Guus Sliepen [Tue, 13 Aug 2013 18:53:05 +0000 (20:53 +0200)]
Update copyright notices.
Guus Sliepen [Thu, 8 Aug 2013 15:40:43 +0000 (17:40 +0200)]
Don't echo broadcast packets back when Broadcast = direct.
Guus Sliepen [Wed, 17 Jul 2013 16:08:58 +0000 (18:08 +0200)]
Don't use vasprintf() anymore on Windows.
Windows doesn't actually support it, but MinGW provides it. However, with some versions of
MinGW it doesn't work correctly. Instead, we vsnprintf() to a local buffer and xstrdup() the
results.
Etienne Dechamps [Sat, 13 Jul 2013 22:34:42 +0000 (23:34 +0100)]
Fix combination of Mode = router and DeviceType = tap on Linux.
I believe I have found a bug in tinc on Linux when it is used with
Mode = router and DeviceType = tap. This combination is useful because
it allows global broadcast packets to be used in router mode. However,
when tinc receives a packet in this situation, it needs to make sure its
destination MAC address matches the address of the TAP adapter, which is
typically not the case since the sending node doesn't know the MAC
address of the recipient. Unfortunately, this is not the case on Linux,
which breaks connectivity.
Guus Sliepen [Fri, 5 Jul 2013 18:51:27 +0000 (20:51 +0200)]
Set $NAME when calling host-up/down and subnet-up/down scripts.
Guus Sliepen [Sat, 8 Jun 2013 11:44:29 +0000 (13:44 +0200)]
Fix a typo.
Guus Sliepen [Thu, 30 May 2013 14:43:20 +0000 (16:43 +0200)]
Better optional argument handling.
Some options can take an optional argument. However, in this case GNU getopt
requires that the optional argument is right next to the option without
whitespace inbetween. If there is whitespace, getopt will treat it as a
non-option argument, but tinc ignored those without a warning. Now tinc will
allow optional arguments with whitespace inbetween, and will give an error when
it encounters any other non-option arguments.
Guus Sliepen [Mon, 22 Apr 2013 12:12:07 +0000 (14:12 +0200)]
Releasing 1.0.21.
Guus Sliepen [Fri, 12 Apr 2013 15:15:05 +0000 (17:15 +0200)]
Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.
This issue was found by Martin Schobert.
Guus Sliepen [Sun, 3 Mar 2013 20:06:25 +0000 (21:06 +0100)]
Releasing 1.0.20.
Guus Sliepen [Sun, 3 Mar 2013 19:51:36 +0000 (20:51 +0100)]
Fix detection of rejected SOCKS5 proxy requests.
Guus Sliepen [Sun, 3 Mar 2013 19:44:18 +0000 (20:44 +0100)]
Fix compiler warnings on Windows.
Guus Sliepen [Thu, 7 Feb 2013 13:23:31 +0000 (14:23 +0100)]
Don't send proxy requests for incoming connections.
Guus Sliepen [Wed, 6 Feb 2013 13:34:39 +0000 (14:34 +0100)]
Fix segmentation fault when trying to connect via a SOCKS5 proxy.
Guus Sliepen [Thu, 31 Jan 2013 15:03:24 +0000 (16:03 +0100)]
Fix a compiler warning.
Guus Sliepen [Thu, 31 Jan 2013 14:58:33 +0000 (15:58 +0100)]
Detect increases in PMTU.
Tinc never restarts PMTU discovery unless a node becomes unreachable. However,
it can be that the PMTU was very low during the initial discovery, but has
increased later. To detect this, tinc now tries to send an extra packet every
PingInterval, with a size slightly higher than the currently known PMTU. If
this packet is succesfully received back, we partially restart PMTU discovery
to find out the new maximum.
Guus Sliepen [Sun, 20 Jan 2013 14:16:13 +0000 (15:16 +0100)]
Make sure PriorityInheritance also works in switch mode.
Guus Sliepen [Sun, 16 Dec 2012 14:36:06 +0000 (15:36 +0100)]
Fix support for tunemu on iOS devices.
The actual code was fine but the #ifdefs tested for the wrong preprocessor
variable.
Guus Sliepen [Wed, 14 Nov 2012 09:44:35 +0000 (10:44 +0100)]
Remove text saying you must have one of PrivateKey or PrivateKeyFile in tinc.conf.
Guus Sliepen [Tue, 13 Nov 2012 14:05:41 +0000 (15:05 +0100)]
Send broadcast packets using a random socket, and properly support IPv6.
Before it would always use the first socket, and always send an IPv4 broadcast packet. That
works fine in a lot of situations, but it is better to try all sockets, and to send IPv6 packets
on IPv6 sockets. This is especially important for users that are on IPv6-only networks or that
have multiple physical network interfaces, although in the latter case it probably requires
them to use the ListenAddress variable to create a separate socket for each interface.
Conflicts:
src/net_packet.c
Guus Sliepen [Tue, 13 Nov 2012 14:01:43 +0000 (15:01 +0100)]
Don't take the address of a variable whose scope is about to disappear.
Conflicts:
src/net_packet.c
Guus Sliepen [Sun, 11 Nov 2012 18:01:28 +0000 (19:01 +0100)]
Fix configure script help text for --enable options.
Guus Sliepen [Sun, 11 Nov 2012 17:53:23 +0000 (18:53 +0100)]
Mention in the manual that support for LZO and zlib can be disabled.
Guus Sliepen [Sat, 10 Nov 2012 22:45:22 +0000 (23:45 +0100)]
Make sure PMTU discovery works in switch mode with VLAN tags.
Before, when tinc saw a packet larger than the PMTU with a VLAN tag, it would
not know what to do with it, and would just forward it via TCP. Now, tinc
handles 802.1q packets correctly, as long as there is only one tag.
Guus Sliepen [Sat, 10 Nov 2012 22:13:05 +0000 (23:13 +0100)]
Using alloca() for a constant sized buffer is very silly.
Cppcheck said using alloca() in the 21st century is silly anyway.
Guus Sliepen [Wed, 17 Oct 2012 11:51:02 +0000 (13:51 +0200)]
Fix warnings from groff.
Conflicts:
doc/tinc.conf.5.in
doc/tincctl.8.in
Guus Sliepen [Thu, 11 Oct 2012 20:21:30 +0000 (22:21 +0200)]
Clear status and options fields of unreachable nodes.
Conflicts:
src/graph.c
Guus Sliepen [Tue, 9 Oct 2012 19:02:49 +0000 (21:02 +0200)]
Clear Ethernet header when reading packets from a tun device.
This fixes a warning from valgrind about uninitialized bytes, which were being
sent to other nodes.
Guus Sliepen [Sun, 7 Oct 2012 15:53:41 +0000 (17:53 +0200)]
Fix warnings from cppcheck.
Guus Sliepen [Sat, 6 Oct 2012 19:05:02 +0000 (21:05 +0200)]
Clear connection options and status fields in free_connection_partially().
Most fields should be zero when reusing a connection. In particular, when an
outgoing connection to a node which is reachable on more than one address is
made, the second connection to that node will have status.encryptout set but
outctx will be NULL, causing a NULL pointer dereference when
EVP_EncryptUpdate() is called in send_meta() when it shouldn't.
Guus Sliepen [Sun, 30 Sep 2012 11:45:47 +0000 (13:45 +0200)]
Add strict checks to hex to binary conversions.
The main goal is to catch misuse of the obsolete PrivateKey and PublicKey
statements.
Guus Sliepen [Sun, 30 Sep 2012 11:45:39 +0000 (13:45 +0200)]
Attribution for Martin Schürrer.
Martin Schürrer [Sun, 30 Sep 2012 00:04:55 +0000 (02:04 +0200)]
Output details of encryption errors
Guus Sliepen [Thu, 27 Sep 2012 15:19:02 +0000 (17:19 +0200)]
Fix links in documenation.
Guus Sliepen [Mon, 24 Sep 2012 12:56:00 +0000 (14:56 +0200)]
Don't ignore Makefile.am.
Guus Sliepen [Mon, 24 Sep 2012 12:02:07 +0000 (14:02 +0200)]
Attribution for Vil Brekin and some code style cleanups.
Vilbrekin [Sat, 25 Aug 2012 18:32:38 +0000 (20:32 +0200)]
Android cross-compilation instructions.
Vilbrekin [Sat, 25 Aug 2012 18:01:11 +0000 (20:01 +0200)]
Use __ANDROID__ define rather than dirty hard-code to allow android NDK cross-compilation.
Vilbrekin [Sat, 25 Aug 2012 17:59:26 +0000 (19:59 +0200)]
Add basic .gitignore file, cleaning (most) files generated by autotools.
Vilbrekin [Sat, 25 Aug 2012 17:14:00 +0000 (19:14 +0200)]
Replace hard-code with new ScriptsInterpreter configuration property.
This new setting allows choosing a custom script interpreter used for the various tinc callbacks.
If none is specified, the script itself is called as executable (as before).
This is particularly useful when storing tinc configuration and script on a mount point with no-exec attribute.
Vilbrekin [Wed, 22 Aug 2012 08:46:24 +0000 (10:46 +0200)]
Basic patch for android cross-compilation.
Commented non-existing functions in android NDK.
Prefix scripts execution with shell binary to allow execution on no-exec mount points.
Everyything is currently hard coded, while it should use pre-compiler variables...
Guus Sliepen [Fri, 27 Jul 2012 20:43:01 +0000 (22:43 +0200)]
Also clarify hostnames=[yes|no] in tinc.conf(5).
Mesar Hameed [Tue, 24 Jul 2012 06:18:50 +0000 (07:18 +0100)]
Minor clarification, tinc.conf hostnames=[yes|no] variable only resolves names for logging purposes.
Guus Sliepen [Thu, 12 Jul 2012 09:32:08 +0000 (11:32 +0200)]
Update THANKS file.
Guus Sliepen [Thu, 12 Jul 2012 09:30:56 +0000 (11:30 +0200)]
Document how to load the tap driver on FreeBSD.
Guus Sliepen [Thu, 12 Jul 2012 09:25:11 +0000 (11:25 +0200)]
Use /dev/tap0 by default on FreeBSD and NetBSD when using Mode = switch.
Guus Sliepen [Mon, 25 Jun 2012 17:45:51 +0000 (19:45 +0200)]
Releasing 1.0.19.
Guus Sliepen [Mon, 25 Jun 2012 17:03:54 +0000 (19:03 +0200)]
Fix crash when using Broadcast = direct.
Guus Sliepen [Mon, 25 Jun 2012 17:01:51 +0000 (19:01 +0200)]
Fix compiler warnings.
Guus Sliepen [Mon, 25 Jun 2012 13:01:42 +0000 (15:01 +0200)]
#include <winsock2.h> on Windows.
MinGW complained about it not being included.
Guus Sliepen [Mon, 25 Jun 2012 13:00:24 +0000 (15:00 +0200)]
Small fixes in proxy code.
Michael Tokarev [Fri, 4 May 2012 12:41:47 +0000 (16:41 +0400)]
add (errnum) in front of windows error messages
On localized, non-English versions of windows, it is
common to have two active charsets -- for console applications
and for GUI applications, together with localized error messages
returned by windows. But two charsets are rarely compatible,
so sending the same byte sequence to console and to windows
event log makes one or another to be unreadable. So at least
include the error number, this way it will be possible to
lookup the actual error test using external ways.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Guus Sliepen [Thu, 19 Apr 2012 13:56:08 +0000 (15:56 +0200)]
Document new proxy types.
Guus Sliepen [Thu, 19 Apr 2012 13:18:31 +0000 (15:18 +0200)]
Add support for proxying through an external command.
Proxy type "exec" can be used to have an external script or binary set
up an outgoing connection. Standard input and output will be used to
exchange data with the external command. The variables REMOTEADDRESS and
REMOTEPORT are set to the intended destination address and port.
Guus Sliepen [Thu, 19 Apr 2012 12:10:54 +0000 (14:10 +0200)]
Add support for SOCKS 5 proxies.
This only covers outgoing TCP connections, and supports only
username/password authentication or no authentication.
Guus Sliepen [Wed, 18 Apr 2012 21:19:40 +0000 (23:19 +0200)]
Add basic support for SOCKS 4 and HTTP CONNECT proxies.
When the Proxy option is used, outgoing connections will be made via the
specified proxy. There is no support for authentication methods or for having
the proxy forward incoming connections, and there is no attempt to proxy UDP.
Guus Sliepen [Sun, 15 Apr 2012 23:57:25 +0000 (01:57 +0200)]
Allow broadcast packets to be sent directly instead of via the MST.
When the "Broadcast = direct" option is used, broadcast packets are not sent
and forwarded via the Minimum Spanning Tree to all nodes, but are sent directly
to all nodes that can be reached in one hop.
One use for this is to allow running ad-hoc routing protocols, such as OLSR, on
top of tinc.
Guus Sliepen [Thu, 29 Mar 2012 15:45:25 +0000 (16:45 +0100)]
Allow environment variables to be used for Name.
When the Name starts with a $, the rest will be interpreted as the name of an
environment variable containing the real Name. When Name is $HOST, but this
environment variable does not exist, gethostname() will be used to set the
Name. In both cases, illegal characters will be converted to underscores.
Guus Sliepen [Mon, 26 Mar 2012 13:46:09 +0000 (14:46 +0100)]
Add support for systemd style socket activation.
If the LISTEN_FDS environment variable is set and tinc is run in the
foreground, tinc will use filedescriptors 3 to 3 + LISTEN_FDS for its listening
TCP sockets. For now, tinc will create matching listening UDP sockets itself.
There is no dependency on systemd or on libsystemd-daemon.
Guus Sliepen [Mon, 26 Mar 2012 13:45:20 +0000 (14:45 +0100)]
Remove newline from log message.
Anthony G. Basile [Mon, 26 Mar 2012 10:29:40 +0000 (06:29 -0400)]
configure.in: fix AC_ARG_ENABLE and AC_ARG_WITH
The current configure.in file does not correctly make use of these
macros. The resulting configure file will therefore enable an item
even if --disable-FEATURE is given. This patch restores the intended
behavior.
Guus Sliepen [Sun, 25 Mar 2012 21:54:36 +0000 (22:54 +0100)]
Support :: in IPv6 Subnets.
Guus Sliepen [Sun, 25 Mar 2012 14:32:26 +0000 (15:32 +0100)]
Releasing 1.0.18.
Guus Sliepen [Sun, 25 Mar 2012 14:30:58 +0000 (15:30 +0100)]
Mark DecrementTTL option experimental.
Guus Sliepen [Sun, 25 Mar 2012 14:17:50 +0000 (15:17 +0100)]
Fix return type of vde_recv() as well.
In this case it is not really necessary as the conversion to int will already
take care of ensuring the return value is treated as signed.
Guus Sliepen [Sun, 25 Mar 2012 13:55:56 +0000 (14:55 +0100)]
Document OpenBSD "ifconfig link0" and Linux "ip tuntap" commands.
Guus Sliepen [Sun, 25 Mar 2012 13:46:50 +0000 (14:46 +0100)]
Fix some more compiler warnings.
Guus Sliepen [Sun, 25 Mar 2012 13:00:21 +0000 (14:00 +0100)]
Fix return value type of vde_send().
The libvdeplug_dyn.h header file incorrectly declares the return type of
vde_send() to size_t, while in reality it is ssize_t.
Guus Sliepen [Sun, 25 Mar 2012 12:58:14 +0000 (13:58 +0100)]
Fix compiler warnings.
Guus Sliepen [Sun, 25 Mar 2012 12:42:10 +0000 (13:42 +0100)]
Allow scoped addresses to be used for IPv6 multicast socket.
Guus Sliepen [Sun, 25 Mar 2012 12:40:55 +0000 (13:40 +0100)]
Add #ifdefs in case not all platforms support IPv4 and IPv6 multicast.
Guus Sliepen [Fri, 23 Mar 2012 12:18:36 +0000 (13:18 +0100)]
Set default value of DecrementTTL to "no".
Decrementing the TTL causes IPv6 to fail when Mode = switch, and there may be
other unforeseen side-effects.
Guus Sliepen [Wed, 21 Mar 2012 16:00:53 +0000 (17:00 +0100)]
Add support for multicast communication with UML/QEMU/KVM.
DeviceType = multicast allows one to specify a multicast address and port with
a Device statement. Tinc will then read/send packets to that multicast group
instead of to a tun/tap device. This allows interaction with UML, QEMU and KVM
instances that are listening on the same group.
Guus Sliepen [Wed, 21 Mar 2012 12:20:15 +0000 (13:20 +0100)]
Allow a port to be specified in BindToAddress statements.
This can be used to let tinc listen on multiple ports for incoming connections.
Guus Sliepen [Tue, 20 Mar 2012 22:49:16 +0000 (23:49 +0100)]
Always try next Address when an outgoing connection fails to authenticate.
When making outgoing connections, tinc goes through the list of Addresses and
tries all of them until one succeeds. However, before it would consider
establishing a TCP connection a success, even when the authentication failed.
This would be a problem if the first Address would point to a hostname and port
combination that belongs to the wrong tinc node, or perhaps even to a non-tinc
service, causing tinc to endlessly try this Address instead of moving to the
next one.
Problem found by Delf Eldkraft.
Guus Sliepen [Sat, 10 Mar 2012 12:31:36 +0000 (13:31 +0100)]
Releasing 1.0.17.
Guus Sliepen [Sat, 10 Mar 2012 12:23:08 +0000 (13:23 +0100)]
Update copyright notices.
Guus Sliepen [Thu, 8 Mar 2012 22:23:39 +0000 (23:23 +0100)]
Make sure disabling old RSA keys works on Windows.
Seeking in files and rewriting parts of them does not seem to work properly on
Windows. Instead, when old RSA keys are found when generating new ones, the
file containing the old keys is copied to a temporary file where the changes
are made, and that file is renamed back to the original filename. On Windows,
we cannot atomically replace files with a rename(), so we need to move the
original file out of the way first. If anything fails, the new code will warn
that the user has to solve the problem by hand.
Guus Sliepen [Thu, 8 Mar 2012 21:19:20 +0000 (22:19 +0100)]
Add missing ICMP6 message type definitions.
Guus Sliepen [Wed, 7 Mar 2012 09:40:06 +0000 (10:40 +0100)]
Accept Subnets passed with the -o option when StrictSubnets = yes.
Guus Sliepen [Fri, 2 Mar 2012 15:09:58 +0000 (16:09 +0100)]
Only log errors sending UDP packets when debug level >= 5.
Since tinc will fall back to TCP or route via another node, it is not necessary
to log such errors unconditionally.
Guus Sliepen [Sun, 26 Feb 2012 15:23:02 +0000 (16:23 +0100)]
Only use broadcast at the start of the PMTU discovery phase.
For local peer discovery, only a handful of packets are necessary for
peers to detect each other.
Guus Sliepen [Sat, 25 Feb 2012 21:11:30 +0000 (22:11 +0100)]
Stricter checks against routing loops.
If a packet that had to be sent via an intermediate hop, and that intermediate
hop was the one that sent the packet, we drop it.
Guus Sliepen [Sat, 25 Feb 2012 20:46:18 +0000 (21:46 +0100)]
Don't send ICMP Time Exceeded messages for other Time Exceeded messages.
That would be silly.
Guus Sliepen [Wed, 22 Feb 2012 22:17:43 +0000 (23:17 +0100)]
Add LocalDiscovery option which tries to detect peers on the local network.
Currently, this is implemented by sending IPv4 broadcast packets to the
LAN during path MTU discovery.
Guus Sliepen [Wed, 22 Feb 2012 13:37:56 +0000 (14:37 +0100)]
Pass index into listen_socket[] to handle_incoming_vpn_data().
Nick Hibma [Tue, 21 Feb 2012 14:26:58 +0000 (15:26 +0100)]
Add missing ICMP message type definitions.
Guus Sliepen [Tue, 21 Feb 2012 13:06:55 +0000 (14:06 +0100)]
Fix check for raw socket support.
Also, move some variables so there are no compiler warnings about unused
variables when there is no support for raw sockets.
Guus Sliepen [Tue, 21 Feb 2012 12:31:21 +0000 (13:31 +0100)]
Fix a bug that caused tinc to ignore all but the last listening socket.
Guus Sliepen [Tue, 21 Feb 2012 12:13:40 +0000 (13:13 +0100)]
Document the command line flag -o and provide --option as well.
Guus Sliepen [Tue, 21 Feb 2012 10:39:21 +0000 (11:39 +0100)]
Move initialization of char *priority up to prevent freeing an uninitialized pointer.
Guus Sliepen [Mon, 20 Feb 2012 16:19:00 +0000 (17:19 +0100)]
Allow disabling of broadcast packets.
The Broadcast option can be used to cause tinc to drop all broadcast and
multicast packets. This option might be expanded in the future to selectively
allow only some broadcast packet types.
Guus Sliepen [Mon, 20 Feb 2012 16:12:48 +0000 (17:12 +0100)]
Rename connection_t *broadcast to everyone.
Guus Sliepen [Mon, 20 Feb 2012 15:52:53 +0000 (16:52 +0100)]
Don't bind outgoing TCP sockets anymore.
The code introduced in commit
41a05f59ba2c3eb5caab555f096ed1b9fbe69ee3 is not
needed anymore, since tinc has been able to handle UDP packets from a different
source address than those of the TCP packets since 1.0.10. When using multiple
BindToAddress statements, this code does not make sense anymore, we do want the
kernel to choose the source address on its own.
Guus Sliepen [Mon, 20 Feb 2012 15:34:02 +0000 (16:34 +0100)]
Decrement TTL of incoming packets.
Tinc will now, by default, decrement the TTL field of incoming IPv4 and IPv6
packets, before forwarding them to the virtual network device or to another
node. Packets with a TTL value of zero will be dropped, and an ICMP Time
Exceeded message will be sent back.
This behaviour can be disabled using the DecrementTTL option.
Guus Sliepen [Mon, 20 Feb 2012 14:44:52 +0000 (15:44 +0100)]
Only compile raw socket code when it is supported on that platform.
Guus Sliepen [Sat, 18 Feb 2012 13:31:08 +0000 (14:31 +0100)]
Merge branch 'master' of black:tinc
Guus Sliepen [Sat, 18 Feb 2012 13:37:52 +0000 (14:37 +0100)]
Allow setting DeviceType to tun or tap on Linux.
Guus Sliepen [Sat, 18 Feb 2012 10:48:21 +0000 (11:48 +0100)]
Send packets back using the same socket as they were received on.
Guus Sliepen [Sat, 18 Feb 2012 10:43:00 +0000 (11:43 +0100)]
Merge branch 'master' of black:tinc