ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/NEWS
(Generate patch)

Comparing gvpe/NEWS (file contents):
Revision 1.106 by root, Tue Dec 4 10:29:43 2012 UTC vs.
Revision 1.139 by root, Mon Apr 1 03:10:26 2019 UTC

1GVPE NEWS 1GVPE NEWS
2 2
3New option OPENSSL_NO_SSL_INTERN. If an application can be compiled 3 - update embedded liblzf.
4 with this defined it will not be affected by any changes to ssl internal 4 - use liblzf with static hash table: lowers stack usage.
5 structures. Add several utility functions to allow openssl application 5 - do not initialise liblzf hash table for faster operation.
6 to work with OPENSSL_NO_SSL_INTERN defined. 6 - use C++ variadic templates for callback.h, get rid of callback.pl.
7 [Steve Henson]
8TODO: bridge mode, finally?
9 7
83.1 Sat Oct 27 07:50:43 CEST 2018
9 - port to openssl 1.1 BUT SEE WARNING IN configure.ac. Do not use!
10 - tinc cruft removal: remove getopt.[ch], it's less portable to
11 have it then to not have it.
12 - tinc cruft removal: use pkg-config to detect libressl/openssl.
13 - minor cleanups.
14
153.0 Thu Nov 10 15:39:58 CET 2016
16 - INCOMPATIBLE CHANGE: core protocol version 1.0.
17 - INCOMPATIBLE CHANGE: node sections are now introduced
18 with "node nodename", not "node = nodename".
19 - INCOMPATIBLE CHANGE: gvpectrl -g will now generate a single
20 keypair, while -G will try to generate all keypairs as before.
21 - openssl 1.0.2 is the latest supported openssl release,
22 openssl 1.1.0 is not supported at the moment as the work to
23 make it compatible to both versions is just too much. a switch
24 to openssl 1.1 or another library will be done in a future release.
25 - update examples to not generate keys centrally, but locally on each
26 node.
27 - add workaround for temporary/rare ENOBUFS condition.
28 - while individual packets couldn't be replayed, a whole session
29 could be replayed - this has been fixed by an extra key exchange.
30 - fix a delete vs. delete [] mismatch in the central logging function.
31 - in addition to rsa key exchange and authentication, the handshake now
32 adds a diffie-hellman key exchange (using curve25119) for perfect
33 forward secrecy. mac and cipher keys are derived using HKDF.
34 - rsa key sizes are now configurable and larger (default is 3072).
35 correspondingly, the minimum mtu is no longer 296 but 576.
36 - fixed a potential (unverified) buffer overrun on rsa decryption.
37 - new per-node low-power setting that tries to reduce cpu/network usage.
38 - router reconnects could cause excessive rekeying on other connections.
39 - gvpectrl no longer generates all missing public keys, but
40 only missing private keys. private keys are also put
41 into the configured location.
42 - the pid-file now accepts %s as nodename as elsewhere.
43 - switch to counter mode (only aes supported at the moment in
44 openssl). this gets rid of the need to generate a random iv,
45 is likely more secure (and, as a side effect, gets rid of
46 slow randomness generation. counter mode is often faster
47 then cbc mode as well, and packets are smaller).
48 - no longer use RAND_bytes to generate session keys - you NEED
49 a real source of entropy now (e.g. egd or /dev/random - see the
50 openssl documentation).
51 - multiple node statements for the same node are now supported
52 and will be merged.
53 - a new directive "global" switches back to the global section
54 of the config file.
55 - if-up scripts can now be specified with absolute paths.
56 - new global option: serial, to detect configuration mismatches.
57 - use HKDF as authentication proof, not HMAC or a plain hash
58 (hint by Ilmari Karonen).
59 - during rekeying or connection establishments, hmac authentication
60 errors could occur and reset the connection. Transient hmac
61 authentication errors are now being ignored for 3 seconds.
62 - log the reason for a conneciton loss.
63 - use a (hopefully) constant time memcmp to compare internal secrets.
64 - fix a (harmless) errornous out of bounds stack read that would trigger
65 gcc's -fsanitize=address.
66 - bump old packet window size from 512 to 65536.
67 - update for big changes in openssl 1.1 API, wrap primitives
68 to make further changes easier.
69 - correctly check return values for openssl 1.0.0 and later.
70 - check for both public and private key file when deciding whether
71 to skip generating a key to avoid accidental overwrites.
72
732.25 Sat Jul 13 06:42:33 CEST 2013
10 - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other 74 - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other
11 protocols are enabled - this is necessary when you have nodes with 75 protocols are enabled - this is necessary when you have nodes with
12 completely unknown protocols, to force mediated connection requests. 76 completely unknown protocols, to force mediated connection requests.
13 - INCOMPATIBLE CHANGE: dns transport protocol bumped to version 2. 77 - INCOMPATIBLE CHANGE: dns transport protocol bumped to version 2.
78 - core protocol version 0.1, compatible with older releases.
79 - switch to using RSA_generate_key_ex, which is the badly documented
80 and needlessly more complicated replacement for the RSA_generate_key
81 function which is now deprecated.
82 - support additional hmac hashes: sha256 and sha512, usually truncated.
83 - change public exponent for rsa keys from 65535 to 65537, for
84 efficiency reasons - only affects new keys.
14 - nodes would sometimes declare transport endpoints valid despite 85 - nodes would sometimes declare transport endpoints valid despite
15 the protocol not being configured locally. 86 the protocol not being configured locally.
16 - new global configuration options: chroot, chuser, chuid, chgid, 87 - new global configuration options: chroot, chuser, chuid, chgid,
17 to chroot to a specified or anonymous new root, and change user id. 88 to chroot to a specified or anonymous new root, and change user id.
89 - new global configuration options seed_device and seed_interval,
90 to configure another device than /dev/urandom for random seeds,
91 and to configure a regular interval to reseed the rng.
92 - prefer inet_aton over gethostbyname, as the latter is not guaranteed
93 to "resolve" literal ip addresses.
18 - configure didn't detect openssl 1.0 because SHA1_version became private 94 - configure didn't detect openssl 1.0 because SHA1_version became private
19 (patch by TANIGUCHI Takaki). 95 (patch by TANIGUCHI Takaki).
20 - core protocol version 0.1, compatible with older releases.
21 - fix a bug where nodes would tell the other side that it supports 96 - fix a bug where nodes would tell the other side that it supports
22 the same protocols as that other side, instead of its own. 97 the same protocols as that other side, instead of its own.
23 - add zlib when found, as openssl depends on it in newer versions. 98 - add zlib when found, as openssl depends on it in newer versions.
24 - work around append-bugs in uclibc by using an extra seek. 99 - work around append-bugs in uclibc by using an extra seek.
25 - new "include" directive for the config file. 100 - new "include" directive for the config file.
26 - gvpectrl no longer evaluates any "on" directives. 101 - gvpectrl no longer evaluates any "on" directives.
27 - icmp and rawip protocols weren't upgradable to each other. 102 - icmp and rawip protocols weren't upgradable to each other.
28 - major, but incremental, dns transport improvements: 103 - major, but incremental, dns transport improvements:
29 - do not simply abort in some error cases in the dns transport, 104 - do not simply abort in some error cases in the dns transport,
30 but try to recover. 105 but try to recover.
31 - allow lowercase/uppercase alises for base-n encodings that do 106 - allow lowercase/uppercase aliases for base-n encodings that do
32 not rely on case. 107 not rely on case.
33 - use base26 instead of base22 encoding for dns syn's, and 108 - use base26 instead of base22 encoding for dns syn's, and
34 base36 instead of base22 for headers (saves one byte/packet). 109 base36 instead of base22 for headers (saves one byte/packet).
35 - back off far quicker in dns tunnel when idling - increases 110 - back off far quicker in dns tunnel when idling - increases
36 latency on an idle link somewhat, but avoids hundreds of 111 latency on an idle link somewhat, but avoids hundreds of
39 second as opposed to once per 5 seconds). 114 second as opposed to once per 5 seconds).
40 - reduce dns send payload size to allow greater rate of ack 115 - reduce dns send payload size to allow greater rate of ack
41 messages (should help sack and ipv6). 116 messages (should help sack and ipv6).
42 - allow for ip options in rawip/icmp transports, even though gvpe 117 - allow for ip options in rawip/icmp transports, even though gvpe
43 doesn't generate them. 118 doesn't generate them.
119 - upgrade to autoconf 2.69, automake 1.11.
44 - upgrade to libev 4 API. 120 - upgrade to libev 4 API.
121 - replace COPYING file by actual GPLv3 - files were relicensed to GPLv3
122 earlier but COPYING was forgotten.
45 123
462.24 Sat Feb 12 05:15:48 CET 2011 1242.24 Sat Feb 12 05:15:48 CET 2011
47 - protocol version 0.1, compatible with older releases. 125 - protocol version 0.1, compatible with older releases.
48 - due to a bug, when packets were lost, a connection could go into a 126 - due to a bug, when packets were lost, a connection could go into a
49 state where a ping/connection request from another node would be 127 state where a ping/connection request from another node would be

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines