j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity
1839 commits 2 branches 0 tags 10 MiB
Commit graph

1228 commits

Author SHA1 Message Date
Guus Sliepen
e16ead8dd9 Use usleep() instead of sleep(), MinGW complained. 2011-07-23 14:11:44 +02:00
Guus Sliepen
ff751903aa Don't abort() on low-level crypto errors, just return false. 
The abort() calls were accidentily left in for debugging.
 2011-07-20 08:19:18 +02:00
Guus Sliepen
2f4ccfe247 Fix tinc 1.0.x daemons connecting when ExperimentalProtocol = yes. 2011-07-19 21:11:11 +02:00
Guus Sliepen
c259d552fa Add missing newline. 2011-07-17 20:06:06 +02:00
Guus Sliepen
f6020a5224 Write loopback address instead of "any" address in pidfile. 2011-07-17 20:01:24 +02:00
Guus Sliepen
50fcfea127 Flush output buffer in send_tcppacket(). 
This is mainly important for Windows, where the select() call in the
main thread is not being woken up when the tapreader thread calls
route(), causing a delay of up to 1 second before the output buffer is
flushed. This would cause bad performance when UDP communication is not
possible.
 2011-07-17 19:34:01 +02:00
Guus Sliepen
25091454da "tincctl stop" now removes the tinc service on Windows. 2011-07-17 19:23:52 +02:00
Guus Sliepen
c6c989cfa1 Fix declaration of usleep(). 2011-07-17 18:02:56 +02:00
Guus Sliepen
18e9839dc8 Ensure symlinked files do not end up in the tarball. 2011-07-17 10:59:54 +02:00
Guus Sliepen
fa4a01e4a2 Use const pointer to source in base64 and hex routines. 2011-07-16 22:38:50 +02:00
Guus Sliepen
574b380dfc Use usleep() instead of sleep(), MinGW complained. 2011-07-16 22:38:22 +02:00
Guus Sliepen
cff27a258f Use ECDSA to sign ECDH key exchange for UDP session keys. 
The ECDSA public keys will also be included in the ANS_KEY requests,
but are only used when no ECDSA public key is known yet.
 2011-07-16 20:21:44 +02:00
Guus Sliepen
03ac48ea19 Use the same logic as tinc 1.0.x for detecting two nodes with the same Name. 2011-07-16 15:21:37 +02:00
Guus Sliepen
2ba61742d4 Use the correct direction flag when setting cipher keys. 
The flag was set incorrectly, but for most ciphers this does not have
any effect. AES in any of the block modes is picky about it though.
 2011-07-16 15:15:29 +02:00
Guus Sliepen
be2fc8b045 Make code to detect two nodes with the same Name less triggerhappy. 
First of all, if there really are two nodes with the same name, much
more than 10 contradicting ADD_EDGE and DEL_EDGE messages will be sent.
Also, we forgot to reset the counters when nothing happened.

In case there is a ADD_EDGE/DEL_EDGE storm, we do not shut down, but
sleep an increasing amount of time, allowing tinc to recover gracefully
from temporary failures.
 2011-07-16 10:47:35 +02:00
Guus Sliepen
303dd1e702 Fix compiler warnings. 2011-07-13 22:52:52 +02:00
Guus Sliepen
791c1898ea Remove unnecessary variables and functions. 2011-07-13 22:31:53 +02:00
Guus Sliepen
fec279a9c5 Make use of the improved hex and base64 functions. 
Also, use base64 for all EC related data, it is shorter and easy to
distinguish from the legacy protocol.
 2011-07-12 23:43:12 +02:00
Guus Sliepen
06b8271ed5 Make hexadecimal and base64 routines behave the same. 
The length parameter for the encoding functions is the length of the
binary input, and for the decoding functions it is the maximum size of
the binary output.

The return value is always the length of the resulting output, excluding
the terminating NULL character for the encoding routines.

All functions can encode and decode in-place. The encoding functions
will always write a terminating NULL character, and the decoding
functions will stop at a NULL character.
 2011-07-12 23:23:26 +02:00
Guus Sliepen
bbeab00f46 Require ExperimentalProtocol = yes for new features, update documentation. 2011-07-11 21:54:01 +02:00
Guus Sliepen
d1cd3c8145 Close meta connection socket after cleaning up event structures. 
Epoll doesn't like it when an already closed filedescriptor is being
removed, so we defer closing the socket until after all else is cleaned
up.
 2011-07-10 22:46:43 +02:00
Guus Sliepen
30ef2a981e Automatically exchange ECDSA keys and upgrade to new authentication protocol. 
If we don't have ECDSA keys for the node we connect to, set protocol_minor
to 1, to indicate this to the other end. This will first complete the
old way of authentication with RSA keys, and will then exchange ECDSA keys.
The connection will be terminated right afterwards, and the next attempt
will use ECDSA keys.
 2011-07-10 22:34:17 +02:00
Guus Sliepen
027228debe Free ECDSA and RSA structures when freeing a connection_t. 2011-07-10 21:04:31 +02:00
Guus Sliepen
73863fab8a Hash input before signing it with ECDSA. 2011-07-08 18:17:34 +02:00
Guus Sliepen
8132be8fbd Very primitive ECDSA signed ECDH key exchange for the meta protocol. 
Nonces and hash of the ID requests should be included in the seed for the PRF.
 2011-07-07 22:30:55 +02:00
Guus Sliepen
210b5ceeee Read ECDSA keys. 2011-07-07 22:28:25 +02:00
Guus Sliepen
03582eb669 Implement ECDSA sign and verify operations. 
Very basic at the moment, doesn't hash the input first,
and uses OpenSSL's DER encoded signature as output.
 2011-07-07 22:27:17 +02:00
Guus Sliepen
86d83bd9bd Bump minor protocol to indicate ECDH capability for UDP session keys. 2011-07-05 21:29:31 +02:00
Guus Sliepen
9708bbfa8e Add a minor number to the protocol version. 2011-07-05 21:19:48 +02:00
Guus Sliepen
b99656d84a Round up the size of the secret parts after splitting it in two. 2011-07-04 07:51:47 +02:00
Guus Sliepen
95e1cc36d3 Add ECDSA key import. 2011-07-03 23:44:43 +02:00
Guus Sliepen
1e2d9b0899 Finish base64 decoding routine. 2011-07-03 23:33:56 +02:00
Guus Sliepen
80b81c00b1 Have tincctl generate ECDSA keys. 
The generate-keys command now generates both an RSA and an ECDSA keypair,
but one can generate-rsa-keys or generate-ecdsa-keys to just generate one type.
 2011-07-03 22:25:29 +02:00
Guus Sliepen
8ace7f3e57 Add ECDSA key generation. 2011-07-03 22:15:00 +02:00
Guus Sliepen
1d92dd62a7 Base64 encoding and decoding functions. 2011-07-03 22:13:58 +02:00
Guus Sliepen
c385d11533 Cleanups in ECDH code. 2011-07-03 22:13:34 +02:00
Guus Sliepen
895f868714 No need to keep around pointers to EC_GROUP. 2011-07-03 21:21:37 +02:00
Guus Sliepen
ac163120d7 Proper use of PRF. 2011-07-03 16:30:49 +02:00
Guus Sliepen
82f00ea07b Use PRF. 2011-07-03 15:59:49 +02:00
Guus Sliepen
feb3f22fff Add PRF to derive key material from the ECDH shared secret. 
It is modelled after the pseudorandom function from RFC4346 (TLS 1.1), the only
significant change is the use of SHA512 and Whirlpool instead of MD5 and SHA1.
 2011-07-03 15:26:58 +02:00
Guus Sliepen
8dfa072733 Support ECDH key exchange. 
REQ_KEY requests have an extra field indicating key exchange version.
If it is present and > 0, the sender supports ECDH. If the receiver also
does, then it will generate a new keypair and sends the public key in a
ANS_KEY request with "ECDH:" prefixed. The ans_key_h() function will
compute the shared secret, which, at the moment,is used as is to set the
cipher and HMAC keys. However, this must be changed to use a proper KDF.
In the future, the ECDH key exchange must also be signed.
 2011-07-03 13:17:28 +02:00
Guus Sliepen
ee8a214318 Preliminary implementation of Elliptic Curve Diffie-Hellman Ephemeral key exchange. 2011-06-27 21:52:23 +02:00
Guus Sliepen
8c953b1bfe Don't react to escape character in tincctl top. 
Not only the ESC key generates an escape character, but many other keys
do as well, such as arrow keys.
 2011-06-26 12:58:50 +02:00
Guus Sliepen
660f530a6f Really stable sorting of tincctl top output. 2011-06-25 22:20:39 +02:00
Guus Sliepen
ab4d289faf Make pid files backwards compatible and add address of listening socket. 
The pid is now written first, so that a version 1.0.x tincd can be used to stop
a running version 1.1 tincd.  Getsockname() is used to determine the address of
the first listening socket, so that tincctl can connect to the local tincd even
if AddressFamily = ipv6, or if BindToAddress or BindToInterface is used.
 2011-06-25 21:35:27 +02:00
Guus Sliepen
a05fa7f882 Rename controlcookie file to pidfile. 2011-06-25 21:21:36 +02:00
Guus Sliepen
c64f64b875 Don't call exit_control() if we didn't do init_control(). 2011-06-25 21:16:13 +02:00
Guus Sliepen
3b237afbda Re-add support for SIGALRM. 2011-06-25 20:20:07 +02:00
Guus Sliepen
8733110dec Ensure the right files end up in the tarball after make dist. 2011-06-25 17:08:40 +02:00
Guus Sliepen
7944cce19e Don't use AM_CONDITIONAL for CURSES. 
For some reason, this doesn't work when cross-compiling for Windows.
 2011-06-25 00:06:06 +02:00
Guus Sliepen
365f60f3f8 Don't call event_del() from the mtuevent handler, always send_mtu_probe() in ans_key_h(). 2011-06-24 22:49:18 +02:00
Guus Sliepen
1fe8ba2f06 Delete mtuevent if it is not used. 
Keeping it around prevents ans_key_h() from restarting PMTU discovery.
 2011-06-24 22:10:03 +02:00
Guus Sliepen
79e9a4f743 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1 
Conflicts:
	NEWS
	README
	configure.in
	src/Makefile.am
 2011-06-24 21:40:55 +02:00
Guus Sliepen
3c0511984f Remove redundant @CFLAGS@ from AM_CFLAGS. 2011-06-24 12:27:04 +02:00
Guus Sliepen
532557beea Only log UDP address changes at the appropriate debug levels. 2011-06-21 23:06:53 +02:00
Guus Sliepen
60ed7fe598 Reopen log file after SIGHUP. 
This was missed by the previous merge.
 2011-06-06 21:19:30 +02:00
Guus Sliepen
33f241d978 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1 
Conflicts:
	NEWS
	configure.in
	doc/tincd.8.in
	lib/pidfile.c
	lib/pidfile.h
	lib/xalloc.h
	lib/xmalloc.c
	src/conf.c
	src/conf.h
	src/connection.c
	src/connection.h
	src/event.c
	src/graph.c
	src/graph.h
	src/net.c
	src/net.h
	src/node.h
	src/openssl/crypto.c
	src/process.c
	src/protocol.c
	src/protocol_key.c
	src/route.c
 2011-06-06 20:42:15 +02:00
Guus Sliepen
601f3b2dd7 Clean up digests when freeing a connection_t. 2011-06-06 20:12:33 +02:00
Guus Sliepen
4b3fd94b1c Improved --logfile option. 
Instead of UNIX time, the log messages now start with the time in RFC3339
format, which human-readable and still easy for the computer to parse and sort.
The HUP signal will also cause the log file to be closed and reopened, which is
useful when log rotation is used. If there is an error while opening the log
file, this is logged to stderr.
 2011-06-06 16:26:11 +02:00
Guus Sliepen
b3bbeab6e6 Attribution for Loïc Grenié. 2011-06-04 11:27:54 +02:00
Loïc Grenié
50af33d01f Nearly tickless tinc. 
Use pselect instead of select in main_loop (if available). This lets
tincd sleeps as long as there is nothing to do.
 2011-06-04 11:19:46 +02:00
Guus Sliepen
8b3cc695b5 Don't ignore SIGCHLD, system() needs it. 
But we do ignore SIGPIPE, and tinc 1.0.x signals that are no longer used
(SIGUSR1 and SIGUSR2), since the default handler of these signals is to
terminate tincd immediately.
 2011-06-03 15:50:20 +02:00
Guus Sliepen
5989a29d7b Fix format strings for Windows. 
Windows doesn't like %zd, so cast (s)size_t to int. Also, some shorts were
incorrectly printed with %d instead of %hd.
 2011-06-03 00:46:56 +02:00
Guus Sliepen
3ade33bfac Use send() when writing to sockets, and the return type is ssize_t. 2011-06-03 00:34:30 +02:00
Guus Sliepen
5f4d57e846 Small fixes for Windows. 2011-06-02 23:40:27 +02:00
Guus Sliepen
2adc789401 Even simpler signal handling. 2011-06-02 22:14:53 +02:00
Guus Sliepen
2f42896789 Remove debugging message that was accidentily left in. 2011-06-02 21:29:11 +02:00
Guus Sliepen
c6b0e102ad Don't treat packets coming in via TCP as having zero length. 2011-06-02 21:16:57 +02:00
Guus Sliepen
80ca91769d Fix nodes joining the VPN after tincctl top started. 2011-06-02 21:14:50 +02:00
Guus Sliepen
311f60f4f0 Make traffic statistics more readable with configurable scaling. 2011-06-02 20:48:18 +02:00
Guus Sliepen
a8f0d21330 More stable sorting in tincctl top. 
Although we use qsort(), which is not guaranteed to be stable, resorting the
previously sorted array is more stable than recreating and resorting the array
each time.
 2011-06-02 20:27:16 +02:00
Guus Sliepen
2bda2aa885 Fix some compiler and cppcheck warnings. 2011-06-02 18:22:26 +02:00
Guus Sliepen
809dfd2f5b Remove support for the Ethertap device. 2011-06-02 18:07:50 +02:00
Guus Sliepen
af2e0c9a32 Remove unused functions and variables. 2011-06-02 17:57:53 +02:00
Guus Sliepen
b7754e5aaa Drop the GNU memcmp.c implementation. 2011-06-02 17:53:35 +02:00
Guus Sliepen
25b467638a Drop the GNU malloc.c, realloc.c, and xmalloc.c. 
We live in the 21st century, and we require C99 semantics, so we do not need to
work around buggy libcs. The xmalloc() and related functions are now static
inline functions.
 2011-06-02 17:45:06 +02:00
Guus Sliepen
e452a933f9 Simplify signal handling. 
We don't override any signal handlers anymore except those for SIGPIPE and
SIGCHLD. Fatal signals (SIGSEGV, SIGBUS etc.) will terminate tincd and
optionally dump core.  The previous behaviour was to terminate gracefully and
try to restart, but that usually failed and made any core dump useless.
 2011-06-02 17:14:30 +02:00
Guus Sliepen
4d440336c3 Remove outgoing event in free_connection(). 2011-05-29 22:34:19 +02:00
Guus Sliepen
d29bfc9a45 Initialise priority field to zero for packets read from the VPN interface. 2011-05-29 22:14:35 +02:00
Guus Sliepen
4c403840ff Cosmetic fix when pressing 's' in tincctl top. 2011-05-29 22:12:37 +02:00
Guus Sliepen
b3aeaf0f91 Show hostname and port in error message when connecting to a running tincd. 2011-05-29 22:10:54 +02:00
Sven-Haegar Koch
04de15984f do_outgoing_connection() may delete a failed connection, and the structure 
must not be accessed afterwards.
 2011-05-29 22:05:14 +02:00
Sven-Haegar Koch
82109868b5 src/net_socket.c bind_to_address(): Use after free in error path. 2011-05-29 22:05:04 +02:00
Guus Sliepen
5bc957074a Allow tincctl to connect to something besides localhost. 
This would allow tincctl to connect to a remote tincd, or to a local tincd that
isn't listening on localhost, for example if it is using the BindToInterface or
BindToAddress options.
 2011-05-29 14:41:05 +02:00
Guus Sliepen
64771f73eb Remove a few unnecessary #includes. 
Some spotted by Michael Tokarev.
 2011-05-28 23:46:56 +02:00
Guus Sliepen
5cff8c47c1 Remove newlines from log messages. 2011-05-28 23:42:18 +02:00
Guus Sliepen
6d08eb1614 Fix sparse warnings and add an extra sprinkling of const. 
This is more or less the equivalent of Sven-Haegar Koch's fixes in the 1.1
branch.
 2011-05-28 23:36:52 +02:00
Sven-Haegar Koch
e6b21e1a51 fgets() returns NULL on error, not < 0 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
434e57ae5e sparse fixup: warning: Using plain integer as NULL pointer 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
f4010694b3 sparse fixup: warning: non-ANSI function declaration of function '...' 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
d772289f6d sparse fixup: warning: symbol '...' was not declared. Should it be static? 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
02e32cf61e sparse fixup: error: too many arguments for function send_key_changed 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
b995243ac3 sparse fixup: error: dubious one-bit signed bitfield 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
bbd0025ae3 Use same definition for xalloc_fail_func as is really used. 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
3fca2cad48 Removed two newlines from the end of log messages which created empty lines. 2011-05-28 15:24:39 +02:00
Sven-Haegar Koch
9cce44dfe3 Fixed error logging on "Input buffer full" condition. 2011-05-28 15:24:38 +02:00
Guus Sliepen
07ffb1a198 Make return value of SetPriorityClass() behave the same as setpriority(). 2011-05-22 15:56:04 +02:00
Guus Sliepen
453c44e7b2 Add the ability to dump all traffic going through route() over a control connection. 
One can get the packet stream in pcap format, which can be decoded using
tcpdump, for example:

tincctl -n <netname> pcap | tcpdump -r -
 2011-05-22 14:17:30 +02:00
Guus Sliepen
54c900e961 Reset tcplen after use. 2011-05-22 14:02:27 +02:00
Guus Sliepen
8ddcad5fa1 Check if an event is initialized before calling event_del(). 
Libevent prints a warning to stderr if we do that.
 2011-05-22 13:24:01 +02:00