Commit graph

226 commits

Author SHA1 Message Date
Etienne Dechamps
f0885b8d2f Cleanly remove the device FD from the event loop before closing it. 2014-06-22 15:03:53 +01:00
Guus Sliepen
f0e7e6b03e Rename ECDSA to Ed25519. 2014-05-18 20:47:04 +02:00
Guus Sliepen
332b55d472 Change AutoConnect from int to bool.
The proper value is 3, not 2 or 4, and 5 is right out. So just hardcode this value,
and only have the option to turn AutoConnect on or off.
2014-05-06 14:11:55 +02:00
Guus Sliepen
06a4a8c153 Update copyright notices. 2014-02-07 20:38:48 +01:00
Guus Sliepen
38adc8bf54 Add the ListenAddress option.
ListenAddress works the same as BindToAddress, except that from now on,
explicitly binding outgoing packets to the address of a socket is only done for
sockets specified with BindToAddress.
2014-01-20 21:19:13 +01:00
Guus Sliepen
ef8efdfff1 Remove erroneous warning about SPTPS being disabled. 2013-12-08 21:37:56 +01:00
Guus Sliepen
be1446f5d0 Don't print an error when no ECDSA key is known for a node using the legacy protocol. 2013-12-08 21:32:21 +01:00
Guus Sliepen
1b580b2a6b Allow running without ECDSA keys If ExperimentalProtocol is not explicitly set.
To make upgrading less painful, allow running tinc 1.1 without ECDSA keys
unless ExperimentalProtocol is explicitly set to yes.
2013-12-08 21:10:06 +01:00
Guus Sliepen
06943e828c If no Port is specified, set myport to actual port of first listening socket.
If the Port statement is not used, there are two other ways to let tinc listen
on a non-default port: either by specifying one or more BindToAddress
statements including port numbers, or by starting it from systemd with socket
activation. Tinc announces its own port to other nodes, but before it only
announced what was set using the Port statement.
2013-12-05 15:01:30 +01:00
Guus Sliepen
51bddfd4dd Allow "none" for Cipher and Digest again. 2013-11-28 14:28:18 +01:00
Guus Sliepen
6168a9b6d5 Fix two warnings from Clang's static analyzer. 2013-11-15 15:32:53 +01:00
Guus Sliepen
68e3efe349 Fix segfault when Name = $HOST but $HOST is not set.
Conflicts:
	src/net_setup.c
2013-09-27 11:36:46 +02:00
Guus Sliepen
57991e2642 Use PATHEXT when checking for the presence of scripts on Windows.
It seems like a lot of overhead to call access() for every possible extension
defined in PATHEXT, but apparently this is what Windows does itself too. At
least this avoids calling system() when the script one is looking for does not
exist at all.

Since the tinc utility also needs to call scripts, execute_script() is now
split off into its own source file.
2013-08-23 21:23:46 +02:00
Guus Sliepen
0c54f36553 Remove broadcast of KEY_CHANGED message during tinc's initialization. 2013-08-18 22:43:55 +02:00
Guus Sliepen
09b0b49b98 Fix order of tincd's initialization.
The order in which tinc initialized things was not completely correct. Now, it
is done as follows:

- Load and parse configuration files.
- Create all TCP and UDP listening sockets.
- Create PID file and UNIX socket.
- Run the tinc-up script.
- Drop privileges.
- Start outgoing connections.
- Run the main loop.

The PID file can only be created correctly if the listening sockets have been
set up ,as it includes the address and port of the first listening socket. The
tinc-up script has to be run after the PID file and UNIX socket have been
created so it can change their permissions if necessary. Outgoing connections
should only be started right before the main loop, because this is not really
part of the initialization.
2013-08-18 22:35:27 +02:00
Guus Sliepen
8f84244458 Don't force a .bat extension for scripts under Windows. 2013-08-18 18:20:41 +02:00
Guus Sliepen
b180c1af99 Create UNIX socket at the same time as the PID file is created.
The PID file was created before tinc-up was called, but the UNIX socket was
created afterwards, which meant one could not change the UNIX socket's owner or
permissions from the tinc-up script.
2013-08-18 17:02:49 +02:00
Guus Sliepen
a38e0d6213 Use umask() to set file and UNIX socket permissions without race conditions.
As mentioned by Erik Tews, calling fchmod() after fopen() leaves a small window
for exploits. As long as tinc is single-threaded, we can use umask() instead to
reduce file permissions. This also works when creating the AF_UNIX control socket.

The umask of the user running tinc(d) is used for most files, except for the
private keys, invitation files, PID file and control socket.
2013-08-02 19:28:34 +02:00
Guus Sliepen
24e3ec863e Add connection rate limiting.
Tinc now strictly limits incoming connections from the same host to 1 per
second. For incoming connections from multiple hosts short bursts of incoming
connections are allowed (by default 100), but on average also only 1 connection
per second is allowed.

When an incoming connection exceeds the limit, tinc will keep the connection in
a tarpit; the connection will be kept open but it is ignored completely. Only
one connection is in a tarpit at a time to limit the number of useless open
connections.
2013-07-11 23:38:38 +02:00
Guus Sliepen
2eba793305 Set $NAME when calling host-up/down and subnet-up/down scripts. 2013-07-05 21:36:51 +02:00
Guus Sliepen
b811e980e3 Add the LocalDiscoveryAddress option.
When LocalDiscovery is enabled, tinc normally sends broadcast packets during
PMTU discovery to the broadcast address (255.255.255.255 or ff02::1). This
option lets tinc use a different address.

At the moment only one LocalDiscoveryAddress can be specified.
2013-05-31 18:50:34 +02:00
Guus Sliepen
e92b2004e2 Use strerror() instead of gai_strerror() when err == EAI_SYSTEM. 2013-05-31 17:23:00 +02:00
Guus Sliepen
ced4c1a327 Add an invitation protocol.
Using the tinc command, an administrator of an existing VPN can generate
invitations for new nodes. The invitation is a small URL that can easily
be copy&pasted into email or live chat. Another person can have tinc
automatically setup the necessary configuration files and exchange keys
with the server, by only using the invitation URL.

The invitation protocol uses temporary ECDSA keys. The invitation URL
consists of the hostname and port of the server, a hash of the server's
temporary ECDSA key and a cookie. When the client wants to accept an
invitation, it also creates a temporary ECDSA key, connects to the server
and says it wants to accept an invitation. Both sides exchange their
temporary keys. The client verifies that the server's key matches the hash
in the invitation URL. After setting up an SPTPS connection using the
temporary keys, the client gives the cookie to the server. If the cookie
is valid, the server sends the client an invitation file containing the
client's new name and a copy of the server's host config file. If everything
is ok, the client will generate a long-term ECDSA key and send it to the
server, which will add it to a new host config file for the client.

The invitation protocol currently allows multiple host config files to be
send from the server to the client. However, the client filters out
most configuration variables for its own host configuration file. In
particular, it only accepts Name, Mode, Broadcast, ConnectTo, Subnet and
AutoConnect. Also, at the moment no tinc-up script is generated.

When an invitation has succesfully been accepted, the client needs to start
the tinc daemon manually.
2013-05-29 18:31:10 +02:00
Guus Sliepen
fc119fb009 Use read_host_config() where appropriate. 2013-05-11 14:05:28 +02:00
Guus Sliepen
3c163a3796 Fix check for presence of ECDSA public key for outgoing connections.
At this point, c->config_tree may or may not be NULL, but this does not tell us whether it is an
outgoing connection or not. For incoming connections, we do not know the peer's name yet,
so we always have to claim ECDSA support. For outgoing connections, we always need to check
whether we have the peer's ECDSA public key, so that if we don't, we correctly tell the peer that
we want to upgrade.
2013-05-11 14:04:39 +02:00
Guus Sliepen
c83c2d080f Enable the SPTPS protocol by default. 2013-05-10 21:18:32 +02:00
Guus Sliepen
9b9230a0a7 Use conditional compilation for cryptographic functions.
This gets rid of the rest of the symbolic links. However, as a consequence, the
crypto header files have now moved to src/, and can no longer contain
library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t
and rsa_t are now all opaque types, and only pointers to those types can be
used.
2013-05-01 17:17:22 +02:00
Guus Sliepen
258bf7ea0f Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.
2013-04-22 15:53:45 +02:00
Guus Sliepen
4c30004cb6 Avoid calling time(NULL).
In most cases we can use the cached time.
2013-03-08 14:11:15 +01:00
Guus Sliepen
cc3c69c892 Releasing 1.1pre5. 2013-01-20 21:03:22 +01:00
Guus Sliepen
94587264bd Allow connections via UNIX sockets.
This is mainly useful for control connections. The client must still present
the control cookie from the PID file.
2013-01-17 18:12:55 +01:00
Guus Sliepen
f5bb64b36a Move make_names() and related variables to its own source file. 2013-01-17 16:39:02 +01:00
Guus Sliepen
6bc5d626a8 Drop libevent and use our own event handling again.
There are several reasons for this:

- MacOS/X doesn't support polling the tap device using kqueue, requiring a
  workaround to fall back to select().
- On Windows only sockets are properly handled, therefore tinc uses a second
  thread that does a blocking ReadFile() on the TAP-Win32/64 device. However,
  this does not mix well with libevent.
- Libevent, event just the core, is quite large, and although it is easy to get
  and install on many platforms, it can be a burden.
- Libev is more lightweight and seems technically superior, but it doesn't
  abstract away all the platform differences (for example, async events are not
  supported on Windows).
2012-11-29 12:28:23 +01:00
Guus Sliepen
ade4fccad6 Using alloca() for a constant sized buffer is very silly.
Cppcheck said using alloca() in the 21st century is silly anyway.
2012-11-10 23:13:05 +01:00
Guus Sliepen
edc08b73a9 Slightly randomize all timeouts. 2012-10-21 17:45:16 +02:00
Guus Sliepen
717ea66d7b Add the AutoConnect option.
When set to a non-zero value, tinc will try to maintain exactly that number of
meta connections to other nodes.  If there are not enough connections, it will
periodically try to set up an outgoing connection to a random node.  If there
are too many connections, it will periodically try to remove an outgoing
connection.
2012-10-21 17:35:13 +02:00
Guus Sliepen
40ed0c07dd Log more messages using logger(). 2012-10-14 15:37:24 +02:00
Guus Sliepen
b234304b66 Make sure the ReplayWindow option works for SPTPS as well. 2012-10-14 14:48:35 +02:00
Guus Sliepen
d917c8cb6b Fix whitespace. 2012-10-10 17:17:49 +02:00
Guus Sliepen
d1ec010660 Fix memory leaks found by valgrind. 2012-10-09 16:27:28 +02:00
Guus Sliepen
0b8b23e0dd C99 extravaganza. 2012-10-08 00:35:38 +02:00
Guus Sliepen
ff306f0cda Replace the connection_tree with a connection_list.
The tree functions were never used on the connection_tree, a list is more appropriate.
Also be more paranoid about connections disappearing while traversing the list.
2012-10-07 21:59:53 +02:00
Guus Sliepen
d93a37928b Fix warnings from cppcheck. 2012-10-07 17:53:23 +02:00
Guus Sliepen
e053713465 When terminating, keep control connections open until the end.
This ensures all device files and listening sockets have been closed before
tincctl gets notified of tincd's termination.
2012-10-06 21:16:17 +02:00
Guus Sliepen
3887e6dcb5 Remove abort() call that accidentily sneaked into commit dd1b69e. 2012-10-01 10:39:15 +02:00
Guus Sliepen
dd1b69e31f Fix not reading Port statement from host config file. 2012-09-30 22:43:48 +02:00
Guus Sliepen
6dfdb32361 Merge branch 'master' into 1.1
Conflicts:
	lib/utils.c
	src/net_setup.c
	src/process.c
	src/protocol_auth.c
	src/protocol_key.c
	src/utils.h
2012-09-30 15:00:47 +02:00
Guus Sliepen
c4940a5c88 Add strict checks to hex to binary conversions.
The main goal is to catch misuse of the obsolete PrivateKey and PublicKey
statements.
2012-09-30 13:45:47 +02:00
Guus Sliepen
c5325ffdd1 Correctly add/remove outgoing connections when reloading configuration. 2012-09-28 17:05:01 +02:00
Guus Sliepen
d6388d782e Let tincctl parse and format dumps.
At the moment it just reproduces the old format.
2012-09-26 23:18:32 +02:00