Commit graph

27 commits

Author SHA1 Message Date
tron
73d05e2276 Recursive PKGREVISION bump for OpenSSL API version bump. 2014-02-12 23:17:32 +00:00
tonnerre
1d5de3fc2c Update net/tinc to version 1.0.23.
Changes since version 1.0.22:
 - Check for writability when waiting for a socket to finish connecting.
 - Don't send PING requests on connections which are not active yet.
 - Fix segfault when Name = $HOST but $HOST is not set.
 - Fix typos in the documentation.
 - Modernize the build system.
 - Get rid of the splay tree implementation.
 - Add description of IffOneQueue and MaxTimeout to the info manual.
 - Clean up child processes from proxy type exec.
2013-12-01 20:18:29 +00:00
tonnerre
c0ecc5698c Update tinc to version 1.0.22.
Changes since version 1.0.13:
 * Better optional argument handling.
 * Set $NAME when calling host-up/down and subnet-up/down scripts.
 * Don't echo broadcast packets back when Broadcast = direct.
 * Update copyright notices.
 * Fix combination of Mode = router and DeviceType = tap on Linux.
 * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
 * Use /dev/tap0 by default on FreeBSD and NetBSD when using Mode = switch.
 * Document how to load the tap driver on FreeBSD.
 * Update THANKS file.
 * Also clarify hostnames=[yes|no] in tinc.conf(5).
 * Attribution for Vil Brekin and some code style cleanups.
 * Don't ignore Makefile.am.
 * Fix links in documenation.
 * Attribution for Martin Schürrer.
 * Add strict checks to hex to binary conversions.
 * Clear connection options and status fields in free_connection_partially().
 * Fix warnings from cppcheck.
 * Clear Ethernet header when reading packets from a tun device.
 * Clear status and options fields of unreachable nodes.
 * Fix warnings from groff.
 * Using alloca() for a constant sized buffer is very silly.
 * Make sure PMTU discovery works in switch mode with VLAN tags.
 * Mention in the manual that support for LZO and zlib can be disabled.
 * Fix configure script help text for --enable options.
 * Don't take the address of a variable whose scope is about to disappear.
 * Send broadcast packets using a random socket, and properly support IPv6.
 * Remove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.
 * Fix support for tunemu on iOS devices.
 * Make sure PriorityInheritance also works in switch mode.
 * Detect increases in PMTU.
 * Fix a compiler warning.
 * Fix segmentation fault when trying to connect via a SOCKS5 proxy.
 * Don't send proxy requests for incoming connections.
 * Fix compiler warnings on Windows.
 * Fix detection of rejected SOCKS5 proxy requests.
 * Basic patch for android cross-compilation.
 * Replace hard-code with new ScriptsInterpreter configuration property.
 * Add basic .gitignore file, cleaning (most) files generated by autotools.
 * Use __ANDROID__ define rather than dirty hard-code to allow android NDK cross-compilation.
 * Android cross-compilation instructions.
 * Output details of encryption errors
 * Minor clarification, tinc.conf hostnames=[yes|no] variable only resolves names for logging purposes.
 * Support :: in IPv6 Subnets.
 * Remove newline from log message.
 * Add support for systemd style socket activation.
 * Allow environment variables to be used for Name.
 * Allow broadcast packets to be sent directly instead of via the MST.
 * Add basic support for SOCKS 4 and HTTP CONNECT proxies.
 * Add support for SOCKS 5 proxies.
 * Add support for proxying through an external command.
 * Document new proxy types.
 * Small fixes in proxy code.
 * Fix compiler warnings.
 * Fix crash when using Broadcast = direct.
 * configure.in: fix AC_ARG_ENABLE and AC_ARG_WITH
 * add (errnum) in front of windows error messages
 * Always try next Address when an outgoing connection fails to authenticate.
 * Allow a port to be specified in BindToAddress statements.
 * Add support for multicast communication with UML/QEMU/KVM.
 * Set default value of DecrementTTL to "no".
 * Add #ifdefs in case not all platforms support IPv4 and IPv6 multicast.
 * Allow scoped addresses to be used for IPv6 multicast socket.
 * Fix compiler warnings.
 * Fix return value type of vde_send().
 * Fix some more compiler warnings.
 * Document OpenBSD "ifconfig link0" and Linux "ip tuntap" commands.
 * Fix return type of vde_recv() as well.
 * Mark DecrementTTL option experimental.
 * Prevent read_rsa_public_key() from returning an uninitialized RSA structure.
 * Return false instead of void when there is an error.
 * Fix compilation of VDE and UML interfaces.
 * Add vde/device.c to the tarball.
 * Fix a few small memory leaks.
 * Allow linking with multiple device drivers.
 * Set FD_CLOEXEC flag on all sockets.
 * Allow multiple BindToAddress statements.
 * Merge branch 'master' of black:tinc
 * Send packets back using the same socket as they were received on.
 * Allow setting DeviceType to tun or tap on Linux.
 * Merge branch 'master' of black:tinc
 * Only compile raw socket code when it is supported on that platform.
 * Decrement TTL of incoming packets.
 * Don't bind outgoing TCP sockets anymore.
 * Rename connection_t *broadcast to everyone.
 * Allow disabling of broadcast packets.
 * Move initialization of char *priority up to prevent freeing an uninitialized pointer.
 * Document the command line flag -o and provide --option as well.
 * Fix a bug that caused tinc to ignore all but the last listening socket.
 * Fix check for raw socket support.
 * Pass index into listen_socket[] to handle_incoming_vpn_data().
 * Add LocalDiscovery option which tries to detect peers on the local network.
 * Don't send ICMP Time Exceeded messages for other Time Exceeded messages.
 * Stricter checks against routing loops.
 * Only use broadcast at the start of the PMTU discovery phase.
 * Only log errors sending UDP packets when debug level >= 5.
 * Accept Subnets passed with the -o option when StrictSubnets = yes.
 * Add missing ICMP6 message type definitions.
 * Make sure disabling old RSA keys works on Windows.
 * Update copyright notices.
 * Add missing ICMP message type definitions.
 * Make code to detect two nodes with the same Name less triggerhappy.
 * Flush output buffer in send_tcppacket().
 * Use usleep() instead of sleep(), MinGW complained.
 * Reorder checks for libraries to allow ./configure LDFLAGS=-static.
 * Make return value of SetPriorityClass() behave the same as setpriority().
 * Fix sparse warnings and add an extra sprinkling of const.
 * Remove newlines from log messages.
 * Remove a few unnecessary #includes.
 * Attribution for Loïc Grenié.
 * Improved --logfile option.
 * Remove redundant @CFLAGS@ from AM_CFLAGS.
 * Nearly tickless tinc.
 * Fix reading configuration files that do not end with a newline. Again.
 * Define WINVER before including any other header file on Windows.
 * Use intptr_t instead of long to store a pointer.
 * OpenSSL 1.0.0 compiled for 64 bit Windows requires linking with -lcrypt32.
 * Fix all warnings when compiling with mingw64.
 * Use strrchr() insteaad of rindex().
 * Detect and prevent two nodes with the same Name being on the VPN simultaneously.
 * Use 64 bit counters to keep track of bytes sent/received from the virtual network interface.
 * Do not append an address to ANS_KEY messages if we don't know any address.
 * Merge local host configuration with server configuration.
 * Remove duplicate command-line option parsing.
 * Attribution for Julien Muchembled.
 * Attribution for Timothy Redaelli.
 * Ensure there is a newline character before a PEM key is written.
 * Abort disabling old PEM keys on I/O errors.
 * Remove unused variables.
 * Quit when there are too many consecutive errors on the tun/tap device.
 * Read error counter must be static.
 * Add short options -R and -U to the tincd(8) manpage.
 * Don't use strlen() on a NULL pointer.
 * Provide usleep() for Windows.
 * Use variable length arrays instead of alloca().
 * Fix warning message when setting SO_RCVBUF or SO_SNDBUF fails.
 * Free replay window when freeing a node_t.
 * Fix variable length array declaration.
 * Attribution for Brandon Black.
 * Use setpriority() instead of nice() on UNIX-like systems.
 * Always send MTU probes at least once every PingInterval.
 * Close all filedescriptors in Solaris close_device().
 * Limit field width when scanning PID file.
 * Replace bogus #else with #endif.
 * Remove unused variables.
 * Document the behavior of "-n."
 * Update the manual.
 * Update the NEWS.
 * Proper check and dropin replacement for usleep().
 * Fix typo spotted by Andrew Scheller.
 * Add support for VDE through libvdeplug.
 * Fix spurious misidentification of incoming UDP packets.
 * Prevent anything from updating our own UDP address.
 * Do not set indirect flag on edges from nodes with multiple addresses.
 * Increase threshold for detecting two nodes with the same Name.
 * Always use the default signal handler for ABRT signals.
 * Check for EVP_EncryptInit_ex instead of SHA1_Version in OpenSSL.
 * Update THANKS and copyright information.
 * Ensure proper linking with OpenSSL with recent versions of MinGW.
 * Include <inttypes.h> when using intptr_t.
 * Experimental IFF_ONE_QUEUE support for Linux
 * Configurable SO_RCVBUF/SO_SNDBUF for the UDP socket
 * Configurable ReplayWindow size, zero disables
 * Improved handling of queue-jumping packets on receive
 * New '-o' option to configure server or hosts from command line
 * Fix command-line '-o' option for host configuration
 * Fix warnings showed using -D_FORTIFY_SOURCE=2
 * Fix warnings under BSD
 * Treat netname="." in a special way.
 * DragonFlyBSD support
2013-10-14 18:27:54 +00:00
jperkin
becd113253 PKGREVISION bumps for the security/openssl 1.0.1d update. 2013-02-06 23:20:50 +00:00
asau
e059e7e469 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 17:18:07 +00:00
joerg
f09264241a Don't use empty lines in mdoc documents. Bump revision. 2012-01-23 00:29:31 +00:00
obache
1d9df3258a recursive bump from gettext-lib shlib bump. 2011-04-22 13:41:54 +00:00
rumko
486ace2647 net/tinc: account for different header path on dfly
On DragonFly BSD, tun and tap headers are under net/tun/ and
net/tap/ and not directly in net/. Due to this, tinc does not
properly set up the tun devices in runtime. Bump PKGREVISION.

ok@ wiz
2011-02-13 00:20:24 +00:00
tonnerre
5aa0f78af5 Upgrade tinc to version 1.0.13.
Changes since 1.0.9:

  * Mark Forwarding and DirectOnly options as being experimental.
  * Don't redefine MAX if it already exists.
  * Fixes for definitions under Windows.
  * Ensure subnet-up/down scripts are called after HUP when necessary.
  * Fix reloading Subnets when StrictSubnets is set.
  * Reload Subnets when getting a HUP signal and StrictSubnets is used.
  * Ensure ICMP_NET_ANO is defined.
  * Convert Port to numeric form before sending it to other nodes.

    If one uses a symbolic name for the Port option, tinc will send that name
    literally to other nodes.  However, it is not guaranteed that all nodes have
    the same contents in /etc/services, or have such a file at all.

  * Never delete Subnets when StrictSubnets is set

    If a node is unreachable, and not connected to an edge anymore, it gets
    deleted. When this happens its subnets are also removed, which should
    not happen with StrictSubnets=yes.

    Solution:
    - do not remove subnets in src/net.c::purge(), we know that all subnets
      in the list came from our hosts files.
      I think here you got the check wrong by looking at the tunnelserver
      code below it - with strictsubnets we still inform others but do not
      remove the subnet from our data.
    - do not remove nodes in net.c::purge() that still have subnets
      attached.

  * Log unauthorized Subnets when StrictSubnets is set.
  * ConnectTo does not mean tinc does not listen for incoming connections anymore.
  * Fixes for the Forwarding option.
  * Add the DirectOnly option.

    When this option is enabled, packets that cannot be sent directly to the destination node,
    but which would have to be forwarded by an intermediate node, are dropped instead.
    When combined with the IndirectData option,
    packets for nodes for which we do not have a meta connection with are also dropped.

  * Add the Forwarding option.

    This determines if and how incoming packets that are not meant for the local
    node are forwarded.  It can either be off, internal (tinc forwards them itself,
    as in previous versions), or kernel (packets are always sent to the TUN/TAP
    device, letting the kernel sort them out).

  * Add the StrictSubnets option.

    When this option is enabled, tinc will not accept dynamic updates of Subnets
    from other nodes, but will only use Subnets read from local host config files
    to build its routing table.

  * Preload all Subnets in TunnelServer mode.

    This simplifies the logic in protocol_subnet.c.

  * Check for dirent.h.
  * Simplify reading lines from configuration files.

    Instead of allocating storage for each line read, we now read into fixed-size
    buffers on the stack. This fixes a case where a malformed configuration file
    could crash tinc.

  * Clamp MSS to miminum MTU in both directions.

    Clamp MSS of both incoming and outgoing packets, and use the minimum of the
    PMTU of both directions when clamping.

  * Add --disable-zlib configure option
  * Add --disable-lzo configure option
  * Ensure peers with a meta connection always have our key.

    This keeps UDP probes going, which in turn keeps NAT mappings alive.

  * Update copyright notices.
  * Try to set DF bit on BSDs as well.

    Every operating system seems to have its own, slightly different way to disable
    packet fragmentation. Emit a compiler warning when no suitable way is found.
    On OpenBSD, it seems impossible to do it for IPv4.

  * Immediately exchange keys when establishing a meta connection.

    This in turn will trigger PMTU discovery, and ensures nodes know each others
    reflexive UDP address and port.

  * Determine peer's reflexive address and port when exchanging keys.

    To help peers that are behind NAT connect to each other directly via UDP, they
    need to know the exact external address and port that they use. Keys exchanged
    between NATted peers necessarily go via a third node, which knows this address
    and port, and can append this information to the keys, which is in turned used
    by the peers.

    Since PMTU discovery will immediately trigger UDP communication from both sides
    to each other, this should allow direct communication between peers behind
    full, address-restricted and port-restricted cone NAT.

  * Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests.

    When we got a key request for or from a node we don't know, we disconnected the
    node that forwarded us that request.  However, especially in TunnelServer mode,
    disconnecting does not help. We now ignore such requests, but since there is no
    way of telling the original sender that the request was dropped, we now retry
    sending REQ_KEY requests when we don't get an ANS_KEY back.

  * Run subnet-up/down scripts for local MAC addresses as well.
  * Fix subnet-up/down scripts being called with an empty SUBNET.

    Commit 052ff8b2c598358d1c5febaa9f9f5fc5d384cfd3 contained a bug that causes
    scripts to be called with an empty, or possibly corrupted SUBNET variable when
    a Subnet is added or removed while the owner is still online. In router mode,
    this normally does not happen, but in switch mode this is normal.

  * Make MSS clamping configurable, but enabled by default.

    It can either be set globally in tinc.conf, or per-node in host config files.

  * Also clamp MSS of TCP over IPv6 packets.
  * Optimise handling of select() returning <= 0.

    Before, we immediately retried select() if it returned -1 and errno is EAGAIN
    or EINTR, and if it returned 0 it would check for network events even if we
    know there are none.  Now, if -1 or 0 is returned we skip checking network
    events, but we do check for timer and signal events.

  * Ping nodes immediately when receiving SIGALRM.

    One reason to send the ALRM signal is to let tinc immediately try to connect to
    outgoing nodes, for example when PPP or DHCP configuration of the outgoing
    interface finished.  Conversely, when the outgoing interface goes down one can
    now send this signal to let tinc quickly detect that links are down too.

  * Clamp MSS of IPv4 SYN packets.

    Some ISPs block the ICMP Fragmentation Needed packets that tinc sends.  We
    clamp the MSS of IPv4 SYN packets to prevent hosts behind those ISPs from
    sending too large packets.

  * Allow Port and PMTUDiscovery options in tinc.conf, always enable PMTUDiscovery by default.
  * Use xstrdup() instead of xasprintf() to copy static strings.
  * Allow port to be specified in Address statements.

    This allows one to connect to use more than one port number to connect to
    another node. The syntax is now:

    Address = <hostname> [<port>]

  * Do not fragment packets smaller than RFC defined minimum MTUs.

    For IPv6, the minimum MTU is 1280 (RFC 2460), for IPv4 the minimum is actually
    68, but this is such a low limit that it will probably hurt performance, so we
    do as if it is 576 (the minimum packet size hosts should be able to handle, RFC
    791). If we detect a path MTU smaller than those minima, and we have to handle
    a packet that is bigger than the PMTU but smaller than those minima, we forward
    them via TCP instead of fragmenting or returning ICMP packets.

  * Forget addresses of unreachable nodes.

    We clear the cached address used for UDP connections when a node becomes
    unreachable. This also prevents host-up scripts from passing the old, cached
    address from when the host becomes reachable again from a different address.

  * Remove unused variable in lookup_subnet_*() functions.
  * When learning MAC addresses, only check our own Subnets for previous entries.

    Before it would check all addresses, and not learn an address if another node
    already claimed that address. This caused fast roaming to fail, the code from
    commit 6f6f426b353596edca77829c0477268fc2fc1925 was never triggered.

  * Start a tinc service if it already exists.
  * Fast handoff of roaming MAC addresses.

    In switch mode, if a known MAC address is claimed by a second node before it
    expired at the first node, it is likely that this is because a computer has
    roamed from the LAN of the first node to that of the second node. To ensure
    packets for that computer are routed to the second node, the first node should
    delete its corresponding Subnet as soon as possible, without waiting for the
    normal expiry timeout.

  * Move socket error interpretation to utils.h.
  * Use WSAGetLastError() to determine cause of network errors on Windows.

    This reduces log spam and lets path MTU discovery work faster.

  * Remove localedir leftovers.
  * Use IP_DONTFRAGMENT instead of IP_MTU_DISCOVER on Windows.

    This ensures the DF bit on outgoing UDP packets gets set on Windows when path
    MTU discovery is enabled, reducing fragmentation.

  * Forward packets to not directly reachable hosts via UDP if possible.

    If MTU probing discovered a node was not reachable via UDP, packets for it were
    forwarded to the next hop, but always via TCP, even if the next hop was
    reachable via UDP. This is now fixed by retrying to send the packet using
    send_packet() if the destination is not the same as the nexthop.

  * Make maxmtu equal to minmtu when fixing the path MTU to a node.

    This ensures MTU probes used to ping nodes are not too large, and prevents
    restarting MTU probing unnecessarily.

  * Always reply to MTU probes via UDP.

    It could sometime happen that a node would return MTU probes via TCP, which
    does not make a lot of sense.

  * Allow UDP packets with an address different from the corresponding TCP connection.
  * Use uint32_t instead of long int for connection options.

    Options should have a fixed width anyway, but this also fixes a possible MinGW
    compiler bug where %lx tries to print a 64 bit value, even though a long int is
    only 32 bits.

  * Add dummy device.
  * Clarify and increase level of log message about MTU probes to unreachable nodes.
  * Handle weighted Subnets in switch and hub modes.

    We now handle MAC Subnets in exactly the same way as IPv4 and IPv6 Subnets.
    This also fixes a problem that causes unncessary broadcasting of unicast
    packets in VPNs where some daemons run 1.0.10 and some run other versions.

  * Fix a possible crash when sending the HUP signal.

    When the HUP signal is sent while some outgoing connections have not been made
    yet, or are being retried, a NULL pointer could be dereferenced resulting in
    tinc crashing. We fix this by more careful handling of outgoing_ts, and by
    deleting all connections that have not been fully activated yet at the HUP
    signal is received.

  * Fix description of the WEIGHT environment variable.
  * Include missing header.
  * Remove debugging message when reading packets from a BSD device.
  * Allow the cloning /dev/tap interface to be used on FreeBSD and NetBSD.

    This device works like /dev/tun on Linux, automatically creating a new tap
    interface when a program opens it. We now pass the actual name of the newly
    created interface in $INTERFACE.

  * Use MTU probes to regularly ping other nodes over UDP.

    This keeps NAT mappings for UDP alive, and will also detect when a node is not
    reachable via UDP anymore or if the path MTU is decreasing. Tinc will fall back
    to TCP if the node has become unreachable.

    If UDP communication is impossible, we stop sending probes, but we retry if it
    changes its keys.

    We also decouple the UDP and TCP ping mechanisms completely, to ensure tinc
    properly detects failure of either method.

  * Small updates to the documentation.

    Mention that TCPOnly is not necessary anymore since tinc will autodetect
    whether it can send via UDP or not. Also mention the WEIGHT environment
    variable and the new default value (2048 bits) of RSA keys.

  * Ensure that the texinfo manual can be converted to HTML.

    The top node was made conditional with the @iftex command, since it should not
    appear in PostScript and PDF output. However, it is still necessary for
    texi2html, so we have to use @ifnottex instead.

    Texi2html also complains about the use of @cindex in the copyright statement,
    so we remove that.

  * Revert "Raise default crypto algorithms to AES256 and SHA256."

    Although it would be better to have the new defaults, only the most recent
    releases of most of the platforms supported by tinc come with a version of
    OpenSSL that supports SHA256. To ensure people can compile tinc and that nodes
    can interact with each other, we revert the default back to Blowfish and SHA1.

  * Remove code duplication when checking ADD_EDGE/DEL_EDGE messages.
  * Don't disconnect clients in TunnelServer mode who send unauthorised ADD_SUBNETs.
    So that we are liberal in what we accept.
  * Removed last gettext function.
  * Remove autogenerated files from EXTRA_DIST.

    Apparently they were once necessary, but autoconf now includes them
    automatically.  Some of them are not used anymore, and this caused make dist to
    fail.

  * Update the NEWS.
  * Add more authors to the copyright headers.

    Git's log and blame tools were used to find out which files had significant
    contributions from authors who sent in patches that were applied before we used
    git.

  * Drop support for localisation.

    Localised messages don't make much sense for a daemon, and there is only the
    Dutch translation which costs time to maintain.

  * Remove checkpoint tracing.

    This feature is not necessary anymore since we have tools like valgrind today
    that can catch stack overflow errors before they make a backtrace in gdb
    impossible.

  * K&R style braces.
  * Update the address of the Free Software Foundation in all copyright headers.
  * Remove Ivo's old email addresses.
  * Remove all occurences of $Id$.
  * Update copyright information.

    - Update year numbers in copyright headers.
    - Add copyright information for Michael Tokarev and Florian Forster to the
      copyright headers of files to which they have contributed significantly.
    - Mention Michael and Florian in AUTHORS.
    - Mention that tinc is GPLv3 or later if compiled with the --enable-tunemu
      flag.

  * Send large packets we cannot handle properly via TCP.

    During the path MTU discovery phase, we might not know the maximum MTU yet, but
    we do know a safe minimum.  If we encounter a packet that is larger than that
    the minimum, we now send it via TCP instead to ensure it arrives.  We also
    allow large packets that we cannot fragment or create ICMP replies for to be
    sent via TCP.

  * Raise default RSA key length to 2048 bits.
  * Use a mutex to allow the TAP reader to process packets faster on Windows.

    The TAP-Win32 device is not a socket, and select() under Windows only works
    with sockets.  Tinc used a separate thread to read from the TAP-Win32 device,
    and passed this via a local socket to the main thread which could then select()
    from it. We now use a global mutex, which is only unlocked when the main thread
    is waiting for select(), to allow the TAP reader thread to process packets
    directly.

  * Remove extra {.
  * Raise default crypto algorithms to AES256 and SHA256.

    In light of the recent improvements of attacks on SHA1, the default hash
    algorithm in tinc is now SHA256. At the same time, the default symmetric
    encryption algorithm has been changed to AES256.

  * Use access() instead of stat() for checking whether scripts exist.
  * Remove dropin random() function, as it is not used anymore.
  * Allow compiling for Windows XP and higher.

    This allows us to use getaddrinfo(), getnameinfo() and related functions, which
    allow tinc to make connections over existing IPv6 networks. These functions are
    not available on Windows 2000 however. By default, support is enabled, but when
    compiling for Windows 2000 the configure switch --with-windows2000 should be
    used.

    Since getaddrinfo() et al. are not functions but macros on Windows, we have to
    use AC_CHECK_DECLS() instead of AC_CHECK_FUNCS() in configure.in.

  * Also do not use drand48(), it is not available on Windows.
  * Use only rand(), not random().

    We used both rand() and random() in our code. Since it returns an int, we have
    to use %x in our format strings instead of %lx. This fixes a crash under
    Windows when cross-compiling tinc with a recent version of MinGW.

  * Apparently it's impolite to ask GCC to subtract two pointers.

    If two pointers do not belong to the same array, pointer subtraction gives
    nonsensical results, depending on the level of optimisation and the
    architecture one is compiling for. It is apparently not just subtracting the
    pointer values and dividing by the size of the object, but uses some kind of
    higher magic not intended for mere mortals. GCC will not warn about this at
    all. Casting to void * is also a no-no, because then GCC does warn that strict
    aliasing rules are being broken. The only safe way to query the ordering of two
    pointers is to use the (in)equality operators.

    The unsafe implementation of connection_compare() has probably caused the "old
    connection_t for ... still lingering" messages. Our implementation of AVL trees
    is augmented with a doubly linked list, which is normally what is traversed.
    Only when deleting an old connection the tree itself is traversed.

  * Remove superfluous call to avl_delete().
  * Handle unicast packets larger than PMTU in switch mode.

    If PMTUDiscovery is enabled, and we see a unicast packet that is larger than
    the path MTU in switch mode, treat it just like we would do in router mode.

  * Allow PMTUDiscovery in switch and hub modes again.

    PMTUDiscovery was disabled in commit d5b56bbba56480b5565ffb38496175a7c1df60ac
    because tinc did not handle packets larger than the path MTU in switch and hub
    modes. We now allow it again in preparation of proper support, but default to
    off.

  * Put Subnet weight in a separate environment variable.

    Commit 5674bba5c54c1aee3a4ac5b3aba6b3ebded91bbc introduced weighted Subnets,
    but the weight was included in the SUBNET variable passed to subnet-up/down
    scripts. This makes it harder to use in those scripts. The weight is now
    stripped from the SUBNET variable and put in the WEIGHT variabel.

  * Don't stat() on iPhone/iPod.

    Grzegorz Dymarek noted that tinc segfaults at the stat() call in
    execute_script() on the iPhone.  We can omit the stat() call for the moment,
    the subsequent call to system() will fail with just a warning.

  * Add support for iPhones and recent iPods.

    This is a slightly modified patch from Grzegorz Dymarek that allows tinc to use
    the tunemu device, which allows tinc to be compiled for iPhones and recent
    iPods. To enable support for tunemu, the --enable-tunemu option has to be used
    when running the configure script.

  * Another safe bitfield conversion.
  * Add the GPL license to the repository.

    Tinc is licensed under the GPL version 2 or later. To ensure autoconf does not
    install the wrong license if COPYING is missing, we have to put the right one
    in place.

  * Convert bitfields to integers in a safe way.

    This is commit eb391c52eed46f3f03b404553df417851fc0cb90 redone, but without the
    non-standard anonymous union.

  * Ensure tinc compiles with gcc -std=c99.

    We use a lot of C99 features already, but also some extensions which are not in
    the standard.

  * UNIX signal numbers start at 1.
  * Replace asprintf() by xasprintf().
  * Check the return value of fscanf() when reading a PID file.
  * Add xasprintf() and xvasprintf().

    These functions wrap asprintf() and vasprintf(), and check the return value. If
    the function failed, tinc will exit with an error message, similar to xmalloc()
    and friends.

  * Remove extra semicolon in my definition of setpriority()
  * Always remove a node from the UDP tree before freeing it.

    Valgrind caught tinc reading free'd memory during a purge(). This was caused by
    first removing it from the main node tree, which will already call free_node(),
    and then removing it from the UDP tree. This might cause spurious segmentation
    faults.

  * Change level of some debug messages, zero pointer after freeing hostname.
  * Do not log errors when recvfrom() returns EAGAIN or EINTR.

    Although we select() before we call recvfrom(), it sometimes happens that
    select() tells us we can read but a subsequent read fails anyway. This is
    harmless.

  * Remove pending MTU probe events when a node's reachability status changes.
  * Don't try to send MTU probes to unreachable nodes.

    If there is an outstanding MTU probe event for a node which is not reachable
    anymore, a UDP packet would be sent to that node, which caused a key request to
    be sent to that node, which triggered a NULL pointer dereference. Probes and
    other UDP packets to unreachable nodes are now dropped.

  * Properly set HMAC length for incoming packets.
  * try outgoing connections before chroot/drop_privs

    When chrooted, we either need to force-initialize resolver
    and/or nsswitch somehow (no clean way) or resolve all the
    names we want before entering chroot jail.  The latter
    looks cleaner, easier and it is actually safe because
    we still don't talk with the remote nodes there, only
    initiating outgoing connections.

  * cleanup setpriority thing to make it readable
  * Add some const where appropriate.
  * Add ProcessPriority option.

    This option can be set to low, normal or high. On UNIX flavours, this changes
    the nice value of the process by +10, 0 and -10 respectively. On Windows, it
    sets the priority to BELOW_NORMAL_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS and
    HIGH_PRIORITY_CLASS respectively.

    A high priority might help to reduce latency and packet loss on the VPN.

  * src/net_socket.c: Bind outgoing TCP sockets to `BindToAddress'.

    If a host has multiple addresses on an interface, the source address of the TCP
    connection(s) was picked by the operating system while the UDP packets used a
    bound socket, i. e. the source address was the address specified by the user.
    This caused problems because the receiving code requires the TCP connection and
    the UDP connection to originate from the same IP address.

    This patch adds support for the `BindToInterface' and `BindToAddress' options
    to the setup of outgoing TCP connections.

    Tested with Debian Etch on x86 and Debian Lenny on x86_64.

    Signed-off-by: Florian Forster <octo@verplant.org>

  * src/linux/device.c: Fix segfault when running without `--net'.

    If running without `--net', the (global) variable `netname' is NULL. This
    creates a segmentation fault because this NULL-pointer is passed to strdup:

     Program terminated with signal 11, Segmentation fault.
     #0  0xb7d30463 in strlen () from /lib/tls/i686/cmov/libc.so.6
     (gdb) bt
     #0  0xb7d30463 in strlen () from /lib/tls/i686/cmov/libc.so.6
     #1  0xb7d30175 in strdup () from /lib/tls/i686/cmov/libc.so.6
     #2  0x0805bf47 in xstrdup (s=0x0) at xmalloc.c:118  <---
     #3  0x0805be33 in setup_device () at device.c:66
     #4  0x0805072e in setup_myself () at net_setup.c:432
     #5  0x08050db2 in setup_network () at net_setup.c:536
     #6  0x0805b27f in main (argc=Cannot access memory at address 0x0) at tincd.c:580

    This patch fixes this by checking `netname' in `setup_device'. An alternative
    would be to check for NULL-pointers in `xstrdup' and return NULL in this case.

    Signed-off-by: Florian Forster <octo@verplant.org>

  * tunnelserver: log which ADD_SUBNET was refused

    Add some logging about refused ADD_SUBNET
    (it causes subsequent client disconnect so it's
    important to know which subnet was at fault).

    Maybe we should just ignore it completely.

  * Do not forward broadcast packets when TunnelServer is enabled.

    First of all, the idea behind the TunnelServer option is to hide all other
    nodes from each other, so we shouldn't forward broadcast packets from them
    anyway. The other reason is that since edges from other nodes are ignored, the
    calculated minimum spanning tree might not be correct, which can result in
    routing loops.

  * Use packet size before decompression to calculate path MTU.

    Since compression can either grow or shrink a packet, the size of an MTU probe
    after decompression might not reflect the real path MTU. Now we use the size
    before decompression, which is independent of the compression algorithm, and
    substract a safety margin such that the calculated path MTU will be safe even
    for packets which grow as much as possible after compression.

  * Add declaration for sockaddrcmp_noport().
  * Fix ans_key exchange in recent changes

    send_ans_key() was using the wrong in vs. outkeylength to
    terminate the key being sent, so it was always empty.

  * Use xrealloc instead of if(ptr) ptr = xmalloc().
  * Fix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf6f2ab17228a9820cea66.

    Instead of a single, global decryption context, each node has its own context.
    However, in send_ans_key(), the global context was initialised. This commit
    fixes that and removes the global context completely.

    Also only set status.validkey after all checks have been evaluated.

  * don't log every strange packet coming to the UDP port

    it's a sure way to fill up syslog.  Only log those if
    debug level is up to PROTOCOL

  * Fix link to Mattias Nissler's tun/tap driver for MacOS/X.
  * If PMTUDiscovery is not set, do not forward packets via TCP unnecessarily.

  * ignore indirect edge registrations in tunnelserver mode

    In tunnelserver mode we're not interested to hear about
    our client edges, just like in case of subnets.  Just
    ignore all requests which are not about our node or the
    client node.

    The fix is very similar to what was done for subnets.

    Note that we don't need to add the "unknown" nodes to
    the list in tunnelserver mode too, so move allocation
    of new nodes down the line.

  * TunnelServer: Don't disconnect client on DEL_SUBNET too

    Similar changes as was in 2327d3f6eb5982bcc922ff1ab1ec436ba6aeffdc
    but for del_subnet_h().

    Before, we vere returning false (and causing disconnect of the
    client) in case of tunnelserver and the client sending DEL_SUBNET
    for non-his subnet or for subnet which owner isn't in our connection
    list.

    After the mentioned change to add_subnet_h() that routine does not
    add such indirect owners to the connection list anymore, so that
    was ok (owner == NULL and we return true).

    But if we too has a connection with the node about which the client
    is sending DEL_SUBNET notification, say, because that client lost
    connection with that other node, we'll disconnect this client from
    us too, returning false for indirect DEL_SUBNET.

    Fix that by allowing and ignoring indirect DEL_SUBNET in tunnelserver
    mode.

    Also rearranged the function a bit, to match add_subnet_h() (in
    particular, syntax-check everything first, see if we've seen this
    request before).

    And also fix some comments.

  * format 'not supported on this platform' error message

    Format it in a similar way in all places, to make translation happier.
    No functional changes.

  * change error messages in droppriv code to match the rest

    Change formatting of error messages about failed syscalls
    to be the same as in other places in tincd.

    Also suggest a change in "$foo not supported on this platform"
    message as it's now used more than once.

  * bugfix: chdir(/) after chroot

    Fix the famous chdir(".") vs chdir("/") after chroot(something).

  * bugfix: move mlock to after detach() so it works for child, not parent

    mlock()/mlockall() are not persistent across fork(), and it's
    done in parent process before daemon() which does fork().  So
    basically, current --mlock does nothing useful.

    Move mlock() to after detach() so it works for child process
    instead of parent.

    Also, check if the platform supports mlock right when processing
    options (since else we'll have to die after startup, not at
    startup, the error message will be in log only).

  * bugfix: initialize pid (as read from pidfile) to zero

    If we didn't read any number from a pid file, we'll return
    an unitialized variable to the caller, and it will treat
    that garbage as a pid of a process (possible to kill).

    Fix that.

  * Implement privilege dropping

    Add two options, -R/--chroot and -U/--user=user, to chroot to the
    config directory (where tinc.conf is located) and to perform
    setuid to the user specified, after all the initialization is done.

    What's left is handling of pid file since we can't remove it anymore.

  * Rename setup_network_connections() and split out try_outgoing_connections()

    In preparation of chroot/setuid operations, split out call to
    try_outgoing_connections() from setup_network_connections()
    (which was the last call in setup_network_connections()).
    This is because dropping privileges should be done in-between
    setup_network_connections() and try_outgoing_connections().

    This patch renames setup_network_connections() to setup_network()
    and moves call to try_outgoing_connections() into main routine.

    No functional changes.

  * Handle UDP packets from different and ports than advertised.

    Previously, tinc used a fixed address and port for each node for UDP packet
    exchange.  The port was the one advertised by that node as its listening port.
    However, due to NAT the port might be different.  Now, tinc sends a different
    session key to each node. This way, the sending node can be determined from
    incoming packets by checking the MAC against all session keys. If a match is
    found, the address and port for that node are updated.

  * Use a simple Random Early Drop algorithm in send_tcppacket().
  * Disable PMTUDiscovery in switch and hub modes.

    In switch and hub modes, tinc does not generate ICMP packets in response to
    packets that are larger than the path MTU.  However, if PMTUDiscovery is
    enabled, the IP_MTU_DISCOVER and IPV6_MTU_DISCOVER option is set on the UDP
    sockets, which causes all UDP packets to be sent with the DF bit set, causing
    large packets to be dropped, even if they would otherwise be routed fine.
  * Update THANKS and copyright information.
  * Allow weight to be assigned to Subnets.

    Tinc allows multiple nodes to own the same Subnet, but did not have a sensible
    way to decide which one to send packets to. Tinc also did not check the
    reachability of nodes when deciding where to route packets to, so it would not
    automatically fail over to a reachable node.

    Tinc now assigns a weight to each Subnet. The default weight is 10, with lower
    weights having higher priority.  The Subnets are now internally sorted in the
    same way as the kernel's routing table, and the Subnets are search linearly,
    skipping those of unreachable nodes. A small cache of recently used addresses
    is used to speed up the lookup functions.

  * Enable PMTUDiscovery only if BOTH sides wants it.

    Don't enable PMTUDiscovery if at least one side does not support it.
    Before it was enabled if at least one side supported it, now both are required.

  * Handle neighbor solicitation requests without link layer addresses.

    Apparently FreeBSD likes to send out neighbor solicitation requests, even on a
    tun interface where this is completely pointless. These requests do not have an
    option header containing a link layer address, so the proxy-neighborsol code
    was treating these requests as invalid. We now handle such requests, and send
    back equally pointless replies, also without a link layer address. This seems
    to satisfy FreeBSD.

  * Allow tunnelserver to work with clients that have other peers.

    In TunnelServer mode, tinc server disconnects any client if it announces
    indirect subnets -- subnets that are not theirs (e.g. subnets for nodes
    the CLIENT has connections now, even if those nodes are known to the server
    too).  Fix that by ignoring such (indirect) announces instead.

    While we're at it, move check for such indirect subnet registration to
    before allocating new node structure, as in TunnelServer mode we don't
    really need to know that other node.

  * Disable old RSA keys when generating new ones.

    When generating an RSA keypair, the new public and private keys are appended to
    files. However, when OpenSSL reads keys it only reads the first in a file, not
    the last. Instead of printing an easily ignored warning, tinc now disables old
    keys when appending new ones.

  * Validate Name before using it in a filename when generating a keypair.
  * Allow reading config files with CRLF endings on Unix systems.
  * Remove unused definitions from net.h.
  * Use a global list to track outgoing connections.

    Previously an outgoing_t was maintained for each outgoing connection,
    but the pointer to it was either stored in a connection_t or in an event_t.
    This made it very hard to keep track of and to clean up.

    Now a list is created when tinc starts and reads all the ConnectTo variables,
    and which is recreated when tinc receives a HUP signal.

  * Add missing cleanup functions in close_network_connections().
  * Change flush_events() to expire_events().

    The former function made a totally bogus shallow copy of the event_tree, called
    the handler of each event and then deleted the whole tree.  This should've
    caused tinc to crash when an ALARM signal was sent more than once, but for some
    reason it didn't. It also behaved incorrectly when a handler added a new event.

    The new function just moves the expiration time of all events to the past.

  * Move free()s at the end om main() to the proper destructor functions.
  * Only send packets via UDP if UDP communication is possible.

    When no session key is known for a node, or when it is doing PMTU discovery but
    no MTU probes have returned yet, packets are sent via TCP. Some logic is added
    to make sure intermediate nodes continue forwarding via TCP.  The per-node
    packet queue is now no longer necessary and has been removed.

  * Consistently allocate device and iface variables on the heap.

    This fixes a segfault when no Device has been specified and tinc exits, and it
    would try to free() a static string. Thanks to Borg for spottin.

  * Update documentation for git.
2010-05-01 16:56:40 +00:00
wiz
579796a3e5 Recursive PKGREVISION bump for jpeg update to 8. 2010-01-17 12:02:03 +00:00
wiz
60f460ab01 Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT
block). Uncomment some commented out LICENSE lines while here.
2009-05-19 08:59:00 +00:00
tonnerre
6b888440f2 Update net/tinc to version 1.0.9. Pick up maintainership and set license.
Changes since version 1.0.7:

 - Apply patch from Max Rijevski fixing a memory leak when closing connections.
   It also cleans up more when stopping tinc, helping tools like valgrind.
 - Handle broadcast and multicast packets in router mode.
   Multicast packets are treated as broadcast packets.
 - Update the manpage as well, and some whitespace to make its source more legible.
 - Update documentation.
   - TCPOnly is not experimental.
   - Do not mention old Linux kernels and Ethertap anymore.
   - Document the DeviceType, PMTU and PMTUDiscovery options.
 - Enable PMTU discovery by default.
 - Update copyright information.
 - Update Dutch translation.
 - Make sure IPv6 sockets are IPv6 only.
 - This will get rid of the "Can't bind to 0.0.0.0 port 655/tcp: Address already
   in use" message on Linux.
 - Use TUNIFHEAD by default on FreeBSD to make sure IPv6 works.
 - Treat virtual network device as tap if Mode = switch or hub.
   On OpenBSD, the link0 flag should still be set in tinc-up or by other means.
 - Correct debug message.
 - Prevent freeing a NULL pointer when a hostname is unresolvable.
 - Do not try to send REQ_KEY or ANS_KEY requests to unreachable nodes.
 - Fix reading configuration files that do not end with a newline.
 - Make sure the prefixlength of subnets is sane.
 - Handle SERVICE_CONTROL_INTERROGATE requests. Thanks to Carsten Ralle for noticing this.
 - Don't free struct addrinfo too early. Spotted by Christian Cier-Zniewski.
 - Update dutch translation.
 - Make sure connection->name is never NULL.
 - Apply patch from "dnk" making sockets non-blocking under Windows.
 - Close the proper filedescriptor (if it exists).
 - Apply patch from Scott Lamb fixing some memory and resource leaks.
 - Apply patch from Scott Lamb preventing an infinite loop when sending SIGALRM.
2009-04-18 19:27:11 +00:00
tnn
ad6ceadd25 Per the process outlined in revbump(1), perform a recursive revbump
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
2008-01-18 05:06:18 +00:00
joerg
17adb7cfd1 I18N (PR 37581) and DESTDIR support. 2007-12-21 20:35:36 +00:00
obache
9d5fe512ed Update tinc to 1.0.7.
News

Jan 5th 2007
Version 1.0.7 released.
 * Fixed a bug that caused slow network speeds on Windows.
 * Fixed a bug that caused tinc unable to write packets to the tun device on OpenBSD.

Dec 18th 2006
Version 1.0.6 released.
 * More flexible detection of the LZO libraries when compiling.
 * Fixed a bug where broadcasts in switch and hub modes sometimes would not work anymore when part of the VPN had become disconnected from the rest.

Nov 14th 2006
Version 1.0.5 released.
 * Lots of small fixes.
 * Broadcast packets no longer grow in size with each hop. This should fix switch mode (again).
 * Generic host-up and host-down scripts.
 * Optionally dump graph in graphviz format to a file or a script.
 * Support LZO 2.0 and later.
2007-04-21 15:19:01 +00:00
wiz
b6160330f7 Update MASTER_SITES and/or HOMEPAGE, from Sergey Svishchev. 2006-10-04 21:53:15 +00:00
jlam
a4b4d5b501 List the info files directly in the PLIST and honor PKG{INFO,MAN}DIR. 2006-04-06 03:20:54 +00:00
joerg
6746b21a6f Add DragonFly support. 2006-03-23 16:28:01 +00:00
jlam
9c8b5ede43 Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
2006-03-04 21:28:51 +00:00
hira
17788e1738 Add missing RCS Id tag to patch-aa. Remove diff command line. 2005-06-17 15:32:44 +00:00
wiz
903b92942a Update to 1.0.4, including a patch by Tonnerre, provided
in PR 30378.

version 1.0.4                May  4 2005

 * Fix switch and hub modes.

 * Optionally start scripts when a Subnet becomes (un)reachable.

version 1.0.3                Nov 11 2004

* Show error message when failing to write a PID file.

* Ignore spaces at end of lines in config files.

* Fix handling of late packets.

* Unify BSD tun/tap device handling. This allows IPv6 on tun devices and
  anything on tap devices as long as the underlying OS supports it.

* Handle IPv6 on Solaris tun devices.

* Allow tinc to work properly under Windows XP SP2.

* Allow VLAN tagged Ethernet frames in switch and hub mode.

* Experimental PMTUDiscovery, TunnelServer and BlockingTCP options.

version 1.0.2                Nov  8 2003

* Fix address and hostname resolving under Windows.

* Remove warnings about non-existing scripts and unsupported address families.

* Use the event logger under Windows.

* Fix quoting of filenames and command line arguments under Windows.

* Strict checks for length incoming network packets and return values of
  cryptographic functions,

* Fix a bug in metadata handling that made the tinc daemon abort.
2005-05-30 16:58:03 +00:00
rillig
f795c2e475 Removed trailing white-space. 2005-05-23 08:26:03 +00:00
tv
f816d81489 Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. 2005-04-11 21:44:48 +00:00
agc
b12d62efb5 Add RMD160 digests. 2005-02-24 12:13:41 +00:00
tv
c487cb967a Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
2004-10-03 00:12:51 +00:00
xtraeme
8d2bb7dcb6 Drop maintainership; I don't have the enough free time to maintain
all these packages.
2004-05-07 01:14:46 +00:00
xtraeme
2587a8567d Initial import of tinc-1.0.1 from pkgsrc-wip.
tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and
encryption to create a secure private network between hosts on the Internet.

Because the VPN appears to the IP level network code as a normal network
device, there is no need to adapt any existing software. This allows VPN
sites to share information with each other over the Internet without exposing
any information to others. In addition, tinc has the following features:

o Encryption, authentication and compression
    All traffic is optionally compressed using zlib or LZO, and OpenSSL is
    used to encrypt the traffic and protect it from alteration with message
    authentication codes and sequence numbers.
o Automatic full mesh routing
    Regardless of how you set up the tinc daemons to connect to each
    other, VPN traffic is always (if possible) sent directly to the
    destination, without going through intermediate hops.
o Easily expand your VPN
    When you want to add nodes to your VPN, all you have to do is add an extra
    configuration file, there is no need to start new daemons or create and
    configure new devices or network interfaces.
o Ability to bridge ethernet segments
    You can link multiple ethernet segments together to work like a single
    segment, allowing you to run applications and games that normally only work
    on a LAN over the Internet.
2004-04-01 05:42:11 +00:00