* Bug fixes:
- Fix buffer overread in the new sha256 assembly for
powerpc64, as well as a stack alignment issue.
- Added missing nettle_mac structs for hmac-gosthash.
- Fix configure test for valgrind, to not attempt to run
valgrind on executables built using memory sanitizers.
* Re-enable the gcm regression test:
- Remove libnettle-powerpc64-skip-AES-GCM-test.patch
* Remove patches upstream:
- libnettle-powerpc64-sha256-fix-loading-overreads.patch
- libnettle-powerpc64-sha256-adjust-stack-offset-for-non-volatile-registers.patch
- libnettle-powerpc64-remove-m4_unquote-sha256.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=44
* Bug fixes:
- Add missing hash functions sha512_224 and sha512_256 to the
nettle_get_hashes() list. The name values in the
corresponding nettle_hash structs also changed to use
underscore instead of dash, for consistency.
- Fix a few cases of formally undefined calls to memcpy(dst,
NULL, 0), resulting from valid calls to, e.g.,
sha256_update(ctx, 0, NULL).
* New features:
- Support RSA-OAEP encryption. Contributed by Nicolas Mora and Daiki Ueno.
- New function sha3_256_shake_output, new functions
sha3_128_init, sha3_128_update, sha3_128_shake,
sha3_128_shake_output. Contributed by Daiki Ueno.
- Added DRBG-CTR with AES256, contributed by Simon Josefsson.
* Optimizations:
- New combined gcm-aes assembly for powerpc64, contributed by Danny Tsen.
- New sha256 assembly for powerpc64, contributed by Eric Richter.
- Improved performance for powerpc64 AES decrypt, by skipping
subkey transformations that don't suit the vncipher instructions.
- Add arm64 CPU feature detection for Android and for Apple systems,
contributed by Foolbar and Tim Kosse, respectively.
* Miscellaneous:
- New tests for side-channel silence, based on valgrind.
- Delete all md5 assembly code. Delete all sparc32 assembly code.
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=40
- update to 3.8:
This release includes a couple of new features, and many
performance improvements. It adds assembly code for two more
architectures: ARM64 and S390x.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.5 and libhogweed.so.6.5, with sonames
libnettle.so.8 and libhogweed.so.6.
New features:
* AES keywrap (RFC 3394), contributed by Nicolas Mora.
* SM3 hash function, contributed by Tianjia Zhang.
* New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
cbc_aes256_encrypt.
On processors where AES is fast enough, e.g., x86_64 with
aesni instructions, the overhead of using Nettle's general
cbc_encrypt can be significant. The new functions can be
implemented in assembly, to do multiple blocks with reduced
per-block overhead.
Note that there are no corresponding new decrypt functions,
since the general cbc_decrypt doesn't suffer from the same
performance problem.
Bug fixes:
* Fix fat builds for x86_64 Windows; these appear never to
have worked.
Optimizations:
* New ARM64 implementation of AES, GCM, Chacha, SHA1 and
SHA256, for processors supporting crypto extensions. Great
speedups, and fat builds are supported. Contributed by
Mamone Tarsha.
* New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
OBS-URL: https://build.opensuse.org/request/show/988627
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnettle?expand=0&rev=42
OBS-URL: https://build.opensuse.org/request/show/988487
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=27
- GNU Nettle 3.7.3:
* Fix crash for zero input to rsa_sec_decrypt and
rsa_decrypt_tr. Potential denial of service vector.
* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
failure for out of range inputs, instead of either crashing,
or silently reducing input modulo n. Potential denial of
service vector.
* Ensure that rsa_decrypt returns failure for out of range
inputs, instead of silently reducing input modulo n.
* Ensure that rsa_sec_decrypt returns failure if the message
size is too large for the given key. Unlike the other bugs,
this would typically be triggered by invalid local
configuration, rather than by processing untrusted remote
data.
OBS-URL: https://build.opensuse.org/request/show/898784
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=21
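The range checks in the 3.7.3 entry above come down to one rule: a ciphertext c is only acceptable if 0 < c < n, and anything outside that range must be rejected rather than reduced modulo n before exponentiation. The following is an added illustration using a textbook toy key (p = 61, q = 53, n = 3233, e = 17, d = 2753); it is not Nettle code, and the function names are made up here. It shows why silent reduction is a bug class rather than a harmless convenience: a lenient decrypt returns the same plaintext for c, c + n and c + 2n, so distinct inputs are indistinguishable to the caller, while the checked variant fails for c = 0 and for every c >= n.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key: p = 61, q = 53, n = 3233, e = 17, d = 2753. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D 2753u

/* Toy textbook RSA on 64-bit integers, for illustration only (not Nettle
   code). Assumes n < 2^32 so that a product of two residues fits uint64_t. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t r = 1 % n;
    base %= n;
    while (exp) {
        if (exp & 1)
            r = (r * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return r;
}

/* Lenient decrypt: any c is accepted; c >= n is silently reduced mod n,
   which is the behaviour the 3.7.3 entry removes. */
uint64_t rsa_decrypt_lenient(uint64_t c, uint64_t d, uint64_t n)
{
    return powmod(c, d, n);
}

/* Range-checked decrypt: c must satisfy 0 < c < n. Returns 1 and stores the
   plaintext on success, 0 (with *m untouched) on an out-of-range input. */
int rsa_decrypt_checked(uint64_t c, uint64_t d, uint64_t n, uint64_t *m)
{
    if (c == 0 || c >= n)
        return 0;
    *m = powmod(c, d, n);
    return 1;
}

/* Convenience wrapper: the plaintext on success, -1 when the input is rejected. */
long long rsa_decrypt_checked_value(uint64_t c, uint64_t d, uint64_t n)
{
    uint64_t m;
    return rsa_decrypt_checked(c, d, n, &m) ? (long long)m : -1;
}

int main(void)
{
    uint64_t m = 65, c = powmod(m, TOY_E, TOY_N);   /* c == 2790 */
    uint64_t aliases[] = { 0, c, c + TOY_N, c + 2 * TOY_N };
    size_t i;

    for (i = 0; i < sizeof aliases / sizeof aliases[0]; i++) {
        long long v = rsa_decrypt_checked_value(aliases[i], TOY_D, TOY_N);
        printf("c=%5llu  lenient -> %4llu   checked -> %s\n",
               (unsigned long long)aliases[i],
               (unsigned long long)rsa_decrypt_lenient(aliases[i], TOY_D, TOY_N),
               v < 0 ? "rejected" : "ok");
    }
    return 0;
}
```

The check is cheap and entirely on public data, so it belongs before any private-key arithmetic; in a bignum setting the same test is a single comparison against n.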
- Update to 3.4.1 release
* Fix CVE-2018-16869 (bsc#1118086)
All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.
* Changes in behavior:
The functions rsa_decrypt and rsa_decrypt_tr may now clobber
all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that
branches and memory accesses don't depend on the validity or
length of the message. Side-channel leakage from the
caller's use of length and return value may still provide an
oracle usable for a Bleichenbacher-style chosen ciphertext
attack, which is why the new function rsa_sec_decrypt is
recommended.
* New features:
A new function rsa_sec_decrypt.
* Bug fixes:
- Fix bug in pkcs1-conv, missing break statements in the
parsing of PEM input files.
- Fix link error on the pss-mgf1-test test, affecting builds
without public key support.
OBS-URL: https://build.opensuse.org/request/show/662469
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=5
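The 3.4.1 entry above draws a distinction that is easy to miss: rsa_decrypt_tr is side-channel silent inside the library, but a caller that branches on the return value, or on the reported message length, recreates the padding oracle one layer up. rsa_sec_decrypt closes the length channel by making the caller commit to the expected message length in advance. The following added example (not Nettle code; the function names, the constant-time helpers and the sample encoded messages are constructed here) works at the PKCS#1 v1.5 padding layer, where the difference lives: a variable-length unpad in the style of rsa_decrypt's interface, which returns early and reports a data-dependent length, beside a fixed-length unpad in the style of rsa_sec_decrypt, which scans every byte with a loop bound that depends only on public sizes, always performs the copy, and computes its status arithmetically.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define K 32            /* modulus size in bytes for the constructed samples */
#define EXPECTED_LEN 16 /* message length the application has committed to */

/* Constant-time helpers: return 1 or 0 with no data-dependent branch.
   Inputs are bytes or small sizes, so x < 2^31 holds. */
static uint32_t ct_is_zero(uint32_t x) { return (x - 1u) >> 31; }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }

/* Variable-length unpad of EM = 00 || 02 || PS || 00 || M, the shape of
   rsa_decrypt's interface. The early returns and the data-dependent *length
   are exactly the signal a Bleichenbacher oracle consumes from the caller. */
int pkcs1_unpad_variable(const uint8_t *em, size_t k, uint8_t *msg, size_t *length)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;
    if (i == k || i < 10)       /* no separator, or PS shorter than 8 bytes */
        return 0;
    *length = k - (i + 1);
    memcpy(msg, em + i + 1, *length);
    return 1;
}

/* Fixed-length unpad in the style of rsa_sec_decrypt: the caller names the
   message length, the loop bound depends only on k and length, every byte is
   inspected, the copy always happens, and the status is arithmetic. */
int pkcs1_sec_unpad_fixed(const uint8_t *em, size_t k, uint8_t *msg, size_t length)
{
    uint32_t ok;
    size_t i, sep;

    /* Public-size check only: a key too small for the configured length is a
       local configuration error, not a secret-dependent branch. */
    if (k < 11 || length > k - 11)
        return 0;
    sep = k - length - 1;               /* where the 0x00 separator must sit */

    ok = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (i = 2; i < sep; i++)
        ok &= 1u ^ ct_is_zero(em[i]);   /* every PS byte must be nonzero */
    ok &= ct_eq(em[sep], 0x00);

    memcpy(msg, em + sep + 1, length);  /* unconditional, valid or not */
    return (int)ok;
}

/* Builds a constructed K-byte EM: b0 || b1 || PS (0xAB bytes) || 00 || msg. */
static void build_em(uint8_t em[K], uint8_t b0, uint8_t b1, const char *msg, size_t msg_len)
{
    size_t ps_len = K - 3 - msg_len;
    em[0] = b0;
    em[1] = b1;
    memset(em + 2, 0xAB, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, msg, msg_len);
}

/* Runs both unpadders over one constructed EM. Returns bit 0 = variable unpad
   accepted, bit 1 = fixed unpad accepted; *var_len receives the length the
   variable unpad reported, i.e. what a caller-side oracle would leak. */
int run_case(size_t msg_len, uint8_t b0, uint8_t b1, size_t *var_len)
{
    static const char text[] = "0123456789abcdef01234567";  /* constructed, 24 bytes */
    uint8_t em[K], out_var[K], out_fixed[K];
    int code = 0;

    build_em(em, b0, b1, text, msg_len);
    *var_len = 0;
    if (pkcs1_unpad_variable(em, K, out_var, var_len))
        code |= 1;
    if (pkcs1_sec_unpad_fixed(em, K, out_fixed, EXPECTED_LEN))
        code |= 2;
    return code;
}

/* Same as run_case, with the reported length packed above bit 8. */
int run_case_packed(size_t msg_len, uint8_t b0, uint8_t b1)
{
    size_t len;
    int code = run_case(msg_len, b0, b1, &len);
    return code | (int)(len << 8);
}

int main(void)
{
    struct { const char *what; size_t len; uint8_t b0, b1; } cases[] = {
        { "valid, 16-byte message",          16, 0x00, 0x02 },
        { "conformant, but 10-byte message", 10, 0x00, 0x02 },
        { "conformant, PS only 5 bytes",     24, 0x00, 0x02 },
        { "wrong block type",                16, 0x00, 0x01 },
    };
    size_t i, len;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int code = run_case(cases[i].len, cases[i].b0, cases[i].b1, &len);
        printf("%-33s variable: %s (len %zu)  fixed: %s\n", cases[i].what,
               (code & 1) ? "accept" : "reject", len, (code & 2) ? "accept" : "reject");
    }
    return 0;
}
```

The second case is the one that matters: the block is PKCS#1-conformant, so the variable-length path accepts it and hands the caller a length of 10, which is precisely the bit of information a chosen-ciphertext attacker wants; the fixed-length path rejects it with the same memory access pattern and the same amount of work as for a valid block. The real rsa_sec_decrypt call follows the same discipline one layer down: pick the length from the protocol or configuration, not from the ciphertext, and keep whatever the caller does with the 0/1 result as uniform as possible.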