Use AES256 and SHA256 by default, also for the meta-connections.

At the start of the decade, there were still distributions that shipped
with versions of OpenSSL that did not support these algorithms. By now
everyone should support them. The old defaults were Blowfish and SHA1,
both of which are not considered secure anymore.

The meta-protocol now always uses AES in OFB mode, but the key length
will adapt to the one specified by the Cipher option. The digest for the
meta-protocol is hardcoded to SHA256.

diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index e2e206e..b0d6c77 100644 (file)
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -468,7 +468,7 @@ Multiple
 .Va Address
 variables can be specified, in which case each address will be tried until a working
 connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
 The symmetric cipher algorithm used to encrypt UDP packets.
 Any cipher supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying
@@ -483,7 +483,7 @@ Fragmentation Needed or Packet too Big messages are dropped by firewalls.
 This option sets the level of compression used for UDP packets.
 Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
 10 (fast lzo) and 11 (best lzo).
-.It Va Digest Li = Ar digest Pq sha1
+.It Va Digest Li = Ar digest Pq sha256
 The digest algorithm used to authenticate UDP packets.
 Any digest supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying

diff --git a/doc/tinc.texi b/doc/tinc.texi
index 90cc380..132a1c4 100644 (file)
--- a/doc/tinc.texi
+++ b/doc/tinc.texi
@@ -1143,7 +1143,7 @@ Multiple Address variables can be specified, in which case each address will be
 tried until a working connection has been established.
 
 @cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
 The symmetric cipher algorithm used to encrypt UDP packets.
 Any cipher supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying "none" will turn off packet encryption.
@@ -1162,7 +1162,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
 10 (fast lzo) and 11 (best lzo).
 
 @cindex Digest
-@item Digest = <@var{digest}> (sha1)
+@item Digest = <@var{digest}> (sha256)
 The digest algorithm used to authenticate UDP packets.
 Any digest supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying "none" will turn off packet authentication.

diff --git a/src/net_setup.c b/src/net_setup.c
index 6c50f9d..5b985c3 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -650,14 +650,25 @@ static bool setup_myself(void) {
                }
                free(cipher);
        } else
-               myself->incipher = EVP_bf_cbc();
+               myself->incipher = EVP_aes_256_cbc();
 
        if(myself->incipher)
                myself->inkeylength = EVP_CIPHER_key_length(myself->incipher) + EVP_CIPHER_iv_length(myself->incipher);
        else
                myself->inkeylength = 1;
 
-       myself->connection->outcipher = EVP_bf_ofb();
+       /* We need to use OFB mode for the meta protocol. Use AES for this,
+          but try to match the key size with the one from the cipher selected
+          by Cipher.
+       */
+
+       int keylen = EVP_CIPHER_key_length(myself->incipher);
+       if(keylen <= 16)
+               myself->connection->outcipher = EVP_aes_128_ofb();
+       else if(keylen <= 24)
+               myself->connection->outcipher = EVP_aes_192_ofb();
+       else
+               myself->connection->outcipher = EVP_aes_256_ofb();
 
        if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
                keylifetime = 3600;
@@ -681,9 +692,9 @@ static bool setup_myself(void) {
 
                free(digest);
        } else
-               myself->indigest = EVP_sha1();
+               myself->indigest = EVP_sha256();
 
-       myself->connection->outdigest = EVP_sha1();
+       myself->connection->outdigest = EVP_sha256();
 
        if(get_config_int(lookup_config(config_tree, "MACLength"), &myself->inmaclength)) {
                if(myself->indigest) {