Add AES-256-GCM support to the new protocol

doc/SPTPS

@@ -18,8 +18,8 @@ Stream record layer
 
 A record consists of these fields:
 
-- uint32_t seqno (network byte order)
-- uint16_t length (network byte order)
+- uint32_t seqno (little endian)
+- uint16_t length (little endian)
 - uint8_t type
 - opaque data[length]
 - opaque hmac[HMAC_SIZE] (HMAC over all preceding fields)
@@ -45,8 +45,8 @@ Datagram record layer
 
 A record consists of these fields:
 
-- uint16_t length (network byte order)
-- uint32_t seqno (network byte order)
+- uint16_t length (little endian)
+- uint32_t seqno (little endian)
 - uint8_t type
 - opaque data[length]
 - opaque hmac[HMAC_SIZE] (HMAC over all preceding fields)
@@ -75,7 +75,7 @@ SIG ->
 ...encrypt and HMAC using session keys from now on...
 
 App ->
-            <- App 
+            <- App
 ...
             ...
 
@@ -91,7 +91,7 @@ ACK ->
 ...encrypt and HMAC using new session keys from now on...
 
 App ->
-            <- App 
+            <- App
 ...
             ...
 ---------------------
@@ -102,7 +102,11 @@ connection.
 
 Key EXchange message:
 
-- uint8_t kex_version (always 0 in this version of SPTPS)
+- uint8_t kex_version (always 1 in this version of SPTPS)
+- uint8_t
+  - high 4 bits: public key algorithm
+  - low 4 bits: preferred cipher suite
+- uint16_t bitmask of cipher suites supported
 - opaque nonce[32] (random number)
 - opaque ecdh_key[ECDH_SIZE]
 
@@ -162,9 +166,34 @@ The expanded key is used as follows:
 Where initiator_cipher_key is the key used by session initiator to encrypt
 messages sent to the responder.
 
+Public key suites
+-----------------
+
+0: Ed25519 + SHA512
+1: Ed448 + SHAKE256?
+
+Symmetric cipher suites
+-----------------------
+
+Value in parentheses is the static priority used to break ties in cipher suite
+negotiation. We favor those algorithms that run faster without hardware
+acceleration.
+
+0: Chacha20-Poly1305 (1)
+1: AES256-GCM        (0)
+
+Cipher suite selection
+----------------------
+
+Public key suites are required to match on both sides. The symmetric suite is chosen as follows:
+
+1. AND the supported cipher suite bitmasks
+2. If both preferred cipher suites are possible, choose the one with the highest static priority.
+3. If only one is possible, choose that one.
+4. If none is possible, choose the suite from the resulting bitmask that has the highest static priority.
+
 TODO:
 -----
 
 - Document format of ECDH public key, ECDSA signature
-- Document how CTR mode is used
 - Refer to TLS RFCs where appropriate

doc/tinc.conf.5.in

@@ -287,15 +287,6 @@ When combined with the IndirectData option,
 packets for nodes for which we do not have a meta connection with are also dropped.
 .It Va Ed25519PrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ed25519_key.priv Pc
 The file in which the private Ed25519 key of this tinc daemon resides.
-This is only used if
-.Va ExperimentalProtocol
-is enabled.
-.It Va ExperimentalProtocol Li = yes | no Pq yes
-When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
-Ephemeral ECDH will be used for key exchanges,
-and Ed25519 will be used instead of RSA for authentication.
-When enabled, an Ed25519 key must have been generated before with
-.Nm tinc generate-ed25519-keys .
 .It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
 This option selects the way indirect packets are forwarded.
 .Bl -tag -width indent
@@ -603,15 +594,14 @@ Multiple
 .Va Address
 variables can be specified, in which case each address will be tried until a working
 connection has been established.
-.It Va Cipher Li = Ar cipher Pq blowfish
+.It Va Cipher Li = Ar cipher Pq aes-256-cbc
 The symmetric cipher algorithm used to encrypt UDP packets.
 Any cipher supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying
 .Qq none
 will turn off packet encryption.
 It is best to use only those ciphers which support CBC mode.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
 .It Va ClampMSS Li = yes | no Pq yes
 This option specifies whether tinc should clamp the maximum segment size (MSS)
 of TCP packets to the path MTU. This helps in situations where ICMP
@@ -626,8 +616,7 @@ Any digest supported by LibreSSL or OpenSSL is recognised.
 Furthermore, specifying
 .Qq none
 will turn off packet authentication.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
 .It Va IndirectData Li = yes | no Pq no
 When set to yes, only nodes which already have a meta connection to you
 will try to establish direct communication with you.
@@ -637,8 +626,7 @@ The length of the message authentication code used to authenticate UDP packets.
 Can be anything from
 .Qq 0
 up to the length of the digest produced by the digest algorithm.
-This option has no effect for connections between nodes using
-.Va ExperimentalProtocol .
+This option only affects communication using the legacy protocol.
 .It Va PMTU Li = Ar mtu Po 1514 Pc
 This option controls the initial path MTU to this node.
 .It Va PMTUDiscovery Li = yes | no Po yes Pc

doc/tinc.texi

@@ -1025,15 +1025,6 @@ packets for nodes for which we do not have a meta connection with are also dropp
 @cindex Ed25519PrivateKeyFile
 @item Ed25519PrivateKeyFile = <@var{path}> (@file{@value{sysconfdir}/tinc/@var{netname}/ed25519_key.priv})
 The file in which the private Ed25519 key of this tinc daemon resides.
-This is only used if ExperimentalProtocol is enabled.
-
-@cindex ExperimentalProtocol
-@item ExperimentalProtocol = <yes|no> (yes)
-When this option is enabled, the SPTPS protocol will be used when connecting to nodes that also support it.
-Ephemeral ECDH will be used for key exchanges,
-and Ed25519 will be used instead of RSA for authentication.
-When enabled, an Ed25519 key must have been generated before with
-@command{tinc generate-ed25519-keys}.
 
 @cindex Forwarding
 @item Forwarding = <off|internal|kernel> (internal) [experimental]
@@ -1328,12 +1319,12 @@ Multiple Address variables can be specified, in which case each address will be
 tried until a working connection has been established.
 
 @cindex Cipher
-@item Cipher = <@var{cipher}> (blowfish)
+@item Cipher = <@var{cipher}> (aes-256-cbc)
 The symmetric cipher algorithm used to encrypt UDP packets using the legacy protocol.
 Any cipher supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying @samp{none} will turn off packet encryption.
 It is best to use only those ciphers which support CBC mode.
-This option has no effect for connections using the SPTPS protocol, which always use AES-256-CTR.
+This option only affects communication using the legacy protocol.
 
 @cindex ClampMSS
 @item ClampMSS = <yes|no> (yes)
@@ -1352,7 +1343,7 @@ Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
 The digest algorithm used to authenticate UDP packets using the legacy protocol.
 Any digest supported by LibreSSL or OpenSSL is recognized.
 Furthermore, specifying @samp{none} will turn off packet authentication.
-This option has no effect for connections using the SPTPS protocol, which always use HMAC-SHA-256.
+This option only affects communication using the legacy protocol.
 
 @cindex IndirectData
 @item IndirectData = <yes|no> (no)
@@ -1365,7 +1356,7 @@ It is best to leave this option out or set it to no.
 The length of the message authentication code used to authenticate UDP packets using the legacy protocol.
 Can be anything from 0
 up to the length of the digest produced by the digest algorithm.
-This option has no effect for connections using the SPTPS protocol, which never truncate MACs.
+This option only affects communication using the legacy protocol.
 
 @cindex PMTU
 @item PMTU = <@var{mtu}> (1514)
@@ -3030,9 +3021,9 @@ Therefore, tinc also authenticates the data.
 Finally, tinc uses sequence numbers (which themselves are also authenticated) to prevent an attacker from replaying valid packets.
 
 Since version 1.1pre3, tinc has two protocols used to protect your data; the legacy protocol, and the new Simple Peer-to-Peer Security (SPTPS) protocol.
-The SPTPS protocol is designed to address some weaknesses in the legacy protocol.
-The new authentication protocol is used when two nodes connect to each other that both have the ExperimentalProtocol option set to yes,
-otherwise the legacy protocol will be used.
+The SPTPS protocol is designed to address some weaknesses in the legacy protocol,
+and is used automatically if both sides support it.
+Once two nodes have connected with the new protocol, rollback to the legacy protocol is not allowed.
 
 @menu
 * Legacy authentication protocol::