Import Debian changes 1.0.14-1~bpo60+1

tinc (1.0.14-1~bpo60+1) squeeze-backports; urgency=low

  * Rebuild for squeeze-backports.

tinc (1.0.14-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version.
Guus Sliepen 2011-06-07 09:35:50 +00:00
commit f01c927470
54 changed files with 1604 additions and 789 deletions

@ -8,6 +8,9 @@ Significant contributions from:
- Grzegorz Dymarek <gregd72002@googlemail.com> - Grzegorz Dymarek <gregd72002@googlemail.com>
- Max Rijevski <maksuf@gmail.com> - Max Rijevski <maksuf@gmail.com>
- Scott Lamb <slamb@slamb.org> - Scott Lamb <slamb@slamb.org>
- Julien Muchembled <jm@jmuchemb.eu>
- Timothy Redaelli <timothy@redaelli.eu>
- Brandon Black <blblack@gmail.com>
These files are from other sources: These files are from other sources:
* lib/pidfile.h and lib/pidfile.c are by Martin Schulze, taken from * lib/pidfile.h and lib/pidfile.c are by Martin Schulze, taken from

ChangeLog

@ -1,3 +1,444 @@
commit f3f7ccfb2890576cb8992ec5e432310cec27627a
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 23:15:25 2011 +0200
Releasing 1.0.14.
commit 0d906489f2ce9faf81dc230f7db6ab5378573554
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 23:12:44 2011 +0200
Include <inttypes.h> when using intptr_t.
commit dc887f5011834d5a9a6ec5deb8781c6bfd88c474
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 23:12:06 2011 +0200
Ensure proper linking with OpenSSL with recent versions of MinGW.
commit 67766d65f06854ee894d784f638c5c9cd2b50bca
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 21:22:20 2011 +0200
Update THANKS and copyright information.
commit 6e6b037ef4fd9877aeb1d947da7364409fa8cbb7
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 21:06:06 2011 +0200
Check for EVP_EncryptInit_ex instead of SHA1_Version in OpenSSL.
The latter function disappeared, and wasn't actually used in tinc, so now we
check on a function that we do use.
commit 257cb6ac60bb0924720de9e252cdf7f4759bf741
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 12:40:44 2011 +0200
Always use the default signal handler for ABRT signals.
This will allow coredumps to be generated when tinc is daemonized.
Also add the -kABRT option.
commit eacb5a28fb4c1515633f2b8a206e7067bc7b8f0c
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun May 8 12:16:26 2011 +0200
Increase threshold for detecting two nodes with the same Name.
In commit 4a21aabada23d1d2c8a10f54dd7248171c4ec82f, code was added to detect
contradicting ADD_EDGE and DEL_EDGE messages being sent, which is an indication
of two nodes with the same Name connected to the same VPN. However, these
contradictory messages can also happen when there is a network partitioning. In
the former case a loop happens which causes many contradictory message, while
in the latter case only a few of those messages will be sent. So, now we
increase the threshold to at least 10 of both ADD_EDGE and DEL_EDGE messages.
commit f11c6101f30df645223920bef3eb7592de9bcb79
Author: Julien Muchembled <jm@jmuchemb.eu>
Date: Thu Apr 28 13:21:55 2011 +0200
Fix command-line '-o' option for host configuration
This fixes a regression introduced by commit 667b1ba while refactoring option
parsing code.
commit 0aa86d4b8b3010522e6de8842f5bd29004ba3df6
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Wed Mar 9 09:34:56 2011 +0100
Do not set indirect flag on edges from nodes with multiple addresses.
Since tinc now handles UDP packets with a different source address and port
than used for TCP connections, the heuristic to treat edges as indirect when
tinc could detect that multiple addresses were used does not make sense
anymore, and can actually reduce performance.
commit 7cf68b5e35c002511cc7468967de6a75934cc998
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Feb 18 23:11:43 2011 +0100
Prevent anything from updating our own UDP address.
Because we don't want to keep track of that, and this will cause the node
structure from being relinked into the node tree, which results in myself
pointing to an invalid address.
commit cdbbbfabea173894bd2fb5f28135a04ddc5e3fd7
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Feb 18 23:02:11 2011 +0100
Fix spurious misidentification of incoming UDP packets.
When a UDP packet was received with an unknown source address/port, and if it
failed a HMAC check against known keys, it could still incorrectly assign that
UDP address to another node. This would temporarily cause outgoing UDP packets
to go to the wrong destination address, until packets from the correct address
were received again.
commit 046d83bf91e01bc7a32e66a02758caf228bc4601
Author: Rumko <rumko@rumko.net>
Date: Sat Feb 12 18:22:14 2011 +0100
DragonFlyBSD support
* added DragonFly BSD support
* added a check for sys/resource.h (needed on DragonFly)
commit f017c7f98f8f68d6ca50ebe247f4115aadd93635
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Mon Feb 7 18:34:55 2011 +0100
Add support for VDE through libvdeplug.
When compiled with vde/device.c, tinc will connect to a vde_switch instance
instead of using a tun/tap device.
commit 8d18cc6c4e625625a2437d26c587f9f382a0c589
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Jan 29 10:49:44 2011 +0100
Fix typo spotted by Andrew Scheller.
commit b3731c04097e66a6b8908bb893c5da831d89c04d
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Wed Jan 12 20:57:14 2011 +0100
Proper check and dropin replacement for usleep().
commit 4b8a5993036fccc2108fcc2550649d9b78fb1ab7
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 17:25:24 2011 +0100
Update the NEWS.
commit c228da54d47657811dfb679e7f138cbba58a9f67
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 17:25:03 2011 +0100
Update the manual.
commit 4575c6c7dffe228ce302776022a2075b7ef37ab0
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 17:24:23 2011 +0100
Document the behavior of "-n."
commit 6c05bf082b1ce9acfc0ebb5c6f32c2ece41c7f80
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 16:59:42 2011 +0100
Remove unused variables.
commit 6a51d89cf706bcefce1861a1a66d40ef7d7db43b
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 16:55:42 2011 +0100
Replace bogus #else with #endif.
Found by cppcheck, which complained about lenin not being initialized, but the
real problem is that reading packets would fail when using code compiled with
--tunemu on a normal tun device.
commit d7636352ce359e807b392a6e5ac0a6aeff4a63d2
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 16:52:36 2011 +0100
Limit field width when scanning PID file.
Cppcheck warns that scanf() might otherwise crash when presented with a huge,
bogus PID file.
commit 3ce5e292da8bab3a1316faf1ca18625f05074467
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 16:50:24 2011 +0100
Close all filedescriptors in Solaris close_device().
commit f99661a4ca5bacff47239ce7978b9c9948917c54
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Jan 2 15:02:23 2011 +0100
Always send MTU probes at least once every PingInterval.
Before, if MTU probes failed, tinc would stop sending probes until the next
time keys were regenerated (by default, once every hour). Now it continues to
send them every PingInterval, so it recovers faster from temporary failures.
commit cac0a5c651535e8317839b0deff1ee98086a8184
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Nov 20 14:31:11 2010 +0000
Use setpriority() instead of nice() on UNIX-like systems.
The return value of nice() can not reliably indicate errors. The return value
of the setpriority() call is well-defined.
commit d91903ef3c2a1f4481ae8757bb2b14282f2b7e68
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Nov 16 17:28:41 2010 +0100
Attribution for Brandon Black.
commit e764ff7be9949c91865aff72844357e76ae6dd78
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Nov 16 16:45:36 2010 +0100
Fix variable length array declaration.
commit 5eb0440110f99f0a49838cc00a0686c7a7595663
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Nov 13 21:36:51 2010 +0100
Free replay window when freeing a node_t.
commit a9445e38f25bd24eca289768fc46e44e36b842ac
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Nov 13 21:34:59 2010 +0100
Fix warning message when setting SO_RCVBUF or SO_SNDBUF fails.
commit 0d61d4ae1358553fc8dde350747542f137f5cb8b
Author: Brandon L Black <blblack@gmail.com>
Date: Sat Nov 13 12:05:51 2010 -0600
Improved handling of queue-jumping packets on receive
commit 23acc19bc090051156ad895caed61848f5afb144
Author: Brandon L Black <blblack@gmail.com>
Date: Sat Nov 13 12:05:50 2010 -0600
Configurable ReplayWindow size, zero disables
commit 8dfe1b374e165ecba5d3ae324ee834d337476be8
Author: Brandon L Black <blblack@gmail.com>
Date: Sat Nov 13 12:05:49 2010 -0600
Configurable SO_RCVBUF/SO_SNDBUF for the UDP socket
commit 3f410e2f8f7c365630f226adf4904935698f9e0d
Author: Brandon L Black <blblack@gmail.com>
Date: Sat Nov 13 12:05:48 2010 -0600
Experimental IFF_ONE_QUEUE support for Linux
commit 9e3ca397735077f85bbde48c36e1b3e0fa950988
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Nov 13 15:55:38 2010 +0100
Use variable length arrays instead of alloca().
commit e2e6ec8050274b0a8678d6fc263e7dc4ef66feae
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Nov 13 15:50:39 2010 +0100
Provide usleep() for Windows.
commit 930bf74fbe5ce8363b6cc2ae3a3e960e910e0996
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Nov 12 11:38:05 2010 +0100
Don't use strlen() on a NULL pointer.
A bug introduced in commit 667b1bac77b134cf32c98d5dc25619e8c3303f52 caused tinc
to crash on startup.
commit a07aa92176571eb7f063708640d0d486280808ef
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Nov 12 11:33:01 2010 +0100
Add short options -R and -U to the tincd(8) manpage.
commit 66b7aea294896a99df289231143a506b422b994c
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Nov 2 14:23:43 2010 +0100
Read error counter must be static.
commit a91bf2dfcd0f5857905e59da7d944654e0875503
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Tue Nov 2 14:18:35 2010 +0100
Quit when there are too many consecutive errors on the tun/tap device.
Although transient errors sometimes happen on the tun/tap device (for example,
if the kernel is temporarily out of buffer space), there are situations where
the tun/tap device becomes permanently broken. Instead of endlessly spamming
the syslog, we now sleep an increasing amount of time between consecutive read
errors, and if reads still fail after 10 attempts (approximately 3 seconds),
tinc will quit.
commit aca70cd3c3fe787e62c618849e43f67b3870ac20
Author: Michael Tokarev <mjt@tls.msk.ru>
Date: Sun Oct 24 15:23:10 2010 +0400
Treat netname="." in a special way.
Treat netname "." in a special way as if there was no netname
specified. Before, f.e. tincd -n. -k didn't work as it tried
to open /var/run/tinc-.pid. Now -n. works as if there was no
-n option is specified.
Signed-Off-By: Michael Tokarev <mjt@tls.msk.ru>
commit 5f729f76f5a63114df582fc29f4189140c1e5ead
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 22:46:44 2010 +0200
Remove unused variables.
These were caused by commit 667b1bac77b134cf32c98d5dc25619e8c3303f52.
commit 20ae7dd8c12390f7360eb28cc17e1b8a8a706b06
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 22:43:50 2010 +0200
Abort disabling old PEM keys on I/O errors.
commit a08462bf845973016e061b8ca1233142d80416f6
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 22:42:21 2010 +0200
Ensure there is a newline character before a PEM key is written.
commit c6ccbadfcf93a7bd4a88dee8ff146b4db7f85e71
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 13:40:04 2010 +0200
Attribution for Timothy Redaelli.
commit 1c2cd7ed273ee1538ff8a13d036c68aa9992c4aa
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 13:17:42 2010 +0200
Attribution for Julien Muchembled.
commit 667b1bac77b134cf32c98d5dc25619e8c3303f52
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 13:06:06 2010 +0200
Remove duplicate command-line option parsing.
Also fix parsing of command-line host configuration options for the local node.
commit ff71f289022ccb91abc2726f16522d55b5ccf0f6
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Oct 22 12:47:12 2010 +0200
Merge local host configuration with server configuration.
With some exceptions, tinc only accepted host configuration options for the
local node from the corresponding host configuration file. Although this is
documented, many people expect that they can also put those options in
tinc.conf. Tinc now internally merges the contents of both tinc.conf and the
local host configuration file.
commit 8c3105283ac53f8cc9cc4dde25957ec1cf6b53a0
Author: Julien Muchembled <jm@jmuchemb.eu>
Date: Fri Sep 3 13:34:22 2010 +0200
New '-o' option to configure server or hosts from command line
Options given on the command line have precedence over configuration from files.
This can be useful, for example, for a roaming node, for which 'ConnectTo' and
<host>.Address depends on its location.
commit 4b6a9f1c1f645ce5989692655337d9e23ca28648
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Jun 4 16:03:19 2010 +0200
Do not append an address to ANS_KEY messages if we don't know any address.
This would let tinc raise an exception when an ANS_KEY request crossed a
DEL_EDGE request for the node sending the key.
commit 798fa2f04c52b0639713f74b1195847bec40c16a
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Jun 4 15:04:08 2010 +0200
Use 64 bit counters to keep track of bytes sent/received from the virtual network interface.
commit 4a21aabada23d1d2c8a10f54dd7248171c4ec82f
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri Jun 4 14:53:52 2010 +0200
Detect and prevent two nodes with the same Name being on the VPN simultaneously.
In this situation, the two nodes will start fighting over the edges they announced.
When we have to contradict both ADD_EDGE and DEL_EDGE messages, we log a warning,
and with 25% chance per PingTimeout we quit.
commit dbf3d168b720045328d476f3b9e5f5e45b4ab6de
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri May 7 12:24:49 2010 +0200
Use strrchr() insteaad of rindex().
The latter function is deprecated, some build environments do not support.
commit eda71798749e8b0abf5e8b3cbc11da82aa607f00
Author: Timothy Redaelli <timothy@redaelli.eu>
Date: Tue May 4 15:43:48 2010 +0200
Fix warnings under BSD
commit df985256a766ee90f2fa4269b95fa0565c969dda
Author: Timothy Redaelli <timothy@redaelli.eu>
Date: Tue May 4 00:27:44 2010 +0200
Fix warnings showed using -D_FORTIFY_SOURCE=2
commit f5122ccecee095b9185b2324dea7bcd9655462ee
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat May 1 15:39:59 2010 +0200
Fix all warnings when compiling with mingw64.
commit ef92a5725c47c6e8e801e07190dd7dd3f9cb3a17
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat May 1 15:39:03 2010 +0200
OpenSSL 1.0.0 compiled for 64 bit Windows requires linking with -lcrypt32.
commit 0fdd7da52077d77a11a3646eb3e7d5b6ffa178e8
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat May 1 15:38:04 2010 +0200
Use intptr_t instead of long to store a pointer.
commit c94ede3b8708cdf105a3fecfc119a558e1583f27
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat May 1 15:37:11 2010 +0200
Define WINVER before including any other header file on Windows.
commit 4766359e1426bdf1383c898d6103d8760e5e296d
Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sat Apr 17 12:01:38 2010 +0200
Fix reading configuration files that do not end with a newline. Again.
commit 26b8cf8680ae68443dccac2adbc2361caafc3712 commit 26b8cf8680ae68443dccac2adbc2361caafc3712
Author: Guus Sliepen <guus@tinc-vpn.org> Author: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun Apr 11 20:40:20 2010 +0200 Date: Sun Apr 11 20:40:20 2010 +0200
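Review bot: two entries in this hunk describe fixes with direct security impact that do not surface in the NEWS hunk of this same commit: "Fix spurious misidentification of incoming UDP packets" (a UDP packet from an unknown source that failed the HMAC check could still get its address assigned to another node, sending that node's outgoing UDP traffic to the wrong destination until legitimate packets arrived) and "Limit field width when scanning PID file" (an unbounded scanf() on a bogus PID file). Suggest listing both under Version 1.0.14 in NEWS so packagers and users can see them without reading the full git log.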

@ -37,7 +37,7 @@ subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(top_srcdir)/configure AUTHORS COPYING ChangeLog INSTALL NEWS \ $(top_srcdir)/configure AUTHORS COPYING ChangeLog INSTALL NEWS \
THANKS config.guess config.sub depcomp install-sh missing THANKS TODO config.guess config.sub depcomp install-sh missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \
$(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \ $(top_srcdir)/m4/lzo.m4 $(top_srcdir)/m4/openssl.m4 \

NEWS

@ -1,3 +1,24 @@
Version 1.0.14 May 8 2011
* Fixed reading configuration files that do not end with a newline. Again.
* Allow arbitrary configuration options being specified on the command line.
* Allow all options in both tinc.conf and the local host config file.
* Configurable replay window, UDP send and receive buffers for performance tuning.
* Try harder to get UDP communication back after falling back to TCP.
* Initial support for attaching tinc to a VDE switch.
* DragonFly BSD support.
* Allow linking with OpenSSL 1.0.0.
Thanks to Brandon Black, Julien Muchembled, Michael Tokarev, Rumko and Timothy
Redaelli for their contributions to this version of tinc.
Version 1.0.13 Apr 11 2010 Version 1.0.13 Apr 11 2010
* Allow building tinc without LZO and/or Zlib. * Allow building tinc without LZO and/or Zlib.

README

@ -1,7 +1,7 @@
This is the README file for tinc version 1.0.13. Installation This is the README file for tinc version 1.0.14. Installation
instructions may be found in the INSTALL file. instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2010 by: tinc is Copyright (C) 1998-2011 by:
Ivo Timmermans, Ivo Timmermans,
Guus Sliepen <guus@tinc-vpn.org>, Guus Sliepen <guus@tinc-vpn.org>,
@ -55,7 +55,7 @@ should be changed into "Device", and "Device" should be changed into
Compatibility Compatibility
------------- -------------
Version 1.0.13 is compatible with 1.0pre8, 1.0 and later, but not with older Version 1.0.14 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc. versions of tinc.
@ -69,14 +69,12 @@ this library is not installed on you system, configure will fail. The
manual in doc/tinc.texi contains more detailed information on how to manual in doc/tinc.texi contains more detailed information on how to
install this library. install this library.
Since 1.0pre6, the zlib library is used for optional compression. You need this Since 1.0pre6, the zlib library is used for optional compression. You can
library whether or not you plan to enable the compression. You can find it at find it at http://www.gzip.org/zlib/. Because of a possible exploit in
http://www.gzip.org/zlib/. Because of a possible exploit in earlier versions we earlier versions we recommend that you download version 1.1.4 or later.
recommand that you download version 1.1.4 or later.
Since 1.0, the lzo library is also used for optional compression. You need this Since 1.0, the lzo library is also used for optional compression. You can
library whether or not you plan to enable compression. You can find it at find it at http://www.oberhumer.com/opensource/lzo/.
http://www.oberhumer.com/opensource/lzo/.
In order to compile tinc, you will need a GNU C compiler environment. In order to compile tinc, you will need a GNU C compiler environment.

THANKS

@ -4,6 +4,7 @@ We would like to thank the following people for their contributions to tinc:
* Allesandro Gatti * Allesandro Gatti
* Andreas van Cranenburgh * Andreas van Cranenburgh
* Armijn Hemel * Armijn Hemel
* Brandon Black
* Cris van Pelt * Cris van Pelt
* Delf Eldkraft * Delf Eldkraft
* dnk * dnk
@ -17,6 +18,7 @@ We would like to thank the following people for their contributions to tinc:
* Jason Harper * Jason Harper
* Jeroen Ubbink * Jeroen Ubbink
* Jerome Etienne * Jerome Etienne
* Julien Muchembled
* Lubomír Bulej * Lubomír Bulej
* Mads Kiilerich * Mads Kiilerich
* Marc A. Lehmann * Marc A. Lehmann
@ -31,6 +33,7 @@ We would like to thank the following people for their contributions to tinc:
* Nick Patavalis * Nick Patavalis
* Paul Littlefield * Paul Littlefield
* Robert van der Meulen * Robert van der Meulen
* Rumko
* Scott Lamb * Scott Lamb
* Sven-Haegar Koch * Sven-Haegar Koch
* Teemu Kiviniemi * Teemu Kiviniemi

TODO (new file)

@ -0,0 +1,7 @@
* end-to-end encryption
* perfect forward secrecy, ECDH
* AES in counter mode
* Replay + Delay protection
* MPLS-like label
* Conflicting Subnets or key-name pairs: disable both, inform admin
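Review bot: the "Replay + Delay protection" item overlaps with the ReplayWindow option introduced in this same release (see the NEWS and tinc.conf.5 hunks below); suggest rewording it to say what is still missing (the delay part) so the file does not read as if replay protection is absent altogether.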

aclocal.m4

@ -13,8 +13,8 @@
m4_ifndef([AC_AUTOCONF_VERSION], m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],, m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
[m4_warning([this file was generated for autoconf 2.65. [m4_warning([this file was generated for autoconf 2.68.
You have another version of autoconf. It may work, but is not guaranteed to. You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely. If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically `autoreconf'.])]) To do so, use the procedure documented by the package, typically `autoreconf'.])])

@ -58,6 +58,9 @@
/* Define to 1 if you have the <dirent.h> header file. */ /* Define to 1 if you have the <dirent.h> header file. */
#undef HAVE_DIRENT_H #undef HAVE_DIRENT_H
/* DragonFly */
#undef HAVE_DRAGONFLY
/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */ /* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
#undef HAVE_EVP_ENCRYPTINIT_EX #undef HAVE_EVP_ENCRYPTINIT_EX
@ -173,6 +176,12 @@
/* Define to 1 if you have the <net/if_types.h> header file. */ /* Define to 1 if you have the <net/if_types.h> header file. */
#undef HAVE_NET_IF_TYPES_H #undef HAVE_NET_IF_TYPES_H
/* Define to 1 if you have the <net/tap/if_tap.h> header file. */
#undef HAVE_NET_TAP_IF_TAP_H
/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
#undef HAVE_NET_TUN_IF_TUN_H
/* OpenBSD */ /* OpenBSD */
#undef HAVE_OPENBSD #undef HAVE_OPENBSD
@ -303,6 +312,9 @@
/* Define to 1 if you have the <sys/param.h> header file. */ /* Define to 1 if you have the <sys/param.h> header file. */
#undef HAVE_SYS_PARAM_H #undef HAVE_SYS_PARAM_H
/* Define to 1 if you have the <sys/resource.h> header file. */
#undef HAVE_SYS_RESOURCE_H
/* Define to 1 if you have the <sys/socket.h> header file. */ /* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H #undef HAVE_SYS_SOCKET_H
@ -327,6 +339,9 @@
/* Define to 1 if you have the `unsetenv' function. */ /* Define to 1 if you have the `unsetenv' function. */
#undef HAVE_UNSETENV #undef HAVE_UNSETENV
/* Define to 1 if you have the `usleep' function. */
#undef HAVE_USLEEP
/* Define to 1 if you have the `vsyslog' function. */ /* Define to 1 if you have the `vsyslog' function. */
#undef HAVE_VSYSLOG #undef HAVE_VSYSLOG

configure (diff suppressed because it is too large)

@ -3,7 +3,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.61) AC_PREREQ(2.61)
AC_INIT AC_INIT
AC_CONFIG_SRCDIR([src/tincd.c]) AC_CONFIG_SRCDIR([src/tincd.c])
AM_INIT_AUTOMAKE(tinc, 1.0.13) AM_INIT_AUTOMAKE(tinc, 1.0.14)
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
AM_MAINTAINER_MODE AM_MAINTAINER_MODE
@ -13,8 +13,6 @@ AM_MAINTAINER_MODE
AC_GNU_SOURCE AC_GNU_SOURCE
AC_DEFINE([__USE_BSD], 1, [Enable BSD extensions]) AC_DEFINE([__USE_BSD], 1, [Enable BSD extensions])
ALL_LINGUAS="nl"
dnl Checks for programs. dnl Checks for programs.
AC_PROG_CC_C99 AC_PROG_CC_C99
AC_PROG_CPP AC_PROG_CPP
@ -51,6 +49,10 @@ case $host_os in
AC_DEFINE(HAVE_NETBSD, 1, [NetBSD]) AC_DEFINE(HAVE_NETBSD, 1, [NetBSD])
[ rm -f src/device.c; ln -sf bsd/device.c src/device.c ] [ rm -f src/device.c; ln -sf bsd/device.c src/device.c ]
;; ;;
*dragonfly*)
AC_DEFINE(HAVE_DRAGONFLY, 1, [DragonFly])
[ rm -f src/device.c; ln -sf bsd/device.c src/device.c ]
;;
*bsd*) *bsd*)
AC_MSG_WARN("Unknown BSD variant, tinc might not compile or work!") AC_MSG_WARN("Unknown BSD variant, tinc might not compile or work!")
AC_DEFINE(HAVE_BSD, 1, [Unknown BSD variant]) AC_DEFINE(HAVE_BSD, 1, [Unknown BSD variant])
@ -63,7 +65,7 @@ case $host_os in
*mingw*) *mingw*)
AC_DEFINE(HAVE_MINGW, 1, [MinGW]) AC_DEFINE(HAVE_MINGW, 1, [MinGW])
[ rm -f src/device.c; cp -f src/mingw/device.c src/device.c ] [ rm -f src/device.c; cp -f src/mingw/device.c src/device.c ]
LIBS="$LIBS -lws2_32" LIBS="$LIBS -lws2_32 -lgdi32 -lcrypt32"
;; ;;
*) *)
AC_MSG_ERROR("Unknown operating system.") AC_MSG_ERROR("Unknown operating system.")
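Review bot: the LIBS line adds both -lgdi32 and -lcrypt32, but only -lcrypt32 is explained by the ChangeLog ("OpenSSL 1.0.0 compiled for 64 bit Windows requires linking with -lcrypt32"); add a dnl comment above the line stating why -lgdi32 is needed as well, so the next person touching the *mingw* case knows whether it can be dropped.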
@ -99,8 +101,8 @@ dnl Checks for header files.
dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies. dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies.
AC_HEADER_STDC AC_HEADER_STDC
AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h]) AC_CHECK_HEADERS([stdbool.h syslog.h sys/file.h sys/ioctl.h sys/mman.h sys/param.h sys/resource.h sys/socket.h sys/time.h sys/uio.h sys/wait.h netdb.h arpa/inet.h dirent.h])
AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h], AC_CHECK_HEADERS([net/if.h net/if_types.h linux/if_tun.h net/if_tun.h net/tun/if_tun.h net/if_tap.h net/tap/if_tap.h net/ethernet.h net/if_arp.h netinet/in_systm.h netinet/in.h netinet/in6.h],
[], [], [#include "have.h"] [], [], [#include "have.h"]
) )
AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h], AC_CHECK_HEADERS([netinet/if_ether.h netinet/ip.h netinet/ip6.h],
@ -128,7 +130,7 @@ dnl Checks for library functions.
AC_FUNC_MEMCMP AC_FUNC_MEMCMP
AC_FUNC_ALLOCA AC_FUNC_ALLOCA
AC_TYPE_SIGNAL AC_TYPE_SIGNAL
AC_CHECK_FUNCS([asprintf daemon fchmod flock ftime fork get_current_dir_name gettimeofday mlockall putenv random select strdup strerror strsignal strtol system unsetenv vsyslog writev], AC_CHECK_FUNCS([asprintf daemon fchmod flock ftime fork get_current_dir_name gettimeofday mlockall putenv random select strdup strerror strsignal strtol system unsetenv usleep vsyslog writev],
[], [], [#include "have.h"] [], [], [#include "have.h"]
) )
AC_FUNC_MALLOC AC_FUNC_MALLOC

debian/changelog

@ -1,8 +1,15 @@
tinc (1.0.13-1+squeeze1) squeeze-security; urgency=high tinc (1.0.14-1~bpo60+1) squeeze-backports; urgency=low
* Drop packets forwarded via TCP if they are too big (CVE-2013-1428). * Rebuild for squeeze-backports.
-- Guus Sliepen <guus@debian.org> Fri, 12 Apr 2013 20:40:15 +0000 -- Guus Sliepen <guus@debian.org> Tue, 07 Jun 2011 09:35:50 +0000
tinc (1.0.14-1) unstable; urgency=low
* New upstream release.
* Bump Standards-Version.
-- Guus Sliepen <guus@debian.org> Mon, 09 May 2011 00:25:37 +0200
tinc (1.0.13-1) unstable; urgency=low tinc (1.0.13-1) unstable; urgency=low
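Review bot: the stanza being replaced is the squeeze-security upload 1.0.13-1+squeeze1 ("Drop packets forwarded via TCP if they are too big (CVE-2013-1428)", urgency=high), and the new 1.0.14-1~bpo60+1 stanza says nothing about that CVE. Because 1.0.14-1~bpo60+1 sorts above 1.0.13-1+squeeze1, an upgrade to this backport supersedes the security upload while removing its changelog record; suggest keeping the 1.0.13-1+squeeze1 stanza in the history, or stating in the backport entry whether 1.0.14 carries the equivalent check.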

debian/control

@ -2,7 +2,7 @@ Source: tinc
Section: net Section: net
Priority: optional Priority: optional
Maintainer: Guus Sliepen <guus@debian.org> Maintainer: Guus Sliepen <guus@debian.org>
Standards-Version: 3.8.4 Standards-Version: 3.9.2
Build-Depends: libssl-dev, debhelper (>= 7.0.50~), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev Build-Depends: libssl-dev, debhelper (>= 7.0.50~), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev
Homepage: http://www.tinc-vpn.org/ Homepage: http://www.tinc-vpn.org/

@ -1,31 +0,0 @@
From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri, 12 Apr 2013 17:15:05 +0200
Subject: [PATCH] Drop packets forwarded via TCP if they are too big
(CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.
This issue was found by Martin Schobert.
---
src/net_packet.c | 3 +++
1 file changed, 3 insertions(+)
Index: tinc-1.0.13/src/net_packet.c
===================================================================
--- tinc-1.0.13.orig/src/net_packet.c 2010-03-13 17:53:33.000000000 +0000
+++ tinc-1.0.13/src/net_packet.c 2013-04-12 20:34:17.395183282 +0000
@@ -347,6 +347,9 @@
void receive_tcppacket(connection_t *c, char *buffer, int len) {
vpn_packet_t outpkt;
+ if(len > sizeof outpkt.data)
+ return;
+
outpkt.len = len;
if(c->options & OPTION_TCPONLY)
outpkt.priority = 0;
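Review bot: this hunk deletes the entire fix-CVE-2013-1428 patch, whose own description says that without the `if(len > sizeof outpkt.data) return;` check in receive_tcppacket() an authenticated remote node can overflow the stack-allocated packet buffer with an oversized packet forwarded over a meta connection. The patch is dated 12 Apr 2013 and was written against tinc-1.0.13, while the 1.0.14 upstream ChangeLog imported in this commit ends in May 2011 and lists no such length check; before dropping the patch, confirm that src/net_packet.c in 1.0.14 contains an equivalent bound, and if it does not, re-apply the patch to the backport.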

@ -1 +0,0 @@
fix-CVE-2013-1428

Binary file not shown.

@ -110,6 +110,13 @@ Note: it is not required that you put in the
sign, but doing so improves readability. sign, but doing so improves readability.
If you leave it out, remember to replace it with at least one space character. If you leave it out, remember to replace it with at least one space character.
.Pp
The server configuration is complemented with host specific configuration (see the next section).
Although all configuration options for the local host listed in this document can also be put in
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /tinc.conf ,
it is recommended to put host specific configuration options in the host configuration file,
as this makes it easy to exchange with other nodes.
.Pp .Pp
Here are all valid variables, listed in alphabetical order. Here are all valid variables, listed in alphabetical order.
The default value is given between parentheses. The default value is given between parentheses.
@ -248,6 +255,9 @@ a lookup if your DNS server is not responding.
This does not affect resolving hostnames to IP addresses from the This does not affect resolving hostnames to IP addresses from the
host configuration files. host configuration files.
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
.It Va Interface Li = Ar interface .It Va Interface Li = Ar interface
Defines the name of the interface corresponding to the virtual network device. Defines the name of the interface corresponding to the virtual network device.
Depending on the operating system and the type of device this may or may not actually set the name of the interface. Depending on the operating system and the type of device this may or may not actually set the name of the interface.
@ -334,6 +344,16 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN. Increasing the priority may help to reduce latency and packet loss on the VPN.
.It Va ReplayWindow Li = Ar bytes Pq 16
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental .It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
When this option is enabled tinc will only use Subnet statements which are When this option is enabled tinc will only use Subnet statements which are
present in the host config files in the local present in the host config files in the local
@ -346,6 +366,14 @@ and will only allow connections with nodes for which host config files are prese
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/ .Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory. directory.
Setting this options also implicitly sets StrictSubnets. Setting this options also implicitly sets StrictSubnets.
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
.It Va UDPSndBuf Li = Ar bytes Pq OS default
Sets the socket send buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
.El .El
.Sh HOST CONFIGURATION FILES .Sh HOST CONFIGURATION FILES

View file

@ -5,10 +5,10 @@ START-INFO-DIR-ENTRY
* tinc: (tinc). The tinc Manual. * tinc: (tinc). The tinc Manual.
END-INFO-DIR-ENTRY END-INFO-DIR-ENTRY
This is the info manual for tinc version 1.0.13, a Virtual Private This is the info manual for tinc version 1.0.14, a Virtual Private
Network daemon. Network daemon.
Copyright (C) 1998-2010 Ivo Timmermans, Guus Sliepen Copyright (C) 1998-2011 Ivo Timmermans, Guus Sliepen
<guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>. <guus@tinc-vpn.org> and Wessel Dankers <wsl@tinc-vpn.org>.
Permission is granted to make and distribute verbatim copies of this Permission is granted to make and distribute verbatim copies of this
@ -84,7 +84,7 @@ trusted computers on the other end of the Internet.
This problem can be solved by using _virtual_ networks. Virtual This problem can be solved by using _virtual_ networks. Virtual
networks can live on top of other networks, but they use encapsulation networks can live on top of other networks, but they use encapsulation
to keep using their private address space so they do not interfere with to keep using their private address space so they do not interfere with
the Internet. Mostly, virtual networks appear like a singe LAN, even the Internet. Mostly, virtual networks appear like a single LAN, even
though they can span the entire world. But virtual networks can't be though they can span the entire world. But virtual networks can't be
secured by using firewalls, because the traffic that flows through it secured by using firewalls, because the traffic that flows through it
has to go through the Internet, where other people can look at it. has to go through the Internet, where other people can look at it.
@ -654,6 +654,13 @@ that you put in the `=' sign, but doing so improves readability. If
you leave it out, remember to replace it with at least one space you leave it out, remember to replace it with at least one space
character. character.
The server configuration is complemented with host specific
configuration (see the next section). Although all host configuration
options for the local node listed in this document can also be put in
`/etc/tinc/NETNAME/tinc.conf', it is recommended to put host specific
configuration options in the host configuration file, as this makes it
easy to exchange with other nodes.
In this section all valid variables are listed in alphabetical order. In this section all valid variables are listed in alphabetical order.
The default value is given between parentheses, other comments are The default value is given between parentheses, other comments are
between square brackets. between square brackets.
@ -869,6 +876,17 @@ ProcessPriority = <low|normal|high>
adjusted. Increasing the priority may help to reduce latency and adjusted. Increasing the priority may help to reduce latency and
packet loss on the VPN. packet loss on the VPN.
ReplayWindow = <bytes> (16)
This is the size of the replay tracking window for each remote
node, in bytes. The window is a bitfield which tracks 1 packet
per bit, so for example the default setting of 16 will track up to
128 packets in the window. In high bandwidth scenarios, setting
this to a higher value can reduce packet loss from the interaction
of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking
completely and pass all traffic, but leaves tinc vulnerable to
replay-based attacks on your traffic.
StrictSubnets <yes|no> (no) [experimental] StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements When this option is enabled tinc will only use Subnet statements
which are present in the host config files in the local which are present in the host config files in the local
@ -881,6 +899,16 @@ TunnelServer = <yes|no> (no) [experimental]
the local `/etc/tinc/NETNAME/hosts/' directory. Setting this the local `/etc/tinc/NETNAME/hosts/' directory. Setting this
options also implicitly sets StrictSubnets. options also implicitly sets StrictSubnets.
UDPRcvBuf = <bytes> (OS default)
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating
system.
UDPSndBuf = <bytes> Pq OS default
Sets the socket send buffer size for the UDP socket, in bytes. If
unset, the default buffer size will be used by the operating
system.
 
File: tinc.info, Node: Host configuration variables, Next: Scripts, Prev: Main configuration variables, Up: Configuration files File: tinc.info, Node: Host configuration variables, Next: Scripts, Prev: Main configuration variables, Up: Configuration files
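Review bot: the `Pq OS default` on the UDPSndBuf line is an mdoc macro carried over from tinc.conf.5, not info markup, so it will show up verbatim to readers; it should read `UDPSndBuf = <bytes> (OS default)` like the UDPRcvBuf entry directly above it. Since tinc.info is generated from tinc.texi, the fix belongs in the texinfo source, followed by a regenerate.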
@ -1403,7 +1431,10 @@ command line options.
always be stopped and removed. always be stopped and removed.
`-n, --net=NETNAME' `-n, --net=NETNAME'
Use configuration for net NETNAME. *Note Multiple networks::. Use configuration for net NETNAME. This will let tinc read all
configuration files from `/etc/tinc/NETNAME/'. Specifying . for
NETNAME is the same as not specifying any NETNAME. *Note Multiple
networks::.
`-K, --generate-keys[=BITS]' `-K, --generate-keys[=BITS]'
Generate public/private keypair of BITS length. If BITS is not Generate public/private keypair of BITS length. If BITS is not
@ -2377,6 +2408,8 @@ Concept Index
* release: Supported platforms. (line 14) * release: Supported platforms. (line 14)
* REMOTEADDRESS: Scripts. (line 67) * REMOTEADDRESS: Scripts. (line 67)
* REMOTEPORT: Scripts. (line 70) * REMOTEPORT: Scripts. (line 70)
* ReplayWindow: Main configuration variables.
(line 204)
* REQ_KEY: The meta-protocol. (line 64) * REQ_KEY: The meta-protocol. (line 64)
* requirements: Libraries. (line 6) * requirements: Libraries. (line 6)
* router: Main configuration variables. * router: Main configuration variables.
@ -2388,7 +2421,7 @@ Concept Index
(line 18) (line 18)
* signals: Signals. (line 6) * signals: Signals. (line 6)
* StrictSubnets: Main configuration variables. * StrictSubnets: Main configuration variables.
(line 204) (line 215)
* SUBNET: Scripts. (line 74) * SUBNET: Scripts. (line 74)
* Subnet: Host configuration variables. * Subnet: Host configuration variables.
(line 74) (line 74)
@ -2410,12 +2443,16 @@ Concept Index
* tunifhead: Main configuration variables. * tunifhead: Main configuration variables.
(line 62) (line 62)
* TunnelServer: Main configuration variables. * TunnelServer: Main configuration variables.
(line 209) (line 220)
* tunnohead: Main configuration variables. * tunnohead: Main configuration variables.
(line 56) (line 56)
* UDP <1>: Encryption of network packets. * UDP <1>: Encryption of network packets.
(line 12) (line 12)
* UDP: The UDP tunnel. (line 30) * UDP: The UDP tunnel. (line 30)
* UDPRcvBuf: Main configuration variables.
(line 227)
* UDPSndBuf: Main configuration variables.
(line 232)
* Universal tun/tap: Configuration of Linux kernels. * Universal tun/tap: Configuration of Linux kernels.
(line 6) (line 6)
* virtual: Virtual Private Networks. * virtual: Virtual Private Networks.
@ -2434,63 +2471,63 @@ Tag Table:
Node: Top810 Node: Top810
Node: Introduction1109 Node: Introduction1109
Node: Virtual Private Networks1919 Node: Virtual Private Networks1919
Node: tinc3644 Node: tinc3645
Node: Supported platforms5171 Node: Supported platforms5172
Node: Preparations5869 Node: Preparations5870
Node: Configuring the kernel6125 Node: Configuring the kernel6126
Node: Configuration of Linux kernels6534 Node: Configuration of Linux kernels6535
Node: Configuration of FreeBSD kernels7389 Node: Configuration of FreeBSD kernels7390
Node: Configuration of OpenBSD kernels7779 Node: Configuration of OpenBSD kernels7780
Node: Configuration of NetBSD kernels8387 Node: Configuration of NetBSD kernels8388
Node: Configuration of Solaris kernels8792 Node: Configuration of Solaris kernels8793
Node: Configuration of Darwin (MacOS/X) kernels9453 Node: Configuration of Darwin (MacOS/X) kernels9454
Node: Configuration of Windows10142 Node: Configuration of Windows10143
Node: Libraries10656 Node: Libraries10657
Node: OpenSSL11044 Node: OpenSSL11045
Node: zlib13320 Node: zlib13321
Node: lzo14149 Node: lzo14150
Node: Installation14936 Node: Installation14937
Node: Building and installing tinc15951 Node: Building and installing tinc15952
Node: Darwin (MacOS/X) build environment16610 Node: Darwin (MacOS/X) build environment16611
Node: Cygwin (Windows) build environment17178 Node: Cygwin (Windows) build environment17179
Node: MinGW (Windows) build environment17766 Node: MinGW (Windows) build environment17767
Node: System files18290 Node: System files18291
Node: Device files18555 Node: Device files18556
Node: Other files18971 Node: Other files18972
Node: Configuration19584 Node: Configuration19585
Node: Configuration introduction19895 Node: Configuration introduction19896
Node: Multiple networks21168 Node: Multiple networks21169
Node: How connections work22594 Node: How connections work22595
Node: Configuration files23816 Node: Configuration files23817
Node: Main configuration variables24823 Node: Main configuration variables25204
Node: Host configuration variables34334 Node: Host configuration variables35709
Node: Scripts39745 Node: Scripts41120
Node: How to configure42515 Node: How to configure43890
Node: Generating keypairs43778 Node: Generating keypairs45153
Node: Network interfaces44277 Node: Network interfaces45652
Node: Example configuration46125 Node: Example configuration47500
Node: Running tinc51448 Node: Running tinc52823
Node: Runtime options52038 Node: Runtime options53413
Node: Signals54833 Node: Signals56369
Node: Debug levels55902 Node: Debug levels57438
Node: Solving problems56838 Node: Solving problems58374
Node: Error messages58390 Node: Error messages59926
Node: Sending bug reports62403 Node: Sending bug reports63939
Node: Technical information63355 Node: Technical information64891
Node: The connection63586 Node: The connection65122
Node: The UDP tunnel63898 Node: The UDP tunnel65434
Node: The meta-connection66959 Node: The meta-connection68495
Node: The meta-protocol68428 Node: The meta-protocol69964
Node: Security73437 Node: Security74973
Node: Authentication protocol74567 Node: Authentication protocol76103
Node: Encryption of network packets79571 Node: Encryption of network packets81107
Node: Security issues80944 Node: Security issues82480
Node: Platform specific information82561 Node: Platform specific information84097
Node: Interface configuration82789 Node: Interface configuration84325
Node: Routes84688 Node: Routes86224
Node: About us86604 Node: About us88140
Node: Contact information86779 Node: Contact information88315
Node: Authors87183 Node: Authors88719
Node: Concept Index87588 Node: Concept Index89124
 
End Tag Table End Tag Table

View file

@ -15,7 +15,7 @@
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2010 Ivo Timmermans, Copyright @copyright{} 1998-2011 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -39,7 +39,7 @@ permission notice identical to this one.
@vskip 0pt plus 1filll @vskip 0pt plus 1filll
This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon. This is the info manual for @value{PACKAGE} version @value{VERSION}, a Virtual Private Network daemon.
Copyright @copyright{} 1998-2010 Ivo Timmermans, Copyright @copyright{} 1998-2011 Ivo Timmermans,
Guus Sliepen <guus@@tinc-vpn.org> and Guus Sliepen <guus@@tinc-vpn.org> and
Wessel Dankers <wsl@@tinc-vpn.org>. Wessel Dankers <wsl@@tinc-vpn.org>.
@ -119,7 +119,7 @@ computers on the other end of the Internet.
This problem can be solved by using @emph{virtual} networks. Virtual This problem can be solved by using @emph{virtual} networks. Virtual
networks can live on top of other networks, but they use encapsulation to networks can live on top of other networks, but they use encapsulation to
keep using their private address space so they do not interfere with keep using their private address space so they do not interfere with
the Internet. Mostly, virtual networks appear like a singe LAN, even though the Internet. Mostly, virtual networks appear like a single LAN, even though
they can span the entire world. But virtual networks can't be secured they can span the entire world. But virtual networks can't be secured
by using firewalls, because the traffic that flows through it has to go by using firewalls, because the traffic that flows through it has to go
through the Internet, where other people can look at it. through the Internet, where other people can look at it.
@ -725,6 +725,13 @@ and carriage returns are ignored. Note: it is not required that you put
in the `=' sign, but doing so improves readability. If you leave it in the `=' sign, but doing so improves readability. If you leave it
out, remember to replace it with at least one space character. out, remember to replace it with at least one space character.
The server configuration is complemented with host specific configuration (see
the next section). Although all host configuration options for the local node
listed in this document can also be put in
@file{@value{sysconfdir}/tinc/@var{netname}/tinc.conf}, it is recommended to
put host specific configuration options in the host configuration file, as this
makes it easy to exchange with other nodes.
In this section all valid variables are listed in alphabetical order. In this section all valid variables are listed in alphabetical order.
The default value is given between parentheses, The default value is given between parentheses,
other comments are between square brackets. other comments are between square brackets.
@ -955,6 +962,18 @@ specified in the configuration file.
When this option is used the priority of the tincd process will be adjusted. When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN. Increasing the priority may help to reduce latency and packet loss on the VPN.
@cindex ReplayWindow
@item ReplayWindow = <bytes> (16)
This is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from
the interaction of replay tracking with underlying real packet loss and/or
reordering. Setting this to zero will disable replay tracking completely and
pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
traffic.
@cindex StrictSubnets @cindex StrictSubnets
@item StrictSubnets <yes|no> (no) [experimental] @item StrictSubnets <yes|no> (no) [experimental]
When this option is enabled tinc will only use Subnet statements which are When this option is enabled tinc will only use Subnet statements which are
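Review bot: the ReplayWindow description implies but never states what happens to a packet that falls outside the window; it should say explicitly that such packets are discarded, because that is the mechanism behind the "packet loss from the interaction of replay tracking with ... reordering" the text mentions, and an operator needs that fact to decide whether raising the window (rather than disabling it with 0) is the right response.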
@ -968,6 +987,16 @@ and will only allow connections with nodes for which host config files are prese
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory. @file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets. Setting this options also implicitly sets StrictSubnets.
@cindex UDPRcvBuf
@item UDPRcvBuf = <bytes> (OS default)
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
@cindex UDPSndBuf
@item UDPSndBuf = <bytes> Pq OS default
Sets the socket send buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.
@end table @end table
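Review bot: `@item UDPSndBuf = <bytes> Pq OS default` has the mdoc `Pq` macro left in from tinc.conf.5; in texinfo it should be `@item UDPSndBuf = <bytes> (OS default)`, matching the `@item UDPRcvBuf = <bytes> (OS default)` line just above. Fix it here, since the rendered tinc.info inherits the same typo.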
@ -1536,7 +1565,11 @@ Under native Windows the optional argument is ignored,
the service will always be stopped and removed. the service will always be stopped and removed.
@item -n, --net=@var{netname} @item -n, --net=@var{netname}
Use configuration for net @var{netname}. @xref{Multiple networks}. Use configuration for net @var{netname}.
This will let tinc read all configuration files from
@file{@value{sysconfdir}/tinc/@var{netname}/}.
Specifying . for @var{netname} is the same as not specifying any @var{netname}.
@xref{Multiple networks}.
@item -K, --generate-keys[=@var{bits}] @item -K, --generate-keys[=@var{bits}]
Generate public/private keypair of @var{bits} length. If @var{bits} is not specified, Generate public/private keypair of @var{bits} length. If @var{bits} is not specified,

View file

@ -1,4 +1,4 @@
.Dd 2009-05-18 .Dd 2011-01-02
.Dt TINCD 8 .Dt TINCD 8
.\" Manual page created by: .\" Manual page created by:
.\" Ivo Timmermans .\" Ivo Timmermans
@ -64,6 +64,14 @@ the service will always be stopped and removed.
.It Fl n, -net Ns = Ns Ar NETNAME .It Fl n, -net Ns = Ns Ar NETNAME
Connect to net Connect to net
.Ar NETNAME . .Ar NETNAME .
This will let tinc read all configuration files from
.Pa @sysconfdir@/tinc/ Ar NETNAME .
Specifying
.Li .
for
.Ar NETNAME
is the same as not specifying any
.Ar NETNAME .
.It Fl K, -generate-keys Ns Op = Ns Ar BITS .It Fl K, -generate-keys Ns Op = Ns Ar BITS
Generate public/private RSA keypair and exit. Generate public/private RSA keypair and exit.
If If
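Review bot: the line `.Pa @sysconfdir@/tinc/ Ar NETNAME .` lacks a `Ns` between the directory and the argument, so mdoc inserts a space and renders the path as `/etc/tinc/ NETNAME`. Use the same form tinc.conf.5 already uses for the hosts directory, e.g. `.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa / .`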
@ -89,11 +97,11 @@ Under Windows this option will be ignored.
.It Fl -bypass-security .It Fl -bypass-security
Disables encryption and authentication of the meta protocol. Disables encryption and authentication of the meta protocol.
Only useful for debugging. Only useful for debugging.
.It Fl -chroot .It Fl R, -chroot
With this option tinc chroots into the directory where network With this option tinc chroots into the directory where network
config is located (@sysconfdir@/tinc/NETNAME if -n option is used, config is located (@sysconfdir@/tinc/NETNAME if -n option is used,
or to the directory specified with -c option) after initialization. or to the directory specified with -c option) after initialization.
.It Fl -user Ns = Ns Ar USER .It Fl U, -user Ns = Ns Ar USER
setuid to the specified setuid to the specified
.Ar USER .Ar USER
after initialization. after initialization.

27
have.h
View file

@ -1,7 +1,7 @@
/* /*
have.h -- include headers which are known to exist have.h -- include headers which are known to exist
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2003-2009 Guus Sliepen <guus@tinc-vpn.org> 2003-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -21,6 +21,14 @@
#ifndef __TINC_HAVE_H__ #ifndef __TINC_HAVE_H__
#define __TINC_HAVE_H__ #define __TINC_HAVE_H__
#ifdef HAVE_MINGW
#ifdef WITH_WINDOWS2000
#define WINVER Windows2000
#else
#define WINVER WindowsXP
#endif
#endif
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdarg.h> #include <stdarg.h>
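Review bot: moving the WINVER block above every other include is correct in principle, since the w32api headers fix the target version the first time any of them is pulled in, but an unconditional Windows define sitting above `<stdio.h>` looks like a mistake to the next reader. Add a one-line comment stating that WINVER must be defined before the first system header is included, so it is not moved back next to `<w32api.h>` where it used to live.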
@ -32,11 +40,6 @@
#include <unistd.h> #include <unistd.h>
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
#ifdef WITH_WINDOWS2000
#define WINVER Windows2000
#else
#define WINVER WindowsXP
#endif
#include <w32api.h> #include <w32api.h>
#include <windows.h> #include <windows.h>
#include <ws2tcpip.h> #include <ws2tcpip.h>
@ -92,6 +95,10 @@
#include <sys/param.h> #include <sys/param.h>
#endif #endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
#endif
#ifdef HAVE_SYS_UIO_H #ifdef HAVE_SYS_UIO_H
#include <sys/uio.h> #include <sys/uio.h>
#endif #endif
@ -123,10 +130,18 @@
#include <net/if_tun.h> #include <net/if_tun.h>
#endif #endif
#ifdef HAVE_NET_TUN_IF_TUN_H
#include <net/tun/if_tun.h>
#endif
#ifdef HAVE_NET_IF_TAP_H #ifdef HAVE_NET_IF_TAP_H
#include <net/if_tap.h> #include <net/if_tap.h>
#endif #endif
#ifdef HAVE_NET_TAP_IF_TAP_H
#include <net/tap/if_tap.h>
#endif
#ifdef HAVE_NETINET_IN_SYSTM_H #ifdef HAVE_NETINET_IN_SYSTM_H
#include <netinet/in_systm.h> #include <netinet/in_systm.h>
#endif #endif

View file

@ -1,7 +1,7 @@
/* /*
dropin.c -- a set of drop-in replacements for libc functions dropin.c -- a set of drop-in replacements for libc functions
Copyright (C) 2000-2005 Ivo Timmermans, Copyright (C) 2000-2005 Ivo Timmermans,
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -163,3 +163,11 @@ int gettimeofday(struct timeval *tv, void *tz) {
return 0; return 0;
} }
#endif #endif
#ifndef HAVE_USLEEP
int usleep(long usec) {
struct timeval tv = {usec / 1000000, (usec / 1000) % 1000};
select(0, NULL, NULL, NULL, &tv);
return 0;
}
#endif
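Review bot: the tv_usec initializer in the `usleep` fallback is wrong: `(usec / 1000) % 1000` yields the millisecond part (0..999), not the microseconds within the second, so `usleep(500000)` sets `tv = {0, 500}` and sleeps 500 microseconds, a thousand times too short. It should be `{usec / 1000000, usec % 1000000}`. Two further points: `select` needs `<sys/select.h>` or `<sys/time.h>` (or `<winsock2.h>`) visible in this file, and on Winsock, which is where a missing `usleep` is most likely, `select` with all three fd sets NULL returns an error (WSAEINVAL) rather than sleeping, so on that platform `Sleep((usec + 999) / 1000)` is the reliable primitive.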

View file

@ -1,7 +1,7 @@
/* /*
dropin.h -- header file for dropin.c dropin.h -- header file for dropin.c
Copyright (C) 2000-2005 Ivo Timmermans, Copyright (C) 2000-2005 Ivo Timmermans,
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -41,4 +41,8 @@ extern int vasprintf(char **, const char *, va_list ap);
extern int gettimeofday(struct timeval *, void *); extern int gettimeofday(struct timeval *, void *);
#endif #endif
#ifndef HAVE_USLEEP
extern int usleep(long);
#endif
#endif /* __DROPIN_H__ */ #endif /* __DROPIN_H__ */

View file

@ -44,6 +44,10 @@ with this program; if not, write to the Free Software Foundation, Inc.,
#include <stdio.h> #include <stdio.h>
#ifdef HAVE_STRING_H
#include <string.h>
#endif
/* Comment out all this code if we are using the GNU C Library, and are not /* Comment out all this code if we are using the GNU C Library, and are not
actually compiling the library itself. This code is part of the GNU C actually compiling the library itself. This code is part of the GNU C
Library, but also included in many other GNU distributions. Compiling Library, but also included in many other GNU distributions. Compiling
@ -688,16 +692,18 @@ _getopt_internal (argc, argv, optstring, longopts, longind, long_only)
else else
{ {
if (opterr) if (opterr)
if (argv[optind - 1][1] == '-') {
/* --option */ if (argv[optind - 1][1] == '-')
fprintf (stderr, /* --option */
"%s: option `--%s' doesn't allow an argument\n", fprintf (stderr,
argv[0], pfound->name); "%s: option `--%s' doesn't allow an argument\n",
else argv[0], pfound->name);
/* +option or -option */ else
fprintf (stderr, /* +option or -option */
"%s: option `%c%s' doesn't allow an argument\n", fprintf (stderr,
argv[0], argv[optind - 1][0], pfound->name); "%s: option `%c%s' doesn't allow an argument\n",
argv[0], argv[optind - 1][0], pfound->name);
}
nextchar += strlen (nextchar); nextchar += strlen (nextchar);
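Review bot: this is a brace-only change: the `else` already bound to the inner `if (argv[optind - 1][1] == '-')`, so behaviour is unchanged and the hunk only silences the ambiguous-else warning. Worth a line in the commit message saying so, otherwise a reader diffing getopt.c against upstream may take it for a logic fix.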

View file

@ -23,6 +23,10 @@
# include "config.h" # include "config.h"
#endif #endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
#undef __ptr_t #undef __ptr_t
#if defined __cplusplus || (defined __STDC__ && __STDC__) #if defined __cplusplus || (defined __STDC__ && __STDC__)
# define __ptr_t void * # define __ptr_t void *
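Review bot: `intptr_t` is used unconditionally in the hunks below, but the include is guarded by `HAVE_INTTYPES_H`; a host without `<inttypes.h>` no longer compiles this file, whereas the old `long int` code did. Either add an `#else #include <stdint.h>` fallback (and as a last resort a `typedef long intptr_t;` under a configure check), or make the inttypes.h check a hard requirement in configure.in.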
@ -107,8 +111,8 @@ static int
memcmp_bytes (a, b) memcmp_bytes (a, b)
op_t a, b; op_t a, b;
{ {
long int srcp1 = (long int) &a; intptr_t srcp1 = (intptr_t) &a;
long int srcp2 = (long int) &b; intptr_t srcp2 = (intptr_t) &b;
op_t a0, b0; op_t a0, b0;
do do
@ -123,7 +127,7 @@ memcmp_bytes (a, b)
} }
#endif #endif
static int memcmp_common_alignment __P((long, long, size_t)); static int memcmp_common_alignment __P((intptr_t, intptr_t, size_t));
/* memcmp_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN `op_t' /* memcmp_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN `op_t'
objects (not LEN bytes!). Both SRCP1 and SRCP2 should be aligned for objects (not LEN bytes!). Both SRCP1 and SRCP2 should be aligned for
@ -133,8 +137,8 @@ __inline
#endif #endif
static int static int
memcmp_common_alignment (srcp1, srcp2, len) memcmp_common_alignment (srcp1, srcp2, len)
long int srcp1; intptr_t srcp1;
long int srcp2; intptr_t srcp2;
size_t len; size_t len;
{ {
op_t a0, a1; op_t a0, a1;
@ -213,7 +217,7 @@ memcmp_common_alignment (srcp1, srcp2, len)
return 0; return 0;
} }
static int memcmp_not_common_alignment __P((long, long, size_t)); static int memcmp_not_common_alignment __P((intptr_t, intptr_t, size_t));
/* memcmp_not_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN /* memcmp_not_common_alignment -- Compare blocks at SRCP1 and SRCP2 with LEN
`op_t' objects (not LEN bytes!). SRCP2 should be aligned for memory `op_t' objects (not LEN bytes!). SRCP2 should be aligned for memory
@ -223,8 +227,8 @@ __inline
#endif #endif
static int static int
memcmp_not_common_alignment (srcp1, srcp2, len) memcmp_not_common_alignment (srcp1, srcp2, len)
long int srcp1; intptr_t srcp1;
long int srcp2; intptr_t srcp2;
size_t len; size_t len;
{ {
op_t a0, a1, a2, a3; op_t a0, a1, a2, a3;
@ -332,8 +336,8 @@ rpl_memcmp (s1, s2, len)
{ {
op_t a0; op_t a0;
op_t b0; op_t b0;
long int srcp1 = (long int) s1; intptr_t srcp1 = (intptr_t) s1;
long int srcp2 = (long int) s2; intptr_t srcp2 = (intptr_t) s2;
op_t res; op_t res;
if (len >= OP_T_THRES) if (len >= OP_T_THRES)

View file

@ -41,7 +41,7 @@ pid_t read_pid (char *pidfile)
if (!(f=fopen(pidfile,"r"))) if (!(f=fopen(pidfile,"r")))
return 0; return 0;
if(fscanf(f,"%ld", &pid) != 1) if(fscanf(f,"%20ld", &pid) != 1)
pid = 0; pid = 0;
fclose(f); fclose(f);
return pid; return pid;
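Review bot: the `%20ld` width bounds how many characters fscanf will consume from a corrupt or hostile pidfile, which is good, but it does not prevent overflow: 20 digits exceed LONG_MAX on 64-bit hosts and the converted value is then undefined. Read the line with `fgets` and convert with `strtol`, checking `errno == ERANGE`, that the whole field was consumed, and that the result is positive before treating it as a pid.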

View file

@ -26,19 +26,15 @@ AC_DEFUN([tinc_OPENSSL],
[AC_MSG_ERROR([OpenSSL header files not found.]); break] [AC_MSG_ERROR([OpenSSL header files not found.]); break]
) )
AC_CHECK_LIB(crypto, EVP_EncryptInit_ex,
[LIBS="-lcrypto $LIBS"],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
)
case $host_os in case $host_os in
*mingw*) *mingw*)
AC_CHECK_LIB(crypto, SHA1_version,
[LIBS="$LIBS -lcrypto -lgdi32"],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
)
;; ;;
*) *)
AC_CHECK_LIB(crypto, SHA1_version,
[LIBS="$LIBS -lcrypto"],
[AC_MSG_ERROR([OpenSSL libraries not found.])]
)
AC_CHECK_FUNC(dlopen, AC_CHECK_FUNC(dlopen,
[], [],
[AC_CHECK_LIB(dl, dlopen, [AC_CHECK_LIB(dl, dlopen,
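Review bot: with `AC_CHECK_LIB(crypto, EVP_EncryptInit_ex, ...)` hoisted above the `case`, the `*mingw*)` arm is now empty and `-lgdi32` is no longer added on MinGW. If the MinGW OpenSSL builds this targets genuinely no longer need gdi32, drop the empty arm rather than leaving a no-op `case`; if older builds still do, keep an explicit `LIBS="-lgdi32 $LIBS"` there. Note also that `-lcrypto` is now placed before `$LIBS` instead of after it, which changes link order relative to anything already in LIBS.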

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction BSD tun/tap device device.c -- Interaction BSD tun/tap device
Copyright (C) 2001-2005 Ivo Timmermans, Copyright (C) 2001-2005 Ivo Timmermans,
2001-2009 Guus Sliepen <guus@tinc-vpn.org> 2001-2011 Guus Sliepen <guus@tinc-vpn.org>
2009 Grzegorz Dymarek <gregd72002@googlemail.com> 2009 Grzegorz Dymarek <gregd72002@googlemail.com>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -47,11 +47,11 @@ int device_fd = -1;
char *device = NULL; char *device = NULL;
char *iface = NULL; char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
#if defined(TUNEMU) #if defined(TUNEMU)
static device_type_t device_type = DEVICE_TYPE_TUNEMU; static device_type_t device_type = DEVICE_TYPE_TUNEMU;
#elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) #elif defined(HAVE_OPENBSD) || defined(HAVE_FREEBSD) || defined(HAVE_DRAGONFLY)
static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD; static device_type_t device_type = DEVICE_TYPE_TUNIFHEAD;
#else #else
static device_type_t device_type = DEVICE_TYPE_TUN; static device_type_t device_type = DEVICE_TYPE_TUN;
@ -64,7 +64,7 @@ bool setup_device(void) {
device = xstrdup(DEFAULT_DEVICE); device = xstrdup(DEFAULT_DEVICE);
if(!get_config_string(lookup_config(config_tree, "Interface"), &iface)) if(!get_config_string(lookup_config(config_tree, "Interface"), &iface))
iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) { if(get_config_string(lookup_config(config_tree, "DeviceType"), &type)) {
if(!strcasecmp(type, "tun")) if(!strcasecmp(type, "tun"))
@ -199,9 +199,8 @@ bool read_packet(vpn_packet_t *packet) {
if(device_type == DEVICE_TYPE_TUNEMU) if(device_type == DEVICE_TYPE_TUNEMU)
lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14); lenin = tunemu_read(device_fd, packet->data + 14, MTU - 14);
else else
#else
lenin = read(device_fd, packet->data + 14, MTU - 14);
#endif #endif
lenin = read(device_fd, packet->data + 14, MTU - 14);
if(lenin <= 0) { if(lenin <= 0) {
logger(LOG_ERR, "Error while reading from %s %s: %s", device_info, logger(LOG_ERR, "Error while reading from %s %s: %s", device_info,
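Review bot: good catch. In the old layout the `lenin = read(...)` lived inside the `#else`, so when TUNEMU was defined the `else` had no statement of its own and attached to the following `if(lenin <= 0)`: a non-tunemu device was never read at all, and a tunemu read skipped the error check. Moving the `read` below `#endif` makes both paths correct. Because the `else` now spans a preprocessor boundary, wrap the if/else in braces or add a short comment so a later edit does not re-break it.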
@ -353,6 +352,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }

View file

@ -2,7 +2,8 @@
conf.c -- configuration code conf.c -- configuration code
Copyright (C) 1998 Robert van der Meulen Copyright (C) 1998 Robert van der Meulen
1998-2005 Ivo Timmermans 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2010 Guus Sliepen <guus@tinc-vpn.org>
2010-2011 Julien Muchembled <jm@jmuchemb.eu>
2000 Cris van Pelt 2000 Cris van Pelt
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -23,6 +24,7 @@
#include "system.h" #include "system.h"
#include "avl_tree.h" #include "avl_tree.h"
#include "connection.h"
#include "conf.h" #include "conf.h"
#include "logger.h" #include "logger.h"
#include "netutl.h" /* for str2address */ #include "netutl.h" /* for str2address */
@ -36,6 +38,8 @@ int pinginterval = 0; /* seconds between pings */
int pingtimeout = 0; /* seconds to wait for response */ int pingtimeout = 0; /* seconds to wait for response */
char *confbase = NULL; /* directory in which all config files are */ char *confbase = NULL; /* directory in which all config files are */
char *netname = NULL; /* name of the vpn network */ char *netname = NULL; /* name of the vpn network */
list_t *cmdline_conf = NULL; /* global/host configuration values given at the command line */
static int config_compare(const config_t *a, const config_t *b) { static int config_compare(const config_t *a, const config_t *b) {
int result; int result;
@ -45,12 +49,17 @@ static int config_compare(const config_t *a, const config_t *b) {
if(result) if(result)
return result; return result;
/* give priority to command line options */
result = !b->file - !a->file;
if (result)
return result;
result = a->line - b->line; result = a->line - b->line;
if(result) if(result)
return result; return result;
else else
return strcmp(a->file, b->file); return a->file ? strcmp(a->file, b->file) : 0;
} }
void init_configuration(avl_tree_t ** config_tree) { void init_configuration(avl_tree_t ** config_tree) {
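Review bot: style and documentation on the command-line priority check: `if (result)` breaks the `if(result)` spacing used on the lines around it, and the ordering now encodes an invariant worth a comment. After `result = !b->file - !a->file;` has returned for a NULL/non-NULL mix, `a->file ? strcmp(a->file, b->file) : 0` is only ever reached with both files NULL or both set, so the guard is correct but reads as if a mixed pair could get there. Note also that lookup_config() in the next hunk relies on exactly this order (variable, command line before file, line, file name) by searching with `cfg.file = NULL; cfg.line = 0;` via avl_search_closest_greater(), so a future reorder of the comparator silently changes which duplicate wins.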
@ -87,7 +96,7 @@ config_t *lookup_config(avl_tree_t *config_tree, char *variable) {
config_t cfg, *found; config_t cfg, *found;
cfg.variable = variable; cfg.variable = variable;
cfg.file = ""; cfg.file = NULL;
cfg.line = 0; cfg.line = 0;
found = avl_search_closest_greater(config_tree, &cfg); found = avl_search_closest_greater(config_tree, &cfg);
@ -224,7 +233,7 @@ static char *readline(FILE * fp, char *buf, size_t buflen) {
newline = strchr(p, '\n'); newline = strchr(p, '\n');
if(!newline) if(!newline)
return NULL; return buf;
*newline = '\0'; /* kill newline */ *newline = '\0'; /* kill newline */
if(newline > p && newline[-1] == '\r') /* and carriage return if necessary */ if(newline > p && newline[-1] == '\r') /* and carriage return if necessary */
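Review bot: returning `buf` instead of NULL when no '\n' is found also accepts a line that was cut short because it did not fit in `buflen`; the remainder of that line is then handed back as a separate configuration line on the next call, so an over-long line is silently split into two variables rather than rejected. If the intent is only to accept a final line without a trailing newline, distinguish the two cases (for example, return buf only when feof(fp) is true, and log an error otherwise).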
@ -233,6 +242,45 @@ static char *readline(FILE * fp, char *buf, size_t buflen) {
return buf; return buf;
} }
config_t *parse_config_line(char *line, const char *fname, int lineno) {
config_t *cfg;
int len;
char *variable, *value, *eol;
variable = value = line;
eol = line + strlen(line);
while(strchr("\t ", *--eol))
*eol = '\0';
len = strcspn(value, "\t =");
value += len;
value += strspn(value, "\t ");
if(*value == '=') {
value++;
value += strspn(value, "\t ");
}
variable[len] = '\0';
if(!*value) {
const char err[] = "No value for variable";
if (fname)
logger(LOG_ERR, "%s `%s' on line %d while reading config file %s",
err, variable, lineno, fname);
else
logger(LOG_ERR, "%s `%s' in command line option %d",
err, variable, lineno);
return NULL;
}
cfg = new_config();
cfg->variable = xstrdup(variable);
cfg->value = xstrdup(value);
cfg->file = fname ? xstrdup(fname) : NULL;
cfg->line = lineno;
return cfg;
}
/* /*
Parse a configuration file and put the results in the configuration tree Parse a configuration file and put the results in the configuration tree
starting at *base. starting at *base.
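Review bot: the trailing-whitespace loop `while(strchr("\t ", *--eol)) *eol = '\0';` in parse_config_line() has no lower bound: for an empty line `eol` is decremented to `line - 1` before the first read, and for a line consisting only of blanks it walks past the start of the buffer after stripping everything. read_config_file() may skip such lines before calling it, but the function is now exported in conf.h and used for command-line options as well, where an empty argument reaches it directly. Suggest `while(eol > line && strchr("\t ", eol[-1])) *--eol = '\0';`. Relatedly, a line beginning with '=' yields `len == 0` and an empty variable name that is accepted without complaint; rejecting `!*variable` alongside `!*value` would be cheap.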
@ -241,9 +289,7 @@ bool read_config_file(avl_tree_t *config_tree, const char *fname) {
FILE *fp; FILE *fp;
char buffer[MAX_STRING_SIZE]; char buffer[MAX_STRING_SIZE];
char *line; char *line;
char *variable, *value, *eol;
int lineno = 0; int lineno = 0;
int len;
bool ignore = false; bool ignore = false;
config_t *cfg; config_t *cfg;
bool result = false; bool result = false;
@ -280,34 +326,9 @@ bool read_config_file(avl_tree_t *config_tree, const char *fname) {
continue; continue;
} }
variable = value = line; cfg = parse_config_line(line, fname, lineno);
if (!cfg)
eol = line + strlen(line);
while(strchr("\t ", *--eol))
*eol = '\0';
len = strcspn(value, "\t =");
value += len;
value += strspn(value, "\t ");
if(*value == '=') {
value++;
value += strspn(value, "\t ");
}
variable[len] = '\0';
if(!*value) {
logger(LOG_ERR, "No value for variable `%s' on line %d while reading config file %s",
variable, lineno, fname);
break; break;
}
cfg = new_config();
cfg->variable = xstrdup(variable);
cfg->value = xstrdup(value);
cfg->file = xstrdup(fname);
cfg->line = lineno;
config_add(config_tree, cfg); config_add(config_tree, cfg);
} }
@ -316,10 +337,43 @@ bool read_config_file(avl_tree_t *config_tree, const char *fname) {
return result; return result;
} }
void read_config_options(avl_tree_t *config_tree, const char *prefix) {
list_node_t *node, *next;
size_t prefix_len = prefix ? strlen(prefix) : 0;
for(node = cmdline_conf->tail; node; node = next) {
config_t *orig_cfg, *cfg = (config_t *)node->data;
next = node->prev;
if(!prefix) {
if(strchr(cfg->variable, '.'))
continue;
node->data = NULL;
list_unlink_node(cmdline_conf, node);
} else {
if(strncmp(prefix, cfg->variable, prefix_len) ||
cfg->variable[prefix_len] != '.')
continue;
/* Because host configuration is parsed again when
reconnecting, nodes must not be freed when a prefix
is given. */
orig_cfg = cfg;
cfg = new_config();
cfg->variable = xstrdup(orig_cfg->variable + prefix_len + 1);
cfg->value = xstrdup(orig_cfg->value);
cfg->file = NULL;
cfg->line = orig_cfg->line;
}
config_add(config_tree, cfg);
}
}
bool read_server_config() { bool read_server_config() {
char *fname; char *fname;
bool x; bool x;
read_config_options(config_tree, NULL);
xasprintf(&fname, "%s/tinc.conf", confbase); xasprintf(&fname, "%s/tinc.conf", confbase);
x = read_config_file(config_tree, fname); x = read_config_file(config_tree, fname);
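Review bot: `cmdline_conf` is initialised to NULL at its definition in conf.c and dereferenced unconditionally as `cmdline_conf->tail` in read_config_options(); this diff does not show where the list is allocated, so either guarantee that allocation happens before read_server_config() on every startup path (including the Windows service path) or guard the loop with `if(!cmdline_conf) return;`. A second point on the `!prefix` branch: the node is unlinked from cmdline_conf and its config_t handed to config_tree, while the prefix branch copies because host configuration is parsed again. If read_server_config() can itself run more than once (a configuration reload), the global command-line options are gone after the first call and are lost when config_tree is freed; copying in both branches, as the prefix branch already does, avoids that.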
@ -332,6 +386,19 @@ bool read_server_config() {
return x; return x;
} }
bool read_connection_config(connection_t *c) {
char *fname;
bool x;
read_config_options(c->config_tree, c->name);
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
x = read_config_file(c->config_tree, fname);
free(fname);
return x;
}
FILE *ask_and_open(const char *filename, const char *what) { FILE *ask_and_open(const char *filename, const char *what) {
FILE *r; FILE *r;
char *directory; char *directory;
@ -400,24 +467,33 @@ bool disable_old_keys(FILE *f) {
rewind(f); rewind(f);
pos = ftell(f); pos = ftell(f);
if(pos < 0)
return false;
while(fgets(buf, sizeof buf, f)) { while(fgets(buf, sizeof buf, f)) {
if(!strncmp(buf, "-----BEGIN RSA", 14)) { if(!strncmp(buf, "-----BEGIN RSA", 14)) {
buf[11] = 'O'; buf[11] = 'O';
buf[12] = 'L'; buf[12] = 'L';
buf[13] = 'D'; buf[13] = 'D';
fseek(f, pos, SEEK_SET); if(fseek(f, pos, SEEK_SET))
fputs(buf, f); break;
if(fputs(buf, f) <= 0)
break;
disabled = true; disabled = true;
} }
else if(!strncmp(buf, "-----END RSA", 12)) { else if(!strncmp(buf, "-----END RSA", 12)) {
buf[ 9] = 'O'; buf[ 9] = 'O';
buf[10] = 'L'; buf[10] = 'L';
buf[11] = 'D'; buf[11] = 'D';
fseek(f, pos, SEEK_SET); if(fseek(f, pos, SEEK_SET))
fputs(buf, f); break;
if(fputs(buf, f) <= 0)
break;
disabled = true; disabled = true;
} }
pos = ftell(f); pos = ftell(f);
if(pos < 0)
break;
} }
return disabled; return disabled;
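Review bot: the loop still goes from writing (fputs) straight back to reading (fgets) on an update stream without an intervening fflush() or file positioning call; C99 7.19.5.3 leaves that undefined, so add `fflush(f);` after each successful fputs() and before `pos = ftell(f);`. On the new error paths the function `break`s but still returns `disabled`, which may already be true from an earlier key, so the caller cannot tell that the file is now half rewritten; returning false or at least logging errno in those branches would make the failure visible. Finally, `fputs(buf, f) <= 0` treats a return of 0 as failure, but fputs() only promises a non-negative value on success; compare against EOF instead.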

View file

@ -22,6 +22,7 @@
#define __TINC_CONF_H__ #define __TINC_CONF_H__
#include "avl_tree.h" #include "avl_tree.h"
#include "list.h"
typedef struct config_t { typedef struct config_t {
char *variable; char *variable;
@ -40,6 +41,7 @@ extern int maxtimeout;
extern bool bypass_security; extern bool bypass_security;
extern char *confbase; extern char *confbase;
extern char *netname; extern char *netname;
extern list_t *cmdline_conf;
extern void init_configuration(avl_tree_t **); extern void init_configuration(avl_tree_t **);
extern void exit_configuration(avl_tree_t **); extern void exit_configuration(avl_tree_t **);
@ -54,8 +56,11 @@ extern bool get_config_string(const config_t *, char **);
extern bool get_config_address(const config_t *, struct addrinfo **); extern bool get_config_address(const config_t *, struct addrinfo **);
extern bool get_config_subnet(const config_t *, struct subnet_t **); extern bool get_config_subnet(const config_t *, struct subnet_t **);
extern config_t *parse_config_line(char *, const char *, int);
extern bool read_config_file(avl_tree_t *, const char *); extern bool read_config_file(avl_tree_t *, const char *);
extern void read_config_options(avl_tree_t *, const char *);
extern bool read_server_config(void); extern bool read_server_config(void);
extern bool read_connection_config(struct connection_t *);
extern FILE *ask_and_open(const char *, const char *); extern FILE *ask_and_open(const char *, const char *);
extern bool is_safe_path(const char *); extern bool is_safe_path(const char *);
extern bool disable_old_keys(FILE *); extern bool disable_old_keys(FILE *);

View file

@ -127,14 +127,3 @@ void dump_connections(void) {
logger(LOG_DEBUG, "End of connections."); logger(LOG_DEBUG, "End of connections.");
} }
bool read_connection_config(connection_t *c) {
char *fname;
bool x;
xasprintf(&fname, "%s/hosts/%s", confbase, c->name);
x = read_config_file(c->config_tree, fname);
free(fname);
return x;
}

View file

@ -111,6 +111,5 @@ extern void free_connection(connection_t *);
extern void connection_add(connection_t *); extern void connection_add(connection_t *);
extern void connection_del(connection_t *); extern void connection_del(connection_t *);
extern void dump_connections(void); extern void dump_connections(void);
extern bool read_connection_config(connection_t *);
#endif /* __TINC_CONNECTION_H__ */ #endif /* __TINC_CONNECTION_H__ */

View file

@ -38,8 +38,8 @@ char *device = NULL;
char *iface = NULL; char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
static pid_t reader_pid; static pid_t reader_pid;
static int sp[2]; static int sp[2];
@ -261,6 +261,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }

View file

@ -1,6 +1,6 @@
/* /*
graph.c -- graph algorithms graph.c -- graph algorithms
Copyright (C) 2001-2010 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -199,16 +199,12 @@ void sssp_bfs(void) {
n->address is set to the e->address of the edge left of n to n. n->address is set to the e->address of the edge left of n to n.
We are currently examining the edge e right of n from n: We are currently examining the edge e right of n from n:
- If e->reverse->address != n->address, then e->to is probably
not reachable for the nodes left of n. We do as if the indirectdata
flag is set on edge e.
- If edge e provides for better reachability of e->to, update - If edge e provides for better reachability of e->to, update
e->to and (re)add it to the todo_list to (re)examine the reachability e->to and (re)add it to the todo_list to (re)examine the reachability
of nodes behind it. of nodes behind it.
*/ */
indirect = n->status.indirect || e->options & OPTION_INDIRECT indirect = n->status.indirect || e->options & OPTION_INDIRECT;
|| ((n != myself) && sockaddrcmp(&n->address, &e->reverse->address));
if(e->to->status.visited if(e->to->status.visited
&& (!e->to->status.indirect || indirect)) && (!e->to->status.indirect || indirect))
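Review bot: with the `sockaddrcmp(&n->address, &e->reverse->address)` heuristic removed from the `indirect` computation, the comment line `n->address is set to the e->address of the edge left of n to n` that was kept describes a value this loop no longer consumes; either drop that line as well or say where n->address is still used, so the next reader does not hunt for a comparison that is gone. A sentence in the comment on why an address mismatch no longer implies indirectness would also help, since the removed text was the only explanation of that reasoning.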

View file

@ -47,11 +47,12 @@ char *iface = NULL;
static char ifrname[IFNAMSIZ]; static char ifrname[IFNAMSIZ];
static char *device_info; static char *device_info;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
bool setup_device(void) { bool setup_device(void) {
struct ifreq ifr; struct ifreq ifr;
bool t1q = false;
if(!get_config_string(lookup_config(config_tree, "Device"), &device)) if(!get_config_string(lookup_config(config_tree, "Device"), &device))
device = xstrdup(DEFAULT_DEVICE); device = xstrdup(DEFAULT_DEVICE);
@ -61,7 +62,7 @@ bool setup_device(void) {
if (netname != NULL) if (netname != NULL)
iface = xstrdup(netname); iface = xstrdup(netname);
#else #else
iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
#endif #endif
device_fd = open(device, O_RDWR | O_NONBLOCK); device_fd = open(device, O_RDWR | O_NONBLOCK);
@ -84,6 +85,12 @@ bool setup_device(void) {
device_info = "Linux tun/tap device (tap mode)"; device_info = "Linux tun/tap device (tap mode)";
} }
#ifdef IFF_ONE_QUEUE
/* Set IFF_ONE_QUEUE flag... */
if(get_config_bool(lookup_config(config_tree, "IffOneQueue"), &t1q) && t1q)
ifr.ifr_flags |= IFF_ONE_QUEUE;
#endif
if(iface) if(iface)
strncpy(ifr.ifr_name, iface, IFNAMSIZ); strncpy(ifr.ifr_name, iface, IFNAMSIZ);
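Review bot: the new `IffOneQueue` variable is not documented in this diff (no change to the manual page or texinfo source is visible), and because the whole block is under `#ifdef IFF_ONE_QUEUE` the option is silently ignored on platforms and kernel headers that do not define the flag; add a documentation entry stating that it is Linux-only and a no-op elsewhere, and consider a LOG_WARNING when the option is set but the flag is unavailable so an operator is not left guessing why it had no effect.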
@ -105,7 +112,7 @@ bool setup_device(void) {
device_type = DEVICE_TYPE_ETHERTAP; device_type = DEVICE_TYPE_ETHERTAP;
if(iface) if(iface)
free(iface); free(iface);
iface = xstrdup(rindex(device, '/') ? rindex(device, '/') + 1 : device); iface = xstrdup(strrchr(device, '/') ? strrchr(device, '/') + 1 : device);
} }
logger(LOG_INFO, "%s is a %s", device, device_info); logger(LOG_INFO, "%s is a %s", device, device_info);
@ -205,6 +212,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }

View file

@ -85,7 +85,7 @@ void logger(int priority, const char *format, ...) {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
{ {
char message[4096]; char message[4096];
char *messages[] = {message}; const char *messages[] = {message};
vsnprintf(message, sizeof(message), format, ap); vsnprintf(message, sizeof(message), format, ap);
ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL); ReportEvent(loghandle, priority, 0, 0, NULL, 1, 0, messages, NULL);
} }

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction with Windows tap driver in a MinGW environment device.c -- Interaction with Windows tap driver in a MinGW environment
Copyright (C) 2002-2005 Ivo Timmermans, Copyright (C) 2002-2005 Ivo Timmermans,
2002-2009 Guus Sliepen <guus@tinc-vpn.org> 2002-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -38,8 +38,8 @@ char *device = NULL;
char *iface = NULL; char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
extern char *myport; extern char *myport;
@ -95,17 +95,9 @@ bool setup_device(void) {
bool found = false; bool found = false;
int sock, err; int err;
HANDLE thread; HANDLE thread;
struct addrinfo *ai;
struct addrinfo hint = {
.ai_family = AF_UNSPEC,
.ai_socktype = SOCK_STREAM,
.ai_protocol = IPPROTO_TCP,
.ai_flags = 0,
};
get_config_string(lookup_config(config_tree, "Device"), &device); get_config_string(lookup_config(config_tree, "Device"), &device);
get_config_string(lookup_config(config_tree, "Interface"), &iface); get_config_string(lookup_config(config_tree, "Interface"), &iface);
@ -247,6 +239,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }

View file

@ -1,7 +1,7 @@
/* /*
net.c -- most of the network code net.c -- most of the network code
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2010 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -44,6 +44,8 @@ bool do_purge = false;
volatile bool running = false; volatile bool running = false;
time_t now = 0; time_t now = 0;
int contradicting_add_edge = 0;
int contradicting_del_edge = 0;
/* Purge edges and subnets of unreachable nodes. Use carefully. */ /* Purge edges and subnets of unreachable nodes. Use carefully. */
@ -278,12 +280,21 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) {
int result, i; int result, i;
socklen_t len = sizeof(result); socklen_t len = sizeof(result);
vpn_packet_t packet; vpn_packet_t packet;
static int errors = 0;
/* check input from kernel */ /* check input from kernel */
if(device_fd >= 0 && FD_ISSET(device_fd, readset)) { if(device_fd >= 0 && FD_ISSET(device_fd, readset)) {
if(read_packet(&packet)) { if(read_packet(&packet)) {
errors = 0;
packet.priority = 0; packet.priority = 0;
route(myself, &packet); route(myself, &packet);
} else {
usleep(errors * 50000);
errors++;
if(errors > 10) {
logger(LOG_ERR, "Too many errors from %s, exiting!", device);
running = false;
}
} }
} }
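Review bot: `usleep(errors * 50000)` runs inside check_network_activity(), that is inside the select() loop, so each consecutive device read failure stalls every meta connection and all UDP traffic for up to 500 ms before `running = false` is finally set after the eleventh failure. Prefer a back-off that does not block (for example, leave device_fd out of the readset until a timer re-arms it), and log the underlying read error before the final "Too many errors" line so the cause survives in the log; the last two lines of the else branch also mix tabs and spaces with the surrounding code.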
@ -297,7 +308,7 @@ static void check_network_activity(fd_set * readset, fd_set * writeset) {
if(FD_ISSET(c->socket, readset)) { if(FD_ISSET(c->socket, readset)) {
if(c->status.connecting) { if(c->status.connecting) {
c->status.connecting = false; c->status.connecting = false;
getsockopt(c->socket, SOL_SOCKET, SO_ERROR, &result, &len); getsockopt(c->socket, SOL_SOCKET, SO_ERROR, (void *)&result, &len);
if(!result) if(!result)
finish_connecting(c); finish_connecting(c);
@ -415,6 +426,19 @@ int main_loop(void) {
send_key_changed(broadcast, myself); send_key_changed(broadcast, myself);
keyexpires = now + keylifetime; keyexpires = now + keylifetime;
} }
if(contradicting_del_edge > 10 && contradicting_add_edge > 10) {
logger(LOG_WARNING, "Possible node with same Name as us!");
if(rand() % 3 == 0) {
logger(LOG_ERR, "Shutting down, check configuration of all nodes for duplicate Names!");
running = false;
break;
}
contradicting_add_edge = 0;
contradicting_del_edge = 0;
}
} }
if(sigalrm) { if(sigalrm) {
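Review bot: `rand() % 3 == 0` only gives the two nodes that share a Name an independent coin toss if rand() has been seeded differently on each; no srand() call is visible in this diff, so confirm one exists on the startup path, otherwise both daemons walk the same sequence. The 1/3 probability also means both may shut down, or both survive and reach the threshold again after the counters are reset. Including the two counter values in the LOG_WARNING line would let an operator correlate the two hosts, and the behaviour (a randomised shutdown on suspected duplicate Names) deserves a line in the documentation.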

View file

@ -106,15 +106,20 @@ extern list_t *outgoing_list;
extern int maxoutbufsize; extern int maxoutbufsize;
extern int seconds_till_retry; extern int seconds_till_retry;
extern int addressfamily; extern int addressfamily;
extern unsigned replaywin;
extern listen_socket_t listen_socket[MAXSOCKETS]; extern listen_socket_t listen_socket[MAXSOCKETS];
extern int listen_sockets; extern int listen_sockets;
extern int keyexpires; extern int keyexpires;
extern int keylifetime; extern int keylifetime;
extern int udp_rcvbuf;
extern int udp_sndbuf;
extern bool do_prune; extern bool do_prune;
extern bool do_purge; extern bool do_purge;
extern char *myport; extern char *myport;
extern time_t now; extern time_t now;
extern int contradicting_add_edge;
extern int contradicting_del_edge;
/* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */ /* Yes, very strange placement indeed, but otherwise the typedefs get all tangled up */
#include "connection.h" #include "connection.h"

View file

@ -1,7 +1,9 @@
/* /*
net_packet.c -- Handles in- and outgoing VPN packets net_packet.c -- Handles in- and outgoing VPN packets
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2010 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2010 Timothy Redaelli <timothy@redaelli.eu>
2010 Brandon Black <blblack@gmail.com>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -59,6 +61,8 @@ static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999
static void send_udppacket(node_t *, vpn_packet_t *); static void send_udppacket(node_t *, vpn_packet_t *);
unsigned replaywin = 16;
#define MAX_SEQNO 1073741824 #define MAX_SEQNO 1073741824
// mtuprobes == 1..30: initial discovery, send bursts with 1 second interval // mtuprobes == 1..30: initial discovery, send bursts with 1 second interval
@ -81,16 +85,21 @@ void send_mtu_probe(node_t *n) {
} }
if(n->mtuprobes > 32) { if(n->mtuprobes > 32) {
if(!n->minmtu) {
n->mtuprobes = 31;
timeout = pinginterval;
goto end;
}
ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname); ifdebug(TRAFFIC) logger(LOG_INFO, "%s (%s) did not respond to UDP ping, restarting PMTU discovery", n->name, n->hostname);
n->mtuprobes = 1; n->mtuprobes = 1;
n->minmtu = 0; n->minmtu = 0;
n->maxmtu = MTU; n->maxmtu = MTU;
} }
if(n->mtuprobes >= 10 && !n->minmtu) { if(n->mtuprobes >= 10 && n->mtuprobes < 32 && !n->minmtu) {
ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname); ifdebug(TRAFFIC) logger(LOG_INFO, "No response to MTU probes from %s (%s)", n->name, n->hostname);
n->mtuprobes = 0; n->mtuprobes = 31;
return;
} }
if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) { if(n->mtuprobes == 30 || (n->mtuprobes < 30 && n->minmtu >= n->maxmtu)) {
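Review bot: mtuprobes now carries sentinel meanings beyond the 1..30 probe count (31 is assigned when discovery gave up and pings fall back to `pinginterval`, and the `> 32` test is handled separately), but the comment block starting `// mtuprobes == 1..30: initial discovery` above send_mtu_probe() is not extended here; document 31 and 32 there, since mtu_probe_h() in the next hunk also keys off the `> 30` boundary. The `goto end` target is outside this hunk; make sure `end:` reschedules with the new `timeout = pinginterval` rather than the default probe interval, or the fallback has no effect.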
@ -144,12 +153,17 @@ void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
packet->data[0] = 1; packet->data[0] = 1;
send_udppacket(n, packet); send_udppacket(n, packet);
} else { } else {
if(n->mtuprobes > 30) {
if(n->minmtu)
n->mtuprobes = 30;
else
n->mtuprobes = 1;
}
if(len > n->maxmtu) if(len > n->maxmtu)
len = n->maxmtu; len = n->maxmtu;
if(n->minmtu < len) if(n->minmtu < len)
n->minmtu = len; n->minmtu = len;
if(n->mtuprobes > 30)
n->mtuprobes = 30;
} }
} }
@ -292,25 +306,32 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
inpkt->len -= sizeof(inpkt->seqno); inpkt->len -= sizeof(inpkt->seqno);
inpkt->seqno = ntohl(inpkt->seqno); inpkt->seqno = ntohl(inpkt->seqno);
if(inpkt->seqno != n->received_seqno + 1) { if(replaywin) {
if(inpkt->seqno >= n->received_seqno + sizeof(n->late) * 8) { if(inpkt->seqno != n->received_seqno + 1) {
logger(LOG_WARNING, "Lost %d packets from %s (%s)", if(inpkt->seqno >= n->received_seqno + replaywin * 8) {
inpkt->seqno - n->received_seqno - 1, n->name, n->hostname); if(n->farfuture++ < replaywin >> 2) {
logger(LOG_WARNING, "Packet from %s (%s) is %d seqs in the future, dropped (%u)",
memset(n->late, 0, sizeof(n->late)); n->name, n->hostname, inpkt->seqno - n->received_seqno - 1, n->farfuture);
} else if (inpkt->seqno <= n->received_seqno) { return;
if((n->received_seqno >= sizeof(n->late) * 8 && inpkt->seqno <= n->received_seqno - sizeof(n->late) * 8) || !(n->late[(inpkt->seqno / 8) % sizeof(n->late)] & (1 << inpkt->seqno % 8))) { }
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d", logger(LOG_WARNING, "Lost %d packets from %s (%s)",
n->name, n->hostname, inpkt->seqno, n->received_seqno); inpkt->seqno - n->received_seqno - 1, n->name, n->hostname);
return; memset(n->late, 0, replaywin);
} else if (inpkt->seqno <= n->received_seqno) {
if((n->received_seqno >= replaywin * 8 && inpkt->seqno <= n->received_seqno - replaywin * 8) || !(n->late[(inpkt->seqno / 8) % replaywin] & (1 << inpkt->seqno % 8))) {
logger(LOG_WARNING, "Got late or replayed packet from %s (%s), seqno %d, last received %d",
n->name, n->hostname, inpkt->seqno, n->received_seqno);
return;
}
} else {
for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
n->late[(i / 8) % replaywin] |= 1 << i % 8;
} }
} else {
for(i = n->received_seqno + 1; i < inpkt->seqno; i++)
n->late[(i / 8) % sizeof(n->late)] |= 1 << i % 8;
} }
}
n->late[(inpkt->seqno / 8) % sizeof(n->late)] &= ~(1 << inpkt->seqno % 8); n->farfuture = 0;
n->late[(inpkt->seqno / 8) % replaywin] &= ~(1 << inpkt->seqno % 8);
}
if(inpkt->seqno > n->received_seqno) if(inpkt->seqno > n->received_seqno)
n->received_seqno = inpkt->seqno; n->received_seqno = inpkt->seqno;
@ -365,7 +386,9 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
vpn_packet_t *outpkt; vpn_packet_t *outpkt;
int origlen; int origlen;
int outlen, outpad; int outlen, outpad;
#if defined(SOL_IP) && defined(IP_TOS)
static int priority = 0; static int priority = 0;
#endif
int origpriority; int origpriority;
int sock; int sock;
@ -552,20 +575,21 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
avl_node_t *node; avl_node_t *node;
edge_t *e; edge_t *e;
node_t *n = NULL; node_t *n = NULL;
bool hard = false;
static time_t last_hard_try = 0; static time_t last_hard_try = 0;
for(node = edge_weight_tree->head; node; node = node->next) { for(node = edge_weight_tree->head; node; node = node->next) {
e = node->data; e = node->data;
if(e->to == myself)
continue;
if(sockaddrcmp_noport(from, &e->address)) { if(sockaddrcmp_noport(from, &e->address)) {
if(last_hard_try == now) if(last_hard_try == now)
continue; continue;
last_hard_try = now; hard = true;
} }
if(!n)
n = e->to;
if(!try_mac(e->to, pkt)) if(!try_mac(e->to, pkt))
continue; continue;
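Review bot: `if(!n) n = e->to;` is placed before `if(!try_mac(e->to, pkt)) continue;`, so try_harder() now returns the first candidate that is not myself even when no try_mac() succeeds. If the caller treats a non-NULL result as an authenticated match (for instance by updating that node's UDP address to `from`), an unauthenticated datagram from an unknown address can now redirect a node's UDP endpoint. Move the assignment after the successful MAC check (next to the `break`), so that a NULL return again means "no node verified this packet".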
@ -573,6 +597,9 @@ static node_t *try_harder(const sockaddr_t *from, const vpn_packet_t *pkt) {
break; break;
} }
if(hard)
last_hard_try = now;
return n; return n;
} }

View file

@ -3,6 +3,7 @@
Copyright (C) 1998-2005 Ivo Timmermans, Copyright (C) 1998-2005 Ivo Timmermans,
2000-2010 Guus Sliepen <guus@tinc-vpn.org> 2000-2010 Guus Sliepen <guus@tinc-vpn.org>
2006 Scott Lamb <slamb@slamb.org> 2006 Scott Lamb <slamb@slamb.org>
2010 Brandon Black <blblack@gmail.com>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -149,7 +150,7 @@ bool read_rsa_private_key(void) {
struct stat s; struct stat s;
if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) { if(get_config_string(lookup_config(config_tree, "PrivateKey"), &key)) {
if(!get_config_string(lookup_config(myself->connection->config_tree, "PublicKey"), &pubkey)) { if(!get_config_string(lookup_config(config_tree, "PublicKey"), &pubkey)) {
logger(LOG_ERR, "PrivateKey used but no PublicKey found!"); logger(LOG_ERR, "PrivateKey used but no PublicKey found!");
return false; return false;
} }
@ -270,15 +271,16 @@ bool setup_myself(void) {
config_t *cfg; config_t *cfg;
subnet_t *subnet; subnet_t *subnet;
char *name, *hostname, *mode, *afname, *cipher, *digest; char *name, *hostname, *mode, *afname, *cipher, *digest;
char *fname = NULL;
char *address = NULL; char *address = NULL;
char *envp[5]; char *envp[5];
struct addrinfo *ai, *aip, hint = {0}; struct addrinfo *ai, *aip, hint = {0};
bool choice; bool choice;
int i, err; int i, err;
int replaywin_int;
myself = new_node(); myself = new_node();
myself->connection = new_connection(); myself->connection = new_connection();
init_configuration(&myself->connection->config_tree);
myself->hostname = xstrdup("MYSELF"); myself->hostname = xstrdup("MYSELF");
myself->connection->hostname = xstrdup("MYSELF"); myself->connection->hostname = xstrdup("MYSELF");
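Review bot: `init_configuration(&myself->connection->config_tree)` is removed, so myself->connection->config_tree stays whatever new_connection() leaves it as, presumably NULL. Every remaining `lookup_config(myself->connection->config_tree, ...)` in files not touched by this diff must have been converted to `config_tree`, and any code that walks all connections' config trees or calls exit_configuration() on them must tolerate the NULL for myself; a grep for `connection->config_tree` before merging would confirm this.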
@ -299,17 +301,15 @@ bool setup_myself(void) {
myself->name = name; myself->name = name;
myself->connection->name = xstrdup(name); myself->connection->name = xstrdup(name);
xasprintf(&fname, "%s/hosts/%s", confbase, name);
if(!read_connection_config(myself->connection)) { read_config_options(config_tree, name);
logger(LOG_ERR, "Cannot open host configuration file for myself!"); read_config_file(config_tree, fname);
return false; free(fname);
}
if(!read_rsa_private_key()) if(!read_rsa_private_key())
return false; return false;
if(!get_config_string(lookup_config(config_tree, "Port"), &myport) if(!get_config_string(lookup_config(config_tree, "Port"), &myport))
&& !get_config_string(lookup_config(myself->connection->config_tree, "Port"), &myport))
myport = xstrdup("655"); myport = xstrdup("655");
if(!atoi(myport)) { if(!atoi(myport)) {
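Review bot: `read_config_file(config_tree, fname);` drops its return value, so a missing or unreadable hosts/<Name> file no longer aborts startup with "Cannot open host configuration file for myself!"; the failure now shows up later (or not at all). Keep the check and the error message. Second, reading the host file into the same config_tree as tinc.conf changes precedence: config_compare() orders duplicates by line number and then by file name, so a `Port` on line 3 of hosts/<Name> now beats a `Port` on line 5 of tinc.conf, whereas the removed two-step lookup always preferred tinc.conf. Either document the new rule or make the file order explicit in the comparator.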
@ -324,7 +324,7 @@ bool setup_myself(void) {
/* Read in all the subnets specified in the host configuration file */ /* Read in all the subnets specified in the host configuration file */
cfg = lookup_config(myself->connection->config_tree, "Subnet"); cfg = lookup_config(config_tree, "Subnet");
while(cfg) { while(cfg) {
if(!get_config_subnet(cfg, &subnet)) if(!get_config_subnet(cfg, &subnet))
@ -332,7 +332,7 @@ bool setup_myself(void) {
subnet_add(myself, subnet); subnet_add(myself, subnet);
cfg = lookup_config_next(myself->connection->config_tree, cfg); cfg = lookup_config_next(config_tree, cfg);
} }
/* Check some options */ /* Check some options */
@ -343,12 +343,6 @@ bool setup_myself(void) {
if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice) if(get_config_bool(lookup_config(config_tree, "TCPOnly"), &choice) && choice)
myself->options |= OPTION_TCPONLY; myself->options |= OPTION_TCPONLY;
if(get_config_bool(lookup_config(myself->connection->config_tree, "IndirectData"), &choice) && choice)
myself->options |= OPTION_INDIRECT;
if(get_config_bool(lookup_config(myself->connection->config_tree, "TCPOnly"), &choice) && choice)
myself->options |= OPTION_TCPONLY;
if(myself->options & OPTION_TCPONLY) if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT; myself->options |= OPTION_INDIRECT;
@ -386,14 +380,12 @@ bool setup_myself(void) {
} }
choice = true; choice = true;
get_config_bool(lookup_config(myself->connection->config_tree, "PMTUDiscovery"), &choice);
get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice); get_config_bool(lookup_config(config_tree, "PMTUDiscovery"), &choice);
if(choice) if(choice)
myself->options |= OPTION_PMTU_DISCOVERY; myself->options |= OPTION_PMTU_DISCOVERY;
choice = true; choice = true;
get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice); get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
get_config_bool(lookup_config(myself->connection->config_tree, "ClampMSS"), &choice);
if(choice) if(choice)
myself->options |= OPTION_CLAMP_MSS; myself->options |= OPTION_CLAMP_MSS;
@ -415,6 +407,28 @@ bool setup_myself(void) {
} else } else
maxtimeout = 900; maxtimeout = 900;
if(get_config_int(lookup_config(config_tree, "UDPRcvBuf"), &udp_rcvbuf)) {
if(udp_rcvbuf <= 0) {
logger(LOG_ERR, "UDPRcvBuf cannot be negative!");
return false;
}
}
if(get_config_int(lookup_config(config_tree, "UDPSndBuf"), &udp_sndbuf)) {
if(udp_sndbuf <= 0) {
logger(LOG_ERR, "UDPSndBuf cannot be negative!");
return false;
}
}
if(get_config_int(lookup_config(config_tree, "ReplayWindow"), &replaywin_int)) {
if(replaywin_int < 0) {
logger(LOG_ERR, "ReplayWindow cannot be negative!");
return false;
}
replaywin = (unsigned)replaywin_int;
}
if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) { if(get_config_string(lookup_config(config_tree, "AddressFamily"), &afname)) {
if(!strcasecmp(afname, "IPv4")) if(!strcasecmp(afname, "IPv4"))
addressfamily = AF_INET; addressfamily = AF_INET;
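Review bot: the messages "UDPRcvBuf cannot be negative!" and "UDPSndBuf cannot be negative!" do not match the `<= 0` tests, which also reject 0; either test `< 0` and let 0 mean "leave the kernel default" (which is what the `int udp_rcvbuf = 0;` initialisers in net_socket.c suggest), or change the wording to "must be positive". ReplayWindow gets only a lower bound here: since replaywin is used in net_packet.c as a byte count for n->late and in `replaywin * 8` arithmetic on unsigned sequence numbers, add an upper bound, and emit a LOG_WARNING when it is 0 because that turns replay detection off.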
@ -434,7 +448,7 @@ bool setup_myself(void) {
/* Generate packet encryption key */ /* Generate packet encryption key */
if(get_config_string if(get_config_string
(lookup_config(myself->connection->config_tree, "Cipher"), &cipher)) { (lookup_config(config_tree, "Cipher"), &cipher)) {
if(!strcasecmp(cipher, "none")) { if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL; myself->incipher = NULL;
} else { } else {
@ -462,7 +476,7 @@ bool setup_myself(void) {
/* Check if we want to use message authentication codes... */ /* Check if we want to use message authentication codes... */
if(get_config_string(lookup_config(myself->connection->config_tree, "Digest"), &digest)) { if(get_config_string(lookup_config(config_tree, "Digest"), &digest)) {
if(!strcasecmp(digest, "none")) { if(!strcasecmp(digest, "none")) {
myself->indigest = NULL; myself->indigest = NULL;
} else { } else {
@ -478,7 +492,7 @@ bool setup_myself(void) {
myself->connection->outdigest = EVP_sha1(); myself->connection->outdigest = EVP_sha1();
if(get_config_int(lookup_config(myself->connection->config_tree, "MACLength"), &myself->inmaclength)) { if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
if(myself->indigest) { if(myself->indigest) {
if(myself->inmaclength > myself->indigest->md_size) { if(myself->inmaclength > myself->indigest->md_size) {
logger(LOG_ERR, "MAC length exceeds size of digest!"); logger(LOG_ERR, "MAC length exceeds size of digest!");
@ -495,7 +509,7 @@ bool setup_myself(void) {
/* Compression */ /* Compression */
if(get_config_int(lookup_config(myself->connection->config_tree, "Compression"), &myself->incompression)) { if(get_config_int(lookup_config(config_tree, "Compression"), &myself->incompression)) {
if(myself->incompression < 0 || myself->incompression > 11) { if(myself->incompression < 0 || myself->incompression > 11) {
logger(LOG_ERR, "Bogus compression level!"); logger(LOG_ERR, "Bogus compression level!");
return false; return false;

View file

@ -44,6 +44,8 @@
int addressfamily = AF_UNSPEC; int addressfamily = AF_UNSPEC;
int maxtimeout = 900; int maxtimeout = 900;
int seconds_till_retry = 5; int seconds_till_retry = 5;
int udp_rcvbuf = 0;
int udp_sndbuf = 0;
listen_socket_t listen_socket[MAXSOCKETS]; listen_socket_t listen_socket[MAXSOCKETS];
int listen_sockets; int listen_sockets;
@ -70,12 +72,12 @@ static void configure_tcp(connection_t *c) {
#if defined(SOL_TCP) && defined(TCP_NODELAY) #if defined(SOL_TCP) && defined(TCP_NODELAY)
option = 1; option = 1;
setsockopt(c->socket, SOL_TCP, TCP_NODELAY, &option, sizeof(option)); setsockopt(c->socket, SOL_TCP, TCP_NODELAY, (void *)&option, sizeof(option));
#endif #endif
#if defined(SOL_IP) && defined(IP_TOS) && defined(IPTOS_LOWDELAY) #if defined(SOL_IP) && defined(IP_TOS) && defined(IPTOS_LOWDELAY)
option = IPTOS_LOWDELAY; option = IPTOS_LOWDELAY;
setsockopt(c->socket, SOL_IP, IP_TOS, &option, sizeof(option)); setsockopt(c->socket, SOL_IP, IP_TOS, (void *)&option, sizeof(option));
#endif #endif
} }
@ -95,7 +97,7 @@ static bool bind_to_interface(int sd) {
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0; ifr.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = 0;
status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)); status = setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr));
if(status) { if(status) {
logger(LOG_ERR, "Can't bind to interface %s: %s", iface, logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(errno)); strerror(errno));
@ -181,11 +183,11 @@ int setup_listen_socket(const sockaddr_t *sa) {
/* Optimize TCP settings */ /* Optimize TCP settings */
option = 1; option = 1;
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option)); setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof(option));
#if defined(SOL_IPV6) && defined(IPV6_V6ONLY) #if defined(SOL_IPV6) && defined(IPV6_V6ONLY)
if(sa->sa.sa_family == AF_INET6) if(sa->sa.sa_family == AF_INET6)
setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, &option, sizeof option); setsockopt(nfd, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif #endif
if(get_config_string if(get_config_string
@ -196,7 +198,7 @@ int setup_listen_socket(const sockaddr_t *sa) {
memset(&ifr, 0, sizeof(ifr)); memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ); strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ);
if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr))) { if(setsockopt(nfd, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr))) {
closesocket(nfd); closesocket(nfd);
logger(LOG_ERR, "Can't bind to interface %s: %s", iface, logger(LOG_ERR, "Can't bind to interface %s: %s", iface,
strerror(sockerrno)); strerror(sockerrno));
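Review bot: this `strncpy(ifr.ifr_ifrn.ifrn_name, iface, IFNAMSIZ)` has no `ifrn_name[IFNAMSIZ - 1] = 0` after it, unlike the same code in `bind_to_interface()` above; the preceding `memset` only guarantees termination when `iface` is shorter than IFNAMSIZ. Add the terminator, or consider calling `bind_to_interface(nfd)` here instead of duplicating the logic.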
@ -259,11 +261,17 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
#endif #endif
option = 1; option = 1;
setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &option, sizeof(option)); setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, (void *)&option, sizeof(option));
if(udp_rcvbuf && setsockopt(nfd, SOL_SOCKET, SO_RCVBUF, (void *)&udp_rcvbuf, sizeof(udp_rcvbuf)))
logger(LOG_WARNING, "Can't set UDP SO_RCVBUF to %i: %s", udp_rcvbuf, strerror(errno));
if(udp_sndbuf && setsockopt(nfd, SOL_SOCKET, SO_SNDBUF, (void *)&udp_sndbuf, sizeof(udp_sndbuf)))
logger(LOG_WARNING, "Can't set UDP SO_SNDBUF to %i: %s", udp_sndbuf, strerror(errno));
#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
if(sa->sa.sa_family == AF_INET6) if(sa->sa.sa_family == AF_INET6)
setsockopt(nfd, IPPROTO_IPV6, IPV6_V6ONLY, &option, sizeof option); setsockopt(nfd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif #endif
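Review bot: the new SO_RCVBUF/SO_SNDBUF warnings use `strerror(errno)` whereas the SO_BINDTODEVICE failure in this same file reports `strerror(sockerrno)`; on Windows `errno` is not set by a failed `setsockopt()`, so use `sockerrno` here too. Also note that Linux silently clamps these values to `net.core.rmem_max`/`wmem_max` while still returning 0, so an over-large buffer setting will not trigger this warning; reading the value back with `getsockopt()` at debug level would make that visible to the administrator.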
#if defined(IP_DONTFRAG) && !defined(IP_DONTFRAGMENT) #if defined(IP_DONTFRAG) && !defined(IP_DONTFRAGMENT)
@ -273,12 +281,12 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
#if defined(SOL_IP) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO) #if defined(SOL_IP) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
if(myself->options & OPTION_PMTU_DISCOVERY) { if(myself->options & OPTION_PMTU_DISCOVERY) {
option = IP_PMTUDISC_DO; option = IP_PMTUDISC_DO;
setsockopt(nfd, SOL_IP, IP_MTU_DISCOVER, &option, sizeof(option)); setsockopt(nfd, SOL_IP, IP_MTU_DISCOVER, (void *)&option, sizeof(option));
} }
#elif defined(IPPROTO_IP) && defined(IP_DONTFRAGMENT) #elif defined(IPPROTO_IP) && defined(IP_DONTFRAGMENT)
if(myself->options & OPTION_PMTU_DISCOVERY) { if(myself->options & OPTION_PMTU_DISCOVERY) {
option = 1; option = 1;
setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, &option, sizeof(option)); setsockopt(nfd, IPPROTO_IP, IP_DONTFRAGMENT, (void *)&option, sizeof(option));
} }
#else #else
#warning No way to disable IPv4 fragmentation #warning No way to disable IPv4 fragmentation
@ -287,12 +295,12 @@ int setup_vpn_in_socket(const sockaddr_t *sa) {
#if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO) #if defined(SOL_IPV6) && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
if(myself->options & OPTION_PMTU_DISCOVERY) { if(myself->options & OPTION_PMTU_DISCOVERY) {
option = IPV6_PMTUDISC_DO; option = IPV6_PMTUDISC_DO;
setsockopt(nfd, SOL_IPV6, IPV6_MTU_DISCOVER, &option, sizeof(option)); setsockopt(nfd, SOL_IPV6, IPV6_MTU_DISCOVER, (void *)&option, sizeof(option));
} }
#elif defined(IPPROTO_IPV6) && defined(IPV6_DONTFRAG) #elif defined(IPPROTO_IPV6) && defined(IPV6_DONTFRAG)
if(myself->options & OPTION_PMTU_DISCOVERY) { if(myself->options & OPTION_PMTU_DISCOVERY) {
option = 1; option = 1;
setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, &option, sizeof(option)); setsockopt(nfd, IPPROTO_IPV6, IPV6_DONTFRAG, (void *)&option, sizeof(option));
} }
#else #else
#warning No way to disable IPv6 fragmentation #warning No way to disable IPv6 fragmentation
@ -410,7 +418,7 @@ begin:
#if defined(SOL_IPV6) && defined(IPV6_V6ONLY) #if defined(SOL_IPV6) && defined(IPV6_V6ONLY)
int option = 1; int option = 1;
if(c->address.sa.sa_family == AF_INET6) if(c->address.sa.sa_family == AF_INET6)
setsockopt(c->socket, SOL_IPV6, IPV6_V6ONLY, &option, sizeof option); setsockopt(c->socket, SOL_IPV6, IPV6_V6ONLY, (void *)&option, sizeof option);
#endif #endif
bind_to_interface(c->socket); bind_to_interface(c->socket);

View file

@ -1,7 +1,7 @@
/* /*
netutl.c -- some supporting network utility code netutl.c -- some supporting network utility code
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -93,8 +93,7 @@ void sockaddr2str(const sockaddr_t *sa, char **addrstr, char **portstr) {
if(err) { if(err) {
logger(LOG_ERR, "Error while translating addresses: %s", logger(LOG_ERR, "Error while translating addresses: %s",
gai_strerror(err)); gai_strerror(err));
raise(SIGFPE); abort();
exit(0);
} }
scopeid = strchr(address, '%'); scopeid = strchr(address, '%');
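Review bot: replacing `raise(SIGFPE); exit(0);` with `abort()` is the right call (the `exit(0)` fallback reported success on an error path), but it makes `sockaddr2str()` fatal for the daemon on any `getnameinfo()` failure, so callers must never pass an unset address; the `sa_family != AF_UNSPEC` guard added to `ans_key_h()` in this commit is exactly that kind of check. This pairs with the `{SIGABRT, SIG_DFL}` entry added to the signal table in process.c so that the abort produces a core dump.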
@ -155,8 +154,7 @@ int sockaddrcmp_noport(const sockaddr_t *a, const sockaddr_t *b) {
default: default:
logger(LOG_ERR, "sockaddrcmp() was called with unknown address family %d, exitting!", logger(LOG_ERR, "sockaddrcmp() was called with unknown address family %d, exitting!",
a->sa.sa_family); a->sa.sa_family);
raise(SIGFPE); abort();
exit(0);
} }
} }
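Review bot: the log message still says "exitting!" (typo for "exiting") and now describes the wrong action, since the code aborts; rephrase it to "aborting!" while touching this line. The same string appears in the next hunk for `sockaddrcmp()`.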
@ -199,8 +197,7 @@ int sockaddrcmp(const sockaddr_t *a, const sockaddr_t *b) {
default: default:
logger(LOG_ERR, "sockaddrcmp() was called with unknown address family %d, exitting!", logger(LOG_ERR, "sockaddrcmp() was called with unknown address family %d, exitting!",
a->sa.sa_family); a->sa.sa_family);
raise(SIGFPE); abort();
exit(0);
} }
} }

View file

@ -1,6 +1,6 @@
/* /*
node.c -- node tree management node.c -- node tree management
Copyright (C) 2001-2009 Guus Sliepen <guus@tinc-vpn.org>, Copyright (C) 2001-2011 Guus Sliepen <guus@tinc-vpn.org>,
2001-2005 Ivo Timmermans 2001-2005 Ivo Timmermans
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
@ -54,6 +54,7 @@ void exit_nodes(void) {
node_t *new_node(void) { node_t *new_node(void) {
node_t *n = xmalloc_and_zero(sizeof(*n)); node_t *n = xmalloc_and_zero(sizeof(*n));
if(replaywin) n->late = xmalloc_and_zero(replaywin);
n->subnet_tree = new_subnet_tree(); n->subnet_tree = new_subnet_tree();
n->edge_tree = new_edge_tree(); n->edge_tree = new_edge_tree();
EVP_CIPHER_CTX_init(&n->inctx); EVP_CIPHER_CTX_init(&n->inctx);
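Review bot: with `ReplayWindow = 0`, `n->late` stays NULL (from `xmalloc_and_zero`), so every reader of `n->late` must be guarded by `if(replaywin)` exactly as `send_ans_key()` is in this commit; the code that consults the bitfield on packet receipt is not in this diff, so please confirm it carries the same guard. A one-line comment here stating that NULL means "replay protection disabled" would prevent a later NULL dereference.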
@ -91,6 +92,9 @@ void free_node(node_t *n) {
if(n->name) if(n->name)
free(n->name); free(n->name);
if(n->late)
free(n->late);
free(n); free(n);
} }
@ -137,6 +141,11 @@ node_t *lookup_node_udp(const sockaddr_t *sa) {
} }
void update_node_udp(node_t *n, const sockaddr_t *sa) { void update_node_udp(node_t *n, const sockaddr_t *sa) {
if(n == myself) {
logger(LOG_WARNING, "Trying to update UDP address of myself!\n");
return;
}
avl_delete(node_udp_tree, n); avl_delete(node_udp_tree, n);
if(n->hostname) if(n->hostname)
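Review bot: the new warning string ends in "\n" while every other `logger()` call in this diff omits the trailing newline (the logger supplies its own line ending); drop it so log output stays consistent. The early return itself is a sensible defensive check, since this function is reachable with addresses supplied by peers.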

View file

@ -77,7 +77,8 @@ typedef struct node_t {
uint32_t sent_seqno; /* Sequence number last sent to this node */ uint32_t sent_seqno; /* Sequence number last sent to this node */
uint32_t received_seqno; /* Sequence number last received from this node */ uint32_t received_seqno; /* Sequence number last received from this node */
unsigned char late[16]; /* Bitfield marking late packets */ uint32_t farfuture; /* Packets in a row that have arrived from the far future */
unsigned char* late; /* Bitfield marking late packets */
length_t mtu; /* Maximum size of packets to send to this node */ length_t mtu; /* Maximum size of packets to send to this node */
length_t minmtu; /* Probed minimum MTU */ length_t minmtu; /* Probed minimum MTU */
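Review bot: `unsigned char* late;` uses the `type* name` pointer style while the rest of this diff writes `char *scriptname`, `char *address, *port`; match the file's `unsigned char *late` convention. Since the fixed `late[16]` is now a heap buffer of `replaywin` bytes, a comment noting that it is NULL when ReplayWindow is 0 belongs on this field, and the new `farfuture` counter has no consumer visible in this diff, so the commit message should say where it is read.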

View file

@ -1,7 +1,7 @@
/* /*
process.c -- process management functions process.c -- process management functions
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2009 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -43,7 +43,9 @@ extern char **g_argv;
extern bool use_logfile; extern bool use_logfile;
extern volatile bool running; extern volatile bool running;
#ifndef HAVE_MINGW
sigset_t emptysigset; sigset_t emptysigset;
#endif
static int saved_debug_level = -1; static int saved_debug_level = -1;
@ -354,7 +356,7 @@ bool detach(void) {
bool execute_script(const char *name, char **envp) { bool execute_script(const char *name, char **envp) {
#ifdef HAVE_SYSTEM #ifdef HAVE_SYSTEM
int status, len; int status, len;
char *scriptname, *p; char *scriptname;
int i; int i;
#ifndef HAVE_MINGW #ifndef HAVE_MINGW
@ -395,7 +397,7 @@ bool execute_script(const char *name, char **envp) {
for(i = 0; envp[i]; i++) { for(i = 0; envp[i]; i++) {
char *e = strchr(envp[i], '='); char *e = strchr(envp[i], '=');
if(e) { if(e) {
p = alloca(e - envp[i] + 1); char p[e - envp[i] + 1];
strncpy(p, envp[i], e - envp[i]); strncpy(p, envp[i], e - envp[i]);
p[e - envp[i]] = '\0'; p[e - envp[i]] = '\0';
putenv(p); putenv(p);
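Review bot: the VLA `p` is released at the closing brace of the `if(e)` block, so if `putenv()` retained the pointer (as glibc does for `NAME=value` strings) the environment would reference dead stack memory; this is only safe because `p` is deliberately cut before the `=` and glibc's `putenv("NAME")` then removes the variable without keeping the pointer. That reliance on a non-standard putenv extension deserves a comment, and `unsetenv(p)` where available would express the intent directly.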
@ -544,6 +546,7 @@ static struct {
{SIGCHLD, ignore_signal_handler}, {SIGCHLD, ignore_signal_handler},
{SIGALRM, sigalrm_handler}, {SIGALRM, sigalrm_handler},
{SIGWINCH, sigwinch_handler}, {SIGWINCH, sigwinch_handler},
{SIGABRT, SIG_DFL},
{0, NULL} {0, NULL}
}; };
#endif #endif

View file

@ -30,4 +30,8 @@ extern bool execute_script(const char *, char **);
extern bool detach(void); extern bool detach(void);
extern bool kill_other(int); extern bool kill_other(int);
#ifdef HAVE_MINGW
extern bool init_service(void);
#endif
#endif /* __TINC_PROCESS_H__ */ #endif /* __TINC_PROCESS_H__ */

View file

@ -109,15 +109,13 @@ bool id_h(connection_t *c) {
} }
bool send_metakey(connection_t *c) { bool send_metakey(connection_t *c) {
char *buffer;
int len;
bool x; bool x;
len = RSA_size(c->rsa_key); int len = RSA_size(c->rsa_key);
/* Allocate buffers for the meta key */ /* Allocate buffers for the meta key */
buffer = alloca(2 * len + 1); char buffer[2 * len + 1];
c->outkey = xrealloc(c->outkey, len); c->outkey = xrealloc(c->outkey, len);
@ -287,16 +285,13 @@ bool metakey_h(connection_t *c) {
} }
bool send_challenge(connection_t *c) { bool send_challenge(connection_t *c) {
char *buffer;
int len;
/* CHECKME: what is most reasonable value for len? */ /* CHECKME: what is most reasonable value for len? */
len = RSA_size(c->rsa_key); int len = RSA_size(c->rsa_key);
/* Allocate buffers for the challenge */ /* Allocate buffers for the challenge */
buffer = alloca(2 * len + 1); char buffer[2 * len + 1];
c->hischallenge = xrealloc(c->hischallenge, len); c->hischallenge = xrealloc(c->hischallenge, len);
@ -539,7 +534,7 @@ bool ack_h(connection_t *c) {
if(get_config_int(lookup_config(c->config_tree, "PMTU"), &mtu) && mtu < n->mtu) if(get_config_int(lookup_config(c->config_tree, "PMTU"), &mtu) && mtu < n->mtu)
n->mtu = mtu; n->mtu = mtu;
if(get_config_int(lookup_config(myself->connection->config_tree, "PMTU"), &mtu) && mtu < n->mtu) if(get_config_int(lookup_config(config_tree, "PMTU"), &mtu) && mtu < n->mtu)
n->mtu = mtu; n->mtu = mtu;
if(get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice)) { if(get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice)) {

View file

@ -133,6 +133,7 @@ bool add_edge_h(connection_t *c) {
} else if(from == myself) { } else if(from == myself) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself which does not exist", ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself which does not exist",
"ADD_EDGE", c->name, c->hostname); "ADD_EDGE", c->name, c->hostname);
contradicting_add_edge++;
e = new_edge(); e = new_edge();
e->from = from; e->from = from;
e->to = to; e->to = to;
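Review bot: `contradicting_add_edge++` (and `contradicting_del_edge++` in the next hunk) reference counters whose declaration and consumer are not in this diff; make sure they are declared `extern` in a header included here rather than relying on an implicit declaration, and describe in the commit message what reacts when they grow so the behaviour can be reviewed together.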
@ -229,6 +230,7 @@ bool del_edge_h(connection_t *c) {
if(e->from == myself) { if(e->from == myself) {
ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself", ifdebug(PROTOCOL) logger(LOG_WARNING, "Got %s from %s (%s) for ourself",
"DEL_EDGE", c->name, c->hostname); "DEL_EDGE", c->name, c->hostname);
contradicting_del_edge++;
send_add_edge(c, e); /* Send back a correction */ send_add_edge(c, e); /* Send back a correction */
return true; return true;
} }

View file

@ -1,7 +1,7 @@
/* /*
protocol_key.c -- handle the meta-protocol, key exchange protocol_key.c -- handle the meta-protocol, key exchange
Copyright (C) 1999-2005 Ivo Timmermans, Copyright (C) 1999-2005 Ivo Timmermans,
2000-2010 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -145,8 +145,6 @@ bool req_key_h(connection_t *c) {
} }
bool send_ans_key(node_t *to) { bool send_ans_key(node_t *to) {
char *key;
// Set key parameters // Set key parameters
to->incipher = myself->incipher; to->incipher = myself->incipher;
to->inkeylength = myself->inkeylength; to->inkeylength = myself->inkeylength;
@ -165,10 +163,10 @@ bool send_ans_key(node_t *to) {
// Reset sequence number and late packet window // Reset sequence number and late packet window
mykeyused = true; mykeyused = true;
to->received_seqno = 0; to->received_seqno = 0;
memset(to->late, 0, sizeof(to->late)); if(replaywin) memset(to->late, 0, replaywin);
// Convert to hexadecimal and send // Convert to hexadecimal and send
key = alloca(2 * to->inkeylength + 1); char key[2 * to->inkeylength + 1];
bin2hex(to->inkey, key, to->inkeylength); bin2hex(to->inkey, key, to->inkeylength);
key[to->inkeylength * 2] = '\0'; key[to->inkeylength * 2] = '\0';
@ -229,7 +227,7 @@ bool ans_key_h(connection_t *c) {
return true; return true;
} }
if(!*address) { if(!*address && from->address.sa.sa_family != AF_UNSPEC) {
char *address, *port; char *address, *port;
ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name); ifdebug(PROTOCOL) logger(LOG_DEBUG, "Appending reflexive UDP address to ANS_KEY from %s to %s", from->name, to->name);
sockaddr2str(&from->address, &address, &port); sockaddr2str(&from->address, &address, &port);
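Review bot: good catch: `sockaddr2str()` is fatal on a failed `getnameinfo()` (see the netutl.c hunk in this commit), so calling it on an unset `from->address` would have killed the daemon; the `sa_family != AF_UNSPEC` test prevents that. A short comment explaining why the check is there would stop someone simplifying it away later.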
@ -312,7 +310,7 @@ bool ans_key_h(connection_t *c) {
update_node_udp(from, &sa); update_node_udp(from, &sa);
} }
if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuprobes) if(from->options & OPTION_PMTU_DISCOVERY && !from->mtuevent)
send_mtu_probe(from); send_mtu_probe(from);
return true; return true;

View file

@ -35,8 +35,8 @@ char *iface = NULL;
static char ifrname[IFNAMSIZ]; static char ifrname[IFNAMSIZ];
static char *device_info; static char *device_info;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
bool setup_device(void) { bool setup_device(void) {
struct ifreq ifr; struct ifreq ifr;
@ -123,6 +123,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }
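Review bot: `%10"PRIu64` requires `<inttypes.h>` and the include is not part of this hunk; if it comes from a common header that is fine, otherwise add it here, since the same change is repeated in the other device.c files in this commit. Widening the counters to `uint64_t` also removes the signed overflow the old `int` totals hit after 2 GiB of traffic, which is worth a line in the commit message.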

View file

@ -1,7 +1,7 @@
/* /*
device.c -- Interaction with Solaris tun device device.c -- Interaction with Solaris tun device
Copyright (C) 2001-2005 Ivo Timmermans, Copyright (C) 2001-2005 Ivo Timmermans,
2001-2009 Guus Sliepen <guus@tinc-vpn.org> 2001-2011 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -34,15 +34,15 @@
#define DEFAULT_DEVICE "/dev/tun" #define DEFAULT_DEVICE "/dev/tun"
int device_fd = -1; int device_fd = -1;
int ip_fd = -1, if_fd = -1;
char *device = NULL; char *device = NULL;
char *iface = NULL; char *iface = NULL;
static char *device_info = NULL; static char *device_info = NULL;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
bool setup_device(void) { bool setup_device(void) {
int ip_fd = -1, if_fd = -1;
int ppa; int ppa;
char *ptr; char *ptr;
@ -105,6 +105,8 @@ bool setup_device(void) {
} }
void close_device(void) { void close_device(void) {
close(if_fd);
close(ip_fd);
close(device_fd); close(device_fd);
free(device); free(device);
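Review bot: `close_device()` now closes `if_fd` and `ip_fd` unconditionally; if `setup_device()` failed before opening them they are still -1 and `close(-1)` just returns EBADF, which is harmless but shows up under truss as an error. Guarding with `if(if_fd >= 0)` and resetting the descriptors to -1 after closing keeps the teardown idempotent.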
@ -163,6 +165,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }

View file

@ -1,9 +1,11 @@
/* /*
tincd.c -- the main file for tincd tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans Copyright (C) 1998-2005 Ivo Timmermans
2000-2010 Guus Sliepen <guus@tinc-vpn.org> 2000-2011 Guus Sliepen <guus@tinc-vpn.org>
2008 Max Rijevski <maksuf@gmail.com> 2008 Max Rijevski <maksuf@gmail.com>
2009 Michael Tokarev <mjt@tls.msk.ru> 2009 Michael Tokarev <mjt@tls.msk.ru>
2010 Julien Muchembled <jm@jmuchemb.eu>
2010 Timothy Redaelli <timothy@redaelli.eu>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -118,6 +120,7 @@ static struct option const long_options[] = {
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
static struct WSAData wsa_state; static struct WSAData wsa_state;
CRITICAL_SECTION mutex; CRITICAL_SECTION mutex;
int main2(int argc, char **argv);
#endif #endif
static void usage(bool status) { static void usage(bool status) {
@ -135,6 +138,7 @@ static void usage(bool status) {
" -L, --mlock Lock tinc into main memory.\n" " -L, --mlock Lock tinc into main memory.\n"
" --logfile[=FILENAME] Write log entries to a logfile.\n" " --logfile[=FILENAME] Write log entries to a logfile.\n"
" --pidfile=FILENAME Write PID to FILENAME.\n" " --pidfile=FILENAME Write PID to FILENAME.\n"
" -o [HOST.]KEY=VALUE Set global/host configuration value.\n"
" -R, --chroot chroot to NET dir at startup.\n" " -R, --chroot chroot to NET dir at startup.\n"
" -U, --user=USER setuid to given USER at startup.\n" " -U, --user=USER setuid to given USER at startup.\n"
" --help Display this help and exit.\n" " --help Display this help and exit.\n"
@ -144,10 +148,14 @@ static void usage(bool status) {
} }
static bool parse_options(int argc, char **argv) { static bool parse_options(int argc, char **argv) {
config_t *cfg;
int r; int r;
int option_index = 0; int option_index = 0;
int lineno = 0;
while((r = getopt_long(argc, argv, "c:DLd::k::n:K::RU:", long_options, &option_index)) != EOF) { cmdline_conf = list_alloc((list_action_t)free_config);
while((r = getopt_long(argc, argv, "c:DLd::k::n:o:K::RU:", long_options, &option_index)) != EOF) {
switch (r) { switch (r) {
case 0: /* long option */ case 0: /* long option */
break; break;
@ -195,6 +203,8 @@ static bool parse_options(int argc, char **argv) {
kill_tincd = SIGINT; kill_tincd = SIGINT;
else if(!strcasecmp(optarg, "ALRM")) else if(!strcasecmp(optarg, "ALRM"))
kill_tincd = SIGALRM; kill_tincd = SIGALRM;
else if(!strcasecmp(optarg, "ABRT"))
kill_tincd = SIGABRT;
else { else {
kill_tincd = atoi(optarg); kill_tincd = atoi(optarg);
@ -213,7 +223,16 @@ static bool parse_options(int argc, char **argv) {
break; break;
case 'n': /* net name given */ case 'n': /* net name given */
netname = xstrdup(optarg); /* netname "." is special: a "top-level name" */
netname = strcmp(optarg, ".") != 0 ?
xstrdup(optarg) : NULL;
break;
case 'o': /* option */
cfg = parse_config_line(optarg, NULL, ++lineno);
if (!cfg)
return false;
list_insert_tail(cmdline_conf, cfg);
break; break;
case 'K': /* generate public/private keypair */ case 'K': /* generate public/private keypair */
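Review bot: `if (!cfg)` uses `if (` spacing while the rest of this file and the other hunks write `if(`; match the existing style. Passing `NULL` as the filename to `parse_config_line()` means a parse error in a `-o` value is reported without a source, so check that its error path copes with a NULL filename and prints something like "command line" instead. The `-n .` special case for a top-level netname should also be mentioned in the `-n` usage text.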
@ -350,6 +369,7 @@ static bool keygen(int bits) {
fchmod(fileno(f), 0600); fchmod(fileno(f), 0600);
#endif #endif
fputc('\n', f);
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
fclose(f); fclose(f);
free(filename); free(filename);
@ -367,6 +387,7 @@ static bool keygen(int bits) {
if(disable_old_keys(f)) if(disable_old_keys(f))
fprintf(stderr, "Warning: old key(s) found and disabled.\n"); fprintf(stderr, "Warning: old key(s) found and disabled.\n");
fputc('\n', f);
PEM_write_RSAPublicKey(f, rsa_key); PEM_write_RSAPublicKey(f, rsa_key);
fclose(f); fclose(f);
free(filename); free(filename);
@ -483,12 +504,12 @@ static bool drop_privs() {
} }
#ifdef HAVE_MINGW #ifdef HAVE_MINGW
# define setpriority(level) SetPriorityClass(GetCurrentProcess(), level) # define setpriority(level) SetPriorityClass(GetCurrentProcess(), (level))
#else #else
# define NORMAL_PRIORITY_CLASS 0 # define NORMAL_PRIORITY_CLASS 0
# define BELOW_NORMAL_PRIORITY_CLASS 10 # define BELOW_NORMAL_PRIORITY_CLASS 10
# define HIGH_PRIORITY_CLASS -10 # define HIGH_PRIORITY_CLASS -10
# define setpriority(level) nice(level) # define setpriority(level) (setpriority(PRIO_PROCESS, 0, (level)))
#endif #endif
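Review bot: `#define setpriority(level) (setpriority(PRIO_PROCESS, 0, (level)))` only works because a function-like macro is not expanded recursively inside its own replacement; it is legal but confusing, and it needs `<sys/resource.h>` in scope, which this hunk does not show. It also changes semantics from the old `nice(level)` (relative adjustment) to an absolute nice value, which is what the Normal/Low/High names imply, so that improvement belongs in the commit message. A distinct name such as `set_process_priority()` would avoid shadowing a libc function.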
int main(int argc, char **argv) { int main(int argc, char **argv) {
@ -502,7 +523,7 @@ int main(int argc, char **argv) {
if(show_version) { if(show_version) {
printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE, printf("%s version %s (built %s %s, protocol %d)\n", PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT); VERSION, __DATE__, __TIME__, PROT_CURRENT);
printf("Copyright (C) 1998-2010 Ivo Timmermans, Guus Sliepen and others.\n" printf("Copyright (C) 1998-2011 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n" "See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n" "and you are welcome to redistribute it under certain conditions;\n"
@ -594,13 +615,25 @@ int main2(int argc, char **argv) {
char *priority = 0; char *priority = 0;
if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) { if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
if(!strcasecmp(priority, "Normal")) if(!strcasecmp(priority, "Normal")) {
setpriority(NORMAL_PRIORITY_CLASS); if (setpriority(NORMAL_PRIORITY_CLASS) != 0) {
else if(!strcasecmp(priority, "Low")) logger(LOG_ERR, "System call `%s' failed: %s",
setpriority(BELOW_NORMAL_PRIORITY_CLASS); "setpriority", strerror(errno));
else if(!strcasecmp(priority, "High")) goto end;
setpriority(HIGH_PRIORITY_CLASS); }
else { } else if(!strcasecmp(priority, "Low")) {
if (setpriority(BELOW_NORMAL_PRIORITY_CLASS) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s",
"setpriority", strerror(errno));
goto end;
}
} else if(!strcasecmp(priority, "High")) {
if (setpriority(HIGH_PRIORITY_CLASS) != 0) {
logger(LOG_ERR, "System call `%s' failed: %s",
"setpriority", strerror(errno));
goto end;
}
} else {
logger(LOG_ERR, "Invalid priority `%s`!", priority); logger(LOG_ERR, "Invalid priority `%s`!", priority);
goto end; goto end;
} }
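Review bot: on MinGW the `!= 0` tests are inverted: the macro expands to `SetPriorityClass()`, which returns non-zero on success and zero on failure, so a successful priority change takes the `goto end` path and the daemon exits, while a failure is silently ignored; with the POSIX `setpriority()` expansion (0 on success, -1 on failure) the tests are correct. Make the macro normalise the result, e.g. `(SetPriorityClass(GetCurrentProcess(), (level)) ? 0 : -1)`, note that `strerror(errno)` says nothing useful on that path (the error is in `GetLastError()`), and then collapse the three identical error blocks by mapping the string to a level first and calling the macro once.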

View file

@ -41,8 +41,8 @@ static char *device_info;
extern char *identname; extern char *identname;
extern bool running; extern bool running;
static int device_total_in = 0; static uint64_t device_total_in = 0;
static int device_total_out = 0; static uint64_t device_total_out = 0;
enum request_type { REQ_NEW_CONTROL }; enum request_type { REQ_NEW_CONTROL };
@ -272,6 +272,6 @@ bool write_packet(vpn_packet_t *packet) {
void dump_device_stats(void) { void dump_device_stats(void) {
logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device); logger(LOG_DEBUG, "Statistics for %s %s:", device_info, device);
logger(LOG_DEBUG, " total bytes in: %10d", device_total_in); logger(LOG_DEBUG, " total bytes in: %10"PRIu64, device_total_in);
logger(LOG_DEBUG, " total bytes out: %10d", device_total_out); logger(LOG_DEBUG, " total bytes out: %10"PRIu64, device_total_out);
} }