Changelog:
This is a SECURITY UPDATE, fixing vulnerabilities in the obsolete SSH-1
protocol. It also includes many bug fixes over 0.71. We recommend that
everybody update.
Vulnerabilities fixed in this release include:
- A malicious SSH-1 server could trigger a buffer overrun by sending
extremely short RSA keys, or certain bad packet length fields.
Either of these could happen before host key verification, so even
if you trust the server you *intended* to connect to, you would
still be at risk.
(However, the SSH-1 protocol is obsolete, and recent versions of
PuTTY do not try it by default, so you are only at risk if you work
with old servers and have explicitly configured SSH-1.)
- If a malicious process found a way to impersonate Pageant, then it
could cause an integer overflow in any of the SSH client tools
(PuTTY, Plink, PSCP, PSFTP) which accessed the malicious Pageant.
Other security-related bug fixes include:
- The 'trust sigil' system introduced in PuTTY 0.71 to protect
against server spoofing attacks had multiple bugs. Trust sigils
were not turned off after login in the SSH-1 and Rlogin protocols,
and not turned back on if you used the Restart Session command.
Both are now fixed.
Other bug fixes include:
- Kerberos key exchange could crash at the start of an SSH session
in the presence of a third-party Windows provider such as
MIT Kerberos for Windows, and could also crash if the server sent
an ordinary SSH host key as part of the Kerberos exchange.
- In SSH-2 keyboard-interactive authentication, one of the message
fields sent by the server (namely the 'instructions' message) was
accidentally never displayed to the user.
- When using SSH-2 connection sharing, pasting text into a downstream
PuTTY window that included a line longer than 16Kb could cause that
window's connection to be closed.
- When using PSCP in old-fashioned SCP mode, downloading files
specified by a wildcard could cause a newline character to be
appended to the downloaded file names. Also, using the -p option to
preserve file times failed with a spurious error message.
- On Windows, the numeric keypad key that should generate '.' or ','
depending on keyboard layout was always generating '.'.
- RSA keys generated by PuTTYgen could be 1 bit shorter than
requested. (Harmless, but a regression in 0.71 compared to 0.70.)
8.5.4:
All platforms
Update Firefox to 60.8.0esr
Update Torbutton to 2.1.12
Bug 30577: Add Fundraising Banner
Bug 31041: Stop syncing network.cookie.lifetimePolicy
Translations update
Update HTTPS Everywhere to 2019.6.27
Bug 31055+31058: Remove four default bridges
Bug 30712: Backport fix for Mozilla's bug 1552993
Bug 30849: Backport fixes for Mozilla's bug 1552627 and 1549833
Windows + OS X + Linux
Update Tor to 0.4.0.5
Update OpenSSL to 1.0.2s
Bug 29045: Ensure that tor does not start up in dormant mode
OS X
Bug 30631: Blurry Tor Browser icon on macOS app switcher
8.5.3:
All platforms
Pick up fix for Mozilla's bug 1560192
8.5.2:
All platforms
Pick up fix for Mozilla's bug 1544386
Update NoScript to 10.6.3
Bug 29904: NoScript blocks MP4 on higher security levels
Bug 30624+29043+29647: Prevent XSS protection from freezing the browser
8.5.1:
All platforms
Update Torbutton to 2.1.10
Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
Bug 30464: Add WebGL to safer descriptions
Translations update
Update NoScript to 10.6.2
Bug 29969: Remove workaround for Mozilla's bug 1532530
Update HTTPS Everywhere to 2019.5.13
Bug 30541: Disable WebGL readPixel() for web content
Windows + OS X + Linux
Bug 30560: Better match actual toolbar in onboarding toolbar graphic
Bug 30571: Correct more information URL for security settings
Android
Bug 30635: Sync mobile default bridges list with desktop one
Build System
All platforms
Bug 30480: Check that signed tag contains expected tag name
- apparently the Let's Encrypt test server is rejecting example.com emails
- added official python 3.7 support in setup.py
- fixed#226, start using POST-as-GET for GET requests
- fixed additional POST-as-GET
- addresses #205, a situation where polling may hang indefinitely
- Also accept critical SAN extensions.
- fixed#222, we shouldn't delete the challenge files on errors, but we
should clean them up on success
pkgsrc changes:
- Remove PYTHON_VERSIONS_INCOMPATIBLE, Python 3.x is now supported too
- Take MAINTAINERship
Changes:
- Upstream doesn't provide changelog (and CHANGELOG file just reference to
commit messages). According skimming of commit messages mostly bugfixes and
improvements.
NEWS for the Nettle 3.5.1 release
The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
The new directory x86_64/sha_ni were missing in the tar file,
breaking x86_64 builds with --enable-fat, and producing worse
performance than promised for builds with --enable-x86-sha-ni.
Also a few unused in-progress assembly files were accidentally
included in the tar file.
These problems are corrected in Nettle-3.5.1. There are no
other changes, and also the library version numbers are
unchanged.
NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations,
and deletes or deprecates a few obsolete features. It is *not*
binary (ABI) compatible with earlier versions. Except for
deprecations listed below, it is intended to be fully
source-level (API) compatible with Nettle-3.4.1.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0, with sonames libnettle.so.7 and
libhogweed.so.5.
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher
to process more than one block at a time. This is not a
change to the documented behavior, but unfortunately breaks
assumptions accidentally made in GnuTLS, up to and including
version 3.6.1.
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single
octet per block cipher operation), contributed by Dmitry
Eremin-Solenikov.
* Support for CMAC (RFC 4493), contributed by Nikos
Mavrogiannopoulos.
* Support for XTS mode, contributed by Simo Sorce.
Optimizations:
* Improved performance of the x86_64 AES implementation using
the aesni instructions. Gives a large speedup for operations
processing multiple blocks at a time (including CTR mode,
GCM mode, and CBC decrypt, but *not* CBC encrypt).
* Improved performance for CTR mode, for the common case of
16-byte block size. Pass more data at a time to underlying
block cipher, and fill the counter blocks more efficiently.
Extension to also handle GCM mode efficiently contributed
by Nikos Mavrogiannopoulos.
* New x86_64 implementation of sha1 and sha256, for processors
supporting the sha_ni instructions. Speedup of 3-5 times on
affected processors.
* Improved parameters for the precomputation of tables used
for ecc signatures. Roughly 10%-15% speedup of the ecdsa
sign operation using the secp_256r1, secp_384r1 and
secp_521r1 curves, and 25% speedup of ed25519 sign
operation, benchmarked on x86_64. Table sizes unchanged,
around 16 KB per curve.
* In ARM fat builds, automatically select Neon implementation
of Chacha, where possible. Contributed by Yuriy M.
Kaminskiy.
Deleted features:
* The header file des-compat.h and everything declared therein
has been deleted, as announced earlier. This file provided a
subset of the old libdes/ssleay/openssl interface for DES
and triple-DES. DES is still supported, via the functions
declared in des.h.
* Functions using the old struct aes_ctx have been marked as
deprecated. Use the fixed key size interface instead, e.g.,
struct aes256_ctx, introduced in Nettle-3.0.
* The header file nettle-stdint.h, and corresponding autoconf
tests, have been deleted. Nettle now requires that the
compiler/libc provides <stdint.h>.
Miscellaneous:
* Support for big-endian ARM systems, contributed by Michael
Weiser.
* The programs aesdata, desdata, twofishdata, shadata and
gcmdata are no longer built by default. Makefile
improvements contributed by Jay Foad.
* The "example" program examples/eratosthenes.c has been
deleted.
* The contents of hash context structs, and the deprecated
aes_ctx struct, have been reorganized, to enable later
optimizations.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0.
* Change MASTER_SITES to https://
Changelog:
Version 5.55, 2019.06.10, urgency: HIGH
* Security bugfixes
- Fixed a Windows local privilege escalation vulnerability
caused insecure OpenSSL cross-compilation defaults.
Successful exploitation requires stunnel to be deployed
as a Windows service, and user-writable C:\ folder. This
vulnerability was discovered and reported by Rich Mirch.
- OpenSSL DLLs updated to version 1.1.1c.
* Bugfixes
- Implemented a workaround for Windows hangs caused by its
inability to the monitor the same socket descriptor from
multiple threads.
- Windows configuration (including cryptographic keys)
is now completely removed at uninstall.
- A number of testing framework fixes and improvements.
Version 5.54, 2019.05.15, urgency: LOW
* New features
- New "ticketKeySecret" and "ticketMacSecret" options
to control confidentiality and integrity protection
of the issued session tickets. These options allow
for session resumption on other nodes in a cluster.
- Added logging the list of active connections on
SIGUSR2 or with Windows GUI.
- Logging of the assigned bind address instead of the
requested bind address.
* Bugfixes
- Service threads are terminated before OpenSSL cleanup
to prevent occasional stunnel crashes at shutdown.
Version 5.53, 2019.04.10, urgency: HIGH
* New features
- Android binary updated to support Android 4.x.
* Bugfixes
- Fixed data transfer stalls introduced in stunnel 5.51.
Version 5.52, 2019.04.08, urgency: HIGH
* Bugfixes
- Fixed a transfer() loop bug introduced in stunnel 5.51.
0.36.0:
Added
-----
Turn off session tickets for nginx plugin by default
Added missing error types from RFC8555 to acme
Changed
-------
Support for Ubuntu 14.04 Trusty has been removed.
Update the 'manage your account' help to be more generic.
The error message when Certbot's Apache plugin is unable to modify your Apache configuration has been improved.
Certbot's config_changes subcommand has been deprecated and will be removed in a future release.
certbot config_changes no longer accepts a --num parameter.
The functions certbot.plugins.common.Installer.view_config_changes and certbot.reverter.Reverter.view_config_changes have been deprecated and will be removed in a future release.
Fixed
-----
Replace some unnecessary platform-specific line separation.
The libtool-ification caused plugins to have a "lib" prefix, causing a mismatch
with what the code was trying to dlopen(), and failures. Bump PKGREVISION.
Changes
=======
* Version 3.6.8 (released 2019-05-28)
** libgnutls: Added gnutls_prf_early() function to retrieve early keying
material (#329)
** libgnutls: Added support for AES-XTS cipher (#354)
** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
512 bit addition)
** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
public key is on the right subgroup (y^q=1 mod p), when q is available (under
TLS 1.3 and under earlier versions when RFC7919 parameters are used).
** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
with the 8192 parameters as well (#995).
** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)
** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
clients to communicate with the server advertising smaller limits than 512
** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
hostname/domain crafting via IDNA conversion (#720)
** certtool: allow the digital signature key usage flag in CA certificates.
Previously certtool would ignore this flag for CA certificates even if
specified (#767)
** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
These allow testing the RFC5705 using these tools.
** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added
Noteworthy changes in version 2.2.17:
* gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf.
* gpg: If an imported keyblocks is too large to be stored in the
keybox (pubring.kbx) do not error out but fallback to an import
using the options "self-sigs-only,import-clean".
* gpg: New command --locate-external-key which can be used to
refresh keys from the Web Key Directory or via other methods
configured with --auto-key-locate.
* gpg: New import option "self-sigs-only".
* gpg: In --auto-key-retrieve prefer WKD over keyservers.
* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07.
* dirmngr: Add an exception for the "openpgpkey" subdomain to the
CSRF protection.
* dirmngr: Fix endless loop due to http errors 503 and 504.
* dirmngr: Fix TLS bug during redirection of HKP requests.
* gpgconf: Fix a race condition when killing components.
July 1st, 2018
v1.18.2
-- Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408)
-- Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373)
-- Fix two-key 3DES (PR #390)
-- Fix accelerated CTR mode (PR #359)
-- Fix Fortuna PRNG (PR #363)
-- Fix compilation on platforms where cc doesn't point to gcc (PR #382)
-- Fix using the wrong environment variable LT instead of LIBTOOL (PR #392)
-- Fix build on platforms where the compiler provides __WCHAR_MAX__ but wchar.h is not available (PR #390)
-- Fix & re-factor crypt_list_all_sizes() and crypt_list_all_constants() (PR #414)
-- Minor fixes (PR's #350#351#375#377#378#379)
January 22nd, 2018
v1.18.1
-- Fix wrong SHA3 blocksizes, thanks to Claus Fischer for reporting this via Mail (PR #329)
-- Fix NULL-pointer dereference in `ccm_memory()` with LTC_CLEAN_STACK enabled (PR #327)
-- Fix `ccm_process()` being unable to process input buffers longer than 256 bytes (PR #326)
-- Fix the `register_all_{ciphers,hashes,prngs}()` return values (PR #316)
-- Fix some typos, warnings and duplicate prototypes in code & doc (PR's #310#320#321#335)
-- Fix possible undefined behavior with LTC_PTHREAD (PR #337)
-- Fix some DER bugs (PR #339)
-- Fix CTR-mode when accelerator is used (OP-TEE/optee_os #2086)
-- Fix installation procedure (Issue #340)
October 10th, 2017
v1.18.0
-- Bugfix multi2
-- Bugfix Noekeon
-- Bugfix XTEA
-- Bugfix rng_get_bytes() on windows where we could read from c:\dev\random
-- Fixed the Bleichbacher Signature attack in PKCS#1 v1.5 EMSA, thanks to Alex Dent
-- Fixed a potential cache-based timing attack in CCM, thanks to Sebastian Verschoor
-- Fix GCM counter reuse and potential timing attacks in EAX, OCB and OCBv3,
thanks to Raphaël Jamet
-- Implement hardened RSA operations when CRT is used
-- Enabled timing resistant calculations of ECC and RSA operations per default
-- Applied some patches from the OLPC project regarding PKCS#1 and preventing
the hash algorithms from overflowing
-- Larry Bugbee contributed the necessary stuff to more easily call libtomcrypt
from a dynamic language like Python, as shown in his pyTomCrypt
-- Nikos Mavrogiannopoulos contributed RSA blinding and export of RSA and DSA keys
in OpenSSL/GnuTLS compatible format
-- Patrick Pelletier contributed a smart volley of patches
-- Christopher Brown contributed some patches and additions to ASN.1/DER
-- Pascal Brand of STMicroelectronics contributed patches regarding CCM, the
XTS mode and RSA private key operations with keys without CRT parameters
-- RC2 now also works with smaller key-sizes
-- Improved/extended several tests & demos
-- Hardened DSA and RSA by testing (through Karel's perl-CryptX)
against Google's "Wycheproof" and Kudelski Security's "CDF"
-- Fixed all compiler warnings
-- Fixed several build issues on FreeBSD, NetBSD, Linux x32 ABI, HP-UX/IA64,
Mac OS X, Windows (32&64bit, Cygwin, MingW & MSVC) ...
-- Re-worked all makefiles
-- Re-worked most PRNG's
-- The code is now verified by a linter, thanks to Francois Perrad
-- Documentation (crypt.pdf) is now built deterministically, thanks to Michael Stapelberg
-- Add Adler32 and CRC32 checksum algorithms
-- Add Base64-URL de-/encoding and some strict variants
-- Add Blake2b & Blake2s (hash & mac), thanks to Kelvin Sherlock
-- Add Camellia block cipher
-- Add ChaCha (stream cipher), Poly1305 (mac), ChaCha20Poly1305 (encauth)
-- Add constant-time mem-compare mem_neq()
-- Add DER GeneralizedTime de-/encoding
-- Add DSA and ECC key generation FIPS-186-4 compliance
-- Add HKDF, thanks to RyanC (especially for also providing documentation :-) )
-- Add OCBv3
-- Add PKCS#1 v1.5 mode of SSL3.0
-- Add PKCS#1 testvectors from RSA
-- Add PKCS#8 & X.509 import for RSA keys
-- Add stream cipher API
-- Add SHA3 & SHAKE
-- Add SHA512/256 and SHA512/224
-- Add Triple-DES 2-key mode, thanks to Paul Howarth
-- Brought back Diffie-Hellman
Changes:
- adds ECDSA keys and host key support when using OpenSSL
- adds ED25519 key and host key support when using OpenSSL 1.1.1
- adds OpenSSH style key file reading
- adds AES CTR mode support when using WinCNG
- adds PEM passphrase protected file support for Libgcrypt and WinCNG
- adds SHA256 hostkey fingerprint
- adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
- adds explicit zeroing of sensitive data in memory
- adds additional bounds checks to network buffer reads
- adds the ability to use the server default permissions when creating sftp directories
- adds support for building with OpenSSL no engine flag
- adds support for building with LibreSSL
- increased sftp packet size to 256k
- fixed oversized packet handling in sftp
- fixed building with OpenSSL 1.1
- fixed a possible crash if sftp stat gets an unexpected response
- fixed incorrect parsing of the KEX preference string value
- fixed conditional RSA and AES-CTR support
- fixed a small memory leak during the key exchange process
- fixed a possible memory leak of the ssh banner string
- fixed various small memory leaks in the backends
- fixed possible out of bounds read when parsing public keys from the server
- fixed possible out of bounds read when parsing invalid PEM files
- no longer null terminates the scp remote exec command
- now handle errors when diffie hellman key pair generation fails
- fixed compiling on Windows with the flag STDCALL=ON
- improved building instructions
- improved unit tests
3.0.2:
* Fixed space encoding in base string URI used in the signature base string.
* Fixed OIDC /token response which wrongly returned "&state=None"
* Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* Fixed OIDC "nonce" checks: raise errors when it's mandatory
Noteworthy changes in version 1.13.1:
* cpp: gpgme_set_global_flag is now wrapped.
* w32: Improved handling of unicode install paths.
* w32: The gpgme_io_spawn error message is now only shown once.
* Fixed a crash introduced in 1.13.0 when working with S/MIME.
* w32: Fixed format string errors introduced in 1.13.0 that could
cause crashes.
* w32: Fixed an error in the new diagnostic gpgsm support introduced
in 1.13.0 that caused crashes in low fd scenarios.
* python: Fixed a DecryptionError Exception.
* python: No longer raises BadSignatures from decrypt(verify=True).
* Add security/libsodium as dependency
Changelog:
2.4.3 (2019-06-12)
=========================
- Fix library loading issues in the Snap and macOS releases [#3247]
- Fix various keyboard navigation issues [#3248]
- Fix main window toggling regression when clicking the tray icon on KDE [#3258]
- Add documentation for keyboard shortcuts to source code distribution [#3215]
2.4.2 (2019-05-31)
=========================
- Improve resilience against memory attacks - overwrite memory before free [#3020]
- Prevent infinite save loop when location is unavailable [#3026]
- Attempt to fix quitting application when shutdown or logout issued [#3199]
- Support merging database custom data [#3002]
- Fix opening URL's with non-http schemes [#3153]
- Fix data loss due to not reading all database attachments if duplicates exist [#3180]
- Fix entry context menu disabling when using keyboard navigation [#3199]
- Fix behaviors when canceling an entry edit [#3199]
- Fix processing of tray icon click and doubleclick [#3112]
- Update group in preview widget when focused [#3199]
- Prefer DuckDuckGo service over direct icon download (increases resolution) [#2996]
- Remove apply button in application settings [#3019]
- Use winqtdeploy on Windows to correct deployment issues [#3025]
- Don't mark entry edit as modified when attribute selection changes [#3041]
- Use console code page CP_UTF8 on Windows if supported [#3050]
- Snap: Fix locking database with session lock [#3046]
- Snap: Fix theming across Linux distributions [#3057]
- Snap: Use SNAP_USER_COMMON and SNAP_USER_DATA directories [#3131]
- KeeShare: Automatically enable WITH_XC_KEESHARE_SECURE if quazip is found [#3088]
- macOS: Fix toolbar text when in dark mode [#2998]
- macOS: Lock database on switching user [#3097]
- macOS: Fix global Auto-Type when the database is locked [#3138]
- Browser: Close popups when database is locked [#3093]
- Browser: Add tests [#3016]
- Browser: Don't create default group if custom group is enabled [#3127]
2.6.0:
Add a new keyword argument to SSHClient.connect and Transport, disabled_algorithms, which allows selectively disabling one or more kex/key/cipher/etc algorithms. This can be useful when disabling algorithms your target server (or client) does not support cleanly, or to work around unpatched bugs in Paramiko’s own implementation thereof.
SSHClient.exec_command previously returned a naive ChannelFile object for its stdin value; such objects don’t know to properly shut down the remote end’s stdin when they .close(). This lead to issues (such as hangs) when running remote commands that read from stdin.
Add backwards-compatible support for the gssapi GSSAPI library, as the previous backend (python-gssapi) has since become defunct. This change also includes tests for the GSSAPI functionality.
Tweak many exception classes so their string representations are more human-friendly; this also includes incidental changes to some super() calls.
Tested on OS X Tiger PowerPC and NetBSD-HEAD amd64
Changes between 1.0.2r and 1.0.2s [28 May 2019]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Add FIPS support for Android Arm 64-bit
Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
Module in Version 2.0.10. For some reason, the corresponding target
'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
built with FIPS support on Android Arm 64-bit. This omission has been
fixed.
[Matthias St. Pierre]
Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
*) 0-byte record padding oracle
If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently
based on that in a way that is detectable to the remote peer, then this
amounts to a padding oracle that could be used to decrypt data.
In order for this to be exploitable "non-stitched" ciphersuites must be in
use. Stitched ciphersuites are optimised implementations of certain
commonly used ciphersuites. Also the application must call SSL_shutdown()
twice even if a protocol error has occurred (applications should not do
this but some do anyway).
This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
Aviram, with additional investigation by Steven Collison and Andrew
Hourselt. It was reported to OpenSSL on 10th December 2018.
(CVE-2019-1559)
[Matt Caswell]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
Module, accidentally introduced while backporting security fixes from the
development branch and hindering the use of ECC in FIPS mode.
[Nicola Tuveri]
3.1.7:
Set a setuptools lower bound for PEP517 wheel building.
We no longer distribute 32-bit manylinux1 wheels. Continuing to produce them was a maintenance burden.
0.35.1:
Fixed
Support for specifying an authoritative base domain in our dns-rfc2136 plugin has been removed. This feature was added in our last release but had a bug which caused the plugin to fail so the feature has been removed until it can be added properly.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
certbot-dns-rfc2136
py-certbot: update to 0.35.0
py-certbot-apache: update to 0.35.0
py-certbot-dns-luadns: update to 0.35.0
py-certbot-dns-nsone: update to 0.35.0
py-certbot-dns-ovh: update to 0.35.0
py-certbot-dns-rfc2136: update to 0.35.0
py-certbot-dns-route53: update to 0.35.0
py-certbot-dns-sakuracloud: update to 0.35.0
py-certbot-nginx: update to 0.35.0
pkgsrc changes:
---------------
* Add py-certbot/Makefile.common to make version number coherent
upstream changes:
-----------------
- Added
o dns_rfc2136 plugin now supports explicitly specifing an authorative base domain for cases when the automatic method does not work (e.g. Split horizon DNS)
- Fixed
o Renewal parameter webroot_path is always saved, avoiding some regressions when webroot authenticator plugin is invoked with no challenge to perform.
o Certbot now accepts OCSP responses when an explicit authorized responder, different from the issuer, is used to sign OCSP responses.
o Scripts in Certbot hook directories are no longer executed when their filenames end in a tilde.
- Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
o certbot
o certbot-dns-rfc2136
Release 1.17.0:
Added support for “reverse direction” SSH connections, useful to support applications like NETCONF Call Home, described in RFC 8071.
Added support for the PyCA implementation of Chacha20-Poly1305, eliminating the dependency on libnacl/libsodium to provide this functionality, as long as OpenSSL 1.1.1b or later is installed.
Restored libnacl support for Curve25519/Ed25519 on systems which have an older version of OpenSSL that doesn’t have that support. This fallback also applies to Chacha20-Poly1305.
Fixed Pageant support on Windows to use the Pageant agent by default when it is available and client keys are not explicitly configured.
Disabled the use of RSA SHA-2 signatures when using the Pageant or Windows 10 OpenSSH agent on Windows, since neither of those support the signature flags options to request them.
Fixed a regression where a callable was no longer usable in the sftp_factory argument of create_server.
2.5.0:
[Feature] Updated SSHConfig.lookup so it returns a new, type-casting-friendly dict subclass (SSHConfigDict) in lieu of dict literals. This ought to be backwards compatible, and allows an easier way to check boolean or int type ssh_config values.
[Feature] Add support for Curve25519 key exchange (aka curve25519-sha256@libssh.org).
[Feature] Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). Patch courtesy of Edgar Sousa.
[Support] Update our install docs with (somewhat) recently added additional dependencies; we previously only required Cryptography, but the docs never got updated after we incurred bcrypt and pynacl requirements for Ed25519 key support.
Additionally, pyasn1 was never actually hard-required; it was necessary during a development branch, and is used by the optional GSSAPI support, but is not required for regular installation. Thus, it has been removed from our setup.py and its imports in the GSSAPI code made optional.
[Support] Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
[Support] Add support for the modern (as of Python 3.3) import location of MutableMapping (used in host key management) to avoid the old location becoming deprecated in Python 3.8.
[Support] Raise Cryptography dependency requirement to version 2.5 (from 1.5) and update some deprecated uses of its API.
Version 8.2.0
minor release, no recompile of programs required
expanded community input and support
56 unique contributors as of this release
use PowerPC unaligned loads and stores with Power8
add SKIPJACK test vectors
fix SHAKE-128 and SHAKE-256 compile
removed IS_NEON from Makefile
fix Aarch64 build on Fedora 29
fix missing GF2NT_233_Multiply_Reduce_CLMUL in FIPS DLL
add missing BLAKE2 constructors
fix missing BlockSize() in BLAKE2 classes
Version 8.1.0
minor release, no recompile of programs required
expanded community input and support
56 unique contributors as of this release
fix OS X PowerPC builds with Clang
add Microsoft ARM64 support
fix iPhone Simulator build due to missign symbols
add CRYPTOPP_BUGGY_SIMD_LOAD_AND_STORE
add carryless multiplies for NIST b233 and k233 curves
fix OpenMP build due to use of OpenMP 4 with down-level compilers
add SignStream and VerifyStream for ed25519 and large files
fix missing AlgorithmProvider in PanamaHash
add SHAKE-128 and SHAKE-256
fix AVX2 build due to _mm256_broadcastsi128_si256
add IETF ChaCha, XChaCha, ChaChaPoly1305 and XChaChaPoly1305
Version 8.0.0
major release, recompile of programs required
expanded community input and support
54 unique contributors as of this release
add x25519 key exchange and ed25519 signature scheme
add limited Asymmetric Key Package support from RFC 5958
add Power9 DARN random number generator support
add CHAM, HC-128, HC-256, Hight, LEA, Rabbit, Simeck
fix FixedSizeAllocatorWithCleanup may be unaligned on some platforms
cutover to GNU Make-based cpu feature tests
rename files with dashes to underscores
fix LegacyDecryptor and LegacyDecryptorWithMAC use wrong MAC
fix incorrect AES/CBC decryption on Windows
avoid Singleton<T> when possible, avoid std::call_once completely
fix SPARC alignment problems due to GetAlignmentOf<T>() on word64
add ARM AES asm implementation from Cryptogams
remove CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS support
Noteworthy changes in version 2.2.16:
* gpg,gpgsm: Fix deadlock on Windows due to a keybox sharing
violation.
* gpg: Allow deletion of subkeys with --delete-key. This finally
makes the bang-suffix work as expected for that command.
* gpg: Replace SHA-1 by SHA-256 in self-signatures when updating
them with --quick-set-expire or --quick-set-primary-uid.
* gpg: Improve the photo image viewer selection.
* gpg: Fix decryption with --use-embedded-filename.
* gpg: Remove hints on using the --keyserver option.
* gpg: Fix export of certain secret keys with comments.
* gpg: Reject too long user-ids in --quick-gen-key.
* gpg: Fix a double free in the best key selection code.
* gpg: Fix the key generation dialog for switching back from EdDSA
to ECDSA.
* gpg: Use AES-192 with SHA-384 to comply with RFC-6637.
* gpg: Use only the addrspec from the Signer's UID subpacket to
mitigate a problem with another implementation.
* gpg: Skip invalid packets during a keyring listing and sync
diagnostics with the output.
* gpgsm: Avoid confusing diagnostic when signing with the default
key.
* agent: Do not delete any secret key in --dry-run mode.
* agent: Fix failures on 64 bit big-endian boxes related to URIs in
a keyfile.
* agent: Stop scdaemon after a reload with disable-scdaemon newly
configured.
* dirmngr: Improve caching algorithm for WKD domains.
* dirmngr: Support other hash algorithms than SHA-1 for OCSP.
* gpgconf: Make --homedir work for --launch.
* gpgconf: Before --launch check for a valid config file.
* wkd: Do not import more than 5 keys from one WKD address.
* wkd: Accept keys which are stored in armored format in the
directory.
* The installer for Windows now comes with signed binaries.
Pick up two more NetBSD bugfixes from firefox60:
* use /dev/audio instead of /dev/sound
* use libGL.so instead of the versioned libGL.so.1, which does not exist
on NetBSD
Version 1.0.18
- The Enterprise versions of Visual Studio are now supported.
- Visual Studio 2019 is now supported.
- 32-bit binaries for Visual Studio 2010 are now provided.
- A test that didn't work properly on Linux systems with overcommit
memory turned on has been removed. This fixes Ansible builds.
- Emscripten: print and printErr functions are overridden to send
errors to the console, if there is one.
- Emscripten: UTF8ToString() is now exported since Pointer_stringify()
has been deprecated.
- Libsodium version detection has been fixed in the CMake recipe.
- Generic hashing got a 10% speedup on AVX2.
- New target: WebAssembly/WASI (compile with dist-builds/wasm32-wasi.sh).
- New functions to map a hash to an edwards25519 point or get a random point:
core_ed25519_from_hash() and core_ed25519_random().
- crypto_core_ed25519_scalar_mul() has been implemented for scalar*scalar
(mod L) multiplication.
- Support for the Ristretto group has been implemented, for compatibility
with wasm-crypto.
- Improvements have been made to the test suite.
- Portability improvements has been made.
- getentropy() is now used on systems providing this system call.
- randombytes_salsa20 has been renamed to randombytes_internal.
- Support for (p)nacl has been removed.
- Most ((nonnull)) attributes have been relaxed to allow 0-length inputs
to be NULL.
- The -ftree-vectorize and -ftree-slp-vectorize compiler switches are
now used, if available, for optimized builds.
2.7:
BACKWARDS INCOMPATIBLE: We no longer distribute 32-bit manylinux1 wheels. Continuing to produce them was a maintenance burden.
BACKWARDS INCOMPATIBLE: Removed the cryptography.hazmat.primitives.mac.MACContext interface. The CMAC and HMAC APIs have not changed, but they are no longer registered as MACContext instances.
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.1c.
Removed support for running our tests with setup.py test. Users interested in running our tests can continue to follow the directions in our :doc:development documentation</development/getting-started>.
Add support for :class:~cryptography.hazmat.primitives.poly1305.Poly1305 when using OpenSSL 1.1.1 or newer.
Support serialization with Encoding.OpenSSH and PublicFormat.OpenSSH in :meth:Ed25519PublicKey.public_bytes <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes> .
Correctly allow passing a SubjectKeyIdentifier to :meth:~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier and deprecate passing an Extension object. The documentation always required SubjectKeyIdentifier but the implementation previously required an Extension.
copy tsutsui's commit to firefox:
fix wrong latency unit in stream_init() function.
Based on a patch in PR pkg/54206 from Y.Sugahara.
Bump PKGREVISION.
Avoid a situation where a build host can use SSE2, but opt.c is then
compiled without SSE2 support (which fails).
Also check for CFLAGS for this compile test while here.
amend comment: we avoid -march=native not because of netbsd, but because
it results in shiny package builders creating packages not usable by
some users with older machines.
PR pkg/54238: security/argon2 build fails on i386-current (8.99.41)
signing-party (2.10-1) unstable; urgency=high
* gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
shell injection via a User ID. Use Perl's (core) module Encode.pm instead
of shelling out to `iconv`. (Closes: #928256.)
2016-Jul-30 v3.1 - Added the purge command.
Added Data::Password::passwdqc support to the
pwck command and prefer it over Data::Password.
Minor improvements in cli_pwck().
Applied SF patch #6 from Chris van Marle.
Addressed items pointed out in SF patch #7.
In cli_save(), worked around a File::KeePass bug.
- rt.cpan.org tik# 113391; https://goo.gl/v65HKE
Applied SF patch #8 from Maciej Grela.
Optional better RNG; SF bug #30 from Aaron Toponce.
2017-Dec-22 v3.2 - Added xpx command per the request in SF ticket #32.
Added autosave functionality (shadow copies).
Fixed a bug in new_edit_multiline_input() that was
preventing blank lines between paragraphs.
Fixed a typo in the --help info for --pwfile.
Fixed a small bug in subroutine destroy_found().
0.34.2:
Fixed
certbot-auto no longer writes a check_permissions.py script at the root of the filesystem.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only changes in this release were to certbot-auto.
Changelog:
2.4.1 (2019-04-12)
=========================
- Fix database deletion when using unsafe saves to a different file system [#2889]
- Fix opening databases with legacy key files that contain '/' [#2872]
- Fix opening database files from the command line [#2919]
- Fix crash when editing master key [#2836]
- Fix multiple issues with apply button behavior [#2947]
- Fix issues on application startup (tab order, --pw-stdin, etc.) [#2830]
- Fix building without WITH_XC_KEESHARE
- Fix reference entry coloring on macOS dark mode [#2984]
- Hide window when performing entry auto-type on macOS [#2969]
- Improve UX of update checker; reduce checks to every 7 days [#2968]
- KeeShare improvements [#2946, #2978, #2824]
- Re-enable Ctrl+C to copy password from search box [#2947]
- Add KeePassXC-Browser integration for Brave browser [#2933]
- SSH Agent: Re-Add keys on database unlock [#2982]
- SSH Agent: Only remove keys on app exit if they are removed on lock [#2985]
- CLI: Add --no-password option [#2708]
- CLI: Improve database extraction to XML [#2698]
- CLI: Don't call mandb on build [#2774]
- CLI: Add debug info [#2714]
- Improve support for Snap theming [#2832]
- Add support for building on Haiku OS [#2859]
- Ctrl+PgDn now goes to the next tab and Ctrl+PgUp to the previous
- Fix compiling on GCC 5 / Xenial [#2990]
- Add .gitrev output to tarball for third-party builds [#2970]
- Add WITH_XC_UPDATECHECK compile flag to toggle the update checker [#2968]
0.34.1:
Fixed
certbot-auto no longer prints a blank line when there are no permissions problems.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only changes in this release were to certbot-auto.
More details about these changes can be found on our GitHub repo.
0.34.0:
Changed
Apache plugin now tries to restart httpd on Fedora using systemctl if a configuration test error is detected. This has to be done due to the way Fedora now generates the self signed certificate files upon first restart.
Updated Certbot and its plugins to improve the handling of file system permissions on Windows as a step towards adding proper Windows support to Certbot.
Updated urllib3 to 1.24.2 in certbot-auto.
Removed the fallback introduced with 0.32.0 in acme to retry a challenge response with a keyAuthorization if sending the response without this field caused a malformed error to be received from the ACME server.
Linode DNS plugin now supports api keys created from their new panel at cloud.linode.com
Adding a warning noting that future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.
certbot-auto now prints warnings when run as root with insecure file system permissions. If you see these messages, you should fix the problem by following the instructions at https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/, however, these warnings can be disabled as necessary with the flag --no-permissions-check.
acme module uses now a POST-as-GET request to retrieve the registration from an ACME v2 server
Convert the tsig algorithm specified in the certbot_dns_rfc2136 configuration file to all uppercase letters before validating. This makes the value in the config case insensitive.
Fix conflict with hmac symbol from libc, from Naveen Narayanan.
Update configure option, it was renamed. Bump PKGREVISION for that.
Small pkglint fix while here.
Distfile does not exist and was not redistributable.
Package was marked BROKEN for this reason for some time.
Newer version available, package could be re-added if someone is interested.
(Last update was 2007.)
Update provided by Aleksej Lebedev in pkgsrc-wip.
I removed Interix support. We've been moving the patches for a
while, without a real test on Interix. the support for interix
is quite invasive and makes updating this package difficult.
Will reconsider re-adding if I knew we had actual users on
Interix (I strongly suspect we don't).
OpenSSH 8.0 was released on 2019-04-17. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Security
========
This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.
This release adds client-side checking that the filenames sent from
the server match the command-line request,
The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* scp(1): Relating to the above changes to scp(1); the scp protocol
relies on the remote shell for wildcard expansion, so there is no
infallible way for the client's wildcard matching to perfectly
reflect the server's. If there is a difference between client and
server wildcard expansion, the client may refuse files from the
server. For this reason, we have provided a new "-T" flag to scp
that disables these client-side checks at the risk of
reintroducing the attack described above.
* sshd(8): Remove support for obsolete "host/port" syntax. Slash-
separated host/port was added in 2001 as an alternative to
host:port syntax for the benefit of IPv6 users. These days there
are establised standards for this like [::1]:22 and the slash
syntax is easily mistaken for CIDR notation, which OpenSSH
supports for some things. Remove the slash notation from
ListenAddress and PermitOpen; bz#2335
Changes since OpenSSH 7.9
=========================
This release is focused on new features and internal refactoring.
New Features
------------
* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
PKCS#11 tokens.
* ssh(1), sshd(8): Add experimental quantum-computing resistant
key exchange method, based on a combination of Streamlined NTRU
Prime 4591^761 and X25519.
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a
128-bit equivalent symmetric security level.
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config; bz#2974
* sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect; bz#2960
* ssh(1): When prompting whether to record a new host key, accept
the key fingerprint as a synonym for "yes". This allows the user
to paste a fingerprint obtained out of band at the prompt and
have the client do the comparison for you.
* ssh-keygen(1): When signing multiple certificates on a single
command-line invocation, allow automatically incrementing the
certificate serial number.
* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
the scp and sftp command-lines.
* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass
verbose flags though to subprocesses, such as ssh-pkcs11-helper
started from ssh-agent.
* ssh-add(1): Add a "-T" option to allowing testing whether keys in
an agent are usable by performing a signature and a verification.
* sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
that replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks. bz#2067
* sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
they do not follow symlinks.
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use
it in decision-making. bz#2741
* sshd(8): Add a ssh_config "Match final" predicate Matches in same
pass as "Match canonical" but doesn't require hostname
canonicalisation be enabled. bz#2906
* sftp(1): Support a prefix of '@' to suppress echo of sftp batch
commands; bz#2926
* ssh-keygen(1): When printing certificate contents using
"ssh-keygen -Lf /path/certificate", include the algorithm that
the CA used to sign the cert.
Bugfixes
--------
* sshd(8): Fix authentication failures when sshd_config contains
"AuthenticationMethods any" inside a Match block that overrides
a more restrictive default.
* sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
is enabled.
* sshd(8): Fix two race conditions related to SIGHUP daemon restart.
Remnant file descriptors in recently-forked child processes could
block the parent sshd's attempt to listen(2) to the configured
addresses. Also, the restarting parent sshd could exit before any
child processes that were awaiting their re-execution state had
completed reading it, leaving them in a fallback path.
* ssh(1): Fix stdout potentially being redirected to /dev/null when
ProxyCommand=- was in use.
* sshd(8): Avoid sending SIGPIPE to child processes if they attempt
to write to stderr after their parent processes have exited;
bz#2071
* ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
and ConnectionAttempts directives - connection attempts after the
first were ignoring the requested timeout; bz#2918
* ssh-keyscan(1): Return a non-zero exit status if no keys were
found; bz#2903
* scp(1): Sanitize scp filenames to allow UTF-8 characters without
terminal control sequences; bz#2434
* sshd(8): Fix confusion between ClientAliveInterval and time-based
RekeyLimit that could cause connections to be incorrectly closed.
bz#2757
* ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
handling at initial token login. The attempt to read the PIN
could be skipped in some cases, particularly on devices with
integrated PIN readers. This would lead to an inability to
retrieve keys from these tokens. bz#2652
* ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
C_SignInit operation. bz#2638
* ssh(1): Improve documentation for ProxyJump/-J, clarifying that
local configuration does not apply to jump hosts.
* ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
public keys, not private.
* ssh(1), sshd(8): be more strict in processing protocol banners,
allowing \r characters only immediately before \n.
* Various: fix a number of memory leaks, including bz#2942 and
bz#2938
* scp(1), sftp(1): fix calculation of initial bandwidth limits.
Account for bytes written before the timer starts and adjust the
schedule on which recalculations are performed. Avoids an initial
burst of traffic and yields more accurate bandwidth limits;
bz#2927
* sshd(8): Only consider the ext-info-c extension during the initial
key eschange. It shouldn't be sent in subsequent ones, but if it
is present we should ignore it. This prevents sshd from sending a
SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929
* ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options
may accept either a bare hostname or a [hostname]:port combo.
bz#2935
* ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936
* sshd(8): Silence error messages when sshd fails to load some of
the default host keys. Failure to load an explicitly-configured
hostkey is still an error, and failure to load any host key is
still fatal. pr/103
* ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
started with ControlPersist; prevents random ProxyCommand output
from interfering with session output.
* ssh(1): The ssh client was keeping a redundant ssh-agent socket
(leftover from authentication) around for the life of the
connection; bz#2912
* sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
were specified, then authentication would always fail for RSA keys
as the monitor checks only the base key (not the signature
algorithm) type against *AcceptedKeyTypes. bz#2746
* ssh(1): Request correct signature types from ssh-agent when
certificate keys and RSA-SHA2 signatures are in use.
Portability
-----------
* sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for
token creation if it supports MsV1_0 S4U Logon.
* sshd(8): On Cygwin, use custom user/group matching code that
respects the OS' behaviour of case-insensitive matching.
* sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies
the user environment if it's enabled; bz#2937
* sshd(8) Cygwin: Change service name to cygsshd to avoid collision
with Microsoft's OpenSSH port.
* Allow building against OpenSSL -dev (3.x)
* Fix a number of build problems against version configurations and
versions of OpenSSL. Including bz#2931 and bz#2921
* Improve warnings in cygwin service setup. bz#2922
* Remove hardcoded service name in cygwin setup. bz#2922
Right now, a user installing xscreensaver with the "pam" option will
see two messages about how to configure it, one of which comes from
this package. This needs to be disentangled properly, but there are
some broader questions that also apply to gnome-screensaver and mate-
screensaver, so for now, add a bit more detail here just in case. (This
relates to, but doesn't particularly address, PR pkg/50622.)
1.3.0:
Added optional dependency for cryptography for faster RC4 cipher calls
Removed the deprecation warning for Ntlm, this is still advised not to use but there's no major harm keep it in place for older hosts
Add CI test for Python 3.7 and 3.8
Changes in 2.2
- support for openssl 1.1
- support for AES GCM and AES CCM modes
- new base64 convenience functions
- new botan2 support
- new hkdf support
- various build improvements and (deprecation) cleanups
There may be trouble building this release on windows. Feedback/input
would be very welcome.
(2.2.0 was not announced due to defects noticed after tagging)
Add new package option "editline" (enabled by default) which adds
command line editing and filename completion to the "sftp" client.
Bump the package revision because of this change.
Revision 0.2.5:
- Added module RFC5958 providing Asymmetric Key Packages,
which is essentially version 2 of the PrivateKeyInfo
structure in PKCS#8 in RFC 5208
- Added module RFC8410 providing algorithm Identifiers for
Ed25519, Ed448, X25519, and X448
- Added module RFC8418 providing Elliptic Curve Diffie-Hellman
(ECDH) Key Agreement Algorithm with X25519 and X448
- Added module RFC3565 providing Elliptic Curve Diffie-Hellman
Key Agreement Algorithm use with X25519 and X448 in the
Cryptographic Message Syntax (CMS)
- Added module RFC4108 providing CMS Firmware Wrapper
- Added module RFC3779 providing X.509 Extensions for IP
Addresses and AS Identifiers
- Added module RFC4055 providing additional Algorithms and
Identifiers for RSA Cryptography for use in Certificates
and CRLs
Upstream changes:
**** 1.12 Mar 19, 2019
Avoid use of EC_POINT_set_affine_coordinates_GFp which is
deprecated in OpenSSL 3.0.0
Reduce level of support for OpenSSL non-LTS releases.
Changelog:
Noteworthy changes in version 0.10.0 (2018-10-16)
-------------------------------------------------
* Added key manager context menu items to copy the key fingerprint
and the secret key to the clipboard.
* Added "Details" buttons to many error popups to show raw
diagnostic output from gpg.
* Changed the "Retrieve Key" dialog to first try the Web Key
Directory if a mail address is given. Only if this lookup fails
the keyservers are searched.
* Added a user-ID notebook page to show per user-ID info.
* Made location of locale dir under Windows more flexible.
* Fixed crash on filename conversion error. [#2185]
* Fixed listing of key algos in the subkey windows. [#3405]
* Removed lazy loading of the secret keyring. [#3748]
Release-info: https://dev.gnupg.org/T4186
0.33.1:
Fixed
A bug causing certbot-auto to print warnings or crash on some RHEL based systems has been resolved.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only changes in this release were to certbot-auto.
0.33.0:
Added
Fedora 29+ is now supported by certbot-auto. Since Python 2.x is on a deprecation path in Fedora, certbot-auto will install and use Python 3.x on Fedora 29+.
CLI flag --https-port has been added for Nginx plugin exclusively, and replaces --tls-sni-01-port. It defines the HTTPS port the Nginx plugin will use while setting up a new SSL vhost. By default the HTTPS port is 443.
Changed
Support for TLS-SNI-01 has been removed from all official Certbot plugins.
Attributes related to the TLS-SNI-01 challenge in acme.challenges and acme.standalone modules are deprecated and will be removed soon.
CLI flags --tls-sni-01-port and --tls-sni-01-address are now no-op, will generate a deprecation warning if used, and will be removed soon.
Options tls-sni and tls-sni-01 in --preferred-challenges flag are now no-op, will generate a deprecation warning if used, and will be removed soon.
CLI flag --standalone-supported-challenges has been removed.
Fixed
Certbot uses the Python library cryptography for OCSP when cryptography>=2.5 is installed. We fixed a bug in Certbot causing it to interpret timestamps in the OCSP response as being in the local timezone rather than UTC.
Issue causing the default CentOS 6 TLS configuration to ignore some of the HTTPS VirtualHosts created by Certbot. mod_ssl loading is now moved to main http.conf for this environment where possible.
Version 5.51, 2019.04.04, urgency: MEDIUM
New features
Hexadecimal PSK keys are automatically converted to binary.
Session ticket support (requires OpenSSL 1.1.1 or later). "connect"
address persistence is currently unsupported with session tickets.
SMTP HELO before authentication (thx to Jacopo Giudici).
New "curves" option to control the list of elliptic curves in OpenSSL
1.1.0 and later.
New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
Include file name and line number in OpenSSL errors.
Compatibility with the current OpenSSL 3.0.0-dev branch.
Better performance with SSL_set_read_ahead()/SSL_pending().
Bugfixes
Fixed PSKsecrets as a global option (thx to Teodor Robas).
Fixed a memory allocation bug (thx to matanfih).
Changes:
(No changelog is provided upstream, this is based on commit messages.)
1.3.4
-----
- Add support for preprocess response data (`--preprocess' option)
- Misc bug fixes and improvements
1.3.3
-----
- Misc bug fixes and improvements
1.3.2
-----
- Add and update WAF scripts
- Misc bug fixes and improvements
1.3.1
-----
(Not released)
1.3
---
- Add Approach and Bluedon WAF scripts
- Misc bug fixes and improvements
1.2.12
------
- Misc bug fixes and improvements
3.8.1:
New features
* Add support for loading PEM files encrypted with AES192-CBC, AES256-CBC, and AES256-GCM.
* When importing ECC keys, ignore EC PARAMS section that was included by some openssl commands.
Noteworthy changes in version 1.13.0:
* Support GPGME_AUDITLOG_DIAG for gpgsm.
* New context flag "trust-model".
* Removed support for WindowsCE and Windows ME.
* Aligned the gpgrt-config code with our other libaries.
* Auto-check for all installed Python versions.
* Fixed generating card key in the C++ bindings.
* Fixed a segv due to bad parameters in genkey.
* Fixed crash if the plaintext is ignored in a CMS verify.
* Fixed memleak on Windows.
* Tweaked the Windows I/O code.
* Fixed random crashes on Windows due to closing an arbitrary
handle.
* Fixed a segv on Windows.
* Fixed test suite problems related to dtags.
* Fixed bunch of python bugs.
* Several fixes to the Common Lisp bindings.
* Fixed minor bugs in gpgme-json.
* Require trace level 8 to dump all I/O data.
* The compiler must now support variadic macros.
Changelog:
Version 5.50, 2018.12.02, urgency: MEDIUM
* New features
- 32-bit Windows builds replaced with 64-bit builds.
- OpenSSL DLLs updated to version 1.1.1.
- Check whether "output" is not a relative file name.
- Major code cleanup in the configuration file parser.
- Added sslVersion, sslVersionMin and sslVersionMax
for OpenSSL 1.1.0 and later.
* Bugfixes
- Fixed PSK session resumption with TLS 1.3.
- Fixed a memory leak in WIN32 logging subsystem.
- Allow for zero value (ignored) TLS options.
- Partially refactored configuration file parsing
and logging subsystems for clearer code and minor
bugfixes.
* Caveats
- We removed FIPS support from our standard builds.
FIPS will still be available with bespoke builds.
Version 1.8.2 (25 Mar 2019)
Daniel Stenberg (25 Mar 2019)
- RELEASE-NOTES: version 1.8.2
- [Will Cosgrove brought this change]
moved MAX size declarations #330
- [Will Cosgrove brought this change]
Fixed misapplied patch (#327)
Fixes for user auth
Changelog:
These features were new in 0.70 (released 2017-07-08):
Security fix: the Windows PuTTY binaries should no longer be
vulnerable to hijacking by specially named DLLs in the same
directory, even a name we missed when we thought we'd fixed
this in 0.69. See vuln-indirect-dll-hijack-3.
Windows PuTTY should be able to print again, after our DLL
hijacking defences broke that functionality.
Windows PuTTY should be able to accept keyboard input outside
the current code page, after our DLL hijacking defences broke
that too.
These features are new in 0.71 (released 2019-03-16):
Security fixes found by an EU-funded bug bounty programme:
a remotely triggerable memory overwrite in RSA key exchange,
which can occur before host key verification
potential recycling of random numbers used in cryptography
on Windows, hijacking by a malicious help file in the same
directory as the executable
on Unix, remotely triggerable buffer overflow in any kind
of server-to-client forwarding
multiple denial-of-service attacks that can be triggered
by writing to the terminal
Other security enhancements: major rewrite of the crypto code
to remove cache and timing side channels.
User interface changes to protect against fake authentication
prompts from a malicious server.
We now provide pre-built binaries for Windows on Arm.
Hardware-accelerated versions of the most common cryptographic
primitives: AES, SHA-256, SHA-1.
GTK PuTTY now supports non-X11 displays (e.g. Wayland) and
high-DPI configurations.
Type-ahead now works as soon as a PuTTY window is opened:
keystrokes typed before authentication has finished will be
buffered instead of being dropped.
Support for GSSAPI key exchange: an alternative to the older
GSSAPI authentication system which can keep your forwarded
Kerberos credentials updated during a long session.
More choices of user interface for clipboard handling.
New terminal features: support the REP escape sequence (fixing
an ncurses screen redraw failure), true colour, and SGR 2 dim
text.
Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you
straight to the top or bottom of the terminal scrollback.
Release 1.16.1:
Added channel, connection, and env properties to SFTPServer instances, so connection and channel information can be used to influence the SFTP server's behavior. Previously, connection information was made avaiable through the constructor, but channel and environment information was not. Now, all of these are available as properties on the SFTPServer instance without the need to explicitly store anything in a custom constructor.
Optimized SFTP glob matching when the glob pattern contains directory names without glob characters in them. Thanks go to Mikhail Terekhov for contributing this improvement!
Added support for PurePath in a few places that were missed when this support was originally added. Once again, thanks go to Mikhail Terehkov for these fixes.
Fixed bug in SFTP parallel I/O file reader where it sometimes returned EOF prematurely. Thanks go to David G for reporting this problem and providing a reproducible test case.
Fixed test failures seen on Fedora Rawhide. Thanks go to Georg Sauthof for reporting this issue and providing a test environment to help debug it.
Updated Ed25519/448 and Curve25519/448 tests to only run when these algorithms are available. Thanks go to Ondřej Súkup for reporting this issue and providing a suggested fix.
Noteworthy changes in version 2.2.15:
* sm: Fix --logger-fd and --status-fd on Windows for non-standard
file descriptors.
* sm: Allow decryption even if expired keys are configured.
* agent: Change command KEYINFO to print ssh fingerprints with other
hash algos.
* dirmngr: Fix build problems on Solaris due to the use of reserved
symbol names.
* wkd: New commands --print-wkd-hash and --print-wkd-url for
gpg-wks-client.
Bug fix and security release on the stable 3.6.x branch.
OK during the freeze by <jperkin>, thanks!
Changes:
3.6.7
-----
- libgnutls, gnutls tools: Every gnutls_free() will automatically set
the free'd pointer to NULL. This prevents possible use-after-free and
double free issues. Use-after-free will be turned into NULL dereference.
The counter-measure does not extend to applications using gnutls_free().
- libgnutls: Fixed a memory corruption (double free) vulnerability in the
certificate verification API. Reported by Tavis Ormandy; addressed with
the change above. [GNUTLS-SA-2019-03-27, #694]
- libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
- libgnutls: enforce key usage limitations on certificates more actively.
Previously we would enforce it for TLS1.2 protocol, now we enforce it
even when TLS1.3 is negotiated, or on client certificates as well. When
an inappropriate for TLS1.3 certificate is seen on the credentials structure
GnuTLS will disable TLS1.3 support for that session (#690).
- libgnutls: the default number of tickets sent under TLS 1.3 was increased to
two. This makes it easier for clients which perform multiple connections
to the server to use the tickets sent by a default server.
- libgnutls: enforce the equality of the two signature parameters fields in
a certificate. We were already enforcing the signature algorithm, but there
was a bug in parameter checking code.
- libgnutls: fixed issue preventing sending and receiving from different
threads when false start was enabled (#713).
- libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
session, as non-writeable security officer sessions are undefined in PKCS#11
(#721).
- libgnutls: no longer send downgrade sentinel in TLS 1.3.
Previously the sentinel value was embedded to early in version
negotiation and was sent even on TLS 1.3. It is now sent only when
TLS 1.2 or earlier is negotiated (#689).
- gnutls-cli: Added option --logfile to redirect informational messages output.
- No API and ABI modifications since last version.
Version 1.8.1 (14 Mar 2019)
Will Cosgrove (14 Mar 2019)
- [Michael Buckley brought this change]
More 1.8.0 security fixes (#316)
* Defend against possible integer overflows in comp_method_zlib_decomp.
* Defend against writing beyond the end of the payload in _libssh2_transport_read().
* Sanitize padding_length - _libssh2_transport_read(). https://libssh2.org/CVE-2019-3861.html
This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.
* Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. https://libssh2.org/CVE-2019-3858.html
* Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads.
* Add a required_size parameter to sftp_packet_require et. al. to require callers of these functions to handle packets that are too short. https://libssh2.org/CVE-2019-3860.html
* Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html
GitHub (14 Mar 2019)
- [Will Cosgrove brought this change]
1.8 Security fixes (#314)
* fixed possible integer overflow in packet_length
CVE https://www.libssh2.org/CVE-2019-3861.html
* fixed possible interger overflow with userauth_keyboard_interactive
CVE https://www.libssh2.org/CVE-2019-3856.html
* fixed possible out zero byte/incorrect bounds allocation
CVE https://www.libssh2.org/CVE-2019-3857.html
* bounds checks for response packets
* fixed integer overflow in userauth_keyboard_interactive
CVE https://www.libssh2.org/CVE-2019-3863.html
Changelog:
trust: Improve error handling if backed trust file is corrupted [#206]
url: Prefer upper-case letters in hex characters when encoding [#193]
trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [#202]
virtual: Prefer fixed closures to libffi closures [#196]
Fix issues spotted by coverity and cppcheck [#194, #204]
Build and test fixes [#164, #191, #199, #201]
3.8.0:
New features
* Speed-up ECC performance. ECDSA is 33 times faster on the NIST P-256 curve.
* Added support for NIST P-384 and P-521 curves.
* EccKey has new methods size_in_bits() and size_in_bytes().
* Support HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 in PBE2/PBKDF2.
Resolved issues
* DER objects were not rejected if their length field had a leading zero.
* Allow legacy RC2 ciphers to have 40-bit keys.
* ASN.1 Object IDs did not allow the value 0 in the path.
Breaks in compatibility
* point_at_infinity() becomes an instance method for Crypto.PublicKey.ECC.EccKey, from a static one.
version 0.8.7 (released 2019-02-25)
* Fixed handling extension flags in the server implementation
* Fixed exporting ed25519 private keys
* Fixed corner cases for rsa-sha2 signatures
* Fixed some issues with connector
Noteworthy changes in version 2.2.14:
* gpg: Allow import of PGP desktop exported secret keys. Also avoid
importing secret keys if the secret keyblock is not valid.
* gpg: Do not error out on version 5 keys in the local keyring.
* gpg: Make invalid primary key algo obvious in key listings.
* sm: Do not mark a certificate in a key listing as de-vs compliant
if its use for a signature will not be possible.
* sm: Fix certificate creation with key on card.
* sm: Create rsa3072 bit certificates by default.
* sm: Print Yubikey attestation extensions with --dump-cert.
* agent: Fix cancellation handling for scdaemon.
* agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
* scd: Fix flushing of the CA-FPR DOs in app-openpgp.
* scd: Avoid a conflict error with the "undefined" app.
* dirmngr: Add CSRF protection exception for protonmail.
* dirmngr: Fix build problems with gcc 9 in libdns.
* gpgconf: New option --show-socket for use wity --launch.
* gpgtar: Make option -C work for archive creation.
Version 3.6.6:
* libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
on the public key.
* libgnutls: Added support for raw public-key authentication as defined in RFC7250.
Raw public-keys can be negotiated by enabling the corresponding certificate
types via the priority strings. The raw public-key mechanism must be explicitly
enabled via the GNUTLS_ENABLE_RAWPK init flag.
* libgnutls: When on server or client side we are sending no extensions we do
not set an empty extensions field but we rather remove that field competely.
This solves a regression since 3.5.x and improves compatibility of the server
side with certain clients.
* libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
the CKA_SIGN is not set.
* libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
disable extensions at all cases, while providing a functional session. This
also implies that when specified, TLS1.3 is disabled.
* libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
The previous definition was non-functional.
* API and ABI modifications:
GNUTLS_ENABLE_RAWPK: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK)
GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
GNUTLS_PCERT_NO_CERT: Deprecated
Noteworthy changes in version 1.36:
* Two new error codes to better support PIV cards.
* Support armv7a-unknown-linux-gnueabihf.
* Increased estream buffer sizes for Windows.
* Interface changes relative to the 1.34 release:
GPG_ERR_NO_AUTH NEW.
GPG_ERR_BAD_AUTH NEW.
Monocypher is an easy to use crypto library. It is:
- Small. Sloccount counts about 1700 lines of code, small enough to
allow audits. The binaries are under 65KB.
= Easy to deploy. Just add monocypher.c and monocypher.h to your
project. They compile as C99 or C++, have no dependency, and
are dedicated to the public domain.
- Easy to use. The API is small, consistent, and cannot fail
on correct input.
- Fast. The primitives are fast to begin with, and performance
wasn't needlessly sacrificed. Monocypher holds up pretty well
against Libsodium, despite being closer in size to TweetNaCl.
Added
If possible, Certbot uses built-in support for OCSP from recent cryptography versions instead of the OpenSSL binary: as a consequence Certbot does not need the OpenSSL binary to be installed anymore if cryptography>=2.5 is installed.
Changed
Certbot and its acme module now depend on josepy>=1.1.0 to avoid printing the warnings described at https://github.com/certbot/josepy/issues/13.
Apache plugin now respects CERTBOT_DOCS environment variable when adding command line defaults.
The running of manual plugin hooks is now always included in Certbot's log output.
Tests execution for certbot, certbot-apache and certbot-nginx packages now relies on pytest.
An ACME CA server may return a "Retry-After" HTTP header on authorization polling, as specified in the ACME protocol, to indicate when the next polling should occur. Certbot now reads this header if set and respect its value.
The acme module avoids sending the keyAuthorization field in the JWS payload when responding to a challenge as the field is not included in the current ACME protocol. To ease the migration path for ACME CA servers, Certbot and its acme module will first try the request without the keyAuthorization field but will temporarily retry the request with the field included if a malformed error is received. This fallback will be removed in version 0.34.0.
0.32.0:
- setup.py: use ${CPP} as path to cpp
- Bump pipeline OpenSSL from 1.1.0i to 1.1.0j
- Stub wchar_t helpers and ignore unused WCHAR defs
- Add type comment to setup.py
Support for UNIX domain socket connections.
New configuration file settings pem-dir and pem-dir-glob.
Support for TLS 1.3.
Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
Add log-level. This supersedes the previous quiet setting.
Add proxy-tlv. This enables extra reporting of cipher and protocol.
Drop TLSv1.1 from the default TLS protocols list.
Remove f-prot-antivirus6-ws-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
Remove f-prot-antivirus6-fs-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
Remove f-prot-antivirus6-ms-bin package version 6.2.3.
Althoguth F-PROT Antivirus is still supported for licensed users,
its antivirus engine (i.e. program itself) did not updated since 2013 and
it is sold for Linux and Windows (no *BSD).
So it's time to remove it from pkgsrc.
1.16.0:
Added support for Ed448 host/client keys and certificates and rewrote Ed25519 support to use the PyCA implementation, reducing the dependency on libnacl and libsodium to only be needed to support the chacha20-poly1305 cipher.
Added support for PKCS-8 format Ed25519 and Ed448 private and public keys (in addition to the OpenSSH format previously supported).
Added support for multiple delimiters in SSHReader’s readuntil() function, causing it to return data as soon as any of the specified delimiters are matched.
Added the ability to register custom key handlers in the line editor which can modify the input line, extending the built-in editing functionality.
Added SSHSubprocessProtocol and SSHSubprocessTransport classes to provide compatibility with asyncio.SubprocessProtocol and asyncio.SubprocessTransport. Code which is designed to call BaseEventLoop.subprocess_shell() or BaseEventLoop.subprocess_exec() can be easily adapted to work against a remote process by calling SSHClientConnection.create_subprocess().
Added support for sending keepalive messages when the SSH connection is idle, with an option to automatically disconnect the connection if the remote system doesn’t respond to these keepalives.
Changed AsyncSSH to ignore errors when loading unsupported key types from the default file locations.
Changed the reuse_port option to only be available on Python releases which support it (3.4.4 and later).
Fixed an issue where MSG_IGNORE packets could sometimes be sent between MSG_NEWKEYS and MSG_EXT_INFO, which caused some SSH implementations to fail to properly parse the MSG_EXT_INFO.
Fixed a couple of errors in the handling of disconnects occurring prior to authentication completing.
Renamed “session_encoding” and “session_errors” arguments in asyncssh.create_server() to “encoding” and “errors”, to match the names used for these arguments in other AsyncSSH APIs. The old names are still supported for now, but they are marked as deprecated and will be removed in a future release.
2.6.1:
* Resolved an error in our build infrastructure that broke our Python3 wheels
for macOS and Linux.
2.6:
* **BACKWARDS INCOMPATIBLE:** Removed
cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
and
cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
which had been deprecated for nearly 4 years. Use
:func:~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature
and
:func:~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature
instead.
* **BACKWARDS INCOMPATIBLE**: Removed cryptography.x509.Certificate.serial,
which had been deprecated for nearly 3 years. Use
:attr:~cryptography.x509.Certificate.serial_number instead.
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.1b.
* Added support for :doc:/hazmat/primitives/asymmetric/ed448 when using
OpenSSL 1.1.1b or newer.
* Added support for :doc:/hazmat/primitives/asymmetric/ed25519 when using
OpenSSL 1.1.1b or newer.
* :func:~cryptography.hazmat.primitives.serialization.load_ssh_public_key can
now load ed25519 public keys.
* Add support for easily mapping an object identifier to its elliptic curve
class via
:func:~cryptography.hazmat.primitives.asymmetric.ec.get_curve_for_oid.
* Add support for OpenSSL when compiled with the no-engine
(OPENSSL_NO_ENGINE) flag.
18.0.0
* On macOS, the backend now raises a KeyringLocked
when access to the keyring is denied (on get or set) instead
of PasswordSetError or KeyringError. Any API users
may need to account for this change, probably by catching
the parent KeyringError.
Additionally, the error message from the underying error is
now included in any errors that occur.
17.1.1
* Update packaging technique to avoid 0.0.0 releases.
17.1.0
* When calling keyring.core.init_backend, if any
limit function is supplied, it is saved and later honored by
the ChainerBackend as well.
17.0.0
* Remove application attribute from stored passwords
using SecretService, addressing regression introduced in
10.5.0. Impacted Linux keyrings will once again
prompt for a password for "Python program".
16.1.1
* Fix error on import due to circular imports
on Python 3.4.
16.1.0
* Refactor ChainerBackend, introduced in 16.0 to function
as any other backend, activating when relevant.
16.0.2
* In Windows backend, trap all exceptions when
attempting to import pywin32.
16.0.1
* Once again allow all positive, non-zero priority
keyrings to participate.
16.0.0
* Fix race condition in delete_password on Windows.
* All suitable backends (priority 1 and greater) are
allowed to participate.
15.2.0
* Added new API for get_credentials, for backends
that can resolve both a username and password for a service.
15.1.0
* Add the Null keyring, disabled by default.
* Added --disable option to command-line
interface.
* Now honor a PYTHON_KEYRING_BACKEND
environment variable to select a backend. Environments
may set to keyring.backends.null.Keyring to disable
keyring.
This is based on a git checkout from a couple days ago; not completely
sure about the version number.
The Makefile now contains a short how-to for updating this package.
Many thanks for the www/firefox60 patches!
Use at your own risk!
Survives basic browsing and check.torproject.org claims it connects via tor.
Changes: too many to document.
1.3.0 2018-09-26
- Added support for Python 3.7.
- Update libsodium to 1.0.16.
- Run and test all code examples in PyNaCl docs through sphinx's doctest builder.
- Add low-level bindings for chacha20-poly1305 AEAD constructions.
- Add low-level bindings for the chacha20-poly1305 secretstream constructions.
- Add low-level bindings for ed25519ph pre-hashed signing construction.
- Add low-level bindings for constant-time increment and addition on fixed-precision big integers represented as little-endian byte sequences.
- Add low-level bindings for the ISO/IEC 7816-4 compatible padding API.
- Add low-level bindings for libsodium's crypto_kx... key exchange construction.
- Set hypothesis deadline to None in tests/test_pwhash.py to avoid incorrect test failures on slower processor architectures. GitHub issue #370
1.2.1 - 2017-12-04
- Update hypothesis minimum allowed version.
- Infrastructure: add proper configuration for readthedocs builder runtime environment.
1.2.0 - 2017-11-01
- Update libsodium to 1.0.15.
- Infrastructure: add jenkins support for automatic build of manylinux1 binary wheels
- Added support for SealedBox construction.
- Added support for argon2i and argon2id password hashing constructs and restructured high-level password hashing implementation to expose the same interface for all hashers.
- Added support for 128 bit siphashx24 variant of siphash24.
- Added support for from_seed APIs for X25519 keypair generation.
- Dropped support for Python 3.3.
version 0.8.6 (released 2018-12-24)
* Fixed compilation issues with different OpenSSL versions
* Fixed StrictHostKeyChecking in new knownhosts API
* Fixed ssh_send_keepalive() with packet filter
* Fixed possible crash with knownhosts options
* Fixed issus with rekeying
* Fixed strong ECDSA keys
* Fixed some issues with rsa-sha2 extentions
* Fixed access violation in ssh_init() (static linking)
* Fixed ssh_channel_close() handling
signing-party (2.8-1) unstable; urgency=low
[ Guilhem Moulin ]
* caff:
+ Add the "only-sign-text-ids" to the list of gpg(1) options imported from
~/.gnupg/gpg.conf.
+ Ensure the terminal is "sane enough" when asking questions ('echo',
'echok', 'icanon', 'icrnl' settings are all set), and restore original
settings when exit()'ing the program. (Closes: #872529)
* caff, gpglist, gpgsigs: in `gpg --with-colons` output, allow signature
class to be followed with an optional revocation reason. gpg(1) does that
since 2.2.9. (Closes: #905097.)
* caff, gpg-key2latex, gpg-key2ps, gpglist, gpgsigs, keylookup: Remove
references to https://pgp-tools.alioth.debian.org/ .
* caff, gpg-key2latex, gpg-key2ps, gpg-mailkeys, gpglist, gpgparticipants,
gpgsigs, keylookup: Remove SVN keywords ($Id$, $Rev$, etc.)
-- Guilhem Moulin <guilhem@debian.org> Mon, 28 Jan 2019 03:05:33 +0100
0.18.7
* Migrate from intltool to gettext [!2]
* Fix uninitialized memory returned by secret_item_get_schema_name() [#15]
* secret-session: Avoid double-free in service_encode_plain_secret()
* Port tap script to Python 3 [!4]
* Build and test fixes [#734630]
* Updated translations
Packaged for wip by Michael Bäuerle.
This is a collection of simple PIN or passphrase entry dialogs which
utilize the Assuan protocol as described by the aegypten project.
It provides programs for several graphical toolkits, such as FLTK,
GTK+ and QT, as well as for the console, using curses.
This package contains the FLTK frontend.
Noteworthy changes in version 2.2.13:
* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key.
* gpgsm: Print the card's key algorithms along with their keygrips
in interactive key generation.
* agent: Clear bogus pinentry cache in the error case.
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer.
* wks: Do no use compression for the the encrypted challenge and
response
Noteworthy changes in version 2.5.3:
* Add a timeout for writing to a SOCKS5 proxy. This helps if another
service is running on the standard tor socket (e.g. Windows 10).
* Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
0.31.0:
Added
Avoid reprocessing challenges that are already validated when a certificate is issued.
Support for initiating (but not solving end-to-end) TLS-ALPN-01 challenges with the acme module.
Changed
Certbot's official Docker images are now based on Alpine Linux 3.9 rather than 3.7. The new version comes with OpenSSL 1.1.1.
Lexicon-based DNS plugins are now fully compatible with Lexicon 3.x (support on 2.x branch is maintained).
Apache plugin now attempts to configure all VirtualHosts matching requested domain name instead of only a single one when answering the HTTP-01 challenge.
Fixed
Fixed accessing josepy contents through acme.jose when the full acme.jose path is used.
Clarify behavior for deleting certs as part of revocation.
Despite us having broken lockstep, we are continuing to release new versions of all Certbot components during releases for the time being, however, the only package with changes other than its version number was:
acme
certbot
certbot-apache
certbot-dns-cloudxns
certbot-dns-dnsimple
certbot-dns-dnsmadeeasy
certbot-dns-gehirn
certbot-dns-linode
certbot-dns-luadns
certbot-dns-nsone
certbot-dns-ovh
certbot-dns-sakuracloud
More details about these changes can be found on our GitHub repo.
3.0.6:
Certifcates that are revoked now move to a revoked subdirectory
EasyRSA no longer clobbers non-EASYRSA environment variables
More sane string checking, allowingn for commas in CN
Support for reasonCode in CRL
Better handling for capturing passphrases
Improved LibreSSL/MacOS support
Adds support to renew certificates up to 30 days before expiration
This changes previous behavior allowing for certificate creation using
duplicate CNs.
Revision 0.2.4:
- Added modules for RFC8226 implementing JWT Claim Constraints
and TN Authorization List for X.509 certificate extensions
- Fixed bug in rfc5280.AlgorithmIdentifier ANY type definition
Trustme 0.5.0:
Features
Added CA.create_child_ca() to allow for certificate chains
Added CA.private_key_pem to export CA private keys; this allows signing other certs with the same CA outside of trustme.
CAs now include the KeyUsage and ExtendedKeyUsage extensions configured for SSL certificates.
CA.issue_cert now accepts email addresses as a valid form of identity.
It’s now possible to set the “common name” of generated certs; see CA.issue_cert for details
CA.issue_server_cert has been renamed to CA.issue_cert, since it supports both server and client certs. To preserve backwards compatibility, the old name is retained as an undocumented alias.
Bugfixes
Make sure cert expiration dates don’t exceed 2038-01-01, to avoid issues on some 32-bit platforms that suffer from the Y2038 problem.
2.5:
* **BACKWARDS INCOMPATIBLE:** :term:U-label strings were deprecated in
version 2.1, but this version removes the default idna dependency as
well. If you still need this deprecated path please install cryptography
with the idna extra: pip install cryptography[idna].
* **BACKWARDS INCOMPATIBLE:** The minimum supported PyPy version is now 5.4.
* Numerous classes and functions have been updated to allow :term:bytes-like
types for keying material and passwords, including symmetric algorithms, AEAD
ciphers, KDFs, loading asymmetric keys, and one time password classes.
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.1a.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHA512_224
and :class:~cryptography.hazmat.primitives.hashes.SHA512_256 when using
OpenSSL 1.1.1.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHA3_224,
:class:~cryptography.hazmat.primitives.hashes.SHA3_256,
:class:~cryptography.hazmat.primitives.hashes.SHA3_384, and
:class:~cryptography.hazmat.primitives.hashes.SHA3_512 when using OpenSSL
1.1.1.
* Added support for :doc:/hazmat/primitives/asymmetric/x448 when using
OpenSSL 1.1.1.
* Added support for :class:~cryptography.hazmat.primitives.hashes.SHAKE128
and :class:~cryptography.hazmat.primitives.hashes.SHAKE256 when using
OpenSSL 1.1.1.
* Added initial support for parsing PKCS12 files with
:func:~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates.
* Added support for :class:~cryptography.x509.IssuingDistributionPoint.
* Added rfc4514_string() method to
:meth:x509.Name <cryptography.x509.Name.rfc4514_string>,
:meth:x509.RelativeDistinguishedName
<cryptography.x509.RelativeDistinguishedName.rfc4514_string>, and
:meth:x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_string>
to format the name or component an :rfc:4514 Distinguished Name string.
* Added
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point,
which immediately checks if the point is on the curve and supports compressed
points. Deprecated the previous method
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point.
* Added :attr:~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm
to OCSPResponse.
* Updated :doc:/hazmat/primitives/asymmetric/x25519 support to allow
additional serialization methods. Calling
:meth:~cryptography.hazmat.primitives.asymmetric.x25519.X25519PublicKey.public_bytes
with no arguments has been deprecated.
* Added support for encoding compressed and uncompressed points via
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes. Deprecated the previous method
:meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point.
Release 1.15.1:
Added callback-based host validation in SSHClient, allowing callers to decide programmatically whether to trust server host keys and certificates rather than having to provide a list of trusted values in advance.
Changed SSH client code to only load the default known hosts file if if exists. Previously an error was returned if a known_hosts value wasn’t specified and the default known_hosts file didn’t exist. For host validate to work in this case, verification callbacks must be implemented or other forms of validation such as X.509 trusted CAs or GSS-based key exchange must be used.
Fixed known hosts validation to completely disable certificate checks when known_hosts is set to None. Previously, key checking was disabled in this case but other checks for certificate expiration and hostname mismatch were still performed, causing connections to fail even when checking was supposed to be disabled.
Switched curve25519 key exchange to use the PyCA implementation, avoiding a dependency on libnacl/libsodium. For now, support for Ed25519 keys still requires these libraries, but once that support appears in PyCA, it may be possible to remove this dependency entirely.
Added get_fingerprint() method to return a fingerprint of an SSHKey.
19.0.0:
Backward-incompatible changes:
- X509Store.add_cert no longer raises an error if you add a duplicate cert.
Changes:
- pyOpenSSL now works with OpenSSL 1.1.1.
- pyOpenSSL now handles NUL bytes in X509Name.get_components()
Changes since previous version:
+ Added general-purpose implementations of EAX and CCM modes (including
shared precomputation support for EAX).
+ Added general-purpose RSA/OAEP implementation.
+ Added general-purpose HKDF implementation.
+ Added support for CCM and CCM_8 TLS cipher suites (RFC 6655 and RFC 7251).
+ Added RSA and EC key generation.
+ Added private key encoding support ("raw" and PKCS#8 formats, both
in DER and PEM, for RSA and EC key pairs).
+ Made Base64 encoding/decoding constant-time (with regards to the
encoded data bytes).
+ Added a generic API for random seed providers.
+ Added an extra DRBG based on AES/CTR + Hirose construction for reseeding.
+ Some cosmetic fixes to avoid warnings with picky compilers.
+ Makefile fix to achieve compatibility with OpenBSD.
+ Fixed a bug in bit length computation for big integers (this was
breaking RSA signatures with some specific implementations and key lengths).
+ Made SSL/TLS client stricter in cipher suite selection (to align with
server behaviour).
3.7.3:
Resolved issues
False positive on PSS signatures when externally provided salt is too long.
Include type stub files for Crypto.IO and Crypto.Util.
Potentially-incompatible changes
================================
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
option (see below) bans the use of DSA keys as certificate
authorities.
* sshd(8): the authentication success/failure log message has
changed format slightly. It now includes the certificate
fingerprint (previously it included only key ID and CA key
fingerprint).
New Features
------------
* ssh(1), sshd(8): allow most port numbers to be specified using
service names from getservbyname(3) (typically /etc/services).
* ssh(1): allow the IdentityAgent configuration directive to accept
environment variable names. This supports the use of multiple
agent sockets without needing to use fixed paths.
* sshd(8): support signalling sessions via the SSH protocol.
A limited subset of signals is supported and only for login or
command sessions (i.e. not subsystems) that were not subject to
a forced command via authorized_keys or sshd_config. bz#1424
* ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
authentication log messages.
Bugfixes
--------
* ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
attempting to load PEM private keys while using an incorrect
passphrase. bz#2901
* sshd(8): when a channel closed message is received from a client,
close the stderr file descriptor at the same time stdout is
closed. This avoids stuck processes if they were waiting for
stderr to close and were insensitive to stdin/out closing. bz#2863
* ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
forwarding timeout and support X11 forwarding indefinitely.
Previously the behaviour of ForwardX11Timeout=0 was undefined.
* sshd(8): when compiled with GSSAPI support, cache supported method
OIDs regardless of whether GSSAPI authentication is enabled in the
main section of sshd_config. This avoids sandbox violations if
GSSAPI authentication was later enabled in a Match block. bz#2107
* sshd(8): do not fail closed when configured with a text key
revocation list that contains a too-short key. bz#2897
* ssh(1): treat connections with ProxyJump specified the same as
ones with a ProxyCommand set with regards to hostname
canonicalisation (i.e. don't try to canonicalise the hostname
unless CanonicalizeHostname is set to 'always'). bz#2896
* ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
key authentication using certificates hosted in a ssh-agent(1)
or against sshd(8) from OpenSSH <7.8.
Portability
-----------
* All: support building against the openssl-1.1 API (releases 1.1.0g
and later). The openssl-1.0 API will remain supported at least
until OpenSSL terminates security patch support for that API version.
* sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
apparently required by some glibc/OpenSSL combinations.
* sshd(8): handle getgrouplist(3) returning more than
_SC_NGROUPS_MAX groups. Some platforms consider this limit more
as a guideline.
OpenSSH 7.8:
Potentially-incompatible changes
================================
* ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format. The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports
key comments in private keys. If necessary, it is possible to write
old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
when generating or updating a key.
* sshd(8): remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): remove vestigal support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long
gone) rhosts-style authentication, but has not been necessary for
a long time. Attempting to execute ssh as a setuid binary, or with
uid != effective uid will now yield a fatal error at runtime.
* sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted
key types. This distinction matters when using the RSA/SHA2
signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
certificate counterparts. Configurations that override these
options but omit these algorithm names may cause unexpected
authentication failures (no action is required for configurations
that accept the default for these options).
* sshd(8): the precedence of session environment variables has
changed. ~/.ssh/environment and environment="..." options in
authorized_keys files can no longer override SSH_* variables set
implicitly by sshd.
* ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
They will now use DSCP AF21 for interactive traffic and CS1 for
bulk. For a detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
New Features
------------
* ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert-
v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to
explicitly force use of RSA/SHA2 signatures in authentication.
* sshd(8): extend the PermitUserEnvironment option to accept a
whitelist of environment variable names in addition to global
"yes" or "no" settings.
* sshd(8): add a PermitListen directive to sshd_config(5) and a
corresponding permitlisten= authorized_keys option that control
which listen addresses and port numbers may be used by remote
forwarding (ssh -R ...).
* sshd(8): add some countermeasures against timing attacks used for
account validation/enumeration. sshd will enforce a minimum time
or each failed authentication attempt consisting of a global 5ms
minimum plus an additional per-user 0-4ms delay derived from a
host secret.
* sshd(8): add a SetEnv directive to allow an administrator to
explicitly specify environment variables in sshd_config.
Variables set by SetEnv override the default and client-specified
environment.
* ssh(1): add a SetEnv directive to request that the server sets
an environment variable in the session. Similar to the existing
SendEnv option, these variables are set subject to server
configuration.
* ssh(1): allow "SendEnv -PATTERN" to clear environment variables
previously marked for sending to the server. bz#1285
* ssh(1)/sshd(8): make UID available as a %-expansion everywhere
that the username is available currently. bz#2870
* ssh(1): allow setting ProxyJump=none to disable ProxyJump
functionality. bz#2869
Bugfixes
--------
* sshd(8): avoid observable differences in request parsing that could
be used to determine whether a target user is valid.
* all: substantial internal refactoring
* ssh(1)/sshd(8): fix some memory leaks; bz#2366
* ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could
occur during key loading, manifesting as crash on some platforms.
* sshd_config(5): clarify documentation for AuthenticationMethods
option; bz#2663
* ssh(1): ensure that the public key algorithm sent in a
public key SSH_MSG_USERAUTH_REQUEST matches the content of the
signature blob. Previously, these could be inconsistent when a
legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature
when asked to make a RSA/SHA2 signature.
* sshd(8): fix failures to read authorized_keys caused by faulty
supplemental group caching. bz#2873
* scp(1): apply umask to directories, fixing potential mkdir/chmod
race when copying directory trees bz#2839
* ssh-keygen(1): return correct exit code when searching for and
hashing known_hosts entries in a single operation; bz#2772
* ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when
re-executing ssh for ProxyJump. bz#2831
* sshd(8): do not ban PTY allocation when a sshd session is
restricted because the user password is expired as it breaks
password change dialog. (regression in openssh-7.7).
* ssh(1)/sshd(8): fix error reporting from select() failures.
* ssh(1): improve documentation for -w (tunnel) flag, emphasising
that -w implicitly sets Tunnel=point-to-point. bz#2365
* ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent
will no longer spin when its file descriptor limit is exceeded.
bz#2576
* ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch
clients. Twisted Conch versions that lack a version number in
their identification strings will mishandle these messages when
running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422)
* sftp(1): notify user immediately when underlying ssh process dies
expectedly. bz#2719
* ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release.
bz#2855
* ssh-agent(1): don't kill ssh-agent's listening socket entirely if
it fails to accept(2) a connection. bz#2837
* sshd(8): relax checking of authorized_keys environment="..."
options to allow underscores in variable names (regression
introduced in 7.7). bz#2851
* ssh(1): add some missing options in the configuration dump output
(ssh -G). bz#2835
Portability
-----------
* sshd(8): Expose details of completed authentication to PAM auth
modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408
* Fix compilation problems caused by fights between zlib and OpenSSL
colliding uses of "free_func"
* Improve detection of unsupported compiler options. Recently these
may have manifested as "unsupported -Wl,-z,retpoline" warnings
during linking.
* sshd(8): some sandbox support for Linux/s390 bz#2752.
* regress tests: unbreak key-options.sh test on platforms without
openpty(3). bz#2856
* use getrandom(2) for PRNG seeding when built without OpenSSL.
OpenSSH 7.7:
Potentially-incompatible changes
================================
* ssh(1)/sshd(8): Drop compatibility support for some very old SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
versions were all released in or before 2001 and predate the final
SSH RFCs. The support in question isn't necessary for RFC-compliant
SSH implementations.
New Features
------------
* All: Add experimental support for PQC XMSS keys (Extended Hash-
Based Signatures) based on the algorithm described in
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
The XMSS signature code is experimental and not compiled in by
default.
* sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
to allow conditional configuration that depends on which routing
domain a connection was received on (currently supported on OpenBSD
and Linux).
* sshd_config(5): Add an optional rdomain qualifier to the
ListenAddress directive to allow listening on different routing
domains. This is supported only on OpenBSD and Linux at present.
* sshd_config(5): Add RDomain directive to allow the authenticated
session to be placed in an explicit routing domain. This is only
supported on OpenBSD at present.
* sshd(8): Add "expiry-time" option for authorized_keys files to
allow for expiring keys.
* ssh(1): Add a BindInterface option to allow binding the outgoing
connection to an interface's address (basically a more usable
BindAddress)
* ssh(1): Expose device allocated for tun/tap forwarding via a new
%T expansion for LocalCommand. This allows LocalCommand to be used
to prepare the interface.
* sshd(8): Expose the device allocated for tun/tap forwarding via a
new SSH_TUNNEL environment variable. This allows automatic setup of
the interface and surrounding network configuration automatically on
the server.
* ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
ssh://user@host or sftp://user@host/path. Additional connection
parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
implemented since the ssh fingerprint format in the draft uses the
deprecated MD5 hash with no way to specify the any other algorithm.
* ssh-keygen(1): Allow certificate validity intervals that specify
only a start or stop time (instead of both or neither).
* sftp(1): Allow "cd" and "lcd" commands with no explicit path
argument. lcd will change to the local user's home directory as
usual. cd will change to the starting directory for session (because
the protocol offers no way to obtain the remote user's home
directory). bz#2760
* sshd(8): When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.
Bugfixes
--------
* ssh(1)/sshd(8): More strictly check signature types during key
exchange against what was negotiated. Prevents downgrade of RSA
signatures made with SHA-256/512 to SHA-1.
* sshd(8): Fix support for client that advertise a protocol version
of "1.99" (indicating that they are prepared to accept both SSHv1 and
SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
support. bz#2810
* ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
a rsa-sha2-256/512 signature was requested. This condition is possible
when an old or non-OpenSSH agent is in use. bz#2799
* ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
to fatally exit if presented an invalid signature request message.
* sshd_config(5): Accept yes/no flag options case-insensitively, as
has been the case in ssh_config(5) for a long time. bz#2664
* ssh(1): Improve error reporting for failures during connection.
Under some circumstances misleading errors were being shown. bz#2814
* ssh-keyscan(1): Add -D option to allow printing of results directly
in SSHFP format. bz#2821
* regress tests: fix PuTTY interop test broken in last release's SSHv1
removal. bz#2823
* ssh(1): Compatibility fix for some servers that erroneously drop the
connection when the IUTF8 (RFC8160) option is sent.
* scp(1): Disable RemoteCommand and RequestTTY in the ssh session
started by scp (sftp was already doing this.)
* ssh-keygen(1): Refuse to create a certificate with an unusable
number of principals.
* ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
public key during key generation. Previously it would silently
ignore errors writing the comment and terminating newline.
* ssh(1): Do not modify hostname arguments that are addresses by
automatically forcing them to lower-case. Instead canonicalise them
to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
against known_hosts. bz#2763
* ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
prompts. bz#2803
* sftp(1): Have sftp print a warning about shell cleanliness when
decoding the first packet fails, which is usually caused by shells
polluting stdout of non-interactive startups. bz#2800
* ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
time to monotonic time, allowing the packet layer to better function
over a clock step and avoiding possible integer overflows during
steps.
* Numerous manual page fixes and improvements.
Portability
-----------
* sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
sandbox violations on some environments.
* sshd(8): Remove UNICOS support. The hardware and software are literal
museum pieces and support in sshd is too intrusive to justify
maintaining.
* All: Build and link with "retpoline" flags when available to mitigate
the "branch target injection" style (variant 2) of the Spectre
branch-prediction vulnerability.
* All: Add auto-generated dependency information to Makefile.
* Numerous fixed to the RPM spec files.
Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or
Perforce). These commands make it easy for you to Gnu Privacy Guard (GPG)
encrypt specific files in a repo so they are "encrypted at rest" in your
repository. However, the scripts make it easy to decrypt them when you need
to view or edit them, and decrypt them for use in production. Originally
written for Puppet, BlackBox now works with any Git or Mercurial repository.
jperkin reported a bootstrapping failure in the newer pre-processor
conditionals, so revert to the older, less comprehensive versions without
gcc version level checks.
1.0.0:
Security related: Bewit MACs were not compared in constant time and were thus possibly circumventable by an attacker.
Breaking change: Escape characters in header values (such as a back slash) are no longer allowed, potentially breaking clients that depended on this behavior. See https://github.com/kumar303/mohawk/issues/34
A sender is allowed to omit the content hash as long as their request has no content. The mohawk.Receiver will skip the content hash check in this situation, regardless of the value of accept_untrusted_content. See Empty requests for more details.
Introduced max limit of 4096 characters in the Authorization header
Changed default values of content and content_type arguments to mohawk.base.EmptyValue in order to differentiate between misconfiguration and cases where these arguments are explicitly given as None (as with some web frameworks). See Skipping content checks for more details.
Failing to pass content and content_type arguments to mohawk.Receiver or mohawk.Sender.accept_response() without specifying accept_untrusted_content=True will now raise mohawk.exc.MissingContent instead of ValueError.
Noteworthy changes in version 1.34:
* Support for riscv32.
* New API to allow emergency cleanup after internal fatal errors.
* Minor bug and portability fixes.
v1.2.0:
This project now depends on OAuthlib 3.0.0 and above. It does not support versions of OAuthlib before 3.0.0.
Updated oauth2 tests to use 'sess' for an OAuth2Session instance instead of auth because OAuth2Session objects and methods acceept an auth paramether which is typically an instance of requests.auth.HTTPBasicAuth
OAuth2Session.fetch_token previously tried to guess how and where to provide "client" and "user" credentials incorrectly. This was incompatible with some OAuth servers and incompatible with breaking changes in oauthlib that seek to correctly provide the client_id. The older implementation also did not raise the correct exceptions when username and password are not present on Legacy clients.
Avoid automatic netrc authentication for OAuth2Session.
v1.1.0:
Adjusted version specifier for oauthlib dependency: this project is not yet compatible with oauthlib 3.0.0.
Dropped dependency on nose.
Minor changes to clean up the code and make it more readable/maintainable.
3.0.0 (2019-01-01)
OAuth2.0 Provider - outstanding Features
OpenID Connect Core support
RFC7662 Introspect support
RFC8414 OAuth2.0 Authorization Server Metadata support
RFC7636 PKCE support
OAuth2.0 Provider - API/Breaking Changes
Add "request" to confirm_redirect_uri
confirm_redirect_uri/get_default_redirect_uri has a bit changed
invalid_client is now a FatalError
Changed errors status code from 401 to 400:
invalid_grant:
invalid_scope:
access_denied/unauthorized_client/consent_required/login_required
401 must have WWW-Authenticate HTTP Header set
OAuth2.0 Provider - Bugfixes
empty scopes no longer raise exceptions for implicit and authorization_code
OAuth2.0 Client - Bugfixes / Changes:
expires_in in Implicit flow is now an integer
expires is no longer overriding expires_in
parse_request_uri_response is now required
Unknown error=xxx raised by OAuth2 providers was not understood
OAuth2's prepare_token_request supports sending an empty string for client_id
OAuth2's WebApplicationClient.prepare_request_body was refactored to better support sending or omitting the client_id via a new include_client_id kwarg. By default this is included. The method will also emit a DeprecationWarning if a client_id parameter is submitted; the already configured self.client_id is the preferred option.
OAuth1.0 Client:
Support for HMAC-SHA256
General fixes:
$ and ' are allowed to be unencoded in query strings
Request attributes are no longer overriden by HTTP Headers
Removed unnecessary code for handling python2.6
Add support of python3.7
Several minors updates to setup.py and tox
Set pytest as the default unittest framework
Changes since previous version:
+ fuller emulation of openssl API, including
BN_is_one()
BN_mod_add()
BN_mod_sub()
BN_sub_word()
BN_add_word()
+ provide all functions and macros with compatibility definitions
What's new in Sudo 1.8.27
* On HP-UX, sudo will now update the utmps file when running a command
in a pseudo-tty. Previously, only the utmp and utmpx files were
updated.
* Nanosecond precision file time stamps are now supported in HP-UX.
* Fixes and clarifications to the sudo plugin documentation.
* The sudo manuals no longer require extensive post-processing to
hide system-specific features. Conditionals in the roff source
are now used instead. This fixes corruption of the sudo manual
on systems without BSD login classes.
* If an I/O logging plugin is configured but the plugin does not
actually log any I/O, sudo will no longer force the command to
be run in a pseudo-tty.
* The fix for bug 843 in sudo 1.8.24 was incomplete. If the
user's password was expired or needed to be updated, but no sudo
password was required, the PAM handle was freed too early,
resulting in a failure when processing PAM session modules.
* In visudo, it is now possible to specify the path to sudoers
without using the -f option.
* Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
file would not be updated when a command was run in a pseudo-tty.
* Sudo now sets the silent flag when opening the PAM session except
when running a shell via "sudo -s" or "sudo -i". This prevents
the pam_lastlog module from printing the last login information
for each sudo command.
* Fixed the default AIX hard resource limit for the maximum number
of files a user may have open. If no hard limit for "nofiles"
is explicitly set in /etc/security/limits, the default should
be "unlimited". Previously, the default hard limit was 8196.
Upstream changes:
================================================================================
## 0.30.0 - 2019-01-02
### Added
* Added the `update_account` subcommand for account management commands.
### Changed
* Copied account management functionality from the `register` subcommand
to the `update_account` subcommand.
* Marked usage `register --update-registration` for deprecation and
removal in a future release.
### Fixed
* Older modules in the josepy library can now be accessed through acme.jose
like it could in previous versions of acme. This is only done to preserve
backwards compatibility and support for doing this with new modules in josepy
will not be added. Users of the acme library should switch to using josepy
directly if they haven't done so already.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
More details about these changes can be found on our GitHub repo.
## 0.29.1 - 2018-12-05
### Added
*
### Changed
*
### Fixed
* The default work and log directories have been changed back to
/var/lib/letsencrypt and /var/log/letsencrypt respectively.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot
More details about these changes can be found on our GitHub repo.
## 0.29.0 - 2018-12-05
### Added
* Noninteractive renewals with `certbot renew` (those not started from a
terminal) now randomly sleep 1-480 seconds before beginning work in
order to spread out load spikes on the server side.
* Added External Account Binding support in cli and acme library.
Command line arguments --eab-kid and --eab-hmac-key added.
### Changed
* Private key permissioning changes: Renewal preserves existing group mode
& gid of previous private key material. Private keys for new
lineages (i.e. new certs, not renewed) default to 0o600.
### Fixed
* Update code and dependencies to clean up Resource and Deprecation Warnings.
* Only depend on imgconverter extension for Sphinx >= 1.6
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudflare
* certbot-dns-digitalocean
* certbot-dns-google
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/62?closed=1
## 0.28.0 - 2018-11-7
### Added
* `revoke` accepts `--cert-name`, and doesn't accept both `--cert-name` and `--cert-path`.
* Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.
### Changed
* Removed documentation mentions of `#letsencrypt` IRC on Freenode.
* Write README to the base of (config-dir)/live directory
* `--manual` will explicitly warn users that earlier challenges should remain in place when setting up subsequent challenges.
* Warn when using deprecated acme.challenges.TLSSNI01
* Log warning about TLS-SNI deprecation in Certbot
* Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins
* OVH DNS plugin now relies on Lexicon>=2.7.14 to support HTTP proxies
* Default time the Linode plugin waits for DNS changes to propogate is now 1200 seconds.
### Fixed
* Match Nginx parser update in allowing variable names to start with `${`.
* Fix ranking of vhosts in Nginx so that all port-matching vhosts come first
* Correct OVH integration tests on machines without internet access.
* Stop caching the results of ipv6_info in http01.py
* Test fix for Route53 plugin to prevent boto3 making outgoing connections.
* The grammar used by Augeas parser in Apache plugin was updated to fix various parsing errors.
* The CloudXNS, DNSimple, DNS Made Easy, Gehirn, Linode, LuaDNS, NS1, OVH, and
Sakura Cloud DNS plugins are now compatible with Lexicon 3.0+.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudxns
* certbot-dns-dnsimple
* certbot-dns-dnsmadeeasy
* certbot-dns-gehirn
* certbot-dns-linode
* certbot-dns-luadns
* certbot-dns-nsone
* certbot-dns-ovh
* certbot-dns-route53
* certbot-dns-sakuracloud
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/59?closed=1
## 0.27.1 - 2018-09-06
### Fixed
* Fixed parameter name in OpenSUSE overrides for default parameters in the
Apache plugin. Certbot on OpenSUSE works again.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot-apache
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/60?closed=1
Changelog:
2.3.4 (2018-08-21)
=========================
- Show all URL schemes in entry view [#1768]
- Disable merge when database is locked [#1975]
- Fix intermittent crashes with favorite icon downloads [#1980]
- Provide potential crash warning to Qt 5.5.x users [#2211]
- Disable apply button when creating new entry/group to prevent data loss [#2204]
- Allow for 12 hour timeout to lock idle database [#2173]
- Multiple SSH Agent fixes [#1981, #2117]
- Multiple Browser Integration enhancements [#1993, #2003, #2055, #2116, #2159, #2174, #2185]
- Fix browser proxy application not closing properly [#2142]
- Add real names and Patreon supporters to about dialog [#2214]
- Add settings button to toolbar, Donate button, and Report a Bug button to help menu [#2214]
- Enhancements to release-tool to appsign intermediate build products [#2101]
Version 1.0.17
- Bug fix: sodium_pad() didn't properly support block sizes >= 256 bytes.
- JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
module; fall back to Javascript on these.
- JS/WebAssembly: compatibility with newer Emscripten versions.
- Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and
crypto_pwhash_scryptsalsa208sha256_str_needs_rehash() didn't return
EINVAL on input strings with a short length, unlike their high-level
counterpart.
- Added a workaround for Visual Studio 2010 bug causing CPU features
not to be detected.
- Portability improvements.
- Test vectors from Project Wycheproof have been added.
- New low-level APIs for arithmetic mod the order of the prime order group:
crypto_core_ed25519_scalar_random(), crypto_core_ed25519_scalar_reduce(),
crypto_core_ed25519_scalar_invert(), crypto_core_ed25519_scalar_negate(),
crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add()
and crypto_core_ed25519_scalar_sub().
- New low-level APIs for scalar multiplication without clamping:
crypto_scalarmult_ed25519_base_noclamp() and
crypto_scalarmult_ed25519_noclamp(). These new APIs are especially useful
for blinding.
- sodium_sub() has been implemented.
- Support for WatchOS has been added.
- getrandom(2) is now used on FreeBSD 12+.
- The nonnull attribute has been added to all relevant prototypes.
- More reliable AVX512 detection.
- Javascript/Webassembly builds now use dynamic memory growth.
Revision 0.4.5:
- Debug logging refactored for more efficiency when disabled and
for more functionality when in use. Specifically, the global
LOG object can easily be used from any function/method, not just
from codec main loop as it used to be.
- More debug logging added to BER family of codecs to ease encoding
problems troubleshooting.
- Copyright notice extended to the year 2019
- Fixed defaulted constructed SEQUENCE component initialization.
18.1.0
- pyOpenSSL is optional now if you use service_identity.cryptography.* only.
- Added support for iPAddress subjectAltName\ s.
You can now verify whether a connection or a certificate is valid for an IP address using service_identity.pyopenssl.verify_ip_address() and service_identity.cryptography.verify_certificate_ip_address().
Major changes in 1.16.2
This is a bug fix release.
Fix bugs with concurrent use of MEMORY ccache handles.
Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.
= mbed TLS 2.14.1 branch released 2018-11-30
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
= mbed TLS 2.14.0 branch released 2018-11-19
Security
* Fix overly strict DN comparison when looking for CRLs belonging to a
particular CA. This previously led to ignoring CRLs when the CRL's issuer
name and the CA's subject name differed in their string encoding (e.g.,
one using PrintableString and the other UTF8String) or in the choice of
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
#1784.
* Fix a flawed bounds check in server PSK hint parsing. In case the
incoming message buffer was placed within the first 64KiB of address
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
to trigger a memory access up to 64KiB beyond the incoming message buffer,
potentially leading to an application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
primes with high probability. This does not have an impact on the
security of TLS, but can matter in other contexts with numbers chosen
potentially by an adversary that should be prime and can be validated.
For example, the number of rounds was enough to securely generate RSA key
pairs or Diffie-Hellman parameters, but was insufficient to validate
Diffie-Hellman parameters properly.
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
Kenneth G. Paterson and Juraj Somorovsky.
Features
* Add support for temporarily suspending expensive ECC computations after
some configurable amount of operations. This is intended to be used in
constrained, single-threaded systems where ECC is time consuming and can
block other operations until they complete. This is disabled by default,
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
yet), and to existing functions in ECDH and SSL (currently only
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
including client authentication).
* Add support for Arm CPU DSP extensions to accelerate asymmetric key
operations. On CPUs where the extensions are available, they can accelerate
MPI multiplications used in ECC and RSA cryptography. Contributed by
Aurelien Jarno.
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
signature always used a salt with the same length as the hash, and returned
an error if this was not possible. Now the salt size may be up to two bytes
shorter. This allows the library to support all hash and signature sizes
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
than 256 bits limits the security of generated material to 128 bits.
API Changes
* Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
a feature that is not supported by underlying alternative
implementations implementing cryptographic primitives. This is useful for
hardware accelerators that don't implement all options or features.
New deprecations
* All module specific errors following the form
MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
supported are deprecated and are now replaced by the new equivalent
platform error.
* All module specific generic hardware acceleration errors following the
form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
by the equivalent plaform error.
* Deprecate the function mbedtls_mpi_is_prime() in favor of
mbedtls_mpi_is_prime_ext() which allows specifying the number of
Miller-Rabin rounds.
Bugfix
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
application leading to a memory leak in case both
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
Fixes#2069.
* Fix a bug in the update function for SSL ticket keys which previously
invalidated keys of a lifetime of less than a 1s. Fixes#1968.
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
* Fix a bug in the record decryption routine ssl_decrypt_buf()
which lead to accepting properly authenticated but improperly
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
* Fix memory leak and freeing without initialization in the example
program programs/x509/cert_write. Fixes#1422.
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes#1091.
* Zeroize memory used for buffering or reassembling handshake messages
after use.
* Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
of sensitive data in the example programs aescrypt2 and crypt_and_hash.
* Change the default string format used for various X.509 DN attributes to
UTF8String. Previously, the use of the PrintableString format led to
wildcards and non-ASCII characters being unusable in some DN attributes.
Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
Thomas-Dee.
* Fix compilation failure for configurations which use compile time
replacements of standard calloc/free functions through the macros
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
Reported by ole-de and ddhome2006. Fixes#882, #1642 and #1706.
Changes
* Removed support for Yotta as a build tool.
* Add tests for session resumption in DTLS.
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
* Change the dtls_client and dtls_server samples to work by default over
IPv6 and optionally by a build option over IPv4.
* Change the use of Windows threading to use Microsoft Visual C++ runtime
calls, rather than Win32 API calls directly. This is necessary to avoid
conflict with C runtime usage. Found and fixed by irwir.
* Remember the string format of X.509 DN attributes when replicating
X.509 DNs. Previously, DN attributes were always written in their default
string format (mostly PrintableString), which could lead to CRTs being
created which used PrintableStrings in the issuer field even though the
signing CA used UTF8Strings in its subject field; while X.509 compliant,
such CRTs were rejected in some applications, e.g. some versions of
Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
Thomas-Dee.
* Improve documentation of mbedtls_ssl_get_verify_result().
Fixes#517 reported by github-monoculture.
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
use it to reduce error probability in RSA key generation to levels mandated
by FIPS-186-4.
= mbed TLS 2.13.1 branch released 2018-09-06
API Changes
* Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
whose implementation should behave as a thread-safe version of gmtime().
This allows users to configure such an implementation at compile time when
the target system cannot be deduced automatically, by setting the option
MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
automatically select implementations for Windows and POSIX C libraries.
Bugfix
* Fix build failures on platforms where only gmtime() is available but
neither gmtime_r() nor gmtime_s() are present. Fixes#1907.
= mbed TLS 2.13.0 branch released 2018-08-31
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing. In case of receiving malformed
input (extensions length field equal to 0), an illegal read of one byte
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
Features
* Add support for fragmentation of outgoing DTLS handshake messages. This
is controlled by the maximum fragment length as set locally or negotiated
with the peer, as well as by a new per-connection MTU option, set using
mbedtls_ssl_set_mtu().
* Add support for auto-adjustment of MTU to a safe value during the
handshake when flights do not get through (RFC 6347, section 4.1.1.1,
last paragraph).
* Add support for packing multiple records within a single datagram,
enabled by default.
* Add support for buffering out-of-order handshake messages in DTLS.
The maximum amount of RAM used for this can be controlled by the
compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
in mbedtls/config.h.
API Changes
* Add function mbedtls_ssl_set_datagram_packing() to configure
the use of datagram packing (enabled by default).
Bugfix
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
failure in the function could lead to other buffers being leaked.
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
Fix contributed by Espressif Systems.
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
* Replace printf with mbedtls_printf in the ARIA module. Found by
TrinityTonic in #1908.
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes#1941.
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
with TLS versions 1.1 and earlier when the server requested authentication
without providing a list of CAs. This was due to an overly strict bounds
check in parsing the CertificateRequest message,
introduced in Mbed TLS 2.12.0. Fixes#1954.
* Fix a miscalculation of the maximum record expansion in
mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes#1913, #1914.
* Fix undefined shifts with negative values in certificates parsing
(found by Catena cyber using oss-fuzz)
* Fix memory leak and free without initialization in pk_encrypt
and pk_decrypt example programs. Reported by Brace Stout. Fixes#1128.
* Remove redundant else statement. Raised by irwir. Fixes#1776.
Changes
* Copy headers preserving timestamps when doing a "make install".
Contributed by xueruini.
* Allow the forward declaration of public structs. Contributed by Dawid
Drozd. Fixes#1215 raised by randombit.
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
* Add support for buffering of out-of-order handshake messages.
* Add warnings to the documentation of the HKDF module to reduce the risk
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
functions. Fixes#1775. Reported by Brian J. Murray.
= mbed TLS 2.12.0 branch released 2018-07-25
Security
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
partially recover the plaintext of messages under some conditions by
exploiting timing measurements. With DTLS, the attacker could perform
this recovery by sending many messages in the same connection. With TLS
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
worked if the same secret (for example a HTTP Cookie) has been repeatedly
sent over connections manipulated by the attacker. Connections using GCM
or CCM instead of CBC, using hash sizes other than SHA-384, or using
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
caused by a miscalculation (for SHA-384) in a countermeasure to the
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
Shamir.
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
1.2, that allowed a local attacker, able to execute code on the local
machine as well as manipulate network packets, to partially recover the
plaintext of messages under some conditions by using a cache attack
targetting an internal MD/SHA buffer. With TLS or if
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
the same secret (for example a HTTP Cookie) has been repeatedly sent over
connections manipulated by the attacker. Connections using GCM or CCM
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
* Add a counter-measure against a vulnerability in TLS ciphersuites based
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
execute code on the local machine as well as manipulate network packets,
to partially recover the plaintext of messages under some conditions (see
previous entry) by using a cache attack targeting the SSL input record
buffer. Connections using GCM or CCM instead of CBC or using
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
Eyal Ronen and Adi Shamir.
Features
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
by Daniel King.
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
Contributed by Augustin Cavalier.
* Make the receive and transmit buffers independent sizes, for situations
where the outgoing buffer can be fixed at a smaller size than the incoming
buffer, which can save some RAM. If buffer lengths are kept equal, there
is no functional difference. Contributed by Angus Gratton, and also
independently contributed again by Paul Sokolovsky.
* Add support for key wrapping modes based on AES as defined by
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
Bugfix
* Fix the key_app_writer example which was writing a leading zero byte which
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes#1257.
* Fix compilation error on C++, because of a variable named new.
Found and fixed by Hirotaka Niisato in #1783.
* Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
contributed by tabascoeye.
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
return value. Found by @davidwu2000. #839
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
Philippe Antoine. Fixes#1623.
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
by Brendan Shanks. Part of a fix for #992.
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
* Added length checks to some TLS parsing functions. Found and fixed by
Philippe Antoine from Catena cyber. #1663.
* Fix the inline assembly for the MPI multiply helper function for i386 and
i386 with SSE2. Found by László Langó. Fixes#1550
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
the `#include` in the header files. Resolves#857
* Fix compiler warning of 'use before initialisation' in
mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
Drozd. #1098
* Fix decryption for zero length messages (which contain all padding) when a
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
such a message was wrongly reported as an invalid record and therefore lead
to the connection being terminated. Seen most often with OpenSSL using
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
contributed by Espressif Systems. Fixes#1632
* Fix ssl_client2 example to send application data with 0-length content
when the request_size argument is set to 0 as stated in the documentation.
Fixes#1833.
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
deep copy of the session, and the peer certificate is not lost. Fixes#926.
* Fix build using -std=c99. Fixed by Nick Wilson.
Changes
* Fail when receiving a TLS alert message with an invalid length, or invalid
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
* Change the default behaviour of mbedtls_hkdf_extract() to return an error
when calling with a NULL salt and non-zero salt_len. Contributed by
Brian J Murray
* Change the shebang line in Perl scripts to look up perl in the PATH.
Contributed by fbrosson.
* Allow overriding the time on Windows via the platform-time abstraction.
Fixed by Nick Wilson.
* Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
= mbed TLS 2.11.0 branch released 2018-06-18
Features
* Add additional block mode, OFB (Output Feedback), to the AES module and
cipher abstraction module.
* Implement the HMAC-based extract-and-expand key derivation function
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
* Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
* Add support for the XTS block cipher mode with AES (AES-XTS).
Contributed by Aorimn in pull request #414.
* In TLS servers, support offloading private key operations to an external
cryptoprocessor. Private key operations can be asynchronous to allow
non-blocking operation of the TLS server stack.
Bugfix
* Fix the cert_write example to handle certificates signed with elliptic
curves as well as RSA. Fixes#777 found by dbedev.
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
used by user applications. Found and fixed by Fabio Alessandrelli.
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
Changes
* Changed CMake defaults for IAR to treat all compiler warnings as errors.
* Changed the Clang parameters used in the CMake build files to work for
versions later than 3.6. Versions of Clang earlier than this may no longer
work. Fixes#1072
= mbed TLS 2.10.0 branch released 2018-06-06
Features
* Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
(RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
API Changes
* Extend the platform module with a util component that contains
functionality shared by multiple Mbed TLS modules. At this stage
platform_util.h (and its associated platform_util.c) only contain
mbedtls_platform_zeroize(), which is a critical function from a security
point of view. mbedtls_platform_zeroize() needs to be regularly tested
against compilers to ensure that calls to it are not removed from the
output binary as part of redundant code elimination optimizations.
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
facilitate testing and maintenance.
Bugfix
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
build to fail. Found by zv-io. Fixes#1651.
Changes
* Support TLS testing in out-of-source builds using cmake. Fixes#1193.
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
TrinityTonic. #1359.
= mbed TLS 2.9.0 branch released 2018-04-30
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate validation. Additionally, the issue could also lead to
unnecessary callback checks being made or to some validation checks to be
omitted. The overread could be triggered remotely, while the other issues
would require a non DER-compliant certificate to be correctly signed by a
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
luocm. Fixes#825.
* Fix the buffer length assertion in the ssl_parse_certificate_request()
function which led to an arbitrary overread of the message buffer. The
overreads could be caused by receiving a malformed message at the point
where an optional signature algorithms list is expected when the signature
algorithms section is too short. In builds with debug output, the overread
data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice
which could potentially lead to the client accepting a ciphersuite it didn't
offer or a ciphersuite that cannot be used with the TLS or DTLS version
chosen by the server. This could lead to corruption of internal data
structures for some configurations.
Features
* Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
Suggested and contributed by jkivilin in pull request #394.
* Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
ECDH primitive functions (mbedtls_ecdh_gen_public(),
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
Nicholas Wilson in pull request #348.
API Changes
* Extend the public API with the function of mbedtls_net_poll() to allow user
applications to wait for a network context to become ready before reading
or writing.
* Add function mbedtls_ssl_check_pending() to the public API to allow
a check for whether more more data is pending to be processed in the
internal message buffers.
This function is necessary to determine when it is safe to idle on the
underlying transport in case event-driven IO is used.
Bugfix
* Fix a spurious uninitialized variable warning in cmac.c. Fix independently
contributed by Brian J Murray and David Brown.
* Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms.
Fixes#1040.
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
#1353
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
Deomid Ryabkov. Fixes#1299, #1475.
* Fix the Makefile build process for building shared libraries on Mac OS X.
Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
unable to parse keys which had only the optional parameters field of the
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
* Return the plaintext data more quickly on unpadded CBC decryption, as
stated in the mbedtls_cipher_update() documentation. Contributed by
Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142.
* Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
where data needs to be fetched from the underlying transport in order
to make progress. Previously, this error code was also occasionally
returned when unexpected messages were being discarded, ignoring that
further messages could potentially already be pending to be processed
in the internal buffers; these cases led to deadlocks when event-driven
I/O was used. Found and reported by Hubert Mis in #772.
* Fix buffer length assertions in the ssl_parse_certificate_request()
function which leads to a potential one byte overread of the message
buffer.
* Fix invalid buffer sizes passed to zlib during record compression and
decompression.
* Fix the soversion of libmbedcrypto to match the soversion of the
maintained 2.7 branch. The soversion was increased in Mbed TLS
version 2.7.1 to reflect breaking changes in that release, but the
increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
Changes
* Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
* Support cmake builds where Mbed TLS is a subproject. Fix contributed
independently by Matthieu Volat and Arne Schwabe.
* Improve testing in configurations that omit certain hashes or
public-key algorithms. Includes contributions by Gert van Dijk.
* Improve negative testing of X.509 parsing.
* Do not define global mutexes around readdir() and gmtime() in
configurations where the feature is disabled. Found and fixed by Gergely
Budai.
* Harden the function mbedtls_ssl_config_free() against misuse, so that it
doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
instead incorrectly manipulates the configuration structure directly.
Found and fix submitted by junyeonLEE in #1220.
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
without PBES2. Fixed by Marcos Del Sol Vives.
* Add the order of the base point as N in the mbedtls_ecp_group structure
for Curve25519 (other curves had it already). Contributed by Nicholas
Wilson #481
* Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356.
* Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT
environment variable when using the project makefiles.
* Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
by Alexey Skalozub in #405.
* In the SSL module, when f_send, f_recv or f_recv_timeout report
transmitting more than the required length, return an error. Raised by
Sam O'Connor in #1245.
* Improve robustness of mbedtls_ssl_derive_keys against the use of
HMAC functions with non-HMAC ciphersuites. Independently contributed
by Jiayuan Chen in #1377. Fixes#1437.
* Improve security of RSA key generation by including criteria from
FIPS 186-4. Contributed by Jethro Beekman. #1380
* Declare functions in header files even when an alternative implementation
of the corresponding module is activated by defining the corresponding
MBEDTLS_XXX_ALT macro. This means that alternative implementations do
not need to copy the declarations, and ensures that they will have the
same API.
* Add platform setup and teardown calls in test suites.
= mbed TLS 2.8.0 branch released 2018-03-16
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
Security
* Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no
resumption of the session).
* Verify results of RSA private key operations to defend
against Bellcore glitch attack.
* Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
a crash on invalid input.
* Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
crash on invalid input.
* Fix CRL parsing to reject CRLs containing unsupported critical
extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
Features
* Extend PKCS#8 interface by introducing support for the entire SHA
algorithms family when encrypting private keys using PKCS#5 v2.0.
This allows reading encrypted PEM files produced by software that
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
OpenVPN Inc. Fixes#1339
* Add support for public keys encoded in PKCS#1 format. #1122
New deprecations
* Deprecate support for record compression (configuration option
MBEDTLS_ZLIB_SUPPORT).
Bugfix
* Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
Fixes#1358.
* Fix test_suite_pk to work on 64-bit ILP32 systems. #849
* Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
In the context of SSL, this resulted in handshake failure. Reported by
daniel in the Mbed TLS forum. #1351
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
* Fix setting version TLSv1 as minimal version, even if TLS 1
is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
* Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
Nick Wilson on issue #355
* In test_suite_pk, pass valid parameters when testing for hash length
overflow. #1179
* Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
by Guido Vranken. #639
* Log correct number of ciphersuites used in Client Hello message. #918
* Fix X509 CRT parsing that would potentially accept an invalid tag when
parsing the subject alternative names.
* Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
that could cause a key exchange to fail on valid data.
* Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
could cause a key exchange to fail on valid data.
* Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
MBEDTLS_DEPRECATED_REMOVED. #1388
* Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
Found through fuzz testing.
Changes
* Fix tag lengths and value ranges in the documentation of CCM encryption.
Contributed by Mathieu Briand.
* Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
* Remove support for the library reference configuration for picocoin.
* MD functions deprecated in 2.7.0 are no longer inline, to provide
a migration path for those depending on the library's ABI.
* Clarify the documentation of mbedtls_ssl_setup.
* Use (void) when defining functions with no parameters. Contributed by
Joris Aerts. #678
= mbed TLS 2.7.0 branch released 2018-02-03
Security
* Fix a heap corruption issue in the implementation of the truncated HMAC
extension. When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet could be used to selectively corrupt
6 bytes on the peer's heap, which could potentially lead to crash or remote
code execution. The issue could be triggered remotely from either side in
both TLS and DTLS. CVE-2018-0488
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
for the key size, which could potentially lead to crash or remote code
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
Qualcomm Technologies Inc. CVE-2018-0487
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
zeros.
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
64 KiB to the address of the SSL buffer and causing a wrap around.
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
default enabled) maximum fragment length extension is disabled in the
config and the application data buffer passed to mbedtls_ssl_write
is larger than the internal message buffer (16384 bytes by default), the
latter overflows. The exploitability of this issue depends on whether the
application layer can be forced into sending such large packets. The issue
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
Fixes#707.
* Add a provision to prevent compiler optimizations breaking the time
constancy of mbedtls_ssl_safer_memcmp().
* Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
data. Previously, trailing zero bytes were detected and omitted for the
sake of saving memory, but potentially leading to slight timing
differences. Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
* Fix a potential heap buffer over-read in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server.
* Change default choice of DHE parameters from untrustworthy RFC 5114
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
manner.
Features
* Allow comments in test data files.
* The selftest program can execute a subset of the tests based on command
line arguments.
* New unit tests for timing. Improve the self-test to be more robust
when run on a heavily-loaded machine.
* Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
* Add support for alternative implementations of GCM, selected by the
configuration flag MBEDTLS_GCM_ALT.
* Add support for alternative implementations for ECDSA, controlled by new
configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and
MBEDTLS_ECDSDA_GENKEY_AT in config.h.
The following functions from the ECDSA module can be replaced
with alternative implementation:
mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
* Add support for alternative implementation of ECDH, controlled by the
new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and
MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
The following functions from the ECDH module can be replaced
with an alternative implementation:
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
* Add support for alternative implementation of ECJPAKE, controlled by
the new configuration flag MBEDTLS_ECJPAKE_ALT.
* Add mechanism to provide alternative implementation of the DHM module.
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
* The following functions in the message digest modules (MD2, MD4, MD5,
SHA1, SHA256, SHA512) have been deprecated and replaced as shown below.
The new functions change the return type from void to int to allow
returning error codes when using MBEDTLS_<MODULE>_ALT.
mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
New deprecations
* Deprecate usage of RSA primitives with non-matching key-type
(e.g. signing with a public key).
* Direct manipulation of structure fields of RSA contexts is deprecated.
Users are advised to use the extended RSA API instead.
* Deprecate usage of message digest functions that return void
(mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update,
mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
that can return an error code.
* Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by
parameters from RFC 3526 or the newly added parameters from RFC 7919.
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
etc.
* Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
accepting DHM parameters in binary form, matching the new constants.
Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
as recommended in RFC 6347 Section 4.1.2.7.
* Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
Found by projectgus and Jethro Beekman, #836.
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
* Parse signature algorithm extension when renegotiating. Previously,
renegotiated handshakes would only accept signatures using SHA-1
regardless of the peer's preferences, or fail if SHA-1 was disabled.
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
dates on leap years with 100 and 400 intervals are handled correctly. Found
by Nicholas Wilson. #694
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
accepted. Generating these signatures required the private key.
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
Found independently by Florian in the mbed TLS forum and by Mishamax.
#878, #1019.
* Fix variable used before assignment compilation warnings with IAR
toolchain. Found by gkerrien38.
* Fix unchecked return codes from AES, DES and 3DES functions in
pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
If a call to one of the functions of the cryptographic primitive modules
failed, the error may not be noticed by the function
mbedtls_pem_read_buffer() causing it to return invalid values. Found by
Guido Vranken. #756
* Include configuration file in md.h, to fix compilation warnings.
Reported by aaronmdjones in #1001
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
writing routines that prevented these functions to work with alternative
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes#1011.
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
non-v3 CRT's.
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023#1024
* Fix net_would_block() to avoid modification by errno through fcntl() call.
Found by nkolban. Fixes#845.
* Fix handling of handshake messages in mbedtls_ssl_read() in case
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
* Add a check for invalid private parameters in mbedtls_ecdsa_sign().
Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
* Fix incorrect unit in benchmark output. #850
* Add size-checks for record and handshake message content, securing
fragile yet non-exploitable code-paths.
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
MilenkoMitrovic, #1104
* Fix mbedtls_timing_alarm(0) on Unix and MinGW.
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
* Fix possible memory leaks in mbedtls_gcm_self_test().
* Added missing return code checks in mbedtls_aes_self_test().
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the
RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization
beforehand.
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
Found and fixed by Martijn de Milliano.
* Fix an issue in the cipher decryption with the mode
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
Note, this padding mode is not used by the TLS protocol. Found and fixed by
Micha Kraus.
* Fix the entropy.c module to not call mbedtls_sha256_starts() or
mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
mbedtls_sha512_init() is called before operating on the relevant context
structure. Do not assume that zeroizing a context is a correct way to
reset it. Found independently by ccli8 on Github.
* In mbedtls_entropy_free(), properly free the message digest context.
* Fix status handshake status message in programs/ssl/dtls_client.c. Found
and fixed by muddog.
Changes
* Extend cert_write example program by options to set the certificate version
and the message digest. Further, allow enabling/disabling of authority
identifier, subject identifier and basic constraints extensions.
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
particular, don't require P,Q if neither CRT nor blinding are
used. Reported and fix proposed independently by satur9nine and sliai
on GitHub.
* Only run AES-192 self-test if AES-192 is available. Fixes#963.
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module.
* Update all internal usage of deprecated message digest functions to the
new ones with return codes. In particular, this modifies the
mbedtls_md_info_t structure. Propagate errors from these functions
everywhere except some locations in the ssl_tls.c module.
* Improve CTR_DRBG error handling by propagating underlying AES errors.
* Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
modules where the software implementation can be replaced by a hardware
implementation.
* Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
throughout the library.
= mbed TLS 2.6.0 branch released 2017-08-10
Security
* Fix authentication bypass in SSL/TLS: when authmode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. This could be
triggered remotely from either side. (With authmode set to 'required'
(the default), the handshake was correctly aborted).
* Reliably wipe sensitive data after use in the AES example applications
programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
Found by Laurent Simon.
Features
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
and the context struct mbedtls_platform_context to perform
platform-specific setup and teardown operations. The macro
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
by the user in a platform_alt.h file. These new functions are required in
some embedded environments to provide a means of initialising underlying
cryptographic acceleration hardware.
API Changes
* Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
API consistent with mbed TLS 2.5.0. Specifically removed the inline
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found
by James Cowgill. #978
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, the TLS handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the verify callback.
Bugfix
* Add a check if iv_len is zero in GCM, and return an error if it is zero.
Reported by roberto. #716
* Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
always be implemented by pthread support. #696
* Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
in the case of an error. Found by redplait. #590
* Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken. #740
* Fix conditional preprocessor directives in bignum.h to enable 64-bit
compilation when using ARM Compiler 6.
* Fix a potential integer overflow in the version verification for DER
encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
KNOX Security, Samsung Research America
* Fix potential integer overflow in the version verification for DER
encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
KNOX Security, Samsung Research America
* Fix a potential integer overflow in the version verification for DER
encoded X.509 certificates. The overflow could enable maliciously
constructed certificates to bypass the certificate verification check.
* Fix a call to the libc function time() to call the platform abstraction
function mbedtls_time() instead. Found by wairua. #666
* Avoid shadowing of time and index functions through mbed TLS function
arguments. Found by inestlerode. #557.
Changes
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
64-bit division. This is useful on embedded platforms where 64-bit division
created a dependency on external libraries. #708
* Removed mutexes from ECP hardware accelerator code. Now all hardware
accelerator code in the library leaves concurrency handling to the
platform. Reported by Steven Cooreman. #863
* Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
config-no-entropy.h to reduce the RAM footprint.
* Added a test script that can be hooked into git that verifies commits
before they are pushed.
* Improve documentation of PKCS1 decryption functions.
= mbed TLS 2.5.1 released 2017-06-21
Security
* Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
The issue could only happen client-side with renegotiation enabled.
Could result in DoS (application crash) or information leak
(if the application layer sent data read from mbedtls_ssl_read()
back to the server or to a third party). Can be triggered remotely.
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
certificate verification. SHA-1 can be turned back on with a compile-time
option if needed.
* Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
detect it sometimes. Reported by Hugo Leisink. #810
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher/BERserk-style attack.
Bugfix
* Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
valid C and they prevented the test from compiling in Visual Studio 2015
and with GCC using the -Wpedantic compilation option.
* Fix insufficient support for signature-hash-algorithm extension,
resulting in compatibility problems with Chrome. Found by hfloyrd. #823
* Fix behaviour that hid the original cause of fatal alerts in some cases
when sending the alert failed. The fix makes sure not to hide the error
that triggered the alert.
* Fix SSLv3 renegotiation behaviour and stop processing data received from
peer after sending a fatal alert to refuse a renegotiation attempt.
Previous behaviour was to keep processing data even after the alert has
been sent.
* Accept empty trusted CA chain in authentication mode
MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864
* Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
reflect bad EC curves within verification result.
* Fix bug that caused the modular inversion function to accept the invalid
modulus 1 and therefore to hang. Found by blaufish. #641.
* Fix incorrect sign computation in modular exponentiation when the base is
a negative MPI. Previously the result was always negative. Found by Guido
Vranken.
* Fix a numerical underflow leading to stack overflow in mpi_read_file()
that was triggered uppon reading an empty line. Found by Guido Vranken.
Changes
* Send fatal alerts in more cases. The previous behaviour was to skip
sending the fatal alert and just drop the connection.
* Clarify ECDSA documentation and improve the sample code to avoid
misunderstanding and potentially dangerous use of the API. Pointed out
by Jean-Philippe Aumasson.
= mbed TLS 2.5.0 branch released 2017-05-17
Security
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
Simon.
* Add exponent blinding to RSA private operations as a countermeasure
against side-channel attacks like the cache attack described in
https://arxiv.org/abs/1702.08719v2.
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
Clémentine Maurice and Stefan Mangard.
Features
* Add hardware acceleration support for the Elliptic Curve Point module.
This involved exposing parts of the internal interface to enable
replacing the core functions and adding and alternative, module level
replacement support for enabling the extension of the interface.
* Add a new configuration option to 'mbedtls_ssl_config' to enable
suppressing the CA list in Certificate Request messages. The default
behaviour has not changed, namely every configured CAs name is included.
API Changes
* The following functions in the AES module have been deprecated and replaced
by the functions shown below. The new functions change the return type from
void to int to allow returning error codes when using MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most
recent versions of the library. Found by Kyle Keen.
* Fixed issue in the Threading module that prevented mutexes from
initialising. Found by sznaider. #667#843
* Add checks in the PK module for the RSA functions on 64-bit systems.
The PK and RSA modules use different types for passing hash length and
without these checks the type cast could lead to data loss. Found by Guido
Vranken.
= mbed TLS 2.4.2 branch released 2017-03-08
Security
* Add checks to prevent signature forgeries for very large messages while
using RSA through the PK module in 64-bit systems. The issue was caused by
some data loss when casting a size_t to an unsigned int value in the
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
* Fixed potential livelock during the parsing of a CRL in PEM format in
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
characters after the footer could result in the execution of an infinite
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Microsoft.
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Introduced by interoperability fix for #513.
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
when verifying the validity of a key on secp224k1. This could be
triggered remotely for example with a maliciously constructed certificate
and potentially could lead to remote code execution on some platforms.
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
team. #569 CVE-2017-2784
Bugfix
* Fix output certificate verification flags set by x509_crt_verify_top() when
traversing a chain of trusted CA. The issue would cause both flags,
MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
set when the verification conditions are not met regardless of the cause.
Found by Harm Verhagen and inestlerode. #665#561
* Fix the redefinition of macro ssl_set_bio to an undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
Found by omlib-lin. #673
* Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
x509_csr.c that are reported when building mbed TLS with a config.h that
does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
would compare 64 bits of the record counter instead of 48 bits as indicated
in RFC 6347 Section 4.3.1. This could cause the execution of the
renegotiation routines at unexpected times when the protocol is DTLS. Found
by wariua. #687
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
the input string in PEM format to extract the different components. Found
by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
by missing calls to mbedtls_pem_free() in cases when a
MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
fix proposed by Guido Vranken. #722
* Fixed the templates used to generate project and solution files for Visual
Studio 2015 as well as the files themselves, to remove a build warning
generated in Visual Studio 2015. Reported by Steve Valliere. #742
* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
number to write in hexadecimal is negative and requires an odd number of
digits. Found and fixed by Guido Vranken.
* Fix unlisted DES configuration dependency in some pkparse test cases. Found
by inestlerode. #555
= mbed TLS 2.4.1 branch released 2016-12-13
Changes
* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication – October 2016
= mbed TLS 2.4.0 branch released 2016-10-17
Security
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC-5116 and could lead to session key recovery in very long TLS
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
https://eprint.iacr.org/2016/475.pdf
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The
issue cannot be triggered remotely. Found by Jethro Beekman.
Features
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
NIST SP 800-38B, RFC-4493 and RFC-4615.
* Added hardware entropy selftest to verify that the hardware entropy source
is functioning correctly.
* Added a script to print build environment info for diagnostic use in test
scripts, which is also now called by all.sh.
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
configure the maximum length of a file path that can be buffered when
calling mbedtls_x509_crt_parse_path().
* Added a configuration file config-no-entropy.h that configures the subset of
library features that do not require an entropy source.
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
to configure the minimum number of bytes for entropy sources using the
mbedtls_hardware_poll() function.
Bugfix
* Fix for platform time abstraction to avoid dependency issues where a build
may need time but not the standard C library abstraction, and added
configuration consistency checks to check_config.h
* Fix dependency issue in Makefile to allow parallel builds.
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
when GCM is used. Found by udf2457. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
a contribution from Tobias Tangemann. #541
* Fixed cert_app.c sample program for debug output and for use when no root
certificates are provided.
* Fix conditional statement that would cause a 1 byte overread in
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
* Fixed pthread implementation to avoid unintended double initialisations
and double frees. Found by Niklas Amnebratt.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
data structure until after error checks are successful. Found by
subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
* Fix potential byte overread when verifying malformed SERVER_HELLO in
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
Found by subramanyam-c. #626
* Fix compatibility issue with Internet Explorer client authentication,
where the limited hash choices prevented the client from sending its
certificate. Found by teumas. #513
* Fix compilation without MBEDTLS_SELF_TEST enabled.
Changes
* Extended test coverage of special cases, and added new timing test suite.
* Removed self-tests from the basic-built-test.sh script, and added all
missing self-tests to the test suites, to ensure self-tests are only
executed once.
* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
* Added support for a Yotta specific configuration file -
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
* Added optimization for code space for X.509/OID based on configured
features. Contributed by Aviv Palivoda.
* Renamed source file library/net.c to library/net_sockets.c to avoid
naming collision in projects which also have files with the common name
net.c. For consistency, the corresponding header file, net.h, is marked as
deprecated, and its contents moved to net_sockets.h.
* Changed the strategy for X.509 certificate parsing and validation, to no
longer disregard certificates with unrecognised fields.
= mbed TLS 2.3.0 branch released 2016-06-28
Security
* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
required by PKCS1 v2.2
* Fix potential integer overflow to buffer overflow in
mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
(not triggerable remotely in (D)TLS).
* Fix a potential integer underflow to buffer overread in
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
SSL/TLS.
Features
* Support for platform abstraction of the standard C library time()
function.
Bugfix
* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
arguments where the same (in-place doubling). Found and fixed by Janos
Follath. #309
* Fix potential build failures related to the 'apidoc' target, introduced
in the previous patch release. Found by Robert Scheck. #390#391
* Fix issue in Makefile that prevented building using armar. #386
* Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
ECDSA was disabled in config.h . The leak didn't occur by default.
* Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid certificate was parsed before a valid certificate
in the trusted certificate list.
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer after DER certificates to be included in the raw representation.
* Fix issue that caused a hang when generating RSA keys of odd bitlength
* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
dereference possible.
* Fix issue that caused a crash if invalid curves were passed to
mbedtls_ssl_conf_curves. #373
* Fix issue in ssl_fork_server which was preventing it from functioning. #429
* Fix memory leaks in test framework
* Fix test in ssl-opt.sh that does not run properly with valgrind
* Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
don't use the optimized assembly for bignum multiplication. This removes
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
* Disabled SSLv3 in the default configuration.
* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
Skalozub).
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
ignored, as required by RFC6101.
Noteworthy changes in version 2.2.12:
* tools: New commands --install-key and --remove-key for
gpg-wks-client. This allows to prepare a Web Key Directory on a
local file system for later upload to a web server.
* gpg: New --list-option "show-only-fpr-mbox". This makes the use
of the new gpg-wks-client --install-key command easier on Windows.
* gpg: Improve processing speed when --skip-verify is used.
* gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
option --with-agent-s2k-calibration=MSEC.
* dirmngr: Try another keyserver from the pool on receiving a 502,
503, or 504 error.
* dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP
query will not anymore follow a 3xx redirect unless the Location
header gives the same host. If the host is different only the
host and port is taken from the Location header and the original
path and query parts are kept.
* dirmngr: New command FLUSHCRL to flush all CRLS from disk and
memory.
* New simplified Chinese translation (zh_CN).
