diff --git a/m4/openssl.m4 b/m4/openssl.m4 index 6bb33cf5..4afcff2f 100644 --- a/m4/openssl.m4 +++ b/m4/openssl.m4 @@ -49,7 +49,7 @@ AC_DEFUN([tinc_OPENSSL], [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], ) - AC_CHECK_DECLS([OpenSSL_add_all_algorithms], , + AC_CHECK_DECLS([OpenSSL_add_all_algorithms EVP_aes_256_cfb], , [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], [#include ] ) diff --git a/src/cipher.h b/src/cipher.h index 3f98c18f..41335ec4 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -1,6 +1,6 @@ /* cipher.h -- header file cipher.c - Copyright (C) 2007-2013 Guus Sliepen + Copyright (C) 2007-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -30,7 +30,6 @@ typedef struct cipher cipher_t; extern cipher_t *cipher_open_by_name(const char *) __attribute__ ((__malloc__)); extern cipher_t *cipher_open_by_nid(int) __attribute__ ((__malloc__)); -extern cipher_t *cipher_open_blowfish_ofb(void) __attribute__ ((__malloc__)); extern void cipher_close(cipher_t *); extern size_t cipher_keylength(const cipher_t *); extern size_t cipher_blocksize(const cipher_t *); diff --git a/src/digest.h b/src/digest.h index 204048ad..a3691bf0 100644 --- a/src/digest.h +++ b/src/digest.h @@ -1,6 +1,6 @@ /* digest.h -- header file digest.c - Copyright (C) 2007-2013 Guus Sliepen + Copyright (C) 2007-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -28,7 +28,6 @@ typedef struct digest digest_t; extern digest_t *digest_open_by_name(const char *name, int maclength) __attribute__ ((__malloc__)); extern digest_t *digest_open_by_nid(int nid, int maclength) __attribute__ ((__malloc__)); -extern digest_t *digest_open_sha1(int maclength) __attribute__ ((__malloc__)); extern void digest_close(digest_t *); extern bool digest_create(digest_t *, const void *indata, size_t inlen, void *outdata) __attribute__ ((__warn_unused_result__)); extern bool digest_verify(digest_t *, const void *indata, size_t inlen, const void *digestdata) __attribute__ ((__warn_unused_result__)); diff --git a/src/net_setup.c b/src/net_setup.c index b0a0c953..9293c118 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -857,7 +857,7 @@ static bool setup_myself(void) { /* Generate packet encryption key */ if(!get_config_string(lookup_config(config_tree, "Cipher"), &cipher)) - cipher = xstrdup("blowfish"); + cipher = xstrdup("aes-256-cbc"); if(!strcasecmp(cipher, "none")) { myself->incipher = NULL; @@ -881,7 +881,7 @@ static bool setup_myself(void) { } if(!get_config_string(lookup_config(config_tree, "Digest"), &digest)) - digest = xstrdup("sha1"); + digest = xstrdup("sha256"); if(!strcasecmp(digest, "none")) { myself->indigest = NULL; diff --git a/src/openssl/cipher.c b/src/openssl/cipher.c index ae9640f0..17ad408b 100644 --- a/src/openssl/cipher.c +++ b/src/openssl/cipher.c @@ -1,6 +1,6 @@ /* cipher.c -- Symmetric block cipher handling - Copyright (C) 2007-2013 Guus Sliepen + Copyright (C) 2007-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -62,10 +62,6 @@ cipher_t *cipher_open_by_nid(int nid) { return cipher_open(evp_cipher); } -cipher_t *cipher_open_blowfish_ofb(void) { - return cipher_open(EVP_bf_ofb()); -} - void cipher_close(cipher_t *cipher) { if(!cipher) return; diff --git a/src/openssl/digest.c b/src/openssl/digest.c index c303785d..58ca167f 100644 --- a/src/openssl/digest.c +++ b/src/openssl/digest.c @@ -1,6 +1,6 @@ /* digest.c -- Digest handling - Copyright (C) 2007-2013 Guus Sliepen + Copyright (C) 2007-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -64,10 +64,6 @@ digest_t *digest_open_by_nid(int nid, int maclength) { return digest_open(evp_md, maclength); } -digest_t *digest_open_sha1(int maclength) { - return digest_open(EVP_sha1(), maclength); -} - bool digest_set_key(digest_t *digest, const void *key, size_t len) { digest->key = xrealloc(digest->key, len); memcpy(digest->key, key, len); diff --git a/src/protocol_auth.c b/src/protocol_auth.c index 31b1f1e7..aee5736a 100644 --- a/src/protocol_auth.c +++ b/src/protocol_auth.c @@ -1,7 +1,7 @@ /* protocol_auth.c -- handle the meta-protocol, authentication Copyright (C) 1999-2005 Ivo Timmermans, - 2000-2014 Guus Sliepen + 2000-2016 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -421,10 +421,22 @@ bool send_metakey(connection_t *c) { if(!read_rsa_public_key(c)) return false; - if(!(c->outcipher = cipher_open_blowfish_ofb())) + /* We need to use a stream mode for the meta protocol. Use AES for this, + but try to match the key size with the one from the cipher selected + by Cipher. + */ + + int keylen = cipher_keylength(myself->incipher); + if(keylen <= 16) + c->outcipher = cipher_open_by_name("aes-128-cfb"); + else if(keylen <= 24) + c->outcipher = cipher_open_by_name("aes-192-cfb"); + else + c->outcipher = cipher_open_by_name("aes-256-cfb"); + if(!c) return false; - if(!(c->outdigest = digest_open_sha1(-1))) + if(!(c->outdigest = digest_open_by_name("sha256", -1))) return false; const size_t len = rsa_size(c->rsa);