Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738)

The authentication protocol allows an oracle attack that could potentially be exploited. This commit contains several mitigations:

- Connections are no longer closed immediately on error, but put in a "tarpit".
- The authentication protocol now requires a valid CHAL_REPLY from the initiator of a connection before sending a CHAL_REPLY of its own.
- Only a limited amount of connections per second are accepted.
- Null ciphers or digests are no longer allowed in METAKEYs.
- Connections that claim to have the same name as the local node are rejected.
Fix all -Wall -W compiler warnings.
Disable PMTU discovery when TCPOnly is used.
Reformat all code using astyle.
Really fix byte budget calculation. We want to use the underlying cipher's block length, but if it's a stream mode this will be 1. In that case, use the IV length. Ensure we never get a budget that cannot be stored in a 64-bit integer. Thanks to Wessel Dankers for helping get this right.
Fix bit shifting arithmetic so the code actually does what the last commit message says.
Enforce maximum number of bytes sent/received on meta-connections. This is sqrt(2^{block_length_in_bits}).
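The three budget commits above (the sqrt(2^{block_length_in_bits}) limit, the IV-length fallback for stream modes, and the 64-bit cap) describe one computation. Here it is as an added, self-contained example; this is not tinc's own code. Cipher geometry is passed in as plain integers so it runs without OpenSSL, and the block/IV sizes used in main() are assumed, typical values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Byte budget for a cipher with the given block and IV lengths in bytes:
 * sqrt(2^(len*8)) == 2^(len*4), saturating at UINT64_MAX. (Added example.) */
uint64_t byte_budget(int block_len, int iv_len) {
	/* Stream modes report a block length of 1; fall back to the IV length. */
	int len = block_len > 1 ? block_len : iv_len;
	if(len < 1) {
		return 0;  /* unknown geometry: refuse to move any bytes */
	}
	int bits = len * 4;
	/* A shift by 64 or more is undefined in C, and 2^64 does not fit a
	 * uint64_t anyway, so a 128-bit block cipher gets the saturated value. */
	if(bits >= 64) {
		return UINT64_MAX;
	}
	return UINT64_C(1) << bits;
}

/* Per-connection accounting: charge n bytes against *budget. Returns false
 * when the budget cannot cover them, i.e. the connection must be rekeyed or
 * closed before these bytes are sent or received. */
bool charge_budget(uint64_t *budget, uint64_t n) {
	if(n > *budget) {
		*budget = 0;
		return false;
	}
	*budget -= n;
	return true;
}

/* Count how many records of record_len bytes fit before the budget runs out. */
uint64_t records_until_exhausted(uint64_t budget, uint64_t record_len) {
	uint64_t records = 0;
	while(charge_budget(&budget, record_len)) {
		records++;
	}
	return records;
}

int main(void) {
	/* Assumed parameters: a 16-byte block cipher in CBC mode, an 8-byte block
	 * cipher in CBC mode, and a stream cipher carrying a 16-byte IV. */
	printf("16-byte block : %llu\n", (unsigned long long)byte_budget(16, 16));
	printf("8-byte block  : %llu\n", (unsigned long long)byte_budget(8, 8));
	printf("stream, 16 IV : %llu\n", (unsigned long long)byte_budget(1, 16));
	printf("1 MiB records on an 8-byte block cipher: %llu\n",
	       (unsigned long long)records_until_exhausted(byte_budget(8, 8), 1 << 20));
	return 0;
}
```

The point of the sqrt bound is the birthday limit on a CBC-style mode: after about 2^(block_bits/2) bytes, block collisions start to leak information about the plaintext, so a 64-bit block cipher is only good for 4 GiB per key while a 128-bit block cipher's budget exceeds what a 64-bit counter can hold.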
Delay sending the real ID request until after a proxy request is granted.
Ensure compatibility with OpenSSL 1.1.0.
Preserve IPv6 scope_id in edges. When creating an edge after authenticating a peer, we copy the address used for the TCP connection, but change the port to that used for UDP. But the way we did it discarded the scope_id for IPv6 addresses. This prevented UDP communication from working correctly when connecting to a peer on the same LAN using an IPv6 link-local address. Thanks to Rafał Leśniak for pointing out this issue.
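The scope_id problem described above is easy to reproduce. As an added example (not tinc's code), the following shows the lossy way of deriving an edge address, copying only the IP bytes and setting a new port, next to the version that copies the whole sockaddr and then patches the port. The link-local address, port numbers and interface index are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

typedef union {
	struct sockaddr sa;
	struct sockaddr_in in;
	struct sockaddr_in6 in6;
	struct sockaddr_storage storage;
} sockaddr_t;

/* Lossy: rebuild the address from the IP bytes and the new port only. For
 * IPv6 this zeroes sin6_scope_id, so a link-local peer becomes unreachable
 * (the kernel no longer knows which interface the address belongs to). */
void edge_address_lossy(const sockaddr_t *tcp, uint16_t udp_port, sockaddr_t *edge) {
	memset(edge, 0, sizeof *edge);
	edge->sa.sa_family = tcp->sa.sa_family;
	if(tcp->sa.sa_family == AF_INET6) {
		edge->in6.sin6_addr = tcp->in6.sin6_addr;
		edge->in6.sin6_port = htons(udp_port);
	} else {
		edge->in.sin_addr = tcp->in.sin_addr;
		edge->in.sin_port = htons(udp_port);
	}
}

/* Correct: copy the whole sockaddr (scope_id and flowinfo included) and
 * only then replace the port with the UDP port. */
void edge_address_keep_scope(const sockaddr_t *tcp, uint16_t udp_port, sockaddr_t *edge) {
	*edge = *tcp;
	if(edge->sa.sa_family == AF_INET6) {
		edge->in6.sin6_port = htons(udp_port);
	} else {
		edge->in.sin_port = htons(udp_port);
	}
}

uint32_t scope_id_of(const sockaddr_t *a) {
	return a->sa.sa_family == AF_INET6 ? a->in6.sin6_scope_id : 0;
}

uint16_t port_of(const sockaddr_t *a) {
	return ntohs(a->sa.sa_family == AF_INET6 ? a->in6.sin6_port : a->in.sin_port);
}

/* Constructed sample input: a link-local IPv6 peer on a given interface. */
void make_link_local_peer(sockaddr_t *a, const char *ip, uint16_t port, uint32_t scope_id) {
	memset(a, 0, sizeof *a);
	a->in6.sin6_family = AF_INET6;
	inet_pton(AF_INET6, ip, &a->in6.sin6_addr);
	a->in6.sin6_port = htons(port);
	a->in6.sin6_scope_id = scope_id;
}

int main(void) {
	sockaddr_t tcp, lossy, kept;
	make_link_local_peer(&tcp, "fe80::1", 655, 3);  /* assumed: interface index 3 */
	edge_address_lossy(&tcp, 656, &lossy);
	edge_address_keep_scope(&tcp, 656, &kept);
	printf("lossy copy: port %u scope_id %u\n", port_of(&lossy), scope_id_of(&lossy));
	printf("full copy : port %u scope_id %u\n", port_of(&kept), scope_id_of(&kept));
	return 0;
}
```

With a global unicast address both versions behave identically, which is why the bug only showed up for peers reached over link-local addresses on the same LAN.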
Update copyright notices.
Add ability to use proxies to connect to hostnames when there is no nameserver. This adds support for SOCKS4a, and enhances the support for SOCKS5 and HTTP.
Drop h and hh length modifiers from printf format strings. C already guarantees that chars and shorts get passed as int. The few uses in tinc are mainly to print fields of struct addrinfo, and fields like ai_family have different sizes on different platforms, which actually caused some warnings to be generated.
Fix warnings found by GCC 4.9. Too many arguments for format string in a few error messages.
Check RAND_bytes() return value, fail when getting random fails. When RAND_bytes() does not return success, the buffer contents cannot be used. This patch makes sure the return code is checked, and the connection fails when keys or challenges cannot be trusted. Signed-off-by: Steffan Karger <steffan@karger.me>
Use cryptographically strong random when generating keys. From the OpenSSL manual: "Byte sequences generated by RAND_pseudo_bytes() will be unique if they are of sufficient length, but are not necessarily unpredictable." So, replace these calls with RAND_bytes() to get cryptographically strong key material. Signed-off-by: Steffan Karger <steffan@karger.me>
Releasing 1.0.20.
Don't send proxy requests for incoming connections.
Add strict checks to hex to binary conversions. The main goal is to catch misuse of the obsolete PrivateKey and PublicKey statements.
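As an added example of the kind of strict hex-to-binary checking the commit above refers to (illustration code, not tinc's own hex2bin), the decoder below rejects odd-length input, any non-hex character (including whitespace or a trailing newline), and input that overflows the destination, and the caller additionally requires the decoded length to equal the expected key size. The load_key() wrapper and its 32-byte key size are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c) {
	if(c >= '0' && c <= '9') return c - '0';
	if(c >= 'a' && c <= 'f') return c - 'a' + 10;
	if(c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Decode src into dst. Returns the number of bytes written, or -1 if src is
 * not a well-formed hex string that fits in dstlen bytes. On failure the
 * contents of dst are unspecified and must not be used. (Added example.) */
long hex2bin(const char *src, unsigned char *dst, size_t dstlen) {
	size_t srclen = strlen(src);
	if(srclen % 2 != 0 || srclen / 2 > dstlen) {
		return -1;
	}
	for(size_t i = 0; i < srclen; i += 2) {
		int hi = hexval(src[i]);
		int lo = hexval(src[i + 1]);
		if(hi < 0 || lo < 0) {
			return -1;
		}
		dst[i / 2] = (unsigned char)((hi << 4) | lo);
	}
	return (long)(srclen / 2);
}

#define KEY_BYTES 32  /* assumed key size for this example */

/* Strict caller: the decoded length must be exactly KEY_BYTES. A truncated,
 * padded or garbled key is rejected instead of silently yielding a short key
 * with uninitialised trailing bytes. */
bool load_key(const char *hex, unsigned char key[KEY_BYTES]) {
	return hex2bin(hex, key, KEY_BYTES) == KEY_BYTES;
}

int main(void) {
	unsigned char key[KEY_BYTES];
	/* Constructed sample inputs. */
	const char *good = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f";
	const char *bad[] = {
		"00010203",                                                           /* too short */
		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f\n", /* trailing newline */
		"0g0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",   /* non-hex digit */
		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1",    /* odd length */
	};
	printf("good key: %s\n", load_key(good, key) ? "accepted" : "rejected");
	for(size_t i = 0; i < sizeof bad / sizeof bad[0]; i++) {
		printf("bad key %zu: %s\n", i, load_key(bad[i], key) ? "accepted" : "rejected");
	}
	return 0;
}
```

A lenient decoder that stops at the first non-hex character and returns whatever it has so far is exactly how a mis-pasted PrivateKey or PublicKey line turns into a key that is mostly zeroes or stale stack contents; returning -1 and comparing the count against the expected length closes both holes.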
Attribution for Martin Schürrer.