Commit 7a47bfd8 authored by Apertis CI's avatar Apertis CI
Browse files

Import Upstream version 3.7

parent 52d04f74
# nettle -- Information about our contribution rules
# Test suite:
New functionality should be accompanied by a test case which verifies
its correctness, on successful use of the new functionality, as well as on
failure cases. The nettle test suite is run on "make check".
# Continuous Integration (CI)
We utilize a continuous integration systems, using gitlab-ci.
This is run on a repository mirror at:
# Sending patches
Please do not utilize the gitlab web interfaces. They are not
being followed on. Please send your patches to
This diff is collapsed.
This diff is collapsed.
NEWS for the Nettle 3.7 release
This release adds one new feature, the bcrypt password hashing
function, and lots of optimizations. There's also one
important change to how Nettle is configured: Fat builds are
now on by default.
The release adds PowerPC64 assembly for a few algorithms,
resulting in great speedups. Benchmarked on a Power9 machine,
speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5
times for Chacha. For fat builds (now the default), the new
code is used automatically, on processors supporting the needed
instruction set extensions.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are and, with sonames and
New features:
* Support for bcrypt, contributed by Stephen R. van den Berg.
* Much faster AES and GCM on PowerPC64 processors supporting
the corresponding crypto extensions. Contributed by Mamone
* Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon.
* Speed of Salsa20 improved on x86_64 and ARM Neon.
* Overhaul of some elliptic curve primitives, improving ECDSA
signature speed.
* Fat builds are enabled by default on the architectures where
it is supported (x86_64, arm and powerpc64). To disable
runtime selection, and instead specify the processor flavor
at configure time, you need to pass --disable-fat to the
configure script.
Known issues:
* The ARM assembly code in this release doesn't work correctly
on big-endian ARM systems. This will hopefully be fixed in a
later release.
* Use a few more gmp-6.1 functions: mpn_cnd_add_n,
mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal
Nettle functions.
* Convert all assembly files to use the default m4 quote
NEWS for the Nettle 3.6 release
This release adds a couple of new features, most notable being
support for ED448 signatures.
It is not binary compatible with earlier releases. The shared
library names are and, with
sonames and The changed
sonames are mainly to avoid upgrade problems with recent
GnuTLS versions, that depend on Nettle internals outside of
the advertised ABI. But also because of the removal of
internal poly1305 functions which were undocumented but
declared in an installed header file, see Interface changes
New features:
* Support for Curve448 and ED448 signatures. Contributed by
Daiki Ueno.
* Support for SHAKE256 (SHA3 variant with arbitrary output
size). Contributed by Daiki Ueno.
* Support for SIV-CMAC (Synthetic Initialization Vector) mode,
contributed by Nikos Mavrogiannopoulos.
* Support for CMAC64, contributed by Dmitry Baryshkov.
* Support for the "CryptoPro" variant of the GOST hash
function, as gosthash94cp. Contributed by Dmitry Baryshkov.
* Support for GOST DSA signatures, including GOST curves
gc256b and gc512a. Contributed by Dmitry Baryshkov.
* Support for Intel CET in x86 and x86_64 assembly files, if
enabled via CFLAGS (gcc --fcf-protection=full). Contributed
by H.J. Lu and Simo Sorce.
* A few new functions to improve support for the Chacha
variant with 96-bit nonce and 32-bit block counter (the
existing functions use nonce and counter of 64-bit each),
and functions to set the counter. Contributed by Daiki Ueno.
* New interface, struct nettle_mac, for MAC (message
authentication code) algorithms. This abstraction is only
for MACs that don't require a per-message nonce. For HMAC,
the key size is fixed, and equal the digest size of the
underlying hash function.
Bug fixes:
* Fix bug in cfb8_decrypt. Previously, the IV was not updated
correctly in the case of input data shorter than the block
size. Reported by Stephan Mueller, fixed by Daiki Ueno.
* Fix configure check for __builtin_bswap64, the incorrect
check would result in link errors on platforms missing this
function. Patch contributed by George Koehler.
* All use of old-fashioned suffix rules in the Makefiles have
been replaced with %-pattern rules. Nettle's use of suffix
rules in earlier versions depended on undocumented GNU make
behavior, which is being deprecated in GNU make 4.3.
Building with other make programs than GNU make is untested
and unsupported. (Building with BSD make or Solaris make
used to work years ago, but has not been tested recently).
Interface changes:
* Declarations of internal poly1305.h functions have been
removed from the header file poly1305.h, to make it clear
that they are not part of the advertised API or ABI.
* Building the public key support of nettle now requires GMP
version 6.1.0 or later (unless --enable-mini-gmp is used).
* A fair amount of changes to ECC internals, with a few
deleted and a few new fields in the internal struct
ecc_curve. Files and functions have been renamed to more
consistently match the curve name, e.g., ecc-256.c has been
renamed to ecc-secp256r1.c.
* Documentation for chacha-poly1305 updated. It is no longer
experimental. The implementation was updated to follow RFC
8439 in Nettle-3.1, but that was not documented or announced
at the time.
NEWS for the Nettle 3.5.1 release
The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
The new directory x86_64/sha_ni were missing in the tar file,
breaking x86_64 builds with --enable-fat, and producing worse
performance than promised for builds with --enable-x86-sha-ni.
Also a few unused in-progress assembly files were accidentally
included in the tar file.
These problems are corrected in Nettle-3.5.1. There are no
other changes, and also the library version numbers are
NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations,
and deletes or deprecates a few obsolete features. It is *not*
binary (ABI) compatible with earlier versions. Except for
deprecations listed below, it is intended to be fully
source-level (API) compatible with Nettle-3.4.1.
The shared library names are and, with sonames and
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher
to process more than one block at a time. This is not a
change to the documented behavior, but unfortunately breaks
assumptions accidentally made in GnuTLS, up to and including
version 3.6.1.
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single
octet per block cipher operation), contributed by Dmitry
* Support for CMAC (RFC 4493), contributed by Nikos
* Support for XTS mode, contributed by Simo Sorce.
* Improved performance of the x86_64 AES implementation using
the aesni instructions. Gives a large speedup for operations
processing multiple blocks at a time (including CTR mode,
GCM mode, and CBC decrypt, but *not* CBC encrypt).
* Improved performance for CTR mode, for the common case of
16-byte block size. Pass more data at a time to underlying
block cipher, and fill the counter blocks more efficiently.
Extension to also handle GCM mode efficiently contributed
by Nikos Mavrogiannopoulos.
* New x86_64 implementation of sha1 and sha256, for processors
supporting the sha_ni instructions. Speedup of 3-5 times on
affected processors.
* Improved parameters for the precomputation of tables used
for ecc signatures. Roughly 10%-15% speedup of the ecdsa
sign operation using the secp_256r1, secp_384r1 and
secp_521r1 curves, and 25% speedup of ed25519 sign
operation, benchmarked on x86_64. Table sizes unchanged,
around 16 KB per curve.
* In ARM fat builds, automatically select Neon implementation
of Chacha, where possible. Contributed by Yuriy M.
Deleted features:
* The header file des-compat.h and everything declared therein
has been deleted, as announced earlier. This file provided a
subset of the old libdes/ssleay/openssl interface for DES
and triple-DES. DES is still supported, via the functions
declared in des.h.
* Functions using the old struct aes_ctx have been marked as
deprecated. Use the fixed key size interface instead, e.g.,
struct aes256_ctx, introduced in Nettle-3.0.
* The header file nettle-stdint.h, and corresponding autoconf
tests, have been deleted. Nettle now requires that the
compiler/libc provides <stdint.h>.
* Support for big-endian ARM systems, contributed by Michael
* The programs aesdata, desdata, twofishdata, shadata and
gcmdata are no longer built by default. Makefile
improvements contributed by Jay Foad.
* The "example" program examples/eratosthenes.c has been
* The contents of hash context structs, and the deprecated
aes_ctx struct, have been reorganized, to enable later
The shared library names are and
NEWS for the Nettle 3.4.1 release
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and include one new
public function, rsa_sec_decrypt, see below.
All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
still leak. I'm not aware of any attacks on RSA where knowing
a few bits of the factors makes a significant difference. This
leak will likely be plugged in later GMP versions.
Changes in behavior:
* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle useable for a Bleichenbacher-style chosen ciphertext
attack. Which is why the new function rsa_sec_decrypt is
New features:
* A new function rsa_sec_decrypt. It differs from
rsa_decrypt_tr in that the length of the decrypted message
is given a priori, and PKCS#1 padding indicating a different
length is treated as an error. For applications that may be
subject to chosen ciphertext attacks, it is recommended to
initialize the message area with random data, call this
function, and ignore the return value. This applies in
particular to RSA-based key exchange in the TLS protocol.
Bug fixes:
* Fix bug in pkcs1-conv, missing break statements in the
parsing of PEM input files.
* Fix link error on the pss-mgf1-test test, affecting builds
without public key support.
Performance regression:
* All RSA private key operations employing RSA blinding, i.e.,
rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
rsa_compute_root_tr, are significantly slower. This is
because (i) RSA blinding now use side-channel silent
operations, (ii) blinding includes a modular inversion, and
(iii) side-channel silent modular inversion, implemented as
mpn_sec_invert, is very expensive. A 60% slowdown for
2048-bit RSA keys have been measured.
* Building the public key support of nettle now requires GMP
version 6.0 or later (unless --enable-mini-gmp is used).
The shared library names are and, with sonames still and It is intended to be fully binary compatible
with nettle-3.1.
NEWS for the Nettle 3.4 release
This release fixes bugs and adds a few new features. It also
addresses an ABI compatibility issue affecting Nettle-3.1 and
later, see below.
Bug fixes:
* Fixed an improper use of GMP mpn_mul, breaking curve2559 and
eddsa on certain platforms. Reported by Sergei Trofimovich.
* Fixed memory leak when handling invalid signatures in
ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.
* Fix compilation error with --enable-fat om ARM. Fix
contributed by Andreas Schneider.
* Reorganized the way certain data items are made available.
Short version: Nettle header files now define the symbols
nettle_hashes, nettle_ciphers, and nettle_aeads, as
preprocessor macros invoking a corresponding accessor
function. For backwards ABI compatibility, the symbols are
still present in the compiled libraries, and with the same
sizes as in nettle-3.3.
New features:
* Support for RSA-PSS signatures, contributed by Daiki Ueno.
* Support for the HKDF key derivation function, defined by RFC
5869. Contributed by Nikos Mavrogiannopoulos.
* Support for the Cipher Feedback Mode (CFB), contributed by
Dmitry Eremin-Solenikov.
* New accessor functions: nettle_get_hashes,
nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
nettle_get_secp_224r1, nettle_get_secp_256r1,
nettle_get_secp_384r1, nettle_get_secp_521r1.
For source-level compatibility with future versions,
applications are encouraged to migrate to using these
functions instead of referring to the corresponding data
items directly.
* The base16 and base64 functions now use the type char * for
ascii data, rather than uint8_t *. This eliminates the last
pointer-signedness warnings when building Nettle. This is a
minor API change, and applications may need to be adjusted,
but the ABI is unaffected on all platforms I'm aware of.
* The contents of the header file nettle/version.h is now
architecture independent, except in --enable-mini-gmp
ABI issue:
Since the breakage was a bit subtle, let me document it
here. The nettle and hogweed libraries export a couple of
data symbols, and for some of these, the size was never
intended to be part of the ABI. E.g.,
extern const struct nettle_hash * const nettle_hashes[];
which is an NULL-terminated array.
It turns out the sizes nevertheless may leak into the ABI, and
that increasing the sizes can break old executables linked
with a newer version of the library.
When linking a classic non-PIE executable with a shared
library, we get ELF relocations of type R_X86_64_COPY for
references to data items. These mean that the linker allocates
space for the data item in the data segment of executable, at
a fixed address determined at link-time, and with size
extracted from the version of the .so-file seen when linking.
At load time, the run time linker then copies the contents of
the symbol from the .so file to that location, and uses the
copy instead of the version loaded with the .so-file. And if
the data item in the .so file used at load time is larger than
the data item seen at link time, it is silently truncated in
the process.
So when SHA3 hashes were was added to the nettle_hashes array
in the nettle-3.3 release, this way of linking produces a
truncated array at load time, no longer NULL-terminated.
We will get similar problems for planned extensions of the
internal struct ecc_curve, and exported data items like
extern const struct ecc_curve nettle_secp_256r1;
where the ecc_curve struct is only forward declared in the
public headers. To prepare, applications should migrate to
using the new function nettle_get_secp_256r1, and similarly
for the other curves.
In some future version, the plan is to add a leading
underscore to the name of the actual data items. E.g.,
nettle_hashes --> _nettle_hashes, breaking the ABI, while
keeping the nettle_get_hashes function and the nettle_hashes
macro as the supported ways to access it. We will also
rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
both ABI and API.
Note that data items like nettle_sha256 are *not* affected,
since the size and layout of this struct is considered part
of the ABI, and R_X86_64_COPY-relocations then work fine.
The shared library names are and, with sonames still and It is intended to be fully binary compatible
with nettle-3.1.
NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
Changes in behavior:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
allowed such keys, even if results of using them were bogus).
Nettle applications are required to call
rsa_private_key_prepare and check the return value, before
using any other RSA private key functions; failing to do so
may result in crashes for invalid private keys. As a
workaround for versions of Gnutls which don't use
rsa_private_key_prepare, additional checks for even moduli
are added to the rsa_*_tr functions which are used by all
recent versions of Gnutls.
* Ignore bit 255 of the x coordinate of the input point to
curve25519_mul, as required by RFC 7748. To differentiate at
compile time, curve25519.h defines the constant
* RSA and DSA now use side-channel silent modular
exponentiation, to defend against attacks on the private key
from evil processes sharing the same processor cache. This
attack scenario is of particular relevance when running an
HTTPS server on a virtual machine, where you don't know who
you share the cache hardware with.
(Private key operations on elliptic curves were already
side-channel silent).
Bug fixes:
* Fix sexp-conv crashes on invalid input. Reported by Hanno
* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
* Fix a couple of formally undefined shift operations,
reported by Nikos Mavrogiannopoulos.
* Fix compilation with c89. Reported by Henrik Grubbström.
New features:
* New function memeql_sec, for side-channel silent comparison
of two memory areas.
* Building the public key support of nettle now requires GMP
version 5.0 or later (unless --enable-mini-gmp is used).
* Filenames of windows DLL libraries now include major number
only. So the dll names change at the same time as the
corresponding soname on ELF platforms. Fixed by Nikos
* Eliminate most pointer-signedness warnings. In the process,
the strings representing expression type for sexp_interator
functions were changed from const uint8_t * to const char *.
These functions are undocumented, and it doesn't change the
ABI on any platform I'm aware of.
The shared library names are and, with sonames still and It is intended to be fully binary compatible
with nettle-3.1.
NEWS for the Nettle 3.2 release
Bug fixes:
......@@ -30,7 +30,9 @@ information on how these licenses apply).
If you have downloaded a Nettle release, build it with the usual
./configure && make && make check && make install (see the INSTALL
file for further instructions).
file for further instructions). Using GNU make is strongly
recommended. Nettle's support for public key algorithms, such as RSA
and ECDSA, depends on the GNU GMP library.
You can also get Nettle from git, see for current instructions. In
......@@ -42,6 +44,8 @@ Read the manual. Mail me if you have any questions or suggestions.
You may want to subscribe to the nettle-bugs mailing list. See
See for information on contibuting patches.
Happy hacking,
/Niels Möller <>
Public key support, analogous to that provided by RSAREF. Suggested by
Dan Egnor. Signatures are done now, but RSA encryption is still
missing. References:
More feedback modes, in order of decreasing priority: CBC-MAC, OFB,
and CFB. Suggested by Rafael 'Dido' Sevilla. References:
Valgrind reports errors on the des-compat test program. Investigate.
The make rules for building position independent *_p.o files doesn't
get dependencies right.
This diff is collapsed.
......@@ -40,6 +40,16 @@
#include "aes-internal.h"
#include "macros.h"
/* For fat builds */
#if HAVE_NATIVE_aes_decrypt
_nettle_aes_decrypt_c(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
size_t length, uint8_t *dst,
const uint8_t *src);
#define _nettle_aes_decrypt _nettle_aes_decrypt_c
_nettle_aes_decrypt(unsigned rounds, const uint32_t *keys,
const struct aes_table *T,
......@@ -36,6 +36,7 @@
#include <assert.h>
#include <stdlib.h>
#include "aes-internal.h"
......@@ -349,9 +350,19 @@ aes_decrypt(const struct aes_ctx *ctx,
size_t length, uint8_t *dst,
const uint8_t *src)
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table,
length, dst, src);
switch (ctx->key_size)
default: abort();
case AES128_KEY_SIZE:
aes128_decrypt(&ctx->u.ctx128, length, dst, src);
case AES192_KEY_SIZE:
aes192_decrypt(&ctx->u.ctx192, length, dst, src);
case AES256_KEY_SIZE:
aes256_decrypt(&ctx->u.ctx256, length, dst, src);
......@@ -360,8 +371,8 @@ aes128_decrypt(const struct aes128_ctx *ctx,
const uint8_t *src)
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
_nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
......@@ -370,8 +381,8 @@ aes192_decrypt(const struct aes192_ctx *ctx,
const uint8_t *src)
assert(!(length % AES_BLOCK_SIZE) );
_aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
_nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table,
length, dst, src);
......@@ -380,6 +391,6 @@ aes256_decrypt(const struct aes256_ctx *ctx,
const uint8_t *src)
assert(!(length % AES_BLOCK_SIZE) );