+ 2018-12-26 Niels Möller <nisse@lysator.liu.se>
+
+ * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for
+ strdup with gcc -std=c89.
+ * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for
+ getline with gcc -std=c89.
+
+ * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop.
+ Reported by Andreas Gustafsson.
+ * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise.
+
+ 2018-12-04 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-3.4.1.
+
+ 2018-11-28 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: Update GMP check. Check for the function
+ mpn_sec_div_r, available since GMP-6.0.0.
+
+ * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
+ decrypted storage. Update test of rsa_decrypt, to allow clobbering
+ of all of the passed in message area.
+
+ * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around
+ _pkcs1_sec_decrypt_variable. Improves side-channel silence of the
+ only caller, rsa_decrypt.
+
+ * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make
+ dist. Patch from Simo Sorce.
+
+ * rsa-internal.h: Add include of rsa.h.
+
+ 2018-11-27 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New
+ local helper functions, with their own itch functions.
+ (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to
+ use helpers, for clarity.
+
+ 2018-11-26 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify
+ selection of psize and qsize, and fix so that qsize is used.
+ (test_main): Add outer loop, to test with more than one key.
+ Deallocate storage before exiting.
+
+ 2018-11-25 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c: Renamed, from ...
+ * testsuite/rsa-sec-compute-root-test.c: ... old name.
+
+ * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ...
+ * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location.
+ * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from...
+ (rsa_sec_compute_root_tr): ... old name. Updated callers.
+ (cnd_mpn_zero): Use a volatile-declared mask variable.
+
+ * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix
+ masking of most significant bits.
+
+ * rsa-decrypt-tr.c (rsa_decrypt_tr): Use
+ NETTLE_OCTET_SIZE_TO_LIMB_SIZE.
+
+ * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
+ valgrind marking, and document potential leakage of lowest and
+ highest bits of p and q.
+
+ * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
+ mpz_sizeinbase, since that potentially leaks most significant bits
+ of private key parameters a and b.
+
+ * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
+ valgrind marking of return value.
+
+ Merged below changes from Simo Sorce, to make RSA private key
+ operations side-channel silent.
+
+ 2018-11-08 Simo Sorce <simo@redhat.com>
+
+ * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use
+ _rsa_sec_compute_root.
+
+ * testsuite/rsa-sec-compute-root-test.c: Add more tests for new
+ side-channel silent functions.
+
+ * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn,
+ since that is required for one of the GMP calls in
+ _rsa_sec_compute_root.
+
+ * rsa-decrypt-tr.c: Switch to use side-channel silent functions.
+
+ * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private
+ function. Variable size version for backwards compatibility.
+
+ * testsuite/rsa-sec-decrypt-test.c: Adds more tests.
+
+ * rsa-sec-decrypt.c (rsa_sec_decrypt): New function.
+ Fixed length side-channel silent version of rsa-decrypt.
+ * testsuite/rsa-encrypt-test.c: add tests for the new fucntion.
+
+ * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for
+ _pkcs1_sec_decrypt.
+
+ * gmp-glue.c (mpn_get_base256): New function.
+
+ * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function.
+ Fixed length side-channel silent version of pkcs1-decrypt.
+
+ * cnd-memcpy.c (cnd_memcpy): New function.
+ * memops.h: Declare it.
+ * testsuite/cnd-memcpy-test.c: New test case.
+
+ * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses
+ _rsa_sec_compute_root, as well as side-channel silent RSA
+ blinding.
+ (rsa_compute_root_tr) Rewritten as a wrapper around
+ rsa_sec_compute_root_tr.
+ (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root)
+ (cnd_mpn_zero): New helper functions.
+ (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not
+ side-channel silent wrapper around rsa_compute_root_tr, and the
+ latter function left unchanged.
+
+ * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch)
+ (_rsa_sec_compute_root): New file, new private functions.
+ Side-channel silent version of rsa_compute_root.
+ * rsa-internal.h: New header file with declarations.
+
+ * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro.
+
+ 2018-11-24 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: Bump package version to 3.4.1.
+ (LIBNETTLE_MINOR): Bump library version to 6.5.
+ (LIBHOGWEED_MINOR): Bump library version to 4.5.
+
+2018-11-17 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/hogweed-benchmark.c (bench_rsa_verify)
+ (bench_openssl_rsa_tr_init): New functions.
+ (alg_list): Benchmark timing-resistant RSA functions, i.e.,
+ including RSA blinding.
+ (main): Increase width of first column, here and in other
+ printouts.
+
+2018-10-10 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when
+ processing more than on full block of size CTR_BUFFER_LIMIT, src
+ and dst arguments to memxor3 were not properly updated.
+
+2018-10-10 Niels Möller <nisse@lysator.liu.se>
+
+ * aes-set-encrypt-key.c: Add missing include of stdlib.h.
+ * des-compat.c: Likewise.
+
+2018-09-13 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and
+ redundant check for p == q.
+
+2018-08-09 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with
+ _NETTLE_ATTRIBUTE_DEPRECATED.
+
+ * nettle-types.h (_NETTLE_ATTRIBUTE_PURE)
+ (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and
+ lookalikes.
+ * ecc-curve.h: Include nettle-types.h, and use
+ _NETTLE_ATTRIBUTE_PURE instead of local definition.
+ * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit
+ #ifdefs.
+
+ * aes.h: Mark functions using struct aes_ctx interface as
+ deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where
+ the functions are implemented or tested.
+ * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated.
+
+ * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper)
+ (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast
+ between incompatible function types (which gcc-8 warns about).
+ Wrappers are expected to compile to a single jmp instruction.
+
+ * des-compat.c (des_compat_des3_encrypt)
+ (des_compat_des3_decrypt): Change length argument type to size_t.
+
+2018-08-08 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo (Compatibility): New section on ABI and API
+ compatibility.
+
+2018-07-25 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ * examples/nettle-benchmark.c: Add benchmarking for HMAC functions.
+
+2018-07-13 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/eratosthenes.c (vector_alloc): Add assert related to
+ overflow in the size calculation. Fixes a corner case identified
+ by static analysis.
+ (vector_init): Analogous assert.
+
+2018-07-12 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/eratosthenes.c (main): Don't allocate bitmap storage
+ for limit == 2 (early exit), closing memory leak at exit.
+ (main): Fix handling of short -q option.
+
+ * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui,
+ to fix memory leak.
+ (ecc_curve_clear): New function.
+ (main): Call it, to deallocate storage before exit.
+
+2018-07-08 Niels Möller <nisse@lysator.liu.se>
+
+ * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress.
+ * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name.
+ * x86_64/fat/sha1-compress-2.asm: Likewise.
+
+2018-07-07 Niels Möller <nisse@lysator.liu.se>
+
+ From Nikos Mavrogiannopoulos.
+ * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to
+ public function, since there's known appliation usage (filezilla).
+ * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor
+ alias for the new name.
+ * md5-compress.c (nettle_md5_compress): Similarly renamed (used by
+ sogo).
+ * md5.h (_nettle_md5_compress): Old name,, now a preprocessor
+ alias for the new name.
+
+ * chacha-internal.h, dsa-internal.h, eddsa-internal.h:
+ * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h:
+ * salsa20-internal.h, sha2-internal.h, sha3-internal.h:
+ * umac-internal.h: Internal declarations moved to new header
+ files, which are not installed..
+ * Makefile.in (DISTFILES): Added above files.
+
+ * libnettle.map.in: Use a different symbol version for _nettle_*
+ symbols, depending on the minor release. This marks these symbols
+ explicitly not part of the public Nettle ABI.
+ * libhogweed.map.in: Analogous change.
+
2018-06-17 Niels Möller <nisse@lysator.liu.se>
- Backported from master branch.
* aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed
by Dmitry Eremin-Solenikov.
+
* testsuite/symbols-test: Exclude ____chkstk_darwin symbols,
produced by Apple's Xcode 10 compiler. Patch contributed by
Dominyk Tiller.
- Bug fixes:
-
- * Fix bug in pkcs1-conv, missing break statements in the
- parsing of PEM input files.
-
+NEWS for the Nettle 3.5 release
+
+ Changes in behavior:
+
+ * Nettle's gcm_crypt will now call the underlying block cipher
+ to process more than one block at a time. This is not a
+ change to the documented behavior, but unfortunately breaks
+ assumptions accidentally made in GnuTLS, up to and including
+ version 3.6.1.
+
+ New features:
+
+ * Support for CFB8 (Cipher Feedback Mode, processing a single
+ octet per block cipher operation), contributed by Dmitry
+ Eremin-Solenikov.
+
+ * Support for CMAC (RFC 4493), contributed by Nikos
+ Mavrogiannopoulos.
+
+ Optimizations:
+
+ * Improved performance of the x86_64 AES implementation using
+ the aesni instructions. Gives a large speedup for operations
+ processing multiple blocks at a time (including CTR mode,
+ GCM mode, and CBC decrypt, but *not* CBC encrypt).
+
+ * Improved performance for CTR mode, for the common case of
+ 16-byte block size. Pass more data at a time to underlying
+ block cipher, and fill the counter blocks more efficiently.
+ Extension to also handle GCM mode efficiently contributed
+ by Nikos Mavrogiannopoulos.
+
+ * New x86_64 implementation of sha1 and sha256, for processors
+ supporting the sha_ni instructions. Speedup of 3-5 times on
+ affected processors.
+
+ * Improved parameters for the precomputation of tables used
+ for ecc signatures. Roughly 10%-15% speedup of the ecdsa
+ sign operation using the secp_256r1, secp_384r1 and
+ secp_521r1 curves, and 25% speedup of ed25519 sign
+ operation, benchmarked on x86_64. Table sizes unchanged,
+ around 16 KB per curve.
+
+ Miscellaneous:
+
+ * Support for big-endian ARM systems, contributed by Michael
+ Weiser.
+
+ * The programs aesdata, desdata, twofishdata, shadata and
+ gcmdata are no longer built by default. Makefile
+ improvements contributed by Jay Foad.
+
+ NEWS for the Nettle 3.4.1 release
+
+ This release fixes a few bugs, and makes the RSA private key
+ operations side channel silent. The RSA improvements are
+ contributed by Simo Sorce and Red Hat, and include one new
+ public function, rsa_sec_decrypt, see below.
+
+ All functions using RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of PKCS#1 padding needed for
+ RSA decryption.
+
+ Nettle's ECC functions were already side-channel silent, while
+ the DSA functions still aren't. There's also one caveat
+ regarding the improved RSA functions: due to small table
+ lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+ lowest and highest few bits of the secret factors p and q may
+ still leak. I'm not aware of any attacks on RSA where knowing
+ a few bits of the factors makes a significant difference. This
+ leak will likely be plugged in later GMP versions.
+
+ Changes in behavior:
+
+ * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+ all of the provided message buffer, independent of the
+ actual message length. They are side-channel silent, in that
+ branches and memory accesses don't depend on the validity or
+ length of the message. Side-channel leakage from the
+ caller's use of length and return value may still provide an
+ oracle useable for a Bleichenbacher-style chosen ciphertext
+ attack. Which is why the new function rsa_sec_decrypt is
+ recommended.
+
+ New features:
+
+ * A new function rsa_sec_decrypt. It differs from
+ rsa_decrypt_tr in that the length of the decrypted message
+ is given a priori, and PKCS#1 padding indicating a different
+ length is treated as an error. For applications that may be
+ subject to chosen ciphertext attacks, it is recommended to
+ initialize the message area with random data, call this
+ function, and ignore the return value. This applies in
+ particular to RSA-based key exchange in the TLS protocol.
+
+ Bug fixes:
+
+ * Fix bug in pkcs1-conv, missing break statements in the
+ parsing of PEM input files.
+
+ * Fix link error on the pss-mgf1-test test, affecting builds
+ without public key support.
+
+ Performance regression:
+
+ * All RSA private key operations employing RSA blinding, i.e.,
+ rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
+ rsa_compute_root_tr, are significantly slower. This is
+ because (i) RSA blinding now use side-channel silent
+ operations, (ii) blinding includes a modular inversion, and
+ (iii) side-channel silent modular inversion, implemented as
+ mpn_sec_invert, is very expensive. A 60% slowdown for
+ 2048-bit RSA keys have been measured.
+
+ Miscellaneous:
+
+ * Building the public key support of nettle now requires GMP
+ version 6.0 or later (unless --enable-mini-gmp is used).
+
+ The shared library names are libnettle.so.6.5 and
+ libhogweed.so.4.5, with sonames still libnettle.so.6 and
+ libhogweed.so.4. It is intended to be fully binary compatible
+ with nettle-3.1.
+
NEWS for the Nettle 3.4 release
This release fixes bugs and adds a few new features. It also
#ifndef NETTLE_RSA_INTERNAL_H_INCLUDED
#define NETTLE_RSA_INTERNAL_H_INCLUDED
--#include "nettle-types.h"
-
+ #include "rsa.h"
+#define _rsa_verify _nettle_rsa_verify
+#define _rsa_verify_recover _nettle_rsa_verify_recover
+#define _rsa_check_size _nettle_rsa_check_size
+#define _rsa_blind _nettle_rsa_blind
+#define _rsa_unblind _nettle_rsa_unblind
+ #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch
+ #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root
+ #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr
+ #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt
+ #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable
+/* Internal functions. */
+int
+_rsa_verify(const struct rsa_public_key *key,
+ const mpz_t m,
+ const mpz_t s);
+
+int
+_rsa_verify_recover(const struct rsa_public_key *key,
+ mpz_t m,
+ const mpz_t s);
+
+size_t
+_rsa_check_size(mpz_t n);
+
+/* _rsa_blind and _rsa_unblind are deprecated, unused in the library,
+ and will likely be removed with the next ABI break. */
+void
+_rsa_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+ mpz_t c, mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED;
+void
+_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri)
+ _NETTLE_ATTRIBUTE_DEPRECATED;
+
+ /* side-channel silent root computation */
+ mp_size_t
+ _rsa_sec_compute_root_itch(const struct rsa_private_key *key);
+ void
+ _rsa_sec_compute_root(const struct rsa_private_key *key,
+ mp_limb_t *rp, const mp_limb_t *mp,
+ mp_limb_t *scratch);
+
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+ * result after CRT. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+ mp_limb_t *x, const mp_limb_t *m, size_t mn);
+
+ /* additional resistance to memory access side-channel attacks.
+ * Note: message buffer is returned unchanged on error */
+ int
+ _pkcs1_sec_decrypt (size_t length, uint8_t *message,
+ size_t padded_message_length,
+ const volatile uint8_t *padded_message);
+
+ int
+ _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message,
+ size_t padded_message_length,
+ const volatile uint8_t *padded_message);
+
#endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
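Review bot: The `_rsa_sec_compute_root_tr` declaration does not say what its `int` return value means, how many limbs `x` and `m` must provide, or what `x` holds when the post-CRT check fails; the ChangeLog in this same patch lists `rsa_sec_check_root` and `cnd_mpn_zero` as new helpers, which suggests a failed check zeroes the result, but that should be confirmed against rsa-sign-tr.c and then written down here, since a caller that reads `x` after a zero return would otherwise have no contract to rely on. I would extend the comment above it to say that `m` is `mn` limbs, that `x` must be sized for the key (presumably `key->size` limbs — confirm), and that it returns nonzero on success and, on failure, leaves no secret-dependent value in `x` (looks like it is cleared via `cnd_mpn_zero` — verify). Similarly `_rsa_sec_compute_root` should state the scratch contract, e.g. `/* scratch must hold at least _rsa_sec_compute_root_itch(key) limbs. */`, and `_pkcs1_sec_decrypt_variable` currently has no comment at all; the ChangeLog describes it as the variable-size version kept for backwards compatibility and the only path behind pkcs1_decrypt/rsa_decrypt, so a one-liner such as `/* Variable-length variant kept for pkcs1_decrypt/rsa_decrypt; *length receives the unpadded size. Callers that branch on *length or the return value reintroduce a Bleichenbacher oracle; prefer _pkcs1_sec_decrypt. */` would match the caveat the NEWS text already gives.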