diff --git a/COPYING b/COPYING index 1a88dcf..1384f46 100644 --- a/COPYING +++ b/COPYING @@ -1,4 +1,4 @@ -Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others. +Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others. See the AUTHORS file for a complete list. This program is free software; you can redistribute it and/or modify it under diff --git a/ChangeLog b/ChangeLog index f2f43d9..041bf3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,26 @@ +Version 1.0.36 August 26 2019 +------------------------------------------------------------------------ + +Guus Sliepen (8): + Remove the call to RAND_load_file(). + Update THANKS. + Backport tinc 1.1's str2net() function. + Update THANKS. + Fix spelling errors found by codespell. + Reformat all code using astyle. + Add a missing check for a pathname being too long. + Releasing 1.0.36. + +Rosen Penev (2): + Fix compilation when OpenSSL has no ENGINE support + Fix compilation without deprecated OpenSSL APIs + +Quentin Rameau (1): + Double-quote nodes in graphviz network file + +Werner Schreiber (1): + Fix segfault when dest->mtu is 0. + Version 1.0.35 October 05 2018 ------------------------------------------------------------------------ diff --git a/Makefile.in b/Makefile.in index 526846b..e1f2745 100644 --- a/Makefile.in +++ b/Makefile.in @@ -166,7 +166,7 @@ CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in AUTHORS \ COPYING ChangeLog INSTALL NEWS README THANKS compile \ - config.guess config.sub install-sh missing + config.guess config.sub depcomp install-sh missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff --git a/NEWS b/NEWS index 4a342f7..c587e87 100644 --- a/NEWS +++ b/NEWS 
@@ -1,7 +1,21 @@ +Version 1.0.36 August 26 2019 + + * Fix compiling tinc with certain versions of the OpenSSL library. + * Fix parsing some IPv6 addresses with :: in them. + * Fix GraphDumpFile output to handle node names starting with a digit. + * Fix a potential segmentation fault when fragmenting packets. + +Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their +contributions to this version of tinc. + Version 1.0.35 October 5 2018 * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738). * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758). + * Minor fixes in the documentation. + +Thanks to Amine Amri and Rafael Sadowski for their contributions to this +version of tinc. Version 1.0.34 June 12 2018 diff --git a/README b/README index f47cc29..127cde2 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ -This is the README file for tinc version 1.0.35. Installation +This is the README file for tinc version 1.0.36. Installation instructions may be found in the INSTALL file. -tinc is Copyright (C) 1998-2018 by: +tinc is Copyright (C) 1998-2019 by: Ivo Timmermans, Guus Sliepen , diff --git a/THANKS b/THANKS index d6f4af7..a0f7966 100644 --- a/THANKS +++ b/THANKS @@ -22,6 +22,7 @@ We would like to thank the following people for their contributions to tinc: * Delf Eldkraft * Dennis Joachimsthaler * dnk +* Егор Палкин * Élie Bouttier * Enrique Zanardi * Erik Tews @@ -42,6 +43,7 @@ We would like to thank the following people for their contributions to tinc: * James Cook * James MacLean * Jamie Briggs +* Jan Štembera * Jason Harper * Jason Livesay * Jasper Krijgsman @@ -71,6 +73,7 @@ We would like to thank the following people for their contributions to tinc: * Max Rijevski * Menno Smits * Mesar Hameed +* Michael Taylor * Michael Tokarev * Michael Yonli * Miles Nordin 
@@ -82,10 +85,12 @@ We would like to thank the following people for their contributions to tinc: * Philipp Babel * Pierre Emeriaud * Pierre-Olivier Mercier +* Rafael Wolf * Rafael Sadowski * Rafał Leśniak * Rhosyn Celyn * Robert van der Meulen +* Robert Waniek * Rumko * Ryan Miller * Sam Bryan @@ -104,6 +109,7 @@ We would like to thank the following people for their contributions to tinc: * Tonnerre Lombard * Ulrich Seifert * Vil Brekin +* Vincent Laurent * Vittorio Gambaletta * Wendy Willard * Wessel Dankers diff --git a/configure b/configure index 26dd965..7828190 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tinc 1.0.35. +# Generated by GNU Autoconf 2.69 for tinc 1.0.36. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='tinc' PACKAGE_TARNAME='tinc' -PACKAGE_VERSION='1.0.35' -PACKAGE_STRING='tinc 1.0.35' +PACKAGE_VERSION='1.0.36' +PACKAGE_STRING='tinc 1.0.36' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1321,7 +1321,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tinc 1.0.35 to adapt to many kinds of systems. +\`configure' configures tinc 1.0.36 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1392,7 +1392,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tinc 1.0.35:";; + short | recursive ) echo "Configuration of tinc 1.0.36:";; esac cat <<\_ACEOF @@ -1509,7 +1509,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tinc configure 1.0.35 +tinc configure 1.0.36 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1974,7 +1974,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tinc $as_me 1.0.35, which was +It was created by tinc $as_me 1.0.36, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2838,7 +2838,7 @@ fi # Define the identity of the package. PACKAGE='tinc' - VERSION='1.0.35' + VERSION='1.0.36' cat >>confdefs.h <<_ACEOF @@ -7333,7 +7333,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tinc $as_me 1.0.35, which was +This file was extended by tinc $as_me 1.0.36, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -7399,7 +7399,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tinc config.status 1.0.35 +tinc config.status 1.0.36 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 6de0313..ca2948a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([tinc], [1.0.35]) +AC_INIT([tinc], [1.0.36]) AC_CONFIG_SRCDIR([src/tincd.c]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall]) AC_CONFIG_HEADERS([config.h]) @@ -237,7 +237,7 @@ AC_ARG_ENABLE(jumbograms, ] ) -dnl Ensure runstatedir is set if we are using a version of autoconf that does not suppport it +dnl Ensure runstatedir is set if we are using a version of autoconf that does not support it if test "x$runstatedir" = "x"; then AC_SUBST([runstatedir], ['${localstatedir}/run']) fi diff --git a/doc/tinc.info b/doc/tinc.info index 97caea4..44720f3 100644 
--- a/doc/tinc.info +++ b/doc/tinc.info @@ -1,14 +1,14 @@ -This is tinc.info, produced by makeinfo version 6.5 from tinc.texi. +This is tinc.info, produced by makeinfo version 6.6 from tinc.texi. INFO-DIR-SECTION Networking tools START-INFO-DIR-ENTRY * tinc: (tinc). The tinc Manual. END-INFO-DIR-ENTRY -This is the info manual for tinc version 1.0.35, a Virtual Private +This is the info manual for tinc version 1.0.36, a Virtual Private Network daemon. - Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen + Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and Wessel Dankers . Permission is granted to make and distribute verbatim copies of this @@ -117,10 +117,10 @@ for both the receiving and sending end, it has become largely runtime-configurable--in short, it has become a full-fledged professional package. - Tinc also allows more than two sites to connect to eachother and form -a single VPN. Traditionally VPNs are created by making tunnels, which -only have two endpoints. Larger VPNs with more sites are created by -adding more tunnels. Tinc takes another approach: only endpoints are + Tinc also allows more than two sites to connect to each other and +form a single VPN. Traditionally VPNs are created by making tunnels, +which only have two endpoints. Larger VPNs with more sites are created +by adding more tunnels. Tinc takes another approach: only endpoints are specified, the software itself will take care of creating the tunnels. This allows for easier configuration and improved scalability. 
@@ -2278,7 +2278,7 @@ address these issues in tinc 2.0. Cryptography is a hard thing to get right. We cannot make any guarantees. Time, review and feedback are the only things that can prove the security of any cryptographic product. If you wish to review -tinc or give us feedback, you are stronly encouraged to do so. +tinc or give us feedback, you are strongly encouraged to do so.  File: tinc.info, Node: Platform specific information, Next: About us, Prev: Technical information, Up: Top 
@@ -2720,66 +2720,66 @@ Node: Top806 Node: Introduction1105 Node: Virtual Private Networks1915 Node: tinc3639 -Node: Supported platforms5166 -Node: Preparations5867 -Node: Configuring the kernel6123 -Node: Configuration of Linux kernels6533 -Node: Configuration of FreeBSD kernels7388 -Node: Configuration of OpenBSD kernels7853 -Node: Configuration of NetBSD kernels8210 -Node: Configuration of Solaris kernels8615 -Node: Configuration of Darwin (Mac OS X) kernels9278 -Node: Configuration of Windows10097 -Node: Libraries10637 -Node: LibreSSL/OpenSSL11046 -Node: zlib13588 -Node: lzo14617 -Node: Installation15600 -Node: Building and installing tinc16510 -Node: Darwin (Mac OS X) build environment17170 -Node: Cygwin (Windows) build environment17735 -Node: MinGW (Windows) build environment18324 -Node: System files18918 -Node: Device files19183 -Node: Other files19599 -Node: Configuration20212 -Node: Configuration introduction20523 -Node: Multiple networks21791 -Node: How connections work23217 -Node: Configuration files24439 -Node: Main configuration variables25933 -Node: Host configuration variables42189 -Node: Scripts47721 -Node: How to configure50987 -Node: Generating keypairs52245 -Node: Network interfaces52744 -Node: Example configuration54592 -Node: Running tinc59917 -Node: Runtime options60507 -Node: Signals64136 -Node: Debug levels65327 -Node: Solving problems66263 -Node: Error messages67815 -Node: Sending bug reports71824 -Node: Technical information72771 -Node: The connection73002 -Node: The UDP tunnel73314 -Node: The meta-connection76366 -Node: The meta-protocol77835 -Node: Security82852 -Node: Authentication protocol83994 -Node: Encryption of network packets89039 -Node: Security issues90415 -Node: Platform specific information92054 -Node: Interface configuration92314 -Node: Routes94610 -Node: Automatically starting tinc96660 -Node: Linux96883 -Node: Windows98104 -Node: Other platforms98609 -Node: About us98891 -Node: Contact information99066 -Node: Authors99469 
-Node: Concept Index99874 +Node: Supported platforms5167 +Node: Preparations5868 +Node: Configuring the kernel6124 +Node: Configuration of Linux kernels6534 +Node: Configuration of FreeBSD kernels7389 +Node: Configuration of OpenBSD kernels7854 +Node: Configuration of NetBSD kernels8211 +Node: Configuration of Solaris kernels8616 +Node: Configuration of Darwin (Mac OS X) kernels9279 +Node: Configuration of Windows10098 +Node: Libraries10638 +Node: LibreSSL/OpenSSL11047 +Node: zlib13589 +Node: lzo14618 +Node: Installation15601 +Node: Building and installing tinc16511 +Node: Darwin (Mac OS X) build environment17171 +Node: Cygwin (Windows) build environment17736 +Node: MinGW (Windows) build environment18325 +Node: System files18919 +Node: Device files19184 +Node: Other files19600 +Node: Configuration20213 +Node: Configuration introduction20524 +Node: Multiple networks21792 +Node: How connections work23218 +Node: Configuration files24440 +Node: Main configuration variables25934 +Node: Host configuration variables42190 +Node: Scripts47722 +Node: How to configure50988 +Node: Generating keypairs52246 +Node: Network interfaces52745 +Node: Example configuration54593 +Node: Running tinc59918 +Node: Runtime options60508 +Node: Signals64137 +Node: Debug levels65328 +Node: Solving problems66264 +Node: Error messages67816 +Node: Sending bug reports71825 +Node: Technical information72772 +Node: The connection73003 +Node: The UDP tunnel73315 +Node: The meta-connection76367 +Node: The meta-protocol77836 +Node: Security82853 +Node: Authentication protocol83995 +Node: Encryption of network packets89040 +Node: Security issues90416 +Node: Platform specific information92056 +Node: Interface configuration92316 +Node: Routes94612 +Node: Automatically starting tinc96662 +Node: Linux96885 +Node: Windows98106 +Node: Other platforms98611 +Node: About us98893 +Node: Contact information99068 +Node: Authors99471 +Node: Concept Index99876  End Tag Table 
diff --git a/doc/tinc.texi b/doc/tinc.texi index b1f5d9d..0420e6f 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -15,7 +15,7 @@ This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2018 Ivo Timmermans, +Copyright @copyright{} 1998-2019 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -39,7 +39,7 @@ permission notice identical to this one. @vskip 0pt plus 1filll This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. -Copyright @copyright{} 1998-2018 Ivo Timmermans, +Copyright @copyright{} 1998-2019 Ivo Timmermans, Guus Sliepen and Wessel Dankers . @@ -155,7 +155,7 @@ professional package. @cindex traditional VPNs @cindex scalability -Tinc also allows more than two sites to connect to eachother and form a single VPN. +Tinc also allows more than two sites to connect to each other and form a single VPN. Traditionally VPNs are created by making tunnels, which only have two endpoints. Larger VPNs with more sites are created by adding more tunnels. Tinc takes another approach: only endpoints are specified, @@ -2433,7 +2433,7 @@ We will address these issues in tinc 2.0. Cryptography is a hard thing to get right. We cannot make any guarantees. Time, review and feedback are the only things that can prove the security of any cryptographic product. If you wish to review -tinc or give us feedback, you are stronly encouraged to do so. +tinc or give us feedback, you are strongly encouraged to do so. @c ================================================================== diff --git a/doc/tincinclude.texi b/doc/tincinclude.texi index 93d7ad2..b784882 100644 --- a/doc/tincinclude.texi +++ b/doc/tincinclude.texi @@ -1,4 +1,4 @@ -@set VERSION 1.0.35 +@set VERSION 1.0.36 @set PACKAGE tinc @set sysconfdir /etc @set localstatedir /var diff --git a/src/conf.c b/src/conf.c index 58d7b6d..3f81877 100644 --- a/src/conf.c +++ b/src/conf.c 
@@ -467,9 +467,14 @@ static void disable_old_keys(const char *filename) { return; } - snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename); + int len = snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename); - w = fopen(tmpfile, "w"); + if(len < 0 || len >= PATH_MAX) { + fprintf(stderr, "Pathname too long: %s.tmp\n", filename); + w = NULL; + } else { + w = fopen(tmpfile, "w"); + } while(fgets(buf, sizeof(buf), r)) { if(!strncmp(buf, "-----BEGIN RSA", 14)) { diff --git a/src/connection.c b/src/connection.c index 38b3ccf..d137af1 100644 --- a/src/connection.c +++ b/src/connection.c @@ -96,13 +96,13 @@ void free_connection_partially(connection_t *c) { c->outbudget = 0; if(c->inctx) { - EVP_CIPHER_CTX_cleanup(c->inctx); + EVP_CIPHER_CTX_reset(c->inctx); free(c->inctx); c->inctx = NULL; } if(c->outctx) { - EVP_CIPHER_CTX_cleanup(c->outctx); + EVP_CIPHER_CTX_reset(c->outctx); free(c->outctx); c->outctx = NULL; } diff --git a/src/connection.h b/src/connection.h index 629e16b..d619e85 100644 --- a/src/connection.h +++ b/src/connection.h @@ -24,6 +24,10 @@ #include #include +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_cleanup(c) +#endif + #include "avl_tree.h" #define OPTION_INDIRECT 0x0001 diff --git a/src/graph.c b/src/graph.c index 3529d01..c63fdf9 100644 --- a/src/graph.c +++ b/src/graph.c @@ -360,13 +360,13 @@ void dump_graph(void) { /* dump all nodes first */ for(node = node_tree->head; node; node = node->next) { n = node->data; - fprintf(file, " %s [label = \"%s\"];\n", n->name, n->name); + fprintf(file, " \"%s\" [label = \"%s\"];\n", n->name, n->name); } /* now dump all edges */ for(node = edge_weight_tree->head; node; node = node->next) { e = node->data; - fprintf(file, " %s -> %s;\n", e->from->name, e->to->name); + fprintf(file, " \"%s\" -> \"%s\";\n", e->from->name, e->to->name); } fprintf(file, "}\n"); diff --git a/src/net_setup.c b/src/net_setup.c index cac7455..f26007b 100644 --- a/src/net_setup.c 
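Review bot: The new length check compares `len` against `PATH_MAX` instead of the buffer the snprintf actually wrote into, so it is only correct while `tmpfile` happens to be declared with exactly that size (its declaration, like the rest of disable_old_keys, lies outside the hunk). Tying the test to the buffer avoids a silent mismatch if either side changes: `if(len < 0 || (size_t)len >= sizeof(tmpfile)) {`. Leaving `w` NULL on the error path seems to reuse the existing fopen-failure handling, which is fine only if the loop below guards every write with an `if(w …)`; that guard is not visible here and is worth confirming. A short comment such as `/* snprintf returns the untruncated length; >= sizeof(tmpfile) means the name was cut off */` would record why `>=` rather than `>` is needed.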
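Review bot: `EVP_CIPHER_CTX_reset()` followed by a plain `free()` of `c->inctx` mixes the OpenSSL 1.1 API with libc deallocation; if the context is obtained from `EVP_CIPHER_CTX_new()` (the allocation site is not in this diff), the matching release is `EVP_CIPHER_CTX_free(c->inctx);`, which resets and frees through OpenSSL's own allocator in one call and exists on pre-1.1 releases too. The same applies to the `c->outctx` branch a few lines below. As written it only works because `OPENSSL_free` is `free()` on most builds, which is an assumption the code should not depend on. free_connection_partially begins before the hunk.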
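Review bot: The `OPENSSL_VERSION_NUMBER < 0x10100000L` guard assumes any library reporting a 1.1-or-later number provides `EVP_CIPHER_CTX_reset()`, but LibreSSL reports `0x20000000L` and, as far as I recall, only gained that function in 2.7, so older LibreSSL builds would fail to link with the shim disabled; since the manual on this page still lists LibreSSL as supported, the guard may need a `LIBRESSL_VERSION_NUMBER` clause, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)`. The same version test guards `OpenSSL_add_all_algorithms()` and the `EVP_cleanup()`/`ERR_free_strings()` block in the two src/tincd.c hunks and would need the same adjustment. A one-line comment above the macro, `/* EVP_CIPHER_CTX_reset() replaced EVP_CIPHER_CTX_cleanup() in OpenSSL 1.1.0 */`, would explain the shim to the next reader.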
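Review bot: Double-quoting the identifiers makes names that begin with a digit legal graphviz IDs, but the quoted form is only well-formed while `n->name` cannot contain `"` or `\`, and nothing in this hunk enforces that; presumably tinc's node-name validation elsewhere (check_id()) is what guarantees it, and that dependency deserves a comment at the first fprintf: `/* Quote IDs: names may start with a digit; check_id() ensures no '"' or '\\' inside */`. If names can ever carry other characters, escaping them here rather than relying on upstream validation would be the robust fix. dump_graph's body starts before the hunk.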
+++ b/src/net_setup.c @@ -27,6 +27,7 @@ #include #include #include +#include #include "avl_tree.h" #include "conf.h" diff --git a/src/route.c b/src/route.c index 850a146..f8b11bb 100644 --- a/src/route.c +++ b/src/route.c @@ -581,7 +581,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t et ifdebug(TRAFFIC) logger(LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname); offset = packet->data + ether_size + ip_size; - maxlen = (dest->mtu - ether_size - ip_size) & ~0x7; + maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7; ip_off = ntohs(ip.ip_off); origf = ip_off & ~IP_OFFMASK; ip_off &= IP_OFFMASK; diff --git a/src/subnet.c b/src/subnet.c index dc30b01..154fd80 100644 --- a/src/subnet.c +++ b/src/subnet.c @@ -1,6 +1,6 @@ /* subnet.c -- handle subnet lookups and lists - Copyright (C) 2000-2014 Guus Sliepen , + Copyright (C) 2000-2019 Guus Sliepen , 2000-2005 Ivo Timmermans This program is free software; you can redistribute it and/or modify 
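Review bot: `MAX(dest->mtu, 590)` keeps the subtraction on this line from going below zero when `dest->mtu` is still 0, but 590 is a bare magic number and nothing records why that floor was chosen or that the MTU can legitimately be zero here (presumably before probing has completed). Please hoist it into a named constant with a comment, e.g. `enum { MIN_FRAG_MTU = 590 }; /* floor for dest->mtu while it is still 0 */` and `maxlen = (MAX(dest->mtu, MIN_FRAG_MTU) - ether_size - ip_size) & ~0x7;`. The ChangeLog entry on this page ties the change to a segfault when `dest->mtu` is 0, so a comment naming that failure mode would help whoever next touches the fragmenter. fragment_ipv4_packet's body begins before the hunk.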
@@ -205,177 +205,162 @@ void subnet_del(node_t *n, subnet_t *subnet) { /* Ascii representation of subnets */ bool str2net(subnet_t *subnet, const char *subnetstr) { - int i, l; - uint16_t x[8]; + char str[1024]; + strncpy(str, subnetstr, sizeof(str)); + str[sizeof(str) - 1] = 0; + int consumed; + int weight = 10; + char *weight_separator = strchr(str, '#'); - if(sscanf(subnetstr, "%hu.%hu.%hu.%hu/%d#%d", - &x[0], &x[1], &x[2], &x[3], &l, &weight) >= 5) { - if(l < 0 || l > 32) { + if(weight_separator) { + char *weight_str = weight_separator + 1; + + if(sscanf(weight_str, "%d%n", &weight, &consumed) < 1) { return false; } - subnet->type = SUBNET_IPV4; - subnet->net.ipv4.prefixlength = l; - subnet->weight = weight; - - for(i = 0; i < 4; i++) { - if(x[i] > 255) { - return false; - } - - subnet->net.ipv4.address.x[i] = x[i]; - } - - return true; - } - - if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d", - &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], - &l, &weight) >= 9) { - if(l < 0 || l > 128) { + if(weight_str[consumed]) { return false; } - subnet->type = SUBNET_IPV6; - subnet->net.ipv6.prefixlength = l; - subnet->weight = weight; - - for(i = 0; i < 8; i++) { - subnet->net.ipv6.address.x[i] = htons(x[i]); - } - - return true; + *weight_separator = 0; } - if(sscanf(subnetstr, "%hu.%hu.%hu.%hu#%d", &x[0], &x[1], &x[2], &x[3], &weight) >= 4) { - subnet->type = SUBNET_IPV4; - subnet->net.ipv4.prefixlength = 32; - subnet->weight = weight; + int prefixlength = -1; + char *prefixlength_separator = strchr(str, '/'); - for(i = 0; i < 4; i++) { - if(x[i] > 255) { - return false; - } + if(prefixlength_separator) { + char *prefixlength_str = prefixlength_separator + 1; - subnet->net.ipv4.address.x[i] = x[i]; + if(sscanf(prefixlength_str, "%d%n", &prefixlength, &consumed) < 1) { + return false; } - return true; - } - - if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx#%d", - &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &weight) >= 8) { - 
subnet->type = SUBNET_IPV6; - subnet->net.ipv6.prefixlength = 128; - subnet->weight = weight; - - for(i = 0; i < 8; i++) { - subnet->net.ipv6.address.x[i] = htons(x[i]); + if(prefixlength_str[consumed]) { + return false; } - return true; + *prefixlength_separator = 0; + + if(prefixlength < 0) { + return false; + } } - if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx#%d", - &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &weight) >= 6) { + uint16_t x[8]; + + if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx%n", &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &consumed) >= 6 && !str[consumed]) { + /* + Normally we should check that each part has two digits to prevent ambiguities. + However, in old tinc versions net2str() will aggressively return MAC addresses with one-digit parts, + so we have to accept them otherwise we would be unable to parse ADD_SUBNET messages. + */ + if(prefixlength >= 0) { + return false; + } + subnet->type = SUBNET_MAC; subnet->weight = weight; - for(i = 0; i < 6; i++) { + for(int i = 0; i < 6; i++) { subnet->net.mac.address.x[i] = x[i]; } return true; } - // IPv6 short form - if(strstr(subnetstr, "::")) { - const char *p; - char *q; - int colons = 0; + if(sscanf(str, "%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !str[consumed]) { + if(prefixlength == -1) { + prefixlength = 32; + } - // Count number of colons - for(p = subnetstr; *p; p++) - if(*p == ':') { - colons++; - } - - if(colons > 7) { + if(prefixlength > 32) { return false; } - // Scan numbers before the double colon - p = subnetstr; + subnet->type = SUBNET_IPV4; + subnet->net.ipv4.prefixlength = prefixlength; + subnet->weight = weight; - for(i = 0; i < colons; i++) { - if(*p == ':') { - break; - } - - x[i] = strtoul(p, &q, 0x10); - - if(!q || p == q || *q != ':') { + for(int i = 0; i < 4; i++) { + if(x[i] > 255) { return false; } - p = ++q; + subnet->net.ipv4.address.x[i] = x[i]; } - p++; - colons -= i; + return true; + } - if(!i) { - p++; - colons--; - } + /* IPv6 */ - if(!*p || *p == 
'/' || *p == '#') { - colons--; - } + char *last_colon = strrchr(str, ':'); - // Fill in the blanks - for(; i < 8 - colons; i++) { - x[i] = 0; - } - - // Scan the remaining numbers - for(; i < 8; i++) { - x[i] = strtoul(p, &q, 0x10); - - if(!q || p == q) { + if(last_colon && sscanf(last_colon, ":%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !last_colon[consumed]) { + /* Dotted quad suffix notation, convert to standard IPv6 notation */ + for(int i = 0; i < 4; i++) + if(x[i] > 255) { return false; } - if(i == 7) { - p = q; - break; + snprintf(last_colon, sizeof(str) - (last_colon - str), ":%02x%02x:%02x%02x", x[0], x[1], x[2], x[3]); + } + + char *double_colon = strstr(str, "::"); + + if(double_colon) { + /* Figure out how many zero groups we need to expand */ + int zero_group_count = 8; + + for(const char *cur = str; *cur; cur++) + if(*cur != ':') { + zero_group_count--; + + while(cur[1] && cur[1] != ':') { + cur++; + } } - if(*q != ':') { - return false; - } - - p = ++q; + if(zero_group_count < 1) { + return false; } - l = 128; + /* Split the double colon in the middle to make room for zero groups */ + double_colon++; + memmove(double_colon + (zero_group_count * 2 - 1), double_colon, strlen(double_colon) + 1); - if(*p == '/') { - sscanf(p, "/%d#%d", &l, &weight); - } else if(*p == '#') { - sscanf(p, "#%d", &weight); + /* Write zero groups in the resulting gap, overwriting the second colon */ + for(int i = 0; i < zero_group_count; i++) { + memcpy(&double_colon[i * 2], "0:", 2); } - if(l < 0 || l > 128) { + /* Remove any leading or trailing colons */ + if(str[0] == ':') { + memmove(&str[0], &str[1], strlen(&str[1]) + 1); + } + + if(str[strlen(str) - 1] == ':') { + str[strlen(str) - 1] = 0; + } + } + + if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx%n", + &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &consumed) >= 8 && !str[consumed]) { + if(prefixlength == -1) { + prefixlength = 128; + } + + if(prefixlength > 128) { return false; } 
subnet->type = SUBNET_IPV6; - subnet->net.ipv6.prefixlength = l; + subnet->net.ipv6.prefixlength = prefixlength; subnet->weight = weight; - for(i = 0; i < 8; i++) { + for(int i = 0; i < 8; i++) { subnet->net.ipv6.address.x[i] = htons(x[i]); } diff --git a/src/tincd.c b/src/tincd.c index b4704c4..066ad9c 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd Copyright (C) 1998-2005 Ivo Timmermans - 2000-2018 Guus Sliepen + 2000-2019 Guus Sliepen 2008 Max Rijevski 2009 Michael Tokarev 2010 Julien Muchembled @@ -37,7 +37,10 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif +#include #ifdef HAVE_LZO #include LZO1X_H @@ -651,7 +654,7 @@ int main(int argc, char **argv) { if(show_version) { printf("%s version %s\n", PACKAGE, VERSION); - printf("Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.\n" + printf("Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -685,17 +688,14 @@ int main(int argc, char **argv) { init_configuration(&config_tree); - /* Slllluuuuuuurrrrp! */ - - if(RAND_load_file("/dev/urandom", 1024) != 1024) { - logger(LOG_ERR, "Error initializing RNG!"); - return 1; - } - +#ifndef OPENSSL_NO_ENGINE ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); +#endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_all_algorithms(); +#endif if(generate_keys) { read_server_config(); @@ -814,9 +814,13 @@ end: free(priority); +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_cleanup(); ERR_free_strings(); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif +#endif exit_configuration(&config_tree); list_delete_list(cmdline_conf);
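Review bot: The double-colon expansion in the `if(double_colon)` branch grows the string in place by `zero_group_count * 2 - 1` bytes (up to 15) without checking that the result still fits in the 1024-byte `str`, so an input near the buffer size containing `::` makes the `memmove` write past the end of the stack buffer; the comment in the MAC branch says this parser is fed from ADD_SUBNET messages, so the input is peer-controlled and the bound check below is needed before the move. The `strncpy` at the top also silently truncates at 1023 bytes, which can turn an over-long string into a different, shorter one instead of rejecting it; `if(strlen(subnetstr) >= sizeof(str)) return false;` before the copy would make that explicit. Pre-existing but worth a follow-up: on glibc `%hu` wraps values above 65535 before the `x[i] > 255` test runs, so an out-of-range group can be accepted as a small number; parsing with strtoul and range-checking the long value would close that.
```c
		/* Split the double colon in the middle to make room for zero groups */
		double_colon++;
		size_t tail_len = strlen(double_colon) + 1;   /* including the terminator */
		size_t gap = zero_group_count * 2 - 1;

		/* The expanded string, NUL included, must still fit in str */
		if((size_t)(double_colon - str) + gap + tail_len > sizeof(str)) {
			return false;
		}

		memmove(double_colon + gap, double_colon, tail_len);
		/* … unchanged: zero-group fill and leading/trailing colon removal … */
```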
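Review bot: Dropping `RAND_load_file("/dev/urandom", 1024)` removes the only explicit RNG seeding together with its fatal check; with OpenSSL 1.1.0+ the library seeds itself, and older releases seed lazily on first use, so correctness now rests on every `RAND_bytes()` caller checking its return value (those callers are outside this diff and worth auditing). A comment in place of the removed block would keep the reasoning visible: `/* No explicit seeding: OpenSSL seeds its CSPRNG itself; RAND_bytes() failures are reported to callers. */`. The `OPENSSL_NO_ENGINE` guards are straightforward, but the matching `ENGINE_cleanup()` in the later hunk is now compiled only for pre-1.1 builds, which is correct only because 1.1+ deinitialises automatically; a one-line comment there saying so would help. main continues outside the hunk.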