if test "$with_libgcrypt" = yes; then
AM_PATH_LIBGCRYPT([1.4.0], [], [])
- ln -sf gcrypt/cipher.c gcrypt/cipher.h gcrypt/crypto.c gcrypt/crypto.h gcrypt/digest.c gcrypt/digest.h gcrypt/rsa.c gcrypt/rsa.h gcrypt/rsagen.c gcrypt/rsagen.h src/
+ ln -sf gcrypt/*.c gcrypt/*.h src/
else
tinc_OPENSSL
- ln -sf openssl/cipher.c openssl/cipher.h openssl/crypto.c openssl/crypto.h openssl/digest.c openssl/digest.h openssl/rsa.c openssl/rsa.h openssl/rsagen.c openssl/rsagen.h src/
+ ln -sf openssl/*.c openssl/*.h src/
fi
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
+.It Va ECDSAPrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ecdsa_key.priv Pc
+The file in which the private ECDSA key of this tinc daemon resides.
+This is only used if
+.Va ExperimentalProtocol
+is enabled.
+
+.It Va ExperimentalProtocol Li = yes | no Po no Pc Bq experimental
+When this option is enabled, experimental protocol enhancements will be used.
+Ephemeral ECDH will be used for key exchanges,
+and ECDSA will be used instead of RSA for authentication.
+When enabled, an ECDSA key must have been generated before with
+.Nm tincctl generate-ecdsa-keys .
+The experimental protocol may change at any time,
+and there is no guarantee that tinc will run stable when it is used.
+
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
Shows the PID of the currently running
.Xr tincd 8 .
.It generate-keys Op bits
+Generate both RSA and ECDSA keypairs (see below) and exit.
+.It generate-ecdsa-keys
+Generate public/private ECDSA keypair and exit.
+.It generate-rsa-keys Op bits
Generate public/private RSA keypair and exit.
If
.Ar bits
-is omitted, the default length will be 1024 bits.
+is omitted, the default length will be 2048 bits.
When saving keys to existing files, tinc will not delete the old keys;
you have to remove them manually.
.It dump nodes
read_config_file(config_tree, fname);
free(fname);
- if(!read_ecdsa_private_key())
+ get_config_bool(lookup_config(config_tree, "ExperimentalProtocol"), &experimental);
+
+ if(experimental && !read_ecdsa_private_key())
return false;
if(!read_rsa_private_key())
bool tunnelserver = false;
bool strictsubnets = false;
+bool experimental = false;
/* Jumptable for the request handlers */
extern bool tunnelserver;
extern bool strictsubnets;
+extern bool experimental;
/* Maximum size of strings in a request.
* scanf terminates %2048s with a NUL character,
bool send_id(connection_t *c) {
gettimeofday(&c->start, NULL);
- int minor = myself->connection->protocol_minor;
- if(c->config_tree && !read_ecdsa_public_key(c))
- minor = 1;
+ int minor = 0;
- return send_request(c, "%d %s %d.%d", ID, myself->connection->name,
- myself->connection->protocol_major, minor);
+ if(experimental) {
+ if(c->config_tree && !read_ecdsa_public_key(c))
+ minor = 1;
+ else
+ minor = myself->connection->protocol_minor;
+ }
+
+ return send_request(c, "%d %s %d.%d", ID, myself->connection->name, myself->connection->protocol_major, minor);
}
bool id_h(connection_t *c, char *request) {
return false;
}
- if(c->protocol_minor >= 2)
+ if(experimental && c->protocol_minor >= 2)
if(!read_ecdsa_public_key(c))
return false;
} else {
c->protocol_minor = 1;
}
+ if(!experimental)
+ c->protocol_minor = 0;
+
c->allow_request = METAKEY;
if(c->protocol_minor >= 2)
}
bool send_req_key(node_t *to) {
- return send_request(to->nexthop->connection, "%d %s %s 1", REQ_KEY, myself->name, to->name);
+ return send_request(to->nexthop->connection, "%d %s %s %d", REQ_KEY, myself->name, to->name, experimental ? 1 : 0);
}
bool req_key_h(connection_t *c, char *request) {
/* Check if this key request is for us */
if(to == myself) { /* Yes, send our own key back */
- if(kx_version > 0) {
+ if(experimental && kx_version >= 1) {
logger(LOG_DEBUG, "Got ECDH key request from %s", from->name);
from->status.ecdh = true;
}
}
bool send_ans_key(node_t *to) {
- if(to->status.ecdh)
+ if(experimental && to->status.ecdh)
return send_ans_key_ecdh(to);
size_t keylen = cipher_keylength(&myself->incipher);
/* ECDH or old-style key exchange? */
- if(!strncmp(key, "ECDH:", 5)) {
+ if(experimental && !strncmp(key, "ECDH:", 5)) {
keylen = (strlen(key) - 5) / 2;
if(keylen != ECDH_SIZE) {
projects / tinc / commitdiff