Version 1.0.24 May 11 2014
------------------------------------------------------------------------

Guus Sliepen (26):
    Mention in the manual that multiple Address statements are allowed.
    If no Port is specified, set myport to actual port of first listening socket.
    Enable compiler hardening flags by default.
    Update support for Solaris.
    Include for PATH_MAX.
    Stricter check for raw socket support.
    Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
    Fix incorrectly merged bits from 80cd2ff73071941a5356555b85a00ee90dfd0e16.
    Don't enable -fstack-protector-all.
    Remove or lower the priority of some debug messages.
    Clarify StrictSubnets.
    Attribution for various contributors.
    Handle errors from TAP-Win32/64 adapter in a better way.
    Remove useless variable 'hard' from try_harder().
    Merge pull request #14 from luckyhacky/master
    Add an autoconf check for res_init().
    Nexthop calculation should always use the shortest path.
    Fix issues found by Coverity.
    Fix warnings found by GCC 4.9.
    Fix a few more issues found by Coverity.
    Fix a few more issues found by Coverity.
    Drop h and hh length modifiers from printf format strings.
    Fix a bug that could prevent tinc from starting correctly on Windows.
    Fix the autoconf checks for res_init().
    Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
    Releasing 1.0.24.

Steffan Karger (3):
    Use constant time memcmp() when comparing packet HMACs.
    Use cryptographically strong random when generating keys.
    Check RAND_bytes() return value, fail when getting random fails.

Florent Clairambault (2):
    Adding "conf.d" configuration dir support.
    Adding some documentation around the /etc/tinc/$NET/conf.d directory.

Armin Fisslthaler (1):
    reload /etc/resolv.conf in SIGALRM handler

Loic Dachary (1):
    fix documentation typo

Vilbrekin (1):
    Update android build instructions. Disable PIE as this is not supported on some devices.

luckyhacky (1):
    update to openssl version 1.0.1g due to lack of heartbleed bug in prior version of openssl

Version 1.0.23 October 19 2013
------------------------------------------------------------------------

Guus Sliepen (9):
    Check for writability when waiting for a socket to finish connecting.
    Don't send PING requests on connections which are not active yet.
    Fix segfault when Name = $HOST but $HOST is not set.
    Fix typos in the documentation.
    Modernize the build system.
    Get rid of the splay tree implementation.
    Add description of IffOneQueue and MaxTimeout to the info manual.
    Clean up child processes from proxy type exec.
    Releasing 1.0.23.

Version 1.0.22 August 13 2013
------------------------------------------------------------------------

Guus Sliepen (7):
    Better optional argument handling.
    Fix a typo.
    Set $NAME when calling host-up/down and subnet-up/down scripts.
    Don't use vasprintf() anymore on Windows.
    Don't echo broadcast packets back when Broadcast = direct.
    Update copyright notices.
    Releasing 1.0.22.

Etienne Dechamps (1):
    Fix combination of Mode = router and DeviceType = tap on Linux.

Version 1.0.21 April 22 2013
------------------------------------------------------------------------

Guus Sliepen (2):
    Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
    Releasing 1.0.21.

Version 1.0.20 March 03 2013
------------------------------------------------------------------------

Guus Sliepen (30):
    Use /dev/tap0 by default on FreeBSD and NetBSD when using Mode = switch.
    Document how to load the tap driver on FreeBSD.
    Update THANKS file.
    Also clarify hostnames=[yes|no] in tinc.conf(5).
    Attribution for Vil Brekin and some code style cleanups.
    Don't ignore Makefile.am.
    Fix links in documentation.
    Attribution for Martin Schürrer.
    Add strict checks to hex to binary conversions.
    Clear connection options and status fields in free_connection_partially().
    Fix warnings from cppcheck.
    Clear Ethernet header when reading packets from a tun device.
    Clear status and options fields of unreachable nodes.
    Fix warnings from groff.
    Using alloca() for a constant sized buffer is very silly.
    Make sure PMTU discovery works in switch mode with VLAN tags.
    Mention in the manual that support for LZO and zlib can be disabled.
    Fix configure script help text for --enable options.
    Don't take the address of a variable whose scope is about to disappear.
    Send broadcast packets using a random socket, and properly support IPv6.
    Remove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.
    Fix support for tunemu on iOS devices.
    Make sure PriorityInheritance also works in switch mode.
    Detect increases in PMTU.
    Fix a compiler warning.
    Fix segmentation fault when trying to connect via a SOCKS5 proxy.
    Don't send proxy requests for incoming connections.
    Fix compiler warnings on Windows.
    Fix detection of rejected SOCKS5 proxy requests.
    Releasing 1.0.20.

Vilbrekin (5):
    Basic patch for android cross-compilation.
    Replace hard-code with new ScriptsInterpreter configuration property.
    Add basic .gitignore file, cleaning (most) files generated by autotools.
    Use __ANDROID__ define rather than dirty hard-code to allow android NDK cross-compilation.
    Android cross-compilation instructions.

Martin Schürrer (1):
    Output details of encryption errors

Mesar Hameed (1):
    Minor clarification, tinc.conf hostnames=[yes|no] variable only resolves names for logging purposes.

Version 1.0.19 June 25 2012
------------------------------------------------------------------------

Guus Sliepen (14):
    Support :: in IPv6 Subnets.
    Remove newline from log message.
    Add support for systemd style socket activation.
    Allow environment variables to be used for Name.
    Allow broadcast packets to be sent directly instead of via the MST.
    Add basic support for SOCKS 4 and HTTP CONNECT proxies.
    Add support for SOCKS 5 proxies.
    Add support for proxying through an external command.
    Document new proxy types.
    Small fixes in proxy code.
    #include on Windows.
    Fix compiler warnings.
    Fix crash when using Broadcast = direct.
    Releasing 1.0.19.

Anthony G. Basile (1):
    configure.in: fix AC_ARG_ENABLE and AC_ARG_WITH

Michael Tokarev (1):
    add (errnum) in front of Windows error messages

Version 1.0.18 March 25 2012
------------------------------------------------------------------------

Guus Sliepen (13):
    Always try next Address when an outgoing connection fails to authenticate.
    Allow a port to be specified in BindToAddress statements.
    Add support for multicast communication with UML/QEMU/KVM.
    Set default value of DecrementTTL to "no".
    Add #ifdefs in case not all platforms support IPv4 and IPv6 multicast.
    Allow scoped addresses to be used for IPv6 multicast socket.
    Fix compiler warnings.
    Fix return value type of vde_send().
    Fix some more compiler warnings.
    Document OpenBSD "ifconfig link0" and Linux "ip tuntap" commands.
    Fix return type of vde_recv() as well.
    Mark DecrementTTL option experimental.
    Releasing 1.0.18.

Version 1.0.17 March 10 2012
------------------------------------------------------------------------

Guus Sliepen (32):
    Prevent read_rsa_public_key() from returning an uninitialized RSA structure.
    Return false instead of void when there is an error.
    Fix compilation of VDE and UML interfaces.
    Add vde/device.c to the tarball.
    Fix a few small memory leaks.
    Allow linking with multiple device drivers.
    Set FD_CLOEXEC flag on all sockets.
    Allow multiple BindToAddress statements.
    Merge branch 'master' of black:tinc
    Send packets back using the same socket as they were received on.
    Allow setting DeviceType to tun or tap on Linux.
    Merge branch 'master' of black:tinc
    Only compile raw socket code when it is supported on that platform.
    Decrement TTL of incoming packets.
    Don't bind outgoing TCP sockets anymore.
    Rename connection_t *broadcast to everyone.
    Allow disabling of broadcast packets.
    Move initialization of char *priority up to prevent freeing an uninitialized pointer.
    Document the command line flag -o and provide --option as well.
    Fix a bug that caused tinc to ignore all but the last listening socket.
    Fix check for raw socket support.
    Pass index into listen_socket[] to handle_incoming_vpn_data().
    Add LocalDiscovery option which tries to detect peers on the local network.
    Don't send ICMP Time Exceeded messages for other Time Exceeded messages.
    Stricter checks against routing loops.
    Only use broadcast at the start of the PMTU discovery phase.
    Only log errors sending UDP packets when debug level >= 5.
    Accept Subnets passed with the -o option when StrictSubnets = yes.
    Add missing ICMP6 message type definitions.
    Make sure disabling old RSA keys works on Windows.
    Update copyright notices.
    Releasing 1.0.17.

Nick Hibma (1):
    Add missing ICMP message type definitions.

Version 1.0.16 July 23 2011
------------------------------------------------------------------------

Guus Sliepen (4):
    Make code to detect two nodes with the same Name less triggerhappy.
    Flush output buffer in send_tcppacket().
    Use usleep() instead of sleep(), MinGW complained.
    Releasing 1.0.16.

Version 1.0.15 June 24 2011
------------------------------------------------------------------------

Guus Sliepen (9):
    Reorder checks for libraries to allow ./configure LDFLAGS=-static.
    Make return value of SetPriorityClass() behave the same as setpriority().
    Fix sparse warnings and add an extra sprinkling of const.
    Remove newlines from log messages.
    Remove a few unnecessary #includes.
    Attribution for Loïc Grenié.
    Improved --logfile option.
    Remove redundant @CFLAGS@ from AM_CFLAGS.
    Releasing 1.0.15.

Loïc Grenié (1):
    Nearly tickless tinc.

Version 1.0.14 May 08 2011
------------------------------------------------------------------------

Guus Sliepen (48):
    Fix reading configuration files that do not end with a newline. Again.
    Define WINVER before including any other header file on Windows.
    Use intptr_t instead of long to store a pointer.
    OpenSSL 1.0.0 compiled for 64 bit Windows requires linking with -lcrypt32.
    Fix all warnings when compiling with mingw64.
    Use strrchr() instead of rindex().
    Detect and prevent two nodes with the same Name being on the VPN simultaneously.
    Use 64 bit counters to keep track of bytes sent/received from the virtual network interface.
    Do not append an address to ANS_KEY messages if we don't know any address.
    Merge local host configuration with server configuration.
    Remove duplicate command-line option parsing.
    Attribution for Julien Muchembled.
    Attribution for Timothy Redaelli.
    Ensure there is a newline character before a PEM key is written.
    Abort disabling old PEM keys on I/O errors.
    Remove unused variables.
    Quit when there are too many consecutive errors on the tun/tap device.
    Read error counter must be static.
    Add short options -R and -U to the tincd(8) manpage.
    Don't use strlen() on a NULL pointer.
    Provide usleep() for Windows.
    Use variable length arrays instead of alloca().
    Fix warning message when setting SO_RCVBUF or SO_SNDBUF fails.
    Free replay window when freeing a node_t.
    Fix variable length array declaration.
    Attribution for Brandon Black.
    Use setpriority() instead of nice() on UNIX-like systems.
    Always send MTU probes at least once every PingInterval.
    Close all filedescriptors in Solaris close_device().
    Limit field width when scanning PID file.
    Replace bogus #else with #endif.
    Remove unused variables.
    Document the behavior of "-n."
    Update the manual.
    Update the NEWS.
    Proper check and dropin replacement for usleep().
    Fix typo spotted by Andrew Scheller.
    Add support for VDE through libvdeplug.
    Fix spurious misidentification of incoming UDP packets.
    Prevent anything from updating our own UDP address.
    Do not set indirect flag on edges from nodes with multiple addresses.
    Increase threshold for detecting two nodes with the same Name.
    Always use the default signal handler for ABRT signals.
    Check for EVP_EncryptInit_ex instead of SHA1_Version in OpenSSL.
    Update THANKS and copyright information.
    Ensure proper linking with OpenSSL with recent versions of MinGW.
    Include when using intptr_t.
    Releasing 1.0.14.

Brandon L Black (4):
    Experimental IFF_ONE_QUEUE support for Linux
    Configurable SO_RCVBUF/SO_SNDBUF for the UDP socket
    Configurable ReplayWindow size, zero disables
    Improved handling of queue-jumping packets on receive

Julien Muchembled (2):
    New '-o' option to configure server or hosts from command line
    Fix command-line '-o' option for host configuration

Timothy Redaelli (2):
    Fix warnings shown using -D_FORTIFY_SOURCE=2
    Fix warnings under BSD

Michael Tokarev (1):
    Treat netname="." in a special way.

Rumko (1):
    DragonFlyBSD support

Version 1.0.13 April 11 2010
------------------------------------------------------------------------

Guus Sliepen (20):
    Clamp MSS to minimum MTU in both directions.
    Simplify reading lines from configuration files.
    Check for dirent.h.
    Preload all Subnets in TunnelServer mode.
    Add the StrictSubnets option.
    Add the Forwarding option.
    Add the DirectOnly option.
    Fixes for the Forwarding option.
    ConnectTo does not mean tinc does not listen for incoming connections anymore.
    Log unauthorized Subnets when StrictSubnets is set.
    Fix typo.
    Convert Port to numeric form before sending it to other nodes.
    Ensure ICMP_NET_ANO is defined.
    Reload Subnets when getting a HUP signal and StrictSubnets is used.
    Fix reloading Subnets when StrictSubnets is set.
    Ensure subnet-up/down scripts are called after HUP when necessary.
    Fixes for definitions under Windows.
    Don't redefine MAX if it already exists.
    Mark Forwarding and DirectOnly options as being experimental.
    Releasing 1.0.13.

Timothy Redaelli (2):
    Add --disable-lzo configure option
    Add --disable-zlib configure option

Sven-Haegar Koch (1):
    Never delete Subnets when StrictSubnets is set

Version 1.0.12 February 03 2010
------------------------------------------------------------------------

Guus Sliepen (21):
    When learning MAC addresses, only check our own Subnets for previous entries.
    Remove unused variable in lookup_subnet_*() functions.
    Forget addresses of unreachable nodes.
    Do not fragment packets smaller than RFC defined minimum MTUs.
    Allow port to be specified in Address statements.
    Use xstrdup() instead of xasprintf() to copy static strings.
    Allow Port and PMTUDiscovery options in tinc.conf, always enable PMTUDiscovery by default.
    Clamp MSS of IPv4 SYN packets.
    Ping nodes immediately when receiving SIGALRM.
    Optimise handling of select() returning <= 0.
    Also clamp MSS of TCP over IPv6 packets.
    Make MSS clamping configurable, but enabled by default.
    Fix subnet-up/down scripts being called with an empty SUBNET.
    Run subnet-up/down scripts for local MAC addresses as well.
    Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests.
    Determine peer's reflexive address and port when exchanging keys.
    Immediately exchange keys when establishing a meta connection.
    Try to set DF bit on BSDs as well.
    Update copyright notices.
    Ensure peers with a meta connection always have our key.
    Releasing 1.0.12.

Version 1.0.11 November 01 2009
------------------------------------------------------------------------

Guus Sliepen (16):
    Fix a possible crash when sending the HUP signal.
    Starting to work towards 1.0.11.
    Handle weighted Subnets in switch and hub modes.
    Clarify and increase level of log message about MTU probes to unreachable nodes.
    Add dummy device.
    Use uint32_t instead of long int for connection options.
    Allow UDP packets with an address different from the corresponding TCP connection.
    Always reply to MTU probes via UDP.
    Make maxmtu equal to minmtu when fixing the path MTU to a node.
    Forward packets to not directly reachable hosts via UDP if possible.
    Use IP_DONTFRAGMENT instead of IP_MTU_DISCOVER on Windows.
    Use WSAGetLastError() to determine cause of network errors on Windows.
    Move socket error interpretation to utils.h.
    Fast handoff of roaming MAC addresses.
    Start a tinc service if it already exists.
    Releasing 1.0.11.

Michael Tokarev (1):
    Remove localedir leftovers.

Version 1.0.10 October 18 2009
------------------------------------------------------------------------

Guus Sliepen (78):
    Update documentation for git.
    Consistently allocate device and iface variables on the heap.
    Only send packets via UDP if UDP communication is possible.
    Move free()s at the end of main() to the proper destructor functions.
    Change flush_events() to expire_events().
    Add missing cleanup functions in close_network_connections().
    Use a global list to track outgoing connections.
    Remove unused definitions from net.h.
    Allow reading config files with CRLF endings on Unix systems.
    Validate Name before using it in a filename when generating a keypair.
    Disable old RSA keys when generating new ones.
    Handle neighbor solicitation requests without link layer addresses.
    Allow weight to be assigned to Subnets.
    Update THANKS and copyright information.
    Disable PMTUDiscovery in switch and hub modes.
    Use a simple Random Early Drop algorithm in send_tcppacket().
    Handle UDP packets from different and ports than advertised.
    If PMTUDiscovery is not set, do not forward packets via TCP unnecessarily.
    Fix link to Mattias Nissler's tun/tap driver for MacOS/X.
    Fix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf6f2ab17228a9820cea66.
    Use xrealloc instead of if(ptr) ptr = xmalloc().
    Add declaration for sockaddrcmp_noport().
    Use packet size before decompression to calculate path MTU.
    Do not forward broadcast packets when TunnelServer is enabled.
    Add ProcessPriority option.
    Add some const where appropriate.
    Properly set HMAC length for incoming packets.
    Don't try to send MTU probes to unreachable nodes.
    Remove pending MTU probe events when a node's reachability status changes.
    Do not log errors when recvfrom() returns EAGAIN or EINTR.
    Change level of some debug messages, zero pointer after freeing hostname.
    Always remove a node from the UDP tree before freeing it.
    Add xasprintf() and xvasprintf().
    Check the return value of fscanf() when reading a PID file.
    Replace asprintf() by xasprintf().
    UNIX signal numbers start at 1.
    Ensure tinc compiles with gcc -std=c99.
    Convert bitfields to integers in a safe way.
    Add the GPL license to the repository.
    Another safe bitfield conversion.
    Add support for iPhones and recent iPods.
    Don't stat() on iPhone/iPod.
    Put Subnet weight in a separate environment variable.
    Allow PMTUDiscovery in switch and hub modes again.
    Handle unicast packets larger than PMTU in switch mode.
    Remove superfluous call to avl_delete().
    Apparently it's impolite to ask GCC to subtract two pointers.
    Use only rand(), not random().
    Also do not use drand48(), it is not available on Windows.
    Allow compiling for Windows XP and higher.
    Remove dropin random() function, as it is not used anymore.
    Use access() instead of stat() for checking whether scripts exist.
    Raise default crypto algorithms to AES256 and SHA256.
    Remove extra {.
    Use a mutex to allow the TAP reader to process packets faster on Windows.
    Raise default RSA key length to 2048 bits.
    Send large packets we cannot handle properly via TCP.
    Update copyright information.
    Remove all occurrences of $Id$.
    Remove Ivo's old email addresses.
    Update the address of the Free Software Foundation in all copyright headers.
    K&R style braces.
    Remove checkpoint tracing.
    Drop support for localisation.
    Add more authors to the copyright headers.
    Update the NEWS.
    Remove autogenerated files from EXTRA_DIST.
    Don't disconnect clients in TunnelServer mode who send unauthorised ADD_SUBNETs.
    Remove code duplication when checking ADD_EDGE/DEL_EDGE messages.
    Revert "Raise default crypto algorithms to AES256 and SHA256."
    Ensure that the texinfo manual can be converted to HTML.
    Small updates to the documentation.
    Use MTU probes to regularly ping other nodes over UDP.
    Allow the cloning /dev/tap interface to be used on FreeBSD and NetBSD.
    Remove debugging message when reading packets from a BSD device.
    Include missing header.
    Fix description of the WEIGHT environment variable.
    Releasing 1.0.10.

Michael Tokarev (17):
    Allow tunnelserver to work with clients that have other peers.
    Enable PMTUDiscovery only if BOTH sides want it.
    Rename setup_network_connections() and split out try_outgoing_connections()
    Implement privilege dropping
    bugfix: initialize pid (as read from pidfile) to zero
    bugfix: move mlock to after detach() so it works for child, not parent
    bugfix: chdir(/) after chroot
    change error messages in droppriv code to match the rest
    format 'not supported on this platform' error message
    TunnelServer: Don't disconnect client on DEL_SUBNET too
    ignore indirect edge registrations in tunnelserver mode
    don't log every strange packet coming to the UDP port
    Fix ans_key exchange in recent changes
    tunnelserver: log which ADD_SUBNET was refused
    cleanup setpriority thing to make it readable
    try outgoing connections before chroot/drop_privs
    Remove extra semicolon in my definition of setpriority()

Florian Forster (2):
    src/linux/device.c: Fix segfault when running without `--net'.
    src/net_socket.c: Bind outgoing TCP sockets to `BindToAddress'.

Borg (1):
    Removed last gettext function.

Version 1.0.9 December 26 2008
------------------------------------------------------------------------

Guus Sliepen (18):
    Handle SERVICE_CONTROL_INTERROGATE requests. Thanks to Carsten Ralle for noticing this.
    Make sure the prefixlength of subnets is sane.
    Fix reading configuration files that do not end with a newline.
    Do not try to send REQ_KEY or ANS_KEY requests to unreachable nodes.
    Prevent freeing a NULL pointer when a hostname is unresolvable.
    Correct debug message.
    Treat virtual network device as tap if Mode = switch or hub.
    Use TUNIFHEAD by default on FreeBSD to make sure IPv6 works.
    Make sure IPv6 sockets are IPv6 only.
    Update Dutch translation.
    Update copyright information.
    Enable PMTU discovery by default.
    Update documentation.
    Update the manpage as well, and some whitespace to make its source more legible.
    Handle broadcast and multicast packets in router mode.
    Apply patch from Max Rijevski fixing a memory leak when closing connections.
    Add missing parentheses in check for IPv4 multicast addresses.
    Releasing 1.0.9.

Version 1.0.8 May 16 2007
------------------------------------------------------------------------

Guus Sliepen (8):
    Apply patch from Scott Lamb preventing an infinite loop when sending SIGALRM.
    Apply patch from Scott Lamb fixing some memory and resource leaks.
    Close the proper filedescriptor (if it exists).
    Apply patch from "dnk" making sockets non-blocking under Windows.
    Make sure connection->name is never NULL.
    Update Dutch translation.
    Don't free struct addrinfo too early. Spotted by Christian Cier-Zniewski.
    Releasing 1.0.8.

Version 1.0.7 January 05 2007
------------------------------------------------------------------------

Guus Sliepen (7):
    Use a ringbuffer in shared memory to transfer packets from the tapreader thread to the main thread.
    Tapreader socket should be bound to localhost only.
    Fix generic BSD tun device to write only the actual packet length.
    rename() cannot replace existing files on Windows.
    No things to do for the 1.0 branch except bugfixing.
    Update copyright notices.
    Releasing 1.0.7.

Version 1.0.6 December 18 2006
------------------------------------------------------------------------

Guus Sliepen (13):
    Make sure resolved addresses for outgoing connections are freed, if there are any.
    Search for lzo/lzo1x.h, lzo2/lzo1x.h and lzo1x.h.
    When building the minimum spanning tree, make sure we start from a reachable node.
    Use the correct next pointer.
    Remove unnecessary stuff from configure.in.
    Remove old Spanish translation.
    Fix rule that creates html version of manpages.
    Use standard autoconf macros instead of our own.
    We do properly check for malloc and realloc.
    Remove the test for linux/if_tun.h.
    Do a simple test for linux/if_tun.h instead of no test at all.
    Prevent compiler warnings about redefinition of EAI_FAMILY on FreeBSD 6.1.
    Releasing 1.0.6.

Version 1.0.5 November 14 2006
------------------------------------------------------------------------

Guus Sliepen (32):
    Prevent possible buffer overflows when using very large (>= 8192 bit) RSA keys.
    Add alloca.h to the list of necessary header files.
    Enable OpenSSL ENGINE, so crypto hardware gets used. Thanks to Andreas van Cranenburgh.
    EVP_Cleanup() when quitting.
    Apply patch from Scott Lamb unifying configuration of TCP socket options.
    Apply patch from Scott Lamb adding an output buffer for the TCP sockets.
    Make sure $NAME is set correctly when executing tinc-down script.
    Missing #include.
    Export flush_meta().
    Fix signedness compiler warnings.
    Fix a bug in handling prefixlengths that are not a multiple of 4.
    Update copyright notices, remove Ivo's email address.
    Restore length of the original packet in send_udppacket().
    Use memcpy() to copy sockaddrs returned by getaddrinfo().
    Add generic host-up and host-down scripts.
    Do not break strict aliasing of status_t structs.
    Fix format string warnings.
    Remove unused variables.
    Remove unused parameter from maskcmp().
    Remove unused variable.
    memcpy() addresses from packet headers before calling the lookup functions.
    The "active" bit in node.status is not used.
    Added graph dumping ability based on Markus Goetz's patch.
    popen() requires pclose().
    Support and autodetect LZO version 2.0 and later.
    Support and autodetect LZO version 2.0 and later.
    Document GraphDumpFile option.
    Update Dutch translation.
    Nodes use events, so event system should be initialised first and destroyed last.
    When deleting an entire tree, start at head, not at root.
    EWOULDBLOCK does not exist on platforms without O_NONBLOCK
    Releasing 1.0.5.

Version 1.0.4 May 04 2005
------------------------------------------------------------------------

Guus Sliepen (17):
    Make sure broadcast packets reach the local network interface.
    Fix splay tree code.
    subnet-up/down hooks
    subnet-up/down hooks, use list_t for the todo list.
    Small fix.
    Free memory used by connection_t after it is deleted from the connection tree.
    Use the proper free function.
    Correct size argument for strncat().
    Nodes should only be in the node_udp_tree if they are reachable.
    Don't try to add a non-existing node back to the node_udp_tree.
    Remove unused (and potentially segfaulting) net2str() call.
    Be on the safe side with initialisation of c->name.
    Searching through splay trees may change the tree variable.
    Several splay tree fixes.
    Describe subnet-up/down scripts in documentation.
    Update copyright notices.
    Releasing 1.0.4.

Version 1.0.3 November 11 2004
------------------------------------------------------------------------

Guus Sliepen (77):
    Removed items in TODO list that are already implemented. Only two items
    Applied patch from Jamie Briggs for bash2 conformance.
    Added another semicolon for bash2 compliance (thanks to Jamie Briggs)
    Adding even more stuff from the CABAL branch.
    Synchronise HEAD with CABAL branch. This will become 2.0.
    Some device.c files weren't synchronised.
    Makevars file was accidentally removed.
    Forgot to synchronise po/ directory...
    Add description of new authentication scheme.
    Add Opaque option which prevents information from being forwarded to certain nodes.
    Replace Opaque and Strict options with a TunnelServer option.
    Complain if pid file cannot be created.
    Read MaxTimeout from tinc.conf like the manpage says.
    Missing space between words.
    Don't retry if configuration is wrong from the beginning.
    Fix proxy-neighborsolicitation.
    Code beautification, start of multicast support.
    Forget multicast.
    Always inline some function.
    Let tinc figure out the exact MTU of the link.
    More sensible name, and try to set PMTU discovery on IPv6 sockets as well.
    Describe the TunnelServer and PMTUDiscovery options.
    Better name, show probed MTU in dump.
    Improvements for PMTU discovery and IPv4 packet fragmentation.
    Missing definitions.
    Small fixes for PMTU discovery.
    Don't forget to update destination MAC address.
    Small updates.
    Remove autogen.sh, the autoreconf program does exactly that.
    Replace cvs-clean with a much better svn-clean.
    Remove CVS related cruft.
    Eat trailing whitespace in config files.
    Only read our public key if it wasn't already in the private key file.
    Updating Dutch translation.
    Even better svn-clean command.
    Applied Martin Kihlgren's IdentityGenerosity patch,
    Fix declaration of update_node_address().
    Use Subversion to create ChangeLog, better svn-clean rule.
    Revert Martin Kihlgren's patch, it doesn't work the way it should.
    Move CABAL branch to its rightful place: the trunk.
    Update copyrights, links, email addresses and let Subversion update $Id$ keywords.
    Increase MTU by 4 bytes to allow VLAN tagged Ethernet frames in hub and switch mode.
    Clean up environment after executing scripts.
    Handle timeouts during connecting the same way as other errors.
    Added UML network socket handling.
    Don't set $INTERFACE automatically, don't quit on EINTR/EAGAIN.
    Marking potential late packets was in the wrong place.
    Remove duplicate #include "system.h"
    Move all #ifdef HAVE_HEADER_H #include to have.h,
    Fix several #includes.
    strndupa() is too arcane for some environments.
    Allow tinc to work with the latest TAP-Win32 driver.
    Correct return value.
    Don't let tinc service depend on NDIS component.
    Support alternative tun/tap driver from http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
    Generic device driver for *BSD and MacOS/X
    static
    Check for sys/uio.h, net/if_tun.h and net/if_tap.h
    Don't include .svn directory in sample configuration.
    Splay trees.
    Hoopjumping to get the default directories in the manuals properly.
    Update to make it compile again.
    Fixed another bug in late packet handling.
    Hopefully this really fixes late packet handling.
    Missing check for NULL-pointer.
    Use the generic BSD tun/tap code.
    Fix order of arguments for tar.
    Let compiler decide when to inline.
    Support tunneling IPv6 on Solaris.
    Add BlockingTCP option, useful when using TCPOnly on slow or congested links.
    Update documentation.
    Set BSD tuns to broadcast mode. On OpenBSD, this enables IPv6 on the tun device!
    Remove duplication.
    Updated Dutch translation.
    Short readme about how to compile tinc from a Subversion checkout.
    Add more people who have contributed to tinc.
    Releasing 1.0.3.

Ivo Timmermans (52):
    Check for __gmpz_powm for libgmp3.
    Changed version number to 1.0pre3.
    Autogenerated by gettextize.
    Bring head revision up to date with cabal (try #3)
    Add check for the syslog function
    Generalized error handling functions
    Add all the new files to the sources list for the utility library
    New function: xalloc_and_zero()
    Generalized list and hash handling functions
    First try to create a graphical frontend for tinc configuration
    Updating HEAD branch #1; removing obsolete files.
    Updating HEAD branch #2; removing debian/ dir.
    Updating HEAD branch #3; more obsolete files removed.
    Updating HEAD branch #4; Merging CABAL -> HEAD.
    Updating HEAD branch #5; Last files from CABAL.
    Ok, I forgot these ;)
    More updates
    More...
    Last bits (hopefully)
    Main pokey interface files.
    Pokey interface definition
    Write src/pokey/Makefile
    Also compile in pokey/
    Remove debug level declaration
    Update copyright info
    Remove debug_lvl
    New logging system to replace syslog() calls with a generic function.
    Rename log_message to log
    Add syslog() wrapper
    Add syslog wrapper
    Some magic
    Added priority definitions from syslog.h
    log_default_hook was renamed to log_default
    Added prototype for log_syslog
    Use logging.h instead of syslog.h
    Compile in logging.c
    Things to ignore...
    Use new logging system
    Include logging.h
    Renamed libvpn to libtinc
    Rename libvpn to libtinc
    ...
    Print newline when writing to stderr
    *** empty log message ***
    Moving files, first attempt at gcrypt compatibility, more interface
    Commit diff test
    Another file moved; random interface stuff.
    Callbacks
    Moved event.c/h
    test
    test 2
    Hm.

Wessel Dankers (5):
    Initial revision. Lots of loose ends, not usable yet.
    added bit on config file, split up sections, added Id: tag
    Added extra bit about keys.
    More about keys
    This file is now only in the CABAL revision.

cvs2svn (1):
    This commit was generated by cvs2svn to compensate for changes in r1352,

Version 1.0.2 November 08 2003
------------------------------------------------------------------------

Guus Sliepen (47):
    Simplify fake getname/addrinfo() functions, possibly fixing freeing a NULL pointer.
    stat() batch files under Windows.
    Don't getsockopt() SO_ERROR. We get the error from send()/recv() anyway.
    Fix fake getnameinfo() and check more arguments.
    Fix --logfile under Windows.
    Use the event log under Windows.
    Compilation fix.
    Do what the SDK documentation tells.
    If we're not in main_loop() and the service is stopped, exit immediately.
    Allow tinc to handle unknown type addresses from other tinc daemons.
    Don't overwrite the first " when installing a service.
    Add checkpoints.
    When purging nodes, only delete them if nobody references them anymore.
    Remove debug message.
    Add license exception from Markus Oberhumer.
    Remove old edges from unreachable nodes to us. This prevents the hosts/NAME-up
    We don't have to tell GCC how to cast.
    Prevent multiple inclusions.
    Remove pidfile when exiting.
    Update translations.
    Check for short packets from the tun/tap device and from other tinc daemons.
    Generate keys with 0x10001 as public exponent, which has less prime factors
    Better length checks.
    Copy structs from packets to the stack before using them, to prevent
    const
    Ethernet protocol types.
    Unused variable in struct.
Don't confuse users with "Address family not supported" warnings. Use CPPFLAGS, LDFLAGS and LIBS as appropiate. PIDs are of type pid_t, and use %ld when reading/writing them to the pidfile. Make sure type of AF_UNKNOWN is sa_family_t. Forgot to #include "xalloc.h" Update missing definitions, structs describing headers get __packed__ attribute. Missing declaration. Set media status for newer TAP-Win32 driver. Some platforms don't know sa_family_t or define it other than uint16_t. Update documentation. Fix ASCII art. Check return value of EVP_* functions, and check if length before en/decryption Check all EVP_ function calls. Parentheses in the wrong spots. Fix bug that could lead to an assertion failure in libcrypto when multiple Small fixes in documentation. Fix another bug in meta.c. Update dutch translation. Add missing definitions. Release notes for 1.0.2 Version 1.0.1 August 14 2003 ------------------------------------------------------------------------ Guus Sliepen (24): Windows uses backslashes... Tell windows to be patient. Remove unused stuff from doc/. Correct error message when remote host closed connection. Simplify execute_script(). It will probably work under Windows as well. Allow empty lines in config files. Make rule for sample-config.tar.gz. Readd quotes. Typo. Better error messages under Windows. Log error first, try to close later. Quote when needed and don't try stuff that doesn't work under Windows. Under Windows, the installation directory can be found in the registry. Better error checking and reporting. Small things. Simpler checking of permissions on private RSA key and other fixes. Check for fchmod(). Only system() needs script name quoted. Update documentation. Add a description for the Service control panel. Updated dutch translation. Small fixes. Fix permissions check for rsa_key.priv. Update. Version 1.0 August 08 2003 ------------------------------------------------------------------------ Guus Sliepen (111): Thank some more people. 
Run graph() after edge_del() when updating an edge. Add documentation for BindToAddress. Fix PriorityInheritance. PrivateKeyFile instead of PrivateKey. Run graph algorithm when replacing a second connection from the same host Add $NAME for tinc-up/down scripts. - Fix indentation in some places. Various fixes for autoconf and OpenSSL 0.9.7 and a missing header. Make sure send_meta() writes everything. Typo. - Avoid memory leak caused by OpenSSL 0.9.7a. - Speed up checksumming Don't copy more than necessary. Checksums must also work for uneven number of bytes. HUP signal now closes connections to hosts if their host config file is Better handling of late packets. Make sure outgoing_t is completely freed. - Per-node EVP_CIPHER_CTX to avoid initialisation overhead. Small fixes to make LZO compression work. Small fixes. Fix links. Fix warning and add missing checks for LZO library. Call make_names() before doing anything else. If we have a Linux tun/tap device and we are in router mode, open the device AddressFamily is "any" by default. Remove mymac stuff from device.c. Fixes from Wessel Danker's libavl. More braces to make gcc happy. Update documentation. Update dutch translation. Typo and conversion to UTF-8. There are two lzo compression levels. Really make tinc default to any addressfamily. This subtle pointer arithmetic thingy is (I'm very sure of it) the cause - simplify configure.in Check for IPv6 header files. Define logger(), cleans up source code and allows us to write log entries Sprinkling the source with static and attributes. Provide all missing IPv6 definitions in lib/ipv6.h. Actually add ipv6.h. More missing definitions. More missing IPv6 definitions and autoconf checks to make sure it compiles Simplify logging, update copyrights and some minor cleanups. Update copyrights. Removing distribution specific files from CVS. Format string checking for logger(). Export mymac. Make use of the CIPE driver. Woohoo, tinc for Windows! 
Windows headers declare a struct interface somewhere. Big header file cleanup: everything that has to do with standard system Even more missing definitions. Remove all #ifndefs from route.c Update all device.c files. Check for ethernet/ipv4/ipv6 related structures. Use iface instead of interface because it might already be declared in Oops. No UNIX style permissions under Windows. Be consistent. Oops. Check for sys/mman.h. Use functions from logger.c Copy cygwin driver to mingw directory. It doesn't work (yet). Add section about configuring Cygwin and CIPE on Windows. Option to specify pidfile location. Use bools and enums where appropriate. Run setup_device() after parsing configuration but before claiming we're ready. Don't initialise a CIPHER_CTX if cipher == NULL. Sprinkle around a lot of const and some C99 initialisers. More generic handling of tap device under Windows. More checks for missing functions. Fix compile errors and warnings. Update dutch translation and make sure all device drivers are included in Update configure scripts. Make sure it works. Make sure (at least) the MinGW device driver works. Native Windows support. Cleanups. Update documentation and remove stuff that's too outdated. Remove doc/es/ and src/device.c from the distribution. No C99 initialisers, gcc 2.95.3 doesn't like it. Replacement for stdbool.h Prevent definitions from messing up attributes. Check if the compiler knows about the __malloc__ attribute. Wrong argument. Remove forgotten braces. No easy way to properly detect header files... Woops! Wrong function... Prevent system headers from including our own headers. Allow whitespace in values. Oops. Windows has no symbolic links as we know it. When compiling with MinGW, link with ws2_32. Install tinc as a service under Windows (MinGW). Remove cleanup_and_exit(), Error messages. Cleanups and error messages. Missing include. Oops. Updated dutch translation. Explain how tinc detaches and how it is "killed" under Windows. 
Typo and another thing to think about. Clean up last part of main(). Old gcc compilers don't like declarations in the middle of a function. Cygwin needs windows.h. Keep Windows happy. Remove newlines from log messages. Update dutch translation Simplify translation Use our own port when connecting to ourself. Sync CABAL branch with release-1_0 branch. Ivo Timmermans (2): Fix saving of debug level for startup level 0 Call RSA_blinding_on(), as advised in the paper on Wessel Dankers (1): its: English for "van het" - 3rd person singular, genitive, neuter Version 1.0pre8 September 16 2002 ------------------------------------------------------------------------ Guus Sliepen (73): Support for MacOS/X. Add BindToAddress variable, similar to the late BindToIP. Added Nick Patavalis for his RedHat package. Informative log message if execl() failed. Fix very stupid bug in node_del(), which might have caused corruption of Only purge once when there are no more connections. Support RSA_PUBKEYs (as opposed to RSAPublicKeys) so tinc accepts Make it work correctly with NetBSD tun device. Use correct includes on NetBSD. Cleanup: Use inttypes.h instead of stdint.h. - netinet/* include files depend on netinet/in_systm.h. Added Darwin (MacOS/X) tun device handling. Use darwin/device.c when compiling on MacOS/X. Include darwin/device.c in distribution. Autoconf cleanup. Works for both 2.13 and 2.53, although running autoconf Add configuration details for NetBSD and Darwin (MacOS/X). Reset listen_sockets after SIGHUP. Update comments about IPv6 autoconfiguration. s/sliepen.warande.net/sliepen.eu.org/g Fix for prefixlengths of 32 (IPv4) and 128 (IPv6) bits. Allow list of environment variables to be passed to execute_script(). Allow identical subnets from different owners. Clear subnets before using them. Started port to Cygwin. Added stub device.c for Cygwin. Include complete fake-getname/addrinfo from OpenSSH. Allow tincd to be locked into main memory. 
Don't bother to chown, and correctly document ConnectTo. Added support for raw sockets. This can be used instead of tun/tap devices. Gettext 1.11.5 compatibility. Check for ranlib. Replacement for the current routing algorithm. Make sure setlocale() is available. Drop graph and edge stuff. Use new node stuff instead. A reachable node is always more preferable to an unreachable one... Woops. Reduce KEY_CHANGED traffic. Prevent looping DEL_NODE/ADD_NODE messages after a node disconnects. Don't forget to set prevhop to myself for new connections. Just ignore wrong ADD_NODEs instead of replying with a DEL_NODE, in the Revert to edge and graph stuff. This time, use a directed graph. Small fixes. Generalized request broadcasting/forwarding. Updated dutch translation. Small updates. Run autopoint and libtoolize before creating initial makefiles. Add missing headers. Typo. Only reset seqno's when a key is sent or received. Remove global edge_tree. edge_weight_compare() shouldn't rely on edge_compare(). Reset the *correct* seqnos. Fix MST algorithm. Why don't these connection_t's get cleaned up? Cleanups: Switch to K&R style indentation. Switch to K&R style indentation. Remove redundant spaces. Let GCC check format string and arguments of send_request(). Fix compiler warnings. Clean up after indent. Link with libintl if necessary. Fix placement of #include "config.h" Make sure malloc() is declared. What was I thinking? MacOS/X needs #define _P1003_1B_VISIBLE in order to use mlockall(). port_t isn't used anymore and conflicts with MacOS/X headers. Small fixes so tinc compiles out of the box on SunOS 5.8 Updated dutch translation. Use /dev/net/tun as default for tun/tap device under Linux. Update documentation. Remarks about 1.0pre8 release. Ivo Timmermans (9): Put #ifndef checks for HAVE_RAND_PSEUDO_BYTES in the correct places. 
Typo OSX support getnameinfo fixes Add /sw/{include,lib} to search paths if they exist Include a few more header files Include netbsd's device.c in make dist Added Alessandro Gatti Added AM_MAINTAINER_MODE Wessel Dankers (1): This should work much better. Version 1.0pre7 April 09 2002 ------------------------------------------------------------------------ Guus Sliepen (9): Make configure --help output look nicer. Don't check_network_activity() if select() is interrupted by a signal. check_rsa() is broken, I don't know why, just remove it for now. Fix maskcheck() and maskcmp(). Automake forgets about depcomp, remind it. masklength is better known as prefixlength. masklength is better known as prefixlength Updated dutch translation. Remarks about 1.0pre7 release. Version 1.0pre6 March 27 2002 ------------------------------------------------------------------------ Guus Sliepen (91): Forgot to merge new files from pre5. Last bits of the merger. Sensible defaults for $INTERFACE. - If no PrivateKeyFile is specified, /etc/tinc/netname/rsa_key.priv is assumed. Small fix. Added support for packet compression, thanks to Mark Glines. Don't use sa_sigaction (which NetBSD doesn't like) at all if we don't use siginfo. Get rid of sys/signal.h. Added device.c for NetBSD, actually a copy of the OpenBSD one. Add check for NetBSD. - Non-blocking connect()s. Fix segfault when receiving HUP signal. Use AF_UNSPEC for listening sockets if AddressFamily = any. Forward packets in router mode. Fix maskcmp() and maskcpy(). Cache results of lookup_subnet_...(). Protocol now also exchanges cipher/digest/maclength/compression for the Preserve inpkt->len, needed for broadcasts. - Use gai_strerror() where appropriate - Change SA_LEN to SALEN, former one is already defined on some platforms. Tweaking IPv6 support. Allow multiple listening sockets. Fix send_request() bug. Make BindToInterface work. Fix listening sockets. 
If "PriorityInheritance = yes" is specified in tinc.conf, the value of the Create/bind TCP and UDP listening sockets in pairs. Updated documentation. Updated dutch translation. - Global time_t now, so that we don't have to call time() too often. Document and clean up MAC address expiry. Woops. Check if BindToDevice and PriorityInheritance are supported. Fix forwarding of IPv6 packets. po/POTFILES and po/Makefile should not be generated by configure. Autodetect $MAKE/gmake/make. Small fixes to improve portability. Don't retry to make outgoing connections when exiting. Cleanups, spelling fixes, allow symbol names for signals (-k option), prune_connections() before build_fdset(). Try to reply to neighbor solicitation requests. New strategy: forward icmp6 neighbor solicitations to intended target. Simplified implementation of Kruskal's minimum spanning tree algorithm. Packet sequence number/authentication warnings only if debug_lvl >= 5. Remove silly cache thingy. Put #ifdef NEIGHBORSOL around corresponding code. Revert changes to Kruskal's algo. Neighbor solicitation requests now work (I think). Oops, don't forget to actually put the checksum in the response packet. Different way of detecting neighbor solicitation requests. Typo. Unmap v4mapped sockaddrs. Only unmap IPv6 addresses. #define s6_addr32, needed for FreeBSD. Fix #define s6_addr32. Remember sockaddrs of listening sockets, use appropriate one when sending Cleanup. Don't use s6_addr[16|32] anymore. Updated dutch translation. Updated SSSP algorithm to automatically detect indirect links (if a node uses Put a break on requests that run around in circles. - Added support for jumbograms. Fix add_edge_h(). Fix compiler warnings, strictly use long int and %lx for options. send_ack() was broken. free() request strings when deleting past requests from the tree. Don't run graph algorithms if no edge is deleted in terminate_connection(). 
Reset retry timeout when receiving the first PONG, not right after receiving the ACK. Don't try to execute scripts unless they exist. Execute hosts/name-up when a node becomes reachable, and hosts/name-down Set $INTERFACE correctly when using ethertap while compiled with tun/tap support. Updated dutch translation. Respect type field. OpenBSD tun device uses address family number instead of Ethernet type. Configuration variables were still handled case sensitively. Set myself->status.reachable. Updated documentation. Tell a little bit more about security. Send REQ_KEY only once until ANS_KEY has arrived. Fix execute_script(). Small correction. Merge do_prune() with build_fdset(). Probably fixes the invalid filedescriptor error. Extend list_t with the number of elements in the list. Limit the amount of packets in a queue to 8. Small updates. Remove cruft. Recent automake uses $(AMTAR) instead of $(TAR) Remove symlink to device.c when doing a make dist. Fix format strings. Update dutch translation. Update with information about the pre6 release. Version 1.0pre5 February 10 2002 ------------------------------------------------------------------------ Guus Sliepen (109): Small fixes to allow correct compilation under FreeBSD (tested with 4.3) Make sure Solaris is happy too. Fix subnet_lookup() for overlapping subnets. Needs rethinking. Added proxy-arp support. No more ifconfig -arp needed. Works like a charm - tinc can now act as a switch or a hub too (as opposed to a router only) Changed some stuff to allow correct generation of po/Makefile after a Updated dutch translation. - This oneliner removes the need for ifconfig tap? hw ether fe:fd:0:0:0:0 Fix bug where lookup_subnet_ipv4() could go into an infinite loop. You can now put an option "Mode" in tinc.conf, and choose from: Add missing? counting of total_socket_in. Log and warn about duplicate subnet_add()'s for the same subnet. Fixes to make switching work between hosts that have no meta-connection. 
Save configure cache more often. Changed drastically because it didn't work correctly: Only reset seconds_till_retry when we activate the outgoing connection. Woops - big bug in send_key_changed fixed. - Solaris compile fixes Check for and add -ldl. Remove #warnings I used for debugging stuff. Reinstated search for if_tun.h in kernel source tree, because apparently Spanish translation removed. Nobody maintains it, and it is severely ABOUT-NLS is created by autogen.sh. Don't build Spanish translation. Execute tinc-down BEFORE tap device is closed. This is a. more symmetric es.po revived. Also remove po/Makefile.in.in, which is generated by autogen.sh. Log error if two hosts connect with same IP/port tuple. Fix gcc 3.0 warnings. Check for dlopen in standard libraries first (needed for DEC OSF). It appears that autogen.sh doesn't like es.po if it isn't mentioned in Update of RedHat build scripts. Dutch translation updated. More items marked as done. Fix printf format bug. Fix compiler warning. Check for all potential duplicate entries in the id tree. - Always use instead of just Don't load table of verbose OpenSSL error messages. Correct inclusion of standard if_tun.h header file. Split connection list into two lists: Correctly use the active_tree. Remove all unnecessary status.meta and status.active checks. Added purge_tree for connection_t's which are no longer in the connection, Updated terminate_connection() so you can choose if DEL_HOSTs should be Always close all sockets in terminate_connection(). Woohoo! tinc now compiles, runs and actually *works* on Solaris! Started writing a document about how daemons connect to each other. Described problem in more detail. Small update. Correction. Written down a possible solution. Discuss how sending ADD_EDGEs would be better than sending ADD_HOSTs. More on edges. Don't use %m in fprintf(). Write public key to rsa_key.pub instead of rsa_key.priv (if not host The val variable in a config_t is never used as a long. 
Explicitly log which type of tunnel device is used. Don't send DEL_HOSTs when !status.meta Fix signed comparison bug in lookup_subnet_ipv4(). Remove IndirectData support for now, new implementation will be added Revised reconnection mechanism, always try out all ConnectTo lines. Optional signal number for -k option. config_t* is a const parameter in get_config_val(). - Try old TUN/TAP ioctl() request if the one from if_tun.h fails. Not only keep track of nexthop, but also of lastbutonehop. If destination cl Show next- and lastbutonehop when dumping connectionlist to syslog. Try next connectto instead of the same over and over. Fill in next- and lastbutonehop for myself. - Renamed lastbutonehop to prevhop. Fix bug where tinc would crash because of a portscan or a connection from a - Use ping timeout mechanism to close connections that don't authenticate Fix bug when dropping an old connection in favour of a new one from the Updated dutch translation. Started implementing doc/CONNECTIVITY. Small corrections. Further implementation of doc/CONNECTIVITY. connection.[ch] is now split into a Removed everything from connection.c that has already been moved to node.c and Revamp configuration handling: More updates to new node/vertex/connection combo. - Split tap device stuff out of net.[ch] Added FreeBSD tap device handling. Solaris tun device handling cleaned up a bit and added. Forgot to remove some old #ifdef stuff. Added OpenBSD tun device handling. Untested though. Forgot the tun specific stuff. Support new files (node/vertex/device.[ch]) and OpenBSD. Big bad commit: Make sure everything links. Various small fixes to make tinc runnable again. What was I thinking? s/vertex/edge/g. - More s/vertex/edge/g - More changes needed for Kruskal's algorithm Working version of Kruskal's algorithm. The running time is very bad though. Various fixes, tinc is now somewhat capable of actually working again. More updates to protocol handlers and reimplemented terminate_connection(). 
- Small fixes to graph algorithms Don't forget to read public RSA key when making an outgoing connection. Show cfg->variable instead of cfg->value when complaining about wrong type. Avoid connecting to another node twice, and check name of outgoing connections. Some very small fixes Use PEM functions as suggested by OpenSSL docs. Several bugfixes. *** empty log message *** Be liberal in what you accept: allow unknown edges to be deleted. Correctly check if subnet owner exists. Various fixes needed for Solaris. More fixes for Solaris. Merging of the entire pre5 branch. Ivo Timmermans (32): New make target: `make release' Changed version number to 1.0-cvs Don't distribute autogen.sh in a release Don't include the debian/ dir in a release Small fix to make it compile again Killing tincd with SIGINT causes it to toggle between the current Check for getaddrinfo Check for getnameinfo, gai_strerror, freeaddrinfo Credit OpenSSH Check for struct addrinfo Deprecated get_config_ip and get_config_port Use struct addrinfo in connection_t to hold all host data such as IP Changed prototype for lookup_connection to use struct addrinfo Changed lookup_connection to use struct addrinfo Removed definitions of ipv4_t, ipv6_t, port_t Obsoleted all IP types in favor of struct addrinfo Changed to use struct addrinfo where needed. get_config_{ip,port} removed. Don't compile/link netutl.c. Obsoleted. Don't include netutl.h. (re)added port to struct node_t Added HAVE_STRUCT_ADDRINFO Added dropin replacements for get*info and helper functions. First part of rewriting things to use struct addrinfo. lookup_node_udp changed. Don't include netutl.h. route_ipv4 and route_ipv6 replaced by route_ip. get_config_subnet needs to be fixed. Fixed silly typo: "np" instead of "no" Don't include netutl.h. Conversion to struct addrinfo is almost complete for this file. Wessel Dankers (1): make is not always GNU make. 
Version 1.0pre4 May 25 2001 ------------------------------------------------------------------------ Guus Sliepen (97): Porting to FreeBSD: - Added balanced tree management stuff as well. (It is not finished yet.) - Simplified do_detach - Removed stray @INCLUDE@ (how did that get there?) - Fixed searching - Implemented deletions - Fix tree head/tail upon insertion - Fixed a lot of small things. Tested everything except deletions. - Deletion also works now. - Small fixes - Integrate rbl trees into tinc. - Proper initialization of rbltree structures. - Various small fixes. - More fixes. - Check for NULL tree->delete callback - Cleaned up and checked for some more NULL pointers in rbl.c - Write pidfile AFTER detaching... - No more %as. - Work with the correct key buffer in ans_key_h - More porting to FreeBSD and Solaris. - Fixed all (except 2) compiler warnings gcc -Wall gave. - #include instead of - Don't link with -ldl anymore Another big & bad commit: - Added Armijn to the list - Added daemon() replacement. - Use only one socket for all UDP traffic (for compatibility) - Don't even think about using sscanf with %as anymore - AVL tree routines: faster than RBL, and also more stable. - Doubled size of trace buffer for easier debugging. - Let user choose whether keys are in the config files or separate - Updated dutch translation. - Check and follow symlinks in is_safe_path - Changed license of AVL tree library to GPL. - Updated manual pages. - Updated texinfo manual. - Typo. - Changed list routines to give it the same look'n'feel as the rbl and - Reinstated a queue for outgoing packets. - Added header file for route.c. The routing routines in it are not used - Description of protocol and authentication updated. - It's 2001, all copyright notices are updated. - Fixed IPv6 subnet lookup routine. - Added indirectdata and tcponly functionality. - Squashed another nasty bug. 
- Sign was wrong in search_closest_smaller/greater - Cleaned up subnet_t - Only send out DEL_HOSTs for hosts with a meta connection Added sample configuration directory. - Copy entire sample-config directory to /etc/tinc/example upon installing. - Allow ASN1 style keys to be in the config files. FreeBSD compile fixes (thanks to XeF4) Fix memory leak in avl_insert() if item was already inserted. Updated dutch translation. Removed another local definition of the variable "errno" Added .cvsignore files to get rid of warnings and prevent autogenerated Ignore file for src/ - Updated CVS_CREATED to remove intl/ directory and some other Added description of the proposed new authentication scheme. Corrected check for errors after read() calls. Add missing \n. Free node->data and node, not node->data twice. Copy packets before putting them in the queue. Encrypt network packets in CBC mode instead of CFB mode. Implemented new authentication scheme from doc/SECURITY2. Added process.c to the translated files. - Make sure METAKEY is smaller than the modulus of the RSA key Don't forget to reconnect if outgoing connection fails during - Fixed Interface option (untested) Removed lots of compiler warnings. Removed compiler warning. Various small fixes. Added explanation of our key exchange using RSA encryption. - route.c is now used to determine destination Updated translation. Added a description of what is going on in net.c and route.c, and how Fixed a race condition triggered by receive_meta() and the new Fixed bug in setup_signals() that would make tinc die when unexpected Ignore alarm signals if we do not need to respond to them. Check indirectdata option before forwarding certain requests. Depend on new ssl package and install alias for universal TUN/TAP module. Correctly cycle through ConnectTo variables. 
- s/ip_t/ipv4_t/g - Make sure correct information is supplied for both old kernels (with More revisions to the documentation: Changed URL from kernelnotes.org to linuxdoc.org. Add randomness to PING/PONG packets to prevent crypto attacks on quiet Since this is incompatible with some earlier versions, PROT_CURRENT is All features for 1.0 are implemented now, we just have to check the Only send key_changed if it was previously requested. Small fixes: Small corrections to the manuals. With recent kernels the tun device file is located in /dev/net. TCPonly now works (in a relatively clean way too). Merged PROTOCOL, NETWORK and SECURITY2 with the texinfo manual. Documents are merged. Now we only need to check the ports and the TCPonly Fix sample configuration to show keys in PEM format and correct tapdevice. Ivo Timmermans (88): Add a check for openssl that accepts explicit file locations. Identify version as 1.0pre4-cvs Better checks for OpenSSL. I think it can now detect almost all conceivable installations. Oops, small error. Get rid of the annoying empty line Also check for rand.h and err.h. If any of these files does not Also check for sha.h. Use the HAVE_OPENSSL_xxx_H defined from m4/openssl.m4 during Let the output from an executed script in execute_script() go to List management and manipulation routines. Keep a list of running children, and in each loop in main_loop(), Move all process-related functions into process.c. New function: xmalloc_and_zero, which initialises the allocated memory Delete struct ifr Move more functions from tincd.c into process.c. Use proper prototypes. Added this release More function and header checks Also include process.h Get rid of all libtool references at once. libtool was only used by Honor the --localstatedir option to configure, instead of hardcoded /var. Add more checks to ensure that filedescriptors are right in Declare fd. Do not use the C library's daemon() call. 
Do not check for the daemon() system call Do not attempt to retrieve ChangeLog information only from the CABAL Set localstatedir to /var Use cvs2cl instead of rcs2log to generate the ChangeLog. Set CFLAGS to -O2 -Wall when running configure Alter CFLAGS, somehow INCLUDES doesn't propagate properly. Still Set errno to 0 before trying to kill the other process. Explain how to tell configure where OpenSSL lives. Call autogen.sh instead of configure alone; and make cvs-clean instead Add default tinc-up and tinc-down scripts for a Debian system. These Updated Spanish translation, provided by Enrique Zanardi. Give an error message if daemon() failed. Check for the function strsignal, and define it to "" if it is not Sort items to either 1.0 or future release goals. Use sigaction to set signal handlers, the previous commit (1.1.2.16) Save RSA public and private keys to a separate file, instead of dropin.c/h contain a set of drop-in replacements for non-standard C Check for get_current_dir_name. There is a replacement function in Added a check for a scanf that knows about %as. Implemented a readline() function that will read an entire line into a xstrdup now takes a const pointer as an argument. Use readline() in read_config_file() instead of fgets. Also free the pointer returned by readline(). Updated Dutch translation Implemented is_safe_path, and extended ask_and_safe_open. Read the PEM file pointed to by the configuration directive The file is safe if it doesn't exist. In readline(): initialise the line to zero length; Better error checking when reading the RSA private key. Avoid printing duplicate messages from read_rsa_keys New function read_rsa_public_key(); All full stops have two spaces after them. (Silly commit, I know.) Tagged `Storing private key in separate file' as done. 
readline() accepts two extra parameters, buf and buflen, to avoid Use buffer instead of line in read_config_file(), line may be assigned Stated that distributing executables linked with OpenSSL is permitted Include COPYING.README in the distribution. Added documentation merger Sort configuration directives Option -d accepts an argument to set the debug level immediately. Massive long awaited documentation update. It's not finished yet, Oops. I did some VERY wrong things with readline(). Fixed now. Tiny bits of code beautifying Install a file in /etc/modutils/tinc, containing all necessary aliases Ported it back to /bin/sh. Give a warning about having to re-create the keys Re-introduced MyVirtualIP and VpnMask, as dummy options. Various small changes. Include autogen.sh (needed for the Debian package). Forget router.c Added lint target, requires lclint. Fix error reporting of read_config Set Architecture to `any' Change version to 1.0pre4 Second draft of the release notes Merged documentation with various updates I had lying around Get the Debian changelog up to date Get the PO files up to date with the current source Fixed some errors Distribute the sample config as a .tar.gz Unpack sample-config.tar.gz when installing More files to ignore in CVS tinc_TUNTAP now substitutes the values outside the AC_CACHE_CHECK Authentication done Wessel Dankers (1): Important bugfix in avl_insert_before() and avl_insert_after() Version 1.0pre3 November 09 2000 ------------------------------------------------------------------------ Guus Sliepen (119): Debian init.d script automatically sets tap device's MTU to 1448 now. First step for implementation of the "indirectdata" directive. This should If we have "indirectdata" flag set, we only send data to our uplink. Large cleanup: Added CVS Id tags to header files. - Log possible spoofing attacks. Hostnames are back! Hostlookup() is actually being called now. - More verbose connection list Fixes some hostlookups. 
Fixes indirectdata for real now (hopefully). - Indirectdata finally REALLY REALLY works now! - Moved all connection messages to debug level 1, without -d's only the - Fixed KEY_CHANGED notification. A lot of notify_others() calls were - Fixed indirectdata=no problem - Improved handling of errors on connection attempts. - Purge old connections that are ADD_HOSTed. - Fixes a silly little insignificant buglet. - Extra check for EINTR when reading requests - Fixed some spelling errors. - Fixed missing " in nl.po - Fixed a message in nl.po - Added log message when SIGCHLD is received ("thanks" to Ivo van Dong) - Updated Dutch translation. - Removed all IP_ADDR_S macros, because gettext doesn't like them. Each - New semantics for BASIC_INFO, ADD_HOST and DEL_HOST requests. This will - Fixed memory leak. - Removed segfault bug in conf.c (must have been there for ages!) - Instead of logging an error when remote end closes the connection, - Made tinc even more silent if no -d flag is given at all. - Added documentation for the protocols (most important the meta protocol) - Removed a single unused bit from status_bits_t. - Updated PROTOCOL (a bit) - Forgot to mention ourselves in the tincd manual page! :) - Added Spanish translation from Enrique Zanardi. - Updated THANKS file - Delayed address resolving for ConnectTo lines in configuration file to - Fixed typo. - Added experimental hackish tunneling-over-TCP support. - Lots o' buglets fixed (-Wall helps) Fixed PACKET read loop. Removed calling add_queue for tcponly packets. - Added date/time of build and protocol number to --version output. - Moved TCP packet reception to meta handler: less kludgy and less buggy! - Reinstated O_NONBLOCK for meta socket - Added two extra configuration options, Interface and InterfaceIP, to Fixed all sprintf() spl01ts. Ran update-po and updated dutch translation. Commented on some size calculations. Updated the manual: Updated tinc.conf manual. 
Fix rules (thanks to Laurence) - Use strerror() instead of sys_errlist[] for increased portability - New protocol. Will break everything else for now. - Added more function skeletons for the new protocol. - Lots of functions added for the new protocol. - Some key exchange stuff. (Last commit before going to bed.) - Fixed modulo in keylength check - Lots of small changes. Added document about the used cryptographic algorithms and the reasons - Included authentication scheme from protocol.c - Updated authentication scheme. - Severe code reduction and simplification of challenge requests - Removed options "string" stuff. It was a bad idea... - Very detailed example of the authentication phase. - Added meta.c which contains functions to send, receive and broadcast - Added subnet handling code Removing cipher directory (all will be covered by OpenSSL). Big and bad commit of my current tree... - Changed genauth to produce rsa keypairs instead of random passphrases. - Generalized config file parsing to support multiple configuration trees. - Fixing-things pass: every source file compiles into an object file now, - Second fixing-things pass: it even links now. - The daemon actually runs now (somewhat) Corrected #ifdefs for tun/tap support. - Fixing little things - More fixing. Tinc daemons can now even create activated connections. - Seed the PRNG using /dev/random before generating the keys. - tinc now really does public/private key encryption! It even works, whee! - Made Makefile.am stub for doc/es/ - Removed last reference to genauth from Makefile.am - Fixed all debug levels. - route.c will contain the routing logic. - Lots of little stuff modified - Updated subnet list handling. Subnets are added to two lists now, the - Lots of small fixes - Fixed offsets when reading/writing from/to tap device - Override destination ethernet address on incoming packets with - Very big cleanup. 
- Fixed ans_key_h - Hit people who can't figure out subnet address/mask pairs with a - Enforce correct order of authentication requests - Moved connlist stuff to the proper header file. - Updated dutch translation. - Removed old encr stuff - Small fixes - Use CFB mode for encrypting packets: it works and we don't need padding. - Finishing touch: encrypt the meta connections - Small cleanups - Fixed some spelling mistakes and terminology here and there. - Update. Removed config file parsing and interface setup. This will be handled by - Removed unused MAC strip/add functions. - Removed even more warnings. - Resolve scriptname after fork() - Removed manpage for no longer existing genauth. - connlist.c added to translation - Don't forget to set packet cipher for added hosts. - Forward keys in hex notation, not as binary data. - Check for packets that are looping back. - Simplified ping mechanism. - Prepended config_ to all configuration option names, because it confused Changed execution of tinc-up: - Open UDP connection for all known hosts. Comments please. Porting to SunOS 5.8: Porting to SunOS 5.8: - Fixed --config - Applied Jamie Brigg's patch (close sockets after error) - Add Jamie :) - Make checkpoint tracing a compile time option (off by default)

Ivo Timmermans (77):
Alphabetized the list, added Lubomír Bulej, removed Sander Smeenk and Tijs van Bakel, put merits after all names. Don't touch VPNMASK if it's defined, otherwise use $MSK. These files are created by gettextize (run by autogen.sh) (should have known that). Include ../intl in the include path, and add @INTLLIBS@ to the list of libraries. Merge changes from 1.6-1.8. Configuration directive `IndirectData'. Changed version number to 1.0pre3. Version 1.0pre3. Removed Free Software Foundation copyright, because Guus Sliepen contributed significantly. Oops, and mention Guus too. Include the Spanish translation in the distribution/build process.
(Quoting Laurence Lane:) Also chomp $VPNMASK Added a rule to create an rpm Changed CVSROOT path in `make ChangeLog' Link with OpenSSL crypto libraries instead of own blowfish library Updated text, removed protocol flowchart Include openssl/blowfish.h Support for -lsocket and -lnsl on SunOS Correct filenames for passphrases given in the example Add Guus' name and shift out old protocol requests Better checks for SunOS libraries Added some structures and types that are needed for the overhaul. New directive: Name. First round of needed fixes after the overhaul Second round of fixes Added Spanish translation of the docs by Matias Carrasco Many updates, parts rewritten, added, shuffled around. Link with OpenSSL, forget libGMP Updated new requirements, pointers to the manual Don't look for GMP header files Update Depends lines to reflect the dependencies on OpenSSL Fix `Requirements'-section for GMP and OpenSSL libraries. Add CVS id lines Add checks for the presence of the universal tun/tap device driver. Wrap the tun/tap code in #ifdef HAVE_TUNTAP Linearized checks for if_tun.h Really #include the if_tun.h files now Output doc/es/Makefile Process subdir es/ Don't declare cp_file and cp_line in xmalloc() Get the head revision up to date with cabal Changed changelog Include linux/sockios.h and net/if.h anyway, regardless of the value of HAVE_TUNTAP. read_server_config: Check for result of read_config_file. Oops, echelon change committed to cabal... :) Skip the check for Linux kernel sources This file is no longer needed. - Synchronized changelog with the package's changelog. Do not include $(top_srcdir)/cipher, it does no longer exist. Added a perl example to turn an IP address into a MAC address. Only check for linux/if_tun.h once Changed `I' to `We' - small change, lots of difference :) More exhaustive list of changes - perhaps it can be worded differently? 
Change wsl to Wessel's name and email address in the ChangeLog creation Mention fileutils, add a pointer to THANKS for more details Changed a few messages wrt. system calls; updated and changed the Dutch translation a bit. Don't include shlibs, as it no longer exists. Oops, and include doc-base.tinc (new file). - If necessary, patch po/Makefile.in from po-Makefile.in.in.diff to Minor cosmetic change. Save the environment on startup. Run the scripts tinc-up and tinc-down from a separate function, which Warnings removal pass: always include config.h first; add a few Small change to the way the environment is copied. Use putenv() instead of clumsy do-it-yourself in execute_script. Do not include the passphrases directory In execute_script: Add route.c to the list of source files. Updated Dutch translation Build-depends on libtool Build-Depends on gettext Final release notes added, also edited release notes for 1.0pre2 to what the announcement on the mailing list looked like. Wrapped text to 70 (72?) columns for easy reading Bop version number to 1.0pre3-1 Updates, updates Add prototype for destroy_queue

Wessel Dankers (3):
File added to CABAL (hopefully) Grrr, recommit Added architecture section, made a start with the kernel section.

Version 1.0pre2 May 31 2000
------------------------------------------------------------------------

Ivo Timmermans (56):
Deleted the protocol description. Perl version of the system startup script. Only print an error with send_termreq if debug_lvl is 2 or more. Add check for mpz_powm in libgmp3. Version 1.0pre1-0.1. Changed version to 1.0pre2. Give IP address instead of hex number when connecting tcp socket failed. Add shlibs control file for the blowfish library. Inserted useful content. Add initscript, tincd->tinc. Add description, better dependancies. Mention both upstream authors. tincd->tinc .deb version number 1.0pre2-0.4. Updated to newer version. Exit with zero status if is empty.
Unlimited length in the config file, thanks to Cris van Pelt. Depend on perl5. *** empty log message *** Look if the tap devices exist before bluntly remaking them. Use the new VpnMask directive to add a route to the rest of the VPN. This file is generated with dpkg-buildpackage. Read /etc/tinc/nets.boot to find the networks that have to be started. Create a default /etc/tinc/nets.boot after installation, containing all directories under /etc/tinc by default. Version 1.0pre2-0.3 Don't distribute the file files. Find networks in instead of . Include postinst in the distribution. Errors will not terminate the script or result in a nonzero exit code. Updated copyright notice. Fixed typo. Mask the vpn net with the vpn netmask, route would give an error if the netmask didn't match the net. When VpnMask is not present in the config file, silently use $MSK as vpnmask. Add an example of using VpnMask. Use /etc/tinc/example as a base directory for an example. /etc/tinc/example/README points to /usr/share/doc/tinc/README.Debian. Create an empty /etc/tinc/nets.boot. Updated by Lubomir Bulej and Mads Kiilerich: it uses /etc/tinc/nets.boot and the VpnMask directive in the config files. Internationalization of tinc. Include intl/ directory in the list of subdirs. Include system.h and ABOUT-NLS. Update acconfig.h to include values for gettext inclusion. Include GNU gettext checks. Define LOCALEDIR in CFLAGS. Dutch translation of tinc. Bounds check for request id (between 0 and 255). Updated changes list for version 1.0pre2. Added new configuration directive `Hostnames', which controls the resolving of IP addresses to hostnames. When a connection is terminated, all hosts that are still connected get notified of the lost connections. In terminate_connection, only send a notification to hosts that are directly connected to us. (DEL_HOST gets forwarded automatically.) 
Only accept an ADD_HOST request for a host that already exists in our conn_list if the nexthop field matches the sender. This is a workaround for older clients. Include news for 1.0pre2. Tell about /etc/tinc/nets.boot. Updated Dutch translation. Version 1.0pre2-1. Handle locale settings. Miscellaneous copyright updates.

Guus Sliepen (16):
Proxymode removed. Cleanups. Changed ping behaviour (backwards compatible). If we don't have any data Fixed typos. Test for existence of configured tinc networks. This will also make Stub for VpnMask config directive. TODO file reinstated: VpnMask truely works now. Typo. Fixed last typo. Init.d now uses ifconfig command to set both the tap's IP Documentation updates. Removed all references to configuration variable Fix for a DoS attack: Fixed typos. When terminating a connection, it's status is not only set to Made tinc persistent. If no outgoing connection can be established right Terminate a connection on any error. Furthermore, disallow del_host, Only activate a connection upon receiving it's public key if it's an

Version 1.0pre1 May 08 2000
------------------------------------------------------------------------

Ivo Timmermans (84):
Get rid of the message `zxnrbl\'. Upon regeneration, free the old encryption key `securely\' by overwriting it. Kill the parent after any error conditions in detach(). Ignore SIGCHLD. New option -D, don't detach. Moved to version number 1.0. Only one round of reading bits out of urandom; Pass the requested size from xmalloc() and xrealloc() on to xalloc_fail_func() Check for an illegal length of passphrase in read_passphrase(). Check if stdout is a terminal, if so, print a verbose message. Default passphrase length of 1024, added -h/--help options. Submitted by Mads Kiilerich. New manpage for genauth. Updated manpages. Address for bugreports changed to tinc@nl.linux.org. Include the directory redhat in the build process. Include genauth.8 in the distribution. Submitted changes by Mads Kiilerich.
A short notice from Mads Kiilerich. Keep make dist(dir) happy. Added cvs-clean. These files are not needed in release 1.0. Don't compile in `idea'. Don't include idea/idea.h. Don't try to create cipher/idea/Makefile. The shell script autogen.sh can create all these removed files, but be s/Gnome/tinc/g This file is obsolete, most of the ideas are already in echelon. Remove check for bigendianness. Don't define HAVE_NAMESPACES and HAVE_STL. Use `make ChangeLog' to create this file from the CVS logs. Remove test for GNOME. Changes largely from Mads Kiilerich. Added Mads Kiilerich, removed Guus Sliepen. *** empty log message *** Generate this Makefile.am from Makefile.am.in. Contributed by Mads Kiilerich. Spelling fixes. Delete all the files that are created by autogen.sh on a `make cvs-clean'. Propagate CFLAGS from configure to gcc. Don't include TODO in the dist. Remove ChangeLog with a `make cvs-clean'. Initial CVS. *** empty log message *** Create a ChangeLog file, automake requires it. *** empty log message *** Debug level tweaking. From Mads Kiilerich. The make command is in /usr/bin. Add an entry to dir. Omit TODO. Version to 1.0pre1; Filled in the details, license from libblowfish copied. Updated version number to 1.0. Default config file name is tinc.conf, and pidfile is tinc.pid. More updates wrt. the change from tincd->tinc. Added `deb' target. Filled up the protocol structs with unused bytes. Got rid of the nasty hacks... and replaced it by another one. Initially, the vpn_mask of a connection is 255.255.255.255 to avoid confusion with lookup_conn. Replaced check for status.active by status.dataopen in check_network_activity. New way of handling the meta protocol. Read public keys the right way (tm). Removed debug messages. Read one less byte from an ANS_KEY request. Send one less byte from an ANS_KEY request. Protocol fix (ANS_KEY). This breaks 0.3.3 protocol compatibility. Key forwarding, write one byte extra. Committed by Lubomír Bulej.
Updates by Mads Kiilerich. Committed by Mads Kiilerich. Fixed meta protocol. More tincd->tinc updates. Mentioned new metaprotocol. Fix a typo, better handling of the info document. (from Mads Kiilerich) Don't use error.h or error(), put #error in front of cpp errors. getopt_long() support for platforms that don't have it. Include stdio.h for fprintf. More for getopt support. Check for the existance of libdl. Don't link in libdl. Include sys/types.h. Copied most of the code from the redhat script. Added semicolons required by bash2 (Mads Kiilerich).

Guus Sliepen (18):
Added extra checks for desynchronized connection lists. Hopefully this will Bug found! Wrong pointer was used for handling multiple ADD_HOST requests Added checkpoints to beginning and ending of every function. Packet queues fixed. They caused the trouble when resending keys. Fixed typo and removed some unnecessary variables. When trying to talk to a host that is in the netmask of a tinc server but Converted every &variable[0] to variable. Cleanups: Removed write_n() function. Oops! Reference to write_n() removed and changed into neat write() call. Meta protocol overhaul. Tinc is now incompatible with previous versions, Fixed small mistake that would prevent forwarding requests. Previous fix fixed. Meta protocol should be really flawless from now on! Replaced sprintf() by safer snprintf(), removed possible buffer overflow Outgoing packets now use network byte order in header. Fixes typo and UDP network byte order. Squashed gcc warning. Added new config variable "ProxyMode". If enabled, all outgoing packets