Commit graph

91 commits

Author SHA1 Message Date
Guus Sliepen
2f4ccfe247 Fix tinc 1.0.x daemons connecting when ExperimentalProtocol = yes. 2011-07-19 21:11:11 +02:00
Guus Sliepen
cff27a258f Use ECDSA to sign ECDH key exchange for UDP session keys.
The ECDSA public keys will also be included in the ANS_KEY requests,
but are only used when no ECDSA public key is known yet.
2011-07-16 20:21:44 +02:00
Guus Sliepen
2ba61742d4 Use the correct direction flag when setting cipher keys.
The flag was set incorrectly, but for most ciphers this does not have
any effect. AES in any of the block modes is picky about it though.
2011-07-16 15:15:29 +02:00
Guus Sliepen
303dd1e702 Fix compiler warnings. 2011-07-13 22:52:52 +02:00
Guus Sliepen
fec279a9c5 Make use of the improved hex and base64 functions.
Also, use base64 for all EC related data, it is shorter and easy to
distinguish from the legacy protocol.
2011-07-12 23:43:12 +02:00
Guus Sliepen
bbeab00f46 Require ExperimentalProtocol = yes for new features, update documentation. 2011-07-11 21:54:01 +02:00
Guus Sliepen
30ef2a981e Automatically exchange ECDSA keys and upgrade to new authentication protocol.
If we don't have ECDSA keys for the node we connect to, set protocol_minor
to 1, to indicate this to the other end. This will first complete the
old way of authentication with RSA keys, and will then exchange ECDSA keys.
The connection will be terminated right afterwards, and the next attempt
will use ECDSA keys.
2011-07-10 22:34:17 +02:00
Guus Sliepen
8132be8fbd Very primitive ECDSA signed ECDH key exchange for the meta protocol.
Nonces and hash of the ID requests should be included in the seed for the PRF.
2011-07-07 22:30:55 +02:00
Guus Sliepen
86d83bd9bd Bump minor protocol to indicate ECDH capability for UDP session keys. 2011-07-05 21:29:31 +02:00
Guus Sliepen
9708bbfa8e Add a minor number to the protocol version. 2011-07-05 21:19:48 +02:00
Guus Sliepen
a22041922f Merge branch 'master' into 1.1
Conflicts:
	doc/tincd.8.in
	lib/pidfile.c
	src/graph.c
	src/net.c
	src/net.h
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/node.h
	src/protocol_auth.c
	src/protocol_key.c
	src/tincd.c
2010-11-12 16:15:29 +01:00
Guus Sliepen
ff71f28902 Merge local host configuration with server configuration.
With some exceptions, tinc only accepted host configuration options for the
local node from the corresponding host configuration file. Although this is
documented, many people expect that they can also put those options in
tinc.conf. Tinc now internally merges the contents of both tinc.conf and the
local host configuration file.
2010-10-22 12:47:12 +02:00
Guus Sliepen
113458c286 Use correct digest length when checking a received key. 2010-04-30 23:11:48 +02:00
Guus Sliepen
79e46d08a4 Merge branch 'master' into 1.1
Conflicts:
	NEWS
	README
	configure.in
	src/net.c
	src/net.h
2010-04-17 12:21:53 +02:00
Guus Sliepen
f75e71bc69 Convert Port to numeric form before sending it to other nodes.
If one uses a symbolic name for the Port option, tinc will send that name
literally to other nodes.  However, it is not guaranteed that all nodes have
the same contents in /etc/services, or have such a file at all.
2010-04-03 09:46:45 +01:00
Sven-Haegar Koch
103543aa2c Merge branch 'master' into 1.1
Conflicts:
	NEWS
	README
	configure.in
	have.h
	src/conf.c
	src/conf.h
	src/net.c
	src/net_packet.c
	src/protocol_key.c
	src/protocol_subnet.c
	src/route.c
	src/tincd.c
2010-03-26 16:51:03 +01:00
Guus Sliepen
40d91ff619 Update copyright notices. 2010-02-02 22:49:21 +01:00
Guus Sliepen
b455111184 Make MSS clamping configurable, but enabled by default.
It can either be set globally in tinc.conf, or per-node in host config files.
2010-01-16 20:16:33 +01:00
Guus Sliepen
edebf579f2 Use the TCP socket infrastructure for control sockets.
The control socket code was completely different from how meta connections are
handled, resulting in lots of extra code to handle requests.  Also, not every
operating system has UNIX sockets, so we have to resort to another type of
sockets or pipes for those anyway.  To reduce code duplication and make control
sockets work the same on all platforms, we now just connect to the TCP port
where tincd is already listening on.

To authenticate, the program that wants to control a running tinc daemon must
send the contents of a cookie file. The cookie is a random 256 bits number that
is regenerated every time tincd starts. The cookie file should only be readable
by the same user that can start a tincd.

Instead of the binary-ish protocol previously used, we now use an ASCII
protocol similar to that of the meta connections, but this can still change.
2009-11-07 23:43:25 +01:00
Guus Sliepen
108b238915 Merge branch 'master' into 1.1
Conflicts:
	NEWS
	README
	configure.in
	doc/tinc.texi
	doc/tincd.8.in
	src/Makefile.am
	src/connection.c
	src/edge.c
	src/meta.c
	src/net.c
	src/net.h
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/node.c
	src/openssl/rsagen.h
	src/protocol_auth.c
	src/protocol_edge.c
	src/subnet.c
2009-11-02 14:24:27 +01:00
Guus Sliepen
5cbddc68ba Use uint32_t instead of long int for connection options.
Options should have a fixed width anyway, but this also fixes a possible MinGW
compiler bug where %lx tries to print a 64 bit value, even though a long int is
only 32 bits.
2009-10-24 16:15:24 +02:00
Guus Sliepen
07a560eab6 Drop localisation and checkpoint tracing in files not covered by the merge. 2009-09-29 15:19:55 +02:00
Guus Sliepen
7ea85043ac Merge branch 'master' into 1.1
Conflicts:
	NEWS
	configure.in
	lib/Makefile.am
	lib/pidfile.c
	lib/pidfile.h
	lib/utils.c
	po/POTFILES.in
	po/nl.po
	src/Makefile.am
	src/bsd/device.c
	src/conf.c
	src/connection.c
	src/cygwin/device.c
	src/edge.c
	src/event.c
	src/graph.c
	src/linux/device.c
	src/meta.c
	src/mingw/device.c
	src/net.c
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/process.c
	src/protocol.c
	src/protocol_auth.c
	src/protocol_edge.c
	src/protocol_key.c
	src/protocol_misc.c
	src/protocol_subnet.c
	src/raw_socket/device.c
	src/route.c
	src/solaris/device.c
	src/subnet.c
	src/tincd.c
	src/uml_socket/device.c
2009-09-29 14:55:29 +02:00
Guus Sliepen
4c85542894 Drop support for localisation.
Localised messages don't make much sense for a daemon, and there is only the
Dutch translation which costs time to maintain.
2009-09-25 00:54:07 +02:00
Guus Sliepen
a227843b73 Remove checkpoint tracing.
This feature is not necessary anymore since we have tools like valgrind today
that can catch stack overflow errors before they make a backtrace in gdb
impossible.
2009-09-25 00:33:04 +02:00
Guus Sliepen
5dde6461a3 K&R style braces.
This is essentially commit f02d3ed3e1 from the
1.1 branch, making it easier to merge between master and 1.1.
2009-09-25 00:14:03 +02:00
Guus Sliepen
ab7c61b06f Update the address of the Free Software Foundation in all copyright headers. 2009-09-25 00:01:00 +02:00
Guus Sliepen
c217d214f4 Remove all occurences of $Id$. 2009-09-24 23:39:16 +02:00
Guus Sliepen
4124b9682f Handle truncated message authentication codes. 2009-06-06 19:04:04 +02:00
Guus Sliepen
5a132550de Merge branch 'master' into 1.1
Conflicts:
	doc/tincd.8.in
	lib/pidfile.c
	src/graph.c
	src/net.c
	src/net.h
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/node.h
	src/protocol_auth.c
	src/protocol_key.c
	src/tincd.c
2009-06-05 23:14:13 +02:00
Guus Sliepen
7034338bc3 Use xrealloc instead of if(ptr) ptr = xmalloc(). 2009-05-24 19:35:51 +02:00
Guus Sliepen
08aabbf931 Merge branch 'master' into 1.1
Conflicts:
	NEWS
	README
	doc/tinc.conf.5.in
	doc/tinc.texi
	po/nl.po
	src/conf.c
	src/connection.c
	src/event.c
	src/graph.c
	src/net.c
	src/net_packet.c
	src/net_socket.c
	src/node.c
	src/node.h
	src/openssl/rsagen.h
	src/protocol_auth.c
	src/protocol_key.c
	src/protocol_misc.c
	src/subnet.c
	src/subnet.h
	src/tincd.c
2009-03-09 19:02:24 +01:00
Guus Sliepen
d5b56bbba5 Disable PMTUDiscovery in switch and hub modes.
In switch and hub modes, tinc does not generate ICMP packets in response to
packets that are larger than the path MTU.  However, if PMTUDiscovery is
enabled, the IP_MTU_DISCOVER and IPV6_MTU_DISCOVER option is set on the UDP
sockets, which causes all UDP packets to be sent with the DF bit set, causing
large packets to be dropped, even if they would otherwise be routed fine.
2009-03-09 13:48:54 +01:00
Guus Sliepen
78fc59e994 Update THANKS and copyright information. 2009-03-05 14:12:36 +01:00
Michael Tokarev
76a1bcaffc Enable PMTUDiscovery only if BOTH sides wants it.
Don't enable PMTUDiscovery if at least one side does not support it.
Before it was enabled if at least one side supported it, now both are required.
2009-03-04 21:12:20 +01:00
Guus Sliepen
0e4d419aae Enable PMTU discovery by default. 2008-12-22 20:35:45 +00:00
Guus Sliepen
e9576632dc Update copyright information. 2008-12-22 20:27:52 +00:00
Guus Sliepen
76165488f8 Backport fixes from trunk since revision 1555. 2008-12-11 15:21:40 +00:00
Guus Sliepen
046158a216 Use the crypto wrappers again instead of calling OpenSSL directly.
This theoretically allows other cryptographic libraries to be used,
and it improves the readability of the code.
2008-12-11 14:44:44 +00:00
Guus Sliepen
38c2d6c1da Correct debug message. 2008-12-05 14:17:39 +00:00
Scott Lamb
40731d030f Temporarily revert to old crypto code
(The new code is still segfaulting for me, and I'd like to proceed with other
work.)

This largely rolls back to the revision 1545 state of the existing code
(new crypto layer is still there with no callers), though I reintroduced
the segfault fix of revision 1562.
2007-11-07 02:47:05 +00:00
Guus Sliepen
269892f70b Prevent double free() of a used challenge nonce. 2007-10-20 11:21:44 +00:00
Guus Sliepen
54892b2e3e Fix connection weight estimation. 2007-10-19 18:53:48 +00:00
Guus Sliepen
1b8f891836 Finish crypto wrapping. Also provide wrappers for OpenSSL.
Disable libgcrypt by default. Since it doesn't support the OFB cipher mode,
we can't use it in a backwards compatible way.
2007-05-23 13:45:49 +00:00
Guus Sliepen
465837dd7f Parse PEM RSA keys ourself, and use libgcrypt to do RSA encryption and decryption. 2007-05-20 22:28:49 +00:00
Guus Sliepen
fbf305c09d Use libevent for meta socket input/output buffering. 2007-05-19 22:23:02 +00:00
Guus Sliepen
29fbce4497 Detect duplicate outgoing connections. 2007-05-18 10:29:10 +00:00
Guus Sliepen
fb0cfccf7d Use splay trees instead of AVL trees. 2007-05-18 10:05:26 +00:00
Guus Sliepen
f02d3ed3e1 K&R style braces 2007-05-18 10:00:00 +00:00
Guus Sliepen
6ea1dfc995 Port fixes from release 1.0.8. 2007-05-17 19:15:48 +00:00