Commit graph

1330 commits

Author SHA1 Message Date
Guus Sliepen
268c8545aa Merge branch 'master' into 1.1 2012-07-14 15:13:21 +02:00
Guus Sliepen
ae8c0b65d8 Use /dev/tap0 by default on FreeBSD and NetBSD when using Mode = switch. 2012-07-12 11:25:11 +02:00
Guus Sliepen
bce177767d Fix crash when handling the ALRM signal.
In retry() the function do_outgoing_connection() is called, which can delete
items from the connection_tree, so when walking the tree we must first save the
pointer to the next item.
2012-06-26 14:22:57 +02:00
Guus Sliepen
19be9cf715 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	lib/utils.c
	src/linux/device.c
	src/meta.c
	src/net.h
	src/net_setup.c
	src/net_socket.c
	src/protocol.c
	src/protocol_auth.c
	src/tincd.c
2012-06-26 13:24:20 +02:00
Guus Sliepen
236b0ba4eb Fix crash when using Broadcast = direct. 2012-06-25 19:03:54 +02:00
Guus Sliepen
0a84f9cb8f Fix compiler warnings. 2012-06-25 19:01:51 +02:00
Guus Sliepen
c0af4c37d2 Small fixes in proxy code. 2012-06-25 15:00:24 +02:00
Guus Sliepen
62b61a1b7c Don't forget to send a newline when forwarding requests. 2012-05-13 22:16:42 +02:00
Guus Sliepen
58007d7efa Always pass request strings to other functions as const char *. 2012-05-08 16:44:15 +02:00
Sven-Haegar Koch
291a59b5b7 free_connection_partially(): also reset remote protocol version infos
The used remote protocol can change between two reconnects, aka if
the remote side has enabled/disabled for example their ExperimentalProtocols
setting.
2012-05-08 16:20:21 +02:00
Sven-Haegar Koch
32e5c5bb7c Silence SPTPS log messages, reduce them from DEBUG_ALWAYS to DEBUG_META. 2012-05-08 16:19:20 +02:00
Sven-Haegar Koch
c78bb14303 terminate_connection(): delete non-outgoing (aka incoming) connections. 2012-05-08 16:19:04 +02:00
Sven-Haegar Koch
8b9e5af0d9 Label control connections for log output as "<control>", not "<unknown>". 2012-05-08 16:18:28 +02:00
Sven-Haegar Koch
d3f4cf59ca free_connection_partially(): Avoid possible use-after-free for c->hischallenge 2012-05-08 16:18:18 +02:00
Sven-Haegar Koch
7a6ca7a993 terminate_connection(): only kill c->node->connection if it is pointing
to the same connection
2012-05-08 16:17:55 +02:00
Sven-Haegar Koch
a96c4f016c terminate_connection(): Avoid use-after-free and double-free for
already freed edge structure.
2012-05-08 16:16:59 +02:00
Guus Sliepen
5ae19cb0bb Add support for proxying through an external command.
Proxy type "exec" can be used to have an external script or binary set
up an outgoing connection. Standard input and output will be used to
exchange data with the external command. The variables REMOTEADDRESS and
REMOTEPORT are set to the intended destination address and port.
2012-04-19 15:18:31 +02:00
Guus Sliepen
fb5588856f Add support for SOCKS 5 proxies.
This only covers outgoing TCP connections, and supports only
username/password authentication or no authentication.
2012-04-19 14:10:54 +02:00
Guus Sliepen
b58d95eb29 Add basic support for SOCKS 4 and HTTP CONNECT proxies.
When the Proxy option is used, outgoing connections will be made via the
specified proxy. There is no support for authentication methods or for having
the proxy forward incoming connections, and there is no attempt to proxy UDP.
2012-04-18 23:19:40 +02:00
Guus Sliepen
84531fb6e6 Allow broadcast packets to be sent directly instead of via the MST.
When the "Broadcast = direct" option is used, broadcast packets are not sent
and forwarded via the Minimum Spanning Tree to all nodes, but are sent directly
to all nodes that can be reached in one hop.

One use for this is to allow running ad-hoc routing protocols, such as OLSR, on
top of tinc.
2012-04-16 01:57:25 +02:00
Sven-Haegar Koch
f8e15dfe8d ecdh & ecdsa: avoid some possible memory leaks in error conditions. 2012-04-16 00:54:50 +02:00
Sven-Haegar Koch
8792b9a9f3 Remove confusing error message for failed reading in ECDSA keys.
Most likeley the error is that there just is no valid key inside the used
host file, and in this case errno just contains a random value from the
last previously failed call.
2012-04-16 00:54:43 +02:00
Sven-Haegar Koch
a5bb6d40fb sptps_stop(): clear pointers after free to avoid double free.
sptps_stop() may get called twice on some failed connection setups.
2012-04-15 01:10:49 +02:00
Guus Sliepen
535a55100b Allow environment variables to be used for Name.
When the Name starts with a $, the rest will be interpreted as the name of an
environment variable containing the real Name. When Name is $HOST, but this
environment variable does not exist, gethostname() will be used to set the
Name. In both cases, illegal characters will be converted to underscores.
2012-03-29 16:45:25 +01:00
Guus Sliepen
1d9dacb1f2 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	src/logger.c
	src/net_setup.c
2012-03-26 19:06:39 +01:00
Guus Sliepen
89f4574e0b Add support for systemd style socket activation.
If the LISTEN_FDS environment variable is set and tinc is run in the
foreground, tinc will use filedescriptors 3 to 3 + LISTEN_FDS for its listening
TCP sockets. For now, tinc will create matching listening UDP sockets itself.

There is no dependency on systemd or on libsystemd-daemon.
2012-03-26 14:46:09 +01:00
Guus Sliepen
cc6aee7846 Remove newline from log message. 2012-03-26 14:45:20 +01:00
Guus Sliepen
86c2990327 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	src/Makefile.am
	src/conf.c
	src/conf.h
	src/connection.c
	src/net.c
	src/tincd.c
2012-03-25 23:35:31 +01:00
Guus Sliepen
b23681dddb Support :: in IPv6 Subnets. 2012-03-25 22:54:36 +01:00
Guus Sliepen
482c6119a7 Releasing 1.0.18. 2012-03-25 15:32:26 +01:00
Guus Sliepen
f71ce34180 Fix return type of vde_recv() as well.
In this case it is not really necessary as the conversion to int will already
take care of ensuring the return value is treated as signed.
2012-03-25 15:17:50 +01:00
Guus Sliepen
3998353853 Fix some more compiler warnings. 2012-03-25 14:46:50 +01:00
Guus Sliepen
cfe6558d4b Fix return value type of vde_send().
The libvdeplug_dyn.h header file incorrectly declares the return type of
vde_send() to size_t, while in reality it is ssize_t.
2012-03-25 14:00:21 +01:00
Guus Sliepen
95968c67f9 Fix compiler warnings. 2012-03-25 13:58:14 +01:00
Guus Sliepen
e2d1b0b899 Allow scoped addresses to be used for IPv6 multicast socket. 2012-03-25 13:42:10 +01:00
Guus Sliepen
2512040632 Add #ifdefs in case not all platforms support IPv4 and IPv6 multicast. 2012-03-25 13:40:55 +01:00
Guus Sliepen
b5e3bf1a85 Set default value of DecrementTTL to "no".
Decrementing the TTL causes IPv6 to fail when Mode = switch, and there may be
other unforeseen side-effects.
2012-03-23 13:18:36 +01:00
Guus Sliepen
c373de2e98 Add support for multicast communication with UML/QEMU/KVM.
DeviceType = multicast allows one to specify a multicast address and port with
a Device statement. Tinc will then read/send packets to that multicast group
instead of to a tun/tap device. This allows interaction with UML, QEMU and KVM
instances that are listening on the same group.
2012-03-21 17:00:53 +01:00
Guus Sliepen
a7dbb50c23 Allow a port to be specified in BindToAddress statements.
This can be used to let tinc listen on multiple ports for incoming connections.
2012-03-21 13:20:15 +01:00
Guus Sliepen
80e15d8b96 Always try next Address when an outgoing connection fails to authenticate.
When making outgoing connections, tinc goes through the list of Addresses and
tries all of them until one succeeds. However, before it would consider
establishing a TCP connection a success, even when the authentication failed.
This would be a problem if the first Address would point to a hostname and port
combination that belongs to the wrong tinc node, or perhaps even to a non-tinc
service, causing tinc to endlessly try this Address instead of moving to the
next one.

Problem found by Delf Eldkraft.
2012-03-20 23:49:16 +01:00
Guus Sliepen
d7bf63c63a Make sure the signature also covers the session label. 2012-03-18 21:24:46 +01:00
Guus Sliepen
d756bb92ed Don't send an ACK message after the first key exchange in the SPTPS protocol. 2012-03-18 17:46:30 +01:00
Guus Sliepen
c970ecdd75 Test SPTPS messages sent while key renegotation is in progress. 2012-03-18 17:42:43 +01:00
Guus Sliepen
3a4fe104a0 Add datagram mode to the SPTPS protocol.
* Everything is identical except the headers of the records.
* Instead of sending explicit message length and having an implicit sequence
  number, datagram mode has an implicit message length and an explicit sequence
  number.
* The sequence number is used to set the most significant bytes of the counter.
2012-03-18 16:42:02 +01:00
Guus Sliepen
03e06fd43a Allow CTR mode counter to be set to a specific value. 2012-03-18 16:41:13 +01:00
Guus Sliepen
4712d8f92e Update copyright notices. 2012-03-10 13:23:08 +01:00
Guus Sliepen
5b0f5ad958 Make sure disabling old RSA keys works on Windows.
Seeking in files and rewriting parts of them does not seem to work properly on
Windows. Instead, when old RSA keys are found when generating new ones, the
file containing the old keys is copied to a temporary file where the changes
are made, and that file is renamed back to the original filename. On Windows,
we cannot atomically replace files with a rename(), so we need to move the
original file out of the way first. If anything fails, the new code will warn
that the user has to solve the problem by hand.
2012-03-08 23:23:39 +01:00
Guus Sliepen
40c2858932 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	src/net_packet.c
2012-03-08 21:15:08 +01:00
Guus Sliepen
9dea33f530 Accept Subnets passed with the -o option when StrictSubnets = yes. 2012-03-07 10:40:06 +01:00
Guus Sliepen
63f8303a5d Only log errors sending UDP packets when debug level >= 5.
Since tinc will fall back to TCP or route via another node, it is not necessary
to log such errors unconditionally.
2012-03-02 16:09:58 +01:00
Guus Sliepen
8ac096b5bf Allow log messages to be captured by tincctl.
This allows tincctl to receive log messages from a running tincd,
independent of what is logged to syslog or to file. Tincctl can receive
debug messages with an arbitrary level.
2012-02-26 18:37:36 +01:00
Guus Sliepen
a1bd3a2913 Don't close control connections when handling a reload command.
Because this would terminate the connection while the control message
handler was still running, it would lead to a segmentation fault later
on.
2012-02-26 16:56:53 +01:00
Guus Sliepen
483c5dcfb4 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1 2012-02-26 16:27:13 +01:00
Guus Sliepen
ae52496109 Only use broadcast at the start of the PMTU discovery phase.
For local peer discovery, only a handful of packets are necessary for
peers to detect each other.
2012-02-26 16:23:02 +01:00
Guus Sliepen
344d6b9ac3 Let tincctl use the NETNAME environment variable if no -n option is given.
This allows administrators who frequently want to work with one tinc
network to omit the -n option. Since the NETNAME variable is set by
tincd when executing scripts, this makes it slightly easier to use
tincctl from within scripts.
2012-02-26 13:08:34 +01:00
Guus Sliepen
84570275ac Ensure all SPTPS functions are prefixed with sptps_. 2012-02-26 12:33:16 +01:00
Guus Sliepen
8b1ad6f76f Go back to breadth first search for path finding.
If 1.1.x nodes using Dijkstra's algorithm are mixed with 1.0.x nodes using BFS,
then routing loops can occur.
2012-02-25 23:03:09 +01:00
Guus Sliepen
36623e15a1 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1 2012-02-25 22:52:57 +01:00
Guus Sliepen
5140656de6 Stricter checks against routing loops.
If a packet that had to be sent via an intermediate hop, and that intermediate
hop was the one that sent the packet, we drop it.
2012-02-25 22:11:30 +01:00
Guus Sliepen
f1d5eae643 Don't send ICMP Time Exceeded messages for other Time Exceeded messages.
That would be silly.
2012-02-25 21:46:18 +01:00
Guus Sliepen
65d6f023c4 Use SPTPS when ExperimentalProtocol is enabled. 2012-02-25 18:25:21 +01:00
Guus Sliepen
efd21e232d Apply HMAC after encryption. 2012-02-25 15:18:15 +01:00
Guus Sliepen
f5dc136cfd Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	src/net.c
	src/net_packet.c
	src/net_socket.c
2012-02-23 13:26:01 +01:00
Guus Sliepen
5a28aa7b8b Add LocalDiscovery option which tries to detect peers on the local network.
Currently, this is implemented by sending IPv4 broadcast packets to the
LAN during path MTU discovery.
2012-02-22 23:17:43 +01:00
Guus Sliepen
8e717ddb60 Pass index into listen_socket[] to handle_incoming_vpn_data(). 2012-02-22 14:37:56 +01:00
Guus Sliepen
3fba80174d Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	doc/tincd.8.in
	src/Makefile.am
	src/bsd/device.c
	src/connection.c
	src/connection.h
	src/cygwin/device.c
	src/device.h
	src/dropin.h
	src/linux/device.c
	src/mingw/device.c
	src/net.c
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/process.c
	src/protocol.c
	src/protocol_key.c
	src/raw_socket_device.c
	src/route.c
	src/solaris/device.c
	src/tincd.c
	src/uml_device.c
2012-02-22 14:23:59 +01:00
Guus Sliepen
fba1c85f44 Remove useless warning about signature length being shorter than expected. 2012-02-21 23:19:51 +01:00
Guus Sliepen
cb6cbf452f Use only one hash algorithm (SHA512) in the PRF.
On some platforms, OpenSSL by default does not support the Whirlpool algorithm.
2012-02-21 23:17:12 +01:00
Guus Sliepen
ac48c4ee8c Fix check for raw socket support.
Also, move some variables so there are no compiler warnings about unused
variables when there is no support for raw sockets.
2012-02-21 14:06:55 +01:00
Guus Sliepen
d9ad3d313d Fix a bug that caused tinc to ignore all but the last listening socket. 2012-02-21 13:31:21 +01:00
Guus Sliepen
46506b7aaf Document the command line flag -o and provide --option as well. 2012-02-21 13:13:40 +01:00
Guus Sliepen
7d76e28759 Move initialization of char *priority up to prevent freeing an uninitialized pointer. 2012-02-21 11:39:21 +01:00
Guus Sliepen
8420a0c8bd Allow disabling of broadcast packets.
The Broadcast option can be used to cause tinc to drop all broadcast and
multicast packets. This option might be expanded in the future to selectively
allow only some broadcast packet types.
2012-02-20 17:19:00 +01:00
Guus Sliepen
ea415ccc16 Rename connection_t *broadcast to everyone. 2012-02-20 17:12:48 +01:00
Guus Sliepen
cff5a844a3 Don't bind outgoing TCP sockets anymore.
The code introduced in commit 41a05f59ba is not
needed anymore, since tinc has been able to handle UDP packets from a different
source address than those of the TCP packets since 1.0.10.  When using multiple
BindToAddress statements, this code does not make sense anymore, we do want the
kernel to choose the source address on its own.
2012-02-20 16:52:53 +01:00
Guus Sliepen
0233b1d710 Decrement TTL of incoming packets.
Tinc will now, by default, decrement the TTL field of incoming IPv4 and IPv6
packets, before forwarding them to the virtual network device or to another
node. Packets with a TTL value of zero will be dropped, and an ICMP Time
Exceeded message will be sent back.

This behaviour can be disabled using the DecrementTTL option.
2012-02-20 16:34:02 +01:00
Guus Sliepen
6289859ab3 Only compile raw socket code when it is supported on that platform. 2012-02-20 15:44:52 +01:00
Guus Sliepen
d1dcdf8eb6 Merge branch 'master' of black:tinc 2012-02-18 14:31:08 +01:00
Guus Sliepen
3b1fad04de Allow setting DeviceType to tun or tap on Linux. 2012-02-18 14:37:52 +01:00
Guus Sliepen
6455654d26 Send packets back using the same socket as they were received on. 2012-02-18 11:48:21 +01:00
Guus Sliepen
1b2846d907 Merge branch 'master' of black:tinc 2012-02-18 11:43:00 +01:00
Guus Sliepen
9f6a96af39 Allow multiple BindToAddress statements. 2012-02-17 16:25:00 +01:00
Guus Sliepen
708314df2f Set FD_CLOEXEC flag on all sockets.
Scripts called by tinc would inherit its open filedescriptors. This could
be a problem if other long-running daemons are started from those scripts,
if those daemons would not close all filedescriptors before going into the
background.

Problem found and solution suggested by Nick Hibma.
2012-02-17 16:13:38 +01:00
Guus Sliepen
1f00111e94 Fix a few small memory leaks. 2011-12-26 23:11:27 +01:00
Guus Sliepen
b50d6a7f2a Fix compiler warnings. 2011-12-26 23:04:40 +01:00
Guus Sliepen
178e52f76e Allow linking with multiple device drivers.
Apart from the platform specific tun/tap driver, link with the dummy and
raw_socket devices, and optionally with support for UML and VDE devices.
At runtime, the DeviceType option can be used to select which driver to
use.
2011-12-04 01:20:59 +01:00
Guus Sliepen
5672863e59 Fix a few small memory leaks. 2011-12-03 21:59:47 +01:00
Guus Sliepen
52ded09d17 Add vde/device.c to the tarball. 2011-11-27 12:13:16 +01:00
Guus Sliepen
2c7c87ec75 Fix compilation of VDE and UML interfaces. 2011-11-27 12:12:34 +01:00
Guus Sliepen
2a9060bba6 Exchange ACK records to indicate switch to new keys.
This allow application records to be sent while key renegotiation is still
happening.
2011-10-06 15:32:12 +02:00
Guus Sliepen
3b5898078a Use counter mode encryption. 2011-10-06 09:34:34 +02:00
Guus Sliepen
a0f795ff5b Add counter mode encryption. 2011-10-06 09:33:09 +02:00
Guus Sliepen
67ff81ec16 Test corner cases in the SPTPS protocol.
* Test zero-byte messages.
* Test maximum size (65535 byte) messages.
* Test different message types.
* Test key renegotiation.
2011-10-05 22:05:13 +02:00
Guus Sliepen
3001351150 Update SPTPS protocol.
* Exchange nonce and ECDH public key first, calculate the ECDSA signature
  over the complete key exchange.
* Make an explicit distinction between client and server in the signatures.
* Add more comments and replace some magic numbers by #defines.

Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 22:00:51 +02:00
Guus Sliepen
810847248a Fix compiler warning. 2011-10-05 21:59:33 +02:00
Guus Sliepen
ddea7a23a6 Return false instead of void when there is an error. 2011-08-30 20:49:48 +02:00
Guus Sliepen
e838289683 Prevent read_rsa_public_key() from returning an uninitialized RSA structure.
In case the config file could not be opened a new but unitialized RSA structure
would be returned, causing a segmentation fault later on. This would only
happen in the case that the config file could be opened before, but not when
read_rsa_public_key() was called. This situation could occur when the --user
option was used, and the config files were not readable by the specified user.
2011-08-30 20:04:18 +02:00
Guus Sliepen
5d4336e542 Handle UDP packets with unknown source addresses properly.
Probably due to a merge, the try_harder() function had duplicated the
rate-limiting code for detecting the sender node based on the HMAC of the
packet. This prevented this detection from running at all. The function is now
identical again to that in the 1.0 branch.
2011-08-10 17:04:17 +02:00
Michael Tokarev
bbc0ba9e87 use execvp() not execve() in tincctl start
sometimes argv[0] will have directory-less name (when the
command is started by shell searching in $PATH for example).
For tincctl start we want the same rules to run tincd as for
tincctl itself (having full path is better but if shell does
not provide one we've no other choice).  Previous code tried
to run ./tincd in this case, which is obviously wrong.

This is a fix for the previous commit.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2011-08-07 10:51:21 +02:00
Michael Tokarev
a7556a9d2c run tincd from the same directory as tincctl and pass all options to it
For tincctl start, run tincd from dirname($0) not SBINDIR -
this allows painless alternative directory installation and
running from build directory too.

Also while at it, pass the rest of command line to tincd, not
only options before "start" argument.  This way it's possible
to pass options to tincd like this:
  tincctl -n net start -- -d 1 -R -U tincuser ...

And also add missing newline at the end of error message there.

Signed-Off-By: Michael Tokarev <mjt@tls.msk.ru>
2011-08-07 10:12:43 +02:00