Guus Sliepen
a4f132770d
Revert "Raise default crypto algorithms to AES256 and SHA256."
...
Although it would be better to have the new defaults, only the most recent
releases of most of the platforms supported by tinc come with a version of
OpenSSL that supports SHA256. To ensure people can compile tinc and that nodes
can interact with each other, we revert the default back to Blowfish and SHA1.
This reverts commit 4bb3793e38
.
2009-10-11 13:56:04 +02:00
Guus Sliepen
7ea85043ac
Merge branch 'master' into 1.1
...
Conflicts:
NEWS
configure.in
lib/Makefile.am
lib/pidfile.c
lib/pidfile.h
lib/utils.c
po/POTFILES.in
po/nl.po
src/Makefile.am
src/bsd/device.c
src/conf.c
src/connection.c
src/cygwin/device.c
src/edge.c
src/event.c
src/graph.c
src/linux/device.c
src/meta.c
src/mingw/device.c
src/net.c
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/process.c
src/protocol.c
src/protocol_auth.c
src/protocol_edge.c
src/protocol_key.c
src/protocol_misc.c
src/protocol_subnet.c
src/raw_socket/device.c
src/route.c
src/solaris/device.c
src/subnet.c
src/tincd.c
src/uml_socket/device.c
2009-09-29 14:55:29 +02:00
Guus Sliepen
46e481dc94
Add more authors to the copyright headers.
...
Git's log and blame tools were used to find out which files had significant
contributions from authors who sent in patches that were applied before we used
git.
2009-09-25 21:14:56 +02:00
Guus Sliepen
4c85542894
Drop support for localisation.
...
Localised messages don't make much sense for a daemon, and there is only the
Dutch translation which costs time to maintain.
2009-09-25 00:54:07 +02:00
Guus Sliepen
a227843b73
Remove checkpoint tracing.
...
This feature is not necessary anymore since we have tools like valgrind today
that can catch stack overflow errors before they make a backtrace in gdb
impossible.
2009-09-25 00:33:04 +02:00
Guus Sliepen
5dde6461a3
K&R style braces.
...
This is essentially commit f02d3ed3e1
from the
1.1 branch, making it easier to merge between master and 1.1.
2009-09-25 00:14:03 +02:00
Guus Sliepen
ab7c61b06f
Update the address of the Free Software Foundation in all copyright headers.
2009-09-25 00:01:00 +02:00
Guus Sliepen
c217d214f4
Remove all occurences of $Id$.
2009-09-24 23:39:16 +02:00
Guus Sliepen
4bdf0e80ee
Replace asprintf()s not covered by the merge to xasprintf().
2009-09-16 20:28:30 +02:00
Guus Sliepen
075e6828a7
Merge branch 'master' into 1.1
...
Conflicts:
have.h
lib/dropin.c
lib/fake-getaddrinfo.c
lib/pidfile.c
src/Makefile.am
src/bsd/device.c
src/conf.c
src/connection.c
src/connection.h
src/graph.c
src/mingw/device.c
src/net.c
src/net_setup.c
src/node.c
src/protocol_key.c
src/protocol_misc.c
src/tincd.c
2009-09-16 19:55:47 +02:00
Guus Sliepen
4bb3793e38
Raise default crypto algorithms to AES256 and SHA256.
...
In light of the recent improvements of attacks on SHA1, the default hash
algorithm in tinc is now SHA256. At the same time, the default symmetric
encryption algorithm has been changed to AES256.
2009-09-15 12:08:05 +02:00
Guus Sliepen
7242868b64
Allow PMTUDiscovery in switch and hub modes again.
...
PMTUDiscovery was disabled in commit d5b56bbba5
because tinc did not handle packets larger than the path MTU in switch and hub
modes. We now allow it again in preparation of proper support, but default to
off.
2009-09-12 13:40:32 +02:00
Guus Sliepen
73d77dd416
Replace asprintf() by xasprintf().
2009-09-08 18:18:36 +02:00
Guus Sliepen
4124b9682f
Handle truncated message authentication codes.
2009-06-06 19:04:04 +02:00
Guus Sliepen
5a132550de
Merge branch 'master' into 1.1
...
Conflicts:
doc/tincd.8.in
lib/pidfile.c
src/graph.c
src/net.c
src/net.h
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/node.h
src/protocol_auth.c
src/protocol_key.c
src/tincd.c
2009-06-05 23:14:13 +02:00
Guus Sliepen
e012e752f4
Fix initialisation of packet decryption context broken by commit 3308d13e7e
.
...
Instead of a single, global decryption context, each node has its own context.
However, in send_ans_key(), the global context was initialised. This commit
fixes that and removes the global context completely.
Also only set status.validkey after all checks have been evaluated.
2009-05-24 19:31:31 +02:00
Michael Tokarev
218adee785
format 'not supported on this platform' error message
...
Format it in a similar way in all places, to make translation happier.
No functional changes.
2009-05-18 15:35:52 +02:00
Michael Tokarev
6698f7c390
Rename setup_network_connections() and split out try_outgoing_connections()
...
In preparation of chroot/setuid operations, split out call to
try_outgoing_connections() from setup_network_connections()
(which was the last call in setup_network_connections()).
This is because dropping privileges should be done in-between
setup_network_connections() and try_outgoing_connections().
This patch renames setup_network_connections() to setup_network()
and moves call to try_outgoing_connections() into main routine.
No functional changes.
2009-05-18 14:34:24 +02:00
Guus Sliepen
3308d13e7e
Handle UDP packets from different and ports than advertised.
...
Previously, tinc used a fixed address and port for each node for UDP packet
exchange. The port was the one advertised by that node as its listening port.
However, due to NAT the port might be different. Now, tinc sends a different
session key to each node. This way, the sending node can be determined from
incoming packets by checking the MAC against all session keys. If a match is
found, the address and port for that node are updated.
2009-04-03 01:05:23 +02:00
Guus Sliepen
08aabbf931
Merge branch 'master' into 1.1
...
Conflicts:
NEWS
README
doc/tinc.conf.5.in
doc/tinc.texi
po/nl.po
src/conf.c
src/connection.c
src/event.c
src/graph.c
src/net.c
src/net_packet.c
src/net_socket.c
src/node.c
src/node.h
src/openssl/rsagen.h
src/protocol_auth.c
src/protocol_key.c
src/protocol_misc.c
src/subnet.c
src/subnet.h
src/tincd.c
2009-03-09 19:02:24 +01:00
Guus Sliepen
43fa7283ac
Use a simple Random Early Drop algorithm in send_tcppacket().
2009-03-09 14:04:31 +01:00
Guus Sliepen
d5b56bbba5
Disable PMTUDiscovery in switch and hub modes.
...
In switch and hub modes, tinc does not generate ICMP packets in response to
packets that are larger than the path MTU. However, if PMTUDiscovery is
enabled, the IP_MTU_DISCOVER and IPV6_MTU_DISCOVER option is set on the UDP
sockets, which causes all UDP packets to be sent with the DF bit set, causing
large packets to be dropped, even if they would otherwise be routed fine.
2009-03-09 13:48:54 +01:00
Guus Sliepen
78fc59e994
Update THANKS and copyright information.
2009-03-05 14:12:36 +01:00
Guus Sliepen
503c32eb0e
Use a global list to track outgoing connections.
...
Previously an outgoing_t was maintained for each outgoing connection,
but the pointer to it was either stored in a connection_t or in an event_t.
This made it very hard to keep track of and to clean up.
Now a list is created when tinc starts and reads all the ConnectTo variables,
and which is recreated when tinc receives a HUP signal.
2009-01-20 13:12:41 +01:00
Guus Sliepen
a7e793c94e
Add missing cleanup functions in close_network_connections().
2009-01-19 23:17:28 +01:00
Guus Sliepen
a39a9506cd
Move free()s at the end om main() to the proper destructor functions.
2009-01-09 12:36:06 +01:00
Guus Sliepen
0e4d419aae
Enable PMTU discovery by default.
2008-12-22 20:35:45 +00:00
Guus Sliepen
046158a216
Use the crypto wrappers again instead of calling OpenSSL directly.
...
This theoretically allows other cryptographic libraries to be used,
and it improves the readability of the code.
2008-12-11 14:44:44 +00:00
Scott Lamb
40731d030f
Temporarily revert to old crypto code
...
(The new code is still segfaulting for me, and I'd like to proceed with other
work.)
This largely rolls back to the revision 1545 state of the existing code
(new crypto layer is still there with no callers), though I reintroduced
the segfault fix of revision 1562.
2007-11-07 02:47:05 +00:00
Guus Sliepen
1b8f891836
Finish crypto wrapping. Also provide wrappers for OpenSSL.
...
Disable libgcrypt by default. Since it doesn't support the OFB cipher mode,
we can't use it in a backwards compatible way.
2007-05-23 13:45:49 +00:00
Guus Sliepen
465837dd7f
Parse PEM RSA keys ourself, and use libgcrypt to do RSA encryption and decryption.
2007-05-20 22:28:49 +00:00
Guus Sliepen
bf8e3ce13d
Remove pidfile in favour of control socket.
2007-05-19 14:13:21 +00:00
Guus Sliepen
01f47c46af
Start of control socket implementation.
2007-05-18 16:52:34 +00:00
Guus Sliepen
fb0cfccf7d
Use splay trees instead of AVL trees.
2007-05-18 10:05:26 +00:00
Guus Sliepen
f02d3ed3e1
K&R style braces
2007-05-18 10:00:00 +00:00
Guus Sliepen
ddc6a81a85
Remove global variable "now".
2007-05-18 09:34:06 +00:00
Guus Sliepen
7e1117197c
Move key regeneration handling to net_setup.c.
2007-05-17 23:57:48 +00:00
Guus Sliepen
bf6490825e
Remove legacy event system.
2007-05-17 22:13:12 +00:00
Guus Sliepen
d8dea8091f
Properly delete listener socket events on shutdown.
2007-05-17 19:51:26 +00:00
Scott Lamb
38c25d62c2
Convert to libevent.
...
This is a quick initial conversion that doesn't yet show much advantage:
- We roll our own timeouts.
- We roll our own signal handling.
- We build up the meta connection fd events on each loop rather than
on state changes.
2007-02-27 01:57:01 +00:00
Scott Lamb
834290b00f
A couple missed tevent things.
...
(Sorry; had a couple changes queued.)
2007-02-27 01:30:57 +00:00
Scott Lamb
6362b12df7
Rename "event_t" to "tevent_t", along with associated functions.
...
This relieves some confusion and problems during the libevent transition.
In particular, "event_add" was defined by both.
(The 't' stands for 'timeout', 'tinc', 'temporary', or some such.)
2007-02-27 01:26:11 +00:00
Guus Sliepen
1bb5a284fe
Make sure resolved addressed for outgoing connections are freed, if there are any.
2006-11-29 16:57:46 +00:00
Guus Sliepen
0714ac6c59
Nodes use events, so event system should be initialised first and destroyed last.
2006-11-11 22:44:15 +00:00
Guus Sliepen
1728d5b2c4
The "active" bit in node.status is not used.
2006-11-11 13:43:00 +00:00
Guus Sliepen
f88c9942e1
Use memcpy() to copy sockaddrs returned by getaddrinfo().
...
Thanks to Miles Nordin for spotting this.
2006-06-11 18:53:27 +00:00
Guus Sliepen
de78d79db8
Update copyright notices, remove Ivo's email address.
2006-04-26 13:52:58 +00:00
Guus Sliepen
af95368c0f
Fix signedness compiler warnings.
2006-03-19 13:06:21 +00:00
Guus Sliepen
a90f1b652c
Make sure $NAME is set correctly when executing tinc-down script.
2006-02-06 12:30:51 +00:00
Guus Sliepen
228e7a5c8f
Apply patch from Scott Lamb adding an output buffer for the TCP sockets.
...
This helps coalescing multiple send_meta() commands into one TCP packet.
Also limit the size of the output buffer before dropping PACKETs.
2006-01-19 17:13:18 +00:00
Guus Sliepen
df3220a154
Update copyright notices.
2005-05-04 18:09:30 +00:00
Guus Sliepen
c46f56a8b8
subnet-up/down hooks
2004-12-01 20:06:05 +00:00
Guus Sliepen
4fe7aff4d1
Add BlockingTCP option, useful when using TCPOnly on slow or congested links.
2004-11-10 21:56:31 +00:00
Guus Sliepen
7926a156e5
Update copyrights, links, email addresses and let Subversion update $Id$ keywords.
2004-03-21 14:21:22 +00:00
Guus Sliepen
af86a3226e
Revert Martin Kihlgren's patch, it doesn't work the way it should.
2004-03-20 22:23:42 +00:00
Guus Sliepen
56aad1bb48
Applied Martin Kihlgren's IdentityGenerosity patch,
...
simplified and renamed to StrictSource.
2004-03-20 15:28:55 +00:00
Guus Sliepen
a92c471a2b
Only read our public key if it wasn't already in the private key file.
2004-03-15 18:15:02 +00:00
Guus Sliepen
6d41b429a2
Better name, show probed MTU in dump.
2003-12-20 21:25:17 +00:00
Guus Sliepen
9bab08e972
More sensible name, and try to set PMTU discovery on IPv6 sockets as well.
2003-12-20 21:09:33 +00:00
Guus Sliepen
6b12bea62f
Let tinc figure out the exact MTU of the link.
2003-12-20 19:47:53 +00:00
Guus Sliepen
25447b3841
Read MaxTimeout from tinc.conf like the manpage says.
2003-12-07 14:28:39 +00:00
Guus Sliepen
e3220cacb5
Replace Opaque and Strict options with a TunnelServer option.
2003-11-17 15:30:18 +00:00
Guus Sliepen
a1ab57e275
Check all EVP_ function calls.
2003-10-11 12:16:13 +00:00
Guus Sliepen
6c5f3d8b74
We don't have to tell GCC how to cast.
2003-08-28 21:05:11 +00:00
Guus Sliepen
7ed2559025
Fix permissions check for rsa_key.priv.
2003-08-14 14:21:35 +00:00
Guus Sliepen
9bde92ce97
Simpler checking of permissions on private RSA key and other fixes.
2003-08-08 22:11:54 +00:00
Guus Sliepen
fcbe29bc4c
No C99 initialisers, gcc 2.95.3 doesn't like it.
...
Also make sure getopt.h is included.
2003-07-30 11:50:45 +00:00
Guus Sliepen
721e4caee0
Native Windows support.
2003-07-29 22:59:01 +00:00
Guus Sliepen
5cb1471351
Don't initialise a CIPHER_CTX if cipher == NULL.
2003-07-23 22:17:31 +00:00
Guus Sliepen
4aadb9500d
Run setup_device() after parsing configuration but before claiming we're ready.
2003-07-22 21:13:23 +00:00
Guus Sliepen
eefa28059a
Use bools and enums where appropriate.
2003-07-22 20:55:21 +00:00
Guus Sliepen
123bb765d1
Use iface instead of interface because it might already be declared in
...
system header files.
2003-07-18 13:45:06 +00:00
Guus Sliepen
e449d94cae
Big header file cleanup: everything that has to do with standard system
...
libraries is moved to system.h.
2003-07-17 15:06:27 +00:00
Guus Sliepen
5db596c684
Simplify logging, update copyrights and some minor cleanups.
2003-07-12 17:41:48 +00:00
Guus Sliepen
0b9175e998
Define logger(), cleans up source code and allows us to write log entries
...
to a separate file.
2003-07-06 22:11:37 +00:00
Guus Sliepen
9528a63c35
Really make tinc default to any addressfamily.
2003-06-25 20:52:59 +00:00
Guus Sliepen
c70f52087b
- Per-node EVP_CIPHER_CTX to avoid initialisation overhead.
...
- LZO compression, thanks to Teemu Kiviniemi.
- Updated dutch translation.
2003-05-06 21:13:18 +00:00
Guus Sliepen
9792ba2cac
- Avoid memory leak caused by OpenSSL 0.9.7a.
...
- Disable RSA_blinding_on() because it segfaults.
2003-03-28 13:41:49 +00:00
Ivo Timmermans
2fff0a91a7
Call RSA_blinding_on(), as advised in the paper on
...
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
to offer some resistance against timing attacks.
2003-03-14 09:43:10 +00:00
Guus Sliepen
38f562fdfc
Add $NAME for tinc-up/down scripts.
2003-01-14 12:53:59 +00:00
Guus Sliepen
5eca9520d9
Small fixes so tinc compiles out of the box on SunOS 5.8
2002-09-15 14:55:54 +00:00
Guus Sliepen
6f9f6779e6
Remove redundant spaces.
2002-09-09 22:33:31 +00:00
Guus Sliepen
f75dcef72a
Switch to K&R style indentation.
2002-09-09 21:25:28 +00:00
Guus Sliepen
5fc1ed17f4
Cleanups:
...
- Convert cp to cp(); so that automatic indenters work.
- Convert constructions like if(x == NULL) to if(!x).
- Move all assignments out of conditions.
2002-09-09 19:40:12 +00:00
Guus Sliepen
82ebfc923d
Revert to edge and graph stuff. This time, use a directed graph.
2002-09-04 13:48:52 +00:00
Guus Sliepen
d134c4542d
Drop graph and edge stuff. Use new node stuff instead.
2002-09-03 20:43:26 +00:00
Guus Sliepen
36cbaa32f4
Allow list of environment variables to be passed to execute_script().
...
When executing host-up/down scripts, include the address and port of the
remote host.
2002-07-10 11:27:06 +00:00
Guus Sliepen
627f7c22b4
s/sliepen.warande.net/sliepen.eu.org/g
...
s/itimmermans@bigfoot.com/ivo@o2w.nl/g
2002-06-21 10:11:37 +00:00
Guus Sliepen
940fcb6701
Reset listen_sockets after SIGHUP.
2002-06-13 16:12:40 +00:00
Guus Sliepen
78e8852184
- netinet/* include files depend on netinet/in_systm.h.
...
- Squash bashism in configure.in.
2002-06-08 14:08:57 +00:00
Guus Sliepen
116ba3b3da
Cleanup:
...
- Remove checks for specific OS's, instead check for #defines/#includes.
- Use uint??_t where appropriate.
- Mask handling functions use void pointers to get rid of silly casts.
2002-06-08 12:57:10 +00:00
Guus Sliepen
4856d8e1f8
Support RSA_PUBKEYs (as opposed to RSAPublicKeys) so tinc accepts
...
public keys generated by the OpenSSL command line tools.
2002-06-02 16:06:33 +00:00
Guus Sliepen
b6ad4ce35a
Add BindToAddress variable, similar to the late BindToIP.
2002-04-23 07:49:38 +00:00
Guus Sliepen
d8c249008a
check_rsa() is broken, I don't know why, just remove it for now.
2002-04-01 21:28:39 +00:00
Guus Sliepen
33d8747021
Set myself->status.reachable.
2002-03-25 13:54:49 +00:00
Guus Sliepen
52e7699273
- Added support for jumbograms.
...
- Remove tcpaddress from edges, it is not used at all.
- Last bits of code to prevent looping requests.
2002-03-22 11:43:48 +00:00
Guus Sliepen
305505f5ec
Remember sockaddrs of listening sockets, use appropriate one when sending
...
UDP packets.
2002-03-18 22:47:20 +00:00
Guus Sliepen
5ffeb13d65
Don't retry to make outgoing connections when exitting.
2002-03-10 16:09:15 +00:00
Guus Sliepen
0c16add71c
Check if BindToDevice and PriorityInheritance are supported.
2002-03-01 15:14:29 +00:00
Guus Sliepen
14979f835d
- Global time_t now, so that we don't have to call time() too often.
...
- MAC addresses expire after a time configurable by MACExpire (default 600
seconds)
2002-03-01 14:09:31 +00:00
Guus Sliepen
f93b1334e0
Create/bind TCP and UDP listening sockets in pairs.
2002-03-01 13:18:54 +00:00
Guus Sliepen
80ea653e8d
Fix listening sockets.
2002-03-01 12:25:58 +00:00
Guus Sliepen
50403909b6
Allow multiple listening sockets.
2002-02-26 23:26:41 +00:00
Guus Sliepen
dbc5b5bb5e
- Use gai_strerror() where appropriate
...
- Clear hints before using them with getaddrinfo()
- Use sa_len on platforms that support them
2002-02-20 22:15:32 +00:00
Guus Sliepen
c6d0158831
Protocol now also exchanges cipher/digest/maclength/compression for the
...
meta connection.
2002-02-20 19:25:09 +00:00
Guus Sliepen
8c91fac315
Use AF_UNSPEC for listening sockets if AddressFamily = any.
2002-02-20 16:04:39 +00:00
Guus Sliepen
c2b9c06062
- Non-blocking connect()s.
...
- Socket handling revamped to use sockaddr_t.
- tinc can now tunnel over IPv6.
- Handle all addresses and subnets in network byte order.
Only convert them when they need to be printed.
- IPv6 subnets bigger than /128 now work.
- Use %s and strerror(errno) instead of %m.
2002-02-18 16:25:19 +00:00