Upstream changes:
================================================================================
## 0.30.0 - 2019-01-02
### Added
* Added the `update_account` subcommand for account management commands.
### Changed
* Copied account management functionality from the `register` subcommand
to the `update_account` subcommand.
* Marked usage `register --update-registration` for deprecation and
removal in a future release.
### Fixed
* Older modules in the josepy library can now be accessed through acme.jose
like it could in previous versions of acme. This is only done to preserve
backwards compatibility and support for doing this with new modules in josepy
will not be added. Users of the acme library should switch to using josepy
directly if they haven't done so already.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
More details about these changes can be found on our GitHub repo.
## 0.29.1 - 2018-12-05
### Added
*
### Changed
*
### Fixed
* The default work and log directories have been changed back to
/var/lib/letsencrypt and /var/log/letsencrypt respectively.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot
More details about these changes can be found on our GitHub repo.
## 0.29.0 - 2018-12-05
### Added
* Noninteractive renewals with `certbot renew` (those not started from a
terminal) now randomly sleep 1-480 seconds before beginning work in
order to spread out load spikes on the server side.
* Added External Account Binding support in cli and acme library.
Command line arguments --eab-kid and --eab-hmac-key added.
### Changed
* Private key permissioning changes: Renewal preserves existing group mode
& gid of previous private key material. Private keys for new
lineages (i.e. new certs, not renewed) default to 0o600.
### Fixed
* Update code and dependencies to clean up Resource and Deprecation Warnings.
* Only depend on imgconverter extension for Sphinx >= 1.6
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudflare
* certbot-dns-digitalocean
* certbot-dns-google
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/62?closed=1
## 0.28.0 - 2018-11-7
### Added
* `revoke` accepts `--cert-name`, and doesn't accept both `--cert-name` and `--cert-path`.
* Use the ACMEv2 newNonce endpoint when a new nonce is needed, and newNonce is available in the directory.
### Changed
* Removed documentation mentions of `#letsencrypt` IRC on Freenode.
* Write README to the base of (config-dir)/live directory
* `--manual` will explicitly warn users that earlier challenges should remain in place when setting up subsequent challenges.
* Warn when using deprecated acme.challenges.TLSSNI01
* Log warning about TLS-SNI deprecation in Certbot
* Stop preferring TLS-SNI in the Apache, Nginx, and standalone plugins
* OVH DNS plugin now relies on Lexicon>=2.7.14 to support HTTP proxies
* Default time the Linode plugin waits for DNS changes to propogate is now 1200 seconds.
### Fixed
* Match Nginx parser update in allowing variable names to start with `${`.
* Fix ranking of vhosts in Nginx so that all port-matching vhosts come first
* Correct OVH integration tests on machines without internet access.
* Stop caching the results of ipv6_info in http01.py
* Test fix for Route53 plugin to prevent boto3 making outgoing connections.
* The grammar used by Augeas parser in Apache plugin was updated to fix various parsing errors.
* The CloudXNS, DNSimple, DNS Made Easy, Gehirn, Linode, LuaDNS, NS1, OVH, and
Sakura Cloud DNS plugins are now compatible with Lexicon 3.0+.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* acme
* certbot
* certbot-apache
* certbot-dns-cloudxns
* certbot-dns-dnsimple
* certbot-dns-dnsmadeeasy
* certbot-dns-gehirn
* certbot-dns-linode
* certbot-dns-luadns
* certbot-dns-nsone
* certbot-dns-ovh
* certbot-dns-route53
* certbot-dns-sakuracloud
* certbot-nginx
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/59?closed=1
## 0.27.1 - 2018-09-06
### Fixed
* Fixed parameter name in OpenSUSE overrides for default parameters in the
Apache plugin. Certbot on OpenSUSE works again.
Despite us having broken lockstep, we are continuing to release new versions of
all Certbot components during releases for the time being, however, the only
package with changes other than its version number was:
* certbot-apache
More details about these changes can be found on our GitHub repo:
https://github.com/certbot/certbot/milestone/60?closed=1
Changelog:
2.3.4 (2018-08-21)
=========================
- Show all URL schemes in entry view [#1768]
- Disable merge when database is locked [#1975]
- Fix intermittent crashes with favorite icon downloads [#1980]
- Provide potential crash warning to Qt 5.5.x users [#2211]
- Disable apply button when creating new entry/group to prevent data loss [#2204]
- Allow for 12 hour timeout to lock idle database [#2173]
- Multiple SSH Agent fixes [#1981, #2117]
- Multiple Browser Integration enhancements [#1993, #2003, #2055, #2116, #2159, #2174, #2185]
- Fix browser proxy application not closing properly [#2142]
- Add real names and Patreon supporters to about dialog [#2214]
- Add settings button to toolbar, Donate button, and Report a Bug button to help menu [#2214]
- Enhancements to release-tool to appsign intermediate build products [#2101]
Version 1.0.17
- Bug fix: sodium_pad() didn't properly support block sizes >= 256 bytes.
- JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
module; fall back to Javascript on these.
- JS/WebAssembly: compatibility with newer Emscripten versions.
- Bug fix: crypto_pwhash_scryptsalsa208sha256_str_verify() and
crypto_pwhash_scryptsalsa208sha256_str_needs_rehash() didn't return
EINVAL on input strings with a short length, unlike their high-level
counterpart.
- Added a workaround for Visual Studio 2010 bug causing CPU features
not to be detected.
- Portability improvements.
- Test vectors from Project Wycheproof have been added.
- New low-level APIs for arithmetic mod the order of the prime order group:
crypto_core_ed25519_scalar_random(), crypto_core_ed25519_scalar_reduce(),
crypto_core_ed25519_scalar_invert(), crypto_core_ed25519_scalar_negate(),
crypto_core_ed25519_scalar_complement(), crypto_core_ed25519_scalar_add()
and crypto_core_ed25519_scalar_sub().
- New low-level APIs for scalar multiplication without clamping:
crypto_scalarmult_ed25519_base_noclamp() and
crypto_scalarmult_ed25519_noclamp(). These new APIs are especially useful
for blinding.
- sodium_sub() has been implemented.
- Support for WatchOS has been added.
- getrandom(2) is now used on FreeBSD 12+.
- The nonnull attribute has been added to all relevant prototypes.
- More reliable AVX512 detection.
- Javascript/Webassembly builds now use dynamic memory growth.
Revision 0.4.5:
- Debug logging refactored for more efficiency when disabled and
for more functionality when in use. Specifically, the global
LOG object can easily be used from any function/method, not just
from codec main loop as it used to be.
- More debug logging added to BER family of codecs to ease encoding
problems troubleshooting.
- Copyright notice extended to the year 2019
- Fixed defaulted constructed SEQUENCE component initialization.
18.1.0
- pyOpenSSL is optional now if you use service_identity.cryptography.* only.
- Added support for iPAddress subjectAltName\ s.
You can now verify whether a connection or a certificate is valid for an IP address using service_identity.pyopenssl.verify_ip_address() and service_identity.cryptography.verify_certificate_ip_address().
Major changes in 1.16.2
This is a bug fix release.
Fix bugs with concurrent use of MEMORY ccache handles.
Fix a KDC crash when falling back between multiple OTP tokens configured for a principal entry.
Fix memory bugs when gss_add_cred() is used to create a new credential, and fix a bug where it ignores the desired_name.
Fix the behavior of gss_inquire_cred_by_mech() when the credential does not contain an element of the requested mechanism.
Make cross-realm S4U2Self requests work on the client when no default_realm is configured.
Add a kerberos(7) man page containing documentation of the environment variables that affect Kerberos programs.
= mbed TLS 2.14.1 branch released 2018-11-30
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
= mbed TLS 2.14.0 branch released 2018-11-19
Security
* Fix overly strict DN comparison when looking for CRLs belonging to a
particular CA. This previously led to ignoring CRLs when the CRL's issuer
name and the CA's subject name differed in their string encoding (e.g.,
one using PrintableString and the other UTF8String) or in the choice of
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
#1784.
* Fix a flawed bounds check in server PSK hint parsing. In case the
incoming message buffer was placed within the first 64KiB of address
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
to trigger a memory access up to 64KiB beyond the incoming message buffer,
potentially leading to an application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
primes with high probability. This does not have an impact on the
security of TLS, but can matter in other contexts with numbers chosen
potentially by an adversary that should be prime and can be validated.
For example, the number of rounds was enough to securely generate RSA key
pairs or Diffie-Hellman parameters, but was insufficient to validate
Diffie-Hellman parameters properly.
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
Kenneth G. Paterson and Juraj Somorovsky.
Features
* Add support for temporarily suspending expensive ECC computations after
some configurable amount of operations. This is intended to be used in
constrained, single-threaded systems where ECC is time consuming and can
block other operations until they complete. This is disabled by default,
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
yet), and to existing functions in ECDH and SSL (currently only
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
including client authentication).
* Add support for Arm CPU DSP extensions to accelerate asymmetric key
operations. On CPUs where the extensions are available, they can accelerate
MPI multiplications used in ECC and RSA cryptography. Contributed by
Aurelien Jarno.
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
signature always used a salt with the same length as the hash, and returned
an error if this was not possible. Now the salt size may be up to two bytes
shorter. This allows the library to support all hash and signature sizes
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
than 256 bits limits the security of generated material to 128 bits.
API Changes
* Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
a feature that is not supported by underlying alternative
implementations implementing cryptographic primitives. This is useful for
hardware accelerators that don't implement all options or features.
New deprecations
* All module specific errors following the form
MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
supported are deprecated and are now replaced by the new equivalent
platform error.
* All module specific generic hardware acceleration errors following the
form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
by the equivalent plaform error.
* Deprecate the function mbedtls_mpi_is_prime() in favor of
mbedtls_mpi_is_prime_ext() which allows specifying the number of
Miller-Rabin rounds.
Bugfix
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
application leading to a memory leak in case both
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
Fixes#2069.
* Fix a bug in the update function for SSL ticket keys which previously
invalidated keys of a lifetime of less than a 1s. Fixes#1968.
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
* Fix a bug in the record decryption routine ssl_decrypt_buf()
which lead to accepting properly authenticated but improperly
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
* Fix memory leak and freeing without initialization in the example
program programs/x509/cert_write. Fixes#1422.
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes#1091.
* Zeroize memory used for buffering or reassembling handshake messages
after use.
* Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
of sensitive data in the example programs aescrypt2 and crypt_and_hash.
* Change the default string format used for various X.509 DN attributes to
UTF8String. Previously, the use of the PrintableString format led to
wildcards and non-ASCII characters being unusable in some DN attributes.
Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
Thomas-Dee.
* Fix compilation failure for configurations which use compile time
replacements of standard calloc/free functions through the macros
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
Reported by ole-de and ddhome2006. Fixes#882, #1642 and #1706.
Changes
* Removed support for Yotta as a build tool.
* Add tests for session resumption in DTLS.
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
* Change the dtls_client and dtls_server samples to work by default over
IPv6 and optionally by a build option over IPv4.
* Change the use of Windows threading to use Microsoft Visual C++ runtime
calls, rather than Win32 API calls directly. This is necessary to avoid
conflict with C runtime usage. Found and fixed by irwir.
* Remember the string format of X.509 DN attributes when replicating
X.509 DNs. Previously, DN attributes were always written in their default
string format (mostly PrintableString), which could lead to CRTs being
created which used PrintableStrings in the issuer field even though the
signing CA used UTF8Strings in its subject field; while X.509 compliant,
such CRTs were rejected in some applications, e.g. some versions of
Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
Thomas-Dee.
* Improve documentation of mbedtls_ssl_get_verify_result().
Fixes#517 reported by github-monoculture.
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
use it to reduce error probability in RSA key generation to levels mandated
by FIPS-186-4.
= mbed TLS 2.13.1 branch released 2018-09-06
API Changes
* Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
whose implementation should behave as a thread-safe version of gmtime().
This allows users to configure such an implementation at compile time when
the target system cannot be deduced automatically, by setting the option
MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
automatically select implementations for Windows and POSIX C libraries.
Bugfix
* Fix build failures on platforms where only gmtime() is available but
neither gmtime_r() nor gmtime_s() are present. Fixes#1907.
= mbed TLS 2.13.0 branch released 2018-08-31
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing. In case of receiving malformed
input (extensions length field equal to 0), an illegal read of one byte
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
Features
* Add support for fragmentation of outgoing DTLS handshake messages. This
is controlled by the maximum fragment length as set locally or negotiated
with the peer, as well as by a new per-connection MTU option, set using
mbedtls_ssl_set_mtu().
* Add support for auto-adjustment of MTU to a safe value during the
handshake when flights do not get through (RFC 6347, section 4.1.1.1,
last paragraph).
* Add support for packing multiple records within a single datagram,
enabled by default.
* Add support for buffering out-of-order handshake messages in DTLS.
The maximum amount of RAM used for this can be controlled by the
compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
in mbedtls/config.h.
API Changes
* Add function mbedtls_ssl_set_datagram_packing() to configure
the use of datagram packing (enabled by default).
Bugfix
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
failure in the function could lead to other buffers being leaked.
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
Fix contributed by Espressif Systems.
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
* Replace printf with mbedtls_printf in the ARIA module. Found by
TrinityTonic in #1908.
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes#1941.
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
with TLS versions 1.1 and earlier when the server requested authentication
without providing a list of CAs. This was due to an overly strict bounds
check in parsing the CertificateRequest message,
introduced in Mbed TLS 2.12.0. Fixes#1954.
* Fix a miscalculation of the maximum record expansion in
mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes#1913, #1914.
* Fix undefined shifts with negative values in certificates parsing
(found by Catena cyber using oss-fuzz)
* Fix memory leak and free without initialization in pk_encrypt
and pk_decrypt example programs. Reported by Brace Stout. Fixes#1128.
* Remove redundant else statement. Raised by irwir. Fixes#1776.
Changes
* Copy headers preserving timestamps when doing a "make install".
Contributed by xueruini.
* Allow the forward declaration of public structs. Contributed by Dawid
Drozd. Fixes#1215 raised by randombit.
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
* Add support for buffering of out-of-order handshake messages.
* Add warnings to the documentation of the HKDF module to reduce the risk
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
functions. Fixes#1775. Reported by Brian J. Murray.
= mbed TLS 2.12.0 branch released 2018-07-25
Security
* Fix a vulnerability in TLS ciphersuites based on CBC and using SHA-384,
in (D)TLS 1.0 to 1.2, that allowed an active network attacker to
partially recover the plaintext of messages under some conditions by
exploiting timing measurements. With DTLS, the attacker could perform
this recovery by sending many messages in the same connection. With TLS
or if mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only
worked if the same secret (for example a HTTP Cookie) has been repeatedly
sent over connections manipulated by the attacker. Connections using GCM
or CCM instead of CBC, using hash sizes other than SHA-384, or using
Encrypt-then-Mac (RFC 7366) were not affected. The vulnerability was
caused by a miscalculation (for SHA-384) in a countermeasure to the
original Lucky 13 attack. Found by Kenny Paterson, Eyal Ronen and Adi
Shamir.
* Fix a vulnerability in TLS ciphersuites based on CBC, in (D)TLS 1.0 to
1.2, that allowed a local attacker, able to execute code on the local
machine as well as manipulate network packets, to partially recover the
plaintext of messages under some conditions by using a cache attack
targetting an internal MD/SHA buffer. With TLS or if
mbedtls_ssl_conf_dtls_badmac_limit() was used, the attack only worked if
the same secret (for example a HTTP Cookie) has been repeatedly sent over
connections manipulated by the attacker. Connections using GCM or CCM
instead of CBC or using Encrypt-then-Mac (RFC 7366) were not affected.
Found by Kenny Paterson, Eyal Ronen and Adi Shamir.
* Add a counter-measure against a vulnerability in TLS ciphersuites based
on CBC, in (D)TLS 1.0 to 1.2, that allowed a local attacker, able to
execute code on the local machine as well as manipulate network packets,
to partially recover the plaintext of messages under some conditions (see
previous entry) by using a cache attack targeting the SSL input record
buffer. Connections using GCM or CCM instead of CBC or using
Encrypt-then-Mac (RFC 7366) were not affected. Found by Kenny Paterson,
Eyal Ronen and Adi Shamir.
Features
* Add new crypto primitives from RFC 7539: stream cipher Chacha20, one-time
authenticator Poly1305 and AEAD construct Chacha20-Poly1305. Contributed
by Daniel King.
* Add support for CHACHA20-POLY1305 ciphersuites from RFC 7905.
* Add platform support for the Haiku OS. (https://www.haiku-os.org).
Contributed by Augustin Cavalier.
* Make the receive and transmit buffers independent sizes, for situations
where the outgoing buffer can be fixed at a smaller size than the incoming
buffer, which can save some RAM. If buffer lengths are kept equal, there
is no functional difference. Contributed by Angus Gratton, and also
independently contributed again by Paul Sokolovsky.
* Add support for key wrapping modes based on AES as defined by
NIST SP 800-38F algorithms KW and KWP and by RFC 3394 and RFC 5649.
Bugfix
* Fix the key_app_writer example which was writing a leading zero byte which
was creating an invalid ASN.1 tag. Found by Aryeh R. Fixes#1257.
* Fix compilation error on C++, because of a variable named new.
Found and fixed by Hirotaka Niisato in #1783.
* Fix "no symbols" warning issued by ranlib when building on Mac OS X. Fix
contributed by tabascoeye.
* Clarify documentation for mbedtls_ssl_write() to include 0 as a valid
return value. Found by @davidwu2000. #839
* Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber,
Philippe Antoine. Fixes#1623.
* Remove unused headers included in x509.c. Found by Chris Hanson and fixed
by Brendan Shanks. Part of a fix for #992.
* Fix compilation error when MBEDTLS_ARC4_C is disabled and
MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
* Added length checks to some TLS parsing functions. Found and fixed by
Philippe Antoine from Catena cyber. #1663.
* Fix the inline assembly for the MPI multiply helper function for i386 and
i386 with SSE2. Found by László Langó. Fixes#1550
* Fix namespacing in header files. Remove the `mbedtls` namespacing in
the `#include` in the header files. Resolves#857
* Fix compiler warning of 'use before initialisation' in
mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid
Drozd. #1098
* Fix decryption for zero length messages (which contain all padding) when a
CBC based ciphersuite is used together with Encrypt-then-MAC. Previously,
such a message was wrongly reported as an invalid record and therefore lead
to the connection being terminated. Seen most often with OpenSSL using
TLS 1.0. Reported by @kFYatek and by Conor Murphy on the forum. Fix
contributed by Espressif Systems. Fixes#1632
* Fix ssl_client2 example to send application data with 0-length content
when the request_size argument is set to 0 as stated in the documentation.
Fixes#1833.
* Correct the documentation for `mbedtls_ssl_get_session()`. This API has
deep copy of the session, and the peer certificate is not lost. Fixes#926.
* Fix build using -std=c99. Fixed by Nick Wilson.
Changes
* Fail when receiving a TLS alert message with an invalid length, or invalid
zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
* Change the default behaviour of mbedtls_hkdf_extract() to return an error
when calling with a NULL salt and non-zero salt_len. Contributed by
Brian J Murray
* Change the shebang line in Perl scripts to look up perl in the PATH.
Contributed by fbrosson.
* Allow overriding the time on Windows via the platform-time abstraction.
Fixed by Nick Wilson.
* Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.
= mbed TLS 2.11.0 branch released 2018-06-18
Features
* Add additional block mode, OFB (Output Feedback), to the AES module and
cipher abstraction module.
* Implement the HMAC-based extract-and-expand key derivation function
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
* Add support for the CCM* block cipher mode as defined in IEEE Std. 802.15.4.
* Add support for the XTS block cipher mode with AES (AES-XTS).
Contributed by Aorimn in pull request #414.
* In TLS servers, support offloading private key operations to an external
cryptoprocessor. Private key operations can be asynchronous to allow
non-blocking operation of the TLS server stack.
Bugfix
* Fix the cert_write example to handle certificates signed with elliptic
curves as well as RSA. Fixes#777 found by dbedev.
* Fix for redefinition of _WIN32_WINNT to avoid overriding a definition
used by user applications. Found and fixed by Fabio Alessandrelli.
* Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683
* Fix braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden, #552.
Changes
* Changed CMake defaults for IAR to treat all compiler warnings as errors.
* Changed the Clang parameters used in the CMake build files to work for
versions later than 3.6. Versions of Clang earlier than this may no longer
work. Fixes#1072
= mbed TLS 2.10.0 branch released 2018-06-06
Features
* Add support for ARIA cipher (RFC 5794) and associated TLS ciphersuites
(RFC 6209). Disabled by default, see MBEDTLS_ARIA_C in config.h
API Changes
* Extend the platform module with a util component that contains
functionality shared by multiple Mbed TLS modules. At this stage
platform_util.h (and its associated platform_util.c) only contain
mbedtls_platform_zeroize(), which is a critical function from a security
point of view. mbedtls_platform_zeroize() needs to be regularly tested
against compilers to ensure that calls to it are not removed from the
output binary as part of redundant code elimination optimizations.
Therefore, mbedtls_platform_zeroize() is moved to the platform module to
facilitate testing and maintenance.
Bugfix
* Fix an issue with MicroBlaze support in bn_mul.h which was causing the
build to fail. Found by zv-io. Fixes#1651.
Changes
* Support TLS testing in out-of-source builds using cmake. Fixes#1193.
* Fix redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by
TrinityTonic. #1359.
= mbed TLS 2.9.0 branch released 2018-04-30
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate validation. Additionally, the issue could also lead to
unnecessary callback checks being made or to some validation checks to be
omitted. The overread could be triggered remotely, while the other issues
would require a non DER-compliant certificate to be correctly signed by a
trusted CA, or a trusted CA with a non DER-compliant certificate. Found by
luocm. Fixes#825.
* Fix the buffer length assertion in the ssl_parse_certificate_request()
function which led to an arbitrary overread of the message buffer. The
overreads could be caused by receiving a malformed message at the point
where an optional signature algorithms list is expected when the signature
algorithms section is too short. In builds with debug output, the overread
data is output with the debug data.
* Fix a client-side bug in the validation of the server's ciphersuite choice
which could potentially lead to the client accepting a ciphersuite it didn't
offer or a ciphersuite that cannot be used with the TLS or DTLS version
chosen by the server. This could lead to corruption of internal data
structures for some configurations.
Features
* Add an option, MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES
tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB.
Suggested and contributed by jkivilin in pull request #394.
* Add initial support for Curve448 (RFC 7748). Only mbedtls_ecp_mul() and
ECDH primitive functions (mbedtls_ecdh_gen_public(),
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by
Nicholas Wilson in pull request #348.
API Changes
* Extend the public API with the function of mbedtls_net_poll() to allow user
applications to wait for a network context to become ready before reading
or writing.
* Add function mbedtls_ssl_check_pending() to the public API to allow
a check for whether more more data is pending to be processed in the
internal message buffers.
This function is necessary to determine when it is safe to idle on the
underlying transport in case event-driven IO is used.
Bugfix
* Fix a spurious uninitialized variable warning in cmac.c. Fix independently
contributed by Brian J Murray and David Brown.
* Add missing dependencies in test suites that led to build failures
in configurations that omit certain hashes or public-key algorithms.
Fixes#1040.
* Fix C89 incompatibility in benchmark.c. Contributed by Brendan Shanks.
#1353
* Add missing dependencies for MBEDTLS_HAVE_TIME_DATE and
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by
Deomid Ryabkov. Fixes#1299, #1475.
* Fix the Makefile build process for building shared libraries on Mac OS X.
Fixed by mnacamura.
* Fix parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was
unable to parse keys which had only the optional parameters field of the
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
* Return the plaintext data more quickly on unpadded CBC decryption, as
stated in the mbedtls_cipher_update() documentation. Contributed by
Andy Leiserson.
* Fix overriding and ignoring return values when parsing and writing to
a file in pk_sign program. Found by kevlut in #1142.
* Restrict usage of error code MBEDTLS_ERR_SSL_WANT_READ to situations
where data needs to be fetched from the underlying transport in order
to make progress. Previously, this error code was also occasionally
returned when unexpected messages were being discarded, ignoring that
further messages could potentially already be pending to be processed
in the internal buffers; these cases led to deadlocks when event-driven
I/O was used. Found and reported by Hubert Mis in #772.
* Fix buffer length assertions in the ssl_parse_certificate_request()
function which leads to a potential one byte overread of the message
buffer.
* Fix invalid buffer sizes passed to zlib during record compression and
decompression.
* Fix the soversion of libmbedcrypto to match the soversion of the
maintained 2.7 branch. The soversion was increased in Mbed TLS
version 2.7.1 to reflect breaking changes in that release, but the
increment was missed in 2.8.0 and later releases outside of the 2.7 branch.
Changes
* Remove some redundant code in bignum.c. Contributed by Alexey Skalozub.
* Support cmake builds where Mbed TLS is a subproject. Fix contributed
independently by Matthieu Volat and Arne Schwabe.
* Improve testing in configurations that omit certain hashes or
public-key algorithms. Includes contributions by Gert van Dijk.
* Improve negative testing of X.509 parsing.
* Do not define global mutexes around readdir() and gmtime() in
configurations where the feature is disabled. Found and fixed by Gergely
Budai.
* Harden the function mbedtls_ssl_config_free() against misuse, so that it
doesn't leak memory if the user doesn't use mbedtls_ssl_conf_psk() and
instead incorrectly manipulates the configuration structure directly.
Found and fix submitted by junyeonLEE in #1220.
* Provide an empty implementation of mbedtls_pkcs5_pbes2() when
MBEDTLS_ASN1_PARSE_C is not enabled. This allows the use of PBKDF2
without PBES2. Fixed by Marcos Del Sol Vives.
* Add the order of the base point as N in the mbedtls_ecp_group structure
for Curve25519 (other curves had it already). Contributed by Nicholas
Wilson #481
* Improve the documentation of mbedtls_net_accept(). Contributed by Ivan
Krylov.
* Improve the documentation of mbedtls_ssl_write(). Suggested by
Paul Sokolovsky in #1356.
* Add an option in the Makefile to support ar utilities where the operation
letter must not be prefixed by '-', such as LLVM. Found and fixed by
Alex Hixon.
* Allow configuring the shared library extension by setting the DLEXT
environment variable when using the project makefiles.
* Optimize unnecessary zeroing in mbedtls_mpi_copy. Based on a contribution
by Alexey Skalozub in #405.
* In the SSL module, when f_send, f_recv or f_recv_timeout report
transmitting more than the required length, return an error. Raised by
Sam O'Connor in #1245.
* Improve robustness of mbedtls_ssl_derive_keys against the use of
HMAC functions with non-HMAC ciphersuites. Independently contributed
by Jiayuan Chen in #1377. Fixes#1437.
* Improve security of RSA key generation by including criteria from
FIPS 186-4. Contributed by Jethro Beekman. #1380
* Declare functions in header files even when an alternative implementation
of the corresponding module is activated by defining the corresponding
MBEDTLS_XXX_ALT macro. This means that alternative implementations do
not need to copy the declarations, and ensures that they will have the
same API.
* Add platform setup and teardown calls in test suites.
= mbed TLS 2.8.0 branch released 2018-03-16
Default behavior changes
* The truncated HMAC extension now conforms to RFC 6066. This means
that when both sides of a TLS connection negotiate the truncated
HMAC extension, Mbed TLS can now interoperate with other
compliant implementations, but this breaks interoperability with
prior versions of Mbed TLS. To restore the old behavior, enable
the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
config.h. Found by Andreas Walz (ivESK, Offenburg University of
Applied Sciences).
Security
* Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no
resumption of the session).
* Verify results of RSA private key operations to defend
against Bellcore glitch attack.
* Fix a buffer overread in ssl_parse_server_key_exchange() that could cause
a crash on invalid input.
* Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a
crash on invalid input.
* Fix CRL parsing to reject CRLs containing unsupported critical
extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
Features
* Extend PKCS#8 interface by introducing support for the entire SHA
algorithms family when encrypting private keys using PKCS#5 v2.0.
This allows reading encrypted PEM files produced by software that
uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli,
OpenVPN Inc. Fixes#1339
* Add support for public keys encoded in PKCS#1 format. #1122
New deprecations
* Deprecate support for record compression (configuration option
MBEDTLS_ZLIB_SUPPORT).
Bugfix
* Fix the name of a DHE parameter that was accidentally changed in 2.7.0.
Fixes#1358.
* Fix test_suite_pk to work on 64-bit ILP32 systems. #849
* Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates
with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct.
In the context of SSL, this resulted in handshake failure. Reported by
daniel in the Mbed TLS forum. #1351
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
* Fix setting version TLSv1 as minimal version, even if TLS 1
is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
* Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
Nick Wilson on issue #355
* In test_suite_pk, pass valid parameters when testing for hash length
overflow. #1179
* Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
by Guido Vranken. #639
* Log correct number of ciphersuites used in Client Hello message. #918
* Fix X509 CRT parsing that would potentially accept an invalid tag when
parsing the subject alternative names.
* Fix a possible arithmetic overflow in ssl_parse_server_key_exchange()
that could cause a key exchange to fail on valid data.
* Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that
could cause a key exchange to fail on valid data.
* Don't define mbedtls_aes_decrypt and mbedtls_aes_encrypt under
MBEDTLS_DEPRECATED_REMOVED. #1388
* Fix a 1-byte heap buffer overflow (read-only) during private key parsing.
Found through fuzz testing.
Changes
* Fix tag lengths and value ranges in the documentation of CCM encryption.
Contributed by Mathieu Briand.
* Fix typo in a comment ctr_drbg.c. Contributed by Paul Sokolovsky.
* Remove support for the library reference configuration for picocoin.
* MD functions deprecated in 2.7.0 are no longer inline, to provide
a migration path for those depending on the library's ABI.
* Clarify the documentation of mbedtls_ssl_setup.
* Use (void) when defining functions with no parameters. Contributed by
Joris Aerts. #678
= mbed TLS 2.7.0 branch released 2018-02-03
Security
* Fix a heap corruption issue in the implementation of the truncated HMAC
extension. When the truncated HMAC extension is enabled and CBC is used,
sending a malicious application packet could be used to selectively corrupt
6 bytes on the peer's heap, which could potentially lead to crash or remote
code execution. The issue could be triggered remotely from either side in
both TLS and DTLS. CVE-2018-0488
* Fix a buffer overflow in RSA-PSS verification when the hash was too large
for the key size, which could potentially lead to crash or remote code
execution. Found by Seth Terashima, Qualcomm Product Security Initiative,
Qualcomm Technologies Inc. CVE-2018-0487
* Fix buffer overflow in RSA-PSS verification when the unmasked data is all
zeros.
* Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding
64 KiB to the address of the SSL buffer and causing a wrap around.
* Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by
default enabled) maximum fragment length extension is disabled in the
config and the application data buffer passed to mbedtls_ssl_write
is larger than the internal message buffer (16384 bytes by default), the
latter overflows. The exploitability of this issue depends on whether the
application layer can be forced into sending such large packets. The issue
was independently reported by Tim Nordell via e-mail and by Florin Petriuc
and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022.
Fixes#707.
* Add a provision to prevent compiler optimizations breaking the time
constancy of mbedtls_ssl_safer_memcmp().
* Ensure that buffers are cleared after use if they contain sensitive data.
Changes were introduced in multiple places in the library.
* Set PEM buffer to zero before freeing it, to avoid decoded private keys
being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mbedtls_mpi_read_binary() constant-time with respect to the input
data. Previously, trailing zero bytes were detected and omitted for the
sake of saving memory, but potentially leading to slight timing
differences. Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
* Fix a potential heap buffer over-read in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server.
* Change default choice of DHE parameters from untrustworthy RFC 5114
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
manner.
Features
* Allow comments in test data files.
* The selftest program can execute a subset of the tests based on command
line arguments.
* New unit tests for timing. Improve the self-test to be more robust
when run on a heavily-loaded machine.
* Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT,
MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
* Add support for alternative implementations of GCM, selected by the
configuration flag MBEDTLS_GCM_ALT.
* Add support for alternative implementations for ECDSA, controlled by new
configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and
MBEDTLS_ECDSDA_GENKEY_AT in config.h.
The following functions from the ECDSA module can be replaced
with alternative implementation:
mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
* Add support for alternative implementation of ECDH, controlled by the
new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and
MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.
The following functions from the ECDH module can be replaced
with an alternative implementation:
mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
* Add support for alternative implementation of ECJPAKE, controlled by
the new configuration flag MBEDTLS_ECJPAKE_ALT.
* Add mechanism to provide alternative implementation of the DHM module.
API Changes
* Extend RSA interface by multiple functions allowing structure-
independent setup and export of RSA contexts. Most notably,
mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting
up RSA contexts from partial key material and having them completed to the
needs of the implementation automatically. This allows to setup private RSA
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
purpose or CRT and/or blinding.
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
implementations of the RSA interface declared in rsa.h.
* The following functions in the message digest modules (MD2, MD4, MD5,
SHA1, SHA256, SHA512) have been deprecated and replaced as shown below.
The new functions change the return type from void to int to allow
returning error codes when using MBEDTLS_<MODULE>_ALT.
mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
New deprecations
* Deprecate usage of RSA primitives with non-matching key-type
(e.g. signing with a public key).
* Direct manipulation of structure fields of RSA contexts is deprecated.
Users are advised to use the extended RSA API instead.
* Deprecate usage of message digest functions that return void
(mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update,
mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is
any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions
that can return an error code.
* Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by
parameters from RFC 3526 or the newly added parameters from RFC 7919.
* Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
etc.
* Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters
from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin()
accepting DHM parameters in binary form, matching the new constants.
Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
as recommended in RFC 6347 Section 4.1.2.7.
* Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times.
Found by projectgus and Jethro Beekman, #836.
* Fix usage help in ssl_server2 example. Found and fixed by Bei Lin.
* Parse signature algorithm extension when renegotiating. Previously,
renegotiated handshakes would only accept signatures using SHA-1
regardless of the peer's preferences, or fail if SHA-1 was disabled.
* Fix leap year calculation in x509_date_is_valid() to ensure that invalid
dates on leap years with 100 and 400 intervals are handled correctly. Found
by Nicholas Wilson. #694
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
accepted. Generating these signatures required the private key.
* Fix out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys.
Found independently by Florian in the mbed TLS forum and by Mishamax.
#878, #1019.
* Fix variable used before assignment compilation warnings with IAR
toolchain. Found by gkerrien38.
* Fix unchecked return codes from AES, DES and 3DES functions in
pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively.
If a call to one of the functions of the cryptographic primitive modules
failed, the error may not be noticed by the function
mbedtls_pem_read_buffer() causing it to return invalid values. Found by
Guido Vranken. #756
* Include configuration file in md.h, to fix compilation warnings.
Reported by aaronmdjones in #1001
* Correct extraction of signature-type from PK instance in X.509 CRT and CSR
writing routines that prevented these functions to work with alternative
RSA implementations. Raised by J.B. in the Mbed TLS forum. Fixes#1011.
* Don't print X.509 version tag for v1 CRT's, and omit extensions for
non-v3 CRT's.
* Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023#1024
* Fix net_would_block() to avoid modification by errno through fcntl() call.
Found by nkolban. Fixes#845.
* Fix handling of handshake messages in mbedtls_ssl_read() in case
MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.
* Add a check for invalid private parameters in mbedtls_ecdsa_sign().
Reported by Yolan Romailler.
* Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64.
* Fix incorrect unit in benchmark output. #850
* Add size-checks for record and handshake message content, securing
fragile yet non-exploitable code-paths.
* Fix crash when calling mbedtls_ssl_cache_free() twice. Found by
MilenkoMitrovic, #1104
* Fix mbedtls_timing_alarm(0) on Unix and MinGW.
* Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.
* Fix possible memory leaks in mbedtls_gcm_self_test().
* Added missing return code checks in mbedtls_aes_self_test().
* Fix issues in RSA key generation program programs/x509/rsa_genkey and the
RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization
beforehand.
* Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.
* Fix programs/pkey/dh_server.c so that it actually works with dh_client.c.
Found and fixed by Martijn de Milliano.
* Fix an issue in the cipher decryption with the mode
MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding.
Note, this padding mode is not used by the TLS protocol. Found and fixed by
Micha Kraus.
* Fix the entropy.c module to not call mbedtls_sha256_starts() or
mbedtls_sha512_starts() in the mbedtls_entropy_init() function.
* Fix the entropy.c module to ensure that mbedtls_sha256_init() or
mbedtls_sha512_init() is called before operating on the relevant context
structure. Do not assume that zeroizing a context is a correct way to
reset it. Found independently by ccli8 on Github.
* In mbedtls_entropy_free(), properly free the message digest context.
* Fix status handshake status message in programs/ssl/dtls_client.c. Found
and fixed by muddog.
Changes
* Extend cert_write example program by options to set the certificate version
and the message digest. Further, allow enabling/disabling of authority
identifier, subject identifier and basic constraints extensions.
* Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In
particular, don't require P,Q if neither CRT nor blinding are
used. Reported and fix proposed independently by satur9nine and sliai
on GitHub.
* Only run AES-192 self-test if AES-192 is available. Fixes#963.
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module.
* Update all internal usage of deprecated message digest functions to the
new ones with return codes. In particular, this modifies the
mbedtls_md_info_t structure. Propagate errors from these functions
everywhere except some locations in the ssl_tls.c module.
* Improve CTR_DRBG error handling by propagating underlying AES errors.
* Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography
modules where the software implementation can be replaced by a hardware
implementation.
* Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4
throughout the library.
= mbed TLS 2.6.0 branch released 2017-08-10
Security
* Fix authentication bypass in SSL/TLS: when authmode is set to optional,
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's
X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA
(default: 8) intermediates, even when it was not trusted. This could be
triggered remotely from either side. (With authmode set to 'required'
(the default), the handshake was correctly aborted).
* Reliably wipe sensitive data after use in the AES example applications
programs/aes/aescrypt2 and programs/aes/crypt_and_hash.
Found by Laurent Simon.
Features
* Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown()
and the context struct mbedtls_platform_context to perform
platform-specific setup and teardown operations. The macro
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden
by the user in a platform_alt.h file. These new functions are required in
some embedded environments to provide a means of initialising underlying
cryptographic acceleration hardware.
API Changes
* Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the
API consistent with mbed TLS 2.5.0. Specifically removed the inline
qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt,
mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found
by James Cowgill. #978
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
* With authmode set to optional, the TLS handshake is now aborted if the
verification of the peer's certificate failed due to an overlong chain or
a fatal error in the verify callback.
Bugfix
* Add a check if iv_len is zero in GCM, and return an error if it is zero.
Reported by roberto. #716
* Replace preprocessor condition from #if defined(MBEDTLS_THREADING_PTHREAD)
to #if defined(MBEDTLS_THREADING_C) as the library cannot assume they will
always be implemented by pthread support. #696
* Fix a resource leak on Windows platforms in mbedtls_x509_crt_parse_path(),
in the case of an error. Found by redplait. #590
* Add MBEDTLS_MPI_CHK to check for error value of mbedtls_mpi_fill_random.
Reported and fix suggested by guidovranken. #740
* Fix conditional preprocessor directives in bignum.h to enable 64-bit
compilation when using ARM Compiler 6.
* Fix a potential integer overflow in the version verification for DER
encoded X.509 CRLs. The overflow could enable maliciously constructed CRLs
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
KNOX Security, Samsung Research America
* Fix potential integer overflow in the version verification for DER
encoded X.509 CSRs. The overflow could enable maliciously constructed CSRs
to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
KNOX Security, Samsung Research America
* Fix a potential integer overflow in the version verification for DER
encoded X.509 certificates. The overflow could enable maliciously
constructed certificates to bypass the certificate verification check.
* Fix a call to the libc function time() to call the platform abstraction
function mbedtls_time() instead. Found by wairua. #666
* Avoid shadowing of time and index functions through mbed TLS function
arguments. Found by inestlerode. #557.
Changes
* Added config.h option MBEDTLS_NO_UDBL_DIVISION, to prevent the use of
64-bit division. This is useful on embedded platforms where 64-bit division
created a dependency on external libraries. #708
* Removed mutexes from ECP hardware accelerator code. Now all hardware
accelerator code in the library leaves concurrency handling to the
platform. Reported by Steven Cooreman. #863
* Define the macro MBEDTLS_AES_ROM_TABLES in the configuration file
config-no-entropy.h to reduce the RAM footprint.
* Added a test script that can be hooked into git that verifies commits
before they are pushed.
* Improve documentation of PKCS1 decryption functions.
= mbed TLS 2.5.1 released 2017-06-21
Security
* Fixed unlimited overread of heap-based buffer in mbedtls_ssl_read().
The issue could only happen client-side with renegotiation enabled.
Could result in DoS (application crash) or information leak
(if the application layer sent data read from mbedtls_ssl_read()
back to the server or to a third party). Can be triggered remotely.
* Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
certificate verification. SHA-1 can be turned back on with a compile-time
option if needed.
* Fixed offset in FALLBACK_SCSV parsing that caused TLS server to fail to
detect it sometimes. Reported by Hugo Leisink. #810
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher/BERserk-style attack.
Bugfix
* Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not
valid C and they prevented the test from compiling in Visual Studio 2015
and with GCC using the -Wpedantic compilation option.
* Fix insufficient support for signature-hash-algorithm extension,
resulting in compatibility problems with Chrome. Found by hfloyrd. #823
* Fix behaviour that hid the original cause of fatal alerts in some cases
when sending the alert failed. The fix makes sure not to hide the error
that triggered the alert.
* Fix SSLv3 renegotiation behaviour and stop processing data received from
peer after sending a fatal alert to refuse a renegotiation attempt.
Previous behaviour was to keep processing data even after the alert has
been sent.
* Accept empty trusted CA chain in authentication mode
MBEDTLS_SSL_VERIFY_OPTIONAL. Found by Jethro Beekman. #864
* Fix implementation of mbedtls_ssl_parse_certificate() to not annihilate
fatal errors in authentication mode MBEDTLS_SSL_VERIFY_OPTIONAL and to
reflect bad EC curves within verification result.
* Fix bug that caused the modular inversion function to accept the invalid
modulus 1 and therefore to hang. Found by blaufish. #641.
* Fix incorrect sign computation in modular exponentiation when the base is
a negative MPI. Previously the result was always negative. Found by Guido
Vranken.
* Fix a numerical underflow leading to stack overflow in mpi_read_file()
that was triggered uppon reading an empty line. Found by Guido Vranken.
Changes
* Send fatal alerts in more cases. The previous behaviour was to skip
sending the fatal alert and just drop the connection.
* Clarify ECDSA documentation and improve the sample code to avoid
misunderstanding and potentially dangerous use of the API. Pointed out
by Jean-Philippe Aumasson.
= mbed TLS 2.5.0 branch released 2017-05-17
Security
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt). Found by Laurent
Simon.
* Add exponent blinding to RSA private operations as a countermeasure
against side-channel attacks like the cache attack described in
https://arxiv.org/abs/1702.08719v2.
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
Clémentine Maurice and Stefan Mangard.
Features
* Add hardware acceleration support for the Elliptic Curve Point module.
This involved exposing parts of the internal interface to enable
replacing the core functions and adding and alternative, module level
replacement support for enabling the extension of the interface.
* Add a new configuration option to 'mbedtls_ssl_config' to enable
suppressing the CA list in Certificate Request messages. The default
behaviour has not changed, namely every configured CAs name is included.
API Changes
* The following functions in the AES module have been deprecated and replaced
by the functions shown below. The new functions change the return type from
void to int to allow returning error codes when using MBEDTLS_AES_ALT,
MBEDTLS_AES_DECRYPT_ALT or MBEDTLS_AES_ENCRYPT_ALT.
mbedtls_aes_decrypt() -> mbedtls_internal_aes_decrypt()
mbedtls_aes_encrypt() -> mbedtls_internal_aes_encrypt()
Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most
recent versions of the library. Found by Kyle Keen.
* Fixed issue in the Threading module that prevented mutexes from
initialising. Found by sznaider. #667#843
* Add checks in the PK module for the RSA functions on 64-bit systems.
The PK and RSA modules use different types for passing hash length and
without these checks the type cast could lead to data loss. Found by Guido
Vranken.
= mbed TLS 2.4.2 branch released 2017-03-08
Security
* Add checks to prevent signature forgeries for very large messages while
using RSA through the PK module in 64-bit systems. The issue was caused by
some data loss when casting a size_t to an unsigned int value in the
functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
* Fixed potential livelock during the parsing of a CRL in PEM format in
mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
characters after the footer could result in the execution of an infinite
loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Microsoft.
* Removed MD5 from the allowed hash algorithms for CertificateRequest and
CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Introduced by interoperability fix for #513.
* Fixed a bug that caused freeing a buffer that was allocated on the stack,
when verifying the validity of a key on secp224k1. This could be
triggered remotely for example with a maliciously constructed certificate
and potentially could lead to remote code execution on some platforms.
Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
team. #569 CVE-2017-2784
Bugfix
* Fix output certificate verification flags set by x509_crt_verify_top() when
traversing a chain of trusted CA. The issue would cause both flags,
MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
set when the verification conditions are not met regardless of the cause.
Found by Harm Verhagen and inestlerode. #665#561
* Fix the redefinition of macro ssl_set_bio to an undefined symbol
mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
Found by omlib-lin. #673
* Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
x509_csr.c that are reported when building mbed TLS with a config.h that
does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
would compare 64 bits of the record counter instead of 48 bits as indicated
in RFC 6347 Section 4.3.1. This could cause the execution of the
renegotiation routines at unexpected times when the protocol is DTLS. Found
by wariua. #687
* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
the input string in PEM format to extract the different components. Found
by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
by missing calls to mbedtls_pem_free() in cases when a
MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
fix proposed by Guido Vranken. #722
* Fixed the templates used to generate project and solution files for Visual
Studio 2015 as well as the files themselves, to remove a build warning
generated in Visual Studio 2015. Reported by Steve Valliere. #742
* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
number to write in hexadecimal is negative and requires an odd number of
digits. Found and fixed by Guido Vranken.
* Fix unlisted DES configuration dependency in some pkparse test cases. Found
by inestlerode. #555
= mbed TLS 2.4.1 branch released 2016-12-13
Changes
* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication – October 2016
= mbed TLS 2.4.0 branch released 2016-10-17
Security
* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
with RFC-5116 and could lead to session key recovery in very long TLS
sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
https://eprint.iacr.org/2016/475.pdf
* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
mbedtls_x509write_csr_der() when the signature is copied to the buffer
without checking whether there is enough space in the destination. The
issue cannot be triggered remotely. Found by Jethro Beekman.
Features
* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
NIST SP 800-38B, RFC-4493 and RFC-4615.
* Added hardware entropy selftest to verify that the hardware entropy source
is functioning correctly.
* Added a script to print build environment info for diagnostic use in test
scripts, which is also now called by all.sh.
* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
configure the maximum length of a file path that can be buffered when
calling mbedtls_x509_crt_parse_path().
* Added a configuration file config-no-entropy.h that configures the subset of
library features that do not require an entropy source.
* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
to configure the minimum number of bytes for entropy sources using the
mbedtls_hardware_poll() function.
Bugfix
* Fix for platform time abstraction to avoid dependency issues where a build
may need time but not the standard C library abstraction, and added
configuration consistency checks to check_config.h
* Fix dependency issue in Makefile to allow parallel builds.
* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
when GCM is used. Found by udf2457. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428
* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
a contribution from Tobias Tangemann. #541
* Fixed cert_app.c sample program for debug output and for use when no root
certificates are provided.
* Fix conditional statement that would cause a 1 byte overread in
mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
* Fixed pthread implementation to avoid unintended double initialisations
and double frees. Found by Niklas Amnebratt.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
data structure until after error checks are successful. Found by
subramanyam-c. #622
* Fix documentation and implementation missmatch for function arguments of
mbedtls_gcm_finish(). Found by cmiatpaar. #602
* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
* Fix potential byte overread when verifying malformed SERVER_HELLO in
ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
* Fix check for validity of date when parsing in mbedtls_x509_get_time().
Found by subramanyam-c. #626
* Fix compatibility issue with Internet Explorer client authentication,
where the limited hash choices prevented the client from sending its
certificate. Found by teumas. #513
* Fix compilation without MBEDTLS_SELF_TEST enabled.
Changes
* Extended test coverage of special cases, and added new timing test suite.
* Removed self-tests from the basic-built-test.sh script, and added all
missing self-tests to the test suites, to ensure self-tests are only
executed once.
* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
* Added support for a Yotta specific configuration file -
through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
* Added optimization for code space for X.509/OID based on configured
features. Contributed by Aviv Palivoda.
* Renamed source file library/net.c to library/net_sockets.c to avoid
naming collision in projects which also have files with the common name
net.c. For consistency, the corresponding header file, net.h, is marked as
deprecated, and its contents moved to net_sockets.h.
* Changed the strategy for X.509 certificate parsing and validation, to no
longer disregard certificates with unrecognised fields.
= mbed TLS 2.3.0 branch released 2016-06-28
Security
* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
required by PKCS1 v2.2
* Fix potential integer overflow to buffer overflow in
mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
(not triggerable remotely in (D)TLS).
* Fix a potential integer underflow to buffer overread in
mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
SSL/TLS.
Features
* Support for platform abstraction of the standard C library time()
function.
Bugfix
* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
arguments where the same (in-place doubling). Found and fixed by Janos
Follath. #309
* Fix potential build failures related to the 'apidoc' target, introduced
in the previous patch release. Found by Robert Scheck. #390#391
* Fix issue in Makefile that prevented building using armar. #386
* Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
ECDSA was disabled in config.h . The leak didn't occur by default.
* Fix an issue that caused valid certificates to be rejected whenever an
expired or not yet valid certificate was parsed before a valid certificate
in the trusted certificate list.
* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
buffer after DER certificates to be included in the raw representation.
* Fix issue that caused a hang when generating RSA keys of odd bitlength
* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
dereference possible.
* Fix issue that caused a crash if invalid curves were passed to
mbedtls_ssl_conf_curves. #373
* Fix issue in ssl_fork_server which was preventing it from functioning. #429
* Fix memory leaks in test framework
* Fix test in ssl-opt.sh that does not run properly with valgrind
* Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
don't use the optimized assembly for bignum multiplication. This removes
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
* Disabled SSLv3 in the default configuration.
* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
Skalozub).
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
ignored, as required by RFC6101.
Noteworthy changes in version 2.2.12:
* tools: New commands --install-key and --remove-key for
gpg-wks-client. This allows to prepare a Web Key Directory on a
local file system for later upload to a web server.
* gpg: New --list-option "show-only-fpr-mbox". This makes the use
of the new gpg-wks-client --install-key command easier on Windows.
* gpg: Improve processing speed when --skip-verify is used.
* gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
option --with-agent-s2k-calibration=MSEC.
* dirmngr: Try another keyserver from the pool on receiving a 502,
503, or 504 error.
* dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP
query will not anymore follow a 3xx redirect unless the Location
header gives the same host. If the host is different only the
host and port is taken from the Location header and the original
path and query parts are kept.
* dirmngr: New command FLUSHCRL to flush all CRLS from disk and
memory.
* New simplified Chinese translation (zh_CN).
Changes:
2.0.0:
Bug
[SANTUARIO-496] - DSA verification crashes OpenSSL on invalid combinations of key content
2.0.1:
Bug
[SANTUARIO-491] - Default KeyInfo resolver doesn't check for empty element content.
2.0.0:
Bug
[SANTUARIO-382] - Unconditionally enable large file support
[SANTUARIO-418] - Invalid acceptance of unpadded RSA signatures
[SANTUARIO-435] - Automake misses the subdir-objects option
[SANTUARIO-437] - Cannot compile as C++11
[SANTUARIO-447] - XSECCryptoX509::loadX509PEM() can read past unterminated buffer
[SANTUARIO-449] - TXFMOutputFile can try to close unopened stream
[SANTUARIO-470] - dsig/DSIGReference.cpp:931: bad type ?
[SANTUARIO-471] - Patch for C++11 compile failures
[SANTUARIO-473] - Build failure using NSS
[SANTUARIO-474] - Better overflow checking
[SANTUARIO-479] - xml-security-cpp compilation errors
Improvement
[SANTUARIO-460] - Support for OpenSSL 1.1
[SANTUARIO-461] - Internal key store should be deleted on any CryptoAcquireContext() error
[SANTUARIO-472] - Conditional inclusion of XMKS code in library
[SANTUARIO-476] - Change default behavior for inferring attribute IDness by name
3.1.5
Added support for compilation on AIX.
Dropped Python 2.6 and 3.3 support.
Switched to using abi3 wheels for Python 3. If you are not getting a wheel on a compatible platform please upgrade your pip version.
Without providing `--with-default-trust-store-file=' configure
argument gnutls try to check a list of hardcoded paths for the
trust store file and use the first found.
If none of them is found gnutls_certificate_set_x509_system_trust()
returns GNUTLS_E_UNIMPLEMENTED_FEATURE and the location of trust
store file should be provided (e.g. in gnutls-cli via --x509cafile
option).
Depends on mozilla-rootcerts and pass `--with-default-trust-store-file='
similarly to security/p11-kit to always have a consistent default
trust store file and an implemented
gnutls_certificate_set_x509_system_trust().
Bump PKGREVISION
Noteworthy changes in version 1.12.0
* Enhanced the JSON based interface tool gpgme-json to support Native
Messaging as well as new Javascript code to support the browser
site. See lang/js/README for details.
* Major overhaul of the Python language bindings documentation.
* Even for old versions of gpg a missing MDC will now lead to a
decryption failure.
* Added context flag "auto-key-locate" to control the
behavior of GPGME_KEYLIST_MODE_LOCATE.
* New data function to create a data object from an estream.
* Add more interfaces to the C++ bindings.
* Improved error codes on decryption failure.
* Lots of minor fixes.
GCR is a library for displaying certificates, and crypto UI, accessing
key stores. It also provides the viewer for crypto files on the GNOME
desktop.
GCK is a library for accessing PKCS#11 modules like smart cards, in a
(G)object oriented way.
pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
unconditionally due REPLACE_BASH usages)
Changes:
3.6.5
-----
** libgnutls: Provide the option of transparent re-handshake/reauthentication
when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
requested with legacy TLS versions enabled but not TLS1.2. That is because
if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
servers which do not support TLS1.3 will negotiate TLS1.2 which will be
rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
This addresses a security issue where memory access patterns as well as timing
on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
attacks. Side-channel resistant code is slower due to the need to mask
access and timings. When used in TLS the new functions cause RSA based
handshakes to be between 13% and 28% slower on average (Numbers are indicative,
the tests where performed on a relatively modern Intel CPU, results vary
depending on the CPU and architecture used). This change makes nettle 3.4.1
the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
text before PEM-encoded private key, public key, certificate, CRL or CSR.
** API and ABI modifications:
GNUTLS_AUTO_REAUTH: Added
GNUTLS_CIPHER_AES_128_CFB8: Added
GNUTLS_CIPHER_AES_192_CFB8: Added
GNUTLS_CIPHER_AES_256_CFB8: Added
GNUTLS_MAC_AES_CMAC_128: Added
GNUTLS_MAC_AES_CMAC_256: Added
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added
Changes:
3.4.1
-----
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and include one new
public function, rsa_sec_decrypt, see below.
All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
still leak. I'm not aware of any attacks on RSA where knowing
a few bits of the factors makes a significant difference. This
leak will likely be plugged in later GMP versions.
Changes in behavior:
* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle useable for a Bleichenbacher-style chosen ciphertext
attack. Which is why the new function rsa_sec_decrypt is
recommended.
New features:
* A new function rsa_sec_decrypt. It differs from
rsa_decrypt_tr in that the length of the decrypted message
is given a priori, and PKCS#1 padding indicating a different
length is treated as an error. For applications that may be
subject to chosen ciphertext attacks, it is recommended to
initialize the message area with random data, call this
function, and ignore the return value. This applies in
particular to RSA-based key exchange in the TLS protocol.
Bug fixes:
* Fix bug in pkcs1-conv, missing break statements in the
parsing of PEM input files.
* Fix link error on the pss-mgf1-test test, affecting builds
without public key support.
Performance regression:
* All RSA private key operations employing RSA blinding, i.e.,
rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
rsa_compute_root_tr, are significantly slower. This is
because (i) RSA blinding now use side-channel silent
operations, (ii) blinding includes a modular inversion, and
(iii) side-channel silent modular inversion, implemented as
mpn_sec_invert, is very expensive. A 60% slowdown for
2048-bit RSA keys have been measured.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 6.0 or later (unless --enable-mini-gmp is used).
The shared library names are libnettle.so.6.5 and
libhogweed.so.4.5, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
Noteworthy changes in version 1.33:
* New unified config script gpgrt-config which can now be used by all
GnuPG related packages.
* Support for ARC and arm64ilp32.
* The log functions now sanitize strings printed with the "%s" format
specifier. All control characters are C-escaped in the output.
Users of that function may want to remove their own escaping to
avoid doubling of backslashes.
* New fprintf style function to apply a custom filter for string
arguments.
* New function to compare version strings.
version 0.8.5:
* Added support to get known_hosts locations with ssh_options_get()
* Fixed preferred algorithm for known hosts negotiations
* Fixed KEX with some server implementations (e.g. Cisco)
* Fixed issues with MSVC
* Fixed keyboard-interactive auth in server mode
(regression from CVE-2018-10933)
* Fixed gssapi auth in server mode (regression from CVE-2018-10933)
* Fixed socket fd handling with proxy command
* Fixed a memory leak with OpenSSL
version 0.8.4:
* Fixed CVE-2018-10933
* Fixed building without globbing support
* Fixed possible memory leaks
* Avoid SIGPIPE on sockets
version 0.8.3:
* Added support for rsa-sha2
* Added support to parse private keys in openssh container format
(other than ed25519)
* Added support for diffie-hellman-group18-sha512 and
diffie-hellman-group16-sha512
* Added ssh_get_fingerprint_hash()
* Added ssh_pki_export_privkey_base64()
* Added support for Match keyword in config file
* Improved performance and reduced memory footprint for sftp
* Fixed ecdsa publickey auth
* Fixed reading a closed channel
* Added support to announce posix-rename@openssh.com and
hardlink@openssh.com in the sftp server
version 0.8.2:
* Added sha256 fingerprints for pubkeys
* Improved compiler flag detection
* Fixed race condition in reading sftp messages
* Fixed doxygen generation and added modern style
* Fixed library initialization on Windows
* Fixed __bounded__ attribute detection
* Fixed a bug in the options parser
* Fixed documentation for new knwon_hosts API
version 0.8.1:
* Fixed version number in the header
* Fixed version number in pkg-config and cmake config
* Fixed library initialization
* Fixed attribute detection
version 0.8.0:
* Removed support for deprecated SSHv1 protocol
* Added new connector API for clients
* Added new known_hosts parsing API
* Added support for OpenSSL 1.1
* Added support for chacha20-poly1305 cipher
* Added crypto backend for mbedtls crypto library
* Added ECDSA support with gcrypt backend
* Added advanced client and server testing using cwrap.org
* Added support for curve25519-sha256 alias
* Added support for global known_hosts file
* Added support for symbol versioning
* Improved ssh_config parsing
* Improved threading support
Release 1.15.0:
Added the ability to pass keyword arguments provided in the scp() command through to asyncssh.connect() calls it makes, allowing things like custom credentials to be specified.
Added support for a reuse_port argument in create_server(). If set, this will be passed to the asyncio loop.create_server() call which creates listening sockets.
Added support for “soft” EOF when line editing in enabled so that EOF can be signalled multiple times on a channel. When Ctrl-D is received on a channel with line editing enabled, EOF is returned to the application but the channel remains open and capable of accepting more input, allowing an interactive shell to process the EOF for one command but still accept input for subsequent commands.
Added support for the Windows 10 OpenSSH ssh-agent. Thanks go to SamP20 for providing an initial proof of concept and a suggested implementation.
Reworked scoped link-local IPv6 address normalization to work better on Linux systems.
Fixed a problem preserving directory structure in recursive scp().
Fixed SFTP chmod tests to avoid attempting to set the sticky bit on a plain file, as this caused test failures on FreeBSD.
Updated note in SSHClientChannel’s send_signal() documentation to reflect that OpenSSH 7.9 and later should now support processing of signal messages.
3.7.1:
New features
Added type stubs to enable static type checking with mypy.
New update_after_digest flag for CMAC.
Resolved issues
Fixed problem with gcc 4.x when compiling ghash_clmul.c.
Incorrect digest value produced by CMAC after cloning the object.
Method update() of an EAX cipher object was returning the underlying CMAC object, instead of the EAX object itself.
Method update() of a CMAC object was not throwing an exception after the digest was computed (with digest() or verify()).
A pure Unix shell script implementing ACME client protocol
* An ACME protocol client written purely in Shell (Unix shell) language.
* Full ACME protocol implementation.
* Support ACME v1 and ACME v2
* Support ACME v2 wildcard certs
* Simple, powerful and very easy to use. You only need 3 minutes to learn it.
* Bash, dash and sh compatible.
* Simplest shell script for Let's Encrypt free certificate client.
* Purely written in Shell with no dependencies on python or the official
Let's Encrypt client.
* Just one script to issue, renew and install your certificates automatically.
* DOES NOT require root/sudoer access.
* Docker friendly
* IPv6 support
What's new in Sudo 1.8.26
* Fixed a bug in cvtsudoers when converting to JSON format when
alias expansion is enabled.
* Sudo no long sets the USERNAME environment variable when running
commands. This is a non-standard environment variable that was
set on some older Linux systems.
* Sudo now treats the LOGNAME and USER environment variables (as
well as the LOGIN variable on AIX) as a single unit. If one is
preserved or removed from the environment using env_keep, env_check
or env_delete, so is the other.
* Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
* Sudo now logs when the command was suspended and resumed in the
I/O logs. This information is used by sudoreplay to skip the
time suspended when replaying the session unless the new -S flag
is used.
* Fixed documentation problems found by the igor utility.
* Sudo now prints a warning message when there is an error or end
of file while reading the password instead of exiting silently.
* Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
role, type, privs and limitprivs sudoOptions. This also affected
cvtsudoers conversion from LDIF to sudoers or JSON.
* Fixed a bug that prevented timeout settings in sudoers from
functioning unless a timeout was also specified on the command
line.
* Asturian translation for sudo from translationproject.org.
* When generating LDIF output, cvtsudoers can now be configured
to pad the sudoOrder increment such that the start order is used
as a prefix.
* Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
properly setting the user's groups on AIX.
* If the user specifies a group via sudo's -g option that matches
any of the target user's groups, it is now allowed even if no
groups are present in the Runas_Spec. Previously, it was only
allowed if it matched the target user's primary group.
* The sudoers LDAP back-end now supports negated sudoRunAsUser and
sudoRunAsGroup entries.
* Sudo now provides a proper error message when the "fqdn" sudoers
option is set and it is unable to resolve the local host name.
* Portuguese translation for sudo and sudoers from translationproject.org.
* Sudo now includes sudoers LDAP schema for the on-line configuration
supported by OpenLDAP.
18.3.0:
Changes:
- argon2.PasswordHasher's hash type is configurable now.
18.2.0:
Changes:
- The hash type for argon2.PasswordHasher is Argon2\ **id** now.
This decision has been made based on the recommendations in the latest Argon2 RFC draft <https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-4>_.
- To make the change of hash type backward compatible, argon2.PasswordHasher.verify() now determines the type of the hash and verifies it accordingly.
- Some of the hash parameters have been made stricter to be closer to said recommendations.
The current goal for a hash verification times is around 50ms.
- To allow for bespoke decisions about upgrading Argon2 parameters, it's now possible to extract them from a hash via the argon2.extract_parameters() function.
- Additionally argon2.PasswordHasher now has a check_needs_rehash() method that allows to verify whether a hash has been created with the instance's parameters or whether it should be rehashed.
0.31.0:
- Compatibility with OpenSSL 1.1.1 (partly workaround, maybe requires
further investigation)
- Fixes for Windows builds
- Fixes of installs on AWS Lambda
- Fixes of Mac OS X related failures
- Fix Python 2.6 compatibility issues
2.4.1:
Fixed a build breakage in our manylinux1 wheels.
2.4:
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.4.x.
Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by the OpenSSL project. At this time there is no time table for dropping support, however we strongly encourage all users to upgrade or install cryptography from a wheel.
Added initial :doc:OCSP </x509/ocsp> support.
Added support for :class:~cryptography.x509.PrecertPoison.
* Version 3.6.4 (released 2018-09-24)
** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
gnutls_certificate_set_retrieve_function() which could not handle the case where
no certificates were returned, or the callbacks were set to NULL (see #528).
** libgnutls: gnutls_handshake() on server returns early on handshake when no
certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
is specified.
** libgnutls: Added session ticket key rotation on server side with TOTP.
The key set with gnutls_session_ticket_enable_server() is used as a
master key to generate time-based keys for tickets. The rotation
relates to the gnutls_db_set_cache_expiration() period.
** libgnutls: The 'record size limit' extension is added and preferred to the
'max record size' extension when possible.
** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
This addresses the problem where the CA certificate doesn't have a subject key
identifier whereas the end certificates have an authority key identifier (#569)
** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
and export GOST parameters in the "native" little endian format used for these
curves. This is an intentional incompatible change with 3.6.3.
** libgnutls: Added support for seperately negotiating client and server certificate types
as defined in RFC7250. This mechanism must be explicitly enabled via the
GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().
** gnutls-cli: enable CRL validation on startup (#564)
** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added
Noteworthy changes in version 2.2.11:
* gpgsm: Fix CRL loading when intermediate certicates are not yet
trusted.
* gpgsm: Fix an error message about the digest algo.
* gpg: Fix a wrong warning due to new sign usage check introduced
with 2.2.9.
* gpg: Print the "data source" even for an unsuccessful keyserver
query.
* gpg: Do not store the TOFU trust model in the trustdb. This
allows to enable or disable a TOFO model without triggering a
trustdb rebuild.
* scd: Fix cases of "Bad PIN" after using "forcesig".
* agent: Fix possible hang in the ssh handler.
* dirmngr: Tack the unmodified mail address to a WKD request. See
commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.
* dirmngr: Tweak diagnostic about missing LDAP server file.
* dirmngr: In verbose mode print the OCSP responder id.
* dirmngr: Fix parsing of the LDAP port.
* wks: Add option --directory/-C to the server. Always build the
server on Unix systems.
* wks: Add option --with-colons to the client. Support sites which
use the policy file instead of the submission-address file.
* Fix EBADF when gpg et al. are called by broken CGI scripts.
* Fix some minor memory leaks and bugs.
Noteworthy changes in version 1.8.4:
* Bug fixes:
- Fix infinite loop due to applications using fork the wrong
way.
- Fix possible leak of a few bits of secret primes to pageable
memory.
- Fix possible hang in the RNG (1.8.3 only).
- Several minor fixes.
* Performance:
- On Linux always make use of getrandom if possible and then use
its /dev/urandom behaviour.
3.7.0:
New features
* Added support for Poly1305 MAC (with AES and ChaCha20 ciphers for key derivation).
* Added support for ChaCha20-Poly1305 AEAD cipher.
* New parameter output for Crypto.Util.strxor.strxor, Crypto.Util.strxor.strxor_c,
encrypt and decrypt methods in symmetric ciphers (Crypto.Cipher package).
output is a pre-allocated buffer (a bytearray or a writeable memoryview)
where the result must be stored.
This requires less memory for very large payloads; it is also more efficient when
encrypting (or decrypting) several small payloads.
Resolved issues
* AES-GCM hangs when processing more than 4GB at a time on x86 with PCLMULQDQ instruction.
Breaks in compatibility
* Drop support for Python 3.3.
* Remove Crypto.Util.py3compat.unhexlify and Crypto.Util.py3compat.hexlify.
* With the old Python 2.6, use only ctypes (and not cffi) to interface to native code.
version 0.7.6 (released 2018-10-16)
* Fixed CVE-2018-10933
* Added support for OpenSSL 1.1
* Added SHA256 support for ssh_get_publickey_hash()
* Fixed config parsing
* Fixed random memory corruption when importing pubkeys
version 0.7.5 (released 2017-04-13)
* Fixed a memory allocation issue with buffers
* Fixed PKI on Windows
* Fixed some SSHv1 functions
* Fixed config hostname expansion
version 0.7.4 (released 2017-02-03)
* Added id_ed25519 to the default identity list
* Fixed sftp EOF packet handling
* Fixed ssh_send_banner() to confirm with RFC 4253
* Fixed some memory leaks
Changes include:
- use jbuilder for building
- allow picking different versions of Bcrypt hashes
- use unbuffered IO to read only required number of bytes from /dev/urandom
Version 1.1.111:
Update clients.py to work with Python 2.6, 3.3, 3.5, and 3.6.
Add Python 3.6 support.
Handle Unicode- and byte-strings consistently.
Add timeout parameter to call_taxii_service2 (@mbekavac)
Add support for STIX 1.2.
Add user_agent parameter to call_taxii_service2
3.0.5:
Fix: use AES256 for CA key
Also, don't use read -s, use stty -echo
Fix broken "nopass" option
Add -r to read to stop errors reported by shellcheck (and to behave)
remove overzealous quotes around $pkcs_opts (more SC errors)
Support for LibreSSL (now works on latest version of MacOS)
EasyRSA version will be reported in certificate comments
Client certificates now expire in 3 year (1080 days) by default
CHANGES:
- `sys/seal-status` now includes an `initialized` boolean in the
output. If Vault is not initialized, it will return a `200` with
this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from
being provided to backends based on a global denylist.
FEATURES:
- AWS Secret Engine Root Credential Rotation: The credential used by
the AWS secret engine can now be rotated, to ensure that only Vault
knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows
offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise):
AliCloud KMS can now be used a support seal for Auto Unseal and
Seal Wrapping.
BUG FIXES:
- auth/okta: Fix reading deprecated `token` parameter if a token was
previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is
written
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too
early
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry
IMPROVEMENTS:
- auth/aws: The identity alias name can now configured to be either
IAM unique ID of the IAM Principal, or ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog
to allow operators to include environment variables during plugin
execution.
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization
Bearer header
- replication: Reindex process now runs in the background and does not
block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing
with a "force" flag
Version 4.0:
- Removed deprecated modules:
- rsa.varblock
- rsa.bigfile
- rsa._version133
- rsa._version200
- Removed CLI commands that use the VARBLOCK/bigfile format.
- Ensured that PublicKey.save_pkcs1() and PrivateKey.save_pkcs1() always return bytes.
- Dropped support for Python 2.6 and 3.3.
- Dropped support for Psyco.
- Miller-Rabin iterations determined by bitsize of key.
- Added function rsa.find_signature_hash() to return the name of the hashing
algorithm used to sign a message. rsa.verify() now also returns that name,
instead of always returning True.
- Add support for SHA-224 for PKCS1 signatures.
- Transitioned from requirements.txt to Pipenv for package management.
Upstream changes:
0.31 Mon Sep 24 2018
- Remove default of SHA256 for RSA keys. This has caused significant
problems with downstream modules and it has always been possible to
do $key->use_sha256_hash()
Upstream changes:
2.060 2018/09/16
- support for TLS 1.3 with OpenSSL 1.1.1 (needs support in Net::SSLeay too)
Thanks to ppisar[AT]redhat.com for major help
see also https://rt.cpan.org/Ticket/Display.html?id=126899
TLS 1.3 support is not complete yet for session resume
v4.1.3
**Note**: oauth2client is deprecated. No more features will be added to the
libraries and the core team is turning down support.
* Changed OAuth2 endpoints to use oauth2.googleapis.com variants.
0.1.78 (2018-06-21)
* Land #13, Update cmd_psh_payload to simplify exec_in_place
0.1.79 (2018-08-01)
* Land #12, Update GetMethod for GetProcAddress for Windows 10 1803
0.2.17 (2018-02-09)
* Land #9, remove use of 'fun' keyword
* Land #10, add rand_country
0.2.18 (2018-04-12)
* Land #11, ranges for rand_base and rand_text_*
0.2.19 (2018-04-18)
* Land #13, add text encryption / encoding wrappers
0.2.20 (2018-04-18)
* Land #14, remove RC4/SHA256 support
* Land #12, bump ruby deps
0.2.21 (2018-06-13)
* Land #16, simplify shuffle_a implementation
* Land #17, speedup to_mixed_case_array
* Land #18, use single regular expression for strict case
* Land #19, remove unnecessary gsub regex to remove newline
* Land #21, add SHA2 digest wrappers
=== 5.0.2
* fix ctr for jruby [#612]
=== 5.0.1
* default_keys were not loaded even if no keys or key_data options specified [#607]
=== 5.0.0
* Breaking change: ed25519 now requires ed25519 gem instead of RbNaCl gem [#563]
* Verify_host_key options rename (true, false, :very, :secure depreacted new equivalents are :never, :accept_new_or_local_tunnel :accept_new :always) [Jared Beck, #595]
=== 5.0.0.rc2
* Add .dll extensions to dlopen on cygwin [#603]
* Fix host certificate validation [#601]
=== 5.0.0.rc1
* Fix larger than 4GB file transfers [#599]
* Update HTTP proxy to version 1.1 [Connor Dunn, #597]
=== 5.0.0.beta2
* Support for sha256 pubkey fingerprint [Tom Maher, #585]
* Don't try to load default_keys if key_data option is used [Josh Larson, #589]
* Added fingerprint_hash defaulting to SHA256 as fingerprint format, and MD5 can be used as an option [Miklós Fazekas, #591]
=== 5.0.0.beta1
* Don't leave proxy command as zombie on timeout [DimitriosLisenko, #560]
* Use OpenSSL for aes*-ctr for up to 5x throughput improvement [Miklós Fazekas, Harald Sitter, #570]
* Optimize slice! usage in CTR for up to 2x throughput improvement [Harald Sitter, #569]
* Replace RbNaCl dependency with ed25519 gem [Tony Arcieri ,#563]
* Add initial Match support [Kasumi Hanazuki, #553]
Instead of using a generic `base64' initialize the BASE64 variable in order to
actually use converters/base64 (this was problematic when for example NetBSD
base64(1) was used).
Bump PKGREVISION
What's new in Sudo 1.8.25p1
* Fixed a bug introduced in sudo 1.8.25 that caused a crash on
systems that have the poll() function but not the ppoll() function.
Bug #851.
2.4.2:
Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication.
Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).
Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
Release 1.14.0:
Changed license from EPL 1.0 to EPL 2.0 with GPL 2.0 or later as an available secondary license.
Added support for automatically parallelizing large reads and write made using the SFTPClientFile class, similar to what was already available in the get/put/copy methods of SFTPClient.
Added support for get_extra_info() in SSH process classes, returning information associated with the channel the process is tied to.
Added new set_extra_info() method on SSH connection and channel classes, allowing applications to store additional information on these objects.
Added handlers for OpenSSH keepalive global & channel requests to avoid messages about unknown requests in the debug log. These requests are still logged, but at debug level 2 instead of 1 and they are not labeled as unknown.
Fixed race condition when closing sockets associated with forwarded connections.
Improved error handling during connection close in SFTPClient.
Worked around issues with integer overflow on systems with a 32-bit time_t value when dates beyond 2038 are used in X.509 certificates.
Added guards around some imports and tests which were causing problems on Fedora 27.
Changed debug level for reporting PTY modes from 1 to 2 to reduce noise in the logs.
Improved SFTP debug log output when sending EOF responses.
What's new in Sudo 1.8.25
* Fixed a bug introduced in sudo 1.8.20 that broke formatting of
I/O log timing file entries on systems without a C99-compatible
snprintf() function. Our replacement snprintf() doesn't support
floating point so we can't use the "%f" format directive.
* I/O log timing file entries now use a monotonic timer and include
nanosecond precision. A monotonic timer that does not increment
while the system is sleeping is used where available.
* Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
backend was not being properly parsed.
* When sudo runs a command in a pseudo-tty, the slave device is
now closed in the main process immediately after starting the
monitor process. This removes the need for an AIX-specific
workaround that was added in sudo 1.8.24.
* Added support for monotonic timers on HP-UX.
* Fixed a bug displaying timeout values the "sudo -V" output.
The value displayed was 3600 times the actual value.
* Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
and define rsize_t in string.h.
* The testsudoers utility now supports querying an LDIF-format
policy.
* Sudo now sets the LOGIN environment variable to the same value as
LOGNAME on AIX systems.
* Fixed a regression introduced in sudo 1.8.24 where the LDAP and
SSSD backends evaluated the rules in reverse sudoOrder.
xdotool-3.20160805.1 supports the --file option.
Please also note that with the previous patch spaces in password
were ignored possibly leading to surprising and incorrect paste,
sorry for that! (now they should work fine)
Bump PKGREVISION
- Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a
key for this prime resulting in a hang until the client has finished. This
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
(CVE-2018-0732)
[Guido Vranken]
- Cache timing vulnerability in RSA Key Generation
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
a cache timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process could
recover the private key.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
(CVE-2018-0737)
[Billy Brumley]
- Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
- Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
- Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
- Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
- Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
- When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
- Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
* New features
- Performance optimizations.
- Logging of negotiated or resumed TLS session IDs (thx
to ANSSI - National Cybersecurity Agency of France).
- Merged Debian 10-enabled.patch and 11-killproc.patch
(thx to Peter Pentchev).
* Bugfixes
- Fixed a crash in the session persistence implementation.
- Fixed syslog identifier after configuration file reload.
- Fixed non-interactive "make check" invocations.
- Fixed reloading syslog configuration.
- stunnel.pem created with SHA-256 instead of SHA-1.
- SHA-256 "make check" certificates.
- Make regular expression accept a whitespace after CN.
- Don't fail on openssl 1.1 output
- Add documentation and support for Red Hat openssl directories
- fix parsing of new (?) openssl output format
- Fix broken Markdown headings
- FIX CN parsing to work with OpenSSL 1.1
- Make acme_tiny.py executable in index
- Minor tweak that makes deploying a tiny bit easier
- OpenSSL output seems to have changed another time.
- fixed changing error message
- fixed more error message case changes
- Fix typos
- switched to grabbing the agreement url from /directory, addresses #145, #148, #172, #189
- damn python3 bytes-to-strings encoding gets you again...
- added python 3.6 to test coverage
- update SSL config
- mostly working ACMEv2, except for letsencrypt/boulder#3367
- deprecated CA url in favor of using the direct certificate authority directory url
- added badNonce retries
- consolidated external commandline execution error handling to bring back under 200 lines of code
- removed challenge payload that is no longer needed in new acme spec
- updated test coverage to ignore new setup.py file (setup install still gets tested via test_install.py)
- updated readme to note that ACME v2 certificate downloads now include the intermediate certificate
- added optional contact details
- fixed buffer to unicode decoding for tests
- cleaned up help and copyright text
- Readme: Only needs access to private account key
- added tiny user agent
- don't skip ValueError when urlopen(Request(nonvalid, ...))
hitch-1.4.8 (2018-04-19)
------------------------
- Reworked the dynamic backend bits.
- Update docs to recommend running Hitch as a separate non-privileged
user.
hitch-1.4.7 (2018-01-11)
------------------------
- Massive test suite refactor and update.
- Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to
OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in
the test suite, switch from sockstat(1) to fstat(1)
- Add an OCSP refresh timeout parameter
- Autotools polish
- Random usage of config section if reduntant
- Support for separate key files
- Fix logging to syslog even when set to syslog = off
- Making log-filename, recv-bufsize and send-bufsize parameters
available though command line and config file.
- Fix: global backaddr is assumed to be static
- Add support for session-cache in config file and as cmdline option
- Plug file descriptor leak: killing worker processes would leave the
pipe's write end open, leaking one file descriptor per worker upon
reload
SECURITY:
- Random Byte Reading in Barrier: Prior to this release, Vault was not
properly checking the error code when reading random bytes for the IV for
AES operations in its cryptographic barrier. Specifically, this means that
such an IV could potentially be zero multiple times, causing nonce re-use
and weakening the security of the key. On most platforms this should never
happen because reading from kernel random sources is non-blocking and always
successful, but there may be platform-specific behavior that has not been
accounted for. (Vault has tests to check exactly this, and the tests have
never seen nonce re-use.)
FEATURES:
- AliCloud Agent Support: Vault Agent can now authenticate against the
AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.
IMPROVEMENTS:
- core: Logging level for most logs (not including secrets/auth plugins) can
now be changed on-the-fly via `SIGHUP`, reading the desired value from
Vault's config file
BUG FIXES:
- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
to show up for unauthenticated users
trustme is a tiny Python package that does one thing: it gives you a fake
certificate authority (CA) that you can use to generate fake TLS certs to use
in your tests. Well, technically they're real certs, they're just signed by
your CA, which nobody trusts. But you can trust it. Trust me.
## 0.27.0 - 2018-09-05
### Added
- The Apache plugin now accepts the parameter --apache-ctl which can
be used to configure the path to the Apache control script.
### Changed
- When using `acme.client.ClientV2` (or
`acme.client.BackwardsCompatibleClientV2` with an ACME server that
supports a newer version of the ACME protocol), an
`acme.errors.ConflictError` will be raised if you try to create
an ACME account with a key that has already been used. Previously,
a JSON parsing error was raised in this scenario when using the
library with Let's Encrypt's ACMEv2 endpoint.
### Fixed
- When Apache is not installed, Certbot's Apache plugin no longer
prints messages about being unable to find apachectl to the
terminal when the plugin is not selected.
- If you're using the Apache plugin with the --apache-vhost-root flag
set to a directory containing a disabled virtual host for the
domain you're requesting a certificate for, the virtual host will
now be temporarily enabled if necessary to pass the HTTP challenge.
- The documentation for the Certbot package can now be built using
Sphinx 1.6+.
- You can now call `query_registration` without having to first call
`new_account` on `acme.client.ClientV2` objects.
- The requirement of `setuptools>=1.0` has been removed from
`certbot-dns-ovh`.
- Names in certbot-dns-sakuracloud's tests have been updated to refer
to Sakura Cloud rather than NS1 whose plugin certbot-dns-sakuracloud
was based on.
## 0.26.1 - 2018-07-17
### Fixed
- Fix a bug that was triggered when users who had previously manually
set `--server` to get ACMEv2 certs tried to renew ACMEv1 certs.
Changelog:
Noteworthy changes in version 2.2.10 (2018-08-30)
-------------------------------------------------
gpg: Refresh expired keys originating from the WKD. [#2917]
gpg: Use a 256 KiB limit for a WKD imported key.
gpg: New option --known-notation. [#4060]
scd: Add support for the Trustica Cryptoucan reader.
agent: Speed up starting during on-demand launching. [#3490]
dirmngr: Validate SRV records in WKD queries.
duo_unix-1.10.4:
- Removed failmode decision from auth endpoint and moved it to only
preauth according to standards in our other integrations
- Updated Duo Unix to speak up to TLS 1.2
- Support for LibreSSL 2.7.0 and up
- Minor memory leak fixes
- Output message when user is locked out
duo_unix-1.10.3:
- Added support for http_proxy with SELinux enabled
duo_unix-1.10.2:
- Added default failmode values in config files
DEPRECATIONS/CHANGES:
- Request Timeouts: A default request timeout of 90s is now enforced. This
setting can be overwritten in the config file. If you anticipate requests
taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
will be some further guidelines around when this will be removed again.)
* `sys/` Top Level Injection: For the last two years for backwards
compatibility data for various `sys/` routes has been injected into both the
Secret's Data map and into the top level of the JSON response object.
However, this has some subtle issues that pop up from time to time and is
becoming increasingly complicated to maintain, so it's finally being
removed.
- Path Fallback for List Operations: For a very long time Vault has
automatically adjusted `list` operations to always end in a `/`, as list
operations operates on prefixes, so all list operations by definition end
with `/`. This was done server-side so affects all clients. However, this
has also led to a lot of confusion for users writing policies that assume
that the path that they use in the CLI is the path used internally. Starting
in 0.11, ACL policies gain a new fallback rule for listing: they will use a
matching path ending in `/` if available, but if not found, they will look
for the same path without a trailing `/`. This allows putting `list`
capabilities in the same path block as most other capabilities for that
path, while not providing any extra access if `list` wasn't actually
provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
Enterprise supports Performance Standbys, they are on by default. You can
disable this behavior per-node with the `disable_performance_standby`
configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
the type of AWS credential they are generating; this reduces reduce
ambiguity that existed previously as well as enables new features for
specific credential types. Writing role data and generating credentials
remain backwards compatible; however, the data returned when reading a
role's configuration has changed in backwards-incompatible ways. Anything
that depended on reading role data from the AWS secret engine will break
until it is updated to work with the new format.
FEATURES:
- Namespaces (Enterprise): A set of features within Vault Enterprise
that allows Vault environments to support *Secure Multi-tenancy* within a
single Vault Enterprise infrastructure. Through namespaces, Vault
administrators can support tenant isolation for teams and individuals as
well as empower those individuals to self-manage their own tenant
environment.
- Performance Standbys (Enterprise): Standby nodes can now service
requests that do not modify storage. This provides near-horizontal scaling
of a cluster in some workloads, and is the intra-cluster analogue of
the existing Performance Replication feature, which replicates to distinct
clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
allows generating credentials to allow access to Azure. See the plugin
repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
guidance, linking out to relevant links or guides on vaultproject.io for
various workflows in Vault.
IMPROVEMENTS:
- agent: Add `exit_after_auth` to be able to use the Agent for a single
authentication
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.
BUG FIXES:
- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
(IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
could cause Vault not to start up due to two entities referencing the same
alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
legal, doing so inherently means the CRL can't be trusted anyways, so it's
not useful and easy to footgun.
- storage/gcp,spanner: Fix data races
