summaryrefslogtreecommitdiff
path: root/security/nettle
diff options
context:
space:
mode:
authorwiz <wiz@pkgsrc.org>2016-10-03 12:28:19 +0000
committerwiz <wiz@pkgsrc.org>2016-10-03 12:28:19 +0000
commit10957d95e541dc53bfd214911903a56358b6d474 (patch)
treeebed2ded750b71b2e898e2a10c818cb7797d62da /security/nettle
parent4ee08fcec4f56288c0da5d5bd79ca1f473d83b9b (diff)
downloadpkgsrc-10957d95e541dc53bfd214911903a56358b6d474.tar.gz
Updated nettle to 3.3.
NEWS for the Nettle 3.3 release This release fixes a couple of bugs, and improves resistance to side-channel attacks on RSA and DSA private key operations. Changes in behavoir: * Invalid private RSA keys, with an even modulo, are now rejected by rsa_private_key_prepare. (Earlier versions allowed such keys, even if results of using them were bogus). Nettle applications are required to call rsa_private_key_prepare and check the return value, before using any other RSA private key functions; failing to do so may result in crashes for invalid private keys. As a workaround for versions of Gnutls which don't use rsa_private_key_prepare, additional checks for even moduli are added to the rsa_*_tr functions which are used by all recent versions of Gnutls. * Ignore bit 255 of the x coordinate of the input point to curve25519_mul, as required by RFC 7748. To differentiate at compile time, curve25519.h defines the constant NETTLE_CURVE25519_RFC7748. Security: * RSA and DSA now use side-channel silent modular exponentiation, to defend against attacks on the private key from evil processes sharing the same processor cache. This attack scenario is of particular relevance when running an HTTPS server on a virtual machine, where you don't know who you share the cache hardware with. (Private key operations on elliptic curves were already side-channel silent). Bug fixes: * Fix sexp-conv crashes on invalid input. Reported by Hanno Böck. * Fix out-of-bounds read in des_weak_p. Fixed by Nikos Mavrogiannopoulos. * Fix a couple of formally undefined shift operations, reported by Nikos Mavrogiannopoulos. * Fix compilation with c89. Reported by Henrik Grubbström. New features: * New function memeql_sec, for side-channel silent comparison of two memory areas. Miscellaneous: * Building the public key support of nettle now requires GMP version 5.0 or later (unless --enable-mini-gmp is used). * Filenames of windows DLL libraries now include major number only. So the dll names change at the same time as the corresponding soname on ELF platforms. Fixed by Nikos Mavrogiannopoulos. * Eliminate most pointer-signedness warnings. In the process, the strings representing expression type for sexp_interator functions were changed from const uint8_t * to const char *. These functions are undocumented, and it doesn't change the ABI on any platform I'm aware of. The shared library names are libnettle.so.6.3 and libhogweed.so.4.3, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1.
Diffstat (limited to 'security/nettle')
-rw-r--r--security/nettle/Makefile5
-rw-r--r--security/nettle/PLIST3
-rw-r--r--security/nettle/distinfo10
3 files changed, 10 insertions, 8 deletions
diff --git a/security/nettle/Makefile b/security/nettle/Makefile
index 96ecb7a377e..cf68de1274a 100644
--- a/security/nettle/Makefile
+++ b/security/nettle/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2016/02/01 13:27:36 wiz Exp $
+# $NetBSD: Makefile,v 1.17 2016/10/03 12:28:19 wiz Exp $
-DISTNAME= nettle-3.2
+DISTNAME= nettle-3.3
CATEGORIES= devel security
MASTER_SITES= http://www.lysator.liu.se/~nisse/archive/ \
ftp://ftp.lysator.liu.se/pub/security/lsh/
@@ -28,5 +28,6 @@ TEST_TARGET= check
PKGCONFIG_OVERRIDE= hogweed.pc.in
PKGCONFIG_OVERRIDE+= nettle.pc.in
+BUILDLINK_API_DEPENDS.gmp+= gmp>=5.0
.include "../../devel/gmp/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
diff --git a/security/nettle/PLIST b/security/nettle/PLIST
index 148e98498f5..1a6f40ca238 100644
--- a/security/nettle/PLIST
+++ b/security/nettle/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2015/08/23 14:22:10 wiz Exp $
+@comment $NetBSD: PLIST,v 1.7 2016/10/03 12:28:19 wiz Exp $
bin/nettle-hash
bin/nettle-lfib-stream
bin/nettle-pbkdf2
@@ -39,6 +39,7 @@ include/nettle/md2.h
include/nettle/md4.h
include/nettle/md5-compat.h
include/nettle/md5.h
+include/nettle/memops.h
include/nettle/memxor.h
include/nettle/nettle-meta.h
include/nettle/nettle-stdint.h
diff --git a/security/nettle/distinfo b/security/nettle/distinfo
index 3cbc6c15ce1..17e666e7b6a 100644
--- a/security/nettle/distinfo
+++ b/security/nettle/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.14 2016/02/01 13:27:36 wiz Exp $
+$NetBSD: distinfo,v 1.15 2016/10/03 12:28:19 wiz Exp $
-SHA1 (nettle-3.2.tar.gz) = b2eb5b36e65a8d3ed60ff81ec897044dead6dae0
-RMD160 (nettle-3.2.tar.gz) = 84b1bc8c1103ef825c614bf7e95d9a8dad10490e
-SHA512 (nettle-3.2.tar.gz) = 9f2c802e8b683d1c2fd8d16ab33b2a1efda33a1bf33196be39031a2d0677f2e78d67221a718997780e157aa72973da7d9d549429e706fcfcdff97ee3bbef615a
-Size (nettle-3.2.tar.gz) = 1879604 bytes
+SHA1 (nettle-3.3.tar.gz) = bf2b4d3a41192ff6177936d7bc3bee4cebeb86c4
+RMD160 (nettle-3.3.tar.gz) = 7d535a12074b268f982ae111c07a0fcb6355909f
+SHA512 (nettle-3.3.tar.gz) = 271981d89766f151af3cdc4e5fc43c438222f0f6f44475bad114f4209955b5235fced6526c7abca001cca223e8cfcd2a6bf389b160b305a499e7acf52425ec70
+Size (nettle-3.3.tar.gz) = 1887927 bytes
SHA1 (patch-Makefile.in) = 96771c1fb195603d108717970eb32767d2c26799
SHA1 (patch-aa) = 2332668b077a6e3a1add603c87f60167755554ec
SHA1 (patch-config.make.in) = 708fb3cac9c44825e0d231541cbecade2239c850