From: Guus Sliepen Date: Sun, 30 Oct 2016 12:11:24 +0000 (+0100) Subject: Use CFB mode for meta-connections to improve security. X-Git-Tag: release-1.0.30~1 X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;h=8bf4c160d69d980f818ca05ba482b2ffa8230632;p=tinc Use CFB mode for meta-connections to improve security. --- diff --git a/m4/openssl.m4 b/m4/openssl.m4 index 4cf26f47..adca5f7a 100644 --- a/m4/openssl.m4 +++ b/m4/openssl.m4 @@ -45,11 +45,11 @@ AC_DEFUN([tinc_OPENSSL], [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])] ) - AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new EVP_aes_256_ctr], , + AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], , [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], ) - AC_CHECK_DECL([OpenSSL_add_all_algorithms], , + AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], , [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break], [#include ] ) diff --git a/src/net_setup.c b/src/net_setup.c index eeeefdf6..d7668885 100644 --- a/src/net_setup.c +++ b/src/net_setup.c @@ -657,18 +657,18 @@ static bool setup_myself(void) { else myself->inkeylength = 1; - /* We need to use OFB mode for the meta protocol. Use AES for this, + /* We need to use a stream mode for the meta protocol. Use AES for this, but try to match the key size with the one from the cipher selected by Cipher. */ int keylen = EVP_CIPHER_key_length(myself->incipher); if(keylen <= 16) - myself->connection->outcipher = EVP_aes_128_ctr(); + myself->connection->outcipher = EVP_aes_128_cfb(); else if(keylen <= 24) - myself->connection->outcipher = EVP_aes_192_ctr(); + myself->connection->outcipher = EVP_aes_192_cfb(); else - myself->connection->outcipher = EVP_aes_256_ctr(); + myself->connection->outcipher = EVP_aes_256_cfb(); if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime)) keylifetime = 3600;