…
req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1
res hmac0(rsa-contents ecdh2)
hmac_key = hkdf(hkdf-salt, hmac | ecdh)
aes_key  = hkdf(hkdf-salt, aes  | ecdh)

TODO: very much larger initial seed
TODO: don't use RAND_pseudo_bytes :/
- INCOMPATIBLE CHANGE: core protocol version 1.0.
- while individual packets couldn't be replayed, a whole session
  could be replayed - this has been fixed by an extra key exchange.
- in addition to rsa key exchange and authentication, the handshake now
  adds a diffie-hellman key exchange (using curve25519) for perfect
  forward secrecy. mac and cipher keys are derived using HKDF.
- rsa key sizes are now configurable and larger (default is 3072).
  correspondingly, the minimum mtu is no longer 296 but 576.
- fixed a potential (unverified) buffer overrun on rsa decryption.
- RAND_bytes was used when generating session keys, potentially
  leading to temporary freezes when entropy was low.
- gvpectrl no longer generates all missing public keys, but
  only missing private keys. private keys are also put
  into the configured location.
- the pid-file now accepts %s as nodename as elsewhere.
- no longer use RAND_bytes to generate session keys - you NEED
  a real source of entropy now (e.g. egd or /dev/random - see the
  openssl documentation).
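Worked example of the handshake sketched at the top of this section (req/res with hkdf-salt, ecdh1/ecdh2, and the two hkdf lines) and of the "extra key exchange" and "HKDF" entries in the 3.0 list. This is an illustration written for this page, not gvpe's own code, and it assumes things the page does not state: HKDF-SHA256 (RFC 5869) with an empty info string and 32-byte outputs; HMAC-SHA256 for the hmac0(...) wrapper, covering hkdf-salt and ecdh1 in the request and rsa-contents and ecdh2 in the response; the rsa(...) blob modelled as a dict that only the responder reads, since the RSA layer is out of scope; illustrative field sizes; and a plain RFC 7748 X25519 ladder in Python that is not constant-time. Session secrets come from os.urandom, i.e. the OS CSPRNG, which is the "real source of entropy" the last entry asks for.

```python
"""Sketch of the 3.0 handshake and key schedule (added example, not gvpe code)."""
import hashlib
import hmac
import os

P = 2**255 - 19                      # X25519 per RFC 7748; plain Python, not constant-time
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: scalar k times the point with u-coordinate u."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf(salt: bytes, ikm: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), empty info; hash and output size are assumptions."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def mac(key: bytes, *parts: bytes) -> bytes:
    """hmac0(...) in the sketch: HMAC-SHA256 over the concatenated fields."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def derive_keys(secrets: dict, hkdf_salt: bytes, ecdh: bytes) -> dict:
    """hmac_key = hkdf(hkdf-salt, hmac | ecdh);  aes_key = hkdf(hkdf-salt, aes | ecdh)."""
    return {"hmac_key": hkdf(hkdf_salt, secrets["hmac"] + ecdh),
            "aes_key": hkdf(hkdf_salt, secrets["aes"] + ecdh)}

def initiator_request() -> tuple:
    """req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1.
    The rsa(...) blob is modelled as a dict only the responder reads (the RSA
    layer is out of scope here); field sizes are illustrative."""
    secrets = {n: os.urandom(32) for n in ("seqno", "hmac0", "hmac", "aes", "auth")}
    ecdh1_priv = os.urandom(32)                       # fresh per session: source of forward secrecy
    req = {"rsa": secrets, "hkdf_salt": os.urandom(32),
           "ecdh1": x25519(ecdh1_priv, BASEPOINT)}
    req["mac"] = mac(secrets["hmac0"], req["hkdf_salt"], req["ecdh1"])
    return req, ecdh1_priv

def responder_reply(req: dict) -> tuple:
    """res hmac0(rsa-contents ecdh2); returns the response and the responder's session keys."""
    secrets = req["rsa"]                              # stands in for RSA decryption
    if not hmac.compare_digest(req["mac"], mac(secrets["hmac0"], req["hkdf_salt"], req["ecdh1"])):
        raise ValueError("request MAC check failed")
    ecdh2_priv = os.urandom(32)                       # fresh even if the request is a replay
    ecdh2 = x25519(ecdh2_priv, BASEPOINT)
    rsa_contents = b"".join(secrets[n] for n in ("seqno", "hmac0", "hmac", "aes", "auth"))
    res = {"rsa_contents": rsa_contents, "ecdh2": ecdh2,
           "mac": mac(secrets["hmac0"], rsa_contents, ecdh2)}
    return res, derive_keys(secrets, req["hkdf_salt"], x25519(ecdh2_priv, req["ecdh1"]))

def initiator_finish(req: dict, ecdh1_priv: bytes, res: dict) -> dict:
    """Verify hmac0 over the response, then derive the same keys as the responder."""
    secrets = req["rsa"]
    if not hmac.compare_digest(res["mac"], mac(secrets["hmac0"], res["rsa_contents"], res["ecdh2"])):
        raise ValueError("response MAC check failed")
    return derive_keys(secrets, req["hkdf_salt"], x25519(ecdh1_priv, res["ecdh2"]))

def run_handshake() -> tuple:
    """One honest session, then the captured request replayed verbatim to the responder."""
    req, ecdh1_priv = initiator_request()
    res, responder_keys = responder_reply(req)
    initiator_keys = initiator_finish(req, ecdh1_priv, res)
    _, replayed_keys = responder_reply(req)           # same rsa blob and salt, but a new ecdh2
    return initiator_keys, responder_keys, replayed_keys

if __name__ == "__main__":
    ours, theirs, replay = run_handshake()
    print("peers agree:", ours == theirs, "| replayed session gets same keys:", replay == theirs)
```

The point of the replay in run_handshake: without the ecdh contribution, hmac_key and aes_key depend only on the RSA-transported secrets and the salt, so an attacker who resends a captured request and response gets a session under the very same keys. With ecdh2 chosen fresh by the responder and mixed into the HKDF input, the replayed session derives different keys, and because hmac0 covers ecdh1 and ecdh2, neither value can be swapped in transit; compromise of the RSA key later does not expose ecdh1_priv or ecdh2_priv, which is the forward-secrecy claim in the entry above.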

2.25 Sat Jul 13 06:42:33 CEST 2013
- INCOMPATIBLE CHANGE: no longer enable udp protocol if no other
  protocols are enabled - this is necessary when you have nodes with
  completely unknown protocols, to force mediated connection requests.