
Release notes

TrustCore SDK version: U5 | Date: 2024-10

DigiCert® TrustCore SDK U5 is a minor release that extends TrustCore SDK with the following enhancements and fixes.

Enhancements

NanoCrypto 7.0

  • FIPS 186-5 Compliance: Added a new compile flag --fips-700-compat to ensure compatibility with the FIPS-certified binary libmss.so (version: REL_700_U1).

    Files modified:

    • projects/crypto/build.sh

Fixes

NanoSSH 7.0

  • Ticket #04013814: Resolved an issue on the NanoSSH server when a client negotiated the aes128-gcm@openssh.com or aes256-gcm@openssh.com cipher but no matching MAC algorithm could be agreed for authentication.

    Files modified:

    • src/ssh/ssh_context.h

    • src/ssh/ssh_trans.c

  • Ticket #03950943: Fixed an issue where the NanoSSH server returned an error when the Dropbear client set 'First KEX Packet follows' to 1 in its client key exchange initialization (KEXINIT).

    Files modified:

    • src/ssh/ssh_context.h

    • src/ssh/ssh_trans.c

OpenSSL Connector 7.0

  • Fix for crypt() Function: Fixed an error in the crypt() function of libssh2 when it is used with OpenSSL Connector 3.0.12.

    Files modified:

    • openssl/openssl-3.0.12/providers/digicert/ciphers/digi_cipher_aes_gcm.c

  • Ticket #03864365: Removed x25519 and x448 supported groups from FIPS builds to comply with security requirements.

    Files modified:

    • projects/nanossl/cmakeflags.txt

    • projects/nanossl/features/mocana_eddh_flags.txt

    • projects/nanossl/mocana_suiteb_flags.txt

  • Ticket #03973774: Fixed a compatibility issue where tpm2tools did not function with the OpenSSL Connector.

    Files modified:

    • thirdparty/openssl-3.0.12/Configure

    • thirdparty/openssl-3.0.12/providers/digiprov.c

    • thirdparty/openssl-3.0.7/Configure

    • thirdparty/openssl-3.0.7/providers/digiprov.c

TrustCore SDK version: U4 | Date: 2024-06

DigiCert® TrustCore SDK U4 is a major release that extends TrustCore SDK with the following enhancements and fixes.

New

OpenSSL Connector 7.0

  • Added support for OpenSSL 3.0.12 in OpenSSL Connector.

NanoSSL 7.0

  • Added support for DTLS 1.3 in NanoDTLS.

Enhancements

OpenSSL Connector 7.0

  • Tickets #3751120, #3781142: Added new APIs. For OpenSSL 1.1.1: SSL_CTX_set_client_hello_cb, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_CTX_get_security_level, SSL_SESSION_up_ref, and SSL_has_pending. For OpenSSL 3.0.12: SSL_SESSION_set_time.

    Files modified:

    • src/openssl_wrapper/openssl_compat.c

    • src/openssl_wrapper/openssl_shim.h

    • src/openssl_wrapper/ossl_ssl.c

    • src/openssl_wrapper/ossl_types.h

    • src/openssl_wrapper/ossl_typesv3.h

    • src/openssl_wrapper/ssl.h

    • src/ssl/server/ssl_server.inc

    • src/ssl/ssl.c

    • src/ssl/sslsock.h

Fixes

NanoSSH 7.0

  • Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors during RSA signature generation could expose the private key.

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c

  • CVE-2023-48795, CVE-2023-46445, CVE-2023-46446: Addressed the Terrapin Attack by disabling chacha20 and poly1305 by default in build scripts.

    Files modified:

    • projects/crypto/build.bat

    • projects/crypto/build.sh

    • projects/crypto/options/enable-ssh-no-chachapoly/mocana_flags.txt

    • projects/nanossh/CMakeLists.txt

    • projects/nanossh/build.bat

    • projects/nanossh/build.sh

    • projects/nanossh/cmakeflags.txt

    • projects/nanossh/mocana_chachapoly_flags.txt

    • projects/nanossh/ssh_client/mocana_flags.txt

    • projects/nanossh/ssh_server/mocana_flags.txt

    • scripts/nanossh/build_nanossh_target_nux.sh

    • scripts/nanossh/ssh_client/build_target_tap_local_ncrypto.bat

  • Ticket #03854089: The SSH server's RADIUS authentication flow now uses the Message-Authenticator extension: the Message-Authenticator attribute is added to Access-Request packets.

    Files modified:

    • src/radius/radius.c
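What the fix above adds to each Access-Request is the Message-Authenticator attribute (type 80) defined in RFC 2869 section 5.14: an HMAC-MD5 over the whole packet, keyed with the RADIUS shared secret, computed with the attribute's own 16 value bytes zeroed. The block below is an added, stand-alone illustration of that attribute on both the client side (building the packet) and the server side (checking it); it is not code from the TrustCore SDK, and the shared secret, Request Authenticator and attribute values are constructed sample data. The verifier also treats a packet that lacks the attribute as invalid, because a receiver that accepted the attribute-free form would gain nothing from requiring it.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         attributes: list, shared_secret: bytes,
                         with_message_authenticator: bool = True) -> bytes:
    """Build an Access-Request packet.

    With with_message_authenticator=True the packet carries a Message-Authenticator
    attribute whose value is HMAC-MD5(shared_secret, packet) computed while the
    attribute's 16 value bytes are zero (RFC 2869 section 5.14). The legacy form
    without the attribute is kept only so the verifier can be shown rejecting it.
    """
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    if with_message_authenticator:
        body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    if with_message_authenticator:
        mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zeroed value is the last 16 bytes
    return packet


def verify_message_authenticator(packet: bytes, shared_secret: bytes) -> bool:
    """Return True only if the packet carries a Message-Authenticator that matches.

    A packet without the attribute is rejected, so a downgraded (stripped) request
    is not accepted in its place.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


# Constructed sample values; a real client draws the Request Authenticator
# from a CSPRNG (os.urandom) and takes the secret from configuration.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ATTRIBUTES = [(ATTR_USER_NAME, b"alice")]


def demo():
    """Return (valid_accepted, tampered_rejected, stripped_rejected)."""
    pkt = build_access_request(7, SAMPLE_AUTHENTICATOR, SAMPLE_ATTRIBUTES, SAMPLE_SECRET)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01  # first byte of the User-Name value
    stripped = build_access_request(7, SAMPLE_AUTHENTICATOR, SAMPLE_ATTRIBUTES,
                                    SAMPLE_SECRET, with_message_authenticator=False)
    return (verify_message_authenticator(pkt, SAMPLE_SECRET),
            not verify_message_authenticator(bytes(tampered), SAMPLE_SECRET),
            not verify_message_authenticator(stripped, SAMPLE_SECRET))


if __name__ == "__main__":
    live = build_access_request(1, os.urandom(16), SAMPLE_ATTRIBUTES, SAMPLE_SECRET)
    print(live.hex())
    print(demo())
```

Running the block prints a freshly built request and `(True, True, True)`: the intact packet verifies, a single flipped byte in User-Name fails the HMAC, and the attribute-free packet is refused outright.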

OpenSSL Connector 7.0

  • Tickets #3834648, #3706260: Added the --disable-tcp-init flag in build scripts to fix SIGALRM not working when linking to libcrypto.

    Files modified:

    • make/Makefile.ssl

    • projects/initialize/CMakeLists.txt

    • projects/initialize/build.sh

  • Ticket #3788916: Fixed implementation of SSL_set_verify function.

    Files modified:

    • src/openssl_wrapper/openssl_compat.c

    • src/openssl_wrapper/ossl_ssl.c

    • src/ssl/ssl.c

  • Ticket #3717372: Fixed OpenSSL Connector not sending ALERT on cryptographic handshake error per RFC 5246.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

    • src/ssl/client/ssl_client.inc

    • src/ssl/sslsock.c

  • Ticket #2950173: Extended the --keylog feature to print out TLSv1.2 master secrets for Wireshark.

    Files modified:

    • src/ssl/sslsock.c

  • Ticket #3821075: Added null check when freeing hash table in OpenSSL connector.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3740353: Fixed DTLS to work with the OpenSSL 3.0.12 connector and radsecproxy.

    Files modified:

    • src/dtls/dtlssock.inc

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3746253: Fixed a compatibility issue between a TLSv1.2 XMC server and OpenSSL Connector 3.0.12.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3728300: Added support for SSL_CTX_get_security_callback.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • Ticket #3678174: Fixed symbol not found error when using lighttpd with OpenSSL Connector.

    Files modified:

    • src/openssl_wrapper/ossl_ssl.c

  • CVE-2016-2183, SP800-131A rev2: Disabled Triple-DES by default in build scripts to enhance cryptographic security.

    Files modified:

    • make/Makefile.ssl

    • projects/nanossl/CMakeLists.txt

    • projects/nanossl/build.bat

    • projects/nanossl/build.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap.bat

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_cap_android.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_tap_local.sh

    • scripts/nanossl/openssl_connector/build_openssl_connector_tap_local_android.sh

NanoCrypto 7.0

  • Ticket #3522713: Added a build flag that enables constant-time vlong operations, addressing CVE-2022-4304.

    Files modified:

    • projects/common/CMakeLists.txt

    • projects/common/build.sh

    • projects/common/mocana_flags.txt

    • projects/common/mocana_vlong_flags.txt

    • projects/common/mss_sources.txt

    • projects/crypto/build.sh

    • projects/crypto/options/default/mocana_flags.txt

    • projects/crypto/options/enable-vlong-const/mocana_flags.txt

  • Ticket #3670987: Added new CMS APIs and updated example.

    Files modified:

    • projects/cryptointerface_example/example_sources.txt

    • src/crypto/cms.h

    • src/crypto/cms.inc

    • src/crypto/pkcs7.c

    • crypto_interface/example/cert.der

    • crypto_interface/example/crypto_interface_cms_example.c

    • crypto_interface/example/crypto_interface_example.c

    • crypto_interface/example/crypto_interface_moccms_streaming_example.c

    • crypto_interface/example/key.der

  • Ticket #3742948: Added support for rsassaPss (RSASSA-PSS) certificates generated by the openssl 3.0 tool.

    Files modified:

    • src/crypto/malgo_id.c

NanoSec 7.0

  • Ticket #3582302: Fixed build issue in the kernel module for IPv6.

    Files modified:

    • src/examples/ipsec/linux/gpl/nf_ipsecadm.c

    • src/examples/ipsec/mocana/moc_ipsec_main.c

  • Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors produced a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c

NanoSSL 7.0

  • Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors produced a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.

    Files modified:

    • src/ike/ike_state.c

    • src/ike2/ike2_state.c

    • src/ssh/ssh_rsa.c

    • src/ssl/server/ssl_server.inc

    • src/ssl/sslsock.c
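Ticket #3658904, listed under NanoSSH, NanoSec and NanoSSL above, concerns the classic RSA-CRT fault problem: a signature computed with the Chinese Remainder Theorem in which one of the two half-computations went wrong still looks like a signature, but it no longer verifies, and releasing such a value to the peer is what exposes the private key. The standard countermeasure is to verify every signature with the public exponent before it leaves the signer and to discard it if the check fails. The block below is an added illustration of that check; it is not the SDK's implementation and uses a constructed toy key (two Mersenne primes, far too small for real use) and textbook RSA without padding. The `inject_fault` flag simulates a computational error in the mod-p branch so the check can be seen catching it.

```python
import hashlib
from dataclasses import dataclass


class SignatureFaultError(Exception):
    """Raised when a freshly generated signature fails the verify-before-release check."""


@dataclass(frozen=True)
class RsaCrtKey:
    n: int
    e: int
    p: int
    q: int
    dp: int    # d mod (p-1)
    dq: int    # d mod (q-1)
    qinv: int  # q^-1 mod p


def make_toy_key() -> RsaCrtKey:
    """Constructed toy key from two Mersenne primes (illustration only, not a secure size)."""
    p, q = 2**61 - 1, 2**89 - 1
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return RsaCrtKey(n=p * q, e=e, p=p, q=q,
                     dp=d % (p - 1), dq=d % (q - 1), qinv=pow(q, -1, p))


def sign_crt(m: int, key: RsaCrtKey, inject_fault: bool = False) -> int:
    """Textbook RSA-CRT signature of the integer m (no padding; toy only).

    inject_fault simulates a computational error in the mod-p half, the kind of
    naturally occurring fault the release note describes.
    """
    sp = pow(m % key.p, key.dp, key.p)
    sq = pow(m % key.q, key.dq, key.q)
    if inject_fault:
        sp = (sp + 1) % key.p  # simulated error in one CRT branch
    h = (key.qinv * (sp - sq)) % key.p  # Garner recombination
    return sq + h * key.q


def verify(m: int, s: int, key: RsaCrtKey) -> bool:
    """Public-key check: s^e mod n must equal m."""
    return pow(s, key.e, key.n) == m % key.n


def sign_with_check(m: int, key: RsaCrtKey, inject_fault: bool = False) -> int:
    """Sign, then verify with the public exponent before releasing the value.

    A faulty CRT signature is consistent modulo one prime only, so it never
    passes this check; refusing to release it is what protects the key.
    """
    s = sign_crt(m, key, inject_fault)
    if not verify(m, s, key):
        raise SignatureFaultError("signature failed self-check; not released")
    return s


def message_to_int(msg: bytes, key: RsaCrtKey) -> int:
    """Hash the message and reduce it below n (toy encoding, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % key.n


def demo():
    """Return (good_verifies, faulty_verifies, fault_caught)."""
    key = make_toy_key()
    m = message_to_int(b"constructed message", key)
    good = sign_with_check(m, key)
    faulty = sign_crt(m, key, inject_fault=True)  # what an unchecked signer would emit
    try:
        sign_with_check(m, key, inject_fault=True)
        caught = False
    except SignatureFaultError:
        caught = True
    return verify(m, good, key), verify(m, faulty, key), caught


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(True, False, True)`: the correct signature verifies, the faulted one does not, and `sign_with_check` refuses to hand the faulted value out. The check costs one public-exponent exponentiation per signature, which is cheap compared with the private operation.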

Common

  • Ticket #3767692: Fix for Coverity reported issues.

    Files modified:

    • Various