Backport tinc 1.1's str2net() function. The old function could get confused by short-hand IPv6 notation (using ::) and mistake them for MAC addresses. The new code is more strict; it will correctly handle all short-hand addresses, and will return an error when an address has trailing garbage instead of ignoring it.
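The strictness described in the str2net() message above, as an added example that is not tinc's code: `classify_subnet` and `addr_kind` are hypothetical names, and rejecting a prefix on a MAC address is an assumption. It tells a six-group MAC address apart from `::` short-hand IPv6 by requiring that nothing remains after the parsed address.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

enum addr_kind { ADDR_INVALID, ADDR_MAC, ADDR_IPV4, ADDR_IPV6 };

/* Illustrative helper (hypothetical name, not tinc's str2net()):
 * classify "address[/prefix]" and reject anything left unparsed. */
enum addr_kind classify_subnet(const char *s, int *prefix) {
    char buf[64], *slash, *end;
    unsigned char ip[16];
    unsigned int m[6];
    int n = 0;
    long p = -1;

    *prefix = -1;
    if (strlen(s) >= sizeof(buf)) return ADDR_INVALID;
    strcpy(buf, s);

    /* Optional "/prefix": must start with a digit and be fully numeric. */
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        if (*slash < '0' || *slash > '9') return ADDR_INVALID;
        p = strtol(slash, &end, 10);
        if (*end != '\0') return ADDR_INVALID;
    }

    /* MAC: hex digits and colons only, six groups, and %n must stop at the
     * terminator. "1:2:3:4:5:6::" scans six groups too, but text remains. */
    if (strspn(buf, "0123456789abcdefABCDEF:") == strlen(buf) &&
        sscanf(buf, "%2x:%2x:%2x:%2x:%2x:%2x%n",
               &m[0], &m[1], &m[2], &m[3], &m[4], &m[5], &n) == 6 &&
        buf[n] == '\0')
        return p < 0 ? ADDR_MAC : ADDR_INVALID; /* assumption: no prefix on MAC */

    /* inet_pton() is strict: it fails on trailing characters. */
    int v4 = inet_pton(AF_INET, buf, ip) == 1;
    if (!v4 && inet_pton(AF_INET6, buf, ip) != 1) return ADDR_INVALID;
    if (p > (v4 ? 32 : 128)) return ADDR_INVALID;
    *prefix = (int)p;
    return v4 ? ADDR_IPV4 : ADDR_IPV6;
}

int main(void) {
    int p;
    printf("%d\n", classify_subnet("1:2:3:4:5:6::", &p)); /* 3 = ADDR_IPV6 */
    return 0;
}
```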
Remove the call to RAND_load_file(). It might have been necessary for some very old version of OpenSSL, but the current minimum required version for tinc will do a proper initialization of its PRNG automatically. LibreSSL of course does the right thing too, and its RAND_load_file() is just a dummy.
Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738)

The authentication protocol allows an oracle attack that could potentially be exploited. This commit contains several mitigations:

- Connections are no longer closed immediately on error, but put in a "tarpit".
- The authentication protocol now requires a valid CHAL_REPLY from the initiator of a connection before sending a CHAL_REPLY of its own.
- Only a limited amount of connections per second are accepted.
- Null ciphers or digests are no longer allowed in METAKEYs.
- Connections that claim to have the same name as the local node are rejected.