| … | |
… | |
| 17 | req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1 |
17 | req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1 |
| 18 | res hmac0(rsa-contents ecdh2) |
18 | res hmac0(rsa-contents ecdh2) |
| 19 | hmac_key = hkdf(hkdf-salt, hmac | ecdh) |
19 | hmac_key = hkdf(hkdf-salt, hmac | ecdh) |
| 20 | aes_key = hkdf(hkdf-salt, aes | ecdh) |
20 | aes_key = hkdf(hkdf-salt, aes | ecdh) |
| 21 | |
21 | |
|
|
22 | TODO: very much larger intiial seed |
|
|
23 | TODO: don't use RAND_pseudo_bytes :/ |
| 22 | - INCOMPATIBLE CHANGE: core protocol version 1.0. |
24 | - INCOMPATIBLE CHANGE: core protocol version 1.0. |
| 23 | - while individual packets couldn't be replayed, a whole session |
25 | - while individual packets couldn't be replayed, a whole session |
| 24 | could be replayed - this has been fixed by an extra key exchange. |
26 | could be replayed - this has been fixed by an extra key exchange. |
| 25 | - in addition to rsa key exchange and authentication, the handshake now |
27 | - in addition to rsa key exchange and authentication, the handshake now |
| 26 | adds a diffie-hellman key exchange (using curve25119) for perfect |
28 | adds a diffie-hellman key exchange (using curve25119) for perfect |
| 27 | forward secrecy. mac and cipher keys are derived using HKDF. |
29 | forward secrecy. mac and cipher keys are derived using HKDF. |
| 28 | - rsa key sizes are now configurable and larger (default is 3072). |
30 | - rsa key sizes are now configurable and larger (default is 3072). |
| 29 | correspondingly, the minimum mtu is no longer 296 but 576. |
31 | correspondingly, the minimum mtu is no longer 296 but 576. |
| 30 | - fixed a potential (unverified) buffer overrun on rsa decryption. |
32 | - fixed a potential (unverified) buffer overrun on rsa decryption. |
| 31 | - RAND_bytes was used when generating session keys, potentially |
|
|
| 32 | leading to temporary freezes when entropy was low. |
|
|
| 33 | - gvpectrl no longer generates all missing public keys, but |
33 | - gvpectrl no longer generates all missing public keys, but |
| 34 | only missing private keys. private keys are also put |
34 | only missing private keys. private keys are also put |
| 35 | into the configured location. |
35 | into the configured location. |
| 36 | - the pid-file now accepts %s as nodename as elsewhere. |
36 | - the pid-file now accepts %s as nodename as elsewhere. |
|
|
37 | - no longer use RAND_bytes to generate session keys - you NEED |
|
|
38 | a real source of entropy now (e.g. egd or /dev/random - see the |
|
|
39 | openssl documentation). |
| 37 | |
40 | |
| 38 | 2.25 Sat Jul 13 06:42:33 CEST 2013 |
41 | 2.25 Sat Jul 13 06:42:33 CEST 2013 |
| 39 | - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other |
42 | - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other |
| 40 | protocols are enabled - this is necessary when you have nodes with |
43 | protocols are enabled - this is necessary when you have nodes with |
| 41 | completely unknown protocols, to force mediated connection requests. |
44 | completely unknown protocols, to force mediated connection requests. |
