Release notes
TrustCore SDK version: U5 | Date: 2024-10
DigiCert® TrustCore SDK U5 is a minor release that extends TrustCore SDK with the following enhancements and fixes.
Enhancements
NanoCrypto 7.0
FIPS 186-5 Compliance: Added a new compile flag --fips-700-compat to ensure compatibility with the FIPS-certified binary libmss.so (version: REL_700_U1).
Files modified:
projects/crypto/build.sh
Fixes
NanoSSH 7.0
Ticket #04013814: Resolved an issue on the NanoSSH server side when a client negotiated the aes128-gcm@openssh.com or aes256-gcm@openssh.com cipher but no matching MAC algorithm for authentication.
Files modified:
src/ssh/ssh_context.h
src/ssh/ssh_trans.c
Ticket #03950943: Fixed an issue where the NanoSSH server sent an error when the Dropbear client set 'First KEX Packet follows' to 1 in the client key exchange initialization.
Files modified:
src/ssh/ssh_context.h
src/ssh/ssh_trans.c
OpenSSL Connector 7.0
Fix for crypt() Function: Addressed an error in the crypt() function within libssh2 when using the OpenSSL Connector 3.0.12.
Files modified:
openssl/openssl-3.0.12/providers/digicert/ciphers/digi_cipher_aes_gcm.c
Ticket #03864365: Removed the x25519 and x448 supported groups from FIPS builds to comply with security requirements.
Files modified:
projects/nanossl/cmakeflags.txt
projects/nanossl/features/mocana_eddh_flags.txt
projects/nanossl/mocana_suiteb_flags.txt
Ticket #03973774: Fixed the compatibility issue where tpm2tools was not functioning with the OpenSSL Connector.
Files modified:
thirdparty/openssl-3.0.12/Configure
thirdparty/openssl-3.0.12/providers/digiprov.c
thirdparty/openssl-3.0.7/Configure
thirdparty/openssl-3.0.7/providers/digiprov.c
TrustCore SDK version: U4 | Date: 2024-06
DigiCert® TrustCore SDK U4 is a major release that extends TrustCore SDK with the following enhancements and fixes.
New
OpenSSL Connector 7.0
Added support for OpenSSL 3.0.12 in OpenSSL Connector.
NanoSSL 7.0
Added support for DTLS 1.3 in NanoDTLS.
Enhancements
OpenSSL Connector 7.0
Tickets #3751120, #3781142: Added new APIs. For OpenSSL 1.1.1, added SSL_CTX_set_client_hello_cb, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_CTX_get_security_level, SSL_SESSION_up_ref, and SSL_has_pending; for OpenSSL 3.0.12, added SSL_SESSION_set_time.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/openssl_shim.h
src/openssl_wrapper/ossl_ssl.c
src/openssl_wrapper/ossl_types.h
src/openssl_wrapper/ossl_typesv3.h
src/openssl_wrapper/ssl.h
src/ssl/server/ssl_server.inc
src/ssl/ssl.c
src/ssl/sslsock.h
Fixes
NanoSSH 7.0
Ticket #3658904: Fixed a vulnerability where naturally occurring computational errors in RSA signature could potentially expose private keys.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
CVE-2023-48795, CVE-2023-46445, CVE-2023-46446: Addressed the Terrapin Attack by disabling chacha20 and poly1305 by default in build scripts.
Files modified:
projects/crypto/build.bat
projects/crypto/build.sh
projects/crypto/options/enable-ssh-no-chachapoly/mocana_flags.txt
projects/nanossh/CMakeLists.txt
projects/nanossh/build.bat
projects/nanossh/build.sh
projects/nanossh/cmakeflags.txt
projects/nanossh/mocana_chachapoly_flags.txt
projects/nanossh/ssh_client/mocana_flags.txt
projects/nanossh/ssh_server/mocana_flags.txt
scripts/nanossh/build_nanossh_target_nux.sh
scripts/nanossh/ssh_client/build_target_tap_local_ncrypto.bat
Ticket #03854089: The SSH server RADIUS authentication flow now uses the extension: the Message-Authenticator attribute is added to Access-Request packets.
Files modified:
src/radius/radius.c
OpenSSL Connector 7.0
Tickets #3834648, #3706260: Added the --disable-tcp-init flag in build scripts to fix SIGALRM not working when linking to libcrypto.
Files modified:
make/Makefile.ssl
projects/initialize/CMakeLists.txt
projects/initialize/build.sh
Ticket #3788916: Fixed implementation of SSL_set_verify function.
Files modified:
src/openssl_wrapper/openssl_compat.c
src/openssl_wrapper/ossl_ssl.c
src/ssl/ssl.c
Ticket #3717372: Fixed OpenSSL Connector not sending ALERT on cryptographic handshake error per RFC 5246.
Files modified:
src/openssl_wrapper/ossl_ssl.c
src/ssl/client/ssl_client.inc
src/ssl/sslsock.c
Ticket #2950173: Extended the --keylog feature to print out TLSv1.2 master secret keys for Wireshark.
Files modified:
src/ssl/sslsock.c
Ticket #3821075: Added null check when freeing hash table in OpenSSL connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3740353: Fix for DTLS to work with OpenSSL 3.0.12 connector and radsecproxy.
Files modified:
src/dtls/dtlssock.inc
src/openssl_wrapper/ossl_ssl.c
Ticket #3746253: Fix for compatibility with TLSv1.2 XMC server and OpenSSL connector 3.0.12.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3728300: Added support for SSL_CTX_get_security_callback.
Files modified:
src/openssl_wrapper/ossl_ssl.c
Ticket #3678174: Fixed symbol not found error when using lighttpd with OpenSSL Connector.
Files modified:
src/openssl_wrapper/ossl_ssl.c
CVE-2016-2183, SP800-131A rev2: Disabled Triple-DES by default in build scripts to enhance cryptographic security.
Files modified:
make/Makefile.ssl
projects/nanossl/CMakeLists.txt
projects/nanossl/build.bat
projects/nanossl/build.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap.bat
scripts/nanossl/openssl_connector/build_openssl_connector_cap.sh
scripts/nanossl/openssl_connector/build_openssl_connector_cap_android.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local.sh
scripts/nanossl/openssl_connector/build_openssl_connector_tap_local_android.sh
NanoCrypto 7.0
Ticket #3522713: Added a build flag to enable constant-time vlong operations (CVE-2022-4304).
Files modified:
projects/common/CMakeLists.txt
projects/common/build.sh
projects/common/mocana_flags.txt
projects/common/mocana_vlong_flags.txt
projects/common/mss_sources.txt
projects/crypto/build.sh
projects/crypto/options/default/mocana_flags.txt
projects/crypto/options/enable-vlong-const/mocana_flags.txt
Ticket #3670987: Added new CMS APIs and updated example.
Files modified:
projects/cryptointerface_example/example_sources.txt
src/crypto/cms.h
src/crypto/cms.inc
src/crypto/pkcs7.c
crypto_interface/example/cert.der
crypto_interface/example/crypto_interface_cms_example.c
crypto_interface/example/crypto_interface_example.c
crypto_interface/example/crypto_interface_moccms_streaming_example.c
crypto_interface/example/key.der
Ticket #3742948: Added support for rsassaPss certificates generated by the openssl-3.0 tool.
Files modified:
src/crypto/malgo_id.c
NanoSec 7.0
Ticket #3582302: Fixed build issue in the kernel module for IPv6.
Files modified:
src/examples/ipsec/linux/gpl/nf_ipsecadm.c
src/examples/ipsec/mocana/moc_ipsec_main.c
Ticket #3658904: Fixed vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
NanoSSL 7.0
Ticket #3658904: Fixed vulnerability where naturally occurring computational errors resulted in a faulty RSA signature, which could be used to compute the private portion of the underlying key pair.
Files modified:
src/ike/ike_state.c
src/ike2/ike2_state.c
src/ssh/ssh_rsa.c
src/ssl/server/ssl_server.inc
src/ssl/sslsock.c
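The three ticket #3658904 entries above (NanoSSH, NanoSec, NanoSSL) describe the same class of bug: a computational error during RSA-CRT signing yields a faulty signature that can reveal the private key. The standard defence is to verify the signature with the public exponent before releasing it. The following is an added illustration of that guard, not TrustCore SDK code; the toy prime sizes, the simulated fault, and the function names are constructed for the example.

```python
# Added example (not TrustCore SDK code): RSA-CRT signing with a
# verify-before-release guard against faulty signatures (ticket #3658904).
# Constructed toy parameters; far too small for real use.
P, Q, E = 1000003, 1000033, 65537
N = P * Q

# Private exponent and CRT components (requires Python 3.8+ for pow(x, -1, m))
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m: int, fault: bool = False) -> int:
    """Compute m^D mod N using the Chinese Remainder Theorem.

    'fault' flips one bit in the mod-Q half, standing in for the naturally
    occurring computational error the release notes refer to.
    """
    s1 = pow(m, DP, P)
    s2 = pow(m, DQ, Q)
    if fault:
        s2 ^= 1  # corrupt the mod-Q half only
    h = (QINV * (s1 - s2)) % P
    return s2 + h * Q


def sign_checked(m: int, fault: bool = False):
    """Sign, then verify with the public key before handing the value out.

    Returns the signature, or None when it fails to verify, so a faulty
    signature is never sent to the peer (and therefore cannot be analysed).
    """
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        return None
    return s


if __name__ == "__main__":
    msg = 42  # constructed message representative
    print("good signature released:", sign_checked(msg) is not None)
    print("faulty signature suppressed:", sign_checked(msg, fault=True) is None)
```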
Common
Ticket #3767692: Fix for Coverity reported issues.
Files modified:
Various