diff options
author | wiz <wiz@pkgsrc.org> | 2016-10-03 12:28:19 +0000 |
---|---|---|
committer | wiz <wiz@pkgsrc.org> | 2016-10-03 12:28:19 +0000 |
commit | 10957d95e541dc53bfd214911903a56358b6d474 (patch) | |
tree | ebed2ded750b71b2e898e2a10c818cb7797d62da /security/nettle | |
parent | 4ee08fcec4f56288c0da5d5bd79ca1f473d83b9b (diff) | |
download | pkgsrc-10957d95e541dc53bfd214911903a56358b6d474.tar.gz |
Updated nettle to 3.3.
NEWS for the Nettle 3.3 release
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
Changes in behavoir:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
allowed such keys, even if results of using them were bogus).
Nettle applications are required to call
rsa_private_key_prepare and check the return value, before
using any other RSA private key functions; failing to do so
may result in crashes for invalid private keys. As a
workaround for versions of Gnutls which don't use
rsa_private_key_prepare, additional checks for even moduli
are added to the rsa_*_tr functions which are used by all
recent versions of Gnutls.
* Ignore bit 255 of the x coordinate of the input point to
curve25519_mul, as required by RFC 7748. To differentiate at
compile time, curve25519.h defines the constant
NETTLE_CURVE25519_RFC7748.
Security:
* RSA and DSA now use side-channel silent modular
exponentiation, to defend against attacks on the private key
from evil processes sharing the same processor cache. This
attack scenario is of particular relevance when running an
HTTPS server on a virtual machine, where you don't know who
you share the cache hardware with.
(Private key operations on elliptic curves were already
side-channel silent).
Bug fixes:
* Fix sexp-conv crashes on invalid input. Reported by Hanno
Böck.
* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
Mavrogiannopoulos.
* Fix a couple of formally undefined shift operations,
reported by Nikos Mavrogiannopoulos.
* Fix compilation with c89. Reported by Henrik Grubbström.
New features:
* New function memeql_sec, for side-channel silent comparison
of two memory areas.
Miscellaneous:
* Building the public key support of nettle now requires GMP
version 5.0 or later (unless --enable-mini-gmp is used).
* Filenames of windows DLL libraries now include major number
only. So the dll names change at the same time as the
corresponding soname on ELF platforms. Fixed by Nikos
Mavrogiannopoulos.
* Eliminate most pointer-signedness warnings. In the process,
the strings representing expression type for sexp_interator
functions were changed from const uint8_t * to const char *.
These functions are undocumented, and it doesn't change the
ABI on any platform I'm aware of.
The shared library names are libnettle.so.6.3 and
libhogweed.so.4.3, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.
Diffstat (limited to 'security/nettle')
-rw-r--r-- | security/nettle/Makefile | 5 | ||||
-rw-r--r-- | security/nettle/PLIST | 3 | ||||
-rw-r--r-- | security/nettle/distinfo | 10 |
3 files changed, 10 insertions, 8 deletions
diff --git a/security/nettle/Makefile b/security/nettle/Makefile index 96ecb7a377e..cf68de1274a 100644 --- a/security/nettle/Makefile +++ b/security/nettle/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.16 2016/02/01 13:27:36 wiz Exp $ +# $NetBSD: Makefile,v 1.17 2016/10/03 12:28:19 wiz Exp $ -DISTNAME= nettle-3.2 +DISTNAME= nettle-3.3 CATEGORIES= devel security MASTER_SITES= http://www.lysator.liu.se/~nisse/archive/ \ ftp://ftp.lysator.liu.se/pub/security/lsh/ @@ -28,5 +28,6 @@ TEST_TARGET= check PKGCONFIG_OVERRIDE= hogweed.pc.in PKGCONFIG_OVERRIDE+= nettle.pc.in +BUILDLINK_API_DEPENDS.gmp+= gmp>=5.0 .include "../../devel/gmp/buildlink3.mk" .include "../../mk/bsd.pkg.mk" diff --git a/security/nettle/PLIST b/security/nettle/PLIST index 148e98498f5..1a6f40ca238 100644 --- a/security/nettle/PLIST +++ b/security/nettle/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.6 2015/08/23 14:22:10 wiz Exp $ +@comment $NetBSD: PLIST,v 1.7 2016/10/03 12:28:19 wiz Exp $ bin/nettle-hash bin/nettle-lfib-stream bin/nettle-pbkdf2 @@ -39,6 +39,7 @@ include/nettle/md2.h include/nettle/md4.h include/nettle/md5-compat.h include/nettle/md5.h +include/nettle/memops.h include/nettle/memxor.h include/nettle/nettle-meta.h include/nettle/nettle-stdint.h diff --git a/security/nettle/distinfo b/security/nettle/distinfo index 3cbc6c15ce1..17e666e7b6a 100644 --- a/security/nettle/distinfo +++ b/security/nettle/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.14 2016/02/01 13:27:36 wiz Exp $ +$NetBSD: distinfo,v 1.15 2016/10/03 12:28:19 wiz Exp $ -SHA1 (nettle-3.2.tar.gz) = b2eb5b36e65a8d3ed60ff81ec897044dead6dae0 -RMD160 (nettle-3.2.tar.gz) = 84b1bc8c1103ef825c614bf7e95d9a8dad10490e -SHA512 (nettle-3.2.tar.gz) = 9f2c802e8b683d1c2fd8d16ab33b2a1efda33a1bf33196be39031a2d0677f2e78d67221a718997780e157aa72973da7d9d549429e706fcfcdff97ee3bbef615a -Size (nettle-3.2.tar.gz) = 1879604 bytes +SHA1 (nettle-3.3.tar.gz) = bf2b4d3a41192ff6177936d7bc3bee4cebeb86c4 +RMD160 (nettle-3.3.tar.gz) = 7d535a12074b268f982ae111c07a0fcb6355909f +SHA512 (nettle-3.3.tar.gz) = 271981d89766f151af3cdc4e5fc43c438222f0f6f44475bad114f4209955b5235fced6526c7abca001cca223e8cfcd2a6bf389b160b305a499e7acf52425ec70 +Size (nettle-3.3.tar.gz) = 1887927 bytes SHA1 (patch-Makefile.in) = 96771c1fb195603d108717970eb32767d2c26799 SHA1 (patch-aa) = 2332668b077a6e3a1add603c87f60167755554ec SHA1 (patch-config.make.in) = 708fb3cac9c44825e0d231541cbecade2239c850 |