nettle-bugs December 2014

nettle-bugs@lists.lysator.liu.se

5 participants
8 discussions

ANNOUNCE: Nettle-3.0
by nisse＠lysator.liu.se 13 Apr '15

13 Apr '15

I'm happy to announce a new version of GNU Nettle, a low-level cryptographics library. The Nettle home page can be found at http://www.lysator.liu.se/~nisse/nettle/. This release is dual licensed as LGPLv3 or later, or GPLv2 or later. See the manual for details. NEWS for the Nettle 3.0 release This is a major release, including several interface changes, and new features, some of which are a bit experimental. Feedback is highly appreciated. It is *not* binary (ABI) compatible with earlier versions. It is mostly source-level (API) compatible, with a couple of incompatibilities noted below. The shared library names are libnettle.so.5.0 and libhogweed.so.3.0, with sonames libnettle.so.5 and libhogweed.so.3. There may be some problems in the new interfaces and new features which really need incompatible fixes. It is likely that there will be an update in the form of a 3.1 release in the not too distant future, with small but incompatible changes, and if that happens, bugfix-only releases 3.0.x are unlikely. Users and applications which desire better API and ABI stability are advised to stay with nettle-2.7.x (latest version is now 2.7.1) until the dust settles. Interface changes: * For the many _set_key functions, it is now consider the normal case to have a fixed key size, with no key_size arguments. _set_key functions with a length parameter are provided only for algorithms with a truly variable keysize, and where it makes sense for backwards compatibility. INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key size argument. The old function is available under a new name, cast5_set_key. INCOMPATIBLE CHANGE: The function typedef nettle_set_key_func no longer accepts a key size argument. In particular, this affects users of struct nettle_cipher. * The nettle_cipher abstraction (in nettle-meta.h) is restricted to block ciphers only. The encrypt and decrypt functions now take a const argument for the context. INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher abstraction for the arcfour stream cipher, is deleted. INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the encrypt and decrypt fields of struct nettle_cipher. * New DSA interface, with a separate struct dsa_param to represent the underlying group, and generalized dsa_sign and dsa_verify functions which don't care about the hash function used. Limited backwards compatibility provided in dsa-compat.h. INCOMPATIBLE CHANGE: Declarations of the old interface, e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to dsa-compat.h. INCOMPATIBLE CHANGE: The various key conversion functions, e.g., dsa_keypair_to_sexp, all use the new DSA interface, with no backwards compatible functions. INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new interface. dsa-compat.h declares a function dsa_compat_generate_keypair, implementing the old interface, and #defines dsa_generate_keypair to refer to this backwards compatible function. * New AES and Camellia interfaces. There are now separate context structs for each key size, e.g., aes128_ctx and camellia256_ctx, and corresponding new functions. The old interface, with struct aes_ctx and struct camellia_ctx, is kept for backwards compatibility, but might be removed in later versions. * The type of most length arguments is changed from unsigned to size_t. The memxor functions have their pointer arguments changed from uint8_t * to void *, for consistency with related libc functions. * For hash functions, the constants *_DATA_SIZE have been renamed to *_BLOCK_SIZE. Old names kept for backwards compatibility. Removed features: * The nettle_next_prime function has been deleted. Applications should use GMP's mpz_nextprime instead. * Deleted the RSAREF compatibility, including the header file rsa-compat.h and everything declared therein. * Also under consideration for removal is des-compat.h and everything declared therein. This implements a subset of the old libdes/ssleay/openssl interface for DES and triple-DES, and it is poorly tested. If anyone uses this interface, please speak up! Otherwise, it will likely be removed in the next release. Bug fixes: * Building with ./configure --disable-static now works. * Use GMP's allocation functions for temporary storage related to bignums, to avoid potentially large stack allocations. * Fixes for shared libraries on M$ Windows. New features: * Support for Poly1305-AES MAC. * Support for the ChaCha stream cipher and EXPERIMENTAL support for the ChaCha-Poly1305 AEAD mode. Specifications are still in flux, and future releases may do incompatible changes to track standardization. Currently uses 256-bit key and 64-bit nonce. * Support for EAX mode. * Support for CCM mode. Contributed by Owen Kirby. * Additional variants of SHA512 with output size of 224 and 256 bits. Contributed by Joachim Strömbergson. * New interface, struct nettle_aead, for mechanisms providing authenticated encryption with associated data (AEAD). * DSA: Support a wider range for the size of q and a wider range for the digest size. Optimizations: * New x86_64 assembly for GCM and MD5. Modest speedups on the order of 10%-20%. Miscellaneous: * SHA3 is now documented as EXPERIMENTAL. Nettle currently implements SHA3 as specified at the time Keccak won the SHA3 competition. However, the final standard specified by NIST is likely to be incompatible, in which case future releases may do incompatible changes to track standardization. * The portability fix for the rotation macros, mentioned in NEWS for 2.7.1, actually didn't make it into that release. It is included now. * cast128_set_key rewritten for clarity, also eliminating a couple of compiler warnings. * New command line tool nettle-pbkdf2. Available at: https://ftp.gnu.org/gnu/nettle/nettle-3.0.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.0.tar.gz http://www.lysator.liu.se/~nisse/archive/nettle-3.0.tar.gz ftp://ftp.lysator.liu.se/pub/security/lsh/nettle-3.0.tar.gz (soon) Happy hacking, /Niels Möller -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.

5 12

patch: define API version number
by Nikos Mavrogiannopoulos 19 Mar '15

19 Mar '15

Hello, This patch adds a definition in nettle-meta.h with nettle's version number. That way applications can be easily modified to support both the 2.7 and the 3.x API. I didn't add for hogweed because it didn't seem to make sense, the API version is fully determined by nettle only. regards, Nikos

2 8

Please add base-64 URL-safe alphabet
by Amos Jeffries 10 Feb '15

10 Feb '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 RFC 4648 (https://tools.ietf.org/html/rfc4648) standardizes two Base-64 alphabets. Nettle currently only supports the traditional base-64 alphabet from section 4. There is growing use amongst new protocol definitions and extensions, particularly in the HTTP area for the URL-safe extension alphabet instead of the classical Base-64 alphabet. The attached patch implements a proposed API/ABI extension adding support for RFC 4648 section 5 "Base 64 Encoding with URL and Filename Safe Alphabet" External code simply calls the init() function relevant to the alphabet it is needing to encode/decode with. The library internally uses the context to select which lookup table to use for later base64 function calls. The base64_encode_raw() and base64_encode_group() functions which do not use contexts are left untouched for now. Amos Jeffries Treehouse Networks Ltd. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUiXerAAoJELJo5wb/XPRjPxEIAJGMXNF0H84kJntKpe1idimr +x7/xg55GJ2sWEBAbVIHvKvjFZoBIeqNmPeeK+yrqMdA+dtALA37AuezqhiNBtuj YfGd/DyRvys2O2bQ4XNRHxj6zGQU6tlRHHZzSnWp9ywwN4xk/zfNc5JM0EKYqiuu 8crNPzQxP91N33gkdi9LrOkAA8v+/bTYJgTrT46D/2Ut+8ECAcpjS5jwsJiljETu uqO50QlhqGC3ZsHKs1kYnjrbl1Peiqw/b/srEnY3shfS9MKrTYe3qLOsvU5CQpnD A7e8w/SW716D0s4t0SGf85WvUnS6UvDTfAdm3EXAPKNU8PaYpK9D8izq8kgxCP4= =NgGG -----END PGP SIGNATURE-----

4 15

OCB mode
by Nikos Mavrogiannopoulos 28 Jan '15

28 Jan '15

Hello, What do you think of having OCB mode in nettle? I particularly like OCB due to it's simplicity and performance comparing to GCM/CCM, but was always patented. However in [0] there is license1 which states: "Under this license, you are authorized to make, use, and distribute open-source software implementations of OCB. This license terminates for you if you sue someone over their open-source software implementation of OCB claiming that you have a patent covering their implementation." What do you think? Should the FSF be consulted on that? regards, Nikos [0]. http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm

4 8

[Fwd: [gnutls-help] Generating DH Parameters larger than 3072 bits]
by Nikos Mavrogiannopoulos 16 Dec '14

16 Dec '14

Hello, It seems that by switching gnutls to nettle 2.7.x for DSA (and DH) key generation the forwarded issues occur. Would it be possible to have a 2.7.x release with the attached patch? That would allow gnutls 3.3.x generate arbitrary DH parameters. regards, Nikos

1 0

function casts
by Nikos Mavrogiannopoulos 13 Dec '14

13 Dec '14

It seems that in the GCM macros nettle uses casts to functions. That is pretty dangerous with the changes of parameters in functions in nettle 3. The issue is the compiler will not warn for serious errors such as different function type. An example macro is GCM_ENCRYPT. #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0) \ : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) I don't think that nettle should be casting functions. The issue seems to be present in ctr, eax and cbc modes as well. regards, Nikos

2 10

Potential bug in nettle-benchmark.c
by Eli Zaretskii 12 Dec '14

12 Dec '14

This was flagged by GCC: nettle-benchmark.c: In function 'time_cipher': nettle-benchmark.c:504:29: warning: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess] memset(iv, 0, sizeof(iv)); ^ nettle-benchmark.c:520:29: warning: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess] memset(iv, 0, sizeof(iv)); ^ nettle-benchmark.c:537:29: warning: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess] memset(iv, 0, sizeof(iv)); ^ Here's a suggested patch: --- examples/nettle-benchmark.c~0 2013-05-28 17:21:54.000000000 +0300 +++ examples/nettle-benchmark.c 2014-12-12 17:58:10.670625000 +0200 @@ -501,7 +501,7 @@ time_cipher(const struct nettle_cipher * info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, sizeof(iv)); + memset(iv, 0, sizeof(*iv)); cipher->set_encrypt_key(ctx, cipher->key_size, key); @@ -517,7 +517,7 @@ time_cipher(const struct nettle_cipher * info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, sizeof(iv)); + memset(iv, 0, sizeof(*iv)); cipher->set_decrypt_key(ctx, cipher->key_size, key); @@ -534,7 +534,7 @@ time_cipher(const struct nettle_cipher * info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, sizeof(iv)); + memset(iv, 0, sizeof(*iv)); cipher->set_encrypt_key(ctx, cipher->key_size, key);

2 2

issues found while converting from 2.7 to 3.0
by Nikos Mavrogiannopoulos 08 Dec '14

08 Dec '14

Hello, * gcm.h: The GCM_SET_KEY macro uses key both as input and to access a ctx element, and thus requires the last parameter to be called "key" as well. #define GCM_SET_KEY(ctx, set_key, encrypt, key) \ do { \ (set_key)(&(ctx)->cipher, (key)); \ if (0) (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0); \ gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt)); \ } while (0) * cbc.h: cbc_encrypt and decrypt use const void* as first parameter. That is, it cannot be wrapped over a function that works for cbc_encrypt as well as gcm_aes_encrypt (the latter doesn't use const). Without casts that is. Overall, what I didn't like it that the new cipher API required more code to wrap around it. * macros.h: The MD_INCR(ctx) macro is now only applicable for sha512. * nettle-types.h: There is still nettle_crypt_func which is identical to nettle_cipher_func. Is that intentional? I was wondering what was its use. * dsa_verify() Note sure if this is a regression, but this function will now succeed verifying data signed with a DSA-2048 key and SHA1 as hash. * libhogweed soname: libhogweed has the same soname with 2.7.1, so applications crash if they are linked against nettle 2.7.1 and 3.0 is installed (that is because hogweed links against libnettle.so.5). It may make sense for both libraries to share the same so version. regards, Nikos

2 16

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs December 2014