X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Fnet_setup.c;h=2371f7ee099c5390800ec484387867d874bf0c75;hp=6c50f9d87c7037a84bee2c55daf9545f4ee03a08;hb=5c344f297682cf11793407fca4547968aee22d95;hpb=40b21d3ff4b50f7688e49651d1237987ce45128d diff --git a/src/net_setup.c b/src/net_setup.c index 6c50f9d8..2371f7ee 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -1,7 +1,7 @@ /* net_setup.c -- Setup. Copyright (C) 1998-2005 Ivo Timmermans, - 2000-2016 Guus Sliepen + 2000-2017 Guus Sliepen 2006 Scott Lamb 2010 Brandon Black @@ -650,14 +650,28 @@ static bool setup_myself(void) { } free(cipher); } else - myself->incipher = EVP_bf_cbc(); + myself->incipher = EVP_aes_256_cbc(); if(myself->incipher) myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher); else myself->inkeylength = 1; - myself->connection->outcipher = EVP_bf_ofb(); + /* We need to use a stream mode for the meta protocol. Use AES for this, + but try to match the key size with the one from the cipher selected + by Cipher. + + If Cipher is set to none, still use a low level of encryption for the + meta protocol. + */ + + int keylen = myself->incipher ? EVP_CIPHER_key_length(myself->incipher) : 0; + if(keylen <= 16) + myself->connection->outcipher = EVP_aes_128_cfb(); + else if(keylen <= 24) + myself->connection->outcipher = EVP_aes_192_cfb(); + else + myself->connection->outcipher = EVP_aes_256_cfb(); if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime)) keylifetime = 3600; @@ -681,9 +695,9 @@ static bool setup_myself(void) { free(digest); } else - myself->indigest = EVP_sha1(); + myself->indigest = EVP_sha256(); - myself->connection->outdigest = EVP_sha1(); + myself->connection->outdigest = EVP_sha256(); if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) { if(myself->indigest) {