Import Upstream version 1.0.24

2019-08-26 13:44:45 +02:00 · 2019-08-26 13:44:45 +02:00 · 45b80e247e
commit 45b80e247e
parent 413f90b815
45 changed files with 1342 additions and 341 deletions
--- a/52
+++ b/52
@ -1,3 +1,55 @@
 Version 1.0.24                                               May 11 2014
 ------------------------------------------------------------------------
 Guus Sliepen (26):
      Mention in the manual that multiple Address staments are allowed.
      If no Port is specified, set myport to actual port of first listening socket.
      Enable compiler hardening flags by default.
      Update support for Solaris.
      Include <limits.h> for PATH_MAX.
      Stricter check for raw socket support.
      Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
      Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
      Don't enable -fstack-protector-all.
      Remove or lower the priority of some debug messages.
      Clarify StrictSubnets.
      Attribution for various contributors.
      Handle errors from TAP-Win32/64 adapter in a better way.
      Remove useless variable 'hard' from try_harder().
      Merge pull request #14 from luckyhacky/master
      Add an autoconf check for res_init().
      Nexthop calculation should always use the shortest path.
      Fix issues found by Coverity.
      Fix warnings found by GCC 4.9.
      Fix a few more issues found by Coverity.
      Fix a few more issues found by Coverity.
      Drop h and hh length modifiers from printf format strings.
      Fix a bug that could prevent tinc from starting correctly on Windows.
      FIx the autoconf checks for res_init().
      Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
      Releasing 1.0.24.
 Steffan Karger (3):
      Use constant time memcmp() when comparing packet HMACs.
      Use cryptographically strong random when generating keys.
      Check RAND_bytes() return value, fail when getting random fails.
 Florent Clairambault (2):
      Adding "conf.d" configuration dir support.
      Adding some documentation around the /etc/tinc/$NET/conf.d directory.
 Armin Fisslthaler (1):
      reload /etc/resolv.conf in SIGALRM handler
 Loic Dachary (1):
      fix documentation typo
 Vilbrekin (1):
      Update android build instructions. Disable PIE as this is not supported on some devices.
 luckyhacky (1):
      update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
 Version 1.0.23                                           October 19 2013
 ------------------------------------------------------------------------
--- a/4
+++ b/4
@ -12,8 +12,8 @@ without warranty of any kind.
 Basic Installation
 ==================
-   Briefly, the shell commands `./configure; make; make install' should
+   Briefly, the shell command `./configure && make && make install'
-configure, build, and install this package.  The following
+should configure, build, and install this package.  The following
 more-detailed instructions are generic; see the `README' file for
 instructions specific to this package.  Some packages provide this
 `INSTALL' file but do not implement all of the features documented
--- a/Makefile.in
+++ b/Makefile.in
@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -85,8 +85,10 @@ DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
 	config.sub depcomp install-sh missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
-	$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
+	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
-	$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
 	$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@ -592,9 +594,10 @@ distcheck: dist
 	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
 	  && am__cwd=`pwd` \
 	  && $(am__cd) $(distdir)/_build \
-	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+	  && ../configure \
 	    $(AM_DISTCHECK_CONFIGURE_FLAGS) \
 	    $(DISTCHECK_CONFIGURE_FLAGS) \
 	    --srcdir=.. --prefix="$$dc_install_base" \
 	  && $(MAKE) $(AM_MAKEFLAGS) \
 	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
 	  && $(MAKE) $(AM_MAKEFLAGS) check \
--- a/23
+++ b/23
@ -1,3 +1,26 @@
 Version 1.0.24               May 11 2013
 * Various compiler hardening flags are enabled by default.
 * Updated support for Solaris, allowing switch mode on Solaris 11.
 * Configuration will now also be read from a conf.d directory.
 * Various updates to the documentation.
 * Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM.
 * Fixed a potential routing loop when IndirectData or TCPOnly is used and
   broadcast packets are being sent.
 * Improved security with constant time memcmp and stricter use of OpenSSL's
   RNG functions.
 * Fixed all issues found by Coverity.
 Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc
 Dachary and Steffan Karger for their contributions to this version of tinc.
 Version 1.0.23               October 19 2013
 * Start authentication immediately on outgoing connections (useful for sslh).
--- a/6
+++ b/6
@ -1,7 +1,7 @@
-This is the README file for tinc version 1.0.23. Installation
+This is the README file for tinc version 1.0.24. Installation
 instructions may be found in the INSTALL file.
-tinc is Copyright (C) 1998-2013 by:
+tinc is Copyright (C) 1998-2014 by:
 Ivo Timmermans,
 Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
 Compatibility
 -------------
-Version 1.0.23 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
 versions of tinc.
--- a/README.android
+++ b/README.android
@ -1,14 +1,14 @@
-Quick how-o cross compile tinc for android (done from $HOME/android/):
+Quick how-to cross compile tinc for android (done from $HOME/android/):
 - Download android NDK and setup local ARM toolchain:
-wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2
+wget http://dl.google.com/android/ndk/android-ndk-r9d-linux-x86.tar.bz2
-tar xfj android-ndk-r8b-linux-x86.tar.bz2
+tar xfj android-ndk-r9d-linux-x86.tar.bz2
-./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
+./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
 - Download and cross-compile openSSL for ARM:
-wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
+wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
-tar xfz openssl-1.0.1c.tar.gz
+tar xfz openssl-1.0.1g.tar.gz
-cd openssl-1.0.1c
+cd openssl-1.0.1g
 ./Configure dist
 make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
@ -16,5 +16,9 @@ make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-andr
 git clone git://tinc-vpn.org/tinc
 cd tinc
 autoreconf -fsi
-CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/
+CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1g --with-openssl-include=$HOME/android/openssl-1.0.1g/include/ --disable-hardening
 make -j5
 - Strip tincd binary to make it smaller
 /tmp/my-android-toolchain/bin/arm-linux-androideabi-strip src/tincd
--- a/10
+++ b/10
@ -4,6 +4,7 @@ We would like to thank the following people for their contributions to tinc:
 * Allesandro Gatti
 * Andreas van Cranenburgh
 * Anthony G. Basile
 * Armin Fisslthaler
 * Armijn Hemel
 * Brandon Black
 * Cris van Pelt
@ -11,10 +12,13 @@ We would like to thank the following people for their contributions to tinc:
 * Delf Eldkraft
 * dnk
 * Enrique Zanardi
 * Florent Clairambault
 * Flynn Marquardt
 * Gary Kessler and Claudia Gonzalez
 * Grzegorz Dymarek
 * Hans Bayle
 * Ivo van Dong
 * James Cook
 * James MacLean
 * Jamie Briggs
 * Jason Harper
@ -22,11 +26,14 @@ We would like to thank the following people for their contributions to tinc:
 * Jeroen Ubbink
 * Jerome Etienne
 * Julien Muchembled
 * Lavrans Laading
 * Loïc Dachary
 * Loïc Grenié
 * Lubomír Bulej
 * Mads Kiilerich
 * Marc A. Lehmann
 * Mark Glines
 * Mark Petryk
 * Markus Goetz
 * Martin Kihlgren
 * Martin Schobert
@ -44,6 +51,7 @@ We would like to thank the following people for their contributions to tinc:
 * Robert van der Meulen
 * Rumko
 * Scott Lamb
 * Steffan Karger
 * Sven-Haegar Koch
 * Teemu Kiviniemi
 * Timothy Redaelli
@ -52,7 +60,7 @@ We would like to thank the following people for their contributions to tinc:
 * Wessel Dankers
 * Wouter van Heyst
-And everyone we forgot. Thank you!
+And everyone we forgot (if we did, please let us know). Thank you!
 Ivo Timmermans
 Guus Sliepen
--- a/aclocal.m4
+++ b/aclocal.m4
@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.14 -*- Autoconf -*-
+# generated automatically by aclocal 1.14.1 -*- Autoconf -*-
 # Copyright (C) 1996-2013 Free Software Foundation, Inc.
@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
 [am__api_version='1.14'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.14], [],
+m4_if([$1], [1.14.1], [],
      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.14])dnl
+[AM_AUTOMAKE_VERSION([1.14.1])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@ -573,7 +573,8 @@ to "yes", and re-run configure.
 END
    AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
  fi
-fi])
+fi
 ])
 dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion.  Do not
 dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
@ -1184,6 +1185,8 @@ AC_SUBST([am__untar])
 ]) # _AM_PROG_TAR
 m4_include([m4/attribute.m4])
 m4_include([m4/ax_check_compile_flag.m4])
 m4_include([m4/ax_check_link_flag.m4])
 m4_include([m4/lzo.m4])
 m4_include([m4/openssl.m4])
 m4_include([m4/zlib.m4])
--- a/config.h.in
+++ b/config.h.in
@ -15,6 +15,9 @@
 /* Define to 1 if you have the <arpa/inet.h> header file. */
 #undef HAVE_ARPA_INET_H
 /* Define to 1 if you have the <arpa/nameser.h> header file. */
 #undef HAVE_ARPA_NAMESER_H
 /* Define to 1 if you have the `asprintf' function. */
 #undef HAVE_ASPRINTF
@ -46,6 +49,10 @@
   don't. */
 #undef HAVE_DECL_GETNAMEINFO
 /* Define to 1 if you have the declaration of `res_init', and to 0 if you
   don't. */
 #undef HAVE_DECL_RES_INIT
 /* Define to 1 if you have the <dirent.h> header file. */
 #undef HAVE_DIRENT_H
@ -211,6 +218,9 @@
 /* Define to 1 if you have the `RAND_pseudo_bytes' function. */
 #undef HAVE_RAND_PSEUDO_BYTES
 /* Define to 1 if you have the <resolv.h> header file. */
 #undef HAVE_RESOLV_H
 /* Define to 1 if you have the `select' function. */
 #undef HAVE_SELECT
--- a/476
+++ b/476
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tinc 1.0.23.
+# Generated by GNU Autoconf 2.69 for tinc 1.0.24.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='tinc'
 PACKAGE_TARNAME='tinc'
-PACKAGE_VERSION='1.0.23'
+PACKAGE_VERSION='1.0.24'
-PACKAGE_STRING='tinc 1.0.23'
+PACKAGE_STRING='tinc 1.0.24'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@ -745,6 +745,7 @@ enable_uml
 enable_vde
 enable_tunemu
 with_windows2000
 enable_hardening
 enable_zlib
 with_zlib
 with_zlib_include
@ -1307,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures tinc 1.0.23 to adapt to many kinds of systems.
+\`configure' configures tinc 1.0.24 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1377,7 +1378,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of tinc 1.0.23:";;
+     short | recursive ) echo "Configuration of tinc 1.0.24:";;
   esac
  cat <<\_ACEOF
@ -1397,15 +1398,16 @@ Optional Features:
  --enable-uml            enable support for User Mode Linux
  --enable-vde            enable support for Virtual Distributed Ethernet
  --enable-tunemu         enable support for the tunemu driver
  --disable-hardening     disable compiler and linker hardening flags
  --disable-zlib          disable zlib compression support
  --disable-lzo           disable lzo compression support
-  --disable-jumbograms    enable support for jumbograms (packets up to 9000
+  --enable-jumbograms     enable support for jumbograms (packets up to 9000
                          bytes)
 Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --without-windows2000   compile with support for Windows 2000. This disables
+  --with-windows2000      compile with support for Windows 2000. This disables
                          support for tunneling over existing IPv6 networks.
  --with-zlib=DIR         zlib base directory, or:
  --with-zlib-include=DIR zlib headers directory
@ -1495,7 +1497,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-tinc configure 1.0.23
+tinc configure 1.0.24
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@ -1744,6 +1746,52 @@ $as_echo "$ac_res" >&6; }
 } # ac_fn_c_check_header_compile
 # ac_fn_c_try_link LINENO
 # -----------------------
 # Try to link conftest.$ac_ext, and return whether this succeeded.
 ac_fn_c_try_link ()
 {
  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
  rm -f conftest.$ac_objext conftest$ac_exeext
  if { { ac_try="$ac_link"
 case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
 esac
 eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
 $as_echo "$ac_try_echo"; } >&5
  (eval "$ac_link") 2>conftest.err
  ac_status=$?
  if test -s conftest.err; then
    grep -v '^ *+' conftest.err >conftest.er1
    cat conftest.er1 >&5
    mv -f conftest.er1 conftest.err
  fi
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
       } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
 	 test -x conftest$ac_exeext
       }; then :
  ac_retval=0
 else
  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 	ac_retval=1
 fi
  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
  # interfere with the next link command; also delete a directory that is
  # left behind by Apple's compiler.  We do this before executing the actions.
  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  as_fn_set_status $ac_retval
 } # ac_fn_c_try_link
 # ac_fn_c_check_type LINENO TYPE VAR INCLUDES
 # -------------------------------------------
 # Tests whether TYPE exists after having included INCLUDES, setting cache
@ -1798,52 +1846,6 @@ $as_echo "$ac_res" >&6; }
 } # ac_fn_c_check_type
 # ac_fn_c_try_link LINENO
 # -----------------------
 # Try to link conftest.$ac_ext, and return whether this succeeded.
 ac_fn_c_try_link ()
 {
  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
  rm -f conftest.$ac_objext conftest$ac_exeext
  if { { ac_try="$ac_link"
 case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
 esac
 eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
 $as_echo "$ac_try_echo"; } >&5
  (eval "$ac_link") 2>conftest.err
  ac_status=$?
  if test -s conftest.err; then
    grep -v '^ *+' conftest.err >conftest.er1
    cat conftest.er1 >&5
    mv -f conftest.er1 conftest.err
  fi
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
       } && test -s conftest$ac_exeext && {
 	 test "$cross_compiling" = yes ||
 	 test -x conftest$ac_exeext
       }; then :
  ac_retval=0
 else
  $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 	ac_retval=1
 fi
  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
  # interfere with the next link command; also delete a directory that is
  # left behind by Apple's compiler.  We do this before executing the actions.
  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  as_fn_set_status $ac_retval
 } # ac_fn_c_try_link
 # ac_fn_c_check_func LINENO FUNC VAR
 # ----------------------------------
 # Tests whether FUNC exists, setting the cache variable VAR accordingly
@ -1960,7 +1962,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by tinc $as_me 1.0.23, which was
+It was created by tinc $as_me 1.0.24, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@ -2824,7 +2826,7 @@ fi
 # Define the identity of the package.
 PACKAGE='tinc'
- VERSION='1.0.23'
+ VERSION='1.0.24'
 cat >>confdefs.h <<_ACEOF
@ -2916,6 +2918,7 @@ END
    as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
  fi
 fi
 ac_config_headers="$ac_config_headers config.h"
@ -5146,6 +5149,343 @@ if test -d /sw/lib ; then
 fi
 # Check whether --enable-hardening was given.
 if test "${enable_hardening+set}" = set; then :
  enableval=$enable_hardening;
 fi
 if test "x$enable_hardening" != "xno"; then :
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -DFORTIFY_SOURCE=2" >&5
 $as_echo_n "checking whether C compiler accepts -DFORTIFY_SOURCE=2... " >&6; }
 if ${ax_cv_check_cflags___DFORTIFY_SOURCE_2+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$CFLAGS
  CFLAGS="$CFLAGS  -DFORTIFY_SOURCE=2"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ax_cv_check_cflags___DFORTIFY_SOURCE_2=yes
 else
  ax_cv_check_cflags___DFORTIFY_SOURCE_2=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  CFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
 $as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
 if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
  CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"
 else
  :
 fi
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
 $as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
 if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$CFLAGS
  CFLAGS="$CFLAGS  -fno-strict-overflow"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ax_cv_check_cflags___fno_strict_overflow=yes
 else
  ax_cv_check_cflags___fno_strict_overflow=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  CFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
 $as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
 if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
  CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
 else
  :
 fi
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fwrapv" >&5
 $as_echo_n "checking whether C compiler accepts -fwrapv... " >&6; }
 if ${ax_cv_check_cflags___fwrapv+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$CFLAGS
  CFLAGS="$CFLAGS  -fwrapv"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ax_cv_check_cflags___fwrapv=yes
 else
  ax_cv_check_cflags___fwrapv=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  CFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fwrapv" >&5
 $as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
 if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
  CPPFLAGS="$CPPFLAGS -fwrapv"
 else
  :
 fi
   case $host_os in
     *mingw*)
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--dynamicbase" >&5
 $as_echo_n "checking whether the linker accepts -Wl,--dynamicbase... " >&6; }
 if ${ax_cv_check_ldflags___Wl___dynamicbase+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS  -Wl,--dynamicbase"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
  ax_cv_check_ldflags___Wl___dynamicbase=yes
 else
  ax_cv_check_ldflags___Wl___dynamicbase=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
  LDFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___dynamicbase" >&5
 $as_echo "$ax_cv_check_ldflags___Wl___dynamicbase" >&6; }
 if test x"$ax_cv_check_ldflags___Wl___dynamicbase" = xyes; then :
  LDFLAGS="$LDFLAGS -Wl,--dynamicbase"
 else
  :
 fi
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--nxcompat" >&5
 $as_echo_n "checking whether the linker accepts -Wl,--nxcompat... " >&6; }
 if ${ax_cv_check_ldflags___Wl___nxcompat+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS  -Wl,--nxcompat"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
  ax_cv_check_ldflags___Wl___nxcompat=yes
 else
  ax_cv_check_ldflags___Wl___nxcompat=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
  LDFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___nxcompat" >&5
 $as_echo "$ax_cv_check_ldflags___Wl___nxcompat" >&6; }
 if test x"$ax_cv_check_ldflags___Wl___nxcompat" = xyes; then :
  LDFLAGS="$LDFLAGS -Wl,--nxcompat"
 else
  :
 fi
       ;;
     *)
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
 $as_echo_n "checking whether C compiler accepts -fPIE... " >&6; }
 if ${ax_cv_check_cflags___fPIE+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$CFLAGS
  CFLAGS="$CFLAGS  -fPIE"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
  ax_cv_check_cflags___fPIE=yes
 else
  ax_cv_check_cflags___fPIE=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  CFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
 $as_echo "$ax_cv_check_cflags___fPIE" >&6; }
 if test x"$ax_cv_check_cflags___fPIE" = xyes; then :
  CPPFLAGS="$CPPFLAGS -fPIE"
 else
  :
 fi
       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
 $as_echo_n "checking whether the linker accepts -pie... " >&6; }
 if ${ax_cv_check_ldflags___pie+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS  -pie"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
  ax_cv_check_ldflags___pie=yes
 else
  ax_cv_check_ldflags___pie=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
  LDFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
 $as_echo "$ax_cv_check_ldflags___pie" >&6; }
 if test x"$ax_cv_check_ldflags___pie" = xyes; then :
  LDFLAGS="$LDFLAGS -pie"
 else
  :
 fi
       ;;
   esac
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
 $as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
 if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS  -Wl,-z,relro"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
  ax_cv_check_ldflags___Wl__z_relro=yes
 else
  ax_cv_check_ldflags___Wl__z_relro=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
  LDFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
 $as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
 if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
  LDFLAGS="$LDFLAGS -Wl,-z,relro"
 else
  :
 fi
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5
 $as_echo_n "checking whether the linker accepts -Wl,-z,now... " >&6; }
 if ${ax_cv_check_ldflags___Wl__z_now+:} false; then :
  $as_echo_n "(cached) " >&6
 else
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS  -Wl,-z,now"
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 int
 main ()
 {
  ;
  return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
  ax_cv_check_ldflags___Wl__z_now=yes
 else
  ax_cv_check_ldflags___Wl__z_now=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
    conftest$ac_exeext conftest.$ac_ext
  LDFLAGS=$ax_check_save_flags
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_now" >&5
 $as_echo "$ax_cv_check_ldflags___Wl__z_now" >&6; }
 if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes; then :
  LDFLAGS="$LDFLAGS -Wl,-z,now"
 else
  :
 fi
 fi;
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
 $as_echo_n "checking for ANSI C header files... " >&6; }
@ -5259,7 +5599,7 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h
 fi
-for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h
+for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -5287,7 +5627,7 @@ fi
 done
-for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h
+for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include \"src/have.h\"
@ -5921,6 +6261,22 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 ac_fn_c_check_decl "$LINENO" "res_init" "ac_cv_have_decl_res_init" "
  #include <netinet/in.h>
  #include <resolv.h>
 "
 if test "x$ac_cv_have_decl_res_init" = xyes; then :
  ac_have_decl=1
 else
  ac_have_decl=0
 fi
 cat >>confdefs.h <<_ACEOF
 #define HAVE_DECL_RES_INIT $ac_have_decl
 _ACEOF
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
 # tests run on this system so they can be shared between configure
@ -7040,7 +7396,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tinc $as_me 1.0.23, which was
+This file was extended by tinc $as_me 1.0.24, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -7106,7 +7462,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tinc config.status 1.0.23
+tinc config.status 1.0.24
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
--- a/configure.ac
+++ b/configure.ac
@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.23])
+AC_INIT([tinc], [1.0.24])
 AC_CONFIG_SRCDIR([src/tincd.c])
 AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
 AC_CONFIG_HEADERS([config.h])
@ -105,7 +105,7 @@ AC_ARG_ENABLE(tunemu,
 )
 AC_ARG_WITH(windows2000,
-  AS_HELP_STRING([--without-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]),
+  AS_HELP_STRING([--with-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]),
  [ AS_IF([test "x$with_windows2000" = "xyes"],
      [AC_DEFINE(WITH_WINDOWS2000, 1, [Compile with support for Windows 2000])])
  ]
@ -129,17 +129,40 @@ if test -d /sw/lib ; then
  LIBS="$LIBS -L/sw/lib"
 fi
 dnl Compiler hardening flags
 dnl No -fstack-protector-all because it doesn't work on all platforms or architectures.
 AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
 AS_IF([test "x$enable_hardening" != "xno"],
  [AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
   AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
   AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
   case $host_os in
     *mingw*)
       AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
       AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"])
       ;;
     *)
       AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"])
       AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"])
       ;;
   esac
   AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"])
   AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"])
  ]
 );
 dnl Checks for libraries.
 dnl Checks for header files.
 dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
 AC_HEADER_STDC
-AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h])
+AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h])
 AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h],
  [], [], [#include "src/have.h"]
 )
-AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h],
+AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h],
  [], [], [#include "src/have.h"]
 )
 AC_CHECK_HEADERS([netinet/tcp.h netinet/ip_icmp.h netinet/icmp6.h],
@ -179,6 +202,11 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
  [], [], [#include "src/have.h"]
 )
 AC_CHECK_DECLS([res_init], [], [], [
  #include <netinet/in.h>
  #include <resolv.h>
 ])
 AC_CACHE_SAVE
 dnl These are defined in files in m4/
@ -187,9 +215,9 @@ tinc_ZLIB
 tinc_LZO
 tinc_OPENSSL
-dnl Check if support for jumbograms is requested 
+dnl Check if support for jumbograms is requested
 AC_ARG_ENABLE(jumbograms,
-  AS_HELP_STRING([--disable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]),
+  AS_HELP_STRING([--enable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]),
  [ AS_IF([test "x$enable_jumbograms" = "xyes"],
      [ AC_DEFINE(ENABLE_JUMBOGRAMS, 1, [Support for jumbograms (packets up to 9000 bytes)]) ])
  ]
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -80,8 +80,10 @@ subdir = doc
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
-	$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
+	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
-	$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
 	$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
--- a/doc/sample-config.tar.gz
+++ b/doc/sample-config.tar.gz
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@ -1,4 +1,4 @@
-.Dd 2010-01-16
+.Dd 2014-05-11
 .Dt TINC.CONF 5
 .\" Manual page created by:
 .\" Ivo Timmermans
@ -416,7 +416,7 @@ and
 are available.
 .El
 .It Va ReplayWindow Li = Ar bytes Pq 16
-vhis is the size of the replay tracking window for each remote node, in bytes.
+This is the size of the replay tracking window for each remote node, in bytes.
 The window is a bitfield which tracks 1 packet per bit, so for example
 the default setting of 16 will track up to 128 packets in the window.  In high
 bandwidth scenarios, setting this to a higher value can reduce packet loss from
@ -428,7 +428,8 @@ traffic.
 When this option is enabled tinc will only use Subnet statements which are
 present in the host config files in the local
 .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
-directory.
+directory. Subnets learned via connections to other nodes and which are not
 present in the local host config files are ignored.
 .It Va TunnelServer Li = yes | no Po no Pc Bq experimental
 When this option is enabled tinc will no longer forward information between other tinc daemons,
 and will only allow connections with nodes for which host config files are present in the local
@ -631,6 +632,8 @@ The top directory for configuration files.
 .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
 The default name of the server configuration file for net
 .Ar NETNAME .
 .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
 Optional directory from which any *.conf file will be loaded
 .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
 Host configuration files are kept in this directory.
 .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up
--- a/doc/tinc.info
+++ b/doc/tinc.info
@ -1,14 +1,14 @@
-This is tinc.info, produced by makeinfo version 5.1 from tinc.texi.
+This is tinc.info, produced by makeinfo version 5.2 from tinc.texi.
 INFO-DIR-SECTION Networking tools
 START-INFO-DIR-ENTRY
 * tinc: (tinc).              The tinc Manual.
 END-INFO-DIR-ENTRY
-This is the info manual for tinc version 1.0.22, a Virtual Private
+This is the info manual for tinc version 1.0.23, a Virtual Private
 Network daemon.
-   Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen
+   Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
 <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
   Permission is granted to make and distribute verbatim copies of this
@ -649,6 +649,9 @@ The actual configuration of the daemon is done in the file
 '/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
 directory '/etc/tinc/NETNAME/hosts/'.
   An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
 which any .conf file will be read.
   These file consists of comments (lines started with a #) or
 assignments in the form of
@ -1011,7 +1014,9 @@ ReplayWindow = <bytes> (16)
 StrictSubnets = <yes|no> (no) [experimental]
     When this option is enabled tinc will only use Subnet statements
     which are present in the host config files in the local
-     '/etc/tinc/NETNAME/hosts/' directory.
+     '/etc/tinc/NETNAME/hosts/' directory.  Subnets learned via
     connections to other nodes and which are not present in the local
     host config files are ignored.
 TunnelServer = <yes|no> (no) [experimental]
     When this option is enabled tinc will no longer forward information
@ -1040,7 +1045,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
     This variable is only required if you want to connect to this host.
     It must resolve to the external IP address where the host can be
     reached, not the one that is internal to the VPN. If no port is
-     specified, the default Port is used.
+     specified, the default Port is used.  Multiple Address variables
     can be specified, in which case each address will be tried until a
     working connection has been established.
 Cipher = <CIPHER> (blowfish)
     The symmetric cipher algorithm used to encrypt UDP packets.  Any
@ -2424,16 +2431,16 @@ Concept Index
 * CHAL_REPLY:                            Authentication protocol.
                                                              (line  10)
 * CIDR notation:                         Host configuration variables.
-                                                              (line  91)
+                                                              (line  93)
 * Cipher:                                Host configuration variables.
-                                                              (line  12)
+                                                              (line  14)
 * ClampMSS:                              Host configuration variables.
-                                                              (line  18)
+                                                              (line  20)
 * client:                                How connections work.
                                                              (line  18)
 * command line:                          Runtime options.     (line   9)
 * Compression:                           Host configuration variables.
-                                                              (line  24)
+                                                              (line  26)
 * connection:                            The connection.      (line   6)
 * ConnectTo:                             Main configuration variables.
                                                              (line  53)
@ -2452,7 +2459,7 @@ Concept Index
 * DeviceType:                            Main configuration variables.
                                                              (line  80)
 * Digest:                                Host configuration variables.
-                                                              (line  29)
+                                                              (line  31)
 * DirectOnly:                            Main configuration variables.
                                                              (line 145)
 * dummy:                                 Main configuration variables.
@ -2481,7 +2488,7 @@ Concept Index
 * IffOneQueue:                           Main configuration variables.
                                                              (line 191)
 * IndirectData:                          Host configuration variables.
-                                                              (line  34)
+                                                              (line  36)
 * Interface:                             Main configuration variables.
                                                              (line 194)
 * INTERFACE:                             Scripts.             (line  56)
@ -2498,7 +2505,7 @@ Concept Index
 * MACExpire:                             Main configuration variables.
                                                              (line 219)
 * MACLength:                             Host configuration variables.
-                                                              (line  42)
+                                                              (line  44)
 * MaxTimeout:                            Main configuration variables.
                                                              (line 224)
 * meta-protocol:                         The meta-connection. (line  18)
@ -2521,7 +2528,7 @@ Concept Index
 * OpenSSL:                               OpenSSL.             (line   6)
 * options:                               Runtime options.     (line   9)
 * PEM format:                            Host configuration variables.
-                                                              (line  67)
+                                                              (line  69)
 * PING:                                  The meta-protocol.   (line  88)
 * PingInterval:                          Main configuration variables.
                                                              (line 266)
@ -2529,12 +2536,12 @@ Concept Index
                                                              (line 270)
 * platforms:                             Supported platforms. (line   6)
 * PMTU:                                  Host configuration variables.
-                                                              (line  47)
+                                                              (line  49)
 * PMTUDiscovery:                         Host configuration variables.
-                                                              (line  50)
+                                                              (line  52)
 * PONG:                                  The meta-protocol.   (line  88)
 * Port:                                  Host configuration variables.
-                                                              (line  55)
+                                                              (line  57)
 * port numbers:                          Other files.         (line  17)
 * PriorityInheritance:                   Main configuration variables.
                                                              (line 276)
@ -2549,9 +2556,9 @@ Concept Index
 * Proxy:                                 Main configuration variables.
                                                              (line 297)
 * PublicKey:                             Host configuration variables.
-                                                              (line  59)
+                                                              (line  61)
 * PublicKeyFile:                         Host configuration variables.
-                                                              (line  62)
+                                                              (line  64)
 * raw_socket:                            Main configuration variables.
                                                              (line  92)
 * release:                               Supported platforms. (line  14)
@ -2576,16 +2583,16 @@ Concept Index
 * StrictSubnets:                         Main configuration variables.
                                                              (line 331)
 * Subnet:                                Host configuration variables.
-                                                              (line  74)
+                                                              (line  76)
 * SUBNET:                                Scripts.             (line  72)
 * Subnet weight:                         Host configuration variables.
-                                                              (line  96)
+                                                              (line  98)
 * SVPN:                                  Security.            (line  11)
 * switch:                                Main configuration variables.
                                                              (line 239)
 * TCP:                                   The meta-connection. (line  10)
 * TCPonly:                               Host configuration variables.
-                                                              (line 103)
+                                                              (line 105)
 * tinc:                                  Introduction.        (line   6)
 * TINC:                                  Security.            (line   6)
 * tinc-down:                             Scripts.             (line  18)
@ -2596,16 +2603,16 @@ Concept Index
 * tunifhead:                             Main configuration variables.
                                                              (line 134)
 * TunnelServer:                          Main configuration variables.
-                                                              (line 336)
+                                                              (line 338)
 * tunnohead:                             Main configuration variables.
                                                              (line 128)
 * UDP:                                   The UDP tunnel.      (line  30)
 * UDP <1>:                               Encryption of network packets.
                                                              (line  12)
 * UDPRcvBuf:                             Main configuration variables.
-                                                              (line 343)
+                                                              (line 345)
 * UDPSndBuf:                             Main configuration variables.
-                                                              (line 348)
+                                                              (line 350)
 * UML:                                   Main configuration variables.
                                                              (line 110)
 * Universal tun/tap:                     Configuration of Linux kernels.
@ -2656,35 +2663,35 @@ Node: Configuration introduction20366
 Node: Multiple networks21634
 Node: How connections work23059
 Node: Configuration files24281
-Node: Main configuration variables25669
+Node: Main configuration variables25776
-Node: Host configuration variables41635
+Node: Host configuration variables41870
-Node: Scripts46990
+Node: Scripts47371
-Node: How to configure49753
+Node: How to configure50134
-Node: Generating keypairs51010
+Node: Generating keypairs51391
-Node: Network interfaces51509
+Node: Network interfaces51890
-Node: Example configuration53357
+Node: Example configuration53738
-Node: Running tinc58682
+Node: Running tinc59063
-Node: Runtime options59272
+Node: Runtime options59653
-Node: Signals62574
+Node: Signals62955
-Node: Debug levels63765
+Node: Debug levels64146
-Node: Solving problems64701
+Node: Solving problems65082
-Node: Error messages66253
+Node: Error messages66634
-Node: Sending bug reports70262
+Node: Sending bug reports70643
-Node: Technical information71209
+Node: Technical information71590
-Node: The connection71440
+Node: The connection71821
-Node: The UDP tunnel71752
+Node: The UDP tunnel72133
-Node: The meta-connection74815
+Node: The meta-connection75196
-Node: The meta-protocol76284
+Node: The meta-protocol76665
-Node: Security81301
+Node: Security81682
-Node: Authentication protocol82434
+Node: Authentication protocol82815
-Node: Encryption of network packets87451
+Node: Encryption of network packets87832
-Node: Security issues88827
+Node: Security issues89208
-Node: Platform specific information90454
+Node: Platform specific information90835
-Node: Interface configuration90682
+Node: Interface configuration91063
-Node: Routes93135
+Node: Routes93516
-Node: About us95052
+Node: About us95433
-Node: Contact information95227
+Node: Contact information95608
-Node: Authors95631
+Node: Authors96012
-Node: Concept Index96036
+Node: Concept Index96417
 End Tag Table
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@ -15,7 +15,7 @@
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2013 Ivo Timmermans,
+Copyright @copyright{} 1998-2014 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
@ -39,7 +39,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
-Copyright @copyright{} 1998-2013 Ivo Timmermans,
+Copyright @copyright{} 1998-2014 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
@ -718,6 +718,9 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
 An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
 any .conf file will be read.
 These file consists of comments (lines started with a #) or assignments
 in the form of
@ -1102,6 +1105,8 @@ traffic.
 When this option is enabled tinc will only use Subnet statements which are
 present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
 Subnets learned via connections to other nodes and which are not
 present in the local host config files are ignored.
@cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental]
@ -1134,6 +1139,8 @@ This variable is only required if you want to connect to this host.  It
 must resolve to the external IP address where the host can be reached,
 not the one that is internal to the VPN.
 If no port is specified, the default Port is used.
 Multiple Address variables can be specified, in which case each address will be
 tried until a working connection has been established.
@cindex Cipher
@item Cipher = <@var{cipher}> (blowfish)
--- a/doc/tincd.8.in
+++ b/doc/tincd.8.in
@ -1,4 +1,4 @@
-.Dd 2011-01-02
+.Dd 2014-05-11
 .Dt TINCD 8
 .\" Manual page created by:
 .\" Ivo Timmermans
--- a/m4/Makefile.in
+++ b/m4/Makefile.in
@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -81,8 +81,10 @@ subdir = m4
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
-	$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
+	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
-	$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
 	$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
--- a/m4/ax_check_compile_flag.m4
+++ b/m4/ax_check_compile_flag.m4
@ -0,0 +1,72 @@
 # ===========================================================================
 #   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
 # ===========================================================================
 #
 # SYNOPSIS
 #
 #   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
 #
 # DESCRIPTION
 #
 #   Check whether the given FLAG works with the current language's compiler
 #   or gives an error.  (Warnings, however, are ignored)
 #
 #   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
 #   success/failure.
 #
 #   If EXTRA-FLAGS is defined, it is added to the current language's default
 #   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
 #   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
 #   force the compiler to issue an error when a bad flag is given.
 #
 #   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
 #   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
 #
 # LICENSE
 #
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
 #   This program is free software: you can redistribute it and/or modify it
 #   under the terms of the GNU General Public License as published by the
 #   Free Software Foundation, either version 3 of the License, or (at your
 #   option) any later version.
 #
 #   This program is distributed in the hope that it will be useful, but
 #   WITHOUT ANY WARRANTY; without even the implied warranty of
 #   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
 #   Public License for more details.
 #
 #   You should have received a copy of the GNU General Public License along
 #   with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 #   As a special exception, the respective Autoconf Macro's copyright owner
 #   gives unlimited permission to copy, distribute and modify the configure
 #   scripts that are the output of Autoconf when processing the Macro. You
 #   need not follow the terms of the GNU General Public License when using
 #   or distributing such scripts, even though portions of the text of the
 #   Macro appear in them. The GNU General Public License (GPL) does govern
 #   all other use of the material that constitutes the Autoconf Macro.
 #
 #   This special exception to the GPL applies to versions of the Autoconf
 #   Macro released by the Autoconf Archive. When you make and distribute a
 #   modified version of the Autoconf Macro, you may extend this special
 #   exception to the GPL to apply to your modified version as well.
 #serial 2
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
 AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
 AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
    [AS_VAR_SET(CACHEVAR,[yes])],
    [AS_VAR_SET(CACHEVAR,[no])])
  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
 AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
  [m4_default([$2], :)],
  [m4_default([$3], :)])
 AS_VAR_POPDEF([CACHEVAR])dnl
 ])dnl AX_CHECK_COMPILE_FLAGS
--- a/m4/ax_check_link_flag.m4
+++ b/m4/ax_check_link_flag.m4
@ -0,0 +1,71 @@
 # ===========================================================================
 #    http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
 # ===========================================================================
 #
 # SYNOPSIS
 #
 #   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
 #
 # DESCRIPTION
 #
 #   Check whether the given FLAG works with the linker or gives an error.
 #   (Warnings, however, are ignored)
 #
 #   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
 #   success/failure.
 #
 #   If EXTRA-FLAGS is defined, it is added to the linker's default flags
 #   when the check is done.  The check is thus made with the flags: "LDFLAGS
 #   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
 #   issue an error when a bad flag is given.
 #
 #   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
 #   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
 #
 # LICENSE
 #
 #   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 #   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
 #   This program is free software: you can redistribute it and/or modify it
 #   under the terms of the GNU General Public License as published by the
 #   Free Software Foundation, either version 3 of the License, or (at your
 #   option) any later version.
 #
 #   This program is distributed in the hope that it will be useful, but
 #   WITHOUT ANY WARRANTY; without even the implied warranty of
 #   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
 #   Public License for more details.
 #
 #   You should have received a copy of the GNU General Public License along
 #   with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 #   As a special exception, the respective Autoconf Macro's copyright owner
 #   gives unlimited permission to copy, distribute and modify the configure
 #   scripts that are the output of Autoconf when processing the Macro. You
 #   need not follow the terms of the GNU General Public License when using
 #   or distributing such scripts, even though portions of the text of the
 #   Macro appear in them. The GNU General Public License (GPL) does govern
 #   all other use of the material that constitutes the Autoconf Macro.
 #
 #   This special exception to the GPL applies to versions of the Autoconf
 #   Macro released by the Autoconf Archive. When you make and distribute a
 #   modified version of the Autoconf Macro, you may extend this special
 #   exception to the GPL to apply to your modified version as well.
 #serial 2
 AC_DEFUN([AX_CHECK_LINK_FLAG],
 [AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
 AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
  ax_check_save_flags=$LDFLAGS
  LDFLAGS="$LDFLAGS $4 $1"
  AC_LINK_IFELSE([AC_LANG_PROGRAM()],
    [AS_VAR_SET(CACHEVAR,[yes])],
    [AS_VAR_SET(CACHEVAR,[no])])
  LDFLAGS=$ax_check_save_flags])
 AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
  [m4_default([$2], :)],
  [m4_default([$3], :)])
 AS_VAR_POPDEF([CACHEVAR])dnl
 ])dnl AX_CHECK_LINK_FLAGS
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 #! /bin/sh
 # Common wrapper for a few potentially missing GNU programs.
-scriptversion=2012-06-26.16; # UTC
+scriptversion=2013-10-28.13; # UTC
 # Copyright (C) 1996-2013 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
@ -160,7 +160,7 @@ give_advice ()
      ;;
   autom4te*)
      echo "You might have modified some maintainer files that require"
-      echo "the 'automa4te' program to be rebuilt."
+      echo "the 'autom4te' program to be rebuilt."
      program_details 'autom4te'
      ;;
    bison*|yacc*)
--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -93,8 +93,10 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
-	$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \
+	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
-	$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac
+	$(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
 	$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
--- a/src/avl_tree.c
+++ b/src/avl_tree.c
@ -2,7 +2,7 @@
    avl_tree.c -- avl_ tree and linked list convenience
    Copyright (C) 1998 Michael H. Buselli
                  2000-2005 Ivo Timmermans,
-                  2000-2006 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2000-2005 Wessel Dankers <wsl@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
@ -168,14 +168,12 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
 						child->right->parent = child;
 					gchild->right = node;
-					if(gchild->right)
+					gchild->right->parent = gchild;
 						gchild->right->parent = gchild;
 					gchild->left = child;
-					if(gchild->left)
+					gchild->left->parent = gchild;
 						gchild->left->parent = gchild;
 					*superparent = gchild;
 					*superparent = gchild;
 					gchild->parent = parent;
 #ifdef AVL_COUNT
 					node->count = AVL_CALC_COUNT(node);
@ -224,12 +222,10 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
 						child->left->parent = child;
 					gchild->left = node;
-					if(gchild->left)
+					gchild->left->parent = gchild;
 						gchild->left->parent = gchild;
 					gchild->right = child;
-					if(gchild->right)
+					gchild->right->parent = gchild;
 						gchild->right->parent = gchild;
 					*superparent = gchild;
 					gchild->parent = parent;
@ -600,6 +596,8 @@ void avl_unlink_node(avl_tree_t *tree, avl_node_t *node)
 		balnode = parent;
 	} else {
 		subst = node->prev;
 		if(!subst) // This only happens if node is not actually in a tree at all.
 			abort();
 		if(subst == left) {
 			balnode = subst;
--- a/src/conf.c
+++ b/src/conf.c
@ -2,7 +2,7 @@
    conf.c -- configuration code
    Copyright (C) 1998 Robert van der Meulen
                  1998-2005 Ivo Timmermans
-                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2010-2011 Julien Muchembled <jm@jmuchemb.eu>
 		  2000 Cris van Pelt
@ -378,6 +378,29 @@ bool read_server_config(void) {
 	xasprintf(&fname, "%s/tinc.conf", confbase);
 	x = read_config_file(config_tree, fname);
 	// We will try to read the conf files in the "conf.d" dir
 	if (x) {
 		char * dname;
 		xasprintf(&dname, "%s/conf.d", confbase);
 		DIR *dir = opendir (dname);
 		// If we can find this dir
 		if (dir) { 
 			struct dirent *ep;
 			// We list all the files in it
 			while (x && (ep = readdir (dir))) {
 				size_t l = strlen(ep->d_name);
 				// And we try to read the ones that end with ".conf"
 				if (l > 5 && !strcmp(".conf", & ep->d_name[ l - 5 ])) {
 					free(fname);
 					xasprintf(&fname, "%s/%s", dname, ep->d_name);
 					x = read_config_file(config_tree, fname);
 				}
 			}
 			closedir (dir);
 		}
 		free(dname);
 	}
 	if(!x) {				/* System error: complain */
 		logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno));
 	}
--- a/src/graph.c
+++ b/src/graph.c
@ -1,6 +1,6 @@
 /*
    graph.c -- graph algorithms
-    Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2001-2014 Guus Sliepen <guus@tinc-vpn.org>,
                  2001-2005 Ivo Timmermans
    This program is free software; you can redistribute it and/or modify
@ -212,9 +212,13 @@ static void sssp_bfs(void) {
 			   && (!e->to->status.indirect || indirect))
 				continue;
 			// Only update nexthop the first time we visit this node.
 			if(!e->to->status.visited)
 				e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
 			e->to->status.visited = true;
 			e->to->status.indirect = indirect;
 			e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
 			e->to->prevedge = e;
 			e->to->via = indirect ? n->via : e->to;
 			e->to->options = e->options;
@ -336,6 +340,7 @@ void dump_graph(void) {
 	if(!file) {
 		logger(LOG_ERR, "Unable to open graph dump file %s: %s", filename, strerror(errno));
 		free(filename);
 		free(tmpname);
 		return;
 	}
@ -363,7 +368,10 @@ void dump_graph(void) {
 #ifdef HAVE_MINGW
 		unlink(filename);
 #endif
-		rename(tmpname, filename);
+		if(rename(tmpname, filename))
 			logger(LOG_ERR, "Could not rename %s to %s: %s\n", tmpname, filename, strerror(errno));
 		free(tmpname);
 	}
 	free(filename);
 }
--- a/src/have.h
+++ b/src/have.h
@ -1,7 +1,7 @@
 /*
    have.h -- include headers which are known to exist
    Copyright (C) 1998-2005 Ivo Timmermans
-                  2003-2011 Guus Sliepen <guus@tinc-vpn.org>
+                  2003-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -38,6 +38,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <limits.h>
 #ifdef HAVE_MINGW
 #include <w32api.h>
--- a/src/linux/device.c
+++ b/src/linux/device.c
@ -1,7 +1,7 @@
 /*
    device.c -- Interaction with Linux ethertap and tun/tap device
    Copyright (C) 2001-2005 Ivo Timmermans,
-                  2001-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2001-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -107,17 +107,21 @@ static bool setup_device(void) {
 		ifr.ifr_flags |= IFF_ONE_QUEUE;
 #endif
-	if(iface)
+	if(iface) {
 		strncpy(ifr.ifr_name, iface, IFNAMSIZ);
 		ifr.ifr_name[IFNAMSIZ - 1] = 0;
 	}
 	if(!ioctl(device_fd, TUNSETIFF, &ifr)) {
 		strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
-		if(iface) free(iface);
+		ifrname[IFNAMSIZ - 1] = 0;
 		free(iface);
 		iface = xstrdup(ifrname);
 	} else if(!ioctl(device_fd, (('T' << 8) | 202), &ifr)) {
 		logger(LOG_WARNING, "Old ioctl() request was needed for %s", device);
 		strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
-		if(iface) free(iface);
+		ifrname[IFNAMSIZ - 1] = 0;
 		free(iface);
 		iface = xstrdup(ifrname);
 	} else
 #endif
@ -126,8 +130,7 @@ static bool setup_device(void) {
 			overwrite_mac = true;
 		device_info = "Linux ethertap device";
 		device_type = DEVICE_TYPE_ETHERTAP;
-		if(iface)
+		free(iface);
 			free(iface);
 		iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
 	}
--- a/src/meta.c
+++ b/src/meta.c
@ -1,6 +1,6 @@
 /*
    meta.c -- handle the meta communication
-    Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
                  2000-2005 Ivo Timmermans
                  2006      Scott Lamb <slamb@slamb.org>
@ -180,7 +180,7 @@ bool receive_meta(connection_t *c) {
 				if(!c->node) {
 					if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
 						if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
-							logger(LOG_DEBUG, "Proxy request granted");
+							ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
 						} else {
 							logger(LOG_ERR, "Proxy request rejected");
 							return false;
@ -199,9 +199,9 @@ bool receive_meta(connection_t *c) {
 							return false;
 						}
 						if(c->buffer[3] == 0) {
-							logger(LOG_DEBUG, "Proxy request granted");
+							ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
 						} else {
-							logger(LOG_DEBUG, "Proxy request rejected");
+							logger(LOG_ERR, "Proxy request rejected");
 							return false;
 						}
 					} else {
--- a/src/mingw/device.c
+++ b/src/mingw/device.c
@ -1,7 +1,7 @@
 /*
    device.c -- Interaction with Windows tap driver in a MinGW environment
    Copyright (C) 2002-2005 Ivo Timmermans,
-                  2002-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2002-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -49,6 +49,7 @@ static DWORD WINAPI tapreader(void *bla) {
 	DWORD len;
 	OVERLAPPED overlapped;
 	vpn_packet_t packet;
 	int errors = 0;
 	logger(LOG_DEBUG, "Tap reader running");
@ -71,16 +72,27 @@ static DWORD WINAPI tapreader(void *bla) {
 			} else {
 				logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
 					   device, strerror(errno));
-				return -1;
+				errors++;
 				if(errors >= 10) {
 					EnterCriticalSection(&mutex);
 					running = false;
 					LeaveCriticalSection(&mutex);
 				}
 				usleep(1000000);
 				continue;
 			}
 		}
-		EnterCriticalSection(&mutex);
+		errors = 0;
 		packet.len = len;
 		packet.priority = 0;
 		EnterCriticalSection(&mutex);
 		route(myself, &packet);
 		LeaveCriticalSection(&mutex);
 	}
 	return 0;
 }
 static bool setup_device(void) {
--- a/src/multicast_device.c
+++ b/src/multicast_device.c
@ -1,7 +1,7 @@
 /*
    device.c -- multicast socket
    Copyright (C) 2002-2005 Ivo Timmermans,
-                  2002-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2002-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -56,6 +56,7 @@ static bool setup_device(void) {
 	space = strchr(host, ' ');
 	if(!space) {
 		logger(LOG_ERR, "Port number required for %s", device_info);
 		free(host);
 		return false;
 	}
@ -75,6 +76,7 @@ static bool setup_device(void) {
 	device_fd = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP);
 	if(device_fd < 0) {
 		logger(LOG_ERR, "Creating socket failed: %s", sockstrerror(sockerrno));
 		free(host);
 		return false;
 	}
@ -88,6 +90,7 @@ static bool setup_device(void) {
 	if(bind(device_fd, ai->ai_addr, ai->ai_addrlen)) {
 		closesocket(device_fd);
 		logger(LOG_ERR, "Can't bind to %s %s: %s", host, port, sockstrerror(sockerrno));
 		free(host);
 		return false;
 	}
@ -102,6 +105,7 @@ static bool setup_device(void) {
 			if(setsockopt(device_fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof mreq)) {
 				logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
 				closesocket(device_fd);
 				free(host);
 				return false;
 			}
 #ifdef IP_MULTICAST_LOOP
@ -123,6 +127,7 @@ static bool setup_device(void) {
 			if(setsockopt(device_fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, (void *)&mreq, sizeof mreq)) {
 				logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
 				closesocket(device_fd);
 				free(host);
 				return false;
 			}
 #ifdef IPV6_MULTICAST_LOOP
@ -135,11 +140,13 @@ static bool setup_device(void) {
 #endif
 		default:
-			logger(LOG_ERR, "Multicast for address family %hx unsupported", ai->ai_family);
+			logger(LOG_ERR, "Multicast for address family %x unsupported", ai->ai_family);
 			closesocket(device_fd);
 			free(host);
 			return false;
 	}
 	free(host);
 	logger(LOG_INFO, "%s is a %s", device, device_info);
 	return true;
--- a/src/net.c
+++ b/src/net.c
@ -1,7 +1,7 @@
 /*
    net.c -- most of the network code
    Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2006      Scott Lamb <slamb@slamb.org>
 		  2011      Loïc Grenié <loic.grenie@gmail.com>
@ -41,6 +41,14 @@
 #include "subnet.h"
 #include "xalloc.h"
 #ifdef HAVE_ARPA_NAMESER_H
 #include <arpa/nameser.h>
 #endif
 #ifdef HAVE_RESOLV_H
 #include <resolv.h>
 #endif
 bool do_purge = false;
 volatile bool running = false;
 #ifdef HAVE_PSELECT
@ -182,6 +190,12 @@ void terminate_connection(connection_t *c, bool report) {
 		closesocket(c->socket);
 	if(c->edge) {
 		if(!c->node) {
 			logger(LOG_ERR, "Connection to %s (%s) has an edge but node is NULL!", c->name, c->hostname);
 			// And that should never happen.
 			abort();
 		}
 		if(report && !tunnelserver)
 			send_del_edge(everyone, c->edge);
@ -494,6 +508,9 @@ int main_loop(void) {
 			avl_node_t *node;
 			logger(LOG_INFO, "Flushing event queue");
 			expire_events();
 #if HAVE_DECL_RES_INIT
 			res_init();
 #endif
 			for(node = connection_tree->head; node; node = node->next) {
 				connection_t *c = node->data;
 				if(c->status.active)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@ -1,7 +1,7 @@
 /*
    net_packet.c -- Handles in- and outgoing VPN packets
    Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2010      Timothy Redaelli <timothy@redaelli.eu>
                  2010      Brandon Black <blblack@gmail.com>
@ -269,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
 	HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
-	return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
+	return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
 }
 static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@ -302,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 		HMAC(n->indigest, n->inkey, n->inkeylength,
 			 (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
-		if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
+		if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
 			ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
 					   n->name, n->hostname);
 			return;
@ -664,7 +664,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
 	avl_node_t *node;
 	edge_t *e;
 	node_t *n = NULL;
 	bool hard = false;
 	static time_t last_hard_try = 0;
 	for(node = edge_weight_tree->head; node; node = node->next) {
@ -673,11 +672,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
 		if(e->to == myself)
 			continue;
-		if(sockaddrcmp_noport(from, &e->address)) {
+		if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
-			if(last_hard_try == now)
+			continue;
 				continue;
 			hard = true;
 		}
 		if(!try_mac(e->to, pkt))
 			continue;
@ -686,9 +682,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
 		break;
 	}
 	if(hard)
 		last_hard_try = now;
 	last_hard_try = now;
 	return n;
 }
--- a/src/net_setup.c
+++ b/src/net_setup.c
@ -1,7 +1,7 @@
 /*
    net_setup.c -- Setup.
    Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2006      Scott Lamb <slamb@slamb.org>
                  2010      Brandon Black <blblack@gmail.com>
@ -165,23 +165,25 @@ static bool read_rsa_private_key(void) {
 	char *fname, *key, *pubkey;
 	if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
 		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
 			logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
 			return false;
 		}
 		myself->connection->rsa_key = RSA_new();
 //		RSA_blinding_on(myself->connection->rsa_key, NULL);
 		if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
 			logger(LOG_ERR, "Invalid PrivateKey for myself!");
 			free(key);
 			return false;
 		}
 		free(key);
 		if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
 			logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
 			return false;
 		}
 		if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
 			logger(LOG_ERR, "Invalid PublicKey for myself!");
 			free(pubkey);
 			return false;
 		}
 		BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
 		free(key);
 		free(pubkey);
 		BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
 		return true;
 	}
@ -200,15 +202,12 @@ static bool read_rsa_private_key(void) {
 #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
 	struct stat s;
-	if(fstat(fileno(fp), &s)) {
+	if(!fstat(fileno(fp), &s)) {
-		logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
+		if(s.st_mode & ~0100700)
-				fname, strerror(errno));
+			logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
-		free(fname);
+	} else {
-		return false;
+		logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
 	}
 	if(s.st_mode & ~0100700)
 		logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
 #endif
 	myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
@ -299,10 +298,12 @@ char *get_name(void) {
 		if(!envname) {
 			if(strcmp(name + 1, "HOST")) {
 				fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
 				free(name);
 				return false;
 			}
 			if(gethostname(hostname, sizeof hostname) || !*hostname) {
 				fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
 				free(name);
 				return false;
 			}
 			hostname[31] = 0;
@ -340,6 +341,7 @@ static bool setup_myself(void) {
 	bool choice;
 	int i, err;
 	int replaywin_int;
 	bool port_specified = false;
 	myself = new_node();
 	myself->connection = new_connection();
@ -355,6 +357,8 @@ static bool setup_myself(void) {
 		return false;
 	}
 	/* Read tinc.conf and our own host config file */
 	myself->name = name;
 	myself->connection->name = xstrdup(name);
 	xasprintf(&fname, "%s/hosts/%s", confbase, name);
@ -367,6 +371,10 @@ static bool setup_myself(void) {
 	if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
 		myport = xstrdup("655");
 	else
 		port_specified = true;
 	/* Ensure myport is numeric */
 	if(!atoi(myport)) {
 		struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
@ -378,8 +386,7 @@ static bool setup_myself(void) {
 		sockaddr2str(&sa, NULL, &myport);
 	}
-	get_config_string(lookup_config(config_tree, "Proxy"), &proxy);
+	if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) {
 	if(proxy) {
 		if((space = strchr(proxy, ' ')))
 			*space++ = 0;
@ -397,6 +404,7 @@ static bool setup_myself(void) {
 			proxytype = PROXY_EXEC;
 		} else {
 			logger(LOG_ERR, "Unknown proxy type %s!", proxy);
 			free(proxy);
 			return false;
 		}
@ -408,6 +416,7 @@ static bool setup_myself(void) {
 			case PROXY_EXEC:
 				if(!space || !*space) {
 					logger(LOG_ERR, "Argument expected for proxy type exec!");
 					free(proxy);
 					return false;
 				}
 				proxyhost =  xstrdup(space);
@ -426,6 +435,7 @@ static bool setup_myself(void) {
 					*space++ = 0, proxypass = space;
 				if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
 					logger(LOG_ERR, "Host and port argument expected for proxy!");
 					free(proxy);
 					return false;
 				}
 				proxyhost = xstrdup(proxyhost);
@ -479,6 +489,7 @@ static bool setup_myself(void) {
 			routing_mode = RMODE_HUB;
 		else {
 			logger(LOG_ERR, "Invalid routing mode!");
 			free(mode);
 			return false;
 		}
 		free(mode);
@ -493,6 +504,7 @@ static bool setup_myself(void) {
 			forwarding_mode = FMODE_KERNEL;
 		else {
 			logger(LOG_ERR, "Invalid forwarding mode!");
 			free(mode);
 			return false;
 		}
 		free(mode);
@ -519,6 +531,7 @@ static bool setup_myself(void) {
 			broadcast_mode = BMODE_DIRECT;
 		else {
 			logger(LOG_ERR, "Invalid broadcast mode!");
 			free(mode);
 			return false;
 		}
 		free(mode);
@ -571,6 +584,7 @@ static bool setup_myself(void) {
 			addressfamily = AF_UNSPEC;
 		else {
 			logger(LOG_ERR, "Invalid address family!");
 			free(afname);
 			return false;
 		}
 		free(afname);
@ -580,8 +594,7 @@ static bool setup_myself(void) {
 	/* Generate packet encryption key */
-	if(get_config_string
+	if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
 	   (lookup_config(config_tree, "Cipher"), &cipher)) {
 		if(!strcasecmp(cipher, "none")) {
 			myself->incipher = NULL;
 		} else {
@ -589,9 +602,11 @@ static bool setup_myself(void) {
 			if(!myself->incipher) {
 				logger(LOG_ERR, "Unrecognized cipher type!");
 				free(cipher);
 				return false;
 			}
 		}
 		free(cipher);
 	} else
 		myself->incipher = EVP_bf_cbc();
@ -617,9 +632,12 @@ static bool setup_myself(void) {
 			if(!myself->indigest) {
 				logger(LOG_ERR, "Unrecognized digest type!");
 				free(digest);
 				return false;
 			}
 		}
 		free(digest);
 	} else
 		myself->indigest = EVP_sha1();
@ -683,6 +701,7 @@ static bool setup_myself(void) {
 		else if(!strcasecmp(type, "vde"))
 			devops = vde_devops;
 #endif
 		free(type);
 	}
 	if(!devops.setup())
@ -812,13 +831,27 @@ static bool setup_myself(void) {
 		} while(cfg);
 	}
-	if(listen_sockets)
+	if(!listen_sockets) {
 		logger(LOG_NOTICE, "Ready");
 	else {
 		logger(LOG_ERR, "Unable to create any listening socket!");
 		return false;
 	}
 	/* If no Port option was specified, set myport to the port used by the first listening socket. */
 	if(!port_specified) {
 		sockaddr_t sa;
 		socklen_t salen = sizeof sa;
 		if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) {
 			free(myport);
 			sockaddr2str(&sa, NULL, &myport);
 			if(!myport)
 				myport = xstrdup("655");
 		}
 	}
 	/* Done. */
 	logger(LOG_NOTICE, "Ready");
 	return true;
 }
--- a/src/net_socket.c
+++ b/src/net_socket.c
@ -1,7 +1,7 @@
 /*
    net_socket.c -- Handle various kinds of sockets.
    Copyright (C) 1998-2005 Ivo Timmermans,
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2006      Scott Lamb <slamb@slamb.org>
                  2009      Florian Forster <octo@verplant.org>
@ -87,20 +87,21 @@ static bool bind_to_interface(int sd) {
 	int status;
 #endif /* defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) */
-	if(!get_config_string (lookup_config (config_tree, "BindToInterface"), &iface))
+	if(!get_config_string(lookup_config (config_tree, "BindToInterface"), &iface))
 		return true;
 #if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
 	memset(&ifr, 0, sizeof(ifr));
 	strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
 	ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
 	free(iface);
 	status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr));
 	if(status) {
-		logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
+		logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
 				strerror(errno));
 		return false;
 	}
 #else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */
 	logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
 #endif
@ -135,20 +136,21 @@ int setup_listen_socket(const sockaddr_t *sa) {
 		setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
 #endif
-	if(get_config_string
+	if(get_config_string(lookup_config(config_tree, "BindToInterface"), &iface)) {
 	   (lookup_config(config_tree, "BindToInterface"), &iface)) {
 #if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
 		struct ifreq ifr;
 		memset(&ifr, 0, sizeof(ifr));
 		strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
 		ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
 		free(iface);
 		if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) {
 			closesocket(nfd);
-			logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
+			logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(sockerrno));
 				   strerror(sockerrno));
 			return -1;
 		}
 #else
 		logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
 #endif
@ -238,8 +240,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
 		option = 1;
 		setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option));
 	}
 #else
 #warning No way to disable IPv4 fragmentation
 #endif
 #if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
@ -252,8 +252,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
 		option = 1;
 		setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
 	}
 #else
 #warning No way to disable IPv6 fragmentation
 #endif
 	if (!bind_to_interface(nfd)) {
@ -311,7 +309,7 @@ static void do_outgoing_pipe(connection_t *c, char *command) {
 	if(fork()) {
 		c->socket = fd[0];
 		close(fd[1]);
-		logger(LOG_DEBUG, "Using proxy %s", command);
+		ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Using proxy %s", command);
 		return;
 	}
@ -407,7 +405,6 @@ begin:
 	if(!proxytype) {
 		c->socket = socket(c->address.sa.sa_family, SOCK_STREAM, IPPROTO_TCP);
 		configure_tcp(c);
 	} else if(proxytype == PROXY_EXEC) {
 		do_outgoing_pipe(c, proxyhost);
 	} else {
@ -416,7 +413,6 @@ begin:
 			goto begin;
 		ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
 		c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
 		configure_tcp(c);
 	}
 	if(c->socket == -1) {
@ -424,6 +420,9 @@ begin:
 		goto begin;
 	}
 	if(proxytype != PROXY_EXEC)
 		configure_tcp(c);
 #ifdef FD_CLOEXEC
 	fcntl(c->socket, F_SETFD, FD_CLOEXEC);
 #endif
--- a/src/pidfile.c
+++ b/src/pidfile.c
@ -46,7 +46,7 @@ pid_t read_pid (const char *pidfile)
  if(fscanf(f,"%20ld", &pid) != 1)
    pid = 0;
  fclose(f);
-  return pid;
+  return (pid_t)pid;
 }
 /* check_pid
--- a/src/protocol_auth.c
+++ b/src/protocol_auth.c
@ -1,7 +1,7 @@
 /*
    protocol_auth.c -- handle the meta-protocol, authentication
    Copyright (C) 1999-2005 Ivo Timmermans,
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -107,7 +107,7 @@ static bool send_proxyrequest(connection_t *c) {
 				i += 2;
 				c->tcplen += 22;
 			} else {
-				logger(LOG_ERR, "Address family %hx not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
+				logger(LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
 				return false;
 			}
 			if(i > len)
@ -215,7 +215,12 @@ bool send_metakey(connection_t *c) {
 	/* Copy random data to the buffer */
-	RAND_pseudo_bytes((unsigned char *)c->outkey, len);
+	if (1 != RAND_bytes((unsigned char *)c->outkey, len)) {
 		int err = ERR_get_error();
 		logger(LOG_ERR, "Failed to generate meta key (%s)", ERR_error_string(err, NULL));
 		return false;
 	}
 	/* The message we send must be smaller than the modulus of the RSA key.
 	   By definition, for a key of k bits, the following formula holds:
@ -391,7 +396,11 @@ bool send_challenge(connection_t *c) {
 	/* Copy random data to the buffer */
-	RAND_pseudo_bytes((unsigned char *)c->hischallenge, len);
+	if (1 != RAND_bytes((unsigned char *)c->hischallenge, len)) {
 		int err = ERR_get_error();
 		logger(LOG_ERR, "Failed to generate challenge (%s)", ERR_error_string(err, NULL));
 		return false; // Do not send predictable challenges, let connection attempt fail.
 	}
 	/* Convert to hex */
--- a/src/protocol_key.c
+++ b/src/protocol_key.c
@ -1,7 +1,7 @@
 /*
    protocol_key.c -- handle the meta-protocol, key exchange
    Copyright (C) 1999-2005 Ivo Timmermans,
-                  2000-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) {
 	/* Check if this key request is for us */
 	if(to == myself) {			/* Yes, send our own key back */
-		send_ans_key(from);
+		if (!send_ans_key(from))
 			return false;
 	} else {
 		if(tunnelserver)
 			return true;
@ -156,7 +157,12 @@ bool send_ans_key(node_t *to) {
 	to->inkey = xrealloc(to->inkey, to->inkeylength);
 	// Create a new key
-	RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength);
+	if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) {
 		int err = ERR_get_error();
 		logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL));
 		return false; // Do not send insecure keys, let connection attempt fail.
 	}
 	if(to->incipher)
 		EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);
--- a/src/raw_socket_device.c
+++ b/src/raw_socket_device.c
@ -1,7 +1,7 @@
 /*
    device.c -- raw socket
    Copyright (C) 2002-2005 Ivo Timmermans,
-                  2002-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2002-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -32,7 +32,7 @@
 #include "route.h"
 #include "xalloc.h"
-#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET)
+#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) && defined(SIOCGIFINDEX)
 static char *device_info;
 static uint64_t device_total_in = 0;
@ -62,20 +62,21 @@ static bool setup_device(void) {
 	memset(&ifr, 0, sizeof(ifr));
 	strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
 	ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
 	if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) {
 		close(device_fd);
-		logger(LOG_ERR, "Can't find interface %s: %s", iface,
+		logger(LOG_ERR, "Can't find interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
 			   strerror(errno));
 		return false;
 	}
-	memset(&sa, '0', sizeof(sa));
+	memset(&sa, 0, sizeof(sa));
 	sa.sll_family = AF_PACKET;
 	sa.sll_protocol = htons(ETH_P_ALL);
 	sa.sll_ifindex = ifr.ifr_ifindex;
 	if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) {
-		logger(LOG_ERR, "Could not bind %s to %s: %s", device, iface, strerror(errno));
+		logger(LOG_ERR, "Could not bind %s to %s: %s", device, ifr.ifr_ifrn.ifrn_name, strerror(errno));
 		return false;
 	}
--- a/src/route.c
+++ b/src/route.c
@ -1,7 +1,7 @@
 /*
    route.c -- routing
    Copyright (C) 2000-2005 Ivo Timmermans,
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -197,7 +197,7 @@ static void learn_mac(mac_t *address) {
 	/* If we don't know this MAC address yet, store it */
 	if(!subnet) {
-		ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx",
+		ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
 				   address->x[0], address->x[1], address->x[2], address->x[3],
 				   address->x[4], address->x[5]);
--- a/src/solaris/device.c
+++ b/src/solaris/device.c
@ -1,7 +1,8 @@
 /*
    device.c -- Interaction with Solaris tun device
    Copyright (C) 2001-2005 Ivo Timmermans,
-                  2001-2012 Guus Sliepen <guus@tinc-vpn.org>
+                  2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
                  2001-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -18,98 +19,258 @@
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "../system.h"
 #include <sys/stropts.h>
 #include <sys/sockio.h>
 #include <net/if_tun.h>
 #include "../conf.h"
 #include "../device.h"
 #include "../logger.h"
 #include "../net.h"
 #include "../route.h"
 #include "../utils.h"
 #include "../xalloc.h"
-#define DEFAULT_DEVICE "/dev/tun"
+#ifndef TUNNEWPPA
 #warning Missing net/if_tun.h, using hardcoded value for TUNNEWPPA
 #define TUNNEWPPA       (('T'<<16) | 0x0001)
 #endif
 #define DEFAULT_TUN_DEVICE "/dev/tun"
 #define DEFAULT_TAP_DEVICE "/dev/tap"
 static enum {
 	DEVICE_TYPE_TUN,
 	DEVICE_TYPE_TAP,
 } device_type = DEVICE_TYPE_TUN;
 int device_fd = -1;
-static int ip_fd = -1, if_fd = -1;
+static int if_fd = -1;
 static int ip_fd = -1;
 char *device = NULL;
 char *iface = NULL;
 static char *device_info = NULL;
-static uint64_t device_total_in = 0;
+uint64_t device_total_in = 0;
-static uint64_t device_total_out = 0;
+uint64_t device_total_out = 0;
 static bool setup_device(void) {
-	int ppa;
+	char *type;
 	char *ptr;
-	if(!get_config_string(lookup_config(config_tree, "Device"), &device))
+	if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
-		device = xstrdup(DEFAULT_DEVICE);
+		if(routing_mode == RMODE_ROUTER)
-
+			device = xstrdup(DEFAULT_TUN_DEVICE);
-	if((device_fd = open(device, O_RDWR | O_NONBLOCK)) < 0) {
+		else
-		logger(LOG_ERR, "Could not open %s: %s", device, strerror(errno));
+			device = xstrdup(DEFAULT_TAP_DEVICE);
 		return false;
 	}
-#ifdef FD_CLOEXEC
+	if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
-	fcntl(device_fd, F_SETFD, FD_CLOEXEC);
+		if(!strcasecmp(type, "tun"))
-#endif
+			/* use default */;
 		else if(!strcasecmp(type, "tap"))
 			device_type = DEVICE_TYPE_TAP;
 		else {
 			logger(LOG_ERR, "Unknown device type %s!", type);
 			return false;
 		}
 	} else {
 		if(strstr(device, "tap") || routing_mode != RMODE_ROUTER)
 			device_type = DEVICE_TYPE_TAP;
 	}
-	ppa = 0;
+	if(device_type == DEVICE_TYPE_TUN)
 		device_info = "Solaris tun device";
 	else
 		device_info = "Solaris tap device";
-	ptr = device;
+	/* The following is black magic copied from OpenVPN. */
 	while(*ptr && !isdigit((int) *ptr))
 		ptr++;
 	ppa = atoi(ptr);
 	if((ip_fd = open("/dev/ip", O_RDWR, 0)) < 0) {
-		logger(LOG_ERR, "Could not open /dev/ip: %s", strerror(errno));
+		logger(LOG_ERR, "Could not open %s: %s\n", "/dev/ip", strerror(errno));
 		return false;
 	}
-#ifdef FD_CLOEXEC
+	if((device_fd = open(device, O_RDWR, 0)) < 0) {
-	fcntl(ip_fd, F_SETFD, FD_CLOEXEC);
+		logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
-#endif
+		return false;
 	}
 	/* Get unit number. */
 	char *ptr = device;
 	get_config_string(lookup_config(config_tree, "Interface"), &ptr);
 	while(*ptr && !isdigit(*ptr))
 		ptr++;
 	int ppa = atoi(ptr);
 	/* Assign a new PPA and get its unit number. */
-	if((ppa = ioctl(device_fd, TUNNEWPPA, ppa)) < 0) {
+
-		logger(LOG_ERR, "Can't assign new interface: %s", strerror(errno));
+	struct strioctl strioc_ppa = {
-		return false;
+		.ic_cmd = TUNNEWPPA,
 		.ic_len = sizeof ppa,
 		.ic_dp = (char *)&ppa,
 	};
 	if(!*ptr) { /* no number given, try dynamic */
 		bool found = false;
 		while(!found && ppa < 64) {
 			int new_ppa = ioctl(device_fd, I_STR, &strioc_ppa);
 			if(new_ppa >= 0) {
 				ppa = new_ppa;
 				found = true;
 				break;
 			}
 			ppa++;
 		}
 		if(!found) {
 			logger(LOG_ERR, "Could not find free PPA for %s %s!", device_info, device);
 			return false;
 		}
 	} else { /* try this particular one */
 		if((ppa = ioctl(device_fd, I_STR, &strioc_ppa)) < 0) {
 			logger(LOG_ERR, "Could not assign PPA %d for %s %s!", ppa, device_info, device);
 			return false;
 		}
 	}
 	if((if_fd = open(device, O_RDWR, 0)) < 0) {
-		logger(LOG_ERR, "Could not open %s twice: %s", device,
+		logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
 			   strerror(errno));
 		return false;
 	}
 #ifdef FD_CLOEXEC
 	fcntl(if_fd, F_SETFD, FD_CLOEXEC);
 #endif
 	if(ioctl(if_fd, I_PUSH, "ip") < 0) {
-		logger(LOG_ERR, "Can't push IP module: %s", strerror(errno));
+		logger(LOG_ERR, "Could not push IP module onto %s %s!", device_info, device);
 		return false;
 	}
-	/* Assign ppa according to the unit number returned by tun device */
+	xasprintf(&iface, "%s%d", device_type == DEVICE_TYPE_TUN ? "tun" : "tap", ppa);
-	if(ioctl(if_fd, IF_UNITSEL, (char *) &ppa) < 0) {
+
-		logger(LOG_ERR, "Can't set PPA %d: %s", ppa, strerror(errno));
+	{
 		/* Remove muxes just in case they are left over from a crashed tincd */
 		struct lifreq ifr = {};
 		strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
 		if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
 			int muxid = ifr.lifr_arp_muxid;
 			ioctl(ip_fd, I_PUNLINK, muxid);
 			muxid = ifr.lifr_ip_muxid;
 			ioctl(ip_fd, I_PUNLINK, muxid);
 		}
 	}
 	if(device_type == DEVICE_TYPE_TUN) {
 		/* Assign ppa according to the unit number returned by tun device */
 		if(ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) {
 			logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
 			return false;
 		}
 	}
 	int arp_fd = -1;
 	if(device_type == DEVICE_TYPE_TAP) {
 		struct lifreq ifr = {};
 		if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
 			logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
 			return false;
 		}
 		strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
 		ifr.lifr_ppa = ppa;
 		/* Assign ppa according to the unit number returned by tun device */
 		if(ioctl(if_fd, SIOCSLIFNAME, &ifr) < 0) {
 			logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
 			return false;
 		}
 		if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
 			logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
 			return false;
 		}
 		/* Push arp module to if_fd */
 		if(ioctl(if_fd, I_PUSH, "arp") < 0) {
 			logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
 			return false;
 		}
 		/* Pop any modules on the stream */
 		while(true) {
 			if(ioctl(ip_fd, I_POP, NULL) < 0)
 				break;
 		}
 		/* Push arp module to ip_fd */
 		if(ioctl(ip_fd, I_PUSH, "arp") < 0) {
 			logger(LOG_ERR, "Could not push ARP module onto %s!", "/dev/ip");
 			return false;
 		}
 		/* Open arp_fd */
 		if((arp_fd = open(device, O_RDWR, 0)) < 0) {
 			logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
 			return false;
 		}
 		/* Push arp module to arp_fd */
 		if(ioctl(arp_fd, I_PUSH, "arp") < 0) {
 			logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
 			return false;
 		}
 		/* Set ifname to arp */
 		struct strioctl strioc_if = {
 			.ic_cmd = SIOCSLIFNAME,
 			.ic_len = sizeof ifr,
 			.ic_dp = (char *)&ifr,
 		};
 		if(ioctl(arp_fd, I_STR, &strioc_if) < 0) {
 			logger(LOG_ERR, "Could not set ifname to %s %s", device_info, device);
 			return false;
 		}
 	}
 	int ip_muxid, arp_muxid;
 	if((ip_muxid = ioctl(ip_fd, I_PLINK, if_fd)) < 0) {
 		logger(LOG_ERR, "Could not link %s %s to IP", device_info, device);
 		return false;
 	}
-	if(ioctl(ip_fd, I_LINK, if_fd) < 0) {
+	if(device_type == DEVICE_TYPE_TAP) {
-		logger(LOG_ERR, "Can't link TUN device to IP: %s", strerror(errno));
+		if((arp_muxid = ioctl(ip_fd, I_PLINK, arp_fd)) < 0) {
 			logger(LOG_ERR, "Could not link %s %s to ARP", device_info, device);
 			return false;
 		}
 		close(arp_fd);
 	}
 	struct lifreq ifr = {};
 	strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
 	ifr.lifr_ip_muxid = ip_muxid;
 	if(device_type == DEVICE_TYPE_TAP) {
 		ifr.lifr_arp_muxid = arp_muxid;
 	}
 	if(ioctl(ip_fd, SIOCSLIFMUXID, &ifr) < 0) {
 		if(device_type == DEVICE_TYPE_TAP) {
 			ioctl(ip_fd, I_PUNLINK, arp_muxid);
 		}
 		ioctl(ip_fd, I_PUNLINK, ip_muxid);
 		logger(LOG_ERR, "Could not set multiplexor id for %s %s", device_info, device);
 		return false;
 	}
-	if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
+	close(if_fd);
 		xasprintf(&iface, "tun%d", ppa);
-	device_info = "Solaris tun device";
+#ifdef FD_CLOEXEC
 	fcntl(device_fd, F_SETFD, FD_CLOEXEC);
 	fcntl(ip_fd, F_SETFD, FD_CLOEXEC);
 #endif
 	logger(LOG_INFO, "%s is a %s", device, device_info);
@ -117,7 +278,17 @@ static bool setup_device(void) {
 }
 static void close_device(void) {
-	close(if_fd);
+	if(iface) {
 		struct lifreq ifr = {};
 		strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
 		if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
 			int muxid = ifr.lifr_arp_muxid;
 			ioctl(ip_fd, I_PUNLINK, muxid);
 			muxid = ifr.lifr_ip_muxid;
 			ioctl(ip_fd, I_PUNLINK, muxid);
 		}
 	}
 	close(ip_fd);
 	close(device_fd);
@ -126,49 +297,73 @@ static void close_device(void) {
 }
 static bool read_packet(vpn_packet_t *packet) {
-	int lenin;
+	int inlen;
-	if((lenin = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
+	switch(device_type) {
-		logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
+		case DEVICE_TYPE_TUN:
-			   device, strerror(errno));
+			if((inlen = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
-		return false;
+				logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
-	}
+				return false;
 			}
-	switch(packet->data[14] >> 4) {
+			switch(packet->data[14] >> 4) {
-		case 4:
+				case 4:
-			packet->data[12] = 0x08;
+					packet->data[12] = 0x08;
-			packet->data[13] = 0x00;
+					packet->data[13] = 0x00;
 					break;
 				case 6:
 					packet->data[12] = 0x86;
 					packet->data[13] = 0xDD;
 					break;
 				default:
 					ifdebug(TRAFFIC) logger(LOG_ERR, "Unknown IP version %d while reading packet from %s %s", packet->data[14] >> 4, device_info, device);
 					return false;
 			}
 			memset(packet->data, 0, 12);
 			packet->len = inlen + 14;
 			break;
-		case 6:
+
-			packet->data[12] = 0x86;
+		case DEVICE_TYPE_TAP:
-			packet->data[13] = 0xDD;
+			if((inlen = read(device_fd, packet->data, MTU)) <= 0) {
 				logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
 				return false;
 			}
 			packet->len = inlen + 14;
 			break;
 		default:
-			ifdebug(TRAFFIC) logger(LOG_ERR,
+			abort();
 					   "Unknown IP version %d while reading packet from %s %s",
 					   packet->data[14] >> 4, device_info, device);
 			return false;
 	}
 	memset(packet->data, 0, 12);
 	packet->len = lenin + 14;
 	device_total_in += packet->len;
-	ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len,
+	ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, device_info);
 			   device_info);
 	return true;
 }
 static bool write_packet(vpn_packet_t *packet) {
-	ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s",
+	ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", packet->len, device_info);
 			   packet->len, device_info);
-	if(write(device_fd, packet->data + 14, packet->len - 14) < 0) {
+	switch(device_type) {
-		logger(LOG_ERR, "Can't write to %s %s: %s", device_info,
+		case DEVICE_TYPE_TUN:
-			   device, strerror(errno));
+			if(write(device_fd, packet->data + 14, packet->len - 14) < 0) {
-		return false;
+				logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
 				return false;
 			}
 			break;
 		case DEVICE_TYPE_TAP:
 			if(write(device_fd, packet->data, packet->len) < 0) {
 				logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
 				return false;
 			}
 			break;
 		default:
 			abort();
 	}
 	device_total_out += packet->len;
--- a/src/subnet.c
+++ b/src/subnet.c
@ -1,6 +1,6 @@
 /*
    subnet.c -- handle subnet lookups and lists
-    Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
                  2000-2005 Ivo Timmermans
    This program is free software; you can redistribute it and/or modify
@ -351,7 +351,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
 	switch (subnet->type) {
 		case SUBNET_MAC:
-			snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx#%d",
+			snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d",
 					 subnet->net.mac.address.x[0],
 					 subnet->net.mac.address.x[1],
 					 subnet->net.mac.address.x[2],
@ -362,7 +362,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
 			break;
 		case SUBNET_IPV4:
-			snprintf(netstr, len, "%hu.%hu.%hu.%hu/%d#%d",
+			snprintf(netstr, len, "%u.%u.%u.%u/%d#%d",
 					 subnet->net.ipv4.address.x[0],
 					 subnet->net.ipv4.address.x[1],
 					 subnet->net.ipv4.address.x[2],
@ -372,7 +372,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
 			break;
 		case SUBNET_IPV6:
-			snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d",
+			snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d",
 					 ntohs(subnet->net.ipv6.address.x[0]),
 					 ntohs(subnet->net.ipv6.address.x[1]),
 					 ntohs(subnet->net.ipv6.address.x[2]),
--- a/src/tincd.c
+++ b/src/tincd.c
@ -1,7 +1,7 @@
 /*
    tincd.c -- the main file for tincd
    Copyright (C) 1998-2005 Ivo Timmermans
-                  2000-2013 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
                  2008      Max Rijevski <maksuf@gmail.com>
                  2009      Michael Tokarev <mjt@tls.msk.ru>
                  2010      Julien Muchembled <jm@jmuchemb.eu>
@ -162,6 +162,11 @@ static bool parse_options(int argc, char **argv) {
 				break;
 			case 'c':				/* config file */
 				if(confbase) {
 					fprintf(stderr, "Only one configuration directory can be given.\n");
 					usage(true);
 					return false;
 				}
 				confbase = xstrdup(optarg);
 				break;
@ -229,6 +234,11 @@ static bool parse_options(int argc, char **argv) {
 			case 'n':				/* net name given */
 				/* netname "." is special: a "top-level name" */
 				if(netname) {
 					fprintf(stderr, "Only one netname can be given.\n");
 					usage(true);
 					return false;
 				}
 				netname = strcmp(optarg, ".") != 0 ? xstrdup(optarg) : NULL;
 				break;
@ -281,11 +291,22 @@ static bool parse_options(int argc, char **argv) {
 				use_logfile = true;
 				if(!optarg && optind < argc && *argv[optind] != '-')
 					optarg = argv[optind++];
-				if(optarg)
+				if(optarg) {
 					if(logfilename) {
 						fprintf(stderr, "Only one logfile can be given.\n");
 						usage(true);
 						return false;
 					}
 					logfilename = xstrdup(optarg);
 				}
 				break;
 			case 5:					/* write PID to a file */
 				if(pidfilename) {
 					fprintf(stderr, "Only one pidfile can be given.\n");
 					usage(true);
 					return false;
 				}
 				pidfilename = xstrdup(optarg);
 				break;
@ -350,7 +371,6 @@ static void indicator(int a, int b, void *p) {
 static bool keygen(int bits) {
 	RSA *rsa_key;
 	FILE *f;
 	char *name = get_name();
 	char *pubname, *privname;
 	fprintf(stderr, "Generating %d bits keys:\n", bits);
@ -378,10 +398,14 @@ static bool keygen(int bits) {
 	PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
 	fclose(f);
-	if(name)
+	char *name = get_name();
 	if(name) {
 		xasprintf(&pubname, "%s/hosts/%s", confbase, name);
-	else
+		free(name);
 	} else {
 		xasprintf(&pubname, "%s/rsa_key.pub", confbase);
 	}
 	f = ask_and_open(pubname, "public RSA key");
 	free(pubname);
@ -392,7 +416,6 @@ static bool keygen(int bits) {
 	fputc('\n', f);
 	PEM_write_RSAPublicKey(f, rsa_key);
 	fclose(f);
 	free(name);
 	return true;
 }
@ -526,7 +549,7 @@ int main(int argc, char **argv) {
 	if(show_version) {
 		printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
 			   VERSION, __DATE__, __TIME__, PROT_CURRENT);
-		printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n"
+		printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
 				"See the AUTHORS file for a complete list.\n\n"
 				"tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,\n"
 				"and you are welcome to redistribute it under certain conditions;\n"
--- a/src/utils.c
+++ b/src/utils.c
@ -1,7 +1,7 @@
 /*
    utils.c -- gathering of some stupid small functions
    Copyright (C) 1999-2005 Ivo Timmermans
-                  2000-2009 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -78,3 +78,18 @@ unsigned int bitfield_to_int(const void *bitfield, size_t size) {
 	memcpy(&value, bitfield, size);
 	return value;
 }
 /**
 * As memcmp(), but constant-time.
 * Returns 0 when data is equal, non-zero otherwise.
 */
 int memcmp_constant_time (const void *a, const void *b, size_t size) {
  const uint8_t *a1 = a, *b1 = b;
  int ret = 0;
  size_t i;
  for (i = 0; i < size; i++)
      ret |= *a1++ ^ *b1++;
  return ret;
 }
--- a/src/utils.h
+++ b/src/utils.h
@ -1,7 +1,7 @@
 /*
    utils.h -- header file for utils.c
    Copyright (C) 1999-2005 Ivo Timmermans
-                  2000-2009 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2014 Guus Sliepen <guus@tinc-vpn.org>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -42,4 +42,6 @@ extern const char *winerror(int);
 extern unsigned int bitfield_to_int(const void *bitfield, size_t size);
 int memcmp_constant_time (const void *a, const void *b, size_t size);
 #endif							/* __TINC_UTILS_H__ */
--- a/src/xmalloc.c
+++ b/src/xmalloc.c
@ -113,6 +113,9 @@ char *xstrdup(const char *s)
 {
  char *p;
  if(!s)
    return NULL;
  p = strdup(s);
  if(!p)
    xalloc_fail ((int)strlen(s));