File: ChangeLog

package info (click to toggle)
libgcrypt20 1.11.2-3
links: PTS, VCS
area: main
in suites: forky, sid
size: 19,224 kB
sloc: ansic: 181,767; asm: 57,270; sh: 13,057; makefile: 880; sed: 37
file content (21845 lines) | stat: -rw-r--r-- 912,440 bytes
parent folder | download | duplicates (2)
2025-08-04  Werner Koch  <wk@gnupg.org>

	Release 1.11.2.
	+ commit 737cc63600146f196738a6768679eb016cf866e9


2025-07-31  NIIBE Yutaka  <gniibe@fsij.org>

	Mark nonstring use cases with __nonstring__ attribute.
	+ commit db55dfb74e64520a4a1c67ecb67d4a3f31979087
	* src/gcrypt.h.in (_GCRY_GCC_ATTR_NONSTRING): New.
	* cipher/chacha20.c (chacha20_keysetup): Use _GCRY_GCC_ATTR_NONSTRING.
	* cipher/cipher-gcm-siv.c (gcm_siv_selftest): Likewise.
	* cipher/ecc.c (compute_keygrip): Likewise.
	* cipher/serpent.c (serpent_test): Likewise.
	* tests/basic.c (check_aes128_cbc_cts_cipher): Likewise.
	(_check_gcm_cipher, check_gcm_siv_cipher): Likewise.
	(check_ocb_cipher_largebuf_split, check_ocb_cipher_checksum): Likewise.
	* tests/keygrip.c (key_grips): Likewise.

2025-07-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	poly1305-p10le: use '.rodata' section for read-only data.
	+ commit c720dd8927a5c3f6b132527276fde2780067653e
	* cipher/poly1305-p10le.s: Change '.data' section to '.rodata'.

	Add missing abiversion tag for PowerPC assembly.
	+ commit 013bcc18676dfe8f3b5a7da1ff9a2de97dfc4979
	* cipher/chacha20-p10le-8x.s: Add abiversion tag.
	* cipher/poly1305-p10le.s: Likewise.
	* configure.ac (gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00): Likewise.

	Add missing machine tags for PowerPC assembly.
	+ commit 210562de650d14701356633ad7a27809e7250c49
	* cipher/chacha20-p10le-8x.s: Add "any" machine tag.
	* cipher/poly1305-p10le.s: Likewise.
	* configure.ac (gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00): Likewise.

2025-07-31  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Provide the function prototype of __udiv_qrnnd.
	+ commit aced8fd2323650f4fc85fdedcb8a28bab4792372
	* mpi/longlong.h [__alpha] (__udiv_qrnnd): Add the prototype.
	[__hppa] (__udiv_qrnnd): Likewise.
	[__sparc__] (__udiv_qrnnd): Likewise.

	cipher:ecc: Silence GCC 15 warning.
	+ commit 7ebe90e5553b59f0e5c1421f293f1ca29948ef31
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): Initialize
	ENC and ENCLEN before use.

2025-07-18  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:rsa: Fix missing initialization in generate_fips.
	+ commit 448693047fac163960f132528cff6a9d5e5444d6
	* cipher/rsa.c (generate_fips): Initialize E, P and Q.

	build: More changes to allow build with no Kyber.
	+ commit d54d834eb43453bd4749df89fa709f6429d4d5d4
	* cipher/Makefile.am (libcipher_la_SOURCES): Move kyber.c and kyber.h
	to ...
	(EXTRA_libcipher_la_SOURCES): ... here.
	* cipher/kem.c: [USE_KYBER]: Only include kyber.h when USE_KYBER.
	(_gcry_kem_genkey, _gcry_kem_encap, _gcry_kem_decap): [USE_KYBER]:
	Enable Kyber when USE_KYBER.
	* tests/keygen.c (check_kem_keys): [USE_KYBER]: Enable Kyber when
	USE_KYBER.

	build: Allow build with no Kyber.
	+ commit acd0b4347002d002bb4f141894e757da6df70c57
	* configure.ac (GCRYPT_PUBKEY_CIPHERS): It's kyber.lo.
	* tests/Makefile.am (tests_bin): [USE_KYBER]: Add t-mlkem only when
	USE_KYBER.
	* tests/t-kem.c: Allow building with no Kyber.

2025-07-17  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem: Provide each enum constant as macro.
	+ commit f7e06f8a29fc4c347016fc32f0878ad6a3ffee8e
	src/gcrypt.h.in (GCRY_KEM_CM6688128F, GCRY_KEM_DHKEM25519)
	(GCRY_KEM_DHKEM448, GCRY_KEM_DHKEMP256R1, GCRY_KEM_DHKEMP384R1)
	(GCRY_KEM_DHKEMP521R1, GCRY_KEM_RAW_BP256, GCRY_KEM_RAW_BP384)
	(GCRY_KEM_RAW_BP512, GCRY_KEM_RAW_MLKEM512, GCRY_KEM_RAW_MLKEM768)
	(GCRY_KEM_RAW_MLKEM1024, GCRY_KEM_RAW_P256K1, GCRY_KEM_RAW_P256R1)
	(GCRY_KEM_RAW_P384R1, GCRY_KEM_RAW_P521R1, GCRY_KEM_RAW_X25519)
	(GCRY_KEM_RAW_X448, GCRY_KEM_SNTRUP761): New defines.

	cipher:kem:ecc: Support secp256k1 by KEM API.
	+ commit d9ebc6c4e8b514704defd27f8115e1f6311da19c
	* src/gcrypt.h.in (GCRY_KEM_RAW_P256K1): New.
	* cipher/kem-ecc.c (algo_to_curve, algo_to_seckey_len): Support
	GCRY_KEM_RAW_P256K1.

2025-05-19  Collin Funk via Gcrypt-devel  <gcrypt-devel@gnupg.org>

	Fix missing simd-common-riscv.h in libgcrypt tarball.
	+ commit 62f84bb3040fc138f061032889574f82ce72a0bc
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add
	simd-common-riscv.h.

2025-05-15  Collin Funk  <collin.funk1@gmail.com>

	tests: Fix link errors for t-thread-local.
	+ commit a47fb91496554316045a8a62f49b1a45aef25d4c
	On platforms where pthread_create is not in libc t-thread-local fails to
	link.  Issue found on NetBSD 10.0.
	* tests/Makefile.am (t_thread_local_LDADD): Add $(standard_ldadd),
	$(GPG_ERROR_MT_LIBS), and @LDADD_FOR_TESTS_KLUDGE@.
	(t_thread_local_CFLAGS): Add $(GPG_ERROR_MT_CFLAGS).

2025-05-12  Paul Eggert  <eggert@cs.ucla.edu>

	Fix ungrammatical use of "allow to"
	+ commit a1806adc5e7f7149f044c73176fa51b96d384b5b


2025-05-07  Werner Koch  <wk@gnupg.org>

	Release 1.11.1.
	+ commit 81ce5321b1b79bde6dfdc3c164efb40c13cf656b


	Disable new constants in gcrypt.h unless used internally.
	+ commit 4d1a42d082aef66413f3ee822b0afc8b72cd7af5
	* src/gcrypt.h.in: Disable unless _GCRYPT_IN_LIBGCRYPT is defined.

2025-03-14  NIIBE Yutaka  <gniibe@fsij.org>

	Merge commit '4876a1a4' into LIBGCRYPT-1.11-BRANCH.
	+ commit a6267ad91dcdff34e2a7c0fc8fbfcfb90a04be59


	cipher:kyber: No change ABI/API for gcry_kem_genkey.
	+ commit f3bad2deb0246f9f70c0aaae5d210148d9090193
	* src/gcrypt.h.in (gcry_kem_genkey): Revert the change.
	* src/libgcrypt.def (gcry_kem_genkey): Likewise.
	* src/libgcrypt.vers (gcry_kem_genkey): Likewise.
	* src/visibility.c (gcry_kem_genkey): Likewise.
	* src/visibility.h (gcry_kem_genkey): Likewise.

2025-03-13  NIIBE Yutaka  <gniibe@fsij.org>

	doc: Add about GCRYCTL_FIPS_SERVICE_INDICATOR.
	+ commit 636f40cb78587635ef663bfc3430937cf140f245
	* doc/gcrypt.texi (GCRYCTL_FIPS_SERVICE_INDICATOR): Add a description.
	(GCRYCTL_FIPS_REJECT_NON_FIPS): Likewise.

	fips: Fix GCRY_FIPS_FLAG_REJECT_MD.
	+ commit b9eb8f4cb81801d68580627ad2188607a8c5f2ec
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_MD): Include SHA1.

2025-03-11  NIIBE Yutaka  <gniibe@fsij.org>
	    Lucas Mulling  <lucas.mulling@suse.com>

	md: Make SHA-1 non-FIPS internally for 1.12 API.
	+ commit 4ee91a94bcdad32aed4364d09e3daf8841fa579f
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_MD_SHA1): New.
	* cipher/md.c (check_digest_algo_spec, _gcry_md_open, md_enable)
	(_gcry_md_enable, md_copy): Care about SHA1.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Make SHA1 non-FIPS.
	* tests/t-fips-service-ind.c (check_mac_o_w_r_c): SHA1 is non-FIPS.
	(check_md_o_w_r_c, check_hash_buffer, check_hash_buffers): Likewise.
	(main): Add GCRY_FIPS_FLAG_REJECT_MD_SHA1 for gcry_control.

2025-03-06  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Use const-time modular exponentiation on 64-bit arch.
	+ commit 71d17c0b4c01728aec2b587a85a60354ba67f354
	* mpi/mpi-pow.c (USE_ALGORITHM_LLI_EXPONENTIATION): Enable on 64-bit.
	* src/global.c (print_config): Fix to "mpi-powm".

	cipher,fips: Fix for random-override.
	+ commit ca8bf05e111b41e482a2a4b34cda6bcf5aa1f27e
	* cipher/pubkey-util.c (gcry_pk_util_data_to_mpi): Keep
	the behavior of 1.10.
	* src/visibility.c (gcry_pk_random_override_new): Likewise.
	* tests/t-fips-service-ind.c (main): Use GCRY_FIPS_FLAG_REJECT_PK_FLAGS.

2025-03-06  Lucas Mulling via Gcrypt-devel  <gcrypt-devel@gnupg.org>

	cipher,visibility: Differentiate use of random-override in the SLI.
	+ commit 234eb316b0a04c50e8511a570775ded45060f18b
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi,
	_gcry_pk_single_data_push, _gcry_pk_util_free_encoding_ctx):
	Differentiate use of random-override in the SLI.
	* src/visibility.c (gcry_pk_random_override_new):
	Differentiate use explicit random override in the SLI.

2025-03-06  NIIBE Yutaka  <gniibe@fsij.org>

	cipher,ecc: Fix for supplied K.
	+ commit 755e6dce727915249cbb1a98f22832d940b99c24
	* cipher/ecc.c (ecc_sign): Check if it's under FIPS mode.
	(ecc_verify): Supplied K does no sense for verification, but add
	comment of clarification mark/reject-ing under FIPS mode.

	fips,cipher: Add GCRY_FIPS_FLAG_REJECT_PK_FLAGS.
	+ commit 0414e126b939f0b11ecf441908d923e87c1caf02
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_PK_FLAGS): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Keep the
	behavior of 1.10.
	* cipher/rsa.c (rsa_decrypt, rsa_sign): Likewise.

2025-03-05  Lucas Mulling via Gcrypt-devel  <gcrypt-devel@gnupg.org>

	cipher: Differentiate no-blinding flag in the SLI.
	+ commit cc0a40bd74120dc06fd80f163b30abb91f60b63b
	* cipher/rsa.c (rsa_decrypt, rsa_encrypt): Differentiate use of flag
	no-blinding in the service level indicator.

	cipher: Differentiate igninvflag in the SLI.
	+ commit 3bdb59c21b77711cf7d44d692a7a02f5f469033e
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Differentiate use
	of igninvflag.

2025-03-04  Lucas Mulling via Gcrypt-devel  <gcrypt-devel@gnupg.org>

	cipher: Differentiate use of label K in the SLI.
	+ commit 2f6d2db1a4c28775a568c1f81ca127d2daebaf1c
	* cipher/ecc.c (ecc_sign, ecc_verify): Use of label K is not allowed in
	fips mode, differentiate with the GCRY_FIPS_FLAG_REJECT_PK_ECC_K flag.
	* src/gcrypt.h.in: New GCRY_FIPS_FLAG_REJECT_PK_ECC_K.
	* tests/t-fips-service-ind.c (check_pk_hash_sign_verify): Mark non
	compliant use of label.

	cipher: Add KAT for non-rfc6979 ECDSA with fixed k.
	+ commit be57179f42f8a7cb64f72f73ccea753400573b4f
	* cipher/ecc.c (run_selftests): Implement KAT for non-deterministic
	ECDSA.
	* cipher/ecc. (rfc6979_ecdsa_sample_data, rfc6979_ecdsa_sample_data_bad,
	rfc6979_ecdsa_data_tmpl): New.

2025-03-04  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Allow tests with !USE_RSA.
	+ commit 8404a048b7c58eb903717e09cffaa7735f7d8520
	* tests/t-fips-service-ind.c [USE_RSA] (check_pk_s_v): Ifdef-out.

	fips,cipher: Do the computation when marking non-compliant.
	+ commit 54a6617b3679cfeb6d986ddf3c9c73641929f02c
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Continue the computation
	when marking non-compliant.
	* cipher/pubkey.c (_gcry_pk_encrypt, _gcry_pk_sign): Likewise.
	(_gcry_pk_sign_md, _gcry_pk_verify, _gcry_pk_verify_md): Likewise.
	(_gcry_pk_testkey): Likewise.

2025-02-26  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Update t-fips-service-ind using GCRY_MD_SHA256 for KDF tests.
	+ commit e5989e08a556117ec3f19f098765963358b71051
	* tests/t-fips-service-ind.c (check_kdf_derive): Use GCRY_MD_SHA256.

	md: Use check_digest_algo_spec in _gcry_md_selftest.
	+ commit ce4755d5c5500cede6d7d380fdab2d15f5d77796
	* cipher/md.c (check_digest_algo_spec): New.
	(check_digest_algo): Use check_digest_algo_spec.
	(_gcry_md_selftest): Likewise.

	md: Fix gcry_md_algo_info to mark/reject under FIPS mode.
	+ commit 2f17a98a80b155e750ab77d4703e33612e545d58
	* cipher/md.c (check_digest_algo): Fix for marking non-compliance.
	* src/visibility.c (gcry_md_algo_info): Add check with
	fips_is_operational.

2025-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:rsa: Mark/reject SHA1/unknown with RSA signature generation.
	+ commit 60e5039793c2474d29ded039cf1a6b8107733a20
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_encode_raw_for_sig): We can't
	determine if it's compliant when raw PKCS1 encoding is used.
	(_gcry_rsa_pss_encode): Add the behavior of marking non-compliant use.
	(_gcry_rsa_pss_verify): Likewise.
	* cipher/rsa.c (rsa_sign): Handle the check for SHA1.
	(rsa_verify): Likewise.
	* tests/t-fips-service-ind.c (check_pk_s_v): Add use cases for RSA
	and Ed25519.

	Revert "md: Make SHA1 non-FIPS and differentiate in the SLI"
	+ commit 1e815a00c302921adb9b41b372a8f6f908e23620
	This reverts commit 13a71215c255377863b0154ac602c86fe5450c49.

	cipher:(EC)DSA: Simply use mpi_clear_highbit in _gcry_dsa_gen_k.
	+ commit 54caef02afa90ad43d70f5772cd5550bb2055555
	* cipher/dsa-common.c (_gcry_dsa_gen_k): Use mpi_clear_highbit.

	mpi: Avoid normalizing MPI in _gcry_mpi_invm.
	+ commit c1da86e45a6e9c462cdb511c4c9c7fd375da1303
	* mpi/mpi-inv.c (_gcry_mpi_invm): Use _gcry_mpih_cmp_ui.

2025-02-20  NIIBE Yutaka  <gniibe@fsij.org>

	cipher,mpi: Expose some MPI helper functions by mpi.h.
	+ commit 88ae76d069c331ad947ecab8419df9a00f979b0e
	* cipher/dsa-common.c: Don't include mpi-internal.h.
	* mpi/mpi-inline.h (_gcry_mpih_add_lli): Move this to ...
	* src/mpi.h (_gcry_mpih_add_lli): ... here.
	(_gcry_mpih_rshift, _gcry_mpih_add_n_cond): Add.
	(_gcry_mpih_cmp_ui, _gcry_mpih_cmp_lli): Add.
	(_gcry_mpih_add_n): Add.
	* mpi/mpi-internal.h (_gcry_mpih_cmp_ui, _gcry_mpih_cmp_lli): Remove.

2025-02-19  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix _gcry_mpih_add_lli, as macro.
	+ commit bd53c51b03383ade2b63132d0034a75ab526c546
	* mpi/mpi-inline.h (_gcry_mpih_add_lli): Use _gcry_mpih_add_n.
	* mpi/mpi-internal.h (_gcry_mpih_add_lli): Remove.
	* mpi/mpih-const-time.c (_gcry_mpih_add_lli): Remove.

2025-02-18  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add MPI helper modular exponentiation, Least Leak Intended.
	+ commit 2039d93289dbc1a90089466390777c756660ba5a
	* mpi/Makefile.am (libmpi_la_SOURCES): Add mpih-pow.c.
	* mpi/mpi-internal.h (_gcry_mpih_powm_lli): New.
	* mpi/mpi-pow.c (_gcry_mpi_get_powm_config): New.
	(USE_ALGORITHM_LLI_EXPONENTIATION): New, enabled as default.
	[USE_ALGORITHM_LLI_EXPONENTIATION] (_gcry_mpi_powm): Call
	_gcry_mpih_powm_lli when it's on secure memory.
	* mpi/mpih-pow.c (_gcry_mpih_powm_lli): New.
	* src/gcrypt-int.h (_gcry_mpi_get_powm_config): New.
	* src/global.c (print_config): Call _gcry_mpi_get_powm_config.

	mpi: Add MPH helper of table lookup, Least Leak Intended.
	+ commit 8fd2aab881c733a29c26459ed1d1d7f234728314
	* mpi/mpi-internal.h (ct_limb_select): New.
	(_gcry_mpih_lookup_lli): New.
	* mpi/mpih-const-time.c (_gcry_mpih_lookup_lli): New.

	cipher:(EC)DSA: Fix _gcry_dsa_gen_*k not to normalize MPI.
	+ commit bb5e893456b10c8a4fa336a281bf3008c0f9eb5e
	* cipher/dsa-common.c (_gcry_dsa_gen_k): Use _gcry_mpih_cmp_lli
	and _gcry_mpih_cmp_ui.
	(_gcry_dsa_gen_rfc6979_k): Likewise.

	cipher:(EC)DSA: Avoid MPI normalize by mpi_rshift.
	+ commit 0b794c208db39d959f8f532bc9920daefa853d2a
	* cipher/dsa-common.c (_gcry_dsa_gen_rfc6979_k): Use
	_gcry_mpi_set_buffer and _gcry_mpih_rshift, instead of _gcry_mpi_scan
	and mpi_rshift.

	cipher:(EC)DSA: Fix _gcry_dsa_modify_k to least leak.
	+ commit d05cdb31689a45733751393a819a71c7c3386675
	* cipher/dsa-common.c (_gcry_dsa_modify_k): Use _gcry_mpih_add_lli.

2025-02-17  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add _gcry_mpih_add_lli.
	+ commit 58e72af4eac4711993191919b6890b5ebb554acc
	* mpi/mpi-internal.h (_gcry_mpih_add_lli): New.
	* mpi/mpih-const-time.c (_gcry_mpih_add_lli): New.

2025-02-17  NIIBE Yutaka  <gniibe@fsij.org>
	    Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: Add _gcry_mpih_cmp_lli, Least Leak Intended.
	+ commit 459a6c9c81ee28ddf5baa9fe47f3138fd34334d5
	* mpi/mpi-internal.h (_gcry_mpih_cmp_lli): New.
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_lli): New.

	mpi: Add _gcry_mpih_add_1_lli as Least Leak Intended.
	+ commit 06de5bc277532d1ef42b81464af81d2a22b90ad4
	* mpi/mpi-inline.h (_gcry_mpih_add_1_lli): New.

2025-02-14  Lucas Mulling  <lucas.mulling@suse.com>

	md: Make SHA1 non-FIPS and differentiate in the SLI.
	+ commit 13a71215c255377863b0154ac602c86fe5450c49
	* cipher/md.c (_gcry_md_open, md_enable, _gcry_md_enable, md_copy):
	Differentiate SHA1.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Make SHA1 not FIPS.
	* src/fips.c (_gcry_fips_indicator_mac, _gcry_fips_indicator_md,
	run_digest_selftests, run_mac_selftests): Differentiate SHA1.
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_MD_SHA1): New.
	* tests/basic.c: (check_pubkey_sign): Use sha256 for baddata, add
	FLAG_NOFIPS to non FIPS compliant tests that use SHA1, and improve error
	messages.
	* tests/pkcs1v2.c (main): Skip tests in FIPS mode.
	* tests/t-fips-service-ind.c (check_kdf_derive): Use sha256 as pbkdf2
	subalgo.
	* tests/t-fips-service-ind.c (check_mac_o_w_r_c): Check for rejection of
	SHA1 test cases if in FIPS mode.

2025-02-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpih-const-time: fix return value for _gcry_mpih_cmp_ui.
	+ commit 957ac97097d0960a621ea1ea9f751b422afa8949
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Return '1' when
	upper part of MPI is not all zeros.
	* tests/mpitests.c (test_invm_cmpui, test_invm): Add tests
	for gcry_mpi_invm().

2025-02-12  Lucas Mulling  <lucas.mulling@suse.com>

	cipher: Don't differentiate GCRY_CIPHER_MODE_CMAC in FIPS mode.
	+ commit 608ff4b2261e2d8961f0ef4189e74b1173b2802c
	* cipher/cipher.c (_gcry_cipher_mode_fips_compliance): Allow
	GCRY_CIPHER_MODE_CMAC in fips mode.
	* cipher/cipher.c (cipher_modes_fips_compliance)
	(cipher_int_modes_fips_compliance): New.

	cipher: Rename _gcry_cipher_is_mode_fips_compliant.
	+ commit 6b0fbb7e5e0da77787e3a87d74359ee21c44904e
	* cipher/cipher.c (_gcry_cipher_is_mode_fips_compliant): Rename to
	_gcry_cipher_mode_fips_compliance for better clarity and change the
	return type to gcry_err_code_t.
	* cipher/cipher.c (_gcry_cipher_mode_fips_compliance): Use
	gcry_cipher_modes instead of int for mode.
	* tests/t-fips-service-ind.c (check_cipher_o_s_e_d_c): Fix typo in fail.

2025-02-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/longlong: prevent optimization of carry instructions to branches.
	+ commit dd480b1e797463f71a7e69e9509833ff7a923bd6
	* mpi/longlong.h: Include "const-time.h"
	(add_ssaaaa, sub_ddmmss): Prevent optimization of carry handling to
	conditional branches in generic variant of double width addition and
	subtraction as was seen with GCC on riscv64.
	(umul_ppmm): Avoid conditional branch in generic 16x16=>32bit
	multiplication version of umul_ppmm.
	* src/const-time.h (CT_DEOPTIMIZE_VAR): New.

	mpih-const-time: avoid branches in _gcry_mpih_cmp_ui.
	+ commit 9c658cc8214f277d43b18d722bbc316972802d47
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Avoid conditional
	branches for return value selection.

2025-02-06  NIIBE Yutaka  <gniibe@fsij.org>

	Fix _gcry_dsa_modify_k.
	+ commit 35a6a6feb9dcd0f4650a0fe73eb2581f481602c6
	* cipher/dsa-common.c (_gcry_dsa_modify_k): Don't use ! to negate the
	logical value.

2025-02-03  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Rename _gcry_mpih_mod as the one of Least Leak Intended.
	+ commit ff6c905bea7b2fb5526423ec9fba53f8d08f014b
	* mpi/mpi-internal.h (mpih_mod_lli): Add _lli suffix.
	(_gcry_mpih_mod_lli): Likewise.
	* mpi/mpih-const-time.c (_gcry_mpih_mod_lli): Rename.
	* mpi/mpi-inv.c (_gcry_mpi_invm): Follow the change.

	mpi: Add _gcry_mpih_mul_lli as Least Leak Intended.
	+ commit 5c5089ba36205ee5af0c83eec782eac68bf55d2e
	* mpi/mpi-internal.h (_gcry_mpih_mul_lli): New.
	* mpi/mpih-mul.c (_gcry_mpih_mul_lli): New.

2025-01-31  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:prime: Fix long standing bug for PRIME % 2 == 0.
	+ commit 639b0fca15054f18c83fe3a6132a7765e558b984
	* cipher/primegen.c (check_prime): Check if it's even.

2025-01-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SHA3 acceleration for RISC-V Zbb extension.
	+ commit 1a660068ba5b58861de2c71b119ae2b6b6db0263
	* cipher/keccak.c (USE_RISCV_ZBB): New.
	[NEED_COMMON64, HAVE_GCC_INLINE_ASM_RISCV] (load_aligned_u64)
	(HAVE_ALIGNED_ABSORB_LANES64, aligned_absorb_lanes64_8)
	(aligned_absorb_lanes64_4, aligned_absorb_lanes64_2)
	(aligned_absorb_lanes64_1, HAVE_ALIGNED_EXTRACT64)
	(aligned_extract64): New.
	[NEED_COMMON64] (keccak_extract64): Add 'aligned_extract64' path.
	[USE_64BIT] (absorb_lanes64_8, absorb_lanes64_4, absorb_lanes64_2)
	(absorb_lanes64_1): Rename these functions to …
	[USE_64BIT] (unaligned_absorb_lanes64_8, unaligned_absorb_lanes64_4)
	(unaligned_absorb_lanes64_2, unaligned_absorb_lanes64_1): … these.
	[USE_64BIT] (absorb_lanes64_21, absorb_lanes64_18, absorb_lanes64_17)
	(absorb_lanes64_13, absorb_lanes64_9): New.
	[USE_RISCV_ZBB]: (ANDN64, ROL64, keccak_riscv_zbb_64_ops): New.
	(keccak_init) [USE_RISCV_ZBB]: Use 'keccak_riscv_zbb_64_ops' if
	HWF_RISCV_IMAFDC and HWF_RISCV_ZBB available.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): Use
	absorb_lanes64_21, absorb_lanes64_18, absorb_lanes64_17,
	absorb_lanes64_13 and absorb_lanes64_9.

	chacha20: add RISC-V vector intrinsics implementation.
	+ commit 8dbee93ac2f1bba095a0519a6e0656319cfddfa4
	* cipher/Makefile.am: Add 'chacha20-riscv-v.c' and
	add ENABLE_RISCV_VECTOR_INTRINSICS_EXTRA_CFLAGS handling for
	'chacha20-riscv-v.o' and 'chacha20-riscv-v.lo'.
	* cipher/chacha20-riscv-v.c: New.
	* cipher/chacha20.c (USE_RISCV_V): New.
	(CHACHA20_context_s): Add 'use_riscv_v'.
	[USE_RISCV_V] (_gcry_chacha20_riscv_v_blocks)
	(_gcry_chacha20_riscv_v_check_hw): New.
	(chacha20_blocks) [USE_RISCV_V]: Add RISC-V vector code path.
	(chacha20_do_setkey) [USE_RISCV_V]: Add HW feature detection for
	RISC-V vector implementation.
	* configure.ac: Add 'chacha20-riscv-v.lo'.

	Add GHASH RISC-V Zbb+Zbc implementation.
	+ commit 0f1fec12b0e9c952afaf78d3c973df41627cb3ff
	* cipher/Makefile.am: Add 'cipher-gcm-riscv-zbb-zbc.c'.
	* cipher/cipher-gcm-riscv-zbb-zbc.c: New.
	* cipher/cipher-gcm.c [GCM_USE_RISCV_ZBB_ZBC]
	(_gcry_ghash_setup_riscv_zbb_zbc, _gcry_ghash_riscv_zbb_zbc): New.
	(setupM) [GCM_USE_RISCV_ZBB_ZBC]: Check for HWF_RISCV_IMAFDC,
	HWF_RISCV_ZBB and HWF_RISCV_ZBC to enable RISC-V Zbb+Zbc implementation.
	* cipher/cipher-internal.h (GCM_USE_RISCV_ZBB_ZBC): New.
	* configure.ac: Add 'cipher-gcm-riscv-zbb-zbc.lo'.

	Add RISC-V vector permute AES.
	+ commit b24ebd61630486600530ebfc2cc81634a0fb373e
	* cipher/Makefile.am: Add 'rinjdael-vp-riscv.c' and
	CFLAG handling for 'rijndael-vp-riscv.o' and 'rijndael-vp-riscv.lo'.
	(ENABLE_RISCV_VECTOR_INTRINSICS_EXTRA_CFLAGS): New.
	* cipher/rijndael-internal.h (USE_VP_RISCV): New.
	* cipher/rijndael-vp-simd128.h [__ARM_NEON]: Move ARM NEON macros to ...
	* cipher/rijndael-vp-aarch64.c: ... here.
	* cipher/rijndael-vp-riscv.c: New.
	* cipher/rijndael-vp-simd128.h: Use '__m128i_const' type for constant
	vector values and use *_amemld() macros to load these values to vector
	registers.
	[__x86_64__] (vpaddd128, vpaddb128): Remove.
	[__x86_64__] (psrl_byte_128, movdqa128_memld, pand128_amemld)
	(paddq128_amemld, paddd128_amemld, pshufb128_amemld): New.
	[HAVE_SIMD256] (aes_encrypt_core_4blks_simd256)
	(aes_decrypt_core_4blks_simd256): New.
	(FUNC_CTR_ENC, FUNC_CTR32LE_ENC, FUNC_CFB_DEC, FUNC_CBC_DEC)
	(aes_simd128_ocb_enc, aes_simd128_ocb_dec, FUNC_OCB_AUTH)
	(aes_simd128_ecb_enc, aes_simd128_ecb_dec, aes_simd128_xts_enc)
	(aes_simd128_xts_dec) [HAVE_SIMD256]: Add 4 block parallel code paths
	for HW with 256-bit wide vectors.
	* cipher/rijndael.c [USE_VP_RISCV]
	(_gcry_aes_vp_riscv_setup_acceleration, _gcry_aes_vp_riscv_do_setkey)
	(_gcry_aes_vp_riscv_prepare_decryption, _gcry_aes_vp_riscv_encrypt)
	(_gcry_aes_vp_riscv_decrypt, _gcry_aes_vp_riscv_cfb_enc)
	(_gcry_aes_vp_riscv_cbc_enc, _gcry_aes_vp_riscv_ctr_enc)
	(_gcry_aes_vp_riscv_ctr32le_enc, _gcry_aes_vp_riscv_cfb_dec)
	(_gcry_aes_vp_riscv_cbc_dec, _gcry_aes_vp_riscv_ocb_crypt)
	(_gcry_aes_vp_riscv_ocb_auth, _gcry_aes_vp_riscv_ecb_crypt)
	(_gcry_aes_vp_riscv_xts_crypt): New.
	(do_setkey) [USE_VP_RISCV]: Setup vector permute AES for RISC-V with
	HWF_RISCV_IMAFDC and HWF_RISCV_V.
	* cipher/simd-common-riscv.h: New.
	* configure.ac: Add 'rijndael-vp-riscv.lo'.
	(gcry_cv_cc_riscv_vector_intrinsics)
	(gcry_cv_cc_riscv_vector_intrinsics_cflags): New.

	bithelp: add count trailing zero bits variant for RISC-V.
	+ commit 60104c2f92dc0d89bc67aa12a403533a65c34a2f
	* cipher/bithelp.h (_gcry_ctz_no_zero): New.
	(_gcry_ctz): Use '_gcry_ctz_no_zero'.
	* cipher/cipher-internal.h (ocb_get_l): Use '_gcry_ctz_no_zero'.

	hwf: add detection of RISC-V (64-bit) hardware features.
	+ commit df9de2a5e5a847fa4f11a923cf3397bf1cf7a562
	* configure.ac
	(gcry_cv_gcc_inline_asm_riscv, gcry_cv_gcc_inline_asm_riscv_v)
	(HAVE_GCC_INLINE_ASM_RISCV_V, HAVE_CPU_ARCH_RISCV): Add RISC-V
	detection support.
	* mpi/config.links: Add setup for RISC-V links.
	* src/Makefile.am: Add 'hwf-riscv.c'.
	* src/g10lib.h (HWF_RISCV_IMAFDC, HWF_RISCV_V, HWF_RISCV_ZBB)
	(HWF_RISCV_ZBC): New.
	* src/hwf_common.h (_gcry_hwf_detect_riscv): New.
	* src/hwf-riscv.c: New.
	* src/hwfeatures.c: Add "riscv-imafdc", "riscv-v", "riscv-zbb",
	and "riscv-zbc".

2025-01-27  Lucas Mulling  <lucas.mulling@suse.com>

	cipher: Check and mark non-compliant cipher modes in the SLI.
	+ commit 9f0fd2656d7d7ba26fcf95cc64d2514ae9ac8ec1
	* cipher/cipher.c (_gcry_cipher_open_internal): Check and mark if the
	cipher mode is compliant and reject accordingly.
	(_gcry_cipher_is_mode_fips_compliant): New.
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_CIPHER_MODE): New.
	* tests/t-fips-service-ind.c (check_cipher_o_s_e_d_c): Add test to
	verify that the service level indication is correctly set for non-
	compliant cipher modes, and correctly rejected if
	GCRY_FIPS_FLAG_REJECT_CIPHER_MODE is set.

2025-01-16  NIIBE Yutaka  <gniibe@fsij.org>

	Remove WindowsCE support.
	+ commit 24a2ca672b2198d3f420399bd01cc626d9de99f8
	* compat/clock.c, compat/getpid.c, random/rndw32ce.c: Remove.
	* compat/Makefile.am: Remove comment for clock.c and getpid.c.
	* compat/libcompat.h: Remove replacement functions.
	* configure.ac (GPG_ERR_ENABLE_ERRNO_MACROS): Remove.
	(have_w32ce_system, HAVE_W32CE_SYSTEM): Remove.
	(AC_REPLACE_FUNCS): Remove.
	(USE_RNDW32CE): Remove.
	* random/Makefile.am (EXTRA_librandom_la_SOURCES): Remove rndw32ce.c.
	* random/random-csprng.c [USE_RNDW32CE] (getfnc_gather_random):
	Remove WindowsCE support.
	(getfnc_fast_random_poll): Likewise.
	* src/Makefile.am [HAVE_W32CE_SYSTEM]: Remove WindowsCE support.
	* src/dumpsexp.c [__MINGW32CE__]: Remove WindowsCE support.
	* tests/stopwatch.h [__MINGW32CE__] (start_timer, stop_timer): Remove
	WindowsCE support.

2025-01-09  NIIBE Yutaka  <gniibe@fsij.org>

	build: Improve __thread specifier check.
	+ commit 42e8858566e32080aaf818b168f34c698a9ef084
	* configure.ac (AC_COMPILE_IFELSE __thread): Move the declaration to
	global, referring the variable with (void) in main to avoid an error
	buidling with -Werror=unused-variable.  Don't need to include
	stdlib.h.

2025-01-06  NIIBE Yutaka  <gniibe@fsij.org>

	fips,cipher: Fix memory leak for gcry_pk_hash_sign.
	+ commit 5e925e6c348450bf80b4560abac9a035903bff59
	* cipher/pubkey.c (prepare_datasexp_to_be_signed): Release
	copied HD when error.

2024-12-26  NIIBE Yutaka  <gniibe@fsij.org>

	fips,ecc: Check DATA in gcry_pk_sign/verify in FIPS mode.
	+ commit 53c97483b17fee280e24f595bc0d82d9b362ffde
	* src/gcrypt.h.in (GCRY_FIPS_FLAG_REJECT_PK_MD): New.
	(GCRY_FIPS_FLAG_REJECT_PK_GOST_SM2): New.

	* cipher/ecc.c (ecc_sign): Check if GOST or SM2.  Check if hash is
	compliant.
	(ecc_verify): Likewise.
	* tests/t-fips-service-ind.c (check_pk_s_v): Modify tests including
	hash compliance.

2024-12-24  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add more tests to tests/t-fips-service-ind.
	+ commit d71c88f78a4f1b72f92de90791fc6fe81a3cb861
	* tests/t-fips-service-ind.c (check_pk_g_t_n_c, check_pk_s_v): New.
	(main): Call check_pk_g_t_n_c and check_pk_s_v.

	fips,ecc: Add rejecting or marking for gcry_pk_get_curve.
	+ commit c6a092abbe7bea315394b15f28fd231dae0e4d7c
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Check under FIPS mode.

2024-12-20  NIIBE Yutaka  <gniibe@fsij.org>

	fips,cipher: Add behavior not to reject but mark non-compliant.
	+ commit a776b692669af7a6c089779989b626c4795e30b0
	* cipher/dsa.c (dsa_check_keysize): Check reject flag for rejection,
	or mark non-comliant in FIPS mode.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
	* cipher/ecc.c (ecc_sign, ecc_verify): Likewise.
	* cipher/pubkey.c (_gcry_pk_encrypt, _gcry_pk_sign): Likewise.
	(_gcry_pk_verify, _gcry_pk_testkey, _gcry_pk_genkey): Likewise.
	(_gcry_pk_get_nbits, _gcry_pk_get_curve): Likewise.
	* src/visibility.c (gcry_pk_encrypt): Initialize the indicator.
	(gcry_pk_decrypt, gcry_pk_sign, gcry_pk_verify): Likewise.
	(gcry_pk_testkey, gcry_pk_genkey), gcry_pk_get_nbits)
	(gcry_pk_get_curve): Likewise.

	fips: Rejection by GCRYCTL_FIPS_REJECT_NON_FIPS, not by open flags.
	+ commit d060dd58b82882dec0d8bfcc593536bc0083b4b1
	* src/gcrypt.h.in (GCRY_CIPHER_FLAG_REJECT_NON_FIPS): Remove.
	(GCRY_MD_FLAG_REJECT_NON_FIPS): Remove.
	(GCRY_MAC_FLAG_REJECT_NON_FIPS): Remove.
	* tests/t-fips-service-ind.c: Update tests with
	GCRYCTL_FIPS_REJECT_NON_FIPS.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey): Use
	fips_check_rejection.
	* cipher/mac.c (mac_open): Likewise.
	* cipher/md.c (struct gcry_md_context): Remove reject_non_fips.
	(md_open, md_enable): Use fips_check_rejection.
	(_gcry_md_enable, md_copy): Likewise.

2024-12-19  NIIBE Yutaka  <gniibe@fsij.org>

	Fix the previous change.
	+ commit b4eb23dc01a40e13d542fbfc5169dffa7fae5677
	* cipher/pubkey.c (_gcry_pk_sign_md): Fix memory leak.
	(_gcry_pk_verify_md): Likewise.

	fips: Introduce GCRYCTL_FIPS_REJECT_NON_FIPS.
	+ commit e52adf0948c60b2e9accd7996fcece0f9b443763
	* src/gcrypt.h.in (GCRYCTL_FIPS_REJECT_NON_FIPS): New.
	(GCRY_FIPS_FLAG_REJECT_*): New.
	* src/fips.c (struct gcry_thread_context): Add flags_reject_non_fips.
	(the_tc): Add initial value.
	(_gcry_thread_context_set_reject): New.
	(_gcry_thread_context_check_rejection): New.
	* src/gcrypt-int.h (fips_check_rejection): New.
	* src/global.c (_gcry_vcontrol): Handle GCRYCTL_FIPS_REJECT_NON_FIPS.
	* tests/t-fips-service-ind.c (main): Use GCRYCTL_FIPS_REJECT_NON_FIPS.

2024-12-18  NIIBE Yutaka  <gniibe@fsij.org>

	fips,cipher: Implement FIPS service indicator for gcry_pk_hash_ API.
	+ commit edb43bc290046bd22548bf69ae2fbeb453112e44
	* src/visibility.c (gcry_pk_hash_sign): Initialize the indicator.
	(gcry_pk_hash_verify): Likewise.
	* tests/t-fips-service-ind.c (check_pk_hash_sign_verify): New.
	(main): Call check_pk_hash_sign_verify.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't reject, but
	mark non-compliance.
	* cipher/pubkey.c (prepare_datasexp_to_be_signed): Likewise.
	(_gcry_pk_sign_md, _gcry_pk_verify_md): Likewise.

	fips,md: gcry_md_copy should care about FIPS service indicator.
	+ commit 60db2a175d120aba6818de49638b36006878abf7
	* cipher/md.c (md_copy): In a case of non-compliant, mark with
	fips_service_indicator_mark_non_compliant.
	* src/visibility.c (gcry_md_copy): Initialize the indicator.

2024-12-17  NIIBE Yutaka  <gniibe@fsij.org>

	tests,fips: Add gcry_cipher_open tests.
	+ commit cfd2d2f41ad4aef40d83f8f7237d1da13c7e240c
	* tests/t-fips-service-ind.c (check_cipher_o_s_e_d_c): New.
	(main): Call check_cipher_o_s_e_d_c.

2024-12-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests,fips: Move KDF tests to t-fips-service-ind.
	+ commit b59bde31ded9e829e2a53ddb8c533bf35a144972
	* tests/t-fips-service-ind.c (check_kdf_derive): Move from...
	* tests/t-kdf.c (check_fips_gcry_kdf_derive): ... here.

	tests,fips: Rename t-fips-service-ind.
	+ commit 132f346232b33fe41ffee3b3870ec189626676e7
	* tests/t-fips-service-ind.c: Rename from t-digest.c.
	* tests/Makefile.am (tests_bin): Follow the change.

	tests,fips: Add gcry_mac_open tests.
	+ commit c4f75014cb8af732f87c02fe7c2e7a488fe71c6d
	* tests/t-digest.c (check_mac_o_w_r_c): New.
	(main): Call check_mac_o_w_r_c.

	fips,cipher: Implement new FIPS service indicator for cipher_open.
	+ commit 69a5d0ed18a3ddc6f297de783c7cef5ad2257df0
	* src/gcrypt.h.in (GCRY_CIPHER_FLAG_REJECT_NON_FIPS): New.
	* cipher/cipher.c (_gcry_cipher_open_internal): Don't reject
	but mark the service indicator in FIPS mode.
	(cipher_setkey): Likewise.
	* src/visibility.c (gcry_cipher_open): Initialize the service
	indicator.
	(gcry_cipher_setkey): Likewise.

	fips,mac: Implement new FIPS service indicator for gcry_mac_open.
	+ commit fcb0c7004b0b6b318fdcced2bf61d9acb1e28cfc
	* src/gcrypt.h.in (GCRY_MAC_FLAG_REJECT_NON_FIPS): New.
	* cipher/mac.c (mac_open): Have FLAGS, instead of SECURE.  Reject when
	GCRY_MAC_FLAG_REJECT_NON_FIPS, otherwise, mark non compliant.
	(_gcry_mac_open): Follow the change.
	* src/visibility.c (gcry_mac_open): Add initialization for FIPS
	service indicator.
	(gcry_mac_setkey): Likewise.  Don't reject but mark.

2024-12-13  NIIBE Yutaka  <gniibe@fsij.org>

	fips,tests: Add tests for md_open/write/read/close for t-digest.
	+ commit 917fc6000dfebd8854f0d1c220b85dec0dbf4676
	* tests/t-digest.c (check_md_o_w_r_c): New.
	(main): Call check_md_o_w_r_c.

	fips,md: Implement new FIPS service indicator for gcry_md_open API.
	+ commit 9757e280794f537efc82c4eaa9a2944ece6a068a
	* src/gcrypt.h.in (GCRY_MD_FLAG_FIPS_NO_REJECTION): Remove.
	(GCRY_MD_FLAG_REJECT_NON_FIPS): New.
	* cipher/md.c (struct gcry_md_context): Add reject_non_fips.
	(md_enable): Remove NO_REJECT argument.
	(md_open): Change the FLAGS handling.
	(_gcry_md_open): Add checking of FIPS compliance against ALGO.
	(_gcry_md_enable): Likewise.
	(_gcry_md_hash_buffer): Follow the change of md_open change
	which now defaults to no rejection.
	(_gcry_md_hash_buffers_extract): Likewise.
	* src/visibility.c (gcry_md_open): Add fips_service_indicator_init.
	(gcry_md_enable): Likewise.
	(gcry_md_setkey): Don't reject but mark non-compliance.
	* tests/t-kdf.c (check_fips_gcry_kdf_derive): Add a test with
	non-compliant hash function.
	* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): It's not
	compliant.
	* cipher/md5.c (gcry_md_oid_spec_t oid_spec_md5): It's not compliant.
	* tests/t-digest.c (check_hash_buffer, check_hash_buffers): MD5
	tests enabled.

	fips: Change the internal API for new FIPS service indicator.
	+ commit 4799914966a7f94f41e1ed5b7b62fded7ba09704
	* src/gcrypt-int.h (fips_service_indicator_init): Initialize by 0.
	(fips_service_indicator_mark_success): Remove.
	(fips_service_indicator_mark_non_compliant): New.
	* cipher/kdf.c (_gcry_kdf_derive): Follow the change of the API.
	* cipher/md.c (_gcry_md_hash_buffer): Likewise.
	(_gcry_md_hash_buffers_extract): Likewise.

2024-12-12  Simon Josefsson  <simon@josefsson.org>

	cipher: Add script to re-generate mceliece6688128f.c.
	+ commit 47ed744465ae7461771a3ca08799264a3d32a7fd
	* cipher/mceliece6688128f.sh: Add.
	* cipher/mceliece6688128f.c: Regenerate from script.

2024-12-11  Milan Broz  <gmazyland@gmail.com>

	kdf: Fix memory cost overflow in Argon2 KDF.
	+ commit 28327dba6b5ffae4a5e33da827fe0e2b48e99adb
	* cipher/kdf.c (argon2_init) Fix memory cost overflow in Argon2 KDF.

2024-12-11  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix comment in t-thread-local.
	+ commit 75744f721d8d9c3bfc0ee1f8fec760718eb924a2
	* tests/t-thread-local.c: Fix the name.

2024-12-10  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Extend tests/t-digest to test hmac too.
	+ commit 41cbcc0f0e786364972a4df213eff1b0ae362a40
	* tests/t-digest.c (check_hash_buffer): Rename.
	(check_hash_buffers): New.
	(main): Call check_hash_buffer and check_hash_buffers.

	tests: Fix t-digest for a minimal configuration.
	+ commit 06f6aafedc9f53d54468611744c67e0b7aa13c0c
	* tests/t-digest.c (check_digests): Care about minimal configuration.

2024-12-09  NIIBE Yutaka  <gniibe@fsij.org>

	fips,tests: Add t-digest.
	+ commit 7faf542f157330f3b247fa2542182ac805f06737
	* tests/Makefile.am (tests_bin): Add t-digest.
	* tests/t-digest.c: New.

2024-12-06  NIIBE Yutaka  <gniibe@fsij.org>

	fips,md: Implement new FIPS service indicator for gcry_md_hash_*.
	+ commit 3478caac62c712547f7c0e07f4cf9602bc317997
	* cipher/md.c (md_enable): Add an NO_REJECT argument.
	(md_open): Check flags against GCRY_MD_FLAG_FIPS_NO_REJECTION to
	call md_enable.
	(_gcry_md_enable): Follow the change.
	(_gcry_md_hash_buffer): Don't reject but keep the computation.
	Call fips_service_indicator_mark_success.
	(_gcry_md_hash_buffers_extract): Likewise.
	* src/gcrypt.h.in (GCRY_MD_FLAG_FIPS_NO_REJECTION): New.
	* src/visibility.c (gcry_md_hash_buffer, gcry_md_hash_buffers): Call
	fips_service_indicator_init.
	(gcry_md_hash_buffers_ext): Likewise.

2024-12-05  NIIBE Yutaka  <gniibe@fsij.org>
	    David Sugar  <david@atsec.com>

	fips,kdf: Implement new FIPS service indicator for gcry_kdf_derive.
	+ commit 5cfa1aee5b98baf0d66333344e0fa45b79cca28b
	* cipher/kdf.c (_gcry_kdf_derive): Don't reject by GPG_ERR_INV_VALUE
	but continue the computation, clearing IS_COMPLIANT.  After successful
	computation, call fips_service_indicator_mark_success with
	IS_COMPLIANT.
	* src/visibility.c (gcry_kdf_derive): Call fips_service_indicator_init.
	* tests/t-kdf.c (check_fips_gcry_kdf_derive): New.
	(main): Call check_fips_gcry_kdf_derive.

2024-12-05  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.
	+ commit f51f4e98930e6b2175e85fe8a95b8b6a15ad5efa
	* src/fips.c (_gcry_fips_indicator): New.
	* src/g10lib.h (_gcry_fips_indicator): New.
	* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR): New.
	(gcry_get_fips_service_indicator): New.
	* src/global.c (_gcry_vcontrol): Handle GCRYCTL_FIPS_SERVICE_INDICATOR.

	fips: Introduce an internal API for FIPS service indicator.
	+ commit e1cf3123282525693b646499eb7efe4f2be4010a
	* configure.ac (HAVE_GCC_STORAGE_CLASS__THREAD): New.
	* src/fips.c (struct gcry_thread_context): New.
	(_gcry_thread_context_set_fsi, _gcry_thread_context_get_fsi): New.
	* src/gcrypt-int.h (fips_service_indicator_init): New macro.
	(fips_service_indicator_mark_success): New macro.
	* tests/Makefile.am (tests_bin): Add t-thread-local.
	* tests/t-thread-local.c: New.

2024-11-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add vector register clearing for PowerPC implementations.
	+ commit 022f44b6d894ba631cb20623a1e39267a953dff9
	* cipher/Makefile.am: Add 'simd-common-ppc.h'.
	* cipher/camellia-simd128.h
	[HAVE_GCC_INLINE_ASM_PPC_ALTIVEC]: Include "simd-common-ppc.h".
	[HAVE_GCC_INLINE_ASM_PPC_ALTIVEC] (memory_barrier_with_vec)
	(clear_vec_regs): Remove.
	* cipher/chacha20-p10le-8x.s (clear_vec_regs): New.
	(_gcry_chacha20_p10le_8x): Add clear_vec_regs.
	* cipher/chacha20-ppc.c: Include "simd-common-ppc.h".
	(chacha20_ppc_blocks1, chacha20_ppc_blocks4)
	(chacha20_poly1305_ppc_blocks4): Add clear_vec_regs.
	* cipher/cipher-gcm-ppc.c: Include "simd-common-ppc.h".
	(_gcry_ghash_setup_ppc_vpmsum, _gcry_ghash_ppc_vpmsum): Add
	clear_vec_regs.
	* cipher/poly1305-p10le.s (clear_vec_regs): New.
	(gcry_poly1305_p10le_4blocks): Add clear_vec_regs.
	* cipher/rijndael-p10le.c: Include "simd-common-ppc.h".
	(_gcry_aes_p10le_gcm_crypt): Add clear_vec_regs.
	* cipher/rijndael-ppc-common.h: Include "simd-common-ppc.h".
	* cipher/rijndael-ppc-functions.h (ENCRYPT_BLOCK_FUNC):
	(DECRYPT_BLOCK_FUNC, CFB_ENC_FUNC, ECB_CRYPT_FUNC, CFB_DEC_FUNC)
	(CBC_ENC_FUNC, CBC_DEC_FUNC, CTR_ENC_FUNC, OCB_CRYPT_FUNC)
	(OCB_AUTH_FUNC, XTS_CRYPT_FUNC, CTR32LE_ENC_FUNC): Add
	clear_vec_regs.
	* cipher/rijndael-ppc.c (_gcry_aes_ppc8_setkey)
	(_gcry_aes_ppc8_prepare_decryption): Add clear_vec_regs.
	* cipher/sha256-ppc.c: Include "simd-common-ppc.h".
	(sha256_transform_ppc): Add clear_vec_regs.
	* cipher/sha512-ppc.c: Include "simd-common-ppc.h".
	(sha512_transform_ppc): Add clear_vec_regs.
	* cipher/simd-common-ppc.h: New.
	* cipher/sm4-ppc.c: Include "simd-common-ppc.h".
	(sm4_ppc_crypt_blk1_16): Add clear_vec_regs.

	rijndael-ppc: fix 'may be used uninitialized' warnings.
	+ commit 52bd6fc0c0383c183870966069a7548dc2b8641a
	* cipher/rijndael-ppc-common.h (PRELOAD_ROUND_KEYS_ALL): Load
	rkey10-rkey13 with zero value by default.

	salsa20-amd64: clear vectors registers.
	+ commit 6a128b2380a4deb6086a904f17a1ff40c5af9b64
	* cipher/salsa20-amd64.S (CLEAR_REG): New.
	(_gcry_salsa20_amd64_encrypt_blocks): Clear vectors registers
	at exit.

	whirlpool-sse2-amd64: clear vectors registers.
	+ commit c479b9dd5a3863d81d88c305da1b61e3aa2d274e
	* cipher/whirlpool-sse2-amd64.S (CLEAR_REG): New.
	(_gcry_whirlpool_transform_amd64): Clear vectors registers
	at exit.

	camellia-aarch64-ce: clear volatile vectors registers.
	+ commit 762ccf64429d94530727bf8508e4d499fcfd062c
	* cipher/camellia-simd128.h [__powerpc__] (clear_vec_regs): New.
	[__ARM_NEON]: Include 'simd-common-aarch64.h'.
	[__ARM_NEON] (memory_barrier_with_vec): Remove.
	[__x86_64__] (clear_vec_regs): New.
	(FUNC_ENC_BLK16, FUNC_DEC_BLK16, camellia_setup128)
	(camellia_setup256): Add clear_vec_regs.

	gcm-aarch64-ce: clear volatile vector registers at setup function.
	+ commit 3d3e346cc3f52a423d67118203f0543feb430545
	* cipher/cipher-gcm-armv8-aarch64-ce.S
	(_gcry_ghash_setup_armv8_ce_pmull): Clear used vectors registers
	before function exit.

	sm3-aarch64-ce: clear volatile vector registers.
	+ commit af84aa32427d841eedbad0c2d1e53cf1df6dd732
	* cipher/sm3-armv8-aarch64-ce.S: Add CLEAR_ALL_REGS.

	sm4-aarch64-ce: clear volatile vector registers.
	+ commit 42495ad3a80eadb0b853c95377777fe9435b03ac
	* cipher/sm4-armv8-aarch64-ce.S (_gcry_sm4_armv8_ce_expand_key)
	(_gcry_sm4_armv8_ce_crypt_blk1_8, _gcry_sm4_armv8_ce_crypt)
	(_gcry_sm4_armv8_ce_cbc_dec, _gcry_sm4_armv8_ce_cfb_dec)
	(_gcry_sm4_armv8_ce_ctr_enc, _gcry_sm4_armv8_ce_xts_crypt): Add
	CLEAR_ALL_REGS.

	sm4-aarch64: clear volatile vectors registers.
	+ commit f6cebb330d87b88543949ae36a2bfef8b45c41d8
	* cipher/sm4-aarch64.S (clear_volatile_vec_regs): New.
	(_gcry_sm4_aarch64_crypt_blk1_8, _gcry_sm4_aarch64_crypt)
	(_gcry_sm4_aarch64_cbc_dec, _gcry_sm4_aarch64_cfb_dec)
	(_gcry_sm4_aarch64_ctr_enc): Add clear_volatile_vec_regs.

	sm4-aarch64-sve: clear volatile vectors registers.
	+ commit fb78bc85dfe183f381ad83142e5abf46f4096ca6
	* cipher/asm-common-aarch64.h (CLEAR_ALL_REGS): New.
	* cipher/sm4-armv9-aarch64-sve-ce.S
	(_gcry_sm4_armv9_sve_ce_cbc_dec, _gcry_sm4_armv9_sve_ce_cfb_dec)
	(_gcry_sm4_armv9_sve_ce_ctr_enc): Add CLEAR_ALL_REGS.

	sm4-aarch64-sve: add missing .text section.
	+ commit 341945ae9651b42e07fe5c29d6634b8af110ce4c
	* cipher/sm4-armv9-aarch64-sve-ce.S: Add missing '.text'.

	Add GHASH AArch64/SIMD intrinsics implementation.
	+ commit fec871fd18c73d790ac64a2a3b9e422212c2a6af
	* cipher/Makefile.am: Add 'cipher-gcm-aarch64-simd.c'.
	* cipher/cipher-gcm-aarch64-simd.c: New.
	* cipher/cipher-gcm.c [GCM_USE_AARCH64]: Add function
	prototypes for AArch64/SIMD implementation.
	(setupM) [GCM_USE_AARCH64]: Add setup for AArch64/SIMD
	implementation.
	* cipher/cipher-internal.h (GCM_USE_AARCH64): New.
	* configure.ac: Add 'cipher-gcm-aarch64-simd.c'.

	Add AES Vector Permute intrinsics implementation for AArch64.
	+ commit 94a63aedbbd252305c865912e59400dc6f3bc3b8
	* cipher/Makefile: Add 'rijndael-vp-aarch64.c',
	'rijndael-vp-simd128.h' and 'simd-common-aarch64.h'.
	* cipher/rijndael-internal.h (USE_VP_AARCH64): New.
	* cipher/rijndael-vp-aarch64.c: New.
	* cipher/rijndael-vp-simd128.h: New.
	* cipher/rijndael.c [USE_VP_AARCH64]: Add function prototypes
	for AArch64 vector permutation implementation.
	(do_setkey) [USE_VP_AARCH64]: Setup function pointers for
	AArch64 vector permutation implementation.
	* cipher/simd-common-aarch64.h: New.
	* configure.ac: Add 'rijndael-vp-aarch64.lo'.

2024-10-25  NIIBE Yutaka  <gniibe@fsij.org>

	config: Include Kyber in GCRYPT_PUBKEY_CIPHERS.
	+ commit 7eaa43bf0931494afccbd413d83a3010aa80cee0
	* configure.ac (available_pubkey_ciphers): Add kyber.

2024-09-17  NIIBE Yutaka  <gniibe@fsij.org>

	tests:kyber: Add genkey and encap KAT tests.
	+ commit 4876a1a45c25d7e3ffb45a0af4e7c8995ce3a552
	* tests/t-kem.c (test_kem_sntrup761): Use gcry_kem_genkey API.
	(test_kem_mceliece6688128f): Likewise.
	(test_kem_mlkem512, test_kem_mlkem768, test_kem_mlkem1024): Likewise.
	(test_kem_raw_x25519, test_kem_dhkem_x25519): Likewise.
	* tests/t-mlkem.c (N_TESTS): Update the number of tests.
	(one_genkey_test, one_encap_test): New.
	(one_decap_test): Rename from one_test.
	(check_mlkem_kat): Support KAT tests for genkey ane encap.
	* tests/t-mlkem.inp: Add test data sets for genkey and encap.

	cipher:kyber: Add gcry_kem_genkey to support deterministic op.
	+ commit 38742196c04c99de3366156221dda9e0ceddc0d7
	* cipher/kem.c (_gcry_kem_genkey): Rename from _gcry_kem_keypair,
	adding OPTIONAL argument.
	(_gcry_kem_encap): Allow OPTIONAL for deterministic operation.
	(kem_generate): Use _gcry_kem_genkey instead of _gcry_kem_keypair.
	* cipher/kyber.c (crypto_kem_keypair_derand_2)
	(crypto_kem_keypair_derand_3, crypto_kem_keypair_derand_4): Expose.
	(crypto_kem_enc_derand_2, crypto_kem_enc_derand_3): Likewise.
	(crypto_kem_enc_derand_4): Likewise.
	(kyber_keypair): Allow COINS for deterministic operation.
	(kyber_encap): Likewise.
	* cipher/kyber.h: Allow COINS for deterministic operation.
	(crypto_kem_keypair_derand, crypto_kem_enc_derand): New.
	* src/gcrypt-int.h (_gcry_kem_genkey): Rename from _gcry_kem_keypair.
	* src/gcrypt.h.in (gcry_kem_genkey): New.
	* src/libgcrypt.def (gcry_kem_genkey): New.
	* src/libgcrypt.vers (gcry_kem_genkey): New.
	* src/visibility.c (gcry_kem_genkey): New.
	* src/visibility.h (gcry_kem_genkey): New.

2024-08-27  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kyber: Apply changes from upstream for final FIPS 203.
	+ commit cc95c36e7f79ac47c201b7cbd375ee37b9689d0d
	* cipher/kyber-kdep.c (gen_matrix): Simplify for the case of
	XOF_BLOCKBYTES%3 == 0.
	(indcpa_keypair_derand): Add domain separation to key generation.

2024-08-26  NIIBE Yutaka  <gniibe@fsij.org>

	Fix previous commit.
	+ commit bfbddd64002d80e2d0a7e62adff2ed57abc99392
	* tests/pkcs1v2.c (check_oaep): Need to specify HASH-ALGO.

2024-08-22  NIIBE Yutaka  <gniibe@fsij.org>

	tests: More fixes for tests/pkcs1v2.c.
	+ commit ced3a39b29af341edb2e025e398c31c177b78bfe
	* tests/pkcs1v2.c (check_oaep): Don't specify SHA1.
	Don't supply SEED for decryption.
	(check_pss): Don't supply SALT for verification.

2024-08-22  Jakub Jelen  <jjelen@redhat.com>

	tests: Remove needless PKCS#1.5 encryption and decryption parameters.
	+ commit 081e18a98f629926bd1306680f6bfa5936345d59
	* tests/pkcs1v2.c (check_v15crypt): Remove needless flags from s-exp.

2024-08-21  Werner Koch  <wk@gnupg.org>

	Return a proper error code on malloc failure in hex2buffer.
	+ commit c51151f5b0b3e5c9ebf6935d85fe1505aa7a124a
	* src/sexp.c (_gcry_hex2buffer): Replace xmalloc by xtrymalloc.

2024-08-21  NIIBE Yutaka  <gniibe@fsij.org>

	Fix memory leaks.
	+ commit 0e186b31d7bcdab793e82e73295804351c3dffd7
	* src/sexp.c (_gcry_hex2buffer): Free buffer on error.
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_keypair): Free buffer on exit path.
	(_gcry_ecc_curve_mul_point): Free buffer on all exit paths.
	* tests/t-common.h (hex2buffer): Free memory on error path.

2024-08-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add PAC/BTI support for AArch64 assembly.
	+ commit 55e2e23401c64541e88aad84b5f9e8b1e4ab6acb
	* cipher/asm-common-aarch64.h (AARCH64_BTI_PROPERTY_FLAG)
	(AARCH64_HINT_BTI_C, AARCH64_PAC_PROPERTY_FLAG)
	(note.gnu.property): New.
	(CFI_STARTPROC): Add AARCH64_HINT_BTI_C.

	camellia-aarch64: do not store/load link register to/from stack.
	+ commit b73f54fed2c440128982b4ee23e9226768b75681
	* cipher/camellia-aarch64.S (_gcry_camellia_arm_encrypt_block)
	(_gcry_camellia_arm_decrypt_block): Store/load dummy x20 instead
	of x30.

	Do not build 32-bit ARM assembly on Aarch64.
	+ commit 93aad101d5796242558c26b7851624449edeba52
	* configure.ac: Build "serpent-armv7-neon", "salsa20-armv7-neon",
	"chacha20-armv7-neon", "sha512-armv7-neon" and "keccak-armv7-neon"
	only on 32-bit ARM.

2024-08-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/ec-inline: reduce register pressure on 32-bit ARM.
	+ commit 9c93b4607adcf9b3efd53aba43e2d33bf5aef9df
	* mpi/ec-inline.h [HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS] (ADD4_LIMB32)
	(ADD6_LIMB32, SUB4_LIMB32, SUB6_LIMB32): Reuse input registers
	as output (use just two unique operators).

2024-07-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add CET support for i386 assembly.
	+ commit 64ec13d11b08fbe31cc6f83e9464e7e251d41019
	* cipher/asm-common-i386.h (ENDBRANCH): New.
	(CFI_STARTPROC): Add ENDBRANCH.
	[__CET__] (note.gnu.property): Add CET property section.

	Add CET support for x86-64 assembly.
	+ commit d69e6a29b986cf1cb21e09d337a0de2564ef34f2
	* cipher/asm-common-amd64.h (ENDBRANCH): New.
	(CFI_STARTPROC): Add ENDBRANCH.
	[__CET__] (note.gnu.property): Add CET property section.

	Do not build amd64 assembly on i386.
	+ commit 5797d75e3b916caf504bed73a8629c6c168be58d
	* configure.ac: Build "serpent-avx2-amd64" and
	"camellia-*-amd64" only on x86-64.

	Do not build i386 assembly on x86-64.
	+ commit dd42a4e03e066c49a6d83e0d3a07e4261d77121a
	* configure.ac: Enable building i386 "rijndael-vaes" only
	on i?86 host instead of x86 MPI arch ("i?86 + x86-64").

	asm-common-amd64: add missing CFI directives for large memory model code
	+ commit 7ee2e73495d051ca09dd57c90132a7a9cc53bc62
	* cipher/asm-common-amd64.h [__code_model_large__]
	(GET_EXTERN_POINTER): Add CFI_PUSH/CFI_POP directives.

2024-07-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:blake2: Fix for use_avx512.
	+ commit b42116d6067a5233f72e5598032d4b396bb8eaac
	* cipher/blake2.c (blake2s_init_ctx): Conditional with USE_AVX512.

2024-07-02  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kyber: Use ct_int16_select of libgcrypt .
	+ commit 8b898670e9150cd04ab57c763e9aedb7091c5e18
	* cipher/kyber-common.c (poly_frommsg): Use ct_int16_select.
	* cipher/kyber.c: Require ct_int16_select for external use case.
	* src/const-time.h: Add ct_int16_select.

	cipher:kyber: Apply a change from upstream.
	+ commit f765778e82b33efa6a9c0ec0b4f97564ac229c46
	* cipher/kyber-common.c (poly_frommsg): Remove secret-dependent
	branch.

2024-06-24  simit.ghane  <simit.ghane@lge.com>

	random:cipher: handle substitution in sed command.
	+ commit e96df0c82e086bf348753d2d0fa37fa6191b4b14
	* cipher/Makefile.am (o_flag_munging): Add 'g' flag for first sed
	expression.
	* random/Makefile.am (o_flag_munging): Likewise.

2024-06-24  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Fix acinclude.m4 for underscore detection in the symbol.
	+ commit bb0895bbb7c6d2b9502cbbf03da14d4ecf27a183
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Fix for a case with
	underscore.

2024-06-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/generic: use longlong.h for carry handling.
	+ commit d37cdd5bcb1e0960c3f4164a8163893438811f29
	* mpi/generic/mpih-add1.c (_gcry_mpih_add_n): Use add_ssaaaa for
	carry handling.
	* mpi/generic/mpih-mul1.c (_gcry_mpih_mul_1): Likewise.
	* mpi/generic/mpih-mul2.c (_gcry_mpih_addmul_1): Likewise.
	* mpi/generic/mpih-mul3.c (_gcry_mpih_submul_1): Use add_ssaaaa
	and sub_ddmmss for carry handling.
	* mpi/generic/mpih-sub1.c (_gcry_mpih_sub_n): Likewise.

	chacha20-ppc: fix implicit conversion between vector types warnings.
	+ commit 414b4251fdb3c701912a0fc56ae8ef6e3fe35ecf
	* cipher/chacha20-ppc.c (chacha20_ppc_blocks4)
	(chacha20_ppc_blocks4, chacha20_poly1305_ppc_blocks4): Explicitly
	convert return values from vec_cmplt.

	chacha20-ppc: silence GCC cast alignment warning.
	+ commit a9f112f36392c87b3d6153b8452cd86211d15ce0
	* cipher/chacha20-ppc.c (vec_load_le, vec_store_le): Cast
	pointers through void pointer type.

	rijndael-p10le: silence incorrect GCC cast alignment warning.
	+ commit 1f8a5aa86dad71c77af9a2b4387e7fc2e5bf015f
	* cipher/rijndael-p10le.c (_gcry_aes_p10le_gcm_crypt): Cast
	context to RIJNDAEL_context type through void pointer.

	src/hwf-x86: disable inline assembly CFI directivies for WIN32.
	+ commit 26a462925e2230de82d5e1b91c9306b1f2668a02
	* src/hwf-x86.c (CFI_ADJUST_CFA_OFFSET, CFI_PUSH4)
	(CFI_POP4): Define only if _WIN32 is not defined.

2024-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disable SHA3 s390x acceleration for CSHAKE.
	+ commit 2486d9b5ae015c1786cb84466a751da4bc0d7122
	* cipher/keccak.c (keccak_final_s390x): Add assert check for
	expected SHAKE suffix.
	(_gcry_cshake_customize, cshake_hash_buffers): Disable s390x
	acceleration when selecting CSHAKE suffix.

2024-06-19  Werner Koch  <wk@gnupg.org>

	Release 1.11.0.
	+ commit 9d94d7846cde272b8b1519ba96e53967bf0b90d2


2024-06-14  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Update gpg-error.m4.
	+ commit 89adba4518d2c7f83a37361f66b3ac290c96525c
	* m4/gpg-error.m4: Update from libgpg-error master.

2024-06-13  NIIBE Yutaka  <gniibe@fsij.org>

	libgcrypt.m4: Fix setting/using GPG_ERROR_CONFIG.
	+ commit 0fd9ec3403ea66d39f32602dce53bc5219e4c158
	libgcrypt.m4 (_AM_PATH_GPGRT_CONFIG): Don't set GPG_ERROR_CONFIG and
	gpg_error_config_version.

2024-06-06  Jakub Jelen  <jjelen@redhat.com>

	cipher:aeswrap: Fix padding length check.
	+ commit dc8d84383a6bfa44f397132eae203efa0bf20e82
	* cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt_auto): When
	padding length is 8, correctly return GPG_ERR_CHECKSUM.

2024-05-21  Jakub Jelen  <jjelen@redhat.com>

	mpi: Fix loop condition in bad point check.
	+ commit 1875758440158fe1943d1b19b29d77421d269256
	* mpi/ec.c (ec_p_init): Fix loop condition to avoid out-of-range read.

2024-05-17  Werner Koch  <wk@gnupg.org>

	build: Remove cruft from configure.ac.
	+ commit 0526d65afd34f9282e7fd125df6ee9a3c757ae79
	* configure.ac: Remove unused cruft.

2024-05-14  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Include _AM_PATH_GPGRT_CONFIG definition.
	+ commit ad3b599462bdbc459f6c7be867e9a12ab46481b3
	* src/libgcrypt.m4: Find gpgrt-config.

2024-05-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	random: fix o_flag_munging for -O1.
	+ commit 5afadba008918d651afefb842ae123cc18454c74
	* random/Makefile.am (o_flag_munging): Also convert -O1 to -O0.

2024-05-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20-aarch64: use local symbols for read-only data.
	+ commit 3f5989014a1b7c01aced88897d878ce5105d15df
	* cipher/chacha20-aarch64.S: Remove '.globl' mark for RODATA section
	objects.

2024-05-07  simit.ghane  <simit.ghane@lge.com>

	Fix building error with '-O2' in sysroot path.
	+ commit b99952adc6ee611641709610d2e4dc90ba9acf37
	* cipher/Makefile.am (o_flag_munging): Tweak the sed script.
	* random/Makefile.am (o_flag_munging): Ditto.

2024-05-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem: Remove the experimental KEMs (PGP and CMS).
	+ commit c9affe97d20bc958d733206adf350214b32ae0b2
	* src/gcrypt.h.in (enum gcry_kem_algos): Remove
	GCRY_KEM_OPENPGP_X25519, GCRY_KEM_CMS_X25519_X963_SHA256, and
	GCRY_KEM_CMS_X25519_HKDF_SHA256.
	* cipher/kem.c (_gcry_kem_keypair, _gcry_kem_encap): Likewise.
	(_gcry_kem_decap): Likewise.
	* cipher/kem-ecc.c (algo_to_curve): Follow the removal.
	(algo_to_seckey_len): Likewise.
	(openpgp_kem_kdf, _gcry_openpgp_kem_encap): Remove.
	(_gcry_openpgp_kem_decap, cms_kem_kdf): Remove.
	(_gcry_cms_kem_encap, _gcry_cms_kem_decap): Remove.
	* cipher/kem-ecc.h: Follow the removal.
	* tests/t-kem.c (test_kem_openpgp_x25519) Remove.
	(test_kem_cms_x25519): Remove.
	(check_kem, main): Follow the change.

2024-04-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent-avx512-x86: fix CBC and CFB decryption with clang-18.
	+ commit 5a653a9129d7cc2f203ab9ad37ccdbcb832337d1
	* cipher/serpent-avx512-x86.c (serpent_avx512_blk32): Avoid
	'_mm512_castsi128_si512' usage to prevent non-initialized
	vector register parts getting XOR into calculations for
	CBC and CFB decryption.

2024-04-26  Werner Koch  <wk@gnupg.org>

	Let gcry_print_config show whether it is amd64 or i686.
	+ commit 0729fb84a6a1c038d4ed10f9c60be7df48558d9e
	* src/global.c (print_config): Append a sub-cpu string.

2024-04-25  Werner Koch  <wk@gnupg.org>

	Require GpgRT 1.49.
	+ commit f895a69d3b4bd5b8f6fab11345c2663947b7e5e3
	* configure.ac (LIBGCRYPT_LT_REVISION): Require 1.49
	* src/global.c (print_config): Repalce gpgrt backward compatibility.
	* src/misc.c (_gcry_set_gpgrt_post_log_handler): Ditto.
	(_gcry_logv): Use new gpgrt_logv_domain.

2024-04-24  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem:ecc: Support NIST curves.
	+ commit 005292cf9f41179247918711b2968dd188aae122
	* cipher/kem-ecc (ECC_SECKEY_LEN_MAX): Fix for P521R1.
	(algo_to_curve): Using canonical name, add NIST curves,
	(algo_to_seckey_len): Likewise.
	* cipher/kem.c (_gcry_kem_keypair, _gcry_kem_encap): Likewise.
	(_gcry_kem_decap): Likewise.
	* src/gcrypt.h.in (enum gcry_kem_algos): Likewise.

	cipher:kem:ecc: Fix DHKEM implementation.
	+ commit 118fa95d8d36efb07dbebdbcbc0e3408e69ac5d2
	* cipher/kem-ecc.c (_gcry_ecc_dhkem_decap): Fix the size.

2024-04-23  Werner Koch  <wk@gnupg.org>

	cipher:kem:ecc: Support brainpoolP512r1.
	+ commit 4fb99ec266e5d38e0f6df5c2fd27da71f2fb441f
	* cipher/kem-ecc.c (algo_to_curve): Add GCRY_KEM_RAW_BP512.
	(algo_to_seckey_len): Ditto.
	* cipher/kem.c (_gcry_kem_keypair): Ditto.
	(_gcry_kem_encap): Ditto.
	(_gcry_kem_decap): Ditto.

	Use explicit values for the gcry_kem_algos enum.
	+ commit 66884c2d6b35bf418a267697a2726142a95188be
	* src/gcrypt.h.in (enum gcry_kem_algos): Use explicit values for
	improved ABI stability.
	(GCRY_KEM_RAW_BP512): New.

	cipher:kem:ecc: Fix for Weierstrass.
	+ commit 7ad308434f159952baf578eca60efc1f5bf93019
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): Use POINT_LEN and not
	NBYTES to create mpi_u.

	Divert log functions to the gpgrt log functions.
	+ commit ab0bdc72c79d5655e63047f768a202e063d8c18b
	* src/misc.c (my_gpgrt_post_fatal_handler): New.
	(_gcry_set_gpgrt_post_log_handler): New.
	(map_log_level): New.
	(_gcry_logv): Use gcrypt log function unless a handler has been
	installed.
	* src/global.c (global_init): Install post log handler.
	* src/gcrypt.h.in (gcry_set_log_handler): Deprecate.

2024-04-22  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem:ecc: Support brainpoolP256r1 and brainpoolP384r1.
	+ commit 9c65260f915f3eeebf10b51ab7c3c9b5f0004d9b
	* cipher/kem.c (_gcry_kem_keypair): Support classic curves.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.
	* cipher/kem-ecc.c (algo_to_curve, algo_to_seckey_len): New.
	(_gcry_ecc_raw_keypair): Support classic curves.
	(_gcry_ecc_raw_encap, _gcry_ecc_raw_decap): Likewise.
	(ecc_tweak_bits): Move to ...
	* cipher/ecc-ecdh.c (ecc_tweak_bits): here.
	(_gcry_ecc_curve_keypair): New.
	(_gcry_ecc_curve_mul_point): Add length arguments.
	* src/gcrypt-int.h (_gcry_ecc_curve_keypair): New.
	* src/gcrypt.h.in: Add constants for brainpoolP256r1 and
	brainpoolP384r1.

2024-04-19  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:ecc: Return the result in SEC1 point format for Weierstrass.
	+ commit 47f2cb8f6f35cf962158d9cffc79c23fab163585
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): Fix for
	MPI_EC_WEIERSTRASS curve.

	cipher:ecc: Add _gcry_ecc_curve_mul_point function with curve name.
	+ commit b1da8247dcbc036a5dc55dc7121ccd537c9b7ff3
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): New.  Also support
	Weierstrass curve as well as Montgomery one.
	(_gcry_ecc_mul_point): Use _gcry_ecc_curve_mul_point.

	cipher:kem: Rename Classic McEliece API constants.
	+ commit 72b1b8d447fb8046e5546998619206646dde2ea7
	* src/gcrypt.h.in (GCRY_KEM_CM6688128F): Rename.
	* cipher/kem.c (_gcry_kem_keypair): Follow the change.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.
	* tests/t-kem.c (test_kem_mceliece6688128f): Likewise.
	(main): Also change CLI option name.

2024-04-18  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: More clean up for Classic McEliece implementation.
	+ commit 9a552b80d6c44a05ab733e441664d19de6f23da3
	* cipher/mceliece6688128f.h: Provide GCC_ATTR_UNUSED.
	* cipher/mceliece6688128f.c: Use GCC_ATTR_UNUSED.

	cipher: Fix comments of Classic McEliece implementation.
	+ commit 6478203e77d173128c4c0810db6f41198c360ca2
	* cipher/mceliece6688128f.c: Don't use C++-style comments for old
	compilers (< C99).

2024-04-17  Simon Josefsson  <simon@josefsson.org>

	cipher: Add Classic McEliece mceliece6688128f.
	+ commit 003367b91272f499d6eecb32ab9a09f383bdc788
	* cipher/Makefile.am (libcipher_la_SOURCES): Add mceliece6688128f.{c,h}.
	* cipher/mceliece6688128f.c, cipher/mceliece6688128f.h: New.
	* tests/t-kem.c: Support mceliece6688128f.

2024-04-16  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix copyright notices for Kyber implementation.
	+ commit eec1a576dbd080eb54ad7c6027271fe3f71c8847
	* cipher/kyber-common.c: Fix copyright notice sentences.
	* cipher/kyber-kdep.c, cipher/kyber.c, cipher/kyber.h: Likewise.

2024-04-09  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add X448 based ECC KEM.
	+ commit 40b4781022c5f5ebf1ec6e6d814f9c2a346cb3ca
	* src/gcrypt.h.in (GCRY_KEM_RAW_X448, GCRY_KEM_DHKEM448): New.
	* cipher/kem-ecc.c (_gcry_ecc_raw_encap): Support X448.
	(ecc_dhkem_kdf, _gcry_ecc_dhkem_encap): Likewise.
	(_gcry_ecc_dhkem_decap): Likewise.
	* cipher/kem.c (_gcry_kem_keypair): Add support for GCRY_KEM_RAW_X448
	and GCRY_KEM_DHKEM448.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.

2024-04-05  Werner Koch  <wk@gnupg.org>

	Trailing comma removal for better portability.
	+ commit 9e6db9d74631e623164319f1fc9713afdf9e3eb9
	* cipher/kem.c (kem_names): Remove trailing comma.
	* src/gcrypt.h.in (enum gcry_kem_algos): Ditto.

	ecc: Add bp256, bp384, bp512 aliases for Brainpool curves.
	+ commit d211e7fe967381bfb19e4f18e0be067c68200c50
	* cipher/ecc-curves.c (curve_aliases): Add new aliases for Brainpool.

2024-04-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix t-kem for tests with X25519 for FIPS mode.
	+ commit a78dcad69872e1d6e6eb7ead174e398d9c7d4800
	* tests/t-kem.c (test_kem_raw_x25519): It is expected to fail.
	(test_kem_dhkem_x25519, test_kem_openpgp_x25519): Likewise.
	(test_kem_cms_x25519): Likewise.

2024-03-28  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem: Add ECC KEM for X25519.
	+ commit 5da6c63fed34f6027a9531780252f0f54087c379
	* cipher/Makefile.am (libcipher_la_SOURCES): Add kem-ecc.{c,h}.
	* cipher/kem-ecc.c: New.
	* cipher/kem-ecc.h: New.
	* cipher/kem.c (_gcry_kem_keypair): Dispatch to _gcry_ecc_raw_keypair.
	(_gcry_kem_encap): Dispatch to _gcry_ecc_raw_encap,
	_gcry_ecc_dhkem_encap, _gcry_openpgp_kem_encap, and
	_gcry_cms_kem_encap.
	(_gcry_kem_decap): Dispatch to _gcry_ecc_raw_decap,
	_gcry_ecc_dhkem_decap, _gcry_openpgp_kem_decap, and
	_gcry_cms_kem_decap.
	* src/gcrypt.h.in: Add constants for ECC KEM.
	* tests/t-kem.c (test_kem_raw_x25519, test_kem_dhkem_x25519)
	(test_kem_openpgp_x25519, test_kem_cms_x25519): New.
	(check_kem, main): Add tests for ECC KEM.

2024-03-27  NIIBE Yutaka  <gniibe@fsij.org>
	    Falko Strenzke  <falko.strenzke@mtg.de>

	tests:basic: Add cSHAKE test vectors.
	+ commit b81076beba280c24923b0259a8973c777204c5df
	* tests/basic.c (check_one_md): Extend with customization N and S.
	(check_one_md_multi): Likewise.
	(check_digests): Add test vectors for GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.

2024-03-27  NIIBE Yutaka  <gniibe@fsij.org>

	md: Add cSHAKE digest algorithm and the implementation.
	+ commit 065b3f4e0271cc410c002842ea640f93e56c6a20
	* src/gcrypt.h.in (gcry_ctl_cmds): Add GCRYCTL_MD_CUSTOMIZE.
	(gcry_md_algos): Add GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	(struct gcry_cshake_customization): New.
	* cipher/keccak.c (CSHAKE_DELIMITED_SUFFIX): New.
	(keccak_init): Support GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	(selftests_keccak): Likewise.
	(cshake_input_n, cshake_input_s, _gcry_cshake_customize): New.
	(cshake128_init, cshake256_init, cshake_hash_buffers): New.
	(_gcry_cshake128_hash_buffers, _gcry_cshake256_hash_buffers): New.
	(_gcry_digest_spec_cshake128, _gcry_digest_spec_cshake256): New.
	* cipher/md.c (digest_list): Add cSHAKE md_specs.
	(digest_list_algo301): Likewise.
	(md_customize): New.
	(_gcry_md_ctl): Support GCRYCTL_MD_CUSTOMIZE.
	* src/cipher.h (_gcry_cshake_customize): New.
	(_gcry_digest_spec_cshake128, _gcry_digest_spec_cshake256): New.
	* src/fips.c (_gcry_fips_indicator_md): Support GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.
	* tests/basic.c (check_one_md): Support GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256 as xof.
	(check_one_md_multi): Exclude GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256
	as xof.
	* tests/bench-slope.c (hash_bench, kdf_bench): Exclude
	GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	* tests/benchmark.c (md_bench): Exclude GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.

2024-03-11  NIIBE Yutaka  <gniibe@fsij.org>

	Add gcry_md_hash_buffers_ext function.
	+ commit 3d48e6e37b040c955a84e58ce3147562fa74d1f3
	* src/gcrypt.h.in (gcry_md_hash_buffers_ext): New.
	* src/libgcrypt.def: Add gcry_md_hash_buffers_ext.
	* src/libgcrypt.vers: Likewise.
	* src/visibility.c: Add gcry_md_hash_buffers_ext.
	* src/visibility.h: Add gcry_md_hash_buffers_ext.

2024-03-05  NIIBE Yutaka  <gniibe@fsij.org>

	kem: Fix the previous commit.
	+ commit f4bcc69c3c9b0c2c948a9944cec7894cb590b211
	* cipher/kem.c (kem_compute_keygrip): Rever the change.

2024-03-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix Kyber key in SEXP, and its keygrip computation.
	+ commit 47c594386ebec3f9dea2d091c38cc7768a1840d9
	* cipher/kem.c (kem_generate): Include public key part in SEXP of
	private key.
	(kem_compute_keygrip): Fix keygrip computation.

	mpi: Fix ECC computation on hppa.
	+ commit b757f4130af987bdfc769b754b6e9e27882c349c
	* mpi/ec-inline.h [__hppa] (ADD4_LIMB32, SUB4_LIMB32): New.
	* mpi/longlong.h [__hppa] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.

2024-03-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix the previous commit.
	+ commit 23ccf8eafbc452fa5cf466bee219846400bd2424
	* tests/keygen.c (check_kem_keys): Those are not yet in the standard.

2024-03-02  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix keygen for FIPS mode.
	+ commit 58f93ea56f7173a5fc3f85710dbf167cb0e5e203
	* tests/keygen.c (check_kem_keys): Care about FIPS mode.

2024-02-29  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Silence warning for some architecture.
	+ commit 813a96de4ffec5d72dbb4473a42bd2b5b3f56b50
	* mpi/mpih-const-time.c (mpih_ct_limb_greater_than): DIFF_LO is not
	used.

2024-02-22  Werner Koch  <wk@gnupg.org>

	cipher: Add a way to get a keygrip for KEM algos.
	+ commit 4db7f3b07be5fc7b4c1c3b2e7548167cb1968533
	* src/gcrypt.h.in (GCRY_PK_KEM): New.
	* cipher/kem.c (kem_infos): New.
	(kem_names): New.
	(kem_generate): New.
	(kem_compute_keygrip): New.
	(kem_get_nbits): New.
	(_gcry_pubkey_spec_kem): New.
	* cipher/pubkey.c (pubkey_list): Add spec for KEM.
	* src/cipher.h (_gcry_pubkey_spec_kem): Declare.
	(_gcry_pubkey_spec_elg_e): Remove this used declaration.

	* tests/keygen.c (check_generated_kem_key): New.
	(check_kem_keys): New.
	(main): Add optional argument kem and all new function.

	cipher: Slight refactoring of kem.c.
	+ commit b36aee33dd00906a98d5d1295bf471140844f737
	* cipher/kem.c (_gcry_kem_keypair): Do not claim used variables.
	Slight refactoring to allow for a enum-case check.
	(_gcry_kem_encap): Ditto.
	(_gcry_kem_decap): Ditto.

	* cipher/kyber.h (crypto_kem_keypair_3) [KYBER_K]: Fix syntax error.

2024-02-09  Clemens Lang  <cllang@redhat.com>

	sha3: Fill OIDs and partial ASN.1 structs.
	+ commit b3750fb42a44760e65d8869bc9a64e79197ae96d
	* cipher/keccak.c (sha3_224_asn): New.
	(oid_spec_sha3_224, oid_spec_sha3_256): Update the OIDs.
	(sha3_256_asn): Have a correct value.
	(sha3_384_asn): Have a correct value.
	(oid_spec_sha3_384, oid_spec_sha3_512): Update the OIDs.
	(sha3_512_asn): Have a correct value.
	(shake128_asn): Have a correct value.
	(oid_spec_shake128, oid_spec_shake256): Update the OIDs.
	(shake256_asn): Have a correct value.

2024-02-06  Werner Koch  <wk@gnupg.org>

	doc: Fix link to the s-expression description.
	+ commit 52f18b9ffe6ce38eba159c39550c10a95bce3d11
	Note that there is also thr description at

	 https://people.csail.mit.edu/rivest/pubs
	 /RL96.ver-1.1.html#secSexpressions

2024-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix Kyber segfaulting on Win64.
	+ commit 0929a9f1ede27dc6c629a92d92002da14eafa68a
	* cipher/kyber.c (prg, pkprf): Cast variadic parameters to expected
	types ('void *' and 'size_t').

	rijndael-s390x: fix AES256-XTS feature mask.
	+ commit 679b07898897e16029dbf596dbcf0141ebb99792
	* cipher/rijndael-s390x.c (_gcry_aes_s390x_setup_acceleration): Fix
	AES256-XTS feature mask.

2024-01-30  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kdf: Add X963KDF for use in CMS.
	+ commit 3abac420b30ad4aeef803b23995303ac6bb563fa
	* src/gcrypt.h.in (gcry_kdf_algos): Add GCRY_KDF_X963_KDF.
	* cipher/kdf.c (x963_kdf_open, x963_kdf_compute): New.
	(x963_kdf_final, x963_kdf_close): New.
	(_gcry_kdf_open, _gcry_kdf_final, _gcry_kdf_close): Add
	support for GCRY_KDF_X963_KDF.

	Fix the version script for non-existing symbols.
	+ commit be328b4a3476d5cbe543a761c043c5923ea1e280
	* src/libgcrypt.vers: Remove gcry_md_get and gcry_pk_register.

2024-01-29  NIIBE Yutaka  <gniibe@fsij.org>

	build: Use @FGREP@ by configure for libgcrypt-config.
	+ commit 128121e74b66793fabd24e478df6ea2ab568e24a
	* configure.ac (AC_PROG_FGREP): Add.
	* src/libgcrypt-config.in: Use @FGREP@.

2024-01-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix tests/basic.
	+ commit 86812491c7541a6e76cc2f2c45538b4715121b88
	* tests/basic.c (check_ecb_cipher): Use 'i' instead of '0'.

	m4: Update acinclude.m4 to use $GREP.
	+ commit 656ca459e3d87f91dc20a2fb1001344f4c872ee3
	* acinclude.m4: Use $GREP, instead of egrep.  Simplify the detection.

2024-01-15  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix copyright notices for LGPL.
	+ commit 2eaaa8846f226ccd54f3165afe10583936d9d940
	* cipher/kem.c: Fix LGPL name, with correct capitalizing..
	* cipher/kyber-common.c: Likewise.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.
	* cipher/kyber.h: Likewise.
	* cipher/sntrup761.c: Likewise.
	* cipher/sntrup761.h: Likewise.

	tests: Add known answers test for ML-KEM (Kyber).
	+ commit 6765916e3b55dc45d93123e789973c7528df5232
	* tests/Makefile.am (tests_bin): Add t-mlkem.
	(EXTRA_DIST): Add t-mlkem.inp.
	* tests/t-mlkem.c: New.
	* tests/t-mlkem.inp: New.

	cipher:kyber: Fix comment style.
	+ commit 384638bc4a0dd4315ce2955d08f51f007ba88df9
	* cipher/kyber-common.c: Fix comments.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.

	cipher: Add use of the Kyber implementation.
	+ commit f2f9d56358acf3b38764bc4465db627162f42bbf
	* cipher/Makefile.am (EXTRA_DIST): Add kyber-common.c kyber-kdep.c.
	(libcipher_la_SOURCES): Add kyber.c and kyber.h.
	* cipher/kem.c (_gcry_kem_keypair): Add call to kyber_keypair.
	(_gcry_kem_encap): Add call to kyber_encap.
	(_gcry_kem_decap): Add call to kyber_decap.
	* tests/t-common.h (show_note): Factor from existing uses.
	(show_sexp, prepend_srcdir, read_textline, copy_data): Likewise.
	(hex2buffer, reverse_buffer): Likewise.
	* tests/t-kem.c (show_note): Remove.
	(test_kem_sntrup761): Rename from test_kem.
	(test_kem_mlkem512, test_kem_mlkem768, test_kem_mlkem1024): New.
	(check_kem): Add N_LOOPS argument.  Call relevant tests by the
	variable SELECTED_ALGO.
	(main): Add option handling to select testing specific algorithm.

	cipher:kyber: Modify VERIFY function.
	+ commit 5c9c4dca39f2806443aaec60972e648715d3b048
	* cipher/kyber-kdep.c (crypto_kem_dec): Use verify1.
	* cipher/kyber.c (verify1): Return 1 when success.

	cipher:kyber: Modification for xof_ routines.
	+ commit fe3ecf810370086df40f4cc980d0a290e5f3a9a5
	* cipher/kyber-kdep.c (gen_matrix): Remove comment for
	gen_matrix.  Add calls to xof_init and xof_close.

	cipher:kyber: Integrate into libgcrypt, adding glue code.
	+ commit 4e9aa70078c5537f1c56f54e78d769c8b5dc9f0c
	* cipher/kyber-common.c: Add copyright notice.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.
	* cipher/kyber-kdep.c: Add #undef to clear the definitions.
	* cipher/kyber.c: Integrate into libgcrypt, also allow standalone use.

	cipher:kyber: Have cipher/kyber.h.
	+ commit 31743c17d7bd1f6dc653e6dfcf76fab5356649ae
	* cipher/kyber.h: New.

	cipher:kyber: Move declarations to kyber-kdep.c.
	+ commit b6e20ed580e08278eb963a87f6355c43ba0d34d2
	* cipher/kyber.c: Move KYBER_K-dependent declarations into...
	* cipher/kyber-kdep.c: ... here, or kyber.h.

	cipher:kyber: Functions in poly for different KYBER_K.
	+ commit efd55d9ecae549318425dc7a867c9698cbc78410
	* cipher/kyber-common.c (load24_littleendian, cbd3): Fix the
	compile-time condition.
	(poly_cbd_eta1, poly_cbd_eta2): Remove.
	(zetas): Don't export.
	(poly_compress): Remove.
	(poly_compress_128, poly_compress_160): New.
	(poly_decompress): Remove.
	(poly_decompress_128, poly_decompress_160): New.
	(poly_getnoise_eta1): Remove.
	(poly_getnoise_eta1_2): New.  Directly call cbd3.
	(poly_getnoise_eta1_3_4): New.  Directly call cbd2.
	(poly_getnoise_eta2):  Directly call cbd2.
	* cipher/kyber.c: Fix declarations for poly_compress,
	poly_decompress and poly_getnoise_eta1.

	cipher:kyber: Make the implementation into three files.
	+ commit 01a14c0df2957900903895a3c49de2bdb708816f
	* cipher/kyber-common.c: New.  Common part.
	* cipher/kyber-kdep.c: New. KYBER_K dependent part.
	* cipher/kyber.c: Move functions and variables to two files.

	cipher:kyber: Constants common and k-dependent.
	+ commit fc35a5372a74c696f45b10dccbb84331673412b4
	* cipher/kyber.c (KYBER_ETA1): Remove.
	(KYBER_ETA1_2, KYBER_ETA1_3_4): New.
	(KYBER_POLYCOMPRESSEDBYTES): Remove.
	(KYBER_POLYCOMPRESSEDBYTES_2_3): New.
	(KYBER_POLYCOMPRESSEDBYTES_4): New.

	cipher:kyber: Export the KEM API only.
	+ commit 34dd0a1a75b2ee37ccd1215235f8b9f00f38bff1
	* cipher/kyber.c: Don't export other functions and data.

	cipher: Editorial clean up cipher/kyber.c for headers.
	+ commit 4b601fe5b3cff021e265df6eb64911e6a8105bd3
	* cipher/kyber.c: Clean up.

	cipher: Add headers to Kyber implementation.
	+ commit 10e9bcd5c67ed40292b06901b38fa9b94ccc09ba
	* cipher/kyber.c: Add headers from the reference implementation.

	cipher: Put the original Kyber implementation.
	+ commit 18e5c0d268b1aeac59f526b9730b39520750ca14
	* cipher/kyber.c: Kyber reference implementation.

	cipher: Allow standalone use of SNTRUP761 implementation.
	+ commit bdadd65d440b7f689f49450530a548c32007f71b
	* cipher/sntrup761.c [HAVE_CONFIG_H]: Conditionalize.

2024-01-08  NIIBE Yutaka  <gniibe@fsij.org>

	Avoid use of C99 feature for enum.
	+ commit dbfb7cc76ef3f98fe62f0549b97d76f395864ae0
	* src/gcrypt.h.in (enum gcry_kdf_algos): Remove last comma.
	(enum gcry_kem_algos): Likewise.

2023-12-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: restore compiler barriers for auto-GHZ check.
	+ commit c9cb10f3be226dfd65c670ff2565d81dfc668376
	* tests/bench-slope.c (auto_ghz_bench): Add memory barriers to
	AUTO_GHZ_OPERATION macro when barrier is supported by compiler.

	mpi/ec-inline: refactor i386 assembly to reduce register usage.
	+ commit 956f1ed4ec6ead59dc56f574f943f1fe25dac723
	* mpi/ec-inline.h [__i386__] (ADD2_LIMB32_CARRY_OUT)
	(ADD2_LIMB32_CARRY_IN_OUT, ADD2_LIB32_CARRY_IN, SUB2_LIMB32_CARRY_OUT)
	(SUB2_LIMB32_CARRY_IN_OUT, SUB2_LIB32_CARRY_IN, ADD8_LIMB32)
	(ADD10_LIMB32, ADD14_LIMB32, SUB8_LIMB32, SUB10_LIMB32)
	(SUB14_LIMB32): New.
	[__i386__] (ADD4_LIMB32, ADD6_LIMB32, SUB4_LIMB32, SUB6_LIMB32): Rewrite
	to use new *_CARRY_* macros.
	[BYTES_PER_MPI_LIMB == 4] (ADD4_LIMB64): Use ADD8_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (ADD5_LIMB64): Use ADD10_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (ADD7_LIMB64): Use ADD14_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB4_LIMB64): Use SUB8_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB5_LIMB64): Use SUB10_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB7_LIMB64): Use SUB14_LIMB32 if available.

2023-12-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/ec-nist: fix for -Og build failure on i386.
	+ commit 90097bd2f41c217dc5c666570e5680f432cf92d3
	* mpi/ec-nist.c (_gcry_mpi_ec_nist256_mod)
	(_gcry_mpi_ec_nist384_mod): Load p_mult constant with carry offset
	to stack.

2023-12-12  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Update digest values following input changes.
	+ commit 4a104752d8a2f0ca15d7873011a14226925a773b
	* tests/basic.c (check_digests): Update the values.

2023-12-12  Andreas Metzler  <ametzler@bebt.de>

	Point to gnu.org as canonical license location.
	+ commit cd056b4d1614e9e245b66782b54aad1697e22a01


	Fix license header inconsistency.
	+ commit 25e93a02268b9f533b1ffa4f6a5fe47d686e2145


	Unify capitalization of LGPL copyright statements.
	+ commit ca5689367a837b6541307f6ae19e0176b051d06f


2023-12-08  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix sntrup761.h, so that it can be used outside.
	+ commit ebc9aaacd62bbc7f048020531398ccb9f97e4437
	* cipher/sntrup761.h [_GCRYPT_IN_LIBGCRYPT]: Ifdef-out
	libgcrypt specific glue code.  Recover the constants.

	cipher: Minor fix for C90 compiler.
	+ commit 2149888d47afea9946c3a748310ad27dfcda48c3
	* cipher/sntrup761.c (crypto_sort_int32): Declare A, before its use.

2023-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add sntrup761 to KEM API.
	+ commit 947ad42450eadec079a1c50deba90e6453f0113c
	* cipher/kem.c (sntrup761_random): New glue code.
	( _gcry_kem_keypair, _gcry_kem_encap, _gcry_kem_decap): Call sntrup761
	functions.
	* cipher/sntrup761.h: Add glue code to libgcrypt.
	* src/visibility.h: Update for KEM functions.
	* tests/t-kem.c: Fix for the final KEM API.

2023-12-07  Simon Josefsson  <simon@josefsson.org>

	cipher: Add Streamlined NTRU Prime sntrup761.
	+ commit cf9923e1a59f2f535311f3676345d34e593ba108
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sntrup761.c and h.
	* cipher/sntrup761.c: New.
	* tests/Makefile.am (tests_bin): Add t-kem.
	* tests/t-kem.c: New.

2023-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	Add an API for Key Encapsulation Mechanism.
	+ commit 7e503fa9170fd290105714d15a335f7748860e23
	* cipher/Makefile.am (libcipher_la_SOURCES): Add kem.c.
	* cipher/kem.c: New.
	* src/gcrypt-int.h (_gcry_kem_keypair, _gcry_kem_encap)
	(_gcry_kem_decap): New.
	* src/gcrypt.h.in (gcry_kem_keypair, gcry_kem_encap)
	(gcry_kem_decap): New.  Add constants.
	* src/libgcrypt.def (gcry_kem_keypair, gcry_kem_encap)
	(gcry_kem_decap): Add symbols.
	* src/libgcrypt.vers: Likewise.

2023-11-22  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix t-x448 for error handling.
	+ commit dc1c916da4ba3960495bca450d8f4bc6897d9167
	* tests/t-x448.c (test_cv_x448): Take the error code from ERR.

2023-11-16  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix return type of _gcry_ecc_mul_point.
	+ commit 354e53558e55fe5bc8fa4be32e1c1bace7623536
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return gpg_err_code_t.
	* src/gcrypt-int.h (_gcry_ecc_mul_point): Return gpg_err_code_t.
	* src/visibility.c (gcry_ecc_mul_point): Follow the change.

2023-11-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpih_mod: avoid unintentional conditional branch.
	+ commit 39d5364a9557d6f423de117601cb1e6414814f47
	* mpi/mpih-const-time.c (_gcry_mpih_mod): Avoid conditional branch
	on the_bit extraction.

	mpih-const-time: use constant-time comparisons conditional add/sub/abs.
	+ commit c419a04d529af7b5fb43732ec2b4304166c2579a
	* mpi/mpih-const-time.c (mpih_ct_limb_greater_than)
	(mpih_ct_limb_less_than): New.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_abs_cond): Use
	mpih_ct_limb_greater_than and mpih_ct_limb_less_than for comparisons.

	const-time: add functions for generating masks from 0/1 input.
	+ commit cf757cf90e9ae966b95dcebfd2f31b9212697f0c
	* mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use mask generating
	functions.
	* mpi/mpi-internal.h (ct_limb_gen_mask, ct_limb_gen_inv_mask): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond, _gcry_mpih_add_n_cond)
	(_gcry_mpih_sub_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond): Use
	mask generating functions.
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use mask
	generating functions.
	* src/const-time.h (DEFINE_CT_TYPE_GEN_MASK, ct_uintptr_gen_mask)
	(ct_ulong_gen_mask, DEFINE_CT_TYPE_GEN_INV_MASK, ct_uintptr_gen_inv_mask)
	(ct_ulong_gen_inv_mask): New.
	(DEFINE_CT_TYPE_SELECT_FUNC): Use mask generating functions.
	* src/const-time.c (_gcry_ct_memmov_cond): Use mask generating functions.

	ec: avoid unintentional condition branches for 25519, 448 and 256k1.
	+ commit 305a65c1ede8f78160100478d46efa199d334a64
	* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519, ec_addm_448)
	(ec_subm_448, ec_mulm_448, ec_secp256k1_mod): Use mpih_limb_is_zero
	and mpih_limb_is_not_zero instead of comparison to zero.

	ec-nist: avoid unintentional conditional branch by comparison.
	+ commit a9e7aa647e4b84964c76230370d71235383e5c2d
	* mpi/ec-nist.c (_gcry_mpi_ec_nist521_mod): Use mpih_limb_is_not_zero.
	* mpi/mpi-internal.h (mpih_limb_is_not_zero): New.

	mpih_cmp_ui: avoid unintentional conditional branch.
	+ commit aab6a42d5f44724b73a02598546a5e7d8b33298e
	* mpi/mpi-internal.h (mpih_limb_is_zero): New.
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Use mpih_limb_is_zero
	instead of comparison.

	ec-nist: use global vone and vzero.
	+ commit 5c5ba1ec2b505726ee1311339ac9e8b5c62cac4a
	* mpi/ec-nist.c (vzero, vone): Remove.
	(_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use _gcry_ct_vzero
	and _gcry_ct_vone.

	mpiutil: use global vone and vzero.
	+ commit d4aee9ace9a904446b987dddc2999119c4d62dae
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use
	_gcry_ct_vzero and _gcry_ct_vone.

	mpih-const-time: use global vzero/vone variable.
	+ commit 179df341162c74da312f76363a0ff1f2f303aa78
	* mpi/mpih-const-time.c (vzero, vone): Remove.
	(_gcry_mpih_set_cond, _gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond)
	(_gcry_mpih_swap_cond, _gcry_mpih_abs_cond): Use _gcry_ct_vzero and
	_gcry_ct_vone.

	const-time: ct_memmov_cond: switch to use dual mask approach.
	+ commit 4d3e0e30b98b2acb90acb2792b8327c26824a66f
	* src/const-time.c (_gcry_ct_memmov_cond): Use dual mask + AND/OR
	instead of single mask + XOR.

	const-time: prefix global symbols with _gcry_
	+ commit 22dde5150ee2be01651410ed9756601ba6a29c93
	* cipher/const-time.c (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	* cipher/const-time.h (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	(ct_not_memequal, ct_memequal, ct_memmov_cond): New macros.

	mpih_set_cond: restore EM leakage mitigation.
	+ commit 0c6ec6bbe788b8c4a6982b2128d442b51323c898
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Replace single mask + XOR
	with dual mask + AND/OR; Add comment about reason for dual mask usage.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond)
	(_gcry_mpih_abs_cond): Add comment about reason for dual mask usage.

	rsa, elgamal: avoid logical not operator in constant-time code.
	+ commit 84f934c09afac18b3f4351646c0fe6f93aede277
	* cipher/elgamal.c (elg_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Replace !
	operator with call to ct_is_zero.
	* cipher/rsa.c (rsa_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* src/const-time.c (_gcry_ct_vzero, _gcry_ct_vone): New.
	* src/const-time.h (_gcry_ct_vzero, _gcry_ct_vone): New.
	(ct_is_not_zero, ct_is_zero, DEFINE_CT_TYPE_SELECT_FUNC)
	(ct_uintptr_select, ct_ulong_select): New.
	(sexp_null_cond): Use ct_uintptr_select.

	const-time: always avoid comparison operator for byte comparison.
	+ commit 137e35ad47ee8734d0f3ffb6af1d1669c4621e0b
	* configure.ac: Remove POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON
	macro.
	* src/const-time.h (ct_not_equal_byte): Remove
	POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON ifdef.

	Use single constant-time memory comparison implementation.
	+ commit 1e9ddbd65c4627235611d75c3198c4ec197c9a05
	* src/const-time.c (ct_not_memequal): Use original 'buf_eq_const'
	implementation here.
	(ct_memequal): New.
	* cipher/bufhelp.h (buf_eq_const): Call to 'ct_memequal'.

2023-11-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: update auto-GHZ for alderlake-P.
	+ commit a047a9c7d10824593d5c9ae43d8a3d6319ef3c0b
	* tests/bench-slope.c (vone): New.
	(auto_ghz_bench): Remove memory barrier usage; Generate constant
	values from volatile variable.

2023-10-31  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix ElGamal decryption.
	+ commit 6d1d50ba3aad1850975f717adbedb4cb8b236fa7
	* cipher/elgamal.c (elg_decrypt): Call sexp_build always.
	* cipher/rsa.c (rsa_decrypt): Return an error code of sexp_build
	when RC != 0.

	rsa: Use memmov_independently when unpadding.
	+ commit 58b62be844549ad3d57c507d834027f1e2756567
	* cipher/rsa-common.c (memmov_independently): New.
	(_gcry_rsa_pkcs1_decode_for_enc): Use memmov_independently.
	(_gcry_rsa_oaep_decode): Use memmov_independently.

	const-time: Add ct_memmov_cond, fix _gcry_mpih_set_cond.
	+ commit bd08357436a9559766cd458d25781ee4f94012a2
	* src/const-time.c (ct_memmov_cond): New.
	* src/const-time.h (ct_memmov_cond): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Use XOR and a MASK.

2023-10-30  NIIBE Yutaka  <gniibe@fsij.org>

	const-time: Use ct_not_memequal, instead.  Tested with AVR.
	+ commit c31b70b2660c3d24bd54ee08c255c36d867fdea7
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_not_memequal.
	* src/const-time.c (ct_not_memequal): Use ct_not_equal_byte.
	* src/const-time.h (ct_not_memequal): Rename from ct_memequal.

	build: Check if arch is VAX or compiler is MSVC.
	+ commit c848459e512615c1865a23cf24debb3ad4a1e85b
	* configure.ac (AH_BOTTOM): Add check for VAX and MSVC.
	* src/const-time.h (POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON):
	Rename.

2023-10-27  NIIBE Yutaka  <gniibe@fsij.org>

	rsa: Fix decoding of PKCS#1 v1.5 and OAEP padding.
	+ commit 34c20427926010d6fa95b1666e4b1b60f60a8742
	* src/Makefile.am (libgcrypt_la_SOURCES): Add const-time.h and
	const-time.c.
	* src/const-time.h (ct_not_equal_byte, sexp_null_cond): New.
	(ct_memequal): New from NetBSD, modified return type and name.
	* src/const-time.c: New.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Examine whole
	sequence of the byte-array.  Use N0 to find the separator position, with
	ct_not_equal_byte.  Return the MPI even when the case of an error.
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_memequal to
	check LHASH.  Examine all the sequence of the byte-array.  Use N1 to
	find the separator of 0x01.  Return the MPI even when the case of an
	error.
	* cipher/rsa.c (rsa_decrypt): Always build a SEXP.

2023-10-06  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Minor clean-up of sexp output handling.
	+ commit 5e5dff0551fcd9a826db18188fa1e4a6ca45099a
	* src/sexp.c (suitable_encoding): Remove check for starting zero.

2023-10-05  NIIBE Yutaka  <gniibe@fsij.org>

	doc: Minor style fixes.
	+ commit edddc5738e6b1652ccc5db6861888de66112427f


	sexp: String with \0 is considered "binary".
	+ commit ddd41eb6ace02626b0bf7704fdec9b765fb717c4
	* src/sexp.c (suitable_encoding): It's "binary" when
	the buffer contains '\0'.

2023-09-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2-avx512: merge some of the gather loads.
	+ commit 325786acd445f9e74e4c44ba86c5b4e06788ea46
	* cipher/blake2b-amd64-avx512.S (GATHER_MSG_2, GATHER_MSG_3)
	(GATHER_MSG_5, GATHER_MSG_6, GATHER_MSG_8, GATHER_MSG_9): New.
	(LOAD_MSG_2, LOAD_MSG_3, LOAD_MSG_5, LOAD_MSG_6, LOAD_MSG_8)
	(LOAD_MSG_9): Use GATHER_MSG_<number>.
	(_blake2b_avx512_data): Add merged load masks ".L[4-7]_mask".
	(_gcry_blake2b_transform_amd64_avx512): Load merged load masks
	to %k[4-7] and clear registers on exit.
	* cipher/blake2s-amd64-avx512.S (VPINSRD_KMASK, GATHER_MSG_2)
	(GATHER_MSG_3, GATHER_MSG_5, GATHER_MSG_6, GATHER_MSG_8)
	(GATHER_MSG_9): New.
	(LOAD_MSG_2, LOAD_MSG_3, LOAD_MSG_5, LOAD_MSG_6, LOAD_MSG_8)
	(LOAD_MSG_9): Use GATHER_MSG_<number>.
	(_blake2s_avx512_data): Add merged load masks ".L[4-7]_mask".
	(_gcry_blake2s_transform_amd64_avx512): Load merged load masks
	to %k[4-7] and clear registers on exit.

2023-09-01  NIIBE Yutaka  <gniibe@fsij.org>

	build: Change the default for --with-libtool-modification.
	+ commit 36d014f919d1c5f00dde4509da9b5e02895467c9
	* configure.ac (--with-libtool-modification): default=never.

2023-08-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2b-avx512: replace VPGATHER with manual gather.
	+ commit 59f14c1db37e16aba37af185dd0677f9783536ce
	* cipher/blake2.c (blake2b_init_ctx): Remove HWF_INTEL_FAST_VPGATHER
	check for AVX512 implementation.
	* cipher/blake2b-amd64-avx512.S (R16, VPINSRQ_KMASK, .Lshuf_ror16)
	(.Lk1_mask): New.
	(GEN_GMASK, RESET_KMASKS, .Lgmask*): Remove.
	(GATHER_MSG): Use manual gather instead of VPGATHER.
	(ROR_16): Use vpshufb for small speed improvement on tigerlake.
	(_gcry_blake2b_transform_amd64_avx512): New setup & clean-up for
	kmask registers; Reduce excess loop aligned from 64B to 16B.

	twofish-avx2-amd64: replace VPGATHER with manual gather.
	+ commit ded3a1ec2ec6980750e3e9eabde001cdbebece51
	* cipher/twofish-avx2-amd64.S (do_gather): New.
	(g16): Switch to use 'do_gather' instead of VPGATHER instruction.
	(__twofish_enc_blk16, __twofish_dec_blk16): Prepare stack
	for 'do_gather'.
	* cipher/twofish.c (twofish) [USE_AVX2]: Remove now unneeded
	HWF_INTEL_FAST_VPGATHER check.

	Avoid VPGATHER usage for most of Intel CPUs.
	+ commit f2bf9997d46590e688bad213267b8fb466e95ecd
	* cipher/blake2.c (blake2b_init_ctx): Check for fast VPGATHER
	for AVX512 implementation.
	* src/hwf-x86.c (detect_x86_gnuc): Do not enable
	HWF_INTEL_FAST_VPGATHER for Intel CPUs suffering from
	"Downfall" vulnerability.

2023-08-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: New configure option --with-libtool-modification.
	+ commit 2143503b8f56a4e6909dc8b4f86e20c8ad76aaed
	* Makefile.am (EXTRA_DIST): Add build-aux/libtool-patch.sed.
	* build-aux/libtool-patch.sed: New.
	* configure.ac (--with-libtool-modification): New.
	* build-aux/ltmain.sh: Revert our own local modification.

2023-07-26  NIIBE Yutaka  <gniibe@fsij.org>

	doc: yat2m-stamp should depend on version.texi.
	+ commit f019c98fd418596074ffd2cc755be6c483aac932
	* doc/Makefile.am (yat2m-stamp): Depend on version.texi.

2023-07-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-x86: use CFI statements for 'is_cpuid_available'
	+ commit a5f88f30ce612b0239b946c4424d81cf0d552e96
	* src/hwf-x86.c (FORCE_FUNC_FRAME_POINTER): Remove.
	(CFI_ADJUST_CFA_OFFSET, CFI_PUSH4, CFI_POP4): New.
	(is_cpuid_available): Use CFI statements instead of frame-pointer
	attribute.

	configure: fix HAVE_GCC_ASM_CFI_DIRECTIVES check.
	+ commit 35829d38d61fa3130d88eaeea1af2591a3f07208
	* cipher/camellia-aesni-avx2-amd64.h (enc_blk1_32): Fix dual
	CFI_ENDPROC() usage.
	* configure.ac (gcry_cv_gcc_asm_cfi_directives): Add missing ';'
	after 'void asmfunc(void)'.
	* mpi/asm-common-i386.h: New.
	* mpi/i386/syntax.h: Remove CFI macros and instead include
	"asm-common-i386.h".

	Add VAES/AVX2 accelerated i386 implementation for AES.
	+ commit 4a42a042bcf6b25f13957207c2d13d420f450bb8
	* cipher/Makefile.am: Add 'rijndael-vaes-i386.c' and
	'rijndael-vaes-avx2-i386.S'.
	* cipher/asm-common-i386.h: New.
	* cipher/rijndael-internal.h (USE_VAES_I386): New.
	* cipher/rijndael-vaes-avx2-i386.S: New.
	* cipher/rijndael-vaes-i386.c: New.
	* cipher/rijndael-vaes.c: Update header description (add 'AMD64').
	* cipher/rijndael.c [USE_VAES]: Add 'USE_VAES_I386' to ifdef around
	'_gcry_aes_vaes_*' function prototypes.
	(setkey) [USE_VAES_I386]: Add setup of VAES/AVX2/i386 bulk functions.
	* configure.ac: Add 'rijndael-vaes-i386.lo' and
	'rijndael-vaes-avx2-i386.lo'.
	(gcry_cv_gcc_amd64_platform_as_ok): Rename this to ...
	(gcry_cv_gcc_x86_platform_as_ok): ... this and change to check for
	both AMD64 and i386 assembler compatibility.
	(gcry_cv_gcc_win32_platform_as_ok): New.

	rijndael-vaes-avx2-amd64: avoid extra load in CFB & CBC IV handling.
	+ commit 13f288edd5274880cf6833c80eba24183440a66d
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_cbc_dec_amd64, _gcry_vaes_avx2_cfb_dec_amd64): Avoid
	duplicate memory load from source buffer.

	rijndael-vaes-avx2-amd64: acceleration for OCB auth.
	+ commit 6b47e85d65158f3b6b1c3c24476249bfe3a7f943
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_ocb_crypt_amd64): Add authentication mode support.
	* cipher/rijndael-vaes.c (_gcry_vaes_avx2_ocb_crypt_amd64): Change
	to return 'size_t' value.
	(_gcry_aes_vaes_ocb_auth): New.
	* cipher/rijndael.c (_gcry_aes_vaes_ocb_auth): New.
	(do_setkey) [USE_VAES]: Add setup for 'bulk_ops->ocb_auth'.

2023-07-14  Bernhard Reiter  <bernhard@intevation.de>

	build: Fix the notice in configure.ac.
	+ commit 77ce5866e06cb5ebd82a0ce34206395aa03b9352
	* configure.ac: Fix typo.

2023-07-12  NIIBE Yutaka  <gniibe@fsij.org>

	Use unsigned int for a bit field.
	+ commit e76e88eef7811ada4c6e1d57520ba8c439139782
	* random/random-drbg.c (struct drbg_state_ops_s): Use unsigned.
	(struct drbg_state_s): Likewise.
	* src/hmac256.c (struct hmac256_context): Likewise.

2023-06-28  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:ecc:fips: Only allow defined digest algo for EdDSA.
	+ commit d15fe6aac10b0ffc2eb8974c23095d8123025e5c
	* cipher/ecc.c (ecc_sign): Add the check if it's proper digest
	algo for EdDSA on FIPS mode.

	cipher:ecc:fips: Reject use of SHAKE when it's ECDSA with RFC6979.
	+ commit f65c30d470f581e4df91a5aff8bb202ff0fd56ad
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Check if it's SHAKE.

2023-06-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	keccak: add md_read support for SHAKE algorithms.
	+ commit 794695ff45d64f6586d7f08e74c075c098ac3b5d
	* cipher/hash-common.c (_gcry_hash_selftest_check_one): Adjust
	for SHAKE algorithms now returning non-zero for digest length.
	* cipher/keccak.c (KECCAK_CONTEXT_S): Add 'shake_in_extract_mode'
	and 'shake_in_read_mode' flags.
	(keccak_init): Initialize new context fields; set output length
	for SHAKE algorithms.
	(keccak_extract): Rename to ...
	(do_keccak_extract): this and add return value.
	(keccak_extract): New with 'shake_in_???_mode' checks & setup.
	(keccak_shake_read): New.
	(_gcry_sha3_hash_buffers): Adjust for 'spec->mdlen' not being
	zero for SHAKE algorithms, instead check 'suffix' for type.
	(_gcry_digest_spec_shake128): Set mdlen to 32 bytes; Set read
	function.
	(_gcry_digest_spec_shake256): Set mdlen to 64 bytes; Set read
	function.
	* cipher/md.c (md_extract): Pass return value from algo extract
	function.
	(_gcry_md_hash_buffers_extract): Adjust for 'spec->mdlen' not
	being zero for SHAKE algorithms.
	* src/cipher-proto.h (gcry_md_extract_t): Change return type
	from 'void' to 'gpg_err_code_t'.
	* tests/basic.c (check_one_md, check_one_md_multi): Adjust
	for 'gcry_md_get_algo_dlen()' not being zero for SHAKE
	algorithms.
	(check_digests): Add md_read interface test-vectors for SHAKE128
	and SHAKE256.

2023-06-23  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:rsa: Add support of SHAKE as MGF.
	+ commit 8802faadab79ec84714bbaf28eaa882860779cba
	* cipher/rsa-common.c (_gcry_rsa_pss_encode): Support SHAKE.
	(_gcry_rsa_pss_verify): Likewise.

2023-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Allow KDF measurement in FIPS mode.
	+ commit 70b1b036f3ee06c5894e996cbd742cf3c174ca79
	* tests/bench-slope.c (bench_kdf_init): Tweak the iterations in FIPS
	mode.
	(bench_kdf_do_bench): Use larger values to avoid rejection in FIPS
	mode.

	cipher:kdf: Move FIPS mode check to _gcry_kdf_derive.
	+ commit f4bff832c7f5a54879c1858d7b426cd12088c57c
	* cipher/kdf.c (_gcry_kdf_pkdf2): Move the checks to...
	(_gcry_kdf_derive): ... here.

	Remove out of core handler setting message in FIPS mode.
	+ commit 6c79dcddd151b6b01a760f7aab54e6882ea5a475
	* src/global.c (_gcry_set_outofcore_handler): Don't call log_info.

	cipher:ecc: Implement PCT for EdDSA.
	+ commit 3ac2bba4a4b11388949e235d0d9555478468a379
	* cipher/ecc.c (test_keys_eddsa_fips): New.
	(ecc_generate): Use test_keys_eddsa_fips for EdDSA.

	build: Detect broken GCC for x86/AVX512 intrinsics.
	+ commit 97f4a94d5960bb53b690bbd5cdf87b64311e21cc
	* configure.ac (HAVE_COMPATIBLE_CC_X86_AVX512_INTRINSICS): Check
	the GCC bug 90980.

	cipher:ecc: Add selftests for EdDSA.
	+ commit 547dfb5aecc1ae057e0bc599e8565f8c3fb84894
	* cipher/ecc.c (selftest_hash_sign_eddsa): New.
	(selftests_ecc): Add IS_EDDSA argument.
	(run_selftests): Add tests for Ed25519 and Ed448.
	* src/g10lib.h (_gcry_hex2buffer): New.
	* src/sexp.c (_gcry_hex2buffer): Add.

2023-06-16  Jakub Jelen  <jjelen@redhat.com>

	tests: EdDSA keys work in FIPS mode.
	+ commit 73d2f5d93541747befe9a791991553d691f3a1ae
	* tests/bench-slope.c (ecc_algo_fips_allowed): Adjust list of FIPS
	  allowed algorithms.
	* tests/benchmark.c (ecc_bench): Ditto.
	* tests/curves.c (check_get_params): Ditto.
	* tests/keygrip.c (global): Ditto.
	* tests/pubkey.c (main): Run Ed25519 test in FIPS mode.
	* tests/t-ed25519.c (one_test): Remove FIPS exception.
	  (main): Do not record FIPS status.
	* tests/t-ed448.c (one_test): Remove FIPS exception.
	  (main): Do not record FIPS status.
	* tests/keygen.c (check_ecc_keys): Remove FIPS exceptions.

	ecc: Enable Ed25519 and Ed448 in FIPS mode.
	+ commit c08ea202d91651b7c8f7ed37f5554330deac52b8
	* cipher/ecc-curves.c (domain_parms): Flip the FIPS byte for EdDSA
	  curves to enable them in FIPS mode
	* src/fips.c (valid_string_in_sexp): Mark eddsa flag valid in FIPS mode

2023-06-15  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:ecc: Fix EdDSA secret key check.
	+ commit ed879d832659f51c40bfadcd3b96fb8890b1eefb
	* cipher/ecc.c (check_secret_key): No reason to exclude EdDSA key.

	context: Make the context chain-able.
	+ commit f4019ed225bf4478b06fdb54e01bd7b9264694a9
	* src/context.h (_gcry_ctx_alloc): Add NEXT argurment.
	* src/context.c (struct gcry_context): Add NEXT field.
	(_gcry_ctx_alloc): Support the NEXT field.
	(_gcry_ctx_get_pointer): Allow access to the NEXT field.
	(_gcry_ctx_release): Loop following NEXT.
	* cipher/pubkey.c (struct pk_single_data): Remove CTX_NEXT.
	(release_single_data): Remove.
	(_gcry_pk_single_data_push): Call _gcry_ctx_alloc with NEXT.
	(_gcry_pk_get_single_data): Use _gcry_ctx_get_pointer to
	access NEXT.

2023-06-14  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:pubkey: Fix non-use of flexible array member.
	+ commit c160e1a85f8295e388de7a0b09a351bc271f0d95
	* cipher/pubkey.c (struct pk_single_data): Use 1 as the size.
	(_gcry_pk_single_data_push): Use offsetof.

	cipher:ecc: Support gcry_pk_hash_sign/verify for EdDSA.
	+ commit 86fcf8292208838b47c08e74cd0941694287e7dd
	* cipher/pubkey.c (prepare_datasexp_to_be_signed): Allow HD=NULL,
	and use of CTX for supplying input data and random_override.
	(_gcry_pk_sign_md, _gcry_pk_verify_md): Support the case of HD==NULL.
	(release_single_data): New.
	(_gcry_pk_single_data_push, _gcry_pk_get_single_data): New.
	(_gcry_pk_random_override_new, _gcry_pk_get_random_override): Remove.
	* src/context.h (CONTEXT_TYPE_SINGLE_DATA): New.
	(CONTEXT_TYPE_RANDOM_OVERRIDE): Remove.
	* src/context.c (_gcry_ctx_alloc): Use CONTEXT_TYPE_SINGLE_DATA.
	* src/gcrypt-int.h (_gcry_pk_single_data_push,
	_gcry_pk_get_single_data): New.
	(_gcry_pk_random_override_new, _gcry_pk_get_random_override): Remove.
	* src/gcrypt.h.in (gcry_pk_input_data_push): New.
	* src/visibility.c (gcry_pk_random_override_new): Follow the change.
	* tests/t-ed25519.c (one_test): Use gcry_pk_hash_sign/verify API.
	* tests/t-ed448.c (one_test): Use gcry_pk_hash_sign/verify API.

2023-06-13  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:ecc: Fix public key computation for EdDSA.
	+ commit 469919751d6eb46ceff9df80676416ca8f474459
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Fix hard-coded length
	for digest lower bits.

2023-06-12  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:pubkey: Factor out data SEXP preparation.
	+ commit 263aa80b39dcf6d98c475784b319cb91b87cec3b
	* cipher/pubkey.c (prepare_datasexp_to_be_signed): New.
	(_gcry_pk_sign_md, _gcry_pk_verify_md): Use the function.

2023-06-09  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Factor functions for ECC selftests.
	+ commit e0f7e927c594bec46afc23b782526546d0024ff5
	* cipher/ecc.c: Factor out data for ECC selftests.
	(selftest_hash_sign, selftest_sign): Have more arguments.
	(selftests_ecc): Rename from selftests_ecdsa, having more args.
	Follow the change of selftest_hash_sign, selftest_sign with data.
	(run_selftests): Call selftests_ecc with constants of ECDSA.

2023-06-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	addm/subm/mulm: fix case when destination is same MPI as divider.
	+ commit f490ffd739f713fcf0be35b7fbbb8502dea40a0c
	* mpi/mpi-add.c (_gcry_mpi_addm, _gcry_mpi_subm): Take copy of M when
	W and M are the same MPI.
	* mpi/mpi-mul.c (_gcry_mpi_mulm): Likewise.
	* tests/mpitests.c (test_addm_subm_mulm): New.
	(main): Run addm/subm/mulm test.

2023-06-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	twofish-avx2: de-unroll round function.
	+ commit beeff8eda4a94187ee2c72c4372ab3e634335e45
	* cipher/twofish-avx2-amd64.S (__twofish_enc_blk16)
	(__twofish_dec_blk16): Use loop structure instead of unrolling.

2023-05-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent: add x86/AVX512 implementation.
	+ commit ce95b6ec3554aec0e4a26f700889a19d85b5d9ac
	* cipher/Makefile.am: Add `serpent-avx512-x86.c`; Add extra CFLAG
	handling for `serpent-avx512-x86.o` and `serpent-avx512-x86.lo`.
	* cipher/serpent-avx512-x86.c: New.
	* cipher/serpent.c (USE_AVX512): New.
	(serpent_context_t): Add `use_avx512`.
	[USE_AVX512] (_gcry_serpent_avx512_cbc_dec)
	(_gcry_serpent_avx512_cfb_dec, _gcry_serpent_avx512_ctr_enc)
	(_gcry_serpent_avx512_ocb_crypt, _gcry_serpent_avx512_blk32): New.
	(serpent_setkey_internal) [USE_AVX512]: Set `use_avx512` is
	AVX512 HW available.
	(_gcry_serpent_ctr_enc) [USE_AVX512]: New.
	(_gcry_serpent_cbc_dec) [USE_AVX512]: New.
	(_gcry_serpent_cfb_dec) [USE_AVX512]: New.
	(_gcry_serpent_ocb_crypt) [USE_AVX512]: New.
	(serpent_crypt_blk1_16): Rename to...
	(serpent_crypt_blk1_32): ... this; Add AVX512 code-path; Adjust for
	increase from max 16 blocks to max 32 blocks.
	(serpent_encrypt_blk1_16): Rename to ...
	(serpent_encrypt_blk1_32): ... this.
	(serpent_decrypt_blk1_16): Rename to ...
	(serpent_decrypt_blk1_32): ... this.
	(_gcry_serpent_xts_crypt, _gcry_serpent_ecb_crypt): Increase bulk
	block count from 16 to 32.
	* configure.ac (gcry_cv_cc_x86_avx512_intrinsics)
	(ENABLE_X86_AVX512_INTRINSICS_EXTRA_CFLAGS): New.
	(GCRYPT_ASM_CIPHERS): Add `serpent-avx512-x86.lo`.

2023-05-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: Sync libtool from libgpg-error for 64-bit Windows.
	+ commit 01c0185e63605ec7e0b9e90ca99ef9f435b67261
	* build-aux/ltmain.hs: Update from libgpg-error.

2023-05-10  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Use -no-fast-install LDFLAGS for Windows.
	+ commit 33f9f0dec26df64e8184395eb6554ee379a87e3d
	* tests/Makefile.am [HAVE_W32_SYSTEM] (AM_LDFLAGS): Conditionalize.

	w32: Silence GCC warning for -Wcast-function-type.
	+ commit 501dee123efe3d7d9488bb806ac9af5f56053f06
	* random/rndw32.c (init_system_rng): Add (void *).
	(slow_gatherer): Likewise.

2023-04-27  NIIBE Yutaka  <gniibe@fsij.org>

	Update copyright notices to use URL.
	+ commit f5284460ac4c8cc41ad9d39c5d15bd063710d956
	* build-aux/db2any: Update copyright notice.
	* cipher/arcfour.c, cipher/blowfish.ccipher/cast5.c: Likewise.
	* cipher/crc-armv8-ce.c, cipher/crc-intel-pclmul.c: Likewise.
	* cipher/crc-ppc.c, cipher/crc.c, cipher/des.c: Likewise.
	* cipher/md2.c, cipher/md4.c, cipher/md5.c: Likewise.
	* cipher/primegen.c, cipher/rfc2268.c, cipher/rmd160.c: Likewise.
	* cipher/seed.c, cipher/serpent.c, cipher/tiger.c: Likewise.
	* cipher/twofish.c: Likewise.
	* mpi/alpha/mpih-add1.S, mpi/alpha/mpih-lshift.S: Likewise.
	* mpi/alpha/mpih-mul1.S, mpi/alpha/mpih-mul2.S: Likewise.
	* mpi/alpha/mpih-mul3.S, mpi/alpha/mpih-rshift.S: Likewise.
	* mpi/alpha/mpih-sub1.S, mpi/alpha/udiv-qrnnd.S: Likewise.
	* mpi/amd64/mpih-add1.S, mpi/amd64/mpih-lshift.S: Likewise.
	* mpi/amd64/mpih-mul1.S, mpi/amd64/mpih-mul2.S: Likewise.
	* mpi/amd64/mpih-mul3.S, mpi/amd64/mpih-rshift.S: Likewise.
	* mpi/amd64/mpih-sub1.S, mpi/config.links: Likewise.
	* mpi/generic/mpih-add1.c, mpi/generic/mpih-lshift.c: Likewise.
	* mpi/generic/mpih-mul1.c, mpi/generic/mpih-mul2.c: Likewise.
	* mpi/generic/mpih-mul3.c, mpi/generic/mpih-rshift.c: Likewise.
	* mpi/generic/mpih-sub1.c, mpi/generic/udiv-w-sdiv.c: Likewise.
	* mpi/hppa/mpih-add1.S, mpi/hppa/mpih-lshift.S: Likewise.
	* mpi/hppa/mpih-rshift.S, mpi/hppa/mpih-sub1.S: Likewise.
	* mpi/hppa/udiv-qrnnd.S, mpi/hppa1.1/mpih-mul1.S: Likewise.
	* mpi/hppa1.1/mpih-mul2.S, mpi/hppa1.1/mpih-mul3.S: Likewise.
	* mpi/hppa1.1/udiv-qrnnd.S, mpi/i386/mpih-add1.S: Likewise.
	* mpi/i386/mpih-lshift.S, mpi/i386/mpih-mul1.S: Likewise.
	* mpi/i386/mpih-mul2.S, mpi/i386/mpih-mul3.S: Likewise.
	* mpi/i386/mpih-rshift.S, mpi/i386/mpih-sub1.S: Likewise.
	* mpi/i386/syntax.h, mpi/longlong.h: Likewise.
	* mpi/m68k/mc68020/mpih-mul1.S, mpi/m68k/mc68020/mpih-mul2.S: Likewise.
	* mpi/m68k/mc68020/mpih-mul3.S, mpi/m68k/mpih-add1.S: Likewise.
	* mpi/m68k/mpih-lshift.S, mpi/m68k/mpih-rshift.S: Likewise.
	* mpi/m68k/mpih-sub1.S, mpi/m68k/syntax.h: Likewise.
	* mpi/mips3/mpih-add1.S, mpi/mips3/mpih-lshift.S: Likewise.
	* mpi/mips3/mpih-mul1.S, mpi/mips3/mpih-mul2.S: Likewise.
	* mpi/mips3/mpih-mul3.S, mpi/mips3/mpih-rshift.S: Likewise.
	* mpi/mips3/mpih-sub1.S, mpi/mpi-add.c: Likewise.
	* mpi/mpi-bit.c, mpi/mpi-cmp.c, mpi/mpi-div.c: Likewise.
	* mpi/mpi-gcd.c, mpi/mpi-inline.c, mpi/mpi-inline.h: Likewise.
	* mpi/mpi-internal.h, mpi/mpi-mpow.c, mpi/mpi-mul.c: Likewise.
	* mpi/mpi-scan.c, mpi/mpih-div.c, mpi/mpih-mul.c: Likewise.
	* mpi/pa7100/mpih-lshift.S, mpi/pa7100/mpih-rshift.S: Likewise.
	* mpi/power/mpih-add1.S, mpi/power/mpih-lshift.S: Likewise.
	* mpi/power/mpih-mul1.S, mpi/power/mpih-mul2.S: Likewise.
	* mpi/power/mpih-mul3.S, mpi/power/mpih-rshift.S: Likewise.
	* mpi/power/mpih-sub1.S, mpi/powerpc32/mpih-add1.S: Likewise.
	* mpi/powerpc32/mpih-lshift.S, mpi/powerpc32/mpih-mul1.S: Likewise.
	* mpi/powerpc32/mpih-mul2.S, mpi/powerpc32/mpih-mul3.S: Likewise.
	* mpi/powerpc32/mpih-rshift.S, mpi/powerpc32/mpih-sub1.S: Likewise.
	* mpi/powerpc32/syntax.h, mpi/sparc32/mpih-add1.S: Likewise.
	* mpi/sparc32/mpih-lshift.S, mpi/sparc32/mpih-rshift.S: Likewise.
	* mpi/sparc32/udiv.S, mpi/sparc32v8/mpih-mul1.S: Likewise.
	* mpi/sparc32v8/mpih-mul2.S, mpi/sparc32v8/mpih-mul3.S: Likewise.
	* mpi/supersparc/udiv.S: Likewise.
	* random/random.h, random/rndegd.c: Likewise.
	* src/cipher.h, src/libgcrypt.def, src/libgcrypt.vers: Likewise.
	* src/missing-string.c, src/mpi.h, src/secmem.h: Likewise.
	* src/stdmem.h, src/types.h: Likewise.
	* tests/aeswrap.c, tests/curves.c, tests/hmac.c: Likewise.
	* tests/keygrip.c, tests/prime.c, tests/random.c: Likewise.
	* tests/t-kdf.c, tests/testapi.c: Likewise.

	Update m4 files and Makefiles.
	+ commit 17a3394b47cb82535ef7187e8819931b00cf4fa6
	* acinclude.m4: Use URL and add SPDX identifier.
	* m4/noexecstack.m4: Likewise.
	* Makefile.am: Likewise.
	* doc/Makefile.am: Likewise.
	* mpi/Makefile.am: Likewise.
	* tests/Makefile.am: Likewise.

2023-04-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: optimize mpi_rshift and mpi_lshift to avoid extra MPI copying.
	+ commit fdf2e8ba654a4dcfee25586dd7e0749f2b7a92c0
	* mpi/mpi-bit.c (_gcry_mpi_rshift): Refactor so that _gcry_mpih_rshift
	is used to do the copying along with shifting when copying is needed
	and refactor so that same code-path is used for both in-place and
	copying operation.
	(_gcry_mpi_lshift): Refactor so that _gcry_mpih_lshift is used to do
	the copying along with shifting when copying is needed and refactor
	so that same code-path is used for both in-place and copying operation.

	mpi/amd64: optimize add_n and sub_n.
	+ commit ad4ee8d52f7199ba8bdee767044337060529069f
	* mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): New implementation
	with 4x unrolled fast-path loop.
	* mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Likewise.

	mpi/amd64: fix use of 'movd' for 64-bit register move in lshift&rshift.
	+ commit 3e17e819a6a4d505828cf93fc2c258a753f1d38c
	* mpi/amd64/mpih-lshift.S: Use 'movq' instead of 'movd' for moving
	value to %rax.
	* mpi/amd64/mpih-rshift.S: Likewise.

	mpi: avoid MPI copy at gcry_mpi_sub.
	+ commit 8b09db4cce1040f061034ab899cd1369a51dceeb
	* mpi/mpi-add.c (_gcry_mpi_add): Rename function...
	(_gcry_mpi_add_inv_sign): ... to this and add parameter for inverting
	sign of second operand.
	(_gcry_mpi_add): New.
	(_gcry_mpi_sub): Remove mpi_copy and instead use new
	'_gcry_mpi_add_inv_sign' function with inverted sign for second
	operand.

	bench-slope: add MPI benchmarking.
	+ commit e90fbf6f8dacf280d03e557a65528fc2df24f1d7
	* tests/bench-slope.c (MPI_START_SIZE, MPI_END_SIZE, MPI_STEP_SIZE)
	(MPI_NUM_STEPS, bench_mpi_test, mpi_test_names, bench_mpi_mode)
	(bench_mpi_hd, bench_mpi_init, bench_mpi_fre, bench_mpi_do_bench)
	(mpi_ops, mpi_modes, mpi_bench_one, _mpi_bench, mpi_match_test)
	(mpi_bench): New.
	(print_help): Add mention of 'mpi'.
	(main): Add "mpi" tests.

	cipher: restore weak-key error-code after mode specific setkey.
	+ commit 5d18b401f8a780e2465662e88cbac6974033bf3f
	* cipher/cipher.c (cipher_setkey): Restore weak-key error-code
	in case mode specific setkey returned success for the return code.

2023-04-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add documentation for GCRYCTL_SET_ALLOW_WEAK_KEY.
	+ commit f3ca9fa4f7e0aee1bb5012c419deb7b927da844d
	* doc/gcrypt.texi: Add 'GCRYCTL_SET_ALLOW_WEAK_KEY' under
	'gcry_cipher_ctl'.

	Revert "cipher: Fix edge case for SET_ALLOW_WEAK_KEY."
	+ commit 7146b69b490595d654228bae8c3fb5d1525e3b60
	* cipher/cipher.c (cipher_setkey): Do not reset RC.

2023-04-16  Werner Koch  <wk@gnupg.org>

	cipher: Fix edge case for SET_ALLOW_WEAK_KEY.
	+ commit 30840c2c45d718e0fd93cfd40771fbefa50e31f5
	* cipher/cipher.c (cipher_setkey): Reset RC.

2023-04-10  NIIBE Yutaka  <gniibe@fsij.org>

	random: Use getrandom only when it's appropriate.
	+ commit fa21ddc158b5d7b5900856e5b131071302217a51
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random)
	[GRND_RANDOM]: Conditionalize the use of getrandom, as it's
	not a portable function.

2023-04-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Enable the fast path to ChaCha20 only when supported.
	+ commit 137f1fd82bc9136d434ca41f58d62091b64df6db
	cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt) [USE_CHACHA20]: Conditionalize.

2023-04-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher-gcm-ppc: tweak loop structure a bit.
	+ commit 278ba98497e126358a6b0ee8b566cc62ebb96ab9
	* cipher/cipher-gcm-ppc.c (_gcry_ghash_ppc_vpmsum): Increament
	'buf' pointer right after use; Use 'for' loop for inner 4-blocks
	loop to allow compiler to better optimize loop.

2023-04-03  NIIBE Yutaka  <gniibe@fsij.org>

	build: Allow build with -Oz.
	+ commit 7edf1abb9a0d892a80cbf7ab42f64b2720671ee9
	* cipher/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.
	* random/Makefile.am [ENABLE_O_FLAG_MUNGING]: Support -Oz.

2023-04-01  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Update gpg-error.m4.
	+ commit bcf5922eaac274f5ace991ecace01e718a9fe964
	* m4/gpg-error.m4: Update from libgpg-error master.

2023-03-24  NIIBE Yutaka  <gniibe@fsij.org>

	fips: More elaborate way of getting FIPS pk flags indicators.
	+ commit 1c916b8c99ea0e30f1d81d606fd63b0c45657186
	* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
	in the S-expression.
	* doc/gcrypt.texi: Add document for the FIPS service indicator
	GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.

2023-03-23  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit 0af15f1fa0ca277fba17b365519f710b41a5b78f
	* m4/gpg-error.m4: Update from libgpg-error master.

2023-03-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-simd128: use 8-bit right shift for rotate function.
	+ commit 79a79d3dc6268f4d72597f7db6c83511dbbef645
	* cipher/camellia-simd128.h (rol32_1_16): Use vpsrlb128 for uint8
	right shift by 7 if available.

	camellia-gfni: use GFNI for uint8 right shift in FLS.
	+ commit 3c98ae9cb60a8a72d3fa6641e59775f98ec78786
	* cipher/camellia-aesni-avx2-amd64.h (IF_GFNI, IF_NOT_GFNI): New.
	[CAMELLIA_GFNI_BUILD] (rol32_1_32): Add GFNI variant which uses
	vgf2p8affineqb for uint8 right shift by 7.
	(fls32): Load 'right shift by 7' bit-matrix on GFNI build.
	[CAMELLIA_GFNI_BUILD] (.Lright_shift_by_7): New.
	* cipher/camellia-gfni-avx512-amd64.S (clear_regs): Don't clear %k1.
	(rol32_1_64): Use vgf2p8affineqb for uint8 right shift by 7.
	(fls64): Adjust for rol32_1_64 changes.
	(.Lbyte_ones): Remove.
	(.Lright_shift_by_7): New.
	(_gcry_camellia_gfni_avx512_ctr_enc): Clear %k1 after use.

2023-03-14  Jakub Jelen  <jjelen@redhat.com>

	tests: Improve test coverage for FIPS service indicators.
	+ commit fae63f517906ba8f46d255f1b5770665f2197ad9
	* tests/basic.c (check_digests): Check the FIPS indicators.
	(check_mac): Ditto.

	fips: Explicitly disable overriding random in FIPS mode.
	+ commit e0a5a9eb8301991c28fae8632add8dacce81aeb4
	* src/fips.c: (_gcry_fips_indicator_function): Mark using random
	override non-approved in FIPS mode.

	fips: Explicitly allow only some PK flags.
	+ commit 4c1c8a707f9652dbfad8f8b531d8b84556f655f1
	* src/fips.c (_gcry_fips_indicator_pk_flags): New function for explicit
	  FIPS indicator for public key algorithm flags.
	* src/g10lib.h (_gcry_fips_indicator_pk_flags): New.
	* src/gcrypt.h.in (GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS): New.
	* src/global.c (_gcry_vcontrol): Handle the new option.
	* doc/gcrypt.texi: Document new options.

2023-03-14  Tobias Heider  <tobias.heider@canonical.com>

	doc: Document the new FIPS indicators.
	+ commit 0b7ad923978f708b41933d6b91d3159ffc7a84a1
	* doc/gcrypt.texi: Document the new options for FIPS indicators.

2023-03-08  Tobias Heider  <tobias.heider@canonical.com>

	fips: Unblock MD5 in fips mode but mark non-approved in indicator.
	+ commit dc4a60e2d70bc52ba2955f8e676341d675ab89a0
	* cipher/mac-hmac.c (_gcry_mac_type_spec_hmac_md5): Allow in fips mode.
	* cipher/md5.c (_gcry_digest_spec_md5): Allow in fips mode.

	fips: Add explicit indicators for md and mac algorithms.
	+ commit c88672a327f6774a66d75a35f25266eec99b16f4
	* src/fips.c (_gcry_fips_indicator_mac): New function indicating
	non-approved mac algorithms.
	(_gcry_fips_indicator_md): new functions indicating non-approved
	message digest algorithms.
	* src/g10lib.h (_gcry_fips_indicator_mac): New function.
	(_gcry_fips_indicator_md): Ditto.
	* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbols,
	GCRYCTL_FIPS_SERVICE_INDICATOR_MAC and
	GCRYCTL_FIPS_SERVICE_INDICATOR_MD.
	* src/global.c (_gcry_vcontrol): Handle new FIPS indicators.

2023-03-07  Jakub Jelen  <jjelen@redhat.com>

	kdf: Update tests in regards to the allowed parameters in FIPS mode.
	+ commit f5fe94810f3099c9ccc2ca3a5891502922ab0576
	* cipher/kdf.c (check_one): run selftests for more approved parameters
	and check that wrong parameters correctly fail in FIPS mode.

	fips: Check return value from ftell.
	+ commit 3fd3bb31597f80c76a94ea62e42d58d796beabf1
	* src/fips.c (get_file_offset): Check return value of ftell to be able
	  to detect errors.

	random: Remove unused SHA384 DRBGs.
	+ commit 45b80678109e5817b7cd15566a9d6c96b064b95f
	* random/random-drbg.c (global): Remove unused SHA384-based defines.
	(drbg_cores): Remove SHA384 configurations.
	(drbg_sec_strength): Remove unused SHA384.

	visibility: Check FIPS operational status for MD+Sign operation.
	+ commit 654d0dfa04993ebe28c0536d42f4bc6d87c28369
	* src/visibility.c (gcry_pk_hash_sign): Check fips status before
	calling the operation itself.
	(gcry_pk_hash_verify): Ditto.

	ecc: Make the PCT recoverable in FIPS mode and consistent with RSA.
	+ commit 23a2d1285e35b2eb91bb422609eb1c965c8a9bf6
	* cipher/ecc.c (test_keys_fips): Replace calls to log_fatal with
	return code on error.
	(ecc_generate): Signal error when PCT fails in FIPS mode.

	ecc: Do not allow skipping tests in FIPS Mode.
	+ commit 2ddeec574bc1ae90bb4242c4ce9ad9e7975a27bd
	* cipher/ecc.c (ecc_generate): Do not allow skipping tests PCT tests
	in FIPS mode.

2023-03-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ppc: use vector registers for key schedule calculations.
	+ commit 855f8c513d6db58cbc9d45f3e0bb2cee3ab5a189
	* cipher/rijndael-ppc.c (_gcry_aes_sbox4_ppc8): Remove.
	(bcast_u32_to_vec, u32_from_vec): New.
	(_gcry_aes_ppc8_setkey): Use vectors for round key calculation
	variables.

	Add PowerPC vector implementation of SM4.
	+ commit 0b2da804ee813eee22c386ba7f253415103b34ea
	* cipher/Makefile.am: Add 'sm4-ppc.c'.
	* cipher/sm4-ppc.c: New.
	* cipher/sm4.c (USE_PPC_CRYPTO): New.
	(SM4_context): Add 'use_ppc8le' and 'use_ppc9le'.
	[USE_PPC_CRYPTO] (_gcry_sm4_ppc8le_crypt_blk1_16)
	(_gcry_sm4_ppc9le_crypt_blk1_16, sm4_ppc8le_crypt_blk1_16)
	(sm4_ppc9le_crypt_blk1_16): New.
	(sm4_setkey) [USE_PPC_CRYPTO]: Set use_ppc8le and use_ppc9le
	based on HW features.
	(sm4_get_crypt_blk1_16_fn) [USE_PPC_CRYPTO]: Add PowerPC
	implementation selection.

2023-03-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-simd128: faster sbox filtering with uint8 right shift.
	+ commit 6c05c808e4e848964f67157e80f1835c5146e2bc
	* cipher/camellia-simd128.h (if_vpsrlb128)
	(if_not_vpsrlb128): New.
	(filter_8bit): Use 'vpsrlb128' when available on target
	architecture (PowerPC and AArch64).

	chacha20-ppc: do not generate p9 code when target attr unavailable.
	+ commit 652598096325c2478d7d033585dadc13bec6fb1d
	* cipher/chacha20-ppc.c (HAVE_FUNC_ATTR_TARGET): New.
	(_gcry_chacha20_ppc9_blocks1, _gcry_chacha20_ppc9_blocks4)
	(_gcry_chacha20_poly1305_ppc8_blocks4): Use inline functions
	only if HAVE_FUNC_ATTR_TARGET is defined.

2023-03-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix "'inline' is not at beginning of declaration" warnings.
	+ commit 0a5f7e9543a823034f6dd6dae2f647c4e213f213
	* cipher/chacha20-ppc.c (chacha20_ppc_blocks1)
	(chacha20_ppc_blocks4, chacha20_poly1305_ppc_blocks4): Move
	'ASM_FUNC_ATTR_INLINE' right after 'static'.
	* cipher/sha256-ppc.c (sha256_transform_ppc): Likewise.
	* cipher/sha512-ppc.c (sha512_transform_ppc): Likewise.

	Improve PPC target function attribute checks.
	+ commit 66bae697a853b21e0a2ff2a5031d23e3691a9084
	* configure.ac (gcry_cv_gcc_attribute_ppc_target)
	(gcry_cv_clang_attribute_ppc_target): Add 'always_inline'
	function to test.

2023-02-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia: add AArch64 crypto-extension implementation.
	+ commit 898c857206ada06d70c5f46ac5adaa9d7058e672
	* cipher/Makefile.am: Add 'camellia-aarch64-ce.(c|o|lo)'.
	(aarch64_neon_cflags): New.
	* cipher/camellia-aarch64-ce.c: New.
	* cipher/camellia-glue.c (USE_AARCH64_CE): New.
	(CAMELLIA_context): Add 'use_aarch64ce'.
	(_gcry_camellia_aarch64ce_encrypt_blk16)
	(_gcry_camellia_aarch64ce_decrypt_blk16)
	(_gcry_camellia_aarch64ce_keygen, camellia_aarch64ce_enc_blk16)
	(camellia_aarch64ce_dec_blk16, aarch64ce_burn_stack_depth): New.
	(camellia_setkey) [USE_AARCH64_CE]: Set use_aarch64ce if HW has
	HWF_ARM_AES; Use AArch64/CE key generation if supported by HW.
	(camellia_encrypt_blk1_32, camellia_decrypt_blk1_32)
	[USE_AARCH64_CE]: Add AArch64/CE code path.

	camellia: add POWER8/POWER9 vcrypto implementation.
	+ commit 6fa11d8b7070eb7c4c296c879213c9596bd00b1c
	* cipher/Makefile.am: Add 'camellia-simd128.h',
	'camellia-ppc8le.c' and 'camellia-ppc9le.c'.
	* cipher/camellia-glue.c (USE_PPC_CRYPTO): New.
	(CAMELLIA_context) [USE_PPC_CRYPTO]: Add 'use_ppc', 'use_ppc8'
	and 'use_ppc9'.
	[USE_PPC_CRYPTO] (_gcry_camellia_ppc8_encrypt_blk16)
	(_gcry_camellia_ppc8_decrypt_blk16, _gcry_camellia_ppc8_keygen)
	(_gcry_camellia_ppc9_encrypt_blk16)
	(_gcry_camellia_ppc9_decrypt_blk16, _gcry_camellia_ppc9_keygen)
	(camellia_ppc_enc_blk16, camellia_ppc_dec_blk16)
	(ppc_burn_stack_depth): New.
	(camellia_setkey) [USE_PPC_CRYPTO]: Setup 'use_ppc', 'use_ppc8'
	and 'use_ppc9' and use PPC key-generation if HWF is available.
	(camellia_encrypt_blk1_32)
	(camellia_decrypt_blk1_32) [USE_PPC_CRYPTO]: Add 'use_ppc' paths.
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Enable
	generic bulk path when USE_PPC_CRYPTO is defined.
	* cipher/camellia-ppc8le.c: New.
	* cipher/camellia-ppc9le.c: New.
	* cipher/camellia-simd128.h: New.
	* configure.ac: Add 'camellia-ppc8le.lo' and 'camellia-ppc9le.lo'.

2023-02-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aes-amd64-vaes: fix fast exit path in XTS function.
	+ commit 0d42d9674458a22cfccec419f4c358d743c5effb
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_xts_crypt_amd64): On fast exit path, compare
	number of blocks left against '1' instead of '0' as following
	branch is 'less than'.

	ppc: add support for clang target attribute.
	+ commit 937a76a34540bd2558f5b34a98fbe53227000646
	* configure.ac (gcry_cv_clang_attribute_ppc_target): New.
	* cipher/chacha20-ppc.c [HAVE_CLANG_ATTRIBUTE_PPC_TARGET]
	(FUNC_ATTR_TARGET_P8, FUNC_ATTR_TARGET_P9): New.
	* cipher/rijndael-ppc.c [HAVE_CLANG_ATTRIBUTE_PPC_TARGET]
	(FPC_OPT_ATTR): New.
	* cipher/rijndael-ppc9le.c [HAVE_CLANG_ATTRIBUTE_PPC_TARGET]
	(FPC_OPT_ATTR): New.
	* cipher/sha256-ppc.c [HAVE_CLANG_ATTRIBUTE_PPC_TARGET]
	(FUNC_ATTR_TARGET_P8, FUNC_ATTR_TARGET_P9): New.
	* cipher/sha512-ppc.c [HAVE_CLANG_ATTRIBUTE_PPC_TARGET]
	(FUNC_ATTR_TARGET_P8, FUNC_ATTR_TARGET_P9): New.
	(ror64): Remove unused function.

	chacha20-ppc: use target and optimize attributes for P8 and P9.
	+ commit f3d1d4a8c9f0df107a57e2cd3699253766d6e45a
	* cipher/chacha20-ppc.c (_gcry_chacha20_ppc8_blocks1): Rename to...
	(chacha20_ppc_blocks1): ...this; Add 'always inline' attribute.
	(_gcry_chacha20_ppc8_blocks4): Rename to...
	(chacha20_ppc_blocks4): ...this; Add 'always inline' attribute.
	(_gcry_chacha20_poly1305_ppc8_blocks4): Rename to...
	(chacha20_poly1305_ppc_blocks4): ...this; Add 'always inline'
	attribute.
	(FUNC_ATTR_OPT_O2, FUNC_ATTR_TARGET_P8, FUNC_ATTR_TARGET_P9): New.
	(_gcry_chacha20_ppc8_blocks1, _gcry_chacha20_ppc8_blocks4)
	(_gcry_chacha20_poly1305_ppc8_blocks4): New.
	(_gcry_chacha20_ppc9_blocks1, _gcry_chacha20_ppc9_blocks4)
	(_gcry_chacha20_poly1305_ppc9_blocks4): New.
	* cipher/chacha20.c (CHACHA20_context_t): Add 'use_p9'.
	(_gcry_chacha20_ppc9_blocks1, _gcry_chacha20_ppc9_blocks4)
	(_gcry_chacha20_poly1305_ppc9_blocks4): New.
	(chacha20_do_setkey): Set 'use_p9' if HW has HWF_PPC_ARCH_3_00.
	(chacha20_blocks, do_chacha20_encrypt_stream_tail)
	(_gcry_chacha20_poly1305_encrypt)
	(_gcry_chacha20_poly1305_decrypt) [USE_PPC_VEC]: Add 'use_p9' paths.

	aes-ppc: use target and optimize attributes for P8 and P9.
	+ commit 100063cf4e1ca3350f05a343d8fa0ccf305debb1
	* cipher/rijndael-ppc-functions.h: Add PPC_OPT_ATTR attribute
	macro for all functions.
	* cipher/rijndael-ppc.c (FUNC_ATTR_OPT, PPC_OPT_ATTR): New.
	(_gcry_aes_ppc8_setkey, _gcry_aes_ppc8_prepare_decryption): Add
	PPC_OPT_ATTR attribute macro.
	* cipher/rijndael-ppc9le.c (FUNC_ATTR_OPT, PPC_OPT_ATTR): New.

	aes-ppc: add CTR32LE bulk acceleration.
	+ commit 84f2e2d0b51b7b3e75d96d8188ae6a8d8174542b
	* cipher/rijndael-ppc-functions.h (CTR32LE_ENC_FUNC): New.
	* cipher/rijndael-ppc.c (_gcry_aes_ppc8_ctr32le_enc): New.
	* cipher/rijndael-ppc9le.c (_gcry_aes_ppc9le_ctr32le_enc): New.
	* cipher/rijndael.c (_gcry_aes_ppc8_ctr32le_enc)
	(_gcry_aes_ppc9le_ctr32le_enc): New.
	(do_setkey): Setup _gcry_aes_ppc8_ctr32le_enc for POWER8 and
	_gcry_aes_ppc9le_ctr32le_enc for POWER9.

	aes-ppc: add ECB bulk acceleration for benchmarking purposes.
	+ commit a7ebf9d52e67015c0ae175c0a9bbff9da9fe6f32
	* cipher/rijndael-ppc-functions.h (ECB_CRYPT_FUNC): New.
	* cipher/rijndael-ppc.c (_gcry_aes_ppc8_ecb_crypt): New.
	* cipher/rijndael-ppc9le.c (_gcry_aes_ppc9le_ecb_crypt): New.
	* cipher/rijndael.c (_gcry_aes_ppc8_ecb_crypt)
	(_gcry_aes_ppc9le_ecb_crypt): New.
	(do_setkey): Set up _gcry_aes_ppc8_ecb_crypt for POWER8 and
	_gcry_aes_ppc9le_ecb_crypt for POWER9.

	sha2-ppc: better optimization for POWER9.
	+ commit 161614ecc1c20d94a8599888524b1d1fd0eb2754
	* cipher/sha256-ppc.c: Change to use vector registers, generate
	POWER8 and POWER9 from same code with help of 'target' and
	'optimize' attribute.
	* cipher/sha512-ppc.c: Likewise.
	* configure.ac (gcry_cv_gcc_attribute_optimize)
	(gcry_cv_gcc_attribute_ppc_target): New.

2023-02-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-aesni-avx: speed up for round key broadcasting.
	+ commit dd4cb5d75c8e4e666db4352d999b2111b9ddb80d
	* cipher/camellia-aesni-avx2-amd64.h (roundsm16, fls16): Broadcast
	round key bytes directly with 'vpshufb'.

	camellia-avx2: speed up for round key broadcasting.
	+ commit b9a9755742c7bf7ca8c007d33f98aaa076a382c7
	* cipher/camellia-aesni-avx2-amd64.h (roundsm32, fls32): Use
	'vpbroadcastb' for loading round key.
	* cipher/camellia-glue.c (camellia_encrypt_blk1_32)
	(camellia_decrypt_blk1_32): Adjust num_blks thresholds for AVX2
	implementations, 2 blks for GFNI, 4 blks for VAES and 5 blks for AESNI.

	camellia-gfni-avx512: speed up for round key broadcasting.
	+ commit a4c22331f57d23832ddd019ac3108b5fa3dd942b
	* cipher/camellia-gfni-avx512-amd64.S (roundsm64, fls64): Use
	'vpbroadcastb' for loading round key.

	camellia-avx2: add fast path for full 32 block ECB input.
	+ commit 5f25ad09fdb5eb5f83f7cc4cefe79bbeab29fec8
	* cipher/camellia-aesni-avx2-amd64.h (enc_blk1_32, dec_blk1_32): Add
	fast path for 32 block input.

	camellia: add CTR-mode byte addition for AVX/AVX2/AVX512 impl.
	+ commit 87ae2a660d59751ddd7da40da05cfaee73f35ea7
	* cipher/camellia-aesni-avx-amd64.S
	(_gcry_camellia_aesni_avx_ctr_enc): Add byte addition fast-path.
	* cipher/camellia-aesni-avx2-amd64.h (ctr_enc): Likewise.
	* cipher/camellia-gfni-avx512-amd64.S
	(_gcry_camellia_gfni_avx512_ctr_enc): Likewise.
	* cipher/camellia-glue.c (CAMELLIA_context): Add 'use_avx2'.
	(camellia_setkey, _gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
	(_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth) [USE_AESNI_AVX2]: Use 'use_avx2' to check
	if any of the AVX2 implementations is enabled.

	camellia-aesni-avx: add acceleration for ECB/XTS/CTR32LE modes.
	+ commit 926cc22058a39c7a931e14590eab6fd7a78ba455
	* cipher/camellia-aesni-avx-amd64.S (_gcry_camellia_aesni_avx_ecb_enc)
	(_gcry_camellia_aesni_avx_ecb_dec): New.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ecb_enc)
	(_gcry_camellia_aesni_avx_ecb_dec): New.
	(camellia_setkey): Always enable XTS/ECB/CTR32LE bulk functions.
	(camellia_encrypt_blk1_32, camellia_decrypt_blk1_32)
	[USE_AESNI_AVX]: Add AESNI/AVX code-path.

	sm4: add CTR-mode byte addition for AVX/AVX2/AVX512 implementations.
	+ commit 978b02fca682c9ecb71e30cdeeb6922fc8331f6e
	* cipher/sm4-aesni-avx-amd64.S
	(_gcry_sm4_aesni_avx_ctr_enc): Add byte addition fast-path.
	* cipher/sm4-aesni-avx2-amd64.S
	(_gcry_sm4_aesni_avx2_ctr_enc): Likewise.
	* cipher/sm4-gfni-avx2-amd64.S
	(_gcry_sm4_gfni_avx2_ctr_enc): Likewise.
	* cipher/sm4-gfni-avx512-amd64.S
	(_gcry_sm4_gfni_avx512_ctr_enc)
	(_gcry_sm4_gfni_avx512_ctr_enc_blk32): Likewise.

	aes-vaes-avx2: improve case when only CTR needs carry handling.
	+ commit 8f7f5a9fc63968304bacedbc2f22b9f7188bbd53
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_ctr_enc_amd64): Add handling for the case when
	only main counter needs carry handling but generated vector counters
	do not.

	aria-avx2: add VAES accelerated implementation.
	+ commit caf402e9b41fff6cf39b914b088ea1e5f8fd3bd1
	* cipher/aria-aesni-avx2-amd64.S (CONFIG_AS_VAES): New.
	[CONFIG_AS_VAES]: Add VAES accelerated assembly macros and functions.
	* cipher/aria.c (USE_VAES_AVX2): New.
	(ARIA_context): Add 'use_vaes_avx2'.
	(_gcry_aria_vaes_avx2_ecb_crypt_blk32)
	(_gcry_aria_vaes_avx2_ctr_crypt_blk32)
	(aria_avx2_ecb_crypt_blk32, aria_avx2_ctr_crypt_blk32): Add VAES/AVX2
	code paths.
	(aria_setkey): Enable VAES/AVX2 implementation based on HW features.

	aria-avx512: small optimization for aria_diff_m.
	+ commit f359a3ec7e845aa446836bd47994fe18d6d41e08
	* cipher/aria-gfni-avx512-amd64.S (aria_diff_m): Use 'vpternlogq' for
	3-way XOR operation.
	---

	Using vpternlogq gives small performance improvement on AMD Zen4. With
	Intel tiger-lake speed is the same as before.

	Benchmark on AMD Ryzen 9 7900X (zen4, turbo-freq off):

	Before:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.203 ns/B      4703 MiB/s     0.953 c/B      4700
	        ECB dec |     0.204 ns/B      4675 MiB/s     0.959 c/B      4700
	        CTR enc |     0.207 ns/B      4609 MiB/s     0.973 c/B      4700
	        CTR dec |     0.207 ns/B      4608 MiB/s     0.973 c/B      4700

	After (~3% faster):
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.197 ns/B      4847 MiB/s     0.925 c/B      4700
	        ECB dec |     0.197 ns/B      4852 MiB/s     0.924 c/B      4700
	        CTR enc |     0.200 ns/B      4759 MiB/s     0.942 c/B      4700
	        CTR dec |     0.200 ns/B      4772 MiB/s     0.939 c/B      4700

	Cc: Taehee Yoo <ap420073@gmail.com>

	aria-avx: small optimization for aria_ark_8way.
	+ commit 855f1551fd921ced652dc0c3c03601dfcd063f1c
	* cipher/aria-aesni-avx-amd64.S (aria_ark_8way): Use 'vmovd' for
	loading key material and 'vpshufb' for broadcasting from byte
	locations 3, 2, 1 and 0.

	aria: add x86_64 GFNI/AVX512 accelerated implementation.
	+ commit 45351e6474cbbe5baaa4c488222610edc417176e
	* cipher/Makefile.am: Add 'aria-gfni-avx512-amd64.S'.
	* cipher/aria-gfni-avx512-amd64.S: New.
	* cipher/aria.c (USE_GFNI_AVX512): New.
	[USE_GFNI_AVX512] (MAX_PARALLEL_BLKS): New.
	(ARIA_context): Add 'use_gfni_avx512'.
	(_gcry_aria_gfni_avx512_ecb_crypt_blk64)
	(_gcry_aria_gfni_avx512_ctr_crypt_blk64)
	(aria_gfni_avx512_ecb_crypt_blk64)
	(aria_gfni_avx512_ctr_crypt_blk64): New.
	(aria_crypt_blocks) [USE_GFNI_AVX512]: Add 64 parallel block
	AVX512/GFNI processing.
	(_gcry_aria_ctr_enc) [USE_GFNI_AVX512]: Add 64 parallel block
	AVX512/GFNI processing.
	(aria_setkey): Enable GFNI/AVX512 based on HW features.
	* configure.ac: Add 'aria-gfni-avx512-amd64.lo'.

	aria: add x86_64 AESNI/GFNI/AVX/AVX2 accelerated implementations.
	+ commit f4268a8f51a89a7c0374a23f669d7a19cad304ae
	* cipher/Makefile.am: Add 'aria-aesni-avx-amd64.S' and
	'aria-aesni-avx2-amd64.S'.
	* cipher/aria-aesni-avx-amd64.S: New.
	* cipher/aria-aesni-avx2-amd64.S: New.
	* cipher/aria.c (USE_AESNI_AVX, USE_GFNI_AVX, USE_AESNI_AVX2)
	(USE_GFNI_AVX2, MAX_PARALLEL_BLKS, ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(ARIA_context): Add 'use_aesni_avx', 'use_gfni_avx',
	'use_aesni_avx2' and 'use_gfni_avx2'.
	(_gcry_aria_aesni_avx_ecb_crypt_blk1_16)
	(_gcry_aria_aesni_avx_ctr_crypt_blk16)
	(_gcry_aria_gfni_avx_ecb_crypt_blk1_16)
	(_gcry_aria_gfni_avx_ctr_crypt_blk16)
	(aria_avx_ecb_crypt_blk1_16, aria_avx_ctr_crypt_blk16)
	(_gcry_aria_aesni_avx2_ecb_crypt_blk32)
	(_gcry_aria_aesni_avx2_ctr_crypt_blk32)
	(_gcry_aria_gfni_avx2_ecb_crypt_blk32)
	(_gcry_aria_gfni_avx2_ctr_crypt_blk32)
	(aria_avx2_ecb_crypt_blk32, aria_avx2_ctr_crypt_blk32): New.
	(aria_crypt_blocks) [USE_AESNI_AVX2]: Add 32 parallel block
	AVX2/AESNI/GFNI processing.
	(aria_crypt_blocks) [USE_AESNI_AVX]: Add 3 to 16 parallel block
	AVX/AESNI/GFNI processing.
	(_gcry_aria_ctr_enc) [USE_AESNI_AVX2]: Add 32 parallel block
	AVX2/AESNI/GFNI processing.
	(_gcry_aria_ctr_enc) [USE_AESNI_AVX]: Add 16 parallel block
	AVX/AESNI/GFNI processing.
	(_gcry_aria_ctr_enc, _gcry_aria_cbc_dec, _gcry_aria_cfb_enc)
	(_gcry_aria_ecb_crypt, _gcry_aria_xts_crypt, _gcry_aria_ctr32le_enc)
	(_gcry_aria_ocb_crypt, _gcry_aria_ocb_auth): Use MAX_PARALLEL_BLKS
	for parallel processing width.
	(aria_setkey): Enable AESNI/AVX, GFNI/AVX, AESNI/AVX2, GFNI/AVX2 based
	on HW features.
	* configure.ac: Add 'aria-aesni-avx-amd64.lo' and
	'aria-aesni-avx2-amd64.lo'.
	---

	This patch adds AVX/AVX2/AESNI/GFNI accelerated ARIA block cipher
	implementations for libgcrypt. This implementation is based on work
	by Taehee Yoo, with following notable changes:
	 - Integration to libgcrypt, use of 'aes-common-amd64.h'.
	 - Use 'vmovddup' for loading GFNI constants.
	 - Use round loop instead of unrolling for smaller code size and
	   increased performance.
	 - Use stack for temporary storage instead of external buffers.
	 - Use merge ECB encryption/decryption to single function.
	 - Add 1 to 15 blocks support for AVX ECB functions.
	 - Add byte-addition fast path for CTR.

	===

	Benchmark on AMD Ryzen 9 7900X (zen4, turbo-freq off):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.715 ns/B      1333 MiB/s      3.36 c/B      4700
	        ECB dec |     0.712 ns/B      1339 MiB/s      3.35 c/B      4700
	        CTR enc |     0.714 ns/B      1336 MiB/s      3.36 c/B      4700
	        CTR dec |     0.714 ns/B      1335 MiB/s      3.36 c/B      4700

	 GFNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.516 ns/B      1847 MiB/s      2.43 c/B      4700
	        ECB dec |     0.519 ns/B      1839 MiB/s      2.44 c/B      4700
	        CTR enc |     0.517 ns/B      1846 MiB/s      2.43 c/B      4700
	        CTR dec |     0.518 ns/B      1843 MiB/s      2.43 c/B      4700

	 AESNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.416 ns/B      2292 MiB/s      1.96 c/B      4700
	        ECB dec |     0.421 ns/B      2266 MiB/s      1.98 c/B      4700
	        CTR enc |     0.415 ns/B      2298 MiB/s      1.95 c/B      4700
	        CTR dec |     0.415 ns/B      2300 MiB/s      1.95 c/B      4700

	 GFNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.235 ns/B      4056 MiB/s      1.11 c/B      4700
	        ECB dec |     0.234 ns/B      4079 MiB/s      1.10 c/B      4700
	        CTR enc |     0.232 ns/B      4104 MiB/s      1.09 c/B      4700
	        CTR dec |     0.233 ns/B      4094 MiB/s      1.10 c/B      4700

	===

	Benchmark on Intel Core i3-1115G4 (tiger-lake, turbo-freq off):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |      1.26 ns/B     757.6 MiB/s      3.77 c/B      2993
	        ECB dec |      1.27 ns/B     753.1 MiB/s      3.79 c/B      2992
	        CTR enc |      1.25 ns/B     760.3 MiB/s      3.75 c/B      2992
	        CTR dec |      1.26 ns/B     759.1 MiB/s      3.76 c/B      2992

	 GFNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.967 ns/B     986.6 MiB/s      2.89 c/B      2992
	        ECB dec |     0.966 ns/B     987.1 MiB/s      2.89 c/B      2992
	        CTR enc |     0.972 ns/B     980.8 MiB/s      2.91 c/B      2993
	        CTR dec |     0.971 ns/B     982.5 MiB/s      2.90 c/B      2993

	 AESNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.817 ns/B      1167 MiB/s      2.44 c/B      2992
	        ECB dec |     0.819 ns/B      1164 MiB/s      2.45 c/B      2992
	        CTR enc |     0.819 ns/B      1164 MiB/s      2.45 c/B      2992
	        CTR dec |     0.819 ns/B      1164 MiB/s      2.45 c/B      2992

	 GFNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.506 ns/B      1886 MiB/s      1.51 c/B      2992
	        ECB dec |     0.505 ns/B      1887 MiB/s      1.51 c/B      2992
	        CTR enc |     0.564 ns/B      1691 MiB/s      1.69 c/B      2992
	        CTR dec |     0.565 ns/B      1689 MiB/s      1.69 c/B      2992

	===

	Benchmark on AMD Ryzen 7 5800X (zen3, turbo-freq off):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.921 ns/B      1035 MiB/s      3.50 c/B      3800
	        ECB dec |     0.922 ns/B      1034 MiB/s      3.50 c/B      3800
	        CTR enc |     0.923 ns/B      1033 MiB/s      3.51 c/B      3800
	        CTR dec |     0.923 ns/B      1033 MiB/s      3.51 c/B      3800

	 AESNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.559 ns/B      1707 MiB/s      2.12 c/B      3800
	        ECB dec |     0.560 ns/B      1703 MiB/s      2.13 c/B      3800
	        CTR enc |     0.570 ns/B      1672 MiB/s      2.17 c/B      3800
	        CTR dec |     0.568 ns/B      1679 MiB/s      2.16 c/B      3800

	===

	Benchmark on AMD EPYC 7642 (zen2):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |      1.22 ns/B     784.5 MiB/s      4.01 c/B      3298
	        ECB dec |      1.22 ns/B     784.8 MiB/s      4.00 c/B      3292
	        CTR enc |      1.22 ns/B     780.1 MiB/s      4.03 c/B      3299
	        CTR dec |      1.22 ns/B     779.1 MiB/s      4.04 c/B      3299

	 AESNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.735 ns/B      1298 MiB/s      2.42 c/B      3299
	        ECB dec |     0.738 ns/B      1292 MiB/s      2.44 c/B      3299
	        CTR enc |     0.732 ns/B      1303 MiB/s      2.41 c/B      3299
	        CTR dec |     0.732 ns/B      1303 MiB/s      2.41 c/B      3299

	===

	Benchmark on Intel Core i5-6500 (skylake):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |      1.24 ns/B     766.6 MiB/s      4.48 c/B      3598
	        ECB dec |      1.25 ns/B     764.9 MiB/s      4.49 c/B      3598
	        CTR enc |      1.25 ns/B     761.7 MiB/s      4.50 c/B      3598
	        CTR dec |      1.25 ns/B     761.6 MiB/s      4.51 c/B      3598

	 AESNI/AVX2:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |     0.829 ns/B      1150 MiB/s      2.98 c/B      3599
	        ECB dec |     0.831 ns/B      1147 MiB/s      2.99 c/B      3598
	        CTR enc |     0.829 ns/B      1150 MiB/s      2.98 c/B      3598
	        CTR dec |     0.828 ns/B      1152 MiB/s      2.98 c/B      3598

	===

	Benchmark on Intel Core i5-2450M (sandy-bridge, turbo-freq off):

	 AESNI/AVX:
	 ARIA128        |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        ECB enc |      2.11 ns/B     452.7 MiB/s      5.25 c/B      2494
	        ECB dec |      2.10 ns/B     454.5 MiB/s      5.23 c/B      2494
	        CTR enc |      2.10 ns/B     453.2 MiB/s      5.25 c/B      2494
	        CTR dec |      2.10 ns/B     453.2 MiB/s      5.25 c/B      2494

	[v2]
	 - Optimization for CTR mode: Use CTR byte-addition path when
	   counter carry-overflow happen only on ctr-variable but not in
	   generated counter vector registers.

	Cc: Taehee Yoo <ap420073@gmail.com>

2023-01-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	asm-common-aarch64: fix read-only section for Windows target.
	+ commit 833a904faf2b90a1b1d1b58e1e9a12f2e8e2378c
	* cipher/asm-common-aarch64.h (SECTION_RODATA): Use .rdata for
	_WIN32.

2023-01-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aarch64-asm: align functions to 16 bytes.
	+ commit 6f8e750c42ffd34900fad30540e92e382111d567
	* cipher/camellia-aarch64.S: Align functions to 16 bytes.
	* cipher/chacha20-aarch64.S: Likewise.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Likewise.
	* cipher/crc-armv8-aarch64-ce.S: Likewise.
	* cipher/rijndael-aarch64.S: Likewise.
	* cipher/rijndael-armv8-aarch64-ce.S: Likewise.
	* cipher/sha1-armv8-aarch64-ce.S: Likewise.
	* cipher/sha256-armv8-aarch64-ce.S: Likewise.
	* cipher/sha512-armv8-aarch64-ce.S: Likewise.
	* cipher/sm3-aarch64.S: Likewise.
	* cipher/sm3-armv8-aarch64-ce.S: Likewise.
	* cipher/sm4-aarch64.S: Likewise.
	* cipher/sm4-armv8-aarch64-ce.S: Likewise.
	* cipher/sm4-armv9-aarch64-sve-ce.S: Likewise.
	* cipher/twofish-aarch64.S: Likewise.
	* mpi/aarch64/mpih-add1.S: Likewise.
	* mpi/aarch64/mpih-mul1.S: Likewise.
	* mpi/aarch64/mpih-mul2.S: Likewise.
	* mpi/aarch64/mpih-mul3.S: Likewise.
	* mpi/aarch64/mpih-sub1.S: Likewise.

	aarch64-asm: move constant data to read-only section.
	+ commit b3d7d520a0aab8b3356749fa4765a7f1f5c676d6
	* cipher/asm-common-aarch64.h (SECTION_RODATA)
	(GET_DATA_POINTER): New.
	(GET_LOCAL_POINTER): Remove.
	* cipher/camellia-aarch64.S: Move constant data to read-only data
	section; Remove unneeded '.ltorg'.
	* cipher/chacha20-aarch64.S: Likewise.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Likewise.
	* cipher/crc-armv8-aarch64-ce.S: Likewise.
	* cipher/rijndael-aarch64.S: Likewise.
	* cipher/sha1-armv8-aarch64-ce.S: Likewise.
	* cipher/sha256-armv8-aarch64-ce.S: Likewise.
	* cipher/sm3-aarch64.S: Likewise.
	* cipher/sm3-armv8-aarch64-ce.S: Likewise.
	* cipher/sm4-aarch64.S: Likewise.
	* cipher/sm4-armv9-aarch64-sve-ce.S: Likewise.
	* cipher/twofish-aarch64.S: Likewise.

	s390x-asm: move constant data to read-only section.
	+ commit 65f52773d4bb59a4ea4b7e373fe79b3559ddf312
	* cipher/chacha20-s390x.S: Move constant data to read-only
	section; Align functions to 16 bytes.
	* cipher/poly1305-s390x.S: Likewise.

	powerpc-asm: move constant data to read-only section.
	+ commit d0a109148b799e6ba24bb0e030009e5ac3eaf5dc
	* cipher/chacha20-p10le-8x.s: Move constant data to read-only
	section.

	mpi/amd64: align functions and inner loops to 16 bytes.
	+ commit 12ad3ea6b49b12ba7ca44bc77e4e87025a6fd095
	* mpi/amd64/mpih-add1.S: Align function and inner loop to 16 bytes.
	* mpi/amd64/mpih-lshift.S: Likewise.
	* mpi/amd64/mpih-mul1.S: Likewise.
	* mpi/amd64/mpih-mul2.S: Likewise.
	* mpi/amd64/mpih-mul3.S: Likewise.
	* mpi/amd64/mpih-rshift.S: Likewise.
	* mpi/amd64/mpih-sub1.S: Likewise.

	amd64-asm: move constant data to read-only section for cipher algos.
	+ commit 208b1f3a7bd8709889aa566ff030bcff57ce1cfd
	* cipher/camellia-aesni-avx-amd64.S: Move constant data to
	read-only section.
	* cipher/camellia-aesni-avx2-amd64.h: Likewise.
	* cipher/camellia-gfni-avx512-amd64.S: Likewise.
	* cipher/chacha20-amd64-avx2.S: Likewise.
	* cipher/chacha20-amd64-avx512.S: Likewise.
	* cipher/chacha20-amd64-ssse3.S: Likewise.
	* cipher/des-amd64.s: Likewise.
	* cipher/rijndael-ssse3-amd64-asm.S: Likewise.
	* cipher/rijndael-vaes-avx2-amd64.S: Likewise.
	* cipher/serpent-avx2-amd64.S: Likewise.
	* cipher/sm4-aesni-avx-amd64.S: Likewise.
	* cipher/sm4-aesni-avx2-amd64.S: Likewise.
	* cipher/sm4-gfni-avx2-amd64.S: Likewise.
	* cipher/sm4-gfni-avx512-amd64.S: Likewise.
	* cipher/twofish-avx2-amd64.S: Likewise.

	amd64-asm: align functions to 16 bytes for cipher algos.
	+ commit 9d62c54de2b0cd3b1849a27f8998e1f0d43f1583
	* cipher/blowfish-amd64.S: Align functions to 16 bytes.
	* cipher/camellia-aesni-avx-amd64.S: Likewise.
	* cipher/camellia-aesni-avx2-amd64.h: Likewise.
	* cipher/camellia-gfni-avx512-amd64.S: Likewise.
	* cipher/cast5-amd64.S: Likewise.
	* cipher/chacha20-amd64-avx2.S: Likewise.
	* cipher/chacha20-amd64-ssse3.S: Likewise.
	* cipher/des-amd64.s: Likewise.
	* cipher/rijndael-amd64.S: Likewise.
	* cipher/rijndael-ssse3-amd64-asm.S: Likewise.
	* cipher/salsa20-amd64.S: Likewise.
	* cipher/serpent-avx2-amd64.S: Likewise.
	* cipher/serpent-sse2-amd64.S: Likewise.
	* cipher/sm4-aesni-avx-amd64.S: Likewise.
	* cipher/sm4-aesni-avx2-amd64.S: Likewise.
	* cipher/sm4-gfni-avx2-amd64.S: Likewise.
	* cipher/twofish-amd64.S: Likewise.
	* cipher/twofish-avx2-amd64.S: Likewise.

	amd64-asm: move constant data to read-only section for hash/mac algos.
	+ commit 14137d685cf8d779ac4656b64b7d5adcdcf90e3a
	* cipher/asm-common-amd64.h (SECTION_RODATA): New.
	* cipher/blake2b-amd64-avx2.S: Use read-only section for constant
	data.
	* cipher/blake2b-amd64-avx512.S: Likewise.
	* cipher/blake2s-amd64-avx.S: Likewise.
	* cipher/blake2s-amd64-avx512.S: Likewise.
	* cipher/poly1305-amd64-avx512.S: Likewise.
	* cipher/sha1-avx-amd64.S: Likewise.
	* cipher/sha1-avx-bmi2-amd64.S: Likewise.
	* cipher/sha1-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha1-ssse3-amd64.S: Likewise.
	* cipher/sha256-avx-amd64.S: Likewise.
	* cipher/sha256-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha256-ssse3-amd64.S: Likewise.
	* cipher/sha512-avx-amd64.S: Likewise.
	* cipher/sha512-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha512-avx512-amd64.S: Likewise.
	* cipher/sha512-ssse3-amd64.S: Likewise.
	* cipher/sha3-avx-bmi2-amd64.S: Likewise.

2023-01-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/bench-slope: skip CPU warm-up in regression tests.
	+ commit ec57b50bc60a6a5cc98249e2607b4e31bdcba553
	* tests/bench-slope.c (warm_up_cpu): Skip in regression tests.

	tests/basic: perform x86 vector cluttering only when __SSE2__ is set.
	+ commit 308a70ac9907de136fae86db40ebe25c904167a2
	* tests/basic.c (CLUTTER_VECTOR_REGISTER_AMD64)
	(CLUTTER_VECTOR_REGISTER_I386): Set only if __SSE2__ defined.
	(clutter_vector_registers) [CLUTTER_VECTOR_REGISTER_AMD64]: Remove
	__SSE2__ check for "xmm" clobbers.
	(clutter_vector_registers) [CLUTTER_VECTOR_REGISTER_I386]: Likewise.

	tests/basic: fix clutter vector register asm for amd64 and i386.
	+ commit 1a758b08bba09a7bba72b764d4f7c6c7c8f08cf1
	* tests/basic.c (clutter_vector_registers): Pass data pointers through
	single register for CLUTTER_VECTOR_REGISTER_AMD64 and
	CLUTTER_VECTOR_REGISTER_I386 as compiler might attempt to allocate
	separate pointer register for each "m" operator.

	avx512: tweak zmm16-zmm31 register clearing.
	+ commit 7de2fb66e065a97f121bd16ab37efba32983a6bd
	* cipher/asm-common-amd64.h (spec_stop_avx512): Clear ymm16
	before and after vpopcntb.
	* cipher/camellia-gfni-avx512-amd64.S (clear_zmm16_zmm31): Clear
	YMM16-YMM31 registers instead of XMM16-XMM31.
	* cipher/chacha20-amd64-avx512.S (clear_zmm16_zmm31): Likewise.
	* cipher/keccak-amd64-avx512.S (clear_regs): Likewise.
	(clear_avx512_4regs): Clear all 4 registers with XOR.
	* cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
	(_gcry_polyval_intel_pclmul): Clear YMM16-YMM19 registers instead of
	ZMM16-ZMM19.
	* cipher/poly1305-amd64-avx512.S (POLY1305_BLOCKS): Clear YMM16-YMM31
	registers after vector processing instead of XMM16-XMM31.
	* cipher/sha512-avx512-amd64.S
	(_gcry_sha512_transform_amd64_avx512): Likewise.

2023-01-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aria: add generic 2-way bulk processing.
	+ commit 5e1a04f77933a8295df69d818e9effc076dc68cd
	* cipher/aria.c (ARIA_context): Add 'bulk_prefetch_ready'.
	(aria_crypt_2blks, aria_crypt_blocks, aria_enc_blocks, aria_dec_blocks)
	(_gcry_aria_ctr_enc, _gcry_aria_cbc_enc, _gcry_aria_cbc_dec)
	(_gcry_aria_cfb_enc, _gcry_aria_cfb_dec, _gcry_aria_ecb_crypt)
	(_gcry_aria_xts_crypt, _gcry_aria_ctr32le_enc, _gcry_aria_ocb_crypt)
	(_gcry_aria_ocb_auth): New.
	(aria_setkey): Setup 'bulk_ops' function pointers.

	Add ARIA block cipher.
	+ commit 316c6d7715d931a0fbe3ebc4e20e6f4d77b716cb
	* cipher/Makefile.am: Add 'aria.c'.
	* cipher/aria.c: New.
	* cipher/cipher.c (cipher_list, cipher_list_algo301): Add ARIA cipher
	specs.
	* cipher/mac-cmac.c (map_mac_algo_to_cipher): Add GCRY_MAC_CMAC_ARIA.
	(_gcry_mac_type_spec_cmac_aria): New.
	* cipher/mac-gmac.c (map_mac_algo_to_cipher): Add GCRY_MAC_GMAC_ARIA.
	(_gcry_mac_type_spec_gmac_aria): New.
	* cipher/mac-internal.h (_gcry_mac_type_spec_cmac_aria)
	(_gcry_mac_type_spec_gmac_aria)
	(_gcry_mac_type_spec_poly1305mac_aria): New.
	* cipher/mac-poly1305.c (poly1305mac_open): Add GCRY_MAC_GMAC_ARIA.
	(_gcry_mac_type_spec_poly1305mac_aria): New.
	* cipher/mac.c (mac_list, mac_list_algo201, mac_list_algo401)
	(mac_list_algo501): Add ARIA MAC specs.
	* configure.ac (available_ciphers): Add 'aria'.
	(GCRYPT_CIPHERS): Add 'aria.lo'.
	(USE_ARIA): New.
	* doc/gcrypt.texi: Add GCRY_CIPHER_ARIA128, GCRY_CIPHER_ARIA192,
	GCRY_CIPHER_ARIA256, GCRY_MAC_CMAC_ARIA, GCRY_MAC_GMAC_ARIA and
	GCRY_MAC_POLY1305_ARIA.
	* src/cipher.h (_gcry_cipher_spec_aria128, _gcry_cipher_spec_aria192)
	(_gcry_cipher_spec_aria256): New.
	* src/gcrypt.h.in (gcry_cipher_algos): Add GCRY_CIPHER_ARIA128,
	GCRY_CIPHER_ARIA192 and GCRY_CIPHER_ARIA256.
	(gcry_mac_algos): GCRY_MAC_CMAC_ARIA, GCRY_MAC_GMAC_ARIA and
	GCRY_MAC_POLY1305_ARIA.
	* tests/basic.c (check_ecb_cipher, check_ctr_cipher)
	(check_cfb_cipher, check_ocb_cipher) [USE_ARIA]: Add ARIA test-vectors.
	(check_ciphers) [USE_ARIA]: Add GCRY_CIPHER_ARIA128, GCRY_CIPHER_ARIA192
	and GCRY_CIPHER_ARIA256.
	(main): Also run 'check_bulk_cipher_modes' for 'cipher_modes_only'-mode.
	* tests/bench-slope.c (bench_mac_init): Add GCRY_MAC_POLY1305_ARIA
	setiv-handling.
	* tests/benchmark.c (mac_bench): Likewise.

2023-01-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sm4: add missing OCB 16-way GFNI-AVX512 path.
	+ commit 30c9a1d101b45908a17c68fa50f4cdf9bd113792
	* cipher/sm4.c (_gcry_sm4_ocb_crypt) [USE_GFNI_AVX512]: Add 16-way
	GFNI-AVX512 handling.

	bulkhelp: change bulk function definition to allow modifying context.
	+ commit 86db4b02c6e5fd41ae958fb5e1fcf3e296a820ad
	* cipher/bulkhelp.h (bulk_crypt_fn_t): Make 'ctx' non-constant and
	change 'num_blks' from 'unsigned int' to 'size_t'.
	* cipher/camellia-glue.c (camellia_encrypt_blk1_32)
	(camellia_encrypt_blk1_64, camellia_decrypt_blk1_32)
	(camellia_decrypt_blk1_64): Adjust to match 'bulk_crypt_fn_t'.
	* cipher/serpent.c (serpent_crypt_blk1_16, serpent_encrypt_blk1_16)
	(serpent_decrypt_blk1_16): Likewise.
	* cipher/sm4.c (crypt_blk1_16_fn_t, _gcry_sm4_aesni_avx_crypt_blk1_8)
	(sm4_aesni_avx_crypt_blk1_16, _gcry_sm4_aesni_avx2_crypt_blk1_16)
	(sm4_aesni_avx2_crypt_blk1_16, _gcry_sm4_gfni_avx2_crypt_blk1_16)
	(sm4_gfni_avx2_crypt_blk1_16, _gcry_sm4_gfni_avx512_crypt_blk1_16)
	(_gcry_sm4_gfni_avx512_crypt_blk32, sm4_gfni_avx512_crypt_blk1_16)
	(_gcry_sm4_aarch64_crypt_blk1_8, sm4_aarch64_crypt_blk1_16)
	(_gcry_sm4_armv8_ce_crypt_blk1_8, sm4_armv8_ce_crypt_blk1_16)
	(_gcry_sm4_armv9_sve_ce_crypt, sm4_armv9_sve_ce_crypt_blk1_16)
	(sm4_crypt_blocks, sm4_crypt_blk1_32, sm4_encrypt_blk1_32)
	(sm4_decrypt_blk1_32): Likewise.
	* cipher/twofish.c (twofish_crypt_blk1_16, twofish_encrypt_blk1_16)
	(twofish_decrypt_blk1_16): Likewise.

	Add GMAC-SM4 and Poly1305-SM4.
	+ commit d1ccc409d4c655f695c7dc042a629a8898bd14eb
	* cipher/cipher.c (cipher_list_algo301): Remove comma at the end
	of last entry.
	* cipher/mac-gmac.c (map_mac_algo_to_cipher): Add SM4.
	(_gcry_mac_type_spec_gmac_sm4): New.
	* cipher/max-internal.h (_gcry_mac_type_spec_gmac_sm4)
	(_gcry_mac_type_spec_poly1305mac_sm4): New.
	* cipher/mac-poly1305.c (poly1305mac_open): Add SM4.
	(_gcry_mac_type_spec_poly1305mac_sm4): New.
	* cipher/mac.c (mac_list, mac_list_algo401, mac_list_algo501): Add
	GMAC-SM4 and Poly1304-SM4.
	(mac_list_algo101): Remove comma at the end of last entry.
	* cipher/md.c (digest_list_algo301): Remove comma at the end of
	last entry.
	* doc/gcrypt.texi: Add GCRY_MAC_GMAC_SM4 and GCRY_MAC_POLY1305_SM4.
	* src/gcrypt.h.in (GCRY_MAC_GMAC_SM4, GCRY_MAC_POLY1305_SM4): New.
	* tests/bench-slope.c (bench_mac_init): Setup IV for
	GCRY_MAC_POLY1305_SM4.
	* tests/benchmark.c (mac_bench): Likewise.

	Fix compiler warnings seen with clang-powerpc64le target.
	+ commit f2153d797f43a5fc8b80c2d908bf7dd6ad1fcc2a
	* cipher/rijndael-ppc-common.h (asm_sbox_be): New.
	* cipher/rijndael-ppc.c (_gcry_aes_sbox4_ppc8): Use 'asm_sbox_be'
	instead of 'vec_sbox_be' since this instrinsics has different
	prototype definition on GCC and Clang ('vector uchar' vs 'vector
	ulong long').
	* cipher/sha256-ppc.c (vec_ror_u32): Remove unused function.

2022-12-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add clang support for ARM 32-bit assembly.
	+ commit 02d5d1d97b3f281cf9c854d7143e346ab76fa384
	* configure.ac (gcry_cv_gcc_arm_platform_as_ok)
	(gcry_cv_gcc_inline_asm_neon): Remove % prefix from register names.
	* cipher/cipher-gcm-armv7-neon.S (vmull_p64): Prefix constant values
	with # character instead of $.
	* cipher/blowfish-arm.S: Remove % prefix from all register names.
	* cipher/camellia-arm.S: Likewise.
	* cipher/cast5-arm.S: Likewise.
	* cipher/rijndael-arm.S: Likewise.
	* cipher/rijndael-armv8-aarch32-ce.S: Likewise.
	* cipher/sha512-arm.S: Likewise.
	* cipher/sha512-armv7-neon.S: Likewise.
	* cipher/twofish-arm.S: Likewise.
	* mpi/arm/mpih-add1.S: Likewise.
	* mpi/arm/mpih-mul1.S: Likewise.
	* mpi/arm/mpih-mul2.S: Likewise.
	* mpi/arm/mpih-mul3.S: Likewise.
	* mpi/arm/mpih-sub1.S: Likewise.

	rijndael-ppc: fix wrong inline assembly constraint.
	+ commit 3d20308cc529b53d49954e9f0b8d10fa14422303
	* cipher/rijndael-ppc-function.h (CBC_ENC_FUNC): Fix outiv constraint.

	Fix building AVX512 Intel-syntax assembly with x86-64 clang.
	+ commit 31837163fbc36680140a17892374380a214c5d16
	* cipher/asm-common-amd64.h (spec_stop_avx512_intel_syntax): New.
	* cipher/poly1305-amd64-avx512.S: Use spec_stop_avx512_intel_syntax
	instead of spec_stop_avx512.
	* cipher/sha512-avx512-amd64.S: Likewise.

2022-12-14  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix m4 macros for strict C compiler.
	+ commit e3b441214f93d8f61875b8223480e57afa2a3f10
	* m4/ax_cc_for_build.m4: Fix for no arg.
	* m4/noexecstack.m4: Likewise.

	build: Fix configure.ac for strict C99.
	+ commit f62d5cf9f2683efa867fb04332c84ec899818d22
	* configure.ac: More fixes for other architecture.

2022-12-13  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix configure.ac for strict C99.
	+ commit 693ffa145378682229473b0e811a9cea7c4d307a
	* configure.ac: Add function declarations for asm functions.

2022-12-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	avx512: tweak AVX512 spec stop, use common macro in assembly.
	+ commit 8b4e0e9e9a3696be1404938226f0ec3582f12258
	* cipher/cipher-gcm-intel-pclmul.c: Use xmm registers for AVX512
	spec stop.
	* cipher/asm-common-amd64.h (spec_stop_avx512): New.
	* cipher/blake2b-amd64-avx512.S: Use spec_stop_avx512.
	* cipher/blake2s-amd64-avx512.S: Likewise.
	* cipher/camellia-gfni-avx512-amd64.S: Likewise.
	* cipher/chacha20-avx512-amd64.S: Likewise.
	* cipher/keccak-amd64-avx512.S: Likewise.
	* cipher/poly1305-amd64-avx512.S: Likewise.
	* cipher/sha512-avx512-amd64.S: Likewise.
	* cipher/sm4-gfni-avx512-amd64.S: Likewise.
	---

	chacha20-avx512: add handling for any input block count and tweak 16 block code a bit
	+ commit 996f81dd86ab299f92df581edad49e69ee932139
	* cipher/chacha20-amd64-avx512.S: Add tail handling for 8/4/2/1
	blocks; Rename `_gcry_chacha20_amd64_avx512_blocks16` to
	`_gcry_chacha20_amd64_avx512_blocks`; Tweak 16 parallel block processing
	for small speed improvement.
	* cipher/chacha20.c (_gcry_chacha20_amd64_avx512_blocks16): Rename to ...
	(_gcry_chacha20_amd64_avx512_blocks): ... this.
	(chacha20_blocks) [USE_AVX512]: Add AVX512 code-path.
	(do_chacha20_encrypt_stream_tail) [USE_AVX512]: Change to handle any
	number of full input blocks instead of multiples of 16.

2022-12-06  Jakub Jelen  <jjelen@redhat.com>

	fips,rsa: Prevent usage of X9.31 keygen in FIPS mode.
	+ commit 06ea5b5332ffdb44a0a394d766be8989bcb6a95c
	* cipher/rsa.c (rsa_generate): Do not accept use-x931 or derive-parms
	in FIPS mode.
	* tests/pubkey.c (get_keys_x931_new): Expect failure in FIPS mode.
	(check_run): Skip checking X9.31 keys in FIPS mode.
	* doc/gcrypt.texi: Document "test-parms" and clarify some cases around
	the X9.31 keygen.

2022-11-30  Jakub Jelen  <jjelen@redhat.com>

	rsa: Prevent usage of long salt in FIPS mode.
	+ commit bf1e62e59200b2046680d1d3d1599facc88cfe63
	* cipher/rsa-common.c (_gcry_rsa_pss_encode): Prevent usage of large
	  salt lengths
	  (_gcry_rsa_pss_verify): Ditto.
	* tests/basic.c (check_pubkey_sign): Check longer salt length fails in
	  FIPS mode
	* tests/t-rsa-pss.c (one_test_sexp): Fix function name in error message

2022-11-21  NIIBE Yutaka  <gniibe@fsij.org>

	random:w32: Don't emit message for diskperf when it's not useful.
	+ commit 35abf4d2eb582b78873aa324f6d02976788ffbbc
	* random/rndw32.c (slow_gatherer): Suppress emitting by log_info.

2022-11-18  Jakub Jelen  <jjelen@redhat.com>

	fips: Mark AES key wrapping as approved.
	+ commit c34c9e70055ee43e5ef257384fa15941f064e5a4
	* src/fips.c (_gcry_fips_indicator_cipher): Add key wrapping mode as
	approved.

	pkdf2: Add checks for FIPS.
	+ commit f4a861f3e5ae82f278284061e4829c03edf9c3a7
	* cipher/kdf.c (_gcry_kdf_pkdf2): Require 8 chars passphrase for FIPS.
	Set bounds for salt length and iteration count in FIPS mode.

2022-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	build: Prefer gpgrt-config when available.
	+ commit 0dcb7e05c9e1c9c2a23abe0a0390680741b61414
	* src/libgcrypt.m4: Overriding the decision by
	--with-libgcrypt-prefix, use gpgrt-config libgcrypt when gpgrt-config
	is available.

2022-10-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha3-avx512: fix for "x32" target.
	+ commit eab1caae7bd529c09d809d4d7c64c97ab7abeab8
	* cipher/keccak.c (_gcry_keccak_absorb_blocks_avx512): Change size_t
	to u64; change 'const byte **new_lanes' to 'u64 *new_lanes'.
	(keccak_absorb_lanes64_avx512): Get new lines pointer from assembly
	through 'u64' type.

	serpent: accelerate XTS and ECB modes.
	+ commit 8a1fe5f78f9fed32cd641b3d9d02197f7ba394d8
	* cipher/serpent-armv7-neon.S (_gcry_serpent_neon_blk8): New.
	* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_blk16): New.
	* cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_blk8): New.
	* cipher/serpent.c (_gcry_serpent_sse2_blk8)
	(_gcry_serpent_avx2_blk16, _gcry_serpent_neon_blk8)
	(_gcry_serpent_xts_crypt, _gcry_serpent_ecb_crypt)
	(serpent_crypt_blk1_16, serpent_encrypt_blk1_16)
	(serpent_decrypt_blk1_16): New.
	(serpent_setkey): Setup XTS and ECB bulk functions.

	serpent: fix compiler warning on 32-bit ARM.
	+ commit b50b7ea5cabaf3729afe370b285d78fff9e27d31
	* cipher/serpent.c (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth) [USE_NEON]: Cast "Ls" to 'const void **'.

	twofish: accelerate XTS and ECB modes.
	+ commit d078a928f5c6024fde89388582b83742d2b8638a
	* cipher/twofish-amd64.S (_gcry_twofish_amd64_blk3): New.
	* cipher/twofish-avx2-amd64.S (_gcry_twofish_avx2_blk16): New.
	(_gcry_twofish_xts_crypt, _gcry_twofish_ecb_crypt)
	(_gcry_twofish_avx2_blk16, _gcry_twofish_amd64_blk3)
	(twofish_crypt_blk1_16, twofish_encrypt_blk1_16)
	(twofish_decrypt_blk1_16): New.
	(twofish_setkey): Setup XTS and ECB bulk functions.

	sm4: accelerate ECB (for benchmarking)
	+ commit 14f39993d632815db68a5dca90e021891c9547ab
	* cipher/sm4.c (_gcry_sm4_ecb_crypt): New.
	(sm4_setkey): Setup ECB bulk function.

	sm4: fix lookup-table prefetching.
	+ commit a43e03ef842b2bb93b10cd2b85230af1f0269ca0
	* cipher/sm4.c (sm4_expand_key): Prefetch sbox table.
	(sm4_get_crypt_blk1_16_fn): Do not prefetch sbox table.
	(sm4_expand_key, _gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
	(_gcry_sm4_cfb_dec): Prefetch sbox table if table look-up
	implementation is used.

	camellia: accelerate ECB (for benchmarking)
	+ commit 6475d0915ffecc54a8d1105262edb28ff4026803
	* cipher/bulkhelp.h (bulk_ecb_crypt_128): New.
	* cipher/camellia-glue.c (_gcry_camellia_ecb_crypt): New.
	(camellia_setkey): Select ECB bulk function with AESNI/AVX2, VAES/AVX2
	and GFNI/AVX2.

	rijndael-vaes: align asm functions.
	+ commit 7c1aa4c9452aa1259039680bc1d5ba15124c5f76
	* cipher/rijndael-vaes-avx2-amd64.S: Align functions to 16 bytes.

	rijndael: add ECB acceleration (for benchmarking purposes)
	+ commit 84f3d41acb2377d1ed0c2b9e8268de9d35e90af0
	* cipher/cipher-internal.h (cipher_bulk_ops): Add 'ecb_crypt'.
	* cipher/cipher.c (do_ecb_crypt): Use bulk function if available.
	* cipher/rijndael-aesni.c (do_aesni_enc_vec8): Change asm label
	'.Ldeclast' to '.Lenclast'.
	(_gcry_aes_aesni_ecb_crypt): New.
	* cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_ecb_enc_armv8_ce)
	(_gcry_aes_ecb_dec_armv8_ce): New.
	* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ecb_enc_armv8_ce)
	(_gcry_aes_ecb_dec_armv8_ce): New.
	* cipher/rijndael-armv8-ce.c (_gcry_aes_ocb_enc_armv8_ce)
	(_gcry_aes_ocb_dec_armv8_ce, _gcry_aes_ocb_auth_armv8_ce): Change
	return value from void to size_t.
	(ocb_crypt_fn_t, xts_crypt_fn_t): Remove.
	(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_xts_crypt): Remove
	indirect function call; Return value from called function (allows tail
	call optimization).
	(_gcry_aes_armv8_ce_ocb_auth): Return value from called function (allows
	tail call optimization).
	(_gcry_aes_ecb_enc_armv8_ce, _gcry_aes_ecb_dec_armv8_ce)
	(_gcry_aes_armv8_ce_ecb_crypt): New.
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_ecb_crypt_amd64): New.
	* cipher/rijndael-vaes.c (_gcry_vaes_avx2_ecb_crypt_amd64)
	(_gcry_aes_vaes_ecb_crypt): New.
	* cipher/rijndael.c (_gcry_aes_aesni_ecb_crypt)
	(_gcry_aes_vaes_ecb_crypt, _gcry_aes_armv8_ce_ecb_crypt): New.
	(do_setkey): Setup ECB bulk function for x86 AESNI/VAES and ARM CE.

	mpi/longlong: update powerpc macros from GCC.
	+ commit bf5ec001dfcbd4a293d0bd577fd70a0f8286c4e6
	* mpi/longlong.h [__powerpc__, __powerpc64__]: Update macros.

	hwf-x86: enable VPGATHER usage for AMD CPUs with AVX512.
	+ commit 4b1cb76e3587a8fdf59673a8368d47e4cd2fe151
	* src/hwf-x86.c (detect_x86_gnuc): Move model based checks and
	forced soft hwfeatures enablement at end; Enable VPGATHER for
	AMD CPUs with AVX512.

	sha512-avx512: enable only on Intel CPUs for now.
	+ commit c0f85e0c8657030eb979a465199a07e2819f81e4
	* cipher/sha512.c (sha512_init_common): Enable AVX512 implementation
	only for Intel CPUs.

2022-10-26  Jakub Jelen  <jjelen@redhat.com>

	hmac,hkdf: Check the HMAC key length in FIPS mode.
	+ commit b095ea7559734f519fbe92d570afe567330eb474
	* src/visibility.c (gcry_md_setkey): Add the check here, too.

	Revert "kdf:pkdf2: Require longer input when FIPS mode."
	+ commit 47db7fe3a0c36523d2ccec31705cffff9a2337bc
	* cipher/kdf.c (_gcry_kdf_pkdf2): Remove the length limitation of
	  passphrase input length.

2022-10-24  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit 12b3bc5a0d9c453d02ae229aadfee82808c10220
	* m4/gpg-error.m4: Update from libgpg-error 1.46.

2022-10-19  Jakub Jelen  <jjelen@redhat.com>

	tests: Use proper format string for size_t.
	+ commit b77e7a225bc40ea09fa66969625b97b09a1cbf23


	cipher: Do not run RSA encryption selftest by default.
	+ commit 4e7941587c95fc3ae5fb5686346855395ef6754b
	* cipher/rsa.c (selftests_rsa): Skip encryption selftest as this
	  operation is not claimed as part of the certification.

	Revert "tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode"
	+ commit 7468cdfc8b6aa0c6e17c41218d5c5f2b575b16e4
	This reverts commit f736f3c70182d9c948f9105eb769c47c5578df35. The pubkey
	encryption has already separate explicit FIPS service indicator.

	Revert "Do not allow PKCS #1.5 padding for encryption in FIPS"
	+ commit e83280b36be3be3775427c5842f4274d01992763
	This reverts commit c7709f7b23848abf4ba65cb99cb2a9e9c7ebdefc. The pubkey
	encryption has already separate explicit FIPS service indicator.

	Revert "tests: Expect the OEAP tests to fail in FIPS mode."
	+ commit 9d56af04dce0795d30374fd575a8500fcf0ae158
	This reverts commit 249ca431ef881d510b90a5d3db9cd8507c4d697b. The pubkey
	encryption has already separate explicit FIPS service indicator.

	Revert "fips: Disable RSA-OAEP padding in FIPS mode."
	+ commit a7b5cab05f6a7de23c565b1303eb3f198d0b7e2b
	This reverts commit e552e37983da0c54840786eeff34481685fde1e9. The pubkey
	encryption has already separate explicit FIPS service indicator.

	fips: Mark gcry_pk_encrypt/decrypt function non-approved.
	+ commit 05cb8355d3e66f15425ad85ae2203882e80f4792
	* src/fips.c (_gcry_fips_indicator_function): Add
	gcry_pk_encrypt/decrypt as non-approved.

	fips: Fix fips indicator function.
	+ commit c5de9e77fb332939695918710b0842030515cce0
	* src/fips.c (_gcry_fips_indicator_function): Fix typo in sign/verify
	function names.

2022-10-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: fix RFC reference for GCM-SIV.
	+ commit 94dcd2cf5cd17244eaa96920218f32b64c0cec44
	* doc/gcrypt.texi: Fix GCM-SIV RFC reference to RFC-8452.

	mpi/longlong.h: i386: use tzcnt instruction for trailing zeros.
	+ commit f01d4b7a601f68e52c7c7b4647bfe97cb60be26e
	* mpi/longlong.h [__i386__] (count_trailing_zeros): Add 'rep' prefix
	for 'bsfq'.

	mpi/longlong.h: x86-64: use tzcnt instruction for trailing zeros.
	+ commit 38bd31bc46b992f68c9455ed50a6280943fe6a75
	* mpi/longlong.h [__x86_64__] (count_trailing_zeros): Add 'rep' prefix
	for 'bsfq'.

	mpi/longlong: fix generic smul_ppmm ifdef.
	+ commit d67f453d1b9de0ddb579de3a14ca8a3801bfead6
	* mpi/longlong.h [!umul_ppmm] (smul_ppmm): Change ifdef
	from !defined(umul_ppmm) to !defined(smul_ppmm).

	mpi/longlong: provide generic implementation using double word type.
	+ commit aef0ddf4d37ae7667cdf49d406e740e8d8d311cd
	* configure.ac: Add check for 'unsigned __int128'.
	* mpi/longlong.h (UDWtype): Define for 32-bit or 64-bit when
	'unsigned long long' or 'unsigned __int128' is available.
	(add_ssaaaa, sub_ddmmss, umul_ppmm, udiv_qrnnd) [UDWtype]: New.

2022-10-06  Jakub Jelen  <jjelen@redhat.com>

	tests: Reproducer for short dklen in FIPS mode.
	+ commit efdc87b305ff326f37acd3a9c2606de24a706cce
	* tests/t-kdf.c (check_pbkdf2): Add test vector with short dklen and
	  verify it fails in FIPS mode

	random: Extend the comment about FIPS specifics.
	+ commit 6e832840a8b7cdd30f77e66685ad0de863d7e84d
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Clarify
	  description of the chainging DRBG in FIPS mode.

2022-10-04  Jakub Jelen  <jjelen@redhat.com>

	random: Get maximum 32B of entropy at once in FIPS Mode.
	+ commit a6a6e94027abf18a51f5f93bf9fb2cfe5496bdf8
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): In fips
	mode, gather max 32 B of strong entropy for initialization.

2022-10-02  Jakub Jelen  <jjelen@redhat.com>

	tests: Avoid memory leak.
	+ commit 567bc62e1c3046594088de7209fee7c545ece1e3
	* tests/hashtest.c (run_longtest): Avoid memory leak on error

2022-10-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	t-rsa-testparm: fix 'function declaration isn’t a prototype' warning.
	+ commit 0909186b9e66aa3a8fac7b2571915c45a7bfaeb3
	* cipher/t-rsa-testparm.c (check_rsa_testparm): Define parameters as
	void.

	tests/benchmark: remove VLA usage.
	+ commit 6419fbb1d3dd365a89623a94448a0335ae4a8554
	* cipher/benchmark.c (ccm_aead_init): Avoid VLA in stack array.

	tests/bench-slope: remove VLA usage.
	+ commit 335b8eb1211b3b67541c689da949101db3b669fd
	* tests/bench-slope.c (bench_set_cipher_key): New.
	(bench_encrypt_init, bench_xts_encrypt_init): Use
	'bench_set_cipher_key' to remove VLA usage.

	cipher-ccm: remove VLA usage.
	+ commit ce60a68a1172ea20c1ff72e27e4b0115d805bf48
	* cipher/cipher-ccm.c (do_cbc_mac): Avoid VLA for stack array.

	mpi/ec: remove VLA usage.
	+ commit 9978fc22045ca7623a6e0cbf704fb48ab1550419
	* mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod)
	(_gcry_mpi_ec_nist521_mod): Avoid VLA for arrays.
	* mpi/ec.c (ec_secp256k1_mod): Avoid VLA for arrays.

2022-09-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/hashtest: add hugeblock & disable-hwf options and 6 gig test vectors
	+ commit 0cb29a5736cfcd6bce4ce2495cd0481f0bdb34a4
	* .gitignore: Add 'tests/hashtest-6g'.
	* configure.ac: Add 'tests/hashtest-6g'.
	* tests/Makefile: Add 'hashtest-6g'.
	* tests/hashtest-6g.in: New.
	* tests/hashtest-256g.in: Add SHA3-512 to algos.
	* tests/hashtest.c (use_hugeblock): New.
	(testvectors): Add 256 GiB test vectors for BLAKE2S, BLAKE2B and
	whirlpool; Add 6 GiB test vectors for SHA1, SHA256, SHA512, SHA3, SM3,
	BLAKE2S, BLAKE2B, WHIRLPOOL, CRC32 and CRC24.
	(run_longtest); Use huge 5 GiB pattern block when requested.
	(main): Add '--hugeblock' and '--disable-hwf' options.
	* tests/testdrv.c: Add 'hashtest-6g'; Add SHA3 to 'hashtest-256g'.

2022-09-27  Jakub Jelen  <jjelen@redhat.com>

	keccak: Use size_t to avoid integer overflow.
	+ commit 9c828129b2058c3f36e07634637929a54e8377ee
	* cipher/keccak-armv7-neon.S: Fix function name in comment and change
	  parameter type to size_t.
	* cipher/keccak.c (keccak_ops_t): Change absorb function signature to
	  use size_t.
	  (keccak_absorb_lanes64_avx512): Change nlanes type to size_t.
	  (_gcry_keccak_absorb_lanes64_armv7_neon): Ditto.
	  (keccak_absorb_lanes64_armv7_neon): Ditto.
	  (keccak_absorb_lanes32bi): Ditto.
	  (keccak_absorb_lanes32bi_bmi2): Ditto.
	  (keccak_write): Change nlanes variable to use size_t and avoid
	  overflow when calculating count.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): Change
	  nlanes argument to use size_t.

2022-09-27  Tobias Heider  <tobias.heider@canonical.com>

	kdf:pkdf2: Check minimum allowed key size when running in FIPS mode.
	+ commit 3c04b692de1e7b45b764ff8d66bf84609b012e3a
	* cipher/kdf.c (_gcry_kdf_pkdf2): Add output length check.

2022-09-27  NIIBE Yutaka  <gniibe@fsij.org>

	kdf:pkdf2: Require longer input when FIPS mode.
	+ commit 857e6f467d0fc9fd858a73d84122695425970075
	* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.

2022-09-22  Clemens Lang  <cllang@redhat.com>

	fips: Skip PCT if RSA keygen test-parms specified.
	+ commit c20022ffd4ad2cea51928a109dfa102d711d30ac
	* cipher/rsa.c (rsa_generate): Skip PCT is test-parms were specified.
	* tests/t-rsa-testparm.c: Add test for this functionality
	* tests/Makefile.am: Add test to build system

2022-09-16  NIIBE Yutaka  <gniibe@fsij.org>

	More clean up.
	+ commit 82226dad7ae0effa0d96645476f0401f94361141
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Add static qualifier.
	* mpi/ec-ed25519.c: Include ec-internal.h.
	* src/secmem.c (MB_WIPE_OUT): Remove extra semicolon.

	Move function prototype to cipher.h.
	+ commit f97b2f706dd0a8820828e9015340a895539ed216
	* cipher/kdf-internal.h: Move from here.
	* src/cipher.h (blake2b_vl_hash): To here.

	Minor clean up.
	+ commit 984d94fa9ffff69bd1bdb5d418889d2e6b2745e2
	* mpi/mpi-internal.h: Remove extra semicolon from the macro.
	* mpi/mpih-mul.c: Likewise.
	* src/cipher-proto.h: Remove duplication for enum pk_encoding.
	* mpi/mpi-pow.c (_gcry_mpi_powm): Initialize XSIZE.

	Fix _gcry_err_code_to_errno.
	+ commit 3962623fe6de5c6d6604db90c8c0869fc3d3b7cf
	* src/gcrypt-int.h: Use gpg_err_code_to_errno.

	Fix use of noreturn.
	+ commit 000c50e0781920d691cc60c345a7bd4d770e92d5
	* doc/yat2m.c: Use __noreturn__.
	* src/g10lib.h: Likewise.

2022-09-08  NIIBE Yutaka  <gniibe@fsij.org>

	Silence compiler warnings for unused internal value.
	+ commit 37dc9f8fd00a3aff175f34f094557899207d7ef8
	* cipher/primegen.c (gen_prime): Fix write only variable.
	* src/dumpsexp.c (parse_and_print): Likewise.

	Fix function prototypes.
	+ commit 10d9878dd84fe89a598b6d5ac313869e5f8ffdae
	* random/random-csprng.c (random_poll): It's no args.
	* src/secmem.c (_gcry_secmem_module_init): Likewise.
	(_gcry_secmem_term): Likewise.

2022-08-26  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Check arguments for setup_geniv.
	+ commit c9008345c114ddf2f2ecbfe8dbab03c6d0649408
	* cipher/cipher.c (_gcry_cipher_setup_geniv): Validate the lengths.

2022-08-25  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Support internal generation of IV for AEAD cipher mode.
	+ commit 373b1f6c17948fa7d31880c3705391bef08a0471
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_setiv_zero): New.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate): Use _gcry_cipher_gcm_setiv_zero.
	* cipher/cipher-internal.h (struct gcry_cipher_handle): Add aead field.
	* cipher/cipher.c (_gcry_cipher_setiv): Check calling setiv to reject
	direct invocation in FIPS mode.
	(_gcry_cipher_setup_geniv, _gcry_cipher_geniv): New.
	* doc/gcrypt.texi: Add explanation for two new functions.
	* src/gcrypt-int.h (_gcry_cipher_setup_geniv, _gcry_cipher_geniv): New.
	* src/gcrypt.h.in (enum gcry_cipher_geniv_methods): New.
	(gcry_cipher_setup_geniv, gcry_cipher_geniv): New.
	* src/libgcrypt.def (gcry_cipher_setup_geniv, gcry_cipher_geniv): Add.
	* src/libgcrypt.vers: Likewise.
	* src/visibility.c (gcry_cipher_setup_geniv, gcry_cipher_geniv): Add.
	* src/visibility.h: Likewise.

2022-08-23  Jakub Jelen  <jjelen@redhat.com>

	tests: Expect the OEAP tests to fail in FIPS mode.
	+ commit 249ca431ef881d510b90a5d3db9cd8507c4d697b
	* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption
	  to fail in FIPS mode
	* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS
	  mode

	fips: Disable RSA-OAEP padding in FIPS mode.
	+ commit e552e37983da0c54840786eeff34481685fde1e9
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding
	  in FIPS mode for encryption
	* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for
	  decryption

	gcrypt.h: Fix function name in comment.
	+ commit 0d69847e41e1803654180544fffd4cba3f49cb12


	random: Use getrandom (GRND_RANDOM) in FIPS mode.
	+ commit aab1d63e4def41593312f76de016c885ffafecde
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
	  GRND_RANDOM in FIPS Mode

	Simplify the PCT for RSA and ECDSA.
	+ commit a527d252b89958864153da9ad149e97bb96e1692
	Could be squashed.

	* cipher/ecc.c (test_keys_fips): Simplify to accept key in SEXP format
	  (nist_generate_key): Skip call to test keys
	  (ecc_generate): Call test keys in FIPS mode later, when we have
	  complete SEXP key structure.
	* cipher/rsa.c (test_keys_fips): Simplify to accept key in SEXP format
	  (generate_fips): Skip selftest at this stage
	  (rsa_generate): Test the keys later when we already have key in SEXP
	  format

	ecc: Run PCT also with the digest step.
	+ commit d259993b9456c7abe465f234c4a6f9688a16db40
	* cipher/ecc.c (test_keys_fips): New function
	  (nist_generate_key): In FIPS mode, execute new PCT test
	---

	rsa: Run PCT in FIPS mode also with digest step.
	+ commit 505f048cac8e5af92d3431bd97ade492d1a30bc2
	* cipher/rsa.c (test_keys_fips): New.
	(generate_fips): Call test_keys_fips.

	fips: Add function-name based FIPS indicator.
	+ commit 05a9c9d1ba1db6c1cd160fba979e9ddf4700a0c0
	* doc/gcrypt.texi: Document the new function-based fips indicator
	  GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
	* src/fips.c (_gcry_fips_indicator_function): New function indicating
	  non-approved functions.
	* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
	  GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
	* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.

	fips: Run digest&sign self tests for RSA and ECC in FIPS mode.
	+ commit 1fc7bfc351ba1d7fa31c0c62a24ad78e9e1cfd5b
	* cipher/ecc.c (selftest_hash_sign): Implement digest & sign KAT
	 (selftests_ecdsa): Run the original basic test only with extended tests
	 (run_selftests): Pass-through the extended argument
	* cipher/rsa.c (selftest_hash_sign_2048): Implement digest & sign KAT
	 (selftests_rsa): Run the original basic test only with extended tests
	 (run_selftests): Pass-through the extended argument

2022-08-18  Milan Broz  <gmazyland@gmail.com>

	kdf: Allow empty password for Argon2.
	+ commit a20700c55f0eb8dbb8368b756a571c116163a0bc
	* cipher/kdf.c (_gcry_kdf_open) allow empty password for Argon2.

	kdf: Restructure KDF test vectors.
	+ commit 8a1f50e66364389b8a867801ead8327a663b0c03
	* tests/t-kdf.c: Restructure KDF test vectors to allow easy addition
	  new vectors. Also remove some ugly C code like goto again.

2022-08-02  Clemens Lang  <cllang@redhat.com>

	tests/basic: Add ifdefs for SM4 and CAMELLIA tests.
	+ commit 97e2c237f15dcdb44152887f4773f1f212b529bd
	* tests/basic.c (check_gcm_siv_cipher): Do not run test vectors that
	  are known to fail when compiled without support for SM4 or CAMELLIA.

2022-08-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	basic: gcm-siv: add fips checks for SM4 and CAMELLIA128.
	+ commit a8f66410ca0ded040abea4790efaeb36bb4ccc91
	* tests/basic.c (check_gcm_siv_cipher): Add 'flags' for test vectors
	and set FLAG_NOFIPS for SM4 and CAMELLIA128 test vectors; Add FIPS check
	for test vectors; Change printing "aes-gcm-siv" on fail messages to
	"algo %d GCM-SIV".

2022-07-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sm4: fix unused parameter compiler warning.
	+ commit a0c933f6fed0612558ff75fb23cbf78e2dea1f16
	* cipher/sm4.c (sm4_get_crypt_blk1_16_fn): '(void)'-access ctx
	parameter to avoid compiler warning on powerpc.

2022-07-31  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	sm4: add ARMv8 CE accelerated implementation for XTS mode.
	+ commit 8287dea8379fa9e43dc331c6bd444dd25a962e4b
	* cipher/sm4-armv8-aarch64-ce.S (_gcry_sm4_armv8_ce_xts_crypt): New.
	* cipher/sm4.c (_gcry_sm4_armv8_ce_xts_crypt): New.
	(_gcry_sm4_xts_crypt) [USE_ARM_CE]: Add ARMv8 CE implementation for XTS.

2022-07-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Simplify AES key schedule implementation.
	+ commit db5136c4d9331c001bbe91cfe6625ae7738f8575
	* cipher/rijndael-armv8-ce.c (_gcry_aes_armv8_ce_setkey): New key
	schedule with simplified structure and less stack usage.
	* cipher/rijndael-internal.h (RIJNDAEL_context_s): Add
	'keyschedule32b'.
	(keyschenc32b): New.
	* cipher/rijndael-ppc-common.h (vec_u32): New.
	* cipher/rijndael-ppc.c (vec_bswap32_const): Remove.
	(_gcry_aes_sbox4_ppc8): Optimize for less instructions emitted.
	(keysched_idx): New.
	(_gcry_aes_ppc8_setkey): New key schedule with simplified structure.
	* cipher/rijndael-tables.h (rcon): Remove.
	* cipher/rijndael.c (sbox4): New.
	(do_setkey): New key schedule with simplified structure and less
	stack usage.

	rijndael-ppc: small speed-up for CBC and CFB encryption.
	+ commit 2ac6c24aa53024eb415d49f52229e868f72f47f8
	* cipher/rijndael-ppc-common.h (AES_ENCRYPT_ALL): Remove
	* cipher/rijndael-ppc-functions.h (CFB_ENC_FUNC)
	(CBC_ENC_FUNC): Removed two block unrolled loop; Optimized single
	block loop for shorter critical-path.

2022-07-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha512: add AArch64 crypto/SHA512 extension implementation.
	+ commit e51d3b8330a1d4b15e3484df90646e075c02f54b
	* cipher/Makefile.am: Add 'sha512-armv8-aarch64-ce.S'.
	* cipher/sha512-armv8-aarch64-ce.S: New.
	* cipher/sha512.c (ATTR_ALIGNED_64, USE_ARM64_SHA512): New.
	(k): Make array aligned to 64 bytes.
	[USE_ARM64_SHA512] (_gcry_sha512_transform_armv8_ce): New.
	[USE_ARM64_SHA512] (do_sha512_transform_armv8_ce): New.
	(sha512_init_common) [USE_ARM64_SHA512]: Use ARMv8-SHA512 accelerated
	implementation if HW feature available.
	* configure.ac: Add 'sha512-armv8-aarch64-ce.lo'.
	(gcry_cv_gcc_inline_asm_aarch64_sha3_sha512_sm3_sm4)
	(HAVE_GCC_INLINE_ASM_AARCH64_SHA3_SHA512_SM3_SM4): New.

	blake2: add AVX512 accelerated implementations.
	+ commit 909daa700e4b45d75469df298ee564b8fc2f4b72
	* cipher/Makefile.am: Add 'blake2b-amd64-avx512.S' and
	'blake2s-amd64-avx512.S'.
	* cipher/blake2.c (USE_AVX512): New.
	(ASM_FUNC_ABI): Setup attribute if USE_AVX2 or USE_AVX512 enabled in
	addition to USE_AVX.
	(BLAKE2B_CONTEXT_S, BLAKE2S_CONTEXT_S): Add 'use_avx512'.
	(_gcry_blake2b_transform_amd64_avx512)
	(_gcry_blake2s_transform_amd64_avx512): New.
	(blake2b_transform, blake2s_transform) [USE_AVX512]: Add AVX512 path.
	(blake2b_init_ctx, blake2s_init_ctx) [USE_AVX512]: Use AVX512 if HW
	feature available.
	* cipher/blake2b-amd64-avx512.S: New.
	* cipher/blake2s-amd64-avx512.S: New.
	* configure.ac: Add 'blake2b-amd64-avx512.lo' and
	'blake2s-amd64-avx512.lo'.

	sha3: Add x86-64 AVX512 accelerated implementation.
	+ commit beaad75f4655e5316ce24f75ef172c231fd47fc1
	* LICENSES: Add 'cipher/keccak-amd64-avx512.S'.
	* configure.ac: Add 'keccak-amd64-avx512.lo'.
	* cipher/Makefile.am: Add 'keccak-amd64-avx512.S'.
	* cipher/keccak-amd64-avx512.S: New.
	* cipher/keccak.c (USE_64BIT_AVX512, ASM_FUNC_ABI): New.
	[USE_64BIT_AVX512] (_gcry_keccak_f1600_state_permute64_avx512)
	(_gcry_keccak_absorb_blocks_avx512, keccak_f1600_state_permute64_avx512)
	(keccak_absorb_lanes64_avx512, keccak_avx512_64_ops): New.
	(keccak_init) [USE_64BIT_AVX512]: Enable x86-64 AVX512 implementation
	if supported by HW features.

2022-07-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sm4-arm-sve-ce: use 32 parallel blocks for XTS and CTR32LE.
	+ commit dca0bd133dd08ec88e0b4c454cfc26c9093572a9
	* cipher/sm4.c (sm4_crypt_blk1_32) [USE_ARM_SVE_CE]: Add SVE-SM4 code
	path.

	sm4 & camellia: add generic bulk acceleration for CTR32LE mode (GCM-SIV)
	+ commit cf956793afc2cdbd3b20caa3d186ccb8023b804c
	* cipher/bulkhelp.h (bulk_ctr32le_enc_128): New.
	* cipher/camellia-glue.c (_gcry_camellia_ctr32le_enc): New.
	(camellia_setkey): Setup `bulk_ops->ctr32le_enc` if any AVX2
	implementation is available.
	* cipher/sm4.c (_gcry_sm4_ctr32le_enc): New.
	(sm4_setkey): Setup `bulk_ops->ctr32le_enc`.
	* tests/basic.c (check_gcm_siv_cipher): Add large bulk encryption
	test vectors for SM4 and CAMELLIA128.

	sm4: add amd64 GFNI/AVX512 implementation.
	+ commit eaed633c1662d8a98042ac146c981113f2807b22
	* cipher/Makefile.am: Add 'sm4-gfni-avx512-amd64.S'.
	* cipher/sm4-gfni-avx512-amd64.S: New.
	* cipher/sm4-gfni.c (USE_GFNI_AVX512): New.
	(SM4_context): Add 'use_gfni_avx512' and 'crypt_blk1_16'.
	(_gcry_sm4_gfni_avx512_expand_key, _gcry_sm4_gfni_avx512_ctr_enc)
	(_gcry_sm4_gfni_avx512_cbc_dec, _gcry_sm4_gfni_avx512_cfb_dec)
	(_gcry_sm4_gfni_avx512_ocb_enc, _gcry_sm4_gfni_avx512_ocb_dec)
	(_gcry_sm4_gfni_avx512_ocb_auth, _gcry_sm4_gfni_avx512_ctr_enc_blk32)
	(_gcry_sm4_gfni_avx512_cbc_dec_blk32)
	(_gcry_sm4_gfni_avx512_cfb_dec_blk32)
	(_gcry_sm4_gfni_avx512_ocb_enc_blk32)
	(_gcry_sm4_gfni_avx512_ocb_dec_blk32)
	(_gcry_sm4_gfni_avx512_crypt_blk1_16)
	(_gcry_sm4_gfni_avx512_crypt_blk32, sm4_gfni_avx512_crypt_blk1_16)
	(sm4_crypt_blk1_32, sm4_encrypt_blk1_32, sm4_decrypt_blk1_32): New.
	(sm4_expand_key): Add GFNI/AVX512 code-path
	(sm4_setkey): Use GFNI/AVX512 if supported by CPU; Setup
	`ctx->crypt_blk1_16`.
	(sm4_encrypt, sm4_decrypt, sm4_get_crypt_blk1_16_fn, _gcry_sm4_ctr_enc)
	(_gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt)
	(_gcry_sm4_ocb_auth) [USE_GFNI_AVX512]: Add GFNI/AVX512 code path.
	(_gcry_sm4_xts_crypt): Change parallel block size from 16 to 32.
	* configure.ac: Add 'sm4-gfni-avx512-amd64.lo'.

2022-07-21  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Add SM4 ARMv9 SVE CE assembly implementation.
	+ commit 2dc2654006746a25f9cb6b24786867f1725ac244
	* cipher/Makefile.am: Add 'sm4-armv9-aarch64-sve-ce.S'.
	* cipher/sm4-armv9-aarch64-sve-ce.S: New.
	* cipher/sm4.c (USE_ARM_SVE_CE): New.
	(SM4_context) [USE_ARM_SVE_CE]: Add 'use_arm_sve_ce'.
	(_gcry_sm4_armv9_sve_ce_crypt, _gcry_sm4_armv9_sve_ce_ctr_enc)
	(_gcry_sm4_armv9_sve_ce_cbc_dec, _gcry_sm4_armv9_sve_ce_cfb_dec)
	(sm4_armv9_sve_ce_crypt_blk1_16): New.
	(sm4_setkey): Enable ARMv9 SVE CE if supported by HW.
	(sm4_get_crypt_blk1_16_fn) [USE_ARM_SVE_CE]: Add ARMv9 SVE CE
	bulk functions.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	[USE_ARM_SVE_CE]: Add ARMv9 SVE CE bulk functions.
	* configure.ac: Add 'sm4-armv9-aarch64-sve-ce.lo'.

	Add ARMv9 SVE2 and optional Crypto Extension HW features.
	+ commit ea5e71f9c8eb32d8b820be85eb34a8926cfa834d
	* configure.ac (sve2support, gcry_cv_gcc_inline_asm_aarch64_sve2)
	(ENABLE_SVE2_SUPPORT): New.
	* doc/gcrypt.texi: Add "sve2, sveaes, svepmull, svesha3, svesm4" to
	ARM hardware features list.
	* src/g10lib.h (HWF_ARM_SVE2, HWF_ARM_SVEAES, HWF_ARM_SVEPMULL)
	(HWF_ARM_SVESHA3, HWF_ARM_SVESM4): New.
	* src/hwf-arm.c (arm_features): Add
	"sve2, sveaes, svepmull, svesha3, svesm4".
	* src/hwfeatures.c (hwflist): Add
	"arm-sve2, arm-sveaes, arm-svepmull, arm-svesha3, arm-svesm4".

	Add detection for HW feature "ARMv8 SVE"
	+ commit 8921b5221e333626884ad291881f79e0583d574a
	* configure.ac (svesupport, gcry_cv_gcc_inline_asm_aarch64_sve)
	(ENABLE_SVE_SUPPORT): New.
	* doc/gcrypt.texi: Add "arm-sve" to HW features list.
	* src/g10lib.h (HWF_ARM_SVE): New.
	* src/hwf-arm.c (arm_features): Add "sve".
	* src/hwfeatures.c (hwflist): Add "arm-sve".

2022-07-21  NIIBE Yutaka  <gniibe@fsij.org>

	Cleanup for type definitions of byte, ushort, u32, and u64.
	+ commit 3494140847cb8056d017418fefa25e7bbcfaa32c
	* src/types.h: Use macros defined by configure script.
	* src/hmac256.c: Fix for HAVE_U32.
	* cipher/poly1305.c: Fix for HAVE_U64.

2022-07-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	visibility: add missing fips_is_operational check for gcry_md_extract.
	+ commit 434a58d0e784958d56ad4eceebec10ee97933108
	* src/visibility.c (gcry_md_extract): Add 'fips_is_operational' check.

	hwf-x86: fix UBSAN warning.
	+ commit 9636c88262fc5704cb4136cae975932acee6d08f
	* src/hwf-x86.c (detect_x86_gnuc): Change `(1 << 31)` to `(1U << 31)`
	to fix undefined behaviour.

	hwf-arm: add ARM HW feature detection support for MacOS.
	+ commit 4abcedcea82036b18b3906e99f8aaf0a1f6c8b9a
	* configure.ac: Add detection for header 'sys/sysctl.h' and system
	function 'sysctlbyname'.
	* src/hwf-arm.c (HAS_APPLE_SYSCTLBYNAME)
	(detect_arm_apple_sysctlbyname): New.
	(detect_arm_hwf_by_toolchain) [__ARM_FEATURE_CRYPTO]: Also check for
	ENABLE_ARM_CRYPTO_SUPPORT.
	(_gcry_hwf_detect_arm) [HAS_APPLE_SYSCTLBYNAME]: Check HWFs with
	'detect_arm_apple_sysctlbyname' function.

2022-07-19  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add buildhelp.h to source to be distributed.
	+ commit 9a134fb7f286b94904585f3c3958c944999f20cc
	* cipher/Makefile.am (libcipher_la_SOURCES): Add bulkhelp.h.

	build: Fix configure script.
	+ commit 2efb90104591eda490d9f7ba281aa29bceb92487
	* configure.ac (AC_USE_SYSTEM_EXTENSIONS): Use it earlier.

	build: Update config.guess, config.sub, and config.rpath.
	+ commit e633cc3315aa350d9d28cc27a6deb6304c68ef77
	* build-aux/config.guess: Update from upstream.
	* build-aux/config.sub: Ditto.
	* build-aux/config.rpath: Update from gettext 0.21.

2022-07-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix gcry_pk_hash_verify for explicit hash.
	+ commit b2a64ed4f34abbd3871336503bec5ffeb3ad547b
	* cipher/pubkey.c (_gcry_pk_verify_md): Implement support of explicit
	hash.
	* tests/t-ecdsa.c (one_test_sexp): Use explicit hash.

2022-07-07  Clemens Lang via Gcrypt-devel  <gcrypt-devel@lists.gnupg.org>

	tests/t-kdf: Test KDF FIPS indicator.
	+ commit 37b812f5e2a3c80d4bc104512248a07268f3c98b
	 * tests/t-kdf.c (check_fips_indicators): Add test for gcry_control
	   (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF).

	tests: Test gcry_pk_hash_sign w/explicit hash algo.
	+ commit 45a139b166a3fa18eb1eddf7e02b5cdd890a6c37
	 * tests/t-ecdsa.c (one_test_sexp): Re-run signature operation with hash
	   algorithm explicitly specified in data_tmpl as documented in the
	   manpage.

2022-07-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sm4: fix wrong macro used for GFNI/AVX2 code-path.
	+ commit 66ef99bb1804d754edaa5d6b37651e92e918540e
	* cipher/sm4.c (sm4_get_crypt_blk1_16_fn): Use USE_GFNI_AVX2 for
	GFNI/AVX2 block.

	sm4: fix use of GFNI/AVX2 accelerated key expansion.
	+ commit 935e211af145c559c9147026339ceb947edb6d6a
	* cipher/sm4.c [USE_GFNI_AVX2] (_gcry_sm4_gfni_avx_expand_key): Remove.
	[USE_GFNI_AVX2] (_gcry_sm4_gfni_avx2_expand_key): New.
	(sm4_expand_key): Change '_gcry_sm4_gfni_avx_expand_key' to
	'_gcry_sm4_gfni_avx2_expand_key'.

	camellia-gfni-avx512: remove copy-paste / leftover extra instructions.
	+ commit 99b7375bd6162c7c3f481ab6d0d106bfcb5b2b07
	* cipher/camellia-gfni-avx512-amd64.S: Remove extranous copy-pasted
	instructions after `.Lbswap128_mask` constant; Remove left-over plaintext
	xorring in OCB encryption input loading macro.

	camellia-gfni-avx512: add missing register clearing on function exits.
	+ commit ac14d9ee7a094a2b9a26b1e3f4d36f59dbf68b40
	* cipher/camellia-gfni-avx512-amd64.S: Add clear_regs() at externally
	visible function epilogues.

	tests/basic: enable IV checks for CBC/CFB/CTR bulk tests.
	+ commit fd3ed68754eb1741cef22bce8bc2957f3853a292
	* cipher/cipher.c (_gcry_cipher_ctl): Add handling for
	'PRIV_CIPHERCTL_GET_COUNTER'.
	* src/gcrypt-testapi.h (PRIV_CIPHERCTL_GET_COUNTER): New.
	* tests/basic.c (cipher_cbc_bulk_test, cipher_cfb_bulk_test): Restore
	IV checks by reading current IV from CBC/CFB cipher handle using
	PRIV_CIPHERCTL_GET_INPUT_VECTOR.
	(cipher_ctr_bulk_test): Restore counter checks by reading current
	counter from CTR cipher handle using PRIV_CIPHERCTL_GET_COUNTER.

2022-07-06  NIIBE Yutaka  <gniibe@fsij.org>

	cipher,chacha20: Conditionalize a variable.
	+ commit 8d5053fb08cf2a38360be2d2f5534b137c299e74
	* cipher/chacha20.c (_gcry_chacha20_poly1305_decrypt): Only
	use skip_stitched when one of macros is defined.

2022-07-06  Clemens Lang  <cllang@redhat.com>

	tests/basic: Skip non-FIPS tests in FIPS mode.
	+ commit 9d6203532d9012ff82aa218bd1a17797cf8017e5
	* tests/basic.c (check_pubkey): Skip non-FIPS tests in FIPS mode, fixes
	  a logic error previously introduced in e9698002.

2022-07-05  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Fix memory leak on error.
	+ commit e2a7a0c9f5d258051b26babeac20e4a7cfb5a6ac
	* cipher/kdf.c (hkdf_open): Free the memory on the error path.

2022-07-01  Clemens Lang  <cllang@redhat.com>

	fips: Skip selftests of unsupported PK algos.
	+ commit c5480b4934bb0adecdfc29a47b5e123f995507e1
	* src/fips.c (run_pubkey_selftests): Do not run selftests for disabled
	  public key algorithms.

	build: Skip PK-specific tests if algo is disabled.
	+ commit 56000fb5c42f01f1ced4e3dd0bb30662c0ba87c3
	* configure.ac: Define AM_CONDITIONALs for USE_DSA, USE_RSA,
	  USE_ELGAMAL, USE_ECC so Makefiles can depend on them.
	* tests/Makefile.am: Skip tests that test only one public key algorithm
	  if that algorithm is disabled.

	tests/keygen.c: Skip unavailable PK algorithms.
	+ commit 572b0bf9668d6a01cd7ce1c2227d5a4899ad3502
	* tests/keygen.c (show_mpi, check_rsa_keys, check_elg_keys,
	  check_dsa_keys, check_generated_ecc_key, check_ecc_keys): Skip tests
	  if the required public key algorithm is not available.

	tests/benchmark: Skip unavailable PK algorithms.
	+ commit 78c0d76f809262184ef0198be087fc2b133c880b
	* tests/benchmark.c (cipher_bench, rsa_bench, elg_bench, dsa_bench,
	  ecc_bench): Do not run benchmarks for PK algorithms that are not
	  supported in the current build.

	tests/basic: Skip tests if PK algo is unavailable.
	+ commit e78cf3df23a2bf33dc7fdc99e55949732521668d
	* tests/basic.c (check_pubkey): Skip tests if the required public key
	  algorithm is not available.

	tests/pubkey: Skip tests if PK algo is unavailable.
	+ commit 4f4da6cbf065b3ae675e2b0d3ff56765025c2852
	* tests/pubkey.c (check_run, main): Skip tests for unavailable
	  algorithms.

	kdf: Skip tests if hash algo is not available.
	+ commit 96fafffeeba5899d3d1b4d68ce99faed23cef641
	* tests/t-kdf.c (check_openpgp, check_pbkdf2): Test digest availability.

2022-06-24  NIIBE Yutaka  <gniibe@fsij.org>

	hmac,hkdf: Allow use of shorter salt for HKDF.
	+ commit 58c92098d053aae7c78cc42bdd7c80c13efc89bb
	* cipher/md.c (prepare_macpads): Move the check to...
	* src/visibility.c (gcry_mac_setkey): ... here.
	* tests/t-kdf.c (check_hkdf): No failure is expected.

2022-06-21  NIIBE Yutaka  <gniibe@fsij.org>

	kdf,fips: Modify HKDF test for FIPS mode.
	+ commit 07722d89bac1a739b084b4412c3ff42e215d5968
	* tests/t-kdf.c (check_hkdf): Check if shorter salts are rejected
	correctly when FIPS mode.

	kdf: Add input check for hkdf.
	+ commit e0f0c788dc0f268965c0f63eb33d9f98c0575d58
	* cipher/kdf.c (hkdf_open): Validate the output size.

2022-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Add HKDF of RFC5869.
	+ commit fbddfb964f0b1c1ec131194b2273c3f834041c84
	* src/gcrypt.h.in (GCRY_KDF_HKDF): New.
	* cipher/kdf.c (hkdf_open, hkdf_compute, hkdf_final, hkdf_close): New.
	(_gcry_kdf_open, _gcry_kdf_compute, _gcry_kdf_final, _gcry_kdf_close):
	Handle GCRY_KDF_HKDF.
	* tests/t-kdf.c (check_hkdf): New.  Test vectors from RFC5869.
	(main): Call check_hkdf.

2022-06-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ppc: enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch-3.00.
	+ commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14
	* cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable
	P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is
	defined.
	* cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise.
	* cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise.
	---

	This change allows testing P10 implementations with P9 and with QEMU-PPC.

2022-06-12  Danny Tsen  <dtsen@us.ibm.com>

	Chacha20/poly1305 - Optimized chacha20/poly1305 for P10 operation.
	+ commit 88fe7ac33eb4cb4dff76a5cc7fca50da5fb0ee3a
	* configure.ac: Added chacha20 and poly1305 assembly implementations.
	* cipher/chacha20-p10le-8x.s: (New) - support 8 blocks (512 bytes)
	unrolling.
	* cipher/poly1305-p10le.s: (New) - support 4 blocks (128 bytes)
	unrolling.
	* cipher/Makefile.am: Added new chacha20 and poly1305 files.
	* cipher/chacha20.c: Added PPC p10 le support for 8x chacha20.
	* cipher/poly1305.c: Added PPC p10 le support for 4x poly1305.
	* cipher/poly1305-internal.h: Added PPC p10 le support for poly1305.
	---

	[jk: cosmetic changes to C code]
	[jk: fix building on ppc64be]

2022-06-08  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Add support for One-Step KDF with MAC.
	+ commit 6d32bf80846a22568575a101a3fe6769ab058bb9
	* src/gcrypt.h.in (GCRY_KDF_ONESTEP_KDF_MAC): New.
	* cipher/kdf.c (onestep_kdf_mac_open, onestep_kdf_mac_compute): New.
	(onestep_kdf_mac_final, onestep_kdf_mac_close): New.
	(_gcry_kdf_open, _gcry_kdf_compute, _gcry_kdf_final, _gcry_kdf_close):
	Add support for GCRY_KDF_ONESTEP_KDF_MAC.

2022-06-07  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Add One-Step KDF with hash.
	+ commit f8c983cb14f8ba0921ce8fa52ea3519feae07861
	* src/gcrypt.h.in (GCRY_KDF_ONESTEP_KDF): New.
	* cipher/kdf.c (onestep_kdf_open, onestep_kdf_compute): New.
	(onestep_kdf_final): New.
	(_gcry_kdf_open, _gcry_kdf_compute, _gcry_kdf_final): Add
	GCRY_KDF_ONESTEP_KDF support.
	* tests/t-kdf.c (check_onestep_kdf): Add the test.
	(main): Call check_onestep_kdf.

	Fix for struct gcry_thread_cbs.
	+ commit 8d8e80ad753645b5fcbe28bb3e768079415ef848
	* src/gcrypt.h.in (struct gcry_thread_cbs): Since it's no use any
	more, even internally, use _GCRY_GCC_ATTR_DEPRECATED instead.

2022-06-01  NIIBE Yutaka  <gniibe@fsij.org>

	secmem: Remove RISC OS support.
	+ commit fd9aa21983a114e1aab605536bc2371235e9a060
	* src/secmem.c [__riscos__]: Remove.

	secmem: Clean up ERRNO handling.
	+ commit d7c900a97b62a44d6667e065c6d2384136aefa63
	* src/secmem.c (lock_pool_pages): Use ERR only for the return value
	from mlock.

	secmem: Remove getting cap_ipc_lock by capabilities support.
	+ commit 43f51d0ec6b50a6317a6e67642bc87b9ddf45927
	* src/secmem.c (lock_pool_pages): Remove escalation of the capability.

2022-05-31  Jakub Jelen  <jjelen@redhat.com>

	Fix memory leaks in tests.
	+ commit ef2e1523c33c3143b4fee0c00f88a5a0842b337f
	* tests/aeswrap.c (check_one_with_padding): Free hd on error paths
	* tests/basic.c (check_ccm_cipher): Free context on error paths
	  (check_ocb_cipher_checksum): Ditto.
	  (do_check_xts_cipher): Ditto.
	  (check_gost28147_cipher_basic): Ditto.
	* tests/bench-slope.c (bench_ecc_init): Free memory on invalid input.
	* tests/t-cv25519.c (test_it): Free memory on error path
	* tests/t-dsa.c (hex2buffer): Free memory on error path
	* tests/t-ecdsa.c (hex2buffer): Free memory on error path
	  (one_test_sexp): Cleanup memory on exit
	* tests/t-mpi-point.c (check_ec_mul): Free memory on error
	  (check_ec_mul_reduction): Ditto
	* tests/t-rsa-15.c (hex2buffer): Ditto
	* tests/t-rsa-pss.c (hex2buffer): Ditto
	* tests/t-x448.c (test_it): Free memory on error path
	* tests/testdrv.c (my_spawn): Free memory on error paths

2022-05-19  Jakub Jelen  <jjelen@redhat.com>

	cipher: Allow verification of small RSA signatures in FIPS mode.
	+ commit ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667
	* cipher/rsa.c (rsa_check_keysize): Formatting.
	  (rsa_check_verify_keysize): New function.
	  (rsa_verify): Allow using smaller keys for verification.

2022-05-17  NIIBE Yutaka  <gniibe@fsij.org>

	Fix internal declaration of _gcry_kdf_compute.
	+ commit 4019f1a66b15d2ef82eb059c432e6b09b2c69b21
	* src/gcrypt-int.h (_gcry_kdf_compute): Return gcry_err_code_t.

	mpi: Allow building with --disable-asm for HPPA.
	+ commit c0692324fe8b3806eefc5017767917dca9cd94d0
	* mpi/longlong.h [__hppa] (udiv_qrnnd): Only define
	when assembler is enabled.

2022-05-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aarch64-asm: use ADR for getting pointers for local labels.
	+ commit fd02e8e78470deb661269c429f3348f811c054c6
	* cipher/asm-common-aarch64.h (GET_DATA_POINTER): Remove.
	(GET_LOCAL_POINTER): New.
	* cipher/camellia-aarch64.S: Use GET_LOCAL_POINTER instead of ADR
	instruction directly.
	* cipher/chacha20-aarch64.S: Use GET_LOCAL_POINTER instead of
	GET_DATA_POINTER.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Likewise.
	* cipher/crc-armv8-aarch64-ce.S: Likewise.
	* cipher/sha1-armv8-aarch64-ce.S: Likewise.
	* cipher/sha256-armv8-aarch64-ce.S: Likewise.
	* cipher/sm3-aarch64.S: Likewise.
	* cipher/sm3-armv8-aarch64-ce.S: Likewise.
	* cipher/sm4-aarch64.S: Likewise.
	---

	Switch to use ADR instead of ADRP/LDR or ADRP/ADD for getting
	data pointers within assembly files. ADR is more portable across
	targets and does not require labels to be declared in GOT tables.

2022-05-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: move CBC/CFB/CTR self-tests to tests/basic.
	+ commit a9700956361d280746f2bffe94cbdb72c95eb3ed
	* cipher/Makefile.am: Remove 'cipher-selftest.c' and 'cipher-selftest.h'.
	* cipher/cipher-selftest.c: Remove (refactor these tests to
	tests/basic.c).
	* cipher/cipher-selftest.h: Remove.
	* cipher/blowfish.c (selftest_ctr, selftest_cbc, selftest_cfb): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cbc_128)
	(selftest_cfb_128): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/cast5.c (selftest_ctr, selftest_cbc, selftest_cfb): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/des.c (bulk_selftest_setkey, selftest_ctr, selftest_cbc)
	(selftest_cfb): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
	(selftest_basic_256): Allocate context from stack instead of heap and
	handle alignment manually.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/serpent.c (selftest_ctr_128, selftest_cbc_128)
	(selftest_cfb_128): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/sm4.c (selftest_ctr_128, selftest_cbc_128)
	(selftest_cfb_128): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* cipher/twofish.c (selftest_ctr, selftest_cbc, selftest_cfb): Remove.
	(selftest): Remove CTR/CBC/CFB bulk self-tests.
	* tests/basic.c (buf_xor, cipher_cbc_bulk_test, buf_xor_2dst)
	(cipher_cfb_bulk_test, cipher_ctr_bulk_test): New.
	(check_ciphers): Run cipher_cbc_bulk_test(), cipher_cfb_bulk_test() and
	cipher_ctr_bulk_test() for block ciphers.
	---

	CBC/CFB/CTR bulk self-tests are quite computationally heavy and
	slow down use cases where application opens cipher context once,
	does processing and exits. Better place for these tests is in
	`tests/basic`.

	camellia: add amd64 GFNI/AVX512 implementation.
	+ commit 9ab61ba24b72bc109b7578a7868716910d2ea9d1
	* cipher/Makefile.am: Add 'camellia-gfni-avx512-amd64.S'.
	* cipher/bulkhelp.h (bulk_ocb_prepare_L_pointers_array_blk64): New.
	* cipher/camellia-aesni-avx2-amd64.h: Rename internal functions from
	"__camellia_???" to "FUNC_NAME(???)"; Minor changes to comments.
	* cipher/camellia-gfni-avx512-amd64.S: New.
	* cipher/camellia-gfni.c (USE_GFNI_AVX512): New.
	(CAMELLIA_context): Add 'use_gfni_avx512'.
	(_gcry_camellia_gfni_avx512_ctr_enc, _gcry_camellia_gfni_avx512_cbc_dec)
	(_gcry_camellia_gfni_avx512_cfb_dec, _gcry_camellia_gfni_avx512_ocb_enc)
	(_gcry_camellia_gfni_avx512_ocb_dec)
	(_gcry_camellia_gfni_avx512_enc_blk64)
	(_gcry_camellia_gfni_avx512_dec_blk64, avx512_burn_stack_depth): New.
	(camellia_setkey): Use GFNI/AVX512 if supported by CPU.
	(camellia_encrypt_blk1_64, camellia_decrypt_blk1_64): New.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec, _gcry_camellia_cfb_dec)
	(_gcry_camellia_ocb_crypt) [USE_GFNI_AVX512]: Add GFNI/AVX512 code path.
	(_gcry_camellia_xts_crypt): Change parallel block size from 32 to 64.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Increase test
	block size.
	* cipher/chacha20-amd64-avx512.S: Clear k-mask registers with xor.
	* cipher/poly1305-amd64-avx512.S: Likewise.
	* cipher/sha512-avx512-amd64.S: Likewise.
	---

	Benchmark on Intel i3-1115G4 (tigerlake):

	Before (GFNI/AVX2):
	 CAMELLIA128    |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        CBC dec |     0.356 ns/B      2679 MiB/s      1.46 c/B      4089
	        CFB dec |     0.374 ns/B      2547 MiB/s      1.53 c/B      4089
	        CTR enc |     0.409 ns/B      2332 MiB/s      1.67 c/B      4089
	        CTR dec |     0.406 ns/B      2347 MiB/s      1.66 c/B      4089
	        XTS enc |     0.430 ns/B      2216 MiB/s      1.76 c/B      4090
	        XTS dec |     0.433 ns/B      2201 MiB/s      1.77 c/B      4090
	        OCB enc |     0.460 ns/B      2071 MiB/s      1.88 c/B      4089
	        OCB dec |     0.492 ns/B      1939 MiB/s      2.01 c/B      4089

	After (GFNI/AVX512):
	 CAMELLIA128    |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	        CBC dec |     0.207 ns/B      4600 MiB/s     0.827 c/B      3989
	        CFB dec |     0.207 ns/B      4610 MiB/s     0.825 c/B      3989
	        CTR enc |     0.218 ns/B      4382 MiB/s     0.868 c/B      3990
	        CTR dec |     0.217 ns/B      4389 MiB/s     0.867 c/B      3990
	        XTS enc |     0.330 ns/B      2886 MiB/s      1.35 c/B      4097±4
	        XTS dec |     0.328 ns/B      2904 MiB/s      1.35 c/B      4097±3
	        OCB enc |     0.246 ns/B      3879 MiB/s     0.981 c/B      3990
	        OCB dec |     0.247 ns/B      3855 MiB/s     0.987 c/B      3990

	  CBC dec: 70% faster
	  CFB dec: 80% faster
	  CTR: 87% faster
	  XTS: 31% faster
	  OCB: 92% faster

2022-05-10  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix for 64-bit for _gcry_mpih_cmp_ui.
	+ commit a611e3a25d61505698e2bb38ec2db38bc6a74820
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Compare 64-bit
	value correctly.

	random: Fix rndjent for Windows.
	+ commit 5dc97e855bb27705a548a297b666b7be7b1c59a3
	* random/jitterentropy-base-user.h [HAVE_W32_SYSTEM] (jent_ncpu):
	Implement.
	* random/rndjent.c (_WIN32_WINNT): Define for GetNativeSystemInfo.
	(EOPNOTSUPP): Define when not available.

2022-04-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: add testing for partial bulk processing code paths.
	+ commit 9ba1f0091ff408d6140ee75a56fd67f02d0d3f30
	* tests/basic.c (check_one_cipher_core): Add 'split_mode' parameter and
	handling for split_mode==1.
	(check_one_cipher): Use split_mode==0 for existing check_one_cipher_core
	calls; Add new large buffer check with split_mode==1.

	sm4-aesni-avx2: add generic 1 to 16 block bulk processing function.
	+ commit e239738b4af28b64ab617900fced8a216552e9f1
	* cipher/sm4-aesni-avx2-amd64.S: Remove unnecessary vzeroupper at
	function entries.
	(_gcry_sm4_aesni_avx2_crypt_blk1_16): New.
	* cipher/sm4.c (_gcry_sm4_aesni_avx2_crypt_blk1_16)
	(sm4_aesni_avx2_crypt_blk1_16): New.
	(sm4_get_crypt_blk1_16_fn) [USE_AESNI_AVX2]: Add
	'sm4_aesni_avx2_crypt_blk1_16'.

	Add SM4 x86-64/GFNI/AVX2 implementation.
	+ commit 5095d60af42d898311d66b10f5204a3418a4a8af
	* cipher/Makefile.am: Add 'sm4-gfni-avx2-amd64.S'.
	* cipher/sm4-aesni-avx2-amd64.S: New.
	* cipher/sm4.c (USE_GFNI_AVX2): New.
	(SM4_context): Add 'use_gfni_avx2'.
	(crypt_blk1_8_fn_t): Rename to...
	(crypt_blk1_16_fn_t): ...this.
	(sm4_aesni_avx_crypt_blk1_8): Rename to...
	(sm4_aesni_avx_crypt_blk1_16): ...this and add handling for 9 to 16
	input blocks.
	(_gcry_sm4_gfni_avx_expand_key, _gcry_sm4_gfni_avx2_ctr_enc)
	(_gcry_sm4_gfni_avx2_cbc_dec, _gcry_sm4_gfni_avx2_cfb_dec)
	(_gcry_sm4_gfni_avx2_ocb_enc, _gcry_sm4_gfni_avx2_ocb_dec)
	(_gcry_sm4_gfni_avx2_ocb_auth, _gcry_sm4_gfni_avx2_crypt_blk1_16)
	(sm4_gfni_avx2_crypt_blk1_16): New.
	(sm4_aarch64_crypt_blk1_8): Rename to...
	(sm4_aarch64_crypt_blk1_16): ...this and add handling for 9 to 16
	input blocks.
	(sm4_armv8_ce_crypt_blk1_8): Rename to...
	(sm4_armv8_ce_crypt_blk1_16): ...this and add handling for 9 to 16
	input blocks.
	(sm4_expand_key): Add GFNI/AVX2 path.
	(sm4_setkey): Enable GFNI/AVX2 implementation if HW features
	available; Disable AESNI implementations when GFNI implementation is
	enabled.
	(sm4_encrypt) [USE_GFNI_AVX2]: New.
	(sm4_decrypt) [USE_GFNI_AVX2]: New.
	(sm4_get_crypt_blk1_8_fn): Rename to...
	(sm4_get_crypt_blk1_16_fn): ...this; Update to use *_blk1_16 functions;
	Add GFNI/AVX2 selection.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Add GFNI/AVX2 path; Widen
	generic bulk processing from 8 blocks to 16 blocks.
	(_gcry_sm4_xts_crypt): Widen generic bulk processing from 8 blocks to
	16 blocks.

	sm4: add XTS bulk processing.
	+ commit aad3381e93846212c2022dba50e621e4b48f3295
	* cipher/sm4.c (_gcry_sm4_xts_crypt): New.
	(sm4_setkey): Set XTS bulk function.

2022-04-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-avx2: add bulk processing for XTS mode.
	+ commit 32b18cdb87b771f5c1ec87ef5e0f115f3f2d362f
	* cipher/bulkhelp.h (bulk_xts_crypt_128): New.
	* cipher/camellia-glue.c (_gcry_camellia_xts_crypt): New.
	(camellia_set_key) [USE_AESNI_AVX2]: Set XTS bulk function if AVX2
	implementation is available.

	camellia-avx2: add partial parallel block processing.
	+ commit bacdc1de3f4fe063054af4e36e7fdfa5b00ccb64
	* cipher/camellia-aesni-avx2-amd64.h: Remove unnecessary vzeroupper
	from function entry.
	(enc_blk1_32, dec_blk1_32): New.
	* cipher/camellia-glue.c (avx_burn_stack_depth)
	(avx2_burn_stack_depth): Move outside of bulk functions to deduplicate.
	(camellia_setkey): Disable AESNI & VAES implementation when GFNI
	implementation is enabled.
	(_gcry_camellia_aesni_avx2_enc_blk1_32)
	(_gcry_camellia_aesni_avx2_dec_blk1_32)
	(_gcry_camellia_vaes_avx2_enc_blk1_32)
	(_gcry_camellia_vaes_avx2_dec_blk1_32)
	(_gcry_camellia_gfni_avx2_enc_blk1_32)
	(_gcry_camellia_gfni_avx2_dec_blk1_32, camellia_encrypt_blk1_32)
	(camellia_decrypt_blk1_32): New.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec, _gcry_camellia_cfb_dec)
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Use new bulk
	processing helpers from 'bulkhelp.h' and 'camellia_encrypt_blk1_32'
	and 'camellia_decrypt_blk1_32' for partial parallel processing.

2022-04-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher/bulkhelp: add functions for CTR/CBC/CFB/OCB bulk processing.
	+ commit 754055ccd0438b96961601438fafb7799eae612f
	* cipher/bulkhelp.h (bulk_crypt_fn_t, bulk_ctr_enc_128)
	(bulk_cbc_dec_128, bulk_cfb_dec_128, bulk_ocb_crypt_128)
	(bulk_ocb_auth_128): New.
	* cipher/sm4.c (_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Switch
	to use helper functions from 'bulkhelp.h'.

	Move bulk OCB L pointer array setup code to common header.
	+ commit 9388279803ff82ea0ccd12a83157b94c807e7a8f
	* cipher/bulkhelp.h: New.
	* cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_crypt): Use new
	`bulk_ocb_prepare_L_pointers_array_blkXX` function for OCB L pointer
	array setup.
	* cipher/serpent.c (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth): Likewise.
	* cipher/sm4.c (_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Likewise.
	* cipher/twofish.c (_gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): Likewise.

	sm4: deduplicate bulk processing function selection.
	+ commit e1c5f950838b2fa086a798f7194b618f581dca96
	* cipher/sm4.c (crypt_blk1_8_fn_t): New.
	(sm4_aesni_avx_crypt_blk1_8, sm4_aarch64_crypt_blk1_8)
	(sm4_armv8_ce_crypt_blk1_8, sm4_crypt_blocks): Change first parameter
	to void pointer type.
	(sm4_get_crypt_blk1_8_fn): New.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Use sm4_get_crypt_blk1_8_fn
	for selecting crypt_blk1_8.

	Add GFNI/AVX2 implementation of Camellia.
	+ commit 4e6896eb9fce74908e15e085da00edfed0fa1923
	* cipher/Makefile.am: Add "camellia-gfni-avx2-amd64.S".
	* cipher/camellia-aesni-avx2-amd64.h [CAMELLIA_GFNI_BUILD]: Add GFNI
	support.
	* cipher/camellia-gfni-avx2-amd64.S: New.
	* cipher/camellia-glue.c (USE_GFNI_AVX2): New.
	(CAMELLIA_context) [USE_AESNI_AVX2]: New member "use_gfni_avx2".
	[USE_GFNI_AVX2] (_gcry_camellia_gfni_avx2_ctr_enc)
	(_gcry_camellia_gfni_avx2_cbc_dec, _gcry_camellia_gfni_avx2_cfb_dec)
	(_gcry_camellia_gfni_avx2_ocb_enc, _gcry_camellia_gfni_avx2_ocb_dec)
	(_gcry_camellia_gfni_avx2_ocb_auth): New.
	(camellia_setkey) [USE_GFNI_AVX2]: Enable GFNI if supported by HW.
	(_gcry_camellia_ctr_enc) [USE_GFNI_AVX2]: Add GFNI support.
	(_gcry_camellia_cbc_dec) [USE_GFNI_AVX2]: Add GFNI support.
	(_gcry_camellia_cfb_dec) [USE_GFNI_AVX2]: Add GFNI support.
	(_gcry_camellia_ocb_crypt) [USE_GFNI_AVX2]: Add GFNI support.
	(_gcry_camellia_ocb_auth) [USE_GFNI_AVX2]: Add GFNI support.
	* configure.ac: Add "camellia-gfni-avx2-amd64.lo".

	Add detection for HW feature "intel-gfni"
	+ commit 3410d40996d8f7377935192ebecf4cad66688b25
	* configure.ac (gfnisupport, gcry_cv_gcc_inline_asm_gfni)
	(ENABLE_GFNI_SUPPORT): New.
	* src/g10lib.h (HWF_INTEL_GFNI): New.
	* src/hwf-x86.c (detect_x86_gnuc): Add GFNI detection.
	* src/hwfeatures.c (hwflist): Add "intel-gfni".
	* doc/gcrypt.texi: Add "intel-gfni" to HW features list.

2022-04-21  Jakub Jelen  <jjelen@redhat.com>

	tests: Expect the RSA PKCS #1.5 encryption to fail in FIPS mode.
	+ commit f736f3c70182d9c948f9105eb769c47c5578df35
	* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to
	  fail in FIPS mode. Expect failure when wrong padding is selected
	* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to
	  fail in FIPS mode

	tests: Replace custom bit with more generic flags.
	+ commit 299e2f93415984919181e0ee651719bbf83bdd2f
	* tests/basic.c (global): New flag FLAG_SPECIAL
	  (check_pubkey_crypt): Change to use bitfield flags

	Do not allow PKCS #1.5 padding for encryption in FIPS.
	+ commit c7709f7b23848abf4ba65cb99cb2a9e9c7ebdefc
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block PKCS #1.5
	  padding for encryption in FIPS mode
	* cipher/rsa.c (rsa_decrypt): Block PKCS #1.5 decryption in FIPS mode

2022-04-21  NIIBE Yutaka  <gniibe@fsij.org>

	random: Not use secure memory for DRBG instance.
	+ commit f436bf4451cb2ad0a1f56aa843bf79a58878022f
	* random/random-drbg.c (drbg_instance): New at BSS.
	(_drbg_init_internal): Don't allocate at secure memory.
	(_gcry_rngdrbg_close_fds): Follow the change.

2022-04-20  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Change the bounds for RSA key generation round.
	+ commit cd30ed3c0d715aa0c58a32a29cfb1476163a5b94
	* cipher/rsa.c (generate_fips): Use 10 for p, 20 for q.

2022-04-19  NIIBE Yutaka  <gniibe@fsij.org>

	Use offsetof instead of null ptr calculation.
	+ commit 9e9f3073369905707b718aa1628d0fe5b1affed9
	* src/secmem.c (_gcry_secmem_realloc_internal): Use offsetof.

2022-04-18  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix rsa key generation.
	+ commit 51754fa2ed06cc41487324432dbea654642ef244
	* cipher/rsa.c (generate_fips): Set the least significant bit.

2022-04-12  Clemens Lang  <cllang@redhat.com>

	build: Fix make dist after socklen.m4 removal.
	+ commit 922f9957f94a24c58812db9bbabfb55a8ce211a8
	* m4/Makefile.am: Remove socklen.m4 from EXTRA_DIST

2022-04-08  NIIBE Yutaka  <gniibe@fsij.org>

	build: Remove configure checking for socklen_t.
	+ commit e5260b6b9f38a91797b2cb5d789e9cbbc97ec485
	* configure.ac (gl_TYPE_SOCKLEN_T): Remove.
	* m4/socklen.m4: Remove.

2022-04-06  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	doc: Fix missing ARM hardware features.
	+ commit a7c3e0b9b0ff636d498a9d82f4ced8b5fac50a8b
	* doc/gcrypt.texi: Add sha3/sm3/sm4/sha512 to ARM hardware features.

	build: Fix for arm crypto support.
	+ commit 972aae9fc337ecf25139737cc7083a1bb56457f8
	* configure.ac: Correct wrong variable names.

2022-04-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: add AVX512 implementation.
	+ commit 9a63cfd61753b2c7ef7a872a01565154f10a72c0
	* cipher/Makefile.am: Add 'chacha20-amd64-avx512.S'.
	* cipher/chacha20-amd64-avx512.S: New.
	* cipher/chacha20.c (USE_AVX512): New.
	(CHACHA20_context_s): Add 'use_avx512'.
	[USE_AVX512] (_gcry_chacha20_amd64_avx512_blocks16): New.
	(chacha20_do_setkey) [USE_AVX512]: Setup 'use_avx512' based on
	HW features.
	(do_chacha20_encrypt_stream_tail) [USE_AVX512]: Use AVX512
	implementation if supported.
	(_gcry_chacha20_poly1305_encrypt) [USE_AVX512]: Disable stitched
	chacha20-poly1305 implementations if AVX512 implementation is used.
	(_gcry_chacha20_poly1305_decrypt) [USE_AVX512]: Disable stitched
	chacha20-poly1305 implementations if AVX512 implementation is used.

	poly1305: add AVX512 implementation.
	+ commit cd3ed4977076343bb6092001cafe55673dc30e34
	* LICENSES: Add 3-clause BSD license for poly1305-amd64-avx512.S.
	* cipher/Makefile.am: Add 'poly1305-amd64-avx512.S'.
	* cipher/poly1305-amd64-avx512.S: New.
	* cipher/poly1305-internal.h (POLY1305_USE_AVX512): New.
	(poly1305_context_s): Add 'use_avx512'.
	* cipher/poly1305.c (ASM_FUNC_ABI, ASM_FUNC_WRAPPER_ATTR): New.
	[POLY1305_USE_AVX512] (_gcry_poly1305_amd64_avx512_blocks)
	(poly1305_amd64_avx512_blocks): New.
	(poly1305_init): Use AVX512 is HW feature available (set use_avx512).
	[USE_MPI_64BIT] (poly1305_blocks): Rename to ...
	[USE_MPI_64BIT] (poly1305_blocks_generic): ... this.
	[USE_MPI_64BIT] (poly1305_blocks): New.

2022-04-05  NIIBE Yutaka  <gniibe@fsij.org>

	doc: Update yat2m from libgpg-error.
	+ commit 5f357784662a7d3a3d3498d6ca5d5781e9e60ac0
	* doc/yat2m.c: Update.

2022-04-04  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Add SM3 ARMv8/AArch64/CE assembly implementation.
	+ commit fe891ff4a3cdc74957b215db4a9a9e01fefe0cd4
	* cipher/Makefile.am: Add 'sm3-armv8-aarch64-ce.S'.
	* cipher/sm3-armv8-aarch64-ce.S: New.
	* cipher/sm3.c (USE_ARM_CE): New.
	[USE_ARM_CE] (_gcry_sm3_transform_armv8_ce)
	(do_sm3_transform_armv8_ce): New.
	(sm3_init) [USE_ARM_CE]: New.
	* configure.ac: Add 'sm3-armv8-aarch64-ce.lo'.

2022-04-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature.
	+ commit 29bfb3ebbc63d7ed18b916c5c6946790fb3d15df
	* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10.

2022-03-31  NIIBE Yutaka  <gniibe@fsij.org>

	random:drbg: Fix the behavior for child process.
	+ commit df7879a86b1de8eaf2d784687155c4274574b120
	* random/random-drbg.c (_gcry_rngdrbg_randomize): Update change of PID
	detection.

	build: When no gpg-error-config, not install libgcrypt-config.
	+ commit 2db5b5e995c21c5bd9cd193c2ed1109ba9b1a440
	* configure.ac (USE_GPGRT_CONFIG): New.
	* src/Makefile.am [USE_GPGRT_CONFIG]: Conditionalize the install
	of libgcrypt-config.

2022-03-30  Werner Koch  <wk@gnupg.org>

	tests: Add brainpoolP256r1 to bench-slope.
	+ commit 67b36154f88ebe271a40c3f3f7b963943c656b71
	* tests/bench-slope.c (ECC_ALGO_BRAINP256R1): New.
	(ecc_algo_fips_allowed): Support this curve.
	(ecc_algo_name): Ditto.
	(ecc_algo_curve): Ditto.
	(ecc_nbits): Ditto.
	(bench_ecc_init): Ditto.

2022-03-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	configure: fix avx512 check for i386.
	+ commit a5d126c61cc00aa2d63c389a956330067c90cbfd
	* configure.ac (gcry_cv_gcc_inline_asm_avx512): Do not use ZMM22
	register; Check for broadcast memory source.

2022-03-29  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Fix configure.ac error of intel-avx512.
	+ commit 4dc707e336a91ca9ca5a59787b9245a1ca3042c6
	* configure.ac: Correctly set value for avx512support.

2022-03-29  NIIBE Yutaka  <gniibe@fsij.org>

	kdf:argon2: Fix for the case output > 64.
	+ commit 564739a58426d89db2f0c9334659949e503d2c59
	* cipher/blake2.c (blake2b_vl_hash): Fix the last step.
	* cipher/kdf.c (argon2_open): Check the value.

2022-03-28  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix for build for Windows.
	+ commit 5d6a1c396396ba7b44f11af10a9c51b1b573e03c
	* cipher/Makefile.am: Use EXEEXT_FOR_BUILD.
	* doc/Makefile.am: Likewise.

	test: Fix cast for Windows 64-bit.
	+ commit e24fe678656156502bd3ef1b7805cddede1dd2de
	* tests/bench-slope.c (slope_benchmark): Use uintptr_t.

2022-03-28  Werner Koch  <wk@gnupg.org>

	hash: Add more OIDs.
	+ commit 26ac5e30018f2bf0a973b3a45410e6a0c8067f0e
	* cipher/sha256.c: Add X9.62 OID.
	* cipher/sha512.c: Ditto.

	build: Improve sign-release traget.
	+ commit ec656616bbbb5db87d3cdf4f4ea695217935d843
	* Makefile.am (sign-release): Allow running in the dist dir.

2022-03-28  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix null pointer arithmetic.
	+ commit 1517a31ea476b76f67289d07e2c2821aa4ef83ef
	* tests/bench-slope.c (slope_benchmark): Don't use null pointer.

2022-03-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building sha512-avx512 with clang.
	+ commit a0db0a121571129b7149e51e98e5fbc6e35413e8
	* cipher/sha512-avx512-amd64.S
	(_gcry_sha512_transform_amd64_avx512): Change "%xmm??" registers to
	"xmm??" for clear_reg parameter.
	* configure.ac (gcry_cv_gcc_inline_asm_avx512): Check support for
	registers in range "zmm16-zmm31".

2022-03-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	SHA512: Add AVX512 implementation.
	+ commit 089223aa3b554e5c9a07d9176470308dab10ac8a
	* LICENSES: Add 'cipher/sha512-avx512-amd64.S'.
	* cipher/Makefile.am: Add 'sha512-avx512-amd64.S'.
	* cipher/sha512-avx512-amd64.S: New.
	* cipher/sha512.c (USE_AVX512): New.
	(do_sha512_transform_amd64_ssse3, do_sha512_transform_amd64_avx)
	(do_sha512_transform_amd64_avx2): Add ASM_EXTRA_STACK to return value
	only if assembly routine returned non-zero value.
	[USE_AVX512] (_gcry_sha512_transform_amd64_avx512)
	(do_sha512_transform_amd64_avx512): New.
	(sha512_init_common) [USE_AVX512]: Use AVX512 implementation if HW
	feature supported.
	---

	Benchmark on Intel Core i3-1115G4 (tigerlake):

	 Before:
	                |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	 SHA512         |      1.51 ns/B     631.6 MiB/s      6.17 c/B      4089

	 After (~29% faster):
	                |  nanosecs/byte   mebibytes/sec   cycles/byte  auto Mhz
	 SHA512         |      1.16 ns/B     819.0 MiB/s      4.76 c/B      4090

2022-03-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-vaes-avx2: perform checksumming inline.
	+ commit d820d27a3bce6365523fbcb6ec607b23dd4ca4e2
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_ocb_checksum): Remove.
	(_gcry_vaes_avx2_ocb_crypt_amd64): Add inline checksumming.

2022-03-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ghash|polyval: add x86_64 VPCLMUL/AVX512 accelerated implementation.
	+ commit e6f360019369fff42411b4cca976cc8ebe09281d
	* cipher/cipher-gcm-intel-pclmul.c (GCM_INTEL_USE_VPCLMUL_AVX512)
	(GCM_INTEL_AGGR32_TABLE_INITIALIZED): New.
	(ghash_setup_aggr16_avx2): Store H16 for aggr32 setup.
	[GCM_USE_INTEL_VPCLMUL_AVX512] (GFMUL_AGGR32_ASM_VPCMUL_AVX512)
	(gfmul_vpclmul_avx512_aggr32, gfmul_vpclmul_avx512_aggr32_le)
	(gfmul_pclmul_avx512, gcm_lsh_avx512, load_h1h4_to_zmm1)
	(ghash_setup_aggr8_avx512, ghash_setup_aggr16_avx512)
	(ghash_setup_aggr32_avx512, swap128b_perm): New.
	(_gcry_ghash_setup_intel_pclmul) [GCM_USE_INTEL_VPCLMUL_AVX512]: Enable
	AVX512 implementation based on HW features.
	(_gcry_ghash_intel_pclmul, _gcry_polyval_intel_pclmul): Add
	VPCLMUL/AVX512 code path; Small tweaks to VPCLMUL/AVX2 code path; Tweaks
	on register clearing.

	Add detection for HW feature "intel-avx512"
	+ commit 8cf06145263eb23b5411fae03e1ea13e146d605e
	* configure.ac (avx512support, gcry_cv_gcc_inline_asm_avx512)
	(ENABLE_AVX512_SUPPORT): New.
	* src/g10lib.h (HWF_INTEL_AVX512): New.
	* src/hwf-x86.c (detect_x86_gnuc): Add AVX512 detection.
	* src/hwfeatures.c (hwflist): Add "intel-avx512".
	* doc/gcrypt.texi: Add "intel-avx512" to HW features list.

2022-03-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ghash|polyval: add x86_64 VPCLMUL/AVX2 accelerated implementation.
	+ commit d857e85cb4d4cb9702a59364ce9a4b9d81328cb5
	* cipher/cipher-gcm-intel-pclmul.c (GCM_INTEL_USE_VPCLMUL_AVX2)
	(GCM_INTEL_AGGR8_TABLE_INITIALIZED)
	(GCM_INTEL_AGGR16_TABLE_INITIALIZED): New.
	(gfmul_pclmul): Fixes to comments.
	[GCM_USE_INTEL_VPCLMUL_AVX2] (GFMUL_AGGR16_ASM_VPCMUL_AVX2)
	(gfmul_vpclmul_avx2_aggr16, gfmul_vpclmul_avx2_aggr16_le)
	(gfmul_pclmul_avx2, gcm_lsh_avx2, load_h1h2_to_ymm1)
	(ghash_setup_aggr8_avx2, ghash_setup_aggr16_avx2): New.
	(_gcry_ghash_setup_intel_pclmul): Add 'hw_features' parameter; Setup
	ghash and polyval function pointers for context; Add VPCLMUL/AVX2 code
	path; Defer aggr8 and aggr16 table initialization to until first use in
	'_gcry_ghash_intel_pclmul' or '_gcry_polyval_intel_pclmul'.
	[__x86_64__] (ghash_setup_aggr8): New.
	(_gcry_ghash_intel_pclmul): Add VPCLMUL/AVX2 code path; Add call for
	aggr8 table initialization.
	(_gcry_polyval_intel_pclmul): Add VPCLMUL/AVX2 code path; Add call for
	aggr8 table initialization.
	* cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL] (_gcry_ghash_intel_pclmul)
	(_gcry_polyval_intel_pclmul): Remove.
	[GCM_USE_INTEL_PCLMUL] (_gcry_ghash_setup_intel_pclmul): Add
	'hw_features' parameter.
	(setupM) [GCM_USE_INTEL_PCLMUL]: Pass HW features to
	'_gcry_ghash_setup_intel_pclmul'; Let '_gcry_ghash_setup_intel_pclmul'
	setup function pointers.
	* cipher/cipher-internal.h (GCM_USE_INTEL_VPCLMUL_AVX2): New.
	(gcry_cipher_handle): Add member 'gcm.hw_impl_flags'.

2022-03-02  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Add SM4 ARMv8/AArch64/CE assembly implementation.
	+ commit 47cafffb09d8a224f07e0750f4ba882bb86cb15a
	* cipher/Makefile.am: Add 'sm4-armv8-aarch64-ce.S'.
	* cipher/sm4-armv8-aarch64-ce.S: New.
	* cipher/sm4.c (USE_ARM_CE): New.
	(SM4_context) [USE_ARM_CE]: Add 'use_arm_ce'.
	[USE_ARM_CE] (_gcry_sm4_armv8_ce_expand_key)
	(_gcry_sm4_armv8_ce_crypt, _gcry_sm4_armv8_ce_ctr_enc)
	(_gcry_sm4_armv8_ce_cbc_dec, _gcry_sm4_armv8_ce_cfb_dec)
	(_gcry_sm4_armv8_ce_crypt_blk1_8, sm4_armv8_ce_crypt_blk1_8): New.
	(sm4_expand_key) [USE_ARM_CE]: Use ARMv8/AArch64/CE key setup.
	(sm4_setkey): Enable ARMv8/AArch64/CE if supported by HW.
	(sm4_encrypt) [USE_ARM_CE]: Use SM4 CE encryption.
	(sm4_decrypt) [USE_ARM_CE]: Use SM4 CE decryption.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_ARM_CE]: Add
	ARMv8/AArch64/CE bulk functions.
	* configure.ac: Add 'sm4-armv8-aarch64-ce.lo'.

	hwf-arm: add ARMv8.2 optional crypto extension HW features.
	+ commit 7d2983979866223d96aad4806af0311671585f64
	* src/g10lib.h (HWF_ARM_SHA3, HWF_ARM_SM3, HWF_ARM_SM4)
	(HWF_ARM_SHA512): New.
	* src/hwf-arm.c (arm_features): Add sha3, sm3, sm4, sha512 HW features.
	* src/hwfeatures.c (hwflist): Add sha3, sm3, sm4, sha512 HW features.

2022-02-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	powerpc: check for missing optimization level for vector register usage.
	+ commit 6951e0f591ccff24b9ce2e43c2dcab955e3302c4
	* cipher/Makefile.am [ENABLE_PPC_VCRYPTO_EXTRA_CFLAGS]
	(ppc_vcrypto_cflags): Add '-O2'.
	* configure.ac (gcry_cv_cc_ppc_altivec): Check for missing compiler
	optimization with vec_sld_u32 inline function.
	* configure.ac (gcry_cv_cc_ppc_altivec_cflags): Check for missing
	compiler optimization with vec_sld_u32 inline function; Add '-O2' to
	CFLAGS.

2022-02-23  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Add SM4 ARMv8/AArch64 assembly implementation.
	+ commit d8825601f10aec20db118496bb68a5cd1372b7da
	* cipher/Makefile.am: Add 'sm4-aarch64.S'.
	* cipher/sm4-aarch64.S: New.
	* cipher/sm4.c (USE_AARCH64_SIMD): New.
	(SM4_context) [USE_AARCH64_SIMD]: Add 'use_aarch64_simd'.
	[USE_AARCH64_SIMD] (_gcry_sm4_aarch64_crypt)
	(_gcry_sm4_aarch64_ctr_enc, _gcry_sm4_aarch64_cbc_dec)
	(_gcry_sm4_aarch64_cfb_dec, _gcry_sm4_aarch64_crypt_blk1_8)
	(sm4_aarch64_crypt_blk1_8): New.
	(sm4_setkey): Enable ARMv8/AArch64 if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AARCH64_SIMD]:
	Add ARMv8/AArch64 bulk functions.
	* configure.ac: Add 'sm4-aarch64.lo'.

	Move VPUSH_API/VPOP_API macros to common header.
	+ commit 83e1649edd5eedd8faf24e5c10cb643218ce3c6f
	* cipher/asm-common-aarch64.h: Add VPUSH_API/VPOP_API/CLEAR_REG macros.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Remove common macros.

2022-02-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Perform AEAD input 24KiB splitting only when input larger than 32KiB.
	+ commit 2508b755608ce182a7e570dc2717a6a70346b927
	* cipher/chacha20.c (_gcry_chacha20_poly1305_encrypt)
	(_gcry_chacha20_poly1305_decrypt): Process in 24KiB chunks if input
	larger than 32KiB.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt): Likewise.
	* cipher/cipher-eax.c (_gcry_cipher_eax_encrypt)
	(_gcry_cipher_eax_decrypt): Likewise.
	* cipher/cipher-gcm.c (gcm_cipher_inner): Likewise.
	* cipher/cipher-ocb.c (ocb_crypt): Likewise.
	* cipher/cipher-poly2305.c (_gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt): Likewise.

2022-02-17  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Clarify what to be hashed for the integrity check.
	+ commit 052c5ef4cea56772b7015e36f231fa0bcbf91410
	* src/fips.c (get_file_offset): Compute the maximum offset
	of segments.
	* src/gen-note-integrity.sh: Likewise.

	fips: Fix gen-note-integrity.sh script not to use cmp utility.
	+ commit 3c8b6c4a9cad59c5e1db5706f6774a3141b60210
	* src/gen-note-integrity.sh: Simplify detecting 32-bit machine
	or 64-bit machine.

	Silence compiler warnings for possible alignment problem.
	+ commit 5420cbbd3ec7ebf081224796e8d1f8299f7ad985
	* cipher/kdf.c (balloon_final): Fix the cast.
	(_gcry_kdf_compute, _gcry_kdf_final, _gcry_kdf_close): Likewise.

2022-02-16  NIIBE Yutaka  <gniibe@fsij.org>

	fips: More portable integrity check.
	+ commit a340e980388243ceae6df57d101036f3f2a955be
	* src/Makefile.am (EXTRA_DIST): Change the name of the script.
	(libgcrypt.la.done): Invoce OBJCOPY with --add-section.
	(libgcrypt.so.hmac): Specify ECHO_N.
	* src/fips.c (get_file_offset): Rename from get_file_offsets.
	Find the note section and return the value in HMAC.
	(hmac256_check): Simplify by HMAC from the note section, not loaded.
	(check_binary_integrity): Use dladdr instead of dladdr1.
	* src/gen-note-integrity.sh: Rename from genhmac.sh.
	Generate ElfN_Nhdr, and then the hmac.

	fips: Integrity check improvement, with only loadable segments.
	+ commit 9dcf9305962b90febdf2d7cc73b49feadbf6a01f
	* configure.ac (READELF): Check the tool.
	* src/Makefile.am (libgcrypt.so.hmac): Use genhmac.sh with hmac256.
	* src/fips.c (get_file_offsets): Rename from get_file_offset.
	Determine the OFFSET2 at the end of loadable segments, too.
	Add fixup of the ELF header to exclude section information.
	(hmac256_check): Finish scanning at the end of loadble segments.
	* src/genhmac.sh: New.

	build: Clean up acinclude.m4.
	+ commit b2f110f99626afce84c23c76db0ebaaadac4ee48
	* acinclude.m4 (GNUPG_CHECK_TYPEDEF): Remove.  We can just use
	AC_CHECK_TYPES.
	(GNUPG_CHECK_GNUMAKE): Remove.  It may build with other Make.
	(GNUPG_SYS_LIBTOOL_CYGWIN32): Remove.  Now, it's done by LT_INIT.
	(TYPE_SOCKLEN_T): Remove.  Now, we use gl_TYPE_SOCKLEN_T.

	build: Remove checking Pth library.
	+ commit d98a78f0eb7711d32f473a04ea417e0f0bde6a00
	* acinclude.m4 (GNUPG_PTH_VERSION_CHECK): Remove.
	* configure.ac (PTH_CFLAGS, PTH_LIBS): Remove.

2022-02-15  Clemens Lang via Gcrypt-devel  <gcrypt-devel@lists.gnupg.org>

	fips: Use ELF header to find hmac file offset.
	+ commit beb5d6df5c5785db7c32a24a5d2a351cb964bfbc
	* src/fips.c [ENABLE_HMAC_BINARY_CHECK] (hmac256_check): Use ELF headers
	  to locate the file offset for the HMAC in addition to information from
	  the loader

2022-02-15  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix m4/gpg-error.m4.
	+ commit bff9f1b024647e18b2c87dcd769c0e449f7752e6
	* m4/gpg-error.m4: Unset GPGRT_CONFIG when it doesn't work well.

2022-02-14  Clemens Lang via Gcrypt-devel  <gcrypt-devel@lists.gnupg.org>

	hmac: Fix memory leak.
	+ commit 6994d874af865cc6ba95a8a6eb5a8fe048e88e07
	* src/hmac.c: Release HMAC256 context

	fips: Fix memory leaks in FIPS mode.
	+ commit 7fc5d33e74164519edcd8127a35cc21228d2727f
	* cipher/pubkey.c (_gcry_pk_sign_md): Fix memory leak in FIPS mode when
	  used with SHA1
	* tests/basic.c (check_one_cipher_core): Add missing free in error code
	  triggered in FIPS mode
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): Likewise
	* tests/pubkey.c (check_x931_derived_key): Likewise

2022-02-10  NIIBE Yutaka  <gniibe@fsij.org>

	Clean up for removal of memory guard support.
	+ commit 738723a1cd20b24fc667a457163a4aa6617dc182
	* mpi/mpiutil.c (_gcry_mpi_m_check): Remove.
	* src/g10lib.h (_gcry_check_heap): Remove.
	* src/global.c (_gcry_check_heap): Remove.
	* src/mpi.h (mpi_m_check): Remove.

	Remove the built-in memory guard support.
	+ commit f98ca6aa34ccdbbaf94f93ae30beafe400303c97
	* configure.ac (--enable-m-guard): Remove.
	* src/global.c (_gcry_vcontrol): Return GPG_ERR_NOT_SUPPORTED for
	GCRYCTL_ENABLE_M_GUARD.
	* src/stdmem.c (use_m_guard, _gcry_private_enable_m_guard): Remove.
	(_gcry_private_malloc): Remove the code path with use_m_guard==1.
	(_gcry_private_malloc_secure): Likewise.
	(_gcry_private_realloc, _gcry_private_free): Likewise.
	(_gcry_private_check_heap): Remove.
	* src/stdmem.h: Remove declarations for memory guard functions.

2022-02-09  NIIBE Yutaka  <gniibe@fsij.org>

	Fix memory allocation when GCRYCTL_ENABLE_M_GUARD.
	+ commit 90f41a1898e421c04080d35d7fea98ee18e74865
	* configure.ac: Add check for ALIGNOF_LONG_DOUBLE.
	* src/stdmem.c: Adjust EXTRA_ALIGN.

	kdf: Prepare aligned memory in balloon_final.
	+ commit 6936f234220d12a87fe17f7fbdbb29ba9787dd95
	* cipher/kdf.c (BALLOON_BLOCK_LEN_MAX): Rename from
	BALLOON_SALT_LEN_MAX.
	(balloon_xor_block): Revert the previous change.
	(balloon_final): Prepare memory for u64.

2022-02-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	kdf: fix unaligned memory access in balloon_xor_block.
	+ commit 59b2504df8f02f82adf0dd83db219bc451b0d9cc
	* cipher/kdf.c (balloon_xor_block): Use 'buf_xor' helper function; Change
	pointer parameters to 'void *' type.
	(balloon_final): Don't cast last_block to 'u64 *' for balloon_xor_block
	call.

2022-02-08  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Extend original Balloon to other digest algos.
	+ commit 26bfa41e2413621c8e73dacba9b7c5ed69a1da35
	* cipher/kdf.c (struct balloon_thread_data): Use pointer to md_spec.
	(prng_aes_ctr_init): Select relevant cipher to match BLKLEN.
	Use other half of digest for IV if not original Balloon.
	(balloon_open): Support other digest algos.
	(balloon_final): Check the error code in compute.

2022-02-07  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Add experimental Balloon KDF.
	+ commit 08ab32228ad20fd730979d700bf46b18e469703c
	* cipher/kdf.c (prng_aes_ctr_init, prng_aes_ctr_get_rand64): New.
	(prng_aes_ctr_fini, ballon_context_size): New.
	(balloon_open): Implement with SHA-256.
	(balloon_xor_block, balloon_compress, balloon_expand): New.
	(balloon_compute_fill, balloon_compute_mix, balloon_compute): New.
	(balloon_compute_all, balloon_final, balloon_close): New.
	(_gcry_kdf_open): Check argument for GCRY_KDF_BALLOON.
	(_gcry_kdf_compute): Dispatch for GCRY_KDF_BALLOON.
	(_gcry_kdf_final, _gcry_kdf_close): Likewise.
	* tests/t-kdf.c (check_balloon): New.
	(main): Add check_balloon.

	kdf: Use u64.
	+ commit e257fe39b8ffafa3b1fc72b00db1ea43d29c9983
	* cipher/kdf.c (rotr64): We use u64 in libgcrypt.

2022-02-04  Heiko Becker  <heirecka@exherbo.org>

	jitterentropy: Include <fcntl.h> and <limits.h>
	+ commit a484bd665f4afaf39eaa0fdf3aa1c7dae75078b4
	* random/jitterentropy-base-user.h: Include <fcntl.h> for O_RDONLY
	* random/jitterentropy-base-user.h: Include <limits.h> for LONG_MAX

2022-02-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-arm: add detection of ARMv8 crypto extension by toolchain config.
	+ commit d480db6e6c806835405c6795024a8fd91448c16b
	* src/hwf-arm.c (detect_arm_hwf_by_toolchain): New.
	(_gcry_hwf_detect_arm): Move __ARM_NEON check to
	'detect_arm_hwf_by_toolchain' and add call to the new function.

2022-02-02  NIIBE Yutaka  <gniibe@fsij.org>

	Remove random-daemon server and util.
	+ commit d918d8aee27987c3bb99f44a7ed3508d81009f51
	* configure.ac (--enable-random-daemon): Remove.
	* src/Makefile.am: Remove ENABLE_RANDOM_DAEMON things.
	* src/gcryptrnd.c, src/getrandom.c: Remove.

2022-01-31  Werner Koch  <wk@gnupg.org>

	rsa: Fix regression in not returning an error for prime generation.
	+ commit 217bf0a0e7be4a216a405a4bfb719e0fd437c2a3
	* cipher/rsa.c (generate_fips):  Set the default EC again.

2022-01-31  Jakub Jelen  <jjelen@redhat.com>

	cipher: Initialize values not to confuse static analyzers.
	+ commit cb9df21fcbb05d9650df7b45671d335eefad405b
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Initialize integer values
	  not to confuse static analyzers.
	  (_gcry_ecc_eddsa_verify): Ditto.

	fips: Remove unused assignment.
	+ commit d2003618e6bf733f0c913f5c8961779f8e4dc05c
	* src/fips.c (hmac256_check): Remove unused assignment.

	cipher: Remove dead code in for the siv mode.
	+ commit 0f38e6a877f19db303672ca899b36333fb84c8fa
	* cipher/cipher-siv.c (_gcry_cipher_siv_setkey): Remove dead code

	random: Avoid dereference of the ec before checking for NULL.
	+ commit 904e168bdb2ac4cbfe32db86a6cd11ab462340ad
	* random/jitterentropy-noise.c (jent_memaccess): Move check before
	  dereferencing the pointer.

2022-01-31  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Fix computation by big-endian machine.
	+ commit 77512c510bf744b341d3173e65e22b9dd0b5df03
	* cipher/kdf.c (beswap64_block): New.
	(argon2_fill_first_blocks): Convert to native endian.
	(pseudo_random_generate): Run in native endian.
	(argon2_compute_segment): Run in native endian.
	(argon2_final): Convert from native endian.

	ciper/blake2: Make sure to clean up the stack.
	+ commit 7dc488ae036addd69878681a4eab6d25e9d99c8e
	* cipher/blake2.c (blake2b_vl_hash): Wipe the memory.

2022-01-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	kdf: handle errors from thread dispatch/wait functions.
	+ commit 54369c66bedd20d6846ed8fab678082ec8eecf5d
	* cipher/kdf.c (argon2_compute): Handle failed job dispatch/wait.
	* tests/t-kdf.c (pthread_jobs_launch_job)
	(wait_all_jobs_completion): Handle errors returned from pthread functions.

	kdf/argon2: use BLAKE2b hash_buffers function instead of _gcry_md_*
	+ commit 409f69167983deacee6d6c85c80a4be0e4b5d7c1
	* cipher/kdf.c (argon2_fill_first_blocks): Convert to use iov
	hash_buffers API instead of _gcry_md_*.

	Rename KDF job functions and function types.
	+ commit c5aead8aebc7dfb699597eb6adf334bd2edbc374
	* src/gcrypt.h.in (gcry_kdf_job_fn_t): New.
	(gcry_kdf_dispatch_job_fn_t): Renamed from 'gcry_kdf_lauch_job_t'; Use
	'gcry_kdf_job_fn_t' for function pointer parameter.
	(gcry_kdf_wait_all_jobs_fn_t): Renamed from
	'gcry_kdf_wait_all_jobs_completion_t'.
	(gcry_kdf_thread_ops_t): Rename functions to 'dispatch_job' and
	'wait_all_jobs'.
	* cipher/kdf.c (argon2_compute): Change to use 'dispatch_job' and
	'wait_all_jobs'.
	* tests/t-kdf.c (job_thread_param, pthread_jobs_launch_job): Use
	'gcry_kdf_job_fn_t' type for 'job'.

	tests/t-kdf: few changes to pthread example and fix win32/win64 builds.
	+ commit 03a0eedefe3e8b979aee6fb9800fe8e794f50089
	* src/gcrypt.h.in (gcry_kdf_thread_ops_t): New based on
	'struct gcry_kdf_thread_ops'.
	(gcry_kdf_compute): Use 'gcry_kdf_thread_ops_t' instead of
	'struct gcry_kdf_thread_ops'.
	* tests/Makefile.am: Define 't_kdf_LDADD' and 't_kdf_CFLAGS' on
	win32/win64 target too.
	* tests/t-kdf.c (pthread_jobs_launch_job): Set 'oldest_thread_idx' on
	first thread creation.
	(wait_all_jobs_completion): Reset 'oldest_thread_idx' to -1.
	(my_kdf_derive): Merge HAVE_PTHREAD ifdefs; Initialize 'oldest_thread_idx'
	to -1.

2022-01-28  NIIBE Yutaka  <gniibe@fsij.org>
	    Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	kdf: Change new KDF API.
	+ commit 254fb14044cfce87b619138dec7bb78a2534d1b3
	* cipher/kdf.c (argon2_ctl): Remove.
	(argon2_iterator): Remove.
	(argon2_compute_segment): Change the API.
	(argon2_compute): New.
	(argon2_open): No optional N_THERADS any more.
	(_gcry_kdf_ctl): Remove.
	(_gcry_kdf_iterator, _gcry_kdf_compute_segment): Remove.
	(_gcry_kdf_compute): New.
	* src/gcrypt-int.h: Update declarations.
	* src/gcrypt.h.in: Likewise.
	* src/libgcrypt.def: Update.
	* src/libgcrypt.vers: Update.
	* src/visibility.c: Update.
	* src/visibility.h: Update.
	* tests/t-kdf.c (check_argon2): Update the test with change of new
	API.

2022-01-28  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Implement Argon2 KDF using blake2b_vl_hash function.
	+ commit 4cbbd87e2af00c7b3f0236a56f12bd51e9295816
	* cipher/kdf.c (hash): Remove, as it's not possible to implement with
	_gcry_md_* programming interface.
	(xor_block): New.
	(argon2_fill_first_blocks): Rename from argon2_genh0_first_blocks.
	(argon2_init): Don't use ->HD any more.
	(fill_block, pseudo_random_generate, index_alpha): New.
	(argon2_compute_segment): Implement ARGOND, ARGON2I and ARGON2ID.
	(argon2_final): Fix using blake2b_vl_hash.
	(argon2_open): Fix for parameters and the restriction for output length.
	* tests/t-kdf.c (check_argon2): Update test vector for version 0x13.
	(main): Enable the test.

	cipher: Implement variable-length hash function for Argon2.
	+ commit 6467287ba121df9e5965d5a3a7a4f349793d49d2
	* cipher/blake2.c (blake2b_vl_hash): New.

2022-01-26  NIIBE Yutaka  <gniibe@fsij.org>

	kdf: Improve new KDF API.
	+ commit f21871e241e96148cef3ad4314ad596178cf8967
	* cipher/kdf.c (struct argon2_thread_data): Change layout.
	(argon2_iterator): Use struct gcry_kdf_pt_head.
	(argon2_compute_segment): Rename from argon2_compute_row.
	(argon2_open): Handle N_THREAD maximum.
	(_gcry_kdf_iterator): Use struct gcry_kdf_pt_head.
	(_gcry_kdf_compute_segment): Rename from _gcry_kdf_compute_row.
	* src/gcrypt-int.h: Update declarations.
	* src/gcrypt.h.in (struct gcry_kdf_pt_head): Expose the data type.
	* src/libgcrypt.def, src/libgcrypt.vers: Update.
	* src/visibility.c, src/visibility.h: Update.
	* tests/t-kdf.c (start_thread, my_kdf_derive): Follow the change.

2022-01-25  NIIBE Yutaka  <gniibe@fsij.org>

	random: Include sys/random.h when available.
	+ commit 5e2d792eb8d9e5aaf1b71205f9298286b8145462
	* configure.ac (AC_CHECK_HEADERS): Check sys/random.h.
	* random/rndgetentropy.c [HAVE_SYS_RANDOM_H]: Include it.

	cipher: Add new API for modern KDF function.
	+ commit bafdb90d97b65db541ea917088ca956e6a364f6b
	* cipher/kdf.c (hash, argon2_genh0_first_blocks): New for Argon2.
	(argon2_init, argon2_ctl, argon2_iterator): Likewise.
	(argon2_compute_row, argon2_final, argon2_close): Likewise.
	(argon2_open): Likewise.
	(balloon_open): New for Balloon.
	(_gcry_kdf_open, _gcry_kdf_ctl, _gcry_kdf_iterator): Add new API.
	(_gcry_kdf_compute_row, _gcry_kdf_final, _gcry_kdf_close): Likewise.
	* src/gcrypt-int.h: Add declarations for new API.
	* src/gcrypt.h.in: Likewise.
	(enum gcry_kdf_algos): Add GCRY_KDF_ARGON2 and GCRY_KDF_BALLOON.
	(enum gcry_kdf_subalgo_argon2): Add GCRY_KDF_ARGON2D,
	GCRY_KDF_ARGON2I, and GCRY_KDF_ARGON2ID.
	* src/libgcrypt.def, src/libgcrypt.vers: Update.
	* src/visibility.h: Likewise.
	* src/visibility.c: Add new API.
	* tests/Makefile.am (t_kdf_LDADD, t_kdf_CFLAGS): Enable use of pthread.
	* tests/t-kdf.c (check_argon2): New, not enabled yet.

	Prefer uint64_t for the definition of u64.
	+ commit 3d353782d84b9720262d7b05adfae3aef7ff843b
	* src/types.h (u64): Prefer use of uint64_t with C99 compliant
	compiler.

	tests: Fix variable initialization for tests.
	+ commit 99642f18ccbe45fb4cae55945af49f7884bcaceb
	* tests/t-rsa-15.c (one_test_sexp): Initialize OUT_LEN.
	* tests/t-rsa-pss.c (one_test_sexp): Initialize CTX and OUT_LEN.
	Fix the if condition.

2022-01-25  Jakub Jelen  <jjelen@redhat.com>

	mpi: Add missing header file to the tarball.
	+ commit 08f3e0909f8c4fefc2c020dca206037693282186
	* mpi/Makefile.am: Add missing header file.

	doc: Update more information about FIPS selftests and algorithms.
	+ commit 1f299cb16afdfd0ccc3cd9e9ae65a789be6514f7
	* doc/gcrypt.texi: List implemented GOST curves.
	  Update location of the HMAC selftests and add SHA3 ones.
	  Add information about ECC selftests.
	  Add information about KDF selftests.
	  Update information about additional MAC selftests.
	  Update ifnromation about FIPS allowed algorithms.

2022-01-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/t-kdf: fix format string argument type mismatch.
	+ commit e9e723d5e320ff2c67bf9a9841777749a44e54d0
	* tests/t-kdf.c (check_pbkdf2, check_scrypt): Change fprintf format
	for plen from "%ld" to "%u" and cast plen to 'unsigned int'.

	Fix building GCM when GCM_USE_ARM_NEON defined but GCM_USE_ARM_PMULL not
	+ commit a35ac62ee7b5a6e799eb4a89a934da0313fb1158
	* cipher/cipher-gcm.c (setupM): Remove ifdef around 'features'.

2022-01-20  NIIBE Yutaka  <gniibe@fsij.org>

	scrypt: Fix the last step of SCRYPT.
	+ commit 867435cf8847fb80e922eb818fbcfac131863b8c
	* cipher/scrypt.c (_gcry_kdf_scrypt): Single call to PBKDF2.

	fips: Recover test cases for selftest, add skipping in FIPS mode.
	+ commit 535a4d345872aa2cd2ab3a5f9c4411d0a0313328
	* cipher/kdf.c (check_one): Skip a test with shorter passphrase in
	FIPS mode.
	(selftest_pbkdf2): Recover selftest cases.
	* cipher/mac-hmac.c (check_one): Skip a test with shorter key in FIPS
	mode.
	(selftests_sha224, selftests_sha256): Recover selftest cases.
	(selftests_sha384, selftests_sha512, selftests_sha3): Likewise.

2022-01-19  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Reject shorter key for HMAC in FIPS mode.
	+ commit 76aad97dd312e83f2f9b8d086553f2b72ab6546f
	* cipher/md.c (prepare_macpads): Reject < 112-bit key.
	* cipher/kdf.c (selftest_pbkdf2): Remove selftest cases with shorter
	key.
	* cipher/mac-hmac.c (selftests_sha224, selftests_sha256): Likewise.
	(selftests_sha384, selftests_sha512, selftests_sha3): Likewise.
	* tests/basic.c (check_one_hmac) Handle an error when shorter key
	is rejected.
	(check_one_mac): Likewise.
	* tests/t-kdf.c (check_pbkdf2, check_scrypt): Likewise.

2022-01-18  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix .m4 files in distribution.
	+ commit 6f225308d3e59f8749403ad743d8e6c591142f8f
	* m4/Makefile.am (EXTRA_DIST): Remove sys_socket_h.m4.

2022-01-17  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Remove GCRYCTL_FIPS_SERVICE_INDICATOR and renumber the enum.
	+ commit d0db6a5abf7b8cc5637de5a080a7ed986e3ff63f
	* src/gcrypt.h.in (enum gcry_ctl_cmds): Remove
	GCRYCTL_FIPS_SERVICE_INDICATOR.
	* src/fips.c (_gcry_fips_indicator_cipher): Use gcry_kdf_algos.
	* tests/basic.c: Use GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER.

2022-01-17  Jakub Jelen  <jjelen@redhat.com>

	Update documentation related to FIPS.
	+ commit e023e10ee89baf5d5909de4d8c13ba6dfbc8ed99
	* cipher/rsa.c (selftest_encr_2048): Fix error message
	* doc/gcrypt.texi: Add missing hwfeatures
	  Add description of the service indicator API
	  Fix typo in tampered word
	  Add some missing curves
	  Remove algoriths no longer used in FIPS mode and update claims given

	fips: Add support for KDF FIPS indicators.
	+ commit 8611c9f276ad0f51fcdd4da0481108880104338f
	* src/fips.c (_gcry_fips_indicator): rename to
	  _gcry_fips_indicator_cipher().
	  (_gcry_fips_indicator_kdf): New function.
	* src/g10lib.h: Rename _gcry_fips_indicator to
	  _gcry_fips_indicator_cipher() and add _gcry_fips_indicator_kdf()
	* src/gcrypt.h.in (enum gcry_ctl_cmds): Add
	  GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER and
	  GCRYCTL_FIPS_SERVICE_INDICATOR_KDF.
	* src/global.c (_gcry_vcontrol): Implement support for KDF FIPS
	  Indicator separate from the cipher one.

2022-01-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-aesni: small optimization for cbc-enc and cfb-enc.
	+ commit dfd53c7eddf0beaf9e85daaed92c0bd756112470
	* cipher/rijndael-aesni.c (_gcry_aes_aesni_cfb_enc)
	(_gcry_aes_aesni_cbc_enc): Copy contents of 'do_aesni_enc' here and
	merge input/output and first/last round key xoring to shorten critical
	path.

	mpi/amd64: remove extra 'ret' from assembly functions.
	+ commit 0c0f27a89205842b5ef8e56a9726074f6b738f73
	* mpi/amd64/mpih-add1.S: Remove 'ret' as it is already included by
	FUNC_EXIT macro.
	* mpi/amd64/mpih-lshift.S: Likewise.
	* mpi/amd64/mpih-mul1.S: Likewise.
	* mpi/amd64/mpih-mul2.S: Likewise.
	* mpi/amd64/mpih-mul3.S: Likewise.
	* mpi/amd64/mpih-rshift.S: Likewise.
	* mpi/amd64/mpih-sub1.S: Likewise.

	mpi/config.links: merge i586 targets with rest i*86 targets.
	+ commit 9bbb6c2c5d03c19b7f4356628a76eb8bde3ab026
	* mpi/config.links: Merge i586 targets with rest i[3467]86 targets.

	mpi: remove unused i586 and pentium4 assembly.
	+ commit 2800de892585c405099039d6f9dc346c3a71c16e
	* mpi/config.links: Remove 'i586' from paths.
	* mpi/i586*: Remove.
	* mpi/pentium4/*: Remove.

	Add straight-line speculation hardening for aarch64 assembly.
	+ commit 34bcc102158a651781f4e7639e2654068a39db6d
	* cipher/asm-common-aarch64.h (ret_spec_stop): New.
	* cipher/asm-poly1305-aarch64.h: Use 'ret_spec_stop' for 'ret'
	instruction.
	* cipher/camellia-aarch64.S: Likewise.
	* cipher/chacha20-aarch64.S: Likewise.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Likewise.
	* cipher/crc-armv8-aarch64-ce.S: Likewise.
	* cipher/rijndael-aarch64.S: Likewise.
	* cipher/rijndael-armv8-aarch64-ce.S: Likewise.
	* cipher/sha1-armv8-aarch64-ce.S: Likewise.
	* cipher/sha256-armv8-aarch64-ce.S: Likewise.
	* cipher/sm3-aarch64.S: Likewise.
	* cipher/twofish-aarch64.S: Likewise.
	* mpi/aarch64/mpih-add1.S: Likewise.
	* mpi/aarch64/mpih-mul1.S: Likewise.
	* mpi/aarch64/mpih-mul2.S: Likewise.
	* mpi/aarch64/mpih-mul3.S: Likewise.
	* mpi/aarch64/mpih-sub1.S: Likewise.

	Add straight-line speculation hardening for amd64 and i386 assembly.
	+ commit 11ade08efbfbc36dbf3571f1026946269950bc40
	* cipher/asm-common-amd64.h (ret_spec_stop): New.
	* cipher/arcfour-amd64.S: Use 'ret_spec_stop' for 'ret' instruction.
	* cipher/blake2b-amd64-avx2.S: Likewise.
	* cipher/blake2s-amd64-avx.S: Likewise.
	* cipher/blowfish-amd64.S: Likewise.
	* cipher/camellia-aesni-avx-amd64.S: Likewise.
	* cipher/camellia-aesni-avx2-amd64.h: Likewise.
	* cipher/cast5-amd64.S: Likewise.
	* cipher/chacha20-amd64-avx2.S: Likewise.
	* cipher/chacha20-amd64-ssse3.S: Likewise.
	* cipher/des-amd64.S: Likewise.
	* cipher/rijndael-aarch64.S: Likewise.
	* cipher/rijndael-amd64.S: Likewise.
	* cipher/rijndael-ssse3-amd64-asm.S: Likewise.
	* cipher/rijndael-vaes-avx2-amd64.S: Likewise.
	* cipher/salsa20-amd64.S: Likewise.
	* cipher/serpent-avx2-amd64.S: Likewise.
	* cipher/serpent-sse2-amd64.S: Likewise.
	* cipher/sha1-avx-amd64.S: Likewise.
	* cipher/sha1-avx-bmi2-amd64.S: Likewise.
	* cipher/sha1-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha1-ssse3-amd64.S: Likewise.
	* cipher/sha256-avx-amd64.S: Likewise.
	* cipher/sha256-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha256-ssse3-amd64.S: Likewise.
	* cipher/sha512-avx-amd64.S: Likewise.
	* cipher/sha512-avx2-bmi2-amd64.S: Likewise.
	* cipher/sha512-ssse3-amd64.S: Likewise.
	* cipher/sm3-avx-bmi2-amd64.S: Likewise.
	* cipher/sm4-aesni-avx-amd64.S: Likewise.
	* cipher/sm4-aesni-avx2-amd64.S: Likewise.
	* cipher/twofish-amd64.S: Likewise.
	* cipher/twofish-avx2-amd64.S: Likewise.
	* cipher/whirlpool-sse2-amd64.S: Likewise.
	* mpi/amd64/func_abi.h (CFI_*): Remove, include from "asm-common-amd64.h"
	instead.
	(FUNC_EXIT): Use 'ret_spec_stop' for 'ret' instruction.
	* mpi/asm-common-amd64.h: New.
	* mpi/i386/mpih-add1.S: Use 'ret_spec_stop' for 'ret' instruction.
	* mpi/i386/mpih-lshift.S: Likewise.
	* mpi/i386/mpih-mul1.S: Likewise.
	* mpi/i386/mpih-mul2.S: Likewise.
	* mpi/i386/mpih-mul3.S: Likewise.
	* mpi/i386/mpih-rshift.S: Likewise.
	* mpi/i386/mpih-sub1.S: Likewise.
	* mpi/i386/syntax.h (ret_spec_stop): New.

	Optimizations for AES aarch64-ce assembly implementation.
	+ commit ff2a647d36677f6ad9edbe992a6c0ab0f7cf9510
	* cipher/rijndael-armv8-aarch64-ce.S (vk14): Remove.
	(vklast, __, _): New.
	(aes_preload_keys): Setup vklast.
	(do_aes_one128/192/256): Split to ...
	(do_aes_one_part1, do_aes_part2_128/192/256): ... these and add
	interleave ops.
	(do_aes_one128/192/256): New using above part1 and part2 macros.
	(aes_round_4): Rename to ...
	(aes_round_4_multikey): ... this and allow different key used for
	parallel blocks.
	(aes_round_4): New using above multikey macro.
	(aes_lastround_4): Reorder AES round and xor instructions, allow
	different last key for parallel blocks.
	(do_aes_4_128/192/256): Split to ...
	(do_aes_4_part1_multikey, do_aes_4_part1)
	(do_aes_4_part2_128/192/256): ... these.
	(do_aes_4_128/192/256): New using above part1 and part2 macros.
	(CLEAR_REG): Use movi for clearing registers.
	(aes_clear_keys): Remove branching and clear all key registers.
	(_gcry_aes_enc_armv8_ce, _gcry_aes_dec_armv8_ce): Adjust to macro
	changes.
	(_gcry_aes_cbc_enc_armv8_ce, _gcry_aes_cbc_dec_armv8_ce)
	(_gcry_aes_cfb_enc_armv8_ce, _gcry_aes_cfb_enc_armv8_ce)
	(_gcry_aes_ctr32le_enc_armv8_ce): Apply entry/loop-body/exit
	optimization for better interleaving of input/output processing;
	First/last round key and input/output xoring optimization to reduce
	critical path length.
	(_gcry_aes_ctr_enc_armv8_ce): Add fast path for counter incrementing
	without byte-swaps when counter does not overflow 8-bit; Apply
	entry/loop-body/exit optimization for better interleaving of
	input/output processing; First/last round key and input/output
	xoring optimization to reduce critical path length.
	(_gcry_aes_ocb_enc_armv8_ce, _gcry_aes_ocb_dec_armv8_ce): Add aligned
	processing for nblk and OCB offsets; Apply entry/loop-body/exit
	optimization for better interleaving of input/output processing;
	First/last round key and input/output xoring optimization to reduce
	critical path length; Change to use same function body macro for
	both encryption and decryption.
	(_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Apply
	entry/loop-body/exit optimization for better interleaving of
	input/output processing; First/last round key and input/output
	xoring optimization to reduce critical path length; Change to use
	same function body macro for both encryption and decryption.

	Add armv8/pmull accelerated POLYVAL for GCM-SIV.
	+ commit 4e6f1ef5a00e15128e5f2398e2c282d31152d276
	* cipher/cipher-gcm-armv8-aarch32-ce.S
	(_gcry_polyval_armv8_ce_pmull): New.
	* cipher/cipher-gcm-armv8-aarch64-ce.S
	(_gcry_polyval_armv8_ce_pmull): New.
	* cipher/cipher-gcm.c (_gcry_polyval_armv8_ce_pmull)
	(polyval_armv8_ce_pmull): New.
	(setupM) [GCM_USE_ARM_PMULL]: Setup 'polyval_armv8_ce_pmull' as POLYVAL
	function.

	Use 'vmov' and 'movi' for vector register clearing in ARM assembly.
	+ commit 859b6ac7fbdb6ec18d1536e14b9ee83c1add224e
	* cipher/chacha20-aarch64.S (clear): Use 'movi'.
	* cipher/chacha20-armv7-neon.S (clear): Use 'vmov'.
	* cipher/cipher-gcm-armv7-neon.S (clear): Use 'vmov'.
	* cipher/cipher-gcm-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
	* cipher/cipher-gcm-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
	* cipher/rijndael-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
	* cipher/sha1-armv7-neon.S (clear): Use 'vmov'.
	* cipher/sha1-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
	* cipher/sha1-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
	* cipher/sha256-armv8-aarch32-ce.S (CLEAR_REG): Use 'vmov'.
	* cipher/sha256-armv8-aarch64-ce.S (CLEAR_REG): Use 'movi'.
	* cipher/sha512-armv7-neon.S (CLEAR_REG): New using 'vmov'.
	(_gcry_sha512_transform_armv7_neon): Use CLEAR_REG for clearing
	registers.

	Add SM3 ARM/AArch64 assembly implementation.
	+ commit f664333a4749eab03c6b19bae2f28863b8501a24
	* cipher/Makefile.am: Add 'sm3-aarch64.S'.
	* cipher/sm3-aarch64.S: New.
	* cipher/sm3.c (USE_AARCH64_SIMD): New.
	[USE_AARCH64_SIMD] (_gcry_sm3_transform_aarch64)
	(do_sm3_transform_aarch64): New.
	(sm3_init) [USE_AARCH64_SIMD]: New.
	* configure.ac: Add 'sm3-aarch64.lo'.
	* tests/basic.c (main): Add command-line option '--hash' for running
	only hash algorithm tests.

2022-01-11  NIIBE Yutaka  <gniibe@fsij.org>

	random: Rename rndlinux module to rndoldlinux.
	+ commit 560943805a525a6f479b666578b0ff7d51e6f833
	* configure.ac (USE_RNDOLDLINUX): Rename from USE_RNDLINUX.
	(GCRYPT_RANDOM): Use rndoldlinux.lo.
	* doc/gcrypt.texi: Update.
	* random/Makefile.am (EXTRA_librandom_la_SOURCES): Update.
	* random/rndoldlinux.c: Rename from rndlinux.c.  Rename the function.
	* random/rand-internal.h: Update the function name.
	* random/random-csprng.c: Update the calls to the function.
	* random/random-drbg.c: Likewise.
	* random/random-system.c: Likewise.
	* src/global.c: Use USE_RNDOLDLINUX.

2022-01-11  Jakub Jelen  <jjelen@redhat.com>

	configure: Fix help text for the fips module version.
	+ commit 83e58191d3d960b3efda960dd6fe50e8f0b02bda
	* configure.ac: Fix unmatched parenthesis and add more verbose
	  description of the --with-fips-module-version configure option.

2022-01-11  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Provide a mechanizm to put libgcrypt in non-FIPS mode.
	+ commit 2a8b3fed1a80e74dfb12c03e426373a300407eda
	* doc/gcrypt.texi (Disabling FIPS mode): Add.
	* src/gcrypt.h.in (GCRYCTL_NO_FIPS_MODE): New.
	* src/global.c (_gcry_vcontrol): Support GCRYCTL_NO_FIPS_MODE.
	* tests/t-ed25519.c: Add --no-fips option to test non-FIPS mode.

	cipher: Keep original behavior of Key Unwrap when not extended.
	+ commit 383866f014f2ae8487d15e3fd99fe688b489d364
	* cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt_auto): Only
	allow unwrapping by KWP when GCRY_CIPHER_EXTENDED is specified.

2022-01-05  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add an API to retrieve unwrapped key length for KWP.
	+ commit 746b8e29969be56e086191dbe93978f7e0355aa0
	* cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt)
	(_gcry_cipher_keywrap_decrypt_padding): Merged into...
	(_gcry_cipher_keywrap_decrypt_auto): ... this.
	Write length information to struct gcry_cipher_handle.
	* cipher/cipher-internal.h (struct gcry_cipher_handle): Add
	u_mode.wrap.
	* cipher/cipher.c (_gcry_cipher_setup_mode_ops): Use
	_gcry_cipher_keywrap_decrypt_auto.
	(_gcry_cipher_info): Support GCRYCTL_GET_KEYLEN for
	GCRY_CIPHER_MODE_AESWRAP.  Not that it's not length of KEK,
	but length of unwrapped key.
	* tests/aeswrap.c (check_one_with_padding): Add check
	for length of unwrapped key.

2022-01-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Use const for *_spec_t, if possible.
	+ commit f9ba07942b10c72af50bd73c92c4851b6981546e
	* cipher/blake2.c: Use const.
	* cipher/camellia-glue.c, cipher/cipher.c, cipher/crc.c: Likewise.
	* cipher/des.c, cipher/gost28147.c, cipher/gostr3411-94.c: Likewise.
	* cipher/keccak.c, cipher/mac-cmac.c, cipher/mac-gmac.c: Likewise.
	* cipher/mac-hmac.c, cipher/mac-internal.h: Likewise.
	* cipher/mac-poly1305.c, cipher/mac.c, cipher/md.c: Likewise.
	* cipher/md.c, cipher/md2.c, cipher/md4.c, cipher/md5.c: Likewise.
	* cipher/pubkey.c, cipher/rfc2268.c, cipher/rijndael.c: Likewise.
	* cipher/rmd160.c, cipher/seed.c, cipher/serpent.c: Likewise.
	* cipher/sha1.c, cipher/sha256.c, cipher/sha512.c: Likewise.
	* cipher/sm3.c, cipher/sm4.c, cipher/stribog.c: Likewise.
	* cipher/pubkey.c, cipher/rfc2268.c, cipher/rijndael.c: Likewise.
	* src/cipher-proto.h, src/cipher.h: Likewise.

	fips: Use flags.fips to check algo availability.
	+ commit 034e4402dade7a4bcc239913b78c702c5c6f0dbb
	* cipher/cipher.c (check_cipher_algo): Check ->flags.fips.
	(_gcry_cipher_open_internal, _gcry_cipher_selftest): Likewise.
	(_gcry_cipher_init): Don't modify ->flags.disabled.
	* cipher/mac.c (_gcry_mac_init): Don't modify ->flags.disabled.
	(check_mac_algo): Check ->flags.fips.
	(mac_open, _gcry_mac_selftest): Likewise.
	* cipher/md.c (check_digest_algo): Check ->flags.fips.
	(md_enable, _gcry_md_hash_buffer): Likewise.
	(_gcry_md_hash_buffers_extract, _gcry_md_selftest): Likewise.
	(_gcry_md_init): Don't modify ->flags.disabled.

	doc: Update doc/gcrypt.texi for random/.
	+ commit 11ef7b50a708b92d94e1e1f47433fc53b3fd2cf3
	* doc/gcrypt.texi: Address rndgetentropy module.  Remove X9.31 RPNG
	documentation, as the implementation has been removed already.

2022-01-03  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add support of Key wrap with padding (KWP).
	+ commit 2914f169f95467b9c789000105773b38ad2dea5a
	* src/gcrypt.h.in (GCRY_CIPHER_EXTENDED): New enum value.
	* cipher/cipher-aeswrap.c (wrap): New.
	(_gcry_cipher_keywrap_encrypt, unwrap): Use wrap.
	(_gcry_cipher_keywrap_encrypt_padding): New.
	(_gcry_cipher_keywrap_decrypt): Use unwrap.
	(_gcry_cipher_keywrap_decrypt_padding): New.
	* cipher/cipher-internal.h: Add declarations.
	* cipher/cipher.c (_gcry_cipher_open_internal): Support
	GCRY_CIPHER_EXTENDED.
	(_gcry_cipher_setup_mode_ops): Extend for GCRY_CIPHER_MODE_AESWRAP.
	* tests/aeswrap.c: Add two tests from RFC5649.

2021-12-22  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update for newer autoconf.
	+ commit 3204c3827e9840915af2b6cbf603f3cf51664568
	* configure.ac (AC_PREREQ): Require >= 2.69.
	(AC_CONFIG_HEADERS): Use it, instead of AC_CONFIG_HEADER.
	(AC_HEADER_STDC): Remove.
	* m4/sys_socket_h.m4: Remove.

2021-12-21  Danny Tsen  <dtsen@us.ibm.com>

	AES-GCM: Bulk implementation of AES-GCM acceleration for ppc64le.
	+ commit 7205c715b3e0f6fd0b853e8916d174048f43c03b
	* configure.ac: Added p10 assembly implementation file and assiciated file.
	* cipher/Makefile.am: Added p10 assembly implementation file and associated
	file.
	* cipher/rijndael.c: Added p10 function.
	* cipher/rijndael-p10le.c: New wrapper file for AES-GCM call.
	* cipher/rijndael-gcm-p10le.s: New implementation of AES-GCM bulk function in
	Power Assembly.
	* src/g10lib.h: Added Power arch 3.1 definition for p10.
	* src/hwf-ppc.c: Added Power arch 3.1 definition for p10.
	* src/hwfeatures.c: Added Power arch 3.1 definition for p10.

2021-12-21  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	cipher: Fix SM3 avx/bmi2 compilation error.
	+ commit 3b9f746c2fb16234dffe0582059dfe36b2c21bf8
	* cipher/sm3-avx-bmi2-amd64.S: Change K0-K63 macros to signed decimal.

2021-12-17  NIIBE Yutaka  <gniibe@fsij.org>

	random: Keep --enable-random-daemon, but not its use from runtime.
	+ commit 27d945084f6926d0ebe8066fb60db785f3a8fb57
	* configure.ac (--enable-random-daemon): Don't define
	USE_RANDOM_DAEMON, but use the conditional ENABLE_RANDOM_DAEMON.
	* src/Makefile.am: Use the conditional ENABLE_RANDOM_DAEMON.

	random: Remove random-daemon use remained.
	+ commit 14f5d73e2731b83b18e9771eb3068c6dbba6f069
	* configure.ac (--enable-random-daemon): Fix the message.
	* random/random-csprng.c [USE_RANDOM_DAEMON] (initialize_basics):
	Remove the dependency to random daemon.
	* random/random.h [USE_RANDOM_DAEMON]: Likewise.

	fips: Add constructor to run selftests.
	+ commit 45974d87753978b953940045280e9f28f951dbe0
	* src/fips.c (_gcry_fips_to_activate): New.
	* src/g10lib.h (_gcry_fips_to_activate): New.
	* src/global.c [ENABLE_HMAC_BINARY_CHECK] (_gcry_global_constructor):
	New.

2021-12-16  NIIBE Yutaka  <gniibe@fsij.org>

	Simplify the logic for no_secure_memory.
	+ commit 209d98dcf66bd7baeca37cd6b13b31c7f00f4625
	* src/global.c (_gcry_vcontrol): Don't set NO_SECURE_MEMORY when
	FIPS mode is enabled.
	(get_no_secure_memory): Remove.  Don't touch NO_SECURE_MEMORY,
	when examining the variable.
	(do_malloc, _gcry_is_secure): Just use NO_SECURE_MEMORY.

2021-12-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SM3 x86-64 AVX/BMI2 assembly implementation.
	+ commit 0c1d55a84c8970b8568ae645f24ce534bebdb5a4
	* cipher/Makefile.am: Add 'sm3-avx-bmi2-amd64.S'.
	* cipher/sm3-avx-bmi2-amd64.S: New.
	* cipher/sm3.c (USE_AVX_BMI2, ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(SM3_CONTEXT): Define 'h' as array instead of separate fields 'h1',
	'h2', etc.
	[USE_AVX_BMI2] (_gcry_sm3_transform_amd64_avx_bmi2)
	(do_sm3_transform_amd64_avx_bmi2): New.
	(sm3_init): Select AVX/BMI2 transform function if support by HW; Update
	to use 'hd->h' as array.
	(transform_blk, sm3_final): Update to use 'hd->h' as array.
	* configure.ac: Add 'sm3-avx-bmi2-amd64.lo'.

2021-12-10  Jakub Jelen  <jjelen@redhat.com>

	tests: Include the new input files for tests.
	+ commit 02583e1216bc7e6f9f4219771bb274d1fe4491c8
	* tests/Makefile.am: Include the new .inp files needed for tests

2021-12-09  NIIBE Yutaka  <gniibe@fsij.org>

	tests,fips: Align the use of variable in_fips_mode.
	+ commit 7d8403b59a105d2d3e5d0fd9d5d25b7e3b2d2787
	* tests/pubkey.c (check_run): Fix use of pkey and skey.
	* tests/*.c (in_fips_mode): No initialize by 0.

2021-12-09  Jakub Jelen  <jjelen@redhat.com>

	Adjust tests for proper disablement of non-approve PK operations.
	+ commit 5b82f4b4dbf393d0ce901fc9e0c559c488b013cb
	* cipher/pubkey.c (_gcry_pk_genkey): Do not allow key generation of
	  disabled key types
	* tests/benchmark.c (elg_bench): Skip Elgamal keys benchmark in FIPS
	  mode
	  (dsa_bench): Skip DSA keys benchmarking in FIPS mode
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): DSA keys are no longer
	  allowed in FIPS mode
	* tests/fips186-dsa.c (global): Use global in_fips_mode flag
	  (check_dsa_gen_186_2): Expect DSA keygen fail in FIPS mode
	  (check_dsa_gen_186_3): Ditto.
	  (main): Use global fips mode flag.
	* tests/keygen.c (check_elg_keys): Verify Elgamal keys can not be
	  generated in FIPS mode
	  (check_dsa_keys): Verify DSA keys can not be generated in FIPS mode.
	* tests/pubkey.c (get_elg_key_new): Expect key generation to fail in
	  FIPS mode
	  (get_dsa_key_new): Expect DSA key generation to fail in FIPS mode
	  (get_dsa_key_fips186_new): Ditto.
	  (get_dsa_key_with_domain_new): Ditto.
	  (get_dsa_key_fips186_with_seed_new): Ditto.
	  (check_run): Do not try the Elgamal and DSA key operations in FIPS
	  mode.
	* tests/t-dsa.c (one_test_sexp): Skip the DSA tests in FIPS mode.

2021-12-08  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add tests for gcry_pk_hash_sign/verify API.
	+ commit a0a2b6796f58f9aac0fe49100b1ee4c68f9bdc72
	* tests/Makefile.am (tests_bin): Add t-dsa t-ecdsa t-rsa-pss t-rsa-15.
	* tests/t-dsa.c, tests/t-ecdsa.c: New tests.
	* tests/t-rsa-15.c, tests/t-rsa-pss.c: New tests.
	* tests/t-dsa.inp, tests/t-ecdsa.inp: New data for tests.
	* tests/t-rsa-15.inp, tests/t-rsa-pss.inp: New data for tests.

2021-12-08  Jakub Jelen  <jjelen@redhat.com>

	fips: Disable DSA in FIPS mode.
	+ commit ea362090fc11caa28643153fc6444442243c8765
	* cipher/dsa.c (run_selftests): Disable DSA spec in FIPS mode.
	* src/fips.c (run_pubkey_selftests): Skip DSA power-on selftests.

2021-12-08  NIIBE Yutaka  <gniibe@fsij.org>

	random: Remove random-fips.c from repo.
	+ commit 5521cac32d75f2b94894cd5a94deb2c5d25f43a5
	* random/random-fips.c: Remove.

2021-12-07  Alexander Kanavin  <alex.kanavin@gmail.com>

	build: cipher/Makefile.am, doc/Makefile.am: add a missing space.
	+ commit 05472c1882df2fb84b867c0bdbbff510065785ba
	* cipher/Makefile.am: Add a space.
	* doc/Makefile.am: Ditto.

2021-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	md: Fix disabled check.
	+ commit 8ca3fe07d03e9329ee97534f40208593cde11bf7
	* cipher/md.c (md_enable): Fix accessing the disabled flag.

2021-12-07  Jakub Jelen  <jjelen@redhat.com>

	Properly enforce disablement in other pubkey API.
	+ commit e96980022e5ec079c9d4e3492eb6a1131c68e0f2
	* cipher/pubkey.c (_gcry_pk_encrypt): Fail if algo is disabled
	  (_gcry_pk_decrypt): Ditto.
	  (_gcry_pk_sign): Ditto.
	  (_gcry_pk_sign_md): Ditto.
	  (_gcry_pk_verify): Ditto.
	  (_gcry_pk_verify_md): Ditto.
	  (_gcry_pk_testkey): Ditto.
	  (_gcry_pk_get_nbits): Ditto.
	  (_gcry_pk_get_curve): Ditto.
	* tests/basic.c (check_pubkey): Test also other API in FIPS mode to
	  verify they fail as expected.

2021-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add paren for readability.
	+ commit bea8b9672c3c47c9bffb7edc52fb32cf9091c231
	* tests/basic.c (check_pubkey): Add parentheses.

	md: Fix checking to use ->disabled instead of ->fips directly.
	+ commit 3152a565d9a426b6c984e161d1a95a8df347dc15
	* cipher/md.c (md_enable): Check by ->disabled.
	(_gcry_md_hash_buffer, _gcry_md_hash_buffers_extract): Likewise.

	random: Remove use of experimental random daemon.
	+ commit 754ad5815b5bb7462260414f2bc5f449bee0b1c6
	* random/Makefile.am (librandom_la_SOURCES): Remove random-daemon.c.
	* random/random-daemon.c: Remove.
	* random/rand-internal.h: Remove declarations.
	* random/random-csprng.c (_gcry_rngcsprng_set_daemon_socket)
	(_gcry_rngcsprng_use_daemon): Remove.
	[USE_RANDOM_DAEMON] (_gcry_rngcsprng_randomize): Don't call
	_gcry_daemon_randomize.
	* random/random.c (_gcry_set_random_daemon_socket)
	(_gcry_use_random_daemon): Remove.
	* src/global.c (_gcry_vcontrol): Return GPG_ERR_NOT_SUPPORTED.
	* tests/benchmark.c (main): Remove support of use_random_daemon.

2021-12-06  NIIBE Yutaka  <gniibe@fsij.org>

	random: Release memory in DRBG.
	+ commit 751fcadd34ed42b2e595664e9ec3f88fd074d7b7
	* random/random-drbg.c (_gcry_rngdrbg_close_fds): Release DRBG_STATE.

	fips: Factor out check_fips_system_setting function.
	+ commit 5425052f38cd41a99469e4c3245a1c3e037410fe
	* src/fips.c (check_fips_system_setting): New.
	(_gcry_initialize_fips_mode): Use the new function.

	cipher,tests: Consitent use of #if/#endif for algo selection.
	+ commit b14aaf1a2dc71560e1f7c19ac88a7b16cc491f25
	* cipher/cipher.c: Use #if instead of #ifdef for algo.
	* cipher/mac-cmac.c: Likewise.
	* cipher/mac-hmac.c: Likewise.
	* cipher/mac-internal.h: Likewise.
	* cipher/mac.c: Likewise.
	* tests/basic.c: Likewise.

2021-12-06  Jakub Jelen  <jjelen@redhat.com>

	tests: Conditionalize other algorithms that might not be built-in.
	+ commit 57b61b0f4f1be7513ed064a90321849bb9f47f29
	* tests/basic.c (check_cbc_mac_cipher): Do not run DES tests without DES
	  being built-in.
	  (check_ecb_cipher): Do not run blowfish and DES tests without them
	  being built-in
	  (check_cfb_cipher): Do not run DES tests without DES being built-in.
	  (check_ccm_cipher): Do not run camellia tests without it being
	  built-in.
	  (check_ocb_cipher): Do not run Camellia, Twofish and Serpent tests
	  without them being built-in.
	  (check_digests): Do not run SM3 tests without them being built-in.
	  (check_digests): Do not run DES, Camellia and GOST tests without them
	  being built-in.

	tests: Unbreak tests with SM4 disabled.
	+ commit b601ef4dc9f9a337e3019fc5ad3c7b31fcdc43f3
	* tests/basic.c (check_ecb_cipher): Do not run SM4 tests when SM4 is not
	  built.
	  (check_ctr_cipher): Ditto.
	  (check_cfb_cipher): Ditto.
	  (check_ofb_cipher): Ditto.
	  (check_ocb_cipher): Ditto.

2021-12-03  NIIBE Yutaka  <gniibe@fsij.org>
	    Jakub Jelen  <jjelen@redhat.com>

	rsa: Allow e=0 to select 65537 for keygeneration under X931.
	+ commit e4a450d1d966cf19cc5ba4d772254be08782e463
	* cipher/rsa.c (generate_x931): Use e=65537.

2021-12-03  Jakub Jelen  <jjelen@redhat.com>

	random: Add missing header file to the release tarball.
	+ commit 78ce1f9e0afe296eab916f1b547f967166f80e10
	* random/Makefile.am: Add missing header file.

2021-12-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	gcry_mpi_sub_ui: fix subtracting from negative value.
	+ commit d5bf106468e6c6b0f33b193abf04590e4e9fc011
	* mpi/mpi-add.c (_gcry_mpi_sub_ui): Set output sign bit when 'u'
	is negative.
	* tests/mpitests.c (test_add): Additional tests for mpi_add_ui; Check
	test output and fail if output does not match expected.
	(test_sub): Additional tests for mpi_sub_ui; Check test output and fail
	if output does not match expected.
	(test_mul): Additional tests for mpi_mul_ui; Check test output and fail
	if output does not match expected.

2021-12-01  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix basic.c to show useful information on error.
	+ commit bff9ed54285b9a332382589d89e317da987b5b38
	* tests/basic.c (check_ctr_cipher): Assign return value to ERR.
	(check_siv_cipher, check_ccm_cipher): Likewise.

2021-12-01  Jakub Jelen  <jjelen@redhat.com>

	tests: Improve error checking in regards to FIPS.
	+ commit c8d2b0069e3cc97138c4e09224a84bb6ccf1b6b5
	* tests/basic.c (check_cbc_mac_cipher): Improve verbose alignment
	  (check_ecb_cipher): Improve verbose message alignment.
	  (check_ctr_cipher): Improve verbose message alignment.
	  (check_cfb_cipher): Improve verbose message alignment and error
	  reporting.
	  (check_ofb_cipher): Improve verbose message alignment and error
	  reporting.
	  (_check_gcm_cipher): Improve error checking.
	  (_check_eax_cipher): Improve error checking.
	  (check_siv_cipher): Improve error checking.
	  (check_gcm_siv_cipher): Improve error checking and indentation.
	  (_check_poly1305_cipher): Improve verbose message alignment.
	  (check_ccm_cipher): Improve verbose message alignment.
	  (do_check_ocb_cipher): Improve error checking.
	  (check_ocb_cipher_largebuf_split): Improve error checking.
	  (check_ocb_cipher_checksum): Improve error checking.
	  (check_ocb_cipher_splitaad): Improve error checking.
	  (check_gost28147_cipher_basic): Improve verbose message alignment.
	  (check_stream_cipher): Improve verbose message alignment.
	  (check_one_cipher_core): Improve error checking.
	  (check_ciphers): Improve error checking.
	  (check_pubkey): Check explicitly the for failure in FIPS mode.

	Disable 3DES in FIPS mode.
	+ commit 23a58b779e31e6244a481c26096d1ad061eb024c
	* cipher/des.c (_gcry_cipher_spec_tripledes): Mark as non-FIPS
	* cipher/mac-cmac.c ( _gcry_mac_type_spec_cmac_tripledes): Mark non-FIPS
	* src/fips.c (run_cipher_selftests): skip 3DES selftests)
	  (run_mac_selftests): skip CMAC_3DES selftests
	* tests/basic.c (check_cfb_cipher): Do not expect the 3DES working in
	  FIPS mode

2021-11-30  Jakub Jelen  <jjelen@redhat.com>

	Implement explicit FIPS indicators for cipher modes.
	+ commit 3d38968f4b751c5561679040c055c34a690bed75
	* src/fips.c (_gcry_fips_indicator): New.
	* src/g10lib.h (_gcry_fips_indicator): New declaration.
	* src/gcrypt.h.in (gcry_ctl_cmds): New GCRYCTL_FIPS_SERVICE_INDICATOR
	* src/global.c (_gcry_vcontrol): Handle GCRYCTL_FIPS_SERVICE_INDICATOR
	* tests/basic.c (do_check_ocb_cipher): Check excplicit FIPS indicator
	  (check_ocb_cipher_largebuf_split): Ditto.
	  (check_ocb_cipher_checksum): Ditto.
	  (check_ocb_cipher_splitaad): Ditto.
	  (check_bulk_cipher_modes): Ditto.

2021-11-24  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Release random resources after selftests.
	+ commit 40ab39966650489449bee3e2a68f43a9d38c4dd4
	* src/fips.c (_gcry_fips_is_operational): Call _cgry_random_close_fds.

	random: Extend semantics of _gcry_random_close_fds.
	+ commit 204be8a385ae6140175e3b495989a261410c34d0
	* random/random-csprng.c (_gcry_rngcsprng_close_fds): Add
	de-initialization.
	* random/random-drbg.c (_gcry_rngdrbg_close_fds): Likewise.

2021-11-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Do not build 'cipher/' assembly files when --disable-asm used.
	+ commit 33f1a7ad3cd13602d8bffe156f383c3a704dfd67
	* configure.ac: Collect assembly implementation *.lo files under
	GCRYPT_ASM_CIPHERS and GCRYPT_ASM_DIGEST for --disable-asm
	selection.

	Do not build poly1305-s390x.S on foreign architectures.
	+ commit f10fa6b9a6ca7565408c4685d88a38893396d02b
	* configure.ac [host=s390x-*-*]: Add 'poly1305-s390x.lo'.
	* cipher/Makefile.am: Move 'poly1305-s390x.S' to
	'EXTRA_libcipher_la_SOURCES'.

	jitterentropy: use wipememory for jent_memset_secure.
	+ commit a44301f6d2051b6b4e20b4459f41aa2b95f8b2b7
	* random/jitterentropy-base-user.h (jent_memset_secure): Use wipememory.

	jitterentropy: fix building on Win32.
	+ commit c38ebc3b6c7d6844209a58677379b61750b6504d
	* random/jitterentropy.h (jent_notime_ctx): Add #ifdef
	JENT_CONF_ENABLE_INTERNAL_TIMER around pthread variables.

2021-11-18  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Remove tweak for FIPS enabled.
	+ commit 1183ffdd7a242955c1cc34eef0b02c002202a9ec
	* tests/t-secmem.c (test_secmem): Remove the tweak.

	jitternetropy: Put our local change to use non-secure memory.
	+ commit 85cb7375fec39bb9fb195ca0bbe95bbbfd6deb98
	* random/jitterentropy-base.c (jent_entropy_collector_alloc_internal):
	Let jent_memaccess use normal memory.

	build: Fix excess quotation to enable config.status --recheck works.
	+ commit 17f9eb20c94fd6711370546437b7150dc11a6335
	* configure.ac (DEF_HMAC_BINARY_CHECK): Fix quatation.

	random: Fix rndgetentropy correctly uses rndjent.
	+ commit 5493282b4aacd6b466c4ddd366ce9eb4036b3562
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Call
	_gcry_rndjent_poll for GCRY_VERY_STRONG_RANDOM.

2021-11-17  NIIBE Yutaka  <gniibe@fsij.org>

	jitterentropy: Use jent_read_entropy_safe for rndjent.
	+ commit 2101da04924b1361e2a1021b406a519a3bde9aee
	* random/rndjent.c (_gcry_rndjent_poll): Use jent_read_entropy_safe.

	Fix jent_read_entropy for JENT_CPU_JITTERENTROPY_SECURE_MEMORY.
	+ commit d0fcb4da98a05097bc0cd6dc7377cb02aaa8b61c
	* random/jitterentropy-base.c (jent_read_entropy): Fix conditional
	compile.

	jitterentropy: Fix for C90 compiler.
	+ commit cf85258e6aff87f5b0614097b4ff2972ceb703fd
	* random/jitterentropy-noise.c (jent_hash_time): Declare hash_loop_cnt
	at the beginning of the function.

	jitterentropy: Disable use of pthread.
	+ commit 964c9c5eee30cc45488b88ec4c0199a41861e4aa
	* random/jitterentropy.h (JENT_CONF_ENABLE_INTERNAL_TIMER): Undefine.
	* random/jitterentropy-base.c [JENT_CONF_ENABLE_INTERNAL_TIMER]
	(jent_entropy_switch_notime_impl): Add conditional compilation.
	* random/jitterentropy-base-user.h [JENT_CONF_ENABLE_INTERNAL_TIMER]
	(jent_yield): Likewise.
	* random/jitterentropy.h [JENT_CONF_ENABLE_INTERNAL_TIMER]
	(jent_entropy_switch_notime_impl): Likewise.

	jitterentropy: Fix building rndjent.
	+ commit d5ae5229db70f71301a3f3eefdd38a73a4fde499
	* random/Makefile.am: Update for new jitterentropy.
	* random/rndjent.c: Update to include the other files.

	jitterentropy: Merge from jitterentropy-library-3.3.0.
	+ commit 3bacdac611b9eb3bd5ae8d78156b1110e77e9518
	* random/jitterentropy-base.h: New.
	* random/jitterentropy-gcd.c: New.
	* random/jitterentropy-gcd.h: New.
	* random/jitterentropy-health.c: New.
	* random/jitterentropy-health.h: New.
	* random/jitterentropy-noise.c: New.
	* random/jitterentropy-noise.h: New.
	* random/jitterentropy-sha3.c: New.
	* random/jitterentropy-sha3.h: New.
	* random/jitterentropy-timer.c: New.
	* random/jitterentropy-timer.h: New.
	* random/jitterentropy-base.c: Update.
	* random/jitterentropy.h: Update.
	* random/jitterentropy-base-user.h: Update, keeping ours mostly.

2021-11-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add intel-pclmul accelerated POLYVAL for GCM-SIV.
	+ commit 5e0187d84fc16d9ff0fbb0ccd4348657fea90d36
	* cipher/cipher-gcm-intel-pclmul.c (gfmul_pclmul_aggr4)
	(gfmul_pclmul_aggr8): Move assembly to new GFMUL_AGGRx_ASM* macros.
	(GFMUL_AGGR4_ASM_1, GFMUL_AGGR4_ASM_2, gfmul_pclmul_aggr4_le)
	(GFMUL_AGGR8_ASM, gfmul_pclmul_aggr8_le)
	(_gcry_polyval_intel_pclmul): New.
	* cipher/cipher-gcm-siv.c (do_polyval_buf): Use polyval function
	if available.
	* cipher/cipher-gcm.c (_gcry_polyval_intel_pclmul): New.
	(setupM): Setup 'c->u_mode.gcm.polyval_fn' with accelerated polyval
	function if available.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add member
	'u_mode.gcm.polyval_fn'.

2021-11-15  NIIBE Yutaka  <gniibe@fsij.org>

	random: Include getentropy random module.
	+ commit ec671cfa239888b67fcafda40b19006b61d9bbf2
	* random/rand-internal.h (_gcry_rndgetentropy_gather_random): Add.
	* random/random-csprng.c [USE_RNDLINUX] (_gcry_rngcsprng_close_fds)
	(getfnc_gather_random): Support getentropy random module.
	* random/random-drbg.c: Likewise.
	* random/random-fips.c: Likewise.
	* random/random-system.c: Likewise.
	* src/global.c [USE_RNDLINUX] (print_config): Show getentropy.

	build: Support rndgetentropy random module.
	+ commit e562e34c824dda9ce1c4a0af58e8366699a3d88b
	* configure.ac: Add getentropy random module.
	* random/Makefile.am (EXTRA_librandom_la_SOURCES): Add.

	random:getentropy: Simplify more.
	+ commit 6de43f11c625de381e75f01ce83cbb2d2634fb35
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Remove
	'if'.

	random:getentropy: Limit the size of buffer in exact size.
	+ commit cebe5c78a9493c7b4ee894305c0ede0899815e6a
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random):
	Redundant space had no sense.

	random: Simplify rndgetentropy.
	+ commit a8395fd7a40f4d9a8f57154a28cd1cae97e708f2
	* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Simply
	call getentropy.

	random: Start rnd-getentropy.c.
	+ commit f36bfe7ec1b2cef7760aa338292fadb93783ced4
	* random/rnd-getentropy.c: Copied from rndlinux.c.

2021-11-11  NIIBE Yutaka  <gniibe@fsij.org>

	tests:pkcs1v2: Skip tests with small keys in FIPS mode.
	+ commit 1481607cb9db977468a75f9f4638dc1cf3ade007
	* tests/pkcs1v2.c (in_fips_mode): New.
	(check_oaep): Skip when key size is less than 2048 in FIPS mode.
	(check_pss, check_v15crypt, check_v15sign): Likewise.

	tests:pubkey: Replace RSA key to one of 2k.
	+ commit 66119e0c1a024f7cf059393c3db827eb338339b0
	* tests/pubkey.c (sample_private_key_1): Use 2k key from basic.c.
	(sample_private_key_1_1): Likewise.
	(sample_private_key_1_2): Likewise.

2021-11-09  Jakub Jelen  <jjelen@redhat.com>

	tests: Benchmark also larger RSA keys in FIPS mode.
	+ commit 2a899b5b84583f2e68bd8564034aa10846810e85
	* tests/benchmark.c (rsa_bench): Test also large RSA keys in FIPS mode

	tests: Explicit FIPS checking for symmetric algorithms.
	+ commit fb931073707ed521366f0e4a2e54b3935ce649a3
	* tests/basic.c (FLAG_CFB8): New.
	(check_ecb_cipher): Introduce new flag and explicitly check for
	algorithm functionality in regards to FIPS.
	(check_ctr_cipher): Ditto.
	(check_cfb_cipher): Replace the cfb8 flag with generic flag and
	explicitly check for algorithm funcionality in regards to FIPS.
	(check_ofb_cipher): Introduce new flag and explicitly check for
	algorithm functionality in regards to FIPS.
	(_check_poly1305_cipher): Explicitly check functionality in regards to
	FIPS mode.
	(check_ccm_cipher): Introduce new flag and explicitly check for
	algorithm functionality in regards to FIPS.
	(check_gost28147_cipher_basic): Explicitly check functionality in
	regards to FIPS mode.
	(check_stream_cipher_large_block): Explicitly check functionality in
	regards to FIPS mode.

2021-11-08  NIIBE Yutaka  <gniibe@fsij.org>

	dsa: Add checks in FIPS mode.
	+ commit df66bd94e6e3650216b0d179d79d4c296f173855
	* cipher/dsa.c (dsa_check_keysize): New.
	(generate_fips186): Add call to dsa_check_keysize.
	(dsa_sign, dsa_verify): Likewise.
	* tests/benchmark.c (dsa_bench): Skip 1024-bit.
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): 1024-bit
	now fails.
	* tests/fips186-dsa.c (main): Only test check_dsa_gen_186_3 in FIPS
	mode.

2021-11-08  Jakub Jelen  <jjelen@redhat.com>

	tests: Add 2k RSA key working in FIPS mode.
	+ commit 1f45fec2082247f3634af050f1fdbf0a5858cf46
	* tests/basic.c (check_pubkey): The 1k RSA keys are no longer supposed
	to be working so have a new 2k one that should work.  Taken from
	ciper/rsa.c's sample_secret_key.

2021-11-08  Jakub Jelen  <jjelen@redhat.com>
	    NIIBE Yutaka  <gniibe@fsij.org>

	rsa: Check keylen constraints for key operations.
	+ commit 40d63d09b2d06631f4d2c3d1b167a620d50c99f8
	* cipher/rsa.c (rsa_check_keysize): New.
	(generate_fips): Factor out the bits check.
	(rsa_encrypt): Add checking key length.
	(rsa_decrypt, rsa_sign, rsa_verify): Likewise.

2021-11-08  NIIBE Yutaka  <gniibe@fsij.org>
	    NIIBE Yutaka  <gniibe@fsij.org>

	tests: Expect errors from algorithms not supported in FIPS mode.
	+ commit cc3571a1f2244bdf829d7d16dd546131711eb8a9
	* tests/basic.c (FLAG_NOFIPS): New.
	(check_pubkey_sign): Pass and handle NOFIPS flag.
	(check_pubkey_sign_ecdsa): Likewise.
	(check_pubkey_crypt): Likewise.
	(do_check_one_pubkey): Pass flags.
	(check_pubkey): Mark explicitly algorithms expected not to work in
	FIPS mode and make sure they fail.

2021-11-08  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix basic.c:check_pubkey.
	+ commit 1b29be8e7e49a6ee04734b86db5732dc3eaca84b
	* tests/basic.c (check_pubkey): Don't call check_one_pubkey_new
	multiple times.

2021-11-08  Jakub Jelen  <jjelen@redhat.com>

	cipher: Respect the disabled flag of pubkey algorithms.
	+ commit ff5ab6a809345112f02a6037957ef21bc4bf3bce
	* cipher/pubkey.c (check_pubkey_algo): Check the disabled flag before
	using the algorithm.

2021-11-05  Jakub Jelen  <jjelen@redhat.com>

	doc: Reference the new FIPS 140-3.
	+ commit 976673425784eb2d056a4dbbe13b6d2ca5f8cbf2
	* doc/gcrypt.texi: Replace -2 with -3
	* cipher/ecc-curves.c: Replace -2 with -3

2021-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:md: Check digest algo is supported when FIPS enabled.
	+ commit cfd1dd6a838f70324a749dad0d589bc2dbe33651
	* cipher/md.c (_gcry_md_hash_buffer): Check for FIPS for
	hash_buffers method case.
	(_gcry_md_hash_buffers_extract): Likewise.

2021-10-29  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Allow opaque MPI with zero length.
	+ commit 34d55589b7d91a239435d77e3d45cf0deeba59b6
	* mpi/mpiutil.c (_gcry_mpi_copy): Support zero length.

2021-10-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/bench-slope: avoid divide by zero.
	+ commit ecd4d348ac87c073ced38eb1e6dbec03b532cdf2
	* tests/bench-slope.c (safe_div): New.
	(get_slope): Make static; Skip if number of points is too small; Use
	safe_div.
	(do_slope_benchmark): Retry benchmark if result does not make sense;
	Limit retries to 4 for non-auto-ghz and 1000 for auto-ghz.
	(get_auto_ghz, do_slope_benchmark, bench_print_result_csv)
	(bench_print_result_std): Use safe_div.

	md: clear context with wipememory to avoid false warning.
	+ commit 5881114e08601745857a68bc3318f3421155f645
	* cipher/md.c (md_open): Initialize ctx with wipememory2 instead
	of memset.

	cipher/sha512: fix 'accessing 64 bytes in a region of size 8' warnings.
	+ commit 6333cdeee5c1ca5bd4255f9cdcd266db314a2122
	* cipher/sha512.c (SHA512_STATESHA256_CONTEXT): Replace h0-h7 with h[8].
	(do_sha512_transform_i386_ssse3, do_sha512_transform_ppc8)
	(do_sha512_transform_ppc9, do_sha512_transform_s390x)
	(do_sha512_final_s390x, sha512_init, sha384_init, sha512_256_init)
	(sha512_224_init, do_transform_generic, sha512_final): Convert use
	of h0-h7 to h[0]-h[7].

	poly1305: fix building with 'arm-linux-gnueabihf-gcc-11 -O3'
	+ commit e4ce7ad0ecf6c356fa377e139d08c4dbcf6bf533
	* cipher/poly1305.c [HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS]
	(ADD_1305_32): Reduce number of register operands.

2021-10-20  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Reject SHA-1 for hash+sign/verify when FIPS enabled.
	+ commit a23cf78102f3200dc441a3123c3fbeaa28f38b50
	* cipher/pubkey.c (_gcry_pk_sign_md): Reject SHA-1 when FIPS.
	(_gcry_pk_verify_md): Likewise.

2021-10-15  NIIBE Yutaka  <gniibe@fsij.org>

	doc: Add entries for hash+sign functions.
	+ commit 8f31f652d453f480d4d2559dfa17e7bd42145a49


2021-10-15  Jakub Jelen  <jjelen@redhat.com>

	fips: Improve selftests invocation.
	+ commit d45db4ad16fec0fe7d32aae60f356a386fbf909b
	* src/fips.c (run_digest_selftests): Skip SHA256 selftest if they were
	already executed as part of the integrity check.
	(run_mac_selftests): Skip HMAC-SHA256 selftest if they were already
	executed as part of the integrity check.
	(run_hmac_sha256_selftests): Run SHA256 selftest too.
	(_gcry_fips_run_selftests): Run the sha256 selftests regardless of the
	fips mode status.

2021-10-14  Jakub Jelen  <jjelen@redhat.com>

	fips: Verify library integrity before running selftests.
	+ commit d2c68849d19bd0ed4c8c3c040c5939737aa15981
	* src/fips.c (run_hmac_sha256_selftests): New function.
	(_gcry_fips_run_selftests): Move integrity check earlier and run
	HMAC-SHA256 tests before that.

	cipher: Allow generation of RSA keys > 2k.
	+ commit bba63fab1a22232e494d3de93d74280d300faf8d
	 * cipher/rsa.c (generate_fips): Allow any larger key than 2k in FIPS
	   mode.

2021-10-12  NIIBE Yutaka  <gniibe@fsij.org>

	build: Support specifying HMAC key by --enable-hmac-binary-check.
	+ commit 10e02b90f65f3a85d72a719806b9d8873377c1a4
	* configure.ac (DEF_HMAC_BINARY_CHECK): New SUBSTITUTION.
	(DL_LIBS): Fix the condition.
	* src/Makefile.am (libgcrypt_la_CFLAGS): Use DEF_HMAC_BINARY_CHECK.
	(hmac256_CFLAGS): Likewise.

2021-10-11  NIIBE Yutaka  <gniibe@fsij.org>

	build: Use KEY_FOR_BINARY_CHECK for --enable-hmac-binary-check.
	+ commit 0709359657633271c8c018d67b40d9052c630022
	* src/fips.c (KEY_FOR_BINARY_CHECK): Allow supplying externally.
	* src/hmac256.c: Use KEY_FOR_BINARY_CHECK macro.

2021-10-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher/sha256: fix 'accessing 32 bytes in a region of size 4' warnings.
	+ commit 95425c6b0b96a4d2eae4e2a55a23d293b08f7993
	* cipher/sha256.c (SHA256_CONTEXT): Replace h0-h7 with h[8].
	(do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
	(do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
	(do_sha256_transform_armv8_ce, do_sha256_transform_ppc8)
	(do_sha256_transform_ppc9, do_sha256_transform_s390x)
	(do_sha256_final_s390x, sha256_init, sha224_init)
	(do_transform_generic, sha256_final): Convert use of h0-h7 to h[0]-h[7].

2021-10-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add sign+hash, verify+hash, and random-override API.
	+ commit 082ea0efa9b129e8ca7703eeb6b1c9325caeedfd
	* cipher/pubkey.c (_gcry_pk_sign_md, _gcry_pk_verify_md): New.
	(_gcry_pk_random_override_new): New.
	(_gcry_pk_get_random_override): New.
	* src/gcrypt-int.h: Add those routines.
	* src/context.h (CONTEXT_TYPE_RANDOM_OVERRIDE): New.
	* src/context.c (_gcry_ctx_alloc, _gcry_ctx_release): Handle
	CONTEXT_TYPE_RANDOM_OVERRIDE.
	* src/gcrypt.h.in (gcry_error_t gcry_pk_hash_sign): New.
	(gcry_error_t gcry_pk_hash_verify): New.
	(gcry_pk_random_override_new): New.
	* src/libgcrypt.def, src/libgcrypt.vers: Update.
	* src/visibility.c (gcry_pk_hash_sign, gcry_pk_hash_verify): New.
	(gcry_pk_random_override_new): New.
	* src/visibility.h: Add those routines.

	cipher:dsa,ecdsa: Support supplying K externally.
	+ commit 16a9eaad5d1add3a95b1da6e037b074f18b094c7
	* cipher/dsa.c (sign): Add an argument K for DSA.
	(test_keys, dsa_sign): Follow the change.
	* cipher/ecc-common.h (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise for ECDSA.
	* cipher/ecc.c (test_keys, ecc_sign): Follow the change.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support "label"
	for K.

2021-10-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building for Win64 target.
	+ commit 9fc0d145278d46bb129660a57b7ca2f94577d461
	* random/random-csprng.c [HAVE_W32_SYSTEM]: Include <windows.h>.
	* tests/bench-slope.c [_WIN32]: Include <windows.h>.

2021-10-05  NIIBE Yutaka  <gniibe@fsij.org>

	build,gcrypt.h: Don't define gcry_socklen_t.
	+ commit 71d4d592d8910ea6f9e091ae578cf68907cb5758
	* configure.ac (FALLBACK_SOCKLEN_T): Remove.
	* src/gcrypt.h.in: Remove FALLBACK_SOCKLEN_T.

	build,gcrypt.h: Remove INSERT_SYS_SELECT_H.
	+ commit 0f43570af93e56bdd4a4b2bf6eef722d0bff4a4f
	* configure.ac (INSERT_SYS_SELECT_H): Remove.
	Remove checking sys/select.h.
	* src/gcrypt.h.in: Remove INSERT_SYS_SELECT_H.

2021-10-05  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	random: Use poll instead of select.
	+ commit 7da42a8e8cc587ced46dffefc8448c8a286b1ca0
	* random/rndlinux.c (open_device): Use poll.
	(_gcry_rndlinux_gather_random): Use poll.

2021-09-27  Werner Koch  <wk@gnupg.org>

	tests: Remove old CAVS test scripts.
	+ commit db928d97b4b69f9aa1fee3c2a38a138534608c89
	* tests/cavs_driver.pl: Remove.
	* tests/cavs_tests.sh: Remove
	* tests/Makefile.am: (EXTRA_DIST): Remove them.

2021-09-27  NIIBE Yutaka  <gniibe@fsij.org>

	libtool: Link without -flat_namespace for macOS.
	+ commit c9cebf3d1824d6ec90fd864a744bb81c97ac7d31
	* m4/libtool.m4: Not setting 10.0 to MACOSX_DEPLOYMENT_TARGET when not
	defined.  Only specify -flat_namespace to linker for specific
	(older) versions and hosts.

2021-09-24  NIIBE Yutaka  <gniibe@fsij.org>

	build: Add hmac256.h to distribution.
	+ commit 9511f469363b629a06e1f3dab6ee4ba333e72b93
	* src/Makefile.am (hmac256_SOURCES): Add hmac256.h.

2021-09-20  Jakub Jelen  <jjelen@redhat.com>

	Allow passing FIPS module version.
	+ commit c74fde0c3f6114c594332fb28a09c7b817969231
	* README: Document new --with-fips-module-version=version switch
	* configure.ac: Implementation of the --with-fips-module-version
	* src/global.c (print_config): Print FIPS module version from above

	Remove the forced fips mode.
	+ commit 3f4dd47ba74e0a9f18feba1809eeddff8790707e
	* cipher/rsa.c (generate_fips): Drop reference to enforced fips mode and
	  use normal FIPS mode check
	* doc/gcrypt.texi: Drop references to enforced FIPS mode
	* src/fips.c (enforced_fips_mode): Removed
	  (_gcry_initialize_fips_mode): Remove reading of the FIPS_FORCE_FILE
	  to enforce FIPS mode
	  (_gcry_enforced_fips_mode): Remove
	  (_gcry_set_enforced_fips_mode): Remove
	* src/g10lib.h (_gcry_enforced_fips_mode): Remove declaration
	  (_gcry_set_enforced_fips_mode): Remova declaration
	* src/global.c (print_config): Remove the forced fips flag
	  (_gcry_vcontrol): Deprecate GCRYCTL_SET_ENFORCED_FIPS_FLAG
	  (get_no_secure_memory): Ignore the option in FIPS mode

	Remove a way to inactive FIPS mode.
	+ commit edbc1dd10bc3e1fcc0e355fe1a9c4c8769f51daf
	* cipher/md.c (_gcry_md_hash_buffer): Remove inactivation of FIPS mode
	  when MD5 is used
	  (_gcry_md_hash_buffers_extract): Ditto.
	* src/fips.c (gcry_is_fips_mode_inactive): Removed
	  (_gcry_inactivate_fips_mode): Removed
	  (_gcry_is_fips_mode_inactive): Removed
	* src/g10lib.h (_gcry_inactivate_fips_mode): Remove declaration
	  (_gcry_is_fips_mode_inactive): Remove declaration
	* global.c (_gcry_vcontrol): Update the GCRYCTL_FIPS_MODE_P
	  (_gcry_set_allocation_handler): Silently ignore custom alocation
	  handlers in FIPS mode

2021-09-16  Jakub Jelen  <jjelen@redhat.com>

	tests: Improve FIPS detection in curves test.
	+ commit fd116968ef2dcecb4058be2b2b3e8ab90f1e3181
	* tests/curves.c (check_matching): When FIPS mode enabled, skip a test
	with sample_key_2, which uses brainpoolP160r1 curve.
	(check_get_params): Replace "error_expected" filed to "flags" to hold
	TEST_ERROR_EXPECTED and/or TEST_NOFIPS.  Put TEST_NOFIPS flags for
	non-FIPS curves.  When FIPS mode enabled, don't skip supported curves.

	tests: Fix typo in comment.
	+ commit f9ae351c954c01a382c8ac915298efa25fc45177
	* tests/curves.c: Typo in comment

2021-09-14  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix support of sha512-224 and sha512-256.
	+ commit d04b1be9edacd7be6f03faba6f4d6c44c4247eb7
	* cipher/pubkey-util.c (get_hash_algo): Add.

	* cipher/sha512.c (sha512_256_asn, sha512_224_asn): Fill correct values.

	cipher: Support internal hashing with "prehash" for RSA PKCS#1.
	+ commit 422031a5943f2e698036e3c0df5955c585f22c16
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support internal
	hashing.

2021-09-13  Werner Koch  <wk@gnupg.org>

	cipher: Clear AESWRAP scratch area immediately after use.
	+ commit df4fe02794bb3511f7006d641e99736bad091c58
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_decrypt): Call
	wipememory.

2021-08-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARMv8-CE HW acceleration for GCM-SIV counter mode.
	+ commit 47e425e07995454573e28c13c08229d2f8a75642
	* cipher/rijndael-armv8-aarch32-ce.S
	(_gcry_aes_ctr32le_enc_armv8_ce): New.
	* cipher/rijndael-armv8-aarch64-ce.S
	(_gcry_aes_ctr32le_enc_armv8_ce): New.
	* cipher/rijndael-armv8-ce.c
	(_gcry_aes_ctr32le_enc_armv8_ce)
	(_gcry_aes_armv8_ce_ctr32le_enc): New.
	* cipher/rijndael.c
	(_gcry_aes_armv8_ce_ctr32le_enc): New prototype.
	(do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for ARMv8-CE.

	Add x86 HW acceleration for GCM-SIV counter mode.
	+ commit 33aebb30d210768d510a2843d9cc0c0ecd4237d1
	* cipher/cipher-gcm-siv.c (do_ctr_le32): Use bulk function if
	available.
	* cipher/cipher-internal.h (cipher_bulk_ops): Add 'ctr32le_enc'.
	* cipher/rijndael-aesni.c (_gcry_aes_aesni_ctr32le_enc): New.
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_ctr32le_enc_amd64, .Lle_addd_*): New.
	* cipher/rijndael-vaes.c (_gcry_vaes_avx2_ctr32le_enc_amd64)
	(_gcry_aes_vaes_ctr32le_enc): New.
	* cipher/rijndael.c (_gcry_aes_aesni_ctr32le_enc)
	(_gcry_aes_vaes_ctr32le_enc): New prototypes.
	(do_setkey): Add setup of 'bulk_ops->ctr32le_enc' for AES-NI and
	VAES.
	* tests/basic.c (check_gcm_siv_cipher): Add large test-vector for
	bulk ops testing.

	Add AES-GCM-SIV mode (RFC 8452)
	+ commit 1b8994c4ecf2cb53fff46fa84a95a7c259e7cec7
	* cipher/Makefile.am: Add 'cipher-gcm-siv.c'.
	* cipher/cipher-gcm-siv.c: New.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_setupM): New.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'siv_keylen'.
	(_gcry_cipher_gcm_setupM, _gcry_cipher_gcm_siv_encrypt)
	(_gcry_cipher_gcm_siv_decrypt, _gcry_cipher_gcm_siv_set_nonce)
	(_gcry_cipher_gcm_siv_authenticate)
	(_gcry_cipher_gcm_siv_set_decryption_tag)
	(_gcry_cipher_gcm_siv_get_tag, _gcry_cipher_gcm_siv_check_tag)
	(_gcry_cipher_gcm_siv_setkey): New prototypes.
	(cipher_block_bswap): New helper function.
	* cipher/cipher.c (_gcry_cipher_open_internal): Add
	'GCRY_CIPHER_MODE_GCM_SIV'; Refactor mode requirement checks for
	better size optimization (check pointers & blocksize in same order
	for all).
	(cipher_setkey, cipher_reset, _gcry_cipher_setup_mode_ops)
	(_gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add GCM-SIV.
	(_gcry_cipher_ctl): Handle 'set decryption tag' for GCM-SIV.
	* doc/gcrypt.texi: Add GCM-SIV.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_GCM_SIV): New.
	(GCRY_SIV_BLOCK_LEN, gcry_cipher_set_decryption_tag): Add to comment
	that these are also for GCM-SIV in addition to SIV mode.
	* tests/basic.c (check_gcm_siv_cipher): New.
	(check_cipher_modes): Check for GCM-SIV.
	* tests/bench-slope.c (bench_gcm_siv_encrypt_do_bench)
	(bench_gcm_siv_decrypt_do_bench, bench_gcm_siv_authenticate_do_bench)
	(gcm_siv_encrypt_ops, gcm_siv_decrypt_ops)
	(gcm_siv_authenticate_ops): New.
	(cipher_modes): Add GCM-SIV.
	(cipher_bench_one): Check key length requirement for GCM-SIV.

	Add SIV mode (RFC 5297)
	+ commit 659a208cb065d686f60e2c4f51856f460d6b44f5
	* cipher/Makefile.am: Add 'cipher-siv.c'.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Rename to
	_gcry_cipher_ctr_encrypt_ctx and add algo context parameter.
	(_gcry_cipher_ctr_encrypt): New using _gcry_cipher_ctr_encrypt_ctx.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.siv'.
	(_gcry_cipher_ctr_encrypt_ctx, _gcry_cipher_siv_encrypt)
	(_gcry_cipher_siv_decrypt, _gcry_cipher_siv_set_nonce)
	(_gcry_cipher_siv_authenticate, _gcry_cipher_siv_set_decryption_tag)
	(_gcry_cipher_siv_get_tag, _gcry_cipher_siv_check_tag)
	(_gcry_cipher_siv_setkey): New.
	* cipher/cipher-siv.c: New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_reset, _gcry_cipher_setup_mode_ops, _gcry_cipher_info): Add
	GCRY_CIPHER_MODE_SIV handling.
	(_gcry_cipher_ctl): Add GCRYCTL_SET_DECRYPTION_TAG handling.
	* doc/gcrypt.texi: Add documentation for SIV mode.
	* src/gcrypt.h.in (GCRYCTL_SET_DECRYPTION_TAG): New.
	(GCRY_CIPHER_MODE_SIV): New.
	(gcry_cipher_set_decryption_tag): New.
	* tests/basic.c (check_siv_cipher): New.
	(check_cipher_modes): Add call for 'check_siv_cipher'.
	* tests/bench-slope.c (bench_encrypt_init): Use double size key for
	SIV mode.
	(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
	(bench_aead_authenticate_do_bench): Reset cipher context on each run.
	(bench_aead_authenticate_do_bench): Support nonce-less operation.
	(bench_siv_encrypt_do_bench, bench_siv_decrypt_do_bench)
	(bench_siv_authenticate_do_bench, siv_encrypt_ops)
	(siv_decrypt_ops, siv_authenticate_ops): New.
	(cipher_modes): Add SIV mode benchmarks.
	(cipher_bench_one): Restrict SIV mode testing to 16 byte block-size.

	mpi/longlong: fix variable shadowing from MIPS umul_ppmm macros.
	+ commit 9e3b0446653fda6912e91fae84883cdbefdc2195
	* mpi/longlong.h [__mips__ && W_TIPE_SIZE == 32] (umul_ppmm): Rename
	temporary variable '_r' to '__r'.
	[__mips && W_TIPE_SIZE == 64] (umul_ppmm): Ditto.

2021-08-23  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Use offsetof for allocation of gcry_md_context.
	+ commit 581e04386d875672ba6c3fc4a4232ca72bc46c8c
	* cipher/md.c (md_open): Allocate exact space for the allocation and
	use offsetof for the calculation.

2021-08-19  NIIBE Yutaka  <gniibe@fsij.org>

	hmac: Don't have the second implementation of hmac256.
	+ commit c9acca865ba4abaa4443712f87fb8926fe7ad8b7
	* src/Makefile.am (libgcrypt_la_SOURCES): Remove hmac256.
	* cipher/mac-hmac.c (selftests_sha256): Remove the tests.

	fips: Don't use gcry_check_version for integrity check any more.
	+ commit c11788e5641be26371adc90f63e5a191cfc796f8
	* src/visibility.h [FIPS_FORCE_FILE]: Remove ifdef/endif.

	fips: Use a .rodata1 section integrity check with hmac256.
	+ commit f02dc5235e4751c57b16683ee9a8ef53014c6d13
	* src/fips.c (hmac256_check): New.
	(check_binary_integrity): Use hmac256_check.

	build: Generate hash for integrity check with hmac256 (2).
	+ commit 24aaded244a2b9427f2e90e4bf7adf086e0e0fef
	* src/Makefile.am (libgcrypt.la.done): Use the rodata1 section.
	* src/fips.c (_gcry_fips_run_selftests): Only enable
	check_binary_integrity by ENABLE_HMAC_BINARY_CHECK.
	[ENABLE_HMAC_BINARY_CHECK] (hmac_for_the_implementation): New.
	[ENABLE_HMAC_BINARY_CHECK] (check_binary_integrity): Use
	hmac_for_the_implementation in rodata.

2021-08-18  NIIBE Yutaka  <gniibe@fsij.org>

	build: Generate hash for integrity check with hmac256.
	+ commit 3c89aad4a0d7f836fd747d4e2f0edfbf648ae318
	* configure.ac [ENABLE_HMAC_BINARY_CHECK]: Check objcopy.
	(USE_HMAC_BINARY_CHECK): New Automake conditional.

	* src/Makefile.am (libgcrypt.la.done): New target.
	[USE_HMAC_BINARY_CHECK] (libgcrypt.so.hmac): Compute the hash.
	[USE_HMAC_BINARY_CHECK] (libgcrypt.la.done): Add .hmac section.

	hmac: Fix hmac256 command option handling.
	+ commit 07c21dd7d134e6403c9ee4e09250ec577c9b2867
	* src/hmac256.c (main): Fix use of --stdkey.

	cipher: Fix the order of fields of gcry_md_context.
	+ commit cbbdc015bf522d4aff656ff0417b83144ab4bb2a
	* cipher/md.c (struct gcry_md_context): Fix for better memory usage.

2021-08-17  Jakub Jelen  <jjelen@redhat.com>

	tests: Generating large-enough DSA keys works in FIPS mode.
	+ commit 6e40fca726357f13790065a27e2a0b333129fc54
	The a93d678f previously added this condition, but the DSA key size
	changed since then to 2k, which is still allowed.

	* tests/pubkey.c (get_dsa_key_with_domain_new): DSA keys still work in
	  FIPS mode.

	dsa: Drop dead code.
	+ commit 564e51fde71116757cdb6bc813aacf481bb826ed
	 * cipher/dsa.c (generate): This function is never called in FIPS mode

	rsa: Do not allow 1024 RSA keys in FIPS mode.
	+ commit 034055ffdca28602a40c4d0b5997173e8597af18
	Previously, the condition was in generate_std, which is never called in
	FIPS mode.

	* cipher/rsa.c (generate_std): Remove dead code as FIPS is using
	  'generate_fips'
	  (generate_fips): Do not allow 1024 bit key generation

	tests: Avoid confusing 'success' on error message.
	+ commit 588b8bb6ef091db299ff2eade295d3119b62283a
	 * tests/pubkey.c (get_dsa_key_with_domain_new): Remove bogus "success"
	   on error.

2021-08-17  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Fix tests in fips mode and non-fips mode.
	+ commit 2ae56abd0eb60d755509d82155f52263bf2e37e8
	* tests/t-secmem.c (test_secmem): Only tweak when FIPS enabled.

2021-08-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Skip tests when FIPS for keygrip computations.
	+ commit 44c7c41af21c668826280abfee1257853020ba2d
	* tests/keygrip.c (check): Skip non-FIPS curves when FIPS.
	(main): Check if FIPS is enabled.

	cipher: Raise an error for non-approved digests correctly.
	+ commit acc1598ea891180660d1a531823a1b5385e7f4e6
	* cipher/md.c (md_enable): Remove check if it's enforced or not.

	fips: Fix tests in fips mode.
	+ commit 347817438990b7adf22dc71e4fb581e3232f03a7
	* src/global.c (_gcry_vcontrol): Don't check NO_SECURE_MEMORY for
	GCRYCTL_FIPS_MODE_P.
	* tests/t-secmem.c (test_secmem): Use smaller value.

2021-08-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/bench-slope: allow non-FIPS ECC benchmarking in non-FIPS mode.
	+ commit a5982e35088a382b49c0e95e9a87365202267601
	* tests/bench-slope.c (_ecc_bench): Check for 'in_fips_mode'.

2021-08-06  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Fix check_binary_integrity.
	+ commit ca6797c5c5c61a0eae1f5aa82988d4870fe5edab
	* src/fips.c: Define FIPS_FORCE_FILE macro earlier.
	(check_binary_integrity): Use the address of gcry_check_version.
	* src/visibility.h [FIPS_FORCE_FILE] (gcry_check_version): Allow
	internal use of exported function.

2021-08-05  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update checking headers.
	+ commit 538090d829483696de6342f2ea564b2e25d6a294
	* configure.ac (AC_CHECK_HEADERS): Remove sys/msg.h.

2021-08-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix values for DSA with larger key length.
	+ commit 8bf9ade071b80c1141d4a76d1b51b9a235b8b340
	* tests/pubkey.c (get_dsa_key_with_domain_new): Update.

	fips: Support LIBGCRYPT_FORCE_FIPS_MODE envvar.
	+ commit 7ac72ebaf7f723203c5fe9befa249e9bcc78ee92
	* src/fips.c (_gcry_initialize_fips_mode): Check the
	environment variable LIBGCRYPT_FORCE_FIPS_MODE.

2021-07-29  Jakub Jelen  <jjelen@redhat.com>

	tests: Verify unsupported KDF tests fail in FIPS mode.
	+ commit 0ab4e8063729147fb9abd463055785aac831bf5c
	* tests/t-kdf.c (check_pbkdf2): Verify tests based on algorithms
	  unsupported in FIPS mode fail.

	cipher: Do not use of non-approved digests in FIPS mode.
	+ commit 0f118c2dfb8e1236893c30a9b86e7e231c8e5758
	* cipher/md.c (md_enable): Block all non-approved digest algorithms, not
	  only the MD5 and do not drop from FIPS mode if not enforced.

	tests: Generating DSA from domain should fail in FIPS mode.
	+ commit a93d678fa5a349600fabdce3fbe5919837cdc282
	* tests/pubkey.c (get_dsa_key_with_domain_new): Expect failure in FIPS
	  mode
	  (check_x931_derived_key): Simplify testing for FIPS mode.
	  (main): Check for fips mode.

	tests: Transient DSA keys work in FIPS mode.
	+ commit 83893f3f77da986951be98306a82238c97522bc1
	* tests/pubkey.c (check_run): Enable tests with DSA transient keys which
	  work in FIPS.

	tests: Skip secmem overflow test in FIPS mode.
	+ commit 6df523bfb095bf4c3d9dc6a0699fefcdfc6cd594
	* tests/t-secmem.c (main): Skip overflow tests in FIPS mode because they
	  are fatal and there is no way to override the outofcore handler.

	tests: Expect the 192b ECDSA tests to fail in fips mode.
	+ commit d2a26b30b5dbfa7b26a606e5b2fe5c238ab1afa1
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): Expect ECDSA 192b keys to
	  fail in FIPS mode.
	  (main): Detect FIPS mode.

	tests: Expect curves 25519/448 to fail in FIPS mode.
	+ commit 3026148331523ec7ca81031339b5629431cafa23
	* tests/t-cv25519.c (test_cv_hl): Expect the operation to fail in FIPS
	  mode.
	  (test_cv_x25519, test_it): Ditto.
	  (main) Detect FIPS mode.
	* tests/t-ed25519.c (one_test): Expect the operation to fail in FIPS
	  mode.
	  (main) Detect FIPS mode.
	* tests/t-ed448.c (one_test): Expect the operation to fail in FIPS
	  mode.
	  (main) Detect FIPS mode.
	* tests/t-x448.c (test_cv_hl): Expect the operation to fail in FIPS
	  mode.
	  (test_cv_x448, test_cv): Ditto.
	  (main) Detect FIPS mode.

	tests: Skip unsupported mechanisms in FIPS mode.
	+ commit 55dbac435c5ba31ef140f72ce997662e5f9fe55b
	* tests/bench-slope.c (cipher_bench_one): Skip GCM mode in FIPS mode
	  (ecc_algo_fips_allowed): New function
	  (_ecc_bench): Skip algorithms disabled in FIPS mode
	  (main): Check for FIPS mode
	* tests/benchmark.c (cipher_bench): Skip GCM in FIPS mode

	tests: Do not expect GCM work in FIPS.
	+ commit f56a33df60dcce78c2b1aa5aeeee64549a26a0ce
	* tests/basic.c (check_one_cipher_core): Expect GCM ciphers to fail in
	  FIPS mode
	  (check_cipher_modes): Skip GCM ciphers tests as they fail quite late
	  in gcry_cipher_gettag().

	mac: Disable AES GMAC in FIPS mode.
	+ commit aa1e9ebf8bdbe6ed27c8667dbe4e1a69713210a5
	* cipher/mac-gmac.c (_gcry_mac_type_spec_gmac_aes): Remove FIPS flag

2021-07-29  NIIBE Yutaka  <gniibe@fsij.org>

	hwfeatures: Enable hardware support also in FIPS mode.
	+ commit 70e6cec07d86332f1aaf7a69bec75c7138306f6a
	* src/hwfeatures.c (_gcry_detect_hw_features): Remove skipping in FIPS
	mode.

	cipher: Support internal hashing for DSA and ECDSA signing.
	+ commit 4a3e71403225bd60a96d6747a8141a268bedda78
	* cipher/dsa-common.c (_gcry_dsa_compute_hash): New.
	* cipher/pubkey-internal.h (_gcry_dsa_compute_hash): New.
	* cipher/dsa.c (verify): Add FLAGS and HASHALGO.
	(test_keys): Follow the change of verify API.
	(sign, verify): Support PUBKEY_FLAG_PREHASH flag to hash internally.
	(selftest_sign): Test with "prehash" flag.
	* cipher/ecc-common.h (_gcry_ecc_ecdsa_verify): Add FLAGS and
	HASHALGO.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Support
	PUBKEY_FLAG_PREHASH flag to hash internally.
	(_gcry_ecc_ecdsa_verify): Likewise.
	* cipher/ecc.c (test_keys): Follow the change of
	_gcry_ecc_ecdsa_verify API.
	(selftest_sign): Test with "prehash" flag.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support handling
	of "hash-algo" and "value" with "prehash" flag.

2021-07-23  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Support internal hashing for RSA-PSS.
	+ commit 877be1bf9df0b4e9aed9036db1592a64582a4bac
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support
	"hash-algo" with "value" for internal hashing with RSA-PSS.
	* tests/basic.c (check_pubkey_sign): Add test cases.

	cipher: Extend RSA-PSS internal function for verify, too.
	+ commit 285b4cb70df1553c60fb5da6c94e1106694d4f9e
	* cipher/pubkey-internal.h (_gcry_rsa_pss_verify): Support internal
	hashing.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Use opaque MPI for
	RSA-PSS.
	* cipher/rsa-common.c (_gcry_rsa_pss_verify): Support internal
	hashing.
	* cipher/rsa.c (rsa_verify): Allow opaque MPI for RSA-PSS.

	cipher: Extend RSA-PSS internal function.
	+ commit 51307b1ceaa752d5a737b06ab0217d310faea403
	* cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Follow the change.
	* cipher/rsa-common.c (_gcry_rsa_pss_encode): Support internal hashing.

	cipher: Check by caller instead, not by callee for RSA-PSS.
	+ commit 652e115e10f2bd53d1e1fbe161c2528f4ca89012
	* cipher/pubkey-internal.h (_gcry_rsa_pss_encode): Change the API.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Before the call to
	_gcry_rsa_pss_encode, check the condition here, raise GPG_ERR_INV_ARG
	if it's not good.
	* cipher/rsa-common.c (_gcry_rsa_pss_encode): No check inside.

2021-07-15  NIIBE Yutaka  <gniibe@fsij.org>

	hmac: Use xfree.
	+ commit db9f7abb7af7b5c5bc2ec356c614a5cdb88d75a6
	* src/hmac256.c [STANDALONE] (xfree): Define.
	(_gcry_hmac256_new, _gcry_hmac256_release): Use xfree.
	(_gcry_hmac256_file): Likewise.

2021-07-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: use SHA256 instead of RMD160 for SHAKE extract testing.
	+ commit b98ca3f798abd17696f52163665204c4e83d9092
	* tests/basic.c (check_one_md): Use GCRY_MD_SHA256 as 'crcalgo' for
	SHAKE128/SHAKE256 testing.

2021-07-07  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix tests/basic.c for FIPS mode.
	+ commit ccb076e8aabb9c49e7026258b3a36a8422f6bbe4
	* tests/basic.c (main): Use bare gcry_control for
	GCRYCTL_FORCE_FIPS_MODE.

	tests: Skip unavailable ciphers in FIPS mode.
	+ commit 61c87070abc4baeb9d847db015e6a3031f349483
	* tests/basic.c (_check_poly1305_cipher):
	(check_ocb_cipher_largebuf_split): Skip unavailable ciphers when
	IN_FIPS_MODE.
	(check_ocb_cipher_checksum, check_gost28147_cipher_basic): Likewise.

2021-07-07  NIIBE Yutaka  <gniibe@fsij.org>
	    Jakub Jelen  <jjelen@redhat.com>

	tests: Fix messages to STDERR when FIPS mode is enabled.
	+ commit 297d31294333f39201ae6f387108300b311bedd1
	* tests/basic.c (check_digests): Emit message when IN_FIPS_MODE.
	(check_hmac, check_mac): Likewise.

2021-07-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rinjdael-s390x: fix UBSAN warning on using index beyond end of array.
	+ commit 4b76fa6a1f924a56d2a8c323a9c2d95de763d0dc
	* cipher/rijndael-s390x.c (aes_s390x_ocb_get_l): New.
	(aes_s390x_ocb_enc, aes_s390x_ocb_dec, aes_s390x_ocb_auth): Use
	'aes_s390x_ocb_get_l'.

2021-07-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ec: add zSeries/s390x accelerated scalar multiplication.
	+ commit 69fdcb5433236c4fc5d24c1dcc269424a088086c
	* cipher/asm-inline-s390x.h (PCC_FUNCTION_*): New.
	(pcc_query, pcc_scalar_multiply): New.
	* mpi/Makefile.am: Add 'ec-hw-s390x.c'.
	* mpi/ec-hw-s390x.c: New.
	* mpi/ec-internal.h (_gcry_s390x_ec_hw_mul_point)
	(mpi_ec_hw_mul_point): New.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Call 'mpi_ec_hw_mul_point'.
	* src/g10lib.h (HWF_S390X_MSA_9): New.
	* src/hwf-s390x.c (s390x_features): Add MSA9.
	* src/hwfeatures.c (hwflist): Add 's390x-msa-9'.

	tests/t-mpi-point: add one more NIST P-256 reduction test-vector.
	+ commit 3f4a59299134c6804c5d29fb3f275ea0e04ac8ac
	* tests/t-mpi-point.c (check_ec_mul_reduction): Add second NIST P-256
	test vector from T5510.

2021-07-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: add X25519 and X448 scalar multiplication.
	+ commit 9911069388e762d2a85bc2a11ca6cfcc4c895e4f
	* tests/bench-slope.c (ECC_ALGO_X25519, ECC_ALGO_X448): New.
	(ecc_algo_name, ecc_algo_curve, ecc_nbits): Add X25519 and X448.
	(bench_ecc_mult_do_bench): Pass Y as NULL to ec_get_affine with
	X25519 and X448.
	(cipher_ecc_one): Run only multiplication bench for X25519 and X448.

	mpi: optimizations for MPI scanning and printing.
	+ commit 2fcac487069f9e40ff30366546624a8aff355b55
	* mpi/mpicoder.c (mpi_read_from_buffer): Add word-size buffer
	reading loop using 'buf_get_be(32|64)'.
	(mpi_fromstr): Use look-up tables for HEX conversion; Add fast-path
	loop for converting 8 hex-characters at once; Add string length
	parameter.
	(do_get_buffer): Use 'buf_put_be(32|64)' instead of byte writes; Add
	fast-path for reversing buffer with 'buf_get_(be64|be32|le64|le32)'.
	(_gcry_mpi_set_buffer): Use 'buf_get_be(32|64)' instead of byte reads.
	(twocompl): Use _gcry_ctz instead of open-coded if-clauses to get
	first bit set; Add fast-path for inverting buffer with
	'buf_get_(he64|he32)'.
	(_gcry_mpi_scan): Use 'buf_get_be32' where possible; Provide string
	length to 'mpi_fromstr'.
	(_gcry_mpi_print): Use 'buf_put_be32' where possible; Use look-up
	table for HEX conversion; Add fast-path loop for converting to
	8 hex-characters at once.
	* tests/t-convert.c (check_formats): Add new tests for larger values.

	mpi/ec: cache converted field_table MPIs.
	+ commit ef676b9c14da1c45db8f8538b740a8bbf603652d
	* mpi/ec.c (field_table_mpis): New.
	(ec_p_init): Cache converted field table MPIs.

	mpi_ec_get_affine: fast path for Z==1 case.
	+ commit 38d80fdfddd027fe87bf5508e453d3e2cdbaa337
	* mpi/ec.c (_gcry_mpi_ec_get_affine): Return X and Y as is
	if Z is 1 (for Weierstrass and Edwards curves).

	tests/t-mpi-point: add reduction test-vectors for secp256k1.
	+ commit 1652377763892213fa2cd53aa64884934b2c900f
	* tests/t-mpi-point.c (check_ec_mul_reduction): Add secp256k1 test
	vectors.

2021-06-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ec-nist: fix 'mod p' carry adjustment and output masking.
	+ commit fc92c609dfdbcf59a09ca3aaf53a1c1b8408c351
	* mpi/ec-inline.h (MASK_AND64, LIMB_OR64): New.
	[__x86_64__]: Use "rme" operand type instead of "g" to fix use
	of large 32-bit constants.
	* mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): At end,
	check if 's[]' is negative instead result of last addition, for
	output masks; Use 'p_mult' table entry for P instead of 'ctx->p'.
	(_gcry_mpi_ec_nist256_mod): Handle corner case were 2*P needs to be
	added after carry based subtraction.
	* tests/t-mpi-point.c (check_ec_mul_reduction): New.
	(main): Call 'check_ec_mul_reduction'.

2021-06-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/ec: add fast reduction for secp256k1.
	+ commit 6dfab8cfb94ccb485a15b13df3c499cbb06fddf2
	* mpi/ec.c (ec_secp256k1_mod): New.
	(field_table): Add 'secp256k1'.
	* tests/t-mpi-point.c (check_ec_mul): Add secp256k1 test vectors.

	mpi/ec: add fast reduction functions for NIST curves.
	+ commit 9d909cb67e70fd792926ac1e2ab305b2cc96bc27
	* configure.ac (ASM_DISABLED): New.
	* mpi/Makefile.am: Add 'ec-nist.c' and 'ec-inline.h'.
	* mpi/ec-nist.c: New.
	* mpi/ec-inline.h: New.
	* mpi/ec-internal.h (_gcry_mpi_ec_nist192_mod)
	(_gcry_mpi_ec_nist224_mod, _gcry_mpi_ec_nist256_mod)
	(_gcry_mpi_ec_nist384_mod, _gcry_mpi_ec_nist521_mod): New.
	* mpi/ec.c (ec_addm, ec_subm, ec_mulm, ec_mul2): Use
	'ctx->mod'.
	(field_table): Add 'mod' function; Add NIST reduction
	functions.
	(ec_p_init): Setup ctx->mod; Setup function pointers
	from field_table only if pointer is not NULL; Resize
	ctx->a and ctx->b only if set.
	* mpi/mpi-internal.h (RESIZE_AND_CLEAR_IF_NEEDED): New.
	* mpi/mpiutil.c (_gcry_mpi_resize): Clear all unused
	limbs also in realloc case.
	* src/ec-context.h (mpi_ec_ctx_s): Add 'mod' function.

	mpi/ec: small optimization for ec_mulm_448.
	+ commit ccfa9f2c1427b40483984198c3df41f8057f69f8
	* mpi/ec.c (ec_addm_448, ec_subm_448): Change order of sub_n and
	set_cond to remove need to clear 'n'.
	(ec_mulm_448): Use memcpy where possible; Use mpih_rshift where
	possible; Use mpih_lshift for doubling a3; Remove one addition
	at end.

	mpi/ec: small optimization for ec_mulm_25519.
	+ commit 9c12226c31d4fed4942c049724591a82c4428408
	* mpi/ec.c (ec_addm_25519): Remove one addition.
	(ec_subm_25519): Change order of add_n and set_cond to remove
	need to clear 'n'.
	(ec_mulm_25519): Avoid extra memory copies; Use _gcry_mpih_addmul_1
	for multiplying by 19 and adding; Remove one addition at end.

	mpi/longlong.h: fix missing macro parameter parentheses.
	+ commit 9722da5bfc4a519365f081b75319e96c4dd238f2
	* mpi/longlong.h [__alpha] (umul_ppmm): Add parentheses around
	used parameters.
	[__i370__] (sdiv_qrnnd): Ditto.
	[__mips__] (umul_ppmm): Ditto.
	[__vax__] (sdiv_qrnnd): Ditto.

	tests/t-mpi-point: add NIST curve multiplication test vectors.
	+ commit a0871a1e817f49e81b36b52e6b629f044bbd902e
	* tests/t-mpi-point.c (mpi_base10_scan, check_ec_mul): New.
	(main): Call 'check_ec_mul'.

	tests/bench-slope: add ECC benchmarking.
	+ commit 57cf83834bc00a7431378aabda692bf700e4876c
	* tests/bench-slope.c (bench_print_result_nsec_per_iteration): New.
	(bench_print_header_nsec_per_iteration): New.
	(kdf_bench_one, kdf_bench): Use new print helper functions.
	[USE_ECC]: New ECC benchmarks.
	(ecc_bench): New.
	(print_help): Add 'ecc' option.
	(main): Add ECC benchmarks.

	tests/benchmark: add benchmark for Ed448.
	+ commit b53abf7905e05c39a2bdeffb77414458d2697d89
	* tests/benchmark.c (ecc_bench): Add Ed448.

2021-06-17  Werner Koch  <wk@gnupg.org>

	ecc: Fix bug in gcry_pk_get_param for Curve25519.
	+ commit 692e9b1935ed4ad9517077c1f87da41ddefb9937
	* cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Simplify.

	* cipher/pubkey.c (map_algo): Also map EDDSA to ECC.
	* tests/curves.c (check_get_params): Add simple param lookup tests by
	for all curves.

2021-06-16  Johannes Schindelin via Gcrypt-devel  <gcrypt-devel@gnupg.org>

	build: Fix broken mlock detection.
	+ commit 66ff25ed4a8fd0c6897d8b18600be483c90ee436
	* acinclude.m4 [GNUPG_CHECK_MLOCK]: Use size_t for the ptr test.

2021-06-02  Werner Koch  <wk@gnupg.org>

	cipher: Extend convenience OID mapping table for AES.
	+ commit 585f153e1f741c1952c8e8c1a7f3a89a1e641572
	* cipher/rijndael.c: Add OIDs for GCM and CCM.

	Minor tweak to gcry_free.
	+ commit b6de4080a97385423b6a78fd400606d31093806f
	* src/global.c (_gcry_free): Avoid setting errno again if it did not
	change.

2021-06-01  NIIBE Yutaka  <gniibe@fsij.org>

	random: Silence a warning for building rndjent by Clang.
	+ commit f6a4e22d86d2e2e03d164ec6515bb662eb762ef3
	* random/jitterentropy-base.c: Conditionalize by __OPTIMIZE__.

2021-05-27  NIIBE Yutaka  <gniibe@fsij.org>

	build: _DARWIN_C_SOURCE should be 1.
	+ commit b9a14725ec13747dab1d96658b2f7ce09b1ec874
	* configure.ac (*-apple-darwin*): Set _DARWIN_C_SOURCE 1.

2021-05-26  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix ElGamal encryption for other implementations.
	+ commit 632d80ef30e13de6926d503aa697f92b5dbfbc5e
	* cipher/elgamal.c (gen_k): Remove support of smaller K.
	(do_encrypt): Never use smaller K.
	(sign): Folllow the change of gen_k.

2021-05-17  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	cipher: Fix memory leaks for EdDSA.
	+ commit 14bb6d4ea0dcb4db008057df93396d105d4a8672
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Initialize point Q when used.

2021-05-17  H.J. Lu  <hjl.tools@gmail.com>

	Always include <config.h> in cipher assembly codes.
	+ commit a1f5d87ed49beaab2e4754532b84bd201ef3f68c
	* cipher/poly1305-s390x.S: Always include <config.h>.

2021-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix the input length check for Montgomery curve.
	+ commit 5f814e8a4968c01a7ffc7762bcaf3ce040594caf
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.

2021-04-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-x86: fix use of wrong operand type.
	+ commit ec87511d9cd2dc31434e939b6351d74a38d4ceaa
	* src/hwf-x86.c (get_cpuid): Use xchg for swapping %ebx back
	and forth between operand register.

2021-04-27  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Check the input length for the point.
	+ commit 060c378c050e7ec6206358c681a313d6e1967dcf
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
	of valid point representation.

2021-04-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	keccak: add hash_buffers functions for SHAKE128 & SHAKE256.
	+ commit e866c01e645d35475614d892665ac1c09513156d
	* cipher/keccak.c (_gcry_shake128_hash_buffers)
	(_gcry_shake256_hash_buffers): New.
	(_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): Add
	hash_buffers pointer.

	hash_buffers: add output length param for XOF support.
	+ commit eb96baf28473302b3d78187de92eb10093919f18
	* src/cipher-proto.h (gcry_md_hash_buffers_t): Add nbytes parameter
	for outbuf size for XOF algorithms.
	* cipher/md.c (_gcry_md_hash_buffer)
	(_gcry_md_hash_buffers_extract): Adjust for spec->hash_buffers
	parameter change.
	* cipher/keccak.c (_gcry_sha3_hash_buffers): Add nbytes parameter and
	handling for XOF output.
	* cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add nbytes parameter for
	hash_buffers.
	* cipher/rmd160.c (_gcry_rmd160_hash_buffers): Add nbytes parameter.
	* cipher/sha1.c (_gcry_sha1_hash_buffers): Add nbytes parameter.
	(_gcry_sha1_hash_buffer): Pass nbytes to _gcry_sha1_hash_buffers.
	* cipher/sha256.c (_gcry_sha256_hash_buffers)
	(_gcry_sha224_hash_buffers): Add nbytes parameter.
	* cipher/sha512.c (_gcry_sha512_hash_buffers)
	(_gcry_sha384_hash_buffers, _gcry_sha512_256_hash_buffers)
	(_gcry_sha512_224_hash_buffers): Add nbytes parameter.
	* cipher/sm3.c (_gcry_sm3_hash_buffers): Add nbytes parameter.

	md: remove hash_buffer function from algorithms.
	+ commit 580ae61db5fe47b558135c2c794fd72c2680fa20
	* cipher/md.c (_gcry_md_hash_buffer): Remove used of
	'spec->hash_buffer'.
	* cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Remove *_hash_buffer.
	* cipher/crc.c: Remove spec hash_buffer NULL pointers.
	* cipher/gostr3411-94.c: Remove spec hash_buffer NULL pointers.
	* cipher/keccak.c (_gcry_sha3_hash_buffer
	(_gcry_sha3_224_hash_buffer, _gcry_sha3_256_hash_buffer): Remove.
	(_gcry_sha3_384_hash_buffer, _gcry_sha3_512_hash_buffer): Remove.
	* cipher/md2.c: Remove spec hash_buffer NULL pointers.
	* cipher/md4.c: Remove spec hash_buffer NULL pointers.
	* cipher/md5.c: Remove spec hash_buffer NULL pointers.
	* cipher/rmd160.c (_gcry_rmd160_hash_buffer): Remove.
	* cipher/sha1.c (_gcry_sha1_hash_buffer): Rewrite using
	_gcry_sha1_hash_buffers.
	(_gcry_sha1_hash_buffers): Make static.
	(_gcry_digest_spec_sha1): Remove hash_buffer pointer.
	* cipher/sha256.c (_gcry_sha256_hash_buffer)
	(_gcry_sha224_hash_buffer): Remove.
	(_gcry_sha256_hash_buffers): Make static.
	* cipher/sha512.c (_gcry_sha512_hash_buffer)
	(_gcry_sha384_hash_buffer, _gcry_sha512_256_hash_buffer)
	(_gcry_sha512_224_hash_buffer): Remove.
	(_gcry_sha512_hash_buffers): Make static.
	* cipher/sm3.c (_gcry_sm3_hash_buffer): Remove.
	(_gcry_sm3_hash_buffers): Make static.
	* cipher/stribog.c: Remove spec hash_buffer NULL pointers.
	* cipher/tiger.c: Remove spec hash_buffer NULL pointers.
	* cipher/whirlpool.c: Remove spec hash_buffer NULL pointers.
	* src/cipher-proto.h (gcry_md_hash_buffer_t): Remove.
	(gcry_md_spec_t): Remove 'hash_buffer'.
	* src/cipher.h (_gcry_rmd160_hash_buffer, _gcry_sha1_hash_buffers)
	(_gcry_sha256_hash_buffer, _gcry_sha256_hash_buffers)
	(_gcry_sha512_hash_buffer, _gcry_sha512_hash_buffers)
	(_gcry_sm3_hash_buffer, _gcry_sm3_hash_buffers): Remove.

	Add XOF output support for internal _gcry_md_hash_buffers.
	+ commit f53d541d0947a894e6f09b4568658a859505a649
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d, _gcry_ecc_eddsa_sign)
	(_gcry_ecc_eddsa_verify): Use same _gcry_md_hash_buffers_extract code
	path for SHA512 and SHAKE256.
	* cipher/md.c (_gcry_md_hash_buffers): Rename to ...
	(_gcry_md_hash_buffers_extract): ... this; Add digestlen and handling
	for XOF algorithms (SHAKE128, SHAKE256).
	(_gcry_md_hash_buffers): New.
	* src/gcrypt-int.h (_gcry_md_hash_buffers_extract): New.

	Use memset for constant length wipememory2.
	+ commit 4770ad72607f73b9d529511c687556a6b4109875
	* src/g10lib.h (fast_wipememory2_inline): New.
	(wipememory2): Use 'fast_wipememory2_inline', remove 'fast_wipememory2'
	use; Use _gcry_fast_wipememory* when _len or _set is not constant.
	(fast_wipememory_s, fast_wipememory2): Remove.

2021-04-19  Werner Koch  <wk@gnupg.org>

	Release 1.9.3.
	+ commit cb78627203705365d24b48ec4fc4cf2fc804b277


2021-04-15  NIIBE Yutaka  <gniibe@fsij.org>
	    Jakub Jelen  <jjelen@redhat.com>

	cipher: Fix memory leaks for EdDSA.
	+ commit a8d6c6c1b258548260748eefba0532fd35c8ce47
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Free the point Q.
	(_gcry_ecc_eddsa_verify): Avoid memory leaks for points and MPIs.

2021-04-13  NIIBE Yutaka  <gniibe@fsij.org>

	api: Avoid use of C99 feature.
	+ commit 9c42db0b379c277ee976fcc696e84e31863a85a8
	* src/gcrypt.h.in (enum gcry_md_algos): Remove last comma.

	random: Fix for iOS.
	+ commit 0007f889bda884e40459ad86f13b6cd8b14c91df
	* random/rndlinux.c [TARGET_OS_IPHONE]: Don't define HAVE_GETENTROPY.

	cipher: Hardening ElGamal by introducing exponent blinding too.
	+ commit e8b7f10be275bcedb5fc05ed4837a89bfd605c61
	* cipher/elgamal.c (do_encrypt): Also do exponent blinding.

2021-04-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: harden add_n_cond, sub_n_cond and abs_cond against EM leakage.
	+ commit 9bc3d8de6e2a8cdef37c118f0a70376ed777eeee
	* mpi/mpih-const-time.c (_gcry_mpih_add_n_cond)
	(_gcry_mpih_sub_n_cond): Always perform calculation with both UP and
	VP; Use two masks for selecting output.
	(_gcry_mpih_abs_cond): Always calculate absolute value of UP; Use
	two masks for selecting output.

	mpi: harden set_cond functions against EM leakage.
	+ commit c7c25b6e6e6b52bbed26d8016145c404eb118f19
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Use two masks for
	selecting output.
	* mpi/mpiutil.c (_gcry_mpi_set_cond): Use two masks for selecting
	output.

	mpi: harden swap_cond functions against EM leakage.
	+ commit 1266f5bb02b7f76f2e4697ecfb85ef19c2ae04a9
	* mpi/mpih-const-time.c (vzero, vone): New.
	(_gcry_mpih_swap_cond): Use two masks for selecting output.
	* mpi/mpiutil.c (vzero, vone): New.
	(_gcry_mpi_swap_cond): Use to masks for selecting output.

2021-04-02  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Return GPG_ERR_INV_KEYLEN when wrong key length.
	+ commit 840713de1a685920b6b1e1379902d545eccc74cf
	* cipher/idea.c (do_setkey): Return GPG_ERR_INV_KEYLEN.
	* cipher/rfc2268.c (setkey_core): Likewise.
	* cipher/serpent.c (serpent_setkey_internal): Likewise.
	(serpent_setkey): Likewise.

2021-04-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher-gcm-ppc: add big-endian support.
	+ commit aaa30381eac3cdb49a21e279b2d89ef6e695a138
	* cipher/cipher-gcm-ppc.c (ALIGNED_16): New.
	(vec_store_he, vec_load_he): Remove WORDS_BIGENDIAN ifdef.
	(vec_dup_byte_elem): New.
	(_gcry_ghash_setup_ppc_vpmsum): Match function declaration with
	prototype in cipher-gcm.c; Load C2 with VEC_LOAD_BE; Use
	vec_dup_byte_elem; Align constants to 16 bytes.
	(_gcry_ghash_ppc_vpmsum): Match function declaration with
	prototype in cipher-gcm.c; Align constant to 16 bytes.
	* cipher/cipher-gcm.c (ghash_ppc_vpmsum): Return value from
	_gcry_ghash_ppc_vpmsum.
	* cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): Remove requirement
	for !WORDS_BIGENDIAN.

	mpi/aarch64: use C_SYMBOL_NAME for assembly function names.
	+ commit 1cf5a568f2b2f2c3d83c154cdcf5a40aa1f83c50
	* mpi/aarch64/mpih-add1.S: Add missing C_SYMBOL_NAME.
	* mpi/aarch64/mpih-mul1.S: Add missing C_SYMBOL_NAME.
	* mpi/aarch64/mpih-mul2.S: Add missing C_SYMBOL_NAME.
	* mpi/aarch64/mpih-mul3.S: Add missing C_SYMBOL_NAME.
	* mpi/aarch64/mpih-sub1.S: Add missing C_SYMBOL_NAME.

2021-03-31  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit d2b3d046fc66a3166dc0c003a430ce756532ff74
	* m4/gpg-error.m4: Update from libgpg-error.

2021-03-30  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix for make distcheck, no EPS support.
	+ commit 35917373d64521d9c0d33b5fa9b60abd28964dd4
	* Makefile.am (AM_DISTCHECK_DVI_TARGET): Specify 'pdf'.
	* doc/Makefile.am (EXTRA_DIST, BUILT_SOURCES): Remove .eps files.

	ecc: Fix the regression of gcry_mpi_ec_add.
	+ commit 45e88b8ec6dfbd8f981ca89ded80ef48eca6f0e9
	* mpi/ec.c (_gcry_mpi_ec_point_resize): Export the routine
	for internal use.
	(add_points_edwards, _gcry_mpi_ec_mul_point): Use mpi_point_resize.
	* src/gcrypt-int.h (_gcry_mpi_ec_point_resize): Declare.

	* src/visibility.c (gcry_mpi_ec_dup, gcry_mpi_ec_add): Make sure for
	the size of limb before calling the internal functions.
	(gcry_mpi_ec_sub): Likewise.

2021-03-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-s390x: fix checksum calculation in OCB decryption.
	+ commit 68bb0ddc5504c9c0f3f52259a4085bb2fc1a02ad
	* cipher/rijndael-s390x.c (aes_s390x_ocb_dec): Calculate checksum
	after decryption instead of inlining.

	tests/basic: OCB large buffer check: make input buffer non-repeatable.
	+ commit 21c273cecfd58408b8d3287f5bc8c246c3010313
	* tests/basic.c (check_ocb_cipher_largebuf_split): Use SHA1 to
	initialize input buffer.
	(check_ocb_cipher): Update largebuf test vectors.

	tests/basic: add decryption check to check_ocb_cipher_checksum.
	+ commit 56da81ac47209dc41af08a129f5e0c15538261b2
	* tests/basic.c (check_ocb_cipher_checksum): Add decryption.

2021-03-25  NIIBE Yutaka  <gniibe@fsij.org>

	build: Remove intermediate PDF files from EXTRA_DIST.
	+ commit 52f6e95159885431f3c7e9f64290d0132ca547ef
	* doc/Makefile.am (EXTRA_DIST): Remove PDF files.
	(BUILT_SOURCES): Likewise.

2021-03-24  Werner Koch  <wk@gnupg.org>

	ecc: Fix keygrip computation for compressed points.
	+ commit c8c38757c428871af980a548bc38f38e5d9238d1
	* cipher/ecc-misc.c (_gcry_ecc_ec2os): Factor most code out to ...
	(_gcry_ecc_ec2os_buf): new.
	* cipher/ecc.c (compute_keygrip): Handle compressed keys.
	* tests/keygrip.c: Add new tests.

2021-03-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Compile arch specific GCM implementations only on target arch.
	+ commit 43302b960f546fd60ed7fefb2b0404ee69491e93
	* cipher/Makefile.am: Move arch specific 'cipher-gcm-*.[cS]' files
	from libcipher_la_SOURCES to EXTRA_libcipher_la_SOURCES.
	* configure.ac: Add 'cipher-gcm-intel-pclmul.lo' and
	'cipher-gcm-arm*.lo'.

	configure.ac: fix digest implementations going to cipher list.
	+ commit 8892510bb8f45438144a7449440fcb32ae4c5f7b
	* configure.ac: Add 'crc-arm*.lo', 'crc-ppc.lo', 'sha*-ppc.lo' to
	GCRYPT_DIGESTS instead of GCRYPT_CIPHERS.

	cipher-gcm-ppc: tweak for better performance.
	+ commit 760ef8baee06db5ce4da55eb5648e605aa511d2d
	* cipher/cipher-gcm-ppc.c (asm_xor, asm_mergelo, asm_mergehi)
	(vec_be_swap, vec_load_he, vec_store_he): New.
	(vec_load_be, vec_perm2, vec_aligned_st, vec_aligned_ld): Remove.
	(asm_vpmsumd, asm_swap_u64, vec_perm2, asm_rot_block_left)
	(asm_rot_block_right, asm_ashl_128, vec_aligned_ld)
	(_gcry_ghash_setup_ppc_vpmsum): Update 'bswap_const'.
	(_gcry_ghash_ppc_vpmsum): Update 'bswap_const'; Use 'asm_mergehi'
	and 'asm_mergelo' instead of vec_perm2; Use 'asm_xor' for
	fast path to enforce instruction ordering; Use 'vec_load_he' and
	'vec_be_swap' for big-endian loads.

2021-03-07  Shawn Landden  <shawn@git.icu>

	VPMSUMD acceleration for GCM mode on PPC.
	+ commit 440332532a1c107e2baeafda5464e0707f634be1
	* cipher/Makefile.am: Add 'cipher-gcm-ppc.c'.
	* cipher/cipher-gcm-ppc.c: New.
	* cipher/cipher-gcm.c [GCM_USE_PPC_VPMSUM] (_gcry_ghash_setup_ppc_vpmsum)
	(_gcry_ghash_ppc_vpmsum, ghash_setup_ppc_vpsum, ghash_ppc_vpmsum): New.
	(setupM) [GCM_USE_PPC_VPMSUM]: Select ppc-vpmsum implementation if
	HW feature "ppc-vcrypto" is available.
	* cipher/cipher-internal.h (GCM_USE_PPC_VPMSUM): New.
	(gcry_cipher_handle): Move 'ghash_fn' at end of 'gcm' block to align
	'gcm_table' to 16 bytes.
	* configure.ac: Add 'cipher-gcm-ppc.lo'.
	* tests/basic.c (_check_gcm_cipher): New AES256 test vector.
	* AUTHORS: Add 'CRYPTOGAMS'.
	* LICENSES: Add original license to 3-clause-BSD section.

2021-03-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	src/hwfeatures: add reminder about documenting new HW features.
	+ commit 7c4c992fe96f781e387bd26a11b17e70a27aa3c0
	* src/hwfeatures.c (hwflist): Add comment about updating
	'doc/gcrypt.texi' with new HW features.

2021-03-06  Jakub Jelen  <jjelen@redhat.com>

	doc: Document newly added optimizations.
	+ commit 49ab649c69951cd7b6d40d3527e21db51d93a207
	* doc/gcrypt.texi: Add HW features 'intel-vaes-vpclmul', 'ppc-vcrypto',
	'ppc-arch_3_00', 'ppc-arch_2_07', 's390x-msa', 's390x-msa-4',
	's390x-msa-8' and 's390x-vx'.

2021-03-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	poly1305: make --disable-asm work on x86, aarch64 and ppc.
	+ commit 2b84da922660918129c610f4d27cb5c510ab0489
	* cipher/poly1305.c [__aarch64__] (ADD_1305_64): Check for
	HAVE_CPU_ARCH_ARM.
	[__x86_64__] (ADD_1305_64): Check for HAVE_CPU_ARCH_X86.
	[__powerpc__] (ADD_1305_64): Check for HAVE_CPU_ARCH_PPC.
	[__i386__] (ADD_1305_32): Check for HAVE_CPU_ARCH_X86.

	poly1305: fix compiling on i386 gcc-4.7.
	+ commit bcb180190e8921356c039b0475fd71f2c45d986d
	* cipher/poly1305.c [__i386__]: Limit i386 variant of ADD_1305_32 to
	GCC-5 or newer.

	cipher-gcm-intel-pclmul: fix compiling with i386 gcc-4.7.
	+ commit d1fcf3975c57c5312890199832100c8c363d5b18
	* cipher/cipher-gcm-intel-pclmul.c (gcm_lsh): Pass '*pconst' instead of
	'pconst' to asm block.

2021-02-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: add x86_64 VAES/AVX2 accelerated implementation.
	+ commit e72498a54fdead503fb0c1c93e2b747cd91e7681
	* cipher/Makefile.am: Add 'rijndael-vaes.c' and
	'rijndael-vaes-avx2-amd64.S'.
	* cipher/rijndael-internal.h (USE_VAES): New.
	* cipher/rijndael-vaes-avx2-amd64.S: New.
	* cipher/rijndael-vaes.c: New.
	* cipher/rijndael.c (_gcry_aes_vaes_cfb_dec, _gcry_aes_vaes_cbc_dec)
	(_gcry_aes_vaes_ctr_enc, _gcry_aes_vaes_ocb_crypt)
	(_gcry_aes_vaes_xts_crypt): New.
	(do_setkey) [USE_VAES]: Add detection for VAES.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128)
	[USE_VAES]: Increase number of selftest blocks.
	* configure.ac: Add 'rijndael-vaes.lo' and
	'rijndael-vaes-avx2-amd64.lo'.

	rijndael-aesni: add 8-block parallel code path for XTS.
	+ commit ffe1d53197031eeb65601c5aeafe55e78079a75e
	* cipher/rijndael-aesni.c (xts_gfmul_const): Fix array size from 16
	to 2.
	(_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_dec) [__x86_64__]: Add
	8-block parallel code paths.

	camellia: add x86_64 VAES/AVX2 accelerated implementation.
	+ commit 0e7e60241a0d054eae7a98116636a831ec6ccc97
	* cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.h' and
	'camellia-vaes-avx2-amd64.S'.
	* cipher/camellia-aesni-avx2-amd64.S: New, old content moved to...
	* cipher/camellia-aesni-avx2-amd64.h: ...here.
	(IF_AESNI, IF_VAES, FUNC_NAME): New.
	* cipher/camellia-vaes-avx2-amd64.S: New.
	* cipher/camellia-glue.c (USE_VAES_AVX2): New.
	(CAMELLIA_context): New member 'use_vaes_avx2'.
	(_gcry_camellia_vaes_avx2_ctr_enc, _gcry_camellia_vaes_avx2_cbc_dec)
	(_gcry_camellia_vaes_avx2_cfb_dec, _gcry_camellia_vaes_avx2_ocb_enc)
	(_gcry_camellia_vaes_avx2_ocb_dec)
	(_gcry_camellia_vaes_avx2_ocb_auth): New.
	(camellia_setkey): Check for HWF_INTEL_VAES.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
	(_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Add USE_VAES_AVX2 code.
	* configure.ac: Add 'camellia-vaes-avx2-amd64.lo'.

	hwf-x86: add "intel-vaes-vpclmul" HW feature.
	+ commit eb404d8904532f6dca82421c952be286a1f4e11c
	* configure.ac (HAVE_GCC_INLINE_ASM_VAES_VPCLMUL): New.
	* src/g10lib.h (HWF_INTEL_VAES_VPCLMUL): New.
	* src/hwf-x86.c (detect_x86_gnuc): Check for VAES and VPCLMUL.
	* src/hwfeatures.c (hwflist): Add "intel-vaes-vpclmul".

2021-02-17  Werner Koch  <wk@gnupg.org>

	Release 1.9.2.
	+ commit 24bd7e8215f7982b0c8db46fd87b47b370a52ec6


2021-02-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit 8e3cd4c4677c3b10ac6265a1b31f84c63c95cac4
	* m4/gpg-error.m4: Update from libgpg-error.

2021-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	random: Fix build for macOS.
	+ commit d78cdf42854b17e2216890e7b78f9e7e05c0b1f8
	* random/rndlinux.c [__APPLE__] (HAVE_GETENTROPY): Valid only when the
	macro __MAC_10_11 is available.

2021-02-08  Werner Koch  <wk@gnupg.org>

	tests: Fix minor glitches.
	+ commit 82395f11b444651f544f5e51c62fc6b65c04f9ef
	* tests/basic.c (ALWAYS_INLINE): Make sure it is defined.
	* tests/version.c (main): Print the config info to stdout.

	New test Makefile target xtestsuite.
	+ commit ebc4d5670a1ada54ad907a4836eb8f6f573c2c38
	* tests/Makefile.am (xtestsuite, xcheck): New targets.

	New test driver to allow for standalone regression tests.
	+ commit b142da4c88deef4798ef96061dac399df3ddd73d
	* tests/testdrv.c: New.

2021-02-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha256-avx2: fix reading beyond end of input buffer.
	+ commit 24af2a55d862d45fe3aef6b5626a52d9bb0fb17e
	* cipher/sha256-avx2-bmi2-amd64.S
	(_gcry_sha256_transform_amd64_avx2): Use 'last block' code path if
	input length is only one block.
	* tests/basic.c (check_one_md_final): Use dynamic allocated buffer
	so that in future similar access errors get detected by
	tests/basic + valgrind.

	ecc-ecdh: fix memory leak.
	+ commit 289543544e41cd5fe90352c5c7548ac09da533cc
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Free 'ec' at function exit.

	tests: allow running 'make check' with ASAN.
	+ commit f46a6bd9b3d7ef7d1a72c5b6da5cf34ace2ff156
	* tests/t-secmem.c (main): Skip test if environment variable
	GCRYPT_IN_ASAN_TEST is defined.
	* tests/t-sexp.c (main): Do not initialize secmem if environment
	variable GCRYPT_IN_ASAN_TEST is defined.

	global: make sure that bulk config string is null-terminated.
	+ commit 8716e4b2ada21456802aee67c2bc8edfec78f820
	* src/global.c (_gcry_get_config): Append null-terminator to output
	in the 'what == NULL' case.

	Add handling for -Og with O-flag munging.
	+ commit a71b7de32b0c7c41359335a488cfe4dd70c65121
	* cipher/Makefile.am (o_flag_munging): Add handling for '-Og'.
	* random/Makefile.am (o_flag_munging): Add handling for '-Og'.

	jent: silence ubsan warning about signed overflow.
	+ commit 6fc11291282a668839040c72a1d558a6ebbd4972
	* random/jitterentropy-base.c (jent_stuck): Cast 'delta2' values to
	'uint64_t' for calculation.

	Fix ubsan warnings for i386 build.
	+ commit 364e9e9d10503b36f98fbb1b489e00026f22c9d7
	* mpi/mpicoder.c (_gcry_mpi_set_buffer) [BYTES_PER_MPI_LIMB == 4]: Cast
	"*p--" values to mpi_limb_t before left shifting.
	* tests/t-lock.c (main): Cast 'time(NULL)' to unsigned type.

	Fix building with --disable-asm on x86.
	+ commit af23ab5c5482d625ff52e60606cf044e2b0106c8
	* cipher/keccak.c (USE_64BIT_BMI2, USE_64BIT_SHLD)
	(USE_32BIT_BMI2): Depend also on HAVE_CPU_ARCH_X86.
	* random/rndjent.c [__i386__ || __x86_64__] (USE_JENT): Depend
	also on HAVE_CPU_ARCH_X86.

	md: clear bctx.count at final function.
	+ commit cb95fc53003e9f34ff80fc33627ceda605de223c
	* cipher/md4.c (md4_final): Set bctx.count zero after
	finalizing.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (rmd160_final): Ditto.
	* cipher/sha1.c (sha1_final): Ditto.
	* cipher/sha256.c (sha256_final): Ditto.
	* cipher/sha512.c (sha512_final): Ditto.
	* cipher/sm3.c (sm3_final): Ditto.
	* cipher/stribog.c (stribog_final): Ditto.
	* cipher/tiger.c (tiger_final): Ditto.

2021-02-02  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add checking key for ECDSA.
	+ commit 598d0f3e0294a487e01b88cc714a8cd0a47329bb
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_verify): Validate public key.
	* cipher/ecc-gost.c (_gcry_ecc_gost_verify): Likewise.
	* cipher/ecc-sm2.c (_gcry_ecc_sm2_verify): Likewise.

2021-01-29  Werner Koch  <wk@gnupg.org>

	Release 1.9.1.
	+ commit 466299b1ceb82ec7c4dd0ca376de50399a896adf
	* configure.ac: Bump LT version to C23/A3/R1.

2021-01-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hash-common: fix heap overflow when writing more data after final.
	+ commit 512c0c75276949f13b6373b5c04f7065af750b08
	* tests/basic.c (check_one_md): Test writing to digest after read.
	* cipher/hash-common.c (_gcry_md_block_write): Reset 'hd->count' if
	greater than blocksize.

2021-01-28  Werner Koch  <wk@gnupg.org>

	Add a compliance keyword to gcry_get_config.
	+ commit aa3f595341eb263980210776c7fe377b2ed24c5e
	* src/global.c (print_config): New config line.

2021-01-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	asm-common-aarch64: add MacOS support for GET_DATA_POINTER.
	+ commit 014fed5153647641376b9131ea1d87dc5e88cf42
	* cipher/asm-common-aarch64.h [__APPLE__] (GET_DATA_POINTER): Add MacOS
	variant of macro.

2021-01-27  NIIBE Yutaka  <gniibe@fsij.org>

	random: Use getentropy on macOS when available.
	+ commit 6cb0faf6ceec5b2e799e6fb5f04b85d135a7da9b
	* random/rndlinux.c [__APPLE__ && __MACH__] (getentropy): Declare.
	(_gcry_rndlinux_gather_random): Check the symbol and use getentropy.

	mpi: Fix _gcry_mpih_mod implementation.
	+ commit f06ff4e31c8e162f4a59986241c7ab43d5085927
	* mpi/mpih-const-time.c (_gcry_mpih_mod): Handle the overflow.

	build: Check spawn.h for MacOS X Tiger.
	+ commit fc901e978a0c18a3524cad5d1ef3451ed11b9347
	* configure.ac: Add check for spawn.h.
	* tests/random.c: Only use posix_spawn if available.

2021-01-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	global: fix compile error at pragma GCC diagnostic.
	+ commit 3d095206c30d772d5fc68bf69bfc384e43f766e9
	* src/global.c (_gcry_vcontrol): Move "pragma GCC diagnostics" outside
	function.

	cipher-proto: remove forward typedef of cipher_bulk_ops_t.
	+ commit 17aad639d29c7c835a7effb89181c7c99b16cb6a
	* cipher/cipher-proto (cipher_bulk_ops_t): Remove typedef, leave
	forward declaration of 'struct cipher_bulk_ops'.
	(gcry_cipher_setkey_t): Change 'bulk_ops' to
	'struct cipher_bulk_ops *'.
	* cipher/arcfour.c: Include 'cipher-internal.h'.
	* cipher/gost28147.c: Ditto.
	* cipher/idea.c: Ditto.
	* cipher/rfc2268.c: Ditto.
	* cipher/salsa20.c: Ditto.
	* cipher/seed.c: Ditto.
	* cipher/mac-internal.h (CTX_MAGIC_NORMAL): Rename to...
	(CTX_MAC_MAGIC_NORMAL): ... this.
	(CTX_MAGIC_SECURE): Rename to...
	(CTX_MAC_MAGIC_SECURE): ... this.
	* cipher/mac-cmac.c (cmac_open): Use CTX_MAC_MAGIC_SECURE.
	* cipher/mac-gmac.c (gmac_open): Ditto.
	* cipher/mac-hmac.c (hmac_open): Ditto.
	* cipher/mac-poly1305.c (poly1305mac_open): Ditto.
	* cipher/mac.c (mac_open): Use CTX_MAC_MAGIC_SECURE and
	CTX_MAC_MAGIC_NORMAL.

2021-01-26  David Michael  <fedora.dm0@gmail.com>

	cipher/sha512: Fix non-NEON ARM assembly implementation.
	+ commit 1e72c50f864ae1c77ba80c191224b9ef1d22a2e2
	* cipher/sha512.c (do_transform_generic)
	[USE_ARM_ASM]: Switch to the non-NEON assembly implementation.

2021-01-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2: fix RIP register access for AVX/AVX2 implementations.
	+ commit b2f78ae034b8d4aa3d4cc7bf85262317832f6e0a
	* cipher/blake2b-amd64-avx2.S: Use rRIP instead of (RIP).
	* cipher/blake2s-amd64-avx.S: Use rRIP instead of (RIP).

	sha512/sha256: remove assembler macros from AMD64 implementations.
	+ commit 9f49e806f9506533236fd44b17f17b85961b20f1
	* configure.ac (gcry_cv_gcc_platform_as_ok_for_intel_syntax): Remove
	assembler macro check from Intel syntax assembly support check.
	* cipher/sha256-avx-amd64.S: Replace assembler macros with C
	preprocessor counterparts.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

	configure.ac: run assembler checks through linker for better LTO support
	+ commit 393bd6c3d1aa2b2a1b05be0e2d7fb2514e6c5ad0
	* configure.ac (gcry_cv_gcc_arm_platform_as_ok)
	(gcry_cv_gcc_aarch64_platform_as_ok)
	(gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
	(gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
	(gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
	(gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_as_const_division_ok)
	(gcry_cv_gcc_as_const_division_with_wadivide_ok)
	(gcry_cv_gcc_amd64_platform_as_ok, gcry_cv_gcc_win64_platform_as_ok)
	(gcry_cv_gcc_platform_as_ok_for_intel_syntax)
	(gcry_cv_gcc_inline_asm_neon, gcry_cv_gcc_inline_asm_aarch32_crypto)
	(gcry_cv_gcc_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto)
	(gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00)
	(gcry_cv_gcc_inline_asm_s390x, gcry_cv_gcc_inline_asm_s390x): Use
	AC_LINK_IFELSE check instead of AC_COMPILE_IFELSE.

	rijndael: remove unused use_xxx flags.
	+ commit a14447f8169aff30a49f5c2ab06bd5bbd1cc3531
	* cipher/rijndael-internal.h (RIJNDAEL_context_s): Remove unused
	'use_padlock', 'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto'
	and 'use_ppc9le_crypto'.
	* cipher/rijndael.c (do_setkey): Do not setup 'use_padlock',
	'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto' and
	'use_ppc9le_crypto'.

	Define HW-feature flags per architecture.
	+ commit 8d404a629167d67ed56e45de3e65d1e0b7cdeb24
	* random/rand-internal.h (_gcry_rndhw_poll_slow): Add requested length
	parameter.
	* random/rndhw.c (_gcry_rndhw_poll_slow): Limit accounted bytes to 50%
	(or 25% for RDRAND) - this code is moved from caller side.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Move
	HWF_INTEL_RDRAND check to _gcry_rndhw_poll_slow.
	* src/g10lib.h (HWF_PADLOCK_*, HWF_INTEL_*): Define only if
	HAVE_CPU_ARCH_X86.
	(HWF_ARM_*): Define only if HAVE_CPU_ARCH_ARM.
	(HWF_PPC_*): Define only if HAVE_CPU_ARCH_PPC.
	(HWF_S390X_*): Define only if HAVE_CPU_ARCH_S390X.

	Add configure option to force enable 'soft' HW feature bits.
	+ commit 3b34bd6e178614d6021ee7d1140646f7c8ed7519
	* configure.ac (force_soft_hwfeatures)
	(ENABLE_FORCE_SOFT_HWFEATURES): New.
	* src/hwf-x86.c (detect_x86_gnuc): Enable HWF_INTEL_FAST_SHLD
	and HWF_INTEL_FAST_VPGATHER if ENABLE_FORCE_SOFT_HWFEATURES enabled.

2021-01-26  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Ed25519 private key handling for preceding ZEROs.
	+ commit 1b74f633bd3e358fb07a856a70597019980651d2
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fill-up or remove
	preceding ZEROs correctly, fixing the third argument of mpi_set_opaque.

	ecc: Fix initialization of CTX for sign and verify.
	+ commit 652b102697cbfe2d7bc642fc7374cb21a9cf03e6
	* cipher/ecc.c (ecc_sign, ecc_verify): Call
	_gcry_pk_util_init_encoding_ctx at first.

2021-01-21  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix build of tests with non-default installation.
	+ commit fa3420b011c105ca21894489e62c7e882a3ac4dd
	* tests/Makefile.am: Add forgotten @LDADD_FOR_TESTS_KLUDGE@.

2021-01-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Split inline assembly blocks with many memory operands.
	+ commit 00df9f27181d77166ceb55f319329400bf2e6a48
	* cipher/rijndael-aesni.c (aesni_ocb_checksum, aesni_ocb_enc)
	(aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Split assembly blocks
	with more than 4 memory operands to smaller blocks.
	* cipher/sha512-ssse3-i386.c (W2): Split big assembly block to
	three smaller blocks.

	tests/basic: fix build on ARM32 when NEON disabled.
	+ commit 81354e911bfa3e135d3e07f6a8d9e98033cd921a
	* tests/basic.c (CLUTTER_VECTOR_REGISTER_NEON)
	(CLUTTER_VECTOR_REGISTER_AARCH64): Remove check for __ARM_FEATURE_SIMD32.

	kdf: make self-test test-vector array read-only.
	+ commit 097148bc89ec8c18b9e4795733e0f0b1ae0ecd1d
	* cipher/kdf.c (selftest_pbkdf2): Make 'tv[]' constant.

	kdf: add missing null-terminator for self-test test-vector array.
	+ commit c6425a5537294dfe2beaafc9105f7af4ceac677f
	* cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.

	cipher/bithelp: use __builtin_ctzl when available.
	+ commit 807827cda3bacf5f475167ee6d34657713111838
	* cipher/bithelp.h (_gcry_ctz64): Use __builtin_ctzl if available.

	mpi/longlong: make use of compiler provided __builtin_ctz/__builtin_clz.
	+ commit 477355047e5c75ad2b2238a8716e4646b861184c
	* configure.ac (gcry_cv_have_builtin_ctzl, gcry_cv_have_builtin_clz)
	(gcry_cv_have_builtin_clzl): New checks.
	* mpi/longlong.h (count_leading_zeros, count_trailing_zeros): Use
	__buildin_clz[l]/__builtin_ctz[l] if available and bit counting
	macros not yet provided by inline assembly.

2021-01-19  Werner Koch  <wk@gnupg.org>

	Release 1.9.0.
	+ commit 0dc49af9b5371c5e2f766b70c3bede2b10db9f7e


2021-01-19  NIIBE Yutaka  <gniibe@fsij.org>

	Fix DSA for FIPS 186-3.
	+ commit 30ed9593f632c728d918598037358deaeccd1968
	* cipher/dsa.c (generate_fips186): Supply INITIAL_SEED to
	_gcry_generate_fips186_3_prime.
	* tests/fips186-dsa.c (check_dsa_gen_186_2): Add where tv comes from.
	(check_dsa_gen_186_3): Implement tests.
	* tests/pubkey.c (get_dsa_key_fips186_with_seed_new): Use the qbits
	and seed of tests/fips186-dsa.c.

2021-01-19  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	Check if FIPS is operational and error return if not.
	+ commit ebeae53222648c637907f4b358888fc0e7123dc9
	* src/visibility.c (gcry_kdf_derive): Add the check.
	(gcry_prime_generate, gcry_prime_group_generator): Likewise.
	(gcry_mpi_randomize): Likewise, but no return.

2021-01-18  Werner Koch  <wk@gnupg.org>

	ecc: Change an error code of gcry_ecc_mul_point.
	+ commit ca5a90bf70598247589078478d237287ca524453
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return
	GPG_ERR_UNKNOWN_CURVE.

2021-01-15  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	kdf: Add selftest.
	+ commit 7a0da24925361a3109474d0e433511467a9e35d1
	* src/cipher-proto.h (_gcry_kdf_selftest): New.
	* cipher/kdf.c (check_one, selftest_pbkdf2): New.
	(_gcry_kdf_selftest): New.
	* src/fips.c (run_kdf_selftests): New.
	(_gcry_fips_run_selftests): Call run_kdf_selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	cmac: Add selftest.
	+ commit 385a89e35b0b95f15b4c6e4d5482b1fc6906f7c5
	* cipher/mac-cmac.c (check_one, selftests_cmac_3des): New.
	(selftests_cmac_aes, cmac_selftest): New.
	(cmac_ops): Add cmac_selftest.
	* src/fips.c (run_mac_selftests): Add CMAC selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Raise an error when an integer is negative with USG.
	+ commit 00d7c1c632019066a4884930d413ccc044d81af5
	* src/sexp.c (do_vsexp_sscan): Return GPG_ERR_INV_ARG if negative.

2021-01-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add backward compatibility support for Ed25519 key in SEXP.
	+ commit 4768baf74be03d8973d004725f796aef329c45bf
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Support Ed25519 keys with
	parameter {p,a,b,g,n}.

	ecc: Minor implementation change for _gcry_ecc_get_curve.
	+ commit 3fe7036d05f283df9441d42242f0047b6ea11a32
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Flatten.

2020-12-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add s390x/zSeries implementation of Poly1305.
	+ commit 1f75681cbba895ea2f7ea0637900721f4522e729
	* cipher/Makefile.am: Add 'poly1305-s390x.S' and
	'asm-poly1305-s390x.h'.
	* cipher/asm-poly1305-s390x.h: New
	* cipher/chacha20-s390x.S (_gcry_chacha20_poly1305_s390x_vx_blocks8)
	(_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New, stitched
	chacha20-poly1305 implementation.
	* cipher/chacha20.c (USE_S390X_VX_POLY1305): New.
	(_gcry_chacha20_poly1305_s390x_vx_blocks8)
	(_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New prototypes.
	(_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt): Add
	s390x/VX stitched chacha20-poly1305 code-path.
	* cipher/poly1305-s390x.S: New.
	* cipher/poly1305.c (USE_S390X_ASM, HAVE_ASM_POLY1305_BLOCKS): New.
	[USE_S390X_ASM] (_gcry_poly1305_s390x_blocks1, poly1305_blocks): New.
	* configure.ac (gcry_cv_gcc_inline_asm_s390x): Check for 'risbgn' and
	'algrk' instructions.
	* tests/basic.c (_check_poly1305_cipher): Add large chacha20-poly1305
	test vector.

	Add s390x/zSeries implementation of ChaCha20.
	+ commit 6a0bb9ab7f886087d7edb0725c90485086a1c0b4
	* cipher/Makefile.am: Add 'asm-common-s390x.h' and 'chacha20-s390x.S'.
	* cipher/asm-common-s390x.h: New.
	* cipher/chacha20-s390x.S: New.
	* cipher/chacha20.c (USE_S390X_VX): New.
	(CHACHA20_context_t): Change 'use_*' bit-field to unsigned type; Add
	'use_s390x'.
	(_gcry_chacha20_s390x_vx_blocks8)
	(_gcry_chacha20_s390x_vx_blocks4_2_1): New.
	(chacha20_do_setkey): Add HW feature detect for s390x/VX.
	(chacha20_blocks, do_chacha20_encrypt_stream_tail): Add s390x/VX
	code-path.
	* configure.ac: Add 'chacha20-s390x.lo'.

	hwf-s390x: add VX vector instruction set detection.
	+ commit 1d13794780e3d052cd5ed6f900bf5900cf44b377
	* configure.ac (gcry_cv_gcc_inline_asm_s390x_vx): New check.
	* src/g10lib.h (HWF_S390X_VX): New.
	* src/hwf-s390x.c (HWCAP_S390_VXRS): New.
	(s390x_features) [HAVE_GCC_INLINE_ASM_S390X_VX]: Add VX feature check.
	* src/hwfeatures.c (hwlist): Add "s390x-vx".

	mpi/longlong: add s390x/zSeries macros.
	+ commit 0252cc9b62dfe20c77211f093b4fda54786177d3
	* mpi/longlong.h [__s390x__] (add_ssaaaa, sub_ddmmss, UTItype)
	(umul_ppmm, udiv_qrnnd): New.

2020-12-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-arm: fix incorrect HWCAP2 for SHA1 and SHA2 on AArch32.
	+ commit 6b6bfd57d0a6b2b4577c084db35078cd9fadafa5
	* src/hwf-arm.c (HWCAP2_SHA1, HWCAP2_SHA2): Change from bit indexes to
	flags.

	Add missing prototype for _gcry_mac_selftest.
	+ commit e47f04b4a28947c90db70ccaf93e149cfd5213c9
	* src/cipher-proto.h (_gcry_hmac_selftest): Rename to...
	(_gcry_mac_selftest): ... this.

2020-12-21  NIIBE Yutaka  <gniibe@fsij.org>

	Merge hmac-tests.c into mac-hmac.c.
	+ commit 2ab14b23afc092fd25395954c2a94db932ca4d95
	* cipher/Makefile.am (EXTRA_DIST): Remove hmac-tests.c.
	* cipher/hmac-tests.c: Remove, merge into...
	* cipher/mac-hmac.c: ... here.

2020-12-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add s390x/zSeries acceleration for SHA3.
	+ commit 7532e27cacb74c92fd561524a0897163b0fcd7f4
	* cipher/asm-inline-s390x.h (KLMD_PADDING_STATE): New.
	(kimd_execute): Change 'reg0' from read-only to read/write.
	(klmd_shake_execute): New.
	* cipher/keccak.c (USE_S390X_CRYPTO): New.
	(KECCAK_CONTEXT) [USE_S390X_CRYPTO]: New members.
	[USE_S390X_CRYPTO] (keccak_bwrite_s390x, keccak_final_s390x)
	(keccak_bextract_s390x, keccak_write_s390x, keccak_extract_s390x): New.
	(keccak_write) [USE_S390X_CRYPTO]: Use accelerated function if enabled.
	(keccak_final) [USE_S390X_CRYPTO]: Likewise.
	(keccak_extract) [USE_S390X_CRYPTO]: Likewise.
	(keccak_init) [USE_S390X_CRYPTO]: Detect and setup zSeries
	acceleration.

	Add s390x/zSeries acceleration for SHA512.
	+ commit 45f0ec0c4e3b08627cbf7e65f5f110c321710d01
	* cipher/sha512.c (USE_S390X_CRYPTO): New.
	(SHA512_CONTEXT) [USE_S390X_CRYPTO]: New members.
	(do_sha512_transform_s390x, do_sha512_final_s390x): New.
	(sha512_init_common) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha512_final) [USE_S390X_CRYPTO]: Use accelerated final function.

	Add s390x/zSeries acceleration for SHA256.
	+ commit 0b555c3cc7c2b80ec2628685946a6139a1996911
	* cipher/sha256.c (USE_S390X_CRYPTO): New.
	(SHA256_CONTEXT) [USE_S390X_CRYPTO]: New members.
	(do_sha256_transform_s390x, do_sha256_final_s390x): New.
	(sha256_common_init) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha256_final) [USE_S390X_CRYPTO]: Use accelerated final function.

	Add s390x/zSeries acceleration for SHA1.
	+ commit 88570515b4ca92a44c4e40c31f877c11cc00ab68
	* cipher/asm-inline-s390x.h (ALWAYS_INLINE): New.
	(klmd_query): New.
	(km_function_to_mask, kimd_execute, klmd_execute): Mark as always
	inline.
	* cipher/rijndael-s390x.c (ALWAYS_INLINE): Remove.
	* cipher/sha1.c (do_sha1_transform_s390x, do_sha1_final_s390x): New.
	(sha1_init) [SHA1_USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha1_final) [SHA1_USE_S390X_CRYPTO]: Use accelerated final function.
	* cipher/sha1.h (SHA1_USE_S390X_CRYPTO): New.
	(SHA1_CONTEXT) [SHA1_USE_S390X_CRYPTO]: New.

	Add bulk AES-GCM acceleration for s390x/zSeries.
	+ commit 5aeb091f911398217b2e9facb9bdeb05c63d7844
	* cipher/Makefile.am: Add 'asm-inline-s390x.h'.
	* cipher/asm-inline-s390x.h: New.
	* cipher/cipher-gcm.c [GCM_USE_S390X_CRYPTO] (ghash_s390x_kimd): New.
	(setupM) [GCM_USE_S390X_CRYPTO]: Add setup for s390x GHASH function.
	* cipher/cipher-internal.h (GCM_USE_S390X_CRYPTO): New.
	* cipher/rijndael-s390x.c (u128_t, km_functions_e): Move to
	'asm-inline-s390x.h'.
	(aes_s390x_gcm_crypt): New.
	(_gcry_aes_s390x_setup_acceleration): Use 'km_function_to_mask'; Add
	setup for GCM bulk function.

	Add bulk function interface for GCM mode.
	+ commit f4e63e92dc0b79633f48b11d292dd7bdf2752ede
	* cipher/cipher-gcm.c (do_ghash_buf): Proper handling for the case
	where 'unused' gets filled to full blocksize.
	(gcm_crypt_inner): New.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Use
	'gcm_crypt_inner'.
	* cipher/cipher-internal.h (cipher_bulk_ops_t): Add 'gcm_crypt'.

	Add s390x/zSeries acceleration for AES.
	+ commit 9219d9d1b60c01a4c7dbde05ee6b5b52e0d7d072
	* configure.ac: Add 'rijndael-s390x.lo'.
	* cipher/Makefile.am: Add 'rijndael-s390x.c'.
	* cipher/rijndael-internal.c (USE_S390X_CRYPTO): New.
	(RIJNDAEL_context_s) [USE_S390X_CRYPTO]: New 'km*_func' members.
	* cipher/rijndael-s390x.c: New.
	* cipher/rijndael.c (_gcry_aes_s390x_setup_acceleration)
	(_gcry_aes_s390x_setup_setkey)
	(_gcry_aes_s390x_setup_prepare_decryption, _gcry_aes_s390x_encrypt)
	(_gcry_aes_s390x_decrypt): New.
	(do_setkey) [USE_S390X_CRYPTO]: Add s390x acceleration setup.

	Add bulk function interface for OFB mode.
	+ commit f12b6788f2297391265af93a7794bfbc503de6d7
	* cipher/cipher-internal.h (cipher_bulk_ops): Add 'ofb_enc'.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Use bulk encryption
	function if defined.
	* cipher/basic.c (check_bulk_cipher_modes): Add OFB-AES test vectors.

	hwf: add detection of s390x/zSeries hardware features.
	+ commit 128054767d5f864798a39d432997f7d38c4bf729
	* configure.ac (gcry_cv_gcc_inline_asm_s390x)
	(HAVE_CPU_ARCH_S390X): Add s390x detection support.
	* mpi/config.links: Add setup for s390x links.
	* src/Makefile.am: Add 'hwf-s390x.c'.
	* src/g10lib.h (HWF_S390X_MSA, HWF_S390X_MSA_4, HWF_S390X_8): New.
	* src/hwf_common.h (_gcry_hwf_detect_s390x): New.
	* src/hwf-s390x.c: New.
	* src/hwfeatures.c: Add "s390x-msa", "s390x-msa-4" and "s390x-msa-8".

	tests/bench-slope: use same benchmarking for XTS as for other modes.
	+ commit 0e37bb32e215feb4716341f7053c4f54806645cb
	* tests/bench-slope.c (bench_xts_encrypt_init): Use same buffer
	sizes as other tests.
	(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench): Remove.
	(xts_encrypt_ops): Use 'bench_encrypt_do_bench'.
	(xts_decrypt_ops): Use 'bench_decrypt_do_bench'.

	aarch64: mpi/longlong.h: fix operand size mismatch.
	+ commit c59b5b03a063ebc73935dbb10bc4f568faddbedf
	* mpi/longlong.h [__aarch64__] (count_leading_zeros): Use correctly
	sized temporary variable for asm output.

	aarch64: use configure check for assembly ELF directives support.
	+ commit 8352b0ece5237e3f86f1525b072e8f690ad0fa94
	* configure.ac (gcry_cv_gcc_asm_elf_directives): New check.
	(HAVE_GCC_ASM_ELF_DIRECTIVES): New 'config.h' macro.
	* cipher/asm-common-aarch64.h (ELF): Change feature macro check from
	__ELF__ to HAVE_GCC_ASM_ELF_DIRECTIVES.

2020-12-18  NIIBE Yutaka  <gniibe@fsij.org>

	Reorganize self-tests for HMAC.
	+ commit c90fb0d8fb7a84bbcc8d6832de6a554405591850
	* cipher/Makefile.am: Prepare merge of hmac-test.c into mac-hmac.c.
	* cipher/hmac-tests.c: Ifdef-out run_selftests and _gcry_hmac_selftest.
	* cipher/mac-internal.h: Include cipher-proto.h for selftest.
	(gcry_mac_spec_ops): Add selftest field.
	* cipher/mac-hmac.c: Include hmac-tests.c for migration.
	(hmac_selftest) New.
	(hmac_ops): Add hmac_selftest.
	* cipher/gost28147.c, cipher/mac-cmac.c: Add new field for selftest.
	* cipher/mac-gmac.c, cipher/mac-poly1305.c: Likewise..
	* cipher/mac.c (_gcry_mac_selftest): New.
	* src/fips.c (run_mac_selftests): Rename from run_hmac_selftests.
	Use GCRY_MAC_HMAC_*, and call _gcry_mac_selftest.
	(_gcry_fips_run_selftests): Use run_mac_selftests.

2020-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Prevent link-time optimization from inlining __gcry_burn_stack.
	+ commit 1a83df98b198902ee6d71549231a3af37088d452
	* src/g10lib.h (NOINLINE_FUNC): New attribute macro.
	* src/misc.c (__gcry_burn_stack): Add NOINLINE_FUNC attribute.

	tests/basic: check 32-bit and 64-bit overflow for CTR and ChaCha20.
	+ commit 2065720b5b0642cc1a0e08086a434244ebb1abf2
	* tests/basic.c (check_one_cipher_ctr_reset)
	(check_one_cipher_ctr_overflow): New.
	(check_one_cipher): Add counter overflow tests for ChaCha20 and CTR
	mode.

	chacha20-ppc: fix 32-bit counter overflow handling.
	+ commit ed45eac3b721c1313902b977379fbd4886ccca7b
	* cipher/chacha20-ppc.c (vec_add_ctr_u64, ADD_U64): New.
	(_gcry_chacha20_ppc8_blocks1, _gcry_chacha20_ppc8_blocks4)
	(_gcry_chacha20_poly1305_ppc8_blocks4): Use ADD_U64 when incrementing
	counter.

2020-12-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Put a work around to tests/random for macOS.
	+ commit 9769b40b54cf010a0c41c4ab05a7a88e17d70613
	* configure.ac [*-apple-darwin*] (USE_POSIX_SPAWN_FOR_TESTS): New.
	* tests/random.c [USE_POSIX_SPAWN_FOR_TESTS] (run_all_rng_tests): New.

2020-11-18  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update to newer autoconf constructs.
	+ commit 9485ca7b5bf11194cff59edbfa6a0fba3bf6162a
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Use AS_MESSAGE_LOG_FD
	instead of AC_FD_CC.
	(GNUPG_CHECK_MLOCK): Use AC_LINK_IFELSE instead of AC_TRY_LINK.
	Use AC_RUN_IFELSE instead of AC_TRY_RUN.
	* configure.ac (AC_ISC_POSIX): Replace by AC_SEARCH_LIBS.
	Use AC_USE_SYSTEM_EXTENSIONS instead of AC_GNU_SOURCE.
	Use AS_HELP_STRING instead of AC_HELP_STRING.
	(AC_TYPE_SIGNAL): Remove.
	(AC_DECL_SYS_SIGLIST): Remove.
	* m4/Makefile.am (EXTRA_DIST): Update.
	* m4/onceonly.m4: Remove.
	* m4/socklen.m4: Update from gnulib.
	* m4/libtool.m4: Update from libgpg-error.
	* m4/gpg-error.m4: Update from libgpg-error.
	* m4/noexecstack.m4: Use AS_HELP_STRING instead of AC_HELP_STRING.

	build: Use modern Autoconf check for type.
	+ commit 425bf499185d78aa8fcad6a30b8771e7865d449d
	* configure.ac (byte, ushort, us6, u32, u64): Use AC_CHECK_TYPES.
	* cipher/poly1305.c: Use HAVE_TYPE_U64.
	* src/hmac256.c: HAVE_TYPE_U32.
	* src/types.h: Use HAVE_TYPE_BYTE, HAVE_TYPE_USHORT, HAVE_TYPE_U16,
	HAVE_TYPE_U32, and HAVE_TYPE_U64.

	m4: Update with newer autoconf constructs.
	+ commit 908e347fb68b28e180ac816b5050406358e81a0f
	* src/libgcrypt.m4: Replace AC_HELP_STRING to AS_HELP_STRING.

2020-10-30  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Handle removed zeros at the beginning for Ed25519.
	+ commit 361a0588489cf4a539da8debd1771024a1faa218
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Accept private
	key with removed zeros.

2020-10-23  Werner Koch  <wk@gnupg.org>

	random: Allow for a Unicode random seed file on Windows.
	+ commit 24341f58f0d38bd62c45d285bcf8472f82b56135
	* random/random-csprng.c (utf8_to_wchar) [W32]: New.
	(any8bitchar) [W32]: New.
	(my_open): New.  Replace all calls to open with this.

2020-10-01  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Fix typo in comment.
	+ commit 4a50c6b88d6d8d843e50add851a8a5e691349097
	* tests/basic.c: Fix typo in comment.

2020-09-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: clean-up prepare_decryption function.
	+ commit 2051d5bd6f732a36e5a536cba734531a9e2e915f
	* cipher/rijndael-internal.h (rijndael_prepare_decfn_t): New.
	(RIJNDAEL_context_s): New member 'prepare_decryption'.
	* cipher/rijndael-padlock.c (_gcry_aes_padlock_prepare_decryption): New.
	* cipher/rijndael.c (_gcry_aes_padlock_prepare_decryption): New.
	(do_setkey): Setup 'ctx->prepare_decryption' for each acceleration type.
	(prepare_decryption): Remove calls to other prepare decryption functions.
	(check_decryption_preparation): Call 'ctx->prepare_decryption' instead
	of 'prepare_decryption'.

	rijndael: clean-up generic bulk functions.
	+ commit 7679c918ade9d334bc80cb8c10916bbc847ff382
	* cipher/rijndael.c (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Remove
	calls to hardware accelerated AES bulk functions.

	cipher: setup bulk functions at each algorithms key setup.
	+ commit 51271eb86bcb0eb89e55a2add9607c503f182c89
	* cipher/cipher-internal.h (cipher_mode_ops_t, cipher_bulk_ops_t): New.
	(gcry_cipher_handle): Define members 'mode_ops' and 'bulk' using new
	types.
	* cipher/cipher.c (_gcry_cipher_open_internal): Remove bulk function
	setup.
	(cipher_setkey): Pass context bulk function pointer to algorithm setkey
	function.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter; Use bulk function returned by setkey function.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter.
	* cipher/arcfour.c (arcfour_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/blowfish.c (bf_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/camellia.c (camellia_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
	(_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/cast5.c (cast_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Make
	static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/chacha20.c (chacha20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/cast5.c (do_tripledes_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec): Make
	static.
	(bulk_selftest_setkey): Change 'hd' parameter to 'bulk_ops'.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(do_des_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/gost28147.c (gost_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/idea.c (idea_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rfc2268.c (do_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rijndael.c (do_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(rijndael_setkey): Change 'hd' parameter to 'bulk_ops'.
	(_gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
	(_gcry_aes_cbc_dec, _gcry_aes_ctr_enc, _gcry_aes_ocb_crypt)
	(_gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Make static.
	(selftest_basic_128, selftest_basic_192, selftest_basic_256): Pass
	'bulk_ops' to setkey function.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	* cipher/salsa20.c (salsa20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/seed.c (seed_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/serpent.c (serpent_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec, _gcry_serpent_cfb_dec)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/sm4.c (sm4_setkey): Change 'hd' parameter to 'bulk_ops'; Setup
	'bulk_ops' with bulk acceleration functions.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/twofish.c (twofish_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(_gcry_twofish_cfb_dec, _gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest, main): Pass 'bulk_ops' to setkey function.
	* src/cipher-proto.h: Forward declare 'cipher_bulk_ops_t'.
	(gcry_cipher_setkey_t): Replace 'hd' with 'bulk_ops'.
	* src/cipher.h: Remove bulk acceleration function prototypes for
	'aes', 'blowfish', 'cast5', 'camellia', '3des', 'serpent', 'sm4' and
	'twofish'.

2020-09-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: tidy do_setkey little bit.
	+ commit e0829ae648d9d9da67cd8a8fae7aa05774a0d0f7
	* cipher/rijndael.c (do_setkey): Reduce number of ifdefs by using
	function pointer for accelerated key-setup.

2020-09-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-aesni: tweak x86_64 AES-NI for better performance on AMD Zen2.
	+ commit f96989f0e9085fa58b475131d29b37f68ba564ec
	* cipher/rijndael-aesni.c (do_aesni_enc_vec8, do_aesni_dec_vec8): Move
	first round key xoring and last round out to caller.
	(do_aesni_ctr_4): Change low 8-bit counter overflow check to 8-bit
	addition to low-bits and detect overflow from carry flag; Adjust
	slow path to restore counter.
	(do_aesni_ctr_8): Same as above; Interleave first round key xoring and
	first round with CTR generation on fast path; Interleave last round
	with output xoring.
	(_gcry_aes_aesni_cfb_dec, _gcry_aes_aesni_cbc_dec): Add first round
	key xoring; Change order of last round xoring and output xoring
	(shorten the dependency path).
	(_gcry_aes_aesni_ocb_auth): Add first round key xoring and last round
	handling.

2020-08-26  Werner Koch  <wk@gnupg.org>

	build: Allow customization of the signing key.
	+ commit 9cd92ebae21900e54cc3d8b607c8ed1afbf2eb9b
	* Makefile.am (sign-release): Read variabales from user configuration.

2020-08-21  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix basic.c.
	+ commit fd51bc523d095168ee9367fe3f18d18f7a88ad90
	* tests/basic.c (check_one_hmac): Fix error paths.
	(check_pubkey_crypt): Fix wrong call of gcry_sexp_new.

	ecc: Fix an error path.
	+ commit 65a2cd139e21250e6581a4f610015937e7b91451
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Avoid null dereference on
	error.

2020-07-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20-aarch64: improve performance through higher SIMD interleaving.
	+ commit 8d7b1d0a52bde173646e5b42b31d23593eabecf2
	* cipher/chacha20-aarch64.S (ROTATE2, ROTATE2_8, ROTATE2_16)
	(QUARTERROUND2): Replace with...
	(ROTATE4, ROTATE4_8, ROTATE4_16, QUARTERROUND4): ...these.
	(_gcry_chacha20_aarch64_blocks4)
	(_gcry_chacha20_poly1305_aarch64_blocks4): Adjust to use QUARTERROUND4.

	tests/bench-slope: improve CPU frequency auto-detection.
	+ commit f1c3db3bf40e07cfd1a6a92209865ee7a98129ca
	* configure.ac (gcry_cv_have_asm_volatile_memory): Check also if
	assembly memory barrier with input/output register is supported.
	* tests/bench-slope.c (auto_ghz_bench): Change to use base operation
	that takes two CPU cycles and unroll loop by 1024 operations.

	Enable jitter entropy also on non-x86 architectures.
	+ commit 886120f33bd3f10e6e6a09920eca1f9ed81044e7
	* configure.ac: Do not force jentsupport to "n/a" on non-x86
	architectures.

	random/jitterentropy: fix USE_JENT == JENT_USES_GETTIME code path.
	+ commit 4ed9b949485448816a70d86260d572f08ae34621
	* random/jitterentropy-base-user.h (jent_get_nstime): Use 'tv' variable
	instead of non-existing 'time'.

	Camellia AES-NI/AVX/AVX2 size optimization.
	+ commit 4c0e244fc53e0f7b927bfe4cf54695b5d282fd27
	* cipher/camellia-aesni-avx-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds16/fls16' portions of encryption/decryption.
	* cipher/camellia-aesni-avx2-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds32/fls32' portions of encryption/decryption.

2020-07-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support reading EC point in compressed format for good curves.
	+ commit e0dabf74bf276500257f15b85ded9cf24ccc8334
	* cipher/ecc-curves.c (gcry_ecc_get_curve): Handle G, differently.
	* cipher/ecc-misc.c (_gcry_ecc_sec_decodepoint): Support compressed
	representation of EC point.  Rename from _gcry_ecc_os2ec.
	* cipher/ecc-sm2.c (_gcry_ecc_sm2_decrypt) Follow the change.
	* cipher/ecc.c (ecc_decrypt_raw): Likewise.
	* mpi/ec.c (_gcry_mpi_ec_set_point): Likewise.
	* src/ec-context.h: API change _gcry_ecc_sec_decodepoint from
	_gcry_ecc_os2ec.
	* tests/basic.c (check_pubkey): Use compressed representation
	for two public keys of NIST P192 and NIST P256.

2020-07-06  Werner Koch  <wk@gnupg.org>

	mpi: Consider +0 and -0 the same in mpi_cmp.
	+ commit 1f3a92e103d4a8e019d8d022647a2b9fb2681327
	* mpi/mpi-cmp.c (do_mpi_cmp): Check size of U an V.

2020-06-23  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix length computation.
	+ commit 1db1dc7945b111b6e20a8420ad38a358316681ab
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add one only for
	Edwards case.

2020-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SM4 x86-64/AES-NI/AVX2 implementation.
	+ commit 35a78eb248d6bacd2a58477a122a0020d796ce63
	* cipher/Makefile.am: Add 'sm4-aesni-avx2-amd64.S'.
	* cipher/sm4-aesni-avx2-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX2): New.
	(SM4_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
	[USE_AESNI_AVX2] (_gcry_sm4_aesni_avx2_ctr_enc)
	(_gcry_sm4_aesni_avx2_cbc_dec, _gcry_sm4_aesni_avx2_cfb_dec)
	(_gcry_sm4_aesni_avx2_ocb_enc, _gcry_sm4_aesni_avx2_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth): New.
	(sm4_setkey): Enable AES-NI/AVX2 if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX2]: Add
	AES-NI/AVX2 bulk functions.
	* configure.ac: Add ''sm4-aesni-avx2-amd64.lo'.

	Add SM4 x86-64/AES-NI/AVX implementation.
	+ commit c9a3f1bb91e63033e3bf3e06bdd6075622626d0d
	* cipher/Makefile.am: Add 'sm4-aesni-avx-amd64.S'.
	* cipher/sm4-aesni-avx-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX, ASM_FUNC_ABI): New.
	(SM4_context) [USE_AESNI_AVX]: Add 'use_aesni_avx'.
	[USE_AESNI_AVX] (_gcry_sm4_aesni_avx_expand_key)
	(_gcry_sm4_aesni_avx_crypt_blk1_8, _gcry_sm4_aesni_avx_ctr_enc)
	(_gcry_sm4_aesni_avx_cbc_dec, _gcry_sm4_aesni_avx_cfb_dec)
	(_gcry_sm4_aesni_avx_ocb_enc, _gcry_sm4_aesni_avx_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth, sm4_aesni_avx_crypt_blk1_8): New.
	(sm4_expand_key) [USE_AESNI_AVX]: Use AES-NI/AVX key setup.
	(sm4_setkey): Enable AES-NI/AVX if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX]: Add
	AES-NI/AVX bulk functions.
	* configure.ac: Add ''sm4-aesni-avx-amd64.lo'.

	Optimizations for SM4 cipher.
	+ commit 81fee26bbbae820a311a3ce3ac55e304655c2acd
	* cipher/cipher.c (_gcry_cipher_open_internal): Add SM4 bulk
	functions.
	* cipher/sm4.c (ATTR_ALIGNED_64): New.
	(sbox): Convert to ...
	(sbox_table): ... this structure for sbox hardening as is done
	for AES and GCM.
	(prefetch_sbox_table): New.
	(sm4_t_non_lin_sub): Make inline; Optimize sbox access pattern.
	(sm4_key_lin_sub): Make inline; Tune slightly.
	(sm4_key_sub, sm4_enc_sub): Make inline.
	(sm4_round): Make inline; Take 'x' as separate parameters instead
	of array.
	(sm4_expand_key): Return void; Drop keylen; Unroll loops by 4;
	Wipe sensitive variables at end; Move key-length check to
	'sm4_setkey'.
	(sm4_setkey): Add initial self-test step; Add key-length check;
	Remove burn stack (as variables wiped in 'sm4_expand_key').
	(sm4_do_crypt): Return burn stack depth; Unroll loops by 4.
	(sm4_encrypt, sm4_decrypt): Prefetch sbox table; Return burn
	stack from 'sm4_do_crypt', as allows tail-call optimization
	by compiler.
	(sm4_do_crypt_blks2): New two parallel block function for greater
	instruction level parallelism.
	(sm4_crypt_blocks, _gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New
	bulk processing functions.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): New
	bulk processing self-tests.
	(sm4_selftest): Clear SM4 context before use; Use 'sm4_expand_key'
	instead of 'sm4_setkey'; Call bulk processing self-tests.
	* src/cipher.h (_gcry_sm4_ctr_enc, _gcry_sm4_ctr_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add SM4-OCB test vector.

2020-06-18  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: For Ed448, it's only for EdDSA.
	+ commit a6177e1bc948a7af052d62bcd62aa6b5825bfaff
	* cipher/ecc.c (ecc_sign): Ed448 is only for EdDSA.
	Hash algo is determined by the curve.
	(ecc_verify): Likewise.
	* tests/t-ed448.c (one_test): Don't specify (flags eddsa).
	Don't specify hash-algo.

	ecc: Fix the condition for EdDSA data handling.
	+ commit f2847d56cce2afdd993f797812a673495a41c234
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): It may be
	the encoding context which determines EdDSA.  Hash-algo can be
	omitted.  Flags are OR-ed.

	ecc: Support EdDSA with context and enabling PH(M).
	+ commit ba78ad8f19674b94edfdf4998f40feee081481bc
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Simplify.
	(DOM4_0_NONE, DOM4_0_NONE_LEN): Remove.
	(DOM25519, DOM25519_LEN): New.
	(DOM448, DOM448_LEN): New.
	(_gcry_ecc_eddsa_sign): Support EdDSA with context and PH.
	(_gcry_ecc_eddsa_verify): Likewise.
	* tests/t-ed448.c: Add tests with context and PH=1.
	* tests/t-ed448.inp: Add test data.

	ecc: Change EdDSA internal API.
	+ commit 2856ac14ae3e4c9e6288e1f0d8bc1945bb874081
	* cipher/ecc-common.h (_gcry_ecc_eddsa_sign): Last arg is CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Get hash algo from CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc.c (ecc_sign, ecc_verify): Follow the change.

2020-06-17  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support "label" for EdDSA context in data.
	+ commit 1cf49754694611620fd383327cf127e91f6883df
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Handle ctx->label.

	ecc: Initialize key before handling data.
	+ commit d51a9c259d49c63121fab48bce48d826e9b57733
	* cipher/ecc.c (ecc_sign): Initialize key at first.
	(ecc_verify): Likewise.

	ecc: Add new flag "prehash".
	+ commit 9a640eba6dd7504c90a65151cdaf1e4093a8b475
	* src/cipher.h (PUBKEY_FLAG_PREHASH): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse it.

	ecc: No (flags eddsa) required for Ed448.
	+ commit b1721f9b291a4c226caa2bfbe4fefe8fde5216e0
	* cipher/ecc.c (check_secret_key): Ed448 means EdDSA.
	(ecc_generate): Likewise.
	* tests/t-ed448.c (one_test): Remove the flag in key.

	ecc: Support Ed448 by _gcry_ecc_compute_public.
	+ commit 5585ee4947082f932ee01d93dfe295c769e96671
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Handle Ed448.

2020-06-16  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Add basic test-vectors for SM4.
	+ commit c1535d0b8797e9b3bbfb5193b6ab23bf788ffd36
	* tests/basic.c (check_ciphers): Add SM4 check and test-vectors.

	Add SM4 symmetric cipher algorithm.
	+ commit ddcce166ab8bc6f51f5b509bcbea13a8746384ec
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm4.c.
	* cipher/cipher.c (cipher_list, cipher_list_algo301): Add
	_gcry_cipher_spec_sm4.
	* cipher/mac-cmac.c (map_mac_algo_to_cipher): Add cmac SM4.
	(_gcry_mac_type_spec_cmac_sm4): Add cmac SM4.
	* cipher/mac-internal.h: Declare spec_cmac_sm4.
	* cipher/mac.c (mac_list, mac_list_algo201): Add cmac SM4.
	* cipher/sm4.c: New.
	* configure.ac (available_ciphers): Add sm4.
	* doc/gcrypt.texi: Add SM4 document.
	* src/cipher.h: Add declarations for SM4 and cmac SM4.
	* src/gcrypt.h.in (gcry_cipher_algos): Add algorithm ID for SM4.

2020-06-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and GCRY_MAC_GOST28147_IMIT.
	+ commit 6c571bfda6409d7d668f5d44cea0c6c31e2688be
	* doc/gcrypt.texi: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and
	GCRY_MAC_GOST28147_IMIT.

2020-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Ed448 key generation.
	+ commit c15cc1a38199cf0d758579eb01d0e88c99cd4b80
	* cipher/ecc.c (ecc_generate): Fix point representation for Ed448.

	ecc,test: Add testing Ed448.
	+ commit c7779e499e9051ee79ed720f576dbf40d90cdfb1


	ecc: Support Ed448 for verify.
	+ commit d1baad35c65030e41fcba69854c57032eee0d111
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Support Ed448.

	ecc: Support Ed448 signing.
	+ commit 951b37c5038667b461692454397bb058b5e1e184
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Support Ed448.

	ecc: Use SHAKE256 in EdDSA with Ed448.
	+ commit 32d6d73d44d372dd1ec0b08ba03f1b7b085c09d9
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Fix for SHAKE256.

	ecc: Support shake128 and shake256 for message digest.
	+ commit f6815a96e51be44a361ddcd3a20a5b969b1dab1b
	* cipher/pubkey-util.c (get_hash_algo): Add shake128 and shake256.

	ecc: Support Ed448 for key generation.
	+ commit e25446ecc04442b399302ce72db6d5ea2e9e85e8
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Support Ed448.
	(_gcry_ecc_eddsa_genkey): Support Ed448, using
	_gcry_ecc_eddsa_compute_h_d.

	ecc: Support Ed448 in decoding point.
	+ commit bd22b029bbf50737f90535c506fba4f812bcf040
	* cipher/ecc-eddsa.c (ecc_ed448_recover_x): New.
	(_gcry_ecc_eddsa_recover_x): Support Ed448.
	(_gcry_ecc_eddsa_decodepoint): Support Ed448.
	* mpi/ec.c (_gcry_mpi_ec_decode_point): For Ed448, use
	_gcry_ecc_eddsa_decodepoint.

	ecc: Add new curve: Ed448.
	+ commit 339b03acf0971a31997901dd674fb75c4dde31d0
	* cipher/ecc-curves.c (curve_aliases): Add Ed448.
	(domain_parms): Add domain parameters for Ed448.
	* tests/curves.c (N_CURVES): Increment.

	ecc: Fix EdDSA encoding for Ed448.
	+ commit 3386aaf84d4d89b6ff931533df2ff82ed3f7c7f9
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fix point/scalar
	length condition.
	* cipher/ecc-eddsa.c (eddsa_encodempi): The second argument is NBITS.
	(eddsa_encode_x_y): Likewise.
	(_gcry_ecc_eddsa_encodepoint): Follow the change.
	(_gcry_ecc_eddsa_ensure_compact): Likewise.
	(_gcry_ecc_eddsa_decodepoint): Likewise.
	(_gcry_ecc_eddsa_sign): Likewise.  Remove restriction of 256 bits.

2020-06-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix NBITS in domain_parms.
	+ commit db7b2c591004868abedbc2c19d3bb2efebf8529d
	* cipher/ecc-curves.c (cipher/ecc-curves.c): It's NBITS of 'p'.

2020-06-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix UBSAN warning on left shift by 24 places with type 'int'
	+ commit 6cdd7268fe19b066ddb373e2f3c0b7ebf9b938dd
	* cipher/rijndael.c (do_encrypt_fn, do_decrypt_fn): Cast final
	sbox/inv_sbox look-ups to 'u32' type.

	Disable all assembly modules with --disable-asm.
	+ commit 3060aadec396802af13f08c4b2dd1b28f2a68c5d
	* configure.ac (try_asm_modules): Update description,
	"MPI" => "MPI and cipher".
	(gcry_cv_gcc_arm_platform_as_ok, gcry_cv_gcc_aarch64_platform_as_ok)
	(gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
	(gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
	(gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
	(gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_amd64_platform_as_ok)
	(gcry_cv_gcc_platform_as_ok_for_intel_syntax)
	(gcry_cv_cc_arm_arch_is_v6, gcry_cv_gcc_inline_asm_neon)
	(gcry_cv_gcc_inline_asm_aarch32_crypto)
	(gcry_cv_gcc_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto)
	(gcry_cv_cc_ppc_altivec, gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00): Check for "try_asm_modules".
	* mpi/config.links: Set "mpi_cpu_arch" to "disabled"
	with --disable-asm.

2020-06-05  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	mpicalc: fix typo.
	+ commit 2dd3e27fc53cf408f799d2e7b379c1441e0d62c8
	* src/mpicalc.c (print_help): fix typo in commands description.

2020-06-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix flags in mpi_copy for opaque MPI.
	+ commit 78a5a1aa7627afaa24e2ea1eb9b08f1cfdd71561
	* mpi/mpiutil.c (_gcry_mpi_copy): Copy flags.

2020-06-03  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Use opaque MPI for 'd' of Ed25519/EdDSA.
	+ commit 0d8346f84a1f5865da3375ce92420d92fb5ae652
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add FLAGS.
	Use opaque MPI for Ed25519/EdDSA, too.
	(_gcry_mpi_ec_internal_new): Follow the change.
	(_gcry_mpi_ec_new): Likewise.

2020-06-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher-ocb: fix out-of-array stack memory access.
	+ commit 8cfaeae42522778052c36fceccab504826a30cbf
	* cipher/cipher-ocb.c (bit_copy): Do not access memory beyond
	's' array when bitoff > 8.

2020-06-01  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: More fix of off-by-one mistake mpi_invm_pow2.
	+ commit 6a2cd0fe78a9cdc78911694a84b08762dd8658b4
	* mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.

	ecc: Consistently handle parameters as unsigned value.
	+ commit 6f8b1d4cb798375e6d830fd6b73c71da93ee5f3f
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Parse as unsigned value.

2020-05-27  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Fix coding of line break.
	+ commit 33c972b6a6fe79aacb0a732d1df9a9deacafca29
	* src/sexp.c (_gcry_sexp_vextract_param): Add missing newline.

2020-05-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Make sure it's the fixed size bytes.
	+ commit eb2288f3b1f338a9aec11d559ec84bdb201960e1
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Checking the size
	of EC point representation, return GPG_ERR_INV_OBJ if not valid.

2020-05-13  Werner Koch  <wk@gnupg.org>

	ecc: Detect the use of a Montgomery curve earlier in ecc_verify.
	+ commit d0f995afe2e0228d3b9e30b0fc7091631d7d0090
	* cipher/ecc.c (ecc_verify): Do not allow a Montgomery curve.

2020-05-13  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix off-by-one mistake mpi_invm_pow2.
	+ commit 69b55f87053ce2494cd4b38dc600f867bc4355be
	* mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.

2020-05-12  Werner Koch  <wk@gnupg.org>

	ecc: Initialize a dummy parameter.
	+ commit 75a7b17878e02c3882070d6c86e0d2efbc3d680a
	* cipher/ecc.c (ecc_verify): Rename flags to dummy_flags and
	initialize.

2020-05-06  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests/benchmark.c: fix error message for invalid MAC algo.
	+ commit 79e196a610b1b734a1f573288b148d62787f5281


2020-04-27  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	ecc: Fix typo error in ecc-gost.
	+ commit fe688ce7e14f14d7d3a7e16aa0304d24b5b1a179
	* cipher/ecc-gost.c (_gcry_ecc_gost_verify): Fix typo in comment.

2020-04-27  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix the return value of mpi_invm_generic.
	+ commit f10eb240a30ac115cfeb63848c67a936e1059ab9
	* mpi/mpi-inv.c (mpi_invm_generic): Return correct value.

2020-04-24  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix return value of mpi_invm_generic.
	+ commit bc3b6a6a45cf9fa6cc0556da870628c53570f52f
	* mpi/mpi-inv.c (mpi_invm_generic): Return 0 if inverse does not exist.

	mpi: More use of mpih API for _gcry_mpi_invm.
	+ commit 559ba9b36c9cdf4762d28beb3b4c59665c671818
	* mpi/mpi-inv.c (mpi_invm_pow2): Remove.
	(_gcry_mpi_invm): Use mpih_invm_pow2 instead.

	mpi: Use mpih interface internally for mpi-inv.
	+ commit beefbb90d71d7fbd0b4429472b7d4b39670ff64b
	* mpi/mpi-inv.c (mpih_invm_pow2): Converted from mpi_invm_pow2.
	(mpi_invm_pow2): Use mpih_invm_pow2.

	mpi: Fix size of A in mpi_invm_pow2.
	+ commit efa5151ea1c2a2c049b2651581e71b6becba4e16
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix size of A.

2020-04-23  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: More fix for _gcry_mpi_invm.
	+ commit f81a1dd7317513000e5bc4d1bfffd6d2bfb8c2a2
	* mpi/mpi-inv.c (_gcry_mpi_invm): Fix comments and use of CRT path.

2020-04-22  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix off-by-one mistake mpi_invm_pow2.
	+ commit 3bb9f74764b3626ed1116fc7e517921232d6be54
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix computation of iterations.

2020-04-21  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Use mpi_invm_pow2 for mpi_invm.
	+ commit bac01a6cfb3d645ff8439cbd3b310d255735d792
	* mpi/mpi-inv.c (_gcry_mpi_invm): Use mpi_invm_pow2.

	mpi: Fix mpi_invm_pow2.
	+ commit 2a3c58a0b4db01c17da0bf8c035fb1def2af114c
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix the algo implementation.

2020-04-19  Dmitry Baryshkov  <dbaryshkov@gmail.com>

	gost28147: implement special MAC mode called imitovstavka (IMIT)
	+ commit 45f21f871982753716d4a7676d948e8c7d644db5
	* src/gcrypt.h.in (GCRY_MAC_GOST28147_IMIT): New.
	* cipher/gost28147.c (gost_imit_open, gost_imit_close)
	(gost_imit_setkey, gost_imit_setiv, gost_imit_reset, _gost_imit_block)
	(gost_imit_block, gost_imit_write, gost_imit_finish, gost_imit_read)
	(gost_imit_verify, gost_imit_get_maclen, gost_imit_get_keylen)
	(gost_imit_set_extra_info): New functions implementing GOST 28147-89
	MAC (imitovstavka, IMIT) mode.
	* cipher/gost28147.c (gost_imit_ops)
	(_gcry_mac_type_spec_gost28147_imit): declare GOST 28147-89 IMIT
	handler.
	* cipher/mac-internal.h (gcry_mac_handle): add fields to support GOST
	28147-89 IMIT mode.
	* cipher/mac.c (mac_list): add _gcry_mac_type_spec_gost28147_imit.
	(spec_from_algo): handle GCRY_MAC_GOST28147_IMIT.
	* tests/basic.c (check_mac): add GOST28147-89 IMIT test vector.

	mac: add support for gcry_mac_ctl(GCRYCTL_SET_SBOX)
	+ commit d7fa70ed9ddc6e0189a8b59016b1f17717a26865
	* cipher/mac-internal.h (gcry_mac_spec_ops_t): add set_extra_info field
	for providing additional settings.
	* cipher/mac.c (_gcry_mac_ctl): support GCRYCTL_SET_SBOX call.
	* cipher/mac-cmac.c (cmac_ops): set set_extra_info to NULL.
	* cipher/mac-gmac.c (gmac_ops): the same.
	* cipher/mac-hmac.c (hmac_ops): the same.
	* cipher/mac-poly1305.c (poly1305mac_ops): the same.

2020-04-17  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Use mpi_invm_pow2 for N=2^k.
	+ commit 469e2fefb64e3a4bd80995935f82caf416e3a4ae
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix.
	(_gcry_mpi_invm): Use mpi_invm_pow2.

	mpi: Rewrite mpi_invm_odd into mpih_invm_odd.
	+ commit 05ceac8e2f6f28f97428c005d0a318d71d7cf9d9
	* mpi/mpi-inv.c (mpih_invm_odd): Use mpi_ptr_t API.
	(_gcry_mpi_invm): Use _gcry_mpih_mod and mpih_invm_odd.

	mpi: Add _gcry_mpih_cmp_ui.
	+ commit 128045a12139fe2e4be877df59da10c7d4857d9a
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): New.

	mpi: Add internal functipn mpi_invm_pow2.
	+ commit 515bd6e9fae448e966f71e23635503716201158d
	* mpi/mpi-inv.c (mpi_invm_pow2): New.

2020-04-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_set_bit_cond.
	+ commit a91bd0211c4e5f0ce575b3a63a36049dd9edbf90
	* mpi/mpiutil.c (_gcry_mpi_set_bit_cond): New.
	* src/mpi.h (mpi_set_bit_cond): New macro.
	(_gcry_mpi_set_bit_cond): New.

	mpi: Add _gcry_mpih_mod.
	+ commit 95bdfd9ce9e114f447f3639e551e8f4f63d024fe
	* mpi/mpi-internal.h (mpih_mod, _gcry_mpih_mod): New.
	* mpi/mpih-const-time.c (_gcry_mpih_mod): New.

	mpih: Expose const-time MPI helper functions.
	+ commit 9b7e0d89006fce0641da05d8ef2696b1fb73145b
	* mpi/Makefile.am (libmpi_la_SOURCES): Add mpih-const-time.c.
	* mpi/ec.c (mpih_set_cond): Move to mpih-const-time.c.
	* mpi/mpi-internal.h: Add macros and declarations.
	* mpi/mpi-inv.c (mpih_add_n_cond): Likewise.
	(mpih_sub_n_cond, mpih_swap_cond, mpih_abs_cond): Likewise.
	* mpi/mpih-const-time.c: New.

2020-04-14  Werner Koch  <wk@gnupg.org>

	sexp: Extend gcry_sexp_extract_param with a multi-string extractor.
	+ commit 32b08e38628b3ed409054db05a7f73b1ab86464a
	* src/sexp.c (_gcry_sexp_vextract_param): Implement "%#s" control
	sequence.

2020-04-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Remove hard-coded value for ECC_DIALECT_ED25519.
	+ commit 0ff36e04f7cdef961610e7bc674a9c9ef0fd4853
	* mpi/ec.c (ec_p_init): Remove special handling for Ed25519.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_encodepoint): Fix assumption
	ec->nbits is 256 for EdDSA.
	(_gcry_ecc_eddsa_decodepoint): Likewise.
	(_gcry_ecc_eddsa_verify): Likewise.

2020-04-09  Werner Koch  <wk@gnupg.org>

	sexp: Extend gcry_sexp_extract_param with new format specifiers.
	+ commit 60c179b59e538aebb3a5f7621d92eee60b90c785
	* src/sexp.c (_gcry_sexp_vextract_param): Add new conversion methods.
	* tests/t-sexp.c (check_extract_param): Add corresponding tests.

2020-04-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ppc: avoid using vec_vsx_ld/vec_vsx_st for 2x64-bit vectors.
	+ commit 1250a9cd859d99f487ca8d76a98d70d464324bbe
	* cipher/crc-ppc.c (CRC_VEC_U64_LOAD, CRC_VEC_U64_LOAD_LE)
	(CRC_VEC_U64_LOAD_BE): Remove vec_vsx_ld usage.
	(asm_vec_u64_load, asm_vec_u64_load_le): New.
	* cipher/sha512-ppc.c (vec_vshasigma_u64): Use '__asm__' instead of
	'asm' for assembly block.
	(vec_u64_load, vec_u64_store): New.
	(_gcry_sha512_transform_ppc8): Use vec_u64_load/store instead of
	vec_vsx_ld/vec_vsx_st.
	* configure.ac (gcy_cv_cc_ppc_altivec)
	(gcy_cv_cc_ppc_altivec_cflags): Add check for vec_vsx_ld with
	'unsigned int *' pointer type.

2020-04-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	asm-poly1305-aarch64: fix building with clang.
	+ commit 89b3ded8df969fe5fb31313c60419dd34d36b605
	* cipher/asm-poly1305-aarch64.h (POLY1305_BLOCK_PART25): Use correct
	instruction format for right-shifting.

2020-03-31  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

	libgcrypt.m4: Fix spelling.
	+ commit 6a5743469a4366b1e238d378e427442f04400950


	libgcrypt.m4: Fix spelling.
	+ commit e16e7e619183f36720d17855419860d1dc6fe3a5


2020-03-20  Dmitry Baryshkov  <dbaryshkov@gmail.com>

	tests/basic: add GOST 28147 keymeshing testcase from LibreSSL testsuite.
	+ commit 3441f4c94c49a589c5e323b1526d2d6b5974cf2f
	* tests/basic.c (check_cfb_cipher): add check for GOST 28147 CFB with
	KeyMeshing enabled.

	gost28147: add support for CryptoPro key meshing per RFC 4357.
	+ commit dcee00adbd1c0a2cde1aeed1bb94421e81d0de3b
	* cipher/gost28147.c (gost_do_set_sbox, cryptopro_key_meshing,
	CryptoProMeshingKey, gost_encrypt_block_mesh): New.
	(_gcry_cipher_spec_gost28147_mesh): New cipher with keymeshing,
	(_gcry_cipher_spec_gost28147): Remove OIDs for this cipher should not
	be selected using these OIDs (they are for CFB with keymeshing).

	* cipher/cipher.c (cipher_list, cipher_list_algo301): add
	_gcry_cipher_spec_gost28147_mesh.

	* src/gcrypt.h.in (GCRY_CIPHER_GOST28147_MESH): New cipher with
	keymeshing.

	* doc/gcrypt.texi (GCRY_CIPHER_GOST28147_MESH): Add definition.

	* tests/basic.c (check_gost28147_cipher, check_gost28147_cipher_basic):
	Run basic tests on GCRY_CIPHER_GOST28147_MESH.

	gost: add keymeshing support per RFC 4357.
	+ commit 18cd3f0c473ae909cdaa5a820faef50d7670fcbb
	* cipher/gost-s-box.c (gost_sbox): define if keymeshing should be
	enabled or not.
	(main): output whether we should enable or disable keymeshing for a
	particular parameters set.

2020-03-18  NIIBE Yutaka  <gniibe@fsij.org>

	DSA,ECDSA: Fix use of mpi_invm.
	+ commit ada758e3019c2585213a132960613b1ac48502b8
	* cipher/dsa.c (sign): Call mpi_invm before _gcry_dsa_modify_k.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.

	mpi: Constant time mpi_inv with some conditions.
	+ commit 20082ca965eab5665af60956c4ed72709836b1ed
	* mpi/mpi-inv.c (mpih_add_n_cond, mpih_sub_n_cond, mpih_swap_cond)
	(mpih_abs_cond): New.
	(mpi_invm_odd): New.
	(mpi_invm_generic): Rename from _gcry_mpi_invm.
	(_gcry_mpi_invm): Use mpi_invm_odd for usual odd cases.

2020-03-11  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Support opaque MPI with gcry_mpi_print.
	+ commit b4b04ae6c2e55bc2b24efc663d1eeaa0b3613f4c
	* mpi/mpicoder.c (_gcry_mpi_get_buffer): Return the bytes as-is.

2020-03-09  Werner Koch  <wk@gnupg.org>

	mpi: Abort on division by zero also in _gcry_mpi_tdiv_qr.
	+ commit afbab896fa04d9481dbb9f4d01f607b12e31dcbf
	* mpi/mpi-div.c (_gcry_mpi_tdiv_qr): Error out on division by zero.

2020-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	build: More accurate dependency to -lgpg-error.
	+ commit 9b8ac13761f0407bd701e43b0a65fbada204958f
	* configure.ac (LIBGCRYPT_CONFIG_LIBS): Remove DL_LIBS.
	* src/libgcrypt.c.in: Distinguish static link use case.
	* tests/Makefile.am: Fix use of -lgpg-error.

	build: Fix linking -ldl.
	+ commit c21e5d72e24e62752559f92b1825287298ae2f03
	* src/Makefile.am (libgcrypt_la_LIBADD): Add DL_LIBS.
	(mpicalc_LDADD): Remove DL_LIBS.
	* tests/Makefile.am (standard_ldadd): Remove DL_LIBS.

2020-02-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	crc-ppc: fix bad register used for vector load/store assembly.
	+ commit b64b029318e7d0b66123015146614118f466a7a9
	* cipher/crc-ppc.c (CRC_VEC_U64_LOAD_BE): Move implementation to...
	(asm_vec_u64_load_be): ...here; Add "r0" to clobber list for load
	instruction when offset is not zero; Add zero offset path.

	rinjdael-aes: use zero offset vector load/store when possible.
	+ commit 89776d45c824032409f581e5fd1db6bf149df57f
	* cipher/rijndael-ppc-common.h (asm_aligned_ld, asm_aligned_st): Use
	zero offset instruction variant when input offset is constant zero.
	* cipher/rijndael-ppc.c (asm_load_be_noswap)
	(asm_store_be_noswap): Likewise.

	Add POWER9 little-endian variant of PPC AES implementation.
	+ commit 114bbc45e9717f9ad9641f64d8df8690db8da434
	* configure.ac: Add 'rijndael-ppc9le.lo'.
	* cipher/Makefile.am: Add 'rijndael-ppc9le.c', 'rijndael-ppc-common.h'
	and 'rijndael-ppc-functions.h'.
	* cipher/rijndael-internal.h (USE_PPC_CRYPTO_WITH_PPC9LE): New.
	(RIJNDAEL_context_s): Add 'use_ppc9le_crypto'.
	* cipher/rijndael.c (_gcry_aes_ppc9le_encrypt)
	(_gcry_aes_ppc9le_decrypt, _gcry_aes_ppc9le_cfb_enc)
	(_gcry_aes_ppc9le_cfb_dec, _gcry_aes_ppc9le_ctr_enc)
	(_gcry_aes_ppc9le_cbc_enc, _gcry_aes_ppc9le_cbc_dec)
	(_gcry_aes_ppc9le_ocb_crypt, _gcry_aes_ppc9le_ocb_auth)
	(_gcry_aes_ppc9le_xts_crypt): New.
	(do_setkey, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt)
	[USE_PPC_CRYPTO_WITH_PPC9LE]: New.
	* cipher/rijndael-ppc.c: Split common code to headers
	'rijndael-ppc-common.h' and 'rijndael-ppc-functions.h'.
	* cipher/rijndael-ppc-common.h: Split from 'rijndael-ppc.c'.
	(asm_add_uint64, asm_sra_int64, asm_swap_uint64_halfs): New.
	* cipher/rijndael-ppc-functions.h: Split from 'rijndael-ppc.c'.
	(CFB_ENC_FUNC, CBC_ENC_FUNC): Unroll loop by 2.
	(XTS_CRYPT_FUNC, GEN_TWEAK): Tweak generation without vperm
	instruction.
	* cipher/rijndael-ppc9le.c: New.

	Add gcry_cipher_ctl command to allow weak keys in testing use-cases.
	+ commit 5beadf201312d0c649971b0c1d4c3827b434a0b5
	* cipher/cipher-internal.h (gcry_cipher_handle): Add
	'marks.allow_weak_key' flag.
	* cipher/cipher.c (cipher_setkey): Do not handle weak key as error when
	weak keys are allowed.
	(cipher_reset): Preserve 'marks.allow_weak_key' flag on object reset.
	(_gcry_cipher_ctl): Add handling for GCRYCTL_SET_ALLOW_WEAK_KEY.
	* src/gcrypt.h.in (gcry_ctl_cmds): Add GCRYCTL_SET_ALLOW_WEAK_KEY.
	* tests/basic.c (check_ecb_cipher): Add tests for weak key errors and
	for GCRYCTL_SET_ALLOW_WEAK_KEY.

2020-01-23  NIIBE Yutaka  <gniibe@fsij.org>

	random: Fix include of config.h.
	+ commit e0898d0628789414da23e0526c87df1885c8b3ae
	* random/random-drbg.c: Include config.h earlier.

2020-01-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sexp: fix cast from 'int' pointer to 'size_t' pointer.
	+ commit 8b31091da092e22dba78b2402c2f436bbffc1c73
	* src/sexp.c (do_vsexp_sscan): Change 'datalen' from 'int' to
	'size_t'; Remove &datalen pointer cast to 'size_t *' type.

	mpi/i386: fix DWARF CFI for _gcry_mpih_sub_n and _gcry_mpih_add_n.
	+ commit 5f098f7e6ceb899ac27a0a30ee036de5f1be4e3d
	* mpi/i386/mpih-add1.S (_gcry_mpih_add_n) [PIC]: Adjust CFI CFA offset
	when making call and restoring stack pointer.
	* mpi/i386/mpih-sub1.S (_gcry_mpih_sub_n) [PIC]: Ditto.

2020-01-22  H.J. Lu  <hjl.tools@gmail.com>

	i386: Add _CET_ENDBR to indirect jump targets.
	+ commit cb9f0a2df8225eed071ae0a56265e38e9f6ff184
	* mpi/i386/mpih-add1.S (_gcry_mpih_add_n): Save and restore
	%ebx if IBT is enabed.  Add _CET_ENDBR to indirect jump targets
	and adjust jump destination for _CET_ENDBR.
	* mpi/i386/mpih-sub1.S (_gcry_mpih_sub_n): Likewise.

	amd64: Always include <config.h> in cipher assembly codes.
	+ commit 22e577071790834f07753c42a191a568c9f2644d
	* cipher/camellia-aesni-avx-amd64.S: Always include <config.h>.
	* cipher/camellia-aesni-avx2-amd64.S: Likewise.
	* cipher/serpent-avx2-amd64.S: Likewise.

	mpi: Add .note.gnu.property section for Intel CET.
	+ commit 24b4d5c10a97aaf82ac7402cc3a5b429d580cd66
	* mpi/config.links: Include <cet.h> in <asm-syntax.h>.

	x86: Add .note.gnu.property section for Intel CET.
	+ commit 4c88c2bd2a418435506325cd53246acaaa52750c
	* configure.ac: Include <cet.h> in <config.h> for assembly
	codes.

2020-01-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: add vector cluttering to detect implementation bugs.
	+ commit 4aa8ff904262f331abbb8c988069a7029ca13502
	* src/global.c (_gcry_check_version): Fix missing newline.
	* src/basic.c (ALWAYS_INLINE, CLUTTER_REGISTER_*, prepare_vector_data)
	(clutter_vector_registers): New.
	(progress_handler): Make static function.
	(check_bulk_cipher_modes, check_one_cipher_core_reset)
	(check_one_cipher_core, check_one_md, check_one_md_multi)
	(check_one_md_final, check_one_mac): Clutter vector registers before
	gcry_* calls to cipher/md/mac algorithms.

2020-01-22  Marvin W  <git@larma.de>

	Set vZZ.16b register to zero before use in armv8 gcm implementation.
	+ commit 79ed620ec46adbb08f5cea6a4865a95a436e4109
	* cipher/cipher-gcm-armv8-aarch64-ce.S
	(_gcry_ghash_setup_armv8_ce_pmull): Set vZZ to zero.

2020-01-21  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Add basic test cases for sm2.
	+ commit aa9c78afa1d867bb7b9b3c695cf31a832c9419e5
	* tests/basic.c (check_pubkey): Add test cases for ecc-sm2.

	Add elliptic curve SM2 implementation.
	+ commit 6b55246c77089dd372eb1807808111660fd789c7
	* configure.ac (enabled_pubkey_ciphers): Add ecc-sm2.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add ecc-sm2.c.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist,
	  _gcry_pk_util_preparse_sigval): Add sm2 flags.
	* cipher/ecc.c: Support ecc-sm2.
	* cipher/ecc-common.h: Add declarations for ecc-sm2.
	* cipher/ecc-sm2.c: New.
	* src/cipher.h: Define PUBKEY_FLAG_SM2.

	ecc: Simplify signature code.
	+ commit 8d9958910e54f3fecbab6e133c3971843f6ef310
	* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Use implemented function.
	* cipher/ecc.c (ecc_verify): Remove redundant code.

2020-01-21  NIIBE Yutaka  <gniibe@fsij.org>
	    NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix check_pubkey.
	+ commit 95e9cee802419adf6f4b01b29d7874793004fa8d
	* tests/basic.c (check_pubkey): Fix constants of pubkeys.

2020-01-21  NIIBE Yutaka  <gniibe@fsij.org>

	Avoid use of ulong in internal code.
	+ commit 4997139b3e83761c9af0246cec829305c3d7d13b
	* configure.ac (HAVE_ULONG_TYPEDEF): Remove.
	* mpi/mpi-div.c (_gcry_mpi_fdiv_r_ui): Use unsigned long.
	(_gcry_mpi_divisible_ui): Likewise.
	* random/rndunix.c (_gcry_rndunix_gather_random): Likewise.
	* random/rndw32.c (_gcry_rndw32_gather_random_fast): Likewise.
	(ADDINT): Likewise.
	* random/rndw32ce.c (_gcry_rndw32ce_gather_random_fast): Likewise.
	* src/mpi.h: Follow the change.
	* src/types.h (HAVE_ULONG_TYPEDEF): Remove.

2020-01-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	gcrypt.texi: fix GCRYCTL_GET_ALGO_NENCR typo.
	+ commit 5ebb2f0671c902863eee91cbcfc85a72be506410
	* doc/gcrypt.texi: Fix GCRYCTL_GET_ALGO_NENC to GCRYCTL_GET_ALGO_NENCR.

2020-01-19  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	mpi: Fix error that point not uninitialized.
	+ commit 7e3aac7ba49b3b6e6c5ebe7c880b5b323c423ef7
	* cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Initialize E->G poing

	ecc: Wrong flag and elements_enc fix.
	+ commit 43cfc1632dd3a9579a906f31cd3b6c88d242d1a5
	* cipher/ecc.c (ecc_generate): Fix wrong flag and elements_enc.

	Update .gitignore.
	+ commit 176a5f162acd0cfebc5517d061205681bc3658d0


2020-01-16  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	Add new curve named sm2p256v1.
	+ commit d154c1e9e11019980253f0a65758932cd0656470
	* cipher/ecc-curves.c (domain_parms): Add sm2p256v1 for SM2.
	* tests/curves.c (N_CURVES): Update N_CURVES for SM2.

2019-12-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ppc: performance improvements.
	+ commit 110077505acacae62cec3d09b32a084b9cee0368
	* cipher/rijndael-ppc.c (ALIGNED_LOAD, ALIGNED_STORE, VEC_LOAD_BE)
	(VEC_STORE_BE): Rewrite.
	(VEC_BE_SWAP, VEC_LOAD_BE_NOSWAP, VEC_STORE_BE_NOSWAP): New.
	(PRELOAD_ROUND_KEYS, AES_ENCRYPT, AES_DECRYPT): Adjust to new
	input parameters for vector load macros.
	(ROUND_KEY_VARIABLES_ALL, PRELOAD_ROUND_KEYS_ALL)
	(AES_ENCRYPT_ALL): New.
	(vec_bswap32_const_neg): New.
	(vec_aligned_ld, vec_aligned_st, vec_load_be_const): Rename to...
	(asm_aligned_ls, asm_aligned_st, asm_load_be_const): ...these.
	(asm_be_swap, asm_vperm1, asm_load_be_noswap)
	(asm_store_be_noswap): New.
	(vec_add_uint128): Rename to...
	(asm_add_uint128): ...this.
	(asm_xor, asm_cipher_be, asm_cipherlast_be, asm_ncipher_be)
	(asm_ncipherlast_be): New inline assembly functions with volatile
	keyword to allow manual instruction ordering.
	(_gcry_aes_ppc8_setkey, aes_ppc8_prepare_decryption)
	(_gcry_aes_ppc8_encrypt, _gcry_aes_ppc8_decrypt)
	(_gcry_aes_ppc8_cfb_enc, _gcry_aes_ppc8_cbc_enc)
	(_gcry_aes_ppc8_ocb_auth): Update to use new&rewritten helper macros.
	(_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_dec)
	(_gcry_aes_ppc8_ctr_enc, _gcry_aes_ppc8_ocb_crypt)
	(_gcry_aes_ppc8_xts_crypt): Update to use new&rewritten helper
	macros; Tune 8-block parallel paths with manual instruction ordering.

	rijndael-ppc: fix bad register used for vector load/store assembly.
	+ commit 0837d7e6be3e604c1f7b86d18c582d8aa7ed858c
	* cipher/rijndael-ppc.c (vec_aligned_ld, vec_load_be, vec_aligned_st)
	(vec_store_be): Add "r0" to clobber list for load/store instructions.

2019-12-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: fix typo in error log.
	+ commit 5b9ea3df0dc355d77b9f061f63064614a97b8b67
	* cipher/cipher.c (_gcry_cipher_encrypt): Fix log "cipher_decrypt: ..."
	to "cipher_encrypt: ...".

2019-11-21  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	gost28147: inline gost_val function to speed up code.
	+ commit e5c4cf0efb8fd297963e6b4392ab98c41dbad536
	* cipher/gost28147.c (gost_val): mark function as inline

	gost28147: do not use GOST28147_CONTEXT outside of GOST 28147 calculation
	+ commit f9894240bed36eab17fabf5aa482799b148618e2
	* cipher/gost28147.c (_gcry_gost_enc_data): remove unused context
	  argument
	* cipher/gostr3411-94.c (GOSTR3411_CONTEXT, gostr3411_init,
	  do_hash_step): remove unused GOST 28147-89 context.

	gost28147: simplify internal code.
	+ commit d164a8e7f6829163f1279517f07b61805311f8f2
	* cipher/gost28147.c (gost_val, _gost_encrypt_data): don't use gost
	  context internally
	* cipher/gost28147.c (gost_encrypt_block, gost_decrypt_block,
	  _gcry_gost_enc_data): adapt to internal changes.

	gostr3411-94: small speedup.
	+ commit 8f573a67d12e6d9026f1676a6dae7813105bc490
	* cipher/gostr3411-94.c (do_p): unroll loop for a small spedup

2019-11-18  Paul Wolneykien  <manowar@altlinux.org>

	ecc: update GOST2012 curves.
	+ commit a3a866f63e7a527fe3c053758b84d70c142f8283
	* cipher/ecc-curves.c (domain_parms): rename GOST 2012 curves to contain
	  curve bit size
	  (curve_aliases): rename curves, provide backwards-compatible
	  aliases, add new OIDs and two new curves.
	* cipher/ecc-curves.c (curve_aliases): add new OIDs and aliases for
	* tests/basic.c (check_pubkey): use new name for GOST2012 512-bit test
	  curve.
	* tests/benchmark.c (ecc_bench): use new name for GOST2012 512-bit test
	  curve.

2019-11-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ec: fix left shift overflows on WIN64 build.
	+ commit bdbd032d1626dbb34e1840e5f5393524dd546a1d
	* mpi/ec.c (ec_mulm_448): Cast constants to (mpi_limb_t) before
	shifting left by 32.

	mpi/amd64: use SSE2 for shifting instead of MMX.
	+ commit 1322c6a5d1e9aa0c69a2b259aa5ec7bcf5cb5653
	* mpi/amd64/mpih-lshift.S: Convert to SSE2.
	* mpi/amd64/mpih-rshift.S: Ditto.

	Add i386/SSSE3 implementation of SHA512.
	+ commit b52dde860963c794b12d14b0a9c5848bca7ba51e
	* LICENSES: Add 'sha512-ssse3-i386.c'.
	* configure.ac: Add 'sha512-ssse3-i386.lo'.
	* cipher/Makefile.am: Add 'sha512-ssse3-i386.c'.
	* cipher/sha512-ssse3-i386.c: New.
	* cipher/sha512.c (USE_SSSE3_I386, _gcry_sha512_transform_i386_ssse3)
	(do_sha512_transform_i386_ssse3): New.
	(_gcry_sha512_transform_arm) [USE_SSSE3_I386]: Use i386/SSSE3 transform
	function if supported by CPU.

2019-10-28  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add Curve for X448 with ECC_DIALECT_SAFECURVE.
	+ commit d9c418305e1053decebefbd5a98a95f845404a09
	* cipher/ecc-curves.c (domain_parms): Add X448.
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Support X448.
	* mpi/ec.c (ec_addm_448, ec_subm_448, ec_mulm_448): New.
	(ec_mul2_448, ec_pow2_448): New.
	(field_table): Add for X448.
	(curve448_bad_points): New.
	(bad_points_table): New.
	(ec_p_init): Use bad_points_table.
	* tests/Makefile.am (t-x448): Add.
	* tests/curves.c (N_CURVES): Update.
	* tests/t-x448.c: New.

2019-10-25  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Introduce new dialect: ECC_DIALECT_SAFECURVE.
	+ commit 498ab6d9f2f8b0775da41553be7868e59cf4cc2e
	* src/mpi.h (ECC_DIALECT_SAFECURVE): New.
	* cipher/ecc-misc.c (_gcry_ecc_dialect2str): Support the new dialect.
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Support opaque
	MPI handling of secret 'd' for ECC_DIALECT_SAFECURVE.
	* cipher/ecc.c (nist_generate_key): Support opaque secret for
	ECC_DIALECT_SAFECURVE.
	(test_ecdh_only_keys): Likewise.
	(ecc_generate): Support native point representation for
	ECC_DIALECT_SAFECURVE.
	(ecc_encrypt_raw): Support opaque MPI handling of secret and
	native point representation for ECC_DIALECT_SAFECURVE.
	(ecc_decrypt_raw): Support native point representation for
	ECC_DIALECT_SAFECURVE.
	(_gcry_pk_ecc_get_sexp): Likewise.

	ecc: Make _gcry_mpi_ec_mul_point friendly to X25519 computation.
	+ commit 2dfedafe08ac57a87e6892d1af4d72cbb398fe40
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Support scalar input as an opaque
	MPI in little-endian native format.
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use an opaque scalar.

	pubkey: Support a method to get data as an opaque MPI.
	+ commit 050e0b4accfae6a49dda6b1bac52749edec5ce22
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Support an
	opaque MPI in old style.

2019-10-24  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support an opaque MPI handling in mpi_from_keyparam.
	+ commit 05a7d2f262bc5c2d108dcfa6e3d907dd895a4074
	* cipher/ecc-curves.c (mpi_from_keyparam): Add OPAQUE argument.

	ecc: Fix handling of point representation in EdDSA.
	+ commit 3d5a05767b84e0f781ed5dfe434adb4d4e9d2aa5
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): Use
	GCRYMPI_FMT_USG, since integer is defined as unsigned in SEC1.
	(_gcry_ecc_eddsa_decodepoint): Likewise.

	ecc: Return an opaque MPI by _gcry_ecc_ec2os.
	+ commit 8fce1027c2531127dd52a8b883f34333ffd3763b
	* cipher/ecc-misc.c (_gcry_ecc_ec2os): Use mpi_set_opaque instead of
	_gcry_mpi_scan to make an opaque MPI.

	ecc: String constant fix.
	+ commit 35c1faaea2b0aee9b127d02d93158826d17eb107
	* cipher/ecc-curves.c (domain_parms): Same string length for NIST
	P-521.

	ecc: Simplify _gcry_ecc_compute_public.
	+ commit ad8927f40169364003f72fc188ea60b295ef5e59
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Don't need G and d.
	Use ec->G and ec->d.
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Follow the change.
	(_gcry_ecc_get_point): Likewise.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Don't need d,
	but use ec->d.
	(_gcry_ecc_eddsa_sign): Follow the change.

2019-10-23  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Use opaque MPI for _gcry_ecc_mul_point.
	+ commit c5a7191c1bd18292a34ad4da45d743dfac035f9a
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use opaque MPI for U.

	ecc: Fix _gcry_ecc_mont_decodepoint for data by old implementation.
	+ commit bbe15758c893dbf546416c1a6bccdad1ab000ad7
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Support data by old
	implementation by opaque public key.
	Fix confusion of endian, in the handling of data by normal MPI key.

	ecc: ECDH clean up for use of ec->nbits.
	+ commit 27e848666b4a03939b0c8db15aa6e6f79bc7db30
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Use ec->nbits.
	* cipher/ecc.c (test_ecdh_only_keys): Likewise.
	(ecc_encrypt_raw): Likewise.
	(ecc_generate): Fix debug output format.

2019-10-22  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix key generation for ECDH.
	+ commit 82441bbb82903c21cd2b9b4e2d50202b14fdc24c
	* cipher/ecc.c (test_ecdh_only_keys): Don't free EC here.

	ecc: Fix debug output.
	+ commit 6d93812aa312a92d4de2dc034bdf87c276a24b8a
	* cipher/ecc-curves.c (_gcry_mpi_ec_internal_new): Fix debug output.

	ecc: Simplify using mpi_ec_t directly.
	+ commit 6a30a9a2cc48d2343c3e9815567dbd4bf9eec058
	* cipher/ecc-common.h (ECC_public_key, ECC_secret_key): Remove.
	(_gcry_ecc_ecdsa_sign, _gcry_ecc_ecdsa_verify): Use mpi_ec_t.
	(_gcry_ecc_eddsa_genkey, gcry_ecc_eddsa_sign): Likewise.
	(_gcry_ecc_eddsa_verify): Likewise.
	(_gcry_ecc_gost_sign, _gcry_ecc_gost_verify): Likewise.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Use mpi_ec_t directly.
	(_gcry_ecc_ecdsa_verify): Likewise.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
	(_gcry_ecc_eddsa_sign, _gcry_ecc_eddsa_verify): Likewise.
	* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
	(_gcry_ecc_gost_verify): Likewise.

	ecc: Fix for NBITS support.
	+ commit 975de38796917392e83152447c6575648a5a5ee3
	* cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Fill curve
	parameters by NBITS.
	(_gcry_mpi_ec_internal_new): Show "EdDSA".

	ecc: Add NAME member to struct mpi_ec_ctx_s.
	+ commit e921ad5b3ad093304312aca90a3c971de05cbf03
	* src/ec-context.h (struct mpi_ec_ctx_s): Add NAME.
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Initialize NAME.

	ecc: Add key generation support to mpi_ec_get_elliptic_curve.
	+ commit 488704be6e044e23770d95344511c5a347b533c5
	* cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Handle params for
	key generation.
	(_gcry_mpi_ec_internal_new): Remove duplication for handling of flags.

	ecc: Consolidate with _gcry_mpi_ec_internal_new.
	+ commit 5415bc578080018e1cd36aa44cf5c0a9995cbafc
	* cipher/ecc-ecdh.c (prepare_ec): Use _gcry_mpi_ec_internal_new.
	(_gcry_ecc_mul_point): Don't need to have E of elliptic_curve_t.
	* cipher/ecc.c (ecc_encrypt_raw): Use _gcry_mpi_ec_internal_new.
	(ecc_decrypt_raw): Likewise.

	ecc: Support flags and debug print in _gcry_mpi_ec_internal_new.
	+ commit c2aa333dd88b4cd337329128a2018dd3b00f5114
	* cipher/ecc-curves.c (mpi_ec_get_elliptic_curve): Don't set *r_flags.
	(_gcry_mpi_ec_internal_new): Add r_flags argument.
	Parse the flag list.
	Output to debug channel when DBG_CIPHER.

2019-10-21  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add new function _gcry_mpi_ec_internal_new.
	+ commit c7b97ac9bdf96f5a89ae553cac12954043ab174d
	* cipher/ecc-curves.c (mpi_ec_get_elliptic_curve)
	(mpi_ec_setup_elliptic_curve): Factor out from _gcry_mpi_ec_new.
	(_gcry_mpi_ec_internal_new): New.
	(_gcry_mpi_ec_new): Rewrite using mpi_ec_get_elliptic_curve and
	mpi_ec_setup_elliptic_curve.

	ecc: Simplify ecc_encrypt_raw and ecc_decrypt_raw.
	+ commit 10b8cc280a535f14b017106c87f2b26bb68d9489
	* cipher/ecc.c (ecc_encrypt_raw): Use elliptic_curve_t directly.
	(ecc_decrypt_raw): Likewise.

	ecc: More fixes for cofactor with PUBKEY_FLAG_PARAM.
	+ commit 61a0518282537ad52367354c96986c3d1b698d6f
	* cipher/ecc.c (ecc_check_secret_key): Support "h" in KEYPARMS.
	(ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Likewise.

	ecc: Simply use unsigned int for cofactor, not MPI.
	+ commit a258ae728de62607b3ef4eca940cfbcf9965fa5f
	* cipher/ecc-common.h (elliptic_curve_t): Use unsigned int for H.
	* src/ec-context.h (struct mpi_ec_ctx_s): Ditto.
	* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
	(domain_parms): Update for the cofactors.
	(_gcry_ecc_fill_in_curve): H is no longer MPI, but unsigned int.
	(_gcry_ecc_get_curve): Remove handling for H.
	(_gcry_mpi_ec_new): In KEYPARM, cofactor is still MPI.
	(_gcry_ecc_get_param_sexp): H is no longer MPI, but unsigned int.
	(_gcry_ecc_get_mpi): Keep the API, returning MPI for "h".
	(_gcry_ecc_set_mpi): Likewise.
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Fix for unsigned int.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
	* cipher/ecc-misc.c (_gcry_ecc_curve_free): Likewise.
	* cipher/ecc.c (nist_generate_key, test_ecdh_only_keys): Likewise.
	(test_ecdh_only_keys, ecc_generate, ecc_check_secret_key): Likewise.
	(ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Likewise.
	(_gcry_pk_ecc_get_sexp): Likewise.
	* mpi/ec.c (ec_deinit): Likewise.

2019-10-18  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Simplify compute_keygrip.
	+ commit 579d5d6017d63b5eabec588b24d1a22566455bac
	* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Remove H.
	* cipher/ecc.c (compute_keygrip): Don't get H, since it's not
	used in the computation.

	ecc: Clean up key generation code.
	+ commit 95cc9b8f4483fd7edfc7555199f6a05cfa68a236
	* cipher/ecc.c (test_ecdh_only_keys): No need to make PK by SK.

2019-10-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building t-lock for WIN32.
	+ commit 7e1383cfd43fdc2b6f743e6a1304f0f0b2142847
	* tests/t-lock.c (external_lock_test_init, external_lock_test_lock)
	(externel_lock_test_unlock, external_lock_test_destroy)
	(nonce_thread, get_rand, pick_account, pick_value, revision_thread)
	(accountant_thread): Build also if _WIN32 defined in addition to
	HAVE_PTHREAD.

	hash-common: avoid integer division to reduce call overhead.
	+ commit f9d8b5a0369cc94e125d36d9c8864d5cd2eaa1d2
	* cipher/hash-common.h (gcry_md_block_ctx): Replace 'blocksize' with
	'blocksize_shift'.
	* cipher/hash-common.c (_gcry_md_block_write): Use bit-level operations
	instead of division to get number of blocks.
	* cipher/gostr2411-94.c (gost3411_init): Initialize 'blocksize_shift'
	instead of 'blocksize'.
	* cipher/md2.c (md2_init): Ditto.
	* cipher/md4.c (md4_init): Ditto.
	* cipher/md5.c (md5_init): Ditto.
	* cipher/rmd160.c (rmd160_init): Ditto.
	* cipher/sha1.c (sha1_init): Ditto.
	* cipher/sha256.c (sha256_common_init): Ditto.
	* cipher/sha512.c (sha512_init_common): Ditto.
	* cipher/sm3.c (sm3_init): Ditto.
	* cipher/stribog.c (stribog_init_512): Ditto.
	* cipher/tiger.c (do_init): Ditto.
	* cipher/whirlpool.c (whirlpool_init): Ditto.

2019-10-11  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Handle ephemeral key as opaque octets.
	+ commit ff0f1782560eb45458d9a8dd97088dabeddb34e7
	* cipher/ecc.c (ecc_decrypt_raw): Extract an ephemeral key
	as opaque octets.

2019-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Consolidate encoding a point for Montgomery curve.
	+ commit 80cf289905ace9f174eb06d7f55f38980f7e4dbd
	* cipher/ecc-common.h (_gcry_ecc_mont_encodepoint): New.
	* cipher/ecc-misc.c (_gcry_ecc_mont_encodepoint): New.
	* cipher/ecc.c (ecc_generate): Use _gcry_ecc_mont_encodepoint.
	(ecc_encrypt_raw, ecc_decrypt_raw, _gcry_pk_ecc_get_sexp): Likewise.

2019-10-09  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: More clean-up for Ed25519 and Curve25519.
	+ commit ba0b31f2636632b1b39ebd2202de3ba5d60588b8
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): Fix calc for
	bytes.
	* cipher/ecc.c (ecc_encrypt_raw): Use public key as opaque byte-string
	with "/q" for both cases, since it is always fixed size with a prefix.
	(compute_keygrip): Likewise.
	Fix hard-coded value of 256 for Ed25519.
	Handle Curve25519 differently.

2019-10-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix hard-coded value for 25519 to allow other modern curves.
	+ commit d66a4856eb0c39823bf3414b3ca4cf6322f32aef
	* cipher/ecc.c (nist_generate_key): Support other modern curves.
	(test_ecdh_only_keys): Likewise.
	(check_secret_key): Don't use ECC_DIALECT_ED25519 for the check.
	(_gcry_pk_ecc_get_sexp): Support Montgomery curve.

	ecc: Clean up for decoding point.
	+ commit 254c5279058f0aea2d3568d6e756002242e82f8f
	* cipher/ecc-curves.c (point_from_keyparam): Possibly supporting
	Montgomery curve, use _gcry_mpi_ec_decode_point.
	(_gcry_ecc_set_mpi): Likewise.
	* cipher/ecc.c (ecc_check_secret_key): Likewise.

	random: Clean up unused old internal API.
	+ commit 6e57242c61bca38b3cc8fdf424b5667ab953e4cd
	* random/random.h (_gcry_get_random_bits): Remove.

2019-10-02  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix regression in keygrip computation for cv25519 (2).
	+ commit 1cfe2329b91cc7be30f7c3a14fc634ec89a1be96
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Recover g_y
	for Curve25519.

2019-09-28  Werner Koch  <wk@gnupg.org>

	ecc: Fix regression in keygrip computation for cv25519.
	+ commit f67b6492e0b0a2a661cd53a08b20f23e6e3f9f89
	* cipher/ecc-curves.c (domain_parms): Revert g_y for cv25519.
	* tests/keygrip.c: Add test case for cv25519.

2019-09-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add stitched ChaCha20-Poly1305 ARMv8/AArch64 implementation.
	+ commit 4bebafb7bae8343f543728937caf7d3453c88b7c
	* cipher/Makefile.am: Add 'asm-poly1305-aarch64.h'.
	* cipher/asm-poly1305-aarch64.h: New.
	* cipher/chacha20-aarch64.S (ROT8, _, ROTATE2_8): New.
	(ROTATE2): Add interleave operator.
	(QUARTERROUND2): Add interleave operators; Use ROTATE2_8.
	(chacha20_data): Rename to...
	(_gcry_chacha20_aarch64_blocks4_data_inc_counter): ...to this.
	(_gcry_chacha20_aarch64_blocks4_data_rot8): New.
	(_gcry_chacha20_aarch64_blocks4): Preload ROT8; Fill empty parameters
	for QUARTERROUND2 interleave operators.
	(_gcry_chacha20_poly1305_aarch64_blocks4): New.
	* cipher/chacha20.c
	[USE_AARCH64_SIMD] (_gcry_chacha20_poly1305_aarch64_blocks4): New.
	(_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt)
	[USE_AARCH64_SIMD]: Use stitched implementation if ctr->use_neon is
	set.

2019-09-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Small tweak for PowerPC Chacha20-Poly1305 round loop.
	+ commit 96b91e164160dfbd913aefe258f472d386f5b642
	* cipher/chacha20-ppc.c (_gcry_chacha20_poly1305_ppc8_block4): Use
	inner/outer round loop structure instead of two separate loops for
	stitched and non-stitched parts.

	Reduce size of x86-64 stitched Chacha20-Poly1305 implementations.
	+ commit 664370ea02df883d16db1ffdd9ada023335b0f63
	* cipher/chacha20-amd64-avx2.c
	(_gcry_chacha20_poly1305_amd64_avx2_blocks8): De-unroll round loop.
	* cipher/chacha20-amd64-ssse3.c
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks4):
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks1): Ditto.

2019-09-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add PowerPC extra CFLAGS also for chacha20-ppc and crc-ppc.
	+ commit 5516072451d46be8827455afff840eb6d49155fb
	* cipher/Makefile.am: Add 'ppc_vcrypto_cflags' for chacha20-ppc.o/.lo
	and crc-ppc.o/.lo.

2019-09-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add PowerPC vpmsum implementation of CRC.
	+ commit 0486b85bd1fb65013e77f858cae9ea4530f868df
	* cipher/Makefile.am: Add 'crc-ppc.c'.
	* cipher/crc-armv8-ce.c: Remove 'USE_INTEL_PCLMUL' comment.
	* cipher/crc-ppc.c: New.
	* cipher/crc.c (USE_PPC_VPMSUM): New.
	(CRC_CONTEXT): Add 'use_vpmsum'.
	(_gcry_crc32_ppc8_vpmsum, _gcry_crc24rfc2440_ppc8_vpmsum): New.
	(crc32_init, crc24rfc2440_init): Add HWF check for 'use_vpmsum'.
	(crc32_write, crc24rfc2440_write): Add 'use_vpmsum' code-path.
	* configure.ac: Add 'vpmsumd' instruction to PowerPC VSX inline
	assembly check; Add 'crc-ppc.lo'.

	Add PowerPC vector implementation of ChaCha20.
	+ commit 557702f0d53a7ad1cf2ce0333c9df799a8abad59
	* cipher/Makefile.am: Add 'chacha20-ppc.c'.
	* cipher/chacha20-ppc.c: New.
	* cipher/chacha20.c (USE_PPC_VEC, _gcry_chacha20_ppc8_blocks4)
	(_gcry_chacha20_ppc8_blocks1, USE_PPC_VEC_POLY1305)
	(_gcry_chacha20_poly1305_ppc8_blocks4): New.
	(CHACHA20_context_t): Add 'use_ppc'.
	(chacha20_blocks, chacha20_keysetup)
	(do_chacha20_encrypt_stream_tail): Add USE_PPC_VEC code.
	(_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt): Add
	USE_PPC_VEC_POLY1305 code.
	* configure.ac: Add 'chacha20-ppc.lo'.
	* src/g10lib.h (HWF_PPC_ARCH_2_07): New.
	* src/hwf-ppc.c (PPC_FEATURE2_ARCH_2_07): New.
	(ppc_features): Add HWF_PPC_ARCH_2_07.
	* src/hwfeatures.c (hwflist): Add 'ppc-arch_2_07'.

2019-09-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	poly1305: add fast addition macro for ppc64.
	+ commit 0564757b934d24c7fef10df8594099985fbbc0ac
	* cipher/poly1305.c [USE_MPI_64BIT && __powerpc__] (ADD_1305_64): New.

2019-09-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SHA-512 implementations for POWER8 and POWER9.
	+ commit 93632f1adf57f142e5d9e9653c405f2ca8c601c0
	* cipher/Makefile.am: Add 'sha512-ppc.c'; Add extra CFLAG handling for
	'sha512-ppc.c'.
	* cipher/sha512-ppc.c: New.
	* cipher/sha512.c (USE_PPC_CRYPTO, _gcry_sha512_transform_ppc8)
	(_gcry_sha512_transform_ppc9, do_sha512_transform_ppc8)
	(do_sha512_transform_ppc9): New.
	(sha512_init_common): Add PowerPC HW feature detection and
	implementation selection.
	* configure.ac: Add 'vshasigmad' instruction to PowerPC assembly
	support check; Add 'sha512-ppc.lo'.

2019-08-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SHA-256 implementations for POWER8 and POWER9.
	+ commit e19dc973bc8e2a0ce92dd87515df3ee338265a8d
	* cipher/Makefile.am: Add 'sha256-ppc.c'; Add extra CFLAG handling for
	'sha256-ppc.c'.
	* cipher/sha256-ppc.c: New.
	* cipher/sha256.c (USE_PPC_CRYPTO, _gcry_sha256_transform_ppc8)
	(_gcry_sha256_transform_ppc9, do_sha256_transform_ppc8)
	(do_sha256_transform_ppc9): New.
	(sha256_init, sha224_init): Split common part to new function named...
	(sha256_common_init): ...this; Add PowerPC HW feature detection and
	implementation selection.
	* configure.ac: Add 'vshasigmaw' instruction to PowerPC assembly
	support check; Add 'sha256-ppc.lo'.

2019-08-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-ppc: add detection for PowerISA 3.00.
	+ commit 418179593080f3028426657c4ef1941cdad85513
	* src/g10lib.h (HWF_PPC_ARCH_3_00): New.
	* src/hwf-ppc.c (feature_map_s): Remove unused 'feature_match'.
	(PPC_FEATURE2_ARCH_3_00): New.
	(ppc_features, get_hwcap): Add PowerISA 3.00.
	* src/hwfeatures.c (hwflist): Rename "ppc-crypto" to "ppc-vcrypto"; Add
	"ppc-arch_3_00".

	rijndael-ppc: add bulk modes for CBC, CFB, CTR and XTS.
	+ commit 81d555d3473016eb9382fb1df153ba1effbbe32e
	* cipher/rijndael-ppc.c (vec_add_uint128, _gcry_aes_ppc8_cfb_enc)
	(_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_enc)
	(_gcry_aes_ppc8_cbc_dec, _gcry_aes_ppc8_ctr_enc)
	(_gcry_aes_ppc8_xts_crypt): New.
	* cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_cfb_enc)
	(_gcry_aes_ppc8_cfb_dec, _gcry_aes_ppc8_cbc_enc)
	(_gcry_aes_ppc8_cbc_dec, _gcry_aes_ppc8_ctr_enc)
	(_gcry_aes_ppc8_xts_crypt): New.
	(do_setkey, _gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
	(_gcry_aes_cbc_dec, _gcry_aes_ctr_enc)
	(_gcry_aes_xts_crypto) [USE_PPC_CRYPTO]: Enable PowerPC AES
	CFB/CBC/CTR/XTS bulk implementations.
	* configure.ac (gcry_cv_gcc_inline_asm_ppc_altivec): Add 'vadduwm'
	instruction.

	rijndael-ppc: add bulk mode for ocb_auth.
	+ commit bd1367bb607846d582ad09ded6c4ce4be4e52778
	* cipher/rijndael-ppc.c (_gcry_aes_ppc8_ocb_auth): New.
	* cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_ocb_auth): New
	prototype.
	(do_setkey, _gcry_aes_ocb_auth) [USE_PPC_CRYPTO]: Add PowerPC AES
	ocb_auth.

	rijndael-ppc: enable PowerPC AES-OCB implemention.
	+ commit 821602c60c7d144c978c335f91ae1641cf668df5
	* cipher/rijndael-ppc.c (ROUND_KEY_VARIABLES, PRELOAD_ROUND_KEYS)
	(AES_ENCRYPT, AES_DECRYPT): New.
	(_gcry_aes_ppc8_prepare_decryption): Rename to...
	(aes_ppc8_prepare_decryption): ... this.
	(_gcry_aes_ppc8_prepare_decryption): New.
	(aes_ppc8_encrypt_altivec, aes_ppc8_decrypt_altivec): Remove.
	(_gcry_aes_ppc8_encrypt): Use AES_ENCRYPT macro.
	(_gcry_aes_ppc8_decrypt): Use AES_DECRYPT macro.
	(_gcry_aes_ppc8_ocb_crypt): Uncomment; Optimizations for OCB offset
	calculations, etc; Use new load/store and encryption/decryption macros.
	* cipher/rijndaelc [USE_PPC_CRYPTO] (_gcry_aes_ppc8_ocb_crypt): New
	prototype.
	(do_setkey, _gcry_aes_ocb_crypt) [USE_PPC_CRYPTO]: Add PowerPC AES OCB
	encryption/decryption.

	rijndael-ppc: add key setup and enable single block PowerPC AES.
	+ commit 9dca65ef71b4bdbd89a087f41f4dbba71e6d2822
	* cipher/Makefile.am: Add 'rijndael-ppc.c'.
	* cipher/rijndael-internal.h (USE_PPC_CRYPTO): New.
	(RIJNDAEL_context): Add 'use_ppc_crypto'.
	* cipher/rijndael-ppc.c (backwards, swap_if_le): Remove.
	(u128_t, ALWAYS_INLINE, NO_INLINE, NO_INSTRUMENT_FUNCTION)
	(ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE, ASM_FUNC_ATTR_NOINLINE)
	(ALIGNED_LOAD, ALIGNED_STORE, VEC_LOAD_BE, VEC_STORE_BE)
	(vec_bswap32_const, vec_aligned_ld, vec_load_be_const)
	(vec_load_be, vec_aligned_st, vec_store_be, _gcry_aes_sbox4_ppc8)
	(_gcry_aes_ppc8_setkey, _gcry_aes_ppc8_prepare_decryption)
	(aes_ppc8_encrypt_altivec, aes_ppc8_decrypt_altivec): New.
	(_gcry_aes_ppc8_encrypt, _gcry_aes_ppc8_decrypt): Rewrite.
	(_gcry_aes_ppc8_ocb_crypt): Comment out.
	* cipher/rijndael.c [USE_PPC_CRYPTO] (_gcry_aes_ppc8_setkey)
	(_gcry_aes_ppc8_prepare_decryption, _gcry_aes_ppc8_encrypt)
	(_gcry_aes_ppc8_decrypt): New prototypes.
	(do_setkey) [USE_PPC_CRYPTO]: Add setup for PowerPC AES.
	(prepare_decryption) [USE_PPC_CRYPTO]: Ditto.
	* configure.ac: Add 'rijndael-ppc.lo'.
	(gcry_cv_ppc_altivec, gcry_cv_cc_ppc_altivec_cflags)
	(gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00): New checks.

2019-08-26  Shawn Landden  <shawn@git.icu>

	rijndael/ppc: implement single-block mode, and implement OCB block cipher
	+ commit 92f38a619b1cf759057e9cd532ae7c1d0331100f
	* cipher/rijndael-ppc.c: New implementation of single-block mode, and
	implementation of OCB mode.

	hwf: add detection of PowerPC hardware features.
	+ commit b4a3c76fabfa07c10fd18b90230f60b806ad9620
	* src/Makefile.am: PowerPC hardware detection.
	* src/g10lib.h: Likewise.
	* src/hwf-common.h: Likewise.
	* src/hwf-ppc.c: Likewise.
	* src/hwfeatures.c: Likewise.
	* configure.ac: Likewise.

2019-08-20  NIIBE Yutaka  <gniibe@fsij.org>

	pkgconfig: Fix libgcrypt.pc.
	+ commit 761d12f140b77b907087590646651d9578b68a54
	* src/libgcrypt.pc.in (Cflags, Libs): Have flags.

2019-08-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix build with !HAVE_PTHREAD.
	+ commit 900647d96cb7806cd9b2de343e4a4bd66c073fba
	* tests/t-lock.c [!HAVE_PTHREAD]: Buildable now.

	ecdsa: Fix unblinding too early.
	+ commit cdaeb86f067b94d9dff4235ade20dde6479d9bb8
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Keep the blinding until
	the last step.

2019-08-12  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix testapi.c to be buildable.
	+ commit 376124f86097414cf1f9cbbc17af935d30064c82
	* tests/testapi.c: Fix for xgcry_control.

2019-08-08  NIIBE Yutaka  <gniibe@fsij.org>

	dsa,ecdsa: Fix use of nonce, use larger one.
	+ commit 7c2943309d14407b51c8166c4dcecb56a3628567
	* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
	* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
	* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
	* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.

2019-08-07  NIIBE Yutaka  <gniibe@fsij.org>
	    Ján Jančár  <johny@neuromancer.sk>

	ecc: Add mitigation against timing attack.
	+ commit b9577f7c89b4327edc09f2231bc8b31521102c79
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.

2019-08-07  NIIBE Yutaka  <gniibe@fsij.org>

	dsa,ecdsa: Allocate secure memory for RFC6979 generation.
	+ commit 75c2fbc43d2f2cf5f4c60cb28001fda7324185c2
	* cipher/dsa-common.c (_gcry_dsa_gen_rfc6979_k): Use secure memory
	just like _gcry_dsa_gen_k does.

2019-07-22  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix previous commit.
	+ commit 6126fc2f180a9b61064cea5c838d2ff7e0b7774a


	build: Use {CFLAGS,CPPFLAGS,LDFLAGS}_FOR_BUILD for helper programs.
	+ commit 6d80f3f12dc2ff04b0eaa3ba29ee8725b6fb4f69
	* configure.ac (CC_FOR_BUILD): Use AX_CC_FOR_BUILD.
	* cipher/Makefile.am (gost-s-box): Add
	{CFLAGS,CPPFLAGS,LDFLAGS}_FOR_BUILD.
	* doc/Makefile.am (yat2m): Likewise.
	* m4/ax_cc_for_build.m4: New.

2019-07-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix use of AVX instruction in SHA1/SSSE3 assembly.
	+ commit 320ed47963032aab7aadd8aefa054b9a7725c9f7
	* cipher/sha1-ssse3-amd64.S: Replace 'vmovdqa' with 'movdqa'
	instruction.

2019-07-15  Werner Koch  <wk@gnupg.org>

	sexp: Improve argument checking of sexp parser.
	+ commit 1c2cecbb35e1a0760121d76c327651fe7b2b791a
	* src/sexp.c (do_vsexp_sscan): Check for bad length in '%b'.

2019-07-15  NIIBE Yutaka  <gniibe@fsij.org>

	tests: t-mpi-point: Remove implementation dependent checks.
	+ commit 8a0bde8c211c70756a2d8aa46e1bcf1f6f89e55d
	* tests/t-mpi-point.c (basic_ec_math): Remove comparing X and Y,
	only comparison of Z is relevant, mathematically.
	Remove useless check, where different values in equivalence class
	exist.
	(basic_ec_math_simplified): Likewise.

2019-06-25  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Support reading base64.
	+ commit ab57613f10ad57d2fec648017c18d7abb189863b
	* configure.ac (NEED_GPG_ERROR_VERSION): Require libgpg-error >= 1.27.
	* src/sexp.c (do_vsexp_sscan): Support data in base64 format.
	* tests/t-sexp.c (check_extract_param): Add a test case.

2019-06-24  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Correctly return an error.
	+ commit b4a1114dc77617f0e772ddc4faf8820399b4354a
	* cipher/ecc-ecdh.c (_gcry_ecc_get_algo_keylen): Return 0 for
	unknow algorithm.
	(_gcry_ecc_mul_point): Return GPG_ERR_UNSUPPORTED_ALGORITHM for
	GCRY_ECC_CURVE448 for now.
	Return GPG_ERR_UNKNOWN_ALGORITHM, otherwise.

2019-06-21  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix the Curve25519 test.
	+ commit 6934711d572e13e9e78fb2c53bb119034b088c5a
	* tests/t-cv25519.c (test_cv_x25519): Initialize SCALAR.

	ecc: Improve new ECDH API.
	+ commit a658c9ccc2c741f40b0b5cdbcd184cfb9a841d17
	* cipher/ecc-ecdh.c (_gcry_ecc_get_algo_keylen): New.
	(_gcry_ecc_mul_point): Fill into the RESULT buffer, instead of
	allocating new buffer.
	* src/gcrypt-int.h: Change the API.
	* src/gcrypt.h.in: Likewise.
	* src/libgcrypt.def (gcry_ecc_get_algo_keylen): New.
	* src/libgcrypt.vers (gcry_ecc_get_algo_keylen): New.
	* src/visibility.c (gcry_ecc_get_algo_keylen): New.
	* src/visibility.h (gcry_ecc_get_algo_keylen): New.
	* tests/t-cv25519.c: Fix the use case.

2019-06-20  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: X25519 API change to allow NULL for POINT.
	+ commit 6d77c2054ea0358fb4c6f59b4c91c673c0a83b03
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Allow NULL for point,
	meaning G.

	ecc: Add an API for X25519 function as gcry_ecc_mul_point.
	+ commit ec8c2cdf977aa8d9ca5af0a9bd25aeb9190570b3
	* configure.ac: Add ecc-ecdh.lo.
	* cipher/Makefile.am: Add ecc-ecdh.c.
	* cipher/ecc-common.h (reverse_buffer): Expose.
	* cipher/ecc-eddsa.c (reverse_buffer): Expose.
	* cipher/ecc-curves.c (domain_parms): Fix as the errata of RFC.
	* cipher/ecc-ecdh.c: New.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix for other curves
	than Curve25519.
	* src/gcrypt-int.h (_gcry_ecc_mul_point): New.
	* src/gcrypt.h.in (enum gcry_ecc_curves): New.
	(gcry_ecc_mul_point): new.
	* src/libgcrypt.def (gcry_ecc_mul_point): New.
	* src/libgcrypt.vers (gcry_ecc_mul_point): New.
	* src/visibility.h (gcry_ecc_mul_point): New.
	* src/visibility.c (gcry_ecc_mul_point): New.
	* tests/t-cv25519.c (test_cv_hl): Rename from test_cv.
	(test_cv_x25519): New.
	(test_cv): Call both of test_cv_hl and test_cv_x25519.

2019-06-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: add CTR mode carry overflow test vectors.
	+ commit 971d372f512ff6805d5b8b54e9ac1446f3f66643
	* tests/basic.c (check_ctr_cipher): Change tv structure 'plaintext'
	and 'out' to pointers; Add counter carry overflow test vectors; Make
	temporary buffer large enough for new test vectors.

	GCM: move look-up table to .data section and unshare between processes.
	+ commit a4c561aab1014c3630bc88faf6f5246fee16b020
	* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
	(gcmR): Move to 'gcm_table' structure.
	(gcm_table): New structure for look-up table with counters before and
	after.
	(gcmR): New macro.
	(prefetch_table): Handle input with length not multiple of 256.
	(do_prefetch_tables): Modify pre- and post-table counters to unshare
	look-up table pages between processes.

	AES: move look-up tables to .data section and unshare between processes.
	+ commit daedbbb5541cd8ecda1459d3b843ea4d92788762
	* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
	* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
	(enc_tables): New structure for encryption table with counters before
	and after.
	(encT): New macro.
	(dec_tables): Add counters before and after encryption table; Move
	from .rodata to .data section.
	(do_encrypt): Change 'encT' to 'enc_tables.T'.
	(do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
	* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
	with length not multiple of 256.
	(prefetch_enc, prefetch_dec): Modify pre- and post-table counters
	to unshare look-up table pages between processes.

2019-05-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher/Makefile.am: add '-fcoverage-*' to instrumentation munging.
	+ commit c6ffa216976d80a13486b13f64d6776cdb8b6ccf
	* cipher/Makefile.am: Remove '-fcoverage-*' flag for mixed asm/C
	i386+amd64 implementations.

2019-05-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	md: fix UBSAN warning.
	+ commit dad94696d9c48c18b59576776c7caa95123dfa1b
	* cipher/md.c (gcry_md_list): Define 'context' as array of
	PROPERLY_ALIGNED_TYPE.
	(md_enable, _gcry_md_reset, _gcry_md_close, md_final, md_set_key)
	(prepare_macpads, md_read, md_extract): Access md context through
	'gcry_md_list->context' pointer instead of 'gcry_md_list->context.c'.

	Disable instrumentation on mixed Intel SSE C/assembly implementations.
	+ commit d24dae4538dbbda9e6c72a34fae69682cfb2fef0
	* cipher/Makefile.am: Make 'tiger.o' and 'tiger.lo' depend on Makefile;
	Add instrumentation option munging.
	* cipher/cipher-gcm-intel-pcmul.c (ALWAYS_INLINE)
	(NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
	(reduction, gfmul_pclmul, gfmul_pclmul_aggr4, gfmul_pclmul_aggr8)
	(gcm_lsh): Define with 'ASM_FUNC_ATTR_INLINE' instead of 'inline'.
	(_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): Define with
	'ASM_FUNC_ATTR'.
	* cipher/crc-intel-pcmul.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION)
	(ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
	(crc32_reflected_bulk, crc32_reflected_less_than_16, crc32_bulk)
	(crc32_less_than_16): Define with 'ASM_FUNC_ATTR_INLINE' instead of
	'inline'.
	(_gcry_crc32_intel_pclmul, _gcry_crc24rfc2440_intel_pclmul): Define
	with 'ASM_FUNC_ATTR'.
	* cipher/rijndael-aesni.c (NO_INSTRUMENT_FUNCTION, ASM_FUNC_ATTR)
	(ASM_FUNC_ATTR_INLINE, ASM_FUNC_ATTR_NOINLINE): New.
	(aes_ocb_get_l, do_aesni_prepare_decryption, do_aesni_enc)
	(do_aesni_dec, do_aesni_enc_vec4, do_aesni_dec_vec4, do_aesni_enc_vec8)
	(do_aesni_dec_vec8, aesni_ocb_checksum): Define with
	'ASM_FUNC_ATTR_INLINE' instead of 'inline'.
	(do_aesni_ctr, do_aesni_ctr_4, do_aesni_ctr_8): Define wtih
	'ASM_FUNC_ATTR_INLINE'.
	(aesni_ocb_enc, aesni_ocb_dec): Define with 'ASM_FUNC_ATTR_NOINLINE'
	instead of 'NO_INLINE'.
	(_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_prepare_decryption)
	(_gcry_aes_aesni_encrypt, _gcry_aes_aesni_cfg_enc)
	(_gcry_aes_aesni_cbc_enc, _gcry_aes_aesni_ctr_enc)
	(_gcry_aes_aesni_decrypt, _gcry_aes_aesni_cfb_dec)
	(_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
	(_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_enc)
	(_gcry_aes_aesni_xts_dec, _gcry_aes_aesni_xts_crypt): Define with
	'ASM_FUNC_ATTR'.
	* cipher/rijndael-ssse3-amd64.c (ALWAYS_INLINE, NO_INSTRUMENT_FUNCTION)
	(ASM_FUNC_ATTR, ASM_FUNC_ATTR_INLINE): New.
	(aes_ocb_get_l, do_ssse3_prepare_decryption, do_vpaes_ssse3_enc)
	(do_vpaes_ssse3_dec): Define with 'ASM_FUNC_ATTR_INLINE' instead of
	'inline'.
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
	(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
	(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
	(_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Define with
	'ASM_FUNC_ATTR'.
	* cipher/sha1-intel-shaext.c (NO_INSTRUMENT_FUNCTION)
	(ASM_FUNC_ATTR): New.
	(_gcry_sha1_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'.
	* cipher/sha256-intel-shaext.c (NO_INSTRUMENT_FUNCTION)
	(ASM_FUNC_ATTR): New.
	(_gcry_sha256_transform_intel_shaext): Define with 'ASM_FUNC_ATTR'.
	* configure.ac (ENABLE_INSTRUMENTATION_MUNGING): New.

	tests/basic: fix signed interger overflow.
	+ commit 3c7ff6bd1c40d5216d6c12b6b28f77fd1a57baa7
	* tests/basic.c (check_ocb_cipher_largebuf_split): Cast to unsigned
	when generating buffer values.

2019-05-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests: do not use GCC variadic macro extension for xgcry_control.
	+ commit be567cb5dd629e9aa22d81b29d4326e5aa97efa7
	* tests/t-common.h (xgcry_control): Use doubly nested parenthesis for
	passing arguments for gcry_control instead of GCC specific variadic
	macro extension.
	* tests/aeswrap.c: Change xgcry_control to use doubly nested
	parenthesis.
	* tests/basic.c: Ditto.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.
	* tests/curves.c: Ditto.
	* tests/dsa-rfc6979.c: Ditto.
	* tests/fips186-dsa: Ditto.
	* tests/fipsdrv.c: Ditto.
	* tests/fipsrngdrv.c: Ditto.
	* tests/gchash.c: Ditto.
	* tests/hashtest.c: Ditto.
	* tests/hmac.c: Ditto.
	* tests/keygen.c: Ditto.
	* tests/keygrip.c: Ditto.
	* tests/mpitests.c: Ditto.
	* tests/pkbench.c: Ditto.
	* tests/pkcs1v2.c: Ditto.
	* tests/prime.c: Ditto.
	* tests/pubkey.c: Ditto.
	* tests/random.c: Ditto.
	* tests/rsacvt.c: Ditto.
	* tests/t-convert.c: Ditto.
	* tests/t-cv25519.c: Ditto.
	* tests/t-ed25519.c: Ditto.
	* tests/t-kdf.c: Ditto.
	* tests/t-lock.c: Ditto.
	* tests/t-mpi-bit.c: Ditto.
	* tests/t-mpi-point.c: Ditto.
	* tests/t-secmem.c: Ditto.
	* tests/t-sexp.c: Ditto.
	* tests/version.c: Ditto.

2019-05-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: mark CFB and CFB8 as stream block cipher modes.
	+ commit 34e9306a66b47785ddbab6594ae4c23581d35b5a
	* tests/basic.c (get_algo_mode_blklen): Return '1' for CFB and CFB8.

2019-05-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix message digest final function for MD4, MD5 and RMD160.
	+ commit 15592cd52f543aadb2fab8f6c112c68075309ad6
	* cipher/md4.c (md4_final): Use buffer offset '64 + 56' for bit count
	on 'need one extra block' path.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (rmd160_final): Ditto.
	* tests/basic.c (check_one_md_final): New.
	(check_digest): Add new '*' test vectors and handle them with
	check_one_md_final.

2019-05-06  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix carry overflow in Stribog in 512-bit addition.
	+ commit da6cd4fea30f79cf9d8f9b2f1c6daf3aea39fa9c
	* cipher/stribog.c (transform_bits): properly calculate carry flag
	* tests/basic.c (check_digests): add two more test cases

2019-04-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add support for explicit_memset.
	+ commit 71b0eb3fb75d2e6bbd86df055dc667b2debab0c1
	* configure.ac: Add function check for 'explicit_memset'.
	* src/misc.c (_gcry_fast_wipememory, _gcry_fast_wipememory2): Use
	explicit_memset if available.

	Fix CFI_PUSH/CFI_POP redefine build warning with AMD64 MPI.
	+ commit 78b1047eded8d5f8a13162d13160fce1809f6ee4
	* mpi/amd64/func_abi.h: Move CFI macros into [__x86_64__] block.
	* mpi/i386/syntax.h: Move CFI macros into [__i386__] block.

	Enable four block aggregated GCM Intel PCLMUL implementation on i386.
	+ commit a6e7c411e5f67a9473675ca8d49017a4d13a8d3e
	* cipher/cipher-gcm-intel-pclmul.c (reduction): Change "%%xmm7" to
	"%%xmm5".
	(gfmul_pclmul_aggr4): Move outside [__x86_64__] block; Remove usage of
	XMM8-XMM15 registers; Do not preload H-values and be_mask to reduce
	register usage for i386.
	(_gcry_ghash_setup_intel_pclmul): Enable calculation of H2, H3 and H4
	on i386.
	(_gcry_ghash_intel_pclmul): Adjust to above gfmul_pclmul_aggr4
	changes; Move 'aggr4' code path outside [__x86_64__] block.

	Prefetch GCM look-up tables.
	+ commit 1374254c2904ab5b18ba4a890856824a102d4705
	* cipher/cipher-gcm.c (prefetch_table, do_prefetch_tables)
	(prefetch_tables): New.
	(ghash_internal): Call prefetch_tables.

	Optimizations for generic table-based GCM implementations.
	+ commit ecd02cdd61e8c690f48637656f0e1e08b750fe30
	* cipher/cipher-gcm.c [GCM_TABLES_USE_U64] (do_fillM): Precalculate
	M[32..63] values.
	[GCM_TABLES_USE_U64] (do_ghash): Split processing of two 64-bit halfs
	of the input to two separate loops; Use precalculated M[] values.
	[GCM_USE_TABLES && !GCM_TABLES_USE_U64] (do_fillM): Precalculate
	M[64..127] values.
	[GCM_USE_TABLES && !GCM_TABLES_USE_U64] (do_ghash): Use precalculated
	M[] values.
	[GCM_USE_TABLES] (bshift): Avoid conditional execution for mask
	calculation.
	* cipher/cipher-internal.h (gcry_cipher_handle): Double gcm_table size.

2019-04-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Optimizations for GCM Intel/PCLMUL implementation.
	+ commit af5f3fb08674608acf6617ea622ed0b9a2ee77a5
	* cipher/cipher-gcm-intel-pclmul.c (reduction): New.
	(glmul_pclmul): Include shifting to left into pclmul operations; Use
	'reduction' helper function.
	[__x86_64__] (gfmul_pclmul_aggr4): Reorder instructions and adjust
	register usage to free up registers; Use 'reduction' helper function;
	Include shifting to left into pclmul operations; Moving load H values
	and input from caller into this function.
	[__x86_64__] (gfmul_pclmul_aggr8): New.
	(gcm_lsh): New.
	(_gcry_ghash_setup_intel_pclmul): Left shift H values to left by
	one; Preserve XMM6-XMM15 registers on WIN64.
	(_gcry_ghash_intel_pclmul) [__x86_64__]: Use 8 block aggregated
	reduction function.

	Move data pointer macro for 64-bit ARM assembly to common header.
	+ commit b9be297bb8eba7a09fa8413261de1587adcfd381
	* cipher/asm-common-aarch64.h (GET_DATA_POINTER): New.
	* cipher/chacha20-aarch64.S (GET_DATA_POINTER): Remove.
	* cipher/cipher-gcm-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
	* cipher/crc-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
	* cipher/rijndael-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
	* cipher/sha1-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.
	* cipher/sha256-armv8-aarch64-ce.S (GET_DATA_POINTER): Remove.

	Add CFI unwind assembly directives for 64-bit ARM assembly.
	+ commit 5a2a96a63517838e04f9fc0fb2d932fac5124b8a
	* cipher/asm-common-aarch64.h (CFI_STARTPROC, CFI_ENDPROC)
	(CFI_REMEMBER_STATE, CFI_RESTORE_STATE, CFI_ADJUST_CFA_OFFSET)
	(CFI_REL_OFFSET, CFI_DEF_CFA_REGISTER, CFI_REGISTER, CFI_RESTORE)
	(DW_REGNO_SP, DW_SLEB128_7BIT, DW_SLEB128_28BIT, CFI_CFA_ON_STACK)
	(CFI_REG_ON_STACK): New.
	* cipher/camellia-aarch64.S: Add CFI directives.
	* cipher/chacha20-aarch64.S: Add CFI directives.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Add CFI directives.
	* cipher/crc-armv8-aarch64-ce.S: Add CFI directives.
	* cipher/rijndael-aarch64.S: Add CFI directives.
	* cipher/rijndael-armv8-aarch64-ce.S: Add CFI directives.
	* cipher/sha1-armv8-aarch64-ce.S: Add CFI directives.
	* cipher/sha256-armv8-aarch64-ce.S: Add CFI directives.
	* cipher/twofish-aarch64.S: Add CFI directives.
	* mpi/aarch64/mpih-add1.S: Add CFI directives.
	* mpi/aarch64/mpih-mul1.S: Add CFI directives.
	* mpi/aarch64/mpih-mul2.S: Add CFI directives.
	* mpi/aarch64/mpih-mul3.S: Add CFI directives.
	* mpi/aarch64/mpih-sub1.S: Add CFI directives.
	* mpi/asm-common-aarch64.h: Include "../cipher/asm-common-aarch64.h".
	(ELF): Remove.

	Add 64-bit ARMv8/CE PMULL implementation of CRC.
	+ commit 14c8a593ede42f51f567ed7ba77b53124151aa38
	* cipher/Makefile.am: Add 'crc-armv8-ce.c' and
	'crc-armv8-aarch64-ce.S'.
	* cipher/asm-common-aarch64.h [HAVE_GCC_ASM_CFI_DIRECTIVES]: Add CFI
	helper macros.
	* cipher/crc-armv8-aarch64-ce.S: New.
	* cipher/crc-armv8-ce.c: New.
	* cipher/crc.c (USE_ARM_PMULL): New.
	(CRC_CONTEXT) [USE_ARM_PMULL]: Add 'use_pmull'.
	[USE_ARM_PMULL] (_gcry_crc32_armv8_ce_pmull)
	(_gcry_crc24rfc2440_armv8_ce_pmull): New prototypes.
	(crc32_init, crc32rfc1510_init, crc24rfc2440_init): Enable ARM PMULL
	implementations if supported by HW features.
	(crc32_write, crc24rfc2440_write) [USE_ARM_PMULL]: Use ARM PMULL
	implementations if enabled.
	* configure.ac: Add 'crc-armv8-ce.lo' and 'crc-armv8-aarch64-ce.lo'.

2019-04-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: make stack unwinding work at i386 mpi functions.
	+ commit b878a986f3ab2c35aff89c7f66f137a91542ed5b
	* mpi/i386/syntax.h: Include 'config.h'.
	(CFI_STARTPROC, CFI_ENDPROC, CFI_ADJUST_CFA_OFFSET, CFI_REL_OFFSET)
	(CFI_RESTORE, CFI_PUSH, CFI_POP): New.
	* mpi/i386/mpih-add1.S: Add CFI directives.
	* mpi/i386/mpih-lshift.S: Add CFI directives.
	* mpi/i386/mpih-mul1.S: Add CFI directives.
	* mpi/i386/mpih-mul2.S: Add CFI directives.
	* mpi/i386/mpih-mul3.S: Add CFI directives.
	* mpi/i386/mpih-rshift.S: Add CFI directives.
	* mpi/i386/mpih-sub1.S: Add CFI directives.

	hwf-x86: make stack unwinding work at i386 cpuid functions.
	+ commit 0bd18e8bf7d67072f8c77352140b4ed4cfde3c6c
	* src/hwf-x86.c (FORCE_FUNC_FRAME_POINTER): New.
	[__i386__] (is_cpuid_available): Force use of stack frame pointer as
	inline assembly modifies stack register; Add 'memory' constraint for
	inline assembly.
	[__i386__] (get_cpuid): Avoid push/pop instruction when preserving
	%ebx register over cpuid.

	Limit and document Blowfish key lengths to 8-576 bits.
	+ commit 3546599e5578f89f9e77b08bf599f9c44b23da5f
	* cipher/blowfish.c (BLOWFISH_KEY_MIN_BITS)
	(BLOWFISH_KEY_MAX_BITS): New.
	(do_bf_setkey): Check input key length to MIN_BITS and MAX_BITS.
	* doc/gcrypt.texi: Update supported Blowfish key lengths.
	* tests/basic.c (check_ecb_cipher): New, with Blowfish test vectors
	for different key lengths.
	(check_cipher_modes): Call 'check_ecb_cipher'.

2019-04-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add CFI unwind assembly directives for AMD64 assembly.
	+ commit d11ae95d05dc39ec6b825d1109afadd964589880
	* configure.ac (gcry_cv_gcc_asm_cfi_directives): New.
	* cipher/asm-common-amd64.h (ADD_RIP, CFI_STARTPROC, CFI_ENDPROC)
	(CFI_REMEMBER_STATE, CFI_RESTORE_STATE, CFI_ADJUST_CFA_OFFSET)
	(CFI_REL_OFFSET, CFI_DEF_CFA_REGISTER, CFI_REGISTER, CFI_RESTORE)
	(CFI_PUSH, CFI_POP, CFI_POP_TMP_REG, CFI_LEAVE, DW_REGNO)
	(DW_SLEB128_7BIT, DW_SLEB128_28BIT, CFI_CFA_ON_STACK)
	(CFI_REG_ON_STACK): New.
	(ENTER_SYSV_FUNCPARAMS_0_4, EXIT_SYSV_FUNC): Add CFI directives.
	* cipher/arcfour-amd64.S: Add CFI directives.
	* cipher/blake2b-amd64-avx2.S: Add CFI directives.
	* cipher/blake2s-amd64-avx.S: Add CFI directives.
	* cipher/blowfish-amd64.S: Add CFI directives.
	* cipher/camellia-aesni-avx-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/camellia-aesni-avx2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/cast5-amd64.S: Add CFI directives.
	* cipher/chacha20-amd64-avx2.S: Add CFI directives.
	* cipher/chacha20-amd64-ssse3.S: Add CFI directives.
	* cipher/des-amd64.S: Add CFI directives.
	* cipher/rijndael-amd64.S: Add CFI directives.
	* cipher/rijndael-ssse3-amd64-asm.S: Add CFI directives.
	* cipher/salsa20-amd64.S: Add CFI directives; Use 'asm-common-amd64.h'.
	* cipher/serpent-avx2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/serpent-sse2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha1-avx-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha1-avx-bmi2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha1-avx2-bmi2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha1-ssse3-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha256-avx-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha256-avx2-bmi2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha256-ssse3-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha512-avx-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha512-avx2-bmi2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/sha512-ssse3-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/twofish-amd64.S: Add CFI directives.
	* cipher/twofish-avx2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* cipher/whirlpool-sse2-amd64.S: Add CFI directives; Use
	'asm-common-amd64.h'.
	* mpi/amd64/func_abi.h: Include 'config.h'.
	(CFI_STARTPROC, CFI_ENDPROC, CFI_ADJUST_CFA_OFFSET, CFI_REL_OFFSET)
	(CFI_RESTORE, CFI_PUSH, CFI_POP): New.
	(FUNC_ENTRY, FUNC_EXIT): Add CFI directives.

2019-04-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	twofish-amd64: do not use xchg instruction.
	+ commit 0903b215ef5a18332b740a24e6e2bfbed9e1d97b
	* cipher/twofish-amd64.S (g1g2_3): Swap ab and cd registers using
	'movq' instructions instead of 'xchgq'.

2019-04-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Use FreeBSD's elf_aux_info for detecting ARM HW features.
	+ commit 2ffc689d4757f31f1e2c4961b94b0b0c8dc302b7
	* configure.ac: Add function check for 'elf_aux_info'.
	* src/hwf-arm.c [HAVE_ELF_AUX_INFO]: Include 'sys/auxv.h'.
	[HAVE_ELF_AUX_INFO && !HAVE_GETAUXVAL] (HAVE_GETAUXVAL)
	(getauxval): New.

2019-04-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Use getauxval system function for detecting ARM HW features.
	+ commit 6812a2c5bd2d9129bfdf34f3daf89cd8543ed8e5
	* configure.ac: Add header check for 'sys/auxv.h'; Add function check
	for 'getauxval'.
	* src/hwf-arm.c [HAVE_SYS_AUXV_H && HAVE_GETAUXVAL]: Include
	'sys/auxv.h'.
	(HAS_SYS_AT_HWCAP): Enable AT_HWCAP if have 'getauxval' in addition of
	__linux__.
	(AT_HWCAP, AT_HWCAP2, HWCAP_NEON, HWCAP2_AES, HWCAP2_PMULL)
	(HWCAP2_SHA1, HWCAP2_SHA2, HWCAP_ASIMD, HWCAP_AES)
	(HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2): Define these macros only if not
	already defined.
	(get_hwcap) [HAVE_SYS_AUXV_H && HAVE_GETAUXVAL]: Use 'getauxval' to
	fetch HW capability flags.

	Disable SM3 in FIPS mode.
	+ commit 04a6c3c7482dd1ecb5113a049b1765b0d5f212fb
	* cipher/sm3.h (_gcry_digest_spec_sm3): Set flags.fips to zero.

2019-04-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tune SHA-512/AVX2 and SHA-256/AVX2 implementations.
	+ commit 478581c5107ae75281c54e56cdcef5165f3155ca
	* cipher/sha256-avx2-bmi2-amd64.S (ONE_ROUND_PART1, ONE_ROUND_PART2)
	(ONE_ROUND): New round function.
	(FOUR_ROUNDS_AND_SCHED, FOUR_ROUNDS): Use new round function.
	(_gcry_sha256_transform_amd64_avx2): Exit early if number of blocks is
	zero; Writing XFER to stack earlier and handle XREF writing in
	FOUR_ROUNDS_AND_SCHED.
	* cipher/sha512-avx2-bmi2-amd64.S (MASK_YMM_LO, MASK_YMM_LOx): New.
	(ONE_ROUND_PART1, ONE_ROUND_PART2, ONE_ROUND): New round function.
	(FOUR_ROUNDS_AND_SCHED, FOUR_ROUNDS): Use new round function.
	(_gcry_sha512_transform_amd64_avx2): Writing XFER to stack earlier and
	handle XREF writing in FOUR_ROUNDS_AND_SCHED.

2019-04-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SHA512/224 and SHA512/256 algorithms.
	+ commit a3683b6f623189a4b65bb584bb9e65e3ad7b3139
	* cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping for SHA512/224
	and SHA512/256.
	(_gcry_mac_type_spec_hmac_sha512_256)
	(_gcry_mac_type_spec_hmac_sha512_224): New.
	* cipher/mac-internal.h (_gcry_mac_type_spec_hmac_sha512_256)
	(_gcry_mac_type_spec_hmac_sha512_224): New.
	* cipher/mac.c (mac_list, mac_list_algo101): Add SHA512/224 and
	SHA512/256.
	* cipher/md.c (digest_list, digest_list_algo301)
	(prepare_macpads): Ditto.
	* cipher/sha512.c (run_selftests): Ditto.
	(sha512_init_common): Move common initialization here.
	(sha512_init, sha384_init): Use common initialization function.
	(sha512_224_init, sha512_256_init, _gcry_sha512_224_hash_buffer)
	(_gcry_sha512_224_hash_buffers, _gcry_sha512_256_hash_buffer)
	(_gcry_sha512_256_hash_buffers, selftests_sha512_224)
	(selftests_sha512_256, sha512_224_asn, oid_spec_sha512_224)
	(_gcry_digest_spec_sha512_224, sha512_256_asn, oid_spec_sha512_256)
	(_gcry_digest_spec_sha512_256): New.
	* doc/gcrypt.texi: Add SHA512/224 and SHA512/256; Add missing
	HMAC-BLAKE2s and HMAC-BLAKE2b.
	* src/cipher.h (_gcry_digest_spec_sha512_224)
	(_gcry_digest_spec_sha512_256): New.
	* src/gcrypt.h.in (GCRY_MD_SHA512_256, GCRY_MD_SHA512_224): New.
	(GCRY_MAC_HMAC_SHA512_256, GCRY_MAC_HMAC_SHA512_224): New.
	* tests/basic.c (check_digests): Add SHA512/224 and SHA512/256
	test vectors.

	Remove extra buffer flush at begining of digest final functions.
	+ commit c6055aaccac86e1ca8a9d35c980d7abbacf2a9ff
	* cipher/md2.c (md2_final): Remove _gcry_md_block_write flush call
	from entry.
	* cipher/md4.c (md4_final): Ditto.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (rmd160_final): Ditto.
	* cipher/sha1.c (sha1_final): Ditto.
	* cipher/sha256.c (sha256_final): Ditto.
	* cipher/sha512.c (sha512_final): Ditto.
	* cipher/sm3.c (sm3_final): Ditto.
	* cipher/stribog.c (stribog_final): Ditto.
	* cipher/tiger.c (tiger_final): Ditto.

	Optimizations for digest final functions.
	+ commit e76cd0e2b1f6025c1319576a5848815d1d231aeb
	* cipher/md4.c (md4_final): Avoid byte-by-byte buffer setting when
	padding; Merge extra and last block processing.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (rmd160_final): Ditto.
	* cipher/sha1.c (sha1_final): Ditto.
	* cipher/sha256.c (sha256_final): Ditto.
	* cipher/sm3.c (sm3_final): Ditto.
	* cipher/tiger.c (tiger_final): Ditto.
	* cipher/sha512.c (sha512_final): Avoid byte-by-byte buffer setting
	when padding.
	* cipher/stribog.c (stribog_final): Ditto.
	* cipher/whirlpool.c (whirlpool_final): Ditto.

	tests/basic: add hash test for small block sizes.
	+ commit c54b1c96c644c941f3eb3d2a09432b82f25b6ff1
	* tests/basic.c (check_one_md): Compare hashing buffers sizes from 1 to
	129 as full buffer input and byte-by-byte input.

	Burn stack in transform functions for SHA2 AMD64 implementations.
	+ commit 74ef3ecbf94e704975e238a99c0e0480cebf46ac
	* cipher/sha256-avx-amd64.S: Burn stack inside transform functions.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

	Burn stack in transform functions for SHA1 AMD64 implementations.
	+ commit f3d4bd90662faaedd37ce0dae1f9e7f91748e91e
	* cipher/sha1-avx-amd64.S: Burn stack inside transform functions.
	* cipher/sha1-avx-bmi2-amd64.S: Ditto.
	* cipher/sha1-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha1-ssse3-amd64.S: Ditto.

	Add AVX2/BMI2 implementation of SHA1.
	+ commit b982900bfe6403e95a157271d8d811c9c573af9e
	* cipher/Makefile.am: Add 'sha1-avx2-bmi2-amd64.S'.
	* cipher/hash-common.h (MD_BLOCK_CTX_BUFFER_SIZE): New.
	(gcry_md_block_ctx): Change buffer length to MD_BLOCK_CTX_BUFFER_SIZE.
	* cipher/sha1-avx-amd64.S: Add missing .size for transform function.
	* cipher/sha1-ssse3-amd64.S: Add missing .size for transform function.
	* cipher/sha1-avx-bmi2-amd64.S: Add missing .size for transform
	function; Tweak implementation for small ~1% speed increase.
	* cipher/sha1-avx2-bmi2-amd64.S: New.
	* cipher/sha1.c (USE_AVX2, _gcry_sha1_transform_amd64_avx2_bmi2)
	(do_sha1_transform_amd64_avx2_bmi2): New.
	(sha1_init) [USE_AVX2]: Enable AVX2 implementation if supported by
	HW features.
	(sha1_final): Merge processing of two last blocks when extra block is
	needed.

2019-03-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blowfish: add three rounds parallel handling to generic C implementation
	+ commit ced7508c857c0cc37da2299a393e5b167dd28e54
	* cipher/blowfish.c (BLOWFISH_ROUNDS): Remove.
	[BLOWFISH_ROUNDS != 16] (function_F): Remove.
	(F): Replace big-endian and little-endian version with single
	endian-neutral version.
	(R3, do_encrypt_3, do_decrypt_3): New.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Use new three block functions.

	cast5: add three rounds parallel handling to generic C implementation.
	+ commit 4ec566b3689eff4a712eacfcbb4161eb243bb1df
	* cipher/cast5.c (do_encrypt_block_3, do_decrypt_block_3): New.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Use
	new three block functions.

	cast5: read Kr four blocks at time and shift for current round.
	+ commit 8a0e68be1020d0c359bf8191159ac1ebe32a5aa0
	* cipher/cast5.c (do_encrypt_block, do_decrypt_block): Read Kr as
	32-bit words instead of bytes and shift value for each round.

	Add helper function for adding value to cipher block.
	+ commit 0fe918fa897cca9e01cbdb80d14106cfe5af680e
	* cipher/cipher-internal.h (cipher_block_add): New.
	* cipher/blowfish.c (_gcry_blowfish_ctr_enc): Use new helper function
	for CTR block increment.
	* cipher/camellia-glue.c (_gcry_camellia_ctr_enc): Ditto.
	* cipher/cast5.c (_gcry_cast5_ctr_enc): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/des.c (_gcry_3des_ctr_enc): Ditto.
	* cipher/rijndael.c (_gcry_aes_ctr_enc): Ditto.
	* cipher/serpent.c (_gcry_serpent_ctr_enc): Ditto.
	* cipher/twofish.c (_gcry_twofish_ctr_enc): Ditto.

2019-03-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Optimize OCB set_key and set_nonce.
	+ commit efd700e31dc8e1e386d367d1b682000977e0c810
	* cipher/cipher-ocb.c (double_block): Change to input/output
	host-endian block instead of big-endian buffer.
	(double_block_cpy): Remove.
	(bit_copy): Use fixed length copy and 'u64' for calculations.
	(ocb_get_L_big): Handle block endian conversions for double_block.
	(_gcry_cipher_ocb_setkey): Handle block endian conversions for
	double_block.
	(_gcry_cipher_ocb_set_nonce): Set full length of 'ktop' to zero; Drop
	length parameter for bit_copy.

	AES-NI/OCB: Optimize last and first key XORing.
	+ commit eacbd59b1333b95858886999c8049e04bf72ad74
	* cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec)
	[__x86_64__]: Reorder and mix first and last key XORing with OCB offset
	XOR operations.

	AES-NI/OCB: Perform checksumming inline with encryption.
	+ commit e924ce456d5728a81c148de4a6eb23373cb70ca0
	* cipher/rijndael-aesni.c (aesni_ocb_enc): Remove call to
	'aesni_ocb_checksum', instead perform checksumming inline with offset
	calculations.

2019-03-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	AES-NI/OCB: Use stack for temporary storage.
	+ commit b82dbbedf027327e0b4444a01edb045f51c4152b
	* cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec): Use stack
	allocated 'tmpbuf' instead of output buffer as temporary storage.

2019-03-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/basic: add large buffer testing for ciphers.
	+ commit cabeebfc1179c8f5982834a8cbce02c55b3468e2
	* tests/basic.c (check_one_cipher_core): Allocate buffers from heap.
	(check_one_cipher): Add testing with large buffer (~65 KiB) in addition
	to medium size buffer (~2 KiB).

	chacha20-poly1305: fix wrong en/decryption on large input buffers.
	+ commit 049376470b31832d3331fc0037d273b4147e9d38
	* cipher/chacha20.c (_gcry_chacha20_poly1305_encrypt)
	(_gcry_chacha20_poly1305_decrypt): Correctly use 'currlen' for chacha20
	on the non-stitched code path.

2019-03-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add mention about aligning data to cachelines for best performance.
	+ commit bb03edcbba95e06686188957a65c1967ee07cd6a
	* doc/gcrypt.text: Add mention about aligning data to cachelines for
	best performance.

	random-drbg: do not use calloc for zero ctr.
	+ commit 5a20151213c2e496513c541c36e4ebd086b20be9
	* random/random-drbg.c (DRBG_CTR_NULL_LEN): Move to 'constants'
	section.
	(drbg_state_s): Remove 'ctr_null' member.
	(drbg_ctr_generate): Add 'drbg_ctr_null'.
	(drbg_sym_fini, drbg_sym_init): Remove 'drbg->ctr_null' usage.

2019-03-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARMv7/NEON accelerated GCM implementation.
	+ commit 2445cf7431fab921f6c1870da7084ee698992064
	* cipher/Makefile.am: Add 'cipher-gcm-armv7-neon.S'.
	* cipher/cipher-gcm-armv7-neon.S: New.
	* cipher/cipher-gcm.c [GCM_USE_ARM_NEON] (_gcry_ghash_setup_armv7_neon)
	(_gcry_ghash_armv7_neon, ghash_setup_armv7_neon)
	(ghash_armv7_neon): New.
	(setupM) [GCM_USE_ARM_NEON]: Use armv7/neon implementation if have
	HWF_ARM_NEON.
	* cipher/cipher-internal.h (GCM_USE_ARM_NEON): New.

	Use memset instead of setting buffers byte by byte.
	+ commit 6f2391d2df029b0e1a4e5dde17c3d97cc594a1c7
	* cipher/cipher-ccm.c (do_cbc_mac): Replace buffer setting loop with memset call.
	* cipher/cipher-gcm.c (do_ghash_buf): Ditto.
	* cipher/poly1305.c (poly1305_final): Ditto.

	Use buf_cpy instead of copying buffers byte by byte.
	+ commit 4db6d8796c0d95ab89e9ad69336509b604b957cd
	* cipher/bufhelp.h (buf_cpy): Skip memcpy if length is zero.
	* cipher/cipher-ccm.c (do_cbc_mac): Replace buffer copy loops with buf_cpy call.
	* cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate): Ditto.

	Reduce overhead on generic hash write function.
	+ commit e76617cbab018dd8f41fd6b4ec6740b5303f7e13
	* cipher/hash-common.c (_gcry_md_block_write): Remove recursive
	function call; Use buf_cpy for copying buffers; Burn stack only once.

	sha1-avx: use vmovdqa instead of movdqa.
	+ commit f8d14df1abd645c3279b14da43b4a7983d87f89f
	* cipher/sha1-avx-amd64.S: Replace 'movdqa' with 'vmovdqa'.
	* cipher/sha1-avx-bmi2-amd64.S: Replace 'movdqa' with 'vmovdqa'.

	doc/gcrypt.texi: update HW feature list.
	+ commit 7abf65da84c7106250a5ed2de78b05610cf251f4
	* doc/gcrypt.texi: Update FW feature list.

2019-03-20  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

	ecc: Adjust debugging output.
	+ commit 54db6a4b44124ed7e95897174f32262482b4b0cb
	* cipher/ecc.c (ecc_check_secret_key): Adjust debugging output to use
	full column titles.

2019-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	fips: Only test check_binary_integrity when fips_mode is enabled.
	+ commit ad133fc79757236359252e92244fe16e9adb45a3
	* src/fips.c (_gcry_fips_run_selftests): Check the status of fips_mode
	before calling check_binary_integrity.

2019-02-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add 2-way path for SSSE3 version of ChaCha20.
	+ commit d455068988e5779b0200c51415ddab6b51e12dc4
	* cipher/chacha20-amd64-ssse3.S (_gcry_chacha20_amd64_ssse3_blocks1)
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks1): Add 2-way code paths.
	* cipher/chacha20.c (_gcry_chacha20_poly1305_encrypt): Add
	preprosessing of 2 blocks with SSSE3.

2019-01-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Do not precalculate OCB offset L0+L1+L0.
	+ commit afab94d222425ecb838eb56cb0723bdaf3e5de36
	* cipher/cipher-internal.h (gcry_cipher_handle): Remove OCB L0L1L0.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_setkey): Ditto.
	* cipher/rijndael-aesni.c (aesni_ocb_enc, aesni_ocb_dec)
	(_gcry_aes_aesni_ocb_auth): Replace L0L1L0 use with L1.

	Calculate OCB L-tables when setting key instead of when setting nonce.
	+ commit c15409c49993166ab1325d45360b3a8fe72a5556
	* cipher/cipher-internal.h (gcry_cipher_handle): Mark areas of
	u_mode.ocb that are and are not cleared by gcry_cipher_reset.
	(_gcry_cipher_ocb_setkey): New.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Split
	L-table generation to ...
	(_gcry_cipher_ocb_setkey): ... this new function.
	* cipher/cipher.c (cipher_setkey): Add handling for OCB mode.
	(cipher_reset): Do not clear L-values for OCB mode.

	chacha20-amd64-avx2: optimize output xoring.
	+ commit 08e0650c21984bb9ddf5a1dabb1cc890fabf63ab
	* cipher/chacha20-amd64-avx2.S (STACK_TMP2): Remove.
	(transpose_16byte_2x2, xor_src_dst): New.
	(BUF_XOR_256_TO_128): Remove.
	(_gcry_chaha20_amd64_avx2_blocks8)
	(_gcry_chacha20_poly1305_amd64_avx2_blocks8): Replace
	BUF_XOR_256_TO_128 with transpose_16byte_2x2/xor_src_dst; Reduce stack
	usage; Better interleave chacha20 state merging and output xoring.

	tests/bench-slope: prevent auto-mhz detection getting stuck.
	+ commit 28614a77a28190ab902a2b98039de2cd0635c7c7
	* cipher/bench-slope.c (bench_ghz, bench_ghz_diff): New static
	variables.
	(AUTO_GHZ_TARGET_DIFF): New macro.
	(do_slope_benchmark): Reduce target auto-mhz accuracy after
	repeated failures.
	(bench_print_result_csv, bench_print_result_std): Print auto-ghz
	different if 1 Mhz or more.
	(do_slope_benchmark, bench_print_result_csv, bench_print_result_std)
	(bench_print_result): Remove 'bench_ghz' parameter.
	(cipher_bench_one, hash_bench_one, mac_bench_one)
	(kdf_bench_one): Remove 'bench_ghz' variable.

	tests/bench-slope: add missing cipher context reset.
	+ commit 546f13ae08918726791600cdd0d0be56cc52c790
	* tests/bench-slope.c (bench_encrypt_do_bench)
	(bench_decrypt_do_bench): Add call to 'gcry_cipher_reset'.

	Add stitched ChaCha20-Poly1305 SSSE3 and AVX2 implementations.
	+ commit d6330dfb4b0e9fb3f8eef65ea13146060b804a97
	* cipher/asm-poly1305-amd64.h: New.
	* cipher/Makefile.am: Add 'asm-poly1305-amd64.h'.
	* cipher/chacha20-amd64-avx2.S (QUATERROUND2): Add interleave
	operators.
	(_gcry_chacha20_poly1305_amd64_avx2_blocks8): New.
	* cipher/chacha20-amd64-ssse3.S (QUATERROUND2): Add interleave
	operators.
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks4)
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks1): New.
	* cipher/chacha20.c (_gcry_chacha20_poly1305_amd64_ssse3_blocks4)
	(_gcry_chacha20_poly1305_amd64_ssse3_blocks1)
	(_gcry_chacha20_poly1305_amd64_avx2_blocks8): New prototypes.
	(chacha20_encrypt_stream): Split tail to...
	(do_chacha20_encrypt_stream_tail): ... new function.
	(_gcry_chacha20_poly1305_encrypt)
	(_gcry_chacha20_poly1305_decrypt): New.
	* cipher/cipher-internal.h (_gcry_chacha20_poly1305_encrypt)
	(_gcry_chacha20_poly1305_decrypt): New prototypes.
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt): Call
	'_gcry_chacha20_poly1305_encrypt' if cipher is ChaCha20.
	(_gcry_cipher_poly1305_decrypt): Call
	'_gcry_chacha20_poly1305_decrypt' if cipher is ChaCha20.
	* cipher/poly1305-internal.h (_gcry_cipher_poly1305_update_burn): New
	prototype.
	* cipher/poly1305.c (poly1305_blocks): Make static.
	(_gcry_poly1305_update): Split main function body to ...
	(_gcry_poly1305_update_burn): ... new function.

	Add SSSE3 optimized non-parallel ChaCha20 function.
	+ commit 7d9b2f114f3edf4d13640616cf34c79364234781
	* cipher/chacha20-amd64-ssse3.S (ROTATE_SHUF, ROTATE, WORD_SHUF)
	(QUARTERROUND4, _gcry_chacha20_amd64_ssse3_blocks1): New.
	* cipher/chacha20.c (_gcry_chacha20_amd64_ssse3_blocks1): New
	prototype.
	(chacha20_blocks): Rename to ...
	(do_chacha20_blocks): ... this.
	(chacha20_blocks): New.
	(chacha20_encrypt_stream): Adjust for new chacha20_blocks function.

	tests/basic: increase buffer size for check_one_cipher.
	+ commit 88e482d16ee80de41b6f133e77f0d15423fcd266
	* tests/basic.c (check_one_cipher_core)
	(check_one_cipher): Increase buffer from 1040 to 1904 bytes.

	tests/basic: check AEAD tags in check_one_cipher test.
	+ commit eee1f152a5b3040f6723d287d1b01fb939be67b7
	* tests/basic.c (get_algo_mode_taglen): New.
	(check_one_cipher_core_reset): Check that tags are same with
	AEAD modes.

2019-01-15  NIIBE Yutaka  <gniibe@fsij.org>

	build: With LD_LIBRARY_PATH defined, use --disable-new-dtags.
	+ commit e5c2f8a2cd2b89d90ea30de2dedb0e92498a5f70
	* configure.ac (LDADD_FOR_TESTS_KLUDGE): New for --disable-new-dtags.
	* tests/Makefile.am (LDADD, t_lock_LDADD): Use LDADD_FOR_TESTS_KLUDGE.

	random: Fix previous commit for getentropy function.
	+ commit 17f246c7044ab9ed236f6ec73fc126654257f0f9
	* random/rndlinux.c [__NR_getrandom] (_gcry_rndlinux_gather_random):
	Check return value only for use of syscall.

	random: Use getentropy when available for not GNU/Linux.
	+ commit 2677d7d482bf2d078c1dce64854747c5b148924b
	* configure.ac: Detect getentropy.
	* random/rndlinux.c [__linux__] (getentropy): Macro defined.
	[HAVE_GETENTROPY] (_gcry_rndlinux_gather_random): Use getentropy.

2019-01-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-aarch64: do not export look-up table globally.
	+ commit 09c27280cc09798d15369b3a143036b7ab5ddd69
	* cipher/camellia-aarch64.S (_gcry_camellia_arm_tables): Remove
	'.globl' export.

2019-01-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Process CCM/EAX/GCM/Poly1305 AEAD cipher modes input in 24 KiB chucks.
	+ commit 3ee6588de8311b461ef8707c70ff86d2b252966d
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt): Process data in 24 KiB chunks.
	* cipher/cipher-eax.c (_gcry_cipher_eax_encrypt)
	(_gcry_cipher_eax_decrypt): Ditto.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_decrypt): Ditto.
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt): Ditto.

	tests/benchmark: add Chacha20-Poly1305 benchmarking.
	+ commit 4871f11745f33c5c5051bfe6f325ac1c10764b04
	* tests/benchmark.c (cipher_bench): Add Chacha20-Poly1305.

	tests/benchmark: add --huge-buffers option for cipher tests.
	+ commit edde61f325e4b345f17c47369f3b6b1400656f04
	* tests/benchmark.c (huge_buffers, cipher_encrypt, cipher_decrypt): New.
	(cipher_bench): Add 'max_inlen' to modes structure; add huge buffers
	mode selection.
	(main): Add '--huge-buffers'.

2018-12-19  NIIBE Yutaka  <gniibe@fsij.org>

	random: Add finalizer for rndjent.
	+ commit 3028a221d39c1b593ea0c1bcbfccd33959769692
	* random/rand-internal.h (_gcry_rndjent_fini): New.
	* random/rndjent.c (_gcry_rndjent_fini): New.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Call the finalizer
	when GCRYCTL_CLOSE_RANDOM_DEVICE.

2018-12-12  Werner Koch  <wk@gnupg.org>

	secmem: Prepare for easier debugging.
	+ commit 876f7280e8604bc99ddda0526339ec5ec6b23c4b
	* src/secmem.c (_gcry_secmem_dump_stats): Factor code out to ...
	(secmem_dump_stats_internal): new.

2018-12-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-aesni: interleave last CTR encryption round with xoring.
	+ commit 66d2b7fc17258f1424f4ca4adb1096e48b818bd0
	* cipher/rijndael-aesni.c (do_aesni_ctr_8): Interleave aesenclast
	with input xoring.

2018-11-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Use explicit_bzero for wipememory.
	+ commit 168668228c7c49e70612cb4d602d6d603a2add2c
	* configure.ac (AC_CHECK_FUNCS): Check for 'explicit_bzero'.
	* src/g10lib.h (wipememory2): Use _gcry_fast_wipememory if _SET is
	zero.
	(_gcry_fast_wipememory): New.
	(_gcry_wipememory2): Rename to...
	(_gcry_fast_wipememory2): ...this.
	* src/misc.c (_gcry_wipememory): New.
	(_gcry_wipememory2): Rename to...
	(_gcry_fast_wipememory2): ...this.
	(_gcry_fast_wipememory2) [HAVE_EXPLICIT_BZERO]: Use explicit_bzero if
	SET is zero.
	(_gcry_burn_stack): Use _gcry_fast_wipememory.

	Add clang target pragma for mixed C/assembly x86-64 implementations.
	+ commit 9d9c4fd18b445ff414d11678285d54af3afdb222
	* cipher/cipher-gcm-intel-pclmul.c: Add target 'no-sse' attribute
	pragma for clang.
	* cipher/crc-intel-pclmul.c: Ditto.
	* cipher/rijndael-aesni.c: Ditto.
	* cipher/rijndael-ssse3-amd64.c: Ditto.
	* cipher/sha1-intel-shaext.c: Ditto.
	* cipher/sha256-intel-shaext.c: Ditto.

	Optimizations for AES-NI OCB.
	+ commit b42de67f34871a2520cfe370af513f2aab6e4f75
	* cipher/cipher-internal.h (gcry_cipher_handle): New pre-computed OCB
	values L0L1 and L0L1L0; Swap dimensions for OCB L table.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Setup L0L1 and
	L0L1L0 values.
	(ocb_crypt): Process input in 24KiB chunks for better cache locality
	for checksumming.
	* cipher/rijndael-aesni.c (ALWAYS_INLINE): New macro for always
	inlining functions, change all functions with 'inline' to use
	ALWAYS_INLINE.
	(NO_INLINE): New macro.
	(aesni_prepare_2_6_variable, aesni_prepare_7_15_variable): Rename to...
	(aesni_prepare_2_7_variable, aesni_prepare_8_15_variable): ...these and
	adjust accordingly (xmm7 moved from *_7_15 to *_2_7).
	(aesni_prepare_2_6, aesni_prepare_7_15): Rename to...
	(aesni_prepare_2_7, aesni_prepare_8_15): ...these and adjust
	accordingly.
	(aesni_cleanup_2_6, aesni_cleanup_7_15): Rename to...
	(aesni_cleanup_2_7, aesni_cleanup_8_15): ...these and adjust
	accordingly.
	(aesni_ocb_checksum): New.
	(aesni_ocb_enc, aesni_ocb_dec): Calculate OCB offsets in parallel
	with help of pre-computed offsets L0+L1 ja L0+L1+L0; Do checksum
	calculation as separate pass instead of inline; Use NO_INLINE.
	(_gcry_aes_aesni_ocb_auth): Calculate OCB offsets in parallel
	with help of pre-computed offsets L0+L1 ja L0+L1+L0.
	* cipher/rijndael-internal.h (RIJNDAEL_context_s) [USE_AESNI]: Add
	'use_avx2' and 'use_avx'.
	* cipher/rijndael.c (do_setkey) [USE_AESNI]: Set 'use_avx2' if
	Intel AVX2 HW feature is available and 'use_avx' if Intel AVX HW
	feature is available.
	* tests/basic.c (do_check_ocb_cipher): New test vector; increase
	size of temporary buffers for new test vector.
	(check_ocb_cipher_largebuf_split): Make test plaintext non-uniform
	for better checksum testing.
	(check_ocb_cipher_checksum): New.
	(check_ocb_cipher_largebuf): Call check_ocb_cipher_checksum.
	(check_ocb_cipher): New expected tags for check_ocb_cipher_largebuf
	test runs.

2018-11-19  Andreas Metzler  <ametzler@bebt.de>

	doc: Fix library initialization examples.
	+ commit af0bbdb9019e0b4a72e87e8b1b4a55506d349834


2018-11-14  Werner Koch  <wk@gnupg.org>

	random: Initialize variable as requested by valgrind.
	+ commit aa686dfc9b563ff79c01d2f8560b88f69c42ecba
	random/jitterentropy-base.c: Init.

2018-11-13  NIIBE Yutaka  <gniibe@fsij.org>

	libgcrypt.m4: Prefer gpgrt-config to SYSROOT support.
	+ commit 852245390ef7fd8ca9e36010886a4cf42cf710bf
	* libgcrypt.m4: Move SYSROOT support after check of GPGRT_CONFIG.

	build: Update autogen.rc.
	+ commit bea193446351c24b10a4342466978d57bd53f599
	* autogen.rc: Remove obsolete --with-gpg-error-prefix option.

2018-11-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix 'variable may be used uninitialized' warning for CTR mode.
	+ commit 3f76319803a4abcd33fa29a0ac39f8ed9d646226
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Set N to BLOCKSIZE
	before counter loop.

2018-11-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix inlining of ocb_get_l for x86 AES implementations.
	+ commit 9d6431604b5ee21572c1c2cfa8376e6d81162cbb
	* cipher/rijndael-aesni.c (aes_ocb_get_l): New.
	(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Use
	'aes_ocb_get_l'.
	* cipher/rijndael-ssse3-amd4.c (aes_ocb_get_l): New.
	(ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Use
	'aes_ocb_get_l'.

2018-11-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	stdmem: free: only call _gcry_secmem_free if needed.
	+ commit 23f56d3359ca7d152aa87874ddd6305171a91408
	* src/stdmem.c (_gcry_private_free): Check if memory is secure before
	calling _gcry_secmem_free to avoid unnecessarily taking secmem lock.

	secmem: fix potential memory visibility issue.
	+ commit d6c6680ca31c05bafbb8becda56da051346eceb3
	* configure.ac (gcry_cv_have_sync_synchronize): New check.
	* src/secmem.c (pooldesc_s): Make next pointer volatile.
	(memory_barrier): New.
	(_gcry_secmem_malloc_internal): Insert memory barrier between
	pool->next and mainpool.next assigments.
	(_gcry_private_is_secure): Update comments.

	wipememory: use memset for non-constant length or large buffer wipes.
	+ commit 4faeaa1cbd235a2560fa04a8ac3766a07029acd8
	* src/g10lib.h (CONSTANT_P): New.
	(_gcry_wipememory2): New prototype.
	(wipememory2): Use _gcry_wipememory2 if _len not constant expression or
	lenght is larger than 64 bytes.
	(FASTWIPE_T, FASTWIPE_MULT, fast_wipememory2_unaligned_head): Remove.
	(fast_wipememory2): Always handle buffer as unaligned.
	* src/misc.c (__gcry_burn_stack): Move memset_ptr variable to...
	(memset_ptr): ... here. New.
	(_gcry_wipememory2): New.

	Change buf_cpy and buf_xor* functions to use buf_put/buf_get helpers.
	+ commit 0068d41d9304ebcdb2caba1fa8848925e2bfaac7
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS)
	(bufhelp_int_s, buf_xor_1): Remove.
	(buf_cpy, buf_xor, buf_xor_2dst, buf_xor_n_copy_2): Use
	buf_put/buf_get helpers to handle unaligned memory accesses.

	rijndael: fix unused parameter warning.
	+ commit 30e783ec487466132324673f197d36b85a91b060
	* cipher/rijndael.c (do_setkey): Silence unused 'hd' warning.

	mpi/longlong.h: enable inline assembly for powerpc64.
	+ commit ec49013d23d9a7b874c42d77ceb08bd313ba69e1
	* mpi/longlong.h [__powerpc__ && W_TYPE_SIZE == 64]: Remove '#if 0'.

	Change remaining users of _gcry_fips_mode to use fips_mode.
	+ commit 2aece89d3967e692743541cea857f2e4771b0b62
	* src/fips.c (_gcry_fips_mode): Remove.
	(_gcry_enforced_fips_mode, _gcry_inactivate_fips_mode)
	(_gcry_is_fips_mode_inactive): Use fips_mode.
	* src/g10lib.h (_gcry_fips_mode): Remove.

2018-11-02  NIIBE Yutaka  <gniibe@fsij.org>

	aarch64: mpi: Distribute the header file as a part of source.
	+ commit a2e0cb1542818ad8a71de34ccbf191adab0a0b86
	* mpi/Makefile.am (EXTRA_libmpi_la_SOURCES): Add asm-common-aarch64.h.

	build: Fix GCRYPT_HWF_MODULES.
	+ commit f7395338d71d4d82180a11707fd6e77787162e24
	* configure.ac (GCRYPT_HWF_MODULES): Add libgcrypt_la- prefix.

	build: Update gpg-error.m4 and libgcrypt.m4.
	+ commit f46286851158878d5041ac5381b2807ecec541eb
	* m4/gpg-error.m4: Update to 2018-11-02.
	* src/libgrypt.m4: Add AC_MSG_NOTICE.
	Bump the version date.

2018-10-29  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4 and ksba.m4.
	+ commit 4a4d4a284ca996df874e2534f8529c1611289943
	* m4/gpg-error.m4: Update to 2018-10-29.
	* src/libgrypt.m4: Follow the change of gpgrt-config.
	Bump the version date.

2018-10-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix missing global initialization in fips_is_operational.
	+ commit 6e669e09603e5a98b59dcf35f77f346db6c81eac
	* src/g10lib.h (_gcry_global_any_init_done): New extern.
	(fips_is_operational): Check for _gcry_global_any_init_done and call
	_gcry_global_is_operational.
	* src/global.c (any_init_done): Rename to ...
	(_gcry_global_any_init_done): ... this and make externally available.

2018-10-26  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

	random: use getrandom() on Linux where available.
	+ commit 7e662680c170968661ee0105d132813f8281d229
	* random/rndlinux.c (_gcry_rndlinux_gather_random): use the
	getrandom() syscall on Linux if it exists, regardless of what kind of
	entropy was requested.

2018-10-26  Werner Koch  <wk@gnupg.org>

	random: Make sure to re-open /dev/random after a fork.
	+ commit 319f55e6e5793c59f1ba4cfe481b562bca42194d
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Detect fork and
	re-open devices.

	primes: Avoid leaking bits of the prime test to pageable memory.
	+ commit 2e2e68ad4874a4678cfbe452b70ae987e0402eca
	* cipher/primegen.c (gen_prime): Allocate MODS in secure memory.

2018-10-26  NIIBE Yutaka  <gniibe@fsij.org>

	libgcrypt.m4: Better compatibility support.
	+ commit a755bd0ea09af2ae5a66e3f5aeb8707673c687cf
	* src/gpg-error.m4: Update.
	* src/libgcrypt.m4: Don't assume libgcrypt-config is newer.

	build: Fix libgcrypt.m4.
	+ commit 630ece1b7e0a94442bca91d8e96d9b1d4cd3ec66
	* src/libgcrypt.m4: Use AC_PATH_PROG to detect libgcrypt-config.

	build: Relax build requirements.
	+ commit 8e5641ed65f86783542d5caccdeeee42eeb9457c
	* m4/gpg-error.m4: Update from libgpg-error 1.33.
	* src/libgcrypt.m4: Don't require AM_PATH_GPG_ERROR.  Use GPGRT_CONFIG
	instead of libgcrypt-config when it is confirmed that it is available
	and working well.
	* configure.ac (AM_PATH_GPG_ERROR): No requirement for newer version
	(It was because of new gpgrt-config which supports *.pc files).

2018-10-25  NIIBE Yutaka  <gniibe@fsij.org>

	build: Require libgpg-error >= 1.33.
	+ commit b376dc2abbb208b10bbc76998ff39adb2f301905
	* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.33.
	* m4/gpg-error.m4: Update from libgpg-error 1.33.
	* src/libgcrypt.m4: Bump version date.
	Use --variable option.

2018-10-24  Werner Koch  <wk@gnupg.org>

	build: Add release make target.
	+ commit 03bb25ee7ed6f1076bf788ab981ca68672880daa
	* Makefile.am (release, sign-release): New targets.

	build: Make distcheck work again.
	+ commit b0ad66e48c46b79af69349606e276cf0a6b9a020
	* cipher/Makefile.am: Prettified source file lists.
	EXTRA_libcipher_la_SOURCES): Add missing asm-common-aarch64.h.

	Fix memory leak in secmem in out of core conditions.
	+ commit f74687fd43f5772a372f54031d5a9527597f4ce4
	* src/secmem.c (_gcry_secmem_malloc_internal): Release pool descriptor
	if the pool could not be allocated.

	ecc: Fix memory leak in the error case of ecc_encrypt_raw.
	+ commit e57e75ea517f32109b508113f18298fc69fd1192
	* cipher/ecc.c (ecc_encrypt_raw): Add proper error cleanup in the main
	block.

	ecc: Fix possible memory leakage in parameter check of eddsa.
	+ commit 149ceb3cae03d0385341d32430aa5ae57de90007
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Fix mem leak.

2018-10-24  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix libgcrypt.pc.
	+ commit 0e071372fc0e6fed4a449955ed0789803ba5e709
	* src/libgcrypt.pc.in: Fix typo.

	build: Compatibility to pkg-config.
	+ commit c60eabb11435665fa84a3a82b2a15f48870cc4d7
	* src/libgcrypt-config.in: Support --variable and --modversion.

	build: Make libgcrypt.m4 use gpg-error-config.
	+ commit 7da887d69d72ea0ea0d106054c48a8c03e242a18
	* src/libgcrypt.m4: Use gpg-error-config.

	build: Provide libgcrypt.pc, generated by configure.
	+ commit 97194b422bc89a6137f4e218d4cdee118c63e96e
	* configure.ac: Generate src/libgcrypt.pc.
	* src/Makefile.am (pkgconfigdir, pkgconfig_DATA): New.
	(EXTRA_DIST): Add libgcrypt.pc.in.
	* src/libgcrypt-config.in: Use @PACKAGE_VERSION@.
	* src/libgcrypt.pc.in: New.

	build: Update gpg-error.m4 from libgpg-error.
	+ commit 5b1febb5e40d92072bef425bd9e63f7a07edd57e
	* m4/gpg-error.m4: Update from libgpg-error 1.33.

	build: Don't default to underscore=yes for cross-build.
	+ commit 0f4545b441b6fbdd6e9c4e95f5f2a367483e78ad
	* acinclude.m4: Don't set ac_cv_sys_symbol_underscore
	for cross build.

2018-10-23  Werner Koch  <wk@gnupg.org>

	ecc: Fix potential unintended freeing of an internal param.
	+ commit e2da4e8dee4b371804f3b2659b53431fb6380d93
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Fix c+p error

	sexp: Fix uninitialized use of a var in the error case.
	+ commit 9f2c7ec4d8b07e82663ad084c90c016d3c3b80c2
	* src/sexp.c (_gcry_sexp_vextract_param): Initialize L1.

2018-10-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: Let configure create the VERSION file.
	+ commit 0f2c6ce2c9504c6df435463243edaa669e57b109
	* autogen.sh: Update from libgpg-error.
	* configure.ac: Use mym4_versoin to create VERSION file.
	* Makefile.am (dist-hook): Do not create VERSION file.
	(EXTRA_DIST): Add VERSION.

2018-07-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add size optimized cipher block copy and xor functions.
	+ commit 86e5e06a97ae13b8bbf6923ecc76e02b9c429b46
	* cipher/bufhelp.h (buf_get_he32, buf_put_he32, buf_get_he64)
	(buf_put_he64): New.
	* cipher/cipher-internal.h (cipher_block_cpy, cipher_block_xor)
	(cipher_block_xor_1, cipher_block_xor_2dst, cipher_block_xor_n_copy_2)
	(cipher_block_xor_n_copy): New.
	* cipher/cipher-gcm-intel-pclmul.c
	(_gcry_ghash_setup_intel_pclmul): Use assembly for swapping endianness
	instead of buf_get_be64 and buf_cpy.
	* cipher/blowfish.c: Use new cipher_block_* functions for cipher block
	sized buf_cpy/xor* operations.
	* cipher/camellia-glue.c: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/cipher-aeswrap.c: Ditto.
	* cipher/cipher-cbc.c: Ditto.
	* cipher/cipher-ccm.c: Ditto.
	* cipher/cipher-cfb.c: Ditto.
	* cipher/cipher-cmac.c: Ditto.
	* cipher/cipher-ctr.c: Ditto.
	* cipher/cipher-eax.c: Ditto.
	* cipher/cipher-gcm.c: Ditto.
	* cipher/cipher-ocb.c: Ditto.
	* cipher/cipher-ofb.c: Ditto.
	* cipher/cipher-xts.c: Ditto.
	* cipher/des.c: Ditto.
	* cipher/rijndael.c: Ditto.
	* cipher/serpent.c: Ditto.
	* cipher/twofish.c: Ditto.

2018-07-04  NIIBE Yutaka  <gniibe@fsij.org>

	RFC-8439 was published.
	+ commit 9660c3fafd732b1857bb2697c6f43aed077b9ad6
	* cipher/cipher-poly1305.c: Update RFC reference.

2018-06-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Clean-up implementation selection for SHA1 and SHA2.
	+ commit 8a44c55d2fb758f726b8b436aa5c0b88a6c6f112
	* cipher/sha1.c (ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
	(do_sha1_transform_amd64_ssse3, do_sha1_transform_amd64_avx)
	(do_sha1_transform_amd64_avx_bmi2, do_sha1_transform_intel_shaext)
	(do_sha1_transform_armv7_neon, do_sha1_transform_armv8_ce): New.
	(transform_blk, transform): Merge to ...
	(do_transform_generic): ... this and remove calls to assembly
	implementations.
	(sha1_init): Select hd->bctx.bwrite based on HW features.
	(_gcry_sha1_mixblock, sha1_final): Call hd->bctx.bwrite instead of
	transform.
	* cipher/sha1.h (SHA1_CONTEXT): Remove implementation selection bits.
	* cipher/sha256.h (SHA256_CONTEXT): Remove implementation selection
	bits.
	(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
	(do_sha256_transform_amd64_ssse3, do_sha256_transform_amd64_avx)
	(do_sha256_transform_amd64_avx2, do_sha256_transform_intel_shaext)
	(do_sha256_transform_armv8_ce): New.
	(transform_blk, transform): Merge to ...
	(do_transform_generic): ... this and remove calls to assembly
	implementations.
	(sha256_init, sha224_init): Select hd->bctx.bwrite based on HW
	features.
	(sha256_final): Call hd->bctx.bwrite instead of transform.
	* cipher/sha512-armv7-neon.S
	(_gcry_sha512_transform_armv7_neon): Return zero.
	* cipher/sha512.h (SHA512_CONTEXT): Remove implementation selection
	bits.
	(ASM_EXTRA_STACK): Increase by sizeof(void*)*4.
	(do_sha512_transform_armv7_neon, do_sha512_transform_amd64_ssse3)
	(do_sha512_transform_amd64_avx, do_sha512_transform_amd64_avx2): New.
	[USE_ARM_ASM] (do_transform_generic): New.
	(transform_blk, transform): Merge to ...
	[!USE_ARM_ASM] (do_transform_generic): ... this and remove calls to
	assembly implementations.
	(sha512_init, sha384_init): Select hd->bctx.bwrite based on HW
	features.
	(sha512_final): Call hd->bctx.bwrite instead of transform.

	Add hash_buffer and hash_buffers for SHA-224, SHA-385, SHA3 and BLAKE2.
	+ commit 59c4e344eec61cff45185e1caea6815b3266a0f8
	* cipher/blake2.c (DEFINE_BLAKE2_VARIANT): Add hash_buffer and
	hash_buffers functions for BLAKE2 variants.
	* cipher/keccak.c (_gcry_sha3_hash_buffer, _gcry_sha3_hash_buffers)
	(_gcry_sha3_224_hash_buffer, _gcry_sha3_224_hash_buffers)
	(_gcry_sha3_256_hash_buffer, _gcry_sha3_256_hash_buffers)
	(_gcry_sha3_384_hash_buffer, _gcry_sha3_384_hash_buffers)
	(_gcry_sha3_512_hash_buffer, _gcry_sha3_512_hash_buffers): New.
	* cipher/sha256.c (_gcry_sha224_hash_buffer)
	(_gcry_sha224_hash_buffers): New.
	* cipher/sha512.c (_gcry_sha384_hash_buffer)
	(_gcry_sha384_hash_buffers): New.

	Add hash_buffer and hash_buffers pointers to message digest spec.
	+ commit b136703ea0ddbd9fec6dfd1f8dfda8373653ba39
	* src/cipher-proto.h (gcry_md_hash_buffer_t)
	(gcry_md_hash_buffers_t): New.
	(gcry_md_spec): Add hash_buffer and hash_buffers.
	* cipher/md.c (_gcry_md_hash_buffer, _gcry_md_hash_buffers): Use
	hash_buffer/hash_buffers from MD spec instead of hard-coding supported
	algorithms.
	* cipher/blake2.c: Add NULL to MD spec hash_buffer and hash_buffers
	pointers.
	* cipher/crc.c: Ditto.
	* cipher/gostr3411-94.c: Ditto.
	* cipher/keccak.c: Ditto.
	* cipher/md2.c: Ditto.
	* cipher/md4.c: Ditto.
	* cipher/md5.c: Ditto.
	* cipher/stribog.c: Ditto.
	* cipher/tiger.c: Ditto.
	* cipher/whirlpool.c: Ditto.
	* cipher/rmd160.c (_gcry_rmd160_hash_buffers): New.
	(_gcry_digest_spec_rmd160): Add hash_buffer and hash_buffers functions.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Add hash_buffer and
	hash_buffers functions.
	* cipher/sha256.c (_gcry_digest_spec_sha256): Add hash_buffer and
	hash_buffers functions.
	(_gcry_digest_spec_sha224): Add NULL pointers for hash_buffer and
	hash_buffers.
	* cipher/sha512.c (_gcry_digest_spec_sha1): Add hash_buffer and
	hash_buffers functions.
	(_gcry_digest_spec_sha384): Add NULL pointers for hash_buffer and
	hash_buffers.
	* cipher/sm3.c (_gcry_digest_spec_sha1): Add hash_buffer and
	hash_buffers functions.

	AES: setup cipher object bulk routines with optimized versions.
	+ commit a15c1def7e0f170f6663635db84fecab1cbfcca7
	* cipher/rijndael-aesni.c
	(_gcry_aes_aesni_prepare_decryption): Rename...
	(do_aesni_prepare_decryption): .. to this.
	(_gcry_aes_aesni_prepare_decryption): New.
	(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
	(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
	(_gcry_aes_aesni_cbc_dec): Reorder parameters to match bulk
	operations.
	(_gcry_aes_aesni_cbc_dec, aesni_ocb_dec)
	(_gcry_aes_aesni_xts_dec): Check and prepare decryption.
	(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): Change return
	type to size_t.
	* cipher/rijndael-armv8-ce.c
	(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
	(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
	(_gcry_aes_armv8_ce_cbc_dec): Reorder parameters to match bulk
	operations.
	(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
	(_gcry_aes_armv8_ce_xts_dec): Check and prepare decryption.
	(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Change
	return type to size_t.
	* cipher/rijndael-ssse3-amd64.c
	(_gcry_ssse3_prepare_decryption): Rename...
	(do_ssse3_prepare_decryption): .. to this.
	(_gcry_ssse3_prepare_decryption): New.
	(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
	(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec): Reorder parameters to match bulk
	operations.
	(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_dec): Check and prepare decryption.
	(_gcry_aes_ssse3_ocb_crypt, _gcry_aes_ssse3_ocb_auth): Change return
	type to size_t.
	* cipher/rijndael.c
	(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
	(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
	(_gcry_aes_aesni_cbc_dec, _gcry_aes_aesni_ocb_crypt)
	(_gcry_aes_aesni_ocb_auth, _gcry_aes_aesni_xts_crypt)
	(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
	(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_ocb_crypt)
	(_gcry_aes_ssse3_ocb_auth, _gcry_aes_ssse3_xts_crypt)
	(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
	(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
	(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
	(_gcry_aes_armv8_ce_ocb_auth, _gcry_aes_armv8_ce_xts_crypt): Change
	prototypes to match bulk operations.
	(do_setkey): Setup bulk operations with optimized implementations.
	(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc, _gcry_aes_ctr_enc)
	(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec, _gcry_aes_ocb_crypt)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Update
	usage to match new prototypes, avoid prefetch and decryption
	preparation on optimized code paths.

	Pass cipher object pointer to setkey functions.
	+ commit ca21a24808efa5d562ac91f683504ae0d6dfa69f
	* cipher/cipher.c (cipher_setkey): Pass cipher object pointer to
	cipher's setkey function.
	* cipher/arcfour.c: Add gcry_cipher_hd_t parameter for setkey
	functions and update selftests to pass NULL pointer.
	* cipher/blowfish.c: Ditto.
	* cipher/camellia-glue.c: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/chacha20.c: Ditto.
	* cipher/cipher-selftest.c: Ditto.
	* cipher/des.c: Ditto.
	* cipher/gost28147.c: Ditto.
	* cipher/idea.c: Ditto.
	* cipher/rfc2268.c: Ditto.
	* cipher/rijndael.c: Ditto.
	* cipher/salsa20.c: Ditto.
	* cipher/seed.c: Ditto.
	* cipher/serpent.c: Ditto.
	* cipher/twofish.c: Ditto.
	* src/cipher-proto.h: Ditto.

	Add fast path for _gcry_fips_is_operational.
	+ commit b6e6ace324440f564df664e27f8276ef01f76795
	* src/fips.c (no_fips_mode_required): Rename to...
	(_gcry_no_fips_mode_required): ...this and make externally available.
	* src/g10lib.h (_gcry_no_fips_mode_required): New extern.
	(fips_mode): Inline _gcry_fips_mode to macro, use
	_gcry_no_fips_mode_required directly.
	(fips_is_operational): Inline fips_mode check from
	_gcry_fips_in_operational.

	Access cipher mode routines through routine pointers.
	+ commit 233e2049a2cc1c1110f541b6a7ef145a737e2c65
	* cipher/cipher-internal.h (gcry_cipher_handle): Add function pointers
	for mode operations.
	(_gcry_cipher_xts_crypt): Remove.
	(_gcry_cipher_xts_encrypt, _gcry_cipher_xts_decrypt): New.
	* cipher/cipher-xts.c (_gcry_cipher_xts_encrypt)
	(_gcry_cipher_xts_decrypt): New.
	* cipher/cipher.c (_gcry_cipher_setup_mode_ops): New.
	(_gcry_cipher_open_internal): Setup mode routines.
	(cipher_encrypt, cipher_decrypt): Remove.
	(do_stream_encrypt, do_stream_decrypt, do_encrypt_none_unknown)
	(do_decrypt_none_unknown): New.
	(_gcry_cipher_encrypt, _gcry_cipher_decrypt, _gcry_cipher_setiv)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag): Adapted to use mode routines through pointers.

	Add separate handlers for CBC-CTS variant.
	+ commit 87d8caa47e00f1b1cea968fe38cf30c0ccc9749c
	* cipher/cipher-cbc.c (cbc_encrypt_inner, cbc_decrypt_inner)
	(_gcry_cipher_cbc_cts_encrypt, _gcry_cipher_cbc_cts_decrypt): New.
	(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Remove CTS
	handling.
	* cipher/cipher-internal.h (_gcry_cipher_cbc_cts_encrypt)
	(_gcry_cipher_cbc_cts_decrypt): New.
	* cipher/cipher.c (cipher_encrypt, cipher_decrypt): Call CBC-CTS
	handler if CBC-CTS flag is set.

	Avoid division by spec->blocksize in cipher mode handlers.
	+ commit f5168091c1930e948af8f25da11cad5dfa62c7ba
	* cipher/cipher-internal.h (_gcry_blocksize_shift): New.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipherp_cbc_decrypt): Use bit-level operations instead of
	division to get number of blocks and check input length against
	blocksize.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-cmac.c (_gcry_cmac_write): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_crypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Ditto.

	Fix CBC-CTS+CBC-MAC flag check.
	+ commit a69021535b472556651eb2bab65666206c56c24b
	* cipher/cipher.c (_gcry_cipher_open_internal): Check flags separately
	instead of AND masking two flags to zero.

	tests/basic: silence GCC-8 warning.
	+ commit 2a94bdfc0538a340a24c1a7b524bb0c5f606457c
	* tests/basic.c (check_ofb_cipher, check_stream_cipher): Change
	tv[].data[].inlen type from signed to unsigned integer.

2018-06-19  Will Dietz  <w@wdtz.org>

	random: Fix hang of _gcry_rndjent_get_version.
	+ commit 355f5b7f69075c010fe33aa5b10ac60c08fae0c7
	* random/rndjent.c (_gcry_rndjent_get_version): Move locking.

2018-06-13  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add blinding for ECDSA.
	+ commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
	randomized nonce B.

2018-06-06  Werner Koch  <wk@gnupg.org>

	ecc: Improve gcry_mpi_ec_curve_point.
	+ commit 7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Check range of coordinates.
	* tests/t-mpi-point.c (point_on_curve): New.

2018-06-05  Werner Koch  <wk@gnupg.org>

	mpi: New internal function _gcry_mpi_cmpabs.
	+ commit 6606ae44e0de1069b29dd4215ee9748280940e1b
	* mpi/mpi-cmp.c (_gcry_mpi_cmp): Factor out to ...
	(do_mpi_cmp): New.  Add arg absmode.
	(_gcry_mpi_cmpabs): New.
	* src/gcrypt-int.h (mpi_cmpabs): New macro.

2018-04-29  Werner Koch  <wk@gnupg.org>

	build: Convince gcc not to delete NULL ptr checks.
	+ commit 61dbb7c08ab11c10060e193b52e3e1d2ec6dd062
	* configure.ac: Try to use -fno-delete-null-pointer-checks.

2018-04-28  Werner Koch  <wk@gnupg.org>

	prime: Avoid rare assertion failure in gcry_prime_check.
	+ commit f3362f10f6f671246c38115ed12b0047966c200e
	* cipher/primegen.c (is_prime): Don't fail on the assert X > 1.

2018-04-17  Werner Koch  <wk@gnupg.org>

	mpi: Fix for buidling for MIPS64 with Clang.
	+ commit e7ae0ae243c8978a67c802169183187d88557be8
	* mpi/longlong.h [MIPS64][__clang__]: Use the C version like we
	already do for 32 bit MIPS.

2018-04-11  NIIBE Yutaka  <gniibe@fsij.org>

	hmac: Use xtrymalloc.
	+ commit 3e3b520fb32a37c5c23762531a7b3168e112ac36
	* src/hmac256.c (_gcry_hmac256_new): Use xtrymalloc.
	(_gcry_hmac256_file): Likewise.

2018-04-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	basic_all_hwfeature_combinations.sh: use $njobs to limit parallel tasks.
	+ commit 5e01705ca90830c27a4cbd8bad41243915f4538a
	* tests/basic_all_hwfeature_combinations.sh: Use $njobs to limit
	parallel tasks instead of fixed number "8".

	Faster look-up for spec by algo for digests, ciphers and MAC.
	+ commit 634a85412a4073aa1890589ce5e97eac7b0f3ca3
	* cipher/cipher.c (cipher_list_algo0, cipher_list_algo301): New cipher
	spec lists with same order and spacing as 'gcry_cipher_algos'
	enumeration.
	(spec_from_algo): Use new spec lists for faster look-up.
	* cipher/mac.c (mac_list_algo101, mac_list_algo201, mac_list_algo401)
	(mac_list_algo501): New MAC spec lists with same order and spacing as
	'gcry_mac_algos' enumeration.
	(spec_from_algo): Use new spec lists for faster look-up.
	* cipher/md.c (digest_list_algo0, digest_list_algo301): New digest
	spec lists with same order and spacing as 'gcry_md_algos'
	enumeration.
	(spec_from_algo): Use new spec lists for faster look-up.

	Fix building with BLAKE2 disabled.
	+ commit 35b59d0ea52e8a1c30c43554dc4dbca97da4bf87
	* cipher/md.c (md_setkey): Enclose Blake2 part with USE_BLAKE2.

	Add missing BLAKE2, SM3 and GOSTR3411_CP to MAC-HMAC interface.
	+ commit 52e52eb0e3e5541cfc86e04c5047500db5d538b7
	* cipher/mac-hmac.c (map_mac_algo_to_md): Add GOSTR3411_CP, BLAKE2 and
	SM3.
	(_gcry_mac_type_spec_hmac_gost3411_cp)
	(_gcry_mac_type_spec_hmac_blake2b_512)
	(_gcry_mac_type_spec_hmac_blake2b_384)
	(_gcry_mac_type_spec_hmac_blake2b_256)
	(_gcry_mac_type_spec_hmac_blake2b_160)
	(_gcry_mac_type_spec_hmac_blake2s_256)
	(_gcry_mac_type_spec_hmac_blake2s_224)
	(_gcry_mac_type_spec_hmac_blake2s_160)
	(_gcry_mac_type_spec_hmac_blake2s_128)
	(_gcry_mac_type_spec_hmac_sm3): New.
	* cipher/mac-internal.h (_gcry_mac_type_spec_hmac_gost3411_cp)
	(_gcry_mac_type_spec_hmac_blake2b_512)
	(_gcry_mac_type_spec_hmac_blake2b_384)
	(_gcry_mac_type_spec_hmac_blake2b_256)
	(_gcry_mac_type_spec_hmac_blake2b_160)
	(_gcry_mac_type_spec_hmac_blake2s_256)
	(_gcry_mac_type_spec_hmac_blake2s_224)
	(_gcry_mac_type_spec_hmac_blake2s_160)
	(_gcry_mac_type_spec_hmac_blake2s_128)
	(_gcry_mac_type_spec_hmac_sm3): New.
	* cipher/mac.c (mac_list): Add GOSTR3411_CP, BLAKE2 and SM3.
	* src/gcrypt.h.in (GCRY_MAC_HMAC_GOSTR3411_CP)
	(GCRY_MAC_HMAC_BLAKE2B_512, GCRY_MAC_HMAC_BLAKE2B_384)
	(GCRY_MAC_HMAC_BLAKE2B_256, GCRY_MAC_HMAC_BLAKE2B_160)
	(GCRY_MAC_HMAC_BLAKE2S_256, GCRY_MAC_HMAC_BLAKE2S_224)
	(GCRY_MAC_HMAC_BLAKE2S_160, GCRY_MAC_HMAC_BLAKE2S_128)
	(GCRY_MAC_HMAC_SM3): New.

2018-04-10  NIIBE Yutaka  <gniibe@fsij.org>

	random: Protect another use of jent_rng_collector.
	+ commit 0de2a22fcf6607d0aecb550feefa414cee3731b2
	* random/rndjent.c (_gcry_rndjent_get_version): Lock the access.

2018-03-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aarch64/assembly: only use the lower 32 bit of an int parameters.
	+ commit 9b58e4a03ba3aeff7bae3f40da706977870c9649
	* cipher/camellia-aarch64.S (_gcry_camellia_arm_encrypt_block)
	(__gcry_camellia_arm_decrypt_block): Make comment section about input
	registers match usage.
	* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_ocb_auth_armv8_ce): Use
	'w12' and 'w7' instead of 'x12' and 'x7'.
	(_gcry_aes_xts_enc_armv8_ce, _gcry_aes_xts_dec_armv8_ce): Fix function
	prototype in comments.
	* mpi/aarch64/mpih-add1.S: Use 32-bit registers for 32-bit mpi_size_t
	parameters.
	* mpi/aarch64/mpih-mul1.S: Ditto.
	* mpi/aarch64/mpih-mul2.S: Ditto.
	* mpi/aarch64/mpih-mul3.S: Ditto.
	* mpi/aarch64/mpih-sub1.S: Ditto.

	poly1305: silence compiler warning on clang/aarch64.
	+ commit 8cdb010f04528703a502344e00d52447de12547d
	* cipher/poly1305.c (MUL_MOD_1305_64): cast zero constant to 64-bits.

2018-03-28  Martin Storsjö  <martin@martin.st>

	aarch64: Enable building the aarch64 cipher assembly for windows.
	+ commit 0de2191a07d69ef1fa34ca4c5d5fc4985ff7b4c4
	* cipher/asm-common-aarch64.h: New.
	* cipher/camellia-aarch64.S: Use ELF macro, use x19 instead of x18.
	* cipher/chacha20-aarch64.S: Use ELF macro, don't use GOT on windows.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Use ELF macro.
	* cipher/rijndael-aarch64.S: Use ELF macro.
	* cipher/rijndael-armv8-aarch64-ce.S: Use ELF macro.
	* cipher/sha1-armv8-aarch64-ce.S: Use ELF macro.
	* cipher/sha256-armv8-aarch64-ce.S: Use ELF macro.
	* cipher/twofish-aarch64.S: Use ELF macro.
	* configure.ac: Don't require .size and .type in aarch64 assembly check.

	aarch64: camellia: Only use the lower 32 bit of an int parameter.
	+ commit 4e1b628f492643d4e9b830bcdab7b49daaec5854
	* cipher/camellia-aarch64.S: Use 'w3' instead of 'x3'.

	aarch64: Fix assembling chacha20-aarch64.S with clang/llvm.
	+ commit 36e916fc332eda74963192b1c0bf6860a3e5d67b
	* cipher/chacha20-aarch64.S: Remove superfluous lane counts.

	aarch64: mpi: Fix building the mpi aarch64 assembly for windows.
	+ commit ec0a2f25c0f64a7b65b373508ce9081e10461965
	* mpi/aarch64/mpih-add1.S: Use ELF macro.
	* mpi/aarch64/mpih-mul1.S: Use ELF macro.
	* mpi/aarch64/mpih-mul2.S: Use ELF macro.
	* mpi/aarch64/mpih-mul3.S: Use ELF macro.
	* mpi/aarch64/mpih-sub1.S: Use ELF macro.
	* mpi/asm-common-aarch64.h: New.

	random: Don't assume that _WIN64 implies x86_64.
	+ commit ed41d6d6fb4551342b22ef763de1bd60e964e186
	* random/rndw32.c: Change _WIN64 ifdef into __x86_64__.

2018-03-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests/aeswrap: add in-place encryption/decryption testing.
	+ commit 885f031fbd17abc1c0fedbb98df22823b647fc11
	* tests/aeswrap.c (check): Rename to...
	(check_one): ...this and add in-place testing.
	(check): New.

2018-03-22  Stephan Mueller  <smueller@chronox.de>

	AES-KW: fix in-place encryption.
	+ commit 330ec66e0babdabb658dc7d6db78f37b2a1b996e
	* cipher/cipher-aeswrap.c: move memmove call before KW IV setting

2018-03-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: add CPU frequency auto-detection.
	+ commit 617f5e746f8295cc36d1002c8c53edc95d04d0f6
	* tests/bench-slope.c (bench_obj): Add 'hd'.
	(bench_encrypt_init, bench_encrypt_free, bench_encrypt_do_bench)
	(bench_decrypt_do_bench, bench_xts_encrypt_init)
	(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
	(bench_ccm_encrypt_init, bench_ccm_encrypt_do_bench)
	(bench_ccm_decrypt_do_bench, bench_aead_encrypt_init)
	(bench_aead_encrypt_do_bench, bench_aead_decrypt_do_bench)
	(bench_hash_init, bench_hash_free, bench_hash_do_bench)
	(bench_mac_init, bench_mac_free, bench_mac_do_bench): Use 'obj->hd'
	for storing pointer to crypto context.
	(auto_ghz): New.
	(do_slope_benchmark): Rename to...
	(slope_benchmark): ...this.
	(auto_ghz_init, auto_ghz_free, auto_ghz_bench, auto_ghz_detect_ops)
	(get_auto_ghz, do_slope_benchmark): New.
	(double_to_str): Round number larger than 1000 to integer.
	(bench_print_result_csv, bench_print_result_std)
	(bench_print_result, bench_print_header, cipher_bench_one)
	(hash_bench_one, mac_bench_one, kdf_bench_one, kdf_bench): Add
	auto-detected frequency printing.
	(print_help): Help for CPU speed auto-detection mode.
	(main): Add parsing for "--cpu-mhz auto".

	_gcry_burn_stack: use memset for clearing memory.
	+ commit 3841b23c0ccb24d555b7570083bba958e3126d26
	* src/misc.c (__gcry_burn_stack) [HAVE_VLA]: Use 'memset' for clearing
	stack.

	Improve constant-time buffer compare.
	+ commit a1127dbbada4302abf09eec90fbaceca87bfcdf0
	* cipher/bufhelp.h (buf_eq_const): Rewrite logic.

2018-02-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel SHA Extensions accelerated SHA256 implementation.
	+ commit 0b3ec359e2279c3b46b171372b1b7733bba20cd7
	* cipher/Makefile.am: Add 'sha256-intel-shaext.c'.
	* cipher/sha256-intel-shaext.c: New.
	* cipher/sha256.c (USE_SHAEXT)
	(_gcry_sha256_transform_intel_shaext): New.
	(SHA256_CONTEXT): Add 'use_shaext'.
	(sha256_init, sha224_init) [USE_SHAEXT]: Use shaext if supported.
	(transform) [USE_SHAEXT]: Use shaext if enabled.
	(transform): Only add ASM_EXTRA_STACK if returned burn length is not
	zero.
	* configure.ac: Add 'sha256-intel-shaext.lo'.

	Add Intel SHA Extensions accelerated SHA1 implementation.
	+ commit d02958bd300d2c80bc92b1e072103e95e256b297
	* cipher/Makefile.am: Add 'sha1-intel-shaext.c'.
	* cipher/sha1-intel-shaext.c: New.
	* cipher/sha1.c (USE_SHAEXT, _gcry_sha1_transform_intel_shaext): New.
	(sha1_init) [USE_SHAEXT]: Use shaext implementation is supported.
	(transform) [USE_SHAEXT]: Use shaext if enabled.
	(transform): Only add ASM_EXTRA_STACK if returned burn length is not
	zero.
	* cipher/sha1.h (SHA1_CONTEXT): Add 'use_shaext'.
	* configure.ac: Add 'sha1-intel-shaext.lo'.
	(shaextsupport, gcry_cv_gcc_inline_asm_shaext): New.
	* src/g10lib.h: Add HWF_INTEL_SHAEXT and reorder HWF flags.
	* src/hwf-x86.c (detect_x86_gnuc): Detect SHA Extensions.
	* src/hwfeatures.c (hwflist): Add 'intel-shaext'.

	AVX implementation of BLAKE2s.
	+ commit da58a62ac1b7a8d97b0895dcb41d15af531e45e5
	* cipher/Makefile.am: Add 'blake2s-amd64-avx.S'.
	* cipher/blake2.c (USE_AVX, _gry_blake2s_transform_amd64_avx): New.
	(BLAKE2S_CONTEXT) [USE_AVX]: Add 'use_avx'.
	(blake2s_transform): Rename to ...
	(blake2s_transform_generic): ... this.
	(blake2s_transform): New.
	(blake2s_final): Pass 'ctx' pointer to transform function instead of
	'S'.
	(blake2s_init_ctx): Check HW features and enable AVX implementation
	if supported.
	* cipher/blake2s-amd64-avx.S: New.
	* configure.ac: Add 'blake2s-amd64-avx.lo'.

2018-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	AVX2 implementation of BLAKE2b.
	+ commit af7fc732f9a7af7a70276f1e8364d2132db314f1
	* cipher/Makefile.am: Add 'blake2b-amd64-avx2.S'.
	* cipher/blake2.c (USE_AVX2, ASM_FUNC_ABI, ASM_EXTRA_STACK)
	(_gry_blake2b_transform_amd64_avx2): New.
	(BLAKE2B_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
	(blake2b_transform): Rename to ...
	(blake2b_transform_generic): ... this.
	(blake2b_transform): New.
	(blake2b_final): Pass 'ctx' pointer to transform function instead of
	'S'.
	(blake2b_init_ctx): Check HW features and enable AVX2 implementation
	if supported.
	* cipher/blake2b-amd64-avx2.S: New.
	* configure.ac: Add 'blake2b-amd64-avx2.lo'.

2018-01-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix incorrect counter overflow handling for GCM.
	+ commit ffdc6f3623a0bcb41324d562340b2cd1c288e387
	* cipher/cipher-gcm.c (gcm_ctr_encrypt): New function to handle
	32-bit CTR increment for GCM.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Do not use
	generic CTR implementation directly, use gcm_ctr_encrypt instead.
	* tests/basic.c (_check_gcm_cipher): Add test-vectors for 32-bit
	CTR overflow.
	(check_gcm_cipher): Add 'split input to 15 bytes and 17 bytes'
	test-runs.

2018-01-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix use of AVX instructions in Chaha20 SSSE3 implementation.
	+ commit 0b55f349a8b8f4b0ac9ed724c2d5b8dcc9f5401c
	* cipher/chacha20-amd64-ssse3.S: Replace two 'vmovdqa' instructions
	with 'movdqa'.

2018-01-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: fix double "See" in front of reference.
	+ commit bd75f0e89817b5708c57efab49e3eb4e035186e2
	* doc/gcrypt.texi: Change @xref to @ref when text already has 'see' in
	the front.

	Add EAX mode.
	+ commit e8629e535bd0e9711b07904d4501de8ad57aaecd
	* cipher/Makefile.am: Add 'cipher-eax.c'.
	* cipher/cipher-cmac.c (cmac_write): Rename to ...
	(_gcry_cmac_write): ... this; Take CMAC context as new input
	parameter; Return error code.
	(cmac_generate_subkeys): Rename to ...
	(_gcry_cmac_generate_subkeys): ... this; Take CMAC context as new
	input parameter; Return error code.
	(cmac_final): Rename to ...
	(_gcry_cmac_final): ... this; Take CMAC context as new input
	parameter; Return error code.
	(cmac_tag): Take CMAC context as new input parameter.
	(_gcry_cmac_reset): New.
	(_gcry_cipher_cmac_authenticate): Remove duplicate tag flag check;
	Adapt to changes above.
	(_gcry_cipher_cmac_get_tag): Adapt to changes above.
	(_gcry_cipher_cmac_check_tag): Ditto.
	(_gcry_cipher_cmac_set_subkeys): Ditto.
	* cipher-eax.c: New.
	* cipher-internal.h (gcry_cmac_context_t): New.
	(gcry_cipher_handle): Update u_mode.cmac; Add u_mode.eax.
	(_gcry_cmac_write, _gcry_cmac_generate_subkeys, _gcry_cmac_final)
	(_gcry_cmac_reset, _gcry_cipher_eax_encrypt, _gcry_cipher_eax_decrypt)
	(_gcry_cipher_eax_set_nonce, _gcry_cipher_eax_authenticate)
	(_gcry_cipher_eax_get_tag, _gcry_cipher_eax_check_tag)
	(_gcry_cipher_eax_setkey): New prototypes.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag, _gcry_cipher_checktag)
	(_gcry_cipher_info): Add EAX mode.
	* doc/gcrypt.texi: Add EAX mode.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_EAX): New.
	* tests/basic.c (_check_gcm_cipher, _check_poly1305_cipher): Constify
	test vectors array.
	(_check_eax_cipher, check_eax_cipher): New.
	(check_ciphers, check_cipher_modes): Add EAX mode.
	* tests/bench-slope.c (bench_eax_encrypt_do_bench)
	(bench_eax_decrypt_do_bench, bench_eax_authenticate_do_bench)
	(eax_encrypt_ops, eax_decrypt_ops, eax_authenticate_ops): New.
	(cipher_modes): Add EAX mode.
	* tests/benchmark.c (cipher_bench): Add EAX mode.

	cipher: constify spec arrays.
	+ commit cd7ed2e3546b12dd98df4211949f1cdbf5827013
	* cipher/cipher.c (cipher_list): Constify array.
	* cipher/mac.c (mac_list): Constify array.
	* cipher/md.c (digest_list): Constify array.
	* cipher/pubkey.c (pubkey_list): Constify array.

	Add ARMv8/CE acceleration for AES-XTS.
	+ commit 93503c127a52c1f6a193750e2bf181a744ba3e6b
	* cipher/rijndael-armv8-aarch32-ce.S (_gcry_aes_xts_enc_armv8_ce)
	(_gcry_aes_xts_dec_armv8_ce): New.
	* cipher/rijndael-armv8-aarch64-ce.S (_gcry_aes_xts_enc_armv8_ce)
	(_gcry_aes_xts_dec_armv8_ce): New.
	* cipher/rijndael-armv8-ce.c (_gcry_aes_xts_enc_armv8_ce)
	(_gcry_aes_xts_dec_armv8_ce, xts_crypt_fn_t)
	(_gcry_aes_armv8_ce_xts_crypt): New.
	* cipher/rijndael.c (_gcry_aes_armv8_ce_xts_crypt): New.
	(_gcry_aes_xts_crypt) [USE_ARM_CE]: New.

2018-01-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ssse3: call assembly functions directly.
	+ commit c3d60acc3ab5c6d60c2258882175bf31351cc998
	* cipher/rijndael-ssse3-amd64-asm.S (_gcry_aes_ssse3_enc_preload)
	(_gcry_aes_ssse3_dec_preload, _gcry_aes_ssse3_encrypt_core)
	(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add
	ENTER_SYSV_FUNC_PARAMS_* at function entry and EXIT_SYSV_FUNC at exit.
	(_gcry_aes_ssse3_encrypt_core, _gcry_aes_ssse3_decrypt_core): Change
	to input parameters to RDI and RSI registers.
	* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_encrypt_core)
	(_gcry_aes_ssse3_decrypt_core, _gcry_aes_schedule_core): Add parameters
	for function prototypes.
	(PUSH_STACK_PTR, POP_STACK_PTR): Remove.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Remove inline assembly to
	call functions, and call directly instead.

	Move AMD64 MS to SysV calling convention conversion to assembly side.
	+ commit a518b6680ea80a4325731028545a701c1d71fc02
	* cipher/Makefile.am: Add 'asm-common-amd64.h'.
	* cipher/asm-common-amd64.h: New.
	* cipher/blowfish-amd64.S: Add ENTER_SYSV_FUNC_* and EXIT_SYSV_FUNC for
	each global function from 'asm-common-amd64.h'.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/des-amd64.S: Ditto.
	* cipher/rijndael-amd64.S: Ditto.
	* cipher/twofish-amd64.S: Ditto.
	* cipher/arcfour-amd64.S: Ditto.
	* cipher/blowfish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(call_sysv_fn): Remove.
	* cipher/cast5.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(call_sysv_fn): Remove.
	* cipher/twofish.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(call_sysv_fn, call_sysv_fn5, call_sysv_fn6): Remove.
	* cipher/rijndael.c (do_encrypt, do_decrypt)
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Remove assembly block for
	calling SysV ABI function.
	* cipher/arcfour.c [USE_AMD64_ASM] (encrypt_stream): Ditto.

	Make BMI2 inline assembly check more robust.
	+ commit 135250e3060e79be698d4f36a819aa8a880789f8
	* configure.ac (gcry_cv_gcc_inline_asm_bmi2): New assembly test.

	Add AES-NI acceleration for AES-XTS.
	+ commit a00c5b2988cea256c7823a76ce601febf02c790f
	* cipher/cipher-internal.h (gcry_cipher_handle): Change bulk
	XTS function to take cipher context.
	* cipher/cipher-xts.c (_gcry_cipher_xts_crypt): Ditto.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup AES-NI
	XTS bulk function.
	* cipher/rijndael-aesni.c (xts_gfmul_const, _gcry_aes_aesni_xts_enc)
	(_gcry_aes_aesni_xts_enc, _gcry_aes_aesni_xts_crypt): New.
	* cipher/rijndael.c (_gcry_aes_aesni_xts_crypt)
	(_gcry_aes_xts_crypt): New.
	* src/cipher.h (_gcry_aes_xts_crypt): New.

	AES-NI improvements for AMD64.
	+ commit c9e9cb2eb6a1c659d3825ca627228b732f2f2152
	* cipher/rijndael-aesni.c [__x86_64__] (aesni_prepare_7_15_variable)
	(aesni_prepare_7_15, aesni_cleanup_7_15, do_aesni_enc_vec8)
	(do_aesni_dec_vec8, do_aesni_ctr_8): New.
	(_gcry_aes_aesni_ctr_enc, _gcry_aes_aesni_cfb_dec)
	(_gcry_aes_aesni_cbc_dec, aesni_ocb_enc, aesni_ocb_dec)
	(_gcry_aes_aesni_ocb_auth) [__x86_64__]: Add 8 parallel blocks
	processing.

	Add ARMv8/AArch64 implementation of chacha20.
	+ commit b3ec0f752c925cde36f560f0f9309ab6450bbfd9
	* cipher/Makefile.am: Add 'chacha20-aarch64.S'.
	* cipher/chacha20-aarch64.S: New.
	* cipher/chacha20.c (USE_AARCH64_SIMD): New.
	(_gcry_chacha20_aarch_blocks4): New.
	(chacha20_do_setkey): Add HWF selection for Aarch64 implementation.
	* configure.ac: Add 'chacha20-aarch64.lo'.

	New ChaCha implementations.
	+ commit 172ad09cbedc893f147180875335f4c525393c0b
	* cipher/Makefile.am: Remove 'chacha20-sse2-amd64.S',
	'chacha20-ssse3-amd64.S', 'chacha20-avx2-amd64.S'; Add
	'chacha20-amd64-ssse3.S', 'chacha20-amd64-avx2.S'.
	* cipher/chacha20-amd64-avx2.S: New.
	* cipher/chacha20-amd64-ssse3.S: New.
	* cipher/chacha20-armv7-neon.S: Rewrite.
	* cipher/chacha20-avx2-amd64.S: Remove.
	* cipher/chacha20-sse2-amd64.S: Remove.
	* cipher/chacha20-ssse3-amd64.S: Remove.
	* cipher/chacha20.c (CHACHA20_INPUT_LENGTH, USE_SSE2, USE_NEON)
	(ASM_EXTRA_STACK, chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
	(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
	(_gcry_chacha20_armv7_neon_blocks, QROUND, QOUT, chacha20_core)
	(chacha20_do_encrypt_stream): Remove.
	(_gcry_chacha20_amd64_ssse3_blocks4, _gcry_chacha20_amd64_avx2_blocks8)
	(_gcry_chacha20_armv7_neon_blocks4, ROTATE, XOR, PLUS, PLUSONE)
	(QUARTERROUND, BUF_XOR_LE32): New.
	(CHACHA20_context_s, chacha20_blocks, chacha20_keysetup)
	(chacha20_encrypt_stream): Rewrite.
	(chacha20_do_setkey): Adjust for new CHACHA20_context_s.
	* configure.ac: Remove 'chacha20-sse2-amd64.lo',
	'chacha20-ssse3-amd64.lo', 'chacha20-avx2-amd64.lo'; Add
	'chacha20-amd64-ssse3.lo', 'chacha20-amd64-avx2.lo'.

	New Poly1305 implementations.
	+ commit b9a471ccf5f02f89e25c7ccc29898d0e4e486099
	* cipher/Makefile.am: Include '../mpi' for 'longlong.h'; Remove
	'poly1305-sse2-amd64.S', 'poly1305-avx2-amd64.S' and
	'poly1305-armv7-neon.S'.
	* cipher/poly1305-armv7-neon.S: Remove.
	* cipher/poly1305-avx2-amd64.S: Remove.
	* cipher/poly1305-sse2-amd64.S: Remove.
	* cipher/poly1305-internal.h (POLY1305_BLOCKSIZE)
	(POLY1305_STATE): New.
	(POLY1305_SYSV_FUNC_ABI, POLY1305_REF_BLOCKSIZE)
	(POLY1305_REF_STATESIZE, POLY1305_REF_ALIGNMENT)
	(POLY1305_USE_SSE2, POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
	(POLY1305_SSE2_ALIGNMENT, POLY1305_USE_AVX2, POLY1305_AVX2_BLOCKSIZE)
	(POLY1305_AVX2_STATESIZE, POLY1305_AVX2_ALIGNMENT)
	(POLY1305_USE_NEON, POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
	(POLY1305_NEON_ALIGNMENT, POLY1305_LARGEST_BLOCKSIZE)
	(POLY1305_LARGEST_STATESIZE, POLY1305_LARGEST_ALIGNMENT)
	(POLY1305_STATE_BLOCKSIZE, POLY1305_STATE_STATESIZE)
	(POLY1305_STATE_ALIGNMENT, OPS_FUNC_ABI, poly1305_key_s)
	(poly1305_ops_s): Remove.
	(poly1305_context_s): Rewrite.
	* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
	(_gcry_poly1305_amd64_sse2_finish_ext)
	(_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops)
	(poly1305_init_ext_ref32, poly1305_blocks_ref32)
	(poly1305_finish_ext_ref32, poly1305_default_ops)
	(_gcry_poly1305_amd64_avx2_init_ext)
	(_gcry_poly1305_amd64_avx2_finish_ext)
	(_gcry_poly1305_amd64_avx2_blocks)
	(poly1305_amd64_avx2_ops, poly1305_get_state): Remove.
	(poly1305_init): Rewrite.
	(USE_MPI_64BIT, USE_MPI_32BIT): New.
	[USE_MPI_64BIT] (ADD_1305_64, MUL_MOD_1305_64, poly1305_blocks)
	(poly1305_final): New implementation using 64-bit limbs.
	[USE_MPI_32BIT] (UMUL_ADD_32, ADD_1305_32, MUL_MOD_1305_32)
	(poly1305_blocks): New implementation using 32-bit limbs.
	(_gcry_poly1305_update, _gcry_poly1305_finish)
	(_gcry_poly1305_init): Adapt to new implementation.
	* configure.ac: Remove 'poly1305-sse2-amd64.lo',
	'poly1305-avx2-amd64.lo' and 'poly1305-armv7-neon.lo'.

	mpi/ec: fix when 'unsigned long' is 32-bit but limb size is 64-bit.
	+ commit d39deb0a41dbeec81174704904d3d29c66d10d7e
	* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Cast '1' to
	mpi_limb_t before left shift.

2017-11-24  Werner Koch  <wk@gnupg.org>

	sexp: Avoid a fatal error in case of ENOMEM in called functions.
	+ commit 2ad912d5b7794fb32192fddab1b559c7b86303a2
	* src/sexp.c (do_vsexp_sscan): Replace BUG() by a proper error
	return.  Replace sprintf by snprintf.
	(convert_to_hex): Replace sprintf by snprintf.
	(convert_to_string): Ditto.
	(_gcry_sexp_sprint): Ditto.

	api: Add GCRYCTL_AUTO_EXPAND_SECMEM.
	+ commit 1f6b2f6099ebcfd785e2d2ae0aeca810394dbbac
	* src/gcrypt.h.in (GCRYCTL_AUTO_EXPAND_SECMEM): New enum.
	* src/global.c (_gcry_vcontrol): Implement that.
	* src/secmem.c (auto_expand): New var.
	(_gcry_secmem_set_auto_expand): New.
	(_gcry_secmem_malloc_internal): Act upon AUTO_EXPAND.

2017-11-14  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add HAVE_MMAP check for MinGW.
	+ commit c594f187bd457b757112adc551ffa4db92962dc1
	* tests/t-secmem.c (main): Conditionalize with HAVE_MMAP.

2017-11-09  NIIBE Yutaka  <gniibe@fsij.org>

	Fix secmem test for machine with larger page.
	+ commit 621f5c4e837347308a6b06a8cfbfc47ca9fae69e
	* tests/t-secmem.c (main): Detect page size and setup chunk size.
	* src/secmem.c (init_pool): Simplify the expression.

2017-10-25  NIIBE Yutaka  <gniibe@fsij.org>

	Add OID information for SM3.
	+ commit 94b84360ca55c407222a3eb8222d8b1816fc617f
	* cipher/sm3.c (asn_sm3, oid_spec_sm3): New.
	(_gcry_digest_spec_sm3): Add asn_sm3, oid_spec_sm3.

2017-10-24  Jia Zhang  <qianyue.zj@alibaba-inc.com>

	Add crypto hash SM3.
	+ commit 4423bf3cc4432b9bfe801ff74cb05e6f0dd3eccd
	* configure.ac (available_digests): Add sm3.
	* src/cipher.h: Add declarations for SM3.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm3.c.
	* cipher/md.c [USE_SM3] (digest_list): Add _gcry_digest_spec_sm3.
	* cipher/pubkey-util.c (hashnames): Add "sm3".
	* cipher/sm3.c: New.
	* tests/basic.c (check_digests): Add test vectors for SM3.
	* tests/hashtest-256g.in (algos): Add SM3.
	* tests/hashtest.c (testvectors): Add for SM3.

2017-10-24  NIIBE Yutaka  <gniibe@fsij.org>

	Add new constant GCRY_MD_SM3 for crypto hash SM3.
	+ commit 5b31e22d9fc542bdccb1586ef2c83d9794a731d3
	* src/gcrypt.h.in (GCRY_MD_SM3): New.

2017-10-17  Werner Koch  <wk@gnupg.org>

	api: New function gcry_mpi_get_ui.
	+ commit c6e42e7ec3d1046969d783c443c13aad7cb61bb8
	* src/gcrypt.h.in (gcry_mpi_get_ui): New.
	(mpi_get_ui): New macro.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
	* src/visibility.c (gcry_mpi_get_ui): New.
	* src/visibility.h: Mark that function.
	(gcry_mpi_get_ui): New.
	* mpi/mpiutil.c (MY_UINT_MAX): New macro.
	(_gcry_mpi_get_ui): Re-implemented.  This function existed but was
	never imported or used.
	* tests/mpitests.c (test_maxsize): Add some test for this function.

2017-08-29  NIIBE Yutaka  <gniibe@fsij.org>

	Tweak GCC version check.
	+ commit e4dc458b0b7dc9b8417a2177ef17822d9b9064ec
	* src/global.c (_gcry_vcontrol): It's GCC 4.2 which started to support
	diagnostic pragma.

	random: Fix warnings on Windows.
	+ commit 8126a6717c80d4fc1766d7f975e872bee2f9f203
	* random/random-csprng.c (lock_seed_file): Vars with no use.

	tests: Fix warnings on Windows.
	+ commit a848ef44470a524c05624afb54b92cf25595acd2
	* tests/fipsdrv.c (print_dsa_domain_parameters, print_ecdsa_dq): Fix.

	ecc: Fix scratch MPI.
	+ commit db3a8d6890fb4a6436e082b49378c0bd891563ca
	* mpi/ec.c (ec_p_init): Check if scratch MPI is allocated.

	ecc: Fix ec_mulm_25519.
	+ commit 1d5f726668b9cc32d6bb601f2329987058146c6c
	* mpi/ec.c (ec_mulm_25519): Improve reduction to 25519.

	ecc: Use 25519 method also for ed25519.
	+ commit fab712d654b2ccd24696ed90bc239860a128ad5b
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Don't use mpi_add
	since it resizes to have more limbs.
	* mpi/ec.c (point_resize): Fix for Edwards curve.
	(ec_p_init): Support Edwards curve.
	(_gcry_mpi_ec_get_affine): Use the methods.
	(dup_point_edwards, add_points_edwards, sub_points_edwards): Ditto.
	(_gcry_mpi_ec_mul_point): Resize MPIs of point to fixed size.
	(_gcry_mpi_ec_curve_point): Use the methods.

	ecc: Clean up curve specific method support.
	+ commit 1ac3d3637dd80013b78e03b9b9f582091710d908
	* src/ec-context.h (struct mpi_ec_ctx_s): Remove MOD method.
	* mpi/ec.c (ec_mod_25519): Remove.
	(ec_p_init): Follow the removal of the MOD method.

	ecc: Relax condition for 25519 computations.
	+ commit e9be23c4ad9f42c9d3198c706f912b7e27f574bc
	* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519): Check number
	of limbs, allocated more is OK.

	ecc: Fix ec_mulm_25519.
	+ commit 449459a2770d3aecb1f36502bf1903e0cbd2873e
	* mpi/ec.c (ec_mulm_25519): Fix the cases of 0 to 18.

	ecc: field specific routines for 25519.
	+ commit 9ed0fb37bd637d1a2e9498c24097cfeadec682ec
	* mpi/ec.c (point_resize): Improve for X25519.
	(mpih_set_cond): New.
	(ec_mod_25519, ec_addm_25519, ec_subm_25519, ec_mulm_25519)
	(ec_mul2_25519, ec_pow2_25519): New.
	(ec_p_init): Fill by FIELD_TABLE.

	ecc: Add field specific computation methods.
	+ commit d4cd381defe5b37dda19bbda0986bdd38065bd31
	* src/ec-context.h (struct mpi_ec_ctx_s): Add methods.
	* mpi/ec.c (ec_p_init): Initialize the default methods.
	(montgomery_ladder): Use the methods.

2017-08-27  Werner Koch  <wk@gnupg.org>

	Release 1.8.1.
	+ commit 80fd8615048c3897b91a315cca22ab139b056ccd
	* configure.ac: Set LT version to C22/A2/R1.

2017-08-27  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add input validation for X25519.
	+ commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
	* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
	* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
	(_gcry_mpi_ec_bad_point): New.

2017-08-07  Marcus Brinkmann  <marcus.brinkmann@ruhr-uni-bochum.de>

	cipher: Add OID for SHA384WithECDSA.
	+ commit a7bd2cbd3eabda88fb3cac5cbc13c21c97a7b315
	* cipher/sha512.c (oid_spec_sha384): Add SHA384WithECDSA.

2017-08-02  Werner Koch  <wk@gnupg.org>

	tests: Fix a printf glitch for a Windows test.
	+ commit df1e221b3012e96bbffbc7d5fd70836a9ae1cc19
	* tests/t-convert.c (check_formats): Fix print format glitch on
	Windows.
	* tests/t-ed25519.c: Typo fix.

	tests: Add benchmarking option to tests/random.
	+ commit 21d0f068a721c022f955084c28304934fd198c5e
	* tests/random.c: Always include unistd.h.
	(prepend_srcdir): New.
	(run_benchmark): New.
	(main): Add options --benchmark and --with-seed-file.  Print whetehr
	JENT has been used.
	* tests/t-common.h (split_fields_colon): New. Taken from GnuPG.
	License of that code changed to LGPLv2.1.

	random: Add more bytes to the pool in addition to the seed file.
	+ commit eea36574f37830a6a80b4fad884825e815b2912f
	* random/random-csprng.c (read_seed_file): Read 128 or 32 butes
	depending on whether we have the Jitter RNG.

2017-08-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add script to run basic tests with all supported HWF combinations.
	+ commit 94a92a3db909aef0ebcc009c2d7f5a2663e99004
	* tests/basic_all_hwfeature_combinations.sh: New.
	* tests/Makefile.am: Add basic_all_hwfeature_combinations.sh.

2017-07-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix return value type for _gcry_md_extract.
	+ commit cf1528e7f2761774d06ace0de48f39c96b52dc4f
	* src/gcrypt-int.h (_gcry_md_extract): Use gpg_err_code_t instead of
	gpg_error_t for internal function return type.

	Fix building AArch32 CE implementations when target is ARMv6 arch.
	+ commit 4a7aa30ae9f3ce798dd886c2f2d4164c43027748
	* cipher/cipher-gcm-armv8-aarch32-ce.S: Select ARMv8 architecure.
	* cipher/rijndael-armv8-aarch32-ce.S: Ditto.
	* cipher/sha1-armv8-aarch32-ce.S: Ditto.
	* cipher/sha256-armv8-aarch32-ce.S: Ditto.
	* configure.ac (gcry_cv_gcc_inline_asm_aarch32_crypto): Ditto.

2017-07-25  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Add fall through annotation.
	+ commit b7cd44335d9cde43be6f693dca6399ed0762649c
	* src/dumpsexp.c (parse_and_print): It's fall through.

2017-07-24  Werner Koch  <wk@gnupg.org>

	random: Fix the command line munging for jitterbase.
	+ commit ac39522ab08fcd2483edc223334c6ab9d19e91f3
	* random/Makefile.am (o_flag_munging): Make the first sed term also
	global.

2017-07-19  NIIBE Yutaka  <gniibe@fsij.org>

	Remove byte order mark.
	+ commit 1d8e4c2c3a7d0a4154caf5bd720a9a0b04179390
	* random/jitterentropy-base.c, random/jitterentropy.h: Remove
	byte order mark.

2017-07-18  Werner Koch  <wk@gnupg.org>

	Release 1.8.0.
	+ commit 850aca744eeda5fd410f478a0778e353045ac962


	mac: Add selftests for HMAC-SHA3-xxx.
	+ commit 95194c550443e8d5558856633f920daec8a975c4
	* cipher/hmac-tests.c (check_one): Add arg trunc and change all
	callers to pass false.
	(selftests_sha3): New.
	(run_selftests): Call new selftests.

	api: New function gcry_mpi_point_copy.
	+ commit ecf73dafb7aafed0d0f339d07235b58c2113f94c
	* src/gcrypt.h.in (gcry_mpi_point_copy): New.
	(mpi_point_copy): New macro.
	* src/visibility.c (gcry_mpi_point_copy): New.
	* src/libgcrypt.def, src/libgcrypt.vers: Add function.
	* mpi/ec.c (_gcry_mpi_point_copy): New.
	* tests/t-mpi-point.c (set_get_point): Add test.

2017-07-17  Werner Koch  <wk@gnupg.org>

	random: Minor fix for getting the rndjent version.
	+ commit 9d99c6b973caa7fdf93b53cf764066214f763803
	* random/rndjent.c (_gcry_rndjent_get_version): Always set R_ACTIVE.
	* tests/version.c (test_get_config): Check number of fields for
	rng-type.

2017-07-07  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Minor fix of mpi_pow.
	+ commit 61b0f52c1cc85bf8c3cac9aba40e28682e4e1b8b
	* mpi/mpi-pow.c (_gcry_mpi_powm): Allocate size fix.

	mpi: Fix mpi_pow alternative implementation.
	+ commit 66ed4d53789892def7b237756d8a0ab28df9d222
	* mpi/mpi-pow.c
	  [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm): Use
	  mpi_set_cond.

	Fix mpi_pow alternative implementation.
	+ commit 619ebae9847831f43314a95cc3180f4b329b4d3b
	* mpi/mpi-pow.c [USE_ALGORITHM_SIMPLE_EXPONENTIATION] (_gcry_mpi_powm):
	Allocate size fix.

2017-07-06  Werner Koch  <wk@gnupg.org>

	rsa: Use modern MPI allocation function.
	+ commit 208aba6f9a0475ba049f5a66fe02cf9a6214a887
	* cipher/rsa.c (secret_core_crt): Use modern function _gcry_mpi_snew.

2017-07-05  Werner Koch  <wk@gnupg.org>

	build: Minor API fixes to fix build problems on AIX.
	+ commit 85a9a913da9ecc6b2cd6f743e90e49983251d706
	* src/gcrypt.h.in (gcry_error_from_errno): Fix return type.
	* src/visibility.c (gcry_md_extract): Change return type to match the
	prototype.

	tools: Add left shift to mpicalc.
	+ commit 0d30a4a9791d20c8881b5b12bd44611d9f4274cd
	* src/mpicalc.c (do_lshift): New.
	(main): Handle '<'.

2017-07-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix mpi_set_secure.
	+ commit 5feaf1cc8f22c1f8d19a34850d86fe190f1432e2
	* mpi/mpiutil.c (mpi_set_secure): Allocate by ->alloced.

2017-06-29  NIIBE Yutaka  <gniibe@fsij.org>
	    Werner Koch  <wk@gnupg.org>

	rsa: Add exponent blinding.
	+ commit 8725c99ffa41778f382ca97233183bcd687bb0ce
	* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
	nonce R for mpi_powm computation.

2017-06-28  NIIBE Yutaka  <gniibe@fsij.org>

	Same computation for square and multiply.
	+ commit 78130828e9a140a9de4dafadbc844dbb64cb709a
	* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
	the assignment to base_u into the loop.  Copy content refered by RP to
	BASE_U except the last of the loop.

2017-06-24  Werner Koch  <wk@gnupg.org>

	rsa: Minor refactoring.
	+ commit e6a3dc9900433bbc8ad362a595a3837318c28fa9
	* cipher/rsa.c (secret): Factor code out to ...
	(secret_core_std, secret_core_crt): new functions.

2017-06-23  Werner Koch  <wk@gnupg.org>

	random: Add missing dependency.
	+ commit d091610377b2c92cf385282b1adfc30fa6cd5c75
	* random/Makefile.am (EXTRA_librandom_la_SOURCES): Fix file name.
	(rndjent.o, rndjent.lo): Depend on jitterentropy-base-user.h.

	random: Update jitterentropy to 2.1.0.
	+ commit 8dfae89ecd3e9ae0967586cb38d12ef9111fc7cd
	* random/rndjent.c (jent_get_nstime, jent_zfree)
	(jent_fips_enabled, jent_zalloc): Move functions and macros to ...
	* random/jitterentropy-base-user.h: this file.   That files was not
	used before.
	* random/Makefile.am (EXTRA_librandom_la_SOURCES): Add
	jitterentropy-base-user.
	* random/jitterentropy-base.c: Update to version 2.1.0.
	* random/jitterentropy.h: Ditto.

2017-06-21  Werner Koch  <wk@gnupg.org>

	api: New function gcry_get_config.
	+ commit 27148e60ba15b0cb73b47a75c688fcb48a1a3444
	* src/misc.c (_gcry_log_info_with_dummy_fp): Remove.
	* src/global.c (print_config): New arg WHAT.  Remove arg FNC and use
	gpgrt_fprintf directly.
	(_gcry_get_config): New.
	(_gcry_vcontrol) <GCRYCTL_PRINT_CONFIG>: Use _gcry_get_config instead
	of print_config.
	* src/gcrypt.h.in (gcry_get_config): New.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
	* src/visibility.c (gcry_get_config): New.
	* src/visibility.h: Mark new function.

	* tests/version.c (test_get_config): New.
	(main): Call new test.

	random: Allow building rndjent on non-x86.
	+ commit c2319464b03e61aaf34ef6d5f4b59b0c0483a373
	* random/jitterentropy-base.c (jent_version): Uncomment function.
	* random/rndjent.c: Include time.h
	(JENT_USES_RDTSC): New.
	(JENT_USES_GETTIME): New.
	(JENT_USES_READ_REAL_TIME): New.
	(jent_get_nstime): Support clock_gettime and AIX specific
	function.  Taken from Stephan Müller's code.
	(is_rng_available): New.
	(_gcry_rndjent_dump_stats): Use that function.
	(_gcry_rndjent_poll): Use that fucntion.  Allow an ADD of NULL for an
	intialize only mode.
	(_gcry_rndjent_get_version): New.

2017-06-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-padlock: change asm operands from read-only to read/write.
	+ commit 32b4ab209067f6f08b87b27bc78ec27dc497b708
	* cipher/rijndael-padlock.c (do_padlock): Change ESI/EDI/ECX to use
	read/write operands as XCRYPT instruction modifies these registers.

2017-06-16  Werner Koch  <wk@gnupg.org>

	random: Make rndjent.c NTG.1 compliant.
	+ commit 82bc052eda5b3897724c7ad11e54f8203e8e88e9
	* random/rndjent.c (_gcry_rndjent_poll): Hash the retrieved jitter.

	md: Optimize gcry_md_hash_buffers for SHA-256 and SHA-512.
	+ commit e6f90a392a1fd59b19b16f7a2bc7c439ae369d5f
	* cipher/sha256.c (_gcry_sha256_hash_buffer): New.
	(_gcry_sha256_hash_buffers): New.
	* cipher/sha512.c (_gcry_sha512_hash_buffer): New.
	(_gcry_sha512_hash_buffers): New.
	* cipher/md.c (_gcry_md_hash_buffer): Optimize for SHA246 and SHA512.
	(_gcry_md_hash_buffers): Ditto.

	random: Allow building rndjent.c with stats collecting enabled.
	+ commit ee3a74f5539cbc5182ce089994e37c16ce612149
	* random/rndjent.c: Change license to the one used by jitterentropy.h.
	(jent_init_statistic): New.
	(jent_bit_count): New.
	(jent_statistic_copy_stat): new.
	(jent_calc_statistic): New.

	New global config option "only-urandom".
	+ commit 8f6082e95f30c1ba68d2de23da90146f87f0c66c
	* random/rand-internal.h (RANDOM_CONF_ONLY_URANDOM): New.
	* random/random.c (_gcry_random_read_conf): Add option "only-urandom".
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Implement that
	option.
	* tests/keygen.c (main): Add option --no-quick for better manual
	tests.

	Implement global config file /etc/gcrypt/random.conf.
	+ commit b05a4abc358b204dba343d9cfbd59fdc828c1686
	* src/hwfeatures.c (my_isascii): Move macro to ...
	* src/g10lib.h: here.
	* tests/random.c (main): Dump random stats.
	* random/random.c (RANDOM_CONF_FILE): New.
	(_gcry_random_read_conf): New.
	(_gcry_random_dump_stats): Call rndjent stats.
	* random/rndjent.c (jent_rng_totalcalls, jent_rng_totalbytes): New.
	(_gcry_rndjent_poll): Take care of config option disable-jent.  Wipe
	buffer.  Bump counters.
	(_gcry_rndjent_dump_stats): New.

2017-06-14  Werner Koch  <wk@gnupg.org>

	random: Add jitter RND based entropy collector.
	+ commit f5e7763ddca59dcd9ac9f2f4d50cb41b14a34a9e
	* random/rndjent.c: New.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Use rndjent.
	* random/rndw32.c (_gcry_rndw32_gather_random): Use rndjent.
	(slow_gatherer): Fix compiler warning.
	* random/Makefile.am (librandom_la_SOURCES): Add rndjent.c
	(EXTRA_librandom_la_SOURCES): Add jitterentropy-base.c and
	jitterentropy.h.
	(rndjent.o, rndjent.lo): New rules.
	* configure.ac: New option --disbale-jent-support
	(ENABLE_JENT_SUPPORT): New ac-define.

	cipher: New helper function rol64.
	+ commit 6c882fb1fdb6c7cba2215fa7391110d63e24b9dc
	* cipher/bithelp.h (rol64): New inline functions.

	New hardware feature flag HWF_INTEL_RDTSC.
	+ commit 06f303a633ea2b992259688bef2b023c3f388f73
	* src/g10lib.h (HWF_INTEL_RDTSC): New.
	* src/hwfeatures.c (hwflist): Add "intel-rdtsc".
	* src/hwf-x86.c (detect_x86_gnuc): Get EDX features and test for TSC.

	random: Changes to original Jitter RNG implementation.
	+ commit a44c45675f8b631e11048a540bb1fbb7a022ebb4
	* random/jitterentropy-base.c: Change double underscore symbols and
	make all functions static.
	* random/jitterentropy.h: Likewise.

2017-06-13  Stephan Mueller  <smueller@chronox.de>

	random: Add original Jitter RNG implementation.
	+ commit f0ae18ecf48fbe2da0b9fb3f354d0dd3173d91d3
	* random/jitterentropy-base-user.h: New.
	* random/jitterentropy-base.c: New.
	* random/jitterentropy.h: New.

2017-06-08  Werner Koch  <wk@gnupg.org>

	build: Fix ChangeLog building for builds from other worktrees.
	+ commit cdfd7ea72a44657f037dd0dbba6e5ea0c2b344aa
	* Makefile.am (gen-ChangeLog): Test for existance of ".git" regardless
	on whether it is a file or directory.

2017-06-02  NIIBE Yutaka  <gniibe@fsij.org>

	secmem: Fix SEGV and stat calculation.
	+ commit e0958debe1a7db1bec1283115cdc6a14bf3b43e5
	* src/secmem (init_pool): Care about the header size.
	(_gcry_secmem_malloc_internal): Likewise.
	(_gcry_secmem_malloc_internal): Use mb->size for stats.

2017-06-01  Jo Van Bulck  <jo.vanbulck@cs.kuleuven.be>

	ecc: Store EdDSA session key in secure memory.
	+ commit 5a22de904a0a366ae79f03ff1e13a1232a89e26b
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
	session key.

2017-05-31  Werner Koch  <wk@gnupg.org>

	api: Deprecate gcry_md_info.
	+ commit 45c39340c9926c2c5801dbab7609687c41e9ff1f


2017-05-30  Werner Koch  <wk@gnupg.org>

	mpi: Distribute asm files for aarch64 and asm.
	+ commit c65f9558f12ffa2810538ef616e71b4052dacb81
	* mpi/aarch64/distfiles: New.
	* mpi/arm/distfiles: New.

	mpi: Distribute asm definitions for amd64.
	+ commit 87e481137debabb7f989d7fa9b1c21c336e10c98
	* mpi/amd64/distfiles: Add mpi-asm-defs.h.

2017-05-23  Werner Koch  <wk@gnupg.org>

	cipher: Fix compiler warnings.
	+ commit d764c9894013727ff82eb194da6030209c273528
	* cipher/poly1305.c (poly1305_default_ops): Move to the top.  Add
	prototypes and compile only if USE_SSE2 is not defined.
	(poly1305_init_ext_ref32): Compile only if USE_SSE2 is not defined.
	(poly1305_blocks_ref32): Ditto.
	(poly1305_finish_ext_ref32): Ditto.

	doc: Comment fixes.
	+ commit c1bb3d9fdb6fe5f336af1d5a03fc42bfdc1f8b0b


2017-05-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ssse3: fix functions calls from assembly blocks.
	+ commit 4cd94994a9abec9b92fa5972869baf089a28fa76
	* cipher/rijndael-ssse3-amd64.c (PUSH_STACK_PTR, POP_STACK_PTR): New.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Use PUSH_STACK_PTR and
	POP_STACK_PTR.

	chacha20-armv7-neon: fix to use fast code path when memory is aligned.
	+ commit 68861ae5d3e007d7a39f14ea27dc3dd8ef13ba02
	* cipher/chacha20-armv7-neon.S (UNALIGNED_LDMIA4): Uncomment
	instruction for jump to aligned code path.

	Move data in AMD64 assembly to text section.
	+ commit 1a094bc5b2aa730833faf593a931d4e5d7f9ab4d
	* cipher/camellia-aesni-avx-amd64.S: Move data to .text section to
	ensure that RIP relative addressing of data will work.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/chacha20-avx2-amd64.S: Ditto.
	* cipher/chacha20-ssse3-amd64.S: Ditto.
	* cipher/des-amd64.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/sha1-avx-amd64.S: Ditto.
	* cipher/sha1-avx-bmi2-amd64.S: Ditto.
	* cipher/sha1-ssse3-amd64.S: Ditto.
	* cipher/sha256-avx-amd64.S: Ditto.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

	cast5-amd64: use 64-bit relocation with large PIC memory model.
	+ commit ff02fca39c83bcf30c79368611ac65e273e77f6c
	* cipher/cast5-amd64.S [__code_model_large__]
	(GET_EXTERN_POINTER): New.

2017-05-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building with x86-64 medium and large memory models.
	+ commit 434d4f2af39033fc626044ba9a060da298522293
	* cipher/cast5-amd64.S [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(GET_EXTERN_POINTER): Load 64-bit address instead of 32-bit.
	* cipher/rijndael.c (do_encrypt, do_decrypt)
	[USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Load
	table pointer through register instead of generic reference.

2017-04-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Simplify mpi_powm.
	+ commit 719468e53133d3bdf12156c5bfdea2bf15f9f6f1
	* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.

2017-03-08  Justus Winter  <justus@g10code.com>

	build: Use macOS' compatibility macros to enable all features.
	+ commit 654024081cfa103c87bb163b117ea3568171d408
	* configure.ac: On macOS, use the compatibility macros to expose every
	feature of the libc.  This is the equivalent of _GNU_SOURCE on GNU
	libc.

2017-02-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add BLAKE2b and BLAKE2s hash algorithms (RFC 7693)
	+ commit 5bd530b8a4624f101b8d42e68f1b28bcc13f4f76
	* cipher/blake2.c: New.
	* cipher/Makefile.am: Add 'blake2.c'.
	* cipher/md.c (digest_list, prepare_macpads): Add BLAKE2.
	(md_setkey): New.
	(_gcry_md_setkey): Call 'md_setkey' for non-HMAC md.
	* configure.ac: Add BLAKE2 digest.
	* doc/gcrypt.texi: Add BLAKE2.
	* src/cipher.h (_gcry_blake2_init_with_key)
	(_gcry_digest_spec_blake2b_512, _gcry_digest_spec_blake2b_384)
	(_gcry_digest_spec_blake2b_256, _gcry_digest_spec_blake2b_160)
	(_gcry_digest_spec_blake2s_256, _gcry_digest_spec_blake2s_224)
	(_gcry_digest_spec_blake2s_160, _gcry_digest_spec_blake2s_128): New.
	* src/gcrypt.h.in (GCRY_MD_BLAKE2B_512, GCRY_MD_BLAKE2B_384)
	(GCRY_MD_BLAKE2B_256, GCRY_MD_BLAKE2B_160, GCRY_MD_BLAKE2S_256)
	(GCRY_MD_BLAKE2S_224, GCRY_MD_BLAKE2S_160, GCRY_MD_BLAKE2S_128): New.
	* tests/basic.c (check_one_md): Add testing for keyed hashes.
	(check_digests): Add BLAKE2 test vectors; Add testing for keyed hashes.
	* tests/blake2b.h: New.
	* tests/blake2s.h: New.
	* tests/Makefile.am: Add 'blake2b.h' and 'blake2s.h'.

	Fix building with clang on ARM64/FreeBSD.
	+ commit da213db2c6cda6f57e5853e8c591d69bfa1cfa74
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Use '.cpu generic+simd+crypto'
	instead of '.arch armv8-a+crypto'.
	* cipher/rijndael-armv8-aarch64-ce.S: Ditto.
	* cipher/sha1-armv8-aarch64-ce.S: Ditto.
	* cipher/sha256-armv8-aarch64-ce.S: Ditto.
	* configure.ac (gcry_cv_gcc_inline_asm_aarch64_neon): Ditto.
	(gcry_cv_gcc_inline_asm_aarch64_crypto): Ditto; and include NEON
	instructions to crypto instructions check.

2017-02-07  Justus Winter  <justus@g10code.com>

	Fix building with a pre C99 compiler.
	+ commit 75d91ffeaf83098ade325bb3b6b2c8a76eb1f6a6
	* cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt): Move the
	declaration of 'i' out of the loop.
	(_gcry_cipher_cfb8_decrypt): Likewise.

2017-02-04  Mathias L. Baumann  <mathias.baumann_at_sociomantic.com>

	Implement CFB with 8-bit mode.
	+ commit d1ee9a660571ce4a998c9ab2299d4f2419f99127
	* cipher/cipher-cfb.c (_gcry_cipher_cfb8_encrypt)
	(_gcry_cipher_cfg8_decrypt): Add 8-bit variants of decrypt/encrypt
	functions.
	* cipher/cipher-internal.h (_gcry_cipher_cfb8_encrypt)
	(_gcry_cipher_cfg8_decrypt): Ditto.
	* cipher/cipher.c: Adjust code flow to work with GCRY_CIPHER_MODE_CFB8.
	* tests/basic.c: Add tests for cfb8 with AES and 3DES.

2017-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rndhw: add missing "memory" clobbers.
	+ commit c67c728478e8f47b6e8296b643fd35d66d4a1052
	* random/rndhw.c: (poll_padlock, rdrand_long): Add "memory" to asm
	clobbers.

	Add UNLIKELY and LIKELY macros.
	+ commit 4b7451d3e8e7b87d8e407fbbd924ad5b13bd0f00
	* src/g10lib.h (LIKELY, UNLIKELY): New.
	(gcry_assert): Use LIKELY for assert check.
	(fast_wipememory2_unaligned_head): Use UNLIKELY for unaligned
	branching.
	* cipher/bufhelp.h (buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst)
	(buf_xor_n_copy_2): Ditto.

	rndhw: avoid type-punching.
	+ commit 37b537600f33fcf8e1c8dc2c658a142fbba44199
	* random/rndhw.c (rdrand_long, rdrand_nlong): Add 'volatile' for
	pointer.
	(poll_drng): Convert buffer to 'unsigned long[]' and make use of DIM
	macro.

2017-01-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-x86: avoid type-punching.
	+ commit 1407317a6112a23d4fec5827a9d74faef4196f66
	* src/hwf-x86.c (detect_x86_gnuc): Use union for vendor_id.

	cipher: add explicit blocksize checks to allow better optimization.
	+ commit efa9042f82ffed3d076b8e26ac62d29e00bb756a
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Add explicit check for cipher blocksize of
	64-bit or 128-bit.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-cmac.c (cmac_write, cmac_generate_subkeys)
	(cmac_final): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Ditto.

	bufhelp: use unaligned dword and qword types for endianess helpers.
	+ commit e7b941c3de9c9b6319298c02f844cc0cadbf8562
	* cipher/bufhelp.h (BUFHELP_UNALIGNED_ACCESS): New, defined
	if attributes 'packed', 'aligned' and 'may_alias' are supported.
	(BUFHELP_FAST_UNALIGNED_ACCESS): Define if have
	BUFHELP_UNALIGNED_ACCESS.

	rijndael-aesni: fix u128_t strict-aliasing rule breaking.
	+ commit 92b4a29d2453712192ced2d7226abc49679dcb1e
	* cipher/rijndael-aesni.c (u128_t): Add attributes to tell GCC and clang
	that casting from 'char *' to 'u128_t *' is ok.

	cipher-xts: fix pointer casting to wrong alignment and aliasing.
	+ commit 4f31d816dcc1e95dc647651e92acbdfed53f5c14
	* cipher/cipher-xts.c (xts_gfmul_byA, xts_inc128): Use buf_get_le64
	and buf_put_le64 for accessing data; Change parameter pointers to
	'unsigned char *' type.
	(_gcry_cipher_xts_crypt): Do not cast buffer pointers to 'u64 *'
	for helper functions.

	crc-intel-pclmul: fix undefined behavior with unaligned access.
	+ commit 55cf1b5588705cab5f45e2817c4aa1d204dc0042
	* cipher/crc-intel-pclmul.c (u16_unaligned_s): New.
	(crc32_reflected_less_than_16, crc32_less_than_16): Use
	'u16_unaligned_s' for unaligned memory access.

	configure.ac: fix attribute checks.
	+ commit b29b1b9f576f501d4b993be0a751567045274a1a
	* configure.ac: Add -Werror flag for attribute checks.

	configure.ac: fix may_alias attribute check.
	+ commit 136c8416ea540dd126be3997d94d7063b3aaf577
	* configure.ac: Test may_alias attribute on type, not on variable.

	bufhelp: add 'may_alias' attribute for properly aligned 'bufhelp_int_t'
	+ commit d1ae52a0e23308f33b78cffeba56005b687f23c0
	* cipher/bufhelp.h [!BUFHELP_FAST_UNALIGNED_ACCESS]
	(bufhelp_int_t): Add 'may_alias' attribute.

2017-01-27  Werner Koch  <wk@gnupg.org>

	w32: New envvar GCRYPT_RNDW32_DBG.
	+ commit a351fbde8548ce3f57298c618426f043844fbc78
	* random/rndw32.c (_gcry_rndw32_gather_random): Use getenv to set
	DEBUG_ME.

2017-01-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ssse3-amd64: fix building on x32.
	+ commit 39b9302da5d08bd52688d20befe626fee0b6c41d
	* cipher/rijndael-ssse3-amd64.c: Use 64-bit call instructions
	with 64-bit registers.

	bufhelp: use 'may_alias' attribute unaligned pointer types.
	+ commit bf9e0b79e620ca2324224893b07522462b125412
	* configure.ac (gcry_cv_gcc_attribute_may_alias)
	(HAVE_GCC_ATTRIBUTE_MAY_ALIAS): New check for 'may_alias' attribute.
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only if
	HAVE_GCC_ATTRIBUTE_MAY_ALIAS is defined.
	[BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_int_t, bufhelp_u32_t)
	(bufhelp_u64_t): Add 'may_alias' attribute.
	* src/g10lib.h (fast_wipememory_t): Add HAVE_GCC_ATTRIBUTE_MAY_ALIAS
	defined check; Add 'may_alias' attribute.

2017-01-18  Werner Koch  <wk@gnupg.org>

	random: Call getrandom before select and emitting a progress callback.
	+ commit 623aab8a940ea61afe3fef650ad485a755ed9fe7
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom
	call before the select.

2017-01-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: amd64: fix too large jump alignment in mpih-rshift.
	+ commit ddcfe31e2425e88b280e7cdaf3f0eaaad8ccc023
	* mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment
	with 'ALIGN(4)' instead of 256-byte.

	rijndael-ssse3: move assembly functions to separate source-file.
	+ commit 54c57bc49edb5c00e9ed8103cc4837bb72c5e863
	* cipher/Makefile.am: Add 'rinjdael-ssse3-amd64-asm.S'.
	* cipher/rinjdael-ssse3-amd64-asm.S: Moved assembly functions
	here ...
	* cipher/rinjdael-ssse3-amd64.c: ... from this file.
	(_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload)
	(_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core)
	(_gcry_aes_ssse3_decrypt_core): New.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external
	assembly functions; remove 'aes_const_ptr' variable usage.
	(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt)
	(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
	(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
	(_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage.
	* configure.ac: Add 'rinjdael-ssse3-amd64-asm.lo'.

	Add AVX2/vpgather bulk implementation of Twofish.
	+ commit c59a8ce51ceb9a80169c44ef86a67e95cf8528c3
	* cipher/Makefile.am: Add 'twofish-avx2-amd64.S'.
	* cipher/twofish-avx2-amd64.S: New.
	* cipher/twofish.c (USE_AVX2): New.
	(TWOFISH_context) [USE_AVX2]: Add 'use_avx2' member.
	(ASM_FUNC_ABI): New.
	(twofish_setkey): Add check for AVX2 and fast VPGATHER HW features.
	(_gcry_twofish_avx2_ctr_enc, _gcry_twofish_avx2_cbc_dec)
	(_gcry_twofish_avx2_cfb_dec, _gcry_twofish_avx2_ocb_enc)
	(_gcry_twofish_avx2_ocb_dec, _gcry_twofish_avx2_ocb_auth): New.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Add AVX2 bulk
	handling.
	(selftest_ctr, selftest_cbc, selftest_cfb): Increase nblocks from
	3+X to 16+X.
	* configure.ac: Add 'twofish-avx2-amd64.lo'.
	* src/g10lib.h (HWF_INTEL_FAST_VPGATHER): New.
	* src/hwf-x86.c (detect_x86_gnuc): Add detection for
	HWF_INTEL_FAST_VPGATHER.
	* src/hwfeatures.c (HWF_INTEL_FAST_VPGATHER): Add
	"intel-fast-vpgather" for HWF_INTEL_FAST_VPGATHER.

	Add XTS cipher mode.
	+ commit 232a129b1f915fc54881506e4b07c89cf84932e6
	* cipher/Makefile.am: Add 'cipher-xts.c'.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'bulk.xts_crypt'
	and 'u_mode.xts' members.
	(_gcry_cipher_xts_crypt): New prototype.
	* cipher/cipher-xts.c: New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_reset, cipher_encrypt, cipher_decrypt): Add XTS mode handling.
	* doc/gcrypt.texi: Add XTS mode to documentation.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_XTS, GCRY_XTS_BLOCK_LEN): New.
	* tests/basic.c (do_check_xts_cipher, check_xts_cipher): New.
	(check_bulk_cipher_modes): Add XTS test-vectors.
	(check_one_cipher_core, check_one_cipher, check_ciphers): Add XTS
	testing support.
	(check_cipher_modes): Add XTS test.
	* tests/bench-slope.c (bench_xts_encrypt_init)
	(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench)
	(xts_encrypt_ops, xts_decrypt_ops): New.
	(cipher_modes, cipher_bench_one): Add XTS.
	* tests/benchmark.c (cipher_bench): Add XTS testing.

2017-01-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-ssse3: fix counter operand from read-only to read/write.
	+ commit aada604594fd42224d366d3cb98f67fd3b989cd6
	* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change
	'ctrlow' operand from read-only to read-write.

2017-01-03  Werner Koch  <wk@gnupg.org>

	Extend GCRYCTL_PRINT_CONFIG to print compiler version.
	+ commit 98b49695b1ffe3c406ae39a45051b8594f903b9d
	* src/global.c (print_config): Print version of libgpg-error and used
	compiler.

	tests: Add option --disable-hwf to the version utility.
	+ commit 3582641469f1c74078f0d758c4d5458cc0ee5649
	* src/hwfeatures.c (_gcry_disable_hw_feature): Rewrite to allow
	passing a colon delimited feature set.
	(parse_hwf_deny_file): Remove unused var I.
	* tests/version.c (main): Add options --verbose and --disable-hwf.

2016-12-15  Werner Koch  <wk@gnupg.org>
	    Nicolas Porcel  <nicolasporcel06@gmail.com>

	Fix regression in broken mlock detection.
	+ commit 0a90f87799903a3fb97189ef7cba19e7b3534e1c
	* acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN.

2016-12-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwfeatures: add 'all' for disabling all hardware features.
	+ commit c83d0d2a26059cf471d09f5cb8e7fc5d76c4907b
	* .gitignore: Add 'tests/basic-disable-all-hwf'.
	* configure.ac: Ditto.
	* tests/Makefile.am: Ditto.
	* src/hwfeatures.c (_gcry_disable_hw_feature): Match 'all' for
	masking all HW features off.
	(parse_hwf_deny_file): Use '_gcry_disable_hw_feature' for matching.
	* tests/basic-disable-all-hwf.in: New.

	tests/hashtest-256g: add missing executable extension for Win32.
	+ commit 2b7b227b8a0bd5ff286258bc187782efac180a7e
	* tests/hashtest-256g.in: Add @EXEEXT@.

	OCB ARM CE: Move ocb_get_l handling to assembly part.
	+ commit 5c418e597f0f20a546d953161695e6caf1f57689
	* cipher/rijndael-armv8-aarch32-ce.S: Add OCB 'L_{ntz(i)}' calculation.
	* cipher/rijndael-armv8-aarch64-ce.S: Ditto.
	* cipher/rijndael-armv8-ce.c (_gcry_aes_ocb_enc_armv8_ce)
	(_gcry_aes_ocb_dec_armv8_ce, _gcry_aes_ocb_auth_armv8_ce)
	(ocb_cryt_fn_t): Updated arguments.
	(_gcry_aes_armv8_ce_ocb_crypt, _gcry_aes_armv8_ce_ocb_auth): Remove
	'ocb_get_l' handling and splitting input to 32 block chunks, instead
	pass full buffers to assembly.

	OCB: Move large L handling from bottom to upper level.
	+ commit 2d2e5286d53e1f62fe040dff4c6e01961f00afe2
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_get_l): Remove.
	(ocb_get_L_big): New.
	(_gcry_cipher_ocb_authenticate): L-big handling done in upper
	processing loop, so that lower level never sees the case where
	'aad_nblocks % 65536 == 0'; Add missing stack burn.
	(ocb_aad_finalize): Add missing stack burn.
	(ocb_crypt): L-big handling done in upper processing loop, so that
	lower level never sees the case where 'data_nblocks % 65536 == 0'.
	* cipher/cipher-internal.h (_gcry_cipher_ocb_get_l): Remove.
	(ocb_get_l): Remove 'l_tmp' usage and simplify since input
	is more limited now, 'N is not multiple of 65536'.
	* cipher/rijndael-aesni.c (get_l): Remove.
	(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Remove
	l_tmp; Use 'ocb_get_l'.
	* cipher/rijndael-ssse3-amd64.c (get_l): Remove.
	(ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_auth): Remove
	l_tmp; Use 'ocb_get_l'.
	* cipher/camellia-glue.c: Remove OCB l_tmp usage.
	* cipher/rijndael-armv8-ce.c: Ditto.
	* cipher/rijndael.c: Ditto.
	* cipher/serpent.c: Ditto.
	* cipher/twofish.c: Ditto.

	OCB: remove 'int64_t' usage.
	+ commit 161d339f48c03be7fd0f4249d730f7f1767ef8e4
	* cipher/cipher-ocb.c (double_block): Use alternative way to generate
	sign-bit mask, without 'int64_t'.

	random-drbg: use bufhelp function for big-endian store.
	+ commit 0b03b658bebc69a84d87ef13f9b60a27b0c42305
	* random/random-drbg.c (drbg_cpu_to_be32): Remove.
	(drbg_ctr_df, drbg_hash_df): Use 'buf_put_be32' instead of
	'drbg_cpu_to_be32'.

2016-12-09  Werner Koch  <wk@gnupg.org>

	Improve handling of mlock error codes.
	+ commit 618b8978f46f4011c11512fd5f30c15e01652e2e
	* acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
	legitimate return code and does not indicate a broken mlock().
	* src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
	could have been overwritten by cap_from+text et al.

2016-12-08  Stephan Mueller  <smueller@chronox.de>

	random: Eliminate unneeded memcpy invocations in the DRBG.
	+ commit 656395ba4cf34f42dda3a120bda3ed1220755a3d
	* random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
	pointer instead.
	(drbg_instantiate): Reduce size of scratchpad.
	(drbg_hmac_update): Avoid use of scratch buffers for the hash.
	(drbg_hmac_generate, drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_hash_generate): Ditto.

	random: Add performance improvements for the DRBG.
	+ commit 20886fdcb841b0bf89bb1d44303d42f1804e38cb
	* random/random-drbg.c (struct drbg_state_ops_s): New function
	pointers 'crypto_init' and 'crypto-fini'.
	(struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
	'ctr_null'.
	(drbg_hash_init, drbg_hash_fini): New.
	(drbg_hmac_init, drbg_hmac_setkey): New.
	(drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
	(drbg_sym_ctr): New.
	(drbg_ctr_bcc): Set the key.
	(drbg_ctr_df): Ditto.
	(drbg_hmac_update): Ditto.
	(drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
	(drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_ctr_update): Rework.
	(drbg_ctr_generate): Rework.
	(drbg_ctr_ops): Init new functions pointers.
	(drbg_uninstantiate): Call fini function.
	(drbg_instantiate): Call init function.

	cipher: New function for reading the counter in CTR mode.
	+ commit 227099f179df9dcf083d0ef6be9883c775df0874
	* cipher/cipher.c (gcry_cipher_getctr): New.

2016-12-07  Werner Koch  <wk@gnupg.org>

	Document the overflow pools and add a stupid test case.
	+ commit 95bac312644ad45e486c94c2efd25d0748b9a20b
	* tests/t-secmem.c (test_secmem_overflow): New func.
	(main): Disable warning and call new function.

	Implement overflow secmem pools for xmalloc style allocators.
	+ commit b6870cf25c0b1eb9c127a94af8326c446421a472
	* src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
	cur_blocks.
	(cur_alloced, cur_blocks): Remove vars.
	(ptr_into_pool_p): Make it inline.
	(stats_update): Add arg pool and update the new pool specific
	counters.
	(_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
	pools as needed.
	(_gcry_secmem_malloc): Pass XHINTS along.
	(_gcry_secmem_realloc_internal): Ditto.
	(_gcry_secmem_realloc): Ditto.
	(_gcry_secmem_free_internal): Take multiple pools in account.  Add
	return value to indicate whether the arg was freed.
	(_gcry_secmem_free): Add return value to indicate whether the arg was
	freed.
	(_gcry_private_is_secure): Take multiple pools in account.
	(_gcry_secmem_term): Release all pools.
	(_gcry_secmem_dump_stats): Print stats for all pools.
	* src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
	test with a direct call of _gcry_secmem_free to avoid double checking.

	Give the secmem allocators a hint when a xmalloc calls them.
	+ commit b7df907dca4d525f8930c533b763ffce44ceed87
	* src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
	(_gcry_secmem_realloc): Ditto.
	* src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
	passed to the secmem functions.
	(_gcry_private_realloc): Ditto.
	* src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
	* src/global.c (do_malloc): Pass this flag as XHINT to the private
	allocator.
	(_gcry_malloc_secure): Factor code out to ...
	(_gcry_malloc_secure_core): this.  Add arg XHINT.
	(_gcry_realloc): Factor code out to ...
	(_gcry_realloc_core): here.  Add arg XHINT.
	(_gcry_strdup): Factor code out to ...
	(_gcry_strdup_core): here.  Add arg XHINT.
	(_gcry_xrealloc): Use the core function and pass true for XHINT.
	(_gcry_xmalloc_secure): Ditto.
	(_gcry_xstrdup): Ditto.

	tests: New test t-secmem.
	+ commit e366c19b34922c770af82cd035fd815680b29dee
	* src/secmem.c (_gcry_secmem_dump_stats): Add arg EXTENDED and adjust
	caller.
	* src/gcrypt-testapi.h (PRIV_CTL_DUMP_SECMEM_STATS): New.
	* src/global.c (_gcry_vcontrol): Implement that.
	* tests/t-secmem.c: New.
	* tests/Makefile.am (tests_bin): Add that test.

2016-12-06  Werner Koch  <wk@gnupg.org>

	Fix compiler warning about possible-NULL-dreference.
	+ commit 995ce697308320c6a52a307f83dc49eeb8d784b4
	* src/mpi.h (mpi_is_const, mpi_is_immutable): Do check arg before
	deref-ing.  The are only used at places where the arg shall not be NULL.

	Fix possible NULL-deref in gcry_log_debugsxp.
	+ commit 984a97f0750f812f0ad3c343ee6a67560953a504
	* src/misc.c (_gcry_log_printsxp): Prevent passing NULL to strlen.

	Reorganize code in secmem.c.
	+ commit 603f479a919311f720a05da738150c2192d5e562
	* src/secmem.c (pooldesc_t): New type to collect information about one
	pool.
	(pool_size): Remove.  Now a member of pooldesc_t.
	(pool_okay): Ditto.
	(pool_is_mmapped): Ditto.
	(pool): Rename variable ...
	(mainpool): And change type to pooldesc_t.
	(ptr_into_pool_p): Add arg 'pool'.
	(mb_get_next): Ditto.
	(mb_get_prev): Ditto.
	(mb_merge): Ditto.
	(mb_get_new): Ditto.
	(init_pool): Ditto.
	(lock_pool): Rename to ...
	(look_pool_pages: this.
	(secmem_init): Rename to ...
	(_gcry_secmem_init_internal): this.  Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_secmem_malloc_internal): Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_private_is_secure): Ditto.
	(_gcry_secmem_term): Ditto.
	(_gcry_secmem_dump_stats): Ditto.
	(_gcry_secmem_free_internal): Ditto.  Remove check for NULL arg.
	(_gcry_secmem_free): Add check for NULL arg before taking the lock.
	(_gcry_secmem_realloc): Factor most code out to ...
	(_gcry_secmem_realloc_internal): this.

2016-11-28  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests: Add PBKDF2 tests for Stribog512.
	+ commit a0580d446fef648a177ca4ab060d0e449780db84
	* tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
	additions to PKCS#5.

	tests: Add Stribog HMAC tests from TC26ALG.
	+ commit fe6077e6ee8565bfcc91bad14a73e68f45b3c32b
	* tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document
	for Stribog.

	cipher: Add Stribog OIDs from TC26 space.
	+ commit ccffacaf6c3abe6120a0898db922981d28ab7af2
	* cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New.

2016-11-25  Justus Winter  <justus@g10code.com>

	tests: Fix memory leak.
	+ commit 5530a8234d703ce9b685f78fb6e951136eb0aeb2
	* tests/basic.c (check_gost28147_cipher): Free cipher handles.

2016-11-25  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Cast oid argument of gcry_cipher_set_sbox to disable compiler warning.
	+ commit 1a67e3195896704f8b3ba09e3db1214bab834491
	* src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *).

	gost: Rename tc26 s-box from A to Z.
	+ commit dc8ceb8d2dfef949f3afa14fc75f9de8cd07c7ad
	* cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is
	the name that ended up in all standards.

	tests: Add test to verify GOST 28147-89 against known results.
	+ commit 4f5c26c73c66daf2e4aff966e43c22b2db7e0138
	* tests/basic.c (check_gost28147_cipher): new test function.

2016-11-17  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	cipher/gost28147: Fix CryptoPro-B S-BOX.
	+ commit 5ca63c92825453fdb369a97bbc19cb95b49b4296
	* cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
	incorrect encryption/decryption using that s-box.  Add missing data.

2016-11-12  Werner Koch  <wk@gnupg.org>

	Put blocking calls into Libgpg-error's system call clamp.
	+ commit b829dfe9f0eeff08c956ba3f3a6b559b9d2199dd
	* src/gcrypt.h.in (GCRYCTL_REINIT_SYSCALL_CLAMP): New.
	* configure.ac: Require Libgpg-error 1.25.  Set version number to
	1.8.0.
	* src/gcrypt-int.h: Remove error code emulation.
	* src/global.c (pre_syscall_func, post_syscall_func): New.
	(global_init): Call gpgrt_get_syscall_clamp.
	(_gcry_vcontrol) <GCRYCTL_REINIT_SYSCALL_CLAMP>: Ditto.
	(_gcry_pre_syscall, _gcry_post_syscall): New.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Use the new
	functions.

2016-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix IDEA cipher for clearing memory.
	+ commit bf6d5b10cb4173826f47ac080506b68bb001acb2
	* cipher/idea.c (invert_key): Use wipememory, since this kind of memset
	may be removed by compiler optimization.

2016-10-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	GCM: Add bulk processing for ARMv8/AArch64 implementation.
	+ commit bfd732f53a9b5dfe14217a68a0fa289bf6913ec0
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.

	GCM: Add bulk processing for ARMv8/AArch32 implementation.
	+ commit 27747921cb1dfced83c5666cd1c474764724c52b
	* cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
	* tests/basic.c (check_digests): Print correct data length for "?"
	tests.
	(check_one_mac): Add large 1000000 bytes tests, when input is "!" or
	"?".
	(check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305.

2016-09-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Twofish.
	+ commit 5418d9ca4c0e087fd6872ad350a996fe74880d86
	* cipher/Makefile.am: Add 'twofish-aarch64.S'.
	* cipher/twofish-aarch64.S: New.
	* cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.

2016-09-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Camellia.
	+ commit de73a2e7237ba7c34ce48bb5fb671aa3993de832
	* cipher/Makefile.am: Add 'camellia-aarch64.S'.
	* cipher/camellia-aarch64.S: New.
	* cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
	size to zero.
	* cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of AES.
	+ commit 4cd8d40d698564d24ece2af24546e34c58bf2961
	* cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'.
	* cipher/rijndael-armv8-aarch64-ce.S: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
	* configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and
	'rijndael-armv8-ce.lo' for ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of GCM.
	+ commit 0b332c1aef03a735c1fb0df184f74d523deb2f98
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: New.
	* cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
	ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-256.
	+ commit 2d4bbc0ad62c54bbdef77799f9db82d344b7219e
	* cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
	* cipher/sha256-armv8-aarch64-ce.S: New.
	* cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
	section.
	* cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
	'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-1.
	+ commit e4eb03f56683317c908cb55be727832810dc8c72
	* cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
	* cipher/sha1-armv8-aarch64-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.

2016-09-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AArch64 assembly implementation of AES.
	+ commit 595251ad37bf1968261d7e781752513f67525803
	* cipher/Makefile.am: Add 'rijndael-aarch64.S'.
	* cipher/rijndael-aarch64.S: New.
	* cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
	[host=aarch64]: Add 'rijndael-aarch64.lo'.

2016-08-17  Werner Koch  <wk@gnupg.org>

	Release 1.7.3.
	+ commit f8241874971478bdcd2bc2082d901d05db7b256d
	* configure.ac: Set LT version to C21/A1/R3.

	random: Hash continuous areas in the csprng pool.
	+ commit 8dd45ad957b54b939c288a68720137386c7f6501
	* random/random-csprng.c (mix_pool): Store the first hash at the end
	of the pool.

	random: Improve the diagram showing the random mixing.
	+ commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513
	* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.

2016-07-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	crc-intel-pclmul: split assembly block to ease register pressure.
	+ commit f38199dbc290003898a1799adc367265267784c2
	* cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
	assembly block handling 4 byte input into multiple blocks.

	rijndael-aesni: split assembly block to ease register pressure.
	+ commit a4d1595a2638db63ac4c73e722c8ba95fdd85ff7
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
	constraint for passing 'bige_addb' to assembly block; split
	first inline assembly block into two parts.

2016-07-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARMv8/AArch32 Crypto Extension implementation of AES.
	+ commit 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a
	* cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
	'rijndael-armv-aarch32-ce.S'.
	* cipher/rijndael-armv8-aarch32-ce.S: New.
	* cipher/rijndael-armv8-ce.c: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): New.
	(RIJNDAEL_context_s): Add 'use_arm_ce'.
	* cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
	(_gcry_aes_armv8_ce_prepare_decryption)
	(_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
	(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
	(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
	(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
	(_gcry_aes_armv8_ce_ocb_auth): New.
	(do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
	setup for ARM CE.
	(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
	ARM CE support.
	* configure.ac: Add 'rijndael-armv8-ce.lo' and
	'rijndael-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of GCM.
	+ commit 962b15470663db11e5c35b86768f1b5d8e600017
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
	* cipher/cipher-gcm-armv8-aarch32-ce.S: New.
	* cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
	(_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
	(ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
	(setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
	HWF_ARM_PULL HW feature flag is enabled.
	* cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.

	Add ARMv8/AArch32 Crypto Extension implemenation of SHA-256.
	+ commit 34c64eb03178fbfd34190148fec5a189df2b8f83
	* cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
	* cipher/sha256-armv8-aarch32-ce.S: New.
	* cipher/sha256.c (USE_ARM_CE): New.
	(sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports.
	(SHA256_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of SHA-1.
	+ commit 3d6334f8d94c2a4df10eed203ae928298a4332ef
	* cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
	* cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
	missing size.
	* cipher/sha1-armv8-aarch32-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): New.
	(sha1_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
	it.
	* cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.

	Add HW feature check for ARMv8 AArch64 and crypto extensions.
	+ commit eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f
	* configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
	module on 64-bit ARM.
	(armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
	(gcry_cv_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto): New.
	* src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
	(HWF_ARM_PMULL): New.
	* src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
	(feature_map_s): New.
	[__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
	(HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
	[__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
	(HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
	(get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv use
	'unsigned long'.
	(detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
	(detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
	(_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
	* src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
	and 'arm-pmull'.

2016-07-14  Werner Koch  <wk@gnupg.org>

	Release 1.7.2.
	+ commit be0bec7d9208b2f2d2ffce9cc2ca6154853e7e59
	* configure.ac: Set LT version to C21/A1/R2.
	* Makefile.am (distcheck-hook): New.

2016-07-13  Werner Koch  <wk@gnupg.org>

	build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
	+ commit e535ea1bdc42309553007d60599d3147b8defe93
	* build-aux/config.guess: Update.
	* build-aux/config.sub: Update.

2016-07-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON.
	+ commit 1111d311fd6452abd4080d1072c75ddb1b5a3dd1
	* cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
	(UNALIGNED_LDMIA4): New.
	(_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
	ldm/stm instructions directly.
	* cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
	(UNALIGNED_LDMIA4): New.
	(_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
	(_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
	of ldm instruction directly.

2016-07-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: add unaligned buffer mode.
	+ commit 496790940753226f96b731a43d950bd268acd97a
	* tests/bench-slope.c (unaligned_mode): New.
	(do_slope_benchmark): Unalign buffer if in unaligned mode enabled.
	(print_help, main): Add '--unaligned' parameter.

2016-07-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix static build.
	+ commit cb79630ec567a5f2e03e5f863cda168faa7b8cc8
	* tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.

2016-06-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disallow encryption/decryption if key is not set.
	+ commit 07de9858032826f5a7b08c372f6bcc73bbb503eb
	* cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
	NONE, make sure that key is set.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
	'marks.key' when reseting state.

	Avoid unaligned accesses with ARM ldm/stm instructions.
	+ commit a6158a01a4d81a5d862e1e0a60bfd6063443311d
	* cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
	compile with unaligned load/store code paths.
	* cipher/sha512-arm.S: Ditto.

	Fix non-PIC reference in PIC for poly1305/ARMv7-NEON.
	+ commit a09126242a51c4ea4564b0f70b808e4f27fe5a91
	* cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
	(_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.

	Fix wrong CPU feature #ifdef for SHA1/AVX.
	+ commit 4a983e3bef58b9d056517e25e0ab10b72d12ceba
	* cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
	HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.

2016-06-30  Werner Koch  <wk@gnupg.org>

	random: Remove debug message about not supported getrandom syscall.
	+ commit 6965515c73632a088fb126a4a55e95121671fa98
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
	for getrandom error ENOSYS.

2016-06-27  Werner Koch  <wk@gnupg.org>

	tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
	+ commit 4d634a098742ff425b324e9f2a67b9f62de09744
	* tests/benchmark.c (md_bench): Do not test variable lengths algos
	with the gcry_md_hash_buffer.

	md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
	+ commit ae26edf4b60359bfa5fe3a27b2c24b336e7ec35c
	* cipher/md.c (md_read): Detect missing read function.
	(_gcry_md_hash_buffers): Return an error.

2016-06-25  Werner Koch  <wk@gnupg.org>

	ecc: Fix memory leak.
	+ commit 7a7f7c147f888367dfee6093d26bfeaf750efc3a
	* cipher/ecc.c (ecc_check_secret_key): Do not init point if already
	set.

	doc: Update yat2m.
	+ commit 1feb01940062a74c27230434fc3babdddca8caf4
	* doc/yat2m.c: Update from Libgpg-error

	tests: Add attributes to helper functions.
	+ commit c870cb5d385c1d6e1e28ca481cf9cf44b3bfeea9
	* tests/t-common.h (die, fail, info): Add attributes.
	* tests/random.c (die, inf): Ditto.
	* tests/pubkey.c (die, fail, info): Add attributes.
	* tests/fipsdrv.c (die): Add attribute.
	(main): Take care of missing --key,--iv,--dt options.

	Improve robustness and help lint.
	+ commit 5a5b055b81ee60a22a846bdf2031516b1c24df98
	* cipher/rsa.c (rsa_encrypt): Check for !DATA.
	* cipher/md.c (search_oid): Check early for !OID.
	(md_copy): Use gpg_err_code_from_syserror.  Replace chains of if(!err)
	tests.
	* cipher/cipher.c (search_oid): Check early for !OID.
	* src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
	* mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
	analyzers.

	cipher: Improve fatal error message for bad use of gcry_md_read.
	+ commit 3f98b1e92d5afd720d7cea5b4e8295c5018bf9ac
	* cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.

2016-06-16  Niibe Yutaka  <gniibe@fsij.org>

	ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
	+ commit b0b70e7fe37b1bf13ec0bfc8effcb5c7f5db6b7d
	* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
	(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
	cofactor as 1, when not specified.

	ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
	+ commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7
	* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
	(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
	cofactor as 1, when not specified.

2016-06-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.1.
	+ commit 48aa6d6602564d6ba0cef10cf08f9fb0c59b3223


	doc: Describe envvars.
	+ commit c3173bbe3f1a9c73f81a538dd49ccfa0447bfcdc
	* doc/gcrypt.texi: Add chapter Configuration.

	random: Change names of debug envvars.
	+ commit 131b4f0634cee0e5c47d2250c59f51127b10f7b3
	* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
	GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
	* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
	GCRYPT_RNDW32_NOPERF.

2016-06-14  Werner Koch  <wk@gnupg.org>

	cipher: Assign OIDs to the Serpent cipher.
	+ commit e13a6a1ba53127af602713d0c2aaa85c94b3cd7e
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New. Add them to the specs blow.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

	cipher: Assign OIDs to the Serpent cipher.
	+ commit 6cc2100c00a65dff07b095dea7b32cb5c5cd96d4
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New. Add them to the specs blow.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

2016-06-08  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	+ commit 1f769e3e8442bae2f1f73c656920bb2df70153c0
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	+ commit 52cdfb1960808aaad48b5a501bbce0e3141c3961
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

	Fix gcc portability on Solaris 9 SPARC boxes.
	+ commit b766ea14ad1c27d6160531b200cc70aaa479c6dc
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-06-08  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	+ commit dc76313308c184c92eb78452b503405b90fc7ebd
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	  compiler supports PCLMUL *and* SSE4.1
	* cipher/crc.c: Ditto
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-06-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	+ commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-06-08  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	+ commit c05837211e5221d3f56146865e823bc20b4ff1ab
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom is available.

2016-06-03  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	+ commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	+ commit 82df6c63a72fdd969c3923523f10d0cef5713ac7
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

2016-06-02  Werner Koch  <wk@gnupg.org>

	Fix gcc portability on Solaris 9 SPARC boxes.
	+ commit 4121f15122501d8946f1589b303d1f7949c15e30
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-05-28  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	+ commit 3e8074ecd3a534e8bd7f11cf17f0b22d252584c8
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	  compiler supports PCLMUL *and* SSE4.1
	* cipher/crc.c: Ditto
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	+ commit c7430aa752232aa690c5d8f16575a345442ad8d7
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-04-26  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	+ commit ee5a32226a7ca4ab067864e06623fc11a1768900
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom is available.

2016-04-19  Werner Koch  <wk@gnupg.org>

	asm fix for older gcc versions.
	+ commit caa9d14c914bf6116ec3f773a322a94e2be0c0fb
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

	asm fix for older gcc versions.
	+ commit 4545372c0f8dd35aef2a7abc12b588ed1a4a0363
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

2016-04-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.0.
	+ commit 795f9cb090c776658a0e3117996e3fb7e2ebd94a


2016-04-14  Werner Koch  <wk@gnupg.org>

	tests: Add test vectors for 256 GiB test of SHA3-256.
	+ commit 1737c546dc7268fa9edcd4a23b7439c56d37ee4f
	* tests/hashtest.c: Add new test vectros.

2016-04-14  Justus Winter  <justus@g10code.com>

	src: Improve S-expression parsing.
	+ commit 491586bc7f7b9edc6b78331a77e653543983c9e4
	* src/sexp.c (do_vsexp_sscan): Return an error if a closing
	parenthesis is encountered with no matching opening parenthesis.

2016-04-14  Werner Koch  <wk@gnupg.org>

	cipher: Add constant for 8 bit CFB mode.
	+ commit 47c6a1f88eb763e9baa394e34d873b761abcebbe
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
	* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.

	tests: Add a new test for S-expressions.
	+ commit 88c6b98350193abbdcfb227754979b0c097ee09c
	* tests/t-sexp.c (compare_to_canon): New.
	(back_and_forth_one): Add another test.

2016-04-13  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix corner cases for X25519.
	+ commit 8472b71812e71c69d66e2fcc02a6e21b66755f8b
	* cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
	GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
	it's not an error, thus, let it return 0.
	(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
	X25519, not by the name of the curve.
	(ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead
	of aborting with log_fatal.  For X25519, it's not an error by its
	definition, but we deliberately let it return the error to detect
	looks-like-encrypted-message.
	* tests/t-cv25519.c: Add points to record the issue.

2016-04-12  Werner Koch  <wk@gnupg.org>

	cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
	+ commit b6d2a25a275a35ec4dbd53ecaa9ea0ed7aa99c7b
	* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
	aad_leftover and aad_nleftover to u_mode.ocb.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
	aad_nleftover.
	(_gcry_cipher_ocb_authenticate): Add buffering and facor some code out
	to ...
	(ocb_aad_finalize): new.
	(compute_tag_if_needed): Call new function.
	* tests/basic.c (check_ocb_cipher_splitaad): New.
	(check_ocb_cipher): Call new function.
	(main): Also call check_cipher_modes with --ciper-modes.

2016-04-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix X25519 computation on Curve25519.
	+ commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5
	* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
	PUBKEY_FLAG_DJB_TWEAK is enabled.
	(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
	* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

	ecc: Fix initialization of EC context.
	+ commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de
	* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
	(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize
	by _gcry_mpi_ec_p_internal_new should carry FLAGS.

2016-04-06  Werner Koch  <wk@gnupg.org>

	Allow building with configure option --enable-hmac-binary-check.
	+ commit 65c63144b66392f40b991684789b8b793248e3ba
	* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
	* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
	* src/hmac256.c (main): Add option --stdkey

2016-04-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Positive values in computation.
	+ commit 6f386ceae86a058e26294f744750f1ed2a95e604
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
	coefficients A and B are positive.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
	"P - T" instead of "-T", so that the result will be positive.
	(_gcry_ecc_eddsa_verify): Likewise.
	* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
	instead of _gcry_ecc_update_curve_param.
	* mpi/ec.c (ec_subm): Make sure the result will be positive.
	(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
	mpi_sub instead of mpi_neg.
	(add_points_edwards): Simply use ec_addm.
	* tests/t-mpi-point.c (test_curve): Define curves with positive
	coefficients.

2016-04-01  Werner Koch  <wk@gnupg.org>

	mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
	+ commit 862cf19a119427dd7ee7959a36c72d905f5ea5ca
	* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
	(mpi_fromstr): Check against this limit.
	(_gcry_mpi_scan): Ditto.
	* tests/mpitests.c (test_maxsize): New.
	(main): Cal that test.

2016-03-31  Werner Koch  <wk@gnupg.org>

	cipher: Remove specialized rmd160 functions.
	+ commit fcce0cb6e8af70b134c6ecc3f56afa07a7d31f27
	* cipher/rmd160.c: Replace rmd.h by hash-common.h.
	(RMD160_CONTEXT): Move from rmd.h to here.
	(_gcry_rmd160_init): Remove.
	(_gcry_rmd160_mixblock): Remove.
	(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
	* cipher/md.c: Remove rmd.h which was not actually used.
	* cipher/rmd.h: Remove.
	* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
	* configure.ac (USE_RMD160): Allow to build without RMD160.

	random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
	+ commit a9cbe2d1f6a517a831517da8bc1d29e3e0b2c0c0
	* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
	(_gcry_sha1_mixblock): New.
	* random/random-csprng.c: Include sha1.h instead of rmd.h.
	(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

	cipher: Move sha1 context definition to a separate file.
	+ commit 142a479a484cb4e84d0561be9b05b44dac9e6fe2
	* cipher/sha1.c: Replace hash-common.h by sha1.h.
	(SHA1_CONTEXT): Move to ...
	* cipher/sha1.h: new.  Always include all flags.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.

2016-03-29  Werner Koch  <wk@gnupg.org>

	tests: Fix buffer overflow in bench-slope.
	+ commit 48ee918400762281bec5b6fc218a9f0d119aac7c
	* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
	strncat.

2016-03-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: GCM: check that length of supplied tag is one of valid lengths.
	+ commit f2260e3a2e962ac80124ef938e54041bbea08561
	* cipher/cipher-gcm.c (is_tag_length_valid): New.
	(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
	* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
	valid tag lengths and negative test vectors with invalid lengths.

2016-03-24  Peter Wu  <peter@lekensteyn.nl>

	cipher: Fix memleaks in (self)tests.
	+ commit 4a064e2a06fe737f344d1dfd8a45cc4c2abbe4c9
	* cipher/dsa.c: Release memory for MPI and sexp structures.
	* cipher/ecc.c: Release memory for sexp structure.
	* tests/keygen.c: Likewise.

	Mark constant MPIs as non-leaked.
	+ commit 470a30db241a2d567739ef2adb2a2ee64992d8b4
	* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.

2016-03-23  Werner Koch  <wk@gnupg.org>

	Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
	+ commit fea5971488e049f902d7912df22a945bc755ad6d
	* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
	* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

	* tests/basic.c (_check_gcm_cipher): Check that new feature.
	(_check_poly1305_cipher): Ditto.
	(check_ccm_cipher): Ditto.
	(do_check_ocb_cipher): Ditto.
	(check_ctr_cipher): Add negative test for new feature.

	cipher: Avoid NULL-segv in GCM mode if a key has not been set.
	+ commit e709d86fe596a4bcf235799468947c13ae657d78
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
	has been initialized.
	(_gcry_cipher_gcm_decrypt): Ditto.
	(_gcry_cipher_gcm_authenticate): Ditto.
	(_gcry_cipher_gcm_initiv): Ditto.
	(_gcry_cipher_gcm_tag): Ditto.

	cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
	+ commit 7c9c82feecf94a455c66d9c38576f36c9c4b484c
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
	provided tag length matches the actual tag length.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for Poly1305.
	+ commit 6821e1bd94969106a70e3de17b86f6e6181f4e59
	* cipher/cipher-poly1305.c: copy a fixed length instead of the
	  user-supplied number.

2016-03-23  Werner Koch  <wk@gnupg.org>

	cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
	+ commit 15785bc9fb1787554bf371945ecb191830c15bfd
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
	tag length matches the actual tag length.  Avoid gratuitous return
	statements.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for GCM.
	+ commit d3d7bdf8215275b3b20690dfde3f43dbe25b6f85
	* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
	  number.

2016-03-22  Werner Koch  <wk@gnupg.org>

	tests: Add options --fips to keygen for manual tests.
	+ commit d328095dd4de83b839d9d8c4bdbeec0956971016
	(main): Add option --fips.
	* tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539
	because that is valid in FIPS mode.  Check that key generation fails
	for too short keys in FIPS mode.
	(check_ecc_keys): Check that key generation fails for Ed25519 keys in
	FIPS mode.

2016-03-22  Tomáš Mráz  <tmraz@redhat.com>

	rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
	+ commit 5f9b3c2e220ca6d0eaff32324a973ef67933a844
	* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
	* cipher/rsa.c (generate_fips): New.
	(rsa_generate): Use new function in fips mode or with test-parms.

	* tests/keygen.c (check_rsa_keys): Add test using e=65539.

2016-03-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARM NEON support detection on ARMv6 target.
	+ commit 583919d70763671ed9feeaa14e1f66379aff88cc
	* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
	instead of '.thumb'.

2016-03-18  Werner Koch  <wk@gnupg.org>

	Always require a 64 bit integer type.
	+ commit 897ccd21b7221982806b5c024518f4e989152f14
	* configure.ac (available_digests_64): Merge with available_digests.
	(available_kdfs_64): Merge with available_kdfs.
	<64 bit datatype test>: Bail out if no such type is available.
	* src/types.h: Emit #error if no u64 can be defined.
	(PROPERLY_ALIGNED_TYPE): Always add u64 type.
	* cipher/bithelp.h: Remove all code paths which handle the
	case of !HAVE_U64_TYPEDEF.
	* cipher/bufhelp.h: Ditto.
	* cipher/cipher-ccm.c: Ditto.
	* cipher/cipher-gcm.c: Ditto.
	* cipher/cipher-internal.h: Ditto.
	* cipher/cipher.c: Ditto.
	* cipher/hash-common.h: Ditto.
	* cipher/md.c: Ditto.
	* cipher/poly1305.c: Ditto.
	* cipher/scrypt.c: Ditto.
	* cipher/tiger.c: Ditto.
	* src/g10lib.h: Ditto.
	* tests/basic.c: Ditto.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	tests: Fix testsuite after the FIPS adjustments.
	+ commit 9ecc2690181ba0bb44f66451a7dce2fc19965793
	* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
	* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
	* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
	(check_ecc_keys): Skip Ed25519 in FIPS mode.
	* tests/random.c (main): Don't switch DRBG in FIPS mode.
	* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
	* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
	* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
	(main): Skip math tests that use P-192 and Ed25519 in FIPS.

	tests: Add new --pss option to fipsdrv.
	+ commit 1a02d741cacc3b57fe3d6ffebd794d53a60c9e97
	* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
	to 0 for PSS.

	cipher: Add option to specify salt length for PSS verification.
	+ commit 0bd8137e68c201b6c2290710e348aaf57efa2b2e
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
	salt-length token.

	tests: Add support for RSA keygen tests to fipsdrv.
	+ commit 2e139456369a834cf87d983da4f61241fda76efe
	* tests/fipsdrv.c (run_rsa_keygen): New.
	(main): Support RSA keygen and RSA keygen KAT tests.

	tests: Fixes for RSA testsuite in FIPS mode.
	+ commit c690230af5a66b809f8f6fbab1a6262a5ba078cb
	* tests/basic.c (get_keys_new): Generate 2048 bit key.
	* tests/benchmark.c (rsa_bench): Skip keys of lengths different
	than 2048 and 3072 in FIPS mode.
	* tests/keygen.c (check_rsa_keys): Failure if short keys can be
	generated in FIPS mode.
	(check_dsa_keys): Ditto for DSA keys.
	* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.

	rsa: Use 2048 bit RSA keys for selftest.
	+ commit 78cec8b4754fdf774edb2d575000cb3e972e244c
	* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
	(selftest_encr_1024): Replaced by selftest_encr_2048.
	(selftest_sign_1024): Replaced by selftest_sign_2048.
	(selftest_encr_2048): Add check against known ciphertext.
	(selftest_sign_2048): Add check against known signature.
	(selftest_sign_2048): Free SIG_MPI.
	* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.

	Disable non-allowed algorithms in FIPS mode.
	+ commit ce1cbe16992a7340edcf8e6576973e3508267640
	* cipher/cipher.c (_gcry_cipher_init),
	* cipher/mac.c (_gcry_mac_init),
	* cipher/md.c (_gcry_md_init),
	* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
	non-allowed ciphers.
	* cipher/md5.c: Mark MD5 as not allowed in FIPS.
	* src/g10lib.h (_gcry_mac_init): New.
	* src/global.c (global_init): Call the new _gcry_mac_init.
	* tests/basic.c (check_ciphers): Fix a typo.

2016-03-18  Werner Koch  <wk@gnupg.org>

	kdf: Make PBKDF2 check work on all platforms.
	+ commit c478cf175887c84dc071c4f73a7667603b354789
	* cipher/kdf.c (_gcry_kdf_pkdf2): Chnage DKLEN to unsigned long.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	kdf: Add upper bound for derived key length in PBKDF2.
	+ commit 0f741b0704bac5c0e2d2a0c2b34b44b35baa76d6
	* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.

	ecc: ECDSA adjustments for FIPS 186-4.
	+ commit a242e3d9185e6e2dc13902ea9331131755bbba01
	* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
	* cipher/ecc.c: Add ECDSA self test.
	* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
	in FIPS mode.
	* tests/fipsdrv.c: Add support for ECDSA signatures.

2016-03-18  Werner Koch  <wk@gnupg.org>

	dsa: Make regression tests work.
	+ commit e40939b2141306238cc30a340b867b60fa4dc2a3
	* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
	(ogenerate_fips186): Make it work with use-fips183-2 flag.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
	standard comment out format.
	* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy fucntion.
	(main): Call it.
	(main): Compare against current version.
	* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
	(get_dsa_key_fips186_with_seed_new): Ditto.
	(get_dsa_key_fips186_with_domain_new): Comment out.
	(check_run): Do not call that function.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	dsa: Adjustments to conform with FIPS 186-4.
	+ commit 80e9f95e6f419daa765e4876c858e3e36e808897
	* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
	  buflen passed to _gcry_mpi_scan.

2016-03-16  Justus Winter  <justus@g10code.com>

	Update documentation for 'gcry_sexp_extract_param'.
	+ commit 4051fe7fec6ffdc7a2f5c3856665478866991ee7
	* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
	must be set to NULL first, and document how the function behaves in
	case of errors.
	* src/sexp.c (_gcry_sexp_extract_param): Likewise.
	* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
	'_gcry_sexp_extract_param'.

	cipher: Update comment.
	+ commit fcf4358a7a7ba8d32bf385ea99ced5f47cbd3ae2
	* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
	that a curve parameter can be given.

2016-03-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel PCLMUL implementations of CRC algorithms.
	+ commit 5d601dd57fcb41aa2015ab655fd6fc51537da667
	* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
	* cipher/crc-intel-pclmul.c: New.
	* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
	(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
	[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
	(gcry_crc24rfc2440_intel_pclmul): New.
	(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
	[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
	HW features detected.
	(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
	implementation if enabled.
	(crc24_init): Document storage format of 24-bit CRC.
	(crc24_next4): Use only 'data' for last table look-up.
	* configure.ac: Add 'crc-intel-pclmul.lo'.
	* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
	Intel SSE4.1.
	* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
	* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
	* tests/basic.c (fillbuf_count): New.
	(check_one_md): Add "?" check (million byte data-set with byte pattern
	0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
	checks.
	(check_one_md_multi): Skip "?".
	(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
	SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
	CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
	test-vectors for CRC32_RFC1510 and CRC24_RFC2440.

2016-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Normalize EXPO for mpi_powm.
	+ commit fdfa5bfefdde316688a3c8021bd3528c5273b0f4
	* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

2016-02-22  Andreas Metzler  <ametzler@bebt.de>

	Do not ship generated header file in tarball.
	+ commit 2b40a16333fa75f1cee85ab901a5aa9cff845a92
	* src/Makefile.am: Move gcrypt.h from include_HEADERS to
	  nodist_include_HEADERS to prevent inclusion in release tarball.
	  This could break out-of-tree-builds because the potentially outdated
	  src/gcrypt.h was not updated but was in the compiler search path.

2016-02-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building random-drbg for Win32/64.
	+ commit 531b25aa94c58f6d2168a9537c8cea6c53d7bbe0
	* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
	(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
	(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
	(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
	(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
	(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
	'drbg_read_cb' and 'len'.

2016-02-20  Werner Koch  <wk@gnupg.org>

	tests: Do not test DRBG_REINIT from "make check"
	+ commit 839d12c221430b60db5e0d6fbb107f22e0a6837f
	* tests/random.c (main): Run check_drbg_reinit only if the envvar
	GCRYPT_IN_REGRESSION_TEST is set.

	doc: Fix possible dependency problem.
	+ commit 3b57e5a1ba68e26dcaea38b763287fddba9b6b7c
	* doc/Makefile.am (gcrypt.texi): Use the right traget.

2016-02-19  Stephan Mueller  <smueller@chronox.de>

	random: Remove ANSI X9.31 DRNG.
	+ commit e9b692d25d1c149b5417b70e18f2ce173bc25b6d
	* random-fips.c: Remove.

2016-02-19  Werner Koch  <wk@gnupg.org>

	random: Add a test case for DRBG_REINIT.
	+ commit 934ba2ae5a95a96fdbb3b935b51ba43df66f11df
	* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
	* tests/random.c (check_drbg_reinit): New.
	(main): Call new test.

	random: Allow DRBG_REINIT before initialization.
	+ commit 7cdbd6e6a3cf1ee366b981e148d41b1187a6fdcf
	* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
	(_drbg_init_internal): Set the default type if no type has been set
	before.
	(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.

	Add new private header gcrypt-testapi.h.
	+ commit 744b030cff61fd25114b0b25394c62782c153343
	* src/gcrypt-testapi.h: New.
	* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
	* random/random.h: Include gcrypt-testapi.h.
	(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
	* src/global.c: Include gcrypt-testapi.h.
	(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
	* cipher/cipher.c: Include gcrypt-testapi.h.
	(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
	* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
	PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
	constants.
	* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
	PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

	* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
	(_gcry_rngdrbg_cavs_test): this.
	(gcry_rngdrbg_healthcheck_one): Rename to ...
	(_gcry_rngdrbg_healthcheck_one): this.

	random: Make the DRBG C-90 clean and use a flag string.
	+ commit 95f1db3affb9f5b8a2c814c211d4a02b30446c15
	* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
	"flagstr" and turn it into a string.
	* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
	designated initializers.  Use a string for the flags.
	(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
	(drbg_healthcheck_sanity): Ditto.

	random: Symbol name cleanup for random-drbg.c.
	+ commit 85ed07790552297586258e8fe09b546eee357a8b
	* random/random-drbg.c: Rename all static objects and macros from
	"gcry_drbg" to "drbg".
	(drbg_string_t): New typedef.
	(drbg_gen_t): New typedef.
	(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
	this.
	(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
	that an error if actually returned.
	(gcry_rngdrbg_cavs_test): Ditto.
	(gcry_drbg_healthcheck_sanity): Ditto.

	random: Use our symbol name pattern also for drbg functions.
	+ commit 7cf3c929331133e4381dbceac53d3addd921c929
	* random/random-drbg.c: Rename global functions from _gcry_drbg_*
	to _gcry_rngdrbg_*.
	* random/random.c: Adjust for this change.
	* src/global.c: Ditto.

	random: Rename drbg.c to random-drbg.c.
	+ commit e49b3f2c10e012509b5930c0df4d6df378d3b9f4
	* random/drbg.c: Rename to ...
	* random/random-drbg.c: this.
	* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.

	random: Remove the new API introduced by the new DRBG.
	+ commit dfac2b13d0068b2b1b420d77e9771a49964b81c1
	* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
	(struct gcry_drbg_string): Ditto.
	(gcry_drbg_string_fill): Ditto.
	(gcry_randomize_drbg): Remove.
	* random/drbg.c (parse_flag_string): New.
	(_gcry_drbg_reinit): Change the way the arguments are passed.
	* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
	convention.

	Add helper function _gcry_strtokenize.
	+ commit 4e134b6e77f558730ec1eceb6b816b0bcfd845e9
	* src/misc.c (_gcry_strtokenize): New.

2016-02-18  Werner Koch  <wk@gnupg.org>

	random: Remove DRBG constants from the public API.
	+ commit fd13372fa9069d3a72947ea59c57e33637c936bf
	* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
	* random/drbg.c: here.

2016-02-18  Stephan Mueller  <smueller@chronox.de>

	random: Add SP800-90A DRBG.
	+ commit ed57fed6de1465e02ec5e3bc0affeabdd35e2eb7
	* random/drbg.c: New.
	* random/random.c (_gcry_random_initialize): Replace rngfips init by
	drbg init.
	(__gcry_random_close_fds): Likewise.
	(_gcry_random_dump_stats): Likewise.
	(_gcry_random_is_faked): Likewise.
	(do_randomize): Likewise.
	(_gcry_random_selftest): Likewise.
	(_gcry_create_nonce): Replace rngfips_create_noce by drbg_randomize.
	(_gcry_random_init_external_test): Remove.
	(_gcry_random_run_external_test): Remove.
	(_gcry_random_deinit_external_test): Remove.
	* random/random.h (struct gcry_drbg_test_vector): New.
	* src/gcrypt.h.in (struct gcry_drbg_gen): New.
	(struct gcry_drbg_string): New.
	(gcry_drbg_string_fill): New.
	(gcry_randomize_drbg): New.
	(GCRY_DRBG_): Lots of new macros.
	* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
	a nop.
	(_gcry_vcontrol) <Deinit external random test>: Ditto.
	(_gcry_vcontrol) <Run external random test>: Change.
	(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.

2016-02-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bufhelp: disable unaligned memory accesses on powerpc.
	+ commit 1da793d089b65ac8c1ead65dacb6b8699f5b6e69
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
	__powerpc__ and __powerpc64__.

2016-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Not validate input point for Curve25519.
	+ commit 7a019bc7ecdbdfdef51094e090ce95e062da9b64
	* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.

2016-02-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix memory leaks on error.
	+ commit b12dd550fd6af687ef95c584d0d8366c34965cc8
	* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.

2016-02-09  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: input validation on ECDH.
	+ commit 23b72901f8a5ba9a78485b235c7a917fbc8faae0
	* cipher/ecc.c (ecc_decrypt_raw): Validate the point.

2016-02-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARM assembly implementation of SHA-512.
	+ commit 8353884bc65c820d5bcacaf1ac23cdee72091a09
	* cipher/Makefile.am: Add 'sha512-arm.S'.
	* cipher/sha512-arm.S: New.
	* cipher/sha512.c (USE_ARM_ASM): New.
	(_gcry_sha512_transform_arm): New.
	(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
	generic.
	* configure.ac: Add 'sha512-arm.lo'.

2016-02-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add a test for Curve25519.
	+ commit b8b3361504950689ef1e779fb3357cecf8a9f739
	* tests/Makefile.am (tests_bin): Add t-cv25519.
	* tests/t-cv25519.c: New.

2016-02-02  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Curve25519 for data by older implementation.
	+ commit 6cb6df9dddac6ad246002b83c2ce0aaa0ecf30e5
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
	short length data.

	ecc: more fix of Curve25519.
	+ commit 48ba5a50066611ecacea850ced13f5cb66097a81
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
	prefix.  Clear the MSB, according to RFC7748.

	ecc: Fix ECDH of Curve25519.
	+ commit a2f9afcd7fcdafd5951498b07f34957f9766dce9
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
	and prefix detection.
	* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
	(ecc_encrypt_raw): Use NBITS from curve instead of from P.
	Fix rawmpilen calculation.
	(ecc_decrypt_raw): Likewise.  Add debug output.

2016-01-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of generic SHA256 implementation.
	+ commit f3e51161036382429c3491c7c881f36c0a653c7b
	* cipher/sha256.c (R): Let caller do variable shuffling.
	(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
	(W, I): New.
	(transform_blk): Unroll round loop; inline message expansion to rounds
	to make message expansion buffer smaller.

2016-01-28  Werner Koch  <wk@gnupg.org>

	ecc: New API function gcry_mpi_ec_decode_point.
	+ commit 2cf2ca7bb9741ac86e8aa92d8f03b1c5f5938897
	* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
	* cipher/ecc-common.h: Move two prototypes to ...
	* src/ec-context.h: here.
	* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
	* src/visibility.c (gcry_mpi_ec_decode_point): New.
	* src/visibility.h: Add new function.

2016-01-15  Werner Koch  <wk@gnupg.org>

	Fix build problem for rndegd.c.
	+ commit 191c2e4fe2dc0e00f61aa44e011a9596887e6ce1
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
	* random/rndegd.c (_gcry_rndegd_connect_socket)
	(my_make_filename): Use functions with '_' prefix.

	random: Fix possible AIX problem with sysconf in rndunix.
	+ commit 6303b0e83856ee89374b447e710f0ab2af61caec
	* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
	(start_gatherer): Detect misbehaving sysconf.

2015-12-27  Werner Koch  <wk@gnupg.org>

	random: Take at max 25% from RDRAND.
	+ commit 5a78e7f15e0dd96a8bf64e2bb142880bf8ea6965
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
	RDRAND from 50% to 25%.

2015-12-07  Justus Winter  <justus@g10code.com>

	cipher: Improve error handling.
	+ commit b9c02fbeb7efb7d0593b33485fb30c298291cf80
	* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.

	cipher: Initialize 'flags'.
	+ commit ca06cd7f77acb317c2649c58918908f043dfe6bd
	* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.

2015-12-05  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: CHANGE point representation of Curve25519.
	+ commit dd3d06e7f113cf7608f060ceb043262efd0b0c9d
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
	the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
	by MPI normalization.
	* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
	Always add the prefix 0x40.

2015-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: fix alignment of self-test context.
	+ commit 6fadbcd088e2af3e48407b95d8d0c2a8b7ad6c38
	* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
	context structure.

	salsa20: fix alignment of self-test context.
	+ commit 2cba0dbda462237f55438d4199eccd10c5e3f6ca
	* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
	context structure.

2015-12-02  Justus Winter  <justus@g10code.com>

	random: Drop fake entropy gathering function.
	+ commit d421ac283ec46d0ecaf6278ba4c24843f65fb2fa
	* random/random-csprng.c (faked_rng): Drop variable.
	(gather_faked): Drop prototype and function.
	(initialize): Drop fallback code.
	(_gcry_rngcsprng_is_faked): Change accordingly.

	random: Fix selection of entropy gathering function.
	+ commit 468a5796ffb1a7776db4004d534376c1b981d740
	* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
	usable entropy gathering function is found.  The callsite then
	installs the fake gather function.

2015-11-26  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: minor improvement of point multiplication.
	+ commit 3658afd09c3b03b4398aaa5748387220c93b1a94
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.

2015-11-25  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Constant-time multiplication for Weierstrass curve.
	+ commit 88e1358962e902ff1cbec8d53ba3eee46407851a
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
	method for Weierstrass curve when SCALAR is secure.

	mpi: fix gcry_mpi_swap_cond.
	+ commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f
	* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.

	mpi: Fix mpi_set_cond and mpi_swap_cond .
	+ commit 8ad682c412047d3b9196950709dbd7bd14ac8732
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
	the operator of !!, but assume SET/SWAP is 0 or 1.

	ecc: multiplication of Edwards curve to be constant-time.
	+ commit 295b1c3540752af4fc5e6f41480e6db215222fba
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.

	ecc: Add point_resize and point_swap_cond.
	+ commit b6015176df6bfae107ac82f9baa29ef2c175c9f9
	* mpi/ec.c (point_resize, point_swap_cond): New.
	(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.

2015-11-18  Justus Winter  <justus@g10code.com>

	cipher: Fix error handling.
	+ commit 940dc8adc034a6c6c38742f6bfd7d837a532d537
	* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.

2015-11-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tweak Keccak for small speed-up.
	+ commit 6571a64331839d7d952292163afbf34c8bef62e0
	* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
	rounds with round constant pointer instead of separate round counter.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
	(KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
	absorb loops.

	Update license information for CRC.
	+ commit 15ea0acf8bb0aa307eccc23024a0bd7878fb8080
	* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
	for 'cipher/crc.c' as result of rewrite of CRC implementations.

2015-11-17  Justus Winter  <justus@g10code.com>

	Fix typos found using codespell.
	+ commit 0e395944b70c7a92a6437f6bcc14f287c19ce9de
	* cipher/cipher-ocb.c: Fix typos.
	* cipher/des.c: Likewise.
	* cipher/dsa-common.c: Likewise.
	* cipher/ecc.c: Likewise.
	* cipher/pubkey.c: Likewise.
	* cipher/rsa-common.c: Likewise.
	* cipher/scrypt.c: Likewise.
	* random/random-csprng.c: Likewise.
	* random/random-fips.c: Likewise.
	* random/rndw32.c: Likewise.
	* src/cipher-proto.h: Likewise.
	* src/context.c: Likewise.
	* src/fips.c: Likewise.
	* src/gcrypt.h.in: Likewise.
	* src/global.c: Likewise.
	* src/sexp.c: Likewise.
	* tests/mpitests.c: Likewise.
	* tests/t-lock.c: Likewise.

2015-11-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of Tiger hash algorithms.
	+ commit 89fa74d6b3e58cd4fcd6e0939a35e46cbaca2ea0
	* cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
	to macros.
	(transform_blk): Pass variable names instead of pointers to 'pass'.

	Add ARMv7/NEON implementation of Keccak.
	+ commit a1cc7bb15473a2419b24ecac765ae0ce5989a13b
	* cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
	* cipher/keccak-armv7-neon.S: New.
	* cipher/keccak.c (USE_64BIT_ARM_NEON): New.
	(NEED_COMMON64): Select if USE_64BIT_ARM_NEON.
	[NEED_COMMON64] (round_consts_64bit): Rename to...
	[NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add
	terminator at end.
	[USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon)
	(_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon)
	(keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New.
	(keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation
	if supported by HW.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update
	to use new round constant table.
	* configure.ac: Add 'keccak-armv7-neon.lo'.

	Optimize Keccak 64-bit absorb functions.
	+ commit 2857cb89c6dc1c02266600bc1fd2967a3cd5cf88
	* cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	* cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	[USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT] (keccak_absorb_lanes64): Remove.
	[USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove.
	[USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New.

2015-10-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable CRC test vectors with zero bytes.
	+ commit 07e4839e75a7bca3a6c0a94aecfe75efe61d7ff2
	* tests/basic.c (check_digests): Enable CRC test-vectors with zero
	bytes.

	Keccak: Add SHAKE Extendable-Output Functions.
	+ commit c0b9eee2d93a13930244f9ce0c14ed6b4aeb6c29
	* src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
	XOFs.
	* src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
	and add 'pos' argument.
	(KECCAK_CONTEXT): Add 'suffix'.
	(keccak_extract_inplace64): Rename to...
	(keccak_extract64): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi): Rename to...
	(keccak_extract32bi): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace64): Rename to...
	(keccak_extract64): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi_bmi2): Rename to...
	(keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument.
	(keccak_init): Setup 'suffix'; add SHAKE128 & SHAKE256.
	(shake128_init, shake256_init): New.
	(keccak_final): Do not initial permute for SHAKE output; use correct
	suffix for SHAKE.
	(keccak_extract): New.
	(keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors.
	(run_selftests): Add SHAKE128 & SHAKE256.
	(shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256)
	(_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New.
	* cipher/md.c (digest_list): Add SHAKE128 & SHAKE256.
	* doc/gcrypt.texi: Ditto.
	* src/cipher.h (_gcry_digest_spec_shake128)
	(_gcry_digest_spec_shake256): New.
	* src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New.
	* tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument.
	(check_one_md_multi): Skip if algo is XOF.
	(check_digests): Add SHAKE128 & SHAKE256 test vectors.
	* tests/bench-slope.c (kdf_bench_one): Skip XOFs.

	Few updates to documentation.
	+ commit 28de6f9e16e386018e81a9cdaee596be7616ccab
	* doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature
	flag; Add mention of x86 RDRAND support in rndhw.

	Add HMAC-SHA3 test vectors.
	+ commit 92ad19873562cfce7bcc4a0b5aed8195d8284cfc
	* tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.

2015-10-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	md: add variable length output interface.
	+ commit 577dc2b63ceca6a8a716256d034ea4e7414f65fa
	* cipher/crc.c (_gcry_digest_spec_crc32)
	(_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
	'extract' NULL.
	* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94)
	(_gcry_digest_spec_gost3411_cp): Ditto.
	* cipher/keccak.c (_gcry_digest_spec_sha3_224)
	(_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384)
	(_gcry_digest_spec_sha3_512): Ditto.
	* cipher/md2.c (_gcry_digest_spec_md2): Ditto.
	* cipher/md4.c (_gcry_digest_spec_md4): Ditto.
	* cipher/md5.c (_gcry_digest_spec_md5): Ditto.
	* cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Ditto.
	* cipher/sha256.c (_gcry_digest_spec_sha224)
	(_gcry_digest_spec_sha256): Ditto.
	* cipher/sha512.c (_gcry_digest_spec_sha384)
	(_gcry_digest_spec_sha512): Ditto.
	* cipher/stribog.c (_gcry_digest_spec_stribog_256)
	(_gcry_digest_spec_stribog_512): Ditto.
	* cipher/tiger.c (_gcry_digest_spec_tiger)
	(_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto.
	* cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto.
	* cipher/md.c (md_enable): Do not allow combination of HMAC and
	'expandable-output function'.
	(md_final): Check if spec->read is NULL before calling.
	(md_read): Ditto.
	(md_extract, _gcry_md_extract): New.
	* doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract.
	* src/cipher-proto.h (gcry_md_extract_t): New.
	(gcry_md_spec_t): Add 'extract'.
	* src/gcrypt-int.g (_gcry_md_extract): New.
	* src/gcrypt.h.in (gcry_md_extract): New.
	* src/libgcrypt.def: Add gcry_md_extract.
	* src/libgcrypt.vers: Add gcry_md_extract.
	* src/visibility.c (gcry_md_extract): New.
	* src/visibility.h (gcry_md_extract): New.

	md: check hmac flag in prepare_macpads.
	+ commit cee2e122ec6c1886957a8d47498eb63a6a921725
	* cipher/md.c (prepare_macpads): Check hmac flag.

	keccak: rewrite for improved performance.
	+ commit 74184c28fbe7ff58cf57f0094ef957d94045da7d
	* cipher/Makefile.am: Add 'keccak_permute_32.h' and
	'keccak_permute_64.h'.
	* cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
	* cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2)
	(USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI)
	(keccak_ops_t): New.
	(KECCAK_STATE): Add 'state64' and 'state32bi' members.
	(KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'.
	(rol64, keccak_f1600_state_permute): Remove.
	[NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New.
	[NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi)
	(keccak_absorb_lane32bi): New.
	[USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64)
	(keccak_absorb_lanes64, keccak_generic64_ops): New.
	[USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld)
	(keccak_absorb_lanes64_shld, keccak_shld_64_ops): New.
	[USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2)
	(keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New.
	[USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi)
	(keccak_absorb_lanes32bi, keccak_generic32bi_ops): New.
	[USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2)
	(pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2)
	(keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New.
	(keccak_write): New.
	(keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation
	selection based on HWF features.
	(keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops'
	for state manipulation.
	(keccak_read): Adjust to KECCAK_CONTEXT changes.
	(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
	(_gcry_digest_spec_sha3_348, _gcry_digest_spec_sha3_512): Use
	'keccak_write' instead of '_gcry_md_block_write'.
	* cipher/keccak_permute_32.h: New.
	* cipher/keccak_permute_64.h: New.

	hwf-x86: add detection for Intel CPUs with fast SHLD instruction.
	+ commit 909644ef5883927262366c356eed530e55aba478
	* cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
	HWF_INTEL_CPU.
	* cipher/sha256.c (sha256_init, sha224_init): Ditto.
	* cipher/sha512.c (sha512_init, sha384_init): Ditto.
	* src/g10lib.h (HWF_INTEL_FAST_SHLD): New.
	(HWF_INTEL_BMI2, HWF_INTEL_SSSE3, HWF_INTEL_PCLMUL, HWF_INTEL_AESNI)
	(HWF_INTEL_RDRAND, HWF_INTEL_AVX, HWF_INTEL_AVX2)
	(HWF_ARM_NEON): Update.
	* src/hwf-x86.c (detect_x86_gnuc): Add detection of Intel Core
	CPUs with fast SHLD/SHRD instruction.
	* src/hwfeatures.c (hwflist): Add "intel-fast-shld".

	Fix OCB amd64 assembly implementations for x32.
	+ commit 16fd540f4d01eb6dc23d9509ae549353617c7a67
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
	(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
	(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
	(_gcry_camellia_aesni_avx2_ocb_auth, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Change 'Ls' from pointer array to u64 array.
	* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
	(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
	(_gcry_serpent_avx2_ocb_enc, _gcry_serpent_avx2_ocb_dec)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Ditto.
	* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
	(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth)
	(twofish_amd64_ocb_enc, twofish_amd64_ocb_dec, twofish_amd64_ocb_auth)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto.

	bench-slope: add KDF/PBKDF2 benchmark.
	+ commit ae40af427fd2a856b24ec2a41323ec8b80ffc9c0
	* tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free)
	(bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New.
	(print_help): Add 'kdf'.
	(main): Add KDF benchmarks.

2015-10-22  NIIBE Yutaka  <gniibe@fsij.org>

	md: keep contexts for HMAC in GcryDigestEntry.
	+ commit f7505b550dd591e33d3a3fab9277c43c460f1bad
	* cipher/md.c (struct gcry_md_context): Add flags.hmac.
	Remove macpads and mcpads_Bsize.
	(md_open): Initialize flags.hmac.  Remove macpads initialization.
	(md_enable): Allocate contexts when flags.hmac is enabled.
	(md_copy): Remove macpads copying.  Add copying contexts.
	(_gcry_md_reset): When flags.hmac is enabled, restore precomputed
	context with input pad
	(md_close): Remove macpads wiping.
	(md_final): When flags.hmac is enabled, compute hmac by precomputed
	context with output pad.
	(prepare_macpads): Prepare precomputed contexts with input pad and
	output pad for each registered digest entry.
	(_gcry_md_setkey): Just call prepare_macpads.

2015-10-15  NIIBE Yutaka  <gniibe@fsij.org>

	Fix double free on error.
	+ commit 1c6d2698a84e4bf82735287c1d64954bfc1a1982
	* src/hmac256.c (_gcry_hmac256_finalize): Don't free HD.

2015-10-14  NIIBE Yutaka  <gniibe@fsij.org>

	Fix gpg_error_t and gpg_err_code_t confusion.
	+ commit 813565a07ca575c87e1252c6ed26018653ecd338
	* src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change.
	* cipher/dsa.c (dsa_check_secret_key): Ditto.
	* src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t.

	* src/gcrypt-int.h (_gcry_err_make_from_errno)
	(_gcry_error_from_errno): Return gpg_error_t.
	* cipher/cipher.c (_gcry_cipher_open_internal)
	(_gcry_cipher_ctl, _gcry_cipher_ctl): Don't use gcry_error.
	* src/global.c (_gcry_vcontrol): Likewise.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Use
	 gpg_err_code_from_syserror.
	* cipher/mac.c (mac_reset, mac_setkey, mac_setiv, mac_write)
	(mac_read, mac_verify): Return gcry_err_code_t.
	* cipher/rsa-common.c (mgf1): Use gcry_err_code_t for ERR.
	* src/visibility.c (gcry_error_from_errno): Return gpg_error_t.

2015-10-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix compiling AES/AES-NI implementation on linux-i386.
	+ commit fa94b6111948a614ebdcb67f7942eced8b84c579
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Split assembly block in
	two parts to reduce number of register constraints needed.

2015-10-13  NIIBE Yutaka  <gniibe@fsij.org>

	Fix declaration of return type.
	+ commit 73374fdd27c7ba28b19f9672c68a6f5b72252fe5
	* src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t.
	* cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param.
	* src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t.
	* src/visibility.c (gcry_mpi_snatch): Fix call to _gcry_mpi_snatch.

2015-09-07  Werner Koch  <wk@gnupg.org>

	Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
	+ commit 3a3d5410cc83f7069c7cb1ab384905f382292d32
	* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
	functions if NO_PRIV_DROP is set.

2015-09-04  Werner Koch  <wk@gnupg.org>

	w32: Avoid a few compiler warnings.
	+ commit e97c62a4a687b56d00a2d0a63e072a977f8eb81c
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
	as unused.
	* random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch
	warning.
	* src/secmem.c (init_pool): Avoid unused variable warning.
	* tests/random.c (writen, readn): Include on if needed.

	w32: Fix alignment problem with AESNI on Windows >= 8.
	+ commit e2785a2268702312529521df3bd2f4e6b43cea3a
	* cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New.
	* cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
	(selftest_basic_256): Allocate context on the heap.

2015-08-31  Werner Koch  <wk@gnupg.org>

	rsa: Add verify after sign to avoid Lenstra's CRT attack.
	+ commit c17f84bd02d7ee93845e92e20f6ddba814961588
	* cipher/rsa.c (rsa_sign): Check the CRT.

	Add pubkey algo id for EdDSA.
	+ commit dd87639abd38afc91a6f27af33f0ba17402ad02d
	* src/gcrypt.h.in (GCRY_PK_EDDSA): New.

2015-08-25  Werner Koch  <wk@gnupg.org>

	Add configure option --enable-build-timestamp.
	+ commit a785cc3db0c4e8eb8ebbf784b833a40d2c42ec3e
	* configure.ac (BUILD_TIMESTAMP): Set to "<none>" by default.

2015-08-23  Werner Koch  <wk@gnupg.org>

	tests: Add missing files for the make distcheck target.
	+ commit fb3cb47b0a29d3e73150297aa4495c20915e4a75
	* tests/Makefile.am (EXTRA_DIST): Add sha3-x test vector files.

2015-08-19  Werner Koch  <wk@gnupg.org>

	Change SHA-3 algorithm ids.
	+ commit 65639ecaaeba642e40487446c40d045482001285
	* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
	(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values.

2015-08-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Keccak: Fix array indexes in θ step.
	+ commit 48822ae0b436bcea0fe92dbf0d88475ba3179320
	* cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5].

	Simplify OCB offset calculation for parallel implementations.
	+ commit 24ebf53f1e8a8afa27dcd768339bda70a740bb03
	* cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of
	just if 'blkn % <parallel blocks> == 0'.
	* cipher/serpent.c (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth): Ditto.
	* cipher/rijndael-aesni.c (get_l): Remove low-bit checks.
	(aes_ocb_enc, aes_ocb_dec, _gcry_aes_aesni_ocb_auth): Handle leading
	blocks until block counter is multiple of 4, so that parallel block
	processing loop can use 'c->u_mode.ocb.L' array directly.
	* tests/basic.c (check_ocb_cipher_largebuf): Rename to...
	(check_ocb_cipher_largebuf_split): ...this and add option to process
	large buffer as two split buffers.
	(check_ocb_cipher_largebuf): New.

	Add carryless 8-bit addition fast-path for AES-NI CTR mode.
	+ commit e11895da1f4af9782d89e92ba2e6b1a63235b54b
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using
	CTR in big-endian form, if least-significant byte does not overflow.

2015-08-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add additional SHA3 test-vectors.
	+ commit 80321eb3a63a20f86734d6eebb3f419c0ec895aa
	* tests/basic.c (check_digests): Allow datalen to be specified so that
	input data can have byte with value 0x00; Include sha3-*.h header files
	to test-vector structure.
	* tests/sha3-224.h: New.
	* tests/sha3-256.h: New.
	* tests/sha3-384.h: New.
	* tests/sha3-512.h: New.

	Add generic SHA3 implementation.
	+ commit 434ba17d1d5ad59c70d721ad3ecb376c2403a7e5
	* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize
	USE_SHA3 enabled.
	* cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New.
	(KECCAK_STATE): Add proper state.
	(KECCAK_CONTEXT): Add 'outlen'.
	(rol64, keccak_f1600_state_permute, transform_blk, transform): New.
	(keccak_init): Add proper initialization.
	(keccak_final): Add proper finalization.
	(selftests_keccak): Add selftests.
	(oid_spec_sha3_224, oid_spec_sha3_256, oid_spec_sha3_384)
	(oid_spec_sha3_512): Add OID.
	(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
	(_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Fix output
	length.
	* cipher/mac-hmac.c (map_mac_algo_to_md): Fix mapping for SHA3-512.
	(hmac_get_keylen): Return proper blocksizes for SHA3 algorithms.
	[USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
	(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
	(_gcry_mac_type_spec_hmac_sha3_512): New.
	* cipher/mac-internal [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
	(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
	(_gcry_mac_type_spec_hmac_sha3_512): New.
	* cipher/mac.c (mac_list) [USE_SHA3]: Add SHA3 algorithms.
	* cipher/md.c (md_open): Use proper SHA-3 blocksizes for HMAC macpads.
	* tests/basic.c (check_digests): Add SHA3 test vectors.

	Optimize OCB offset calculation.
	+ commit 49f52c67fb42c0656c8f9af655087f444562ca82
	* cipher/cipher-internal.h (ocb_get_l): New.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
	(ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
	* cipher/camellia-glue.c (get_l): Remove.
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Precalculate
	offset array when block count matches parallel operation size; Use
	'ocb_get_l' instead of 'get_l'.
	* cipher/rijndael-aesni.c (get_l): Add fast path for 75% most common
	offsets.
	(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Precalculate
	offset array when block count matches parallel operation size.
	* cipher/rijndael-ssse3-amd64.c (get_l): Add fast path for 75% most
	common offsets.
	* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Use
	'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
	* cipher/serpent.c (get_l): Remove.
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Precalculate
	offset array when block count matches parallel operation size; Use
	'ocb_get_l' instead of 'get_l'.
	* cipher/twofish.c (get_l): Remove.
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Use 'ocb_get_l'
	instead of 'get_l'.

2015-08-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: fix Montgomery curve bugs.
	+ commit ce746936b6c210e602d106cfbf45cf60b408d871
	* cipher/ecc.c (check_secret_key): Y1 should not be NULL when check.
	(ecc_check_secret_key): Support Montgomery curve.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition.

2015-08-08  Werner Koch  <wk@gnupg.org>

	Add framework to eventually support SHA3.
	+ commit 0e17f7a05bba309a87811992aa47a77af9935b99
	* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
	(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
	(GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
	(GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New.
	* cipher/keccak.c: New with stub functions.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c.
	* configure.ac (available_digests): Add sha3.
	(USE_SHA3): New.
	* src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests.
	* cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos.
	(md_open): Ditto for hmac processing.
	* cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping.
	* cipher/hmac-tests.c (run_selftests): Prepare for tests.
	* cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx".

2015-08-06  Werner Koch  <wk@gnupg.org>

	tools: Fix memory leak for functions "I" and "G".
	+ commit 10789e3cdda7b944acb4b59624c34a2ccfaea6e5
	* src/mpicalc.c (do_inv, do_gcd): Init A after stack check.

2015-08-06  Ismo Puustinen  <ismo.puustinen@intel.com>

	ecc: Free memory also when in error branch.
	+ commit 1d896371fbc94c605fce35eabcde01e24dd22892
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DISGEST and goto
	leave on error.

2015-08-06  NIIBE Yutaka  <gniibe@fsij.org>

	Add Curve25519 support.
	+ commit e93f4c21c59756604440ad8cbf27e67d29c99ffd
	* cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519.
	* tests/curves.c (N_CURVES): It's 22 now.
	* src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New.
	* cipher/ecc-common.h (_gcry_ecc_mont_decodepoint): New.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): New.
	* cipher/ecc.c (nist_generate_key): Handle the case of
	PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
	(test_ecdh_only_keys, check_secret_key): Likewise.
	(ecc_generate): Support Curve25519 which is Montgomery curve with flag
	PUBKEY_FLAG_DJB_TWEAK and PUBKEY_FLAG_COMP.
	(ecc_encrypt_raw): Get flags from KEYPARMS and handle
	PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
	(ecc_decrypt_raw): Likewise.
	(compute_keygrip): Handle the case of PUBKEY_FLAG_DJB_TWEAK.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist):
	PUBKEY_FLAG_EDDSA implies PUBKEY_FLAG_DJB_TWEAK.
	Parse "djb-tweak" for PUBKEY_FLAG_DJB_TWEAK.

2015-07-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Reduce code size for Twofish key-setup and remove key dependend branch.
	+ commit b4b1d872ba651bc44761b35d245b1a519a33f515
	* cipher/twofish.c (poly_to_exp): Increase size by one, change type
	from byte to u16 and insert '492' to index 0.
	(exp_to_poly): Increase size by 256, let new cells have zero value.
	(CALC_S): Execute unconditionally with help of modified tables.
	(do_twofish_setkey): Change type for 'tmp' to 'unsigned int'; Un-unroll
	CALC_K256 and CALC_K phases to reduce generated object size.

	Reduce amount of duplicated code in OCB bulk implementations.
	+ commit e950052bc6f5ff11a7c23091ff3f6b5cc431e875
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
	(ocb_crypt): Change bulk function to return number of unprocessed
	blocks.
	* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth)
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
	to 'size_t'.
	* cipher/camellia-glue.c (get_l): Only if USE_AESNI_AVX or
	USE_AESNI_AVX2 defined.
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_AESNI_AVX or
	USE_AESNI_AVX2 defined; Remove unaccelerated common code.
	* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Change
	return type to 'size_t' and return zero.
	* cipher/serpent.c (get_l): Only if USE_SSE2, USE_AVX2 or USE_NEON
	defined.
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_SSE2, USE_AVX2 or
	USE_NEON defined; Remove unaccelerated common code.
	* cipher/twofish.c (get_l): Only if USE_AMD64_ASM defined.
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_AMD64_ASM defined;
	Remove unaccelerated common code.

	Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations.
	+ commit adbdca0d58f9c06dc3850b95e3455e179c1e6960
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Serpent.
	* cipher/serpent-armv7-neon.S: Add OCB assembly functions.
	* cipher/serpent-avx2-amd64.S: Add OCB assembly functions.
	* cipher/serpent-sse2-amd64.S: Add OCB assembly functions.
	* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
	(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
	(_gcry_serpent_neon_ocb_enc, _gcry_serpent_neon_ocb_dec)
	(_gcry_serpent_neon_ocb_auth, _gcry_serpent_avx2_ocb_enc)
	(_gcry_serpent_avx2_ocb_dec, _gcry_serpent_avx2_ocb_auth): New
	prototypes.
	(get_l, _gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): New.
	* src/cipher.h (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for serpent.

	Add bulk OCB for Twofish AMD64 implementation.
	+ commit 7f6804c37c4b41d85fb26aa723b1c41e4a3cf278
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Twofish.
	* cipher/twofish-amd64.S: Add OCB assembly functions.
	* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
	(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth): New
	prototypes.
	(call_sysv_fn5, call_sysv_fn6, twofish_amd64_ocb_enc)
	(twofish_amd64_ocb_dec, twofish_amd64_ocb_auth, get_l)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): New.
	* src/cipher.h (_gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for Twofish.

	Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations.
	+ commit bb088c6b1620504fdc79e89af27c2bf3fb02b4b4
	* cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions.
	* cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
	(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
	(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
	(_gcry_camellia_aesni_avx2_ocb_auth): New prototypes.
	(get_l, _gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): New.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Camellia.
	* src/cipher.h (_gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for Camellia.

2015-07-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add OCB bulk mode for AES SSSE3 implementation.
	+ commit 620e1e0300c79943a1846a49563b04386dc60546
	* cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use
	'ssse3_state' for storing current SSSE3 state.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(vpaes_ssse3_cleanup): Restore SSSE3 state from 'ssse3_state'.
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
	(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
	(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_cbc_dec): Add 'ssse3_state'
	array.
	(get_l, ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_crypt)
	(_gcry_aes_ssse3_ocb_auth): New.
	* cipher/rijndael.c (_gcry_aes_ssse3_ocb_crypt)
	(_gcry_aes_ssse3_ocb_auth): New.
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_SSSE3]: Use SSSE3
	implementation for OCB.

2015-07-26  Peter Wu  <peter@lekensteyn.nl>

	Fix undefined behavior wrt memcpy.
	+ commit 46c072669eb81ed610cc5b3c0dc0c75a143afbb4
	* cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let
	the function continue to add padding as needed though.
	* cipher/mac-poly1305.c: If the caller requested to finish the hash
	function without a copy of the result, return immediately.

2015-07-23  Peter Wu  <peter@lekensteyn.nl>

	build: ignore scissor line for the commit-msg hook.
	+ commit ada0a7d302cca97b327faaacac7a5d0b8043df88
	* build-aux/git-hooks/commit-msg: Stop processing more lines when the
	  scissor line is encountered.

2015-07-16  Peter Wu  <peter@lekensteyn.nl>

	rsa: Fix error in comments.
	+ commit 9cd55e8e948f0049cb23495f536decf797d072f7
	* cipher/rsa.c: Fix.

2015-07-14  Peter Wu  <peter@lekensteyn.nl>

	sexp: Fix invalid deallocation in error path.
	+ commit 0f9532b186c1e0b54d7e7a6d76bce82b6226122b
	* src/sexp.c: Fix wrong condition.

2015-07-10  Peter Wu  <peter@lekensteyn.nl>

	ecc: fix memory leak.
	+ commit 2a7aa3ea4d03a9c808d5888f5509c08cd27aa27c
	* cipher/ecc.c (ecc_verify): Release memory which was allocated before
	by _gcry_pk_util_preparse_sigval.
	(ecc_decrypt_raw): Likewise.

2015-07-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: fix memory leaks.
	+ commit 0a7547e487a8bc4e7ac9599c55579eb2e4a13f06
	cipher/ecc.c (ecc_generate): Fix memory leak on error of
	_gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint.
	(ecc_check_secret_key): Fix memory leak on error of
	_gcry_ecc_update_curve_param.
	(ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Remove
	unnecessary sexp_release and fix memory leak on error of
	_gcry_ecc_fill_in_curve.
	(ecc_decrypt_raw): Fix double free of the point kG and memory leak
	on error of _gcry_ecc_os2ec.

2015-06-11  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Support FreeBSD 10 or later.
	+ commit a36ee7501f68ad7ebcfe31f9659430b9d2c3ddd1
	* mpi/config.links: Include FreeBSD 10 to 29.

2015-05-21  Werner Koch  <wk@gnupg.org>

	ecc: Add key generation flag "no-keytest".
	+ commit 2bddd947fd1c11b4ec461576db65a5e34fea1b07
	* src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
	"no-keytest".  Return an error for invalid flags of length 10.

	* cipher/ecc.c (nist_generate_key): Replace arg random_level by flags
	set random level depending on flags.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
	* cipher/ecc.c (ecc_generate): Pass flags to generate fucntion and
	remove var random_level.
	(nist_generate_key): Implement "no-keytest" flag.

	* tests/keygen.c (check_ecc_keys): Add tests for transient-key and
	no-keytest.

	ecc: Avoid double conversion to affine coordinates in keygen.
	+ commit 102d68b3bd77813a3ff989526855bb1e283bf9d7
	* cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
	(ecc_generate): Rename vars.  Convert to affine coordinates only if
	not returned by the lower level generation function.

	random: Change initial extra seeding from 2400 bits to 128 bits.
	+ commit 8124e357b732a719696bfd5271def4e528f2a1e1
	* random/random-csprng.c (read_pool): Reduce initial seeding.

2015-05-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable AMD64 Twofish implementation on WIN64.
	+ commit 9b0c6c8141ae9bd056392a3f6b5704b505fc8501
	* cipher/twofish-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/twofish.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(twofish_amd64_encrypt_block, twofish_amd64_decrypt_block)
	(twofish_amd64_ctr_enc, twofish_amd64_cbc_dec)
	(twofish_amd64_cfb_dec): New wrapper functions for AMD64
	assembly functions.

	Enable AMD64 Serpent implementations on WIN64.
	+ commit eb0ed576893b6c7990dbcb568510f831d246cea6
	* cipher/serpent-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/serpent-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20.c (USE_SSE2, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSE2 || USE_AVX2] (ASM_FUNC_ABI): New.
	(_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec)
	(_gcry_serpent_sse2_cfb_dec, _gcry_serpent_avx2_ctr_enc)
	(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Add
	ASM_FUNC_ABI.

	Enable AMD64 Salsa20 implementation on WIN64.
	+ commit 12bc93ca8187b8061c2e705427ef22f5a71d29b0
	* cipher/salsa20-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/salsa20.c (USE_AMD64): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AMD64] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
	(_gcry_salsa20_amd64_encrypt_blocks): Add ASM_FUNC_ABI.
	[USE_AMD64] (salsa20_core): Add ASM_EXTRA_STACK.
	(salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK.

	Enable AMD64 Poly1305 implementations on WIN64.
	+ commit 8d7de4dbf7732c6eb9e9853ad7c19c89075ace6f
	* cipher/poly1305-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/poly1305-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/poly1305-internal.h (POLY1305_SYSV_FUNC_ABI): New.
	(POLY1305_USE_SSE2, POLY1305_USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(OPS_FUNC_ABI): New.
	(poly1305_ops_t): Use OPS_FUNC_ABI.
	* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
	(_gcry_poly1305_amd64_sse2_finish_ext)
	(_gcry_poly1305_amd64_sse2_blocks, _gcry_poly1305_amd64_avx2_init_ext)
	(_gcry_poly1305_amd64_avx2_finish_ext)
	(_gcry_poly1305_amd64_avx2_blocks, _gcry_poly1305_armv7_neon_init_ext)
	(_gcry_poly1305_armv7_neon_finish_ext)
	(_gcry_poly1305_armv7_neon_blocks, poly1305_init_ext_ref32)
	(poly1305_blocks_ref32, poly1305_finish_ext_ref32)
	(poly1305_init_ext_ref8, poly1305_blocks_ref8)
	(poly1305_finish_ext_ref8): Use OPS_FUNC_ABI.

	Enable AMD64 3DES implementation on WIN64.
	+ commit b65e9e71d5ee992db5c96793c6af999545daad28
	* cipher/des-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/des.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(tripledes_ecb_crypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call
	assembly function through 'call_sysv_fn'.
	(tripledes_amd64_ctr_enc, tripledes_amd64_cbc_dec)
	(tripledes_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.

	Enable AMD64 ChaCha20 implementations on WIN64.
	+ commit 9597cfddf03c467825da152be5ca0d12a8c30d88
	* cipher/chacha20-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20-ssse3-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20.c (USE_SSE2, USE_SSSE3, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
	(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
	(_gcry_chacha20_armv7_neon_blocks, chacha20_blocks): Add ASM_FUNC_ABI.
	(chacha20_core): Add ASM_EXTRA_STACK.

	Enable AMD64 CAST5 implementation on WIN64.
	+ commit 6a6646df80386204675d8b149ab60e74d7ca124c
	* cipher/cast5-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(RIP): Remove.
	(GET_EXTERN_POINTER): Use 'leaq' version on WIN64.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/cast5.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(do_encrypt_block, do_decrypt_block)
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
	function through 'call_sysv_fn'.
	(cast5_amd64_ctr_enc, cast5_amd64_cbc_dec)
	(cast5_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.

	Enable AMD64 Camellia implementations on WIN64.
	+ commit 9a4fb3709864bf3e3918800d44ff576590cd4e92
	* cipher/camellia-aesni-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/camellia-aesni-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/camellia-glue.c (USE_AESNI_AVX, USE_AESNI_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AESNI_AVX || USE_AESNI_AVX2] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(_gcry_camellia_aesni_avx_ctr_enc, _gcry_camellia_aesni_avx_cbc_dec)
	(_gcry_camellia_aesni_avx_cfb_dec, _gcry_camellia_aesni_avx_keygen)
	(_gcry_camellia_aesni_avx2_ctr_enc, _gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI.

	Enable AMD64 Blowfish implementation on WIN64.
	+ commit e05682093ffb003b589a697428d918d755ac631d
	* cipher/blowfish-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/blowfish.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(do_encrypt, do_encrypt_block, do_decrypt_block)
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
	function through 'call_sysv_fn'.
	(blowfish_amd64_ctr_enc, blowfish_amd64_cbc_dec)
	(blowfish_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.
	..

	Enable AMD64 arcfour implementation on WIN64.
	+ commit c46b015bedba7ce0db68929bd33a86a54ab3d919
	* cipher/arcfour-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/arcfour.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(do_encrypt, do_decrypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Use
	assembly block to call AMD64 assembly function.

	Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539.
	+ commit ee8fc4edcb3466b03246c8720b90731bf274ff1d
	* cipher/cipher-poly1305.c: Add RFC-7539 to header.
	* doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of
	RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD.

	hwf-x86: use edi for passing value to ebx for i386 cpuid.
	+ commit bac42c68b069f17abcca810a21439c7233815747
	* src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead
	of '=r'.

	hwf-x86: add EDX as output register for xgetbv asm block.
	+ commit e15beb584a5ebdfc363e1ff15f87102508652d71
	* src/hwf-x86.c (get_xgetbv): Add EDX as output.

2015-05-04  Werner Koch  <wk@gnupg.org>

	build: Update build-aux files.
	+ commit 5a7d55eed3316f40ca61acbee032bfc285e28803


	Fix possible regression on old 32 bit mingw compilers.
	+ commit 090ca7435156b5f52064357dd59059570d466f46
	* acinclude.m4: Add new pattern for mingw32.

	build: Add new file.
	+ commit 4af52b2e72ce004b7d8f99e09c4324e3c2a84379
	* mpi/amd64/distfiles: Add func_abi.h.

2015-05-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix WIN64 assembly glue for AES.
	+ commit 24a769a7c7601dbb85332e550f6fbd121b56df5f
	* cipher/rinjdael.c (do_encrypt, do_decrypt)
	[!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to
	input+output to mark volatile nature of the used registers.

	Add '1 million a characters' test vectors.
	+ commit 2f4fefdbc62857b6e2da26ce111ee140a068c471
	* tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384,
	SHA-512, RIPEMD160 and CRC32.

2015-05-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	More optimized CRC implementations.
	+ commit 06e122baa3321483a47bbf82fd2a4540becfa0c9
	* cipher/crc.c (crc32_table, crc24_table): Replace with new table
	contents.
	(update_crc32, CRC24_INIT, CRC24_POLY): Remove.
	(crc32_next, crc32_next4, crc24_init, crc24_next, crc24_next4)
	(crc24_final): New.
	(crc24rfc2440_init): Use crc24_init.
	(crc32_write): Rewrite to use crc32_next & crc32_next4.
	(crc24_write): Rewrite to use crc24_next & crc24_next4.
	(crc32_final, crc32rfc1510_final): Use buf_put_be32.
	(crc24rfc2440_final): Use crc24_final & buf_put_le32.
	* tests/basic.c (check_digests): Add CRC "123456789" tests.

	Enable AMD64 AES implementation for WIN64.
	+ commit 66129b3334a5aa54ff8a97981507e4704f759571
	* cipher/rijndael-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/rijndael-internal.h (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(do_encrypt, do_decrypt)
	[USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Use
	assembly block to call AMD64 assembly encrypt/decrypt function.

	Enable AMD64 Whirlpool implementation for WIN64.
	+ commit 8422d5d699265b960bd1ca837044ee052fc5b614
	* cipher/whirlpool-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/whirlpool.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AMD64_ASM] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	[USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64): Add ASM_FUNC_ABI to
	prototype.
	[USE_AMD64_ASM] (whirlpool_transform): Add ASM_EXTRA_STACK to stack
	burn value.

	Enable AMD64 SHA512 implementations for WIN64.
	+ commit 1089a13073c26a9a456e43ec38d937e6ee7f4077
	* cipher/sha512-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha512-avx-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.
	* cipher/sha512.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha512_transform_amd64_ssse3, _gcry_sha512_transform_amd64_avx)
	(_gcry_sha512_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
	prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

	Enable AMD64 SHA256 implementations for WIN64.
	+ commit 022959099644f64df5f2a83ade21159864f64837
	* cipher/sha256-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha256.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha256_transform_amd64_ssse3, _gcry_sha256_transform_amd64_avx)
	(_gcry_sha256_transform_amd64_avx2): Add ASM_FUNC_ABI to prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

	Enable AMD64 SHA1 implementations for WIN64.
	+ commit e433676a899fa0d274d40547166b03c7c8bd8e78
	* cipher/sha1-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha1-avx-bmi2-amd64.S: Ditto.
	* cipher/sha1-ssse3-amd64.S: Ditto.
	* cipher/sha1.c (USE_SSSE3, USE_AVX, USE_BMI2): Enable
	when HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_BMI2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha1_transform_amd64_ssse3, _gcry_sha1_transform_amd64_avx)
	(_gcry_sha1_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
	prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

2015-05-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64.
	+ commit 4e09aaa36d151c3312019724a77fc09aa345b82f
	* cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
	( _gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector
	registers before use and restore after.
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Remove dependency
	on !defined(__WIN64__).
	* cipher/rijndael-aesni.c [__WIN64__] (aesni_prepare_2_6_variable,
	aesni_prepare, aesni_prepare_2_6, aesni_cleanup)
	( aesni_cleanup_2_6): New.
	[!__WIN64__] (aesni_prepare_2_6_variable, aesni_prepare_2_6): New.
	(_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_cbc_enc)
	(_gcry_aesni_ctr_enc, _gcry_aesni_cfb_dec, _gcry_aesni_cbc_dec)
	(_gcry_aesni_ocb_crypt, _gcry_aesni_ocb_auth): Use
	'aesni_prepare_2_6'.
	* cipher/rijndael-internal.h (USE_SSSE3): Enable if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS or
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS.
	(USE_AESNI): Remove dependency on !defined(__WIN64__)
	* cipher/rijndael-ssse3-amd64.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(vpaes_ssse3_prepare, vpaes_ssse3_cleanup): New.
	[!HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): New.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec): Use
	'vpaes_ssse3_prepare'.
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption): Use
	'vpaes_ssse3_prepare' and 'vpaes_ssse3_cleanup'.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (X): Add masking macro to
	exclude '.type' and '.size' markers from assembly code, as they are
	not support on WIN64/COFF objects.
	* configure.ac (gcry_cv_gcc_attribute_ms_abi)
	(gcry_cv_gcc_attribute_sysv_abi, gcry_cv_gcc_default_abi_is_ms_abi)
	(gcry_cv_gcc_default_abi_is_sysv_abi)
	(gcry_cv_gcc_win64_platform_as_ok): New checks.

	Add W64 support for mpi amd64 assembly.
	+ commit 460355f23e770637d29e3af7b998a957a2b5bc88
	acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set
	'ac_cv_sys_symbol_underscore=no' on MingW-W64.
	mpi/amd64/func_abi.h: New.
	mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): Add FUNC_ENTRY and FUNC_EXIT.
	mpi/amd64/mpih-lshift.S (_gcry_mpih_lshift): Ditto.
	mpi/amd64/mpih-mul1.S (_gcry_mpih_mul_1): Ditto.
	mpi/amd64/mpih-mul2.S (_gcry_mpih_addmul_1): Ditto.
	mpi/amd64/mpih-mul3.S (_gcry_mpih_submul_1): Ditto.
	mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Ditto.
	mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Ditto.
	mpi/config.links [host=x86_64-*mingw*]: Enable assembly modules.
	[host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h.

	DES: Silence compiler warnings on Windows.
	+ commit 6c21cf5fed1ad430fa41445eac2350802bc8aaed
	* cipher/des.c (working_memcmp): Make pointer arguments 'const void *'.

	Cast pointers to integers using uintptr_t instead of long.
	+ commit 9cf224322007d90193d4910f0da6e0e29ce01d70


	Fix rndhw for 64-bit Windows build.
	+ commit d5a7e00b6b222566a5650639ef29684b047c1909
	* configure.ac: Add sizeof check for 'void *'.
	* random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8
	instead of defined(__LP64__).
	(RDRAND_LONG): Check for SIZEOF_UNSIGNED_LONG == 8 instead of
	defined(__LP64__).

	Prepare random/win32.c fast poll for 64-bit Windows.
	+ commit 0cdd24456b33defc7f8176fa82ab694fbc284385
	* random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to
	ADDINT.
	(_gcry_rndw32_gather_random_fast): Add ADDPTR.
	(_gcry_rndw32_gather_random_fast): Disable entropy gathering from
	GetQueueStatus(QS_ALLEVENTS).
	(_gcry_rndw32_gather_random_fast): Change minimumWorkingSetSize and
	maximumWorkingSetSize to SIZE_T from DWORD.
	(_gcry_rndw32_gather_random_fast): Only add lower 32-bits of
	minimumWorkingSetSize and maximumWorkingSetSize to random poll.
	(_gcry_rndw32_gather_random_fast) [__WIN64__]: Read TSC directly
	using intrinsic.

	Disable GCM and AES-NI assembly implementations for WIN64.
	+ commit f701954555340a503f6e52cc18d58b0c515427b7
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when
	__WIN64__ defined.
	* cipher/rijndael-internal.h (USE_AESNI): Ditto.

	Disable building mpi assembly routines on WIN64.
	+ commit e78560a4b717f7154f910a8ce4128de152f586da
	* mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'.

	Fix packed attribute check for Windows targets.
	+ commit e886e4f5e73fe6a9f9191f5155852ce5d8bb88fe
	* configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its
	own packed structure.

	Fix tail handling in buf_xor_1.
	+ commit c2dba93e639639bdac139b3a3a456d10ddc61f79
	* cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail
	handling.

	Add --disable-hwf for basic tests.
	+ commit 839a3bbe2bb045139223b32753d656cc6c3d4669
	* tests/basic.c (main): Add handling for '--disable-hwf'.

	Use more odd chuck sizes for check_one_md.
	+ commit 9f086ffa43f2507b9d17522a0a2e394cb273baf8
	* tests/basic.c (check_one_md): Make chuck size vary oddly, instead
	of using fixed length of 1000 bytes.

	Enable more modes in basic ciphers test.
	+ commit e40eff94f9f8654c3d29e03bbb7e5ee6a43c1435
	* src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New.
	* tests/basic.c (check_one_cipher_core_reset): New.
	(check_one_cipher_core): Use check_one_cipher_core_reset inplace of
	gcry_cipher_reset.
	(check_ciphers): Add CCM and OCB modes for block cipher tests.

	Fix reseting cipher in OCB mode.
	+ commit 88842cbc68beb4f73c87fdbcb74182cba818f789
	* cipher/cipher.c (cipher_reset): Setup default taglen for OCB after
	clearing state.

2015-04-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix buggy RC4 AMD64 assembly and add test to notice similar issues.
	+ commit 124dfce7c5a2d9405fa2b2832e91ac1267943830
	* cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of
	'x' and 'y'.
	* tests/basic.c (get_algo_mode_blklen): New.
	(check_one_cipher_core): Add new tests for split buffer input on
	encryption and decryption.

2015-04-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disallow compiler from generating SSE instructions in mixed C+asm source
	+ commit f88266c0f868d7bf51a215d5531bb9f2b4dad19e
	* cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target
	pragma to disable compiler use of SSE.
	* cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto.
	* cipher/rijndael-ssse3-amd64.c [gcc-version >= 4.4]: Ditto.

2015-04-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add OCB bulk crypt/auth functions for AES/AES-NI.
	+ commit 305cc878d395475c46b4ef52f4764bd0c85bf8ac
	* cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt
	and bulk.ocb_auth.
	(_gcry_cipher_ocb_get_l): New prototype.
	* cipher/cipher-ocb.c (get_l): Rename to ...
	(_gcry_cipher_ocb_get_l): ... this.
	(_gcry_cipher_ocb_authenticate, ocb_crypt): Use bulk function when
	available.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for AES.
	* cipher/rijndael-aesni.c (get_l, aesni_ocb_enc, aes_ocb_dec)
	(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): New.
	* cipher/rijndael.c [USE_AESNI] (_gcry_aes_aesni_ocb_crypt)
	(_gcry_aes_aesni_ocb_auth): New prototypes.
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New.
	* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New
	prototypes.
	* tests/basic.c (check_ocb_cipher_largebuf): New.
	(check_ocb_cipher): Add large buffer encryption/decryption test.

2015-04-15  Werner Koch  <wk@gnupg.org>

	tests: Add option to time the S2K function.
	+ commit fe38d3815b4cd203cd529949e244aca80d32897f
	* tests/t-kdf.c: Include stopwatch.h.
	(dummy_consumer): new.
	(bench_s2k): New.
	(main): Add option parser and option --s2k.

	tests: Improve stopwatch.h.
	+ commit 3b03a3b493233a472da531d8d9582d1be6d376b0
	* tests/stopwatch.h (elapsed_time): Add arg divisor.

2015-04-13  Werner Koch  <wk@gnupg.org>

	mpi: Fix gcry_mpi_copy for NULL opaque data.
	+ commit 9fca46864e1b5a9c788072113589454adb89fa97
	* mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed.

2015-03-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	wipememory: use one-byte aligned type for unaligned memory accesses.
	+ commit a06fbc0d1e98eb1218eff55ad2f37d471e4f33b2
	* src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned
	access only when HAVE_GCC_ATTRIBUTE_PACKED and
	HAVE_GCC_ATTRIBUTE_ALIGNED defined.
	(fast_wipememory_t): New.
	(fast_wipememory2): Use 'fast_wipememory_t'.

	bufhelp: use one-byte aligned type for unaligned memory accesses.
	+ commit 92fa5f16d69707e302c0f85b2e5e80af8dc037f1
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when
	HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined.
	(bufhelp_int_t): New type.
	(buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst, buf_xor_n_copy_2): Use
	'bufhelp_int_t'.
	[BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_u32_t, bufhelp_u64_t): New.
	[BUFHELP_FAST_UNALIGNED_ACCESS] (buf_get_be32, buf_get_le32)
	(buf_put_be32, buf_put_le32, buf_get_be64, buf_get_le64)
	(buf_put_be64, buf_put_le64): Use 'bufhelp_uXX_t'.
	* configure.ac (gcry_cv_gcc_attribute_packed): New.

	tests/bench-slope: fix memory-leak and use-after-free bugs.
	+ commit aa234561d00c3fb15fe501df4bf58f3db7c7c06b
	* tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end.
	(bench_mac_init): Move 'key' free at end of function.

2015-03-19  Werner Koch  <wk@gnupg.org>

	Fix two pedantic warnings.
	+ commit f5832285b0e420d77be1b8da10a1e1d86583b414
	* src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing
	comma.

2015-03-16  Werner Koch  <wk@gnupg.org>

	Use well defined type instead of size_t in secmem.c.
	+ commit db8ae3616987fa288173446398a107e31e2e28aa
	* src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.

	Make uintptr_t global available.
	+ commit f0f60c1a04d664936bcf52e8f46705bdc63e7ad9
	* cipher/bufhelp.h: Move include for uintptr_t to ...
	* src/types.h: here.  Check that config.h has been included.

	mpi: Remove useless condition.
	+ commit 0a9cdb8ae092d050ca12a7a4f2f50e25b82154ec
	* mpi/mpi-pow.c: Remove condition rp==mp.

	cipher: Remove useless NULL check.
	+ commit fbb97dcf763e28e81e01092ad4c934b3eaf88cc8
	* cipher/hash-common.c (_gcry_md_block_write): Remove NUL check for
	hd->buf.

2015-02-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix in-place encryption for OCB mode.
	+ commit 5e66a4f8d5a63f58caeee367433dd8dd32346083
	* cipher/cipher-ocb.c (ocb_checksum): New.
	(ocb_crypt): Move checksum calculation outside main crypt loop, do
	checksum calculation for encryption before inbuf is overwritten.
	* tests/basic.c (check_ocb_cipher): Rename to ...
	(do_check_ocb_cipher): ... to this and add argument for testing
	in-place encryption/decryption.
	(check_ocb_cipher): New.

2015-02-27  NIIBE Yutaka  <gniibe@fsij.org>

	tests: fix t-sexp.c.
	+ commit 505decf5369970219ddc9e78a20f97c623957b78
	* tests/t-sexp.c (bug_1594): Free N and PUBKEY.

	mpi: Avoid data-dependent timing variations in mpi_powm.
	+ commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
	* mpi/mpi-pow.c (mpi_powm): Access all data in the table by
	mpi_set_cond.

	mpi: Revise mpi_powm.
	+ commit 1fa8cdb933505960d4e4b4842b122d4e06953e88
	* mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.

2015-02-23  Werner Koch  <wk@gnupg.org>

	cipher: Use ciphertext blinding for Elgamal decryption.
	+ commit 410d70bad9a650e3837055e36f157894ae49a57d
	* cipher/elgamal.c (USE_BLINDING): New.
	(decrypt): Rewrite to use ciphertext blinding.

2015-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_set_cond.
	+ commit 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288
	* mpi/mpiutil.c (_gcry_mpi_set_cond): New.
	(_gcry_mpi_swap_cond): Fix types.
	* src/mpi.h (mpi_set_cond): New.

2015-01-30  Werner Koch  <wk@gnupg.org>

	w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.
	+ commit 40a7bdf50e19faaf106470897fed72af623adc50
	* src/Makefile.am (extra_ltoptions): New.
	(libgcrypt_la_LDFLAGS): Use it.

2015-01-28  Werner Koch  <wk@gnupg.org>

	Fix building of GOST s-boxes when cross-compiling.
	+ commit 2564d204e408b296425ac0660c6bdc6270575fb6
	* cipher/Makefile.am (gost-s-box): USe CC_FOR_BUILD.
	(noinst_PROGRAMS): Remove.
	(EXTRA_DIST): New.
	(CLEANFILES): New.

2015-01-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix wrong ifdef for SSSE3 setkey.
	+ commit ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47
	* cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
	around SSSE3 setkey selection.

2015-01-16  Werner Koch  <wk@gnupg.org>

	Add OCB cipher mode.
	+ commit 067d7d8752d4d8a98f8e0e5e9b1a5b13e1b7ff9c
	* cipher/cipher-ocb.c: New.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c
	* cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New.
	(gcry_cipher_handle): Add fields marks.finalize and u_mode.ocb.
	* cipher/cipher.c (_gcry_cipher_open_internal): Add OCB mode.
	(_gcry_cipher_open_internal): Setup default taglen of OCB.
	(cipher_reset): Clear OCB specific data.
	(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
	(_gcry_cipher_gettag, _gcry_cipher_checktag): Call OCB functions.
	(_gcry_cipher_setiv): Add OCB specific nonce setting.
	(_gcry_cipher_ctl): Add GCRYCTL_FINALIZE and GCRYCTL_SET_TAGLEN

	* src/gcrypt.h.in (GCRYCTL_SET_TAGLEN): New.
	(gcry_cipher_final): New.

	* cipher/bufhelp.h (buf_xor_1): New.

	* tests/basic.c (hex2buffer): New.
	(check_ocb_cipher): New.
	(main): Call it here.  Add option --cipher-modes.
	* tests/bench-slope.c (bench_aead_encrypt_do_bench): Call
	gcry_cipher_final.
	(bench_aead_decrypt_do_bench): Ditto.
	(bench_aead_authenticate_do_bench): Ditto.  Check error code.
	(bench_ocb_encrypt_do_bench): New.
	(bench_ocb_decrypt_do_bench): New.
	(bench_ocb_authenticate_do_bench): New.
	(ocb_encrypt_ops): New.
	(ocb_decrypt_ops): New.
	(ocb_authenticate_ops): New.
	(cipher_modes): Add them.
	(cipher_bench_one): Skip wrong block length for OCB.
	* tests/benchmark.c (cipher_bench): Add field noncelen to MODES.  Add
	OCB support.

2015-01-15  Werner Koch  <wk@gnupg.org>

	Add functions to count trailing zero bits in a word.
	+ commit 9d2a22c94ae99f9301321082c4fb8d73f4085fda
	* cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New.
	* configure.ac (HAVE_BUILTIN_CTZ): Add new test.

2015-01-08  Werner Koch  <wk@gnupg.org>

	cipher: Prepare for OCB mode.
	+ commit 9d328962660da72f094dc5424d5ef67abbaffdf6
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New.

2015-01-06  Werner Koch  <wk@gnupg.org>

	Make make distcheck work again.
	+ commit 4f7dcdc25af269b12275126edeef30b262fb891d
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers.
	* cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h.

2015-01-06  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	stribog: Reduce table size to the needed one.
	+ commit e4de52378a85cf383994ded8edf0d5cf98dcb10c
	* cipher/stribog.c (C16): Avoid allocating superfluous space.

	gostr3411-94: Fix the iteration count for length filling loop.
	+ commit 05dc5bcd234909ae9c9366b653346076b9a834ed
	* cipher/gostr3411-94.c (gost3411_final): Fix loop

2015-01-05  Werner Koch  <wk@gnupg.org>

	random: Silent warning under NetBSD using rndunix.
	+ commit 817472358a093438e802380caecf7139406400cf
	* random/rndunix.c (STDERR_FILENO): Define if needed.
	(start_gatherer): Re-open standard descriptors.  Fix an
	unsigned/signed pointer warning.

	primegen: Fix memory leak for invalid call sequences.
	+ commit 8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83
	* cipher/primegen.c (prime_generate_internal): Refactor generator code
	to not leak memory for non-implemented feature.
	(_gcry_prime_group_generator): Refactor to not leak memory for invalid
	args.  Also make sure that R_G is set as soon as possible.

	doc: Update yat2m to current upstream version (GnuPG).
	+ commit dd5df198727ea5d8f6b04288e14fd732051453c8


	build: Require automake 1.14.
	+ commit f65276970a6dcd6d9bca94cecc49b68acdcc9492
	* configure.ac (AM_INIT_AUTOMAKE): Add serial-tests.

	Replace camel case of internal scrypt functions.
	+ commit 1a6d65ac0aab335541726d02f2046d883a768ec3
	* cipher/scrypt.c (_salsa20_core): Rename to salsa20_core.  Change
	callers.
	(_scryptBlockMix): Rename to scrypt_block_mix.  Change callers.
	(_scryptROMix): Rename to scrypt_ro_mix. Change callers.

2015-01-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rmd160: restore native-endian store in _gcry_rmd160_mixblock.
	+ commit d7c7453cf5e6b8f3c6b522a30e680f844a28c9de
	* cipher/rmd160.c (_gcry_rmd160_mixblock): Store result to buffer in
	native-endianess.

2014-12-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel SSSE3 based vector permutation AES implementation.
	+ commit 8eabecc883332156adffc1df42d27f614c157e06
	* cipher/Makefile.am: Add 'rijndael-ssse3-amd64.c'.
	* cipher/rijndael-internal.h (USE_SSSE3): New.
	(RIJNDAEL_context_s) [USE_SSSE3]: Add 'use_ssse3'.
	* cipher/rijndael-ssse3-amd64.c: New.
	* cipher/rijndael.c [USE_SSSE3] (_gcry_aes_ssse3_do_setkey)
	(_gcry_aes_ssse3_prepare_decryption, _gcry_aes_ssse3_encrypt)
	(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_enc)
	(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
	(_gcry_aes_ssse3_cfb_dec, _gcry_aes_ssse3_cbc_dec): New.
	(do_setkey): Add HWF check for SSSE3 and setup for SSSE3
	implementation.
	(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Add
	selection for SSSE3 implementation.
	* configure.ac [host=x86_64]: Add 'rijndael-ssse3-amd64.lo'.

2014-12-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	random-csprng: fix compiler warnings on ARM.
	+ commit c2e1f8fea271f3ef8027809547c4a52e0b1e24a2
	* random/random-csprng.c (_gcry_rngcsprng_update_seed_file)
	(read_pool): Cast keypool and rndpool to 'unsigned long *' through
	'void *'.

	scrypt: fix compiler warnings on ARM.
	+ commit 1dab4c9422bf0f3cdc7a4d3ccf9db090abd90e94
	* cipher/scrypt.c (_scryptBlockMix): Cast X to 'u32 *' through 'void *'.

	secmem: fix compiler warnings on ARM.
	+ commit 99faf9cb34f872144313403f29f3379798debfc9
	* src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer
	from 'char *' to 'memblock_t *' through 'void *'.
	(MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'.

	hash: fix compiler warning on ARM.
	+ commit 4515315f61fbf79413e150fbd1d5f5a2435f2bc5
	* cipher/md.c (md_open, md_copy): Cast 'char *' to ctx through
	'void *'.
	* cipher/md4.c (md4_final): Use buf_put_* helper instead of
	converting 'char *' to 'u32 *'.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (_gcry_rmd160_mixblock, rmd160_final): Ditto.
	* cipher/sha1.c (sha1_final): Ditto.
	* cipher/sha256.c (sha256_final): Ditto.
	* cipher/sha512.c (sha512_final): Ditto.
	* cipher/tiger.c (tiger_final): Ditto.

	rijndael: fix compiler warnings on ARM.
	+ commit cc26106dbebeb84d481661813edc3e5aea9a7d99
	* cipher/rijndael-internal.h (RIJNDAEL_context_s): Add u32 variants of
	keyschedule arrays to unions u1 and u2.
	(keyschedenc32, keyscheddec32): New.
	* cipher/rijndael.c (u32_a_t): Remove.
	(do_setkey): Add and use tkk[].data32, k_u32, tk_u32 and W_u32; Remove
	casting byte arrays to u32_a_t.
	(prepare_decryption, do_encrypt_fn, do_decrypt_fn): Use keyschedenc32
	and keyscheddec32; Remove casting byte arrays to u32_a_t.

2014-12-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03
	+ commit 520070e02e2e6ee7228945015573a6e1f4895ec3
	* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte
	counters for AAD and data in Poly1305.
	* cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove.
	(poly1305_fill_bytecounts, poly1305_do_padding): New.
	(poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD
	length.
	(_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt): Update AAD and data length separately.
	(_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305.
	(_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset
	AAD and data byte counts; only allow 96-bit IV.
	* cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to
	ChaCha20 cipher.
	* tests/basic.c (_check_poly1305_cipher): Update test-vectors.
	(check_ciphers): Limit Poly1305-AEAD checks to ChaCha20.
	* tests/bench-slope.c (cipher_bench_one): Ditto.

	chacha20: allow setting counter for stream random access.
	+ commit 11b8d2d449a7bc664b4371ae14c57caa6704d272
	* cipher/chacha20.c (CHACHA20_CTR_SIZE): New.
	(chacha20_ivsetup): Add setup for full counter.
	(chacha20_setiv): Allow ivlen == CHACHA20_CTR_SIZE.

	gcm: do not pass extra key pointer for setupM/fillM.
	+ commit c964321c8a1328e89d636d899a45d68802f5ac9f
	* cipher/cipher-gcm-intel-pclmul.c
	(_gcry_ghash_setup_intel_pclmul): Remove 'h' parameter.
	* cipher/cipher-gcm.c (_gcry_ghash_setup_intel_pclmul): Ditto.
	(fillM): Get 'h' pointer from 'c'.
	(setupM): Remome 'h' parameter.
	(_gcry_cipher_gcm_setkey): Only pass 'c' to setupM.

	rijndael: use more compact look-up tables and add table prefetching.
	+ commit 2374753938df64f6fd8015b44613806a326eff1a
	* cipher/rijndael-internal.h (rijndael_prefetchfn_t): New.
	(RIJNDAEL_context): Add 'prefetch_enc_fn' and 'prefetch_dec_fn'.
	* cipher/rijndael-tables.h (S, T1, T2, T3, T4, T5, T6, T7, T8, S5, U1)
	(U2, U3, U4): Remove.
	(encT, dec_tables, decT, inv_sbox): Add.
	* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block, _gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_encrypt_block): Add parameter for passing table pointer
	to assembly implementation.
	(prefetch_table, prefetch_enc, prefetch_dec): New.
	(do_setkey): Setup context prefetch functions depending on selected
	rijndael implementation; Use new tables for key setup.
	(prepare_decryption): Use new tables for decryption key setup.
	(do_encrypt_aligned): Rename to...
	(do_encrypt_fn): ... to this, change to use new compact tables,
	make handle unaligned input and unroll rounds loop by two.
	(do_encrypt): Remove handling of unaligned input/output; pass table
	pointer to assembly implementations.
	(rijndael_encrypt, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec): Prefetch encryption tables
	before encryption.
	(do_decrypt_aligned): Rename to...
	(do_decrypt_fn): ... to this, change to use new compact tables,
	make handle unaligned input and unroll rounds loop by two.
	(do_decrypt): Remove handling of unaligned input/output; pass table
	pointer to assembly implementations.
	(rijndael_decrypt, _gcry_aes_cbc_dec): Prefetch decryption tables
	before decryption.
	* cipher/rijndael-amd64.S: Use 1+1.25 KiB tables for
	encryption+decryption; remove tables from assembly file.
	* cipher/rijndael-arm.S: Ditto.

2014-12-15  Werner Koch  <wk@gnupg.org>

	build: Add configure option --disable-doc.
	+ commit ad50e360ef4851e66e51a03fc420175636336b58
	* Makefile.am (AUTOMAKE_OPTIONS): Remove.
	(doc) [!BUILD_DOC]: Do not recurse into the dir.
	* configure.ac (AM_INIT_AUTOMAKE): Add option formerly in Makefile.am.
	(BUILD_DOC): Add new am_conditional.

2014-12-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: further optimizations for AES-NI accelerated CBC and CFB bulk modes
	+ commit 4f46374502eb988d701b904f83819e2cf7b1755c
	* cipher/rijndael-aesni.c (do_aesni_enc, do_aesni_dec): Pass
	input/output through SSE register XMM0.
	(do_aesni_cfb): Remove.
	(_gcry_aes_aesni_encrypt, _gcry_aes_aesni_decrypt): Add loading/storing
	input/output to/from XMM0.
	(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
	(_gcry_aes_aesni_cfb_dec): Update to use renewed 'do_aesni_enc' and
	move IV loading/storing outside loop.
	(_gcry_aes_aesni_cbc_dec): Update to use renewed 'do_aesni_dec'.

	GCM: move Intel PCLMUL accelerated implementation to separate file.
	+ commit 4a0795af021305f9240f23626a3796157db46bd7
	* cipher/Makefile.am: Add 'cipher-gcm-intel-pclmul.c'.
	* cipher/cipher-gcm-intel-pclmul.c: New.
	* cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL]
	(_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): New
	prototypes.
	[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul, gfmul_pclmul_aggr4): Move
	to 'cipher-gcm-intel-pclmul.c'.
	(ghash): Rename to...
	(ghash_internal): ...this and move GCM_USE_INTEL_PCLMUL part to new
	function in 'cipher-gcm-intel-pclmul.c'.
	(setupM): Move GCM_USE_INTEL_PCLMUL part to new function in
	'cipher-gcm-intel-pclmul.c'; Add selection of ghash function based
	on available HW acceleration.
	(do_ghash_buf): Change use of 'ghash' to 'c->u_mode.gcm.ghash_fn'.
	* cipher/internal.h (ghash_fn_t): New.
	(gcry_cipher_handle): Remove 'use_intel_pclmul'; Add 'ghash_fn'.

2014-12-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: split Padlock part to separate file.
	+ commit cbf4c8cb6bbda15eea61885279f2a6f1d4bcedfd
	* cipher/Makefile.am: Add 'rijndael-padlock.c'.
	* cipher/rijndael-padlock.c: New.
	* cipher/rijndael.c (do_padlock, do_padlock_encrypt)
	(do_padlock_decrypt): Move to 'rijndael-padlock.c'.
	* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-padlock.lo'.

2014-12-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: refactor to reduce number of #ifdefs and branches.
	+ commit 3d5b51786e2050c461e9791b59142a731462b66d
	* cipher/rijndael-aesni.c (_gcry_aes_aesni_encrypt)
	(_gcry_aes_aesni_decrypt): Make return stack burn depth.
	* cipher/rijndael-amd64.S (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block): Ditto.
	* cipher/rijndael-arm.S (_gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_decrypt_block): Ditto.
	* cipher/rijndael-internal.h (RIJNDAEL_context_s)
	(rijndael_cryptfn_t): New.
	(RIJNDAEL_context): New members 'encrypt_fn' and 'decrypt_fn'.
	* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block, _gcry_aes_aesni_encrypt)
	(_gcry_aes_aesni_decrypt, _gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_decrypt_block): Change prototypes.
	(do_padlock_encrypt, do_padlock_decrypt): New.
	(do_setkey): Separate key-length to rounds conversion from
	HW features check; Add selection for ctx->encrypt_fn and
	ctx->decrypt_fn.
	(do_encrypt_aligned, do_decrypt_aligned): Move inside
	'[!USE_AMD64_ASM && !USE_ARM_ASM]'; Move USE_AMD64_ASM and
	USE_ARM_ASM to...
	(do_encrypt, do_decrypt): ...here; Return stack depth; Remove second
	temporary buffer from non-aligned input/output case.
	(do_padlock): Move decrypt_flag to last argument; Return stack depth.
	(rijndael_encrypt): Remove #ifdefs, just call ctx->encrypt_fn.
	(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc): Remove USE_PADLOCK; Call
	ctx->encrypt_fn in place of do_encrypt/do_encrypt_aligned.
	(_gcry_aes_ctr_enc): Call ctx->encrypt_fn in place of
	do_encrypt_aligned; Make tmp buffer 16-byte aligned and wipe buffer
	after use.
	(rijndael_encrypt): Remove #ifdefs, just call ctx->decrypt_fn.
	(_gcry_aes_cfb_dec): Remove USE_PADLOCK; Call ctx->decrypt_fn in place
	of do_decrypt/do_decrypt_aligned.
	(_gcry_aes_cbc_dec): Ditto; Make savebuf buffer 16-byte aligned.

	rijndael: move AES-NI blocks before Padlock.
	+ commit dbf9e95dd3891f6e6ad370e8ab78fec03595687b
	* cipher/rijndael.c (do_setkey, rijndael_encrypt, _gcry_aes_cfb_enc)
	(rijndael_decrypt, _gcry_aes_cfb_dec): Move USE_AESNI before
	USE_PADLOCK.
	(check_decryption_praparation) [USE_PADLOCK]: Move to...
	(prepare_decryption) [USE_PADLOCK]: ...here.

	rijndael: split AES-NI functions to separate file.
	+ commit 67d529630e838daeb8cb9c6d7ef660c01ef34fee
	* cipher/Makefile.in: Add 'rijndael-aesni.c'.
	* cipher/rijndael-aesni.c: New.
	* cipher/rijndael-internal.h: New.
	* cipher/rijndael.c (MAXKC, MAXROUNDS, BLOCKSIZE, ATTR_ALIGNED_16)
	(USE_AMD64_ASM, USE_ARM_ASM, USE_PADLOCK, USE_AESNI, RIJNDAEL_context)
	(keyschenc, keyschdec, padlockkey): Move to 'rijndael-internal.h'.
	(u128_s, aesni_prepare, aesni_cleanup, aesni_cleanup_2_6)
	(aesni_do_setkey, do_aesni_enc, do_aesni_dec, do_aesni_enc_vec4)
	(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Move
	to 'rijndael-aesni.c'.
	(prepare_decryption, rijndael_encrypt, _gcry_aes_cfb_enc)
	(_gcry_aes_cbc_enc, _gcry_aes_ctr_enc, rijndael_decrypt)
	(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec) [USE_AESNI]: Move to functions
	in 'rijdael-aesni.c'.
	* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-aesni.lo'.

2014-11-24  Werner Koch  <wk@gnupg.org>

	Remove duplicated prototypes.
	+ commit d53ea84bed37b973f7ce59262c50b33700cd8311
	* src/gcrypt-int.h (_gcry_mpi_ec_new, _gcry_mpi_ec_set_mpi)
	(gcry_mpi_ec_set_point): Remove.

	tests: Add a prime mode to benchmark.
	+ commit 1b4210c204a5ef5e631187509e011b8468a134ef
	* tests/benchmark.c (progress_cb): Add a single char mode.
	(prime_bench): New.
	(main): Add a "prime" mode.  Factor with_progress out to file scope.

2014-11-19  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Improve Montgomery curve implementation.
	+ commit e6130034506013d6153465a2bedb6fb08a43f74d
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Support
	MPI_EC_MONTGOMERY.
	* cipher/ecc.c (test_ecdh_only_keys): New.
	(nist_generate_key): Call test_ecdh_only_keys for MPI_EC_MONTGOMERY.
	(check_secret_key): Handle Montgomery curve of x-coordinate only.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Resize points before the loop.
	Simplify, using pointers of Q1, Q2, PRD, and SUM.

2014-11-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disable NEON for CPUs that are known to have broken NEON implementation.
	+ commit 95eef21583d8e998efc48f22898c1ae31b77cb48
	* src/hwf-arm.c (detect_arm_proc_cpuinfo): Add parsing for CPU version
	information and check if CPU is known to have broken NEON
	implementation.
	(_gcry_hwf_detect_arm): Filter out broken HW features.

	Add ARM/NEON implementation of Poly1305.
	+ commit 0b520128551054d83fb0bb2db8873394f38de498
	* cipher/Makefile.am: Add 'poly1305-armv7-neon.S'.
	* cipher/poly1305-armv7-neon.S: New.
	* cipher/poly1305-internal.h (POLY1305_USE_NEON)
	(POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
	(POLY1305_NEON_ALIGNMENT): New.
	* cipher/poly1305.c [POLY1305_USE_NEON]
	(_gcry_poly1305_armv7_neon_init_ext)
	(_gcry_poly1305_armv7_neon_finish_ext)
	(_gcry_poly1305_armv7_neon_blocks, poly1305_armv7_neon_ops): New.
	(_gcry_poly1305_init) [POLY1305_USE_NEON]: Select NEON implementation
	if HWF_ARM_NEON set.
	* configure.ac [neonsupport=yes]: Add 'poly1305-armv7-neon.lo'.

	chacha20: add ARMv7/NEON implementation.
	+ commit c584f44543883346d5a565581ff99a0afce9c5e1
	* cipher/Makefile.am: Add 'chacha20-armv7-neon.S'.
	* cipher/chacha20-armv7-neon.S: New.
	* cipher/chacha20.c (USE_NEON): New.
	[USE_NEON] (_gcry_chacha20_armv7_neon_blocks): New.
	(chacha20_do_setkey) [USE_NEON]: Use Neon implementation if
	HWF_ARM_NEON flag set.
	(selftest): Self-test encrypting buffer byte by byte.
	* configure.ac [neonsupport=yes]: Add 'chacha20-armv7-neon.lo'.

2014-10-08  Markus Teich  <markus.teich@stusta.mhn.de>

	mpi: Add gcry_mpi_ec_sub.
	+ commit 23ecadf309f8056c35cc092e58df801ac0eab862
	* NEWS (gcry_mpi_ec_sub): New.
	* doc/gcrypt.texi (gcry_mpi_ec_sub): New.
	* mpi/ec.c (_gcry_mpi_ec_sub, sub_points_edwards): New.
	(sub_points_montgomery, sub_points_weierstrass): New stubs.
	* src/gcrypt-int.h (_gcry_mpi_ec_sub): New.
	* src/gcrypt.h.in (gcry_mpi_ec_sub): New.
	* src/libgcrypt.def (gcry_mpi_ec_sub): New.
	* src/libgcrypt.vers (gcry_mpi_ec_sub): New.
	* src/mpi.h (_gcry_mpi_ec_sub_points): New.
	* src/visibility.c (gcry_mpi_ec_sub): New.
	* src/visibility.h (gcry_mpi_ec_sub): New.

2014-10-08  Werner Koch  <wk@gnupg.org>

	Fix prime test for 2 and lower and add check command to mpicalc.
	+ commit 5c906e2cdb14e93fb4915fdc69c7353a5fa35709
	* cipher/primegen.c (check_prime): Return true for the small primes.
	(_gcry_prime_check): Return correct values for 2 and lower numbers.

	* src/mpicalc.c (do_primecheck): New.
	(main): Add command 'P'.
	(main): Allow for larger input data.

2014-10-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Whirlpool AMD64/SSE2 assembly implementation.
	+ commit de0ccd4dce7ec185a678d78878d4538dd609ca0f
	* cipher/Makefile.am: Add 'whirlpool-sse2-amd64.S'.
	* cipher/whirlpool-sse2-amd64.S: New.
	* cipher/whirlpool.c (USE_AMD64_ASM): New.
	(whirlpool_tables_s): New.
	(rc, C0, C1, C2, C3, C4, C5, C6, C7): Combine these tables into single
	structure and replace old tables with macros of same name.
	(tab): New structure containing above tables.
	[USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64)
	(whirlpool_transform): New.
	* configure.ac [host=x86_64]: Add 'whirlpool-sse2-amd64.lo'.

2014-10-04  Andrei Scherer  <andsch@inbox.com>

	Improved ripemd160 performance.
	+ commit 30bd759f398f45b04d0a783b875f59ce9bd1e51d
	* cipher/rmd160.c (transform): Interleave the left and right lane
	rounds to introduce more instruction level parallelism.

2014-10-02  Werner Koch  <wk@gnupg.org>

	build: Document SYSROOT.
	+ commit 0ecd136a6ca02252f63ad229fa5240897bfe6544
	* configure.ac: Mark SYSROOT as arg var.

	build: Support SYSROOT based config script finding.
	+ commit 1e8b86494cf8fa045696bd447b16267ffd1797f0
	* src/libgcrypt.m4: Add support for SYSROOT and set
	gpg_config_script_warn.  Use AC_PATH_PROG instead of AC_PATH_TOOL
	because the config script is not expected to be installed with a
	prefix for its name
	* configure.ac: Print a library mismatch warning.
	* m4/gpg-error.m4: Update from git master.

2014-09-30  Werner Koch  <wk@gnupg.org>

	mac: Fix gcry_mac_close to allow for a NULL handle.
	+ commit 51dae8c8c4b63bb5e1685cbd8722e35342524737
	* cipher/mac.c (_gcry_mac_close): Check for NULL.

2014-09-03  Werner Koch  <wk@gnupg.org>

	Add a constant for a forthcoming new RNG.
	+ commit 8b960a807d168000d2690897a7634bd384ac1346
	* src/gcrypt.h.in (GCRYCTL_DRBG_REINIT): New constant.

2014-09-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add new Poly1305 MAC test vectors.
	+ commit 8a2a328742012a7c528dd007437185e4584c1e48
	* tests/basic.c (check_mac): Add new test vectors for Poly1305 MAC.

2014-09-02  Werner Koch  <wk@gnupg.org>

	asm: Allow building x86 and amd64 using old compilers.
	+ commit 5eec04a43e6c562e956353449be931dd43dfe1cc
	* src/hwf-x86.c (get_xgetbv): Build only if AVX support is enabled.

2014-08-21  Werner Koch  <wk@gnupg.org>

	sexp: Check args of gcry_sexp_build.
	+ commit e606d5f1bada1f2d21faeedd3fa2cf2dca7b274c
	* src/sexp.c (do_vsexp_sscan): Return error for invalid args.

	cipher: Fix a segv in case of calling with wrong parameters.
	+ commit f850add813d783f31ca6a60459dea25ef71bce7e
	* cipher/md.c (_gcry_md_info): Fix arg testing.

	cipher: Fix possible NULL deref in call to prime generator.
	+ commit 18056ace7f466cb8c1eaf08e5dc0400516d83b4c
	* cipher/primegen.c (_gcry_generate_elg_prime): Change to return an
	error code.
	* cipher/dsa.c (generate): Take care of new return code.
	* cipher/elgamal.c (generate): Change to return an error code.  Take
	care of _gcry_generate_elg_prime return code.
	(generate_using_x): Take care of _gcry_generate_elg_prime return code.
	(elg_generate): Propagate return code from generate.

2014-08-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support Montgomery curve for gcry_mpi_ec_mul_point.
	+ commit 34bb55ee36df3aca3ebca88f8b61c786cd0c0701
	* mpi/ec.c (_gcry_mpi_ec_get_affine): Support Montgomery curve.
	(montgomery_ladder): New.
	(_gcry_mpi_ec_mul_point): Implemention using montgomery_ladder.
	(_gcry_mpi_ec_curve_point): Check x-coordinate is valid.

2014-08-09  Werner Koch  <wk@gnupg.org>

	tests: Add a benchmark for Elgamal.
	+ commit e6d354865bf8f3d4c1bb5e8157a76fdd442cff41
	* tests/benchmark.c (sample_public_elg_key_1024): New.
	(sample_private_elg_key_1024): New.
	(sample_public_elg_key_2048, sample_private_elg_key_2048): New.
	(sample_public_elg_key_3072, sample_private_elg_key_3072): New.
	(elg_bench): New.
	(main): Add elg_bench.  Add commands "elg" and "public".

2014-08-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add cofactor to domain parameters.
	+ commit 9933b9e5e1a3f5b1019c75f93bd265d4a1ecc270
	* src/ec-context.h (mpi_ec_ctx_s): Add cofactor 'h'.
	* cipher/ecc-common.h (elliptic_curve_t): Add cofactor 'h'.
	(_gcry_ecc_update_curve_param): New API adding cofactor.

	* cipher/ecc-curves.c (ecc_domain_parms_t): Add cofactor 'h'.
	(ecc_domain_parms_t domain_parms): Add cofactors.
	(_gcry_ecc_fill_in_curve, _gcry_ecc_update_curve_param)
	(_gcry_ecc_get_curve, _gcry_mpi_ec_new, _gcry_ecc_get_param_sexp)
	(_gcry_ecc_get_mpi): Handle cofactor.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
	* cipher/ecc-misc.c (_gcry_ecc_curve_free)
	(_gcry_ecc_curve_copy): Likewise.
	* cipher/ecc.c (nist_generate_key, ecc_generate)
	(ecc_check_secret_key, ecc_sign, ecc_verify, ecc_encrypt_raw)
	(ecc_decrypt_raw, _gcry_pk_ecc_get_sexp, _gcry_pubkey_spec_ecc):
	Likewise.
	(compute_keygrip): Handle cofactor, but skip it for its computation.
	* mpi/ec.c (ec_deinit): Likewise.
	* tests/t-mpi-point.c (context_param): Likewise.
	(test_curve): Add cofactors.
	* tests/curves.c (sample_key_1, sample_key_2): Add cofactors.
	* tests/keygrip.c (key_grips): Add cofactors.

2014-08-05  Werner Koch  <wk@gnupg.org>

	mpi: Fix regression for powerpc-apple-darwin detection.
	+ commit 4ce77b0a810d3c889c07dfb385127d90fa1ae36a
	* mpi/config.links: Add separate entry for powerpc-apple-darwin.

	Fix bug inhibiting the use of the sentinel attribute.
	+ commit d2d28298ccc0d0f3c0b03fd323deb1e8808ef74f
	* src/gcrypt.h.in: Fix typo in macro.

	mpi: Use BSD syntax for x86_64-apple-darwin.
	+ commit 71939faa7c54e7b4b28d115e748a85f134876a02
	* mpi/config.links: Add case for x86_64-apple-darwin.

2014-08-05  Kristian Fiskerstrand  <kf@sumptuouscapital.com>

	Fix building for the x32 target without asm modules.
	+ commit a17c29844b63e9e869f7855d901bc9d859234ead
	* mpi/generic/mpi-asm-defs.h: Use a fixed value for the x32 ABI.

2014-07-25  Werner Koch  <wk@gnupg.org>

	ecc: Support the non-standard 0x40 compression flag for EdDSA.
	+ commit 4556f9b19c024f16bdf542da7173395c0741b91d
	* cipher/ecc.c (ecc_generate): Check the "comp" flag for EdDSA.
	* cipher/ecc-eddsa.c (eddsa_encode_x_y): Add arg WITH_PREFIX.
	(_gcry_ecc_eddsa_encodepoint): Ditto.
	(_gcry_ecc_eddsa_ensure_compact): Handle the 0x40 compression prefix.
	(_gcry_ecc_eddsa_decodepoint): Ditto.
	* tests/keygrip.c: Check an compresssed with prefix Ed25519 key.
	* tests/t-ed25519.inp: Ditto.

	mpi: Extend the internal mpi_get_buffer.
	+ commit 0e10902ad7584277ac966367efc712b183784532
	* mpi/mpicoder.c (do_get_buffer): Add arg EXTRAALLOC.
	(_gcry_mpi_get_buffer_extra): New.

	cipher: Fix compiler warning for chacha20.
	+ commit 4e0bf1b9190ce08fb23eb3ae0c3be58954ff36ab
	* cipher/chacha20.c (chacha20_blocks) [!USE_SSE2]: Do not build.

2014-07-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_swap_cond.
	+ commit 4846e52728970e3117f3a046ef9010be089a3ae4
	* mpi/mpiutil.c (_gcry_mpi_swap_cond): New.
	* src/mpi.h (mpi_swap_cond): New.

2014-06-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Speed-up SHA-1 NEON assembly implementation.
	+ commit 1b9b00bbe41bbed32563f1102049521e703e72bd
	* cipher/sha1-armv7-neon.S: Tweak implementation for speed-up.

2014-06-28  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	gostr3411_94: rewrite to use u32 mathematic.
	+ commit 066f068bd0bc4d8e01f1f18b6153cdc8d2c245d7
	* cipher/gost28147.c (_gcry_gost_enc_data): New.
	* cipher/gostr3411-94.c: Rewrite implementation to use u32 mathematic
	  internally.
	* cipher/gost28147.c (_gcry_gost_enc_one): Remove.

	gost28147: use bufhelp helpers.
	+ commit 7aeba6c449169926076df83b01ddbfa6b41fe411
	* cipher/gost28147.c (gost_setkey, gost_encrypt_block, gost_decrypt_block):
	  use buf_get_le32/buf_put_le32 helpers.

	Fixup curve name in the GOST2012 test case.
	+ commit b78d504fa8745b8b04589acbbcf7dd5fe9279d13
	* tests/basic.c (check_pubkey): fixup curve name in public key.

	Update PBKDF2 tests with GOST R 34.11-94 test cases.
	+ commit 7533b2ad46f42e98d9dba52e88e79c0311d2d3b7
	* tests/t-kdf.c (check_pbkdf2): Add MD_GOSTR3411_CP test cases.

	Add GOST R 34.11-94 variant using id-GostR3411-94-CryptoProParamSet.
	+ commit 25d6af77e2336b5979ddbe8b90978fe5b61dfaf9
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_CP): New.
	* src/cipher.h (_gcry_digest_spec_gost3411_cp): New.
	* cipher/gost28147.c (_gcry_gost_enc_one): Differentiate between
	  CryptoPro and Test S-Boxes.
	* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_cp,
	  gost3411_cp_init): New.
	* cipher/md.c (md_open): GCRY_MD_GOSTR3411_CP also uses B=32.

	gost28147: support GCRYCTL_SET_SBOX.
	+ commit 5ee35a04362c94e680ef3633fa83b72e0aee8626
	cipher/gost28147.c (gost_set_extra_info, gost_set_sbox): New.

	Support setting s-box for the ciphers that require it.
	+ commit fb074d113fcbf66a5c20592625cb19051f3430f5
	* src/gcrypt.h.in (GCRYCTL_SET_SBOX, gcry_cipher_set_sbox): New.
	* cipher/cipher.c (_gcry_cipher_ctl): pass GCRYCTL_SET_SBOX to
	  set_extra_info callback.

	cipher/gost28147: generate optimized s-boxes from compact ones.
	+ commit 164738a0292b3f32c7747099ad9cadace58e5eda
	* cipher/gost-s-box.c: New. Outputs optimized expanded representation of
	  s-boxes (4x256) from compact 16x8 representation.
	* cipher/Makefile.am: Add gost-sb.h dependency to gost28147.lo
	* cipher/gost.h: Add sbox to the GOST28147_context structure.
	* cipher/gost28147.c (gost_setkey): Set default s-box to test s-box from
	  GOST R 34.11 (this was the only one S-box before).
	* cipher/gost28147.c (gost_val): Use sbox from the context.

	gost28147: add OIDs used to define cipher mode.
	+ commit 34a58010000288515636706811c3837f32957b2e
	* cipher/gost28147 (oids_gost28147): Add OID from RFC4357.

	GOST R 34.11-94 add OIDs.
	+ commit 8b221cf5ce233c8c49a4e4ecebb70d523fc37837
	* cipher/gostr3411-94.c: Add OIDs for GOST R 34.11-94 from RFC 4357.

2014-05-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests: add larger test-vectors for hash algorithms.
	+ commit f14fb5b427b5159fcd9603d2b3cde936889cf430
	* tests/basic.c (check_digests): Add large test-vectors for MD5, SHA1,
	SHA224, SHA256, SHA384, RMD160, CRC32, TIGER1, WHIRLPOOL and
	GOSTR3411_94.

	sha512: fix ARM/NEON implementation.
	+ commit beb901575f0d6cd6a0a27506ebea9a725754d0cc
	* cipher/sha512-armv7-neon.S
	(_gcry_sha512_transform_armv7_neon): Byte-swap RW67q and RW1011q
	correctly in multi-block loop.
	* tests/basic.c (check_digests): Add large test vector for SHA512.

2014-05-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARM assembly when building __PIC__
	+ commit 994c758d8f5471c7e9c38c2834742cca2502d35f
	* cipher/camellia-arm.S (GET_DATA_POINTER): New.
	(_gcry_camellia_arm_encrypt_block): Use GET_DATA_POINTER.
	(_gcry_camellia_arm_decrypt_block): Ditto.
	* cipher/cast5-arm.S (GET_DATA_POINTER): New.
	(_gcry_cast5_arm_encrypt_block, _gcry_cast5_arm_decrypt_block)
	(_gcry_cast5_arm_enc_blk2, _gcry_cast5_arm_dec_blk2): Use
	GET_DATA_POINTER.
	* cipher/rijndael-arm.S (GET_DATA_POINTER): New.
	(_gcry_aes_arm_encrypt_block, _gcry_aes_arm_decrypt_block): Use
	GET_DATA_POINTER.
	* cipher/sha1-armv7-neon.S (GET_DATA_POINTER): New.
	(.LK_VEC): Move from .text to .data section.
	(_gcry_sha1_transform_armv7_neon): Use GET_DATA_POINTER.

2014-05-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Poly1305 to documentation.
	+ commit bf4943932dae95a0573b63bf32a9b9acd5a6ddf3
	* doc/gcrypt.texi: Add documentation for Poly1305 MACs and AEAD mode.

2014-05-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: add SSE2/AMD64 optimized implementation.
	+ commit 323b1eb80ff3396d83fedbe5bba9a4e6c412d192
	* cipher/Makefile.am: Add 'chacha20-sse2-amd64.S'.
	* cipher/chacha20-sse2-amd64.S: New.
	* cipher/chacha20.c (USE_SSE2): New.
	[USE_SSE2] (_gcry_chacha20_amd64_sse2_blocks): New.
	(chacha20_do_setkey) [USE_SSE2]: Use SSE2 implementation for blocks
	function.
	* configure.ac [host=x86-64]: Add 'chacha20-sse2-amd64.lo'.

	poly1305: add AMD64/AVX2 optimized implementation.
	+ commit 98f021961ee65669037bc8bb552a69fd78f610fc
	* cipher/Makefile.am: Add 'poly1305-avx2-amd64.S'.
	* cipher/poly1305-avx2-amd64.S: New.
	* cipher/poly1305-internal.h (POLY1305_USE_AVX2)
	(POLY1305_AVX2_BLOCKSIZE, POLY1305_AVX2_STATESIZE)
	(POLY1305_AVX2_ALIGNMENT): New.
	(POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE)
	(POLY1305_STATE_ALIGNMENT): Use AVX2 versions when needed.
	* cipher/poly1305.c [POLY1305_USE_AVX2]
	(_gcry_poly1305_amd64_avx2_init_ext)
	(_gcry_poly1305_amd64_avx2_finish_ext)
	(_gcry_poly1305_amd64_avx2_blocks, poly1305_amd64_avx2_ops): New.
	(_gcry_poly1305_init) [POLY1305_USE_AVX2]: Use AVX2 implementation if
	AVX2 supported by CPU.
	* configure.ac [host=x86_64]: Add 'poly1305-avx2-amd64.lo'.

2014-05-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	poly1305: add AMD64/SSE2 optimized implementation.
	+ commit 297532602ed2d881d8fdc393d1961068a143a891
	* cipher/Makefile.am: Add 'poly1305-sse2-amd64.S'.
	* cipher/poly1305-internal.h (POLY1305_USE_SSE2)
	(POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
	(POLY1305_SSE2_ALIGNMENT): New.
	(POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE)
	(POLY1305_STATE_ALIGNMENT): Use SSE2 versions when needed.
	* cipher/poly1305-sse2-amd64.S: New.
	* cipher/poly1305.c [POLY1305_USE_SSE2]
	(_gcry_poly1305_amd64_sse2_init_ext)
	(_gcry_poly1305_amd64_sse2_finish_ext)
	(_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops): New.
	(_gcry_polu1305_init) [POLY1305_USE_SSE2]: Use SSE2 version.
	* configure.ac [host=x86_64]: Add 'poly1305-sse2-amd64.lo'.

	Add Poly1305 based cipher AEAD mode.
	+ commit e813958419b0ec4439e6caf07d3b2234cffa2bfa
	* cipher/Makefile.am: Add 'cipher-poly1305.c'.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.poly1305'.
	(_gcry_cipher_poly1305_encrypt, _gcry_cipher_poly1305_decrypt)
	(_gcry_cipher_poly1305_setiv, _gcry_cipher_poly1305_authenticate)
	(_gcry_cipher_poly1305_get_tag, _gcry_cipher_poly1305_check_tag): New.
	* cipher/cipher-poly1305.c: New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag): Handle 'GCRY_CIPHER_MODE_POLY1305'.
	(cipher_setiv): Move handling of 'GCRY_CIPHER_MODE_GCM' to ...
	(_gcry_cipher_setiv): ... here, as with other modes.
	* src/gcrypt.h.in: Add 'GCRY_CIPHER_MODE_POLY1305'.
	* tests/basic.c (_check_poly1305_cipher, check_poly1305_cipher): New.
	(check_ciphers): Add Poly1305 check.
	(check_cipher_modes): Call 'check_poly1305_cipher'.
	* tests/bench-slope.c (bench_gcm_encrypt_do_bench): Rename to
	bench_aead_... and take nonce as argument.
	(bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench): Ditto.
	(bench_gcm_encrypt_do_bench, bench_gcm_decrypt_do_bench)
	(bench_gcm_authenticate_do_bench, bench_poly1305_encrypt_do_bench)
	(bench_poly1305_decrypt_do_bench)
	(bench_poly1305_authenticate_do_bench, poly1305_encrypt_ops)
	(poly1305_decrypt_ops, poly1305_authenticate_ops): New.
	(cipher_modes): Add Poly1305.
	(cipher_bench_one): Add special handling for Poly1305.

	Add Poly1305-AES (-Camellia, etc) MACs.
	+ commit 73b3b75c2221a6e3bed4117e0a206a1193acd2ed
	* cipher/mac-internal.h (_gcry_mac_type_spec_poly1305_aes)
	(_gcry_mac_type_spec_poly1305_camellia)
	(_gcry_mac_type_spec_poly1305_twofish)
	(_gcry_mac_type_spec_poly1305_serpent)
	(_gcry_mac_type_spec_poly1305_seed): New.
	* cipher/mac-poly1305.c (poly1305mac_context_s): Add 'hd' and
	'nonce_set'.
	(poly1305mac_open, poly1305mac_close, poly1305mac_setkey): Add handling
	for Poly1305-*** MACs.
	(poly1305mac_prepare_key, poly1305mac_setiv): New.
	(poly1305mac_reset, poly1305mac_write, poly1305mac_read): Add handling
	for 'nonce_set'.
	(poly1305mac_ops): Add 'poly1305mac_setiv'.
	(_gcry_mac_type_spec_poly1305_aes)
	(_gcry_mac_type_spec_poly1305_camellia)
	(_gcry_mac_type_spec_poly1305_twofish)
	(_gcry_mac_type_spec_poly1305_serpent)
	(_gcry_mac_type_spec_poly1305_seed): New.
	* cipher/mac.c (mac_list): Add Poly1305-AES, Poly1305-Twofish,
	Poly1305-Serpent, Poly1305-SEED and Poly1305-Camellia.
	* src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305_AES',
	'GCRY_MAC_POLY1305_CAMELLIA', 'GCRY_MAC_POLY1305_TWOFISH',
	'GCRY_MAC_POLY1305_SERPENT' and 'GCRY_MAC_POLY1305_SEED'.
	* tests/basic.c (check_mac): Add Poly1305-AES test vectors.
	* tests/bench-slope.c (bench_mac_init): Set IV for Poly1305-*** MACs.
	* tests/bench-slope.c (mac_bench): Set IV for Poly1305-*** MACs.

	Add Poly1305 MAC.
	+ commit b8794fed68ebe7567f4617141f0996ad290d9120
	* cipher/Makefile.am: Add 'mac-poly1305.c', 'poly1305.c' and
	'poly1305-internal.h'.
	* cipher/mac-internal.h (poly1305mac_context_s): New.
	(gcry_mac_handle): Add 'u.poly1305mac'.
	(_gcry_mac_type_spec_poly1305mac): New.
	* cipher/mac-poly1305.c: New.
	* cipher/mac.c (mac_list): Add Poly1305.
	* cipher/poly1305-internal.h: New.
	* cipher/poly1305.c: New.
	* src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305'.
	* tests/basic.c (check_mac): Add Poly1035 test vectors; Allow
	overriding lengths of data and key buffers.
	* tests/bench-slope.c (mac_bench): Increase max algo number from 500 to
	600.
	* tests/benchmark.c (mac_bench): Ditto.

	chacha20/AVX2: clear upper-halfs of YMM registers on entry.
	+ commit c20daeeb05329bfc6cc2c562cbd4b965291fe0e1
	* cipher/chacha20-avx2-amd64.S (_gcry_chacha20_amd64_avx2_blocks): Add
	'vzeroupper' at beginning.

	chacha20/AVX2: check for ENABLE_AVX2_SUPPORT instead of HAVE_GCC_INLINE_ASM_AVX2
	+ commit a3062db748f272e0f7346e1ed9e0bf7ed61a4eae
	* cipher/chacha20.c (USE_AVX2): Enable depending on
	ENABLE_AVX2_SUPPORT, not HAVE_GCC_INLINE_ASM_AVX2.
	* cipher/chacha20-avx2-amd64.S: Ditto.

	chacha20/SSSE3: clear XMM registers after use.
	+ commit a7d9eeeba632b7eb4a5b15ff17f6565181642f3c
	* cipher/chacha20-ssse3-amd64.S (_gcry_chacha20_amd64_ssse3_blocks): On
	return, clear XMM registers.

2014-05-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: add AVX2/AMD64 assembly implementation.
	+ commit a39ee7555691d18cae97560f130aaf952bfbd278
	* cipher/Makefile.am: Add 'chacha20-avx2-amd64.S'.
	* cipher/chacha20-avx2-amd64.S: New.
	* cipher/chacha20.c (USE_AVX2): New macro.
	[USE_AVX2] (_gcry_chacha20_amd64_avx2_blocks): New.
	(chacha20_do_setkey): Select AVX2 implementation if there is HW
	support.
	(selftest): Increase size of buf by 256.
	* configure.ac [host=x86-64]: Add 'chacha20-avx2-amd64.lo'.

	chacha20: add SSSE3 assembly implementation.
	+ commit def7d4cad386271c6d4e2f10aabe0cb4abd871e4
	* cipher/Makefile.am: Add 'chacha20-ssse3-amd64.S'.
	* cipher/chacha20-ssse3-amd64.S: New.
	* cipher/chacha20.c (USE_SSSE3): New macro.
	[USE_SSSE3] (_gcry_chacha20_amd64_ssse3_blocks): New.
	(chacha20_do_setkey): Select SSSE3 implementation if there is HW
	support.
	* configure.ac [host=x86-64]: Add 'chacha20-ssse3-amd64.lo'.

	Add ChaCha20 stream cipher.
	+ commit 23f33d57c9b6f2295a8ddfc9a8eee5a2c30cf406
	* cipher/Makefile.am: Add 'chacha20.c'.
	* cipher/chacha20.c: New.
	* cipher/cipher.c (cipher_list): Add ChaCha20.
	* configure.ac: Add ChaCha20.
	* doc/gcrypt.texi: Add ChaCha20.
	* src/cipher.h (_gcry_cipher_spec_chacha20): New.
	* src/gcrypt.h.in (GCRY_CIPHER_CHACHA20): Add new algo.
	* tests/basic.c (MAX_DATA_LEN): Increase to 128 from 100.
	(check_stream_cipher): Add ChaCha20 test-vectors.
	(check_ciphers): Add ChaCha20.

2014-05-09  Werner Koch  <wk@gnupg.org>

	mpi: Fix a subtle bug setting spurious bits with in mpi_set_bit.
	+ commit 246b7aaae1ee459f440260bbc4ec2c01c5dc3362
	* mpi/mpi-bit.c (_gcry_mpi_set_bit, _gcry_mpi_set_highbit): Clear
	allocated but not used bits before resizing.
	* tests/t-mpi-bits.c (set_bit_with_resize): New.

2014-05-07  Werner Koch  <wk@gnupg.org>

	Bump LT version.
	+ commit fc6ff6f73a51bcbbbb3757dc1386da40aa3ae75d
	* configure.ac: Bumb LT version to C21/A1/R0.

2014-04-22  Werner Koch  <wk@gnupg.org>

	random: Small patch for consistency and really burn the stack.
	+ commit a79c4ad7c56ee4410f17beb73eeb58b0dd36bfc6
	* random/rndlinux.c (_gcry_rndlinux_gather_random): s/int/size_t/.
	(_gcry_rndlinux_gather_random): Replace memset by wipememory.

2014-04-16  Werner Koch  <wk@gnupg.org>

	pubkey: Re-map all depreccated RSA algo numbers.
	+ commit 773e23698218755e9172d2507031a8263c47cc0b
	* cipher/pubkey.c (map_algo): Mape RSA_E and RSA_S.

2014-04-15  Werner Koch  <wk@gnupg.org>

	cipher: Fix possible NULL dereference.
	+ commit ae1fbce6dacf14747af0126e640bd4e54cb8c680
	* cipher/md.c (_gcry_md_selftest): Check for spec being NULL.

2014-03-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	3des: add amd64 assembly implementation for 3DES.
	+ commit b76b632a453b8d100d024e2439b4358454dc286e
	* cipher/Makefile.am: Add 'des-amd64.S'.
	* cipher/cipher-selftests.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Handle failures
	from 'setkey' function.
	* cipher/cipher.c (_gcry_cipher_open_internal) [USE_DES]: Setup bulk
	functions for 3DES.
	* cipher/des-amd64.S: New file.
	* cipher/des.c (USE_AMD64_ASM, ATTR_ALIGNED_16): New macros.
	[USE_AMD64_ASM] (_gcry_3des_amd64_crypt_block)
	(_gcry_3des_amd64_ctr_enc), _gcry_3des_amd64_cbc_dec)
	(_gcry_3des_amd64_cfb_dec): New prototypes.
	[USE_AMD64_ASM] (tripledes_ecb_crypt): New function.
	(TRIPLEDES_ECB_BURN_STACK): New macro.
	(_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec)
	(bulk_selftest_setkey, selftest_ctr, selftest_cbc, selftest_cfb): New
	functions.
	(selftest): Add call to CTR, CBC and CFB selftest functions.
	(do_tripledes_encrypt, do_tripledes_decrypt): Use
	TRIPLEDES_ECB_BURN_STACK.
	* configure.ac [host=x86-64]: Add 'des-amd64.lo'.
	* src/cipher.h (_gcry_3des_ctr_enc, _gcry_3des_cbc_dec)
	(_gcry_3des_cfb_dec): New prototypes.

2014-03-13  Werner Koch  <wk@gnupg.org>

	tests: Print diagnostics for skipped tests.
	+ commit 50aeee51a0b1a09dd9fff2bb71749a816fe7a791
	* tests/basic.c (show_note): New.
	(show_md_not_available):
	(show_old_hmac_not_available):
	(show_mac_not_available):
	(check_digests): Remove USE_foo cpp tests from the test table.  Call
	show_md_not_available if algo is not available.
	(check_hmac): Likewise.
	(check_mac): Likewise.

2014-03-11  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add MD2 message digest implementation.
	+ commit 5a8e1504bf8a2ffbc018be576dea77b685200444
	* cipher/md2.c: New.
	* cipher/md.c (digest_list): add _gcry_digest_spec_md2.
	* tests/basic.c (check_digests): add MD2 test vectors.
	* configure.ac (default_digests): disable md2 by default.

2014-03-04  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add an utility to calculate hashes over a set of files.
	+ commit 2b5403c408dfbd71be24c7635f5fa0b61ab4c9bb
	* tests/gchash.c: New.

	Add a simple (raw) PKCS#1 padding mode.
	+ commit ea8d597726305274214224757b32730644e12bd8
	* src/cipher.h (PUBKEY_ENC_PKCS1_RAW): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Handle pkcs1-raw
	  flag.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi):
	  Handle s-exp like (data (flags pkcs1-raw) (value xxxxx))
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_encode_raw_for_sig):
	  PKCS#1-encode data with embedded hash OID for signature verification.
	* tests/basic.c (check_pubkey_sign): Add tests for s-exps with pkcs1-raw
	  flag.

2014-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARMv6 detection when CFLAGS modify target CPU architecture.
	+ commit 6be3032048ee2466511d2384fcf2d28b856219b2
	* configure.ac (gcry_cv_cc_arm_arch_is_v6): Use compiler test instead
	of preprocessor test.

2014-01-29  Werner Koch  <wk@gnupg.org>

	Reserve control code for FIPS extensions.
	+ commit aea96a64fbc58a0b6f9f435e97e93294c6eb1052
	* src/gcrypt.h.in (GCRYCTL_INACTIVATE_FIPS_FLAG): New.
	(GCRYCTL_REACTIVATE_FIPS_FLAG): New.
	* src/global.c (_gcry_vcontrol): Add them but return not_implemented.

2014-01-29  NIIBE Yutaka  <gniibe@fsij.org>

	Fix RSA Blinding.
	+ commit 121a90d8931944974054f7d94f63b7f89df87fa5
	* cipher/rsa.c (rsa_decrypt): Loop to get multiplicative inverse.

2014-01-28  Werner Koch  <wk@gnupg.org>

	cipher: Take care of ENABLE_NEON_SUPPORT.
	+ commit 52f7c48c901a3de51bd690a218f3de2f71e8d790
	* cipher/salsa20.c (USE_ARM_NEON_ASM): Define only if
	ENABLE_NEON_SUPPORT is defined.
	* cipher/serpent.c (USE_NEON): Ditto.
	* cipher/sha1.c (USE_NEON): Ditto.
	* cipher/sha512.c (USE_ARM_NEON_ASM): Ditto.

	sexp: Fix broken gcry_sexp_nth.
	+ commit cbdc355415f83ed62da4f3618767eba54d7e6d37
	* src/sexp.c (_gcry_sexp_nth): Return a valid S-expression for a data
	element.
	(NODE): Remove unused typedef.
	(ST_HINT): Comment unused macro.

	* tests/t-sexp.c (bug_1594): New.
	(main): Run new test.

2014-01-27  Werner Koch  <wk@gnupg.org>

	tests: Improve t-common.h.
	+ commit 7460e9243b3cc050631c37ed4f2713ae7bcb6762
	* tests/t-common.h: Add couple of macros.  Check that config.h has
	been included.
	(show): Rename to info.
	* tests/t-lock.c, tests/t-sexp.c: Adjust for changes.

	mpi: Minor fix for Atari-mint.
	+ commit 3caa0f1319dc4779e0d6eee4460c1af2a12b2c3c
	* mpi/config.links [m68k-atari-mint]: Do not assume 68020.  Suggested
	by Alan Hourihane.

	(cherry picked from commit 420f42a5752e90a8b27d58ffa1ddfe6e4ab341e8)

2014-01-27  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix most of memory leaks in tests code.
	+ commit 5c150ece094bf0a504a111ce6c7b72e8d0b0457a
	* tests/basic.c (check_ccm_cipher): Close cipher after use.
	* tests/basic.c (check_one_cipher): Correct length of used buffer.
	* tests/benchmark.c (cipher_bench): Use xcalloc to make buffer
	  initialized.
	* tests/keygen.c (check_ecc_keys): Release generated key.
	* tests/t-mpi-point.c (context_param): Release mpi Q.
	* tests/t-sexp.c (check_extract_param): Release extracted number.

	Fix memory leaks in ecc code.
	+ commit 6d87e6abdfb7552323a95401f14e6367398a3e5a
	* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Release passed mpi
	  values.
	* cipher/ecc.c (compute_keygrip): Fix potential memory leak in error
	  path.
	* cipher/ecc.c (_gcry_ecc_get_curve): Release temporary mpi.

	Fix number of blocks passed used in _gcry_rmd160_mixblock.
	+ commit 5d23e7b9a77421f3ebfda4a84c459a8729f3bb41
	* cipher/rmd160.c (_gcry_rmd160_mixblock): pass 1 to transform

2014-01-27  Werner Koch  <wk@gnupg.org>

	Small Windows build tweaks.
	+ commit f7df906171854b6b6506b82d4fee2c2ebb0327ea
	* configure.ac (HAVE_PTHREAD): Do test when building for Windows.

	* tests/basic.c: Replace "%zi" by "%z" and a cast to make it work
	under Windows.

	Update gpg-error autoconf macros to fix threading problems.
	+ commit 79da0358fd555361e1ce4202f55494a8918eb8ae
	* m4/gpg-error.m4: Update to version 2014-01-24.
	* tests/Makefile.am (t_lock_LDADD): Use MT Libs.

2014-01-24  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests: Pass -no-install to libtool.
	+ commit bf34bfa5c458ee5ece91f25e3b4194d768498ab6
	* tests/Makefile.am: add AM_LDFLAGS = -no-install

2014-01-24  Werner Koch  <wk@gnupg.org>

	tests: Add a test for the internal locking.
	+ commit ff91ec934ed52294cddcd7dcfacc04721a0487bf
	* src/global.c (external_lock_test): New.
	(_gcry_vcontrol): Call new function with formerly reserved code 61.

	* tests/t-common.h: New. Taken from current libgpg-error.
	* tests/t-lock.c: New.  Based on t-lock.c from libgpg-error.
	* configure.ac (HAVE_PTHREAD): Set macro to 1 if defined.
	(AC_CHECK_FUNCS): Check for flockfile.
	* tests/Makefile.am (tests_bin): Add t-lock.
	(noinst_HEADERS): Add t-common.h
	(LDADD): Move value to ...
	(default_ldadd): new.
	(t_lock_LDADD): New.

	Check compiler features only for the relevant platform.
	+ commit 24e65d715812cea28732397870cb1585b8435521
	* mpi/config.links (mpi_cpu_arch): Always set for ARM.  Set for HPPA.
	Set to "undefined" for unknown platforms.
	(try_asm_modules): Act upon only after having detected the CPU.
	* configure.ac: Move the call to config.links before the platform
	specific compiler checks.  Check platform specific features only if
	the platform is targeted.

2014-01-23  Werner Koch  <wk@gnupg.org>

	Support building using the latest mingw-w64 toolchain.
	+ commit 4ad3417acab5021db1f722c314314ce4b781833a
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection.

2014-01-20  Werner Koch  <wk@gnupg.org>

	cipher: Fix commit 94030e44.
	+ commit dad06e4d1b835bac778b87090b1d3894b7535b14
	* cipher/tiger.c (tiger_init): Add arg FLAGS.
	(tiger1_init, tiger2_init): Ditto.

	tests: Rename tsexp.c.
	+ commit 192e77d123fdb04c459c998b9eb1731618a833fa
	* tests/tsexp.c: Rename to t-sexp.c

2014-01-19  Werner Koch  <wk@gnupg.org>

	md: Add Whirlpool bug emulation feature.
	+ commit 94030e44aaff805d754e368507f16dd51a531b72
	* src/gcrypt.h.in (GCRY_MD_FLAG_BUGEMU1): New.
	* src/cipher-proto.h (gcry_md_init_t): Add arg FLAGS.  Change all code
	to implement that flag.
	* cipher/md.c (gcry_md_context):  Replace SECURE and FINALIZED by bit
	field FLAGS.  Add flag BUGEMU1.  Change all users.
	(md_open): Replace args SECURE and HMAC by FLAGS.  Init flags.bugemu1.
	(_gcry_md_open): Add for GCRY_MD_FLAG_BUGEMU1.
	(md_enable): Pass bugemu1 flag to the hash init function.
	(_gcry_md_reset): Ditto.

2014-01-17  Werner Koch  <wk@gnupg.org>

	Actually check for uint64_t.
	+ commit c3b30bae7d1e157f8b65e32ba1b3a516f2bbf58b
	* configure.ac: Check size of uint64_t and the UINT64_C macro.

2014-01-16  Werner Koch  <wk@gnupg.org>

	Replace ath based mutexes by gpgrt based locks.
	+ commit cfc151ba637200e4fc05d9481a8df2071b2f9a47
	* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13.
	(gl_LOCK): Remove.
	* src/ath.c, src/ath.h: Remove.  Remove from all files.  Replace all
	mutexes by gpgrt based statically initialized locks.
	* src/global.c (global_init): Remove ath_init.
	(_gcry_vcontrol): Make ath install a dummy function.
	(print_config): Remove threads info line.

	* doc/gcrypt.texi: Simplify the multi-thread related documentation.

2014-01-15  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix _gcry_mpi_ec_p_new to allow secp256k1.
	+ commit 49edeebb43174865cf4fa2c170a42a8e4274c4f0
	* mpi/ec.c (_gcry_mpi_ec_p_new): Remove checking a!=0.
	* tests/t-mpi-point.c (context_alloc): Remove two spurious tests.

2014-01-14  Milan Broz  <gmazyland@gmail.com>

	PBKDF2: Use gcry_md_reset to speed up calculation.
	+ commit 04cda6b7cc16f3f52c12d9d3e46c56701003496e
	* cipher/kdf.c (_gcry_kdf_pkdf2): Use gcry_md_reset
	to speed up calculation.

2014-01-13  Werner Koch  <wk@gnupg.org>

	Fix macro conflict in NetBSD.
	+ commit 5f2af6c26bc04975c0b518881532871d7387d7ce
	* cipher/bithelp.h (bswap32): Rename to _gcry_bswap32.
	(bswap64): Rename to _gcry_bswap64.

	Use internal malloc function in fips.c.
	+ commit 518ae274a1845ce626b2b4223a9b3805cbbab1a7
	* src/fips.c (check_binary_integrity): s/gcry_malloc/xtrymalloc/.

2014-01-13  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Truncate hash values for ECDSA signature scheme.
	+ commit 9edcf1090e0485f9f383b6c54b18ea8ca3d4a225
	* cipher/dsa-common (_gcry_dsa_normalize_hash): New. Truncate opaque
	  mpis as required for DSA and ECDSA signature schemas.
	* cipher/dsa.c (verify): Return gpg_err_code_t value from verify() to
	  behave like the rest of internal sign/verify functions.
	* cipher/dsa.c (sign, verify, dsa_verify): Factor out hash truncation.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Factor out hash truncation.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_verify):
	  as required by ECDSA scheme, truncate hash values to bitlength of
	  used curve.
	* tests/pubkey.c (check_ecc_sample_key): add a testcase for hash
	  truncation.

	Add GOST R 34.10-2012 curves proposed by TC26.
	+ commit 2c5ec803100ed8261e51442fb93b75367b7725ea
	* cipher/ecc-curves.c (domain_parmss): Add two GOST R 34.10-2012 curves
	  proposed/pending to standardization by TC26 (Russian cryptography
	  technical comitee).
	* cipher/ecc-curves.c (curve_alias): Add OID aliases.
	* tests/curves.c: Increase N_CURVES.

	Add GOST R 34.10-2001 curves per RFC4357.
	+ commit 9bedc5c3b646dfe481678ca58f5466ac46decaf7
	* cipher/ecc-curves.c (domain_parms): Add 3 curves defined in rfc4357.
	* cipher/ecc-curves.c (curve_aliases): Add OID and Xch aliases for GOST
	  curves.
	* tests/curves.c (N_CURVES): Update value.

	Fix typo in search_oid.
	+ commit 7edcb574d8d6dffb6e234c2ba1996a9a04923859
	* cipher/md.c (search_oid): Invert condition on oid comparison.

	Add MD2-HMAC calculation support.
	+ commit 653b58cb5e85511b6c04c3f85ef3e372c2e9f74f
	* src/gcrypt.h.in (GCRY_MAC_HMAC_MD2): New.
	* cipher/mac-hmac.c: Support GCRY_MAC_HMAC_MD2.

	Add a function to retrieve algorithm used by MAC handler.
	+ commit 8439a379c86ef1088465ea70ac10840759a1638e
	* cipher/mac.c (_gcry_mac_get_algo): New function, returns used algo.
	* src/visibility.c (gcry_mac_get_algo): New wrapper.
	* src/visibility.h: Hanlde gcry_mac_get_algo.
	* src/gcrypt-int.h (_gcry_mac_get_algo): New.
	* src/gcrypt.h.in (gcry_mac_get_algo): New.
	* src/libgcrypt.def (gcry_mac_get_algo): New.
	* src/libgcrypt.vers (gcry_mac_get_algo): New.
	* doc/gcrypt.texi: Document gcry_mac_get_algo.
	* tests/basic.c (check_one_mac): Verify gcry_mac_get_algo.

	Correct formatting of gcry_mac_get_algo_keylen documentation.
	+ commit 36c9e0e4eb4f935da90df1c8df484d1940bda5eb
	* doc/gcrypt.texi: add braces near gcry_mac_get_algo_keylen
	  documentation.

	Use braces around unsigned int in gcry_mac_get_algo_keylen
	documentation, otherwise texinfo breaks that and uses 'int' as a
	function definition.

2014-01-13  Werner Koch  <wk@gnupg.org>

	ecc: Make a macro shorter.
	+ commit 2ef48ba59c32bfa1a9265d5eea8ab225a658903a
	* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  CHnage
	all users.
	* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
	comment.
	* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
	(add_points_twistededwards): Rename to add_points_edwards.

2014-01-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix assembly division check.
	+ commit ef3e66e168c4b9b86bfc4903001631e53a7125d8
	* configure.ac (gcry_cv_gcc_as_const_division_ok): Correct variable
	name mismatch at '--Wa,--divide' workaround check.

2014-01-12  NIIBE Yutaka  <gniibe@fsij.org>

	Add secp256k1 curve.
	+ commit 019e0e9e8c77a2edf283745e05e9301673ea6a0a
	* cipher/ecc-curves.c (curve_aliases): Add secp256k1 and its OID.
	(domain_parms): Add secp256k1's domain paramerter.

	* tests/basic.c (check_pubkey): Add a key of secp256k1.

	* tests/curves.c (N_CURVES): Updated.

2014-01-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix constant division for AMD64 assembly on Solaris/x86.
	+ commit 43376891c01f4aff1fbfb23beafebb5adfd0868c
	* configure.ac (gcry_cv_gcc_as_const_division_ok): Add new check for
	constant division in assembly and test for "-Wa,--divide" workaround.
	(gcry_cv_gcc_amd64_platform_as_ok): Check for also constant division.

2014-01-10  Werner Koch  <wk@gnupg.org>

	Use the generic autogen.sh script.
	+ commit b0ac1f9b143aa15855914ba93fef900288d45c9c
	* autogen.rc: New.
	* Makefile.am (EXTRA_DIST): Add it.
	* autogen.sh: Update from current GnuPG.

	Move all helper scripts to build-aux/
	+ commit df9b4eabf52faee6f289a4bc62219684442ae383
	* scripts/: Rename to build-aux/.
	* compile, config.guess, config.rpath, config.sub
	* depcomp, doc/mdate-sh, doc/texinfo.tex
	* install-sh, ltmain.sh, missing: Move to build-aux/.
	* Makefile.am (EXTRA_DIST): Adjust.
	* configure.ac (AC_CONFIG_AUX_DIR): New.
	(AM_SILENT_RULES): New.

2013-12-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add blowfish/serpent ARM assembly files to Makefile.am.
	+ commit 7fef7f481c0a1542be34d1dc831f58d41846ac29
	* cipher/Makefile.am: Add 'blowfish-arm.S' and 'serpent-armv7-neon.S'.

	Add AMD64 assembly implementation for arcfour.
	+ commit 7547898109c72a97e3102b2a045ee4fdb2aa40bf
	* cipher/Makefile.am: Add 'arcfour-amd64.S'.
	* cipher/arcfour-amd64.S: New.
	* cipher/arcfour.c (USE_AMD64_ASM): New.
	[USE_AMD64_ASM] (ARCFOUR_context, _gcry_arcfour_amd64)
	(encrypt_stream): New.
	* configure.ac [host=x86_64]: Add 'arcfour-amd64.lo'.

	Parse /proc/cpuinfo for ARM HW features.
	+ commit a05be441d8cd89b90d8d58e3a343a436dae377d0
	* src/hwf-arm.c [__linux__] (HAS_PROC_CPUINFO)
	(detect_arm_proc_cpuinfo): New.
	(_gcry_hwf_detect_arm) [HAS_PROC_CPUINFO]: Check '/proc/cpuinfo' for
	HW features.

	Fix buggy/incomplete detection of AVX/AVX2 support.
	+ commit bbcb12187afb1756cb27296166b57fa19ee45d4d
	* configure.ac: Also check for 'xgetbv' instruction in AVX and AVX2
	inline assembly checks.
	* src/hwf-x86.c [__i386__] (get_xgetbv): New function.
	[__x86_64__] (get_xgetbv): New function.
	[HAS_X86_CPUID] (detect_x86_gnuc): Check for OSXSAVE and OS support for
	XMM&YMM registers and enable AVX/AVX2 only if XMM&YMM registers are
	supported by OS.

2013-12-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change utf-8 copyright characters to '(C)'
	+ commit b7e814f93ee40fcfe17a187a8989c07fde2ba0cd
	cipher/blowfish-amd64.S: Change utf-8 encoded copyright character to
	'(C)'.
	cipher/blowfish-arm.S: Ditto.
	cipher/bufhelp.h: Ditto.
	cipher/camellia-aesni-avx-amd64.S: Ditto.
	cipher/camellia-aesni-avx2-amd64.S: Ditto.
	cipher/camellia-arm.S: Ditto.
	cipher/cast5-amd64.S: Ditto.
	cipher/cast5-arm.S: Ditto.
	cipher/cipher-ccm.c: Ditto.
	cipher/cipher-cmac.c: Ditto.
	cipher/cipher-gcm.c: Ditto.
	cipher/cipher-selftest.c: Ditto.
	cipher/cipher-selftest.h: Ditto.
	cipher/mac-cmac.c: Ditto.
	cipher/mac-gmac.c: Ditto.
	cipher/mac-hmac.c: Ditto.
	cipher/mac-internal.h: Ditto.
	cipher/mac.c: Ditto.
	cipher/rijndael-amd64.S: Ditto.
	cipher/rijndael-arm.S: Ditto.
	cipher/salsa20-amd64.S: Ditto.
	cipher/salsa20-armv7-neon.S: Ditto.
	cipher/serpent-armv7-neon.S: Ditto.
	cipher/serpent-avx2-amd64.S: Ditto.
	cipher/serpent-sse2-amd64.S: Ditto.

	Add ARM/NEON implementation for SHA-1.
	+ commit fc7dcf616937afaf73cfda1bf7bd79566a96b130
	* cipher/Makefile.am: Add 'sha1-armv7-neon.S'.
	* cipher/sha1-armv7-neon.S: New.
	* cipher/sha1.c (USE_NEON): New.
	(SHA1_CONTEXT, sha1_init) [USE_NEON]: Add and initialize 'use_neon'.
	[USE_NEON] (_gcry_sha1_transform_armv7_neon): New.
	(transform) [USE_NEON]: Use ARM/NEON assembly if enabled.
	* configure.ac: Add 'sha1-armv7-neon.lo'.

	Improve performance of SHA-512/ARM/NEON implementation.
	+ commit df629ba53a662427ebd3ddca90c3fe9ddd6511d3
	* cipher/sha512-armv7-neon.S (RT01q, RT23q, RT45q, RT67q): New.
	(round_0_63, round_64_79): Remove.
	(rounds2_0_63, rounds2_64_79): New.
	(_gcry_sha512_transform_armv7_neon): Add 'nblks' input; Handle multiple
	input blocks; Use new round macros.
	* cipher/sha512.c [USE_ARM_NEON_ASM]
	(_gcry_sha512_transform_armv7_neon): Add 'num_blks'.
	(transform) [USE_ARM_NEON_ASM]: Pass nblks to assembly.

	Add AVX and AVX2/BMI implementations for SHA-256.
	+ commit a5c2bbfe0db515d739ab683297903c77b1eec124
	* LICENSES: Add 'cipher/sha256-avx-amd64.S' and
	'cipher/sha256-avx2-bmi2-amd64.S'.
	* cipher/Makefile.am: Add 'sha256-avx-amd64.S' and
	'sha256-avx2-bmi2-amd64.S'.
	* cipher/sha256-avx-amd64.S: New.
	* cipher/sha256-avx2-bmi2-amd64.S: New.
	* cipher/sha256-ssse3-amd64.S: Use 'lea' instead of 'add' in few
	places for tiny speed improvement.
	* cipher/sha256.c (USE_AVX, USE_AVX2): New.
	(SHA256_CONTEXT) [USE_AVX, USE_AVX2]: Add 'use_avx' and 'use_avx2'.
	(sha256_init, sha224_init) [USE_AVX, USE_AVX2]: Initialize above
	new context members.
	[USE_AVX] (_gcry_sha256_transform_amd64_avx): New.
	[USE_AVX2] (_gcry_sha256_transform_amd64_avx2): New.
	(transform) [USE_AVX2]: Use AVX2 assembly if enabled.
	(transform) [USE_AVX]: Use AVX assembly if enabled.
	* configure.ac: Add 'sha256-avx-amd64.lo' and
	'sha256-avx2-bmi2-amd64.lo'.

2013-12-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AVX and AVX/BMI2 implementations for SHA-1.
	+ commit e4e458465b124e25b6aec7a60174bf1ca32dc5fd
	* cipher/Makefile.am: Add 'sha1-avx-amd64.S' and
	'sha1-avx-bmi2-amd64.S'.
	* cipher/sha1-avx-amd64.S: New.
	* cipher/sha1-avx-bmi2-amd64.S: New.
	* cipher/sha1.c (USE_AVX, USE_BMI2): New.
	(SHA1_CONTEXT) [USE_AVX]: Add 'use_avx'.
	(SHA1_CONTEXT) [USE_BMI2]: Add 'use_bmi2'.
	(sha1_init): Initialize 'use_avx' and 'use_bmi2'.
	[USE_AVX] (_gcry_sha1_transform_amd64_avx): New.
	[USE_BMI2] (_gcry_sha1_transform_amd64_bmi2): New.
	(transform) [USE_BMI2]: Use BMI2 assembly if enabled.
	(transform) [USE_AVX]: Use AVX assembly if enabled.
	* configure.ac: Add 'sha1-avx-amd64.lo' and 'sha1-avx-bmi2-amd64.lo'.

	SHA-1/SSSE3: Improve performance on large buffers.
	+ commit 6fd0dd2a5f1362f91e2861cd9d300341a43842a5
	* cipher/sha1-ssse3-amd64.S (RNBLKS): New.
	(_gcry_sha1_transform_amd64_ssse3): Handle multiple input blocks, with
	software pipelining of next data block processing.
	* cipher/sha1.c [USE_SSSE3] (_gcry_sha1_transform_amd64_ssse3): Add
	'nblks'.
	(transform) [USE_SSSE3]: Pass nblks to assembly function.

	Add bulk processing for hash transform functions.
	+ commit 50b8c8342d023038a4b528af83153293dd2756ea
	* cipher/hash-common.c (_gcry_md_block_write): Preload 'hd->blocksize'
	to stack, pass number of blocks to 'hd->bwrite'.
	* cipher/hash-common.c (_gcry_md_block_write_t): Add 'nblks'.
	* cipher/gostr3411-94.c: Rename 'transform' function to
	'transform_blk', add new 'transform' function with 'nblks' as
	additional input.
	* cipher/md4.c: Ditto.
	* cipher/md5.c: Ditto.
	* cipher/md4.c: Ditto.
	* cipher/rmd160.c: Ditto.
	* cipher/sha1.c: Ditto.
	* cipher/sha256.c: Ditto.
	* cipher/sha512.c: Ditto.
	* cipher/stribog.c: Ditto.
	* cipher/tiger.c: Ditto.
	* cipher/whirlpool.c: Ditto.

2013-12-16  Werner Koch  <wk@gnupg.org>

	Release 1.6.0.
	+ commit 0ea9731e1c93a962f6266004ab0e7418c19d6277


	doc: Change yat2m to allow arbitrary condition names.
	+ commit 9a912f8c4f366c53f1cdb94513b67b937e87178b
	* doc/yat2m.c (MAX_CONDITION_NESTING): New.
	(gpgone_defined): Remove.
	(condition_s, condition_stack, condition_stack_idx): New.
	(cond_is_active, cond_in_verbatim): New.
	(add_predefined_macro, set_macro, macro_set_p): New.
	(evaluate_conditions, push_condition, pop_condition): New.
	(parse_file): Rewrite to use the condition stack.
	(top_parse_file): Set prefined macros.
	(main): Change -D to define arbitrary macros.

	tests: Add SHA-512 to the long hash test.
	+ commit 0d3bd23d7f730b9bbc81fc8da8d99f4853c36020
	* tests/hashtest.c (testvectors): Add vectors for 256GiB SHA-512.
	* tests/hashtest-256g.in (algos): Add test for SHA-512.

	Add configure option --enable-large-data-tests.
	+ commit a6b9304a889397ac98e1c2c4ac3e178669d94492
	* configure.ac: Add option --enable-large-data-tests.
	* tests/hashtest-256g.in: New.
	* tests/Makefile.am (EXTRA_DIST): Add hashtest-256g.in.
	(TESTS): Split up into tests_bin, tests_bin_last, tests_sh, and
	tests_sh_last.
	(tests_sh_last): Add hashtest-256g
	(noinst_PROGRAMS): Add only tests_bin and tests_bin_last.
	(bench-slope.log, hashtest-256g.log): New rules to enforce serial run.

	random: Call random progress handler more often.
	+ commit 5a7ce59396fe56f0d681df314bfbdb5f7732d4b1
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Update progress
	indicator earlier.

	cipher: Normalize the MPIs used as input to secret key functions.
	+ commit dec048b2ec79271a2f4405be5b87b1e768b3f1a9
	* cipher/dsa.c (sign): Normalize INPUT.
	* cipher/elgamal.c (decrypt): Normalize A and B.
	* cipher/rsa.c (secret): Normalize the INPUT.
	(rsa_decrypt): Reduce DATA before passing to secret.

2013-12-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change dummy variable in mpih-div.c to mpi_limb_t type.
	+ commit 953535a7de68cf62b5b1ad6f96ea3a9edd83762c
	* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Change dummy
	variable to 'mpi_limb_t' type from 'int'.

	Remove duplicate gcry_mac_hd_t typedef.
	+ commit 5c31990214b58c4e17edb01fbbe6d9f573975a22
	* cipher/mac-internal.h (gcry_mac_hd_t): Remove.

2013-12-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Use u64 for CCM data lengths.
	+ commit 110fed2d6b0bbc97cb5cc0a3a564e05fc42afa2d
	* cipher/cipher-ccm.c: Move code inside [HAVE_U64_TYPEDEF].
	[HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_set_lengths): Use 'u64' for
	data lengths.
	[!HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt, _gcry_cipher_ccm_set_nonce)
	(_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_get_tag)
	(_gcry_cipher_ccm_check_tag): Dummy functions returning
	GPG_ERROR_NOT_SUPPORTED.
	* cipher/cipher-internal.h (gcry_cipher_handle.u_mode.ccm)
	(_gcry_cipher_ccm_set_lengths): Move inside [HAVE_U64_TYPEDEF] and use
	u64 instead of size_t for CCM data lengths.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_reset)
	(_gcry_cipher_ctl) [!HAVE_U64_TYPEDEF]: Return GPG_ERR_NOT_SUPPORTED
	for CCM.
	(_gcry_cipher_ctl) [HAVE_U64_TYPEDEF]: Use u64 for
	GCRYCTL_SET_CCM_LENGTHS length parameters.
	* tests/basic.c: Do not use CCM if !HAVE_U64_TYPEDEF.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.

2013-12-14  Werner Koch  <wk@gnupg.org>

	tests: Prevent rare failure of gcry_pk_decrypt test.
	+ commit bfb43a17d8db571fca4ed433ee8be5c366745844
	* tests/basic.c (check_pubkey_crypt): Add special mode 1.
	(main): Add option --loop.

2013-12-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Minor fixes to SHA assembly implementations.
	+ commit ffd9b2aa5abda7f4d7790ed48116ed5d71ab9995
	* cipher/Makefile.am: Correct 'sha256-avx*.S' to 'sha512-avx*.S'.
	* cipher/sha1-ssse3-amd64.S: First line, correct filename.
	* cipher/sha256-ssse3-amd64.S: Return correct stack burn depth.
	* cipher/sha512-avx-amd64.S: Use 'vzeroall' to clear registers.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto and return correct stack burn
	depth.

	SHA-1/SSSE3: Do not check for Intel syntax assembly support.
	+ commit c86c35534a153b13e880d0bb0ea3e48e1c0ecaf9
	* cipher/sha1-ssse3-amd64.S: Remove check for
	HAVE_INTEL_SYNTAX_PLATFORM_AS.
	* cipher/sha1.c [USE_SSSE3]: Ditto.

2013-12-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Convert SHA-1 SSSE3 implementation from mixed asm&C to pure asm.
	+ commit d2b853246c2ed056a92096d89c3ca057e45c9c92
	* cipher/Makefile.am: Change 'sha1-ssse3-amd64.c' to
	'sha1-ssse3-amd64.S'.
	* cipher/sha1-ssse3-amd64.c: Remove.
	* cipher/sha1-ssse3-amd64.S: New.

	SHA-1: Add SSSE3 implementation.
	+ commit be2238f68abcc6f2b4e8c38ad9141376ce622a22
	* cipher/Makefile.am: Add 'sha1-ssse3-amd64.c'.
	* cipher/sha1-ssse3-amd64.c: New.
	* cipher/sha1.c (USE_SSSE3): New.
	(SHA1_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha1_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	(transform): Rename to...
	(_transform): this.
	(transform): New.
	* configure.ac [host=x86_64]: Add 'sha1-ssse3-amd64.lo'.

	Add missing register clearing in to SHA-256 and SHA-512 assembly.
	+ commit 04615cc6803cdede25fa92e3ff697e252a23cd7a
	* cipher/sha256-ssse3-amd64.S: Clear used XMM/YMM registers at return.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

2013-12-13  Werner Koch  <wk@gnupg.org>

	Update license information.
	+ commit 764643a3d5634bcbc47790bd8505f6a1a5280d9c
	* LICENSES: New.
	* Makefile.am (EXTRA_DIST): Add LICENSES.
	* AUTHORS: Add list of copyright holders.
	* README: Reference AUTHORS.

2013-12-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix empty clobber in AVX2 assembly check.
	+ commit e41d605ee41469e8a33cdc4d38f742cfb931f835
	* configure.ac (gcry_cv_gcc_inline_asm_avx2): Add "cc" as assembly
	globber.

	Fix W32 build.
	+ commit a71b810ddd67ca3a1773d8f929d162551abb58eb
	* random/rndw32.c (register_poll, slow_gatherer): Change gcry_xmalloc to
	xmalloc, and gcry_xrealloc to xrealloc.

2013-12-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	SHA-512: Add AVX and AVX2 implementations for x86-64.
	+ commit 2e4253dc8eb512cd0e807360926dc6ba912c95b4
	* cipher/Makefile.am: Add 'sha512-avx-amd64.S' and
	'sha512-avx2-bmi2-amd64.S'.
	* cipher/sha512-avx-amd64.S: New.
	* cipher/sha512-avx2-bmi2-amd64.S: New.
	* cipher/sha512.c (USE_AVX, USE_AVX2): New.
	(SHA512_CONTEXT) [USE_AVX]: Add 'use_avx'.
	(SHA512_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
	(sha512_init, sha384_init) [USE_AVX]: Initialize 'use_avx'.
	(sha512_init, sha384_init) [USE_AVX2]: Initialize 'use_avx2'.
	[USE_AVX] (_gcry_sha512_transform_amd64_avx): New.
	[USE_AVX2] (_gcry_sha512_transform_amd64_avx2): New.
	(transform) [USE_AVX2]: Add call for AVX2 implementation.
	(transform) [USE_AVX]: Add call for AVX implementation.
	* configure.ac (HAVE_GCC_INLINE_ASM_BMI2): New check.
	(sha512): Add 'sha512-avx-amd64.lo' and 'sha512-avx2-bmi2-amd64.lo'.
	* doc/gcrypt.texi: Document 'intel-cpu' and 'intel-bmi2'.
	* src/g10lib.h (HWF_INTEL_CPU, HWF_INTEL_BMI2): New.
	* src/hwfeatures.c (hwflist): Add "intel-cpu" and "intel-bmi2".
	* src/hwf-x86.c (detect_x86_gnuc): Check for HWF_INTEL_CPU and
	HWF_INTEL_BMI2.

	SHA-512: Add SSSE3 implementation for x86-64.
	+ commit 69a6d0f9562fcd26112a589318c13de66ce1700e
	* cipher/Makefile.am: Add 'sha512-ssse3-amd64.S'.
	* cipher/sha512-ssse3-amd64.S: New.
	* cipher/sha512.c (USE_SSSE3): New.
	(SHA512_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha512_init, sha384_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	[USE_SSSE3] (_gcry_sha512_transform_amd64_ssse3): New.
	(transform) [USE_SSSE3]: Call SSSE3 implementation.
	* configure.ac (sha512): Add 'sha512-ssse3-amd64.lo'.

	SHA-256: Add SSSE3 implementation for x86-64.
	+ commit e1a3931263e67aacec3c0bfcaa86c7d1441d5c6a
	* cipher/Makefile.am: Add 'sha256-ssse3-amd64.S'.
	* cipher/sha256-ssse3-amd64.S: New.
	* cipher/sha256.c (USE_SSSE3): New.
	(SHA256_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha256_init, sha224_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	(transform): Rename to...
	(_transform): This.
	[USE_SSSE3] (_gcry_sha256_transform_amd64_ssse3): New.
	(transform): New.
	* configure.ac (HAVE_INTEL_SYNTAX_PLATFORM_AS): New check.
	(sha256): Add 'sha256-ssse3-amd64.lo'.
	* doc/gcrypt.texi: Document 'intel-ssse3'.
	* src/g10lib.h (HWF_INTEL_SSSE3): New.
	* src/hwfeatures.c (hwflist): Add "intel-ssse3".
	* src/hwf-x86.c (detect_x86_gnuc): Test for SSSE3.

2013-12-12  Werner Koch  <wk@gnupg.org>

	Add a configuration file to disable hardware features.
	+ commit 5e1239b1e2948211ff2675f45cce2b28c3379cfb
	* src/hwfeatures.c: Inclyde syslog.h and ctype.h.
	(HWF_DENY_FILE): New.
	(my_isascii): New.
	(parse_hwf_deny_file): New.
	(_gcry_detect_hw_features): Call it.

	* src/mpicalc.c (main): Correctly initialize Libgcrypt.  Add options
	"--print-config" and "--disable-hwf".

	Move list of hardware features to hwfeatures.c.
	+ commit 4ae77322b681a13da62d01274bcab25be2af12d0
	* src/global.c (hwflist, disabled_hw_features): Move to ..
	* src/hwfeatures.c: here.
	(_gcry_disable_hw_feature): New.
	(_gcry_enum_hw_features): New.
	(_gcry_detect_hw_features): Remove arg DISABLED_FEATURES.
	* src/global.c (print_config, _gcry_vcontrol, global_init): Adjust
	accordingly.

	Remove macro hacks for internal vs. external functions.  Part 2 and last.
	+ commit 3b30e9840d4b351c4de73b126e561154cb7df4cc
	* src/visibility.h: Remove remaining define/undef hacks for symbol
	visibility.  Add macros to detect the use of the public functions.
	Change all affected functions by replacing them by the x-macros.
	* src/g10lib.h: Add internal prototypes.
	(xtrymalloc, xtrycalloc, xtrymalloc_secure, xtrycalloc_secure)
	(xtryrealloc, xtrystrdup, xmalloc, xcalloc, xmalloc_secure)
	(xcalloc_secure, xrealloc, xstrdup, xfree): New macros.

2013-12-11  Werner Koch  <wk@gnupg.org>

	random: Add a feature to close device file descriptors.
	+ commit cd548ba2dc777b8b27d8d33182ba733c20222120
	* src/gcrypt.h.in (GCRYCTL_CLOSE_RANDOM_DEVICE): New.
	* src/global.c (_gcry_vcontrol): Call _gcry_random_close_fds.
	* random/random.c (_gcry_random_close_fds): New.
	* random/random-csprng.c (_gcry_rngcsprng_close_fds): New.
	* random/random-fips.c (_gcry_rngfips_close_fds): New.
	* random/random-system.c (_gcry_rngsystem_close_fds): New.
	* random/rndlinux.c (open_device): Add arg retry.
	(_gcry_rndlinux_gather_random): Add mode to close open fds.

	* tests/random.c (check_close_random_device): New.
	(main): Call new test.

2013-12-10  Werner Koch  <wk@gnupg.org>

	Fix last commit (9a37470c)
	+ commit eae1e7712e1b687bd77eb37d0eb505fc9d46d93c
	* src/secmem.c (lock_pool): Remove remaining line.  Reported by Ian
	Goldberg.

2013-12-09  Werner Koch  <wk@gnupg.org>

	Fix one-off memory leak when build with Linux capability support.
	+ commit 9a37470c50ee9966cb2652617a404ddd54a9c096
	* src/secmem.c (lock_pool, secmem_init): Use cap_free.  Reported by
	Mike Crowe <mac@mcrowe.com>.

2013-12-09  David 'Digit' Turner  <digit@google.com>

	Update libtool to support Android.
	+ commit 2516f0b660b1a7181ad38c44310c627f4f498595
	* m4/libtool.m4: Add "linux*android*" case.  Taken from the libtool
	repository.

2013-12-09  Werner Koch  <wk@gnupg.org>

	tests: Speed up benchmarks in regression test mode.
	+ commit 2e5354fe8db5288939733d0fb63ad4c87bc20105
	* tests/tsexp.c (check_extract_param): Fix compiler warning.
	* tests/Makefile.am (TESTS_ENVIRONMENT): Set GCRYPT_IN_REGRESSION_TEST.
	* tests/bench-slope.c (main): Speed up if in regression test mode.
	* tests/benchmark.c (main): Ditto.

	tests: Add --csv option to bench-slope.
	+ commit 8072e9fa4b42ae8e65e266aa158fd903f1bb0927
	* tests/bench-slope.c (STR, STR2): New.
	(cvs_mode): New.
	(num_measurement_repetitions): New.  Replace use of
	NUM_MEASUREMENT_REPETITIONS by this.
	(current_section_name, current_algo_name, current_mode_name): New.
	(bench_print_result_csv): New.
	(bench_print_result_std): Rename from bench_print_result.
	(bench_print_result): New. Divert depending on CSV_MODE.
	(bench_print_header, bench_print_footer): take care of CSV_MODE.
	(bench_print_algo, bench_print_mode): New.  Use them instead of
	explicit printfs.
	(main): Add options --csv and --repetitions.

2013-12-07  Werner Koch  <wk@gnupg.org>

	sexp: Allow long names and white space in gcry_sexp_extract_param.
	+ commit d4555433b6e422fa69a85cae99961f513e55d82b
	* src/sexp.c (_gcry_sexp_vextract_param): Skip white space.  Support
	long parameter names.
	* tests/tsexp.c (check_extract_param): Add test cases for long parameter
	names and white space.

2013-12-06  Werner Koch  <wk@gnupg.org>

	ecc: Merge partly duplicated code.
	+ commit 405021cb6d4e470337302c65dec5bc91491a89c1
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Factor A hashing out to ...
	(_gcry_ecc_eddsa_compute_h_d): new function.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Use new function.
	(reverse_buffer): Remove.

	ecc: Remove unused internal function.
	+ commit 4cf2c65fe15173c8d68a141a01b34fc1fb9080b7
	* src/cipher-proto.h (gcry_pk_spec): Remove get_param.
	* cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Merge in code from
	_gcry_ecc_get_param.
	(_gcry_ecc_get_param): Remove.
	* cipher/ecc.c (_gcry_pubkey_spec_ecc): Remove _gcry_ecc_get_param.

2013-12-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building on mingw32.
	+ commit 5917ce34e3b3eac4c15f62577e4723974024f818
	* src/gcrypt-int.h: Include <types.h>.

2013-12-05  Werner Koch  <wk@gnupg.org>

	ecc: Change OID for Ed25519.
	+ commit 7ef43d1eebb4f8226e860982dfe5fa2e2c82ad0f
	* cipher/ecc-curves.c (curve_aliased): Add more suitable OID for
	Ed25519.

	Remove macro hacks for internal vs. external functions.  Part 1.
	+ commit 7bacf1812b55fa78db63abaa1f5a9220e9c6cccc
	* src/visibility.h: Remove almost all define/undef hacks for symbol
	visibility.  Add macros to detect the use of the public functions.
	Change all affected functions by prefixing them explicitly with an
	underscore and change all internal callers to call the underscore
	prefixed versions.  Provide convenience macros from sexp and mpi
	functions.
	* src/visibility.c: Change all functions to use only gpg_err_code_t
	and translate to gpg_error_t only in visibility.c.

2013-12-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: add inline assembly for x86-64.
	+ commit 85bb0a98ea5add0296cbcc415d557eaa1f6bd294
	* mpi/longlong.h [__x86_64] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): New.

2013-12-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: fix gcry_mpi_powm for negative base.
	+ commit c56080c26186d25dec05f01831494c77d8d07e13
	* mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]:
	Fix for the case where BASE is negative.
	* tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19.

2013-12-03  Werner Koch  <wk@gnupg.org>

	Add build support for ppc64le.
	+ commit 2ff86db2e1b0f6cc22a1ca86037b526c5fa3be51
	* config.guess, config.sub: Update to latest version (2013-11-29).
	* m4/libtool.m4: Add patches for ppc64le.

2013-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix compiler warning on aarch64.
	+ commit 59b1a1b7ee2923e1bf091071ae716d180c6c6006
	* cipher/rijndael.c (do_setkey): Use braces for empty if statement
	instead of semicolon.

	Add aarch64 (arm64) mpi assembly.
	+ commit 80896bc8f5e6ed9a627374e34f040ad5f3617584
	* mpi/aarch64/mpi-asm-defs.h: New.
	* mpi/aarch64/mpih-add1.S: New.
	* mpi/aarch64/mpih-mul1.S: New.
	* mpi/aarch64/mpih-mul2.S: New.
	* mpi/aarch64/mpih-mul3.S: New.
	* mpi/aarch64/mpih-sub1.S: New.
	* mpi/config.links [host=aarch64-*-*]: Add configguration for aarch64
	assembly.
	* mpi/longlong.h [__aarch64__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(count_leading_zeros): New.

2013-12-02  Werner Koch  <wk@gnupg.org>

	ecc: Use constant time point operation for Twisted Edwards.
	+ commit d4ce0cfe0d35d7ec69c115456848b5b735c928ea
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Try to do a constant time
	operation if needed.
	* tests/benchmark.c (main): Add option --use-secmem.

	ecc: Make gcry_pk_testkey work for Ed25519.
	+ commit 14ae6224b1b17abbfc80c26ad0f4c60f1e8635e2
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Add optional args G
	and d.  Change all callers.
	* cipher/ecc.c (gen_y_2): Remove.
	(check_secret_key): Use generic public key compute function.  Adjust
	for use with Ed25519 and EdDSA.
	(nist_generate_key): Do not use the compliant key thingy for Ed25519.
	(ecc_check_secret_key): Make parameter parsing similar to the other
	functions.
	* cipher/ecc-curves.c (domain_parms): Zero prefix some parameters so
	that _gcry_ecc_update_curve_param works correctly.
	* tests/keygen.c (check_ecc_keys): Add "param" flag.  Check all
	Ed25519 keys.

	ecc: Fix eddsa point decompression.
	+ commit 485f35124b1a74af0bad321ed70be3a79d8d11d7
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): Fix the negative
	case.

	ecc: Fix gcry_mpi_ec_curve_point for Weierstrass.
	+ commit ecb90f8e7c6f2516080d27ed7da6a25f2314da3c
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Use correct equation.
	(ec_pow3): New.
	(ec_p_init): Always copy B.

	mpi: Introduce 4 user flags for gcry_mpi_t.
	+ commit 29eddc2558d4cf39995f66d5fccd62f584d5b203
	* src/gcrypt.h.in (GCRYMPI_FLAG_USER1, GCRYMPI_FLAG_USER2)
	(GCRYMPI_FLAG_USER3, GCRYMPI_FLAG_USER4): New.
	* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
	(gcry_mpi_get_flag, _gcry_mpi_free): Implement them.
	(gcry_mpi_set_opaque): Keep user flags.

2013-11-29  Vladimir 'φ-coder/phcoder' Serbinenko  <phcoder@gmail.com>

	Fix armv3 compile error.
	+ commit 3b1cc9e6c357574f54160298d731c18f3d717b6c
	* mpi/longlong.h [__arm__ && __ARM_ARCH < 4] (umul_ppmm): Use
	__AND_CLOBBER_CC instead of __CLOBBER_CC.

	longlong.h on mips with clang.
	+ commit 1ecbd0bca31d462719a2a6590c1d03244e76ef89
	* mpi/longlong.h [__mips__]: Use C-language version with clang.

2013-11-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Camellia: Tweaks for AES-NI implementations.
	+ commit 3ef21e7e1b8003db9792155044db95f9d9ced184
	* cipher/camellia-aesni-avx-amd64.S: Align stack to 16 bytes; tweak
	key-setup for small speed up.
	* cipher/camellia-aesni-avx2-amd64.S: Use vmovdqu even with aligned
	stack; reorder vinsert128 instructions; use rbp for stack frame.

2013-11-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add GMAC to MAC API.
	+ commit a34448c929b13bfb7b66d69169c89e7319a18b31
	* cipher/Makefile.am: Add 'mac-gmac.c'.
	* cipher/mac-gmac.c: New.
	* cipher/mac-internal.h (gcry_mac_handle): Add 'u.gcm'.
	(_gcry_mac_type_spec_gmac_aes, _gcry_mac_type_spec_gmac_twofish)
	(_gcry_mac_type_spec_gmac_serpent, _gcry_mac_type_spec_gmac_seed)
	(_gcry_mac_type_spec_gmac_camellia): New externs.
	* cipher/mac.c (mac_list): Add GMAC specifications.
	* doc/gcrypt.texi: Add mention of GMAC.
	* src/gcrypt.h.in (gcry_mac_algos): Add GCM algorithms.
	* tests/basic.c (check_one_mac): Add support for MAC IVs.
	(check_mac): Add support for MAC IVs and add GMAC test vectors.
	* tests/bench-slope.c (mac_bench): Iterate algorithm numbers to 499.
	* tests/benchmark.c (mac_bench): Iterate algorithm numbers to 499.

	GCM: Move gcm_table initialization to setkey.
	+ commit dbfa651618693da7ea73b4d2d00d4efd411bfb46
	* cipher/cipher-gcm.c: Change all 'c->u_iv.iv' to
	'c->u_mode.gcm.u_ghash_key.key'.
	(_gcry_cipher_gcm_setkey): New.
	(_gcry_cipher_gcm_initiv): Move ghash initialization to function above.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add
	'u_mode.gcm.u_ghash_key'; Reorder 'u_mode.gcm' members for partial
	clearing in gcry_cipher_reset.
	(_gcry_cipher_gcm_setkey): New prototype.
	* cipher/cipher.c (cipher_setkey): Add GCM setkey.
	(cipher_reset): Clear 'u_mode' only partially for GCM.

2013-11-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	GCM: Add support for split data buffers and online operation.
	+ commit fb1e52e3fe231671de546eacd6becd31c26c4f7b
	* cipher/cipher-gcm.c (do_ghash_buf): Add buffering for less than
	blocksize length input and padding handling.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Add handling
	for AAD padding and check if data has already being padded.
	(_gcry_cipher_gcm_authenticate): Check that AAD or data has not being
	padded yet.
	(_gcry_cipher_gcm_initiv): Clear padding marks.
	(_gcry_cipher_gcm_tag): Add finalization and padding; Clear sensitive
	data from cipher handle, since they are not used after generating tag.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.gcm.macbuf',
	'u_mode.gcm.mac_unused', 'u_mode.gcm.ghash_data_finalized' and
	'u_mode.gcm.ghash_aad_finalized'.
	* tests/basic.c (check_gcm_cipher): Rename to...
	(_check_gcm_cipher): ...this and add handling for different buffer step
	lengths; Enable per byte buffer testing.
	(check_gcm_cipher): Call _check_gcm_cipher with different buffer step
	sizes.

	GCM: Use size_t for buffer sizes.
	+ commit 2d870a9142e8c8b3f008e1ad8e83e4bdf7a8e4e7
	* cipher/cipher-gcm.c (ghash, gcm_bytecounter_add, do_ghash_buf)
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_geniv)
	(_gcry_cipher_gcm_tag): Use size_t for buffer lengths.
	* cipher/cipher-internal.h (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Use size_t
	for buffer lengths.

	GCM: add FIPS mode restrictions.
	+ commit 56d352d6bdcf7abaa33c3399741f5063e2ddc32a
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_get_tag): Do not allow using in FIPS mode is setiv
	was invocated directly.
	(_gcry_cipher_gcm_setiv): Rename to...
	(_gcry_cipher_gcm_initiv): ...this.
	(_gcry_cipher_gcm_setiv): New setiv function with check for FIPS mode.
	[TODO] (_gcry_cipher_gcm_getiv): New.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add
	'u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode'.

	GCM: Add clearing and checking of marks.tag.
	+ commit 32a2da9abc91394b23cf565c1c833fa964394083
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Make sure
	that tag has not been finalized yet.
	(_gcry_cipher_gcm_setiv): Clear 'marks.tag'.

	GCM: Add stack burning.
	+ commit 018f08354b1b116672e82f9ce942884b288aaf9e
	* cipher/cipher-gcm.c (do_ghash, ghash): Return stack burn depth.
	(setupM): Wipe 'tmp' buffer.
	(do_ghash_buf): Wipe 'tmp' buffer and add stack burning.

	Add aggregated bulk processing for GCM on x86-64.
	+ commit c9537fbf8ff0af919cff2bebadc4c6e7caea8076
	* cipher/cipher-gcm.c [__x86_64__] (gfmul_pclmul_aggr4): New.
	(ghash) [GCM_USE_INTEL_PCLMUL]: Add aggregated bulk processing
	for __x86_64__.
	(setupM) [__x86_64__]: Add initialization for aggregated bulk
	processing.

	GCM: Tweak Intel PCLMUL ghash loop for small speed-up.
	+ commit 9b6764944284fed733c2f88619b3d9eb5d5c259a
	* cipher/cipher-gcm.c (do_ghash): Mark 'inline'.
	[GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): Rename to...
	[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul): ..this and make inline function.
	(ghash) [GCM_USE_INTEL_PCLMUL]: Preload data before ghash-pclmul loop.

	GCM: Use counter mode code for speed-up.
	+ commit bd4bd23a2511a4bce63c3217cca0d4ecf0c79532
	* cipher/cipher-gcm.c (ghash): Add process for multiple blocks.
	(gcm_bytecounter_add, gcm_add32_be128, gcm_check_datalen)
	(gcm_check_aadlen_or_ivlen, do_ghash_buf): New functions.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_set_iv)
	(_gcry_cipher_gcm_tag): Adjust to use above new functions and
	counter mode functions for encryption/decryption.
	* cipher/cipher-internal.h (gcry_cipher_handle): Remove 'length'; Add
	'u_mode.gcm.(addlen|datalen|tagiv|datalen_over_limits)'.
	(_gcry_cipher_gcm_setiv): Return gcry_err_code_t.
	* cipher/cipher.c (cipher_setiv): Return error code.
	(_gcry_cipher_setiv): Handle error code from 'cipher_setiv'.

	Add Intel PCLMUL acceleration for GCM.
	+ commit 5a65ffabadd50f174ab7375faad7a726cce49e61
	* cipher/cipher-gcm.c (fillM): Rename...
	(do_fillM): ...to this.
	(ghash): Remove.
	(fillM): New macro.
	(GHASH): Use 'do_ghash' instead of 'ghash'.
	[GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): New.
	(ghash): New.
	(setupM): New.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_setiv)
	(_gcry_cipher_gcm_tag): Use 'ghash' instead of 'GHASH' and
	'c->u_mode.gcm.u_tag.tag' instead of 'c->u_tag.tag'.
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): New.
	(gcry_cipher_handle): Move 'u_tag' and 'gcm_table' under
	'u_mode.gcm'.
	* configure.ac (pclmulsupport, gcry_cv_gcc_inline_asm_pclmul): New.
	* src/g10lib.h (HWF_INTEL_PCLMUL): New.
	* src/global.c: Add "intel-pclmul".
	* src/hwf-x86.c (detect_x86_gnuc): Add check for Intel PCLMUL.

	GCM: GHASH optimizations.
	+ commit 0e9e7d72f3c9eb7ac832746c3034855faaf8d02c
	* cipher/cipher-gcm.c [GCM_USE_TABLES] (gcmR, ghash): Replace with new.
	[GCM_USE_TABLES] [GCM_TABLES_USE_U64] (bshift, fillM, do_ghash): New.
	[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (bshift, fillM): Replace with
	new.
	[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (do_ghash): New.
	(_gcry_cipher_gcm_tag): Remove extra memcpy to outbuf and use
	buf_eq_const for comparing authentication tag.
	* cipher/cipher-internal.h (gcry_cipher_handle): Different 'gcm_table'
	for 32-bit and 64-bit platforms.

	Add some documentation for GCM mode.
	+ commit 332da0ed7c8fab6c2bee841c94d8364c2ab4e30d
	* doc/gcrypt.texi: Add mention of GCM mode.

2013-11-19  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Initial implementation of GCM.
	+ commit 90cce18b9eced4f412ceeec5bcae18c4493322df
	* cipher/Makefile.am: Add 'cipher-gcm.c'.
	* cipher/cipher-ccm.c (_gcry_ciphert_ccm_set_lengths)
	(_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_tag)
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Change
	'c->u_mode.ccm.tag' to 'c->marks.tag'.
	* cipher/cipher-gcm.c: New.
	* cipher/cipher-internal.h (GCM_USE_TABLES): New.
	(gcry_cipher_handle): Add 'marks.tag', 'u_tag', 'length' and
	'gcm_table'; Remove 'u_mode.ccm.tag'.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_setiv, _gcry_cipher_gcm_authenticate)
	(_gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag): New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
	(_gcry_cipher_gettag, _gcry_cipher_checktag): Add GCM mode handling.
	* src/gcrypt.h.in (gcry_cipher_modes): Add GCRY_CIPHER_MODE_GCM.
	(GCRY_GCM_BLOCK_LEN): New.
	* tests/basic.c (check_gcm_cipher): New.
	(check_ciphers): Add GCM check.
	(check_cipher_modes): Call 'check_gcm_cipher'.
	* tests/bench-slope.c (bench_gcm_encrypt_do_bench)
	(bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench)
	(gcm_encrypt_ops, gcm_decrypt_ops, gcm_authenticate_ops): New.
	(cipher_modes): Add GCM enc/dec/auth.
	(cipher_bench_one): Limit GCM to block ciphers with 16 byte block-size.
	* tests/benchmark.c (cipher_bench): Add GCM.

2013-11-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Camellia: fix compiler warning.
	+ commit 9816ae9d9931b75e4fdc9a5be10e6af447132313
	* cipher/camellia-glue.c (camellia_setkey): Use braces around empty if
	statement.

	Tweak Camellia-AVX key-setup for small speed-up.
	+ commit 77922a82c3f2e30eca04511fa5a355208349c657
	* cipher/camellia-aesni-avx-amd64.S (camellia_f): Merge S-function output
	rotation with P-function.

	Add CMAC (Cipher-based MAC) to MAC API.
	+ commit b49cd64aaaff2e5488a84665362ef7150683226c
	* cipher/Makefile.am: Add 'cipher-cmac.c' and 'mac-cmac.c'.
	* cipher/cipher-cmac.c: New.
	* cipher/cipher-internal.h (gcry_cipher_handle.u_mode): Add 'cmac'.
	* cipher/cipher.c (gcry_cipher_open): Rename to...
	(_gcry_cipher_open_internal): ...this and add CMAC.
	(gcry_cipher_open): New wrapper that disallows use of internal
	modes (CMAC) from outside.
	(cipher_setkey, cipher_encrypt, cipher_decrypt)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag): Add handling for CMAC mode.
	(cipher_reset): Do not reset 'marks.key' and do not clear subkeys in
	'u_mode' in CMAC mode.
	* cipher/mac-cmac.c: New.
	* cipher/mac-internal.h: Add CMAC support and algorithms.
	* cipher/mac.c: Add CMAC algorithms.
	* doc/gcrypt.texi: Add documentation for CMAC.
	* src/cipher.h (gcry_cipher_internal_modes): New.
	(_gcry_cipher_open_internal, _gcry_cipher_cmac_authenticate)
	(_gcry_cipher_cmac_get_tag, _gcry_cipher_cmac_check_tag)
	(_gcry_cipher_cmac_set_subkeys): New prototypes.
	* src/gcrypt.h.in (gcry_mac_algos): Add CMAC algorithms.
	* tests/basic.c (check_mac): Add CMAC test vectors.

2013-11-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add new MAC API, initially with HMAC.
	+ commit fcd6da37d55f248d3558ee0ff385b41b866e7ded
	* cipher/Makefile.am: Add 'mac.c', 'mac-internal.h' and 'mac-hmac.c'.
	* cipher/bufhelp.h (buf_eq_const): New.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Use 'buf_eq_const' for
	constant-time compare.
	* cipher/mac-hmac.c: New.
	* cipher/mac-internal.h: New.
	* cipher/mac.c: New.
	* doc/gcrypt.texi: Add documentation for MAC API.
	* src/gcrypt-int.h [GPG_ERROR_VERSION_NUMBER < 1.13]
	(GPG_ERR_MAC_ALGO): New.
	* src/gcrypt.h.in (gcry_mac_handle, gcry_mac_hd_t, gcry_mac_algos)
	(gcry_mac_flags, gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name)
	(gcry_mac_reset, gcry_mac_test_algo): New.
	* src/libgcrypt.def (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/libgcrypt.vers (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/visibility.c (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/visibility.h (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* tests/basic.c (check_one_mac, check_mac): New.
	(main): Call 'check_mac'.
	* tests/bench-slope.c (bench_print_header, bench_print_footer): Allow
	variable algorithm name width.
	(_cipher_bench, hash_bench): Update to above change.
	(bench_hash_do_bench): Add 'gcry_md_reset'.
	(bench_mac_mode, bench_mac_init, bench_mac_free, bench_mac_do_bench)
	(mac_ops, mac_modes, mac_bench_one, _mac_bench, mac_bench): New.
	(main): Add 'mac' benchmark options.
	* tests/benchmark.c (mac_repetitions, mac_bench): New.
	(main): Add 'mac' benchmark options.

	Use correct blocksize of 32 bytes for GOSTR3411-94 HMAC.
	+ commit b95a557a43aeed68ea5e5ce02aca42ee97bfdb3b
	* cipher/md.c (md_open): Set macpads_Bsize to 32 for
	GCRY_MD_GOST24311_94.

2013-11-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: use size_t for internal buffer lengths.
	+ commit b787657a9d2c1d8e19f9fcb0b21e31cb062630cf
	* cipher/arcfour.c (do_encrypt_stream, encrypt_stream): Use 'size_t'
	for buffer lengths.
	* cipher/blowfish.c (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Ditto.
	* cipher/camellia-glue.c (_gcry_camellia_ctr_enc)
	(_gcry_camellia_cbc_dec, _gcry_blowfish_cfb_dec): Ditto.
	* cipher/cast5.c (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec)
	(_gcry_cast5_cfb_dec): Ditto.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Ditto.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Ditto.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-internal.h (gcry_cipher_handle->bulk)
	(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt)
	(_gcry_cipher_cfb_encrypt, _gcry_cipher_cfb_decrypt)
	(_gcry_cipher_ofb_encrypt, _gcry_cipher_ctr_encrypt)
	(_gcry_cipher_aeswrap_encrypt, _gcry_cipher_aeswrap_decrypt)
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_cbc_encrypt): Ditto.
	* cipher/cipher-selftest.h (gcry_cipher_bulk_cbc_dec_t)
	(gcry_cipher_bulk_cfb_dec_t, gcry_cipher_bulk_ctr_enc_t): Ditto.
	* cipher/cipher.c (cipher_setkey, cipher_setiv, do_ecb_crypt)
	(do_ecb_encrypt, do_ecb_decrypt, cipher_encrypt)
	(cipher_decrypt): Ditto.
	* cipher/rijndael.c (_gcry_aes_ctr_enc, _gcry_aes_cbc_dec)
	(_gcry_aes_cfb_dec, _gcry_aes_cbc_enc, _gcry_aes_cfb_enc): Ditto.
	* cipher/salsa20.c (salsa20_setiv, salsa20_do_encrypt_stream)
	(salsa20_encrypt_stream, salsa20r12_encrypt_stream): Ditto.
	* cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_cfb_dec): Ditto.
	* cipher/twofish.c (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(_gcry_twofish_cfb_dec): Ditto.
	* src/cipher-proto.h (gcry_cipher_stencrypt_t)
	(gcry_cipher_stdecrypt_t, cipher_setiv_fuct_t): Ditto.
	* src/cipher.h (_gcry_aes_cfb_enc, _gcry_aes_cfb_dec)
	(_gcry_aes_cbc_enc, _gcry_aes_cbc_dec, _gcry_aes_ctr_enc)
	(_gcry_blowfish_cfb_dec, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_ctr_enc, _gcry_cast5_cfb_dec, _gcry_cast5_cbc_dec)
	(_gcry_cast5_ctr_enc, _gcry_camellia_cfb_dec, _gcry_camellia_cbc_dec)
	(_gcry_camellia_ctr_enc, _gcry_serpent_cfb_dec, _gcry_serpent_cbc_dec)
	(_gcry_serpent_ctr_enc, _gcry_twofish_cfb_dec, _gcry_twofish_cbc_dec)
	(_gcry_twofish_ctr_enc): Ditto.

	Camellia: Add AVX/AES-NI key setup.
	+ commit ef9f52cbb39e46918c96200b09c21e931eff174f
	* cipher/camellia-aesni-avx-amd64.S (key_bitlength, key_table): New
	order of fields in ctx.
	(camellia_f, vec_rol128, vec_ror128): New macros.
	(__camellia_avx_setup128, __camellia_avx_setup256)
	(_gcry_camellia_aesni_avx_keygen): New functions.
	* cipher/camellia-aesni-avx2-amd64.S (key_bitlength, key_table): New
	order of fields in ctx.
	* cipher/camellia-arm.S (CAMELLIA_TABLE_BYTE_LEN, key_length): Remove
	unused macros.
	* cipher/camellia-glue.c (CAMELLIA_context): Move keytable to head for
	better alignment; Make 'use_aesni_avx' and 'use_aesni_avx2' bitfield
	members.
	[USE_AESNI_AVX] (_gcry_camellia_aesni_avx_keygen): New prototype.
	(camellia_setkey) [USE_AESNI_AVX || USE_AESNI_AVX2]: Read hw features
	to variable 'hwf' and match features from it.
	(camellia_setkey) [USE_AESNI_AVX]: Use AES-NI/AVX key setup if
	available.

	Avoid unneeded stack burning with AES-NI and reduce number of 'decryption_prepared' checks
	+ commit c8ad83fb605fdbf6dc0b0dbcc8aedfbd477640da
	* cipher/rijndael.c (RIJNDAEL_context): Make 'decryption_prepared',
	'use_padlock' and 'use_aesni' 1-bit members in bitfield.
	(do_setkey): Move 'hwfeatures' inside [USE_AESNI || USE_PADLOCK].
	(do_aesni_enc_aligned): Rename to...
	(do_aesni_enc): ...this, as function does not require aligned input.
	(do_aesni_dec_aligned): Rename to...
	(do_aesni_dec): ...this, as function does not require aligned input.
	(do_aesni): Remove.
	(rijndael_encrypt): Call 'do_aesni_enc' instead of 'do_aesni'.
	(rijndael_decrypt): Call 'do_aesni_dec' instead of 'do_aesni'.
	(check_decryption_preparation): New.
	(do_decrypt): Remove 'decryption_prepared' check.
	(rijndael_decrypt): Ditto and call 'check_decryption_preparation'.
	(_gcry_aes_cbc_dec): Ditto.
	(_gcry_aes_cfb_enc): Add 'burn_depth' and burn stack only when needed.
	(_gcry_aes_cbc_enc): Ditto.
	(_gcry_aes_ctr_enc): Ditto.
	(_gcry_aes_cfb_dec): Ditto.
	(_gcry_aes_cbc_dec): Ditto and correct clearing of 'savebuf'.

2013-11-14  Werner Koch  <wk@gnupg.org>

	md: Fix hashing for data >= 256 GB.
	+ commit c43a8c0d81a711161f7a81b24ef7c33a1353eee0
	* cipher/hash-common.h (gcry_md_block_ctx): Add "nblocks_high".
	* cipher/hash-common.c (_gcry_md_block_write): Bump NBLOCKS_HIGH.
	* cipher/md4.c (md4_init, md4_final): Take care of NBLOCKS_HIGH.
	* cipher/md5.c (md5_init, md5_final): Ditto.
	* cipher/rmd160.c (_gcry_rmd160_init, rmd160_final): Ditto.
	* cipher/sha1.c (sha1_init, sha1_final): Ditto.
	* cipher/sha256.c (sha256_init, sha224_init, sha256_final): Ditto.
	* cipher/sha512.c (sha512_init, sha384_init, sha512_final): Ditto.
	* cipher/tiger.c (do_init, tiger_final): Ditto.
	* cipher/whirlpool.c (whirlpool_final): Ditto.

	* cipher/md.c (gcry_md_algo_info): Add GCRYCTL_SELFTEST.
	(_gcry_md_selftest): Return "not implemented" as required.
	* tests/hashtest.c: New.
	* tests/genhashdata.c: New.
	* tests/Makefile.am (TESTS): Add hashtest.
	(noinst_PROGRAMS): Add genhashdata

2013-11-13  Christian Grothoff  <christian@grothoff.org>

	ecc: Fix key generation for a plain Ed25519 key.
	+ commit 7d91e99bcd30a463dd4faed014b8521a663d8316
	* cipher/ecc.c (nist_generate_key): Use custom code for ED25519.

	ecc: Fix some memory leaks.
	+ commit c4f9af49f228df59c218381a25fa3c0f93ccbeae
	* cipher/ecc-curves.c (_gcry_mpi_ec_new): Free ec->b before assigning.
	* cipher/ecc.c (nist_generate_key): Release Q.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.

2013-11-11  Werner Koch  <wk@gnupg.org>

	ecc: Change keygrip computation for Ed25519+EdDSA.
	+ commit 4fb3c8e5a7fc6a1568f54bcc0be17fecf75e0742
	* cipher/ecc.c (compute_keygrip): Rework.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): New.
	* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): New.
	* tests/keygrip.c (key_grips): Add flag param and test cases for
	Ed25519.

	mpi: Add special format GCRYMPI_FMT_OPAQUE.
	+ commit 8b3eecee2d89179297e43de7d650f74759c61a58
	* src/gcrypt.h.in (GCRYMPI_FMT_OPAQUE): New.
	(_gcry_sexp_nth_opaque_mpi): Remove.
	* src/sexp.c (gcry_sexp_nth_mpi): Add support for GCRYMPI_FMT_OPAQUE.
	(_gcry_sexp_vextract_param): Replace removed function by
	GCRYMPI_FMT_OPAQUE.

2013-11-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix error output in CTR selftest.
	+ commit 7b26586e35a6d407ca31b41528b0810b1408fd4b
	* cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Change
	fprintf(stderr,...) to syslog(); Correct error output for bulk
	IV check, plaintext mismatch => ciphertext mismatch.

2013-11-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix Serpent-AVX2 and Camellia-AVX2 counter modes.
	+ commit df29831d008e32faf74091d080a415731418d158
	* cipher/camellia-aesni-avx2-amd64.S
	(_gcry_camellia_aesni_avx2_ctr_enc): Byte-swap before checking for
	overflow handling.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_cbc_128): Add 16 to nblocks.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Add test with
	non-overflowing IV and modify overflow IV to detect broken endianness
	handling.
	* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc): Byte-swap
	before checking for overflow handling; Fix crazy-mixed-endian IV
	construction to big-endian.
	* cipher/serpent.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_cbc_128): Add 8 to nblocks.

2013-11-09  Sergey V  <sftp.mtuci@gmail.com>

	cipher/gost28147: optimization: use precomputed S-box tables.
	+ commit 51501b638546665163bbb85a14308fdb99211a28
	* cipher/gost.h (GOST28147_context): Remove unneeded subst and
	subst_set members.
	* cipher/gost28147.c (max): Remove unneeded macro.
	(test_sbox): Replace with new precomputed tables.
	(gost_set_subst): Remove function.
	(gost_val): Use new S-box tables.
	(gost_encrypt_block, gost_decrypt_block): Tweak to use new ctx and
	S-box tables.

2013-11-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix tail handling for AES-NI counter mode.
	+ commit 60ed0abbbc7cb15812f1e713143c72555acea69e
	* cipher/rijndael.c (do_aesni_ctr): Fix outputting of updated
	counter-IV.

2013-11-08  Werner Koch  <wk@gnupg.org>

	ecc: Improve gcry_pk_get_curve.
	+ commit 03aed1acec611362285db5156a6b92c91604fba4
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Factor some code out
	to ..
	(find_domain_parms_idx): new.
	(_gcry_ecc_get_curve): Find by curve name on error.

	cipher: Avoid signed divisions in idea.c.
	+ commit e241dde1420475459e32608137829e52748d0212
	* cipher/idea.c (mul_inv): Use unsigned division.

	ecc: Implement the "nocomp" flag for key generation.
	+ commit 9f63c0f7a3b2c15c7e258cd17395cabd0a8f00cc
	* cipher/ecc.c (ecc_generate): Support the "nocomp" flag.
	* tests/keygen.c (check_ecc_keys): Add a test for it.

	ecc: Make "noparam" the default and replace by "param".
	+ commit ed45fd2e60c88e2f005282e6eadd018b59dcf65b
	* src/cipher.h (PUBKEY_FLAG_NOCOMP): New.
	(PUBKEY_FLAG_NOPARAM): Remove.
	(PUBKEY_FLAG_PARAM): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Support the new
	flags and ignore the obsolete "noparam" flag.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return the curve name
	also for curves selected by NBITS.
	(_gcry_mpi_ec_new): Support the "param" flag.
	* cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Ditto.
	* tests/keygen.c (check_ecc_keys): Remove the "noparam" flag.

2013-11-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix decryption function size in AES AMD64 assembly.
	+ commit bfe4f6523b80bae0040328ef324b9000ee5b38a4
	* cipher/rijndael-amd64.S (_gcry_aes_amd64_decrypt_block): Set '.size'
	for '_gcry_aes_amd64_decrypt_block', not '..._encrypt_block'.

	Change 64-bit shift to 32-bit in AES AMD64 assembly.
	+ commit 57b296ea3a5204cd3711b7bf57c8fb14d8542402
	* cipher/rijndael-amd64.S (do16bit_shr): Change 'shrq' to 'shrl'.

2013-11-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Speed-up AES-NI key setup.
	+ commit f702d62d888b30e24c19f203566a1473098b2b31
	* cipher/rijndael.c [USE_AESNI] (m128i_t): Remove.
	[USE_AESNI] (u128_t): New.
	[USE_AESNI] (aesni_do_setkey): New.
	(do_setkey) [USE_AESNI]: Move AES-NI accelerated key setup to
	'aesni_do_setkey'.
	(do_setkey): Call _gcry_get_hw_features only once. Clear stack after
	use in generic key setup part.
	(rijndael_setkey): Remove stack burning.
	(prepare_decryption) [USE_AESNI]: Use 'u128_t' instead of 'm128i_t' to
	avoid compiler generated SSE2 instructions and XMM register usage,
	unroll 'aesimc' setup loop
	(prepare_decryption): Clear stack after use.
	[USE_AESNI] (do_aesni_enc_aligned): Update comment about alignment.
	(do_decrypt): Do not burning stack after prepare_decryption.

	Avoid burn stack in Arcfour setkey.
	+ commit a50a6ba3540f49fc7dcdb32e691327d5942e3509
	* cipher/arcfour.c (arcfour_setkey): Remove stack burning.

	Avoid burn_stack in CAST5 setkey.
	+ commit 5797ebc268b4e953cedd0c729c5cdb1f8fd764e4
	* cipher/cast5.c (do_cast_setkey): Use wipememory instead of memset.
	(cast_setkey): Remove stack burning.

	Improve Serpent key setup speed.
	+ commit 9897ccb381503455edc490679b2e9251a09ac5cb
	* cipher/serpent.c (SBOX, SBOX_INVERSE): Remove index argument.
	(serpent_subkeys_generate): Use smaller temporary arrays for subkey
	generation and perform stack clearing locally.
	(serpent_setkey_internal): Use wipememory to clear stack and remove
	_gcry_burn_stack.
	(serpent_setkey): Remove unneeded _gcry_burn_stack.

	Modify encrypt/decrypt arguments for in-place.
	+ commit b8515aa70b00baba3fba8121ed305edcd029c8c7
	* cipher/cipher.c (gcry_cipher_encrypt, gcry_cipher_decrypt): Modify
	local arguments if in-place operation.

	Speed up Stribog.
	+ commit a48d07ccadee4cb8b666a9a4ba2f00129bad5b2f
	* cipher/stribog.c (STRIBOG_TABLES): Remove.
	(Pi): Remove.
	[!STRIBOG_TABLES] (A, strido): Remove.
	(stribog_table): New table pre-reordered with Pi values.
	(strido): Rewrite for new table.
	(LPSX): Rewrite for new table.
	(xor): Remove.
	(g): Small tweaks.

	Tweak AES-NI bulk CTR mode slightly.
	+ commit 3b5058b58a183fa23ecf3ef819e2ae6ac64c0216
	* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_2_5): Rename to...
	(aesni_cleanup_2_6): ...this and clear also 'xmm6'.
	[USE_AESNI && __i386__] (do_aesni_ctr, do_aesni_ctr_4): Prevent
	inlining only on i386, allow on AMD64.
	[USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Use counter block from
	'xmm5' and byte-swap mask from 'xmm6'.
	(_gcry_aes_ctr_enc) [USE_AESNI]: Preload counter block to 'xmm5' and
	byte-swap mask to 'xmm6'.
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Use
	'aesni_cleanup_2_6'.

	Tweak bench-slope parameters.
	+ commit 7e98eecc1a955bc253765f92a166b6560f085b8c
	* tests/bench-slope.c (BUF_STEP_SIZE): Half step size to 64.
	(NUM_MEASUREMENT_REPETITIONS): Double repetitions to 64.

	Optimize Blowfish weak key check.
	+ commit 8e1c0f9b894c39b6554c544208dc000682f520c7
	* cipher/blowfish.c (hashset_elem, val_to_hidx, add_val): New.
	(do_bf_setkey): Use faster algorithm for detecting weak keys.
	(bf_setkey): Move stack burning to do_bf_setkey.

	Fix __builtin_bswap32/64 checks.
	+ commit 2590a5df6f5fc884614c8c379324027d2d61b9b5
	* configure.ac (gcry_cv_have_builtin_bswap32)
	(gcry_cv_have_builtin_bswap64): Change compile checks to link checks.

	Fix 'u32' build error with Camellia.
	+ commit 84bcb400e7db7268abfc29b5ab1513b0c063b293
	* cipher/camellia.c: Add include for <config.h> and "types.h".
	(u32): Remove.
	(u8): Typedef as 'byte'.

2013-11-06  Werner Koch  <wk@gnupg.org>

	pubkey: Add forward compatibility feature.
	+ commit 6d169b654c7ff04c10f73afe80b2c70cefa410c1
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add
	"igninvflag".

2013-11-05  Werner Koch  <wk@gnupg.org>

	ecc: Require "eddsa" flag for curve Ed25519.
	+ commit b9fd3988b54b50109f4e7179e7fe0739bb1d97c5
	* src/cipher.h (PUBKEY_FLAG_ECDSA): Remove.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Remove "ecdsa".
	* cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Require "eddsa" flag.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Depend "eddsa" flag.
	* tests/benchmark.c, tests/keygen.c, tests/pubkey.c
	* tests/t-ed25519.c, tests/t-mpi-point.c: Adjust for changed flags.

	ecc: Fully implement Ed25519 compression in ECDSA mode.
	+ commit f09ffe8a4802af65a116e79eceeb1cb4ed4fa2f4
	* src/ec-context.h (mpi_ec_ctx_s): Add field FLAGS.
	* mpi/ec.c (ec_p_init): Add arg FLAGS.  Change all callers to pass it.
	* cipher/ecc-curves.c (point_from_keyparam): Add arg EC, parse as
	 opaque mpi and use eddsa decoding depending on the flag.
	(_gcry_mpi_ec_new): Rearrange to parse Q and D after knowing the
	curve.

	mpi: Add function gcry_mpi_set_opaque_copy.
	+ commit 630aca794ddf057fb7265b7dc346374743036af4
	* src/gcrypt.h.in (gcry_mpi_set_opaque_copy): New.
	* src/visibility.c (gcry_mpi_set_opaque_copy): New.
	* src/visibility.h (gcry_mpi_set_opaque_copy): Mark visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new API.
	* tests/mpitests.c (test_opaque): Add test.

2013-11-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make test vectors 'static const'
	+ commit d50a88d1e29124d038196fec6082fd093e922604
	* cipher/arcfour.c (selftest): Change test vectors to 'static const'.
	* cipher/blowfish.c (selftest): Ditto.
	* cipher/camellia-glue.c (selftest): Ditto.
	* cipher/cast5.c (selftest): Ditto.
	* cipher/des.c (selftest): Ditto.
	* cipher/rijndael.c (selftest): Ditto.
	* tests/basic.c (cipher_cbc_mac_cipher, check_aes128_cbc_cts_cipher)
	(check_ctr_cipher, check_cfb_cipher, check_ofb_cipher)
	(check_ccm_cipher, check_stream_cipher)
	(check_stream_cipher_large_block, check_bulk_cipher_modes)
	(check_ciphers, check_digests, check_hmac, check_pubkey_sign)
	(check_pubkey_sign_ecdsa, check_pubkey_crypt, check_pubkey): Ditto.

2013-11-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make jump labels local in Salsa20 assembly.
	+ commit d4697862266f3c96b6946dc92139dd8f3e81e5f6
	* cipher/salsa20-amd64.S: Rename '._labels' to '.L_labels'.
	* cipher/salsa20-armv7-neon.S: Ditto.

2013-10-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bithelp: fix undefined behaviour with rol and ror.
	+ commit d1cadd145199040299538891ab2ccd1208f7776e
	* cipher/bithelp.h (rol, ror): Mask shift with 31.

2013-10-29  Werner Koch  <wk@gnupg.org>

	tests: Add feature to skip benchmarks.
	+ commit ba6bffafd17bea11985afc500022d66da261d59a
	* tests/benchmark.c (main): Add feature to skip the test.
	* tests/bench-slope.c (main): Ditto.
	(get_slope): Repace C++ style comment.
	(double_cmp, cipher_bench, _hash_bench): Repalce system reserved
	symbols.

	ecc: Finish Ed25519/ECDSA hack.
	+ commit c284f15db99e9cb135612de710199abb23baafd3
	* cipher/ecc.c (ecc_generate): Fix Ed25519/ECDSA case.
	(ecc_verify): Implement ED25519/ECDSA uncompression.

	ecc: Add flags "noparam" and "comp".
	+ commit ba892a0a874c8b2a83dbf0940608cd7e2911ce01
	* src/cipher.h (PUBKEY_FLAG_NOPARAM, PUBKEY_FLAG_COMP): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse new flags
	and change code for possible faster parsing.
	* cipher/ecc.c (ecc_generate): Implement the "noparam" flag.
	(ecc_sign): Ditto.
	(ecc_verify): Ditto.
	* tests/keygen.c (check_ecc_keys): Use the "noparam" flag.

	* cipher/ecc.c (ecc_generate): Fix parsing of the deprecated
	transient-flag parameter.
	(ecc_verify): Do not make Q optional in the extract-param call.

2013-10-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix typos in documentation.
	+ commit 1faa61845f180bd47e037e400dde2d864ee83c89
	* doc/gcrypt.texi: Fix some typos.

	Add ARM NEON assembly implementation of Serpent.
	+ commit 2cb6e1f323d24359b1c5b113be5c2f79a2a4cded
	* cipher/Makefile.am: Add 'serpent-armv7-neon.S'.
	* cipher/serpent-armv7-neon.S: New.
	* cipher/serpent.c (USE_NEON): New macro.
	(serpent_context_t) [USE_NEON]: Add 'use_neon'.
	[USE_NEON] (_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec)
	(_gcry_serpent_neon_cbc_dec): New prototypes.
	(serpent_setkey_internal) [USE_NEON]: Detect NEON support.
	(_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec)
	(_gcry_serpent_neon_cbc_dec) [USE_NEON]: Use NEON implementations
	to process eight blocks in parallel.
	* configure.ac [neonsupport]: Add 'serpent-armv7-neon.lo'.

	Add ARM NEON assembly implementation of Salsa20.
	+ commit 3ff9d2571c18cd7a34359f9c60a10d3b0f932b23
	* cipher/Makefile.am: Add 'salsa20-armv7-neon.S'.
	* cipher/salsa20-armv7-neon.S: New.
	* cipher/salsa20.c [USE_ARM_NEON_ASM]: New macro.
	(struct SALSA20_context_s, salsa20_core_t, salsa20_keysetup_t)
	(salsa20_ivsetup_t): New.
	(SALSA20_context_t) [USE_ARM_NEON_ASM]: Add 'use_neon'.
	(SALSA20_context_t): Add 'keysetup', 'ivsetup' and 'core'.
	(salsa20_core): Change 'src' argument to 'ctx'.
	[USE_ARM_NEON_ASM] (_gcry_arm_neon_salsa20_encrypt): New prototype.
	[USE_ARM_NEON_ASM] (salsa20_core_neon, salsa20_keysetup_neon)
	(salsa20_ivsetup_neon): New.
	(salsa20_do_setkey): Setup keysetup, ivsetup and core with default
	functions.
	(salsa20_do_setkey) [USE_ARM_NEON_ASM]: When NEON support detect,
	set keysetup, ivsetup and core with ARM NEON functions.
	(salsa20_do_setkey): Call 'ctx->keysetup'.
	(salsa20_setiv): Call 'ctx->ivsetup'.
	(salsa20_do_encrypt_stream) [USE_ARM_NEON_ASM]: Process large buffers
	in ARM NEON implementation.
	(salsa20_do_encrypt_stream): Call 'ctx->core' instead of directly
	calling 'salsa20_core'.
	(selftest): Add test to check large buffer processing and block counter
	updating.
	* configure.ac [neonsupport]: 'Add salsa20-armv7-neon.lo'.

	Add AMD64 assembly implementation of Salsa20.
	+ commit 5a3d43485efdc09912be0967ee0a3ce345b3b15a
	* cipher/Makefile.am: Add 'salsa20-amd64.S'.
	* cipher/salsa20-amd64.S: New.
	* cipher/salsa20.c (USE_AMD64): New macro.
	[USE_AMD64] (_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
	(_gcry_salsa20_amd64_encrypt_blocks): New prototypes.
	[USE_AMD64] (salsa20_keysetup, salsa20_ivsetup, salsa20_core): New.
	[!USE_AMD64] (salsa20_core): Change 'src' to non-constant, update block
	counter in 'salsa20_core' and return burn stack depth.
	[!USE_AMD64] (salsa20_keysetup, salsa20_ivsetup): New.
	(salsa20_do_setkey): Move generic key setup to 'salsa20_keysetup'.
	(salsa20_setkey): Fix burn stack depth.
	(salsa20_setiv): Move generic IV setup to 'salsa20_ivsetup'.
	(salsa20_do_encrypt_stream) [USE_AMD64]: Process large buffers in AMD64
	implementation.
	(salsa20_do_encrypt_stream): Move stack burning to this function...
	(salsa20_encrypt_stream, salsa20r12_encrypt_stream): ...from these
	functions.
	* configure.ac [x86-64]: Add 'salsa20-amd64.lo'.

	Add new benchmarking utility, bench-slope.
	+ commit e214e8392671dd30e9c33260717b5e756debf3bf
	* tests/Makefile.am (TESTS): Add 'bench-slope'.
	* tests/bench-slope.c: New.

	Change .global to .globl in assembly files.
	+ commit ebc8abfcb09d6106fcfce40f240a513e276f46e9
	* cipher/blowfish-arm.S: Change '.global' to '.globl'.
	* cipher/camellia-aesni-avx-amd64.S: Ditto.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/camellia-arm.S: Ditto.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/rijndael-amd64.S: Ditto.
	* cipher/rijndael-arm.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* cipher/twofish-amd64.S: Ditto.
	* cipher/twofish-arm.S: Ditto.

2013-10-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Deduplicate code for ECB encryption and decryption.
	+ commit 51f1beab3d1e879942a95f58b08de7dbcce75dce
	* cipher/cipher.c (do_ecb_crypt): New, based on old 'do_ecb_encrypt'.
	(do_ecb_encrypt): Use 'do_ecb_crypt', pass encryption function.
	(do_ecb_decrypt): Use 'do_ecb_crypt', pass decryption function.

2013-10-26  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Drop _gcry_cipher_ofb_decrypt as it duplicates _gcry_cipher_ofb_encrypt.
	+ commit d9431725952e40f201c7eda000d3c8511ebd5b33
	* cipher/cipher.c (cipher_decrypt): Use _gcry_cipher_ofb_encrypt for OFB
	  decryption.
	* cipher/cipher-internal.h: Remove _gcry_cipher_ofb_decrypt declaration.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_decrypt): Remove.
	  (_gcry_cipher_ofb_encrypt): remove copying of IV to lastiv, it's
	  unused there.

2013-10-25  Werner Koch  <wk@gnupg.org>

	tests: Add tests for mpi_cmp.
	+ commit 6c6d4810927de7310ae7bac61b4ff5467d7cb485
	* tests/mpitests.c (die): Modernize.
	(fail): New.
	(test_opaque, test_add, test_sub, test_mul): Use gcry_log_xx
	(main): Return error count.
	(test_cmp): New.

2013-10-24  Werner Koch  <wk@gnupg.org>

	ecc: Change algorithm for Ed25519 x recovery.
	+ commit c630fd71b336eb9209e914d24dc1e26a34521882
	* cipher/ecc-eddsa.c (scanval): Add as temporary hack.
	(_gcry_ecc_eddsa_recover_x): Use the algorithm from page 15 of the
	paper.  Return an error code.
	(_gcry_ecc_eddsa_decodepoint): Take care of the error code.
	* mpi/mpi-mul.c (gcry_mpi_mulm): Use truncated division.

	ecc: Refactor _gcry_ecc_eddsa_decodepoint.
	+ commit 1cf5699b6febab1ef9d300531acc2ee33a7df739
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Factor some code
	out to ..
	(_gcry_ecc_eddsa_recover_x): new.

2013-10-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ecc-gost: Add missing include.
	+ commit 9ce54e5b512418ddf45ce18f2cbd48cdced779f5
	* ecc-gost.c: Include "pubkey-internal.h".

2013-10-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Replace architecture specific fast_wipememory2 with generic.
	+ commit 54df6fcd806f8c150cffe6cc09925bb8b638bb5b
	* src/g10lib.h (fast_wipememory2): Remove architecture specific
	implementations and add generic implementation.

	Improve the speed of the cipher mode code.
	+ commit 293e93672fdabc829e35cc624c397276342bafe4
	* cipher/bufhelp.h (buf_cpy): New.
	(buf_xor, buf_xor_2dst): If buffers unaligned, always jump to per-byte
	processing.
	(buf_xor_n_copy_2): New.
	(buf_xor_n_copy): Use 'buf_xor_n_copy_2'.
	* cipher/blowfish.c (_gcry_blowfish_cbc_dec): Avoid extra memory copy
	and use new 'buf_xor_n_copy_2'.
	* cipher/camellia-glue.c (_gcry_camellia_cbc_dec): Ditto.
	* cipher/cast5.c (_gcry_cast_cbc_dec): Ditto.
	* cipher/serpent.c (_gcry_serpent_cbc_dec): Ditto.
	* cipher/twofish.c (_gcry_twofish_cbc_dec): Ditto.
	* cipher/rijndael.c (_gcry_aes_cbc_dec): Ditto.
	(do_encrypt, do_decrypt): Use 'buf_cpy' instead of 'memcpy'.
	(_gcry_aes_cbc_enc): Avoid copying IV, use 'last_iv' pointer instead.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt): Avoid copying IV,
	update pointer to IV instead.
	(_gcry_cipher_cbc_decrypt): Avoid extra memory copy and use new
	'buf_xor_n_copy_2'.
	(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Avoid extra
	accesses to c->spec, use 'buf_cpy' instead of memcpy.
	* cipher/cipher-ccm.c (do_cbc_mac): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Ditto.
	* cipher/cipher.c (do_ecb_encrypt, do_ecb_decrypt): Ditto.

	bufhelp: enable unaligned memory accesses for AArch64 (64-bit ARM)
	+ commit 2901a10dbf1264707debc8402546c07eeac60932
	* cipher/bufhelp.h [__aarch64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
	macro on AArch64.

2013-10-23  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Enable assembler optimizations on earlier ARM cores.
	+ commit 2fd83faa876d0be91ab7884b1a9eaa7793559eb9
	* cipher/blowfish-armv6.S => cipher/blowfish-arm.S: adapt to pre-armv6 CPUs.
	* cipher/blowfish.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/camellia-armv6.S => cipher/camellia-arm.S: adapt to pre-armv6 CPUs.
	* cipher/camellia.c, cipher-camellia-glue.c: enable assembly on armv4/armv5
	  little-endian CPUs.
	* cipher/cast5-armv6.S => cipher/cast5-arm.S: adapt to pre-armv6 CPUs.
	* cipher/cast5.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/rijndael-armv6.S => cipher/rijndael-arm.S: adapt to pre-armv6 CPUs.
	* cipher/rijndael.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/twofish-armv6.S => cipher/twofish-arm.S: adapt to pre-armv6 CPUs.
	* cipher/twofish.c: enable assembly on armv4/armv5 little-endian CPUs.

	mpi: enable assembler on all arm architectures.
	+ commit 0b39fce7e3ce6761d6bd5195d093ec6857edb7c2
	* mpi/config.links: remove check for arm >= v6
	* mpi/armv6 => mpi/arm: rename directory to reflect that is is generic
	  enough

	Correct ASM assembly test in configure.ac.
	+ commit 10bf6a7e16ed193f90d2749970a420f00d1d3320
	* configure.ac: correct HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS test to
	  require neither ARMv6, nor thumb mode. Our assembly code works
	  perfectly even on ARMv4 now.

2013-10-23  Werner Koch  <wk@gnupg.org>

	ecc: Refactor ecc.c.
	+ commit 164eb8c85d773ef4f0939115ec45f5e4b47c1700
	* cipher/ecc-ecdsa.c, cipher/ecc-eddsa.c, cipher/ecc-gost.c: New.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
	* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new files.
	* cipher/ecc.c (point_init, point_free): Move to ecc-common.h.
	(sign_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_sign.
	(verify_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_verify.
	(sign_gost): Move to ecc-gots.c as _gcry_ecc_gost_sign.
	(verify_gost): Move to ecc-gost.c as _gcry_ecc_gost_verify.
	(sign_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_sign.
	(verify_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_verify.
	(eddsa_generate_key): Move to ecc-eddsa.c as _gcry_ecc_eddsa_genkey.
	(reverse_buffer): Move to ecc-eddsa.c.
	(eddsa_encodempi, eddsa_encode_x_y): Ditto.
	(_gcry_ecc_eddsa_encodepoint, _gcry_ecc_eddsa_decodepoint): Ditto.

	mpi: Fix scanning of negative SSH formats and add more tests.
	+ commit 45f6e6268bfdc4b608beaba6b7086b2286e33c71
	* mpi/mpicoder.c (gcry_mpi_scan): Fix sign setting for SSH format.
	* tests/t-convert.c (negative_zero): Test all formats.
	(check_formats): Add tests for PGP and scan tests for SSH and USG.

	* src/gcrypt.h.in (mpi_is_neg): Fix macro.

	* mpi/mpi-scan.c (_gcry_mpi_getbyte, _gcry_mpi_putbyte): Comment out
	these unused functions.

2013-10-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	twofish: add ARMv6 assembly implementation.
	+ commit 98674fdaa30ab22a3ac86ca05d688b5b6112895d
	* cipher/Makefile.am: Add 'twofish-armv6.S'.
	* cipher/twofish-armv6.S: New.
	* cipher/twofish.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_twofish_armv6_encrypt_block)
	(_gcry_twofish_armv6_decrypt_block): New prototypes.
	[USE_AMDV6_ASM] (twofish_encrypt, twofish_decrypt): Add.
	[USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt): Remove.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cfb_dec): Use 'twofish_encrypt'
	instead of 'do_twofish_encrypt'.
	(_gcry_twofish_cbc_dec): Use 'twofish_decrypt' instead of
	'do_twofish_decrypt'.
	* configure.ac [arm]: Add 'twofish-armv6.lo'.

	mpi: allow building with clang on ARM.
	+ commit e67c67321ce240c93dd0fa2b21c649c0a8e233f7
	* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(count_leading_zeros): Do not cast assembly output arguments.
	[__arm__] (umul_ppmm): Remove the extra '%' ahead of assembly comment.
	[_ARM_ARCH >= 4] (umul_ppmm): Use correct inputs and outputs instead of
	registers.

	serpent-amd64: do not use GAS macros.
	+ commit c7efaa5fe0ee92e321a7b49d56752cc12eb75fe0
	* cipher/serpent-avx2-amd64.S: Remove use of GAS macros.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* configure.ac [HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Do not check
	for GAS macros.

	Add Counter with CBC-MAC mode (CCM)
	+ commit 335d9bf7b035815750b63a3a8334d6ce44dc4449
	* cipher/Makefile.am: Add 'cipher-ccm.c'.
	* cipher/cipher-ccm.c: New.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode'.
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt)
	(_gcry_cipher_ccm_set_nonce, _gcry_cipher_ccm_authenticate)
	(_gcry_cipher_ccm_get_tag, _gcry_cipher_ccm_check_tag)
	(_gcry_cipher_ccm_set_lengths): New prototypes.
	* cipher/cipher.c (gcry_cipher_open, cipher_encrypt, cipher_decrypt)
	(_gcry_cipher_setiv, _gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag, gry_cipher_ctl): Add handling for CCM mode.
	* doc/gcrypt.texi: Add documentation for GCRY_CIPHER_MODE_CCM.
	* src/gcrypt.h.in (gcry_cipher_modes): Add 'GCRY_CIPHER_MODE_CCM'.
	(gcry_ctl_cmds): Add 'GCRYCTL_SET_CCM_LENGTHS'.
	(GCRY_CCM_BLOCK_LEN): New.
	* tests/basic.c (check_ccm_cipher): New.
	(check_cipher_modes): Call 'check_ccm_cipher'.
	* tests/benchmark.c (ccm_aead_init): New.
	(cipher_bench): Add handling for AEAD modes and add CCM benchmarking.

	Add API to support AEAD cipher modes.
	+ commit 95654041f2aa62f71aac4d8614dafe8433d10f95
	* cipher/cipher.c (_gcry_cipher_authenticate, _gcry_cipher_checktag)
	(_gcry_cipher_gettag): New.
	* doc/gcrypt.texi: Add documentation for new API functions.
	* src/visibility.c (gcry_cipher_authenticate, gcry_cipher_checktag)
	(gcry_cipher_gettag): New.
	* src/gcrypt.h.in, src/visibility.h: add declarations of these
	functions.
	* src/libgcrypt.defs, src/libgcrypt.vers: export functions.

2013-10-22  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Correct compliant key generation for Edwards curves.
	+ commit a5a277a9016ccb34f1858a65e0ed1791b2fc3db3
	* cipher/ecc.c: Add case for Edwards curves.

2013-10-17  Werner Koch  <wk@gnupg.org>

	tests: Add test options to keygen.
	+ commit f7711e6eb5f02d03c74911f6f037ab28075e7c0d
	* tests/keygen.c (usage): New.
	(main): Print usage info.  Allow running just one algo.

	mpi: Do not clear the sign of the mpi_mod result.
	+ commit 91e007606f1f6f8e1416c403fe809d47fddf9b1f
	* mpi/mpi-mod.c (_gcry_mpi_mod): Remove sign setting.

	ecc: Put the curve name again into the output of gcry_pk_genkey.
	+ commit 4776dcd394ce59fa50d959921857b3427c5a63c8
	* cipher/ecc.c (ecc_generate): Use the correct var.  Release
	CURVE_FLAGS.

	ecc: Support Weierstrass curves in gcry_mpi_ec_curve_point.
	+ commit b22417158c50ec3a0b2ff55b4ade063b42a87e8f
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Support MPI_EC_WEIERSTRASS.

2013-10-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	arcfour: more optimized version for non-i386 architectures.
	+ commit f9371c026aad09ff48746d22c8333746c886e773
	* cipher/arcfour.c (ARCFOUR_context): Reorder members.
	(do_encrypt_stream) [!__i386__]: Faster implementation for non-i386.
	(do_arcfour_setkey): Avoid modulo operations.

	Avoid void* pointer arithmetic.
	+ commit c89ab921ccfaefe6c4f6a724d01e0df41a1a381f
	* tests/tsexp.c (check_extract_param): Cast void* pointers to char*
	before doing arithmetics.

2013-10-16  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	ecc: Add support for GOST R 34.10-2001/-2012 signatures.
	+ commit 83902f1f1dbc8263a0c3f61be59cd2eb95293c97
	* src/cipher.h: define PUBKEY_FLAG_GOST
	* cipher/ecc-curves.c: Add GOST2001-test and GOST2012-test curves
	  defined in standards. Typical applications would use either those
	  curves, or curves defined in RFC 4357 (will be added later).
	* cipher/ecc.c (sign_gost, verify_gost): New.
	  (ecc_sign, ecc_verify): use sign_gost/verify_gost if PUBKEY_FLAG_GOST
	  is set.
	  (ecc_names): add "gost" for gost signatures.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist,
	  _gcry_pk_util_preparse_sigval): set PUBKEY_FLAG_GOST if gost flag
	  is present in s-exp.
	* tests/benchmark.c (ecc_bench): also benchmark GOST signatures.
	* tests/basic.c (check_pubkey): add two public keys from
	  GOST R 34.10-2012 standard.
	  (check_pubkey_sign_ecdsa): add two data sets to check gost signatures.
	* tests/curves.c: correct N_CURVES as we now have 2 more curves.


	Removed some comments from the new curve definitions in ecc-curves.c
	to avoid line wrapping.  Eventually we will develop a precompiler to
	avoid parsing those hex strings. -wk

	Fix 256-bit ecdsa test key definition.
	+ commit 187b2bb541b985255aee262d181434a7cb4ae2e7
	* tests/basic.c (check_pubkey): fix nistp256 testing key declaration -
	  add missing comma.

2013-10-16  Werner Koch  <wk@gnupg.org>

	sexp: Add function gcry_sexp_extract_param.
	+ commit a329b6abf00c990faf1986f9fbad7b4d71c13bcb
	* src/gcrypt.h.in (_GCRY_GCC_ATTR_SENTINEL): New.
	(gcry_sexp_extract_param): New.
	* src/visibility.c (gcry_sexp_extract_param): New.
	* src/visibility.h (gcry_sexp_extract_param): Add hack to detect
	internal use.
	* cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Move and split
	into ...
	* src/sexp.c (_gcry_sexp_vextract_param)
	(_gcry_sexp_extract_param): this.  Change all callers.  Add support for buffer
	descriptors and a path option/

	* tests/tsexp.c (die, hex2buffer, hex2mpi, hex2mpiopa): New.
	(cmp_mpihex, cmp_bufhex): New.
	(check_extract_param): New.

2013-10-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: mpi-pow improvement.
	+ commit 45aa6131e93fac89d46733b3436d960f35fb99b2
	* mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right
	k-ary exponentiation.

2013-10-15  Werner Koch  <wk@gnupg.org>

	ecc:  Support use of Ed25519 with ECDSA.
	+ commit 537969fbbb1104b8305a7edb331b7666d54eff2c
	* src/cipher.h (PUBKEY_FLAG_ECDSA): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag "ecdsa".
	* cipher/ecc.c (verify_ecdsa, verify_eddsa): Remove some debug output.
	(ecc_generate, ecc_sign, ecc_verify): Support Ed25519 with ECDSA.
	* tests/keygen.c (check_ecc_keys): Create such a test key.
	* tests/pubkey.c (fail, info, data_from_hex, extract_cmp_data): New.
	Take from dsa-6979.c
	(check_ed25519ecdsa_sample_key): new.
	(main): Call new test.

2013-10-14  Werner Koch  <wk@gnupg.org>

	pubkey: Support flags list in gcry_pk_genkey.
	+ commit d3a605d7827b8a73ef844e9e5183590bd6b1389a
	* src/cipher.h (PUBKEY_FLAG_TRANSIENT_KEY): New.
	(PUBKEY_FLAG_USE_X931): New.
	(PUBKEY_FLAG_USE_FIPS186): New.
	(PUBKEY_FLAG_USE_FIPS186_2): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Rename from
	parse_flags_list.  Parse new flags.
	* cipher/dsa.c (dsa_generate): Support flag list.
	* cipher/ecc.c (ecc_generate): Ditto.
	* cipher/rsa.c (rsa_generate): Ditto.

	pubkey: Remove duplicated flag parsing code.
	+ commit 5be2345ddec4147e535d5b039ee74f84bcacf9e4
	* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval)
	(_gcry_pk_util_data_to_mpi): Factor flag parsing code out to ..
	(parse_flag_list): New.
	* src/cipher.h (PUBKEY_FLAG_RAW_FLAG): New.

	mpicalc: Accept lowercase hex digits.
	+ commit 0cd551faa775ad5309a40629ae30bf86b75fca09
	* src/mpicalc.c (main): Test for lowercase hex digits.

2013-10-11  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing of remaining fucntions to the modules.
	+ commit a951c061523e1c13f1358c9760fc3a9d787ab2d4
	* cipher/pubkey.c (release_mpi_array): Remove.
	(pubkey_check_secret_key): Remove.
	(sexp_elements_extract): Remove.
	(sexp_elements_extract_ecc): Remove.
	(sexp_to_key): Remove.
	(get_hash_algo): Remove.
	(gcry_pk_testkey): Revamp.
	(gcry_pk_get_curve): Revamp.
	* cipher/rsa.c (rsa_check_secret_key): Revamp.
	* cipher/elgamal.c (elg_check_secret_key): Revamp.
	* cipher/dsa.c (dsa_check_secret_key): Revamp.
	* cipher/ecc.c (ecc_check_secret_key): Revamp.
	* cipher/ecc-curves.c: Include cipher.h and pubkey-internal.h
	(_gcry_ecc_get_curve): Revamp.

	* cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Set passed and
	used parameters on error to NULL.

	pubkey: Move sexp parsing for gcry_pk_decrypt to the modules.
	+ commit 07950c865a901afc48acb46f0695040cadfd5068
	* cipher/rsa.c (rsa_decrypt): Revamp.
	* cipher/elgamal.c (elg_decrypt): Revamp.
	* cipher/ecc.c (ecc_decrypt_raw): Revamp.
	* cipher/pubkey.c (gcry_pk_decrypt): Simplify.
	(sexp_to_enc): Remove.
	* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval): New.

	pubkey: Move sexp parsing for gcry_pk_encrypt to the modules.
	+ commit 6bd5d18c45a4a3ce8f0f66f56c83b80594877f53
	* cipher/rsa.c (rsa_encrypt): Revamp.
	* cipher/elgamal.c (elg_encrypt): Revamp.
	* cipher/ecc.c (ecc_encrypt_raw): Revamp.
	* cipher/pubkey.c (gcry_pk_encrypt): Simplify.

	* tests/basic.c (check_pubkey_crypt): Init plain, ciph, and data so
	that they are initialized even after an encrypt failure.

	pubkey: Move sexp parsing for gcry_pk_sign to the modules.
	+ commit d0ae6635e4e6ae273c3a137c513d518f28f6eab3
	* cipher/rsa.c (rsa_sign): Revamp.
	* cipher/dsa.c (dsa_sign): Revamp.
	* cipher/elgamal.c (elg_sign): Revamp.
	* cipher/ecc.c (ecc_sign): Revamp.
	* cipher/pubkey.c (gcry_pk_sign): Simplify.

2013-10-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Prevent tail call optimization with _gcry_burn_stack.
	+ commit 150c0313f971bcea62d2802f0389c883e11ebb31
	* configure.ac: New check, HAVE_GCC_ASM_VOLATILE_MEMORY.
	* src/g10lib.h (_gcry_burn_stack): Rename to __gcry_burn_stack.
	(__gcry_burn_stack_dummy): New.
	(_gcry_burn_stack): New macro.
	* src/misc.c (_gcry_burn_stack): Rename to __gcry_burn_stack.
	(__gcry_burn_stack_dummy): New.

2013-10-09  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing for gcry_pk_verify to the modules.
	+ commit 94b652ecb006c29fa2ffb1badc9f02b758581737
	* cipher/rsa.c (rsa_verify): Revamp.
	* cipher/dsa.c (dsa_verify): Revamp.
	* cipher/elgamal.c (elg_verify): Revamp.
	* cipher/ecc.c (ecc_verify): Revamp.
	* cipher/pubkey.c (sexp_to_sig): Remove.
	(pss_verify_cmp): Move to pubkey-util.c
	(sexp_data_to_mpi): Ditto.
	(init_encoding_ctx): Ditto.
	(gcry_pk_verify): Simplify.
	* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Add. Take
	from pubkey.c
	(get_hash_algo): Ditto.
	(_gcry_pk_util_data_to_mpi): Ditto.
	(pss_verify_cmp): Ditto.
	(_gcry_pk_util_extract_mpis): New.
	(_gcry_pk_util_preparse_sigval): New.
	(_gcry_pk_util_free_encoding_ctx): New.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make curve init
	optional.

	* src/g10lib.h (GCC_ATTR_SENTINEL): New.

	* tests/basic.c (check_pubkey_sign): Print the algo name.
	(main): Add option --pubkey.

2013-10-08  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing for gcry_pk_get_nbits to the modules.
	+ commit 4645f3728bb0900591b0aef85831fdee52c59e3c
	* cipher/pubkey.c (spec_from_sexp): New.
	(gcry_pk_get_nbits): Simplify.
	* cipher/rsa.c (rsa_get_nbits): Take only PARMS as args and do sexp
	parsing here.
	* cipher/dsa.c (dsa_get_nbits): Ditto.
	* cipher/elgamal.c (elg_get_nbits): Ditto.
	* cipher/ecc.c (ecc_get_nbits): Ditto.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Allow NULL for arg
	CURVE.

	pubkey: Move sexp parsing for gcry_pk_getkey to the modules.
	+ commit 3816e46ce211e63adf46dbc775510aa137572248
	* cipher/pubkey-util.c: New.
	(_gcry_pk_util_get_nbits): New.  Based on code from gcry_pk_genkey.
	(_gcry_pk_util_get_rsa_use_e): Ditto.
	* cipher/pubkey.c (gcry_pk_genkey): Strip most code and pass.
	* cipher/rsa.c (rsa_generate): Remove args ALGO, NBITS and EVALUE.
	Call new fucntions to get these values.
	* cipher/dsa.c (dsa_generate): Remove args ALGO, NBITS and EVALUE.
	Call _gcry_pk_util_get_nbits to get nbits.  Always parse genparms.
	* cipher/elgamal.c (elg_generate): Ditto.
	* cipher/ecc.c (ecc_generate): Ditto.

	cipher: Deprecate GCRY_PK_ELG_E.
	+ commit f79d3e13d3229115c47cbe5007647cb44105fe3f
	* cipher/elgamal.c (_gcry_pubkey_spec_elg_e): Remove.
	* cipher/pubkey.c (pubkey_list): Remove double included
	_gcry_pubkey_spec_elg.
	(map_algo): MAke ELG_E to ELG.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Provide Pth compatiblity for use with GnuPG 2.0.
	+ commit 2f767f6a17f7e99da4075882f7fe3ca597b31bdb
	* src/ath.c (ath_install): Call ath_init and declare Pth as
	compatible.

2013-10-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha512: fix building on ARM.
	+ commit 6410152338a2b2ac1216e70c153cd16f9199c94e
	* cipher/sha512.c (transform) [USE_ARM_NEON_ASM]: Fix 'hd' to 'ctx'.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Remove deprecated control codes.
	+ commit f04a1db22d982627ba87da4e5df52df9b994c779
	* src/gcrypt.h.in (GCRYCTL_SET_KEY): Remove.
	(GCRYCTL_SET_IV): Remove.
	(GCRYCTL_SET_CTR): Remove.
	* cipher/md.c (gcry_md_ctl): Remove deprecated GCRYCTL_SET_KEY.
	* cipher/cipher.c (gcry_cipher_ctl): Remove deprecated
	GCRYCTL_SET_KEY, GCRYCTL_SET_IV, GCRYCTL_SET_CTR.

2013-10-02  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix errors when building with Clang on PPC.
	+ commit 33757c1e03f1d885920633edf543cd1c77999455
	* mpi/longlong.h (add_ssaaaa, sub_ddmmss, count_leading_zeros,
	  umul_ppmm): Do not cast asm output to USItype.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Remove last remains of the former module system.
	+ commit 628ed5ba0ef4b1f04b5a77e29e4bc49a1fe13c07
	* src/gcrypt-module.h, src/module.c: Remove.
	* src/visibility.h: Do not include gcrypt-module.h.
	* src/g10lib.h: Remove all prototypes from module.c
	(gcry_module): Remove.
	* cipher/cipher-internal.h (gcry_cipher_handle): Remove unused field.

	Fix missing prototype warning in visibility.c.
	+ commit 52783d483293d48cd468143ae6ae2cccbfe17200
	* src/ec-context.h (_gcry_mpi_ec_new): Move prototype to mpi.h.

	md: Simplify the message digest dispatcher md.c.
	+ commit 0d39997932617ba20656f8bcc230ba744b76c87e
	* src/gcrypt-module.h (gcry_md_spec_t):  Move to ...
	* src/cipher-proto.h: here.  Merge with md_extra_spec_t.  Add fields
	ALGO and FLAGS.  Set these fields in all digest modules.
	* cipher/md.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.

2013-10-01  Werner Koch  <wk@gnupg.org>

	cipher: Simplify the cipher dispatcher cipher.c.
	+ commit 3ca180b25e8df252fc16f802cfdc27496e307830
	* src/gcrypt-module.h (gcry_cipher_spec_t):  Move to ...
	* src/cipher-proto.h (gcry_cipher_spec_t): here.  Merge with
	cipher_extra_spec_t.  Add fields ALGO and FLAGS.  Set these fields in
	all cipher modules.
	* cipher/cipher.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.
	(disable_pubkey_algo): Simplified.  Not anymore thread-safe, though.

	* cipher/md.c (_gcry_md_selftest): Use correct structure.  Not a real
	problem because both define the same function as their first field.

	* cipher/pubkey.c (_gcry_pk_selftest): Take care of the disabled flag.

	mpi: Fix gcry_mpi_neg.
	+ commit 4153fa859816e799e506055321a22e6450aacdcc
	* mpi/mpiutil.c (_gcry_mpi_neg): Copy U to W.

2013-10-01  Peter Wu  <lekensteyn@gmail.com>

	cipher: Add support for 128-bit keys in RC2.
	+ commit 738177ec0eae05069ec61bc4f724a69d4e052e42
	* cipher/rfc2268.c (oids_rfc2268_128): New
	(_gcry_cipher_spec_rfc2268_128): New.
	* cipher/cipher.c (cipher_table_entry): Add GCRY_CIPHER_RFC2268_128.

2013-09-30  Werner Koch  <wk@gnupg.org>

	ecc: Use faster b parameter for Ed25519.
	+ commit 1d85452412b65e7976bc94969fc513ff6b880ed8
	* cipher/ecc-curves.c (domain_parms): Replace b.
	* tests/t-mpi-point.c (test_curve): Ditto.

	ecc: Prepare for future Ed25519 optimization.
	+ commit a2618c822e666d4121cba29bee3fd50bf70c9743
	* mpi/ec-ed25519.c: New but empty file.
	* mpi/ec-internal.h: New.
	* mpi/ec.c: Include ec-internal.h.
	(ec_mod): New.
	(ec_addm): Use ec_mod.
	(ec_mulm): Remove commented code.  Use ec_mod.
	(ec_subm): Call simple sub.
	(ec_pow2): Use ec_mulm.
	(ec_mul2): New.
	(dup_point_weierstrass): Use ec_mul2.
	(dup_point_twistededwards): Add special case for a == -1.  Use
	ec_mul2.
	(add_points_weierstrass): Use ec_mul2.
	(add_points_twistededwards): Add special case for a == -1.
	(_gcry_mpi_ec_curve_point): Ditto.
	(ec_p_init): Add hack to test Barrett functions.
	* src/ec-context.h (mpi_ec_ctx_s): Add P_BARRETT.

	* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem.

	ecc: Fix recomputing of Q for Ed25519.
	+ commit c325adb8f5092b80a626bd3bb5e49cf7f3a29fc8
	* cipher/ecc-misc.c (reverse_buffer): New.
	(_gcry_ecc_compute_public): Add ED255519 specific code.
	* cipher/ecc.c (sign_eddsa): Allocate DIGEST in secure memory.  Get
	rid of HASH_D.
	* tests/t-mpi-point.c (context_param): Test recomputing of Q for
	Ed25519.

	log: Try to print s-expressions in a more compact format.
	+ commit d69a13d3d1c14ad6a6aa7cd349d6d2dfb152d422
	* src/misc.c (count_closing_parens): New.
	(_gcry_log_printsxp): Use new function.
	* mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point.

2013-09-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make Whirlpool use the _gcry_md_block_write helper.
	+ commit 68cefd0f1d60ac33b58031df9b1d165cb1bf0f14
	* cipher/whirlpool.c (whirlpool_context_t): Add 'bctx', remove
	'buffer', 'count' and 'nblocks'.
	(whirlpool_init): Initialize 'bctx'.
	(whirlpool_transform): Adjust context argument type and burn stack
	depth.
	(whirlpool_add): Remove.
	(whirlpool_write): Use _gcry_md_block_write.
	(whirlpool_final, whirlpool_read): Adjust for 'bctx' usage.

	whirlpool: add stack burning after transform.
	+ commit a96d622e1a36d40d1504b7ada567e90ec9957443
	* cipher/whirlpool.c (whirlpool_transform): Return burn stack depth.
	(whirlpool_add): Do burn_stack.

	whirlpool: do bitcount calculation in finalization part.
	+ commit 10d7351411f19bb2c03d2e24ca5a38dabe45023b
	* cipher/whirlpool.c (whirlpool_context_t): Remove 'length', add
	'nblocks'.
	(whirlpool_add): Update 'nblocks' instead of 'length', and add early
	return at one spot.
	(whirlpool_write): Check for 'nblocks' overflow.
	(whirlpool_final): Convert 'nblocks' to bit-counter, and use
	whirlpool_write instead of whirlpool_add.

2013-09-30  Werner Koch  <wk@gnupg.org>

	Add logging functions to the API.
	+ commit d2076f27bb7c5d505abf25fc622d21794c4a5df3
	* src/gcrypt.h.in (_GCRY_GCC_ATTR_PRINTF): New.
	(gcry_log_debug, gcry_log_debughex, gcry_log_debugmpi): New.
	(gcry_log_debugpnt, gcry_log_debugsxp): New.
	* src/visibility.c (gcry_log_debug): New.
	(gcry_log_debughex, gcry_log_debugmpi, gcry_log_debugpnt): New.
	(gcry_log_debugsxp): New.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new functions.
	* src/misc.c (_gcry_logv): Make public.
	(_gcry_log_printsxp): New.
	* src/g10lib.h (log_printsxp): New macro.

2013-09-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make libgcrypt build with Clang on i386.
	+ commit db60d828137c4f3682ca4ca2a54fe3d96d3db5f9
	* cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss)
	(umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype.

2013-09-25  Werner Koch  <wk@gnupg.org>

	mpi: Change not yet used _gcry_mpi_set_opaque_copy.
	+ commit 1c6660debdbf1e4c3e80074c846a3e3097f214bb
	* mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype.
	(_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure.

	sexp: Improve printing of data with a leading zero.
	+ commit 9b7c49971588edf6acfc74bfb797eb79d19cb350
	* src/sexp.c (suitable_encoding): Detect leading zero byte.

	ecc: Allow the name "q@eddsa" to get/set the public key.
	+ commit d6683d2a6065986a9198d2d2eaa02c005b68cea4
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa".
	(_gcry_ecc_set_mpi): Support "q".
	* cipher/ecc.c (eddsa_encodepoint): Rename to ...
	(_gcry_ecc_eddsa_encodepoint): this and make global.  Remove arg
	MINLEN and take from context.
	(eddsa_decodepoint): Rename to
	(_gcry_ecc_eddsa_decodepoint): this and make global. Remove arg LEN
	and take from context.
	(sign_eddsa, verify_eddsa): Take B from context.
	(ecc_sign, ecc_verify): Add hack to set DIALECT.
	(_gcry_pk_ecc_get_sexp): Use _gcry_ecc_compute_public.  Handle EdDSA.
	* src/ec-context.h (mpi_ec_ctx_s): Add field NBITS.
	* mpi/ec.c (ec_p_init): Init NBITS.
	* tests/t-mpi-point.c (test_curve): Add Ed25519.
	(sample_ed25519_q): New.
	(context_param): Check new sample key.
	(hex2buffer, hex2mpiopa): New.
	(cmp_mpihex): Take care of opaque MPIs.

	mpicalc: Add statement to compute the number of bits.
	+ commit 9a4447ccd1b90bcd701941e80a7f484a1825fcea
	* src/mpicalc.c (do_nbits): New.
	(main): Add statement 'b'.

	ecc: Refactor low-level access functions.
	+ commit 64a7d347847d606eb5f4c156e24ba060271b8f6b
	* mpi/ec.c (point_copy): Move to cipher/ecc-curves.c.
	(ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global.
	(_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi.
	(_gcry_mpi_ec_get_point): Factor most code out to _gcry_ecc_get_point.
	(_gcry_mpi_ec_set_mpi): Factor most code out to _gcry_ecc_set_mpi.
	(_gcry_mpi_ec_set_point): Factor most code out to _gcry_ecc_set_point.
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): New.
	(_gcry_ecc_get_point, _gcry_ecc_set_mpi, _gcry_ecc_set_point): New.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): New.

	ecc: Fix highly unlikely endless loop in sign_ecdsa.
	+ commit 1f5f4452e5bca105ec2197a4facbf9778e7dc31e
	* cipher/ecc.c (sign_ecdsa): Turn while-do into do-while loops.

2013-09-24  Werner Koch  <wk@gnupg.org>

	ecc: Allow the use of an uncompressed public key.
	+ commit df013c9820709421ef9550158ac5df0060d73379
	* cipher/ecc.c (eddsa_encodepoint): Factor most code out to ...
	(eddsa_encode_x_y): new fucntion.
	(eddsa_decodepoint): Allow use of an uncompressed public key.
	* tests/t-ed25519.c (N_TESTS): Adjust.
	* tests/t-ed25519.inp: Add test 1025.

2013-09-23  Werner Koch  <wk@gnupg.org>

	pk: Add algo id GCRY_PK_ECC and deprecate ECDSA and ECDH.
	+ commit d5f91466695c5736f441c9bf1998436184a4bf61
	* src/gcrypt.h.in (GCRY_PK_ECC): New.
	* cipher/pubkey.c (map_algo): New.
	(spec_from_algo, gcry_pk_get_param, _gcry_pk_selftest): Use it.
	* cipher/ecc.c (selftests_ecdsa): Report using GCRY_PK_ECC.
	(run_selftests): Simplify.
	(ecdh_names, ecdsa_names): Merge into a new ecc_names.
	(_gcry_pubkey_spec_ecdh, _gcry_pubkey_spec_ecdsa): Merge into new
	_gcry_pubkey_spec_ecc.

	ec: Use mpi_mulm instead of mpi_powm.
	+ commit 4552437bb3c5ff96a889fd31e4bc504b2a12fac7
	* mpi/ec.c (ec_pow2): New.
	(ec_powm): Remove call to mpi_abs.
	(dup_point_weierstrass, dup_point_twistededwards)
	(add_points_weierstrass, add_points_twistededwards)
	(_gcry_mpi_ec_curve_point): Use ec_pow2.

2013-09-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bufhelp: enable fast unaligned memory accesses on powerpc.
	+ commit 925d4fb3e8f2df3c5566ec6b5df7620a3d3504e5
	* cipher/bufhelp.h [__powerpc__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
	macro enabled.
	[__powerpc64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Ditto.

	Remove i386 inline assembly version of rotation functions.
	+ commit cfea5c28a3822e1e7e401e5107ebe07ba7fdcf37
	* cipher/bithelp.h (rol, ror): Remove i386 version, change
	macros to inline functions.
	* src/hmac256.c (ror): Ditto.

	Optimize and cleanup 32-bit and 64-bit endianess transforms.
	+ commit 9337e03824a5bdd3bbbcb8382cabefe6d6c32e1e
	* cipher/bithelp.h (bswap32, bswap64, le_bswap32, be_bswap32)
	(le_bswap64, be_bswap64): New.
	* cipher/bufhelp.h (buf_get_be32, buf_get_le32, buf_put_le32)
	(buf_put_be32, buf_get_be64, buf_get_le64, buf_put_be64)
	(buf_put_le64): New.
	* cipher/blowfish.c (do_encrypt_block, do_decrypt_block): Use new
	endian conversion helpers.
	(do_bf_setkey): Turn endian specific code to generic.
	* cipher/camellia.c (GETU32, PUTU32): Use new endian conversion
	helpers.
	* cipher/cast5.c (rol): Remove, use rol from bithelp.
	(F1, F2, F3): Fix to use rol from bithelp.
	(do_encrypt_block, do_decrypt_block, do_cast_setkey): Use new endian
	conversion helpers.
	* cipher/des.c (READ_64BIT_DATA, WRITE_64BIT_DATA): Ditto.
	* cipher/md4.c (transform, md4_final): Ditto.
	* cipher/md5.c (transform, md5_final): Ditto.
	* cipher/rmd160.c (transform, rmd160_final): Ditto.
	* cipher/salsa20.c (LE_SWAP32, LE_READ_UINT32): Ditto.
	* cipher/scrypt.c (READ_UINT64, LE_READ_UINT64, LE_SWAP32): Ditto.
	* cipher/seed.c (GETU32, PUTU32): Ditto.
	* cipher/serpent.c (byte_swap_32): Remove.
	(serpent_key_prepare, serpent_encrypt_internal)
	(serpent_decrypt_internal): Use new endian conversion helpers.
	* cipher/sha1.c (transform, sha1_final): Ditto.
	* cipher/sha256.c (transform, sha256_final): Ditto.
	* cipher/sha512.c (__transform, sha512_final): Ditto.
	* cipher/stribog.c (transform, stribog_final): Ditto.
	* cipher/tiger.c (transform, tiger_final): Ditto.
	* cipher/twofish.c (INPACK, OUTUNPACK): Ditto.
	* cipher/whirlpool.c (buffer_to_block, block_to_buffer): Ditto.
	* configure.ac (gcry_cv_have_builtin_bswap32): Check for compiler
	provided __builtin_bswap32.
	(gcry_cv_have_builtin_bswap64): Check for compiler provided
	__builtin_bswap64.

	gostr3411_94: set better burn stack depth estimate.
	+ commit 7409de7bc28ff8847c9d71d8c3e35e1968d59d60
	* cipher/gost28147.c (_gcry_gost_enc_one): Account function stack to
	burn stack depth.
	* cipher/gostr3411-94.c (max): New macro.
	(do_hash_step, transform): Return stack burn depth.

	Use hash transform function return type for passing burn stack depth.
	+ commit 592c2ab3deeeccbb6d3b078ed7bf0e6627c8e1fb
	* cipher/gostr4311-94.c (transform): Return stack burn depth.
	* cipher/hash-common.c (_gcry_md_block_write): Use stack burn depth
	returned by 'hd->bwrite'.
	* cipher/hash-common.h (_gcry_md_block_write_t): Change return type to
	'unsigned int'.
	(gry_md_block_ctx_t): Remove 'stack_burn'.
	* cipher/md4.c (transform): Return stack burn depth.
	(md4_final): Use stack burn depth from transform.
	* cipher/md5.c (transform): Return stack burn depth.
	(md5_final): Use stack burn depth from transform.
	* cipher/rmd160.c (transform): Return stack burn depth.
	(rmd160_final): Use stack burn depth from transform.
	* cipher/sha1.c (transform): Return stack burn depth.
	(sha1_final): Use stack burn depth from transform.
	* cipher/sha256.c (transform): Return stack burn depth.
	(sha256_final): Use stack burn depth from transform.
	* cipher/sha512.c (__transform, transform): Return stack burn depth.
	(sha512_final): Use stack burn depth from transform.
	* cipher/stribog.c (transform64): Return stack burn depth.
	* cipher/tiger.c (transform): Return stack burn depth.
	(tiger_final): Use stack burn depth from transform.

	Make STRIBOG use the new _gcry_md_block_write helper.
	+ commit 902ea6052c11108bd19333c31b03e084bed1fb86
	* cipher/stribog.c (STRIBOG_STRUCT): Add 'bctx' and remove 'buf' and
	'count'.
	(stribog_init_512): Initialize 'bctx'.
	(transform64): New function.
	(stribog_write): Remove.
	(stribog_final): Use _gcry_md_block_write and bctx.
	(_gcry_digest_spec_stribog_256, _gcry_digest_spec_stribog_512): Use
	_gcry_md_block_write.

	Make SHA-512 use the new _gcry_md_block_write helper.
	+ commit cce7449efe471b076c5a97929ac8907162011394
	* cipher/hash-common.c (_gcry_md_block_write): Check that hd->buf is
	large enough.
	* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE, MD_NBLOCKS_TYPE): New
	macros.
	(gcry_md_block_ctx_t): Use above macros for 'nblocks' and 'buf'.
	* cipher/sha512.c (SHA512_STATE): New struct.
	(SHA512_CONTEXT): Add 'bctx' and 'state'.
	(sha512_init, sha384_init): Initialize 'bctx'.
	(__transform, _gcry_sha512_transform_armv7_neon): Use SHA512_STATE for
	'hd'.
	(transform): For now, do not return burn stack.
	(sha512_write): Remove.
	(sha512_final): Use _gcry_md_block_write and bctx.
	(_gcry_digest_spec_sha512, _gcry_digest_spec_sha384): Use
	_gcry_md_block_write.

2013-09-20  Werner Koch  <wk@gnupg.org>

	sexp: Change internal versions to always use gpg_err_code_t.
	+ commit 3e5cfa20acfeccb9df2c3fae2730344b40b36104
	* src/sexp.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_build)
	(gcry_sexp_build_array, gcry_sexp_canon_len): Change error return type
	from gpg_error_t to gpg_err_code_t.  Remove all calls to gpg_error.
	* src/visibility.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_sscan)
	(gcry_sexp_build, gcry_sexp_build_array, gcry_sexp_canon_len): Map
	error codes via gpg_error.
	* cipher/dsa.c, cipher/ecc.c, cipher/elgamal.c, cipher/rsa.c: Remove
	use gpg_err_code wrappers.

	pk: Move s-exp creation for gcry_pk_decrypt to the modules.
	+ commit 722bfc1e5f2268453db62f38cc46b5ec6ef3adee
	* cipher/pubkey.c (sexp_to_enc): Remove RET_MODERN arg and merge it
	into FLAGS.
	(gcry_pk_decrypt): Move result s-exp building into the modules.
	* src/cipher-proto.h (gcry_pk_decrypt_t): Add some args.
	* cipher/ecc.c (ecc_decrypt_raw): Change to return an s-exp.
	* cipher/elgamal.c (elg_decrypt): Ditto.
	* cipher/rsa.c (rsa_decrypt): Ditto.
	(rsa_blind, rsa_unblind): Merge into rsa_decrypt.  This saves several
	extra MPI allocations.

	pk: Remove unused function.
	+ commit 64cd7ab93da7c95cc8aa320c61c6e29f9e2399c4
	* cipher/pubkey.c (_gcry_pk_aliased_algo_name): Remove

2013-09-19  Werner Koch  <wk@gnupg.org>

	Beautify debug output of the prime generator.
	+ commit 6576f0a7684292cb5691bfcabad0acca4c06c014
	* cipher/primegen.c: Adjust output of log_mpidump to recently changed
	log_mpidump code changes.

	pk: Move s-expr creation for genkey to the modules.
	+ commit 1bf08850bf9343146c938bc03917417e16393e9a
	* cipher/pubkey.c (pubkey_generate): Fold into gcry_pk_genkey
	(gcry_pk_genkey): Move result s-exp creation into the modules.
	* cipher/dsa.c (dsa_generate): Create result as s-exp.
	* cipher/elgamal.c (elg_generate): Ditto.
	* cipher/rsa.c (rsa_generate): Ditto.
	* cipher/ecc.c (ecc_generate): Ditto.
	* src/cipher-proto.h (pk_ext_generate_t): Remove type
	(gcry_pk_spec): and remove from struct.

	tests: Beautify some diagnostics.
	+ commit 2fe084873333c4d67bcfba0b527d63cd3cff6c47
	* tests/benchmark.c (ecc_bench): Print the key sexp in very verbose
	mode.
	(main): Add option --pk-count.
	* tests/keygen.c: Add Elgamal generation and improved diagnostics.
	* tests/t-ed25519.c (check_ed25519): Print running number of tests
	done.

	sexp: Improve printing data representing a negative number.
	+ commit b3f3d47d347c14ed41d755cee580f000309b9c03
	* src/sexp.c (suitable_encoding): Detect a negative number.

	pk: Move RSA encoding functions to a new file.
	+ commit 071f70b9a766187fc70f6abc6a69d50752449285
	* cipher/rsa-common: New.
	* cipher/pubkey.c (pkcs1_encode_for_encryption): Move to rsa-common.c
	and rename to _gcry_rsa_pkcs1_encode_for_enc.
	(pkcs1_decode_for_encryption): Move to rsa-common.c and rename to
	_gcry_rsa_pkcs1_decode_for_enc.
	(pkcs1_encode_for_signature): Move to rsa-common.c and rename to
	_gcry_rsa_pkcs1_encode_for_sig.
	(oaep_encode): Move to rsa-common.c and rename to
	_gcry_rsa_oaep_encode.
	(oaep_decode): Move to rsa-common.c and rename to
	_gcry_rsa_oaep_decode.
	(pss_encode): Move to rsa-common.c and rename to _gcry_rsa_pss_encode.
	(pss_verify): Move to rsa-common.c and rename to _gcry_rsa_pss_decode.
	(octet_string_from_mpi, mgf1): Move to rsa-common.c.

	pk: Move s-expr creation for sign and encrypt to the modules.
	+ commit eca9e2e50ddd4c9020fe1d4a9a3c77d20ebb90f6
	* cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt.
	(pubkey_decrypt): Fold into gcry_pk_decrypt.
	(pubkey_sign): Fold into gcry_pk_sign.
	(pubkey_verify): Fold into gcry_pk_verify.
	(octet_string_from_mpi): Make it a wrapper and factor code out to ...
	* mpi/mpicoder.c (_gcry_mpi_to_octet_string): New function.

	* src/cipher.h (PUBKEY_FLAG_FIXEDLEN): New.
	* cipher/pubkey.c (sexp_data_to_mpi): Set flag for some encodings.
	(gcry_pk_encrypt): Simply by moving the s-expr generation to the modules.
	(gcry_pk_sign): Ditto.
	* cipher/dsa.c (dsa_sign): Create s-expr.
	* cipher/elgamal.c (elg_encrypt, elg_sign): Ditto.
	* cipher/rsa.c (rsa_encrypt, rsa_sign): Ditto.
	* cipher/ecc.c (ecc_sign, ecc_encrypt_raw): Ditto.
	(ecdsa_names): Add "eddsa".
	* tests/t-ed25519.c (one_test): Expect "eddsa" token.

2013-09-19  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix Stribog digest on bigendian platforms.
	+ commit d399faf5db71d429bfd6fa4a9cfc82e2a55055f0
	* cipher/stribog.c (stribog_final): swap bytes in the result of digest
	calculations.

2013-09-18  Werner Koch  <wk@gnupg.org>

	pk: Simplify the public key dispatcher pubkey.c.
	+ commit 85722afb379f7a392a8117b895de273fd88c4ebc
	* src/cipher-proto.h (gcry_pk_spec_t): Add fields ALGO and FLAGS.
	* cipher/dsa.c (_gcry_pubkey_spec_dsa): Set these fields.
	* cipher/ecc.c (_gcry_pubkey_spec_ecdsa): Ditto.
	(_gcry_pubkey_spec_ecdh): Ditto.
	* cipher/rsa.c (_gcry_pubkey_spec_rsa): Ditto.
	* cipher/elgamal.c (_gcry_pubkey_spec_elg): Ditto
	(_gcry_pubkey_spec_elg_e): New.
	* cipher/pubkey.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.
	(disable_pubkey_algo): SImplified.  Not anymore thread-safe, though.

	pk: Merge extraspecs struct with standard specs struct.
	+ commit 89103ce00e862cc709e80fa41f2ee13d54093ec5
	* src/gcrypt-module.h (gcry_pk_spec_t): Move this typedef and the
	corresponding function typedefs to ...
	* src/cipher-proto.h: here.
	(pk_extra_spec_t): Remove typedef and merge fields into
	gcry_pk_spec_t.
	* cipher/rsa.c, cipher/dsa.c, cipher/elg.c, cipher/ecc.c: Ditto.
	* cipher/pubkey.c: Change accordingly.
	* src/cipher.h (_gcry_pubkey_extraspec_rsa): Remove.
	(_gcry_pubkey_extraspec_dsa): Remove.
	(_gcry_pubkey_extraspec_elg): Remove.
	(_gcry_pubkey_extraspec_ecdsa): Remove.

2013-09-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix encryption/decryption return type for GOST28147.
	+ commit 2ad7ea9cb388fd31e4b0852b68d77f599ef4adce
	* cipher/gost.h (_gcry_gost_enc_one): Change return type to
	'unsigned int'.
	* cipher/gost28147.c (max): New macro.
	(gost_encrypt_block, gost_decrypt_block): Return burn stack depth.
	(_gcry_gost_enc_one): Return burn stack depth from gost_encrypt_block.

2013-09-18  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	doc: fix building of ps and pdf documentation.
	+ commit bd33fa21c9afc6c81e0da24016fc13001e9c7390
	* doc/gcrypt.texi, doc/gpl.texi, doc/lgpl.texi: fix texinfo errors.

	Add GOST R 34.11-2012 implementation (Stribog)
	+ commit c22064bdd773a807801e300aa9214b2fdcafcf20
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_12_256)
	(GCRY_MD_GOSTR3411_12_512): New.
	* cipher/stribog.c: New.
	* configure.ac (available_digests_64): Add stribog.
	* src/cipher.h: Declare Stribog declarations.
	* cipher/md.c: Register Stribog digest.
	* tests/basic.c (check_digests) Add 4 testcases for Stribog from
	standard.
	* doc/gcrypt.texi: Document new constants.

	Add basic implementation of GOST R 34.11-94 message digest.
	+ commit b0579baaa04fb91eabbbdc295bcabea04cf84056
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_94): New.
	* cipher/gostr3411-94.c: New.
	* configure.ac (available_digests): Add gostr3411-94.
	* src/cipher.h: Add gostr3411-94 definitions.
	* cipher/md.c: Register GOST R 34.11-94.
	* tests/basic.c (check_digests): Add 4 tests for GOST R 34.11-94
	  hash algo. Two are  defined in the standard itself, two other are
	  more or less common tests - an empty string an exclamation mark.
	* doc/gcrypt.texi: Add an entry describing GOST R 34.11-94 to the MD
	  algorithms table.

	Separate common md block code.
	+ commit ecde77ad98690540abb21db08e5531297ed72bd0
	* cipher/hash-common.c (_gcry_md_block_write): New function to handle
	block md operations.  The current implementation is limited to 64 byte
	buffer and u32 block counter.

	* cipher/md4.c, cipher/md5.c, cipher/rmd.h, cipher/rmd160.c
	*cipher/sha1.c, cipher/sha256.c, cipher/tiger.c: Convert to use
	_gcry_md_block_write.

	Add limited implementation of GOST 28147-89 cipher.
	+ commit 56b5949f71f501744998f5ebc12488ebf6f1c0b5
	* src/gcrypt.h.in (GCRY_CIPHER_GOST28147): New.
	* cipher/gost.h, cipher/gost28147.c: New.
	* configure.ac (available_ciphers): Add gost28147.
	* src/cipher.h: Add gost28147 definitions.
	* cipher/cipher.c: Register gost28147.
	* tests/basic.c (check_ciphers): Enable simple test for gost28147.
	* doc/gcrypt.texi: document GCRY_CIPHER_GOST28147.

2013-09-18  Werner Koch  <wk@gnupg.org>

	ecc: Add Ed25519 key generation and prepare for optimizations.
	+ commit 63cd3474425cb5a7ec4d1a56be15b248ecda4680
	* src/mpi.h (enum ecc_dialects): New.
	* src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT.
	* cipher/ecc-common.h (elliptic_curve_t): Ditto.
	* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
	(domain_parms): Add dialect values.
	(_gcry_ecc_fill_in_curve): Set dialect.
	(_gcry_ecc_get_curve): Ditto.
	(_gcry_mpi_ec_new): Ditto.
	(_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now.
	* cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect.
	(_gcry_ecc_dialect2str): New.
	* mpi/ec.c (ec_p_init): Add arg DIALECT.
	(_gcry_mpi_ec_p_internal_new): Ditto.
	(_gcry_mpi_ec_p_new): Ditto.

	* mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag.
	(_gcry_mpi_set_opaque_copy): New.

	* cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI.
	* cipher/ecc.c (eddsa_generate_key): New.
	(generate_key): Rename to nist_generate_key and factor some code out
	to ...
	(ecc_generate_ext): here.  Divert to eddsa_generate_key if desired.
	(eddsa_decodepoint): Take care of an opaque MPI.
	(ecc_check_secret_key): Ditto.
	(ecc_sign): Ditto.
	* cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret
	key as opaque MPIs.
	(gcry_pk_genkey): Add the curve_name also to the private key part of
	the result.

	* tests/benchmark.c (ecc_bench): Support Ed25519.
	(main): Add option --debug.
	* tests/curves.c (sample_key_2): Make sure that P and N are positive.
	* tests/keygen.c (show): New.
	(check_ecc_keys): Support Ed25519.

2013-09-17  Werner Koch  <wk@gnupg.org>

	mpi: Support printing of negative numbers.
	+ commit 89fe2173649a72019d75e059e6c6938efd10421f
	* mpi/mpicoder.c (twocompl, onecompl): New.
	(gcry_mpi_print): Use it for STD and SSH.
	(gcry_mpi_scan): Use it for STD and SSH.  Always set NSCANNED.
	(gcry_mpi_aprint): Clear the extra allocated byte.
	* tests/t-convert.c (showhex, showmpi): New.
	(mpi2bitstr_nlz): New.
	(check_formats): New.
	(main): Call new test.

2013-09-16  Werner Koch  <wk@gnupg.org>

	Fix bug in _gcry_mpi_tdiv_q_2exp.
	+ commit a7a9cdcaaf3979baa18dad51e722882581349f45
	* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.

	ecc: Implement Curve Ed25519 signing and verification.
	+ commit bc5199a02abe428ad377443280b3eda60141a1d6
	* cipher/ecc-curves.c (domain_parms): Add curve "Ed25519".
	* cipher/ecc.c (reverse_buffer): New.
	(eddsa_encodempi): New.
	(eddsa_encodepoint): New.
	(eddsa_decodepoint): New.
	(sign_eddsa): Implement.
	(verify_eddsa): Implement.
	(ecc_sign): Init unused Q.  Pass public key to sign_eddsa.
	(ecc_verify): Init pk.Q if not used.  Pass public key verbatim to
	verify_eddsa.
	* cipher/pubkey.c (sexp_elements_extract): Add arg OPAQUE.  Change all
	callers to pass 0.
	(sexp_to_sig): Add arg OPAQUE and pass it to sexp_elements_extract.
	(sexp_data_to_mpi): Allow for a zero length "value".
	(gcry_pk_verify): Reorder parameter processing.  Pass OPAQUE flag as
	required.
	* mpi/ec.c (ec_invm): Print a warning if the inverse does not exist.
	(_gcry_mpi_ec_get_affine): Implement for our Twisted Edwards curve
	model.
	(dup_point_twistededwards): Implement.
	(add_points_twistededwards): Implement.
	(_gcry_mpi_ec_mul_point): Support Twisted Edwards.

	* mpi/mpicoder.c (do_get_buffer): Add arg FILL_LE.
	(_gcry_mpi_get_buffer): Ditto.  Change all callers.
	(_gcry_mpi_get_secure_buffer): Ditto.

	* src/sexp.c (_gcry_sexp_nth_opaque_mpi): New.

	* tests/t-ed25519.c: New.
	* tests/t-ed25519.inp: New.
	* tests/t-mpi-point.c (basic_ec_math_simplified): Print some output
	only in debug mode.
	(twistededwards_math): New test.
	(main): Call new test.

	mpi: Add internal convenience function.
	+ commit 44a2c34e90ed7de149952398787906d8823b636b
	* mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New.

	mpi: Add debug function to print a point.
	+ commit 8ebc94d11a1eb93f2365c93f555e958700fdfbd4
	* mpi/ec.c (_gcry_mpi_point_log): New.
	* src/mpi.h (log_printpnt): new macro.

	tests: Factor time measurement code out.
	+ commit 58eaf0c4332ac2f645ede28c4d18337389dfa753
	* tests/benchmark.c (started_at, stopped_at, start_timer, stop_timer)
	(elapsed time): Factor out to ..
	* tests/stopwatch.h: new file.

2013-09-12  Werner Koch  <wk@gnupg.org>

	Fix _gcry_log_printmpi to print 00 instead of a sole sign.
	+ commit 1c76349c69c70a62b516a4f837c6287def640807
	* src/misc.c: Special case an mpi length of 0.

2013-09-11  Werner Koch  <wk@gnupg.org>

	Streamline the use of the internal mpi and hex debug functions.
	+ commit e35ed615acc624a8b6c07576ea0650aac2bdb0db
	* mpi/mpicoder.c (gcry_mpi_dump): Remove.
	(_gcry_log_mpidump): Remove.
	* src/misc.c (_gcry_log_printhex): Factor all code out to ...
	(do_printhex): new.  Add line wrapping a and compact printing.
	(_gcry_log_printmpi): New.
	* src/mpi.h (log_mpidump): Remove macro.
	* src/g10lib.h (log_mpidump): Add compatibility macro.
	(log_printmpi): New macro
	* src/visibility.c (gcry_mpi_dump): Call _gcry_log_printmpi.
	* cipher/primegen.c (prime_generate_internal): Replace gcry_mpi_dump
	by log_printmpi.
	(gcry_prime_group_generator): Ditto.
	* cipher/pubkey.c: Remove extra colons from log_mpidump call.
	* cipher/rsa.c (stronger_key_check): Use log_printmpi.

2013-09-10  Werner Koch  <wk@gnupg.org>

	md: Add function gcry_md_hash_buffers.
	+ commit f3bca0c77c4979504f95fdbc618f7458e61e3e45
	* src/gcrypt.h.in (gcry_buffer_t): new.
	(gcry_md_hash_buffers): New.
	* src/visibility.c, src/visibility.h: Add wrapper for new function.
	* src/libgcrypt.def, src/libgcrypt.vers: Export new function.
	* cipher/md.c (gcry_md_hash_buffers): New.
	* cipher/sha1.c (_gcry_sha1_hash_buffers): New.
	* tests/basic.c (check_one_md_multi): New.
	(check_digests): Run that test.
	* tests/hmac.c (check_hmac_multi): New.
	(main): Run that test.

	md: Fix Whirlpool flaw.
	+ commit 0a28b2d2c9181a536fc894e24626714832619923
	* cipher/whirlpool.c (whirlpool_add): Remove shortcut return so that
	byte counter is always properly updated.

2013-09-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix static build on AMD64.
	+ commit 90fdf25f0dcc5feac7195ede55bd15948a11363e
	* cipher/rijndael-amd64.S: Correct 'RIP' macro for non-PIC build.

	scrypt: fix for big-endian systems.
	+ commit 38a038a135d82231eff9d84f1ae3c4a25c6a5e75
	* cipher/scrypt.c (_salsa20_core): Fix endianess issues.

2013-09-07  Werner Koch  <wk@gnupg.org>

	Use gcc "unused" attribute only with gcc >= 3.5.
	+ commit f7135e299e659d78906aac3dfdf30f380b5cf9c6
	* src/g10lib.h (GCC_ATTR_UNUSED): Fix gcc version detection.

2013-09-07  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add support for Salsa20/12 - 12 round version of Salsa20.
	+ commit ae6f6c47d2e0c536f3eab0823b5f23d26956cda2
	* src/gcrypt.h.in (GCRY_CIPHER_SALSA20R12): New.
	* src/salsa20.c (salsa20_core, salsa20_do_encrypt_stream): Add support
	for reduced round versions.
	  (salsa20r12_encrypt_stream, _gcry_cipher_spec_salsa20r12): Implement
	Salsa20/12 - a 12 round version of Salsa20 selected by eStream.
	* src/cipher.h: Declsare Salsa20/12 definition.
	* cipher/cipher.c: Register Salsa20/12
	* tests/basic.c: (check_stream_cipher, check_stream_cipher_large_block):
	Populate Salsa20/12 tests with test vectors from ecrypt
	(check_ciphers): Add simple test for Salsa20/12

2013-09-07  Werner Koch  <wk@gnupg.org>

	Add configure option --disable-amd64-as-feature-detection.
	+ commit 49d5b9dcd622cdc87fb02a211bd51e3d46345bf2
	* configure.ac: Implement new disable flag.

	mpi: Improve support for non-Weierstrass support.
	+ commit 4d8c8c7aa88cddb1624301957e6245405f46d027
	* mpi/ec.c (ec_p_init): Add args MODEL and P.  Change all callers.
	(_gcry_mpi_ec_p_internal_new): Ditto.
	(_gcry_mpi_ec_p_new): Ditto.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return
	GPG_ERR_UNKNOWN_CURVE instead of invalid value.  Init curve model.
	* cipher/ecc.c (ecc_verify, ecc_encrypt_raw): Ditto.
	* cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking.

	mpi: Add gcry_mpi_ec_curve_point.
	+ commit ddfefe429660cc5d798f3517208936449247ae5c
	* mpi/ec.c (_gcry_mpi_ec_curve_point): New.
	(ec_powm): Return the absolute value.
	* src/visibility.c, src/visibility.c: Add wrappers.
	* src/libgcrypt.def, src/libgcrypt.vers: Export them.

	mpi: Add functions to manipulate the sign.
	+ commit 1bd2c67aa55b40589654d3fa5dea05cf1ed7dc5f
	* src/gcrypt.h.in (gcry_mpi_is_neg): New.
	(gcry_mpi_neg, gcry_mpi_abs): New.
	* mpi/mpiutil.c (_gcry_mpi_is_neg): New.
	(_gcry_mpi_neg, _gcry_mpi_abs): New.
	* src/visibility.c, src/visibility.h: Add wrappers.
	* src/libgcrypt.def, src/libgcrypt.vers: Export them.
	* src/mpi.h (mpi_is_neg): New.  Rename old macro to mpi_has_sign.
	* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Use mpi_has_sign.
	* mpi/mpi-mpow.c (calc_barrett): Ditto.
	* cipher/primegen.c (_gcry_derive_x931_prime): Ditto
	* cipher/rsa.c (secret): Ditto.

2013-09-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tune armv6 mpi assembly.
	+ commit 4e4440153258e2f0dfdcaa8443820af06984ecb1
	* mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8.
	* mpi/armv6/mpih-mul2.S: Ditto.
	* mpi/armv6/mpih-mul3.S: Ditto.

2013-09-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change _gcry_burn_stack take burn depth as unsigned integer.
	+ commit e0ae31fcce3bd57b24751ff3c82cba820e493c3a
	* src/misc.c (_gcry_burn_stack): Change to handle 'unsigned int' bytes.

	mpicalc: fix building on linux and win32.
	+ commit 50ec983666f0ca9d50c84aa1afad0d7bd5810779
	* src/Makefile.am (mpicalc): Adjust CFLAGS and LDADD.

2013-09-04  Werner Koch  <wk@gnupg.org>

	Change mpicalc to use Libgcrypt and install it.
	+ commit 1d23040b659661b4086c079cb9fd5f37189a7020
	* src/mpicalc.c: Make use of gcry_ functions.
	(MPICALC_VERSION): New.  Set to 2.0.
	(strusage): Remove.
	(scan_mpi): New.  Replaces mpi_fromstr.
	(print_mpi): New.  Replaces mpi_print.
	(my_getc): New.
	(print_help): New.
	(main): Use simple option parser and print version info.
	* src/Makefile.am (bin_PROGRAMS): Add mpicalc.
	(mpicalc_SOURCES, mpicalc_CFLAGS, mpicalc_LDADD): New.

	Add mpicalc.c to help with testing.
	+ commit a70c46e29c480fa0f56ab4814666a5b115f84fd7
	* src/mpicalc.c: Take from GnuPG 1.4

	Prepare support for EdDSA.
	+ commit c47d4001033f68212d2847b3074a0bdda990342e
	* src/cipher.h (PUBKEY_FLAG_EDDSA): New.
	* cipher/pubkey.c (pubkey_verify): Repalce args CMP and OPAQUEV by
	CTX.  Pass flags and hash algo to the verify function.  Change all
	verify functions to accept these args.
	(sexp_data_to_mpi): Implement new flag "eddsa".
	(gcry_pk_verify): Pass CTX instead of the compare function to
	pubkey_verify.
	* cipher/ecc.c (sign): Rename to sign_ecdsa.  Change all callers.
	(verify): Rename to verify_ecdsa.  Change all callers.
	(sign_eddsa, verify_eddsa): New stub functions.
	(ecc_sign): Divert to sign_ecdsa or sign_eddsa.
	(ecc_verify): Divert to verify_ecdsa or verify_eddsa.

	Prepare support for non-Weierstrass EC equations.
	+ commit c26be7a337d0bf98193bc58e043209e46d0769bb
	* src/mpi.h (gcry_mpi_ec_models): New.
	* src/ec-context.h (mpi_ec_ctx_s): Add MODEL.
	* cipher/ecc-common.h (elliptic_curve_t): Ditto.
	* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
	(domain_parms): Mark als as Weierstrass.
	(_gcry_ecc_fill_in_curve): Check model.
	(_gcry_ecc_get_curve): Set model to Weierstrass.
	* cipher/ecc-misc.c (_gcry_ecc_model2str): New.
	* cipher/ecc.c (generate_key, ecc_generate_ext): Print model in the
	debug output.

	* mpi/ec.c (_gcry_mpi_ec_dup_point): Switch depending on model.
	Factor code out to ...
	(dup_point_weierstrass): new.
	(dup_point_montgomery, dup_point_twistededwards): New stub functions.
	(_gcry_mpi_ec_add_points): Switch depending on model.  Factor code out
	to ...
	(add_points_weierstrass): new.
	(add_points_montgomery, add_points_twistededwards): New stub
	functions.

	* tests/Makefile.am (TESTS): Reorder tests.

	mpi: Suppress newer gcc warnings.
	+ commit 8698530b2f9ef95542f1dd550961de7af86cc256
	* src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5.
	* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy
	as unused.
	* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.

	Do not check with cpp for typedefed constants.
	+ commit b28b1f732e1b4f9c62a9de87c22c6bb0d3f8fdb8
	* src/gcrypt-int.h: Include error code replacements depeding on the
	version of libgpg-error.

2013-09-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make _gcry_burn_stack use variable length array.
	+ commit 4b0edf53440239d3bcc95941980c062a0801a149
	* configure.ac (HAVE_VLA): Add check.
	* src/misc.c (_gcry_burn_stack) [HAVE_VLA]: Add VLA code.

	Move stack burning from block ciphers to cipher modes.
	+ commit a3aaa6ad03388ea3eaa24304b604cb864633332f
	* src/gcrypt-module.h (gcry_cipher_encrypt_t)
	(gcry_cipher_decrypt_t): Return 'unsigned int'.
	* cipher/cipher.c (dummy_encrypt_block, dummy_decrypt_block): Return
	zero.
	(do_ecb_encrypt, do_ecb_decrypt): Get largest stack burn depth from
	block cipher crypt function and burn stack at end.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Ditto.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_cbc_encrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Ditto.
	* cipher/blowfish.c (encrypt_block, decrypt_block): Return burn stack
	depth.
	* cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Ditto.
	* cipher/cast5.c (encrypt_block, decrypt_block): Ditto.
	* cipher/des.c (do_tripledes_encrypt, do_tripledes_decrypt)
	(do_des_encrypt, do_des_decrypt): Ditto.
	* cipher/idea.c (idea_encrypt, idea_decrypt): Ditto.
	* cipher/rijndael.c (rijndael_encrypt, rijndael_decrypt): Ditto.
	* cipher/seed.c (seed_encrypt, seed_decrypt): Ditto.
	* cipher/serpent.c (serpent_encrypt, serpent_decrypt): Ditto.
	* cipher/twofish.c (twofish_encrypt, twofish_decrypt): Ditto.
	* cipher/rfc2268.c (encrypt_block, decrypt_block): New.
	(_gcry_cipher_spec_rfc2268_40): Use encrypt_block and decrypt_block.

2013-09-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-aesni-avx2-amd64: Move register clearing to assembly functions.
	+ commit f3515240de9513ead975985c9f8ab714022cac8e
	* cipher/camellia-aesni-avx2-amd64.S
	(_gcry_camellia_aesni_avx2_ctr_enc): Add 'vzeroall'.
	(_gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): Add 'vzeroupper' at head and
	'vzeroall' at tail.
	* cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX2]: Remove register
	clearing.

	camellia-aesni-avx-amd64: Move register clearing to assembly functions.
	+ commit 8b735cb563dff7aafbf8a970972522b5621e665c
	* cipher/camellia-aesni-avx-amd64.S (_gcry_camellia_aesni_avx_ctr_enc)
	(_gcry_camellia_aesni_avx_cbc_dec)
	(_gcry_camellia_aesni_avx_cfb_dec): Add 'vzeroupper' at head and
	'vzeroall' at tail.
	* cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX]: Remove register clearing.

	serpent-avx2-amd64: Move register clearing to assembly.
	+ commit d12828cd821a4b4428eae19de5aee02cf536e536
	* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc)
	(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Change last
	'vzeroupper' to 'vzeroall'.
	* cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AVX2]: Remove register clearing with
	'vzeroall'.

	Fix building for x32 target.
	+ commit fd6721c235a5bdcb332c8eb708fbd4f96e52e824
	* mpi/amd64/mpi-asm-defs.h: New file.
	* random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is
	defined.
	[USE_DRNG, __x86_64__]: Also check if __LP64__ is defined.

2013-08-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha512: add ARM/NEON assembly version of transform function.
	+ commit 99d15543b8d94a8f1ef66c6ccb862b0ce82c514d
	* cipher/Makefile.am: Add 'sha512-armv7-neon.S'.
	* cipher/sha512-armv7-neon.S: New file.
	* cipher/sha512.c (USE_ARM_NEON_ASM): New macro.
	(SHA512_CONTEXT) [USE_ARM_NEON_ASM]: Add 'use_neon'.
	(sha512_init, sha384_init) [USE_ARM_NEON_ASM]: Enable 'use_neon' if
	CPU support NEON instructions.
	(k): Round constant array moved outside of 'transform' function.
	(__transform): Renamed from 'tranform' function.
	[USE_ARM_NEON_ASM] (_gcry_sha512_transform_armv7_neon): New prototype.
	(transform): New wrapper function for different transform versions.
	(sha512_write, sha512_final): Burn stack by the amount returned by
	transform function.
	* configure.ac (sha512) [neonsupport]: Add 'sha512-armv7-neon.lo'.

	sha512: reduce stack use in transform function by 512 bytes.
	+ commit 03da7f8ba3ec24d4639a2bcebbc0d9d831734c08
	* cipher/sha512.c (transform): Change 'u64 w[80]' to 'u64 w[16]' and
	inline input expansion to first 64 rounds.
	(sha512_write, sha512_final): Reduce burn_stack depth by 512 bytes.

	Add ARM HW feature detection module and add NEON detection.
	+ commit 9c95be105f518d18407115c2c06893857c24b116
	* configure.ac: Add option --disable-neon-support.
	(HAVE_GCC_INLINE_ASM_NEON): New.
	(ENABLE_NEON_SUPPORT): New.
	[arm]: Add 'hwf-arm.lo' as HW feature module.
	* src/Makefile.am: Add 'hwf-arm.c'.
	* src/g10lib.h (HWF_ARM_NEON): New macro.
	* src/global.c (hwflist): Add HWF_ARM_NEON entry.
	* src/hwf-arm.c: New file.
	* src/hwf-common.h (_gcry_hwf_detect_arm): New prototype.
	* src/hwfeatures.c (_gcry_detect_hw_features) [HAVE_CPU_ARCH_ARM]: Add
	call to _gcry_hwf_detect_arm.

	Correct mpi_cpu_arch for ARMv6.
	+ commit 7b0ebe69fe35f2ee13e1e1beb2766a1eaadb7f0c
	* mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of
	"armv6".

2013-08-30  Werner Koch  <wk@gnupg.org>

	mpi: Make gcry_mpi_print work with negative zeroes.
	+ commit e9b711e6ddb480a71d2996465074e436c752c005
	* mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero.
	(gcry_mpi_aprint): Allocate at least 1 byte.
	* tests/t-convert.c: New.
	* tests/Makefile.am (TESTS): Add t-convert.

	Refactor the ECC code into 3 files.
	+ commit 800d4e01376d52a94a157b53978c7c3f957fc476
	* cipher/ecc-common.h, cipher/ecc-curves.c, cipher/ecc-misc.c: New.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
	* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new .c files.
	* cipher/ecc.c (curve_aliases, ecc_domain_parms_t, domain_parms)
	(scanval): Move to ecc-curves.c.
	(fill_in_curve): Move to ecc-curve.c as _gcry_ecc_fill_in_curve.
	(ecc_get_curve): Move to ecc-curve.c as _gcry_ecc_get_curve.
	(_gcry_mpi_ec_ec2os): Move to ecc-misc.c.
	(ec2os): Move to ecc-misc.c as _gcry_ecc_ec2os.
	(os2ec): Move to ecc-misc.c as _gcry_ecc_os2ec.
	(point_set): Move as inline function to ecc-common.h.
	(_gcry_ecc_curve_free): Move to ecc-misc.c as _gcry_ecc_curve_free.
	(_gcry_ecc_curve_copy): Move to ecc-misc.c as _gcry_ecc_curve_copy.
	(mpi_from_keyparam, point_from_keyparam): Move to ecc-curves.c.
	(_gcry_mpi_ec_new): Move to ecc-curves.c.
	(ecc_get_param): Move to ecc-curves.c as _gcry_ecc_get_param.
	(ecc_get_param_sexp): Move to ecc-curves.c as _gcry_ecc_get_param_sexp.

2013-08-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent-sse2-amd64: Move register clearing to assembly functions.
	+ commit 040aa7688296e93659cb32ca31e9a001a6ab1edd
	cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_ctr_enc)
	(_gcry_serpent_sse2_cbc_dec, _gcry_serpent_sse2_cfb_dec): Clear used
	XMM registers.
	cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	( _gcry_serpent_cfb_dec) [USE_SSE2]: Remove XMM register clearing from
	bulk functions.

	twofish-amd64: do not make __twofish_dec_blk3 global.
	+ commit 82db04a6a0058cf870485459abe7c1659b138ec5
	* cipher/twofish-amd64.S (__twofish_dec_blk3): Do not export symbol as
	global.
	(__twofish_dec_blk3): Mark symbol as function.

2013-08-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: add ARMv6 assembly.
	+ commit da327aef3fe24fdf98fffbc8aea69de42ed12456
	* mpi/armv6/mpi-asm-defs.h: New.
	* mpi/armv6/mpih-add1.S: New.
	* mpi/armv6/mpih-mul1.S: New.
	* mpi/armv6/mpih-mul2.S: New.
	* mpi/armv6/mpih-mul3.S: New.
	* mpi/armv6/mpih-sub1.S: New.
	* mpi/config.links [arm]: Enable ARMv6 assembly.

	Move ARMv6 detection to configure.ac.
	+ commit 151f1e518be2d16bed748ba832384b0472ddcf9b
	* cipher/blowfish-armv6.S: Replace __ARM_ARCH >= 6 checks with
	HAVE_ARM_ARCH_V6.
	* cipher/blowfish.c: Ditto.
	* cipher/camellia-armv6.S: Ditto.
	* cipher/camellia.h: Ditto.
	* cipher/cast5-armv6.S: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/rijndael-armv6.S: Ditto.
	* cipher/rijndael.c: Ditto.
	* configure.ac: Add HAVE_ARM_ARCH_V6 check.

2013-08-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add optimized wipememory for ARM.
	+ commit c030e33533fb819afe195eff5f89ec39863b1fbc
	src/g10lib.h [__arm__] (fast_wipememory2_unaligned_head)
	(fast_wipememory2): New macros.

	cipher: bufhelp: allow unaligned memory accesses on ARM.
	+ commit 796dda37b957b20dba391343937c6325a8c8b288
	* cipher/bufhelp.h [__arm__ && __ARM_FEATURE_UNALIGNED]: Enable
	BUFHELP_FAST_UNALIGNED_ACCESS.

2013-08-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Remove burn_stack optimization.
	+ commit 79895b9459b9bf8c60cb7abf09d5bf16ed0cf6e3
	* src/misc.c (_gcry_burn_stack): Remove SIZEOF_UNSIGNED_LONG == 4 or 8
	optimization.

2013-08-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia: add ARMv6 assembly implementation.
	+ commit cafadc1e4fb97581262b0081ba251e05613d4394
	* cipher/Makefile.am: Add 'camellia-armv6.S'.
	* cipher/camellia-armv6.S: New file.
	* cipher/camellia-glue.c [USE_ARMV6_ASM]
	(_gcry_camellia_armv6_encrypt_block)
	(_gcry_camellia_armv6_decrypt_block): New prototypes.
	[USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock)
	(camellia_encrypt, camellia_decrypt): New functions.
	* cipher/camellia.c [!USE_ARMV6_ASM]: Compile encryption and decryption
	routines if USE_ARMV6_ASM macro is _not_ defined.
	* cipher/camellia.h (USE_ARMV6_ASM): New macro.
	[!USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock): If
	USE_ARMV6_ASM is defined, disable these function prototypes.
	(camellia) [arm]: Add 'camellia-armv6.lo'.

	blowfish: add ARMv6 assembly implementation.
	+ commit 31e4b1a96a07e9a3698fcb7be0643a136ebb8e5c
	* cipher/Makefile.am: Add 'blowfish-armv6.S'.
	* cipher/blowfish-armv6.S: New file.
	* cipher/blowfish.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_blowfish_armv6_do_encrypt)
	(_gcry_blowfish_armv6_encrypt_block)
	(_gcry_blowfish_armv6_decrypt_block, _gcry_blowfish_armv6_ctr_enc)
	(_gcry_blowfish_armv6_cbc_dec, _gcry_blowfish_armv6_cfb_dec): New
	prototypes.
	[USE_ARMV6_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block)
	(encrypt_block, decrypt_block): New functions.
	(_gcry_blowfish_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_blowfish_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_blowfish_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	* configure.ac (blowfish) [arm]: Add 'blowfish-armv6.lo'.

	cast5: add ARMv6 assembly implementation.
	+ commit 8d1faf56714598301580ce370e0bfa6d65e73644
	* cipher/Makefile.am: Add 'cast5-armv6.S'.
	* cipher/cast5-armv6.S: New file.
	* cipher/cast5.c (USE_ARMV6_ASM): New macro.
	(CAST5_context) [USE_ARMV6_ASM]: New members 'Kr_arm_enc' and
	'Kr_arm_dec'.
	[USE_ARMV6_ASM] (_gcry_cast5_armv6_encrypt_block)
	(_gcry_cast5_armv6_decrypt_block, _gcry_cast5_armv6_ctr_enc)
	(_gcry_cast5_armv6_cbc_dec, _gcry_cast5_armv6_cfb_dec): New prototypes.
	[USE_ARMV6_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block)
	(decrypt_block): New functions.
	(_gcry_cast5_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_cast5_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_cast5_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_cast_setkey) [USE_ARMV6_ASM]: Initialize 'Kr_arm_enc' and
	'Kr_arm_dec'.
	* configure.ac (cast5) [arm]: Add 'cast5-armv6.lo'.

2013-08-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: add ARMv6 assembly implementation.
	+ commit f365961422f1c8b3d89b8bcd9c99828f38c1f158
	* cipher/Makefile.am: Add 'rijndael-armv6.S'.
	* cipher/rijndael-armv6.S: New file.
	* cipher/rijndael.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_aes_armv6_encrypt_block)
	(_gcry_aes_armv6_decrypt_block): New prototypes.
	(do_encrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_encrypt): Disable input/output alignment when USE_ARMV6_ASM.
	(do_decrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_decrypt): Disable input/output alignment when USE_ARMV6_ASM.
	* configure.ac (HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS): New check for
	gcc/as compatibility with ARM assembly implementations.
	(aes) [arm]: Add 'rijndael-armv6.lo'.

2013-08-09  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: fix memory leak.
	+ commit 2b5bbe264fcd61e5e458e5f71a6507ba0271c729
	* cipher/pubkey.c (gcry_pk_sign): Handle the specific case of ECC,
	where there is NULL whichi is not the sentinel.

2013-08-08  Werner Koch  <wk@gnupg.org>

	mpi: Clear immutable flag on the result of gcry_mpi_set.
	+ commit 426cbc9feca0c8f46208fb3670adab95f9e46087
	* mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags.
	* tests/mpitests.c (test_const_and_immutable): Add a test for this.

2013-08-07  NIIBE Yutaka  <gniibe@fsij.org>

	tests: fix memory leaks.
	+ commit cc082642c1b0f2a3e9ca78e1ffd3f64417c204bd
	* tests/benchmark.c (dsa_bench): Release SIG.

	* tests/mpitests.c (test_powm): Release BASE, EXP, MOD, and RES.

	* tests/prime.c (check_primes): Release PRIME.

	* tests/tsexp.c (basic): Use intermediate variable M for constant.
	Release S1, S2 and A.

2013-08-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building on W32 (cannot export symbol 'gcry_sexp_get_buffer')
	+ commit 065d446478bf68553339fc77a89b8369bd110a18
	* src/libgcrypt.def: Change 'gcry_sexp_get_buffer' to
	'gcry_sexp_nth_buffer'.

2013-08-06  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: fix another memory leak.
	+ commit 9a421813123a2f5db0a91eaee4a45138efc9ad34
	* cipher/ecc.c (ecc_get_curve): Free TMP.

	tests: fix memory leaks.
	+ commit 87eddc31ccba6decbddd1761dd42a208666cd311
	* tests/pubkey.c (check_keys_crypt): Release L, X0, and X1.
	(check_keys): Release X.

	cipher: fix memory leaks.
	+ commit ae6ffd9af38cbcac57c220960f683aab91db85cb
	* cipher/elgamal.c (elg_generate_ext): Free XVALUE.

	* cipher/pubkey.c (sexp_elements_extract): Don't use IDX for loop.
	Call mpi_free.
	(sexp_elements_extract_ecc): Call mpi_free.

2013-08-05  Werner Koch  <wk@gnupg.org>

	mpi: Improve gcry_mpi_invm to detect bad input.
	+ commit d8e99a04dba6a606e879464cd11deee760d1e000
	* mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input.

2013-07-31  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Correct checks for ecc secret key.
	+ commit 10dfa41b43a906031bc674ea41cd3073701011f3
	* cipher/ecc.c (check_secret_key): replace wrong comparison of Q and
	sk->Q points with correct one.

2013-07-29  Werner Koch  <wk@gnupg.org>

	sexp: Allow white space anywhere in a hex format.
	+ commit 43320961a8751ee28dc95cdb0ae01ea8a7ff7f91
	* src/sexp.c (hextobyte): Remove.
	(hextonibble): New.
	(vsexp_sscan): Skip whtespace between hex nibbles.

	Implement deterministic ECDSA as specified by rfc-6979.
	+ commit 6e0a9786637d649b48aae0e611a12e12beef9b3b
	* cipher/ecc.c (sign): Add args FLAGS and HASHALGO.  Convert an opaque
	MPI as INPUT.  Implement rfc-6979.
	(ecc_sign): Remove the opaque MPI code and pass FLAGS to sign.
	(verify): Do not allocate and compute Y; it is not used.
	(ecc_verify): Truncate the hash value if needed.
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): Add ECDSA test cases.

2013-07-26  Werner Koch  <wk@gnupg.org>

	Implement deterministic DSA as specified by rfc-6979.
	+ commit 1cfa79aabc5d0fd8d124901054475e90ab7d9cde
	* cipher/dsa.c (dsa_sign): Move opaque mpi extraction to sign.
	(sign): Add args FLAGS and HASHALGO.  Implement deterministic DSA.
	Add code path for R==0 to comply with the standard.
	(dsa_verify): Left fill opaque mpi based hash values.
	* cipher/dsa-common.c (int2octets, bits2octets): New.
	(_gcry_dsa_gen_rfc6979_k): New.
	* tests/dsa-rfc6979.c: New.
	* tests/Makefile.am (TESTS): Add dsa-rfc6979.

	Allow the use of a private-key s-expression with gcry_pk_verify.
	+ commit b72d312ad11887fc416aa821786f6bdb663c0f4a
	* cipher/pubkey.c (sexp_to_key): Fallback to private key.

2013-07-25  Werner Koch  <wk@gnupg.org>

	Mitigate a flush+reload cache attack on RSA secret exponents.
	+ commit 287bf0e543f244d784cf8b58340bf0ab3c6aba97
	* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
	exponents in secure memory.

2013-07-19  Werner Koch  <wk@gnupg.org>

	pk: Allow the use of a hash element for DSA sign and verify.
	+ commit 37d0a1ebdc2dc74df4fb6bf0621045018122a68f
	* cipher/pubkey.c (pubkey_sign): Add arg ctx and pass it to the sign
	module.
	(gcry_pk_sign): Pass CTX to pubkey_sign.
	(sexp_data_to_mpi): Add flag rfc6979 and code to alls hash with *DSA
	* cipher/rsa.c (rsa_sign, rsa_verify): Return an error if an opaque
	MPI is given for DATA/HASH.
	* cipher/elgamal.c (elg_sign, elg_verify): Ditto.
	* cipher/dsa.c (dsa_sign, dsa_verify): Convert a given opaque MPI.
	* cipher/ecc.c (ecc_sign, ecc_verify): Ditto.
	* tests/basic.c (check_pubkey_sign_ecdsa): Add a test for using a hash
	element with DSA.

	sexp: Add function gcry_sexp_nth_buffer.
	+ commit 2d3e8d4d9562d666420aadd9ffa8ac0456a1cd91
	* src/sexp.c (gcry_sexp_nth_buffer): New.
	* src/visibility.c, src/visibility.h: Add function wrapper.
	* src/libgcrypt.vers, src/libgcrypt.def: Add to API.
	* src/gcrypt.h.in: Add prototype.

2013-07-18  Werner Koch  <wk@gnupg.org>

	Add support for Salsa20.
	+ commit c4885092088431e7928e4459fda20cc0e8ceb201
	* src/gcrypt.h.in (GCRY_CIPHER_SALSA20): New.
	* cipher/salsa20.c: New.
	* configure.ac (available_ciphers): Add Salsa20.
	* cipher/cipher.c: Register Salsa20.
	(cipher_setiv): Allow to divert an IV to a cipher module.
	* src/cipher-proto.h (cipher_setiv_func_t): New.
	(cipher_extra_spec): Add field setiv.
	* src/cipher.h: Declare Salsa20 definitions.
	* tests/basic.c (check_stream_cipher): New.
	(check_stream_cipher_large_block): New.
	(check_cipher_modes): Run new test functions.
	(check_ciphers): Add simple test for Salsa20.

2013-07-17  Werner Koch  <wk@gnupg.org>

	Allow gcry_mpi_dump to print opaque MPIs.
	+ commit 364d019e3ffedfcb434576702f73e767cb9389ef
	* mpi/mpicoder.c (gcry_mpi_dump): Detect abd print opaque MPIs.
	* tests/mpitests.c (test_opaque): New.
	(main): Call new test.

	cipher: Prepare to pass extra info to the sign functions.
	+ commit 5940e66cbefea3de5924f494f18aed69bb694bff
	* src/gcrypt-module.h (gcry_pk_sign_t): Add parms flags and hashalgo.
	* cipher/rsa.c (rsa_sign): Add parms and mark them as unused.
	* cipher/dsa.c (dsa_sign): Ditto.
	* cipher/elgamal.c (elg_sign): Ditto.
	* cipher/pubkey.c (dummy_sign): Ditto.
	(pubkey_sign): Pass 0 for the new args.

	Fix a special case bug in mpi_powm for e==0.
	+ commit 6e1adb05d290aeeb1c230c763970695f4a538526
	* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
	the result has been allocated.

2013-07-15  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix memory leak in t-mpi-point test.
	+ commit a7b80e9fba6b1b095f7c53469747967b40ebfbfd
	* tests/t-mpi-point.c (basic_ec_math, basic_ec_math_simplified): add
	calls to gcry_ctx_release() to free contexts after they become unused.

2013-07-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix 'Please include winsock2.h before windows.h' warnings with mingw32.
	+ commit d6c9c86cb7f571ae0bd9aee4efa01a0f9c4c3104
	* random/rndw32.c: include winsock2.h before windows.h.
	* src/ath.h [_WIN32]: Ditto.
	* tests/benchmark.c [_WIN32]: Ditto.

	Remove duplicate header from mpi/amd64/mpih-mul2.S.
	+ commit c64a0dcbefc5b0055954e37a3c86b32ff7a1b1da
	* mpi/amd64/mpih-mul2.S: remove duplicated header.

	Fix i386/amd64 inline assembly "cc" clobbers.
	+ commit ed0a598172208ec67234a4edd73189bf6808fd04
	* cipher/bithelp.h [__GNUC__, __i386__] (rol, ror): add "cc" globber
	for inline assembly.
	* cipher/cast5.c [__GNUC__, __i386__] (rol): Ditto.
	* random/rndhw.c [USE_DRNG] (rdrand_long): Ditto.
	* src/hmac256.c [__GNUC__, __i386__] (ror): Ditto.
	* mpi/longlong.c [__i386__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): Ditto.

	bufhelp: Suppress 'cast increases required alignment' warning.
	+ commit c3902a6b5cea9acef2e15fbee24eb601eeb25168
	* cipher/bufhelp.h (buf_xor, buf_xor_2dst, buf_xor_n_copy): Cast
	to larger element pointer through (void *) to suppress -Wcast-error.

	mpi: Add __ARM_ARCH for older GCC.
	+ commit 97f392f43cf2e4da1297cbecacbfbff33a869478
	* mpi/longlong.h [__arm__]: Construct __ARM_ARCH if not provided by
	compiler.

	mpi: add missing "cc" clobber for ARM assembly.
	+ commit 8aa4f2161cf643ce36d87d2e2786b546736f8232
	* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.
	[__arm__][__ARM_ARCH <= 3] (umul_ppmm): Ditto.

	Tweak ARM inline assembly for mpi.
	+ commit 71dda4507053379433dc8b0fc6462c15de7299df
	mpi/longlong.h [__arm__]: Enable inline assembly if __thumb2__ is
	defined.
	[__arm__]: Use __ARCH_ARM when defined.
	[__arm__] [__ARM_ARCH >= 5] (count_leading_zeros): New.

2013-06-26  Werner Koch  <wk@gnupg.org>

	Make gpg-error replacement defines more robust.
	+ commit 6540b84a6e9113813e7e49e3ad2024d4a0073300
	* configure.ac (AH_BOTTOM): Move GPG_ERR_ replacement defines to ...
	* src/gcrypt-int.h: new file.
	* src/visibility.h, src/cipher.h: Replace gcrypt.h by gcrypt-int.h.
	* tests/: Ditto for all test files.

2013-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Check if assembler is compatible with AMD64 assembly implementations.
	+ commit 3544fa8aa63bef9a35abf236e9376191b5ec206b
	* cipher/blowfish-amd64.S: Enable only if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined.
	* cipher/camellia-aesni-avx-amd64.S: Ditto.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/rinjdael-amd64.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* cipher/twofish-amd64.S: Ditto.
	* cipher/blowfish.c: Use AMD64 assembly implementation only if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined
	* cipher/camellia-glue.c: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/rijndael.c: Ditto.
	* cipher/serpent.c: Ditto.
	* cipher/twofish.c: Ditto.
	* configure.ac: Check gcc/as compatibility with AMD64 assembly
	implementations.

2013-06-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Optimize _gcry_burn_stack for 32-bit and 64-bit architectures.
	+ commit ec2f8de409a93c80efa658134df22074a9bca5a4
	* src/misc.c (_gcry_burn_stack): Add optimization for 32-bit and 64-bit
	architectures.

	Add Camellia AES-NI/AVX2 implementation.
	+ commit d94ec5f5f8a5d40a7d344025aa466f276f9718df
	* cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.S'.
	* cipher/camellia-aesni-avx2-amd64.S: New file.
	* cipher/camellia-glue.c (USE_AESNI_AVX2): New macro.
	(CAMELLIA_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
	[USE_AESNI_AVX2] (_gcry_camellia_aesni_avx2_ctr_enc)
	(_gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): New prototypes.
	(camellia_setkey) [USE_AESNI_AVX2]: Check AVX2+AES-NI capable hardware
	and set 'ctx->use_aesni_avx2'.
	(_gcry_camellia_ctr_enc) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(_gcry_camellia_cbc_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(_gcry_camellia_cfb_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks'
	so that AVX2 codepaths get tested.
	* configure.ac (camellia) [avx2support, aesnisupport]: Add
	'camellia-aesni-avx2-amd64.lo'.

	Add Serpent AVX2 implementation.
	+ commit e7ab4e1a7396f4609b9033207015b239ab4a5140
	* cipher/Makefile.am: Add 'serpent-avx2-amd64.S'.
	* cipher/serpent-avx2-amd64.S: New file.
	* cipher/serpent.c (USE_AVX2): New macro.
	(serpent_context_t) [USE_AVX2]: Add 'use_avx2'.
	[USE_AVX2] (_gcry_serpent_avx2_ctr_enc, _gcry_serpent_avx2_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec): New prototypes.
	(serpent_setkey_internal) [USE_AVX2]: Check for AVX2 capable hardware
	and set 'use_avx2'.
	(_gcry_serpent_ctr_enc) [USE_AVX2]: Use AVX2 accelerated functions.
	(_gcry_serpent_cbc_dec) [USE_AVX2]: Use AVX2 accelerated functions.
	(_gcry_serpent_cfb_dec) [USE_AVX2]: Use AVX2 accelerated functions.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks'
	so that AVX2 codepaths are tested.
	* configure.ac (serpent) [avx2support]: Add 'serpent-avx2-amd64.lo'.

	Add detection for Intel AVX2 instruction set.
	+ commit 3289bca708bdd02c69a331095ac6ca9a1efd74cc
	* configure.ac: Add option --disable-avx2-support.
	(HAVE_GCC_INLINE_ASM_AVX2): New.
	(ENABLE_AVX2_SUPPORT): New.
	* src/g10lib.h (HWF_INTEL_AVX2): New.
	* src/global.c (hwflist): Add HWF_INTEL_AVX2.
	* src/hwf-x86.c [__i386__] (get_cpuid): Initialize registers to zero
	before cpuid.
	[__x86_64__] (get_cpuid): Initialize registers to zero before cpuid.
	(detect_x86_gnuc): Store maximum cpuid level.
	(detect_x86_gnuc) [ENABLE_AVX2_SUPPORT]: Add detection for AVX2.

	twofish: add amd64 assembly implementation.
	+ commit d325ab5d86e6107a46007a4d0131122bbd719f8c
	* cipher/Makefile.am: Add 'twofish-amd64.S'.
	* cipher/twofish-amd64.S: New file.
	* cipher/twofish.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_twofish_amd64_encrypt_block)
	(_gcry_twofish_amd64_decrypt_block, _gcry_twofish_amd64_ctr_enc)
	(_gcry_twofish_amd64_cbc_dec, _gcry_twofish_amd64_cfb_dec): New
	prototypes.
	[USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt)
	(twofish_encrypt, twofish_decrypt): New functions.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec)
	(selftest_ctr, selftest_cbc, selftest_cfb): New functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_TWOFISH]: Register Twofish
	bulk functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (twofish) [x86_64]: Add 'twofish-amd64.lo'.
	* src/cipher.h (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(gcry_twofish_cfb_dec): New prototypes.

2013-05-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rinjdael: add amd64 assembly implementation.
	+ commit 7317fcfadf00789df140e51c0d16b60f6b144b59
	* cipher/Makefile.am: Add 'rijndael-amd64.S'.
	* cipher/rijndael-amd64.S: New file.
	* cipher/rijndael.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block): New prototypes.
	(do_encrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function.
	(do_encrypt): Disable input/output alignment when USE_AMD64_ASM is set.
	(do_decrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function.
	(do_decrypt): Disable input/output alignment when USE_AMD64_AES is set.
	* configure.ac (aes) [x86-64]: Add 'rijndael-amd64.lo'.

	blowfish: add amd64 assembly implementation.
	+ commit 9a61edd1f00cefe8ffa3ad54a53eed163883053c
	* cipher/Makefile.am: Add 'blowfish-amd64.S'.
	* cipher/blowfish-amd64.S: New file.
	* cipher/blowfish.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_blowfish_amd64_do_encrypt)
	(_gcry_blowfish_amd64_encrypt_block)
	(_gcry_blowfish_amd64_decrypt_block, _gcry_blowfish_amd64_ctr_enc)
	(_gcry_blowfish_amd64_cbc_dec, _gcry_blowfish_amd64_cfb_dec): New
	prototypes.
	[USE_AMD64_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block)
	(encrypt_block, decrypt_block): New functions.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec, selftest_ctr, selftest_cbc, selftest_cfb): New
	functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_BLOWFISH]: Register Blowfish
	bulk functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (blowfish) [x86_64]: Add 'blowfish-amd64.lo'.
	* src/cipher.h (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(gcry_blowfish_cfb_dec): New prototypes.

2013-05-24  Werner Koch  <wk@gnupg.org>

	ecc: Simplify the compliant point generation.
	+ commit 99b18aa536703ef90c9a1f5c8f40bc68b2064593
	* cipher/ecc.c (generate_key): Use point_snatch_set, replaces unneeded
	variable copies, etc.

	ecc: Fix a minor flaw in the generation of K.
	+ commit 9711384f75564a71979e3fb971b5f4cadcf1afef
	* cipher/dsa.c (gen_k): Factor code out to ..
	* cipher/dsa-common.c (_gcry_dsa_gen_k): new file and function.  Add
	arg security_level and re-indent a bit.
	* cipher/ecc.c (gen_k): Remove and change callers to _gcry_dsa_gen_k.
	* cipher/dsa.c: Include pubkey-internal.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add dsa-common.c

2013-05-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cast5: add amd64 assembly implementation.
	+ commit 0bdf26eea8cdbffefe7e37578f8f896c4f5f5275
	* cipher/Makefile.am: Add 'cast5-amd64.S'.
	* cipher/cast5-amd64.S: New file.
	* cipher/cast5.c (USE_AMD64_ASM): New macro.
	(_gcry_cast5_s1tos4): Merge arrays s1, s2, s3, s4 to single array to
	simplify access from assembly implementation.
	(s1, s2, s3, s4): New macros pointing to subarrays in
	_gcry_cast5_s1tos4.
	[USE_AMD64_ASM] (_gcry_cast5_amd64_encrypt_block)
	(_gcry_cast5_amd64_decrypt_block, _gcry_cast5_amd64_ctr_enc)
	(_gcry_cast5_amd64_cbc_dec, _gcry_cast5_amd64_cfb_dec): New prototypes.
	[USE_AMD64_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block)
	(decrypt_block): New functions.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec)
	(selftest_ctr, selftest_cbc, selftest_cfb): New functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_CAST5]: Register CAST5 bulk
	functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (cast5) [x86_64]: Add 'cast5-amd64.lo'.
	* src/cipher.h (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec)
	(gcry_cast5_cfb_dec): New prototypes.

	cipher-selftest: make selftest work with any block-size.
	+ commit ab8fc70b5f0c396a5bc941267f59166e860b8c5d
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed
	functions from '<name>_128' to '<name>'.
	(_gcry_selftest_helper_cbc, _gcry_selftest_helper_cfb)
	(_gcry_selftest_helper_ctr): Make work with different block sizes.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed
	prototypes from '<name>_128' to '<name>'.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.
	* cipher/rijndael.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.
	* cipher/serpent.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.

2013-05-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent: add parallel processing for CFB decryption.
	+ commit 6deb0ccdf718a0670f80e6762a3842caf76437d6
	* cipher/cipher.c (gcry_cipher_open): Add bulf CFB decryption function
	for Serpent.
	* cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_cfb_dec): New
	function.
	* cipher/serpent.c (_gcry_serpent_sse2_cfb_dec): New prototype.
	(_gcry_serpent_cfb_dec) New function.
	(selftest_cfb_128) New function.
	(selftest) Call selftest_cfb_128.
	* src/cipher.h (_gcry_serpent_cfb_dec): New prototype.

	camellia: add parallel processing for CFB decryption.
	+ commit b60f06f70227c1e69e1010da8b47ea51ade48145
	* cipher/camellia-aesni-avx-amd64.S
	(_gcry_camellia_aesni_avx_cfb_dec): New function.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_cfb_dec): New
	prototype.
	(_gcry_camellia_cfb_dec): New function.
	(selftest_cfb_128): New function.
	(selftest): Call selftest_cfb_128.
	* cipher/cipher.c (gry_cipher_open): Add bulk CFB decryption function
	for Camellia.
	* src/cipher.h (_gcry_camellia_cfb_dec): New prototype.

	rinjdael: add parallel processing for CFB decryption with AES-NI.
	+ commit 319ee14f2aab8db56a830fd7ac8926f91b4f738a
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cfb_128): New
	function for CFB selftests.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cfb_128): New
	prototype.
	* cipher/rijndael.c [USE_AESNI] (do_aesni_enc_vec4): New function.
	(_gcry_aes_cfb_dec) [USE_AESNI]: Add parallelized CFB decryption.
	(selftest_cfb_128): New function.
	(selftest): Call selftest_cfb_128.

2013-05-23  Werner Koch  <wk@gnupg.org>

	Avoid compiler warning due to the global symbol setkey.
	+ commit b402de8b9c4a9f269faf03ca952b1eb68a1f33c8
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_ctr_128): Rename setkey to setkey_func.

2013-05-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent: add SSE2 accelerated amd64 implementation.
	+ commit 2fd06e207dcea1d8a7f0e7e92f3359615a99421b
	* configure.ac (serpent): Add 'serpent-sse2-amd64.lo'.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add
	'serpent-sse2-amd64.S'.
	* cipher/cipher.c (gcry_cipher_open) [USE_SERPENT]: Register bulk
	functions for CBC-decryption and CTR-mode.
	* cipher/serpent.c (USE_SSE2): New macro.
	[USE_SSE2] (_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec):
	New prototypes to assembler functions.
	(serpent_setkey): Set 'serpent_init_done' before calling serpent_test.
	(_gcry_serpent_ctr_enc): New function.
	(_gcry_serpent_cbc_dec): New function.
	(selftest_ctr_128): New function.
	(selftest_cbc_128): New function.
	(selftest): Call selftest_ctr_128 and selftest_cbc_128.
	* cipher/serpent-sse2-amd64.S: New file.
	* src/cipher.h (_gcry_serpent_ctr_enc): New prototype.
	(_gcry_serpent_cbc_dec): New prototype.

	Serpent: faster S-box implementation.
	+ commit c85501af8222913f0a1e20e77fceb88e93417925
	* cipher/serpent.c (SBOX0, SBOX1, SBOX2, SBOX3, SBOX4, SBOX5, SBOX6)
	(SBOX7, SBOX0_INVERSE, SBOX1_INVERSE, SBOX2_INVERSE, SBOX3_INVERSE)
	(SBOX4_INVERSE, SBOX5_INVERSE, SBOX6_INVERSE, SBOX7_INVERSE): Replace
	with new definitions.

2013-05-22  Werner Koch  <wk@gnupg.org>

	w32: Fix installing of .def file.
	+ commit 4e46d8bc78008ba06f106b368cefb0dddf15fe38
	* src/Makefile.am (install-def-file): Create libdir first.

	Add control commands to disable mlock and setuid dropping.
	+ commit 2b8014af202c9e0f7619f7a4377f5eb752235220
	* src/gcrypt.h.in (GCRYCTL_DISABLE_LOCKED_SECMEM): New.
	(GCRYCTL_DISABLE_PRIV_DROP): New.
	* src/global.c (_gcry_vcontrol): Implement them.
	* src/secmem.h (GCRY_SECMEM_FLAG_NO_MLOCK): New.
	(GCRY_SECMEM_FLAG_NO_PRIV_DROP): New.
	* src/secmem.c (no_mlock, no_priv_drop): New.
	(_gcry_secmem_set_flags, _gcry_secmem_get_flags): Set and get them.
	(lock_pool): Handle no_mlock and no_priv_drop.

	Fix libtool 2.4.2 to correctly detect .def files.
	+ commit 05b3e2dda61d3d532a7f1ffd2487a85ed1c4f3ab
	* ltmain.sh (sed_uncomment_deffile): New.
	(orig_export_symbols): Uncomment def file before testing for EXPORTS.
	* m4/libtool.m4: Do the same for the generated code.

2013-05-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AES bulk CBC decryption selftest.
	+ commit b65281a1b76d7898eb7607932246b78277d8570b
	* cipher/rinjdael.c (selftest_cbc_128): New.
	(selftest): Call selftest_cbc_128.

	Change AES bulk CTR encryption selftest use new selftest helper function
	+ commit 3637bdbb5f30a5e06745d448a6a8ad00e5cdd740
	* cipher/rinjdael.c: (selftest_ctr_128): Change to use new selftest
	helper function.

	Convert bulk CTR and CBC selftest functions in Camellia to generic selftest helper functions
	+ commit eed4042fa028b3f73bad6a768f5b0a82f642e545
	* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-selftest files.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cbc_128): Change
	to use the new selftest helper functions.
	* cipher/cipher-selftest.c: New.
	* cipher/cipher-selftest.h: New.

	camellia: add bulk CBC decryption selftest.
	+ commit f2986f03d1ae59f973bae56ce4333e5457003de5
	* cipher/camellia-glue.c: (selftest_cbc_128): New selftest function for
	bulk CBC decryption.
	(selftest): Add call to selftest_cbc_128.

	camellia: Rename camellia_aesni_avx_x86-64.S to camellia-aesni-avx-amd64.S
	+ commit 194ae35da7830a76b96e9b21121a2e1248762d3f
	* cipher/camellia_aesni_avx_x86-64.S: Remove.
	* cipher/camellia-aesni-avx-amd64.S: New.
	* cipher/Makefile.am: Use the new filename.
	* configure.ac: Use the new filename.

2013-05-21  Werner Koch  <wk@gnupg.org>

	Fix indentation and save on string space.
	+ commit 2ac3a7c2b7154379738d17cfde8cd9017dc142f0
	* cipher/ecc.c (generate_key): Use the same string for both fatal
	messages.

2013-05-20  Andrey  <andrey@brainhub.org>

	cipher: Fix segv in last ECC change.
	+ commit eb4937914db3fb7317502e97e4f0e40c1857f59d
	* cipher/ecc.c (generate_key): Make sure R is initialized.

2013-05-09  Andrey  <andrey@brainhub.org>

	cipher: Generate compliant ECC keys.
	+ commit 296f38a2bd2e25788643a42e4881faed00884a40
	* cipher/ecc.c (generate_key): Make sure a key is compliant for
	using the compact representation.

2013-04-18  Werner Koch  <wk@gnupg.org>

	cipher: Fix regression in Padlock support.
	+ commit 6c942ec4d63032539f1fc56c3b970cfec2369e2b
	* cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case
	and use the standard one.

	mpi: Yet another fix to get option flag munging right.
	+ commit 03557687a09b9c8878c77cbfdd0f5049940c72da
	* cipher/Makefile.am (o_flag_munging): Yet another fix.

	mpi: Make using gcc's -Ofast easier.
	+ commit 1ab26bc304c559b0a8d29823d656f7ad8d10a59d
	* cipher/Makefile.am (o_flag_munging): Take -Ofast in account.

	Fix alignment problem in idea.c.
	+ commit 3271b0dfda67e26c381d7ed667737f08f865ee40
	* cipher/idea.c (cipher): Rework parameter use to fix alignment
	problems.

	* cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros.

	Fix alignment problem in idea.c.

	* cipher/idea.c (cipher): Rework parameter use to fix alignment
	problems.

	* cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros.


	(cherry picked from 4cd279556777e02eda79973f68efaa4b741f9175)

2013-04-18  Vladimir Serbinenko  <phcoder@gmail.com>

	Add some const attributes.
	+ commit ff0b94c22b36600fff1db9f1d48f9de61f9038f7
	* cipher/md4.c (transform): Add const attribute.
	* cipher/md5.c (transform): Ditto.
	* cipher/rmd160.c (transform): Ditto.

	Fix alignment problem in serpent.c.
	+ commit 86e72b490a5790a9c23341067c7e4d3e38be1634
	* cipher/serpent.c (serpent_key_prepare): Fix misaligned access.
	(serpent_setkey): Likewise.
	(serpent_encrypt_internal): Likewise.
	(serpent_decrypt_internal): Likewise.
	(serpent_encrypt): Don't put an alignment-increasing cast.
	(serpent_decrypt): Likewise.
	(serpent_test): Likewise.

2013-04-16  Werner Koch  <wk@wheatstone.g10code.de>

	Fix multiply by zero in gcry_mpi_ec_mul.
	+ commit 78cd0ba8a8eceee9d0b3397a2ab3bda6ba37c8a4
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
	* tests/t-mpi-point.c (basic_ec_math): Add a test case for this.

2013-04-15  Werner Koch  <wk@gnupg.org>

	Add macros to return pre-defined MPIs.
	+ commit bd3afc27459a44df8cf501a7e1ae37bb849a8b0e
	* src/gcrypt.h.in (GCRYMPI_CONST_ONE, GCRYMPI_CONST_TWO)
	(GCRYMPI_CONST_THREE, GCRYMPI_CONST_FOUR, GCRYMPI_CONST_EIGHT): New.
	(_gcry_mpi_get_const): New private function.
	* src/visibility.c (_gcry_mpi_get_const): New.
	* src/visibility.h: Mark it visible.

	Fix addition of EC points.
	+ commit 71b25a5562f68aad81eae52cc1bab9ca7731a7e9
	* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
	coordinates.

2013-04-12  Werner Koch  <wk@gnupg.org>

	Add hack to allow using an "ecc" key for "ecdsa" or "ecdh".
	+ commit af8a79aea80217a0c85a592db1fa001792a6bf0f
	* cipher/pubkey.c (sexp_to_key): Add optional arg USE.
	(gcry_pk_encrypt, gcry_pk_decrypt): Call sexp_to_key with usage sign.
	(gcry_pk_sign, gcry_pk_verify): Call sexp_to_key with usage encrypt.
	* tests/basic.c (show_sexp): New.
	(check_pubkey_sign): Print test number and add cases for ecc.
	(check_pubkey_sign_ecdsa): New.
	(do_check_one_pubkey): Divert to new function.

2013-04-11  Werner Koch  <wk@gnupg.org>

	Add gcry_pubkey_get_sexp.
	+ commit 1f3cfad66456dd6f2e48f20b8eb0c51343449a1c
	* src/gcrypt.h.in (GCRY_PK_GET_PUBKEY): New.
	(GCRY_PK_GET_SECKEY): New.
	(gcry_pubkey_get_sexp): New.
	* src/visibility.c (gcry_pubkey_get_sexp): New.
	* src/visibility.h (gcry_pubkey_get_sexp): Mark visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
	* cipher/pubkey-internal.h: New.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add new file.
	* cipher/ecc.c: Include pubkey-internal.h
	(_gcry_pk_ecc_get_sexp): New.
	* cipher/pubkey.c: Include pubkey-internal.h and context.h.
	(_gcry_pubkey_get_sexp): New.
	* src/context.c (_gcry_ctx_find_pointer): New.
	* src/cipher-proto.h: Add _gcry_pubkey_get_sexp.
	* tests/t-mpi-point.c (print_sexp): New.
	(context_param, basic_ec_math_simplified): Add tests for the new
	function.

	* configure.ac (NEED_GPG_ERROR_VERSION): Set to 1.11.
	(AH_BOTTOM) Add error codes from gpg-error 1.12
	* src/g10lib.h (fips_not_operational): Use GPG_ERR_NOT_OPERATIONAL.

	* mpi/ec.c (_gcry_mpi_ec_get_mpi): Fix computation of Q.
	(_gcry_mpi_ec_get_point): Ditto.

	Remove unused code.
	+ commit 7524da2ba83d83a766c22d704006380c893e1c49
	* cipher/pubkey.c (_gcry_pk_module_lookup, _gcry_pk_module_release)
	(_gcry_pk_get_elements): Remove.

2013-04-05  Werner Koch  <wk@gnupg.org>

	Make the Q parameter optional for ECC signing.
	+ commit fe91a642c7c257aca095b96406fbcace88fa3df4
	* cipher/ecc.c (ecc_sign): Remove the need for Q.
	* cipher/pubkey.c (sexp_elements_extract_ecc): Make Q optional for a
	private key.
	(sexp_to_key): Add optional arg R_IS_ECC.
	(gcry_pk_sign): Do not call gcry_pk_get_nbits for ECC keys.
	* tests/pubkey.c (die): Make sure to print a LF.
	(check_ecc_sample_key): New.
	(main): Call new test.

	Add test case for SCRYPT and rework the code.
	+ commit f23a068bcb6ec9788710698578d8be0a2a006dbc
	* tests/t-kdf.c (check_scrypt): New.
	(main): Call new test.

	* configure.ac: Support disabling of the scrypt algorithm.  Make KDF
	enabling similar to the other algorithm classes.  Disable scrypt if we
	don't have a 64 bit type.
	* cipher/memxor.c, cipher/memxor.h: Remove.
	* cipher/scrypt.h: Remove.
	* cipher/kdf-internal.h: New.
	* cipher/Makefile.am: Remove files.  Add new file.  Move scrypt.c to
	EXTRA_libcipher_la_SOURCES.
	(GCRYPT_MODULES): Add GCRYPT_KDFS.
	* src/gcrypt.h.in (GCRY_KDF_SCRYPT): Change value.
	* cipher/kdf.c (pkdf2): Rename to _gcry_kdf_pkdf2.
	(_gcry_kdf_pkdf2): Don't bail out for SALTLEN==0.
	(gcry_kdf_derive): Allow for a passwordlen of zero for scrypt.  Check
	for SALTLEN > 0 for GCRY_KDF_PBKDF2.  Pass algo to _gcry_kdf_scrypt.
	(gcry_kdf_derive) [!USE_SCRYPT]: Return an error.
	* cipher/scrypt.c: Replace memxor.h by bufhelp.h.  Replace scrypt.h by
	kdf-internal.h.  Enable code only if HAVE_U64_TYPEDEF is defined.
	Replace C99 types uint64_t, uint32_t, and uint8_t by libgcrypt types.
	(_SALSA20_INPUT_LENGTH): Remove underscore from identifier.
	(_scryptBlockMix): Replace memxor by buf_xor.
	(_gcry_kdf_scrypt): Use gcry_malloc and gcry_free.  Check for integer
	overflow.  Add hack to support blocksize of 1 for tests.  Return
	errors from calls to _gcry_kdf_pkdf2.

	* cipher/kdf.c (openpgp_s2k): Make static.

2013-04-04  Christian Grothoff  <christian@grothoff.org>

	Add the SCRYPT KDF function.
	+ commit 855b1a8f81b5a3b5b31d0c3c303675425f58a5af
	* scrypt.c, scrypt.h: New files.
	* memxor.c, memxor.h: New files.
	* cipher/Makefile.am: Add new files.
	* cipher/kdf.c (gcry_kdf_derive): Support GCRY_KDF_SCRYPT.
	* src/gcrypt.h.in (GCRY_KDF_SCRYPT): New.

2013-03-22  Werner Koch  <wk@gnupg.org>

	Replace deprecated AM_CONFIG_HEADER macro.
	+ commit d0c8fda5af45354ac32928c9a01e688d6893599d
	* configure.ac: s/AM_CONFIG_HEADER/AC_CONFIG_HEADER/

	Disable AES-NI support if as does not support SSSE3.
	+ commit 9f4df1612ae21a5ce70d98930cb194e5193f5e2d
	* configure.ac (HAVE_GCC_INLINE_ASM_SSSE3): New test.
	(ENABLE_AESNI_SUPPORT): Do not define without SSSE3 support.
	(HAVE_GCC_INLINE_ASM_SSSE3, ENABLE_AVX_SUPPORT): Split up detection
	and definition.

2013-03-21  Werner Koch  <wk@gnupg.org>

	Fix make dependency regression.
	+ commit 2a1e03c5a481689c43d197dd8034a1d73de0a1a4
	* src/Makefile.am (libgcrypt_la_DEPENDENCIES): Add missing backslash.
	Reported by LRN.

2013-03-20  Werner Koch  <wk@gnupg.org>

	Use finer grained on-the-fly helper computations for EC.
	+ commit 5fb3501aa0cf5f2b2a9012706bb9ad2b1c4bfd7d
	* src/ec-context.h (mpi_ec_ctx_s): Replace NEED_SYNC by a bitfield.
	* mpi/ec.c (ec_p_sync): Remove.
	(ec_get_reset, ec_get_a_is_pminus3, ec_get_two_inv_p): New.
	(ec_p_init): Use ec_get_reset.
	(_gcry_mpi_ec_set_mpi, _gcry_mpi_ec_dup_point)
	(_gcry_mpi_ec_add_points): Replace ec_p_sync by the ec_get_ accessors.

	Allow building with w64-mingw32.
	+ commit b402e550041782b770a6ae267c7c28ca8324a12e
	* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain.  Also
	prepare for 64 bit building.

	Provide GCRYPT_VERSION_NUMBER macro, add build info to the binary.
	+ commit 1eaad0a8c4cab227685a6a8768e539df2f1f4dac
	* src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New.
	* configure.ac (VERSION_NUMBER): New ac_subst.
	* src/global.c (_gcry_vcontrol): Move call to above function ...
	(gcry_check_version): .. here.

	* configure.ac (BUILD_REVISION, BUILD_FILEVERSION)
	(BUILD_TIMESTAMP): Define on all platforms.
	* compat/compat.c (_gcry_compat_identification): Include revision and
	timestamp.

	Fix a memory leak in the new EC code.
	+ commit de07974d807b703a2554d6ba885ea249e648bd44
	* cipher/ecc.c (point_from_keyparam): Always call mpi_free on A.

2013-03-19  Werner Koch  <wk@gnupg.org>

	Extend the new EC interface and fix two bugs.
	+ commit 931e409e877d1e444edd53dead327ec8e64daf9a
	* src/ec-context.h (mpi_ec_ctx_s): Add field NEED_SYNC.
	* mpi/ec.c (ec_p_sync): New.
	(ec_p_init): Only set NEED_SYNC.
	(_gcry_mpi_ec_set_mpi): Set NEED_SYNC for 'p' and 'a'.
	(_gcry_mpi_ec_dup_point, _gcry_mpi_ec_add_points)
	(_gcry_mpi_ec_mul_point): Call ec_p_sync.
	(_gcry_mpi_ec_get_point): Recompute 'q' is needed.
	(_gcry_mpi_ec_get_mpi): Ditto.  Also allow for names 'q', 'q.x',
	'q.y', and 'g'.
	* cipher/ecc.c (_gcry_mpi_ec_ec2os): New.

	* cipher/ecc.c (_gcry_mpi_ec_new): Fix init from parameters 'Q'->'q',
	'G'->'q'.

2013-03-15  Werner Koch  <wk@gnupg.org>

	mpi: Add functions to manipulate an EC context.
	+ commit 229f3219f80c9369ed9624242c0436ae6d293201
	* src/gcrypt.h.in (gcry_mpi_ec_p_new): Remove.
	(gcry_mpi_ec_new): New.
	(gcry_mpi_ec_get_mpi): New.
	(gcry_mpi_ec_get_point): New.
	(gcry_mpi_ec_set_mpi): New.
	(gcry_mpi_ec_set_point): New.
	* src/visibility.c (gcry_mpi_ec_p_new): Remove.
	* mpi/ec.c (_gcry_mpi_ec_p_new): Make it an internal function and
	change to return an error code.
	(_gcry_mpi_ec_get_mpi): New.
	(_gcry_mpi_ec_get_point): New.
	(_gcry_mpi_ec_set_mpi): New.
	(_gcry_mpi_ec_set_point): New.
	* src/mpi.h: Add new prototypes.
	* src/ec-context.h: New.
	* mpi/ec.c: Include that header.
	(mpi_ec_ctx_s): Move to ec-context.h, add new fields, and put some
	fields into an inner struct.
	(point_copy): New.
	* cipher/ecc.c (fill_in_curve): Allow passing NULL for R_NBITS.
	(mpi_from_keyparam, point_from_keyparam): New.
	(_gcry_mpi_ec_new): New.

	* tests/t-mpi-point.c (test-curve): New.
	(ec_p_new): New.  Use it instead of the removed gcry_mpi_ec_p_new.
	(get_and_cmp_mpi, get_and_cmp_point): New.
	(context_param): New test.
	(basic_ec_math_simplified): New test.
	(main): Call new tests.

	* src/context.c (_gcry_ctx_get_pointer): Check for a NULL CTX.

2013-03-13  Werner Koch  <wk@gnupg.org>

	Add GCRYMPI_FLAG_CONST and make use constants.
	+ commit e005629bd7bebb3e13945645c6e1230b44ab16a2
	* src/gcrypt.h.in (GCRYMPI_FLAG_CONST): New.
	* src/mpi.h (mpi_is_const, mpi_const): New.
	(enum gcry_mpi_constants, MPI_NUMBER_OF_CONSTANTS): New.
	* mpi/mpiutil.c (_gcry_mpi_init): New.
	(constants): New.
	(_gcry_mpi_free): Do not release a constant flagged MPI.
	(gcry_mpi_copy): Clear the const and immutable flags.
	(gcry_mpi_set_flag, gcry_mpi_clear_flag, gcry_mpi_get_flag): Support
	GCRYMPI_FLAG_CONST.
	(_gcry_mpi_const): New.
	* src/global.c (global_init): Call _gcry_mpi_init.
	* mpi/ec.c (mpi_ec_ctx_s): Remove fields one, two, three, four, and
	eight.  Change all users to call mpi_const() instead.

	* src/mpiutils.c (gcry_mpi_set_opaque): Check the immutable flag.

	Add GCRYMPI_FLAG_IMMUTABLE to help debugging.
	+ commit 1fecae98ee7e0fa49b29f98efa6817ca121ed98a
	* src/gcrypt.h.in (GCRYMPI_FLAG_IMMUTABLE): New.
	* src/mpi.h (mpi_is_immutable): New macro.
	* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
	(gcry_mpi_get_flag): Implement new flag
	(_gcry_mpi_immutable_failed): New.

	* mpi/mpiutil.c (_gcry_mpi_clear, _gcry_mpi_free, gcry_mpi_snatch)
	(gcry_mpi_set, gcry_mpi_randomize): Act upon the immutable flag.
	* mpi/mpi-bit.c (gcry_mpi_set_bit, gcry_mpi_set_highbit)
	(gcry_mpi_clear_highbit, gcry_mpi_clear_bit)
	(_gcry_mpi_rshift_limbs, gcry_mpi_lshift): Ditto.
	* mpi/mpicoder.c (_gcry_mpi_set_buffer): Ditto.

2013-03-08  Werner Koch  <wk@gnupg.org>

	mpi: Add an API for EC math.
	+ commit 8ac9e756d3ca545a9b97e61ad3d42fc2e877d788
	* src/context.c, src/context.h: New.
	* src/Makefile.am (libgcrypt_la_SOURCES): Add new files.
	* src/gcrypt.h.in (struct gcry_context, gcry_ctx_t): New types.
	(gcry_ctx_release): New prototype.
	(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
	(gcry_mpi_ec_add, gcry_mpi_ec_mul): New prototypes.
	* mpi/ec.c: Include errno.h and context.h.
	(_gcry_mpi_ec_init): Rename to ..
	(ec_p_init): this, make static, remove allocation and add arg CTX.
	(_gcry_mpi_ec_p_internal_new): New; to replace _gcry_mpi_ec_init.
	Change all callers to use this func.
	(_gcry_mpi_ec_free): Factor code out to ..
	(ec_deinit): New func.
	(gcry_mpi_ec_p_new): New.
	* src/visibility.c: Include context.h and mpi.h.
	(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
	(gcry_mpi_ec_add, gcry_mpi_ec_mul)
	(gcry_ctx_release): New wrapper functions.
	* src/visibility.h: Mark new wrapper functions visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new symbols.
	* tests/t-mpi-point.c (print_mpi, hex2mpi, cmp_mpihex): New.
	(context_alloc): New.
	(make_point, basic_ec_math): New.

	mpi: Add an API for EC point operations.
	+ commit 7cce620acddac2df024ca421ed3abc32a88f3738
	* mpi/ec.c (gcry_mpi_point_new, gcry_mpi_point_release): New.
	(gcry_mpi_point_get, gcry_mpi_point_snatch_get): New.
	(gcry_mpi_point_set, gcry_mpi_point_snatch_set): New.
	* src/visibility.h, src/visibility.c: Add corresponding macros and
	wrappers.
	* src/gcrypt.h.in (struct gcry_mpi_point, gcry_mpi_point_t): New.
	(gcry_mpi_point_new, gcry_mpi_point_release, gcry_mpi_point_get)
	(gcry_mpi_point_snatch_get, gcry_mpi_point_set)
	(gcry_mpi_point_snatch_set): New prototypes.
	(mpi_point_new, mpi_point_release, mpi_point_get, mpi_point_snatch_get)
	(mpi_point_set, mpi_point_snatch_set): New macros.
	* src/libgcrypt.vers (gcry_mpi_point_new, gcry_mpi_point_release)
	(gcry_mpi_point_get, gcry_mpi_point_snatch_get, gcry_mpi_point_set)
	(gcry_mpi_point_snatch_set): New symbols.
	* src/libgcrypt.def: Ditto.
	* tests/t-mpi-point.c: New.
	* tests/Makefile.am (TESTS): Add t-mpi-point

2013-03-07  Werner Koch  <wk@gnupg.org>

	mpi: Add mpi_snatch and change an internal typedef.
	+ commit 6c4767637c512127a4362732b3ec51068554d328
	* src/mpi.h (struct mpi_point_s): Rename to struct gcry_mpi_point.
	(mpi_point_struct): New typedef.
	(mpi_point_t): Change typedef to a pointer.  Replace all occurrences
	to use mpi_point_struct.
	* mpi/ec.c (_gcry_mpi_ec_point_init): Rename to ..
	(_gcry_mpi_point_init): this.  Change all callers.
	(_gcry_mpi_ec_point_free): Rename to ..
	(_gcry_mpi_point_free_parts): this.  Change all callers.

	* mpi/mpiutil.c (gcry_mpi_snatch): New function.
	* src/gcrypt.h.in (gcry_mpi_snatch, mpi_snatch): Add protoype and
	macro.
	* src/visibility.c (gcry_mpi_snatch): Add wrapper.
	* src/visibility.h (gcry_mpi_snatch): Add macro magic.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.

	Pretty print the configure feedback.
	+ commit c620099e4ab2f35e0196b395a805bb655c984ac2
	* acinclude.m4 (GNUPG_MSG_PRINT): Remove.
	(GCRY_MSG_SHOW, GCRY_MSG_WRAP): New.
	* configure.ac: Use new macros for the feedback.

2013-02-20  Werner Koch  <wk@gnupg.org>

	Fix building of hwf-x86.c.
	+ commit 70dcac663de06b012417015c175973d64e6980df
	* src/Makefile.am (AM_CFLAGS): Set to GPG_ERROR_CFLAGS
	(AM_CCASFLAGS): Set NOEXECSTACK_FLAGS.

	Remove build hacks for FreeBSD.
	+ commit fb48ebf7081400a24ee48f8a9894a361e8834b6e
	* configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and
	LDFLAGS.

2013-02-19  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Rinjdael: Fix use of SSE2 outside USE_AESNI/ctx->use_aesni.
	+ commit 0da77955a097bfd2469ad084b3e9fcac4fb1e3fa
	* cipher/rijndael.c (_gcry_aes_cbc_enc): Check if AES-NI is enabled before
	calling aesni_prepare() and aesni_cleanup().

	Add AES-NI/AVX accelerated Camellia implementation.
	+ commit 63ac3ba07dba82fde040d31b90b4eff627bd92b9
	* configure.ac: Add option --disable-avx-support.
	(HAVE_GCC_INLINE_ASM_AVX): New.
	(ENABLE_AVX_SUPPORT): New.
	(camellia) [ENABLE_AVX_SUPPORT, ENABLE_AESNI_SUPPORT]: Add
	camellia_aesni_avx_x86-64.lo.
	* cipher/Makefile.am (AM_CCASFLAGS): Add.
	(EXTRA_libcipher_la_SOURCES): Add camellia_aesni_avx_x86-64.S
	* cipher/camellia-glue.c [ENABLE_AESNI_SUPPORT, ENABLE_AVX_SUPPORT]
	[__x86_64__] (USE_AESNI_AVX): Add macro.
	(struct Camellia_context) [USE_AESNI_AVX]: Add use_aesni_avx.
	[USE_AESNI_AVX] (_gcry_camellia_aesni_avx_ctr_enc)
	(_gcry_camellia_aesni_avx_cbc_dec): New prototypes to assembly
	functions.
	(camellia_setkey) [USE_AESNI_AVX]: Enable AES-NI/AVX if hardware
	support both.
	(_gcry_camellia_ctr_enc) [USE_AESNI_AVX]: Add AES-NI/AVX code.
	(_gcry_camellia_cbc_dec) [USE_AESNI_AVX]: Add AES-NI/AVX code.
	* cipher/camellia_aesni_avx_x86-64.S: New.
	* src/g10lib.h (HWF_INTEL_AVX): New.
	* src/global.c (hwflist): Add HWF_INTEL_AVX.
	* src/hwf-x86.c (detect_x86_gnuc) [ENABLE_AVX_SUPPORT]: Add detection
	for AVX.

	camellia.c: Prepare for AES-NI/AVX implementation.
	+ commit 4de62d80644228fc5db2a9f9c94a7eb633d8de2e
	* cipher/camellia-glue.c (CAMELLIA_encrypt_stack_burn_size)
	(CAMELLIA_decrypt_stack_burn_size): Increase stack burn size.
	* cipher/camellia.c (CAMELLIA_ROUNDSM): Move key-material mixing in
	the front.
	(camellia_setup128, camellia_setup256): Remove now unneeded
	key-material mangling.
	(camellia_encrypt128, camellia_decrypt128, amellia_encrypt256)
	(camellia_decrypt256): Copy block to stack, so that compiler can
	optimize it for register usage.

	Camellia, prepare glue code for AES-NI/AVX implementation.
	+ commit 537f12ce072d568f9fa344c447d32b2e0efffbe8
	* cipher/camellia-glue.c (ATTR_ALIGNED_16): Add macro.
	(CAMELLIA_encrypt_stack_burn_size): Add macro.
	(camellia_encrypt): Use macro above for stack burn size.
	(CAMELLIA_decrypt_stack_burn_size): Add macro.
	(camellia_decrypt): Use macro above for stack burn size.
	(_gcry_camellia_ctr_enc): New function.
	(_gcry_camellia_cbc_dec): New function.
	(selftest_ctr_128): New function.
	(selftest): Call function above.
	* cipher/cipher.c (gcry_cipher_open) [USE_CAMELLIA]: Register bulk
	functions for CBC-decryption and CTR-mode.
	* src/cipher.h (_gcry_camellia_ctr_enc): New prototype.
	(_gcry_camellia_cbc_dec): New prototype.

2012-12-21  Werner Koch  <wk@gnupg.org>

	Prepare for hardware feature detection on other platforms.
	+ commit 09ac5d87d11aa0b1fa0e0a4184ab03b3671a73e2
	* configure.ac (GCRYPT_HWF_MODULES): New.
	(HAVE_CPU_ARCH_X86, HAVE_CPU_ARCH_ALPHA, HAVE_CPU_ARCH_SPARC)
	(HAVE_CPU_ARCH_MIPS, HAVE_CPU_ARCH_M68K, HAVE_CPU_ARCH_PPC)
	(HAVE_CPU_ARCH_ARM): New AC_DEFINEs.
	* mpi/config.links (mpi_cpu_arch): New.
	* src/global.c (print_config): Print new tag "cpu-arch".
	* src/Makefile.am (libgcrypt_la_SOURCES): Add hwf-common.h
	(EXTRA_libgcrypt_la_SOURCES): New.
	(gcrypt_hwf_modules): New.
	(libgcrypt_la_DEPENDENCIES, libgcrypt_la_LIBADD): Add that one.
	* src/hwfeatures.c: Factor most code out to ...
	* src/hwf-x86.c: New file.
	(detect_x86_gnuc): Return the feature vector.
	(_gcry_hwf_detect_x86): New.
	* src/hwf-common.h: New.
	* src/hwfeatures.c (_gcry_detect_hw_features): Dispatch using
	HAVE_CPU_ARCH_ macros.

2012-12-21  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Clean up i386/x86-64 cpuid usage in hwfeatures.c.
	+ commit d842eea55e22c05da3959a7a4422b5fcd7884f60
	* src/hwfeatures.c [__i386__ && __GNUC__] (detect_ia32_gnuc): Remove.
	[__x86_64__ && __GNUC__] (detect_x86_64_gnuc): Remove.
	[__i386__ && __GNUC__] (is_cpuid_available, get_cpuid)
	(HAS_X86_CPUID): New.
	[__x86_64__ && __GNUC__] (is_cpuid_available, get_cpuid)
	(HAS_X86_CPUID): New.
	[HAS_X86_CPUID] (detect_x86_gnuc): New.
	(_gcry_detect_hw_features) [__i386__ && GNUC]: Remove detect_ia32_gnuc
	call.
	(_gcry_detect_hw_features) [__x86_64__ && GNUC]: Remove
	detect_x86_64_gnuc call.
	(_gcry_detect_hw_features) [HAS_X86_CPUID]: Add detect_x86_gnuc call.

2012-12-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	Add support for using DRNG random number generator.
	+ commit efd7002188e6d50013e4d9a920a8b9afa9d210e5
	* configure.ac: Add option --disable-drng-support.
	(ENABLE_DRNG_SUPPORT): New.
	* random/rndhw.c (USE_DRNG): New.
	(rdrand_long, rdrand_nlong, poll_drng): New.
	(_gcry_rndhw_poll_fast, _gcry_rndhw_poll_slow): Call poll function.
	* src/g10lib.h (HWF_INTEL_RDRAND): New.
	* src/global.c (hwflist): Add "intel-rdrand".
	* src/hwfeatures.c (detect_x86_64_gnuc) [ENABLE_DRNG_SUPPORT]: Detect
	RDRAND.
	(detect_ia32_gnuc) [ENABLE_DRNG_SUPPORT]: Detect RDRAND.

2012-12-03  Werner Koch  <wk@gnupg.org>

	random: Add a RNG selection interface and system RNG wrapper.
	+ commit 7607ab81504ce44060ed0b331d309606f5da1e75
	* random/random-system.c: New.
	* random/Makefile.am (librandom_la_SOURCES): Add new module.
	* random/random.c (struct rng_types): New.
	(_gcry_set_preferred_rng_type, _gcry_get_rng_type): New.
	(_gcry_random_initialize, gcry_random_add_bytes, do_randomize)
	(_gcry_set_random_seed_file, _gcry_update_random_seed_file)
	(_gcry_fast_random_poll): Dispatch to the actual RNG.
	* src/gcrypt.h.in (GCRYCTL_SET_PREFERRED_RNG_TYPE): New.
	GCRYCTL_GET_CURRENT_RNG_TYPE): New.
	(gcry_rng_types): New.
	* src/global.c (print_config): Print the TNG type.
	(global_init, _gcry_vcontrol): Implement the new control codes.
	* doc/gcrypt.texi (Controlling the library): Document the new control
	codes.

	* tests/benchmark.c (main): Add options to test the RNG types.
	* tests/random.c (main): Add new options.
	(print_hex): Print to stderr.
	(progress_cb, rng_type): New.
	(check_rng_type_switching, check_early_rng_type_switching): New.
	(run_all_rng_tests): New.

	tests: Allow use of random.c under Windows.
	+ commit 76c622e24a07f7c826812be173aa173b4334776b
	* tests/Makefile.am (TESTS): Always include random.c
	* tests/random.c [!W32]: Include sys/wait.h.
	(inf): New.
	(check_forking, check_nonce_forking): Print a notice what will be done.
	(main) [W32]: Do not call signal.

	Make random-fips.c work multi-threaded.
	+ commit 75760021b511ba438606af746431223357e7a155
	* random/random-fips.c (basic_initialization): Fix reversed logic.

	Move nonce creation from csprng backend to random main module.
	+ commit c324644aa14e54fc7051983b38222db32b8ab227
	* random/random-csprng.c (_gcry_rngcsprng_create_nonce): Remove.
	(nonce_buffer_lock): Remove.
	(initialize_basics): Remove init of nonce_buffer_lock.
	* random/random.c: Add a few header files.
	(nonce_buffer_lock):  New.
	(_gcry_random_initialize): Init nonce_buffer_lock.
	(gcry_create_nonce): Add code from _gcry_rngcsprng_create_nonce.

	* random/random-daemon.c (_gcry_daemon_create_nonce): Remove.

2012-12-03  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix building with CC="gcc -std=c90".
	+ commit f851b9a932ee64fa5a06000d1ac763ba4349f07d
	* configure.ac: Add check for missing 'asm' keyword in C90 mode and
	replacement with '__asm__'.

2012-12-03  Werner Koch  <wk@gnupg.org>

	Try to use inttypes.h if stdint.h is not available.
	+ commit d9ec7aec1301b13a89e5c9c54d7ad52e1a29b846
	* cipher/bufhelp.h [HAVE_INTTYPES_H]: Include inttypes.h

2012-12-03  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize buffer xoring.
	+ commit 162791bc08f4fc9b3882671e68ecdfd9e130ae59
	* cipher/Makefile.am (libcipher_la_SOURCES): Add 'bufhelp.h'.
	* cipher/bufhelp.h: New.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Use 'buf_xor' for buffer xoring.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Use 'buf_xor' for buffer xoring and remove
	resulting unused variables.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt) Use 'buf_xor_2dst'
	for buffer xoring and remove resulting unused variables.
	(_gcry_cipher_cfb_decrypt): Use 'buf_xor_n_copy' for buffer xoring and
	remove resulting unused variables.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Use 'buf_xor' for
	buffer xoring and remove resulting unused variables.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Use 'buf_xor' for buffer xoring and remove
	resulting used variables.
	* cipher/rijndael.c (_gry_aes_cfb_enc): Use 'buf_xor_2dst' for buffer
	xoring and remove resulting unused variables.
	(_gry_aes_cfb_dev): Use 'buf_xor_n_copy' for buffer xoring and remove
	resulting unused variables.
	(_gry_aes_cbc_enc, _gry_aes_ctr_enc, _gry_aes_cbc_dec): Use 'buf_xor'
	for buffer xoring and remove resulting unused variables.

2012-11-29  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize AES-NI CTR mode.
	+ commit 9ee9e25f519696d509b1a5c1cc04ab0121e98a51
	* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Make
	handling of 64-bit overflow and carry conditional. Avoid generic to
	vector register passing of value '1'. Generate and use '-1' instead.

2012-11-28  Werner Koch  <wk@gnupg.org>

	Make a cpp conditional in rijndael.c better readable.
	+ commit 6765e0a8618000d3dc7bda035163e0708c43791b
	* cipher/rijndael.c (USE_AESNI): Modify cpp conditionals for better
	readability.

2012-11-28  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix building with Clang on x86-64 and i386.
	+ commit 99e272d938fe23efec25af409bdb91dae0e659e5
	* cipher/rijndael.c [USE_AESNI] (do_aesni_enc_aligned)
	(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Add
	explicit suffix to 'cmp' instructions.

2012-11-26  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize wipememory2 for i386 and x86-64.
	+ commit faec12e23f03c7cd1614594bfdd51f1302cadb42
	* src/g10lib.h (wipememory2): Add call to fast_wipememory2.
	(fast_wipememory2): New macros for i386 and x86-64 architectures.
	Empty macro provided for other architectures.

	Fix missing 64bit carry handling in AES-NI CTR mode.
	+ commit fc37e805c6394c2e635d1a033670be961f36a6d2
	* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Add
	carry handling to 64-bit addition.
	(selftest_ctr_128): New function for testing IV handling in bulk CTR
	function.
	(selftest): Add call to selftest_ctr_128.

	Add parallelized AES-NI CBC decryption.
	+ commit 35aff0cd43885b5f5c076432ec614698abeb63d8
	* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_5): New macro.
	[USE_AESNI] (do_aesni_dec_vec4): New function.
	(_gcry_aes_cbc_dec) [USE_AESNI]: Add parallelized CBC loop.
	(_gcry_aes_cbc_dec) [USE_AESNI]: Change IV storage register from xmm3
	to xmm5.

	Clear xmm5 after use in AES-NI CTR mode.
	+ commit 5acd0e5ae2a58dda51c2b56c879b80a1a6d2c42f
	* cipher/rijndael.c [USE_AESNI]: Rename aesni_cleanup_2_4 to
	aesni_cleanup_2_5.
	[USE_AESNI] (aesni_cleanup_2_5): Clear xmm5 register.
	(_gcry_aes_ctr_enc, _gcry_aes_cbc_dec) [USE_AESNI]: Use
	aesni_cleanup_2_5 instead of aesni_cleanup_2_4.

	Optimize AES-NI CBC encryption.
	+ commit be3768994ad362dfc849a8cd0146b4c9bb287d20
	* cipher/rijndeal.c (_gcry_aes_cbc_enc) [USE_AESNI]: Add AES-NI
	spesific loop and use SSE2 assembler for xoring and copying of
	blocks.

	Improve parallelizability of CBC decryption for AES-NI.
	+ commit 3369d960158ab4231b83926a0f982e2a8819f173
	* cipher/rijndael.c (_gcry_aes_cbc_dec) [USE_AESNI]: Add AES-NI
	specific CBC mode loop with temporary block and IV stored in free SSE
	registers.

	Extend test of chained modes for 128bit ciphers.
	+ commit 55b96be08531664ed3f4230acebe0f45954bbc33
	* tests/basic.c (check_one_cipher_core, check_one_cipher): Increase
	input and output buffer sizes from 16 bytes to 1024+16=1040 bytes.
	(check_one_cipher_core): Add asserts to verify sizes of temporary
	buffers.

2012-11-21  Werner Koch  <wk@gnupg.org>

	Fix for strict aliasing rules.
	+ commit dfb4673da8ee52d95e0a62c9f49ca8599943f22e
	* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t for
	casting.

	Do not detect AES-NI support if disabled by configure.
	+ commit 3047795794eb238aa684bd0729acf64c82a19e09
	* src/hwfeatures.c (detect_ia32_gnuc): Detect AESNI support only if
	that support has been enabled.

2012-11-21  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix too large burn_stack in camellia-glue.c.
	+ commit 8afabc2813948778a3db52d9dee9a041a3dd50d4
	* cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Do not
	take full array size of KEY_TABLE_TYPE, but argument size instead.

	Add x86_64 support for AES-NI.
	+ commit d8bdfa42ed582655c180e7db9b16d4e756a12a6e
	* cipher/rijndael.c [ENABLE_AESNI_SUPPORT]: Enable USE_AESNI on x86-64.
	(do_setkey) [USE_AESNI_is_disabled_here]: Use %[key] and %[ksch]
	directly as registers instead of using temporary register %%esi.
	[USE_AESNI] (do_aesni_enc_aligned, do_aesni_dec_aligned, do_aesni_cfb,
	do_aesni_ctr, do_aesni_ctr_4): Use %[key] directly as register instead
	of using temporary register %%esi.
	[USE_AESNI] (do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Change %[key]
	from generic "g" type to register "r".
	* src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Do not
	clear AES-NI feature flag.

	Fix cpuid vendor-id check for i386 and x86-64.
	+ commit 9e1552517f68459a165ddebbba85e7cf37ff4f0c
	* src/hwfeatures.c (detect_x86_64_gnuc, detect_ia32_gnuc): Allow
	Intel features be detect from CPU by other vendors too.

	Fix hwdetect assembler clobbers.
	+ commit 19b9efd1f47a5de9c450ce8212dfa3174a029c7a
	* src/hwfeatures.c (detect_x86_64_gnuc): Add missing %ebx assembler
	clobbers.
	(detect_x86_64_gnuc, detect_ia32_gnuc) [ENABLE_PADLOCK_SUPPORT]: Add
	missing %ecx assembler clobbers.

2012-11-21  Werner Koch  <wk@gnupg.org>

	Use configure test for aligned attribute.
	+ commit 6368ed542150956ff4ba8170a15bbc534143675c
	* configure.ac (HAVE_GCC_ATTRIBUTE_ALIGNED): New test and ac_define.
	* cipher/cipher-internal.h, cipher/rijndael.c, random/rndhw.c: Use new
	macro instead of a fixed test for __GNUC__.

	Fix segv with AES-NI on some platforms.
	+ commit a96974de734beb51a733a89b3283bcf7b433b54c
	* cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes.

2012-11-16  Werner Koch  <wk@gnupg.org>

	Improve parsing of the GIT revision number.
	+ commit 4b18e530f417d4af401a3fd721ad2a07e5310e3e
	* configure.ac (mmm4_revision): Use git rev-parse.

2012-11-08  Werner Koch  <wk@gnupg.org>

	Fix extern inline use for gcc > 4.3 in c99 mode.
	+ commit 5abc06114e91beca0177331e1c79815f5fb6d7be
	* mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern
	inline semantics in gcc.

2012-11-07  Werner Koch  <wk@gnupg.org>

	Fix memory leak in gcry_pk_testkey for ECC.
	+ commit 8cbbad5f94f6e0429fffe66d689aea20f7e35957
	* cipher/ecc.c (check_secret_key): Restructure for easier allocation
	tracking.  Fix memory leak.

2012-11-05  Werner Koch  <wk@gnupg.org>

	Prepare for a backported interface in 1.5.1.
	+ commit 7af98ef78d45e813f47ae4e180a02757a379953f
	* configure.ac: Bump LT version at C20/A0/R0 to adjust for a planned
	API update in 1.5.1.

	Adjust for stricter autoconf requirements.
	+ commit 1241fbbc896e9bbad68f1007a17b20493f6cd1af
	* configure.ac: Fix usage of AC_LANG_PROGRAM.

	Update build helper scripts.
	+ commit a5c4d45e8d12737cd21b095c81da5c18e2afc39e
	* config.guess, config.sub: Update to version 2012-07-31.
	* ltmain.sh: Update to version 2.4.2.
	* install-sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4
	* m4/lt~obsolete.m4: Update to autoconf 2.69 versions.

	Do not distribute a copy of gitlog-to-changelog.
	+ commit 40976d7da5420453bf93a9c99f0cc4c7044d0774
	* Makefile.am (GITLOG_TO_CHANGELOG): New.
	(gen-ChangeLog): Require an installed gitlog-to-changelog.
	* scripts/gitlog-to-changelog: Remove.

	* README.SVN: Remove.
	* REMOVE.GIT: New.

	Allow building with w64-mingw32.
	+ commit 4f6fb150558d0ed250bfbd50352c258a4456ba50
	* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain.  Also
	prepare for 64 bit building.
	<git-setup>: Remove option -c from chmod.

	Switch to the new automagic beta numbering scheme.
	+ commit 7d5195be76d9dd4adc28976ad153e8f7761c5855
	* configure.ac: Add all the required m4 magic.

	Avoid dereferencing pointer right after the end.
	+ commit 79502e2c1982047dcf2b776f52826f38bbd9b1fe
	* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.

2012-10-30  Werner Koch  <wk@gnupg.org>

	Make ancient test program useful again.
	+ commit 66adf76e634423bb72ce1f0b5ed78f4e4798f190
	* tests/testapi.c (test_sexp): Adjust to current API.  Print the
	return code.  Mark unused args.
	(test_genkey): Mark unused args.
	(main): Do not pass NULL to printf.

	tests: Add ECC key generation tests.
	+ commit c13164884ade6b1e945cddacce2d244fd881de6b
	* tests/keygen.c (check_generated_ecc_key): New.
	(check_ecc_keys): New.
	(main): Call simple ECC checks.

2012-10-30  Milan Broz  <mbroz@redhat.com>

	PBKDF2: Allow empty passphrase.
	+ commit 8528f1ba40e587dc17e02822e529fbd7ac69a189
	* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
	* tests/t-kdf.c (check_pbkdf2): Add test case for above.

2012-08-16  Xi Wang  <xi.wang@gmail.com>

	Replace deliberate division by zero with _gcry_divide_by_zero.
	+ commit 2c54c4da19d3a79e9f749740828026dd41f0521a
	* mpi/mpi-pow.c: Replace 1 / msize.
	* mpi/mpih-div.c: Replace 1 / dsize.
	* src/misc.c: Add _gcry_divide_by_zero.

2012-06-21  Werner Koch  <wk@gnupg.org>

	Clear AESNI feature flag for x86_64.
	+ commit 2196728e2252917849c1be94417258076767021b
	* src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Clear
	AESNI feature flag.

	Beautify last change.
	+ commit 20e423212c9710ee663e12dd0f62580ceb245a6f
	* cipher/rijndael.c: Replace C99 feature from last patch.  Keep cpp
	lines short.
	* random/rndhw.c: Keep cpp lines short.
	* src/hwfeatures.c (_gcry_detect_hw_features): Make cpp def chain
	better readable.

2012-06-21  Rafaël Carré  <funman@videolan.org>

	Enable VIA Padlock on x86_64 platforms.
	+ commit baf0dc7e9c26167ab43ba2adebcf2f1abc9d9b3b
	  * cipher/rijndael.c: Duplicate x86 assembly and convert to x86_64.
	  * random/rndhw.c: Likewise.
	  * src/hwfeatures.c: Likewise.

2012-05-14  Werner Koch  <wk@gnupg.org>

	Add curve aliases from RFC-5656.
	+ commit 39c123b729a472ace039f8536d07f8b9a5f4675a
	* cipher/ecc.c (curve_aliases): Add "nistp???" entries.

2012-04-16  Werner Koch  <wk@gnupg.org>

	State new contribution rules.
	+ commit 3bb858551cd5d84e43b800edfa2b07d1529718a9
	* doc/DCO: New.
	* doc/HACKING: Document new rules.

2012-04-04  Tomas Mraz  <tmraz@fedoraproject.org>

	Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command.
	+ commit 90e49a11733bfba9c3c505ac487282d35757f682
	* doc/gcrypt.texi: Add documentation of the new command.
	* src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode
	only when fips mode is enabled.
	(_gcry_set_enforced_fips_mode): New function.
	* src/g10lib.h: Add the _gcry_set_enforced_fips_mode prototype.
	* src/gcrypt.h.in: Add the GCRYCTL_SET_ENFORCED_FIPS_FLAG.
	* src/global.c (_gcry_vcontrol): Handle the new command.

2012-02-17  Ulrich Müller  <ulm@gentoo.org>

	Rework selftest in idea.c.
	+ commit 70cca617ed75ea292e1fed769114dda5cc1d76f1
	* cipher/idea.c (do_setkey): Execute selftest when first called.
	(decrypt_block): Remove commented-out code.
	(selftest): Execute all selftests. Return NULL on success, or
	string in case of error.

2012-02-16  Werner Koch  <wk@gnupg.org>

	Fix missing prototype.
	+ commit 46035d28c9b413851d43a4008fdc8e4cdf5d686b
	* src/g10lib.h (_gcry_secmem_module_init): Make it a real prototype.

2012-02-16  Ulrich Müller  <ulm@gentoo.org>

	Add support for the IDEA cipher.
	+ commit 318fd85f377c060908d371f792d41e599b3b7483
	Adapt idea.c to the Libgcrypt framework.
	Add IDEA to cipher_table and to the build system.

	Patents on IDEA have expired:
	  Europe: EP0482154 on 2011-05-16,
	  Japan:  JP3225440 on 2011-05-16,
	  U.S.:   5,214,703 on 2012-01-07.

	* configure.ac: Add idea to the list of available ciphers.
	Define USE_IDEA if idea is enabled.
	* cipher/cipher.c (cipher_table): Add entry for IDEA.
	* cipher/idea.c: Update comment about patents.
	Include proper header files and remove redundant declarations.
	(expand_key, cipher, do_setkey, encrypt_block, decrypt_block):
	Define function arguments as const where appropriate.
	(cipher): Test for !WORDS_BIGENDIAN instead of LITTLE_ENDIAN_HOST.
	(do_setkey, decrypt_block): Don't call selftest.
	(idea_setkey): New function, wrapper for do_setkey.
	(idea_encrypt): New function, wrapper for encrypt_block.
	(_gcry_cipher_spec_idea): Define.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add idea.c.
	* src/cipher.h (_gcry_cipher_spec_idea): Declare.
	* tests/basic.c (check_ciphers): Add GCRY_CIPHER_IDEA.

2012-01-09  Werner Koch  <wk@gnupg.org>

	Include an IDEA implementation.
	+ commit 6078b05f5340d886e0b9e6cee1d9b5043e0cb210
	The code is the old IDEA test code, written by me back in 1997 and
	distributed on a Danish FTP server.  This commit is only for
	reference.  To use the code it has to be adjusted to the Libgcrypt
	framework.

2012-01-03  Marcus Brinkmann  <marcus.brinkmann@ruhr-uni-bochum.de>

	Fix pthread locking and remove defunctional support for static lock init.
	+ commit 38fcd59ce774eaa3d65f2f7534c989afd860eb56
	* src/ath.c: Include assert.h.
	(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Dereference LOCK.
	* src/g10lib.h (_gcry_secmem_module_init): New declaration.
	* src/global.c (global_init): Call _gcry_secmem_module_init.
	* src/secmem.c (_gcry_secmem_module_init): New function.

2011-12-16  Werner Koch  <wk@gnupg.org>

	Add alignment tests for the cipher tests.
	+ commit 14cf1f7e338fedb8edaff5631441746605152bd6
	* tests/basic.c (check_one_cipher): Factor most code out to
	check_one_cipher_core.  Call that core function several times using
	different alignment settings.
	(check_one_cipher_core): New.  Add extra args to allow alignment
	testing.

2011-12-07  Werner Koch  <wk@gnupg.org>

	tests/prime: Add option to create a well known private key.
	+ commit 16f5654643d584e3bc739b636752d779176b2191
	* tests/prime.c (print_mpi, create_42prime): New.
	(main): Add option --42.

2011-12-01  Werner Koch  <wk@gnupg.org>

	Do not build the random-daemon by make distcheck.
	+ commit ea1fb538d99f1ec093f2fef86f4f29176ec27826
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Disable building of the
	random daemon

	Generate the ChangeLog from commit logs.
	+ commit 137d73191c904926ba529376144ee8239af4ca02
	* scripts/gitlog-to-changelog: New script.  Taken from gnulib.
	* scripts/git-log-fix: New file.
	* scripts/git-log-footer: New file.
	* doc/HACKING: Describe the ChangeLog policy
	* ChangeLog: New file.
	* Makefile.am (EXTRA_DIST): Add new files.
	(gen-ChangeLog): New.
	(dist-hook): Run gen-ChangeLog.

	Rename all ChangeLog files to ChangeLog-2011.

2011-12-01  Werner Koch  <wk@gnupg.org>

	NB: Changes done before December 1st, 2011 are described in
	per directory files named ChangeLog-2011.  See doc/HACKING for
	details.

        -----
	Copyright (C) 2011 Free Software Foundation, Inc.

	Copying and distribution of this file and/or the original GIT
	commit log messages, with or without modification, are
	permitted provided the copyright notice and this notice are
	preserved.