Use AES256 and SHA256 by default, also for the meta-connections.

At the start of the decade, there were still distributions that shipped
with versions of OpenSSL that did not support these algorithms. By now
everyone should support them. The old defaults were Blowfish and SHA1,
both of which are not considered secure anymore.

The meta-protocol now always uses AES in OFB mode, but the key length
will adapt to the one specified by the Cipher option. The digest for the
meta-protocol is hardcoded to SHA256.

diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index e2e206e13f0f444750a296d060692cae5ce7b852..b0d6c77639260cfaf8522e0292fab03c8cb0fd9f 100644 (file)
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -468,7 +468,7 @@ Multiple
 .Va Address
 variables can be specified, in which case each address will be tried until a working
 connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
 The symmetric cipher algorithm used to encrypt UDP packets.
 Any cipher supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying
@@ -483,7 +483,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
 This option sets the level of compression used for UDP packets.
 Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
 10 (fast lzo) and 11 (best lzo).
-.It Va Digest Li = Ar digest Pq sha1
+.It Va Digest Li = Ar digest Pq sha256
 The digest algorithm used to authenticate UDP packets.
 Any digest supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying

diff --git a/doc/tinc.texi b/doc/tinc.texi
index 90cc380ca9720ac28af001b7959a4a23f6308bbe..132a1c42944c57684d70470d872f16e3645e72be 100644 (file)
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
 tried until a working connection has been established.
 
 @cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
 The symmetric cipher algorithm used to encrypt UDP packets.
 Any cipher supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying "none" will turn off packet encryption.
@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
 10 (fast lzo) and 11 (best lzo).
 
 @cindex Digest
-@item Digest = <@var{digest}> (sha1)
+@item Digest = <@var{digest}> (sha256)
 The digest algorithm used to authenticate UDP packets.
 Any digest supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying "none" will turn off packet authentication.

diff --git a/src/net_setup.c b/src/net_setup.c
index 6c50f9d87c7037a84bee2c55daf9545f4ee03a08..5b985c342c727da95b5d55b9748c19aff804b1b3 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -650,14 +650,25 @@ static bool setup_myself(void) {
                }
                free(cipher);
        } else
-               myself->incipher = EVP_bf_cbc();
+               myself->incipher = EVP_aes_256_cbc();
 
        if(myself->incipher)
                myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
        else
                myself->inkeylength = 1;
 
-       myself->connection->outcipher = EVP_bf_ofb();
+       /* We need to use OFB mode for the meta protocol. Use AES for this,
+          but try to match the key size with the one from the cipher selected
+          by Cipher.
+       */
+
+       int keylen = EVP_CIPHER_key_length(myself->incipher);
+       if(keylen <= 16)
+               myself->connection->outcipher = EVP_aes_128_ofb();
+       else if(keylen <= 24)
+               myself->connection->outcipher = EVP_aes_192_ofb();
+       else
+               myself->connection->outcipher = EVP_aes_256_ofb();
 
        if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
                keylifetime = 3600;
@@ -681,9 +692,9 @@ static bool setup_myself(void) {
 
                free(digest);
        } else
-               myself->indigest = EVP_sha1();
+               myself->indigest = EVP_sha256();
 
-       myself->connection->outdigest = EVP_sha1();
+       myself->connection->outdigest = EVP_sha256();
 
        if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
                if(myself->indigest) {