1 NEWS for the Nettle 3.5.1 release
3 The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
4 The new directory x86_64/sha_ni were missing in the tar file,
5 breaking x86_64 builds with --enable-fat, and producing worse
6 performance than promised for builds with --enable-x86-sha-ni.
7 Also a few unused in-progress assembly files were accidentally
8 included in the tar file.
10 These problems are corrected in Nettle-3.5.1. There are no
11 other changes, and also the library version numbers are
14 NEWS for the Nettle 3.5 release
16 This release adds a couple of new features and optimizations,
17 and deletes or deprecates a few obsolete features. It is *not*
18 binary (ABI) compatible with earlier versions. Except for
19 deprecations listed below, it is intended to be fully
20 source-level (API) compatible with Nettle-3.4.1.
22 The shared library names are libnettle.so.7.0 and
23 libhogweed.so.5.0, with sonames libnettle.so.7 and
28 * Nettle's gcm_crypt will now call the underlying block cipher
29 to process more than one block at a time. This is not a
30 change to the documented behavior, but unfortunately breaks
31 assumptions accidentally made in GnuTLS, up to and including
36 * Support for CFB8 (Cipher Feedback Mode, processing a single
37 octet per block cipher operation), contributed by Dmitry
40 * Support for CMAC (RFC 4493), contributed by Nikos
43 * Support for XTS mode, contributed by Simo Sorce.
47 * Improved performance of the x86_64 AES implementation using
48 the aesni instructions. Gives a large speedup for operations
49 processing multiple blocks at a time (including CTR mode,
50 GCM mode, and CBC decrypt, but *not* CBC encrypt).
52 * Improved performance for CTR mode, for the common case of
53 16-byte block size. Pass more data at a time to underlying
54 block cipher, and fill the counter blocks more efficiently.
55 Extension to also handle GCM mode efficiently contributed
56 by Nikos Mavrogiannopoulos.
58 * New x86_64 implementation of sha1 and sha256, for processors
59 supporting the sha_ni instructions. Speedup of 3-5 times on
62 * Improved parameters for the precomputation of tables used
63 for ecc signatures. Roughly 10%-15% speedup of the ecdsa
64 sign operation using the secp_256r1, secp_384r1 and
65 secp_521r1 curves, and 25% speedup of ed25519 sign
66 operation, benchmarked on x86_64. Table sizes unchanged,
67 around 16 KB per curve.
69 * In ARM fat builds, automatically select Neon implementation
70 of Chacha, where possible. Contributed by Yuriy M.
75 * The header file des-compat.h and everything declared therein
76 has been deleted, as announced earlier. This file provided a
77 subset of the old libdes/ssleay/openssl interface for DES
78 and triple-DES. DES is still supported, via the functions
81 * Functions using the old struct aes_ctx have been marked as
82 deprecated. Use the fixed key size interface instead, e.g.,
83 struct aes256_ctx, introduced in Nettle-3.0.
85 * The header file nettle-stdint.h, and corresponding autoconf
86 tests, have been deleted. Nettle now requires that the
87 compiler/libc provides <stdint.h>.
91 * Support for big-endian ARM systems, contributed by Michael
94 * The programs aesdata, desdata, twofishdata, shadata and
95 gcmdata are no longer built by default. Makefile
96 improvements contributed by Jay Foad.
98 * The "example" program examples/eratosthenes.c has been
101 * The contents of hash context structs, and the deprecated
102 aes_ctx struct, have been reorganized, to enable later
105 The shared library names are libnettle.so.7.0 and
108 NEWS for the Nettle 3.4.1 release
110 This release fixes a few bugs, and makes the RSA private key
111 operations side channel silent. The RSA improvements are
112 contributed by Simo Sorce and Red Hat, and include one new
113 public function, rsa_sec_decrypt, see below.
115 All functions using RSA private keys are now side-channel
116 silent, meaning that they try hard to avoid any branches or
117 memory accesses depending on secret data. This applies both to
118 the bignum calculations, which now use GMP's mpn_sec_* family
119 of functions, and the processing of PKCS#1 padding needed for
122 Nettle's ECC functions were already side-channel silent, while
123 the DSA functions still aren't. There's also one caveat
124 regarding the improved RSA functions: due to small table
125 lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
126 lowest and highest few bits of the secret factors p and q may
127 still leak. I'm not aware of any attacks on RSA where knowing
128 a few bits of the factors makes a significant difference. This
129 leak will likely be plugged in later GMP versions.
133 * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
134 all of the provided message buffer, independent of the
135 actual message length. They are side-channel silent, in that
136 branches and memory accesses don't depend on the validity or
137 length of the message. Side-channel leakage from the
138 caller's use of length and return value may still provide an
139 oracle useable for a Bleichenbacher-style chosen ciphertext
140 attack. Which is why the new function rsa_sec_decrypt is
145 * A new function rsa_sec_decrypt. It differs from
146 rsa_decrypt_tr in that the length of the decrypted message
147 is given a priori, and PKCS#1 padding indicating a different
148 length is treated as an error. For applications that may be
149 subject to chosen ciphertext attacks, it is recommended to
150 initialize the message area with random data, call this
151 function, and ignore the return value. This applies in
152 particular to RSA-based key exchange in the TLS protocol.
156 * Fix bug in pkcs1-conv, missing break statements in the
157 parsing of PEM input files.
159 * Fix link error on the pss-mgf1-test test, affecting builds
160 without public key support.
162 Performance regression:
164 * All RSA private key operations employing RSA blinding, i.e.,
165 rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
166 rsa_compute_root_tr, are significantly slower. This is
167 because (i) RSA blinding now use side-channel silent
168 operations, (ii) blinding includes a modular inversion, and
169 (iii) side-channel silent modular inversion, implemented as
170 mpn_sec_invert, is very expensive. A 60% slowdown for
171 2048-bit RSA keys have been measured.
175 * Building the public key support of nettle now requires GMP
176 version 6.0 or later (unless --enable-mini-gmp is used).
178 The shared library names are libnettle.so.6.5 and
179 libhogweed.so.4.5, with sonames still libnettle.so.6 and
180 libhogweed.so.4. It is intended to be fully binary compatible
183 NEWS for the Nettle 3.4 release
185 This release fixes bugs and adds a few new features. It also
186 addresses an ABI compatibility issue affecting Nettle-3.1 and
191 * Fixed an improper use of GMP mpn_mul, breaking curve2559 and
192 eddsa on certain platforms. Reported by Sergei Trofimovich.
194 * Fixed memory leak when handling invalid signatures in
195 ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
197 * Fix compilation error with --enable-fat om ARM. Fix
198 contributed by Andreas Schneider.
200 * Reorganized the way certain data items are made available.
202 Short version: Nettle header files now define the symbols
203 nettle_hashes, nettle_ciphers, and nettle_aeads, as
204 preprocessor macros invoking a corresponding accessor
205 function. For backwards ABI compatibility, the symbols are
206 still present in the compiled libraries, and with the same
207 sizes as in nettle-3.3.
211 * Support for RSA-PSS signatures, contributed by Daiki Ueno.
213 * Support for the HKDF key derivation function, defined by RFC
214 5869. Contributed by Nikos Mavrogiannopoulos.
216 * Support for the Cipher Feedback Mode (CFB), contributed by
217 Dmitry Eremin-Solenikov.
219 * New accessor functions: nettle_get_hashes,
220 nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
221 nettle_get_secp_224r1, nettle_get_secp_256r1,
222 nettle_get_secp_384r1, nettle_get_secp_521r1.
224 For source-level compatibility with future versions,
225 applications are encouraged to migrate to using these
226 functions instead of referring to the corresponding data
231 * The base16 and base64 functions now use the type char * for
232 ascii data, rather than uint8_t *. This eliminates the last
233 pointer-signedness warnings when building Nettle. This is a
234 minor API change, and applications may need to be adjusted,
235 but the ABI is unaffected on all platforms I'm aware of.
237 * The contents of the header file nettle/version.h is now
238 architecture independent, except in --enable-mini-gmp
243 Since the breakage was a bit subtle, let me document it
244 here. The nettle and hogweed libraries export a couple of
245 data symbols, and for some of these, the size was never
246 intended to be part of the ABI. E.g.,
248 extern const struct nettle_hash * const nettle_hashes[];
250 which is an NULL-terminated array.
252 It turns out the sizes nevertheless may leak into the ABI, and
253 that increasing the sizes can break old executables linked
254 with a newer version of the library.
256 When linking a classic non-PIE executable with a shared
257 library, we get ELF relocations of type R_X86_64_COPY for
258 references to data items. These mean that the linker allocates
259 space for the data item in the data segment of executable, at
260 a fixed address determined at link-time, and with size
261 extracted from the version of the .so-file seen when linking.
263 At load time, the run time linker then copies the contents of
264 the symbol from the .so file to that location, and uses the
265 copy instead of the version loaded with the .so-file. And if
266 the data item in the .so file used at load time is larger than
267 the data item seen at link time, it is silently truncated in
270 So when SHA3 hashes were was added to the nettle_hashes array
271 in the nettle-3.3 release, this way of linking produces a
272 truncated array at load time, no longer NULL-terminated.
274 We will get similar problems for planned extensions of the
275 internal struct ecc_curve, and exported data items like
277 extern const struct ecc_curve nettle_secp_256r1;
279 where the ecc_curve struct is only forward declared in the
280 public headers. To prepare, applications should migrate to
281 using the new function nettle_get_secp_256r1, and similarly
282 for the other curves.
284 In some future version, the plan is to add a leading
285 underscore to the name of the actual data items. E.g.,
286 nettle_hashes --> _nettle_hashes, breaking the ABI, while
287 keeping the nettle_get_hashes function and the nettle_hashes
288 macro as the supported ways to access it. We will also
289 rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
292 Note that data items like nettle_sha256 are *not* affected,
293 since the size and layout of this struct is considered part
294 of the ABI, and R_X86_64_COPY-relocations then work fine.
296 The shared library names are libnettle.so.6.4 and
297 libhogweed.so.4.4, with sonames still libnettle.so.6 and
298 libhogweed.so.4. It is intended to be fully binary compatible
301 NEWS for the Nettle 3.3 release
303 This release fixes a couple of bugs, and improves resistance
304 to side-channel attacks on RSA and DSA private key operations.
308 * Invalid private RSA keys, with an even modulo, are now
309 rejected by rsa_private_key_prepare. (Earlier versions
310 allowed such keys, even if results of using them were bogus).
312 Nettle applications are required to call
313 rsa_private_key_prepare and check the return value, before
314 using any other RSA private key functions; failing to do so
315 may result in crashes for invalid private keys. As a
316 workaround for versions of Gnutls which don't use
317 rsa_private_key_prepare, additional checks for even moduli
318 are added to the rsa_*_tr functions which are used by all
319 recent versions of Gnutls.
321 * Ignore bit 255 of the x coordinate of the input point to
322 curve25519_mul, as required by RFC 7748. To differentiate at
323 compile time, curve25519.h defines the constant
324 NETTLE_CURVE25519_RFC7748.
328 * RSA and DSA now use side-channel silent modular
329 exponentiation, to defend against attacks on the private key
330 from evil processes sharing the same processor cache. This
331 attack scenario is of particular relevance when running an
332 HTTPS server on a virtual machine, where you don't know who
333 you share the cache hardware with.
335 (Private key operations on elliptic curves were already
336 side-channel silent).
340 * Fix sexp-conv crashes on invalid input. Reported by Hanno
343 * Fix out-of-bounds read in des_weak_p. Fixed by Nikos
346 * Fix a couple of formally undefined shift operations,
347 reported by Nikos Mavrogiannopoulos.
349 * Fix compilation with c89. Reported by Henrik Grubbström.
353 * New function memeql_sec, for side-channel silent comparison
358 * Building the public key support of nettle now requires GMP
359 version 5.0 or later (unless --enable-mini-gmp is used).
361 * Filenames of windows DLL libraries now include major number
362 only. So the dll names change at the same time as the
363 corresponding soname on ELF platforms. Fixed by Nikos
366 * Eliminate most pointer-signedness warnings. In the process,
367 the strings representing expression type for sexp_interator
368 functions were changed from const uint8_t * to const char *.
369 These functions are undocumented, and it doesn't change the
370 ABI on any platform I'm aware of.
372 The shared library names are libnettle.so.6.3 and
373 libhogweed.so.4.3, with sonames still libnettle.so.6 and
374 libhogweed.so.4. It is intended to be fully binary compatible
377 NEWS for the Nettle 3.2 release
381 * The SHA3 implementation is updated according to the FIPS 202
382 standard. It is not interoperable with earlier versions of
383 Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
384 differentiate at compile time, sha3.h defines the constant
387 * Fix corner-case carry propagation bugs affecting elliptic
388 curve operations on the curves secp_256r1 and secp_384r1 on
389 certain platforms, including x86_64. Reported by Hanno Böck.
393 * New functions for RSA private key operations, identified by
394 the "_tr" suffix, with better resistance to side channel
395 attacks and to hardware or software failures which could
396 break the CRT optimization. See the Nettle manual for
397 details. Initial patch by Nikos Mavrogiannopoulos.
399 * New functions nettle_version_major, nettle_version_minor, as
400 a run-time variant of the compile-time constants
401 NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.
405 * New ARM Neon implementation of the chacha stream cipher.
409 * ABI detection on mips, with improved default libdir
410 location. Contributed by Klaus Ziegler.
412 * Fixes for ARM assembly syntax, to work better with the clang
413 assembler. Thanks to Jukka Ukkonen.
415 * Disabled use of ifunc relocations for fat builds, to fix
416 problems most easily triggered by using dlopen RTLD_NOW.
418 The shared library names are libnettle.so.6.2 and
419 libhogweed.so.4.2, with sonames still libnettle.so.6 and
420 libhogweed.so.4. It is intended to be fully binary compatible
423 NEWS for the Nettle 3.1.1 release
425 This release fixes a couple of non-critical bugs.
429 * By accident, nettle-3.1 disabled the assembly code for the
430 secp_224r1 and secp_521r1 elliptic curves on all x86_64
431 configurations, making signature operations on those curves
432 10%-30% slower. This code is now re-enabled.
434 * The x86_64 assembly implementation of gcm hashing has been
435 fixed to work with the Sun/Oracle assembler.
437 The shared library names are libnettle.so.6.1 and
438 libhogweed.so.4.1, with sonames still libnettle.so.6 and
439 libhogweed.so.4. It is intended to be fully binary compatible
442 NEWS for the Nettle 3.1 release
444 This release adds a couple of new features.
446 The library is mostly source-level compatible with nettle-3.0.
447 It is however not binary compatible, due to the introduction
448 of versioned symbols, and extensions to the base64 context
449 structs. The shared library names are libnettle.so.6.0 and
450 libhogweed.so.4.0, with sonames libnettle.so.6 and
455 * Fixed a missing include of <limits.h>, which made the
456 camellia implementation fail on all 64-bit non-x86
459 * Eliminate out-of-bounds reads in the C implementation of
460 memxor (related to valgrind's --partial-loads-ok flag).
464 * Declarations of many internal functions are moved from ecc.h
465 to ecc-internal.h. The functions are undocumented, and
466 luckily they're apparently also unused by applications, so I
467 don't expect any problems from this change.
471 * Support for curve25519 and for EdDSA25519 signatures.
473 * Support for "fat builds" on x86_64 and arm, where the
474 implementation of certain functions is selected at run-time
475 depending on available cpu features. Configure with
476 --enable-fat to try this out. If it turns out to work well
477 enough, it will likely be enabled by default in later
480 * Support for building the hogweed library (public key
481 support) using "mini-gmp", a small but slower implementation
482 of a subset of the GMP interfaces. Note that builds using
483 mini-gmp are *not* binary compatible with regular builds,
484 and more likely to leak side-channel information.
486 One intended use-case is for small embedded applications
487 which need to verify digital signatures.
489 * The shared libraries are now built with versioned symbols.
490 Should reduce problems in case a program links explicitly to
491 nettle and/or hogweed, and to gnutls, and the program and
492 gnutls expect different versions.
494 * Support for "URL-safe" base64 encoding and decoding, as
495 specified in RFC 4648. Contributed by Amos Jeffries.
499 * New x86_64 implementation of AES, using the "aesni"
500 instructions. Autodetected in fat builds. In non-fat builds,
501 it has to be enabled explicitly with --enable-x86-aesni.
505 * Use the same object files for both static and shared
506 libraries. This eliminates the *.po object files which were
507 confusing to some tools (as well as humans). Like before,
508 PIC code is used by default; to build a non-pic static
509 library, configure with --disable-pic --disable-shared.
513 * Made type-checking hack in CBC_ENCRYPT and similar macros
514 stricter, to generate warnings if they are used with
515 functions which have a length argument smaller than size_t.
517 NEWS for the Nettle 3.0 release
519 This is a major release, including several interface changes,
520 and new features, some of which are a bit experimental.
521 Feedback is highly appreciated.
523 It is *not* binary (ABI) compatible with earlier versions. It
524 is mostly source-level (API) compatible, with a couple of
525 incompatibilities noted below. The shared library names are
526 libnettle.so.5.0 and libhogweed.so.3.0, with sonames
527 libnettle.so.5 and libhogweed.so.3.
529 There may be some problems in the new interfaces and new
530 features which really need incompatible fixes. It is likely
531 that there will be an update in the form of a 3.1 release in
532 the not too distant future, with small but incompatible
533 changes, and if that happens, bugfix-only releases 3.0.x are
534 unlikely. Users and applications which desire better API and
535 ABI stability are advised to stay with nettle-2.7.x (latest
536 version is now 2.7.1) until the dust settles.
540 * For the many _set_key functions, it is now consider the
541 normal case to have a fixed key size, with no key_size
542 arguments. _set_key functions with a length parameter are
543 provided only for algorithms with a truly variable keysize,
544 and where it makes sense for backwards compatibility.
546 INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
547 size argument. The old function is available under a new
550 INCOMPATIBLE CHANGE: The function typedef
551 nettle_set_key_func no longer accepts a key size argument.
552 In particular, this affects users of struct nettle_cipher.
554 * The nettle_cipher abstraction (in nettle-meta.h) is
555 restricted to block ciphers only. The encrypt and decrypt
556 functions now take a const argument for the context.
558 INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
559 abstraction for the arcfour stream cipher, is deleted.
561 INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
562 encrypt and decrypt fields of struct nettle_cipher.
564 * New DSA interface, with a separate struct dsa_param to
565 represent the underlying group, and generalized dsa_sign and
566 dsa_verify functions which don't care about the hash
567 function used. Limited backwards compatibility provided in
570 INCOMPATIBLE CHANGE: Declarations of the old interface,
571 e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to
574 INCOMPATIBLE CHANGE: The various key conversion functions,
575 e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
576 no backwards compatible functions.
578 INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
579 interface. dsa-compat.h declares a function
580 dsa_compat_generate_keypair, implementing the old
581 interface, and #defines dsa_generate_keypair to refer to
582 this backwards compatible function.
584 * New AES and Camellia interfaces. There are now separate
585 context structs for each key size, e.g., aes128_ctx and
586 camellia256_ctx, and corresponding new functions. The old
587 interface, with struct aes_ctx and struct camellia_ctx, is
588 kept for backwards compatibility, but might be removed in
591 * The type of most length arguments is changed from unsigned
592 to size_t. The memxor functions have their pointer arguments
593 changed from uint8_t * to void *, for consistency with
594 related libc functions.
596 * For hash functions, the constants *_DATA_SIZE have been
597 renamed to *_BLOCK_SIZE. Old names kept for backwards
602 * The nettle_next_prime function has been deleted.
603 Applications should use GMP's mpz_nextprime instead.
605 * Deleted the RSAREF compatibility, including the header file
606 rsa-compat.h and everything declared therein.
608 * Also under consideration for removal is des-compat.h and
609 everything declared therein. This implements a subset of the
610 old libdes/ssleay/openssl interface for DES and triple-DES,
611 and it is poorly tested. If anyone uses this interface,
612 please speak up! Otherwise, it will likely be removed in the
617 * Building with ./configure --disable-static now works.
619 * Use GMP's allocation functions for temporary storage related
620 to bignums, to avoid potentially large stack allocations.
622 * Fixes for shared libraries on M$ Windows.
626 * Support for Poly1305-AES MAC.
628 * Support for the ChaCha stream cipher and EXPERIMENTAL
629 support for the ChaCha-Poly1305 AEAD mode. Specifications
630 are still in flux, and future releases may do incompatible
631 changes to track standardization. Currently uses 256-bit key
634 * Support for EAX mode.
636 * Support for CCM mode. Contributed by Owen Kirby.
638 * Additional variants of SHA512 with output size of 224 and
639 256 bits. Contributed by Joachim Strömbergson.
641 * New interface, struct nettle_aead, for mechanisms providing
642 authenticated encryption with associated data (AEAD).
644 * DSA: Support a wider range for the size of q and a wider
645 range for the digest size.
649 * New x86_64 assembly for GCM and MD5. Modest speedups on the
654 * SHA3 is now documented as EXPERIMENTAL. Nettle currently
655 implements SHA3 as specified at the time Keccak won the SHA3
656 competition. However, the final standard specified by NIST
657 is likely to be incompatible, in which case future releases
658 may do incompatible changes to track standardization.
660 * The portability fix for the rotation macros, mentioned in
661 NEWS for 2.7.1, actually didn't make it into that release.
664 * cast128_set_key rewritten for clarity, also eliminating a
665 couple of compiler warnings.
667 * New command line tool nettle-pbkdf2.
669 NEWS for the 2.7.1 release
671 This is a bugfix release.
675 * Fixed a bug in the new ECC code. The ecc_j_to_a function
676 called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping
677 input and output arguments, which is not supported.
679 * The assembly files for SHA1, SHA256 and AES depend on ARMv6
680 instructions, breaking nettle-2.7 for pre-v6 ARM processors.
681 The configure script now enables those assembly files only
682 when building for ARMv6 or later.
684 * Use a more portable C expression for rotations. The
685 previous version used the following "standard" expression
688 (x << n) | (x >> (32 - n))
690 But this gives undefined behavior (according to the C
691 specification) for n = 0. The rotate expression is replaced
692 by the more portable:
694 (x << n) | (x >> ((-n)&31))
696 This change affects only CAST128, which uses non-constant
697 rotation counts. Unfortunately, the new expression is poorly
698 optimized by released versions of gcc, making CAST128 a bit
699 slower. This is being fixed by the gcc hackers, see
700 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
702 The following problems have been reported, but are *not* fixed
705 * ARM assembly files use instruction syntax which is not
706 supported by all assemblers. Workaround: Use a current
707 version of GNU as, or configure with --disable-assembler.
709 * Configuring with --disable-static doesn't work on windows.
711 The libraries are intended to be binary compatible with
712 nettle-2.2 and later. The shared library names are
713 libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
714 libnettle.so.4 and libhogweed.so.2.
716 NEWS for the 2.7 release
718 This release includes an implementation of elliptic curve
719 cryptography (ECC) and optimizations for the ARM architecture.
720 This work was done at the offices of South Pole AB, and
721 generously funded by the .SE Internet Fund.
725 * Fixed a bug in the buffer handling for incremental SHA3
726 hashing, with a possible buffer overflow. Patch by Edgar
731 * Support for ECDSA signatures. Elliptic curve operations over
732 the following curves: secp192r1, secp224r1, secp256r1,
733 secp384r1 and secp521r1, including x86_64 and ARM assembly
734 for the most important primitives.
736 * Support for UMAC, including x86_64 and ARM assembly.
738 * Support for 12-round salsa20, "salsa20r12", as specified by
739 eSTREAM. Contributed by Nikos Mavrogiannopoulos.
743 * ARM assembly code for several additional algorithms,
744 including AES, Salsa20, and the SHA family of hash
747 * x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
748 was included in the 2.6 release, but disabled due to poor
749 performance on some AMD processors. Hopefully, that
750 performance problem is fixed now).
752 The ARM code was tested and benchmarked on Cortex-A9. Some of
753 the functions use "neon" instructions. The configure script
754 decides if neon instructions can be used, and the command line
755 options --enable-arm-neon and --disable-arm-neon can be used
756 to override its choice. Feedback appreciated.
758 The libraries are intended to be binary compatible with
759 nettle-2.2 and later. The shared library names are
760 libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
761 libnettle.so.4 and libhogweed.so.2.
763 NEWS for the 2.6 release
767 * Fixed a bug in ctr_crypt. For zero length (which should be a
768 NOP), it sometimes incremented the counter. Reported by Tim
771 * Fixed a small memory leak in nettle_realloc and
776 * Support for PKCS #5 PBKDF2, to generate a key from a
777 password or passphrase. Contributed by Simon Josefsson.
778 Specification in RFC 2898 and test vectors in RFC 6070.
782 * Support for the GOST R 34.11-94 hash algorithm. Ported from
783 librhash by Nikos Mavrogiannopoulos. Written by Aleksey
784 Kravchenko. More information in RFC4357. Test vectors taken
785 from the GOST hash wikipedia page.
789 * The include file <nettle/sha.h> has been split into
790 <nettle/sha1.h> and <nettle/sha2.h>. For now, sha.h is kept
791 for backwards compatibility and it simply includes both
792 files, but applications are encouraged to use the new names.
793 The new SHA3 functions are declared in <nettle/sha3.h>.
795 * Testsuite can be run under valgrind, using
797 make check EMULATOR='$(VALGRIND)'
799 For this to work, test programs and other executables now
802 * New configure options --disable-documentation and
803 --disable-static. Contributed by Sam Thursfield and Alon
804 Bar-Lev, respectively.
806 * The section on hash functions in the manual is split into
807 separate nodes for recommended hash functions and legacy
810 * Various smaller improvements, most of them portability
811 fixes. Credits go to David Woodhouse, Tim Rühsen, Martin
812 Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis
815 Finally, a note on the naming of the various "SHA" hash
816 functions. Naming is a bit inconsistent; we have, e.g.,
819 SHA2: sha256_digest (not sha2_256_digest)
820 SHA3: sha3_256_digest
822 Renaming the SHA2 functions to make Nettle's naming more
823 consistent has been considered, but the current naming follows
824 common usage. Most documents (including the specification for
825 SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather
828 The libraries are intended to be binary compatible with
829 nettle-2.2 and later. The shared library names are
830 libnettle.so.4.5 and libhogweed.so.2.3, with sonames still
831 libnettle.so.4 and libhogweed.so.2
833 NEWS for the 2.5 release
835 This release includes important portability fixes for Windows
836 and MacOS. There are also a few new features.
838 First a *warning*: Some internal functions have been removed
839 from the library. Since the functions in question are internal
840 and not documented, this is not considered a change of ABI or
841 API. Programs explicitly using any of these functions will
844 * The function pkcs1_signature_prefix has been renamed to
845 _pkcs1_signature_prefix, and with slightly different
848 * The file nettle-internal.c is no longer included in the
849 library (the features defined there are used by the
850 benchmark and test programs, and were never intended for
855 * Support for the salsa20 stream cipher, including x86_64
856 assembler. Originally contributed by Simon Josefsson, based
857 on the reference implementation, then further optimized.
859 * Tentative interface for timing-resistant RSA functions,
860 contributed by Nikos Mavrogiannopoulos.
862 * A more general interface for PKCS#1 signatures, taking the
863 input in the form of a "DigestInfo". Suggested by Nikos
868 * Building of shared libraries (./configure --enable-shared)
869 is now enabled by default.
871 * Various portability fixes for MacOS and M$ Windows. A lot of
872 this work done by Martin Storsjö.
874 * In particular, Nettle now hopefully works on 64-bit Windows
875 builds, "W64", including the x86_64 assembly code.
879 * Documentation and example programs for the base16 and base64
880 functions. Was contributed by Jeronimo Pellegrini back in
881 2006, but unfortunately forgotten until now.
883 * Use an additional table to avoid GF2^8 multiplications in
884 aes_invert_key (mainly used by aes_set_decrypt_key). Also
885 tabulate round constants in aes_set_encrypt_key.
887 * The nettle repository has been migrated from cvs to git,
888 with a public repository at
889 http://git.lysator.liu.se/nettle. To make it independent of
890 the LSH repository, a few files have been moved around.
891 While at it, files have also been converted from latin-1 to
894 The libraries are intended to be binary compatible with
895 nettle-2.2 and later. The shared library names are
896 libnettle.so.4.4 and libhogweed.so.2.2, with sonames still
897 libnettle.so.4 and libhogweed.so.2
899 NEWS for the 2.4 release
901 This is a bugfix release only. It turned out ripemd160 in the
902 2.3 release was broken on all big-endian systems, due to a
903 missing include of config.h. nettle-2.4 fixes this.
905 The library is intended to be binary compatible with
906 nettle-2.2 and nettle-2.3. The shared library names are
907 libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
908 libnettle.so.4 and libhogweed.so.2.
910 NEWS for the 2.3 release
912 * Support for the ripemd-160 hash function.
914 * Generates and installs nettle.pc and hogweed.pc files, for
915 use with pkg-config. Feedback appreciated. For projects
916 using autoconf, the traditional non-pkg-config ways of
917 detecting libraries, and setting LIBS and LDFLAGS, is still
920 * Fixed a bug which made the testsuite fail in the GCM test on
921 certain platforms. Should not affect any documented features
924 * Reorganization of the code for the various Merkle-Damgård
925 hash functions. Some fields in the context structs for md4,
926 md5 and sha1 have been renamed, for consistency.
927 Applications should not peek inside these structs, and the
930 * In the manual, fixed mis-placed const in certain function
933 The library is intended to be binary compatible with
934 nettle-2.2. The shared library names are libnettle.so.4.2 and
935 libhogweed.so.2.1, with sonames still libnettle.so.4 and
938 NEWS for the 2.2 release
942 * Relicensed as LGPL v2.1 or later (user's option).
944 * Replaced blowfish and serpent implementation. New code is
945 based on the LGPLed code in libgcrypt.
949 * Support for Galois/Counter Mode (GCM).
951 * New interface for enumerating (most) available algorithms,
952 contributed by Daniel Kahn Gillmor.
954 * New tool nettle-hash. Can generate hash digests using any
955 supported hash function, with output compatible with md5sum
956 and friends from GNU coreutils. Checking (like md5sum -c)
961 * The old serpent code had a byte order bug (introduced by
962 yours truly about ten years ago). New serpent implementation
963 does not interoperate with earlier versions of nettle.
965 * Fixed ABI-dependent libdir default for Linux-based systems
966 which do not follow the Linux File Hierarchy Standard, e.g.,
971 * x86_64 implemention of serpent.
973 * x86_64 implemention of camellia.
975 * Optimized memxor using word rather than byte operations.
976 Both generic C and x86_64 assembler.
978 * Eliminated a memcpy for in-place CBC decrypt.
982 * In command line tools, no longer support -? for requesting
983 help, since using it without shell quoting is a dangerous
984 habit. Use long option --help instead.
986 The shared library names are libnettle.so.4.1 and
987 libhogweed.so.2.1, with sonames libnettle.so.4 and
990 NEWS for the 2.1 release
992 *Important*: this release breaks source and binary
993 compatibility for the digital signature functions, and for the
994 DES and BLOWFISH ciphers which have weak keys.
996 Incompatible changes:
998 * The functions rsa_md5_sign, rsa_sha1_sign and
999 rsa_sha256_sign, and the corresponding _digest variants, now
1000 have a return value which callers should check. The functions
1001 return failure if the key is too small for the type of
1004 * The functions dsa_sign and dsa_verify are renamed to
1005 dsa_sha1_sign and dsa_sha1_verify. The _-digest variants are
1006 renamed similarly. These functions now have a return value
1007 which callers should check, and they return failure if the
1008 number q is not of the appropriate size.
1010 * The return value from des_set_key, des3_set_key and
1011 blowfish_set_key now indicates whether or not the given key
1012 is weak. But in either case, the key setup is done, and
1013 applications that don't care about weak keys can ignore the
1016 The incompatible part of this change is that enum des_error
1017 and enum blowfish_error has been deleted, and so has the
1018 status attribute in struct des_ctx, struct des3_ctx, and
1019 struct blowfish_ctx.
1021 The shared library names are libnettle.so.4.0 and
1022 libhogweed.so.2.0, with sonames libnettle.so.4 and
1027 * Support for the Camellia block cipher, including an
1028 assembler implementation for x86_32.
1030 * New function aes_invert_key, useful for applications that
1031 need both encryption and decryption using the same AES key.
1033 * des_set_key and des3_set_key no longer check the key parity
1034 bits. Parity bits are silently ignored. A new function
1035 des_check_parity is provided, for applications that care
1036 about the DES parity bits.
1038 * Support for sha224, sha384 and sha512.
1040 * Support for digital signatures using rsa-sha512 and
1041 dsa-sha256. Due to lack of official test vectors and interop
1042 testing, this support should be considered somewhat
1045 * Key generation for RSA and DSA changed to use Maurer's
1046 algorithm to generate provably prime numbers (as usual, the
1047 mathematical proof does not guaranteee that the
1048 implementation is bug free).
1050 * x86_64 assembler implementation actually included in the
1051 distribution (was accidentally left out in nettle-2.0).
1053 * Configure script now detects if the compiler uses a 32-bit
1054 or 64-bit ABI on x86_64 (prevously did this for sparc only).
1055 Also sets the default location for installing libraries
1056 (libdir) depending on system type and the ABI used.
1058 * Added the nettle and gmp libraries as dependencies when
1059 linking shared library libhogweed.so. On systems using
1060 shared libraries where such dependencies work (in
1061 particular, ELF systems), it is sufficient to link
1062 applications with -lhogweed. For static linking -lhogweed
1063 -lnettle -lgmp is still required.
1065 * The program pkcs1-conv is extended to also handle dsa keys.
1066 Contributed by Magnus Holmgren.
1068 * Slightly improved sha1 performance on x86.
1070 NEWS for the 2.0 release
1072 This release breaks binary compatibility by splitting the
1073 library into two. Some other smaller changes that are not
1074 backwards compatible are also done at the same time.
1076 * The nettle library is split into two libraries, libnettle
1077 and libhogweed. libnettle contains the symmetric crypto
1078 algorithms that don't depend on GMP, while libhogweed
1079 contains the public key algorithms that depend on GMP.
1080 Using a single library worked fine with static linking, but
1081 not with dynamic linking. Consider an application that uses
1082 nettle and which doesn't use any public key cryptography. If
1083 this application is linked dynamically to nettle, it would
1084 have to be linked also with GMP if and only if public key
1085 support was enabled when the nettle library was installed.
1087 The library names are libnettle.so.3.0 and
1088 libhogweed.so.1.0, with sonames libnettle.so.3 and
1091 * Function typedefs have been changed to non-pointer types.
1094 typedef void (nettle_hash_init_func *)(void *ctx);
1096 of previous versions is replaced by
1098 typedef void (nettle_hash_init_func)(void *ctx);
1100 This makes it possible to use the type when declaring
1103 nettle_hash_init_func foo_hash_init;
1105 void foo_hash_init(void *ctx) { ... }
1107 * Changes to the yarrow256 interface. The automatic seed file
1108 generation, and the seed_file member in struct
1109 yarrow256_ctx, has been removed. To generate a new seed
1110 file, use yarrow256_random. The function
1111 yarrow256_force_reseed has been replaced by the two
1112 functions yarrow256_fast_reseed and yarrow256_slow_reseed,
1113 which were previously static. This interface change makes it
1114 easier to mix in the current content of the seed file before
1115 overwriting it with newly generated data.
1119 * Nettle manual now contributed to the public domain, to
1120 enable remixing into documentation of programs that use
1123 * The sexp-conv program preserves comments when using the
1124 advanced syntax for output. Optionally locks the output
1127 * The base64 decoder recognizes ASCII FF (form feed) and VT
1128 (vertical tab) as white space.
1130 * New x86_64 implementations of AES and SHA1. On a 2.2 GHz
1131 opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at
1134 * Performance of AES increased by 20-30% on x86.
1136 * New programs in the examples directory: erathostenes and
1139 NEWS for the 1.15 release
1141 Added support for PKCS#1 style RSA signatures using SHA256,
1142 according to RFC 3447. Currently lacks interoperability
1145 Header files are now C++ aware, so C++ programs using Nettle
1146 should now use plain
1148 #include <nettle/foo.h>
1153 #include <nettle/foo.h>
1156 as was the recommendation for the previous version. This
1157 breaks source-level compatibility with C++, even though
1158 there's full binary compatibility.
1160 The file rfc1750.txt (which is considered non-free by debian)
1161 has been removed from the distribution. The file was used as input
1162 for the Yarrow testcase, and has been replaced by the short
1163 story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is
1164 obsoleted by RFC 4086.
1166 Fixes for Darwin shared library support, contributed by Grant
1169 Example programs now use a supplied getopt.c.
1171 Configure tests for assemblers with a logarithmic .align
1174 The library is intended to be upwards binary compatible with
1175 earlier versions. The library name is libnettle.so.2.6, soname
1176 is still libnettle.so.2.
1178 NEWS for the 1.14 release
1180 Experimental support for reading keys in PKCS#1 ASN1/DER
1181 format, and a new command line tool pkcs1-conv.
1183 Improved MD5 performance on x86.
1185 Fixed support for sparc64.
1187 Reorganized AES code. Better performance for all three
1188 implementations (C, x86 assembler, sparc assembler).
1190 New sparc assembler for arcfour. Compared to the code
1191 generated by gcc, the new code is about 25% faster on old
1192 sparcs, and 6 times faster on ultrasparc.
1194 Replaced the internal function nettle_mpz_from_octets with a
1195 call to mpz_import, if available in the installed GMP library.
1197 More Makefile fixes; it now seems to work to build with
1198 the the make programs on Solaris and FreeBSD (although
1199 --disable-dependency-tracking is required for the latter).
1201 The library is intended to be binary compatible with earlier
1202 versions. The library name is libnettle.so.2.5, soname is
1203 still libnettle.so.2.
1205 NEWS for the 1.13 release
1207 Fixed problem with broken m4 on bsd, which resulted in
1208 corrupted x86 assembler for sha1.
1210 Nettle probably works on windows: I've been able to cross
1211 compile it with ./configure --host=i586-mingw32msvc (without
1212 public-key support), and the testsuite binaries seem to run
1215 Implemented CTR mode.
1217 Improved sha1 performance on x86.
1219 Configure check to figure out if symbols in assembler files
1220 need a leading underscore.
1222 Improved benchmark program. Displays cycles per byte and block,
1223 and compares with openssl (if openssl is installed).
1225 Terminating newline in output from sexp-conv --hash.
1227 The library is intended to be binary compatible with earlier
1228 versions. The library name is libnettle.so.2.4. However, the
1229 interface for the internal function _nettle_sha1_compress has
1230 changed; any program that calls this function directly will
1233 NEWS for the 1.12 release
1235 Fixed a bug in the configure script.
1237 Updated the description of aes_set_encrypt_key and
1238 aes_set_decrypt_key in the manual.
1240 NEWS for the 1.11 release
1242 Nettle no longer uses automake. Side effects:
1244 * Dependency tracking is enabled only for gcc-3 (help with
1245 supporting dependency tracking with other compilers is
1248 * Makefile compatibility with make programs other than GNU
1249 make is mostly unknown, please report any problems.
1253 Fixes to the libdes compatibility code. Declarations should
1254 now match openssl/libdes better. des_cbc_cksum pads
1255 input with NUL's, if it's not an integral number of blocks (in
1256 general, such unreversible padding is a bad idea).
1258 By default, also the static library is compiled as position
1259 independent code. This is needed on some systems to make it
1260 possible to link nettle into a dynamically loaded module. Use
1261 the configure flag --disable-pic if this is not desired.
1263 Stricter constness typing for the sexp_iterator_assoc and
1264 sexp_iterator_check_types arguments.
1266 Minor tweaks of arcfour on x86 cpu:s, to speed it up on older
1267 x86 variants such as PII and PPro.
1269 The shared library is intended to be binary compatible with
1270 nettle-1.8 - nettle-1.10. Only the minor version number of the
1271 shared library is increased. The soname is still
1274 NEWS for the 1.10 release
1276 Nettle should now compile also on Tru64, Darwin, FreeBSD and
1277 Windows. (The only tested windows build uses the rntcl rsh
1278 wrapper to run the command line M$ C compiler "cl". See
1279 http://pike.ida.liu.se for those tools, I don't know all
1280 details about the Pike team's windows setup).
1282 There are some known testsuite failures, on Windows and on one
1283 of the xenofarm HPUX machines, see
1284 http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help
1285 tracking these down is appreciated.
1287 There are no new features.
1289 This release is intended to be binary compatible with
1290 nettle-1.8 and nettle-1.9.
1292 NEWS for the 1.9 release
1294 Optimized C implementation of arcfour. Optimized x86
1295 implementations of arcfour and sha1.
1297 Improved benchmark program.
1299 Fixed bug in the rsa-encrypt example program.
1301 Fixed bug in make install, some of the header files were
1304 Portability fixes. Fixes to make Nettle compile on systems
1305 without gmp. This version has been tested on GNU/Linux,
1306 Solaris, HPUX and AIX.
1308 The shared library is intended to be binary compatible with
1309 nettle-1.8. Only the minor version number of the shared
1310 library is increased.
1312 NEWS for the 1.8 release
1314 New example programs, demonstrating encrypting and decrypting
1315 files using RSA, and random sessions keys for bulk encryption
1316 and message authentication.
1318 Support for systems that don't have alloca. On such systems,
1319 some of Nettle's functions have arbitrary limits applied to
1322 Uses AX_CREATE_STDINT_H, to support systems without
1325 Support for the md2 and md4 hash functions.
1327 New name mangling, to reduce the risk of link collisions. All
1328 functions (except memxor) now use a nettle_ or _nettle_ prefix
1329 when seen by the linker. For most functions, the header file
1330 that declares a function also uses #define to provide a
1331 shorter more readable name without the prefix.
1333 The shared library soname for this version is libnettle.so.2.
1335 NEWS for the 1.7 release
1339 Renamed RSA functions for consistency. Now it's
1340 rsa_public_key_init, not rsa_init_public_key, etc.
1342 Both RSA and DSA now have sign/verify functions that take the
1343 hash digest as argument.
1345 A rewritten and much more powerful sexp-conv program.
1347 Other changes to the sexp code, in particular updating it to
1348 the latest SPKI draft.
1350 Building nettle as a shared library (ELF only) seems to work.
1351 The version number is increased, so the library "soname" for
1352 this release is "libnettle.so.1".
1354 Bugfixes. Fixes for build and portability problems.
1356 NEWS for the 1.6 release
1358 Optimized assembler implementations of aes, for sparc and x86.
1360 The aes interface has changed slightly. The function
1361 aes_set_key is no more. Instead one has to use
1362 aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that.
1364 New example programs, rsa-keygen, rsa-sign and rsa-verify,
1365 located in the examples directory.
1367 New configure option --enable-shared, which builds a shared
1368 library. Not tested.
1370 New experimental features, including sexp parsing and
1371 formatting, and changes to base64 encoding and decoding. The
1372 interfaces to these functions are subject to change, and are
1373 documented only in the source code.
1375 NEWS for the 1.5 release
1377 RSA support. Key generation and signatures.
1379 Support for HMAC (RFC-2104).
1381 An implementation of the Yarrow-256 PRNG.
1383 New sections in the manual.
1385 Changed the interface for hash functions. The md5_digest
1386 function is now equivalent to the old sequence of md5_final,
1387 md5_digest, md5_init, and similarly for the other hashing
1388 algorithms. This makes the interface simpler.
1390 NEWS for the 1.0 release
1392 Fixed twofish bug spotted by Jean-Pierre Stierlin.
1396 New RFC-1321-like interface in nettle/md5-compat.h, suggested
1397 by Assar Westerlund.
1399 New libdes-style compatibility interface in nettle/des-compat.h.