GnuTLS NEWS -- History of user-visible changes. -*- outline -*- Bug numbers referenced in this log correspond to bug numbers at our issue tracker, available at https://gitlab.com/gnutls/gnutls/issues Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2019 Nikos Mavrogiannopoulos See the end for copying conditions. * Version 3.6.11 (released 2019-12-01) ** libgnutls: Use KERN_ARND for the system random number generator on NetBSD. This syscall provides an endless stream of random numbers from the kernel's ChaCha20-based random number generator, without blocking or requiring an open file descriptor. ** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption (#841). ** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations (#834). ** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle. ** certtool: CRL distribution points will be set in CA certificates even when non self-signed (#765). ** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and --rawpkfile flags. ** API and ABI modifications: No changes since last version. * Version 3.6.10 (released 2019-09-29) ** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979) Deterministic signing can be enabled by setting GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*() functions (#94). ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2 functions that will perform in-place encryption/decryption on data buffers (#718). ** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function() (#823). ** libgnutls: added interoperability tests with gnutls 2.12.x; addressed issue with large record handling due to random padding (#811). ** libgnutls: the server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first (#837). ** libgnutls: fix non-PIC assembly on i386 (#818). ** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT). For description of the modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in RFC 7836. ** certtool: when outputting an encrypted private key do not insert the textual description of it. This fixes a regression since 3.6.5 (#840). ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added * Version 3.6.9 (released 2019-07-25) ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy of digest or MAC context. Copying contexts for externally-registered digest and MAC contexts is unupported (#787). ** Marked the crypto implementation override APIs as deprecated. These APIs are rarely used, are for a niche use case, but have significant side effects, such as preventing any internal re-organization and extension of the internal cipher API. The APIs remain functional though a compiler warning will be issued, and a future minor version update may transform them to a no-op while keeping ABI compatibility (#789). ** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781). ** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash(). ** libgnutls: Added support for Generalname registeredID. ** The priority configuration was enhanced to allow more elaborate system-wide configuration of the library (#587). The following changes were included: - The file is read as an ini file with '#' indicating a comment. - The section "[priorities]" or global follows the existing semantics of the configuration file, and allows to specify system-wide priority strings which are accessed with the '@' prefix. - The section "[overrides]" is added with the parameters "insecure-hash", "insecure-sig", "insecure-sig-for-cert", "disabled-curve", "disabled-version", "min-verification-profile", "tls-disabled-cipher", "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit specific algorithms or options globally. Existing algorithms in the library can be marked as disabled and insecure, but no hard-coded insecure algorithm can be marked as secure (so that the configuration cannot be abused to make the system vulnerable). - Unknown sections or options are skipped with a debug message, unless the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is set to 1. ** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE - 0x20: Enable SHA_NI instruction set ** API and ABI modifications: gnutls_crypto_register_cipher: Deprecated gnutls_crypto_register_aead_cipher: Deprecated gnutls_crypto_register_digest: Deprecated gnutls_crypto_register_mac: Deprecated gnutls_get_system_config_file: Added gnutls_hash_copy: Added gnutls_hmac_copy: Added GNUTLS_MAC_AES_GMAC_128: Added GNUTLS_MAC_AES_GMAC_192: Added GNUTLS_MAC_AES_CMAC_256: Added GNUTLS_SAN_REGISTERED_ID: Added * Version 3.6.8 (released 2019-05-28) ** libgnutls: Added gnutls_prf_early() function to retrieve early keying material (#329) ** libgnutls: Added support for AES-XTS cipher (#354) ** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in 512 bit addition) ** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's public key is on the right subgroup (y^q=1 mod p), when q is available (under TLS 1.3 and under earlier versions when RFC7919 parameters are used). ** libgnutls: the gnutls_srp_set_server_credentials_function can now be used with the 8192 parameters as well (#995). ** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754) ** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow clients to communicate with the server advertising smaller limits than 512 ** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion (#720) ** certtool: allow the digital signature key usage flag in CA certificates. Previously certtool would ignore this flag for CA certificates even if specified (#767) ** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options. These allow testing the RFC5705 using these tools. ** API and ABI modifications: gnutls_prf_early: Added gnutls_record_set_max_recv_size: Added gnutls_dh_params_import_raw3: Added gnutls_ffdhe_2048_group_q: Added gnutls_ffdhe_3072_group_q: Added gnutls_ffdhe_4096_group_q: Added gnutls_ffdhe_6144_group_q: Added gnutls_ffdhe_8192_group_q: Added * Version 3.6.7 (released 2019-03-27) ** libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free(). ** libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694] ** libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] ** libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690). ** libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. ** libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code. ** libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled (#713). ** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721). ** libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated (#689). ** gnutls-cli: Added option --logfile to redirect informational messages output. ** API and ABI modifications: No changes since last version. * Version 3.6.6 (released 2019-01-25) ** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key (#640). ** libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280). ** libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field competely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients. ** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set (#667). ** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled. ** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional (#609). ** API and ABI modifications: GNUTLS_ENABLE_RAWPK: Added GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated GNUTLS_PCERT_NO_CERT: Deprecated * Version 3.6.5 (released 2018-12-01) ** libgnutls: Provide the option of transparent re-handshake/reauthentication when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) ** libgnutls: The priority functions will ignore and not enable TLS1.3 if requested with legacy TLS versions enabled but not TLS1.2. That is because if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) servers which do not support TLS1.3 will negotiate TLS1.2 which will be rejected by the client as disabled (#621). ** libgnutls: Change RSA decryption to use a new side-channel silent function. This addresses a security issue where memory access patterns as well as timing on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher attacks. Side-channel resistant code is slower due to the need to mask access and timings. When used in TLS the new functions cause RSA based handshakes to be between 13% and 28% slower on average (Numbers are indicative, the tests where performed on a relatively modern Intel CPU, results vary depending on the CPU and architecture used). This change makes nettle 3.4.1 the minimum requirement of gnutls (#630). [CVSS: medium] ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword in the priority string. It is only accepted as legacy option and is ignored. ** libgnutls: Added support for EdDSA under PKCS#11 (#417) ** libgnutls: Added support for AES-CFB8 cipher (#357) ** libgnutls: Added support for AES-CMAC MAC (#351) ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now. ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016. ** gnutls-serv: It applies the default settings when no --priority option is given, using gnutls_set_default_priority(). ** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin option (#561) ** certtool: Add parameter --no-text that prevents certtool from outputting text before PEM-encoded private key, public key, certificate, CRL or CSR. ** API and ABI modifications: GNUTLS_AUTO_REAUTH: Added GNUTLS_CIPHER_AES_128_CFB8: Added GNUTLS_CIPHER_AES_192_CFB8: Added GNUTLS_CIPHER_AES_256_CFB8: Added GNUTLS_MAC_AES_CMAC_128: Added GNUTLS_MAC_AES_CMAC_256: Added gnutls_record_get_max_early_data_size: Added gnutls_record_send_early_data: Added gnutls_record_recv_early_data: Added gnutls_db_check_entry_expire_time: Added gnutls_anti_replay_set_add_function: Added gnutls_anti_replay_init: Added gnutls_anti_replay_deinit: Added gnutls_anti_replay_set_window: Added gnutls_anti_replay_enable: Added gnutls_privkey_decrypt_data2: Added * Version 3.6.4 (released 2018-09-24) ** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol. ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with gnutls_certificate_set_retrieve_function() which could not handle the case where no certificates were returned, or the callbacks were set to NULL (see #528). ** libgnutls: gnutls_handshake() on server returns early on handshake when no certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START is specified. ** libgnutls: Added session ticket key rotation on server side with TOTP. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period. ** libgnutls: The 'record size limit' extension is added and preferred to the 'max record size' extension when possible. ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier (#569) ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import and export GOST parameters in the "native" little endian format used for these curves. This is an intentional incompatible change with 3.6.3. ** libgnutls: Added support for seperately negotiating client and server certificate types as defined in RFC7250. This mechanism must be explicitly enabled via the GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init(). ** gnutls-cli: enable CRL validation on startup (#564) ** API and ABI modifications: GNUTLS_ENABLE_EARLY_START: Added GNUTLS_ENABLE_CERT_TYPE_NEG: Added GNUTLS_TL_FAIL_ON_INVALID_CRL: Added GNUTLS_CERTIFICATE_VERIFY_CRLS: Added gnutls_ctype_target_t: New enumeration gnutls_record_set_max_early_data_size: Added gnutls_certificate_type_get2: Added gnutls_priority_certificate_type_list2: Added gnutls_ffdhe_6144_group_prime: Added gnutls_ffdhe_6144_group_generator: Added gnutls_ffdhe_6144_key_bits: Added * Version 3.6.3 (released 2018-07-16) ** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version negotiation, post handshake authentication, length hiding, multiple OCSP support, consistent ciphersuite support across protocols, hello retry requests, ability to adjust key shares via gnutls_init() flags, certificate authorities extension, and key usage limits. TLS1.3 draft-28 support can be enabled by default if the option --enable-tls13-support is given to configure script. ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority strings, then TLS 1.3 negotiation will be disabled if the session is associated only with an anonymous credentials structure. ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12, and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA 256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357), and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836). ** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default priority strings, as they are undefined under TLS1.3 and they provide no advantage over other options in earlier protocols. ** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled by specifying --enable-ssl3-support on configure script. ** libgnutls: Introduced function to switch the current FIPS140-2 operational mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2 operations. ** libgnutls: Introduced low-level function to assist applications attempting client hello extension parsing, prior to GnuTLS' parsing of the message. ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no modifications to the certificate. That prevents DER re-encoding issues with incorrectly encoded certificates, or other DER incompatibilities to affect a TLS session. Relates with #403 ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups which are preferred by the server. That unfortunately has complicated semantics as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering, which could make group order unpredictable if TLS1.3 is negotiated. ** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium] ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API change for these functions which make them err towards safety. ** libgnutls: improved aarch64 cpu features detection by using getauxval(). ** certtool: It is now possible to specify certificate and serial CRL numbers greater than 2**63-2 as a hex-encoded string both when prompted and in a template file. Default certificate serial numbers are now fully random. Default CRL numbers include more random bits and are larger than in previous GnuTLS versions. Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually if you intend to later downgrade to previous versions as it was not possible to specify large CRL numbers in previous versions of certtool. ** API and ABI modifications: gnutls_fips140_set_mode: Added gnutls_session_key_update: Added gnutls_ext_get_current_msg: Added gnutls_reauth: Added gnutls_ocsp_status_request_get2: Added gnutls_ocsp_resp_import2: Added gnutls_ocsp_resp_export2: Added gnutls_ocsp_resp_list_import2: Added gnutls_certificate_set_retrieve_function3: Added gnutls_certificate_set_ocsp_status_request_file2: Added gnutls_certificate_set_ocsp_status_request_mem: Added gnutls_certificate_get_ocsp_expiration: Added gnutls_record_send2: Added gnutls_ext_raw_parse: Added gnutls_x509_crt_list_import_url: Added gnutls_pcert_list_import_x509_file: Added gnutls_pkcs11_token_get_ptr: Added gnutls_pkcs11_obj_get_ptr: Added gnutls_session_ticket_send: Added gnutls_aead_cipher_encryptv: Added gnutls_gost_paramset_get_name: Added gnutls_gost_paramset_get_oid: Added gnutls_oid_to_gost_paramset: Added gnutls_decode_gost_rs_value: Added gnutls_encode_gost_rs_value: Added gnutls_pubkey_export_gost_raw2: Added gnutls_pubkey_import_gost_raw: Added gnutls_x509_crt_get_pk_gost_raw: Added gnutls_privkey_export_gost_raw2: Added gnutls_privkey_import_gost_raw: Added gnutls_x509_privkey_export_gost_raw: Added gnutls_x509_privkey_import_gost_raw: Added gnutls_set_default_priority_append: Added gnutls_priority_init2: Added GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS: Added GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE: Added * Version 3.6.2 (released 2018-02-16) ** libgnutls: When verifying against a self signed certificate ignore issuer. That is, ignore issuer when checking the issuer's parameters strength, resolving issue #347 which caused self signed certificates to be additionally marked as of insufficient security level. ** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data MTU calculation now, it correctly accounts for the fixed overhead due to padding (as 1 byte), while at the same time considers the rest of the padding as part of data MTU. ** libgnutls: Address issue of loading of all PKCS#11 modules on startup on systems with a PKCS#11 trust store (as opposed to a file trust store). Introduced a multi-stage initialization which loads the trust modules, and other modules are deferred for the first pure PKCS#11 request. ** libgnutls: The SRP authentication will reject any parameters outside RFC5054. This protects any client from potential MitM due to insecure parameters. That also brings SRP in par with the RFC7919 changes to Diffie-Hellman. ** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters for SRP authentication. ** libgnutls: Addressed issue in the accelerated code affecting interoperability with versions of nettle >= 3.4. ** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by Vitezslav Cizek). ** srptool: the --create-conf option no longer includes 1024-bit parameters. ** p11tool: Fixed the deletion of objects in batch mode. ** API and ABI modifications: gnutls_srp_8192_group_generator: Added gnutls_srp_8192_group_prime: Added * Version 3.6.1 (released 2017-10-21) ** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was used. Resolves gitlab issue #259. ** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign, gnutls_x509_crq_sign, were modified to sign with a better algorithm than SHA1. They will now sign with an algorithm that corresponds to the security level of the signer's key. ** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign() accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal the function to auto-detect an appropriate hash algorithm to use. ** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS. TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm in TLS 1.2. As such, no reason to keep supporting it. ** libgnutls: Refuse to use client certificates containing disallowed algorithms for a session. That reverts a change on 3.5.5, which allowed a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). The previous approach was to allow a smooth move for client infrastructure after the DSA algorithm became disabled by default, and is no longer necessary as DSA is now being universally depracated. ** libgnutls: Refuse to resume a session which had a different SNI advertised. That improves RFC6066 support in server side. Reported by Thomas Klute. * ...