+NEWS for the Nettle 3.5.1 release
+
+ The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
+ The new directory x86_64/sha_ni were missing in the tar file,
+ breaking x86_64 builds with --enable-fat, and producing worse
+ performance than promised for builds with --enable-x86-sha-ni.
+ Also a few unused in-progress assembly files were accidentally
+ included in the tar file.
+
+ These problems are corrected in Nettle-3.5.1. There are no
+ other changes, and also the library version numbers are
+ unchanged.
+
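Review bot: Grammar in the new 3.5.1 paragraph: "The new directory x86_64/sha_ni were missing" should read "was missing" (singular subject), and "The Nettle-3.5.1 corrects" reads better as "Nettle-3.5.1 corrects". Since the missing directory silently degraded --enable-x86-sha-ni builds to the slower code path rather than failing, it would also help readers to say explicitly that a 3.5 build configured with --enable-x86-sha-ni should be rebuilt from the 3.5.1 tarball to get the advertised SHA-NI performance.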
NEWS for the Nettle 3.5 release
+ This release adds a couple of new features and optimizations,
+ and deletes or deprecates a few obsolete features. It is *not*
+ binary (ABI) compatible with earlier versions. Except for
+ deprecations listed below, it is intended to be fully
+ source-level (API) compatible with Nettle-3.4.1.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0, with sonames libnettle.so.7 and
+ libhogweed.so.5.
+
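Review bot: The compatibility claim at "Except for deprecations listed below, it is intended to be fully source-level (API) compatible" is narrower than the rest of this section supports: the "Deleted features" items below remove des-compat.h and nettle-stdint.h outright, which is a source-level break for any caller including them, not a deprecation. Suggest "Except for the deletions and deprecations listed below, ..." so that someone reading only the summary paragraph is not surprised by a failing build.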
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher
assumptions accidentally made in GnuTLS, up to and including
version 3.6.1.
- Bug fixes:
-
- * Fix bug in pkcs1-conv, missing break statements in the
- parsing of PEM input files.
-
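Review bot: Removing the pkcs1-conv "missing break statements" entry from the 3.5 section is only correct if that fix actually shipped in 3.4.1; the same two lines reappear verbatim under the new 3.4.1 "Bug fixes" heading later in this patch. Worth confirming against the 3.4.1 tag, since the entry otherwise disappears from the changelog for users upgrading from 3.4 straight to 3.5.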
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single
* Support for CMAC (RFC 4493), contributed by Nikos
Mavrogiannopoulos.
+ * Support for XTS mode, contributed by Simo Sorce.
+
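Review bot: The XTS entry is thinner than its neighbours: the CMAC line cites RFC 4493, but "Support for XTS mode" names neither the specification (IEEE Std 1619 / NIST SP 800-38E) nor which block ciphers the new interface covers. Since XTS is the disk-encryption mode and callers need to know the key-size convention (two keys, so twice the cipher key length), a one-line pointer to the header or to the documented key layout would save readers a trip to the source.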
Optimizations:
* Improved performance of the x86_64 AES implementation using
operation, benchmarked on x86_64. Table sizes unchanged,
around 16 KB per curve.
+ * In ARM fat builds, automatically select Neon implementation
+ of Chacha, where possible. Contributed by Yuriy M.
+ Kaminskiy.
+
+ Deleted features:
+
+ * The header file des-compat.h and everything declared therein
+ has been deleted, as announced earlier. This file provided a
+ subset of the old libdes/ssleay/openssl interface for DES
+ and triple-DES. DES is still supported, via the functions
+ declared in des.h.
+
+ * Functions using the old struct aes_ctx have been marked as
+ deprecated. Use the fixed key size interface instead, e.g.,
+ struct aes256_ctx, introduced in Nettle-3.0.
+
+ * The header file nettle-stdint.h, and corresponding autoconf
+ tests, have been deleted. Nettle now requires that the
+ compiler/libc provides <stdint.h>.
+
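Review bot: The second item under "Deleted features" ("Functions using the old struct aes_ctx have been marked as deprecated") is a deprecation, not a deletion, and the intro paragraph refers to "deprecations listed below" without any heading of that name. Suggest a separate "Deprecated features:" heading (matching the existing "Deleted features:" style) so the aes_ctx item lands under it and the intro's cross-reference resolves.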
Miscellaneous:
* Support for big-endian ARM systems, contributed by Michael
gcmdata are no longer built by default. Makefile
improvements contributed by Jay Foad.
+ * The "example" program examples/eratosthenes.c has been
+ deleted.
+
+ * The contents of hash context structs, and the deprecated
+ aes_ctx struct, have been reorganized, to enable later
+ optimizations.
+
+ The shared library names are libnettle.so.7.0 and
+ libhogweed.so.5.0.
+
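Review bot: The closing "The shared library names are libnettle.so.7.0 and libhogweed.so.5.0." duplicates the fuller sentence already added in the intro of this section (which also gives the sonames libnettle.so.7 and libhogweed.so.5). Keep one copy; the 3.4.1 section below puts this sentence only at the end, so whichever position is chosen should be used consistently. The "reorganized, to enable later optimizations" item could also say that the context structs changed size/layout, which is the concrete reason the ABI bump is needed.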
+NEWS for the Nettle 3.4.1 release
+
+ This release fixes a few bugs, and makes the RSA private key
+ operations side channel silent. The RSA improvements are
+ contributed by Simo Sorce and Red Hat, and include one new
+ public function, rsa_sec_decrypt, see below.
+
+ All functions using RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of PKCS#1 padding needed for
+ RSA decryption.
+
+ Nettle's ECC functions were already side-channel silent, while
+ the DSA functions still aren't. There's also one caveat
+ regarding the improved RSA functions: due to small table
+ lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+ lowest and highest few bits of the secret factors p and q may
+ still leak. I'm not aware of any attacks on RSA where knowing
+ a few bits of the factors makes a significant difference. This
+ leak will likely be plugged in later GMP versions.
+
+ Changes in behavior:
+
+ * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+ all of the provided message buffer, independent of the
+ actual message length. They are side-channel silent, in that
+ branches and memory accesses don't depend on the validity or
+ length of the message. Side-channel leakage from the
+ caller's use of length and return value may still provide an
+ oracle useable for a Bleichenbacher-style chosen ciphertext
+ attack. Which is why the new function rsa_sec_decrypt is
+ recommended.
+
+ New features:
+
+ * A new function rsa_sec_decrypt. It differs from
+ rsa_decrypt_tr in that the length of the decrypted message
+ is given a priori, and PKCS#1 padding indicating a different
+ length is treated as an error. For applications that may be
+ subject to chosen ciphertext attacks, it is recommended to
+ initialize the message area with random data, call this
+ function, and ignore the return value. This applies in
+ particular to RSA-based key exchange in the TLS protocol.
+
+ Bug fixes:
+
+ * Fix bug in pkcs1-conv, missing break statements in the
+ parsing of PEM input files.
+
+ * Fix link error on the pss-mgf1-test test, affecting builds
+ without public key support.
+
+ Performance regression:
+
+ * All RSA private key operations employing RSA blinding, i.e.,
+ rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
+ rsa_compute_root_tr, are significantly slower. This is
+ because (i) RSA blinding now use side-channel silent
+ operations, (ii) blinding includes a modular inversion, and
+ (iii) side-channel silent modular inversion, implemented as
+ mpn_sec_invert, is very expensive. A 60% slowdown for
+ 2048-bit RSA keys have been measured.
+
+ Miscellaneous:
+
+ * Building the public key support of nettle now requires GMP
+ version 6.0 or later (unless --enable-mini-gmp is used).
+
+ The shared library names are libnettle.so.6.5 and
+ libhogweed.so.4.5, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
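Review bot: A few grammar fixes in the new 3.4.1 section: "RSA blinding now use side-channel silent operations" should be "uses"; "A 60% slowdown for 2048-bit RSA keys have been measured" should be "has been measured"; "useable" should be "usable"; and "attack. Which is why the new function rsa_sec_decrypt is recommended." is a fragment, better as "... attack, which is why the new function rsa_sec_decrypt is recommended." On substance, the rsa_decrypt/rsa_decrypt_tr entry is the important one for integrators: it states that the library side is now branch-free but that the caller's own handling of the returned length and status can still act as a Bleichenbacher oracle. Consider stating in the rsa_sec_decrypt entry that the caller must likewise avoid branching on the return value (the text already says to ignore it, so a short "do not log or branch on it" would close the loop), and naming the GMP version expected to plug the low/high-bit leak of p and q once it is known.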
NEWS for the Nettle 3.4 release
This release fixes bugs and adds a few new features. It also
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
- Changes in behavoir:
+ Changes in behavior:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions