GnuTLS NEWS -- History of user-visible changes. -*- outline -*- Bug numbers referenced in this log correspond to bug numbers at our issue tracker, available at https://gitlab.com/gnutls/gnutls/issues Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2016 Nikos Mavrogiannopoulos See the end for copying conditions. * Version 3.5.7 (released 2016-12-8) ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and SECURE256 priority strings. ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate with OIDs which have elements that exceed 2^32. ** libgnutls: The DN decoding functions output the traditional DN format rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6 introduced change, and allows applications which depended on the previous format to continue to function. Introduced new functions which output the strict format by default, and can revert to the old one using a flag. ** libgnutls: Improved TPM key handling. Check authorization requirements prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley. ** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords are normalized according to RFC7613. When invalid UTF-8 passwords are detected, they are only tolerated for decryption. This introduces a libunistring dependency on GnuTLS. A version of libunistring is included in the library for the platforms that do not ship it; it can be used with the '--with-included-unistring' option to configure script. ** libgnutls: When setting a subject alternative name in a certificate which is in UTF-8 format, it will transparently be converted to IDNA form prior to storing. ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will print the SHA256 key-ID instead of a certificate fingerprint. ** libgnutls: enhance the PKCS#7 verification capabilities. In the case signers that are not discoverable using the trust list or input, use the stored list as pool to generate a trusted chain to the signer. ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites under DTLS. ** libgnutls: [added missing news entry since 3.5.0] No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers. ** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov. ** certtool: Include the SHA-256 variant of key ID in --certificate-info options. ** p11tool: Introduced the --initialize-pin and --initialize-so-pin options. ** API and ABI modifications: gnutls_utf8_password_normalize: Added gnutls_ocsp_resp_get_responder2: Added gnutls_x509_crt_get_issuer_dn3: Added gnutls_x509_crt_get_dn3: Added gnutls_x509_rdn_get2: Added gnutls_x509_dn_get_str2: Added gnutls_x509_crl_get_issuer_dn3: Added gnutls_x509_crq_get_dn3: Added * Version 3.5.6 (released 2016-11-04) ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919. ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string). ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required. ** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch. ** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed. ** certtool: --get-dh-params will output parameters from the RFC7919 groups. ** p11tool: improvements in --initialize option. ** API and ABI modifications: GNUTLS_CERTIFICATE_API_V2: Added GNUTLS_NO_TICKETS: Added gnutls_pkcs7_get_embedded_data_oid: Added gnutls_anon_set_server_known_dh_params: Added gnutls_certificate_set_known_dh_params: Added gnutls_psk_set_server_known_dh_params: Added gnutls_x509_crt_check_key_purpose: Added * Version 3.5.5 (released 2016-10-09) ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to allow importing multiple OCSP request files, one for each chain provided. ** libgnutls: The gnutls_certificate_set_key* functions return an index of the added chain. That index can be used either with gnutls_certificate_set_ocsp_status_request_file(), or with gnutls_certificate_get_crt_raw() and friends. ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations for the aarch64 architecture. Uses Andy Polyakov's assembly code. ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures. ** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts. ** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). ** libgnutls: Reverted AESNI code on x86 to earlier version as the latest version was creating position depending code. Added checks in the CI to detect position depending code early. ** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview. ** API and ABI modifications: gnutls_certificate_set_ocsp_status_request_function2: Added gnutls_session_ext_register: Added gnutls_session_supplemental_register: Added GNUTLS_E_PK_INVALID_PUBKEY: Added GNUTLS_E_PK_INVALID_PRIVKEY: Added * Version 3.5.4 (released 2016-09-08) ** libgnutls: Corrected the comparison of the serial size in OCSP response. Previously the OCSP certificate check wouldn't verify the serial length and could succeed in cases it shouldn't (GNUTLS-SA-2016-3). Reported by Stefan Buehler. ** libgnutls: Added support for IP name constraints. Patch by Martin Ukrop. ** libgnutls: Added support of PKCS#8 file decryption using DES-CBC-MD5. This is added to allow decryption of PKCS #8 private keys from openssl prior to 1.1.0. ** libgnutls: Added support for decrypting PKCS#8 files which use HMAC-SHA256 as PRF. This allow decrypting PKCS #8 private keys generated with openssl 1.1.0. ** libgnutls: Added support for internationalized passwords in PKCS#12 files. Previous versions would only encrypt or decrypt using passwords from the ASCII set. ** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA keys. The signature is now written as unsigned integers into the DSASignatureValue structure. Previously signed integers could be written depending on what the underlying module would produce. Addresses #122. ** gnutls-cli: Fixed starttls regression from 3.5.3. ** API and ABI modifications: GNUTLS_E_MALFORMED_CIDR: Added gnutls_x509_cidr_to_rfc5280: Added gnutls_oid_to_mac: Added * Version 3.5.3 (released 2016-08-09) ** libgnutls: Added support for TCP fast open (RFC7413), allowing to reduce by one round-trip the handshake process. Based on proposal and patch by Tim Ruehsen. ** libgnutls: Adopted a simpler with less memory requirements DTLS sliding window implementation. Based on Fridolin Pokorny's implementation for AF_KTLS. ** libgnutls: Use getrandom where available via the syscall interface. This works around an issue of not-using getrandom even if it exists since glibc doesn't declare such function. ** libgnutls: Fixed DNS name constraints checking in the case of empty intersection of domain names in the chain. Report and fix by Martin Ukrop. ** libgnutls: Fixed name constraints checking in the case of chains where the higher level certificates contained different types of constraints than the ones present in the lower intermediate CAs. Report and fix by Martin Ukrop. ** libgnutls: Dropped support for the EGD random generator. ** libgnutls: Allow the decoding of raw elements (starting with #) in RFC4514 DN string decoding. ** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was ignoring flags if all certificates in the list fit within the initially allocated memory. Patch by Tim Kosse. ** libgnutls: Corrected issue which made gnutls_certificate_get_x509_crt() to return invalid pointers when returned more than a single certificate. Report and fix by Stefan Sørensen. ** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain, even when the extra_certs was non-null. Report and fix by Stefan Sørensen. ** certtool: Added the "add_extension" and "add_critical_extension" template options. This allows specifying arbitrary extensions into certificates and certificate requests. ** gnutls-cli: Added the --fastopen option. ** API and ABI modifications: GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added gnutls_x509_crq_set_extension_by_oid: Added gnutls_x509_dn_set_str: Added gnutls_transport_set_fastopen: Added * Version 3.5.2 (released 2016-07-06) ** libgnutls: Address issue when utilizing the p11-kit trust store for certificate verification (GNUTLS-SA-2016-2). ** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by Guillaume Roguez. ** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects from SafeNet Network HSM. Reported by Anthony Alba in #108. ** libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER. Report and fix by Stanislav Židek. ** libgnutls: Added AES-GCM optimizations using the AVX and MOVBE instructions. Uses Andy Polyakov's assembly code. ** API and ABI modifications: No changes since last version. * Version 3.5.1 (released 2016-06-14) ** libgnutls: The SSL 3.0 protocol support can completely be removed using a compile time option. The configure option is --disable-ssl3-support. ** libgnutls: The SSL 2.0 client hello support can completely be removed using a compile time option. The configure option is --disable-ssl2-support. ** libgnutls: Added support for OCSP Must staple PKIX extension. That is, implemented the RFC7633 TLSFeature for OCSP status request extension. Feature implemented by Tim Kosse. ** libgnutls: More strict OCSP staple verification. That is, no longer ignore invalid or too old OCSP staples. The previous behavior was to rely on application use gnutls_ocsp_status_request_is_checked(), while the new behavior is to include OCSP verification by default and set the GNUTLS_CERT_INVALID_OCSP_STATUS verification flag on error. ** libgnutls: Treat CA certificates with the "Server Gated Cryptography" key purpose OIDs equivalent to having the GNUTLS_KP_TLS_WWW_SERVER OID. This improves interoperability with several old intermediate CA certificates carrying these legacy OIDs. ** libgnutls: Re-read the system wide priority file when needed. Patch by Daniel P. Berrange. ** libgnutls: Allow for fallback in system-specific initial keywords (prefixed with '@'). That allows to specify a keyword such as "@KEYWORD1,KEYWORD2" which will use the first available of these two keywords. Patch by Daniel P. Berrange. ** libgnutls: The SSLKEYLOGFILE environment variable can be used to log session keys. These session keys are compatible with the NSS Key Log Format and can be used to decrypt the session for debugging using wireshark. ** API and ABI modifications: GNUTLS_CERT_INVALID_OCSP_STATUS: Added gnutls_x509_crt_set_crq_extension_by_oid: Added gnutls_x509_ext_import_tlsfeatures: Added gnutls_x509_ext_export_tlsfeatures: Added gnutls_x509_tlsfeatures_add: Added gnutls_x509_tlsfeatures_init: Added gnutls_x509_tlsfeatures_deinit: Added gnutls_x509_tlsfeatures_get: Added gnutls_x509_crt_get_tlsfeatures: Added gnutls_x509_crt_set_tlsfeatures: Added gnutls_x509_crq_get_tlsfeatures: Added gnutls_x509_crq_set_tlsfeatures: Added gnutls_ext_get_name: Added * Version 3.5.0 (released 2016-05-09) ** libgnutls: Added SHA3 based signing algorithms for DSA, RSA and ECDSA, based on http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html ** libgnutls: Added support for curve X25519 (RFC 7748, draft-ietf-tls-rfc4492bis-07). This curve is disabled by default as it is still on specification status. It can be enabled using the priority string modifier +CURVE-X25519. ** libgnutls: Added support for TLS false start (draft-ietf-tls-falsestart-01) by introducing gnutls_init() flag GNUTLS_ENABLE_FALSE_START (#73). ** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor based) provable RSA and DSA parameter generation from a seed. ** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This cipher is prioritized after AES-GCM. ** libgnutls: On a rehandshake ensure that the certificate of the peer or its username remains the same as in previous handshakes. That is to protect applications which do not check user credentials on rehandshakes. The threat to address depends on the application protocol. Primarily it protects against applications which authenticate the peer initially and perform accounting using the session's information, from being misled by a rehandshake which switches the peer's identity. Applications can disable this protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in gnutls_init(). ** libgnutls: No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers. ** libgnutls: Be strict in TLS extension decoding. That is, do not tolerate parsing errors in the extensions field and treat it as a typical Hello message structure. Reported by Hubert Kario (#40). ** libgnutls: Old and unsupported version numbers in client hellos are rejected with a "protocol_version" alert message. Reported by Hubert Kario (#42). ** libgnutls: Lifted the limitation of calling the gnutls_session_get_data*() functions, only on non-resumed sessions. This brings the API in par with its usage (#79). ** libgnutls: Follow RFC5280 strictly in name constraints computation. The permitted subtrees is intersected with any previous values. Report and patch by Daiki Ueno. ** libgnutls: Enforce the RFC 7627 (extended master secret) requirements on session resumption. Reported by Hubert Kario (#69). ** libgnutls: Consider the max-record TLS extension even when under DTLS. Reported by Peter Dettman (#61). ** libgnutls: Replaced writev() system call with sendmsg(). ** libgnutls: Replaced select() system call with poll() on POSIX systems. ** libgnutls: Preload the system priority file on library load. This allows applications that chroot() to also use the system priorities. ** libgnutls: Applications are allowed to override the built-in key and certificate URLs. ** libgnutls: The gnutls.h header marks constant and pure functions explictly. ** certtool: Added the ability to sign certificates using SHA3. ** certtool: Added the --provable and --verify-allow-broken options. ** gnutls-cli: The --dane option will cause verification failure if gnutls is not compiled with DANE support. ** crywrap: The tool was unbundled from gnutls' distribution. It can be found at https://github.com/nmav/crywrap ** guile: .go files are now built and installed ** guile: Fix compatibility issue of the test suite with Guile 2.1 ** guile: When --with-guile-site-dir is passed, modules are installed in a versioned directory, typically $(datadir)/guile/site/2.0 ** guile: Tests no longer leave zombie processes behind ** API and ABI modifications: GNUTLS_FORCE_CLIENT_CERT: Added GNUTLS_ENABLE_FALSE_START: Added GNUTLS_INDEFINITE_TIMEOUT: Added GNUTLS_ALPN_SERVER_PRECEDENCE: Added GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING: Added GNUTLS_E_HANDSHAKE_DURING_FALSE_START: Added gnutls_check_version_numeric: Added gnutls_x509_crt_equals: Added gnutls_x509_crt_equals2: Added gnutls_x509_crt_set_subject_alt_othername: Added gnutls_x509_crt_set_issuer_alt_othername: Added gnutls_x509_crt_get_signature_oid: Added gnutls_x509_crt_get_pk_oid: Added gnutls_x509_crq_set_subject_alt_othername: Added gnutls_x509_crq_get_pk_oid: Added gnutls_x509_crq_get_signature_oid: Added gnutls_x509_crl_get_signature_oid: Added gnutls_x509_privkey_generate2: Added gnutls_x509_privkey_get_seed: Added gnutls_x509_privkey_verify_seed: Added gnutls_privkey_generate2: Added gnutls_privkey_get_seed: Added gnutls_privkey_verify_seed: Added gnutls_decode_ber_digest_info: Added gnutls_encode_ber_digest_info: Added gnutls_dh_params_import_dsa: Added gnutls_session_get_master_secret: Added * Version 3.4.3 (released 2015-07-12) ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for dates prior to 2050. ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it was done only when cryptodev was enabled). ** libgnutls: Removed support for pthread_atfork() as it has undefined semantics when used with dlopen(), and may lead to a crash. ** libgnutls: corrected failure when importing plain files with gnutls_x509_privkey_import2(), and a password was provided. ** libgnutls: Don't reject certificates if a CA has the URI or IP address name constraints, and the end certificate doesn't have an IP address name or a URI set. ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. ** p11tool: Added --list-token-urls option, and print the token module name in list-tokens. ** API and ABI modifications: gnutls_ecc_curve_get_oid: Added gnutls_digest_get_oid: Added gnutls_pk_get_oid: Added gnutls_sign_get_oid: Added gnutls_ecc_curve_get_id: Added gnutls_oid_to_digest: Added gnutls_oid_to_pk: Added gnutls_oid_to_sign: Added gnutls_oid_to_ecc_curve: Added gnutls_pkcs7_get_signature_count: Added * Version 3.4.2 (released 2015-06-16) ** libgnutls: DTLS blocking API is more robust against infinite blocking, and will notify of more possible timeouts. ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported by Manuel Pegourie-Gonnard. ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That allows to disable SIGPIPE for writes done within gnutls. ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification of structures. API moved to gnutls/pkcs7.h header. ** certtool: Added options to generate PKCS #7 bundles and signed structures. ** API and ABI modifications: gnutls_x509_dn_get_str: Added gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added gnutls_x509_crt_verify_data2: Added gnutls_pkcs7_get_crt_raw2: Added gnutls_pkcs7_signature_info_deinit: Added gnutls_pkcs7_get_signature_info: Added gnutls_pkcs7_verify_direct: Added gnutls_pkcs7_verify: Added gnutls_pkcs7_get_crl_raw2: Added gnutls_pkcs7_sign: Added gnutls_pkcs7_attrs_deinit: Added gnutls_pkcs7_add_attr: Added gnutls_pkcs7_get_attr: Added gnutls_pkcs7_print: Added * Version 3.4.1 (released 2015-05-03) ** libgnutls: gnutls_certificate_get_ours: will return the certificate even if a callback was used to send it. ** libgnutls: Check for invalid length in the X.509 version field. Without the check certificates with invalid length would be detected as having an arbitrary version. Reported by Hanno Böck. ** libgnutls: Handle DNS name constraints with a leading dot. Patch by Fotis Loukos. ** libgnutls: Updated system-keys support for windows to compile in more versions of mingw. Patch by Tim Kosse. ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. ** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout by default. That caused issues with non-blocking programs. ** certtool: It can generate SHA256 key IDs. ** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos. ** configure: re-enabled the --enable-local-libopts flag ** API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added * Version 3.4.0 (released 2015-04-08) ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) ciphersuites. The former are enabled by default, the latter need to be explicitly enabled, since they reduce the overall security level. ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as technology preview and is not enabled by default, since there are no assigned ciphersuite points by IETF and there is no guarrantee of compatibility between draft versions. The ciphersuite priority string to enable it is "+CHACHA20-POLY1305". ** libgnutls: Added support for encrypt-then-authenticate in CBC ciphersuites (RFC7366 -taking into account its errata text). This is enabled by default and can be disabled using the %NO_ETM priority string. ** libgnutls: Added support for the extended master secret (triple-handshake fix) following draft-ietf-tls-session-hash-02. ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). ** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". ** libgnutls: DSA signatures and DHE-DSS are no longer included in the default priorities list. They have to be explicitly enabled, e.g., with a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The DSA ciphersuites were dropped because they had no deployment at all on the internet, to justify their inclusion. ** libgnutls: The priority string EXPORT was completely removed. The string was already defunc as support for the EXPORT ciphersuites was removed in GnuTLS 3.2.0. ** libgnutls: Added API to utilize system specific private keys in "gnutls/system-keys.h". It is currently provided as technology preview and is restricted to windows CNG keys. ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use RFC6125 comparison of hostnames. That introduces a dependency on libidn. ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). ** libgnutls: Depend on nettle 3.1. ** libgnutls: Use getrandom() or getentropy ...