+NEWS for the Nettle 3.5.1 release
+
+ The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
+ The new directory x86_64/sha_ni were missing in the tar file,
+ breaking x86_64 builds with --enable-fat, and producing worse
+ performance than promised for builds with --enable-x86-sha-ni.
+ Also a few unused in-progress assembly files were accidentally
+ included in the tar file.
+
+ These problems are corrected in Nettle-3.5.1. There are no
+ other changes, and also the library version numbers are
+ unchanged.
+
+NEWS for the Nettle 3.5 release
+
+ This release adds a couple of new features and optimizations,
+ and deletes or deprecates a few obsolete features. It is *not*
+ binary (ABI) compatible with earlier versions. Except for
+ deprecations listed below, it is intended to be fully
+ source-level (API) compatible with Nettle-3.4.1.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0, with sonames libnettle.so.7 and
+ libhogweed.so.5.
+
+ Changes in behavior:
+
+ * Nettle's gcm_crypt will now call the underlying block cipher
+ to process more than one block at a time. This is not a
+ change to the documented behavior, but unfortunately breaks
+ assumptions accidentally made in GnuTLS, up to and including
+ version 3.6.1.
+
+ New features:
+
+ * Support for CFB8 (Cipher Feedback Mode, processing a single
+ octet per block cipher operation), contributed by Dmitry
+ Eremin-Solenikov.
+
+ * Support for CMAC (RFC 4493), contributed by Nikos
+ Mavrogiannopoulos.
+
+ * Support for XTS mode, contributed by Simo Sorce.
+
+ Optimizations:
+
+ * Improved performance of the x86_64 AES implementation using
+ the aesni instructions. Gives a large speedup for operations
+ processing multiple blocks at a time (including CTR mode,
+ GCM mode, and CBC decrypt, but *not* CBC encrypt).
+
+ * Improved performance for CTR mode, for the common case of
+ 16-byte block size. Pass more data at a time to underlying
+ block cipher, and fill the counter blocks more efficiently.
+ Extension to also handle GCM mode efficiently contributed
+ by Nikos Mavrogiannopoulos.
+
+ * New x86_64 implementation of sha1 and sha256, for processors
+ supporting the sha_ni instructions. Speedup of 3-5 times on
+ affected processors.
+
+ * Improved parameters for the precomputation of tables used
+ for ecc signatures. Roughly 10%-15% speedup of the ecdsa
+ sign operation using the secp_256r1, secp_384r1 and
+ secp_521r1 curves, and 25% speedup of ed25519 sign
+ operation, benchmarked on x86_64. Table sizes unchanged,
+ around 16 KB per curve.
+
+ * In ARM fat builds, automatically select Neon implementation
+ of Chacha, where possible. Contributed by Yuriy M.
+ Kaminskiy.
+
+ Deleted features:
+
+ * The header file des-compat.h and everything declared therein
+ has been deleted, as announced earlier. This file provided a
+ subset of the old libdes/ssleay/openssl interface for DES
+ and triple-DES. DES is still supported, via the functions
+ declared in des.h.
+
+ * Functions using the old struct aes_ctx have been marked as
+ deprecated. Use the fixed key size interface instead, e.g.,
+ struct aes256_ctx, introduced in Nettle-3.0.
+
+ * The header file nettle-stdint.h, and corresponding autoconf
+ tests, have been deleted. Nettle now requires that the
+ compiler/libc provides <stdint.h>.
+
+ Miscellaneous:
+
+ * Support for big-endian ARM systems, contributed by Michael
+ Weiser.
+
+ * The programs aesdata, desdata, twofishdata, shadata and
+ gcmdata are no longer built by default. Makefile
+ improvements contributed by Jay Foad.
+
+ * The "example" program examples/eratosthenes.c has been
+ deleted.
+
+ * The contents of hash context structs, and the deprecated
+ aes_ctx struct, have been reorganized, to enable later
+ optimizations.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0.
+
+NEWS for the Nettle 3.4.1 release
+
+ This release fixes a few bugs, and makes the RSA private key
+ operations side channel silent. The RSA improvements are
+ contributed by Simo Sorce and Red Hat, and include one new
+ public function, rsa_sec_decrypt, see below.
+
+ All functions using RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of PKCS#1 padding needed for
+ RSA decryption.
+
+ Nettle's ECC functions were already side-channel silent, while
+ the DSA functions still aren't. There's also one caveat
+ regarding the improved RSA functions: due to small table
+ lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+ lowest and highest few bits of the secret factors p and q may
+ still leak. I'm not aware of any attacks on RSA where knowing
+ a few bits of the factors makes a significant difference. This
+ leak will likely be plugged in later GMP versions.
+
+ Changes in behavior:
+
+ * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+ all of the provided message buffer, independent of the
+ actual message length. They are side-channel silent, in that
+ branches and memory accesses don't depend on the validity or
+ length of the message. Side-channel leakage from the
+ caller's use of length and return value may still provide an
+ oracle useable for a Bleichenbacher-style chosen ciphertext
+ attack. Which is why the new function rsa_sec_decrypt is
+ recommended.
+
+ New features:
+
+ * A new function rsa_sec_decrypt. It differs from
+ rsa_decrypt_tr in that the length of the decrypted message
+ is given a priori, and PKCS#1 padding indicating a different
+ length is treated as an error. For applications that may be
+ subject to chosen ciphertext attacks, it is recommended to
+ initialize the message area with random data, call this
+ function, and ignore the return value. This applies in
+ particular to RSA-based key exchange in the TLS protocol.
+
+ Bug fixes:
+
+ * Fix bug in pkcs1-conv, missing break statements in the
+ parsing of PEM input files.
+
+ * Fix link error on the pss-mgf1-test test, affecting builds
+ without public key support.
+
+ Performance regression:
+
+ * All RSA private key operations employing RSA blinding, i.e.,
+ rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
+ rsa_compute_root_tr, are significantly slower. This is
+ because (i) RSA blinding now use side-channel silent
+ operations, (ii) blinding includes a modular inversion, and
+ (iii) side-channel silent modular inversion, implemented as
+ mpn_sec_invert, is very expensive. A 60% slowdown for
+ 2048-bit RSA keys have been measured.
+
+ Miscellaneous:
+
+ * Building the public key support of nettle now requires GMP
+ version 6.0 or later (unless --enable-mini-gmp is used).
+
+ The shared library names are libnettle.so.6.5 and
+ libhogweed.so.4.5, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.4 release
+
+ This release fixes bugs and adds a few new features. It also
+ addresses an ABI compatibility issue affecting Nettle-3.1 and
+ later, see below.
+
+ Bug fixes:
+
+ * Fixed an improper use of GMP mpn_mul, breaking curve2559 and
+ eddsa on certain platforms. Reported by Sergei Trofimovich.
+
+ * Fixed memory leak when handling invalid signatures in
+ ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
+
+ * Fix compilation error with --enable-fat om ARM. Fix
+ contributed by Andreas Schneider.
+
+ * Reorganized the way certain data items are made available.
+
+ Short version: Nettle header files now define the symbols
+ nettle_hashes, nettle_ciphers, and nettle_aeads, as
+ preprocessor macros invoking a corresponding accessor
+ function. For backwards ABI compatibility, the symbols are
+ still present in the compiled libraries, and with the same
+ sizes as in nettle-3.3.
+
+ New features:
+
+ * Support for RSA-PSS signatures, contributed by Daiki Ueno.
+
+ * Support for the HKDF key derivation function, defined by RFC
+ 5869. Contributed by Nikos Mavrogiannopoulos.
+
+ * Support for the Cipher Feedback Mode (CFB), contributed by
+ Dmitry Eremin-Solenikov.
+
+ * New accessor functions: nettle_get_hashes,
+ nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
+ nettle_get_secp_224r1, nettle_get_secp_256r1,
+ nettle_get_secp_384r1, nettle_get_secp_521r1.
+
+ For source-level compatibility with future versions,
+ applications are encouraged to migrate to using these
+ functions instead of referring to the corresponding data
+ items directly.
+
+ Miscellaneous:
+
+ * The base16 and base64 functions now use the type char * for
+ ascii data, rather than uint8_t *. This eliminates the last
+ pointer-signedness warnings when building Nettle. This is a
+ minor API change, and applications may need to be adjusted,
+ but the ABI is unaffected on all platforms I'm aware of.
+
+ * The contents of the header file nettle/version.h is now
+ architecture independent, except in --enable-mini-gmp
+ configurations.
+
+ ABI issue:
+
+ Since the breakage was a bit subtle, let me document it
+ here. The nettle and hogweed libraries export a couple of
+ data symbols, and for some of these, the size was never
+ intended to be part of the ABI. E.g.,
+
+ extern const struct nettle_hash * const nettle_hashes[];
+
+ which is an NULL-terminated array.
+
+ It turns out the sizes nevertheless may leak into the ABI, and
+ that increasing the sizes can break old executables linked
+ with a newer version of the library.
+
+ When linking a classic non-PIE executable with a shared
+ library, we get ELF relocations of type R_X86_64_COPY for
+ references to data items. These mean that the linker allocates
+ space for the data item in the data segment of executable, at
+ a fixed address determined at link-time, and with size
+ extracted from the version of the .so-file seen when linking.
+
+ At load time, the run time linker then copies the contents of
+ the symbol from the .so file to that location, and uses the
+ copy instead of the version loaded with the .so-file. And if
+ the data item in the .so file used at load time is larger than
+ the data item seen at link time, it is silently truncated in
+ the process.
+
+ So when SHA3 hashes were was added to the nettle_hashes array
+ in the nettle-3.3 release, this way of linking produces a
+ truncated array at load time, no longer NULL-terminated.
+
+ We will get similar problems for planned extensions of the
+ internal struct ecc_curve, and exported data items like
+
+ extern const struct ecc_curve nettle_secp_256r1;
+
+ where the ecc_curve struct is only forward declared in the
+ public headers. To prepare, applications should migrate to
+ using the new function nettle_get_secp_256r1, and similarly
+ for the other curves.
+
+ In some future version, the plan is to add a leading
+ underscore to the name of the actual data items. E.g.,
+ nettle_hashes --> _nettle_hashes, breaking the ABI, while
+ keeping the nettle_get_hashes function and the nettle_hashes
+ macro as the supported ways to access it. We will also
+ rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
+ both ABI and API.
+
+ Note that data items like nettle_sha256 are *not* affected,
+ since the size and layout of this struct is considered part
+ of the ABI, and R_X86_64_COPY-relocations then work fine.
+
+ The shared library names are libnettle.so.6.4 and
+ libhogweed.so.4.4, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.3 release
+
+ This release fixes a couple of bugs, and improves resistance
+ to side-channel attacks on RSA and DSA private key operations.
+
+ Changes in behavior:
+
+ * Invalid private RSA keys, with an even modulo, are now
+ rejected by rsa_private_key_prepare. (Earlier versions
+ allowed such keys, even if results of using them were bogus).
+
+ Nettle applications are required to call
+ rsa_private_key_prepare and check the return value, before
+ using any other RSA private key functions; failing to do so
+ may result in crashes for invalid private keys. As a
+ workaround for versions of Gnutls which don't use
+ rsa_private_key_prepare, additional checks for even moduli
+ are added to the rsa_*_tr functions which are used by all
+ recent versions of Gnutls.
+
+ * Ignore bit 255 of the x coordinate of the input point to
+ curve25519_mul, as required by RFC 7748. To differentiate at
+ compile time, curve25519.h defines the constant
+ NETTLE_CURVE25519_RFC7748.
+
+ Security:
+
+ * RSA and DSA now use side-channel silent modular
+ exponentiation, to defend against attacks on the private key
+ from evil processes sharing the same processor cache. This
+ attack scenario is of particular relevance when running an
+ HTTPS server on a virtual machine, where you don't know who
+ you share the cache hardware with.
+
+ (Private key operations on elliptic curves were already
+ side-channel silent).
+
+ Bug fixes:
+
+ * Fix sexp-conv crashes on invalid input. Reported by Hanno
+ Böck.
+
+ * Fix out-of-bounds read in des_weak_p. Fixed by Nikos
+ Mavrogiannopoulos.
+
+ * Fix a couple of formally undefined shift operations,
+ reported by Nikos Mavrogiannopoulos.
+
+ * Fix compilation with c89. Reported by Henrik Grubbström.
+
+ New features:
+
+ * New function memeql_sec, for side-channel silent comparison
+ of two memory areas.
+
+ Miscellaneous:
+
+ * Building the public key support of nettle now requires GMP
+ version 5.0 or later (unless --enable-mini-gmp is used).
+
+ * Filenames of windows DLL libraries now include major number
+ only. So the dll names change at the same time as the
+ corresponding soname on ELF platforms. Fixed by Nikos
+ Mavrogiannopoulos.
+
+ * Eliminate most pointer-signedness warnings. In the process,
+ the strings representing expression type for sexp_interator
+ functions were changed from const uint8_t * to const char *.
+ These functions are undocumented, and it doesn't change the
+ ABI on any platform I'm aware of.
+
+ The shared library names are libnettle.so.6.3 and
+ libhogweed.so.4.3, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.2 release
+
+ Bug fixes:
+
+ * The SHA3 implementation is updated according to the FIPS 202
+ standard. It is not interoperable with earlier versions of
+ Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
+ differentiate at compile time, sha3.h defines the constant
+ NETTLE_SHA3_FIPS202.
+
+ * Fix corner-case carry propagation bugs affecting elliptic
+ curve operations on the curves secp_256r1 and secp_384r1 on
+ certain platforms, including x86_64. Reported by Hanno Böck.
+
+ New features:
+
+ * New functions for RSA private key operations, identified by
+ the "_tr" suffix, with better resistance to side channel
+ attacks and to hardware or software failures which could
+ break the CRT optimization. See the Nettle manual for
+ details. Initial patch by Nikos Mavrogiannopoulos.
+
+ * New functions nettle_version_major, nettle_version_minor, as
+ a run-time variant of the compile-time constants
+ NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.
+
+ Optimizations:
+
+ * New ARM Neon implementation of the chacha stream cipher.
+
+ Miscellaneous:
+
+ * ABI detection on mips, with improved default libdir
+ location. Contributed by Klaus Ziegler.
+
+ * Fixes for ARM assembly syntax, to work better with the clang
+ assembler. Thanks to Jukka Ukkonen.
+
+ * Disabled use of ifunc relocations for fat builds, to fix
+ problems most easily triggered by using dlopen RTLD_NOW.
+
+ The shared library names are libnettle.so.6.2 and
+ libhogweed.so.4.2, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.1.1 release
+
+ This release fixes a couple of non-critical bugs.
+
+ Bug fixes:
+
+ * By accident, nettle-3.1 disabled the assembly code for the
+ secp_224r1 and secp_521r1 elliptic curves on all x86_64
+ configurations, making signature operations on those curves
+ 10%-30% slower. This code is now re-enabled.
+
+ * The x86_64 assembly implementation of gcm hashing has been
+ fixed to work with the Sun/Oracle assembler.
+
+ The shared library names are libnettle.so.6.1 and
+ libhogweed.so.4.1, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.1 release
+
+ This release adds a couple of new features.
+
+ The library is mostly source-level compatible with nettle-3.0.
+ It is however not binary compatible, due to the introduction
+ of versioned symbols, and extensions to the base64 context
+ structs. The shared library names are libnettle.so.6.0 and
+ libhogweed.so.4.0, with sonames libnettle.so.6 and
+ libhogweed.so.4.
+
+ Bug fixes:
+
+ * Fixed a missing include of <limits.h>, which made the
+ camellia implementation fail on all 64-bit non-x86
+ platforms.
+
+ * Eliminate out-of-bounds reads in the C implementation of
+ memxor (related to valgrind's --partial-loads-ok flag).
+
+ Interface changes:
+
+ * Declarations of many internal functions are moved from ecc.h
+ to ecc-internal.h. The functions are undocumented, and
+ luckily they're apparently also unused by applications, so I
+ don't expect any problems from this change.
+
+ New features:
+
+ * Support for curve25519 and for EdDSA25519 signatures.
+
+ * Support for "fat builds" on x86_64 and arm, where the
+ implementation of certain functions is selected at run-time
+ depending on available cpu features. Configure with
+ --enable-fat to try this out. If it turns out to work well
+ enough, it will likely be enabled by default in later
+ releases.
+
+ * Support for building the hogweed library (public key
+ support) using "mini-gmp", a small but slower implementation
+ of a subset of the GMP interfaces. Note that builds using
+ mini-gmp are *not* binary compatible with regular builds,
+ and more likely to leak side-channel information.
+
+ One intended use-case is for small embedded applications
+ which need to verify digital signatures.
+
+ * The shared libraries are now built with versioned symbols.
+ Should reduce problems in case a program links explicitly to
+ nettle and/or hogweed, and to gnutls, and the program and
+ gnutls expect different versions.
+
+ * Support for "URL-safe" base64 encoding and decoding, as
+ specified in RFC 4648. Contributed by Amos Jeffries.
+
+ Optimizations:
+
+ * New x86_64 implementation of AES, using the "aesni"
+ instructions. Autodetected in fat builds. In non-fat builds,
+ it has to be enabled explicitly with --enable-x86-aesni.
+
+ Build system:
+
+ * Use the same object files for both static and shared
+ libraries. This eliminates the *.po object files which were
+ confusing to some tools (as well as humans). Like before,
+ PIC code is used by default; to build a non-pic static
+ library, configure with --disable-pic --disable-shared.
+
+ Miscellaneous:
+
+ * Made type-checking hack in CBC_ENCRYPT and similar macros
+ stricter, to generate warnings if they are used with
+ functions which have a length argument smaller than size_t.
+
+NEWS for the Nettle 3.0 release
+
+ This is a major release, including several interface changes,
+ and new features, some of which are a bit experimental.
+ Feedback is highly appreciated.
+
+ It is *not* binary (ABI) compatible with earlier versions. It
+ is mostly source-level (API) compatible, with a couple of
+ incompatibilities noted below. The shared library names are
+ libnettle.so.5.0 and libhogweed.so.3.0, with sonames
+ libnettle.so.5 and libhogweed.so.3.
+
+ There may be some problems in the new interfaces and new
+ features which really need incompatible fixes. It is likely
+ that there will be an update in the form of a 3.1 release in
+ the not too distant future, with small but incompatible
+ changes, and if that happens, bugfix-only releases 3.0.x are
+ unlikely. Users and applications which desire better API and
+ ABI stability are advised to stay with nettle-2.7.x (latest
+ version is now 2.7.1) until the dust settles.
+
+ Interface changes:
+
+ * For the many _set_key functions, it is now consider the
+ normal case to have a fixed key size, with no key_size
+ arguments. _set_key functions with a length parameter are
+ provided only for algorithms with a truly variable keysize,
+ and where it makes sense for backwards compatibility.
+
+ INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
+ size argument. The old function is available under a new
+ name, cast5_set_key.
+
+ INCOMPATIBLE CHANGE: The function typedef
+ nettle_set_key_func no longer accepts a key size argument.
+ In particular, this affects users of struct nettle_cipher.
+
+ * The nettle_cipher abstraction (in nettle-meta.h) is
+ restricted to block ciphers only. The encrypt and decrypt
+ functions now take a const argument for the context.
+
+ INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
+ abstraction for the arcfour stream cipher, is deleted.
+
+ INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
+ encrypt and decrypt fields of struct nettle_cipher.
+
+ * New DSA interface, with a separate struct dsa_param to
+ represent the underlying group, and generalized dsa_sign and
+ dsa_verify functions which don't care about the hash
+ function used. Limited backwards compatibility provided in
+ dsa-compat.h.
+
+ INCOMPATIBLE CHANGE: Declarations of the old interface,
+ e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to
+ dsa-compat.h.
+
+ INCOMPATIBLE CHANGE: The various key conversion functions,
+ e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
+ no backwards compatible functions.
+
+ INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
+ interface. dsa-compat.h declares a function
+ dsa_compat_generate_keypair, implementing the old
+ interface, and #defines dsa_generate_keypair to refer to
+ this backwards compatible function.
+
+ * New AES and Camellia interfaces. There are now separate
+ context structs for each key size, e.g., aes128_ctx and
+ camellia256_ctx, and corresponding new functions. The old
+ interface, with struct aes_ctx and struct camellia_ctx, is
+ kept for backwards compatibility, but might be removed in
+ later versions.
+
+ * The type of most length arguments is changed from unsigned
+ to size_t. The memxor functions have their pointer arguments
+ changed from uint8_t * to void *, for consistency with
+ related libc functions.
+
+ * For hash functions, the constants *_DATA_SIZE have been
+ renamed to *_BLOCK_SIZE. Old names kept for backwards
+ compatibility.
+
+ Removed features:
+
+ * The nettle_next_prime function has been deleted.
+ Applications should use GMP's mpz_nextprime instead.
+
+ * Deleted the RSAREF compatibility, including the header file
+ rsa-compat.h and everything declared therein.
+
+ * Also under consideration for removal is des-compat.h and
+ everything declared therein. This implements a subset of the
+ old libdes/ssleay/openssl interface for DES and triple-DES,
+ and it is poorly tested. If anyone uses this interface,
+ please speak up! Otherwise, it will likely be removed in the
+ next release.
+
+ Bug fixes:
+
+ * Building with ./configure --disable-static now works.
+
+ * Use GMP's allocation functions for temporary storage related
+ to bignums, to avoid potentially large stack allocations.
+
+ * Fixes for shared libraries on M$ Windows.
+
+ New features:
+
+ * Support for Poly1305-AES MAC.
+
+ * Support for the ChaCha stream cipher and EXPERIMENTAL
+ support for the ChaCha-Poly1305 AEAD mode. Specifications
+ are still in flux, and future releases may do incompatible
+ changes to track standardization. Currently uses 256-bit key
+ and 64-bit nonce.
+
+ * Support for EAX mode.
+
+ * Support for CCM mode. Contributed by Owen Kirby.
+
+ * Additional variants of SHA512 with output size of 224 and
+ 256 bits. Contributed by Joachim Strömbergson.
+
+ * New interface, struct nettle_aead, for mechanisms providing
+ authenticated encryption with associated data (AEAD).
+
+ * DSA: Support a wider range for the size of q and a wider
+ range for the digest size.
+
+ Optimizations:
+
+ * New x86_64 assembly for GCM and MD5. Modest speedups on the
+ order of 10%-20%.
+
+ Miscellaneous:
+
+ * SHA3 is now documented as EXPERIMENTAL. Nettle currently
+ implements SHA3 as specified at the time Keccak won the SHA3
+ competition. However, the final standard specified by NIST
+ is likely to be incompatible, in which case future releases
+ may do incompatible changes to track standardization.
+
+ * The portability fix for the rotation macros, mentioned in
+ NEWS for 2.7.1, actually didn't make it into that release.
+ It is included now.
+
+ * cast128_set_key rewritten for clarity, also eliminating a
+ couple of compiler warnings.
+
+ * New command line tool nettle-pbkdf2.
+
+NEWS for the 2.7.1 release
+
+ This is a bugfix release.
+
+ Bug fixes:
+
+ * Fixed a bug in the new ECC code. The ecc_j_to_a function
+ called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping
+ input and output arguments, which is not supported.
+
+ * The assembly files for SHA1, SHA256 and AES depend on ARMv6
+ instructions, breaking nettle-2.7 for pre-v6 ARM processors.
+ The configure script now enables those assembly files only
+ when building for ARMv6 or later.
+
+ * Use a more portable C expression for rotations. The
+ previous version used the following "standard" expression
+ for 32-bit rotation:
+
+ (x << n) | (x >> (32 - n))
+
+ But this gives undefined behavior (according to the C
+ specification) for n = 0. The rotate expression is replaced
+ by the more portable:
+
+ (x << n) | (x >> ((-n)&31))
+
+ This change affects only CAST128, which uses non-constant
+ rotation counts. Unfortunately, the new expression is poorly
+ optimized by released versions of gcc, making CAST128 a bit
+ slower. This is being fixed by the gcc hackers, see
+ http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
+
+ The following problems have been reported, but are *not* fixed
+ in this release:
+
+ * ARM assembly files use instruction syntax which is not
+ supported by all assemblers. Workaround: Use a current
+ version of GNU as, or configure with --disable-assembler.
+
+ * Configuring with --disable-static doesn't work on windows.
+
+ The libraries are intended to be binary compatible with
+ nettle-2.2 and later. The shared library names are
+ libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
+ libnettle.so.4 and libhogweed.so.2.
+
+NEWS for the 2.7 release
+
+ This release includes an implementation of elliptic curve
+ cryptography (ECC) and optimizations for the ARM architecture.
+ This work was done at the offices of South Pole AB, and
+ generously funded by the .SE Internet Fund.
+
+ Bug fixes:
+
+ * Fixed a bug in the buffer handling for incremental SHA3
+ hashing, with a possible buffer overflow. Patch by Edgar
+ E. Iglesias.
+
+ New features:
+
+ * Support for ECDSA signatures. Elliptic curve operations over
+ the following curves: secp192r1, secp224r1, secp256r1,
+ secp384r1 and secp521r1, including x86_64 and ARM assembly
+ for the most important primitives.
+
+ * Support for UMAC, including x86_64 and ARM assembly.
+
+ * Support for 12-round salsa20, "salsa20r12", as specified by
+ eSTREAM. Contributed by Nikos Mavrogiannopoulos.
+
+ Optimizations:
+
+ * ARM assembly code for several additional algorithms,
+ including AES, Salsa20, and the SHA family of hash
+ functions.
+
+ * x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
+ was included in the 2.6 release, but disabled due to poor
+ performance on some AMD processors. Hopefully, that
+ performance problem is fixed now).
+
+ The ARM code was tested and benchmarked on Cortex-A9. Some of
+ the functions use "neon" instructions. The configure script
+ decides if neon instructions can be used, and the command line
+ options --enable-arm-neon and --disable-arm-neon can be used
+ to override its choice. Feedback appreciated.
+
+ The libraries are intended to be binary compatible with
+ nettle-2.2 and later. The shared library names are
+ libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
+ libnettle.so.4 and libhogweed.so.2.
+
+NEWS for the 2.6 release
+
+ Bug fixes:
+
+ * Fixed a bug in ctr_crypt. For zero length (which should be a
+ NOP), it sometimes incremented the counter. Reported by Tim
+ Kosse.
+
+ * Fixed a small memory leak in nettle_realloc and
+ nettle_xrealloc.
+
+ New features:
+
+ * Support for PKCS #5 PBKDF2, to generate a key from a
+ password or passphrase. Contributed by Simon Josefsson.
+ Specification in RFC 2898 and test vectors in RFC 6070.
+
+ * Support for SHA3.
+
+ * Support for the GOST R 34.11-94 hash algorithm. Ported from
+ librhash by Nikos Mavrogiannopoulos. Written by Aleksey
+ Kravchenko. More information in RFC4357. Test vectors taken
+ from the GOST hash wikipedia page.
+
+ Miscellaneous:
+
+ * The include file <nettle/sha.h> has been split into
+ <nettle/sha1.h> and <nettle/sha2.h>. For now, sha.h is kept
+ for backwards compatibility and it simply includes both
+ files, but applications are encouraged to use the new names.
+ The new SHA3 functions are declared in <nettle/sha3.h>.
+
+ * Testsuite can be run under valgrind, using
+
+ make check EMULATOR='$(VALGRIND)'
+
+ For this to work, test programs and other executables now
+ deallocate storage.
+
+ * New configure options --disable-documentation and
+ --disable-static. Contributed by Sam Thursfield and Alon
+ Bar-Lev, respectively.
+
+ * The section on hash functions in the manual is split into
+ separate nodes for recommended hash functions and legacy
+ hash functions.
+
+ * Various smaller improvements, most of them portability
+ fixes. Credits go to David Woodhouse, Tim Rühsen, Martin
+ Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis
+ Clarke.
+
+ Finally, a note on the naming of the various "SHA" hash
+ functions. Naming is a bit inconsistent; we have, e.g.,
+
+ SHA1: sha1_digest
+ SHA2: sha256_digest (not sha2_256_digest)
+ SHA3: sha3_256_digest
+
+ Renaming the SHA2 functions to make Nettle's naming more
+ consistent has been considered, but the current naming follows
+ common usage. Most documents (including the specification for
+ SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather
+ than "SHA2-256".
+
+ The libraries are intended to be binary compatible with
+ nettle-2.2 and later. The shared library names are
+ libnettle.so.4.5 and libhogweed.so.2.3, with sonames still
+ libnettle.so.4 and libhogweed.so.2
+
NEWS for the 2.5 release
This release includes important portability fixes for Windows
New features:
- * Support for the salsa20 block cipher, including x86_64
+ * Support for the salsa20 stream cipher, including x86_64
assembler. Originally contributed by Simon Josefsson, based
on the reference implementation, then further optimized.
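Review bot: the added NEWS text carries several typos that should be fixed before this lands, since the file ships in the tarball: in the 3.5.1 entry, "The Nettle-3.5.1 corrects" (drop "The") and "The new directory x86_64/sha_ni were missing" (was missing); in the 3.4 entry, "breaking curve2559 and eddsa" (curve25519), "--enable-fat om ARM" (on ARM) and "when SHA3 hashes were was added" (were added); in the 3.4.1 entry, "A 60% slowdown for 2048-bit RSA keys have been measured" (has been measured); in the 3.3 entry, "with an even modulo" (even modulus) and "sexp_interator" (sexp_iterator); in the 3.0 entry, "it is now consider the normal case" (considered). The 3.5 entry also states the shared library names twice, once after the intro ("The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames ...") and again at the end; every other entry states them once, so one copy should go. Minor: the 2.6 entry's closing line "libhogweed.so.2" lacks the trailing period the other entries have, and "M$ Windows" in the 3.0 bug fixes reads as a jab rather than release-note register; "Windows" is enough. The salsa20 "block cipher" to "stream cipher" correction in the 2.5 entry is right.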