From: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun, 30 Oct 2016 12:11:24 +0000 (+0100)
Subject: Use CFB mode for meta-connections to improve security.
X-Git-Tag: release-1.0.30~1
X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;h=8bf4c160d69d980f818ca05ba482b2ffa8230632;p=tinc
Use CFB mode for meta-connections to improve security.
---
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index 4cf26f47..adca5f7a 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -45,11 +45,11 @@ AC_DEFUN([tinc_OPENSSL],
[AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
)
- AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new EVP_aes_256_ctr], ,
+ AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
)
- AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
+ AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
[AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
[#include <openssl/evp.h>]
)
diff --git a/src/net_setup.c b/src/net_setup.c
index eeeefdf6..d7668885 100644
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -657,18 +657,18 @@ static bool setup_myself(void) {
else
myself->inkeylength = 1;
- /* We need to use OFB mode for the meta protocol. Use AES for this,
+ /* We need to use a stream mode for the meta protocol. Use AES for this,
but try to match the key size with the one from the cipher selected
by Cipher.
*/
int keylen = EVP_CIPHER_key_length(myself->incipher);
if(keylen <= 16)
- myself->connection->outcipher = EVP_aes_128_ctr();
+ myself->connection->outcipher = EVP_aes_128_cfb();
else if(keylen <= 24)
- myself->connection->outcipher = EVP_aes_192_ctr();
+ myself->connection->outcipher = EVP_aes_192_cfb();
else
- myself->connection->outcipher = EVP_aes_256_ctr();
+ myself->connection->outcipher = EVP_aes_256_cfb();
if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
keylifetime = 3600;