Guus Sliepen
68a20876d0
Use minor protocol version to determine whether to use ECDH key exchange between nodes.
2012-07-20 01:02:51 +02:00
Guus Sliepen
58007d7efa
Always pass request strings to other functions as const char *.
2012-05-08 16:44:15 +02:00
Guus Sliepen
86c2990327
Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
NEWS
README
configure.in
src/Makefile.am
src/conf.c
src/conf.h
src/connection.c
src/net.c
src/tincd.c
2012-03-25 23:35:31 +01:00
Guus Sliepen
4712d8f92e
Update copyright notices.
2012-03-10 13:23:08 +01:00
Guus Sliepen
8ac096b5bf
Allow log messages to be captured by tincctl.
This allows tincctl to receive log messages from a running tincd,
independent of what is logged to syslog or to file. Tincctl can receive
debug messages with an arbitrary level.
2012-02-26 18:37:36 +01:00
Guus Sliepen
3fba80174d
Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
NEWS
README
configure.in
doc/tincd.8.in
src/Makefile.am
src/bsd/device.c
src/connection.c
src/connection.h
src/cygwin/device.c
src/device.h
src/dropin.h
src/linux/device.c
src/mingw/device.c
src/net.c
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/process.c
src/protocol.c
src/protocol_key.c
src/raw_socket_device.c
src/route.c
src/solaris/device.c
src/tincd.c
src/uml_device.c
2012-02-22 14:23:59 +01:00
Guus Sliepen
ea415ccc16
Rename connection_t *broadcast to everyone.
2012-02-20 17:12:48 +01:00
Guus Sliepen
5672863e59
Fix a few small memory leaks.
2011-12-03 21:59:47 +01:00
Guus Sliepen
cff27a258f
Use ECDSA to sign ECDH key exchange for UDP session keys.
The ECDSA public keys will also be included in the ANS_KEY requests,
but are only used when no ECDSA public key is known yet.
2011-07-16 20:21:44 +02:00
Guus Sliepen
2ba61742d4
Use the correct direction flag when setting cipher keys.
The flag was set incorrectly, but for most ciphers this does not have
any effect. AES in any of the block modes is picky about it though.
2011-07-16 15:15:29 +02:00
Guus Sliepen
303dd1e702
Fix compiler warnings.
2011-07-13 22:52:52 +02:00
Guus Sliepen
fec279a9c5
Make use of the improved hex and base64 functions.
Also, use base64 for all EC related data, it is shorter and easy to
distinguish from the legacy protocol.
2011-07-12 23:43:12 +02:00
Guus Sliepen
bbeab00f46
Require ExperimentalProtocol = yes for new features, update documentation.
2011-07-11 21:54:01 +02:00
Guus Sliepen
ac163120d7
Proper use of PRF.
2011-07-03 16:30:49 +02:00
Guus Sliepen
82f00ea07b
Use PRF.
2011-07-03 15:59:49 +02:00
Guus Sliepen
8dfa072733
Support ECDH key exchange.
REQ_KEY requests have an extra field indicating key exchange version.
If it is present and > 0, the sender supports ECDH. If the receiver also
does, then it will generate a new keypair and send the public key in an
ANS_KEY request with "ECDH:" prefixed. The ans_key_h() function will
compute the shared secret, which, at the moment, is used as is to set the
cipher and HMAC keys. However, this must be changed to use a proper KDF.
In the future, the ECDH key exchange must also be signed.
2011-07-03 13:17:28 +02:00
Guus Sliepen
365f60f3f8
Don't call event_del() from the mtuevent handler, always send_mtu_probe() in ans_key_h().
2011-06-24 22:49:18 +02:00
Guus Sliepen
6d08eb1614
Fix sparse warnings and add an extra sprinkling of const.
This is more or less the equivalent of Sven-Haegar Koch's fixes in the 1.1
branch.
2011-05-28 23:36:52 +02:00
Sven-Haegar Koch
f4010694b3
sparse fixup: warning: non-ANSI function declaration of function '...'
2011-05-28 15:24:39 +02:00
Guus Sliepen
3794e551c7
Fix check for event initialization due to the merge.
2011-05-14 11:52:35 +02:00
Guus Sliepen
ce8775000a
Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
NEWS
README
configure.in
doc/tincd.8.in
lib/pidfile.c
src/bsd/device.c
src/dropin.h
src/net.c
src/net_packet.c
src/node.c
src/process.c
src/tincd.c
2011-05-09 21:35:14 +02:00
Guus Sliepen
67766d65f0
Update THANKS and copyright information.
2011-05-08 21:22:20 +02:00
Guus Sliepen
f99661a4ca
Always send MTU probes at least once every PingInterval.
Before, if MTU probes failed, tinc would stop sending probes until the next
time keys were regenerated (by default, once every hour). Now it continues to
send them every PingInterval, so it recovers faster from temporary failures.
2011-01-02 15:02:23 +01:00
Guus Sliepen
886a6f61a1
Merge branch 'master' into 1.1
Conflicts:
src/net_packet.c
src/openssl/rsagen.h
src/protocol_auth.c
src/protocol_key.c
2010-11-19 12:22:48 +00:00
Brandon L Black
23acc19bc0
Configurable ReplayWindow size, zero disables
2010-11-13 21:25:46 +01:00
Guus Sliepen
9e3ca39773
Use variable length arrays instead of alloca().
2010-11-13 15:55:38 +01:00
Guus Sliepen
a22041922f
Merge branch 'master' into 1.1
Conflicts:
doc/tincd.8.in
lib/pidfile.c
src/graph.c
src/net.c
src/net.h
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/node.h
src/protocol_auth.c
src/protocol_key.c
src/tincd.c
2010-11-12 16:15:29 +01:00
Guus Sliepen
4b6a9f1c1f
Do not append an address to ANS_KEY messages if we don't know any address.
This would let tinc raise an exception when an ANS_KEY request crossed a
DEL_EDGE request for the node sending the key.
2010-06-04 16:03:19 +02:00
Guus Sliepen
2911af6e23
Fix merge of commit 4a0b998151.
2010-04-17 12:33:15 +02:00
Sven-Haegar Koch
ffa1dc73dc
Fixed 1.0 mis-merges
2010-03-31 05:01:39 +02:00
Sven-Haegar Koch
103543aa2c
Merge branch 'master' into 1.1
Conflicts:
NEWS
README
configure.in
have.h
src/conf.c
src/conf.h
src/net.c
src/net_packet.c
src/protocol_key.c
src/protocol_subnet.c
src/route.c
src/tincd.c
2010-03-26 16:51:03 +01:00
Guus Sliepen
cd0c2e86a4
Ensure peers with a meta connection always have our key.
This keeps UDP probes going, which in turn keeps NAT mappings alive.
2010-02-03 11:18:46 +01:00
Guus Sliepen
40d91ff619
Update copyright notices.
2010-02-02 22:49:21 +01:00
Guus Sliepen
4a0b998151
Determine peer's reflexive address and port when exchanging keys.
To help peers that are behind NAT connect to each other directly via UDP, they
need to know the exact external address and port that they use. Keys exchanged
between NATted peers necessarily go via a third node, which knows this address
and port, and can append this information to the keys, which is in turn used
by the peers.
Since PMTU discovery will immediately trigger UDP communication from both sides
to each other, this should allow direct communication between peers behind
full, address-restricted and port-restricted cone NAT.
2010-02-02 00:51:44 +01:00
Guus Sliepen
d15099e002
Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests.
When we got a key request for or from a node we don't know, we disconnected the
node that forwarded us that request. However, especially in TunnelServer mode,
disconnecting does not help. We now ignore such requests, but since there is no
way of telling the original sender that the request was dropped, we now retry
sending REQ_KEY requests when we don't get an ANS_KEY back.
2010-01-23 18:48:01 +01:00
Guus Sliepen
c845bc109c
Fix packet authentication.
This wasn't working at all, since we didn't do HMAC but just a plain hash.
Also, verification of packets failed because it was checking the whole packet,
not the packet minus the HMAC.
2009-12-18 01:15:25 +01:00
Guus Sliepen
7ea85043ac
Merge branch 'master' into 1.1
Conflicts:
NEWS
configure.in
lib/Makefile.am
lib/pidfile.c
lib/pidfile.h
lib/utils.c
po/POTFILES.in
po/nl.po
src/Makefile.am
src/bsd/device.c
src/conf.c
src/connection.c
src/cygwin/device.c
src/edge.c
src/event.c
src/graph.c
src/linux/device.c
src/meta.c
src/mingw/device.c
src/net.c
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/process.c
src/protocol.c
src/protocol_auth.c
src/protocol_edge.c
src/protocol_key.c
src/protocol_misc.c
src/protocol_subnet.c
src/raw_socket/device.c
src/route.c
src/solaris/device.c
src/subnet.c
src/tincd.c
src/uml_socket/device.c
2009-09-29 14:55:29 +02:00
Guus Sliepen
4c85542894
Drop support for localisation.
Localised messages don't make much sense for a daemon, and there is only the
Dutch translation which costs time to maintain.
2009-09-25 00:54:07 +02:00
Guus Sliepen
a227843b73
Remove checkpoint tracing.
This feature is not necessary anymore since we have tools like valgrind today
that can catch stack overflow errors before they make a backtrace in gdb
impossible.
2009-09-25 00:33:04 +02:00
Guus Sliepen
5dde6461a3
K&R style braces.
This is essentially commit f02d3ed3e1 from the
1.1 branch, making it easier to merge between master and 1.1.
2009-09-25 00:14:03 +02:00
Guus Sliepen
ab7c61b06f
Update the address of the Free Software Foundation in all copyright headers.
2009-09-25 00:01:00 +02:00
Guus Sliepen
c217d214f4
Remove all occurrences of $Id$.
2009-09-24 23:39:16 +02:00
Guus Sliepen
1cbddbd573
Use correct format specifiers.
2009-09-16 20:17:11 +02:00
Guus Sliepen
075e6828a7
Merge branch 'master' into 1.1
Conflicts:
have.h
lib/dropin.c
lib/fake-getaddrinfo.c
lib/pidfile.c
src/Makefile.am
src/bsd/device.c
src/conf.c
src/connection.c
src/connection.h
src/graph.c
src/mingw/device.c
src/net.c
src/net_setup.c
src/node.c
src/protocol_key.c
src/protocol_misc.c
src/tincd.c
2009-09-16 19:55:47 +02:00
Guus Sliepen
35e87b903e
Use only rand(), not random().
We used both rand() and random() in our code. Since it returns an int, we have
to use %x in our format strings instead of %lx. This fixes a crash under
Windows when cross-compiling tinc with a recent version of MinGW.
2009-09-14 23:06:00 +02:00
Guus Sliepen
4124b9682f
Handle truncated message authentication codes.
2009-06-06 19:04:04 +02:00
Guus Sliepen
5a132550de
Merge branch 'master' into 1.1
Conflicts:
doc/tincd.8.in
lib/pidfile.c
src/graph.c
src/net.c
src/net.h
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/node.h
src/protocol_auth.c
src/protocol_key.c
src/tincd.c
2009-06-05 23:14:13 +02:00
Guus Sliepen
261d1eac1c
Properly set HMAC length for incoming packets.
2009-06-05 16:14:31 +02:00
Michael Tokarev
ca5b67111e
Fix ans_key exchange in recent changes
send_ans_key() was using the wrong in vs. outkeylength to
terminate the key being sent, so it was always empty.
2009-05-25 01:30:01 +02:00
Guus Sliepen
e012e752f4
Fix initialisation of packet decryption context broken by commit 3308d13e7e.
Instead of a single, global decryption context, each node has its own context.
However, in send_ans_key(), the global context was initialised. This commit
fixes that and removes the global context completely.
Also only set status.validkey after all checks have been evaluated.
2009-05-24 19:31:31 +02:00