X-Git-Url: http://www.git.cypherpunks.ru/?p=govpn.git;a=blobdiff_plain;f=doc%2Fnews.texi;h=10a2aab6d134519e72530c49d4fb0f33d7dff6e0;hp=f8b597b3b2b7a47ed5ada67088aaaa5427bd53df;hb=0bf04621961589bc735dc8bd8a075d7db24c4178;hpb=aa800c9e50233ac39cf8c3eae3c84c0e8e9fdb80 diff --git a/doc/news.texi b/doc/news.texi index f8b597b..10a2aab 100644 --- a/doc/news.texi +++ b/doc/news.texi @@ -1,19 +1,150 @@ @node News @unnumbered News -@table @strong +See also this page @ref{Новости, on russian}. -@item Release 4.0 -@itemize @bullet -@item Handshake messages can be noised. Now they are indistinguishable -from transport ones and from the noise. -@item Parallelization of clients processing on the server side. -@item Much higher overall performance of handshake and transport -protocols. +@node Release 7.0 +@section Release 7.0 +@itemize +@item (X)Salsa20 is replaced with ChaCha20. Theoretically it should be +faster and more secure. @end itemize -@item Release 3.5 -@itemize @bullet +@node Release 6.0 +@section Release 6.0 +@itemize +@item Argon2d is replaced with Balloon hashing. Found Argon2 libraries +written on pure Go have various problems. Moreover Argon2i should be +used instead, but it has some possible +@url{http://eprint.iacr.org/2016/027, cryptographic defects}. So it is +replaced with much more simpler (and seems even cryptographically +better) @url{https://crypto.stanford.edu/balloon/, Balloon hashing}. +@end itemize + +@node Release 5.10 +@section Release 5.10 +@itemize +@item @option{-version} option added, printing program version. +@end itemize + +@node Release 5.9 +@section Release 5.9 +@itemize +@item Client reconnects in the loop when connection is lost. Optionally +you can disable that behaviour: client will exit immediately, as it +previously did. +@end itemize + +@node Release 5.8 +@section Release 5.8 +@itemize +@item Optional ability to use syslog for logging, with +@url{https://tools.ietf.org/html/rfc5424, RFC 5424}-like +structured records. +@item XTEA algorithm is not used anymore for nonce obfuscation, but +BLAKE2b-MAC instead. Encryptionless mode now really does not depend on +encryption functions. +@end itemize + +@node Release 5.7 +@section Release 5.7 +@itemize +@item TAP interface name and remote peer's address are passed to up- and +down- scripts through environment variables. +@item Update Argon2 library to use version 1.3 of the algorithm. +@end itemize + +@node Release 5.6 +@section Release 5.6 +@itemize +@item Added up/down example script for replacing default route (thanks +to Zhuoyun Wei). +@item Fixed documentation bug: @file{.info} was not installing. +@end itemize + +@node Release 5.5 +@section Release 5.5 +@itemize +@item Ability to work on 32-bit platforms. @emph{sync/atomic} library +has some specific issues that caused panics on previous versions. +@end itemize + +@node Release 5.4 +@section Release 5.4 +@itemize +@item Added optional @ref{Timesync, time synchronization} requirement. +It will add timestamps in handshake PRP authentication, disallowing to +repeat captured packet and get reply from the server, making it visible +to DPI. +@end itemize + +@node Release 5.3 +@section Release 5.3 +@itemize +@item Fixed minor bug with @command{newclient.sh} that caught +"Passphrase:" prompt and inserted it into example YAML output. +Just replaced stdout output to stderr for that prompt. +@end itemize + +@node Release 5.2 +@section Release 5.2 +@itemize +@item Ability to read passphrases directly from the terminal (user's +input) without using of keyfiles. @command{storekey.sh} utility removed. +@end itemize + +@node Release 5.1 +@section Release 5.1 +@itemize +@item Server is configured using @url{http://yaml.org/, YAML} file. It +is very convenient to have comments and templates, comparing to JSON. +@item Incompatible with previous versions replacement of @emph{HSalsa20} +with @emph{BLAKE2b} in handshake code. +@end itemize + +@node Release 5.0 +@section Release 5.0 +@itemize +@item New optional @ref{Encless, encryptionless mode} of operation. +Technically no encryption functions are applied for outgoing packets, so +you can not be forced to reveal your encryption keys or sued for +encryption usage. +@item @ref{MTU}s are configured on per-user basis. +@item Simplified payload padding scheme, saving one byte of data. +@item Ability to specify TAP interface name explicitly without any +up-scripts for convenience. +@item @command{govpn-verifier} utility also can use @ref{EGD}. +@end itemize + +@node Release 4.2 +@section Release 4.2 +@itemize +@item Fixed non-critical bug when server may fail if up-script is not +executed successfully. +@end itemize + +@node Release 4.1 +@section Release 4.1 +@itemize +@item @url{https://password-hashing.net/#argon2, Argon2d} is used instead +of PBKDF2 for password verifier hashing. +@item Client's identity is stored inside the verifier, so it simplifies +server-side configuration and the code. +@end itemize + +@node Release 4.0 +@section Release 4.0 +@itemize +@item Handshake messages can be noised: their messages lengths are +hidden. Now they are indistinguishable from transport messages. +@item Parallelized clients processing on the server side. +@item Much higher overall performance. +@item Single JSON file server configuration. +@end itemize + +@node Release 3.5 +@section Release 3.5 +@itemize @item Ability to use @ref{Network, TCP} network transport. Server can listen on both UDP and TCP sockets. @item Ability to use @ref{Proxy, HTTP proxies} (through CONNECT method) @@ -23,40 +154,40 @@ for accessing the server. Server can also emulate HTTP proxy behaviour. reasons. @end itemize -@item Release 3.4 -@itemize @bullet +@node Release 3.4 +@section Release 3.4 +@itemize @item Ability to use external @ref{EGD}-compatible PRNGs. Now you are -able to use GoVPN even on systems with the bad @code{/dev/random}, +able to use GoVPN even on systems with the bad @file{/dev/random}, providing higher quality entropy from external sources. -@item Removed @code{-noncediff} option. It is replaced with in-memory +@item Removed @option{-noncediff} option. It is replaced with in-memory storage of seen nonces, thus eliminating possible replay attacks at all without performance degradation related to inbound packets reordering. @end itemize -@item Release 3.3 -@itemize @bullet +@node Release 3.3 +@section Release 3.3 +@itemize @item Compatibility with an old GNU Make 3.x. Previously only BSD Make and GNU Make 4.x were supported. -@item /dev/urandom is used for correct client identity generation under -GNU/Linux systems. Previously /dev/random can produce less than required -128-bits of random. -@item Updated user manual examples. +@item @file{/dev/urandom} is used for correct client identity generation +under GNU/Linux systems. Previously @file{/dev/random} can produce less +than required 128-bits of random. @end itemize -@item Release 3.2 -@itemize @bullet -@item -Deterministic building: dependent libraries source code commits are -fixed in our makefiles. -@item -No Internet connection is needed for building the source code: all +@node Release 3.2 +@section Release 3.2 +@itemize +@item Deterministic building: dependent libraries source code commits +are fixed in our makefiles. +@item No Internet connection is needed for building the source code: all required libraries are included in release tarballs. -@item -FreeBSD Make compatibility. GNU Make is not necessary anymore. +@item FreeBSD Make compatibility. GNU Make is not necessary anymore. @end itemize -@item Release 3.1 -@itemize @bullet +@node Release 3.1 +@section Release 3.1 +@itemize @item Diffie-Hellman public keys are encoded with Elligator algorithm when sending over the wire, making them indistinguishable from the random @@ -65,8 +196,9 @@ passwords (that are used to create DSA public keys). But this will consume twice entropy for DH key generation in average. @end itemize -@item Release 3.0 -@itemize @bullet +@node Release 3.0 +@section Release 3.0 +@itemize @item EKE protocol is replaced by Augmented-EKE and static symmetric (both sides have it) pre-shared key replaced with server-side verifier. This @@ -93,78 +225,80 @@ maximal MTU size. Ability to hide underlying packets appearance rate, by generating Constant Packet Rate traffic. This includes noise generation too. @item -Per-peer @code{-timeout}, @code{-noncediff}, @code{-noise} and -@code{-cpr} configuration options for server. +Per-peer @option{-timeout}, @option{-noncediff}, @option{-noise} and +@option{-cpr} configuration options for server. @end itemize -@item Release 2.4 -@itemize @bullet -@item -Added ability to optionally run built-in HTTP-server responding with -JSON of all known connected peers information. Real-time client's +@node Release 2.4 +@section Release 2.4 +@itemize +@item Added ability to optionally run built-in HTTP-server responding +with JSON of all known connected peers information. Real-time client's statistics. - -@item -Documentation is explicitly licenced under GNU FDL 1.3+. +@item Documentation is explicitly licenced under GNU FDL 1.3+. @end itemize -@item Release 2.3 -@itemize @bullet -@item -Handshake packets became indistinguishable from the random. -Now all GoVPN's traffic is the noise for men in the middle. +@node Release 2.3 +@section Release 2.3 +@itemize +@item Handshake packets became indistinguishable from the random. Now +all GoVPN's traffic is the noise for men in the middle. -@item -Handshake messages are smaller (16% traffic reduce). +@item Handshake messages are smaller (16% traffic reduce). -@item -Adversary now can not create malicious fake handshake packets that +@item Adversary now can not create malicious fake handshake packets that will force server to generate private DH key, preventing entropy consuming and resource heavy computations. @end itemize -@item Release 2.2 -@itemize @bullet +@node Release 2.2 +@section Release 2.2 +@itemize @item Fixed several possible channel deadlocks. @end itemize -@item Release 2.1 -@itemize @bullet +@node Release 2.1 +@section Release 2.1 +@itemize @item Fixed Linux-related building. @end itemize -@item Release 2.0 -@itemize @bullet +@node Release 2.0 +@section Release 2.0 +@itemize @item Added clients identification. @item Simultaneous several clients support by server. @item Per-client up/down scripts. @end itemize -@item Release 1.5 -@itemize @bullet +@node Release 1.5 +@section Release 1.5 +@itemize @item Nonce obfuscation/encryption. @end itemize -@item Release 1.4 -@itemize @bullet +@node Release 1.4 +@section Release 1.4 +@itemize @item Performance optimizations. @end itemize -@item Release 1.3 -@itemize @bullet +@node Release 1.3 +@section Release 1.3 +@itemize @item Heartbeat feature. @item Rehandshake feature. -@item up- and down- optinal scripts. +@item up- and down- optional scripts. @end itemize -@item Release 1.1 -@itemize @bullet +@node Release 1.1 +@section Release 1.1 +@itemize @item FreeBSD support. @end itemize -@item Release 1.0 -@itemize @bullet +@node Release 1.0 +@section Release 1.0 +@itemize @item Initial stable release. @end itemize - -@end table