2023-06-01  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.9.1.

2023-05-26  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.9.1.
	(LIBNETTLE_MINOR): Bump minor number, to 8.8.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.8.

2023-05-19  Niels Möller  <nisse@lysator.liu.se>

	From Jussi Kivilinna:
	* ocb.c (ocb_crypt_n): Fix broken loop logic.
	* testsuite/ocb-test.c (test_main): Add test vector from libgcrypt,
	with larger message, to exercise above loop.

2023-05-16  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/ghash-update.asm: Use separate unaligned load
	instructions (movups) to load the tabulated values, since they are
	only 8-byte aligned and pand memory operands require 16-byte
	alignment.

2023-05-15  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (output_bignum_redc): Add missing mpz_clear, reported
	by Noah Watkins.
	(output_digits): Delete a gratuitous mpz_init.

2023-05-14  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.9.

2023-05-12  Niels Möller  <nisse@lysator.liu.se>

	* texinfo.tex: Delete unused file.

	Copy files from https://git.savannah.gnu.org/cgit/gnulib.git/plain/build-aux/
	* install-sh: Update to 2020-11-14.01 version.
	* config.guess: Update to 2023-01-01 version.
	* config.sub: Update to 2023-01-21 version.

2023-05-10  Niels Möller  <nisse@lysator.liu.se>

	Fix compile error in --disable-public-key configuration.
	* testsuite/sha1-test.c: Add missing include of sha1.h.
	* testsuite/sha256-test.c: Add missing include of sha2.h.

2023-05-07  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.9.
	(LIBNETTLE_MINOR): Bump minor number, to 8.7 (8.6 was used for
	Nettle-3.8.1).
	(LIBHOGWEED_MINOR): Bump minor number, to 6.7.

2023-04-25  Niels Möller  <nisse@lysator.liu.se>

	Rework tests of SIV message functions.
	* testsuite/siv-gcm-test.c (nettle_encrypt_message_func)
	(nettle_decrypt_message_func): Delete typedefs.
	(test_compare_results, test_cipher_siv_gcm): Delete functions.
	(test_siv_gcm_aes128, test_siv_gcm_aes256): Delete macros.
	(siv_gcm_aes128, siv_gcm_aes256): New algorithm structs.
	(test_main): Use test_aead_message.

	* testsuite/siv-cmac-test.c (nettle_encrypt_message_func)
	(nettle_decrypt_message_func): Delete typedefs.
	(test_compare_results, test_cipher_siv): Delete functions.
	(test_siv_aes128, test_siv_aes256): Delete macros.
	(siv_cmac_aes128, siv_cmac_aes256): New algorithm structs.
	(test_main): Use test_aead_message.

2023-04-24  Niels Möller  <nisse@lysator.liu.se>

	Rework tests of OCB message functions.
	* testsuite/testutils.c (test_aead_message): New function, for
	testing AEAD message functions.
	* testsuite/testutils.h (nettle_encrypt_message_func)
	(nettle_decrypt_message_func): New typedefs.
	(struct nettle_aead_message): New struct.
	* testsuite/ocb-test.c (nettle_encrypt_message_func)
	(nettle_decrypt_message_func): Deleted typedefs.
	(test_compare_results): Deleted function.
	(test_ocb_aes128): Deleted macro.
	(struct ocb_aes128_message_key): New struct.
	(ocb_aes128_set_encrypt_key_wrapper)
	(ocb_aes128_set_decrypt_key_wrapper)
	(ocb_aes128_encrypt_message_wrapper)
	(ocb_aes128_decrypt_message_wrapper): New wrapper functions, using
	above ocb_aes128_message_key for both encrypt and decrypt, and a
	fixed tag length of 16 octets.
	(ocb_aes128_message): New algorithm struct, with above wrappers.
	(test_main): Use test_aead_message.

2023-04-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/siv-cmac-test.c: Renamed file, from...
	* testsuite/siv-test.c: ... old name.

2023-04-13  Niels Möller  <nisse@lysator.liu.se>

	* ghash-update.c (gcm_gf_mul): Rewrite to avoid side-channel
	leakage. Now processes the message bits one at a time, using
	tabulated values of the key premultiplied by appropriate powers of
	x, so that the table is accessed in a fixed sequential order.
	Performance penalty, on x86_64, is roughly 3 times.
	(shift_table): Deleted table.
	(gcm_gf_shift_8): Deleted function.
	* ghash-set-key.c (_ghash_set_key): Rewrite table generation.
	* gcmdata.c: Deleted.
	* Makefile.in: Delete references to gcmdata.

	* x86_64/ghash-update.asm: Rewritten, similar side-channel silent
	method as the C implementation, with same table layout, but using
	sse2 instructions.

	* testsuite/gcm-test.c (test_ghash_internal): Add valgrind
	annotations, to verify that the ghash implementation makes no
	data-dependent branches or memory accesses.

	* examples/nettle-benchmark.c (bench_ghash_update): New function.
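
The side-channel silent GHASH described in the entry above, as an added example in C. This is illustration code, not Nettle's own: the names ghash_set_key, ghash_mul_ct and ghash_update, the 128-entry table layout t[i] = H * x^i and the order in which entries are read are assumptions made for the example, not necessarily Nettle's actual layout. The SP 800-38D reference multiply, with its secret-dependent branch, is kept for comparison, and the result is checked against test case 2 of the GCM specification and against the reference on constructed xorshift64 inputs.

```c
#include <stdint.h>
#include <stddef.h>

/* GF(2^128) element in GCM's reflected bit order: hi = bytes 0..7 (bit 63
   of hi is the coefficient of x^0), lo = bytes 8..15. */
typedef struct { uint64_t hi, lo; } gf128;
static int gf_eq(gf128 a, gf128 b) { return a.hi == b.hi && a.lo == b.lo; }

static gf128 gf_load(const uint8_t b[16])
{
  gf128 r = {0, 0};
  for (int i = 0; i < 8; i++) { r.hi = (r.hi << 8) | b[i]; r.lo = (r.lo << 8) | b[8 + i]; }
  return r;
}

/* v * x: shift right; if x^127 was set, reduce by x^128 = x^7+x^2+x+1 (0xE1 in byte 0). */
static gf128 gf_mul_x(gf128 v)
{
  uint64_t mask = 0 - (v.lo & 1);
  gf128 r = { (v.hi >> 1) ^ (mask & 0xE100000000000000ULL), (v.lo >> 1) | (v.hi << 63) };
  return r;
}

/* Coefficient of x^i in v; i is a loop counter, never secret data. */
static uint64_t gf_bit(gf128 v, int i)
{
  return i < 64 ? (v.hi >> (63 - i)) & 1 : (v.lo >> (127 - i)) & 1;
}

/* Reference multiply (SP 800-38D, Algorithm 1), kept for comparison: the XOR
   runs only when a bit of x is set, a secret-dependent branch. */
static gf128 gf_mul_ref(gf128 x, gf128 y)
{
  gf128 z = {0, 0};
  for (int i = 0; i < 128; i++, y = gf_mul_x(y))
    if (gf_bit(x, i)) { z.hi ^= y.hi; z.lo ^= y.lo; }
  return z;
}

/* Key table t[i] = H * x^i (layout assumed for this example), built once per key. */
typedef struct { gf128 t[128]; } ghash_key;
static void ghash_set_key(ghash_key *k, gf128 h)
{
  for (int i = 0; i < 128; i++, h = gf_mul_x(h)) k->t[i] = h;
}

/* Side-channel silent multiply: x * H = XOR of H * x^i over the set bits x_i.
   Every entry is read exactly once, in index order, and the message bit only
   selects an all-ones/all-zeros mask, so no branch or address depends on data. */
static gf128 ghash_mul_ct(const ghash_key *k, gf128 x)
{
  gf128 z = {0, 0};
  for (int i = 0; i < 128; i++) {
    uint64_t mask = 0 - gf_bit(x, i);
    z.hi ^= k->t[i].hi & mask;
    z.lo ^= k->t[i].lo & mask;
  }
  return z;
}

/* GHASH over whole blocks: y = (y XOR block) * H for each block. */
static gf128 ghash_update(const ghash_key *k, gf128 y, const uint8_t *data, size_t nblocks)
{
  for (size_t n = 0; n < nblocks; n++) {
    gf128 b = gf_load(data + 16 * n);
    y.hi ^= b.hi; y.lo ^= b.lo;
    y = ghash_mul_ct(k, y);
  }
  return y;
}

/* GCM specification test case 2 (K = 0, IV = 0, one zero plaintext block): the
   GHASH input is the ciphertext block followed by len(A) || len(C) = 0 || 128. */
static const uint8_t TC2_H[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
static const uint8_t TC2_IN[32] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x80};
static const uint8_t TC2_OUT[16] = {0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85};

static int ghash_nist_case2(void)   /* 1 if the table method reproduces the vector */
{
  gf128 zero = {0, 0};
  ghash_key k;
  ghash_set_key(&k, gf_load(TC2_H));
  return gf_eq(ghash_update(&k, zero, TC2_IN, 2), gf_load(TC2_OUT));
}

static uint64_t xorshift64(uint64_t *s) { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s; }
static int ghash_selfcheck(void)   /* 1 if table method == reference on 200 constructed inputs */
{
  uint64_t s = 0x9E3779B97F4A7C15ULL;
  for (int n = 0; n < 200; n++) {
    gf128 x, y; ghash_key k;
    x.hi = xorshift64(&s); x.lo = xorshift64(&s);
    y.hi = xorshift64(&s); y.lo = xorshift64(&s);
    ghash_set_key(&k, y);
    if (!gf_eq(ghash_mul_ct(&k, x), gf_mul_ref(x, y))) return 0;
  }
  return 1;
}
```

Both ghash_nist_case2() and ghash_selfcheck() return 1. In ghash_mul_ct the loop counter, and therefore every table address, is public; the only data-dependent work is forming the mask and the XOR. That is the property the valgrind annotations mentioned above check for, since memcheck flags any conditional jump or load address that depends on memory marked undefined. The cost is that all 128 entries are touched for every block, where the previous byte-indexed (GCM_TABLE_BITS == 8) table needed one lookup per message byte, which is consistent with the roughly threefold penalty quoted above.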

2023-04-03  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* x86_64/pclmul/ghash-update.asm: New loop to process two blocks
	at a time.
	* x86_64/pclmul/ghash-set-key.asm: Likewise.

2023-03-25  Niels Möller  <nisse@lysator.liu.se>

	* ocb.h (OCB_MAX_NONCE_SIZE): New constant.

2023-02-16  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha256-compress-n.asm: Fix incorrect w64 setup. Report
	and fix from Gisle Vanem.

2023-02-08  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Benchmark ocb_aes128.

2023-02-07  Niels Möller  <nisse@lysator.liu.se>

	Implement OCB mode. RFC 7253.
	* block-internal.h (block16_set): New function.

	* ocb.c (ocb_set_key, ocb_set_nonce, ocb_update, ocb_encrypt)
	(ocb_decrypt, ocb_encrypt_message, ocb_decrypt_message): New
	public functions.
	(MEM_ROTATE_RIGHT, MEM_MASK): New macros.
	(extract, update_offset, pad_block, ocb_fill_n, ocb_crypt_n)
	(ocb_checksum_n): New helper functions.
	* ocb-aes128.c (ocb_aes128_set_encrypt_key)
	(ocb_aes128_set_decrypt_key, ocb_aes128_set_nonce)
	(ocb_aes128_update, ocb_aes128_encrypt, ocb_aes128_decrypt)
	(ocb_aes128_digest, ocb_aes128_encrypt_message)
	(ocb_aes128_decrypt_message): New file, new functions.
	* ocb.h: Declare ocb functions.
	(struct ocb_key): New struct.
	(struct ocb_ctx): New struct.
	(struct ocb_aes128_encrypt_key): New struct.
	* Makefile.in (nettle_SOURCES): Add ocb.c ocb-aes128.c.
	(HEADERS): Add ocb.h.

	* nettle-internal.c (nettle_ocb_aes128)
	(ocb_aes128_set_encrypt_key_wrapper)
	(ocb_aes128_set_decrypt_key_wrapper)
	(ocb_aes128_set_nonce_wrapper, ocb_aes128_update_wrapper)
	(ocb_aes128_encrypt_wrapper, ocb_aes128_decrypt_wrapper)
	(ocb_aes128_digest_wrapper): New aead algorithm, and
	related wrapper functions.
	* nettle-internal.h (OCB_NONCE_SIZE): New constant.
	(struct ocb_aes128_ctx): New struct.

	* testsuite/ocb-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add ocb-test.c.

2023-02-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_aead): Always use set_nonce function
	pointer if non-NULL, test varying alignment, output the unexpected
	data when test fails.

2022-12-05  Niels Möller  <nisse@lysator.liu.se>

	* xts-aes128.c (xts_aes128_encrypt_message)
	(xts_aes128_decrypt_message): const-declare the xts_key argument.
	* xts-aes256.c (xts_aes256_encrypt_message)
	(xts_aes256_decrypt_message): Likewise.

2022-11-09  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* powerpc64/p9/poly1305-blocks.asm: New file, multi-block radix
	2^44 implementation. Benchmarked to give a speedup of 3.2 times on
	Power9.
	* powerpc64/p9/poly1305.m4 (DEFINES_BLOCK_R64, BLOCK_R64): New
	file, new macros.
	* powerpc64/p9/poly1305-internal.asm: Use BLOCK_R64 macro.
	* powerpc64/machine.m4 (INC_GPR, INC_VR): New macros.
	* powerpc64/fat/poly1305-blocks.asm: New file.
	* poly1305-update.c: Check HAVE_NATIVE_fat_poly1305_blocks, and
	define _nettle_poly1305_blocks_c when needed.
	* fat-ppc.c: Fat setup for _nettle_poly1305_blocks.

2022-11-07  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ASM_FLAGS): New configure environment variable.
	* aclocal.m4 (GMP_TRY_ASSEMBLE): Use $ASM_FLAGS.
	* config.make.in (ASM_FLAGS): Add substitution.
	* Makefile.in: Use $(ASM_FLAGS) when compiling .asm files.

2022-10-31  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (asm_file_list): Add HAVE_NATIVE_poly1305_blocks.
	(asm_nettle_optional_list): Add poly1305-blocks.asm.
	* x86_64/poly1305-blocks.asm: New file.

	* md-internal.h (MD_FILL_OR_RETURN_INDEX): New macro.
	* poly1305-update.c (_nettle_poly1305_update): New file and
	function.
	* poly1305-internal.h: Declare _nettle_poly1305_blocks and
	_nettle_poly1305_update.
	* chacha-poly1305.c (poly1305_update): Use _nettle_poly1305_update.
	* poly1305-aes.c (poly1305_aes_update): Likewise.
	* Makefile.in (nettle_SOURCES): Add poly1305-update.c.

2022-10-13  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpn_sec_tabselect) [NETTLE_USE_MINI_GMP]: Add back
	here, to support mini-gmp builds. Updated signature to be
	compatible with the gmp version.
	* gmp-glue.h: Add declaration.

2022-10-11  Niels Möller  <nisse@lysator.liu.se>

	* sec-tabselect.c (sec_tabselect): Delete file and function. All
	callers updated to use gmp's mpn_sec_tabselect instead, which is
	implemented in assembly on many platforms.

2022-10-02  Niels Möller  <nisse@lysator.liu.se>

	* examples/ecc-benchmark.c (bench_curve): Add benchmarking of
	modulo q inversion.

2022-09-29  Niels Möller  <nisse@lysator.liu.se>

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Call ecc_mul_g and
	ecc_mul_a directly, not via function pointers.
	(ecc_ecdsa_verify_itch): Use ECC_MUL_A_ITCH rather than
	ecc->mul_itch.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify_itch)
	(ecc_gostdsa_verify): Analogous changes.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Call ecc_mul_g and ecc_j_to_a
	directly, not via function pointers.
	(ecc_ecdsa_sign_itch): Use ECC_MUL_G_ITCH rather than
	ecc->mul_g_itch.
	* ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
	Analogous changes.

2022-09-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/meta-hash-test.c (test_main): Add check of
	NETTLE_MAX_HASH_BLOCK_SIZE.
	* nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE): Increase to 144,
	to accommodate sha3_224.
	* testsuite/meta-cipher-test.c (test_main): Check that cipher
	metadata doesn't exceed NETTLE_MAX_CIPHER_BLOCK_SIZE or
	NETTLE_MAX_CIPHER_KEY_SIZE.

	From Daiki Ueno:
	* siv-gcm.c (siv_gcm_encrypt_message, siv_gcm_decrypt_message):
	New file, implementation of SIV-GCM.
	* siv-gcm.h (SIV_GCM_BLOCK_SIZE, SIV_GCM_DIGEST_SIZE)
	(SIV_GCM_NONCE_SIZE): New header file, new constants and
	declarations.
	* siv-gcm-aes128.c (siv_gcm_aes128_encrypt_message)
	(siv_gcm_aes128_decrypt_message): New file and functions.
	* siv-gcm-aes256.c (siv_gcm_aes256_encrypt_message)
	(siv_gcm_aes256_decrypt_message): Likewise.
	* siv-ghash-set-key.c (_siv_ghash_set_key): New file, new internal
	function.
	* siv-ghash-update.c (_siv_ghash_update): Likewise.
	* block-internal.h (block16_bswap): New inline function.
	* bswap-internal.h (bswap64_if_be): New macro.
	* nettle-internal.h (NETTLE_MAX_CIPHER_KEY_SIZE): New constant.
	* Makefile.in (nettle_SOURCES): Add new source files.
	(HEADERS): Add siv-gcm.h.
	* testsuite/siv-gcm-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add siv-gcm-test.c.
	* nettle.texinfo (SIV-GCM): Documentation.

	From Zoltan Fridrich:
	* balloon.c (balloon, balloon_itch): Implementation of balloon
	password hash.
	* balloon.h: New header file.
	* balloon-sha1.c (balloon_sha1): New file and function.
	* balloon-sha256.c (balloon_sha256): Likewise.
	* balloon-sha384.c (balloon_sha384): Likewise.
	* balloon-sha512.c (balloon_sha512): Likewise.
	* Makefile.in (nettle_SOURCES): Add balloon source files.
	(HEADERS): Add balloon.h.
	* testsuite/balloon-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add balloon-test.c.

2022-09-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-nonsec-add-jjj.c (ecc_nonsec_add_jjj): New file and
	function.
	* ecc-internal.h: Declare it.
	* Makefile.in (hogweed_SOURCES): Add ecc-nonsec-add-jjj.c.
	* testsuite/ecc-add-test.c (test_main): Add tests for
	ecc_nonsec_add_jjj.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj,
	to produce correct result in a corner case where point addition
	needs to use point duplication. Also use ecc_j_to_a rather than
	ecc->h_to_a, since ecdsa supports only weierstrass curves.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change.

	* testsuite/ecdsa-verify-test.c (test_main): Add corresponding test.
	* testsuite/ecdsa-sign-test.c (test_main): And a test producing
	the problematic signature.

2022-09-08  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (string_toupper): New utility function.
	(output_modulo): Move more of the per-modulo output here.
	(output_curve): Remove corresponding code.

2022-08-31  Niels Möller  <nisse@lysator.liu.se>

	* bswap-internal.h (nettle_bswap64, nettle_bswap32)
	(bswap64_if_le): New header file, new inline functions/macros.
	* gcm.c (gcm_hash_sizes): Use bswap64_if_le, and bswap-internal.h,
	replacing local definition of bswap_if_le.
	* nist-keywrap.c (nist_keywrap16): Likewise.
	* blowfish-bcrypt.c (swap32): Renamed function, to...
	(bswap32_if_le): ...new name, rewritten to use nettle_bswap32.
	Update call sites.
	* Makefile.in (DISTFILES): Add bswap-internal.h.

2022-08-18  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (HEADERS): Add sm4.h.

	From Tianjia Zhang: SM4 block cipher.
	* sm4.c: New file.
	* sm4.h: New file.
	* sm4-meta.c: New file.
	* gcm-sm4.c: New file
	* gcm-sm4-meta.c: New file.
	* nettle.texinfo: Document SM4.
	* testsuite/gcm-test.c (test_main): Add SM4 tests.
	* testsuite/sm4-test.c: New file.

	* configure.ac (ABI): Change mips abi check to apply only to mips64.

2022-08-17  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (mpz_urandomm) [NETTLE_USE_MINI_GMP]: New
	fallback definition when building with mini-gmp.

2022-08-16  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_sub): Ensure that if inputs are in the
	range 0 <= a, b < 2m, then output is in the same range.
	* eccdata.c (output_curve): New outputs ecc_Bm2p and ecc_Bm2q.
	* ecc-internal.h (struct ecc_modulo): New member Bm2m (B^size -
	2m), needed by ecc_mod_sub. Update all curves.
	* testsuite/ecc-mod-arith-test.c: New tests for ecc_mod_add and
	ecc_mod_sub.

	* eccdata.c (output_modulo): Output the limb size, delete return
	value.
	(output_curve): Update calls to output_modulo, other minor cleanup.

2022-08-07  Niels Möller  <nisse@lysator.liu.se>

	Delete all arcfour assembly code.
	* arcfour.c (arcfour_crypt): Moved function here, from...
	* arcfour-crypt.c: ... deleted file.
	* sparc32/arcfour-crypt.asm: Deleted.
	* sparc64/arcfour-crypt.asm: Deleted.
	* x86/arcfour-crypt.asm: Deleted.
	* asm.m4: Delete arcfour structure offsets.

2022-08-07  Niels Möller  <nisse@lysator.liu.se>

	Based on patch from Corentin Labbe:
	* nettle.texinfo: Document sha256_compress, sha512_compress,
	md5_compress and sha1_compress.

	* configure.ac: Refer to nettle-types.h, rather than arcfour.c,
	for AC_CONFIG_SRCDIR.

2022-08-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.h: Include stdlib.h, fix alloca warnings on BSD.
	* hmac.c: Delete corresponding include here, no longer needed.

	* getopt.c: Include stdlib.h and unistd.h unconditionally,
	similarly to the gnulib version of this file.

2022-08-04  Niels Möller  <nisse@lysator.liu.se>

	From Brad Smith:
	* configure.ac: Fix 64-bit MIPS ABI check for other OS's
	like *BSD / Linux.
	* aclocal.m4 (LSH_CCPIC): Use proper PIC flag for *BSD OS's.
	* blowfish-bcrypt.c (swap32): Eliminate conflict with OpenBSD's
	swap32 macro.

2022-07-29  Niels Möller  <nisse@lysator.liu.se>

	* s390x/msa_x1/sha256-compress-n.asm: New file, replacing...
	* s390x/msa_x1/sha256-compress.asm: ...deleted file.
	* s390x/fat/sha256-compress-n-2.asm: New file, replacing...
	* s390x/fat/sha256-compress-2.asm: ...deleted file.
	* fat-s390x.c: Update fat setup.

2022-07-26  Niels Möller  <nisse@lysator.liu.se>

	* arm/v6/sha256-compress-n.asm: New file, replacing...
	* arm/v6/sha256-compress.asm: ...deleted file.
	* arm/fat/sha256-compress-n-2.asm: New file, replacing...
	* arm/fat/sha256-compress-2.asm: ...deleted file.
	* fat-arm.c: Update fat setup.

2022-07-11  Niels Möller  <nisse@lysator.liu.se>

	* arm64/crypto/sha256-compress-n.asm: New file, replacing...
	* arm64/crypto/sha256-compress.asm: ...deleted file.
	* arm64/fat/sha256-compress-n-2.asm: New file, replacing...
	* arm64/fat/sha256-compress-2.asm: ...deleted file.
	* fat-arm64.c: Update fat setup.

2022-07-05  Niels Möller  <nisse@lysator.liu.se>

	* md-internal.h (MD_FILL_OR_RETURN): New file, new macro.
	* sha256-compress-n.c (_nettle_sha256_compress_n): New file and
	function, replacing...
	* sha256-compress.c (_nettle_sha256_compress): ...deleted file and
	function.
	* sha2-internal.h (_nettle_sha256_compress_n): Declare new function.
	* sha256.c (sha256_compress): Update to use
	_nettle_sha256_compress_n and MD_FILL_OR_RETURN.
	* x86_64/sha256-compress-n.asm: New file, replacing...
	* x86_64/sha256-compress.asm: ...deleted file.
	* x86_64/sha_ni/sha256-compress-n.asm: New file, replacing...
	* x86_64/sha_ni/sha256-compress.asm: ...deleted file.
	* fat-setup.h (sha256_compress_n_func): New typedef, replacing...
	(sha256_compress_func): ... deleted typedef.
	* fat-x86_64.c: Update fat setup.

2022-06-20  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/sha1-test.c (test_sha1_compress): New function.
	(test_main): Add tests for compressing 0, 1 or 2 blocks.
	* testsuite/sha256-test.c (test_sha256_compress): New function.
	(test_main): Add tests for compressing 0, 1 or 2 blocks.

2022-06-12  Niels Möller  <nisse@lysator.liu.se>

	From Christian Weisgerber:
	* fat-arm64.c (get_arm64_features): Enable runtime feature
	detection for openbsd.

2022-06-09  Niels Möller  <nisse@lysator.liu.se>

	* md5.h (md5_compress): New public name for compression function.
	* sha1.h (sha1_compress): Likewise.

	Based on patches from Corentin Labbe:
	* sha2.h: Declare new functions.
	* sha256.c (sha256_compress): New function.
	(COMPRESS): Updated to use sha256_compress.
	(sha256_write_digest): Use sha256_compress directly.
	* sha512.c (sha512_compress): New function.
	(COMPRESS): Updated to use sha512_compress.
	(sha512_write_digest): Use sha512_compress directly.

2022-06-02  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.8.

2022-05-23  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (OPT_SOURCES): Add missing file fat-arm64.c.

	* config.guess: Update to 2022-05-08 version.
	* config.sub: Update to 2022-01-03 version.

2022-05-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.8.
	(LIBNETTLE_MINOR): Bump minor number, to 8.5.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.5.

2022-05-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (CBC): Document cbc_aes128_encrypt,
	cbc_aes192_encrypt and cbc_aes256_encrypt.

2022-04-28  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Copyright): Deleted incomplete and out of date
	list of authors. Replaced by...
	* AUTHORS: New updated list of authors and contributions.

2022-02-23  Niels Möller  <nisse@lysator.liu.se>

	Analogous s390x update, by Mamone Tarsha:
	* fat-s390x.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.
	* s390x/fat/ghash-update-2.asm: New file.
	* s390x/fat/ghash-set-key-2.asm: New file.
	* s390x/fat/gcm-hash.asm: Deleted.
	* s390x/msa_x4/gcm-hash.asm: Deleted, split into two new files...
	* s390x/msa_x4/ghash-update.asm: New file.
	* s390x/msa_x4/ghash-set-key.asm: New file.

2022-02-22  Niels Möller  <nisse@lysator.liu.se>

	* fat-ppc.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.

	* powerpc64/fat/ghash-update-2.asm: New file.
	* powerpc64/fat/ghash-set-key-2.asm: New file.
	* powerpc64/fat/gcm-hash.asm: Deleted.

	* powerpc64/p8/gcm-hash.asm: Deleted, split into two new files...
	* powerpc64/p8/ghash-update.asm: New file.
	* powerpc64/p8/ghash-set-key.asm: New file.

2022-02-21  Niels Möller  <nisse@lysator.liu.se>

	* fat-arm64.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.

	* arm64/fat/ghash-update-2.asm: New file.
	* arm64/fat/ghash-set-key-2.asm: New file.
	* arm64/fat/gcm-hash.asm: Deleted.

	* ghash-update.c (_nettle_ghash_update_c): New name, for fat builds.

	* arm64/crypto/gcm-hash.asm: Deleted, split into two new files...
	* arm64/crypto/ghash-set-key.asm: New file.
	* arm64/crypto/ghash-update.asm: New file.

2022-02-19  Niels Möller  <nisse@lysator.liu.se>

	* fat-x86_64.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.
	* fat-setup.h (ghash_set_key_func, ghash_update_func): New
	typedefs.
	(gcm_init_key_func, gcm_hash_func): Deleted typedefs.
	* x86_64/fat/ghash-update.asm: New file.
	* x86_64/fat/ghash-update-2.asm: New file.
	* x86_64/fat/ghash-set-key-2.asm: New file.
	* x86_64/fat/gcm-hash.asm: Deleted.
	* ghash-set-key.c (_nettle_ghash_set_key_c): New name, for fat
	builds.
	* configure.ac (asm_nettle_optional_list): Add ghash-set-key-2.asm
	ghash-update-2.asm.

	* ghash-set-key.c (_ghash_digest): Deleted, and also deleted
	assembly implementations.
	* gcm.c (gcm_digest): Replace call to _ghash_digest with block16_xor.

	* x86_64/pclmul/gcm-hash.asm: Deleted, split into two new files...
	* x86_64/pclmul/ghash-set-key.asm: New file.
	* x86_64/pclmul/ghash-update.asm: New file.

	* configure.ac (asm_replace_list): Add ghash-set-key.asm ghash-update.asm.
	(asm_nettle_optional_list): Delete gcm-hash.asm gcm-hash8.asm.
	* x86_64/ghash-update.asm: New file, based on old gcm-hash8.asm,
	but without any handling of partial blocks.
	* x86_64/gcm-hash8.asm: Deleted.

	* ghash-set-key.c (_ghash_digest): Moved function from...
	* ghash-update.c (_ghash_digest): ...old location.

2022-02-18  Niels Möller  <nisse@lysator.liu.se>

	* block-internal.h (block16_zero): New function.

	* ghash-internal.h: New file, declaring new internal ghash interface.
	* gcm-internal.h: Deleted file.
	* ghash-update.c (gcm_gf_shift_8): Moved here (from gcm.c)
	(gcm_gf_mul): Likewise.
	(_ghash_update): New function, extracted from _nettle_gcm_hash_c.
	(_ghash_digest): New function.
	* ghash-set-key.c (_ghash_set_key): New file and function.
	Extracted from _nettle_gcm_init_key_c and _nettle_gcm_set_key.

	* gcm.c (INC32): Deleted macro, used in only one place.
	(gcm_set_key): Update to use _ghash_set_key.
	(gcm_hash): Renamed, was _gcm_hash, and implemented in terms of
	_ghash_update.
	(bswap_if_le): New function (copied from nist-keywrap.c).
	(gcm_hash_sizes): Use bswap_if_le and _ghash_update.
	(gcm_set_iv): Updated to use gcm_hash and block16_zero.
	(gcm_digest): Use _ghash_digest.

	* testsuite/gcm-test.c (test_ghash_internal): Updated to use
	_ghash_set_key and _ghash_update.

	* Makefile.in (nettle_SOURCES): Add ghash-set-key.c ghash-update.c.
	(DISTFILES): Replaced gcm-internal.h with ghash-internal.h.

2022-02-17  Niels Möller  <nisse@lysator.liu.se>

	* gcm.c: Require that GCM_TABLE_BITS == 8. Delete old code for
	GCM_TABLE_BITS == 0 and GCM_TABLE_BITS == 4.
	* gcm-internal.h: Delete checks for GCM_TABLE_BITS != 8.
	* fat-x86_64.c: Likewise.
	* fat-s390x.c: Likewise.
	* fat-ppc.c: Likewise.
	* fat-arm64.c: Likewise.

2022-02-15  Niels Möller  <nisse@lysator.liu.se>

	* fat-x86_64.c: Add fat setup for gcm.
	* x86_64/fat/gcm-hash.asm: New file.

	* Makefile.in (distdir): Add x86_64/pclmul directory.
	* configure.ac: New configure option --enable-x86-pclmul.
	(asm_path): Add x86_64/pclmul, if above option is set.
	* x86_64/pclmul/gcm-hash.asm: New file, initial implementation of
	GCM using the pclmulqdq instructions.

2022-02-08  Niels Möller  <nisse@lysator.liu.se>

	* gcm-internal.h (_gcm_hash): Arrange so that this is an alias for
	the appropriate implementation. Updated all users.
	* gcm.c (_nettle_gcm_set_key): New internal function, intended to
	make tests of internal ghash functions easier.
	(gcm_set_key): Use it.
	* testsuite/gcm-test.c (test_ghash_internal): New function.
	(test_main): Add tests of internal ghash functions, with keys
	corresponding to various single-bit polynomials.

2022-01-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/poly1305-test.c (poly1305_internal): Renamed function,
	was test_poly1305_internal.
	(test_poly1305_internal): New helper function.
	(test_fixed): New function, to test internal functions with fixed
	test inputs.
	(test_random): Use test_poly1305_internal.
	(test_main): Call test_fixed.

	* misc/poly1305-gen-example.pike: Program to generate poly1305
	inputs with a given digest.

2022-01-27  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/poly1305-internal.asm: Rewrote. Rearrange folding, so
	that all the multiply instructions needed to process a block are
	independent of each other. Measured speedup of 16% on AMD zen2 and
	28% on Intel broadwell, and expected to be generally faster.
	* asm.m4 (P1305): Rearrange struct contents, to fit 64-bit entries
	S0 and H2. Total struct size unchanged.

2022-01-25  Niels Möller  <nisse@lysator.liu.se>

	Chacha implementation for arm64, contributed by Mamone Tarsha.
	* arm64/chacha-core-internal.asm: New file.
	* arm64/chacha-2core.asm: New file.
	* arm64/chacha-4core.asm: New file.

2022-01-24  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp224r1-modp.asm: New file, contributed by
	Amitay Isaacs.
	* powerpc64/ecc-curve25519-modp.asm: New file, contributed by
	Martin Schwenke & Alastair D'Silva.
	* powerpc64/ecc-curve448-modp.asm: New file, contributed by Martin
	Schwenke & Amitay Isaacs.

2022-01-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/poly1305-test.c (test_poly1305_internal): New function.
	(ref_poly1305_internal): New function.
	(test_random): New function.
	(test_main): Call test_random.

	Arrange so that GMP or mini-gmp is always available for tests.
	* testsuite/testutils.h [!WITH_HOGWEED]: Include mini-gmp.h.
	* testsuite/testutils.c [!WITH_HOGWEED]: Include mini-gmp.c.

2022-01-21  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp192r1-modp.asm: New file, contributed by
	Amitay Isaacs.
	* powerpc64/ecc-secp384r1-modp.asm: New file, contributed by
	Martin Schwenke, Amitay Isaacs & Alastair D'Silva.
	* powerpc64/ecc-secp521r1-modp.asm: New file, contributed by
	Martin Schwenke & Alastair D´Silva.

2022-01-17  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_ecc_point_valid_p): New function,
	moved from...
	* testsuite/ecdsa-keygen-test.c (ecc_valid_p): ... old copy.
	* testsuite/gostdsa-keygen-test.c (ecc_valid_p): ... old copy.
	* testsuite/testutils.h: Declare it.
	(test_randomize) [NETTLE_USE_MINI_GMP]: Use inline function rather
	than macro for dummy definition, to avoid compile time warnings.

2022-01-10  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp256r1-redc.asm: Reduce number of registers
	used, eliminating save and restore of callee-save registers.
	Speedup of 7% reported for POWER9 (and marginal speedup of secp256
	sign and verify operations).

2022-01-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ELFV2_ABI): New substituted variable, set on
	powerpc64 based on the _CALL_ELF define.
	* config.m4.in (ELFV2_ABI): Substituted here.
	* powerpc64/machine.m4: Use ELFV2_ABI rather than WORDS_BIGENDIAN
	to select abi flavor. Intended to support ppc64be + musl, which,
	unlike other big-endian configurations, uses ELFv2.

2021-12-09  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/ecc-secp256r1-redc.asm: New folding scheme with one less
	carry propagation phase, and fewer registers, avoiding save and
	restore of callee-save registers. 17% speedup of this function on
	AMD Ryzen 5, resulting in a modest improvement in ecdsa
	performance.

	* powerpc64/ecc-secp256r1-redc.asm: New file, contributed by
	Amitay Isaacs.

2021-11-29  Niels Möller  <nisse@lysator.liu.se>

	From Tianjia Zhang: SM3 hash function.
	* sm3.h: New file.
	* sm3.c: New file.
	* sm3-meta.c: New file.
	* hmac-sm3.c: New file.
	* hmac-sm3-meta.c: New file.
	* testsuite/sm3-test.c: New file.
	* nettle.texinfo: Document SM3.

2021-11-19  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpz_limbs_cmp): Deleted function. Usage replaced
	with mpz_roinit_n and mpz_cmp.
	(mpz_limbs_read_n): Deleted function. Usage in tests only,
	replaced with mpz_limbs_copy.

2021-11-15  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/eddsa-compress-test.c (test_main): Use test_randomize.
	* testsuite/ecc-redc-test.c (test_main): Likewise.
	* testsuite/ecc-mul-g-test.c (test_main): Likewise.
	* testsuite/ecc-mul-a-test.c (test_main): Likewise.

	* testsuite/ecc-modinv-test.c (test_modulo): Trim allocation for
	result area.
	(test_main): Use test_randomize.
	* testsuite/ecc-sqrt-test.c (test_sqrt): Trim allocation.
	(test_sqrt_ratio): Trim allocation. Fix sqrt_ratio test for v = 0,
	failure is expected.
	(test_main): Use test_randomize.

2021-11-13  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (get_random_seed): Move function here.
	(test_randomize): New function.
	* testsuite/ecc-mod-test.c (get_random_seed): Delete old copy.
	(test_main): Use test_randomize.
	* testsuite/rsa-compute-root-test.c (get_random_seed): Delete old copy.
	(test_main): Use test_randomize.

	* ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero
	input, which needs handling as a special case in the
	Tonelli-Shanks algorithm.

	* testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0)
	returns 0.
	(test_sqrt_ratio): Check that sqrt (0/1) returns 0.
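
Why zero needs its own case in Tonelli-Shanks, as in the ecc_secp224r1_sqrt fix above, shown as an added C example. It is not Nettle's code: it uses a constructed 30-bit prime PRIME = 998244353 (PRIME - 1 = 119 * 2^23) instead of the secp224r1 modulus, so that the multi-round part of the algorithm (s = 23 here, s = 96 for secp224r1, whose p - 1 = 2^96 * (2^128 - 1)) is exercised while all products fit in 64-bit integers, and the names mod_sqrt, sqrt_or_p and sqrt_roundtrip are the example's own.

```c
#include <stdint.h>

/* Constructed test modulus: a prime with PRIME - 1 = 119 * 2^23, so the
   Tonelli-Shanks loop has s = 23 rounds to work through (secp224r1 has
   s = 96) while all products fit in 64 bits. */
#define PRIME 998244353ULL

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a % PRIME) * (b % PRIME) % PRIME; }

static uint64_t powmod(uint64_t a, uint64_t e)
{
  uint64_t r = 1;
  for (a %= PRIME; e; e >>= 1, a = mulmod(a, a))
    if (e & 1) r = mulmod(r, a);
  return r;
}

/* Tonelli-Shanks square root modulo PRIME. Returns 1 and sets *root when a
   is zero or a quadratic residue, 0 when a has no square root. */
static int mod_sqrt(uint64_t a, uint64_t *root)
{
  a %= PRIME;
  /* The special case: for a = 0, t = a^q below is 0, and squaring never
     turns it into 1, so the search for i would not terminate (a fixed-
     iteration constant-time variant would instead return a wrong root). */
  if (a == 0) { *root = 0; return 1; }
  if (powmod(a, (PRIME - 1) / 2) != 1) return 0;       /* Euler's criterion */

  uint64_t q = PRIME - 1; unsigned s = 0;
  while (!(q & 1)) { q >>= 1; s++; }                    /* PRIME - 1 = q * 2^s */
  uint64_t z = 2;                                       /* any quadratic non-residue */
  while (powmod(z, (PRIME - 1) / 2) != PRIME - 1) z++;

  uint64_t c = powmod(z, q), t = powmod(a, q), r = powmod(a, (q + 1) / 2);
  unsigned m = s;
  while (t != 1) {
    unsigned i = 0;
    for (uint64_t tt = t; tt != 1; tt = mulmod(tt, tt)) i++;   /* least i with t^(2^i) = 1 */
    uint64_t b = c;
    for (unsigned j = i + 1; j < m; j++) b = mulmod(b, b);     /* b = c^(2^(m-i-1)) */
    r = mulmod(r, b); c = mulmod(b, b); t = mulmod(t, c); m = i;
  }
  *root = r;
  return 1;
}

/* Root of a, or PRIME (never a valid root) when a is a non-residue. */
static uint64_t sqrt_or_p(uint64_t a) { uint64_t r; return mod_sqrt(a, &r) ? r : PRIME; }

/* 1 if mod_sqrt succeeds on a and the root squares back to a mod PRIME. */
static int sqrt_roundtrip(uint64_t a)
{
  uint64_t r;
  return mod_sqrt(a, &r) && mulmod(r, r) == a % PRIME;
}
```

mod_sqrt(0, &r) yields r = 0, and for a residue a the returned root satisfies r*r == a mod PRIME (for example a = PRIME - 1, a residue because PRIME is 1 mod 4, and a = 3, a non-residue since 3 generates the multiplicative group of this prime). Without the early return, t = 0^q = 0 and the inner search for the least i with t^(2^i) = 1 never finds one; a constant-time implementation that runs that search for a fixed number of iterations, as an ECC library must, would instead silently return a wrong value, which is why the entry above handles zero as a special case.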

2021-11-11  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only
	when computed. Fixes uninitialized value bug from previous change.

	* ecc-secp384r1.c (ecc_mod_pow_288m32m1): New function.
	(ecc_secp384r1_inv): Use ecc_mod_pow_288m32m1.
	(ecc_secp384r1_sqrt): Likewise.

	* eccdata.c (output_curve): Delete generation of unused values
	ecc_sqrt_t and ECC_SQRT_T_BITS.

2021-11-10  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (output_bignum_redc): New function.
	(output_curve): Generate both redc and non-redc versions of
	ecc_sqrt_z. Fixes secp224r1 sqrt, in configs using redc.

2021-11-08  Niels Möller  <nisse@lysator.liu.se>

	Square root functions, based on patch by Wim Lewis.
	* ecc-internal.h (ecc_mod_sqrt_func): New typedef.
	(struct ecc_modulo): Add sqrt function pointer and sqrt_itch.
	Update all curve definitions.
	* ecc-secp192r1.c (ECC_SECP192R1_SQRT_ITCH): New constant.
	(ecc_secp192r1_sqrt): New function.
	* ecc-secp256r1.c (ecc_secp256r1_sqrt): New function.
	* ecc-secp384r1.c (ecc_secp384r1_sqrt): New function.
	* ecc-secp521r1.c (ecc_secp521r1_sqrt): New function.
	* ecc-secp224r1.c (ecc_secp224r1_sqrt): New function, using
	Tonelli-Shanks' algorithm.

	* testsuite/ecc-sqrt-test.c (test_sqrt): New function.
	(test_sqrt_ratio): Renamed function (was test_modulo).
	(test_main): Test sqrt function, for curves that define it.

	* ecc-secp224r1.c (ecc_mod_pow_127m1): New function.

2021-11-07  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to
	sqrt_ratio_itch.
	* eddsa-decompress.c (_eddsa_decompress_itch): Updated.

	* ecc-curve448.c (ECC_CURVE448_SQRT_RATIO_ITCH): Renamed, from ...
	(ECC_CURVE448_SQRT_ITCH): ... old name.
	(ecc_curve448_sqrt_ratio): Renamed, from ...
	(ecc_curve448_sqrt): ... old name.
	(_nettle_curve448): Updated.

	* ecc-curve25519.c (ECC_25519_SQRT_RATIO_ITCH): Renamed, from ...
	(ECC_25519_SQRT_ITCH): ... old name.
	(ecc_curve25519_sqrt_ratio): Renamed, from ...
	(ecc_curve25519_sqrt): ... old name.
	(_nettle_curve25519): Updated.

	* ecc-internal.h (ecc_mod_sqrt_ratio_func): Renamed typedef...
	(ecc_mod_sqrt_func): ... from old name.
	(struct ecc_modulo): Renamed corresponding function pointer to
	sqrt_ratio. Updated all uses.

2021-10-28  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_equal_p): New function, moved from
	ecc-modinv-test.c. Based on patch by Wim Lewis.
	* testsuite/ecc-modinv-test.c (mod_eq_p): Deleted, replaced with
	ecc_mod_equal_p.

2021-10-26  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_zero_p): New function.
	* ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
	* ecc-curve448.c (ecc_curve448_zero_p): Deleted, usage replaced
	with ecc_mod_zero_p.
	* testsuite/ecc-modinv-test.c (mod_eq_p): Rewritten to use
	ecc_mod_zero_p, and require that one input is canonically reduced.
	(zero_p): Deleted, usage replaced with ecc_mod_zero_p.

2021-10-23  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (sec_zero_p): New function.
	* ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
	* ecc-curve448.c (ecc_curve448_zero_p): Use it.
	* ecc-random.c (ecdsa_in_range): Use it.
	(zero_p): Delete static function.

2021-10-22  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp256r1.c: Rework ad-hoc reduction functions. In
	particular, arranged to always use single-limb quotients, no q2
	quotient carry.
	(ecc_secp256r1_modp): Reimplemented, closer to 2/1 division.
	(ecc_secp256r1_modq): Reimplemented, closer to divappr2 division.

2021-10-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/ecc-mod-test.c: Extend tests to give better coverage
	of corner cases, with input close to a multiple of the modulo.

2021-09-21  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle.pdf): Generate pdf manual using texi2pdf,
	rather than texi2dvi + dvips + ps2pdf, which makes hyperlinks work
	better.

	* nettle.texinfo: Delete explicit node pointers in nettle.texinfo
	Instead, rely on makeinfo's automatic pointer creation.
	(Cipher functions): Split into nodes, with proper menu.

2021-09-14  Niels Möller  <nisse@lysator.liu.se>

	* cbc.h (cbc_aes128_encrypt, cbc_aes192_encrypt)
	(cbc_aes256_encrypt): Change interface, take cipher context
	pointer and iv as separate arguments. Update C and x86_64
	implementations and corresponding glue code.

	* testsuite/testutils.c (test_aead): Test encrypt/decrypt with
	message split into pieces.

2021-09-12  Niels Möller  <nisse@lysator.liu.se>

	* Merged CBC-AES changes into master branch.

2021-09-09  Niels Möller  <nisse@lysator.liu.se>

	Implementation of CBC-AES for x86_64 aesni. Roughly 40%-50%
	speedup benchmarked on Ryzen 5.
	* x86_64/aesni/cbc-aes128-encrypt.asm: New file.
	* x86_64/aesni/cbc-aes192-encrypt.asm: New file.
	* x86_64/aesni/cbc-aes256-encrypt.asm: New file.
	* x86_64/fat/cbc-aes128-encrypt-2.asm: New file.
	* x86_64/fat/cbc-aes192-encrypt-2.asm: New file.
	* x86_64/fat/cbc-aes256-encrypt-2.asm: New file.
	* configure.ac (asm_nettle_optional_list, asm_replace_list): Add
	new asm files.
	* fat-setup.h (cbc_aes128_encrypt_func, cbc_aes192_encrypt_func)
	(cbc_aes256_encrypt_func): New typedefs.
	* fat-x86_64.c (fat_init): Use new functions, when aesni is available.

2021-09-08  Niels Möller  <nisse@lysator.liu.se>

	* cbc-aes128-encrypt.c (nettle_cbc_aes128_encrypt): New file and
	function.
	* cbc-aes192-encrypt.c (cbc_aes192_set_encrypt_key): New file.
	* cbc-aes256-encrypt.c (cbc_aes256_set_encrypt_key): New file.
	* cbc.h (cbc_aes128_ctx, struct cbc_aes192_ctx, cbc_aes256_ctx):
	New context structs. Declare new functions.
	* Makefile.in (nettle_SOURCES): Add new files.
	* nettle-internal.c (nettle_cbc_aes128, nettle_cbc_aes192)
	(nettle_cbc_aes256): New algorithm structs, for tests and
	benchmarking.
	* testsuite/testutils.c (test_aead): Skip tests of decryption and
	authentication, if corresponding function pointers are NULL.
	* testsuite/cbc-test.c (test_main): Add tests of new cbc
	functions.
	* examples/nettle-benchmark.c (time_aead): Skip decrypt benchmark,
	if corresponding function pointer is NULL.

2021-09-09  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/fat/cpuid.asm: Fix usage of W64_ENTRY and W64_EXIT, to
	make fat builds work on 64-bit windows.

2021-08-16  Niels Möller  <nisse@lysator.liu.se>

	S390x functions for sha1, sha256 and sha512, from Mamone Tarsha:
	* s390x/msa/sha1-compress.asm: New file.
	* s390x/msa_x1/sha256-compress.asm: Likewise.
	* s390x/msa_x2/sha512-compress.asm: Likewise.
	* s390x/fat/sha1-compress-2.asm: Likewise.
	* s390x/fat/sha256-compress-2.asm: Likewise.
	* s390x/fat/sha512-compress-2.asm: Likewise.
	* fat-s390x.c: Update fat setup.
	* Makefile.in (distdir): Add s390x/msa_x1.

2021-08-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aesni/aes128-encrypt.asm: New file, with 2-way loop.
	* x86_64/aesni/aes128-decrypt.asm: Likewise.
	* x86_64/aesni/aes192-encrypt.asm: Likewise.
	* x86_64/aesni/aes192-decrypt.asm: Likewise.
	* x86_64/aesni/aes256-encrypt.asm: Likewise.
	* x86_64/aesni/aes256-decrypt.asm: Likewise.
	* x86_64/aesni/aes-encrypt-internal.asm: Deleted.
	* x86_64/aesni/aes-decrypt-internal.asm: Deleted.
	* x86_64/fat/: Corresponding new and deleted files.
	* fat-x86_64.c: Update fat setup accordingly.

2021-08-09  Niels Möller  <nisse@lysator.liu.se>

	Arm64 AES functions, from Mamone Tarsha:
	* arm64/crypto/aes128-decrypt.asm: New file.
	* arm64/crypto/aes128-encrypt.asm: New file.
	* arm64/crypto/aes192-decrypt.asm: New file.
	* arm64/crypto/aes192-encrypt.asm: New file.
	* arm64/crypto/aes256-decrypt.asm: New file.
	* arm64/crypto/aes256-encrypt.asm: New file.
	* arm64/fat/aes128-decrypt-2.asm: New file.
	* arm64/fat/aes128-encrypt-2.asm: New file.
	* arm64/fat/aes192-decrypt-2.asm: New file.
	* arm64/fat/aes192-encrypt-2.asm: New file.
	* arm64/fat/aes256-decrypt-2.asm: New file.
	* arm64/fat/aes256-encrypt-2.asm: New file.
	* configure.ac: Add aes to arm64 FAT_TEST_LIST.
	* fat-arm64.c: Update fat setup.

2021-08-06  Niels Möller  <nisse@lysator.liu.se>

	S390x xor functions, from Mamone Tarsha:
	* configure.ac: New configure option --enable-s390x-vf.
	* fat-s390x.c: Fat setup for memxor3.
	* s390x/vf/memxor3.asm: New file.
	* s390x/memxor.asm: New file.
