
Release notes

TrustCore SDK U7 is a minor release that extends the DigiCert® TrustCore SDK with new post-quantum capabilities, improved protocol coverage, and important stability fixes across NanoSSL, NanoSSH, NanoCert, NanoCrypto, NanoSec, and the OpenSSL Connector modules. These updates enhance interoperability, improve performance, and prepare your device security stack for evolving cryptographic standards.

The following are the enhancements and fixes.

Important

Upgrade considerations

This version deprecates support for OpenSSL 1.0.2 (all versions), OpenSSL 1.1.1c, and OpenSSL 1.1.1f. Both the OpenSSL 1.0.2 and 1.1.1 branches are past upstream end of life, so Connector deployments still on them should plan a move to the OpenSSL 3.0-based Connector.

Enhancements

NanoSSH 7.0

  • Support for Encrypt-then-MAC algorithms: Added support for Encrypt-then-MAC (EtM) MAC algorithms, the *-etm@openssh.com variants, in which the MAC is computed over the ciphertext rather than the plaintext, so a tampered packet is rejected before any of it is decrypted.

    Ticket: #04270562

    Files modified: src/ssh/ssh_context.h, src/ssh/ssh_in_mesg.c, src/ssh/ssh_in_mesg.h, src/ssh/ssh_out_mesg.c, src/ssh/ssh_out_mesg.h, and src/ssh/ssh_trans.c.

  • Support for pure and composite ML-DSA signatures: Added support for pure and composite ML-DSA (FIPS 204) signatures for server host key and client public key authentication.

    Files modified: src/asn1/, src/crypto/, src/crypto_interface/, src/ssh/client/, and src/ssh/ssh.c.
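The difference between the classic MAC-then-Encrypt SSH framing and the Encrypt-then-MAC framing added in this release, worked through as an added illustration; this is not NanoSSH code and assumes nothing about the TrustCore API. The "cipher" is a SHA-256 keystream standing in for AES-CTR (a deliberate toy, labelled in the code), the MAC is HMAC-SHA-256 as in hmac-sha2-256, and the keys, sequence number and payload are constructed. Each receiver returns the payload together with how many bytes it had to decrypt before the MAC was checked, which is the property EtM changes: under MtE a flipped bit in the encrypted length field steers the receiver's parsing and error path on unauthenticated data, while under EtM the same packet is rejected with nothing decrypted.

```python
"""Encrypt-then-MAC vs MAC-then-Encrypt framing of an SSH binary packet (RFC 4253 section 6,
OpenSSH *-etm@openssh.com). Added illustration, not NanoSSH code.
Toy parts, labelled: the "cipher" is a SHA-256 keystream standing in for AES-CTR."""
import hashlib
import hmac
import struct

BLOCK = 16            # cipher block size used for padding alignment
TAGLEN = 32           # HMAC-SHA-256 tag length
MAX_PACKET = 35000    # RFC 4253 6.1: smallest packet size every implementation must accept
PAYLOAD = b"\x5e" + b"constructed SSH_MSG payload"   # constructed: message byte + data


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Toy keystream SHA-256(key || seq || counter); stand-in for AES-CTR, not for production."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _frame(payload: bytes, aadlen: int) -> bytes:
    """packet_length || padding_length || payload || padding. With EtM the 4-byte length
    is sent in clear (aadlen=4), so block alignment is computed over the encrypted part only."""
    padlen = BLOCK - ((5 - aadlen + len(payload)) % BLOCK)
    if padlen < 4:                       # RFC 4253: at least four bytes of padding
        padlen += BLOCK
    packet_length = 1 + len(payload) + padlen
    return struct.pack(">I", packet_length) + bytes([padlen]) + payload + bytes(padlen)


def _mac(mac_key: bytes, seq: int, data: bytes) -> bytes:
    return hmac.new(mac_key, struct.pack(">I", seq) + data, hashlib.sha256).digest()


def send_mte(payload, seq, enc_key, mac_key):
    """hmac-sha2-256 (MAC-then-Encrypt): MAC over plaintext, then encrypt everything."""
    plain = _frame(payload, aadlen=0)
    tag = _mac(mac_key, seq, plain)
    return _xor(plain, _keystream(enc_key, seq, len(plain))) + tag


def send_etm(payload, seq, enc_key, mac_key):
    """hmac-sha2-256-etm@openssh.com: length in clear, MAC over length || ciphertext."""
    plain = _frame(payload, aadlen=4)
    length, body = plain[:4], plain[4:]
    ct = _xor(body, _keystream(enc_key, seq, len(body)))
    return length + ct + _mac(mac_key, seq, length + ct)


def recv_mte(wire, seq, enc_key, mac_key):
    """Returns (payload or None, number of bytes decrypted before the MAC was checked)."""
    ks = _keystream(enc_key, seq, MAX_PACKET + 4)
    first = _xor(wire[:BLOCK], ks[:BLOCK])          # must decrypt just to learn the length
    length = struct.unpack(">I", first[:4])[0]
    if length > MAX_PACKET or 4 + length + TAGLEN > len(wire):
        return None, BLOCK                            # error decided on unauthenticated data
    plain = _xor(wire[:4 + length], ks[:4 + length])
    tag = wire[4 + length:4 + length + TAGLEN]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, plain)):
        return None, 4 + length
    padlen = plain[4]
    return plain[5:4 + length - padlen], 4 + length


def recv_etm(wire, seq, enc_key, mac_key):
    """Same return shape; the second element is always 0 because authentication comes first."""
    length = struct.unpack(">I", wire[:4])[0]        # in clear, but covered by the MAC
    if length > MAX_PACKET or 4 + length + TAGLEN > len(wire):
        return None, 0
    ct = wire[4:4 + length]
    tag = wire[4 + length:4 + length + TAGLEN]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, wire[:4] + ct)):
        return None, 0                                # rejected; nothing was decrypted
    body = _xor(ct, _keystream(enc_key, seq, length))
    padlen = body[0]
    return body[1:length - padlen], 0


def demo() -> dict:
    enc_key, mac_key, seq = b"k" * 32, b"m" * 32, 7      # constructed keys and sequence number
    mte = send_mte(PAYLOAD, seq, enc_key, mac_key)
    etm = send_etm(PAYLOAD, seq, enc_key, mac_key)
    # Attacker flips one bit of the first ciphertext byte: under MtE that is the encrypted
    # length field, under EtM it is the first byte after the cleartext length.
    mte_bad = bytes([mte[0] ^ 0x80]) + mte[1:]
    etm_bad = etm[:4] + bytes([etm[4] ^ 0x80]) + etm[5:]
    return {
        "mte_ok": recv_mte(mte, seq, enc_key, mac_key),
        "etm_ok": recv_etm(etm, seq, enc_key, mac_key),
        "mte_tampered": recv_mte(mte_bad, seq, enc_key, mac_key),   # (None, 16): parsed first
        "etm_tampered": recv_etm(etm_bad, seq, enc_key, mac_key),   # (None, 0): rejected first
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it directly to see the four outcomes. The MtE receiver has no choice but to decrypt the first block before it knows how long the packet is, so a length-sanity error there is observable to an attacker who never passed the MAC; the EtM receiver reads the cleartext length, checks the tag over length and ciphertext in constant time, and only then touches the cipher.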

NanoSSL 7.0

  • Support for pure and composite ML-DSA signatures: Added support for pure and composite ML-DSA (FIPS 204) signatures for server and client authentication.

    Files modified: src/asn1/, src/common/win32oid.c, src/crypto/, src/crypto_interface/, src/ssl/client/ssl_client.inc, src/ssl/server/ssl_server.inc, src/ssl/sslsock.c, and src/ssl/sslsock.h.

Fixes

NanoSSL 7.0

  • Ticket #4454769: Fixed the handshakeRecLen zero-length check in the processCertificate function.

    Files modified:

    src/ssl/sslsock.c

  • Ticket #4392422: Fixed an out-of-bounds (OOB) access in handleServerHandshakeMessages.

    Files modified:

    src/ssl/server/ssl_server.inc

  • Ticket #04276156: Fixed an issue where the TLS handshake succeeded even when the server's certificate chain was corrupted; a chain that fails to parse now fails the handshake as it should.

    Files modified:

    src/crypto/cert_chain.c, src/crypto/cert_chain.h, src/examples/ssl_client_example.c, src/ssl/ssl.c, src/ssl/ssl.h, src/ssl/sslsock.c, and src/ssl/sslsock.h.

  • Ticket #04115411: Fixed TLS client authentication failures when the client key is held on a smartcard and accessed through PKCS#11.

    Files modified:

    src/openssl_wrapper/openssl_shim.h, src/openssl_wrapper/ossl_ssl.c, and src/ssl/ssl.c.

NanoCert

  • Ticket #4383284: Fixed the OCSP HTTP initialization timeout, which was set to 128 seconds instead of the expected default.

    Files modified:

    src/common/mtcp.h, src/ocsp/ocsp_http.c, src/ocsp/ocsp_http.h, and src/platform/linux_tcp.c.

  • Ticket #4349944: Fixed the HTTP POST request's handling of empty path values in OCSP URIs.

NanoSec 7.0

  • Ticket #4327273: Fixed an issue that allowed an ESP cipher stronger than the IKE cipher to be negotiated. The IKE SA protects the CHILD_SA keying material, so the IKE cipher caps the effective strength of the tunnel regardless of what ESP uses.

    Files modified:

    src/ike/ike_childsa.c, src/ike/ike_childsa.h, src/ike/ike_state.c, and src/ike2/ike2_state.c.

  • Ticket #4317881: Fixed the handling of the IKEv1 Quick Mode RESPONDER-LIFETIME notification, which Windows clients did not accept.

    Files modified:

    src/examples/ike_example.c, src/ike/ike_state.c, and src/ike/ike_state.h.

OpenSSL Connector 7.0

  • Ticket #4311467: Adjusted error reporting so ERR_SSL_PROTOCOL_VERSION is returned instead of ERR_SSL_FATAL_ALERT.

  • Ticket #04284238: Fixed the client's incorrect reaction to corrupted encrypted handshake messages.

NanoCrypto 7.0

  • Ticket #04277714: Added support for the SubjectKeyIdentifier form of the CMS SignerIdentifier.

    Files modified:

    src/crypto/cms.h, src/crypto/cms.inc, src/crypto/moccms_decode.c, src/crypto/moccms_util.c, src/crypto/pkcs7.c, and src/crypto/pkcs7.h.

Common

  • Ticket #4437055: Resolved build warnings.

    Files modified:

    src/common/hash_value.c and src/common/mocana.h.

  • Ticket #4335167: Fixed an issue where the top-level X.509 data type was not fully validated during certificate parsing.

DigiCert® TrustCore SDK U6 is a major release that extends TrustCore SDK with the following new features, enhancements, and fixes.

Upgrade considerations

FIPS customers using the FIPS version of NanoCrypto v7.0.0_u1f must build with the --fips-700-compat or fips_700_compat=true option.

New

NanoCrypto 7.0

  • Post Quantum Cryptographic Algorithms Support: Added support for the NIST post-quantum standards FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA).

NanoSSL 7.0

  • Hybrid Key Exchange with PQC: Added support for Hybrid Key Exchange in TLSv1.3 using X25519MLKEM768 and SecP256r1MLKEM768.

NanoMQTT 7.0

  • MQTT Protocol Support: Added support for MQTT protocol versions v3.1.1 and v5.

NanoCert

  • EST Client Support: Added support for EST client functionality.

Enhancements

NanoSSH 7.0

  • DSA Disabled by Default: DSA is disabled by default to comply with RFC 8332.

Fixes

NanoSSL 7.0

  • Ticket #04187099: Resolved a memory leak issue.

    Files modified:

    • src/ssl/server/ssl_server.inc

NanoSSH 7.0

  • Ticket #04186917: Added support for RSA-SHA2 (rsa-sha2-256 and rsa-sha2-512) client public key authentication for the NanoSSH server.

    Files modified:

    • src/ssh/ssh_auth.c

    • src/ssh/ssh_context.h

    • src/ssh/ssh_defs.h

    • src/ssh/ssh_trans.c

    • src/ssh/dump_mesg.c

OpenSSL Connector 7.0

  • Ticket #03967808: Added fix for a Connector build failure on ARM64 due to an unrecognized command-line option -mno-sse2.

    Files modified:

    • make/Makefile.ssl

    • projects/shared_cmake/MocPlatform.cmake

    • projects/shared_cmake/toolchains/aarch64-pokysdk-linux-toolchain.cmake

    • projects/shared_cmake/toolchains/x86-64-pokysdk-linux-toolchain.cmake

  • Ticket #04098358: Added fix for OpenSSL CVE-2023-3817 by addressing excessive time spent checking the DH q parameter value in OpenSSL Connector 1.1.

    Files modified:

    • thirdparty/openssl-1.1.1X/crypto/dh/dh_check.c

    • thirdparty/openssl-1.1.1X/crypto/dh/dh_err.c

    • thirdparty/openssl-1.1.1X/crypto/err/openssl.txt

    • thirdparty/openssl-1.1.1X/include/openssl/dh.h

    • thirdparty/openssl-1.1.1X/include/openssl/dherr.h

  • Ticket #04036327: Fixed the error code reported in debug logs.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

    • src/openssl_wrapper/ssl.h

    • src/ssl/client/ssl_client.inc

  • Ticket #04054495: Resolved an issue in the OpenSSL Connector 1.1 where WebDAVS using neon-0.31 did not work.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

Common

  • Ticket #04172114: Allowed the Subject Alternative Name (SAN) extension to be marked critical when checking whether a certificate can be used to sign.

    Files modified:

    • src/asn1/parsecert.c

  • Tickets #04110991 and #04099984: Applied Coverity fixes.

TrustCore SDK version: U5 | Date: 2024-10

DigiCert® TrustCore SDK U5 is a minor release that extends TrustCore SDK with the following enhancements and fixes.

Enhancements

NanoCrypto 7.0

  • FIPS 186-5 Compliance: Added a new compile flag --fips-700-compat to ensure compatibility with the FIPS-certified binary libmss.so (version: REL_700_U1).

    Files modified:

    • projects/crypto/build.sh

Fixes

NanoSSH 7.0

  • Ticket #04013814: Resolved an issue on the NanoSSH server side when a client negotiated the aes128-gcm@openssh.com or aes256-gcm@openssh.com cipher but no matching MAC algorithm. These are AEAD ciphers, so the negotiated MAC is not used and its absence must not fail the connection.

    Files modified:

    • src/ssh/ssh_context.h

    • src/ssh/ssh_trans.c

  • Ticket #03950943: Fixed an issue where the NanoSSH server returned an error when a Dropbear client set first_kex_packet_follows to 1 (TRUE) in its SSH_MSG_KEXINIT.

    Files modified:

    • src/ssh/ssh_context.h

    • src/ssh/ssh_trans.c

OpenSSL Connector 7.0

  • Fix for crypt() Function: Addressed an error in the crypt() function within libssh2 when using the OpenSSL Connector 3.0.12.

    Files modified:

    • openssl/openssl-3.0.12/providers/digicert/ciphers/digi_cipher_aes_gcm.c

  • Ticket #03864365: Removed x25519 and x448 supported groups from FIPS builds to comply with security requirements.

    Files modified:

    • projects/nanossl/cmakeflags.txt

    • projects/nanossl/features/mocana_eddh_flags.txt

    • projects/nanossl/mocana_suiteb_flags.txt

  • Ticket #03973774: Fixed the compatibility issue where tpm2tools was not functioning with the OpenSSL Connector.

    Files modified:

    • thirdparty/openssl-3.0.12/Configure

    • thirdparty/openssl-3.0.12/providers/digiprov.c

    • thirdparty/openssl-3.0.7/Configure

    • thirdparty/openssl-3.0.7/providers/digiprov.c

TrustCore SDK version: U4 | Date: 2024-06

DigiCert® TrustCore SDK U4 is a major release that extends TrustCore SDK with the following enhancements and fixes.

New

OpenSSL Connector 7.0

  • Added support for OpenSSL 3.0.12 in OpenSSL Connector.

NanoSSL 7.0

  • Added support for DTLS 1.3 in NanoDTLS.

Enhancements

OpenSSL Connector 7.0

  • Tickets #3751120, #3781142: Added new APIs; for OpenSSL 1.1.1, added SSL_CTX_set_client_hello_cb, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_CTX_get_security_level, SSL_SESSION_up_ref, and SSL_has_pending; for OpenSSL 3.0.12, added SSL_SESSION_set_time.

    Files modified:

    • src/openssl_wrapper/openssl_compat.c

    • src/openssl_wrapper/openssl_shim.h

    • src/openssl_wrapper/ossl_ssl.c

    • src/openssl_wrapper/ossl_types.h

    • src/openssl_wrapper/ossl_typesv3.h

    • src/openssl_wrapper/ssl.h

    • src/ssl/server/ssl_server.inc

    • src/ssl/ssl.c

    • src/ssl/sslsock.h

Fixes

NanoSSH 7.0

  • Ticket #3658904: Fixed a vulnerability where a naturally occurring computational error during RSA signing produced a faulty signature from which the private key could be recovered (the RSA-CRT fault-attack class).

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c

  • CVE-2023-48795, CVE-2023-46445, CVE-2023-46446: Addressed the Terrapin attack by disabling the chacha20-poly1305@openssh.com cipher by default in the build scripts. Note that Terrapin also applies to CBC-mode ciphers paired with *-etm MACs; the protocol-level countermeasure is the strict key exchange extension (kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com), which both peers must support.

    Files modified:

    • projects/crypto/build.bat

    • projects/crypto/build.sh

    • projects/crypto/options/enable-ssh-no-chachapoly/mocana_flags.txt

    • projects/nanossh/CMakeLists.txt

    • projects/nanossh/build.bat

    • projects/nanossh/build.sh

    • projects/nanossh/cmakeflags.txt

    • projects/nanossh/mocana_chachapoly_flags.txt

    • projects/nanossh/ssh_client/mocana_flags.txt

    • projects/nanossh/ssh_server/mocana_flags.txt

    • scripts/nanossh/build_nanossh_target_nux.sh

    • scripts/nanossh/ssh_client/build_target_tap_local_ncrypto.bat

  • Ticket #03854089: The SSH server's RADIUS authentication flow now includes the Message-Authenticator attribute (RFC 2869, section 5.14) in Access-Request packets.

    Files modified:

    • src/radius/radius.c

OpenSSL Connector 7.0

  • Tickets #3834648, #3706260: Added the --disable-tcp-init flag in build scripts to fix SIGALRM not working when linking to libcrypto.

    Files modified:

    • make/Makefile.ssl

    • projects/initialize/CMakeLists.txt

    • projects/initialize/build.sh

  • Ticket #3788916: Fixed implementation of SSL_set_verify function.

    Files modified:

    • src/openssl_wrapper/openssl_compat.c

    • src/openssl_wrapper/ossl_ssl.c

    • src/ssl/ssl.c

  • Ticket #3717372: Fixed OpenSSL Connector not sending ALERT on cryptographic handshake error per RFC 5246.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

    • src/ssl/client/ssl_client.inc

    • src/ssl/sslsock.c

  • Ticket #2950173: Extended the --keylog feature to also print TLSv1.2 master secrets, so Wireshark can decrypt TLSv1.2 sessions from the key log.

    Files modified:

    • src/ssl/sslsock.c

  • Ticket #3821075: Added null check when freeing hash table in OpenSSL connector.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3740353: Fix for DTLS to work with OpenSSL 3.0.12 connector and radsecproxy.

    Files modified:

    • src/dtls/dtlssock.inc

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3746253: Fix for compatibility with TLSv1.2 XMC server and OpenSSL connector 3.0.12.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3728300: Added support to SSL_CTX_get_security_callback.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3678174: Fixed symbol not found error when using lighttpd with OpenSSL Connector.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • CVE-2016-2183, SP800-131A rev2: Disabled Triple-DES by default in build scripts. 3DES is subject to the SWEET32 birthday attack (CVE-2016-2183), and SP 800-131A Rev. 2 disallows it for encryption after 2023.

    Files modified:

    • make/Makefile.ssl

    • projects/nanossl/CMakeLists.txt

    • projects/nanossl/build.bat

    • projects/nanossl/build.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap.bat

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap_android.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_tap_local.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_tap_local_android.sh

NanoCrypto 7.0

  • Ticket #3522713: Added a build flag (the enable-vlong-const option) that enables constant-time vlong (big-integer) operations, addressing the RSA timing side-channel class of CVE-2022-4304.

    Files modified:

    • projects/common/CMakeLists.txt

    • projects/common/build.sh

    • projects/common/mocana_flags.txt

    • projects/common/mocana_vlong_flags.txt

    • projects/common/mss_sources.txt

    • projects/crypto/build.sh

    • projects/crypto/options/default/mocana_flags.txt

    • projects/crypto/options/enable-vlong-const/mocana_flags.txt

  • Ticket #3670987: Added new CMS APIs and updated example.

    Files modified:

    • projects/cryptointerface_example/example_sources.txt

    • src/crypto/cms.h

    • src/crypto/cms.inc

    • src/crypto/pkcs7.c

    • crypto_interface/example/cert.der

    • crypto_interface/example/crypto_interface_cms_example.c

    • crypto_interface/example/crypto_interface_example.c

    • crypto_interface/example/crypto_interface_moccms_streaming_example.c

    • crypto_interface/example/key.der

  • Ticket #3742948: Added support for RSASSA-PSS certificates generated by the OpenSSL 3.0 tool.

    Files modified:

    • src/crypto/malgo_id.c

NanoSec 7.0

  • Ticket #3582302: Fixed build issue in the kernel module for IPv6.

    Files modified:

    • src/examples/ipsec/linux/gpl/nf_ipsecadm.c

    • src/examples/ipsec/mocana/moc_ipsec_main.c

  • Ticket #3658904: Fixed a vulnerability where a naturally occurring computational error resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c

NanoSSL 7.0

  • Ticket #3658904: Fixed a vulnerability where a naturally occurring computational error resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c
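The failure mode behind ticket #3658904 (listed above under NanoSSH, NanoSec and NanoSSL), worked through as an added example; this is not TrustCore code and does not describe how the fix is implemented there. An RSA-CRT signature with a single wrong half-result leaks a prime factor to anyone who sees the signature and the signed value, with no interaction with the signer needed, and the standard countermeasure is to verify the signature with the public exponent before releasing it. The 20-bit primes, the exponent and the message value are constructed for readability; the algebra is identical at 2048 bits.

```python
"""Why one faulty RSA-CRT signature leaks the private key (the Lenstra-style fault attack
behind ticket #3658904), and the verify-after-sign check that prevents it.
Added illustration, not TrustCore code; toy-sized primes so the arithmetic is visible."""
from math import gcd

# Constructed toy key. Real keys use 2048-bit or larger moduli; the algebra is identical.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA-CRT signing with Garner's recombination. `fault` simulates a computational
    error in the mod-q half, the 'naturally occurring' error named in the ticket."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq = (sq + 1) % Q          # one wrong half-result is enough
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def recover_factor(bad_sig: int, m: int) -> int:
    """What a passive observer does with a faulty signature: s^e - m is 0 mod p but not
    mod q, so gcd(s^e - m, N) reveals p. Only the signature and the signed value are needed."""
    return gcd((pow(bad_sig, E, N) - m) % N, N)


def sign_checked(m: int, fault: bool = False) -> int:
    """Countermeasure: verify with the public exponent before releasing the signature.
    One extra public-key operation; a signature that fails this check must never leave the box."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m:
        raise RuntimeError("RSA signature self-check failed; signature withheld")
    return s


def demo() -> dict:
    m = 123456789  # constructed message representative (real code signs an encoded digest)
    good = sign_crt(m)
    bad = sign_crt(m, fault=True)
    leaked = recover_factor(bad, m)          # == P: the attacker now has both primes
    try:
        sign_checked(m, fault=True)
        blocked = False
    except RuntimeError:
        blocked = True
    return {
        "good_verifies": pow(good, E, N) == m,
        "bad_verifies": pow(bad, E, N) == m,
        "leaked_prime": leaked,
        "private_exponent_recovered": pow(E, -1, (leaked - 1) * (N // leaked - 1)) == D,
        "faulty_signature_blocked": blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The gcd step is why a fault in a TLS, SSH or IKE signer is a key-compromise event rather than a single failed handshake: with PKCS#1 v1.5 or any deterministic encoding the verifier's input m is reconstructible from the transcript, so one bad signature on the wire is all the attacker needs. Verifying before release costs one public-exponent exponentiation per signature and turns that into a local error.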

Common

  • Ticket #3767692: Fix for Coverity reported issues.

    Files modified:

    • Various