pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
NEWS for the Nettle 3.5.1 release
The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
The new directory x86_64/sha_ni were missing in the tar file,
breaking x86_64 builds with --enable-fat, and producing worse
performance than promised for builds with --enable-x86-sha-ni.
Also a few unused in-progress assembly files were accidentally
included in the tar file.
These problems are corrected in Nettle-3.5.1. There are no
other changes, and also the library version numbers are
unchanged.
NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations,
and deletes or deprecates a few obsolete features. It is *not*
binary (ABI) compatible with earlier versions. Except for
deprecations listed below, it is intended to be fully
source-level (API) compatible with Nettle-3.4.1.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0, with sonames libnettle.so.7 and
libhogweed.so.5.
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher
to process more than one block at a time. This is not a
change to the documented behavior, but unfortunately breaks
assumptions accidentally made in GnuTLS, up to and including
version 3.6.1.
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single
octet per block cipher operation), contributed by Dmitry
Eremin-Solenikov.
* Support for CMAC (RFC 4493), contributed by Nikos
Mavrogiannopoulos.
* Support for XTS mode, contributed by Simo Sorce.
Optimizations:
* Improved performance of the x86_64 AES implementation using
the aesni instructions. Gives a large speedup for operations
processing multiple blocks at a time (including CTR mode,
GCM mode, and CBC decrypt, but *not* CBC encrypt).
* Improved performance for CTR mode, for the common case of
16-byte block size. Pass more data at a time to underlying
block cipher, and fill the counter blocks more efficiently.
Extension to also handle GCM mode efficiently contributed
by Nikos Mavrogiannopoulos.
* New x86_64 implementation of sha1 and sha256, for processors
supporting the sha_ni instructions. Speedup of 3-5 times on
affected processors.
* Improved parameters for the precomputation of tables used
for ecc signatures. Roughly 10%-15% speedup of the ecdsa
sign operation using the secp_256r1, secp_384r1 and
secp_521r1 curves, and 25% speedup of ed25519 sign
operation, benchmarked on x86_64. Table sizes unchanged,
around 16 KB per curve.
* In ARM fat builds, automatically select Neon implementation
of Chacha, where possible. Contributed by Yuriy M.
Kaminskiy.
Deleted features:
* The header file des-compat.h and everything declared therein
has been deleted, as announced earlier. This file provided a
subset of the old libdes/ssleay/openssl interface for DES
and triple-DES. DES is still supported, via the functions
declared in des.h.
* Functions using the old struct aes_ctx have been marked as
deprecated. Use the fixed key size interface instead, e.g.,
struct aes256_ctx, introduced in Nettle-3.0.
* The header file nettle-stdint.h, and corresponding autoconf
tests, have been deleted. Nettle now requires that the
compiler/libc provides <stdint.h>.
Miscellaneous:
* Support for big-endian ARM systems, contributed by Michael
Weiser.
* The programs aesdata, desdata, twofishdata, shadata and
gcmdata are no longer built by default. Makefile
improvements contributed by Jay Foad.
* The "example" program examples/eratosthenes.c has been
deleted.
* The contents of hash context structs, and the deprecated
aes_ctx struct, have been reorganized, to enable later
optimizations.
The shared library names are libnettle.so.7.0 and
libhogweed.so.5.0.
Changes:
3.4.1
-----
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and include one new
public function, rsa_sec_decrypt, see below.
All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
still leak. I'm not aware of any attacks on RSA where knowing
a few bits of the factors makes a significant difference. This
leak will likely be plugged in later GMP versions.
Changes in behavior:
* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle useable for a Bleichenbacher-style chosen ciphertext
attack. Which is why the new function rsa_sec_decrypt is
recommended.
New features:
* A new function rsa_sec_decrypt. It differs from
rsa_decrypt_tr in that the length of the decrypted message
is given a priori, and PKCS#1 padding indicating a different
length is treated as an error. For applications that may be
subject to chosen ciphertext attacks, it is recommended to
initialize the message area with random data, call this
function, and ignore the return value. This applies in
particular to RSA-based key exchange in the TLS protocol.
Bug fixes:
* Fix bug in pkcs1-conv, missing break statements in the
parsing of PEM input files.
* Fix link error on the pss-mgf1-test test, affecting builds
without public key support.
Performance regression:
* All RSA private key operations employing RSA blinding, i.e.,
rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
rsa_compute_root_tr, are significantly slower. This is
because (i) RSA blinding now use side-channel silent
operations, (ii) blinding includes a modular inversion, and
(iii) side-channel silent modular inversion, implemented as
mpn_sec_invert, is very expensive. A 60% slowdown for
2048-bit RSA keys have been measured.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 6.0 or later (unless --enable-mini-gmp is used).
The shared library names are libnettle.so.6.5 and
libhogweed.so.4.5, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
The actual fix as been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
NEWS for the Nettle 3.4 release
This release fixes bugs and adds a few new features. It also
addresses an ABI compatibility issue affecting Nettle-3.1 and
later, see below.
Bug fixes:
* Fixed an improper use of GMP mpn_mul, breaking curve2559 and
eddsa on certain platforms. Reported by Sergei Trofimovich.
* Fixed memory leak when handling invalid signatures in
ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
* Fix compilation error with --enable-fat om ARM. Fix
contributed by Andreas Schneider.
* Reorganized the way certain data items are made available.
Short version: Nettle header files now define the symbols
nettle_hashes, nettle_ciphers, and nettle_aeads, as
preprocessor macros invoking a corresponding accessor
function. For backwards ABI compatibility, the symbols are
still present in the compiled libraries, and with the same
sizes as in nettle-3.3.
New features:
* Support for RSA-PSS signatures, contributed by Daiki Ueno.
* Support for the HKDF key derivation function, defined by RFC
5869. Contributed by Nikos Mavrogiannopoulos.
* Support for the Cipher Feedback Mode (CFB), contributed by
Dmitry Eremin-Solenikov.
* New accessor functions: nettle_get_hashes,
nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
nettle_get_secp_224r1, nettle_get_secp_256r1,
nettle_get_secp_384r1, nettle_get_secp_521r1.
For source-level compatibility with future versions,
applications are encouraged to migrate to using these
functions instead of referring to the corresponding data
items directly.
Miscellaneous:
* The base16 and base64 functions now use the type char * for
ascii data, rather than uint8_t *. This eliminates the last
pointer-signedness warnings when building Nettle. This is a
minor API change, and applications may need to be adjusted,
but the ABI is unaffected on all platforms I'm aware of.
* The contents of the header file nettle/version.h is now
architecture independent, except in --enable-mini-gmp
configurations.
ABI issue:
Since the breakage was a bit subtle, let me document it
here. The nettle and hogweed libraries export a couple of
data symbols, and for some of these, the size was never
intended to be part of the ABI. E.g.,
extern const struct nettle_hash * const nettle_hashes[];
which is an NULL-terminated array.
It turns out the sizes nevertheless may leak into the ABI, and
that increasing the sizes can break old executables linked
with a newer version of the library.
When linking a classic non-PIE executable with a shared
library, we get ELF relocations of type R_X86_64_COPY for
references to data items. These mean that the linker allocates
space for the data item in the data segment of executable, at
a fixed address determined at link-time, and with size
extracted from the version of the .so-file seen when linking.
At load time, the run time linker then copies the contents of
the symbol from the .so file to that location, and uses the
copy instead of the version loaded with the .so-file. And if
the data item in the .so file used at load time is larger than
the data item seen at link time, it is silently truncated in
the process.
So when SHA3 hashes were was added to the nettle_hashes array
in the nettle-3.3 release, this way of linking produces a
truncated array at load time, no longer NULL-terminated.
We will get similar problems for planned extensions of the
internal struct ecc_curve, and exported data items like
extern const struct ecc_curve nettle_secp_256r1;
where the ecc_curve struct is only forward declared in the
public headers. To prepare, applications should migrate to
using the new function nettle_get_secp_256r1, and similarly
for the other curves.
In some future version, the plan is to add a leading
underscore to the name of the actual data items. E.g.,
nettle_hashes --> _nettle_hashes, breaking the ABI, while
keeping the nettle_get_hashes function and the nettle_hashes
macro as the supported ways to access it. We will also
rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
both ABI and API.
Note that data items like nettle_sha256 are *not* affected,
since the size and layout of this struct is considered part
of the ABI, and R_X86_64_COPY-relocations then work fine.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
Changes in behavoir:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
allowed such keys, even if results of using them were bogus).
Nettle applications are required to call
rsa_private_key_prepare and check the return value, before
using any other RSA private key functions; failing to do so
may result in crashes for invalid private keys. As a
workaround for versions of Gnutls which don't use
rsa_private_key_prepare, additional checks for even moduli
are added to the rsa_*_tr functions which are used by all
recent versions of Gnutls.
* Ignore bit 255 of the x coordinate of the input point to
curve25519_mul, as required by RFC 7748. To differentiate at
compile time, curve25519.h defines the constant
NETTLE_CURVE25519_RFC7748.
Security:
* RSA and DSA now use side-channel silent modular
exponentiation, to defend against attacks on the private key
from evil processes sharing the same processor cache. This
attack scenario is of particular relevance when running an
HTTPS server on a virtual machine, where you don't know who
you share the cache hardware with.
(Private key operations on elliptic curves were already
side-channel silent).
Bug fixes:
* Fix sexp-conv crashes on invalid input. Reported by Hanno
Böck.
* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
Mavrogiannopoulos.
* Fix a couple of formally undefined shift operations,
reported by Nikos Mavrogiannopoulos.
* Fix compilation with c89. Reported by Henrik Grubbström.
New features:
* New function memeql_sec, for side-channel silent comparison
of two memory areas.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 5.0 or later (unless --enable-mini-gmp is used).
* Filenames of windows DLL libraries now include major number
only. So the dll names change at the same time as the
corresponding soname on ELF platforms. Fixed by Nikos
Mavrogiannopoulos.
* Eliminate most pointer-signedness warnings. In the process,
the strings representing expression type for sexp_interator
functions were changed from const uint8_t * to const char *.
These functions are undocumented, and it doesn't change the
ABI on any platform I'm aware of.
The shared library names are libnettle.so.6.3 and
libhogweed.so.4.3, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
Fix some pkglint while here.
NEWS for the Nettle 3.2 release
Bug fixes:
* The SHA3 implementation is updated according to the FIPS 202
standard. It is not interoperable with earlier versions of
Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
differentiate at compile time, sha3.h defines the constant
NETTLE_SHA3_FIPS202.
* Fix corner-case carry propagation bugs affecting elliptic
curve operations on the curves secp_256r1 and secp_384r1 on
certain platforms, including x86_64. Reported by Hanno Böck.
New features:
* New functions for RSA private key operations, identified by
the "_tr" suffix, with better resistance to side channel
attacks and to hardware or software failures which could
break the CRT optimization. See the Nettle manual for
details. Initial patch by Nikos Mavrogiannopoulos.
* New functions nettle_version_major, nettle_version_minor, as
a run-time variant of the compile-time constants
NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.
Optimizations:
* New ARM Neon implementation of the chacha stream cipher.
Miscellaneous:
* ABI detection on mips, with improved default libdir
location. Contributed by Klaus Ziegler.
* Fixes for ARM assembly syntax, to work better with the clang
assembler. Thanks to Jukka Ukkonen.
* Disabled use of ifunc relocations for fat builds, to fix
problems most easily triggered by using dlopen RTLD_NOW.
The shared library names are libnettle.so.6.2 and
libhogweed.so.4.2, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
NEWS for the Nettle 3.1.1 release
This release fixes a couple of non-critical bugs.
Bug fixes:
* By accident, nettle-3.1 disabled the assembly code for the
secp_224r1 and secp_521r1 elliptic curves on all x86_64
configurations, making signature operations on those curves
10%-30% slower. This code is now re-enabled.
* The x86_64 assembly implementation of gcm hashing has been
fixed to work with the Sun/Oracle assembler.
The shared library names are libnettle.so.6.1 and
libhogweed.so.4.1, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
NEWS for the Nettle 3.1 release
This release adds a couple of new features.
The library is mostly source-level compatible with nettle-3.0.
It is however not binary compatible, due to the introduction
of versioned symbols, and extensions to the base64 context
structs. The shared library names are libnettle.so.6.0 and
libhogweed.so.4.0, with sonames libnettle.so.6 and
libhogweed.so.4.
Bug fixes:
* Fixed a missing include of <limits.h>, which made the
camellia implementation fail on all 64-bit non-x86
platforms.
* Eliminate out-of-bounds reads in the C implementation of
memxor (related to valgrind's --partial-loads-ok flag).
Interface changes:
* Declarations of many internal functions are moved from ecc.h
to ecc-internal.h. The functions are undocumented, and
luckily they're apparently also unused by applications, so I
don't expect any problems from this change.
New features:
* Support for curve25519 and for EdDSA25519 signatures.
* Support for "fat builds" on x86_64 and arm, where the
implementation of certain functions is selected at run-time
depending on available cpu features. Configure with
--enable-fat to try this out. If it turns out to work well
enough, it will likely be enabled by default in later
releases.
* Support for building the hogweed library (public key
support) using "mini-gmp", a small but slower implementation
of a subset of the GMP interfaces. Note that builds using
mini-gmp are *not* binary compatible with regular builds,
and more likely to leak side-channel information.
One intended use-case is for small embedded applications
which need to verify digital signatures.
* The shared libraries are now built with versioned symbols.
Should reduce problems in case a program links explicitly to
nettle and/or hogweed, and to gnutls, and the program and
gnutls expect different versions.
* Support for "URL-safe" base64 encoding and decoding, as
specified in RFC 4648. Contributed by Amos Jeffries.
Optimizations:
* New x86_64 implementation of AES, using the "aesni"
instructions. Autodetected in fat builds. In non-fat builds,
it has to be enabled explicitly with --enable-x86-aesni.
Build system:
* Use the same object files for both static and shared
libraries. This eliminates the *.po object files which were
confusing to some tools (as well as humans). Like before,
PIC code is used by default; to build a non-pic static
library, configure with --disable-pic --disable-shared.
Miscellaneous:
* Made type-checking hack in CBC_ENCRYPT and similar macros
stricter, to generate warnings if they are used with
functions which have a length argument smaller than size_t.
This is a bugfix release.
Bug fixes:
* Fixed a bug in the new ECC code. The ecc_j_to_a function
called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping
input and output arguments, which is not supported.
* The assembly files for SHA1, SHA256 and AES depend on ARMv6
instructions, breaking nettle-2.7 for pre-v6 ARM processors.
The configure script now enables those assembly files only
when building for ARMv6 or later.
* Use a more portable C expression for rotations. The
previous version used the following "standard" expression
for 32-bit rotation:
(x << n) | (x >> (32 - n))
But this gives undefined behavior (according to the C
specification) for n = 0. The rotate expression is replaced
by the more portable:
(x << n) | (x >> ((-n)&31))
This change affects only CAST128, which uses non-constant
rotation counts. Unfortunately, the new expression is poorly
optimized by released versions of gcc, making CAST128 a bit
slower. This is being fixed by the gcc hackers, see
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
The following problems have been reported, but are *not* fixed
in this release:
* ARM assembly files use instruction syntax which is not
supported by all assemblers. Workaround: Use a current
version of GNU as, or configure with --disable-assembler.
* Configuring with --disable-static doesn't work on windows.
The libraries are intended to be binary compatible with
nettle-2.2 and later. The shared library names are
libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
libnettle.so.4 and libhogweed.so.2.
This release includes an implementation of elliptic curve
cryptography (ECC) and optimizations for the ARM architecture.
This work was done at the offices of South Pole AB, and
generously funded by the .SE Internet Fund.
Bug fixes:
* Fixed a bug in the buffer handling for incremental SHA3
hashing, with a possible buffer overflow. Patch by Edgar
E. Iglesias.
New features:
* Support for ECDSA signatures. Elliptic curve operations over
the following curves: secp192r1, secp224r1, secp256r1,
secp384r1 and secp521r1, including x86_64 and ARM assembly
for the most important primitives.
* Support for UMAC, including x86_64 and ARM assembly.
* Support for 12-round salsa20, "salsa20r12", as specified by
eSTREAM. Contributed by Nikos Mavrogiannopoulos.
Optimizations:
* ARM assembly code for several additional algorithms,
including AES, Salsa20, and the SHA family of hash
functions.
* x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
was included in the 2.6 release, but disabled due to poor
performance on some AMD processors. Hopefully, that
performance problem is fixed now).
The ARM code was tested and benchmarked on Cortex-A9. Some of
the functions use "neon" instructions. The configure script
decides if neon instructions can be used, and the command line
options --enable-arm-neon and --disable-arm-neon can be used
to override its choice. Feedback appreciated.
The libraries are intended to be binary compatible with
nettle-2.2 and later. The shared library names are
libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
libnettle.so.4 and libhogweed.so.2.
NEWS for the 2.4 release
This is a bugfix release only. It turned out ripemd160 in the
2.3 release was broken on all big-endian systems, due to a
missing include of config.h. nettle-2.4 fixes this.
The library is intended to be binary compatible with
nettle-2.2 and nettle-2.3. The shared library names are
libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
libnettle.so.4 and libhogweed.so.2.
NEWS for the 2.3 release
* Support for the ripemd-160 hash function.
* Generates and installs nettle.pc and hogweed.pc files, for
use with pkg-config. Feedback appreciated. For projects
using autoconf, the traditional non-pkg-config ways of
detecting libraries, and setting LIBS and LDFLAGS, is still
recommended.
* Fixed a bug which made the testsuite fail in the GCM test on
certain platforms. Should not affect any documented features
of the library.
* Reorganization of the code for the various Merkle-Damg
hash functions. Some fields in the context structs for md4,
md5 and sha1 have been renamed, for consistency.
Applications should not peek inside these structs, and the
ABI is unchanged.
* In the manual, fixed mis-placed const in certain function
prototypes.
The library is intended to be binary compatible with
nettle-2.2. The shared library names are libnettle.so.4.2 and
libhogweed.so.2.1, with sonames still libnettle.so.4 and
libhogweed.so.2.
NEWS for the 2.2 release
Licensing change:
* Relicensed as LGPL v2.1 or later (user's option).
* Replaced blowfish and serpent implementation. New code is
based on the LGPLed code in libgcrypt.
New features:
* Support for Galois/Counter Mode (GCM).
* New interface for enumerating (most) available algorithms,
contributed by Daniel Kahn Gillmor.
* New tool nettle-hash. Can generate hash digests using any
supported hash function, with output compatible with md5sum
and friends from GNU coreutils. Checking (like md5sum -c)
not yet implemented.
Bug fixes:
* The old serpent code had a byte order bug (introduced by
yours truly about ten years ago). New serpent implementation
does not interoperate with earlier versions of nettle.
* Fixed ABI-dependent libdir default for Linux-based systems
which do not follow the Linux File Hierarchy Standard, e.g.,
Debian GNU/Linux.
Optimizations:
* x86_64 implemention of serpent.
* x86_64 implemention of camellia.
* Optimized memxor using word rather than byte operations.
Both generic C and x86_64 assembler.
* Eliminated a memcpy for in-place CBC decrypt.
Miscellaneous:
* In command line tools, no longer support -? for requesting
help, since using it without shell quoting is a dangerous
habit. Use long option --help instead.
The shared library names are libnettle.so.4.1 and
libhogweed.so.2.1, with sonames libnettle.so.4 and
libhogweed.so.2.
or less any context: In crypto toolkits for object-oriented languages
(C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in
kernel space. In most contexts, you need more than the basic
cryptographic algorithms, you also need some way to keep track of available
algorithms, their properties and variants. You often have some algorithm
selection process, often dictated by a protocol you want to implement.
And as the requirements of applications differ in subtle and not so
subtle ways, an API that fits one application well can be a pain to use
in a different context. And that is why there are so many different
cryptographic libraries around.
Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a simple but general interface to it.
In particular, Nettle doesn't do algorithm selection. It doesn't do
memory allocation. It doesn't do any I/O.
The idea is that one can build several application and context specific
interfaces on top of Nettle, and share the code, test cases, benchmarks,
documentation, etc. Examples are the Nettle module for the Pike
language, and LSH, which both use an object-oriented abstraction on top
of the library.
