Member "nettle-3.7.3/NEWS" (6 Jun 2021, 60337 Bytes) of package /linux/privat/nettle-3.7.3.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "NEWS": 3.7.2_vs_3.7.3.

NEWS for the Nettle 3.7.3 release

	This is a bugfix release, fixing bugs that could make the RSA
	decryption functions crash on invalid inputs.

	Upgrading to the new version is strongly recommended. For
	applications that want to support older versions of Nettle,
	the bug can be worked around by adding a check that the RSA
	ciphertext is in the range 0 < ciphertext < n, before
	attempting to decrypt it.

	Thanks to Paul Schaub and Justus Winter for reporting these
	problems.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.4 and libhogweed.so.6.4, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix crash for zero input to rsa_sec_decrypt and
	  rsa_decrypt_tr. Potential denial of service vector.

	* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
	  failure for out of range inputs, instead of either crashing,
	  or silently reducing input modulo n. Potential denial of
	  service vector.

	* Ensure that rsa_decrypt returns failure for out of range
	  inputs, instead of silently reducing input modulo n.

	* Ensure that rsa_sec_decrypt returns failure if the message
	  size is too large for the given key. Unlike the other bugs,
	  this would typically be triggered by invalid local
	  configuration, rather than by processing untrusted remote
	  data.

NEWS for the Nettle 3.7.2 release

	This is a bugfix release, fixing a bug in ECDSA signature
	verification that could lead to a denial of service attack
	(via an assertion failure) or possibly incorrect results. It
	also fixes a few related problems where scalars are required
	to be canonically reduced modulo the ECC group order, but in
	fact may be slightly larger.

	Upgrading to the new version is strongly recommended.

	Even when no assert is triggered in ecdsa_verify, ECC point
	multiplication may get invalid intermediate values as input,
	and produce incorrect results. It's trivial to construct
	alleged signatures that result in invalid intermediate values.
	It appears difficult to construct an alleged signature that
	makes the function misbehave in such a way that an invalid
	signature is accepted as valid, but such attacks can't be
	ruled out without further analysis.

	Thanks to Guido Vranken for setting up the fuzzer tests that
	uncovered this problem.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.3 and libhogweed.so.6.3, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fixed bug in ecdsa_verify, and added a corresponding test
	  case.

	* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

	* Similar fixes to eddsa signatures. The problem is less severe
	  for these curves, because (i) the potentially out of range
	  value is derived from output of a hash function, making it
	  harder for the attacker to hit the narrow range of
	  problematic values, and (ii) the ecc operations are
	  inherently more robust, and my current understanding is that
	  unless the corresponding assert is hit, the verify
	  operation should complete with a correct result.

	* Fix to ecdsa_sign, which with a very low probability could
	  return out of range signature values, which would be
	  rejected immediately by a verifier.

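The workaround recommended for the 3.7.3 RSA bugs (reject a ciphertext unless 0 < ciphertext < n) and the canonical-reduction requirement behind the 3.7.2 ECDSA fixes (each of r and s must satisfy 0 < x < group order) are the same check applied to different values, and an application can perform it on the wire encoding before the value ever reaches the library. The C below is an added example written for this page, not Nettle code: it compares big-endian octet strings as integers, with leading zeros stripped so that encodings of different lengths compare correctly, and runs the check over constructed sample values (the "modulus" is a tiny placeholder, not a real key). Once the value has been converted to an mpz_t, the equivalent check in a Nettle caller is mpz_sgn(c) > 0 && mpz_cmp(c, pub->n) < 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Skip leading zero octets so that values of different encoded
 * lengths compare as integers (a 257-octet ciphertext with a leading
 * zero is the same integer as its 256-octet form). */
static void
skip_leading_zeros(const uint8_t **p, size_t *len)
{
  while (*len > 0 && **p == 0)
    {
      (*p)++;
      (*len)--;
    }
}

/* Compare two unsigned big-endian integers; returns -1, 0 or 1.
 * Deliberately not constant-time: a ciphertext, a signature and the
 * public modulus or group order are all public values, so the
 * branches here reveal nothing secret. */
int
be_int_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
  size_t i;
  skip_leading_zeros(&a, &alen);
  skip_leading_zeros(&b, &blen);
  if (alen != blen)
    return alen < blen ? -1 : 1;
  for (i = 0; i < alen; i++)
    if (a[i] != b[i])
      return a[i] < b[i] ? -1 : 1;
  return 0;
}

/* The pre-check from the 3.7.3 notes: accept x only if 0 < x < m.
 * Use m = the RSA modulus n for a ciphertext, or m = the group order
 * for each ECDSA signature component (the canonical reduction the
 * 3.7.2 notes require). Returns 1 if in range, 0 otherwise. */
int
in_range_exclusive(const uint8_t *x, size_t xlen,
                   const uint8_t *m, size_t mlen)
{
  const uint8_t zero = 0;
  return be_int_cmp(x, xlen, &zero, 1) > 0
      && be_int_cmp(x, xlen, m, mlen) < 0;
}

/* Convenience wrapper for an (r, s) ECDSA signature against order q. */
int
ecdsa_sig_in_range(const uint8_t *r, size_t rlen,
                   const uint8_t *s, size_t slen,
                   const uint8_t *q, size_t qlen)
{
  return in_range_exclusive(r, rlen, q, qlen)
      && in_range_exclusive(s, slen, q, qlen);
}

/* Constructed sample values for illustration only; a real RSA modulus
 * or curve order is far larger. */
const uint8_t sample_n[]     = { 0xC1, 0x00, 0x01 };       /* placeholder "modulus" */
const uint8_t ct_zero[]      = { 0x00, 0x00, 0x00 };       /* 0: reject */
const uint8_t ct_one[]       = { 0x00, 0x00, 0x01 };       /* 1: accept */
const uint8_t ct_padded_ok[] = { 0x00, 0xC1, 0x00, 0x00 }; /* 4-octet form of 0xC10000 < n: accept */
const uint8_t ct_equal_n[]   = { 0xC1, 0x00, 0x01 };       /* == n: reject (would reduce to 0) */
const uint8_t ct_above_n[]   = { 0x01, 0x00, 0x00, 0x00 }; /* > n: reject (would be reduced mod n) */

int
main(void)
{
  printf("zero      -> %d\n", in_range_exclusive(ct_zero, sizeof ct_zero, sample_n, sizeof sample_n));
  printf("one       -> %d\n", in_range_exclusive(ct_one, sizeof ct_one, sample_n, sizeof sample_n));
  printf("padded ok -> %d\n", in_range_exclusive(ct_padded_ok, sizeof ct_padded_ok, sample_n, sizeof sample_n));
  printf("equal n   -> %d\n", in_range_exclusive(ct_equal_n, sizeof ct_equal_n, sample_n, sizeof sample_n));
  printf("above n   -> %d\n", in_range_exclusive(ct_above_n, sizeof ct_above_n, sample_n, sizeof sample_n));
  return 0;
}
```
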
NEWS for the Nettle 3.7.1 release

	This is primarily a bug fix release, fixing a couple of
	problems found in Nettle-3.7.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.2 and libhogweed.so.6.2, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fix bug in chacha counter update logic. The problem affected
	  ppc64 and ppc64el, with the new altivec assembly code
	  enabled. Reported by Andreas Metzler, after breakage in
	  GnuTLS tests on ppc64.

	* Support for big-endian ARM platforms has been restored.
	  Fixes contributed by Michael Weiser.

	* Fix build problem on OpenBSD/powerpc64, reported by Jasper
	  Lievisse Adriaanse.

	* Fix corner case bug in ECDSA verify; it would produce an
	  incorrect result in the unlikely case of an all-zero
	  message hash. Reported by Guido Vranken.

	New features:

	* Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512,
	  contributed by Nicolas Mora.

	Miscellaneous:

	* Poorly performing ARM Neon code for doing single-block
	  Salsa20 and Chacha has been deleted. The code to do two or
	  three blocks in parallel, introduced in Nettle-3.7, is
	  unchanged.

NEWS for the Nettle 3.7 release

	This release adds one new feature, the bcrypt password hashing
	function, and lots of optimizations. There's also one
	important change to how Nettle is configured: Fat builds are
	now on by default.

	The release adds PowerPC64 assembly for a few algorithms,
	resulting in great speedups. Benchmarked on a Power9 machine,
	speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5
	times for Chacha. For fat builds (now the default), the new
	code is used automatically, on processors supporting the needed
	instruction set extensions.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.1 and libhogweed.so.6.1, with sonames
	libnettle.so.8 and libhogweed.so.6.

	New features:

	* Support for bcrypt, contributed by Stephen R. van den Berg.

	Optimizations:

	* Much faster AES and GCM on PowerPC64 processors supporting
	  the corresponding crypto extensions. Contributed by Mamone
	  Tarsha.

	* Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon.

	* Speed of Salsa20 improved on x86_64 and ARM Neon.

	* Overhaul of some elliptic curve primitives, improving ECDSA
	  signature speed.

	Configure:

	* Fat builds are enabled by default on the architectures where
	  it is supported (x86_64, arm and powerpc64). To disable
	  runtime selection, and instead specify the processor flavor
	  at configure time, you need to pass --disable-fat to the
	  configure script.

	Known issues:

	* The ARM assembly code in this release doesn't work correctly
	  on big-endian ARM systems. This will hopefully be fixed in a
	  later release.

	Miscellaneous:

	* Use a few more gmp-6.1 functions: mpn_cnd_add_n,
	  mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal
	  Nettle functions.

	* Convert all assembly files to use the default m4 quote
	  characters.

NEWS for the Nettle 3.6 release

	This release adds a couple of new features, most notable being
	support for ED448 signatures.

	It is not binary compatible with earlier releases. The shared
	library names are libnettle.so.8.0 and libhogweed.so.6.0, with
	sonames libnettle.so.8 and libhogweed.so.6. The changed
	sonames are mainly to avoid upgrade problems with recent
	GnuTLS versions, that depend on Nettle internals outside of
	the advertised ABI. But also because of the removal of
	internal poly1305 functions which were undocumented but
	declared in an installed header file, see Interface changes
	below.

	New features:

	* Support for Curve448 and ED448 signatures. Contributed by
	  Daiki Ueno.

	* Support for SHAKE256 (SHA3 variant with arbitrary output
	  size). Contributed by Daiki Ueno.

	* Support for SIV-CMAC (Synthetic Initialization Vector) mode,
	  contributed by Nikos Mavrogiannopoulos.

	* Support for CMAC64, contributed by Dmitry Baryshkov.

	* Support for the "CryptoPro" variant of the GOST hash
	  function, as gosthash94cp. Contributed by Dmitry Baryshkov.

	* Support for GOST DSA signatures, including GOST curves
	  gc256b and gc512a. Contributed by Dmitry Baryshkov.

	* Support for Intel CET in x86 and x86_64 assembly files, if
	  enabled via CFLAGS (gcc -fcf-protection=full). Contributed
	  by H.J. Lu and Simo Sorce.

	* A few new functions to improve support for the Chacha
	  variant with 96-bit nonce and 32-bit block counter (the
	  existing functions use nonce and counter of 64-bit each),
	  and functions to set the counter. Contributed by Daiki Ueno.

	* New interface, struct nettle_mac, for MAC (message
	  authentication code) algorithms. This abstraction is only
	  for MACs that don't require a per-message nonce. For HMAC,
	  the key size is fixed, and equal to the digest size of the
	  underlying hash function.

	Bug fixes:

	* Fix bug in cfb8_decrypt. Previously, the IV was not updated
	  correctly in the case of input data shorter than the block
	  size. Reported by Stephan Mueller, fixed by Daiki Ueno.

	* Fix configure check for __builtin_bswap64, the incorrect
	  check would result in link errors on platforms missing this
	  function. Patch contributed by George Koehler.

	* All use of old-fashioned suffix rules in the Makefiles has
	  been replaced with %-pattern rules. Nettle's use of suffix
	  rules in earlier versions depended on undocumented GNU make
	  behavior, which is being deprecated in GNU make 4.3.

	  Building with other make programs than GNU make is untested
	  and unsupported. (Building with BSD make or Solaris make
	  used to work years ago, but has not been tested recently).

	Interface changes:

	* Declarations of internal poly1305 functions have been
	  removed from the header file poly1305.h, to make it clear
	  that they are not part of the advertised API or ABI.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 6.1.0 or later (unless --enable-mini-gmp is used).

	* A fair amount of changes to ECC internals, with a few
	  deleted and a few new fields in the internal struct
	  ecc_curve. Files and functions have been renamed to more
	  consistently match the curve name, e.g., ecc-256.c has been
	  renamed to ecc-secp256r1.c.

	* Documentation for chacha-poly1305 updated. It is no longer
	  experimental. The implementation was updated to follow RFC
	  8439 in Nettle-3.1, but that was not documented or announced
	  at the time.

NEWS for the Nettle 3.5.1 release

	Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. The
	new directory x86_64/sha_ni was missing in the tar file,
	breaking x86_64 builds with --enable-fat, and producing worse
	performance than promised for builds with --enable-x86-sha-ni.
	Also a few unused in-progress assembly files were accidentally
	included in the tar file.

	These problems are corrected in Nettle-3.5.1. There are no
	other changes, and also the library version numbers are
	unchanged.

NEWS for the Nettle 3.5 release

	This release adds a couple of new features and optimizations,
	and deletes or deprecates a few obsolete features. It is *not*
	binary (ABI) compatible with earlier versions. Except for
	deprecations listed below, it is intended to be fully
	source-level (API) compatible with Nettle-3.4.1.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0, with sonames libnettle.so.7 and
	libhogweed.so.5.

	Changes in behavior:

	* Nettle's gcm_crypt will now call the underlying block cipher
	  to process more than one block at a time. This is not a
	  change to the documented behavior, but unfortunately breaks
	  assumptions accidentally made in GnuTLS, up to and including
	  version 3.6.1.

	New features:

	* Support for CFB8 (Cipher Feedback Mode, processing a single
	  octet per block cipher operation), contributed by Dmitry
	  Eremin-Solenikov.

	* Support for CMAC (RFC 4493), contributed by Nikos
	  Mavrogiannopoulos.

	* Support for XTS mode, contributed by Simo Sorce.

	Optimizations:

	* Improved performance of the x86_64 AES implementation using
	  the aesni instructions. Gives a large speedup for operations
	  processing multiple blocks at a time (including CTR mode,
	  GCM mode, and CBC decrypt, but *not* CBC encrypt).

	* Improved performance for CTR mode, for the common case of
	  16-byte block size. Pass more data at a time to underlying
	  block cipher, and fill the counter blocks more efficiently.
	  Extension to also handle GCM mode efficiently contributed
	  by Nikos Mavrogiannopoulos.

	* New x86_64 implementation of sha1 and sha256, for processors
	  supporting the sha_ni instructions. Speedup of 3-5 times on
	  affected processors.

	* Improved parameters for the precomputation of tables used
	  for ecc signatures. Roughly 10%-15% speedup of the ecdsa
	  sign operation using the secp_256r1, secp_384r1 and
	  secp_521r1 curves, and 25% speedup of ed25519 sign
	  operation, benchmarked on x86_64. Table sizes unchanged,
	  around 16 KB per curve.

	* In ARM fat builds, automatically select Neon implementation
	  of Chacha, where possible. Contributed by Yuriy M.
	  Kaminskiy.

	Deleted features:

	* The header file des-compat.h and everything declared therein
	  has been deleted, as announced earlier. This file provided a
	  subset of the old libdes/ssleay/openssl interface for DES
	  and triple-DES. DES is still supported, via the functions
	  declared in des.h.

	* Functions using the old struct aes_ctx have been marked as
	  deprecated. Use the fixed key size interface instead, e.g.,
	  struct aes256_ctx, introduced in Nettle-3.0.

	* The header file nettle-stdint.h, and corresponding autoconf
	  tests, have been deleted. Nettle now requires that the
	  compiler/libc provides <stdint.h>.

	Miscellaneous:

	* Support for big-endian ARM systems, contributed by Michael
	  Weiser.

	* The programs aesdata, desdata, twofishdata, shadata and
	  gcmdata are no longer built by default. Makefile
	  improvements contributed by Jay Foad.

	* The "example" program examples/eratosthenes.c has been
	  deleted.

	* The contents of hash context structs, and the deprecated
	  aes_ctx struct, have been reorganized, to enable later
	  optimizations.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0.

NEWS for the Nettle 3.4.1 release

	This release fixes a few bugs, and makes the RSA private key
	operations side channel silent. The RSA improvements are
	contributed by Simo Sorce and Red Hat, and include one new
	public function, rsa_sec_decrypt, see below.

	All functions using RSA private keys are now side-channel
	silent, meaning that they try hard to avoid any branches or
	memory accesses depending on secret data. This applies both to
	the bignum calculations, which now use GMP's mpn_sec_* family
	of functions, and the processing of PKCS#1 padding needed for
	RSA decryption.

	Nettle's ECC functions were already side-channel silent, while
	the DSA functions still aren't. There's also one caveat
	regarding the improved RSA functions: due to small table
	lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
	lowest and highest few bits of the secret factors p and q may
	still leak. I'm not aware of any attacks on RSA where knowing
	a few bits of the factors makes a significant difference. This
	leak will likely be plugged in later GMP versions.

	Changes in behavior:

	* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
	  all of the provided message buffer, independent of the
	  actual message length. They are side-channel silent, in that
	  branches and memory accesses don't depend on the validity or
	  length of the message. Side-channel leakage from the
	  caller's use of length and return value may still provide an
	  oracle useable for a Bleichenbacher-style chosen ciphertext
	  attack, which is why the new function rsa_sec_decrypt is
	  recommended.

	New features:

	* A new function rsa_sec_decrypt. It differs from
	  rsa_decrypt_tr in that the length of the decrypted message
	  is given a priori, and PKCS#1 padding indicating a different
	  length is treated as an error. For applications that may be
	  subject to chosen ciphertext attacks, it is recommended to
	  initialize the message area with random data, call this
	  function, and ignore the return value. This applies in
	  particular to RSA-based key exchange in the TLS protocol.

	Bug fixes:

	* Fix bug in pkcs1-conv, missing break statements in the
	  parsing of PEM input files.

	* Fix link error on the pss-mgf1-test test, affecting builds
	  without public key support.

	Performance regression:

	* All RSA private key operations employing RSA blinding, i.e.,
	  rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
	  rsa_compute_root_tr, are significantly slower. This is
	  because (i) RSA blinding now uses side-channel silent
	  operations, (ii) blinding includes a modular inversion, and
	  (iii) side-channel silent modular inversion, implemented as
	  mpn_sec_invert, is very expensive. A 60% slowdown for
	  2048-bit RSA keys has been measured.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 6.0 or later (unless --enable-mini-gmp is used).

	The shared library names are libnettle.so.6.5 and
	libhogweed.so.4.5, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.4 release

	This release fixes bugs and adds a few new features. It also
	addresses an ABI compatibility issue affecting Nettle-3.1 and
	later, see below.

	Bug fixes:

	* Fixed an improper use of GMP mpn_mul, breaking curve25519 and
	  eddsa on certain platforms. Reported by Sergei Trofimovich.

	* Fixed memory leak when handling invalid signatures in
	  ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.

	* Fix compilation error with --enable-fat on ARM. Fix
	  contributed by Andreas Schneider.

	* Reorganized the way certain data items are made available.

	  Short version: Nettle header files now define the symbols
	  nettle_hashes, nettle_ciphers, and nettle_aeads, as
	  preprocessor macros invoking a corresponding accessor
	  function. For backwards ABI compatibility, the symbols are
	  still present in the compiled libraries, and with the same
	  sizes as in nettle-3.3.

	New features:

	* Support for RSA-PSS signatures, contributed by Daiki Ueno.

	* Support for the HKDF key derivation function, defined by RFC
	  5869. Contributed by Nikos Mavrogiannopoulos.

	* Support for the Cipher Feedback Mode (CFB), contributed by
	  Dmitry Eremin-Solenikov.

	* New accessor functions: nettle_get_hashes,
	  nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
	  nettle_get_secp_224r1, nettle_get_secp_256r1,
	  nettle_get_secp_384r1, nettle_get_secp_521r1.

	  For source-level compatibility with future versions,
	  applications are encouraged to migrate to using these
	  functions instead of referring to the corresponding data
	  items directly.

	Miscellaneous:

	* The base16 and base64 functions now use the type char * for
	  ascii data, rather than uint8_t *. This eliminates the last
	  pointer-signedness warnings when building Nettle. This is a
	  minor API change, and applications may need to be adjusted,
	  but the ABI is unaffected on all platforms I'm aware of.

	* The contents of the header file nettle/version.h are now
	  architecture independent, except in --enable-mini-gmp
	  configurations.

	ABI issue:

	  Since the breakage was a bit subtle, let me document it
	  here. The nettle and hogweed libraries export a couple of
	  data symbols, and for some of these, the size was never
	  intended to be part of the ABI. E.g.,

	    extern const struct nettle_hash * const nettle_hashes[];

	  which is a NULL-terminated array.

	  It turns out the sizes nevertheless may leak into the ABI, and
	  that increasing the sizes can break old executables linked
	  with a newer version of the library.

	  When linking a classic non-PIE executable with a shared
	  library, we get ELF relocations of type R_X86_64_COPY for
	  references to data items. These mean that the linker allocates
	  space for the data item in the data segment of the executable,
	  at a fixed address determined at link-time, and with size
	  extracted from the version of the .so-file seen when linking.

	  At load time, the run time linker then copies the contents of
	  the symbol from the .so file to that location, and uses the
	  copy instead of the version loaded with the .so-file. And if
	  the data item in the .so file used at load time is larger than
	  the data item seen at link time, it is silently truncated in
	  the process.

	  So when SHA3 hashes were added to the nettle_hashes array
	  in the nettle-3.3 release, this way of linking produces a
	  truncated array at load time, no longer NULL-terminated.

	  We will get similar problems for planned extensions of the
	  internal struct ecc_curve, and exported data items like

	    extern const struct ecc_curve nettle_secp_256r1;

	  where the ecc_curve struct is only forward declared in the
	  public headers. To prepare, applications should migrate to
	  using the new function nettle_get_secp_256r1, and similarly
	  for the other curves.

	  In some future version, the plan is to add a leading
	  underscore to the name of the actual data items. E.g.,
	  nettle_hashes --> _nettle_hashes, breaking the ABI, while
	  keeping the nettle_get_hashes function and the nettle_hashes
	  macro as the supported ways to access it. We will also
	  rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
	  both ABI and API.

	  Note that data items like nettle_sha256 are *not* affected,
	  since the size and layout of this struct is considered part
	  of the ABI, and R_X86_64_COPY-relocations then work fine.

	The shared library names are libnettle.so.6.4 and
	libhogweed.so.4.4, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.3 release

	This release fixes a couple of bugs, and improves resistance
	to side-channel attacks on RSA and DSA private key operations.

	Changes in behavior:

	* Invalid private RSA keys, with an even modulus, are now
	  rejected by rsa_private_key_prepare. (Earlier versions
	  allowed such keys, even if results of using them were bogus).

	  Nettle applications are required to call
	  rsa_private_key_prepare and check the return value, before
	  using any other RSA private key functions; failing to do so
	  may result in crashes for invalid private keys. As a
	  workaround for versions of Gnutls which don't use
	  rsa_private_key_prepare, additional checks for even moduli
	  are added to the rsa_*_tr functions which are used by all
	  recent versions of Gnutls.

	* Ignore bit 255 of the x coordinate of the input point to
	  curve25519_mul, as required by RFC 7748. To differentiate at
	  compile time, curve25519.h defines the constant
	  NETTLE_CURVE25519_RFC7748.

	Security:

	* RSA and DSA now use side-channel silent modular
	  exponentiation, to defend against attacks on the private key
	  from evil processes sharing the same processor cache. This
	  attack scenario is of particular relevance when running an
	  HTTPS server on a virtual machine, where you don't know who
	  you share the cache hardware with.

	  (Private key operations on elliptic curves were already
	  side-channel silent).

	Bug fixes:

	* Fix sexp-conv crashes on invalid input. Reported by Hanno
	  Böck.

	* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
	  Mavrogiannopoulos.

	* Fix a couple of formally undefined shift operations,
	  reported by Nikos Mavrogiannopoulos.

	* Fix compilation with c89. Reported by Henrik Grubbström.

	New features:

	* New function memeql_sec, for side-channel silent comparison
	  of two memory areas.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 5.0 or later (unless --enable-mini-gmp is used).

	* Filenames of Windows DLL libraries now include the major
	  number only. So the dll names change at the same time as the
	  corresponding soname on ELF platforms. Fixed by Nikos
	  Mavrogiannopoulos.

	* Eliminate most pointer-signedness warnings. In the process,
	  the strings representing expression type for sexp_iterator
	  functions were changed from const uint8_t * to const char *.
	  These functions are undocumented, and it doesn't change the
	  ABI on any platform I'm aware of.

	The shared library names are libnettle.so.6.3 and
	libhogweed.so.4.3, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.2 release

	Bug fixes:

	* The SHA3 implementation is updated according to the FIPS 202
	  standard. It is not interoperable with earlier versions of
	  Nettle. Thanks to Nikos Mavrogiannopoulos. To easily
	  differentiate at compile time, sha3.h defines the constant
	  NETTLE_SHA3_FIPS202.

	* Fix corner-case carry propagation bugs affecting elliptic
	  curve operations on the curves secp_256r1 and secp_384r1 on
	  certain platforms, including x86_64. Reported by Hanno Böck.

	New features:

	* New functions for RSA private key operations, identified by
	  the "_tr" suffix, with better resistance to side channel
	  attacks and to hardware or software failures which could
	  break the CRT optimization. See the Nettle manual for
	  details. Initial patch by Nikos Mavrogiannopoulos.

	* New functions nettle_version_major, nettle_version_minor, as
	  a run-time variant of the compile-time constants
	  NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR.

	Optimizations:

	* New ARM Neon implementation of the chacha stream cipher.

	Miscellaneous:

	* ABI detection on mips, with improved default libdir
	  location. Contributed by Klaus Ziegler.

	* Fixes for ARM assembly syntax, to work better with the clang
	  assembler. Thanks to Jukka Ukkonen.

	* Disabled use of ifunc relocations for fat builds, to fix
	  problems most easily triggered by using dlopen RTLD_NOW.

	The shared library names are libnettle.so.6.2 and
	libhogweed.so.4.2, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.1.1 release

	This release fixes a couple of non-critical bugs.

	Bug fixes:

	* By accident, nettle-3.1 disabled the assembly code for the
	  secp_224r1 and secp_521r1 elliptic curves on all x86_64
	  configurations, making signature operations on those curves
	  10%-30% slower. This code is now re-enabled.

	* The x86_64 assembly implementation of gcm hashing has been
	  fixed to work with the Sun/Oracle assembler.

	The shared library names are libnettle.so.6.1 and
	libhogweed.so.4.1, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.

NEWS for the Nettle 3.1 release

	This release adds a couple of new features.

	The library is mostly source-level compatible with nettle-3.0.
	It is however not binary compatible, due to the introduction
	of versioned symbols, and extensions to the base64 context
	structs. The shared library names are libnettle.so.6.0 and
	libhogweed.so.4.0, with sonames libnettle.so.6 and
	libhogweed.so.4.

	Bug fixes:

	* Fixed a missing include of <limits.h>, which made the
	  camellia implementation fail on all 64-bit non-x86
	  platforms.

	* Eliminate out-of-bounds reads in the C implementation of
	  memxor (related to valgrind's --partial-loads-ok flag).

	Interface changes:

	* Declarations of many internal functions are moved from ecc.h
	  to ecc-internal.h. The functions are undocumented, and
	  luckily they're apparently also unused by applications, so I
	  don't expect any problems from this change.

	New features:

	* Support for curve25519 and for EdDSA25519 signatures.

	* Support for "fat builds" on x86_64 and arm, where the
	  implementation of certain functions is selected at run-time
	  depending on available cpu features. Configure with
	  --enable-fat to try this out. If it turns out to work well
	  enough, it will likely be enabled by default in later
	  releases.

	* Support for building the hogweed library (public key
	  support) using "mini-gmp", a small but slower implementation
	  of a subset of the GMP interfaces. Note that builds using
	  mini-gmp are *not* binary compatible with regular builds,
	  and more likely to leak side-channel information.

	  One intended use-case is for small embedded applications
	  which need to verify digital signatures.

	* The shared libraries are now built with versioned symbols.
	  This should reduce problems in case a program links
	  explicitly to nettle and/or hogweed, and to gnutls, and the
	  program and gnutls expect different versions.

	* Support for "URL-safe" base64 encoding and decoding, as
	  specified in RFC 4648. Contributed by Amos Jeffries.

	Optimizations:

	* New x86_64 implementation of AES, using the "aesni"
	  instructions. Autodetected in fat builds. In non-fat builds,
	  it has to be enabled explicitly with --enable-x86-aesni.

	Build system:

	* Use the same object files for both static and shared
	  libraries. This eliminates the *.po object files which were
	  confusing to some tools (as well as humans). Like before,
  782 	  PIC code is used by default; to build a non-pic static
  783 	  library, configure with --disable-pic --disable-shared.
  784 
  785 	Miscellaneous:
  786 
  787 	* Made type-checking hack in CBC_ENCRYPT and similar macros
  788 	  stricter, to generate warnings if they are used with
  789 	  functions which have a length argument smaller than size_t.
  790 
  791 NEWS for the Nettle 3.0 release
  792 
  793 	This is a major release, including several interface changes,
  794 	and new features, some of which are a bit experimental.
  795 	Feedback is highly appreciated.
  796 
  797 	It is *not* binary (ABI) compatible with earlier versions. It
  798 	is mostly source-level (API) compatible, with a couple of
  799 	incompatibilities noted below. The shared library names are
  800 	libnettle.so.5.0 and libhogweed.so.3.0, with sonames
  801 	libnettle.so.5 and libhogweed.so.3.
  802 	
  803 	There may be some problems in the new interfaces and new
  804 	features which really need incompatible fixes. It is likely
  805 	that there will be an update in the form of a 3.1 release in
  806 	the not too distant future, with small but incompatible
  807 	changes, and if that happens, bugfix-only releases 3.0.x are
  808 	unlikely. Users and applications which desire better API and
  809 	ABI stability are advised to stay with nettle-2.7.x (latest
  810 	version is now 2.7.1) until the dust settles.
  811 
  812 	Interface changes:
  813 
   814 	* For the many _set_key functions, it is now considered the
  815 	  normal case to have a fixed key size, with no key_size
  816 	  arguments. _set_key functions with a length parameter are
  817 	  provided only for algorithms with a truly variable keysize,
  818 	  and where it makes sense for backwards compatibility.
  819 
  820 	  INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key
  821 	  size argument. The old function is available under a new
  822 	  name, cast5_set_key.
  823 
  824 	  INCOMPATIBLE CHANGE: The function typedef
  825 	  nettle_set_key_func no longer accepts a key size argument.
  826 	  In particular, this affects users of struct nettle_cipher.
  827 
  828 	* The nettle_cipher abstraction (in nettle-meta.h) is
  829 	  restricted to block ciphers only. The encrypt and decrypt
  830 	  functions now take a const argument for the context.
  831 
  832 	  INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher
  833 	  abstraction for the arcfour stream cipher, is deleted.
  834 
  835 	  INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the
  836 	  encrypt and decrypt fields of struct nettle_cipher.
  837 
  838 	* New DSA interface, with a separate struct dsa_param to
  839 	  represent the underlying group, and generalized dsa_sign and
  840 	  dsa_verify functions which don't care about the hash
  841 	  function used. Limited backwards compatibility provided in
  842 	  dsa-compat.h.
  843 
  844 	  INCOMPATIBLE CHANGE: Declarations of the old interface,
   845 	  e.g., struct dsa_public_key, dsa_sha1_sign, etc., are moved to
  846 	  dsa-compat.h.
  847 
  848 	  INCOMPATIBLE CHANGE: The various key conversion functions,
  849 	  e.g., dsa_keypair_to_sexp, all use the new DSA interface, with
  850 	  no backwards compatible functions.
  851 
  852 	  INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new
  853 	  interface. dsa-compat.h declares a function
  854 	  dsa_compat_generate_keypair, implementing the old
  855 	  interface, and #defines dsa_generate_keypair to refer to
  856 	  this backwards compatible function.
  857 
  858 	* New AES and Camellia interfaces. There are now separate
  859 	  context structs for each key size, e.g., aes128_ctx and
  860 	  camellia256_ctx, and corresponding new functions. The old
  861 	  interface, with struct aes_ctx and struct camellia_ctx, is
  862 	  kept for backwards compatibility, but might be removed in
  863 	  later versions.
  864 
  865 	* The type of most length arguments is changed from unsigned
  866 	  to size_t. The memxor functions have their pointer arguments
  867 	  changed from uint8_t * to void *, for consistency with
  868 	  related libc functions.
  869 
  870 	* For hash functions, the constants *_DATA_SIZE have been
  871 	  renamed to *_BLOCK_SIZE. Old names kept for backwards
  872 	  compatibility.
  873 
  874 	Removed features:
  875 
  876 	* The nettle_next_prime function has been deleted.
  877 	  Applications should use GMP's mpz_nextprime instead.
  878 
  879 	* Deleted the RSAREF compatibility, including the header file
  880 	  rsa-compat.h and everything declared therein.
  881 
  882 	* Also under consideration for removal is des-compat.h and
  883 	  everything declared therein. This implements a subset of the
  884 	  old libdes/ssleay/openssl interface for DES and triple-DES,
  885 	  and it is poorly tested. If anyone uses this interface,
  886 	  please speak up! Otherwise, it will likely be removed in the
  887 	  next release.
  888 	
  889 	Bug fixes:
  890 
  891 	* Building with ./configure --disable-static now works.
  892 
  893 	* Use GMP's allocation functions for temporary storage related
  894 	  to bignums, to avoid potentially large stack allocations.
  895 
  896 	* Fixes for shared libraries on M$ Windows.
  897 
  898 	New features:
  899 
  900 	* Support for Poly1305-AES MAC.
  901 
  902 	* Support for the ChaCha stream cipher and EXPERIMENTAL
  903 	  support for the ChaCha-Poly1305 AEAD mode. Specifications
  904 	  are still in flux, and future releases may do incompatible
  905 	  changes to track standardization. Currently uses 256-bit key
  906 	  and 64-bit nonce.
  907 
  908 	* Support for EAX mode.
  909 
  910 	* Support for CCM mode. Contributed by Owen Kirby.
  911 
  912 	* Additional variants of SHA512 with output size of 224 and
  913 	  256 bits. Contributed by Joachim Strömbergson.
  914 
  915 	* New interface, struct nettle_aead, for mechanisms providing
  916 	  authenticated encryption with associated data (AEAD).
  917 
  918 	* DSA: Support a wider range for the size of q and a wider
  919 	  range for the digest size.
  920 
  921 	Optimizations:
  922 
  923 	* New x86_64 assembly for GCM and MD5. Modest speedups on the
  924 	  order of 10%-20%.
  925 
  926 	Miscellaneous:
  927 
  928 	* SHA3 is now documented as EXPERIMENTAL. Nettle currently
  929 	  implements SHA3 as specified at the time Keccak won the SHA3
  930 	  competition. However, the final standard specified by NIST
  931 	  is likely to be incompatible, in which case future releases
  932 	  may do incompatible changes to track standardization.
  933 
  934 	* The portability fix for the rotation macros, mentioned in
  935 	  NEWS for 2.7.1, actually didn't make it into that release.
  936 	  It is included now.
  937 
  938 	* cast128_set_key rewritten for clarity, also eliminating a
  939 	  couple of compiler warnings.
  940 
  941 	* New command line tool nettle-pbkdf2.
  942 
  943 NEWS for the 2.7.1 release
  944 
  945         This is a bugfix release.
  946 
  947         Bug fixes:
  948 
  949         * Fixed a bug in the new ECC code. The ecc_j_to_a function
   950           called GMP's mpn_mul_n (via ecc_modp_mul) with overlapping
  951           input and output arguments, which is not supported.
  952 
  953         * The assembly files for SHA1, SHA256 and AES depend on ARMv6
  954           instructions, breaking nettle-2.7 for pre-v6 ARM processors.
  955           The configure script now enables those assembly files only
  956           when building for ARMv6 or later.
  957           
  958         * Use a more portable C expression for rotations. The
  959           previous version used the following "standard" expression
  960           for 32-bit rotation:
  961 
  962             (x << n) | (x >> (32 - n))
  963 
  964           But this gives undefined behavior (according to the C
  965           specification) for n = 0. The rotate expression is replaced
  966           by the more portable:
  967 
  968             (x << n) | (x >> ((-n)&31))
  969 
  970           This change affects only CAST128, which uses non-constant
  971           rotation counts. Unfortunately, the new expression is poorly
  972           optimized by released versions of gcc, making CAST128 a bit
  973           slower. This is being fixed by the gcc hackers, see
  974           http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
  975           
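	The rotation change above, as an added example that is not part of
	this NEWS file or of Nettle's own code: the old and the new 32-bit
	left-rotate expressions side by side, a 64-bit reference that is
	well defined for every count, and a self-check over all counts 0..31.
	Function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* The "standard" rotation used before Nettle 2.7.1. For n == 0 the
   right shift count becomes 32, which is undefined behaviour on a
   32-bit operand: the compiler may emit anything, and building with
   -fsanitize=undefined reports "shift exponent 32 is too large". */
static uint32_t
rotl32_naive(uint32_t x, unsigned n)
{
  return (x << n) | (x >> (32 - n));
}

/* The replacement from Nettle 2.7.1: (-n) & 31 is 0 when n is 0 and
   32 - n otherwise, so both shift counts stay within 0..31. The
   caller must still keep n in 0..31. */
static uint32_t
rotl32_portable(uint32_t x, unsigned n)
{
  return (x << n) | (x >> ((-n) & 31));
}

/* Same idea with the left count masked as well, so any n is safe.
   This is the form to use when the count is data dependent, as in
   CAST128, where the rotation counts come out of the key schedule. */
static uint32_t
rotl32_masked(uint32_t x, unsigned n)
{
  n &= 31;
  return (x << n) | (x >> ((-n) & 31));
}

/* Reference rotation in 64-bit arithmetic, where a shift by 32 is
   well defined. Used only to check the 32-bit versions. */
static uint32_t
rotl32_ref(uint32_t x, unsigned n)
{
  uint64_t w = x;
  return (uint32_t) ((w << n) | (w >> (32 - n)));
}

/* Returns 1 if rotl32_portable and rotl32_masked agree with the
   reference for all counts 0..31, and rotl32_naive agrees with them
   on the counts where it is defined (1..31). Returns 0 on the first
   mismatch. Constructed sample values. */
int
rotl32_selfcheck(void)
{
  static const uint32_t samples[] = {
    0x00000000u, 0x00000001u, 0x80000000u, 0x12345678u,
    0xdeadbeefu, 0xffffffffu
  };
  size_t i;
  unsigned n;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    for (n = 0; n < 32; n++)
      {
        uint32_t x = samples[i];
        if (rotl32_portable(x, n) != rotl32_ref(x, n))
          return 0;
        /* n + 32 exercises the masking of the left count. */
        if (rotl32_masked(x, n + 32) != rotl32_ref(x, n))
          return 0;
        if (n > 0 && rotl32_naive(x, n) != rotl32_portable(x, n))
          return 0;
      }
  return 1;
}

int
main(void)
{
  int ok = rotl32_selfcheck();
  printf("rotl32(0x80000001, 1) = 0x%08x\n",
         rotl32_portable(0x80000001u, 1));
  printf("self-check: %s\n", ok ? "ok" : "FAILED");
  return ok ? 0 : 1;
}
```
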
  976         The following problems have been reported, but are *not* fixed
  977         in this release:
  978 
  979         * ARM assembly files use instruction syntax which is not
  980           supported by all assemblers. Workaround: Use a current
  981           version of GNU as, or configure with --disable-assembler.
  982 
  983         * Configuring with --disable-static doesn't work on windows.
  984         
  985         The libraries are intended to be binary compatible with
  986         nettle-2.2 and later. The shared library names are
  987         libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
  988         libnettle.so.4 and libhogweed.so.2.
  989 	
  990 NEWS for the 2.7 release
  991 
  992 	This release includes an implementation of elliptic curve
  993 	cryptography (ECC) and optimizations for the ARM architecture.
  994 	This work was done at the offices of South Pole AB, and
  995 	generously funded by the .SE Internet Fund.
  996 
  997 	Bug fixes:
  998 
  999 	* Fixed a bug in the buffer handling for incremental SHA3
 1000 	  hashing, with a possible buffer overflow. Patch by Edgar
 1001 	  E. Iglesias.
 1002 
 1003 	New features:
 1004 
 1005 	* Support for ECDSA signatures. Elliptic curve operations over
 1006 	  the following curves: secp192r1, secp224r1, secp256r1,
 1007 	  secp384r1 and secp521r1, including x86_64 and ARM assembly
 1008 	  for the most important primitives.
 1009 	  
 1010 	* Support for UMAC, including x86_64 and ARM assembly.
 1011 
 1012 	* Support for 12-round salsa20, "salsa20r12", as specified by
 1013 	  eSTREAM. Contributed by Nikos Mavrogiannopoulos.
 1014 	
 1015 	Optimizations:
 1016 
 1017 	* ARM assembly code for several additional algorithms,
 1018 	  including AES, Salsa20, and the SHA family of hash
 1019 	  functions. 
 1020 
 1021 	* x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
 1022           was included in the 2.6 release, but disabled due to poor
 1023           performance on some AMD processors. Hopefully, that
 1024           performance problem is fixed now).
 1025 	
 1026 	The ARM code was tested and benchmarked on Cortex-A9. Some of
 1027 	the functions use "neon" instructions. The configure script
 1028 	decides if neon instructions can be used, and the command line
 1029 	options --enable-arm-neon and --disable-arm-neon can be used
 1030 	to override its choice. Feedback appreciated.
 1031 	  
 1032 	The libraries are intended to be binary compatible with
 1033 	nettle-2.2 and later. The shared library names are
 1034 	libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
 1035 	libnettle.so.4 and libhogweed.so.2.
 1036 
 1037 NEWS for the 2.6 release
 1038 
 1039 	Bug fixes:
 1040 
 1041 	* Fixed a bug in ctr_crypt. For zero length (which should be a
 1042 	  NOP), it sometimes incremented the counter. Reported by Tim
 1043 	  Kosse.
 1044 
 1045 	* Fixed a small memory leak in nettle_realloc and
 1046           nettle_xrealloc.
 1047 
 1048 	New features:
 1049 
 1050 	* Support for PKCS #5 PBKDF2, to generate a key from a
 1051           password or passphrase. Contributed by Simon Josefsson.
 1052           Specification in RFC 2898 and test vectors in RFC 6070.
 1053 
 1054 	* Support for SHA3.
 1055 	  
 1056 	* Support for the GOST R 34.11-94 hash algorithm. Ported from
 1057 	  librhash by Nikos Mavrogiannopoulos. Written by Aleksey
  1058 	  Kravchenko. More information in RFC 4357. Test vectors taken
 1059 	  from the GOST hash wikipedia page.
 1060 
 1061 	Miscellaneous:
 1062 
 1063 	* The include file <nettle/sha.h> has been split into
 1064           <nettle/sha1.h> and <nettle/sha2.h>. For now, sha.h is kept
 1065           for backwards compatibility and it simply includes both
 1066           files, but applications are encouraged to use the new names.
 1067           The new SHA3 functions are declared in <nettle/sha3.h>.
 1068 
 1069 	* Testsuite can be run under valgrind, using
 1070 
 1071 	  make check EMULATOR='$(VALGRIND)'
 1072 
 1073 	  For this to work, test programs and other executables now
 1074 	  deallocate storage.
 1075 	  
 1076 	* New configure options --disable-documentation and
 1077           --disable-static. Contributed by Sam Thursfield and Alon
 1078 	  Bar-Lev, respectively.
 1079 	  
 1080 	* The section on hash functions in the manual is split into
 1081           separate nodes for recommended hash functions and legacy
 1082           hash functions.
 1083 
 1084 	* Various smaller improvements, most of them portability
 1085           fixes. Credits go to David Woodhouse, Tim Rühsen, Martin
 1086           Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis
 1087           Clarke.
 1088 
 1089 	Finally, a note on the naming of the various "SHA" hash
 1090 	functions. Naming is a bit inconsistent; we have, e.g.,
 1091 
 1092 	  SHA1: sha1_digest
 1093 	  SHA2: sha256_digest   (not sha2_256_digest)
 1094 	  SHA3: sha3_256_digest
 1095 
 1096 	Renaming the SHA2 functions to make Nettle's naming more
 1097 	consistent has been considered, but the current naming follows
 1098 	common usage. Most documents (including the specification for
 1099 	SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather
 1100 	than "SHA2-256".
 1101 
 1102 	The libraries are intended to be binary compatible with
 1103 	nettle-2.2 and later. The shared library names are
 1104 	libnettle.so.4.5 and libhogweed.so.2.3, with sonames still
  1105 	libnettle.so.4 and libhogweed.so.2.
 1106 
 1107 NEWS for the 2.5 release
 1108 
 1109 	This release includes important portability fixes for Windows
 1110 	and MacOS. There are also a few new features.
 1111 
 1112 	First a *warning*: Some internal functions have been removed
 1113 	from the library. Since the functions in question are internal
 1114 	and not documented, this is not considered a change of ABI or
 1115 	API. Programs explicitly using any of these functions will
 1116 	break.
 1117 	
 1118 	* The function pkcs1_signature_prefix has been renamed to
 1119 	  _pkcs1_signature_prefix, and with slightly different
 1120 	  behavior.
 1121 
 1122 	* The file nettle-internal.c is no longer included in the
 1123           library (the features defined there are used by the
 1124           benchmark and test programs, and were never intended for
 1125           public use).
 1126 
 1127 	New features:
 1128 
 1129 	* Support for the salsa20 stream cipher, including x86_64
 1130           assembler. Originally contributed by Simon Josefsson, based
 1131           on the reference implementation, then further optimized.
 1132 
 1133 	* Tentative interface for timing-resistant RSA functions,
 1134           contributed by Nikos Mavrogiannopoulos.
 1135 
 1136 	* A more general interface for PKCS#1 signatures, taking the
 1137           input in the form of a "DigestInfo". Suggested by Nikos
 1138           Mavrogiannopoulos.
 1139 
 1140 	Configuration:
 1141 	
 1142 	* Building of shared libraries (./configure --enable-shared)
 1143           is now enabled by default.
 1144 
 1145 	* Various portability fixes for MacOS and M$ Windows. A lot of
 1146 	  this work done by Martin Storsjö.
 1147 
 1148 	* In particular, Nettle now hopefully works on 64-bit Windows
 1149 	  builds, "W64", including the x86_64 assembly code.
 1150 
 1151 	Miscellaneous:
 1152 	
 1153 	* Documentation and example programs for the base16 and base64
 1154 	  functions. Was contributed by Jeronimo Pellegrini back in
 1155 	  2006, but unfortunately forgotten until now.
 1156 
 1157 	* Use an additional table to avoid GF2^8 multiplications in
 1158 	  aes_invert_key (mainly used by aes_set_decrypt_key). Also
 1159 	  tabulate round constants in aes_set_encrypt_key.
 1160 
 1161 	* The nettle repository has been migrated from cvs to git,
 1162 	  with a public repository at
 1163 	  http://git.lysator.liu.se/nettle. To make it independent of
 1164 	  the LSH repository, a few files have been moved around.
 1165 	  While at it, files have also been converted from latin-1 to
 1166 	  utf-8.
 1167 
 1168 	The libraries are intended to be binary compatible with
 1169 	nettle-2.2 and later. The shared library names are
 1170 	libnettle.so.4.4 and libhogweed.so.2.2, with sonames still
  1171 	libnettle.so.4 and libhogweed.so.2.
 1172 
 1173 NEWS for the 2.4 release
 1174 
 1175 	This is a bugfix release only. It turned out ripemd160 in the
 1176 	2.3 release was broken on all big-endian systems, due to a
 1177 	missing include of config.h. nettle-2.4 fixes this.
 1178 
 1179 	The library is intended to be binary compatible with
 1180 	nettle-2.2 and nettle-2.3. The shared library names are
 1181 	libnettle.so.4.3 and libhogweed.so.2.1, with sonames still
 1182 	libnettle.so.4 and libhogweed.so.2.
 1183 	
 1184 NEWS for the 2.3 release
 1185 
 1186 	* Support for the ripemd-160 hash function.
 1187 
 1188 	* Generates and installs nettle.pc and hogweed.pc files, for
 1189           use with pkg-config. Feedback appreciated. For projects
 1190           using autoconf, the traditional non-pkg-config ways of
  1191           detecting libraries, and setting LIBS and LDFLAGS, are still
 1192           recommended.
 1193 
 1194 	* Fixed a bug which made the testsuite fail in the GCM test on
 1195 	  certain platforms. Should not affect any documented features
 1196 	  of the library.
 1197 
 1198 	* Reorganization of the code for the various Merkle-Damgård
 1199 	  hash functions. Some fields in the context structs for md4,
 1200 	  md5 and sha1 have been renamed, for consistency.
 1201 	  Applications should not peek inside these structs, and the
 1202 	  ABI is unchanged.
 1203 	  
 1204 	* In the manual, fixed mis-placed const in certain function
 1205           prototypes.
 1206 
 1207 	The library is intended to be binary compatible with
 1208 	nettle-2.2. The shared library names are libnettle.so.4.2 and
 1209 	libhogweed.so.2.1, with sonames still libnettle.so.4 and
 1210 	libhogweed.so.2.
 1211 
 1212 NEWS for the 2.2 release
 1213 
 1214 	Licensing change:
 1215      	
 1216 	* Relicensed as LGPL v2.1 or later (user's option).
 1217 
 1218 	* Replaced blowfish and serpent implementation. New code is
 1219           based on the LGPLed code in libgcrypt.
 1220 
 1221 	New features:
 1222 
 1223 	* Support for Galois/Counter Mode (GCM).
 1224 
 1225 	* New interface for enumerating (most) available algorithms,
 1226 	  contributed by Daniel Kahn Gillmor.
 1227 
 1228 	* New tool nettle-hash. Can generate hash digests using any
 1229 	  supported hash function, with output compatible with md5sum
 1230 	  and friends from GNU coreutils. Checking (like md5sum -c)
 1231 	  not yet implemented.
 1232 
 1233 	Bug fixes:
 1234 
 1235 	* The old serpent code had a byte order bug (introduced by
 1236 	  yours truly about ten years ago). New serpent implementation
 1237 	  does not interoperate with earlier versions of nettle.
 1238 
 1239 	* Fixed ABI-dependent libdir default for Linux-based systems
 1240 	  which do not follow the Linux File Hierarchy Standard, e.g.,
 1241 	  Debian GNU/Linux.
 1242 
 1243 	Optimizations:
 1244 	
  1245 	* x86_64 implementation of serpent.
  1246 
  1247 	* x86_64 implementation of camellia.
 1248 
 1249 	* Optimized memxor using word rather than byte operations.
 1250           Both generic C and x86_64 assembler.
 1251 
 1252 	* Eliminated a memcpy for in-place CBC decrypt.
 1253 	
 1254 	Miscellaneous:
 1255 
 1256 	* In command line tools, no longer support -? for requesting
 1257           help, since using it without shell quoting is a dangerous
 1258           habit. Use long option --help instead.
 1259 
 1260 	The shared library names are libnettle.so.4.1 and
 1261 	libhogweed.so.2.1, with sonames libnettle.so.4 and
 1262 	libhogweed.so.2.
 1263 
 1264 NEWS for the 2.1 release
 1265 
 1266 	*Important*: this release breaks source and binary
 1267 	compatibility for the digital signature functions, and for the
 1268 	DES and BLOWFISH ciphers which have weak keys.
 1269 
 1270 	Incompatible changes:
 1271 
 1272 	* The functions rsa_md5_sign, rsa_sha1_sign and
 1273           rsa_sha256_sign, and the corresponding _digest variants, now
 1274           have a return value which callers should check. The functions
 1275           return failure if the key is too small for the type of
 1276           signature.
 1277 
 1278 	* The functions dsa_sign and dsa_verify are renamed to
  1279           dsa_sha1_sign and dsa_sha1_verify. The _digest variants are
 1280           renamed similarly. These functions now have a return value
 1281           which callers should check, and they return failure if the
 1282           number q is not of the appropriate size.
 1283 
 1284 	* The return value from des_set_key, des3_set_key and
 1285 	  blowfish_set_key now indicates whether or not the given key
 1286 	  is weak. But in either case, the key setup is done, and
 1287 	  applications that don't care about weak keys can ignore the
 1288 	  return value.
 1289 
 1290 	  The incompatible part of this change is that enum des_error
  1291 	  and enum blowfish_error have been deleted, and so has the
 1292 	  status attribute in struct des_ctx, struct des3_ctx, and
 1293 	  struct blowfish_ctx.
 1294 
 1295 	The shared library names are libnettle.so.4.0 and
 1296 	libhogweed.so.2.0, with sonames libnettle.so.4 and
 1297 	libhogweed.so.2.
 1298 
 1299 	Other changes:
 1300 
 1301 	* Support for the Camellia block cipher, including an
 1302           assembler implementation for x86_32.
 1303 
 1304 	* New function aes_invert_key, useful for applications that
 1305 	  need both encryption and decryption using the same AES key.
 1306 	  
 1307 	* des_set_key and des3_set_key no longer check the key parity
 1308 	  bits. Parity bits are silently ignored. A new function
 1309 	  des_check_parity is provided, for applications that care
 1310 	  about the DES parity bits.
 1311 
 1312 	* Support for sha224, sha384 and sha512.
 1313 
 1314 	* Support for digital signatures using rsa-sha512 and
 1315           dsa-sha256. Due to lack of official test vectors and interop
 1316           testing, this support should be considered somewhat
 1317           experimental.
 1318 
 1319 	* Key generation for RSA and DSA changed to use Maurer's
 1320 	  algorithm to generate provably prime numbers (as usual, the
  1321 	  mathematical proof does not guarantee that the
 1322 	  implementation is bug free).
 1323 	  
 1324 	* x86_64 assembler implementation actually included in the
 1325 	  distribution (was accidentally left out in nettle-2.0).
 1326 
 1327 	* Configure script now detects if the compiler uses a 32-bit
  1328           or 64-bit ABI on x86_64 (previously did this for sparc only).
 1329           Also sets the default location for installing libraries
 1330           (libdir) depending on system type and the ABI used.
 1331 
 1332 	* Added the nettle and gmp libraries as dependencies when
 1333           linking shared library libhogweed.so. On systems using
 1334           shared libraries where such dependencies work (in
 1335           particular, ELF systems), it is sufficient to link
 1336           applications with -lhogweed. For static linking -lhogweed
 1337           -lnettle -lgmp is still required.
 1338 
 1339 	* The program pkcs1-conv is extended to also handle dsa keys.
 1340           Contributed by Magnus Holmgren.
 1341 
 1342 	* Slightly improved sha1 performance on x86.
 1343 
 1344 NEWS for the 2.0 release
 1345 
 1346 	This release breaks binary compatibility by splitting the
 1347 	library into two. Some other smaller changes that are not
 1348 	backwards compatible are also done at the same time.
 1349 
 1350 	* The nettle library is split into two libraries, libnettle
 1351 	  and libhogweed. libnettle contains the symmetric crypto
 1352 	  algorithms that don't depend on GMP, while libhogweed
 1353 	  contains the public key algorithms that depend on GMP.
 1354 	  Using a single library worked fine with static linking, but
 1355 	  not with dynamic linking. Consider an application that uses
 1356 	  nettle and which doesn't use any public key cryptography. If
 1357 	  this application is linked dynamically to nettle, it would
 1358 	  have to be linked also with GMP if and only if public key
 1359 	  support was enabled when the nettle library was installed.
 1360 
 1361 	  The library names are libnettle.so.3.0 and
 1362 	  libhogweed.so.1.0, with sonames libnettle.so.3 and
 1363 	  libhogweed.so.1.
 1364 
 1365 	* Function typedefs have been changed to non-pointer types.
  1366 	  E.g., the
 1367 
  1368 	    typedef void (*nettle_hash_init_func)(void *ctx);
 1369 
 1370 	  of previous versions is replaced by
 1371 
 1372 	    typedef void (nettle_hash_init_func)(void *ctx);
 1373 
 1374 	  This makes it possible to use the type when declaring
 1375 	  functions, like
 1376 
 1377 	    nettle_hash_init_func foo_hash_init;
 1378 
 1379 	    void foo_hash_init(void *ctx) { ... }
 1380 
 1381 	* Changes to the yarrow256 interface. The automatic seed file
 1382 	  generation, and the seed_file member in struct
  1383 	  yarrow256_ctx, have been removed. To generate a new seed
 1384 	  file, use yarrow256_random. The function
 1385 	  yarrow256_force_reseed has been replaced by the two
 1386 	  functions yarrow256_fast_reseed and yarrow256_slow_reseed,
 1387 	  which were previously static. This interface change makes it
 1388 	  easier to mix in the current content of the seed file before
 1389 	  overwriting it with newly generated data.
 1390 
 1391 	Other changes:
 1392 
 1393 	* Nettle manual now contributed to the public domain, to
 1394           enable remixing into documentation of programs that use
 1395           Nettle.	  
 1396 
 1397 	* The sexp-conv program preserves comments when using the
 1398 	  advanced syntax for output. Optionally locks the output
 1399 	  file.
 1400 
 1401 	* The base64 decoder recognizes ASCII FF (form feed) and VT
 1402           (vertical tab) as white space.
 1403 
 1404 	* New x86_64 implementations of AES and SHA1. On a 2.2 GHz
 1405           opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at
 1406           110 MByte/s.
 1407 
 1408 	* Performance of AES increased by 20-30% on x86.
 1409 
 1410 	* New programs in the examples directory: erathostenes and
 1411           next-prime.
 1412 	
 1413 NEWS for the 1.15 release
 1414 
 1415 	Added support for PKCS#1 style RSA signatures using SHA256,
 1416 	according to RFC 3447. Currently lacks interoperability
 1417 	testing.
 1418 	
 1419 	Header files are now C++ aware, so C++ programs using Nettle
 1420 	should now use plain
 1421 
 1422 	  #include <nettle/foo.h>
 1423 
 1424 	rather than
 1425 
  1426 	  extern "C" {
 1427 	  #include <nettle/foo.h>
 1428 	  }
 1429 
 1430 	as was the recommendation for the previous version. This
 1431 	breaks source-level compatibility with C++, even though
 1432 	there's full binary compatibility.
 1433 
 1434 	The file rfc1750.txt (which is considered non-free by debian)
 1435 	has been removed from the distribution. The file was used as input
 1436 	for the Yarrow testcase, and has been replaced by the short
 1437 	story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is
 1438 	obsoleted by RFC 4086.
 1439 
 1440 	Fixes for Darwin shared library support, contributed by Grant
 1441 	Robinsson.
 1442 
 1443 	Example programs now use a supplied getopt.c.
 1444 
 1445 	Configure tests for assemblers with a logarithmic .align
 1446 	directive.
 1447 
 1448 	The library is intended to be upwards binary compatible with
 1449 	earlier versions. The library name is libnettle.so.2.6, soname
 1450 	is still libnettle.so.2.
 1451 		
 1452 NEWS for the 1.14 release
 1453 
 1454 	Experimental support for reading keys in PKCS#1 ASN1/DER
 1455 	format, and a new command line tool pkcs1-conv.
 1456 	
 1457 	Improved MD5 performance on x86.
 1458 
 1459 	Fixed support for sparc64.
 1460 
 1461 	Reorganized AES code. Better performance for all three
 1462 	implementations (C, x86 assembler, sparc assembler).
 1463 
 1464 	New sparc assembler for arcfour. Compared to the code
 1465 	generated by gcc, the new code is about 25% faster on old
 1466 	sparcs, and 6 times faster on ultrasparc.
 1467 
 1468 	Replaced the internal function nettle_mpz_from_octets with a
 1469 	call to mpz_import, if available in the installed GMP library.
 1470 
 1471 	More Makefile fixes; it now seems to work to build with
  1472 	the make programs on Solaris and FreeBSD (although
 1473 	--disable-dependency-tracking is required for the latter).
 1474 
 1475 	The library is intended to be binary compatible with earlier
 1476 	versions. The library name is libnettle.so.2.5, soname is
 1477 	still libnettle.so.2.
 1478 
 1479 NEWS for the 1.13 release
 1480 
 1481 	Fixed problem with broken m4 on bsd, which resulted in
 1482 	corrupted x86 assembler for sha1.
 1483 
 1484 	Nettle probably works on windows: I've been able to cross
 1485 	compile it with ./configure --host=i586-mingw32msvc (without
 1486 	public-key support), and the testsuite binaries seem to run
 1487 	fine in Wine.
 1488 
 1489 	Implemented CTR mode.
 1490 
 1491 	Improved sha1 performance on x86.
 1492 
 1493 	Configure check to figure out if symbols in assembler files
 1494 	need a leading underscore.
 1495 
 1496 	Improved benchmark program. Displays cycles per byte and block,
 1497 	and compares with openssl (if openssl is installed).
 1498 	
 1499 	Terminating newline in output from sexp-conv --hash.
 1500 
 1501 	The library is intended to be binary compatible with earlier
 1502 	versions. The library name is libnettle.so.2.4. However, the
 1503 	interface for the internal function _nettle_sha1_compress has
 1504 	changed; any program that calls this function directly will
 1505 	break.
 1506 
 1507 NEWS for the 1.12 release
 1508 	
 1509 	Fixed a bug in the configure script.
 1510 
 1511 	Updated the description of aes_set_encrypt_key and
 1512 	aes_set_decrypt_key in the manual.
 1513 
 1514 NEWS for the 1.11 release
 1515 
 1516 	Nettle no longer uses automake. Side effects:
 1517 
 1518 	  * Dependency tracking is enabled only for gcc-3 (help with
 1519 	    supporting dependency tracking with other compilers is
 1520 	    appreciated).
 1521 	  
 1522 	  * Makefile compatibility with make programs other than GNU
 1523 	    make is mostly unknown, please report any problems.
 1524 
 1525 	Support for arctwo.
 1526 
 1527 	Fixes to the libdes compatibility code. Declarations should
 1528 	now match openssl/libdes better. des_cbc_cksum pads
 1529 	input with NUL's, if it's not an integral number of blocks (in
 1530 	general, such unreversible padding is a bad idea).
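
	The caveat about irreversible padding, as an added illustration that is
	not Nettle's own code: zero padding is ambiguous, since a message and the
	same message with trailing NUL bytes pad to identical blocks (so their
	checksums agree), whereas a scheme that marks the end of the message
	(here ISO/IEC 7816-4 style, one 0x80 byte followed by NULs) stays
	unambiguous. DES_BLOCK_SIZE and the function names are defined by this
	example, not taken from Nettle's headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DES_BLOCK_SIZE 8   /* defined here for the example, not Nettle's des.h */

/* Round len up to a whole number of DES blocks. */
static size_t round_up_blocks(size_t len)
{
    return (len + DES_BLOCK_SIZE - 1) / DES_BLOCK_SIZE * DES_BLOCK_SIZE;
}

/* Zero padding as the text describes for des_cbc_cksum: NULs are
   appended only when the input is not a whole number of blocks, so
   inputs differing only in trailing NULs pad to identical bytes.
   Returns the padded length, or 0 if the output buffer is too small. */
size_t pad_zero(const uint8_t *in, size_t len, uint8_t *out, size_t out_size)
{
    size_t padded = round_up_blocks(len);
    if (padded > out_size)
        return 0;
    memcpy(out, in, len);
    memset(out + len, 0, padded - len);
    return padded;
}

/* Reversible padding in the style of ISO/IEC 7816-4: always append one
   0x80 marker byte, then NULs up to the block boundary. The marker
   records where the message ends, so every padded block sequence maps
   back to exactly one message. Returns padded length, or 0 on overflow. */
size_t pad_iso7816(const uint8_t *in, size_t len, uint8_t *out, size_t out_size)
{
    size_t padded = round_up_blocks(len + 1);
    if (padded > out_size)
        return 0;
    memcpy(out, in, len);
    out[len] = 0x80;
    memset(out + len + 1, 0, padded - len - 1);
    return padded;
}

/* Strip ISO/IEC 7816-4 padding. Returns the message length, or
   (size_t)-1 if the 0x80 marker is missing (malformed input). */
size_t unpad_iso7816(const uint8_t *in, size_t len)
{
    while (len > 0 && in[len - 1] == 0)
        len--;
    if (len == 0 || in[len - 1] != 0x80)
        return (size_t)-1;
    return len - 1;
}
```

	Padding "abc" and "abc\0" with pad_zero yields the same 8-byte block,
	while pad_iso7816 keeps them distinct and unpad_iso7816 recovers the
	original length of each.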

	By default, the static library is also compiled as position
	independent code. This is needed on some systems to make it
	possible to link nettle into a dynamically loaded module. Use
	the configure flag --disable-pic if this is not desired.

	Stricter constness typing for the sexp_iterator_assoc and
	sexp_iterator_check_types arguments.

	Minor tweaks of arcfour on x86 CPUs, to speed it up on older
	x86 variants such as PII and PPro.

	The shared library is intended to be binary compatible with
	nettle-1.8 - nettle-1.10. Only the minor version number of the
	shared library is increased. The soname is still
	libnettle.so.2.

NEWS for the 1.10 release

	Nettle should now compile also on Tru64, Darwin, FreeBSD and
	Windows. (The only tested Windows build uses the rntcl rsh
	wrapper to run the command line M$ C compiler "cl". See
	http://pike.ida.liu.se for those tools; I don't know all
	details about the Pike team's Windows setup.)

	There are some known testsuite failures, on Windows and on one
	of the xenofarm HPUX machines, see
	http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help
	tracking these down is appreciated.

	There are no new features.

	This release is intended to be binary compatible with
	nettle-1.8 and nettle-1.9.

NEWS for the 1.9 release

	Optimized C implementation of arcfour. Optimized x86
	implementations of arcfour and sha1.

	Improved benchmark program.

	Fixed bug in the rsa-encrypt example program.

	Fixed bug in make install; some of the header files were
	forgotten.

	Portability fixes. Fixes to make Nettle compile on systems
	without gmp. This version has been tested on GNU/Linux,
	Solaris, HPUX and AIX.

	The shared library is intended to be binary compatible with
	nettle-1.8. Only the minor version number of the shared
	library is increased.

NEWS for the 1.8 release

	New example programs, demonstrating encrypting and decrypting
	files using RSA, and random session keys for bulk encryption
	and message authentication.

	Support for systems that don't have alloca. On such systems,
	some of Nettle's functions have arbitrary limits applied to
	their input.

	Uses AX_CREATE_STDINT_H, to support systems without
	inttypes.h.

	Support for the md2 and md4 hash functions.

	New name mangling, to reduce the risk of link collisions. All
	functions (except memxor) now use a nettle_ or _nettle_ prefix
	when seen by the linker. For most functions, the header file
	that declares a function also uses #define to provide a
	shorter, more readable name without the prefix.

	The shared library soname for this version is libnettle.so.2.

NEWS for the 1.7 release

	Implemented DSA.

	Renamed RSA functions for consistency. Now it's
	rsa_public_key_init, not rsa_init_public_key, etc.

	Both RSA and DSA now have sign/verify functions that take the
	hash digest as argument.

	A rewritten and much more powerful sexp-conv program.

	Other changes to the sexp code, in particular updating it to
	the latest SPKI draft.

	Building nettle as a shared library (ELF only) seems to work.
	The version number is increased, so the library "soname" for
	this release is "libnettle.so.1".

	Bugfixes. Fixes for build and portability problems.

NEWS for the 1.6 release

	Optimized assembler implementations of aes, for sparc and x86.

	The aes interface has changed slightly. The function
	aes_set_key is no more. Instead one has to use
	aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that.

	New example programs, rsa-keygen, rsa-sign and rsa-verify,
	located in the examples directory.

	New configure option --enable-shared, which builds a shared
	library. Not tested.

	New experimental features, including sexp parsing and
	formatting, and changes to base64 encoding and decoding. The
	interfaces to these functions are subject to change, and are
	documented only in the source code.

NEWS for the 1.5 release

	RSA support. Key generation and signatures.

	Support for HMAC (RFC-2104).

	An implementation of the Yarrow-256 PRNG.

	New sections in the manual.

	Changed the interface for hash functions. The md5_digest
	function is now equivalent to the old sequence of md5_final,
	md5_digest, md5_init, and similarly for the other hashing
	algorithms. This makes the interface simpler.

NEWS for the 1.0 release

	Fixed twofish bug spotted by Jean-Pierre Stierlin.

	Added des3 and cbc.

	New RFC-1321-like interface in nettle/md5-compat.h, suggested
	by Assar Westerlund.

	New libdes-style compatibility interface in nettle/des-compat.h.