Public bug reported: This is a backwards incompatible release, but better security by default (keys are 3072 bit and configurable now.)
Upstream changelog: 3.0 Thu Nov 10 15:39:58 CET 2016 - INCOMPATIBLE CHANGE: core protocol version 1.0. - INCOMPATIBLE CHANGE: node sections are now introduced with "node nodename", not "node = nodename". - INCOMPATIBLE CHANGE: gvpectrl -g will now generate a single keypair, while -G will try to generate all keypairs as before. - openssl 1.0.2 is the latest supported openssl release, openssl 1.1.0 is not supported at the moment as the work to make it compatible to both versions is just too much. a switch to openssl 1.1 or another library will be done in a future release. - update examples to not generate keys centrally, but locally on each node. - add workaround for temporary/rare ENOBUFS condition. - while individual packets couldn't be replayed, a whole session could be replayed - this has been fixed by an extra key exchange. - fix a delete vs. delete [] mismatch in the central logging function. - in addition to rsa key exchange and authentication, the handshake now adds a diffie-hellman key exchange (using curve25119) for perfect forward secrecy. mac and cipher keys are derived using HKDF. - rsa key sizes are now configurable and larger (default is 3072). correspondingly, the minimum mtu is no longer 296 but 576. - fixed a potential (unverified) buffer overrun on rsa decryption. - new per-node low-power setting that tries to reduce cpu/network usage. - router reconnects could cause excessive rekeying on other connections. - gvpectrl no longer generates all missing public keys, but only missing private keys. private keys are also put into the configured location. - the pid-file now accepts %s as nodename as elsewhere. - switch to counter mode (only aes supported at the moment in openssl). this gets rid of the need to generate a random iv, is likely more secure (and, as a side effect, gets rid of slow randomness generation. counter mode is often faster then cbc mode as well, and packets are smaller). - no longer use RAND_bytes to generate session keys - you NEED a real source of entropy now (e.g. egd or /dev/random - see the openssl documentation). - multiple node statements for the same node are now supported and will be merged. - a new directive "global" switches back to the global section of the config file. - if-up scripts can now be specified with absolute paths. - new global option: serial, to detect configuration mismatches. - use HKDF as authentication proof, not HMAC or a plain hash (hint by Ilmari Karonen). - during rekeying or connection establishments, hmac authentication errors could occur and reset the connection. Transient hmac authentication errors are now being ignored for 3 seconds. - log the reason for a conneciton loss. - use a (hopefully) constant time memcmp to compare internal secrets. - fix a (harmless) errornous out of bounds stack read that would trigger gcc's -fsanitize=address. - bump old packet window size from 512 to 65536. - update for big changes in openssl 1.1 API, wrap primitives to make further changes easier. - correctly check return values for openssl 1.0.0 and later. - check for both public and private key file when deciding whether to skip generating a key to avoid accidental overwrites. ** Affects: gvpe (Ubuntu) Importance: Undecided Status: New ** Attachment added: "gvpe_minimal.debdiff" https://bugs.launchpad.net/bugs/1658268/+attachment/4806981/+files/gvpe_minimal.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1658268 Title: Please update to 3.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gvpe/+bug/1658268/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs