GnuTLS NEWS -- History of user-visible changes.                -*- outline -*-

Bug numbers referenced in this log correspond to bug numbers at our issue
tracker, available at https://gitlab.com/gnutls/gnutls/issues

Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
See the end for copying conditions.

* Version 3.5.19 (released 2018-07-16)

** libgnutls: Backported PKCS#11 module initialization improvements from the
   master branch.

** libgnutls: Corrected an infinite loop when an incorrect PIN was provided via
   pin-value or pin-source.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal
   Ronen and Adi Shamir reported that the existing counter-measures had certain
   issues and were insufficient when the attacker additionally has access to the
   CPU cache and performs a chosen-plaintext attack. This affected the legacy
   CBC ciphersuites. [CVSS: medium]

** The CBC ciphersuites using HMAC-SHA384 and HMAC-SHA256 have been removed from
   the default priority strings. They are not necessary for compatibility or any
   other purpose and provide no advantage over their SHA1 counterparts, as they
   all depend on the legacy TLS CBC block mode.

** API and ABI modifications:
No changes since last version.

* Version 3.5.18 (released 2018-02-16)

** libgnutls: Addressed an issue in the accelerated code which may affect
   interoperability with nettle versions > 3.4.

** libgnutls: Addressed an issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed an issue in the AES-CBC acceleration under ssse3
   (patch by Vitezslav Cizek).

** p11tool: Fixed an issue preventing the deletion of objects in batch mode.

** API and ABI modifications:
No changes since last version.

* Version 3.5.17 (released 2018-01-17)

** libgnutls: Addressed the loading of all PKCS#11 modules on startup on systems
   with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules first;
   the remaining modules are loaded lazily on the first pure PKCS#11 request.

** libgnutls: Improved getrandom() detection in newer glibc versions.

** libgnutls: When verifying against a self-signed certificate, ignore the
   issuer when checking the strength of the issuer's parameters. Resolves
   issue #347, which caused self-signed certificates to additionally be marked
   as of insufficient security level.

** libgnutls: Corrected the MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed padding overhead (1
   byte), while counting the rest of the padding as part of the data MTU.
   Resolves issue #360.

** API and ABI modifications:
No changes since last version.

* Version 3.5.16 (released 2017-10-21)

** libgnutls: Fixed an issue which caused 1-byte handshake fragments to be
   refused. Reported by Balázs Kéri.

** libgnutls: Refuse to resume a session which advertised a different SNI.
   That improves RFC6066 support on the server side. Reported by Thomas Klute.

** libgnutls: Fixed an interoperability issue with openssl when safe
   renegotiation was used. Resolves gitlab issue #259.

** libgnutls: When selecting a client-side signature algorithm, prefer the
   signature schemes in the enabled list. (Since 3.5.5 client certificates can
   be used even if they contain algorithms disallowed for the session, to allow
   old client certificates, e.g. DSA-SHA1, to be used without enabling DSA for
   the server certificate.)

** p11tool: The options --set-pin and --set-so-pin can be used with all
   operations, not only with --initialize.

** p11tool: Mark all generated objects as sensitive by default.

** certtool: Enable certificate fingerprint generation with sha512 (#295).

** API and ABI modifications:
No changes since last version.

* Version 3.5.15 (released 2017-08-21)

** libgnutls: Disable hardware acceleration on aarch64/ilp32 mode.
   There is no assembler code included for this CPU mode.

** certtool: Keys with provable RSA and DSA parameters are now only exported in
   PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
   This removes the need for a non-standard key format.

** API and ABI modifications:
No changes since last version.

* Version 3.5.14 (released 2017-07-04)

** libgnutls: Special-case HSMs which request explicit authentication. There
   are HSMs which return CKR_USER_NOT_LOGGED_IN on the first private key
   operation. Detect that state and try to log in.

** libgnutls: The GNUTLS_PKCS11_OBJ_FLAG_LOGIN flag will force a login on HSMs.
   That is, a login will be forced even on tokens which do not set the
   CKF_LOGIN_REQUIRED flag. This improves operation on certain Safenet HSMs.

** libgnutls: Do not set leading zeros when copying integers to HSMs. PKCS#11
   defines big integers as unsigned, most significant byte first, e.g.,
   32768 = 0x80 0x00. This is interpreted literally by some HSMs, which do not
   accept an integer with a leading zero. This improves operation with certain
   Atos HSMs.

** libgnutls: Fixed an issue discovering certain OCSP signers, and improved
   the discovery of the OCSP signer when the Subject Public Key Identifier
   field matches. Resolves gitlab issue #223.

** gnutls-cli: Ensure OCSP responses are saved with --save-ocsp even if
   certificate verification fails.

** API and ABI modifications:
No changes since last version.

* Version 3.5.13 (released 2017-06-07)

** libgnutls: Fixed an issue with AES-GCM in-place encryption and decryption
   on aarch64. Resolves gitlab issue #204.

** libgnutls: No longer parse the ResponseID field of the status response TLS
   extension. The field is not used by GnuTLS nor made available to calling
   applications. That addresses a null pointer dereference on the server side
   caused by packets containing the ResponseID field. Reported by Hubert Kario.
   [GNUTLS-SA-2017-4]

** libgnutls: Tolerate certificates which do not have strict DER time
   encoding. It is possible, using 3rd party tools, to generate certificates
   with time fields that do not conform to DER requirements. Since 3.4.x these
   certificates were rejected and could not be used with GnuTLS; however, that
   caused problems with existing private certificate infrastructures which
   relied on such certificates (see gitlab issue #196). Tolerate reading and
   using these certificates.

** minitasn1: Updated to libtasn1 4.11.

** certtool: Allow multiple certificates to be used in --p7-sign with the
   --load-certificate option. Patch by Karl Tarbe.

** API and ABI modifications:
No changes since last version.

* Version 3.5.12 (released 2017-05-11)

** libgnutls: Enabled TCP Fast Open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against the DNS fields of a certificate (CN or dNSName). The previous
   behavior was meant to tolerate some misconfigured servers, but it was
   non-standard and bypassed any IP address constraints present in higher
   level certificates.

** libgnutls: When converting to IDNA2008, fall back to IDNA2003 (i.e.,
   transitional encoding) if the domain cannot be converted. That provides
   maximum compatibility with browsers like firefox, which perform the same
   conversion.

** libgnutls: Fixed an issue in the RSA-PSK client callback which resulted in
   no username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: Fixed a regression causing stapled extensions in trust modules
   not to be considered.

** certtool: Introduced the email_protection_key option. This option was
   documented for certtool without being implemented. It is a shortcut for the
   option 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'.

** certtool: Made the printing of key ID and key pin consistent between
   certificates, public keys, and private keys. That is, private key printing
   now uses the same format as the rest.
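
   The hostname check change in this release (gnutls_x509_crt_check_hostname2()
   no longer matching IP literals against CN or dNSName) is easy to get wrong in
   application code that does its own matching. The following Python is an added
   example, not GnuTLS code and not its API: it models a parsed certificate with
   a constructed CertNames record and contrasts the old lax behaviour with the
   strict one. The matching rules it uses (CN consulted only when no dNSName SAN
   exists, a wildcard matching exactly one label) are a simplified RFC 6125 rule
   written for the example, not GnuTLS's implementation.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for the name fields of a parsed certificate."""
    common_name: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)     # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # SAN iPAddress entries, textual


def _as_ip(host: str):
    """Return an ip_address object for an IP literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive dNSName match. A leading '*.' matches exactly one label,
    and only when at least two labels follow it (simplified RFC 6125 rule)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = name.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == name


def _dns_candidates(cert: CertNames) -> List[str]:
    """dNSName SANs take precedence; the CN is consulted only when none exist."""
    if cert.dns_names:
        return cert.dns_names
    return [cert.common_name] if cert.common_name else []


def _ip_match(cert: CertNames, ip) -> bool:
    return any(ipaddress.ip_address(san) == ip for san in cert.ip_addresses)


def check_hostname_lax(cert: CertNames, host: str) -> bool:
    """Pre-3.5.12 behaviour: an IP literal is also compared, as text, against
    the CN / dNSName fields. A CN of '192.0.2.10' therefore 'matches' that IP
    even though no iPAddress SAN exists and no IP name constraint was applied."""
    if any(_dns_match(p, host) for p in _dns_candidates(cert)):
        return True
    ip = _as_ip(host)
    return ip is not None and _ip_match(cert, ip)


def check_hostname_strict(cert: CertNames, host: str) -> bool:
    """3.5.12 behaviour: an IP literal is matched only against iPAddress SANs;
    a DNS name only against dNSName (or the CN as a fallback)."""
    ip = _as_ip(host)
    if ip is not None:
        return _ip_match(cert, ip)
    return any(_dns_match(p, host) for p in _dns_candidates(cert))


if __name__ == "__main__":
    misconfigured = CertNames(common_name="192.0.2.10")   # IP in the CN, no SAN
    proper = CertNames(dns_names=["*.example.com"], ip_addresses=["192.0.2.10"])
    print(check_hostname_lax(misconfigured, "192.0.2.10"))     # True
    print(check_hostname_strict(misconfigured, "192.0.2.10"))  # False
    print(check_hostname_strict(proper, "192.0.2.10"))         # True
    print(check_hostname_strict(proper, "www.example.com"))    # True
```

   The strict variant is the one to keep: an IP literal that is only present in
   the CN never passed through the iPAddress name constraints of the issuing
   CAs, so accepting it bypasses exactly the check those constraints exist for.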
** gnutls-cli: Introduced the --sni-hostname option. This allows overriding the
   hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.

* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: Do not include libtool options in Libs.private.

** libgnutls: Fixed an issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed a read of 4 bytes past the end of the buffer in OpenPGP
   certificate parsing. The issues were found using the oss-fuzz project and
   fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the same
   object from multiple threads.

** libgnutls: Added support for the MacOSX key chain for obtaining the trust
   store's root CA certificates. That is, gnutls_x509_trust_list_add_system_trust()
   and gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a default
   trust store file in configure when building on MacOSX (unless explicitly
   asked to). Patch by David Caldwell.

** libgnutls: When OpenPGP authentication is disabled, the resulting library is
   ABI compatible (with the OpenPGP related functions being stubs that fail on
   invocation).

** API and ABI modifications:
No changes since last version.

* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: Do not include libidn2 in Requires.private. The available
   libidn2 versions do not ship libidn2.pc, so the inclusion was causing
   pkg-config issues. Instead we include -lidn2 in Libs.private when compiling
   against libidn2.

** libgnutls: Optimized access to subject alternative names (SANs) in parsed
   certificates.
   The previous implementation assumed a small number of SANs in a certificate,
   with repeated ASN.1 decoding of the extension and no intermediate caching.
   That caused delays in functions such as gnutls_x509_crt_check_hostname() for
   certificates with a long list of names. With the current code, the SANs are
   parsed once on certificate import. Resolves gitlab issue #165.

** libgnutls: Addressed an integer overflow resulting in an invalid memory write
   in OpenPGP certificate parsing. Issue found using the oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
   [GNUTLS-SA-2017-3A]

** libgnutls: Addressed a read of 1 byte past the end of the buffer in OpenPGP
   certificate parsing. Issue found using the oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related to the
   private key parser. No longer allow OpenPGP certificates (public keys) to
   contain private key sub-packets. Issues found using the oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
   [GNUTLS-SA-2017-3B]

** libgnutls: Addressed a large allocation in OpenPGP certificate parsing that
   could lead to an out-of-memory condition. Issue found using the oss-fuzz
   project, and fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
   [GNUTLS-SA-2017-3C]

** libgnutls: Print the key pin value used by the HPKP protocol, as per
   RFC7469, when printing certificate information.

** libgnutls: The gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration. This
   allows passing the same flags available for certificate verification to
   these functions (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept the flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN.
   This allows the function to operate in applications which, for example,
   still use SHA1 after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.

* Version 3.5.9 (released 2017-02-12)

** libgnutls: Removed any references to OpenPGP functionality from the
   documentation, and marked all functions in openpgp.h as deprecated. That
   functionality is considered deprecated and should not be used for any
   reason other than backwards compatibility.

** libgnutls: Improved detection of AVX support. In certain cases, when the
   instruction was available on the host but not on a VM running gnutls,
   detection could fail, causing illegal instruction usage.

** libgnutls: Added support for IDNA2008 for internationalized DNS names. If
   gnutls is compiled against libidn2 (the latest version is recommended), it
   will support IDNA2008 instead of the now obsolete IDNA2003 standard.
   Resolves gitlab issue #150. Based on a patch by Tim Ruehsen.

** p11tool: Re-use the ID of corresponding objects when writing certificates.
   That is, when writing a certificate which has a corresponding public key or
   private key in the token, ensure that the same ID is used for the
   certificate.

** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added

* Version 3.5.8 (released 2017-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions
   will not leave the verification profiles field in an undefined state. The
   last call takes precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL is returned by the PKCS#8
   decryption functions when an invalid key is provided. This addresses a
   regression in decrypting certain PKCS#8 keys.
** libgnutls: Introduced an option to override the default priority string used
   by the library. The intention is to allow support of system-wide priority
   strings (as set with --with-system-priority-file). The configure option is
   --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
   This prevents crashes when decrypting malformed PKCS#8 keys.

** libgnutls: Fixed a crash on loading malformed private keys with certain
   parameters set to zero.

** libgnutls: Fixed a double free in certificate information printing. If the
   PKIX proxy certificate extension was set with a policy language but no
   policy specified, that could lead to a double free. [GNUTLS-SA-2017-1]

** libgnutls: Addressed memory leaks in client and server side error paths
   (issues found using the oss-fuzz project).

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
   (issues found using the oss-fuzz project).

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP
   certificate parsing. Fixes by Alex Gaynor. (Issues found using the oss-fuzz
   project.)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (Issues found using the oss-fuzz project.) [GNUTLS-SA-2017-2]

** API and ABI modifications:
No changes since last version.

* Version 3.5.7 (released 2016-12-08)

** libgnutls: Include the CHACHA20-POLY1305 ciphersuites in the SECURE128 and
   SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls operates correctly
   with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN format rather
   than the strict RFC4514 compliant textual DN. This reverts the change
   introduced in 3.5.6, and allows applications which depended on the previous
   format to continue to function. New functions were introduced which output
   the strict format by default and can revert to the old one using a flag.

** libgnutls: Improved TPM key handling.
   Check authorization requirements prior to using a key, and fix an issue in
   the PIN input loop. Patches by James Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords
   are normalized according to RFC7613. When invalid UTF-8 passwords are
   detected, they are only tolerated for decryption. This introduces a
   libunistring dependency on GnuTLS. A copy of libunistring is included in
   the library for the platforms that do not ship it; it can be used with the
   '--with-included-unistring' option to the configure script.

** libgnutls: When setting a subject alternative name in UTF-8 format in a
   certificate, it will transparently be converted to IDNA form prior to
   storing.

** libgnutls: The GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will
   print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: Enhanced the PKCS#7 verification capabilities. When signers are
   not discoverable using the trust list or the provided input, use the
   certificate list stored in the structure as a pool to build a trusted chain
   to the signer.

** libgnutls: Improved the MTU calculation precision for the CBC ciphersuites
   under DTLS.

** libgnutls: [added missing news entry since 3.5.0] No longer tolerate
   certificate key usage violations for TLS signature verification and
   decryption. That is, GnuTLS will fail to connect to servers which
   incorrectly use a certificate restricted to signing for decryption, or vice
   versa. This reverts the lax behavior introduced in 3.1.0 due to several such
   broken servers being available. The %COMPAT priority keyword can be used to
   work around this and connect to these servers.

** certtool: When exporting a CRQ in DER format, ensure no text data are
   intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of the key ID in the
   --certificate-info output.

** p11tool: Introduced the --initialize-pin and --initialize-so-pin options.
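
   The DN entries of 3.5.6 and 3.5.7 concern the order and escaping of textual
   DNs: a certificate stores the DN as a sequence of RDNs with the root-most
   first, while RFC 4514 prints the most specific RDN first, so the two string
   forms are reverses of each other, and values containing , + " \ < > ; or a
   leading # or space need escaping. The following Python is an added example,
   not GnuTLS code and not its API (none of the gnutls_x509_*dn* functions named
   in the entries is called); it produces both string orders from a constructed
   RDN list and parses the RFC 4514 form back so a round trip can be checked.
   Multi-valued RDNs (joined with +) are rejected rather than handled.

```python
from typing import List, Tuple

RDN = Tuple[str, str]           # (attribute type, value), e.g. ("CN", "www.example.com")
_SPECIAL = set(',+"\\<>;')      # RFC 4514 section 2.4: always escaped inside a value
_HEX = set("0123456789abcdefABCDEF")


def escape_rfc4514_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)   # leading '#'/space and trailing space are special
        else:
            out.append(ch)
    return "".join(out)


def dn_to_string(rdns: List[RDN], strict: bool = True) -> str:
    """rdns is in certificate (DER) order, root-most RDN first.
    strict=True gives the RFC 4514 order (most specific RDN first); strict=False
    gives the traditional order, which simply follows the DER sequence."""
    parts = [f"{typ}={escape_rfc4514_value(val)}" for typ, val in rdns]
    if strict:
        parts.reverse()
    return ",".join(parts)


def parse_rfc4514(text: str) -> List[RDN]:
    """Parse an RFC 4514 string back into certificate order, honouring '\\x' and
    '\\XX' (hex) escapes. The result is the reverse of the string's RDN order."""
    rdns: List[RDN] = []
    buf = bytearray()                       # raw bytes of the current "type=value"

    def flush() -> None:
        typ, sep, val = buf.decode("utf-8").partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {buf.decode('utf-8')!r}")
        rdns.append((typ.strip(), val))
        buf.clear()

    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(int(pair, 16))   # hex escape: one raw byte
                i += 3
            else:
                if i + 1 >= len(text):
                    raise ValueError("dangling backslash")
                buf.extend(text[i + 1].encode("utf-8"))   # escaped literal character
                i += 2
            continue
        if ch == "+":
            raise ValueError("multi-valued RDNs are not handled in this example")
        if ch == ",":
            flush()
        else:
            buf.extend(ch.encode("utf-8"))
        i += 1
    flush()
    rdns.reverse()
    return rdns


if __name__ == "__main__":
    # Constructed example DN in certificate order.
    cert_order = [("C", "US"), ("O", "Example, Inc."), ("CN", "www.example.com")]
    print(dn_to_string(cert_order, strict=False))   # C=US,O=Example\, Inc.,CN=www.example.com
    print(dn_to_string(cert_order))                 # CN=www.example.com,O=Example\, Inc.,C=US
    print(parse_rfc4514(dn_to_string(cert_order)) == cert_order)   # True
```

   The two orders are the reason 3.5.7 had to add new functions instead of
   changing the old ones: code that splits the traditional string on commas and
   takes the last element as the CN silently picks the country once the output
   is reversed, and code that never escaped values produces a string that
   parses back to a different DN.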
** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added

* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-RFC5652)
   structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters using the
   groups from RFC7919.

** libgnutls: Added stricter RFC4514 textual DN encoding and decoding. The
   generated textual DN is now in reverse order according to RFC4514, and
   functions which generate a DN from strings, such as gnutls_x509_crt_set_*dn(),
   set the expected DN (the reverse of the provided string).

** libgnutls: Introduced time and constraints checks on the end certificate in
   the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
   functions.

** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into a busy loop if the peer
   continuously sends alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover,
   but others may remain in a busy loop indefinitely. This is related but not
   identical to CVE-2016-8610, due to the difference in alert handling between
   the libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
   functions return an index (introduced in 3.5.5), to avoid affecting programs
   which explicitly check for success of the function as equality to zero. In
   order for these functions to return an index, an explicit call to
   gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now
   required.

** libgnutls: Reverted the behavior of sending a status request extension even
   without a response (introduced in 3.5.5).
   That is, we no longer answer a client hello carrying a status request
   extension with a status request extension of our own when we have no OCSP
   response to send. Although that behavior is legal, it creates
   incompatibility issues with releases in the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator until the
   first call of gnutls_rnd(). This allows applications to load on systems on
   which getrandom() would block, without blocking until real random data are
   actually needed.

** certtool: --get-dh-params will output parameters from the RFC7919 groups.

** p11tool: Improvements in the --initialize option.

** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added

* Version 3.5.5 (released 2016-10-09)

** libgnutls: Enhanced gnutls_certificate_set_ocsp_status_request_file() to
   allow importing multiple OCSP response files, one for each certificate chain
   provided.

** libgnutls: The gnutls_certificate_set_key* functions return the index of the
   added chain. That index can be used either with
   gnutls_certificate_set_ocsp_status_request_file(), or with
   gnutls_certificate_get_crt_raw() and friends.

** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized
   implementations for the aarch64 architecture. Uses Andy Polyakov's assembly
   code.

** libgnutls: Ensure proper cleanup on gnutls_certificate_set_*key() failures
   due to key mismatch. This prevents leaks or double freeing on such failures.

** libgnutls: Increased the maximum size of the handshake message hash. This
   will allow the library to cope better with larger packets, such as the ones
   offered by the current TLS 1.3 drafts.

** libgnutls: Allow client certificates to be used despite them containing
   algorithms disallowed for the session.
   That allows, for example, a client to use DSA-SHA1 because of an old DSA
   certificate, without having to enable DSA-SHA1 (and thus make it acceptable
   for the server's certificate).

** libgnutls: Reverted the AESNI code on x86 to an earlier version, as the
   latest version was creating position-dependent code. Added checks in the CI
   to detect position-dependent code early.

** guile: Updated the code to the I/O port API of Guile >= 2.1.4. This makes
   sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of
   Guile, of which 2.1 is a preview.

** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
GNUTLS_E_PK_INVALID_PUBKEY: Added
GNUTLS_E_PK_INVALID_PRIVKEY: Added

* Version 3.5.4 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP responses.
   Previously the OCSP certificate check would not verify the serial length,
   and could succeed in cases where it should not (GNUTLS-SA-2016-3). Reported
   by Stefan Buehler.

** libgnutls: Added support for IP address name constraints. Patch by Martin
   Ukrop.

** libgnutls: Added support for PKCS#8 file decryption using DES-CBC-MD5. This
   allows decryption of PKCS #8 private keys from openssl prior to 1.1.0.

** libgnutls: Added support for decrypting PKCS#8 files which use HMAC-SHA256
   as the PRF. This allows decrypting PKCS #8 private keys generated with
   openssl 1.1.0.

** libgnutls: Added support for internationalized passwords in PKCS#12 files.
   Previous versions would only encrypt or decrypt using passwords from the
   ASCII set.

** libgnutls: Addressed an issue with PKCS#11 signature generation on ECDSA
   keys. The r and s values returned by the module are now treated as unsigned
   integers when written into the DSASignatureValue structure. Previously they
   could be written as signed integers, depending on what the underlying module
   produced. Addresses #122.

** gnutls-cli: Fixed a starttls regression from 3.5.3.
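
   Two entries in this file turn on the same detail, how a big integer is laid
   out in bytes. The 3.5.14 entry notes that PKCS#11 big integers are unsigned,
   most significant byte first, with no leading zero (32768 = 0x80 0x00), whereas
   a DER INTEGER is two's complement and needs a 0x00 pad byte whenever the top
   bit is set; the ECDSA entry above is the same issue in the other direction,
   since the r and s a PKCS#11 module returns are unsigned and must be written as
   positive INTEGERs in DSASignatureValue. The following Python is an added
   example, not GnuTLS code and not its API; it implements both conversions with
   a minimal hand-rolled DER encoder (no ASN.1 library) and a constructed raw
   signature.

```python
def pkcs11_uint(n: int) -> bytes:
    """PKCS#11 big integer: unsigned, most significant byte first, no leading
    zero byte. 32768 -> 80 00. Zero is encoded as a single 00 byte."""
    if n < 0:
        raise ValueError("PKCS#11 big integers are unsigned")
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_positive_integer(n: int) -> bytes:
    """DER INTEGER (tag 02) for a non-negative value. INTEGER is two's complement,
    so a value whose top bit is set needs a 00 pad byte: 32768 -> 02 03 00 80 00,
    while the PKCS#11 form of the same value is just 80 00."""
    if n < 0:
        raise ValueError("only non-negative values occur in keys and signatures")
    body = pkcs11_uint(n)
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_integer_to_pkcs11(der_int: bytes) -> bytes:
    """Strip tag, length and sign-pad byte from a DER INTEGER (as found in an
    RSA or DSA key) so the value can be handed to a PKCS#11 module. An HSM that
    reads the CK_BYTE array literally would otherwise see 00 80 00 as a
    different number, which is what the 3.5.14 entry describes."""
    if len(der_int) < 2 or der_int[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, offset = der_int[1], 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(der_int[2:2 + nbytes], "big")
        offset = 2 + nbytes
    body = der_int[offset:offset + length]
    if len(body) != length or not body:
        raise ValueError("truncated DER INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER cannot be a PKCS#11 big integer")
    return pkcs11_uint(int.from_bytes(body, "big"))


def ecdsa_raw_to_der(raw_sig: bytes) -> bytes:
    """Convert a CKM_ECDSA output (r || s, each zero-padded to the field size)
    into DSASignatureValue ::= SEQUENCE { r INTEGER, s INTEGER }.
    Reading r and s as unsigned is what makes a padded r starting with 0x80
    come out as a positive INTEGER (with a 00 pad) rather than a negative one."""
    if not raw_sig or len(raw_sig) % 2:
        raise ValueError("raw ECDSA signature must be two equal-width integers")
    half = len(raw_sig) // 2
    r = int.from_bytes(raw_sig[:half], "big")
    s = int.from_bytes(raw_sig[half:], "big")
    body = der_positive_integer(r) + der_positive_integer(s)
    return b"\x30" + _der_length(len(body)) + body


if __name__ == "__main__":
    print(pkcs11_uint(32768).hex())             # 8000
    print(der_positive_integer(32768).hex())    # 0203008000
    # Constructed 64-byte "P-256" signature: r has its top bit set, s carries a
    # leading zero byte from field-size padding.
    raw = bytes([0x80]) + b"\x11" * 31 + b"\x00" + b"\x22" * 31
    print(ecdsa_raw_to_der(raw).hex()[:12])     # 304402210080
```

   Note that the s value above loses its padding zero in DER (02 1f 22 ...)
   while r gains one (02 21 00 80 ...): DER has exactly one encoding per value,
   and a verifier that rejects non-minimal INTEGERs will refuse a signature
   that keeps the fixed-width padding or that drops the pad byte from r.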
** API and ABI modifications:
GNUTLS_E_MALFORMED_CIDR: Added
gnutls_x509_cidr_to_rfc5280: Added
gnutls_oid_to_mac: Added

* Version 3.5.3 (released 2016-08-09)

** libgnutls: Added support for TCP Fast Open (RFC7413), allowing the handshake
   to be shortened by one round trip. Based on a proposal and patch by Tim
   Ruehsen.

** libgnutls: Adopted a simpler DTLS sliding window implementation with lower
   memory requirements. Based on Fridolin Pokorny's implementation for AF_KTLS.

** libgnutls: Use getrandom() where available, via the syscall interface. This
   works around getrandom() not being used even when present, because glibc
   did not declare the function.

** libgnutls: Fixed DNS name constraints checking in the case of an empty
   intersection of the domain names in the chain. Report and fix by Martin
   Ukrop.

** libgnutls: Fixed name constraints checking in the case of chains where the
   higher level certificates contained different types of constraints than the
   ones present in the lower intermediate CAs. R ...
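
   The 3.5.4 and 3.5.3 entries above concern name constraints. RFC 5280 encodes
   an iPAddress constraint as the address followed by its mask (8 bytes for
   IPv4, 32 for IPv6), which is the form gnutls_x509_cidr_to_rfc5280 produces
   from CIDR notation; and when several CAs in a chain carry permitted subtrees,
   the effective permitted set is their intersection, which can be empty
   (example.com at the root, example.org at the intermediate) and then permits
   no dNSName at all, while constraints on one name type leave other types
   untouched. The following Python is an added example, not GnuTLS code and not
   its API; NameConstraints and LeafNames are constructed stand-ins for parsed
   extension data, and the checks follow RFC 5280 section 4.2.1.10 (a dNSName
   satisfies a constraint when it equals it or is a subdomain of it).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NameConstraints:
    """Constructed stand-in for one CA's NameConstraints extension.
    None means the CA does not constrain that name type at all."""
    permitted_dns: Optional[List[str]] = None
    excluded_dns: List[str] = field(default_factory=list)
    permitted_ip: Optional[List[bytes]] = None     # RFC 5280 address||mask blobs
    excluded_ip: List[bytes] = field(default_factory=list)


@dataclass
class LeafNames:
    """Constructed stand-in for the end-entity certificate's SANs."""
    dns: List[str] = field(default_factory=list)
    ip: List[str] = field(default_factory=list)    # textual iPAddress SANs


def cidr_to_rfc5280(cidr: str) -> bytes:
    """'192.0.2.0/24' -> 8 bytes (address || mask); an IPv6 prefix -> 32 bytes.
    Host bits set in the address are rejected as a malformed CIDR (ValueError)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.network_address.packed + net.netmask.packed


def ip_in_constraint(ip: str, constraint: bytes) -> bool:
    """True when ip falls inside the address||mask constraint. A constraint of
    the other address family, or of a wrong length, never matches."""
    addr = ipaddress.ip_address(ip).packed
    half = len(constraint) // 2
    if len(constraint) not in (8, 32) or len(addr) != half:
        return False
    base, mask = constraint[:half], constraint[half:]
    return all((a & m) == (b & m) for a, b, m in zip(addr, base, mask))


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280: a dNSName satisfies a constraint if it equals it or is a
    subdomain of it; the comparison is case-insensitive."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def intersect_dns(a: List[str], b: List[str]) -> List[str]:
    """Intersection of two permitted dNSName sets: where one subtree contains
    the other, keep the narrower one; unrelated names drop out entirely."""
    out = set()
    for x in a:
        for y in b:
            if dns_in_subtree(x, y):
                out.add(x)
            elif dns_in_subtree(y, x):
                out.add(y)
    return sorted(out)


def effective_permitted_dns(chain: List[NameConstraints]) -> Optional[List[str]]:
    """Fold the permitted dNSName subtrees over every CA in the chain. None means
    unconstrained; an empty list means no dNSName is acceptable at all, which is
    the empty-intersection case and must not be confused with 'no constraint'."""
    eff: Optional[List[str]] = None
    for ca in chain:
        if ca.permitted_dns is None:
            continue
        eff = list(ca.permitted_dns) if eff is None else intersect_dns(eff, ca.permitted_dns)
    return eff


def check_leaf(chain: List[NameConstraints], leaf: LeafNames) -> bool:
    """Every leaf SAN must satisfy every CA's constraints for its own name type.
    Checking per CA is equivalent to checking against the intersection, and a
    CA that constrains only iPAddress leaves dNSName untouched (and vice versa)."""
    for ca in chain:
        for name in leaf.dns:
            if ca.permitted_dns is not None and not any(dns_in_subtree(name, c) for c in ca.permitted_dns):
                return False
            if any(dns_in_subtree(name, c) for c in ca.excluded_dns):
                return False
        for ip in leaf.ip:
            if ca.permitted_ip is not None and not any(ip_in_constraint(ip, c) for c in ca.permitted_ip):
                return False
            if any(ip_in_constraint(ip, c) for c in ca.excluded_ip):
                return False
    return True


if __name__ == "__main__":
    root = NameConstraints(permitted_dns=["example.com"])
    inter = NameConstraints(permitted_dns=["corp.example.com"],
                            permitted_ip=[cidr_to_rfc5280("10.0.0.0/8")])
    print(cidr_to_rfc5280("192.0.2.0/24").hex())   # c0000200ffffff00
    print(effective_permitted_dns([root, inter]))   # ['corp.example.com']
    print(effective_permitted_dns([root, NameConstraints(permitted_dns=["example.org"])]))  # []
```

   The distinction between None and [] in effective_permitted_dns is the point
   of the 3.5.3 fix: treating an empty intersection as "unconstrained" would
   let a leaf under two CAs with disjoint permitted subtrees carry any name.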