Update upstream source from tag 'upstream/1.0.36'

Update to upstream version '1.0.36'
with Debian dir 1c07c6f457

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.
+Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.
 See the AUTHORS file for a complete list.
 
 This program is free software; you can redistribute it and/or modify it under

ChangeLog

@@ -1,3 +1,26 @@
+Version 1.0.36                                            August 26 2019
+------------------------------------------------------------------------
+
+Guus Sliepen (8):
+      Remove the call to RAND_load_file().
+      Update THANKS.
+      Backport tinc 1.1's str2net() function.
+      Update THANKS.
+      Fix spelling errors found by codespell.
+      Reformat all code using astyle.
+      Add a missing check for a pathname being too long.
+      Releasing 1.0.36.
+
+Rosen Penev (2):
+      Fix compilation when OpenSSL has no ENGINE support
+      Fix compilation without deprecated OpenSSL APIs
+
+Quentin Rameau (1):
+      Double-quote nodes in graphviz network file
+
+Werner Schreiber (1):
+      Fix segfault when dest->mtu is 0.
+
 Version 1.0.35                                           October 05 2018
 ------------------------------------------------------------------------
 

Makefile.in

@@ -166,7 +166,7 @@ CSCOPE = cscope
 DIST_SUBDIRS = $(SUBDIRS)
 am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in AUTHORS \
 	COPYING ChangeLog INSTALL NEWS README THANKS compile \
-	config.guess config.sub install-sh missing
+	config.guess config.sub depcomp install-sh missing
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)

NEWS

@@ -1,7 +1,21 @@
+Version 1.0.36               August 26 2019
+
+ * Fix compiling tinc with certain versions of the OpenSSL library.
+ * Fix parsing some IPv6 addresses with :: in them.
+ * Fix GraphDumpFile output to handle node names starting with a digit.
+ * Fix a potential segmentation fault when fragmenting packets.
+
+Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their
+contributions to this version of tinc.
+
 Version 1.0.35               October 5 2018
 
  * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
  * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
+ * Minor fixes in the documentation.
+
+Thanks to Amine Amri and Rafael Sadowski for their contributions to this
+version of tinc.
 
 Version 1.0.34               June 12 2018
 

README

@@ -1,7 +1,7 @@
-This is the README file for tinc version 1.0.35. Installation
+This is the README file for tinc version 1.0.36. Installation
 instructions may be found in the INSTALL file.
 
-tinc is Copyright (C) 1998-2018 by:
+tinc is Copyright (C) 1998-2019 by:
 
 Ivo Timmermans,
 Guus Sliepen <guus@tinc-vpn.org>,

THANKS

@@ -22,6 +22,7 @@ We would like to thank the following people for their contributions to tinc:
 * Delf Eldkraft
 * Dennis Joachimsthaler
 * dnk
+* Егор Палкин
 * Élie Bouttier
 * Enrique Zanardi
 * Erik Tews
@@ -42,6 +43,7 @@ We would like to thank the following people for their contributions to tinc:
 * James Cook
 * James MacLean
 * Jamie Briggs
+* Jan Štembera
 * Jason Harper
 * Jason Livesay
 * Jasper Krijgsman
@@ -71,6 +73,7 @@ We would like to thank the following people for their contributions to tinc:
 * Max Rijevski
 * Menno Smits
 * Mesar Hameed
+* Michael Taylor
 * Michael Tokarev
 * Michael Yonli
 * Miles Nordin
@@ -82,10 +85,12 @@ We would like to thank the following people for their contributions to tinc:
 * Philipp Babel
 * Pierre Emeriaud
 * Pierre-Olivier Mercier
+* Rafael Wolf
 * Rafael Sadowski
 * Rafał Leśniak
 * Rhosyn Celyn
 * Robert van der Meulen
+* Robert Waniek
 * Rumko
 * Ryan Miller
 * Sam Bryan
@@ -104,6 +109,7 @@ We would like to thank the following people for their contributions to tinc:
 * Tonnerre Lombard
 * Ulrich Seifert
 * Vil Brekin
+* Vincent Laurent
 * Vittorio Gambaletta
 * Wendy Willard
 * Wessel Dankers

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tinc 1.0.35.
+# Generated by GNU Autoconf 2.69 for tinc 1.0.36.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -577,8 +577,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='tinc'
 PACKAGE_TARNAME='tinc'
-PACKAGE_VERSION='1.0.35'
+PACKAGE_VERSION='1.0.36'
-PACKAGE_STRING='tinc 1.0.35'
+PACKAGE_STRING='tinc 1.0.36'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1321,7 +1321,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures tinc 1.0.35 to adapt to many kinds of systems.
+\`configure' configures tinc 1.0.36 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1392,7 +1392,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tinc 1.0.35:";;
+     short | recursive ) echo "Configuration of tinc 1.0.36:";;
    esac
   cat <<\_ACEOF
 
@@ -1509,7 +1509,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tinc configure 1.0.35
+tinc configure 1.0.36
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1974,7 +1974,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tinc $as_me 1.0.35, which was
+It was created by tinc $as_me 1.0.36, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2838,7 +2838,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='tinc'
- VERSION='1.0.35'
+ VERSION='1.0.36'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -7333,7 +7333,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tinc $as_me 1.0.35, which was
+This file was extended by tinc $as_me 1.0.36, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -7399,7 +7399,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tinc config.status 1.0.35
+tinc config.status 1.0.36
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.35])
+AC_INIT([tinc], [1.0.36])
 AC_CONFIG_SRCDIR([src/tincd.c])
 AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
 AC_CONFIG_HEADERS([config.h])
@@ -237,7 +237,7 @@ AC_ARG_ENABLE(jumbograms,
   ]
 )
 
-dnl Ensure runstatedir is set if we are using a version of autoconf that does not suppport it
+dnl Ensure runstatedir is set if we are using a version of autoconf that does not support it
 if test "x$runstatedir" = "x"; then
   AC_SUBST([runstatedir], ['${localstatedir}/run'])
 fi

doc/tinc.info

@@ -1,14 +1,14 @@
-This is tinc.info, produced by makeinfo version 6.5 from tinc.texi.
+This is tinc.info, produced by makeinfo version 6.6 from tinc.texi.
 
 INFO-DIR-SECTION Networking tools
 START-INFO-DIR-ENTRY
 * tinc: (tinc).              The tinc Manual.
 END-INFO-DIR-ENTRY
 
-This is the info manual for tinc version 1.0.35, a Virtual Private
+This is the info manual for tinc version 1.0.36, a Virtual Private
 Network daemon.
 
-   Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen
+   Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen
 <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
 
    Permission is granted to make and distribute verbatim copies of this
@@ -117,10 +117,10 @@ for both the receiving and sending end, it has become largely
 runtime-configurable--in short, it has become a full-fledged
 professional package.
 
-   Tinc also allows more than two sites to connect to eachother and form
+   Tinc also allows more than two sites to connect to each other and
-a single VPN. Traditionally VPNs are created by making tunnels, which
+form a single VPN. Traditionally VPNs are created by making tunnels,
-only have two endpoints.  Larger VPNs with more sites are created by
+which only have two endpoints.  Larger VPNs with more sites are created
-adding more tunnels.  Tinc takes another approach: only endpoints are
+by adding more tunnels.  Tinc takes another approach: only endpoints are
 specified, the software itself will take care of creating the tunnels.
 This allows for easier configuration and improved scalability.
 
@@ -2278,7 +2278,7 @@ address these issues in tinc 2.0.
    Cryptography is a hard thing to get right.  We cannot make any
 guarantees.  Time, review and feedback are the only things that can
 prove the security of any cryptographic product.  If you wish to review
-tinc or give us feedback, you are stronly encouraged to do so.
+tinc or give us feedback, you are strongly encouraged to do so.
 
 
 File: tinc.info,  Node: Platform specific information,  Next: About us,  Prev: Technical information,  Up: Top
@@ -2720,66 +2720,66 @@ Node: Top806
 Node: Introduction1105
 Node: Virtual Private Networks1915
 Node: tinc3639
-Node: Supported platforms5166
+Node: Supported platforms5167
-Node: Preparations5867
+Node: Preparations5868
-Node: Configuring the kernel6123
+Node: Configuring the kernel6124
-Node: Configuration of Linux kernels6533
+Node: Configuration of Linux kernels6534
-Node: Configuration of FreeBSD kernels7388
+Node: Configuration of FreeBSD kernels7389
-Node: Configuration of OpenBSD kernels7853
+Node: Configuration of OpenBSD kernels7854
-Node: Configuration of NetBSD kernels8210
+Node: Configuration of NetBSD kernels8211
-Node: Configuration of Solaris kernels8615
+Node: Configuration of Solaris kernels8616
-Node: Configuration of Darwin (Mac OS X) kernels9278
+Node: Configuration of Darwin (Mac OS X) kernels9279
-Node: Configuration of Windows10097
+Node: Configuration of Windows10098
-Node: Libraries10637
+Node: Libraries10638
-Node: LibreSSL/OpenSSL11046
+Node: LibreSSL/OpenSSL11047
-Node: zlib13588
+Node: zlib13589
-Node: lzo14617
+Node: lzo14618
-Node: Installation15600
+Node: Installation15601
-Node: Building and installing tinc16510
+Node: Building and installing tinc16511
-Node: Darwin (Mac OS X) build environment17170
+Node: Darwin (Mac OS X) build environment17171
-Node: Cygwin (Windows) build environment17735
+Node: Cygwin (Windows) build environment17736
-Node: MinGW (Windows) build environment18324
+Node: MinGW (Windows) build environment18325
-Node: System files18918
+Node: System files18919
-Node: Device files19183
+Node: Device files19184
-Node: Other files19599
+Node: Other files19600
-Node: Configuration20212
+Node: Configuration20213
-Node: Configuration introduction20523
+Node: Configuration introduction20524
-Node: Multiple networks21791
+Node: Multiple networks21792
-Node: How connections work23217
+Node: How connections work23218
-Node: Configuration files24439
+Node: Configuration files24440
-Node: Main configuration variables25933
+Node: Main configuration variables25934
-Node: Host configuration variables42189
+Node: Host configuration variables42190
-Node: Scripts47721
+Node: Scripts47722
-Node: How to configure50987
+Node: How to configure50988
-Node: Generating keypairs52245
+Node: Generating keypairs52246
-Node: Network interfaces52744
+Node: Network interfaces52745
-Node: Example configuration54592
+Node: Example configuration54593
-Node: Running tinc59917
+Node: Running tinc59918
-Node: Runtime options60507
+Node: Runtime options60508
-Node: Signals64136
+Node: Signals64137
-Node: Debug levels65327
+Node: Debug levels65328
-Node: Solving problems66263
+Node: Solving problems66264
-Node: Error messages67815
+Node: Error messages67816
-Node: Sending bug reports71824
+Node: Sending bug reports71825
-Node: Technical information72771
+Node: Technical information72772
-Node: The connection73002
+Node: The connection73003
-Node: The UDP tunnel73314
+Node: The UDP tunnel73315
-Node: The meta-connection76366
+Node: The meta-connection76367
-Node: The meta-protocol77835
+Node: The meta-protocol77836
-Node: Security82852
+Node: Security82853
-Node: Authentication protocol83994
+Node: Authentication protocol83995
-Node: Encryption of network packets89039
+Node: Encryption of network packets89040
-Node: Security issues90415
+Node: Security issues90416
-Node: Platform specific information92054
+Node: Platform specific information92056
-Node: Interface configuration92314
+Node: Interface configuration92316
-Node: Routes94610
+Node: Routes94612
-Node: Automatically starting tinc96660
+Node: Automatically starting tinc96662
-Node: Linux96883
+Node: Linux96885
-Node: Windows98104
+Node: Windows98106
-Node: Other platforms98609
+Node: Other platforms98611
-Node: About us98891
+Node: About us98893
-Node: Contact information99066
+Node: Contact information99068
-Node: Authors99469
+Node: Authors99471
-Node: Concept Index99874
+Node: Concept Index99876
 
 End Tag Table

doc/tinc.texi

@@ -15,7 +15,7 @@
 
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
 
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
 
@@ -39,7 +39,7 @@ permission notice identical to this one.
 @vskip 0pt plus 1filll
 This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
 
-Copyright @copyright{} 1998-2018 Ivo Timmermans,
+Copyright @copyright{} 1998-2019 Ivo Timmermans,
 Guus Sliepen <guus@@tinc-vpn.org> and
 Wessel Dankers <wsl@@tinc-vpn.org>.
 
@@ -155,7 +155,7 @@ professional package.
 
 @cindex traditional VPNs
 @cindex scalability
-Tinc also allows more than two sites to connect to eachother and form a single VPN.
+Tinc also allows more than two sites to connect to each other and form a single VPN.
 Traditionally VPNs are created by making tunnels, which only have two endpoints.
 Larger VPNs with more sites are created by adding more tunnels.
 Tinc takes another approach: only endpoints are specified,
@@ -2433,7 +2433,7 @@ We will address these issues in tinc 2.0.
 Cryptography is a hard thing to get right. We cannot make any
 guarantees. Time, review and feedback are the only things that can
 prove the security of any cryptographic product. If you wish to review
-tinc or give us feedback, you are stronly encouraged to do so.
+tinc or give us feedback, you are strongly encouraged to do so.
 
 
 @c ==================================================================

doc/tincinclude.texi

@@ -1,4 +1,4 @@
-@set VERSION 1.0.35
+@set VERSION 1.0.36
 @set PACKAGE tinc
 @set sysconfdir /etc
 @set localstatedir /var

src/conf.c

@@ -467,9 +467,14 @@ static void disable_old_keys(const char *filename) {
 		return;
 	}
 
-	snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename);
+	int len = snprintf(tmpfile, sizeof(tmpfile), "%s.tmp", filename);
 
-	w = fopen(tmpfile, "w");
+	if(len < 0 || len >= PATH_MAX) {
+		fprintf(stderr, "Pathname too long: %s.tmp\n", filename);
+		w = NULL;
+	} else {
+		w = fopen(tmpfile, "w");
+	}
 
 	while(fgets(buf, sizeof(buf), r)) {
 		if(!strncmp(buf, "-----BEGIN RSA", 14)) {

src/connection.c

@@ -96,13 +96,13 @@ void free_connection_partially(connection_t *c) {
 	c->outbudget = 0;
 
 	if(c->inctx) {
-		EVP_CIPHER_CTX_cleanup(c->inctx);
+		EVP_CIPHER_CTX_reset(c->inctx);
 		free(c->inctx);
 		c->inctx = NULL;
 	}
 
 	if(c->outctx) {
-		EVP_CIPHER_CTX_cleanup(c->outctx);
+		EVP_CIPHER_CTX_reset(c->outctx);
 		free(c->outctx);
 		c->outctx = NULL;
 	}

src/connection.h

@@ -24,6 +24,10 @@
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_CIPHER_CTX_reset(c) EVP_CIPHER_CTX_cleanup(c)
+#endif
+
 #include "avl_tree.h"
 
 #define OPTION_INDIRECT         0x0001

src/graph.c

@@ -360,13 +360,13 @@ void dump_graph(void) {
 	/* dump all nodes first */
 	for(node = node_tree->head; node; node = node->next) {
 		n = node->data;
-		fprintf(file, "	%s [label = \"%s\"];\n", n->name, n->name);
+		fprintf(file, "	\"%s\" [label = \"%s\"];\n", n->name, n->name);
 	}
 
 	/* now dump all edges */
 	for(node = edge_weight_tree->head; node; node = node->next) {
 		e = node->data;
-		fprintf(file, "	%s -> %s;\n", e->from->name, e->to->name);
+		fprintf(file, "	\"%s\" -> \"%s\";\n", e->from->name, e->to->name);
 	}
 
 	fprintf(file, "}\n");

src/net_setup.c

@@ -27,6 +27,7 @@
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#include <openssl/bn.h>
 
 #include "avl_tree.h"
 #include "conf.h"

src/route.c

@@ -581,7 +581,7 @@ static void fragment_ipv4_packet(node_t *dest, vpn_packet_t *packet, length_t et
 	ifdebug(TRAFFIC) logger(LOG_INFO, "Fragmenting packet of %d bytes to %s (%s)", packet->len, dest->name, dest->hostname);
 
 	offset = packet->data + ether_size + ip_size;
-	maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
+	maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7;
 	ip_off = ntohs(ip.ip_off);
 	origf = ip_off & ~IP_OFFMASK;
 	ip_off &= IP_OFFMASK;

src/subnet.c

@@ -1,6 +1,6 @@
 /*
     subnet.c -- handle subnet lookups and lists
-    Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2019 Guus Sliepen <guus@tinc-vpn.org>,
                   2000-2005 Ivo Timmermans
 
     This program is free software; you can redistribute it and/or modify
@@ -205,177 +205,162 @@ void subnet_del(node_t *n, subnet_t *subnet) {
 /* Ascii representation of subnets */
 
 bool str2net(subnet_t *subnet, const char *subnetstr) {
-	int i, l;
+	char str[1024];
-	uint16_t x[8];
+	strncpy(str, subnetstr, sizeof(str));
+	str[sizeof(str) - 1] = 0;
+	int consumed;
+
 	int weight = 10;
+	char *weight_separator = strchr(str, '#');
 
-	if(sscanf(subnetstr, "%hu.%hu.%hu.%hu/%d#%d",
+	if(weight_separator) {
-	                &x[0], &x[1], &x[2], &x[3], &l, &weight) >= 5) {
+		char *weight_str = weight_separator + 1;
-		if(l < 0 || l > 32) {
+
+		if(sscanf(weight_str, "%d%n", &weight, &consumed) < 1) {
 			return false;
 		}
 
-		subnet->type = SUBNET_IPV4;
+		if(weight_str[consumed]) {
-		subnet->net.ipv4.prefixlength = l;
-		subnet->weight = weight;
-
-		for(i = 0; i < 4; i++) {
-			if(x[i] > 255) {
-				return false;
-			}
-
-			subnet->net.ipv4.address.x[i] = x[i];
-		}
-
-		return true;
-	}
-
-	if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d",
-	                &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7],
-	                &l, &weight) >= 9) {
-		if(l < 0 || l > 128) {
 			return false;
 		}
 
-		subnet->type = SUBNET_IPV6;
+		*weight_separator = 0;
-		subnet->net.ipv6.prefixlength = l;
-		subnet->weight = weight;
-
-		for(i = 0; i < 8; i++) {
-			subnet->net.ipv6.address.x[i] = htons(x[i]);
-		}
-
-		return true;
 	}
 
-	if(sscanf(subnetstr, "%hu.%hu.%hu.%hu#%d", &x[0], &x[1], &x[2], &x[3], &weight) >= 4) {
+	int prefixlength = -1;
-		subnet->type = SUBNET_IPV4;
+	char *prefixlength_separator = strchr(str, '/');
-		subnet->net.ipv4.prefixlength = 32;
-		subnet->weight = weight;
 
-		for(i = 0; i < 4; i++) {
+	if(prefixlength_separator) {
-			if(x[i] > 255) {
+		char *prefixlength_str = prefixlength_separator + 1;
-				return false;
-			}
 
-			subnet->net.ipv4.address.x[i] = x[i];
+		if(sscanf(prefixlength_str, "%d%n", &prefixlength, &consumed) < 1) {
+			return false;
 		}
 
-		return true;
+		if(prefixlength_str[consumed]) {
-	}
+			return false;
-
-	if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx#%d",
-	                &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &weight) >= 8) {
-		subnet->type = SUBNET_IPV6;
-		subnet->net.ipv6.prefixlength = 128;
-		subnet->weight = weight;
-
-		for(i = 0; i < 8; i++) {
-			subnet->net.ipv6.address.x[i] = htons(x[i]);
 		}
 
-		return true;
+		*prefixlength_separator = 0;
+
+		if(prefixlength < 0) {
+			return false;
+		}
 	}
 
-	if(sscanf(subnetstr, "%hx:%hx:%hx:%hx:%hx:%hx#%d",
+	uint16_t x[8];
-	                &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &weight) >= 6) {
+
+	if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx%n", &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &consumed) >= 6 && !str[consumed]) {
+		/*
+		   Normally we should check that each part has two digits to prevent ambiguities.
+		   However, in old tinc versions net2str() will aggressively return MAC addresses with one-digit parts,
+		   so we have to accept them otherwise we would be unable to parse ADD_SUBNET messages.
+		*/
+		if(prefixlength >= 0) {
+			return false;
+		}
+
 		subnet->type = SUBNET_MAC;
 		subnet->weight = weight;
 
-		for(i = 0; i < 6; i++) {
+		for(int i = 0; i < 6; i++) {
 			subnet->net.mac.address.x[i] = x[i];
 		}
 
 		return true;
 	}
 
-	// IPv6 short form
+	if(sscanf(str, "%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !str[consumed]) {
-	if(strstr(subnetstr, "::")) {
+		if(prefixlength == -1) {
-		const char *p;
+			prefixlength = 32;
-		char *q;
+		}
-		int colons = 0;
 
-		// Count number of colons
+		if(prefixlength > 32) {
-		for(p = subnetstr; *p; p++)
-			if(*p == ':') {
-				colons++;
-			}
-
-		if(colons > 7) {
 			return false;
 		}
 
-		// Scan numbers before the double colon
+		subnet->type = SUBNET_IPV4;
-		p = subnetstr;
+		subnet->net.ipv4.prefixlength = prefixlength;
+		subnet->weight = weight;
 
-		for(i = 0; i < colons; i++) {
+		for(int i = 0; i < 4; i++) {
-			if(*p == ':') {
+			if(x[i] > 255) {
-				break;
-			}
-
-			x[i] = strtoul(p, &q, 0x10);
-
-			if(!q || p == q || *q != ':') {
 				return false;
 			}
 
-			p = ++q;
+			subnet->net.ipv4.address.x[i] = x[i];
 		}
 
-		p++;
+		return true;
-		colons -= i;
+	}
 
-		if(!i) {
+	/* IPv6 */
-			p++;
-			colons--;
-		}
 
-		if(!*p || *p == '/' || *p == '#') {
+	char *last_colon = strrchr(str, ':');
-			colons--;
-		}
 
-		// Fill in the blanks
+	if(last_colon && sscanf(last_colon, ":%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !last_colon[consumed]) {
-		for(; i < 8 - colons; i++) {
+		/* Dotted quad suffix notation, convert to standard IPv6 notation */
-			x[i] = 0;
+		for(int i = 0; i < 4; i++)
-		}
+			if(x[i] > 255) {
-
-		// Scan the remaining numbers
-		for(; i < 8; i++) {
-			x[i] = strtoul(p, &q, 0x10);
-
-			if(!q || p == q) {
 				return false;
 			}
 
-			if(i == 7) {
+		snprintf(last_colon, sizeof(str) - (last_colon - str), ":%02x%02x:%02x%02x", x[0], x[1], x[2], x[3]);
-				p = q;
+	}
-				break;
+
+	char *double_colon = strstr(str, "::");
+
+	if(double_colon) {
+		/* Figure out how many zero groups we need to expand */
+		int zero_group_count = 8;
+
+		for(const char *cur = str; *cur; cur++)
+			if(*cur != ':') {
+				zero_group_count--;
+
+				while(cur[1] && cur[1] != ':') {
+					cur++;
+				}
 			}
 
-			if(*q != ':') {
+		if(zero_group_count < 1) {
-				return false;
+			return false;
-			}
-
-			p = ++q;
 		}
 
-		l = 128;
+		/* Split the double colon in the middle to make room for zero groups */
+		double_colon++;
+		memmove(double_colon + (zero_group_count * 2 - 1), double_colon, strlen(double_colon) + 1);
 
-		if(*p == '/') {
+		/* Write zero groups in the resulting gap, overwriting the second colon */
-			sscanf(p, "/%d#%d", &l, &weight);
+		for(int i = 0; i < zero_group_count; i++) {
-		} else if(*p == '#') {
+			memcpy(&double_colon[i * 2], "0:", 2);
-			sscanf(p, "#%d", &weight);
 		}
 
-		if(l < 0 || l > 128) {
+		/* Remove any leading or trailing colons */
+		if(str[0] == ':') {
+			memmove(&str[0], &str[1], strlen(&str[1]) + 1);
+		}
+
+		if(str[strlen(str) - 1] == ':') {
+			str[strlen(str) - 1] = 0;
+		}
+	}
+
+	if(sscanf(str, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx%n",
+	                &x[0], &x[1], &x[2], &x[3], &x[4], &x[5], &x[6], &x[7], &consumed) >= 8 && !str[consumed]) {
+		if(prefixlength == -1) {
+			prefixlength = 128;
+		}
+
+		if(prefixlength > 128) {
 			return false;
 		}
 
 		subnet->type = SUBNET_IPV6;
-		subnet->net.ipv6.prefixlength = l;
+		subnet->net.ipv6.prefixlength = prefixlength;
 		subnet->weight = weight;
 
-		for(i = 0; i < 8; i++) {
+		for(int i = 0; i < 8; i++) {
 			subnet->net.ipv6.address.x[i] = htons(x[i]);
 		}
 

src/tincd.c

@@ -1,7 +1,7 @@
 /*
     tincd.c -- the main file for tincd
     Copyright (C) 1998-2005 Ivo Timmermans
-                  2000-2018 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2019 Guus Sliepen <guus@tinc-vpn.org>
                   2008      Max Rijevski <maksuf@gmail.com>
                   2009      Michael Tokarev <mjt@tls.msk.ru>
                   2010      Julien Muchembled <jm@jmuchemb.eu>
@@ -37,7 +37,10 @@
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
+#include <openssl/bn.h>
 
 #ifdef HAVE_LZO
 #include LZO1X_H
@@ -651,7 +654,7 @@ int main(int argc, char **argv) {
 
 	if(show_version) {
 		printf("%s version %s\n", PACKAGE, VERSION);
-		printf("Copyright (C) 1998-2018 Ivo Timmermans, Guus Sliepen and others.\n"
+		printf("Copyright (C) 1998-2019 Ivo Timmermans, Guus Sliepen and others.\n"
 		       "See the AUTHORS file for a complete list.\n\n"
 		       "tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,\n"
 		       "and you are welcome to redistribute it under certain conditions;\n"
@@ -685,17 +688,14 @@ int main(int argc, char **argv) {
 
 	init_configuration(&config_tree);
 
-	/* Slllluuuuuuurrrrp! */
+#ifndef OPENSSL_NO_ENGINE
-
-	if(RAND_load_file("/dev/urandom", 1024) != 1024) {
-		logger(LOG_ERR, "Error initializing RNG!");
-		return 1;
-	}
-
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
+#endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	OpenSSL_add_all_algorithms();
+#endif
 
 	if(generate_keys) {
 		read_server_config();
@@ -814,9 +814,13 @@ end:
 
 	free(priority);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	EVP_cleanup();
 	ERR_free_strings();
+#ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
+#endif
+#endif
 
 	exit_configuration(&config_tree);
 	list_delete_list(cmdline_conf);