Commit graph

259 commits

Author SHA1 Message Date
nia
f332e11838 gnutls: fix detection of build options 2020-06-09 09:53:11 +00:00
leot
9cad236547 gnutls: Update to 3.6.14
Changes:
3.6.14
------
 * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
   The TLS server would not bind the session ticket encryption key with a
   value supplied by the application until the initial key rotation, allowing
   an attacker to bypass authentication in TLS 1.3 and recover previous
   conversations in TLS 1.2 (#1011).
   [GNUTLS-SA-2020-06-03, CVSS: high]

 * libgnutls: Fixed handling of certificate chain with cross-signed
   intermediate CA certificates (#1008).

 * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

 * libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName
   (2.5.4.3), decode certificate policy OIDs (!1245), and print Authority
   Key Identifier (AKI) properly (#989, #991).

 * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

 * libgnutls: Added several improvements on Windows Vista and later releases
   (!1257, !1254, !1256). Most notably the system random number generator now
   uses Windows BCrypt* API if available (!1255).

 * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
   Also both accelerated and non-accelerated implementations check key block
   according to FIPS-140-2 IG A.9 (!1233).

 * libgnutls: Added support for AES-SIV ciphers (#463).

 * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

 * libgnutls: No longer use internal symbols exported from Nettle (!1235).

 * API and ABI modifications:
     GNUTLS_CIPHER_AES_128_SIV: Added
     GNUTLS_CIPHER_AES_256_SIV: Added
     GNUTLS_CIPHER_AES_192_GCM: Added
     gnutls_pkcs7_print_signature_info: Added
2020-06-08 19:48:14 +00:00
adam
d62c903eea revbump after updating security/nettle 2020-05-22 10:55:42 +00:00
nikita
643721e4ba security/gnutls: revbump, add support for building guile bindings 2020-05-14 14:30:02 +00:00
adam
45bda7739f gnutls: updated to 3.6.13
Version 3.6.13:

** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
   The DTLS client would not contribute any randomness to the DTLS negotiation,
   breaking the security guarantees of the DTLS protocol
   [GNUTLS-SA-2020-03-31, CVSS: high]

** libgnutls: Added new APIs to access KDF algorithms.

** libgnutls: Added new callback gnutls_keylog_func that enables a custom
   logging functionality.

** libgnutls: Added support for non-null terminated usernames in PSK
   negotiation.

** gnutls-cli-debug: Improved support for old servers that only support
   SSL 3.0.

** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
gnutls_session_get_keylog_function: Added
gnutls_session_set_keylog_function: Added
gnutls_prf_hash_get: Added
gnutls_psk_server_get_username2: Added
gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added
2020-04-01 08:24:07 +00:00
rillig
c4fcced991 security/gnutls: remove unnecessary comment from Makefile 2020-03-22 12:21:59 +00:00
rillig
26518604c6 security/gnutls: remove nonexistent files from REPLACE_BASH 2020-03-22 12:21:12 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
wiz
23282680f5 gnutls: update to 3.6.12.
* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions in which the client requested OCSP status (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well. Note that the server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on the server and the client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is, we reject
   certificates with invalid characters in Time fields, or invalid time formatting.
   To continue accepting the invalid form, compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   to all certificate verifications, not only under TLS. The configuration can
   be overridden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling
   (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added
2020-02-09 13:56:28 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
nia
a743d901b9 gnutls: Update to 3.6.11.1
Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file
   descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.
2019-12-06 14:00:08 +00:00
nia
a9cedae2ce gnutls: Update to 3.6.10
* Version 3.6.10 (released 2019-09-29)

** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
   Deterministic signing can be enabled by setting
   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
   functions (#94).

** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
   functions that will perform in-place encryption/decryption on data buffers (#718).

** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
   TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function()
   (#823).

** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
   issue with large record handling due to random padding (#811).

** libgnutls: the server now selects the highest TLS protocol version,
   if TLS 1.3 is enabled and the client advertises an older protocol version first (#837).

** libgnutls: fix non-PIC assembly on i386 (#818).

** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
   and MAC generation based on GOST 28147-89 (IMIT). For description of the
   modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
   RFC 7836.

** certtool: when outputting an encrypted private key do not insert the textual description
   of it. This fixes a regression since 3.6.5 (#840).

** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added
GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added
2019-10-04 17:25:53 +00:00
nia
6d4756a72c gnutls: No longer a GNU project 2019-10-01 14:34:08 +00:00
maya
1c6836d293 gnutls: backport upstream commit to avoid text relocations on i386.
Regenerate asm files with -fPIC

PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386

Bump PKGREVISION.
2019-09-30 09:51:16 +00:00
tnn
c143041f8b gnutls: fix PLIST 2019-09-18 19:00:13 +00:00
ng0
6d0c556d8c security/gnutls: Add ability to link against libunbound for DANE support. 2019-09-18 15:27:05 +00:00
nros
d039c8d6d4 Fix compilation of gnutls with compilers missing __get_cpuid_count
Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10 .
Fixes compilation on NetBSD 8 without setting GCC_REQD.
2019-09-16 17:01:46 +00:00
nia
b07b68f9a6 gnutls: Update to 3.6.9
* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of a digest or MAC context. Copying contexts for externally-registered digest and MAC
   contexts is unsupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
   used, are for a niche use case, but have significant side effects, such as preventing
   any internal re-organization and extension of the internal cipher API. The APIs remain
   functional though a compiler warning will be issued, and a future minor version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC as a MAC algorithm separate from GCM (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing semantics of
      the configuration file, and allows specifying system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters "insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", "disabled-curve",
      "disabled-version", "min-verification-profile", "tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
2019-09-16 00:28:48 +00:00
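As an added illustration (not part of the commit above or of GnuTLS's own documentation), a system configuration file using the sections and parameters the 3.6.9 notes list; the file path and the algorithm names are assumptions following GnuTLS naming conventions and should be checked against the installed version.

```ini
# Assumed path: /etc/gnutls/config. '#' starts a comment.

[priorities]
# System-wide priority strings; an application references this one as "@SYSTEM".
# Starts from the built-in NORMAL set and removes the legacy TLS versions.
SYSTEM = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

[overrides]
# Algorithm names are assumed to match GnuTLS's own identifiers
# (as printed by `gnutls-cli --list`).
insecure-hash = md5
insecure-sig = rsa-md5
insecure-sig-for-cert = rsa-sha1
disabled-curve = secp192r1
disabled-version = tls1.0
min-verification-profile = medium
tls-disabled-cipher = arcfour-128
tls-disabled-mac = md5
tls-disabled-group = group-ffdhe2048
tls-disabled-kx = rsa
# Only the "insecure"/"disabled" direction is honoured: an algorithm the
# library hard-codes as insecure cannot be re-enabled from this file.
```

Setting GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 in the environment, as the notes describe, turns a mistyped section or option name from a debug message into a hard failure, which is the safer setting when rolling such a file out.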
sevan
0c0f47d002 Build fix for OS X Tiger via Macports 2019-08-15 15:46:15 +00:00
wiz
84e123ddd2 Bump PKGREVISIONs for perl 5.30.0 2019-08-11 13:17:48 +00:00
wiz
c30c5fbc0b *: recursive bump for nettle 3.5.1 2019-07-20 22:45:58 +00:00
sevan
a33b87baa0 Update to v3.6.8
Changes
=======

* Version 3.6.8 (released 2019-05-28)

** libgnutls: Added gnutls_prf_early() function to retrieve early keying
   material (#329)

** libgnutls: Added support for AES-XTS cipher (#354)

** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
   512 bit addition)

** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
   public key is on the right subgroup (y^q=1 mod p), when q is available (under
   TLS 1.3 and under earlier versions when RFC7919 parameters are used).

** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
   with the 8192 parameters as well (#995).

** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
   gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)

** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
   clients to communicate with the server advertising smaller limits than 512

** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
   hostname/domain crafting via IDNA conversion (#720)

** certtool: allow the digital signature key usage flag in CA certificates.
   Previously certtool would ignore this flag for CA certificates even if
   specified (#767)

** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
   These allow testing the RFC5705 using these tools.

** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added
2019-07-11 14:53:36 +00:00
leot
b6c7c1af75 gnutls: Update to 3.6.7
Bug fix and security release on the stable 3.6.x branch.
OK during the freeze by <jperkin>, thanks!

Changes:
3.6.7
-----

 - libgnutls, gnutls tools: Every gnutls_free() will automatically set
   the free'd pointer to NULL. This prevents possible use-after-free and
   double free issues. Use-after-free will be turned into NULL dereference.
   The counter-measure does not extend to applications using gnutls_free().
 - libgnutls: Fixed a memory corruption (double free) vulnerability in the
   certificate verification API. Reported by Tavis Ormandy; addressed with
   the change above. [GNUTLS-SA-2019-03-27, #694]
 - libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
   Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
 - libgnutls: enforce key usage limitations on certificates more actively.
   Previously we would enforce it for TLS1.2 protocol, now we enforce it
   even when TLS1.3 is negotiated, or on client certificates as well. When
   an inappropriate for TLS1.3 certificate is seen on the credentials structure
   GnuTLS will disable TLS1.3 support for that session (#690).
 - libgnutls: the default number of tickets sent under TLS 1.3 was increased to
   two. This makes it easier for clients which perform multiple connections
   to the server to use the tickets sent by a default server.
 - libgnutls: enforce the equality of the two signature parameters fields in
   a certificate. We were already enforcing the signature algorithm, but there
   was a bug in parameter checking code.
 - libgnutls: fixed issue preventing sending and receiving from different
   threads when false start was enabled (#713).
 - libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
   session, as non-writeable security officer sessions are undefined in PKCS#11
   (#721).
 - libgnutls: no longer send downgrade sentinel in TLS 1.3.
   Previously the sentinel value was embedded too early in version
   negotiation and was sent even on TLS 1.3. It is now sent only when
   TLS 1.2 or earlier is negotiated (#689).
 - gnutls-cli: Added option --logfile to redirect informational messages output.

 - No API and ABI modifications since last version.
2019-03-27 16:46:40 +00:00
adam
5d7286f0dc gnutls: updated to 3.6.6
Version 3.6.6:
* libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number of bits
  on the public key.
* libgnutls: Added support for raw public-key authentication as defined in RFC7250.
  Raw public-keys can be negotiated by enabling the corresponding certificate
  types via the priority strings. The raw public-key mechanism must be explicitly
  enabled via the GNUTLS_ENABLE_RAWPK init flag.
* libgnutls: When on server or client side we are sending no extensions we do
  not set an empty extensions field but rather remove that field completely.
  This solves a regression since 3.5.x and improves compatibility of the server
  side with certain clients.
* libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
  the CKA_SIGN is not set.
* libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
  disable extensions in all cases, while providing a functional session. This
  also implies that when specified, TLS1.3 is disabled.
* libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
  The previous definition was non-functional.
* API and ABI modifications:
GNUTLS_ENABLE_RAWPK: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK)
GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
GNUTLS_PCERT_NO_CERT: Deprecated
2019-03-20 06:27:11 +00:00
leot
a893115c36 gnutls: Add a dependency to mozilla-rootcerts and configure to use them
Without providing the `--with-default-trust-store-file=' configure
argument, gnutls tries to check a list of hardcoded paths for the
trust store file and uses the first one found.

If none of them is found gnutls_certificate_set_x509_system_trust()
returns GNUTLS_E_UNIMPLEMENTED_FEATURE and the location of trust
store file should be provided (e.g. in gnutls-cli via --x509cafile
option).

Depends on mozilla-rootcerts and pass `--with-default-trust-store-file='
similarly to security/p11-kit to always have a consistent default
trust store file and an implemented
gnutls_certificate_set_x509_system_trust().

Bump PKGREVISION
2018-12-13 00:10:12 +00:00
leot
3478d1d08b gnutls: Update security/gnutls to 3.6.5
pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
  unconditionally due to REPLACE_BASH usages)

Changes:
3.6.5
-----
** libgnutls: Provide the option of transparent re-handshake/reauthentication
   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
   requested with legacy TLS versions enabled but not TLS1.2. That is because
   if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
   servers which do not support TLS1.3 will negotiate TLS1.2 which will be
   rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
   This addresses a security issue where memory access patterns as well as timing
   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
   attacks. Side-channel resistant code is slower due to the need to mask
   access and timings. When used in TLS the new functions cause RSA based
   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
   the tests were performed on a relatively modern Intel CPU, results vary
   depending on the CPU and architecture used). This change makes nettle 3.4.1
   the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
   in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
   have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
   S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
   using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
   option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
   text before PEM-encoded private key, public key, certificate, CRL or CSR.

** API and ABI modifications:
GNUTLS_AUTO_REAUTH: Added
GNUTLS_CIPHER_AES_128_CFB8: Added
GNUTLS_CIPHER_AES_192_CFB8: Added
GNUTLS_CIPHER_AES_256_CFB8: Added
GNUTLS_MAC_AES_CMAC_128: Added
GNUTLS_MAC_AES_CMAC_256: Added
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added
2018-12-09 20:12:41 +00:00
nia
0546704fe4 gnutls: update to 3.6.4.
* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
   gnutls_certificate_set_retrieve_function() which could not handle the case where
   no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no
   certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
   is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP.
   The key set with gnutls_session_ticket_enable_server() is used as a
   master key to generate time-based keys for tickets. The rotation
   relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the
   'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
   This addresses the problem where the CA certificate doesn't have a subject key
   identifier whereas the end certificates have an authority key identifier (#569)

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
   gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
   and export GOST parameters in the "native" little endian format used for these
   curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for separately negotiating client and server certificate types
   as defined in RFC7250. This mechanism must be explicitly enabled via the
   GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added
2018-11-09 18:03:45 +00:00
tnn
a6418d59ed gnutls: be explicit about --without-idn 2018-09-27 18:32:35 +00:00
wiz
703e2bf1cc gnutls: add another REPLACE_BASH so the tests all run through 2018-09-21 14:20:11 +00:00
wiz
93b46879c7 Recursive bump for perl5-5.28.0 2018-08-22 09:43:40 +00:00
wiz
6ab4ae5310 gnutls: Fix path to bash in installed files.
Bump PKGREVISION.
2018-08-20 06:01:25 +00:00
wiz
625589655e gnutls: remove obsolete configure argument 2018-08-19 09:16:01 +00:00
wiz
73662a10f8 gnutls: build-depend on bash for the tests.
Replace interpreter in more shell scripts. Gets tests further along.
2018-08-19 06:28:39 +00:00
wiz
b10361d25b gnutls: update to 3.6.3.
* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
   negotiation, post handshake authentication, length hiding, multiple OCSP support,
   consistent ciphersuite support across protocols, hello retry requests, ability
   to adjust key shares via gnutls_init() flags, certificate authorities extension,
   and key usage limits. TLS1.3 draft-28 support can be enabled by default if
   the option --enable-tls13-support is given to configure script.

** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
   earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings,
   TLS 1.3 will be disabled. When Anonymous ciphersuites are specified in priority
   strings, then TLS 1.3 negotiation will be disabled if the session is associated
   only with an anonymous credentials structure.

** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
   This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12,
   and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
   256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357),
   and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
   as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
   priority strings, as they are undefined under TLS1.3 and they provide no advantage
   over other options in earlier protocols.

** The SSL 3.0 protocol is disabled at compile time by default. It can be re-enabled
   by specifying --enable-ssl3-support on the configure script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
   operations.

** libgnutls: Introduced low-level function to assist applications attempting client
   hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
   modifications to the certificate. That prevents DER re-encoding issues with incorrectly
   encoded certificates, or other DER incompatibilities to affect a TLS session.
   Relates with #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
   which are preferred by the server. That unfortunately has complicated semantics
   as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering,
   which could make group order unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
   and Adi Shamir reported that the existing counter-measures had certain issues and
   were insufficient when the attacker has additional access to the CPU cache and
   performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
   of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
   GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
   change for these functions which makes them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().

** certtool: It is now possible to specify certificate and serial CRL numbers greater
   than 2**63-2 as a hex-encoded string both when prompted and in a template file.
   Default certificate serial numbers are now fully random. Default CRL
   numbers include more random bits and are larger than in previous GnuTLS versions.
   Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually
   if you intend to later downgrade to previous versions as it was not possible
   to specify large CRL numbers in previous versions of certtool.
2018-08-16 11:05:47 +00:00
prlw1
5f3352e029 Update gnutls to 3.6.2
* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considering the rest of the
   padding as part of the data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added


* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, there is no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support on the server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signatures with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.
2018-07-06 16:15:28 +00:00
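The CBC data-MTU arithmetic described in the release notes above, worked through as an added example. This is not GnuTLS code: it is a stand-alone Python model of a MAC-then-encrypt CBC record, and the header, explicit-IV, MAC and block sizes are parameters I am assuming for a generic DTLS/TLS record rather than values taken from the library.

```python
"""CBC data-MTU arithmetic for a TLS/DTLS record (MAC-then-encrypt)."""


def cbc_record_size(data_len, block_size, mac_size, header_len=13, iv_len=16):
    """Bytes on the wire for data_len plaintext bytes.

    The encrypted body is data || MAC || padding || padding_length, rounded up
    to a multiple of block_size; the explicit IV (TLS 1.1+/DTLS) is prepended.
    header_len=13 is the DTLS record header; use 5 for plain TLS.
    """
    body = data_len + mac_size + 1                 # +1: the padding_length octet
    padded = -(-body // block_size) * block_size   # round up to a block multiple
    return header_len + iv_len + padded


def cbc_data_mtu(record_mtu, block_size, mac_size, header_len=13, iv_len=16):
    """Largest data_len whose record fits in record_mtu.

    Only the padding_length octet is charged as fixed overhead. The remaining
    padding is whatever is left between the data and the next block boundary,
    so it is part of the data budget rather than subtracted from it.
    """
    room = record_mtu - header_len - iv_len        # space for the encrypted body
    usable = room - room % block_size              # whole blocks only
    return max(usable - mac_size - 1, 0)


def data_mtu_is_tight(record_mtu, block_size, mac_size, header_len=13, iv_len=16):
    """Self-check: the computed data MTU fits, and one more byte does not."""
    d = cbc_data_mtu(record_mtu, block_size, mac_size, header_len, iv_len)
    fits = cbc_record_size(d, block_size, mac_size, header_len, iv_len) <= record_mtu
    overflows = cbc_record_size(d + 1, block_size, mac_size, header_len, iv_len) > record_mtu
    return fits and overflows


if __name__ == "__main__":
    # Path MTU 1400, AES-128-CBC (16-byte blocks), HMAC-SHA1 (20-byte MAC), DTLS header.
    print(cbc_data_mtu(1400, 16, 20))     # 1339
    print(cbc_record_size(1339, 16, 20))  # 1389, fits in 1400
    print(cbc_record_size(1340, 16, 20))  # 1405, one byte more pushes into a new block
```

With a 1400-byte path MTU the data budget is 1339 bytes: 1400 minus 13 (header) minus 16 (IV) leaves 1371, of which 85 whole blocks (1360 bytes) are usable, minus the 20-byte MAC and the single padding_length octet. Charging a full block of padding as overhead instead would undercount the budget by up to block_size - 1 bytes.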
wiz
734d23c41f gnutls: Bump PKGREVISION for dependency removal 2018-06-04 16:12:52 +00:00
leot
d3cd3d010f gnutls: Fix build if devel/autogen package is installed
Without including the autogen bl3 if devel/autogen package was
installed autogen (the tool) was used but then the build failed
because it tried to include <autoopts/options.h> unconditionally.

Add `--enable-local-libopts' to CONFIGURE_ARGS to avoid that.
2018-06-04 12:45:47 +00:00
youri
1785037f47 Remove autogen dependency and make pkglint happy. 2018-06-04 11:16:12 +00:00
dholland
8a8150b5cb Bump PKGREVISION for previous. 2018-04-29 06:00:39 +00:00
dholland
aad8206af6 Set BUILDLINK_API_DEPENDS.gmp to require gmp>=5.0, per PR 52250.
Otherwise on Solaris it finds a really old builtin gmp and fails.
2018-04-29 04:09:08 +00:00
wiz
a81318c607 Commit missing part of gnutls recursive bump.
Noted by Patrick Welche.
2018-04-19 22:12:25 +00:00
wiz
e03e208e97 gnutls: enable p11-kit.
PKCS#11 support is needed by glib-networking.
2018-04-17 13:28:53 +00:00
wiz
7f4cff1709 Updated gnutls to 3.6.0.
* Version 3.6.0 (released 2017-08-21)

** libgnutls: tlsfuzzer is part of the CI testsuite. This is a TLS testing and
   fuzzing toolkit, allowing for corner case testing, and ensuring that the
   behavior of the library will not change across releases.
   https://github.com/tomato42/tlsfuzzer

** libgnutls: Introduced a lock-free random generator which operates per-thread
   and eliminates random-generator related bottlenecks in multi-threaded operation.
   Resolves gitlab issue #141.
   http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html

** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA.
   The goal is to reduce code needed in cache (CHACHA is also used for TLS),
   and the number of primitives used by the library. That does not affect the
   AES-DRBG random generator used in FIPS140-2 mode.

** libgnutls: Added support for RSA-PSS key type as well as signatures in
   certificates, and TLS key exchange. Contributed by Daiki Ueno.
   RSA-PSS signatures can be generated by RSA-PSS keys and normal RSA keys,
   but not vice-versa.  The feature includes:
     * RSA-PSS key generation and key handling (in PKCS#8 form)
     * RSA-PSS key generation and key handling from PKCS#11 (with CKM_RSA_PKCS_PSS mech)
     * Handling of RSA-PSS subjectPublicKeyInfo parameters, when present
       in either the private key or certificate.
     * RSA-PSS signing and verification of PKIX certificates
     * RSA-PSS signing and verification of TLS 1.2 handshake
     * RSA-PSS signing and verification of PKCS#7 structures
     * RSA-PSS and RSA key combinations for TLS credentials. That is, when
       multiple keys are supplied, RSA-PSS keys are preferred over RSA for RSA-PSS
       TLS signatures, to contain risks of cross-protocol attacks between the algorithms.
     * RSA-PSS key conversion to RSA PKCS#1 form (certtool --to-rsa)
   Note that RSA-PSS signatures with SHA1 are (intentionally) not supported.

** libgnutls: Added support for Ed25519 signing in certificates and TLS key
   exchange following draft-ietf-tls-rfc4492bis-17.  The feature includes:
     * Ed25519 key generation and key handling (in PKCS#8 form)
     * Ed25519 signing and verification of PKIX certificates
     * Ed25519 signing and verification of TLS 1.2 handshake
     * Ed25519 signing and verification of PKCS#7 structures

** libgnutls: Enabled X25519 key exchange by default, following draft-ietf-tls-rfc4492bis-17.

** libgnutls: Added support for Diffie-Hellman group negotiation following RFC7919.
   That makes the DH parameters negotiation more robust and less prone to errors
   due to insecure parameters. Servers are no longer required to specify explicit
   DH parameters, though if they do these parameters will be used. Group
   selection can be done via priority strings. The introduced strings are
   GROUP-ALL, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and
   GROUP-FFDHE8192, as well as the groups corresponding to curves. Note that
   the 6144 group from RFC7919 is not supported.

** libgnutls: Introduced various sanity checks on certificate import. Refuse
   to import certificates which have fractional seconds in Time fields, X.509v1
   certificates which have the unique identifiers set, and certificates with illegal
   version numbers. All of these are prohibited by RFC5280.

** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags
   in the crt structure. The only flag supported at the moment is
   GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the certificate sanity
   checks on import.

** libgnutls: PKIX certificates with unknown critical extensions are rejected
   on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This
   behavior can be overridden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
   to verification functions. Resolves gitlab issue #177.

** libgnutls: Refuse to generate a certificate with an illegal version, or an
   illegal serial number. That is, gnutls_x509_crt_set_version() and
   gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
   in RFC5280.

** libgnutls: Calls to gnutls_record_send() and gnutls_record_recv()
   prior to handshake being complete are now refused. Addresses gitlab issue #158.

** libgnutls: Added support for PKCS#12 files with no salt (zero length) in their
   password encoding, and PKCS#12 files using SHA384 and SHA512 as MAC.

** libgnutls: Exported functions to encode and decode DSA and ECDSA r,s values.

** libgnutls: Added new callback setting function to gnutls_privkey_t for external
   keys. The new function (gnutls_privkey_import_ext4), allows signing in addition
   to previous algorithms (RSA PKCS#1 1.5, DSA, ECDSA), with RSA-PSS and Ed25519
   keys.

** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1
   priority string options. These allow enabling all broken and SHA1-based signature
   algorithms in certificate verification, respectively.

** libgnutls: 3DES-CBC is no longer included in the default priorities
   list. It has to be explicitly enabled, e.g., with a string like
   "NORMAL:+3DES-CBC".

** libgnutls: SHA1 was marked as insecure for signing certificates. Verification
   of certificates signed with SHA1 is now considered insecure and will
   fail, unless flags intended to enable broken algorithms are set. Other uses
   of SHA1 are still allowed. This can be reverted at compile time with the configure
   flag --enable-sha1-support.

** libgnutls: RIPEMD160 was marked as insecure for certificate signatures. Verification
   of certificates signed with RIPEMD160 hash algorithm is now considered insecure and
   will fail, unless flags intended to enable broken algorithms are set.

** libgnutls: No longer enable SECP192R1 and SECP224R1 by default on TLS handshakes.
   These curves were rarely used for that purpose, provide no advantage over
   x25519 and were deprecated by TLS 1.3.

** libgnutls: Removed support for DEFLATE, or any other compression method.

** libgnutls: OpenPGP authentication was removed; the resulting library is ABI
   compatible, with the openpgp related functions being stubs that fail
   on invocation.

** libgnutls: Removed support for libidn (i.e., IDNA2003); gnutls can now be compiled
   only with libidn2 which provides IDNA2008.

** certtool: The option '--load-ca-certificate' can now accept PKCS#11
   URLs in addition to files.

** certtool: The option '--load-crl' can now be used when generating PKCS#12
   files (i.e., in conjunction with '--to-p12' option).

** certtool: Keys with provable RSA and DSA parameters are now only read and
   exported from PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
   This removes support for the previous non-standard key format.

** certtool: Added support for generating, printing and handling RSA-PSS and
   Ed25519 keys and certificates.

** certtool: the parameters --rsa, --dsa and --ecdsa to --generate-privkey are now
   deprecated, replaced by the --key-type option.

** p11tool: The --generate-rsa, --generate-ecc and --generate-dsa options were
   replaced by the --generate-privkey option.

** psktool: Generate 256-bit keys by default.

** gnutls-server: Increase request buffer size to 16kb, and added the --alpn and
   --alpn-fatal options, allowing testing of ALPN negotiation.

** API and ABI modifications:
gnutls_encode_rs_value: Added
gnutls_decode_rs_value: Added
gnutls_base64_encode2: Added
gnutls_base64_decode2: Added
gnutls_x509_crt_set_flags: Added
gnutls_x509_crt_check_ip: Added
gnutls_x509_ext_import_inhibit_anypolicy: Added
gnutls_x509_ext_export_inhibit_anypolicy: Added
gnutls_x509_crt_get_inhibit_anypolicy: Added
gnutls_x509_crt_set_inhibit_anypolicy: Added
gnutls_pubkey_export_rsa_raw2: Added
gnutls_pubkey_export_dsa_raw2: Added
gnutls_pubkey_export_ecc_raw2: Added
gnutls_privkey_export_rsa_raw2: Added
gnutls_privkey_export_dsa_raw2: Added
gnutls_privkey_export_ecc_raw2: Added
gnutls_x509_spki_init: Added
gnutls_x509_spki_deinit: Added
gnutls_x509_spki_get_pk_algorithm: Added
gnutls_x509_spki_set_pk_algorithm: Added
gnutls_x509_spki_get_digest_algorithm: Added
gnutls_x509_spki_set_digest_algorithm: Added
gnutls_x509_spki_get_salt_size: Added
gnutls_x509_spki_set_salt_size: Added
gnutls_x509_crt_set_spki: Added
gnutls_x509_crt_get_spki: Added
gnutls_x509_privkey_get_spki: Added
gnutls_x509_privkey_set_spki: Added
gnutls_x509_crq_get_spki: Added
gnutls_x509_crq_set_spki: Added
gnutls_pubkey_set_spki: Added
gnutls_pubkey_get_spki: Added
gnutls_privkey_set_spki: Added
gnutls_privkey_get_spki: Added
gnutls_privkey_import_ext4: Added
GNUTLS_EXPORT_FLAG_NO_LZ: Added
GNUTLS_DT_IP_ADDRESS: Added
GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: Added
GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_SFLAGS_RFC7919: Added
2017-09-06 13:41:26 +00:00
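The 3.6.0 notes above list three import-time sanity checks (fractional seconds in Time fields, unique identifiers in an X.509v1 certificate, illegal version numbers) and two generation-time refusals (illegal version, illegal serial). The following is an added example that implements those RFC 5280 rules over already-decoded tbsCertificate fields; it is Python written for this page, not the library's C, and the `tbs` dict layout, the field names and the `ignore_sanity` switch (modelled on an ignore-sanity import flag) are my assumptions. Sample inputs are constructed, not real certificates.

```python
import re

# RFC 5280 4.1.2.5: UTCTime is exactly YYMMDDHHMMSSZ and GeneralizedTime is
# exactly YYYYMMDDHHMMSSZ. Neither may carry fractional seconds or a UTC offset.
_UTC_TIME = re.compile(rb"^\d{12}Z$")
_GEN_TIME = re.compile(rb"^\d{14}Z$")


def time_problems(tag, value):
    """Reasons `value` is not a valid RFC 5280 Time.

    `tag` is the ASN.1 tag byte: 0x17 UTCTime, 0x18 GeneralizedTime.
    """
    problems = []
    if tag == 0x17:
        if not _UTC_TIME.match(value):
            problems.append("UTCTime not in YYMMDDHHMMSSZ form: %r" % value)
    elif tag == 0x18:
        if not _GEN_TIME.match(value):
            problems.append("GeneralizedTime not in YYYYMMDDHHMMSSZ form: %r" % value)
        elif int(value[:4]) < 2050:
            # Dates through 2049 MUST be UTCTime; GeneralizedTime is for 2050 onwards.
            problems.append("GeneralizedTime used for a year before 2050: %r" % value)
    else:
        problems.append("unexpected Time tag 0x%02x" % tag)
    return problems


def version_ok(version):
    """The version INTEGER is 0, 1 or 2 (v1, v2, v3); anything else is illegal."""
    return version in (0, 1, 2)


def serial_ok(serial):
    """RFC 5280 4.1.2.2: a positive integer, at most 20 octets when DER-encoded.

    DER INTEGER is two's complement, so a value whose top bit is set needs one
    extra 0x00 octet; (bit_length + 8) // 8 accounts for that.
    """
    if serial <= 0:
        return False
    return (serial.bit_length() + 8) // 8 <= 20


def sanity_problems(tbs, ignore_sanity=False):
    """Check a decoded tbsCertificate for the conditions listed above.

    tbs keys (assumed layout): version (int), serial (int), not_before and
    not_after ((tag, bytes) pairs), issuer_uid / subject_uid (bool, present?).
    ignore_sanity=True skips every check, like an ignore-sanity import flag.
    """
    if ignore_sanity:
        return []
    problems = []
    if not version_ok(tbs["version"]):
        problems.append("illegal version %r" % tbs["version"])
    if not serial_ok(tbs["serial"]):
        problems.append("illegal serial number %r" % tbs["serial"])
    if tbs["version"] == 0 and (tbs.get("issuer_uid") or tbs.get("subject_uid")):
        # issuerUniqueID / subjectUniqueID only exist from v2 onwards.
        problems.append("X.509v1 certificate carries unique identifiers")
    for field in ("not_before", "not_after"):
        tag, value = tbs[field]
        problems += ["%s: %s" % (field, p) for p in time_problems(tag, value)]
    return problems


# Constructed sample inputs (not real certificates).
GOOD_TBS = {"version": 2, "serial": 0x1234,
            "not_before": (0x17, b"170821000000Z"),
            "not_after": (0x17, b"180821000000Z")}
BAD_TBS = {"version": 0, "serial": 0, "issuer_uid": True,
           "not_before": (0x18, b"20170821000000.5Z"),   # fractional seconds
           "not_after": (0x17, b"180821000000Z")}

if __name__ == "__main__":
    print(sanity_problems(GOOD_TBS))   # []
    for p in sanity_problems(BAD_TBS):  # serial, v1 unique ids, fractional seconds
        print("reject:", p)
```

The serial check is the one that trips real-world tooling most often: a 20-octet limit on the DER content means a 160-bit random serial with its top bit set already needs 21 octets and is refused, which is why generators commonly use 159 random bits or clear the top bit.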
wiz
7f217e7c72 Updated gnutls to 3.5.15.
* Version 3.5.15 (released 2017-08-21)

** libgnutls: Disable hardware acceleration on aarch64/ilp32 mode. There is
   no assembler code included for this CPU mode.

** certtool: Keys with provable RSA and DSA parameters are now only exported
   in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
   This removes the need for a non-standard key format.

** API and ABI modifications:
No changes since last version.


* Version 3.5.14 (released 2017-07-04)

** libgnutls: Handle specially HSMs which request explicit authentication.
   There are HSMs which return CKR_USER_NOT_LOGGED_IN on the first private key
   operation. Detect that state and try to login.

** libgnutls: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs.
   That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag
   a login will be forced. This improves operation on certain Safenet HSMs.

** libgnutls: do not set leading zeros when copying integers on HSMs.
   PKCS#11 defines integers as unsigned having most significant byte
   first, e.g., 32768 = 0x80 0x00. This is interpreted literally by
   some HSMs which do not accept an integer with a leading zero. This
   improves operation with certain Atos HSMs.

** libgnutls: Fixed issue discovering certain OCSP signers, and improved the
   discovery of OCSP signer in the case where the Subject Public Key
   identifier field matches. Resolves gitlab issue #223.

** gnutls-cli: ensure OCSP responses are saved with --save-ocsp even if
   certificate verification fails.

** API and ABI modifications:
No changes since last version.
2017-08-31 10:18:12 +00:00
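The 3.5.14 note about leading zeros comes from a mismatch between two integer encodings: DER INTEGER is two's complement, so a positive value whose top bit is set must be prefixed with 0x00, whereas a PKCS#11 "Big integer" attribute is plain unsigned big-endian with no sign octet. The following added example (written for this page, not taken from GnuTLS or p11-kit) encodes both forms and converts a DER INTEGER such as an RSA modulus into what a strict HSM expects, refusing negative values rather than silently feeding them to the token.

```python
"""DER INTEGER versus PKCS#11 big-integer encoding, and conversion between them."""


def pkcs11_big_integer(n):
    """PKCS#11 'Big integer' attribute value: unsigned, big-endian, no sign octet.

    32768 -> 80 00 (not 00 80 00).
    """
    if n < 0:
        raise ValueError("PKCS#11 big integers are unsigned")
    if n == 0:
        return b"\x00"
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def der_length(n):
    """DER length octets: short form below 0x80, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_integer(n):
    """DER INTEGER TLV for a non-negative n (two's complement content).

    (bit_length + 8) // 8 yields one extra octet exactly when the top bit of
    the first content octet would be set, which is the mandatory 0x00 prefix.
    """
    if n < 0:
        raise ValueError("only non-negative values are handled here")
    content = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(content)) + content


def der_integer_to_pkcs11(tlv):
    """Convert a DER INTEGER TLV (e.g. an RSA modulus from a PKCS#1/PKCS#8 blob)
    into the unsigned big-endian form a PKCS#11 token expects.

    Strips tag, length and every leading 0x00 content octet; refuses negative
    values, which have no PKCS#11 big-integer representation.
    """
    if tlv[0:1] != b"\x02":
        raise ValueError("not a DER INTEGER")
    first = tlv[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        nbytes = first & 0x7F
        hdr = 2 + nbytes
        length = int.from_bytes(tlv[2:hdr], "big")
    content = tlv[hdr:hdr + length]
    if not content or len(content) != length:
        raise ValueError("truncated DER INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative INTEGER cannot be a PKCS#11 big integer")
    return content.lstrip(b"\x00") or b"\x00"


if __name__ == "__main__":
    print(pkcs11_big_integer(32768).hex())                   # 8000
    print(der_integer(32768).hex())                          # 0203008000
    print(der_integer_to_pkcs11(der_integer(32768)).hex())   # 8000
```

A 2048-bit RSA modulus always has its top bit set, so its DER content is 257 octets while the CKA_MODULUS value must be exactly 256; copying the DER content verbatim is precisely the leading-zero bug the note describes.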
jmcneill
9a23429687 Make sure the configure script picks up the correct copy of libintl 2017-08-22 12:05:45 +00:00
jlam
158b53db09 DOCDIR is not defined anywhere in the Makefile. 2017-08-08 16:38:41 +00:00
wiz
e41d4ca947 Updated gnutls to 3.5.13.
While here, remove empty line from PLIST.

* Version 3.5.13 (released 2017-06-07)

** libgnutls: fixed issue with AES-GCM in-place encryption and decryption in
   aarch64. Resolves gitlab issue #204.

** libgnutls: no longer parse the ResponseID field of the status response
   TLS extension. The field is not used by GnuTLS nor is made available to
   calling applications. That addresses a null pointer dereference on server
   side caused by packets containing the ResponseID field. Reported
   by Hubert Kario. [GNUTLS-SA-2017-4]

** libgnutls: tolerate certificates which do not have strict DER time encoding.
   It is possible using 3rd party tools to generate certificates with time fields
   that do not conform to DER requirements. Since 3.4.x these certificates were rejected
   and could not be used with GnuTLS; however, that caused problems with existing private
   certificate infrastructures, which were relying on such certificates (see gitlab
   issue #196). Tolerate reading and using these certificates.

** minitasn1: updated to libtasn1 4.11.

** certtool: allow multiple certificates to be used in --p7-sign with
   the --load-certificate option. Patch by Karl Tarbe.
2017-06-30 06:15:44 +00:00
he
1b2345588f Update to GnuTLS 3.5.12.
Pkgsrc changes:
Adapt PLIST.

Upstream changes:

* Version 3.5.12 (released 2017-05-11)

** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.

** libgnutls: when converting to IDNA2008, fallback to IDNA2003
   (i.e., transitional encoding) if the domain cannot be converted.
   That provides maximum compatibility with browsers like Firefox
   that perform the same conversion.

** libgnutls: fix issue in RSA-PSK client callback which resulted
   in no username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: fix regression causing stapled extensions in trust modules not
   to be considered.

** certtool: introduced the email_protection_key option.  This
   option was introduced in documentation for certtool without an
   implementation of it.  It is a shortcut for option 'key_purpose_oid
   = 1.3.6.1.5.5.7.3.4'.

** certtool: made printing of key ID and key PIN consistent between
   certificates, public keys, and private keys. That is the private
   key printing now uses the same format as the rest.

** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
   hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.


* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using oss-fuzz project and were fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining
   trust store's root CA certificates. That is,
   gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a
   default trust store file in configure when building on MacOSX (unless
   explicitly asked to).  Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.


* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The
   libidn2 versions available do not include libidn2.pc, thus the
   inclusion was causing pkg-config issues. Instead we include
   -lidn2 in Libs.private when compiled against libidn2.

** libgnutls: optimized access to subject alternative names (SANs)
   in parsed certificates. The previous implementation assumed a
   small number of SANs in a certificate, with repeated calls to
   ASN.1 decoding of the extension without any intermediate caching.
   That caused delays in certificates with a long list of names in
   functions such as gnutls_x509_crt_check_hostname().  With the
   current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting in invalid memory
   write in OpenPGP certificate parsing. Issue found using oss-fuzz
   project:  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
   [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead to an out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.
2017-05-18 07:54:26 +00:00
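The 3.5.12 change to gnutls_x509_crt_check_hostname2() (an IP address the client connected to is no longer matched against the CN or dNSName entries) and the 3.6.0 GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES flag both come down to one rule: classify the reference identifier first, then compare it only against the SAN type of the same kind. The following added example implements that rule in Python; it is not the library's code, the `cert` dict layout is an assumption, the wildcard handling is a simplification of RFC 6125, and the CN fallback (used only when there are no dNSName SANs at all) is my reading of common practice rather than a statement of the library's exact behaviour. Sample certificates are constructed.

```python
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match with a single leading '*.' wildcard that
    covers exactly one label (simplified RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def check_hostname(cert, name, allow_ip_matches=True):
    """Does `cert` cover the reference identifier `name`?

    cert (assumed layout): 'dns_names' (dNSName SANs), 'ip_addresses'
    (iPAddress SANs, as strings) and 'cn' (subject commonName).

    An IP-literal `name` is compared only against iPAddress SANs, never
    against DNS names or the CN, so name constraints on iPAddress in the
    chain cannot be sidestepped by putting the address in a dNSName.
    A DNS `name` is compared only against dNSName SANs, falling back to the
    CN when the certificate has no dNSName SAN at all.
    allow_ip_matches=False refuses IP matching outright (cf. a
    DO_NOT_ALLOW_IP_MATCHES verification flag).
    """
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if not allow_ip_matches:
            return False
        # Parse both sides so textual variants ("2001:0db8::1") compare equal.
        return any(ipaddress.ip_address(s) == ip for s in cert.get("ip_addresses", []))
    dns_names = cert.get("dns_names", [])
    if dns_names:
        return any(_dns_match(p, name) for p in dns_names)
    cn = cert.get("cn")
    return bool(cn) and _dns_match(cn, name)


# Constructed samples, not real certificates.
# A server whose operator put the address both where it belongs (iPAddress)
# and where it does not (CN and a dNSName).
SAMPLE = {"cn": "203.0.113.10",
          "dns_names": ["www.example.com", "203.0.113.10"],
          "ip_addresses": ["203.0.113.10"]}
# The misconfiguration the old tolerant behaviour used to accept: the address
# appears only in DNS-typed fields.
MISCONFIGURED = {"cn": "203.0.113.10", "dns_names": ["203.0.113.10"]}

if __name__ == "__main__":
    print(check_hostname(SAMPLE, "www.example.com"))        # True
    print(check_hostname(SAMPLE, "203.0.113.10"))           # True, via iPAddress
    print(check_hostname(MISCONFIGURED, "203.0.113.10"))    # False, no iPAddress SAN
```

The MISCONFIGURED case is the one the old behaviour tolerated: a certificate that names an address only in DNS-typed fields now fails for IP connections, which is what keeps iPAddress name constraints in a parent CA meaningful.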
jperkin
74fbb72171 Avoid unsupported xgetbv instruction on older Darwin assemblers. 2017-04-10 10:43:49 +00:00
adam
61e05bb193 * Version 3.5.9 (released 2017-02-12)
** libgnutls: Removed any references to OpenPGP functionality in documentation,
   and marked all functions in openpgp.h as deprecated. That functionality
   is considered deprecated and should not be used for other reason than
   backwards compatibility.

** libgnutls: Improve detection of AVX support. In certain cases when
   the instruction was available on the host, but not on a VM running
   gnutls, detection could fail causing illegal instruction usage.

** libgnutls: Added support for IDNA2008 for internationalized DNS names.
   If gnutls is compiled using libidn2 (the latest version is recommended),
   it will support IDNA2008 instead of the now obsolete IDNA2003 standard.
   Resolves gitlab issue 150. Based on patch by Tim Ruehsen.

** p11tool: re-use ID from corresponding objects when writing certificates.
   That is, when writing a certificate which has a corresponding public key,
   or private key in the token, ensure that we use the same ID for the
   certificate.

** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added
2017-02-26 09:19:56 +00:00