
Member "nettle-3.7.3/ChangeLog" (6 Jun 2021, 451245 Bytes) of package /linux/privat/nettle-3.7.3.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "ChangeLog": 3.7.2_vs_3.7.3.

2021-05-22  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.3.
	(LIBNETTLE_MINOR): Bump minor number, to 8.4.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.4.

2021-05-17  Niels Möller  <nisse@lysator.liu.se>

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is
	in range.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.
	* rsa-decrypt.c (rsa_decrypt): Likewise.
	* testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n.

2021-05-14  Niels Möller  <nisse@lysator.liu.se>

	* rsa-sign-tr.c (rsa_sec_blind): Delete mn argument.
	(_rsa_sec_compute_root_tr): Delete mn argument, instead require
	that input size matches key size. Rearrange use of temporary
	storage, to support in-place operation, x == m. Update all
	callers.

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of
	input, for calling _rsa_sec_compute_root_tr.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.

	* testsuite/rsa-encrypt-test.c (test_main): Test calling all of
	rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input.

2021-05-06  Niels Möller  <nisse@lysator.liu.se>

	* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
	length is valid, for given key size.
	* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
	calls to rsa_sec_decrypt specifying a too large message length.

2021-03-21  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: NEWS entries for 3.7.2.

2021-03-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.2.
	(LIBNETTLE_MINOR): Bump minor number, to 8.3.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.3.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
	compute the scalar used for ecc multiplication.

	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	reduced. Two of the three call sites need that.

	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
	canonical range.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.
	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
	triggers an assert on 64-bit platforms, without above fix.
	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
	the same signature.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

2021-03-11  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	New functions.
	* ecc-internal.h: Declare and document new functions.
	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-mul-m.c (ecc_mul_m): Likewise.

2021-02-17  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.1.

2021-02-15  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted
	glue to openssl arcfour.
	(openssl_arcfour128_set_encrypt_key)
	(openssl_arcfour128_set_decrypt_key): Deleted.
	* nettle-internal.h: Deleted declaration.
	* examples/nettle-benchmark.c (aeads): Delete benchmarking.

2021-02-13  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.1.
	(LIBNETTLE_MINOR): Bump minor number, to 8.2.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.2.

2021-02-10  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
	that counter increment should be 3 (129 <= message length <= 192).
	(_nettle_chacha_crypt32_4core): Likewise.

	* testsuite/chacha-test.c (test_chacha_rounds): New function, for
	tests with non-standard round count. Extracted from _test_chacha.
	(_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
	handling. When testing message prefixes of varying length, also
	encrypt the remainder of the message, to catch errors in counter
	value update.
	(test_main): Add a few tests with large messages (16 blocks, 1024
	octets), to improve test coverage for _nettle_chacha_crypt_4core
	and _nettle_chacha_crypt32_4core.

2021-01-25  Niels Möller  <nisse@lysator.liu.se>

	* arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon
	implementation reportedly gave a speedup of 45% on Cortex A9,
	compared to the C implementation, when it was added back in 2013.
	That appears to no longer be the case with more recent processors
	and compilers. And it's even significantly slower than the C
	implementation on some platforms, including the Raspberry Pi 4.
	With the introduction of salsa20-2core.asm, performance of this
	function is also less important.
	* arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons.
	* arm/fat/salsa20-core-internal-2.asm: Deleted file.
	* arm/fat/chacha-core-internal-2.asm: Deleted file.
	* fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup.

2021-01-31  Niels Möller  <nisse@lysator.liu.se>

	New variants, contributed by Nicolas Mora.
	* pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function.
	* pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function.
	* testsuite/pbkdf2-test.c (test_main): Corresponding tests.

2021-01-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with
	all-zero hash. Reported by Guido Vranken.
	* testsuite/ecdsa-verify-test.c: Add corresponding test case.

2021-01-10  Niels Möller  <nisse@lysator.liu.se>

	* fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor
	conditional as defined(__GLIBC_PREREQ), but move to a nested #if
	conditional. Fixes compile error on OpenBSD/powerpc64, reported by
	Jasper Lievisse Adriaanse.

2021-01-04  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.

2020-12-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Enable fat build by default.

2020-12-26  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: News entries for Nettle-3.7.

	* Makefile.in (distdir): Distribute the README files in assembly
	directories.

	* configure.ac: Bump package version, to 3.7.
	(LIBNETTLE_MINOR): Bump minor number, to 8.1.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.1.

2020-12-21  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* fat-ppc.c: Check glibc version, and use getauxval only when available.

2020-12-12  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: More interleaving of independent
	instructions, gives slight speedup on Power9.

2020-12-01  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: Use protected zone below stack
	pointer to save registers, without modifying the stack pointer.
	(QR): Instruction level interleaving in the main loop, written by
	Torbjörn Granlund.

2020-11-30  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4 (m4_unquote): New macro, copied from GMP's
	mpn/asm-defs.m4.

	* chacha-crypt.c (_nettle_chacha_crypt_4core)
	(_nettle_chacha_crypt32_4core): New functions.
	(_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core):
	Deleted, no longer needed.
	* chacha-internal.h: Add prototypes for _nettle_chacha_4core and
	related functions.
	* configure.ac (asm_nettle_optional_list): Add chacha-4core.asm.
	* powerpc64/fat/chacha-4core.asm: New file.
	* powerpc64/p7/chacha-4core.asm: New file.
	* fat-ppc.c (fat_init): When altivec is available, use
	_nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core
	instead of _2core variants.

	* chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in
	handling of counter; this function should not propagate any carry.

	* aes-internal.h: Delete name mangling of internal symbols. Update
	all internal references to use _nettle prefix.
	* camellia-internal.h: Likewise.
	* chacha-internal.h: Likewise.
	* ctr-internal.h: Likewise.
	* dsa-internal.h: Likewise.
	* gost28147-internal.h: Likewise.
	* poly1305-internal.h: Likewise.
	* salsa20-internal.h: Likewise.
	* sha3-internal.h: Likewise.
	* umac-internal.h: Likewise.

2020-11-26  Niels Möller  <nisse@lysator.liu.se>

	Enable powerpc64 gcm code in fat builds. Based on patch
	contributed by Mamone Tarsha:
	* powerpc64/fat/gcm-hash.asm: New file.
	* configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and
	HAVE_NATIVE_fat_gcm_hash.
	* gcm.c (gcm_init_key): Renamed, to ...
	(_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals.
	(gcm_hash): Renamed, to...
	(_nettle_gcm_hash_c): ... new name. Add fat setup conditionals.
	* fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs.
	* fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash.
	* gcm-internal.h: New file.
	* Makefile.in (DISTFILES): Add gcm-internal.h.

	* powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone
	Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash.

2020-11-28  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Simplify counter carry handling
	using the vaddcuw instruction.

	Merge changes by Marco Bodrato and Torbjörn Granlund, from the
	gmp/mini-gmp copy of this file.
	* run-tests: Delete special handling of zero arguments. Update
	WINEPATH, instead of overwriting it.

2020-11-27  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4: Replace some calls to exit with return, since exit
	requires stdlib.h. Including patch contributed by Adrien Béraud.

	* testsuite/version-test.c: Include version.h. Patch contributed
	by Brian Smith.

2020-11-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for
	big-endian builds.

2020-11-24  Niels Möller  <nisse@lysator.liu.se>

	Enable ppc chacha_2core in fat builds.
	* configure.ac: Add HAVE_NATIVE_fat_chacha_2core.
	* chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core.
	* chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core):
	Add declarations.
	* fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and
	_nettle_chacha_crypt32_2core when altivec is available.
	* powerpc64/fat/chacha-2core.asm: New file, including p7 version.

2020-11-23  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: New file.

	* chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New
	variants of chacha_crypt, using _chacha_2core to do two blocks at
	a time.
	* chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations.
	* configure.ac (asm_nettle_optional_list): Add chacha-2core.asm.

2020-11-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all
	scratch needs, don't use memory after the result area.
	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call.
	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise.
	* curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and
	reduce scratch need from 9*size to 5*size.
	* ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH)
	(ECC_EH_TO_A_ITCH): Update accordingly, but no change in total
	scratch need.

2020-11-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert
	itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all
	secp and gost curve definitions to use it.

2020-10-21  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_384r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed.
	(ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv.

	* ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_256r1): Analogous updates. Increases signing
	performance roughly 6% on x86_64.

	* ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_224r1): Analogous updates. Increases signing
	performance roughly 17% on x86_64.

2020-10-19  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_521r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-15  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_192r1): Use it for p.invert, and also update
	h_to_a_itch. Increases signing performance roughly 25% on x86_64.

	* testsuite/ecc-modinv-test.c (test_modulo): Allow invert function
	to return a non-canonical representation.

2020-11-08  Niels Möller  <nisse@lysator.liu.se>

	Merge refactoring of ecc modulo and reduce functions.
	* eddsa-sign.c (_eddsa_sign_itch): Update, since now point
	multiplication needs less scratch than point compression.
	* eddsa-pubkey.c (_eddsa_public_key_itch): Likewise.

	* ecc-internal.h: Update *_ITCH macros for point multiplication
	and signatures. They need slightly less scratch after optimization
	of the point addition functions.

	* ecc-mul-m.c (ecc_mul_m): Reduce scratch need.
	(ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap
	per iteration.

	* ecc-add-jja.c (ecc_add_jja): Reduce scratch need.
	* ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need.
	* ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size.
	(ECC_MUL_M_ITCH): New 8*size.

2020-11-06  Niels Möller  <nisse@lysator.liu.se>

	After these changes, both curve25519 and curve448 need 4*size for
	invert and 6*size for sqrt.
	* ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need.
	(ecc_curve448_inv): Likewise.
	(ecc_curve448_sqrt): Likewise.
	* ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need.

	* ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy.

2020-11-05  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need.
	* ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size.

2020-11-03  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need.
	* ecc-dup-th.c (ecc_dup_th): Analogous changes.
	* ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size.

	* ecc-internal.h (ecc_add_func): Document in-place operation.
	* ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly.
	* testsuite/ecc-add-test.c (test_main): Likewise.

	* ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
	* ecc-add-th.c (ecc_add_th): Analogous changes.
	* ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need.
	* ecc-add-thh.c (ecc_add_thh): Analogous changes.
	* ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH)
	(ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size.

2020-11-02  Niels Möller  <nisse@lysator.liu.se>

	* ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.
	(ecc_curve25519_inv): Likewise.
	(ecc_curve25519_sqrt): Likewise.

2020-11-01  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument
	for scratch area, reducing required size of result area. Update
	all callers to naïvely keep using result in scratch area.
	(ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing
	required size of result area.

	* testsuite/testutils.c (test_ecc_point): Show curve bits on failure.

2020-10-31  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Updated all assembly
	implementations.

	* testsuite/ecc-mod-test.c (test_one): Extend tests, to also test
	with different destination area.
	* testsuite/ecc-redc-test.c (test_main): Likewise.

2020-10-30  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Add separate result
	argument. Updated all C implementations and callers.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod.c (ecc_mod): More unified handling of final carry
	folding. Also eliminates a goto statement.

2020-11-07  Niels Möller  <nisse@lysator.liu.se>

	Merged initial powerpc64 implementation of chacha.
	* configure.ac: New command line option --enable-power-altivec.
	Update asm_path logic, and add altivec to FAT_TEST_LIST.
	* fat-ppc.c (get_ppc_features): Add logic to check for altivec and
	vsx support, and select either C or altivec implementation of
	chacha_core.
	* powerpc64/p7/chacha-core-internal.asm: New file.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-core-internal.asm: New file.
	* Makefile.in (distdir): Add powerpc64/p7.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids
	undefined behavior, since shifting an 8-bit value left by 24 bits
	overflows the range of signed int. Reported by Guido Vranken.

2020-10-28  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use
	corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n,
	mpn_cnd_swap, available from GMP version 6.1.0. Update all
	callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n have one
	more argument than the old functions.

	* gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap)
	[NETTLE_USE_MINI_GMP]: Fallback definitions for mini-gmp builds.

2020-10-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved
	functions here.
	* ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more
	general ecc_mod_pow_2k_mul.
	* ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function.
	* ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted
	static functions.

2020-10-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function,
	not preserving input argument. Extracted from old ecc_mod_inv.
	(ecc_mod_inv): Call ecc_mod_inv_destructive.
	(ecc_mod_inv_redc): New inversion function, with input and output
	in redc form.

	* ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc.
	* ecc-secp256r1.c: Likewise.

	* ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking
	advantage of ecc->p.invert handling redc, when appropriate. Reduce
	scratch need from 5n to 4n in the process (assuming inversion
	needs 2n).

	* testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if
	appropriate.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* gcm.c (gcm_fill): Added separate implementations for big- and
	little-endian, to use uint64_t stores and less overhead.

2020-09-24  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register
	names. Can be tested by configuring with CC='gcc -Wa,-mregnames'.

2020-09-21  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4: New file with m4 utilities, copied from GMP's
	mpn/asm-defs.m4.
	* Makefile.in (DISTFILES): Add m4-utils.m4.
	(%.asm): Include m4-utils.m4 for preprocessing of .asm files, and
	include config.m4 before machine.m4.

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test,
	adapted from corresponding test in GMP's acinclude.m4.
	* configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted
	variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64
	assembly code is enabled.
	* config.m4.in: Substituted here.
	* powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and
	if needed, replace register names like r0, r1, ... with integers.

2020-09-15  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Add missing file blowfish-internal.h.

2020-09-14  Niels Möller  <nisse@lysator.liu.se>

	* asm.m4: Delete use of changequote, stick to the m4 default
	quoting characters `'. Updated all assembly and m4 files.
	* x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround.

2020-09-12  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT.

2020-08-29  Niels Möller  <nisse@lysator.liu.se>

	Initial powerpc64 assembly support, contributed by Mamone Tarsha:
	* configure.ac: New configure option --enable-power-crypto-ext.
	(asm_path): Setup this and related variables for powerpc64.
	* powerpc64/machine.m4: New file.
	* powerpc64/README: New file.
	* powerpc64/p8/aes-encrypt-internal.asm: New file.
	* powerpc64/p8/aes-decrypt-internal.asm: New file.
	* powerpc64/fat/aes-encrypt-internal-2.asm: New file.
	* powerpc64/fat/aes-decrypt-internal-2.asm: New file.
	* fat-ppc.c: New file.
	* Makefile.in (OPT_SOURCES): Add fat-ppc.c.
	(distdir): Add powerpc64 directories.
	* aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative
	name, for fat builds.
	* aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise.

2020-07-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (FAT_TEST_LIST): New substituted variable. Set for
	fat builds, otherwise empty.
	* Makefile.in (check-fat): New target, using $(FAT_TEST_LIST).

2020-07-13  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use
	_chacha_3core.

	* arm/neon/chacha-3core.asm: New file, 3-way interleaving of
	chacha.

2020-07-11  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/chacha-test.c (test_main): Delete obsolete tests for
	chacha with 128-bit keys. #if:ed out since 2014-03-04, see below.
	(test_chacha_core): New function, test chacha with simple input
	structure.

2020-07-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: New file.
	* x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is
	faster.

2020-07-08  Niels Möller  <nisse@lysator.liu.se>

	Rearrange salsa20, enabling ARM fat builds to use salsa20_2core.
	* salsa20-crypt-internal.c (_salsa20_crypt_2core)
	(_salsa20_crypt_1core): New file, new functions. One or the other
	is used for implementing salsa20_crypt and salsa20r12_crypt,
	depending on availability of salsa20_2core.
	* salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt.
	* salsa20r12-crypt.c (salsa20r12_crypt): Likewise.
	* salsa20-internal.h: Declare new internal functions.
	* Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c.
	* fat-setup.h (salsa20_crypt_func): New typedef.
	* fat-arm.c (_salsa20_crypt): Select _salsa20_crypt
	implementation, use 2core version when Neon instructions are
	available.
	* arm/fat/salsa20-2core.asm: New file, including Neon
	implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core.
	* configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the
	case that salsa20_2core is defined, but runtime checks are needed
	to determine if it is usable.

2020-07-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/salsa20-test.c (test_salsa20_core): New function, test
	salsa20 with simple input structure.

	* configure.ac: Obey --enable-arm-neon=yes, even if not explicitly
	targeting ARM v6 or later.

2020-07-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/bcrypt-test.c: New file. Moved bcrypt tests here.

	Support for bcrypt, contributed by Stephen R. van den Berg.
	* blowfish-bcrypt.c (blowfish_bcrypt_hash)
	(blowfish_bcrypt_verify): New file, new functions.
	* blowfish-internal.h: New header file, declaring internals needed
	for bcrypt.
	* testsuite/blowfish-test.c: Add bcrypt tests.
	* nettle.texinfo (Cipher functions): Document bcrypt.

2020-06-30  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Miscellaneous hash functions): New section, with
	Streebog documentation, contributed by Dmitry Baryshkov.
	(Top): Added some missing entries to the detailed node listing.

2020-06-29  Niels Möller  <nisse@lysator.liu.se>

	* .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch
	by Maamoun TK.

2020-06-25  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/chacha-core-internal.asm (QROUND): Fix use of macro
	arguments. Spotted by Torbjörn Granlund.

2020-06-02  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Delete call to
	time_overhead. The attempt to measure function call overhead is
	not very useful or accurate. The benchmarking loop is optimized
	away by gcc-10, making the benchmark program hang.
	(bench_nothing, time_overhead): Deleted.

2020-04-29  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.6.

2020-04-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Tweak gcc command line options. Delete checks for
	older gcc versions. Add -Wno-sign-compare, since warnings for
	signed/unsigned comparisons add a lot of noise, in particular
	when building mini-gmp.

	* mini-gmp.c: Updated mini-gmp from the gmp repository, latest
	change from 2020-04-20.
	* mini-gmp.h: Likewise.

2020-04-25  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify)
	(mpz_limbs_finish, mpz_roinit_n): Delete compatibility
	definitions. These functions are available in GMP since version 6.0.0.
	* gmp-glue.h: Delete corresponding declarations, and preprocessor
	conditions.

	* configure.ac: Update required version of GMP to 6.1.0, needed
	for mpn_zero_p.
	* ecc-ecdsa-verify.c (zero_p): Deleted static function, usage
	replaced with mpn_zero_p.
	* testsuite/testutils.c (mpn_zero_p): Delete conditional
	definition.
	* testsuite/testutils.h: Delete corresponding declarations.

	* Makefile.in (DISTFILES): Add poly1305-internal.h.
	* testsuite/Makefile.in (DISTFILES): Delete setup-env.

2020-04-23  Niels Möller  <nisse@lysator.liu.se>

	* run-tests: Set WINEPATH, since it appears wine doesn't search
	for dlls in the unix PATH.
	* examples/setup-env: Delete creation of extra dll symlinks.
	* examples/teardown-env: Delete corresponding cleanup.
	* testsuite/setup-env: Deleted file (same symlink creation).
	* testsuite/teardown-env: Delete corresponding cleanup.

	* testsuite/ecc-add-test.c (test_main): Delete ASSERTs with
	function pointer comparisons. They provide little value, and fail
	when linking with hogweed.dll on windows.
	* testsuite/ecc-dup-test.c (test_main): Likewise.

2020-04-22  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in: Use pattern rules for test executables,
	replacing...
	(test-rules): ...deleted rule.
	* testsuite/.test-rules.make: Deleted file.

2020-04-21  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gostdsa-vko.c (gostdsa_vko): New file and function.
	* testsuite/gostdsa-vko-test.c (test_vko): New test.
	* nettle.texinfo (GOSTDSA): Document it.

2020-04-19  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable
	use of MD_UPDATE macro, in particular, replacing byte count with
	block count and index. Also move buffer last, for consistency with
	other hash functions.
	* gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro.
	(gosthash94_write_digest): Update for block count rather than byte
	count.

2020-04-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBNETTLE_MAJOR): Increase libnettle version
	number to 8.0, for move of internal poly1305 functions.
	(LIBNETTLE_MINOR): Reset to zero.

2020-04-15  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block):
	Removed declarations from this public header file.
	* poly1305-internal.h: New file, with declarations of internal
	poly1305 functions.
	(_poly1305_set_key, _poly1305_digest): Renamed, with leading
	underscore. Updated definitions and all uses.

2020-04-12  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Reorder to ensure that generated des
	headers can't be older than desdata.stamp.

	* testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc
	-std=c89.

2020-04-06  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version
	number to 6.0, at request of Gnutls team.
	(LIBHOGWEED_MINOR): Reset to zero.

2020-04-01  Niels Möller  <nisse@lysator.liu.se>

	* config.guess: Update to 2020-01-01 version, from savannah's
	config.git.
	* config.sub: Likewise.

2020-03-31  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP)
	(LSH_MAKE_CONDITIONAL): Delete unused macros.

	* config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables.

	* run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and
	related member variables.

	* testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR
	to the run-tests script, and leave setting of LD_LIBRARY_PATH and
	related variables to that script.
	* examples/Makefile.in (check): Likewise.

2020-03-26  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version to 3.6.
	(LIBNETTLE_MINOR): Bump minor number, now 7.1.
   774 	(LIBHOGWEED_MINOR): Bump minor number, now 5.1.
  775 
  776 2020-03-14  Niels Möller  <nisse@lysator.liu.se>
  777 
  778 	From H.J. Lu:
  779 	* configure.ac (ASM_X86_ENDBR)
   780 	(ASM_X86_MARK_CET, ASM_X86_MARK_CET_ALIGN): New substituted
  781 	variables.
  782 	* config.m4.in: Substituted here. Add ASM_X86_MARK_CET to
  783 	diversion inserted at end of assembly files.
  784 	* asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point.
  785 
  786 2020-03-09  Niels Möller  <nisse@lysator.liu.se>
  787 
  788 	From Daiki Ueno:
  789 	* chacha-crypt.c (chacha_crypt32): New function.
  790 	* chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32):
  791 	New functions.
  792 	* chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants.
  793 	* chacha-poly1305.c (chacha_poly1305_encrypt)
  794 	(chacha_poly1305_decrypt): Use chacha_crypt32.
  795 	* testsuite/chacha-test.c: Update tests to use new functions.
  796 	* nettle.texinfo: Document new chacha functions, and update
  797 	out-of-date chacha-poly1305 documentation.
  798 
  799 2020-03-08  Niels Möller  <nisse@lysator.liu.se>
  800 
  801 	From Dmitry Baryshkov:
  802 	* cmac-des3-meta.c (nettle_cmac_des): New file, moving definition
  803 	from...
  804 	* testsuite/cmac-test.c: ... old location.
  805 	* nettle-meta.h (nettle_cmac_des): Declare it.
  806 
  807 2020-02-15  Niels Möller  <nisse@lysator.liu.se>
  808 
  809 	From Dmitry Baryshkov:
  810 	* ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr)
  811 	(ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add)
  812 	(ecc_modp_sub): Deleted macros. Updated callers to use respective
  813 	functions instead.
  814 	(ecc_modp_addmul_1): Delete unused macro.
  815 
  816 2020-02-09  Niels Möller  <nisse@lysator.liu.se>
  817 
  818 	Addition of struct nettle_mac based on patches by Daiki Ueno.
  819 	* nettle-meta-macs.c (nettle_get_macs): New file, new function.
  820 	* testsuite/meta-mac-test.c: New test.
  821 
  822 	* nettle-meta.h (_NETTLE_HMAC): New macro.
  823 	(nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1)
  824 	(nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384)
  825 	(nettle_hmac_sha512): Declare.
  826 	(struct nettle_mac): New public struct,
  827 	* testsuite/testutils.h: ...moved from this file.
  828 
  829 	* hmac-md5-meta.c: New file.
  830 	* hmac-ripemd160-meta.c: Likewise.
  831 	* hmac-sha1-meta.c: Likewise.
  832 	* hmac-sha224-meta.c: Likewise.
  833 	* hmac-sha256-meta.c: Likewise.
  834 	* hmac-sha384-meta.c: Likewise.
  835 	* hmac-sha512-meta.c: Likewise.
  836 
  837 	* Makefile.in (nettle_SOURCES): Add new files.
  838 
  839 	* testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of
  840 	this macro.
  841 	* testsuite/testutils.c (test_mac): Allow testing with smaller
  842 	digest size.
  843 	* testsuite/hmac-test.c (test_main): Use test_mac for tests using
  844 	key size == digest size.
  845 
  846 	* testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
  847 	Moved to...
  848 	* cmac-aes128-meta.c: New file.
  849 	* cmac-aes256-meta.c: New file.
  850 
  851 	* nettle-meta.h (struct nettle_mac): New public struct,
  852 	* testsuite/testutils.h: ...moved from this file.
  853 
  854 2020-02-06  Niels Möller  <nisse@lysator.liu.se>
  855 
  856 	From Dmitry Baryshkov:
  857 	* gost28147.h: Deleted, move declarations to gost28147-internal.h.
  858 
  859 2020-02-05  Niels Möller  <nisse@lysator.liu.se>
  860 
  861 	* configure.ac: On Solaris, link shared libraries with --shared
  862 	rather than -G. For gcc, --shared is the proper way. For Solaris'
  863 	proprietary cc, according to docs, it accepts --shared as an alias
  864 	for -G since Oracle Solaris Studio 12.4, and it was made more gcc
  865 	compatible in later versions. Since 12.4 was released in 2014,
  866 	don't attempt to cater for older versions.
  867 
  868 2020-01-26  Niels Möller  <nisse@lysator.liu.se>
  869 
  870 	* ecc-internal.h (struct ecc_curve): Delete g, the curve
  871 	generator, since it was used only by tests. Update all curve
  872 	instances.
  873 
  874 	* eccdata.c (output_curve): Delete output of ecc_g.
  875 	(output_point): Delete name argument, and update callers.
  876 
  877 	* testsuite/testutils.c (ecc_ref): Table of reference points moved
  878 	out of test_ecc_mul_a. Add generator to the list of points.
  879 	(test_ecc_mul_a): Use ecc_ref table also for the n == 1 case.
  880 	(test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions,
  881 	using the tabulated generator.
  882 
  883 	* testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of
  884 	accessing ecc->g.
  885 	* testsuite/ecc-dup-test.c: Likewise.
  886 	* testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga.
  887 	Delete special case for n == 1.
  888 	* testsuite/ecc-mul-g-test.c: Use test_ecc_ga.
  889 
  890 	Support for GOST DSA, contributed by Dmitry Baryshkov.
  891 	* gostdsa-verify.c (gostdsa_verify): New file and function.
  892 	* gostdsa-sign.c (gostdsa_sign): New file and function.
  893 	* ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch)
  894 	(ecc_gostdsa_verify): New file and functions.
  895 	* ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
  896 	New file and functions.
  897 	* ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro.
  898 	* ecc-hash.c (gost_hash): New function.
  899 	* testsuite/gostdsa-verify-test.c: New test.
  900 	* testsuite/gostdsa-sign-test.c: New test.
  901 	* testsuite/gostdsa-keygen-test.c: New test.
  902 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests.
  903 
  904 	Support for GOST gc256b and gc512a curves, contributed by Dmitry
  905 	Baryshkov.
  906 	* eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and
  907 	gost_gc512a.
  908 	* ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b.
  909 	* ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a.
  910 	* Makefile.in: Add rules to generate ecc-gost-gc256b.h and
  911 	ecc-gost-gc512a.h.
  912 	(hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c.
  913 	* examples/ecc-benchmark.c (curves): Add to list.
  914 	* testsuite/testutils.c (ecc_curves): Add to list.
  915 	(test_ecc_mul_a): Reference points for new curves.
  916 
  917 	* NEWS: Started on entries for Nettle-3.6.
  918 
  919 2020-01-25  Niels Möller  <nisse@lysator.liu.se>
  920 
  921 	* examples/hogweed-benchmark.c (bench_curve_init): Pass correct
  922 	sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov.
  923 
  924 2020-01-15  Niels Möller  <nisse@lysator.liu.se>
  925 
  926 	* Makefile.in: Replace suffix rules by pattern rules. Move .asm
  927 	rule above .c rule, since now the order of rules in the Makefile
  928 	matters, rather than the order in the .SUFFIXES list.
  929 	(aesdata, desdata, twofishdata, shadata, gcmdata, eccparams):
  930 	Individual rules replaced by a pattern rule.
  931 	(eccdata): Add explicit dependencies, to complement the pattern
  932 	rule.
  933 	* examples/Makefile.in: Replace suffix rules by pattern rules.
  934 	* testsuite/Makefile.in: Likewise.
  935 	* tools/Makefile.in: Likewise.
  936 
  937 	* config.make.in: Empty .SUFFIXES, to not accidentally use any
  938 	suffix rules.
  939 
  940 	* aclocal.m4 (DEP_INCLUDE): Delete substituted variable.
  941 
  942 	* Makefile.in: Use the GNU make directive -include to include
  943 	dependency .d files. Delete dependency files on make clean.
  944 	* examples/Makefile.in: Likewise.
  945 	* testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly.
  946 	* tools/Makefile.in: Likewise.
  947 
  948 	* configure.ac (dummy-dep-files): Delete these config commands.
  949 
  950 2020-01-10  Niels Möller  <nisse@lysator.liu.se>
  951 
  952 	From Dmitry Eremin-Solenikov: Consistently rename ecc files and
  953 	internal functions to include curve name rather than just number
  954 	of bits. E.g.,
  955 	* ecc-256.c (nettle_ecc_256_redc): File and function renamed to...
  956 	* ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names.
  957 	* eccdata.c (ecc_curve_init, main): Take curve name as input, not
  958 	bit size.
  959 
  960 2020-01-03  Niels Möller  <nisse@lysator.liu.se>
  961 
  962 	Add benchmarking of ed25519, ed448 and curve448.
   963 	* examples/hogweed-benchmark.c (struct eddsa_ctx): New struct.
  964 	(bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify)
  965 	(bench_eddsa_clear): New functions.
  966 	(struct curve_ctx): New struct, generalizing struct curve25519_ctx.
  967 	(bench_curve_init, bench_curve_mul_g, bench_curve_mul)
  968 	(bench_curve_clear): New functions.
  969 	(struct curve25519_ctx, bench_curve25519_mul_g)
  970 	(bench_curve25519_mul, bench_curve25519): Deleted.
  971 	(alg_list): Add eddsa and curve entries.
  972 	(main): Delete call to bench_curve25519.
  973 
  974 2020-01-02  Niels Möller  <nisse@lysator.liu.se>
  975 
  976 	* eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
  977 	(struct ecc_eddsa): Use function pointer to represent eddsa dom
  978 	string. To avoid calling sha512_update with empty input for
  979 	ed25519.
  980 	* ed448-shake256.c (ed448_dom): New function, calling
  981 	sha3_256_update with the magic dom prefix.
  982 	(_nettle_ed448_shake256): Point to it.
  983 	* ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.
  984 
  985 	* eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
  986 	* eddsa-verify.c (_eddsa_verify): Likewise.
  987 
  988 	* eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
  989 	needed for ed448.
  990 	* ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
  991 	* ed448-shake256.c (_nettle_ed448_shake256): New file and
  992 	parameter struct.
  993 
  994 	* eddsa-hash.c (_eddsa_hash): Add digest_size as input argument.
  995 	Handle ed448 digests with two extra bytes. Update callers.
  996 	* eddsa-verify.c (_eddsa_verify): Hash dom string.
  997 	* eddsa-sign.c (_eddsa_sign_itch): Assert that
  998 	_eddsa_compress_itch isn't too large.
  999 	(_eddsa_sign): New argument k1, with the hash prefix. Add hashing
 1000 	of this prefix and the dom string. Update callers. Fix final
 1001 	reduction, it's different for ed25519, with q slightly larger than
 1002 	a power of two, and ed448, with q slightly smaller.
 1003 	* eddsa-pubkey.c (_eddsa_public_key_itch): Assert that
 1004 	_eddsa_compress_itch isn't too large.
 1005 
 1006 	Implementation of ed448-shake256, based on patch by Daiki Ueno.
 1007 	* ed448-shake256-pubkey.c (ed448_shake256_public_key): New file
 1008 	and function.
 1009 	* ed448-shake256-sign.c (ed448_shake256_sign): New file and function.
 1010 	* ed448-shake256-verify.c (ed448_shake256_verify): New file and function.
 1011 
 1012 	* Makefile.in (hogweed_SOURCES): Add new ed448 files.
 1013 
 1014 	* testsuite/eddsa-verify-test.c (test_ed448): New function.
 1015 	(test_main): New ed448 tests.
 1016 	* testsuite/eddsa-sign-test.c (test_ed448_sign): New function.
 1017 	(test_main): New ed448 tests.
 1018 	* testsuite/ed448-test.c: New tests.
 1019 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c.
 1020 
 1021 	* nettle.texinfo (Curve 25519 and Curve 448): Document ed448.
 1022 
 1023 2020-01-01  Niels Möller  <nisse@lysator.liu.se>
 1024 
 1025 	* ecc-448.c (ecc_mod_pow_2kp1): New function.
 1026 	(ecc_mod_pow_446m224m1): Reduce scratch usage from 6*n to 5*n, at
 1027 	the cost of one copy operation. Also use ecc_mod_pow_2kp1 where
 1028 	applicable.
 1029 	(ECC_448_INV_ITCH): Reduce to 5*ECC_LIMB_SIZE.
 1030 	(ECC_448_SQRT_ITCH): Reduce to 9*ECC_LIMB_SIZE.
 1031 
 1032 	* testsuite/eddsa-compress-test.c: Test also with curve448.
 1033 
 1034 2019-12-30  Niels Möller  <nisse@lysator.liu.se>
 1035 
 1036 	Preparation for ed448, based on patch by Daiki Ueno.
 1037 	* eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
 1038 	parameters.
 1039 	* ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
 1040 	* eddsa-expand.c (_eddsa_expand_key): Replace input
 1041 	struct nettle_hash with struct ecc_eddsa, and generalize for
 1042 	ed448. Update all callers.
 1043 	* eddsa-sign.c (_eddsa_sign): Likewise.
 1044 	* eddsa-verify.c (_eddsa_verify): Likewise.
 1045 	* eddsa-compress.c (_eddsa_compress): Store sign bit in most
 1046 	significant bit of last byte, as specified by RFC 8032.
 1047 	* eddsa-decompress.c (_eddsa_decompress): Corresponding update.
 1048 	Also generalize to support ed448, and make validity checks
 1049 	stricter.
 1050 	* testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
 1051 	(test_main): Use it.
 1052 	* testsuite/eddsa-verify-test.c (test_ed25519): New function.
 1053 	(test_main): Use it.
 1054 
 1055 2019-12-28  Niels Möller  <nisse@lysator.liu.se>
 1056 
 1057 	* bignum.h: Drop unrelated include of nettle-meta.h.
 1058 	* pss.h: Include nettle-meta.h explicitly.
 1059 	* eddsa-internal.h: Likewise.
 1060 
 1061 2019-12-25  Niels Möller  <nisse@lysator.liu.se>
 1062 
 1063 	Support for SHAKE256, based on patch by Daiki Ueno.
 1064 	* shake256.c (sha3_256_shake): New file and function.
 1065 	* Makefile.in (nettle_SOURCES): Add shake256.c.
 1066 	* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
 1067 	if hash->digest_size == 0.
 1068 	* testsuite/shake.awk: New script to extract test vectors.
 1069 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
 1070 	(DISTFILES): Add shake.awk.
 1071 	* nettle.texinfo (Recommended hash functions): Document SHAKE-256.
 1072 
 1073 	* sha3.c (_sha3_pad): Generalized with an argument for the magic
 1074 	suffix defining the sha3 instance.
 1075 	* sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes.
 1076 	Updated all callers of _sha3_pad.
 1077 	(_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f.
 1078 
 1079 2019-12-19  Niels Möller  <nisse@lysator.liu.se>
 1080 
 1081 	* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
 1082 	add_hh rather than add_hhh.
  1083 	(table_init) [ECC_MUL_A_EH_WBITS > 0]: Likewise.
 1084 	* ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]:
 1085 	Reduced from 13*n to 12*n.
 1086 
 1087 2019-12-18  Niels Möller  <nisse@lysator.liu.se>
 1088 
 1089 	Rename add and dup functions for Edwards curves.
 1090 	* ecc-dup-th.c (ecc_dup_th): New file, move and rename ecc_dup_eh.
 1091 	* ecc-add-th.c (ecc_add_th): New file, move and rename ecc_add_eh.
 1092 	* ecc-add-thh.c (ecc_add_thh): New file, move and rename
 1093 	ecc_add_ehh.
 1094 	* ecc-dup-eh.c (ecc_dup_eh_untwisted): Rename to just ecc_dup_eh.
 1095 	* ecc-add-eh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_eh.
 1096 	* ecc-add-ehh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_ehh.
 1097 	* ecc-internal.h (ecc_dup_th, ecc_add_th, ecc_add_thh): Declare
 1098 	new functions, delete declarations of ecc_*_untwisted variants.
 1099 	(ECC_DUP_TH_ITCH, ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): New macros.
 1100 	* ecc-25519.c (_nettle_curve25519): Update, use ecc_dup_th and
 1101 	friends.
 1102 	* ecc-448.c (_nettle_curve448): Update for rename, without
 1103 	_untwisted suffix.
 1104 	* Makefile.in (hogweed_SOURCES): Added ecc-dup-th.c, ecc-add-th.c,
  1105 	and ecc-add-thh.c.
 1106 	* testsuite/ecc-dup-test.c (test_main): Update asserts.
 1107 	* testsuite/ecc-add-test.c (test_main): Likewise.
 1108 
 1109 	* eddsa-verify.c (_eddsa_verify): Use function pointer rather than
 1110 	calling ecc_add_eh directly. Preparation for eddsa over curve448.
 1111 
 1112 2019-12-17  Niels Möller  <nisse@lysator.liu.se>
 1113 
 1114 	* examples/ecc-benchmark.c (bench_dup_hh): Rename, and use
 1115 	ecc->dup pointer.
 1116 	(bench_dup_jj): ... old name.
  1117 	(bench_add_hh): Rename, and use ecc->add_hh pointer.
 1118 	(bench_add_jja): ... old name.
 1119 	(bench_dup_eh, bench_add_eh): Deleted.
 1120 	(bench_curve): Update, and delete curve25519 special case.
 1121 	(main): Update table headers accordingly.
 1122 
 1123 2019-12-15  Niels Möller  <nisse@lysator.liu.se>
 1124 
 1125 	* ecc-dup-eh.c (ecc_dup_eh): Eliminate one unneeded ecc_modp_add.
 1126 
 1127 2019-12-14  Niels Möller  <nisse@lysator.liu.se>
 1128 
 1129 	* ecc-mul-m.c (ecc_mul_m): New file and function. Implements
  1130 	multiplication for curves in Montgomery representation, as used for
 1131 	curve25519 and curve448. Extracted from curve25519_mul.
 1132 	* ecc-internal.h (ecc_mul_m): Declare.
 1133 	(ECC_MUL_M_ITCH): New macro.
 1134 	* Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c.
 1135 
 1136 	* curve25519-mul.c (curve25519_mul): Use ecc_mul_m.
 1137 	* curve448-mul.c (curve448_mul): Likewise.
 1138 
 1139 2019-12-13  Niels Möller  <nisse@lysator.liu.se>
 1140 
 1141 	* Merge curve448 implementation.
 1142 
 1143 2019-12-09  Niels Möller  <nisse@lysator.liu.se>
 1144 
 1145 	* ecc-internal.h: Revert itch macro changes. We now have
 1146 	h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few places
 1147 	relying on this.
 1148 	(ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros.
 1149 	(ECC_ECDSA_SIGN_ITCH): Revert previous change.
 1150 
 1151 	* ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n
 1152 	to 6*n.
 1153 	(ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly.
 1154 	* curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n.
 1155 
 1156 2019-12-08  Niels Möller  <nisse@lysator.liu.se>
 1157 
 1158 	* x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New
 1159 	assembly function.
 1160 	* ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use
 1161 	native nettle_ecc_curve448_modp if available.
 1162 	* configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm.
 1163 	(HAVE_NATIVE_ecc_curve448_modp): New config.h define.
 1164 
 1165 2019-12-03  Niels Möller  <nisse@lysator.liu.se>
 1166 
 1167 	* ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function.
 1168 
 1169 2019-12-01  Niels Möller  <nisse@lysator.liu.se>
 1170 
 1171 	Curve 448 support contributed by Daiki Ueno.
 1172 	* eccdata.c (enum ecc_type): Add ECC_TYPE_EDWARDS.
 1173 	(ecc_add): Support untwisted edwards curves.
 1174 	(ecc_curve_init): Add curve448 parameters.
 1175 	* ecc-internal.h (ECC_ECDSA_KEYGEN_ITCH): New macro.
 1176 	(ECC_ECDSA_SIGN_ITCH): Increased from 12*size to 13*size.
 1177 	(ECC_MAX): New macro.
 1178 	* ecc-448.c: New file.
 1179 	(ecc_mod_pow_2k, ecc_mod_pow_446m224m1, ecc_448_inv)
 1180 	(ecc_448_zero_p, ecc_448_sqrt): New functions.
 1181 	(_nettle_curve448): New curve definition.
 1182 	* curve448.h (CURVE448_SIZE): New constant.
 1183 	(curve448_mul_g, curve448_mul): Declare new public functions.
 1184 	* ecc-eh-to-a.c (ecc_eh_to_a): Update assert to allow the curve448
 1185 	Edwards curve.
 1186 	* curve448-mul.c (curve448_mul): New file and function.
 1187 	* curve448-mul-g.c (curve448_mul_g): New file and function.
 1188 	* curve448-eh-to-x.c (curve448_eh_to_x): New file and function.
 1189 	* ecc-dup-eh.c (ecc_dup_eh_untwisted): New function.
 1190 	* ecc-add-ehh.c (ecc_add_ehh_untwisted): New function.
 1191 	* ecc-add-eh.c (ecc_add_eh_untwisted): New function.
 1192 	* ecc-point.c (ecc_point_set): Add point validation for curve448.
 1193 	* ecc-point-mul.c (ecc_point_mul): Allow h_to_a_itch larger than
 1194 	mul_itch.
 1195 	* ecc-point-mul-g.c (ecc_point_mul_g): Allow h_to_a_itch
 1196 	larger than mul_g_itch. Switch from TMP_DECL/_ALLOC/_FREE to
 1197 	gmp_alloc_limbs/gmp_free_limbs.
 1198 	* ecdsa-keygen.c (ecdsa_generate_keypair): Use
 1199 	ECC_ECDSA_KEYGEN_ITCH.
 1200 	* Makefile.in (hogweed_SOURCES): Add ecc-448.c, curve448-mul-g.c,
 1201 	curve448-mul.c, and curve448-eh-to-x.c.
 1202 	(HEADERS): Add curve448.h.
 1203 	(ecc-448.h): New generated file.
 1204 
 1205 	* testsuite/testutils.c (ecc_curves): Add _nettle_curve448 to list
 1206 	of tested curves.
 1207 	(test_ecc_mul_a): Add curve448.
 1208 	* testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add curve448 support.
 1209 	* testsuite/ecdh-test.c (test_main): Add tests for (non-standard)
  1210 	curve448 Diffie-Hellman.
 1211 	* testsuite/ecc-add-test.c (test_main): Update for testing of curve448.
 1212 	* testsuite/ecc-dup-test.c (test_main): Likewise.
 1213 	* testsuite/ecc-mul-a-test.c (test_main): Likewise. Also increase
 1214 	scratch allocation for h_to_a_itch.
 1215 	* testsuite/ecc-mul-g-test.c (test_main): Likewise.
 1216 	* testsuite/curve448-dh-test.c: Test for curve448.
 1217 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add curve448-dh-test.c.
 1218 
 1219 	* examples/ecc-benchmark.c: Add curve448 to list of benchmarked
 1220 	curves.
 1221 
 1222 	* nettle.texinfo (Curve 25519 and Curve 448): Add docs.
 1223 
 1224 2019-12-07  Niels Möller  <nisse@lysator.liu.se>
 1225 
 1226 	* ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only
 1227 	used for non-standard ecdsa over curve25519.
 1228 	* testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa
 1229 	over curve25519.
 1230 	* testsuite/ecdsa-verify-test.c (test_main): Likewise.
 1231 	* testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519
 1232 	from test.
 1233 
 1234 2019-12-05  Niels Möller  <nisse@lysator.liu.se>
 1235 
  1236 	* configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to
  1237 	check for __builtin_bswap64, since calling a non-existing
  1238 	function typically results in a warning only at compile time, but
  1239 	fails at link time. Patch contributed by George Koehler.
 1240 
 1241 2019-12-04  Niels Möller  <nisse@lysator.liu.se>
 1242 
 1243 	* testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to
 1244 	unsigned long for argument to fprintf.
 1245 
 1246 2019-11-21  Niels Möller  <nisse@lysator.liu.se>
 1247 
 1248 	* eccdata.c (ecc_curve_init_str): Delete unused t and d arguments.
  1249 	Related to the edwards_root member of struct ecc_curve, which
 1250 	was used by ecc_a_to_eh before it was deleted, see 2014-09-17
 1251 	entry below.
 1252 	(ecc_curve_init): Delete corresponding curve25519 constants, and
 1253 	NULL arguments passed for the other curves.
 1254 
 1255 	* Merge curve448 preparations, from September 2017.
 1256 
 1257 2017-09-23  Niels Möller  <nisse@lysator.liu.se>
 1258 
 1259 	* eccdata.c: Reorganize curve25519 precomputation to work directly
 1260 	with the twisted Edwards curve, with new point addition based on a
 1261 	patch from Daiki Ueno.
 1262 	* ecc-25519.c (_nettle_curve25519): Update for removed Montgomery
 1263 	curve constant.
 1264 
 1265 	* ecc-internal.h (struct ecc_curve): Delete unused pointer
 1266 	edwards_root. Update all instances.
 1267 	* eccdata.c (output_curve): Don't output it.
 1268 
 1269 	* testsuite/ecc-add-test.c (test_main): Reduce test duplication.
 1270 	Use ecc->add_hhh_itch.
 1271 	* testsuite/ecc-dup-test.c (test_main): Reduce test duplication.
 1272 	Use ecc->dup_itch.
 1273 
 1274 2017-09-23  Daiki Ueno  <dueno@redhat.com>
 1275 
 1276 	* ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of
 1277 	hard-coded value for curve25519.
 1278 	* eddsa-sign.c (_eddsa_sign): Likewise.
 1279 
 1280 	* ecc-internal.h (ecc_dup_func): New typedef.
 1281 	(struct ecc_curve): New constants add_hh_itch and dup_itch, new
 1282 	function pointers add_hh and dup.
 1283 	* ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c,
 1284 	ecc-25519.c: Update accordingly.
 1285 	* ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers.
 1286 	* ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh):
 1287 	Likewise.
 1288 	* testsuite/ecc-dup-test.c (test_main): Likewise.
 1289 	* testsuite/ecc-add-test.c (test_main): Likewise.
 1290 
 1291 2019-10-01  Niels Möller  <nisse@lysator.liu.se>
 1292 
 1293 	* testsuite/testutils.c (test_cipher_cfb8): Reset destination area
 1294 	between tests. Encrypt/decrypt final partial block.
 1295 
 1296 	From Daiki Ueno, fixing bug reported by Stephan Mueller:
 1297 	* cfb.c (cfb8_decrypt): Don't truncate output IV if input is
 1298 	shorter than block size.
 1299 	* testsuite/testutils.c (test_cipher_cfb8): Test splitting input
 1300 	into multiple calls to cfb8_encrypt and cfb8_decrypt.
 1301 
 1302 2019-09-30  Niels Möller  <nisse@lysator.liu.se>
 1303 
 1304 	* testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read.
 1305 	Trim allocation size for de_data, drop some uses of
 1306 	SIV_DIGEST_SIZE, call FAIL for unexpected returned values.
 1307 	(test_compare_results): Delete digest argument.
 1308 
 1309 2019-09-15  Niels Möller  <nisse@lysator.liu.se>
 1310 
 1311 	From Dmitry Eremin-Solenikov:
 1312 	* gost28147.c (_gost28147_encrypt_block): New file, encrypt
 1313 	function and sbox tables moved here.
 1314 	* gosthash94.c: Update functions to take sbox array as argument.
 1315 	(gost_block_compress): Use _gost28147_encrypt_block.
  1316 	(gosthash94cp_update, gosthash94cp_digest): New functions.
 1317 	* gost28147-internal.h: New file.
 1318 	* gost28147.h: New file.
 1319 	* gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm.
 1320 	* nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and
 1321 	nettle_gosthash94cp.
 1322 	* hmac-gosthash94.c (hmac_gosthash94_set_key)
 1323 	(hmac_gosthash94_update, hmac_gosthash94_digest)
 1324 	(hmac_gosthash94cp_set_key, hmac_gosthash94cp_update)
 1325 	(hmac_gosthash94cp_digest): New file and functions.
 1326 	* pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file
 1327 	and function.
 1328 	* testsuite/pbkdf2-test.c (test_main): Add
 1329 	pbkdf2-hmac-gosthash94cp tests.
 1330 	* testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests.
 1331 	* testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests.
 1332 	* nettle.texinfo (Legacy hash functions): Document gosthash94cp.
 1333 
 1334 	* testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS.
 1335 
 1336 2019-07-08  Niels Möller  <nisse@lysator.liu.se>
 1337 
 1338 	* nettle-types.h (union nettle_block16): Mark w member as deprecated.
 1339 	* eax.c (block16_xor): Use uint64_t member of nettle_block16.
 1340 	* gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise.
 1341 
 1342 2019-07-10  Niels Möller  <nisse@lysator.liu.se>
 1343 
 1344 	From Dmitry Eremin-Solenikov:
 1345 	* cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init)
 1346 	(cmac64_update, cmac64_digest): New file, new functions.
 1347 	* cmac-des3.c (cmac_des3_set_key, cmac_des3_update)
 1348 	(cmac_des3_digest): New file, new functions.
 1349 	* cmac.h: Add cmac64 and cmac_des3 declarations.
 1350 	* Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c.
 1351 	* testsuite/cmac-test.c (test_main): Add tests for cmac_des3.
 1352 
 1353 2019-07-02  Niels Möller  <nisse@lysator.liu.se>
 1354 
 1355 	From Dmitry Eremin-Solenikov:
 1356 	* testsuite/testutils.c (test_mac): New function.
 1357 	* testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
 1358 	New algorithm structs.
 1359 	(test_cmac_aes128, test_cmac_aes256): Use test_mac.
 1360 
 1361 2019-06-06  Niels Möller  <nisse@lysator.liu.se>
 1362 
 1363 	Update for cmac changes, enabling const for the _message functions.
 1364 	* siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument,
 1365 	and use a local struct cmac128_ctx for message-specific state.
 1366 	(siv_cmac_set_key): Take a struct cmac128_key as argument. Updated
 1367 	callers.
 1368 	(siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const
 1369 	struct cmac128_key as argument. Updated callers.
 1370 
 1371 	* siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key
 1372 	rather than struct cmac128_ctx.
 1373 
 1374 	* siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message)
 1375 	(siv_cmac_aes256_decrypt_message): Likewise.
 1376 	* siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message)
 1377 	(siv_cmac_aes128_decrypt_message): The ctx argument made const.
 1378 
 1379 2019-05-15  Niels Möller  <nisse@lysator.liu.se>
 1380 
 1381 	* siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE):
 1382 	New constants.
 1383 	* testsuite/siv-test.c: Simplify tests a little.
 1384 
 1385 	* siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
 1386 	* siv-cmac.c (_siv_s2v): Require non-empty nonce.
 1387 	* nettle.texinfo (SIV-CMAC): Update documentation.
 1388 
 1389 2019-05-06  Niels Möller  <nisse@lysator.liu.se>
 1390 
 1391 	SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
 1392 	* siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants.
 1393 	(SIV_CMAC_CTX): New macro.
 1394 	(struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New
 1395 	context structs.
 1396 	* siv-cmac.c (_siv_s2v, siv_cmac_set_key)
 1397 	(siv_cmac_encrypt_message)
 1398 	(siv_cmac_decrypt_message): New file, new functions.
 1399 	* siv-cmac-aes128.c (siv_cmac_aes128_set_key)
 1400 	(siv_cmac_aes128_encrypt_message)
 1401 	(siv_cmac_aes128_decrypt_message): New file, new functions.
 1402 	* siv-cmac-aes256.c (siv_cmac_aes256_set_key)
 1403 	(siv_cmac_aes256_encrypt_message)
 1404 	(siv_cmac_aes256_decrypt_message): New file, new functions.
 1405 	* Makefile.in (nettle_SOURCES): Add siv-cmac source files.
 1406 	(HEADERS): Add siv-cmac.h.
 1407 	* testsuite/siv-test.c: New file.
  1408 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c.
 1409 	* nettle.texinfo (SIV-CMAC): Documentation.
 1410 
 1411 2019-04-30  Niels Möller  <nisse@lysator.liu.se>
 1412 
 1413 	Based on a patch contributed by Nikos Mavrogiannopoulos.
 1414 	* cmac.c (_cmac128_block_mulx): Renamed function...
 1415 	(block_mulx): ... from old name.
 1416 	* cmac-internal.h (_cmac128_block_mulx): New file, declare function.
 1417 	* Makefile.in (DISTFILES): Added cmac-internal.h.
 1418 
 1419 2019-06-26  Niels Möller  <nisse@lysator.liu.se>
 1420 
 1421 	* Released nettle-3.5.1.
 1422 
 1423 	* configure.ac: Update version number to 3.5.1.
 1424 
 1425 	* Makefile.in (distdir): Add x86_64/sha_ni to list of distributed
 1426 	directories.
 1427 
 1428 	* Released nettle-3.5.
 1429 
 1430 2019-06-25  Niels Möller  <nisse@lysator.liu.se>
 1431 
 1432 	* config.sub: Update to 2019-05-23 version, from savannah's
 1433 	config.git.
 1434 	* config.guess: Update to 2019-06-10 version, from savannah's
 1435 	config.git. Adds recognition of mips R6 and riscv.
 1436 
 1437 2019-06-05  Niels Möller  <nisse@lysator.liu.se>
 1438 
 1439 	Further separation of CMAC per-message state from the
 1440 	message-independent subkeys, analogous to the gcm implementation.
 1441 	* cmac.h (struct cmac128_ctx): Remove key, instead a struct
 1442 	cmac128_key should be passed separately to functions that need it.
 1443 	(CMAC128_CTX): Include both a struct cmac128_key and a struct
 1444 	cmac128_ctx.
 1445 	(CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly.
 1446 
 1447 	* cmac.c (cmac128_set_key): Change argument type from cmac128_ctx
 1448 	to cmac128_key. Use a nettle_block16 for the constant zero block.
 1449 	(cmac128_init): New function, to initialize a cmac128_ctx.
 1450 	(cmac128_digest): Add cmac128_key argument. Move padding memset
 1451 	into the block handling a partial block. Call cmac128_init to
 1452 	reset state.
 1453 
 1454 2019-06-01  Niels Möller  <nisse@lysator.liu.se>
 1455 
 1456 	* cmac.h (struct cmac128_key): New struct.
 1457 	* cmac.h (struct cmac128_ctx): Use struct cmac128_key.
 1458 	* cmac.c (cmac128_set_key, cmac128_digest): Update accordingly.
 1459 
 1460 2019-05-12  Niels Möller  <nisse@lysator.liu.se>
 1461 
 1462 	Delete old libdes/openssl compatibility interface.
 1463 	* des-compat.c: Delete file.
 1464 	* des-compat.h: Delete file.
 1465 	* testsuite/des-compat-test.c: Delete file.
 1466 	* nettle.texinfo (Compatibility functions): Delete mention in documentation.
 1467 
 1468 2019-05-11  Niels Möller  <nisse@lysator.liu.se>
 1469 
 1470 	* NEWS: More updates for Nettle-3.5.
 1471 
 1472 2019-04-27  Niels Möller  <nisse@lysator.liu.se>
 1473 
 1474 	From Simo Sorce:
 1475 	* x86_64/poly1305-internal.asm: Add missing EPILOGUE.
 1476 	* x86_64/serpent-decrypt.asm: Likewise.
 1477 	* x86_64/serpent-encrypt.asm: Likewise.
 1478 
 1479 2019-04-14  Niels Möller  <nisse@lysator.liu.se>
 1480 
 1481 	* tools/nettle-pbkdf2.c (main): Check strdup return value.
 1482 
 1483 2019-03-29  Niels Möller  <nisse@lysator.liu.se>
 1484 
 1485 	* aes.h (struct aes_ctx): Redefine using a union of key-size
 1486 	specific contexts.
 1487 	* aes-decrypt.c (aes_decrypt): Use switch on key_size.
 1488 	* aes-encrypt.c (aes_encrypt): Likewise.
 1489 	* aes-set-decrypt-key.c (aes_invert_key): Likewise.
 1490 	* aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise.
 1491 
 1492 2019-03-27  Niels Möller  <nisse@lysator.liu.se>
 1493 
 1494 	* xts.c (xts_shift): Arrange with a single write to u64[1].
 1495 	* cmac.c (block_mulx): Rewrite to work in the same way as
 1496 	xts_shift, with 64-bit operations. XTS and CMAC use opposite
 1497 	endianness, but otherwise, these two functions are identical.
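
	As an added example (not Nettle's own cmac.c or xts.c code), the
	doubling-by-x step the entry above describes, written once on two
	64-bit words and wrapped with the big-endian byte order CMAC uses
	and the little-endian order XTS uses; the function names and the
	byte-wise reference are this example's own, and the CMAC subkey
	vectors are those of RFC 4493.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16
/* Reduction constant for x^128 = x^7 + x^2 + x + 1; the same in both modes. */
#define GF128_POLY 0x87

/* Endian-explicit 64-bit loads and stores, so the code is correct on any host. */
static uint64_t read_be64(const uint8_t *p)
{ uint64_t v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static uint64_t read_le64(const uint8_t *p)
{ uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void write_be64(uint8_t *p, uint64_t v)
{ for (int i = 7; i >= 0; i--, v >>= 8) p[i] = (uint8_t) v; }
static void write_le64(uint8_t *p, uint64_t v)
{ for (int i = 0; i < 8; i++, v >>= 8) p[i] = (uint8_t) v; }

/* Shared core: shift the 128-bit value hi:lo left by one bit and xor in
 * GF128_POLY when the bit shifted out was set. The mask (0 - carry) avoids a
 * data-dependent branch, so a secret subkey or tweak does not affect timing. */
static void mulx_words(uint64_t *hi, uint64_t *lo)
{
  uint64_t carry = *hi >> 63;
  *hi = (*hi << 1) | (*lo >> 63);
  *lo = (*lo << 1) ^ (GF128_POLY & (0 - carry));
}

/* CMAC (RFC 4493): the block is a big-endian number, byte 0 most significant. */
void cmac_block_mulx(uint8_t *dst, const uint8_t *src)
{
  uint64_t hi = read_be64(src), lo = read_be64(src + 8);
  mulx_words(&hi, &lo);
  write_be64(dst, hi);
  write_be64(dst + 8, lo);
}

/* XTS (IEEE P1619): the tweak is a little-endian number, byte 15 most significant. */
void xts_tweak_shift(uint8_t *dst, const uint8_t *src)
{
  uint64_t hi = read_le64(src + 8), lo = read_le64(src);
  mulx_words(&hi, &lo);
  write_le64(dst + 8, hi);
  write_le64(dst, lo);
}

/* Plain byte-by-byte definition of the XTS shift, kept only as a reference. */
static void xts_shift_bytewise(uint8_t *dst, const uint8_t *src)
{
  int carry = src[15] >> 7;
  for (int i = 15; i > 0; i--)
    dst[i] = (uint8_t) ((src[i] << 1) | (src[i - 1] >> 7));
  dst[0] = (uint8_t) (src[0] << 1) ^ (carry ? GF128_POLY : 0);
}

/* Check against the AES-128 CMAC subkey vectors in RFC 4493, section 4:
 * K1 = L*x and K2 = K1*x, where L = AES_K(0^128). Returns 1 when both match. */
int cmac_subkeys_match_rfc4493(void)
{
  static const uint8_t L[BLOCK_SIZE] = {
    0x7d,0xf7,0x6b,0x0c,0x1a,0xb8,0x99,0xb3,0x3e,0x42,0xf0,0x47,0xb9,0x1b,0x54,0x6f };
  static const uint8_t K1[BLOCK_SIZE] = {
    0xfb,0xee,0xd6,0x18,0x35,0x71,0x33,0x66,0x7c,0x85,0xe0,0x8f,0x72,0x36,0xa8,0xde };
  static const uint8_t K2[BLOCK_SIZE] = {
    0xf7,0xdd,0xac,0x30,0x6a,0xe2,0x66,0xcc,0xf9,0x0b,0xc1,0x1e,0xe4,0x6d,0x51,0x3b };
  uint8_t k1[BLOCK_SIZE], k2[BLOCK_SIZE];
  cmac_block_mulx(k1, L);
  cmac_block_mulx(k2, k1);
  return memcmp(k1, K1, BLOCK_SIZE) == 0 && memcmp(k2, K2, BLOCK_SIZE) == 0;
}

/* Constructed check: the word-based XTS shift agrees with the byte-wise
 * definition on tweaks exercising every carry path, and the CMAC version is
 * the same operation on the byte-reversed block. Returns 1 on success. */
int shifts_agree(void)
{
  static const uint8_t tweaks[4][BLOCK_SIZE] = {
    { 0x80 },                                  /* carry inside the low word */
    { 0, 0, 0, 0, 0, 0, 0, 0x80 },             /* carry between the two words */
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x80 }, /* carry out: 0x87 */
    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },    /* all carries */
  };
  uint8_t a[BLOCK_SIZE], b[BLOCK_SIZE], rev[BLOCK_SIZE];
  for (int t = 0; t < 4; t++)
    {
      xts_tweak_shift(a, tweaks[t]);
      xts_shift_bytewise(b, tweaks[t]);
      if (memcmp(a, b, BLOCK_SIZE) != 0)
        return 0;
      for (int i = 0; i < BLOCK_SIZE; i++)
        rev[i] = tweaks[t][BLOCK_SIZE - 1 - i];
      cmac_block_mulx(b, rev);
      for (int i = 0; i < BLOCK_SIZE; i++)
        if (b[i] != a[BLOCK_SIZE - 1 - i])
          return 0;
    }
  return 1;
}
```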

2019-03-24  Niels Möller  <nisse@lysator.liu.se>

	From Simo Sorce:
	* xts.h: New file.
	* xts.c: New file.
	(BE_SHIFT): New macro.
	(xts_shift, check_length, xts_encrypt_message)
	(xts_decrypt_message): New functions.
	* xts-aes128.c (xts_aes128_set_encrypt_key)
	(xts_aes128_set_decrypt_key, xts_aes128_encrypt_message)
	(xts_aes128_decrypt_message): New file, new functions.
	* xts-aes256.c (xts_aes256_set_encrypt_key)
	(xts_aes256_set_decrypt_key, xts_aes256_encrypt_message)
	(xts_aes256_decrypt_message): New file, new functions.
	* nettle.texinfo (XTS): Document XTS mode.
	* Makefile.in (nettle_SOURCES): Add xts source files.
	(HEADERS): New installed header xts.h.
	* testsuite/xts-test.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c.

2019-02-06  Niels Möller  <nisse@lysator.liu.se>

	* gosthash94.h (struct gosthash94_ctx): Move block buffer last in
	struct.
	* md2.h (struct md2_ctx): Likewise.
	* md4.h (struct md4_ctx): Likewise.
	* md5.h (struct md5_ctx): Likewise.
	* ripemd160.h (struct ripemd160_ctx): Likewise.
	* sha1.h (struct sha1_ctx): Likewise.
	* sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise.

2019-01-19  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (TARGETS): Delete eratosthenes, left over
	from earlier change.

	* fat-arm.c: Fix declarations of chacha_core functions.

	From Yuriy M. Kaminskiy:
	* fat-setup.h (chacha_core_func): New typedef.
	* fat-arm.c (fat_init): Enable choice between
	_nettle_chacha_core_c and _nettle_chacha_core_neon.
	* configure.ac (asm_nettle_optional_list): Add
	chacha-core-internal-2.asm.
	* chacha-core-internal.c: Enable fat build with C and asm version.
	* arm/fat/chacha-core-internal-2.asm: New file.

2019-01-12  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c: Deleted program.
	* examples/Makefile.in: Delete rule to build and distribute it.

2019-01-10  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-compute-root-test.c (test_one): Use %u and
	corresponding cast, when printing bit sizes.

2019-01-09  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to
	inline asm.

2019-01-08  Niels Möller  <nisse@lysator.liu.se>

	* sha512-compress.c: Add missing include of sha2-internal.h.

2019-01-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert
	call with side-effects.

2019-01-06  Niels Möller  <nisse@lysator.liu.se>

	* nettle-types.h: Don't use nettle-stdint.h, include <stdint.h>
	directly.
	* nettle-write.h: Likewise.
	* configure.ac: Delete use of AX_CREATE_STDINT_H.
	* aclocal.m4 (AX_CREATE_STDINT_H): Delete.
	* Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of
	nettle-stdint.h.

2018-12-26  Niels Möller  <nisse@lysator.liu.se>

	* examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper
	function. Call openssl's RSA_generate_key_ex rather than the
	deprecated RSA_generate_key.
	(bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it.

	* eccdata.c (ecc_pippenger_precompute): Check that table size is
	at least 2. Intended to silence warning from the clang static
	analyzer.

	* configure.ac: Bump package version to 3.5.
	(LIBNETTLE_MAJOR): Bump major number, now 7.
	(LIBHOGWEED_MAJOR): Bump major number, now 5.
	(LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero.

	* pkcs1-internal.h: New header file, moved declarations of
	_pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here.
	* rsa-internal.h: ... old location.
	* Makefile.in (DISTFILES): Added pkcs1-internal.h.
	* pkcs1-decrypt.c: Include new file.
	* pkcs1-sec-decrypt.c: Likewise.
	* rsa-decrypt-tr.c: Likewise.
	* rsa-sec-decrypt.c: Likewise.
	* testsuite/pkcs1-sec-decrypt-test.c: Likewise.

	* tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for
	strdup with gcc -std=c89.
	* testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for
	getline with gcc -std=c89.

	* rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop.
	Reported by Andreas Gustafsson.
	* testsuite/rsa-sec-decrypt-test.c (test_main): Likewise.

2018-12-04  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.4.1.

2018-11-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Update GMP check. Check for the function
	mpn_sec_div_r, available since GMP-6.0.0.

	* testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
	decrypted storage. Update test of rsa_decrypt, to allow clobbering
	of all of the passed in message area.

	* pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around
	_pkcs1_sec_decrypt_variable. Improves side-channel silence of the
	only caller, rsa_decrypt.

	* Makefile.in (DISTFILES): Add rsa-internal.h, needed for make
	dist. Patch from Simo Sorce.

	* rsa-internal.h: Add include of rsa.h.

2018-11-27  Niels Möller  <nisse@lysator.liu.se>

	* rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New
	local helper functions, with their own itch functions.
	(_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to
	use helpers, for clarity.

2018-11-26  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-compute-root-test.c (generate_keypair): Simplify
	selection of psize and qsize, and fix so that qsize is used.
	(test_main): Add outer loop, to test with more than one key.
	Deallocate storage before exiting.

2018-11-25  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-compute-root-test.c: Renamed, from ...
	* testsuite/rsa-sec-compute-root-test.c: ... old name.

	* rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ...
	* rsa-internal.h (_rsa_sec_compute_root_tr): ... new location.
	* rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from...
	(rsa_sec_compute_root_tr): ... old name. Updated callers.
	(cnd_mpn_zero): Use a volatile-declared mask variable.

	* testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix
	masking of most significant bits.

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Use
	NETTLE_OCTET_SIZE_TO_LIMB_SIZE.

	* testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
	valgrind marking, and document potential leakage of lowest and
	highest bits of p and q.

	* rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
	mpz_sizeinbase, since that potentially leaks most significant bits
	of private key parameters a and b.

	* testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
	valgrind marking of return value.

	Merged below changes from Simo Sorce, to make RSA private key
	operations side-channel silent.

2018-11-08  Simo Sorce  <simo@redhat.com>

	* rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use
	_rsa_sec_compute_root.

	* testsuite/rsa-sec-compute-root-test.c: Add more tests for new
	side-channel silent functions.

	* rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn,
	since that is required for one of the GMP calls in
	_rsa_sec_compute_root.

	* rsa-decrypt-tr.c: Switch to use side-channel silent functions.

	* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private
	function. Variable size version for backwards compatibility.

	* testsuite/rsa-sec-decrypt-test.c: Adds more tests.

	* rsa-sec-decrypt.c (rsa_sec_decrypt): New function.
	Fixed length side-channel silent version of rsa-decrypt.
	* testsuite/rsa-encrypt-test.c: Add tests for the new function.

	* testsuite/pkcs1-sec-decrypt-test.c: Adds tests for
	_pkcs1_sec_decrypt.

	* gmp-glue.c (mpn_get_base256): New function.

	* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function.
	Fixed length side-channel silent version of pkcs1-decrypt.

	* cnd-memcpy.c (cnd_memcpy): New function.
	* memops.h: Declare it.
	* testsuite/cnd-memcpy-test.c: New test case.

	* rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses
	_rsa_sec_compute_root, as well as side-channel silent RSA
	blinding.
	(rsa_compute_root_tr): Rewritten as a wrapper around
	rsa_sec_compute_root_tr.
	(rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root)
	(cnd_mpn_zero): New helper functions.
	(rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not
	side-channel silent wrapper around rsa_compute_root_tr, and the
	latter function left unchanged.

	* rsa-sec-compute-root.c (_rsa_sec_compute_root_itch)
	(_rsa_sec_compute_root): New file, new private functions.
	Side-channel silent version of rsa_compute_root.
	* rsa-internal.h: New header file with declarations.

	* gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro.

2018-11-24  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version to 3.4.1.
	(LIBNETTLE_MINOR): Bump library version to 6.5.
	(LIBHOGWEED_MINOR): Bump library version to 4.5.

2018-11-17  Niels Möller  <nisse@lysator.liu.se>

	* examples/hogweed-benchmark.c (bench_rsa_verify)
	(bench_openssl_rsa_tr_init): New functions.
	(alg_list): Benchmark timing-resistant RSA functions, i.e.,
	including RSA blinding.
	(main): Increase width of first column, here and in other
	printouts.

2018-10-10  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	* ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when
	processing more than one full block of size CTR_BUFFER_LIMIT, src
	and dst arguments to memxor3 were not properly updated.

2018-10-10  Niels Möller  <nisse@lysator.liu.se>

	* aes-set-encrypt-key.c: Add missing include of stdlib.h.
	* des-compat.c: Likewise.

2018-09-13  Niels Möller  <nisse@lysator.liu.se>

	* rsa-keygen.c (rsa_generate_keypair): Delete unlikely and
	redundant check for p == q.

2018-08-09  Niels Möller  <nisse@lysator.liu.se>

	* rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with
	_NETTLE_ATTRIBUTE_DEPRECATED.

	* nettle-types.h (_NETTLE_ATTRIBUTE_PURE)
	(_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and
	lookalikes.
	* ecc-curve.h: Include nettle-types.h, and use
	_NETTLE_ATTRIBUTE_PURE instead of local definition.
	* nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit
	#ifdefs.

	* aes.h: Mark functions using struct aes_ctx interface as
	deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where
	the functions are implemented or tested.
	* gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated.

	* nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper)
	(blowfish128_set_key_wrapper): Wrapper functions, to avoid cast
	between incompatible function types (which gcc-8 warns about).
	Wrappers are expected to compile to a single jmp instruction.

	* des-compat.c (des_compat_des3_encrypt)
	(des_compat_des3_decrypt): Change length argument type to size_t.

2018-08-08  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Compatibility): New section on ABI and API
	compatibility.

2018-07-25  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	* examples/nettle-benchmark.c: Add benchmarking for HMAC functions.

2018-07-13  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c (vector_alloc): Add assert related to
	overflow in the size calculation. Fixes a corner case identified
	by static analysis.
	(vector_init): Analogous assert.

2018-07-12  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c (main): Don't allocate bitmap storage
	for limit == 2 (early exit), closing memory leak at exit.
	(main): Fix handling of short -q option.

	* eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui,
	to fix memory leak.
	(ecc_curve_clear): New function.
	(main): Call it, to deallocate storage before exit.

2018-07-08  Niels Möller  <nisse@lysator.liu.se>

	* fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress.
	* x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name.
	* x86_64/fat/sha1-compress-2.asm: Likewise.

2018-07-07  Niels Möller  <nisse@lysator.liu.se>

	From Nikos Mavrogiannopoulos.
	* sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to
	public function, since there's known application usage (filezilla).
	* sha1.h (_nettle_sha1_compress): Old name, now a preprocessor
	alias for the new name.
	* md5-compress.c (nettle_md5_compress): Similarly renamed (used by
	sogo).
	* md5.h (_nettle_md5_compress): Old name, now a preprocessor
	alias for the new name.

	* chacha-internal.h, dsa-internal.h, eddsa-internal.h:
	* hogweed-internal.h, ripemd160-internal.h, rsa-internal.h:
	* salsa20-internal.h, sha2-internal.h, sha3-internal.h:
	* umac-internal.h: Internal declarations moved to new header
	files, which are not installed.
	* Makefile.in (DISTFILES): Added above files.

	* libnettle.map.in: Use a different symbol version for _nettle_*
	symbols, depending on the minor release. This marks these symbols
	explicitly not part of the public Nettle ABI.
	* libhogweed.map.in: Analogous change.

2018-06-17  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed
	by Dmitry Eremin-Solenikov.

	* testsuite/symbols-test: Exclude ____chkstk_darwin symbols,
	produced by Apple's Xcode 10 compiler. Patch contributed by
	Dominyk Tiller.

2018-03-25  Niels Möller  <nisse@lysator.liu.se>

	From Michael Weiser.
	* configure.ac (ASM_WORDS_BIGENDIAN): New substitution, set from AC_C_BIGENDIAN.
	* config.m4.in: Use it to set WORDS_BIGENDIAN.
	* asm.m4 (IF_BE, IF_LE): New macros.
	* arm/memxor.asm: Support big-endian ARM.
	* arm/memxor3.asm: Likewise.
	* arm/neon/chacha-core-internal.asm: Likewise.
	* arm/neon/salsa20-core-internal.asm: Likewise.
	* arm/neon/umac-nh.asm: Likewise.
	* arm/v6/sha1-compress.asm: Likewise.
	* arm/v6/sha256-compress.asm: Likewise.
	* arm/README: Document big-endian considerations.

2018-03-17  Niels Möller  <nisse@lysator.liu.se>

	Discourage direct access to data symbols with non-public size.
	Direct references to these symbols may result in copy-relocations
	like R_X86_64_COPY, which make the symbol size leak into the ABI.
	* ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1)
	(_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add
	leading underscore on these data symbols.

	* nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads)
	(_nettle_armors): Add leading underscore on these data symbols.
	Update all internal use. Macros without leading underscore remain,
	and expand to access via accessor functions nettle_get_ciphers and
	similar.

2018-03-10  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (ecc_table_size): New helper function.
	(ecc_pippenger_precompute): Display warning for poor parameters.

	* eccparams.c (main): New program, to list parameter alternatives
	for Pippenger's algorithm.

	* Makefile.in: Tweak parameters for ecc tables.
	(ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6.
	Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3%
	for ecdsa signatures.
	(ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c =
	7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on
	64-bit platforms). Minor speedup, appr. 1% for ecdsa signatures.
	(ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c =
	6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures.
	(ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c =
	6. Table size unchanged. 12% speedup for ecdsa signatures.
	(ecc-521.h): Changed parameters from k = 56, c = 6 to k = 44, c = 6.
	Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit
	platforms). 15% speedup for ecdsa signatures.
	(ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c =
	6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures.

2018-03-14  Niels Möller  <nisse@lysator.liu.se>

	Merge sha256 code using the x86_64 sha_ni instructions, starting
	2018-02-21.

2018-03-11  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/fat/sha256-compress.asm: New file.
	* x86_64/fat/sha256-compress-2.asm: New file.
	* fat-x86_64.c (fat_init): Select plain x86_64 assembly version or
	sha_ni version for sha256_compress.

2018-02-21  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni
	instructions.

2018-02-20  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly.

2018-02-19  Niels Möller  <nisse@lysator.liu.se>

	Mostly aesthetic changes. Besides indentation:
	* cmac.h (struct cmac128): Rename, to cmac128_ctx.
	(CMAC128_CTX): Rename first member from data to ctx.

	* cmac.c: Use const void * as the type for cipher arguments.
	(block_mulx): Un-inline.
	(cmac128_set_key): Make a constant function local.

	* testsuite/cmac-test.c: Delete local typedefs.

2018-02-19  Nikos Mavrogiannopoulos  <nmav@redhat.com>

	Add support for CMAC.
	* cmac.h: New file.
	(struct cmac128): New struct.
	* cmac.c (block_mulx, cmac128_set_key, cmac128_update)
	(cmac128_digest): New file, new functions.
	* cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update)
	(cmac_aes128_digest): New file, new functions.
	* cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update)
	(cmac_aes256_digest): New file, new functions.
	* Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c.
	(HEADERS): Added cmac.h.

	* testsuite/cmac-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c.

	* examples/nettle-benchmark.c (time_cmac): New function.
	(main): Use it.

	* nettle.texinfo: Document CMAC.

2018-02-20  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/cbc-test.c (test_cbc_bulk): Use struct
	aes256_ctx, instead of the deprecated struct aes_ctx.
	* testsuite/cfb-test.c (test_cfb_bulk): Likewise.
	* examples/rsa-session.h (struct rsa_session): Likewise.
	* examples/rsa-encrypt.c (rsa_session_set_encrypt_key)
	(process_file): Use aes256_* functions.
	* examples/rsa-decrypt.c (rsa_session_set_decrypt_key)
	(process_file): Likewise.

2018-02-19  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.h: Include sha3.h, needed for the definition of
	NETTLE_MAX_HASH_CONTEXT_SIZE.
	(TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support
	allocation of context structs with alignment requirements.
	[!HAVE_ALLOCA]: Also use assert, rather than calling abort
	directly.

	* pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros.
	* pss-mgf1.c (pss_mgf1): Likewise.

2018-02-18  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c...
	(TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds
	without public-key support.

2018-02-18  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	* examples/nettle-openssl.c: Move expressions with side effects
	out of asserts.

2018-02-17  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	(openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use
	EVP_CipherInit_ex.
	* examples/nettle-openssl.c (nettle_openssl_gcm_aes128)
	(nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead
	algorithms, for benchmarking purposes, and supporting wrapper functions.
	* nettle-internal.h: Corresponding declarations.
	* examples/nettle-benchmark.c (main): Include openssl's gcm aes in
	benchmark.

2018-02-16  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Improved index entries.
	(Cipher functions): Update CAST128/CAST5 docs. Inconsistencies
	spotted by Henrik Rindlöw.

2018-02-10  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: New configure option --enable-x86-sha-ni.

2018-02-07  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/fat/sha1-compress.asm: New file.
	* x86_64/fat/sha1-compress-2.asm: New file.
	* fat-x86_64.c (fat_init): Select plain x86_64 assembly version or
	sha_ni version for sha1_compress.

2018-02-05  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni
	instructions.

	* fat-x86_64.c (get_x86_features): Check for sha_ni extension.

	* x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction.

2018-02-01  Nikos Mavrogiannopoulos  <nmav@redhat.com>

	* gcm.c (gcm_fill): New function, for use with _ctr_crypt16.
	(gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of
	gcm_aes128, benchmarked on x86_64 with aesni instructions.

2018-02-01  Niels Möller  <nisse@lysator.liu.se>

	Based on a patch contributed by Nikos Mavrogiannopoulos.
	* ctr16.c (_ctr_crypt16): New file, renamed and generalized
	function. New function pointer argument, used to fill a block with
	counter values. Use nettle_block16 * as the type for the buffer to
	be filled. Always process any final and partial block, and return
	no value.
	* ctr.c (ctr_crypt): ... previous, replaced, function.
	(ctr_fill16): Updated to new argument type.
	(ctr_crypt): Return immediately after using _ctr_crypt16.

	* ctr-internal.h: New file, declaring _ctr_crypt16.
	(nettle_fill16_func): New function typedef.

	* Makefile.in (nettle_SOURCES): Added ctr16.c.
	(DISTFILES): Added ctr-internal.h.

2018-01-30  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (clean-here): Don't delete desdata.stamp.

2018-01-24  Jay Foad  <jay.foad@gmail.com>

	* Makefile.in (TARGETS): Delete dependencies on aesdata, desdata,
	twofishdata, shadata and gcmdata. They are not needed for a normal
	build.
	(clean-here): Explicitly delete of above files.
	(desdata.stamp): New stamp target, to avoid building desdata twice
	in a parallel build.

2018-01-23  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (asm_path): Recognize "x86", in addition to "i?86",
	for 32-bit x86 processors. Reportedly needed for x86 android builds.

2018-01-20  Niels Möller  <nisse@lysator.liu.se>

	CFB8 support, contributed by Dmitry Eremin-Solenikov.
	* cfb.c (cfb8_encrypt, cfb8_decrypt): New functions.
	* cfb.h: Declare them.
	(CFB8_ENCRYPT, CFB8_DECRYPT): New macros.
	* testsuite/cfb-test.c: New tests for CFB8.
	* nettle.texinfo (CFB and CFB8): Documentation.

2018-01-16  Niels Möller  <nisse@lysator.liu.se>

	* tools/pkcs1-conv.c (convert_file): Add missing break statements.

2018-01-09  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_cipher_ctr): Test operations with
	shorter sizes.

	* testsuite/ctr-test.c: Additional unofficial test vectors, to
	exercise carry propagation in the counter, and block size
	different from 16.

2018-01-08  Niels Möller  <nisse@lysator.liu.se>

	* ctr.c (ctr_crypt16): New function, with optimizations specific
	to 16-byte block size.
	(ctr_fill16): New helper function, definition depending on
	WORDS_BIGENDIAN, and little endian version requiring
	HAVE_BUILTIN_BSWAP64.
	(ctr_crypt): Use ctr_crypt16, when appropriate.

	* nettle-types.h (union nettle_block16): Add uint64_t field.

	* configure.ac: Check for __builtin_bswap64, define
	HAVE_BUILTIN_BSWAP64 if available.

	* ctr.c (ctr_fill): New function. Use in ctr_crypt.

	* ctr.c (ctr_crypt): For in-place operation, increase max buffer
	size from 4 blocks to 512 bytes, similarly to CBC and CFB.
	Improves in-place aes128 CTR performance by 25% on x86_64.

	* examples/nettle-benchmark.c (time_cipher): Benchmark in-place
	operation separately, for cbc_decrypt and ctr_crypt.

	* cbc.c (cbc_decrypt): For in-place operation (src == dst case),
	eliminate use of src variable.
	* cfb.c (cfb_decrypt): Likewise.
	* gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor.

2018-01-03  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm
	registers before the block loop, and completely unroll the round
	loop.
	* x86_64/aesni/aes-decrypt-internal.asm: Likewise.

2017-11-19  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.4.

2017-11-12  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Update check of GMP_NUMB_BITS declaration in
	assembly files. Was broken by rename of configure variable
	GMP_NUMB_BITS --> NUMB_BITS.

2017-11-11  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers
	and nettle_get_aeads, and replace nettle_secp_256r1 by
	nettle_get_secp_256r1. Update version numbers. Delete ancient
	setting of ispell-skip-region-alist as an emacs file-local
	variable.

2017-11-08  Niels Möller  <nisse@lysator.liu.se>

	* ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1)
	(nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete
	macro wrappers, partially reverting below 2017-04-09 change. They
	didn't work at all for applications that only see a forward
	declaration of struct ecc_curve. Instead, we will have to make an
	ABI and API break and delete these symbols, when the size of
	struct ecc_curve is increased.

2017-11-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version to 3.4.
	(LIBNETTLE_MINOR): Bump library version to 6.4.
	(LIBHOGWEED_MINOR): Bump library version to 4.4.

2017-10-23  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the
	environment, to support Mac OSX shared libraries.
	* testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise.

2017-10-23  Niels Möller  <nisse@lysator.liu.se>

	Merge API fixes, starting at 2017-01-12.

2017-04-09  Niels Möller  <nisse@lysator.liu.se>

	* ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1)
	(nettle_get_secp_256r1, nettle_get_secp_384r1)
	(nettle_get_secp_521r1): New functions, returning a pointer to
	corresponding structure.
	(nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1)
	(nettle_secp_384r1, nettle_secp_521r1): Redefined as macros,
	calling the corresponding function.

	* nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New
	macros, analogous to below change to nettle_hashes.

	* nettle-meta-ciphers.c (nettle_get_ciphers): New function.

	* nettle-meta-aeads.c (nettle_get_aeads): New function.

	* nettle-meta-armors.c (nettle_get_armors): New function.

2017-01-12  Niels Möller  <nisse@lysator.liu.se>

	* tools/nettle-hash.c (find_algorithm): Deleted function.
	(main): Replaced by call to nettle_lookup_hash.

	* testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash.

	* nettle-meta.h (nettle_hashes): New macro, expanding to a call to
	nettle_get_hashes. Direct access to the array causes the array
	size to leak into the ABI, since a plain un-relocatable executable
	linking with libnettle.so gets copy relocations for any referenced
	data items in the shared library.

	* nettle-meta-hashes.c (nettle_get_hashes): New function.

2017-10-16  Niels Möller  <nisse@lysator.liu.se>

	CFB support, contributed by Dmitry Eremin-Solenikov.
	* cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions.
	* cfb.h: New header file.
	(CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros.
	* Makefile.in (nettle_SOURCES): Add cfb.c.
	(HEADERS): Add cfb.h.
	* testsuite/cfb-test.c: New test case.
	* testsuite/testutils.c (test_cipher_cfb): New function.
	* nettle.texinfo (CFB): Documentation.
 2227 
 2228 2017-10-16  Niels Möller  <nisse@lysator.liu.se>
 2229 
 2230 	* aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with
 2231 	gcc.
 2232 
 2233 2017-09-27  Niels Möller  <nisse@lysator.liu.se>
 2234 
 2235 	Merged armor-signedness branch, starting 2017-08-27.
 2236 
 2237 2017-09-24  Niels Möller  <nisse@lysator.liu.se>
 2238 
 2239 	* tools/pkcs1-conv.c (base64_decode_in_place): New helper
 2240 	function.
 2241 	(decode_base64): Use it.
 2242 
 2243 	* sexp-transport-format.c (base64_encode_in_place): New helper
 2244 	function.
 2245 	(sexp_transport_vformat): Use it.
 2246 
 2247 	* testsuite/base64-test.c (test_fuzz_once): Update to use char
 2248 	type where appropriate.
 2249 	(test_main): Use helper functions base64_encode_in_place and
 2250 	base64_decode_in_place (copied to this file).
 2251 
 2252 	* testsuite/testutils.c (tstring_data): Use uint8_t for data
 2253 	argument.
 2254 	* testsuite/testutils.h (SDATA): Use US macro to cast data
 2255 	argument.
 2256 
 2257 2017-08-27  Niels Möller  <nisse@lysator.liu.se>
 2258 
 2259 	* base64-encode.c (base64_encode_raw, base64_encode_group)
 2260 	(base64_encode_single, base64_encode_update)
 2261 	(base64_encode_final): Change type of destination to char *.
 2262 	* base16-encode.c (base16_encode_single, base16_encode_update):
 2263 	Likewise.
 2264 	* base64-decode.c (base64_decode_single, base64_decode_update):
 2265 	Change type of source argument to const char *. Update (almost)
 2266 	all callers.
 2267 	* base16-decode.c (base16_decode_single, base16_decode_update):
 2268 	Likewise.
 2269 	* nettle-types.h (nettle_armor_encode_update_func)
 2270 	(nettle_armor_encode_final_func, nettle_armor_decode_update_func):
 2271 	Corresponding updates to typedefs.
 2272 
 2273 2017-09-14  Niels Möller  <nisse@lysator.liu.se>
 2274 
 2275 	* hkdf.c: Delete unneeded includes. Use Nettle licensing notice.
 2276 	* hkdf.h: Include only nettle-types.h, not nettle-meta.h.
 2277 
 2278 	* ecc-mod.c (ecc_mod): Workaround to silence a false positive from
 2279 	the clang static analyzer.
 2280 
 2281 2017-09-12  Niels Möller  <nisse@lysator.liu.se>
 2282 
 2283 	* testsuite/testutils.h (mpn_zero_p): Avoid redefining mpn_zero_p
 2284 	when building with mini-gmp. Since the mini-gmp update, this
 2285 	function is defined by mini-gmp, causing link errors if nettle is
 2286 	configured with --enable-mini-gmp --disable-shared. Reported by
 2287 	Tim Rühsen.
 2288 
 2289 2017-09-09  Daiki Ueno  <dueno@redhat.com>
 2290 
 2291 	* testsuite/ecc-mul-g-test.c (test_main): Fixed mpn_cmp call.
 2292 	* testsuite/ecc-mul-a-test.c (test_main): Likewise.
 2293 	* eccdata.c (ecc_point_out): Write to given stream, instead of
 2294 	stderr.
 2295 	* eccdata.c (output_curve): In curve448, the bit size of the order
 2296 	is slightly smaller than that of p. Adjust ecc_Bmodq_shifted
 2297 	accordingly.
 2298 
 2299 2017-09-09  Niels Möller  <nisse@lysator.liu.se>
 2300 
 2301 	* mini-gmp.c: Updated mini-gmp from the gmp repository, latest
 2302 	change from 2017-07-23.
 2303 	* mini-gmp.h: Likewise.
 2304 
 2305 2017-09-06  Niels Möller  <nisse@lysator.liu.se>
 2306 
 2307 	* hkdf.c (hkdf_expand): Eliminate a (signed) ssize_t variable, use
 2308 	break rather than return at loop termination.
 2309 
 2310 2017-09-06  Niels Möller  <nisse@lysator.liu.se>
 2311 
 2312 	HKDF implementation, contributed by Nikos Mavrogiannopoulos.
 2313 	* hkdf.c (hkdf_extract, hkdf_expand): New file, new functions.
 2314 	* hkdf.h: New file.
 2315 	* Makefile.in (nettle_SOURCES): Add hkdf.c.
 2316 	(HEADERS): Add hkdf.h.
 2317 	* testsuite/hkdf-test.c: Tests for hkdf-sha256 and hkdf-sha1.
 2318 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added hkdf-test.c.
 2319 	* nettle.texinfo (Key derivation functions): Document HKDF.
 2320 
 2321 2017-09-04  Andreas Schneider  <asn@samba.org>
 2322 
 2323 	* fat-arm.c: Add missing define for _GNU_SOURCE.
 2324 
 2325 2017-08-27  Niels Möller  <nisse@lysator.liu.se>
 2326 
 2327 	* configure.ac (GMP_NUMB_BITS): Set to dummy value "n/a" in
 2328 	mini-gmp builds.
 2329 	(NUMB_BITS): New substituted variable which always holds the
 2330 	configured value.
 2331 	* Makefile.in (GMP_NUMB_BITS): Renamed variable...
 2332 	(NUMB_BITS): ...new name.
 2333 	* config.make.in: Update corresponding substitution.
 2334 
 2335 2017-08-26  Niels Möller  <nisse@lysator.liu.se>
 2336 
 2337 	* ecc-mod-inv.c (ecc_mod_inv): Add missing assert. Fixes a
 2338 	"dead increment" warning from the clang static analyzer.
 2339 
 2340 2017-08-26  Niels Möller  <nisse@lysator.liu.se>
 2341 
 2342 	* examples/nettle-openssl.c (struct openssl_cipher_ctx): New
 2343 	struct. Use everywhere, instead of typing EVP_CIPHER_CTX pointers
 2344 	directly.
 2345 
 2346 	* configure.ac: Update openssl-related tests. Checks for
 2347 	cipher-specific headers are replaced by a check for openssl/evp.h,
 2348 	and the check for the BF_ecb_encrypt function is replaced by a
 2349 	check for EVP_CIPHER_CTX_new.
 2350 
 2351 2017-08-03  Daniel P. Berrange  <berrange@redhat.com>
 2352 
 2353 	* examples/nettle-openssl.c: Rewritten to use openssl's EVP APIs.
 2354 	The older cipher-specific functions always use openssl's generic
 2355 	software implementation, while the EVP functions enable
 2356 	platform-specific code, e.g., using the x86 AES-NI instructions.
 2357 	(nettle_openssl_init): New function.
 2358 
 2359 2017-07-18  Niels Möller  <nisse@lysator.liu.se>
 2360 
 2361 	* ecc-add-eh.c (ecc_add_eh): Fix in-place operation by reordering
 2362 	two multiplies. Previously, in-place operation resulted in an
 2363 	invalid call to mpn_mul with overlapping operands. Reported by
 2364 	Sergei Trofimovich.
 2365 
 2366 2017-06-09  Niels Möller  <nisse@lysator.liu.se>
 2367 
 2368 	* pss.c (pss_verify_mgf1): Check for m being too large, fixing an
 2369 	assertion failure for certain invalid signatures. Based on a patch
 2370 	contributed by Daiki Ueno.
 2371 
 2372 	* testsuite/rsa-pss-sign-tr-test.c (test_main): Add test case
 2373 	contributed by Daiki Ueno. Problem originally found by oss-fuzz,
 2374 	see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132.
 2375 	That problem report is currently embargoed, but will hopefully be
 2376 	public in a month or two.
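
Added example, not code from Nettle's sources or this ChangeLog: the EMSA-PSS verify path of RFC 8017 with SHA-256 and MGF1, in Python, to show the check the 2017-06-09 entry refers to and the encoding that the 2017-04-04 RSA-PSS entries add. The integer m recovered from the signature (s^e mod n) must fit in emBits = modulus bits - 1; an m with more bits is an invalid signature and must return false rather than reach an assertion. The function names, the 1023-bit emBits, the fixed salt and the message are constructed for this example, and the RSA exponentiation that produces m is left out; like pss_verify_mgf1, pss_verify works on m directly.

```python
import hashlib
import hmac

HASH = hashlib.sha256
H_LEN = 32


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ... until mask_len bytes."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def pss_encode(m_hash: bytes, em_bits: int, salt: bytes) -> int:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): returns the encoded message as an integer
    of at most em_bits bits. The salt is normally random; it is a parameter here."""
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash and salt")
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(x ^ y for x, y in zip(db, mgf1(h, em_len - H_LEN - 1)))
    # Clear the leftmost 8*em_len - em_bits bits so the result fits in em_bits bits.
    top_mask = 0xFF >> (8 * em_len - em_bits)
    masked_db = bytes([masked_db[0] & top_mask]) + masked_db[1:]
    return int.from_bytes(masked_db + h + b"\xbc", "big")


def pss_verify(m_hash: bytes, m: int, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) applied to m = s^e mod n.
    Every malformed input, including an oversized m, yields False."""
    em_len = (em_bits + 7) // 8
    # The check described in the 2017-06-09 entry: an m wider than em_bits can
    # never be a valid encoding, so reject it before touching any byte layout.
    if m < 0 or m.bit_length() > em_bits:
        return False
    if em_len < H_LEN + s_len + 2:
        return False
    em = m.to_bytes(em_len, "big")
    if em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


if __name__ == "__main__":
    # Constructed input: emBits for a 1024-bit modulus, fixed 32-byte salt.
    digest = HASH(b"constructed message").digest()
    m = pss_encode(digest, 1023, bytes(range(32)))
    print(pss_verify(digest, m, 1023, 32), pss_verify(digest, m | (1 << 1023), 1023, 32))
```

The oversized-m test in the usage is the shape of input a fuzzer hands a verifier: a signature whose public-key operation yields a value with the high bit set, which no honest signer can produce.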
 2377 
 2378 2017-05-23  Niels Möller  <nisse@lysator.liu.se>
 2379 
 2380 	Rework the previous change, which had the unintended effect of
 2381 	always regenerating .test-rules.make after ./configure is run.
 2382 	* testsuite/Makefile.in (test-rules.stamp): New stamp file target,
 2383 	depend on Makefile.in, and run $(MAKE) test-rules.
 2384 	(.test-rules.make): Add a level of indirection, by depending on
 2385 	test-rules.stamp.
 2386 
 2387 2017-05-20  Niels Möller  <nisse@lysator.liu.se>
 2388 
 2389 	* testsuite/Makefile.in (test-rules): Use $(srcdir)/-prefix for
 2390 	.test-rules.make target, and change dependency from Makefile.in to
 2391 	Makefile.
 2392 
 2393 2017-05-17  Nikos Mavrogiannopoulos  <nmav@redhat.com>
 2394 
 2395 	* testsuite/Makefile.in: Ensure .test-rules.make is regenerated
 2396 	when Makefile.in is modified.
 2397 
 2398 2017-04-09  Niels Möller  <nisse@lysator.liu.se>
 2399 
 2400 	* testsuite/dlopen-test.c (main): Call dlclose, to fix memory leak
 2401 	on success.
 2402 
 2403 	* testsuite/pss-test.c: Delete magic to let valgrind check if
 2404 	pss_encode_mgf1 is side-channel silent with respect to the salt
 2405 	and digest inputs. It turns out that the most significant bits of
 2406 	the padded bignum, and hence its size, depend on these inputs.
 2407 	Which results in a data-dependent branch in the normalization code
 2408 	at the end of gmp's mpz_import.
 2409 
 2410 2017-04-04  Niels Möller  <nisse@lysator.liu.se>
 2411 
 2412 	* pss.c (pss_verify_mgf1): Use const for input mpz_t argument.
 2413 	(pss_encode_mgf1): Avoid unnecessary memset and xor operations.
 2414 
 2415 	Merged RSA-PSS support, contributed by Daiki Ueno.
 2416 	* pss-mgf1.h, pss.h: New header files.
 2417 	* pss-mgf1.c (pss_mgf1): New file and function.
 2418 	* pss.c (pss_encode_mgf1, pss_verify_mgf1): New file and
 2419 	functions.
 2420 	* rsa-verify.c (_rsa_verify_recover): New function.
 2421 	* rsa-pss-sha256-sign-tr.c (rsa_pss_sha256_sign_digest_tr): New
 2422 	file and function.
 2423 	* rsa-pss-sha256-verify.c (rsa_pss_sha256_verify_digest): New
 2424 	file and function.
 2425 	* rsa-pss-sha512-sign-tr.c (rsa_pss_sha384_sign_digest_tr)
 2426 	(rsa_pss_sha512_sign_digest_tr): New file and functions.
 2427 	* rsa-pss-sha512-verify.c (rsa_pss_sha384_verify_digest)
 2428 	(rsa_pss_sha512_verify_digest): New file and functions.
 2429 	* rsa.h: Prototypes for new functions.
 2430 	* testsuite/rsa-pss-sign-tr-test.c: New test case.
 2431 	* testsuite/pss-test.c: New test case.
 2432 	* testsuite/pss-mgf1-test.c: New test case.
 2433 	* Makefile.in, testsuite/Makefile.in: Added new files.
 2434 	* nettle.texinfo: Documentation of rsa-pss functions.
 2435 
 2436 2017-03-20  Niels Möller  <nisse@lysator.liu.se>
 2437 
 2438 	* nettle-internal.h (NETTLE_MAX_HASH_CONTEXT_SIZE): New constant.
 2439 	* testsuite/meta-hash-test.c (test_main): Add sanity check for
 2440 	NETTLE_MAX_HASH_CONTEXT_SIZE.
 2441 
 2442 	* tools/nettle-hash.c (list_algorithms): Also display the internal
 2443 	context size.
 2444 
 2445 2017-01-03  Nikos Mavrogiannopoulos  <nmav@redhat.com>
 2446 
 2447 	* ecdsa-verify.c (ecdsa_verify): Eliminated memory leak on error
 2448 	path.
 2449 
 2450 2016-10-10  Niels Möller  <nisse@lysator.liu.se>
 2451 
 2452 	* write-be32.c (_nettle_write_be32): Use const for source argument.
 2453 	* write-le32.c (_nettle_write_le32): Likewise.
 2454 	* write-le64.c (_nettle_write_le64): Likewise.
 2455 	* nettle-write.h: Update prototypes.
 2456 
 2457 2016-10-01  Niels Möller  <nisse@lysator.liu.se>
 2458 
 2459 	* Released nettle-3.3.
 2460 
 2461 2016-09-13  Niels Möller  <nisse@lysator.liu.se>
 2462 
 2463 	* nettle-meta-hashes.c (nettle_hashes): Added SHA3 hashes.
 2464 	Reported missing by Thomas Walter.
 2465 	* testsuite/meta-hash-test.c: Update test accordingly.
 2466 
 2467 2016-09-07  Niels Möller  <nisse@lysator.liu.se>
 2468 
 2469 	* nettle.texinfo (Elliptic curves): Split into sub-nodes.
 2470 	(Miscellaneous functions): Document memeql_sec.
 2471 	* NEWS: Mention memeql_sec.
 2472 
 2473 2016-09-06  Niels Möller  <nisse@lysator.liu.se>
 2474 
 2475 	* NEWS: Update for 3.3.
 2476 
 2477 	* configure.ac: Bump package version to 3.3.
 2478 	(LIBNETTLE_MINOR): Bump library version to 6.3.
 2479 	(LIBHOGWEED_MINOR): Bump library version to 4.3.
 2480 
 2481 2016-09-05  Niels Möller  <nisse@lysator.liu.se>
 2482 
 2483 	* curve25519.h (NETTLE_CURVE25519_RFC7748): New preprocessor
 2484 	constant.
 2485 	* nettle.texinfo: Document it.
 2486 
 2487 2016-09-03  Niels Möller  <nisse@lysator.liu.se>
 2488 
 2489 	* config.make.in (.SUFFIXES): Delete no longer used .p$(OBJEXT).
 2490 
 2491 	* sexp.h (TOKEN_CHAR): Delete macro and declaration of
 2492 	sexp_token_chars. They belong in tools/misc.h, not here.
 2493 
 2494 	* examples/ecc-benchmark.c (die): Deleted unused function.
 2495 
 2496 	* testsuite/testutils.h (US): New macro, for unsigned string
 2497 	literals.
 2498 	(LDATA): Use the US macro, to eliminate pointer signedness
 2499 	warnings.
 2500 
 2501 	* testsuite/eddsa-verify-test.c (test_eddsa): Use LDATA.
 2502 	* testsuite/pbkdf2-test.c (test_main): Likewise.
 2503 	* testsuite/pkcs1-test.c (test_main): Likewise.
 2504 
 2505 	* testsuite/md5-compat-test.c (test_main): Use US macro.
 2506 
 2507 	* testsuite/sexp-test.c (test_main): Use const char * for assoc
 2508 	keys. Overlooked in 2016-08-16 change.
 2509 
 2510 	* testsuite/yarrow-test.c (test_main): Fix pointer
 2511 	signedness warnings.
 2512 	* testsuite/sexp-format-test.c (test_main): Likewise.
 2513 	* testsuite/rsa-encrypt-test.c (test_main): Likewise.
 2514 	* tools/nettle-lfib-stream.c (main): Likewise.
 2515 	* tools/output.c (sexp_put_string): Likewise.
 2516 
 2517 	* testsuite/testutils.c (test_armor): Change ascii argument to
 2518 	const char *.
 2519 	* testsuite/base16-test.c (test_main): Use LDATA for the non-ascii
 2520 	argument to test_armor.
 2521 	* testsuite/base64-test.c (test_main): Likewise.
 2522 
 2523 	* tools/nettle-pbkdf2.c (main): Fix some pointer signedness warnings.
 2524 	* tools/nettle-hash.c (hash_file): Likewise.
 2525 
 2526 	* examples/rsa-decrypt.c (process_file): Use memeql_sec to check
 2527 	the digest.
 2528 
 2529 	* memeql-sec.c (memeql_sec): New public function, moved from...
 2530 	* ccm.c (memeql_sec): ... previous location.
 2531 
 2532 	* memops.h: New header file, generalizing memxor.h.
 2533 
 2534 	* testsuite/memeql-test.c (test_main): New test case.
 2535 	(memeql_sec_for_test): Wrapper to get valgrind to check for
 2536 	side-channel silence.
 2537 
 2538 2016-08-29  Niels Möller  <nisse@lysator.liu.se>
 2539 
 2540 	* sexp-format.c (strlen_u8): New helper function.
 2541 	(sexp_vformat): Use uint8_t * for strings instead of char *.
 2542 
 2543 2016-08-16  Niels Möller  <nisse@lysator.liu.se>
 2544 
 2545 	* examples/io.c (hash_file): Use uint8_t for buffer.
 2546 
 2547 	* sexp.c (sexp_iterator_check_type, sexp_iterator_check_types)
 2548 	(sexp_iterator_assoc): Use const char * for caller's expression
 2549 	types. Updated all callers.
 2550 
 2551 	* rsa2openpgp.c (rsa_keypair_to_openpgp): Added cast to const
 2552 	uint8_t *.
 2553 
 2554 	* pgp-encode.c (write_string): New helper function, replacing...
 2555 	(WRITE): ... deleted macro.
 2556 
 2557 	* examples/io.c (write_data): Renamed, and use const void * for
 2558 	the input data. Updated all callers.
 2559 	(write_string): ... old name.
 2560 	(write_file): Use const void * for the input data.
 2561 
 2562 2016-08-05  Niels Möller  <nisse@lysator.liu.se>
 2563 
 2564 	* examples/hogweed-benchmark.c: Use uint8_t for curve25519 values.
 2565 	(bench_rsa_init): Use unsigned char for sexp strings.
 2566 	(bench_dsa_init): Likewise.
 2567 	(hash_string): Delete length argument, calling strlen instead.
 2568 	Cast string to const uint8_t *. Updated callers.
 2569 
 2570 	* examples/io.c (read_file): Use size_t for sizes, and uint8_t for
 2571 	the contents.
 2572 
 2573 2016-08-04  Niels Möller  <nisse@lysator.liu.se>
 2574 
 2575 	* dsa-sign.c (dsa_sign): Return failure if p is even, so that an
 2576 	invalid key doesn't result in a crash inside mpz_powm_sec.
 2577 
 2578 	* rsa-sign-tr.c (rsa_compute_root_tr): Return failure if any of p,
 2579 	q or n is even, to avoid crashing inside mpz_powm_sec. Invalid
 2580 	keys with even modulus are rejected by rsa_public_key_prepare and
 2581 	rsa_private_key_prepare, but some applications, notably gnutls,
 2582 	don't use them.
 2583 
 2584 2016-07-31  Niels Möller  <nisse@lysator.liu.se>
 2585 
 2586 	* rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using
 2587 	an invalid key may crash in mpz_powm_sec. Problem reported by
 2588 	Hanno Böck.
 2589 
 2590 2016-07-13  Niels Möller  <nisse@lysator.liu.se>
 2591 
 2592 	* bignum.c (nettle_mpz_from_octets): Unconditionally use
 2593 	mpz_import.
 2594 	* gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): Deleted
 2595 	compatibility definitions for older versions of GMP.
 2596 	* gmp-glue.h (mpn_sqr): Deleted compatibility definition.
 2597 	* testsuite/testutils.c (mpz_combit): Deleted compatibility
 2598 	definition.
 2599 
 2600 2016-07-12  Niels Möller  <nisse@lysator.liu.se>
 2601 
 2602 	* configure.ac: Check for mpz_powm_sec, and require GMP-5.0 or
 2603 	later.
 2604 	* bignum.h (mpz_powm_sec): Fall back to plain mpz_powm for
 2605 	mini-gmp build.
 2606 	* dsa-sign.c (dsa_sign): Use mpz_powm_sec.
 2607 	* rsa-sign.c (rsa_compute_root): Likewise.
 2608 	* rsa-sign-tr.c (rsa_blind, rsa_compute_root_tr): Likewise.
 2609 	* rsa-blind.c (_rsa_blind): Likewise.
 2610 
 2611 2016-05-02  Niels Möller  <nisse@lysator.liu.se>
 2612 
 2613 	* nettle.texinfo: Update Curve25519 documentation.
 2614 
 2615 	* testsuite/curve25519-dh-test.c: Test that input bits which must
 2616 	be ignored really are ignored.
 2617 
 2618 2016-04-25  Niels Möller  <nisse@lysator.liu.se>
 2619 
 2620 	* curve25519-mul.c (curve25519_mul): Ignore top bit of the input x
 2621 	coordinate, as required by RFC 7748.
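
Added example, not Nettle code: an RFC 7748 X25519 in Python showing what the 2016-04-25 and 2016-05-02 entries are about. decode_u clears bit 255 of the u coordinate before the Montgomery ladder runs, so two inputs that differ only in that bit produce the same output, and the scalar is clamped as the RFC specifies. Python integers are not constant time, so the masked cswap only mirrors the structure of a side-channel-resistant implementation. The key bytes used in dh_shared_secrets and the usage are constructed values, not test vectors from the RFC.

```python
P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")


def decode_scalar(k: bytes) -> int:
    """RFC 7748 section 5: clear the low 3 bits and bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def decode_u(u: bytes) -> int:
    """RFC 7748 section 5: the u coordinate is 255 bits wide; bit 255 of the
    encoding is not part of the value and must be ignored (the 2016-04-25 fix)."""
    b = bytearray(u)
    b[31] &= 0x7F
    return int.from_bytes(b, "little")


def cswap(swap: int, a: int, b: int):
    """Swap a and b when swap == 1 using a mask instead of a branch. This is the
    constant-time idiom only in shape; Python ints carry no timing guarantee."""
    mask = -swap                  # 0 when swap == 0, all ones when swap == 1
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns k*u as 32 little-endian bytes."""
    k_int = decode_scalar(k)
    x_1 = decode_u(u)
    x_2, z_2 = 1, 0
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def dh_shared_secrets(a_priv: bytes, b_priv: bytes):
    """Both sides of an X25519 exchange; returns (alice_shared, bob_shared)."""
    a_pub = x25519(a_priv, BASEPOINT)
    b_pub = x25519(b_priv, BASEPOINT)
    return x25519(a_priv, b_pub), x25519(b_priv, a_pub)


if __name__ == "__main__":
    # Constructed keys; the second u coordinate differs only in the ignored bit 255.
    k = bytes(range(32))
    u_hi = BASEPOINT[:31] + bytes([BASEPOINT[31] | 0x80])
    print(x25519(k, BASEPOINT) == x25519(k, u_hi))
```

The check in the usage is the one curve25519-dh-test adds: a peer public key with bit 255 set must yield the same shared secret as the same key with the bit clear, otherwise two conforming implementations can disagree.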
 2622 
 2623 2016-03-30  Niels Möller  <nisse@lysator.liu.se>
 2624 
 2625 	From Nikos Mavrogiannopoulos.
 2626 	* configure.ac: Change dll names to follow the libtool convention
 2627 	with only major version number in the name.
 2628 
 2629 2016-03-15  Niels Möller  <nisse@lysator.liu.se>
 2630 
 2631 	* twofish.c (gf_multiply): Change return value to uint32_t, to
 2632 	make shifting of the return value well defined, without any type
 2633 	casts. Fixes an undefined shift in compute_s, reported by Nikos
 2634 	Mavrogiannopoulos.
 2635 	(h_byte): Deleted type casts.
 2636 
 2637 	* blowfish.c (blowfish_encrypt, blowfish_decrypt): Use READ_UINT32
 2638 	macro. Fixes an undefined shift, reported by Nikos
 2639 	Mavrogiannopoulos.
 2640 
 2641 	From Nikos Mavrogiannopoulos.
 2642 	* configure.ac (HOGWEED_EXTRA_SYMBOLS): Add "mp_*", when building
 2643 	with mini-gmp.
 2644 	* des.c (des_weak_p): Check that the hash value is in the proper
 2645 	range before using it. Fixes an out-of-bounds read.
 2646 
 2647 2016-03-14  Niels Möller  <nisse@lysator.liu.se>
 2648 
 2649 	* getopt.c (_getopt_internal_r): Fix c99-ism, move declarations to
 2650 	top of block. Reported by Henrik Grubbström.
 2651 
 2652 2016-02-16  Niels Möller  <nisse@lysator.liu.se>
 2653 
 2654 	* tools/input.c (sexp_get_string_length): Process advanced string
 2655 	syntax only when in advanced mode. Fixes an assertion failure
 2656 	reported by Hanno Böck, for input where advanced syntax is
 2657 	improperly wrapped inside transport syntax.
 2658 
 2659 	* tools/parse.c (sexp_parse): Fail with an error message for
 2660 	unexpected ']' characters. Fixes crash reported by Hanno Böck.
 2661 	Also handle SEXP_DISPLAY (internal error) explicitly, without a
 2662 	default clause.
 2663 
 2664 2016-01-28  Niels Möller  <nisse@lysator.liu.se>
 2665 
 2666 	* Released nettle-3.2.
 2667 
 2668 2016-01-26  Niels Möller  <nisse@lysator.liu.se>
 2669 
 2670 	* tools/nettle-pbkdf2.c (main): Fix handling of unrecognized
 2671 	options. Bug reported by Dongsheng Zhang. Display usage message
 2672 	and exit non-zero. Also added "Usage: "-prefix to the message.
 2673 	* tools/nettle-hash.c (usage): New function, extracted from main.
 2674 	(main): Analogous fix for unrecognized options.
 2675 
 2676 2016-01-23  Niels Möller  <nisse@lysator.liu.se>
 2677 
 2678 	* nettle.texinfo: Set UPDATED-FOR to 3.2.
 2679 
 2680 2016-01-21  Niels Möller  <nisse@lysator.liu.se>
 2681 
 2682 	* .gitlab-ci.yml: New file. Configuration for gitlab's continuous
 2683 	integration system.
 2684 
 2685 2016-01-20  Niels Möller  <nisse@lysator.liu.se>
 2686 
 2687 	* testsuite/dlopen-test.c (main): Mark arguments as UNUSED.
 2688 
 2689 	* testsuite/Makefile.in (clean): Delete dlopen-test.
 2690 
 2691 	* configure.ac: Bump package version, to nettle-3.2.
 2692 	(LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to
 2693 	libnettle.so.6.2 and libhogweed.so.4.2.
 2694 
 2695 2016-01-10  Niels Möller  <nisse@lysator.liu.se>
 2696 
 2697 	* base64-encode.c (encode_raw): Use const uint8_t * for the
 2698 	alphabet argument.
 2699 
 2700 	* nettle.texinfo (RSA): Document the rsa_pkcs1_verify and
 2701 	rsa_pkcs1_sign functions, and the new rsa_*_tr functions.
 2702 
 2703 2015-12-18  Niels Möller  <nisse@lysator.liu.se>
 2704 
 2705 	* testsuite/testutils.h: Fix include order, system headers before
 2706 	nettle headers. Always include version.h, needed by
 2707 	version-test.c. It was included indirectly via bignum.h, but only
 2708 	if configured with publickey support.
 2709 
 2710 	* configure.ac (IF_DLOPEN_TEST): Fixed shell conditional.
 2711 
 2712 	* testsuite/ecc-mod-test.c (test_main): Handle random seeding if
 2713 	NETTLE_TEST_SEED is set in the environment.
 2714 
 2715 2015-12-15  Niels Möller  <nisse@lysator.liu.se>
 2716 
 2717 	* x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem
 2718 	reported by Hanno Böck. Simplified the folding to always use
 2719 	non-negative carry, the old code attempted to add in a carry which
 2720 	could be either positive or negative, but didn't get that case
 2721 	right.
 2722 
 2723 2015-12-10  Niels Möller  <nisse@lysator.liu.se>
 2724 
 2725 	* ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem
 2726 	reported by Hanno Böck.
 2727 	(ecc_256_modq): Fixed another carry propagation bug.
 2728 
 2729 2015-11-23  Niels Möller  <nisse@lysator.liu.se>
 2730 
 2731 	* nettle.texinfo: Document rsa_encrypt, rsa_decrypt and
 2732 	rsa_decrypt_tr. Text contributed by Andy Lawrence.
 2733 
 2734 2015-11-15  Niels Möller  <nisse@lysator.liu.se>
 2735 
 2736 	* rsa.h (_rsa_blind, _rsa_unblind): Mark as deprecated.
 2737 
 2738 2015-09-17  Niels Möller  <nisse@lysator.liu.se>
 2739 
 2740 	* rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New
 2741 	file, new functions.
 2742 	* rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr):
 2743 	Likewise.
 2744 	* rsa-sha256-sign-tr.c (rsa_sha256_sign_tr)
 2745 	(rsa_sha256_sign_digest_tr): Likewise.
 2746 	* rsa-sha512-sign-tr.c (rsa_sha512_sign_tr)
 2747 	(rsa_sha512_sign_digest_tr): Likewise.
 2748 	* rsa.h: Added corresponding prototypes.
 2749 	* Makefile.in (hogweed_SOURCES): Added new files.
 2750 
 2751 	* testsuite/testutils.c (SIGN): Extend macro to test new
 2752 	functions, and the rsa_*_sign_digest functions. Updated callers.
 2753 
 2754 2015-09-14  Niels Möller  <nisse@lysator.liu.se>
 2755 
 2756 	* rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr.
 2757 	Mainly for simplicity and consistency; I'm not aware of any CRT
 2758 	fault attacks on RSA decryption.
 2759 
 2760 	* testsuite/rsa-encrypt-test.c (test_main): Added test with
 2761 	invalid private key.
 2762 
 2763 	* rsa-sign-tr.c (rsa_compute_root_tr): New file and function.
 2764 	* rsa.h: Declare it.
 2765 	* rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr.
 2766 	(rsa_verify_res): Deleted, replaced by rsa_compute_root_tr.
 2767 	* testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that
 2768 	signature argument is unchanged on failure.
 2769 	* Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c.
 2770 
 2771 2015-09-07  Niels Möller  <nisse@lysator.liu.se>
 2772 
 2773 	* testsuite/rsa-sign-tr-test.c: Drop include of nettle-internal.h.
 2774 	(test_main): Fix incorrect use of sizeof, and use LDATA macro.
 2775 
 2776 	From Nikos Mavrogiannopoulos.
 2777 	* rsa-pkcs1-sign-tr.c (rsa_verify_res): New function.
 2778 	(rsa_pkcs1_sign_tr): Check result of private key operation, to
 2779 	protect against hardware or software errors leaking the private
 2780 	key.
 2781 	* testsuite/rsa-sign-tr-test.c: New testcase.
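
Added example, not from Nettle's sources, illustrating two checks recorded in this log: the 2015-09-07 and 2015-09-14 entries (verify the result of the private-key operation with the public exponent before releasing it) and the 2016-07-31 and 2016-08-04 entries (reject an even n, p or q before calling mpz_powm_sec). The key is a constructed toy built from two Mersenne primes, far too small for real use, and fault_in_p simulates a single bit flip in the mod-p half of the CRT computation. factor_from_faulty_signature shows why the result check matters: a signature that is correct modulo q but wrong modulo p reveals q through gcd(s^e - m, n), the Boneh-DeMillo-Lipton observation. All function names are the example's own; Nettle's real code also blinds the operation, which is omitted here.

```python
import hashlib
import math

# Constructed toy key: 2^127 - 1 and 2^89 - 1 are primes, n is ~216 bits.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_key_sane(n: int, e: int, d: int, p: int, q: int) -> bool:
    """Reject keys the private-key path cannot handle: an even modulus crashes
    mpz_powm_sec (2016-07-31, 2016-08-04 entries), and p*q must really be n."""
    if not (n & 1 and p & 1 and q & 1):
        return False
    if p * q != n:
        return False
    return (e * d) % math.lcm(p - 1, q - 1) == 1


def crt_root(m: int, p: int, q: int, d: int, fault_in_p: bool = False) -> int:
    """m^d mod n via the CRT. fault_in_p flips one bit of the mod-p half, standing
    in for a hardware glitch or a software bug in that exponentiation."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault_in_p:
        sp ^= 1
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + h * q                 # < p*q, since sq < q and h < p


def sign_checked(m: int, n: int, e: int, d: int, p: int, q: int,
                 fault_in_p: bool = False):
    """Private-key operation that refuses to release an unverified result, the
    property rsa_pkcs1_sign_tr / rsa_compute_root_tr add: recompute s^e mod n
    and compare with m; on any mismatch return None instead of a signature."""
    if not rsa_key_sane(n, e, d, p, q):
        return None
    s = crt_root(m, p, q, d, fault_in_p)
    if pow(s, e, n) != m:
        return None
    return s


def factor_from_faulty_signature(m: int, s_bad: int, n: int, e: int) -> int:
    """Given one faulty signature that leaked, recover a factor of n:
    s_bad^e == m (mod q) still holds, so q divides s_bad^e - m, while p does not."""
    return math.gcd(pow(s_bad, e, n) - m, n)


def demo_message() -> int:
    """Constructed 192-bit message representative, small enough to be < N."""
    return int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big") >> 64


if __name__ == "__main__":
    m = demo_message()
    print("checked sign ok:", sign_checked(m, N, E, D, P, Q) is not None)
    print("faulty sign released:", sign_checked(m, N, E, D, P, Q, fault_in_p=True))
    s_bad = crt_root(m, P, Q, D, fault_in_p=True)
    print("gcd recovers q:", factor_from_faulty_signature(m, s_bad, N, E) == Q)
```

The cost of the check is one public-key exponentiation per signature; the cost of skipping it is that a single glitched signature handed to an attacker factors the modulus.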
 2782 
 2783 2015-09-06  Niels Möller  <nisse@lysator.liu.se>
 2784 
 2785 	* nettle.texinfo: Updated SHA3 documentation.
 2786 
 2787 2015-09-02  Niels Möller  <nisse@lysator.liu.se>
 2788 
 2789 	* testsuite/dlopen-test.c: New test program, exposing the problem
 2790 	with ifunc and RTLD_NOW.
 2791 
 2792 	* testsuite/Makefile.in (TS_ALL): Conditionally add dlopen-test.
 2793 	(SOURCES): Added dlopen-test.c.
 2794 	(dlopen-test): New target, unlike other test programs, *not*
 2795 	linked with -lnettle.
 2796 
 2797 	* configure.ac: Check for dlfcn.h and the dlopen function.
 2798 	(IF_DLOPEN_TEST): New substituted variable, true if dlopen is
 2799 	available and we are building a shared library.
 2800 
 2801 	* fat-setup.h: Disable use of ifunc, since it breaks dlopen with
 2802 	RTLD_NOW.
 2803 
 2804 2015-08-25  Niels Möller  <nisse@lysator.liu.se>
 2805 
 2806 	* NEWS: Started on entries for Nettle-3.2.
 2807 
 2808 	* sha3.h (NETTLE_SHA3_FIPS202): New preprocessor constant.
 2809 
 2810 2015-08-24  Niels Möller  <nisse@lysator.liu.se>
 2811 
 2812 	* testsuite/sha3.awk: Document origin of test vectors.
 2813 
 2814 	From Nikos Mavrogiannopoulos.
 2815 	* sha3.c (_sha3_pad): Update for NIST version.
 2816 	* testsuite/sha3-224-test.c: Updated test vectors.
 2817 	* testsuite/sha3-256-test.c: Likewise.
 2818 	* testsuite/sha3-384-test.c: Likewise.
 2819 	* testsuite/sha3-512-test.c: Likewise.
 2820 
 2821 2015-06-03  Niels Möller  <nisse@lysator.liu.se>
 2822 
 2823 	* arm/neon/chacha-core-internal.asm: New file. 55% speedup over C
 2824 	version on Cortex-A9.
 2825 
 2826 2015-05-19  Niels Möller  <nisse@lysator.liu.se>
 2827 
 2828 	* configure.ac: ABI detection (n32 or n64) on Irix, and
 2829 	appropriate default for libdir. Patch from Klaus Ziegler.
 2830 
 2831 2015-05-12  Niels Möller  <nisse@lysator.liu.se>
 2832 
 2833 	* version.c (nettle_version_major, nettle_version_minor): New
 2834 	file. New functions, returning the value of the corresponding
 2835 	preprocessor constant.
 2836 	* Makefile.in (nettle_SOURCES): Added version.c.
 2837 	* testsuite/version-test.c: New testcase.
 2838 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added version-test.c.
 2839 
 2840 2015-04-29  Niels Möller  <nisse@lysator.liu.se>
 2841 
 2842 	* arm/v6/sha256-compress.asm: Fix syntax error in offset
 2843 	addressing. Spotted by Jukka Ukkonen.
 2844 	* arm/v6/aes-decrypt-internal.asm: Drop %-prefix on r12 register.
 2845 	* arm/v6/aes-encrypt-internal.asm: Likewise.
 2846 
 2847 2015-04-24  Niels Möller  <nisse@lysator.liu.se>
 2848 
 2849 	* Released nettle-3.1.1.
 2850 
 2851 	* configure.ac: Bump package version, to nettle-3.1.1.
 2852 	(LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to
 2853 	libnettle.so.6.1 and libhogweed.so.4.1.
 2854 
 2855 2015-04-22  Niels Möller  <nisse@lysator.liu.se>
 2856 
 2857 	* x86_64/gcm-hash8.asm: Use ".value" instead of ".short", since
 2858 	the latter is not supported by the Sun/Oracle assembler.
 2859 
 2860 2015-04-13  Niels Möller  <nisse@lysator.liu.se>
 2861 
 2862 	* configure.ac: Fix shell quoting in test of GMP_NUMB_BITS asm
 2863 	compatibility. Reported by Edward Sheldrake.
 2864 
 2865 2015-04-07  Niels Möller  <nisse@lysator.liu.se>
 2866 
 2867 	* Released nettle-3.1.
 2868 
 2869 2015-03-31  Niels Möller  <nisse@lysator.liu.se>
 2870 
 2871 	* x86_64/ecc-224-modp.asm: Require that GMP_NUMB_BITS == 64.
 2872 	* x86_64/ecc-521-modp.asm: Likewise. Note that the other
 2873 	ecc-*-modp.asm files happen to work fine on x86_64, with either 32
 2874 	or 64 bits.
 2875 
 2876 	* asm.m4 (GMP_NUMB_BITS): New macro, expanding to nothing.
 2877 
 2878 	* configure.ac: Move tests for compiler characteristics,
 2879 	libraries, and GMP_NUMB_BITS, before assembler-related tests.
 2880 	For files in $asm_hogweed_optional_list, check if they declare
 2881 	a GMP_NUMB_BITS requirement, and skip files which are incompatible
 2882 	with the configuration. Needed for --enable-mini-gmp on w64.
 2883 
 2884 	* Makefile.in (clean-here): Unconditionally delete *.a (including
 2885 	stub libraries like *.dll.a).
 2886 
 2887 2015-03-30  Niels Möller  <nisse@lysator.liu.se>
 2888 
 2889 	* version.h.in (GMP_NUMB_BITS) [NETTLE_USE_MINI_GMP]: Move
 2890 	definition here (uses configure substitution).
 2891 	* bignum.h (GMP_NUMB_BITS): ...old location.
 2892 
 2893 	* nettle.texinfo: Updated version number.
 2894 	(Installation): Document some more configure options.
 2895 
 2896 	* testsuite/symbols-test: Look for NETTLE_USE_MINI_GMP in
 2897 	version.h, not bignum.h. Allow leading underscore on mini-gmp
 2898 	symbols.
 2899 
 2900 2015-03-26  Niels Möller  <nisse@lysator.liu.se>
 2901 
 2902 	* Makefile.in (PRE_CPPFLAGS): Drop -I$(srcdir), no longer needed.
 2903 	(HEADERS): Added bignum.h. Removed version.h.
 2904 	(INSTALL_HEADERS): Added version.h.
 2905 	(DISTFILES): Removed bignum.h.in.
 2906 	(bignum.h): Deleted make target.
 2907 	(distclean-here): Don't delete bignum.h.
 2908 
 2909 	* configure.ac: No longer generate bignum.h.
 2910 
 2911 	* bignum.h: Renamed. Removed substitution of NETTLE_USE_MINI_GMP,
 2912 	and include version.h instead.
 2913 	* bignum.h.in: ... old name.
 2914 
 2915 	* version.h.in (NETTLE_USE_MINI_GMP): Substitute here.
 2916 
 2917 2015-03-25  Niels Möller  <nisse@lysator.liu.se>
 2918 
 2919 	* configure.ac (MAJOR_VERSION, MINOR_VERSION): Tweak sed
 2920 	expressions, to tolerate version suffixes.
 2921 
 2922 	* Makefile.in (distdir): Include assembly files from the new
 2923 	x86_64/aesni, x86_64/fat, and arm/fat directories.
 2924 
 2925 	* ed25519-sha512-pubkey.c: Fix stack overwrite. The digest array
 2926 	must have room for a complete sha512 digest.
 2927 
 2928 2015-03-19  Niels Möller  <nisse@lysator.liu.se>
 2929 
 2930 	* Makefile.in (OPT_HOGWEED_SOURCES): Deleted make variable.
 2931 	(nettle_SOURCES, hogweed_SOURCES): Don't include optional sources
 2932 	here.
 2933 	(OPT_SOURCES): New variable.
 2934 	(SOURCES): Include OPT_SOURCES.
 2935 	(DISTFILES): Drop mini-gmp.c here, included via OPT_SOURCES.
 2936 	(nettle_OBJS, hogweed_OBJS): Add the object files corresponding to
 2937 	the optional source files included in the build.
 2938 
 2939 	* ecc-curve.h (nettle_curve25519): Removed public declaration.
 2940 	* ecc-internal.h (_nettle_curve25519): New location, new name.
 2941 	Updated all users.
 2942 
 2943 	* nettle.texinfo: Updated EdDSA documentation.
 2944 
 2945 	* Makefile.in (DISTFILES): Added version.h.in, libnettle.map.in,
 2946 	and libhogweed.map.in (the latter two from a patch by Nikos).
 2947 	(version.h): New make target.
 2948 	(distclean-here): Added version.h, libnettle.map, and
 2949 	libhogweed.map.
 2950 
 2951 	From Nikos Mavrogiannopoulos.
 2952 	* configure.ac (MAJOR_VERSION, MINOR_VERSION): New substituted
 2953 	variables.
 2954 	* version.h.in: New file, defining version numbers.
 2955 
 2956 2015-03-18  Niels Möller  <nisse@lysator.liu.se>
 2957 
 2958 	EdDSA interface change, use plain strings to represent keys.
 2959 	* eddsa.h (_ED25519_LIMB_SIZE): Deleted constant.
 2960 	(struct ed25519_private_key, ed25519_public_key): Deleted.
 2961 	* eddsa-expand.c (_eddsa_expand_key): Don't compute the public
 2962 	key.
 2963 	(_eddsa_expand_key_itch): Deleted function.
 2964 	* eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New
 2965 	file, new functions.
 2966 	* ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file
 2967 	and function.
 2968 	* ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted
 2969 	function.
 2970 	(ed25519_sha512_verify): Use a string to represent the public key.
 2971 	* ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted
 2972 	function.
 2973 	(ed25519_sha512_sign): Use strings for the input key pair.
 2974 	* Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and
 2975 	ed25519-sha512-pubkey.c.
 2976 	* testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to
 2977 	_eddsa_expand_key changes, and use _eddsa_public_key.
 2978 	* testsuite/ed25519-test.c (test_one): Test
 2979 	ed25519_sha512_public_key, and adapt to new ed25519 interface.
 2980 
 2981 2015-03-14  Niels Möller  <nisse@lysator.liu.se>
 2982 
 2983 	* ccm.c (memeql_sec): New function, more side-channel silent than
 2984 	memcmp.
 2985 	(ccm_decrypt_message): Use it.
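
An added illustration of the point behind memeql_sec (example code written for this page, not Nettle's implementation; the names ct_memeql, leaky_memeql and check_tag_and_release, and the shape of the AEAD helper, are this example's own assumptions). It shows a fixed-work comparison next to the early-exit pattern it replaces, and how a decrypt path uses it so that a wrong tag never hands unauthenticated plaintext to the caller:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-work equality test over n bytes. Every byte is visited and
   folded into diff; there is no early exit, so neither the running time
   nor the branch pattern depends on where the inputs first differ.
   Returns 1 if equal, 0 otherwise. */
int
ct_memeql(const void *a, const void *b, size_t n)
{
  const volatile unsigned char *pa = a;
  const volatile unsigned char *pb = b;
  unsigned char diff = 0;
  size_t i;

  for (i = 0; i < n; i++)
    diff |= pa[i] ^ pb[i];

  /* Map diff (0..255) to 1 when zero and 0 otherwise without a
     data-dependent branch: only 0 - 1 borrows into bit 8. */
  return (int) ((((unsigned) diff) - 1u) >> 8) & 1;
}

/* The pattern being replaced. memcmp, or a loop like this one, stops at
   the first mismatch, so the time taken grows with the length of the
   matching prefix and a remote caller can guess a tag byte by byte.
   Kept only as the contrast; do not use it on tags, MACs or passwords. */
int
leaky_memeql(const void *a, const void *b, size_t n)
{
  const unsigned char *pa = a;
  const unsigned char *pb = b;
  size_t i;
  for (i = 0; i < n; i++)
    if (pa[i] != pb[i])
      return 0;
  return 1;
}

/* How an AEAD decrypt path (CCM, GCM, ...) uses it: compare the
   recomputed tag with the received one using the fixed-work function
   and, on mismatch, wipe the already-decrypted plaintext before
   reporting failure. Hypothetical helper, not Nettle's
   ccm_decrypt_message. */
int
check_tag_and_release(unsigned char *plaintext, size_t plaintext_len,
                      const unsigned char *computed_tag,
                      const unsigned char *received_tag, size_t tag_len)
{
  volatile unsigned char *p = plaintext;   /* volatile: wipe is not a dead store */
  size_t i;

  if (ct_memeql(computed_tag, received_tag, tag_len))
    return 1;
  for (i = 0; i < plaintext_len; i++)
    p[i] = 0;
  return 0;
}

int
main(void)
{
  /* Constructed 16-byte tags, differing in the last byte only. */
  unsigned char good[16], bad[16], pt[4] = { 'd', 'a', 't', 'a' };
  int released;

  memset(good, 0x5a, sizeof good);
  memcpy(bad, good, sizeof bad);
  bad[15] ^= 1;
  printf("same: %d, differ: %d, leaky agrees: %d\n",
         ct_memeql(good, good, 16), ct_memeql(good, bad, 16),
         leaky_memeql(good, bad, 16));
  released = check_tag_and_release(pt, sizeof pt, good, bad, 16);
  printf("release on bad tag: %d, pt[0] after wipe: %d\n", released, pt[0]);
  return 0;
}
```

The fold at the end of ct_memeql matters as much as the loop: returning `diff == 0` would let the compiler emit a conditional branch on secret-derived data, which is exactly what the loop avoided.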
 2986 
 2987 2015-03-12  Niels Möller  <nisse@lysator.liu.se>
 2988 
 2989 	* base64.h (struct base64_encode_ctx): Micro optimization of
 2990 	struct layout, saving a few bytes.
 2991 	(struct base64_decode_ctx): Likewise.
 2992 	* base16.h (struct base16_decode_ctx): Likewise.
 2993 
 2994 	* nettle.texinfo (ASCII encoding): Document base64url functions.
 2995 
 2996 2015-03-10  Niels Möller  <nisse@lysator.liu.se>
 2997 
 2998 	* nettle.texinfo: Update documentation of curve25519_mul. Say that
 2999 	the output is undefined for points belonging to the twist rather
 3000 	than the proper curve.
 3001 
 3002 	* curve25519-mul.c (curve25519_mul): Changed return type to void.
 3003 	* curve25519.h (curve25519_mul): Updated prototype.
 3004 	* examples/hogweed-benchmark.c (bench_curve25519_mul): Drop check
 3005 	of curve25519_mul return value.
 3006 	* testsuite/curve25519-dh-test.c (test_a): Likewise.
 3007 
 3008 2015-02-26  Niels Möller  <nisse@lysator.liu.se>
 3009 
 3010 	* nettle.texinfo: Document curve25519 and eddsa.
 3011 
 3012 2015-02-10  Niels Möller  <nisse@lysator.liu.se>
 3013 
 3014 	* base64url-meta.c (nettle_base64url): New file.
 3015 	* nettle-meta.h (nettle_base64url): Declare it.
 3016 	* nettle-meta-armors.c (nettle_armors): Added nettle_base64url.
 3017 	* testsuite/meta-armor-test.c: Updated testcase.
 3018 	* testsuite/base64-test.c (test_main): Additional tests, using
 3019 	nettle_base64url.
 3020 	* Makefile.in (nettle_SOURCES): Added base64url-meta.c.
 3021 
 3022 	Base-64 generalization to support RFC4648 URL safe alphabet,
 3023 	contributed by Amos Jeffries.
 3024 	* base64url-decode.c (base64url_decode_init): New file and
 3025 	function.
 3026 	* base64url-encode.c (base64url_encode_init): New file and
 3027 	function.
 3028 	* Makefile.in (nettle_SOURCES): Added base64url-encode.c and
 3029 	base64url-decode.c.
 3030 	* base64.h: Declare new functions.
 3031 	* testsuite/base64-test.c (test_fuzz): Test base64url encoding and
 3032 	decoding.
 3033 
 3034 	* base64.h (struct base64_encode_ctx): Added pointer to alphabet.
 3035 	(struct base64_decode_ctx): Added pointer to decoding table.
 3036 	* base64-decode.c (base64_decode_init): Initialize table pointer.
 3037 	Moved definition of table to local scope.
 3038 	(base64_decode_single): Use the context's decoding table.
 3039 	* base64-encode.c (ENCODE): Added alphabet argument. Updated all
 3040 	uses.
 3041 	(encode_raw): New static function, like base64_encode_raw
 3042 	but with an alphabet argument.
 3043 	(base64_encode_raw): Call encode_raw.
 3044 	(base64_encode_init): Initialize alphabet pointer.
 3045 	(base64_encode_single, base64_encode_update, base64_encode_final):
 3046 	Use the context's alphabet.
 3047 
 3048 2015-02-09  Niels Möller  <nisse@lysator.liu.se>
 3049 
 3050 	* base64-encode.c (base64_encode): Deleted old #if:ed out
 3051 	function.
 3052 
 3053 	* testsuite/base64-test.c (test_fuzz_once, test_fuzz): Additional
 3054 	tests, based on contribution by Amos Jeffries.
 3055 
 3056 2015-02-05  Niels Möller  <nisse@lysator.liu.se>
 3057 
 3058 	* configure.ac (LIBHOGWEED_MAJOR): Undo latest bump, 4 should be
 3059 	enough (previous release, nettle-3.0, used 3).
 3060 
 3061 2015-01-30  Niels Möller  <nisse@lysator.liu.se>
 3062 
 3063 	Update chacha-poly1305 for draft-irtf-cfrg-chacha20-poly1305-08.
 3064 	* chacha-poly1305.h (CHACHA_POLY1305_NONCE_SIZE): Increase to 12
 3065 	bytes, i.e., CHACHA_NONCE96_SIZE.
 3066 	* chacha-poly1305.c (chacha_poly1305_set_nonce): Use
 3067 	chacha_set_nonce96.
 3068 	(poly1305_pad): New function.
 3069 	(chacha_poly1305_encrypt): Use poly1305_pad.
 3070 	(chacha_poly1305_digest): Call poly1305_pad, and format length
 3071 	fields as a single poly1305 block.
 3072 
 3073 	* chacha-set-nonce.c (chacha_set_nonce96): New function.
 3074 	* chacha.h (CHACHA_NONCE96_SIZE): New constant.
 3075 	* testsuite/chacha-test.c: Add test for chacha with 96-bit nonce.
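
An added illustration of the two layout changes in this entry, the padded Poly1305 input ending in a single length block and the 96-bit ChaCha nonce (example code written for this page, not Nettle's chacha-poly1305.c; the function names and the standalone main are this example's own). It builds the exact byte string the MAC is computed over and the 16-word ChaCha state, which is where implementations of different draft revisions disagree:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLY1305_BLOCK_SIZE 16
#define CHACHA_NONCE96_SIZE 12

/* Zero bytes needed to bring len up to a multiple of the Poly1305
   block size; 0 when len is already aligned. */
size_t
poly1305_pad_len(size_t len)
{
  return (POLY1305_BLOCK_SIZE - len % POLY1305_BLOCK_SIZE) % POLY1305_BLOCK_SIZE;
}

/* Size of the complete Poly1305 input: AAD and ciphertext each padded
   to 16, plus the single 16-byte length block. */
size_t
aead_mac_input_size(size_t aad_len, size_t ct_len)
{
  return aad_len + poly1305_pad_len(aad_len)
    + ct_len + poly1305_pad_len(ct_len)
    + POLY1305_BLOCK_SIZE;
}

static void
store_le64(unsigned char *p, uint64_t v)
{
  int i;
  for (i = 0; i < 8; i++)
    p[i] = (unsigned char) (v >> (8 * i));
}

static uint32_t
load_le32(const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
    | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Lay out what is fed to Poly1305: AAD, zero pad to 16, ciphertext,
   zero pad to 16, then one 16-byte block carrying aad_len and ct_len as
   64-bit little-endian integers. out must hold
   aead_mac_input_size(aad_len, ct_len) bytes; returns bytes written. */
size_t
aead_mac_input(unsigned char *out,
               const unsigned char *aad, size_t aad_len,
               const unsigned char *ct, size_t ct_len)
{
  size_t pos = 0, pad;

  memcpy(out + pos, aad, aad_len);
  pos += aad_len;
  pad = poly1305_pad_len(aad_len);
  memset(out + pos, 0, pad);
  pos += pad;

  memcpy(out + pos, ct, ct_len);
  pos += ct_len;
  pad = poly1305_pad_len(ct_len);
  memset(out + pos, 0, pad);
  pos += pad;

  store_le64(out + pos, (uint64_t) aad_len);
  store_le64(out + pos + 8, (uint64_t) ct_len);
  return pos + POLY1305_BLOCK_SIZE;
}

/* ChaCha20 block state for the 96-bit nonce layout: four constant
   words, eight key words, one 32-bit block counter, three nonce words,
   all little-endian. The older 64-bit nonce layout kept a 64-bit
   counter in words 12-13 and the nonce in words 14-15. */
void
chacha_state_nonce96(uint32_t state[16], const unsigned char key[32],
                     uint32_t counter,
                     const unsigned char nonce[CHACHA_NONCE96_SIZE])
{
  int i;
  state[0] = 0x61707865; state[1] = 0x3320646e;
  state[2] = 0x79622d32; state[3] = 0x6b206574;
  for (i = 0; i < 8; i++)
    state[4 + i] = load_le32(key + 4 * i);
  state[12] = counter;
  for (i = 0; i < 3; i++)
    state[13 + i] = load_le32(nonce + 4 * i);
}

int
main(void)
{
  /* Constructed sizes matching the AEAD example in RFC 7539: 12 bytes
     of AAD and 114 bytes of ciphertext give a 160-byte MAC input. */
  unsigned char aad[12], ct[114], in[160];
  size_t n;
  memset(aad, 0xaa, sizeof aad);
  memset(ct, 0xcc, sizeof ct);
  n = aead_mac_input(in, aad, sizeof aad, ct, sizeof ct);
  printf("mac input: %zu bytes; length block at %zu: %02x .. %02x\n",
         n, n - 16, in[n - 16], in[n - 8]);
  return 0;
}
```

Two implementations that differ only in the padding or in the placement of the length words produce tags that never verify against each other, which is why the nonce size and the MAC layout changed together with the draft number.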
 3076 
 3077 2015-01-27  Niels Möller  <nisse@lysator.liu.se>
 3078 
 3079 	* ecc.h: Deleted declarations of unused itch functions. Moved
 3080 	declarations of internal functions to...
 3081 	* ecc-internal.h: ...new location. Also added a leading underscore
 3082 	on the symbols.
 3083 	(ecc_a_to_j, ecc_j_to_a, ecc_eh_to_a, ecc_dup_jj, ecc_add_jja)
 3084 	(ecc_add_jjj, ecc_dup_eh, ecc_add_eh, ecc_add_ehh, ecc_mul_g)
 3085 	(ecc_mul_a, ecc_mul_g_eh, ecc_mul_a_eh): Affected functions.
 3086 
 3087 2015-01-26  Niels Möller  <nisse@lysator.liu.se>
 3088 
 3089 	* ecc-add-eh.c (ecc_add_eh_itch): Deleted.
 3090 	* ecc-add-ehh.c (ecc_add_ehh_itch): Deleted.
 3091 	* ecc-add-jja.c (ecc_add_jja_itch): Deleted.
 3092 	* ecc-add-jjj.c (ecc_add_jjj_itch): Deleted.
 3093 	* ecc-dup-eh.c (ecc_dup_eh_itch): Deleted.
 3094 	* ecc-dup-jj.c (ecc_dup_jj_itch): Deleted.
 3095 	* ecc-eh-to-a.c (ecc_eh_to_a_itch): Deleted.
 3096 	* ecc-j-to-a.c (ecc_j_to_a_itch): Deleted.
 3097 	* ecc-mul-a-eh.c (ecc_mul_a_eh_itch): Deleted.
 3098 	* ecc-mul-a.c (ecc_mul_a_itch): Deleted.
 3099 	* ecc-mul-g-eh.c (ecc_mul_g_eh_itch): Deleted.
 3100 	* ecc-mul-g.c (ecc_mul_g_itch): Deleted.
 3101 
 3102 2015-01-25  Niels Möller  <nisse@lysator.liu.se>
 3103 
 3104 	* arm/fat/sha1-compress-2.asm: New file.
 3105 	* arm/fat/sha256-compress-2.asm: Likewise.
 3106 	* fat-arm.c (fat_init): Setup for use of additional v6 assembly
 3107 	functions.
 3108 
 3109 	* sha1-compress.c: Prepare for fat build with C and assembly
 3110 	implementations.
 3111 	* sha256-compress.c: Likewise.
 3112 
 3113 	* fat-setup.h (sha1_compress_func, sha256_compress_func): New typedefs.
 3114 
 3115 	* configure.ac (asm_nettle_optional_list): Added
 3116 	sha1-compress-2.asm and sha256-compress-2.asm, and corresponding
 3117 	HAVE_NATIVE_*.
 3118 
 3119 	From Martin Storsjö:
 3120 	* arm: Add .arch directives for armv6. This allows building these
 3121 	files as part of a fat build, even if the assembler by default
 3122 	targets a lower architecture version.
 3123 
 3124 2015-01-23  Niels Möller  <nisse@lysator.liu.se>
 3125 
 3126 	* fat-setup.h (DEFINE_FAT_FUNC): Check value of function pointer,
 3127 	before calling fat_init. Should be correct even without memory
 3128 	barrier.
 3129 	* fat-x86_64.c (fat_init): Deleted static variable initialized.
 3130 	The check of the relevant pointer in DEFINE_FAT_FUNC is more
 3131 	robust.
 3132 	* fat-arm.c (fat_init): Likewise.
 3133 
 3134 2015-01-21  Niels Möller  <nisse@lysator.liu.se>
 3135 
 3136 	* fat-arm.c (fat_init): Setup for use of neon assembly functions.
 3137 
 3138 	* arm/fat/salsa20-core-internal-2.asm: New file.
 3139 	* arm/fat/sha3-permute-2.asm: New file.
 3140 	* arm/fat/sha512-compress-2.asm: New file.
 3141 	* arm/fat/umac-nh-2.asm: New file.
 3142 	* arm/fat/umac-nh-n-2.asm: New file.
 3143 
 3144 	* salsa20-core-internal.c: Prepare for fat build with C and
 3145 	assembly implementations.
 3146 	* sha512-compress.c: Likewise.
 3147 	* sha3-permute.c: Likewise.
 3148 	* umac-nh.c: Likewise.
 3149 	* umac-nh-n.c: Likewise.
 3150 
 3151 	* configure.ac (asm_nettle_optional_list): Added more *-2.asm
 3152 	files, and corresponding HAVE_NATIVE_* defines. Recognize PROLOGUE
 3153 	macro in asm files, also when not at the start of the line.
 3154 
 3155 2015-01-20  Niels Möller  <nisse@lysator.liu.se>
 3156 
 3157 	* fat-arm.c (get_arm_features): Check NETTLE_FAT_OVERRIDE
 3158 	environment variable.
 3159 
 3160 	* fat-x86_64.c (get_x86_features): New function. Check
 3161 	NETTLE_FAT_OVERRIDE environment variable.
 3162 	(fat_init): Use it.
 3163 
 3164 	* fat-setup.h (secure_getenv) [!HAVE_SECURE_GETENV]: Dummy
 3165 	definition, returning NULL.
 3166 	(ENV_OVERRIDE): New constant.
 3167 
 3168 	* configure.ac: Check for secure_getenv function.
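
An added illustration of the two fat-library entries above, the pointer check in DEFINE_FAT_FUNC (2015-01-23) and the NETTLE_FAT_OVERRIDE lookup through secure_getenv (2015-01-20). This is example code written for this page, not Nettle's fat-setup.h; memxor_fast, fat_select, the EXAMPLE_FAT_OVERRIDE variable and its "none" value are this example's own assumptions, and the privilege check is a portable stand-in for secure_getenv:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef void (*memxor_func)(unsigned char *dst, const unsigned char *src, size_t n);

/* Portable C implementation, always available. */
void
memxor_generic(unsigned char *dst, const unsigned char *src, size_t n)
{
  size_t i;
  for (i = 0; i < n; i++)
    dst[i] ^= src[i];
}

/* Stands in for the CPU-specific variant (sse2, neon, ...): same
   result, different code path. */
void
memxor_fast(unsigned char *dst, const unsigned char *src, size_t n)
{
  size_t i = 0, k;
  for (; i + 8 <= n; i += 8)
    for (k = 0; k < 8; k++)
      dst[i + k] ^= src[i + k];
  for (; i < n; i++)
    dst[i] ^= src[i];
}

/* Read an override variable only when the process is not privileged.
   glibc's secure_getenv consults the AT_SECURE auxv flag; this portable
   approximation (assumption: POSIX uid/gid calls) compares real and
   effective ids. Where a platform offers no such check, the right
   fallback is the one the entry describes: return NULL and ignore the
   environment, so a setuid program cannot be steered onto a chosen
   code path by whoever set its environment. */
const char *
safe_getenv(const char *name)
{
  if (getuid() != geteuid() || getgid() != getegid())
    return NULL;
  return getenv(name);
}

/* Choose an implementation from the CPU probe result and the override
   string (NULL when unset). "none" is this example's spelling for "use
   the generic code", not Nettle's NETTLE_FAT_OVERRIDE syntax. An
   override can only turn a fast path off, never enable one the CPU did
   not report. */
memxor_func
fat_select(int have_fast, const char *override)
{
  if (override != NULL && strcmp(override, "none") == 0)
    return memxor_generic;
  return have_fast ? memxor_fast : memxor_generic;
}

static memxor_func memxor_impl = NULL;   /* resolved on first use */

static int
cpu_probe(void)
{
  return 1;   /* constructed: stands in for a cpuid / hwcap query */
}

static void
fat_init(void)
{
  memxor_impl = fat_select(cpu_probe(), safe_getenv("EXAMPLE_FAT_OVERRIDE"));
}

/* The wrapper tests the function pointer itself, not a separate
   "initialized" flag. A thread that sees a non-NULL value sees a
   complete pointer (one aligned word store on the targets concerned),
   and two threads that both see NULL both run fat_init and store the
   same value, which is harmless. With a separate flag, a reader could
   observe the flag as set before the pointer store became visible and
   jump through NULL. */
void
memxor_fat(unsigned char *dst, const unsigned char *src, size_t n)
{
  if (memxor_impl == NULL)
    fat_init();
  memxor_impl(dst, src, n);
}

int
memxor_fat_uses_fast_path(void)
{
  if (memxor_impl == NULL)
    fat_init();
  return memxor_impl == memxor_fast;
}

int
main(void)
{
  unsigned char a[20], b[20];
  size_t i;
  for (i = 0; i < sizeof a; i++) {
    a[i] = (unsigned char) i;
    b[i] = 0xff;
  }
  memxor_fat(a, b, sizeof a);
  printf("fast path: %d, a[0]=0x%02x, a[19]=0x%02x\n",
         memxor_fat_uses_fast_path(), a[0], a[19]);
  return 0;
}
```

Strictly, the unsynchronized pointer read is a data race under the C11 memory model; the argument in the entry rests on word-sized pointer stores being atomic on the supported targets. Anyone who needs the guarantee on paper rather than in practice should replace the raw pointer with an atomic or a call-once primitive, which is also where the ifunc resolver from the 2015-01-13 entry sits when the linker supports it.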
 3169 
 3170 2015-01-19  Niels Möller  <nisse@lysator.liu.se>
 3171 
 3172 	* configure.ac: Fat library setup for arm.
 3173 	* fat-arm.c: New file.
 3174 	* arm/fat/aes-encrypt-internal.asm: New file.
 3175 	* arm/fat/aes-encrypt-internal-2.asm: New file.
 3176 	* arm/fat/aes-decrypt-internal.asm: New file.
 3177 	* arm/fat/aes-decrypt-internal-2.asm: New file.
 3178 
 3179 	* Makefile.in (DISTFILES): Added fat-setup.h.
 3180 
 3181 	* fat-setup.h: New file, declarations moved from...
 3182 	* fat-x86_64.c: ... old location.
 3183 
 3184 2015-01-17  Niels Möller  <nisse@lysator.liu.se>
 3185 
 3186 	* fat-x86_64.c (DECLARE_FAT_FUNC, DEFINE_FAT_FUNC)
 3187 	(DECLARE_FAT_FUNC_VAR): New macros, to define needed resolver and
 3188 	wrapper functions.
 3189 
 3190 	* config.m4.in (SYMBOL_PREFIX): Define from autoconf
 3191 	ASM_SYMBOL_PREFIX.
 3192 	(C_NAME): Move definition to...
 3193 	* asm.m4 (C_NAME): Define here, also take fat_transform.
 3194 	(fat_suffix): Replaced by...
 3195 	(fat_transform): New macro, taking symbol name as argument.
 3196 	Updated all uses of fat_suffix.
 3197 	* fat-x86_64.c: Updated for internal "_nettle" prefix on
 3198 	cpu-specific memxor functions.
 3199 
 3200 	* fat-x86_64.c: Set up for sse2 vs non-sse2 memxor. Patch by Nikos
 3201 	Mavrogiannopoulos.
 3202 	* configure.ac (asm_nettle_optional_list): Added memxor-2.asm.
 3203 	* x86_64/fat/memxor-2.asm: New file.
 3204 	* x86_64/fat/memxor.asm: New file.
 3205 
 3206 	* x86_64/memxor.asm: Use ifdef, not ifelse, for testing USE_SSE2.
 3207 
 3208 2015-01-16  Niels Möller  <nisse@lysator.liu.se>
 3209 
 3210 	* configure.ac (OPT_NETTLE_SOURCES): New substituted variable.
 3211 	(asm_path): Fixed x86_64 fat setup. Include only x86_64 and
 3212 	x86_64/fat in the asm_path. Put fat-x86_64.c in
 3213 	OPT_NETTLE_SOURCES, with no symlinking.
 3214 
 3215 	* fat-x86_64.c: Renamed,...
 3216 	* x86_64/fat/fat.c: ... from old name.
 3217 
 3218 2015-01-13  Niels Möller  <nisse@lysator.liu.se>
 3219 
 3220 	* x86_64/fat/fat.c: For constructor hack, check
 3221 	HAVE_GCC_ATTRIBUTE, not __GNUC__. Also support sun compilers, as
 3222 	suggested by Nikos Mavrogiannopoulos, and attach the constructor
 3223 	attribute directly to fat_init.
 3224 	(fat_constructor): Deleted wrapper function.
 3225 
 3226 	* x86_64/fat/fat.c: New file, initialization for x86_64 fat
 3227 	library.
 3228 
 3229 	* x86_64/fat/cpuid.asm (_nettle_cpuid): New file and function.
 3230 
 3231 	* x86_64/fat/aes-encrypt-internal.asm: New file, including
 3232 	x86_64/aes-encrypt-internal.asm, after setting fat_suffix to
 3233 	_x86_64.
 3234 	* x86_64/fat/aes-decrypt-internal.asm: New file, analogous setup.
 3235 	* x86_64/fat/aes-encrypt-internal-2.asm: New file, including
 3236 	x86_64/aesni/aes-encrypt-internal.asm, after setting fat_suffix to
 3237 	_aesni.
 3238 	* x86_64/fat/aes-decrypt-internal-2.asm: New file, analogous
 3239 	setup.
 3240 
 3241 	* configure.ac: New command line option --enable-fat.
 3242 	(asm_nettle_optional_list): Added cpuid.asm, fat.c,
 3243 	aes-encrypt-internal-2.asm, and aes-decrypt-internal-2.asm.
 3244 
 3245 	* asm.m4 (fat_suffix): New suffix added to symbol names.
 3246 
 3247 	* x86_64/aesni/aes-encrypt-internal.asm: Use explicit .byte
 3248 	sequences for aes instructions, don't rely on assembler support.
 3249 	* x86_64/aesni/aes-decrypt-internal.asm: Likewise.
 3250 
 3251 	* aclocal.m4 (NETTLE_CHECK_IFUNC): New macro, checking for ifunc
 3252 	and setting HAVE_LINK_IFUNC if working.
 3253 	* configure.ac: Use it.
 3254 
 3255 2015-01-12  Niels Möller  <nisse@lysator.liu.se>
 3256 
 3257 	* asm.m4 (DECLARE_FUNC): New macro, extracted from PROLOGUE.
 3258 	(PROLOGUE): Use it.
 3259 
 3260 	* configure.ac (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Renamed
 3261 	substituted variables, and list the object files rather than
 3262 	source files.
 3263 	(OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES): ...Old names.
 3264 	* Makefile.in (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Use new
 3265 	variables.
 3266 
 3267 2015-01-11  Niels Möller  <nisse@lysator.liu.se>
 3268 
 3269 	* x86_64/aesni/aes-decrypt-internal.asm: New file.
 3270 	* x86_64/aesni/aes-encrypt-internal.asm: New file.
 3271 	* configure.ac: New configure flag --enable-x86-aesni.
 3272 
 3273 	* aclocal.m4 (LSH_RPATH_INIT): Handle freebsd, in the same way as
 3274 	gnu/linux, with -Wl,-rpath,.
 3275 
 3276 	Merged memxor-reorg changes, starting at 2014-10-23.
 3277 
 3278 2015-01-10  Niels Möller  <nisse@lysator.liu.se>
 3279 
 3280 	* arm/memxor.asm (memxor3): Moved to new file.
 3281 	* arm/memxor3.asm: New file.
 3282 
 3283 2014-11-24  Niels Möller  <nisse@lysator.liu.se>
 3284 
 3285 	* x86_64/memxor3.asm (memxor3): New file, code moved from old
 3286 	memxor.asm.
 3287 	* x86_64/memxor.asm (memxor): Rewritten, no longer jumps into
 3288 	memxor3.
 3289 
 3290 	* configure.ac (asm_replace_list): Added memxor.asm and
 3291 	memxor3.asm.
 3292 
 3293 2014-10-23  Niels Möller  <nisse@lysator.liu.se>
 3294 
 3295 	* configure.ac (IF_ASM): New substituted variable.
 3296 	* testsuite/Makefile.in (VALGRIND): Allow partial loads only when
 3297 	build includes assembly files.
 3298 
 3299 	* memxor-internal.h (READ_PARTIAL): New macro.
 3300 	* memxor.c (memxor_different_alignment): Avoid out-of-bounds
 3301 	reads, corresponding to valgrind's --partial-loads-ok. Use
 3302 	READ_PARTIAL.
 3303 	* memxor3.c: Analogous changes for unaligned operations.
 3304 
 3305 	* configure.ac (asm_replace_list): Deleted memxor.asm, now
 3306 	incompatible with the memxor/memxor3 split.
 3307 
 3308 	* memxor3.c: New file, split off from memxor.c.
 3309 	* memxor-internal.h: New file, declarations shared by memxor.c and
 3310 	memxor3.c.
 3311 	* memxor.c: memxor3 functions moved out from this file.
 3312 	* Makefile.in (nettle_SOURCES): Added memxor3.c.
 3313 	(DISTFILES): Added memxor-internal.h.
 3314 
 3315 	* memxor.c (memxor_common_alignment, memxor_different_alignment)
 3316 	(memxor): Change loop order, iterate from the end.
 3317 	(memxor3_common_alignment): Unroll twice.
 3318 	(word_t): On x86_64, unconditionally define as uint64_t, to get 64
 3319 	bits also in M$ windows. Replaced all uses of SIZEOF_LONG.
 3320 
 3321 2014-12-12  Niels Möller  <nisse@lysator.liu.se>
 3322 
 3323 	* cbc.h (CBC_ENCRYPT, CBC_DECRYPT): Make type-checking hack
 3324 	stricter, warn if type of length argument is smaller than size_t.
 3325 	* ctr.h (CTR_CRYPT): Likewise.
 3326 	* eax.h (EAX_SET_KEY, EAX_SET_NONCE, EAX_UPDATE, EAX_ENCRYPT)
 3327 	(EAX_DECRYPT, EAX_DIGEST): Likewise.
 3328 	* gcm.h (GCM_SET_KEY, GCM_ENCRYPT, GCM_DECRYPT, GCM_DIGEST):
 3329 	Likewise.
 3330 
 3331 2014-12-08  Niels Möller  <nisse@lysator.liu.se>
 3332 
 3333 	* aclocal.m4 (LD_VERSION_SCRIPT): Linker scripts no longer located
 3334 	in the source tree.
 3335 
 3336 	* configure.ac (LIBNETTLE_MAJOR): Bump major number, now 6.
 3337 	(LIBHOGWEED_MAJOR): Bump major number, now 5.
 3338 
 3339 	From Nikos Mavrogiannopoulos. Support for versioned symbols.
 3340 	* aclocal.m4 (LD_VERSION_SCRIPT): New macro. Substitute
 3341 	EXTRA_LINKER_FLAGS and EXTRA_HOGWEED_LINKER_FLAGS.
 3342 	* configure.ac: Use LD_VERSION_SCRIPT. Generate libnettle.map
 3343 	and libhogweed.map.
 3344 	(HOGWEED_EXTRA_SYMBOLS): New substituted variable.
 3345 	* libnettle.map.in: New file, libnettle.so linker script.
 3346 	* libhogweed.map.in: New file, libhogweed.so linker script.
 3347 	* Makefile.in ($(LIBNETTLE_FORLINK)): Use EXTRA_LINKER_FLAGS.
 3348 	($(LIBHOGWEED_FORLINK)): Use EXTRA_HOGWEED_LINKER_FLAGS.
 3349 
 3350 2014-11-24  Niels Möller  <nisse@lysator.liu.se>
 3351 
 3352 	* gcm.h (GCM_SET_KEY): Rename macro argument KEY to avoid
 3353 	collision with a struct tag. Spotted by Nikos Mavrogiannopoulos.
 3354 
 3355 	* testsuite/eddsa-verify-test.c (test_eddsa): Fixed test case bug,
 3356 	showing up as use of uninitialized data with valgrind.
 3357 
 3358 2014-10-23  Niels Möller  <nisse@lysator.liu.se>
 3359 
 3360 	* examples/nettle-benchmark.c (time_memxor): Allocate buffers as
 3361 	arrays of unsigned long, for more reliable alignment.
 3362 
 3363 2014-10-22  Niels Möller  <nisse@lysator.liu.se>
 3364 
 3365 	* configure.ac: Check for getline function.
 3366 	* testsuite/ed25519-test.c (getline) [!HAVE_GETLINE]: Fallback
 3367 	definition.
 3368 
 3369 	* Makefile.in (clean-here): Unconditionally delete .so and .dll
 3370 	files.
 3371 	(IMPLICIT_TARGETS): Deleted variable.
 3372 
 3373 2014-10-21  Niels Möller  <nisse@lysator.liu.se>
 3374 
 3375 	* testsuite/ed25519-test.c: New test case. Optionally reads the
 3376 	file pointed to by $ED25519_SIGN_INPUT.
 3377 
 3378 	* testsuite/testutils.c (tstring_hex): Rewrite, using Nettle's
 3379 	base16 functions.
 3380 	(decode_hex, decode_hex_length): Deleted functions.
 3381 
 3382 2014-10-20  Niels Möller  <nisse@lysator.liu.se>
 3383 
 3384 	* eddsa.h (ED25519_KEY_SIZE): New constant.
 3385 	(ED25519_SIGNATURE_SIZE): New constant.
 3386 	(struct ed25519_private_key): New struct.
 3387 	(struct ed25519_public_key): New struct.
 3388 
 3389 	* ed25519-sha512-sign.c (ed25519_sha512_set_private_key)
 3390 	(ed25519_sha512_sign): New file and functions.
 3391 	* ed25519-sha512-verify.c (ed25519_sha512_set_public_key)
 3392 	(ed25519_sha512_verify): New file and functions.
 3393 	* Makefile.in (hogweed_SOURCES): Added ed25519-sha512-sign.c and
 3394 	ed25519-sha512-verify.c.
 3395 
 3397 2014-10-18  Niels Möller  <nisse@lysator.liu.se>
 3398 
 3399 	* eddsa-verify.c (_eddsa_verify): Change argument order, putting A
 3400 	before ctx.
 3401 	* eddsa.h: Updated prototype.
 3402 	* testsuite/eddsa-verify-test.c (test_eddsa): Updated
 3403 	_eddsa_verify calls.
 3404 
 3405 2014-10-14  Niels Möller  <nisse@lysator.liu.se>
 3406 
 3407 	* eddsa-verify.c (equal_h): New function.
 3408 	(_eddsa_verify): Use it for a proper point compare, replacing an
 3409 	ecc_add_ehh.
 3410 
 3411 	* testsuite/eddsa-verify-test.c: New testcase.
 3412 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 3413 	eddsa-verify-test.c.
 3414 
 3415 	* eddsa-verify.c (_eddsa_verify, eddsa_verify_itch): New file, new
 3416 	functions.
 3417 	* eddsa.h: Declare new functions.
 3418 	* Makefile.in (hogweed_SOURCES): Added eddsa-verify.c.
 3419 
 3420 2014-10-08  Niels Möller  <nisse@lysator.liu.se>
 3421 
 3422 	* testsuite/eddsa-sign-test.c (test_eddsa_sign): Use
 3423 	_eddsa_expand_key, and check its public key output.
 3424 
 3425 	* eddsa-expand.c (_eddsa_expand_key): New file, new function.
 3426 	* eddsa.h (_eddsa_expand_key): Declare it.
 3427 	* Makefile.in (hogweed_SOURCES): Added eddsa-expand.c.
 3428 
 3429 	* eddsa-sign.c: Drop unneeded include of nettle-internal.h.
 3430 
 3431 2014-10-04  Niels Möller  <nisse@lysator.liu.se>
 3432 
 3433 	* testsuite/eddsa-sign-test.c: New testcase.
 3434 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 3435 	eddsa-sign-test.c.
 3436 
 3437 	* eddsa-sign.c (_eddsa_sign, _eddsa_sign_itch): New file, new
 3438 	functions.
 3439 	* eddsa-hash.c (_eddsa_hash): New file and function.
 3440 	* eddsa.h: Declare new functions.
 3441 	* Makefile.in (hogweed_SOURCES): Added eddsa-hash.c and
 3442 	eddsa-sign.c.
 3443 
 3444 2014-10-03  Niels Möller  <nisse@lysator.liu.se>
 3445 
 3446 	* testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Enable test.
 3447 	(test_main): Replace gmp_fprintf calls.
 3448 	* testsuite/ecc-mul-a-test.c: Likewise.
 3449 	* testsuite/ecc-mul-g-test.c: Likewise.
 3450 
 3451 	* testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Enable test.
 3452 	(ref_modinv): Use mpz_gcdext, instead of mpn_gcdext.
 3453 	(test_modulo): Replace gmp_fprintf calls.
 3454 
 3455 	* testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Enable test.
 3456 	(ref_mod): Use mpz_mod and mpz_limbs_copy, instead of mpn_tdiv_qr.
 3457 	(test_modulo): Replace gmp_fprintf calls by plain fprintf and
 3458 	mpn_out_str.
 3459 
 3460 	* testsuite/testutils.c (mpn_out_str): New function, needed to
 3461 	replace uses of gmp_fprintf.
 3462 
 3463 	* testsuite/ecc-sqrt-test.c (mpz_ui_kronecker)
 3464 	[NETTLE_USE_MINI_GMP]: New fallback definition when building with
 3465 	mini-gmp.
 3466 	* testsuite/testutils.c (gmp_randinit_default)
 3467 	[NETTLE_USE_MINI_GMP]: Likewise.
 3468 	(mpz_urandomb): Likewise.
 3469 	* testsuite/testutils.h (gmp_randstate_t) [NETTLE_USE_MINI_GMP]:
 3470 	Fallback typedef, using knuth_lfib_ctx.
 3471 
 3472 2014-10-02  Niels Möller  <nisse@lysator.liu.se>
 3473 
 3474 	* testsuite/eddsa-compress-test.c: New testcase.
 3475 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 3476 	eddsa-compress-test.c.
 3477 
 3478 	* eddsa-decompress.c (_eddsa_decompress): New file, new function.
 3479 	* eddsa-compress.c (_eddsa_compress): New file, new function.
 3480 	* eddsa.h: New file.
 3481 	* Makefile.in (HEADERS): Added eddsa.h.
 3482 	(hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c.
 3483 
 3484 	* testsuite/ecc-sqrt-test.c: New test case.
 3485 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 3486 	ecc-sqrt-test.c.
 3487 
 3488 	* ecc-25519.c (PHIGH_BITS): Always define this constant.
 3489 	(ecc_25519_zero_p): New function.
 3490 	(ecc_25519_sqrt): Take a ratio u/v as input. Added scratch
 3491 	argument. Made static.
 3492 	* ecc-internal.h (ecc_mod_sqrt_func): New typedef.
 3493 	(struct ecc_modulo): Added sqrt_itch and sqrt function pointer.
 3494 	Updated all instances.
 3495 	(ecc_25519_sqrt): Deleted declaration, function now static.
 3496 
 3497 2014-09-24  Niels Möller  <nisse@lysator.liu.se>
 3498 
 3499 	* curve25519.h [__cplusplus]: Fixed extern "C" block.
 3500 
 3501 2014-09-23  Niels Möller  <nisse@lysator.liu.se>
 3502 
 3503 	* ecc-hash.c (ecc_hash): Changed argument type from struct
 3504 	ecc_curve to struct ecc_modulo. Updated callers.
 3505 	* testsuite/ecdsa-sign-test.c (test_main): Updated curve25519
 3506 	signature s. Changed since the hash value is truncated a few bits
 3507 	more, to match the size of q.
 3508 	* testsuite/ecdsa-verify-test.c (test_main): Likewise.
 3509 
 3510 	* testsuite/ecc-modinv-test.c (zero_p): New function, checking for
 3511 	zero modulo p.
 3512 	(test_modulo): Use zero_p. Switch to dynamic allocation. Updated
 3513 	for larger modinv result area, and use invert_itch.
 3514 
 3515 	* ecc-25519.c (ecc_mod_pow_2kp1): Renamed, and take a struct
 3516 	ecc_modulo * as argument.
 3517 	(ecc_modp_powm_2kp1): ... old name.
 3518 	(ecc_mod_pow_252m3): New function, extracted from ecc_25519_sqrt.
 3519 	(ecc_25519_inv): New modp invert function, about 5.5 times faster
 3520 	than ecc_mod_inv.
 3521 	(ecc_25519_sqrt): Use ecc_mod_pow_252m3.
 3522 	(nettle_curve25519): Point to ecc_25519_inv. Updated p.invert_itch
 3523 	and h_to_a_itch.
 3524 
 3525 	* ecc-internal.h (struct ecc_modulo): New field invert_itch.
 3526 	Updated all implementations.
 3527 	(ECC_EH_TO_A_ITCH): Updated, and take invert itch as an argument.
 3528 	* ecc-eh-to-a.c (ecc_eh_to_a_itch): Take invert scratch into account.
 3529 
 3530 	* testsuite/testutils.c (test_ecc_mul_h): Use ecc->h_to_a_itch.
 3531 
 3532 	* ecc-mod-inv.c (ecc_mod_inv): Interface change, make ap input
 3533 	const, and require 2n limbs at rp. Preparing for powm-based
 3534 	alternative implementations. Drop #if:ed out code and dp
 3535 	temporary. Updated all callers, more complicated cases described
 3536 	below.
 3537 	* ecc-internal.h (typedef ecc_mod_inv_func): Added const to input
 3538 	argument.
 3539 	(ECC_MOD_INV_ITCH): Renamed, was ECC_MODINV_ITCH, and reduced to
 3540 	2*n.
 3541 	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Overhauled allocation,
 3542 	putting mod_inv scratch at the end.
 3543 
 3544 2014-09-22  Niels Möller  <nisse@lysator.liu.se>
 3545 
 3546 	* ecc-random.c (ecc_mod_random): Renamed, and take a const struct
 3547 	ecc_modulo * as argument. Updated callers.
 3548 	(ecc_modq_random): ... old name.
 3549 
 3550 	* ecc-mod-arith.c: New file, replacing ecc-modp.c and ecc-modq.c.
 3551 	All functions take a struct ecc_modulo as argument.
 3552 	(ecc_mod_add, ecc_mod_sub, ecc_mod_mul_1, ecc_mod_addmul_1)
 3553 	(ecc_mod_submul_1, ecc_mod_mul, ecc_mod_sqr): New functions,
 3554 	replacing the corresponding ecc_modp_* functions. For convenience,
 3555 	old names are defined as macros wrapping the new functions.
 3556 	* ecc-modp.c: Deleted file.
 3557 	* ecc-modq.c: Deleted file.
 3558 	* Makefile.in (hogweed_SOURCES): Updated accordingly.
 3559 
 3560 	* testsuite/ecc-redc-test.c (test_main): Relaxed tests for which
 3561 	tests to run.
 3562 
 3563 	* testsuite/ecc-modinv-test.c (test_modulo): New function, same
 3564 	organization as in ecc-mod-test.c below.
 3565 
 3566 	* testsuite/ecc-mod-test.c (test_modulo): New function, testing
 3567 	one modulo. Replacing...
 3568 	(test_curve): ... old function.
 3569 	(test_main): Invoke test_modulo for p and q of each curve.
 3570 
 3571 	* ecc-internal.h (ecc_mod_inv_func): New typedef.
 3572 	(struct ecc_modulo): Added mp1h constant and invert function
 3573 	pointer. Updated all callers.
 3574 	* ecc-modp.c (ecc_modp_inv): Deleted wrapper function.
 3575 	* ecc-modq.c (ecc_modq_inv): Deleted wrapper function.
 3576 
 3577 	* ecc-mod-inv.c (ecc_mod_inv): Renamed file and function. Also
 3578 	take a struct ecc_modulo * as argument.
 3579 	* sec-modinv.c (sec_modinv): ... the old names. Deleted.
 3580 	* Makefile.in (hogweed_SOURCES): Updated accordingly.
 3581 
 3582 	* examples/ecc-benchmark.c (bench_modinv_powm, bench_curve):
 3583 	Updated benchmarking of mpn_sec_powm.
 3584 
 3585 	* ecc-internal.h (struct ecc_curve): Deleted redc function
 3586 	pointer. Use only reduce pointer, which is redc or modp as
 3587 	applicable. Updated all users.
 3588 	(struct ecc_modulo): Moved mod and reduce function pointers to
 3589 	this struct.
 3590 
 3591 	* ecc-generic-modp.c (ecc_generic_modp): Deleted file and
 3592 	function. We no longer need a wrapper around ecc_mod.
 3593 	* ecc-generic-modq.c (ecc_generic_modq): Likewise deleted.
 3594 	* Makefile.in (hogweed_SOURCES): Removed ecc-generic-modp.c and
 3595 	ecc-generic-modq.c.
 3596 
 3597 	* ecc-internal.h (typedef ecc_mod_func): Take a const struct
 3598 	ecc_modulo * argument, not const struct ecc_curve *. Updated all
 3599 	implementations and all callers.
 3600 
 3601 	* ecc-mod.c (ecc_mod): Use struct ecc_modulo to specify the
 3602 	modulo. Drop input size argument, always reduce from 2*size to
 3603 	size.
 3604 
 3605 	* ecc-internal.h (struct ecc_modulo): New struct, collecting
 3606 	constants needed for modulo arithmetic.
 3607 	(struct ecc_curve): Use struct ecc_modulo for p and q arithmetic.
 3608 	Updated all ecc-related files.
 3609 
 3610 2014-09-17  Niels Möller  <nisse@lysator.liu.se>
 3611 
 3612 	* gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn
 3613 	counter, making the function clear some bytes beyond the end of
 3614 	the output buffer. The bug triggered a make check failure on ARM.
 3615 
 3616 	* testsuite/testutils.c (ecc_curves): Include curve25519 in list.
 3617 	(test_ecc_mul_a): Include reference points for curve25519 (with
 3618 	Edwards coordinates). Allow n == 0 and n == 1, comparing to zero
 3619 	and the generator, respectively.
 3620 	* testsuite/ecc-add-test.c (point_zero_p): Deleted function.
 3621 	(test_main): Replace calls to point_zero_p by calls to
 3622 	test_ecc_mul_h with n == 0.
 3623 	* testsuite/ecc-dup-test.c: Likewise.
 3624 
 3625 	* testsuite/ecc-modinv-test.c (mpn_zero_p): Moved function, to...
 3626 	* testsuite/testutils.c (mpn_zero_p): New location. Also make
 3627 	non-static.
 3628 
 3629 	* testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add special case
 3630 	for curve25519.
 3631 
 3632 	* testsuite/ecc-mul-a-test.c (test_main): Fix point negation to
 3633 	support curve25519.
 3634 	* testsuite/ecc-mul-g-test.c (test_main): Likewise.
 3635 
 3636 	* ecc-a-to-eh.c (ecc_a_to_eh_itch, ecc_a_to_eh): Deleted file and
 3637 	functions.
 3638 	* ecc.h: Deleted corresponding declarations.
 3639 	* ecc-internal.h (ECC_A_TO_EH_ITCH): Deleted macro.
 3640 	* Makefile.in (hogweed_SOURCES): Removed ecc-a-to-eh.c.
 3641 
 3642 	* testsuite/ecdh-test.c (test_main): Update curve25519 test to use
 3643 	Edwards coordinates.
 3644 	* testsuite/ecdsa-sign-test.c (test_main): Likewise.
 3645 	* testsuite/ecdsa-verify-test.c (test_main): Likewise.
 3646 
 3647 	* ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery
 3648 	curve.
 3649 
 3650 	* ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point
 3651 	as input, not a Montgomery point. Hence, use ecc_a_to_j, not
 3652 	ecc_a_to_eh.
 3653 
 3654 	* ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates,
 3655 	don't transform from Edwards to Montgomery form. Also reduces
 3656 	scratch need slightly.
 3657 	* ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced.
 3658 
 3659 	* ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve
 3660 	function pointers.
 3661 
 3662 	* testsuite/curve25519-dup-test.c: Deleted file. In the way for
 3663 	conversion to Edwards coordinate convention, and in the end
 3664 	the tests will be done by ecc-dup-test.c.
 3665 	* testsuite/curve25519-add-test.c: Similarly deleted.
 3666 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Removed
 3667 	curve25519-dup-test.c and curve25519-add-test.c.
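
An added illustration of the mpn_get_base256_le fix at the top of the 2014-09-17 entry: a serializer whose write counter advances with every byte stored, so the zero padding at the end is bounded by the bytes that remain in the caller's buffer and nothing is written past it. This is example code written for this page, not Nettle's gmp-glue.c; limbs_to_base256_le and base256_le_to_limbs, the limb_t typedef and the "does not fit" return code are this example's own assumptions:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t limb_t;
#define LIMB_BYTES 8

/* Serialize the number held in limbs[0..ln) (least significant limb
   first) into exactly n bytes at out, little-endian, zero-padding the
   high end. rn is the write position and moves with every byte stored,
   and the final padding is bounded by n - rn, so out[n] and beyond are
   never touched however ln and n relate. Returns 0 on success, -1 if a
   non-zero byte of the number lies outside the n-byte window. */
int
limbs_to_base256_le(unsigned char *out, size_t n, const limb_t *limbs, size_t ln)
{
  size_t rn = 0;
  size_t i;

  for (i = 0; i < ln; i++) {
    limb_t w = limbs[i];
    int k;
    for (k = 0; k < LIMB_BYTES; k++) {
      unsigned char byte = (unsigned char) (w >> (8 * k));
      if (rn < n)
        out[rn++] = byte;
      else if (byte != 0)
        return -1;   /* significant byte would fall past the buffer */
    }
  }
  if (rn < n)
    memset(out + rn, 0, n - rn);   /* pad only what is left, never more */
  return 0;
}

/* The inverse, for round trips: parse n little-endian bytes into
   limbs[0..ln), which must have room for ceil(n / LIMB_BYTES) limbs.
   Returns the number of limbs that carry data, or 0 if ln is too small. */
size_t
base256_le_to_limbs(limb_t *limbs, size_t ln, const unsigned char *in, size_t n)
{
  size_t need = (n + LIMB_BYTES - 1) / LIMB_BYTES;
  size_t i;

  if (need > ln)
    return 0;
  memset(limbs, 0, ln * sizeof *limbs);
  for (i = 0; i < n; i++)
    limbs[i / LIMB_BYTES] |= (limb_t) in[i] << (8 * (i % LIMB_BYTES));
  return need;
}

int
main(void)
{
  /* Constructed 9-byte number, exported into a 12-byte field with a
     sentinel byte after it to show the boundary is respected. */
  limb_t num[2] = { 0x0102030405060708ULL, 0x09ULL }, back[2];
  unsigned char buf[13];
  size_t i;

  memset(buf, 0xee, sizeof buf);
  printf("export: %d, bytes:", limbs_to_base256_le(buf, 12, num, 2));
  for (i = 0; i < sizeof buf; i++)
    printf(" %02x", buf[i]);
  printf("\nround trip ok: %d\n",
         base256_le_to_limbs(back, 2, buf, 12) == 2
         && back[0] == num[0] && back[1] == num[1]);
  return 0;
}
```

The bug the entry fixes is of the kind that only shows on some targets (here ARM, under make check): a counter that is not advanced leaves the padding length computed from the wrong base, and whether the overrun lands on something that matters depends on stack layout. Asserting on a sentinel byte past the end, as the test below does, catches it on every target.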
 3668 
 3669 2014-09-16  Niels Möller  <nisse@lysator.liu.se>
 3670 
 3671 	* testsuite/ecc-add-test.c: New generalized testcase, to replace
 3672 	curve25519-add-test.c.
 3673 	* testsuite/ecc-dup-test.c: New generalized testcase, to replace
 3674 	curve25519-dup-test.c.
 3675 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-add-test.c
 3676 	and ecc-dup-test.c.
 3677 
 3678 2014-09-14  Niels Möller  <nisse@lysator.liu.se>
 3679 
 3680 	* testsuite/ecc-mul-a-test.c (test_main): Use struct ecc_curve
 3681 	function pointers.
 3682 	* testsuite/ecc-mul-g-test.c (test_main): Likewise.
 3683 
 3684 2014-09-09  Niels Möller  <nisse@lysator.liu.se>
 3685 
 3686 	* curve25519-mul.c (curve25519_mul): Switch to use Montgomery
 3687 	ladder. About 20% faster than current Edwards curve operations.
 3688 	Difference is expected to shrink when Edwards operations are
 3689 	optimized to take advantage of the twist, but it seems unlikely to
 3690 	get significantly faster than the Montgomery ladder.
 3691 
 3692 	* gmp-glue.c (cnd_swap): Moved function here, made non-static.
 3693 	Changed cnd type to mp_limb_t, for consistency with GMP
 3694 	mpn_cnd_add_n.
 3695 	* sec-modinv.c (cnd_swap): ... old location.
 3696 	* gmp-glue.h (cnd_swap): Declare function.
 3697 
 3698 2014-09-06  Niels Möller  <nisse@lysator.liu.se>
 3699 
 3700 	* examples/hogweed-benchmark.c (bench_curve25519_mul_g)
 3701 	(bench_curve25519_mul, bench_curve25519): New functions.
 3702 	(main): Added benchmarking of curve25519 functions.
 3703 
 3704 2014-09-03  Niels Möller  <nisse@lysator.liu.se>
 3705 
 3706 	* Makefile.in: Revert 2013-02-06 Makefile changes: use a single
 3707 	rule for transforming .asm to .o, and drop include of asm.d.
 3708 	Possible now since we generate a single object file from each asm
 3709 	file. This change also helps Solaris' make recognize .asm files.
 3710 	* config.make.in (.SUFFIXES): Drop .s from list.
 3711 	* configure.ac: Delete code to generate asm.d.
 3712 
 3713 	* Makefile.in: Delete all uses of *.po files, use the same object
 3714 	files for both shared and static libraries.
 3715 	* configure.ac (dummy-dep-files): Don't create any .po.d files.
 3716 
 3717 	* aclocal.m4 (LSH_CCPIC): Don't substitute CCPIC here, let
 3718 	configure.ac do that if needed.
 3719 
 3720 	* configure.ac (CCPIC_MAYBE, SHLIBCFLAGS): Deleted substituted
 3721 	variables. Instead, use CCPIC directly when compiling all library
 3722 	files.
 3723 	(CCPIC): Set to empty, if --disable-pic is used.
 3724 
 3725 	* config.make.in (SHLIBCFLAGS, CCPIC_MAYBE): Deleted.
 3726 	(COMPILE, COMPILE_CXX): Drop CCPIC. New variable EXTRA_CFLAGS,
 3727 	which can be set by individual Makefiles.
 3728 
 3729 	* Makefile.in (EXTRA_CFLAGS): Set using CCPIC.
 3730 	Also delete all uses of CCPIC_MAYBE and SHLIBCFLAGS.
 3731 
 3732 2014-09-02  Niels Möller  <nisse@lysator.liu.se>
 3733 
 3734 	* curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new
 3735 	function. The curve25519 transform currently done by ecc_eh_to_a,
 3736 	but which should eventually be eliminated from that function.
 3737 	* Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c.
 3738 	* ecc-internal.h (curve25519_eh_to_x): Declare it.
 3739 
 3740 	* curve25519-mul.c (curve25519_mul): Use it.
 3741 	* curve25519-mul-g.c (curve25519_mul_g): Likewise. Also introduce
 3742 	local variable ecc, and use ecc->mul_g_itch.
 3743 
 3744 2014-08-29  Niels Möller  <nisse@lysator.liu.se>
 3745 
 3746 	* testsuite/testutils.c (test_ecc_mul_j): Renamed, to ...
 3747 	(test_ecc_mul_h): ... new name. Use ecc->h_to_a function pointer.
 3748 	Updated callers.
 3749 
 3750 	* examples/ecc-benchmark.c (bench_add_jjj): Renamed, to ...
 3751 	(bench_add_hhh): ... new name. Use ecc->add_hhh function pointer.
 3752 	(bench_add_ehh): Deleted.
 3753 	(bench_curve): Use bench_add_hhh for all curves. Use ecc->mul_itch
 3754 	for scratch size.
 3755 
 3756 	Switch the curve25519 implementation to use the isomorphism to the
 3757 	twisted Edwards curve which is used for Ed25519 signatures.
 3758 	* eccdata.c (ecc_curve_init): Tweaked the transformation constant
 3759 	for the isomorphism between curve25519 and the twisted Edwards
 3760 	curve.
 3761 	* ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve.
 3762 	* ecc-add-eh.c (ecc_add_eh): Likewise.
 3763 	* ecc-dup-eh.c (ecc_dup_eh): Likewise.
 3764 
 3765 2014-08-28  Niels Möller  <nisse@lysator.liu.se>
 3766 
 3767 	* ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h,
 3768 	use ecc_size function instead.
 3769 
 3770 	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use the struct ecc_curve
 3771 	function pointers: mul, mul_g, add_hhh, h_to_a.
 3772 
 3773 	* ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed
 3774 	scratch depends on curve type, not just size.
 3775 	(ecc_add_func): New typedef.
 3776 	(struct ecc_curve): New function pointer add_hhh, and constant
 3777 	add_hhh_itch. Updated all instances.
 3778 
 3779 	* ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch
 3780 	function, not the corresponding macro.
 3781 	* ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch
 3782 	into account. Also reduce to 5*ecc->size + ecc->mul_itch.
 3783 
 3784 	* testsuite/ecdsa-sign-test.c (test_main): Added test for the
 3785 	obscure case of ecdsa using curve25519.
 3786 	* testsuite/ecdsa-verify-test.c (test_main): Likewise (depends on
 3787 	above changes).
 3788 
 3789 	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use mul_g and h_to_a function
 3790 	pointers. Implies (obscure) support for curve25519.
 3791 
 3792 	* ecc-25519.c (ecc_25519_modq): Access q via the ecc struct.
 3793 
 3794 	* ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a.
 3795 	The modulo q case (op == 2) is hardcoded for curve25519.
 3796 
 3797 	* ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert
 3798 	back from redc form. When producing x coordinate only, optionally
 3799 	reduce it modulo q. Completely changes the meaning of the "flags"
 3800 	argument, and renames it to "op". Update all users of this
 3801 	function or ecc->h_to_a.
 3802 
 3803 	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q
 3804 	feature.
 3805 	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise.
 3806 
 3807 	* testsuite/symbols-test: Regexp fixes, to better filter out
 3808 	get_pc_thunk functions.
 3809 
 3810 	* ecc-generic-redc.c (ecc_generic_redc): Deleted file and
 3811 	function. Split into...
 3812 	* ecc-pp1-redc.c (ecc_pp1_redc): New file and function.
 3813 	* ecc-pm1-redc.c (ecc_pm1_redc): New file and function.
 3814 	* ecc-internal.h: Updated declarations.
 3815 	* Makefile.in (hogweed_SOURCES): Replace ecc-generic-redc.c by
 3816 	ecc-pp1-redc.c and ecc-pm1-redc.c.
 3817 	* ecc-192.c: Use ecc_pp1_redc (benchmarking only).
 3818 	* ecc-224.c: Use ecc_pm1_redc when applicable.
 3819 	* ecc-256.c: Use ecc_pp1_redc when applicable.
 3820 	* ecc-384.c: Use ecc_pp1_redc (benchmarking only).
 3821 	* ecc-521.c: Use ecc_pp1_redc (benchmarking only).
 3822 	* testsuite/ecc-redc-test.c (test_main): Replace use of
 3823 	ecc_generic_redc by ecc_pp1_redc and ecc_pm1_redc.
 3824 
 3825 	* eccdata.c (output_curve): Don't output ecc_redc_g.
 3826 	* ecc-internal.h (struct ecc_curve): Deleted unused field redc_g.
 3827 	Updated all instances.
 3828 
 3829 2014-08-27  Niels Möller  <nisse@lysator.liu.se>
 3830 
 3831 	* ecc-modq.c (ecc_modq_inv): Use q_bit_size.
 3832 
 3833 	* ecc-internal.h (struct ecc_curve): New field q_bit_size. Updated
 3834 	all instances.
 3835 
 3836 	* configure.ac: Bumped package version number to 3.1.
 3837 	(LIBHOGWEED_MAJOR): Bumped library version to 4.0.
 3838 
 3839 	Merged curve25519 changes (starting at 2014-07-04).
 3840 	* Makefile.in (clean-here): Added ecc-25519.h.
 3841 
 3842 2014-08-26  Niels Möller  <nisse@lysator.liu.se>
 3843 
 3844 	* examples/ecc-benchmark.c (bench_mul_g, bench_mul_a): Use struct
 3845 	ecc_curve function pointers.
 3846 	(bench_mul_g_eh, bench_mul_a_eh): Deleted.
 3847 	(bench_curve): Make modq benchmark unconditional. Use bench_mul_g
 3848 	and bench_mul_a also for curve25519.
 3849 
 3850 	* testsuite/ecc-mod-test.c (test_curve): Make modq test
 3851 	unconditional, partially reverting 2014-07-04 change.
 3852 
 3853 	* ecc-25519.c (ecc_25519_modq): New function.
 3854 
 3855 	* eccdata.c (output_curve): Precomputation for curve25519 mod q.
 3856 
 3857 	* mini-gmp.c (mpz_abs_sub_bit): Do full normalization, needed in
 3858 	case the most significant bit is cleared.
 3859 
 3860 2014-08-25  Niels Möller  <nisse@lysator.liu.se>
 3861 
 3862 	* testsuite/ecdh-test.c (set_point): Check return value of
 3863 	ecc_point_set.
 3864 	(test_main): Enable curve25519 test.
 3865 
 3866 	* ecc-point-mul-g.c (ecc_point_mul_g): Use ecc->mul_g and
 3867 	ecc->h_to_a function pointers.
 3868 	* ecc-point-mul.c (ecc_point_mul): Use the ecc->mul and
 3869 	ecc->h_to_a function pointers.
 3870 
 3871 	* ecc-internal.h (ecc_mul_g_func, ecc_mul_func, ecc_h_to_a_func):
 3872 	New typedefs.
 3873 	(struct ecc_curve): New function pointers mul, mul_g, h_to_a, and
 3874 	constants for their scratch requirements. Updated all instances.
 3875 
 3876 	* ecc-point.c (ecc_point_set): Handle curve25519 as a special
 3877 	case, when checking if the point is on the curve.
 3878 
 3879 2014-08-24  Niels Möller  <nisse@lysator.liu.se>
 3880 
 3881 	* testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g,
 3882 	using test data generated by ecc-ref.gp. Tests for all curves
 3883 	except curve25519, which doesn't yet work with the general
 3884 	ecc_point interface.
 3885 
 3886 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c.
 3887 
 3888 	* misc/ecc-ref.gp: Script to generate ECDH test data.
 3889 
 3890 2014-08-23  Niels Möller  <nisse@lysator.liu.se>
 3891 
 3892 	* ecc-a-to-j.c (ecc_a_to_j): Deleted INITIAL argument.
 3893 	* ecc.h (ecc_a_to_j): Updated prototype.
 3894 	* ecc-mul-a.c (ecc_mul_a, table_init): Updated calls to ecc_a_to_j.
 3895 
 3896 	* ecc-mul-a.c (ecc_mul_a): Deleted INITIAL argument, all callers,
 3897 	except the tests, pass 1. Updated all callers.
 3898 	(table_init): Likewise deleted INITIAL.
 3899 	* ecc.h (ecc_mul_a): Updated prototype.
 3900 	* testsuite/ecc-mul-a-test.c (test_main): Deleted tests for
 3901 	ecc_mul_a with INITIAL == 0.
 3902 
 3903 	* ecc-internal.h (struct ecc_curve): Reordered struct, moved
 3904 	function pointers before pointers to bignum constants.
 3905 
 3906 	* sec-modinv.c (sec_modinv): Document that for a == 0 (mod m), we
 3907 	should produce the "inverse" 0.
 3908 
 3909 	* testsuite/ecc-modinv-test.c (test_main): Check that ecc_modp_inv
 3910 	produces 0 if a == 0 or a == p.
 3911 
 3912 2014-08-22  Niels Möller  <nisse@lysator.liu.se>
 3913 
 3914 	* x86_64/ecc-25519-modp.asm: New file. Assembly implementation,
 3915 	initial version yields 30% speedup of ecc_25519_modp. Early
 3916 	folding eliminates one pass of carry propagation, and yields
 3917 	almost 20% additional speedup.
 3918 
 3919 	* ecc-25519.c [HAVE_NATIVE_ecc_25519_modp]: Use assembly version
 3920 	if available.
 3921 
 3922 	* configure.ac (asm_hogweed_optional_list): Added ecc-25519-modp.asm.
 3923 	Also add HAVE_NATIVE_ecc_25519_modp to config.h.in.
 3924 
 3925 2014-08-19  Niels Möller  <nisse@lysator.liu.se>
 3926 
 3927 	* examples/ecc-benchmark.c (bench_curve): Support benchmarking of
 3928 	curve25519, for now handled as a special case.
 3929 	(curves): Added nettle_curve25519.
 3930 	(bench_dup_eh, bench_add_eh, bench_add_ehh, bench_mul_g_eh): New
 3931 	functions.
 3932 
 3933 2014-08-18  Niels Möller  <nisse@lysator.liu.se>
 3934 
 3935 	* testsuite/curve25519-dh-test.c (test_a): Use curve25519_mul.
 3936 	(test_main): Use little-endian inputs for test_a.
 3937 	(curve25519_sqrt, curve_25519): Deleted static helper functions,
 3938 	no longer needed.
 3939 
 3940 	* curve25519-mul.c (curve25519_mul): New file and function.
 3941 	* curve25519.h (curve25519_mul): Declare it.
 3942 	* Makefile.in (hogweed_SOURCES): Added curve25519-mul.c.
 3943 
 3944 	* curve25519-mul-g.c (curve25519_mul_g): Renamed file and
 3945 	function, updated callers.
 3946 	* curve25519-base.c (curve25519_base): ... old names.
 3947 	* Makefile.in (hogweed_SOURCES): Updated for rename.
 3948 
 3949 	* eccdata.c (output_curve): Compute constants needed for
 3950 	Shanks-Tonelli.
 3951 	* ecc-25519.c (ecc_modp_powm_2kp1, ecc_25519_sqrt): New functions.
 3952 	* ecc-internal.h (ecc_25519_sqrt): Declare it.
 3953 
 3954 2014-08-06  Niels Möller  <nisse@lysator.liu.se>
 3955 
 3956 	* testsuite/curve25519-dh-test.c (test_g): Use curve25519_base.
 3957 	(test_main): Use little-endian inputs for test_g.
 3958 
 3959 	* curve25519-base.c (curve25519_base): New file, new function.
 3960 	Analogous to NaCl's crypto_scalarmult_base.
 3961 	* curve25519.h: New file.
 3962 	* Makefile.in (hogweed_SOURCES): Added curve25519-base.c.
 3963 	(HEADERS): Added curve25519.h.
 3964 
 3965 	* gmp-glue.c (mpn_set_base256_le, mpn_get_base256_le): New functions.
 3966 	* gmp-glue.h: Declare them.
 3967 
 3968 2014-08-02  Niels Möller  <nisse@lysator.liu.se>
 3969 
 3970 	* testsuite/curve25519-dh-test.c (curve25519_sqrt): Fixed memory
 3971 	leak, a mpz_clear call was missing.
 3972 
 3973 	* ecc-internal.h (ECC_MUL_A_EH_WBITS): Set to 4, to enable
 3974 	window-based scalar multiplication.
 3975 
 3976 	* ecc-mul-a-eh.c (table_init) [ECC_MUL_A_EH_WBITS > 0]: Fixed
 3977 	initialization of TABLE(1).
 3978 
 3979 2014-07-29  Niels Möller  <nisse@lysator.liu.se>
 3980 
 3981 	* ecc-internal.h (ECC_MUL_A_EH_WBITS): New constant.
 3982 	(ECC_A_TO_EH_ITCH, ECC_MUL_A_EH_ITCH): New macros.
 3983 	* ecc-a-to-eh.c (ecc_a_to_eh, ecc_a_to_eh_itch): New file, new
 3984 	functions.
 3985 	* ecc-mul-a-eh.c: New file.
 3986 	(ecc_mul_a_eh): New function. The case [ECC_MUL_A_EH_WBITS > 0] is
 3987 	not yet working.
 3988 	(ecc_mul_a_eh_itch): New function.
 3989 	* ecc.h: Declare new functions.
 3990 	* Makefile.in (hogweed_SOURCES): Added ecc-a-to-eh.c and
 3991 	ecc-mul-a-eh.c.
 3992 
 3993 	* testsuite/curve25519-dh-test.c (curve25519_sqrt): New function.
 3994 	(curve_25519): Use ecc_mul_a_eh.
 3995 	(test_a): New function.
 3996 	(test_main): Test construction of shared secret, using scalar
 3997 	multiplication with points other than the fixed generator.
 3998 
 3999 2014-07-26  Niels Möller  <nisse@lysator.liu.se>
 4000 
 4001 	* ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need.
 4002 	* ecc-internal.h (ECC_ADD_EHH_ITCH): Reduced to 7*size.
 4003 
 4004 2014-07-23  Niels Möller  <nisse@lysator.liu.se>
 4005 
 4006 	* testsuite/curve25519-dh-test.c: New test case, based on
 4007 	draft-josefsson-tls-curve25519-05 test vectors.
 4008 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dh-test.c.
 4009 
 4010 2014-07-18  Niels Möller  <nisse@lysator.liu.se>
 4011 
 4012 	* ecc-mul-g-eh.c (ecc_mul_g_eh, ecc_mul_g_eh_itch): New file and
 4013 	functions. Untested.
 4014 	* ecc.h (ecc_mul_g_eh_itch): Declare new functions.
 4015 	* ecc-internal.h (ECC_MUL_G_EH_ITCH): New macro.
 4016 	* Makefile.in (hogweed_SOURCES): Added ecc-mul-g-eh.c.
 4017 
 4018 2014-07-17  Niels Möller  <nisse@lysator.liu.se>
 4019 
 4020 	* ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
 4021 	* ecc-internal.h (ECC_ADD_EH_ITCH): Reduced to 6*size.
 4022 
 4023 	* testsuite/curve25519-dup-test.c (test_main): Free allocated
 4024 	storage.
 4025 
 4026 2014-07-15  Niels Möller  <nisse@lysator.liu.se>
 4027 
 4028 	* ecc-add-eh.c (ecc_add_eh, ecc_add_eh_itch): New file, new
 4029 	functions.
 4030 	* ecc.h: Declare new functions.
 4031 	* ecc-internal.h (ECC_ADD_EH_ITCH): New macro.
 4032 	* Makefile.in (hogweed_SOURCES): Added ecc-add-eh.c.
 4033 	* testsuite/curve25519-add-test.c (test_main): Test ecc_add_eh.
 4034 	Additional test for g2+g2. Free allocated storage.
 4035 
 4036 2014-07-14  Niels Möller  <nisse@lysator.liu.se>
 4037 
 4038 	* testsuite/curve25519-add-test.c: New test case.
 4039 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 4040 	curve25519-add-test.c.
 4041 
 4042 	* ecc-add-ehh.c (ecc_add_ehh, ecc_add_ehh_itch): New file, new
 4043 	functions.
 4044 	* ecc.h (ecc_add_ehh, ecc_add_ehh_itch): Declare them.
 4045 	* ecc-internal.h (ECC_ADD_EHH_ITCH): New macro.
 4046 	* Makefile.in (hogweed_SOURCES): Added ecc-add-ehh.c.
 4047 
 4048 	* ecc-25519.c (nettle_curve25519): Use ecc_d instead of ecc_b.
 4049 
 4050 	* eccdata.c: For curve25519, output the Edwards curve constant,
 4051 	ecc_d = (121665/121666) mod p.
 4052 
 4053 	* testsuite/curve25519-dup-test.c (test_main): Add test for 4g.
 4054 	Delete some left-over debug output.
 4055 
 4056 2014-07-11  Niels Möller  <nisse@lysator.liu.se>
 4057 
 4058 	* misc/ecc-formulas.tex: Some ECC notes.
 4059 
 4060 	* testsuite/curve25519-dup-test.c: New testcase.
 4061 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 4062 	curve25519-dup-test.c.
 4063 
 4064 	* testsuite/testutils.c (test_ecc_point): Made non-static.
 4065 	* testsuite/testutils.h (struct ecc_ref_point): Moved here, from
 4066 	testutils.c.
 4067 	(test_ecc_point): Declare it.
 4068 
 4069 	* ecc-dup-eh.c (ecc_dup_eh, ecc_dup_eh_itch): New file, new functions.
 4070 	* ecc-eh-to-a.c (ecc_eh_to_a, ecc_eh_to_a_itch): New file, new
 4071 	functions.
 4072 	* ecc.h: Declare new functions.
 4073 	* ecc-internal.h (ECC_EH_TO_A_ITCH, ECC_DUP_EH_ITCH): New macros.
 4074 	* Makefile.in (hogweed_SOURCES): Added ecc-dup-eh.c and
 4075 	ecc-eh-to-a.c.
 4076 
 4077 	* ecc-internal.h (struct ecc_curve): New constant edwards_root.
 4078 	* ecc-192.c (nettle_secp_192r1): Updated accordingly, additional
 4079 	NULL pointer.
 4080 	* ecc-224.c (nettle_secp_224r1): Likewise.
 4081 	* ecc-256.c (nettle_secp_256r1): Likewise.
 4082 	* ecc-384.c (nettle_secp_384r1): Likewise.
 4083 	* ecc-521.c (nettle_secp_521r1): Likewise.
 4084 	* ecc-25519.c (nettle_curve25519): Initialize new constant.
 4085 
 4086 	* eccdata.c (ecc_curve_init): For curve25519, use correct
 4087 	constant for Edwards coordinate transform, and output the constant
 4088 	as ecc_edwards.
 4089 
 4090 2014-07-06  Niels Möller  <nisse@lysator.liu.se>
 4091 
 4092 	* eccdata.c: Use separate is_zero flag to represent the neutral
 4093 	element.
 4094 	(output_point, output_point_redc): Unified to a single function,
 4095 	with a use_redc flag argument. Also support conversion to Edwards
 4096 	form.
 4097 	(ecc_curve_init_str): New argument for Edwards curve conversion
 4098 	constant.
 4099 
 4100 2014-07-04  Niels Möller  <nisse@lysator.liu.se>
 4101 
 4102 	Started curve25519 branch.
 4103 	* ecc-25519.c: New file.
 4104 	(ecc_25519_modp): New function.
 4105 	(nettle_curve25519): New curve.
 4106 
 4107 	* ecc-curve.h (nettle_curve25519): Declare it.
 4108 
 4109 	* Makefile.in (hogweed_SOURCES): Added ecc-25519.c.
 4110 	(ecc-25519.h): New generated file. Add as explicit dependency for
 4111 	ecc-25519.o.
 4112 
 4113 	* testsuite/ecc-mod-test.c (test_curve): New function, extracted
 4114 	from test_main. Tolerate NULL modq function pointer.
 4115 	(test_main): Use test_curve, iterate over supported curves, and
 4116 	also test curve_25519 for the new modp function.
 4117 
 4118 2014-08-23  Niels Möller  <nisse@lysator.liu.se>
 4119 
 4120 	* ecc-modp.c (ecc_modp_sub_1): Deleted unused function.
 4121 	* ecc-internal.h: Deleted corresponding declaration.
 4122 
 4123 	* examples/nettle-benchmark.c (time_cipher): Fixed memset calls,
 4124 	amending the totally broken change from 2014-02-06.
 4125 
 4126 2014-07-02  Niels Möller  <nisse@lysator.liu.se>
 4127 
 4128 	* eccdata.c (ecc_dup): Use mpz_submul_ui, now available in
 4129 	mini-gmp.
 4130 	(ecc_type): New enum, for Weierstrass and Montgomery curves.
 4131 	(ecc_curve): New field type.
 4132 	(ecc_dup): Support Montgomery curves.
 4133 	(ecc_add): Likewise.
 4134 	(ecc_curve_init_str): New argument, for the curve type.
 4135 	(ecc_curve_init): Pass curve type to all ecc_curve_init_str calls.
 4136 	Recognize curve25519, for bit_size 255.
 4137 	(output_modulo): Deleted assert, which isn't true for curve25519.
 4138 
 4139 2014-06-30  Niels Möller  <nisse@lysator.liu.se>
 4140 
 4141 	* camellia-absorb.c: Include <limits.h>, needed for correct use of
 4142 	HAVE_NATIVE_64_BIT. Reported and debugged by Magnus Holmgren.
 4143 	Fixes debian build failure on s390x.
 4144 
 4145 2014-06-26  Niels Möller  <nisse@lysator.liu.se>
 4146 
 4147 	From Martin Storsjö:
 4148 	* configure.ac (IF_NOT_SHARED): New substituted variable.
 4149 	* hogweed.pc.in: Use @LIBS@, instead of hardcoding -lgmp. When
 4150 	shared libraries are disabled, move needed libraries from
 4151 	Requires.private: to Requires: and from Libs.private: to Libs:.
 4152 
 4153 	From Nikos Mavrogiannopoulos:
 4154 	* examples/hogweed-benchmark.c (bench_alg): Tolerate alg->init
 4155 	returning NULL.
 4156 	(bench_openssl_ecdsa_init): Return NULL if
 4157 	EC_KEY_new_by_curve_name fails, indicating the curve is not
 4158 	supported.
 4159 
 4160 2014-06-25  Niels Möller  <nisse@lysator.liu.se>
 4161 
 4162 	Support for building with mini-gmp instead of the real GMP. Loosely
 4163 	based on work by Nikos Mavrogiannopoulos.
 4164 	* configure.ac: New command line option --enable-mini-gmp. Also
 4165 	disable all libgmp-related checks when enabled.
 4166 	(NETTLE_USE_MINI_GMP): New substituted variable.
 4167 	(LIBHOGWEED_LIBS): Use $(LIBS) instead of -lgmp.
 4168 	(IF_MINI_GMP): New Makefile conditional.
 4169 	(GMP_NUMB_BITS): Alternative test for the mini-gmp case.
 4170 	Substituted also in bignum.h.
 4171 	(HAVE_MPZ_POWM_SEC): Drop this unused check.
 4172 
 4173 	* bignum.h: Renamed, to...
 4174 	* bignum.h.in: New name.
 4175 	(NETTLE_USE_MINI_GMP): Substituted by configure.
 4176 	(GMP_NUMB_BITS): Substituted by configure, for the mini-gmp case.
 4177 
 4178 	* Makefile.in (OPT_HOGWEED_SOURCES): New variable, value
 4179 	conditional on @IF_MINI_GMP@.
 4180 	(hogweed_SOURCES): Add $(OPT_HOGWEED_SOURCES).
 4181 	(PRE_CPPFLAGS): Add -I$(srcdir).
 4182 	(HEADERS): Delete bignum.h.
 4183 	(INSTALL_HEADERS): Add bignum.h. Also add mini-gmp.h, if mini-gmp
 4184 	is enabled.
 4185 	(DISTFILES): Added bignum.h.in.
 4186 	(bignum.h): New target.
 4187 	(distclean-here): Delete bignum.h.
 4188 
 4189 	* examples/ecc-benchmark.c (modinv_gcd) [NETTLE_USE_MINI_GMP]:
 4190 	Disable this benchmark.
 4191 	(mpn_random) [NETTLE_USE_MINI_GMP]: Provide a simple implementation.
 4192 
 4193 	* testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Skip test, it
 4194 	depends on gmp_randstate_t.
 4195 	* testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Likewise.
 4196 	* testsuite/ecc-mul-a-test.c [NETTLE_USE_MINI_GMP]: Likewise.
 4197 	* testsuite/ecc-mul-g-test.c [NETTLE_USE_MINI_GMP]: Likewise.
 4198 	* testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Likewise.
 4199 
 4200 	Various preparations for mini-gmp support.
 4201 	* testsuite/bignum-test.c: Use WITH_HOGWEED instead of HAVE_LIBGMP
 4202 	for preprocessor conditionals.
 4203 	* testsuite/testutils.h: Likewise.
 4204 	* testsuite/sexp-format-test.c: Likewise.
 4205 
 4206 	* testsuite/ecdsa-keygen-test.c (test_main): Use printf,
 4207 	mpz_out_str and write_mpn instead of gmp_fprintf.
 4208 	* testsuite/ecdsa-sign-test.c (test_ecdsa): Likewise.
 4209 	* testsuite/ecdsa-verify-test.c (test_ecdsa): Likewise.
 4210 
 4211 	* dsa.h: Include bignum.h instead of gmp.h.
 4212 	* ecc-internal.h: Likewise.
 4213 	* ecc.h: Likewise.
 4214 	* gmp-glue.h: Likewise.
 4215 	* pkcs1.h: Likewise.
 4216 	* rsa.h: Likewise.
 4217 
 4218 	* testsuite/testutils.c (die): Use plain vfprintf, not
 4219 	gmp_vfprintf.
 4220 	(write_mpn): New function.
 4221 	(test_ecc_point): Use it, replacing gmp_fprintf.
 4222 	* testsuite/testutils.h (write_mpn): Declare it.
 4223 
 4224 	* der-iterator.c: Deleted HAVE_LIBGMP conditionals.
 4225 
 4226 2014-06-07  Niels Möller  <nisse@lysator.liu.se>
 4227 
 4228 	* Released nettle-3.0.
 4229 
 4230 2014-06-04  Niels Möller  <nisse@lysator.liu.se>
 4231 
 4232 	* NEWS: List des-compat.h as a candidate for removal in the next
 4233 	release.
 4234 
 4235 	* testsuite/des-compat-test.c (test_main): Fixed out of bounds
 4236 	memory read, reported by Nikos Mavrogiannopoulos.
 4237 
 4238 	* nettle-write.h: Include <stddef.h>, fixing compilation on
 4239 	freebsd.
 4240 
 4241 	* aclocal.m4 (ac_stdint): Fixed "unsinged" typo, spotted by Andy
 4242 	Goth.
 4243 
 4244 2014-06-01  Niels Möller  <nisse@lysator.liu.se>
 4245 
 4246 	* x86_64/gcm-hash8.asm: Pass correct argument count to W64_EXIT.
 4247 	* x86_64/camellia-crypt-internal.asm: Pass correct argument count
 4248 	to W64_ENTRY and W64_EXIT.
 4249 
 4250 	* x86_64/machine.m4 [W64_ABI]: Fix for the case of 6 function
 4251 	arguments. Also push %rdi unconditionally, and use aligned
 4252 	accesses for save and restore %xmm registers (movdqa).
 4253 
 4254 2014-05-31  Niels Möller  <nisse@lysator.liu.se>
 4255 
 4256 	* configure.ac: Check for COFF type directives.
 4257 	(ASM_COFF_STYLE): New substituted variable.
 4258 	* config.m4.in: Set COFF_STYLE from configure.
 4259 	* asm.m4 (PROLOGUE): Use COFF type directive, if enabled by
 4260 	configure. Fixes problem with windows dll linking.
 4261 
 4262 	* asm.m4: Deleted unused offsets for struct aes_ctx.
 4263 
 4264 2014-05-28  Niels Möller  <nisse@lysator.liu.se>
 4265 
 4266 	* testsuite/nettle-pbkdf2-test: Delete carriage return characters
 4267 	from output.
 4268 
 4269 	* configure.ac (LIBHOGWEED_LIBS): Be explicit and link
 4270 	libhogweed.so with libnettle.so, not -lnettle.
 4271 	(LIBHOGWEED_LINK): Drop -L. flag, no longer needed, and previously
 4272 	not at the correct position in the link command line.
 4273 
 4274 2014-05-27  Niels Möller  <nisse@lysator.liu.se>
 4275 
 4276 	* examples/ecc-benchmark.c: If mpn_sec_powm is available,
 4277 	benchmark it, for modinv.
 4278 	(bench_modinv_powm): New function.
 4279 	(bench_curve): Use it.
 4280 
 4281 2014-05-22  Niels Möller  <nisse@lysator.liu.se>
 4282 
 4283 	From Claudio Bley:
 4284 	* Makefile.in ($(des_headers)): Use the EXEEXT_FOR_BUILD.
 4285 
 4286 2014-05-15  Niels Möller  <nisse@lysator.liu.se>
 4287 
 4288 	* NEWS: Updated with library version numbers.
 4289 
 4290 	* configure.ac (dummy-dep-files): Use simpler and more portable
 4291 	sed expression. Problem reported by Peter Eriksson.
 4292 	(LIBHOGWEED_MAJOR): Bumped shared library version to 3.0.
 4293 	(LIBHOGWEED_MINOR): Reset to zero. Also increased the package
 4294 	version number to 3.0.
 4295 
 4296 	* getopt.c: Don't use gettext.
 4297 
 4298 2014-05-14  Niels Möller  <nisse@lysator.liu.se>
 4299 
 4300 	* testsuite/nettle-pbkdf2-test: Avoid the bash construction
 4301 	${#foo}.
 4302 
 4303 	* getopt.c: Copied from glibc tree, tag glibc-2.19.
 4304 	* getopt.h: Likewise.
 4305 	* getopt1.c: Likewise.
 4306 	* getopt_int.h: New file, also copied from glibc.
 4307 	* Makefile.in (DISTFILES): Added getopt_int.h.
 4308 
 4309 2014-05-09  Niels Möller  <nisse@lysator.liu.se>
 4310 
 4311 	* mini-gmp.c: Updated, use version from gmp-6.0.0.
 4312 	* mini-gmp.h: Likewise.
 4313 
 4314 	* testsuite/Makefile.in (all): Drop dependency on $(TARGETS), to
 4315 	delay building of test programs until make check.
 4316 
 4317 2014-05-08  Niels Möller  <nisse@lysator.liu.se>
 4318 
 4319 	* nettle.texinfo (nettle_aead abstraction): Document nettle_aead.
 4320 
 4321 	* Makefile.in (nettle_SOURCES): Added nettle-meta-aeads.c.
 4322 	* nettle-meta.h (nettle_aeads): Declare array.
 4323 	* nettle-meta-aeads.c (nettle_aeads): New file, new array.
 4324 	* testsuite/meta-aead-test.c: New test case.
 4325 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
 4326 	meta-aead-test.c.
 4327 
 4328 	* aclocal.m4 (GMP_PROG_CC_FOR_BUILD): If CC_FOR_BUILD is gcc, add
 4329 	-O option. This makes eccdata twice as fast.
 4330 
 4331 2014-05-06  Niels Möller  <nisse@lysator.liu.se>
 4332 
 4333 	* nettle.texinfo: Document SHA3 and ChaCha-Poly1305 as
 4334 	experimental.
 4335 
 4336 2014-05-05  Niels Möller  <nisse@lysator.liu.se>
 4337 
 4338 	* nettle.texinfo (POLY1305): Document poly1305-aes.
 4339 	(Authenticated encryption): Move AEAD algorithms to their own
 4340 	section.
 4341 	(RSA, DSA, ECDSA): Change some subsections to subsubsections.
 4342 	(ChaCha-Poly1305): Document ChaCha-Poly1305.
 4343 
 4344 2014-05-04  Niels Möller  <nisse@lysator.liu.se>
 4345 
 4346 	* nettle.texinfo (DSA): Document new DSA interface.
 4347 	(Salsa20): Update salsa20 docs.
 4348 	(ChaCha): Document ChaCha.
 4349 
 4350 2014-05-03  Niels Möller  <nisse@lysator.liu.se>
 4351 
 4352 	* configure.ac: Check for SIZEOF_SIZE_T.
 4353 	* ccm.c (ccm_set_nonce): Skip code for 64-bit encoding when size_t
 4354 	is only 32 bits.
 4355 
 4356 	* nettle.texinfo (CCM): Document new ccm macros and constants.
 4357 	Describe ccm restrictions.
 4358 
 4359 	* ccm.h (CCM_DIGEST_SIZE): New constant.
 4360 
 4361 2014-04-30  Niels Möller  <nisse@lysator.liu.se>
 4362 
 4363 	* ccm.c (CCM_IV_MAX_SIZE, CCM_IV_MIN_SIZE): Deleted, replaced by
 4364 	public constants CCM_MIN_NONCE_SIZE and CCM_MAX_NONCE_SIZE.
 4365 	(ccm_build_iv): Updated for above rename.
 4366 	(CCM_L_MAX_SIZE): Deleted, no longer used.
 4367 
 4368 	* ccm.h (CCM_MIN_NONCE_SIZE, CCM_MAX_NONCE_SIZE): New constants.
 4369 	(CCM_MAX_MSG_SIZE): New macro.
 4370 
 4371 2014-04-27  Niels Möller  <nisse@lysator.liu.se>
 4372 
 4373 	* nettle.texinfo (Cipher modes): Subsection on AEAD constructions.
 4374 	(GCM): Update GCM documentation, including functions for
 4375 	gcm_aes128, gcm_camellia128, ...
 4376 
 4377 2014-04-26  Niels Möller  <nisse@lysator.liu.se>
 4378 
 4379 	* nettle.texinfo: Update for introduction of nettle_cipher_func.
 4380 	(GCM): Document GCM_DIGEST_SIZE.
 4381 	(UMAC): Document new UMAC constants.
 4382 	(Keyed hash functions): Make HMAC and UMAC their own info nodes.
 4383 	(EAX): Document EAX.
 4384 
 4385 	* umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New
 4386 	constants.
 4387 
 4388 2014-04-25  Niels Möller  <nisse@lysator.liu.se>
 4389 
 4390 	* All hash-related files: Renamed all _DATA_SIZE constants to
 4391 	_BLOCK_SIZE, for consistency. Old names kept for backwards
 4392 	compatibility.
 4393 
 4394 	* nettle.texinfo (CCM): Documentation for CCM mode, contributed by
 4395 	Owen Kirby.
 4396 
 4397 	* testsuite/ccm-test.c (test_cipher_ccm): And tests.
 4398 
 4399 	* ccm.c (ccm_decrypt_message): Change length argument, should now
 4400 	be clear text (dst) length.
 4401 	* ccm-aes128.c (ccm_aes128_decrypt_message): Likewise.
 4402 	* ccm-aes192.c (ccm_aes192_decrypt_message): Likewise.
 4403 	* ccm-aes256.c (ccm_aes256_decrypt_message): Likewise.
 4404 	* ccm.h: Updated prototypes.
 4405 
 4406 2014-04-22  Niels Möller  <nisse@lysator.liu.se>
 4407 
 4408 	* nettle.texinfo (Recommended hash functions): Document additional
 4409 	sha512 variants.
 4410 
 4411 	* sha2.h (sha512_224_ctx, sha512_256_ctx): New aliases for the
 4412 	sha512_ctx struct tag.
 4413 
 4414 2014-04-17  Niels Möller  <nisse@lysator.liu.se>
 4415 
 4416 	* examples/Makefile.in (SOURCES): Deleted next-prime.c (forgotten
 4417 	in 2014-04-13 change).
 4418 
2014-04-16  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/ccm-test.c (test_cipher_ccm): Deleted check for NULL
	authdata.

	* sha3-224.c (sha3_224_init): Pass pointer to context struct, not
	pointer to first element, to memset.
	* sha3-256.c (sha3_256_init): Likewise.
	* sha3-384.c (sha3_384_init): Likewise.
	* sha3-512.c (sha3_512_init): Likewise.

	* examples/eratosthenes.c (vector_alloc): Use sizeof(*vector)
	instead of explicit type in malloc call.
	(vector_init): Make constant explicitly unsigned long.

	* tools/input.c (sexp_get_quoted_char): Deleted useless for loop.

2014-04-13  Niels Möller  <nisse@lysator.liu.se>

	* rsa-compat.c: Deleted file.
	* rsa-compat.h: Deleted file.
	* Makefile.in (hogweed_SOURCES): Deleted rsa-compat.c.
	(HEADERS): Deleted rsa-compat.h.

	* examples/next-prime.c: Deleted file.
	* bignum-next-prime.c (nettle_next_prime): Deleted file and
	function.
	* prime-list.h: Deleted file.
	* bignum.h (nettle_next_prime): Deleted prototype.
	* Makefile.in (hogweed_SOURCES): Deleted bignum-next-prime.c.
	(DISTFILES): Deleted prime-list.h.
	* examples/Makefile.in (HOGWEED_TARGETS): Deleted next-prime, and
	corresponding make target.

2014-04-12  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Copyright): Updated licensing info.
	* README: Likewise.

	* Makefile.in (DISTFILES): Distribute new COPYING* files.

	* COPYING.LESSERv3: New file.
	* COPYINGv3: New file.
	* COPYING.LIB: Deleted.
	* COPYINGv2: New name for GPL version 2 file.
	* COPYING: Old name, deleted.

	* Update license headers for LGPL3+ and GPL2+ dual licensing.

2014-04-11  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_aead): Use aead->digest_size.

	* configure.ac: Skip GMP tests if public key support is disabled.

	* eax.c (block16_xor): Fixed bug affecting 32-bit platforms.

	* Makefile.in (DISTFILES): Deleted memxor.c, already included via
	nettle_SOURCES.
	* tools/Makefile.in (SOURCES): Add nettle-pbkdf2.c.

2014-04-10  Niels Möller  <nisse@lysator.liu.se>

	From Nikos Mavrogiannopoulos:
	* examples/hogweed-benchmark.c (bench_openssl_ecdsa_init): Support
	for secp192r1 and secp256r1.
	(alg_list): Add them.

2014-04-09  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Benchmark sha512_224 and
	sha512_256.

	* testsuite/sha512-224-test.c: New file.
	* testsuite/sha512-256-test.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new files.

	* nettle-meta.h (nettle_sha512_224, nettle_sha512_256): Declare.
	* sha512-224-meta.c (nettle_sha512_224): New file, new nettle_hash.
	* sha512-256-meta.c (nettle_sha512_256): New file, new nettle_hash.

	* sha2.h (SHA512_224_DIGEST_SIZE, SHA512_224_DATA_SIZE)
	(SHA512_256_DIGEST_SIZE, SHA512_256_DATA_SIZE): New constants.

	* sha512.c (sha512_256_digest): Typo fix, call sha512_256_init.

	* testsuite/testutils.c (test_hash): Removed redundant init call.
	Tests that digest implies init.

2014-03-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-keygen-test.c (test_main): Explicitly use
	dsa_compat_generate_keypair.
	(test_main): Test dsa_generate_params and dsa_generate_keypair
	with a large q; p_bits = 1024, q_bits = 768.

	* testsuite/testutils.h: Undo dsa-compat.h name mangling.

	* dsa-keygen.c (dsa_generate_keypair): New interface, generating
	only a keypair, and no new parameters.
	* dsa-compat-keygen.c (dsa_compat_generate_keypair): New file.
	Moved old key generation function here. Use dsa_generate_keypair.

2014-03-27  Niels Möller  <nisse@lysator.liu.se>

	* dsa-compat.c (dsa_public_key_init, dsa_public_key_clear)
	(dsa_private_key_init, dsa_private_key_clear): Move deprecated
	DSA functions to a separate file...
	* dsa.c: ...from here.
	* dsa-compat.h: New file, declaring deprecated DSA interface.
	Include in corresponding C files.
	* Makefile.in (hogweed_SOURCES): Add dsa-compat.c.
	(HEADERS): Add dsa-compat.h.

	* dsa-gen-params.c (dsa_generate_params): New file and function,
	extracted from DSA key generation.
	* dsa-keygen.c (dsa_generate_keypair): Use dsa_generate_params.

2014-03-26  Niels Möller  <nisse@lysator.liu.se>

	* der2dsa.c (dsa_params_from_der_iterator): Converted to new DSA
	interface. Allow q_size == 0, meaning any q < p is allowed.
	Additional validity checks.
	(dsa_public_key_from_der_iterator): Converted to new DSA
	interface. Also check that the public value is in the correct
	range.
	(dsa_openssl_private_key_from_der_iterator): Converted
	to new DSA interface. Additional validity checks.
	(dsa_openssl_private_key_from_der): Converted to new DSA
	interface.
	* tools/pkcs1-conv.c (convert_dsa_private_key): Update to use
	struct dsa_params, and adapt to the der decoding changes.
	(convert_public_key): Likewise.

	* examples/hogweed-benchmark.c: Update dsa benchmarking to use new
	DSA interface.

	* dsa.c (dsa_params_init, dsa_params_clear): New functions.
	(dsa_public_key_init): Use dsa_params_init.
	(dsa_public_key_clear): Use dsa_params_clear.

	* sexp2dsa.c (dsa_keypair_from_sexp_alist): Converted to new DSA
	interface. Allow q_size == 0, meaning any q < p is allowed.
	Additional validity checks.
	(dsa_sha1_keypair_from_sexp, dsa_sha256_keypair_from_sexp):
	Converted to new DSA interface.

	* dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA
	interface.
	* tools/pkcs1-conv.c: Updated uses of dsa_keypair_to_sexp.

	* dsa.h (struct dsa_params): New struct.

	* dsa-sign.c (dsa_sign): Use struct dsa_params, with key as a
	separate mpz_t.
	* dsa-verify.c (dsa_verify): Likewise.
	* dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use
	dsa_verify, cast the struct dsa_public_key * input to a struct
	dsa_params *.
	* dsa-sha256-verify.c (dsa_sha256_verify_digest)
	(dsa_sha256_verify): Likewise.
	* dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise
	use dsa_sign, with a cast from struct dsa_public_key * to struct
	dsa_params *.
	* dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign):
	Likewise.

	* testsuite/testutils.c (test_dsa_verify): Use struct dsa_params.
	(test_dsa_key): Likewise.
	* testsuite/dsa-test.c (test_main): Adapt to test_dsa_key and
	test_dsa_verify changes.
	* testsuite/dsa-keygen-test.c (test_main): Adapt to
	test_dsa_key change.

	* testsuite/testutils.c (test_dsa_sign): #if out, currently
	unused.

2014-03-23  Niels Möller  <nisse@lysator.liu.se>

	From Owen Kirby:
	* ccm.c: New file.
	* ccm.h: New file.
	* ccm-aes128.c: New file.
	* ccm-aes192.c: New file.
	* ccm-aes256.c: New file.
	* Makefile.in (nettle_SOURCES): Added ccm source files.
	(HEADERS): Added ccm.h.
	* testsuite/ccm-test.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ccm-test.c.

2014-03-20  Niels Möller  <nisse@lysator.liu.se>

	From Joachim Strömbergson:
	* sha512.c (K): Indentation fix.
	(sha512_224_init, sha512_224_digest, sha512_256_init)
	(sha512_256_digest): New functions.
	* sha2.h: Add prototypes.
	(sha512_224_update, sha512_256_update): New aliases for
	sha512_update.

2014-03-18  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Add benchmarking of arcfour,
	salsa20 and chacha, via time_aead.

	* nettle-internal.c (nettle_arcfour128): Define, as a struct
	nettle_aead (with NULL set_nonce, update, and digest methods).
	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Likewise.
	* nettle-internal.h (nettle_arcfour128)
	(nettle_openssl_arcfour128): Declare.

	* nettle-types.h (nettle_cipher_func): New typedef, similar to
	nettle_crypt_func, but with a const context, intended for block
	ciphers.
	* nettle-meta.h (struct nettle_cipher): Use the nettle_cipher_func
	type.
	* Many other files affected: aes*-meta.c, camellia*-meta.c,
	cast128-meta.c, serpent-meta.c, twofish-meta.c, cbc.[ch],
	ctr.[ch], des-compat.c, eax.[ch], gcm*.[ch],
	nettle-internal.*, testsuite/aes-test.c,
	examples/nettle-benchmark.c, examples/nettle-openssl.c.

2014-03-16  Niels Möller  <nisse@lysator.liu.se>

	* chacha-set-key.c: Include string.h.

	* arcfour-meta.c: Deleted file.
	* nettle-meta.h (nettle_arcfour128): Deleted declaration.
	* nettle-meta-ciphers.c (nettle_ciphers): Deleted
	nettle_arcfour128 from list.
	* Makefile.in (nettle_SOURCES): Deleted arcfour-meta.c.
	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted.
	* testsuite/meta-cipher-test.c: Adjust test for removal of
	nettle_arcfour128.

2014-03-15  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (struct bench_aead_info): New
	struct.
	(bench_aead_crypt, bench_aead_update, init_nonce, time_aead): New
	functions, for benchmarking aead algorithms.
	(time_gcm, time_eax): Deleted functions.
	(main): Use time_aead to benchmark gcm, eax and chacha-poly1305.

	* salsa20.h (SALSA20_NONCE_SIZE): Renamed constant, old name
	SALSA20_IV_SIZE kept as an alias.
	(salsa20_set_nonce): Update prototype for the 2014-01-20 rename.

	* Makefile.in (.asm.s): Add dependencies.
	(.s.o, .s.po): Empty any dependency .d file.

2014-03-04  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/chacha-test.c (test_main): Additional test cases, for
	256-bit keys.

	* Makefile.in (nettle_SOURCES): Deleted chacha128-set-key.c and
	chacha256-set-key.c.

	* chacha.h (CHACHA256_KEY_SIZE): Deleted.
	(chacha_set_key): Updated prototype.
	* chacha256-set-key.c (chacha256_set_key): Deleted file and
	function, moved to...
	* chacha-set-key.c (chacha_set_key): Do 256-bit keys only. Deleted
	length argument. Updated all callers.

	* chacha128-set-key.c (chacha128_set_key): Deleted file and
	function. Support for 128-bit chacha keys may be reintroduced
	later, if really needed.
	* chacha.h: Deleted chacha128-related declarations.
	* chacha-set-key.c (chacha_set_key): Drop support for 128-bit
	keys.
	* testsuite/chacha-test.c (test_main): #if:ed out all tests with
	128-bit keys.

2014-02-16  Niels Möller  <nisse@lysator.liu.se>

	* gcm.h: Declarations for gcm-camellia256.
	* gcm-camellia256.c: New file.
	* gcm-camellia256-meta.c: New file.
	* nettle-meta.h (nettle_gcm_camellia256): Declare.
	* Makefile.in (nettle_SOURCES): Added gcm-camellia256.c and
	gcm-camellia256-meta.c.
	* testsuite/gcm-test.c (test_main): Test cases for
	nettle_gcm_camellia256.

	* gcm.h: Include camellia.h. Declarations for gcm-camellia128.
	* gcm-camellia128.c: New file.
	* gcm-camellia128-meta.c: New file.
	* nettle-meta.h (nettle_gcm_camellia128): Declare.
	* Makefile.in (nettle_SOURCES): Added gcm-camellia128.c and
	gcm-camellia128-meta.c.
	* testsuite/gcm-test.c (test_main): Test cases for
	nettle_gcm_camellia128. From Nikos Mavrogiannopoulos.

2014-02-13  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Added eax-aes128.c
	eax-aes128-meta.c.
	* examples/nettle-benchmark.c: Include eax.h.
	* nettle-meta.h (nettle_eax_aes128): Declare, moved from
	nettle-internal.h.
	* eax.h: Declare eax_aes128_ctx and related functions. Moved from
	nettle-internal.h.
	(EAX_IV_SIZE): New constant.
	* eax-aes128-meta.c (nettle_eax_aes128): Moved definition to new
	file.
	* eax-aes128.c (eax_aes128_set_key, eax_aes128_set_nonce)
	(eax_aes128_update, eax_aes128_encrypt, eax_aes128_decrypt)
	(eax_aes128_digest): Moved functions to a new file.
	* nettle-internal.c: ... from old location.
	* nettle-internal.h: Moved eax declarations elsewhere.

	* tools/nettle-pbkdf2.c (main): Added missing deallocation.

2014-02-12  Niels Möller  <nisse@lysator.liu.se>

	* chacha-poly1305.h: New file.
	* chacha-poly1305.c: New file.
	* chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new
	aead algorithm.
	* nettle-meta.h (nettle_chacha_poly1305): Declare.

	* Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and
	chacha-poly1305-meta.c.
	(HEADERS): Added chacha-poly1305.h.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	chacha-poly1305-test.c.
	* testsuite/chacha-poly1305-test.c: New file.

	* nettle-meta.h (struct nettle_aead): New generalized version
	of this struct.
	(nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256)
	(nettle_eax_aes128): Declare, moved from nettle-internal.h.
	* nettle-internal.h (struct nettle_aead): Deleted struct, moved to
	nettle-meta.h. Deleted declarations of unused instances.
	(_NETTLE_AEAD): Deleted macro.
	* nettle-internal.c (nettle_eax_aes128): Updated for new
	nettle_aead struct.
	(nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256):
	Deleted, moved to new files.
	* gcm-aes128-meta.c (nettle_gcm_aes128): Moved to new file,
	updated for new nettle_aead struct.
	* gcm-aes192-meta.c (nettle_gcm_aes192): Likewise.
	* gcm-aes256-meta.c (nettle_gcm_aes256): Likewise.
	* testsuite/testutils.c (test_aead): Take alternative set_nonce
	function as argument, and use it when nonce size differs from
	aead->nonce_length.
	* testsuite/testutils.h (test_aead): Updated prototype.
	* testsuite/gcm-test.c (nettle_gcm_unified_aes128): Updated for
	new nettle_aead struct.
	(test_main): Pass additional argument to test_aead.
	* testsuite/eax-test.c (test_main): Pass additional NULL argument
	to test_aead.

	* eax.h (EAX_DIGEST_SIZE): New constant.
	* gcm.h (GCM_DIGEST_SIZE): Likewise.

2014-02-10  Niels Möller  <nisse@lysator.liu.se>

	* chacha-set-nonce.c (chacha_set_nonce): Renamed file and
	function, updated callers and Makefile.in.
	* chacha-set-iv.c (chacha_set_iv): ... from old names.

2014-02-08  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/chacha-test.c (test_chacha): For 20 rounds, use
	chacha_crypt, and test varying the message length.
	(test_main): Add second key stream block, for all testcases with
	20 rounds.

	* chacha-crypt.c (chacha_crypt): Fixed block counter update.

2014-02-07  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (ASCII encoding): Document that
	base16_encode_update and base64_encode_update now use dst_length
	as an output only.

	* testsuite/base64-test.c (test_main): Updated
	base64_decode_update test case.

	* sexp-transport.c (sexp_transport_iterator_first): For
	base64_decode_update, omit initialization of coded_length.
	* examples/base64dec.c (main): Likewise.
	* examples/base16dec.c (main): Likewise, for base16_decode_update.

	* base64-decode.c (base64_decode_update): Use *dst_length for
	output only. Don't require callers to pass a sane value.
	* base16-decode.c (base16_decode_update): Likewise.

2014-02-06  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: List _set_key incompatibilities.

	* nettle-meta.h (_NETTLE_CIPHER_SEP, _NETTLE_CIPHER_SEP_SET_KEY)
	(_NETTLE_CIPHER_FIX, _NETTLE_CIPHER): Deleted unused macros.

	* nettle-internal.c (nettle_blowfish128): Deleted only use of
	_NETTLE_CIPHER.

	* blowfish.c (blowfish128_set_key): New function.
	* blowfish.h (BLOWFISH128_KEY_SIZE): New constant.

	* cast128-meta.c (nettle_cast128): Deleted only use of
	_NETTLE_CIPHER_FIX.

	* examples/nettle-benchmark.c (time_cipher): Fixed memset calls.

2014-01-30  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Arrange in alphabetic order.

	* nettle.texinfo: Updated, document size_t for length arguments.
	Document new AES and Camellia interfaces.

	* ecc-size.c (ecc_bit_size): New function.
	* ecc.h (ecc_bit_size): Declare it.

2014-01-29  Niels Möller  <nisse@lysator.liu.se>

	* nettle-types.h (typedef nettle_set_key_func): Deleted length
	argument.

	* arctwo.c (arctwo40_set_key, arctwo64_set_key)
	(arctwo128_set_key, arctwo128_set_key_gutmann): New functions.
	* arctwo.h: Declare them.
	* arctwo-meta.c (ARCTWO): New macro.
	(nettle_arctwo40, nettle_arctwo64, nettle_arctwo128)
	(nettle_arctwo_gutmann128): Use new _set_key functions.

	* arcfour.h (ARCFOUR128_KEY_SIZE): New constant.
	* arcfour.c (arcfour128_set_key): New function.
	* arcfour-meta.c (nettle_arcfour128): Use arcfour128_set_key and
	ARCFOUR128_KEY_SIZE.

	* cast128.c (cast5_set_key): Renamed, was cast128_set_key.
	(cast128_set_key): New definition, with fixed key size.
	* cast128.h (CAST128_MIN_KEY_SIZE, CAST128_MAX_KEY_SIZE): Renamed
	constants, to...
	(CAST5_MIN_KEY_SIZE, CAST5_MAX_KEY_SIZE): ... new names.

	* eax.h (EAX_SET_KEY): Deleted length argument.

	* aes128-meta.c: Deleted _set_key wrappers.
	* aes192-meta.c: Likewise.
	* aes256-meta.c: Likewise.
	* camellia128-meta.c: Likewise.
	* camellia192-meta.c: Likewise.
	* camellia256-meta.c: Likewise.

	* gcm-aes128.c (gcm_aes128_set_key): Deleted length argument.
	* gcm-aes192.c (gcm_aes192_set_key): Likewise.
	* gcm-aes256.c (gcm_aes256_set_key): Likewise.
	* gcm.h: Updated prototypes.

	* serpent-set-key.c (serpent128_set_key, serpent192_set_key)
	(serpent256_set_key): New functions.
	* serpent.h: Declare new functions.
	(SERPENT128_KEY_SIZE, SERPENT192_KEY_SIZE)
	(SERPENT256_KEY_SIZE): New constants.
	* serpent-meta.c (SERPENT): New macro.
	(nettle_serpent128, nettle_serpent192, nettle_serpent256): Use new
	_set_key functions.

	* twofish-set-key.c (twofish128_set_key, twofish192_set_key)
	(twofish256_set_key): New functions.
	* twofish.h: Declare new functions.
	(TWOFISH128_KEY_SIZE, TWOFISH192_KEY_SIZE)
	(TWOFISH256_KEY_SIZE): New constants.
	* twofish-meta.c (TWOFISH): New macro.
	(nettle_twofish128, nettle_twofish192, nettle_twofish256): Use new
	_set_key functions.

	* nettle-internal.h (struct nettle_aead): Use
	nettle_hash_update_func for the set_iv function pointer.

	* nettle-internal.c (des_set_key_hack, des3_set_key_hack): Deleted
	wrapper functions.
	(chacha_set_key_hack): Deleted length argument. Use
	chacha256_set_key.
	(salsa20_set_key_hack): Deleted length argument. Use
	salsa20_256_set_key.
	(nettle_unified_aes128, nettle_unified_aes192)
	(nettle_unified_aes256): Deleted, moved to test program.
	(eax_aes128_set_key): Deleted length argument. Use EAX_SET_KEY.

	* examples/nettle-benchmark.c: Updated for _set_key changes.
	* examples/nettle-openssl.c: Likewise.
	* testsuite/testutils.c: Likewise.
	* testsuite/gcm-test.c: Likewise.

	* testsuite/aes-test.c (UNIFIED_AES): New macro. Moved glue for
	testing the old aes interface (struct aes_ctx) here.

	* testsuite/arcfour-test.c (test_arcfour): New function, for key
	sizes != 128 bits.
	(test_main): Use it.

	* testsuite/blowfish-test.c (test_blowfish): New function.
	(test_main): Use it. Also deleted old #if:ed out code.

	* testsuite/cast128-test.c (test_cast5): New function.
	(test_main): Use it, for 40-bit and 80-bit tests.

	* testsuite/serpent-test.c (test_serpent): New function.
	(test_main): Use it.

2014-01-27  Niels Möller  <nisse@lysator.liu.se>

	* eax.h (struct eax_key, struct eax_ctx): Use union
	nettle_block16, for alignment.
	* eax.c: Updated everything to use nettle_block16.
	(block16_xor): New function.

	* examples/nettle-benchmark.c (time_eax): New function.
	(main): Use it.

	* x86_64/chacha-core-internal.asm: Use pshufhw + pshuflw for the
	16-bit rotate.

	* configure.ac (asm_replace_list): Added chacha-core-internal.asm.
	* x86_64/chacha-core-internal.asm: New file.

	* examples/nettle-benchmark.c (main): Add benchmarking of chacha.
	* nettle-internal.c (nettle_chacha): New const struct, for the
	benchmark.

	Chacha implementation, based on contribution by Joachim
	Strömbergson.
	* chacha.h: New file.
	* chacha256-set-key.c (chacha256_set_key): New file and function.
	* chacha128-set-key.c (chacha128_set_key): New file and function.
	* chacha-set-key.c (chacha_set_key): New file and function.
	* chacha-set-iv.c (chacha_set_iv): New file and function.
	* chacha-core-internal.c (_chacha_core): New file and function.
	* chacha-crypt.c (chacha_crypt): New file and function.
	* Makefile.in (nettle_SOURCES): Added chacha files.
	(HEADERS): Added chacha.h.
	* testsuite/chacha-test.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-test.c.

2014-01-26  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.h (_NETTLE_AEAD_FIX): Renamed to...
	(_NETTLE_AEAD): ... new name, and deleted old definition. Also use
	_set_nonce instead of _set_iv.
	* nettle-internal.c (nettle_gcm_aes128, nettle_gcm_aes192)
	(nettle_gcm_aes256): Define in terms of new interface.
	(nettle_eax_aes128): Updated for _NETTLE_AEAD changes.

	* testsuite/gcm-test.c (test_gcm_hash): Likewise use struct
	gcm_aes128_ctx.
	(test_main): Added a testcase using the old interface based on
	struct gcm_aes_ctx.

	* examples/nettle-benchmark.c (time_gcm): Update to use new struct
	gcm_aes128_ctx. Also use name "gcm-aes128" in output.

	* gcm.h: New interface for gcm_aes128, gcm_aes192, gcm_aes256,
	using the new AES interface.
	(GCM_CTX): Reorder fields, putting the cipher context
	last.

	* Makefile.in (nettle_SOURCES): Added gcm-aes128.c, gcm-aes192.c,
	and gcm-aes256.c.

	* gcm-aes128.c: New file.
	* gcm-aes192.c: New file.
	* gcm-aes256.c: New file.

2014-01-25  Niels Möller  <nisse@lysator.liu.se>

	* gcm.h (GCM_SET_KEY): Deleted length argument.
	* gcm-aes.c (gcm_aes_set_key): Use aes_set_encrypt_key and
	gcm_set_key, can no longer use GCM_SET_KEY macro.

2014-01-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/gcm-test.c (test_main): Use the correct
	nettle_gcm_aes128/192/256 object.

2014-01-21  Niels Möller  <nisse@lysator.liu.se>

	Merged camellia-reorg changes (starting at 2013-10-07).

2013-10-10  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Updated list of camellia files.

	* testsuite/camellia-test.c (test_invert): Updated for new
	camellia interface.

	* camellia.h: Reorganized camellia interface, with distinct
	context structs and functions for camellia128 and camellia256.

	* camellia-meta.c: Deleted file.
	* camellia256-meta.c: New file.
	* camellia192-meta.c: New file.
	* camellia128-meta.c: New file.

	* camellia-set-decrypt-key.c: Deleted file, code moved to:
	* camellia128-set-decrypt-key.c: New file.
	(camellia128_invert_key, camellia128_set_decrypt_key): New
	functions.
	* camellia256-set-decrypt-key.c: New file.
	(camellia256_invert_key, camellia256_set_decrypt_key)
	(camellia192_set_decrypt_key): New functions.
	* camellia-invert-key.c (_camellia_invert_key): New file and
	function.

	* camellia-set-encrypt-key.c: Deleted file, code moved to:
	* camellia128-set-encrypt-key.c: New file.
	(camellia128_set_encrypt_key): New function.
	* camellia256-set-encrypt-key.c: New file.
	(_camellia256_set_encrypt_key, camellia256_set_encrypt_key)
	(camellia192_set_encrypt_key): New functions.
	* camellia-absorb.c (_camellia_absorb): New file and function.
	* camellia-internal.h: Moved key schedule macros here.

	* camellia-crypt.c: Deleted file, code moved to:
	* camellia128-crypt.c (camellia128_crypt): New file and function.
	* camellia256-crypt.c (camellia256_crypt): New file and function.

2013-10-07  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Delete check for ALIGNOF_UINT64_T, no longer
	needed.
	* config.m4.in: Likewise delete ALIGNOF_UINT64_T.

	* camellia-crypt.c (camellia_crypt): Updated call to
	_camellia_crypt.
	* camellia-internal.h (_camellia_crypt): Updated prototype.
	* camellia-crypt-internal.c (_camellia_crypt): Take separate
	arguments for rounds and subkey array.
	* x86_64/camellia-crypt-internal.asm: Likewise. Also corrected
	.file pseudo-ops.
	* x86/camellia-crypt-internal.asm: Likewise.

2014-01-20  Niels Möller  <nisse@lysator.liu.se>

	* poly1305-internal.c (poly1305_digest): Use union nettle_block16
	for s argument.
	* poly1305-aes.c (poly1305_aes_digest): Update for poly1305_digest
	change.

	Merged poly1305 changes (starting at 2013-11-08).
	* x86_64/poly1305-internal.asm: Update to new interface.
	poly1305_digest much simplified.

	* poly1305.h (struct poly1305_ctx): Moved block and index
	fields...
	(struct poly1305_aes_ctx): ... to here.
	* asm.m4: Delete also from the assembly definition of struct
	poly1305_ctx.

	* poly1305-internal.c (poly1305_digest): Don't do final padding
	here, leave that to caller. Add digest to the provided nonce s,
	and deleted length and dst arguments. Also reset h0-h4 to zero
	when done.
	(_poly1305_block): Renamed, from...
	(poly1305_block): ...old name.

	* poly1305-aes.c (poly1305_aes_update): New function.
	(poly1305_aes_digest): Update for poly1305_digest changes, do
	final padding here.

	* poly1305.c (poly1305_update): Deleted file and function. Moved
	to poly1305-aes.c.
	* Makefile.in (nettle_SOURCES): Deleted poly1305.c.

2014-01-17  Niels Möller  <nisse@lysator.liu.se>

	* poly1305-internal.c (poly1305_block): Additional argument with
	the high bit.
	(poly1305_block_internal): Deleted function, code moved into
	poly1305_block.
	(poly1305_digest): Simplified padding code, call poly1305_block
	with high bit 0.
	* poly1305.h (poly1305_block): Update prototype.
	* poly1305.c (poly1305_update): Call poly1305_block with high bit 1.
	* x86_64/poly1305-internal.asm (poly1305_block): Handle new
	argument.

	* poly1305.h (struct poly1305_ctx): Moved nonce field from here...
	(struct poly1305_aes_ctx): ... to here.
	* poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest):
	Updated for above.
	* poly1305.c (poly1305_set_nonce): Deleted function.
	* asm.m4: Delete nonce also from the assembly definition of struct
	poly1305_ctx.

2014-01-16  Niels Möller  <nisse@lysator.liu.se>

	* poly1305-aes.c: Include poly1305.h. Rewrite functions without
	using the POLY1305_* macros.

	* Makefile.in (HEADERS): Deleted poly1305-aes.h.

	* poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE)
	(POLY1305_DIGEST): Deleted macros. Only implemented variant is
	poly1305-aes.
	(POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE):
	New constants.
	(POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here,
	from poly1305-aes.h.
	(struct poly1305_aes_ctx): Likewise.
	(poly1305_aes_set_key, poly1305_aes_set_nonce)
	(poly1305_aes_update, poly1305_aes_digest): Likewise.
	* poly1305-aes.h: Deleted file, declarations moved to poly1305.h.
	Update all users.

	* poly1305-internal.c (s2, s3, s4): Fixed macros.

	* poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx
	by struct aes128_ctx.
	* poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest):
	Update to use aes128_* functions.
	* poly1305.h (POLY1305_SET_KEY): Drop key size argument when
	calling set_key.

2013-12-19  Niels Möller  <nisse@lysator.liu.se>

	* poly1305-aes.h (poly1305_aes_update): Define as an alias for
	poly1305_update, using preprocessor and a type cast.

	* poly1305-aes.c (poly1305_aes_update): Deleted function.

	* poly1305.h (poly1305_update): Declare.
	(_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros.

	* poly1305.c (poly1305_update): New function.

2013-11-21  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/poly1305-internal.asm: New file. Almost a factor of two
	speedup.

	* configure.ac (asm_replace_list): Added poly1305-internal.asm.

	* asm.m4: Define struct offsets for 64-bit poly1305_ctx.

	* poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an
	additional argument to poly1305_digest.
	(struct poly1305_ctx): Introduce unions, to support either 26-bit
	or 64-bit implementation.

	* poly1305-internal.c (poly1305_digest): Added s argument.

	* poly1305.c (poly1305_set_s): Deleted function.

2013-11-12  Niels Möller  <nisse@lysator.liu.se>

	* poly1305-internal.c: New file, for poly1305 functions depending
	on the internal mod (2^130 - 5) representation.
	(poly1305_block_internal): New helper function.
	(poly1305_block, poly1305_digest): Use it.

2013-11-08  Nikos Mavrogiannopoulos  <nmav@gnutls.org>

	* poly1305.h: New file.
	* poly1305.c: New file.
	* poly1305-aes.h: New file.
	* poly1305-aes.c: New file.
	* Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c.
	(HEADERS): Added poly1305-aes.h and poly1305.h.

	* testsuite/poly1305-test.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c.

	* examples/nettle-benchmark.c (time_poly1305_aes): New function.
	(main): Benchmark poly1305.

 5193 2014-01-20  Niels Möller  <nisse@lysator.liu.se>
 5194 
 5195 	* Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c,
 5196 	salsa20-128-set-key.c, and salsa20-256-set-key.c.
 5197 
 5198 	* salsa20.h: Declare new functions.
 5199 	(SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants.
 5200 	(salsa20_set_iv): Define as an alias for salsa20_set_nonce.
 5201 
 5202 	* salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and
 5203 	salsa20_256_set_key.
 5204 	(salsa20_set_iv): Renamed and moved...
 5205 	* salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name.
 5206 
 5207 	* salsa20-256-set-key.c (salsa20_256_set_key): New file and
 5208 	function.
 5209 	* salsa20-128-set-key.c (salsa20_128_set_key): New file and
 5210 	function.
 5211 
 5212 2014-01-13  Niels Möller  <nisse@lysator.liu.se>
 5213 
 5214 	* nettle-types.h (union nettle_block16): New type, replacing union
 5215 	gcm_block.
 5216 	* gcm.h (union gcm_block): Deleted. Replaced by nettle_block16.
 5217 	* gcm.c: Replaced all use of gcm_block by nettle_block16.
 5218 
 5219 2014-01-04  Niels Möller  <nisse@lysator.liu.se>
 5220 
 5221 	* config.guess: Updated to 2014-01-01 version, from
 5222 	git://git.sv.gnu.org/config.git.
 5223 	* config.sub: Likewise.
 5224 
 5225 	* testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark):
 5226 	New function.
 5227 	(test_memxor, test_memxor3): Use test_mark to tell valgrind the
 5228 	start and end of src and destination areas.
 5229 
 5230 	* configure.ac: Check for valgrind/memcheck.h.
 5231 
 5232 	* testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes,
 5233 	needed for the way unaligned data is handled in, e.g., memxor.
 5234 
 5235 2014-01-03  Niels Möller  <nisse@lysator.liu.se>
 5236 
 5237 	* shadata.c (main): Zero-pad output values to 8 hex digits.
 5238 	* sha256.c (K): Updated table.
 5239 
 5240 2013-12-17  Niels Möller  <nisse@lysator.liu.se>
 5241 
 5242 	* configure.ac (ASM_RODATA): New substituted variable. Needed for
 5243 	portability to darwin.
  5244 	* config.m4.in: Define RODATA, using configure variable ASM_RODATA.
 5245 	* x86_64/gcm-hash8.asm: Use RODATA macro.
 5246 
 5247 	* bignum-random-prime.c (_nettle_generate_pocklington_prime): Use
 5248 	stronger variants of Pocklington's theorem, to allow p0 of size
 5249 	down to bits/3.
 5250 
 5251 2013-12-15  Niels Möller  <nisse@lysator.liu.se>
 5252 
 5253 	* nettle-internal.h (NETTLE_MAX_BIGNUM_BITS)
 5254 	(NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits.
 5255 
 5256 2013-12-15  Nikos Mavrogiannopoulos <nmav@redhat.com>
 5257 
 5258 	Introduced TMP_GMP_ALLOC macro for temporary allocations of
  5259 	potentially large data, e.g., sized as an RSA key.
 5260 	* gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New
 5261 	macros.
 5262 	* gmp-glue.c (gmp_alloc, gmp_free): New functions.
 5263 	* bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC.
 5264 	* bignum-random.c (nettle_mpz_random_size): Likewise.
 5265 	* pkcs1-decrypt.c (pkcs1_decrypt): Likewise.
 5266 	* pkcs1-encrypt.c (pkcs1_encrypt): Likewise.
 5267 	* pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise.
 5268 	* pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode)
 5269 	(pkcs1_rsa_sha512_encode_digest): Likewise.
 5270 	* pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode)
 5271 	(pkcs1_rsa_sha256_encode_digest): Likewise.
 5272 	* pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode)
 5273 	(pkcs1_rsa_sha1_encode_digest): Likewise.
 5274 	* pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode)
 5275 	(pkcs1_rsa_md5_encode_digest): Likewise.
 5276 
 5277 2013-12-14  Niels Möller  <nisse@lysator.liu.se>
 5278 
 5279 	* x86_64/gcm-hash8.asm: Use .short rather than .hword, for
  5280 	compatibility with Apple's assembler.
 5281 
 5282 2013-12-03  Niels Möller  <nisse@lysator.liu.se>
 5283 
 5284 	* x86_64/sha1-compress.asm: Reorganized, to get closer to the x86
 5285 	version. No difference in running time.
 5286 
 5287 	* configure.ac (dummy-dep-files): Don't overwrite any existing
 5288 	dependency files.
 5289 
 5290 	* x86_64/md5-compress.asm: New file, similar to the x86 version.
 5291 	35% speedup on AMD, 15% speedup on Intel.
 5292 
 5293 2013-11-25  Niels Möller  <nisse@lysator.liu.se>
 5294 
 5295 	* testsuite/dsa-test.c (test_main): Additional tests from NIST
 5296 	test vectors.
 5297 
 5298 	* testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New
 5299 	functions, supporting arbitrary digest size.
 5300 
 5301 	* testsuite/testutils.h (ASSERT): Improved failure message.
 5302 
 5303 	* dsa-verify.c (dsa_verify): Renamed, from _dsa_verify.
 5304 	* dsa-sign.c (dsa_sign): Renamed, from _dsa_sign.
 5305 
 5306 2013-11-24  Niels Möller  <nisse@lysator.liu.se>
 5307 
 5308 	* testsuite/dsa-keygen-test.c (test_main): Test generating a
 5309 	key with 224-bit q.
 5310 
 5311 	* dsa-verify.c (_dsa_verify): Use _dsa_hash.
 5312 
 5313 	* dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in
 5314 	error case, spotted by Nikos.
 5315 
 5316 	* dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224.
 5317 
 5318 	* dsa-hash.c (_dsa_hash): New file and function. Allows digest
 5319 	sizes not matching the bitsize of q.
 5320 	* dsa.h (_dsa_hash): Declare it.
 5321 	* Makefile.in (hogweed_SOURCES): Added dsa-hash.c.
 5322 
 5323 2013-11-23  Niels Möller  <nisse@lysator.liu.se>
 5324 
 5325 	* configure.ac: Check also for openssl/ecdsa.h.
 5326 
 5327 2013-10-05  Niels Möller  <nisse@lysator.liu.se>
 5328 
 5329 	* Makefile.in (nettle_SOURCES): Added eax.c.
 5330 	(HEADERS): Added eax.h.
 5331 
 5332 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added eax-test.c.
 5333 
 5334 	* testsuite/eax-test.c: New file.
 5335 
 5336 	* nettle-internal.c (nettle_eax_aes128): New aead algorithm.
 5337 	(eax_aes128_set_key, eax_aes128_set_nonce, eax_aes128_update)
 5338 	(eax_aes128_encrypt, eax_aes128_decrypt, eax_aes128_digest): New
 5339 	functions.
 5340 
 5341 	* eax.c: New file.
 5342 	* eax.h: New file.
 5343 
 5344 	* aes.h: Fixed typo in name mangling for new aes functions.
 5345 
 5346 2013-09-28  Niels Möller  <nisse@lysator.liu.se>
 5347 
 5348 	* Merge aes-reorg branch. Changes below,
 5349 	dated 2013-05-17 - 2013-08-13.
 5350 
 5351 2013-08-13  Niels Möller  <nisse@lysator.liu.se>
 5352 
 5353 	* yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx.
 5354 	* yarrow256.c: Adapted to use new aes256 interface.
 5355 
 5356 2013-08-07  Niels Möller  <nisse@lysator.liu.se>
 5357 
 5358 	* umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx.
 5359 	* umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface.
 5360 	* umac32.c (umac32_digest): Likewise.
 5361 	* umac64.c (umac64_digest): Likewise.
 5362 	* umac96.c (umac96_digest): Likewise.
 5363 	* umac128.c (umac128_digest): Likewise.
 5364 
 5365 2013-06-25  Niels Möller  <nisse@lysator.liu.se>
 5366 
 5367 	* aes-meta.c: Deleted file.
 5368 
 5369 	Analogous changes for new aes192 and aes256 interface.
 5370 
 5371 	* aes.h (struct aes128_ctx): New aes128 declarations.
 5372 	* aes-decrypt.c (aes128_decrypt): New function.
 5373 	* aes-encrypt.c (aes128_encrypt): New function.
 5374 	* aes128-meta.c: New file.
 5375 	* aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and
 5376 	function.
 5377 	* aes128-set-decrypt-key.c (aes128_set_decrypt_key)
 5378 	(aes128_invert_key): New file and functions.
 5379 	* Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c,
 5380 	aes128-set-decrypt-key.c and aes128-meta.c.
 5381 
 5382 	* nettle-internal.c (nettle_unified_aes128): For testing the old
 5383 	AES interface.
 5384 	* testsuite/aes-test.c (test_cipher2): New function.
 5385 	(test_main): Test both nettle_aes128 and nettle_unified_aes128.
 5386 
 5387 2013-05-22  Niels Möller  <nisse@lysator.liu.se>
 5388 
 5389 	* Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and
 5390 	aes-set-key-internal.c.
 5391 
 5392 	* aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants.
 5393 	Similarly also for aes192 and aes256.
 5394 
 5395 	* aes-internal.h: Declare new functions.
 5396 
  5397 	* aes-set-key-internal.c (_aes_set_key): New file and function
 5398 	extracted from aes_set_encrypt_key.
 5399 	* aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key.
 5400 
 5401 	* aes-invert-internal.c (_aes_invert): New file and function,
 5402 	extracted from aes_invert_key.
 5403 	* aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert.
 5404 
 5405 	* arm/v6/aes-encrypt-internal.asm: Adapted to new interface.
 5406 	Unfortunately, 4% slowdown on Cortex-A9, for unknown reason.
 5407 	* arm/v6/aes-decrypt-internal.asm: Likewise.
 5408 	* arm/aes-encrypt-internal.asm: Adapted to new interface.
 5409 	* arm/aes-decrypt-internal.asm: Likewise.
 5410 
 5411 2013-05-21  Niels Möller  <nisse@lysator.liu.se>
 5412 
 5413 	* sparc32/aes-encrypt-internal.asm: Adapted to new interface.
 5414 	* sparc32/aes-decrypt-internal.asm: Likewise.
 5415 	* sparc64/aes-encrypt-internal.asm: Likewise.
 5416 	* sparc64/aes-decrypt-internal.asm: Likewise.
 5417 
 5418 	* x86/aes-encrypt-internal.asm: Adapted to new interface.
 5419 	* x86/aes-decrypt-internal.asm: Likewise.
 5420 
 5421 2013-05-20  Niels Möller  <nisse@lysator.liu.se>
 5422 
 5423 	* x86_64/aes-encrypt-internal.asm: Adapted to new interface.
 5424 	* x86_64/aes-decrypt-internal.asm: Likewise.
 5425 
 5426 2013-05-17  Niels Möller  <nisse@lysator.liu.se>
 5427 
 5428 	* aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved
 5429 	first in the structure.
 5430 	* aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming.
 5431 	* aes-set-decrypt-key.c (aes_invert_key): Likewise.
 5432 
 5433 	* aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and
 5434 	subkeys as separate arguments, not a struct aes_ctx *. Updated
 5435 	callers.
 5436 	* aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise.
 5437 	* aes-internal.h: Updated prototypes.
 5438 
 5439 	* Start of aes-reorg changes.
 5440 
 5441 2013-09-28  Niels Möller  <nisse@lysator.liu.se>
 5442 
 5443 	* md4.h (struct md4_ctx): Use single uint64_t variable for block
 5444 	count.
 5445 	* md4.c: Use new block count variable.
 5446 	* md5.c, md5.h (struct md5_ctx): Likewise.
 5447 	* ripemd160.c, ripemd160.h (struct ripemd160_ctx): Likewise.
 5448 	* sha1.c, sha1.h (struct sha1_ctx): Likewise.
 5449 	* sha256.c, sha2.h (struct sha256_ctx): Likewise.
 5450 
 5451 	* testsuite/testutils.c (test_hash_large): Added simple progress
 5452 	indicator.
 5453 
 5454 	* macros.h (MD_PAD): Use size argument, don't depend on
 5455 	sizeof of the count field(s).
 5456 
 5457 2013-09-22  Niels Möller  <nisse@lysator.liu.se>
 5458 
 5459 	* x86_64/gcm-hash8.asm: New file.
 5460 	* x86_64/gcm-gf-mul-8.asm: Deleted.
 5461 
 5462 	* configure.ac (asm_nettle_optional_list): Look for gcm-hash8.asm,
 5463 	not gcm-gf-mul-8.asm.
 5464 	* gcm.c [HAVE_NATIVE_gcm_hash8]: Make use of (optional) assembly
 5465 	implementation.
 5466 
 5467 2013-09-21  Niels Möller  <nisse@lysator.liu.se>
 5468 
 5469 	* Makefile.in (des.po): Add same dependencies as for des.o.
 5470 	Reported by Vincent Torri.
 5471 
 5472 2013-09-20  Niels Möller  <nisse@lysator.liu.se>
 5473 
 5474 	* testsuite/gcm-test.c: Added tests with associated data of
 5475 	varying size.
 5476 
 5477 	* testsuite/testutils.c (tstring_alloc): Add NUL-termination.
 5478 
 5479 2013-09-18  Niels Möller  <nisse@lysator.liu.se>
 5480 
 5481 	* Makefile.in: New stampfiles, libnettle.stamp and
 5482 	libhogweed.stamp, updated when both static and shared libraries
 5483 	are rebuilt. Used as link dependencies in subdirectories.
 5484 	* examples/Makefile.in: Make executable targets depend on
 5485 	../libnettle.stamp and libhogweed.stamp, not directly on the
 5486 	static library files.
 5487 	* testsuite/Makefile.in: Likewise.
 5488 	* tools/Makefile.in: Likewise.
 5489 
 5490 2013-09-09  Niels Möller  <nisse@lysator.liu.se>
 5491 
 5492 	* gcm.c [HAVE_NATIVE_gcm_gf_mul_8]: Make use of (optional)
 5493 	assembly implementation.
 5494 
 5495 	* configure.ac: Support optional assembly files for both nettle
 5496 	and hogweed. Replaced OPT_ASM_SOURCES with OPT_ASM_NETTLE_SOURCES,
 5497 	OPT_ASM_HOGWEED_SOURCES, and asm_optional_list with
 5498 	asm_nettle_optional_list and asm_hogweed_optional_list.
 5499 	(asm_nettle_optional_list): Added gcm-gf-mul-8.asm.
 5500 
 5501 2013-06-25  Niels Möller  <nisse@lysator.liu.se>
 5502 
 5503 	* testsuite/gcm-test.c: Deleted redundant include of aes.h.
 5504 
 5505 	* testsuite/testutils.c (test_aead): Allow digest size smaller
 5506 	than the block size.
 5507 
 5508 	* tools/nettle-pbkdf2.c: New command line tool.
 5509 	* tools/Makefile.in (TARGETS): Added nettle-pbkdf2.
 5510 	(nettle-pbkdf2$(EXEEXT)): New target.
 5511 	* testsuite/nettle-pbkdf2-test: New test case.
 5512 	* testsuite/Makefile.in (TS_SH): Added nettle-pbkdf2-test.
 5513 
 5514 	* tools/nettle-hash.c (digest_file): Use stack allocation for the
 5515 	small hex output buffer.
 5516 
 5517 	* examples/io.c (MIN): Deleted unused macro.
 5518 
 5519 2013-05-21  Niels Möller  <nisse@lysator.liu.se>
 5520 
 5521 	From nettle-2.7-fixes branch:
 5522 	* Makefile.in (distdir): Distribute files in arm/v6 subdirectory.
 5523 
 5524 2013-05-20  Niels Möller  <nisse@lysator.liu.se>
 5525 
 5526 	* arm/v6/sha1-compress.asm: Moved into v6 directory, since it uses
  5527 	the v6 instructions uadd8, sel and rev.
 5528 	* arm/v6/sha256-compress.asm: Likewise.
 5529 
 5530 	* nettle-types.h: Include <stddef.h>, for size_t.
 5531 
 5532 2013-05-17  Niels Möller  <nisse@lysator.liu.se>
 5533 
 5534 	* macros.h (ROTL32, ROTL64): Avoid undefined behaviour for zero
 5535 	rotation count. Unfortunately makes CAST128 a bit slower with
 5536 	gcc-4.6.3.
 5537 
 5538 	* ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid
 5539 	invalid overlap of arguments to mpn_mul_n. Problem tracked down by
 5540 	Magnus Holmgren.
 5541 
 5542 2013-05-16  Niels Möller  <nisse@lysator.liu.se>
 5543 
 5544 	* arm/aes-encrypt-internal.asm: New file, for pre-v6 processors.
 5545 	* arm/aes-decrypt-internal.asm: New file, likewise.
 5546 
 5547 	* arm/aes.m4 (AES_FINAL_ROUND_V5): Variant without using uxtb.
 5548 	(AES_FINAL_ROUND_V6): New name, updated callers.
 5549 	(AES_FINAL_ROUND): ... old name. Also eliminated one uxtb
 5550 	instruction.
 5551 	(AES_ENCRYPT_ROUND, AES_DECRYPT): Moved macros to the
 5552 	files using them.
 5553 
 5554 	* arm/v6/aes-encrypt-internal.asm: Use ALIGN macro. Use 16-byte
 5555 	alignment for loops.
 5556 	* arm/v6/aes-decrypt-internal.asm: Likewise. Also added a nop
 5557 	which mysteriously improves benchmark performance on Cortex-A9.
 5558 
 5559 2013-05-15  Niels Möller  <nisse@lysator.liu.se>
 5560 
 5561 	* configure.ac (asm_path): Handle armv6 and armv7 differently from
 5562 	older ARMs. Add the arm/v6 directory to asm_path when appropriate.
 5563 
 5564 	* arm/v6/aes-encrypt-internal.asm: Moved into v6 directory. Uses
 5565 	the uxtb instruction which is not available for older ARMs.
 5566 	* arm/v6/aes-decrypt-internal.asm: Likewise.
 5567 
 5568 2013-05-03  Niels Möller  <nisse@lysator.liu.se>
 5569 
 5570 	* cast128.c: Adapt to new struct cast128_ctx.
 5571 	(cast128_set_key): Rewrite, eliminating lots of conditions and
 5572 	some false warnings.
 5573 
 5574 	* cast128.h (struct cast128_ctx): Separate the small 5-bit
 5575 	rotation subkeys and the larger 32-bit masking subkeys.
 5576 
 5577 2013-05-02  Niels Möller  <nisse@lysator.liu.se>
 5578 
 5579 	* testsuite/testutils.c (mpz_combit): Renamed. Define only if not
  5580 	provided by GMP. Updated all uses.
 5581 	(mpz_togglebit): ... old name.
 5582 
 5583 	* sexp-format.c (sexp_vformat): Use type mpz_srcptr rather
 5584 	than the old MP_INT *.
 5585 
 5586 2013-04-26  Niels Möller  <nisse@lysator.liu.se>
 5587 
 5588 	* Many files: Use size_t rather than unsigned for data sizes.
 5589 	* x86_64/aes-encrypt-internal.asm: Accept 64-bit length.
 5590 	* x86_64/aes-decrypt-internal.asm: Likewise.
 5591 
 5592 2013-04-25  Niels Möller  <nisse@lysator.liu.se>
 5593 
 5594 	* configure.ac: Changed version number, to 2.8.
 5595 	(LIBNETTLE_MAJOR): Bumped major number, following
 5596 	nettle_memxor ABI break.
 5597 	(LIBNETTLE_MINOR): Reset to zero.
 5598 
 5599 	* examples/hogweed-benchmark.c: Add benchmarking of OpenSSL's RSA
 5600 	functions.
 5601 	(all functions): Deleted unneeded casts.
 5602 
 5603 2013-04-24  Niels Möller  <nisse@lysator.liu.se>
 5604 
 5605 	* nettle.texinfo (Miscellaneous functions): Updated memxor
 5606 	prototype. Document memxor3.
 5607 
 5608 	* salsa20-crypt.c (salsa20_crypt): Deleted cast of memxor
 5609 	argument, no longer needed.
 5610 	* salsa20r12-crypt.c (salsa20r12_crypt): Likewise.
 5611 	* sha3.c (sha3_absorb): Likewise.
 5612 
 5613 	* memxor.h: Updated prototypes. Drop include of nettle-types.h.
 5614 
 5615 	* memxor.c: Include nettle-types.h, for uintptr_t. Replace all
 5616 	internal uses of uint8_t by plain char.
 5617 	(memxor): Use void * rather than uint8_t * for
 5618 	arguments.
 5619 	(memxor3): Likewise.
 5620 
 5621 	* x86_64/memxor.asm: Added nettle_ prefix to symbols.
 5622 	* arm/memxor.asm: Likewise.
 5623 
 5624 	* testsuite/symbols-test: Don't allow memxor functions without
  5625 	nettle prefix.
 5626 
 5627 	* memxor.h (memxor3): Added name mangling to add "nettle_" prefix
 5628 	to memxor and memxor3 symbols.
 5629 
 5630 	* Makefile.in (nettle_OBJS): Deleted $(LIBOBJS), and also deleted
 5631 	LIBOBJS substitution.
 5632 	(nettle_SOURCES): Added memxor.c, to include it in the library
 5633 	unconditionally.
 5634 
 5635 	* configure.ac: Deleted AC_REPLACE_FUNCS for memxor.
 5636 
 5637 	* Released nettle-2.7.
 5638 
 5639 2013-04-23  Niels Möller  <nisse@lysator.liu.se>
 5640 
 5641 	From Martin Storsjö:
 5642 	* x86_64/sha256-compress.asm: Add forgotten W64_EXIT.
 5643 	* x86_64/sha512-compress.asm: Likewise.
 5644 	* x86_64/salsa20-crypt.asm (Lpartial): Don't return via W64_EXIT
 5645 	within this subfunction.
 5646 	* x86_64/machine.m4 (W64_ENTRY): Use movdqu instead of movdqa for
 5647 	saving xmm registers, since the stack is not guaranteed to be
 5648 	16-byte aligned on win64. Take pushed xmm registers into account
 5649 	when reading the fifth parameter from the stack.
 5650 
 5651 	* Makefile.in: Consistently use EXEEXT_FOR_BUILD.
 5652 
 5653 2013-04-21  Niels Möller  <nisse@lysator.liu.se>
 5654 
 5655 	* Makefile.in (DISTFILES): Added mini-gmp.c and mini-gmp.h.
 5656 	(distdir): Use find, for identifying assembly files to copy.
 5657 
 5658 2013-04-18  Niels Möller  <nisse@lysator.liu.se>
 5659 
  5660 	* configure.ac: Recognize cpu type "arm*", not just "armv7*".
 5661 
 5662 	* arm/aes-encrypt-internal.asm: Updated include of aes.m4.
 5663 	* arm/aes-decrypt-internal.asm: Likewise.
 5664 
 5665 	* Makefile.in (distdir): Updated for ARM reorganization.
 5666 
 5667 	* configure.ac (asm_path): Generalized, can now be a list of
 5668 	directories. On ARM, check for neon instructions, and add arm/neon
 5669 	if appropriate. New command line options
 5670 	--enable-arm-neon/--disable-arm-neon, for overriding the default.
 5671 
 5672 	arm/neon: New subdirectory, for assembly files making use of neon
 5673 	instructions.
 5674 
 5675 	arm: Renamed directory, from...
 5676 	armv7: ...old name.
 5677 
 5678 	* aclocal.m4 (NETTLE_CHECK_ARM_NEON): New macro.
 5679 
 5680 	* nettle.texinfo (Keyed hash functions): Document UMAC.
 5681 
 5682 	* umac.h (UMAC32_DIGEST_SIZE, UMAC64_DIGEST_SIZE)
 5683 	(UMAC96_DIGEST_SIZE, UMAC128_DIGEST_SIZE): New constants.
 5684 	(UMAC_DATA_SIZE): New name, for consistency with hash functions.
 5685 	Updated all uses.
 5686 	(UMAC_BLOCK_SIZE): ... old name.
 5687 
 5688 2013-04-17  Niels Möller  <nisse@lysator.liu.se>
 5689 
 5690 	* examples/nettle-benchmark.c (main): Benchmark salsa20r12.
 5691 
 5692 	* nettle-internal.c (nettle_salsa20r12): Cipher struct for
 5693 	benchmarking only.
 5694 	* nettle-internal.h (nettle_salsa20): Declare it.
 5695 
 5696 	* Makefile.in (eccdata): Depend on mini-gmp files. Drop -lgmp.
 5697 
 5698 	* eccdata.c: Use mini-gmp, to avoid gmp dependency and associated
 5699 	configure tests for the *build* system. Replaced mpz_submul_ui by
 5700 	mpz_mul_ui + mpz_sub, and gmp_printf and gmp_fprintf by calls to
 5701 	mpz_out_str.
 5702 
 5703 	* mini-gmp.h, mini-gmp.c: New files, copied from gmp-5.1.1.
 5704 
 5705 2013-04-16  Niels Möller  <nisse@lysator.liu.se>
 5706 
 5707 	* umac-set-key.c (BE_SWAP32_N): Fixed dummy definition used for
 5708 	big-endian systems.
 5709 
  5710 	* Makefile.in (TARGETS): Deleted eccdata, it should be built only
  5711 	when public key support is enabled.
  5712 	(clean-here): Explicitly list it here.
 5713 
 5714 	* asm.m4 (m4_log2): New macro, similar to the one in gmp.
 5715 	(ALIGN): Changed to take alignment in bytes. Updated all callers,
 5716 	currently used only in x86 and x86_64 files.
 5717 
 5718 	* umac.h (umac32_ctx, umac64_ctx, umac96_ctx, umac128_ctx): Make
  5719 	block count a uint64_t. Reorder some elements to put short values
  5720 	together.
  5721 	* umac-l2.c (_umac_l2, _umac_l2_final): Make count argument a uint64_t.
 5722 	(_umac_l2): Deleted redundant memcpy.
 5723 	(_umac_l2, _umac_l2_final): Store input buffer at end of the
 5724 	poly64/poly128 state. Deleted l1_out from corresponding context
 5725 	structs, and updated all callers.
 5726 
 5727 	* configure.ac: Changed version number to 2.7.
 5728 	(LIBNETTLE_MINOR): Bumped library version, to 4.6.
 5729 	(LIBHOGWEED_MINOR): And to 2.4.
 5730 
 5731 	* Makefile.in (distdir): Include files from armv7 subdirectory.
 5732 
  5733 	* x86_64/umac-nh-n.asm: New file, 3.5 times speedup.
 5734 
 5735 	* umac32.c (umac32_digest): Fix nonce caching.
 5736 	* umac64.c (umac64_digest): Likewise.
 5737 
 5738 	* testsuite/umac-test.c (test_incr): New function.
 5739 	(test_main): Test nonce increment.
 5740 
 5741 	* misc/umac/umac.py: UMAC reference implementation.
 5742 	* misc/umac/rijndael.py: AES implementation used by umac.py.
 5743 	* misc/umac/mkvectors: Script to generate UMAC test vectors.
 5744 	* misc/umac/vectors.out: Generated test vectors.
 5745 
 5746 	* umac32.c (umac32_digest): Fix nonce increment, use INCREMENT
 5747 	macro.
 5748 	* umac64.c (umac64_digest): Likewise.
 5749 	* umac96.c (umac96_digest): Likewise.
 5750 	* umac128.c (umac128_digest): Likewise.
 5751 
 5752 	* macros.h (INCREMENT): Allow size == 1.
 5753 
 5754 2013-04-15  Niels Möller  <nisse@lysator.liu.se>
 5755 
  5756 	* x86_64/umac-nh.asm: New file. 4.4 times speedup.
  5757 
  5758 	* armv7/umac-nh-n.asm: New file. 2.0-2.3 times speedup.
 5759 
 5760 	* testsuite/umac-test.c (test_align): Fixed memory leak.
 5761 
 5762 2013-04-12  Niels Möller  <nisse@lysator.liu.se>
 5763 
  5764 	* armv7/umac-nh.asm: New file. 2.4 times speedup.
 5765 
 5766 	* armv7/machine.m4 (D0REG, D1REG): New macros.
 5767 
 5768 	* configure.ac (asm_replace_list): Added umac-nh.asm and
 5769 	umac-nh-n.asm.
 5770 
 5771 	* testsuite/umac-test.c: Test different alignments for the
 5772 	message.
 5773 
 5774 2013-04-11  Niels Möller  <nisse@lysator.liu.se>
 5775 
 5776 	* umac-nh-n.c (_umac_nh_n): Rewrote as a single pass over the
 5777 	message data.
 5778 
 5779 	* examples/nettle-benchmark.c (time_umac): New function.
 5780 	(main): Call it.
 5781 
 5782 	* umac-set-key.c (_umac_set_key): Drop byteswapping of l3_key2, it
 5783 	can be xored directly to the pad in native byteorder.
 5784 	* umac-l3.c (_umac_l3): Drop key_2 argument, let caller do that
 5785 	xor. Updated all callers.
 5786 	* umac32.c (umac32_digest): Adapt to l3 changes.
 5787 	* umac64.c (umac64_digest): Likewise.
 5788 	* umac96.c (umac96_digest): Likewise.
 5789 	* umac128.c (umac128_digest): Likewise.
 5790 
 5791 	Initial implementation of umac.
 5792 	* umac.h: New file.
 5793 	* umac-nh.c: New file.
 5794 	* umac-nh-n.c: New file.
 5795 	* umac-poly64.c: New file.
 5796 	* umac-poly128.c: New file.
 5797 	* umac-l2.c: New file.
 5798 	* umac-l3.c: New file.
 5799 	* Makefile.in (nettle_SOURCES): Added umac source files.
 5800 	(HEADERS): Added umac.h.
 5801 	* testsuite/umac-test.c: New file.
 5802 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added umac-test.c.
 5803 
 5804 	* ecc-mul-a.c (ecc_mul_a): Avoid using mp_bitcnt_t, for
 5805 	compatibility with older GMP versions.
 5806 	* ecc-mul-g.c (ecc_mul_g): Likewise.
 5807 	* eccdata.c (ecc_mul_binary): Likewise.
 5808 	* sec-modinv.c (sec_modinv): Likewise.
 5809 
 5810 	* x86_64/sha3-permute.asm: Go via memory for moves between general
 5811 	registers and xmm registers.
 5812 
 5813 2013-04-06  Niels Möller  <nisse@lysator.liu.se>
 5814 
 5815 	From Edgar E. Iglesias:
 5816 	* sha3.c (_sha3_update): Fix condition for when the block buffer
 5817 	is full.
 5818 
 5819 2013-04-04  Niels Möller  <nisse@lysator.liu.se>
 5820 
 5821 	* ecc-point.c (ecc_point_get): Allow NULL x or y, ignore
 5822 	corresponding coordinate.
 5823 
 5824 	* nettle.texinfo (Elliptic curves): Document high-level ECDSA
 5825 	support.
 5826 
 5827 	From Martin Storsjö. Fallback functions for older GMP releases.
 5828 	* gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): New functions.
 5829 	* gmp-glue.h: Declare them.
 5830 	(mpn_sqr): Fallback macro.
 5831 
 5832 	* gmp-glue.h (cnd_add_n, cnd_sub_n): Moved here, define in terms
 5833 	of mpn_cnd_add_n and mpn_sub_n if available, otherwise in terms of
 5834 	mpn_addmul_1 and mpn_submul_1. This seems to be an improvement for
 5835 	subtraction, but more questionable for addition.
 5836 
 5837 	* ecc-internal.h: Include gmp-glue.h. Deleted corresponding
 5838 	include in all files using ecc-internal.h.
 5839 	(cnd_add_n, cnd_sub_n): Moved from here.
 5840 
 5841 2013-04-03  Niels Möller  <nisse@lysator.liu.se>
 5842 
 5843 	* ecc-point-mul-g.c (ecc_point_mul_g): New file and function.
 5844 	* ecc-point-mul.c (ecc_point_mul): New file and function.
 5845 	* ecc.h: Updated declarations and name mangling.
 5846 	* Makefile.in (hogweed_SOURCES): Added ecc-point-mul.c and
 5847 	ecc-point-mul-g.c.
 5848 
 5849 	* testsuite/salsa20-test.c (test_main): Tests for salsa20r12,
 5850 	contributed by Nikos Mavrogiannopoulos.
 5851 
 5852 2013-03-26  Niels Möller  <nisse@lysator.liu.se>
 5853 
 5854 	* armv7/salsa20-core-internal.asm: New file. 45% speedup.
 5855 
 5856 2013-03-25  Niels Möller  <nisse@lysator.liu.se>
 5857 
 5858 	From Martin Storsjö:
 5859 	* examples/timing.c: New file, extracted from nettle-benchmark.c.
 5860 	* examples/timing.h: New file.
 5861 	* examples/Makefile.in (SOURCES): Added timing.c.
 5862 	(DISTFILES): Added timing.h.
 5863 	(BENCH_OBJS, ECC_BENCH_OBJS, HOGWEED_BENCH_OBJS): Added timing.o.
 5864 	* examples/nettle-benchmark.c: Use timing.h.
 5865 	* examples/hogweed-benchmark.c: Likewise.
 5866 	* examples/ecc-benchmark.c: Likewise.
 5867 
 5868 	From Nikos Mavrogiannopoulos:
 5869 	* salsa20r12-crypt.c (salsa20r12_crypt): New file and function.
 5870 	* salsa20.h (salsa20r12_crypt): Declare.
 5871 	* Makefile.in (nettle_SOURCES): Added salsa20r12-crypt.c.
 5872 
 5873 	From Martin Storsjö:
 5874 	* examples/hogweed-benchmark.c: Include local headers.
 5875 	* testsuite/ecdsa-keygen-test.c: Likewise.
 5876 	* x86_64/sha3-permute.asm: Workaround for Apple's assembler; write
 5877 	movq instructions as movd.
 5878 
 5879 	* Makefile.in (hogweed_PURE_OBJS): Don't include OPT_ASM_SOURCES
 5880 	twice.
 5881 
 5882 2013-03-15  Niels Möller  <nisse@lysator.liu.se>
 5883 
  5884 	* armv7/sha3-permute.asm: New file. 4.5 times speedup.
 5885 
 5886 	* armv7/machine.m4 (QREG): New macro.
 5887 
 5888 2013-03-14  Niels Möller  <nisse@lysator.liu.se>
 5889 
 5890 	* configure.ac (asm_replace_list): Added sha3-permute.asm,
  5891 	reverting 2012-12-30 change. 34% speedup on Intel i5, from 2190
  5892 	cycles for the C implementation down to 1630.
 5893 
 5894 	* armv7/sha512-compress.asm: Optimized. Keep expanded data in
 5895 	registers, exploit parallelism. Another 70% speedup.
 5896 
 5897 	* testsuite/sha512-test.c (test_main): Additional test vectors,
 5898 	including some longer than 128 bytes.
 5899 
 5900 2013-03-13  Niels Möller  <nisse@lysator.liu.se>
 5901 
 5902 	* armv7/sha512-compress.asm: New file, using neon instructions.
  5903 	2.3 times speedup.
 5904 
 5905 	* configure.ac (asm_replace_list): Added sha512-compress.asm.
 5906 	* x86_64/machine.m4 (OFFSET64): New macro.
 5907 	* x86_64/sha512-compress.asm: New file, 20% speedup.
 5908 
 5909 	* sha512-compress.c (ROUND): Eliminated a temporary, analogous to
 5910 	sha256 change below.
 5911 
 5912 	* x86_64/sha256-compress.asm: New file, 16% speedup (benchmarked
  5913 	on Intel i5).
 5914 
 5915 2013-03-11  Niels Möller  <nisse@lysator.liu.se>
 5916 
 5917 	* armv7/sha256-compress.asm: New file, 25% speedup.
 5918 
 5919 	* configure.ac (asm_replace_list): Added sha256-compress.asm.
 5920 
 5921 	* sha256-compress.c (ROUND): Eliminated a temporary.
 5922 
 5923 	* armv7/sha1-compress.asm: New file, 9% speedup.
 5924 
 5925 	* testsuite/testutils.c (test_hash): Test different alignments for
 5926 	the hash input.
 5927 
 5928 2013-03-08  Niels Möller  <nisse@lysator.liu.se>
 5929 
 5930 	* armv7/aes-decrypt-internal.asm: New file, 15% speedup.
 5931 	* armv7/aes-encrypt-internal.asm: New file, 25% speedup.
 5932 	* armv7/aes.m4: New file.
 5933 
 5934 2013-03-07  Niels Möller  <nisse@lysator.liu.se>
 5935 
 5936 	* gmp-glue.c (mpz_limbs_cmp): Don't use PTR and SIZ macros.
 5937 
 5938 	* Makefile.in (aesdata, desdata, twofishdata, shadata, gcmdata)
 5939 	(eccdata): Arrange for compiling these programs for running on the
 5940 	build system, also when cross compiling everything else.
 5941 
 5942 	* config.make.in (CC_FOR_BUILD, EXEEXT_FOR_BUILD): New variables.
 5943 
 5944 	* configure.ac: Use GMP_PROG_CC_FOR_BUILD and
 5945 	GMP_PROG_EXEEXT_FOR_BUILD.
 5946 
 5947 	* aclocal.m4 (GMP_PROG_CC_FOR_BUILD, GMP_PROG_CC_FOR_BUILD_WORKS)
 5948 	(GMP_PROG_EXEEXT_FOR_BUILD): New macros, based on GMP's.
 5949 
 5950 	* aesdata.c: Deleted includes of config.h and nettle-types.h. Use
 5951 	unsigned char and unsigned long instead of stdint.h types.
 5952 
 5953 	* desdata.c: Deleted includes of config.h and desCode.h.
 5954 	(main): Return 1 on invalid argument. Don't use ROR macro. Use
 5955 	unsigned long instead of uint32_t, and make it work if unsigned
 5956 	long is larger than 32 bits.
 5957 
 5958 	* gcmdata.c: Deleted include of config.h and use UNUSED macro.
 5959 	* shadata.c: Likewise.
 5960 
 5961 	* twofishdata.c: Deleted include of nettle-types.h. Use unsigned
 5962 	char instead of stdint.h types.
 5963 
  5964 	* x86_64/ecc-521-modp.asm: New file. 2.4 times speedup.
 5965 
 5966 2013-03-06  Niels Möller  <nisse@lysator.liu.se>
 5967 
  5968 	* x86_64/ecc-384-modp.asm: New file, 3 times speedup.
  5969 	* x86_64/ecc-256-redc.asm: New file, 2.5 times speedup.
  5970 	* x86_64/ecc-224-modp.asm: New file, 5 times speedup over C
 5971 	version.
 5972 
 5973 2013-03-05  Niels Möller  <nisse@lysator.liu.se>
 5974 
 5975 	* configure.ac (asm_optional_list): Added ecc-521-modp.asm.
 5976 	* ecc-521.c: Check HAVE_NATIVE_ecc_521_modp, and use native
 5977 	version if available.
  5978 	* armv7/ecc-521-modp.asm: New file, 2 times speedup over C version.
 5979 
 5980 2013-03-04  Niels Möller  <nisse@lysator.liu.se>
 5981 
 5982 	* configure.ac (asm_optional_list): Added ecc-384-modp.asm. Deleted
 5983 	bogus reference to $asm_search_list.
 5984 	* ecc-384.c: Check HAVE_NATIVE_ecc_384_modp, and use native
 5985 	version if available.
  5986 	* armv7/ecc-384-modp.asm: New file, 3 times speedup over C version.
 5987 
 5988 2013-03-03  Niels Möller  <nisse@lysator.liu.se>
 5989 
 5990 	* ecc-256.c: Fixed definition of USE_REDC.
 5991 
 5992 2013-03-01  Niels Möller  <nisse@lysator.liu.se>
 5993 
 5994 	* ecc-256.c: Check HAVE_NATIVE_ecc_256_redc, and use native
 5995 	version if available.
  5996 	* armv7/ecc-256-redc.asm: New file, 4 times speedup over C version.
 5997 
 5998 	* testsuite/ecc-redc-test.c: Increased test count.
 5999 
 6000 	* ecc-224.c: Check HAVE_NATIVE_ecc_224_modp, and use native
 6001 	version if available.
  6002 	* armv7/ecc-224-modp.asm: New file, 4.5 times speedup over C
 6003 	version.
 6004 
 6005 	* configure.ac (asm_optional_list): Added ecc-224-modp.asm.
 6006 	(OPT_ASM_SOURCES): Fixed assignment.
 6007 
 6008 2013-02-28  Niels Möller  <nisse@lysator.liu.se>
 6009 
 6010 	* x86_64/ecc-192-modp.asm: Reorganized to reduce number of
 6011 	additions. Use setc instruction.
 6012 
 6013 	* examples/Makefile.in: Let $(HOGWEED_TARGETS) depend on
 6014 	../libhogweed.a.
 6015 
  6016 	* armv7/ecc-192-modp.asm: New file. 2.5 times speedup over C
 6017 	version.
 6018 
 6019 2013-02-27  Niels Möller  <nisse@lysator.liu.se>
 6020 
 6021 	* ecc-192.c: Check HAVE_NATIVE_ecc_192_modp, and use native
 6022 	version if available.
 6023 	(ecc_192_modp): Fixed carry handling bug in 32-bit version.
 6024 
 6025 	* x86_64/ecc-192-modp.asm: New file. 3.8 times speedup over C
 6026 	version.
 6027 
 6028 	* configure.ac (OPT_ASM_SOURCES): New substituted variable.
 6029 	(asm_replace_list, asm_optional_list): New variables. For files in
 6030 	asm_optional_list, also add them to OPT_ASM_SOURCES and define
 6031 	appropriate HAVE_NATIVE_* symbols found.
 6032 
 6033 	* Makefile.in (OPT_ASM_SOURCES): New variable. Used for setting
 6034 	hogweed_OBJS and hogweed_PURE_OBJS.
 6035 
 6036 	* testsuite/ecc-mod-test.c: Increased test count.
 6037 
 6038 	* ecc-384.c (ecc_384_modp): Fixed typo which broke carry handling
 6039 	in the 64-bit version.
 6040 
 6041 	* examples/ecc-benchmark.c (bench_add_jjj): Typo fix, benchmark
 6042 	the right function.
 6043 
 6044 	* gmp-glue.h: Check if GMP provides mpz_limbs_read (expected in
 6045 	next release).
 6046 	* gmp-glue.c: Use GMP's mpz_limbs_read and friends if available.
 6047 	Renamed all functions for consistency with GMP. Updated all
 6048 	callers.
 6049 
 6050 2013-02-20  Niels Möller  <nisse@lysator.liu.se>
 6051 
 6052 	* examples/Makefile.in (HOGWEED_TARGETS): Added
 6053 	hogweed-benchmark$(EXEEXT).
 6054 	(SOURCES): Added hogweed-benchmark.c.
 6055 	(hogweed-benchmark$(EXEEXT)): New target.
 6056 
 6057 	* examples/hogweed-benchmark.c: New file.
 6058 
 6059 	* ecdsa-keygen.c (ecdsa_generate_keypair): New file and function.
 6060 	* Makefile.in (hogweed_SOURCES): Added ecdsa-keygen.c.
 6061 	* testsuite/ecdsa-keygen-test.c: New testcase.
 6062 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 6063 	ecdsa-keygen-test.c.
 6064 
 6065 	* nettle-internal.h (TMP_ALLOC): Added missing parentheses.
 6066 
 6067 2013-02-18  Niels Möller  <nisse@lysator.liu.se>
 6068 
 6069 	* testsuite/ecdsa-verify-test.c: New testcase.
 6070 	* testsuite/ecdsa-sign-test.c: New testcase.
 6071 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 6072 	ecdsa-sign-test.c and ecdsa-verify-test.c.
 6073 	* testsuite/testutils.h: Include ecdsa.h.
 6074 	(SHEX): Deleted const cast.
 6075 
 6076 	* ecc-point.c: New file, struct ecc_point abstraction.
 6077 	* ecc-scalar.c: New file, struct ecc_scalar abstraction.
 6078 	* ecc-random.c (ecc_modq_random, ecc_scalar_random): New file, new
 6079 	functions.
 6080 	* ecc-hash.c (ecc_hash): New file and function.
 6081 	* ecc-ecdsa-sign.c: New file, low-level signing interface.
 6082 	* ecc-ecdsa-verify.c: New file, low-level ecdsa verify.
 6083 	* ecdsa-sign.c (ecdsa_sign): New file and function.
 6084 	* ecdsa-verify.c (ecdsa_verify): New file and function.
 6085 	* ecdsa.h: New header file.
 6086 	* ecc.h: Declare ecc_point and ecc_scalar functions.
 6087 	* ecc-internal.h: Added declarations.
 6088 	* Makefile.in (hogweed_SOURCES): Added new source files.
 6089 	(HEADERS): Added ecdsa.h.
 6090 
 6091 	* gmp-glue.c (_mpz_set_mpn): New convenience function.
 6092 	(_mpn_set_base256): New function.
 6093 	(_gmp_alloc_limbs): New function.
 6094 	(_gmp_free_limbs): New function.
 6095 	* gmp-glue.h: Corresponding declarations. Include nettle-stdint.h.
 6096 
 6097 	* examples/Makefile.in (HOGWEED_TARGETS): Renamed, was
 6098 	RSA_TARGETS. Added ecc-benchmark$(EXEEXT).
 6099 	(SOURCES): Added ecc-benchmark.c.
 6100 	(ecc-benchmark$(EXEEXT)): New target.
 6101 
 6102 	* examples/ecc-benchmark.c: New file, benchmarking ecc primitives.
 6103 
 6104 2013-02-15  Niels Möller  <nisse@lysator.liu.se>
 6105 
 6106 	Integrate ecc_mul_a.
 6107 	* ecc-a-to-j.c: New file.
 6108 	* ecc-add-jjj.c: New file.
 6109 	* ecc-mul-a.c: New file.
 6110 	* Makefile.in (hogweed_SOURCES): Added new files.
 6111 	* testsuite/ecc-mul-a-test.c: New file.
 6112 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 6113 	ecc-mul-a-test.c.
 6114 
 6115 	* testsuite/testutils.c: Removed redundant includes.
 6116 	(die): New function.
 6117 
 6118 	Integrate ecc_mul_g.
 6119 	* ecc.h: New file.
 6120 	* ecc-j-to-a.c: New file.
 6121 	* ecc-size.c: New file.
 6122 	* ecc-add-jja.c: New file.
 6123 	* ecc-dup-jj.c: New file.
 6124 	* ecc-mul-g.c: New file.
 6125 	* sec-tabselect.c: New file.
 6126 	* Makefile.in (hogweed_SOURCES): Added new files.
 6127 	(HEADERS): Added ecc.h.
 6128 	* testsuite/ecc-mul-g-test.c: New file.
 6129 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
 6130 	ecc-mul-g-test.c.
 6131 	* testsuite/testutils.c (xalloc_limbs): New function.
 6132 	(test_mpn): New function.
 6133 	(test_ecc_point): New function.
 6134 	(test_ecc_mul_a): New function.
 6135 	(test_ecc_mul_j): New function.
 6136 	* testsuite/testutils.h: Corresponding declarations.
 6137 
 6138 	Integrate ECC internals.
 6139 	* ecc-curve.h: New file.
 6140 	* ecc-internal.h: New file.
 6141 	* cnd-copy.c: New file.
 6142 	* ecc-192.c: New file.
 6143 	* ecc-224.c: New file.
 6144 	* ecc-256.c: New file.
 6145 	* ecc-384.c: New file.
 6146 	* ecc-521.c: New file.
 6147 	* ecc-generic-modp.c: New file.
 6148 	* ecc-generic-modq.c: New file.
 6149 	* ecc-generic-redc.c: New file.
 6150 	* ecc-mod.c: New file.
 6151 	* ecc-modp.c: New file.
 6152 	* ecc-modq.c: New file.
 6153 	* sec-add-1.c: New file.
 6154 	* sec-modinv.c: New file.
 6155 	* sec-sub-1.c: New file.
 6156 	* Makefile.in (hogweed_SOURCES): Added new files.
 6157 	(HEADERS): Added ecc-curve.h.
 6158 	(DISTFILES): Added ecc-internal.h.
 6159 	* testsuite/ecc-mod-test.c: New file.
 6160 	* testsuite/ecc-modinv-test.c: New file.
 6161 	* testsuite/ecc-redc-test.c: New file.
 6162 	* testsuite/testutils.c (ecc_curves): New constant array.
 6163 	* testsuite/testutils.h: Include ecc-related headers. Declare
 6164 	ecc_curves array.
 6165 	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mod-test.c
 6166 	ecc-modinv-test.c ecc-redc-test.c.
 6167 
 6168 	* gmp-glue.c: New file, mpn <-> mpz conversions.
 6169 	* gmp-glue.h: New file.
 6170 	* Makefile.in: Added to hogweed_SOURCES and DISTFILES, respectively.
 6171 
 6172 	* eccdata.c: New program, for generating ECC-related tables.
 6173 	* Makefile.in (ecc-192.h, ecc-224.h, ecc-256.h, ecc-384.h)
 6174 	(ecc-512.h): New generated files.
 6175 
 6176 2013-02-19  Niels Möller  <nisse@lysator.liu.se>
 6177 
 6178 	* armv7/memxor.asm (memxor): Software pipelining for the aligned
 6179 	case. Runs at 6 cycles (0.5 cycles per byte). Delayed push of
 6180 	registers until we know how many registers we need.
 6181 	(memxor3): Use 3-way unrolling also for aligned memxor3.
 6182 	Runs at 8 cycles (0.67 cycles per byte).
 6183 
 6184 2013-02-14  Niels Möller  <nisse@lysator.liu.se>
 6185 
 6186 	* configure.ac: Find GMP's GMP_NUMB_BITS. Substitute in Makefile.
 6187 	* config.make.in (GMP_NUMB_BITS): New variable.
 6188 
 6189 	* examples/rsa-keygen.c (uint_arg): New function.
 6190 	(main): New options -s and -e, to specify key size and public
 6191 	exponent. Increased default key size to 2048.
 6192 
 6193 2013-02-12  Niels Möller  <nisse@lysator.liu.se>
 6194 
 6195 	* armv7/memxor.asm (memxor): Optimized aligned case, using 3-way
 6196 	unrolling.
 6197 
 6198 2013-02-06  Niels Möller  <nisse@lysator.liu.se>
 6199 
 6200 	* armv7/memxor.asm (memxor, memxor3): Optimized aligned case, now
 6201 	runs at 0.75 cycles/byte.
 6202 
 6203 	* armv7/README: New file.
 6204 	* armv7/machine.m4: New (empty) file.
 6205 	* armv7/memxor.asm: Initial assembly implementation.
 6206 
 6207 	* config.m4.in: Substitute ASM_TYPE_PROGBITS as TYPE_PROGBITS.
 6208 
 6209 	* config.make.in: Added .s to the suffix list.
 6210 
 6211 	* Makefile.in (.asm.s): Use a separate make target for .asm
 6212 	preprocessing. Include asm.d, which contains the corresponding
 6213 	dependencies.
 6214 
 6215 	* configure.ac (asm_file_list): Collect assembly files into this
 6216 	variable.
 6217 	(asm.d): Make config.status write dependencies for .s files into
 6218 	asm.d.
 6219 	(ASM_ALIGN_LOG): Set to "no" when appropriate.
 6220 	(ASM_TYPE_FUNCTION): Default to "@function".
 6221 	(ASM_TYPE_PROGBITS): New substituted variable, set in the same way
 6222 	as ASM_TYPE_FUNCTION.
 6223 	(ASM_MARK_NOEXEC_STACK): Use TYPE_PROGBITS.
 6224 	(asm_path): Set up asm_path for armv7.
 6225 
 6226 	* asm.m4: Use changecom to disable m4 quoting. Use divert to
 6227 	suppress output.
 6228 
 6229 2013-02-05  Niels Möller  <nisse@lysator.liu.se>
 6230 
 6231 	* testsuite/rsa-keygen-test.c (test_main): Updated expected
 6232 	signatures, after the nettle_mpz_random change below.
 6233 	* testsuite/dsa-test.c (test_main): Likewise. Also fixed the
 6234 	dsa256 test to actually use the expected signature.
 6235 
 6236 2013-01-31  Niels Möller  <nisse@lysator.liu.se>
 6237 
 6238 	* bignum-random.c (nettle_mpz_random): Increased number of extra
 6239 	bits to 64, following FIPS 186-3.
 6240 
 6241 2013-01-16  Niels Möller  <nisse@lysator.liu.se>
 6242 
 6243 	* Released nettle-2.6.
 6244 
 6245 2013-01-12  Niels Möller  <nisse@lysator.liu.se>
 6246 
 6247 	* configure.ac: Use AC_LANG_SOURCE.
 6248 
 6249 2013-01-02  Niels Möller  <nisse@lysator.liu.se>
 6250 
 6251 	* configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.5.
 6252 	(LIBHOGWEED_MINOR): And to 2.3.
 6253 
 6254 	* examples/Makefile.in: Explicit rules for building objects in
 6255 	parent directory.
 6256 	* tools/Makefile.in: Likewise.
 6257 	* testsuite/Makefile.in: Likewise.
 6258 
 6259 2013-01-01  Niels Möller  <nisse@lysator.liu.se>
 6260 
 6261 	* nettle.texinfo (Recommended hash functions): Document additional
 6262 	sha3 functions.
 6263 
 6264 	* examples/nettle-benchmark.c (main): Benchmark additional sha3
 6265 	functions.
 6266 
 6267 2012-12-30  Niels Möller  <nisse@lysator.liu.se>
 6268 
 6269 	* sha3-224.c, sha3-224-meta.c: New files.
 6270 	* sha3-384.c, sha3-384-meta.c: New files.
 6271 	* sha3-512.c, sha3-512-meta.c: New files.
 6272 	* sha3.h: Prototypes for sha3 with sizes 224, 384 and 512.
 6273 	* nettle-meta.h: Declare nettle_sha3_224, nettle_sha3_384 and
 6274 	nettle_sha3_512.
 6275 	* Makefile.in (nettle_SOURCES): Added new sha3 files.
 6276 
 6277 	* testsuite/sha3-224-test.c: New file.
 6278 	* testsuite/sha3-384-test.c: New file.
 6279 	* testsuite/sha3-512-test.c: New file.
 6280 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new sha3 test files.
 6281 
 6282 	* configure.ac: Disabled use of sha3-permute.asm.
 6283 
 6284 2012-12-20  Niels Möller  <nisse@lysator.liu.se>
 6285 
 6286 	From Tim Rühsen:
 6287 	* testsuite/des-compat-test.c (pt): Use proper prototype, use
 6288 	const.
 6289 	* testsuite/testutils.c (test_dsa_key): Deleted spurious
 6290 	semicolon.
 6291 
 6292 2012-12-15  Niels Möller  <nisse@lysator.liu.se>
 6293 
 6294 	Based on a patch from Alon Bar-Lev:
 6295 	* Makefile.in (LIBTARGETS, SHLIBTARGET): Define as empty if static
 6296 	or shared libraries, respectively, are disabled.
 6297 	(TARGETS): Deleted @IF_SHARED@ conditional, now in the definition
 6298 	of SHLIBTARGET.
 6299 
 6300 	From Alon Bar-Lev:
 6301 	* configure.ac: Check for ar program. New option --disable-static.
 6302 	* config.make.in (AR): Use configured value.
 6303 
 6304 2012-12-13  Niels Möller  <nisse@lysator.liu.se>
 6305 
 6306 	* x86_64/sha3-permute.asm: Rewrote, to keep all state in
 6307 	registers. 2400 cycles on x86_64, only slightly faster than the
 6308 	current C code.
 6309 
 6310 2012-12-09  Niels Möller  <nisse@lysator.liu.se>
 6311 
 6312 	* sha3-permute.c (sha3_permute): Rewrote to do permutation in
 6313 	place. 80% speedup on x86_64, 2500 cycles.
 6314 
 6315 2012-12-04  Niels Möller  <nisse@lysator.liu.se>
 6316 
 6317 	* ctr.c (ctr_crypt): Fix bug reported by Tim Kosse. Don't
 6318 	increment the counter when length is zero (was broken for the
 6319 	in-place case).
 6320 
 6321 	* testsuite/ctr-test.c (test_main): Added test with zero-length
 6322 	data.
 6323 	* testsuite/testutils.c (test_cipher_ctr): Check the ctr value
 6324 	after encrypt and decrypt.
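The counter-handling rule this fix restores, worked through as an added Python example; it is not nettle's ctr.c. The block cipher is replaced by a constructed keyed PRF (HMAC-SHA256 truncated to one block), which is legitimate for CTR mode since only a pseudorandom function of the counter is needed, but is an assumption of this example rather than anything nettle does. The policy that a final partial block still consumes a counter value is likewise this example's assumption; the invariants a caller relies on are that the counter advances by exactly ceil(length / block size), that empty input leaves it untouched, and that the in-place (src == dst) path gives the same result and the same counter as the out-of-place path.

```python
"""CTR mode counter handling, added example (not nettle's ctr.c)."""
import hashlib
import hmac

BLOCK_SIZE = 16


def prf_block(key, counter_block):
    """Constructed stand-in for the block cipher: HMAC-SHA256 truncated to one
    block. CTR only needs a keyed pseudorandom function of the counter, so any
    PRF works here; a real deployment would use AES or similar."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK_SIZE]


def increment(ctr):
    """Treat the whole block as a big-endian integer and add one, wrapping
    around to zero on overflow; modifies the bytearray in place."""
    n = (int.from_bytes(ctr, "big") + 1) % (1 << (8 * len(ctr)))
    ctr[:] = n.to_bytes(len(ctr), "big")


def ctr_crypt(key, ctr, src):
    """Encrypt or decrypt `src` (bytes) and return the result.

    `ctr` is a bytearray updated in place: it advances once per block
    consumed, so a caller can continue the stream with the next call.
    Assumed policy: a final partial block still uses up a counter value,
    and empty input consumes none (the case the 2012-12-04 fix addresses).
    """
    dst = bytearray(len(src))
    for off in range(0, len(src), BLOCK_SIZE):
        ks = prf_block(key, bytes(ctr))
        for i in range(off, min(off + BLOCK_SIZE, len(src))):
            dst[i] = src[i] ^ ks[i - off]
        increment(ctr)
    return bytes(dst)


def ctr_crypt_inplace(key, ctr, buf):
    """Same operation with src == dst: `buf` is a bytearray overwritten in
    place. The loop bound is the data length, so zero bytes means zero
    keystream blocks and an untouched counter."""
    for off in range(0, len(buf), BLOCK_SIZE):
        ks = prf_block(key, bytes(ctr))
        for i in range(off, min(off + BLOCK_SIZE, len(buf))):
            buf[i] ^= ks[i - off]
        increment(ctr)


def blocks_consumed(length):
    """Expected counter advance for `length` bytes: ceil(length / BLOCK_SIZE)."""
    return -(-length // BLOCK_SIZE)


if __name__ == "__main__":
    key = b"\x01" * 32
    ctr = bytearray(BLOCK_SIZE)
    ctr_crypt(key, ctr, b"")
    print("counter after empty input:", ctr.hex())
    ct = ctr_crypt(key, ctr, bytes(range(40)))
    print("counter after 40 bytes:", ctr.hex(), "blocks:", blocks_consumed(40))
```

The test in the original entry checks the counter value after both encrypt and decrypt; the same check here is that decrypting with a fresh counter returns the plaintext and leaves the counter at the same value encryption did.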
 6325 
 6326 2012-12-03  Niels Möller  <nisse@lysator.liu.se>
 6327 
 6328 	* sha3-permute.c (sha3_permute): Optimized, to reduce number of
 6329 	passes over the data. 20% speedup on x86_64, 4700 cycles.
 6330 
 6331 	* configure.ac: Added sha3-permute.asm.
 6332 
 6333 	* x86_64/sha3-permute.asm: New file. 30% speedup over current C
 6334 	code, 4300 cycles.
 6335 
 6336 	* nettle.texinfo (Hash functions): Split into several sections,
 6337 	separating recommended hash functions and legacy hash functions.
 6338 	Document sha3-256.
 6339 
 6340 2012-12-02  Niels Möller  <nisse@lysator.liu.se>
 6341 
 6342 	Split sha.h into new files sha1.h and sha2.h. Replaced all
 6343 	internal usage of sha.h in all files.
 6344 	* sha.h: Kept for compatibility, just includes both new files.
 6345 	* sha1.h: New file.
 6346 	* sha2.h: New file.
 6347 	* Makefile.in (HEADERS): Added sha1.h and sha2.h.
 6348 
 6349 2012-11-28  Niels Möller  <nisse@lysator.liu.se>
 6350 
 6351 	From Fredrik Thulin:
 6352 	* testsuite/pbkdf2-test.c (test_main): Add PBKDF2-HMAC-SHA512 test
 6353 	cases.
 6354 
 6355 2012-11-15  Niels Möller  <nisse@lysator.liu.se>
 6356 
 6357 	* sha3-permute.c (sha3_permute): Use ULL suffix on round
 6358 	constants. Avoid passing shift count 0 to ROTL64.
 6359 
 6360 	* sha3.c (sha3_absorb): Fixed big-endian code. Need macros.h.
 6361 
 6362 	* macros.h (LE_READ_UINT64): New macro.
 6363 
 6364 2012-11-13  Niels Möller  <nisse@lysator.liu.se>
 6365 
 6366 	* sha3-permute.c (sha3_permute): Micro optimizations. Partial
 6367 	unrolling. Use lookup table for the permutation. On an x86_64,
 6368 	execution time reduced from appr. 13000 cycles to appr. 6000.
 6369 
 6370 	* examples/nettle-benchmark.c (TIME_CYCLES): New macro.
 6371 	(bench_sha1_compress, bench_salsa20_core): Use it.
 6372 	(bench_sha3_permute): New function.
 6373 	(main): Call bench_sha3_permute.
 6374 
 6375 2012-11-12  Niels Möller  <nisse@lysator.liu.se>
 6376 
 6377 	* examples/nettle-benchmark.c (main): Benchmark sha3_256.
 6378 
 6379 	* sha3-permute.c: New file. Permutation function for sha3, aka
 6380 	Keccak.
 6381 	* sha3.h: New header file.
 6382 	* sha3.c: New file, absorption and padding for sha3.
 6383 	* sha3-256.c: New file.
 6384 	* sha3-256-meta.c: New file.
 6385 	* nettle-meta.h (nettle_sha3_256): Declare.
 6386 	* Makefile.in (nettle_SOURCES): Added sha3 files.
 6387 	(HEADERS): Added sha3.h.
 6388 	* testsuite/sha3.awk: New file. Script to extract test vectors.
 6389 	* testsuite/sha3-256-test.c: New file.
 6390 	* testsuite/sha3-permute-test.c: New file.
 6391 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
 6392 	sha3-permute-test.c and sha3-256-test.c.
 6393 	(DISTFILES): Added sha3.awk.
 6394 	* testsuite/.test-rules.make: Added sha3 targets.
 6395 
 6396 	* macros.h (LE_WRITE_UINT64): New macro.
 6397 	* write-le64.c (_nettle_write_le64): New file and function.
 6398 	* nettle-write.h (_nettle_write_le64): Declare. Also deleted
 6399 	declaration of non-existent _nettle_write_be64.
 6400 	* Makefile.in (nettle_SOURCES): Added write-le64.c.
 6401 
 6402 	* macros.h (ROTL64): New macro, moved from...
 6403 	* sha512-compress.c (ROTL64): ... old location, deleted.
 6404 
 6405 	* serpent-internal.h [HAVE_NATIVE_64_BIT] (DROTL32): Renamed from...
 6406 	(ROTL64): ... old name.
 6407 	(DRSHIFT32): Renamed from ...
 6408 	(RSHIFT64): ... old name.
 6409 	* serpent-encrypt.c (LINEAR_TRANSFORMATION64): Updated for above
 6410 	renames.
 6411 	* serpent-decrypt.c (LINEAR_TRANSFORMATION64_INVERSE): Likewise.
 6412 
 6413 2012-11-11  Niels Möller  <nisse@lysator.liu.se>
 6414 
 6415 	From Nikos Mavrogiannopoulos:
 6416 	* nettle.texinfo (Hash functions): Added documentation for
 6417 	gosthash94.
 6418 	* examples/nettle-benchmark.c (main): Benchmark gosthash94.
 6419 
 6420 2012-11-10  Niels Möller  <nisse@lysator.liu.se>
 6421 
 6422 	* nettle.texinfo (nettle_hashes, nettle_ciphers): Use deftypevr,
 6423 	not deftypevrx. Spotted by Nikos Mavrogiannopoulos.
 6424 
 6425 2012-11-08  Niels Möller  <nisse@lysator.liu.se>
 6426 
 6427 	Gost hash function, ported from Aleksey Kravchenko's rhash library
 6428 	by Nikos Mavrogiannopoulos.
 6429 	* gosthash94.c: New file.
 6430 	* gosthash94.h: New file.
 6431 	* gosthash94-meta.c: New file.
 6432 	* nettle-meta.h (nettle_gosthash94): Declare.
 6433 	* Makefile.in (nettle_SOURCES): Added gosthash94.c and
 6434 	gosthash94-meta.c.
 6435 	(HEADERS): Added gosthash94.h.
 6436 	* testsuite/gosthash94-test.c: New file.
 6437 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
 6438 	gosthash94-test.c.
 6439 
 6440 2012-10-29  Niels Möller  <nisse@lysator.liu.se>
 6441 
 6442 	From Martin Storsjö:
 6443 	* configure.ac (dummy-dep-files): Avoid non-posix \|-operator in
 6444 	sed regexp.
 6445 
 6446 2012-10-29  Niels Möller  <nisse@lysator.liu.se>
 6447 
 6448 	* x86_64/salsa20-core-internal.asm: New file.
 6449 	* configure.ac: Added salsa20-core-internal.asm.
 6450 	* examples/nettle-benchmark.c (bench_salsa20_core): New function.
 6451 
 6452 2012-10-27  Niels Möller  <nisse@lysator.liu.se>
 6453 
 6454 	* testsuite/Makefile.in (TS_SOURCES, CXX_SOURCES): Include sources
 6455 	unconditionally.
 6456 	(TS_CXX): Moved @IF_CXX@ conditional here.
 6457 	(DISTFILES): Use $(SOURCES), which now includes all C source
 6458 	files. testutils.c was lost in the 2012-09-20 change.
 6459 
 6460 	* x86_64/salsa20-crypt.asm: Include x86_64/salsa20.m4.
 6461 	Make all exits go via .Lend and W64_EXIT.
 6462 
 6463 	* x86_64/salsa20.m4: New file, extracted from
 6464 	x86_64/salsa20-crypt.asm.
 6465 
 6466 2012-10-26  Niels Möller  <nisse@lysator.liu.se>
 6467 
 6468 	* configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LIBS): Add $(CFLAGS) on
 6469 	the link command line. Reported by Dennis Clarke.
 6470 
 6471 2012-10-03  Niels Möller  <nisse@lysator.liu.se>
 6472 
 6473 	From Nikos Mavrogiannopoulos:
 6474 	* testsuite/testutils.c (test_hash): On failure, print the
 6475 	expected and returned hash values.
 6476 
 6477 2012-09-23  Niels Möller  <nisse@lysator.liu.se>
 6478 
 6479 	* Makefile.in (nettle_SOURCES): Added salsa20-core-internal.c.
 6480 
 6481 	* salsa20-core-internal.c (_salsa20_core): New file and function,
 6482 	extracted from salsa20_crypt.
 6483 	* salsa20.h (_salsa20_core): Declare it.
 6484 	* salsa20-crypt.c (salsa20_crypt): Use _salsa20_core.
 6485 
 6486 2012-09-21  Niels Möller  <nisse@lysator.liu.se>
 6487 
 6488 	* pbkdf2.c (pbkdf2): Assert that iterations > 0. Reorganized
 6489 	loops.
 6490 
 6491 	* nettle.texinfo (Cipher functions): Stress that the salsa20 hash
 6492 	function is not suitable as a general hash function.
 6493 
 6494 2012-09-20  Simon Josefsson  <simon@josefsson.org>
 6495 
 6496 	* pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files.
 6497 	* pbkdf2.h (pbkdf2_hmac_sha1, pbkdf2_hmac_sha256): New prototypes.
 6498 	* Makefile.in (nettle_SOURCES): Add pbkdf2-hmac-sha1.c and
 6499 	pbkdf2-hmac-sha256.c.
 6500 	* nettle.texinfo (Key derivation functions): Improve.
 6501 	* testsuite/pbkdf2-test.c (test_main): Test new functions.
 6502 
 6503 2012-09-20  Niels Möller  <nisse@lysator.liu.se>
 6504 
 6505 	* pbkdf2.c (pbkdf2): Reordered arguments, for consistency.
 6506 	* pbkdf2.h (PBKDF2): Analogous reordering.
 6507 	* testsuite/pbkdf2-test.c: Adapted to new argument order. Also use
 6508 	LDATA for the salt.
 6509 	* nettle.texinfo (Key derivation functions): Updated documented
 6510 	pbkdf2 prototype.
 6511 
 6512 	* testsuite/Makefile.in (VALGRIND): New variable, to make valgrind
 6513 	checking easier.
 6514 
 6515 	* configure.ac: New substitution IF_CXX, replacing CXX_TESTS.
 6516 	(dummy-dep-files): Handle .cxx files.
 6517 
 6518 	* testsuite/Makefile.in: Use IF_CXX. Include dependency file for
 6519 	cxx-test.o.
 6520 
 6521 2012-09-19  Niels Möller  <nisse@lysator.liu.se>
 6522 
 6523 	From Tim Rühsen:
 6524 	* examples/rsa-encrypt.c (main): Added missing mpz_clear.
 6525 	* examples/rsa-keygen.c (main): Added missing deallocation.
 6526 
 6527 	* testsuite/meta-hash-test.c (test_main): Validate
 6528 	NETTLE_MAX_HASH_DIGEST_SIZE.
 6529 
 6530 	* pbkdf2.h (PBKDF2): New macro.
 6531 	* testsuite/pbkdf2-test.c: Use it.
 6532 
 6533 2012-09-12  Simon Josefsson  <simon@josefsson.org>
 6534 
 6535 	* NEWS: Mention addition of PBKDF2.
 6536 	* pbkdf2.c (pbkdf2): New file and function.
 6537 	* pbkdf2.h: Declare it.
 6538 	* Makefile.in (nettle_SOURCES): Add pbkdf2.c.
 6539 	(HEADERS): Add pbkdf2.h.
 6540 	* nettle.texinfo (Key derivation functions): New section.
 6541 	* testsuite/pbkdf2-test.c: New test case.
 6542 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add pbkdf2-test.c.
 6543 	* testsuite/.test-rules.make (pbkdf2-test): New target.
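PBKDF2 as specified in RFC 2898 section 5.2, worked through as an added Python example covering the three pbkdf2 entries above: the generic function, the HMAC-SHA1 and HMAC-SHA256 wrappers, and the iterations > 0 check. This is not nettle's pbkdf2.c; it uses only the standard library, and the helper names are this example's own. The iteration check is not cosmetic: with zero iterations the XOR accumulation below produces all-zero key material for every password, so a caller that passed 0 by mistake would "derive" a constant key.

```python
"""PBKDF2 (RFC 2898, section 5.2) with HMAC as the PRF, added example."""
import hashlib
import hmac


def pbkdf2(password, salt, iterations, length, hash_name="sha1"):
    """Derive `length` bytes from `password` and `salt` with HMAC-<hash_name>.

    T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = PRF(P, S || INT(i)) and
    U_j = PRF(P, U_{j-1}); the derived key is T_1 || T_2 || ... truncated.
    """
    # Zero iterations would make the loop below return all-zero output for
    # every password: reject it instead of silently deriving a useless key.
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    if length < 1:
        raise ValueError("length must be at least 1")
    # Key the HMAC once and copy the state per call, so the password is
    # only processed once rather than once per iteration.
    base = hmac.new(password, digestmod=hash_name)
    hlen = base.digest_size
    out = bytearray()
    for i in range(1, -(-length // hlen) + 1):      # ceil(length / hlen) blocks
        m = base.copy()
        m.update(salt + i.to_bytes(4, "big"))       # INT(i): 4-byte big-endian
        u = m.digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            m = base.copy()
            m.update(u)
            u = m.digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += t
    return bytes(out[:length])


def pbkdf2_hmac_sha1(password, salt, iterations, length):
    return pbkdf2(password, salt, iterations, length, "sha1")


def pbkdf2_hmac_sha256(password, salt, iterations, length):
    return pbkdf2(password, salt, iterations, length, "sha256")


def matches_hashlib(hash_name, password, salt, iterations, length):
    """Cross-check against the standard library's implementation."""
    return (pbkdf2(password, salt, iterations, length, hash_name)
            == hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, length))


def rejects(iterations):
    """True if pbkdf2 refuses the given iteration count."""
    try:
        pbkdf2(b"p", b"s", iterations, 16)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # RFC 6070 test vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20)
    print(pbkdf2_hmac_sha1(b"password", b"salt", 1, 20).hex())
```

The RFC 6070 vectors (iteration counts 1, 2 and 4096 for "password"/"salt") exercise the single-block case; a request longer than one digest, such as 25 bytes from SHA-1, exercises the block loop and the final truncation.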
 6544 
 6545 2012-09-16  Niels Möller  <nisse@lysator.liu.se>
 6546 
 6547 	* testsuite/: Overhaul of testsuite, affecting almost all files.
 6548 	+ Use struct tstring for allocated strings, and deallocate before
 6549 	exit.
 6550 	+ Changed most test functions to take struct tstring as arguments.
 6551 	+ Made all test_main return on success.
 6552 
 6553 	* testsuite/testutils.h (struct tstring): New struct type.
 6554 	(H2, HL, MEMEQH, SUCCESS): Deleted macros.
 6555 	(SHEX, SDATA): New macros.
 6556 	(H): Redefined to track storage.
 6557 
 6558 	* testsuite/testutils.c (tstring_alloc): New function.
 6559 	(tstring_clear): New function.
 6560 	(tstring_data): New function.
 6561 	(tstring_hex): New function.
 6562 	(tstring_print_hex): New function.
 6563 	(decode_hex_length): Made static.
 6564 	(decode_hex): Made static. No return value, abort on error.
 6565 	(main): Expect test_main to return, and call tstring_clear before
 6566 	exit.
 6567 	(test_dsa_key): Added missing mpz_clear.
 6568 	(test_mac): Deleted unused function.
 6569 
 6570 	* testsuite/rsa2sexp-test.c (test_main): Added missing
 6571 	nettle_buffer_clear.
 6572 
 6573 	* testsuite/yarrow-test.c (open_file): Don't leak filename.
 6574 	(test_main): fclose input file properly.
 6575 
 6576 	* testsuite/sexp-format-test.c (test_main): Added missing calls to
 6577 	nettle_buffer_clear and mpz_clear.
 6578 
 6579 	* testsuite/serpent-test.c (tstring_hex_reverse): New function,
 6580 	replacing...
 6581 	(decode_hex_reverse): ... deleted function.
 6582 	(RHEX): New macro, replacing...
 6583 	(RH, RHL): ... deleted macros.
 6584 
 6585 	* testsuite/rsa2sexp-test.c (test_main): Added missing
 6586 	nettle_buffer_clear.
 6587 
 6588 	* testsuite/random-prime-test.c (test_main): Added missing
 6589 	mpz_clear.
 6590 
 6591 	* realloc.c (nettle_realloc): Only call libc realloc if length >
 6592 	0, otherwise call free. Fixes a small memory leak.
 6593 	(nettle_xrealloc): Likewise.
 6594 
 6595 	* run-tests (test_program): Don't quote $EMULATOR; allow it to
 6596 	expand to program and arguments (e.g., valgrind).
 6597 
 6598 	* tools/pkcs1-conv.c (convert_public_key): Added missing calls to
 6599 	dsa_public_key_clear and rsa_public_key_clear.
 6600 	(main): Added missing nettle_buffer_clear.
 6601 
 6602 2012-09-10  Niels Möller  <nisse@lysator.liu.se>
 6603 
 6604 	* examples/eratosthenes.c (main): Explicitly deallocate storage
 6605 	before exit.
 6606 
 6607 	* examples/io.c (read_file): Explicitly treat an empty file as an
 6608 	error. Rearrange loop, check for short fread return value.
 6609 
 6610 	* desdata.c: Don't declare printf, include <stdio.h> instead. Also
 6611 	deleted casts of printf return value.
 6612 
 6613 	From Tim Rühsen:
 6614 	* examples/nettle-benchmark.c (die): Use PRINTF_STYLE attribute.
 6615 	* pgp-encode.c (pgp_put_rsa_sha1_signature): Deleted unused variable.
 6616 	* rsa2openpgp.c (rsa_keypair_to_openpgp): Likewise.
 6617 	* examples/base16enc.c (main): Deleted useless allocations.
 6618 
 6619 2012-09-07  Niels Möller  <nisse@lysator.liu.se>
 6620 
 6621 	* examples/nettle-benchmark.c (die): Add NORETURN attribute. Patch
 6622 	from Tim Rühsen.
 6623 	* tools/misc.h (die, werror): Use PRINTF_STYLE and NORETURN macros
 6624 	for attributes. Patch from Tim Rühsen.
 6625 
 6626 	* examples/io.h (werror): Use PRINTF_STYLE macro.
 6627 
 6628 2012-08-22  Niels Möller  <nisse@lysator.liu.se>
 6629 
 6630 	From Sam Thursfield <sam.thursfield@codethink.co.uk>:
 6631 	* configure.ac: Make documentation optional, to avoid requiring
 6632 	TeX. New option --disable-documentation, and Makefile substitution
 6633 	IF_DOCUMENTATION.
 6634 	* Makefile.in: Use IF_DOCUMENTATION.
 6635 
 6636 2012-07-12  Niels Möller  <nisse@lysator.liu.se>
 6637 
 6638 	* asm.m4 (ALIGN): Use << operator rather than **, with m4 eval.
 6639 	The latter is not supported by BSD m4.
 6640 
 6641 2012-07-07  Niels Möller  <nisse@lysator.liu.se>
 6642 
 6643 	Copyright headers: Updated FSF address. Patch from David Woodhouse.
 6644 
 6645 	* examples/Makefile.in (BENCH_LIBS): Added -lm, needed for the
 6646 	ldexp function. Reported by Anthony G. Basile.
 6647 
 6648 	* configure.ac: Changed version number to 2.6.
 6649 
 6650 	* Released nettle-2.5.
 6651 
 6652 2012-07-05  Niels Möller  <nisse@lysator.liu.se>
 6653 
 6654 	* x86_64/salsa20-crypt.asm (salsa20_crypt): Write the 64-bit movq
 6655 	instructions as "movd", since that makes the osx assembler
 6656 	happier. Assembles to the same machine code on gnu/linux.
 6657 
 6658 2012-07-03  Niels Möller  <nisse@lysator.liu.se>
 6659 
 6660 	* aclocal.m4 (LSH_FUNC_ALLOCA): In the config.h boilerplate,
 6661 	include malloc.h if it exists, also when compiling with gcc.
 6662 	Needed for cross-compiling with --host=i586-mingw32msvc.
 6663 
 6664 	* examples/base16dec.c: Don't #include files using <nettle/...>,
 6665 	we don't want to pick up installed versions. On windows, include
 6666 	<fcntl.h>, needed for _setmode.
 6667 	* examples/base16enc.c: Likewise.
 6668 	* examples/base64dec.c: Likewise.
 6669 	* examples/base64enc.c: Likewise.
 6670 
 6671 	* nettle.texinfo (Cipher functions): Document Salsa20.
 6672 
 6673 2012-06-25  Niels Möller  <nisse@lysator.liu.se>
 6674 
 6675 	* pkcs1.c (_pkcs1_signature_prefix): Renamed function, adding a
 6676 	leading underscore. Updated all callers.
 6677 
 6678 	* bignum-next-prime.c (nettle_next_prime): Consistently use the
 6679 	type nettle_random_func * (rather than just nettle_random_func)
 6680 	when passing the function pointer as argument. Similar change for
 6681 	nettle_progress_func. Should have been done for the 2.0 release,
 6682 	but a few arguments were overlooked.
 6683 	* bignum-random-prime.c (_nettle_generate_pocklington_prime)
 6684 	(nettle_random_prime): Likewise.
 6685 	* bignum-random.c (nettle_mpz_random_size, nettle_mpz_random):
 6686 	Likewise.
 6687 	* dsa-keygen.c (dsa_generate_keypair): Likewise.
 6688 	* dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise.
 6689 	* dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign):
 6690 	Likewise.
 6691 	* dsa-sign.c (_dsa_sign): Likewise.
 6692 	* pkcs1-encrypt.c (pkcs1_encrypt): Likewise.
 6693 	* rsa-blind.c (_rsa_blind): Likewise.
 6694 	* rsa-decrypt-tr.c (rsa_decrypt_tr): Likewise.
 6695 	* rsa-encrypt.c (rsa_encrypt): Likewise.
 6696 	* rsa-keygen.c (rsa_generate_keypair): Likewise.
 6697 	* rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Likewise.
 6698 
 6699 	* cbc.c (cbc_encrypt, cbc_decrypt): Similarly, use the type
 6700 	nettle_crypt_func * rather than just nettle_crypt_func.
 6701 	* ctr.c (ctr_crypt): Likewise.
 6702 	* gcm.c (gcm_set_key): Likewise.
 6703 
 6704 	* testsuite/des-compat-test.c (test_main): Disable declarations of
 6705 	disabled functions and variables, to avoid warnings. No verbose
 6706 	output unless verbose flag is set.
 6707 
 6708 2012-06-09  Niels Möller  <nisse@lysator.liu.se>
 6709 
 6710 	* examples/Makefile.in (SOURCES): Added base16dec.c, forgotten
 6711 	earlier.
 6712 
 6713 	General pkcs1 signatures, with a "DigestInfo" input. Suggested by
 6714 	Nikos Mavrogiannopoulos.
 6715 	* Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-digest.c,
 6716 	rsa-pkcs1-sign.c, rsa-pkcs1-sign-tr.c, and rsa-pkcs1-verify.c.
 6717 
 6718 	* pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): New file and
 6719 	function.
 6720 	* pkcs1.h: Declare it.
 6721 
 6722 	* rsa-pkcs1-verify.c (rsa_pkcs1_verify): New file and function.
 6723 	* rsa-pkcs1-sign.c (rsa_pkcs1_sign): New file and function.
 6724 	* rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): New file and function,
 6725 	contributed by Nikos Mavrogiannopoulos.
 6726 	* rsa.h: Declare new functions.
 6727 
 6728 	* rsa.h (_rsa_blind, _rsa_unblind): Declare functions.
 6729 	* rsa-blind.c (_rsa_blind, _rsa_unblind): Functions moved to a
 6730 	separate file, renamed and made non-static. Moved from...
 6731 	* rsa-decrypt-tr.c: ... here.
 6732 
 6733 2012-06-03  Niels Möller  <nisse@lysator.liu.se>
 6734 
 6735 	* testsuite/pkcs1-test.c (test_main): Include leading zero in
 6736 	expected result.
 6737 
 6738 	* pkcs1.c (pkcs1_signature_prefix): Return pointer to where the
 6739 	digest should be written. Let the size input be the key size in
 6740 	octets, rather than key size - 1.
 6741 	* pkcs1-rsa-*.c: Updated for above.
 6742 	* rsa-*-sign.c, rsa-*-verify.c: Pass key->size, not key->size - 1.
 6743 
 6744 2012-05-18  Niels Möller  <nisse@lysator.liu.se>
 6745 
 6746 	* pkcs1-encrypt.c (pkcs1_encrypt): New file and function.
 6747 	* rsa-encrypt.c (rsa_encrypt): Use pkcs1_encrypt.
 6748 
 6749 2012-05-09  Niels Möller  <nisse@lysator.liu.se>
 6750 
 6751 	* rsa-decrypt-tr.c (rsa_decrypt_tr): Added missing mpz_clear,
 6752 	spotted by Nikos Mavrogiannopoulos.
 6753 
 6754 2012-05-07  Niels Möller  <nisse@lysator.liu.se>
 6755 
 6756 	* nettle-types.h (_STDINT_HAVE_INT_FAST32_T): Define here, to
 6757 	force nettle-stdint.h to not try to define the int_fast*_t types.
 6758 	Avoids compilation problems with gnutls on SunOS-5.8, where the
 6759 	definitions here collide with gnulib's.
 6760 
 6761 2012-04-23  Niels Möller  <nisse@lysator.liu.se>
 6762 
 6763 	* nettle-internal.h (NETTLE_MAX_BIGNUM_SIZE): New constant. Based
 6764 	on NETTLE_MAX_BIGNUM_BITS, rounded upwards. Replaced all uses of
 6765 	NETTLE_MAX_BIGNUM_BITS.
 6766 
 6767 2012-04-19  Niels Möller  <nisse@lysator.liu.se>
 6768 
 6769 	* list-obj-sizes.awk: Use decimal rather than hexadecimal output.
 6770 	(hex2int): Use local variables.
 6771 
 6772 2012-04-18  Niels Möller  <nisse@lysator.liu.se>
 6773 
 6774 	* x86_64/salsa20-crypt.asm: New file.
 6775 
 6776 2012-04-17  Niels Möller  <nisse@lysator.liu.se>
 6777 
 6778 	* testsuite/salsa20-test.c (test_salsa20_stream): Check that
 6779 	salsa20_crypt doesn't write beyond the given destination area.
 6780 	(test_salsa20): Likewise.
 6781 
 6782 	* salsa20-crypt.c: Renamed file, from...
	* salsa20.c: ... old name.

	* x86_64/machine.m4 (WREG): New macro.

	* salsa20.c (salsa20_hash): Deleted function, inlined into
	salsa20_crypt.
	(salsa20_set_key, salsa20_set_iv): Moved, to...
	* salsa20-set-key.c: ...new file.

2012-04-15  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/salsa20-test.c (test_salsa20_stream): New function.
	(test_main): Tests for encrypting more than one block at a time.

2012-04-14  Niels Möller  <nisse@lysator.liu.se>

	* examples/io.c (write_file): Use write_string.

	* examples/Makefile.in (base64enc): New targets. Also
	added missing io.o dependency to several other targets.
	(base64dec, base16enc, base16dec): Likewise.

	* examples/base64enc.c: New file, based on example code
	contributed by Jeronimo Pellegrini.
	* examples/base64dec.c: Likewise.
	* examples/base16enc.c: Likewise.
	* examples/base16dec.c: Likewise.

	* examples/rsa-encrypt.c (process_file): Reorganized fread loop.
	(usage): New function.
	(main): Implemented --help option.

	* examples/rsa-decrypt.c (process_file): Improved error message
	for too short input file.

	* aes-set-decrypt-key.c (gf2_log, gf2_exp): Deleted tables.
	(mult, inv_mix_column): Deleted functions.
	(mtable): New table.
	(MIX_COLUMN): New macro.
	(aes_invert_key): Use MIX_COLUMN and mtable.

	* aesdata.c (compute_mtable): New table, for the inv mix column
	operation in aes_invert_key.

2012-04-13  Niels Möller  <nisse@lysator.liu.se>

	* aes-set-encrypt-key.c (aes_set_encrypt_key): Use LE_READ_UINT32.
	Tabulate the needed "round constants".
	(xtime): Deleted function.

	* aes-internal.h (SUBBYTE): Cast to uint32_t. Use B0, ..., B3
	macros.

2012-04-09  Niels Möller  <nisse@lysator.liu.se>

	Timing resistant RSA decryption, based on RSA blinding code
	contributed by Nikos Mavrogiannopoulos.
	* rsa-decrypt-tr.c (rsa_decrypt_tr): New function.
	(rsa_blind): Helper function.
	(rsa_unblind): Helper function.
	* rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include
	nettle-meta.h, more consistent declarations of function pointer
	arguments.
	* testsuite/rsa-encrypt-test.c (test_main): Test rsa_decrypt_tr.
	Check for writes past the end of the message area.

	* Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c.
	* rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt.
	* pkcs1-decrypt.c (pkcs1_decrypt): New file and function,
	extracted from rsa_decrypt.

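RSA blinding, the technique the 2012-04-09 entry above adopts for rsa_decrypt_tr, as an added Python illustration that is not nettle's code: the ciphertext is multiplied by r^e for a fresh random r before the private exponentiation, so the value that exponentiation sees is unrelated to attacker-chosen input, and the result is unblinded by multiplying with r^-1 mod n. The key generation uses toy 64-bit primes (an assumption of the example, far below a secure size), the function names are the example's own, and the up-front range check on the ciphertext is ordinary RSA hygiene rather than anything quoted from the entry.

```python
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the expected size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(prime_bits=64, e=65537):
    """Toy RSA key pair (assumption: 64-bit primes, NOT a secure size).
    pow(e, -1, phi) needs Python 3.8 or later."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def rsa_encrypt(key, m):
    """Textbook RSA, c = m^e mod n; no padding, illustration only."""
    n = key["n"]
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, key["e"], n)


def rsa_blind(key, c):
    """Pick r with gcd(r, n) = 1; return (c * r^e mod n, r^-1 mod n)."""
    n = key["n"]
    while True:
        r = 1 + secrets.randbelow(n - 1)        # 1 <= r < n
        if gcd(r, n) == 1:
            break
    return (c * pow(r, key["e"], n)) % n, pow(r, -1, n)


def rsa_unblind(key, m_blind, r_inv):
    """(c * r^e)^d = m * r mod n, so multiplying by r^-1 recovers m."""
    return (m_blind * r_inv) % key["n"]


def rsa_decrypt_blinded(key, c):
    """Private-key operation with blinding: the private exponentiation
    never operates directly on the caller's c."""
    n = key["n"]
    if not 0 <= c < n:                          # reject out-of-range input up front
        raise ValueError("ciphertext out of range")
    c_blind, r_inv = rsa_blind(key, c)
    m_blind = pow(c_blind, key["d"], n)         # = m * r (mod n)
    return rsa_unblind(key, m_blind, r_inv)
```

Because r is fresh for every call, repeated decryptions of the same c drive the exponentiation through unrelated values, which is what removes the correlation a timing attack needs; the unblinding multiply costs one extra modular multiplication and one inversion per call.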
2012-04-01  Niels Möller  <nisse@lysator.liu.se>

	* salsa20.c (LE_SWAP32): Typo fix for big-endian case.
	(QROUND): New macro.
	(salsa20_hash): Use it.

2012-03-31  Niels Möller  <nisse@lysator.liu.se>

	* salsa20.c (salsa20_set_iv): Deleted size argument, only one
	size allowed.
	(U8TO32_LITTLE): Deleted macro. Use LE_READ_UINT32 instead, which
	avoids unaligned reads.
	(salsa20_set_key): Rearranged slightly, to avoid unnecessary
	byte-to-word conversions.

	(LE_SWAP32): Renamed macro from...
	(U32TO32_LITTLE): ... old name.
	(U32TO8_LITTLE): Deleted macro.
	(salsa20_wordtobyte): Renamed function to...
	(salsa20_hash): ... new name. Changed output argument from byte
	array to word array. Use memxor3, which brings a considerable
	performance gain.

	* nettle-internal.c (salsa20_set_key_hack): Updated salsa20_set_iv
	call.
	* testsuite/salsa20-test.c (test_salsa20): Deleted iv_length
	argument, updated all calls.

	* salsa20.h (SALSA20_BLOCK_SIZE): New constant.
	(_SALSA20_INPUT_LENGTH): New constant.
	* salsa20.c: Use these constants.

	* salsa20.c (ROTL32): Deleted macro, use the one from macros.h
	instead, with reversed order of arguments.
	(ROTATE, XOR, PLUS, PLUSONE): Deleted macros, use ROTL32 and
	builtin operators directly.

	Unification of rotation macros.
	* macros.h (ROTL32): New macro, to replace (almost) all other
	rotation macros.

	* aes-set-encrypt-key.c: Include macros.h.
	(aes_set_encrypt_key): Use ROTL32.
	* aes-internal.h (ROTBYTE, ROTRBYTE): Deleted macros.

	* camellia-internal.h (ROL32): Deleted macro.
	(ROTL128): Renamed for consistency, from...
	(ROL128): ... old name.
	* camellia-crypt-internal.c: Updated for renamed rotation macros.
	* camellia-set-encrypt-key.c: Likewise.
	* cast128.c (ROL): Deleted macro.
	(F1, F2, F3): Updated to use ROTL32 (reversed order of arguments).
	Also added proper do { ... } while (0) wrappers.

	* ripemd160-compress.c (ROL32): Deleted macro.
	(R): Updated to use ROTL32 (reversed order of arguments).

	* serpent-internal.h (ROL32): Deleted macro.
	(ROTL64): Renamed (from ROL64) and reordered arguments, for
	consistency.
	(RSHIFT64): Reordered arguments, for consistency.
	* serpent-decrypt.c: Updated for renamed rotation macros, with
	reversed argument order.
	* serpent-encrypt.c: Likewise.
	* serpent-set-key.c: Likewise.

	* sha1-compress.c (ROTL): Deleted macro, use ROTL32 instead.

	* sha256-compress.c (ROTR): Deleted macro. Replaced by ROTL32,
	with complemented shift count.
	(SHR): Deleted macro, use plain shift operator instead.

	* sha512-compress.c (ROTR): Deleted macro, replaced by...
	(ROTL64): ...new macro, with complemented shift count.
	(SHR): Deleted macro, use plain shift operator instead.
	(S0, S1, s0, s1): Updated accordingly.

2012-03-30  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.c (nettle_salsa20): Cipher struct for
	benchmarking only. Sets a fixed zero IV, and ignores block size.
	* nettle-internal.h (nettle_salsa20): Declare it.

	* examples/nettle-benchmark.c (block_cipher_p): New function.
	(time_cipher): Use block_cipher_p.
	(main): Include salsa20 in benchmark.

	* Makefile.in (soname link): Fixed logic.
	(nettle_SOURCES): Removed nettle-internal.c, so that it's not
	part of the library...
	(internal_SOURCES): ...and put it here.
	* testsuite/Makefile.in (TEST_OBJS): Added ../nettle-internal.o.
	* examples/Makefile.in (BENCH_OBJS): New variable, to simplify the
	nettle-benchmark rule. Also link with ../nettle-internal.o.

2012-03-29  Niels Möller  <nisse@lysator.liu.se>

	Implementation of Salsa20, contributed by Simon Josefsson.
	* salsa20.h: New file.
	* salsa20.c: New file.
	* Makefile.in (nettle_SOURCES): Added salsa20.c.
	(HEADERS): Added salsa20.h.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added salsa20-test.c.
	* testsuite/salsa20-test.c: New test case.

	* Makefile.in (soname links): Added missing space before ].

2012-03-23  Niels Möller  <nisse@lysator.liu.se>

	* arcfour.h (arcfour_stream): Deleted obsolete prototype.

2012-03-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (enable_shared): Build shared libraries by default.

2012-03-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.4.
	(LIBHOGWEED_MINOR): And to 2.2.

2012-02-27  Niels Möller  <nisse@lysator.liu.se>

	* list-obj-sizes.awk: Recognize elf64 objects.

	* Makefile.in (.texinfo.dvi): Pass -b option to texi2dvi.

	* Makefile.in (TARGETS): Added twofishdata.
	(SOURCES): Added twofishdata.c.
	(twofishdata): New rule.

	* twofish.c (q0, q1): Made const, and reformatted to match the
	twofishdata program.

	* twofishdata.c: Resurrected old file. Used to be called
	generate_q.c, when the twofish code was contributed back in 1999.

	* nettle.texinfo: Documentation for base16 and base64 encoding.
	Text contributed by Jeronimo Pellegrini
	<pellegrini@mpcnet.com.br>, back in April 2006.

2012-02-18  Niels Möller  <nisse@lysator.liu.se>

	* run-tests, getopt.c, getopt1.c, getopt.h: These files were moved
	to the top-level in the conversion to an independent git
	repository. They used to be symlinks to lsh files, from the
	subdirectories which use them.

	* Makefile.in: Build and distribute getopt files. Distribute
	run-tests script.
	* examples/Makefile.in: Adapt to getopt files and the run-tests
	script now located in the parent directory.
	* testsuite/Makefile.in: Likewise.
	* tools/Makefile.in: Likewise.

	* index.html: Converted to xhtml (from lsh repository, change
	dated 2012-02-03). Updated git instructions.

	* nettle.texinfo: Updated charset declaration.
	* misc/plan.html: Likewise.

2012-01-17  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in (DISTFILES): Added setup-env.

	* examples/rsa-decrypt.c (main): Use _setmode rather than setmode,
	suggested by Eli Zaretskii. Affects windows builds only.
	* examples/rsa-encrypt.c: Likewise.

	* Makefile.in ($(LIBNETTLE_FORLINK)): Always create a .lib symlink
	to the library file. Use LN_S.
	($(LIBHOGWEED_FORLINK)): Likewise.

	(install-shared-nettle): Use LN_S.
	(install-shared-hogweed): Likewise.

	* configure.ac: Use AC_PROG_LN_S.
	* config.make.in (LN_S): New substitution.

	* testsuite/setup-env: New file. Wine workaround. Can't get
	../.lib into wine's dll search path, so create additional
	symlinks.
	* testsuite/teardown-env: ...and delete them here. Also delete
	file testtmp.
	* examples/setup-env: Similar links setup here.
	* examples/teardown-env: ... and deleted.

2012-01-07  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (check): Add ../.lib to PATH, like in
	testsuite/Makefile. Needed for w*ndows. Reported by Eli Zaretskii.

2011-11-25  Niels Möller  <nisse@lysator.liu.se>

	From Martin Storsjö:
	* x86_64/machine.m4 (W64_ENTRY, W64_EXIT): New macros for
	supporting W64 ABI.
	* x86_64: Updated all assembly files to use them.

	* configure.ac (W64_ABI): New variable, set when compiling for
	W64 ABI (64-bit M$ windows).
	* config.m4.in (W64_ABI): Define, from configure substitution.

2011-11-24  Niels Möller  <nisse@lysator.liu.se>

	From Martin Storsjö:
	* examples/Makefile.in (check): Pass $(EMULATOR) and $(EXEEXT) in
	the environment of run-tests.
	* examples/rsa-encrypt-test: Use $EXEEXT and $EMULATOR.
	* examples/rsa-sign-test: Likewise.
	* examples/rsa-verify-test: Likewise.
	* examples/setup-env: Likewise.

	* testsuite/Makefile.in (check): Pass $(EXEEXT) in the environment of
	run-tests.
	* testsuite/pkcs1-conv-test: Use $EXEEXT and $EMULATOR. Ignore \r
	in rsa-sign output.

	* examples/rsa-decrypt.c (main) [WIN32]: Set stdout/stdin to
	binary mode.
	* examples/rsa-encrypt.c (main): Likewise.

2011-11-24  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (HAVE_NATIVE_64_BIT): Workaround to get it set to 1
	on w64.

	* serpent-internal.h (ROL64): Use (uint64_t) 1 rather than 1L, for
	M$ w64.
	(RSHIFT64): Likewise. Also added a missing parenthesis.

2011-11-24  Niels Möller  <nisse@lysator.liu.se>

	From Martin Storsjö:
	* testsuite/symbols-test: Use $NM, falling back to nm if undefined.
	* testsuite/Makefile.in (check): Pass $(NM) in the environment of
	run-tests.
	* config.make.in (NM): Set NM.

	* testsuite/sexp-conv-test: Use $EMULATOR when running test
	programs. Also ignore \r for output in the non-canonical output
	formats.
	* testsuite/Makefile.in (check): Pass $(EMULATOR) in the
	environment of run-tests.
	* configure.ac (EMULATOR): New substituted variable. Set to wine
	or wine64 when cross compiling for windows, otherwise empty.
	* config.make.in (EMULATOR): Set from autoconf value.

2011-11-20  Niels Möller  <nisse@lysator.liu.se>

	* x86/camellia-crypt-internal.asm: Take ALIGNOF_UINT64_T into
	account when getting the offset for the subkeys. Differs between
	w32 and other systems. w32 problem identified by Martin Storsjö.

	* config.m4.in: Define ALIGNOF_UINT64_T (from configure).

	* configure.ac: Check alignment of uint64_t, and also use AC_SUBST
	for use in config.m4.in.

2011-11-19  Niels Möller  <nisse@lysator.liu.se>

	Cygwin/mingw32 improvements contributed by Martin Storsjö:
	* Makefile.in (IMPLICIT_TARGETS): New variable for DLL link
	libraries.
	(clean-here): Delete the DLL import libraries.

	* configure.ac: Setup installation of DLL files in $bindir.
	(IF_DLL, LIBNETTLE_FILE_SRC, LIBHOGWEED_FILE_SRC): New
	substitutions.

	* config.make.in (LIBNETTLE_FILE_SRC): Substitute new autoconf
	variable.
	(LIBHOGWEED_FILE_SRC): Likewise.

	* Makefile.in (install-dll-nettle, uninstall-dll-nettle): New
	targets for installing the DLL file in $bindir.
	(install-shared-nettle): Conditionally depend on
	install-dll-nettle. Use LIBNETTLE_FILE_SRC.
	(uninstall-shared-nettle): Conditionally depend on
	install-dll-nettle.
	(various hogweed targets): Analogous changes.

	* configure.ac: Unify shared lib setup for cygwin and mingw.

2011-10-31  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBHOGWEED_LIBS): Typo fix for the darwin case.
	Spotted by Martin Storsjö.

2011-10-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBHOGWEED_LIBS): cygwin fix, added
	libnettle.dll.a. Reported by Volker Zell.

2011-10-18  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Improved setup for darwin shared libraries.
	Patch contributed by Ryan Schmidt.

2011-10-03  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/memxor.asm: Implemented sse2-loop. Configured at compile
	time, and currently disabled.

	* testsuite/testutils.h (ASSERT): Write message to stderr.

	* testsuite/memxor-test.c: Use 16-byte alignment for "fully
	aligned" operands.

2011-09-03  Niels Möller  <nisse@lysator.liu.se>

	* x86/camellia-crypt-internal.asm: Use "l"-suffix on instructions
	more consistently. Reportedly, freebsd and netbsd systems with
	clang are more picky about this.

	* configure.ac: Changed version number to 2.5.

	* Released nettle-2.4.

	* configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.3.

	* gcm-aes.c: Include config.h.
	* tools/nettle-lfib-stream.c: Likewise.

	* ripemd160-compress.c: Added missing include of config.h. Needed
	for correct operation on big-endian systems.

2011-09-02  Niels Möller  <nisse@amfibolit.hack.org>

	* configure.ac: Changed version number to 2.4.

	* Released nettle-2.3.

2011-08-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c: Added tests for hmac-ripemd160.

	* hmac.h: Declare hmac-ripemd160 related functions.

	* Makefile.in (nettle_SOURCES): Added hmac-ripemd160.c.

2011-08-30  Niels Möller  <nisse@amfibolit.hack.org>

	* nettle.texinfo (Hash functions): Document ripemd-160.

	* hmac-ripemd160.c: New file.

	* hmac.h: Declare hmac-ripemd160 functions.

2011-08-29  Niels Möller  <nisse@lysator.liu.se>

	* sha256.c (sha256_update): Updated MD_UPDATE call for new
	conventions.
	(sha256_write_digest): Use MD_PAD rather than MD_FINAL, and insert
	the length manually.
	* sha512.c: Analogous changes.

	* sha1.c (COMPRESS): New macro.
	(sha1_update): Updated MD_UPDATE call for new conventions.
	(sha1_digest): Use MD_PAD rather than MD_FINAL, and insert the
	length manually.

	* ripemd160.c (ripemd160_init): Use memcpy for initializing the
	state vector.
	(COMPRESS): New macro.
	(ripemd160_update): Use MD_UPDATE.
	(ripemd160_digest): Inline ripemd160_final processing. Use MD_PAD
	and _nettle_write_le32.
	(ripemd160_final): Deleted function.

	* ripemd160.h (struct ripemd160_ctx): Use a 64-bit block count.
	Renamed digest to state.

	* md5.c (md5_init): Use memcpy for initializing the state vector.
	(COMPRESS): New macro, wrapping _nettle_md5_compress.
	(md5_update): Use MD_UPDATE.
	(md5_digest): Inline md5_final processing. Use MD_PAD and
	_nettle_write_le32.
	(md5_final): Deleted.

	* md5.h (struct md5_ctx): Renamed some fields, for consistency.

	* md4.h (struct md4_ctx): Renamed some fields, for consistency.

	* md4.c (md4_init): Use memcpy for initializing the state vector.
	(md4_update): Use MD_UPDATE.
	(md4_digest): Inline md4_final processing, using MD_PAD. Use
	_nettle_write_le32.
	(md4_block): Renamed, to...
	(md4_compress): ... new name. Take ctx pointer as argument.
	(md4_final): Deleted function.

	* md2.c (md2_update): Use MD_UPDATE.

	* macros.h (MD_UPDATE): Added incr argument. Invoke compression
	function with ctx pointer as argument, rather than ctx->state.
	(MD_FINAL): Just pad, don't store length field. Renamed to MD_PAD.
	(MD_PAD): Analogous change of compression invocations.

	* sha512.c (COMPRESS): New macro wrapping _nettle_sha512_compress.
	(sha512_update): Use MD_UPDATE.
	(sha512_final): Deleted function.
	(sha512_write_digest): Use MD_FINAL.

	* sha256.c (COMPRESS): New macro wrapping _nettle_sha256_compress.
	(SHA256_INCR): Deleted macro.
	(sha256_update): Use MD_UPDATE.
	(sha256_final): Deleted function.
	(sha256_write_digest): New function, replacing sha256_final, and
	using MD_FINAL.
	(sha256_digest): Use sha256_write_digest.
	(sha224_digest): Likewise.

	* tools/nettle-hash.c (list_algorithms): Fixed typo in header.

	* sha1.c (SHA1_DATA_LENGTH): Deleted unused macro.
	(sha1_init): Use memcpy to initialize the state vector.
	(SHA1_INCR): Deleted macro.
	(sha1_update): Use MD_UPDATE macro, to reduce code duplication.
	(sha1_digest): Use MD_FINAL macro.
	(sha1_final): Deleted function.

	* sha.h (struct sha1_ctx): Renamed attribute digest to state.

	* macros.h (MD_UPDATE): New macro.
	(MD_FINAL): New macro.

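The MD_UPDATE / MD_PAD split that the 2011-08-29 entry above arrives at, as an added Python illustration that is not nettle's code: one buffered driver absorbs input a block at a time, pads with 0x80 and zeros without writing the length, and leaves the caller to insert the bit count in whatever byte order its algorithm wants (little-endian for MD4, MD5 and RIPEMD-160, big-endian for the SHA family). MD5's compression function is embedded only so the padding bookkeeping can be cross-checked against hashlib on the awkward lengths (55, 56, 63, 64 bytes); the class and function names are the example's own.

```python
import math
import struct

BLOCK_SIZE = 64        # bytes per compression call (MD5, SHA-1, SHA-256 all use 64)
LENGTH_SIZE = 8        # 64-bit message length stored at the end of the last block
MASK32 = 0xFFFFFFFF

# MD5 constants (RFC 1321); MD5 is only the compression function being driven here.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MD5_K = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK32 for i in range(64)]
MD5_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block):
    """One MD5 compression: mix a 64-byte block into the 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + MD5_K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + rotl32(f, MD5_S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


class MDContext:
    """Merkle-Damgard bookkeeping: update() buffers and compresses whole
    blocks, pad() only pads, and finish() inserts the length in the byte
    order the caller asks for before the final compression."""

    def __init__(self, compress, iv):
        self.compress = compress
        self.state = tuple(iv)
        self.block = bytearray()     # partial block not yet compressed
        self.count = 0               # total message bytes absorbed

    def update(self, data):
        data = bytes(data)
        self.count += len(data)
        if self.block:                                   # complete a pending partial block first
            need = BLOCK_SIZE - len(self.block)
            if len(data) < need:
                self.block += data
                return
            self.block += data[:need]
            self.state = self.compress(self.state, bytes(self.block))
            self.block.clear()
            data = data[need:]
        full = len(data) - len(data) % BLOCK_SIZE
        for off in range(0, full, BLOCK_SIZE):           # whole blocks straight from the input
            self.state = self.compress(self.state, data[off:off + BLOCK_SIZE])
        self.block += data[full:]

    def pad(self):
        """Append 0x80 and zeros so exactly LENGTH_SIZE bytes remain free;
        if the 0x80 leaves too little room, flush a full block first."""
        self.block.append(0x80)
        if len(self.block) > BLOCK_SIZE - LENGTH_SIZE:
            self.block += bytes(BLOCK_SIZE - len(self.block))
            self.state = self.compress(self.state, bytes(self.block))
            self.block.clear()
        self.block += bytes(BLOCK_SIZE - LENGTH_SIZE - len(self.block))

    def finish(self, byteorder):
        """Pad, store the bit length ("little" or "big"), compress once more."""
        self.pad()
        self.block += (self.count * 8).to_bytes(LENGTH_SIZE, byteorder)
        self.state = self.compress(self.state, bytes(self.block))
        self.block.clear()
        return self.state


def md5_digest(data, chunk=None):
    """MD5 through the generic driver; chunk splits the input to exercise buffering."""
    ctx = MDContext(md5_compress, MD5_IV)
    step = chunk or max(len(data), 1)
    for off in range(0, len(data), step):
        ctx.update(data[off:off + step])
    return struct.pack("<4I", *ctx.finish("little"))


def matches_hashlib(data, chunk=None):
    """Cross-check the driver against the standard library on the same input."""
    import hashlib
    return md5_digest(data, chunk) == hashlib.md5(data).digest()
```

The length field is computed from the byte count recorded before padding, never from the padded buffer, and a 55-byte message pads into one block while a 56-byte one needs two; those are the cases where hand-rolled padding code most often goes wrong.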
2011-08-28  Niels Möller  <nisse@lysator.liu.se>

	* ripemd160.c (ripemd160_final): Use LE_WRITE_UINT32. Deleted byte
	swapping at the end, leaving it to ripemd160_digest.
	(ripemd160_digest): Use _nettle_write_le32.

	* Makefile.in (nettle_SOURCES): Added write-le32.c.

	* md5.c (md5_digest): Use _nettle_write_le32.

	* write-le32.c (_nettle_write_le32): New file and function.

	* ripemd160-compress.c (ROL32): Renamed macro (was "rol"). Deleted
	x86 version using inline assembly; at least gcc-4.4.5 recognizes
	shift-and-or expressions which are in fact rotations.
	(_nettle_ripemd160_compress): Use LE_READ_UINT32.

	* configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.2.

	* testsuite/meta-hash-test.c: Updated for the addition of
	ripemd-160.

	* testsuite/.test-rules.make: Added rule for ripemd160-test.

	* examples/nettle-benchmark.c (main): Benchmark ripemd-160.

2011-08-28  Niels Möller  <nisse@lysator.liu.se>

	RIPEMD-160 hash function. Ported from libgcrypt by Andres Mejia.
	* testsuite/ripemd160-test.c: New file.
	* ripemd160.h: New file.
	* nettle-meta.h: Declare nettle_ripemd160.
	* ripemd160.c: New file, ported from libgcrypt.
	* ripemd160-compress.c: Likewise.
	* ripemd160-meta.c: New file.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	ripemd160-test.c.
	* nettle-meta-hashes.c (nettle_hashes): Added nettle_ripemd160.
	* Makefile.in (nettle_SOURCES): Added ripemd160.c,
	ripemd160-compress.c, and ripemd160-meta.c.
	(HEADERS): Added ripemd160.h.

2011-08-10  Niels Möller  <nisse@amfibolit.hack.org>

	* nettle.texinfo: Fixed misplaced const in various prototypes.
	Spotted by Tatsuhiro Tsujikawa.

2011-07-24  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (PKGCONFIG_FILES, pkgconfigdir): New variables.
	(DISTFILES): Added nettle.pc.in and hogweed.pc.in.
	(nettle.pc, hogweed.pc): New targets (invoking config.status).
	(install-pkgconfig, uninstall-pkgconfig): New targets.
	(install-here): Depend on install-pkgconfig.
	(uninstall-here): Depend on uninstall-pkgconfig.
	(distclean-here): Delete nettle.pc and hogweed.pc.

2011-07-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Generate nettle.pc and hogweed.pc.

	* nettle.pc.in, hogweed.pc.in: New files.

2011-07-17  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.h: Added missing extern declarations.

2011-07-11  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Changed version number to 2.3.

	* Released nettle-2.2.

	* Makefile.in (DISTFILES): Distribute COPYING.LIB, not COPYING.

2011-07-07  Niels Möller  <nisse@lysator.liu.se>

	* tools/misc.h (werror): Removed incorrect noreturn attribute from
	declaration.

	* examples/io.c (read_file): Bug fix, in dependence of initial
	size on max_size.

2011-07-01  Niels Möller  <nisse@lysator.liu.se>

	* cbc.c (CBC_BUFFER_LIMIT): Reduced to 512 bytes.
	(cbc_decrypt): For in-place operation, use overlapping memxor3 and
	eliminate a memcpy.

	* ctr.c (ctr_crypt): Reorganized to call the encryption function
	with several blocks at a time. Handle the case of a single block
	specially.

	* x86_64/memxor.asm: Added ALIGN for shifting loop. Deleted
	obsolete ifelse.

2011-06-30  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Link in serpent-decrypt.asm, if found.

	* x86_64/serpent-decrypt.asm: Added an SSE2 loop, doing four
	blocks at a time in parallel.

	* x86_64/serpent-encrypt.asm: Include serpent.m4. Deleted a
	redundant label.

	* x86_64/serpent.m4: New file, with serpent-related macros.

2011-06-29  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/serpent-decrypt.asm: Wrote main (32-bit) loop.
	(SBOX0I, SBOX1I, SBOX7I): Fixed bugs.

	* nettle.texinfo (Copyright): Updated for license change to
	LGPLv2+. Updated copyright info on serpent.

	* NEWS: Updated information for nettle-2.2.

	* x86_64/serpent-decrypt.asm: New file.

	* x86_64/serpent-encrypt.asm: Fixed .file pseudo op.

	* testsuite/testutils.c (test_cipher_ctr): Display more info on
	failure.

	* examples/nettle-benchmark.c (bench_ctr): New function.
	(time_cipher): Also benchmark CTR mode.

	* configure.ac (LIBNETTLE_MINOR): Updated library version number
	to 4.1.
	(LIBHOGWEED_MINOR): And to 2.1.

2011-06-22  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Use pwd -P when examining lib directories.
	Link in serpent-encrypt.asm, if found.

2011-06-21  Niels Möller  <nisse@lysator.liu.se>

	* serpent-decrypt.c (SBOX3_INVERSE): Eliminated temporaries.
	(SBOX4_INVERSE): Likewise.
	(SBOX5_INVERSE): Likewise.
	(SBOX6_INVERSE): Likewise.
	(SBOX7_INVERSE): Likewise.
	(All SBOX_INVERSE-macros): Deleted type argument, and updated users.

2011-06-20  Niels Möller  <nisse@lysator.liu.se>

	* serpent-decrypt.c: Renamed arguments in sbox macros.
	(SBOX0_INVERSE): Eliminated temporaries.
	(SBOX1_INVERSE): Likewise.
	(SBOX2_INVERSE): Likewise.

	* x86_64/serpent-encrypt.asm: Added an SSE2 loop, doing four
	blocks at a time in parallel.

	* testsuite/serpent-test.c (test_main): Added some more multiple
	block tests.

2011-06-15  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (libdir): On 64-bit Linux, we used to assume that
	libraries are installed according to the FHS. Since at least
	Fedora and Gentoo follow the FHS convention, while at least Debian
	doesn't, we have to try to figure out which convention is used.

2011-06-14  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/serpent-encrypt.asm: Slight simplification of loop logic.

	* x86_64/serpent-encrypt.asm: New file.

2011-06-12  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/serpent-test.c (test_main): Added tests with multiple
	blocks at a time.

	* serpent-encrypt.c (SBOX6): Renamed arguments. Eliminated
	temporaries.
	(SBOX7): Likewise.
	(All SBOX-macros): Deleted type argument, and updated users.

	* configure.ac: Display summary at the end of configure.
	(asm_path): Set only if enable_assembler is yes.

2011-06-10  Niels Möller  <nisse@lysator.liu.se>

	* serpent-encrypt.c (SBOX5): Renamed arguments. Eliminated
	temporaries.

2011-06-09  Niels Möller  <nisse@lysator.liu.se>

	* serpent-encrypt.c (SBOX4): Renamed arguments. Eliminated
	temporaries.

	* configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LINK): Cygwin fix, from
	Vincent Torri.

2011-06-08  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c (find_first_one): Fixed c99-style
	declaration. Reported by Sebastian Reitenbach.
	(find_first_one): Declare the lookup table as static const, and
	use unsigned char rather than unsigned.

2011-06-07  Niels Möller  <nisse@lysator.liu.se>

	* serpent-encrypt.c (SBOX0): Renamed arguments. Eliminated
	temporaries.
	(SBOX1): Likewise.
	(SBOX2): Likewise.
	(SBOX3): Likewise.

2011-06-06  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Added serpent-internal.h.
	(nettle_SOURCES): Replaced serpent.c by serpent-set-key.c,
	serpent-encrypt.c, and serpent-decrypt.c.

	* serpent.c: Replaced by several new files.
	* serpent-set-key.c: New file.
	* serpent-encrypt.c: New file.
	* serpent-decrypt.c: New file.
	* serpent-internal.h: New file.

	* serpent.c [HAVE_NATIVE_64_BIT]: Process two blocks at a time in
	parallel. Measured speedup of 10%--25% (higher for encryption) on
	x86_64.

2011-06-01  Niels Möller  <nisse@lysator.liu.se>

	* serpent.c (ROUNDS): Deleted macro.
	(serpent_block_t): Deleted array typedef.
	(KEYXOR): New macro, replacing BLOCK_XOR.
	(BLOCK_COPY, SBOX, SBOX_INVERSE): Deleted macros.
	(LINEAR_TRANSFORMATION): Use four separate arguments.
	(LINEAR_TRANSFORMATION_INVERSE): Likewise.
	(ROUND): Take separate arguments for all input and output words.
	(ROUND_INVERSE): Likewise.
	(ROUND_LAST, ROUND_FIRST_INVERSE): Deleted macros.
	(serpent_set_key): Moved loop termination test.
	(serpent_encrypt): Rewrote with unrolling of just eight rounds,
	and without serpent_block_t.
	(serpent_decrypt): Likewise.

	* serpent.c: Added do { ... } while (0) around block macros.
	(serpent_key_t): Deleted array typedef.
	(ROL32, ROR32): Renamed macros, were rol and ror.
	(KS_RECURRENCE, KS): New macros.
	(serpent_key_pad): Renamed, from...
	(serpent_key_prepare): ...old name.
	(serpent_subkeys_generate): Deleted function.
	(serpent_set_key): Rewrote the generation of subkeys. Reduced both
	temporary storage and code size (less unrolling).

2011-05-31  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/serpent-test.c (test_main): Enabled test with short,
	40-bit, key.

	* serpent.c (byte_swap_32): Deleted macro.
	(serpent_key_prepare): Use LE_READ_UINT32. Don't require aligned
	input, and support arbitrary key sizes.

2011-05-30  Simon Josefsson  <simon@josefsson.org>

	* serpent.c: Rewrite, based on libgcrypt code.  License changed
	from GPL to LGPL.
	* serpent_sboxes.h: Removed.
	* Makefile.in: Drop serpent_sboxes.h.

2011-05-31  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/serpent-test.c (test_main): Added some tests for
	padding of keys of length which is not a multiple of four bytes.

2011-05-30  Simon Josefsson  <simon@josefsson.org>

	* testsuite/serpent-test.c (test_main): Add test vectors from
	libgcrypt.

2011-05-21  Niels Möller  <nisse@lysator.liu.se>

	* dsa-keygen.c (dsa_generate_keypair): Avoid double init of mpz
	variable. Spotted by Nikos Mavrogiannopoulos.

2011-05-06  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Fix link flags for shared libraries on Solaris,
	which needs -h to set the soname. Patch contributed by Dagobert
	Michelsen.

2011-05-06  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: New configure option --enable-gcov.

	* arcfour.h (arcfour_stream): Deleted obsolete define.

2011-04-27  Niels Möller  <nisse@lysator.liu.se>

	* tools/nettle-hash.c (find_algorithm): Require exact match.

2011-04-15  Niels Möller  <nisse@lysator.liu.se>

	Reverted broken byte-order change from 2001-06-17:
	* serpent.c (serpent_set_key): Use correct byteorder.
	(serpent_encrypt): Likewise.
	(serpent_decrypt): Likewise.

	* testsuite/serpent-test.c (decode_hex_reverse): New function.
	(RH, RHL): New macros.
	(test_main): Byte reverse inputs and outputs for the test vectors
	taken from the serpent submission package. Enable test vectors
	from http://www.cs.technion.ac.il/~biham/Reports/Serpent/.

2011-03-23  Niels Möller  <nisse@lysator.liu.se>

	* tools/sexp-conv.c (xalloc): Deleted function, now it's in misc.c
	instead.

	* configure.ac: Use LSH_FUNC_STRERROR.

	* tools/Makefile.in (TARGETS): Added nettle-hash, and related
	build rules.
	(SOURCES): Added nettle-hash.c.

	* tools/misc.c (xalloc): New function.

	* tools/pkcs1-conv.c (main): Made the OPT_* constants local, and
	fixed numerical values to start with non-ASCII 0x300.

	* tools/nettle-hash.c: New file.

2011-03-23  Niels Möller  <nisse@lysator.liu.se>

	Contributed by Daniel Kahn Gillmor:
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	meta-hash-test.c, meta-cipher-test.c, and meta-armor-test.c.

	* testsuite/meta-hash-test.c: New file.
	* testsuite/meta-cipher-test.c: New file.
	* testsuite/meta-armor-test.c: New file.

	* nettle.texinfo: Document nettle_hashes and nettle_ciphers.

	* nettle-meta.h: Declare algorithm lists nettle_ciphers,
	nettle_hashes, nettle_armors.

	* Makefile.in (nettle_SOURCES): Added nettle-meta-hashes.c,
	nettle-meta-ciphers.c, and nettle-meta-armors.c.

	* nettle-meta-armors.c: New file.
	* nettle-meta-ciphers.c: New file.
	* nettle-meta-hashes.c: New file.

2011-02-18  Niels Möller  <nisse@lysator.liu.se>

	* arcfour.c (arcfour_stream): Deleted function. It's not very
	useful, and neither documented nor tested.

2011-02-16  Niels Möller  <nisse@lysator.liu.se>

	* cbc.h (CBC_ENCRYPT): Avoid using NULL; we don't ensure that it
	is defined.
	(CBC_DECRYPT): Likewise.

	* gcm-aes.c (gcm_aes_set_iv): Use GCM_SET_IV.
	(gcm_aes_set_key): Deleted cast.
	(gcm_aes_encrypt): Likewise.
	(gcm_aes_decrypt): Likewise.
	(gcm_aes_digest): Likewise.
	(gcm_aes_update): One less argument to GCM_UPDATE.

	* gcm.h (GCM_SET_KEY): Added cast to nettle_crypt_func *. Help
	compiler type checking despite this cast.
	(GCM_ENCRYPT): Likewise.
	(GCM_DECRYPT): Likewise.
	(GCM_DIGEST): Likewise.
	(GCM_SET_IV): New macro, for completeness.
	(GCM_UPDATE): Deleted unused argument encrypt.

2011-02-14  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Split node on cipher modes, and started on
	the GCM documentation.

	* testsuite/gcm-test.c (test_gcm_aes): Deleted function, replaced
	by test_aead.
	(test_main): Use test_aead.

	* testsuite/testutils.c (test_aead): New function, replacing
	test_gcm_aes and before that test_cipher_gcm.

	* nettle-internal.c (nettle_gcm_aes128): New const struct.
	(nettle_gcm_aes192): Likewise.
	(nettle_gcm_aes256): Likewise.

	* nettle-internal.h (struct nettle_aead): Tentative interface for
	authenticated encryption with associated data.

	* examples/nettle-benchmark.c (time_gcm): Renamed. Updated for
	gcm_aes_auth to gcm_aes_update renaming. Benchmark both encryption
	and hashing.
	(time_gmac): ...old name.

	* nettle-internal.c (des_set_key_hack): Don't touch the parity
	bits, since they are now ignored.
	(des3_set_key_hack): Likewise.

	* cast128-meta.c (nettle_cast128): Don't pass keysize.
	* nettle-meta.h (_NETTLE_CIPHER_FIX): Deleted keysize parameter,
	derived from the appropriate constant instead.

	* testsuite/gcm-test.c (test_gcm_aes): Updated for gcm_aes_auth to
	gcm_aes_update renaming.

2011-02-13  Niels Möller  <nisse@lysator.liu.se>

	* gcm.h (GCM_UPDATE): Renamed, from...
	(GCM_AUTH): ...old name.

	* gcm-aes.c (gcm_aes_update): Renamed, from...
	(gcm_aes_auth): ...old name.

	* gcm.c (gcm_update): Renamed, and fixed an assert. From...
	(gcm_auth): ...old name.

	* gcm.h (GCM_TABLE_BITS): Increase table size to 8 bits,
 7708 	corresponding to 4 KByte of key-dependent tables.
 7709 
 7710 2011-02-10  Niels Möller  <nisse@lysator.liu.se>
 7711 
 7712 	* x86_64/memxor.asm: New file. Improves performance by 22% for the
 7713 	unaligned01 case and 35% for the unaligned12 case, benchmarked on
 7714 	Intel SU1400.
 7715 
 7716 	* examples/nettle-benchmark.c (cgt_works_p): New function.
 7717 	(cgt_time_start): Likewise.
 7718 	(cgt_time_end): Likewise.
 7719 	(clock_time_start): Likewise.
 7720 	(clock_time_end): Likewise.
 7721 	(time_function): Read clock via function pointers time_start and
 7722 	time_end, so we can select method at runtime.
 7723 	(xalloc): Use die function.
 7724 	(main): Choose timing function. If available, try clock_gettime,
 7725 	and fall back to clock if it doesn't exist.
 7726 
 7727 	* examples/nettle-benchmark.c (die): New function.
 7728 	(TIME_END, TIME_START): Check return value from clock_gettime.
 7729 
 7730 	* gcm.h (union gcm_block): Use correct length for w array.
 7731 
 7732 	* testsuite/gcm-test.c (test_main): Added the rest of the
 7733 	testcases from the spec.
 7734 
 7735 2011-02-09  Niels Möller  <nisse@lysator.liu.se>
 7736 
 7737 	* testsuite/gcm-test.c (test_main): Enabled testcases 5 and 6,
 7738 	with different IV lengths.
 7739 
 7740 	* gcm-aes.c (gcm_aes_set_iv): Updated for gcm_set_iv change.
 7741 
 7742 	* gcm.c (gcm_hash_sizes): New function.
 7743 	(gcm_set_iv): Added support for IVs of arbitrary size. Needed
 7744 	another argument, for the hash subkey.
 7745 	(gcm_digest): Use gcm_hash_sizes.
 7746 
 7747 	* examples/nettle-benchmark.c (time_gmac): Use gcm_aes interface.
 7748 
 7749 	* testsuite/gcm-test.c (test_gcm_aes): New function, replacing
 7750 	test_cipher_gcm and using the new gcm_aes interface.
 7751 	(test_main): Updated to use test_gcm_aes.
 7752 	* testsuite/testutils.c (test_cipher_gcm): Deleted function.
 7753 
 7754 	* Makefile.in (nettle_SOURCES): Added gcm-aes.c.
 7755 
 7756 	* gcm.c (gcm_set_key): Replaced context argument by a struct
 7757 	gcm_key *.
 7758 	(gcm_hash): Replaced context argument by a struct gcm_key * and a
 7759 	pointer to the hashing state block.
 7760 	(gcm_auth): Added struct gcm_key * argument.
 7761 	(gcm_encrypt): Likewise.
 7762 	(gcm_decrypt): Likewise.
 7763 	(gcm_digest): Likewise.
 7764 
 7765 	* gcm-aes.c: New file.
 7766 	(gcm_aes_set_key): New function.
 7767 	(gcm_aes_set_iv): Likewise.
 7768 	(gcm_aes_auth): Likewise.
 7769 	(gcm_aes_encrypt): Likewise.
 7770 	(gcm_aes_decrypt): Likewise.
 7771 	(gcm_aes_digest): Likewise.
 7772 
 7773 	* gcm.h (struct gcm_key): Moved the key-dependent and
 7774 	message-independent state to its own struct.
 7775 	(struct gcm_ctx): ... and removed it here.
 7776 	(GCM_CTX): New macro.
 7777 	(GCM_SET_KEY): Likewise.
 7778 	(GCM_AUTH): Likewise.
 7779 	(GCM_ENCRYPT): Likewise.
 7780 	(GCM_DECRYPT): Likewise.
 7781 	(GCM_DIGEST): Likewise.
 7782 	(struct gcm_aes_ctx): New struct.
 7783 
 7784 2011-02-08  Niels Möller  <nisse@lysator.liu.se>
 7785 
 7786 	* gcm.h (struct gcm_ctx): The hash key is now always an array,
 7787 	named h, with array size depending on GCM_TABLE_BITS.
 7788 	* gcm.c (gcm_gf_shift): Added a separate result argument.
 7789 	(gcm_gf_mul): Compile bitwise version only when GCM_TABLE_BITS ==
 7790 	0. Simplified interface with just two arguments pointing to
 7791 	complete blocks.
 7792 	(gcm_gf_shift_4, gcm_gf_shift_8): Renamed table-based functions, from...
 7793 	(gcm_gf_shift_chunk): ... old name.
 7794 	(gcm_gf_mul): Renamed both table-based versions and made the
 7795 	argument types compatible with the bitwise gcm_gf_mul.
 7796 	(gcm_gf_mul_chunk): ... the old name.
 7797 	(gcm_set_key): Initialize the table using adds and shifts only.
 7798 	When GCM_TABLE_BITS > 0, this eliminates the only use of the
 7799 	bitwise multiplication.
 7800 	(gcm_hash): Simplified, now that we have the same interface for
 7801 	gcm_gf_mul, regardless of table size.
 7802 
 7803 	* gcm.c	(GHASH_POLYNOMIAL): Use unsigned long for this constant.
 7804 	(gcm_gf_shift_chunk): Fixed bugs for the big endian 64-bit case,
 7805 	e.g., sparc64. For both 4-bit and 8-bit tables.
 7806 
 7807 	* gcm.c: Use the new union gcm_block for all gf operations.
 7808 
 7809 	* gcm.h (union gcm_block): New union, used to enforce alignment.
 7810 
 7811 2011-02-07  Niels Möller  <nisse@lysator.liu.se>
 7812 
 7813 	* gcm.c (gcm_gf_shift_chunk) : Bug fix for little-endian 8-bit
 7814 	tables.
 7815 
 7816 	* gcm.c (gcm_gf_mul_chunk): Special case first and last iteration.
 7817 	(gcm_gf_add): New function, a special case of memxor. Use it for
 7818 	all memxor calls with word-aligned 16 byte blocks. Improves
 7819 	performance to 152 cycles/byte with no tables, 28 cycles per byte
 7820 	with 4-bit tables and 10.5 cycles per byte with 8-bit tables.
 7821 
 7822 	Introduced 8-bit tables. If enabled, gives gmac performance of 19
 7823 	cycles per byte (still on intel x86_64).
 7824 	* gcm.c (gcm_gf_shift_chunk): New implementation for 8-bit tables.
 7825 	(gcm_gf_mul_chunk): Likewise.
 7826 	(gcm_set_key): Generate 8-bit tables.
 7827 
 7828 	* Makefile.in (SOURCES): Added gcmdata.c.
 7829 
 7830 	* gcm.h (GCM_TABLE_BITS): Set to 4.
 7831 
 7832 2011-02-06  Niels Möller  <nisse@lysator.liu.se>
 7833 
 7834 	* Makefile.in (TARGETS): Added gcmdata.
 7835 	(gcmdata): New rule.
 7836 
 7837 	Introduced 4-bit tables. Gives gmac performance of 45 cycles per
 7838 	byte (still on intel x86_64).
 7839 	* gcm.c (gcm_gf_shift): Renamed. Tweaked little-endian masks.
 7840 	(gcm_rightshift): ... old name.
 7841 	(gcm_gf_mul): New argument for the output. Added length argument
 7842 	for one of the inputs (implicitly padding with zeros).
 7843 	(shift_table): New table (in 4-bit and 8-bit versions), generated
 7844 	by gcmdata.
 7845 	(gcm_gf_shift_chunk): New function shifting 4 bits at
 7846 	a time.
 7847 	(gcm_gf_mul_chunk): New function processing 4 bits at a time.
 7848 	(gcm_set_key): Generation of 4-bit key table.
 7849 	(gcm_hash): Use tables, when available.
 7850 
 7851 	* gcmdata.c (main): New file.
 7852 
 7853 	* gcm.c (gcm_rightshift): Moved the reduction of the shifted out
 7854 	bit here.
 7855 	(gcm_gf_mul): Updated for gcm_rightshift change. Improves gmac
 7856 	performance to 181 cycles/byte.
 7857 
 7858 	* gcm.c (gcm_gf_mul): Rewrote. Still uses the bitwise algorithm from the
 7859 	specification, but with separate byte and bit loops. Improves gmac
 7860 	performance a bit further, to 227 cycles/byte.
 7861 
 7862 	* gcm.c (gcm_rightshift): Complete rewrite, to use word rather
 7863 	than byte operations. Improves gmac performance from 830 cycles /
 7864 	byte to (still poor) 268 cycles per byte on intel x86_64.
 7865 
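The gcm.c entries of 2011-02-06 through 2011-02-08 above describe the pieces of the GHASH multiplication in GF(2^128): the bitwise algorithm from the specification, a right shift whose shifted-out bit is reduced by the GHASH polynomial, 4-bit key-dependent tables initialized from adds and shifts only, and a shift by a whole chunk with its own reduction table. The C program below is an added illustration of those ideas, not nettle's code: the type and function names (gf_block, gf_key, gf_shift1, gf_shift4, gf_mul_bitwise, gf_mul_table, gf_selftest), the table layout and the sample subkey bytes are assumptions of this example. Its self-test checks that x^127 times x reduces to 0xE1 || 0^120, the shifted-out-bit case, and that the table path, the bitwise path and the commuted product all agree on constructed operands.

```c
#include <stdint.h>
#include <string.h>
#define GCM_BLOCK_SIZE 16

/* A GF(2^128) element in GCM bit order: x^0 is the MSB of byte 0, x^127 the LSB of byte 15. */
typedef struct { uint8_t b[GCM_BLOCK_SIZE]; } gf_block;

/* Multiply by x: a right shift across the block. The bit shifted out is x^128,
   which the GCM polynomial reduces to 1 + x + x^2 + x^7, i.e. 0xE1 in byte 0. */
static void gf_shift1(gf_block *z)
{
  uint8_t carry = 0;
  for (int i = 0; i < GCM_BLOCK_SIZE; i++) {
    uint8_t out = z->b[i] & 1;
    z->b[i] = (uint8_t)((z->b[i] >> 1) | (carry << 7));
    carry = out;
  }
  if (carry) z->b[0] ^= 0xE1;
}

static void gf_add(gf_block *r, const gf_block *a, const gf_block *b)
{ for (int i = 0; i < GCM_BLOCK_SIZE; i++) r->b[i] = a->b[i] ^ b->b[i]; }

/* Bitwise multiplication (Algorithm 1 of NIST SP 800-38D): one shift per bit of y. */
static void gf_mul_bitwise(gf_block *r, const gf_block *x, const gf_block *y)
{
  gf_block z = {{0}}, v = *x;
  for (int i = 0; i < 128; i++) {
    if (y->b[i / 8] & (0x80 >> (i % 8))) gf_add(&z, &z, &v);
    gf_shift1(&v);
  }
  *r = z;
}

/* 4-bit tables (assumption: own layout, not nettle's struct gcm_key): h[n] is H
   times chunk value n at x^0..x^3; reduce[v] is what a shifted-out nibble folds back into. */
typedef struct { gf_block h[16]; uint8_t reduce[16][2]; } gf_key;

static void gf_set_key(gf_key *key, const gf_block *h)
{
  memset(key, 0, sizeof *key);
  /* Chunk value 8 is the lone bit x^0, so h[8] = H; each halving of the chunk
     value is one more shift, and the rest are sums. Shifts and xors only. */
  key->h[8] = *h;
  for (int n = 4; n; n >>= 1) { key->h[n] = key->h[2 * n]; gf_shift1(&key->h[n]); }
  for (int n = 3; n < 16; n++)
    if (n & (n - 1))                         /* powers of two already set */
      gf_add(&key->h[n], &key->h[n & (n - 1)], &key->h[n & -n]);
  for (int v = 0; v < 16; v++) {             /* reduce an isolated overflow nibble */
    gf_block t = {{0}};
    t.b[GCM_BLOCK_SIZE - 1] = (uint8_t)v;
    for (int k = 0; k < 4; k++) gf_shift1(&t);
    key->reduce[v][0] = t.b[0]; key->reduce[v][1] = t.b[1]; /* nothing lands past x^10 */
  }
}

/* Multiply by x^4: shift a whole nibble, then fold the shifted-out nibble back in. */
static void gf_shift4(const gf_key *key, gf_block *z)
{
  unsigned v = z->b[GCM_BLOCK_SIZE - 1] & 0x0F;
  for (int i = GCM_BLOCK_SIZE - 1; i > 0; i--)
    z->b[i] = (uint8_t)((z->b[i] >> 4) | (z->b[i - 1] << 4));
  z->b[0] >>= 4;
  z->b[0] ^= key->reduce[v][0]; z->b[1] ^= key->reduce[v][1];
}

/* H * y with the tables: Horner's rule over the 32 nibbles of y, highest degree first. */
static void gf_mul_table(const gf_key *key, gf_block *r, const gf_block *y)
{
  gf_block z = {{0}};
  for (int i = GCM_BLOCK_SIZE - 1; i >= 0; i--) {
    gf_shift4(key, &z); gf_add(&z, &z, &key->h[y->b[i] & 0x0F]);
    gf_shift4(key, &z); gf_add(&z, &z, &key->h[y->b[i] >> 4]);
  }
  *r = z;
}

/* 1 if (a) x^127 * x reduces to 0xE1 || 0^120, the shifted-out bit case, and
   (b) tables and bitwise code agree, the product commutes and H * 1 == H,
   for a constructed H (arbitrary bytes) and a few constructed y. */
int gf_selftest(void)
{
  gf_key key;
  gf_block x127 = {{0}}, x = {{0}}, h, y, r1, r2, r3;
  x127.b[GCM_BLOCK_SIZE - 1] = 0x01; x.b[0] = 0x40;
  gf_mul_bitwise(&r1, &x127, &x);
  if (r1.b[0] != 0xE1 || memcmp(r1.b + 1, x.b + 1, GCM_BLOCK_SIZE - 1)) return 0;
  for (int i = 0; i < GCM_BLOCK_SIZE; i++) h.b[i] = (uint8_t)(0x0f * (i + 1));
  gf_set_key(&key, &h);
  for (unsigned pat = 0; pat < 4; pat++) {
    for (int i = 0; i < GCM_BLOCK_SIZE; i++)   /* pat 0 is the field's 1 */
      y.b[i] = (uint8_t)(pat ? 0x35 * (i + 1) + 0x5b * pat : (i ? 0 : 0x80));
    gf_mul_table(&key, &r1, &y);
    gf_mul_bitwise(&r2, &h, &y);
    gf_mul_bitwise(&r3, &y, &h);
    if (memcmp(r1.b, r2.b, GCM_BLOCK_SIZE) || memcmp(r2.b, r3.b, GCM_BLOCK_SIZE)
        || (pat == 0 && memcmp(r1.b, h.b, GCM_BLOCK_SIZE)))
      return 0;
  }
  return 1;
}
```

Compile with any C99 compiler and call gf_selftest(); it returns 1 when every check passes. The reduce table is what turns the shift by four bits into one nibble move plus one lookup, the role the shift_table generated by gcmdata plays in the entries above; here it is derived at key setup from four single-bit shifts, and because everything works on bytes rather than machine words, the endianness cases the 2011-02-08 entry fixes do not arise in this example.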
2011-02-05  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (time_gmac): New function.
	(main): Call time_gmac.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gcm-test.c.

	* testsuite/testutils.c (test_cipher_gcm): New function,
	contributed by Nikos Mavrogiannopoulos.

	* testsuite/gcm-test.c: New file, contributed by Nikos
	Mavrogiannopoulos.

	* Makefile.in (nettle_SOURCES): Added gcm.c.
	(HEADERS): Added gcm.h.

	* gcm.c: New file, contributed by Nikos Mavrogiannopoulos.
	* gcm.h: New file, contributed by Nikos Mavrogiannopoulos.

	* macros.h (INCREMENT): New macro, moved from ctr.c. Deleted third
	argument.
	* ctr.c: Use INCREMENT macro from macros.h, deleted local version.

2011-01-07  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in (check): Add ../.lib to PATH, since that's
	where w*ndows looks for dlls.

	* testsuite/testutils.c (test_cipher_stream): More debug output on
	failure.

2010-12-14  Niels Möller  <nisse@lysator.liu.se>

	* nettle-types.h: Deleted some unnecessary parentheses from
	function typedefs.
	(nettle_realloc_func): Moved typedef here...
	* realloc.h: ...from here.

	* buffer.c (nettle_buffer_init_realloc): Use an explicit pointer
	for realloc argument.

2010-12-07  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Copyright): Updated info on blowfish.

2010-11-26  Niels Möller  <nisse@lysator.liu.se>

	Reapplied optimizations (150% speedup on x86_32) and other fixes,
	relicensing them as LGPL.
	* blowfish.c (do_encrypt): Renamed, to...
	(encrypt): ...new name.
	(F): Added context argument. Shift input explicitly, instead of
	reading individual bytes via memory.
	(R): Added context argument.
	(encrypt): Deleted a bunch of local variables. Using the context
	pointer for everything should consume fewer registers.
	(decrypt): Likewise.
	(initial_ctx): Arrange constants into a struct, to simplify key
	setup.
	(blowfish_set_key): Some simplification.

2010-11-26  Simon Josefsson  <simon@josefsson.org>

	* blowfish.c: New version ported from libgcrypt. License changed
	from GPL to LGPL.

2010-11-25  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (install-shared-nettle): Use INSTALL_DATA, which
	clears the execute permission bits.
	(install-shared-hogweed): Likewise.

2010-11-16  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Updated gmp url.

2010-11-01  Niels Möller  <nisse@lysator.liu.se>

	* tools/misc.c (werror): Don't call exit (copy&paste-error).

2010-10-26  Niels Möller  <nisse@lysator.liu.se>

	* examples/rsa-encrypt.c (main): No extra message for bad options.

	* examples/rsa-keygen.c (main): Added long options. Deleted -?,
	and fixed handling of bad options.

	* examples/next-prime.c (main): Deleted -?, and fixed handling of
	bad options.
	* examples/random-prime.c (main): Likewise.

2010-10-22  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Added long options. Deleted -?,
	and fixed handling of bad options.

	* examples/eratosthenes.c (main): Added long options. Deleted -?,
	and fixed handling of bad options. Renamed -s to -q (long option
	--quiet).

	* tools/pkcs1-conv.c (main): Deleted short alias -? for --help,
	and fixed handling of bad options.
	* tools/sexp-conv.c (parse_options): Likewise.

2010-10-06  Niels Möller  <nisse@lysator.liu.se>

	* memxor.c (memxor3): Optimized.
	(memxor3_common_alignment): New function.
	(memxor3_different_alignment_b): New function.
	(memxor3_different_alignment_ab): New function.
	(memxor3_different_alignment_all): New function.

	* examples/nettle-benchmark.c (time_function): Reorganized, to
	reduce overhead.
	(time_memxor): Also benchmark memxor3.

	* x86_64/memxor.asm: New file.

	* examples/nettle-benchmark.c (overhead): New global variable.
	(time_function): Compensate for call overhead.
	(bench_nothing, time_overhead): New functions.
	(time_memxor): Tweaked src size, making it an integral number of
	words.
	(main): Call time_overhead.

2010-10-01  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/camellia-crypt-internal.asm (ROUND): Reordered sbox
	lookups.

	* testsuite/memxor-test.c: Also test memxor3.

2010-09-30  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Link in memxor.asm, if found.

	* testsuite/testutils.c (test_cipher_cbc): Print more info when
	failing.

	* testsuite/memxor-test.c (test_xor): Added verbose printout.

	* examples/nettle-benchmark.c (time_memxor): Count size of
	unsigned long as "block size" for memxor.

2010-09-24  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/.test-rules.make: Added rule for memxor-test.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added memxor-test.c
	* testsuite/memxor-test.c: New file.

	* memxor.c (memxor_common_alignment): New function.
	(memxor_different_alignment): New function.
	(memxor): Optimized to do word-operations rather than byte
	operations.

	* configure.ac (HAVE_NATIVE_64_BIT): New config.h define.

	Partial revert of 2010-09-20 changes.
	* camellia-set-encrypt-key.c (camellia_set_encrypt_key):
	Reintroduce CAMELLIA_F_HALF_INV, for 32-bit machines.
	* camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Two variants,
	differing in where addition of the key is done.
	* x86/camellia-crypt-internal.asm: Moved addition of key.

2010-09-22  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (BENCH_INTERVAL): Changed unit to
	seconds.
	(time_function): Use clock_gettime with CLOCK_PROCESS_CPUTIME_ID,
	if available. This gives better accuracy, at least on recent
	linux.
	(BENCH_INTERVAL): Reduced to 0.1 s.
	(struct bench_memxor_info): New struct.
	(bench_memxor): New function.
	(time_memxor): New function.
	(main): Use time_memxor. Added optional argument used to limit the
	algorithms being benchmarked.
	(GET_CYCLE_COUNTER): Define also for x86_64.
	(time_memxor): Improved display.

	* examples/Makefile.in (nettle-benchmark): Link using
	$(BENCH_LIBS) rather than $(LIBS).

	* configure.ac: Check for clock_gettime, and add -lrt to
	BENCH_LIBS if needed.

2010-09-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Less quoting when invoking $CC, to allow CC="gcc
	-m32".

	* x86/camellia-crypt-internal.asm (ROUND): Adapted to new key
	convention, moving key xor to the end.

	* camellia-set-encrypt-key.c (CAMELLIA_F_HALF_INV): Deleted macro.
	(camellia_set_encrypt_key): Deleted the CAMELLIA_F_HALF_INV
	operations intended for moving the key xor into the middle of the
	round.

	* camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Moved addition of
	key to the end, to use a 64-bit xor operation.

	* x86_64/camellia-crypt-internal.asm: New file.

	* x86_64/machine.m4 (LREG, HREG, XREG): New macros.

2010-09-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Support shared libraries (dlls) with mingw32.
	Contributed by David Hoyt.

2010-07-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Changed version number to nettle-2.2.

	* Released nettle-2.1.

	* configure.ac: Use camellia-crypt-internal.asm, if available.
	Bumped soname to libnettle.so.4, and reset LIBNETTLE_MINOR to
	zero.

	* x86/machine.m4 (LREG, HREG): Moved macros here, from...
	* x86/aes.m4: ...here.

	* x86/camellia-crypt-internal.asm: New file.

	* nettle.texinfo: Updated and expanded section on DSA.
	Document aes_invert_key, and camellia. Added missing functions
	rsa_sha512_verify and rsa_sha512_verify_digest.

	* camellia.h (struct camellia_ctx): Eliminate the two unused
	subkeys, and renumber the remaining ones.
	* camellia-crypt-internal.c (_camellia_crypt): Updated for
	renumbered subkeys.
	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise.
	* camellia-set-decrypt-key.c (camellia_invert_key): Likewise.

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline
	the expansion of camellia_setup128 and camellia_setup256, keeping
	the unexpanded key in scalar variables.
	(camellia_setup128): Deleted.
	(camellia_setup256): Deleted.

2010-07-24  Niels Möller  <nisse@lysator.liu.se>

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced
	code size, no complete loop unroll. Use one loop for each phase of
	the post-processing.

	* testsuite/camellia-test.c: New tests for camellia_invert_key.
	* testsuite/aes-test.c: New tests for aes_invert_key.

	* aes.h (aes_invert_key): Declare it.

	* aes-set-decrypt-key.c (aes_invert_key): New function, key
	inversion code extracted from aes_set_decrypt_key.
	(aes_set_decrypt_key): Use aes_invert_key.

	* camellia-set-encrypt-key.c (camellia_setup128): Generate
	unmodified subkeys according to the spec. Moved clever combination
	of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.
	(camellia_set_encrypt_key): Moved subkey post-processing code
	here, and reduce code duplication between 128-bit keys and larger
	keys.

	* camellia.c: Deleted file, split into several new files...
	* camellia-table.c (_camellia_table): New file with the constant
	sbox tables.
	* camellia-set-encrypt-key.c: New file.
	(camellia_setup128): Generate unmodified subkeys according to the
	spec. Moved clever combination of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.

	* camellia-set-decrypt-key.c: New file.
	(camellia_invert_key): Key inversion function.
	(camellia_set_decrypt_key): New key setup function.
	* camellia-internal.h: New file.
	* camellia-crypt.c (camellia_crypt): New file, new wrapper
	function passing the sbox table to _camellia_crypt.
	* camellia-crypt-internal.c (_camellia_crypt): New file, with main
	encrypt/decrypt function.
	* Makefile.in (nettle_SOURCES): Updated list of camellia source files.
	(DISTFILES): Added camellia-internal.h.

2010-07-20  Niels Möller  <nisse@lysator.liu.se>

	* camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY.

	* camellia.h (struct camellia_ctx): Replaced flag camellia128 by
	expanded key length nkeys.

	* camellia.c (camellia_set_encrypt_key): Renamed, from...
	(camellia_set_key): ... old name.
	(camellia_invert_key): New function.
	(camellia_set_decrypt_key): New function, using
	camellia_invert_key.
	(camellia_crypt): Renamed, from...
	(camellia_encrypt): ... old name.
	(camellia_decrypt): Deleted, no longer needed. camellia_crypt used
	for both encryption and decryption.

	* nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro.

	* dsa-keygen.c: Removed unnecessary include of memxor.h.

	* camellia.c: Rewrote to use 64-bit type for subkeys and use
	64-bit operations throughout. Performance on x86_32, when compiled
	with gcc-4.4.4, is reduced by roughly 15%; this should be fixed
	later.

	* camellia.h (struct camellia_ctx): Use type uint64_t for subkeys.

2010-07-07  Niels Möller  <nisse@lysator.liu.se>

	* aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const.
	Also updated implementation.
	* blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise.
	* cast128.h (cast128_encrypt, cast128_decrypt): Likewise.
	* serpent.h (serpent_encrypt, serpent_decrypt): Likewise.
	* twofish.h (twofish_encrypt, twofish_decrypt): Likewise.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	camellia-test.c.

	* examples/nettle-benchmark.c: Added camellia ciphers.

	* Makefile.in (nettle_SOURCES): Added camellia.c and
	camellia-meta.c.
	(HEADERS): Added camellia.h.

	* nettle-meta.h (nettle_camellia128): Declare.
	(nettle_camellia192): Likewise.
	(nettle_camellia256): Likewise.

	* camellia-meta.c: New file.

	* camellia.h: Rewrote interface to match nettle conventions.

	* camellia.c: Converted to nettle conventions.
	(camellia_encrypt128, camellia_encrypt256): Unified to new
	function...
	(camellia_encrypt): ...New function, with a loop doing 6
	regular rounds, one FL round and one FLINV round per iteration,
	with iteration count depending on the key size.

	(camellia_decrypt128, camellia_decrypt256): Similarly unified
	as...
	(camellia_decrypt): ...New function, analogous to
	camellia_encrypt.

2010-07-06  Niels Möller  <nisse@lysator.liu.se>

	* camellia.c, camellia.h: New files, copied from
	http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.

	* testsuite/camellia-test.c: New file.

2010-07-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Document new conventions for weak key and des
	parity checks. Document des_check_parity.

	* testsuite/des-test.c (test_weak): Don't check the deleted status
	attribute.

	* des-compat.c (des_key_sched): Rewrote error checking logic for
	the case of non-zero des_check_key.

	* des3.c (des3_set_key): Changed weak key detection logic.
	Complete key setup also for weak keys, and don't set the status
	attribute.

	* des.c (des_set_key): New iteration logic, to keep key pointer
	unchanged. Moved weak key check to the end, and don't set the
	status attribute.
	(des_encrypt): Ignore status attribute.
	(des_decrypt): Likewise.

	* des.h (enum des_error): Deleted.
	(struct des_ctx): Deleted status attribute.
	(struct des3_ctx): Likewise.

	* blowfish.c (initial_ctx): Deleted status value.
	(blowfish_encrypt): Ignore status attribute.
	(blowfish_decrypt): Likewise.
	(blowfish_set_key): Return result from weak key check, without
	setting the status attribute.

	* blowfish.h (enum blowfish_error): Deleted.
	(struct blowfish_ctx): Deleted status attribute.

	* Makefile.in (des_headers): Deleted parity.h.

2010-06-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/des-test.c (test_des): New function.
	(test_weak): New function.
	(test_main): Use test_des and test_weak. Added tests for all the
	weak keys. Added some tests with invalid (to be ignored) parity
	bits.

	* des.c (parity_16): New smaller parity table.
	(des_check_parity): New function.
	(des_fix_parity): Use parity_16.
	(des_weak_p): New weak-key detection. Ignores parity bits, and
	uses a hash table.
	(des_set_key): Deleted parity checking code. Replaced old weak-key
	detection code by a call to des_weak_p.

2010-06-04  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_dsa_key): Updated for new name
	DSA_SHA1_MIN_P_BITS.

	* dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and
	DSA_SHA256_MIN_P_BITS.

	* dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to...
	(DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New
	names.

	* sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits.
	Renamed parameter limit to p_max_bits.
	(dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp.
	Updated to call dsa_keypair_from_sexp_alist with the new argument.
	(dsa_sha256_keypair_from_sexp): New function.
	(dsa_signature_from_sexp): New argument q_bits.

	* der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit
	on q. Renamed parameter limit to p_max_bits.
	(dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit
	on q and x. Renamed parameter limit to p_max_bits.

2010-06-03  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Added test for dsa-sha256.

2010-06-02  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Provide expected value of the
	signature.

	* testsuite/testutils.c (test_dsa160): Added argument for expected
	signature.
	(test_dsa256): Likewise.

2010-06-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-keygen-test.c (test_main): Updated expected
	signatures.

	* examples/random-prime.c (main): Updated for nettle_random_prime
	change.
	* testsuite/random-prime-test.c (test_main): Likewise.

	* rsa-keygen.c (bignum_random_prime): Deleted function.
	(rsa_generate_keypair): Use new nettle_random_prime. Generate
	secret factors p and q with the two most significant bits set.

	* dsa-keygen.c (dsa_generate_keypair): Updated for changes in
	nettle_random_prime and _nettle_generate_pocklington_prime. Invoke
	progress callback.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	argument top_bits_set, to optionally generate primes with the two
	most significant bits set. Reordered argument list.
	(nettle_random_prime): Likewise, added top_bits_set argument.
	Invoke progress callback when a prime is generated.

2010-05-26  Niels Möller  <nisse@lysator.liu.se>

	* dsa-keygen.c (dsa_generate_keypair): Use
	_nettle_generate_pocklington_prime. Deleted old key generation
	code.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): Also
	return the used r. Updated caller.

	* examples/random-prime.c (main): Allow sizes down to 3 bits.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	function. Rely on mpz_probab_prime_p (for lack of a trial division
	function) for trial division.
	(nettle_random_prime): Rewritten. Uses the prime table for the
	smallest sizes, then trial division using a new set of tables, and
	then Maurer's algorithm, calling the new
	_nettle_generate_pocklington_prime for the final search.

2010-05-25  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Updated for dsa testing
	changes.

	* testsuite/dsa-keygen-test.c (test_main): Test dsa256.

	* testsuite/testutils.h (struct nettle_mac): New struct, currently
	unused.

	* testsuite/testutils.c (test_mac): New function (currently not
	used).
	(test_dsa): Replaced by two new functions...
	(test_dsa160): New function.
	(test_dsa256): New function.
	(test_dsa_key): New argument q_size.
	(DSA_VERIFY): Generalized.

	* dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating
	primes using Pocklington's theorem. Takes both p_size and q_size
	as arguments.

2010-05-20  Niels Möller  <nisse@lysator.liu.se>

	* bignum-random-prime.c (miller_rabin_pocklington): Fixed broken
	logic when Miller-Rabin succeeds early.

2010-04-09  Niels Möller  <nisse@lysator.liu.se>

	* bignum-next-prime.c: Include stdlib.h, needed for alloca on
	freebsd.
	* hmac.c: Likewise.

	* examples/Makefile.in (SOURCES): Added random-prime.c.

	* examples/random-prime.c: New program.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved
	knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from
	TS_HOGWEED_SOURCES.
	(TS_HOGWEED_SOURCES): Added random-prime-test.c.

	* testsuite/random-prime-test.c: New test case.

	* examples/next-prime.c (main): With no command line arguments,
	exit after displaying usage message.

	* examples/io.c (simple_random): Free buffer when done.

	* configure.ac: Changed message, say CC is the recommended
	way to configure the ABI.

	* bignum-random.c: Deleted test of HAVE_LIBGMP.
	* bignum.c: Likewise.
	* sexp2bignum.c: Likewise.

	* Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c.

	* bignum-random-prime.c (nettle_random_prime): New file, new
	function.

2010-03-31  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Benchmark sha224.

2010-03-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify
	rename.
	(test_dsa): Check return value from dsa_sha1_sign.

	* Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c,
	dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c.

	* dsa.h: Updated and added dsa declarations.

	* dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new
	function.
	(dsa_sha256_verify): New function.
	* dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new
	function.
	(dsa_sha256_sign): New function.

	* dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and
	renamed function, from dsa_verify_digest, rewrote to use
	_dsa_verify.
	(dsa_sha1_verify): Analogous change, renamed from dsa_verify.
	* dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and
	renamed function, from dsa_sign_digest, rewrote to use _dsa_sign,
	and added return value.
	(dsa_sha1_sign): Analogous change, renamed from dsa_sign.

	* dsa-verify.c (_dsa_verify): New general verification function,
	for any hash.
	* dsa-sign.c (_dsa_sign): New general signing function, for any
	hash. Returns success code, like the rsa signature functions.

2010-03-29  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ABI): Attempt to use a better, ABI-dependent,
	default value for libdir.

	* x86/md5-compress.asm: Fixed function name in epilogue.

	* asm.m4 (EPILOGUE): Use . to refer to current address.

	* configure.ac (ABI): Detect which ABI the compiler is using.
	On x86_64, also check for __arch64__.

2010-03-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (asm_path): For x86_64, check if compiler is
	generating 32-bit code.

2010-03-27  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (test_main): Rewrote rest of tests to use
	HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from
	RFC 4231.

	* Makefile.in (nettle_SOURCES): Added hmac-sha224.c and
	hmac-sha384.c.

	* hmac.h: Added declarations of hmac-sha224 and hmac-sha384.

	* hmac-sha224.c: New file.

2010-03-26  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (HMAC_TEST): New macro.
	(test_main): Use HMAC_TEST for the md5 and sha1 tests, and add
	test vectors from Daniel Kahn Gillmor.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c.

	* Makefile.in (nettle_SOURCES): Added sha224-meta.c and
	write-be32.c.
	(DISTFILES): Added nettle-write.h.

	* sha.h: Added declarations for sha224. Some are aliases for the
	corresponding sha256 definition.

	* sha256.c (sha256_digest): Use _nettle_write_be32.
	(sha224_init): New function.
	(sha224_digest): New function.

	* sha1.c (sha1_digest): Use _nettle_write_be32.

	* nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE)
 8504 	(NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into
 8505 	account.
 8506 
 8507 	* nettle-write.h: New file.
 8508 
 8509 	* write-be32.c (_nettle_write_be32): New file, new function.
 8510 
 8511 	* sha224-meta.c: New file.
 8512 
 8513 2010-03-25  Niels Möller  <nisse@lysator.liu.se>
 8514 
 8515 	* hmac-sha384.c: New file.
 8516 
 8517 	* testsuite/sha224-test.c: New file.
 8518 
 8519 	* testsuite/md4-test.c (test_main): More test vectors, provided by
 8520 	Daniel Kahn Gillmor.
 8521 	* testsuite/md5-test.c (test_main): Likewise.
 8522 	* testsuite/sha1-test.c (test_main): Likewise.
 8523 	* testsuite/sha256-test.c (test_main): Likewise.
 8524 	* testsuite/sha384-test.c (test_main): Likewise.
 8525 	* testsuite/sha512-test.c (test_main): Likewise.
 8526 
 8527 	* configure.ac: Bumped version numbers. Package version
 8528 	nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0.
 8529 
 8530 	* examples/nettle-benchmark.c (main): Benchmark sha384.
 8531 
 8532 	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c.
 8533 
 8534 	* testsuite/sha384-test.c: New file.
 8535 
 8536 	* Makefile.in (nettle_SOURCES): Added sha384-meta.c.
 8537 
 8538 	* sha384-meta.c: New file.
 8539 
 8540 	* sha.h: Added declarations for sha384. Some are aliases for the
 8541 	corresponding sha512 definition.
 8542 
 8543 	* sha512.c (sha512_write_digest): New function.
 8544 	(sha512_digest): Use it.
 8545 	(sha384_init): New function.
 8546 	(sha384_digest): New function.
 8547 
 8548 2010-03-24  Niels Möller  <nisse@lysator.liu.se>
 8549 
 8550 	* sha512.c: (sha512_digest): Simplified handling of any final
 8551 	partial word of the digest.
 8552 
 8553 	* sha512.c: Reorganized to use _nettle_sha512_compress.
 8554 
 8555 	* sha512-compress.c (_nettle_sha512_compress): Compression
 8556 	function extracted from sha512.c to a new file.
 8557 
 8558 	* Makefile.in (nettle_SOURCES): Added sha256-compress.c and
 8559 	sha512-compress.c.
 8560 
 8561 	* sha256.c: Reorganized to use _nettle_sha256_compress.
 8562 
 8563 	* sha256-compress.c (_nettle_sha256_compress): Compression
 8564 	function extracted from sha256.c to a new file.
 8565 
 8566 	* examples/nettle-benchmark.c (main): Benchmark sha512.
 8567 
 8568 	* rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e
 8569 	is less than bit size of n, and check for the unlikely case p = q.
 8570 
 8571 	* rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to
 8572 	correspond to pkcs#1 encryption of single byte messagees.
 8573 
 8574 	* pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value
 8575 	from rsa_sha1_sign.
 8576 	* rsa-compat.c (R_SignFinal): Likewise.
 8577 
 8578 	* rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value
 8579 	from pkcs1_rsa_md5_encode.
 8580 	(rsa_md5_sign_digest): Check and propagate return value from
 8581 	pkcs1_rsa_md5_encode_digest.
 8582 	* rsa-md5-verify.c (rsa_md5_verify): Check return value from
 8583 	pkcs1_rsa_md5_encode.
 8584 	(rsa_md5_verify_digest): Check return value from
 8585 	pkcs1_rsa_md5_encode_digest.
 8586 	* rsa-sha1-sign.c: Analogous changes.
 8587 	* rsa-sha1-verify.c: Analogous changes.
 8588 	* rsa-sha256-sign.c: Analogous changes.
 8589 	* rsa-sha256-verify.c: Analogous changes.
 8590 	* rsa-sha512-sign.c: Analogous changes.
 8591 	* rsa-sha512-verify.c: Analogous changes.
 8592 
 8593 	* pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode)
 8594 	(pkcs1_rsa_md5_encode_digest): Added return value. Check and
 8595 	propagate return value from pkcs1_signature_prefix.
 8596 	* pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode)
 8597 	(pkcs1_rsa_sha256_encode_digest): Likewise.
 8598 	* pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode)
 8599 	(pkcs1_rsa_sha1_encode_digest): Likewise.
 8600 	* pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode)
 8601 	(pkcs1_rsa_sha512_encode_digest): Likewise.
 8602 
 8603 	* pkcs1.c (pkcs1_signature_prefix): Interface change, take both
 8604 	the total size and digest size as arguments, and return a status
 8605 	code to say if the size was large enough.
 8606 
 8607 	* testsuite/Makefile.in: Added hogweed dependency for the test
 8608 	programs.
 8609 
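The 2010-03-24 entries above give pkcs1_signature_prefix a status code for a key that is too small, and make every rsa_*_sign and rsa_*_verify path propagate it; without that, a short modulus yields a truncated block that gets signed anyway. What follows is an added illustration written for this page, not Nettle's own code (Nettle's real pkcs1_signature_prefix has a different signature, and the library signs and verifies with GMP integers): it builds the EMSA-PKCS1-v1_5 block, refuses a key that cannot hold the DigestInfo, the digest and the 8 mandatory padding bytes, and verifies by re-encoding and comparing the whole block, which is why the rsa-*-verify.c files listed above call the same pkcs1_*_encode functions as the signers. The function names pkcs1_rsa_sha256_check_encoding, demo_encode_fits and demo_tamper_detected, the 512-byte buffer limit and the constructed digest value are this example's own assumptions; the SHA-256 DigestInfo prefix is the standard one from RFC 8017.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EM_SIZE 512            /* up to a 4096-bit modulus (example limit) */
#define SHA256_DIGEST_SIZE 32

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). The block is
   EM = 0x00 || 0x01 || PS || 0x00 || prefix || digest, PS >= 8 bytes of 0xff. */
static const uint8_t sha256_prefix[] = {
  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
  0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};

/* Example stand-in for Nettle's pkcs1_signature_prefix, with a status code:
   writes everything up to and including the DigestInfo prefix, stores the digest
   position in *digest_offset and returns 1. Returns 0 and writes nothing if
   key_size cannot hold 3 framing bytes + 8 bytes of PS + prefix + digest. */
int
pkcs1_signature_prefix(size_t key_size, uint8_t *em, size_t id_size,
                       const uint8_t *id, size_t digest_size, size_t *digest_offset)
{
  size_t ps_size;
  if (key_size < 11 + id_size + digest_size)
    return 0;
  ps_size = key_size - 3 - id_size - digest_size;   /* >= 8 after the check */
  em[0] = 0x00;
  em[1] = 0x01;
  memset(em + 2, 0xff, ps_size);
  em[2 + ps_size] = 0x00;
  memcpy(em + 3 + ps_size, id, id_size);
  *digest_offset = 3 + ps_size + id_size;
  return 1;
}

/* EMSA-PKCS1-v1_5 block for a SHA-256 digest: 1 on success, 0 if the key is
   too small. Signing code must propagate the 0 rather than sign garbage. */
int
pkcs1_rsa_sha256_encode_digest(size_t key_size, uint8_t *em,
                               const uint8_t digest[SHA256_DIGEST_SIZE])
{
  size_t off;
  if (!pkcs1_signature_prefix(key_size, em, sizeof sha256_prefix, sha256_prefix,
                              SHA256_DIGEST_SIZE, &off))
    return 0;
  memcpy(em + off, digest, SHA256_DIGEST_SIZE);
  return 1;
}

/* Verifier side: rebuild the expected block and compare all key_size bytes.
   Scanning the recovered block for "some 0xff, a 0x00, a DigestInfo" instead
   leaves room for padding or trailing bytes that a lenient parser accepts. */
int
pkcs1_rsa_sha256_check_encoding(size_t key_size, const uint8_t *em,
                                const uint8_t digest[SHA256_DIGEST_SIZE])
{
  uint8_t expected[MAX_EM_SIZE];
  if (key_size > sizeof expected
      || !pkcs1_rsa_sha256_encode_digest(key_size, expected, digest))
    return 0;
  return memcmp(expected, em, key_size) == 0;
}

/* Constructed 32-byte stand-in for a SHA-256 digest (not a real hash). */
static void
demo_fill_digest(uint8_t *d)
{
  size_t i;
  for (i = 0; i < SHA256_DIGEST_SIZE; i++) d[i] = (uint8_t) (0xa0 + i);
}

/* 1 if a SHA-256 signature block fits in key_size octets, else 0. */
int
demo_encode_fits(size_t key_size)
{
  uint8_t em[MAX_EM_SIZE], digest[SHA256_DIGEST_SIZE];
  demo_fill_digest(digest);
  return key_size <= sizeof em && pkcs1_rsa_sha256_encode_digest(key_size, em, digest);
}

/* Encodes, checks, flips one padding byte, and returns 1 only if the intact
   block passed and the altered one was rejected. */
int
demo_tamper_detected(size_t key_size)
{
  uint8_t em[MAX_EM_SIZE], digest[SHA256_DIGEST_SIZE];
  demo_fill_digest(digest);
  if (key_size > sizeof em
      || !pkcs1_rsa_sha256_encode_digest(key_size, em, digest)
      || !pkcs1_rsa_sha256_check_encoding(key_size, em, digest))
    return 0;
  em[5] ^= 0x01;                   /* em[2..9] is PS for every accepted size */
  return !pkcs1_rsa_sha256_check_encoding(key_size, em, digest);
}

int
main(void)
{
  /* 62 = 3 + 8 + 19 + 32 octets: the smallest modulus that carries a SHA-256 block */
  printf("62 octets: %s, 61 octets: %s, tamper detected: %d\n",
         demo_encode_fits(62) ? "fits" : "rejected",
         demo_encode_fits(61) ? "fits" : "rejected", demo_tamper_detected(62));
  return 0;
}
```

The 62-octet floor the example computes is the same RSA_MINIMUM_N_OCTETS of 62 (489 bits) that the 2006-11-27 entry further down this log records for sha256 support.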
2010-03-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-test.c (test_main): Test signing with sha512.

	* testsuite/testutils.c (test_rsa_sha512): New function.

	* Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c,
	rsa-sha512-sign.c and rsa-sha512-verify.c.

	* rsa.h: Added prototypes for sha512-related functions.
	(RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased.
	* pkcs1.h: Added prototypes for sha512-related functions.

	* rsa-sha512-verify.c: New file.
	* rsa-sha512-sign.c: New file.
	* pkcs1-rsa-sha512.c: New file.

2010-03-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Added hmac-sha512.c.

	* testsuite/hmac-test.c (test_main): Added test cases for
	hmac-sha512.

	* hmac.h: Declare sha512-related functions.
	* hmac-sha512.c (hmac_sha512_set_key): New file.

	Basic sha512 support.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c.
	* testsuite/sha512-test.c: New file.

	* macros.h (READ_UINT64, WRITE_UINT64): New macros.

	* Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c.
	* sha.h: Added sha512-related declarations.
	* nettle-meta.h: Likewise.
	* sha512-meta.c: New file.
	* sha512.c: New file.

2010-03-06  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (distdir): Include x86_64 assembler files.

2010-01-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Check for mpz_powm_sec.

2010-01-13  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on
	$(LIBNETTLE_FORLINK).

	* configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the
	default case. Follows debian, and also makes dlopen of
	libhogweed.so work, without having to use RTLD_GLOBAL.
	(LIBHOGWEED_LINK): Added -L., to find our libnettle.so.

2009-10-21  Niels Möller  <nisse@lysator.liu.se>

	* tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on
	../libhogweed.a.

2009-10-19  Niels Möller  <nisse@lysator.liu.se>

	* tools/pkcs1-conv.c: Updated for dsa/der interface change.

	* der2dsa.c (dsa_public_key_from_der_iterators): Split into two
	new functions...
	(dsa_params_from_der_iterator): New function.
	(dsa_public_key_from_der_iterator): New function.
	(dsa_openssl_private_key_from_der_iterator): Renamed, was
	dsa_private_key_from_der_iterator.
	(dsa_openssl_private_key_from_der): Likewise.
	* dsa.h: Corresponding changes to prototypes and #defines.

2009-10-12  Niels Möller  <nisse@lysator.liu.se>

	* sexp-format.c: Removed conditioning on HAVE_LIBGMP.

	* tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus
	Holmgren.

	* Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c.

	* der2dsa.c: New file, contributed by Magnus Holmgren.
	* dsa2sexp.c: Likewise.
	* dsa.h: Added prototypes.

	* configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor
	version, now it's 1.1.

	* testsuite/rsa2sexp-test.c (test_main): Updated testcase for
	"rsa-pkcs1".

2009-10-11  Niels Möller  <nisse@lysator.liu.se>

	* rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name
	to "rsa-pkcs1".

2009-09-20  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Improved performance by 17% on AMD K7,
	by letting loopmix scramble the instruction order.

2009-09-15  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Cleanup, removing old cruft. Slight
	improvement to ROUND_F1_NOEXP. Slight reduction of
	dependency-chains.

2009-08-25  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds.

	* examples/nettle-benchmark.c (bench_sha1_compress): New function,
	for precise benchmarking of the compression function.

2009-06-08  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-2.0.

2009-06-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0.

2009-05-30  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (.texinfo.info): Don't use a temporary output file
	$@T, trust makeinfo to remove output file on errors.

2009-05-19  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Changed license to public domain.

2009-05-11  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Fixes from Karl Berry. Added some more index
	terms.

2009-03-06  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state
	in %eax--%edx only.
	* x86_64/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed.
	(AES_STORE): Reduced offsets.
	(AES_ROUND): Use HREG directly, not MOVE_HREG.

	* x86_64/aes-decrypt-internal.asm: Rearrange register allocation.
	Put SA--SD in %eax--%edx, so the second byte can be accessed as
	%ah-%dh. TD is not needed, SD can be reused. Use the register that
	is saved for the outer loop counter, getting it off the stack.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (HREG, MOVE_HREG): New macros.
	(XREG): Fixed bug in handling of %r8 and %r9.
	(AES_ROUND): Use MOVE_HREG.

2009-02-10  Niels Möller  <nisse@lysator.liu.se>

	* base16-meta.c (base16_encode_update_wrapper): Mark ctx argument
	as UNUSED.

	* testsuite/sexp-conv-test: Updated testcases for improved
	handling of comments.

	* tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline
	to terminate comments, and modify indentation for the case that a
	list starts with a comment.

	* tools/output.c (sexp_output_init): Initialize soft_newline.
	(sexp_put_raw_char): Clear soft_newline.
	(sexp_put_newline): Check and reset soft_newline.
	(sexp_put_soft_newline): New function.

	* tools/output.h (struct sexp_output): Removed union with single
	element, and updated all users. New attribute soft_newline.

2008-12-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(des_headers)): Create files in $(srcdir).

2008-11-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/cxx-test.cxx: Include <cstdio>.

2008-11-22  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so
	that it is set if and only if the aes context has been initialized
	with aes_set_encrypt_key.
	(yarrow256_seed): No need to set ctx->seeded here.
	(yarrow256_update): Likewise.

2008-11-04  Niels Möller  <nisse@lysator.liu.se>

	* examples/next-prime.c (main): Avoid using gmp_fprintf, to stay
	compatible with gmp-3.1.

2008-11-01  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Updated for 2.0. New section on linking.

	* nettle-types.h, nettle-meta.h: Moved all typedefs for function
	types to nettle-types.h. Use non-pointer types, so that the types
	can be used to declare functions. Updated all users.

2008-10-31  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/yarrow-test.c (test_main): Updated for seed file
	changes.

	* sha-example.c (display_hex): Use %02x, not %2x.

2008-10-30  Niels Möller  <nisse@lysator.liu.se>

	* tools/sexp-conv.c (main): Fixed file locking.

2008-10-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0rc1.

	* examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to
	linker.

2008-10-24  Niels Möller  <nisse@lysator.liu.se>

	* sha256.c (ROUND): Simplified macro.

	* yarrow256.c (yarrow256_fast_reseed): Renamed (was
	yarrow_fast_reseed) and made non-static. Don't generate seed file
	here, let the application use yarrow256_random instead.
	(yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made
	non-static.
	(yarrow256_force_reseed): Deleted function, use
	yarrow256_slow_reseed instead. For backwards compatibility,
	yarrow.h defines yarrow256_force_reseed as an alias for that
	function.

	* yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer.

2008-09-17  Niels Möller  <nisse@lysator.liu.se>

	* x86/arcfour-crypt.asm: Improved loop logic, and unrolled
	loop twice. Gave a modest speedup.

2008-09-15  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_seed): Disallow length == 0.

	* base64-decode.c (decode_table): Added vertical tab (VT) and form
	feed (FF) as white space characters.

	* x86_64/aes-decrypt-internal.asm: New file.

2008-09-13  Niels Möller  <nisse@lysator.liu.se>

	* x86/aes-encrypt-internal.asm: Replaced pushl and popl in the
	loop with movl. Eliminated redundant movl.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4: New file.

	* x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only
	three times through the substitution loop.
	* x86/aes-decrypt-internal.asm: Likewise.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least
	significant byte here.

	* x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. Use
	decl for outer loop.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86/aes.m4 (LREG, HREG): New macros.
	(AES_SUBST_BYTE): Take state registers as argument. Use LREG to
	get the corresponding byte register.
	(AES_ROUND): Use movzbl together with LREG and HREG.
	(AES_SUBST_BYTE): Likewise.

2008-09-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp,
	which must be preserved.

2008-09-08  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (stamp-h.in): Use $(AUTOHEADER).

	* x86_64/sha1-compress.asm: New x86_64 assembler, based on the x86
	version.

	* configure.ac (asm_path): Set up asm_path for x86_64.

	* x86_64/machine.m4: New file, new directory.

2008-08-28  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c (main): Rewrote block-wise sieving to
	use less memory. New options -s and -v.

2008-08-27  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/sexp-conv-test (print_raw, print_nl): Use printf.
	Updated testcases with comments; comments are now preserved.

	* tools/sexp-conv.c (sexp_convert_item): Keep comments in advanced
	output.
	(parse_options): New --lock option.
	(main): Optionally lock output file.

	* tools/parse.c (sexp_check_token): Removed check for "any" token.
	All callers specify the token they expect.
	(sexp_parse): Pass on comment tokens.

	* tools/output.c (sexp_put_data): Made non-static.

	* tools/input.c (sexp_get_comment): New function.
	(sexp_get_token): Use sexp_get_comment.

	* tools/misc.h (enum sexp_token): Start enumeration with zero, zero
	is no longer used to mean any type. New type SEXP_COMMENT.

	* configure.ac: Check for fcntl file locking.

2008-08-26  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (tags-here): Put TAGS file in the source directory.
	* examples/Makefile.in (tags): Likewise.
	* testsuite/Makefile.in (tags): Likewise.
	* tools/Makefile.in (tags): Likewise.

2008-02-29  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (SOURCES): Added next-prime.c.

2008-01-05  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (TARGETS): Added eratosthenes and next-prime.
	(next-prime, eratosthenes): New rules.
	(nettle-benchmark): Don't rely on $@.

	* examples/eratosthenes.c (find_first_one): Optimized, using
	slightly larger table.
	(main): Use atol, rather than atoi.

	* testsuite/symbols-test: Check symbols also in libhogweed.

	* examples/next-prime.c: New file.
	Deleted code for detailed timing.

	* Makefile.in (hogweed_SOURCES): Added bignum-next-prime.c.
	(DISTFILES): Added prime-list.h.
	(hogweed_OBJS): Removed $(LIBOBJS).

	* bignum-next-prime.c (nettle_next_prime): Renamed function, for
	name space reasons. Was bignum_next_prime. Updated call in
	rsa-keygen.c.
	(primes): Use prime-list.h.
	(nettle_next_prime): Skip Fermat test. Use mpz_millerrabin
	directly, rather than mpz_probab_prime_p, when the former is
	available.

	* bignum.h (nettle_next_prime): New prototype.

	* rsa-keygen.c (bignum_next_prime): Deleted, moved to
	bignum-next-prime.c. Call with a larger prime limit, this improves
	the running time of lsh-keygen by roughly 25%.

	* prime-list.h: List of odd primes < 2^16.

	* configure.ac: Check for sizeof(long).

2008-01-03  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Removed incorrect UNUSED
	from declaration.

	* bignum-next-prime.c: Moved the bignum_next_prime function to a
	separate file.

2007-09-08  Niels Möller  <nisse@lysator.liu.se>

	* sparc64/aes-encrypt-internal.asm: The directory with the aes.m4
	include file was renamed from "sparc" to "sparc32". Updated include.
	* sparc64/aes-decrypt-internal.asm: Likewise.
	* sparc32/aes-encrypt-internal.asm: Likewise.
	* sparc32/aes-decrypt-internal.asm: Likewise.

2007-09-07  Niels Möller  <nisse@lysator.liu.se>

	* examples/read_rsa_key.c: Include stdlib.h.

2007-06-02  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in: Typo fixes to install targets, spotted by Magnus
	Holmgren.

2007-05-14  Niels Möller  <niels@s3.kth.se>

	* configure.ac: Fixed copy-and-paste errors in shared library
	name setup.

	* config.make.in (LIBNETTLE_SONAME, LIBHOGWEED_SONAME): Define.

	* Makefile.in (libnettle.so, libhogweed.so): Fixed rules.

	* Makefile.in: Split nettle library into two files, libnettle.a
	and libhogweed.a, and similarly for the shared libraries.

	* configure.ac: Bumped nettle so-versions to 3.0. Set hogweed
	so-versions to 1.0. New makefile conditionals IF_SHARED and
	IF_HOGWEED. Renamed WITH_PUBLIC_KEY to WITH_HOGWEED. Deleted
	SHLIBTARGET, SHLIBINSTALL, RSA_EXAMPLES and RSA_TOOLS.

	* config.make.in: Updated for hogweed split.

	* C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the
	Makefile sorts out which files should be compiled.

	* pgp.h: Include bignum.h, don't pretend to work without bignums.

	* pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key)
	(pgp_put_rsa_sha1_signature): Define unconditionally. Removed the
	checking of HAVE_LIBGMP and WITH_PUBLIC_KEY.

	* examples/io.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY.
	* examples/io.c (read_rsa_key): Deleted, moved to...
	* examples/read_rsa_key.c: New file, extracted from io.c.

	* examples/Makefile.in: Use IF_HOGWEED instead of RSA_EXAMPLES.
	Link appropriate programs with -lhogweed.
	(SOURCES): Added read_rsa_key.c.

	* tools/Makefile.in (pkcs1-conv): Use IF_HOGWEED, not @RSA_TOOLS@,
	for configuration. Link with -lhogweed.

	* testsuite/testutils.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY.
	* testsuite/testutils.c: Likewise.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES, TS_HOGWEED_SOURCES):
	Separate test cases using nettle and those also using hogweed.

2007-04-05  Niels Möller  <nisse@lysator.liu.se>

	* Moved in CVS tree. Also renamed directory sparc to sparc32.

2007-02-24  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (clean-here): Remove .lib directory.
	(distclean-here): Remove machine.m4.

2006-12-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: AC_PREREQ 2.61, for AC_PROG_MKDIR_P.

	* config.make.in (datarootdir): New directory variable (for
	autoconf-2.61).

2006-11-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bumped version to 1.16.

	* Released nettle-1.15.

2006-11-27  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: New entry for nettle-1.15.

	* configure.ac (SHLIBMINOR): Bumped version. Library name is now
	libnettle.so.2.6.

	* sha256.c: Changed copyright notice to use the LGPL.

	* Makefile.in (DISTFILES): Added COPYING.LIB.

	* COPYING.LIB: New file (previously only the plain GPL was
	included in the distribution).

	* nettle.texinfo: Updated for nettle-1.15.

	* testsuite/rsa-test.c (test_main): Use test_rsa_sha256.
	* testsuite/testutils.c (test_rsa_sha256): New function.

	* testsuite/Makefile.in (DISTFILES): Replaced rfc1750.txt with
	gold-bug.txt.

	* rsa.h (rsa_sha256_sign, rsa_sha256_verify)
	(rsa_sha256_sign_digest, rsa_sha256_verify_digest): New declarations.
	(RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased to
	62 octets and 489 bits, respectively, for supporting sha256.

	* pkcs1.h (pkcs1_rsa_sha256_encode)
	(pkcs1_rsa_sha256_encode_digest): New declarations and name
	mangling symbols.

	* Makefile.in (nettle_SOURCES): Added pkcs1-rsa-sha256.c,
	rsa-sha256-sign.c, rsa-sha256-verify.c.

	* pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c: New
	files.

	* COPYING, INSTALL, install-sh, texinfo.tex: Updated files, from
	automake-1.10.

2006-11-27  Niels Möller  <niels@s3.kth.se>

	* tools/Makefile.in (install): Use MKDIR_P to create installation
	directory. Install only one file at a time.

	* Makefile.in (MKDIR_P): Use MKDIR_P for creating installation
	directories.

	* configure.ac: Use AC_PROG_MKDIR_P.

2006-11-24  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input
	file, instead of rfc1750.txt.

	* testsuite/gold-bug.txt: New test input file for yarrow-test.
	The copyright on this short story by Edgar Allan Poe has expired.

	* testsuite/rfc1750.txt: Deleted file. Debian considers RFCs
	non-free, and it was expired anyway. Replaced by gold-bug.txt.

2006-11-24  Niels Möller  <niels@s3.kth.se>

	* Almost all header files: Added C++ guards.

	* configure.ac: Test if the system has any C++ compiler.

	* config.make.in (CXX, CXXFLAGS, COMPILE_CXX, LINK_CXX): New variables.

	* testsuite/Makefile.in: New variables TS_C and TS_CXX. Setup for
	compiling the C++ file cxx-test.cxx.

	* testsuite/cxx-test.cxx: New testcase, trying to use nettle from
	a C++ program.

2006-08-28  Niels Möller  <niels@s3.kth.se>

	* index.html: Added section on language bindings.

2006-06-10  Niels Möller  <niels@s3.kth.se>

	* configure.ac: Darwin shared library support, from Grant
	Robinsson.

2006-05-18  Niels Möller  <nisse@lysator.liu.se>

	* src/nettle/x86/aes.asm: Deleted unused file.

	* aes-decrypt.c (_aes_decrypt_table): Deleted the indexing array,
	previously commented out.
	* aes-encrypt-table.c (_aes_encrypt_table): Likewise.

	* Makefile.in (.texinfo.info, .dvi.ps): Use more quotes with
	basename.
	(install-here, install-shared, install-info, install-headers): Use
	plain mkdir, not $(INSTALL) -d.

2006-05-16  Niels Möller  <niels@s3.kth.se>
	Merged from the lsh experimental branch.

2006-04-26  Niels Möller  <nisse@lysator.liu.se>

	* examples/rsa-decrypt.c: Don't include "getopt.h", since it's not used.
	* examples/nettle-benchmark.c: Include "getopt.h".

	* examples/Makefile.in (GETOPT_OBJS): New variable.
	(rsa-keygen, rsa-encrypt, nettle-benchmark): Depend on and link
	with $(GETOPT_OBJS).

	* x86/aes-decrypt-internal.asm: Use ALIGN.
	* x86/aes-encrypt-internal.asm: Likewise.
	* x86/arcfour-crypt.asm: Likewise.
	* x86/md5-compress.asm: Likewise.
	* x86/sha1-compress.asm: Likewise.

	* config.m4.in (ASM_ALIGN_LOG): Substitute.
	* configure.ac (ASM_ALIGN_LOG): Check if .align directive is
	logarithmic.
	* asm.m4 (ALIGN): New macro. Takes a logarithmic argument, and
	expands to a .align directive.

 9198 2006-04-21  Niels Möller  <nisse@lysator.liu.se>
 9199 
 9200 	* nettle.texinfo (Public-key algorithms): Say that the public key
 9201 	operations are undocumented, not unsupported. Reported by Jeronimo
 9202 	Pellegrini.
 9203 
 9204 2006-04-08  Niels Möller  <nisse@lysator.liu.se>
 9205 
 9206 	* tools/pkcs1-conv.c (read_pem): Fixed c99-style declaration.
 9207 	Reported by Henrik Grubbström.
 9208 
 9209 2006-01-31  Niels Möller  <niels@s3.kth.se>
 9210 
 9211 	* examples/rsa-verify.c: Fixed typo in usage message.
 9212 
 9213 2005-12-05  Niels Möller  <nisse@lysator.liu.se>
 9214 
 9215 	* configure.ac: Bumped version to 1.15,
 9216 
 9217 	* Released nettle-1.14.
 9218 
 9219 	* NEWS: Updated for 1.14.
 9220 
 9221 	* configure.ac (SHLIBMINOR): Increased minor number. Library
 9222 	version is now libnettle.so.2.5, soname still libnettle.so.2.
 9223 
 9224 2005-11-28  Niels Möller  <nisse@lysator.liu.se>
 9225 
 9226 	* config.make.in (INSTALL): Don't substitute INSTALL, INSTALL_DATA
 9227 	and friends here, to get a correct a relative filename for
 9228 	install-sh when used in tools/Makefile.
 9229 
 9230 	* tools/Makefile.in (INSTALL): Substitute INSTALL, INSTALL_DATA
 9231 	and friends here.
 9232 	* Makefile.in (INSTALL): Likewise.
 9233 
 9234 2005-11-27  Niels Möller  <nisse@lysator.liu.se>
 9235 
 9236 	* Makefile.in (.texinfo.pdf): New rule. Avoid dependency on
 9237 	intermediate .dvi and .ps files.
 9238 
 9239 	* testsuite/Makefile.in (clean): Delete sha1-huge-test.
 9240 
 9241 	* Makefile.in (install-info, install-headers): Don't use $< and
 9242 	$?; Solaris make doesn't support them in explicit rules.
 9243 
 9244 2005-11-26  Niels Möller  <nisse@lysator.liu.se>
 9245 
 9246 	* testsuite/Makefile.in: Include .test-rules.make, which contains
 9247 	the rules for all the test executables.
 9248 	(test-rules): New rule, to update this file.
 9249 	(DISTFILES): Added $(EXTRA_SOURCES).
 9250 
 9251 	* testsuite/.test-rules.make: Automatically generated file for
 9252 	building the test programs.
 9253 
 9254 2005-11-25  Niels Möller  <nisse@lysator.liu.se>
 9255 
 9256 	* configure.ac: Disable assembler when compiling with rntcl.
 9257 
 9258 	* tools/Makefile.in (pkcs1_conv_SOURCES): New variable.
 9259 	(pkcs1-conv): Link with getopt.o and getopt1.o.
 9260 
 9261 	* Makefile.in (aesdata, desdata, shadata): Use explicit rules for
 9262 	executables.
 9263 
 9264 	* testsuite/Makefile.in: Use %-rules for building the -test
 9265 	executables, in addition to the suffix rules. Hopefully, this
 9266 	should make all of GNU make, BSD make and Solaris make happy.
 9267 	Use $(EXEEXT) and $(OBJEXT) more consistently.
 9268 
 9269 	* examples/Makefile.in: Use explicit rules for all executable
 9270 	targets. Use $(EXEEXT) and $(OBJEXT) more consistently.
 9271 
 9272 2005-11-25  Niels Möller  <niels@s3.kth.se>
 9273 
 9274 	* testsuite/Makefile.in: Avoid using single-suffix rule to build
 9275 	executables.
 9276 
 9277 2005-11-24  Niels Möller  <niels@s3.kth.se>
 9278 
 9279 	* Makefile.in (distdir): Use [ -f, not [ -e, since the latter
 9280 	is less portable, and not supported by Solaris /bin/sh.
 9281 
 9282 2005-11-23  Niels Möller  <niels@s3.kth.se>
 9283 
 9284 	* testsuite/Makefile.in (DISTFILES): Added teardown-env.
 9285 	* testsuite/teardown-env: New file. Delete files created by the
 9286 	testsuite.
 9287 
 9288 2005-11-21  Niels Möller  <nisse@lysator.liu.se>
 9289 
 9290 	* testsuite/testutils.c (main): Fixed check for -v option. Spotted
 9291 	by Goran K.
 9292 
 9293 2005-11-21  Niels Möller  <niels@s3.kth.se>
 9294 
 9295 	* ctr.h (CTR_CTX, CTR_CRYPT): Fixed bugs, spotted by Goran K.
 9296 
 9297 2005-11-20  Niels Möller  <nisse@lysator.liu.se>
 9298 
 9299 	* Makefile.in (nettle_SOURCES): Added der2rsa.c.
 9300 
 9301 	* testsuite/Makefile.in (TS_SH): Added pkcs1-conv-test.
 9302 
 9303 	* tools/Makefile.in (TARGETS): Added @RSA_TOOLS@.
 9304 	(SOURCES): Added pkcs1-conv.c.
 9305 	(pkcs1-conv): New rule.
 9306 
 9307 	* tools/pkcs1-conv.c: New program.
 9308 
 9309 	* testsuite/pkcs1-conv-test: New file.
 9310 
 9311 	* examples/rsa-verify-test: Use rsa-sign to create signature.
 9312 
 9313 	* examples/io.c (read_file): Fixed spelling in error message.
 9314 
 9315 	* rsa.h (rsa_public_key_from_der_iterator)
 9316 	(rsa_private_key_from_der_iterator, rsa_keypair_from_der): Declare
 9317 	functions.
 9318 
 9319 	* der2rsa.c: New file.
 9320 
 9321 	* der-iterator.c (asn1_der_iterator_init): Initialize length and
 9322 	data.
 9323 	(asn1_der_iterator_next): Support for lengths >= 0x80.
 9324 	(asn1_der_decode_constructed_last, asn1_der_decode_bitstring)
 9325 	(asn1_der_decode_bitstring_last): New functions.
 9326 	(asn1_der_get_bignum): Check for non-minimal encodings.
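The two DER checks named in this entry (long-form lengths >= 0x80 and rejection of non-minimal encodings) as a stand-alone C example; this is added here and is not Nettle's der-iterator.c, the function names (der_read_tlv, der_integer_is_minimal, der_check_integer) are this example's own, and all inputs are constructed.

```c
/* Added example, not Nettle's der-iterator.c: strict DER tag/length
 * decoding with long-form lengths (>= 0x80) and rejection of
 * non-minimal length and INTEGER encodings.  DER allows exactly one
 * encoding per value; a parser that accepts alternatives can disagree
 * with another parser about what the same bytes mean. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct der_tlv {
  uint8_t tag;
  size_t length;        /* number of content octets */
  const uint8_t *data;  /* first content octet */
};

/* Decode one tag-length header.  Returns header octets consumed, or 0
 * on error: truncated input, indefinite length (0x80, BER only),
 * reserved 0xff, more length octets than size_t holds, non-minimal
 * length, or content running past the end of buf. */
size_t der_read_tlv(const uint8_t *buf, size_t size, struct der_tlv *out)
{
  size_t pos = 0, length;
  uint8_t first;
  if (size < 2)
    return 0;
  out->tag = buf[pos++];
  first = buf[pos++];
  if (first < 0x80)
    length = first;                         /* short form */
  else
    {
      unsigned n = first & 0x7f, k;         /* count of length octets */
      if (n == 0 || n > sizeof (size_t) || n > size - pos)
        return 0;
      if (buf[pos] == 0)
        return 0;                           /* leading zero octet: not minimal */
      for (length = 0, k = 0; k < n; k++)
        length = (length << 8) | buf[pos++];
      if (length < 0x80)
        return 0;                           /* short form would do: not minimal */
    }
  if (length > size - pos)
    return 0;                               /* content truncated */
  out->length = length;
  out->data = buf + pos;
  return pos;
}

/* INTEGER contents are minimal: a leading 0x00 only to keep a positive
 * value's top bit clear, a leading 0xff only before an octet with the
 * top bit clear.  Empty contents are invalid. */
int der_integer_is_minimal(const uint8_t *data, size_t length)
{
  if (length == 0)
    return 0;
  if (length == 1)
    return 1;
  if (data[0] == 0x00 && !(data[1] & 0x80))
    return 0;
  if (data[0] == 0xff && (data[1] & 0x80))
    return 0;
  return 1;
}

/* Accept buf only if it is exactly one minimally encoded INTEGER. */
int der_check_integer(const uint8_t *buf, size_t size)
{
  struct der_tlv tlv;
  size_t hdr = der_read_tlv(buf, size, &tlv);
  if (hdr == 0 || tlv.tag != 0x02 || hdr + tlv.length != size)
    return 0;
  return der_integer_is_minimal(tlv.data, tlv.length);
}

/* Constructed 131-octet INTEGER: 128 content octets force the long
 * form 0x81 0x80. */
const uint8_t *long_form_example(void)
{
  static uint8_t buf[131];
  buf[0] = 0x02; buf[1] = 0x81; buf[2] = 0x80;
  memset(buf + 3, 0, 128);
  buf[3] = 0x01;                            /* positive, minimal */
  return buf;
}

int main(void)
{
  static const uint8_t bad_len[] = { 0x02, 0x81, 0x05, 1, 2, 3, 4, 5 };
  static const uint8_t bad_int[] = { 0x02, 0x02, 0x00, 0x05 };
  printf("long form accepted: %d\n", der_check_integer(long_form_example(), 131));
  printf("non-minimal length rejected: %d\n", !der_check_integer(bad_len, sizeof bad_len));
  printf("non-minimal INTEGER rejected: %d\n", !der_check_integer(bad_int, sizeof bad_int));
  return 0;
}
```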
 9327 
 9328 	* configure.ac (RSA_TOOLS): New substituted variable. Includes
 9329 	pkcs1-conv, when public-key support is enabled.
 9330 
 9331 	* bignum.h (nettle_asn1_der_get_bignum): Include nettle_-prefix in
 9332 	declaration.
 9333 
 9334 	* asn1.h: Added name mangling defines, and a few new declarations.
 9335 
 9336 2005-11-13  Niels Möller  <nisse@lysator.liu.se>
 9337 
 9338 	* Makefile.in (nettle_SOURCES): Added der-iterator.c.
 9339 	(HEADERS): Added asn1.h.
 9340 
 9341 	* bignum.h (asn1_der_get_bignum): Declare function.
 9342 
 9343 	* der-iterator.c: New file.
 9344 	* asn1.h: New file.
 9345 
 9346 2005-11-07  Niels Möller  <nisse@lysator.liu.se>
 9347 
 9348 	* examples/nettle-benchmark.c: Check HAVE_UNISTD_H.
 9349 
 9350 	* examples/Makefile.in (TARGETS): Use $(EXEEXT).
 9351 	* tools/Makefile.in (TARGETS, sexp-conv, nettle-lfib-stream): Likewise.
 9352 
 9353 	* configure.ac: Use $host_cpu, not $host, when setting up the
 9354 	assembler path. Use $host_os, not uname, when setting up shared
 9355 	library flags.
 9356 
 9357 	* Makefile.in (des.$(OBJEXT)): Use OBJEXT.
 9358 
 9359 	* config.guess, config.sub: In the CVS tree, moved files to the
 9360 	lsh top-level directory.
 9361 
 9362 2005-10-23  Niels Möller  <nisse@lysator.liu.se>
 9363 
 9364 	* sparc64/arcfour-crypt.asm: New file, almost the same as
 9365 	sparc/arcfour-crypt.asm.
 9366 
 9367 	* examples/nettle-benchmark.c (display): Use two decimal places.
 9368 
 9369 	* sparc/arcfour-crypt.asm: Reorganized. Main loop unrolled four
 9370 	times. Uses aligned 32-bit write accesses at DST. Still uses 8-bit
 9371 	read accesses at SRC; could be improved in the case that SRC and
 9372 	DST have compatible alignment.
 9373 
 9374 2005-10-19  Niels Möller  <niels@s3.kth.se>
 9375 
 9376 	* testsuite/arcfour-test.c (test_main): New testcase with 512
 9377 	bytes of data.
 9378 
 9379 2005-10-19  Niels Möller  <nisse@lysator.liu.se>
 9380 
 9381 	* sparc/arcfour-crypt.asm: Fixed bug, spotted by Mikael Kalms. We
 9382 	must order the store at [CTX+I] before the load of [CTX+SI+SJ].
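The ordering hazard this entry fixes, shown in a C reference arcfour (RC4) rather than the sparc assembler; this is an added example, not Nettle's code, the names (rc4_step, rc4_step_buggy, rc4_hazard_output) are this example's own, and the colliding state is constructed by hand rather than derived from a key.

```c
/* Added example, not Nettle's sparc/arcfour-crypt.asm: reference RC4
 * with the store/load ordering hazard made explicit.  In a keystream
 * step the output index (si + sj) mod 256 can equal i, so the store to
 * S[i] must be issued before that load; hoisting the load yields a
 * stale byte that ordinary test vectors catch only by chance. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct rc4_ctx { uint8_t S[256]; uint8_t i, j; };

void rc4_set_key(struct rc4_ctx *ctx, const uint8_t *key, size_t len)
{
  unsigned k, j = 0;
  for (k = 0; k < 256; k++)
    ctx->S[k] = k;
  for (k = 0; k < 256; k++)      /* key-scheduling algorithm */
    {
      uint8_t t = ctx->S[k];
      j = (j + t + key[k % len]) & 0xff;
      ctx->S[k] = ctx->S[j];
      ctx->S[j] = t;
    }
  ctx->i = ctx->j = 0;
}

/* Correct order: both swap stores happen before the output load. */
uint8_t rc4_step(struct rc4_ctx *ctx)
{
  uint8_t si, sj;
  ctx->i = ctx->i + 1;                 /* uint8_t wraps mod 256 */
  si = ctx->S[ctx->i];
  ctx->j = ctx->j + si;
  sj = ctx->S[ctx->j];
  ctx->S[ctx->i] = sj;                 /* store S[i] ... */
  ctx->S[ctx->j] = si;
  return ctx->S[(uint8_t) (si + sj)];  /* ... then load S[si + sj] */
}

/* Buggy order: differs from rc4_step exactly when (si + sj) mod 256 == i
 * and i != j, because the load sees the old S[i]. */
uint8_t rc4_step_buggy(struct rc4_ctx *ctx)
{
  uint8_t si, sj, out;
  ctx->i = ctx->i + 1;
  si = ctx->S[ctx->i];
  ctx->j = ctx->j + si;
  sj = ctx->S[ctx->j];
  ctx->S[ctx->j] = si;
  out = ctx->S[(uint8_t) (si + sj)];   /* load before the store to S[i] */
  ctx->S[ctx->i] = sj;
  return out;
}

void rc4_crypt(struct rc4_ctx *ctx, size_t n, uint8_t *dst, const uint8_t *src)
{
  size_t k;
  for (k = 0; k < n; k++)
    dst[k] = src[k] ^ rc4_step(ctx);
}

/* Constructed state (not from a key schedule) that hits the hazard on
 * the next step: i -> 1, si = 5, j -> 5, sj = 252, (5 + 252) mod 256 == 1.
 * Returns that step's output byte from the chosen variant. */
uint8_t rc4_hazard_output(int buggy)
{
  struct rc4_ctx ctx;
  unsigned k;
  for (k = 0; k < 256; k++)
    ctx.S[k] = k;
  ctx.S[1] = 5; ctx.S[5] = 252; ctx.S[252] = 1;  /* 3-cycle keeps S a permutation */
  ctx.i = ctx.j = 0;
  return buggy ? rc4_step_buggy(&ctx) : rc4_step(&ctx);
}

/* Known answer: key "Key", plaintext "Plaintext" ->
 * bb f3 16 e8 d9 40 af 0a d3.  Returns 1 on match. */
int rc4_check_vector(void)
{
  static const uint8_t expect[9] =
    { 0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3 };
  struct rc4_ctx ctx;
  uint8_t out[9];
  rc4_set_key(&ctx, (const uint8_t *) "Key", 3);
  rc4_crypt(&ctx, 9, out, (const uint8_t *) "Plaintext");
  return memcmp(out, expect, 9) == 0;
}

int main(void)
{
  printf("test vector ok: %d\n", rc4_check_vector());
  printf("hazard step: correct %u, buggy %u\n",
         rc4_hazard_output(0), rc4_hazard_output(1));
  return 0;
}
```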
 9383 
 9384 2005-10-18  Niels Möller  <nisse@lysator.liu.se>
 9385 
 9386 	* sparc/arcfour-crypt.asm: Special unrolled code if SRC and DST
 9387 	have compatible alignment. Improves performance by 20%, but I'm
 9388 	not sure it's worth the extra complexity.
 9389 
 9390 	* bignum.c (nettle_mpz_from_octets): Removed sign argument. If
 9391 	mpz_import is available, define nettle_mpz_from_octets as a macro
 9392 	calling mpz_import.
 9393 	(nettle_mpz_from_octets): Start by setting x to zero; callers no
 9394 	longer need to do that.
 9395 	(nettle_mpz_set_str_256_s): New logic for the handling of negative
 9396 	numbers. Convert in the same way as for positive numbers, and then
 9397 	subtract the appropriate power of two.
 9398 
 9399 2005-10-17  Niels Möller  <nisse@lysator.liu.se>
 9400 
 9401 	* bignum.c (nettle_mpz_from_octets): Improved loop. Removed the
 9402 	digit temporary (suggested by Torbjörn Granlund).
 9403 
 9404 	* sparc/arcfour-crypt.asm: Improved instruction scheduling.
 9405 
 9406 	* sparc/arcfour-crypt.asm: Bugfix, use lduh and stuh.
 9407 
 9408 	* sparc/arcfour-crypt.asm: New file.
 9409 
 9410 	* sparc64/aes.asm: Deleted unused file.
 9411 
 9412 	* x86/arcfour-crypt.asm: Use ARCFOUR_I and ARCFOUR_J
 9413 	* asm.m4 (ARCFOUR): New struct.
 9414 
 9415 2005-10-17  Niels Möller  <niels@s3.kth.se>
 9416 
 9417 	* aes-internal.h (struct aes_table): Deleted idx and sparc_idx
 9418 	arrays.
 9419 	* aes-encrypt-table.c (_aes_encrypt_table): Likewise.
 9420 	* aes-decrypt.c (_aes_decrypt_table): Likewise.
 9421 	* asm.m4 (AES): Likewise.
 9422 
 9423 2005-10-16  Niels Möller  <nisse@lysator.liu.se>
 9424 
 9425 	* tools/input.c (sexp_get_char): Use unsigned for the done flag.
 9426 
 9427 	* sparc64/aes-encrypt-internal.asm: Include sparc/aes.m4.
 9428 	* sparc64/aes-decrypt-internal.asm: Likewise.
 9429 
 9430 	* sparc64/machine.m4: Use .register pseudo op to say that we use
 9431 	%g2 and %g3 as scratch registers.
 9432 
 9433 	* sparc/aes-encrypt-internal.asm: Explicitly include sparc/aes.m4.
 9434 	* sparc/aes-decrypt-internal.asm: Likewise.
 9435 
 9436 	* sparc/aes.m4: New file. Moved aes-related macros here...
 9437 	* sparc/machine.m4: ... removed aes macros.
 9438 
 9439 	* x86/aes-encrypt-internal.asm: Explicitly include x86/aes.m4.
 9440 	* x86/aes-decrypt-internal.asm: Likewise.
 9441 
 9442 	* x86/aes.m4: New file. Moved aes-related macros here, from...
 9443 	* x86/machine.m4: ... removed aes macros.
 9444 
 9445 	* sparc64/aes-encrypt-internal.asm: New file.
 9446 	* sparc64/aes-decrypt-internal.asm: New file.
 9447 
 9448 	* sparc64/machine.m4: Include the same aes macros used for
 9449 	sparc32.
 9450 	(BIAS): Define magic stack bias constant.
 9451 
 9452 	* sparc/aes-encrypt-internal.asm, sparc/aes-decrypt-internal.asm:
 9453 	Reduced frame size to 104 bytes, since we no longer need wtxt and
 9454 	tmp on the stack.
 9455 
 9456 	* sparc/aes.asm: Deleted old aes implementation.
 9457 
 9458 	* sparc/aes-decrypt-internal.asm: New file.
 9459 
 9460 	* sparc/machine.m4: Don't use m4 eval, instead rely on the
 9461 	assembler's arithmetic.
 9462 
 9463 	* sparc/machine.m4 (AES_FINAL_ROUND): Better scheduling, by
 9464 	interleaving independent operations.
 9465 
 9466 	* sparc/machine.m4 (TMP3): A third temporary register.
 9467 	(AES_FINAL_ROUND): Prepared for scheduling.
 9468 
 9469 	* sparc/machine.m4 (AES_ROUND): Deleted unused argument T. Updated
 9470 	all calls in aes-encrypt-internal.asm.
 9471 
 9472 	* sparc/machine.m4 (AES_ROUND): New loop invariants T0-T3, to
 9473 	avoid the additions of the AES_TABLEx constants in the inner loop.
 9474 
 9475 	* sparc/machine.m4 (AES_ROUND): Better scheduling, by
 9476 	interleaving independent operations.
 9477 
 9478 	* sparc/machine.m4 (AES_ROUND): Alternate between using TMP1 and
 9479 	TMP2, to prepare for scheduling.
 9480 
 9481 	* sparc/aes-encrypt-internal.asm: Renamed Ti -> Xi.
 9482 
 9483 	* sparc/aes-encrypt-internal.asm: Fixed bugs. Now passes the
 9484 	testsuite.
 9485 
 9486 	* sparc/machine.m4 (AES_ROUND, AES_FINAL_ROUND): Bugfixes. Put
 9487 	NOPs in the load delay slots.
 9488 
 9489 	* sparc/aes-encrypt-internal.asm: Implemented. Not yet working,
 9490 	and not optimized.
 9491 
 9492 	* sparc/machine.m4: Use TMP1 and TMP2, so we don't need to pass
 9493 	them as arguments.
 9494 	(AES_FINAL_ROUND): New macro.
 9495 
 9496 2005-10-15  Niels Möller  <nisse@lysator.liu.se>
 9497 
 9498 	* configure.ac (OBJDUMP): Substitute the program false if objdump
 9499 	is not found.
 9500 
 9501 	* asm.m4 (PROLOGUE): Use TYPE_FUNCTION.
 9502 
 9503 	* config.m4.in: Substitute ASM_TYPE_FUNCTION as TYPE_FUNCTION.
 9504 
 9505 	* configure.ac (ASM_ELF_STYLE): Check for %function and #function,
 9506 	but not for @function.
 9507 	(ASM_TYPE_FUNCTION): New substituted variable.
 9508 
 9509 	* configure.ac (ASM_ELF_STYLE): Fixed .type foo,@function statement
 9510 	used when checking for pseudo operations.
 9511 
 9512 	* sparc/machine.m4 (AES_LOAD, AES_ROUND): Started writing new AES
 9513 	macros.
 9514 
 9515 	* sparc/aes-encrypt-internal.asm: New file.
 9516 
 9517 2005-10-14  Niels Möller  <nisse@lysator.liu.se>
 9518 
 9519 	* x86/aes-decrypt.asm, x86/aes-encrypt.asm: Deleted files.
 9520 
 9521 	* x86/aes-decrypt-internal.asm: New file.
 9522 
 9523 	* x86/machine.m4: Changed AES macros, to handle a table register.
 9524 	Also take more of the used registers as argument.
 9525 
 9526 	* x86/aes-encrypt-internal.asm: Rewritten to match new interface,
 9527 	with the table pointer as an argument. Unlike the old code, this
 9528 	should really be position independent.
 9529 
 9530 	* configure.ac: When looking for assembler files, link in
 9531 	aes-encrypt-internal.asm and aes-decrypt-internal.asm. Don't look
 9532 	for aes.asm, aes-encrypt.asm and aes-decrypt.asm.
 9533 
 9534 	* configure.ac (OBJDUMP): Use AC_CHECK_TOOL to check for objdump.
 9535 	(ASM_MARK_NOEXEC_STACK): Use $OBJDUMP when examining the object file.
 9536 
 9537 	* Makefile.in (nettle_SOURCES): Removed aes.c,
 9538 	aes-decrypt-table.c. Added aes-decrypt-internal.c and aes-encrypt-internal.c.
 9539 
 9540 	* aes.c, aes-decrypt-table.c: Deleted files.
 9541 
 9542 	* aes-decrypt.c (_aes_decrypt_table): Moved table here, and made
 9543 	static.
 9544 
 9545 	* aes-internal.h (_aes_decrypt_table): Don't declare, it's no
 9546 	longer globally visible.
 9547 
 9548 	* aes-decrypt-internal.c (_nettle_aes_decrypt): New AES decryption
 9549 	function, analogous to _nettle_aes_encrypt.
 9550 
 9551 2005-10-14  Niels Möller  <niels@s3.kth.se>
 9552 
 9553 	* aes-internal.h (AES_ROUND, AES_FINAL_ROUND): New macros.
 9554 
 9555 	* aes-encrypt-internal.c (_nettle_aes_encrypt): New AES encryption
 9556 	function, avoiding the table-based indexing.
 9557 
 9558 	* sha1-compress.c: Added debugging code.
 9559 	* md5-compress.c: Likewise.
 9560 
 9561 2005-10-13  Niels Möller  <niels@s3.kth.se>
 9562 
 9563 	* config.m4.in (ASM_MARK_NOEXEC_STACK): Use a diversion, to
 9564 	substitute the value of ASM_MARK_NOEXEC_STACK at the end of each
 9565 	assembler file.
 9566 
 9567 	* configure.ac (ASM_MARK_NOEXEC_STACK): Check if the C compiler
 9568 	generates a .note.GNU-stack section. If so, we should do the same
 9569 	in our assembler files.
 9570 
 9571 	* sparc64/aes.asm: New file. Copy of sparc/aes.asm, with minor
 9572 	changes to the stack frame layout. Patch contributed by Henrik
 9573 	Grubbström. Not yet tested.
 9574 
 9575 	* x86/md5-compress.asm: Skip copying of input to the stack, and
 9576 	don't allocate space for it.
 9577 	(F1): Fixed bug.
 9578 
 9579 	* testsuite/md5-test.c: Document intermediate values for first
 9580 	test case.
 9581 
 9582 	* configure.ac (asm_path): Check for sparc64, and use sparc64
 9583 	subdirectory. Link in md5-compress.asm, if it exists.
 9584 
 9585 2005-10-13  Niels Möller  <nisse@lysator.liu.se>
 9586 
 9587 	* x86/md5-compress.asm (REF): Fixed calculation of offset.
 9588 
 9589 2005-10-12  Niels Möller  <nisse@lysator.liu.se>
 9590 
 9591 	* x86/machine.m4 (OFFSET): Moved macro, used to be in...
 9592 	* x86/sha1-compress.asm (OFFSET): ... removed macro.
 9593 
 9594 	* x86/md5-compress.asm: New file, with first attempt at md5
 9595 	assembler. Not yet working.
 9596 
 9597 2005-10-11  Niels Möller  <nisse@lysator.liu.se>
 9598 
 9599 	* Makefile.in (nettle_SOURCES): Added md5-compress.c.
 9600 
 9601 	* md5.c: Reorganized to use _nettle_md5_compress, in analogy with
 9602 	sha1.c.
 9603 
 9604 	* md5-compress.c (_nettle_md5_compress): New file and new function.
 9605 
 9606 2005-10-10  Niels Möller  <niels@s3.kth.se>
 9607 
 9608 	* testsuite/Makefile.in (EXTRA_SOURCES, EXTRA_TARGETS): New
 9609 	variables, for test cases that are not run by default.
 9610 
 9611 	* testsuite/sha1-huge-test.c (test_main): New test case, with a
 9612 	very large sha1 input.
 9613 
 9614 	* testsuite/testutils.c (test_hash_large): New function.
 9615 
 9616 	* sha1.c (sha1_block): Deleted function; inlined where used.
 9617 	(SHA1_INCR): New macro for incrementing the block count.
 9618 
 9619 2005-10-06  Niels Möller  <nisse@lysator.liu.se>
 9620 
 9621 	* configure.ac: Bumped version to 1.14.
 9622 
 9623 	* Released nettle-1.13.
 9624 
 9625 	* configure.ac: Check for openssl/aes.h.
 9626 
 9627 	* Makefile.in (distdir): Use a loop to pick up the contents of
 9628 	$(DISTFILES) from source and build directories. For some reason,
 9629 	$? failed to find stamp-h.in in the source directory.
 9630 
 9631 2005-10-05  Niels Möller  <nisse@lysator.liu.se>
 9632 
 9633 	* x86/aes-decrypt.asm: Use C_NAME(_nettle_aes_decrypt_table) when
 9634 	using the AES_SUBST_BYTE macro. Use PROLOGUE and EPILOGUE.
 9635 	* x86/sha1-compress.asm: Use PROLOGUE and EPILOGUE.
 9636 	* x86/arcfour-crypt.asm: Likewise.
 9637 	* x86/aes-encrypt.asm: Likewise.
 9638 
 9639 	* config.m4.in (ELF_STYLE): Substitute configure's ASM_ELF_STYLE.
 9640 
 9641 	* asm.m4 (PROLOGUE, EPILOGUE): New macros, checking the value of
 9642 	ELF_STYLE. So far, used and tested only for the x86 assembler
 9643 	files, and needed to make the assembler happy both with ELF
 9644 	(linux, solaris) and COFF (windows).
 9645 
 9646 	* configure.ac (NM): Use AC_CHECK_TOOL to check for nm.
 9647 	(ASM_SYMBOL_PREFIX): Use $NM when examining the object file.
 9648 	(ASM_ELF_STYLE): New variable. Set to 'yes' if assembling a file
 9649 	with ELF-style .type and .size pseudo ops works.
 9650 
 9651 	* Makefile.in (TARGETS, DISTFILES): Added nettle.pdf.
 9652 	(.texinfo.dvi, .dvi.ps, .ps.pdf): New targets, to build nettle.pdf.
 9653 	(DOCTARGETS): New variable with targets that shouldn't be deleted
 9654 	by make clean.
 9655 	(maintainer-clean-here): New target. Deletes generated
 9656 	documentation files.
 9657 
 9658 	* nettle.texinfo: Define AUTHOR with accents, when running in TeX
 9659 	mode, which doesn't handle latin-1 properly. Set UPDATED-FOR to
 9660 	1.13. Updated copyright years, and introduced a COPYRIGHT-YEARS
 9661 	symbol. Updated copyright section, to mention assembler
 9662 	implementations.
 9663 	(Cipher modes): Transformed the Cipher Block Chaining to a section
 9664 	Cipher modes, describing both CBC and the new CTR mode.
 9665 
 9666 	* src/nettle/x86/aes_tables.asm: Deleted unused file.
 9667 
 9668 	* x86/aes.asm: Deleted contents. This file is needed just to
 9669 	override aes.c, which isn't needed for the x86 implementation.
 9670 
 9671 	* configure.ac (SHLIBMINOR): Increased minor number. Library
 9672 	version is now libnettle.so.2.4, soname still libnettle.so.2.
 9673 
 9674 	* examples/nettle-benchmark.c (main): Reordered hash benchmarks.
 9675 
 9676 	* x86/sha1-compress.asm (EXPAND): Use % 16 instead of & 15 to
 9677 	compute offsets mod 16, since m4 on FreeBSD 49.RELEASE and NetBSD
 9678 	doesn't implement & correctly in eval.
 9679 
 9680 2005-10-03  Niels Möller  <nisse@lysator.liu.se>
 9681 
 9682 	* x86/sha1-compress.asm (OFFSET): New macro.
 9683 	(F3): Eliminated a movl.
 9684 	(ROUND): New argument, for k. When using F3, it's TMP3, on the
 9685 	stack, otherwise, it is kept in TMP2, a register.
 9686 
 9687 2005-10-03  Niels Möller  <niels@s3.kth.se>
 9688 
 9689 	* examples/nettle-openssl.c: Use correct block sizes for openssl
 9690 	ciphers.
 9691 
 9692 	* examples/nettle-benchmark.c: Also display cycles per block.
 9693 
 9694 2005-10-02  Niels Möller  <nisse@lysator.liu.se>
 9695 
 9696 	* sha1-compress.c (_nettle_sha1_compress): Updated to new
 9697 	interface. Now responsible for byte conversion.
 9698 
 9699 	* x86/sha1-compress.asm (_nettle_sha1_compress): Do byte order
 9700 	conversion, and store the input data on the stack. This leaves one
 9701 	more register free for other uses.
 9702 
 9703 	* examples/nettle-benchmark.c: Now display cycles/byte, if the -f
 9704 	option is used to say what the clock frequency is.
 9705 
 9706 	* sha1.c (sha1_block): Don't convert data from uint8_t to
 9707 	uint32_t, that's now the responsibility of _nettle_sha1_compress.
 9708 
 9709 	* sha.h (_nettle_sha1_compress): Changed interface. Second
 9710 	argument is now a pointer to the input data in unaligned,
 9711 	big-endian form.
 9712 
 9713 2005-09-28  Niels Möller  <niels@s3.kth.se>
 9714 
 9715 	* sha1.c (sha1_final): Call sha1_block, don't call the compression
 9716 	function _nettle_sha1_compress directly.
 9717 
 9718 	* nettle-internal.h (nettle_openssl_md5)
 9719 	(nettle_openssl_sha1): Declare.
 9720 
 9721 	* examples/nettle-benchmark.c (main): Benchmark openssl md5 and
 9722 	sha1.
 9723 
 9724 	* examples/nettle-openssl.c (nettle_openssl_md5)
 9725 	(nettle_openssl_sha1): Added glue for openssl hash functions.
 9726 
 9727 	* nettle-internal.h (nettle_openssl_aes128, nettle_openssl_aes192)
 9728 	(nettle_openssl_aes256, nettle_openssl_arcfour128): Declare.
 9729 
 9730 	* examples/nettle-benchmark.c: Check WITH_OPENSSL, not
 9731 	HAVE_LIBCRYPTO. Benchmark openssl's aes and arcfour code.
 9732 
 9733 	* examples/nettle-openssl.c: Updated openssl des glue to use the
 9734 	new openssl des interface. Added glue for arcfour and aes.
 9735 
 9736 2005-09-27  Niels Möller  <nisse@lysator.liu.se>
 9737 
 9738 	* nettle.texinfo (RSA): Improved text about the RSA patent.
 9739 	Use @documentencoding ISO-8859-1.
 9740 
 9741 2005-09-07  Niels Möller  <niels@s3.kth.se>
 9742 
 9743 	* tools/sexp-conv.c (parse_options): New option --raw-hash, for
 9744 	compatibility with lsh-1.x. Equivalent to --hash.
 9745 
 9746 2005-09-06  Niels Möller  <niels@s3.kth.se>
 9747 
 9748 	* tools/sexp-conv.c (main): With --hash, output a newline after
 9749 	each hash.
 9750 
 9751 2005-07-02  Niels Möller  <nisse@lysator.liu.se>
 9752 
 9753 	* testsuite/Makefile.in (TS_SOURCES): Added ctr-test.c.
 9754 
 9755 	* testsuite/testutils.c (test_cipher_ctr): New function.
 9756 
 9757 	* testsuite/ctr-test.c: New file.
 9758 
 9759 	* testsuite/cbc-test.c (test_main): Use static const for msg.
 9760 
 9761 	* Makefile.in (nettle_SOURCES): Added ctr.c.
 9762 	(HEADERS): Added ctr.h.
 9763 	(HEADERS): Added nettle-types.h.
 9764 	(INSTALL_HEADERS): Install nettle-stdint.h.
 9765 	(distclean-here): Delete nettle-stdint.h, not nettle-types.h.
 9766 
 9767 	* ctr.c (ctr_crypt): New file, new function.
 9768 
 9769 	* memxor.c (memxor3): New function, suggested by Adam Langley.
 9770 
 9771 	* nettle-internal.h (NETTLE_MAX_CIPHER_BLOCK_SIZE): New constant.
 9772 
 9773 	* nettle.texinfo (Cipher functions): Fixed typo in prototype for
 9774 	arctwo_encrypt (noticed by Adam Langley).
 9775 
 9776 	* nettle-meta.h: No longer needs to include cbc.h.
 9777 
 9778 	* cbc.h (nettle_crypt_func): Moved typedef to nettle-types.h.
 9779 	(CBC_ENCRYPT, CBC_DECRYPT): Deleted older #if:ed out versions.
 9780 
 9781 	* configure.ac (AX_CREATE_STDINT_H): Use the file name
 9782 	nettle-stdint.h, not nettle-types.h.
 9783 
 9784 	* nettle-types.h: New file. Automatically generated declarations
 9785 	are now in nettle-stdint.h.
 9786 
 9787 2005-03-17  Niels Möller  <niels@s3.kth.se>
 9788 
 9789 	* config.guess: Support Solaris on x86_64. Fix by Henrik
 9790 	Grubbström.
 9791 
 9792 2005-01-03  Niels Möller  <niels@s3.kth.se>
 9793 
 9794 	* examples/io.h: Include RSA declarations only when public key
 9795 	algorithms are enabled. Problem reported by Meilof Veeningen
 9796 	<meilof@gmail.com>.
 9797 
 9798 2004-12-07  Niels Möller  <nisse@lysator.liu.se>
 9799 
 9800 	* Makefile.in: Install directories, using $(INSTALL) -d, only if
 9801 	they don't exist already.
 9802 
 9803 2004-12-05  Niels Möller  <nisse@lysator.liu.se>
 9804 
 9805 	* config.make.in (.PRECIOUS): Reverted earlier change. We need
 9806 	.PRECIOUS to stop GNU make from deleting object files for the test
 9807 	programs.
 9808 
 9809 2004-12-02  Niels Möller  <nisse@lysator.liu.se>
 9810 
 9811 	* Makefile.in (.SUFFIXES): Moved from Makefile.in to...
 9812 	* config.make.in (.SUFFIXES): ... here. This helps compilation
 9813 	with BSD make.
 9814 	* testsuite/Makefile.in (.SUFFIXES): Deleted target.
 9815 
 9816 	* config.make.in (.c): Disable default rule for BSD-make.
 9817 
 9818 	* Makefile.in (all check install uninstall)
 9819 	(clean distclean mostlyclean maintainer-clean): Don't use the -C
 9820 	flag when invoking make, for compatibility with Solaris make.
 9821 
 9822 2004-12-02  Niels Möller  <niels@s3.kth.se>
 9823 
 9824 	* Makefile.in (aesdata, desdata): Commented out the explicit
 9825 	targets.
 9826 	(shadata): Avoid using $< in non-pattern rule.
 9827 
 9828 2004-12-01  Niels Möller  <nisse@lysator.liu.se>
 9829 
 9830 	* config.make.in: Added a default target.
 9831 
 9832 2004-11-29  Niels Möller  <nisse@lysator.liu.se>
 9833 
 9834 	* testsuite/Makefile.in: Use .$(OBJEXT). Explicitly set .SUFFIXES.
 9835 
 9836 	* Makefile.in: Use .$(OBJEXT).
 9837 
 9838 2004-11-28  Niels Möller  <nisse@lysator.liu.se>
 9839 
 9840 	* tools/Makefile.in (nettle-lfib-stream): Avoid using $< in
 9841 	non-suffix rule.
 9842 
 9843 	* Makefile.in (distdir): Handle absolute $distdir.
 9844 	Avoid using the GNU extension $^.
 9845 
 9846 	* examples/Makefile.in: Avoid using the GNU extension $^.
 9847 	* tools/Makefile.in: Likewise.
 9848 	* testsuite/Makefile.in: Likewise.
 9849 
 9850 2004-11-24  Niels Möller  <niels@s3.kth.se>
 9851 
 9852 	* configure.ac: Fixed typo, preventing the creation of dependency
 9853 	files.
 9854 
 9855 2004-11-23  Niels Möller  <nisse@lysator.liu.se>
 9856 
 9857 	* Makefile.in: Use DEP_INCLUDE.
 9858 	* tools/Makefile.in: Likewise.
 9859 	* testsuite/Makefile.in: Likewise.
 9860 	* examples/Makefile.in: Likewise.
 9861 
 9862 	* configure.ac (dummy-dep-files): Generate only if dependency
 9863 	tracking is enabled.
 9864 
 9865 2004-11-18  Niels Möller  <nisse@lysator.liu.se>
 9866 
 9867 	* Makefile.in (clean-here): The clean target should not delete the
 9868 	dependency files. Moved to the distclean target.
 9869 	* examples/Makefile.in: Likewise.
 9870 	* testsuite/Makefile.in: Likewise.
 9871 	* tools/Makefile.in: Likewise.
 9872 
 9873 	* configure.ac (ASM_SYMBOL_PREFIX): Fixed test.
 9874 	(dummy-dep-files): Added quotes to sed command.
 9875 
 9876 2004-11-17  Niels Möller  <nisse@lysator.liu.se>
 9877 
 9878 	* testsuite/symbols-test: Try plain nm if nm -g doesn't work.
 9879 
 9880 	* x86/sha1-compress.asm: Use C_NAME for global symbols.
 9881 	* x86/aes-encrypt.asm: Likewise.
 9882 	* x86/aes-decrypt.asm: Likewise.
 9883 	* x86/arcfour-crypt.asm: Likewise.
 9884 
 9885 	* Makefile.in (config.m4): New rule.
 9886 
 9887 	* config.m4.in (C_NAME): New macro.
 9888 
 9889 	* configure.ac (ASM_SYMBOL_PREFIX): Check if global symbols have a
 9890 	leading underscore.
 9891 
 9892 2004-11-16  Niels Möller  <nisse@lysator.liu.se>
 9893 
 9894 	* Deleted getopt.c, getopt.h and getopt1.c from the CVS tree. Link
 9895 	them from shared copies in lsh/misc instead.
 9896 
 9897 2004-11-14  Niels Möller  <nisse@lysator.liu.se>
 9898 
 9899 	* Makefile.in (DEP_FILES): Try include with only one macro
 9900 	argument to be expanded.
 9901 
 9902 	* configure.ac (dummy-dep-files): Create dummy dependency files,
 9903 	so that they can be included by the makefiles.
 9904 
 9905 2004-11-13  Niels Möller  <nisse@lysator.liu.se>
 9906 
 9907 	* Makefile.in: Don't use -include, as it's GNU make specific.
 9908 	* examples/Makefile.in, tools/Makefile.in, testsuite/Makefile.in:
 9909 	Likewise.
 9910 
 9911 	* examples/nettle-openssl.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO.
 9912 
 9913 	* configure.ac: Check for individual openssl headers blowfish.h,
 9914 	cast.h, des.h. Renamed symbol HAVE_LIBCRYPTO to WITH_OPENSSL. New
 9915 	configure option --disable-openssl.
 9916 
 9917 2004-11-04  Niels Möller  <nisse@lysator.liu.se>
 9918 
 9919 	* configure.ac: Bumped version to 1.13.
 9920 
 9921 	* Released nettle-1.12.
 9922 
 9923 2004-11-04  Niels Möller  <niels@s3.kth.se>
 9924 
 9925 	* nettle.texinfo (UPDATED-FOR): Bumped to 1.12.
 9926 
 9927 2004-11-02  Niels Möller  <nisse@lysator.liu.se>
 9928 
 9929 	* nettle.texinfo (Cipher functions): Updated AES documentation,
 9930 	for aes_set_encrypt_key and aes_set_decrypt_key.
 9931 	(UPDATED-FOR): Set to 1.11. I think the manual should be updated
 9932 	with all user-visible changes.
 9933 
 9934 	* aclocal.m4 (LSH_DEPENDENCY_TRACKING): Need extra quoting in case
 9935 	pattern. (This file really lives in the lsh tree, as
 9936 	lsh/acinclude.m4. For a complete ChangeLog, see lsh/Changelog).
 9937 
 9938 2004-10-26  Niels Möller  <nisse@lysator.liu.se>
 9939 
 9940 	* configure.ac: Bumped version to 1.12.
 9941 
 9942 	* Released nettle-1.11.
 9943 
 9944 	* Makefile.in (clean-here): Delete *.s files.
 9945 	(PRE_CPPFLAGS): Use this variable, not INCLUDES. Removed
 9946 	-I$(srcdir).
 9947 
 9948 	* x86/arcfour-crypt.asm: Use movzbl when extending %cl to 32 bits.
 9949 
 9950 2004-10-24  Niels Möller  <nisse@lysator.liu.se>
 9951 
 9952 	* x86/arcfour-crypt.asm: Reverted the latest two changes; update
 9953 	both src and dst pointers in the loop, and use plain addb when
 9954 	updating j. These two previous changes slowed the code down on AMD
 9955 	Duron.
 9956 
 9957 2004-10-21  Niels Möller  <nisse@lysator.liu.se>
 9958 
 9959 	* Makefile.in (install-shared): Use $(INSTALL_PROGRAM).
 9960 
 9961 	* configure.ac (SHLIBMINOR): Updated, shared library version is
 9962 	now libnettle.so.2.3, soname still libnettle.so.2.
 9963 
 9964 	* Makefile.in (DISTFILES): Added asm.m4.
 9965 
 9966 2004-10-21  Niels Möller  <niels@s3.kth.se>
 9967 
 9968 	* examples/Makefile.in: Deleted all configure-related rules,
 9969 	except the one rebuilding this Makefile. One should run make at
 9970 	top level if other configure related files change.
 9971 	* tools/Makefile.in: Likewise.
 9972 	* testsuite/Makefile.in: Likewise.
 9973 
 9974 	* configure.ac: Replaced AC_OUTPUT(list...) with an AC_OUTPUT
 9975 	without arguments, and AC_CONFIG_FILES listing the files.
 9976 
 9977 	* Makefile.in: Changed the assembler rules as suffix rules.
 9978 	Rewrote the configure-related rules, mostly based on the example
 9979 	in the autoconf manual.
 9980 
 9981 2004-10-20  Niels Möller  <nisse@lysator.liu.se>
 9982 
 9983 	* examples/nettle-openssl.c (NCOMPAT): Disable openssl backwards
 9984 	compatibility.
 9985 
 9986 	* config.make.in: Insert $(PRE_CPPFLAGS) and $(PRE_LDFLAGS) before
 9987 	$(CPPFLAGS) and $(LDFLAGS). This mechanism replaces $(INCLUDES).
 9988 
 9989 	* examples/Makefile.in (PRE_CPPFLAGS, PRE_LDFLAGS): Use these
 9990 	flags to get -I.. and -L.. early on the command line.
 9991 	* testsuite/Makefile.in: Likewise.
 9992 	* tools/Makefile.in: Likewise.
 9993 
 9994 2004-10-20  Niels Möller  <niels@s3.kth.se>
 9995 
 9996 	* Makefile.in: In the assembler rules, there's no need to look in
 9997 	$(srcdir) for the input file.
 9998 
 9999 	* x86/arcfour-crypt.asm: Reduced inner loop by one instruction, by
10000 	precomputing the offset between src and dst.
10001 
10002 	* tools/Makefile.in (.c.$(OBJEXT)): Removed redundant -I.. flag.
10003 
10004 	* x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replaced addb ->
10005 	addl + andl $0xff, improving speed on PPro by another 15%.
10006 
10007 2004-10-20  Niels Möller  <nisse@lysator.liu.se>
10008 
10009 	* tools/Makefile.in (install): Support DESTDIR.
10010 	(uninstall): New target.
10011 
10012 	* testsuite/Makefile.in (uninstall): New dummy target.
10013 
10014 	* config.sub: Copied from automake-1.8.5.
10015 
10016 	* examples/Makefile.in (SOURCES): Added rsa-sign.c and rsa-verify.c.
10017 	(DISTFILES): Added getopt.h.
10018 	(install uninstall): New dummy targets.
10019 
10020 	* config.make.in (.PHONY): Added more targets.
10021 
10022 	* Makefile.in (.texinfo.info, .texinfo.html): New targets. Added
10023 	support for uninstall and DESTDIR. Various fixes to install and
10024 	distcheck.
10025 
10026 	* examples/Makefile.in (INCLUDES): Added -I flags.
10027 	(distdir): Use $^ to refer to the files.
10028 	(distclean): New target.
10029 	* testsuite/Makefile.in: Likewise.
10030 	* tools/Makefile.in: Likewise.
10031 
10032 	* Makefile.in (INCLUDES): Need -I flags for VPATH build.
10033 	(clean distclean mostlyclean maintainer-clean): Clean
10034 	subdirectories first.
10035 	(DISTFILES): Added a bunch of files.
10036 	(des_headers): Added desCore rules.
10037 	(install-here): Split off target install-headers, which uses $^ to
10038 	refer to the files.
10039 	(distdir): Use $^ to refer to the files.
10040 	(distcheck): Fixes.
10041 
10042 	* config.make.in (COMPILE): Add $(INCLUDE) to the line.
10043 
10044 2004-10-19  Niels Möller  <nisse@lysator.liu.se>
10045 
10046 	Stop using automake. Replaced each Makefile.am with a hand-written
10047 	Makefile.in.
10048 	* configure.ac: New output variable CCPIC_MAYBE. New output file
10049 	config.make. Replaced automake constructions.
10050 	* .bootstrap: Don't run aclocal and automake.
10051 	* config.make.in: New file, with shared Makefile variables and rules.
10052 
10053 2004-10-18  Niels Möller  <nisse@lysator.liu.se>
10054 
10055 	* x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replace incb ->
10056 	incl + andl, to improve speed on PPro and PII. Suggested by
10057 	Fredrik Olsson.
10058 
10059 2004-10-08  Niels Möller  <niels@s3.kth.se>
10060 
10061 	* examples/rsa-encrypt-test: Avoid reading and executing a file at
10062 	the same time.
10063 	* examples/setup-env: Likewise.
10064 
10065 2004-10-06  Niels Möller  <niels@s3.kth.se>
10066 
10067 	* testsuite/symbols-test: Ignore __i686.get_pc_thunk.bx and
10068 	similar symbols.
10069 
10070 2004-10-05  Niels Möller  <nisse@lysator.liu.se>
10071 
10072 	* twofish.c (q_table): Use a const pointer array.
10073 
10074 	* sexp2dsa.c (dsa_keypair_from_sexp_alist): Use a const pointer
10075 	array for the keywords.
10076 	(dsa_signature_from_sexp): Likewise.
10077 	* sexp2rsa.c (rsa_keypair_from_sexp_alist): Likewise.
10078 	(rsa_keypair_from_sexp): Likewise.
10079 
10080 	* sexp.c (sexp_iterator_check_types): Use an argument of type
10081 	"const uint8_t * const *" for the types list.
10082 	(sexp_iterator_assoc): Likewise, for the keys list.
10083 
10084 	* list-obj-sizes.awk: Fixes to handle multiple .data and .rodata
10085 	sections. Also fixed to handle the last file correctly.
10086 
10087 2004-09-23  Niels Möller  <nisse@lysator.liu.se>
10088 
10089 	* configure.ac (SHLIBLINK, SHLIBLIBS): On cygwin, linking needs
10090 	-Wl,--whole-archive $(OBJECTS) -Wl,--no-whole-archive $(LIBS).
10091 
10092 2004-09-22  Niels Möller  <niels@s3.kth.se>
10093 
10094 	* configure.ac: Setup SHLIBFORLINK and friends for cygwin.
10095 
10096 	* list-obj-sizes.awk: Strip *_a-prefix from all file names.
10097 
10098 	* Makefile.am (libnettle_a_SOURCES): List only .c files. Headers
10099 	moved to noinst_HEADERS.
10100 	(SHLIBOBJECTS): Substitute from libnettle_a_SOURCES, not
10101 	am_libnettle_a_OBJECTS, since the latter includes
10102 	libnettle_a-prefixes with some automake versions.
10103 	(SHLIBSONAME): Check if this name is empty, which is the case on
10104 	cygwin, before using it.
10105 
10106 2004-08-31  Niels Möller  <nisse@lysator.liu.se>
10107 
10108 	* configure.ac: New command line option --disable-pic. Use
10109 	LSH_CCPIC.
10110 
10111 	* Makefile.am (libnettle_a_CFLAGS): Added $(CCPIC), to attempt to
10112 	build also the static library as position independent code.
10113 
10114 2004-08-24  Niels Möller  <nisse@lysator.liu.se>
10115 
10116 	* des-compat.c (des_cbc_cksum): Pad input with NUL's, if it's not
10117 	an integral number of blocks.
10118 
10119 2004-08-24  Niels Möller  <niels@s3.kth.se>
10120 
10121 	* testsuite/arctwo-test.c, arctwo.h, arctwo.c
10122 	(arctwo_set_key_ekb): Fixed typo; it should be "ekb", not "ebk".
10123 
10124 	Integrated arctwo patch from Simon Josefsson.
10125 	* testsuite/Makefile.am (noinst_PROGRAMS): Added arctwo-test.
10126 
10127 	* Makefile.am (libnettleinclude_HEADERS): Added arctwo.h.
10128 	(libnettle_a_SOURCES): Added arctwo.c, arctwo.h and arctwo-meta.c.
10129 
10130 	* nettle-meta.h (nettle_arctwo40, nettle_arctwo64)
10131 	(nettle_arctwo64, nettle_arctwo_gutmann128): Declare ciphers.
10132 
10133 	* arctwo-meta.c, arctwo.c, arctwo.h, testsuite/arctwo-test.c: New
10134 	files.
10135 
10136 	* macros.h (LE_READ_UINT16, LE_WRITE_UINT16): New macros.
10137 
10138 2004-08-23  Niels Möller  <nisse@lysator.liu.se>
10139 
10140 	* testsuite/md5-test.c (test_main): Added collision, found in 2004.
10141 	(test_main): Added second collision.
10142 
10143 2004-08-23  Niels Möller  <niels@s3.kth.se>
10144 
10145 	* testsuite/md5-test.c (test_main): Added first half of a
10146 	collision test case.
10147 
10148 	* des-compat.c (des_cbc_cksum): Changed input argument to be of
10149 	type const uint8_t * (was const des_cblock *).
10150 
10151 	* des-compat.h (const_des_cblock): New bogus type. Disabled use of
10152 	const, for compatibility with openssl.
10153 
10154 2004-06-08  Niels Möller  <niels@s3.kth.se>
10155 
10156 	* aesdata.c: Renamed log and ilog to gf2_log and gf2_exp.
10157 
10158 2004-04-07  Niels Möller  <nisse@lysator.liu.se>
10159 
10160 	* aes-set-encrypt-key.c (log, ilog): Deleted unused tables.
10161 
10162 	* aes-set-decrypt-key.c (gf2_log, gf2_exp, mult): Renamed tables,
10163 	were log and ilog.
10164 
10165 2004-03-20  Niels Möller  <nisse@lysator.liu.se>
10166 
10167 	* configure.ac: Use AC_CONFIG_AUX_DIR([.]).
10168 
10169 2004-03-18  Niels Möller  <niels@s3.kth.se>
10170 
10171 	* examples/io.c (read_file): Display a message if fopen fails.
10172 
10173 2004-03-05  Niels Möller  <nisse@lysator.liu.se>
10174 
10175 	* Released nettle-1.10.
10176 
10177 	* configure.ac (SHLIBMINOR): Shared library version is now 2.2.
10178 
10179 2004-03-04  Niels Möller  <nisse@lysator.liu.se>
10180 
10181 	* testsuite/symbols-test: Pass -g flag to nm.
10182 
10183 2004-03-02  Niels Möller  <nisse@lysator.liu.se>
10184 
10185 	* configure.ac: Fixed EXEEXT workaround.
10186 
10187 2004-03-02  Niels Möller  <niels@s3.kth.se>
10188 
10189 	* configure.ac: Added workaround to get the correct $(EXEEXT)=''
10190 	when compiling with rntcl.
10191 
10192 2004-03-02  Niels Möller  <nisse@lysator.liu.se>
10193 
10194 	* testsuite/Makefile.am (noinst_PROGRAMS): Put test program list
10195 	here, to let automake add $(EXEEXT).
10196 
10197 	* configure.ac (RSA_EXAMPLES): Append $(EXEEXT) to the filenames.
10198 
10199 2004-03-01  Niels Möller  <nisse@lysator.liu.se>
10200 
10201 	* examples/rsa-keygen.c, examples/rsa-encrypt.c,
10202 	examples/rsa-decrypt.c: Include "getopt.h" instead of <unistd.h>.
10203 
10204 	* examples/Makefile.am (rsa_encrypt_SOURCES, rsa_decrypt_SOURCES)
10205 	(rsa_keygen_SOURCES): Added getopt.h, getopt.c and getopt1.c.
10206 
10207 	* examples/getopt.h, examples/getopt.c, examples/getopt1.c: New
10208 	files.
10209 
10210 	* testsuite/des-compat-test.c: Don't include <unistd.h>.
10211 
10212 	* testsuite/testutils.c (main): Don't use getopt. Then we don't
10213 	need to include <unistd.h>.
10214 
10215 2004-03-01  Niels Möller  <niels@s3.kth.se>
10216 
10217 	* config.guess: Copied from automake-1.8.2. Hacked to recognize
10218 	Windows_NT (and Windows_95 and Windows_98) running on "x86" and
10219 	"686".
10220 
10221 	* install-sh: Removed from CVS repository. Let automake supply it.
10222 
10223 2004-02-26  Niels Möller  <nisse@lysator.liu.se>
10224 
10225 	* nettle-meta.h (nettle_crypt_func): Typedef moved to cbc.h.
10226 	Include cbc.h instead.
10227 
10228 	* des-compat.c: Reverted const change, now all the des_key_sched
10229 	arguments are not const. This is also what openssl's interface
10230 	looks like.
10231 	(cbc_crypt_func): Deleted typedef, use nettle_crypt_func instead.
10232 
10233 	* cbc.h (nettle_crypt_func): Moved typedef here.
10234 	* cbc.c (cbc_encrypt, cbc_decrypt_internal, cbc_decrypt): Use it
10235 	for typing the f argument. Reverted the const change, for
10236 	compatibility with nettle_crypt_func.
10237 
10238 2004-02-25  Niels Möller  <nisse@lysator.liu.se>
10239 
10240 	* testsuite/des-compat-test.c: Use des_cblock for typing more of
10241 	the variables. Use const. Got rid of most of the explicit casts.
10242 	Disabled the input/output alignment tests.
10243 
10244 	* des.c (des_encrypt, des_decrypt): Use a const context pointer.
10245 	* des3.c (des3_encrypt, des3_decrypt): Likewise.
10246 
10247 	* cbc.c (cbc_encrypt, cbc_decrypt): Use a _const_ void *ctx argument.
10248 
10249 	* des-compat.c: Use const for all unchanged arguments.
10250 	(des_key_sched): Use a copy of the key if we need to fix the
10251 	parity.
10252 
10253 	* testsuite/des-compat-test.c (C_Block, Key_schedule): Deleted
10254 	defines. Deleted some of the explicit casts.
10255 
10256 	* des-compat.c (des_cbc_cksum): Dereference DST pointer.
10257 
10258 2004-02-25  Niels Möller  <niels@s3.kth.se>
10259 
10260 	* pgp.h: Include nettle-types.h.
10261 
10262 2004-02-24  Niels Möller  <nisse@lysator.liu.se>
10263 
10264 	* testsuite/symbols-test: Allow symbols starting with double
10265 	underscores, like on darwin.
10266 
10267 2004-02-17  Niels Möller  <niels@s3.kth.se>
10268 
10269 	* Makefile.am: Protected %-rules used for building pure objects,
10270 	and for assembler files, by automake conditionals. Needed for
10271 	makes such as tru64's, which tries to understand %-patterns, but
10272 	doesn't get it right.
10273 	(SUFFIXES): Added .html.
10274 	(.texinfo.html): Rewrote rule to use a traditional suffix target.
10275 
10276 	* configure.ac (enable_assembler): Explicitly set
10277 	enable_assembler=no, on architectures where we have no assembler
10278 	files.
10279 	(ENABLE_ASSEMBLER, ENABLE_SHARED): New automake conditionals.
10280 
10281 	* testsuite/testutils.c (xalloc): xalloc(0) should work also on
10282 	systems where malloc(0) returns NULL.
10283 
10284 2004-02-16  Niels Möller  <niels@s3.kth.se>
10285 
10286 	* Makefile.am (%.o: %.asm): Added comment about OSF1 make problem.
10287 
10288 2004-02-15  Niels Möller  <nisse@lysator.liu.se>
10289 
10290 	* testsuite/testutils.h: #include nettle-types.h instead of
10291 	inttypes.h.
10292 
10293 2004-02-12  Niels Möller  <nisse@lysator.liu.se>
10294 
10295 	* examples/rsa-encrypt-test: Use -r option when invoking
10296 	rsa-encrypt. Needed for the test to work on systems with no
10297 	/dev/urandom.
10298 
10299 2004-02-12  Niels Möller  <niels@s3.kth.se>
10300 
10301 	* configure.ac (CPPFLAGS, LDFLAGS): No spaces after -I and -L, as
10302 	some C compilers, in particular Tru64 cc, don't like that.
10303 
10304 2004-02-08  Niels Möller  <nisse@lysator.liu.se>
10305 
10306 	* configure.ac: Bumped version number to 1.10.
10307 
10308 2004-02-07  Niels Möller  <nisse@lysator.liu.se>
10309 
10310 	* Released nettle-1.9.
10311 
10312 	* configure.ac (SHLIBMINOR): Bumped, library version is now 2.1.
10313 
10314 	* testsuite/sexp-format-test.c: Include bignum.h only if HAVE_LIBGMP.
10315 	* testsuite/rsa-encrypt-test.c: Include rsa.h only if WITH_PUBLIC_KEY.
10316 	* testsuite/pkcs1-test.c: Include pkcs1.h only if WITH_PUBLIC_KEY.
10317 
10318 	* pgp-encode.c [!HAVE_LIBGMP]: Kludge around pgp.h's
10319 	dependency on gmp.h.
10320 	(pgp_put_mpi): Condition on HAVE_LIBGMP.
10321 
10322 	* pgp.h: Don't include bignum.h, to make it possible to compile
10323 	the non-bignum parts of pgp-encode.c without bignum support. Needs
10324 	to be fixed properly before the pgp interface is advertised.
10325 
10326 	* tools/sexp-conv.c (xalloc): New function.
10327 	(main): Use xalloc.
10328 
10329 	* tools/output.c (sexp_put_digest): Use TMP_DECL instead of alloca.
10330 
10331 	* testsuite/testutils.c (xalloc): New function. Made all other
10332 	functions use xalloc instead of alloca.
10333 
10334 	* examples/rsa-keygen.c (main): Use xalloc for allocation.
10335 	* examples/rsa-encrypt.c (write_bignum): Likewise.
10336 	* examples/rsa-decrypt.c (read_bignum): Likewise.
10337 	* testsuite/yarrow-test.c (open_file): Likewise.
10338 	* testsuite/rsa-encrypt-test.c (test_main): Likewise.
10339 	* testsuite/bignum-test.c (test_bignum): Likewise.
10340 
10341 	* examples/nettle-openssl.c: When calling des_key_sched and
10342 	des_ecb_encrypt, cast arguments to (void *). Openssl's typedefs
10343 	des_cblock and const_des_cblock are too broken.
10344 
10345 	* examples/nettle-benchmark.c (xalloc): New function. Use instead
10346 	of alloca, for better portability.
10347 
10348 	* examples/io.c (xalloc): New function.
10349 
10350 	* Makefile.am (nodist_libnettleinclude_HEADERS): nettle-types.h
10351 	should not be distributed.
10352 
10353 2004-02-06  Niels Möller  <niels@s3.kth.se>
10354 
10355 	* x86/sha1-compress.asm: Rename round -> ROUND.
10356 
10357 	* x86/sha1-compress.asm: Store the magic constants on stack.
10358 	Accessing them via %esp should be a little faster than using large
10359 	immediate operands.
10360 
10361 	* Makefile.am (EXTRA_DIST, DISTCLEANFILES): Handle
10362 	sha1-compress.asm.
10363 
10364 	* configure.ac: Use assembler file sha1-compress.asm if available.
10365 
10366 	* x86/sha1-compress.asm (EXPAND): Fixed the rotation part of the
10367 	data expansion.
10368 
10369 2004-02-06  Niels Möller  <nisse@lysator.liu.se>
10370 
10371 	* x86/sha1-compress.asm: Assembler implementation of
10372 	sha1_compress. (Not yet working).
10373 
10374 	* Makefile.am (libnettle_a_SOURCES): Added sha1-compress.c.
10375 
10376 	* sha1.c (sha1_transform): Function renamed to sha1_compress, and
10377 	moved to...
10378 	* sha1-compress.c: ... New file.
10379 
10380 2004-02-05  Niels Möller  <nisse@lysator.liu.se>
10381 
10382 	* examples/rsa-encrypt.c (process_file): Copy the leftover to the
10383 	start of the buffer, when preparing for the final processing.
10384 
10385 	* examples/nettle-benchmark.c (bench_hash, time_hash): New functions.
10386 	(main): Benchmark hash functions too.
10387 	(BENCH_BLOCK): Increased to 10K.
10388 	(BENCH_INTERVAL): Decreased to 0.25s.
10389 
10390 	* examples/nettle-benchmark.c (time_function): Loop around calling
10391 	f, until 1s has elapsed. Returns seconds per call. Updated bench
10392 	functions to not loop themselves.
10393 	(display): Updated MB/s calculation.
10394 
10395 	* testsuite/arcfour-test.c (test_main): Use test_cipher_stream.
10396 
10397 	* testsuite/testutils.c (test_cipher_stream): New function, that
10398 	tries dividing the input into varying size blocks before
10399 	processing.
10400 
10401 	* x86/arcfour-crypt.asm (nettle_arcfour_crypt): Bug fix, half of
10402 	the S array swap was forgotten.
10403 	* arcfour.c (arcfour_stream): Likewise.
10404 	* arcfour-crypt.c (arcfour_crypt): Likewise.
10405 
10406 2004-02-05  Niels Möller  <niels@s3.kth.se>
10407 
10408 	* x86/arcfour-crypt.asm (nettle_arcfour_crypt): Must store the new
10409 	i, j at the end of the loop.
10410 
10411 	* Makefile.am (EXTRA_DIST): Make sure x86 assembler files are
10412 	distributed.
10413 	(DISTCLEANFILES): And that the symlinks and .s files are deleted.
10414 
10415 	* x86/aes-encrypt.asm, x86/aes-decrypt.asm, x86/arcfour-crypt.asm:
10416 	Fixed debug information.
10417 
10418 	* x86/arcfour-crypt.asm: New file. About three times faster than
10419 	the optimized C code.
10420 
10421 	* configure.ac: Use assembler file arcfour-crypt.asm if available.
10422 
10423 	* arcfour.c (arcfour_crypt): Moved function to...
10424 	* arcfour-crypt.c (arcfour_crypt): New file.
10425 
10426 	* arcfour.c (arcfour_crypt): Optimization suggested by Jonas
10427 	Walldén. Makes arcfour up to 50% faster on x86 and ppc, and
10428 	probably on other architectures as well.
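
The two 2004-02-05 entries above fix the same arcfour output loop twice: half of the S-array swap was missing, and the updated i, j were not stored back into the context at the end of the loop. As an added example that is not nettle's arcfour.c, the following C code implements RC4 with the full swap next to a flag that reproduces the missing half, checks the widely published "Key"/"Plaintext" test vector, and shows that the buggy loop turns S into something that is no longer a permutation. The struct and function names are this example's own, not nettle's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not nettle's arcfour.c. struct rc4_ctx and the
   function names below are assumed for this example only. */

struct rc4_ctx { uint8_t S[256]; uint8_t i, j; };

/* Key schedule: S starts as the identity permutation and is swapped
   into place under the key. Every step is a full two-sided swap. */
static void
rc4_set_key(struct rc4_ctx *ctx, const uint8_t *key, size_t key_len)
{
  unsigned i, j = 0;
  for (i = 0; i < 256; i++)
    ctx->S[i] = (uint8_t) i;
  for (i = 0; i < 256; i++)
    {
      uint8_t t = ctx->S[i];
      j = (j + t + key[i % key_len]) & 0xff;
      ctx->S[i] = ctx->S[j];
      ctx->S[j] = t;
    }
  ctx->i = ctx->j = 0;
}

/* Output loop. full_swap == 0 reproduces the bug: S[i] receives S[j],
   but S[j] never receives the old S[i], so one value is duplicated and
   one is lost. The new i, j are written back to the context at the end,
   which is the second fix from the entries above. */
static void
rc4_crypt(struct rc4_ctx *ctx, int full_swap,
          size_t n, uint8_t *dst, const uint8_t *src)
{
  uint8_t i = ctx->i, j = ctx->j;
  size_t k;
  for (k = 0; k < n; k++)
    {
      uint8_t si, sj;
      i = (uint8_t) (i + 1);
      si = ctx->S[i];
      j = (uint8_t) (j + si);
      sj = ctx->S[j];
      ctx->S[i] = sj;
      if (full_swap)
        ctx->S[j] = si;
      dst[k] = src[k] ^ ctx->S[(uint8_t) (si + sj)];
    }
  ctx->i = i;
  ctx->j = j;
}

/* 1 if every byte value 0..255 occurs exactly once in S. */
static int
rc4_state_is_permutation(const struct rc4_ctx *ctx)
{
  unsigned seen[256] = { 0 };
  unsigned k;
  for (k = 0; k < 256; k++)
    seen[ctx->S[k]]++;
  for (k = 0; k < 256; k++)
    if (seen[k] != 1)
      return 0;
  return 1;
}

/* Known answer: key "Key", plaintext "Plaintext" must encrypt to
   bb f3 16 e8 d9 40 af 0a d3. Returns 1 when the full-swap loop matches
   and the buggy loop has destroyed the permutation. */
int
rc4_selftest(void)
{
  static const uint8_t key[] = "Key";
  static const uint8_t msg[] = "Plaintext";
  static const uint8_t expect[9] =
    { 0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3 };
  struct rc4_ctx good, bad;
  uint8_t out_good[9], out_bad[9];

  rc4_set_key(&good, key, 3);
  rc4_set_key(&bad, key, 3);
  if (!rc4_state_is_permutation(&good))
    return 0;
  rc4_crypt(&good, 1, 9, out_good, msg);
  rc4_crypt(&bad, 0, 9, out_bad, msg);
  return memcmp(out_good, expect, 9) == 0
    && rc4_state_is_permutation(&good)
    && !rc4_state_is_permutation(&bad);
}

int
main(void)
{
  printf("rc4 selftest: %s\n", rc4_selftest() ? "ok" : "FAILED");
  return rc4_selftest() ? 0 : 1;
}
```

The permutation check is the quick way to catch this class of bug in a test suite: after a correct key schedule and any number of output steps S must still contain each byte exactly once, whereas with the half swap a value is lost the first time i and j differ.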
10429 
10430 2004-01-31  Niels Möller  <nisse@lysator.liu.se>
10431 
10432 	* configure.ac (AX_CREATE_STDINT_H): Also look for uint32_t and
10433 	friends in sys/types.h.
10434 
10435 2004-01-11  Niels Möller  <nisse@harpo.hack.org>
10436 
10437 	* Makefile.am (libnettleinclude_HEADERS): Added bignum.h,
10438 	memxor.h, pkcs1.h and rsa-compat.h.
10439 
10440 	* configure.ac: Bumped version to 1.9.
10441 
10442 2004-01-10  Niels Möller  <nisse@harpo.hack.org>
10443 
10444 	* Released nettle-1.8.
10445 
10446 	* examples/teardown-env: Delete more test files.
10447 
10448 	* nettle.texinfo (Hash functions): Documented md2 and md4.
10449 
10450 	* configure.ac (SHLIBMAJOR): Bumped to 2.
10451 
10452 2004-01-09  Niels Möller  <nisse@harpo.hack.org>
10453 
10454 	* examples/rsa-encrypt-test: New testcase.
10455 
10456 	* examples/rsa-encrypt.c, examples/rsa-session.h: Expanded the
10457 	comment describing the file format, and moved to rsa-session.h.
10458 
10459 	* examples/rsa-decrypt.c (process_file): Finished this function.
10460 	(main): Initialize x. Check the size of the session key after rsa
10461 	decryption.
10462 
10463 	* examples/io.c (write_string): Treat short item count as an error.
10464 
10465 2004-01-08  Niels Möller  <niels@s3.kth.se>
10466 
10467 	* index.html: Added instructions for CVS access.
10468 
10469 	* dsa-keygen.c (dsa_nist_gen): Fixed declaration/statement order.
10470 
10471 	* rsa-keygen.c (bignum_next_prime): Fixed off-by-one error when
10472 	comparing input to the largest listed prime. General cleanup, as
10473 	prime_limit > 0 always. Use TMP_DECL and TMP_ALLOC.
10474 
10475 	* nettle-internal.h (TMP_DECL, TMP_ALLOC): New macros. When alloca
10476 	is unavailable, they work by allocating a fixed amount of stack and
10477 	imposing a hard limit on what can be allocated. Updated all users
10478 	of alloca.
10479 
10480 2004-01-07  Niels Möller  <nisse@harpo.hack.org>
10481 
10482 	* nettle-types.h: New (generated) file, to be used instead of
10483 	including <inttypes.h> directly. Updated all users of inttypes.h.
10484 
10485 	* Makefile.am (DISTCLEANFILES, libnettleinclude_HEADERS): Added
10486 	nettle-types.h.
10487 
10488 	* configure.ac (AX_CREATE_STDINT_H): Create nettle-types.h.
10489 
10490 2003-11-16  Niels Möller  <nisse@harpo.hack.org>
10491 
10492 	* yarrow256.c (yarrow256_seed): Use const for the seed_file input.
10493 
10494 2003-11-12  Niels Möller  <niels@s3.kth.se>
10495 
10496 	* list-obj-sizes.awk: New function for decoding hex values, with a
10497 	new function hex2int. Also implemented calculation of total
10498 	storage, removed the dependence on the .comment section, and use
10499 	the $FILTER environment variable as a regexp for restricting the
10500 	object files that are considered.
10501 
10502 2003-09-21  Niels Möller  <nisse@cuckoo.hack.org>
10503 
10504 	* testsuite/rsa-encrypt-test.c (test_main): Don't use gmp_printf,
10505 	as it seems it's only available with the newer gmp. Use
10506 	mpz_out_str instead.
10507 
10508 2003-09-19  Niels Möller  <niels@s3.kth.se>
10509 
10510 	* examples/Makefile.am (EXTRA_DIST): Added rsa-session.h.
10511 
10512 	* tools/nettle-lfib-stream.c: New tool, which outputs a sequence
10513 	of pseudorandom (non-cryptographic) bytes, using Knuth's lagged
10514 	fibonacci generator.
10515 
10516 	* examples/rsa-decrypt.c: Fixes to get the file to compile. It
10517 	won't work yet.
10518 
10519 	* examples/Makefile.am (EXTRA_PROGRAMS): Added rsa-encrypt and
10520 	rsa-decrypt.
10521 
10522 	* examples/io.c (write_file): New function.
10523 	(write_string): Simplified error check, there's no real point in
10524 	calling ferror unless we also call fflush.
10525 
10526 	* examples/rsa-keygen.c (main): Check return value from
10527 	simple_random.
10528 
10529 	* examples/rsa-decrypt.c, examples/rsa-encrypt.c,
10530 	examples/rsa-session.h: New files, demonstrating rsa encryption
10531 	and decryption.
10532 
10533 	* configure.ac (RSA_EXAMPLES): Added rsa-encrypt and rsa-decrypt.
10534 
10535 2003-09-01  Niels Möller  <nisse@cuckoo.hack.org>
10536 
10537 	* testsuite/testutils.c (print_hex): Use const.
10538 
10539 2003-08-30  Niels Möller  <niels@s3.kth.se>
10540 
10541 	* md2.c, md2.h: Added reference to RFC 1319.
10542 	* md4.c, md4.h: Added reference to RFC 1320.
10543 
10544 2003-08-26  Niels Möller  <niels@s3.kth.se>
10545 
10546 	* Makefile.am: Added md2 and md5 files. Deleted the print-path
10547 	hack.
10548 
10549 	* configure.ac: Bumped version to 1.8.
10550 
10551 	* testsuite/testutils.c (test_rsa_set_key_1): New function.
10552 	* testsuite/rsa-test.c (test_main): Use it.
10553 
10554 	* testsuite/dsa-keygen-test.c: Deleted definition of UNUSED, it's
10555 	now in config.h.
10556 	* testsuite/rsa-keygen-test.c: Likewise.
10557 
10558 	* testsuite/Makefile.am (TS_PROGS): Added rsa-encrypt-test,
10559 	md4-test, and md2-test.
10560 
10561 	* testsuite/rsa-encrypt-test.c, testsuite/md4-test.c,
10562 	testsuite/md2-test.c: New test cases.
10563 
10564 	* nettle-meta.h: Declare nettle_md2 and nettle_md4.
10565 
10566 	* md5.c: Reordered functions, putting md5_final at the end.
10567 
10568 	* md2.c, md2.h, md2-meta.c: New files, implemented md2.
10569 	* md4.c, md4.h, md4-meta.c: New files, implemented md4.
10570 
10571 2003-08-17  Niels Möller  <nisse@cuckoo.hack.org>
10572 
10573 	* desCode.h (des_keymap, des_bigmap): Deleted extern declarations,
10574 	they conflicted with the static definition in des.c. Reported by
10575 	Simon Josefsson.
10576 
10577 	* des.c (DesSmallFipsEncrypt, DesSmallFipsDecrypt): Moved
10578 	definitions after the definition of the des_keymap array.
10579 
10580 2003-08-11  Niels Möller  <nisse@cuckoo.hack.org>
10581 
10582 	* rsa-encrypt.c (rsa_encrypt): Bugfix contributed by
10583 	leg@terra.com.br.
10584 
10585 2003-06-10  Niels Möller  <niels@s3.kth.se>
10586 
10587 	* Makefile.am (EXTRA_DIST): Distribute sha-example.c.
10588 
10589 2003-06-05  Niels Möller  <nisse@lysator.liu.se>
10590 
10591 	* Makefile.am (DISTCLEANFILES): Delete .s files.
10592 
10593 2003-05-27  Niels Möller  <nisse@cuckoo.hack.org>
10594 
10595 	* testsuite/symbols-test: And allow symbols that start at the
10596 	beginning of the line, as output by AIX nm.
10597 
10598 2003-05-26  Niels Möller  <nisse@cuckoo.hack.org>
10599 
10600 	* testsuite/symbols-test: Allow symbols to start with a dot.
10601 
10602 2003-05-14  Niels Möller  <niels@s3.kth.se>
10603 
10604 	* pgp.h (enum pgp_subpacket_tag): Copied values from RFC 2440.
10605 	Renamed PGP_SUBPACKET_ISSUER to PGP_SUBPACKET_ISSUER_KEY_ID.
10606 
10607 2003-05-13  Niels Möller  <nisse@cuckoo.hack.org>
10608 
10609 	* pgp.h: Do proper namemangling for pgp_put_public_rsa_key and
10610 	pgp_put_rsa_sha1_signature.
10611 
10612 	* pgp-encode.c (pgp_put_mpi): Fixed nettle_mpz_get_str_256 call.
10613 
10614 2003-05-12  Niels Möller  <nisse@cuckoo.hack.org>
10615 
10616 	* rsa2openpgp.c (rsa_keypair_to_openpgp): Some bugfixes.
10617 
10618 	* pgp.h (enum pgp_subpacket_tag): New enum. Definition is bogus
10619 	and needs to be fixed.
10620 	Added forward declarations of structs, and prototypes for
10621 	pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature.
10622 
10623 	* pgp-encode.c (pgp_put_mpi): Take a const mpz_t argument. Bugfix,
10624 	use nettle_mpz_get_str_256.
10625 	(pgp_put_public_rsa_key, pgp_put_rsa_sha1_signature):
10626 	Constification. Some bugfixes.
10627 
10628 	* Use "config.h", not <config.h>.
10629 
10630 	* Reordered includes in most or all .c-files. All should now
10631 	include config.h.
10632 
10633 2003-05-12  Niels Möller  <niels@s3.kth.se>
10634 
10635 	* configure.ac: Use LSH_FUNC_ALLOCA.
10636 
10637 2003-04-25  Niels Möller  <niels@s3.kth.se>
10638 
10639 	* Makefile.am (libnettle_a_SOURCES): Added hmac-sha256.c.
10640 
10641 	* testsuite/hmac-test.c (test_main): Added tests for hmac-sha256,
10642 	from draft-ietf-ipsec-ciph-sha-256-01.txt.
10643 
10644 	* hmac-sha256.c (hmac_sha256_digest): New file.
10645 
10646 2003-04-22  Niels Möller  <nisse@cuckoo.hack.org>
10647 
10648 	* sha-example.c (display_hex): Simplified by using printf better.
10649 
10650 	* nettle.texinfo (Example): Use @verbatiminclude to include the
10651 	example program.
10652 
10653 	* sha-example.c: Example program, for inclusion in the manual.
10654 	Fixed bugs reported by Mark Arking.
10655 
10656 2003-04-14  Niels Möller  <niels@s3.kth.se>
10657 
10658 	* x86/aes-encrypt.asm (nettle_aes_encrypt): Fixed references to
10659 	_nettle_aes_encrypt_table.
10660 	* x86/aes-decrypt.asm (nettle_aes_decrypt): Fixed references to
10661 	_nettle_aes_decrypt_table.
10662 
10663 2003-04-12  Niels Möller  <nisse@cuckoo.hack.org>
10664 
10665 	* testsuite/Makefile.am (TS_SH): New test case symbols-test.
10666 	(EXTRA_PROGRAMS): Added testutils, as a kludge to
10667 	get automake to track dependencies for testutils.o.
10668 
10669 	* x86/aes-encrypt.asm (nettle_aes_encrypt): Renamed function to
10670 	use the nettle_ prefix.
10671 	* x86/aes-decrypt.asm (nettle_aes_decrypt): Likewise.
10672 	* sparc/aes.asm (_nettle_aes_crypt): Likewise.
10673 
10674 	* examples/Makefile.am (EXTRA_PROGRAMS): Add "io", as a kludge to
10675 	get automake to track dependencies for io.o.
10676 	(LDADD): Added ../libnettle.a, for the dependency.
10677 
10678 	* des-compat.c: Use names with the nettle_ prefix when using
10679 	Nettle's des functions.
10680 
10681 	* base16-meta.c (base16_encode_update): Need to undef before
10682 	redefining.
10683 
10684 	* New name mangling, to reduce the risk of link collisions. All
10685 	functions (except memxor) now use a nettle_ or _nettle prefix when
10686 	seen by the linker. For most functions, the header file that
10687 	declares a function also use #define to provide a shorter more
10688 	readable name without the prefix.
10689 
10690 2003-03-11  Niels Möller  <nisse@cuckoo.hack.org>
10691 
10692 	* Released nettle-1.7.
10693 
10694 	* configure.ac: Bumped version to 1.7.
10695 
10696 	* nettle.texinfo (DSA): New section.
10697 	(RSA): Updated documentation.
10698 
10699 2003-03-02  Niels Möller  <nisse@cuckoo.hack.org>
10700 
10701 	* examples/nettle-benchmark.c (time_cipher): Don't use GNU C
10702 	non-constant initializers.
10703 
10704 2003-02-23  Niels Moller  <nisse@carduelis>
10705 
10706 	* configure.ac: Use LSH_GCC_ATTRIBUTES.
10707 
10708 2003-02-19  Niels Möller  <nisse@cuckoo.hack.org>
10709 
10710 	* acinclude.m4: Deleted file from cvs, use a link to lsh's
10711 	acinclude.m4 instead.
10712 
10713 2003-02-16  Niels Möller  <nisse@cuckoo.hack.org>
10714 
10715 	* Makefile.am (libnettleinclude_HEADERS): Added macros.h.
10716 
10717 	* tools/Makefile.am (EXTRA_DIST): Added getopt.h.
10718 
10719 2003-02-14  Niels Möller  <niels@s3.kth.se>
10720 
10721 	* Makefile.am (print_path): Added target to print the used PATH,
10722 	for debugging.
10723 	(print-path): Moved dependency to all-local.
10724 
10725 2003-02-11  Niels Möller  <niels@s3.kth.se>
10726 
10727 	* buffer.c (nettle_buffer_copy): Bug fix, it didn't return any
10728 	value.
10729 
10730 2003-02-11  Niels Möller  <nisse@cuckoo.hack.org>
10731 
10732 	* testsuite/sexp-format-test.c (test_main): Added test for %( and
10733 	%).
10734 
10735 	* sexp-format.c (sexp_vformat): Handle %( and %).
10736 
10737 	* realloc.c (nettle_xrealloc): Fixed out-of-memory check.
10738 
10739 	* configure.ac (SHLIBMAJOR): Bumped version number to 1.
10740 
10741 	* buffer.c (nettle_buffer_init_realloc): New function.
10742 	* buffer-init.c (nettle_buffer_init): Use nettle_buffer_init_realloc.
10743 
10744 2003-02-10  Niels Möller  <nisse@cuckoo.hack.org>
10745 
10746 	* testsuite/sexp-format-test.c (test_main): New test with tokens
10747 	in the format string.
10748 	(test_main): Test space-separated literals too.
10749 
10750 	* rsa2sexp.c (rsa_keypair_to_sexp): New argument ALGORITHM_NAME.
10751 	* examples/rsa-keygen.c (main): Updated call to rsa_keypair_to_sexp.
10752 	* testsuite/rsa2sexp-test.c (test_main): Likewise.
10753 
10754 	* sexp-format.c (sexp_vformat): Allow whitespace in format string.
10755 
10756 	* rsa2sexp.c (rsa_keypair_to_sexp): Use literals with sexp_format.
10757 
10758 	* sexp-format.c (format_string): New function.
10759 	(sexp_vformat): Implemented support for literals in the format
10760 	string.
10761 
10762 2003-02-06  Niels Möller  <nisse@lysator.liu.se>
10763 
10764 	* testsuite/sexp-conv-test (print_raw, print_nl): New functions.
10765 	The test functions use these instead of using echo directly.
10766 	Use the test input '3:"\x' instead of '2:"\', to be friendlier to
10767 	sysv echo.
10768 
10769 2003-02-05  Niels Möller  <nisse@lysator.liu.se>
10770 
10771 	* des-compat.h (des_set_key): Different name mangling, if this
10772 	file is included, des_set_key should refer to a function that
10773 	behaves like openssl's.
10774 
10775 	* des-compat.c (des_key_sched, des_is_weak_key): Use the name
10776 	nettle_des_set_key for referring to Nettle's function.
10777 
10778 	* des.h (des_set_key): Name mangling, linker symbols should use a
10779 	"nettle_" prefix, and this one collided with openssl. Perhaps all
10780 	symbols should be mangled in a similar way, but that's for later.
10781 
10782 	* configure.ac (LDFLAGS): --with-lib-path should add to LDFLAGS,
10783 	not replace it.
10784 
10785 2003-01-30  Niels Möller  <nisse@cuckoo.hack.org>
10786 
10787 	* tools/output.c (sexp_put_string): Fixed handling of escapable
10788 	characters. The code generated random escape sequences for
10789 	characters in the 0x10-0x1f range.
10790 
10791 	* testsuite/sexp-conv-test: More tests for hex and base64 input
10792 	and output.
10793 
10794 2003-01-30  Niels Möller  <niels@s3.kth.se>
10795 
10796 	* sexp2bignum.c (nettle_mpz_set_sexp): Call sexp_iterator_next on
10797 	success. That means the iterator argument can't be const.
10798 
10799 2003-01-29  Niels Möller  <niels@s3.kth.se>
10800 
10801 	* tools/Makefile.am (LDADD): Add libnettle.a, for the dependency.
10802 
10803 2003-01-27  Niels Möller  <nisse@cuckoo.hack.org>
10804 
10805 	* sexp2dsa.c (dsa_signature_from_sexp): New function.
10806 
10807 	RSA renaming. Updated all callers.
10808 	* rsa-sign.c (rsa_private_key_init, rsa_private_key_clear)
10809 	(rsa_private_key_prepare): Renamed functions.
10810 	* rsa.c (rsa_public_key_init, rsa_public_key_clear)
10811 	(rsa_public_key_prepare): Renamed functions.
10812 
10813 2003-01-23  Niels Möller  <nisse@cuckoo.hack.org>
10814 
10815 	* Makefile.am (libnettle_a_SOURCES): Added new rsa and pkcs1
10816 	files. Removed old rsa_md5.c and rsa_sha1.c.
10817 
10818 	* testsuite/Makefile.am (TS_PROGS): Added pkcs1-test.
10819 
10820 	* dsa-verify.c (dsa_verify_digest): New function.
10821 	(dsa_verify): Most of the code moved to dsa_verify_digest, which
10822 	is used here.
10823 	* dsa-sign.c (dsa_sign_digest): New function.
10824 	(dsa_sign): Most of the code moved to dsa_sign_digest, which is
10825 	used here.
10826 	* dsa.c (_dsa_hash): Deleted function.
10827 
10828 	* rsa_md5.c, rsa_sha1.c: Deleted files, contents spread over
10829 	several files for signing and verification.
10830 	* rsa-sign.c, rsa-sha1-verify.c, rsa-sha1-sign.c,
10831 	rsa-md5-verify.c, rsa-md5-sign.c:  New files.
10832 
10833 	* rsa-sha1-verify.c (rsa_sha1_verify_digest): New function.
10834 	* rsa-sha1-sign.c (rsa_sha1_sign_digest):  New function.
10835 	* rsa-md5-verify.c (rsa_md5_verify_digest):  New function.
10836 	* rsa-md5-sign.c (rsa_md5_sign_digest):  New function.
10837 	* rsa-verify.c (_rsa_verify): New file, new function.
10838 
10839 	* rsa.c (_rsa_check_size): Renamed from rsa_check_size, and made
10840 	non-static. Private key functions moved to rsa-sign.c.
10841 
10842 	* pkcs1.c, pkcs1.h, pkcs1-rsa-md5.c, pkcs1-rsa-sha1.c: New files.
10843 	(pkcs1_signature_prefix): New function.
10844 
10845 	* testsuite/pkcs1-test.c: New test.
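
The 2004-01-08 entry above describes TMP_DECL/TMP_ALLOC as a bounded fallback for alloca, and the 2003-01-23 entry introduces pkcs1_signature_prefix for the RSA signing and verification files. The following C code is an added example, not nettle's pkcs1.c or nettle-internal.h: it builds the EMSA-PKCS1-v1_5 block with the standard SHA-1 DigestInfo prefix from RFC 3447 section 9.2, and verifies a block by rebuilding the whole expected encoding in TMP scratch space and comparing every byte. HAVE_ALLOCA, RSA_MAX_OCTETS, the macro bodies and all function names are assumptions of this example, not the project's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nettle's code. HAVE_ALLOCA, RSA_MAX_OCTETS and all
   function names are assumed for this example only. */

#ifndef HAVE_ALLOCA
# define HAVE_ALLOCA 0
#endif

#if HAVE_ALLOCA
# include <alloca.h>
# define TMP_DECL(name, type, max) type *name
# define TMP_ALLOC(name, size) ((name) = alloca(sizeof(*(name)) * (size)))
#else
/* No alloca: reserve the maximum up front and refuse anything larger,
   so an oversized request can never run past the end of the frame. */
# define TMP_DECL(name, type, max) type name[max]
# define TMP_ALLOC(name, size) \
  do { if ((size) > sizeof(name) / sizeof((name)[0])) abort(); } while (0)
#endif

#define RSA_MAX_OCTETS 1024     /* largest modulus handled: 8192 bits */
#define SHA1_DIGEST_SIZE 20

/* DigestInfo prefix for SHA-1, as listed in RFC 3447 section 9.2. */
static const uint8_t sha1_prefix[15] =
  { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
    0x05, 0x00, 0x04, 0x14 };

/* EM = 00 || 01 || PS || 00 || T with T = prefix || digest and PS at
   least 8 bytes of 0xff. Fills em (k bytes). Returns 1, or 0 when the
   modulus is too small for the digest. */
int
pkcs1_sha1_encode(uint8_t *em, size_t k, const uint8_t *digest)
{
  size_t t_len = sizeof(sha1_prefix) + SHA1_DIGEST_SIZE;
  size_t ps_len;
  if (k < t_len + 11)
    return 0;
  ps_len = k - t_len - 3;
  em[0] = 0x00;
  em[1] = 0x01;
  memset(em + 2, 0xff, ps_len);
  em[2 + ps_len] = 0x00;
  memcpy(em + 3 + ps_len, sha1_prefix, sizeof(sha1_prefix));
  memcpy(em + 3 + ps_len + sizeof(sha1_prefix), digest, SHA1_DIGEST_SIZE);
  return 1;
}

/* Verify side: rebuild the expected block in scratch space and compare
   all k bytes, never just "find the hash after some 0x00". Returns 1 on
   an exact match. */
int
pkcs1_sha1_verify(const uint8_t *em, size_t k, const uint8_t *digest)
{
  TMP_DECL(expected, uint8_t, RSA_MAX_OCTETS);
  unsigned diff = 0;
  size_t i;
  if (k > RSA_MAX_OCTETS)
    return 0;
  TMP_ALLOC(expected, k);
  if (!pkcs1_sha1_encode(expected, k, digest))
    return 0;
  for (i = 0; i < k; i++)        /* no early exit: constant-time over k */
    diff |= expected[i] ^ em[i];
  return diff == 0;
}

/* Deterministic check with a constructed digest 00 01 .. 13 and a
   1024-bit modulus. Returns 1 when layout, accept and reject all behave. */
int
pkcs1_selftest(void)
{
  uint8_t digest[SHA1_DIGEST_SIZE], em[128];
  size_t i;
  for (i = 0; i < SHA1_DIGEST_SIZE; i++)
    digest[i] = (uint8_t) i;
  if (!pkcs1_sha1_encode(em, sizeof em, digest))
    return 0;
  /* 00 01, ff at 2..91, 00 at 92, prefix at 93..107, digest at 108..127 */
  if (em[0] != 0x00 || em[1] != 0x01 || em[2] != 0xff || em[91] != 0xff
      || em[92] != 0x00 || em[93] != 0x30 || em[107] != 0x14
      || em[108] != 0x00 || em[127] != 0x13)
    return 0;
  if (!pkcs1_sha1_verify(em, sizeof em, digest))
    return 0;
  em[40] = 0x00;                 /* corrupt one byte inside PS */
  if (pkcs1_sha1_verify(em, sizeof em, digest))
    return 0;
  return pkcs1_sha1_encode(em, 45, digest) == 0;  /* 46 bytes needed */
}

int
main(void)
{
  printf("pkcs1 selftest: %s\n", pkcs1_selftest() ? "ok" : "FAILED");
  return pkcs1_selftest() ? 0 : 1;
}
```

Comparing the complete encoded block, rather than locating the hash after the first 0x00, is what rejects forged blocks with short padding or trailing bytes; and with HAVE_ALLOCA unset, TMP_ALLOC aborts on any request above RSA_MAX_OCTETS instead of writing past the fixed array, which is the hard limit the 2004-01-08 entry refers to.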
10846 
10847 2003-01-22  Niels Möller  <niels@s3.kth.se>
10848 
10849 	* examples/Makefile.am (nettle_benchmark_LDADD): Use
10850 	OPENSSL_LIBFLAGS.
10851 
10852 	* configure.ac (OPENSSL_LIBFLAGS): If libcrypto is found, add
10853 	-lcrypto to OPENSSL_LIBFLAGS, not the plain LDFLAGS.
10854 
10855 2003-01-20  Niels Möller  <nisse@cuckoo.hack.org>
10856 
10857 	* testsuite/Makefile.am (CLEANFILES): Delete test.in, test1.out
10858 	and test2.out.
10859 
10860 2003-01-17  Niels Möller  <niels@s3.kth.se>
10861 
10862 	* examples/Makefile.am (AM_CPPFLAGS): Use AM_CPPFLAGS instead of
10863 	AM_CFLAGS.
10864 	* testsuite/Makefile.am (AM_CPPFLAGS): Likewise.
10865 
10866 2003-01-16  Niels Möller  <niels@s3.kth.se>
10867 
10868 	* testsuite/Makefile.am (check): Can't use quotes around
10869 	$(srcdir).
10870 
10871 2003-01-14  Niels Möller  <nisse@lysator.liu.se>
10872 
10873 	* testsuite/Makefile.am (check): Don't use "run-tests" as a
10874 	target, as it's confused with the file with the same name.
10875 
10876 	* .bootstrap: Added missing #! /bin/sh.
10877 
10878 2003-01-12  Niels Möller  <nisse@cuckoo.hack.org>
10879 
10880 	* buffer.c (nettle_buffer_reset): New function.
10881 	(nettle_buffer_copy): New function.
10882 
10883 	* tools/input.c, tools/input.h, tools/output.c, tools/output.h,
10884 	tools/parse.c, tools/parse.h, tools/misc.c, tools/misc.h: Moved
10885 	parts of sexp-conv.c to separate files.
10886 
10887 	* tools/sexp-conv.c (sexp_convert_list): Inlined into
10888 	sexp_convert_item.
10889 
10890 	* tools/sexp-conv.c (struct sexp_input): Deleted string attribute.
10891 	Changed all related functions to take a struct nettle_buffer *
10892 	argument instead.
10893 	(struct sexp_compound_token): New struct.
10894 	(sexp_compound_token_init, sexp_compound_token_clear): New
10895 	functions.
10896 	(struct sexp_parser): Added a struct sexp_compound_token
10897 	attribute, as a temporary measure.
10898 	(sexp_parse): Take a struct sexp_compound_token * as argument.
10899 	Updated all callers. Simplified handling of display types and
10900 	transport encoding.
10901 
10902 	* tools/sexp-conv.c (struct sexp_parser): Renamed struct (was
10903 	struct sexp_parse_state). Added input pointer. Updated users to
10904 	not pass around both parser and input.
10905 	(sexp_check_token): Handle token == 0.
10906 	(sexp_parse): Simplified a little by calling sexp_check_token
10907 	unconditionally.
10908 
10909 	* tools/sexp-conv.c (sexp_convert_string): Deleted function.
10910 	(sexp_skip_token): Likewise.
10911 
10912 	* tools/sexp-conv.c (enum sexp_token): New constant SEXP_DISPLAY.
10913 	Start constants from 1, to keep 0 free for special uses.
10914 	(struct sexp_parse_state): New struct for keeping track of parser
10915 	state.
10916 	(sexp_parse_init): New function.
10917 	(sexp_check_token): New function, replacing sexp_skip_token.
10918 	(sexp_parse): New function.
10919 	(sexp_convert_item): Simplified by using sexp_parse.
10920 	(sexp_convert_list): Use sexp_parse.
10921 	(main): Likewise.
10922 
10923 2003-01-08  Niels Möller  <niels@s3.kth.se>
10924 
10925 	* tools/sexp-conv.c (parse_options): Initialize prefer_hex.
10926 
10927 2003-01-07  Niels Möller  <nisse@cuckoo.hack.org>
10928 
10929 	* Makefile.am (des_headers): Refer to the desdata binary using
10930 	$(EXEEXT).
10931 
10932 2003-01-01  Niels Möller  <nisse@cuckoo.hack.org>
10933 
10934 	* testsuite/sexp-conv-test: New tests for hex and base64 literal
10935 	output.
10936 
10937 	* tools/sexp-conv.c (sexp_put_string): Print binary strings using
10938 	either hex or base 64 (in advanced mode).
10939 	(parse_options): Implemented -s hex, for output using hex rather
10940 	than base64.
10941 
10942 2002-12-30  Niels Möller  <nisse@cuckoo.hack.org>
10943 
10944 	* testsuite/rsa2sexp-test.c: Don't include rsa.h (done by
10945 	testutils.h, if enabled).
10946 	* testsuite/sexp2rsa-test.c: Likewise.
10947 
10948 	* rsa-decrypt.c: Make compilation conditional on WITH_PUBLIC_KEY.
10949 	* rsa-encrypt.c: Likewise.
10950 	* rsa-compat.c: Likewise.
10951 
10952 2002-12-04  Niels Möller  <niels@s3.kth.se>
10953 
10954 	* testsuite/Makefile.am (LDADD): Added path to ../libnettle.a,
10955 	which is redundant except for the dependency.
10956 
10957 2002-12-04  Niels Möller  <nisse@cuckoo.hack.org>
10958 
10959 	* testsuite/sexp-format-test.c (test_main): Use %0s instead of %z.
10960 	New test for %t.
10961 
10962 	* sexp-format.c (format_length_string): Deleted function.
10963 	(format_string): Deleted function.
10964 	(sexp_vformat): New %t specifier, formatting an optional display
10965 	type. Deleted %z specifier. Instead, introduced a new modifier "0"
10966 	that can be used with %s, %l and %t, which says that the data is
10967 	NUL-terminated.
10968 
10969 	* rsa2sexp.c (rsa_keypair_to_sexp): Use %0s rather than %z, when
10970 	formatting s-expressions.
10971 
10972 	* buffer.c (nettle_buffer_grow): Fixed assertion.
10973 
10974 2002-11-22  Niels Möller  <niels@s3.kth.se>
10975 
10976 	* buffer.c: Include assert.h.
10977 
10978 2002-11-21  Niels Möller  <nisse@cuckoo.hack.org>
10979 
10980 	* testsuite/testutils.c (print_hex): Add line breaks.
10981 
10982 	* Makefile.am (libnettleinclude_HEADERS): Added realloc.h.
10983 	(libnettle_a_SOURCES): Added buffer-init.c and realloc.c.
10984 
10985 	* sexp.c (sexp_iterator_exit_lists): New function, #if:ed out for
10986 	now.
10987 
10988 	* desdata.c: Include config.h, to get definition of UNUSED.
10989 	* shadata.c: Likewise.
10990 
10991 	* buffer.c (nettle_buffer_grow): New function, replacing
10992 	grow_realloc.
10993 	(nettle_buffer_clear): Rewritten to use buffer->realloc.
10994 
10995 	* buffer.h (struct nettle_buffer): Replaced the GROW function
10996 	pointer with a nettle_realloc_func pointer and a
10997 	void *realloc_ctx.
10998 	(NETTLE_BUFFER_GROW): Deleted macro, use function instead.
10999 
11000 	* buffer-init.c (nettle_buffer_init): Moved to a separate file.
11001 
11002 	* realloc.c (nettle_realloc): New function.
11003 	(nettle_xrealloc): New function.
11004 
11005 	* realloc.h (nettle_realloc_func): New typedef.
11006 
11007 	* configure.ac: Check for gcc:s __attribute__.
11008 
11009 2002-11-16  Niels Möller  <nisse@cuckoo.hack.org>
11010 
11011 	* sexp2dsa.c, sexp2rsa.c: (macro GET): Check sign of parsed
11012 	numbers.
11013 
11014 	* sexp2bignum.c (nettle_mpz_set_sexp): In the first check against
11015 	limit, added some margin to allow for sign octets.
11016 
11017 2002-11-15  Niels Möller  <nisse@cuckoo.hack.org>
11018 
11019 	* testsuite/testutils.h (LDATA): Use sizeof instead of strlen. Now
11020 	handles strings including NUL-characters. But works only with
11021 	literals and character arrays, no char pointers.
11022 	(LLENGTH): New macro, computing length the same way as LDATA.
11023 
11024 	* testsuite/sexp-test.c (test_main): Test sexp_iterator_get_uint32.
11025 
11026 	* testsuite/sexp-format-test.c (test_main): Check that %i and %b
11027 	generate leading zeroes when needed. Check that %b handles
11028 	negative numbers.
11029 
11030 	* testsuite/rsa2sexp-test.c (test_main): Updated test, one leading
11031 	zero is needed in the private key expression. In verbose mode,
11032 	print the generated keys.
11033 
11034 	* testsuite/sexp2rsa-test.c (test_main): Added a leading zero in
11035 	the private key expression.
11036 
11037 	* testsuite/bignum-test.c (test_bignum): Use
11038 	nettle_mpz_init_set_str_256_s.
11039 	(test_size): New function.
11040 	(test_main): Test size computation and formatting of negative
11041 	numbers.
11042 
11043 	* sexp2bignum.c (nettle_mpz_set_sexp): Use
11044 	nettle_mpz_set_str_256_s, to handle negative numbers correctly.
11045 
11046 	* sexp-format.c (sexp_vformat): For %i, output a leading zero when
11047 	needed to get a correct, positive, sign. For %b, use
11048 	nettle_mpz_sizeinbase_256_s, to handle negative numbers properly.
11049 
11050 	* bignum.c (nettle_mpz_sizeinbase_256_s): New function.
11051 	(nettle_mpz_sizeinbase_256_u): New name, was
11052 	nettle_mpz_sizeinbase_256. Updated all callers.
11053 	(nettle_mpz_to_octets): New function.
11054 	(nettle_mpz_get_str_256): Handle negative numbers.
11055 	(nettle_mpz_from_octets): New function.
11056 	(nettle_mpz_set_str_256_u): New name, was nettle_mpz_set_str_256.
11057 	(nettle_mpz_init_set_str_256_u): New name, was
11058 	nettle_mpz_init_set_str_256.
11059 	(nettle_mpz_set_str_256_s): New function, handling negative two's
11060 	complement numbers.
11061 	(nettle_mpz_init_set_str_256_s): And an init variant.
11062 
11063 	* sexp.c (sexp_iterator_get_uint32): New function.
11064 
11065 2002-11-10  Niels Möller  <nisse@cuckoo.hack.org>
11066 
11067 	* testsuite/sexp-conv-test: Use input files without any trailing
11068 	newline character, in order to stress the end of file handling.
11069 
11070 	* tools/sexp-conv.c (sexp_get_token_string): Fixed end of file
11071 	handling.
11072 	(sexp_get_string): Fixed end of encoding/end of file handling.
11073 	(parse_options): Check for negative width and complain.
11074 
11075 	* tools/sexp-conv.c: Use supplied getopt.
11076 	(werror): New function.
11077 	(sexp_output_hash_init): New function.
11078 	(sexp_put_char): Made base64 linebreaking configurable.
11079 	Implemented hashing.
11080 	(sexp_put_code_start, sexp_put_code_end): Don't output any
11081 	delimiters here.
11082 	(sexp_put_string): Output base64 delimiters.
11083 	(sexp_put_digest): New function.
11084 	(sexp_convert_item): Output transport delimiters.
11085 	(sexp_convert_file): Deleted function, folded with main.
11086 	(parse_options): New function.
11087 	(main): Implemented --hash and --once, needed by lsh-authorize.
11088 
11089 	* sexp.h (struct sexp_iterator): New field start.
11090 
11091 	* sexp.c (sexp_iterator_subexpr): New function.
11092 	(sexp_iterator_parse): Initialize ITERATOR->start.
11093 
11094 	* sexp-format.c (sexp_vformat): Abort if format string contains
11095 	unhandled characters.
11096 
11097 2002-11-08  Niels Möller  <niels@s3.kth.se>
11098 
11099 	* des-compat.c (des_ecb3_encrypt): Don't use struct initialization
11100 	(c89 doesn't allow non-constant initializers). Reported by James
11101 	Ralston.
11102 	(des_ede3_cbc_encrypt): Likewise.
11103 
11104 	* examples/nettle-openssl.c: Moved from the top-level directory.
11105 	Should *not* be included in the nettle library.
11106 
11107 2002-11-08  Niels Möller  <nisse@cuckoo.hack.org>
11108 
11109 	* testsuite/testutils.c (test_dsa_key): Bugfix for renamed DSA
11110 	constant (noted by James Ralston).
11111 
11112 2002-11-07  Niels Möller  <niels@s3.kth.se>
11113 
11114 	* testsuite/run-tests: Copied new version from lsh/src/testsuite.
11115 	This version handles test scripts located in $srcdir.
11116 
11117 	* examples/Makefile.am (AM_CFLAGS): We need -I$(top_srcdir).
11118 	* tools/Makefile.am (AM_CFLAGS): Likewise.
11119 	* testsuite/Makefile.am (AM_CFLAGS): Likewise.
11120 
11121 2002-11-07  Niels Möller  <nisse@cuckoo.hack.org>
11122 
11123 	* Makefile.am (SUBDIRS): Added tools.
11124 	(libnettle_a_SOURCES): Added sexp-transport-format.c,
11125 	sexp2bignum.c, sexp2dsa.c.
11126 
11127 	* sexp2dsa.c (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp):
11128 	New file, new functions.
11129 
11130 	* rsa2sexp.c (rsa_keypair_to_sexp): %s -> %z renaming.
11131 
11132 	* sexp-transport.c (sexp_transport_iterator_first): Fixed bug,
11133 	length was mishandled.
11134 
11135 	* sexp-transport-format.c (sexp_transport_format,
11136 	sexp_transport_vformat): New file, new functions.
11137 
11138 	* sexp-format.c (sexp_format): Return length of output. Allow
11139 	buffer == NULL, and only compute the needed length in this case.
11140 	Renamed %s to %z. New format specifiers %s, %i, and %l.
11141 	(sexp_vformat): New function.
11142 	(format_prefix): Rewrote to not use snprintf.
11143 
11144 	* sexp2rsa.c (rsa_keypair_from_sexp): New limit argument. Use
11145 	nettle_mpz_set_sexp.
11146 
11147 	* dsa-keygen.c (dsa_generate_keypair): Added some newlines to
11148 	progress display. Use DSA_P_MIN_BITS.
11149 
11150 	* dsa.h (DSA_MIN_P_BITS): New constant (was DSA_MINIMUM_BITS).
11151 	(DSA_Q_OCTETS, DSA_Q_BITS): New constants.
11152 	(dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New
11153 	prototypes.
11154 
11155 	* configure.ac: Output tools/Makefile.
11156 
11157 	* sexp2bignum.c (nettle_mpz_set_sexp): New file, and new function.
11158 	Moved from sexp2rsa.c:get_value.
11159 
11160 	* examples/io.c (read_rsa_key): New limit argument in
11161 	call of rsa_keypair_from_sexp_alist.
11162 
11163 	* examples/Makefile.am (noinst_PROGRAMS): Removed sexp-conv.
11164 
11165 	* tools/sexp-conv.c: Moved file from examples directory.
11166 
11167 	* testsuite/Makefile.am (TS_SH): New variable. Added
11168 	sexp-conv-test.
11169 
11170 	* testsuite/testutils.h (LDUP): New macro.
11171 
11172 	* testsuite/sexp2rsa-test.c (test_main): New limit argument in
11173 	call of rsa_keypair_from_sexp_alist.
11174 
11175 	* testsuite/sexp-test.c (test_main): Added test for lengths with
11176 	more than one digit. Added tests for transport mode decoding.
11177 
11178 	* testsuite/sexp-format-test.c (test_main): Added tests for %i and
11179 	%l.
11180 
11181 	* testsuite/sexp-conv-test: Moved test from examples directory.
11182 	Updated path to sexp-conv, now in ../tools/sexp-conv.
11183 
11184 2002-11-03  Niels Möller  <nisse@cuckoo.hack.org>
11185 
11186 	* sexp-format.c, sexp_format.c: Renamed sexp_format.c to
11187 	sexp-format.c.
11188 	* Makefile.am (libnettle_a_SOURCES): Renamed sexp_format.c to
11189 	sexp-format.c.
11190 
11191 	* examples/Makefile.am: Don't set CFLAGS or CPPFLAGS explicitly,
11192 	let automake handle that.
11193 	* testsuite/Makefile.am: Likewise.
11194 
11195 	* sexp2rsa.c (rsa_keypair_from_sexp_alist): New function.
11196 	(rsa_keypair_from_sexp): Use it.
11197 
11198 2002-11-01  Niels Möller  <niels@s3.kth.se>
11199 
11200 	* examples/Makefile.am (LDADD): Use -lnettle, instead of an
11201 	explicit filename libnettle.a, so that we will use the shared
11202 	library, if it exists.
11203 	(AM_LDFLAGS): Added -L.., so we can find -lnettle.
11204 	(run-tests): Set LD_LIBRARY_PATH to ../.lib, when running the
11205 	testsuite.
11206 	* testsuite/Makefile.am: Similar changes.
11207 
11208 	* Makefile.am (LIBOBJS): Put @LIBOBJS@ into the make variable
11209 	LIBOBJS.
11210 	(CLEANFILES): Delete libnettle.so.
11211 	(clean-local): Delete the .lib linkfarm.
11212 	($(SHLIBFORLINK)): When building libnettle.so, create a link from
11213 	.lib/$SHLIBSONAME. Needed at runtime, for the testsuite.
11214 
11215 2002-11-01  Niels Möller  <nisse@lysator.liu.se>
11216 
11217 	* configure.ac: Fixed definitions using SHLIBMAJOR and SHLIBMINOR.
11218 	Also AC_SUBST SHLIBMAJOR and SHLIBMINOR. Reported by James
11219 	Ralston.
11220 
11221 2002-10-31  Niels Möller  <niels@s3.kth.se>
11222 
11223 	* examples/sexp-conv.c (sexp_put_list_start): Deleted function.
11224 	(sexp_put_list_end): Likewise.
11225 	(sexp_put_display_start): Likewise.
11226 	(sexp_put_display_end): Likewise.
11227 	(sexp_puts): Likewise.
11228 
11229 	* examples/sexp-conv.c (sexp_get_quoted_string): Deleted function.
11230 	Merged with sexp_get_string.
11231 	(sexp_get_hex_string): Likewise.
11232 	(sexp_get_base64_string): Likewise.
11233 	(sexp_get_string): Do hex and base64 decoding.
11234 
11235 	* examples/sexp-conv.c (enum sexp_char_type): New enum, for end
11236 	markers in the input stream.
11237 	(struct sexp_input): Deleted LEVEL attribute. Deleted all usage of
11238 	it.
11239 	(sexp_get_raw_char): Use INPUT->c and INPUT->ctype to store
11240 	results. Deleted OUT argument.
11241 	(sexp_get_char): Likewise. Also removed the
11242 	INPUT->coding->decode_final call, for symmetry.
11243 	(sexp_input_end_coding): Call INPUT->coding->decode_final.
11244 	(sexp_next_char): New function.
11245 	(sexp_push_char): New function.
11246 	(sexp_get_token_char): Deleted function.
11247 	(sexp_get_quoted_char): Simplified. Deleted output argument.
11248 	(sexp_get_quoted_string): Simplified.
11249 	(sexp_get_base64_string): Likewise.
11250 	(sexp_get_token_string): Likewise.
11251 	(sexp_get_string_length): Skip the character that terminates the
11252 	string.
11253 	(sexp_get_token): Cleared up calling conventions. Always consume
11254 	the final character of the token.
11255 	(sexp_convert_list): Take responsibility for converting the start
11256 	and end of the list.
11257 	(sexp_convert_file): Call sexp_get_char first, to get the token
11258 	reading started.
11259 	(sexp_convert_item): Cleared up calling conventions. Should be
11260 	called with INPUT->token being the first token of the expression,
11261 	and returns with INPUT->token being the final token of the
11262 	expression. Return value changed to void.
11263 
11264 	* examples/sexp-conv-test: Added test for transport mode input.
11265 
11266 	* examples/sexp-conv.c (sexp_get_char): Use the nettle_armor
11267 	interface for decoding.
11268 	(sexp_input_start_coding): New function.
11269 	(sexp_input_end_coding): New function.
11270 	(sexp_get_base64_string): Rewrote to use sexp_input_start_coding
11271 	and sexp_input_end_coding.
11272 	(sexp_get_token): Generate SEXP_TRANSPORT_START tokens.
11273 	(sexp_convert_list): Lists are ended only by SEXP_LIST_END.
11274 	(sexp_convert_item): Implemented transport mode, using
11275 	sexp_input_start_coding and sexp_input_end_coding.
11276 
11277 2002-10-30  Niels Möller  <nisse@cuckoo.hack.org>
11278 
11279 	* Makefile.am: Added base16 files.
11280 
11281 	* examples/sexp-conv-test: New tests for transport output.
11282 
11283 	* examples/sexp-conv.c: Deleted hex functions, moved to Nettle's
11284 	base16 files.
11285 	(struct sexp_output): Represent the current encoding as a
11286 	nettle_armor pointer and a state struct.
11287 	(sexp_output_init): Deleted MODE argument. Now passed to functions
11288 	that need it.
11289 	(sexp_get_char): Updated to new base64 conventions.
11290 	(sexp_get_base64_string): Likewise.
11291 	(sexp_put_raw_char): New function.
11292 	(sexp_put_newline): Use sexp_put_raw_char.
11293 	(sexp_put_char): Use nettle_armor interface for encoding data.
11294 	Use OUTPUT->coding_indent for line breaking, so the INDENT
11295 	argument was deleted.
11296 	(sexp_put_code_start): New function, replacing sexp_put_base64_start.
11297 	(sexp_put_code_end): New function, replacing sexp_put_base64_end.
11298 	(sexp_put_data): Deleted argument INDENT.
11299 	(sexp_puts): Likewise.
11300 	(sexp_put_length): Likewise.
11301 	(sexp_put_list_start): Likewise.
11302 	(sexp_put_list_end): Likewise.
11303 	(sexp_put_display_start): Likewise.
11304 	(sexp_put_display_end): Likewise.
11305 	(sexp_put_string): Likewise. Also changed base64 handling.
11306 	(sexp_convert_string): Deleted argument INDENT. New argument
11307 	MODE_OUT.
11308 	(sexp_convert_list): New argument MODE_OUT.
11309 	(sexp_convert_file): Likewise.
11310 	(sexp_convert_item): Likewise. Also handle output in transport
11311 	mode.
11312 	(match_argument): Simple string comparison.
11313 	(main): Adapted to above changes.
11314 
11315 	* testsuite/testutils.c (test_armor): Allocate a larger buffer
11316 	CHECK, to make decode_update happy. Updated to new base64
11317 	conventions.
11318 
11319 	* testsuite/base64-test.c (test_main): Fixed overlap test to not
11320 	change the base64 before decoding. Updated to new base64
11321 	conventions.
11322 
11323 	* testsuite/Makefile.am (TS_PROGS): Added base16-test.
11324 
11325 	* testsuite/base16-test.c: New test.
11326 
11327 	* sexp-transport.c (sexp_transport_iterator_first): Updated to new
11328 	conventions for base64_decode_update and base64_decode_final.
11329 
11330 	* nettle-meta.h: Updated ascii armor declarations. New declaration
11331 	for nettle_base16.
11332 
11333 	* base64-decode.c (base64_decode_single): Return -1 on error.
11334 	Also keep track of the number of padding characters ('=') seen.
11335 	(base64_decode_update): New argument dst_length. Return -1 on error.
11336 	(base64_decode_status): Renamed function...
11337 	(base64_decode_final): ... to this.
11338 
11339 	* base64.h (struct base64_decode_ctx): Deleted STATUS attribute.
11340 	Added PADDING attribute.
11341 
11342 	* base16.h, base16-encode.c, base16-decode.c, base16-meta.c: New
11343 	files.
11344 
11345 2002-10-28  Niels Möller  <nisse@cuckoo.hack.org>
11346 
11347 	* examples/sexp-conv.c (struct hex_decode_ctx): New hex decoding
11348 	functions.
11349 	(sexp_get_raw_char): New function.
11350 	(sexp_get_char): Use sexp_get_raw_char.
11351 
11352 2002-10-26  Niels Möller  <nisse@cuckoo.hack.org>
11353 
11354 	* examples/sexp-conv.c (sexp_put_length): Bugfix, don't output any
11355 	leading zero.
11356 	(main): Implemented -s option.
11357 
11358 	* examples/sexp-conv-test: Test for echo -n vs echo '\c'. Added a
11359 	few tests for canonical output.
11360 
11361 2002-10-25  Niels Möller  <niels@s3.kth.se>
11362 
11363 	* examples/sexp-conv.c (struct sexp_input): Deleted the mode from
11364 	the state, that should be passed as argument to relevant
11365 	functions. Instead, introduced enum sexp_coding, to say if base64
11366 	coding is in effect.
11367 	(struct sexp_output): Added coding attribute.
11368 	(sexp_put_char): Use output->coding.
11369 	(sexp_put_base64_start): Likewise.
11370 	(sexp_put_base64_end): Likewise.
11371 
11372 	* base64-decode.c (base64_decode_single): Simplified, got rid of
11373 	the done variable.
11374 
11375 2002-10-25  Niels Möller  <nisse@cuckoo.hack.org>
11376 
11377 	* examples/sexp-conv.c (sexp_put_newline): Return void, die on
11378 	error.
11379 	(sexp_put_char, sexp_put_data, sexp_puts, sexp_put_length,
11380 	sexp_put_base64_start, sexp_put_base64_end, sexp_put_string,
11381 	sexp_put_list_start, sexp_put_list_end, sexp_put_display_start,
11382 	sexp_put_display_end, sexp_convert_string, sexp_convert_list,
11383 	sexp_skip_token): Likewise.
11384 	(sexp_convert_item): Die on error.
11385 
11386 2002-10-24  Niels Möller  <nisse@cuckoo.hack.org>
11387 
11388 	* examples/sexp-conv-test: Doesn't need echo -n anymore.
11389 
11390 	* examples/sexp-conv.c (die): New function.
11391 	(struct sexp_input): Deleted field ITEM.
11392 	(sexp_get_char): Die on failure, never return -1.
11393 	(sexp_get_quoted_char): Likewise.
11394 	(sexp_get_quoted_string): Die on failure, no returned value.
11395 	(sexp_get_base64_string): Likewise.
11396 	(sexp_get_token_string): Likewise.
11397 	(sexp_get_string): Likewise.
11398 	(sexp_get_string_length): Likewise.
11399 	(sexp_get_token): Likewise.
11400 	(sexp_convert_string): Adapted to sexp_get_token.
11401 	(sexp_convert_list): Likewise.
11402 	(sexp_convert_file): New function.
11403 	(main): Use sexp_convert_file.
11404 
11405 2002-10-23  Niels Möller  <nisse@cuckoo.hack.org>
11406 
11407 	* examples/Makefile.am (TS_PROGS): Added sexp-conv-test.
11408 
11409 	* examples/sexp-conv.c (sexp_input_init): Initialize input->string
11410 	properly.
11411 	(sexp_get_char): Fixed non-transport case.
11412 	(sexp_get_quoted_char): Fixed default case.
11413 	(sexp_get_token): Loop over sexp_get_char (needed for handling of
11414 	white space). Don't modify input->level. Fixed the code that skips
11415 	comments.
11416 	(sexp_put_char): Fixed off-by-one bug in assertion.
11417 	(sexp_put_string): Fixed escape handling for output of quoted
11418 	strings.
11419 	(sexp_convert_list): Prettier output, hanging indent after the
11420 	first list element.
11421 	(sexp_skip_token): New function.
11422 	(sexp_convert_item): Use sexp_skip_token to skip the end of a
11423 	"[display-type]".
11424 
11425 2002-10-22  Niels Möller  <nisse@cuckoo.hack.org>
11426 
11427 	* examples/sexp-conv-test: New test program.
11428 
11429 	* examples/Makefile.am (noinst_PROGRAMS): Added sexp-conv.
11430 
11431 	* examples/sexp-conv.c (sexp_convert_list): New function.
11432 	(sexp_convert_item): New function.
11433 	(main): New function. Compiles and runs now, but doesn't work.
11434 
11435 	* base64-decode.c (base64_decode_single): New function.
11436 	(base64_decode_update): Use base64_decode_single.
11437 
11438 	* examples/sexp-conv.c: Added output functions.
11439 
11440 2002-10-21  Pontus Sköld  <pont@soua.net>
11441 
11442 	* base64-encode.c (base64_encode_raw): Fixed null statement
11443 	amongst variable declarations, which broke compilation for
11444 	non-C99 compilers.
11445 
11446 2002-10-21  Niels Möller  <nisse@lysator.liu.se>
11447 
11448 	* examples/sexp-conv.c: New sexp conversion program.
11449 
11450 2002-10-21  Niels Möller  <niels@s3.kth.se>
11451 
11452 	* Makefile.am (libnettle_a_SOURCES): Added
11453 	sexp-format-transport.c.
11454 
11455 	* sexp-transport.c (sexp_transport_iterator_first): New file and
11456 	function.
11457 	* sexp.h (sexp_transport_iterator_first): Added prototype.
11458 
11459 	* sexp.c (sexp_iterator_next): Abort if iterator type is bogus.
11460 
11461 2002-10-19  Niels Möller  <nisse@cuckoo.hack.org>
11462 
11463 	* testsuite/testutils.c (test_armor): Updated to new armor
11464 	conventions.
11465 
11466 	* testsuite/base64-test.c (test_main): Test BASE64_ENCODE_LENGTH
11467 	and BASE64_DECODE_LENGTH. Updated test of base64_encode_raw (used
11468 	to be base64_encode).
11469 
11470 	* base64.h (BASE64_ENCODE_LENGTH, BASE64_DECODE_LENGTH): Fixed and
11471 	documented macros.
11472 
11473 	* base64-meta.c (base64_encode_length, base64_decode_length): New
11474 	functions, corresponding to the macros with the same name.
11475 
11476 	* Makefile.am (libnettle_a_SOURCES): base64.c replaced by
11477 	base64-encode.c and base64-decode.c.
11478 
11479 	* pgp-encode.c (pgp_armor): Use new base64 conventions.
11480 
11481 	* nettle-meta.h: Updated nettle_armor definitions.
11482 
11483 	* base64.h: Major reorganization.
11484 
11485 	* base64.c: Deleted file, contents moved to base64-encode.c or
11486 	base64-decode.c.
11487 
11488 	* base64-encode.c: New file. Now supporting both encode-at-once
11489 	and streamed operation.
11490 
11491 	* base64-decode.c: New file.
11492 
11493 2002-10-09  Niels Möller  <nisse@cuckoo.hack.org>
11494 
11495 	* testsuite/Makefile.am (TS_PROGS): Added dsa-keygen-test.
11496 
11497 	* dsa-keygen.c: Call the progress callback only if it's non-NULL.
11498 
11499 	* Makefile.am (libnettle_a_SOURCES): Added bignum-random.c and
11500 	dsa-keygen.c.
11501 
11502 	* testsuite/testutils.c (test_dsa_key): New function to sanity
11503 	check a dsa keypair.
11504 
11505 	* testsuite/dsa-test.c (test_main): Call dsa_test_key.
11506 
11507 	* testsuite/dsa-keygen-test.c: New test case.
11508 
11509 	* dsa.h (DSA_MINIMUM_BITS): New constant.
11510 
11511 	* bignum.h (nettle_mpz_random, nettle_mpz_random_size): Added
11512 	prototypes.
11513 
11514 	* dsa-keygen.c: New file.
11515 
11516 	* bignum-random.c: New file.
11517 	(nettle_mpz_random): New function, moved from...
11518 	* dsa-sign.c (nettle_mpz_random): ... here. Also changed argument
11519 	ordering and updated callers.
11520 
11521 	* bignum-random.c: (nettle_mpz_random_size): New function, renamed
11522 	and moved here from...
11523 	* rsa-keygen.c (bignum_random_size): ... here. Updated all
11524 	callers.
11525 
11526 	* testsuite/testutils.c (test_dsa): Needs both public and private
11527 	key as arguments.
11528 
11529 	* testsuite/dsa-test.c (test_main): Updated to changes of the
11530 	private key struct.
11531 
11532 	* testsuite/Makefile.am (TS_PROGS): Added dsa-test.
11533 
11534 	* rsa-decrypt.c (rsa_decrypt): Constification.
11535 	* rsa-encrypt.c (rsa_encrypt): Likewise.
11536 	* rsa.c (rsa_compute_root): Likewise.
11537 	* rsa_md5.c (rsa_md5_sign): Likewise.
11538 	(rsa_md5_verify): Likewise.
11539 	* rsa_sha1.c (rsa_sha1_sign): Likewise.
11540 	(rsa_sha1_verify): Likewise.
11541 
11542 	* dsa-verify.c (dsa_verify): Use const for the public key
11543 	argument.
11544 
11545 	* dsa-sign.c (dsa_sign): Needs the public key as argument, in
11546 	addition to the private key. Use const.
11547 
11548 	* dsa.h (struct dsa_private_key): Don't include the public
11549 	information here.
11550 	* dsa.c (dsa_private_key_init, dsa_private_key_clear): Updated to
11551 	new struct dsa_private_key.
11552 
11553 	* dsa-sign.c (dsa_sign): Bugfix, added missing mpz_init call.
11554 
11555 	* Makefile.am (libnettle_a_SOURCES): Added dsa files.
11556 	(libnettleinclude_HEADERS): Added dsa.h.
11557 
11558 	* testsuite/testutils.c (test_dsa): New function.
11559 
11560 	* testsuite/dsa-test.c: New test.
11561 
11562 	* dsa.h, dsa.c, dsa-sign.c, dsa-verify.c: New files.
11563 
11564 	* nettle-meta.h: Moved the nettle_random_func and
11565 	nettle_progress_func typedefs here...
11566 	* rsa.h: ... from here.
11567 
11568 2002-10-07  Niels Möller  <nisse@cuckoo.hack.org>
11569 
11570 	* sexp.h (enum sexp_type): Deleted SEXP_START.
11571 
11572 	* sexp.c (sexp_iterator_parse): New function, similar to the old
11573 	sexp_iterator_next, but independent of the previous value of the
11574 	iterator->type.
11575 	(sexp_iterator_first): Use sexp_iterator_parse.
11576 	(sexp_iterator_next): Likewise.
11577 	(sexp_iterator_enter_list): Use sexp_iterator_parse. SEXP_START
11578 	not needed anymore.
11579 	(sexp_iterator_exit_list): Likewise.
11580 
11581 2002-10-06  Niels Möller  <nisse@cuckoo.hack.org>
11582 
11583 	* sexp2rsa.c (get_value): No need to call sexp_iterator_next
11584 	anymore.
11585 
11586 	* sexp.c (sexp_iterator_assoc): Advance the iterator to the
11587 	element after a matching tag, before recording it.
11588 	* testsuite/sexp-test.c (test_main): Updated test.
11589 
11590 	* testsuite/sexp-test.c (test_main): No need to call
11591 	sexp_iterator_next after sexp_iterator_exit_list.
11592 
11593 	* sexp2rsa.c (rsa_keypair_from_sexp): No need to call
11594 	sexp_iterator_next anymore.
11595 
11596 	* sexp.c (sexp_iterator_next): Updated to new sexp_iterator_exit_list.
11597 	(sexp_iterator_exit_list): Return with iterator pointing to the
11598 	element after the list.
11599 	(sexp_iterator_check_type): Call sexp_iterator_next before
11600 	returning.
11601 	(sexp_iterator_check_types): Likewise.
11602 	(sexp_iterator_assoc): Rearranged calls of sexp_iterator_next.
11603 
11604 	* sexp.c (sexp_iterator_enter_list): Call sexp_iterator_next to
11605 	get to the first element of the list. Updated callers.
11606 
11607 	* base64.c (base64_encode_group): New function, used by openpgp
11608 	armoring code.
11609 
11610 	* Makefile.am: Added openpgp files.
11611 
11612 	* sexp2rsa.c (rsa_keypair_from_sexp): Use sexp_iterator_first.
11613 	* testsuite/sexp-test.c (test_main): Likewise.
11614 
11615 	* sexp.c (sexp_iterator_init): Made this function static.
11616 	(sexp_iterator_first): New, friendlier, initialization function.
11617 
11618 	* pgp-encode.c: New file. Functions for writing openpgp data
11619 	packets.
11620 
11621 	* pgp.h: New file, with pgp related declarations.
11622 
11623 	* rsa2openpgp.c (rsa_keypair_to_openpgp): New file, new function.
11624 
11625 2002-10-04  Niels Möller  <niels@s3.kth.se>
11626 
11627 	* examples/rsa-keygen.c: Use malloc, instead of asprintf.
11628 
11629 2002-10-03  Niels Möller  <nisse@cuckoo.hack.org>
11630 
11631 	* Released nettle-1.6.
11632 
11633 	* NEWS: Note the aes api change.
11634 
11635 	* examples/Makefile.am (EXTRA_DIST): Distribute setup-env and
11636 	teardown-env.
11637 
11638 2002-10-02  Niels Möller  <nisse@cuckoo.hack.org>
11639 
11640 	* examples/rsa-keygen.c (main): Comment on the lax security of the
11641 	private key file.
11642 
11643 	* index.html: Added link to mailing list.
11644 
11645 2002-10-02  Niels Möller  <niels@s3.kth.se>
11646 
11647 	* Makefile.am: Fixed assembler rules, and shared libraries.
11648 
11649 	* configure.ac: Fixed the enable-shared option.
11650 
11651 2002-10-01  Niels Möller  <nisse@cuckoo.hack.org>
11652 
11653 	* configure.ac: New option --enable-shared, and a first attempt at
11654 	building a shared library (*without* using libtool).
11655 
11656 	* Makefile.am: A first attempt at rules for building a shared
11657 	libnettle.so.
11658 
11659 2002-10-01  Niels Möller  <niels@s3.kth.se>
11660 
11661 	* examples/run-tests (test_program): Use basename.
11662 
11663 	* examples/teardown-env: Delete some more files.
11664 
11665 	* examples/run-tests (test_program): Strip directory part of
11666 	displayed name.
11667 
11668 	* examples/Makefile.am (TS_PROGS): New variable. Run tests.
11669 
11670 	* examples/io.c (read_file): Bug fix, used to overwrite pointer.
11671 
11672 	* examples/rsa-keygen.c (main): Bug fix, private key wasn't
11673 	written properly.
11674 
11675 	* testsuite/Makefile.am: Some cleanup of make check.
11676 
11677 	* examples/setup-env, examples/teardown-env: Test environment scripts.
11678 	* examples/rsa-verify-test, examples/rsa-sign-test: New test cases.
11679 
11680 	* examples/run-tests: New file (copied from lsh testsuite).
11681 
11682 	* examples/Makefile.am: Use EXTRA_PROGRAMS and @RSA_EXAMPLES@.
11683 
11684 	* examples/rsa-sign.c: No need to include config.h. Use werror
11685 	instead of fprintf.
11686 	* examples/rsa-verify.c: Likewise.
11687 	* examples/rsa-keygen.c: Likewise.
11688 
11689 	* examples/io.h: Forward declare struct rsa_public_key and struct
11690 	rsa_private_key, to avoid dependences on config.h.
11691 
11692 	* configure.ac (RSA_EXAMPLES): New substituted variable,
11693 	controlling which example programs to build.
11694 
11695 	* examples/rsa-verify.c: New example program.
11696 
11697 	* examples/rsa-keygen.c: Use functions from io.c.
11698 	* examples/rsa-sign.c: Likewise.
11699 
11700 	* examples/Makefile.am (noinst_PROGRAMS): Added rsa-verify.
11701 	(LDADD): Added io.o.
11702 
11703 	* configure.ac: New define WITH_PUBLIC_KEY, and new configure flag
11704 	--disable-public-key. Updated rsa-files to check for that, rather
11705 	than for HAVE_LIBGMP.
11706 
11707 	* examples/io.c, examples/io.h: New files. Miscellaneous functions
11708 	used by the example programs.
11709 
11710 	* base64.h (BASE64_DECODE_LENGTH): Comment fix.
11711 
11712 2002-09-30  Niels Möller  <nisse@cuckoo.hack.org>
11713 
11714 	* sexp2rsa.c (rsa_keypair_from_sexp): Bugfix: Call
11715 	rsa_prepare_public_key and rsa_prepare_private_key.
11716 
11717 	* examples/Makefile.am (noinst_PROGRAMS): Added rsa-sign.
11718 
11719 	* examples/rsa-sign.c: New example program.
11720 
11721 	* testsuite/base64-test.c (test_main): Test encoding and decoding
11722 	in place.
11723 
11724 	* base64.c (base64_encode): Encode from the end of the data
11725 	towards the start, in order to support overlapping areas.
11726 	(base64_encode): Broke out some common code from the switch.
11727 
11728 2002-09-30  Niels Möller  <niels@s3.kth.se>
11729 
11730 	* sexp_format.c (sexp_format): Don't mix code and declarations.
11731 
11732 2002-09-29  Niels Möller  <nisse@cuckoo.hack.org>
11733 
11734 	* testsuite/Makefile.am (TS_PROGS): Added buffer-test
11735 	sexp-format-test rsa2sexp-test sexp2rsa-test.
11736 
11737 
11738 	* testsuite/sexp-test.c (test_main): Updated calls to
11739 	sexp_iterator_assoc.
11740 
11741 	* testsuite/testutils.h (MEMEQH): New macro.
11742 
11743 	* testsuite/sexp2rsa-test.c: New test.
11744 	* testsuite/sexp-format-test.c: New test.
11745 	* testsuite/rsa2sexp-test.c: New test.
11746 	* testsuite/buffer-test.c: New test.
11747 
11748 	* testsuite/testutils.c (test_rsa_key): Copied this function
11749 	from...
11750 	* testsuite/rsa-keygen-test.c: ... here.
11751 
11752 	* examples/rsa-keygen.c: New file.
11753 
11754 	* Makefile.am: Added new source files and headers buffer.h,
11755 	buffer.c, sexp_format.c, sexp2rsa.c, rsa2sexp.c.
11756 
11757 	* rsa.h (rsa_keypair_to_sexp, rsa_keypair_from_sexp): New
11758 	prototypes.
11759 
11760 	* rsa2sexp.c, sexp2rsa.c: New files.
11761 
11762 	* sexp.c (sexp_iterator_assoc): Don't enter the list, associate
11763 	keys within the current list. Still exit the list when done.
11764 	(sexp_iterator_assoc): Represent keys as plain NUL-terminated
11765 	strings.
11766 	(sexp_iterator_check_type, sexp_iterator_check_types): New
11767 	functions.
11768 
11769 	* sexp_format.c: New file, implementing an sexp canonical syntax
11770 	formatter.
11771 
11772 	* buffer.c, buffer.h: New files, implementing a bare-bones string
11773 	stream.
11774 
11775 	* bignum.c (nettle_mpz_sizeinbase_256): New function.
11776 
11777 2002-09-28  Niels Möller  <nisse@cuckoo.hack.org>
11778 
11779 	* sexp.c (sexp_iterator_assoc): Return 0 for missing or duplicate
11780 	keys. Now passes all the tests.
11781 
11782 	* sexp.c (sexp_iterator_simple): Bugfixes. Check earlier that
11783 	length doesn't grow too large.
11784 	(sexp_iterator_next): Skip the current list only if type is
11785 	SEXP_LIST. Handle ')'.
11786 	(sexp_iterator_enter_list): Set type to SEXP_START.
11787 	(sexp_iterator_exit_list): Likewise. Don't skip the ')' here.
11788 	(sexp_iterator_assoc): Bug fix.
11789 
11790 	* testsuite/sexp-test.c (test_main): Reordered sexp_iterator_assoc
11791 	tests.
11792 
11793 	* nettle.texinfo (Randomness): Documented that yarrow256_init can
11794 	be called with a zero number of sources.
11795 
11796 	* testsuite/testutils.h (ASSERT): New macro.
11797 
11798 	* testsuite/sexp-test.c: Test sexp parser.
11799 
11800 	* Makefile.am (SUBDIRS): Added sexp files.
11801 
11802 	* sexp.c, sexp.h: New files, implementing an sexp-parser.
11803 
11804 2002-08-27  Niels Möller  <niels@s3.kth.se>
11805 
11806 	* Makefile.am (DISTCLEANFILES): make distclean should delete the
11807 	assembler-related symlinks.
11808 
11809 2002-08-26  Niels Möller  <nisse@cuckoo.hack.org>
11810 
11811 	* Makefile.am (%.o: %.asm): Create an empty (and unused)
11812 	dependency file, to make the make/automake dependency tracking
11813 	happier.
11814 
11815 2002-07-18  Niels Möller  <niels@s3.kth.se>
11816 
11817 	* examples/nettle-benchmark.c (main): Try openssl's ciphers as
11818 	well, if available.
11819 
11820 	* Makefile.am (libnettle_a_SOURCES): Added nettle-openssl.c.
11821 
11822 	* nettle-openssl.c: New file.
11823 
11824 	* nettle-internal.h: Declare openssl glue ciphers.
11825 
11826 	* des-compat.h: Extra name-mangling, to avoid collisions in case a
11827 	program links with both nettle and libcrypto (the nettle-benchmark
11828 	program does).
11829 
11830 	* configure.ac: Don't use -ggdb3 with gcc-2.96.
11831 	Check for openssl's libcrypto (for benchmarking).
11832 
11833 2002-05-16  Niels Möller  <nisse@cuckoo.hack.org>
11834 
11835 	* sparc/aes.asm: Deleted registers i and t3.
11836 	(_aes_crypt): Moved some registers around. We now use input
11837 	registers only for arguments, local registers for loop invariants,
11838 	output registers for temporaries and loop variables, and no global
11839 	registers at all.
11840 
11841 	* sparc/aes.asm (AES_FINAL_ROUND): New macro.
11842 	(_aes_crypt): Use AES_FINAL_ROUND for the first word of the final
11843 	round.
11844 	(_aes_crypt): And for the rest of the final round.
11845 	(AES_FINAL_ROUND): Don't update dst, just access it offset by i.
11846 	(_aes_crypt): Add 16 to dst at the end of the final round.
11847 	(AES_ROUND): Use ldub, not ld + and, to get the third byte
11848 	of wtxt.
11849 	(AES_ROUND): Use ldub, not lduh + and, to get the second
11850 	byte of a word.
11851 	(AES_ROUND): Reordered instructions, so that we can save one
11852 	register.
11853 	(AES_ROUND): Eliminated use of t3.
11854 	(AES_FINAL_ROUND): Eliminated ands.
11855 	(AES_FINAL_ROUND): Reordered, so that we can save one register.
11856 	(AES_FINAL_ROUND): Eliminated t3.
11857 	(AES_LOAD): New macro.
11858 	(_aes_crypt): Unrolled source loop.
11859 	(_aes_crypt): Use AES_LOAD macro.
11860 	(_aes_crypt): Deleted cruft from the old source loop.
11861 	(AES_LOAD): Eliminated t3.
11862 
11863 2002-05-15  Niels Möller  <nisse@cuckoo.hack.org>
11864 
11865 	* sparc/aes.asm (AES_ROUND): New macro.
11866 	(_aes_crypt): Use AES_ROUND for first word of the
11867 	round function.
11868 	(_aes_crypt): And for the rest of the round function.
11869 
11870 	* sparc/aes.asm (_aes_crypt): Deleted a bunch of additions,
11871 	after accessing IDX1.
11872 
11873 	* aes-internal.h (struct aes_table): sparc_idx[0] should now
11874 	contain index values shifted by the size of a word, and with 2
11875 	added. This saves some additions in the sparc assembler code.
11876 	Updates aes-encrypt-table.c and aes-decrypt-table.c.
11877 
11878 	* sparc/aes.asm (_aes_crypt): Unrolled final loop, preparing for
11879 	optimizations.
11880 	(_aes_crypt): Eliminated i from first copy of the loop. Some
11881 	cleanup.
11882 	(_aes_crypt): And from second copy.
11883 	(_aes_crypt): And from third.
11884 	(_aes_crypt): And fourth.
11885 	(_aes_crypt): Eliminated updates of i from the loop.
11886 	(_aes_crypt): Access IDX1 and IDX3 through the T pointer, saving
11887 	two registers.
11888 
11889 	* aes-internal.h (struct aes_table): Renamed the shift_idx field
11890 	to sparc_idx, as it will be tweaked to improve the sparc code.
11891 	Also reduced its size to [2][4].
11892 	(IDX_FACTOR): Deleted constant.
11893 	* aes-encrypt-table.c (_aes_encrypt_table): Adapted initializer of
11894 	sparc_idx.
11895 	* aes-decrypt-table.c (_aes_decrypt_table): Likewise.
11896 	* asm.m4: Deleted AES_SIDX2, to match struct aes_table.
11897 
11898 	* sparc/aes.asm (_aes_crypt): Unrolled the inner loop, preparing
11899 	for optimizations suggested by Marcus Comstedt.
11900 	(_aes_crypt): Eliminated i from the first copy of the inner loop.
11901 	(_aes_crypt): And from the second copy.
11902 	(_aes_crypt): And from the third copy.
11903 	(_aes_crypt): And from the fourth copy.
11904 	(_aes_crypt): Renamed .Linner_loop to .Lround_loop.
11905 	(_aes_crypt): Eliminated the loop variable i from the unrolled
11906 	loop.
11907 	(_aes_crypt): Deleted moves of constants into t2.
11908 
11909 2002-05-15  Niels Möller  <niels@s3.kth.se>
11910 
11911 	* x86/aes-encrypt.asm (aes_encrypt): Use AES_SUBST_BYTE.
11912 	* x86/aes-decrypt.asm (aes_decrypt): Likewise.
11913 	(aes_decrypt): Use AES_STORE.
11914 	(aes_decrypt): Deleted first xchgl instruction, permuting the
11915 	AES_ROUND calls instead.
11916 	(aes_decrypt): Likewise for the final round.
11917 	(aes_decrypt): Got rid of the xchgl instruction after the final
11918 	round, folding it into the final round.
11919 
11920 	* x86/machine.m4: Renamed AES_LAST_ROUND to AES_FINAL_ROUND.
11921 	Updated users.
11922 
11923 	* x86/aes-decrypt.asm (aes_decrypt): Use the AES_LOAD macro.
11924 	(aes_decrypt): Start using AES_ROUND.
11925 	(aes_decrypt): Use AES_LAST_ROUND.
11926 
11927 	* x86/aes-decrypt.asm (aes_decrypt): Moved function to a separate
11928 	file...
11929 	* x86/aes.asm: ... from here.
11930 
11931 	* x86/aes.asm (aes_decrypt): Use _aes_decrypt_table instead of
11932 	itbl1-4. Commented out the inclusion of aes_tables.asm.
11933 	(aes_decrypt): Use _aes_decrypt_table instead of isbox.
11934 
11935 
11936 	* x86/aes-decrypt.asm: New file, empty at the start.
11937 
11938 	* Makefile.am (libnettle_a_SOURCES): Added aes-decrypt-table.c.
11939 
11940 	* aes-decrypt.c (_aes_decrypt_table): Moved from this file...
11941 	* aes-decrypt-table.c (_aes_decrypt_table): ... to a new file.
11942 
11943 	* testsuite/aes-test.out: New file, with the output of
11944 	testsuite/aes-test, when aes.c has been compiled with debugging
11945 	printouts of intermediate state.
11946 
11947 2002-05-15  Niels Möller  <nisse@cuckoo.hack.org>
11948 
11949 	* sparc/aes.asm: (_aes_crypt): Restore %fp at end of function, to
11950 	make %fp available for other uses.
11951 
11952 	* sparc/aes.asm: The frame setup was broken. Tried to fix it.
11953 	Reverted to revision 1.70 + minor changes from the head revision.
11954 
11955 	* x86/aes-encrypt.asm (aes_encrypt): Use test instead of cmpl $0,.
11956 
11957 	* x86/machine.m4 (AES_SUBST_BYTE): New macro.
11958 
11959 	* sparc/aes.asm: wtxt needs no register of its own, as it's
11960 	pointed to by %sp. %g5 moved to %l0, the register previously
11961 	allocated for wtxt, so that we stay clean of the reserved %g
11962 	registers.
11963 
11964 2002-05-14  Niels Möller  <nisse@cuckoo.hack.org>
11965 
11966 	* sparc/aes.asm: Avoid using %g6 and %g7, as they are reserved for
11967 	operating system use. Use %i5 and %o7 instead. Also moved %g4 to %g1.
11968 	(_aes_crypt): Allocate only 32 bytes local storage on the stack.
11969 	Calculate wtxt and tmp using offsets from %sp, not %fp.
11970 
11971 2002-05-14  Niels Möller  <niels@s3.kth.se>
11972 
11973 	* x86/aes-encrypt.asm (aes_encrypt): Replaced first quarter of the
11974 	round function with an invocation of AES_ROUND.
11975 	(aes_encrypt): Similarly for the second column.
11976 	(aes_encrypt): Similarly for the rest of the round function.
11977 
11978 	* x86/machine.m4 (AES_ROUND): New macro.
11979 
11980 	* x86/aes-encrypt.asm (aes_encrypt): Use AES_LOAD macro.
11981 
11982 	* x86/machine.m4 (AES_LOAD): New macro.
11983 
11984 	* x86/aes-encrypt.asm (aes_encrypt): Use AES_STORE.
11985 
11986 	* x86/machine.m4 (AES_STORE): New macro.
11987 
11988 	* x86/aes-encrypt.asm (aes_encrypt): Use the AES_LAST_ROUND macro
11989 	for the first column of the final round.
11990 	(aes_encrypt): Similarly for the second column.
11991 	(aes_encrypt): Similarly for the third and fourth column.
11992 
11993 	(aes_encrypt): Deleted xchgl instruction in final round, by
11994 	reordering the second and fourth round.
11995 
11996 	* x86/machine.m4 (AES_LAST_ROUND): New macro.
11997 
11998 	* x86/aes-encrypt.asm (aes_encrypt): Move code here...
11999 	* x86/aes.asm: ...from here.
12000 
12001 	* x86/aes.asm: Use addl and subl, not add and sub. Replaced
12002 	references to dtbl1-4 with references to _aes_encrypt_table.
12003 
12004 	* configure.ac (asm_path): Enable x86 assembler.
12005 
12006 	* x86/aes.asm (aes_decrypt): Adapted to the current interface.
12007 	Notably, the order of the subkeys was reversed. Single block
12008 	encrypt/decrypt works now.
12009 	(aes_encrypt, aes_decrypt): Added an outer loop, so that we can
12010 	encrypt more than one block at a time.
12011 
12012 2002-05-07  Niels Möller  <niels@s3.kth.se>
12013 
12014 	* configure.ac: Generate config.m4.
12015 
12016 	* x86/aes.asm: Use C for comments, include the tables using
12017 	include_src, and commented out the key setup functions.
12018 	Fixed the processing of the first handling of the round function.
12019 	Now, encryption of a single block works! Multiple blocks, and
12020 	decryption, is still broken.
12021 
12022 	* x86/machine.m4: New file (empty).
12023 
12024 	* x86/aes-encrypt.asm: New file, empty for now.
12025 
12026 	* Makefile.am (%.asm): Added asm.m4, machine.m4 and config.m4 to
12027 	the m4 command line.
12028 	(libnettle_a_SOURCES): Added aes-encrypt-table.c.
12029 
12030 	* sparc/aes.asm: No need to include asm.m4, that is taken care of
12031 	by the Makefile.
12032 
12033 	* config.m4.in: New file, configuration for asm.m4.
12034 
12035 	* asm.m4 (C, include_src): New macros.
12036 
12037 	* aes-encrypt-table.c: New file, table moved out from
12038 	aes-encrypt.c.
12039 
12040 2002-05-06  Niels Möller  <niels@s3.kth.se>
12041 
12042 	* configure.ac (CFLAGS): Don't enable -Waggregate-return.
12043 
12044 2002-05-05  Niels Möller  <nisse@lysator.liu.se>
12045 
12046 	* configure.ac: Pass no arguments to AM_INIT_AUTOMAKE.
12047 
12048 2002-05-05  Niels Möller  <nisse@cuckoo.hack.org>
12049 
12050 	* configure.ac: Update for automake-1.6.
12051 
12052 	* configure.ac: Renamed file, used to be configure.in.
12053 
12054 2002-03-20  Niels Möller  <nisse@cuckoo.hack.org>
12055 
12056 	* testsuite/run-tests (test_program): Added missing single quote.
12057 
12058 2002-03-20  Niels Möller  <nisse@lysator.liu.se>
12059 
12060 	* testsuite/run-tests (test_program): Test the exit status of the
12061 	right process.
12062 
12063 2002-03-19  Pontus Sköld  <pont@it.uu.se>
12064 
12065 	* testsuite/run-tests: Removed /bin/bashisms to use with /bin/sh.
12066 
12067 2002-03-18  Niels Möller  <nisse@cuckoo.hack.org>
12068 
12069 	* rsa-keygen.c (rsa_generate_keypair): Output a newline after a
12070 	non-empty line of 'e':s (bad e was chosen, try again).
12071 
12072 2002-03-16  Niels Möller  <nisse@cuckoo.hack.org>
12073 
12074 	* configure.in (asm_path): AC_CONFIG_LINKS adds $srcdir
12075 	automatically.
12076 
12077 2002-03-14  Niels Möller  <nisse@cuckoo.hack.org>
12078 
12079 	* sparc/aes.asm, x86/aes.asm: Added copyright notice.
12080 
12081 	* Makefile.am (libnettle_a_SOURCES): Added aes-internal.h.
12082 	(EXTRA_DIST): Added assembler files.
12083 
12084 	* configure.in (asm_path): Use $srcdir when looking for the files.
12085 	* configure.in (asm_path): For now, disable x86 assembler code.
12086 	Bumped version to 1.6.
12087 
12088 2002-02-25  Niels Möller  <nisse@cuckoo.hack.org>
12089 
12090 	* sparc/aes.asm (_aes_crypt): Moved increment of src into the
12091 	source_loop. Also fixed stop condition, the loop was run 5 times,
12092 	not 4, as it should.
12093 	(_aes_crypt): Use src directly when accessing the source data,
12094 	don't use %o5.
12095 	(_aes_crypt): Renamed variables in source_loop.
12096 	(_aes_crypt): Changed stop condition in source_loop to not depend
12097 	on i. Finally reduced the source_loop to 16 instructions. Also
12098 	increased the alignment of the code to 16.
12099 	(_aes_crypt): In final_loop, use preshifted indices.
12100 	(_aes_crypt): In final_loop, construct the result in t0. Use t0-t3
12101 	for intermediate values.
12102 	(_aes_crypt): In final_loop, use the register idx.
12103 	(_aes_crypt): In final_loop, keep i multiplied by 4. Use key to
12104 	get to the current roundkey.
12105 	(_aes_crypt): In final_loop, use i for indexing.
12106 	(_aes_crypt): Update dst in the output loop. This yields a delay
12107 	slot that isn't filled yet.
12108 	(_aes_crypt): Decrement round when looping, saving yet some
12109 	instructions.
12110 	(_aes_crypt): Reformatted code as blocks of four instructions
12111 	each.
12112 	(_aes_crypt): Copy the addresses of the indexing tables into
12113 	registers at the start. No more need for the idx register.
12114 	(_aes_crypt): Deleted idx register.
12115 	(_aes_crypt): Some peep hole optimizations, duplicating some
12116 	instructions to fill nop:s, and put branch instructions on even
12117 	word addresses.
12118 
12119 2002-02-22  Niels Möller  <nisse@cuckoo.hack.org>
12120 
12121 	* sparc/aes.asm (_aes_crypt): Moved some more additions out of the
12122 	inner loop, using additional registers.
12123 	(_aes_crypt): Deleted one more addition from the inner loop, by
12124 	using the subkey pointer.
12125 
12126 2002-02-19  Niels Möller  <nisse@cuckoo.hack.org>
12127 
12128 	* configure.in (asm_path): Renamed "path" to "asm_path". Also look
12129 	for a machine.m4.
12130 
12131 2002-02-16  Niels Möller  <nisse@cuckoo.hack.org>
12132 
12133 	* sparc/aes.asm: Use that IDX2(j) == j ^ 2
12134 
12135 	* Makefile.am (libnettle_a_SOURCES): Reordered aes-decrypt.c and
12136 	aes-encrypt.c. For some strange reason it makes the benchmark go
12137 	faster...
12138 
12139 	* sparc/aes.asm (_aes_crypt): Use double-buffering, and no
12140 	separate loop for adding the round key.
12141 	(round): Keep round index multiplied by 16, so it can be used
12142 	directly for indexing the subkeys.
12143 	(_aes_crypt): In the final loop, use ctx+round to access the
12144 	subkeys, no need for an extra register.
12145 
12146 2002-02-15  Niels Möller  <nisse@cuckoo.hack.org>
12147 
12148 	* sparc/aes.asm (_aes_crypt): Renaming variables, allocating
12149 	locals starting from %l0.
12150 	(_aes_crypt): Consistently use %l4, aka i, as the variable for the
12151 	innermost loops.
12152 	(_aes_crypt): Moved reading of ctx->nrounds out of the loop.
12153 	(_aes_crypt): In final_loop, deleted a redundant mov, and use i as
12154 	loop variable.
12155 	(_aes_crypt): Started renumbering registers in the inner loop. The
12156 	computation for the table[j] sub-expression should be kept in
12157 	register %o[j].
12158 	(_aes_crypt): Renamed more variables in the inner loop. Now the
12159 	primary variables are t0, t1, t2, t3.
12160 
12161 	* sparc/aes.asm (_aes_crypt): Swapped register %i0 and %o5, %i1
12162 	and %o0, %i2 and %o4, %i3 and %o3, %i4 and %o2.
12163 	(_aes_crypt): wtxt was stored in both %l1 and %l2 for the entire
12164 	function. Freed %l2 for other uses.
12165 	(_aes_crypt): Likewise for tmp, freeing register %o1.
12166 
12167 	* sparc/machine.m4: New file, for sparc-specific macros.
12168 
12169 	* sparc/aes.asm (_aes_crypt): Hacked the source_loop, to get rid
12170 	of yet another redundant loop variable, and one instruction.
12171 	(_aes_crypt): Strength reduce loop variable in the
12172 	inner loop, getting rid of one register.
12173 	(_aes_crypt): Use pre-shifted indices (aes_table.idx_shift), to
12174 	avoid some shifts in the inner loop.
12175 	(_aes_crypt): Don't check for nrounds==0 at the start of the loop.
12176 
12177 	* asm.m4: Define and use structure-defining macros.
12178 
12179 	* Makefile.am (%.asm): Use a GNU pattern rule, to make %.o depend
12180 	on both %.asm and asm.m4.
12181 
12182 	* aes-internal.h (struct aes_table): New subtable idx_shift.
12183 	Updated tables in aes_encrypt.c and aes_decrypt.c.
12184 
12185 	* asm.m4: Use eval to compute values.
12186 
12187 	* sparc/aes.asm (_aes_crypt): Deleted commented out old version of
12188 	the code.
12189 
12190 	* asm.m4: Added constants for individual rows of the aes table.
12191 
12192 	* aes.c (IDX0, IDX1, IDX2, IDX3): New macros, encapsulating the
12193 	structure of the idx table.
12194 
12195 	* asm.m4: Define various aes struct offsets.
12196 
12197 	* testsuite/cbc-test.c (test_cbc_bulk): Use aes_set_encrypt_key
12198 	and aes_set_decrypt_key.
12199 
12200 	* sparc/aes.asm (_aes_crypt): Use symbolic names for the function
12201 	arguments.
12202 
12203 2002-02-14  Niels Möller  <nisse@cuckoo.hack.org>
12204 
12205 	* sparc/aes.asm: Copied gcc assembler code for _aes_crypt.
12206 
12207 	* aesdata.c: New program for generating AES-related tables.
12208 
12209 	* testsuite/testutils.c (print_hex): New function (moved from
12210 	yarrow-test.c).
12211 
12212 	* testsuite/rsa-keygen-test.c (progress): Declare the ctx argument
12213 	as UNUSED.
12214 
12215 	* testsuite/cbc-test.c (test_cbc_bulk): New function, testing CBC
12216 	with larger blocks.
12217 
12218 	* yarrow256.c: Replaced uses of aes_set_key with
12219 	aes_set_encrypt_key.
12220 
12221 	* nettle-meta.h (_NETTLE_CIPHER_SEP): New macro, useful for
12222 	algorithms with separate encryption and decryption key setup.
12223 
12224 	* aes-internal.h (struct aes_table): New structure, including all
12225 	constant tables needed by the unified encryption or decryption
12226 	function _aes_crypt.
12227 
12228 	* aes.c (_aes_crypt): New function, which unifies encryption and
12229 	decryption.
12230 
12231 	AES key setup now uses two separate functions for setting
12232 	encryption and decryption keys. Applications that don't do
12233 	decryption need no inverted subkeys and no code to generate them.
12234 	Similarly, the tables (about 4K each for encryption and
12235 	decryption), are put into separate files.
12236 
12237 	* aes.h (struct aes_ctx): Deleted space for inverse subkeys. For
12238 	decryption, the inverse subkeys replace the normal subkeys, and
12239 	they are stored _in the order they are used_.
12240 
12241 	* aes-set-key.c (aes_set_key): Deleted file, code moved...
12242 	* aes-set-decrypt-key.c, aes-set-encrypt-key.c: New files,
12243 	separated normal and inverse key setup.
12244 
12245 	* aes-tables.c: Deleted, tables moved elsewhere...
12246 	* aes-encrypt.c, aes-decrypt.c: New files; moved encryption and
12247 	decryption functions, and needed tables, into separate files.
12248 
12249 2002-02-13  Niels Möller  <nisse@cuckoo.hack.org>
12250 
12251 	* aes.c (aes_encrypt): Don't unroll the innerloop.
12252 	(aes_encrypt): Don't unroll the loop for the final round.
12253 	(aes_decrypt): Likewise, no loop unrolling.
12254 
12255 	* aes-set-key.c (aes_set_key): Reversed the order of the inverted
12256 	subkeys. They are now stored in the same order as they are used.
12257 
12258 	* aes-tables.c (itable): New bigger table, generated by aesdata.c.
12259 
12260 	* aes.c (aes_decrypt): Rewrote to use the bigger tables.
12261 
12262 2002-02-12  Niels Möller  <nisse@cuckoo.hack.org>
12263 
12264 	* aes.c (aes_encrypt): Interleave computation and output in the
12265 	final round.
12266 
12267 	* aes-internal.h (AES_SMALL): New macro.
12268 
12269 	* aes.c (aes_encrypt): Optionally use smaller rotating inner loop.
12270 
12271 	* aes-tables.c (dtbl): Replaced with table generated by aesdata.
12272 
12273 	* aes.c (aes_encrypt): Rewrite, now uses larger tables in order to
12274 	avoid rotates.
12275 
12276 	* sparc/aes.asm (aes_encrypt): Strength reduced on j, getting rid
12277 	of one register and one instruction in the inner loop.
12278 
12279 	* sparc/aes.asm (idx, aes_encrypt): Multiplied tabled values by 4,
12280 	making it possible to get rid of some shifts in the inner loop.
12281 
12282 	* configure.in: Fixed spelling of --enable-assembler. Commented
12283 	out debug echo:s.
12284 
12285 	* asm.m4: New file. For now, only doing changequote and changecom.
12286 
12287 	* sparc/aes.asm (aes_encrypt): Added comments.
12288 	(aes_encrypt): Cut off redundant instruction per block, also
12289 	saving one redundant register pointing to idx.
12290 	(idx_row): New macro. Include asm.m4.
12291 
12292 2002-02-11  Niels Möller  <nisse@cuckoo.hack.org>
12293 
12294 	* sparc/aes.asm (key_addition_8to32): Cleaned up.
12295 	Deleted gcc-generated debugging information.
12296 
12297 	* sparc/aes.asm (key_addition32): First attempt at optimization.
12298 	Made it slower ;-)
12299 
12300 	* sparc/aes.asm (key_addition32): Unrolled loop, gained 4%
12301 	speed, paid four instructions compared to gcc
12302 	generated code.
12303 
12304 	* Makefile.am (.asm.o): New rule for assembling via m4.
12305 	(libnettle_a_SOURCES): Added new rsa and aes files.
12306 
12307 	* configure.in: New command line option --enable-assembler.
12308 	Selects assembler code depending on the host system.
12309 
12310 	* rsa-decrypt.c, rsa-encrypt.c: New files for rsa pkcs#1
12311 	encryption.
12312 
12313 	* aes-set-key.c, aes-tables.c: New files, split off from aes.c.
12314 	Tables are now not static, but use a _aes_ prefix on their names.
12315 
12316 	* aes-internal.h: New file.
12317 
12318 	* cast128-meta.c (_NETTLE_CIPHER_FIX): Use _NETTLE_CIPHER_FIX.
12319 
12320 	* cbc.c (cbc_decrypt_internal): New function, doing the real CBC
12321 	processing and requiring that src != dst.
12322 	(cbc_decrypt): Use cbc_decrypt_internal. If src == dst, use a
12323 	buffer of limited size to copy the ciphertext.
12324 
12325 	* nettle-internal.c (nettle_blowfish128): Fixed definition, with
12326 	key size in bits.
12327 
12328 	* nettle-meta.h (_NETTLE_CIPHER_FIX): New macro, suitable for
12329 	ciphers with a fixed key size.
12330 
12331 	* examples/nettle-benchmark.c (display): New function for
12332 	displaying the results, including MB/s figures.
12333 
12334 	* sparc/aes.asm: New file. Not yet tuned in any way (it's just the
12335 	code generated by gcc).
12336 
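The cbc_decrypt split described in the 2002-02-11 entry above (a cbc_decrypt_internal that requires src != dst, and a cbc_decrypt wrapper that copies the ciphertext through a buffer of limited size when the two are equal), written out as an added example rather than Nettle's cbc.c. The block cipher is a stand-in with no security value, and the buffer bound, the function names and the test pattern are assumptions; a naive in-place variant is included to show the corruption the copy prevents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16
/* Assumed bound on the stack scratch used for in-place decryption; a multiple of BLOCK_SIZE. */
#define CBC_BUFFER_LIMIT 512

/* Stand-in block "cipher" for demonstration only: byte-wise key addition plus a rotation.
 * It has no cryptographic strength; it exists so the chaining logic can be exercised. */
typedef struct { uint8_t key[BLOCK_SIZE]; } toy_ctx;

static void toy_encrypt_block(const toy_ctx *ctx, uint8_t *dst, const uint8_t *src)
{
  uint8_t tmp[BLOCK_SIZE];
  for (int i = 0; i < BLOCK_SIZE; i++)
    tmp[(i + 3) % BLOCK_SIZE] = (uint8_t)(src[i] + ctx->key[i]);
  memcpy(dst, tmp, BLOCK_SIZE);          /* tmp makes dst == src safe for one block */
}

static void toy_decrypt_block(const toy_ctx *ctx, uint8_t *dst, const uint8_t *src)
{
  uint8_t tmp[BLOCK_SIZE];
  for (int i = 0; i < BLOCK_SIZE; i++)
    tmp[i] = (uint8_t)(src[(i + 3) % BLOCK_SIZE] - ctx->key[i]);
  memcpy(dst, tmp, BLOCK_SIZE);
}

/* CBC encryption is in-place safe: block i chains from ciphertext block i-1, just written. */
void cbc_encrypt(const toy_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
{
  for (; length >= BLOCK_SIZE; length -= BLOCK_SIZE, src += BLOCK_SIZE, dst += BLOCK_SIZE) {
    for (int i = 0; i < BLOCK_SIZE; i++) iv[i] ^= src[i];
    toy_encrypt_block(ctx, dst, iv);
    memcpy(iv, dst, BLOCK_SIZE);
  }
}

/* The real work.  Requires src != dst: plaintext block i is D(C_i) XOR C_{i-1}, and
 * C_{i-1} is read from src after dst[i-1] has already been overwritten with plaintext. */
static void cbc_decrypt_internal(const toy_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
{
  const uint8_t *prev = iv;
  for (size_t off = 0; off + BLOCK_SIZE <= length; off += BLOCK_SIZE) {
    toy_decrypt_block(ctx, dst + off, src + off);
    for (int i = 0; i < BLOCK_SIZE; i++) dst[off + i] ^= prev[i];
    prev = src + off;
  }
  if (length >= BLOCK_SIZE) memcpy(iv, prev, BLOCK_SIZE);   /* iv := last ciphertext block */
}

/* Entry point.  With src == dst the ciphertext is copied through a bounded buffer one
 * chunk at a time, so any length works without a full-size temporary.
 * Returns 0 if length is not a multiple of the block size, 1 otherwise. */
int cbc_decrypt(const toy_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
{
  if (length % BLOCK_SIZE) return 0;
  if (src != dst) { cbc_decrypt_internal(ctx, iv, length, dst, src); return 1; }
  uint8_t buffer[CBC_BUFFER_LIMIT];
  while (length) {
    size_t chunk = length < CBC_BUFFER_LIMIT ? length : CBC_BUFFER_LIMIT;
    memcpy(buffer, src, chunk);
    cbc_decrypt_internal(ctx, iv, chunk, dst, buffer);
    length -= chunk; src += chunk; dst += chunk;
  }
  return 1;
}

/* The mistake the split above avoids: chaining from memory that was just overwritten. */
static void cbc_decrypt_naive(const toy_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
{
  for (size_t off = 0; off + BLOCK_SIZE <= length; off += BLOCK_SIZE) {
    toy_decrypt_block(ctx, dst + off, src + off);
    for (int i = 0; i < BLOCK_SIZE; i++) dst[off + i] ^= iv[i];
    memcpy(iv, src + off, BLOCK_SIZE);   /* with src == dst this is now plaintext, not C_i */
  }
}

/* Encrypt a constructed pattern in place, decrypt it in place, and report whether the
 * plaintext came back (1) or not (0).  naive != 0 selects the broken variant. */
int cbc_inplace_roundtrip_ok(size_t nblocks, int naive)
{
  enum { MAX = 64 * BLOCK_SIZE };       /* 1024 bytes: two passes through the 512-byte buffer */
  uint8_t plain[MAX], buf[MAX], iv0[BLOCK_SIZE], iv[BLOCK_SIZE];
  toy_ctx ctx;
  size_t len = nblocks * BLOCK_SIZE;
  if (len > MAX) return 0;
  for (int i = 0; i < BLOCK_SIZE; i++) { ctx.key[i] = (uint8_t)(13 * i + 1); iv0[i] = (uint8_t)(0xA5 ^ i); }
  for (size_t i = 0; i < len; i++) plain[i] = buf[i] = (uint8_t)(7 * i);
  memcpy(iv, iv0, BLOCK_SIZE);
  cbc_encrypt(&ctx, iv, len, buf, buf);
  memcpy(iv, iv0, BLOCK_SIZE);
  if (naive) cbc_decrypt_naive(&ctx, iv, len, buf, buf);
  else if (!cbc_decrypt(&ctx, iv, len, buf, buf)) return 0;
  return memcmp(plain, buf, len) == 0;
}
```

The naive variant decrypts a single block correctly and only fails from the second block on, which is why this kind of bug survives small unit tests; the bounded buffer keeps the stack cost fixed no matter how large the message is, and the iv update at the end of each chunk is what lets the chunks chain into one another.
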
12337 2002-02-11  Niels Möller  <nisse@lysator.liu.se>
12338 
12339 	* x86/aes.asm, x86/aes_tables.asm: New assembler implementation by
12340 	Rafael Sevilla.
12341 
12342 2002-02-06  Niels Möller  <nisse@cuckoo.hack.org>
12343 
12344 	Applied patch from Dan Egnor improving the base64 code.
12345 	* base64.h (BASE64_ENCODE_LENGTH): New macro.
12346 	(struct base64_ctx): New context struct, for decoding.
12347 	(BASE64_DECODE_LENGTH): New macro.
12348 	* base64.c (base64_decode_init): New function.
12349 	(base64_decode_update): New function, replacing base64_decode.
12350 	Takes a struct base64_ctx argument.
12351 	* nettle-meta.h: Updated nettle_armor, and related typedefs and
12352 	macros.
12353 	* testsuite/testutils.c (test_armor): Updated.
12354 	* configure.in: Use AC_PREREQ(2.50).
12355 
12356 2002-02-01  Niels Möller  <nisse@cuckoo.hack.org>
12357 
12358 	* Released nettle-1.5.
12359 
12360 2002-01-31  Niels Möller  <nisse@cuckoo.hack.org>
12361 
12362 	* acinclude.m4: Commented out gmp-related macros, they're probably
12363 	not needed anymore.
12364 
12365 2002-01-31  Niels Möller  <nisse@lysator.liu.se>
12366 
12367 	* configure.in: Added command line options --with-lib-path and
12368 	--with-include-path. Use the RPATH-macros to get correct flags for
12369 	linking the test programs with gmp.
12370 
12371 	* acinclude.m4: New file.
12372 
12373 2002-01-31  Niels Möller  <nisse@cuckoo.hack.org>
12374 
12375 	* nettle.texinfo (Randomness): New subsection on Yarrow.
12376 
12377 2002-01-30  Niels Möller  <nisse@cuckoo.hack.org>
12378 
12379 	* nettle.texinfo (Randomness): New chapter.
12380 	Spell checking and ispell configuration.
12381 
12382 	* md5.c: Added reference to RFC 1321.
12383 
12384 2002-01-24  Niels Möller  <nisse@cuckoo.hack.org>
12385 
12386 	* nettle.texinfo (Public-key algorithms): Minor fixes.
12387 
12388 2002-01-22  Niels Möller  <nisse@cuckoo.hack.org>
12389 
12390 	* nettle.texinfo (Nettle soup): New chapter.
12391 	(Hash functions): New subsection on struct nettle_hash.
12392 	(Hash functions): New subsection on struct nettle_cipher.
12393 	(Keyed hash functions): New section, describing MAC:s and HMAC.
12394 	(Public-key algorithms): New chapter.
12395 
12396 	* testsuite/testutils.c (test_armor): New function.
12397 
12398 	* testsuite/base64-test.c: New testcase.
12399 
12400 	* testsuite/Makefile.am (TS_PROGS): Added base64-test.
12401 
12402 	* nettle-meta.h (struct nettle_armor): New struct.
12403 
12404 	* configure.in: Bumped version to 1.5.
12405 
12406 	* Makefile.am (libnettle_a_SOURCES): Added base64 files, and some
12407 	missing header files.
12408 
12409 	* base64.c, base64.h, base64-meta.c: New files, hacked by Dan
12410 	Egnor.
12411 
12412 2002-01-16  Niels Möller  <nisse@cuckoo.hack.org>
12413 
12414 	* testsuite/yarrow-test.c: Deleted ran_array code, use
12415 	knuth-lfib.h instead.
12416 
12417 	* testsuite/testutils.c (test_rsa_md5, test_rsa_sha1): Moved
12418 	functions here...
12419 	* testsuite/rsa-test.c: ...from here.
12420 
12421 	* testsuite/rsa-keygen-test.c: New file.
12422 
12423 	* testsuite/knuth-lfib-test.c: New file.
12424 
12425 	* Makefile.am (libnettle_a_SOURCES): Added knuth-lfib.c and
12426 	rsa-keygen.c.
12427 
12428 	* rsa-keygen.c: New file.
12429 
12430 	* rsa.h (RSA_MINIMUM_N_OCTETS): New constant.
12431 	(RSA_MINIMUM_N_BITS): New constant.
12432 	(nettle_random_func, nettle_progress_func): New typedefs. Perhaps
12433 	they don't really belong in this file.
12434 	(rsa_generate_keypair): Added progress-callback argument.
12435 
12436 	* macros.h (READ_UINT24, WRITE_UINT24, READ_UINT16, WRITE_UINT16):
12437 	New macros.
12438 
12439 	* knuth-lfib.c, knuth-lfib.h: New files, implementing a
12440 	non-cryptographic prng.
12441 
12442 2002-01-15  Niels Möller  <nisse@cuckoo.hack.org>
12443 
12444 	* hmac-sha1.c: New file.
12445 
12446 2002-01-14  Niels Möller  <nisse@cuckoo.hack.org>
12447 
12448 	* configure.in: Bumped version to 1.1.
12449 
12450 	* testsuite/hmac-test.c (test_main): Added hmac-sha1 test cases.
12451 
12452 	* rsa.c (rsa_init_private_key, rsa_clear_private_key): Handle d.
12453 
12454 	* rsa.h (struct rsa_private_key): Reintroduced d attribute, to be
12455 	used only for key generation output.
12456 	(rsa_generate_keypair): Wrote a prototype.
12457 
12458 	* Makefile.am (libnettle_a_SOURCES): Added hmac-sha1.c and
12459 	nettle-internal.h.
12460 
12461 	* des.c: Use static const for all tables.
12462 	(des_set_key): Use a new const * variable for the parity
12463 	processing, for constness reasons.
12464 
12465 	* list-obj-sizes.awk: New file.
12466 
12467 	* nettle-internal.c, nettle-internal.h: New files.
12468 
12469 	* testsuite/Makefile.am (TS_PROGS): Added hmac-test. Deleted old
12470 	m4-stuff.
12471 
12472 	* testsuite/testutils.h (LDATA): Moved this macro here,...
12473 	* testsuite/rsa-test.c: ... from here.
12474 
12475 	* testsuite/hmac-test.c: New file.
12476 
12477 	* hmac.h: General cleanup. Added declarations of hmac-md5,
12478 	hmac-sha1 and hmac-sha256.
12479 
12480 	* hmac.c: Bug fixes.
12481 
12482 	* hmac-md5.c: First working version.
12483 
12484 	* Makefile.am (libnettle_a_SOURCES): Added hmac.c and hmac-md5.c.
12485 	(libnettleinclude_HEADERS): Added hmac.h.
12486 
12487 	* testsuite/rsa-test.c: Also test a 777-bit key.
12488 
12489 	* rsa.c (rsa_check_size): Changed argument to an mpz_t. Updated
12490 	callers.
12491 	(rsa_prepare_private_key): Compute the size of the key by
12492 	computing n = p * q.
12493 
12494 	* rsa-compat.c: Adapted to new private key struct.
12495 	* rsa_md5.c: Likewise.
12496 	* rsa_sha1.c: Likewise.
12497 
12498 	* rsa.c (rsa_check_size): New function, for computing and checking
12499 	the size of the modulo in octets.
12500 	(rsa_prepare_public_key): Use rsa_check_size.
12501 	(rsa_init_private_key): Removed code handling n, e and d.
12502 	(rsa_clear_private_key): Likewise.
12503 	(rsa_compute_root): Always use CRT.
12504 
12505 	* rsa.h (struct rsa_private_key): Deleted public key and d from
12506 	the struct, as they are not needed. Added size attribute.
12507 
12508 2002-01-12  Niels Möller  <nisse@cuckoo.hack.org>
12509 
12510 	* Makefile.am: Added *-meta files.
12511 
12512 	* rsa.c (rsa_init_public_key): New function.
12513 	(rsa_clear_public_key): Likewise.
12514 	(rsa_init_private_key): Likewise.
12515 	(rsa_clear_private_key): Likewise.
12516 
12517 	* aes-meta.c: New file.
12518 	* arcfour-meta.c: New file.
12519 	* cast128-meta.c: New file.
12520 	* serpent-meta.c: New file.
12521 	* twofish-meta.c: New file.
12522 
12523 	* examples/nettle-benchmark.c: Use the interface in nettle-meta.h.
12524 
12525 2002-01-11  Niels Möller  <nisse@cuckoo.hack.org>
12526 
12527 	Don't use m4 for generating test programs, it's way overkill. Use
12528 	the C preprocessor instead.
12529 	* testsuite/*-test.c: New file.
12530 
12531 	* hmac.c, hmac.h, hmac-md5.c: New files.
12532 
12533 	Defined structures describing the algorithms. Useful for code that
12534 	wants to treat an algorithm as a black box.
12535 	* nettle-meta.h, md5-meta.c, sha1-meta.c, sha256-meta.c: New
12536 	files.
12537 
12538 2002-01-09  Niels Möller  <nisse@cuckoo.hack.org>
12539 
12540 	* rsa-compat.c: Updated for new md5 and rsa conventions.
12541 
12542 	* rsa_md5.c: Represent a signature as an mpz_t, not a string.
12543 	Updated calls of md5 functions.
12544 	* rsa_sha1.c: Likewise.
12545 
12546 	* rsa.c (rsa_prepare_public_key): Renamed function, was
12547 	rsa_init_public_key.
12548 	(rsa_prepare_private_key): Renamed function, was
12549 	rsa_init_private_key.
12550 
12551 	* nettle.texinfo (Hash functions): Update for the changed
12552 	interface without *_final. Document sha256.
12553 
12554 	* testsuite/md5-test.m4, testsuite/sha1-test.m4,
12555 	testsuite/sha256-test.m4, testsuite/yarrow-test.c: Updated for new
12556 	hash function interface.
12557 
12558 	* yarrow256.c: Removed calls of sha256_final and some calls of
12559 	sha256_init.
12560 
12561 	* md5-compat.c (MD5Final): Call only md5_digest.
12562 
12563 	* md5.c (md5_digest): Call md5_final and md5_init.
12564 	(md5_final): Declared static.
12565 	sha1.c, sha256.c: Analogous changes.
12566 
12567 	* bignum.c (nettle_mpz_get_str_256): Declare the input argument
12568 	const.
12569 
12570 2001-12-14  Niels Möller  <nisse@cuckoo.hack.org>
12571 
12572 	* Makefile.am (EXTRA_DIST): Added $(des_headers). Changed
12573 	dependencies for $(des_headers) to depend only on the source file
12574 	desdata.c, not on the executable.
12575 
12576 2001-12-12  Niels Möller  <nisse@cuckoo.hack.org>
12577 
12578 	* testsuite/yarrow-test.c (main): Updated testcase to match fixed
12579 	generator. Send verbose output to stdout, not stderr.
12580 
12581 	* yarrow256.c (yarrow_slow_reseed): Bug fix, update the fast pool
12582 	with the digest of the slow pool.
12583 	(yarrow256_init): Initialize seed_file and counter to zero, to
12584 	ease debugging.
12585 
12586 2001-12-07  Niels Möller  <nisse@cuckoo.hack.org>
12587 
12588 	* bignum.c (nettle_mpz_get_str_256): Fixed handling of leading
12589 	zeroes.
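
	The leading-zero handling this entry fixes, as an added example that is not nettle's code: a base-256 (big-endian) encoder and decoder for a multi-precision integer. The value is modelled as an array of 32-bit limbs, least significant limb first (an assumption standing in for GMP's mpz_t so that the example builds without libgmp), and the names get_str_256 and set_str_256 are hypothetical; they are not nettle's nettle_mpz_get_str_256 signature. The security-relevant point is that the output length is fixed by the caller, typically the key size, and padded with leading zero bytes, while a value that does not fit is rejected rather than truncated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not nettle's code. A multi-precision integer is
 * modelled as an array of 32-bit limbs, least significant limb first
 * (an assumption standing in for GMP's mpz_t). The function names
 * get_str_256 and set_str_256 are hypothetical. */

/* Number of significant bytes in the value; 0 for the value zero. */
static size_t limbs_byte_size(const uint32_t *limbs, size_t n)
{
    while (n > 0 && limbs[n - 1] == 0)
        n--;                                   /* drop high zero limbs */
    if (n == 0)
        return 0;
    uint32_t top = limbs[n - 1];
    size_t top_bytes = 4;
    while (top_bytes > 1 && (top >> (8 * (top_bytes - 1))) == 0)
        top_bytes--;                           /* drop high zero bytes */
    return 4 * (n - 1) + top_bytes;
}

/* Write the value as big-endian base 256 into exactly len bytes,
 * left-padded with zero bytes so the output length is fixed by the
 * caller (e.g. the key size), not by the value. Returns 0 without
 * writing anything if the value does not fit: a fixed-width encoder
 * must never silently truncate. */
int get_str_256(uint8_t *out, size_t len, const uint32_t *limbs, size_t n)
{
    size_t need = limbs_byte_size(limbs, n);
    if (need > len)
        return 0;
    memset(out, 0, len - need);                /* the leading zeroes */
    for (size_t i = 0; i < need; i++) {
        size_t k = need - 1 - i;               /* byte k of the value, k = 0 least significant */
        out[len - need + i] = (uint8_t)(limbs[k / 4] >> (8 * (k % 4)));
    }
    return 1;
}

/* Inverse: parse a big-endian base-256 string of len bytes into n limbs.
 * Leading zero bytes are accepted whatever the length; a non-zero byte
 * that does not fit in n limbs is an error (returns 0). */
int set_str_256(uint32_t *limbs, size_t n, const uint8_t *in, size_t len)
{
    memset(limbs, 0, n * sizeof *limbs);
    for (size_t i = 0; i < len; i++) {
        size_t k = len - 1 - i;                /* in[0] is the most significant byte */
        if (k / 4 >= n) {
            if (in[i] != 0)
                return 0;
            continue;
        }
        limbs[k / 4] |= (uint32_t)in[i] << (8 * (k % 4));
    }
    return 1;
}

/* Round-trip a value whose fixed-width encoding needs leading zeroes;
 * returns 1 on success. */
int example_roundtrip(void)
{
    const uint32_t value[2] = { 0x00000102u, 0 }; /* constructed sample: 0x102 */
    uint8_t buf[4];
    uint32_t back[2];

    if (!get_str_256(buf, sizeof buf, value, 2))
        return 0;
    if (buf[0] != 0 || buf[1] != 0 || buf[2] != 1 || buf[3] != 2)
        return 0;                              /* 0x102 padded to 4 bytes */
    if (get_str_256(buf, 1, value, 2))
        return 0;                              /* one byte is too small: must fail */
    if (!set_str_256(back, 2, buf, 4))
        return 0;
    return back[0] == 0x102u && back[1] == 0;
}

int main(void)
{
    const uint32_t value[2] = { 0xdeadbeefu, 0x00000001u }; /* constructed sample */
    uint8_t buf[8];
    if (!get_str_256(buf, sizeof buf, value, 2))
        return 1;
    for (size_t i = 0; i < sizeof buf; i++)
        printf("%02x", buf[i]);                /* 0x1deadbeef padded to 8 bytes */
    printf("\n");
    return example_roundtrip() ? 0 : 1;
}
```

	The decoder deliberately tolerates any number of leading zero bytes, since a correctly padded signature or ciphertext of key size will usually start with them, but refuses non-zero bytes beyond the limb capacity instead of dropping them.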
12590 
12591 2001-12-05  Niels Möller  <nisse@cuckoo.hack.org>
12592 
12593 	* testsuite/yarrow-test.c (main): Updated test to match the fixed
12594 	key event estimator.
12595 
12596 	* yarrow_key_event.c (yarrow_key_event_estimate): Fixed handling
12597 	of timing info.
12598 
12599 	* nettle.texinfo (Copyright): Say that under certain
12600 	circumstances, Nettle can be used as if under the LGPL.
12601 
12602 	* README: Added a paragraph on copyright.
12603 
12604 2001-11-15  Niels Möller  <nisse@cuckoo.hack.org>
12605 
12606 	* yarrow256.c (yarrow256_force_reseed): New function.
12607 
12608 2001-11-14  Niels Möller  <nisse@ehand.com>
12609 
12610 	* testsuite/yarrow-test.c (main): Use yarrow256_is_seeded.
12611 
12612 	* yarrow256.c (yarrow256_needed_sources): New function.
12613 	(yarrow256_is_seeded): New function.
12614 	(yarrow256_update): Use yarrow256_needed_sources.
12615 
12616 2001-11-14  Niels Möller  <nisse@cuckoo.hack.org>
12617 
12618 	* testsuite/yarrow-test.out: Updated, to match the seed-file aware
12619 	generator.
12620 
12621 	* testsuite/yarrow-test.c: Updated expected_output. Check the seed
12622 	file contents at the end.
12623 
12624 	* yarrow256.c (yarrow256_seed): New function.
12625 	(yarrow_fast_reseed): Create new seed file contents.
12626 
12627 2001-11-13  Niels Möller  <nisse@cuckoo.hack.org>
12628 
12629 	* yarrow.h: Deleted yarrow160 declarations.
12630 
12631 2001-11-02  Niels Möller  <nisse@ehand.com>
12632 
12633 	* yarrow256.c (yarrow256_init): Fixed order of code and
12634 	declarations.
12635 
12636 2001-10-30  Niels Möller  <nisse@ehand.com>
12637 
12638 	* rsa-compat.h: Added real prototypes and declarations.
12639 
12640 	* Makefile.am (libnettle_a_SOURCES): Added rsa-compat.h and
12641 	rsa-compat.c.
12642 
12643 	* rsa-compat.c: New file, implementing RSA ref signature and
12644 	verification functions.
12645 
12646 	* configure.in: Check for libgmp. Deleted tests for SIZEOF_INT and
12647 	friends.
12648 
12649 	* rsa_sha1.c: New file, PKCS#1 rsa-sha1 signatures.
12650 	* rsa_md5.c: New file, PKCS#1 rsa-md5 signatures.
12651 
12652 	* rsa.c: New file with general rsa functions.
12653 
12654 	* Makefile.am (libnettle_a_SOURCES): Added rsa and bignum files.
12655 
12656 	* bignum.c, bignum.h: New file, with base256 functions missing in
12657 	gmp.
12658 
12659 	* testsuite/Makefile.am: Added bignum-test.
12660 
12661 	* testsuite/run-tests (test_program): Check the exit code more
12662 	carefully, and treat 77 as skip. This convention was borrowed from
12663 	autotest.
12664 
12665 	* testsuite/macros.m4: New macro SKIP which exits with code 77.
12666 
12667 	* testsuite/bignum-test.m4: New file.
12668 
12669 2001-10-15  Niels Möller  <nisse@ehand.com>
12670 
12671 	* testsuite/Makefile.am (EXTRA_DIST): Include rfc1750.txt in the
12672 	distribution.
12673 
12674 2001-10-14  Niels Möller  <nisse@cuckoo.hack.org>
12675 
12676 	* testsuite/des-test.m4: Added testcase taken from Applied
12677 	Cryptography.
12678 
12679 	* testsuite/yarrow-test.c: Use sha256 instead of sha1 for checking
12680 	input and output. Updated the expected values.
12681 
12682 	* yarrow256.c (YARROW_RESEED_ITERATIONS): New constant.
12683 	(yarrow_iterate): New function.
12684 	(yarrow_fast_reseed): Call yarrow_iterate.
12685 
12686 	* testsuite/yarrow-test.c: Added verbose flag, disabled by
12687 	default.
12688 
12689 2001-10-12  Niels Möller  <nisse@ehand.com>
12690 
12691 	* examples/nettle-benchmark.c: Added more ciphers.
12692 
12693 	* Makefile.am (SUBDIRS): Added the examples subdir.
12694 
12695 	* configure.in: Output examples/Makefile.
12696 
12697 2001-10-12  Niels Möller  <nisse@cuckoo.hack.org>
12698 
12699 	* examples/nettle-benchmark.c: New benchmarking program.
12700 
12701 2001-10-10  Niels Möller  <nisse@ehand.com>
12702 
12703 	* testsuite/yarrow-test.c: Open rfc1750.txt. Hash input and
12704 	output, and compare to expected values.
12705 
12706 	* testsuite/Makefile.am (CFLAGS): Don't disable optimization.
12707 	(run-tests): Set srcdir in the environment when running run-tests.
12708 
12709 	* testsuite/rfc1750.txt: Added this rfc as test input for yarrow.
12710 
12711 	* yarrow_key_event.c (yarrow_key_event_estimate): Check if
12712 	previous is zero.
12713 	(yarrow_key_event_init): Initialize previous to zero.
12714 
12715 	* yarrow256.c: Added some debug output.
12716 
12717 	* testsuite/yarrow-test.c (main): Better output of entropy
12718 	estimates at the end.
12719 
12720 2001-10-09  Niels Möller  <nisse@ehand.com>
12721 
12722 	* testsuite/Makefile.am (TS_PROGS): Added yarrow-test.
12723 
12724 	* testsuite/yarrow-test.c: New file.
12725 
12726 	* yarrow256.c (yarrow256_init): Initialize the sources.
12727 	(yarrow256_random): Fixed loop condition.
12728 
12729 	* yarrow.h (YARROW_KEY_EVENT_BUFFER): New constant.
12730 
12731 	* yarrow_key_event.c: New file.
12732 
12733 	* Makefile.am (libnettle_a_SOURCES): Added yarrow_key_event.c.
12734 
12735 2001-10-08  Niels Möller  <nisse@cuckoo.hack.org>
12736 
12737 	* yarrow.h (struct yarrow_key_event_ctx): New struct.
12738 
12739 	* yarrow256.c (yarrow_fast_reseed): Generate two blocks of output
12740 	using the old key and feed into the pool.
12741 
12742 	* yarrow.h (struct yarrow256_ctx): Deleted buffer, index and
12743 	block_count.
12744 
12745 	* yarrow256.c (yarrow_fast_reseed): New function.
12746 	(yarrow_slow_reseed): New function.
12747 	(yarrow256_update): Check seed/reseed thresholds.
12748 	(yarrow_gate): New function, extracted from
12749 	yarrow_generate_block_with_gate which was deleted.
12750 	(yarrow_generate_block_with_gate): Deleted function.
12751 	(yarrow256_random): Don't buffer any output, instead gate after
12752 	each request.
12753 	(YARROW_GATE_THRESHOLD): Deleted constant.
12754 
12755 2001-10-07  Niels Möller  <nisse@cuckoo.hack.org>
12756 
12757 	* Makefile.am: Added yarrow files.
12758 
12759 	* yarrow256.c: New file, implementing Yarrow. Work in progress.
12760 
12761 	* sha256.c: New file, implementing sha256.
12762 
12763 	* testsuite/Makefile.am (CFLAGS): Added sha256-test.
12764 
12765 	* testsuite/sha256-test.m4: New testcases for sha256.
12766 
12767 	* shadata.c: New file, for generating sha256 constants.
12768 
12769 	* sha.h: Renamed sha1.h to sha.h, and added declarations for
12770 	sha256.
12771 
12772 2001-10-05  Niels Möller  <nisse@ehand.com>
12773 
12774 	* testsuite/aes-test.m4: Added a comment with NIST test vectors.
12775 
12776 2001-10-04  Niels Möller  <nisse@ehand.com>
12777 
12778 	* rsa.h, rsa-compat.h, yarrow.h: New files.
12779 
12780 2001-09-25  Niels Möller  <nisse@cuckoo.hack.org>
12781 
12782 	* Released version 1.0.
12783 
12784 2001-09-25  Niels Möller  <nisse@ehand.com>
12785 
12786 	* sha1.c: Include stdlib.h, for abort.
12787 
12788 	* md5.c: Include string.h, for memcpy.
12789 
12790 	* testsuite/Makefile.am (M4_FILES): New variable. Explicitly list
12791 	those C source files that should be generated by m4.
12792 
12793 	* configure.in: Changed package name from "libnettle" to "nettle".
12794