I'm happy to announce a new major release of GNU Nettle, a low-level cryptographics library. This release includes a couple of API changes, a few of which are rather disruptive, as well as deletion of obsolete features. There's only one notable new feature: Support for SLH-DSA signatures (stateless hash-based digital signature algorithm).
Please review NEWS (see below) carefully before upgrading. Since upgrading requires application code changes, nettle-3 (latest version 3.10.2) will get bug fix releases as needed to fix any severe bugs found, until the dust has settled and users, applications and distros have had reasonable time to upgrade. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-4.0.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-4.0.tar.gz Happy hacking, /Niels Möller NEWS for the Nettle 4.0 release This is a new major release. It includes one new feature, support for SLH-DSA. There are several changes to Nettle's API, as well as deletion of obsolete features. There are also several improvements to the ABI that leaves the API mostly unchanged, in particular, smaller context structs for several algorithms. The most disruptive API change is that the *_digest functions no longer takes the desired digest size as argument. Truncated hashes appeared to be an important use case decades ago when the previous interface was designed, but that is now rather obscure. Feedback on the new interfaces is appreciated, e.g., if the variable tag length for OCB and CCM should be supported differently, if additional types would benefit from larger alignment, or if there are remaining interface bugs or inconsistencies. Smaller additional API or ABI changes may be considered for the next release, Nettle-4.1, but after that, the intention is that both ABI and API should stay backwards compatible for a longer time. The shared library names are libnettle.so.9.0 and libhogweed.so.7.0, with new sonames libnettle.so.9 and libhogweed.so.7. Interface changes: * The _digest functions for hash algorithms, MACs and AEADs no longer take the desired digest size as argument, instead, they always produce the full-size digest. The typedef nettle_hash_digest_func has also been changed accordingly. There are two exceptions: CCM and OCB. These AEAD algorithms are specified with a variable tag length, which is not a mere truncation of the output. Their _digest functions (ccm_digest, ocb_digest, ccm_ae128_digest, ...) also have their length argument deleted, but they still produce a variable size digest. The number of octets to write (at most 16) is stored into the context struct by the corresponding _set_nonce function. * The functions to process complete messages using CCM AES now take a const cipher context as the first argument, e.g, first argument to ccm_aes128_encrypt_message is now a const struct aes128_ctx *. It used to be a struct ccm_aes128_ctx *, where everything but the underlying cipher context was ignored. * The SHA3 functions now use the same struct sha3_ctx for all flavors, and the same function sha3_init. Old names, e.g., sha3_256_ctx and sha3_256_init, are defined as preprocessor aliases, for backwards compatibility. * The dst_length argument to base16_decode_update and base64_decode_update is now both an input and output argument. On input it must now hold the size of the destination buffer, and decoding fails if that is not sufficient. Previously, dst_length was an output only, and it was required that the destination buffer was large enough for any input of the given src_length. Interface deletions: * Deleted the old struct aes_ctx, and all functions operating on it. Use the fixed key size interfaces instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * Deleted dsa-compat.h, and everything declared therein. Use the interface in dsa.h, introduced in Nettle-3.0. * Deleted old header sha.h. Use sha1.h or sha2.h instead, as appropriate. * Deleted the general HMAC interface, with functions like hmac_set_key that work with an arbitrary underlying hash function. Use the specific hmac functions instead, e.g., hmac_sha256_set_key, or the mac abstraction defined in nettle-meta.h, e.g, the nettle_hmac_sha256 instance. * Deleted the undocumented struct nettle_armor abstraction. * Deleted the undocumented function base64_encode_group. * Deleted md5-compat.h, and everything declared therein. Use the interface in md5.h instead (or even better, stop using md5). * Deleted pgp.h, and everything declared therein. This attempt to support openpgp formats was incomplete, undocumented, and mostly obsolete. * Delete all the *_DATA_SIZE compatibility aliases. Use corresponding *_BLOCK_SIZE constants instead, introduced in Nettle-3.0. * Deleted the obsolete functions _rsa_blind and _rsa_unblind. (Current RSA blinding in Nettle uses internal functions with a different interface). * Delete compatibility aliases salsa20_set_iv, SALSA20_IV_SIZE. These were renamed to salsa20_set_nonce and SALSA20_NONCE_SIZE in Nettle-3.0. * Deleted compatibility aliases _nettle_md5_compress, _nettle_sha1_compress. These internal functions were promoted to documented and supported functions in Nettle-3.9, with new names md5_compress and sha1_compress. * Deleted compatibility alias yarrow_force_reseed. Renamed to yarrow_slow_reseed in Nettle-2.0. ABI changes and improvements. * Introduce 16-byte alignment on certain types. Applied to union nettle_block16, and subkey arrays of AES and UMAC. This is intended to improve performance for SIMD load and store instructions, which on some platforms may be faster with proper alignment. The larger alignment is enabled only for platforms where the alignment of the uint64_t type is 8. * Size of struct gcm_key is reduced from 4096 bytes to 2048. * Size of the new sha3_ctx is considerable smaller, 216 bytes, than the previous types that included a buffer for a complete block. E.g., the largest one, for sha3_128_ctx (shake128), used to be 376 bytes. * Size of HMAC contexts have been reduced, by not including multiple block buffers. E.g, size of struct hmac_sha256_ctx reduced from 336 bytes to 192. This change has been discussed for a long time, with first attempt made by Dmitry Baryshkov years ago, but delayed, since it implies an ABI break. * For OCB block counters, use type uint32_t for blocks of associated data, and uint64_t for message blocks, instead of size_t. This makes the implementation limits the same for 32-bit and 64-bit platforms. Bug fixes: * Fix off-by-one bug in sexp parser, which could result in a one byte overread on invalid input. Also fix excessive recursion and stack usage for some inputs. Both problems reported via oss-fuzz. * Fix ed448_shake256_verify to check that the final signature octet is zero (previous versions completely ignored this somewhat redundant octet). Reported by Oren Yomtov. New features: * Support for SLH-DSA signatures (stateless hash-based digital signature algorithm). See the Nettle manual for details. * New public function drbg_ctr_aes256_update, to enable FIPS-compliant reseeding. Contributed by Daiki Ueno. Configure and build changes: * Support for at least C99 is required when building Nettle. In addition, support for alignof and alignas is required; these are part of C11, but intention is that this is the only required C11 feature. * The unusual configure options --with-lib-path and --with-include-path has been deleted. Use CFLAGS and LDFLAGS instead. This implies that Nettle's configure script no longer attempts to add rpath-related linker flags automagically; if any are needed, they must be passed in LDFLAGS. * The logic to sometimes change the default libdir has been deleted. Previously, configure tried to be helpful and change the default, e.g., to ${exec_prefix}/lib32 when you build 32-bit libraries on a system where ${exec_prefix}/lib is for 64-bit libraries. If you relied on this behavior, you now have to use the --libdir configure option. * Rearranged getopt files, now based on gnulib copies. -- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.
