDP: The UDP tunnel. (line 30) * UDP <1>: Encryption of network packets. (line 12) * UDPRcvBuf: Main configuration variables. - (line 343) + (line 345) * UDPSndBuf: Main configuration variables. - (line 348) + (line 350) * UML: Main configuration variables. (line 110) * Universal tun/tap: Configuration of Linux kernels. @@ -2656,35 +2663,35 @@ Node: Configuration introduction20366 Node: Multiple networks21634 Node: How connections work23059 Node: Configuration files24281 -Node: Main configuration variables25669 -Node: Host configuration variables41635 -Node: Scripts46990 -Node: How to configure49753 -Node: Generating keypairs51010 -Node: Network interfaces51509 -Node: Example configuration53357 -Node: Running tinc58682 -Node: Runtime options59272 -Node: Signals62574 -Node: Debug levels63765 -Node: Solving problems64701 -Node: Error messages66253 -Node: Sending bug reports70262 -Node: Technical information71209 -Node: The connection71440 -Node: The UDP tunnel71752 -Node: The meta-connection74815 -Node: The meta-protocol76284 -Node: Security81301 -Node: Authentication protocol82434 -Node: Encryption of network packets87451 -Node: Security issues88827 -Node: Platform specific information90454 -Node: Interface configuration90682 -Node: Routes93135 -Node: About us95052 -Node: Contact information95227 -Node: Authors95631 -Node: Concept Index96036 +Node: Main configuration variables25776 +Node: Host configuration variables41870 +Node: Scripts47371 +Node: How to configure50134 +Node: Generating keypairs51391 +Node: Network interfaces51890 +Node: Example configuration53738 +Node: Running tinc59063 +Node: Runtime options59653 +Node: Signals62955 +Node: Debug levels64146 +Node: Solving problems65082 +Node: Error messages66634 +Node: Sending bug reports70643 +Node: Technical information71590 +Node: The connection71821 +Node: The UDP tunnel72133 +Node: The meta-connection75196 +Node: The meta-protocol76665 +Node: Security81682 +Node: Authentication protocol82815 +Node: Encryption of network packets87832 +Node: Security issues89208 +Node: Platform specific information90835 +Node: Interface configuration91063 +Node: Routes93516 +Node: About us95433 +Node: Contact information95608 +Node: Authors96012 +Node: Concept Index96417  End Tag Table diff --git a/doc/tinc.texi b/doc/tinc.texi index b012cd9..8579002 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -15,7 +15,7 @@ This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2013 Ivo Timmermans, +Copyright @copyright{} 1998-2014 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -39,7 +39,7 @@ permission notice identical to this one. @vskip 0pt plus 1filll This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2013 Ivo Timmermans, +Copyright @copyright{} 1998-2014 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -718,6 +718,9 @@ The actual configuration of the daemon is done in the file @file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory @file{@value{sysconfdir}/tinc/@var{netname}/hosts/}. +An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which +any .conf file will be read. + These file consists of comments (lines started with a #) or assignments in the form of @@ -1102,6 +1105,8 @@ traffic. When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. +Subnets learned via connections to other nodes and which are not +present in the local host config files are ignored. @cindex TunnelServer @item TunnelServer = (no) [experimental] @@ -1134,6 +1139,8 @@ This variable is only required if you want to connect to this host. It must resolve to the external IP address where the host can be reached, not the one that is internal to the VPN. If no port is specified, the default Port is used. +Multiple Address variables can be specified, in which case each address will be +tried until a working connection has been established. @cindex Cipher @item Cipher = <@var{cipher}> (blowfish) diff --git a/doc/tincd.8.in b/doc/tincd.8.in index b117e8a..d200c48 100644 --- a/doc/tincd.8.in +++ b/doc/tincd.8.in @@ -1,4 +1,4 @@ -.Dd 2011-01-02 +.Dd 2014-05-11 .Dt TINCD 8 .\" Manual page created by: .\" Ivo Timmermans diff --git a/m4/Makefile.in b/m4/Makefile.in index 3b37f1b..866a7d4 100644 --- a/m4/Makefile.in +++ b/m4/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.14 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -81,8 +81,10 @@ subdir = m4 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ - $(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ - $(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 0000000..c3a8d69 --- /dev/null +++ b/m4/ax_check_compile_flag.m4 @@ -0,0 +1,72 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4 new file mode 100644 index 0000000..e2d0d36 --- /dev/null +++ b/m4/ax_check_link_flag.m4 @@ -0,0 +1,71 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the linker or gives an error. +# (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the linker's default flags +# when the check is done. The check is thus made with the flags: "LDFLAGS +# EXTRA-FLAGS FLAG". This can for example be used to force the linker to +# issue an error when a bad flag is given. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_CHECK_LINK_FLAG], +[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl +AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [ + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $4 $1" + AC_LINK_IFELSE([AC_LANG_PROGRAM()], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + LDFLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_LINK_FLAGS diff --git a/missing b/missing index cdea514..db98974 100755 --- a/missing +++ b/missing @@ -1,7 +1,7 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2012-06-26.16; # UTC +scriptversion=2013-10-28.13; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. @@ -160,7 +160,7 @@ give_advice () ;; autom4te*) echo "You might have modified some maintainer files that require" - echo "the 'automa4te' program to be rebuilt." + echo "the 'autom4te' program to be rebuilt." program_details 'autom4te' ;; bison*|yacc*) diff --git a/src/Makefile.in b/src/Makefile.in index aa402bf..96f170d 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.14 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -93,8 +93,10 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ - $(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ - $(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/ax_check_compile_flag.m4 \ + $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \ + $(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d diff --git a/src/avl_tree.c b/src/avl_tree.c index a8bf5d5..6b85516 100644 --- a/src/avl_tree.c +++ b/src/avl_tree.c @@ -2,7 +2,7 @@ avl_tree.c -- avl_ tree and linked list convenience Copyright (C) 1998 Michael H. Buselli 2000-2005 Ivo Timmermans, - 2000-2006 Guus Sliepen + 2000-2014 Guus Sliepen 2000-2005 Wessel Dankers This program is free software; you can redistribute it and/or modify @@ -168,14 +168,12 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node) child->right->parent = child; gchild->right = node; - if(gchild->right) - gchild->right->parent = gchild; + gchild->right->parent = gchild; gchild->left = child; - if(gchild->left) - gchild->left->parent = gchild; - *superparent = gchild; + gchild->left->parent = gchild; + *superparent = gchild; gchild->parent = parent; #ifdef AVL_COUNT node->count = AVL_CALC_COUNT(node); @@ -224,12 +222,10 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node) child->left->parent = child; gchild->left = node; - if(gchild->left) - gchild->left->parent = gchild; + gchild->left->parent = gchild; gchild->right = child; - if(gchild->right) - gchild->right->parent = gchild; + gchild->right->parent = gchild; *superparent = gchild; gchild->parent = parent; @@ -600,6 +596,8 @@ void avl_unlink_node(avl_tree_t *tree, avl_node_t *node) balnode = parent; } else { subst = node->prev; + if(!subst) // This only happens if node is not actually in a tree at all. + abort(); if(subst == left) { balnode = subst; diff --git a/src/conf.c b/src/conf.c index 0fc9d8f..99bf381 100644 --- a/src/conf.c +++ b/src/conf.c @@ -2,7 +2,7 @@ conf.c -- configuration code Copyright (C) 1998 Robert van der Meulen 1998-2005 Ivo Timmermans - 2000-2012 Guus Sliepen + 2000-2014 Guus Sliepen 2010-2011 Julien Muchembled 2000 Cris van Pelt @@ -378,6 +378,29 @@ bool read_server_config(void) { xasprintf(&fname, "%s/tinc.conf", confbase); x = read_config_file(config_tree, fname); + // We will try to read the conf files in the "conf.d" dir + if (x) { + char * dname; + xasprintf(&dname, "%s/conf.d", confbase); + DIR *dir = opendir (dname); + // If we can find this dir + if (dir) { + struct dirent *ep; + // We list all the files in it + while (x && (ep = readdir (dir))) { + size_t l = strlen(ep->d_name); + // And we try to read the ones that end with ".conf" + if (l > 5 && !strcmp(".conf", & ep->d_name[ l - 5 ])) { + free(fname); + xasprintf(&fname, "%s/%s", dname, ep->d_name); + x = read_config_file(config_tree, fname); + } + } + closedir (dir); + } + free(dname); + } + if(!x) { /* System error: complain */ logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno)); } diff --git a/src/graph.c b/src/graph.c index edea91b..8ffd70e 100644 --- a/src/graph.c +++ b/src/graph.c @@ -1,6 +1,6 @@ /* graph.c -- graph algorithms - Copyright (C) 2001-2013 Guus Sliepen , + Copyright (C) 2001-2014 Guus Sliepen , 2001-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify @@ -212,9 +212,13 @@ static void sssp_bfs(void) { && (!e->to->status.indirect || indirect)) continue; + // Only update nexthop the first time we visit this node. + + if(!e->to->status.visited) + e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop; + e->to->status.visited = true; e->to->status.indirect = indirect; - e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop; e->to->prevedge = e; e->to->via = indirect ? n->via : e->to; e->to->options = e->options; @@ -336,6 +340,7 @@ void dump_graph(void) { if(!file) { logger(LOG_ERR, "Unable to open graph dump file %s: %s", filename, strerror(errno)); + free(filename); free(tmpname); return; } @@ -363,7 +368,10 @@ void dump_graph(void) { #ifdef HAVE_MINGW unlink(filename); #endif - rename(tmpname, filename); + if(rename(tmpname, filename)) + logger(LOG_ERR, "Could not rename %s to %s: %s\n", tmpname, filename, strerror(errno)); free(tmpname); } + + free(filename); } diff --git a/src/have.h b/src/have.h index e00c7f7..bcd4612 100644 --- a/src/have.h +++ b/src/have.h @@ -1,7 +1,7 @@ /* have.h -- include headers which are known to exist Copyright (C) 1998-2005 Ivo Timmermans - 2003-2011 Guus Sliepen + 2003-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -38,6 +38,7 @@ #include #include #include +#include #ifdef HAVE_MINGW #include diff --git a/src/linux/device.c b/src/linux/device.c index d418aaf..66e790a 100644 --- a/src/linux/device.c +++ b/src/linux/device.c @@ -1,7 +1,7 @@ /* device.c -- Interaction with Linux ethertap and tun/tap device Copyright (C) 2001-2005 Ivo Timmermans, - 2001-2013 Guus Sliepen + 2001-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -107,17 +107,21 @@ static bool setup_device(void) { ifr.ifr_flags |= IFF_ONE_QUEUE; #endif - if(iface) + if(iface) { strncpy(ifr.ifr_name, iface, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ - 1] = 0; + } if(!ioctl(device_fd, TUNSETIFF, &ifr)) { strncpy(ifrname, ifr.ifr_name, IFNAMSIZ); - if(iface) free(iface); + ifrname[IFNAMSIZ - 1] = 0; + free(iface); iface = xstrdup(ifrname); } else if(!ioctl(device_fd, (('T' << 8) | 202), &ifr)) { logger(LOG_WARNING, "Old ioctl() request was needed for %s", device); strncpy(ifrname, ifr.ifr_name, IFNAMSIZ); - if(iface) free(iface); + ifrname[IFNAMSIZ - 1] = 0; + free(iface); iface = xstrdup(ifrname); } else #endif @@ -126,8 +130,7 @@ static bool setup_device(void) { overwrite_mac = true; device_info = "Linux ethertap device"; device_type = DEVICE_TYPE_ETHERTAP; - if(iface) - free(iface); + free(iface); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device); } diff --git a/src/meta.c b/src/meta.c index 4077029..e62c3b7 100644 --- a/src/meta.c +++ b/src/meta.c @@ -1,6 +1,6 @@ /* meta.c -- handle the meta communication - Copyright (C) 2000-2013 Guus Sliepen , + Copyright (C) 2000-2014 Guus Sliepen , 2000-2005 Ivo Timmermans 2006 Scott Lamb @@ -180,7 +180,7 @@ bool receive_meta(connection_t *c) { if(!c->node) { if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) { if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) { - logger(LOG_DEBUG, "Proxy request granted"); + ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted"); } else { logger(LOG_ERR, "Proxy request rejected"); return false; @@ -199,9 +199,9 @@ bool receive_meta(connection_t *c) { return false; } if(c->buffer[3] == 0) { - logger(LOG_DEBUG, "Proxy request granted"); + ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted"); } else { - logger(LOG_DEBUG, "Proxy request rejected"); + logger(LOG_ERR, "Proxy request rejected"); return false; } } else { diff --git a/src/mingw/device.c b/src/mingw/device.c index 56203d4..235e0fd 100644 --- a/src/mingw/device.c +++ b/src/mingw/device.c @@ -1,7 +1,7 @@ /* device.c -- Interaction with Windows tap driver in a MinGW environment Copyright (C) 2002-2005 Ivo Timmermans, - 2002-2013 Guus Sliepen + 2002-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -49,6 +49,7 @@ static DWORD WINAPI tapreader(void *bla) { DWORD len; OVERLAPPED overlapped; vpn_packet_t packet; + int errors = 0; logger(LOG_DEBUG, "Tap reader running"); @@ -71,16 +72,27 @@ static DWORD WINAPI tapreader(void *bla) { } else { logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno)); - return -1; + errors++; + if(errors >= 10) { + EnterCriticalSection(&mutex); + running = false; + LeaveCriticalSection(&mutex); + } + usleep(1000000); + continue; } } - EnterCriticalSection(&mutex); + errors = 0; packet.len = len; packet.priority = 0; + + EnterCriticalSection(&mutex); route(myself, &packet); LeaveCriticalSection(&mutex); } + + return 0; } static bool setup_device(void) { diff --git a/src/multicast_device.c b/src/multicast_device.c index 99fafcc..ea43e2c 100644 --- a/src/multicast_device.c +++ b/src/multicast_device.c @@ -1,7 +1,7 @@ /* device.c -- multicast socket Copyright (C) 2002-2005 Ivo Timmermans, - 2002-2013 Guus Sliepen + 2002-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -56,6 +56,7 @@ static bool setup_device(void) { space = strchr(host, ' '); if(!space) { logger(LOG_ERR, "Port number required for %s", device_info); + free(host); return false; } @@ -75,6 +76,7 @@ static bool setup_device(void) { device_fd = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP); if(device_fd < 0) { logger(LOG_ERR, "Creating socket failed: %s", sockstrerror(sockerrno)); + free(host); return false; } @@ -88,6 +90,7 @@ static bool setup_device(void) { if(bind(device_fd, ai->ai_addr, ai->ai_addrlen)) { closesocket(device_fd); logger(LOG_ERR, "Can't bind to %s %s: %s", host, port, sockstrerror(sockerrno)); + free(host); return false; } @@ -102,6 +105,7 @@ static bool setup_device(void) { if(setsockopt(device_fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof mreq)) { logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno)); closesocket(device_fd); + free(host); return false; } #ifdef IP_MULTICAST_LOOP @@ -123,6 +127,7 @@ static bool setup_device(void) { if(setsockopt(device_fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, (void *)&mreq, sizeof mreq)) { logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno)); closesocket(device_fd); + free(host); return false; } #ifdef IPV6_MULTICAST_LOOP @@ -135,11 +140,13 @@ static bool setup_device(void) { #endif default: - logger(LOG_ERR, "Multicast for address family %hx unsupported", ai->ai_family); + logger(LOG_ERR, "Multicast for address family %x unsupported", ai->ai_family); closesocket(device_fd); + free(host); return false; } + free(host); logger(LOG_INFO, "%s is a %s", device, device_info); return true; diff --git a/src/net.c b/src/net.c index c5e5707..8d0a0cf 100644 --- a/src/net.c +++ b/src/net.c @@ -1,7 +1,7 @@ /* net.c -- most of the network code Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2012 Guus Sliepen + 2000-2014 Guus Sliepen 2006 Scott Lamb 2011 Loïc Grenié @@ -41,6 +41,14 @@ #include "subnet.h" #include "xalloc.h" +#ifdef HAVE_ARPA_NAMESER_H +#include +#endif + +#ifdef HAVE_RESOLV_H +#include +#endif + bool do_purge = false; volatile bool running = false; #ifdef HAVE_PSELECT @@ -182,6 +190,12 @@ void terminate_connection(connection_t *c, bool report) { closesocket(c->socket); if(c->edge) { + if(!c->node) { + logger(LOG_ERR, "Connection to %s (%s) has an edge but node is NULL!", c->name, c->hostname); + // And that should never happen. + abort(); + } + if(report && !tunnelserver) send_del_edge(everyone, c->edge); @@ -494,6 +508,9 @@ int main_loop(void) { avl_node_t *node; logger(LOG_INFO, "Flushing event queue"); expire_events(); +#if HAVE_DECL_RES_INIT + res_init(); +#endif for(node = connection_tree->head; node; node = node->next) { connection_t *c = node->data; if(c->status.active) diff --git a/src/net_packet.c b/src/net_packet.c index 81d0572..d11d58a 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -1,7 +1,7 @@ /* net_packet.c -- Handles in- and outgoing VPN packets Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen 2010 Timothy Redaelli 2010 Brandon Black @@ -269,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) { HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); - return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); + return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); } static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { @@ -302,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); - if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { + if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", n->name, n->hostname); return; @@ -664,7 +664,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { avl_node_t *node; edge_t *e; node_t *n = NULL; - bool hard = false; static time_t last_hard_try = 0; for(node = edge_weight_tree->head; node; node = node->next) { @@ -673,11 +672,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { if(e->to == myself) continue; - if(sockaddrcmp_noport(from, &e->address)) { - if(last_hard_try == now) - continue; - hard = true; - } + if(last_hard_try == now && sockaddrcmp_noport(from, &e->address)) + continue; if(!try_mac(e->to, pkt)) continue; @@ -686,9 +682,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) { break; } - if(hard) - last_hard_try = now; - last_hard_try = now; return n; } diff --git a/src/net_setup.c b/src/net_setup.c index e1d9f27..fa4e986 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -1,7 +1,7 @@ /* net_setup.c -- Setup. Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen 2006 Scott Lamb 2010 Brandon Black @@ -165,23 +165,25 @@ static bool read_rsa_private_key(void) { char *fname, *key, *pubkey; if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { - if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { - logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); - return false; - } myself->connection->rsa_key = RSA_new(); // RSA_blinding_on(myself->connection->rsa_key, NULL); if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) { logger(LOG_ERR, "Invalid PrivateKey for myself!"); + free(key); + return false; + } + free(key); + if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) { + logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); return false; } if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) { logger(LOG_ERR, "Invalid PublicKey for myself!"); + free(pubkey); return false; } - BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); - free(key); free(pubkey); + BN_hex2bn(&myself->connection->rsa_key->e, "FFFF"); return true; } @@ -200,15 +202,12 @@ static bool read_rsa_private_key(void) { #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN) struct stat s; - if(fstat(fileno(fp), &s)) { - logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'", - fname, strerror(errno)); - free(fname); - return false; + if(!fstat(fileno(fp), &s)) { + if(s.st_mode & ~0100700) + logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname); + } else { + logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno)); } - - if(s.st_mode & ~0100700) - logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname); #endif myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); @@ -299,10 +298,12 @@ char *get_name(void) { if(!envname) { if(strcmp(name + 1, "HOST")) { fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1); + free(name); return false; } if(gethostname(hostname, sizeof hostname) || !*hostname) { fprintf(stderr, "Could not get hostname: %s\n", strerror(errno)); + free(name); return false; } hostname[31] = 0; @@ -340,6 +341,7 @@ static bool setup_myself(void) { bool choice; int i, err; int replaywin_int; + bool port_specified = false; myself = new_node(); myself->connection = new_connection(); @@ -355,6 +357,8 @@ static bool setup_myself(void) { return false; } + /* Read tinc.conf and our own host config file */ + myself->name = name; myself->connection->name = xstrdup(name); xasprintf(&fname, "%s/hosts/%s", confbase, name); @@ -367,6 +371,10 @@ static bool setup_myself(void) { if(!get_config_string(lookup_config(config_tree, "Port"), &myport)) myport = xstrdup("655"); + else + port_specified = true; + + /* Ensure myport is numeric */ if(!atoi(myport)) { struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM); @@ -378,8 +386,7 @@ static bool setup_myself(void) { sockaddr2str(&sa, NULL, &myport); } - get_config_string(lookup_config(config_tree, "Proxy"), &proxy); - if(proxy) { + if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) { if((space = strchr(proxy, ' '))) *space++ = 0; @@ -397,6 +404,7 @@ static bool setup_myself(void) { proxytype = PROXY_EXEC; } else { logger(LOG_ERR, "Unknown proxy type %s!", proxy); + free(proxy); return false; } @@ -408,6 +416,7 @@ static bool setup_myself(void) { case PROXY_EXEC: if(!space || !*space) { logger(LOG_ERR, "Argument expected for proxy type exec!"); + free(proxy); return false; } proxyhost = xstrdup(space); @@ -426,6 +435,7 @@ static bool setup_myself(void) { *space++ = 0, proxypass = space; if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) { logger(LOG_ERR, "Host and port argument expected for proxy!"); + free(proxy); return false; } proxyhost = xstrdup(proxyhost); @@ -479,6 +489,7 @@ static bool setup_myself(void) { routing_mode = RMODE_HUB; else { logger(LOG_ERR, "Invalid routing mode!"); + free(mode); return false; } free(mode); @@ -493,6 +504,7 @@ static bool setup_myself(void) { forwarding_mode = FMODE_KERNEL; else { logger(LOG_ERR, "Invalid forwarding mode!"); + free(mode); return false; } free(mode); @@ -519,6 +531,7 @@ static bool setup_myself(void) { broadcast_mode = BMODE_DIRECT; else { logger(LOG_ERR, "Invalid broadcast mode!"); + free(mode); return false; } free(mode); @@ -571,6 +584,7 @@ static bool setup_myself(void) { addressfamily = AF_UNSPEC; else { logger(LOG_ERR, "Invalid address family!"); + free(afname); return false; } free(afname); @@ -580,8 +594,7 @@ static bool setup_myself(void) { /* Generate packet encryption key */ - if(get_config_string - (lookup_config(config_tree, "Cipher"), &cipher)) { + if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) { if(!strcasecmp(cipher, "none")) { myself->incipher = NULL; } else { @@ -589,9 +602,11 @@ static bool setup_myself(void) { if(!myself->incipher) { logger(LOG_ERR, "Unrecognized cipher type!"); + free(cipher); return false; } } + free(cipher); } else myself->incipher = EVP_bf_cbc(); @@ -617,9 +632,12 @@ static bool setup_myself(void) { if(!myself->indigest) { logger(LOG_ERR, "Unrecognized digest type!"); + free(digest); return false; } } + + free(digest); } else myself->indigest = EVP_sha1(); @@ -683,6 +701,7 @@ static bool setup_myself(void) { else if(!strcasecmp(type, "vde")) devops = vde_devops; #endif + free(type); } if(!devops.setup()) @@ -812,13 +831,27 @@ static bool setup_myself(void) { } while(cfg); } - if(listen_sockets) - logger(LOG_NOTICE, "Ready"); - else { + if(!listen_sockets) { logger(LOG_ERR, "Unable to create any listening socket!"); return false; } + /* If no Port option was specified, set myport to the port used by the first listening socket. */ + + if(!port_specified) { + sockaddr_t sa; + socklen_t salen = sizeof sa; + if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) { + free(myport); + sockaddr2str(&sa, NULL, &myport); + if(!myport) + myport = xstrdup("655"); + } + } + + /* Done. */ + + logger(LOG_NOTICE, "Ready"); return true; } diff --git a/src/net_socket.c b/src/net_socket.c index 48e0783..9a67bb3 100644 --- a/src/net_socket.c +++ b/src/net_socket.c @@ -1,7 +1,7 @@ /* net_socket.c -- Handle various kinds of sockets. Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen 2006 Scott Lamb 2009 Florian Forster @@ -87,20 +87,21 @@ static bool bind_to_interface(int sd) { int status; #endif /* defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) */ - if(!get_config_string (lookup_config (config_tree, "BindToInterface"), &iface)) + if(!get_config_string(lookup_config (config_tree, "BindToInterface"), &iface)) return true; #if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0; + free(iface); status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)); if(status) { - logger(LOG_ERR, "Can't bind to interface %s: %s", iface, - strerror(errno)); + logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno)); return false; } + #else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */ logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface"); #endif @@ -135,20 +136,21 @@ int setup_listen_socket(const sockaddr_t *sa) { setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option); #endif - if(get_config_string - (lookup_config(config_tree, "BindToInterface"), &iface)) { + if(get_config_string(lookup_config(config_tree, "BindToInterface"), &iface)) { #if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); + ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0; + free(iface); if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) { closesocket(nfd); - logger(LOG_ERR, "Can't bind to interface %s: %s", iface, - strerror(sockerrno)); + logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(sockerrno)); return -1; } + #else logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface"); #endif @@ -238,8 +240,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) { option = 1; setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option)); } -#else -#warning No way to disable IPv4 fragmentation #endif #if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO) @@ -252,8 +252,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) { option = 1; setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option)); } -#else -#warning No way to disable IPv6 fragmentation #endif if (!bind_to_interface(nfd)) { @@ -311,7 +309,7 @@ static void do_outgoing_pipe(connection_t *c, char *command) { if(fork()) { c->socket = fd[0]; close(fd[1]); - logger(LOG_DEBUG, "Using proxy %s", command); + ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Using proxy %s", command); return; } @@ -407,7 +405,6 @@ begin: if(!proxytype) { c->socket = socket(c->address.sa.sa_family, SOCK_STREAM, IPPROTO_TCP); - configure_tcp(c); } else if(proxytype == PROXY_EXEC) { do_outgoing_pipe(c, proxyhost); } else { @@ -416,7 +413,6 @@ begin: goto begin; ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport); c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP); - configure_tcp(c); } if(c->socket == -1) { @@ -424,6 +420,9 @@ begin: goto begin; } + if(proxytype != PROXY_EXEC) + configure_tcp(c); + #ifdef FD_CLOEXEC fcntl(c->socket, F_SETFD, FD_CLOEXEC); #endif diff --git a/src/pidfile.c b/src/pidfile.c index 6e24d5f..232c2c4 100644 --- a/src/pidfile.c +++ b/src/pidfile.c @@ -46,7 +46,7 @@ pid_t read_pid (const char *pidfile) if(fscanf(f,"%20ld", &pid) != 1) pid = 0; fclose(f); - return pid; + return (pid_t)pid; } /* check_pid diff --git a/src/protocol_auth.c b/src/protocol_auth.c index a7a6fe0..971341f 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -107,7 +107,7 @@ static bool send_proxyrequest(connection_t *c) { i += 2; c->tcplen += 22; } else { - logger(LOG_ERR, "Address family %hx not supported for SOCKS 5 proxies!", c->address.sa.sa_family); + logger(LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family); return false; } if(i > len) @@ -215,7 +215,12 @@ bool send_metakey(connection_t *c) { /* Copy random data to the buffer */ - RAND_pseudo_bytes((unsigned char *)c->outkey, len); + if (1 != RAND_bytes((unsigned char *)c->outkey, len)) { + int err = ERR_get_error(); + logger(LOG_ERR, "Failed to generate meta key (%s)", ERR_error_string(err, NULL)); + return false; + } + /* The message we send must be smaller than the modulus of the RSA key. By definition, for a key of k bits, the following formula holds: @@ -391,7 +396,11 @@ bool send_challenge(connection_t *c) { /* Copy random data to the buffer */ - RAND_pseudo_bytes((unsigned char *)c->hischallenge, len); + if (1 != RAND_bytes((unsigned char *)c->hischallenge, len)) { + int err = ERR_get_error(); + logger(LOG_ERR, "Failed to generate challenge (%s)", ERR_error_string(err, NULL)); + return false; // Do not send predictable challenges, let connection attempt fail. + } /* Convert to hex */ diff --git a/src/protocol_key.c b/src/protocol_key.c index f2f317d..301ead5 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -1,7 +1,7 @@ /* protocol_key.c -- handle the meta-protocol, key exchange Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2012 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) { /* Check if this key request is for us */ if(to == myself) { /* Yes, send our own key back */ - send_ans_key(from); + if (!send_ans_key(from)) + return false; } else { if(tunnelserver) return true; @@ -156,7 +157,12 @@ bool send_ans_key(node_t *to) { to->inkey = xrealloc(to->inkey, to->inkeylength); // Create a new key - RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength); + if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) { + int err = ERR_get_error(); + logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL)); + return false; // Do not send insecure keys, let connection attempt fail. + } + if(to->incipher) EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); diff --git a/src/raw_socket_device.c b/src/raw_socket_device.c index 1dd726f..427fb3f 100644 --- a/src/raw_socket_device.c +++ b/src/raw_socket_device.c @@ -1,7 +1,7 @@ /* device.c -- raw socket Copyright (C) 2002-2005 Ivo Timmermans, - 2002-2012 Guus Sliepen + 2002-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -32,7 +32,7 @@ #include "route.h" #include "xalloc.h" -#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) +#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) && defined(SIOCGIFINDEX) static char *device_info; static uint64_t device_total_in = 0; @@ -62,20 +62,21 @@ static bool setup_device(void) { memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); + ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0; + if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) { close(device_fd); - logger(LOG_ERR, "Can't find interface %s: %s", iface, - strerror(errno)); + logger(LOG_ERR, "Can't find interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno)); return false; } - memset(&sa, '0', sizeof(sa)); + memset(&sa, 0, sizeof(sa)); sa.sll_family = AF_PACKET; sa.sll_protocol = htons(ETH_P_ALL); sa.sll_ifindex = ifr.ifr_ifindex; if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) { - logger(LOG_ERR, "Could not bind %s to %s: %s", device, iface, strerror(errno)); + logger(LOG_ERR, "Could not bind %s to %s: %s", device, ifr.ifr_ifrn.ifrn_name, strerror(errno)); return false; } diff --git a/src/route.c b/src/route.c index e196f44..c11267b 100644 --- a/src/route.c +++ b/src/route.c @@ -1,7 +1,7 @@ /* route.c -- routing Copyright (C) 2000-2005 Ivo Timmermans, - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -197,7 +197,7 @@ static void learn_mac(mac_t *address) { /* If we don't know this MAC address yet, store it */ if(!subnet) { - ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx", + ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x", address->x[0], address->x[1], address->x[2], address->x[3], address->x[4], address->x[5]); diff --git a/src/solaris/device.c b/src/solaris/device.c index 77a4361..af771ba 100644 --- a/src/solaris/device.c +++ b/src/solaris/device.c @@ -1,7 +1,8 @@ /* device.c -- Interaction with Solaris tun device Copyright (C) 2001-2005 Ivo Timmermans, - 2001-2012 Guus Sliepen + 2002-2010 OpenVPN Technologies, Inc. + 2001-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -18,98 +19,258 @@ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + #include "../system.h" #include #include -#include #include "../conf.h" #include "../device.h" #include "../logger.h" #include "../net.h" +#include "../route.h" #include "../utils.h" #include "../xalloc.h" -#define DEFAULT_DEVICE "/dev/tun" +#ifndef TUNNEWPPA +#warning Missing net/if_tun.h, using hardcoded value for TUNNEWPPA +#define TUNNEWPPA (('T'<<16) | 0x0001) +#endif + +#define DEFAULT_TUN_DEVICE "/dev/tun" +#define DEFAULT_TAP_DEVICE "/dev/tap" + +static enum { + DEVICE_TYPE_TUN, + DEVICE_TYPE_TAP, +} device_type = DEVICE_TYPE_TUN; int device_fd = -1; -static int ip_fd = -1, if_fd = -1; +static int if_fd = -1; +static int ip_fd = -1; char *device = NULL; char *iface = NULL; static char *device_info = NULL; -static uint64_t device_total_in = 0; -static uint64_t device_total_out = 0; +uint64_t device_total_in = 0; +uint64_t device_total_out = 0; static bool setup_device(void) { - int ppa; - char *ptr; + char *type; - if(!get_config_string(lookup_config(config_tree, "Device"), &device)) - device = xstrdup(DEFAULT_DEVICE); - - if((device_fd = open(device, O_RDWR | O_NONBLOCK)) < 0) { - logger(LOG_ERR, "Could not open %s: %s", device, strerror(errno)); - return false; + if(!get_config_string(lookup_config(config_tree, "Device"), &device)) { + if(routing_mode == RMODE_ROUTER) + device = xstrdup(DEFAULT_TUN_DEVICE); + else + device = xstrdup(DEFAULT_TAP_DEVICE); } -#ifdef FD_CLOEXEC - fcntl(device_fd, F_SETFD, FD_CLOEXEC); -#endif + if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) { + if(!strcasecmp(type, "tun")) + /* use default */; + else if(!strcasecmp(type, "tap")) + device_type = DEVICE_TYPE_TAP; + else { + logger(LOG_ERR, "Unknown device type %s!", type); + return false; + } + } else { + if(strstr(device, "tap") || routing_mode != RMODE_ROUTER) + device_type = DEVICE_TYPE_TAP; + } - ppa = 0; + if(device_type == DEVICE_TYPE_TUN) + device_info = "Solaris tun device"; + else + device_info = "Solaris tap device"; - ptr = device; - while(*ptr && !isdigit((int) *ptr)) - ptr++; - ppa = atoi(ptr); + /* The following is black magic copied from OpenVPN. */ if((ip_fd = open("/dev/ip", O_RDWR, 0)) < 0) { - logger(LOG_ERR, "Could not open /dev/ip: %s", strerror(errno)); + logger(LOG_ERR, "Could not open %s: %s\n", "/dev/ip", strerror(errno)); return false; } -#ifdef FD_CLOEXEC - fcntl(ip_fd, F_SETFD, FD_CLOEXEC); -#endif + if((device_fd = open(device, O_RDWR, 0)) < 0) { + logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno)); + return false; + } + + /* Get unit number. */ + + char *ptr = device; + get_config_string(lookup_config(config_tree, "Interface"), &ptr); + + while(*ptr && !isdigit(*ptr)) + ptr++; + int ppa = atoi(ptr); /* Assign a new PPA and get its unit number. */ - if((ppa = ioctl(device_fd, TUNNEWPPA, ppa)) < 0) { - logger(LOG_ERR, "Can't assign new interface: %s", strerror(errno)); - return false; + + struct strioctl strioc_ppa = { + .ic_cmd = TUNNEWPPA, + .ic_len = sizeof ppa, + .ic_dp = (char *)&ppa, + }; + + if(!*ptr) { /* no number given, try dynamic */ + bool found = false; + while(!found && ppa < 64) { + int new_ppa = ioctl(device_fd, I_STR, &strioc_ppa); + if(new_ppa >= 0) { + ppa = new_ppa; + found = true; + break; + } + ppa++; + } + if(!found) { + logger(LOG_ERR, "Could not find free PPA for %s %s!", device_info, device); + return false; + } + } else { /* try this particular one */ + if((ppa = ioctl(device_fd, I_STR, &strioc_ppa)) < 0) { + logger(LOG_ERR, "Could not assign PPA %d for %s %s!", ppa, device_info, device); + return false; + } } if((if_fd = open(device, O_RDWR, 0)) < 0) { - logger(LOG_ERR, "Could not open %s twice: %s", device, - strerror(errno)); + logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno)); return false; } -#ifdef FD_CLOEXEC - fcntl(if_fd, F_SETFD, FD_CLOEXEC); -#endif - if(ioctl(if_fd, I_PUSH, "ip") < 0) { - logger(LOG_ERR, "Can't push IP module: %s", strerror(errno)); + logger(LOG_ERR, "Could not push IP module onto %s %s!", device_info, device); return false; } - /* Assign ppa according to the unit number returned by tun device */ - if(ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0) { - logger(LOG_ERR, "Can't set PPA %d: %s", ppa, strerror(errno)); + xasprintf(&iface, "%s%d", device_type == DEVICE_TYPE_TUN ? "tun" : "tap", ppa); + + { + /* Remove muxes just in case they are left over from a crashed tincd */ + struct lifreq ifr = {}; + strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name); + if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) { + int muxid = ifr.lifr_arp_muxid; + ioctl(ip_fd, I_PUNLINK, muxid); + muxid = ifr.lifr_ip_muxid; + ioctl(ip_fd, I_PUNLINK, muxid); + } + } + + if(device_type == DEVICE_TYPE_TUN) { + /* Assign ppa according to the unit number returned by tun device */ + if(ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) { + logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device); + return false; + } + } + + int arp_fd = -1; + + if(device_type == DEVICE_TYPE_TAP) { + struct lifreq ifr = {}; + + if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) { + logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device); + return false; + } + + strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name)); + ifr.lifr_ppa = ppa; + + /* Assign ppa according to the unit number returned by tun device */ + if(ioctl(if_fd, SIOCSLIFNAME, &ifr) < 0) { + logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device); + return false; + } + if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) { + logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device); + return false; + } + + /* Push arp module to if_fd */ + if(ioctl(if_fd, I_PUSH, "arp") < 0) { + logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device); + return false; + } + + /* Pop any modules on the stream */ + while(true) { + if(ioctl(ip_fd, I_POP, NULL) < 0) + break; + } + + /* Push arp module to ip_fd */ + if(ioctl(ip_fd, I_PUSH, "arp") < 0) { + logger(LOG_ERR, "Could not push ARP module onto %s!", "/dev/ip"); + return false; + } + + /* Open arp_fd */ + if((arp_fd = open(device, O_RDWR, 0)) < 0) { + logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno)); + return false; + } + + /* Push arp module to arp_fd */ + if(ioctl(arp_fd, I_PUSH, "arp") < 0) { + logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device); + return false; + } + + /* Set ifname to arp */ + struct strioctl strioc_if = { + .ic_cmd = SIOCSLIFNAME, + .ic_len = sizeof ifr, + .ic_dp = (char *)&ifr, + }; + + if(ioctl(arp_fd, I_STR, &strioc_if) < 0) { + logger(LOG_ERR, "Could not set ifname to %s %s", device_info, device); + return false; + } + } + + int ip_muxid, arp_muxid; + + if((ip_muxid = ioctl(ip_fd, I_PLINK, if_fd)) < 0) { + logger(LOG_ERR, "Could not link %s %s to IP", device_info, device); return false; } - if(ioctl(ip_fd, I_LINK, if_fd) < 0) { - logger(LOG_ERR, "Can't link TUN device to IP: %s", strerror(errno)); + if(device_type == DEVICE_TYPE_TAP) { + if((arp_muxid = ioctl(ip_fd, I_PLINK, arp_fd)) < 0) { + logger(LOG_ERR, "Could not link %s %s to ARP", device_info, device); + return false; + } + close(arp_fd); + } + + struct lifreq ifr = {}; + strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name)); + ifr.lifr_ip_muxid = ip_muxid; + if(device_type == DEVICE_TYPE_TAP) { + ifr.lifr_arp_muxid = arp_muxid; + } + + if(ioctl(ip_fd, SIOCSLIFMUXID, &ifr) < 0) { + if(device_type == DEVICE_TYPE_TAP) { + ioctl(ip_fd, I_PUNLINK, arp_muxid); + } + ioctl(ip_fd, I_PUNLINK, ip_muxid); + logger(LOG_ERR, "Could not set multiplexor id for %s %s", device_info, device); return false; } - if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) - xasprintf(&iface, "tun%d", ppa); + close(if_fd); - device_info = "Solaris tun device"; +#ifdef FD_CLOEXEC + fcntl(device_fd, F_SETFD, FD_CLOEXEC); + fcntl(ip_fd, F_SETFD, FD_CLOEXEC); +#endif logger(LOG_INFO, "%s is a %s", device, device_info); @@ -117,7 +278,17 @@ static bool setup_device(void) { } static void close_device(void) { - close(if_fd); + if(iface) { + struct lifreq ifr = {}; + strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name); + if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) { + int muxid = ifr.lifr_arp_muxid; + ioctl(ip_fd, I_PUNLINK, muxid); + muxid = ifr.lifr_ip_muxid; + ioctl(ip_fd, I_PUNLINK, muxid); + } + } + close(ip_fd); close(device_fd); @@ -126,49 +297,73 @@ static void close_device(void) { } static bool read_packet(vpn_packet_t *packet) { - int lenin; + int inlen; - if((lenin = read(device_fd, packet->data + 14, MTU - 14)) <= 0) { - logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, - device, strerror(errno)); - return false; - } + switch(device_type) { + case DEVICE_TYPE_TUN: + if((inlen = read(device_fd, packet->data + 14, MTU - 14)) <= 0) { + logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno)); + return false; + } - switch(packet->data[14] >> 4) { - case 4: - packet->data[12] = 0x08; - packet->data[13] = 0x00; + switch(packet->data[14] >> 4) { + case 4: + packet->data[12] = 0x08; + packet->data[13] = 0x00; + break; + case 6: + packet->data[12] = 0x86; + packet->data[13] = 0xDD; + break; + default: + ifdebug(TRAFFIC) logger(LOG_ERR, "Unknown IP version %d while reading packet from %s %s", packet->data[14] >> 4, device_info, device); + return false; + } + + memset(packet->data, 0, 12); + packet->len = inlen + 14; break; - case 6: - packet->data[12] = 0x86; - packet->data[13] = 0xDD; + + case DEVICE_TYPE_TAP: + if((inlen = read(device_fd, packet->data, MTU)) <= 0) { + logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno)); + return false; + } + + packet->len = inlen + 14; break; + default: - ifdebug(TRAFFIC) logger(LOG_ERR, - "Unknown IP version %d while reading packet from %s %s", - packet->data[14] >> 4, device_info, device); - return false; + abort(); } - memset(packet->data, 0, 12); - packet->len = lenin + 14; - device_total_in += packet->len; - ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, - device_info); + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, device_info); return true; } static bool write_packet(vpn_packet_t *packet) { - ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", - packet->len, device_info); + ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", packet->len, device_info); - if(write(device_fd, packet->data + 14, packet->len - 14) < 0) { - logger(LOG_ERR, "Can't write to %s %s: %s", device_info, - device, strerror(errno)); - return false; + switch(device_type) { + case DEVICE_TYPE_TUN: + if(write(device_fd, packet->data + 14, packet->len - 14) < 0) { + logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno)); + return false; + } + break; + + case DEVICE_TYPE_TAP: + if(write(device_fd, packet->data, packet->len) < 0) { + logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno)); + return false; + } + break; + + default: + abort(); } device_total_out += packet->len; diff --git a/src/subnet.c b/src/subnet.c index f8a3461..6e8ad07 100644 --- a/src/subnet.c +++ b/src/subnet.c @@ -1,6 +1,6 @@ /* subnet.c -- handle subnet lookups and lists - Copyright (C) 2000-2013 Guus Sliepen , + Copyright (C) 2000-2014 Guus Sliepen , 2000-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify @@ -351,7 +351,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) { switch (subnet->type) { case SUBNET_MAC: - snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx#%d", + snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d", subnet->net.mac.address.x[0], subnet->net.mac.address.x[1], subnet->net.mac.address.x[2], @@ -362,7 +362,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) { break; case SUBNET_IPV4: - snprintf(netstr, len, "%hu.%hu.%hu.%hu/%d#%d", + snprintf(netstr, len, "%u.%u.%u.%u/%d#%d", subnet->net.ipv4.address.x[0], subnet->net.ipv4.address.x[1], subnet->net.ipv4.address.x[2], @@ -372,7 +372,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) { break; case SUBNET_IPV6: - snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d", + snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d", ntohs(subnet->net.ipv6.address.x[0]), ntohs(subnet->net.ipv6.address.x[1]), ntohs(subnet->net.ipv6.address.x[2]), diff --git a/src/tincd.c b/src/tincd.c index 7416d11..b6a6c29 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd Copyright (C) 1998-2005 Ivo Timmermans - 2000-2013 Guus Sliepen + 2000-2014 Guus Sliepen 2008 Max Rijevski 2009 Michael Tokarev 2010 Julien Muchembled @@ -162,6 +162,11 @@ static bool parse_options(int argc, char **argv) { break; case 'c': /* config file */ + if(confbase) { + fprintf(stderr, "Only one configuration directory can be given.\n"); + usage(true); + return false; + } confbase = xstrdup(optarg); break; @@ -229,6 +234,11 @@ static bool parse_options(int argc, char **argv) { case 'n': /* net name given */ /* netname "." is special: a "top-level name" */ + if(netname) { + fprintf(stderr, "Only one netname can be given.\n"); + usage(true); + return false; + } netname = strcmp(optarg, ".") != 0 ? xstrdup(optarg) : NULL; break; @@ -281,11 +291,22 @@ static bool parse_options(int argc, char **argv) { use_logfile = true; if(!optarg && optind < argc && *argv[optind] != '-') optarg = argv[optind++]; - if(optarg) + if(optarg) { + if(logfilename) { + fprintf(stderr, "Only one logfile can be given.\n"); + usage(true); + return false; + } logfilename = xstrdup(optarg); + } break; case 5: /* write PID to a file */ + if(pidfilename) { + fprintf(stderr, "Only one pidfile can be given.\n"); + usage(true); + return false; + } pidfilename = xstrdup(optarg); break; @@ -350,7 +371,6 @@ static void indicator(int a, int b, void *p) { static bool keygen(int bits) { RSA *rsa_key; FILE *f; - char *name = get_name(); char *pubname, *privname; fprintf(stderr, "Generating %d bits keys:\n", bits); @@ -378,10 +398,14 @@ static bool keygen(int bits) { PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); fclose(f); - if(name) + char *name = get_name(); + + if(name) { xasprintf(&pubname, "%s/hosts/%s", confbase, name); - else + free(name); + } else { xasprintf(&pubname, "%s/rsa_key.pub", confbase); + } f = ask_and_open(pubname, "public RSA key"); free(pubname); @@ -392,7 +416,6 @@ static bool keygen(int bits) { fputc('\n', f); PEM_write_RSAPublicKey(f, rsa_key); fclose(f); - free(name); return true; } @@ -526,7 +549,7 @@ int main(int argc, char **argv) { if(show_version) { printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT); - printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n" + printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" diff --git a/src/utils.c b/src/utils.c index 3b221f5..555ea50 100644 --- a/src/utils.c +++ b/src/utils.c @@ -1,7 +1,7 @@ /* utils.c -- gathering of some stupid small functions Copyright (C) 1999-2005 Ivo Timmermans - 2000-2009 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -78,3 +78,18 @@ unsigned int bitfield_to_int(const void *bitfield, size_t size) { memcpy(&value, bitfield, size); return value; } + +/** + * As memcmp(), but constant-time. + * Returns 0 when data is equal, non-zero otherwise. + */ +int memcmp_constant_time (const void *a, const void *b, size_t size) { + const uint8_t *a1 = a, *b1 = b; + int ret = 0; + size_t i; + + for (i = 0; i < size; i++) + ret |= *a1++ ^ *b1++; + + return ret; +} diff --git a/src/utils.h b/src/utils.h index 2e4fcf8..4d447b1 100644 --- a/src/utils.h +++ b/src/utils.h @@ -1,7 +1,7 @@ /* utils.h -- header file for utils.c Copyright (C) 1999-2005 Ivo Timmermans - 2000-2009 Guus Sliepen + 2000-2014 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -42,4 +42,6 @@ extern const char *winerror(int); extern unsigned int bitfield_to_int(const void *bitfield, size_t size); +int memcmp_constant_time (const void *a, const void *b, size_t size); + #endif /* __TINC_UTILS_H__ */ diff --git a/src/xmalloc.c b/src/xmalloc.c index 1e40017..39dc03c 100644 --- a/src/xmalloc.c +++ b/src/xmalloc.c @@ -113,6 +113,9 @@ char *xstrdup(const char *s) { char *p; + if(!s) + return NULL; + p = strdup(s); if(!p) xalloc_fail ((int)strlen(s));