Etienne Dechamps [Thu, 26 Jun 2014 19:42:40 +0000 (20:42 +0100)]
Fix errno references when handling socket errors.
When using socket functions, "sockerrno" is supposed to be used to
retrieve the error code as opposed to "errno", so that it is translated
to the correct call on Windows (WSAGetLastError() - Windows does not
update errno on socket errors). Unfortunately, the use of sockerrno is
inconsistent throughout the tinc codebase, as errno is often used
incorrectly on socket-related calls.
This commit fixes these oversights, which improves socket error
handling on Windows.
Etienne Dechamps [Sun, 22 Jun 2014 17:45:49 +0000 (18:45 +0100)]
Fix Windows includes.
These Windows include lines are capitalized, which causes the build to fail
when cross-compiling from Linux to Windows using MinGW as the MinGW headers
are entirely lower case.
Guus Sliepen [Sun, 11 May 2014 15:11:02 +0000 (17:11 +0200)]
Remove the warnings when IP_DONTFRAGMENT/IPV6-DONTFRAG is not supported.
There is nothing we can do about it, and tinc will run fine anyway.
Alexis Hildebrandt [Sun, 22 Jun 2014 14:43:15 +0000 (16:43 +0200)]
Add support to link against libresolv Mac OS X
Armin Fisslthaler [Fri, 25 Apr 2014 12:44:06 +0000 (14:44 +0200)]
reload /etc/resolv.conf in SIGALRM handler
Etienne Dechamps [Sun, 22 Jun 2014 09:48:34 +0000 (10:48 +0100)]
Make DeviceStandby control network interface link status on Windows.
Besides controlling when tinc-up and tinc-down get called, this commit makes
DeviceStandby control when the virtual network interface "cable" is "plugged"
on Windows. This is more user-friendly as the status of the tinc network can
be seen just by looking at the state of the network interface, and it makes
Windows behave better when isolated.
Etienne Dechamps [Sun, 22 Jun 2014 09:48:34 +0000 (10:48 +0100)]
Add DeviceStandby option to only enable the device when nodes are reachable.
This adds a new DeviceStandby option; when it is disabled (the default),
behavior is unchanged. If it is enabled, tinc-up will not be called during
tinc initialization, but will instead be deferred until the first node is
reachable, and it will be closed as soon as no nodes are reachable.
This is useful because it means the device won't be set up until we are fairly
sure there is something listening on the other side. This is more user-friendly,
as one can check on the status of the tinc network connection just by checking
the status of the network interface. Besides, it prevents the OS from thinking
it is connected to some network when it is in fact completely isolated.
Etienne Dechamps [Sun, 22 Jun 2014 13:06:44 +0000 (14:06 +0100)]
Cleanly remove the device FD from the event loop before closing it.
Etienne Dechamps [Sun, 22 Jun 2014 08:53:26 +0000 (09:53 +0100)]
Make device close cleaner.
Etienne Dechamps [Sun, 22 Jun 2014 08:54:45 +0000 (09:54 +0100)]
Move Solaris if_fd to local scope.
This variable is never used outside of setup_device(), therefore there is no
reason to declare it in global scope.
Baptiste Jonglez [Fri, 20 Jun 2014 06:56:13 +0000 (15:56 +0900)]
Clarify man page regarding the IndirectData option
Guus Sliepen [Sun, 15 Jun 2014 10:19:10 +0000 (12:19 +0200)]
Unconditionally return non-zero exit code when "tinc del" does not find the requested variable.
Guus Sliepen [Sun, 15 Jun 2014 10:14:01 +0000 (12:14 +0200)]
Return non-zero exit code when "tinc get" does not find the requested variable.
Guus Sliepen [Tue, 3 Jun 2014 09:02:58 +0000 (11:02 +0200)]
Fix base64 decoding of
Ed25519 keys.
Guus Sliepen [Sun, 18 May 2014 19:51:42 +0000 (21:51 +0200)]
Allow Cipher and Digest "none".
This is for backwards compatibility with tinc 1.0, it has no effect on
the SPTPS protocol.
Guus Sliepen [Sun, 18 May 2014 18:49:35 +0000 (20:49 +0200)]
Implement a PEM-like format for
Ed25519 keys.
We don't require compatibility with any other software, but we do want
Ed25519 keys to work
the same as RSA keys for now.
Guus Sliepen [Sun, 18 May 2014 18:47:04 +0000 (20:47 +0200)]
Guus Sliepen [Tue, 13 May 2014 18:29:09 +0000 (20:29 +0200)]
Add sanity checks when generating new RSA keys.
The key size should be a multiple of 8 bits, and it should be between 1024 and
8192 bits.
Guus Sliepen [Mon, 12 May 2014 13:57:40 +0000 (15:57 +0200)]
Fix PMTU discovery via datagram SPTPS.
In send_sptps_data(), the len variable contains the length of the whole
datagram that needs to be sent to the peer, including the overhead from SPTPS
itself.
Guus Sliepen [Mon, 12 May 2014 13:56:29 +0000 (15:56 +0200)]
Fix a crash when we have a malformed public ECDSA key of another node.
Guus Sliepen [Mon, 12 May 2014 12:35:56 +0000 (14:35 +0200)]
Add missing closedir().
Guus Sliepen [Mon, 12 May 2014 12:35:12 +0000 (14:35 +0200)]
Use void pointers to opaque buffers.
Guus Sliepen [Tue, 6 May 2014 12:11:55 +0000 (14:11 +0200)]
Change AutoConnect from int to bool.
The proper value is 3, not 2 or 4, and 5 is right out. So just hardcode this value,
and only have the option to turn AutoConnect on or off.
Guus Sliepen [Tue, 6 May 2014 11:01:48 +0000 (13:01 +0200)]
Fix compiler warnings.
Guus Sliepen [Tue, 6 May 2014 10:58:25 +0000 (12:58 +0200)]
Nexthop calculation should always use the shortest path.
When tinc runs the graph algorithms and updates the nexthop and via pointers,
it uses a breadth-first search, but it can sometimes revisit nodes that have
already been visited if the previous path is marked as being indirect, and
there is a longer path that is "direct". The via pointer should be updated in
this case, because this points to the closest hop to the destination that can
be reached directly. However, the nexthop pointer should not be updated.
This fixes a bug where there could potentially be a routing loop if a node in
the graph has an edge with the indirect flag set, and some other edge without
that flag, the indirect edge is part of the minimum spanning tree, and a
broadcast packet is being sent.
Saverio Proto [Mon, 5 May 2014 13:23:25 +0000 (15:23 +0200)]
Fix typo in comment
Guus Sliepen [Fri, 25 Apr 2014 15:00:55 +0000 (17:00 +0200)]
Put brackets around IPv6 addresses in invitation URL, even if there is no port number.
Guus Sliepen [Tue, 15 Apr 2014 15:26:08 +0000 (17:26 +0200)]
sptps_test: allow using a tun device instead of stdio.
Guus Sliepen [Mon, 14 Apr 2014 19:43:45 +0000 (21:43 +0200)]
Use the ChaCha-Poly1305 cipher for the SPTPS protocol.
The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a
dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function
changes between versions. The source code for ChaCha-Pol1305 is small and in
the public domain, and can therefore be easily included in tinc itself.
Moreover, it is very fast even without using any optimized assembler, easily
outperforming AES-256-GCM on platforms that don't have special AES instructions
in hardware.
Guus Sliepen [Mon, 14 Apr 2014 18:49:43 +0000 (20:49 +0200)]
Merge branch '1.1-
ed25519' into 1.1
Guus Sliepen [Sun, 13 Apr 2014 10:09:48 +0000 (12:09 +0200)]
Properly initialize buffers.
Valgrind complained about use of uninitialized data.
Guus Sliepen [Sun, 6 Apr 2014 20:47:26 +0000 (22:47 +0200)]
Use
Ed25519 keys.
This uses the portable
Ed25519 library made by Orson Peters, which in turn uses
the reference implementation made by Daniel J. Bernstein.
This implementation also allows
Ed25519 keys to be used for key exchange, so
there is no need to add a separate implementation of Curve25519.
Guus Sliepen [Sun, 6 Apr 2014 20:46:06 +0000 (22:46 +0200)]
Fix return value of b64encode().
Guus Sliepen [Sun, 9 Mar 2014 14:32:10 +0000 (15:32 +0100)]
Handle a disconnecting tincd better.
- Try to prevent SIGPIPE from being sent for errors sending to the control
socket. We don't outright block the SIGPIPE signal because we still want the
tinc CLI to exit when its output is actually sent to a real (broken) pipe.
- Don't call exit() from top(), and properly detect when the control socket is
closed by the tincd.
Guus Sliepen [Wed, 26 Feb 2014 16:27:57 +0000 (17:27 +0100)]
Rewind the file before trying to use PEM_read_RSA_PUBKEY().
Guus Sliepen [Wed, 26 Feb 2014 10:00:30 +0000 (11:00 +0100)]
Add "network" command to list or switch networks.
Guus Sliepen [Fri, 7 Feb 2014 22:06:26 +0000 (23:06 +0100)]
Add missing attribution for 1.1pre10 to the NEWS file.
Guus Sliepen [Fri, 7 Feb 2014 22:05:33 +0000 (23:05 +0100)]
Really fix compiling under Windows.
Guus Sliepen [Fri, 7 Feb 2014 20:40:42 +0000 (21:40 +0100)]
Releasing 1.1pre10.
Guus Sliepen [Fri, 7 Feb 2014 20:40:29 +0000 (21:40 +0100)]
Check whether OpenSSL has support for GCM.
Guus Sliepen [Fri, 7 Feb 2014 20:14:41 +0000 (21:14 +0100)]
Fix compiling for Windows.
Guus Sliepen [Fri, 7 Feb 2014 19:38:48 +0000 (20:38 +0100)]
Update copyright notices.
Guus Sliepen [Fri, 7 Feb 2014 18:57:06 +0000 (19:57 +0100)]
Attribution for Dennis Joachimsthaler.
Guus Sliepen [Fri, 7 Feb 2014 15:34:08 +0000 (16:34 +0100)]
Handle errors from TAP-Win32/64 adapter in a better way.
Before, the tapreader thread would just exit immediately after encountering the
first error, without notifying the main thread. Now, the tapreader thead never
exits itself, but tells the main thread to stop when more than ten errors are
encountered in a row.
Guus Sliepen [Fri, 7 Feb 2014 18:48:11 +0000 (19:48 +0100)]
Attribution for various contributors.
Conflicts:
THANKS
Guus Sliepen [Thu, 30 Jan 2014 16:10:30 +0000 (17:10 +0100)]
Use addresses learned from other nodes when making outgoing connections.
Before, when making a meta-connection to a node (either because of a ConnectTo
or because AutoConnect is set), tinc required one or more Address statements
in the corresponding host config file. However, tinc learns addresses from
other nodes that it uses for UDP connections. We can use those just as well for
TCP connections.
Guus Sliepen [Wed, 29 Jan 2014 16:32:18 +0000 (17:32 +0100)]
Document Weight and also allow it to be set from tinc.conf.
Guus Sliepen [Wed, 29 Jan 2014 16:17:59 +0000 (17:17 +0100)]
Don't ask questions if we are not running interactively.
When creating invitations or using them to join a VPN, and the tinc command is
not run interactively (ie, when stdin and stdout are not connected or
redirected to/from a file), don't ask questions. If normally tinc would ask for
a confirmation, just assume the default answer instead. If tinc really needs
some input, just print an error message instead.
In case an invitation is used for a VPN which uses a netname that is already in
use on the local host, tinc will store the configuration in a temporary
directory. Normally it asks for an alternative netname and then renames the
temporary directory, but when not run interactively, it now just prints the
location of the unchanged temporary directory.
Guus Sliepen [Mon, 27 Jan 2014 22:21:25 +0000 (23:21 +0100)]
Add missing newlines when copying variables from tinc.conf to an invitation file.
Guus Sliepen [Fri, 24 Jan 2014 15:09:32 +0000 (16:09 +0100)]
Test two tinc daemons using network namespaces.
Testing multiple daemons connecting to each other on the same computer is
usually difficult, because connections to local IP addresses will bypass most
of the network stack. However, recent versions of Linux support network
namespaces, which can isolate network interfaces. We use this to isolate the
virtual interface of the daemons from each other, so we get the behaviour as if
the daemons were each running on their own machine. This can also be used for
more complicated tests (including those with firewall rules) without disturbing
the real network setup of the host computer.
Guus Sliepen [Mon, 20 Jan 2014 20:19:13 +0000 (21:19 +0100)]
Add the ListenAddress option.
ListenAddress works the same as BindToAddress, except that from now on,
explicitly binding outgoing packets to the address of a socket is only done for
sockets specified with BindToAddress.
Guus Sliepen [Mon, 20 Jan 2014 19:21:15 +0000 (20:21 +0100)]
Document that 1.1 uses AES-256 in GCM mode.
Guus Sliepen [Mon, 20 Jan 2014 19:16:58 +0000 (20:16 +0100)]
Document clearly that tinc depends on curses and readline libraries.
Guus Sliepen [Sun, 19 Jan 2014 20:15:23 +0000 (21:15 +0100)]
Let tinc-gui use correct address family when connecting to tincd via TCP.
Dennis Joachimsthaler [Fri, 17 Jan 2014 17:15:40 +0000 (18:15 +0100)]
Ensure tinc-gui running in 64 bits mode can find tinc's 32 bit registry key.
Dennis Joachimsthaler [Fri, 17 Jan 2014 15:10:10 +0000 (16:10 +0100)]
Fix tinc-gui on Windows.
Guus Sliepen [Thu, 16 Jan 2014 13:52:44 +0000 (14:52 +0100)]
Add index entries for the CLI commands.
Guus Sliepen [Thu, 16 Jan 2014 13:46:44 +0000 (14:46 +0100)]
Update the documentation of the tinc command.
Guus Sliepen [Thu, 16 Jan 2014 13:02:56 +0000 (14:02 +0100)]
Clarify StrictSubnets.
Florent Clairambault [Sun, 29 Dec 2013 22:11:54 +0000 (23:11 +0100)]
Adding "conf.d" configuration dir support.
Any file matching the pattern /etc/tinc/$NETNAME/conf.d/*.conf will be
parsed after the tinc.conf file.
Guus Sliepen [Tue, 10 Dec 2013 16:13:15 +0000 (17:13 +0100)]
Fix handling of --with-libgcrypt.
Guus Sliepen [Tue, 10 Dec 2013 16:02:52 +0000 (17:02 +0100)]
Don't enable -fstack-protector-all.
It is not supported on all architectures and is problematic on some
platforms.
Guus Sliepen [Tue, 10 Dec 2013 10:18:04 +0000 (11:18 +0100)]
Add our own autoconf check for libgcrypt.
This one doesn't require one to have libgcrypt installed while running
autoreconf, making life easier for people who compile tinc from git.
Guus Sliepen [Tue, 10 Dec 2013 09:48:00 +0000 (10:48 +0100)]
Enable compiler hardening flags by default.
Check whether the compiler supports hardening flags and enable them unless
--disable-hardening is specified.
Conflicts:
configure.ac
Guus Sliepen [Sun, 8 Dec 2013 20:37:56 +0000 (21:37 +0100)]
Remove erroneous warning about SPTPS being disabled.
Guus Sliepen [Sun, 8 Dec 2013 20:32:21 +0000 (21:32 +0100)]
Don't print an error when no ECDSA key is known for a node using the legacy protocol.
Guus Sliepen [Sun, 8 Dec 2013 20:31:50 +0000 (21:31 +0100)]
Give full path to unconfigured tinc-up script.
Guus Sliepen [Sun, 8 Dec 2013 20:06:03 +0000 (21:06 +0100)]
Allow running without ECDSA keys If ExperimentalProtocol is not explicitly set.
To make upgrading less painful, allow running tinc 1.1 without ECDSA keys
unless ExperimentalProtocol is explicitly set to yes.
Guus Sliepen [Sun, 8 Dec 2013 19:23:44 +0000 (20:23 +0100)]
Don't print device statistics when exiting tinc.
Much more detailed statistics are now kept per node, which can be queried at
any time, which makes the device statistics obsolete.
Guus Sliepen [Sat, 7 Dec 2013 21:59:37 +0000 (22:59 +0100)]
Prefer ncurses over curses.
Guus Sliepen [Sat, 7 Dec 2013 21:54:02 +0000 (22:54 +0100)]
Use hardcoded value for TUNNEWPPA if net/if_tun.h is missing on Solaris.
Guus Sliepen [Sat, 7 Dec 2013 21:39:24 +0000 (22:39 +0100)]
Avoid using a variable named "sun". Solaris doesn't like it.
Guus Sliepen [Sat, 7 Dec 2013 21:20:10 +0000 (22:20 +0100)]
Stricter check for raw socket support.
Guus Sliepen [Sat, 7 Dec 2013 21:19:39 +0000 (22:19 +0100)]
Include <limits.h> for PATH_MAX.
Guus Sliepen [Sat, 7 Dec 2013 20:52:41 +0000 (21:52 +0100)]
Update support for Solaris.
Adds support for the latest TAP driver from
http://www.whiteboard.ne.jp/~admin2/tuntap/, so tinc now also works in switch
mode on Solaris 11.
Guus Sliepen [Thu, 5 Dec 2013 14:01:30 +0000 (15:01 +0100)]
If no Port is specified, set myport to actual port of first listening socket.
If the Port statement is not used, there are two other ways to let tinc listen
on a non-default port: either by specifying one or more BindToAddress
statements including port numbers, or by starting it from systemd with socket
activation. Tinc announces its own port to other nodes, but before it only
announced what was set using the Port statement.
Guus Sliepen [Thu, 5 Dec 2013 13:30:00 +0000 (14:30 +0100)]
Mention in the manual that multiple Address staments are allowed.
Guus Sliepen [Thu, 28 Nov 2013 13:19:55 +0000 (14:19 +0100)]
Allow "none" for Cipher and Digest again.
Guus Sliepen [Thu, 21 Nov 2013 21:13:14 +0000 (22:13 +0100)]
Make LocalDiscovery work for SPTPS packets.
Guus Sliepen [Wed, 20 Nov 2013 22:02:20 +0000 (23:02 +0100)]
Remove an unused variable.
Guus Sliepen [Fri, 15 Nov 2013 14:32:53 +0000 (15:32 +0100)]
Fix two warnings from Clang's static analyzer.
Guus Sliepen [Tue, 22 Oct 2013 19:28:44 +0000 (21:28 +0200)]
Fix sending bulk data starting with a newline.
Guus Sliepen [Tue, 22 Oct 2013 19:19:41 +0000 (21:19 +0200)]
Make sptps_test less verbose by default.
Guus Sliepen [Fri, 18 Oct 2013 14:58:47 +0000 (16:58 +0200)]
Clean up child processes from proxy type exec.
Guus Sliepen [Tue, 15 Oct 2013 12:09:42 +0000 (14:09 +0200)]
Fix sending empty SPTPS records.
Guus Sliepen [Sat, 12 Oct 2013 23:02:52 +0000 (01:02 +0200)]
Use AES-256-GCM for the SPTPS protocol.
It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES
and PCLMULQDQ instructions.
Guus Sliepen [Fri, 27 Sep 2013 08:43:56 +0000 (10:43 +0200)]
Fix typos in the documentation.
Thanks to Thomas Sattler for finding and reporting them.
Guus Sliepen [Fri, 27 Sep 2013 09:36:46 +0000 (11:36 +0200)]
Fix segfault when Name = $HOST but $HOST is not set.
Conflicts:
src/net_setup.c
Guus Sliepen [Sun, 15 Sep 2013 20:03:00 +0000 (22:03 +0200)]
Link sptps_speed with -lrt.
This is necessary for clock_gettime() on older versions of libc.
Guus Sliepen [Sun, 15 Sep 2013 20:02:33 +0000 (22:02 +0200)]
Don't leak memory during the key generation speed test.
Guus Sliepen [Sun, 15 Sep 2013 15:35:55 +0000 (17:35 +0200)]
Add a benchmark for the SPTPS protocol.
Guus Sliepen [Sun, 15 Sep 2013 14:21:25 +0000 (16:21 +0200)]
Avoid using BIOs.
Guus Sliepen [Sun, 15 Sep 2013 11:36:53 +0000 (13:36 +0200)]
Wrong date for the 1.1pre9 release in the NEWS.
Guus Sliepen [Sun, 8 Sep 2013 15:29:12 +0000 (17:29 +0200)]
Releasing 1.1pre9.
Guus Sliepen [Sun, 8 Sep 2013 13:03:06 +0000 (15:03 +0200)]
Don't try to mkdir(CONFDIR) if --config is used.
Guus Sliepen [Sun, 8 Sep 2013 12:47:59 +0000 (14:47 +0200)]
Make sure test scripts end up in the tarball.
Guus Sliepen [Sun, 8 Sep 2013 12:42:32 +0000 (14:42 +0200)]
Automake doesn't like info files being mentioned in CLEANFILES.
Guus Sliepen [Thu, 5 Sep 2013 15:42:31 +0000 (17:42 +0200)]
Test running ping through two tinc daemons.
This is a more complicated test with one tinc daemon using a tap interface
(therefore requiring root), and a second one using a multicast interface. A
separate program "pong" is listening on the same multicast address, and waits
for ARP and ICMP packets, responding to ICMP echo packets with replies.
This test doesn't require any configuration of the tap interface.
Guus Sliepen [Thu, 5 Sep 2013 15:41:05 +0000 (17:41 +0200)]
Don't return zero-length packets when receiving multicast loopback packets.
Guus Sliepen [Thu, 5 Sep 2013 12:59:56 +0000 (14:59 +0200)]
Add two more test scripts.