Commit graph

108 commits

Author SHA1 Message Date
Guus Sliepen
d1ec010660 Fix memory leaks found by valgrind. 2012-10-09 16:27:28 +02:00
Guus Sliepen
0b8b23e0dd C99 extravaganza. 2012-10-08 00:35:38 +02:00
Guus Sliepen
ff306f0cda Replace the connection_tree with a connection_list.
The tree functions were never used on the connection_tree, a list is more appropriate.
Also be more paranoid about connections disappearing while traversing the list.
2012-10-07 21:59:53 +02:00
Guus Sliepen
c2a9ed9e98 Handle packets encrypted via SPTPS that need to be forwarded via TCP. 2012-10-07 14:03:50 +02:00
Guus Sliepen
bb6b97ce34 Make datagram SPTPS key exchange more robust.
Similar to old style key exchange requests, keep track of whether a key
exchange is already in progress and how long it took. If no key is known yet
or if key exchange takes too long, (re)start a new key exchange.
2012-10-07 13:31:19 +02:00
Guus Sliepen
6dfdb32361 Merge branch 'master' into 1.1
Conflicts:
	lib/utils.c
	src/net_setup.c
	src/process.c
	src/protocol_auth.c
	src/protocol_key.c
	src/utils.h
2012-09-30 15:00:47 +02:00
Guus Sliepen
c4940a5c88 Add strict checks to hex to binary conversions.
The main goal is to catch misuse of the obsolete PrivateKey and PublicKey
statements.
2012-09-30 13:45:47 +02:00
Guus Sliepen
9e76c464b2 Remove some debugging messages. 2012-09-28 17:51:48 +02:00
Guus Sliepen
8af2f3f5a4 Optionally compress and/or strip Ethernet header from SPTPS packets. 2012-08-02 17:44:59 +02:00
Guus Sliepen
91937812bd Clear struct sptps before reusing it. 2012-08-02 17:23:51 +02:00
Guus Sliepen
7a71d48009 Use a status bit to track which nodes use SPTPS. 2012-07-31 21:43:49 +02:00
Guus Sliepen
153abaa4d9 Use datagram SPTPS for packet exchange between nodes.
When two nodes which support SPTPS want to send packets to each other, they now
always use SPTPS. The node initiating the SPTPS session send the first SPTPS
packet via an extended REQ_KEY messages. All other handshake messages are sent
using ANS_KEY messages. This ensures that intermediate nodes using an older
version of tinc can still help with NAT traversal. After the authentication
phase is over, SPTPS packets are sent via UDP, or are encapsulated in extended
REQ_KEY messages instead of PACKET messages.
2012-07-30 18:36:59 +02:00
Guus Sliepen
5eeed38b8e Make sure tinc compiles on Windows. 2012-07-21 12:51:53 +02:00
Guus Sliepen
68a20876d0 Use minor protocol version to determine whether to use ECDH key exchange between nodes. 2012-07-20 01:02:51 +02:00
Guus Sliepen
58007d7efa Always pass request strings to other functions as const char *. 2012-05-08 16:44:15 +02:00
Guus Sliepen
86c2990327 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	src/Makefile.am
	src/conf.c
	src/conf.h
	src/connection.c
	src/net.c
	src/tincd.c
2012-03-25 23:35:31 +01:00
Guus Sliepen
4712d8f92e Update copyright notices. 2012-03-10 13:23:08 +01:00
Guus Sliepen
8ac096b5bf Allow log messages to be captured by tincctl.
This allows tincctl to receive log messages from a running tincd,
independent of what is logged to syslog or to file. Tincctl can receive
debug messages with an arbitrary level.
2012-02-26 18:37:36 +01:00
Guus Sliepen
3fba80174d Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	doc/tincd.8.in
	src/Makefile.am
	src/bsd/device.c
	src/connection.c
	src/connection.h
	src/cygwin/device.c
	src/device.h
	src/dropin.h
	src/linux/device.c
	src/mingw/device.c
	src/net.c
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/process.c
	src/protocol.c
	src/protocol_key.c
	src/raw_socket_device.c
	src/route.c
	src/solaris/device.c
	src/tincd.c
	src/uml_device.c
2012-02-22 14:23:59 +01:00
Guus Sliepen
ea415ccc16 Rename connection_t *broadcast to everyone. 2012-02-20 17:12:48 +01:00
Guus Sliepen
5672863e59 Fix a few small memory leaks. 2011-12-03 21:59:47 +01:00
Guus Sliepen
cff27a258f Use ECDSA to sign ECDH key exchange for UDP session keys.
The ECDSA public keys will also be included in the ANS_KEY requests,
but are only used when no ECDSA public key is known yet.
2011-07-16 20:21:44 +02:00
Guus Sliepen
2ba61742d4 Use the correct direction flag when setting cipher keys.
The flag was set incorrectly, but for most ciphers this does not have
any effect. AES in any of the block modes is picky about it though.
2011-07-16 15:15:29 +02:00
Guus Sliepen
303dd1e702 Fix compiler warnings. 2011-07-13 22:52:52 +02:00
Guus Sliepen
fec279a9c5 Make use of the improved hex and base64 functions.
Also, use base64 for all EC related data, it is shorter and easy to
distinguish from the legacy protocol.
2011-07-12 23:43:12 +02:00
Guus Sliepen
bbeab00f46 Require ExperimentalProtocol = yes for new features, update documentation. 2011-07-11 21:54:01 +02:00
Guus Sliepen
ac163120d7 Proper use of PRF. 2011-07-03 16:30:49 +02:00
Guus Sliepen
82f00ea07b Use PRF. 2011-07-03 15:59:49 +02:00
Guus Sliepen
8dfa072733 Support ECDH key exchange.
REQ_KEY requests have an extra field indicating key exchange version.
If it is present and > 0, the sender supports ECDH. If the receiver also
does, then it will generate a new keypair and sends the public key in a
ANS_KEY request with "ECDH:" prefixed. The ans_key_h() function will
compute the shared secret, which, at the moment,is used as is to set the
cipher and HMAC keys. However, this must be changed to use a proper KDF.
In the future, the ECDH key exchange must also be signed.
2011-07-03 13:17:28 +02:00
Guus Sliepen
365f60f3f8 Don't call event_del() from the mtuevent handler, always send_mtu_probe() in ans_key_h(). 2011-06-24 22:49:18 +02:00
Guus Sliepen
6d08eb1614 Fix sparse warnings and add an extra sprinkling of const.
This is more or less the equivalent of Sven-Haegar Koch's fixes in the 1.1
branch.
2011-05-28 23:36:52 +02:00
Sven-Haegar Koch
f4010694b3 sparse fixup: warning: non-ANSI function declaration of function '...' 2011-05-28 15:24:39 +02:00
Guus Sliepen
3794e551c7 Fix check for event initialization due to the merge. 2011-05-14 11:52:35 +02:00
Guus Sliepen
ce8775000a Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	doc/tincd.8.in
	lib/pidfile.c
	src/bsd/device.c
	src/dropin.h
	src/net.c
	src/net_packet.c
	src/node.c
	src/process.c
	src/tincd.c
2011-05-09 21:35:14 +02:00
Guus Sliepen
67766d65f0 Update THANKS and copyright information. 2011-05-08 21:22:20 +02:00
Guus Sliepen
f99661a4ca Always send MTU probes at least once every PingInterval.
Before, if MTU probes failed, tinc would stop sending probes until the next
time keys were regenerated (by default, once every hour).  Now it continues to
send them every PingInterval, so it recovers faster from temporary failures.
2011-01-02 15:02:23 +01:00
Guus Sliepen
886a6f61a1 Merge branch 'master' into 1.1
Conflicts:
	src/net_packet.c
	src/openssl/rsagen.h
	src/protocol_auth.c
	src/protocol_key.c
2010-11-19 12:22:48 +00:00
Brandon L Black
23acc19bc0 Configurable ReplayWindow size, zero disables 2010-11-13 21:25:46 +01:00
Guus Sliepen
9e3ca39773 Use variable length arrays instead of alloca(). 2010-11-13 15:55:38 +01:00
Guus Sliepen
a22041922f Merge branch 'master' into 1.1
Conflicts:
	doc/tincd.8.in
	lib/pidfile.c
	src/graph.c
	src/net.c
	src/net.h
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/node.h
	src/protocol_auth.c
	src/protocol_key.c
	src/tincd.c
2010-11-12 16:15:29 +01:00
Guus Sliepen
4b6a9f1c1f Do not append an address to ANS_KEY messages if we don't know any address.
This would let tinc raise an exception when an ANS_KEY request crossed a
DEL_EDGE request for the node sending the key.
2010-06-04 16:03:19 +02:00
Guus Sliepen
2911af6e23 Fix merge of commit 4a0b998151. 2010-04-17 12:33:15 +02:00
Sven-Haegar Koch
ffa1dc73dc Fixed 1.0 miss-merges 2010-03-31 05:01:39 +02:00
Sven-Haegar Koch
103543aa2c Merge branch 'master' into 1.1
Conflicts:
	NEWS
	README
	configure.in
	have.h
	src/conf.c
	src/conf.h
	src/net.c
	src/net_packet.c
	src/protocol_key.c
	src/protocol_subnet.c
	src/route.c
	src/tincd.c
2010-03-26 16:51:03 +01:00
Guus Sliepen
cd0c2e86a4 Ensure peers with a meta connection always have our key.
This keeps UDP probes going, which in turn keeps NAT mappings alive.
2010-02-03 11:18:46 +01:00
Guus Sliepen
40d91ff619 Update copyright notices. 2010-02-02 22:49:21 +01:00
Guus Sliepen
4a0b998151 Determine peer's reflexive address and port when exchanging keys.
To help peers that are behind NAT connect to each other directly via UDP, they
need to know the exact external address and port that they use. Keys exchanged
between NATted peers necessarily go via a third node, which knows this address
and port, and can append this information to the keys, which is in turned used
by the peers.

Since PMTU discovery will immediately trigger UDP communication from both sides
to each other, this should allow direct communication between peers behind
full, address-restricted and port-restricted cone NAT.
2010-02-02 00:51:44 +01:00
Guus Sliepen
d15099e002 Be liberal in accepting KEY_CHANGED/REQ_KEY/ANS_KEY requests.
When we got a key request for or from a node we don't know, we disconnected the
node that forwarded us that request.  However, especially in TunnelServer mode,
disconnecting does not help. We now ignore such requests, but since there is no
way of telling the original sender that the request was dropped, we now retry
sending REQ_KEY requests when we don't get an ANS_KEY back.
2010-01-23 18:48:01 +01:00
Guus Sliepen
c845bc109c Fix packet authentication.
This wasn't working at all, since we didn't do HMAC but just a plain hash.
Also, verification of packets failed because it was checking the whole packet,
not the packet minus the HMAC.
2009-12-18 01:15:25 +01:00
Guus Sliepen
7ea85043ac Merge branch 'master' into 1.1
Conflicts:
	NEWS
	configure.in
	lib/Makefile.am
	lib/pidfile.c
	lib/pidfile.h
	lib/utils.c
	po/POTFILES.in
	po/nl.po
	src/Makefile.am
	src/bsd/device.c
	src/conf.c
	src/connection.c
	src/cygwin/device.c
	src/edge.c
	src/event.c
	src/graph.c
	src/linux/device.c
	src/meta.c
	src/mingw/device.c
	src/net.c
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/process.c
	src/protocol.c
	src/protocol_auth.c
	src/protocol_edge.c
	src/protocol_key.c
	src/protocol_misc.c
	src/protocol_subnet.c
	src/raw_socket/device.c
	src/route.c
	src/solaris/device.c
	src/subnet.c
	src/tincd.c
	src/uml_socket/device.c
2009-09-29 14:55:29 +02:00