From 844dfe986db35675c0639823decdee0b3dbbf55b Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Sun, 30 Oct 2016 14:18:39 +0100
Subject: [PATCH] Releasing 1.0.30.

---
 NEWS               |  8 ++++++++
 README             | 23 ++++++++++++++---------
 configure.ac       |  2 +-
 doc/tinc.conf.5.in |  2 +-
 src/connection.c   |  2 +-
 src/connection.h   |  2 +-
 src/meta.c         |  2 +-
 src/proxy.c        |  2 +-
 8 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/NEWS b/NEWS
index 73a4a622..5c547d13 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Version 1.0.30               October 30 2016
+
+ * Fix troubles connecting to some HTTP proxies.
+
+ * Add mitigations for the Sweet32 attack when using a 64-bit block cipher.
+
+ * Use AES256 and SHA256 as the default encryption and digest algorithms.
+
 Version 1.0.29               October 9 2016
 
  * Fix UDP communication with peers with link-local IPv6 addresses.
diff --git a/README b/README
index e0e5817f..b86063c1 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-This is the README file for tinc version 1.0.29. Installation
+This is the README file for tinc version 1.0.30. Installation
 instructions may be found in the INSTALL file.
 
 tinc is Copyright (C) 1998-2016 by:
@@ -39,6 +39,8 @@ practice and that the default length of the HMAC for packets is too short in
 his opinion. We do not know of a way to exploit these weaknesses, but these
 issues are being addressed in the tinc 1.1 branch.
 
+The Sweet32 attack affects versions of tinc prior to 1.0.30.
+
 Cryptography is a hard thing to get right. We cannot make any
 guarantees. Time, review and feedback are the only things that can
 prove the security of any cryptographic product. If you wish to review
@@ -52,22 +54,25 @@ Some configuration variables have different names now. Most notably "TapDevice"
 should be changed into "Device", and "Device" should be changed into
 "BindToDevice".
 
+
 Compatibility
 -------------
 
-Version 1.0.29 is compatible with 1.0pre8, 1.0 and later, but not with older
-versions of tinc.
+Version 1.0.30 is compatible with 1.0pre8, 1.0 and later, but not with older
+versions of tinc. Note that since version 1.0.30, tinc requires all nodes in
+the VPN to be compiled with a version of LibreSSL or OpenSSL that supports the
+AES256 and SHA256 algorithms.
 
 
 Requirements
 ------------
 
-Since 1.0pre3, we use OpenSSL for all cryptographic functions.  So you
-need to install this library first; grab it from
-http://www.openssl.org/.  You will need version 0.9.7 or later.  If
-this library is not installed on you system, configure will fail.  The
-manual in doc/tinc.texi contains more detailed information on how to
-install this library.
+Since 1.0pre3, we use OpenSSL for all cryptographic functions.  So you need to
+install this library first; grab it from http://www.openssl.org/. You will
+need version 1.0.1 or later with support for AES256 and SHA256 enabled. If
+this library is not installed on you system, configure will fail. The manual
+in doc/tinc.texi contains more detailed information on how to install this
+library. Alternatively, you may also use LibreSSL.
 
 Since 1.0pre6, the zlib library is used for optional compression. You can
 find it at http://www.gzip.org/zlib/. Because of a possible exploit in
diff --git a/configure.ac b/configure.ac
index 3ec50683..0f31b01c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.61)
-AC_INIT([tinc], [1.0.29])
+AC_INIT([tinc], [1.0.30])
 AC_CONFIG_SRCDIR([src/tincd.c])
 AM_INIT_AUTOMAKE([1.11 check-news std-options subdir-objects nostdinc silent-rules -Wall])
 AC_CONFIG_HEADERS([config.h])
diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in
index b0d6c776..40ea1cc7 100644
--- a/doc/tinc.conf.5.in
+++ b/doc/tinc.conf.5.in
@@ -1,4 +1,4 @@
-.Dd 2016-04-10
+.Dd 2016-10-29
 .Dt TINC.CONF 5
 .\" Manual page created by:
 .\" Ivo Timmermans
diff --git a/src/connection.c b/src/connection.c
index 8966d65d..d27e6fd3 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1,6 +1,6 @@
 /*
     connection.c -- connection list management
-    Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
                   2000-2005 Ivo Timmermans
                   2008      Max Rijevski <maksuf@gmail.com>
 
diff --git a/src/connection.h b/src/connection.h
index 0922fbea..099d9d3b 100644
--- a/src/connection.h
+++ b/src/connection.h
@@ -1,6 +1,6 @@
 /*
     connection.h -- header for connection.c
-    Copyright (C) 2000-2012 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
                   2000-2005 Ivo Timmermans
 
     This program is free software; you can redistribute it and/or modify
diff --git a/src/meta.c b/src/meta.c
index 63f565fe..09c063d3 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -1,6 +1,6 @@
 /*
     meta.c -- handle the meta communication
-    Copyright (C) 2000-2015 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2000-2016 Guus Sliepen <guus@tinc-vpn.org>,
                   2000-2005 Ivo Timmermans
                   2006      Scott Lamb <slamb@slamb.org>
 
diff --git a/src/proxy.c b/src/proxy.c
index 32cb7973..52682721 100644
--- a/src/proxy.c
+++ b/src/proxy.c
@@ -1,6 +1,6 @@
 /*
     proxy.c -- Proxy handling functions.
-    Copyright (C) 2015 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2015-2016 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
-- 
2.20.1