Release notes
DigiCert® TrustCore SDK U6 is a major release that extends TrustCore SDK with the following new features, enhancements, and fixes.
Upgrade considerations
For FIPS customers using a FIPS version of NanoCrypto v7.0.0_u1f, please build with the --fips-700-compat or fips_700_compat=true option.
New
NanoCrypto 7.0
Post Quantum Cryptographic Algorithms Support: Added support for FIPS 203, 204, 205 – ML-KEM, ML-DSA, and SLH-DSA.
NanoSSL 7.0
Hybrid Key Exchange with PQC: Added support for Hybrid Key Exchange in TLSv1.3 using X25519MLKEM768 and SecP256r1MLKEM768.
NanoMQTT 7.0
MQTT Protocol Support: Added support for MQTT protocol versions v3.1.1 and v5.
NanoCert
EST Client Support: Added support for EST client functionality.
Enhancements
NanoSSH 7.0
DSA Disabled by Default: DSA is disabled by default to comply with RFC 8332.
Fixes
NanoSSL 7.0
Ticket #04187099: Resolved a memory leak issue.
Files modified:
src/ssl/server/ssl_server.inc
NanoSSH 7.0
Ticket #04186917: Added support for RSA-SHA2 Client public key for NanoSSH Server.
Files modified:
src/ssh/ssh_auth.c
src/ssh/ssh_context.h
src/ssh/ssh_defs.h
src/ssh/ssh_trans.c
src/ssh/dump_mesg.c
OpenSSL Connector 7.0
Ticket #03967808: Added fix for a Connector build failure on ARM64 due to an unrecognized command-line option -mno-sse2.
Files modified:
make/Makefile.ssl
projects/shared_cmake/MocPlatform.cmake
projects/shared_cmake/toolchains/aarch64-pokysdk-linux-toolchain.cmake
projects/shared_cmake/toolchains/x86-64-pokysdk-linux-toolchain.cmake
Ticket #04098358: Added fix for OpenSSL CVE-2023-3817 by addressing excessive time spent checking the DH q parameter value in OpenSSL Connector 1.1.
Files modified:
thirdparty/openssl-1.1.1X/crypto/dh/dh_check.c
thirdparty/openssl-1.1.1X/crypto/dh/dh_err.c
thirdparty/openssl-1.1.1X/crypto/err/openssl.txt
thirdparty/openssl-1.1.1X/include/openssl/dh.h
thirdparty/openssl-1.1.1X/include/openssl/dherr.h
Ticket #04036327: Added fix for updating the error code in debug logs.
Files modified:
src/openssl_wrapper/ossl_ssl.c
src/openssl_wrapper/ssl.h
src/ssl/client/ssl_client.inc
Ticket #04054495: Resolved an issue with OpenSSL Connector 1.1 where WebDAVS using neon-0.31 was not functioning.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Common
Ticket #04172114: Allowed SAN to be used as a critical extension when checking if a certificate can be used to sign.
Files modified:
src/asn1/parsecert.c
Ticket #04110991 and #04099984: Applied Coverity fixes.
TrustCore SDK version: U5 | Date: 2024-10
DigiCert® TrustCore SDK U5 is a minor release that extends TrustCore SDK with the following enhancements and fixes.
Enhancements
NanoCrypto 7.0
FIPS 186-5 Compliance: Added a new compile flag --fips-700-compat to ensure compatibility with the FIPS-certified binary libmss.so (version: REL_700_U1).
Files modified:
projects/crypto/build.sh
Fixes
NanoSSH 7.0
Ticket #04013814: Resolved an issue on the NanoSSH server side when a client negotiated with aes128-gcm@openssh.com or aes256-gcm@openssh.com ciphers but no matching MAC algorithm for authentication.
Files modified:
src/ssh/ssh_context.h
src/ssh/ssh_trans.c
Ticket #03950943: Fixed an issue where the NanoSSH server sent an error when the Dropbear client included 'First KEX Packet follows' as 1 in the client key exchange initialization.
Files modified:
src/ssh/ssh_context.h
src/ssh/ssh_trans.c
OpenSSL Connector 7.0
Fix for crypt() Function: Addressed an error in the crypt() function within libssh2 when using the OpenSSL Connector 3.0.12.
Files modified:
openssl/openssl-3.0.12/providers/digicert/ciphers/digi_cipher_aes_gcm.c
Ticket #03864365: Removed x25519 and x448 supported groups from FIPS builds to comply with security requirements.
Files modified:
projects/nanossl/cmakeflags.txt
projects/nanossl/features/mocana_eddh_flags.txt
projects/nanossl/mocana_suiteb_flags.txt
Ticket #03973774: Fixed the compatibility issue where tpm2tools was not functioning with the OpenSSL Connector.
Files modified:
thirdparty/openssl-3.0.12/Configure
thirdparty/openssl-3.0.12/providers/digiprov.c
thirdparty/openssl-3.0.7/Configure
thirdparty/openssl-3.0.7/providers/digiprov.c
TrustCore SDK version: U4 | Date: 2024-06
DigiCert® TrustCore SDK U4 is a major release that extends TrustCore SDK with the following enhancements and fixes.
New
OpenSSL Connector 7.0
Added support for OpenSSL 3.0.12 in OpenSSL Connector.
NanoSSL 7.0
Added support for DTLS 1.3 in NanoDTLS.
Enhancements
OpenSSL Connector 7.0
Tickets #3751120, #3781142: Added new APIs; for OpenSSL 1.1.1, added SSL_CTX_set_client_hello_cb, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_CTX_get_security_level, SSL_SESSION_up_ref, and SSL_has_pending; for OpenSSL 3.0.12, added SSL_SESSION_set_time.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/openssl_shim.h
src/openssl_wrapper/ossl_ssl.c
src/openssl_wrapper/ossl_types.h
src/openssl_wrapper/ossl_typesv3.h
src/openssl_wrapper/ssl.h
src/ssl/server/ssl_server.inc
src/ssl/ssl.c
src/ssl/sslsock.h
Fixes
NanoSSH 7.0
Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors during RSA signature generation could potentially expose private keys.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
CVE-2023-48795, CVE-2023-46445, CVE-2023-46446: Addressed the Terrapin Attack by disabling chacha20 and poly1305 by default in build scripts.
Files modified:
projects/crypto/build.bat
projects/crypto/build.sh
projects/crypto/options/enable-ssh-no-chachapoly/mocana_flags.txt
projects/nanossh/CMakeLists.txt
projects/nanossh/build.bat
projects/nanossh/build.sh
projects/nanossh/cmakeflags.txt
projects/nanossh/mocana_chachapoly_flags.txt
projects/nanossh/ssh_client/mocana_flags.txt
projects/nanossh/ssh_server/mocana_flags.txt
scripts/nanossh/build_nanossh_target_nux.sh
scripts/nanossh/ssh_client/build_target_tap_local_ncrypto.bat
Ticket #03854089: The SSH server RADIUS authentication flow now uses the Message-Authenticator extension: the Message-Authenticator attribute is added to Access-Request packets.
Files modified:
src/radius/radius.c
OpenSSL Connector 7.0
Tickets #3834648, #3706260: Added the --disable-tcp-init flag in build scripts to fix SIGALRM not working when linking to libcrypto.
Files modified:
make/Makefile.ssl
projects/initialize/CMakeLists.txt
projects/initialize/build.sh
Ticket #3788916: Fixed the implementation of the SSL_set_verify function.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/ossl_ssl.c
src/ssl/ssl.c
Ticket #3717372: Fixed OpenSSL Connector not sending ALERT on cryptographic handshake error per RFC 5246.
Files modified:
src/openssl_wrapper/ossl_ssl.c
src/ssl/client/ssl_client.inc
src/ssl/sslsock.c
Ticket #2950173: Extended the --keylog feature to print out TLSv1.2 master secret keys for Wireshark.
Files modified:
src/ssl/sslsock.c
Ticket #3821075: Added null check when freeing hash table in OpenSSL connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3740353: Fix for DTLS to work with OpenSSL 3.0.12 connector and radsecproxy.
Files modified:
src/dtls/dtlssock.inc
src/openssl_wrapper/ossl_ssl.c
Ticket #3746253: Fix for compatibility with TLSv1.2 XMC server and OpenSSL connector 3.0.12.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3728300: Added support for SSL_CTX_get_security_callback.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3678174: Fixed symbol not found error when using lighttpd with OpenSSL Connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
CVE-2016-2183, SP800-131A rev2: Disabled Triple-DES by default in build scripts to enhance cryptographic security.
Files modified:
make/Makefile.ssl
projects/nanossl/CMakeLists.txt
projects/nanossl/build.bat
projects/nanossl/build.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap.bat
scripts/nanossl/openssl_connector/build_openssl_connector_cap.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap_android.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local_android.sh
NanoCrypto 7.0
Ticket #3522713: Added a build flag to enable constant-time vlong operations, addressing CVE-2022-4304.
Files modified:
projects/common/CMakeLists.txt
projects/common/build.sh
projects/common/mocana_flags.txt
projects/common/mocana_vlong_flags.txt
projects/common/mss_sources.txt
projects/crypto/build.sh
projects/crypto/options/default/mocana_flags.txt
projects/crypto/options/enable-vlong-const/mocana_flags.txt
Ticket #3670987: Added new CMS APIs and updated example.
Files modified:
projects/cryptointerface_example/example_sources.txt
src/crypto/cms.h
src/crypto/cms.inc
src/crypto/pkcs7.c
crypto_interface/example/cert.der
crypto_interface/example/crypto_interface_cms_example.c
crypto_interface/example/crypto_interface_example.c
crypto_interface/example/crypto_interface_moccms_streaming_example.c
crypto_interface/example/key.der
Ticket #3742948: Support for the rsassaPss cert generated by the openssl-3.0 tool.
Files modified:
src/crypto/malgo_id.c
NanoSec 7.0
Ticket #3582302: Fixed build issue in the kernel module for IPv6.
Files modified:
src/examples/ipsec/linux/gpl/nf_ipsecadm.c
src/examples/ipsec/mocana/moc_ipsec_main.c
Ticket #3658904: Fixed vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
NanoSSL 7.0
Ticket #3658904: Fixed vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
Common
Ticket #3767692: Fix for Coverity reported issues.
Files modified:
Various