oweals/tinc.git
15 years agoHandle truncated message authentication codes.
Guus Sliepen [Sat, 6 Jun 2009 17:04:04 +0000 (19:04 +0200)]
Handle truncated message authentication codes.

15 years agoMerge branch 'master' into 1.1
Guus Sliepen [Fri, 5 Jun 2009 21:03:28 +0000 (23:03 +0200)]
Merge branch 'master' into 1.1

Conflicts:
doc/tincd.8.in
lib/pidfile.c
src/graph.c
src/net.c
src/net.h
src/net_packet.c
src/net_setup.c
src/net_socket.c
src/netutl.c
src/node.c
src/node.h
src/protocol_auth.c
src/protocol_key.c
src/tincd.c

15 years agotry outgoing connections before chroot/drop_privs
Michael Tokarev [Fri, 5 Jun 2009 09:33:58 +0000 (13:33 +0400)]
try outgoing connections before chroot/drop_privs

When chrooted, we either need to force-initialize resolver
and/or nsswitch somehow (no clean way) or resolve all the
names we want before entering chroot jail.  The latter
looks cleaner, easier and it is actually safe because
we still don't talk with the remote nodes there, only
initiating outgoing connections.

15 years agocleanup setpriority thing to make it readable
Michael Tokarev [Fri, 5 Jun 2009 07:58:17 +0000 (11:58 +0400)]
cleanup setpriority thing to make it readable

15 years agoAdd some const where appropriate.
Guus Sliepen [Thu, 28 May 2009 21:18:22 +0000 (23:18 +0200)]
Add some const where appropriate.

15 years agoAdd ProcessPriority option.
Guus Sliepen [Thu, 28 May 2009 20:51:30 +0000 (22:51 +0200)]
Add ProcessPriority option.

This option can be set to low, normal or high. On UNIX flavours, this changes
the nice value of the process by +10, 0 and -10 respectively. On Windows, it
sets the priority to BELOW_NORMAL_PRIORITY_CLASS, NORMAL_PRIORITY_CLASS and
HIGH_PRIORITY_CLASS respectively.

A high priority might help to reduce latency and packet loss on the VPN.

15 years agosrc/net_socket.c: Bind outgoing TCP sockets to `BindToAddress'.
Florian Forster [Wed, 27 May 2009 12:20:24 +0000 (14:20 +0200)]
src/net_socket.c: Bind outgoing TCP sockets to `BindToAddress'.

If a host has multiple addresses on an interface, the source address of the TCP
connection(s) was picked by the operating system while the UDP packets used a
bound socket, i. e. the source address was the address specified by the user.
This caused problems because the receiving code requires the TCP connection and
the UDP connection to originate from the same IP address.

This patch adds support for the `BindToInterface' and `BindToAddress' options
to the setup of outgoing TCP connections.

Tested with Debian Etch on x86 and Debian Lenny on x86_64.

Signed-off-by: Florian Forster <octo@verplant.org>
15 years agosrc/linux/device.c: Fix segfault when running without `--net'.
Florian Forster [Wed, 27 May 2009 07:27:44 +0000 (09:27 +0200)]
src/linux/device.c: Fix segfault when running without `--net'.

If running without `--net', the (global) variable `netname' is NULL. This
creates a segmentation fault because this NULL-pointer is passed to strdup:

 Program terminated with signal 11, Segmentation fault.
 #0  0xb7d30463 in strlen () from /lib/tls/i686/cmov/libc.so.6
 (gdb) bt
 #0  0xb7d30463 in strlen () from /lib/tls/i686/cmov/libc.so.6
 #1  0xb7d30175 in strdup () from /lib/tls/i686/cmov/libc.so.6
 #2  0x0805bf47 in xstrdup (s=0x0) at xmalloc.c:118  <---
 #3  0x0805be33 in setup_device () at device.c:66
 #4  0x0805072e in setup_myself () at net_setup.c:432
 #5  0x08050db2 in setup_network () at net_setup.c:536
 #6  0x0805b27f in main (argc=Cannot access memory at address 0x0) at tincd.c:580

This patch fixes this by checking `netname' in `setup_device'. An alternative
would be to check for NULL-pointers in `xstrdup' and return NULL in this case.

Signed-off-by: Florian Forster <octo@verplant.org>
15 years agotunnelserver: log which ADD_SUBNET was refused
Michael Tokarev [Sun, 24 May 2009 13:23:24 +0000 (17:23 +0400)]
tunnelserver: log which ADD_SUBNET was refused

Add some logging about refused ADD_SUBNET
(it causes subsequent client disconnect so it's
important to know which subnet was at fault).

Maybe we should just ignore it completely.

15 years agoDo not forward broadcast packets when TunnelServer is enabled.
Guus Sliepen [Mon, 25 May 2009 13:04:33 +0000 (15:04 +0200)]
Do not forward broadcast packets when TunnelServer is enabled.

First of all, the idea behind the TunnelServer option is to hide all other
nodes from each other, so we shouldn't forward broadcast packets from them
anyway. The other reason is that since edges from other nodes are ignored, the
calculated minimum spanning tree might not be correct, which can result in
routing loops.

15 years agoUse packet size before decompression to calculate path MTU.
Guus Sliepen [Mon, 25 May 2009 10:19:37 +0000 (12:19 +0200)]
Use packet size before decompression to calculate path MTU.

Since compression can either grow or shrink a packet, the size of an MTU probe
after decompression might not reflect the real path MTU. Now we use the size
before decompression, which is independent of the compression algorithm, and
substract a safety margin such that the calculated path MTU will be safe even
for packets which grow as much as possible after compression.

15 years agoAdd declaration for sockaddrcmp_noport().
Guus Sliepen [Mon, 25 May 2009 10:19:08 +0000 (12:19 +0200)]
Add declaration for sockaddrcmp_noport().

15 years agoFix ans_key exchange in recent changes
Michael Tokarev [Sun, 24 May 2009 18:32:24 +0000 (22:32 +0400)]
Fix ans_key exchange in recent changes

send_ans_key() was using the wrong in vs. outkeylength to
terminate the key being sent, so it was always empty.

15 years agoUse xrealloc instead of if(ptr) ptr = xmalloc().
Guus Sliepen [Sun, 24 May 2009 17:35:51 +0000 (19:35 +0200)]
Use xrealloc instead of if(ptr) ptr = xmalloc().

15 years agoFix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf...
Guus Sliepen [Sun, 24 May 2009 17:31:31 +0000 (19:31 +0200)]
Fix initialisation of packet decryption context broken by commit 3308d13e7e3bf20cfeaf6f2ab17228a9820cea66.

Instead of a single, global decryption context, each node has its own context.
However, in send_ans_key(), the global context was initialised. This commit
fixes that and removes the global context completely.

Also only set status.validkey after all checks have been evaluated.

15 years agodon't log every strange packet coming to the UDP port
Michael Tokarev [Thu, 21 May 2009 21:10:16 +0000 (01:10 +0400)]
don't log every strange packet coming to the UDP port

it's a sure way to fill up syslog.  Only log those if
debug level is up to PROTOCOL

15 years agoFix link to Mattias Nissler's tun/tap driver for MacOS/X.
Guus Sliepen [Sun, 24 May 2009 15:13:00 +0000 (17:13 +0200)]
Fix link to Mattias Nissler's tun/tap driver for MacOS/X.

Thanks to Martin Christof Kindsmüller for spotting.

15 years agoIf PMTUDiscovery is not set, do not forward packets via TCP unnecessarily.
Guus Sliepen [Sun, 24 May 2009 13:58:47 +0000 (15:58 +0200)]
If PMTUDiscovery is not set, do not forward packets via TCP unnecessarily.

15 years agoignore indirect edge registrations in tunnelserver mode
Michael Tokarev [Thu, 21 May 2009 21:01:35 +0000 (01:01 +0400)]
ignore indirect edge registrations in tunnelserver mode

In tunnelserver mode we're not interested to hear about
our client edges, just like in case of subnets.  Just
ignore all requests which are not about our node or the
client node.

The fix is very similar to what was done for subnets.

Note that we don't need to add the "unknown" nodes to
the list in tunnelserver mode too, so move allocation
of new nodes down the line.

15 years agoTunnelServer: Don't disconnect client on DEL_SUBNET too
Michael Tokarev [Wed, 20 May 2009 14:40:04 +0000 (18:40 +0400)]
TunnelServer: Don't disconnect client on DEL_SUBNET too

Similar changes as was in 2327d3f6eb5982bcc922ff1ab1ec436ba6aeffdc
but for del_subnet_h().

Before, we vere returning false (and causing disconnect of the
client) in case of tunnelserver and the client sending DEL_SUBNET
for non-his subnet or for subnet which owner isn't in our connection
list.

After the mentioned change to add_subnet_h() that routine does not
add such indirect owners to the connection list anymore, so that
was ok (owner == NULL and we return true).

But if we too has a connection with the node about which the client
is sending DEL_SUBNET notification, say, because that client lost
connection with that other node, we'll disconnect this client from
us too, returning false for indirect DEL_SUBNET.

Fix that by allowing and ignoring indirect DEL_SUBNET in tunnelserver
mode.

Also rearranged the function a bit, to match add_subnet_h() (in
particular, syntax-check everything first, see if we've seen this
request before).

And also fix some comments.

15 years agoformat 'not supported on this platform' error message
Michael Tokarev [Mon, 18 May 2009 13:34:30 +0000 (17:34 +0400)]
format 'not supported on this platform' error message

Format it in a similar way in all places, to make translation happier.
No functional changes.

15 years agochange error messages in droppriv code to match the rest
Michael Tokarev [Mon, 18 May 2009 13:00:00 +0000 (17:00 +0400)]
change error messages in droppriv code to match the rest

Change formatting of error messages about failed syscalls
to be the same as in other places in tincd.

Also suggest a change in "$foo not supported on this platform"
message as it's now used more than once.

15 years agobugfix: chdir(/) after chroot
Michael Tokarev [Mon, 18 May 2009 12:53:08 +0000 (16:53 +0400)]
bugfix: chdir(/) after chroot

Fix the famous chdir(".") vs chdir("/") after chroot(something).

15 years agobugfix: move mlock to after detach() so it works for child, not parent
Michael Tokarev [Mon, 18 May 2009 12:49:39 +0000 (16:49 +0400)]
bugfix: move mlock to after detach() so it works for child, not parent

mlock()/mlockall() are not persistent across fork(), and it's
done in parent process before daemon() which does fork().  So
basically, current --mlock does nothing useful.

Move mlock() to after detach() so it works for child process
instead of parent.

Also, check if the platform supports mlock right when processing
options (since else we'll have to die after startup, not at
startup, the error message will be in log only).

15 years agobugfix: initialize pid (as read from pidfile) to zero
Michael Tokarev [Mon, 18 May 2009 12:28:55 +0000 (16:28 +0400)]
bugfix: initialize pid (as read from pidfile) to zero

If we didn't read any number from a pid file, we'll return
an unitialized variable to the caller, and it will treat
that garbage as a pid of a process (possible to kill).

Fix that.

15 years agoImplement privilege dropping
Michael Tokarev [Mon, 18 May 2009 12:25:41 +0000 (16:25 +0400)]
Implement privilege dropping

Add two options, -R/--chroot and -U/--user=user, to chroot to the
config directory (where tinc.conf is located) and to perform
setuid to the user specified, after all the initialization is done.

What's left is handling of pid file since we can't remove it anymore.

15 years agoRename setup_network_connections() and split out try_outgoing_connections()
Michael Tokarev [Mon, 18 May 2009 12:25:10 +0000 (16:25 +0400)]
Rename setup_network_connections() and split out try_outgoing_connections()

In preparation of chroot/setuid operations, split out call to
try_outgoing_connections() from setup_network_connections()
(which was the last call in setup_network_connections()).
This is because dropping privileges should be done in-between
setup_network_connections() and try_outgoing_connections().

This patch renames setup_network_connections() to setup_network()
and moves call to try_outgoing_connections() into main routine.

No functional changes.

15 years agoHandle UDP packets from different and ports than advertised.
Guus Sliepen [Thu, 2 Apr 2009 23:05:23 +0000 (01:05 +0200)]
Handle UDP packets from different and ports than advertised.

Previously, tinc used a fixed address and port for each node for UDP packet
exchange.  The port was the one advertised by that node as its listening port.
However, due to NAT the port might be different.  Now, tinc sends a different
session key to each node. This way, the sending node can be determined from
incoming packets by checking the MAC against all session keys. If a match is
found, the address and port for that node are updated.

15 years agoMerge branch 'master' into 1.1
Guus Sliepen [Mon, 9 Mar 2009 18:02:24 +0000 (19:02 +0100)]
Merge branch 'master' into 1.1

Conflicts:
NEWS
README
doc/tinc.conf.5.in
doc/tinc.texi
po/nl.po
src/conf.c
src/connection.c
src/event.c
src/graph.c
src/net.c
src/net_packet.c
src/net_socket.c
src/node.c
src/node.h
src/openssl/rsagen.h
src/protocol_auth.c
src/protocol_key.c
src/protocol_misc.c
src/subnet.c
src/subnet.h
src/tincd.c

15 years agoUse a simple Random Early Drop algorithm in send_tcppacket().
Guus Sliepen [Mon, 9 Mar 2009 13:04:31 +0000 (14:04 +0100)]
Use a simple Random Early Drop algorithm in send_tcppacket().

15 years agoDisable PMTUDiscovery in switch and hub modes.
Guus Sliepen [Mon, 9 Mar 2009 12:48:54 +0000 (13:48 +0100)]
Disable PMTUDiscovery in switch and hub modes.

In switch and hub modes, tinc does not generate ICMP packets in response to
packets that are larger than the path MTU.  However, if PMTUDiscovery is
enabled, the IP_MTU_DISCOVER and IPV6_MTU_DISCOVER option is set on the UDP
sockets, which causes all UDP packets to be sent with the DF bit set, causing
large packets to be dropped, even if they would otherwise be routed fine.

15 years agoUpdate THANKS and copyright information.
Guus Sliepen [Thu, 5 Mar 2009 13:12:36 +0000 (14:12 +0100)]
Update THANKS and copyright information.

15 years agoAllow weight to be assigned to Subnets.
Guus Sliepen [Thu, 5 Mar 2009 12:34:13 +0000 (13:34 +0100)]
Allow weight to be assigned to Subnets.

Tinc allows multiple nodes to own the same Subnet, but did not have a sensible
way to decide which one to send packets to. Tinc also did not check the
reachability of nodes when deciding where to route packets to, so it would not
automatically fail over to a reachable node.

Tinc now assigns a weight to each Subnet. The default weight is 10, with lower
weights having higher priority.  The Subnets are now internally sorted in the
same way as the kernel's routing table, and the Subnets are search linearly,
skipping those of unreachable nodes. A small cache of recently used addresses
is used to speed up the lookup functions.

15 years agoEnable PMTUDiscovery only if BOTH sides wants it.
Michael Tokarev [Sat, 28 Feb 2009 13:37:51 +0000 (16:37 +0300)]
Enable PMTUDiscovery only if BOTH sides wants it.

Don't enable PMTUDiscovery if at least one side does not support it.
Before it was enabled if at least one side supported it, now both are required.

15 years agoHandle neighbor solicitation requests without link layer addresses.
Guus Sliepen [Tue, 17 Feb 2009 13:43:05 +0000 (14:43 +0100)]
Handle neighbor solicitation requests without link layer addresses.

Apparently FreeBSD likes to send out neighbor solicitation requests, even on a
tun interface where this is completely pointless. These requests do not have an
option header containing a link layer address, so the proxy-neighborsol code
was treating these requests as invalid. We now handle such requests, and send
back equally pointless replies, also without a link layer address. This seems
to satisfy FreeBSD.

15 years agoAllow tunnelserver to work with clients that have other peers.
Michael Tokarev [Mon, 9 Feb 2009 22:51:10 +0000 (23:51 +0100)]
Allow tunnelserver to work with clients that have other peers.

In TunnelServer mode, tinc server disconnects any client if it announces
indirect subnets -- subnets that are not theirs (e.g. subnets for nodes
the CLIENT has connections now, even if those nodes are known to the server
too).  Fix that by ignoring such (indirect) announces instead.

While we're at it, move check for such indirect subnet registration to
before allocating new node structure, as in TunnelServer mode we don't
really need to know that other node.

15 years agoDisable old RSA keys when generating new ones.
Guus Sliepen [Tue, 3 Feb 2009 13:54:45 +0000 (14:54 +0100)]
Disable old RSA keys when generating new ones.

When generating an RSA keypair, the new public and private keys are appended to
files. However, when OpenSSL reads keys it only reads the first in a file, not
the last. Instead of printing an easily ignored warning, tinc now disables old
keys when appending new ones.

15 years agoValidate Name before using it in a filename when generating a keypair.
Guus Sliepen [Tue, 20 Jan 2009 13:21:50 +0000 (14:21 +0100)]
Validate Name before using it in a filename when generating a keypair.

15 years agoAllow reading config files with CRLF endings on Unix systems.
Guus Sliepen [Tue, 20 Jan 2009 13:20:44 +0000 (14:20 +0100)]
Allow reading config files with CRLF endings on Unix systems.

15 years agoRemove unused definitions from net.h.
Guus Sliepen [Tue, 20 Jan 2009 12:19:31 +0000 (13:19 +0100)]
Remove unused definitions from net.h.

15 years agoUse a global list to track outgoing connections.
Guus Sliepen [Tue, 20 Jan 2009 12:12:41 +0000 (13:12 +0100)]
Use a global list to track outgoing connections.

Previously an outgoing_t was maintained for each outgoing connection,
but the pointer to it was either stored in a connection_t or in an event_t.
This made it very hard to keep track of and to clean up.

Now a list is created when tinc starts and reads all the ConnectTo variables,
and which is recreated when tinc receives a HUP signal.

15 years agoAdd missing cleanup functions in close_network_connections().
Guus Sliepen [Mon, 19 Jan 2009 22:17:28 +0000 (23:17 +0100)]
Add missing cleanup functions in close_network_connections().

15 years agoChange flush_events() to expire_events().
Guus Sliepen [Mon, 19 Jan 2009 21:50:05 +0000 (22:50 +0100)]
Change flush_events() to expire_events().

The former function made a totally bogus shallow copy of the event_tree, called
the handler of each event and then deleted the whole tree.  This should've
caused tinc to crash when an ALARM signal was sent more than once, but for some
reason it didn't. It also behaved incorrectly when a handler added a new event.

The new function just moves the expiration time of all events to the past.

15 years agoMove free()s at the end om main() to the proper destructor functions.
Guus Sliepen [Fri, 9 Jan 2009 11:36:06 +0000 (12:36 +0100)]
Move free()s at the end om main() to the proper destructor functions.

15 years agoOnly send packets via UDP if UDP communication is possible.
Guus Sliepen [Sat, 3 Jan 2009 21:33:55 +0000 (22:33 +0100)]
Only send packets via UDP if UDP communication is possible.

When no session key is known for a node, or when it is doing PMTU discovery but
no MTU probes have returned yet, packets are sent via TCP. Some logic is added
to make sure intermediate nodes continue forwarding via TCP.  The per-node
packet queue is now no longer necessary and has been removed.

15 years agoConsistently allocate device and iface variables on the heap.
Guus Sliepen [Sat, 3 Jan 2009 21:06:10 +0000 (22:06 +0100)]
Consistently allocate device and iface variables on the heap.

This fixes a segfault when no Device has been specified and tinc exits, and it
would try to free() a static string. Thanks to Borg for spottin.

15 years agoUpdate documentation for git.
Guus Sliepen [Sat, 27 Dec 2008 10:09:43 +0000 (11:09 +0100)]
Update documentation for git.

15 years agoReleasing 1.0.9. release-1.0.9
Guus Sliepen [Fri, 26 Dec 2008 13:47:34 +0000 (13:47 +0000)]
Releasing 1.0.9.

15 years agoAdd missing parentheses in check for IPv4 multicast addresses.
Guus Sliepen [Fri, 26 Dec 2008 12:46:45 +0000 (12:46 +0000)]
Add missing parentheses in check for IPv4 multicast addresses.

15 years agoApply patch from Max Rijevski fixing a memory leak when closing connections.
Guus Sliepen [Tue, 23 Dec 2008 23:14:37 +0000 (23:14 +0000)]
Apply patch from Max Rijevski fixing a memory leak when closing connections.
It also cleans up more when stopping tinc, helping tools like valgrind.

15 years agoHandle broadcast and multicast packets in router mode.
Guus Sliepen [Tue, 23 Dec 2008 22:31:38 +0000 (22:31 +0000)]
Handle broadcast and multicast packets in router mode.
Multicast packets are treated as broadcast packets.
Based on a patch from Max Rijevski.

15 years agoUpdate the manpage as well, and some whitespace to make its source more legible.
Guus Sliepen [Mon, 22 Dec 2008 21:49:23 +0000 (21:49 +0000)]
Update the manpage as well, and some whitespace to make its source more legible.

15 years agoUpdate documentation.
Guus Sliepen [Mon, 22 Dec 2008 21:29:21 +0000 (21:29 +0000)]
Update documentation.
- TCPOnly is not experimental.
- Do not mention old Linux kernels and Ethertap anymore.
- Document the DeviceType, PMTU and PMTUDiscovery options.

15 years agoEnable PMTU discovery by default.
Guus Sliepen [Mon, 22 Dec 2008 20:35:45 +0000 (20:35 +0000)]
Enable PMTU discovery by default.

15 years agoUpdate copyright information.
Guus Sliepen [Mon, 22 Dec 2008 20:27:52 +0000 (20:27 +0000)]
Update copyright information.

15 years agoUpdate Dutch translation.
Guus Sliepen [Mon, 22 Dec 2008 19:43:49 +0000 (19:43 +0000)]
Update Dutch translation.

15 years agoMake sure IPv6 sockets are IPv6 only.
Guus Sliepen [Mon, 22 Dec 2008 19:40:40 +0000 (19:40 +0000)]
Make sure IPv6 sockets are IPv6 only.
This will get rid of the "Can't bind to 0.0.0.0 port 655/tcp: Address already
in use" message on Linux.

15 years agoUse TUNIFHEAD by default on FreeBSD to make sure IPv6 works.
Guus Sliepen [Mon, 22 Dec 2008 19:33:37 +0000 (19:33 +0000)]
Use TUNIFHEAD by default on FreeBSD to make sure IPv6 works.

15 years agoTreat virtual network device as tap if Mode = switch or hub.
Guus Sliepen [Sun, 21 Dec 2008 16:19:31 +0000 (16:19 +0000)]
Treat virtual network device as tap if Mode = switch or hub.
On OpenBSD, the link0 flag should still be set in tinc-up or by other means.

15 years agoMove RSA key generation into the wrappers.
Guus Sliepen [Sun, 14 Dec 2008 12:47:26 +0000 (12:47 +0000)]
Move RSA key generation into the wrappers.

15 years agoMake sure IPv6 sockets are IPv6 only.
Guus Sliepen [Thu, 11 Dec 2008 20:49:14 +0000 (20:49 +0000)]
Make sure IPv6 sockets are IPv6 only.

15 years agoUse Dijkstra's algorithm. Based on patches from Max Rijevskiy.
Guus Sliepen [Thu, 11 Dec 2008 18:07:26 +0000 (18:07 +0000)]
Use Dijkstra's algorithm. Based on patches from Max Rijevskiy.

15 years agoRemove wrong checks.
Guus Sliepen [Thu, 11 Dec 2008 18:05:59 +0000 (18:05 +0000)]
Remove wrong checks.

15 years agoRemove unnecessary parentheses from sizeof, apply sizeof to variables instead of...
Guus Sliepen [Thu, 11 Dec 2008 15:56:18 +0000 (15:56 +0000)]
Remove unnecessary parentheses from sizeof, apply sizeof to variables instead of types whereever possible.

15 years agoFix compiler warnings.
Guus Sliepen [Thu, 11 Dec 2008 15:42:46 +0000 (15:42 +0000)]
Fix compiler warnings.

15 years agoBackport fixes from trunk since revision 1555.
Guus Sliepen [Thu, 11 Dec 2008 15:21:40 +0000 (15:21 +0000)]
Backport fixes from trunk since revision 1555.

15 years agoUse the crypto wrappers again instead of calling OpenSSL directly.
Guus Sliepen [Thu, 11 Dec 2008 14:44:44 +0000 (14:44 +0000)]
Use the crypto wrappers again instead of calling OpenSSL directly.
This theoretically allows other cryptographic libraries to be used,
and it improves the readability of the code.

15 years agoMove AC_GNU_SOURCE up to make autoconf happy.
Guus Sliepen [Thu, 11 Dec 2008 14:43:13 +0000 (14:43 +0000)]
Move AC_GNU_SOURCE up to make autoconf happy.
Also bump libgcrypt dependency to 1.4.0, because that version supports the OFB cipher mode.

15 years agoOnly show meta connection related debug messages when debug level >= 4
Guus Sliepen [Thu, 11 Dec 2008 14:03:52 +0000 (14:03 +0000)]
Only show meta connection related debug messages when debug level >= 4

15 years agoLook in the configured sbin directory for the tincd binary.
Guus Sliepen [Thu, 11 Dec 2008 13:59:46 +0000 (13:59 +0000)]
Look in the configured sbin directory for the tincd binary.

15 years agoCorrect debug message.
Guus Sliepen [Fri, 5 Dec 2008 14:17:39 +0000 (14:17 +0000)]
Correct debug message.

16 years agoPrevent freeing a NULL pointer when a hostname is unresolvable.
Guus Sliepen [Tue, 18 Nov 2008 15:11:27 +0000 (15:11 +0000)]
Prevent freeing a NULL pointer when a hostname is unresolvable.

16 years agoDo not try to send REQ_KEY or ANS_KEY requests to unreachable nodes.
Guus Sliepen [Sat, 25 Oct 2008 19:54:00 +0000 (19:54 +0000)]
Do not try to send REQ_KEY or ANS_KEY requests to unreachable nodes.

16 years agoFix reading configuration files that do not end with a newline.
Guus Sliepen [Sat, 25 Oct 2008 18:10:08 +0000 (18:10 +0000)]
Fix reading configuration files that do not end with a newline.

16 years agoMake sure the prefixlength of subnets is sane.
Guus Sliepen [Fri, 14 Dec 2007 21:17:08 +0000 (21:17 +0000)]
Make sure the prefixlength of subnets is sane.
Thanks to Sven-Haegar Koch for spotting the bug and providing a fix.

17 years agoUse a control socket directory to restrict access
Scott Lamb [Thu, 8 Nov 2007 19:18:44 +0000 (19:18 +0000)]
Use a control socket directory to restrict access

This provides reasonable security even on Solaris. The sysadmin is
responsible for securing the control socket's ancestors from the
grandparent on.

We could add a cryptographic handshake later if desired.

17 years agoCoding style corrections
Scott Lamb [Wed, 7 Nov 2007 06:45:28 +0000 (06:45 +0000)]
Coding style corrections

17 years agoReload configuration through control socket
Scott Lamb [Wed, 7 Nov 2007 02:51:24 +0000 (02:51 +0000)]
Reload configuration through control socket

I also kept the SIGHUP handler, which many people will expect to see.
The control socket is better, though - it will tell you if there is a
problem.

17 years agoRetry connections through control socket
Scott Lamb [Wed, 7 Nov 2007 02:50:58 +0000 (02:50 +0000)]
Retry connections through control socket

17 years agoAlter debugging levels through control socket
Scott Lamb [Wed, 7 Nov 2007 02:50:27 +0000 (02:50 +0000)]
Alter debugging levels through control socket

17 years agoPurge through the control socket
Scott Lamb [Wed, 7 Nov 2007 02:49:57 +0000 (02:49 +0000)]
Purge through the control socket

17 years agoDump through control socket
Scott Lamb [Wed, 7 Nov 2007 02:49:25 +0000 (02:49 +0000)]
Dump through control socket

Note this removes SIGUSR1, SIGUSR2, and the graph dumping config option.
It seems cleaner to do everything through the control socket.

17 years agoFancier protocol for control socket
Scott Lamb [Wed, 7 Nov 2007 02:48:33 +0000 (02:48 +0000)]
Fancier protocol for control socket

* pass error status back
* pass message boundaries

17 years agoFix reload crash
Scott Lamb [Wed, 7 Nov 2007 02:48:15 +0000 (02:48 +0000)]
Fix reload crash

sighup_handler was expecting the connection_tree to stay the same across
terminate_connection(), which hasn't been true since r1539.

17 years agoUpdate documentation to match tincctl changes
Scott Lamb [Wed, 7 Nov 2007 02:48:00 +0000 (02:48 +0000)]
Update documentation to match tincctl changes

(Most of this was done in r1559, but it looks like tincctl.8.in got missed.)

17 years agoTemporarily revert to old crypto code
Scott Lamb [Wed, 7 Nov 2007 02:47:05 +0000 (02:47 +0000)]
Temporarily revert to old crypto code

(The new code is still segfaulting for me, and I'd like to proceed with other
work.)

This largely rolls back to the revision 1545 state of the existing code
(new crypto layer is still there with no callers), though I reintroduced
the segfault fix of revision 1562.

17 years agoPrevent double free() of a used challenge nonce.
Guus Sliepen [Sat, 20 Oct 2007 11:21:44 +0000 (11:21 +0000)]
Prevent double free() of a used challenge nonce.

17 years agoFix meta data segfault when receiving a partial command.
Guus Sliepen [Fri, 19 Oct 2007 19:07:30 +0000 (19:07 +0000)]
Fix meta data segfault when receiving a partial command.

17 years agoUse a dummy function as the read callback for connection bufferevents. Should not...
Guus Sliepen [Fri, 19 Oct 2007 18:54:43 +0000 (18:54 +0000)]
Use a dummy function as the read callback for connection bufferevents. Should not be triggered.

17 years agoFix connection weight estimation.
Guus Sliepen [Fri, 19 Oct 2007 18:53:48 +0000 (18:53 +0000)]
Fix connection weight estimation.

17 years agoApply patch from Scott Lamb: Update documentation to match tincctl changes
Guus Sliepen [Tue, 4 Sep 2007 15:06:35 +0000 (15:06 +0000)]
Apply patch from Scott Lamb: Update documentation to match tincctl changes

17 years agoSmall fixes to make gcrypt routines compile.
Guus Sliepen [Tue, 4 Sep 2007 14:58:52 +0000 (14:58 +0000)]
Small fixes to make gcrypt routines compile.

17 years agoFix formatting of --help output.
Guus Sliepen [Tue, 4 Sep 2007 14:58:11 +0000 (14:58 +0000)]
Fix formatting of --help output.

17 years agoOnly check for libgcrypt if --with-gcrypt is used.
Guus Sliepen [Tue, 4 Sep 2007 14:57:37 +0000 (14:57 +0000)]
Only check for libgcrypt if --with-gcrypt is used.

17 years agoHandle SERVICE_CONTROL_INTERROGATE requests. Thanks to Carsten Ralle for noticing...
Guus Sliepen [Fri, 17 Aug 2007 22:09:00 +0000 (22:09 +0000)]
Handle SERVICE_CONTROL_INTERROGATE requests. Thanks to Carsten Ralle for noticing this.

17 years agoconst correctness
Scott Lamb [Fri, 20 Jul 2007 20:10:46 +0000 (20:10 +0000)]
const correctness

cipher_encrypt and cipher_decrypt should take "const void *" data

17 years agoUpdated svn:ignores list for new symlinked sources and tincctl.
Scott Lamb [Wed, 18 Jul 2007 16:44:05 +0000 (16:44 +0000)]
Updated svn:ignores list for new symlinked sources and tincctl.

17 years agoRefresh po/POTFILES.in.
Scott Lamb [Wed, 18 Jul 2007 16:40:41 +0000 (16:40 +0000)]
Refresh po/POTFILES.in.

In particular, remove lib/pidfile.c which was causing failures. Also sort
for diffability with "find . -type f -name '*.c' | cut -c3- | sort" output.

17 years agoRevert to only requiring autoconf 2.59.
Scott Lamb [Wed, 18 Jul 2007 16:40:29 +0000 (16:40 +0000)]
Revert to only requiring autoconf 2.59.

The new autoconf macros introduced at the same time (AC_GNU_SOURCE,
AC_FUNC_MALLOC, AC_FUNC_REALLOC) exist in the autoconf 2.59 documentation,
and autoconf 2.59 appears to still work. This is more convenient, as RHEL 5
ships with autoconf 2.59.

17 years agoFinish crypto wrapping. Also provide wrappers for OpenSSL.
Guus Sliepen [Wed, 23 May 2007 13:45:49 +0000 (13:45 +0000)]
Finish crypto wrapping. Also provide wrappers for OpenSSL.
Disable libgcrypt by default. Since it doesn't support the OFB cipher mode,
we can't use it in a backwards compatible way.