ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/NEWS
(Generate patch)

Comparing gvpe/NEWS (file contents):
Revision 1.106 by root, Tue Dec 4 10:29:43 2012 UTC vs.
Revision 1.140 by root, Mon Jan 13 11:30:35 2020 UTC

1GVPE NEWS 1GVPE NEWS
2 2
3New option OPENSSL_NO_SSL_INTERN. If an application can be compiled 3TODO: updqate donna?
4 with this defined it will not be affected by any changes to ssl internal 4TODO: clear one-time key/auth material from memory?
5 structures. Add several utility functions to allow openssl application 5 - update embedded liblzf.
6 to work with OPENSSL_NO_SSL_INTERN defined. 6 - use liblzf with static hash table: lowers stack usage.
7 [Steve Henson] 7 - do not initialise liblzf hash table for faster operation.
8TODO: bridge mode, finally? 8 - use C++ variadic templates for callback.h, get rid of callback.pl.
9 9
103.1 Sat Oct 27 07:50:43 CEST 2018
11 - port to openssl 1.1 BUT SEE WARNING IN configure.ac. Do not use!
12 - tinc cruft removal: remove getopt.[ch], it's less portable to
13 have it then to not have it.
14 - tinc cruft removal: use pkg-config to detect libressl/openssl.
15 - minor cleanups.
16
173.0 Thu Nov 10 15:39:58 CET 2016
18 - INCOMPATIBLE CHANGE: core protocol version 1.0.
19 - INCOMPATIBLE CHANGE: node sections are now introduced
20 with "node nodename", not "node = nodename".
21 - INCOMPATIBLE CHANGE: gvpectrl -g will now generate a single
22 keypair, while -G will try to generate all keypairs as before.
23 - openssl 1.0.2 is the latest supported openssl release,
24 openssl 1.1.0 is not supported at the moment as the work to
25 make it compatible to both versions is just too much. a switch
26 to openssl 1.1 or another library will be done in a future release.
27 - update examples to not generate keys centrally, but locally on each
28 node.
29 - add workaround for temporary/rare ENOBUFS condition.
30 - while individual packets couldn't be replayed, a whole session
31 could be replayed - this has been fixed by an extra key exchange.
32 - fix a delete vs. delete [] mismatch in the central logging function.
33 - in addition to rsa key exchange and authentication, the handshake now
34 adds a diffie-hellman key exchange (using curve25119) for perfect
35 forward secrecy. mac and cipher keys are derived using HKDF.
36 - rsa key sizes are now configurable and larger (default is 3072).
37 correspondingly, the minimum mtu is no longer 296 but 576.
38 - fixed a potential (unverified) buffer overrun on rsa decryption.
39 - new per-node low-power setting that tries to reduce cpu/network usage.
40 - router reconnects could cause excessive rekeying on other connections.
41 - gvpectrl no longer generates all missing public keys, but
42 only missing private keys. private keys are also put
43 into the configured location.
44 - the pid-file now accepts %s as nodename as elsewhere.
45 - switch to counter mode (only aes supported at the moment in
46 openssl). this gets rid of the need to generate a random iv,
47 is likely more secure (and, as a side effect, gets rid of
48 slow randomness generation. counter mode is often faster
49 then cbc mode as well, and packets are smaller).
50 - no longer use RAND_bytes to generate session keys - you NEED
51 a real source of entropy now (e.g. egd or /dev/random - see the
52 openssl documentation).
53 - multiple node statements for the same node are now supported
54 and will be merged.
55 - a new directive "global" switches back to the global section
56 of the config file.
57 - if-up scripts can now be specified with absolute paths.
58 - new global option: serial, to detect configuration mismatches.
59 - use HKDF as authentication proof, not HMAC or a plain hash
60 (hint by Ilmari Karonen).
61 - during rekeying or connection establishments, hmac authentication
62 errors could occur and reset the connection. Transient hmac
63 authentication errors are now being ignored for 3 seconds.
64 - log the reason for a conneciton loss.
65 - use a (hopefully) constant time memcmp to compare internal secrets.
66 - fix a (harmless) errornous out of bounds stack read that would trigger
67 gcc's -fsanitize=address.
68 - bump old packet window size from 512 to 65536.
69 - update for big changes in openssl 1.1 API, wrap primitives
70 to make further changes easier.
71 - correctly check return values for openssl 1.0.0 and later.
72 - check for both public and private key file when deciding whether
73 to skip generating a key to avoid accidental overwrites.
74
752.25 Sat Jul 13 06:42:33 CEST 2013
10 - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other 76 - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other
11 protocols are enabled - this is necessary when you have nodes with 77 protocols are enabled - this is necessary when you have nodes with
12 completely unknown protocols, to force mediated connection requests. 78 completely unknown protocols, to force mediated connection requests.
13 - INCOMPATIBLE CHANGE: dns transport protocol bumped to version 2. 79 - INCOMPATIBLE CHANGE: dns transport protocol bumped to version 2.
80 - core protocol version 0.1, compatible with older releases.
81 - switch to using RSA_generate_key_ex, which is the badly documented
82 and needlessly more complicated replacement for the RSA_generate_key
83 function which is now deprecated.
84 - support additional hmac hashes: sha256 and sha512, usually truncated.
85 - change public exponent for rsa keys from 65535 to 65537, for
86 efficiency reasons - only affects new keys.
14 - nodes would sometimes declare transport endpoints valid despite 87 - nodes would sometimes declare transport endpoints valid despite
15 the protocol not being configured locally. 88 the protocol not being configured locally.
16 - new global configuration options: chroot, chuser, chuid, chgid, 89 - new global configuration options: chroot, chuser, chuid, chgid,
17 to chroot to a specified or anonymous new root, and change user id. 90 to chroot to a specified or anonymous new root, and change user id.
91 - new global configuration options seed_device and seed_interval,
92 to configure another device than /dev/urandom for random seeds,
93 and to configure a regular interval to reseed the rng.
94 - prefer inet_aton over gethostbyname, as the latter is not guaranteed
95 to "resolve" literal ip addresses.
18 - configure didn't detect openssl 1.0 because SHA1_version became private 96 - configure didn't detect openssl 1.0 because SHA1_version became private
19 (patch by TANIGUCHI Takaki). 97 (patch by TANIGUCHI Takaki).
20 - core protocol version 0.1, compatible with older releases.
21 - fix a bug where nodes would tell the other side that it supports 98 - fix a bug where nodes would tell the other side that it supports
22 the same protocols as that other side, instead of its own. 99 the same protocols as that other side, instead of its own.
23 - add zlib when found, as openssl depends on it in newer versions. 100 - add zlib when found, as openssl depends on it in newer versions.
24 - work around append-bugs in uclibc by using an extra seek. 101 - work around append-bugs in uclibc by using an extra seek.
25 - new "include" directive for the config file. 102 - new "include" directive for the config file.
26 - gvpectrl no longer evaluates any "on" directives. 103 - gvpectrl no longer evaluates any "on" directives.
27 - icmp and rawip protocols weren't upgradable to each other. 104 - icmp and rawip protocols weren't upgradable to each other.
28 - major, but incremental, dns transport improvements: 105 - major, but incremental, dns transport improvements:
29 - do not simply abort in some error cases in the dns transport, 106 - do not simply abort in some error cases in the dns transport,
30 but try to recover. 107 but try to recover.
31 - allow lowercase/uppercase alises for base-n encodings that do 108 - allow lowercase/uppercase aliases for base-n encodings that do
32 not rely on case. 109 not rely on case.
33 - use base26 instead of base22 encoding for dns syn's, and 110 - use base26 instead of base22 encoding for dns syn's, and
34 base36 instead of base22 for headers (saves one byte/packet). 111 base36 instead of base22 for headers (saves one byte/packet).
35 - back off far quicker in dns tunnel when idling - increases 112 - back off far quicker in dns tunnel when idling - increases
36 latency on an idle link somewhat, but avoids hundreds of 113 latency on an idle link somewhat, but avoids hundreds of
39 second as opposed to once per 5 seconds). 116 second as opposed to once per 5 seconds).
40 - reduce dns send payload size to allow greater rate of ack 117 - reduce dns send payload size to allow greater rate of ack
41 messages (should help sack and ipv6). 118 messages (should help sack and ipv6).
42 - allow for ip options in rawip/icmp transports, even though gvpe 119 - allow for ip options in rawip/icmp transports, even though gvpe
43 doesn't generate them. 120 doesn't generate them.
121 - upgrade to autoconf 2.69, automake 1.11.
44 - upgrade to libev 4 API. 122 - upgrade to libev 4 API.
123 - replace COPYING file by actual GPLv3 - files were relicensed to GPLv3
124 earlier but COPYING was forgotten.
45 125
462.24 Sat Feb 12 05:15:48 CET 2011 1262.24 Sat Feb 12 05:15:48 CET 2011
47 - protocol version 0.1, compatible with older releases. 127 - protocol version 0.1, compatible with older releases.
48 - due to a bug, when packets were lost, a connection could go into a 128 - due to a bug, when packets were lost, a connection could go into a
49 state where a ping/connection request from another node would be 129 state where a ping/connection request from another node would be

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines