--- gvpe/NEWS 2005/07/07 14:41:51 1.62 +++ gvpe/NEWS 2013/10/11 04:07:24 1.119 @@ -1,19 +1,200 @@ -TODO: enable bridging (compile-time option? ignore fragmentation?) -TODO: explore DTLS +GVPE NEWS -2.0 +TODO: bridge mode, finally? +TODO: gcm mode? +TODO: replace ripemd160 as the only authentication hash. +TODO: increase rsa size. +TODO: replace transport bits by transport endpoint structs? +TODO: ecdh to avoid session replay attacks +TODO: http://incog-izick.blogspot.de/2011/08/using-openssl-aes-gcm.html +TODO: http://stackoverflow.com/questions/12153009/openssl-c-example-of-aes-gcm-using-evp-interfaces + +proposed: 3 types, req, resreq, res + +req (hmac1) rsa(seqno1 hmac1 aes1 seqno2 hmac2 aes2 auth) ecdh1 +res (hmac1) hash(rsa-contents) ecdh2 + +req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1 +res hmac0(rsa-contents ecdh2) + hmac_key = hkdf(hkdf-salt, hmac | ecdh) + aes_key = hkdf(hkdf-salt, aes | ecdh) + +TODO: protocol magic fixen(!!!) +TODO: "global" +TODO: verify +TODO: make sense of overhead calculation +TODO: if-up &c should not be scripts? + - INCOMPATIBLE CHANGE: core protocol version 1.0. + - INCOMPATIBLE CHANGE: node sextions are now introduced + with "node nodename", not "node = nodename". + - while individual packets couldn't be replayed, a whole session + could be replayed - this has been fixed by an extra key exchange. + - in addition to rsa key exchange and authentication, the handshake now + adds a diffie-hellman key exchange (using curve25119) for perfect + forward secrecy. mac and cipher keys are derived using HKDF. + - rsa key sizes are now configurable and larger (default is 3072). + correspondingly, the minimum mtu is no longer 296 but 576. + - fixed a potential (unverified) buffer overrun on rsa decryption. + - router reconnects could cause excessive rekeying on other connections. + - gvpectrl no longer generates all missing public keys, but + only missing private keys. private keys are also put + into the configured location. + - the pid-file now accepts %s as nodename as elsewhere. + - no longer use RAND_bytes to generate session keys - you NEED + a real source of entropy now (e.g. egd or /dev/random - see the + openssl documentation). + - multiple node statements for the same node are now supported + and will be merged. + - a new directive "global" switches back to the global section + of the config file. + - 12 random prefix bytes are now properly supported, leading to + a fully random IV. + - use aes with a random key in counter-mode to generate IVs, + for speed reasons (generating 12 random bytes with openssl can + take longer than encrypting and mac'ing a 1.5kb packet, and IVs + do not need to be cryptographically strong random numbers + (and in fact, shouldn't be)). + - if-up scripts can now be specified with absolute paths. + - new global option: serial, to detect configuration mismatches. + - use HKDF as authentication proof, not HMAC or a plain hash + (hint by Ilmari Karonen). + - during rekeying or conenction establishments, hmac authentication + errors could occur and reset the connection. Transient hmac + authentication errors are now being ignored for 3 seconds. + - log the reason for a conneciton loss. + +2.25 Sat Jul 13 06:42:33 CEST 2013 + - INCOMPATIBLE CHANGE: no longer enable udp protocol if no other + protocols are enabled - this is necessary when you have nodes with + completely unknown protocols, to force mediated connection requests. + - INCOMPATIBLE CHANGE: dns transport protocol bumped to version 2. + - core protocol version 0.1, compatible with older releases. + - switch to using RSA_generate_key_ex, which is the badly documented + and needlessly more complicated replacement for the RSA_generate_key + function which is now deprecated. + - support additional hmac hashes: sha256 and sha512, usually truncated. + - change public exponent for rsa keys from 65535 to 65537, for + efficiency reasons - only affects new keys. + - nodes would sometimes declare transport endpoints valid despite + the protocol not being configured locally. + - new global configuration options: chroot, chuser, chuid, chgid, + to chroot to a specified or anonymous new root, and change user id. + - new global configuration options seed_device and seed_interval, + to configure another device than /dev/urandom for random seeds, + and to configure a regular interval to reseed the rng. + - prefer inet_aton over gethostbyname, as the latter is not guaranteed + to "resolve" literal ip addresses. + - configure didn't detect openssl 1.0 because SHA1_version became private + (patch by TANIGUCHI Takaki). + - fix a bug where nodes would tell the other side that it supports + the same protocols as that other side, instead of its own. + - add zlib when found, as openssl depends on it in newer versions. + - work around append-bugs in uclibc by using an extra seek. + - new "include" directive for the config file. + - gvpectrl no longer evaluates any "on" directives. + - icmp and rawip protocols weren't upgradable to each other. + - major, but incremental, dns transport improvements: + - do not simply abort in some error cases in the dns transport, + but try to recover. + - allow lowercase/uppercase aliases for base-n encodings that do + not rely on case. + - use base26 instead of base22 encoding for dns syn's, and + base36 instead of base22 for headers (saves one byte/packet). + - back off far quicker in dns tunnel when idling - increases + latency on an idle link somewhat, but avoids hundreds of + needless packets. + - poll more aggressively when idling in dns (poll once per + second as opposed to once per 5 seconds). + - reduce dns send payload size to allow greater rate of ack + messages (should help sack and ipv6). + - allow for ip options in rawip/icmp transports, even though gvpe + doesn't generate them. + - upgrade to autoconf 2.69, automake 1.11. + - upgrade to libev 4 API. + - replace COPYING file by actual GPLv3 - files were relicensed to GPLv3 + earlier but COPYING was forgotten. + +2.24 Sat Feb 12 05:15:48 CET 2011 - protocol version 0.1, compatible with older releases. + - due to a bug, when packets were lost, a connection could go into a + state where a ping/connection request from another node would be + ignored, leading to connections not being re-established. + - due to a bug, compression was almost always enabled. + - enable-max-mtu was actually enable-mtu, contrary to documentation. + - add nfmark support. + - add node-change script support. + - new DESTSI variable for node-xxx scripts. + - updated codingstyle a bit, declared truly static stuff as static. + - clarify compression docs. + +2.22 Sun Feb 1 17:25:28 CET 2009 + - protocol version 0.1, compatible with older releases. + - enabled icmp/tcp/http-proxy protocols by default. + - updated copyright in program greetings. + - fix some configure messages. + - updated to libev 3.52. + +2.21 Wed Sep 3 06:56:27 CEST 2008 + - protocol version 0.1, compatible with older releases. + - add missing ev++.h include header to tarball, which everybody + who tested it apparently had in their include path :(. Caught + by Karl Kleinpaste and Marcus Kong. + +2.2 Mon Sep 1 06:28:09 CEST 2008 + - protocol version 0.1, compatible with older releases. + but upgrade is recommended to due changed ondemand behaviour. + - new per-node options max-ttl and max-queue. + - convert from iom.C to libev, a high-performance event loop + (http://software.schmorp.de/pkg/libev). + - tcp connections were leaking in some cases. + - retry more aggressively (once/s) to establish a connection if + new packets arrive for it. + - save a lot of setsockopt calls when the tos doesn't change. + - honor disabled even on initial connect attempt. + - changed callback mechanism to be slightly less portable + but more efficient mechanism (standards-compliant c++ compilers + should work). + - increased receive window positive size, to allow for massive + packet loss due to occasional longer drop-outs. + - send RST when a positive window size violation is detected, but + not in other cases, to reconnect more quickly. + - upgraded liblzf to version 3.4. + - dropped -fno-exceptions due to ev++.h using it. + - node-up/down scripts are now run in sequence. + - new -q switch for gvpectrl, for when you run it often. + - work around the horribly inconsistent, ad-hoc, ever-changing + and broken texinfo syntax. YMMV. avoid texinfo. + - keepalive is more aggressive now, sensding ping's every 3 seconds + and killing the conenction after 15 seconds. + - bugfixes. + +2.01 Thu Mar 29 19:26:04 CEST 2007 + - protocol version 0.1, compatible with older releases. + - bugfix of callback.h, might have cause callback return values to + be corrupted on architectures like sparc before. + - dns transport retries more aggressively. + - updated documentation, improved dns transport reliability + and throughput. + - added experimental support for sha256 and sha512 digests. + +2.0 Mon Dec 5 13:59:26 CET 2005 + - protocol version 0.1, compatible with older releases. + - implement allow-direct, deny-direct node config statements. - implemented != for sockinfo. This fixes a bug where gvpe sent packets to the old ip address of another host even though it had received packets from it's new address. This only causes problems if you forget to -HUP your gvpe after your ip address changed, which is *required*. - - tighter limit for the maximum sequence # to avoid overflow - conditions + allow more headroom for packet reordering. + - sets close-on-exec flag on tcp connections. This fixes a bug + where child processes kept tcp connections open and caused + connections to fail when only one side can connect. - fixed a bug in receive sequence checking that made gvpe accept out-of-window packets in most cases. - - replace some asserts that trapped config msimatches by + - tighter limit for the maximum sequence # to avoid overflow + conditions + allow more headroom for packet reordering. + - replace some asserts that trapped config mismatches by more useful log messages. + - fix spurious extra newline in some log messages. 1.9 Tue Apr 19 06:21:50 CEST 2005 - protocol version 0.1, compatible with older releases.