+NEWS for the Nettle 3.5.1 release
+
+ The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
+ The new directory x86_64/sha_ni were missing in the tar file,
+ breaking x86_64 builds with --enable-fat, and producing worse
+ performance than promised for builds with --enable-x86-sha-ni.
+ Also a few unused in-progress assembly files were accidentally
+ included in the tar file.
+
+ These problems are corrected in Nettle-3.5.1. There are no
+ other changes, and also the library version numbers are
+ unchanged.
+
+NEWS for the Nettle 3.5 release
+
+ This release adds a couple of new features and optimizations,
+ and deletes or deprecates a few obsolete features. It is *not*
+ binary (ABI) compatible with earlier versions. Except for
+ deprecations listed below, it is intended to be fully
+ source-level (API) compatible with Nettle-3.4.1.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0, with sonames libnettle.so.7 and
+ libhogweed.so.5.
+
+ Changes in behavior:
+
+ * Nettle's gcm_crypt will now call the underlying block cipher
+ to process more than one block at a time. This is not a
+ change to the documented behavior, but unfortunately breaks
+ assumptions accidentally made in GnuTLS, up to and including
+ version 3.6.1.
+
+ New features:
+
+ * Support for CFB8 (Cipher Feedback Mode, processing a single
+ octet per block cipher operation), contributed by Dmitry
+ Eremin-Solenikov.
+
+ * Support for CMAC (RFC 4493), contributed by Nikos
+ Mavrogiannopoulos.
+
+ * Support for XTS mode, contributed by Simo Sorce.
+
+ Optimizations:
+
+ * Improved performance of the x86_64 AES implementation using
+ the aesni instructions. Gives a large speedup for operations
+ processing multiple blocks at a time (including CTR mode,
+ GCM mode, and CBC decrypt, but *not* CBC encrypt).
+
+ * Improved performance for CTR mode, for the common case of
+ 16-byte block size. Pass more data at a time to underlying
+ block cipher, and fill the counter blocks more efficiently.
+ Extension to also handle GCM mode efficiently contributed
+ by Nikos Mavrogiannopoulos.
+
+ * New x86_64 implementation of sha1 and sha256, for processors
+ supporting the sha_ni instructions. Speedup of 3-5 times on
+ affected processors.
+
+ * Improved parameters for the precomputation of tables used
+ for ecc signatures. Roughly 10%-15% speedup of the ecdsa
+ sign operation using the secp_256r1, secp_384r1 and
+ secp_521r1 curves, and 25% speedup of ed25519 sign
+ operation, benchmarked on x86_64. Table sizes unchanged,
+ around 16 KB per curve.
+
+ * In ARM fat builds, automatically select Neon implementation
+ of Chacha, where possible. Contributed by Yuriy M.
+ Kaminskiy.
+
+ Deleted features:
+
+ * The header file des-compat.h and everything declared therein
+ has been deleted, as announced earlier. This file provided a
+ subset of the old libdes/ssleay/openssl interface for DES
+ and triple-DES. DES is still supported, via the functions
+ declared in des.h.
+
+ * Functions using the old struct aes_ctx have been marked as
+ deprecated. Use the fixed key size interface instead, e.g.,
+ struct aes256_ctx, introduced in Nettle-3.0.
+
+ * The header file nettle-stdint.h, and corresponding autoconf
+ tests, have been deleted. Nettle now requires that the
+ compiler/libc provides <stdint.h>.
+
+ Miscellaneous:
+
+ * Support for big-endian ARM systems, contributed by Michael
+ Weiser.
+
+ * The programs aesdata, desdata, twofishdata, shadata and
+ gcmdata are no longer built by default. Makefile
+ improvements contributed by Jay Foad.
+
+ * The "example" program examples/eratosthenes.c has been
+ deleted.
+
+ * The contents of hash context structs, and the deprecated
+ aes_ctx struct, have been reorganized, to enable later
+ optimizations.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0.
+
+NEWS for the Nettle 3.4.1 release
+
+ This release fixes a few bugs, and makes the RSA private key
+ operations side channel silent. The RSA improvements are
+ contributed by Simo Sorce and Red Hat, and include one new
+ public function, rsa_sec_decrypt, see below.
+
+ All functions using RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of PKCS#1 padding needed for
+ RSA decryption.
+
+ Nettle's ECC functions were already side-channel silent, while
+ the DSA functions still aren't. There's also one caveat
+ regarding the improved RSA functions: due to small table
+ lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+ lowest and highest few bits of the secret factors p and q may
+ still leak. I'm not aware of any attacks on RSA where knowing
+ a few bits of the factors makes a significant difference. This
+ leak will likely be plugged in later GMP versions.
+
+ Changes in behavior:
+
+ * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+ all of the provided message buffer, independent of the
+ actual message length. They are side-channel silent, in that
+ branches and memory accesses don't depend on the validity or
+ length of the message. Side-channel leakage from the
+ caller's use of length and return value may still provide an
+ oracle useable for a Bleichenbacher-style chosen ciphertext
+ attack. Which is why the new function rsa_sec_decrypt is
+ recommended.
+
+ New features:
+
+ * A new function rsa_sec_decrypt. It differs from
+ rsa_decrypt_tr in that the length of the decrypted message
+ is given a priori, and PKCS#1 padding indicating a different
+ length is treated as an error. For applications that may be
+ subject to chosen ciphertext attacks, it is recommended to
+ initialize the message area with random data, call this
+ function, and ignore the return value. This applies in
+ particular to RSA-based key exchange in the TLS protocol.
+
+ Bug fixes:
+
+ * Fix bug in pkcs1-conv, missing break statements in the
+ parsing of PEM input files.
+
+ * Fix link error on the pss-mgf1-test test, affecting builds
+ without public key support.
+
+ Performance regression:
+
+ * All RSA private key operations employing RSA blinding, i.e.,
+ rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
+ rsa_compute_root_tr, are significantly slower. This is
+ because (i) RSA blinding now use side-channel silent
+ operations, (ii) blinding includes a modular inversion, and
+ (iii) side-channel silent modular inversion, implemented as
+ mpn_sec_invert, is very expensive. A 60% slowdown for
+ 2048-bit RSA keys have been measured.
+
+ Miscellaneous:
+
+ * Building the public key support of nettle now requires GMP
+ version 6.0 or later (unless --enable-mini-gmp is used).
+
+ The shared library names are libnettle.so.6.5 and
+ libhogweed.so.4.5, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
+NEWS for the Nettle 3.4 release
+
+ This release fixes bugs and adds a few new features. It also
+ addresses an ABI compatibility issue affecting Nettle-3.1 and
+ later, see below.
+
+ Bug fixes:
+
+ * Fixed an improper use of GMP mpn_mul, breaking curve2559 and
+ eddsa on certain platforms. Reported by Sergei Trofimovich.
+
+ * Fixed memory leak when handling invalid signatures in
+ ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
+
+ * Fix compilation error with --enable-fat om ARM. Fix
+ contributed by Andreas Schneider.
+
+ * Reorganized the way certain data items are made available.
+
+ Short version: Nettle header files now define the symbols
+ nettle_hashes, nettle_ciphers, and nettle_aeads, as
+ preprocessor macros invoking a corresponding accessor
+ function. For backwards ABI compatibility, the symbols are
+ still present in the compiled libraries, and with the same
+ sizes as in nettle-3.3.
+
+ New features:
+
+ * Support for RSA-PSS signatures, contributed by Daiki Ueno.
+
+ * Support for the HKDF key derivation function, defined by RFC
+ 5869. Contributed by Nikos Mavrogiannopoulos.
+
+ * Support for the Cipher Feedback Mode (CFB), contributed by
+ Dmitry Eremin-Solenikov.
+
+ * New accessor functions: nettle_get_hashes,
+ nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
+ nettle_get_secp_224r1, nettle_get_secp_256r1,
+ nettle_get_secp_384r1, nettle_get_secp_521r1.
+
+ For source-level compatibility with future versions,
+ applications are encouraged to migrate to using these
+ functions instead of referring to the corresponding data
+ items directly.
+
+ Miscellaneous:
+
+ * The base16 and base64 functions now use the type char * for
+ ascii data, rather than uint8_t *. This eliminates the last
+ pointer-signedness warnings when building Nettle. This is a
+ minor API change, and applications may need to be adjusted,
+ but the ABI is unaffected on all platforms I'm aware of.
+
+ * The contents of the header file nettle/version.h is now
+ architecture independent, except in --enable-mini-gmp
+ configurations.
+
+ ABI issue:
+
+ Since the breakage was a bit subtle, let me document it
+ here. The nettle and hogweed libraries export a couple of
+ data symbols, and for some of these, the size was never
+ intended to be part of the ABI. E.g.,
+
+ extern const struct nettle_hash * const nettle_hashes[];
+
+ which is an NULL-terminated array.
+
+ It turns out the sizes nevertheless may leak into the ABI, and
+ that increasing the sizes can break old executables linked
+ with a newer version of the library.
+
+ When linking a classic non-PIE executable with a shared
+ library, we get ELF relocations of type R_X86_64_COPY for
+ references to data items. These mean that the linker allocates
+ space for the data item in the data segment of executable, at
+ a fixed address determined at link-time, and with size
+ extracted from the version of the .so-file seen when linking.
+
+ At load time, the run time linker then copies the contents of
+ the symbol from the .so file to that location, and uses the
+ copy instead of the version loaded with the .so-file. And if
+ the data item in the .so file used at load time is larger than
+ the data item seen at link time, it is silently truncated in
+ the process.
+
+ So when SHA3 hashes were was added to the nettle_hashes array
+ in the nettle-3.3 release, this way of linking produces a
+ truncated array at load time, no longer NULL-terminated.
+
+ We will get similar problems for planned extensions of the
+ internal struct ecc_curve, and exported data items like
+
+ extern const struct ecc_curve nettle_secp_256r1;
+
+ where the ecc_curve struct is only forward declared in the
+ public headers. To prepare, applications should migrate to
+ using the new function nettle_get_secp_256r1, and similarly
+ for the other curves.
+
+ In some future version, the plan is to add a leading
+ underscore to the name of the actual data items. E.g.,
+ nettle_hashes --> _nettle_hashes, breaking the ABI, while
+ keeping the nettle_get_hashes function and the nettle_hashes
+ macro as the supported ways to access it. We will also
+ rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
+ both ABI and API.
+
+ Note that data items like nettle_sha256 are *not* affected,
+ since the size and layout of this struct is considered part
+ of the ABI, and R_X86_64_COPY-relocations then work fine.
+
+ The shared library names are libnettle.so.6.4 and
+ libhogweed.so.4.4, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
- Changes in behavoir:
+ Changes in behavior:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions