++2019-11-21 Niels Möller <nisse@lysator.liu.se>
++
++ * Merge curve448 preparations, from September 2017.
++
+ 2017-09-23 Niels Möller <nisse@lysator.liu.se>
+
+ * eccdata.c: Reorganize curve25519 precomputation to work directly
+ with the twisted Edwards curve, with new point addition based on a
+ patch from Daiki Ueno.
+ * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery
+ curve constant.
+
+ * ecc-internal.h (struct ecc_curve): Delete unused pointer
+ edwards_root. Update all instances.
+ * eccdata.c (output_curve): Don't output it.
+
+ * testsuite/ecc-add-test.c (test_main): Reduce test duplication.
+ Use ecc->add_hhh_itch.
+ * testsuite/ecc-dup-test.c (test_main): Reduce test duplication.
+ Use ecc->dup_itch.
+
+ 2017-09-23 Daiki Ueno <dueno@redhat.com>
+
+ * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of
+ hard-coded value for curve25519.
+ * eddsa-sign.c (_eddsa_sign): Likewise.
+
+ * ecc-internal.h (ecc_dup_func): New typedef.
+ (struct ecc_curve): New constants add_hh_itch and dup_itch, new
+ function pointers add_hh and dup.
+ * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c,
+ ecc-25519.c: Update accordingly.
+ * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers.
+ * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh):
+ Likewise.
+ * testsuite/ecc-dup-test.c (test_main): Likewise.
+ * testsuite/ecc-add-test.c (test_main): Likewise.
+
+2019-10-01 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/testutils.c (test_cipher_cfb8): Reset destination area
+ between tests. Encrypt/decrypt final partial block.
+
+ From Daiki Ueno, fixing bug reported by Stephan Mueller:
+ * cfb.c (cfb8_decrypt): Don't truncate output IV if input is
+ shorter than block size.
+ * testsuite/testutils.c (test_cipher_cfb8): Test splitting input
+ into multiple calls to cfb8_encrypt and cfb8_decrypt.
+
+2019-09-30 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read.
+ Trim allocation size for de_data, drop some uses of
+ SIV_DIGEST_SIZE, call FAIL for unexpected returned values.
+ (test_compare_results): Delete digest argument.
+
+2019-09-15 Niels Möller <nisse@lysator.liu.se>
+
+ From Dmitry Eremin-Solenikov:
+ * gost28147.c (_gost28147_encrypt_block): New file, encrypt
+ function and sbox tables moved here.
+ * gosthash94.c: Update functions to take sbox array as argument.
+ (gost_block_compress): Use _gost28147_encrypt_block.
+ (gosthash94cp_update,gosthash94cp_digest): New functions.
+ * gost28147-internal.h: New file.
+ * gost28147.h: New file.
+ * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm.
+ * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and
+ nettle_gosthash94cp.
+ * hmac-gosthash94.c (hmac_gosthash94_set_key)
+ (hmac_gosthash94_update, hmac_gosthash94_digest)
+ (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update)
+ (hmac_gosthash94cp_digest): New file and functions.
+ * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file
+ and function.
+ * testsuite/pbkdf2-test.c (test_main): Add
+ pbkdf2-hmac-gosthash94cp tests.
+ * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests.
+ * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests.
+ * nettle.texinfo (Legacy hash functions): Document gosthash94cp.
+
+ * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS.
+
+2019-07-08 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle-types.h (union nettle_block16): Mark w member as deprecated.
+ * eax.c (block16_xor): Use uint64_t member of nettle_block16.
+ * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise.
+
+2019-07-10 Niels Möller <nisse@lysator.liu.se>
+
+ From Dmitry Eremin-Solenikov:
+ * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init)
+ (cmac64_update, cmac64_digest): New file, new functions.
+ * cmac-des3.c (cmac_des3_set_key, cmac_des3_update)
+ (cmac_des3_digest): New file, new functions.
+ * cmac.h: Add cmac64 and cmac_des3 declarations.
+ * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c.
+ * testsuite/cmac-test.c (test_main): Add tests for cmac_des3.
+
+2019-07-02 Niels Möller <nisse@lysator.liu.se>
+
+ From Dmitry Eremin-Solenikov:
+ * testsuite/testutils.c (test_mac): New function.
+ * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
+ New algorithm structs.
+ (test_cmac_aes128, test_cmac_aes256): Use test_mac.
+
+2019-06-06 Niels Möller <nisse@lysator.liu.se>
+
+ Update for cmac changes, enabling const for the _message functions.
+ * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument,
+ and use a local struct cmac128_ctx for message-specific state.
+ (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated
+ callers.
+ (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const
+ struct cmac128_key as argument. Updated callers.
+
+ * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key
+ rather than struct cmac128_ctx.
+
+ * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message)
+ (siv_cmac_aes256_decrypt_message): Likewise.
+ * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message)
+ (siv_cmac_aes128_decrypt_message): The ctx argument made const.
+
+2019-05-15 Niels Möller <nisse@lysator.liu.se>
+
+ * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE):
+ New constants.
+ * testsuite/siv-test.c: Simplify tests a little.
+
+ * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
+ * siv-cmac.c (_siv_s2v): Require non-empty nonce.
+ * nettle.texinfo (SIV-CMAC): Update documentation.
+
+2019-05-06 Niels Möller <nisse@lysator.liu.se>
+
+ SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
+ * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants.
+ (SIV_CMAC_CTX): New macro.
+ (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New
+ context structs.
+ * siv-cmac.c (_siv_s2v, siv_cmac_set_key)
+ (siv_cmac_encrypt_message)
+ (siv_cmac_decrypt_message): New file, new functions.
+ * siv-cmac-aes128.c (siv_cmac_aes128_set_key)
+ (siv_cmac_aes128_encrypt_message)
+ (siv_cmac_aes128_decrypt_message): New file, new functions.
+ * siv-cmac-aes256.c (siv_cmac_aes256_set_key)
+ (siv_cmac_aes256_encrypt_message)
+ (siv_cmac_aes256_decrypt_message): New file, new functions.
+ * Makefile.in (nettle_SOURCES): Add siv-cmac source files.
+ (HEADERS): Add siv-cmac.h.
+ * testsuite/siv-test.c: New file.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c
+ * nettle.texinfo (SIV-CMAC): Documentation.
+
+2019-04-30 Niels Möller <nisse@lysator.liu.se>
+
+ Based on a patch contributed by Nikos Mavrogiannopoulos.
+ * cmac.c (_cmac128_block_mulx): Renamed function...
+ (block_mulx): ... from old name.
+ * cmac-internal.h (_cmac128_block_mulx): New file, declare function.
+ * Makefile.in (DISTFILES): Added cmac-internal.h.
+
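Review bot: the entries dated 2019-04-30, 2019-05-06, 2019-05-15 and 2019-06-06 (cmac-internal.h, SIV-CMAC, the SIV key-size constants and the cmac128_key split) are placed above the 2019-06-26 "Released nettle-3.5.1" entry, so the file is no longer in reverse date order here, and further up the 2019-07-08 nettle_block16 entry sits below the 2019-07-10 cmac64 entry. If these came in through a branch merged after the 3.5.1 release, a one-line merge entry like the 2019-11-21 "Merge curve448 preparations" one at the top would tell a reader checking which release a change shipped in why they sit where they do; otherwise they should be moved below the release entry.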
+2019-06-26 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-3.5.1.
+
+ * configure.ac: Update version number to 3.5.1.
+
+ * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed
+ directories.
+
+ * Released nettle-3.5.
+
+2019-06-25 Niels Möller <nisse@lysator.liu.se>
+
+ * config.sub: Update to 2019-05-23 version, from savannah's
+ config.git.
+ * config.guess: Update to 2019-06-10 version, from savannah's
+ config.git. Adds recognition of mips R6 and riscv.
+
+2019-06-05 Niels Möller <nisse@lysator.liu.se>
+
+ Further separation of CMAC per-message state from the
+ message-independent subkeys, analogous to the gcm implementation.
+ * cmac.h (struct cmac128_ctx): Remove key, instead a struct
+ cmac128_key should be passed separately to functions that need it.
+ (CMAC128_CTX): Include both a struct cmac128_key and a struct
+ cmac128_ctx.
+ (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly.
+
+ * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx
+ to cmac128_key. Use a nettle_block16 for the constant zero block.
+ (cmac128_init): New function, to initialize a cmac128_ctx.
+ (cmac128_digest): Add cmac128_key argument. Move padding memset
+ into the block handling a partial block. Call cmac128_init to
+ reset state.
+
+2019-06-01 Niels Möller <nisse@lysator.liu.se>
+
+ * cmac.h (struct cmac128_key): New struct.
+ * cmac.h (struct cmac128_ctx): Use struct cmac128_key.
+ * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly.
+
+2019-05-12 Niels Möller <nisse@lysator.liu.se>
+
+ Delete old libdes/openssl compatibility interface.
+ * des-compat.c: Delete file.
+ * des-compat.h: Delete file.
+ * testsuite/des-compat-test.c: Delete file.
+ * nettle.texinfo (Compatibility functions): Delete mention in documentation.
+
+2019-05-11 Niels Möller <nisse@lysator.liu.se>
+
+ * NEWS: More updates for Nettle-3.5.
+
+2019-04-27 Niels Möller <nisse@lysator.liu.se>
+
+ From Simo Sorce:
+ * x86_64/poly1305-internal.asm: Add missing EPILOGUE.
+ * x86_64/serpent-decrypt.asm: Likewise.
+ * x86_64/serpent-encrypt.asm: Likewise.
+
+2019-04-14 Niels Möller <nisse@lysator.liu.se>
+
+ * tools/nettle-pbkdf2.c (main): Check strdup return value.
+
+2019-03-29 Niels Möller <nisse@lysator.liu.se>
+
+ * aes.h (struct aes_ctx): Redefine using a union of key-size
+ specific contexts.
+ * aes-decrypt.c (aes_decrypt): Use switch on key_size.
+ * aes-encrypt.c (aes_encrypt): Likewise.
+ * aes-set-decrypt-key.c (aes_invert_key): Likewise.
+ * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise.
+
+2019-03-27 Niels Möller <nisse@lysator.liu.se>
+
+ * xts.c (xts_shift): Arrange with a single write to u64[1].
+ * cmac.c (block_mulx): Rewrite to work in the same way as
+ xts_shift, with 64-bit operations. XTS and CMAC use opposite
+ endianness, but otherwise, these two functions are identical.
+
+2019-03-24 Niels Möller <nisse@lysator.liu.se>
+
+ From Simo Sorce:
+ * xts.h: New file.
+ * xts.c: New file.
+ (BE_SHIFT): New macro.
+ (xts_shift, check_length, xts_encrypt_message)
+ (xts_decrypt_message): New functions.
+ * xts-aes128.c (xts_aes128_set_encrypt_key)
+ (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message)
+ (xts_aes128_decrypt_message): New file, new functions.
+ * xts-aes256.c (xts_aes256_set_encrypt_key)
+ (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message)
+ (xts_aes256_decrypt_message): New file, new functions.
+ * nettle.texinfo (XTS): Document XTS mode.
+ * Makefile.in (nettle_SOURCES): Add xts sourcce files.
+ (HEADERS): New installed header xts.h.
+ * testsuite/xts-test.c: New file.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c.
+
+2019-02-06 Niels Möller <nisse@lysator.liu.se>
+
+ * gosthash94.h (struct gosthash94_ctx): Move block buffer last in
+ struct.
+ * md2.h (struct md2_ctx): Likewise.
+ * md4.h (struct md4_ctx): Likewise.
+ * md5.h (struct md5_ctx): Likewise.
+ * ripemd160.h (struct ripemd160_ctx): Likewise.
+ * sha1.h (struct sha1_ctx): Likewise.
+ * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise.
+
+2019-01-19 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/Makefile.in (TARGETS): Delete eratosthenes, left over
+ from earlier change.
+
+ * fat-arm.c: Fix declarations of chacha_core functions.
+
+ From Yuriy M. Kaminskiy:
+ * fat-setup.h (chacha_core_func): New typedef.
+ * fat-arm.c (fat_init): Enable choice between
+ _nettle_chacha_core_c and _nettle_chacha_core_neon.
+ * configure.ac (asm_nettle_optional_list): Add
+ chacha-core-internal-2.asm.
+ * chacha-core-internal.c: Enable fat build with C and asm version.
+ * arm/fat/chacha-core-internal-2.asm: New file.
+
+2019-01-12 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/eratosthenes.c: Deleted program.
+ * examples/Makefile.in: Delete rule to build and distribute it.
+
+2019-01-10 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c (test_one): Use %u and
+ corresponding cast, when printing bit sizes.
+
+2019-01-09 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to
+ inline asm.
+
+2019-01-08 Niels Möller <nisse@lysator.liu.se>
+
+ * sha512-compress.c: Add missing include of sha2-internal.h.
+
+2019-01-06 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert
+ call with side-effects.
+
+2019-01-06 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle-types.h: Don't use nettle-stdint.h, include <stdint.h>
+ directly.
+ * nettle-write.h: Likewise.
+ * configure.ac: Delete use of AX_CREATE_STDINT_H.
+ * aclocal.m4 (AX_CREATE_STDINT_H): Delete.
+ * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of
+ nettle-stdint.h.
+
+2018-12-26 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper
+ function. Call openssl's RSA_generate_key_ex rather then the
+ deprecated RSA_generate_key.
+ (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it.
+
+ * eccdata.c (ecc_pippenger_precompute): Check that table size is
+ at least 2. Intended to silence warning from the clang static
+ analyzer.
+
+ * configure.ac: Bump package version to 3.5.
+ (LIBNETTLE_MAJOR): Bump major number, now 7.
+ (LIBHOGWEED_MAJOR): Bump major number, now 5.
+ (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero.
+
+ * pkcs1-internal.h: New header file, moved declarations of
+ _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here.
+ * rsa-internal.h: ... old location.
+ * Makefile.in (DISTFILES): Added pkcs1-internal.h.
+ * pkcs1-decrypt.c: Include new file.
+ * pkcs1-sec-decrypt.c: Likewise.
+ * rsa-decrypt-tr.c: Likewise.
+ * rsa-sec-decrypt.c: Likewise.
+ * testsuite/pkcs1-sec-decrypt-test.c: Likewise.
+
+ * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for
+ strdup with gcc -std=c89.
+ * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for
+ getline with gcc -std=c89.
+
+ * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop.
+ Reported by Andreas Gustafsson.
+ * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise.
+
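Review bot: typo in the 2019-03-24 entry, "Add xts sourcce files" should read "Add xts source files", and in the 2018-12-26 hogweed-benchmark item "rather then the deprecated RSA_generate_key" should be "rather than". The two consecutive 2019-01-06 entries by the same author (the generate_keypair assert fix and the nettle-stdint.h removal) could be merged under a single header, as the multi-item entries elsewhere in the file are.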
+2018-12-04 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-3.4.1.
+
+2018-11-28 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: Update GMP check. Check for the function
+ mpn_sec_div_r, available since GMP-6.0.0.
+
+ * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of
+ decrypted storage. Update test of rsa_decrypt, to allow clobbering
+ of all of the passed in message area.
+
+ * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around
+ _pkcs1_sec_decrypt_variable. Improves side-channel silence of the
+ only caller, rsa_decrypt.
+
+ * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make
+ dist. Patch from Simo Sorce.
+
+ * rsa-internal.h: Add include of rsa.h.
+
+2018-11-27 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New
+ local helper functions, with their own itch functions.
+ (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to
+ use helpers, for clarity.
+
+2018-11-26 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify
+ selection of psize and qsize, and fix so that qsize is used.
+ (test_main): Add outer loop, to test with more than one key.
+ Deallocate storage before exiting.
+
+2018-11-25 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/rsa-compute-root-test.c: Renamed, from ...
+ * testsuite/rsa-sec-compute-root-test.c: ... old name.
+
+ * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ...
+ * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location.
+ * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from...
+ (rsa_sec_compute_root_tr): ... old name. Updated callers.
+ (cnd_mpn_zero): Use a volatile-declared mask variable.
+
+ * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix
+ masking of most significant bits.
+
+ * rsa-decrypt-tr.c (rsa_decrypt_tr): Use
+ NETTLE_OCTET_SIZE_TO_LIMB_SIZE.
+
+ * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
+ valgrind marking, and document potential leakage of lowest and
+ highest bits of p and q.
+
+ * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to
+ mpz_sizeinbase, since that potentially leaks most significant bits
+ of private key parameters a and b.
+
+ * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix
+ valgrind marking of return value.
+
+ Merged below changes from Simo Sorce, to make RSA private key
+ operations side-channel silent.
+
+2018-11-08 Simo Sorce <simo@redhat.com>
+
+ * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use
+ _rsa_sec_compute_root.
+
+ * testsuite/rsa-sec-compute-root-test.c: Add more tests for new
+ side-channel silent functions.
+
+ * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn,
+ since that is required for one of the GMP calls in
+ _rsa_sec_compute_root.
+
+ * rsa-decrypt-tr.c: Switch to use side-channel silent functions.
+
+ * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private
+ function. Variable size version for backwards compatibility.
+
+ * testsuite/rsa-sec-decrypt-test.c: Adds more tests.
+
+ * rsa-sec-decrypt.c (rsa_sec_decrypt): New function.
+ Fixed length side-channel silent version of rsa-decrypt.
+ * testsuite/rsa-encrypt-test.c: add tests for the new fucntion.
+
+ * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for
+ _pkcs1_sec_decrypt.
+
+ * gmp-glue.c (mpn_get_base256): New function.
+
+ * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function.
+ Fixed length side-channel silent version of pkcs1-decrypt.
+
+ * cnd-memcpy.c (cnd_memcpy): New function.
+ * memops.h: Declare it.
+ * testsuite/cnd-memcpy-test.c: New test case.
+
+ * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses
+ _rsa_sec_compute_root, as well as side-channel silent RSA
+ blinding.
+ (rsa_compute_root_tr) Rewritten as a wrapper around
+ rsa_sec_compute_root_tr.
+ (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root)
+ (cnd_mpn_zero): New helper functions.
+ (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not
+ side-channel silent wrapper around rsa_compute_root_tr, and the
+ latter function left unchanged.
+
+ * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch)
+ (_rsa_sec_compute_root): New file, new private functions.
+ Side-channel silent version of rsa_compute_root.
+ * rsa-internal.h: New header file with declarations.
+
+ * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro.
+
+2018-11-24 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: Bump package version to 3.4.1.
+ (LIBNETTLE_MINOR): Bump library version to 6.5.
+ (LIBHOGWEED_MINOR): Bump library version to 4.5.
+
+2018-11-17 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/hogweed-benchmark.c (bench_rsa_verify)
+ (bench_openssl_rsa_tr_init): New functions.
+ (alg_list): Benchmark timing-resistant RSA functions, i.e.,
+ including RSA blinding.
+ (main): Increase width of first column, here and in other
+ printouts.
+
+2018-10-10 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when
+ processing more than on full block of size CTR_BUFFER_LIMIT, src
+ and dst arguments to memxor3 were not properly updated.
+
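Review bot: in the 2018-11-08 entry the item "(rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr." is missing the colon after the closing parenthesis that every other item uses, and "add tests for the new fucntion" should read "Add tests for the new function" to match the capitalisation of the surrounding items. In the 2018-10-10 ctr16 entry, "more than on full block" should be "more than one full block"; since this describes a src == dst data-corruption bug in _ctr_crypt16, it would help to name the test that now exercises the in-place path, if one was added with the fix.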
+2018-10-10 Niels Möller <nisse@lysator.liu.se>
+
+ * aes-set-encrypt-key.c: Add missing include of stdlib.h.
+ * des-compat.c: Likewise.
+
+2018-09-13 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and
+ redundant check for p == q.
+
+2018-08-09 Niels Möller <nisse@lysator.liu.se>
+
+ * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with
+ _NETTLE_ATTRIBUTE_DEPRECATED.
+
+ * nettle-types.h (_NETTLE_ATTRIBUTE_PURE)
+ (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and
+ lookalikes.
+ * ecc-curve.h: Include nettle-types.h, and use
+ _NETTLE_ATTRIBUTE_PURE instead of local definition.
+ * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit
+ #ifdefs.
+
+ * aes.h: Mark functions using struct aes_ctx interface as
+ deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where
+ the functions are implemented or tested.
+ * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated.
+
+ * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper)
+ (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast
+ between incompatible function types (which gcc-8 warns about).
+ Wrappers are expected to compile to a single jmp instruction.
+
+ * des-compat.c (des_compat_des3_encrypt)
+ (des_compat_des3_decrypt): Change length argument type to size_t.
+
+2018-08-08 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo (Compatibility): New section on ABI and API
+ compatibility.
+
+2018-07-25 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ * examples/nettle-benchmark.c: Add benchmarking for HMAC functions.
+
+2018-07-13 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/eratosthenes.c (vector_alloc): Add assert related to
+ overflow in the size calculation. Fixes a corner case identified
+ by static analysis.
+ (vector_init): Analogous assert.
+
+2018-07-12 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/eratosthenes.c (main): Don't allocate bitmap storage
+ for limit == 2 (early exit), closing memory leak at exit.
+ (main): Fix handling of short -q option.
+
+ * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui,
+ to fix memory leak.
+ (ecc_curve_clear): New function.
+ (main): Call it, to deallocate storage before exit.
+
+2018-07-08 Niels Möller <nisse@lysator.liu.se>
+
+ * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress.
+ * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name.
+ * x86_64/fat/sha1-compress-2.asm: Likewise.
+
+2018-07-07 Niels Möller <nisse@lysator.liu.se>
+
+ From Nikos Mavrogiannopoulos.
+ * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to
+ public function, since there's known appliation usage (filezilla).
+ * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor
+ alias for the new name.
+ * md5-compress.c (nettle_md5_compress): Similarly renamed (used by
+ sogo).
+ * md5.h (_nettle_md5_compress): Old name,, now a preprocessor
+ alias for the new name.
+
+ * chacha-internal.h, dsa-internal.h, eddsa-internal.h:
+ * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h:
+ * salsa20-internal.h, sha2-internal.h, sha3-internal.h:
+ * umac-internal.h: Internal declarations moved to new header
+ files, which are not installed..
+ * Makefile.in (DISTFILES): Added above files.
+
+ * libnettle.map.in: Use a different symbol version for _nettle_*
+ symbols, depending on the minor release. This marks these symbols
+ explicitly not part of the public Nettle ABI.
+ * libhogweed.map.in: Analogous change.
+
+2018-06-17 Niels Möller <nisse@lysator.liu.se>
+
+ * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed
+ by Dmitry Eremin-Solenikov.
+
+ * testsuite/symbols-test: Exclude ____chkstk_darwin symbols,
+ produced by Apple's Xcode 10 compiler. Patch contributed by
+ Dominyk Tiller.
+
+2018-03-25 Niels Möller <nisse@lysator.liu.se>
+
+ From Michael Weiser.
+ * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN.
+ * config.m4.in: Use it to set WORDS_BIGENDIAN.
+ * asm.m4 (IF_BE, IF_LE): New macros.
+ * arm/memxor.asm: Support big-endian ARM.
+ * arm/memxor3.asm: Likewise.
+ * arm/neon/chacha-core-internal.asm: Likewise.
+ * arm/neon/salsa20-core-internal.asm: Likewise.
+ * arm/neon/umac-nh.asm: Likewise.
+ * arm/v6/sha1-compress.asm: Likewise.
+ * arm/v6/sha256-compress.asm: Likewise.
+ * arm/README: Document big-endian considerations.
+
+2018-03-17 Niels Möller <nisse@lysator.liu.se>
+
+ Discourage direct access to data symbols with non-public size.
+ Direct references to these symbols may result in copy-relocations
+ like R_X86_64_COPY, which make the symbol size leak into the ABI.
+ * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1)
+ (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add
+ leading underscore on these data symbols.
+
+ * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads)
+ (_nettle_armors): Add leading underscore on these data symbols.
+ Update all internal use. Macros without leading underscore remain,
+ and expand to access via accessor functions nettle_get_ciphers and
+ similar.
+
+2018-03-10 Niels Möller <nisse@lysator.liu.se>
+
+ * eccdata.c (ecc_table_size): New helper function.
+ (ecc_pippenger_precompute): Display warning for poor parameters.
+
+ * eccparams.c (main): New program, to list parameter alternatives
+ for Pippenger's algorithm.
+
+ * Makefile.in: Tweak parameters for ecc tables.
+ (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6.
+ Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3%
+ for ecdsa signatures.
+ (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c =
+ 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on
+ 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures.
+ (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c =
+ 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures.
+ (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c =
+ 6. Table size unchanged. 12% speedup for ecdsa signatures.
+ (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6.
+ Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit
+ platforms). 15% speedup for ecdsa signatures.
+ (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c =
+ 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures.
+
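Review bot: the 2018-03-10 table-parameter entry has an unclosed parenthesis in "(14 KB in 32-bit platforms, 18 KB on 64-bit platforms." on the ecc-224.h line and is missing an equals sign in "k 44, c = 6" on the ecc-521.h line (compare "k = 32, c = 6" on the ecc-384.h line). Smaller typos in the same region: "substution" in the 2018-03-25 configure.ac item, "appliation usage" and "Old name,," in the 2018-07-07 entry, and the trailing ".." after "not installed" in the same entry.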
+2018-03-14 Niels Möller <nisse@lysator.liu.se>
+
+ Merge sha256 code using the x86_64 sha_ni instructions, starting
+ 2018-02-21.
+
+2018-03-11 Niels Möller <nisse@lysator.liu.se>
+
+ * x86_64/fat/sha256-compress.asm: New file.
+ * x86_64/fat/sha256-compress-2.asm: New file.
+ * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or
+ sha_ni version for sha256_compress.
+
+2018-02-21 Niels Möller <nisse@lysator.liu.se>
+
+ * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni
+ instructions.
+
+2018-02-20 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly.
+
+2018-02-19 Niels Möller <nisse@lysator.liu.se>
+
+ Mostly aesthetic changes. Besides indentation:
+ * cmac.h (struct cmac128): Rename, to cmac128_ctx.
+ (CMAC128_CTX): Rename first member from data to ctx.
+
+ * cmac.c: Use const void * as the type for cipher arguments.
+ (block_mulx): Un-inline.
+ (cmac128_set_key): Make a constant function local.
+
+ * testsuite/cmac-test.c: Delete local typedefs.
+
+2018-02-19 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ Add support for CMAC.
+ * cmac.h: New file.
+ (struct cmac128): New struct.
+ * cmac.c (block_mulx, cmac128_set_key, cmac128_update)
+ (cmac128_digest): New file, new functions.
+ * cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update)
+ (cmac_aes128_digest): New file, new functions.
+ * cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update)
+ (cmac_aes256_digest): New file, new functions.
+ * Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c.
+ (HEADERS): Added cmac.h.
+
+ * testsuite/cmac-test.c: New tests.
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c.
+
+ * examples/nettle-benchmark.c (time_cmac): New function.
+ (main): Use it.
+
+ * nettle.texinfo: Document CMAC.
+
+2018-02-20 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/cbc-test.c (test_cbc_bulk): Use struct
+ aes256_ctx, instead of the deprecated struct aes_ctx.
+ * testsuite/cfb-test.c (test_cfb_bulk): Likewise.
+ * examples/rsa-session.h (struct rsa_session): Likewise.
+ * examples/rsa-encrypt.c (rsa_session_set_encrypt_key)
+ (process_file): Use aes256_* functions.
+ * examples/rsa-decrypt.c (rsa_session_set_decrypt_key)
+ (process_file): Likewise.
+
+2018-02-19 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle-internal.h: Include sha3.h, needed for the definition of
+ NETTLE_MAX_HASH_CONTEXT_SIZE.
+ (TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support
+ allocation of context structs with alignment requirements.
+ [!HAVE_ALLOCA]: Also use assert, rather than calling abort
+ directly.
+
+ * pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros.
+ * pss-mgf1.c (pss_mgf1): Likewise.
+
+2018-02-18 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c...
+ (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds
+ without public-key support.
+
+2018-02-18 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ * examples/nettle-openssl.c): Move expressions with side effects
+ out of asserts.
+
+2018-02-17 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+ (openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use
+ EVP_CipherInit_ex.
+ * examples/nettle-openssl.c (nettle_openssl_gcm_aes128)
+ (nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead
+ algorithms, for benchmarking purposes, and supporting wrapper functions.
+ * nettle-internal.h: Corresponding declarations.
+ * examples/nettle-benchmark.c (main): Include openssl's gcm aes in
+ benchmark.
+
+2018-02-16 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo: Improved index entries.
+ (Cipher functions): Update CAST128/CAST5 docs. Inconsistencies
+ spotted by Henrik Rindlöw.
+
+2018-02-10 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: New configure option --enable-x86-sha-ni.
+
+2018-02-07 Niels Möller <nisse@lysator.liu.se>
+
+ * x86_64/fat/sha1-compress.asm: New file.
+ * x86_64/fat/sha1-compress-2.asm: New file.
+ * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or
+ sha_ni version for sha1_compress.
+
+2018-02-05 Niels Möller <nisse@lysator.liu.se>
+
+ * x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni
+ instructions.
+
+ * fat-x86_64.c (get_x86_features): Check for sha_ni extension.
+
+ * x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction.
+
+2018-02-01 Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+ * gcm.c (gcm_fill): New function, for use with _ctr_crypt16.
+ (gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of
+ gcm_aes128, benchmarked on x86_64 with aesni instructions.
+
+2018-02-01 Niels Möller <nisse@lysator.liu.se>
+
+ Based on a patch contributed by Nikos Mavrogiannopoulos.
+ * ctr16.c (_ctr_crypt16): New file, renamed and generalized
+ function. New function pointer argument, used to fill a block with
+ counter values. Use nettle_block16 * as the type for the buffer to
+ be filled. Always process any final and partial block, and return
+ no value.
+ * ctr.c (ctr_crypt): ... previous, replaced, function.
+ (ctr_fill16): Updated to new argument type.
+ (ctr_crypt): Return immediately after using _ctr_crypt16.
+
+ * ctr-internal.h: New file, declaring _ctr_crypt16.
+ (nettle_fill16_func): New function typedef.
+
+ * Makefile.in (nettle_SOURCES): Added ctr16.c.
+ (DISTFILES): Added ctr-internal.h.
+
+2018-01-30 Niels Möller <nisse@lysator.liu.se>
+
+ * Makefile.in (clean-here): Don't delete desdata.stamp.
+
+2018-01-24 Jay Foad <jay.foad@gmail.com>
+
+ * Makefile.in (TARGETS): Delete dependencies on aesdata, desdata,
+ twofishdata, shadata and gcmdata. They are not needed for a normal
+ build.
+ (clean-here): Explicitly delete of above files.
+ (desdata.stamp): New stamp target, to avoid building desdata twice
+ in a parallell build.
+
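Review bot: the first item of the 2018-02-17 entry, "(openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use EVP_CipherInit_ex.", has no "* file:" line in front of it, so a reader cannot tell which file those functions live in; the following item names examples/nettle-openssl.c, which is presumably the intended file and should be stated. The 2018-02-18 item just above it has a stray closing parenthesis in "* examples/nettle-openssl.c):". Also, the 2018-02-19 Nikos Mavrogiannopoulos "Add support for CMAC" entry sits above the 2018-02-20 aes_ctx entry, breaking reverse date order, and "parallell build" in the 2018-01-24 entry should be "parallel build".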
+2018-01-23 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac (asm_path): Recognize "x86", in addition to "i?86",
+ for 32-bit x86 processors. Reportedly needed for x86 android builds.
+
+2018-01-20 Niels Möller <nisse@lysator.liu.se>
+
+ CFB8 support, contributed by Dmitry Eremin-Solenikov.
+ * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions.
+ * cfb.h: Declare them.
+ (CFB8_ENCRYPT, CFB8_DECRYPT): New macros.
+ * testsuite/cfb-test.c: New tests for CFB8.
+ * nettle.texinfo (CFB and CFB8): Documentation.
+
+2018-01-16 Niels Möller <nisse@lysator.liu.se>
+
+ * tools/pkcs1-conv.c (convert_file): Add missing break statements.
+
+2018-01-09 Niels Möller <nisse@lysator.liu.se>
+
+ * testsuite/testutils.c (test_cipher_ctr): Test operations with
+ shorter sizes.
+
+ * testsuite/ctr-test.c: Additional unofficial test vectors, to
+ exercise carry propagation in the counter, and block size
+ different from 16.
+
+2018-01-08 Niels Möller <nisse@lysator.liu.se>
+
+ * ctr.c (ctr_crypt16): New function, with optimizations specific
+ to 16-byte block size.
+ (ctr_fill16): New helper function, definition depending on
+ WORDS_BIGENDIAN, and little endian version requiring
+ HAVE_BUILTIN_BSWAP64.
+ (ctr_crypt): Use ctr_crypt16, when appropriate.
+
+ * nettle-types.h (union nettle_block16): Add uint64_t field.
+
+ * configure.ac: Check for __builtin_bswap64, define
+ HAVE_BUILTIN_BSWAP64 if available.
+
+ * ctr.c (ctr_fill): New function. Use in ctr_crypt.
+
+ * ctr.c (ctr_crypt): For in-place operation, increase max buffer
+ size from 4 blocks to 512 bytes, similarly to CBC and CFB.
+ Improves in-place aes128 CTR performance by 25% on x86_64.
+
+ * examples/nettle-benchmark.c (time_cipher): Benchmark in-place
+ operation separately, for cbc_decrypt and ctr_crypt.
+
+ * cbc.c (cbc_decrypt): For in-place operation (src == dst case),
+ eliminate use of src variable.
+ * cfb.c (cfb_decrypt): Likewise.
+ * gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor.
+
+2018-01-03 Niels Möller <nisse@lysator.liu.se>
+
+ * x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm
+ registers before the block loop, and completely unroll the round
+ loop.
+ * x86_64/aesni/aes-decrypt-internal.asm: Likewise.
+
+2017-11-19 Niels Möller <nisse@lysator.liu.se>
+
+ * Released nettle-3.4.
+
+2017-11-12 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac: Update check of GMP_NUMB_BITS declaration in
+ assembly files. Was broken by rename of configure variable
+ GMP_NUMB_BITS --> NUMB_BITS.
+
+2017-11-11 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers
+ and nettle_get_aeads, and replace nettle_secp_256r1 by
+ nettle_get_secp_256r1. Update version numbers. Delete ancient
+ setting of ispell-skip-region-alist as an emacs file-local
+ variable.
+
+2017-11-08 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1)
+ (nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete
+ macro wrappers, partially reverting below 2017-04-09 change. They
+ didn't work at all for applications that only see a forward
+ declaration of struct ecc_curve. Instead, we will have to make an
+ ABI and API break and delete these symbols, when the size of
+ struct ecc_curve is increased.
+
+2017-11-05 Niels Möller <nisse@lysator.liu.se>
+
+ * configure.ac Bump package version to 3.4.
+ (LIBNETTLE_MINOR): Bump library version to 6.4.
+ (LIBHOGWEED_MINOR): Bump library version to 4.4.
+
+2017-10-23 Niels Möller <nisse@lysator.liu.se>
+
+ * examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the
+ environment, to support Mac OSX shared libraries.
+ * testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise.
+
+2017-10-23 Niels Möller <nisse@lysator.liu.se>
+
+ Merge API fixes, starting at 2017-01-12.
+
+2017-04-09 Niels Möller <nisse@lysator.liu.se>
+
+ * ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1)
+ (nettle_get_secp_256r1, nettle_get_secp_384r1)
+ (nettle_get_secp_521r1): New functions, returning a pointer to
+ corresponding structure.
+ (nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1)
+ (nettle_secp_384r1, nettle_secp_521r1): Redefined as macros,
+ calling the corresponding function.
+
+ * nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New
+ macros, analogous to below change to nettle_hashes.
+
+ * nettle-meta-ciphers.c (nettle_get_ciphers): New function.
+
+ * nettle-meta-aeads.c (nettle_get_aeads): New function.
+
+ * nettle-meta-armors.c (nettle_get_armors): New function.
+
+2017-01-12 Niels Möller <nisse@lysator.liu.se>
+
+ * tools/nettle-hash.c (find_algorithm): Deleted function.
+ (main): Replaced by call to nettle_lookup_hash.
+
+ * testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash.
+
+ * nettle-meta.h (nettle_hashes): New macro, expanding to a call to
+ nettle_get_hashes. Direct access to the array causes the array
+ size to leak into the ABI, since a plain un-relocatable executable
+ linking with libnettle.so gets copy relocations for any referenced
+ data items in the shared library.
+
+ * nettle-meta-hashes.c (nettle_get_hashes): New function.
+
+2017-10-16 Niels Möller <nisse@lysator.liu.se>
+
+ CFB support, contributed by Dmitry Eremin-Solenikov.
+ * cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions.
+ * cfb.h: New header file.
+ (CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros.
+ * Makefile.in (nettle_SOURCES): Add cfb.c.
+ (HEADERS): Add cfb.h.
+ * testsuite/cfb-test.c: New test case.
+ * testsuite/testutils.c (test_cipher_cfb): New function.
+ * nettle.texinfo (CFB): Documentation.
+
+2017-10-16 Niels Möller <nisse@lysator.liu.se>
+
+ * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with
+ gcc.
+
+2017-09-27 Niels Möller <nisse@lysator.liu.se>
+
+ Merged armor-signedness branch, starting 2017-08-27.
+
+2017-09-24 Niels Möller <nisse@lysator.liu.se>
+
+ * tools/pkcs1-conv.c (base64_decode_in_place): New helper
+ function.
+ (decode_base64): Use it.
+
+ * sexp-transport-format.c (base64_encode_in_place): New helper
+ function.
+ (sexp_transport_vformat): Use it.
+
+ * testsuite/base64-test.c (test_fuzz_once): Update to use char
+ type where appropriate.
+ (test_main): Use helper functions base64_encode_in_place and
+ base64_decode_in_place (copied to this file).
+
+ * testsuite/testutils.c (tstring_data): Use uint8_t for data
+ argument.
+ * testsuite/testutils.h (SDATA): Use US macro to cast data
+ argument.
+
+2017-08-27 Niels Möller <nisse@lysator.liu.se>
+
+ * base64-encode.c (base64_encode_raw, base64_encode_group)
+ (base64_encode_single, base64_encode_update)
+ (base64_encode_final): Change type of destination to char *.
+ * base16-encode.c (base16_encode_single, base16_encode_update):
+ Likewise.
+ * base64-decode.c (base64_decode_single, base64_decode_update):
+ Change type of source argument to const char *. Update (almost)
+ all callers.
+ * base16-decode.c (base16_decode_single, base16_decode_update):
+ Likewise.
+ * nettle-types.h (nettle_armor_encode_update_func)
+ (nettle_armor_encode_final_func, nettle_armor_decode_update_func):
+ Corresponding updates to typedefs.
+
2017-09-14 Niels Möller <nisse@lysator.liu.se>
* hkdf.c: Delete unneeded includes. Use Nettle licensing notice.
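Review bot: a few wording slips in the added ChangeLog text are worth fixing before merge, since this file is shipped with releases. In the 2018-01-24 entry, "to avoid building desdata twice in a parallell build" should read "parallel", and "(clean-here): Explicitly delete of above files." should read "Explicitly delete the above files." In the 2017-11-05 entry, "* configure.ac Bump package version to 3.4." is missing the colon after the file name that every other entry uses ("* configure.ac: Bump package version to 3.4."). Separately, the 2017-11-08 entry states that the nettle_secp_*r1 macro wrappers "didn't work at all for applications that only see a forward declaration of struct ecc_curve" and that the symbols will be deleted with an ABI/API break when struct ecc_curve grows; it would help readers of this log if that entry (or the NEWS file) named the replacement accessors nettle_get_secp_*r1 introduced in the 2017-04-09 entry as the migration path, so downstream users know what to switch to before the break.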