Log message:
nettle: updated to 3.6

Nettle 3.6:

This release adds a couple of new features, most notable being
support for ED448 signatures.

It is not binary compatible with earlier releases. The shared
library names are libnettle.so.8.0 and libhogweed.so.6.0, with
sonames nibnettle.so.8 and libhogweed.so.6. The changed
sonames are mainly to avoid upgrade problems with recent
GnuTLS versions, that depend on Nettle internals outside of
the advertised ABI. But also because of the removal of
internal poly1305 functions which were undocumented but
declared in an installed header file, see Interface changes
below.

New features:

* Support for Curve448 and ED448 signatures. Contributed by
  Daiki Ueno.

* Support for SHAKE256 (SHA3 variant with arbitrary output
  size). Contributed by Daiki Ueno.

* Support for SIV-CMAC (Synthetic Initialization Vector) mode,
  contributed by Nikos Mavrogiannopoulos.

* Support for CMAC64, contributed by Dmitry Baryshkov.

* Support for the "CryptoPro" variant of the GOST hash
  function, as gosthash94cp. Contributed by Dmitry Baryshkov.

* Support for GOST DSA signatures, including GOST curves
  gc256b and gc512a. Contributed by Dmitry Baryshkov.

* Support for Intel CET in x86 and x86_64 assembly files, if
  enabled via CFLAGS (gcc --fcf-protection=full). Contributed
  by H.J. Lu and Simo Sorce.

* A few new functions to improve support for the Chacha
  variant with 96-bit nonce and 32-bit block counter (the
  existing functions use nonce and counter of 64-bit each),
  and functions to set the counter. Contributed by Daiki Ueno.

* New interface, struct nettle_mac, for MAC (message
  authentication code) algorithms. This abstraction is only
  for MACs that don't require a per-message nonce. For HMAC,
  the key size is fixed, and equal the digest size of the
  underlying hash function.

Bug fixes:

* Fix bug in cfb8_decrypt. Previously, the IV was not updated
  correctly in the case of input data shorter than the block
  size. Reported by Stephan Mueller, fixed by Daiki Ueno.

* Fix configure check for __builtin_bswap64, the incorrect
  check would result in link errors on platforms missing this
  function. Patch contributed by George Koehler.

* All use of old-fashioned suffix rules in the Makefiles have
  been replaced with %-pattern rules. Nettle's use of suffix
  rules in earlier versions depended on undocumented GNU make
  behavior, which is being deprecated in GNU make 4.3.

  Building with other make programs than GNU make is untested
  and unsupported. (Building with BSD make or Solaris make
  used to work years ago, but has not been tested recently).

Interface changes:

* Declarations of internal poly1305.h functions have been
  removed from the header file poly1305.h, to make it clear
  that they are not part of the advertised API or ABI.

Miscellaneous:

* Building the public key support of nettle now requires GMP
  version 6.1.0 or later (unless --enable-mini-gmp is used).

* A fair amount of changes to ECC internals, with a few
  deleted and a few new fields in the internal struct
  ecc_curve. Files and functions have been renamed to more
  consistently match the curve name, e.g., ecc-256.c has been
  renamed to ecc-secp256r1.c.

* Documentation for chacha-poly1305 updated. It is no longer
  experimental. The implementation was updated to follow RFC
  8439 in Nettle-3.1, but that was not documented or announced
  at the time.

Log message:
all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.

Log message:
nettle: bump ABI depends because of shlib major bump

Log message:
nettle: update to 3.5.1.

NEWS for the Nettle 3.5.1 release

	The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5.
	The new directory x86_64/sha_ni were missing in the tar file,
	breaking x86_64 builds with --enable-fat, and producing worse
	performance than promised for builds with --enable-x86-sha-ni.
	Also a few unused in-progress assembly files were accidentally
	included in the tar file.

	These problems are corrected in Nettle-3.5.1. There are no
	other changes, and also the library version numbers are
	unchanged.

NEWS for the Nettle 3.5 release

	This release adds a couple of new features and optimizations,
	and deletes or deprecates a few obsolete features. It is *not*
	binary (ABI) compatible with earlier versions. Except for
	deprecations listed below, it is intended to be fully
	source-level (API) compatible with Nettle-3.4.1.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0, with sonames libnettle.so.7 and
	libhogweed.so.5.

	Changes in behavior:

	* Nettle's gcm_crypt will now call the underlying block cipher
	  to process more than one block at a time. This is not a
	  change to the documented behavior, but unfortunately breaks
	  assumptions accidentally made in GnuTLS, up to and including
	  version 3.6.1.

	New features:

	* Support for CFB8 (Cipher Feedback Mode, processing a single
	  octet per block cipher operation), contributed by Dmitry
	  Eremin-Solenikov.

	* Support for CMAC (RFC 4493), contributed by Nikos
	  Mavrogiannopoulos.

	* Support for XTS mode, contributed by Simo Sorce.

	Optimizations:

	* Improved performance of the x86_64 AES implementation using
	  the aesni instructions. Gives a large speedup for operations
	  processing multiple blocks at a time (including CTR mode,
	  GCM mode, and CBC decrypt, but *not* CBC encrypt).

	* Improved performance for CTR mode, for the common case of
	  16-byte block size. Pass more data at a time to underlying
	  block cipher, and fill the counter blocks more efficiently.
	  Extension to also handle GCM mode efficiently contributed
	  by Nikos Mavrogiannopoulos.

	* New x86_64 implementation of sha1 and sha256, for processors
	  supporting the sha_ni instructions. Speedup of 3-5 times on
	  affected processors.

	* Improved parameters for the precomputation of tables used
	  for ecc signatures. Roughly 10%-15% speedup of the ecdsa
	  sign operation using the secp_256r1, secp_384r1 and
	  secp_521r1 curves, and 25% speedup of ed25519 sign
	  operation, benchmarked on x86_64. Table sizes unchanged,
	  around 16 KB per curve.

	* In ARM fat builds, automatically select Neon implementation
	  of Chacha, where possible. Contributed by Yuriy M.
	  Kaminskiy.

	Deleted features:

	* The header file des-compat.h and everything declared therein
	  has been deleted, as announced earlier. This file provided a
	  subset of the old libdes/ssleay/openssl interface for DES
	  and triple-DES. DES is still supported, via the functions
	  declared in des.h.

	* Functions using the old struct aes_ctx have been marked as
	  deprecated. Use the fixed key size interface instead, e.g.,
	  struct aes256_ctx, introduced in Nettle-3.0.

	* The header file nettle-stdint.h, and corresponding autoconf
	  tests, have been deleted. Nettle now requires that the
	  compiler/libc provides <stdint.h>.

	Miscellaneous:

	* Support for big-endian ARM systems, contributed by Michael
	  Weiser.

	* The programs aesdata, desdata, twofishdata, shadata and
	  gcmdata are no longer built by default. Makefile
	  improvements contributed by Jay Foad.

	* The "example" program examples/eratosthenes.c has been
	  deleted.

	* The contents of hash context structs, and the deprecated
	  aes_ctx struct, have been reorganized, to enable later
	  optimizations.

	The shared library names are libnettle.so.7.0 and
	libhogweed.so.5.0.

Log message:
nettle: use c99

Add c99 to USE_LANGUAGES as nettle 3.4.1 uses c99 for loop syntax, and
won't build on NetBSD 7.1 without it.

Log message:
nettle: Update security/nettle to 3.4.1

Changes:
3.4.1
-----
This release fixes a few bugs, and makes the RSA private key
operations side channel silent. The RSA improvements are
contributed by Simo Sorce and Red Hat, and include one new
public function, rsa_sec_decrypt, see below.

All functions using RSA private keys are now side-channel
silent, meaning that they try hard to avoid any branches or
memory accesses depending on secret data. This applies both to
the bignum calculations, which now use GMP's mpn_sec_* family
of functions, and the processing of PKCS#1 padding needed for
RSA decryption.

Nettle's ECC functions were already side-channel silent, while
the DSA functions still aren't. There's also one caveat
regarding the improved RSA functions: due to small table
lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
lowest and highest few bits of the secret factors p and q may
still leak. I'm not aware of any attacks on RSA where knowing
a few bits of the factors makes a significant difference. This
leak will likely be plugged in later GMP versions.

Changes in behavior:

* The functions rsa_decrypt and rsa_decrypt_tr may now clobber
  all of the provided message buffer, independent of the
  actual message length. They are side-channel silent, in that
  branches and memory accesses don't depend on the validity or
  length of the message. Side-channel leakage from the
  caller's use of length and return value may still provide an
  oracle useable for a Bleichenbacher-style chosen ciphertext
  attack. Which is why the new function rsa_sec_decrypt is
  recommended.

New features:

* A new function rsa_sec_decrypt. It differs from
  rsa_decrypt_tr in that the length of the decrypted message
  is given a priori, and PKCS#1 padding indicating a different
  length is treated as an error. For applications that may be
  subject to chosen ciphertext attacks, it is recommended to
  initialize the message area with random data, call this
  function, and ignore the return value. This applies in
  particular to RSA-based key exchange in the TLS protocol.

Bug fixes:

* Fix bug in pkcs1-conv, missing break statements in the
  parsing of PEM input files.

* Fix link error on the pss-mgf1-test test, affecting builds
  without public key support.

Performance regression:

* All RSA private key operations employing RSA blinding, i.e.,
  rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and
  rsa_compute_root_tr, are significantly slower. This is
  because (i) RSA blinding now use side-channel silent
  operations, (ii) blinding includes a modular inversion, and
  (iii) side-channel silent modular inversion, implemented as
  mpn_sec_invert, is very expensive. A 60% slowdown for
  2048-bit RSA keys have been measured.

Miscellaneous:

* Building the public key support of nettle now requires GMP
  version 6.0 or later (unless --enable-mini-gmp is used).

The shared library names are libnettle.so.6.5 and
libhogweed.so.4.5, with sonames still libnettle.so.6 and
libhogweed.so.4. It is intended to be fully binary compatible
with nettle-3.1.

Log message:
Fix indentation in buildlink3.mk files.

The actual fix as been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.

There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.

Log message:
nettle: update to 3.4.

NEWS for the Nettle 3.4 release

	This release fixes bugs and adds a few new features. It also
	addresses an ABI compatibility issue affecting Nettle-3.1 and
	later, see below.

	Bug fixes:

	* Fixed an improper use of GMP mpn_mul, breaking curve2559 and
	  eddsa on certain platforms. Reported by Sergei Trofimovich.

	* Fixed memory leak when handling invalid signatures in
	  ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos.

	* Fix compilation error with --enable-fat om ARM. Fix
	  contributed by Andreas Schneider.

	* Reorganized the way certain data items are made available.

	  Short version: Nettle header files now define the symbols
	  nettle_hashes, nettle_ciphers, and nettle_aeads, as
	  preprocessor macros invoking a corresponding accessor
	  function. For backwards ABI compatibility, the symbols are
	  still present in the compiled libraries, and with the same
	  sizes as in nettle-3.3.

	New features:

	* Support for RSA-PSS signatures, contributed by Daiki Ueno.

	* Support for the HKDF key derivation function, defined by RFC
	  5869. Contributed by Nikos Mavrogiannopoulos.

	* Support for the Cipher Feedback Mode (CFB), contributed by
	  Dmitry Eremin-Solenikov.

	* New accessor functions: nettle_get_hashes,
	  nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1,
	  nettle_get_secp_224r1, nettle_get_secp_256r1,
	  nettle_get_secp_384r1, nettle_get_secp_521r1.

	  For source-level compatibility with future versions,
	  applications are encouraged to migrate to using these
	  functions instead of referring to the corresponding data
	  items directly.

	Miscellaneous:

	* The base16 and base64 functions now use the type char * for
	  ascii data, rather than uint8_t *. This eliminates the last
	  pointer-signedness warnings when building Nettle. This is a
	  minor API change, and applications may need to be adjusted,
	  but the ABI is unaffected on all platforms I'm aware of.

	* The contents of the header file nettle/version.h is now
	  architecture independent, except in --enable-mini-gmp
	  configurations.

	ABI issue:

	  Since the breakage was a bit subtle, let me document it
	  here. The nettle and hogweed libraries export a couple of
	  data symbols, and for some of these, the size was never
	  intended to be part of the ABI. E.g.,

	    extern const struct nettle_hash * const nettle_hashes[];

	  which is an NULL-terminated array.

	  It turns out the sizes nevertheless may leak into the ABI, and
	  that increasing the sizes can break old executables linked
	  with a newer version of the library.

	  When linking a classic non-PIE executable with a shared
	  library, we get ELF relocations of type R_X86_64_COPY for
	  references to data items. These mean that the linker allocates
	  space for the data item in the data segment of executable, at
	  a fixed address determined at link-time, and with size
	  extracted from the version of the .so-file seen when linking.

	  At load time, the run time linker then copies the contents of
	  the symbol from the .so file to that location, and uses the
	  copy instead of the version loaded with the .so-file. And if
	  the data item in the .so file used at load time is larger than
	  the data item seen at link time, it is silently truncated in
	  the process.

	  So when SHA3 hashes were was added to the nettle_hashes array
	  in the nettle-3.3 release, this way of linking produces a
	  truncated array at load time, no longer NULL-terminated.

	  We will get similar problems for planned extensions of the
	  internal struct ecc_curve, and exported data items like

	    extern const struct ecc_curve nettle_secp_256r1;

	  where the ecc_curve struct is only forward declared in the
	  public headers. To prepare, applications should migrate to
	  using the new function nettle_get_secp_256r1, and similarly
	  for the other curves.

	  In some future version, the plan is to add a leading
	  underscore to the name of the actual data items. E.g.,
	  nettle_hashes --> _nettle_hashes, breaking the ABI, while
	  keeping the nettle_get_hashes function and the nettle_hashes
	  macro as the supported ways to access it. We will also
	  rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking
	  both ABI and API.

	  Note that data items like nettle_sha256 are *not* affected,
	  since the size and layout of this struct is considered part
	  of the ABI, and R_X86_64_COPY-relocations then work fine.

Log message:
Convert all occurrences (353 by my count) of

	MASTER_SITES= 	site1 \
			site2

style continuation lines to be simple repeated

	MASTER_SITES+= site1
	MASTER_SITES+= site2

lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.

Log message:
Updated nettle to 3.3.

NEWS for the Nettle 3.3 release

	This release fixes a couple of bugs, and improves resistance
	to side-channel attacks on RSA and DSA private key operations.

	Changes in behavoir:

	* Invalid private RSA keys, with an even modulo, are now
	  rejected by rsa_private_key_prepare. (Earlier versions
	  allowed such keys, even if results of using them were bogus).

	  Nettle applications are required to call
	  rsa_private_key_prepare and check the return value, before
	  using any other RSA private key functions; failing to do so
	  may result in crashes for invalid private keys. As a
	  workaround for versions of Gnutls which don't use
	  rsa_private_key_prepare, additional checks for even moduli
	  are added to the rsa_*_tr functions which are used by all
	  recent versions of Gnutls.

	* Ignore bit 255 of the x coordinate of the input point to
	  curve25519_mul, as required by RFC 7748. To differentiate at
	  compile time, curve25519.h defines the constant
	  NETTLE_CURVE25519_RFC7748.

	Security:

	* RSA and DSA now use side-channel silent modular
	  exponentiation, to defend against attacks on the private key
	  from evil processes sharing the same processor cache. This
	  attack scenario is of particular relevance when running an
	  HTTPS server on a virtual machine, where you don't know who
	  you share the cache hardware with.

	  (Private key operations on elliptic curves were already
	  side-channel silent).

	Bug fixes:

	* Fix sexp-conv crashes on invalid input. Reported by Hanno
	  Böck.

	* Fix out-of-bounds read in des_weak_p. Fixed by Nikos
	  Mavrogiannopoulos.

	* Fix a couple of formally undefined shift operations,
	  reported by Nikos Mavrogiannopoulos.

	* Fix compilation with c89. Reported by Henrik Grubbström.

	New features:

	* New function memeql_sec, for side-channel silent comparison
	  of two memory areas.

	Miscellaneous:

	* Building the public key support of nettle now requires GMP
	  version 5.0 or later (unless --enable-mini-gmp is used).

	* Filenames of windows DLL libraries now include major number
	  only. So the dll names change at the same time as the
	  corresponding soname on ELF platforms. Fixed by Nikos
	  Mavrogiannopoulos.

	* Eliminate most pointer-signedness warnings. In the process,
	  the strings representing expression type for sexp_interator
	  functions were changed from const uint8_t * to const char *.
	  These functions are undocumented, and it doesn't change the
	  ABI on any platform I'm aware of.

	The shared library names are libnettle.so.6.3 and
	libhogweed.so.4.3, with sonames still libnettle.so.6 and
	libhogweed.so.4. It is intended to be fully binary compatible
	with nettle-3.1.