I'm happy to announce a new release of GNU Nettle, a low-level cryptographic library. This release includes a couple of new features and improved performance.
The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html.
The release can be downloaded from
https://ftp.gnu.org/gnu/nettle/nettle-3.5.tar.gz
ftp://ftp.gnu.org/gnu/nettle/nettle-3.5.tar.gz
https://www.lysator.liu.se/~nisse/archive/nettle-3.5.tar.gz
Regards, /Niels
NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations, and deletes or deprecates a few obsolete features. It is *not* binary (ABI) compatible with earlier versions. Except for deprecations listed below, it is intended to be fully source-level (API) compatible with Nettle-3.4.1.
The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames libnettle.so.7 and libhogweed.so.5.
Changes in behavior:
* Nettle's gcm_crypt will now call the underlying block cipher to process more than one block at a time. This is not a change to the documented behavior, but unfortunately breaks assumptions accidentally made in GnuTLS, up to and including version 3.6.1.
New features:
* Support for CFB8 (Cipher Feedback Mode, processing a single octet per block cipher operation), contributed by Dmitry Eremin-Solenikov.
* Support for CMAC (RFC 4493), contributed by Nikos Mavrogiannopoulos.
* Support for XTS mode, contributed by Simo Sorce.
Optimizations:
* Improved performance of the x86_64 AES implementation using the aesni instructions. Gives a large speedup for operations processing multiple blocks at a time (including CTR mode, GCM mode, and CBC decrypt, but *not* CBC encrypt).
* Improved performance for CTR mode, for the common case of 16-byte block size. Pass more data at a time to underlying block cipher, and fill the counter blocks more efficiently. Extension to also handle GCM mode efficiently contributed by Nikos Mavrogiannopoulos.
* New x86_64 implementation of sha1 and sha256, for processors supporting the sha_ni instructions. Speedup of 3-5 times on affected processors.
* Improved parameters for the precomputation of tables used for ecc signatures. Roughly 10%-15% speedup of the ecdsa sign operation using the secp_256r1, secp_384r1 and secp_521r1 curves, and 25% speedup of ed25519 sign operation, benchmarked on x86_64. Table sizes unchanged, around 16 KB per curve.
* In ARM fat builds, automatically select Neon implementation of Chacha, where possible. Contributed by Yuriy M. Kaminskiy.
Deleted features:
* The header file des-compat.h and everything declared therein has been deleted, as announced earlier. This file provided a subset of the old libdes/ssleay/openssl interface for DES and triple-DES. DES is still supported, via the functions declared in des.h.
* Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0.
* The header file nettle-stdint.h, and corresponding autoconf tests, have been deleted. Nettle now requires that the compiler/libc provides <stdint.h>.
Miscellaneous:
* Support for big-endian ARM systems, contributed by Michael Weiser.
* The programs aesdata, desdata, twofishdata, shadata and gcmdata are no longer built by default. Makefile improvements contributed by Jay Foad.
* The "example" program examples/eratosthenes.c has been deleted.
* The contents of hash context structs, and the deprecated aes_ctx struct, have been reorganized, to enable later optimizations.
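The gcm_crypt change listed under "Changes in behavior" (and the same batching in CTR mode) means that the block-cipher callback an application hands to Nettle must honour its length argument instead of assuming a single block. The following is an added example, not Nettle or GnuTLS code: it declares a callback type with the same shape as Nettle's nettle_cipher_func, substitutes a toy XOR transform for a real block cipher so it compiles without Nettle, and runs a one-block-only wrapper and a length-honouring wrapper under both a one-block-per-call driver (the pre-3.5 pattern) and a several-blocks-per-call driver (the 3.5 pattern). The chunk size, message length and key are constructed values; the mismatch count shows what silently goes wrong with the first wrapper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16            /* AES block size, the case gcm_crypt/ctr_crypt optimise */
#define CHUNK (4 * BLOCK)   /* constructed: bytes handed to the callback per call */
#define MSG   (8 * BLOCK)   /* constructed: test message length */

/* Same shape as Nettle's nettle_cipher_func (ctx, length, dst, src). */
typedef void cipher_func(const void *ctx, size_t length,
                         uint8_t *dst, const uint8_t *src);

struct toy_ctx { uint8_t key[BLOCK]; };

/* Toy one-block transform standing in for e.g. aes256_encrypt.  XOR with the
 * key only: not a cipher, just something whose output is easy to check. */
static void toy_block(const struct toy_ctx *c, uint8_t *dst, const uint8_t *src)
{
  for (int i = 0; i < BLOCK; i++)
    dst[i] = src[i] ^ c->key[i];
}

/* Broken wrapper: ignores length and transforms exactly one block.  This is
 * the kind of assumption the NEWS entry describes; it only holds while the
 * mode calls the callback one block at a time. */
static void wrap_single_block(const void *ctx, size_t length,
                              uint8_t *dst, const uint8_t *src)
{
  (void)length;
  toy_block(ctx, dst, src);
}

/* Correct wrapper: honours length and transforms every whole block. */
static void wrap_multi_block(const void *ctx, size_t length,
                             uint8_t *dst, const uint8_t *src)
{
  for (size_t off = 0; off + BLOCK <= length; off += BLOCK)
    toy_block(ctx, dst + off, src + off);
}

/* Driver in the 3.5 style: several blocks per callback call. */
static void drive_chunked(cipher_func *f, const void *ctx, size_t length,
                          uint8_t *dst, const uint8_t *src)
{
  while (length > 0) {
    size_t n = length < CHUNK ? length : CHUNK;
    f(ctx, n, dst, src);
    length -= n; dst += n; src += n;
  }
}

/* Driver in the pre-3.5 style: exactly one block per callback call. */
static void drive_blockwise(cipher_func *f, const void *ctx, size_t length,
                            uint8_t *dst, const uint8_t *src)
{
  for (size_t off = 0; off + BLOCK <= length; off += BLOCK)
    f(ctx, BLOCK, dst + off, src + off);
}

/* Runs wrapper f under both drivers on a constructed message and returns the
 * number of output bytes that differ.  A wrapper that honours length gives 0;
 * the one-block wrapper leaves every block after the first of each chunk
 * untouched (output buffers start zeroed), so those bytes come out wrong. */
int mismatching_bytes(cipher_func *f)
{
  struct toy_ctx c;
  uint8_t src[MSG], ref[MSG], out[MSG];
  memset(c.key, 0xA5, BLOCK);                 /* constructed key */
  for (int i = 0; i < MSG; i++) src[i] = (uint8_t)i;
  memset(ref, 0, MSG);
  memset(out, 0, MSG);
  drive_blockwise(f, &c, MSG, ref, src);
  drive_chunked(f, &c, MSG, out, src);
  int diff = 0;
  for (int i = 0; i < MSG; i++) diff += (ref[i] != out[i]);
  return diff;
}

int main(void)
{
  printf("one-block wrapper under chunked driver: %d bytes wrong\n",
         mismatching_bytes(wrap_single_block));
  printf("length-honouring wrapper:               %d bytes wrong\n",
         mismatching_bytes(wrap_multi_block));
  return 0;
}
```

With an 8-block message and 4-block chunks, the one-block wrapper processes only 2 of the 8 blocks, so 96 of 128 bytes are wrong; the same wrapper was correct under the one-block driver, which is why the bug could stay hidden until the library started batching.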
Hi,
The x86_64/sha_ni directory is not included in the distribution, and thus compilation fails when --enable-fat is provided. I updated my previous patch to add `make distcheck` to include enable-fat, so that missing files from distribution are caught earlier.
regards, Nikos
On Wed, Jun 26, 2019 at 8:22 AM Niels Möller nisse@lysator.liu.se wrote:
-- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.
nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
I was going to note the same :) So we delay this feature?
On Wed, Jun 26, 2019 at 10:05 AM Nikos Mavrogiannopoulos nmav@redhat.com wrote:
Hi,
The x86_64/sha_ni directory is not included in the distribution, and thus compilation fails when --enable-fat is provided. I updated my previous patch to add `make distcheck` to include enable-fat, so that missing files from distribution are caught earlier.
regards, Nikos
Nikos Mavrogiannopoulos nmav@redhat.com writes:
The x86_64/sha_ni directory is not included in the distribution, and thus compilation fails when --enable-fat is provided. I updated my previous patch to add `make distcheck` to include enable-fat, so that missing files from distribution are caught earlier.
Ouch. I'll have to make an updated release later today or tomorrow.
Thanks for finding it quickly. I've run at least a dozen different tests on the rc1 tarball, but apparently none with x86_64 --enable-fat :-(
And the problem is of course not limited to fat builds, it's just that --enable-fat happens to make it visible at compile time.
Regards, /Niels
On Wed, Jun 26, 2019 at 12:23 PM Niels Möller nisse@lysator.liu.se wrote:
Ouch. I'll have to make an updated release later today or tomorrow.
I sent three patches to clean up our gentoo downstream patches, can you please consider them for the release so we have zero patching?
Thanks! Alon
Alon Bar-Lev alon.barlev@gmail.com writes:
I sent three patches to clean up our gentoo downstream patches, can you please consider them for the release so we have zero patching?
Not for this release, sorry. I'll send comments on the patches separately.
Regards, /Niels
On Wed, 2019-06-26 at 11:23 +0200, Niels Möller wrote:
Nikos Mavrogiannopoulos nmav@redhat.com writes:
The x86_64/sha_ni directory is not included in the distribution, and thus compilation fails when --enable-fat is provided. I updated my previous patch to add `make distcheck` to include enable-fat, so that missing files from distribution are caught earlier.
Ouch. I'll have to make an updated release later today or tomorrow.
Thanks for finding it quickly. I've run at least a dozen different tests on the rc1 tarball, but apparently none with x86_64 --enable-fat :-(
And the problem is of course not limited to fat builds, it's just that --enable-fat happens to make it visible at compile time.
Niels, it may be nice to use gitlab and its CI features to have tests with all configurations to catch these things.
Simo.
nisse@lysator.liu.se (Niels Möller) writes:
Nikos Mavrogiannopoulos nmav@redhat.com writes:
The x86_64/sha_ni directory is not included in the distribution, and thus compilation fails when --enable-fat is provided. I updated my previous patch to add `make distcheck` to include enable-fat, so that missing files from distribution are caught earlier.
Ouch. I'll have to make an updated release later today or tomorrow.
Below is the patch I'm considering, as well as the diff to the file list of the resulting tar file (I've also moved away two unfinished and uncommitted files from the x86_64 directory, which were unintentionally picked up by make dist).
I'm not changing the library versions, since any configuration of 3.5 that can be built successfully will be completely compatible with 3.5.1, with the only difference being that x86_64 builds with --enable-x86-sha-ni will be a lot faster with 3.5.1.
Any last minute comments appreciated. I intend to do the updated release in a few hours, since I'm about to leave for summer vacation.
Regards, /Niels
diff --git a/ChangeLog b/ChangeLog index c3d298c7..32a3e3ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2019-06-26 Niels Möller nisse@lysator.liu.se
+ * configure.ac: Update version number to 3.5.1. + + * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed + directories. + * Released nettle-3.5.
2019-06-25 Niels Möller nisse@lysator.liu.se diff --git a/Makefile.in b/Makefile.in index a6b8ffd6..537e97d1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -586,7 +586,7 @@ distdir: $(DISTFILES) fi ; \ done set -e; for d in sparc32 sparc64 x86 \ - x86_64 x86_64/aesni x86_64/fat \ + x86_64 x86_64/aesni x86_64/sha_ni x86_64/fat \ arm arm/neon arm/v6 arm/fat ; do \ mkdir "$(distdir)/$$d" ; \ find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' ')' \ diff --git a/NEWS b/NEWS index 622377f3..5e94c893 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,16 @@ +NEWS for the Nettle 3.5.1 release + + The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. + The new directory x86_64/sha_ni were missing in the tar file, + breaking x86_64 builds with --enable-fat, and producing worse + performance than promised for builds with --enable-x86-sha-ni. + Also a few unused in-progress assembly files were accidentally + included in the tar file. + + These problems are corrected in Nettle-3.5.1. There are no + other changes, and also the library version numbers are + unchanged. + NEWS for the Nettle 3.5 release
This release adds a couple of new features and optimizations, diff --git a/configure.ac b/configure.ac index 00d2bf5d..3547cae4 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ dnl -*- mode: shell-script; sh-indentation: 2; -*-
dnl Process this file with autoconf to produce a configure script.
-AC_INIT([nettle], [3.5], [nettle-bugs@lists.lysator.liu.se]) +AC_INIT([nettle], [3.5.1], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ(2.61) AC_CONFIG_SRCDIR([arcfour.c]) # Needed to stop autoconf from looking for files in parent directories.
--- /dev/fd/63 2019-06-26 19:24:14.688527655 +0200 +++ /dev/fd/62 2019-06-26 19:24:14.692527654 +0200 @@ -123,7 +123,6 @@ x86_64/aes-decrypt-internal.asm x86_64/ecc-256-redc.asm x86_64/salsa20-crypt.asm -x86_64/ecc-25519-modp-mul.asm x86_64/md5-compress.asm x86_64/gcm-hash8.asm x86_64/sha256-compress.asm @@ -157,13 +156,15 @@ x86_64/sha512-compress.asm x86_64/chacha-core-internal.asm x86_64/ecc-224-modp.asm +x86_64/sha_ni/ +x86_64/sha_ni/sha256-compress.asm +x86_64/sha_ni/sha1-compress.asm x86_64/salsa20.m4 x86_64/poly1305-internal.asm x86_64/serpent-decrypt.asm x86_64/umac-nh.asm x86_64/memxor.asm x86_64/ecc-25519-modp.asm -x86_64/sha1-compress-sse.asm x86_64/serpent-encrypt.asm x86_64/ecc-521-modp.asm camellia-absorb.c
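Review bot: in the Makefile.in hunk, the distdir directory list (`x86_64 x86_64/aesni x86_64/sha_ni x86_64/fat`) remains hand-maintained, which is exactly how x86_64/sha_ni was dropped from the 3.5 tarball; the one-line addition is correct, but consider pairing it with the `--enable-fat` `make distcheck` configuration Nikos proposed earlier in the thread, so that the next new assembly directory is caught before a tarball ships rather than after.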
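Review bot: two grammar slips in the added NEWS text: "The Nettle-3.5.1 corrects a packaging mistake" should drop the article ("Nettle-3.5.1 corrects ..."), and "The new directory x86_64/sha_ni were missing" should read "was missing". The rest of the entry is consistent with the other hunks: the file-list diff shows the two sha_ni .asm files added and x86_64/ecc-25519-modp-mul.asm and x86_64/sha1-compress-sse.asm removed, matching the "unused in-progress assembly files" the entry mentions.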
On Wednesday, 26 June 2019 at 08:21:51 CEST, Niels Möller wrote:
- Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0.
But surely common structs and functions are more convenient for library users, and the different fixed key size functions all call the same functions internally, so isn't there a value in keeping the old interface around?
Magnus Holmgren holmgren@debian.org writes:
But surely common structs and functions are more convenient for library users,
Maybe. Incompatible changes are surely highly inconvenient, but I'd expect separate functions to fit well in most applications.
There's no urgency in deleting the old functions, but I'd like to encourage library users to switch.
and the different fixed key size functions all call the same functions internally, so isn't there a value in keeping the old interface around?
Currently, yes, but I think the implementation in x86_64/aesni could be sped up by using separate functions for aes128, aes192 and aes256. To enable that, it's best to have separate functions all the way.
Regards, /Niels