Import Debian changes 1.0.24-1

tinc (1.0.24-1) unstable; urgency=medium

  [ Guus Sliepen ]
  * New upstream release
  * Add a debian/watch file.
  * Bump Standards-Version.

  [ Gian Piero Carrubba ]
  * Allow resource limits to be set in /etc/default/tinc.
    Closes: #690685, #704702
This commit is contained in:
Guus Sliepen 2014-05-11 21:17:13 +02:00
commit cce24e0be4
52 changed files with 1463 additions and 342 deletions

View file

@ -1,3 +1,55 @@
Version 1.0.24 May 11 2014
------------------------------------------------------------------------
Guus Sliepen (26):
Mention in the manual that multiple Address staments are allowed.
If no Port is specified, set myport to actual port of first listening socket.
Enable compiler hardening flags by default.
Update support for Solaris.
Include <limits.h> for PATH_MAX.
Stricter check for raw socket support.
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
Don't enable -fstack-protector-all.
Remove or lower the priority of some debug messages.
Clarify StrictSubnets.
Attribution for various contributors.
Handle errors from TAP-Win32/64 adapter in a better way.
Remove useless variable 'hard' from try_harder().
Merge pull request #14 from luckyhacky/master
Add an autoconf check for res_init().
Nexthop calculation should always use the shortest path.
Fix issues found by Coverity.
Fix warnings found by GCC 4.9.
Fix a few more issues found by Coverity.
Fix a few more issues found by Coverity.
Drop h and hh length modifiers from printf format strings.
Fix a bug that could prevent tinc from starting correctly on Windows.
FIx the autoconf checks for res_init().
Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
Releasing 1.0.24.
Steffan Karger (3):
Use constant time memcmp() when comparing packet HMACs.
Use cryptographically strong random when generating keys.
Check RAND_bytes() return value, fail when getting random fails.
Florent Clairambault (2):
Adding "conf.d" configuration dir support.
Adding some documentation around the /etc/tinc/$NET/conf.d directory.
Armin Fisslthaler (1):
reload /etc/resolv.conf in SIGALRM handler
Loic Dachary (1):
fix documentation typo
Vilbrekin (1):
Update android build instructions. Disable PIE as this is not supported on some devices.
luckyhacky (1):
update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl
Version 1.0.23 October 19 2013 Version 1.0.23 October 19 2013
------------------------------------------------------------------------ ------------------------------------------------------------------------

View file

@ -12,8 +12,8 @@ without warranty of any kind.
Basic Installation Basic Installation
================== ==================
Briefly, the shell commands `./configure; make; make install' should Briefly, the shell command `./configure && make && make install'
configure, build, and install this package. The following should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented `INSTALL' file but do not implement all of the features documented

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am. # Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc. # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -85,8 +85,10 @@ DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
config.sub depcomp install-sh missing config.sub depcomp install-sh missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@ -592,9 +594,10 @@ distcheck: dist
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \ && am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \ && $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \ && ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) check \

23
NEWS
View file

@ -1,3 +1,26 @@
Version 1.0.24 May 11 2013
* Various compiler hardening flags are enabled by default.
* Updated support for Solaris, allowing switch mode on Solaris 11.
* Configuration will now also be read from a conf.d directory.
* Various updates to the documentation.
* Tinc now forces glibc to reload /etc/resolv.conf after it receives SIGALRM.
* Fixed a potential routing loop when IndirectData or TCPOnly is used and
broadcast packets are being sent.
* Improved security with constant time memcmp and stricter use of OpenSSL's
RNG functions.
* Fixed all issues found by Coverity.
Thanks to Florent Clairambault, Vilbrekin, luckyhacky, Armin Fisslthaler, Loïc
Dachary and Steffan Karger for their contributions to this version of tinc.
Version 1.0.23 October 19 2013 Version 1.0.23 October 19 2013
* Start authentication immediately on outgoing connections (useful for sslh). * Start authentication immediately on outgoing connections (useful for sslh).

6
README
View file

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.23. Installation This is the README file for tinc version 1.0.24. Installation
instructions may be found in the INSTALL file. instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2013 by: tinc is Copyright (C) 1998-2014 by:
Ivo Timmermans, Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>, Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility Compatibility
------------- -------------
Version 1.0.23 is compatible with 1.0pre8, 1.0 and later, but not with older Version 1.0.24 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. versions of tinc.

View file

@ -1,14 +1,14 @@
Quick how-o cross compile tinc for android (done from $HOME/android/): Quick how-to cross compile tinc for android (done from $HOME/android/):
- Download android NDK and setup local ARM toolchain: - Download android NDK and setup local ARM toolchain:
wget http://dl.google.com/android/ndk/android-ndk-r8b-linux-x86.tar.bz2 wget http://dl.google.com/android/ndk/android-ndk-r9d-linux-x86.tar.bz2
tar xfj android-ndk-r8b-linux-x86.tar.bz2 tar xfj android-ndk-r9d-linux-x86.tar.bz2
./android-ndk-r8b/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain ./android-ndk-r9d/build/tools/make-standalone-toolchain.sh --platform=android-5 --install-dir=/tmp/my-android-toolchain
- Download and cross-compile openSSL for ARM: - Download and cross-compile openSSL for ARM:
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar xfz openssl-1.0.1c.tar.gz tar xfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1c cd openssl-1.0.1g
./Configure dist ./Configure dist
make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-android-toolchain/bin/arm-linux-androideabi-ar r" RANLIB=/tmp/my-android-toolchain/bin/arm-linux-androideabi-ranlib
@ -16,5 +16,9 @@ make CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc AR="/tmp/my-andr
git clone git://tinc-vpn.org/tinc git clone git://tinc-vpn.org/tinc
cd tinc cd tinc
autoreconf -fsi autoreconf -fsi
CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1c --with-openssl-include=$HOME/android/openssl-1.0.1c/include/ CC=/tmp/my-android-toolchain/bin/arm-linux-androideabi-gcc ./configure --host=arm-linux --disable-lzo --with-openssl-lib=$HOME/android/openssl-1.0.1g --with-openssl-include=$HOME/android/openssl-1.0.1g/include/ --disable-hardening
make -j5 make -j5
- Strip tincd binary to make it smaller
/tmp/my-android-toolchain/bin/arm-linux-androideabi-strip src/tincd

10
THANKS
View file

@ -4,6 +4,7 @@ We would like to thank the following people for their contributions to tinc:
* Allesandro Gatti * Allesandro Gatti
* Andreas van Cranenburgh * Andreas van Cranenburgh
* Anthony G. Basile * Anthony G. Basile
* Armin Fisslthaler
* Armijn Hemel * Armijn Hemel
* Brandon Black * Brandon Black
* Cris van Pelt * Cris van Pelt
@ -11,10 +12,13 @@ We would like to thank the following people for their contributions to tinc:
* Delf Eldkraft * Delf Eldkraft
* dnk * dnk
* Enrique Zanardi * Enrique Zanardi
* Florent Clairambault
* Flynn Marquardt * Flynn Marquardt
* Gary Kessler and Claudia Gonzalez
* Grzegorz Dymarek * Grzegorz Dymarek
* Hans Bayle * Hans Bayle
* Ivo van Dong * Ivo van Dong
* James Cook
* James MacLean * James MacLean
* Jamie Briggs * Jamie Briggs
* Jason Harper * Jason Harper
@ -22,11 +26,14 @@ We would like to thank the following people for their contributions to tinc:
* Jeroen Ubbink * Jeroen Ubbink
* Jerome Etienne * Jerome Etienne
* Julien Muchembled * Julien Muchembled
* Lavrans Laading
* Loïc Dachary
* Loïc Grenié * Loïc Grenié
* Lubomír Bulej * Lubomír Bulej
* Mads Kiilerich * Mads Kiilerich
* Marc A. Lehmann * Marc A. Lehmann
* Mark Glines * Mark Glines
* Mark Petryk
* Markus Goetz * Markus Goetz
* Martin Kihlgren * Martin Kihlgren
* Martin Schobert * Martin Schobert
@ -44,6 +51,7 @@ We would like to thank the following people for their contributions to tinc:
* Robert van der Meulen * Robert van der Meulen
* Rumko * Rumko
* Scott Lamb * Scott Lamb
* Steffan Karger
* Sven-Haegar Koch * Sven-Haegar Koch
* Teemu Kiviniemi * Teemu Kiviniemi
* Timothy Redaelli * Timothy Redaelli
@ -52,7 +60,7 @@ We would like to thank the following people for their contributions to tinc:
* Wessel Dankers * Wessel Dankers
* Wouter van Heyst * Wouter van Heyst
And everyone we forgot. Thank you! And everyone we forgot (if we did, please let us know). Thank you!
Ivo Timmermans Ivo Timmermans
Guus Sliepen Guus Sliepen

11
aclocal.m4 vendored
View file

@ -1,4 +1,4 @@
# generated automatically by aclocal 1.14 -*- Autoconf -*- # generated automatically by aclocal 1.14.1 -*- Autoconf -*-
# Copyright (C) 1996-2013 Free Software Foundation, Inc. # Copyright (C) 1996-2013 Free Software Foundation, Inc.
@ -35,7 +35,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.14' [am__api_version='1.14'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro. dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.14], [], m4_if([$1], [1.14.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
]) ])
@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.14])dnl [AM_AUTOMAKE_VERSION([1.14.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION], m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@ -573,7 +573,8 @@ to "yes", and re-run configure.
END END
AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
fi fi
fi]) fi
])
dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
@ -1184,6 +1185,8 @@ AC_SUBST([am__untar])
]) # _AM_PROG_TAR ]) # _AM_PROG_TAR
m4_include([m4/attribute.m4]) m4_include([m4/attribute.m4])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_link_flag.m4])
m4_include([m4/lzo.m4]) m4_include([m4/lzo.m4])
m4_include([m4/openssl.m4]) m4_include([m4/openssl.m4])
m4_include([m4/zlib.m4]) m4_include([m4/zlib.m4])

View file

@ -15,6 +15,9 @@
/* Define to 1 if you have the <arpa/inet.h> header file. */ /* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H #undef HAVE_ARPA_INET_H
/* Define to 1 if you have the <arpa/nameser.h> header file. */
#undef HAVE_ARPA_NAMESER_H
/* Define to 1 if you have the `asprintf' function. */ /* Define to 1 if you have the `asprintf' function. */
#undef HAVE_ASPRINTF #undef HAVE_ASPRINTF
@ -46,6 +49,10 @@
don't. */ don't. */
#undef HAVE_DECL_GETNAMEINFO #undef HAVE_DECL_GETNAMEINFO
/* Define to 1 if you have the declaration of `res_init', and to 0 if you
don't. */
#undef HAVE_DECL_RES_INIT
/* Define to 1 if you have the <dirent.h> header file. */ /* Define to 1 if you have the <dirent.h> header file. */
#undef HAVE_DIRENT_H #undef HAVE_DIRENT_H
@ -211,6 +218,9 @@
/* Define to 1 if you have the `RAND_pseudo_bytes' function. */ /* Define to 1 if you have the `RAND_pseudo_bytes' function. */
#undef HAVE_RAND_PSEUDO_BYTES #undef HAVE_RAND_PSEUDO_BYTES
/* Define to 1 if you have the <resolv.h> header file. */
#undef HAVE_RESOLV_H
/* Define to 1 if you have the `select' function. */ /* Define to 1 if you have the `select' function. */
#undef HAVE_SELECT #undef HAVE_SELECT

476
configure vendored
View file

@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for tinc 1.0.23. # Generated by GNU Autoconf 2.69 for tinc 1.0.24.
# #
# #
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -577,8 +577,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='tinc' PACKAGE_NAME='tinc'
PACKAGE_TARNAME='tinc' PACKAGE_TARNAME='tinc'
PACKAGE_VERSION='1.0.23' PACKAGE_VERSION='1.0.24'
PACKAGE_STRING='tinc 1.0.23' PACKAGE_STRING='tinc 1.0.24'
PACKAGE_BUGREPORT='' PACKAGE_BUGREPORT=''
PACKAGE_URL='' PACKAGE_URL=''
@ -745,6 +745,7 @@ enable_uml
enable_vde enable_vde
enable_tunemu enable_tunemu
with_windows2000 with_windows2000
enable_hardening
enable_zlib enable_zlib
with_zlib with_zlib
with_zlib_include with_zlib_include
@ -1307,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures tinc 1.0.23 to adapt to many kinds of systems. \`configure' configures tinc 1.0.24 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1377,7 +1378,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of tinc 1.0.23:";; short | recursive ) echo "Configuration of tinc 1.0.24:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@ -1397,15 +1398,16 @@ Optional Features:
--enable-uml enable support for User Mode Linux --enable-uml enable support for User Mode Linux
--enable-vde enable support for Virtual Distributed Ethernet --enable-vde enable support for Virtual Distributed Ethernet
--enable-tunemu enable support for the tunemu driver --enable-tunemu enable support for the tunemu driver
--disable-hardening disable compiler and linker hardening flags
--disable-zlib disable zlib compression support --disable-zlib disable zlib compression support
--disable-lzo disable lzo compression support --disable-lzo disable lzo compression support
--disable-jumbograms enable support for jumbograms (packets up to 9000 --enable-jumbograms enable support for jumbograms (packets up to 9000
bytes) bytes)
Optional Packages: Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--without-windows2000 compile with support for Windows 2000. This disables --with-windows2000 compile with support for Windows 2000. This disables
support for tunneling over existing IPv6 networks. support for tunneling over existing IPv6 networks.
--with-zlib=DIR zlib base directory, or: --with-zlib=DIR zlib base directory, or:
--with-zlib-include=DIR zlib headers directory --with-zlib-include=DIR zlib headers directory
@ -1495,7 +1497,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
tinc configure 1.0.23 tinc configure 1.0.24
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@ -1744,6 +1746,52 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_header_compile } # ac_fn_c_check_header_compile
# ac_fn_c_try_link LINENO
# -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded.
ac_fn_c_try_link ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
rm -f conftest.$ac_objext conftest$ac_exeext
if { { ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
$as_echo "$ac_try_echo"; } >&5
(eval "$ac_link") 2>conftest.err
ac_status=$?
if test -s conftest.err; then
grep -v '^ *+' conftest.err >conftest.er1
cat conftest.er1 >&5
mv -f conftest.er1 conftest.err
fi
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
test -x conftest$ac_exeext
}; then :
ac_retval=0
else
$as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
# Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
# created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
# interfere with the next link command; also delete a directory that is
# left behind by Apple's compiler. We do this before executing the actions.
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_link
# ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ac_fn_c_check_type LINENO TYPE VAR INCLUDES
# ------------------------------------------- # -------------------------------------------
# Tests whether TYPE exists after having included INCLUDES, setting cache # Tests whether TYPE exists after having included INCLUDES, setting cache
@ -1798,52 +1846,6 @@ $as_echo "$ac_res" >&6; }
} # ac_fn_c_check_type } # ac_fn_c_check_type
# ac_fn_c_try_link LINENO
# -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded.
ac_fn_c_try_link ()
{
as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
rm -f conftest.$ac_objext conftest$ac_exeext
if { { ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
$as_echo "$ac_try_echo"; } >&5
(eval "$ac_link") 2>conftest.err
ac_status=$?
if test -s conftest.err; then
grep -v '^ *+' conftest.err >conftest.er1
cat conftest.er1 >&5
mv -f conftest.er1 conftest.err
fi
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext && {
test "$cross_compiling" = yes ||
test -x conftest$ac_exeext
}; then :
ac_retval=0
else
$as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_retval=1
fi
# Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
# created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
# interfere with the next link command; also delete a directory that is
# left behind by Apple's compiler. We do this before executing the actions.
rm -rf conftest.dSYM conftest_ipa8_conftest.oo
eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
as_fn_set_status $ac_retval
} # ac_fn_c_try_link
# ac_fn_c_check_func LINENO FUNC VAR # ac_fn_c_check_func LINENO FUNC VAR
# ---------------------------------- # ----------------------------------
# Tests whether FUNC exists, setting the cache variable VAR accordingly # Tests whether FUNC exists, setting the cache variable VAR accordingly
@ -1960,7 +1962,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by tinc $as_me 1.0.23, which was It was created by tinc $as_me 1.0.24, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@ -2824,7 +2826,7 @@ fi
# Define the identity of the package. # Define the identity of the package.
PACKAGE='tinc' PACKAGE='tinc'
VERSION='1.0.23' VERSION='1.0.24'
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
@ -2916,6 +2918,7 @@ END
as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
fi fi
fi fi
ac_config_headers="$ac_config_headers config.h" ac_config_headers="$ac_config_headers config.h"
@ -5146,6 +5149,343 @@ if test -d /sw/lib ; then
fi fi
# Check whether --enable-hardening was given.
if test "${enable_hardening+set}" = set; then :
enableval=$enable_hardening;
fi
if test "x$enable_hardening" != "xno"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -DFORTIFY_SOURCE=2" >&5
$as_echo_n "checking whether C compiler accepts -DFORTIFY_SOURCE=2... " >&6; }
if ${ax_cv_check_cflags___DFORTIFY_SOURCE_2+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -DFORTIFY_SOURCE=2"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___DFORTIFY_SOURCE_2=yes
else
ax_cv_check_cflags___DFORTIFY_SOURCE_2=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&5
$as_echo "$ax_cv_check_cflags___DFORTIFY_SOURCE_2" >&6; }
if test x"$ax_cv_check_cflags___DFORTIFY_SOURCE_2" = xyes; then :
CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-strict-overflow" >&5
$as_echo_n "checking whether C compiler accepts -fno-strict-overflow... " >&6; }
if ${ax_cv_check_cflags___fno_strict_overflow+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fno-strict-overflow"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fno_strict_overflow=yes
else
ax_cv_check_cflags___fno_strict_overflow=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fno_strict_overflow" >&5
$as_echo "$ax_cv_check_cflags___fno_strict_overflow" >&6; }
if test x"$ax_cv_check_cflags___fno_strict_overflow" = xyes; then :
CPPFLAGS="$CPPFLAGS -fno-strict-overflow"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fwrapv" >&5
$as_echo_n "checking whether C compiler accepts -fwrapv... " >&6; }
if ${ax_cv_check_cflags___fwrapv+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fwrapv"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fwrapv=yes
else
ax_cv_check_cflags___fwrapv=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fwrapv" >&5
$as_echo "$ax_cv_check_cflags___fwrapv" >&6; }
if test x"$ax_cv_check_cflags___fwrapv" = xyes; then :
CPPFLAGS="$CPPFLAGS -fwrapv"
else
:
fi
case $host_os in
*mingw*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--dynamicbase" >&5
$as_echo_n "checking whether the linker accepts -Wl,--dynamicbase... " >&6; }
if ${ax_cv_check_ldflags___Wl___dynamicbase+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,--dynamicbase"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl___dynamicbase=yes
else
ax_cv_check_ldflags___Wl___dynamicbase=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___dynamicbase" >&5
$as_echo "$ax_cv_check_ldflags___Wl___dynamicbase" >&6; }
if test x"$ax_cv_check_ldflags___Wl___dynamicbase" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,--dynamicbase"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--nxcompat" >&5
$as_echo_n "checking whether the linker accepts -Wl,--nxcompat... " >&6; }
if ${ax_cv_check_ldflags___Wl___nxcompat+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,--nxcompat"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl___nxcompat=yes
else
ax_cv_check_ldflags___Wl___nxcompat=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___nxcompat" >&5
$as_echo "$ax_cv_check_ldflags___Wl___nxcompat" >&6; }
if test x"$ax_cv_check_ldflags___Wl___nxcompat" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,--nxcompat"
else
:
fi
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; }
if ${ax_cv_check_cflags___fPIE+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fPIE"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
ax_cv_check_cflags___fPIE=yes
else
ax_cv_check_cflags___fPIE=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
$as_echo "$ax_cv_check_cflags___fPIE" >&6; }
if test x"$ax_cv_check_cflags___fPIE" = xyes; then :
CPPFLAGS="$CPPFLAGS -fPIE"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
$as_echo_n "checking whether the linker accepts -pie... " >&6; }
if ${ax_cv_check_ldflags___pie+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -pie"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___pie=yes
else
ax_cv_check_ldflags___pie=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
$as_echo "$ax_cv_check_ldflags___pie" >&6; }
if test x"$ax_cv_check_ldflags___pie" = xyes; then :
LDFLAGS="$LDFLAGS -pie"
else
:
fi
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,relro"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_relro=yes
else
ax_cv_check_ldflags___Wl__z_relro=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,-z,relro"
else
:
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,now" >&5
$as_echo_n "checking whether the linker accepts -Wl,-z,now... " >&6; }
if ${ax_cv_check_ldflags___Wl__z_now+:} false; then :
$as_echo_n "(cached) " >&6
else
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS -Wl,-z,now"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main ()
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ax_cv_check_ldflags___Wl__z_now=yes
else
ax_cv_check_ldflags___Wl__z_now=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LDFLAGS=$ax_check_save_flags
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_now" >&5
$as_echo "$ax_cv_check_ldflags___Wl__z_now" >&6; }
if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes; then :
LDFLAGS="$LDFLAGS -Wl,-z,now"
else
:
fi
fi;
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5
$as_echo_n "checking for ANSI C header files... " >&6; } $as_echo_n "checking for ANSI C header files... " >&6; }
@ -5259,7 +5599,7 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h
fi fi
for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h for ac_header in stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@ -5287,7 +5627,7 @@ fi
done done
for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h for ac_header in netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h
do : do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include \"src/have.h\" ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include \"src/have.h\"
@ -5921,6 +6261,22 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
ac_fn_c_check_decl "$LINENO" "res_init" "ac_cv_have_decl_res_init" "
#include <netinet/in.h>
#include <resolv.h>
"
if test "x$ac_cv_have_decl_res_init" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_RES_INIT $ac_have_decl
_ACEOF
cat >confcache <<\_ACEOF cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure # This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure # tests run on this system so they can be shared between configure
@ -7040,7 +7396,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by tinc $as_me 1.0.23, which was This file was extended by tinc $as_me 1.0.24, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@ -7106,7 +7462,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
tinc config.status 1.0.23 tinc config.status 1.0.24
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"

View file

@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script. dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61) AC_PREREQ(2.61)
AC_INIT([tinc], [1.0.23]) AC_INIT([tinc], [1.0.24])
AC_CONFIG_SRCDIR([src/tincd.c]) AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall]) AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc -Wall])
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
@ -105,7 +105,7 @@ AC_ARG_ENABLE(tunemu,
) )
AC_ARG_WITH(windows2000, AC_ARG_WITH(windows2000,
AS_HELP_STRING([--without-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]), AS_HELP_STRING([--with-windows2000], [compile with support for Windows 2000. This disables support for tunneling over existing IPv6 networks.]),
[ AS_IF([test "x$with_windows2000" = "xyes"], [ AS_IF([test "x$with_windows2000" = "xyes"],
[AC_DEFINE(WITH_WINDOWS2000, 1, [Compile with support for Windows 2000])]) [AC_DEFINE(WITH_WINDOWS2000, 1, [Compile with support for Windows 2000])])
] ]
@ -129,17 +129,40 @@ if test -d /sw/lib ; then
LIBS="$LIBS -L/sw/lib" LIBS="$LIBS -L/sw/lib"
fi fi
dnl Compiler hardening flags
dnl No -fstack-protector-all because it doesn't work on all platforms or architectures.
AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags]))
AS_IF([test "x$enable_hardening" != "xno"],
[AX_CHECK_COMPILE_FLAG([-DFORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -DFORITFY_SOURCE=2"])
AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])
AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"])
case $host_os in
*mingw*)
AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"])
AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"])
;;
*)
AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"])
AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"])
;;
esac
AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"])
AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"])
]
);
dnl Checks for libraries. dnl Checks for libraries.
dnl Checks for header files. dnl Checks for header files.
dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies. dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
AC_HEADER_STDC AC_HEADER_STDC
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h]) AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h arpa/nameser.h dirent.h])
AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h], AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h netpacket/packet.h],
[], [], [#include "src/have.h"] [], [], [#include "src/have.h"]
) )
AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h], AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h resolv.h],
[], [], [#include "src/have.h"] [], [], [#include "src/have.h"]
) )
AC_CHECK_HEADERS([netinet/tcp.h netinet/ip_icmp.h netinet/icmp6.h], AC_CHECK_HEADERS([netinet/tcp.h netinet/ip_icmp.h netinet/icmp6.h],
@ -179,6 +202,11 @@ AC_CHECK_DECLS([freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo],
[], [], [#include "src/have.h"] [], [], [#include "src/have.h"]
) )
AC_CHECK_DECLS([res_init], [], [], [
#include <netinet/in.h>
#include <resolv.h>
])
AC_CACHE_SAVE AC_CACHE_SAVE
dnl These are defined in files in m4/ dnl These are defined in files in m4/
@ -189,7 +217,7 @@ tinc_OPENSSL
dnl Check if support for jumbograms is requested dnl Check if support for jumbograms is requested
AC_ARG_ENABLE(jumbograms, AC_ARG_ENABLE(jumbograms,
AS_HELP_STRING([--disable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]), AS_HELP_STRING([--enable-jumbograms], [enable support for jumbograms (packets up to 9000 bytes)]),
[ AS_IF([test "x$enable_jumbograms" = "xyes"], [ AS_IF([test "x$enable_jumbograms" = "xyes"],
[ AC_DEFINE(ENABLE_JUMBOGRAMS, 1, [Support for jumbograms (packets up to 9000 bytes)]) ]) [ AC_DEFINE(ENABLE_JUMBOGRAMS, 1, [Support for jumbograms (packets up to 9000 bytes)]) ])
] ]

13
debian/changelog vendored
View file

@ -1,3 +1,16 @@
tinc (1.0.24-1) unstable; urgency=medium
[ Guus Sliepen ]
* New upstream release
* Add a debian/watch file.
* Bump Standards-Version.
[ Gian Piero Carrubba ]
* Allow resource limits to be set in /etc/default/tinc.
Closes: #690685, #704702
-- Guus Sliepen <guus@debian.org> Sun, 11 May 2014 21:17:13 +0200
tinc (1.0.23-2) unstable; urgency=low tinc (1.0.23-2) unstable; urgency=low
* Use if-statements instead of && in shell scripts. Closes: #731279 * Use if-statements instead of && in shell scripts. Closes: #731279

2
debian/control vendored
View file

@ -2,7 +2,7 @@ Source: tinc
Section: net Section: net
Priority: optional Priority: optional
Maintainer: Guus Sliepen <guus@debian.org> Maintainer: Guus Sliepen <guus@debian.org>
Standards-Version: 3.9.4 Standards-Version: 3.9.5
Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev Build-Depends: libssl-dev, debhelper (>= 9), gettext, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev
Homepage: http://www.tinc-vpn.org/ Homepage: http://www.tinc-vpn.org/

5
debian/tinc.default vendored
View file

@ -1,2 +1,7 @@
# Extra options to be passed to tincd. # Extra options to be passed to tincd.
# EXTRA="-d" # EXTRA="-d"
# Limits to be configured for the tincd process. Please read your shell
# (pointed by /bin/sh) documentation for ulimit. You probably want to raise the
# max locked memory value if using both --mlock and --user flags.
# LIMITS="-l 1024"

16
debian/tinc.if-pre-up vendored
View file

@ -10,6 +10,22 @@ fi
. /etc/default/tinc . /etc/default/tinc
# Set process limits
setlimits() {
while [ $# -gt 0 ]; do
parm=$1 ; shift
if [ -n "$1" -a "${1#-}" = "$1" ]; then
value=$1 ; shift
ulimit $parm $value
else
ulimit $parm
fi
done
}
test -n "$LIMITS" && setlimits $LIMITS
# Read options from /etc/network/interfaces # Read options from /etc/network/interfaces
[ -n "$IF_TINC_CONFIG" ] && EXTRA="$EXTRA -c $IF_TINC_CONFIG" [ -n "$IF_TINC_CONFIG" ] && EXTRA="$EXTRA -c $IF_TINC_CONFIG"

14
debian/tinc.init vendored
View file

@ -56,6 +56,20 @@ signal_running() {
done done
} }
setlimits() {
while [ $# -gt 0 ]; do
parm=$1 ; shift
if [ -n "$1" -a "${1#-}" = "$1" ]; then
value=$1 ; shift
ulimit $parm $value
else
ulimit $parm
fi
done
}
test -n "$LIMITS" && setlimits $LIMITS
start() { start() {
$DAEMON $EXTRA -n "$@" $DAEMON $EXTRA -n "$@"
} }

70
debian/upstream/signing-key.asc vendored Normal file
View file

@ -0,0 +1,70 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBEVZzTABEADawFv/ibQ48uA1eRhL07vdM36Pcq2HDyuyNA+vYEalNH4jLmha
nGPvDALWwX0DXIWDAG8zeTj8s8zliLIjuPS4WRI2YdKIvWeG9fEvpKSXVWa42ica
dpzn/H2aBd4Ax6rQaiTXKOvxANAp2Veb+73ssPV5AL00uGTpzhh98xQzfFQCZ9ZL
YSVPqbMed5oCt/4jM9FBO2CuBtkfiO0dVVYtW7FAVjcIlE2NaZol/KGvz7wsS+yA
dE42W0l5MdQueLmTF4AIUSSTyPFGMQoyqh+MPif73Y589IGcW6GdfKYWnVDo6Trh
HOhcEky+uTYKb6NL0vrJgUiYVMzAOXFDdJni1eQGO6EfZRNYtTga3alWq/jVelK7
BID5JyNbkrTAqdPnhJGivVyk8gGX3+Hng8rkXTfWhp6yAYau1QfBm0F2tIQmpL1C
+7DoLvFErboQf685jXJBjzyvsJxB2ZLH1OOw6mNL0hy2LFkIyGza/bktY2em4apo
KWV5AM5LpyW6THH1oDS7706xFNkf4IFhKE0hKPzBiRnMDjRtMI131lkc5+P8Lqf5
jLTCFUgbEhU6Dz2YjhHAumVm0NWJETUpFDtVvMrqk+mp5xldUOWRNlYQC5aQOyda
eHOlNzB/BFbPhKMWI/zWlEH6f0t6WjHb4iwpWO47511aVNHF59aPzbAHxwARAQAB
tC9UaW5jIERldmVsb3BtZW50IFRlYW0gPHRpbmMtZGV2ZWxAdGluYy12cG4ub3Jn
PokCNgQTAQIAIAUCRVnNMAIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEEpg
hLnA1x9KxOAQAMPhO2WTXv9AaGQBQhyyoGseKoSfcRjtI9YEfE0OInQQ2E+SPYF/
dkfeLGAUqa4foTYQlMqfw70vBhTdVCb7HLTGn6/ICFUtDwakUQCgUQGlUVQiondA
8W6jj+QWrh5BQhHuXy2nCVaKnksu0/xQPsJotghxuYqaot3iJ4qVw9iT/Yeo9irH
Ffftqu0OVCdQ5zQuFNI9YCv/C83L59ecH7bOzYz2efTyobvxrhmgQtgOQwCWOE09
Kr3veM9KLG33YoXlqv8QN/3CwtsJvSwfhj+R2JowZC7RqHe/yznRzmRMsgbrolxi
uiJLonGxcNNkD7WhXi7/zL4A/JaC27XrFf1MPLv8aiTwnOIfrXd5jawpauUOZOXK
UjIZHlIqviB0r5s7A+AFeHW38Tp9VzNuQ7aEl5bHbSXV+s7DTAwGb279z0AVaJ3h
5hWFxupw7UoGdzROwCBYzeX3sioAL6QvkXua8X6zOH45VEiSwrRX3Hlx/MLo7Z4g
PWgFLf6WviHQXCG834To1XIwUk9RgNsL7OzGjtaCuRymADImKMNwierq2zTfoRFQ
v9onIadIMF1fsc70hiBG9yAi36MEuk4VxG8Jc3PQQfSFm4RWazv1k3E0AAIob2Ek
DLVjvLO62Navo/OQ6D7yyiX0qes5S7/k3F1h8+87eRn3yxZE2kbxPg8KuQENBEVZ
zYYBCACoYgExmMKEtABL3pir/IXI4exR/45hkP6txFIrkVQb8DGJ9H39kiDr4gtj
F+pvcgMpec35S3m4fJ7WhDNvbDB4ZvONc1NMKs9cqDXfB+TLWPm4W+SkcKUrs+nK
i8l7ieggTALJcvRoLTX2EFmUFrD6y870W3rK2SfC/0VJX8Ou5cPbwCeueExjo5x0
3gNfu0jWUS0cyA9y+1rVVekrLuJY/+SI4jv3gdzrYbxD0f6dpbpC37QHoJdd0KGF
acPtT2azjY+HxW10EA3Aw9oZWFXnb1nFg2RbDpkaGLmLbaXweltLyw154UmCXxym
PXPqi9bSfEkj0GiYrapk4mW114u9ABEBAAGJA0QEGAECAA8FAkVZzYcCGwIFCQHh
M4ABKQkQSmCEucDXH0rAXSAEGQECAAYFAkVZzYcACgkQ017duBDeLmmu3wf/TFZM
tLKxiyQPtGSTE3eULPdWCEMDZXdSPTY0QHM7Zvh+qn1ei+iFpD0549MYnBEAwDIV
4o62Nrcg8IPu0CEkZIAn2JiFFGYvMGk91awZGV1GS3umd7Dt349E1oKDPZVzRn+j
QIKarXxxabRmx2s/dZZgSs/eguWTboBFmvls9tVfe8x/xPvcHFmqHVUoGKEJy6Tm
no+s4yNjpc5wAaRml+GYf1tK9WMFuZn79qKxkYv4WI96dXR0FL59YbFRkkaI+1/b
G31MvWTqVjY1nJGslByFPUUB8Ca1djtp1gx6NXnOYr3V5MEDfdbjjPu79No+/y6M
tIua5yNtSRlk2nKhIqo3D/sGQ/uHijiMRAtoLhiyqYMc9W9vx/KOoCUHoMJqE39a
Eputvgwwo0rwgSmNfB1dzneFojBdJ47WBSHC8NKtkpJj6mzvvlaI9jmEpK54x3nl
OmBj3X/xaepoRGAtrmgTBP4A9hSjrTMGu/tUQjlX+Xcr6n3g7GSVe5FpUyIMPXEU
+JZDTiEUyn1OdzfNGmnWP+KJX5pQVq4czf5XK6otLZJELDVw/Hbjnjmdz5WOKgEH
jSof3WPeMBgPAcd/cMAZeiGtWM1UpJBHqEXTkthmrpmtRftJKDbooNM9d5OwKiT+
I3vNBv/plMSr8NDjhTWC+ihrN6RBj1vaqpDgGpucPhoO2hwNqWuI4q5WUKtCyw6J
An7ErNaH4c0nVaZq6kJ8Vxdt+LpKYmOsJ8y9xtl6StcrkKNn+6ZfCfee7DEo2bvb
scfpqJqqOqb5KOagTpYs8mo6yQ3leRvFtoeBOQHVQzct23EwOMxbDyeunT50a1eH
MZTEWuIiuCUudM81QXU46oIcaAtj8tpG0Tmnku9g27EjwxUt+8kVmhlPHMb2TdoF
k5d0ce+JuxIG5+i+t8sUCorMc8zfp4g1bxZeMOcPnfyO3bSW11EVcN7ZxHlFC+XE
YOByP50CM3P8lItPlQ+WpY9kYWjiwu9kVPaGQ16G47nspngJInU5dhka3KJGtIZe
q7kBDQRFWc3GAQgAz/JUs24niKsd0ZtOjUWd4R4y0gjS0kC/vvLL2gbXYkA9tcjG
5iEvVWJY34QsudX0v1ULsVnJ89X/gsk8hAhAia1TQm+0Qq+MSxEaQkMSaOO8N70U
XzgH1dielvpea20WO4MyWQuRIJ0K2nsGmEPnt6ZP7fK8HVHFNggP/mQ6LMu1reAF
gvb8cEtjb9B5QaCUEoLjsbsuo+vLW7AWy4GfIRNESHw2Qt08AUaGrihpu6zi7N2b
QkHHJtqa63GzYJ+kYzAVvrFJXdwL/TRXLBzv+6yyvYSIHi8uB6/o6CZN6hpjfpME
ph+oYPqXeNOyMd1E9Kg8ymcPrNyQKfE3WnCRXQARAQABiQIlBBgBAgAPBQJFWc3H
AhsMBQkB4TOAAAoJEEpghLnA1x9KXYMP/3D9JYti6C8DWuX2hWv+2SUbLcMa5u1e
ETewIo5S3mqGWSaxX4YLPVRkZ1lOLmFysOLimf0thYm7IsatLcWmBdYUpK92ilvr
Sk2sKlhrOoBXEX/79Kz+Aj5PjeyiQxgQ7Ba/afwhU6aTqs2Dp1T0YNu2eBvV+1QH
lZnW2Wh96zzwc0dJUuY9eBk5Fgpu08Wce7o6jxFPtVyAaQa0zcNAmw2TSY7wbunJ
WTl9OgATAyqVCuhWW7AnPcSqkH8lQigSc00wfqJKOD2Us0FqN6UKDCZTyQkdP6hx
G+3aUkkvGSOxy7u9bVWmrikuJMoiIY/CH/m+GcJJATVibI7t5MhhtBGySKc3PAwc
58sVe9AnbDvs84efrNP59j2KG2KKqcqjTGAmKyJnG3N50xJGakDIsqfneIRNWpEE
pOOPaOqR4qnPAS9OSt9A3hqBpWPjQcScd6AuO+J2PE5y23pTnb9PtLBQb5e4VFiv
N54u8j4bU2CO0SC2isZ3CR68dPHthWsxt4XbjhgktjbpQRQ8L2EDBQ8oE13GOrOw
P8x4Q0eC5uzkXNyRqzKOsxlZEuc+75aDDd3M2GDw08FG7GI1p/L+NgenwT+9TmFX
2hOKVrjgyx+fPut1t5DJJubDWXGOK33qvrL7HTCEv1zz7LNbbPwwNHK4lfMAWuJW
D9wc3Y9Se/P/
=5MAs
-----END PGP PUBLIC KEY BLOCK-----

2
debian/watch vendored Normal file
View file

@ -0,0 +1,2 @@
version=3
opts=pgpsigurlmangle=s/$/.sig/ http://www.tinc-vpn.org/packages/tinc-(1\.0\.\d+)\.tar\.gz

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am. # Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc. # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -80,8 +80,10 @@ subdir = doc
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am texinfo.tex
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d mkinstalldirs = $(install_sh) -d

Binary file not shown.

View file

@ -1,4 +1,4 @@
.Dd 2010-01-16 .Dd 2014-05-11
.Dt TINC.CONF 5 .Dt TINC.CONF 5
.\" Manual page created by: .\" Manual page created by:
.\" Ivo Timmermans .\" Ivo Timmermans
@ -416,7 +416,7 @@ and
are available. are available.
.El .El
.It Va ReplayWindow Li = Ar bytes Pq 16 .It Va ReplayWindow Li = Ar bytes Pq 16
vhis is the size of the replay tracking window for each remote node, in bytes. This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from bandwidth scenarios, setting this to a higher value can reduce packet loss from
@ -428,7 +428,8 @@ traffic.
When this option is enabled tinc will only use Subnet statements which are When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local present in the host config files in the local
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory. directory. Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
.It Va TunnelServer Li = yes | no Po no Pc Bq experimental .It Va TunnelServer Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will no longer forward information between other tinc daemons, When this option is enabled tinc will no longer forward information between other tinc daemons,
and will only allow connections with nodes for which host config files are present in the local and will only allow connections with nodes for which host config files are present in the local
@ -631,6 +632,8 @@ The top directory for configuration files.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf
The default name of the server configuration file for net The default name of the server configuration file for net
.Ar NETNAME . .Ar NETNAME .
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /conf.d/
Optional directory from which any *.conf file will be loaded
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
Host configuration files are kept in this directory. Host configuration files are kept in this directory.
.It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up .It Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc-up

View file

@ -1,14 +1,14 @@
This is tinc.info, produced by makeinfo version 5.1 from tinc.texi. This is tinc.info, produced by makeinfo version 5.2 from tinc.texi.
INFO-DIR-SECTION Networking tools INFO-DIR-SECTION Networking tools
START-INFO-DIR-ENTRY START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual. * tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.22, a Virtual Private This is the info manual for tinc version 1.0.23, a Virtual Private
Network daemon. Network daemon.
Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>. <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
Permission is granted to make and distribute verbatim copies of this Permission is granted to make and distribute verbatim copies of this
@ -649,6 +649,9 @@ The actual configuration of the daemon is done in the file
'/etc/tinc/NETNAME/tinc.conf' and at least one other file in the '/etc/tinc/NETNAME/tinc.conf' and at least one other file in the
directory '/etc/tinc/NETNAME/hosts/'. directory '/etc/tinc/NETNAME/hosts/'.
An optionnal directory '/etc/tinc/NETNAME/conf.d' can be added from
which any .conf file will be read.
These file consists of comments (lines started with a #) or These file consists of comments (lines started with a #) or
assignments in the form of assignments in the form of
@ -1011,7 +1014,9 @@ ReplayWindow = <bytes> (16)
StrictSubnets = <yes|no> (no) [experimental] StrictSubnets = <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local which are present in the host config files in the local
'/etc/tinc/NETNAME/hosts/' directory. '/etc/tinc/NETNAME/hosts/' directory. Subnets learned via
connections to other nodes and which are not present in the local
host config files are ignored.
TunnelServer = <yes|no> (no) [experimental] TunnelServer = <yes|no> (no) [experimental]
When this option is enabled tinc will no longer forward information When this option is enabled tinc will no longer forward information
@ -1040,7 +1045,9 @@ Address = <IP ADDRESS|HOSTNAME> [<port>] [recommended]
This variable is only required if you want to connect to this host. This variable is only required if you want to connect to this host.
It must resolve to the external IP address where the host can be It must resolve to the external IP address where the host can be
reached, not the one that is internal to the VPN. If no port is reached, not the one that is internal to the VPN. If no port is
specified, the default Port is used. specified, the default Port is used. Multiple Address variables
can be specified, in which case each address will be tried until a
working connection has been established.
Cipher = <CIPHER> (blowfish) Cipher = <CIPHER> (blowfish)
The symmetric cipher algorithm used to encrypt UDP packets. Any The symmetric cipher algorithm used to encrypt UDP packets. Any
@ -2424,16 +2431,16 @@ Concept Index
* CHAL_REPLY: Authentication protocol. * CHAL_REPLY: Authentication protocol.
(line 10) (line 10)
* CIDR notation: Host configuration variables. * CIDR notation: Host configuration variables.
(line 91) (line 93)
* Cipher: Host configuration variables. * Cipher: Host configuration variables.
(line 12) (line 14)
* ClampMSS: Host configuration variables. * ClampMSS: Host configuration variables.
(line 18) (line 20)
* client: How connections work. * client: How connections work.
(line 18) (line 18)
* command line: Runtime options. (line 9) * command line: Runtime options. (line 9)
* Compression: Host configuration variables. * Compression: Host configuration variables.
(line 24) (line 26)
* connection: The connection. (line 6) * connection: The connection. (line 6)
* ConnectTo: Main configuration variables. * ConnectTo: Main configuration variables.
(line 53) (line 53)
@ -2452,7 +2459,7 @@ Concept Index
* DeviceType: Main configuration variables. * DeviceType: Main configuration variables.
(line 80) (line 80)
* Digest: Host configuration variables. * Digest: Host configuration variables.
(line 29) (line 31)
* DirectOnly: Main configuration variables. * DirectOnly: Main configuration variables.
(line 145) (line 145)
* dummy: Main configuration variables. * dummy: Main configuration variables.
@ -2481,7 +2488,7 @@ Concept Index
* IffOneQueue: Main configuration variables. * IffOneQueue: Main configuration variables.
(line 191) (line 191)
* IndirectData: Host configuration variables. * IndirectData: Host configuration variables.
(line 34) (line 36)
* Interface: Main configuration variables. * Interface: Main configuration variables.
(line 194) (line 194)
* INTERFACE: Scripts. (line 56) * INTERFACE: Scripts. (line 56)
@ -2498,7 +2505,7 @@ Concept Index
* MACExpire: Main configuration variables. * MACExpire: Main configuration variables.
(line 219) (line 219)
* MACLength: Host configuration variables. * MACLength: Host configuration variables.
(line 42) (line 44)
* MaxTimeout: Main configuration variables. * MaxTimeout: Main configuration variables.
(line 224) (line 224)
* meta-protocol: The meta-connection. (line 18) * meta-protocol: The meta-connection. (line 18)
@ -2521,7 +2528,7 @@ Concept Index
* OpenSSL: OpenSSL. (line 6) * OpenSSL: OpenSSL. (line 6)
* options: Runtime options. (line 9) * options: Runtime options. (line 9)
* PEM format: Host configuration variables. * PEM format: Host configuration variables.
(line 67) (line 69)
* PING: The meta-protocol. (line 88) * PING: The meta-protocol. (line 88)
* PingInterval: Main configuration variables. * PingInterval: Main configuration variables.
(line 266) (line 266)
@ -2529,12 +2536,12 @@ Concept Index
(line 270) (line 270)
* platforms: Supported platforms. (line 6) * platforms: Supported platforms. (line 6)
* PMTU: Host configuration variables. * PMTU: Host configuration variables.
(line 47) (line 49)
* PMTUDiscovery: Host configuration variables. * PMTUDiscovery: Host configuration variables.
(line 50) (line 52)
* PONG: The meta-protocol. (line 88) * PONG: The meta-protocol. (line 88)
* Port: Host configuration variables. * Port: Host configuration variables.
(line 55) (line 57)
* port numbers: Other files. (line 17) * port numbers: Other files. (line 17)
* PriorityInheritance: Main configuration variables. * PriorityInheritance: Main configuration variables.
(line 276) (line 276)
@ -2549,9 +2556,9 @@ Concept Index
* Proxy: Main configuration variables. * Proxy: Main configuration variables.
(line 297) (line 297)
* PublicKey: Host configuration variables. * PublicKey: Host configuration variables.
(line 59) (line 61)
* PublicKeyFile: Host configuration variables. * PublicKeyFile: Host configuration variables.
(line 62) (line 64)
* raw_socket: Main configuration variables. * raw_socket: Main configuration variables.
(line 92) (line 92)
* release: Supported platforms. (line 14) * release: Supported platforms. (line 14)
@ -2576,16 +2583,16 @@ Concept Index
* StrictSubnets: Main configuration variables. * StrictSubnets: Main configuration variables.
(line 331) (line 331)
* Subnet: Host configuration variables. * Subnet: Host configuration variables.
(line 74) (line 76)
* SUBNET: Scripts. (line 72) * SUBNET: Scripts. (line 72)
* Subnet weight: Host configuration variables. * Subnet weight: Host configuration variables.
(line 96) (line 98)
* SVPN: Security. (line 11) * SVPN: Security. (line 11)
* switch: Main configuration variables. * switch: Main configuration variables.
(line 239) (line 239)
* TCP: The meta-connection. (line 10) * TCP: The meta-connection. (line 10)
* TCPonly: Host configuration variables. * TCPonly: Host configuration variables.
(line 103) (line 105)
* tinc: Introduction. (line 6) * tinc: Introduction. (line 6)
* TINC: Security. (line 6) * TINC: Security. (line 6)
* tinc-down: Scripts. (line 18) * tinc-down: Scripts. (line 18)
@ -2596,16 +2603,16 @@ Concept Index
* tunifhead: Main configuration variables. * tunifhead: Main configuration variables.
(line 134) (line 134)
* TunnelServer: Main configuration variables. * TunnelServer: Main configuration variables.
(line 336) (line 338)
* tunnohead: Main configuration variables. * tunnohead: Main configuration variables.
(line 128) (line 128)
* UDP: The UDP tunnel. (line 30) * UDP: The UDP tunnel. (line 30)
* UDP <1>: Encryption of network packets. * UDP <1>: Encryption of network packets.
(line 12) (line 12)
* UDPRcvBuf: Main configuration variables. * UDPRcvBuf: Main configuration variables.
(line 343) (line 345)
* UDPSndBuf: Main configuration variables. * UDPSndBuf: Main configuration variables.
(line 348) (line 350)
* UML: Main configuration variables. * UML: Main configuration variables.
(line 110) (line 110)
* Universal tun/tap: Configuration of Linux kernels. * Universal tun/tap: Configuration of Linux kernels.
@ -2656,35 +2663,35 @@ Node: Configuration introduction20366
Node: Multiple networks21634 Node: Multiple networks21634
Node: How connections work23059 Node: How connections work23059
Node: Configuration files24281 Node: Configuration files24281
Node: Main configuration variables25669 Node: Main configuration variables25776
Node: Host configuration variables41635 Node: Host configuration variables41870
Node: Scripts46990 Node: Scripts47371
Node: How to configure49753 Node: How to configure50134
Node: Generating keypairs51010 Node: Generating keypairs51391
Node: Network interfaces51509 Node: Network interfaces51890
Node: Example configuration53357 Node: Example configuration53738
Node: Running tinc58682 Node: Running tinc59063
Node: Runtime options59272 Node: Runtime options59653
Node: Signals62574 Node: Signals62955
Node: Debug levels63765 Node: Debug levels64146
Node: Solving problems64701 Node: Solving problems65082
Node: Error messages66253 Node: Error messages66634
Node: Sending bug reports70262 Node: Sending bug reports70643
Node: Technical information71209 Node: Technical information71590
Node: The connection71440 Node: The connection71821
Node: The UDP tunnel71752 Node: The UDP tunnel72133
Node: The meta-connection74815 Node: The meta-connection75196
Node: The meta-protocol76284 Node: The meta-protocol76665
Node: Security81301 Node: Security81682
Node: Authentication protocol82434 Node: Authentication protocol82815
Node: Encryption of network packets87451 Node: Encryption of network packets87832
Node: Security issues88827 Node: Security issues89208
Node: Platform specific information90454 Node: Platform specific information90835
Node: Interface configuration90682 Node: Interface configuration91063
Node: Routes93135 Node: Routes93516
Node: About us95052 Node: About us95433
Node: Contact information95227 Node: Contact information95608
Node: Authors95631 Node: Authors96012
Node: Concept Index96036 Node: Concept Index96417
 
End Tag Table End Tag Table

View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans, Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -39,7 +39,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll @vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2013 Ivo Timmermans, Copyright @copyright{} 1998-2014 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -718,6 +718,9 @@ The actual configuration of the daemon is done in the file
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory @file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf} and at least one other file in the directory
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/}. @file{@value{sysconfdir}/tinc/@var{netname}/hosts/}.
An optionnal directory @file{@value{sysconfdir}/tinc/@var{netname}/conf.d} can be added from which
any .conf file will be read.
These file consists of comments (lines started with a #) or assignments These file consists of comments (lines started with a #) or assignments
in the form of in the form of
@ -1102,6 +1105,8 @@ traffic.
When this option is enabled tinc will only use Subnet statements which are When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local present in the host config files in the local
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Subnets learned via connections to other nodes and which are not
present in the local host config files are ignored.
@cindex TunnelServer @cindex TunnelServer
@item TunnelServer = <yes|no> (no) [experimental] @item TunnelServer = <yes|no> (no) [experimental]
@ -1134,6 +1139,8 @@ This variable is only required if you want to connect to this host. It
must resolve to the external IP address where the host can be reached, must resolve to the external IP address where the host can be reached,
not the one that is internal to the VPN. not the one that is internal to the VPN.
If no port is specified, the default Port is used. If no port is specified, the default Port is used.
Multiple Address variables can be specified, in which case each address will be
tried until a working connection has been established.
@cindex Cipher @cindex Cipher
@item Cipher = <@var{cipher}> (blowfish) @item Cipher = <@var{cipher}> (blowfish)

View file

@ -1,4 +1,4 @@
.Dd 2011-01-02 .Dd 2014-05-11
.Dt TINCD 8 .Dt TINCD 8
.\" Manual page created by: .\" Manual page created by:
.\" Ivo Timmermans .\" Ivo Timmermans

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am. # Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc. # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -81,8 +81,10 @@ subdir = m4
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am README
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d mkinstalldirs = $(install_sh) -d

View file

@ -0,0 +1,72 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
# Check whether the given FLAG works with the current language's compiler
# or gives an error. (Warnings, however, are ignored)
#
# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
# success/failure.
#
# If EXTRA-FLAGS is defined, it is added to the current language's default
# flags (e.g. CFLAGS) when the check is done. The check is thus made with
# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
# force the compiler to issue an error when a bad flag is given.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_CHECK_COMPILE_FLAG],
[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
_AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
[AS_VAR_SET(CACHEVAR,[yes])],
[AS_VAR_SET(CACHEVAR,[no])])
_AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
[m4_default([$2], :)],
[m4_default([$3], :)])
AS_VAR_POPDEF([CACHEVAR])dnl
])dnl AX_CHECK_COMPILE_FLAGS

71
m4/ax_check_link_flag.m4 Normal file
View file

@ -0,0 +1,71 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
#
# DESCRIPTION
#
# Check whether the given FLAG works with the linker or gives an error.
# (Warnings, however, are ignored)
#
# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
# success/failure.
#
# If EXTRA-FLAGS is defined, it is added to the linker's default flags
# when the check is done. The check is thus made with the flags: "LDFLAGS
# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
# issue an error when a bad flag is given.
#
# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
#
# LICENSE
#
# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 2
AC_DEFUN([AX_CHECK_LINK_FLAG],
[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
ax_check_save_flags=$LDFLAGS
LDFLAGS="$LDFLAGS $4 $1"
AC_LINK_IFELSE([AC_LANG_PROGRAM()],
[AS_VAR_SET(CACHEVAR,[yes])],
[AS_VAR_SET(CACHEVAR,[no])])
LDFLAGS=$ax_check_save_flags])
AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
[m4_default([$2], :)],
[m4_default([$3], :)])
AS_VAR_POPDEF([CACHEVAR])dnl
])dnl AX_CHECK_LINK_FLAGS

View file

@ -1,7 +1,7 @@
#! /bin/sh #! /bin/sh
# Common wrapper for a few potentially missing GNU programs. # Common wrapper for a few potentially missing GNU programs.
scriptversion=2012-06-26.16; # UTC scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996-2013 Free Software Foundation, Inc. # Copyright (C) 1996-2013 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
@ -160,7 +160,7 @@ give_advice ()
;; ;;
autom4te*) autom4te*)
echo "You might have modified some maintainer files that require" echo "You might have modified some maintainer files that require"
echo "the 'automa4te' program to be rebuilt." echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te' program_details 'autom4te'
;; ;;
bison*|yacc*) bison*|yacc*)

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.14 from Makefile.am. # Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@ # @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc. # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@ -93,8 +93,10 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ $(top_srcdir)/m4/ax_check_compile_flag.m4 \
$(top_srcdir)/m4/zlib.m4 $(top_srcdir)/configure.ac $(top_srcdir)/m4/ax_check_link_flag.m4 $(top_srcdir)/m4/lzo.m4 \
$(top_srcdir)/m4/openssl.m4 $(top_srcdir)/m4/zlib.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4) $(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d mkinstalldirs = $(install_sh) -d

View file

@ -2,7 +2,7 @@
avl_tree.c -- avl_ tree and linked list convenience avl_tree.c -- avl_ tree and linked list convenience
Copyright (C) 1998 Michael H. Buselli Copyright (C) 1998 Michael H. Buselli
2000-2005 Ivo Timmermans, 2000-2005 Ivo Timmermans,
2000-2006 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2000-2005 Wessel Dankers <wsl@tinc-vpn.org> 2000-2005 Wessel Dankers <wsl@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -168,14 +168,12 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
child->right->parent = child; child->right->parent = child;
gchild->right = node; gchild->right = node;
if(gchild->right)
gchild->right->parent = gchild; gchild->right->parent = gchild;
gchild->left = child; gchild->left = child;
if(gchild->left)
gchild->left->parent = gchild; gchild->left->parent = gchild;
*superparent = gchild;
*superparent = gchild;
gchild->parent = parent; gchild->parent = parent;
#ifdef AVL_COUNT #ifdef AVL_COUNT
node->count = AVL_CALC_COUNT(node); node->count = AVL_CALC_COUNT(node);
@ -224,11 +222,9 @@ static void avl_rebalance(avl_tree_t *tree, avl_node_t *node)
child->left->parent = child; child->left->parent = child;
gchild->left = node; gchild->left = node;
if(gchild->left)
gchild->left->parent = gchild; gchild->left->parent = gchild;
gchild->right = child; gchild->right = child;
if(gchild->right)
gchild->right->parent = gchild; gchild->right->parent = gchild;
*superparent = gchild; *superparent = gchild;
@ -600,6 +596,8 @@ void avl_unlink_node(avl_tree_t *tree, avl_node_t *node)
balnode = parent; balnode = parent;
} else { } else {
subst = node->prev; subst = node->prev;
if(!subst) // This only happens if node is not actually in a tree at all.
abort();
if(subst == left) { if(subst == left) {
balnode = subst; balnode = subst;

View file

@ -2,7 +2,7 @@
conf.c -- configuration code conf.c -- configuration code
Copyright (C) 1998 Robert van der Meulen Copyright (C) 1998 Robert van der Meulen
1998-2005 Ivo Timmermans 1998-2005 Ivo Timmermans
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2010-2011 Julien Muchembled <jm@jmuchemb.eu> 2010-2011 Julien Muchembled <jm@jmuchemb.eu>
2000 Cris van Pelt 2000 Cris van Pelt
@ -378,6 +378,29 @@ bool read_server_config(void) {
xasprintf(&fname, "%s/tinc.conf", confbase); xasprintf(&fname, "%s/tinc.conf", confbase);
x = read_config_file(config_tree, fname); x = read_config_file(config_tree, fname);
// We will try to read the conf files in the "conf.d" dir
if (x) {
char * dname;
xasprintf(&dname, "%s/conf.d", confbase);
DIR *dir = opendir (dname);
// If we can find this dir
if (dir) {
struct dirent *ep;
// We list all the files in it
while (x && (ep = readdir (dir))) {
size_t l = strlen(ep->d_name);
// And we try to read the ones that end with ".conf"
if (l > 5 && !strcmp(".conf", & ep->d_name[ l - 5 ])) {
free(fname);
xasprintf(&fname, "%s/%s", dname, ep->d_name);
x = read_config_file(config_tree, fname);
}
}
closedir (dir);
}
free(dname);
}
if(!x) { /* System error: complain */ if(!x) { /* System error: complain */
logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno)); logger(LOG_ERR, "Failed to read `%s': %s", fname, strerror(errno));
} }

View file

@ -1,6 +1,6 @@
/* /*
graph.c -- graph algorithms graph.c -- graph algorithms
Copyright (C) 2001-2013 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2014 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -212,9 +212,13 @@ static void sssp_bfs(void) {
&& (!e->to->status.indirect || indirect)) && (!e->to->status.indirect || indirect))
continue; continue;
// Only update nexthop the first time we visit this node.
if(!e->to->status.visited)
e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
e->to->status.visited = true; e->to->status.visited = true;
e->to->status.indirect = indirect; e->to->status.indirect = indirect;
e->to->nexthop = (n->nexthop == myself) ? e->to : n->nexthop;
e->to->prevedge = e; e->to->prevedge = e;
e->to->via = indirect ? n->via : e->to; e->to->via = indirect ? n->via : e->to;
e->to->options = e->options; e->to->options = e->options;
@ -336,6 +340,7 @@ void dump_graph(void) {
if(!file) { if(!file) {
logger(LOG_ERR, "Unable to open graph dump file %s: %s", filename, strerror(errno)); logger(LOG_ERR, "Unable to open graph dump file %s: %s", filename, strerror(errno));
free(filename);
free(tmpname); free(tmpname);
return; return;
} }
@ -363,7 +368,10 @@ void dump_graph(void) {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
unlink(filename); unlink(filename);
#endif #endif
rename(tmpname, filename); if(rename(tmpname, filename))
logger(LOG_ERR, "Could not rename %s to %s: %s\n", tmpname, filename, strerror(errno));
free(tmpname); free(tmpname);
} }
free(filename);
} }

View file

@ -1,7 +1,7 @@
/* /*
have.h -- include headers which are known to exist have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2003-2011 Guus Sliepen <guus@tinc-vpn.org> 2003-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -38,6 +38,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#include <limits.h>
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
#include <w32api.h> #include <w32api.h>

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction with Linux ethertap and tun/tap device device.c -- Interaction with Linux ethertap and tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans, Copyright (C) 2001-2005 Ivo Timmermans,
2001-2013 Guus Sliepen <guus@tinc-vpn.org> 2001-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -107,17 +107,21 @@ static bool setup_device(void) {
ifr.ifr_flags |= IFF_ONE_QUEUE; ifr.ifr_flags |= IFF_ONE_QUEUE;
#endif #endif
if(iface) if(iface) {
strncpy(ifr.ifr_name, iface, IFNAMSIZ); strncpy(ifr.ifr_name, iface, IFNAMSIZ);
ifr.ifr_name[IFNAMSIZ - 1] = 0;
}
if(!ioctl(device_fd, TUNSETIFF, &ifr)) { if(!ioctl(device_fd, TUNSETIFF, &ifr)) {
strncpy(ifrname, ifr.ifr_name, IFNAMSIZ); strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
if(iface) free(iface); ifrname[IFNAMSIZ - 1] = 0;
free(iface);
iface = xstrdup(ifrname); iface = xstrdup(ifrname);
} else if(!ioctl(device_fd, (('T' << 8) | 202), &ifr)) { } else if(!ioctl(device_fd, (('T' << 8) | 202), &ifr)) {
logger(LOG_WARNING, "Old ioctl() request was needed for %s", device); logger(LOG_WARNING, "Old ioctl() request was needed for %s", device);
strncpy(ifrname, ifr.ifr_name, IFNAMSIZ); strncpy(ifrname, ifr.ifr_name, IFNAMSIZ);
if(iface) free(iface); ifrname[IFNAMSIZ - 1] = 0;
free(iface);
iface = xstrdup(ifrname); iface = xstrdup(ifrname);
} else } else
#endif #endif
@ -126,7 +130,6 @@ static bool setup_device(void) {
overwrite_mac = true; overwrite_mac = true;
device_info = "Linux ethertap device"; device_info = "Linux ethertap device";
device_type = DEVICE_TYPE_ETHERTAP; device_type = DEVICE_TYPE_ETHERTAP;
if(iface)
free(iface); free(iface);
iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
} }

View file

@ -1,6 +1,6 @@
/* /*
meta.c -- handle the meta communication meta.c -- handle the meta communication
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans 2000-2005 Ivo Timmermans
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
@ -180,7 +180,7 @@ bool receive_meta(connection_t *c) {
if(!c->node) { if(!c->node) {
if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) { if(c->outgoing && proxytype == PROXY_SOCKS4 && c->allow_request == ID) {
if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) { if(c->buffer[0] == 0 && c->buffer[1] == 0x5a) {
logger(LOG_DEBUG, "Proxy request granted"); ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
} else { } else {
logger(LOG_ERR, "Proxy request rejected"); logger(LOG_ERR, "Proxy request rejected");
return false; return false;
@ -199,9 +199,9 @@ bool receive_meta(connection_t *c) {
return false; return false;
} }
if(c->buffer[3] == 0) { if(c->buffer[3] == 0) {
logger(LOG_DEBUG, "Proxy request granted"); ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Proxy request granted");
} else { } else {
logger(LOG_DEBUG, "Proxy request rejected"); logger(LOG_ERR, "Proxy request rejected");
return false; return false;
} }
} else { } else {

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction with Windows tap driver in a MinGW environment device.c -- Interaction with Windows tap driver in a MinGW environment
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2013 Guus Sliepen <guus@tinc-vpn.org> 2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -49,6 +49,7 @@ static DWORD WINAPI tapreader(void *bla) {
DWORD len; DWORD len;
OVERLAPPED overlapped; OVERLAPPED overlapped;
vpn_packet_t packet; vpn_packet_t packet;
int errors = 0;
logger(LOG_DEBUG, "Tap reader running"); logger(LOG_DEBUG, "Tap reader running");
@ -71,16 +72,27 @@ static DWORD WINAPI tapreader(void *bla) {
} else { } else {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
device, strerror(errno)); device, strerror(errno));
return -1; errors++;
if(errors >= 10) {
EnterCriticalSection(&mutex);
running = false;
LeaveCriticalSection(&mutex);
}
usleep(1000000);
continue;
} }
} }
EnterCriticalSection(&mutex); errors = 0;
packet.len = len; packet.len = len;
packet.priority = 0; packet.priority = 0;
EnterCriticalSection(&mutex);
route(myself, &packet); route(myself, &packet);
LeaveCriticalSection(&mutex); LeaveCriticalSection(&mutex);
} }
return 0;
} }
static bool setup_device(void) { static bool setup_device(void) {

View file

@ -1,7 +1,7 @@
/* /*
device.c -- multicast socket device.c -- multicast socket
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2013 Guus Sliepen <guus@tinc-vpn.org> 2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -56,6 +56,7 @@ static bool setup_device(void) {
space = strchr(host, ' '); space = strchr(host, ' ');
if(!space) { if(!space) {
logger(LOG_ERR, "Port number required for %s", device_info); logger(LOG_ERR, "Port number required for %s", device_info);
free(host);
return false; return false;
} }
@ -75,6 +76,7 @@ static bool setup_device(void) {
device_fd = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP); device_fd = socket(ai->ai_family, SOCK_DGRAM, IPPROTO_UDP);
if(device_fd < 0) { if(device_fd < 0) {
logger(LOG_ERR, "Creating socket failed: %s", sockstrerror(sockerrno)); logger(LOG_ERR, "Creating socket failed: %s", sockstrerror(sockerrno));
free(host);
return false; return false;
} }
@ -88,6 +90,7 @@ static bool setup_device(void) {
if(bind(device_fd, ai->ai_addr, ai->ai_addrlen)) { if(bind(device_fd, ai->ai_addr, ai->ai_addrlen)) {
closesocket(device_fd); closesocket(device_fd);
logger(LOG_ERR, "Can't bind to %s %s: %s", host, port, sockstrerror(sockerrno)); logger(LOG_ERR, "Can't bind to %s %s: %s", host, port, sockstrerror(sockerrno));
free(host);
return false; return false;
} }
@ -102,6 +105,7 @@ static bool setup_device(void) {
if(setsockopt(device_fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof mreq)) { if(setsockopt(device_fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof mreq)) {
logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno)); logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
closesocket(device_fd); closesocket(device_fd);
free(host);
return false; return false;
} }
#ifdef IP_MULTICAST_LOOP #ifdef IP_MULTICAST_LOOP
@ -123,6 +127,7 @@ static bool setup_device(void) {
if(setsockopt(device_fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, (void *)&mreq, sizeof mreq)) { if(setsockopt(device_fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, (void *)&mreq, sizeof mreq)) {
logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno)); logger(LOG_ERR, "Cannot join multicast group %s %s: %s", host, port, sockstrerror(sockerrno));
closesocket(device_fd); closesocket(device_fd);
free(host);
return false; return false;
} }
#ifdef IPV6_MULTICAST_LOOP #ifdef IPV6_MULTICAST_LOOP
@ -135,11 +140,13 @@ static bool setup_device(void) {
#endif #endif
default: default:
logger(LOG_ERR, "Multicast for address family %hx unsupported", ai->ai_family); logger(LOG_ERR, "Multicast for address family %x unsupported", ai->ai_family);
closesocket(device_fd); closesocket(device_fd);
free(host);
return false; return false;
} }
free(host);
logger(LOG_INFO, "%s is a %s", device, device_info); logger(LOG_INFO, "%s is a %s", device, device_info);
return true; return true;

View file

@ -1,7 +1,7 @@
/* /*
net.c -- most of the network code net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2011 Loïc Grenié <loic.grenie@gmail.com> 2011 Loïc Grenié <loic.grenie@gmail.com>
@ -41,6 +41,14 @@
#include "subnet.h" #include "subnet.h"
#include "xalloc.h" #include "xalloc.h"
#ifdef HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#endif
#ifdef HAVE_RESOLV_H
#include <resolv.h>
#endif
bool do_purge = false; bool do_purge = false;
volatile bool running = false; volatile bool running = false;
#ifdef HAVE_PSELECT #ifdef HAVE_PSELECT
@ -182,6 +190,12 @@ void terminate_connection(connection_t *c, bool report) {
closesocket(c->socket); closesocket(c->socket);
if(c->edge) { if(c->edge) {
if(!c->node) {
logger(LOG_ERR, "Connection to %s (%s) has an edge but node is NULL!", c->name, c->hostname);
// And that should never happen.
abort();
}
if(report && !tunnelserver) if(report && !tunnelserver)
send_del_edge(everyone, c->edge); send_del_edge(everyone, c->edge);
@ -494,6 +508,9 @@ int main_loop(void) {
avl_node_t *node; avl_node_t *node;
logger(LOG_INFO, "Flushing event queue"); logger(LOG_INFO, "Flushing event queue");
expire_events(); expire_events();
#if HAVE_DECL_RES_INIT
res_init();
#endif
for(node = connection_tree->head; node; node = node->next) { for(node = connection_tree->head; node; node = node->next) {
connection_t *c = node->data; connection_t *c = node->data;
if(c->status.active) if(c->status.active)

View file

@ -1,7 +1,7 @@
/* /*
net_packet.c -- Handles in- and outgoing VPN packets net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu> 2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -269,7 +269,7 @@ static bool try_mac(const node_t *n, const vpn_packet_t *inpkt) {
HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL); HMAC(n->indigest, n->inkey, n->inkeylength, (unsigned char *) &inpkt->seqno, inpkt->len - n->inmaclength, (unsigned char *)hmac, NULL);
return !memcmp(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength); return !memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len - n->inmaclength, n->inmaclength);
} }
static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) { static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
@ -302,7 +302,7 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
HMAC(n->indigest, n->inkey, n->inkeylength, HMAC(n->indigest, n->inkey, n->inkeylength,
(unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL); (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) { if(memcmp_constant_time(hmac, (char *) &inpkt->seqno + inpkt->len, n->inmaclength)) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)", ifdebug(TRAFFIC) logger(LOG_DEBUG, "Got unauthenticated packet from %s (%s)",
n->name, n->hostname); n->name, n->hostname);
return; return;
@ -664,7 +664,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
avl_node_t *node; avl_node_t *node;
edge_t *e; edge_t *e;
node_t *n = NULL; node_t *n = NULL;
bool hard = false;
static time_t last_hard_try = 0; static time_t last_hard_try = 0;
for(node = edge_weight_tree->head; node; node = node->next) { for(node = edge_weight_tree->head; node; node = node->next) {
@ -673,11 +672,8 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
if(e->to == myself) if(e->to == myself)
continue; continue;
if(sockaddrcmp_noport(from, &e->address)) { if(last_hard_try == now && sockaddrcmp_noport(from, &e->address))
if(last_hard_try == now)
continue; continue;
hard = true;
}
if(!try_mac(e->to, pkt)) if(!try_mac(e->to, pkt))
continue; continue;
@ -686,9 +682,6 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
break; break;
} }
if(hard)
last_hard_try = now;
last_hard_try = now; last_hard_try = now;
return n; return n;
} }

View file

@ -1,7 +1,7 @@
/* /*
net_setup.c -- Setup. net_setup.c -- Setup.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com> 2010 Brandon Black <blblack@gmail.com>
@ -165,23 +165,25 @@ static bool read_rsa_private_key(void) {
char *fname, *key, *pubkey; char *fname, *key, *pubkey;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false;
}
myself->connection->rsa_key = RSA_new(); myself->connection->rsa_key = RSA_new();
// RSA_blinding_on(myself->connection->rsa_key, NULL); // RSA_blinding_on(myself->connection->rsa_key, NULL);
if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) { if(BN_hex2bn(&myself->connection->rsa_key->d, key) != strlen(key)) {
logger(LOG_ERR, "Invalid PrivateKey for myself!"); logger(LOG_ERR, "Invalid PrivateKey for myself!");
free(key);
return false;
}
free(key);
if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false; return false;
} }
if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) { if(BN_hex2bn(&myself->connection->rsa_key->n, pubkey) != strlen(pubkey)) {
logger(LOG_ERR, "Invalid PublicKey for myself!"); logger(LOG_ERR, "Invalid PublicKey for myself!");
free(pubkey);
return false; return false;
} }
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
free(key);
free(pubkey); free(pubkey);
BN_hex2bn(&myself->connection->rsa_key->e, "FFFF");
return true; return true;
} }
@ -200,15 +202,12 @@ static bool read_rsa_private_key(void) {
#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN) #if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
struct stat s; struct stat s;
if(fstat(fileno(fp), &s)) { if(!fstat(fileno(fp), &s)) {
logger(LOG_ERR, "Could not stat RSA private key file `%s': %s'",
fname, strerror(errno));
free(fname);
return false;
}
if(s.st_mode & ~0100700) if(s.st_mode & ~0100700)
logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname); logger(LOG_WARNING, "Warning: insecure file permissions for RSA private key file `%s'!", fname);
} else {
logger(LOG_WARNING, "Could not stat RSA private key file `%s': %s'", fname, strerror(errno));
}
#endif #endif
myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
@ -299,10 +298,12 @@ char *get_name(void) {
if(!envname) { if(!envname) {
if(strcmp(name + 1, "HOST")) { if(strcmp(name + 1, "HOST")) {
fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1); fprintf(stderr, "Invalid Name: environment variable %s does not exist\n", name + 1);
free(name);
return false; return false;
} }
if(gethostname(hostname, sizeof hostname) || !*hostname) { if(gethostname(hostname, sizeof hostname) || !*hostname) {
fprintf(stderr, "Could not get hostname: %s\n", strerror(errno)); fprintf(stderr, "Could not get hostname: %s\n", strerror(errno));
free(name);
return false; return false;
} }
hostname[31] = 0; hostname[31] = 0;
@ -340,6 +341,7 @@ static bool setup_myself(void) {
bool choice; bool choice;
int i, err; int i, err;
int replaywin_int; int replaywin_int;
bool port_specified = false;
myself = new_node(); myself = new_node();
myself->connection = new_connection(); myself->connection = new_connection();
@ -355,6 +357,8 @@ static bool setup_myself(void) {
return false; return false;
} }
/* Read tinc.conf and our own host config file */
myself->name = name; myself->name = name;
myself->connection->name = xstrdup(name); myself->connection->name = xstrdup(name);
xasprintf(&fname, "%s/hosts/%s", confbase, name); xasprintf(&fname, "%s/hosts/%s", confbase, name);
@ -367,6 +371,10 @@ static bool setup_myself(void) {
if(!get_config_string(lookup_config(config_tree, "Port"), &myport)) if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
myport = xstrdup("655"); myport = xstrdup("655");
else
port_specified = true;
/* Ensure myport is numeric */
if(!atoi(myport)) { if(!atoi(myport)) {
struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM); struct addrinfo *ai = str2addrinfo("localhost", myport, SOCK_DGRAM);
@ -378,8 +386,7 @@ static bool setup_myself(void) {
sockaddr2str(&sa, NULL, &myport); sockaddr2str(&sa, NULL, &myport);
} }
get_config_string(lookup_config(config_tree, "Proxy"), &proxy); if(get_config_string(lookup_config(config_tree, "Proxy"), &proxy)) {
if(proxy) {
if((space = strchr(proxy, ' '))) if((space = strchr(proxy, ' ')))
*space++ = 0; *space++ = 0;
@ -397,6 +404,7 @@ static bool setup_myself(void) {
proxytype = PROXY_EXEC; proxytype = PROXY_EXEC;
} else { } else {
logger(LOG_ERR, "Unknown proxy type %s!", proxy); logger(LOG_ERR, "Unknown proxy type %s!", proxy);
free(proxy);
return false; return false;
} }
@ -408,6 +416,7 @@ static bool setup_myself(void) {
case PROXY_EXEC: case PROXY_EXEC:
if(!space || !*space) { if(!space || !*space) {
logger(LOG_ERR, "Argument expected for proxy type exec!"); logger(LOG_ERR, "Argument expected for proxy type exec!");
free(proxy);
return false; return false;
} }
proxyhost = xstrdup(space); proxyhost = xstrdup(space);
@ -426,6 +435,7 @@ static bool setup_myself(void) {
*space++ = 0, proxypass = space; *space++ = 0, proxypass = space;
if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) { if(!proxyhost || !*proxyhost || !proxyport || !*proxyport) {
logger(LOG_ERR, "Host and port argument expected for proxy!"); logger(LOG_ERR, "Host and port argument expected for proxy!");
free(proxy);
return false; return false;
} }
proxyhost = xstrdup(proxyhost); proxyhost = xstrdup(proxyhost);
@ -479,6 +489,7 @@ static bool setup_myself(void) {
routing_mode = RMODE_HUB; routing_mode = RMODE_HUB;
else { else {
logger(LOG_ERR, "Invalid routing mode!"); logger(LOG_ERR, "Invalid routing mode!");
free(mode);
return false; return false;
} }
free(mode); free(mode);
@ -493,6 +504,7 @@ static bool setup_myself(void) {
forwarding_mode = FMODE_KERNEL; forwarding_mode = FMODE_KERNEL;
else { else {
logger(LOG_ERR, "Invalid forwarding mode!"); logger(LOG_ERR, "Invalid forwarding mode!");
free(mode);
return false; return false;
} }
free(mode); free(mode);
@ -519,6 +531,7 @@ static bool setup_myself(void) {
broadcast_mode = BMODE_DIRECT; broadcast_mode = BMODE_DIRECT;
else { else {
logger(LOG_ERR, "Invalid broadcast mode!"); logger(LOG_ERR, "Invalid broadcast mode!");
free(mode);
return false; return false;
} }
free(mode); free(mode);
@ -571,6 +584,7 @@ static bool setup_myself(void) {
addressfamily = AF_UNSPEC; addressfamily = AF_UNSPEC;
else { else {
logger(LOG_ERR, "Invalid address family!"); logger(LOG_ERR, "Invalid address family!");
free(afname);
return false; return false;
} }
free(afname); free(afname);
@ -580,8 +594,7 @@ static bool setup_myself(void) {
/* Generate packet encryption key */ /* Generate packet encryption key */
if(get_config_string if(get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) {
(lookup_config(config_tree, "Cipher"), &cipher)) {
if(!strcasecmp(cipher, "none")) { if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL; myself->incipher = NULL;
} else { } else {
@ -589,9 +602,11 @@ static bool setup_myself(void) {
if(!myself->incipher) { if(!myself->incipher) {
logger(LOG_ERR, "Unrecognized cipher type!"); logger(LOG_ERR, "Unrecognized cipher type!");
free(cipher);
return false; return false;
} }
} }
free(cipher);
} else } else
myself->incipher = EVP_bf_cbc(); myself->incipher = EVP_bf_cbc();
@ -617,9 +632,12 @@ static bool setup_myself(void) {
if(!myself->indigest) { if(!myself->indigest) {
logger(LOG_ERR, "Unrecognized digest type!"); logger(LOG_ERR, "Unrecognized digest type!");
free(digest);
return false; return false;
} }
} }
free(digest);
} else } else
myself->indigest = EVP_sha1(); myself->indigest = EVP_sha1();
@ -683,6 +701,7 @@ static bool setup_myself(void) {
else if(!strcasecmp(type, "vde")) else if(!strcasecmp(type, "vde"))
devops = vde_devops; devops = vde_devops;
#endif #endif
free(type);
} }
if(!devops.setup()) if(!devops.setup())
@ -812,13 +831,27 @@ static bool setup_myself(void) {
} while(cfg); } while(cfg);
} }
if(listen_sockets) if(!listen_sockets) {
logger(LOG_NOTICE, "Ready");
else {
logger(LOG_ERR, "Unable to create any listening socket!"); logger(LOG_ERR, "Unable to create any listening socket!");
return false; return false;
} }
/* If no Port option was specified, set myport to the port used by the first listening socket. */
if(!port_specified) {
sockaddr_t sa;
socklen_t salen = sizeof sa;
if(!getsockname(listen_socket[0].udp, &sa.sa, &salen)) {
free(myport);
sockaddr2str(&sa, NULL, &myport);
if(!myport)
myport = xstrdup("655");
}
}
/* Done. */
logger(LOG_NOTICE, "Ready");
return true; return true;
} }

View file

@ -1,7 +1,7 @@
/* /*
net_socket.c -- Handle various kinds of sockets. net_socket.c -- Handle various kinds of sockets.
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2009 Florian Forster <octo@verplant.org> 2009 Florian Forster <octo@verplant.org>
@ -94,13 +94,14 @@ static bool bind_to_interface(int sd) {
memset(&ifr, 0, sizeof(ifr)); memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0; ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
free(iface);
status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)); status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr));
if(status) { if(status) {
logger(LOG_ERR, "Can't bind to interface %s: %s", iface, logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
strerror(errno));
return false; return false;
} }
#else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */ #else /* if !defined(SOL_SOCKET) || !defined(SO_BINDTODEVICE) */
logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface"); logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
#endif #endif
@ -135,20 +136,21 @@ int setup_listen_socket(const sockaddr_t *sa) {
setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option); setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif #endif
if(get_config_string if(get_config_string(lookup_config(config_tree, "BindToInterface"), &iface)) {
(lookup_config(config_tree, "BindToInterface"), &iface)) {
#if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE) #if defined(SOL_SOCKET) && defined(SO_BINDTODEVICE)
struct ifreq ifr; struct ifreq ifr;
memset(&ifr, 0, sizeof(ifr)); memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
free(iface);
if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) { if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) {
closesocket(nfd); closesocket(nfd);
logger(LOG_ERR, "Can't bind to interface %s: %s", iface, logger(LOG_ERR, "Can't bind to interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(sockerrno));
strerror(sockerrno));
return -1; return -1;
} }
#else #else
logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface"); logger(LOG_WARNING, "%s not supported on this platform", "BindToInterface");
#endif #endif
@ -238,8 +240,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
option = 1; option = 1;
setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option)); setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option));
} }
#else
#warning No way to disable IPv4 fragmentation
#endif #endif
#if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO) #if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
@ -252,8 +252,6 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
option = 1; option = 1;
setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option)); setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
} }
#else
#warning No way to disable IPv6 fragmentation
#endif #endif
if (!bind_to_interface(nfd)) { if (!bind_to_interface(nfd)) {
@ -311,7 +309,7 @@ static void do_outgoing_pipe(connection_t *c, char *command) {
if(fork()) { if(fork()) {
c->socket = fd[0]; c->socket = fd[0];
close(fd[1]); close(fd[1]);
logger(LOG_DEBUG, "Using proxy %s", command); ifdebug(CONNECTIONS) logger(LOG_DEBUG, "Using proxy %s", command);
return; return;
} }
@ -407,7 +405,6 @@ begin:
if(!proxytype) { if(!proxytype) {
c->socket = socket(c->address.sa.sa_family, SOCK_STREAM, IPPROTO_TCP); c->socket = socket(c->address.sa.sa_family, SOCK_STREAM, IPPROTO_TCP);
configure_tcp(c);
} else if(proxytype == PROXY_EXEC) { } else if(proxytype == PROXY_EXEC) {
do_outgoing_pipe(c, proxyhost); do_outgoing_pipe(c, proxyhost);
} else { } else {
@ -416,7 +413,6 @@ begin:
goto begin; goto begin;
ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport); ifdebug(CONNECTIONS) logger(LOG_INFO, "Using proxy at %s port %s", proxyhost, proxyport);
c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP); c->socket = socket(proxyai->ai_family, SOCK_STREAM, IPPROTO_TCP);
configure_tcp(c);
} }
if(c->socket == -1) { if(c->socket == -1) {
@ -424,6 +420,9 @@ begin:
goto begin; goto begin;
} }
if(proxytype != PROXY_EXEC)
configure_tcp(c);
#ifdef FD_CLOEXEC #ifdef FD_CLOEXEC
fcntl(c->socket, F_SETFD, FD_CLOEXEC); fcntl(c->socket, F_SETFD, FD_CLOEXEC);
#endif #endif

View file

@ -46,7 +46,7 @@ pid_t read_pid (const char *pidfile)
if(fscanf(f,"%20ld", &pid) != 1) if(fscanf(f,"%20ld", &pid) != 1)
pid = 0; pid = 0;
fclose(f); fclose(f);
return pid; return (pid_t)pid;
} }
/* check_pid /* check_pid

View file

@ -1,7 +1,7 @@
/* /*
protocol_auth.c -- handle the meta-protocol, authentication protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -107,7 +107,7 @@ static bool send_proxyrequest(connection_t *c) {
i += 2; i += 2;
c->tcplen += 22; c->tcplen += 22;
} else { } else {
logger(LOG_ERR, "Address family %hx not supported for SOCKS 5 proxies!", c->address.sa.sa_family); logger(LOG_ERR, "Address family %x not supported for SOCKS 5 proxies!", c->address.sa.sa_family);
return false; return false;
} }
if(i > len) if(i > len)
@ -215,7 +215,12 @@ bool send_metakey(connection_t *c) {
/* Copy random data to the buffer */ /* Copy random data to the buffer */
RAND_pseudo_bytes((unsigned char *)c->outkey, len); if (1 != RAND_bytes((unsigned char *)c->outkey, len)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate meta key (%s)", ERR_error_string(err, NULL));
return false;
}
/* The message we send must be smaller than the modulus of the RSA key. /* The message we send must be smaller than the modulus of the RSA key.
By definition, for a key of k bits, the following formula holds: By definition, for a key of k bits, the following formula holds:
@ -391,7 +396,11 @@ bool send_challenge(connection_t *c) {
/* Copy random data to the buffer */ /* Copy random data to the buffer */
RAND_pseudo_bytes((unsigned char *)c->hischallenge, len); if (1 != RAND_bytes((unsigned char *)c->hischallenge, len)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate challenge (%s)", ERR_error_string(err, NULL));
return false; // Do not send predictable challenges, let connection attempt fail.
}
/* Convert to hex */ /* Convert to hex */

View file

@ -1,7 +1,7 @@
/* /*
protocol_key.c -- handle the meta-protocol, key exchange protocol_key.c -- handle the meta-protocol, key exchange
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2012 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -127,7 +127,8 @@ bool req_key_h(connection_t *c) {
/* Check if this key request is for us */ /* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */ if(to == myself) { /* Yes, send our own key back */
send_ans_key(from); if (!send_ans_key(from))
return false;
} else { } else {
if(tunnelserver) if(tunnelserver)
return true; return true;
@ -156,7 +157,12 @@ bool send_ans_key(node_t *to) {
to->inkey = xrealloc(to->inkey, to->inkeylength); to->inkey = xrealloc(to->inkey, to->inkeylength);
// Create a new key // Create a new key
RAND_pseudo_bytes((unsigned char *)to->inkey, to->inkeylength); if (1 != RAND_bytes((unsigned char *)to->inkey, to->inkeylength)) {
int err = ERR_get_error();
logger(LOG_ERR, "Failed to generate random for key (%s)", ERR_error_string(err, NULL));
return false; // Do not send insecure keys, let connection attempt fail.
}
if(to->incipher) if(to->incipher)
EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len); EVP_DecryptInit_ex(&to->inctx, to->incipher, NULL, (unsigned char *)to->inkey, (unsigned char *)to->inkey + to->incipher->key_len);

View file

@ -1,7 +1,7 @@
/* /*
device.c -- raw socket device.c -- raw socket
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2012 Guus Sliepen <guus@tinc-vpn.org> 2002-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -32,7 +32,7 @@
#include "route.h" #include "route.h"
#include "xalloc.h" #include "xalloc.h"
#if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) #if defined(PF_PACKET) && defined(ETH_P_ALL) && defined(AF_PACKET) && defined(SIOCGIFINDEX)
static char *device_info; static char *device_info;
static uint64_t device_total_in = 0; static uint64_t device_total_in = 0;
@ -62,20 +62,21 @@ static bool setup_device(void) {
memset(&ifr, 0, sizeof(ifr)); memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) { if(ioctl(device_fd, SIOCGIFINDEX, &ifr)) {
close(device_fd); close(device_fd);
logger(LOG_ERR, "Can't find interface %s: %s", iface, logger(LOG_ERR, "Can't find interface %s: %s", ifr.ifr_ifrn.ifrn_name, strerror(errno));
strerror(errno));
return false; return false;
} }
memset(&sa, '0', sizeof(sa)); memset(&sa, 0, sizeof(sa));
sa.sll_family = AF_PACKET; sa.sll_family = AF_PACKET;
sa.sll_protocol = htons(ETH_P_ALL); sa.sll_protocol = htons(ETH_P_ALL);
sa.sll_ifindex = ifr.ifr_ifindex; sa.sll_ifindex = ifr.ifr_ifindex;
if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) { if(bind(device_fd, (struct sockaddr *) &sa, (socklen_t) sizeof(sa))) {
logger(LOG_ERR, "Could not bind %s to %s: %s", device, iface, strerror(errno)); logger(LOG_ERR, "Could not bind %s to %s: %s", device, ifr.ifr_ifrn.ifrn_name, strerror(errno));
return false; return false;
} }

View file

@ -1,7 +1,7 @@
/* /*
route.c -- routing route.c -- routing
Copyright (C) 2000-2005 Ivo Timmermans, Copyright (C) 2000-2005 Ivo Timmermans,
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -197,7 +197,7 @@ static void learn_mac(mac_t *address) {
/* If we don't know this MAC address yet, store it */ /* If we don't know this MAC address yet, store it */
if(!subnet) { if(!subnet) {
ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %hx:%hx:%hx:%hx:%hx:%hx", ifdebug(TRAFFIC) logger(LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
address->x[0], address->x[1], address->x[2], address->x[3], address->x[0], address->x[1], address->x[2], address->x[3],
address->x[4], address->x[5]); address->x[4], address->x[5]);

View file

@ -1,7 +1,8 @@
/* /*
device.c -- Interaction with Solaris tun device device.c -- Interaction with Solaris tun device
Copyright (C) 2001-2005 Ivo Timmermans, Copyright (C) 2001-2005 Ivo Timmermans,
2001-2012 Guus Sliepen <guus@tinc-vpn.org> 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
2001-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -18,98 +19,258 @@
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/ */
#include "../system.h" #include "../system.h"
#include <sys/stropts.h> #include <sys/stropts.h>
#include <sys/sockio.h> #include <sys/sockio.h>
#include <net/if_tun.h>
#include "../conf.h" #include "../conf.h"
#include "../device.h" #include "../device.h"
#include "../logger.h" #include "../logger.h"
#include "../net.h" #include "../net.h"
#include "../route.h"
#include "../utils.h" #include "../utils.h"
#include "../xalloc.h" #include "../xalloc.h"
#define DEFAULT_DEVICE "/dev/tun" #ifndef TUNNEWPPA
#warning Missing net/if_tun.h, using hardcoded value for TUNNEWPPA
#define TUNNEWPPA (('T'<<16) | 0x0001)
#endif
#define DEFAULT_TUN_DEVICE "/dev/tun"
#define DEFAULT_TAP_DEVICE "/dev/tap"
static enum {
DEVICE_TYPE_TUN,
DEVICE_TYPE_TAP,
} device_type = DEVICE_TYPE_TUN;
int device_fd = -1; int device_fd = -1;
static int ip_fd = -1, if_fd = -1; static int if_fd = -1;
static int ip_fd = -1;
char *device = NULL; char *device = NULL;
char *iface = NULL; char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static uint64_t device_total_in = 0; uint64_t device_total_in = 0;
static uint64_t device_total_out = 0; uint64_t device_total_out = 0;
static bool setup_device(void) { static bool setup_device(void) {
int ppa; char *type;
char *ptr;
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) if(!get_config_string(lookup_config(config_tree, "Device"), &device)) {
device = xstrdup(DEFAULT_DEVICE); if(routing_mode == RMODE_ROUTER)
device = xstrdup(DEFAULT_TUN_DEVICE);
if((device_fd = open(device, O_RDWR | O_NONBLOCK)) < 0) { else
logger(LOG_ERR, "Could not open %s: %s", device, strerror(errno)); device = xstrdup(DEFAULT_TAP_DEVICE);
return false;
} }
#ifdef FD_CLOEXEC if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
fcntl(device_fd, F_SETFD, FD_CLOEXEC); if(!strcasecmp(type, "tun"))
#endif /* use default */;
else if(!strcasecmp(type, "tap"))
device_type = DEVICE_TYPE_TAP;
else {
logger(LOG_ERR, "Unknown device type %s!", type);
return false;
}
} else {
if(strstr(device, "tap") || routing_mode != RMODE_ROUTER)
device_type = DEVICE_TYPE_TAP;
}
ppa = 0; if(device_type == DEVICE_TYPE_TUN)
device_info = "Solaris tun device";
else
device_info = "Solaris tap device";
ptr = device; /* The following is black magic copied from OpenVPN. */
while(*ptr && !isdigit((int) *ptr))
ptr++;
ppa = atoi(ptr);
if((ip_fd = open("/dev/ip", O_RDWR, 0)) < 0) { if((ip_fd = open("/dev/ip", O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open /dev/ip: %s", strerror(errno)); logger(LOG_ERR, "Could not open %s: %s\n", "/dev/ip", strerror(errno));
return false; return false;
} }
#ifdef FD_CLOEXEC if((device_fd = open(device, O_RDWR, 0)) < 0) {
fcntl(ip_fd, F_SETFD, FD_CLOEXEC); logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
#endif return false;
}
/* Get unit number. */
char *ptr = device;
get_config_string(lookup_config(config_tree, "Interface"), &ptr);
while(*ptr && !isdigit(*ptr))
ptr++;
int ppa = atoi(ptr);
/* Assign a new PPA and get its unit number. */ /* Assign a new PPA and get its unit number. */
if((ppa = ioctl(device_fd, TUNNEWPPA, ppa)) < 0) {
logger(LOG_ERR, "Can't assign new interface: %s", strerror(errno)); struct strioctl strioc_ppa = {
.ic_cmd = TUNNEWPPA,
.ic_len = sizeof ppa,
.ic_dp = (char *)&ppa,
};
if(!*ptr) { /* no number given, try dynamic */
bool found = false;
while(!found && ppa < 64) {
int new_ppa = ioctl(device_fd, I_STR, &strioc_ppa);
if(new_ppa >= 0) {
ppa = new_ppa;
found = true;
break;
}
ppa++;
}
if(!found) {
logger(LOG_ERR, "Could not find free PPA for %s %s!", device_info, device);
return false; return false;
} }
} else { /* try this particular one */
if((ppa = ioctl(device_fd, I_STR, &strioc_ppa)) < 0) {
logger(LOG_ERR, "Could not assign PPA %d for %s %s!", ppa, device_info, device);
return false;
}
}
if((if_fd = open(device, O_RDWR, 0)) < 0) { if((if_fd = open(device, O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open %s twice: %s", device, logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
strerror(errno));
return false; return false;
} }
#ifdef FD_CLOEXEC
fcntl(if_fd, F_SETFD, FD_CLOEXEC);
#endif
if(ioctl(if_fd, I_PUSH, "ip") < 0) { if(ioctl(if_fd, I_PUSH, "ip") < 0) {
logger(LOG_ERR, "Can't push IP module: %s", strerror(errno)); logger(LOG_ERR, "Could not push IP module onto %s %s!", device_info, device);
return false; return false;
} }
xasprintf(&iface, "%s%d", device_type == DEVICE_TYPE_TUN ? "tun" : "tap", ppa);
{
/* Remove muxes just in case they are left over from a crashed tincd */
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
int muxid = ifr.lifr_arp_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
muxid = ifr.lifr_ip_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
}
}
if(device_type == DEVICE_TYPE_TUN) {
/* Assign ppa according to the unit number returned by tun device */ /* Assign ppa according to the unit number returned by tun device */
if(ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) { if(ioctl(if_fd, IF_UNITSEL, (char *)&ppa) < 0) {
logger(LOG_ERR, "Can't set PPA %d: %s", ppa, strerror(errno)); logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
return false;
}
}
int arp_fd = -1;
if(device_type == DEVICE_TYPE_TAP) {
struct lifreq ifr = {};
if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
return false; return false;
} }
if(ioctl(ip_fd, I_LINK, if_fd) < 0) { strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
logger(LOG_ERR, "Can't link TUN device to IP: %s", strerror(errno)); ifr.lifr_ppa = ppa;
/* Assign ppa according to the unit number returned by tun device */
if(ioctl(if_fd, SIOCSLIFNAME, &ifr) < 0) {
logger(LOG_ERR, "Could not set PPA %d on %s %s!", ppa, device_info, device);
return false;
}
if(ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0) {
logger(LOG_ERR, "Could not set flags on %s %s!", device_info, device);
return false; return false;
} }
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) /* Push arp module to if_fd */
xasprintf(&iface, "tun%d", ppa); if(ioctl(if_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
return false;
}
device_info = "Solaris tun device"; /* Pop any modules on the stream */
while(true) {
if(ioctl(ip_fd, I_POP, NULL) < 0)
break;
}
/* Push arp module to ip_fd */
if(ioctl(ip_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s!", "/dev/ip");
return false;
}
/* Open arp_fd */
if((arp_fd = open(device, O_RDWR, 0)) < 0) {
logger(LOG_ERR, "Could not open %s: %s\n", device, strerror(errno));
return false;
}
/* Push arp module to arp_fd */
if(ioctl(arp_fd, I_PUSH, "arp") < 0) {
logger(LOG_ERR, "Could not push ARP module onto %s %s!", device_info, device);
return false;
}
/* Set ifname to arp */
struct strioctl strioc_if = {
.ic_cmd = SIOCSLIFNAME,
.ic_len = sizeof ifr,
.ic_dp = (char *)&ifr,
};
if(ioctl(arp_fd, I_STR, &strioc_if) < 0) {
logger(LOG_ERR, "Could not set ifname to %s %s", device_info, device);
return false;
}
}
int ip_muxid, arp_muxid;
if((ip_muxid = ioctl(ip_fd, I_PLINK, if_fd)) < 0) {
logger(LOG_ERR, "Could not link %s %s to IP", device_info, device);
return false;
}
if(device_type == DEVICE_TYPE_TAP) {
if((arp_muxid = ioctl(ip_fd, I_PLINK, arp_fd)) < 0) {
logger(LOG_ERR, "Could not link %s %s to ARP", device_info, device);
return false;
}
close(arp_fd);
}
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof(ifr.lifr_name));
ifr.lifr_ip_muxid = ip_muxid;
if(device_type == DEVICE_TYPE_TAP) {
ifr.lifr_arp_muxid = arp_muxid;
}
if(ioctl(ip_fd, SIOCSLIFMUXID, &ifr) < 0) {
if(device_type == DEVICE_TYPE_TAP) {
ioctl(ip_fd, I_PUNLINK, arp_muxid);
}
ioctl(ip_fd, I_PUNLINK, ip_muxid);
logger(LOG_ERR, "Could not set multiplexor id for %s %s", device_info, device);
return false;
}
close(if_fd);
#ifdef FD_CLOEXEC
fcntl(device_fd, F_SETFD, FD_CLOEXEC);
fcntl(ip_fd, F_SETFD, FD_CLOEXEC);
#endif
logger(LOG_INFO, "%s is a %s", device, device_info); logger(LOG_INFO, "%s is a %s", device, device_info);
@ -117,7 +278,17 @@ static bool setup_device(void) {
} }
static void close_device(void) { static void close_device(void) {
close(if_fd); if(iface) {
struct lifreq ifr = {};
strncpy(ifr.lifr_name, iface, sizeof ifr.lifr_name);
if(ioctl(ip_fd, SIOCGLIFMUXID, &ifr) >= 0) {
int muxid = ifr.lifr_arp_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
muxid = ifr.lifr_ip_muxid;
ioctl(ip_fd, I_PUNLINK, muxid);
}
}
close(ip_fd); close(ip_fd);
close(device_fd); close(device_fd);
@ -126,11 +297,12 @@ static void close_device(void) {
} }
static bool read_packet(vpn_packet_t *packet) { static bool read_packet(vpn_packet_t *packet) {
int lenin; int inlen;
if((lenin = read(device_fd, packet->data + 14, MTU - 14)) <= 0) { switch(device_type) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, case DEVICE_TYPE_TUN:
device, strerror(errno)); if((inlen = read(device_fd, packet->data + 14, MTU - 14)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
return false; return false;
} }
@ -144,32 +316,55 @@ static bool read_packet(vpn_packet_t *packet) {
packet->data[13] = 0xDD; packet->data[13] = 0xDD;
break; break;
default: default:
ifdebug(TRAFFIC) logger(LOG_ERR, ifdebug(TRAFFIC) logger(LOG_ERR, "Unknown IP version %d while reading packet from %s %s", packet->data[14] >> 4, device_info, device);
"Unknown IP version %d while reading packet from %s %s",
packet->data[14] >> 4, device_info, device);
return false; return false;
} }
memset(packet->data, 0, 12); memset(packet->data, 0, 12);
packet->len = lenin + 14; packet->len = inlen + 14;
break;
case DEVICE_TYPE_TAP:
if((inlen = read(device_fd, packet->data, MTU)) <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, device, strerror(errno));
return false;
}
packet->len = inlen + 14;
break;
default:
abort();
}
device_total_in += packet->len; device_total_in += packet->len;
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, ifdebug(TRAFFIC) logger(LOG_DEBUG, "Read packet of %d bytes from %s", packet->len, device_info);
device_info);
return true; return true;
} }
static bool write_packet(vpn_packet_t *packet) { static bool write_packet(vpn_packet_t *packet) {
ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", ifdebug(TRAFFIC) logger(LOG_DEBUG, "Writing packet of %d bytes to %s", packet->len, device_info);
packet->len, device_info);
switch(device_type) {
case DEVICE_TYPE_TUN:
if(write(device_fd, packet->data + 14, packet->len - 14) < 0) { if(write(device_fd, packet->data + 14, packet->len - 14) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
device, strerror(errno));
return false; return false;
} }
break;
case DEVICE_TYPE_TAP:
if(write(device_fd, packet->data, packet->len) < 0) {
logger(LOG_ERR, "Can't write to %s %s: %s", device_info, device, strerror(errno));
return false;
}
break;
default:
abort();
}
device_total_out += packet->len; device_total_out += packet->len;

View file

@ -1,6 +1,6 @@
/* /*
subnet.c -- handle subnet lookups and lists subnet.c -- handle subnet lookups and lists
Copyright (C) 2000-2013 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2000-2014 Guus Sliepen <guus@tinc-vpn.org>,
2000-2005 Ivo Timmermans 2000-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -351,7 +351,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
switch (subnet->type) { switch (subnet->type) {
case SUBNET_MAC: case SUBNET_MAC:
snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx#%d", snprintf(netstr, len, "%x:%x:%x:%x:%x:%x#%d",
subnet->net.mac.address.x[0], subnet->net.mac.address.x[0],
subnet->net.mac.address.x[1], subnet->net.mac.address.x[1],
subnet->net.mac.address.x[2], subnet->net.mac.address.x[2],
@ -362,7 +362,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
break; break;
case SUBNET_IPV4: case SUBNET_IPV4:
snprintf(netstr, len, "%hu.%hu.%hu.%hu/%d#%d", snprintf(netstr, len, "%u.%u.%u.%u/%d#%d",
subnet->net.ipv4.address.x[0], subnet->net.ipv4.address.x[0],
subnet->net.ipv4.address.x[1], subnet->net.ipv4.address.x[1],
subnet->net.ipv4.address.x[2], subnet->net.ipv4.address.x[2],
@ -372,7 +372,7 @@ bool net2str(char *netstr, int len, const subnet_t *subnet) {
break; break;
case SUBNET_IPV6: case SUBNET_IPV6:
snprintf(netstr, len, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx/%d#%d", snprintf(netstr, len, "%x:%x:%x:%x:%x:%x:%x:%x/%d#%d",
ntohs(subnet->net.ipv6.address.x[0]), ntohs(subnet->net.ipv6.address.x[0]),
ntohs(subnet->net.ipv6.address.x[1]), ntohs(subnet->net.ipv6.address.x[1]),
ntohs(subnet->net.ipv6.address.x[2]), ntohs(subnet->net.ipv6.address.x[2]),

View file

@ -1,7 +1,7 @@
/* /*
tincd.c -- the main file for tincd tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2013 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com> 2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru> 2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu> 2010 Julien Muchembled <jm@jmuchemb.eu>
@ -162,6 +162,11 @@ static bool parse_options(int argc, char **argv) {
break; break;
case 'c': /* config file */ case 'c': /* config file */
if(confbase) {
fprintf(stderr, "Only one configuration directory can be given.\n");
usage(true);
return false;
}
confbase = xstrdup(optarg); confbase = xstrdup(optarg);
break; break;
@ -229,6 +234,11 @@ static bool parse_options(int argc, char **argv) {
case 'n': /* net name given */ case 'n': /* net name given */
/* netname "." is special: a "top-level name" */ /* netname "." is special: a "top-level name" */
if(netname) {
fprintf(stderr, "Only one netname can be given.\n");
usage(true);
return false;
}
netname = strcmp(optarg, ".") != 0 ? xstrdup(optarg) : NULL; netname = strcmp(optarg, ".") != 0 ? xstrdup(optarg) : NULL;
break; break;
@ -281,11 +291,22 @@ static bool parse_options(int argc, char **argv) {
use_logfile = true; use_logfile = true;
if(!optarg && optind < argc && *argv[optind] != '-') if(!optarg && optind < argc && *argv[optind] != '-')
optarg = argv[optind++]; optarg = argv[optind++];
if(optarg) if(optarg) {
if(logfilename) {
fprintf(stderr, "Only one logfile can be given.\n");
usage(true);
return false;
}
logfilename = xstrdup(optarg); logfilename = xstrdup(optarg);
}
break; break;
case 5: /* write PID to a file */ case 5: /* write PID to a file */
if(pidfilename) {
fprintf(stderr, "Only one pidfile can be given.\n");
usage(true);
return false;
}
pidfilename = xstrdup(optarg); pidfilename = xstrdup(optarg);
break; break;
@ -350,7 +371,6 @@ static void indicator(int a, int b, void *p) {
static bool keygen(int bits) { static bool keygen(int bits) {
RSA *rsa_key; RSA *rsa_key;
FILE *f; FILE *f;
char *name = get_name();
char *pubname, *privname; char *pubname, *privname;
fprintf(stderr, "Generating %d bits keys:\n", bits); fprintf(stderr, "Generating %d bits keys:\n", bits);
@ -378,10 +398,14 @@ static bool keygen(int bits) {
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
fclose(f); fclose(f);
if(name) char *name = get_name();
if(name) {
xasprintf(&pubname, "%s/hosts/%s", confbase, name); xasprintf(&pubname, "%s/hosts/%s", confbase, name);
else free(name);
} else {
xasprintf(&pubname, "%s/rsa_key.pub", confbase); xasprintf(&pubname, "%s/rsa_key.pub", confbase);
}
f = ask_and_open(pubname, "public RSA key"); f = ask_and_open(pubname, "public RSA key");
free(pubname); free(pubname);
@ -392,7 +416,6 @@ static bool keygen(int bits) {
fputc('\n', f); fputc('\n', f);
PEM_write_RSAPublicKey(f, rsa_key); PEM_write_RSAPublicKey(f, rsa_key);
fclose(f); fclose(f);
free(name);
return true; return true;
} }
@ -526,7 +549,7 @@ int main(int argc, char **argv) {
if(show_version) { if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT); VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2013 Ivo Timmermans, Guus Sliepen and others.\n" printf("Copyright (C) 1998-2014 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n" "See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n" "and you are welcome to redistribute it under certain conditions;\n"

View file

@ -1,7 +1,7 @@
/* /*
utils.c -- gathering of some stupid small functions utils.c -- gathering of some stupid small functions
Copyright (C) 1999-2005 Ivo Timmermans Copyright (C) 1999-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -78,3 +78,18 @@ unsigned int bitfield_to_int(const void *bitfield, size_t size) {
memcpy(&value, bitfield, size); memcpy(&value, bitfield, size);
return value; return value;
} }
/**
* As memcmp(), but constant-time.
* Returns 0 when data is equal, non-zero otherwise.
*/
int memcmp_constant_time (const void *a, const void *b, size_t size) {
const uint8_t *a1 = a, *b1 = b;
int ret = 0;
size_t i;
for (i = 0; i < size; i++)
ret |= *a1++ ^ *b1++;
return ret;
}

View file

@ -1,7 +1,7 @@
/* /*
utils.h -- header file for utils.c utils.h -- header file for utils.c
Copyright (C) 1999-2005 Ivo Timmermans Copyright (C) 1999-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -42,4 +42,6 @@ extern const char *winerror(int);
extern unsigned int bitfield_to_int(const void *bitfield, size_t size); extern unsigned int bitfield_to_int(const void *bitfield, size_t size);
int memcmp_constant_time (const void *a, const void *b, size_t size);
#endif /* __TINC_UTILS_H__ */ #endif /* __TINC_UTILS_H__ */

View file

@ -113,6 +113,9 @@ char *xstrdup(const char *s)
{ {
char *p; char *p;
if(!s)
return NULL;
p = strdup(s); p = strdup(s);
if(!p) if(!p)
xalloc_fail ((int)strlen(s)); xalloc_fail ((int)strlen(s));