At the start of the decade, there were still distributions that shipped
with versions of OpenSSL that did not support these algorithms. By now
everyone should support them. The old defaults were Blowfish and SHA1,
both of which are not considered secure anymore.
The meta-protocol now always uses AES in CFB mode, but the key length
will adapt to the one specified by the Cipher option. The digest for the
meta-protocol is hardcoded to SHA256.
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
- AC_CHECK_DECLS([OpenSSL_add_all_algorithms], ,
+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms EVP_aes_256_cfb], ,
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
/*
cipher.h -- header file cipher.c
/*
cipher.h -- header file cipher.c
- Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+ Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
extern cipher_t *cipher_open_by_name(const char *) __attribute__ ((__malloc__));
extern cipher_t *cipher_open_by_nid(int) __attribute__ ((__malloc__));
extern cipher_t *cipher_open_by_name(const char *) __attribute__ ((__malloc__));
extern cipher_t *cipher_open_by_nid(int) __attribute__ ((__malloc__));
-extern cipher_t *cipher_open_blowfish_ofb(void) __attribute__ ((__malloc__));
extern void cipher_close(cipher_t *);
extern size_t cipher_keylength(const cipher_t *);
extern size_t cipher_blocksize(const cipher_t *);
extern void cipher_close(cipher_t *);
extern size_t cipher_keylength(const cipher_t *);
extern size_t cipher_blocksize(const cipher_t *);
/*
digest.h -- header file digest.c
/*
digest.h -- header file digest.c
- Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+ Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
extern digest_t *digest_open_by_name(const char *name, int maclength) __attribute__ ((__malloc__));
extern digest_t *digest_open_by_nid(int nid, int maclength) __attribute__ ((__malloc__));
extern digest_t *digest_open_by_name(const char *name, int maclength) __attribute__ ((__malloc__));
extern digest_t *digest_open_by_nid(int nid, int maclength) __attribute__ ((__malloc__));
-extern digest_t *digest_open_sha1(int maclength) __attribute__ ((__malloc__));
extern void digest_close(digest_t *);
extern bool digest_create(digest_t *, const void *indata, size_t inlen, void *outdata) __attribute__ ((__warn_unused_result__));
extern bool digest_verify(digest_t *, const void *indata, size_t inlen, const void *digestdata) __attribute__ ((__warn_unused_result__));
extern void digest_close(digest_t *);
extern bool digest_create(digest_t *, const void *indata, size_t inlen, void *outdata) __attribute__ ((__warn_unused_result__));
extern bool digest_verify(digest_t *, const void *indata, size_t inlen, const void *digestdata) __attribute__ ((__warn_unused_result__));
/* Generate packet encryption key */
if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
/* Generate packet encryption key */
if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher))
- cipher = xstrdup("blowfish");
+ cipher = xstrdup("aes-256-cbc");
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
if(!strcasecmp(cipher, "none")) {
myself->incipher = NULL;
}
if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
}
if(!get_config_string(lookup_config(config_tree, "Digest"), &digest))
- digest = xstrdup("sha1");
+ digest = xstrdup("sha256");
if(!strcasecmp(digest, "none")) {
myself->indigest = NULL;
if(!strcasecmp(digest, "none")) {
myself->indigest = NULL;
/*
cipher.c -- Symmetric block cipher handling
/*
cipher.c -- Symmetric block cipher handling
- Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+ Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
return cipher_open(evp_cipher);
}
return cipher_open(evp_cipher);
}
-cipher_t *cipher_open_blowfish_ofb(void) {
- return cipher_open(EVP_bf_ofb());
-}
-
void cipher_close(cipher_t *cipher) {
if(!cipher)
return;
void cipher_close(cipher_t *cipher) {
if(!cipher)
return;
/*
digest.c -- Digest handling
/*
digest.c -- Digest handling
- Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+ Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
return digest_open(evp_md, maclength);
}
return digest_open(evp_md, maclength);
}
-digest_t *digest_open_sha1(int maclength) {
- return digest_open(EVP_sha1(), maclength);
-}
-
bool digest_set_key(digest_t *digest, const void *key, size_t len) {
digest->key = xrealloc(digest->key, len);
memcpy(digest->key, key, len);
bool digest_set_key(digest_t *digest, const void *key, size_t len) {
digest->key = xrealloc(digest->key, len);
memcpy(digest->key, key, len);
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
/*
protocol_auth.c -- handle the meta-protocol, authentication
Copyright (C) 1999-2005 Ivo Timmermans,
- 2000-2014 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2016 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
if(!read_rsa_public_key(c))
return false;
if(!read_rsa_public_key(c))
return false;
- if(!(c->outcipher = cipher_open_blowfish_ofb()))
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
+ but try to match the key size with the one from the cipher selected
+ by Cipher.
+ */
+
+ int keylen = cipher_keylength(myself->incipher);
+ if(keylen <= 16)
+ c->outcipher = cipher_open_by_name("aes-128-cfb");
+ else if(keylen <= 24)
+ c->outcipher = cipher_open_by_name("aes-192-cfb");
+ else
+ c->outcipher = cipher_open_by_name("aes-256-cfb");
+ if(!c)
- if(!(c->outdigest = digest_open_sha1(-1)))
+ if(!(c->outdigest = digest_open_by_name("sha256", -1)))
return false;
const size_t len = rsa_size(c->rsa);
return false;
const size_t len = rsa_size(c->rsa);