Member "nettle-3.7.3/NEWS" (6 Jun 2021, 60337 Bytes) of package /linux/privat/nettle-3.7.3.tar.gz


NEWS for the Nettle 3.7.3 release

	This is a bugfix release, fixing bugs that could make the RSA
	decryption functions crash on invalid inputs.

	Upgrading to the new version is strongly recommended. For
	applications that want to support older versions of Nettle,
	the bug can be worked around by adding a check that the RSA
	ciphertext is in the range 0 < ciphertext < n, before
	attempting to decrypt it.

	Thanks to Paul Schaub and Justus Winter for reporting these
	problems.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.4 and libhogweed.so.6.4, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix crash for zero input to rsa_sec_decrypt and
	  rsa_decrypt_tr. Potential denial of service vector.

	* Ensure that both rsa_decrypt_tr and rsa_sec_decrypt return
	  failure for out of range inputs, instead of either crashing
	  or silently reducing the input modulo n. Potential denial of
	  service vector.

	* Ensure that rsa_decrypt returns failure for out of range
	  inputs, instead of silently reducing the input modulo n.

	* Ensure that rsa_sec_decrypt returns failure if the message
	  size is too large for the given key. Unlike the other bugs,
	  this would typically be triggered by invalid local
	  configuration, rather than by processing untrusted remote
	  data.

NEWS for the Nettle 3.7.2 release

	This is a bugfix release, fixing a bug in ECDSA signature
	verification that could lead to a denial of service attack
	(via an assertion failure) or possibly incorrect results. It
	also fixes a few related problems where scalars are required
	to be canonically reduced modulo the ECC group order, but in
	fact may be slightly larger.

	Upgrading to the new version is strongly recommended.

	Even when no assert is triggered in ecdsa_verify, ECC point
	multiplication may get invalid intermediate values as input,
	and produce incorrect results. It's trivial to construct
	alleged signatures that result in invalid intermediate values.
	It appears difficult to construct an alleged signature that
	makes the function misbehave in such a way that an invalid
	signature is accepted as valid, but such attacks can't be
	ruled out without further analysis.

	Thanks to Guido Vranken for setting up the fuzzer tests that
	uncovered this problem.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.3 and libhogweed.so.6.3, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fixed bug in ecdsa_verify, and added a corresponding test
	  case.

	* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

	* Similar fixes to eddsa signatures. The problem is less severe
	  for these curves, because (i) the potentially out of range
	  value is derived from the output of a hash function, making
	  it harder for the attacker to hit the narrow range of
	  problematic values, and (ii) the ecc operations are
	  inherently more robust, and my current understanding is that
	  unless the corresponding assert is hit, the verify
	  operation should complete with a correct result.

	* Fix to ecdsa_sign, which with a very low probability could
	  return out of range signature values, which would be
	  rejected immediately by a verifier.

NEWS for the Nettle 3.7.1 release

	This is primarily a bug fix release, fixing a couple of
	problems found in Nettle-3.7.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.2 and libhogweed.so.6.2, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix bug in chacha counter update logic. The problem affected
	  ppc64 and ppc64el, with the new altivec assembly code
	  enabled. Reported by Andreas Metzler, after breakage in
	  GnuTLS tests on ppc64.

	* Support for big-endian ARM platforms has been restored.
	  Fixes contributed by Michael Weiser.

	* Fix build problem on OpenBSD/powerpc64, reported by Jasper
	  Lievisse Adriaanse.

	* Fix corner case bug in ECDSA verify, which would produce an
	  incorrect result in the unlikely case of an all-zero
	  message hash. Reported by Guido Vranken.

	New features:

	* Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512,
	  contributed by Nicolas Mora.

	Miscellaneous:

	* Poorly performing ARM Neon code for doing single-block
	  Salsa20 and Chacha has been deleted. The code to do two or
	  three blocks in parallel, introduced in Nettle-3.7, is
	  unchanged.

NEWS for the Nettle 3.7 release

	This release adds one new feature, the bcrypt password hashing
	function, and lots of optimizations. There's also one
	important change to how Nettle is configured: Fat builds are
	now on by default.

	The release adds PowerPC64 assembly for a few algorithms,
	resulting in great speedups. Benchmarked on a Power9 machine,
	speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5
	times for Chacha. For fat builds (now the default), the new
	code is used automatically, on processors supporting the needed
	instruction set extensions.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.1 and libhogweed.so.6.1, with sonames
	libnettle.so.8 and libhogweed.so.6.

	New features:

	* Support for bcrypt, contributed by Stephen R. van den Berg.

	Optimizations:

	* Much faster AES and GCM on PowerPC64 processors supporting
	  the corresponding crypto extensions. Contributed by Mamone
	  Tarsha.

	* Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon.

	* Speed of Salsa20 improved on x86_64 and ARM Neon.

	* Overhaul of some elliptic curve primitives, improving ECDSA
	  signature speed.

	Configure:

	* Fat builds are enabled by default on the architectures where
	  they are supported (x86_64, arm and powerpc64). To disable
	  runtime selection, and instead specify the processor flavor
	  at configure time, you need to pass --disable-fat to the
	  configure script.

	Known issues:

	* The ARM assembly code in this release doesn't work correctly
	  on big-endian ARM systems. This will hopefully be fixed in a
	  later release.

	Miscellaneous:

	* Use a few more gmp-6.1 functions: mpn_cnd_add_n,
	  mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal
	  Nettle functions.

	* Convert all assembly files to use the default m4 quote
	  characters.

NEWS for the Nettle 3.6 release

	This release adds a couple of new features, most notable being
	support for ED448 signatures.

	It is not binary compatible with earlier releases. The shared
	library names are libnettle.so.8.0 and libhogweed.so.6.0, with
	sonames libnettle.so.8 and libhogweed.so.6. The changed
	sonames are mainly to avoid upgrade problems with recent
	GnuTLS versions, which depend on Nettle internals outside of
	the advertised ABI. But also because of the removal of
	internal poly1305 functions which were undocumented but
	declared in an installed header file, see Interface changes
	below.

	New features:

	* Support for Curve448 and ED448 signatures. Contributed by
	  Daiki Ueno.

	* Support for SHAKE256 (SHA3 variant with arbitrary output
	  size). Contributed by Daiki Ueno.

	* Support for SIV-CMAC (Synthetic Initialization Vector) mode,
	  contributed by Nikos Mavrogiannopoulos.

	* Support for CMAC64, contributed by Dmitry Baryshkov.

	* Support for the "CryptoPro" variant of the GOST hash
	  function, as gosthash94cp. Contributed by Dmitry Baryshkov.

	* Support for GOST DSA signatures, including GOST curves
	  gc256b and gc512a. Contributed by Dmitry Baryshkov.

	* Support for Intel CET in x86 and x86_64 assembly files, if
	  enabled via CFLAGS (gcc -fcf-protection=full). Contributed
	  by H.J. Lu and Simo Sorce.

	* A few new functions to improve support for the Chacha
	  variant with 96-bit nonce and 32-bit block counter (the
	  existing functions use nonce and counter of 64-bit each),
	  and functions to set the counter. Contributed by Daiki Ueno.

	* New interface, struct nettle_mac, for MAC (message
	  authentication code) algorithms. This abstraction is only
	  for MACs that don't require a per-message nonce. For HMAC,
	  the key size is fixed, and equal to the digest size of the
	  underlying hash function.

	Bug fixes:

	* Fix bug in cfb8_decrypt. Previously, the IV was not updated
	  correctly in the case of input data shorter than the block
	  size. Reported by Stephan Mueller, fixed by Daiki Ueno.

	* Fix configure check for __builtin_bswap64, the incorrect
	  check would result in link errors on platforms missing this
	  function. Patch contributed by George Koehler.

	* All use of old-fashioned suffix rules in the Makefiles has
	  been replaced with %-pattern rules. Nettle's use of suffix
	  rules in earlier versions depended on undocumented GNU make
	  behavior, which is being deprecated in GNU make 4.3.

	  Building with other make programs than GNU make is untested
	  and unsupported. (Building with BSD make or Solaris make
	  used to work years ago, but has not been tested recently).

	Interface changes:

	* Declarations of internal poly1305 functions have been
	  removed from the header file poly1305.h, to make it clear
	  that they are not part of the advertised API or ABI.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 6.1.0 or later (unless --enable-mini-gmp is used).

	* A fair amount of changes to ECC internals, with a few
	  deleted and a few new fields in the internal struct
	  ecc_curve. Files and functions have been renamed to more
	  consistently match the curve name, e.g., ecc-256.c has been
	  renamed to ecc-secp256r1.c.

	* Documentation for chacha-poly1305 updated. It is no longer
	  experimental. The implementation was updated to follow RFC
	  8439 in Nettle-3.1, but that was not documented or announced
	  at the time.

NEWS for the Nettle 3.5.1 release

	Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
	The new directory x86_64/sha_ni was missing from the tar file,
	breaking x86_64 builds with --enable-fat, and producing worse
	performance than promised for builds with --enable-x86-sha-ni.
	Also, a few unused in-progress assembly files were accidentally
	included in the tar file.

	These problems are corrected in Nettle-3.5.1. There are no
	other changes, and the library version numbers are also
	unchanged.

NEWS for the Nettle 3.5 release

	This release adds a couple of new features and optimizations,
	and deletes or deprecates a few obsolete features. It is *not*
	binary (ABI) compatible with earlier versions. Except for
	deprecations listed below, it is intended to be fully
	source-level (API) compatible with Nettle-3.4.1.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0, with sonames libnettle.so.7 and
	libhogweed.so.5.

	Changes in behavior:

	* Nettle's gcm_crypt will now call the underlying block cipher
	  to process more than one block at a time. This is not a
	  change to the documented behavior, but unfortunately breaks
	  assumptions accidentally made in GnuTLS, up to and including
	  version 3.6.1.

	New features:

	* Support for CFB8 (Cipher Feedback Mode, processing a single
	  octet per block cipher operation), contributed by Dmitry
	  Eremin-Solenikov.

	* Support for CMAC (RFC 4493), contributed by Nikos
	  Mavrogiannopoulos.

	* Support for XTS mode, contributed by Simo Sorce.

	Optimizations:

	* Improved performance of the x86_64 AES implementation using
	  the aesni instructions. Gives a large speedup for operations
	  processing multiple blocks at a time (including CTR mode,
	  GCM mode, and CBC decrypt, but *not* CBC encrypt).

	* Improved performance for CTR mode, for the common case of
	  16-byte block size. Pass more data at a time to the underlying
	  block cipher, and fill the counter blocks more efficiently.
	  Extension to also handle GCM mode efficiently contributed
	  by Nikos Mavrogiannopoulos.

	* New x86_64 implementation of sha1 and sha256, for processors
	  supporting the sha_ni instructions. Speedup of 3-5 times on
	  affected processors.

	* Improved parameters for the precomputation of tables used
	  for ecc signatures. Roughly 10%-15% speedup of the ecdsa
	  sign operation using the secp_256r1, secp_384r1 and
	  secp_521r1 curves, and 25% speedup of ed25519 sign
	  operation, benchmarked on x86_64. Table sizes unchanged,
	  around 16 KB per curve.

	* In ARM fat builds, automatically select Neon implementation
	  of Chacha, where possible. Contributed by Yuriy M.
	  Kaminskiy.

	Deleted features:

	* The header file des-compat.h and everything declared therein
	  has been deleted, as announced earlier. This file provided a
	  subset of the old libdes/ssleay/openssl interface for DES
	  and triple-DES. DES is still supported, via the functions
	  declared in des.h.

	* Functions using the old struct aes_ctx have been marked as
	  deprecated. Use the fixed key size interface instead, e.g.,
	  struct aes256_ctx, introduced in Nettle-3.0.

	* The header file nettle-stdint.h, and corresponding autoconf
	  tests, have been deleted. Nettle now requires that the
	  compiler/libc provides <stdint.h>.

	Miscellaneous:

	* Support for big-endian ARM systems, contributed by Michael
	  Weiser.

	* The programs aesdata, desdata, twofishdata, shadata and
	  gcmdata are no longer built by default. Makefile
	  improvements contributed by Jay Foad.

	* The "example" program examples/eratosthenes.c has been
	  deleted.

	* The contents of hash context structs, and the deprecated
	  aes_ctx struct, have been reorganized, to enable later
	  optimizations.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0.

NEWS for the Nettle 3.4.1 release

	This release fixes a few bugs, and makes the RSA private key
	operations side channel silent. The RSA improvements are
	contributed by Simo Sorce and Red Hat, and include one new
	public function, rsa_sec_decrypt, see below.

	All functions using RSA private keys are now side-channel
	silent, meaning that they try hard to avoid any branches or
	memory accesses depending on secret data. This applies both to
	the bignum calculations, which now use GMP's mpn_sec_* family
	of functions, and the processing of PKCS#1 padding needed for
	RSA decryption.

	Nettle's ECC functions were already side-channel silent, while
	the DSA functions still aren't. There's also one caveat
	regarding the improved RSA functions: due to small table
	lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
	lowest and highest few bits of the secret factors p and q may
	still leak. I'm not aware of any attacks on RSA where knowing
	a few bits of the factors makes a significant difference. This
	leak will likely be plugged in later GMP versions.

	Changes in behavior:

	* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
	  all of the provided message buffer, independent of the
	  actual message length. They are side-channel silent, in that
	  branches and memory accesses don't depend on the validity or
	  length of the message. Side-channel leakage from the
	  caller's use of length and return value may still provide an
	  oracle useable for a Bleichenbacher-style chosen ciphertext
	  attack. This is why the new function rsa_sec_decrypt is
	  recommended.

	New features:

	* A new function rsa_sec_decrypt. It differs from
	  rsa_decrypt_tr in that the length of the decrypted message
	  is given a priori, and PKCS#1 padding indicating a different
	  length is treated as an error. For applications that may be
	  subject to chosen ciphertext attacks, it is recommended to
	  initialize the message area with random data, call this
	  function, and ignore the return value. This applies in
	  particular to RSA-based key exchange in the TLS protocol.

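The ciphertext range check recommended in the 3.7.3 notes and the fixed-length, ignore-the-return-value use of rsa_sec_decrypt described above, modelled as an added example in Python (this is not Nettle's code). The key, the message and the helper names are constructed for this example, and the model mirrors only the structure of the checks, with none of Nettle's side-channel guarantees.

```python
"""Added example (not Nettle code): the 0 < c < n ciphertext range check and a model
of rsa_sec_decrypt's fixed-length semantics, on a small constructed RSA key."""
import random
import secrets


def _probable_prime(n, rng, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):          # Miller-Rabin, enough for a toy key
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand


def make_key(bits=512, seed=2021):
    """Deterministic toy key (constructed for this example; real keys are 2048+ bits)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def ciphertext_in_range(c, n):
    """The workaround from the 3.7.3 notes: only 0 < c < n may reach the decryption."""
    return 0 < c < n


def pkcs1_v15_encrypt(n, e, msg):
    """EME-PKCS1-v1_5: 00 02 || PS (nonzero bytes) || 00 || msg, then c = m^e mod n."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for key")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n)


def rsa_sec_decrypt_model(n, d, c, out):
    """Model of rsa_sec_decrypt: the message length is fixed in advance as len(out).
    On success out is overwritten and True returned; if c is out of range or the
    padding indicates any other length, out is left untouched and False returned.
    The padding checks accumulate into one flag instead of returning early."""
    k = (n.bit_length() + 7) // 8
    mlen = len(out)
    if not ciphertext_in_range(c, n) or mlen > k - 11:
        return False
    em = pow(c, d, n).to_bytes(k, "big")
    sep = k - 1 - mlen                       # where the 00 separator must sit
    ok = em[0] == 0 and em[1] == 2 and em[sep] == 0
    for b in em[2:sep]:                      # the padding string must be all nonzero
        ok &= b != 0
    if ok:
        out[:] = em[sep + 1:]
    return ok


def tls_style_premaster(n, d, c, length=48):
    """The usage the 3.4.1 notes recommend for RSA key exchange: start from random
    bytes, decrypt into them, and deliberately ignore the return value."""
    premaster = bytearray(secrets.token_bytes(length))
    rsa_sec_decrypt_model(n, d, c, premaster)   # return value intentionally ignored
    return bytes(premaster)


if __name__ == "__main__":
    n, e, d = make_key()
    c = pkcs1_v15_encrypt(n, e, b"hello")
    print(ciphertext_in_range(0, n), ciphertext_in_range(c + n, n))   # False False
    # Without the range check, c + n decrypts to the same message: the input is
    # silently reduced modulo n, which 3.7.3 turns into an explicit failure.
    print(pow(c + n, d, n) == pow(c, d, n))                            # True
    out = bytearray(5)
    print(rsa_sec_decrypt_model(n, d, c, out), bytes(out))              # True b'hello'
```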
	Bug fixes:

	* Fix bug in pkcs1-conv, missing break statements in the
	  parsing of PEM input files.

	* Fix link error on the pss-mgf1-test test, affecting builds
	  without public key support.

	Performance regression:

	* All RSA private key operations employing RSA blinding, i.e.,
	  rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
	  rsa_compute_root_tr, are significantly slower. This is
	  because (i) RSA blinding now uses side-channel silent
	  operations, (ii) blinding includes a modular inversion, and
	  (iii) side-channel silent modular inversion, implemented as
	  mpn_sec_invert, is very expensive. A 60% slowdown for
	  2048-bit RSA keys has been measured.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 6.0 or later (unless --enable-mini-gmp is used).

	The shared library names are libnettle.so.6.5 and
	libhogweed.so.4.5, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.4 release

	This release fixes bugs and adds a few new features. It also
	addresses an ABI compatibility issue affecting Nettle-3.1 and
	later, see below.

	Bug fixes:

	* Fixed an improper use of GMP mpn_mul, breaking curve25519 and
	  eddsa on certain platforms. Reported by Sergei Trofimovich.

	* Fixed memory leak when handling invalid signatures in
	  ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.

	* Fix compilation error with --enable-fat on ARM. Fix
	  contributed by Andreas Schneider.

	* Reorganized the way certain data items are made available.

	  Short version: Nettle header files now define the symbols
	  nettle_hashes, nettle_ciphers, and nettle_aeads, as
	  preprocessor macros invoking a corresponding accessor
	  function. For backwards ABI compatibility, the symbols are
	  still present in the compiled libraries, and with the same
	  sizes as in nettle-3.3.

	New features:

	* Support for RSA-PSS signatures, contributed by Daiki Ueno.

	* Support for the HKDF key derivation function, defined by RFC
	  5869. Contributed by Nikos Mavrogiannopoulos.

	* Support for the Cipher Feedback Mode (CFB), contributed by
	  Dmitry Eremin-Solenikov.

	* New accessor functions: nettle_get_hashes,
	  nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
	  nettle_get_secp_224r1, nettle_get_secp_256r1,
	  nettle_get_secp_384r1, nettle_get_secp_521r1.

	  For source-level compatibility with future versions,
	  applications are encouraged to migrate to using these
	  functions instead of referring to the corresponding data
	  items directly.

	Miscellaneous:

	* The base16 and base64 functions now use the type char * for
	  ascii data, rather than uint8_t *. This eliminates the last
	  pointer-signedness warnings when building Nettle. This is a
	  minor API change, and applications may need to be adjusted,
	  but the ABI is unaffected on all platforms I'm aware of.

	* The contents of the header file nettle/version.h are now
	  architecture independent, except in --enable-mini-gmp
	  configurations.

	ABI issue:

	  Since the breakage was a bit subtle, let me document it
	  here. The nettle and hogweed libraries export a couple of
	  data symbols, and for some of these, the size was never
	  intended to be part of the ABI. E.g.,

	    extern const struct nettle_hash * const nettle_hashes[];

	  which is a NULL-terminated array.

	  It turns out the sizes nevertheless may leak into the ABI, and
	  that increasing the sizes can break old executables linked
	  with a newer version of the library.

	  When linking a classic non-PIE executable with a shared
	  library, we get ELF relocations of type R_X86_64_COPY for
	  references to data items. These mean that the linker allocates
	  space for the data item in the data segment of the executable,
	  at a fixed address determined at link-time, and with size
	  extracted from the version of the .so-file seen when linking.

	  At load time, the run time linker then copies the contents of
	  the symbol from the .so file to that location, and uses the
	  copy instead of the version loaded with the .so-file. And if
	  the data item in the .so file used at load time is larger than
	  the data item seen at link time, it is silently truncated in
	  the process.

	  So when SHA3 hashes were added to the nettle_hashes array
	  in the nettle-3.3 release, this way of linking produces a
	  truncated array at load time, no longer NULL-terminated.

	  We will get similar problems for planned extensions of the
	  internal struct ecc_curve, and exported data items like

	    extern const struct ecc_curve nettle_secp_256r1;

	  where the ecc_curve struct is only forward declared in the
	  public headers. To prepare, applications should migrate to
	  using the new function nettle_get_secp_256r1, and similarly
	  for the other curves.

	  In some future version, the plan is to add a leading
	  underscore to the name of the actual data items. E.g.,
	  nettle_hashes --> _nettle_hashes, breaking the ABI, while
	  keeping the nettle_get_hashes function and the nettle_hashes
	  macro as the supported ways to access it. We will also
	  rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
	  both ABI and API.

	  Note that data items like nettle_sha256 are *not* affected,
	  since the size and layout of this struct is considered part
	  of the ABI, and R_X86_64_COPY-relocations then work fine.

	The shared library names are libnettle.so.6.4 and
	libhogweed.so.4.4, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.3 release

	This release fixes a couple of bugs, and improves resistance
	to side-channel attacks on RSA and DSA private key operations.

	Changes in behavior:

	* Invalid private RSA keys, with an even modulus, are now
	  rejected by rsa_private_key_prepare. (Earlier versions
	  allowed such keys, even if results of using them were bogus).

	  Nettle applications are required to call
	  rsa_private_key_prepare and check the return value, before
	  using any other RSA private key functions; failing to do so
	  may result in crashes for invalid private keys. As a
	  workaround for versions of Gnutls which don't use
	  rsa_private_key_prepare, additional checks for even moduli
	  are added to the rsa_*_tr functions which are used by all
	  recent versions of Gnutls.

	* Ignore bit 255 of the x coordinate of the input point to
	  curve25519_mul, as required by RFC 7748. To differentiate at
	  compile time, curve25519.h defines the constant
	  NETTLE_CURVE25519_RFC7748.

	Security:

	* RSA and DSA now use side-channel silent modular
	  exponentiation, to defend against attacks on the private key
	  from evil processes sharing the same processor cache. This
	  attack scenario is of particular relevance when running an
	  HTTPS server on a virtual machine, where you don't know who
	  you share the cache hardware with.

	  (Private key operations on elliptic curves were already
	  side-channel silent).

	Bug fixes:

	* Fix sexp-conv crashes on invalid input. Reported by Hanno
	  Böck.

	* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
	  Mavrogiannopoulos.

	* Fix a couple of formally undefined shift operations,
	  reported by Nikos Mavrogiannopoulos.

	* Fix compilation with c89. Reported by Henrik Grubbström.

	New features:

	* New function memeql_sec, for side-channel silent comparison
	  of two memory areas.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 5.0 or later (unless --enable-mini-gmp is used).

	* Filenames of Windows DLL libraries now include the major
	  number only. So the dll names change at the same time as the
	  corresponding soname on ELF platforms. Fixed by Nikos
	  Mavrogiannopoulos.

	* Eliminate most pointer-signedness warnings. In the process,
	  the strings representing expression type for sexp_iterator
	  functions were changed from const uint8_t * to const char *.
	  These functions are undocumented, and it doesn't change the
	  ABI on any platform I'm aware of.

	The shared library names are libnettle.so.6.3 and
	libhogweed.so.4.3, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.2 release

	Bug fixes:

	* The SHA3 implementation is updated according to the FIPS 202
	  standard. It is not interoperable with earlier versions of
	  Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
	  differentiate at compile time, sha3.h defines the constant
	  NETTLE_SHA3_FIPS202.

	* Fix corner-case carry propagation bugs affecting elliptic
	  curve operations on the curves secp_256r1 and secp_384r1 on
	  certain platforms, including x86_64. Reported by Hanno Böck.

	New features:

	* New functions for RSA private key operations, identified by
	  the "_tr" suffix, with better resistance to side channel
	  attacks and to hardware or software failures which could
	  break the CRT optimization. See the Nettle manual for
	  details. Initial patch by Nikos Mavrogiannopoulos.

	* New functions nettle_version_major, nettle_version_minor, as
	  a run-time variant of the compile-time constants

	Optimizations:

	* New ARM Neon implementation of the chacha stream cipher.

	Miscellaneous:

	* ABI detection on mips, with improved default libdir
	  location. Contributed by Klaus Ziegler.

	* Fixes for ARM assembly syntax, to work better with the clang
	  assembler. Thanks to Jukka Ukkonen.

	* Disabled use of ifunc relocations for fat builds, to fix
	  problems most easily triggered by using dlopen RTLD_NOW.

	The shared library names are libnettle.so.6.2 and
	libhogweed.so.4.2, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.1.1 release

	This release fixes a couple of non-critical bugs.

	Bug fixes:

	* By accident, nettle-3.1 disabled the assembly code for the
	  secp_224r1 and secp_521r1 elliptic curves on all x86_64
	  configurations, making signature operations on those curves
	  10%-30% slower. This code is now re-enabled.

	* The x86_64 assembly implementation of gcm hashing has been
	  fixed to work with the Sun/Oracle assembler.

	The shared library names are libnettle.so.6.1 and
	libhogweed.so.4.1, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.1 release

	This release adds a couple of new features.

	The library is mostly source-level compatible with nettle-3.0.
	It is however not binary compatible, due to the introduction
	of versioned symbols, and extensions to the base64 context
	structs. The shared library names are libnettle.so.6.0 and
	libhogweed.so.4.0, with sonames libnettle.so.6 and
	libhogweed.so.4.

	Bug fixes:

	* Fixed a missing include of <limits.h>, which made the
	  camellia implementation fail on all 64-bit non-x86
	  platforms.

	* Eliminate out-of-bounds reads in the C implementation of
	  memxor (related to valgrind's --partial-loads-ok flag).

	Interface changes:

	* Declarations of many internal functions are moved from ecc.h
	  to ecc-internal.h. The functions are undocumented, and
	  luckily they're apparently also unused by applications, so I
	  don't expect any problems from this change.

	New features:

	* Support for curve25519 and for EdDSA25519 signatures.

	* Support for "fat builds" on x86_64 and arm, where the
	  implementation of certain functions is selected at run-time
	  depending on available cpu features. Configure with
	  --enable-fat to try this out. If it turns out to work well
	  enough, it will likely be enabled by default in later
	  releases.

	* Support for building the hogweed library (public key
	  support) using "mini-gmp", a small but slower implementation
	  of a subset of the GMP interfaces. Note that builds using
	  mini-gmp are *not* binary compatible with regular builds,
	  and more likely to leak side-channel information.

	  One intended use-case is for small embedded applications
	  which need to verify digital signatures.

	* The shared libraries are now built with versioned symbols.
	  This should reduce problems in case a program links
	  explicitly to nettle and/or hogweed, and to gnutls, and the
	  program and gnutls expect different versions.

	* Support for "URL-safe" base64 encoding and decoding, as
	  specified in RFC 4648. Contributed by Amos Jeffries.

	Optimizations:

	* New x86_64 implementation of AES, using the "aesni"
	  instructions. Autodetected in fat builds. In non-fat builds,
	  it has to be enabled explicitly with --enable-x86-aesni.

	Build system:

	* Use the same object files for both static and shared
	  libraries. This eliminates the *.po object files which were
	  confusing to some tools (as well as humans). Like before,
	  PIC code is used by default; to build a non-pic static
	  library, configure with --disable-pic --disable-shared.

	Miscellaneous:

	* Made type-checking hack in CBC_ENCRYPT and similar macros
	  stricter, to generate warnings if they are used with
	  functions which have a length argument smaller than size_t.

  791 NEWS for the Nettle 3.0 release
  793 	This is a major release, including several interface changes,
  794 	and new features, some of which are a bit experimental.
  795 	Feedback is highly appreciated.
  797 	It is *not* binary (ABI) compatible with earlier versions. It
  798 	is mostly source-level (API) compatible, with a couple of
  799 	incompatibilities noted below. The shared library names are
  800 	libnettle.so.5.0 and libhogweed.so.3.0, with sonames
  801 	libnettle.so.5 and libhogweed.so.3.
  803 	There may be some problems in the new interfaces and new
  804 	features which really need incompatible fixes. It is likely
  805 	that there will be an update in the form of a 3.1 release in
  806 	the not too distant future, with small but incompatible
  807 	changes, and if that happens, bugfix-only releases 3.0.x are
  808 	unlikely. Users and applications which desire better API and
  809 	ABI stability are advised to stay with nettle-2.7.x (latest
  810 	version is now 2.7.1) until the dust settles.
  812 	Interface changes:
  814 	* For the many _set_key functions, it is now considered the
  815 	  normal case to have a fixed key size, with no key_size
  816 	  arguments. _set_key functions with a length parameter are
  817 	  provided only for algorithms with a truly variable keysize,
  818 	  and where it makes sense for backwards compatibility.
  820 	  INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
  821 	  size argument. The old function is available under a new
  822 	  name, cast5_set_key.
  824 	  INCOMPATIBLE CHANGE: The function typedef
  825 	  nettle_set_key_func no longer accepts a key size argument.
  826 	  In particular, this affects users of struct nettle_cipher.
  828 	* The nettle_cipher abstraction (in nettle-meta.h) is
  829 	  restricted to block ciphers only. The encrypt and decrypt
  830 	  functions now take a const argument for the context.
  832 	  INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
  833 	  abstraction for the arcfour stream cipher, is deleted.
  835 	  INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
  836 	  encrypt and decrypt fields of struct nettle_cipher.
  838 	* New DSA interface, with a separate struct dsa_param to
  839 	  represent the underlying group, and generalized dsa_sign and
  840 	  dsa_verify functions which don't care about the hash
  841 	  function used. Limited backwards compatibility provided in
  842 	  dsa-compat.h.
  844 	  INCOMPATIBLE CHANGE: Declarations of the old interface,
  845 	  e.g., struct dsa_public_key, dsa_sha1_sign, etc., are moved to
  846 	  dsa-compat.h.
  848 	  INCOMPATIBLE CHANGE: The various key conversion functions,
  849 	  e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
  850 	  no backwards compatible functions.
  852 	  INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
  853 	  interface. dsa-compat.h declares a function
  854 	  dsa_compat_generate_keypair, implementing the old
  855 	  interface, and #defines dsa_generate_keypair to refer to
  856 	  this backwards compatible function.
  858 	* New AES and Camellia interfaces. There are now separate
  859 	  context structs for each key size, e.g., aes128_ctx and
  860 	  camellia256_ctx, and corresponding new functions. The old
  861 	  interface, with struct aes_ctx and struct camellia_ctx, is
  862 	  kept for backwards compatibility, but might be removed in
  863 	  later versions.
  865 	* The type of most length arguments is changed from unsigned
  866 	  to size_t. The memxor functions have their pointer arguments
  867 	  changed from uint8_t * to void *, for consistency with
  868 	  related libc functions.
  870 	* For hash functions, the constants *_DATA_SIZE have been
  871 	  renamed to *_BLOCK_SIZE. Old names kept for backwards
  872 	  compatibility.
  874 	Removed features:
  876 	* The nettle_next_prime function has been deleted.
  877 	  Applications should use GMP's mpz_nextprime instead.
  879 	* Deleted the RSAREF compatibility, including the header file
  880 	  rsa-compat.h and everything declared therein.
  882 	* Also under consideration for removal is des-compat.h and
  883 	  everything declared therein. This implements a subset of the
  884 	  old libdes/ssleay/openssl interface for DES and triple-DES,
  885 	  and it is poorly tested. If anyone uses this interface,
  886 	  please speak up! Otherwise, it will likely be removed in the
  887 	  next release.
  889 	Bug fixes:
  891 	* Building with ./configure --disable-static now works.
  893 	* Use GMP's allocation functions for temporary storage related
  894 	  to bignums, to avoid potentially large stack allocations.
  896 	* Fixes for shared libraries on M$ Windows.
  898 	New features:
  900 	* Support for Poly1305-AES MAC.
  902 	* Support for the ChaCha stream cipher and EXPERIMENTAL
  903 	  support for the ChaCha-Poly1305 AEAD mode. Specifications
  904 	  are still in flux, and future releases may do incompatible
  905 	  changes to track standardization. Currently uses 256-bit key
  906 	  and 64-bit nonce.
  908 	* Support for EAX mode.
  910 	* Support for CCM mode. Contributed by Owen Kirby.
  912 	* Additional variants of SHA512 with output size of 224 and
  913 	  256 bits. Contributed by Joachim Strömbergson.
  915 	* New interface, struct nettle_aead, for mechanisms providing
  916 	  authenticated encryption with associated data (AEAD).
  918 	* DSA: Support a wider range for the size of q and a wider
  919 	  range for the digest size.
  921 	Optimizations:
  923 	* New x86_64 assembly for GCM and MD5. Modest speedups on the
  924 	  order of 10%-20%.
  926 	Miscellaneous:
  928 	* SHA3 is now documented as EXPERIMENTAL. Nettle currently
  929 	  implements SHA3 as specified at the time Keccak won the SHA3
  930 	  competition. However, the final standard specified by NIST
  931 	  is likely to be incompatible, in which case future releases
  932 	  may do incompatible changes to track standardization.
  934 	* The portability fix for the rotation macros, mentioned in
  935 	  NEWS for 2.7.1, actually didn't make it into that release.
  936 	  It is included now.
  938 	* cast128_set_key rewritten for clarity, also eliminating a
  939 	  couple of compiler warnings.
  941 	* New command line tool nettle-pbkdf2.
  943 NEWS for the 2.7.1 release
  945         This is a bugfix release.
  947         Bug fixes:
  949         * Fixed a bug in the new ECC code. The ecc_j_to_a function
  950           called GMP's mpn_mul_n (via ecc_modp_mul) with overlapping
  951           input and output arguments, which is not supported.
  953         * The assembly files for SHA1, SHA256 and AES depend on ARMv6
  954           instructions, breaking nettle-2.7 for pre-v6 ARM processors.
  955           The configure script now enables those assembly files only
  956           when building for ARMv6 or later.
  958         * Use a more portable C expression for rotations. The
  959           previous version used the following "standard" expression
  960           for 32-bit rotation:
  962             (x << n) | (x >> (32 - n))
  964           But this gives undefined behavior (according to the C
  965           specification) for n = 0. The rotate expression is replaced
  966           by the more portable:
  968             (x << n) | (x >> ((-n)&31))
  970           This change affects only CAST128, which uses non-constant
  971           rotation counts. Unfortunately, the new expression is poorly
  972           optimized by released versions of gcc, making CAST128 a bit
  973           slower. This is being fixed by the gcc hackers, see
  974           http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
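        The two rotation expressions above, as an added example that
        is not Nettle's own code: ROTL32 is the portable form from the
        fix, rotl32_ref is a bit-at-a-time reference used only to
        cross-check it, and the names are invented for this example.
        The point of the (-n)&31 trick is that a count of 0 becomes a
        shift by 0 on both sides of the OR, instead of a shift by the
        full 32-bit width, which C leaves undefined.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Nettle's own code.  ROTL32 is the portable
   rotate-left expression from the 2.7.1 fix.  The older form
   (x << n) | (x >> (32 - n)) shifts by the full width when n == 0,
   which C leaves undefined; here (-n) & 31 maps n == 0 to a shift of
   0, so both halves of the OR are just x, and for 1 <= n <= 31 it
   equals 32 - n as before.  n must be an unsigned expression so that
   -n wraps modulo 2^32 instead of producing a negative signed value. */
#define ROTL32(x, n) (((x) << (n)) | ((x) >> ((-(n)) & 31)))

/* Function wrapper: exercises the macro with run-time counts, which
   is the case that matters for CAST128. */
uint32_t rotl32(uint32_t x, unsigned n)
{
  return ROTL32(x, n & 31u);
}

/* Reference rotation by repeated single-bit steps, used only to
   cross-check the shift expression. */
uint32_t rotl32_ref(uint32_t x, unsigned n)
{
  for (n &= 31u; n > 0; n--)
    x = (x << 1) | (x >> 31);
  return x;
}

/* Returns 1 if rotl32 agrees with the reference for every count
   0..31 on a handful of bit patterns, 0 otherwise. */
int rotl32_selfcheck(void)
{
  static const uint32_t patterns[] = {
    0u, 1u, 0x80000000u, 0x12345678u, 0xdeadbeefu, 0xffffffffu
  };
  size_t i;
  unsigned n;

  for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
    for (n = 0; n < 32; n++)
      if (rotl32(patterns[i], n) != rotl32_ref(patterns[i], n))
        return 0;
  return 1;
}
```

        Note that the count is masked to 0..31 before it reaches the
        macro; with an unmasked count of 32 or more the left shift is
        itself undefined, whichever form the right shift takes.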
  976         The following problems have been reported, but are *not* fixed
  977         in this release:
  979         * ARM assembly files use instruction syntax which is not
  980           supported by all assemblers. Workaround: Use a current
  981           version of GNU as, or configure with --disable-assembler.
  983         * Configuring with --disable-static doesn't work on windows.
  985         The libraries are intended to be binary compatible with
  986         nettle-2.2 and later. The shared library names are
  987         libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
  988         libnettle.so.4 and libhogweed.so.2.
  990 NEWS for the 2.7 release
  992 	This release includes an implementation of elliptic curve
  993 	cryptography (ECC) and optimizations for the ARM architecture.
  994 	This work was done at the offices of South Pole AB, and
  995 	generously funded by the .SE Internet Fund.
  997 	Bug fixes:
  999 	* Fixed a bug in the buffer handling for incremental SHA3
 1000 	  hashing, with a possible buffer overflow. Patch by Edgar
 1001 	  E. Iglesias.
 1003 	New features:
 1005 	* Support for ECDSA signatures. Elliptic curve operations over
 1006 	  the following curves: secp192r1, secp224r1, secp256r1,
 1007 	  secp384r1 and secp521r1, including x86_64 and ARM assembly
 1008 	  for the most important primitives.
 1010 	* Support for UMAC, including x86_64 and ARM assembly.
 1012 	* Support for 12-round salsa20, "salsa20r12", as specified by
 1013 	  eSTREAM. Contributed by Nikos Mavrogiannopoulos.
 1015 	Optimizations:
 1017 	* ARM assembly code for several additional algorithms,
 1018 	  including AES, Salsa20, and the SHA family of hash
 1019 	  functions.
 1021 	* x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
 1022           was included in the 2.6 release, but disabled due to poor
 1023           performance on some AMD processors. Hopefully, that
 1024           performance problem is fixed now).
 1026 	The ARM code was tested and benchmarked on Cortex-A9. Some of
 1027 	the functions use "neon" instructions. The configure script
 1028 	decides if neon instructions can be used, and the command line
 1029 	options --enable-arm-neon and --disable-arm-neon can be used
 1030 	to override its choice. Feedback appreciated.
 1032 	The libraries are intended to be binary compatible with
 1033 	nettle-2.2 and later. The shared library names are
 1034 	libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
 1035 	libnettle.so.4 and libhogweed.so.2.
 1037 NEWS for the 2.6 release
 1039 	Bug fixes:
 1041 	* Fixed a bug in ctr_crypt. For zero length (which should be a
 1042 	  NOP), it sometimes incremented the counter. Reported by Tim
 1043 	  Kosse.
 1045 	* Fixed a small memory leak in nettle_realloc and
 1046           nettle_xrealloc.
 1048 	New features:
 1050 	* Support for PKCS #5 PBKDF2, to generate a key from a
 1051           password or passphrase. Contributed by Simon Josefsson.
 1052           Specification in RFC 2898 and test vectors in RFC 6070.
 1054 	* Support for SHA3.
 1056 	* Support for the GOST R 34.11-94 hash algorithm. Ported from
 1057 	  librhash by Nikos Mavrogiannopoulos. Written by Aleksey
 1058 	  Kravchenko. More information in RFC4357. Test vectors taken
 1059 	  from the GOST hash wikipedia page.
 1061 	Miscellaneous:
 1063 	* The include file <nettle/sha.h> has been split into
 1064           <nettle/sha1.h> and <nettle/sha2.h>. For now, sha.h is kept
 1065           for backwards compatibility and it simply includes both
 1066           files, but applications are encouraged to use the new names.
 1067           The new SHA3 functions are declared in <nettle/sha3.h>.
 1069 	* Testsuite can be run under valgrind, using
 1071 	  make check EMULATOR='$(VALGRIND)'
 1073 	  For this to work, test programs and other executables now
 1074 	  deallocate storage.
 1076 	* New configure options --disable-documentation and
 1077           --disable-static. Contributed by Sam Thursfield and Alon
 1078 	  Bar-Lev, respectively.
 1080 	* The section on hash functions in the manual is split into
 1081           separate nodes for recommended hash functions and legacy
 1082           hash functions.
 1084 	* Various smaller improvements, most of them portability
 1085           fixes. Credits go to David Woodhouse, Tim Rühsen, Martin
 1086           Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis
 1087           Clarke.
 1089 	Finally, a note on the naming of the various "SHA" hash
 1090 	functions. Naming is a bit inconsistent; we have, e.g.,
 1092 	  SHA1: sha1_digest
 1093 	  SHA2: sha256_digest   (not sha2_256_digest)
 1094 	  SHA3: sha3_256_digest
 1096 	Renaming the SHA2 functions to make Nettle's naming more
 1097 	consistent has been considered, but the current naming follows
 1098 	common usage. Most documents (including the specification for
 1099 	SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather
 1100 	than "SHA2-256".
 1102 	The libraries are intended to be binary compatible with
 1103 	nettle-2.2 and later. The shared library names are
 1104 	libnettle.so.4.5 and libhogweed.so.2.3, with sonames still
 1105 	libnettle.so.4 and libhogweed.so.2.
 1107 NEWS for the 2.5 release
 1109 	This release includes important portability fixes for Windows
 1110 	and MacOS. There are also a few new features.
 1112 	First a *warning*: Some internal functions have been removed
 1113 	from the library. Since the functions in question are internal
 1114 	and not documented, this is not considered a change of ABI or
 1115 	API. Programs explicitly using any of these functions will
 1116 	break.
 1118 	* The function pkcs1_signature_prefix has been renamed to
 1119 	  _pkcs1_signature_prefix, and with slightly different
 1120 	  behavior.
 1122 	* The file nettle-internal.c is no longer included in the
 1123           library (the features defined there are used by the
 1124           benchmark and test programs, and were never intended for
 1125           public use).
 1127 	New features:
 1129 	* Support for the salsa20 stream cipher, including x86_64
 1130           assembler. Originally contributed by Simon Josefsson, based
 1131           on the reference implementation, then further optimized.
 1133 	* Tentative interface for timing-resistant RSA functions,
 1134           contributed by Nikos Mavrogiannopoulos.
 1136 	* A more general interface for PKCS#1 signatures, taking the
 1137           input in the form of a "DigestInfo". Suggested by Nikos
 1138           Mavrogiannopoulos.
 1140 	Configuration:
 1142 	* Building of shared libraries (./configure --enable-shared)
 1143           is now enabled by default.
 1145 	* Various portability fixes for MacOS and M$ Windows. A lot of
 1146 	  this work done by Martin Storsjö.
 1148 	* In particular, Nettle now hopefully works on 64-bit Windows
 1149 	  builds, "W64", including the x86_64 assembly code.
 1151 	Miscellaneous:
 1153 	* Documentation and example programs for the base16 and base64
 1154 	  functions. Was contributed by Jeronimo Pellegrini back in
 1155 	  2006, but unfortunately forgotten until now.
 1157 	* Use an additional table to avoid GF2^8 multiplications in
 1158 	  aes_invert_key (mainly used by aes_set_decrypt_key). Also
 1159 	  tabulate round constants in aes_set_encrypt_key.
 1161 	* The nettle repository has been migrated from cvs to git,
 1162 	  with a public repository at
 1163 	  http://git.lysator.liu.se/nettle. To make it independent of
 1164 	  the LSH repository, a few files have been moved around.
 1165 	  While at it, files have also been converted from latin-1 to
 1166 	  utf-8.
 1168 	The libraries are intended to be binary compatible with
 1169 	nettle-2.2 and later. The shared library names are
 1170 	libnettle.so.4.4 and libhogweed.so.2.2, with sonames still
 1171 	libnettle.so.4 and libhogweed.so.2.
 1173 NEWS for the 2.4 release
 1175 	This is a bugfix release only. It turned out ripemd160 in the
 1176 	2.3 release was broken on all big-endian systems, due to a
 1177 	missing include of config.h. nettle-2.4 fixes this.
 1179 	The library is intended to be binary compatible with
 1180 	nettle-2.2 and nettle-2.3. The shared library names are
 1181 	libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
 1182 	libnettle.so.4 and libhogweed.so.2.
 1184 NEWS for the 2.3 release
 1186 	* Support for the ripemd-160 hash function.
 1188 	* Generates and installs nettle.pc and hogweed.pc files, for
 1189           use with pkg-config. Feedback appreciated. For projects
 1190           using autoconf, the traditional non-pkg-config ways of
 1191           detecting libraries, and setting LIBS and LDFLAGS, are still
 1192           recommended.
 1194 	* Fixed a bug which made the testsuite fail in the GCM test on
 1195 	  certain platforms. Should not affect any documented features
 1196 	  of the library.
 1198 	* Reorganization of the code for the various Merkle-Damgård
 1199 	  hash functions. Some fields in the context structs for md4,
 1200 	  md5 and sha1 have been renamed, for consistency.
 1201 	  Applications should not peek inside these structs, and the
 1202 	  ABI is unchanged.
 1204 	* In the manual, fixed mis-placed const in certain function
 1205           prototypes.
 1207 	The library is intended to be binary compatible with
 1208 	nettle-2.2. The shared library names are libnettle.so.4.2 and
 1209 	libhogweed.so.2.1, with sonames still libnettle.so.4 and
 1210 	libhogweed.so.2.
 1212 NEWS for the 2.2 release
 1214 	Licensing change:
 1216 	* Relicensed as LGPL v2.1 or later (user's option).
 1218 	* Replaced blowfish and serpent implementation. New code is
 1219           based on the LGPLed code in libgcrypt.
 1221 	New features:
 1223 	* Support for Galois/Counter Mode (GCM).
 1225 	* New interface for enumerating (most) available algorithms,
 1226 	  contributed by Daniel Kahn Gillmor.
 1228 	* New tool nettle-hash. Can generate hash digests using any
 1229 	  supported hash function, with output compatible with md5sum
 1230 	  and friends from GNU coreutils. Checking (like md5sum -c)
 1231 	  not yet implemented.
 1233 	Bug fixes:
 1235 	* The old serpent code had a byte order bug (introduced by
 1236 	  yours truly about ten years ago). New serpent implementation
 1237 	  does not interoperate with earlier versions of nettle.
 1239 	* Fixed ABI-dependent libdir default for Linux-based systems
 1240 	  which do not follow the Linux File Hierarchy Standard, e.g.,
 1241 	  Debian GNU/Linux.
 1243 	Optimizations:
 1245 	* x86_64 implementation of serpent.
 1247 	* x86_64 implementation of camellia.
 1249 	* Optimized memxor using word rather than byte operations.
 1250           Both generic C and x86_64 assembler.
 1252 	* Eliminated a memcpy for in-place CBC decrypt.
 1254 	Miscellaneous:
 1256 	* In command line tools, no longer support -? for requesting
 1257           help, since using it without shell quoting is a dangerous
 1258           habit. Use long option --help instead.
 1260 	The shared library names are libnettle.so.4.1 and
 1261 	libhogweed.so.2.1, with sonames libnettle.so.4 and
 1262 	libhogweed.so.2.
 1264 NEWS for the 2.1 release
 1266 	*Important*: this release breaks source and binary
 1267 	compatibility for the digital signature functions, and for the
 1268 	DES and BLOWFISH ciphers which have weak keys.
 1270 	Incompatible changes:
 1272 	* The functions rsa_md5_sign, rsa_sha1_sign and
 1273           rsa_sha256_sign, and the corresponding _digest variants, now
 1274           have a return value which callers should check. The functions
 1275           return failure if the key is too small for the type of
 1276           signature.
 1278 	* The functions dsa_sign and dsa_verify are renamed to
 1279           dsa_sha1_sign and dsa_sha1_verify. The _digest variants are
 1280           renamed similarly. These functions now have a return value
 1281           which callers should check, and they return failure if the
 1282           number q is not of the appropriate size.
 1284 	* The return value from des_set_key, des3_set_key and
 1285 	  blowfish_set_key now indicates whether or not the given key
 1286 	  is weak. But in either case, the key setup is done, and
 1287 	  applications that don't care about weak keys can ignore the
 1288 	  return value.
 1290 	  The incompatible part of this change is that enum des_error
 1291 	  and enum blowfish_error have been deleted, and so has the
 1292 	  status attribute in struct des_ctx, struct des3_ctx, and
 1293 	  struct blowfish_ctx.
 1295 	The shared library names are libnettle.so.4.0 and
 1296 	libhogweed.so.2.0, with sonames libnettle.so.4 and
 1297 	libhogweed.so.2.
 1299 	Other changes:
 1301 	* Support for the Camellia block cipher, including an
 1302           assembler implementation for x86_32.
 1304 	* New function aes_invert_key, useful for applications that
 1305 	  need both encryption and decryption using the same AES key.
 1307 	* des_set_key and des3_set_key no longer check the key parity
 1308 	  bits. Parity bits are silently ignored. A new function
 1309 	  des_check_parity is provided, for applications that care
 1310 	  about the DES parity bits.
 1312 	* Support for sha224, sha384 and sha512.
 1314 	* Support for digital signatures using rsa-sha512 and
 1315           dsa-sha256. Due to lack of official test vectors and interop
 1316           testing, this support should be considered somewhat
 1317           experimental.
 1319 	* Key generation for RSA and DSA changed to use Maurer's
 1320 	  algorithm to generate provably prime numbers (as usual, the
 1321 	  mathematical proof does not guarantee that the
 1322 	  implementation is bug free).
 1324 	* x86_64 assembler implementation actually included in the
 1325 	  distribution (was accidentally left out in nettle-2.0).
 1327 	* Configure script now detects if the compiler uses a 32-bit
 1328           or 64-bit ABI on x86_64 (previously did this for sparc only).
 1329           Also sets the default location for installing libraries
 1330           (libdir) depending on system type and the ABI used.
 1332 	* Added the nettle and gmp libraries as dependencies when
 1333           linking shared library libhogweed.so. On systems using
 1334           shared libraries where such dependencies work (in
 1335           particular, ELF systems), it is sufficient to link
 1336           applications with -lhogweed. For static linking -lhogweed
 1337           -lnettle -lgmp is still required.
 1339 	* The program pkcs1-conv is extended to also handle dsa keys.
 1340           Contributed by Magnus Holmgren.
 1342 	* Slightly improved sha1 performance on x86.
 1344 NEWS for the 2.0 release
 1346 	This release breaks binary compatibility by splitting the
 1347 	library into two. Some other smaller changes that are not
 1348 	backwards compatible are also done at the same time.
 1350 	* The nettle library is split into two libraries, libnettle
 1351 	  and libhogweed. libnettle contains the symmetric crypto
 1352 	  algorithms that don't depend on GMP, while libhogweed
 1353 	  contains the public key algorithms that depend on GMP.
 1354 	  Using a single library worked fine with static linking, but
 1355 	  not with dynamic linking. Consider an application that uses
 1356 	  nettle and which doesn't use any public key cryptography. If
 1357 	  this application is linked dynamically to nettle, it would
 1358 	  have to be linked also with GMP if and only if public key
 1359 	  support was enabled when the nettle library was installed.
 1361 	  The library names are libnettle.so.3.0 and
 1362 	  libhogweed.so.1.0, with sonames libnettle.so.3 and
 1363 	  libhogweed.so.1.
 1365 	* Function typedefs have been changed to non-pointer types.
 1366 	  E.g, the
 1368 	    typedef void (nettle_hash_init_func *)(void *ctx);
 1370 	  of previous versions is replaced by
 1372 	    typedef void (nettle_hash_init_func)(void *ctx);
 1374 	  This makes it possible to use the type when declaring
 1375 	  functions, like
 1377 	    nettle_hash_init_func foo_hash_init;
 1379 	    void foo_hash_init(void *ctx) { ... }
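	The typedef pattern above in a complete, compilable form, as an
	added example that is not Nettle's own code. A toy 32-bit FNV-1a
	checksum (not a cryptographic hash) stands in for a real
	algorithm so the unit runs stand-alone; the toy_* and fnv32_*
	names are invented here, and the descriptor struct mirrors the
	shape of struct nettle_hash without being it.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Nettle's own code: the non-pointer function
   typedef pattern described above, applied to a toy, non-cryptographic
   checksum (32-bit FNV-1a) so that it compiles and runs stand-alone.
   The toy_* and fnv32_* names are invented for this example. */

/* Non-pointer typedefs, in the style Nettle adopted in 2.0. */
typedef void (toy_hash_init_func)(void *ctx);
typedef void (toy_hash_update_func)(void *ctx, size_t length,
                                    const uint8_t *data);
typedef void (toy_hash_digest_func)(void *ctx, size_t length,
                                    uint8_t *digest);

/* Algorithm descriptor, shaped like struct nettle_hash: the fields
   are pointers, so the '*' is added explicitly here. */
struct toy_hash {
  const char *name;
  size_t context_size;
  size_t digest_size;
  toy_hash_init_func *init;
  toy_hash_update_func *update;
  toy_hash_digest_func *digest;
};

struct fnv32_ctx { uint32_t h; };

/* The point of the change: the typedef itself declares the functions.
   If a definition below disagreed with the prototype (say, an
   'unsigned' length), the compiler would reject it here instead of
   the mismatch surviving behind a function-pointer cast. */
toy_hash_init_func fnv32_init;
toy_hash_update_func fnv32_update;
toy_hash_digest_func fnv32_digest;

void fnv32_init(void *ctx)
{
  ((struct fnv32_ctx *) ctx)->h = 0x811c9dc5u;   /* FNV offset basis */
}

void fnv32_update(void *ctx, size_t length, const uint8_t *data)
{
  struct fnv32_ctx *c = ctx;
  size_t i;
  for (i = 0; i < length; i++)
    c->h = (c->h ^ data[i]) * 0x01000193u;        /* FNV prime */
}

/* Writes min(length, 4) big-endian bytes of the state, so a caller
   may ask for a shorter digest the way Nettle's _digest functions allow. */
void fnv32_digest(void *ctx, size_t length, uint8_t *digest)
{
  uint32_t h = ((struct fnv32_ctx *) ctx)->h;
  size_t i;
  if (length > 4)
    length = 4;
  for (i = 0; i < length; i++)
    digest[i] = (uint8_t) (h >> (24 - 8 * i));
}

const struct toy_hash toy_fnv32 = {
  "fnv32", sizeof(struct fnv32_ctx), 4,
  fnv32_init, fnv32_update, fnv32_digest
};

/* Generic driver that knows nothing about the algorithm behind h. */
void toy_hash_all(const struct toy_hash *h, void *ctx,
                  size_t length, const uint8_t *data, uint8_t *digest)
{
  h->init(ctx);
  h->update(ctx, length, data);
  h->digest(ctx, h->digest_size, digest);
}

/* Convenience for checking: FNV-1a of a NUL-terminated string,
   computed only through the descriptor. */
uint32_t fnv32_of_string(const char *s)
{
  struct fnv32_ctx ctx;
  uint8_t out[4];
  size_t n = 0;
  while (s[n])
    n++;
  toy_hash_all(&toy_fnv32, &ctx, n, (const uint8_t *) s, out);
  return ((uint32_t) out[0] << 24) | ((uint32_t) out[1] << 16)
       | ((uint32_t) out[2] << 8) | out[3];
}
```

	The three bare declarations before the definitions are where the
	benefit lands: with the old pointer-typed typedef the prototype
	could only be spelled out again by hand, and a drift between the
	two would go unnoticed until the descriptor was initialised.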
 1381 	* Changes to the yarrow256 interface. The automatic seed file
 1382 	  generation, and the seed_file member in struct
 1383 	  yarrow256_ctx, has been removed. To generate a new seed
 1384 	  file, use yarrow256_random. The function
 1385 	  yarrow256_force_reseed has been replaced by the two
 1386 	  functions yarrow256_fast_reseed and yarrow256_slow_reseed,
 1387 	  which were previously static. This interface change makes it
 1388 	  easier to mix in the current content of the seed file before
 1389 	  overwriting it with newly generated data.
 1391 	Other changes:
 1393 	* Nettle manual now contributed to the public domain, to
 1394           enable remixing into documentation of programs that use
 1395           Nettle.
 1397 	* The sexp-conv program preserves comments when using the
 1398 	  advanced syntax for output. Optionally locks the output
 1399 	  file.
 1401 	* The base64 decoder recognizes ASCII FF (form feed) and VT
 1402           (vertical tab) as white space.
 1404 	* New x86_64 implementations of AES and SHA1. On a 2.2 GHz
 1405           opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at
 1406           110 MByte/s.
 1408 	* Performance of AES increased by 20-30% on x86.
 1410 	* New programs in the examples directory: erathostenes and
 1411           next-prime.
 1413 NEWS for the 1.15 release
 1415 	Added support for PKCS#1 style RSA signatures using SHA256,
 1416 	according to RFC 3447. Currently lacks interoperability
 1417 	testing.
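	What the signature support here, the rsa_*_sign return values
	in 2.1 and the DigestInfo interface in 2.5 are built on is the
	EMSA-PKCS1-v1_5 encoding of RFC 3447. The following is an added
	example of that encoding for SHA-256, not Nettle's own code: the
	function names are invented for it, the caller supplies the
	32-byte digest, and the sample digest used by the self-test is
	constructed, not a real hash. No RSA operation is performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Nettle's own code: EMSA-PKCS1-v1_5 encoding
   (RFC 3447, section 9.2) for a SHA-256 digest.  Function names are
   invented for this example; the digest is computed by the caller. */

#define SHA256_DIGEST_SIZE 32

/* DER DigestInfo prefix for SHA-256: SEQUENCE { SEQUENCE { OID
   2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING of 32 bytes }.  The
   hash value follows these 19 bytes, giving T of 51 bytes. */
static const uint8_t sha256_prefix[19] = {
  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
  0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Builds EM = 0x00 || 0x01 || PS || 0x00 || T into em, where k is the
   RSA modulus size in bytes and PS is k - 54 bytes of 0xff.  Returns 1
   on success and 0 when the key is too small: RFC 3447 demands at
   least 8 padding bytes, i.e. k >= 51 + 11 = 62.  This is the "key is
   too small for the type of signature" condition whose return value
   the 2.1 notes say callers must check. */
int pkcs1_sha256_encode(size_t k, uint8_t *em,
                        const uint8_t digest[SHA256_DIGEST_SIZE])
{
  const size_t t_len = sizeof sha256_prefix + SHA256_DIGEST_SIZE;
  size_t ps_len;

  if (k < t_len + 11)
    return 0;
  ps_len = k - t_len - 3;

  em[0] = 0x00;
  em[1] = 0x01;
  memset(em + 2, 0xff, ps_len);
  em[2 + ps_len] = 0x00;
  memcpy(em + 3 + ps_len, sha256_prefix, sizeof sha256_prefix);
  memcpy(em + 3 + ps_len + sizeof sha256_prefix, digest,
         SHA256_DIGEST_SIZE);
  return 1;
}

/* Verifier side: rather than parsing padding out of a candidate EM
   (the lenient-parsing route behind Bleichenbacher's 2006 forgery
   against small-exponent keys), rebuild the single acceptable
   encoding for this digest and compare every byte without an early
   exit.  Returns 1 if em matches, 0 otherwise. */
int pkcs1_sha256_check(size_t k, const uint8_t *em,
                       const uint8_t digest[SHA256_DIGEST_SIZE])
{
  uint8_t expected[1024];   /* enough for keys up to 8192 bits */
  unsigned diff = 0;
  size_t i;

  if (k > sizeof expected || !pkcs1_sha256_encode(k, expected, digest))
    return 0;
  for (i = 0; i < k; i++)
    diff |= em[i] ^ expected[i];
  return diff == 0;
}

/* Constructed sample digest for the self-test below (not a real hash). */
void sample_digest(uint8_t digest[SHA256_DIGEST_SIZE])
{
  size_t i;
  for (i = 0; i < SHA256_DIGEST_SIZE; i++)
    digest[i] = (uint8_t) i;
}

/* Round trip with a 1024-bit modulus (k = 128): returns 0 on success,
   otherwise the number of the first failing step. */
int pkcs1_sha256_selftest(void)
{
  uint8_t d[SHA256_DIGEST_SIZE], em[128];

  sample_digest(d);
  if (!pkcs1_sha256_encode(128, em, d)) return 1;
  /* layout: 00 01, 74 bytes ff at 2..75, 00 at 76, prefix 77..95, hash 96..127 */
  if (em[0] != 0x00 || em[1] != 0x01 || em[2] != 0xff || em[75] != 0xff) return 2;
  if (em[76] != 0x00 || em[77] != 0x30 || em[95] != 0x20) return 3;
  if (em[96] != 0x00 || em[127] != 0x1f) return 4;
  if (!pkcs1_sha256_check(128, em, d)) return 5;
  em[50] ^= 0x01;                     /* corrupt one padding byte */
  if (pkcs1_sha256_check(128, em, d)) return 6;
  em[50] ^= 0x01;
  d[0] ^= 0x80;                       /* a different message digest */
  if (pkcs1_sha256_check(128, em, d)) return 7;
  d[0] ^= 0x80;
  if (pkcs1_sha256_encode(61, em, d)) return 8;   /* too small: 7 bytes of PS */
  if (!pkcs1_sha256_encode(62, em, d)) return 9;  /* minimum: 8 bytes of PS */
  return 0;
}
```

	In a real signer, em is then interpreted as a big-endian integer
	and raised to the private exponent; in a verifier the public
	operation produces a candidate em which pkcs1_sha256_check
	compares against the only encoding that is valid for the digest
	in hand, so stray bytes after the hash or a short padding string
	can never be accepted.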
 1419 	Header files are now C++ aware, so C++ programs using Nettle
 1420 	should now use plain
 1422 	  #include <nettle/foo.h>
 1424 	rather than
 1426 	  extern "C" {
 1427 	  #include <nettle/foo.h>
 1428 	  }
 1430 	as was the recommendation for the previous version. This
 1431 	breaks source-level compatibility with C++, even though
 1432 	there's full binary compatibility.
 1434 	The file rfc1750.txt (which is considered non-free by debian)
 1435 	has been removed from the distribution. The file was used as input
 1436 	for the Yarrow testcase, and has been replaced by the short
 1437 	story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is
 1438 	obsoleted by RFC 4086.
 1440 	Fixes for Darwin shared library support, contributed by Grant
 1441 	Robinsson.
 1443 	Example programs now use a supplied getopt.c.
 1445 	Configure tests for assemblers with a logarithmic .align
 1446 	directive.
 1448 	The library is intended to be upwards binary compatible with
 1449 	earlier versions. The library name is libnettle.so.2.6, soname
 1450 	is still libnettle.so.2.
 1452 NEWS for the 1.14 release
 1454 	Experimental support for reading keys in PKCS#1 ASN1/DER
 1455 	format, and a new command line tool pkcs1-conv.
 1457 	Improved MD5 performance on x86.
 1459 	Fixed support for sparc64.
 1461 	Reorganized AES code. Better performance for all three
 1462 	implementations (C, x86 assembler, sparc assembler).
 1464 	New sparc assembler for arcfour. Compared to the code
 1465 	generated by gcc, the new code is about 25% faster on old
 1466 	sparcs, and 6 times faster on ultrasparc.
 1468 	Replaced the internal function nettle_mpz_from_octets with a
 1469 	call to mpz_import, if available in the installed GMP library.
 1471 	More Makefile fixes; it now seems to work to build with
 1472 	the make programs on Solaris and FreeBSD (although
 1473 	--disable-dependency-tracking is required for the latter).
 1475 	The library is intended to be binary compatible with earlier
 1476 	versions. The library name is libnettle.so.2.5, soname is
 1477 	still libnettle.so.2.
 1479 NEWS for the 1.13 release
 1481 	Fixed problem with broken m4 on bsd, which resulted in
 1482 	corrupted x86 assembler for sha1.
 1484 	Nettle probably works on windows: I've been able to cross
 1485 	compile it with ./configure --host=i586-mingw32msvc (without
 1486 	public-key support), and the testsuite binaries seem to run
 1487 	fine in Wine.
 1489 	Implemented CTR mode.
 1491 	Improved sha1 performance on x86.
 1493 	Configure check to figure out if symbols in assembler files
 1494 	need a leading underscore.
 1496 	Improved benchmark program. Displays cycles per byte and block,
 1497 	and compares with openssl (if openssl is installed).
 1499 	Terminating newline in output from sexp-conv --hash.
 1501 	The library is intended to be binary compatible with earlier
 1502 	versions. The library name is libnettle.so.2.4. However, the
 1503 	interface for the internal function _nettle_sha1_compress has
 1504 	changed; any program that calls this function directly will
 1505 	break.
 1507 NEWS for the 1.12 release
 1509 	Fixed a bug in the configure script.
 1511 	Updated the description of aes_set_encrypt_key and
 1512 	aes_set_decrypt_key in the manual.
 1514 NEWS for the 1.11 release
 1516 	Nettle no longer uses automake. Side effects:
 1518 	  * Dependency tracking is enabled only for gcc-3 (help with
 1519 	    supporting dependency tracking with other compilers is
 1520 	    appreciated).
 1522 	  * Makefile compatibility with make programs other than GNU
 1523 	    make is mostly unknown, please report any problems.
 1525 	Support for arctwo.
 1527 	Fixes to the libdes compatibility code. Declarations should
 1528 	now match openssl/libdes better. des_cbc_cksum pads
 1529 	input with NUL's, if it's not an integral number of blocks (in
 1530 	general, such unreversible padding is a bad idea).
 1532 	By default, also the static library is compiled as position
 1533 	independent code. This is needed on some systems to make it
 1534 	possible to link nettle into a dynamically loaded module. Use
 1535 	the configure flag --disable-pic if this is not desired.
 1537 	Stricter constness typing for the sexp_iterator_assoc and
 1538 	sexp_iterator_check_types arguments.
 1540 	Minor tweaks of arcfour on x86 CPUs, to speed it up on older
 1541 	x86 variants such as PII and PPro.
 1543 	The shared library is intended to be binary compatible with
 1544 	nettle-1.8 - nettle-1.10. Only the minor version number of the
 1545 	shared library is increased. The soname is still
 1546 	libnettle.so.2.
 1548 NEWS for the 1.10 release
 1550 	Nettle should now compile also on Tru64, Darwin, FreeBSD and
 1551 	Windows. (The only tested windows build uses the rntcl rsh
 1552 	wrapper to run the command line M$ C compiler "cl". See
 1553 	http://pike.ida.liu.se for those tools, I don't know all
 1554 	details about the Pike team's windows setup).
 1556 	There are some known testsuite failures, on Windows and on one
 1557 	of the xenofarm HPUX machines, see
 1558 	http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help
 1559 	tracking these down is appreciated.
 1561 	There are no new features.
 1563 	This release is intended to be binary compatible with
 1564 	nettle-1.8 and nettle-1.9.
 1566 NEWS for the 1.9 release
 1568 	Optimized C implementation of arcfour. Optimized x86
 1569 	implementations of arcfour and sha1.
 1571 	Improved benchmark program.
 1573 	Fixed bug in the rsa-encrypt example program.
 1575 	Fixed bug in make install, some of the header files were
 1576 	forgotten.
 1578 	Portability fixes. Fixes to make Nettle compile on systems
 1579 	without gmp. This version has been tested on GNU/Linux,
 1580 	Solaris, HPUX and AIX.
 1582 	The shared library is intended to be binary compatible with
 1583 	nettle-1.8. Only the minor version number of the shared
 1584 	library is increased.
 1586 NEWS for the 1.8 release
 1588 	New example programs, demonstrating encrypting and decrypting
 1589 	files using RSA, and random session keys for bulk encryption
 1590 	and message authentication.
 1592 	Support for systems that don't have alloca. On such systems,
 1593 	some of Nettle's functions have arbitrary limits applied to
 1594 	their input.
 1596 	Uses AX_CREATE_STDINT_H, to support systems without
 1597 	inttypes.h.
 1599 	Support for the md2 and md4 hash functions.
 1601 	New name mangling, to reduce the risk of link collisions. All
 1602 	functions (except memxor) now use a nettle_ or _nettle_ prefix
 1603 	when seen by the linker. For most functions, the header file
 1604 	that declares a function also uses #define to provide a
 1605 	shorter, more readable name without the prefix.
 1607 	The shared library soname for this version is libnettle.so.2.
 1609 NEWS for the 1.7 release
 1611 	Implemented DSA.
 1613 	Renamed RSA functions for consistency. Now it's
 1614 	rsa_public_key_init, not rsa_init_public_key, etc.
 1616 	Both RSA and DSA now have sign/verify functions that take the
 1617 	hash digest as argument.
 1619 	A rewritten and much more powerful sexp-conv program.
 1621 	Other changes to the sexp code, in particular updating it to
 1622 	the latest SPKI draft.
 1624 	Building nettle as a shared library (ELF only) seems to work.
 1625 	The version number is increased, so the library "soname" for
 1626 	this release is "libnettle.so.1".
 1628 	Bugfixes. Fixes for build and portability problems.
 1630 NEWS for the 1.6 release
 1632 	Optimized assembler implementations of aes, for sparc and x86.
 1634 	The aes interface has changed slightly. The function
 1635 	aes_set_key is no more. Instead one has to use
 1636 	aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that. 
 1638 	New example programs, rsa-keygen, rsa-sign and rsa-verify,
 1639 	located in the examples directory.
 1641 	New configure option --enable-shared, which builds a shared
 1642 	library. Not tested.
 1644 	New experimental features, including sexp parsing and
 1645 	formatting, and changes to base64 encoding and decoding. The
 1646 	interfaces to these functions are subject to change, and are
 1647 	documented only in the source code.
 1649 NEWS for the 1.5 release
 1651 	RSA support. Key generation and signatures.
 1653 	Support for HMAC (RFC-2104).
 1655 	An implementation of the Yarrow-256 PRNG.
 1657 	New sections in the manual.
 1659 	Changed the interface for hash functions. The md5_digest
 1660 	function is now equivalent to the old sequence of md5_final,
 1661 	md5_digest, md5_init, and similarly for the other hashing
 1662 	algorithms. This makes the interface simpler.
 1664 NEWS for the 1.0 release
 1666 	Fixed twofish bug spotted by Jean-Pierre Stierlin.
 1668 	Added des3 and cbc.
 1670 	New RFC-1321-like interface in nettle/md5-compat.h, suggested
 1671 	by Assar Westerlund.
 1673 	New libdes-style compatibility interface in nettle/des-compat.h.