GnuTLS NEWS -- History of user-visible changes.                -*- outline -*-

Bug numbers referenced in this log correspond to bug numbers at our issue
tracker, available at https://gitlab.com/gnutls/gnutls/issues

Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
See the end for copying conditions.

* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes
   version negotiation, post handshake authentication, length hiding, multiple
   OCSP support, consistent ciphersuite support across protocols, hello retry
   requests, ability to adjust key shares via gnutls_init() flags, certificate
   authorities extension, and key usage limits. TLS1.3 draft-28 support can be
   enabled by default if the option --enable-tls13-support is given to the
   configure script.

** libgnutls: Apply compatibility settings for existing applications running
   with TLS1.2 or earlier and TLS 1.3. When SRP or NULL ciphersuites are
   specified in priority strings, TLS 1.3 will be disabled. When Anonymous
   ciphersuites are specified in priority strings, then TLS 1.3 negotiation
   will be disabled if the session is associated only with an anonymous
   credentials structure.

** Added support for Russian Public Key Infrastructure according to
   RFCs 4491/4357/7836. This adds support for using GOST keys for digital
   signatures and under PKCS#7, PKCS#12, and PKCS#8 standards. In particular
   added elliptic curves GOST R 34.10-2001 CryptoProA 256-bit curve (RFC 4357),
   GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357), and GOST R
   34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA
   ciphers as well as ciphers utilizing HMAC-SHA384 and SHA256 have been
   removed from the default priority strings, as they are undefined under
   TLS1.3 and they provide no advantage over other options in earlier
   protocols.

** The SSL 3.0 protocol is disabled on compile-time by default.
   It can be re-enabled by specifying --enable-ssl3-support on the configure
   script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non
   FIPS140-2 operations.

** libgnutls: Introduced low-level function to assist applications attempting
   client hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there
   are no modifications to the certificate. That prevents DER re-encoding
   issues with incorrectly encoded certificates, or other DER
   incompatibilities, from affecting a TLS session. Relates to #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the
   groups which are preferred by the server. That unfortunately has
   complicated semantics as TLS1.2 requires specific ordering of the groups
   based on the ciphersuite ordering, which could make group order
   unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal
   Ronen and Adi Shamir reported that the existing counter-measures had
   certain issues and were insufficient when the attacker has additional
   access to the CPU cache and performs a chosen-plaintext attack. This
   affected the legacy CBC ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the
   negotiation of legacy CBC ciphersuites unless encrypt-then-mac is
   negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
   GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an
   API change for these functions which makes them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().
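The CBC padding counter-measure entry above is about the classic timing side
channel of MAC-then-encrypt CBC records: any check whose running time or
memory access pattern depends on the (secret) padding bytes hands the attacker
a padding oracle. The following is an added example and not GnuTLS code; it
contrasts a branchy padding check with a branch-free one over the TLS 1.0-1.2
record layout data || MAC || pad || padlen, using a 20-byte (HMAC-SHA1 sized)
MAC in constructed sample records. It covers only the padding scan; the
CPU-cache issue reported against the earlier counter-measures concerns the
MAC computation over the padded record, which this snippet does not model.
All function and type names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not GnuTLS code. Record layout assumed (TLS 1.0-1.2,
 * MAC-then-encrypt, after CBC decryption): data || MAC || pad || padlen,
 * where every pad byte must equal padlen and padlen + 1 + mac_len <= len.
 * Both checks return 1 for valid padding and 0 otherwise.
 */

/* Branchy version: stops at the first bad byte, so the time taken leaks
 * how many padding bytes were "right" (the padding-oracle signal). */
int cbc_pad_check_naive(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len)
        return 0;
    for (size_t i = 0; i < pad; i++)
        if (rec[len - 2 - i] != pad)
            return 0;                      /* early exit */
    return 1;
}

/* Mask helpers: all-ones when the condition holds, all-zeros otherwise,
 * computed with arithmetic only (no data-dependent branch). Inputs are
 * small (< 2^31), so the wrap-around sign trick is sound. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    return 0u - ((x - 1u) >> 31);          /* x == 0 -> 0xFFFFFFFF */
}
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);           /* a < b  -> 0xFFFFFFFF */
}

/* Branch-free version: always scans the same 256-byte window (or the whole
 * record if shorter) and folds every comparison into a mask, so neither the
 * loop count nor the bytes touched depend on padlen. */
int cbc_pad_check_ct(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1 || len > 0x10000)  /* record length is public */
        return 0;
    uint32_t pad  = rec[len - 1];
    uint32_t good = ct_lt(pad + (uint32_t)mac_len, (uint32_t)len); /* fits? */
    size_t window = (len - 1 < 256) ? len - 1 : 256;
    for (size_t i = 0; i < window; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, pad);   /* byte i is padding */
        uint32_t match  = ct_eq(rec[len - 2 - i], pad);
        good &= ~in_pad | match;           /* require match only inside pad */
    }
    return (int)(good & 1u);
}

/* Constructed sample record: 5 data bytes, a dummy 20-byte MAC, 6 pad
 * bytes and padlen = 6, 32 bytes in total (two AES blocks). */
static size_t sample_record(uint8_t out[32])
{
    memcpy(out, "hello", 5);
    memset(out + 5, 0xAA, 20);             /* placeholder MAC */
    memset(out + 25, 6, 7);                /* 6 pad bytes + padlen */
    return 32;
}

int demo_valid(void)          /* both checks accept: returns 1 */
{
    uint8_t r[32]; size_t n = sample_record(r);
    return cbc_pad_check_naive(r, n, 20) == 1 && cbc_pad_check_ct(r, n, 20) == 1;
}
int demo_corrupt_pad(void)    /* one pad byte altered, both reject: 1 */
{
    uint8_t r[32]; size_t n = sample_record(r);
    r[27] = 0x07;
    return cbc_pad_check_naive(r, n, 20) == 0 && cbc_pad_check_ct(r, n, 20) == 0;
}
int demo_overlong_pad(void)   /* padlen larger than the record, both reject: 1 */
{
    uint8_t r[32]; size_t n = sample_record(r);
    r[31] = 0x7f;
    return cbc_pad_check_naive(r, n, 20) == 0 && cbc_pad_check_ct(r, n, 20) == 0;
}
```

Both checks agree on every input; the difference is that the work done by
cbc_pad_check_ct does not depend on the value of padlen. The practical advice
in the entries above still stands: prefer AEAD suites, or set %FORCE_ETM so
that a CBC suite is only negotiated with encrypt-then-mac, where the MAC is
verified over the ciphertext before any padding is inspected.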
** certtool: It is now possible to specify certificate serial and CRL numbers
   greater than 2**63-2 as a hex-encoded string both when prompted and in a
   template file. Default certificate serial numbers are now fully random.
   Default CRL numbers include more random bits and are larger than in
   previous GnuTLS versions. Since CRL numbers are required to be monotonic,
   specify suitable CRL numbers manually if you intend to later downgrade to
   previous versions, as it was not possible to specify large CRL numbers in
   previous versions of certtool.

** API and ABI modifications:
gnutls_fips140_set_mode: Added
gnutls_session_key_update: Added
gnutls_ext_get_current_msg: Added
gnutls_reauth: Added
gnutls_ocsp_status_request_get2: Added
gnutls_ocsp_resp_import2: Added
gnutls_ocsp_resp_export2: Added
gnutls_ocsp_resp_list_import2: Added
gnutls_certificate_set_retrieve_function3: Added
gnutls_certificate_set_ocsp_status_request_file2: Added
gnutls_certificate_set_ocsp_status_request_mem: Added
gnutls_certificate_get_ocsp_expiration: Added
gnutls_record_send2: Added
gnutls_ext_raw_parse: Added
gnutls_x509_crt_list_import_url: Added
gnutls_pcert_list_import_x509_file: Added
gnutls_pkcs11_token_get_ptr: Added
gnutls_pkcs11_obj_get_ptr: Added
gnutls_session_ticket_send: Added
gnutls_aead_cipher_encryptv: Added
gnutls_gost_paramset_get_name: Added
gnutls_gost_paramset_get_oid: Added
gnutls_oid_to_gost_paramset: Added
gnutls_decode_gost_rs_value: Added
gnutls_encode_gost_rs_value: Added
gnutls_pubkey_export_gost_raw2: Added
gnutls_pubkey_import_gost_raw: Added
gnutls_x509_crt_get_pk_gost_raw: Added
gnutls_privkey_export_gost_raw2: Added
gnutls_privkey_import_gost_raw: Added
gnutls_x509_privkey_export_gost_raw: Added
gnutls_x509_privkey_import_gost_raw: Added
gnutls_set_default_priority_append: Added
gnutls_priority_init2: Added
GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS: Added
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE: Added

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against
   a self signed certificate ignore issuer. That is, ignore issuer when
   checking the issuer's parameters strength, resolving issue #347 which
   caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data MTU
   calculation now correctly accounts for the fixed overhead due to padding
   (as 1 byte), while at the same time considering the rest of the padding as
   part of the data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup on
   systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting
   interoperability with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch
   by Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added

* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe
   renegotiation was used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign, gnutls_x509_crq_sign,
   were modified to sign with a better algorithm than SHA1.
   They will now sign with an algorithm that corresponds to the security level
   of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm in
   TLS 1.2. As such, there is no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change in 3.5.5, which allowed a
   client to use DSA-SHA1 due to its old DSA certificate, without requiring it
   to enable DSA-SHA1 (and thus make it acceptable for the server's
   certificate). The previous approach was to allow a smooth move for client
   infrastructure after the DSA algorithm became disabled by default, and is
   no longer necessary as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised.
   That improves RFC6066 support on the server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signatures with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.

* Version 3.6.0 (released 2017-08-21)

** libgnutls: tlsfuzzer is part of the CI testsuite. This is a TLS testing and
   fuzzing toolkit, allowing for corner case testing, and ensuring that the
   behavior of the library will not change across releases.
   https://github.com/tomato42/tlsfuzzer

** libgnutls: Introduced a lock-free random generator which operates per-thread
   and eliminates random-generator related bottlenecks in multi-threaded
   operation. Resolves gitlab issue #141.
   http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html

** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA.
   The goal is to reduce code needed in cache (CHACHA is also used for TLS),
   and the number of primitives used by the library. That does not affect the
   AES-DRBG random generator used in FIPS140-2 mode.

** libgnutls: Added support for RSA-PSS key type as well as signatures in
   certificates, and TLS key exchange. Contributed by Daiki Ueno. RSA-PSS
   signatures can be generated by RSA-PSS keys and normal RSA keys, but not
   vice-versa. The feature includes:
   * RSA-PSS key generation and key handling (in PKCS#8 form)
   * RSA-PSS key generation and key handling from PKCS#11 (with
     CKM_RSA_PKCS_PSS mech)
   * Handling of RSA-PSS subjectPublicKeyInfo parameters, when present in
     either the private key or certificate.
   * RSA-PSS signing and verification of PKIX certificates
   * RSA-PSS signing and verification of TLS 1.2 handshake
   * RSA-PSS signing and verification of PKCS#7 structures
   * RSA-PSS and RSA key combinations for TLS credentials. That is, when
     multiple keys are supplied, RSA-PSS keys are preferred over RSA for
     RSA-PSS TLS signatures, to contain risks of cross-protocol attacks
     between the algorithms.
   * RSA-PSS key conversion to RSA PKCS#1 form (certtool --to-rsa)
   Note that RSA-PSS signatures with SHA1 are (intentionally) not supported.

** libgnutls: Added support for Ed25519 signing in certificates and TLS key
   exchange following draft-ietf-tls-rfc4492bis-17. The feature includes:
   * Ed25519 key generation and key handling (in PKCS#8 form)
   * Ed25519 signing and verification of PKIX certificates
   * Ed25519 signing and verification of TLS 1.2 handshake
   * Ed25519 signing and verification of PKCS#7 structures

** libgnutls: Enabled X25519 key exchange by default, following
   draft-ietf-tls-rfc4492bis-17.

** libgnutls: Added support for Diffie-Hellman group negotiation following
   RFC7919.
   That makes the DH parameters negotiation more robust and less prone to
   errors due to insecure parameters. Servers are no longer required to
   specify explicit DH parameters, though if they do these parameters will be
   used. Group selection can be done via priority strings. The introduced
   strings are GROUP-ALL, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096
   and GROUP-FFDHE8192, as well as the corresponding curve groups. Note that
   the 6144 group from RFC7919 is not supported.

** libgnutls: Introduced various sanity checks on certificate import. Refuse
   to import certificates which have fractional seconds in Time fields,
   X.509v1 certificates which have the unique identifiers set, and
   certificates with illegal version numbers. All of these are prohibited by
   RFC5280.

** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set
   flags in the crt structure. The only flag supported at the moment is
   GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the certificate sanity
   checks on import.

** libgnutls: PKIX certificates with unknown critical extensions are rejected
   on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This
   behavior can be overridden by providing the flag
   GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS to verification functions.
   Resolves gitlab issue #177.

** libgnutls: Refuse to generate a certificate with an illegal version, or an
   illegal serial number. That is, gnutls_x509_crt_set_version() and
   gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
   in RFC5280.

** libgnutls: Calls to gnutls_record_send() and gnutls_record_recv() prior to
   handshake being complete are now refused. Addresses gitlab issue #158.

** libgnutls: Added support for PKCS#12 files with no salt (zero length) in
   their password encoding, and PKCS#12 files using SHA384 and SHA512 as MAC.

** libgnutls: Exported functions to encode and decode DSA and ECDSA r,s
   values.
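The import sanity checks and the version/serial checks in the 3.6.0 entries
above all enforce encoding rules from RFC 5280 that lenient decoders tend to
skip, and which later surface as re-encoding mismatches or ambiguous
validity periods. The following is an added example and not GnuTLS code; it
spells out the Time-field rules of RFC 5280 section 4.1.2.5 (UTCTime as
YYMMDDHHMMSSZ, GeneralizedTime as YYYYMMDDHHMMSSZ, no fractional seconds, no
local-time offsets) and the version rules of section 4.1.2.1 as stand-alone
checks, with a small DER TLV wrapper. The tag constants and function names
are the example's own; the sample DER values in the comments are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Added example, not GnuTLS code. Stand-alone RFC 5280 checks for the
 * notBefore/notAfter Time fields and for the certificate version field. */

#define TAG_UTCTIME         0x17   /* ASN.1 UNIVERSAL 23 */
#define TAG_GENERALIZEDTIME 0x18   /* ASN.1 UNIVERSAL 24 */

static int two_digits(const char *p)
{
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/* Returns 1 if s (length n, not NUL-terminated) is exactly YYMMDDHHMMSSZ
 * (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime). Fractional seconds,
 * omitted seconds and "+hhmm" offsets are rejected, as RFC 5280 requires;
 * the calendar fields are range-checked so that e.g. month 13 fails too. */
int rfc5280_time_ok(int tag, const char *s, size_t n)
{
    size_t digits;
    if (tag == TAG_UTCTIME)              digits = 12;
    else if (tag == TAG_GENERALIZEDTIME) digits = 14;
    else                                 return 0;

    if (n != digits + 1 || s[digits] != 'Z')   /* 'Z' and nothing else */
        return 0;
    for (size_t i = 0; i < digits; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;

    const char *p = s + digits - 10;           /* MMDDHHMMSS */
    int mon  = two_digits(p),     day = two_digits(p + 2),
        hour = two_digits(p + 4), min = two_digits(p + 6),
        sec  = two_digits(p + 8);
    return mon >= 1 && mon <= 12 && day >= 1 && day <= 31 &&
           hour <= 23 && min <= 59 && sec <= 59;
}

/* Same check applied to a DER TLV: tag, short-form length, content.
 * A valid Time is always shorter than 128 bytes, so long-form lengths
 * are rejected outright. */
int der_time_ok(const uint8_t *der, size_t len)
{
    if (len < 2 || (der[1] & 0x80))
        return 0;
    size_t clen = der[1];
    if (2 + clen != len)
        return 0;
    return rfc5280_time_ok(der[0], (const char *)der + 2, clen);
}

/* Version sanity: the DER version INTEGER is 0, 1 or 2 (v1, v2, v3).
 * issuerUniqueID/subjectUniqueID need at least v2; extensions need v3. */
int rfc5280_version_ok(long version, int has_unique_ids, int has_extensions)
{
    if (version < 0 || version > 2)
        return 0;
    if (has_unique_ids && version < 1)
        return 0;
    if (has_extensions && version < 2)
        return 0;
    return 1;
}
```

A certificate carrying "20180716120000.5Z" or "180716120000+0000" as a
validity bound, or a v1 certificate with unique identifiers, is what the
3.6.0 import checks refuse; the GNUTLS_X509_CRT_FLAG_IGNORE_SANITY flag named
above is the library's own switch for skipping them, not anything in this
snippet.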
** libgnutls: Added new callback setting function to gnutls_privkey_t for
   external keys. The new function (gnutls_privkey_import_ext4) allows
   signing, in addition to the previous algorithms (RSA PKCS#1 1.5, DSA,
   ECDSA), with RSA-PSS and Ed25519 keys.

** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and
   %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These allow enabling
   all broken and SHA1-based signature algorithms in certificate verification,
   respectively.

** libgnutls: 3DES-CBC is no longer included in the default priorities list.
   It has to be explicitly enabled, e.g., with a string like "NORMAL:+3DES-CBC".

** libgnutls: SHA1 was marked as insecure for signing certificates.
   Verification of certificates signed with SHA1 is now considered insecure
   and will fail, unless flags intended to enable broken algorithms are set.
   Other uses of SHA1 are still allowed. This can be reverted on compile time
   with the configure flag --enable-sha1-support.

** libgnutls: RIPEMD160 was marked as insecure for certificate signatures.
   Verification of certificates signed with RIPEMD160 hash algorithm is now
   considered insecure and will fail, unless flags intended to enable broken
   algorithms are set.

** libgnutls: No longer enable SECP192R1 and SECP224R1 by default on TLS
   handshakes. These curves were rarely used for that purpose, provide no
   advantage over x25519 and were deprecated by TLS 1.3.

** libgnutls: Removed support for DEFLATE, or any other compression method.

** libgnutls: OpenPGP authentication was removed; the resulting library is ABI
   compatible, with the openpgp related functions being stubs that fail on
   invocation.

** libgnutls: Removed support for libidn (i.e., IDNA2003); gnutls can now be
   compiled only with libidn2 which provides IDNA2008.

** certtool: The option '--load-ca-certificate' can now accept PKCS#11 URLs in
   addition to files.

** certtool: The option '--load-crl' can now be used when generating PKCS#12
   files (i.e., in conjunction with '--to-p12' option).
** certtool: Keys with provable RSA and DSA parameters are now only read and
   exported from PKCS#8 form, following
   draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. This removes
   support for the previous non-standard key format.

** certtool: Added support for generating, printing and handling RSA-PSS and
   Ed25519 keys and certificates.

** certtool: the parameters --rsa, --dsa and --ecdsa to --generate-privkey are
   now deprecated, replaced by the --key-type option.

** p11tool: The --generate-rsa, --generate-ecc and --generate-dsa options were
   replaced by the --generate-privkey option.

** psktool: Generate 256-bit keys by default.

** gnutls-server: Increase request buffer size to 16kb, and added the --alpn
   and --alpn-fatal options, allowing testing of ALPN negotiation.

** API and ABI modifications:
gnutls_encode_rs_value: Added
gnutls_decode_rs_value: Added
gnutls_base64_encode2: Added
gnutls_base64_decode2: Added
gnutls_x509_crt_set_flags: Added
gnutls_x509_crt_check_ip: Added
gnutls_x509_ext_import_inhibit_anypolicy: Added
gnutls_x509_ext_export_inhibit_anypolicy: Added
gnutls_x509_crt_get_inhibit_anypolicy: Added
gnutls_x509_crt_set_inhibit_anypolicy: Added
gnutls_pubkey_export_rsa_raw2: Added
gnutls_pubkey_export_dsa_raw2: Added
gnutls_pubkey_export_ecc_raw2: Added
gnutls_privkey_export_rsa_raw2: Added
gnutls_privkey_export_dsa_raw2: Added
gnutls_privkey_export_ecc_raw2: Added
gnutls_x509_spki_init: Added
gnutls_x509_spki_deinit: Added
gnutls_x509_spki_get_pk_algorithm: Added
gnutls_x509_spki_set_pk_algorithm: Added
gnutls_x509_spki_get_digest_algorithm: Added
gnutls_x509_spki_set_digest_algorithm: Added
gnutls_x509_spki_get_salt_size: Added
gnutls_x509_spki_set_salt_size: Added
gnutls_x509_crt_set_spki: Added
gnutls_x509_crt_get_spki: Added
gnutls_x509_privkey_get_spki: Added
gnutls_x509_privkey_set_spki: Added
gnutls_x509_crq_get_spki: Added
gnutls_x509_crq_set_spki: Added
gnutls_pubkey_set_spki: Added
gnutls_pubkey_get_spki: Added
gnutls_privkey_set_spki: Added
gnutls_privkey_get_spki: Added
gnutls_privkey_import_ext4: Added
GNUTLS_EXPORT_FLAG_NO_LZ: Added
GNUTLS_DT_IP_ADDRESS: Added
GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: Added
GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_SFLAGS_RFC7919: Added

* Version 3.5.7 (released 2016-12-8)

** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and
   SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate
   with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN format
   rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6
   introduced change, and allows applications which depended on the previous
   format to continue to function. Introduced new functions which output the
   strict format by default, and can revert to the old one using a flag.

** libgnutls: Improved TPM key handling. Check authorization requirements
   prior to using a key and fix issue on loop for PIN input. Patches by James
   Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that
   passwords are normalized according to RFC7613. When invalid UTF-8
   passwords are detected, they are only tolerated for decryption. This
   introduces a libunistring dependency on GnuTLS. A version of libunistring
   is included in the library for the platforms that do not ship it; it can
   be used with the '--with-included-unistring' option to configure script.

** libgnutls: When setting a subject alternative name in a certificate which
   is in UTF-8 format, it will transparently be converted to IDNA form prior
   to storing.

** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will
   print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: enhance the PKCS#7 verification capabilities.
   For signers that are not discoverable using the trust list or input, use
   the stored list as a pool to generate a trusted chain to the signer.

** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
   under DTLS.

** libgnutls: [added missing news entry since 3.5.0] No longer tolerate
   certificate key usage violations for TLS signature verification, and
   decryption. That is, GnuTLS will fail to connect to servers which
   incorrectly use a certificate restricted to signing for decryption, or
   vice-versa. This reverts the lax behavior introduced in 3.1.0, due to
   several such broken servers being available. The %COMPAT priority keyword
   can be used to work-around connecting to these servers.

** certtool: When exporting a CRQ in DER format ensure no text data are
   intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of key ID in --certificate-info
   options.

** p11tool: Introduced the --initialize-pin and --initialize-so-pin options.

** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added

* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652)
   structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters using
   groups from RFC7919.

** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now
   the generated textual DN is in reverse order according to RFC4514, and
   functions which generate a DN from strings such as gnutls_x509_crt_set_*dn()
   set the expected DN (reverse of the provided string).

** libgnutls: Introduced time and constraints checks in the end certificate in
   the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
   functions.
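The 3.5.7 entry "Improved MTU calculation precision for the CBC ciphersuites
under DTLS" and the 3.6.2 entry "Corrected MTU calculation for the CBC
ciphersuites" concern the same arithmetic: how many application bytes fit in
one DTLS record once the record header, the explicit IV, the MAC and the
padding are accounted for, given that only the padding-length byte is fixed
overhead and the remaining padding is space the data may occupy. The
following is an added example and not GnuTLS code; it carries that
computation through for a DTLS 1.2 MAC-then-encrypt CBC record and confirms
the result is tight (one more byte would need another block). The suite
constants, the record_mtu budget (assumed to already exclude IP/UDP headers)
and all function names are the example's own.

```c
#include <stddef.h>

/* Added example, not GnuTLS code. Wire layout of one DTLS 1.2 CBC record
 * (MAC-then-encrypt):
 *   13-byte record header | explicit IV (one block) | CBC(data|MAC|pad|padlen)
 * The padlen byte is fixed overhead. The other pad bytes are not: the sender
 * picks them to reach the next block boundary, so that space is available to
 * data. The data MTU is therefore "whole blocks that fit, minus MAC, minus
 * one", which is the correction the 3.6.2 entry describes. */

#define DTLS_RECORD_HDR 13   /* type(1) version(2) epoch(2) seq(6) length(2) */

typedef struct {
    size_t block;            /* cipher block size, also the explicit IV size */
    size_t mac;              /* MAC tag size */
} cbc_suite_t;

/* Two legacy suites still seen on the wire (sizes from their definitions). */
const cbc_suite_t AES128_CBC_SHA1 = { 16, 20 };
const cbc_suite_t TDES_CBC_SHA1   = {  8, 20 };

/* Largest application payload that fits in record_mtu bytes, where
 * record_mtu is the budget for the DTLS record itself (the caller has already
 * subtracted the IP and UDP headers). */
size_t cbc_data_mtu(size_t record_mtu, cbc_suite_t s)
{
    if (record_mtu < DTLS_RECORD_HDR + s.block)
        return 0;
    size_t room   = record_mtu - DTLS_RECORD_HDR - s.block; /* for ciphertext */
    size_t cipher = (room / s.block) * s.block;             /* whole blocks */
    if (cipher < s.mac + 1)
        return 0;
    return cipher - s.mac - 1;                              /* data bytes */
}

/* Inverse: bytes on the wire for a record carrying `data` bytes. */
size_t cbc_record_size(size_t data, cbc_suite_t s)
{
    size_t inner  = data + s.mac + 1;                       /* data|MAC|padlen */
    size_t cipher = ((inner + s.block - 1) / s.block) * s.block;
    return DTLS_RECORD_HDR + s.block + cipher;
}

/* 1 if cbc_data_mtu() is exactly tight for record_mtu: the computed payload
 * fits, and one more byte would not. */
int cbc_data_mtu_is_tight(size_t record_mtu, cbc_suite_t s)
{
    size_t d = cbc_data_mtu(record_mtu, s);
    return cbc_record_size(d, s) <= record_mtu &&
           cbc_record_size(d + 1, s) > record_mtu;
}
```

With a 1400-byte record budget and AES-128-CBC/HMAC-SHA1 this yields 1339
data bytes (1400 - 13 - 16 = 1371 bytes of room, 85 whole blocks = 1360 bytes
of ciphertext, minus 20 bytes of MAC and the padlen byte); the record then
occupies 1389 bytes and a 1340-byte payload would need a further block.
Getting this wrong in the pessimistic direction wastes bandwidth; getting it
wrong in the optimistic direction produces datagrams that exceed the path
MTU and are silently dropped.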
** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into a busy loop if the peer
   continuously sends alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover
   but others may remain in a busy loop indefinitely. This is related but not
   identical to CVE-2016-8610, due to the difference in alert handling of the
   libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
   functions return an index (introduced in 3.5.5), to avoid affecting
   programs which explicitly check success of the function as equality to
   zero. In order for these functions to return an index an explicit call to
   gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now
   required.

** libgnutls: Reverted the behavior of sending a status request extension
   even without a response (introduced in 3.5.5). That is, we no longer reply
   to a client's hello with a status request, with a status request extension.
   Although that behavior is legal, it creates incompatibility issues with
   releases in the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator to the first
   call of gnutls_rnd(). This allows applications to load on systems on which
   getrandom() would block, without blocking until real random data are
   needed.

** certtool: --get-dh-params will output parameters from the RFC7919 groups.

** p11tool: improvements in --initialize option.
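The RFC 4514 DN entries in 3.5.6 (strict output, RDNs in reverse order) and
the 3.5.7 revert to the traditional order are easiest to see side by side,
since the same DN serialises to two different strings and a consumer that
compares DN strings will disagree with itself across the two formats. The
following is an added example and not GnuTLS code; it renders one
constructed DN in both orders and applies the RFC 4514 section 2.4 escaping
(leading '#' or space, trailing space, and the characters " + , ; < > \).
The rdn_t type, the sample DN and the function names are the example's own;
multi-valued RDNs and the hex '#' form for non-string values are not handled.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not GnuTLS code. Renders a DN in the two textual orders
 * discussed in the 3.5.6 and 3.5.7 entries. Input RDNs are in DER (X.501)
 * order, root first, e.g. C, O, CN. Single-valued RDNs only. */
typedef struct {
    const char *type;    /* attribute short name, e.g. "CN" */
    const char *value;   /* attribute value as a C string */
} rdn_t;

/* Append one char if there is room; otherwise record overflow in *ok. */
static void put(char *out, size_t cap, size_t *pos, int *ok, char c)
{
    if (*pos + 1 < cap)
        out[(*pos)++] = c;
    else
        *ok = 0;
}

/* Attribute value escaping, RFC 4514 section 2.4: a leading '#' or space,
 * a trailing space, and any of  " + , ; < > \  get a backslash in front. */
static void put_value(char *out, size_t cap, size_t *pos, int *ok, const char *v)
{
    size_t n = strlen(v);
    for (size_t i = 0; i < n; i++) {
        char c = v[i];
        int special = strchr("\"+,;<>\\", c) != NULL
                   || (i == 0 && (c == '#' || c == ' '))
                   || (i + 1 == n && c == ' ');
        if (special)
            put(out, cap, pos, ok, '\\');
        put(out, cap, pos, ok, c);
    }
}

/* reverse=1: strict RFC 4514 order, last RDN first ("CN=...,O=...,C=...").
 * reverse=0: the traditional order ("C=...,O=...,CN=...") that 3.5.7 went
 * back to for the older functions.
 * Returns 0 on success, -1 if cap was too small (output is truncated but
 * still NUL-terminated). */
int dn_to_string(const rdn_t *dn, size_t count, int reverse, char *out, size_t cap)
{
    size_t pos = 0;
    int ok = 1;
    if (cap == 0)
        return -1;
    for (size_t k = 0; k < count; k++) {
        const rdn_t *r = reverse ? &dn[count - 1 - k] : &dn[k];
        if (k)
            put(out, cap, &pos, &ok, ',');
        for (const char *t = r->type; *t; t++)
            put(out, cap, &pos, &ok, *t);
        put(out, cap, &pos, &ok, '=');
        put_value(out, cap, &pos, &ok, r->value);
    }
    out[pos] = '\0';
    return ok ? 0 : -1;
}

/* Constructed sample: values that need escaping (a comma, a trailing space). */
const rdn_t SAMPLE_DN[] = {
    { "C",  "GR" },
    { "O",  "Example, Ltd." },
    { "CN", "Nikos " },
};
const size_t SAMPLE_DN_LEN = sizeof SAMPLE_DN / sizeof SAMPLE_DN[0];

const char *sample_dn_strict(void)
{
    static char buf[128];
    dn_to_string(SAMPLE_DN, SAMPLE_DN_LEN, 1, buf, sizeof buf);
    return buf;                 /* "CN=Nikos\ ,O=Example\, Ltd.,C=GR" */
}

const char *sample_dn_traditional(void)
{
    static char buf[128];
    dn_to_string(SAMPLE_DN, SAMPLE_DN_LEN, 0, buf, sizeof buf);
    return buf;                 /* "C=GR,O=Example\, Ltd.,CN=Nikos\ " */
}

int sample_dn_overflow(void)    /* returns -1: 8 bytes is not enough */
{
    char small[8];
    return dn_to_string(SAMPLE_DN, SAMPLE_DN_LEN, 1, small, sizeof small);
}
```

The escaping is what makes the strict form safe to feed back into a DN
parser: without it, "Example, Ltd." would split into two RDNs, and a
trailing space would be silently dropped. Code that matches DNs should
compare the decoded RDN sequences, not the rendered strings, so that the
order change between the two formats cannot turn a match into a mismatch.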
** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added

* Version 3.5.5 (released 2016-10-09)

** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to
   allow importing multiple OCSP request files, one for each chain provided.

** libgnutls: The gnutls_certificate_set_key* functions return an index of the
   added chain. That index can be used either with
   gnutls_certificate_set_ocsp_status_request_file(), or with
   gnutls_certificate_get_crt_raw() and friends.

** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized
   implementations for the aarch64 architecture. Uses Andy Polyakov's assembly
   code.

** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures
   due to key mismatch. This prevents leaks or double freeing on such failures.

** libgnutls: Increased the maximum size of the handsha ...