Use AES256 and SHA256 by default for the legacy protocol.

At the start of the decade, there were still distributions that shipped with versions of OpenSSL that did not support these algorithms. By now everyone should support them. The old defaults were Blowfish and SHA1, both of which are not considered secure anymore. The meta-protocol now always uses AES in CFB mode, but the key length will adapt to the one specified by the Cipher option. The digest for the meta-protocol is hardcoded to SHA256.
2016-10-30 15:17:52 +01:00 · 2016-10-30 15:17:52 +01:00 · edc1efed3c
commit edc1efed3c
parent fcaf158494
7 changed files with 22 additions and 20 deletions
--- a/src/openssl/cipher.c
+++ b/src/openssl/cipher.c
@ -1,6 +1,6 @@
 /*
    cipher.c -- Symmetric block cipher handling
-    Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -62,10 +62,6 @@ cipher_t *cipher_open_by_nid(int nid) {
 	return cipher_open(evp_cipher);
 }

-cipher_t *cipher_open_blowfish_ofb(void) {
-	return cipher_open(EVP_bf_ofb());
-}
-
 void cipher_close(cipher_t *cipher) {
 	if(!cipher)
 		return;
--- a/src/openssl/digest.c
+++ b/src/openssl/digest.c
@ -1,6 +1,6 @@
 /*
    digest.c -- Digest handling
-    Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@ -64,10 +64,6 @@ digest_t *digest_open_by_nid(int nid, int maclength) {
 	return digest_open(evp_md, maclength);
 }

-digest_t *digest_open_sha1(int maclength) {
-	return digest_open(EVP_sha1(), maclength);
-}
-
 bool digest_set_key(digest_t *digest, const void *key, size_t len) {
 	digest->key = xrealloc(digest->key, len);
 	memcpy(digest->key, key, len);