[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ANNOUNCE: Nettle-3.4

From: Niels Möller
Subject: ANNOUNCE: Nettle-3.4
Date: Sun, 19 Nov 2017 15:08:02 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix)

I'm happy to announce a new release of GNU Nettle, a low-level
cryptographics library. This release includes a couple of bugfixes and
new features. Next release is likely to break ABI compatibility, to make
that transition easier, applications are encourraged to adopt the new
accessor functions introduced in this release.

The Nettle home page can be found at, and the manual at

The release can be downloaded from

Happy hacking,
/Niels möller

NEWS for the Nettle 3.4 release

        This release fixes bugs and adds a few new features. It also
        addresses an ABI compatibility issue affecting Nettle-3.1 and
        later, see below.

        Bug fixes:

        * Fixed an improper use of GMP mpn_mul, breaking curve2559 and
          eddsa on certain platforms. Reported by Sergei Trofimovich.

        * Fixed memory leak when handling invalid signatures in
          ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.

        * Fix compilation error with --enable-fat om ARM. Fix
          contributed by Andreas Schneider.

        * Reorganized the way certain data items are made available.

          Short version: Nettle header files now define the symbols
          nettle_hashes, nettle_ciphers, and nettle_aeads, as
          preprocessor macros invoking a corresponding accessor
          function. For backwards ABI compatibility, the symbols are
          still present in the compiled libraries, and with the same
          sizes as in nettle-3.3.

        New features:

        * Support for RSA-PSS signatures, contributed by Daiki Ueno.

        * Support for the HKDF key derivation function, defined by RFC
          5869. Contributed by Nikos Mavrogiannopoulos.

        * Support for the Cipher Feedback Mode (CFB), contributed by
          Dmitry Eremin-Solenikov.

        * New accessor functions: nettle_get_hashes,
          nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
          nettle_get_secp_224r1, nettle_get_secp_256r1,
          nettle_get_secp_384r1, nettle_get_secp_521r1.

          For source-level compatibility with future versions,
          applications are encouraged to migrate to using these
          functions instead of referring to the corresponding data
          items directly.


        * The base16 and base64 functions now use the type char * for
          ascii data, rather than uint8_t *. This eliminates the last
          pointer-signedness warnings when building Nettle. This is a
          minor API change, and applications may need to be adjusted,
          but the ABI is unaffected on all platforms I'm aware of.

        * The contents of the header file nettle/version.h is now
          architecture independent, except in --enable-mini-gmp

        ABI issue:

          Since the breakage was a bit subtle, let me document it
          here. The nettle and hogweed libraries export a couple of
          data symbols, and for some of these, the size was never
          intended to be part of the ABI. E.g.,

            extern const struct nettle_hash * const nettle_hashes[];

          which is an NULL-terminated array.

          It turns out the sizes nevertheless may leak into the ABI, and
          that increasing the sizes can break old executables linked
          with a newer version of the library.

          When linking a classic non-PIE executable with a shared
          library, we get ELF relocations of type R_X86_64_COPY for
          references to data items. These mean that the linker allocates
          space for the data item in the data segment of executable, at
          a fixed address determined at link-time, and with size
          extracted from the version of the .so-file seen when linking.

          At load time, the run time linker then copies the contents of
          the symbol from the .so file to that location, and uses the
          copy instead of the version loaded with the .so-file. And if
          the data item in the .so file used at load time is larger than
          the data item seen at link time, it is silently truncated in
          the process.

          So when SHA3 hashes were was added to the nettle_hashes array
          in the nettle-3.3 release, this way of linking produces a
          truncated array at load time, no longer NULL-terminated.

          We will get similar problems for planned extensions of the
          internal struct ecc_curve, and exported data items like

            extern const struct ecc_curve nettle_secp_256r1;

          where the ecc_curve struct is only forward declared in the
          public headers. To prepare, applications should migrate to
          using the new function nettle_get_secp_256r1, and similarly
          for the other curves.

          In some future version, the plan is to add a leading
          underscore to the name of the actual data items. E.g.,
          nettle_hashes --> _nettle_hashes, breaking the ABI, while
          keeping the nettle_get_hashes function and the nettle_hashes
          macro as the supported ways to access it. We will also
          rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
          both ABI and API.

          Note that data items like nettle_sha256 are *not* affected,
          since the size and layout of this struct is considered part
          of the ABI, and R_X86_64_COPY-relocations then work fine.

        The shared library names are and, with sonames still and It is intended to be fully binary compatible
        with nettle-3.1.

Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]