diff --git a/configure.ac b/configure.ac index 6fd2621d..9a9bf019 100644 --- a/configure.ac +++ b/configure.ac @@ -211,23 +211,33 @@ AC_CHECK_DECLS([res_init], [AC_CHECK_LIB(resolv, res_init)], [], [ AC_CACHE_SAVE +AC_ARG_ENABLE(legacy-protocol, + AS_HELP_STRING([--disable-legacy-protocol], [disable support for the legacy (tinc 1.0) protocol]), + [ AS_IF([test "x$enable_legacy_protocol" = "xno"], + [ AC_DEFINE(DISABLE_LEGACY, 1, [Disable support for the legacy (tinc 1.0) protocol]) ]) + ] +) + dnl These are defined in files in m4/ dnl AC_ARG_WITH(libgcrypt, AC_HELP_STRING([--with-libgcrypt], [enable use of libgcrypt instead of OpenSSL])], []) +dnl AC_ARG_WITH(openssl, AC_HELP_STRING([--without-openssl], [disable support for OpenSSL])], []) tinc_CURSES tinc_READLINE tinc_ZLIB tinc_LZO -if test -n "$with_libgcrypt"; then - gcrypt=true - tinc_LIBGCRYPT -else - openssl=true - tinc_OPENSSL +if test "x$enable_legacy_protocol" != "xno"; then + if test -n "$with_libgcrypt"; then + gcrypt=true + tinc_LIBGCRYPT + else + openssl=true + tinc_OPENSSL + fi fi - + AM_CONDITIONAL(OPENSSL, test -n "$openssl") AM_CONDITIONAL(GCRYPT, test -n "$gcrypt") diff --git a/src/Makefile.am b/src/Makefile.am index cd84f3a8..5c8a8416 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -92,6 +92,8 @@ tincd_SOURCES = \ utils.c utils.h \ xalloc.h \ version.c version.h \ + ed25519/ecdh.c \ + ed25519/ecdsa.c \ $(ed25519_SOURCES) \ $(chacha_poly1305_SOURCES) @@ -111,6 +113,9 @@ tinc_SOURCES = \ top.c top.h \ utils.c utils.h \ version.c version.h \ + ed25519/ecdh.c \ + ed25519/ecdsa.c \ + ed25519/ecdsagen.c \ $(ed25519_SOURCES) \ $(chacha_poly1305_SOURCES) @@ -119,12 +124,15 @@ sptps_test_SOURCES = \ sptps.c sptps.h \ sptps_test.c \ utils.c utils.h \ + ed25519/ecdh.c \ + ed25519/ecdsa.c \ $(ed25519_SOURCES) \ $(chacha_poly1305_SOURCES) sptps_keypair_SOURCES = \ sptps_keypair.c \ utils.c utils.h \ + ed25519/ecdsagen.c \ $(ed25519_SOURCES) sptps_speed_SOURCES = \ @@ -132,6 +140,9 @@ sptps_speed_SOURCES = \ sptps.c sptps.h \ sptps_speed.c \ utils.c utils.h \ + ed25519/ecdh.c \ + ed25519/ecdsa.c \ + ed25519/ecdsagen.c \ $(ed25519_SOURCES) \ $(chacha_poly1305_SOURCES) @@ -173,54 +184,36 @@ tincd_SOURCES += \ openssl/cipher.c \ openssl/crypto.c \ openssl/digest.c openssl/digest.h \ - ed25519/ecdh.c \ - ed25519/ecdsa.c \ openssl/prf.c \ openssl/rsa.c tinc_SOURCES += \ openssl/cipher.c \ openssl/crypto.c \ openssl/digest.c openssl/digest.h \ - ed25519/ecdh.c \ - ed25519/ecdsa.c \ - ed25519/ecdsagen.c \ openssl/prf.c \ openssl/rsa.c \ openssl/rsagen.c sptps_test_SOURCES += \ openssl/crypto.c \ openssl/digest.c openssl/digest.h \ - ed25519/ecdh.c \ - ed25519/ecdsa.c \ openssl/prf.c sptps_keypair_SOURCES += \ - openssl/crypto.c \ - ed25519/ecdsagen.c + openssl/crypto.c sptps_speed_SOURCES += \ openssl/crypto.c \ openssl/digest.c openssl/digest.h \ - ed25519/ecdh.c \ - ed25519/ecdsa.c \ - ed25519/ecdsagen.c \ openssl/prf.c -endif - -if GCRYPT +elif GCRYPT tincd_SOURCES += \ gcrypt/cipher.c \ gcrypt/crypto.c \ gcrypt/digest.c gcrypt/digest.h \ - gcrypt/ecdh.c \ - gcrypt/ecdsa.c \ gcrypt/prf.c \ gcrypt/rsa.c tinc_SOURCES += \ gcrypt/cipher.c \ gcrypt/crypto.c \ gcrypt/digest.c gcrypt/digest.h \ - gcrypt/ecdh.c \ - gcrypt/ecdsa.c \ - gcrypt/ecdsagen.c \ gcrypt/prf.c \ gcrypt/rsa.c \ gcrypt/rsagen.c @@ -228,9 +221,28 @@ sptps_test_SOURCES += \ gcrypt/cipher.c \ gcrypt/crypto.c \ gcrypt/digest.c gcrypt/digest.h \ - gcrypt/ecdh.c \ - gcrypt/ecdsa.c \ gcrypt/prf.c +sptps_keypair_SOURCES += \ + openssl/crypto.c +sptps_speed_SOURCES += \ + openssl/crypto.c \ + openssl/digest.c openssl/digest.h \ + openssl/prf.c +else +tincd_SOURCES += \ + nolegacy/crypto.c \ + nolegacy/prf.c +tinc_SOURCES += \ + nolegacy/crypto.c \ + nolegacy/prf.c +sptps_test_SOURCES += \ + nolegacy/crypto.c \ + nolegacy/prf.c +sptps_keypair_SOURCES += \ + nolegacy/crypto.c +sptps_speed_SOURCES += \ + nolegacy/crypto.c \ + nolegacy/prf.c endif tinc_LDADD = $(READLINE_LIBS) $(CURSES_LIBS) diff --git a/src/cipher.h b/src/cipher.h index 47cd1cdc..f194c0dc 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -24,6 +24,8 @@ #define CIPHER_MAX_IV_SIZE 16 #define CIPHER_MAX_KEY_SIZE 32 +#ifndef DISABLE_LEGACY + typedef struct cipher cipher_t; extern cipher_t *cipher_open_by_name(const char *) __attribute__ ((__malloc__)); @@ -40,3 +42,5 @@ extern int cipher_get_nid(const cipher_t *); extern bool cipher_active(const cipher_t *); #endif + +#endif diff --git a/src/connection.c b/src/connection.c index 496f6747..0e61132c 100644 --- a/src/connection.c +++ b/src/connection.c @@ -55,14 +55,16 @@ void free_connection(connection_t *c) { if(!c) return; +#ifndef DISABLE_LEGACY cipher_close(c->incipher); digest_close(c->indigest); cipher_close(c->outcipher); digest_close(c->outdigest); + rsa_free(c->rsa); +#endif sptps_stop(&c->sptps); ecdsa_free(c->ecdsa); - rsa_free(c->rsa); free(c->hischallenge); diff --git a/src/connection.h b/src/connection.h index b74b582a..30c6598b 100644 --- a/src/connection.h +++ b/src/connection.h @@ -75,12 +75,15 @@ typedef struct connection_t { struct node_t *node; /* node associated with the other end */ struct edge_t *edge; /* edge associated with this connection */ +#ifndef DISABLE_LEGACY rsa_t *rsa; /* his public RSA key */ - ecdsa_t *ecdsa; /* his public ECDSA key */ cipher_t *incipher; /* Cipher he will use to send data to us */ cipher_t *outcipher; /* Cipher we will use to send data to him */ digest_t *indigest; digest_t *outdigest; +#endif + + ecdsa_t *ecdsa; /* his public ECDSA key */ sptps_t sptps; int inmaclength; diff --git a/src/digest.h b/src/digest.h index 1e149456..204048ad 100644 --- a/src/digest.h +++ b/src/digest.h @@ -22,6 +22,8 @@ #define DIGEST_MAX_SIZE 64 +#ifndef DISABLE_LEGACY + typedef struct digest digest_t; extern digest_t *digest_open_by_name(const char *name, int maclength) __attribute__ ((__malloc__)); @@ -37,3 +39,5 @@ extern size_t digest_length(const digest_t *); extern bool digest_active(const digest_t *); #endif + +#endif diff --git a/src/invitation.c b/src/invitation.c index dff8d5fe..38634886 100644 --- a/src/invitation.c +++ b/src/invitation.c @@ -33,6 +33,8 @@ #include "utils.h" #include "xalloc.h" +#include "ed25519/sha512.h" + int addressfamily = AF_UNSPEC; static void scan_for_hostname(const char *filename, char **hostname, char **port) { @@ -270,8 +272,6 @@ int cmd_invite(int argc, char *argv[]) { } } - char hash[25]; - xasprintf(&filename, "%s" SLASH "invitations", confbase); if(mkdir(filename, 0700) && errno != EEXIST) { fprintf(stderr, "Could not create directory %s: %s\n", filename, strerror(errno)); @@ -365,11 +365,9 @@ int cmd_invite(int argc, char *argv[]) { return 1; // Create a hash of the key. + char hash[64]; char *fingerprint = ecdsa_get_base64_public_key(key); - digest_t *digest = digest_open_by_name("sha256", 18); - if(!digest) - abort(); - digest_create(digest, fingerprint, strlen(fingerprint), hash); + sha512(fingerprint, strlen(fingerprint), hash); b64encode_urlsafe(hash, hash, 18); // Create a random cookie for this invitation. @@ -378,10 +376,10 @@ int cmd_invite(int argc, char *argv[]) { // Create a filename that doesn't reveal the cookie itself char buf[18 + strlen(fingerprint)]; - char cookiehash[25]; + char cookiehash[64]; memcpy(buf, cookie, 18); memcpy(buf + 18, fingerprint, sizeof buf - 18); - digest_create(digest, buf, sizeof buf, cookiehash); + sha512(buf, sizeof buf, cookiehash); b64encode_urlsafe(cookiehash, cookiehash, 18); b64encode_urlsafe(cookie, cookie, 18); @@ -739,8 +737,9 @@ make_names: sptps_send_record(&sptps, 1, b64key, strlen(b64key)); free(b64key); + ecdsa_free(key); - +#ifndef DISABLE_LEGACY rsa_t *rsa = rsa_generate(2048, 0x1001); xasprintf(&filename, "%s" SLASH "rsa_key.priv", confbase); f = fopenmask(filename, "w", 0600); @@ -751,8 +750,8 @@ make_names: rsa_write_pem_public_key(rsa, fh); fclose(fh); - ecdsa_free(key); rsa_free(rsa); +#endif check_port(name); @@ -958,11 +957,8 @@ int cmd_join(int argc, char *argv[]) { // Check if the hash of the key he gave us matches the hash in the URL. char *fingerprint = line + 2; - digest_t *digest = digest_open_by_name("sha256", 18); - if(!digest) - abort(); - char hishash[18]; - if(!digest_create(digest, fingerprint, strlen(fingerprint), hishash)) { + char hishash[64]; + if(sha512(fingerprint, strlen(fingerprint), hishash)) { fprintf(stderr, "Could not create digest\n%s\n", line + 2); return 1; } diff --git a/src/meta.c b/src/meta.c index 73769d9a..1c29fe9c 100644 --- a/src/meta.c +++ b/src/meta.c @@ -58,6 +58,9 @@ bool send_meta(connection_t *c, const char *buffer, int length) { /* Add our data to buffer */ if(c->status.encryptout) { +#ifdef DISABLE_LEGACY + return false; +#else size_t outlen = length; if(!cipher_encrypt(c->outcipher, buffer, length, buffer_prepare(&c->outbuf, length), &outlen, false) || outlen != length) { @@ -65,6 +68,7 @@ bool send_meta(connection_t *c, const char *buffer, int length) { c->name, c->hostname); return false; } +#endif } else { buffer_add(&c->outbuf, buffer, length); } @@ -170,6 +174,9 @@ bool receive_meta(connection_t *c) { inlen -= endp - bufp; bufp = endp; } else { +#ifdef DISABLE_LEGACY + return false; +#else size_t outlen = inlen; if(!cipher_decrypt(c->incipher, bufp, inlen, buffer_prepare(&c->inbuf, inlen), &outlen, false) || inlen != outlen) { @@ -179,6 +186,7 @@ bool receive_meta(connection_t *c) { } inlen = 0; +#endif } while(c->inbuf.len) { diff --git a/src/net_packet.c b/src/net_packet.c index c1461091..c07dd1ad 100644 --- a/src/net_packet.c +++ b/src/net_packet.c @@ -351,10 +351,14 @@ static bool try_mac(node_t *n, const vpn_packet_t *inpkt) { if(n->status.sptps) return sptps_verify_datagram(&n->sptps, DATA(inpkt), inpkt->len); +#ifdef DISABLE_LEGACY + return false; +#else if(!digest_active(n->indigest) || inpkt->len < sizeof(seqno_t) + digest_length(n->indigest)) return false; return digest_verify(n->indigest, SEQNO(inpkt), inpkt->len - digest_length(n->indigest), DATA(inpkt) + inpkt->len - digest_length(n->indigest)); +#endif } static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { @@ -383,6 +387,9 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { return true; } +#ifdef DISABLE_LEGACY + return false; +#else if(!n->status.validkey) { logger(DEBUG_TRAFFIC, LOG_DEBUG, "Got packet from %s (%s) but he hasn't got our key yet", n->name, n->hostname); return false; @@ -491,6 +498,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) { else receive_packet(n, inpkt); return true; +#endif } void receive_tcppacket(connection_t *c, const char *buffer, int len) { @@ -681,6 +689,9 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { if(n->status.sptps) return send_sptps_packet(n, origpkt); +#ifdef DISABLE_LEGACY + return; +#else /* Make sure we have a valid key */ if(!n->status.validkey) { @@ -789,6 +800,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) { end: origpkt->len = origlen; +#endif } static bool send_sptps_data_priv(node_t *to, node_t *from, int type, const void *data, size_t len) { diff --git a/src/net_setup.c b/src/net_setup.c index 29f12128..1007f699 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -145,6 +145,7 @@ bool read_ecdsa_public_key(connection_t *c) { return c->ecdsa; } +#ifndef DISABLE_LEGACY bool read_rsa_public_key(connection_t *c) { if(ecdsa_active(c->ecdsa)) return true; @@ -182,6 +183,7 @@ bool read_rsa_public_key(connection_t *c) { free(fname); return c->rsa; } +#endif static bool read_ecdsa_private_key(void) { FILE *fp; @@ -248,6 +250,7 @@ static bool read_invitation_key(void) { return invitation_key; } +#ifndef DISABLE_LEGACY static bool read_rsa_private_key(void) { FILE *fp; char *fname; @@ -304,6 +307,7 @@ static bool read_rsa_private_key(void) { free(fname); return myself->connection->rsa; } +#endif static timeout_t keyexpire_timeout; @@ -773,6 +777,13 @@ static bool setup_myself(void) { myself->options |= PROT_MINOR << 24; +#ifdef DISABLE_LEGACY + experimental = read_ecdsa_private_key(); + if(!experimental) { + logger(DEBUG_ALWAYS, LOG_ERR, "No private key available, cannot start tinc!"); + return false; + } +#else if(!get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental)) { experimental = read_ecdsa_private_key(); if(!experimental) @@ -790,6 +801,7 @@ static bool setup_myself(void) { return false; } } +#endif /* Ensure myport is numeric */ @@ -854,6 +866,7 @@ static bool setup_myself(void) { sptps_replaywin = replaywin; } +#ifndef DISABLE_LEGACY /* Generate packet encryption key */ if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) @@ -891,6 +904,7 @@ static bool setup_myself(void) { } free(digest); +#endif /* Compression */ diff --git a/src/net_socket.c b/src/net_socket.c index 1bf9d16a..85bc4df5 100644 --- a/src/net_socket.c +++ b/src/net_socket.c @@ -549,8 +549,10 @@ begin: c->status.connecting = true; c->name = xstrdup(outgoing->name); +#ifndef DISABLE_LEGACY c->outcipher = myself->connection->outcipher; c->outdigest = myself->connection->outdigest; +#endif c->outmaclength = myself->connection->outmaclength; c->outcompression = myself->connection->outcompression; c->last_ping_time = now.tv_sec; @@ -696,8 +698,10 @@ void handle_new_meta_connection(void *data, int flags) { c = new_connection(); c->name = xstrdup(""); +#ifndef DISABLE_LEGACY c->outcipher = myself->connection->outcipher; c->outdigest = myself->connection->outdigest; +#endif c->outmaclength = myself->connection->outmaclength; c->outcompression = myself->connection->outcompression; diff --git a/src/node.c b/src/node.c index e97bfaf3..71f55b85 100644 --- a/src/node.c +++ b/src/node.c @@ -30,7 +30,7 @@ #include "utils.h" #include "xalloc.h" -static digest_t *sha256; +#include "ed25519/sha512.h" splay_tree_t *node_tree; static splay_tree_t *node_id_tree; @@ -48,8 +48,6 @@ static int node_id_compare(const node_t *a, const node_t *b) { } void init_nodes(void) { - sha256 = digest_open_by_name("sha256", sizeof(node_id_t)); - node_tree = splay_alloc_tree((splay_compare_t) node_compare, (splay_action_t) free_node); node_id_tree = splay_alloc_tree((splay_compare_t) node_id_compare, NULL); node_udp_cache = hash_alloc(0x100, sizeof(sockaddr_t)); @@ -61,8 +59,6 @@ void exit_nodes(void) { hash_free(node_udp_cache); splay_delete_tree(node_id_tree); splay_delete_tree(node_tree); - - digest_close(sha256); } node_t *new_node(void) { @@ -86,10 +82,12 @@ void free_node(node_t *n) { sockaddrfree(&n->address); +#ifndef DISABLE_LEGACY cipher_close(n->incipher); digest_close(n->indigest); cipher_close(n->outcipher); digest_close(n->outdigest); +#endif ecdsa_free(n->ecdsa); sptps_stop(&n->sptps); @@ -109,7 +107,9 @@ void free_node(node_t *n) { } void node_add(node_t *n) { - digest_create(sha256, n->name, strlen(n->name), &n->id); + unsigned char buf[64]; + sha512(n->name, strlen(n->name),buf); + memcpy(&n->id, buf, sizeof n->id); splay_insert(node_tree, n); splay_insert(node_id_tree, n); @@ -191,10 +191,15 @@ bool dump_nodes(connection_t *c) { sprintf(id + 2 * c, "%02hhx", n->id.x[c]); id[sizeof id - 1] = 0; send_request(c, "%d %d %s %s %s %d %d %d %d %x %x %s %s %d %hd %hd %hd %ld", CONTROL, REQ_DUMP_NODES, - n->name, id, n->hostname ?: "unknown port unknown", cipher_get_nid(n->outcipher), - digest_get_nid(n->outdigest), (int)digest_length(n->outdigest), n->outcompression, - n->options, bitfield_to_int(&n->status, sizeof n->status), n->nexthop ? n->nexthop->name : "-", - n->via ? n->via->name ?: "-" : "-", n->distance, n->mtu, n->minmtu, n->maxmtu, (long)n->last_state_change); + n->name, id, n->hostname ?: "unknown port unknown", +#ifdef DISABLE_LEGACY + 0, 0, 0, +#else + cipher_get_nid(n->outcipher), digest_get_nid(n->outdigest), (int)digest_length(n->outdigest), +#endif + n->outcompression, n->options, bitfield_to_int(&n->status, sizeof n->status), + n->nexthop ? n->nexthop->name : "-", n->via ? n->via->name ?: "-" : "-", n->distance, + n->mtu, n->minmtu, n->maxmtu, (long)n->last_state_change); } return send_request(c, "%d %d", CONTROL, REQ_DUMP_NODES); diff --git a/src/node.h b/src/node.h index b6db18b3..bd10add7 100644 --- a/src/node.h +++ b/src/node.h @@ -57,11 +57,13 @@ typedef struct node_t { ecdsa_t *ecdsa; /* His public ECDSA key */ sptps_t sptps; +#ifndef DISABLE_LEGACY cipher_t *incipher; /* Cipher for UDP packets */ digest_t *indigest; /* Digest for UDP packets */ cipher_t *outcipher; /* Cipher for UDP packets */ digest_t *outdigest; /* Digest for UDP packets */ +#endif int incompression; /* Compressionlevel, 0 = no compression */ int outcompression; /* Compressionlevel, 0 = no compression */ diff --git a/src/protocol_auth.c b/src/protocol_auth.c index cd39f28d..0882ddfc 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -45,6 +45,8 @@ #include "utils.h" #include "xalloc.h" +#include "ed25519/sha512.h" + ecdsa_t *invitation_key = NULL; static bool send_proxyrequest(connection_t *c) { @@ -211,17 +213,13 @@ static bool receive_invitation_sptps(void *handle, uint8_t type, const void *dat return false; // Recover the filename from the cookie and the key - digest_t *digest = digest_open_by_name("sha256", 18); - if(!digest) - abort(); char *fingerprint = ecdsa_get_base64_public_key(invitation_key); char hashbuf[18 + strlen(fingerprint)]; - char cookie[25]; + char cookie[64]; memcpy(hashbuf, data, 18); memcpy(hashbuf + 18, fingerprint, sizeof hashbuf - 18); - digest_create(digest, hashbuf, sizeof hashbuf, cookie); + sha512(hashbuf, sizeof hashbuf, cookie); b64encode_urlsafe(cookie, cookie, 18); - digest_close(digest); free(fingerprint); char filename[PATH_MAX], usedname[PATH_MAX]; @@ -412,6 +410,9 @@ bool id_h(connection_t *c, const char *request) { } bool send_metakey(connection_t *c) { +#ifdef DISABLE_LEGACY + return false; +#else if(!myself->connection->rsa) { logger(DEBUG_CONNECTIONS, LOG_ERR, "Peer %s (%s) uses legacy protocol which we don't support", c->name, c->hostname); return false; @@ -480,9 +481,13 @@ bool send_metakey(connection_t *c) { c->status.encryptout = true; return result; +#endif } bool metakey_h(connection_t *c, const char *request) { +#ifdef DISABLE_LEGACY + return false; +#else if(!myself->connection->rsa) return false; @@ -545,9 +550,13 @@ bool metakey_h(connection_t *c, const char *request) { c->allow_request = CHALLENGE; return send_challenge(c); +#endif } bool send_challenge(connection_t *c) { +#ifdef DISABLE_LEGACY + return false; +#else const size_t len = rsa_size(c->rsa); char buffer[len * 2 + 1]; @@ -565,9 +574,13 @@ bool send_challenge(connection_t *c) { /* Send the challenge */ return send_request(c, "%d %s", CHALLENGE, buffer); +#endif } bool challenge_h(connection_t *c, const char *request) { +#ifdef DISABLE_LEGACY + return false; +#else if(!myself->connection->rsa) return false; @@ -606,9 +619,13 @@ bool challenge_h(connection_t *c, const char *request) { c->allow_request = CHAL_REPLY; return send_request(c, "%d %s", CHAL_REPLY, buffer); +#endif } bool chal_reply_h(connection_t *c, const char *request) { +#ifdef DISABLE_LEGACY + return false; +#else char hishash[MAX_STRING_SIZE]; if(sscanf(request, "%*d " MAX_STRING, hishash) != 1) { @@ -645,9 +662,13 @@ bool chal_reply_h(connection_t *c, const char *request) { c->allow_request = ACK; return send_ack(c); +#endif } static bool send_upgrade(connection_t *c) { +#ifdef DISABLE_LEGACY + return false; +#else /* Special case when protocol_minor is 1: the other end is Ed25519 capable, * but doesn't know our key yet. So send it now. */ @@ -659,6 +680,7 @@ static bool send_upgrade(connection_t *c) { bool result = send_request(c, "%d %s", ACK, pubkey); free(pubkey); return result; +#endif } bool send_ack(connection_t *c) { diff --git a/src/protocol_key.c b/src/protocol_key.c index 8b19d900..cfa2f53f 100644 --- a/src/protocol_key.c +++ b/src/protocol_key.c @@ -266,6 +266,9 @@ bool send_ans_key(node_t *to) { if(to->status.sptps) abort(); +#ifdef DISABLE_LEGACY + return false; +#else size_t keylen = myself->incipher ? cipher_keylength(myself->incipher) : 1; char key[keylen * 2 + 1]; @@ -306,6 +309,7 @@ bool send_ans_key(node_t *to) { digest_get_nid(to->indigest), (int)digest_length(to->indigest), to->incompression); +#endif } bool ans_key_h(connection_t *c, const char *request) { @@ -371,9 +375,11 @@ bool ans_key_h(connection_t *c, const char *request) { return send_request(to->nexthop->connection, "%s", request); } +#ifndef DISABLE_LEGACY /* Don't use key material until every check has passed. */ cipher_close(from->outcipher); digest_close(from->outdigest); +#endif from->status.validkey = false; if(compression < 0 || compression > 11) { @@ -408,6 +414,10 @@ bool ans_key_h(connection_t *c, const char *request) { return true; } +#ifdef DISABLE_LEGACY + logger(DEBUG_ALWAYS, LOG_ERR, "Node %s (%) uses legacy protocol!", from->name, from->hostname); + return false; +#else /* Check and lookup cipher and digest algorithms */ if(cipher) { @@ -462,4 +472,5 @@ bool ans_key_h(connection_t *c, const char *request) { send_mtu_probe(from); return true; +#endif } diff --git a/src/tincctl.c b/src/tincctl.c index abaf6ee8..0eb3a256 100644 --- a/src/tincctl.c +++ b/src/tincctl.c @@ -119,8 +119,12 @@ static void usage(bool status) { " restart [tincd options] Restart tincd.\n" " reload Partially reload configuration of running tincd.\n" " pid Show PID of currently running tincd.\n" +#ifdef DISABLE_LEGACY + " generate-keys Generate a new Ed25519 public/private keypair.\n" +#else " generate-keys [bits] Generate new RSA and Ed25519 public/private keypairs.\n" " generate-rsa-keys [bits] Generate a new RSA public/private keypair.\n" +#endif " generate-ed25519-keys Generate a new Ed25519 public/private keypair.\n" " dump Dump a list of one of the following things:\n" " [reachable] nodes - all known nodes in the VPN\n" @@ -415,6 +419,7 @@ static bool ed25519_keygen(bool ask) { return true; } +#ifndef DISABLE_LEGACY /* Generate a public/private RSA keypair, and ask for a file to store them in. @@ -480,6 +485,7 @@ static bool rsa_keygen(int bits, bool ask) { return true; } +#endif char buffer[4096]; size_t blen = 0; @@ -1800,7 +1806,12 @@ static int cmd_init(int argc, char *argv[]) { fprintf(f, "Name = %s\n", name); fclose(f); - if(!rsa_keygen(2048, false) || !ed25519_keygen(false)) +#ifndef DISABLE_LEGACY + if(!rsa_keygen(2048, false)) + return 1; +#endif + + if(!ed25519_keygen(false)) return 1; check_port(name); @@ -1824,7 +1835,11 @@ static int cmd_init(int argc, char *argv[]) { } static int cmd_generate_keys(int argc, char *argv[]) { +#ifdef DISABLE_LEGACY + if(argc > 1) { +#else if(argc > 2) { +#endif fprintf(stderr, "Too many arguments!\n"); return 1; } @@ -1832,9 +1847,18 @@ static int cmd_generate_keys(int argc, char *argv[]) { if(!name) name = get_my_name(false); - return !(rsa_keygen(argc > 1 ? atoi(argv[1]) : 2048, true) && ed25519_keygen(true)); +#ifndef DISABLE_LEGACY + if(!rsa_keygen(argc > 1 ? atoi(argv[1]) : 2048, true) + return 1; +#endif + + if(!ed25519_keygen(true)) + return 1; + + return 0; } +#ifndef DISABLE_LEGACY static int cmd_generate_rsa_keys(int argc, char *argv[]) { if(argc > 2) { fprintf(stderr, "Too many arguments!\n"); @@ -1846,6 +1870,7 @@ static int cmd_generate_rsa_keys(int argc, char *argv[]) { return !rsa_keygen(argc > 1 ? atoi(argv[1]) : 2048, true); } +#endif static int cmd_generate_ed25519_keys(int argc, char *argv[]) { if(argc > 1) { @@ -2196,7 +2221,9 @@ static const struct { {"set", cmd_config}, {"init", cmd_init}, {"generate-keys", cmd_generate_keys}, +#ifndef DISABLE_LEGACY {"generate-rsa-keys", cmd_generate_rsa_keys}, +#endif {"generate-ed25519-keys", cmd_generate_ed25519_keys}, {"help", cmd_help}, {"version", cmd_version},