2021-05-22  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.3.
	(LIBNETTLE_MINOR): Bump minor number, to 8.4.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.4.

2021-05-17  Niels Möller  <nisse@lysator.liu.se>

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is
	in range.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.
	* rsa-decrypt.c (rsa_decrypt): Likewise.
	* testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n.

2021-05-14  Niels Möller  <nisse@lysator.liu.se>

	* rsa-sign-tr.c (rsa_sec_blind): Delete mn argument.
	(_rsa_sec_compute_root_tr): Delete mn argument, instead require
	that input size matches key size. Rearrange use of temporary
	storage, to support in-place operation, x == m. Update all
	callers.

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of
	input, for calling _rsa_sec_compute_root_tr.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.

	* testsuite/rsa-encrypt-test.c (test_main): Test calling all of
	rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input.

2021-05-06  Niels Möller  <nisse@lysator.liu.se>

	* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
	length is valid, for given key size.
	* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
	calls to rsa_sec_decrypt specifying a too large message length.

2021-03-21  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: NEWS entries for 3.7.2.

2021-03-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.2.
	(LIBNETTLE_MINOR): Bump minor number, to 8.3.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.3.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
	compute the scalar used for ecc multiplication.

	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	reduced. Two of the three call sites need that.

	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
	canonical range.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.
	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
	triggers an assert on 64-bit platforms, without above fix.
	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
	the same signature.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

2021-03-11  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	New functions.
	* ecc-internal.h: Declare and document new functions.
	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-mul-m.c (ecc_mul_m): Likewise.

2021-02-17  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.1.

2021-02-15  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted
	glue to openssl arcfour.
	(openssl_arcfour128_set_encrypt_key)
	(openssl_arcfour128_set_decrypt_key): Deleted.
	* nettle-internal.h: Deleted declaration.
	* examples/nettle-benchmark.c (aeads): Delete benchmarking.

2021-02-13  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.1.
	(LIBNETTLE_MINOR): Bump minor number, to 8.2.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.2.

2021-02-10  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
	that counter increment should be 3 (129 <= message length <= 192).
	(_nettle_chacha_crypt32_4core): Likewise.

	* testsuite/chacha-test.c (test_chacha_rounds): New function, for
	tests with non-standard round count. Extracted from _test_chacha.
	(_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
	handling. When testing message prefixes of varying length, also
	encrypt the remainder of the message, to catch errors in counter
	value update.
	(test_main): Add a few tests with large messages (16 blocks, 1024
	octets), to improve test coverage for _nettle_chacha_crypt_4core
	and _nettle_chacha_crypt32_4core.

2021-01-25  Niels Möller  <nisse@lysator.liu.se>

	* arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon
	implementation reportedly gave a speedup of 45% on Cortex A9,
	compared to the C implementation, when it was added back in 2013.
	That appears to no longer be the case with more recent processors
	and compilers. And it's even significantly slower than the C
	implementation on some platforms, including the Raspberry Pi 4.
	With the introduction of salsa20-2core.asm, performance of this
	function is also less important.
	* arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons.
	* arm/fat/salsa20-core-internal-2.asm: Deleted file.
	* arm/fat/chacha-core-internal-2.asm: Deleted file.
	* fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup.

2021-01-31  Niels Möller  <nisse@lysator.liu.se>

	New variants, contributed by Nicolas Mora.
	* pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function.
	* pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function.
	* testsuite/pbkdf2-test.c (test_main): Corresponding tests.

2021-01-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with
	all-zero hash. Reported by Guido Vranken.
	* testsuite/ecdsa-verify-test.c: Add corresponding test case.

2021-01-10  Niels Möller  <nisse@lysator.liu.se>

	* fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor
	conditional as defined(__GLIBC_PREREQ), but move to a nested #if
	conditional. Fixes compile error on OpenBSD/powerpc64, reported by
	Jasper Lievisse Adriaanse.

2021-01-04  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.

2020-12-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Enable fat build by default.

2020-12-26  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: News entries for Nettle-3.7.

	* Makefile.in (distdir): Distribute the README files in assembly
	directories.

	* configure.ac: Bump package version, to 3.7.
	(LIBNETTLE_MINOR): Bump minor number, to 8.1.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.1.

2020-12-21  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* fat-ppc.c: Check glibc version, and use getauxval only when available.

2020-12-12  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: More interleaving of independent
	instructions, gives slight speedup on Power9.

2020-12-01  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: Use protected zone below stack
	pointer to save registers, without modifying the stack pointer.
	(QR): Instruction level interleaving in the main loop, written by
	Torbjörn Granlund.

2020-11-30  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4 (m4_unquote): New macro, copied from GMP's
	mpn/asm-defs.m4.

	* chacha-crypt.c: (_nettle_chacha_crypt_4core)
	(_nettle_chacha_crypt32_4core): New functions.
	(_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core):
	Deleted, no longer needed.
	* chacha-internal.h: Add prototypes for _nettle_chacha_4core and
	related functions.
	* configure.ac (asm_nettle_optional_list): Add chacha-4core.asm.
	* powerpc64/fat/chacha-4core.asm: New file.
	* powerpc64/p7/chacha-4core.asm: New file.
	* fat-ppc.c (fat_init): When altivec is available, use
	_nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core
	instead of _2core variants.

	* chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in
	handling of counter; this function should not propagate any carry.

	* aes-internal.h: Delete name mangling of internal symbols. Update
	all internal references to use _nettle prefix.
	* camellia-internal.h: Likewise.
	* chacha-internal.h: Likewise.
	* ctr-internal.h: Likewise.
	* dsa-internal.h: Likewise.
	* gost28147-internal.h: Likewise.
	* poly1305-internal.h: Likewise.
	* salsa20-internal.h: Likewise.
	* sha3-internal.h: Likewise.
	* umac-internal.h: Likewise.

2020-11-26  Niels Möller  <nisse@lysator.liu.se>

	Enable powerpc64 gcm code in fat builds. Based on patch
	contributed by Mamone Tarsha:
	* powerpc64/fat/gcm-hash.asm: New file.
	* configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and
	HAVE_NATIVE_fat_gcm_hash.
	* gcm.c (gcm_init_key): Renamed, to ...
	(_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals.
	(gcm_hash): Renamed, to...
	(_nettle_gcm_hash_c): ... new name. Add fat setup conditionals.
	* fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs.
	* fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash.
	* gcm-internal.h: New file.
	* Makefile.in (DISTFILES): Add gcm-internal.h.

	* powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone
	Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash.

2020-11-28  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Simplify counter carry handling
	using the vaddcuw instruction.

	Merge changes by Marco Bodrato and Torbjorn Granlund, from the
	gmp/mini-gmp copy of this file.
	* run-tests: Delete special handling of zero arguments. Update
	WINEPATH, instead of overwriting it.

2020-11-27  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4: Replace some calls to exit with return, since exit
	requires stdlib.h. Including patch contributed by Adrien Béraud.

	* testsuite/version-test.c: Include version.h. Patch contributed
	by Brian Smith.

2020-11-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for
	big-endian builds.

2020-11-24  Niels Möller  <nisse@lysator.liu.se>

	Enable ppc chacha_2core in fat builds.
	* configure.ac: Add HAVE_NATIVE_fat_chacha_2core.
	* chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core.
	* chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core):
	Add declarations.
	* fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and
	_nettle_chacha_crypt32_2core when altivec is available.
	* powerpc64/fat/chacha-2core.asm: New file, including p7 version.

2020-11-23  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: New file.

	* chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New
	variants of chacha_crypt, using _chacha_2core to do two blocks at
	a time.
	* chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations.
	* configure.ac (asm_nettle_optional_list): Add chacha-2core.asm.

2020-11-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all
	scratch needs, don't use memory after the result area.
	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call.
	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise.
	* curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and
	reduce scratch need from 9*size to 5*size.
	* ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH)
	(ECC_EH_TO_A_ITCH): Update accordingly, but no change in total
	scratch need.

2020-11-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert
	itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all
	secp and gost curve definitions to use it.

2020-10-21  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_384r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed.
	(ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv.

	* ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_256r1): Analogous updates. Increases signing
	performance roughly 6% on x86_64.

	* ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_224r1): Analogous updates. Increases signing
	performance roughly 17% on x86_64.

2020-10-19  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_521r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-15  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_192r1): Use it for p.invert, and also update
	h_to_a_itch. Increases signing performance roughly 25% on x86_64.

	* testsuite/ecc-modinv-test.c (test_modulo): Allow invert function
	to return a non-canonical representation.

2020-11-08  Niels Möller  <nisse@lysator.liu.se>

	Merge refactoring of ecc modulo and reduce functions.
	* eddsa-sign.c (_eddsa_sign_itch): Update, since now point
	multiplication needs less scratch than point compression.
	* eddsa-pubkey.c (_eddsa_public_key_itch): Likewise.

	* ecc-internal.h: Update *_ITCH macros for point multiplication
	and signatures. They need slightly less scratch after optimization
	of the point addition functions.

	* ecc-mul-m.c (ecc_mul_m): Reduce scratch need.
	(ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap
	per iteration.

	* ecc-add-jja.c (ecc_add_jja): Reduce scratch need.
	* ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need.
	* ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size.
	(ECC_MUL_M_ITCH): New 8*size.

2020-11-06  Niels Möller  <nisse@lysator.liu.se>

	After these changes, both curve25519 and curve448 need 4*size for
	invert and 6*size for sqrt.
	* ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need.
	(ecc_curve448_inv): Likewise.
	(ecc_curve448_sqrt): Likewise.
	* ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need.

	* ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy.

2020-11-05  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need.
	* ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size.

2020-11-03  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need.
	* ecc-dup-th.c (ecc_dup_th): Analogous changes.
	* ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size.

	* ecc-internal.h (ecc_add_func): Document in-place operation.
	* ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly.
	* testsuite/ecc-add-test.c (test_main): Likewise.

	* ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
	* ecc-add-th.c (ecc_add_th): Analogous changes.
	* ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need.
	* ecc-add-thh.c (ecc_add_thh): Analogous changes.
	* ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH)
	(ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size.

2020-11-02  Niels Möller  <nisse@lysator.liu.se>

	* ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.
	(ecc_curve25519_inv): Likewise.
	(ecc_curve25519_sqrt): Likewise.

2020-11-01  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument
	for scratch area, reducing required size of result area. Update
	all callers to naïvely keep using result in scratch area.
	(ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing
	required size of result area.

	* testsuite/testutils.c (test_ecc_point): Show curve bits on failure.

2020-10-31  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Updated all assembly
	implementations.

	* testsuite/ecc-mod-test.c (test_one): Extend tests, to also test
	with different destination area.
	* testsuite/ecc-redc-test.c (test_main): Likewise.

2020-10-30  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Add separate result
	argument. Updated all C implementations and callers.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod.c (ecc_mod): More unified handling of final carry
	folding. Also eliminates a goto statement.

2020-11-07  Niels Möller  <nisse@lysator.liu.se>

	Merged initial powerpc64 implementation of chacha.
	* configure.ac: New command line option --enable-power-altivec.
	Update asm_path logic, and add altivec to FAT_TEST_LIST.
	* fat-ppc.c (get_ppc_features): Add logic to check for altivec and
	vsx support, and select aither C or altivec implementation of
	chacha_core.
	* powerpc64/p7/chacha-core-internal.asm: New file.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-core-internal.asm: New file.
	* Makefile.in (distdir): Add powerpc64/p7.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids
	undefined behavior, since shifting an 8-bit value left by 24 bits
	overflows the range of signed int. Reported by Guido Vranken.

2020-10-28  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use
	corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n,
	mpn_cnd_swap, available from GMP version 6.1.0. Update all
	callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one
	more argument than the old functions.

	* gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap)
	[NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds.

2020-10-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved
	functions here.
	* ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more
	general ecc_mod_pow_2k_mul.
	* ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function.
	* ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted
	static functions.

2020-10-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function,
	not preserving input argument. Extracted from old ecc_mod_inv.
	(ecc_mod_inv): Call ecc_mod_inv_destructive.
	(ecc_mod_inv_redc): New inversion function, with input and output
	in redc form.

	* ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc.
	* ecc-secp256r1.c: Likewise.

	* ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking
	advantage of ecc->p.invert handling redc, when appropriate. Reduce
	scratch need from 5n to 4n in the process (assuming inversion
	needs 2n).

	* testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if
	appropriate.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* gcm.c (gcm_fill): Added separate implementations for big- and
	little-endian, to use uint64_t stores and less overhead.

2020-09-24  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register
	names. Can be tested by configuring with CC='gcc -Wa,-mregnames'.

2020-09-21  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4: New file with m4 utilities, copied from GMP's
	mpn/asm-defs.m4.
	* Makefile.in (DISTFILES): Add m4-utils.m4.
	(%.asm): Include m4-utils.m4 for preprocessing of .asm files, and
	include config.m4 before machine.m4.

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test,
	adapted from corresponding test in GMP's acinlude.m4.
	* configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted
	variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64
	assembly code is enabled.
	* config.m4.in: Substituted here.
	* powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and
	if needed, replace register names like r0, r1, ... with integers.

2020-09-15  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Add missing file blowfish-internal.h.

2020-09-14  Niels Möller  <nisse@lysator.liu.se>

	* asm.m4: Delete use of changequote, stick to the m4 default
	quoting characters `'. Updated all assembly and m4 files.
	* x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround.

2020-09-12  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT.

2020-08-29  Niels Möller  <nisse@lysator.liu.se>

	Initial powerpc64 assembly support, contributed by Mamone Tarsha:
	* configure.ac: New configure option --enable-power-crypto-ext.
	(asm_path): Setup this and related variables for powerpc64.
	* powerpc64/machine.m4: New file.
	* powerpc64/README: New file.
	* powerpc64/p8/aes-encrypt-internal.asm: New file.
	* powerpc64/p8/aes-decrypt-internal.asm: New file.
	* powerpc64/fat/aes-encrypt-internal-2.asm: New file.
	* powerpc64/fat/aes-decrypt-internal-2.asm: New file.
	* fat-ppc.c: New file.
	* Makefile.in (OPT_SOURCES): Add fat-ppc.c.
	(distdir): Add powerpc64 directories.
	* aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative
	name, for fat builds.
	* aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise.

2020-07-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (FAT_TEST_LIST): New substituted variable. Set for
	fat builds, otherwise empty.
	* Makefile.in (check-fat): New target, using $(FAT_TEST_LIST).

2020-07-13  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use
	_chacha_3core.

	* arm/neon/chacha-3core.asm: New file, 3-way interleaving of
	chacha.

2020-07-11  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/chacha-test.c (test_main): Delete obsolete tests for
	chacha with 128-bit keys. #if:ed out since 2014-03-04, see below.
	(test_chacha_core): New function, test chacha with simple input
	structure.

2020-07-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: New file.
	* x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is
	faster.

2020-07-08  Niels Möller  <nisse@lysator.liu.se>

	Rearrange salsa20, enabling ARM fat builds to use sala20_2core.
	* salsa20-crypt-internal.c (_salsa20_crypt_2core)
	(_salsa20_crypt_1core): New file, new functions. One or the other
	is used for implementing salsa20_crypt and salsa20r12_crypt,
	depending on availability of salsa20_2core.
	* salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt.
	* salsa20r12-crypt.c (salsa20r12_crypt): Likewise.
	* salsa20-internal.h: Declare new internal functions.
	* Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c.
	* fat-setup.h (salsa20_crypt_func): New typedef.
	* fat-arm.c (_salsa20_crypt): Select _salsa20_crypt
	implementation, use 2core version when Neon instructions are
	available.
	* arm/fat/salsa20-2core.asm: New file, including Neon
	implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core,
	* configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the
	case that salsa20_2core is defined, but runtime checks are needed
	to determine if it is usable.

2020-07-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/salsa20-test.c (test_salsa20_core): New function, test
	salsa20 with simple input structure.

	* configure.ac: Obey --enable-arm-neon=yes, even if not explicitly
	targetting ARM v6 or later.

2020-07-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/bcrypt-test.c: New file. Moved bcrypt tests here.

	Support for bcrypt, contributed by Stephen R. van den Berg.
	* blowfish-bcrypt.c (blowfish_bcrypt_hash)
	(blowfish_bcrypt_verify): New file, new functions.
	* blowfish-internal.h: New header file, declaring internals needed
	for bcrypt.
	* testsuite/blowfish-test.c: Add bcrypt tests.
	* nettle.texinfo (Cipher functions): Document bcrypt.

2020-06-30  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Miscellaneous hash functions): New section, with
	Streebog documentation, contributed by Dmitry Baryshkov.
	(Top): Added some missing entries to the detailed node listing

2020-06-29  Niels Möller  <nisse@lysator.liu.se>

	* .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch
	by Maamoun TK.

2020-06-25  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/chacha-core-internal.asm (QROUND): Fix use of macro
	arguments. Spotted by Torbjörn Granlund.

2020-06-02  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Delete call to
	time_overhead. The attempt to measure function call overhead is
	not very useful or accurate. The benchmarking loop is optimized
	away by gcc-10, making the benchmark program hang.
	(bench_nothing, time_overhead): Deleted.

2020-04-29  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.6.

2020-04-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Tweak gcc command line options. Delete checks for
	older gcc versions. Add -Wno-sign-compare, since warnings for
	signed/unsigned comparisons adds a lot of noise, in particular
	when building mini-gmp.

	* mini-gmp.c: Updated mini-gmp from the gmp repository, latest
	change from 2020-04-20.
	* mini-gmp.h: Likewise.

2020-04-25  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify)
	(mpz_limbs_finish, mpz_roinit_n): Delete compatibility
	definitions. These functions available in GMP since version 6.0.0.
	* gmp-glue.h: Delete corresponding declarations, and preprocessor
	conditions.

	* configure.ac: Update required version of GMP to 6.1.0, needed
	for mpn_zero_p.
	* ecc-ecdsa-verify.c (zero_p): Deleted static function, usage
	replaced with mpn_zero_p.
	* testsuite/testutils.c (mpn_zero_p): Delete conditional
	definition.
	* testsuite/testutils.h: Delete corresponding declarations.

	* Makefile.in (DISTFILES): Add poly1305-internal.h.
	* testsuite/Makefile.in (DISTFILES): Delete setup-env.

2020-04-23  Niels Möller  <nisse@lysator.liu.se>

	* run-tests: Set WINEPATH, since it appears wine doesn't search
	for dlls in the unix PATH.
	* examples/setup-env: Delete creation of extra dll symlinks.
	* examples/teardown-env: Delete corresponding cleanup.
	* testsuite/setup-env: Deleted file (same symlink creation).
	* testsuite/teardown-env: Delete corresponding cleanup.

	* testsuite/ecc-add-test.c (test_main): Delete ASSERTs with
	functions pointer comparisons. They provide little value, and fail
	when linking with hogweed.dll on windows.
	* testsuite/ecc-dup-test.c (test_main): Likewise.

2020-04-22  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in: Use pattern rules for test executables,
	replacing...
	(test-rules): ...deleted rule.
	* testsuite/.test-rules.make: Deleted file.

2020-04-21  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gostdsa-vko.c (gostdsa_vko): New file and function.
	* testsuite/gostdsa-vko-test.c (test_vko): New test.
	* nettle.texinfo (GOSTDSA): Document it.

2020-04-19  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable
	use of MD_UPDATE macro, in particular, replacing byte count with
	block count and index. Also move buffer last, for consistency with
	other hash functions.
	* gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro.
	(gosthash94_write_digest): Update for block count rather than byte
	count.

2020-04-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBNETTLE_MAJOR): Increase libnettle version
	number to 8.0, for move of internal poly1305 functions.
	(LIBNETTLE_MINOR): Reset to zero.

2020-04-15  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block):
	Removed declarations from this public header file.
	* poly1305-internal.h: New file, with declarations of internal
	poly1305 functions.
	(_poly1305_set_key, _poly1305_digest): Renamed, with leading
	underscore. Updated definitions and all uses.

2020-04-12  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Reorder to ensure that generated des
	headers can't be older than desdata.stamp.

	* testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc
	-std=c89.

2020-04-06  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version
	number to 6.0, at request of Gnutls team.
	(LIBHOGWEED_MINOR): Reset to zero.

2020-04-01  Niels Möller  <nisse@lysator.liu.se>

	* config.guess: Update to 2020-01-01 version, from savannah's
	config.git.
	* config.sub: Likewise.

2020-03-31  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP)
	(LSH_MAKE_CONDITIONAL): Delete unused macros.

	* config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables.

	* run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and
	related member variables.

	* testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR
	to the run-tests script, and leave setting of LD_LIBRARY_PATH and
	related variables to that script.
	* examples/Makefile.in (check): Likewise.

2020-03-26  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version to 3.6.
	(LIBNETTLE_MINOR): Bump minor number, now 7.1.
	(LIBHOGWEED_MINOR): Bump minor numbers, now 5.1

2020-03-14  Niels Möller  <nisse@lysator.liu.se>

	From H.J. Lu:
	* configure.ac (ASM_X86_ENDBR)
	(ASM_X86_MARK_CETASM_X86_MARK_CET_ALIGN): New substituted
	variables.
	* config.m4.in: Substituted here. Add ASM_X86_MARK_CET to
	diversion inserted at end of assembly files.
	* asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point.

2020-03-09  Niels Möller  <nisse@lysator.liu.se>

	From Daiki Ueno:
	* chacha-crypt.c (chacha_crypt32): New function.
	* chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32):
	New functions.
	* chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants.
	* chacha-poly1305.c (chacha_poly1305_encrypt)
	(chacha_poly1305_decrypt): Use chacha_crypt32.
	* testsuite/chacha-test.c: Update tests to use new functions.
	* nettle.texinfo: Document new chacha functions, and update
	out-of-date chacha-poly1305 documentation.

2020-03-08  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* cmac-des3-meta.c (nettle_cmac_des): New file, moving definition
	from...
	* testsuite/cmac-test.c: ... old location.
	* nettle-meta.h (nettle_cmac_des): Declare it.

2020-02-15  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr)
	(ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add)
	(ecc_modp_sub): Deleted macros. Updated callers to use respective
	functions instead.
	(ecc_modp_addmul_1): Delete unused macro.

2020-02-09  Niels Möller  <nisse@lysator.liu.se>

	Addition of struct nettle_mac based on patches by Daiki Ueno.
	* nettle-meta-macs.c (nettle_get_macs): New file, new function.
	* testsuite/meta-mac-test.c: New test.

	* nettle-meta.h (_NETTLE_HMAC): New macro.
	(nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1)
	(nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384)
	(nettle_hmac_sha512): Declare.
	(struct nettle_mac): New public struct,
	* testsuite/testutils.h: ...moved from this file.

	* hmac-md5-meta.c: New file.
	* hmac-ripemd160-meta.c: Likewise.
	* hmac-sha1-meta.c: Likewise.
	* hmac-sha224-meta.c: Likewise.
	* hmac-sha256-meta.c: Likewise.
	* hmac-sha384-meta.c: Likewise.
	* hmac-sha512-meta.c: Likewise.

	* Makefile.in (nettle_SOURCES): Add new files.

	* testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of
	this macro.
	* testsuite/testutils.c (test_mac): Allow testing with smaller
	digest size.
	* testsuite/hmac-test.c (test_main): Use test_mac for tests using
	key size == digest size.

	* testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
	Moved to...
	* cmac-aes128-meta.c: New file.
	* cmac-aes256-meta.c: New file.

	* nettle-meta.h (struct nettle_mac): New public struct,
	* testsuite/testutils.h: ...moved from this file.

2020-02-06  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gost28147.h: Deleted, move declarations to gost28147-internal.h.

2020-02-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: On Solaris, link shared libraries with --shared
	rather than -G. For gcc, --shared is the proper way. For Solaris'
	proprietary cc, according to docs, it accepts --shared as an alias
	for -G since Oracle Solaris Studio 12.4, and it was made more gcc
	compatible in later versions. Since 12.4 was released in 2014,
	don't attempt to cater for older versions.

2020-01-26  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (struct ecc_curve): Delete g, the curve
	generator, since it was used only by tests. Update all curve
	instances.

	* eccdata.c (output_curve): Delete output of ecc_g.
	(output_point): Delete name argument, and update callers.

	* testsuite/testutils.c (ecc_ref): Table of reference points moved
	out of test_ecc_mul_a. Add generator to the list of points.
	(test_ecc_mul_a): Use ecc_ref table also for the n == 1 case.
	(test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions,
	using the tabulated generator.

	* testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of
	accessing ecc->g.
	* testsuite/ecc-dup-test.c: Likewise.
	* testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga.
	Delete special case for n == 1.
	* testsuite/ecc-mul-g-test.c: Use test_ecc_ga.

	Support for GOST DSA, contributed by Dmitry Baryshkov.
	* gostdsa-verify.c (gostdsa_verify): New file and function.
	* gostdsa-sign.c (gostdsa_sign): New file and function.
	* ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch)
	(ecc_gostdsa_verify): New file and functions.
	* ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
	New file and functions.
	* ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro.
	* ecc-hash.c (gost_hash): New function.
	* testsuite/gostdsa-verify-test.c: New test.
	* testsuite/gostdsa-sign-test.c: New test.
	* testsuite/gostdsa-keygen-test.c: New test.
	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests.

	Support for GOST gc256b and gc512a curves, contributed by Dmitry
	Baryshkov.
	* eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and
	gost_gc512a.
	* ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b.
	* ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a.
	* Makefile.in: Add rules to generate ecc-gost-gc256b.h and
	ecc-gost-gc512a.h.
	(hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c.
	* examples/ecc-benchmark.c (curves): Add to list.
	* testsuite/testutils.c (ecc_curves): Add to list.
	(test_ecc_mul_a): Reference points for new curves.

	* NEWS: Started on entries for Nettle-3.6.

2020-01-25  Niels Möller  <nisse@lysator.liu.se>

	* examples/hogweed-benchmark.c (bench_curve_init): Pass correct
	sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov.

2020-01-15  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in: Replace suffix rules by pattern rules. Move .asm
	rule above .c rule, since now the order of rules in the Makefile
	matters, rather than the order in the .SUFFIXES list.
	(aesdata, desdata, twofishdata, shadata, gcmdata, eccparams):
	Individual rules replaced by a pattern rule.
	(eccdata): Add explicit dependencies, to complement the pattern
	rule.
	* examples/Makefile.in: Replace suffix rules by pattern rules.
	* testsuite/Makefile.in: Likewise.
	* tools/Makefile.in: Likewise.

	* config.make.in: Empty .SUFFIXES, to not accidentally use any
	suffix rules.

	* aclocal.m4 (DEP_INCLUDE): Delete substituted variable.

	* Makefile.in: Use the GNU make directive -include to include
	dependency .d files. Delete dependency files on make clean.
	* examples/Makefile.in: Likewise.
	* testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly.
	* tools/Makefile.in: Likewise.

	* configure.ac (dummy-dep-files): Delete these config commands.

2020-01-10  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Eremin-Solenikov: Consistently rename ecc files and
	internal functions to include curve name rather than just number
	of bits. E.g.,
	* ecc-256.c (nettle_ecc_256_redc): File and function renamed to...
	* ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names.
	* eccdata.c (ecc_curve_init, main): Take curve name as input, not
	bit size.

2020-01-03  Niels Möller  <nisse@lysator.liu.se>

	Add benchmarking of ed25519, ed448 and curve448.
	* examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct.
	(bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify)
	(bench_eddsa_clear): New functions.
	(struct curve_ctx): New struct, generalizing struct curve25519_ctx.
	(bench_curve_init, bench_curve_mul_g, bench_curve_mul)
	(bench_curve_clear): New functions.
	(struct curve25519_ctx, bench_curve25519_mul_g)
	(bench_curve25519_mul, bench_curve25519): Deleted.
	(alg_list): Add eddsa and curve entries.
	(main): Delete call to bench_curve25519.

2020-01-02  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
	(struct ecc_eddsa): Use function pointer to represent eddsa dom
	string. To avoid calling sha512_update with empty input for
	ed25519.
	* ed448-shake256.c (ed448_dom): New function, calling
	sha3_256_update with the magic dom prefix.
	(_nettle_ed448_shake256): Point to it.
	* ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.

	* eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
	* eddsa-verify.c (_eddsa_verify): Likewise.

	* eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
	needed for ed448.
	* ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
	* ed448-shake256.c (_nettle_ed448_shake256): New file and
	parameter struct.

	* eddsa-hash.c (_eddsa_hash): Add digest_size as input argument.
	Handle ed448 digests with two extra bytes. Update callers.
	* eddsa-verify.c (_eddsa_verify): Hash dom string.
	* eddsa-sign.c (_eddsa_sign_itch): Assert that
	_eddsa_compress_itch isn't too large.
	(_eddsa_sign): New argument k1, with the hash prefix. Add hashing
	of this prefix and the dom string. Update callers. Fix final
