Commit graph

2491 commits

Author SHA1 Message Date
Guus Sliepen
475088ed77 sptps_test: allow using a tun device instead of stdio. 2014-04-15 17:26:08 +02:00
Guus Sliepen
2980173ee7 Use the ChaCha-Poly1305 cipher for the SPTPS protocol.
The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a
dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function
changes between versions. The source code for ChaCha-Pol1305 is small and in
the public domain, and can therefore be easily included in tinc itself.
Moreover, it is very fast even without using any optimized assembler, easily
outperforming AES-256-GCM on platforms that don't have special AES instructions
in hardware.
2014-04-14 21:43:45 +02:00
Guus Sliepen
49e3baec20 Merge branch '1.1-ed25519' into 1.1 2014-04-14 20:50:16 +02:00
Guus Sliepen
37b729d7fd Properly initialize buffers.
Valgrind complained about use of uninitialized data.
2014-04-13 12:09:48 +02:00
Guus Sliepen
2f01744f82 Use Ed25519 keys.
This uses the portable Ed25519 library made by Orson Peters, which in turn uses
the reference implementation made by Daniel J. Bernstein.

This implementation also allows Ed25519 keys to be used for key exchange, so
there is no need to add a separate implementation of Curve25519.
2014-04-06 22:47:26 +02:00
Guus Sliepen
d6734a2da4 Fix return value of b64encode(). 2014-04-06 22:46:06 +02:00
Guus Sliepen
f134bd0c9c Handle a disconnecting tincd better.
- Try to prevent SIGPIPE from being sent for errors sending to the control
  socket. We don't outright block the SIGPIPE signal because we still want the
  tinc CLI to exit when its output is actually sent to a real (broken) pipe.

- Don't call exit() from top(), and properly detect when the control socket is
  closed by the tincd.
2014-03-09 15:32:10 +01:00
Guus Sliepen
09e000ba54 Rewind the file before trying to use PEM_read_RSA_PUBKEY(). 2014-02-26 17:27:57 +01:00
Guus Sliepen
44c7f554c7 Add "network" command to list or switch networks. 2014-02-26 11:04:42 +01:00
Guus Sliepen
48ecff6ddb Add missing attribution for 1.1pre10 to the NEWS file. 2014-02-07 23:06:26 +01:00
Guus Sliepen
9f7e2dffb2 Really fix compiling under Windows. 2014-02-07 23:05:33 +01:00
Guus Sliepen
173072ff07 Releasing 1.1pre10. 2014-02-07 21:40:42 +01:00
Guus Sliepen
cb5c1b5986 Check whether OpenSSL has support for GCM. 2014-02-07 21:40:29 +01:00
Guus Sliepen
cdda0388a8 Fix compiling for Windows. 2014-02-07 21:14:41 +01:00
Guus Sliepen
06a4a8c153 Update copyright notices. 2014-02-07 20:38:48 +01:00
Guus Sliepen
bc9347042b Attribution for Dennis Joachimsthaler. 2014-02-07 19:57:06 +01:00
Guus Sliepen
ac7f82cb23 Handle errors from TAP-Win32/64 adapter in a better way.
Before, the tapreader thread would just exit immediately after encountering the
first error, without notifying the main thread. Now, the tapreader thead never
exits itself, but tells the main thread to stop when more than ten errors are
encountered in a row.
2014-02-07 19:55:31 +01:00
Guus Sliepen
2f41780023 Attribution for various contributors.
Conflicts:
	THANKS
2014-02-07 19:55:28 +01:00
Guus Sliepen
e717e424c2 Use addresses learned from other nodes when making outgoing connections.
Before, when making a meta-connection to a node (either because of a ConnectTo
or because AutoConnect is set), tinc required one or more Address statements
in the corresponding host config file. However, tinc learns addresses from
other nodes that it uses for UDP connections. We can use those just as well for
TCP connections.
2014-01-30 17:10:30 +01:00
Guus Sliepen
995444c4f9 Document Weight and also allow it to be set from tinc.conf. 2014-01-29 17:32:18 +01:00
Guus Sliepen
2e318f3799 Don't ask questions if we are not running interactively.
When creating invitations or using them to join a VPN, and the tinc command is
not run interactively (ie, when stdin and stdout are not connected or
redirected to/from a file), don't ask questions. If normally tinc would ask for
a confirmation, just assume the default answer instead. If tinc really needs
some input, just print an error message instead.

In case an invitation is used for a VPN which uses a netname that is already in
use on the local host, tinc will store the configuration in a temporary
directory. Normally it asks for an alternative netname and then renames the
temporary directory, but when not run interactively, it now just prints the
location of the unchanged temporary directory.
2014-01-29 17:17:59 +01:00
Guus Sliepen
00398a60ec Add missing newlines when copying variables from tinc.conf to an invitation file. 2014-01-27 23:21:25 +01:00
Guus Sliepen
fa1e9b0461 Test two tinc daemons using network namespaces.
Testing multiple daemons connecting to each other on the same computer is
usually difficult, because connections to local IP addresses will bypass most
of the network stack. However, recent versions of Linux support network
namespaces, which can isolate network interfaces. We use this to isolate the
virtual interface of the daemons from each other, so we get the behaviour as if
the daemons were each running on their own machine. This can also be used for
more complicated tests (including those with firewall rules) without disturbing
the real network setup of the host computer.
2014-01-24 16:17:09 +01:00
Guus Sliepen
38adc8bf54 Add the ListenAddress option.
ListenAddress works the same as BindToAddress, except that from now on,
explicitly binding outgoing packets to the address of a socket is only done for
sockets specified with BindToAddress.
2014-01-20 21:19:13 +01:00
Guus Sliepen
e187758a7e Document that 1.1 uses AES-256 in GCM mode. 2014-01-20 20:21:15 +01:00
Guus Sliepen
1a115d1d1c Document clearly that tinc depends on curses and readline libraries. 2014-01-20 20:16:58 +01:00
Guus Sliepen
a3decd0951 Let tinc-gui use correct address family when connecting to tincd via TCP. 2014-01-19 21:15:23 +01:00
Dennis Joachimsthaler
c10f3105b3 Ensure tinc-gui running in 64 bits mode can find tinc's 32 bit registry key. 2014-01-17 18:15:40 +01:00
Dennis Joachimsthaler
ab583f7e8c Fix tinc-gui on Windows. 2014-01-17 16:10:10 +01:00
Guus Sliepen
11d562e9b2 Add index entries for the CLI commands. 2014-01-16 14:52:44 +01:00
Guus Sliepen
d8ea66ff1f Update the documentation of the tinc command. 2014-01-16 14:46:44 +01:00
Guus Sliepen
8af6d64fd9 Clarify StrictSubnets. 2014-01-16 14:29:35 +01:00
Florent Clairambault
c8543bbe6b Adding "conf.d" configuration dir support.
Any file matching the pattern /etc/tinc/$NETNAME/conf.d/*.conf will be
parsed after the tinc.conf file.
2013-12-29 23:11:54 +01:00
Guus Sliepen
e6b32936c5 Fix handling of --with-libgcrypt. 2013-12-10 17:13:15 +01:00
Guus Sliepen
b7d59f035b Don't enable -fstack-protector-all.
It is not supported on all architectures and is problematic on some
platforms.
2013-12-10 17:09:16 +01:00
Guus Sliepen
53b00f8c1a Add our own autoconf check for libgcrypt.
This one doesn't require one to have libgcrypt installed while running
autoreconf, making life easier for people who compile tinc from git.
2013-12-10 11:18:04 +01:00
Guus Sliepen
283c5d1cf0 Enable compiler hardening flags by default.
Check whether the compiler supports hardening flags and enable them unless
--disable-hardening is specified.

Conflicts:
	configure.ac
2013-12-10 10:48:00 +01:00
Guus Sliepen
ef8efdfff1 Remove erroneous warning about SPTPS being disabled. 2013-12-08 21:37:56 +01:00
Guus Sliepen
be1446f5d0 Don't print an error when no ECDSA key is known for a node using the legacy protocol. 2013-12-08 21:32:21 +01:00
Guus Sliepen
c151cfa2e9 Give full path to unconfigured tinc-up script. 2013-12-08 21:31:50 +01:00
Guus Sliepen
1b580b2a6b Allow running without ECDSA keys If ExperimentalProtocol is not explicitly set.
To make upgrading less painful, allow running tinc 1.1 without ECDSA keys
unless ExperimentalProtocol is explicitly set to yes.
2013-12-08 21:10:06 +01:00
Guus Sliepen
41583d5dcf Don't print device statistics when exiting tinc.
Much more detailed statistics are now kept per node, which can be queried at
any time, which makes the device statistics obsolete.
2013-12-08 20:23:44 +01:00
Guus Sliepen
19b97e79aa Prefer ncurses over curses. 2013-12-07 22:59:37 +01:00
Guus Sliepen
b115de2199 Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris. 2013-12-07 22:54:02 +01:00
Guus Sliepen
cf9bea4e93 Avoid using a variable named "sun". Solaris doesn't like it. 2013-12-07 22:39:24 +01:00
Guus Sliepen
221f559bcf Stricter check for raw socket support. 2013-12-07 22:20:10 +01:00
Guus Sliepen
c1f7357e7d Include <limits.h> for PATH_MAX. 2013-12-07 22:19:39 +01:00
Guus Sliepen
c9bdac68e1 Update support for Solaris.
Adds support for the latest TAP driver from
http://www.whiteboard.ne.jp/~admin2/tuntap/, so tinc now also works in switch
mode on Solaris 11.
2013-12-07 21:52:41 +01:00
Guus Sliepen
06943e828c If no Port is specified, set myport to actual port of first listening socket.
If the Port statement is not used, there are two other ways to let tinc listen
on a non-default port: either by specifying one or more BindToAddress
statements including port numbers, or by starting it from systemd with socket
activation. Tinc announces its own port to other nodes, but before it only
announced what was set using the Port statement.
2013-12-05 15:01:30 +01:00
Guus Sliepen
3e924045cc Mention in the manual that multiple Address staments are allowed. 2013-12-05 14:36:29 +01:00