NEWS 61.7 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
NEWS for the Nettle 3.8 release

	This release includes a couple of new features, and many
	performance improvements. It adds assembly code for two more
	architectures: ARM64 and S390x.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.5 and libhogweed.so.6.5, with sonames
	libnettle.so.8 and libhogweed.so.6.

	New features:

	* AES keywrap (RFC 3394), contributed by Nicolas Mora.

	* SM3 hash function, contributed by Tianjia Zhang.

	* New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
	  cbc_aes256_encrypt.

	  On processors where AES is fast enough, e.g., x86_64 with
	  aesni instructions, the overhead of using Nettle's general
	  cbc_encrypt can be significant. The new functions can be
	  implemented in assembly, to do multiple blocks with reduced
	  per-block overhead.

	  Note that there's no corresponding new decrypt functions,
	  since the general cbc_decrypt doesn't suffer from the same
	  performance problem.

	Bug fixes:

	* Fix fat builds for x86_64 windows, these appear to never
          have worked.

	Optimizations:

	* New ARM64 implementation of AES, GCM, Chacha, SHA1 and
	  SHA256, for processors supporting crypto extensions. Great
	  speedups, and fat builds are supported. Contributed by
	  Mamone Tarsha.

	* New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
	  SHA256, SHA512 and SHA3. Great speedups, and fat builds are
	  supported. Contributed by Mamone Tarsha.

	* New PPC64 assembly for ecc modulo/redc operations,
	  contributed by Amitay Isaacs, Martin Schwenke and Alastair
	  D´Silva.

	* The x86_64 AES implementation using aesni instructions has
	  been reorganized with one separate function per key size,
	  each interleaving the processing of two blocks at a time
	  (when the caller processes multiple blocks with each call).
	  This gives a modest performance improvement on some
	  processors.

	* Rewritten and faster x86_64 poly1305 assembly.

60
61
62
63
64
65
66
67
68
69
	Known issues:

	* Nettle's testsuite doesn't work out-of-the-box on recent
	  MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH
	  environment variable. Nettle's test scripts handle this in
	  some cases, but currently fails the test cases that are
	  themselves written as /bin/sh scripts. As a workaround, use

	  make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

Niels Möller's avatar
Niels Möller committed
70
71
72
73
74
75
76
77
78
79
80
81
82
	Miscellaneous:

	* Updated manual to current makeinfo conventions, with no
	  explicit node pointers. Generate pdf version with texi2pdf,
	  to get working hyper links.

	* Added square root functions for NIST ecc curves, as a
	  preparation for supporting compact point representation.

	* Reworked internal GCM/ghash interfaces, simplifying assembly
	  implementations. Deleted unused GCM C implementation
	  variants with less than 8-bit lookup table.

Niels Möller's avatar
Niels Möller committed
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
NEWS for the Nettle 3.7.3 release

	This is bugfix release, fixing bugs that could make the RSA
	decryption functions crash on invalid inputs.

	Upgrading to the new version is strongly recommended. For
	applications that want to support older versions of Nettle,
	the bug can be worked around by adding a check that the RSA
	ciphertext is in the range 0 < ciphertext < n, before
	attempting to decrypt it.

	Thanks to Paul Schaub and Justus Winter for reporting these
	problems.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.4 and libhogweed.so.6.4, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix crash for zero input to rsa_sec_decrypt and
	  rsa_decrypt_tr. Potential denial of service vector.

	* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
	  failure for out of range inputs, instead of either crashing,
	  or silently reducing input modulo n. Potential denial of
	  service vector.

	* Ensure that rsa_decrypt returns failure for out of range
	  inputs, instead of silently reducing input modulo n.

	* Ensure that rsa_sec_decrypt returns failure if the message
	  size is too large for the given key. Unlike the other bugs,
	  this would typically be triggered by invalid local
	  configuration, rather than by processing untrusted remote
	  data.

Niels Möller's avatar
Niels Möller committed
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
NEWS for the Nettle 3.7.2 release

	This is a bugfix release, fixing a bug in ECDSA signature
	verification that could lead to a denial of service attack
	(via an assertion failure) or possibly incorrect results. It
	also fixes a few related problems where scalars are required
	to be canonically reduced modulo the ECC group order, but in
	fact may be slightly larger.

	Upgrading to the new version is strongly recommended.

	Even when no assert is triggered in ecdsa_verify, ECC point
	multiplication may get invalid intermediate values as input,
	and produce incorrect results. It's trivial to construct
	alleged signatures that result in invalid intermediate values.
	It appears difficult to construct an alleged signature that
	makes the function misbehave in such a way that an invalid
	signature is accepted as valid, but such attacks can't be
	ruled out without further analysis.

	Thanks to Guido Vranken for setting up the fuzzer tests that
	uncovered this problem.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.3 and libhogweed.so.6.3, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fixed bug in ecdsa_verify, and added a corresponding test
          case.

	* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

	* Similar fixes to eddsa signatures. The problem is less severe
          for these curves, because (i) the potentially out or range
          value is derived from output of a hash function, making it
          harder for the attacker to to hit the narrow range of
          problematic values, and (ii) the ecc operations are
          inherently more robust, and my current understanding is that
          unless the corresponding assert is hit, the verify
          operation should complete with a correct result.

	* Fix to ecdsa_sign, which with a very low probability could
          return out of range signature values, which would be
          rejected immediately by a verifier.

Niels Möller's avatar
Niels Möller committed
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
NEWS for the Nettle 3.7.1 release

	This is primarily a bug fix release, fixing a couple of
	problems found in Nettle-3.7.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.2 and libhogweed.so.6.2, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix bug in chacha counter update logic. The problem affected
	  ppc64 and ppc64el, with the new altivec assembly code
	  enabled. Reported by Andreas Metzler, after breakage in
	  GnuTLS tests on ppc64.

	* Support for big-endian ARM platforms has been restored.
	  Fixes contributed by Michael Weiser.

	* Fix build problem on OpenBSD/powerpc64, reported by Jasper
	  Lievisse Adriaanse.

	* Fix corner case bug in ECDSA verify, it would produce
	  incorrect result in the unlikely case of an all-zero
	  message hash. Reported by Guido Vranken.

	New features:

	* Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512,
	  contributed by Nicolas Mora.

	Miscellaneous:

	* Poorly performing ARM Neon code for doing single-block
	  Salsa20 and Chacha has been deleted. The code to do two or
	  three blocks in parallel, introduced in Nettle-3.7, is
	  unchanged.

Niels Möller's avatar
Niels Möller committed
208
209
210
NEWS for the Nettle 3.7 release

	This release adds one new feature, the bcrypt password hashing
211
212
213
	function, and lots of optimizations. There's also one
	important change to how Nettle is configured: Fat builds are
	now on by default.
Niels Möller's avatar
Niels Möller committed
214
215
216
217

	The release adds PowerPC64 assembly for a few algorithms,
	resulting in great speedups. Benchmarked on a Power9 machine,
	speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5
218
219
220
	times for Chacha. For fat builds (now the default), the new
	code is used automatically, on processors supporting the needed
	instruction set extensions.
Niels Möller's avatar
Niels Möller committed
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.1 and libhogweed.so.6.1, with sonames
	libnettle.so.8 and libhogweed.so.6.

	New features:

	* Support for bcrypt, contributed by Stephen R. van den Berg.

	Optimizations:

	* Much faster AES and GCM on PowerPC64 processors supporting
	  the corresponding crypto extensions. Contributed by Mamone
	  Tarsha.

	* Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon.

	* Speed of Salsa20 improved on x86_64 and ARM Neon.

	* Overhaul of some elliptic curve primitives, improving ECDSA
	  signature speed.

244
245
246
247
248
249
250
251
	Configure:

	* Fat builds are enabled by default on the architectures where
	  it is supported (x86_64, arm and powerpc64). To disable
	  runtime selection, and instead specify the processor flavor
	  at configure time, you need to pass --disable-fat to the
	  configure script.

252
253
254
255
256
257
	Known issues:

	* The ARM assembly code in this release doesn't work correctly
	  on big-endian ARM systems. This will hopefully be fixed in a
	  later release.

Niels Möller's avatar
Niels Möller committed
258
259
260
261
262
263
264
265
266
	Miscellaneous:

	* Use a few more gmp-6.1 functions: mpn_cnd_add_n,
	  mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal
	  Nettle functions.

	* Convert all assembly files to use the default m4 quote
	  characters.

267
268
NEWS for the Nettle 3.6 release

269
270
271
272
273
	This release adds a couple of new features, most notable being
	support for ED448 signatures.

	It is not binary compatible with earlier releases. The shared
	library names are libnettle.so.8.0 and libhogweed.so.6.0, with
274
	sonames libnettle.so.8 and libhogweed.so.6. The changed
275
276
277
278
279
280
281
	sonames are mainly to avoid upgrade problems with recent
	GnuTLS versions, that depend on Nettle internals outside of
	the advertised ABI. But also because of the removal of
	internal poly1305 functions which were undocumented but
	declared in an installed header file, see Interface changes
	below.

282
283
284
	New features:

	* Support for Curve448 and ED448 signatures. Contributed by
285
	  Daiki Ueno.
286
287

	* Support for SHAKE256 (SHA3 variant with arbitrary output
288
	  size). Contributed by Daiki Ueno.
289
290

	* Support for SIV-CMAC (Synthetic Initialization Vector) mode,
291
	  contributed by Nikos Mavrogiannopoulos.
292
293
294
295

	* Support for CMAC64, contributed by Dmitry Baryshkov.

	* Support for the "CryptoPro" variant of the GOST hash
296
297
298
299
300
301
302
303
304
	  function, as gosthash94cp. Contributed by Dmitry Baryshkov.

	* Support for GOST DSA signatures, including GOST curves
	  gc256b and gc512a. Contributed by Dmitry Baryshkov.

	* Support for Intel CET in x86 and x86_64 assembly files, if
	  enabled via CFLAGS (gcc --fcf-protection=full). Contributed
	  by H.J. Lu and Simo Sorce.

Niels Möller's avatar
Niels Möller committed
305
306
307
308
	* A few new functions to improve support for the Chacha
	  variant with 96-bit nonce and 32-bit block counter (the
	  existing functions use nonce and counter of 64-bit each),
	  and functions to set the counter. Contributed by Daiki Ueno.
309
310

	* New interface, struct nettle_mac, for MAC (message
Niels Möller's avatar
Niels Möller committed
311
312
313
	  authentication code) algorithms. This abstraction is only
	  for MACs that don't require a per-message nonce. For HMAC,
	  the key size is fixed, and equal the digest size of the
314
	  underlying hash function.
315
316
317
318
319
320
321
322
323

	Bug fixes:

	* Fix bug in cfb8_decrypt. Previously, the IV was not updated
	  correctly in the case of input data shorter than the block
	  size. Reported by Stephan Mueller, fixed by Daiki Ueno.

	* Fix configure check for __builtin_bswap64, the incorrect
	  check would result in link errors on platforms missing this
Niels Möller's avatar
Niels Möller committed
324
	  function. Patch contributed by George Koehler.
325
326
327
328
329
330
331
332
333
334

	* All use of old-fashioned suffix rules in the Makefiles have
	  been replaced with %-pattern rules. Nettle's use of suffix
	  rules in earlier versions depended on undocumented GNU make
	  behavior, which is being deprecated in GNU make 4.3.

	  Building with other make programs than GNU make is untested
	  and unsupported. (Building with BSD make or Solaris make
	  used to work years ago, but has not been tested recently).

335
336
337
338
339
340
	Interface changes:

	* Declarations of internal poly1305.h functions have been
	  removed from the header file poly1305.h, to make it clear
	  that they are not part of the advertised API or ABI.

341
342
	Miscellaneous:

Niels Möller's avatar
Niels Möller committed
343
344
345
	* Building the public key support of nettle now requires GMP
	  version 6.1.0 or later (unless --enable-mini-gmp is used).

346
347
348
349
350
351
	* A fair amount of changes to ECC internals, with a few
	  deleted and a few new fields in the internal struct
	  ecc_curve. Files and functions have been renamed to more
	  consistently match the curve name, e.g., ecc-256.c has been
	  renamed to ecc-secp256r1.c.

352
353
354
355
356
	* Documentation for chacha-poly1305 updated. It is no longer
	  experimental. The implementation was updated to follow RFC
	  8439 in Nettle-3.1, but that was not documented or announced
	  at the time.

Niels Möller's avatar
Niels Möller committed
357
358
359
360
361
362
363
364
365
366
367
368
369
NEWS for the Nettle 3.5.1 release

	The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
	The new directory x86_64/sha_ni were missing in the tar file,
	breaking x86_64 builds with --enable-fat, and producing worse
	performance than promised for builds with --enable-x86-sha-ni.
	Also a few unused in-progress assembly files were accidentally
	included in the tar file.

	These problems are corrected in Nettle-3.5.1. There are no
	other changes, and also the library version numbers are
	unchanged.

370
371
NEWS for the Nettle 3.5 release

372
373
374
375
376
	This release adds a couple of new features and optimizations,
	and deletes or deprecates a few obsolete features. It is *not*
	binary (ABI) compatible with earlier versions. Except for
	deprecations listed below, it is intended to be fully
	source-level (API) compatible with Nettle-3.4.1.
Niels Möller's avatar
Niels Möller committed
377
378
379
380
381

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0, with sonames libnettle.so.7 and
	libhogweed.so.5.

382
383
384
385
386
	Changes in behavior:

	* Nettle's gcm_crypt will now call the underlying block cipher
	  to process more than one block at a time. This is not a
	  change to the documented behavior, but unfortunately breaks
Niels Möller's avatar
Niels Möller committed
387
	  assumptions accidentally made in GnuTLS, up to and including
388
389
390
391
392
393
394
395
	  version 3.6.1.

	New features:

	* Support for CFB8 (Cipher Feedback Mode, processing a single
	  octet per block cipher operation), contributed by Dmitry
	  Eremin-Solenikov.

Niels Möller's avatar
Niels Möller committed
396
397
398
	* Support for CMAC (RFC 4493), contributed by Nikos
	  Mavrogiannopoulos.

Niels Möller's avatar
Niels Möller committed
399
400
	* Support for XTS mode, contributed by Simo Sorce.

401
402
403
404
405
406
407
408
409
410
411
412
413
	Optimizations:

	* Improved performance of the x86_64 AES implementation using
	  the aesni instructions. Gives a large speedup for operations
	  processing multiple blocks at a time (including CTR mode,
	  GCM mode, and CBC decrypt, but *not* CBC encrypt).

	* Improved performance for CTR mode, for the common case of
	  16-byte block size. Pass more data at a time to underlying
	  block cipher, and fill the counter blocks more efficiently.
	  Extension to also handle GCM mode efficiently contributed
	  by Nikos Mavrogiannopoulos.

Niels Möller's avatar
Niels Möller committed
414
415
416
417
418
419
420
421
422
423
	* New x86_64 implementation of sha1 and sha256, for processors
	  supporting the sha_ni instructions. Speedup of 3-5 times on
	  affected processors.

	* Improved parameters for the precomputation of tables used
	  for ecc signatures. Roughly 10%-15% speedup of the ecdsa
	  sign operation using the secp_256r1, secp_384r1 and
	  secp_521r1 curves, and 25% speedup of ed25519 sign
	  operation, benchmarked on x86_64. Table sizes unchanged,
	  around 16 KB per curve.
424

Niels Möller's avatar
Niels Möller committed
425
426
427
428
	* In ARM fat builds, automatically select Neon implementation
	  of Chacha, where possible. Contributed by Yuriy M.
	  Kaminskiy.

429
	Deleted features:
Niels Möller's avatar
Niels Möller committed
430

431
432
433
434
435
436
437
438
439
	* The header file des-compat.h and everything declared therein
	  has been deleted, as announced earlier. This file provided a
	  subset of the old libdes/ssleay/openssl interface for DES
	  and triple-DES. DES is still supported, via the functions
	  declared in des.h.

	* Functions using the old struct aes_ctx have been marked as
	  deprecated. Use the fixed key size interface instead, e.g.,
	  struct aes256_ctx, introduced in Nettle-3.0.
Niels Möller's avatar
Niels Möller committed
440

441
442
443
444
	* The header file nettle-stdint.h, and corresponding autoconf
	  tests, have been deleted. Nettle now requires that the
	  compiler/libc provides <stdint.h>.

445
446
	Miscellaneous:

Niels Möller's avatar
Niels Möller committed
447
448
449
	* Support for big-endian ARM systems, contributed by Michael
	  Weiser.

450
	* The programs aesdata, desdata, twofishdata, shadata and
Niels Möller's avatar
Niels Möller committed
451
	  gcmdata are no longer built by default. Makefile
452
453
	  improvements contributed by Jay Foad.

Niels Möller's avatar
Niels Möller committed
454
455
456
457
458
459
460
	* The "example" program examples/eratosthenes.c has been
	  deleted.

	* The contents of hash context structs, and the deprecated
	  aes_ctx struct, have been reorganized, to enable later
	  optimizations.

461
462
463
	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0.

464
465
NEWS for the Nettle 3.4.1 release

466
467
	This release fixes a few bugs, and makes the RSA private key
	operations side channel silent. The RSA improvements are
Niels Möller's avatar
Niels Möller committed
468
469
	contributed by Simo Sorce and Red Hat, and include one new
	public function, rsa_sec_decrypt, see below.
470

Niels Möller's avatar
Niels Möller committed
471
	All functions using RSA private keys are now side-channel
472
473
474
	silent, meaning that they try hard to avoid any branches or
	memory accesses depending on secret data. This applies both to
	the bignum calculations, which now use GMP's mpn_sec_* family
Niels Möller's avatar
Niels Möller committed
475
476
	of functions, and the processing of PKCS#1 padding needed for
	RSA decryption.
477
478
479
480
481
482

	Nettle's ECC functions were already side-channel silent, while
	the DSA functions still aren't. There's also one caveat
	regarding the improved RSA functions: due to small table
	lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
	lowest and highest few bits of the secret factors p and q may
Niels Möller's avatar
Niels Möller committed
483
484
485
	still leak. I'm not aware of any attacks on RSA where knowing
	a few bits of the factors makes a significant difference. This
	leak will likely be plugged in later GMP versions.
486
487
488

	Changes in behavior:

Niels Möller's avatar
Niels Möller committed
489
490
491
492
493
494
495
496
497
	* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
	  all of the provided message buffer, independent of the
	  actual message length. They are side-channel silent, in that
	  branches and memory accesses don't depend on the validity or
	  length of the message. Side-channel leakage from the
	  caller's use of length and return value may still provide an
	  oracle useable for a Bleichenbacher-style chosen ciphertext
	  attack. Which is why the new function rsa_sec_decrypt is
	  recommended.
498
499
500

	New features:

Niels Möller's avatar
Niels Möller committed
501
502
503
504
505
506
507
508
	* A new function rsa_sec_decrypt. It differs from
	  rsa_decrypt_tr in that the length of the decrypted message
	  is given a priori, and PKCS#1 padding indicating a different
	  length is treated as an error. For applications that may be
	  subject to chosen ciphertext attacks, it is recommended to
	  initialize the message area with random data, call this
	  function, and ignore the return value. This applies in
	  particular to RSA-based key exchange in the TLS protocol.
509
510
511
512
513
514
515
516
517

	Bug fixes:

	* Fix bug in pkcs1-conv, missing break statements in the
	  parsing of PEM input files.

	* Fix link error on the pss-mgf1-test test, affecting builds
	  without public key support.

Niels Möller's avatar
Niels Möller committed
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
	Performance regression:

	* All RSA private key operations employing RSA blinding, i.e.,
	  rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
	  rsa_compute_root_tr, are significantly slower. This is
	  because (i) RSA blinding now use side-channel silent
	  operations, (ii) blinding includes a modular inversion, and
	  (iii) side-channel silent modular inversion, implemented as
	  mpn_sec_invert, is very expensive. A 60% slowdown for
	  2048-bit RSA keys have been measured.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 6.0 or later (unless --enable-mini-gmp is used).

534
535
536
537
538
	The shared library names are libnettle.so.6.5 and
	libhogweed.so.4.5, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

539
540
NEWS for the Nettle 3.4 release

541
542
543
544
	This release fixes bugs and adds a few new features. It also
	addresses an ABI compatibility issue affecting Nettle-3.1 and
	later, see below.

545
546
547
548
549
550
551
552
553
554
555
	Bug fixes:

	* Fixed an improper use of GMP mpn_mul, breaking curve2559 and
	  eddsa on certain platforms. Reported by Sergei Trofimovich.

	* Fixed memory leak when handling invalid signatures in
	  ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.

	* Fix compilation error with --enable-fat om ARM. Fix
	  contributed by Andreas Schneider.

Niels Möller's avatar
Niels Möller committed
556
	* Reorganized the way certain data items are made available.
557
558

	  Short version: Nettle header files now define the symbols
Niels Möller's avatar
Niels Möller committed
559
560
561
562
563
	  nettle_hashes, nettle_ciphers, and nettle_aeads, as
	  preprocessor macros invoking a corresponding accessor
	  function. For backwards ABI compatibility, the symbols are
	  still present in the compiled libraries, and with the same
	  sizes as in nettle-3.3.
564

565
566
567
568
569
570
571
572
573
574
	New features:

	* Support for RSA-PSS signatures, contributed by Daiki Ueno.

	* Support for the HKDF key derivation function, defined by RFC
	  5869. Contributed by Nikos Mavrogiannopoulos.

	* Support for the Cipher Feedback Mode (CFB), contributed by
	  Dmitry Eremin-Solenikov.

Niels Möller's avatar
Niels Möller committed
575
576
577
578
579
580
581
582
583
584
	* New accessor functions: nettle_get_hashes,
	  nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
	  nettle_get_secp_224r1, nettle_get_secp_256r1,
	  nettle_get_secp_384r1, nettle_get_secp_521r1.

	  For source-level compatibility with future versions,
	  applications are encouraged to migrate to using these
	  functions instead of referring to the corresponding data
	  items directly.

585
586
	Miscellaneous:

587
588
589
590
591
592
	* The base16 and base64 functions now use the type char * for
	  ascii data, rather than uint8_t *. This eliminates the last
	  pointer-signedness warnings when building Nettle. This is a
	  minor API change, and applications may need to be adjusted,
	  but the ABI is unaffected on all platforms I'm aware of.

593
594
595
596
	* The contents of the header file nettle/version.h is now
	  architecture independent, except in --enable-mini-gmp
	  configurations.

597
598
	ABI issue:

Niels Möller's avatar
Niels Möller committed
599
600
601
602
	  Since the breakage was a bit subtle, let me document it
	  here. The nettle and hogweed libraries export a couple of
	  data symbols, and for some of these, the size was never
	  intended to be part of the ABI. E.g.,
603
604
605

	    extern const struct nettle_hash * const nettle_hashes[];

Niels Möller's avatar
Niels Möller committed
606
	  which is an NULL-terminated array.
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629

	  It turns out the sizes nevertheless may leak into the ABI, and
	  that increasing the sizes can break old executables linked
	  with a newer version of the library.

	  When linking a classic non-PIE executable with a shared
	  library, we get ELF relocations of type R_X86_64_COPY for
	  references to data items. These mean that the linker allocates
	  space for the data item in the data segment of executable, at
	  a fixed address determined at link-time, and with size
	  extracted from the version of the .so-file seen when linking.

	  At load time, the run time linker then copies the contents of
	  the symbol from the .so file to that location, and uses the
	  copy instead of the version loaded with the .so-file. And if
	  the data item in the .so file used at load time is larger than
	  the data item seen at link time, it is silently truncated in
	  the process.

	  So when SHA3 hashes were was added to the nettle_hashes array
	  in the nettle-3.3 release, this way of linking produces a
	  truncated array at load time, no longer NULL-terminated.

Niels Möller's avatar
Niels Möller committed
630
631
632
633
634
635
636
637
638
639
	  We will get similar problems for planned extensions of the
	  internal struct ecc_curve, and exported data items like

	    extern const struct ecc_curve nettle_secp_256r1;

	  where the ecc_curve struct is only forward declared in the
	  public headers. To prepare, applications should migrate to
	  using the new function nettle_get_secp_256r1, and similarly
	  for the other curves.

640
	  In some future version, the plan is to add a leading
Niels Möller's avatar
Niels Möller committed
641
642
	  underscore to the name of the actual data items. E.g.,
	  nettle_hashes --> _nettle_hashes, breaking the ABI, while
643
	  keeping the nettle_get_hashes function and the nettle_hashes
Niels Möller's avatar
Niels Möller committed
644
645
646
647
648
649
650
	  macro as the supported ways to access it. We will also
	  rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
	  both ABI and API.

	  Note that data items like nettle_sha256 are *not* affected,
	  since the size and layout of this struct is considered part
	  of the ABI, and R_X86_64_COPY-relocations then work fine.
651
652
653
654
655
656

	The shared library names are libnettle.so.6.4 and
	libhogweed.so.4.4, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

Niels Möller's avatar
Niels Möller committed
657
658
659
NEWS for the Nettle 3.3 release

	This release fixes a couple of bugs, and improves resistance
Niels Möller's avatar
Niels Möller committed
660
	to side-channel attacks on RSA and DSA private key operations.
Niels Möller's avatar
Niels Möller committed
661

662
	Changes in behavior:
Niels Möller's avatar
Niels Möller committed
663
664
665
666
667
668
669

	* Invalid private RSA keys, with an even modulo, are now
	  rejected by rsa_private_key_prepare. (Earlier versions
	  allowed such keys, even if results of using them were bogus).

	  Nettle applications are required to call
	  rsa_private_key_prepare and check the return value, before
Niels Möller's avatar
Niels Möller committed
670
671
672
673
674
675
	  using any other RSA private key functions; failing to do so
	  may result in crashes for invalid private keys. As a
	  workaround for versions of Gnutls which don't use
	  rsa_private_key_prepare, additional checks for even moduli
	  are added to the rsa_*_tr functions which are used by all
	  recent versions of Gnutls.
Niels Möller's avatar
Niels Möller committed
676
677

	* Ignore bit 255 of the x coordinate of the input point to
Niels Möller's avatar
Niels Möller committed
678
679
680
	  curve25519_mul, as required by RFC 7748. To differentiate at
	  compile time, curve25519.h defines the constant
	  NETTLE_CURVE25519_RFC7748.
Niels Möller's avatar
Niels Möller committed
681
682
683
684
685
686
687
688
689
690

	Security:

	* RSA and DSA now use side-channel silent modular
	  exponentiation, to defend against attacks on the private key
	  from evil processes sharing the same processor cache. This
	  attack scenario is of particular relevance when running an
	  HTTPS server on a virtual machine, where you don't know who
	  you share the cache hardware with.

Niels Möller's avatar
Niels Möller committed
691
692
693
	  (Private key operations on elliptic curves were already
	  side-channel silent).

Niels Möller's avatar
Niels Möller committed
694
695
696
	Bug fixes:

	* Fix sexp-conv crashes on invalid input. Reported by Hanno
Niels Möller's avatar
Niels Möller committed
697
	  Böck.
Niels Möller's avatar
Niels Möller committed
698
699

	* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
Niels Möller's avatar
Niels Möller committed
700
	  Mavrogiannopoulos.
Niels Möller's avatar
Niels Möller committed
701
702

	* Fix a couple of formally undefined shift operations,
Niels Möller's avatar
Niels Möller committed
703
704
705
	  reported by Nikos Mavrogiannopoulos.

	* Fix compilation with c89. Reported by Henrik Grubbström.
Niels Möller's avatar
Niels Möller committed
706

Niels Möller's avatar
Niels Möller committed
707
708
709
710
711
	New features:

	* New function memeql_sec, for side-channel silent comparison
	  of two memory areas.

Niels Möller's avatar
Niels Möller committed
712
713
714
715
716
717
	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 5.0 or later (unless --enable-mini-gmp is used).

	* Filenames of windows DLL libraries now include major number
Niels Möller's avatar
Niels Möller committed
718
719
720
	  only. So the dll names change at the same time as the
	  corresponding soname on ELF platforms. Fixed by Nikos
	  Mavrogiannopoulos.
Niels Möller's avatar
Niels Möller committed
721
722

	* Eliminate most pointer-signedness warnings. In the process,
Niels Möller's avatar
Niels Möller committed
723
724
725
726
	  the strings representing expression type for sexp_interator
	  functions were changed from const uint8_t * to const char *.
	  These functions are undocumented, and it doesn't change the
	  ABI on any platform I'm aware of.
Niels Möller's avatar
Niels Möller committed
727
728
729
730
731
732

	The shared library names are libnettle.so.6.3 and
	libhogweed.so.4.3, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

733
734
735
736
737
NEWS for the Nettle 3.2 release

	Bug fixes:

	* The SHA3 implementation is updated according to the FIPS 202
Niels Möller's avatar
Niels Möller committed
738
739
740
741
742
743
744
745
	  standard. It is not interoperable with earlier versions of
	  Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
	  differentiate at compile time, sha3.h defines the constant
	  NETTLE_SHA3_FIPS202.

	* Fix corner-case carry propagation bugs affecting elliptic
	  curve operations on the curves secp_256r1 and secp_384r1 on
	  certain platforms, including x86_64. Reported by Hanno Böck.
746
747
748

	New features:

Niels Möller's avatar
Niels Möller committed
749
750
751
752
753
754
	* New functions for RSA private key operations, identified by
	  the "_tr" suffix, with better resistance to side channel
	  attacks and to hardware or software failures which could
	  break the CRT optimization. See the Nettle manual for
	  details. Initial patch by Nikos Mavrogiannopoulos.

755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
	* New functions nettle_version_major, nettle_version_minor, as
	  a run-time variant of the compile-time constants
	  NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.

	Optimizations:

	* New ARM Neon implementation of the chacha stream cipher.

	Miscellaneous:

	* ABI detection on mips, with improved default libdir
	  location. Contributed by Klaus Ziegler.

	* Fixes for ARM assembly syntax, to work better with the clang
	  assembler. Thanks to Jukka Ukkonen.

771
	* Disabled use of ifunc relocations for fat builds, to fix
Niels Möller's avatar
Niels Möller committed
772
773
774
775
776
777
	  problems most easily triggered by using dlopen RTLD_NOW.

	The shared library names are libnettle.so.6.2 and
	libhogweed.so.4.2, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.
778

Niels Möller's avatar
Niels Möller committed
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
NEWS for the Nettle 3.1.1 release

	This release fixes a couple of non-critical bugs.

	Bug fixes:

	* By accident, nettle-3.1 disabled the assembly code for the
	  secp_224r1 and secp_521r1 elliptic curves on all x86_64
	  configurations, making signature operations on those curves
	  10%-30% slower. This code is now re-enabled.

	* The x86_64 assembly implementation of gcm hashing has been
          fixed to work with the Sun/Oracle assembler.

	The shared library names are libnettle.so.6.1 and
	libhogweed.so.4.1, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

798
799
800
801
NEWS for the Nettle 3.1 release

	This release adds a couple of new features.

Niels Möller's avatar
Niels Möller committed
802
803
804
805
806
807
	The library is mostly source-level compatible with nettle-3.0.
	It is however not binary compatible, due to the introduction
	of versioned symbols, and extensions to the base64 context
	structs. The shared library names are libnettle.so.6.0 and
	libhogweed.so.4.0, with sonames libnettle.so.6 and
	libhogweed.so.4.
808
809
810

	Bug fixes:

Niels Möller's avatar
Niels Möller committed
811
812
813
814
	* Fixed a missing include of <limits.h>, which made the
	  camellia implementation fail on all 64-bit non-x86
	  platforms.

815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
	* Eliminate out-of-bounds reads in the C implementation of
	  memxor (related to valgrind's --partial-loads-ok flag).

	Interface changes:

	* Declarations of many internal functions are moved from ecc.h
	  to ecc-internal.h. The functions are undocumented, and
	  luckily they're apparently also unused by applications, so I
	  don't expect any problems from this change.

	New features:

	* Support for curve25519 and for EdDSA25519 signatures.

	* Support for "fat builds" on x86_64 and arm, where the
	  implementation of certain functions is selected at run-time
	  depending on available cpu features. Configure with
	  --enable-fat to try this out. If it turns out to work well
	  enough, it will likely be enabled by default in later
	  releases.

	* Support for building the hogweed library (public key
	  support) using "mini-gmp", a small but slower implementation
	  of a subset of the GMP interfaces. Note that builds using
	  mini-gmp are *not* binary compatible with regular builds,
	  and more likely to leak side-channel information.

Niels Möller's avatar
Niels Möller committed
842
	  One intended use-case is for small embedded applications
843
844
	  which need to verify digital signatures.

Niels Möller's avatar
Niels Möller committed
845
846
847
848
849
850
851
	* The shared libraries are now built with versioned symbols.
	  Should reduce problems in case a program links explicitly to
	  nettle and/or hogweed, and to gnutls, and the program and
	  gnutls expect different versions.

	* Support for "URL-safe" base64 encoding and decoding, as
          specified in RFC 4648. Contributed by Amos Jeffries.
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872

	Optimizations:

	* New x86_64 implementation of AES, using the "aesni"
	  instructions. Autodetected in fat builds. In non-fat builds,
	  it has to be enabled explicitly with --enable-x86-aesni.

	Build system:

	* Use the same object files for both static and shared
	  libraries. This eliminates the *.po object files which were
	  confusing to some tools (as well as humans). Like before,
	  PIC code is used by default; to build a non-pic static
	  library, configure with --disable-pic --disable-shared.

	Miscellaneous:

	* Made type-checking hack in CBC_ENCRYPT and similar macros
	  stricter, to generate warnings if they are used with
	  functions which have a length argument smaller than size_t.

873
NEWS for the Nettle 3.0 release
874

875
876
877
878
879
880
	This is a major release, including several interface changes,
	and new features, some of which are a bit experimental.
	Feedback is highly appreciated.

	It is *not* binary (ABI) compatible with earlier versions. It
	is mostly source-level (API) compatible, with a couple of
881
882
883
884
	incompatibilities noted below. The shared library names are
	libnettle.so.5.0 and libhogweed.so.3.0, with sonames
	libnettle.so.5 and libhogweed.so.3.
	
885
886
887
888
889
890
891
892
893
	There may be some problems in the new interfaces and new
	features which really need incompatible fixes. It is likely
	that there will be an update in the form of a 3.1 release in
	the not too distant future, with small but incompatible
	changes, and if that happens, bugfix-only releases 3.0.x are
	unlikely. Users and applications which desire better API and
	ABI stability are advised to stay with nettle-2.7.x (latest
	version is now 2.7.1) until the dust settles.

894
895
896
	Interface changes:

	* For the many _set_key functions, it is now consider the
897
898
899
900
	  normal case to have a fixed key size, with no key_size
	  arguments. _set_key functions with a length parameter are
	  provided only for algorithms with a truly variable keysize,
	  and where it makes sense for backwards compatibility.
901

902
903
904
	  INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
	  size argument. The old function is available under a new
	  name, cast5_set_key.
905
906
907
908
909

	  INCOMPATIBLE CHANGE: The function typedef
	  nettle_set_key_func no longer accepts a key size argument.
	  In particular, this affects users of struct nettle_cipher.

910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
	* The nettle_cipher abstraction (in nettle-meta.h) is
	  restricted to block ciphers only. The encrypt and decrypt
	  functions now take a const argument for the context.

	  INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
	  abstraction for the arcfour stream cipher, is deleted.

	  INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
	  encrypt and decrypt fields of struct nettle_cipher.

	* New DSA interface, with a separate struct dsa_param to
	  represent the underlying group, and generalized dsa_sign and
	  dsa_verify functions which don't care about the hash
	  function used. Limited backwards compatibility provided in
	  dsa-compat.h.

	  INCOMPATIBLE CHANGE: Declarations of the old interface,
	  e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to
	  dsa-compat.h.

	  INCOMPATIBLE CHANGE: The various key conversion functions,
	  e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
	  no backwards compatible functions.

	  INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
	  interface. dsa-compat.h declares a function
936
	  dsa_compat_generate_keypair, implementing the old
937
938
939
	  interface, and #defines dsa_generate_keypair to refer to
	  this backwards compatible function.

940
	* New AES and Camellia interfaces. There are now separate
941
942
943
944
945
	  context structs for each key size, e.g., aes128_ctx and
	  camellia256_ctx, and corresponding new functions. The old
	  interface, with struct aes_ctx and struct camellia_ctx, is
	  kept for backwards compatibility, but might be removed in
	  later versions.
946
947

	* The type of most length arguments is changed from unsigned
948
949
950
	  to size_t. The memxor functions have their pointer arguments
	  changed from uint8_t * to void *, for consistency with
	  related libc functions.
951

952
953
954
955
	* For hash functions, the constants *_DATA_SIZE have been
	  renamed to *_BLOCK_SIZE. Old names kept for backwards
	  compatibility.

956
957
958
959
960
	Removed features:

	* The nettle_next_prime function has been deleted.
	  Applications should use GMP's mpz_nextprime instead.

961
962
963
	* Deleted the RSAREF compatibility, including the header file
	  rsa-compat.h and everything declared therein.

964
965
966
967
968
969
970
	* Also under consideration for removal is des-compat.h and
	  everything declared therein. This implements a subset of the
	  old libdes/ssleay/openssl interface for DES and triple-DES,
	  and it is poorly tested. If anyone uses this interface,
	  please speak up! Otherwise, it will likely be removed in the
	  next release.
	
971
972
973
	Bug fixes:

	* Building with ./configure --disable-static now works.
974
975
976
977

	* Use GMP's allocation functions for temporary storage related
	  to bignums, to avoid potentially large stack allocations.

978
979
	* Fixes for shared libraries on M$ Windows.

980
981
	New features:

982
	* Support for Poly1305-AES MAC.
983

984
985
986
987
988
	* Support for the ChaCha stream cipher and EXPERIMENTAL
	  support for the ChaCha-Poly1305 AEAD mode. Specifications
	  are still in flux, and future releases may do incompatible
	  changes to track standardization. Currently uses 256-bit key
	  and 64-bit nonce.
989
990
991

	* Support for EAX mode.

992
993
	* Support for CCM mode. Contributed by Owen Kirby.

994
995
	* Additional variants of SHA512 with output size of 224 and
	  256 bits. Contributed by Joachim Strömbergson.
996
997
998
999
1000

	* New interface, struct nettle_aead, for mechanisms providing
	  authenticated encryption with associated data (AEAD).

	* DSA: Support a wider range for the size of q and a wider
For faster browsing, not all history is shown. View entire blame