Release notes
TrustCore SDK version: U4 | Date: 2024-06
DigiCert® TrustCore SDK U4 is a major release that extends TrustCore SDK with the following enhancements and fixes.
New
OpenSSL Connector 7.0
Added support for OpenSSL 3.0.12 in OpenSSL Connector.
NanoSSL 7.0
Added support for DTLS 1.3 in NanoDTLS.
Enhancements
OpenSSL Connector 7.0
Tickets #3751120, #3781142: Added new APIs. For OpenSSL 1.1.1, added SSL_CTX_set_client_hello_cb, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_CTX_get_security_level, SSL_SESSION_up_ref, and SSL_has_pending; for OpenSSL 3.0.12, added SSL_SESSION_set_time.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/openssl_shim.h
src/openssl_wrapper/ossl_ssl.c
src/openssl_wrapper/ossl_types.h
src/openssl_wrapper/ossl_typesv3.h
src/openssl_wrapper/ssl.h
src/ssl/server/ssl_server.inc
src/ssl/ssl.c
src/ssl/sslsock.h
Fixes
NanoSSH 7.0
Ticket #3658904: Fixed a vulnerability where a naturally occurring computational error during RSA signature generation produced a faulty signature from which the private key could be recovered.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
CVE-2023-48795, CVE-2023-46445, CVE-2023-46446: Addressed the Terrapin attack by disabling the ChaCha20-Poly1305 cipher by default in the build scripts (the enable-ssh-no-chachapoly option).
Files modified:
projects/crypto/build.bat
projects/crypto/build.sh
projects/crypto/options/enable-ssh-no-chachapoly/mocana_flags.txt
projects/nanossh/CMakeLists.txt
projects/nanossh/build.bat
projects/nanossh/build.sh
projects/nanossh/cmakeflags.txt
projects/nanossh/mocana_chachapoly_flags.txt
projects/nanossh/ssh_client/mocana_flags.txt
projects/nanossh/ssh_server/mocana_flags.txt
scripts/nanossh/build_nanossh_target_nux.sh
scripts/nanossh/ssh_client/build_target_tap_local_ncrypto.bat
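A check for the Terrapin fix above, as an added example that is not TrustCore SDK code: it decodes the algorithm name-lists from an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and reports the two Terrapin-relevant conditions, an offer of chacha20-poly1305@openssh.com, and an offer of a CBC cipher alongside an encrypt-then-MAC MAC (the CVE-2023-48795 variant the ChaCha20-Poly1305 switch does not cover), as well as whether the strict key exchange countermeasure is advertised. The KEXINIT payloads in the block are constructed with the helper, not captured from NanoSSH; run it against a real capture by passing the decrypted KEXINIT payload bytes to parse_kexinit.

```python
"""Parse an SSH_MSG_KEXINIT payload and report Terrapin (CVE-2023-48795) exposure from the
algorithm lists it offers. Added example; not TrustCore SDK code. The KEXINIT payloads
below are constructed, not captured from NanoSSH."""
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in KEXINIT (RFC 4253 section 7.1).
KEXINIT_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (used here to construct test input)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_LISTS:
        names = ",".join(lists.get(name, ())).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows = FALSE, reserved = 0


def parse_kexinit(payload):
    """Decode the ten name-lists; raises ValueError on a malformed payload instead of guessing."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for name in KEXINIT_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[name] = tuple(x for x in raw.split(",") if x)
    return lists


def terrapin_findings(lists):
    """Return the Terrapin-relevant conditions present in one peer's offer."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    findings = []
    if "chacha20-poly1305@openssh.com" in ciphers:
        findings.append("offers chacha20-poly1305@openssh.com (prefix truncation, CVE-2023-48795)")
    if any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs):
        findings.append("offers a CBC cipher together with an encrypt-then-MAC MAC (CVE-2023-48795 variant)")
    if findings and STRICT_KEX & set(lists["kex"]):
        findings.append("advertises strict kex; the attack is blocked only if the peer advertises it too")
    return findings


# Constructed offers: a pre-fix list that still includes ChaCha20-Poly1305, and the same list after it is dropped.
EXAMPLE_BEFORE = {
    "kex": ("curve25519-sha256",), "host_key": ("ssh-ed25519",),
    "enc_c2s": ("chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"),
    "enc_s2c": ("chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"),
    "mac_c2s": ("hmac-sha2-256-etm@openssh.com",), "mac_s2c": ("hmac-sha2-256-etm@openssh.com",),
    "comp_c2s": ("none",), "comp_s2c": ("none",),
}
EXAMPLE_AFTER = dict(EXAMPLE_BEFORE, enc_c2s=("aes256-gcm@openssh.com",), enc_s2c=("aes256-gcm@openssh.com",))

if __name__ == "__main__":
    for label, offer in (("before fix", EXAMPLE_BEFORE), ("after fix", EXAMPLE_AFTER)):
        print(label, terrapin_findings(parse_kexinit(build_kexinit(offer))))
```

A clean result from terrapin_findings for one peer is not a proof of safety on its own: Terrapin needs both sides to lack the strict-kex countermeasure, so check the KEXINIT of the peer you actually connect to as well.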
Ticket #03854089: The SSH server's RADIUS authentication flow now uses the Message-Authenticator extension (RFC 2869): the Message-Authenticator attribute is added to every Access-Request packet.
Files modified:
src/radius/radius.c
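What the Message-Authenticator attribute in an Access-Request looks like on the wire, as an added example that is not TrustCore SDK code: the RADIUS client builds the packet with a zeroed 16-byte Message-Authenticator value, computes HMAC-MD5 over the whole packet keyed with the shared secret (RFC 2869 section 5.14), and writes the result into the attribute; the server recomputes it with the value zeroed again. The shared secret, identifier and Request Authenticator are constructed test values (a real client draws the Request Authenticator from a CSPRNG), and the User-Password hiding follows RFC 2865 section 5.2.

```python
"""Build a RADIUS Access-Request carrying a Message-Authenticator attribute (RFC 2869 section 5.14)
and verify it on receipt. Added example; not TrustCore SDK code. Shared secret, identifier and
Request Authenticator are constructed test values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Request Authenticator(16)


def attr(attr_type, value):
    """Type(1) Length(1) Value; the length counts the two header bytes."""
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(secret, request_authenticator, password):
    """User-Password obfuscation from RFC 2865 section 5.2 (MD5 keystream XOR, 16-byte blocks)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def build_access_request(secret, identifier, request_authenticator, username, password):
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(secret, request_authenticator, password))
    ma_offset = HEADER_LEN + len(attrs) + 2  # where the 16-byte Message-Authenticator value will sit
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    pkt += request_authenticator + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed, keyed by the shared secret.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_offset] + mac + pkt[ma_offset + 16:]


def verify_message_authenticator(secret, pkt):
    """Server side. Returns False when the attribute is absent, malformed, or fails the HMAC check."""
    if len(pkt) < HEADER_LEN or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                return False
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False


EXAMPLE_SECRET = b"s3cret-shared"        # constructed
EXAMPLE_RA = bytes(range(16))            # constructed; must be random in real use
EXAMPLE_PACKET = build_access_request(EXAMPLE_SECRET, 7, EXAMPLE_RA, b"alice", b"hunter2")

if __name__ == "__main__":
    print("verifies:", verify_message_authenticator(EXAMPLE_SECRET, EXAMPLE_PACKET))
    tampered = EXAMPLE_PACKET[:22] + b"b" + EXAMPLE_PACKET[23:]  # first byte of User-Name
    print("tampered verifies:", verify_message_authenticator(EXAMPLE_SECRET, tampered))
```

Note that hmac.compare_digest is used rather than a plain comparison, and that a packet with no Message-Authenticator is rejected rather than waved through: sending the attribute only helps if the RADIUS server on the other end validates it, so confirm that behaviour against the server you deploy with.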
OpenSSL Connector 7.0
Tickets #3834648, #3706260: Added the --disable-tcp-init flag in the build scripts to fix SIGALRM not working when linking to libcrypto.
Files modified:
make/Makefile.ssl
projects/initialize/CMakeLists.txt
projects/initialize/build.sh
Ticket #3788916: Fixed the implementation of the SSL_set_verify function.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/ossl_ssl.c
src/ssl/ssl.c
Ticket #3717372: Fixed OpenSSL Connector not sending a TLS alert on a cryptographic handshake error, as RFC 5246 requires.
Files modified:
src/openssl_wrapper/ossl_ssl.c
src/ssl/client/ssl_client.inc
src/ssl/sslsock.c
Ticket #2950173: Extended the --keylog feature to log TLSv1.2 master secrets so that sessions can be decrypted in Wireshark.
Files modified:
src/ssl/sslsock.c
Ticket #3821075: Added a null check when freeing the hash table in OpenSSL Connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3740353: Fixed DTLS when using the OpenSSL 3.0.12 connector with radsecproxy.
Files modified:
src/dtls/dtlssock.inc
src/openssl_wrapper/ossl_ssl.c
Ticket #3746253: Fixed TLSv1.2 compatibility between an XMC server and OpenSSL Connector 3.0.12.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3728300: Added support for SSL_CTX_get_security_callback.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3678174: Fixed a "symbol not found" error when using lighttpd with OpenSSL Connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
CVE-2016-2183 (Sweet32), NIST SP 800-131A Rev. 2: Disabled Triple-DES by default in the build scripts.
Files modified:
make/Makefile.ssl
projects/nanossl/CMakeLists.txt
projects/nanossl/build.bat
projects/nanossl/build.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap.bat
scripts/nanossl/openssl_connector/build_openssl_connector_cap.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap_android.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local_android.sh
NanoCrypto 7.0
Ticket #3522713: Added a build option (enable-vlong-const) that enables constant-time vlong (big-integer) operations, mitigating the timing side channel described in CVE-2022-4304.
Files modified:
projects/common/CMakeLists.txt
projects/common/build.sh
projects/common/mocana_flags.txt
projects/common/mocana_vlong_flags.txt
projects/common/mss_sources.txt
projects/crypto/build.sh
projects/crypto/options/default/mocana_flags.txt
projects/crypto/options/enable-vlong-const/mocana_flags.txt
Ticket #3670987: Added new CMS APIs and updated the example.
Files modified:
projects/cryptointerface_example/example_sources.txt
src/crypto/cms.h
src/crypto/cms.inc
src/crypto/pkcs7.c
crypto_interface/example/cert.der
crypto_interface/example/crypto_interface_cms_example.c
crypto_interface/example/crypto_interface_example.c
crypto_interface/example/crypto_interface_moccms_streaming_example.c
crypto_interface/example/key.der
Ticket #3742948: Added support for RSASSA-PSS (rsassaPss) certificates generated by the OpenSSL 3.0 command-line tool.
Files modified:
src/crypto/malgo_id.c
NanoSec 7.0
Ticket #3582302: Fixed a build issue in the kernel module for IPv6.
Files modified:
src/examples/ipsec/linux/gpl/nf_ipsecadm.c
src/examples/ipsec/mocana/moc_ipsec_main.c
Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
NanoSSL 7.0
Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
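Why a single faulty RSA signature is enough to recover the key, for the ticket #3658904 fix listed under NanoSSH, NanoSec and NanoSSL above, as an added example that is not TrustCore SDK code. With CRT signing, a computational error in the mod-q half yields a signature s' that is still correct mod p but wrong mod q, so gcd(s'^e - m, N) gives p to anyone holding the public key, the message and the faulty signature (the Boneh, DeMillo and Lipton fault attack). The block also shows the standard countermeasure of verifying the signature with the public exponent before releasing it; the release notes do not state which countermeasure the SDK applied, so treat that part as illustrative. The key is a constructed toy key with 30-bit primes.

```python
"""Fault attack on RSA-CRT signing (Boneh, DeMillo and Lipton), plus the self-check that
prevents a faulty signature from ever leaving the signer.
Added example; not TrustCore SDK code. The key below is a constructed toy key."""
from math import gcd

# Constructed toy RSA key: 30-bit primes so the arithmetic is readable. Never use such sizes for real keys.
P = 1000000007
Q = 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)               # q^-1 mod p for Garner recombination


def sign_crt(m, fault_in_q=False):
    """RSA-CRT signing of an already-encoded message representative m (0 < m < N).
    fault_in_q simulates a single bit flip in the mod-q half: the kind of 'naturally
    occurring computational error' the fix refers to."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq ^= 1
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def recover_prime(m, faulty_sig):
    """Attacker side: needs only the public key (N, E), the message and the faulty signature.
    s'^E == m (mod p) still holds but fails mod q, so gcd(s'^E - m, N) is p.
    Returns None when no factor leaks (e.g. the signature was correct)."""
    g = gcd((pow(faulty_sig, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_checked(m, fault_in_q=False):
    """Countermeasure: verify with the public exponent before releasing the signature.
    A faulty signature is withheld (None), so the attacker never sees it."""
    s = sign_crt(m, fault_in_q)
    return s if pow(s, E, N) == m else None


if __name__ == "__main__":
    m = 123456789  # constructed message representative
    good = sign_crt(m)
    bad = sign_crt(m, fault_in_q=True)
    print("valid signature verifies:", pow(good, E, N) == m)
    print("prime recovered from faulty signature:", recover_prime(m, bad) == P)
    print("checked signer releases faulty signature:", sign_checked(m, fault_in_q=True) is not None)
```

The self-check costs one public-exponent exponentiation per signature, which is cheap next to the private operation; what it buys is that a fault, whether from a hardware glitch or an attacker-induced one, can only cause a denial of the signature, never a leak of the key. The same reasoning applies to every RSA-CRT signing path (TLS, SSH and IKE all listed in the ticket's files).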
Common
Ticket #3767692: Fix for Coverity reported issues.
Files modified:
Various