Use CFB mode for meta-connections to improve security.

gsliepen · Oct 30, 2016 · 8bf4c16 · 8bf4c16
1 parent 848effe
commit 8bf4c16
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/m4/openssl.m4 b/m4/openssl.m4
@@ -45,11 +45,11 @@ AC_DEFUN([tinc_OPENSSL],
     [AC_MSG_ERROR([LibreSSL/OpenSSL libraries not found.])]
   )
 
-  AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new EVP_aes_256_ctr], ,
+  AC_CHECK_FUNCS([RAND_bytes EVP_EncryptInit_ex EVP_CIPHER_CTX_new], ,
     [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
   )
 
-  AC_CHECK_DECL([OpenSSL_add_all_algorithms], ,
+  AC_CHECK_DECLS([OpenSSL_add_all_algorithms, EVP_aes_256_cfb], ,
     [AC_MSG_ERROR([Missing LibreSSL/OpenSSL functionality, make sure you have installed the latest version.]); break],
     [#include <openssl/evp.h>]
   )

diff --git a/src/net_setup.c b/src/net_setup.c
@@ -657,18 +657,18 @@ static bool setup_myself(void) {
 	else
 		myself->inkeylength = 1;
 
-	/* We need to use OFB mode for the meta protocol. Use AES for this,
+	/* We need to use a stream mode for the meta protocol. Use AES for this,
 	   but try to match the key size with the one from the cipher selected
 	   by Cipher.
 	*/
 
 	int keylen = EVP_CIPHER_key_length(myself->incipher);
 	if(keylen <= 16)
-		myself->connection->outcipher = EVP_aes_128_ctr();
+		myself->connection->outcipher = EVP_aes_128_cfb();
 	else if(keylen <= 24)
-		myself->connection->outcipher = EVP_aes_192_ctr();
+		myself->connection->outcipher = EVP_aes_192_cfb();
 	else
-		myself->connection->outcipher = EVP_aes_256_ctr();
+		myself->connection->outcipher = EVP_aes_256_cfb();
 
 	if(!get_config_int(lookup_config(config_tree, "KeyExpire"), &keylifetime))
 		keylifetime = 3600;