Date: Sun, 9 Dec 2018 20:11:40 +0000
From: "Leonardo Taccari"
Subject: CVS commit: pkgsrc/security/nettle
To: pkgsrc-changes@NetBSD.org
Reply-To: leot@netbsd.org
Message-Id: <20181209201140.CB521FB16@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	leot
Date:		Sun Dec  9 20:11:40 UTC 2018

Modified Files:
	pkgsrc/security/nettle: Makefile buildlink3.mk distinfo

Log Message:
nettle: Update security/nettle to 3.4.1

Changes:
3.4.1
-----

This release fixes a few bugs, and makes the RSA private key operations side channel silent. The RSA improvements are contributed by Simo Sorce and Red Hat, and include one new public function, rsa_sec_decrypt, see below.

All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.

Nettle's ECC functions were already side-channel silent, while the DSA functions still aren't.

There's also one caveat regarding the improved RSA functions: due to small table lookups in relevant mpn_sec_* functions in GMP-6.1.2, the lowest and highest few bits of the secret factors p and q may still leak. I'm not aware of any attacks on RSA where knowing a few bits of the factors makes a significant difference. This leak will likely be plugged in later GMP versions.

Changes in behavior:

* The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of
  the provided message buffer, independent of the actual message
  length. They are side-channel silent, in that branches and memory
  accesses don't depend on the validity or length of the message.
  Side-channel leakage from the caller's use of length and return value
  may still provide an oracle usable for a Bleichenbacher-style chosen
  ciphertext attack. That is why the new function rsa_sec_decrypt is
  recommended.

New features:

* A new function rsa_sec_decrypt. It differs from rsa_decrypt_tr in
  that the length of the decrypted message is given a priori, and
  PKCS#1 padding indicating a different length is treated as an error.
  For applications that may be subject to chosen ciphertext attacks, it
  is recommended to initialize the message area with random data, call
  this function, and ignore the return value. This applies in
  particular to RSA-based key exchange in the TLS protocol.

Bug fixes:

* Fix bug in pkcs1-conv, missing break statements in the parsing of
  PEM input files.

* Fix link error on the pss-mgf1-test test, affecting builds without
  public key support.

Performance regression:

* All RSA private key operations employing RSA blinding, i.e.,
  rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
  rsa_compute_root_tr, are significantly slower. This is because
  (i) RSA blinding now uses side-channel silent operations,
  (ii) blinding includes a modular inversion, and (iii) side-channel
  silent modular inversion, implemented as mpn_sec_invert, is very
  expensive. A 60% slowdown for 2048-bit RSA keys has been measured.

Miscellaneous:

* Building the public key support of nettle now requires GMP version
  6.0 or later (unless --enable-mini-gmp is used).

The shared library names are libnettle.so.6.5 and libhogweed.so.4.5, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1.
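The NEWS text above describes two interfaces for the PKCS#1 v1.5 unpadding stage of RSA decryption: the old one, where the caller learns the recovered length and a validity flag (and so can be turned into a Bleichenbacher oracle), and the rsa_sec_decrypt one, where the length is fixed a priori, the caller pre-fills the output with random bytes and ignores the result. The following is an added example, written for this page and not code from nettle or its contributors; it implements only the padding-processing step on an already-decrypted block (no bignum arithmetic, no GMP), with hypothetical function names, a constructed 32-byte block and a fixed fill byte standing in for the caller's random data. Constant-time C is only as constant-time as the object code the compiler emits, so treat the masking idiom as illustrative, not as a guarantee.

```c
/* Added example, not nettle's code: branchy vs. side-channel silent
 * PKCS#1 v1.5 unpadding (names and inputs are hypothetical/constructed). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0xFF if a == b, 0x00 otherwise, without a data-dependent branch:
 * (x - 1) borrows into bit 31 exactly when x == 0. */
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)(0u - ((x - 1) >> 31));
}

/* Branchy reference: EM = 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M.
 * Returns 1 and the recovered length on success, 0 otherwise. The early
 * returns and the separator scan leak through timing, and the (length,
 * return value) pair is exactly the oracle a Bleichenbacher attack needs. */
int pkcs1_unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t *msg_len)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;                                   /* stops at the first zero byte */
    if (i == k || i < 10)                   /* no separator, or PS shorter than 8 */
        return 0;
    *msg_len = k - i - 1;
    memcpy(out, em + i + 1, *msg_len);      /* length-dependent copy */
    return 1;
}

/* rsa_sec_decrypt style: msg_len is known a priori, out[] already holds
 * msg_len caller-supplied random bytes, and on any padding error it is left
 * untouched, so a caller that ignores the return value proceeds with random
 * data. Every byte of em[] and out[] is touched regardless of validity. */
int pkcs1_sec_unpad(const uint8_t *em, size_t k, uint8_t *out, size_t msg_len)
{
    size_t sep, i;
    uint8_t ok;
    if (k < msg_len + 11)                   /* public sizes only, not secret data */
        return 0;
    sep = k - msg_len - 1;                  /* where the 0x00 separator must be */
    ok  = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02) & ct_eq_u8(em[sep], 0x00);
    for (i = 2; i < sep; i++)               /* whole PS scanned, no early exit */
        ok &= (uint8_t)~ct_eq_u8(em[i], 0x00);
    for (i = 0; i < msg_len; i++)           /* select under the mask */
        out[i] = (uint8_t)((out[i] & (uint8_t)~ok) | (em[sep + 1 + i] & ok));
    return ok & 1;
}

/* Constructed PKCS#1 v1.5 type-2 block for a k-byte modulus (no RSA involved). */
void build_em(uint8_t *em, size_t k, const uint8_t *msg, size_t msg_len, uint8_t pad)
{
    size_t sep = k - msg_len - 1;
    em[0] = 0x00;
    em[1] = 0x02;
    memset(em + 2, pad, sep - 2);
    em[sep] = 0x00;
    memcpy(em + sep + 1, msg, msg_len);
}

/* Runs both unpadders over constructed blocks; 0 on success, else the
 * number of the first check that failed. */
int pkcs1_selfcheck(void)
{
    enum { K = 32, L = 16 };
    uint8_t msg[L], em[K], out[L], fill[L];
    size_t n = 0;
    memcpy(msg, "premaster-secret", L);     /* constructed 16-byte "message" */
    memset(fill, 0x5A, L);                  /* stand-in for the caller's random fill */

    /* 1. Well-formed block, expected length matches: both recover the message. */
    build_em(em, K, msg, L, 0xA5);
    memcpy(out, fill, L);
    if (pkcs1_sec_unpad(em, K, out, L) != 1 || memcmp(out, msg, L) != 0) return 1;
    if (pkcs1_unpad_leaky(em, K, out, &n) != 1 || n != L) return 2;

    /* 2. Attacker-shaped block whose padding claims a 12-byte message: the
     *    a-priori-length version rejects it and leaves the fill alone, the
     *    leaky version accepts it and reports a different length. */
    build_em(em, K, msg, 12, 0xA5);
    memcpy(out, fill, L);
    if (pkcs1_sec_unpad(em, K, out, L) != 0 || memcmp(out, fill, L) != 0) return 3;
    if (pkcs1_unpad_leaky(em, K, out, &n) != 1 || n != 12) return 4;

    /* 3. Wrong block type byte: both reject; the fill is still untouched. */
    build_em(em, K, msg, L, 0xA5);
    em[1] = 0x01;
    memcpy(out, fill, L);
    if (pkcs1_sec_unpad(em, K, out, L) != 0 || memcmp(out, fill, L) != 0) return 5;
    if (pkcs1_unpad_leaky(em, K, out, &n) != 0) return 6;
    return 0;
}

int main(void)
{
    int r = pkcs1_selfcheck();
    printf("pkcs1 self-check: %s (%d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

Check 2 is the point of the NEWS entry: with the leaky interface a chosen ciphertext that happens to decrypt to a well-formed block of the wrong length is accepted and the caller's subsequent handling of `n` becomes the oracle, whereas the fixed-length version treats it as an error and, because the caller never branches on the return value, an attacker observes the same behaviour as for a random garbage block.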
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/security/nettle/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/nettle/buildlink3.mk
cvs rdiff -u -r1.16 -r1.17 pkgsrc/security/nettle/distinfo

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files: Index: pkgsrc/security/nettle/Makefile diff -u pkgsrc/security/nettle/Makefile:1.19 pkgsrc/security/nettle/Makefile:1.20 --- pkgsrc/security/nettle/Makefile:1.19 Tue Nov 28 14:06:12 2017 +++ pkgsrc/security/nettle/Makefile Sun Dec 9 20:11:40 2018 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.19 2017/11/28 14:06:12 wiz Exp $ +# $NetBSD: Makefile,v 1.20 2018/12/09 20:11:40 leot Exp $ -DISTNAME= nettle-3.4 +DISTNAME= nettle-3.4.1 CATEGORIES= devel security MASTER_SITES= http://www.lysator.liu.se/~nisse/archive/ MASTER_SITES+= ftp://ftp.lysator.liu.se/pub/security/lsh/ @@ -28,6 +28,6 @@ TEST_TARGET= check PKGCONFIG_OVERRIDE= hogweed.pc.in PKGCONFIG_OVERRIDE+= nettle.pc.in -BUILDLINK_API_DEPENDS.gmp+= gmp>=5.0 +BUILDLINK_API_DEPENDS.gmp+= gmp>=6.0 .include "../../devel/gmp/buildlink3.mk" .include "../../mk/bsd.pkg.mk" Index: pkgsrc/security/nettle/buildlink3.mk diff -u pkgsrc/security/nettle/buildlink3.mk:1.6 pkgsrc/security/nettle/buildlink3.mk:1.7 --- pkgsrc/security/nettle/buildlink3.mk:1.6 Sun Jan 7 13:04:29 2018 +++ pkgsrc/security/nettle/buildlink3.mk Sun Dec 9 20:11:40 2018 @@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.6 2018/01/07 13:04:29 rillig Exp $ +# $NetBSD: buildlink3.mk,v 1.7 2018/12/09 20:11:40 leot Exp $ BUILDLINK_TREE+= nettle
@@ -6,9 +6,10 @@ BUILDLINK_TREE+= nettle NETTLE_BUILDLINK3_MK:= BUILDLINK_API_DEPENDS.nettle+= nettle>=2.4 -BUILDLINK_ABI_DEPENDS.nettle?= nettle>=3.1.1 +BUILDLINK_ABI_DEPENDS.nettle+= nettle>=3.1.1 BUILDLINK_PKGSRCDIR.nettle?= ../../security/nettle +BUILDLINK_API_DEPENDS.gmp+= gmp>=6.0 .include "../../devel/gmp/buildlink3.mk" .endif # NETTLE_BUILDLINK3_MK Index: pkgsrc/security/nettle/distinfo diff -u pkgsrc/security/nettle/distinfo:1.16 pkgsrc/security/nettle/distinfo:1.17 --- pkgsrc/security/nettle/distinfo:1.16 Tue Nov 28 14:06:12 2017 +++ pkgsrc/security/nettle/distinfo Sun Dec 9 20:11:40 2018 @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.16 2017/11/28 14:06:12 wiz Exp $ +$NetBSD: distinfo,v 1.17 2018/12/09 20:11:40 leot Exp $ -SHA1 (nettle-3.4.tar.gz) = f3c8495b7c43cba9cdd19503e7567095c680b490 -RMD160 (nettle-3.4.tar.gz) = 56c59906e4bec5c0859abdd96645d5d54a8f78c4 -SHA512 (nettle-3.4.tar.gz) = 3bea3aabd2c99cc42d084a94fd6b0b5dbdb24cd6c7020271a6ee87a81a904b21b21756f590cb1afdf2e85fd1cb59e5c3651c5c4032e30204e7ea6f8801d1ea3b -Size (nettle-3.4.tar.gz) = 1935069 bytes +SHA1 (nettle-3.4.1.tar.gz) = 56a81ed4a8d35489d8bddd99d5262fe3958a52b4 +RMD160 (nettle-3.4.1.tar.gz) = ecf0b73ffa9020037161fa10bc3d7e0e578e5b3e +SHA512 (nettle-3.4.1.tar.gz) = 26aefbbe9927e90e28f271e56d2ba876611831222d0e1e1a58bdb75bbd50934fcd84418a4fe47b845f557e60a9786a72a4de2676c930447b104f2256aca7a54f +Size (nettle-3.4.1.tar.gz) = 1947053 bytes SHA1 (patch-Makefile.in) = 96771c1fb195603d108717970eb32767d2c26799 SHA1 (patch-aa) = 2332668b077a6e3a1add603c87f60167755554ec SHA1 (patch-config.make.in) = 708fb3cac9c44825e0d231541cbecade2239c850 --_----------=_1544386300139430--
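Review bot: in the first Makefile hunk (-DISTNAME= nettle-3.4 / +DISTNAME= nettle-3.4.1) both MASTER_SITES entries fetch over plain http:// and ftp://, so the SHA512 recorded in distinfo is the only integrity check a pkgsrc user gets on the tarball. For a release whose whole point is side-channel hardening of RSA, the log message should say that the new checksums were taken from a tarball cross-checked against the upstream release announcement or signature, otherwise nothing in this commit distinguishes verified hashes from hashes of whatever the mirror happened to serve.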
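Review bot: the second Makefile hunk bumps BUILDLINK_API_DEPENDS.gmp+= gmp>=6.0, and the same line is added to buildlink3.mk in this commit, so the two copies will have to be kept in sync by hand; keeping only the buildlink3.mk one (which is what dependent packages see, and which the Makefile already includes via ../../devel/gmp/buildlink3.mk) avoids that. A one-line comment next to whichever copy stays would also help: per the NEWS quoted above, GMP-6.1.2's mpn_sec_* functions still leak the lowest and highest few bits of p and q, so gmp>=6.0 is the build floor required by nettle, not the version at which that leak is closed.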
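Review bot: the buildlink3.mk hunk changes BUILDLINK_ABI_DEPENDS.nettle from ?= to += (-BUILDLINK_ABI_DEPENDS.nettle?= nettle>=3.1.1 / +BUILDLINK_ABI_DEPENDS.nettle+= nettle>=3.1.1); that is unrelated to the 3.4.1 update and is not mentioned in the log message, so it deserves a sentence there. Leaving the floor at nettle>=3.1.1 is consistent with the NEWS (sonames libnettle.so.6 and libhogweed.so.4 unchanged, binary compatible with nettle-3.1), so no ABI bump is needed. The added +BUILDLINK_API_DEPENDS.gmp+= gmp>=6.0 now makes every package that includes this buildlink3.mk require gmp>=6.0 transitively; that is the right outcome given the upstream requirement, but it should be stated in the log message since it can force rebuilds of dependents.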
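Review bot: in the distinfo hunk the three SHA1 (patch-Makefile.in), SHA1 (patch-aa) and SHA1 (patch-config.make.in) lines are unchanged, which is fine only if those patches still apply to the 3.4.1 tree without fuzz; the log message does not say the patches were re-checked against the new tarball, so either note that they were or regenerate them. The distfile entries themselves (SHA1, RMD160, SHA512, Size) are consistently updated to nettle-3.4.1.tar.gz.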