2016-12-09  Werner Koch  <wk@gnupg.org>

	Release 1.7.4.
	* configure.ac: Bump LT version to C21/A1/R4.

	Improve handling of mlock error codes.
	* acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
	legitimate return code and does not indicate a broken mlock().
	* src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
	could have been overwritten by cap_from_text et al.

2016-12-09  Stephan Mueller  <smueller@chronox.de>

	random: Eliminate unneeded memcpy invocations in the DRBG.
	* random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
	pointer instead.
	(drbg_instantiate): Reduce size of scratchpad.
	(drbg_hmac_update): Avoid use of scratch buffers for the hash.
	(drbg_hmac_generate, drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_hash_generate): Ditto.

	random: Add performance improvements for the DRBG.
	* random/random-drbg.c (struct drbg_state_ops_s): New function
	pointers 'crypto_init' and 'crypto_fini'.
	(struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
	'ctr_null'.
	(drbg_hash_init, drbg_hash_fini): New.
	(drbg_hmac_init, drbg_hmac_setkey): New.
	(drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
	(drbg_sym_ctr): New.
	(drbg_ctr_bcc): Set the key.
	(drbg_ctr_df): Ditto.
	(drbg_hmac_update): Ditto.
	(drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
	(drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_ctr_update): Rework.
	(drbg_ctr_generate): Rework.
	(drbg_ctr_ops): Init new function pointers.
	(drbg_uninstantiate): Call fini function.
	(drbg_instantiate): Call init function.

	cipher: New function for reading the counter in CTR mode.
	* cipher/cipher.c (gcry_cipher_getctr): New.

2016-12-07  Werner Koch  <wk@gnupg.org>

	Implement overflow secmem pools for xmalloc style allocators.
	* src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
	cur_blocks.
	(cur_alloced, cur_blocks): Remove vars.
	(ptr_into_pool_p): Make it inline.
	(stats_update): Add arg pool and update the new pool specific
	counters.
	(_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
	pools as needed.
	(_gcry_secmem_malloc): Pass XHINTS along.
	(_gcry_secmem_realloc_internal): Ditto.
	(_gcry_secmem_realloc): Ditto.
	(_gcry_secmem_free_internal): Take multiple pools into account.  Add
	return value to indicate whether the arg was freed.
	(_gcry_secmem_free): Add return value to indicate whether the arg was
	freed.
	(_gcry_private_is_secure): Take multiple pools into account.
	(_gcry_secmem_term): Release all pools.
	(_gcry_secmem_dump_stats): Print stats for all pools.
	* src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
	test with a direct call of _gcry_secmem_free to avoid double checking.

	Give the secmem allocators a hint when a xmalloc calls them.
	* src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
	(_gcry_secmem_realloc): Ditto.
	* src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
	passed to the secmem functions.
	(_gcry_private_realloc): Ditto.
	* src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
	* src/global.c (do_malloc): Pass this flag as XHINT to the private
	allocator.
	(_gcry_malloc_secure): Factor code out to ...
	(_gcry_malloc_secure_core): this.  Add arg XHINT.
	(_gcry_realloc): Factor code out to ...
	(_gcry_realloc_core): here.  Add arg XHINT.
	(_gcry_strdup): Factor code out to ...
	(_gcry_strdup_core): here.  Add arg XHINT.
	(_gcry_xrealloc): Use the core function and pass true for XHINT.
	(_gcry_xmalloc_secure): Ditto.
	(_gcry_xstrdup): Ditto.

	Reorganize code in secmem.c.
	* src/secmem.c (pooldesc_t): New type to collect information about one
	pool.
	(pool_size): Remove.  Now a member of pooldesc_t.
	(pool_okay): Ditto.
	(pool_is_mmapped): Ditto.
	(pool): Rename variable ...
	(mainpool): And change type to pooldesc_t.
	(ptr_into_pool_p): Add arg 'pool'.
	(mb_get_next): Ditto.
	(mb_get_prev): Ditto.
	(mb_merge): Ditto.
	(mb_get_new): Ditto.
	(init_pool): Ditto.
	(lock_pool): Rename to ...
	(lock_pool_pages): this.
	(secmem_init): Rename to ...
	(_gcry_secmem_init_internal): this.  Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_secmem_malloc_internal): Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_private_is_secure): Ditto.
	(_gcry_secmem_term): Ditto.
	(_gcry_secmem_dump_stats): Ditto.
	(_gcry_secmem_free_internal): Ditto.  Remove check for NULL arg.
	(_gcry_secmem_free): Add check for NULL arg before taking the lock.
	(_gcry_secmem_realloc): Factor most code out to ...
	(_gcry_secmem_realloc_internal): this.

2016-11-28  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests: Add PBKDF2 tests for Stribog512.
	* tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
	additions to PKCS#5.

	tests: Add Stribog HMAC tests from TC26ALG.
	* tests/basic.c (check_mac): Add HMAC test vectors from TC26ALG document
	for Stribog.

	cipher: Add Stribog OIDs from TC26 space.
	* cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New.

2016-11-28  Justus Winter  <justus@g10code.com>

	tests: Fix memory leak.
	* tests/basic.c (check_gost28147_cipher): Free cipher handles.

2016-11-25  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Cast oid argument of gcry_cipher_set_sbox to disable compiler warning.
	* src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *).

	gost: Rename tc26 s-box from A to Z.
	* cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is
	the name that ended up in all standards.

	tests: Add test to verify GOST 28147-89 against known results.
	* tests/basic.c (check_gost28147_cipher): New test function.

2016-11-17  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	cipher/gost28147: Fix CryptoPro-B S-BOX.
	* cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
	incorrect encryption/decryption using that s-box.  Add missing data.

2016-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix IDEA cipher for clearing memory.
	* cipher/idea.c (invert_key): Use wipememory, since this kind of memset
	may be removed by compiler optimization.
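	The entry above replaces a memset of dead key material with wipememory because the compiler may remove a store whose result is never read.  The following is an added example, not code from libgcrypt: wipe_memory is modelled on the idea behind libgcrypt's wipememory (a volatile-pointer store loop) rather than copied from it, and SAMPLE_KEY, expand_and_fold and the 52-subkey layout are constructed for the demonstration, not IDEA's real schedule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The pattern the entry fixes: a key schedule is cleared with memset just
   before the buffer dies (goes out of scope or is freed).  Nothing reads it
   afterwards, so an optimising compiler may drop the memset as a dead store
   and the key material stays in memory.  Kept only to show the shape. */
void clear_naive(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);   /* compiler may elide this when buf is dead */
}

/* Volatile-pointer wipe, modelled on (not copied from) libgcrypt's
   wipememory: every store goes through a volatile lvalue, which the
   compiler must treat as an observable side effect and cannot remove. */
void wipe_memory(void *ptr, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)ptr;
    while (len--)
        *p++ = 0;
}

/* 1 if every byte of buf is zero, else 0.  OR-accumulates so the scan
   cost does not depend on where a leftover byte sits. */
int is_all_zero(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Constructed sample key (the FIPS-197 AES example key, used here only as
   16 arbitrary bytes; this is not IDEA's key schedule). */
const uint8_t SAMPLE_KEY[16] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };

/* Toy stand-in for a key-schedule step: 52 16-bit subkeys taken as a
   window cycling over the key.  Returns the XOR of all subkeys so the
   caller has a use for the schedule before wiping it. */
uint16_t expand_and_fold(const uint8_t key[16], uint16_t subkeys[52])
{
    uint16_t fold = 0;
    for (size_t i = 0; i < 52; i++) {
        size_t a = (2 * i) % 16, b = (2 * i + 1) % 16;
        subkeys[i] = (uint16_t)((key[a] << 8) | key[b]);
        fold ^= subkeys[i];
    }
    return fold;
}

/* Fold of SAMPLE_KEY; six full 8-word cycles cancel, leaving w0^w1^w2^w3. */
uint16_t sample_fold(void)
{
    uint16_t subkeys[52];
    uint16_t fold = expand_and_fold(SAMPLE_KEY, subkeys);
    wipe_memory(subkeys, sizeof subkeys);
    return fold;   /* 0xc460 */
}

/* Worked check: expand the schedule, use it, wipe it through the volatile
   path and confirm nothing is left.  Returns 1 on success, 0 otherwise. */
int demo_wipe_schedule(void)
{
    uint16_t subkeys[52];
    uint16_t fold = expand_and_fold(SAMPLE_KEY, subkeys);

    wipe_memory(subkeys, sizeof subkeys);   /* not memset(): must survive -O2 */
    return is_all_zero((const uint8_t *)subkeys, sizeof subkeys) && fold == 0xc460;
}
```

	The difference between clear_naive and wipe_memory is not visible at -O0; it is the dead-store elimination an optimiser is permitted to perform on the first that the volatile accesses in the second rule out.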

2016-10-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	GCM: Add bulk processing for ARMv8/AArch64 implementation.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.

	GCM: Add bulk processing for ARMv8/AArch32 implementation.
	* cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
	* tests/basic.c (check_digests): Print correct data length for "?"
	tests.
	(check_one_mac): Add large 1000000-byte tests, when input is "!" or
	"?".
	(check_mac): Add "?" test vectors for HMAC, CMAC, GMAC and POLY1305.

2016-09-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Twofish.
	* cipher/Makefile.am: Add 'twofish-aarch64.S'.
	* cipher/twofish-aarch64.S: New.
	* cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.

2016-09-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Camellia.
	* cipher/Makefile.am: Add 'camellia-aarch64.S'.
	* cipher/camellia-aarch64.S: New.
	* cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
	size to zero.
	* cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of AES.
	* cipher/Makefile.am: Add 'rijndael-armv8-aarch64-ce.S'.
	* cipher/rijndael-armv8-aarch64-ce.S: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
	* configure.ac: Add 'rijndael-armv8-aarch64-ce.lo' and
	'rijndael-armv8-ce.lo' for ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of GCM.
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: New.
	* cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
	ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-256.
	* cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
	* cipher/sha256-armv8-aarch64-ce.S: New.
	* cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
	section.
	* cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
	'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-1.
	* cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
	* cipher/sha1-armv8-aarch64-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.

2016-09-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AArch64 assembly implementation of AES.
	* cipher/Makefile.am: Add 'rijndael-aarch64.S'.
	* cipher/rijndael-aarch64.S: New.
	* cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
	[host=aarch64]: Add 'rijndael-aarch64.lo'.

2016-08-17  Werner Koch  <wk@gnupg.org>

	Release 1.7.3.
	* configure.ac: Set LT version to C21/A1/R3.

	random: Hash continuous areas in the csprng pool.
	* random/random-csprng.c (mix_pool): Store the first hash at the end
	of the pool.

	random: Improve the diagram showing the random mixing.
	* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.

2016-07-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	crc-intel-pclmul: split assembly block to ease register pressure.
	* cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
	assembly block handling 4 byte input into multiple blocks.

	rijndael-aesni: split assembly block to ease register pressure.
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
	constraint for passing 'bige_addb' to assembly block; split
	first inline assembly block into two parts.

2016-07-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARMv8/AArch32 Crypto Extension implementation of AES.
	* cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
	'rijndael-armv8-aarch32-ce.S'.
	* cipher/rijndael-armv8-aarch32-ce.S: New.
	* cipher/rijndael-armv8-ce.c: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): New.
	(RIJNDAEL_context_s): Add 'use_arm_ce'.
	* cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
	(_gcry_aes_armv8_ce_prepare_decryption)
	(_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
	(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
	(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
	(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
	(_gcry_aes_armv8_ce_ocb_auth): New.
	(do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
	setup for ARM CE.
	(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
	ARM CE support.
	* configure.ac: Add 'rijndael-armv8-ce.lo' and
	'rijndael-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of GCM.
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
	* cipher/cipher-gcm-armv8-aarch32-ce.S: New.
	* cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
	(_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
	(ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
	(setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
	HWF_ARM_PMULL HW feature flag is enabled.
	* cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.

	Add ARMv8/AArch32 Crypto Extension implementation of SHA-256.
	* cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
	* cipher/sha256-armv8-aarch32-ce.S: New.
	* cipher/sha256.c (USE_ARM_CE): New.
	(sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports.
	(SHA256_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of SHA-1.
	* cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
	* cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
	missing size.
	* cipher/sha1-armv8-aarch32-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): New.
	(sha1_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
	it.
	* cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.

	Add HW feature check for ARMv8 AArch64 and crypto extensions.
	* configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
	module on 64-bit ARM.
	(armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
	(gcry_cv_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto): New.
	* src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
	(HWF_ARM_PMULL): New.
	* src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
	(feature_map_s): New.
	[__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
	(HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
	[__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
	(HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
	(get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv to use
	'unsigned long'.
	(detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
	(detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
	(_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
	* src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
	and 'arm-pmull'.

2016-07-14  Werner Koch  <wk@gnupg.org>

	Release 1.7.2.
	* configure.ac: Set LT version to C21/A1/R2.
	* Makefile.am (distcheck-hook): New.

2016-07-13  Werner Koch  <wk@gnupg.org>

	build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
	* build-aux/config.guess: Update.
	* build-aux/config.sub: Update.

2016-07-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON.
	* cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
	(UNALIGNED_LDMIA4): New.
	(_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
	ldm/stm instructions directly.
	* cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
	(UNALIGNED_LDMIA4): New.
	(_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
	(_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
	of ldm instruction directly.

2016-07-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: add unaligned buffer mode.
	* tests/bench-slope.c (unaligned_mode): New.
	(do_slope_benchmark): Unalign buffer if unaligned mode is enabled.
	(print_help, main): Add '--unaligned' parameter.

2016-07-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix static build.
	* tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.

2016-06-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disallow encryption/decryption if key is not set.
	* cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
	NONE, make sure that key is set.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
	'marks.key' when resetting state.

	Avoid unaligned accesses with ARM ldm/stm instructions.
	* cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
	compile with unaligned load/store code paths.
	* cipher/sha512-arm.S: Ditto.

	Fix non-PIC reference in PIC for poly1305/ARMv7-NEON.
	* cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
	(_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.

	Fix wrong CPU feature #ifdef for SHA1/AVX.
	* cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
	HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.

2016-06-30  Werner Koch  <wk@gnupg.org>

	random: Remove debug message about not supported getrandom syscall.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
	for getrandom error ENOSYS.

2016-06-27  Werner Koch  <wk@gnupg.org>

	tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
	* tests/benchmark.c (md_bench): Do not test variable length algos
	with gcry_md_hash_buffer.

	md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
	* cipher/md.c (md_read): Detect missing read function.
	(_gcry_md_hash_buffers): Return an error.

2016-06-25  Werner Koch  <wk@gnupg.org>

	ecc: Fix memory leak.
	* cipher/ecc.c (ecc_check_secret_key): Do not init point if already
	set.

	doc: Update yat2m.
	* doc/yat2m.c: Update from Libgpg-error.

	tests: Add attributes to helper functions.
	* tests/t-common.h (die, fail, info): Add attributes.
	* tests/random.c (die, inf): Ditto.
	* tests/pubkey.c (die, fail, info): Add attributes.
	* tests/fipsdrv.c (die): Add attribute.
	(main): Take care of missing --key,--iv,--dt options.

	Improve robustness and help lint.
	* cipher/rsa.c (rsa_encrypt): Check for !DATA.
	* cipher/md.c (search_oid): Check early for !OID.
	(md_copy): Use gpg_err_code_from_syserror.  Replace chains of if(!err)
	tests.
	* cipher/cipher.c (search_oid): Check early for !OID.
	* src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
	* mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
	analyzers.

	cipher: Improve fatal error message for bad use of gcry_md_read.
	* cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.

2016-06-16  Niibe Yutaka  <gniibe@fsij.org>

	ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
	* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
	(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
	cofactor as 1, when not specified.

2016-06-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.1.

	doc: Describe envvars.
	* doc/gcrypt.texi: Add chapter Configuration.

	random: Change names of debug envvars.
	* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
	GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
	* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
	GCRYPT_RNDW32_NOPERF.

2016-06-14  Werner Koch  <wk@gnupg.org>

	cipher: Assign OIDs to the Serpent cipher.
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New.  Add them to the specs below.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

2016-06-08  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): New.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

	Fix gcc portability on Solaris 9 SPARC boxes.
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-06-08  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	compiler supports PCLMUL *and* SSE4.1.
	* cipher/crc.c: Ditto.
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-06-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-06-08  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-06-03  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): New.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

2016-06-02  Werner Koch  <wk@gnupg.org>

	Fix gcc portability on Solaris 9 SPARC boxes.
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-05-28  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	compiler supports PCLMUL *and* SSE4.1.
	* cipher/crc.c: Ditto.
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-04-26  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-04-19  Werner Koch  <wk@gnupg.org>

	asm fix for older gcc versions.
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

2016-04-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.0.

2016-04-14  Werner Koch  <wk@gnupg.org>

	tests: Add test vectors for 256 GiB test of SHA3-256.
	* tests/hashtest.c: Add new test vectors.

2016-04-14  Justus Winter  <justus@g10code.com>

	src: Improve S-expression parsing.
	* src/sexp.c (do_vsexp_sscan): Return an error if a closing
	parenthesis is encountered with no matching opening parenthesis.
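	The entry above makes the S-expression scanner reject a closing parenthesis that has no matching opening one.  The following is an added example, not libgcrypt's sexp.c: a small validator for canonical S-expressions (parenthesised lists and "length:bytes" atoms) that tracks nesting depth, returns a distinct code for the unmatched-close case, and also catches input that ends inside a list or an atom body.  The SEXP_* codes, the SEXP_MAX_DEPTH bound and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes; constructed for this example, not libgcrypt's gpg_err_code_t. */
enum {
    SEXP_OK = 0,
    SEXP_ERR_UNMATCHED_CLOSE = 1,   /* ')' with no open list: the case the entry fixes */
    SEXP_ERR_UNTERMINATED = 2,      /* input ended inside a list or an atom body */
    SEXP_ERR_BAD_ATOM = 3,          /* atom without "len:" prefix, or length overflow */
    SEXP_ERR_TOO_DEEP = 4,          /* nesting beyond SEXP_MAX_DEPTH */
    SEXP_ERR_EMPTY = 5,             /* no expression at all */
    SEXP_ERR_TRAILING = 6           /* strict mode: bytes left after the expression */
};

#define SEXP_MAX_DEPTH 64

/* Validate one canonical S-expression (Rivest form: lists in parentheses,
   atoms as "<decimal length>:<bytes>").  Returns SEXP_OK and the number of
   bytes it covers in *consumed, or an error code. */
int canon_sexp_check(const unsigned char *buf, size_t len, size_t *consumed)
{
    size_t i = 0, depth = 0;

    if (len == 0)
        return SEXP_ERR_EMPTY;

    for (;;) {
        if (i >= len)                        /* ran out before the expression closed */
            return SEXP_ERR_UNTERMINATED;
        unsigned char c = buf[i];
        if (c == '(') {
            if (++depth > SEXP_MAX_DEPTH)
                return SEXP_ERR_TOO_DEEP;
            i++;
        } else if (c == ')') {
            if (depth == 0)                  /* close with no matching open */
                return SEXP_ERR_UNMATCHED_CLOSE;
            depth--;
            i++;
            if (depth == 0)                  /* top-level list complete */
                break;
        } else if (c >= '0' && c <= '9') {
            size_t n = 0;
            while (i < len && buf[i] >= '0' && buf[i] <= '9') {
                if (n > (SIZE_MAX - 9) / 10)  /* decimal length would overflow */
                    return SEXP_ERR_BAD_ATOM;
                n = n * 10 + (size_t)(buf[i] - '0');
                i++;
            }
            if (i >= len || buf[i] != ':')
                return SEXP_ERR_BAD_ATOM;
            i++;
            if (n > len - i)                 /* declared body runs past the input */
                return SEXP_ERR_UNTERMINATED;
            i += n;                          /* atom bytes are opaque; skip them */
            if (depth == 0)                  /* bare top-level atom */
                break;
        } else {
            return SEXP_ERR_BAD_ATOM;        /* only canonical encoding is accepted */
        }
    }
    if (consumed)
        *consumed = i;
    return SEXP_OK;
}

/* Convenience wrapper over NUL-terminated sample input. */
int canon_sexp_check_str(const char *s)
{
    return canon_sexp_check((const unsigned char *)s, strlen(s), NULL);
}

/* Bytes covered by the first expression in s, or 0 on any error. */
size_t canon_sexp_len(const char *s)
{
    size_t n = 0;
    return canon_sexp_check((const unsigned char *)s, strlen(s), &n) == SEXP_OK ? n : 0;
}

/* Strict variant: the whole buffer must be exactly one expression, so a
   stray ')' after a complete expression is reported too. */
int canon_sexp_check_strict(const char *s)
{
    size_t n = 0, len = strlen(s);
    int rc = canon_sexp_check((const unsigned char *)s, len, &n);
    if (rc != SEXP_OK)
        return rc;
    return n == len ? SEXP_OK : SEXP_ERR_TRAILING;
}
```

	Two different length checks matter here: the depth counter catches ")" at depth zero before anything else is read, and "n > len - i" catches an atom whose declared length exceeds the remaining input, which otherwise becomes an over-read of the caller's buffer.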

2016-04-14  Werner Koch  <wk@gnupg.org>

	cipher: Add constant for 8 bit CFB mode.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
	* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.

	tests: Add a new test for S-expressions.
	* tests/t-sexp.c (compare_to_canon): New.
	(back_and_forth_one): Add another test.

2016-04-13  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix corner cases for X25519.
	* cipher/ecc.c (ecc_encrypt_raw): For invalid input, return
	GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
	it's not an error, so let it return 0.
	(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
	X25519, not by the name of the curve.
	(ecc_decrypt_raw): For invalid input, return GPG_ERR_INV_DATA instead
	of aborting with log_fatal.  For X25519, it's not an error by its
	definition, but we deliberately let it return the error to detect
	looks-like-encrypted-message.
	* tests/t-cv25519.c: Add points to record the issue.

2016-04-12  Werner Koch  <wk@gnupg.org>

	cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
	aad_leftover and aad_nleftover to u_mode.ocb.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
	aad_nleftover.
	(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
	to ...
	(ocb_aad_finalize): New.
	(compute_tag_if_needed): Call new function.
	* tests/basic.c (check_ocb_cipher_splitaad): New.
	(check_ocb_cipher): Call new function.
	(main): Also call check_cipher_modes with --cipher-modes.

2016-04-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix X25519 computation on Curve25519.
	* cipher/ecc.c (ecc_encrypt_raw): Tweak the bits when
	PUBKEY_FLAG_DJB_TWEAK is enabled.
	(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
	* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

	ecc: Fix initialization of EC context.
	* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
	(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialization
	by _gcry_mpi_ec_p_internal_new should carry FLAGS.

2016-04-06  Werner Koch  <wk@gnupg.org>

	Allow building with configure option --enable-hmac-binary-check.
	* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
	* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
	* src/hmac256.c (main): Add option --stdkey.

2016-04-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Positive values in computation.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
	coefficients A and B are positive.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
	"P - T" instead of "-T", so that the result will be positive.
	(_gcry_ecc_eddsa_verify): Likewise.
	* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
	instead of _gcry_ecc_update_curve_param.
	* mpi/ec.c (ec_subm): Make sure the result will be positive.
	(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
	mpi_sub instead of mpi_neg.
	(add_points_edwards): Simply use ec_addm.
	* tests/t-mpi-point.c (test_curve): Define curves with positive
	coefficients.

2016-04-01  Werner Koch  <wk@gnupg.org>

	mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
	* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
	(mpi_fromstr): Check against this limit.
	(_gcry_mpi_scan): Ditto.
	* tests/mpitests.c (test_maxsize): New.
	(main): Call that test.

2016-03-31  Werner Koch  <wk@gnupg.org>

	cipher: Remove specialized rmd160 functions.
	* cipher/rmd160.c: Replace rmd.h by hash-common.h.
	(RMD160_CONTEXT): Move from rmd.h to here.
	(_gcry_rmd160_init): Remove.
	(_gcry_rmd160_mixblock): Remove.
	(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
	* cipher/md.c: Remove rmd.h which was not actually used.
	* cipher/rmd.h: Remove.
	* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
	* configure.ac (USE_RMD160): Allow to build without RMD160.

	random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
	* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
	(_gcry_sha1_mixblock): New.
	* random/random-csprng.c: Include sha1.h instead of rmd.h.
	(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

	cipher: Move sha1 context definition to a separate file.
	* cipher/sha1.c: Replace hash-common.h by sha1.h.
	(SHA1_CONTEXT): Move to ...
	* cipher/sha1.h: New.  Always include all flags.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.

2016-03-29  Werner Koch  <wk@gnupg.org>

	tests: Fix buffer overflow in bench-slope.
	* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
	strncat.

2016-03-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: GCM: check that length of supplied tag is one of valid lengths.
	* cipher/cipher-gcm.c (is_tag_length_valid): New.
	(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
	* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
	valid tag lengths and negative test vectors with invalid lengths.

2016-03-24  Peter Wu  <peter@lekensteyn.nl>

	cipher: Fix memleaks in (self)tests.
	* cipher/dsa.c: Release memory for MPI and sexp structures.
	* cipher/ecc.c: Release memory for sexp structure.
	* tests/keygen.c: Likewise.

	Mark constant MPIs as non-leaked.
	* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.

2016-03-23  Werner Koch  <wk@gnupg.org>

	Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
	* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
	* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

	* tests/basic.c (_check_gcm_cipher): Check that new feature.
	(_check_poly1305_cipher): Ditto.
	(check_ccm_cipher): Ditto.
	(do_check_ocb_cipher): Ditto.
	(check_ctr_cipher): Add negative test for new feature.

	cipher: Avoid NULL-segv in GCM mode if a key has not been set.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
	has been initialized.
	(_gcry_cipher_gcm_decrypt): Ditto.
	(_gcry_cipher_gcm_authenticate): Ditto.
	(_gcry_cipher_gcm_initiv): Ditto.
	(_gcry_cipher_gcm_tag): Ditto.

	cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
	provided tag length matches the actual tag length.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for Poly1305.
	* cipher/cipher-poly1305.c: Copy a fixed length instead of the
	user-supplied number.

2016-03-23  Werner Koch  <wk@gnupg.org>

	cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
	tag length matches the actual tag length.  Avoid gratuitous return
	statements.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for GCM.
	* cipher/cipher-gcm.c: Copy a fixed length instead of the user-supplied
	number.
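	The entries above (the Poly1305 and GCM gettag overruns, the tag-length checks in _gcry_cipher_gcm_tag and _gcry_cipher_poly1305_tag, and the GCM valid-tag-length check from 2016-03-27) all turn on the same rule: the mode's own tag length drives every copy and comparison, never a length supplied by the caller.  The following is an added example, not libgcrypt code: tag_state_t, the TAG_* codes, gettag_before/gettag_after and the demo_* functions are constructed for this illustration; the permitted GCM tag sizes are those of NIST SP 800-38D.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes and state layout are constructed for this example; they are
   not libgcrypt's gcry_cipher_hd_t or its error values. */
enum { TAG_OK = 0, TAG_ERR_INV_LENGTH = 1, TAG_ERR_CHECKSUM = 2 };

#define TAG_BUF_LEN 16   /* full GHASH / Poly1305 output, in bytes */

typedef struct {
    uint8_t tag[TAG_BUF_LEN];   /* tag computed by the mode, always 16 bytes */
    size_t taglen;              /* tag length configured for this handle */
} tag_state_t;

/* Tag sizes NIST SP 800-38D permits for GCM: 128, 120, 112, 104, 96, 64, 32 bits. */
int is_tag_length_valid(size_t taglen_bytes)
{
    switch (taglen_bytes) {
    case 16: case 15: case 14: case 13: case 12: case 8: case 4:
        return 1;
    default:
        return 0;
    }
}

/* Before the fix: the caller's outbuflen decides how many bytes leave the
   fixed 16-byte tag buffer, so anything above TAG_BUF_LEN reads past it.
   Shown for recognition only; the worked checks below never call it. */
int gettag_before(const tag_state_t *st, uint8_t *outbuf, size_t outbuflen)
{
    memcpy(outbuf, st->tag, outbuflen);   /* BUG: length comes from the caller */
    return TAG_OK;
}

/* After the fix: the copy length is the state's own tag length, and the
   caller's buffer must be exactly that long; a shorter or longer request
   is an error rather than a partial or over-read tag. */
int gettag_after(const tag_state_t *st, uint8_t *outbuf, size_t outbuflen)
{
    if (!is_tag_length_valid(st->taglen) || outbuflen != st->taglen)
        return TAG_ERR_INV_LENGTH;
    memcpy(outbuf, st->tag, st->taglen);
    return TAG_OK;
}

/* checktag with the same rule: a wrong-length tag is rejected before any
   byte is compared, and the comparison itself does not short-circuit. */
int checktag_after(const tag_state_t *st, const uint8_t *intag, size_t intaglen)
{
    uint8_t diff = 0;
    if (intaglen != st->taglen)
        return TAG_ERR_INV_LENGTH;
    for (size_t i = 0; i < st->taglen; i++)
        diff |= st->tag[i] ^ intag[i];
    return diff ? TAG_ERR_CHECKSUM : TAG_OK;
}

/* Constructed sample state: tag bytes 0x00..0x0f, configured as a 96-bit tag. */
static void sample_state(tag_state_t *st)
{
    for (size_t i = 0; i < TAG_BUF_LEN; i++)
        st->tag[i] = (uint8_t)i;
    st->taglen = 12;
}

/* Worked checks.  Each returns the code the hardened path produced, or -1
   if the side effects were not what the fix promises. */
int demo_gettag_exact(void)        /* 12-byte buffer for a 12-byte tag -> TAG_OK */
{
    tag_state_t st; uint8_t out[12];
    sample_state(&st);
    int rc = gettag_after(&st, out, sizeof out);
    return (rc == TAG_OK && out[0] == 0x00 && out[11] == 0x0b) ? rc : -1;
}

int demo_gettag_oversized(void)    /* 32-byte request -> rejected, buffer untouched */
{
    tag_state_t st; uint8_t out[32];
    memset(out, 0xee, sizeof out);
    sample_state(&st);
    int rc = gettag_after(&st, out, sizeof out);
    return (rc == TAG_ERR_INV_LENGTH && out[0] == 0xee) ? rc : -1;
}

int demo_checktag_good(void)       /* matching 12 bytes -> TAG_OK */
{
    tag_state_t st; uint8_t in[12];
    sample_state(&st);
    memcpy(in, st.tag, sizeof in);
    return checktag_after(&st, in, sizeof in);
}

int demo_checktag_flipped(void)    /* one bit wrong -> TAG_ERR_CHECKSUM */
{
    tag_state_t st; uint8_t in[12];
    sample_state(&st);
    memcpy(in, st.tag, sizeof in);
    in[5] ^= 0x01;
    return checktag_after(&st, in, sizeof in);
}

int demo_checktag_short(void)      /* 8 bytes against a 12-byte tag -> TAG_ERR_INV_LENGTH */
{
    tag_state_t st;
    sample_state(&st);
    return checktag_after(&st, st.tag, 8);   /* correct prefix, still rejected */
}
```

	Rejecting a mismatched length in checktag matters as much as the copy fix: if a shorter tag were compared as a prefix, an attacker's work to forge it would drop from the configured tag size to the shorter length offered.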

2016-03-22  Werner Koch  <wk@gnupg.org>

	tests: Add option --fips to keygen for manual tests.
	* tests/keygen.c (main): Add option --fips.
	(check_rsa_keys): Create a 2048 bit key with e=65539
	because that is valid in FIPS mode.  Check that key generation fails
	for too short keys in FIPS mode.
	(check_ecc_keys): Check that key generation fails for Ed25519 keys in
	FIPS mode.

2016-03-22  Tomáš Mráz  <tmraz@redhat.com>

	rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
	* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
	* cipher/rsa.c (generate_fips): New.
	(rsa_generate): Use new function in fips mode or with test-parms.

	* tests/keygen.c (check_rsa_keys): Add test using e=65539.

2016-03-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARM NEON support detection on ARMv6 target.
	* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
	instead of '.thumb'.

2016-03-18  Werner Koch  <wk@gnupg.org>

	Always require a 64 bit integer type.
	* configure.ac (available_digests_64): Merge with available_digests.
	(available_kdfs_64): Merge with available_kdfs.
	<64 bit datatype test>: Bail out if no such type is available.
	* src/types.h: Emit #error if no u64 can be defined.
	(PROPERLY_ALIGNED_TYPE): Always add u64 type.
	* cipher/bithelp.h: Remove all code paths which handle the
	case of !HAVE_U64_TYPEDEF.
	* cipher/bufhelp.h: Ditto.
	* cipher/cipher-ccm.c: Ditto.
	* cipher/cipher-gcm.c: Ditto.
	* cipher/cipher-internal.h: Ditto.
	* cipher/cipher.c: Ditto.
	* cipher/hash-common.h: Ditto.
	* cipher/md.c: Ditto.
	* cipher/poly1305.c: Ditto.
	* cipher/scrypt.c: Ditto.
	* cipher/tiger.c: Ditto.
	* src/g10lib.h: Ditto.
	* tests/basic.c: Ditto.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	tests: Fix testsuite after the FIPS adjustments.
	* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
	* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
	* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
	(check_ecc_keys): Skip Ed25519 in FIPS mode.
	* tests/random.c (main): Don't switch DRBG in FIPS mode.
	* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
	* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
	* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
	(main): Skip math tests that use P-192 and Ed25519 in FIPS.

	tests: Add new --pss option to fipsdrv.
	* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
	to 0 for PSS.

	cipher: Add option to specify salt length for PSS verification.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
	salt-length token.

	tests: Add support for RSA keygen tests to fipsdrv.
	* tests/fipsdrv.c (run_rsa_keygen): New.
	(main): Support RSA keygen and RSA keygen KAT tests.

	tests: Fixes for RSA testsuite in FIPS mode.
	* tests/basic.c (get_keys_new): Generate 2048 bit key.
	* tests/benchmark.c (rsa_bench): Skip keys of lengths different
	than 2048 and 3072 in FIPS mode.
	* tests/keygen.c (check_rsa_keys): Failure if short keys can be
	generated in FIPS mode.
	(check_dsa_keys): Ditto for DSA keys.
	* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.

	rsa: Use 2048 bit RSA keys for selftest.
	* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
	(selftest_encr_1024): Replaced by selftest_encr_2048.
	(selftest_sign_1024): Replaced by selftest_sign_2048.
	(selftest_encr_2048): Add check against known ciphertext.
	(selftest_sign_2048): Add check against known signature.
	(selftest_sign_2048): Free SIG_MPI.
	* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.

	Disable non-allowed algorithms in FIPS mode.
	* cipher/cipher.c (_gcry_cipher_init),
	* cipher/mac.c (_gcry_mac_init),
	* cipher/md.c (_gcry_md_init),
	* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
	non-allowed ciphers.
	* cipher/md5.c: Mark MD5 as not allowed in FIPS.
	* src/g10lib.h (_gcry_mac_init): New.
	* src/global.c (global_init): Call the new _gcry_mac_init.
	* tests/basic.c (check_ciphers): Fix a typo.

2016-03-18  Werner Koch  <wk@gnupg.org>

	kdf: Make PBKDF2 check work on all platforms.
	* cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	kdf: Add upper bound for derived key length in PBKDF2.
	* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.

	ecc: ECDSA adjustments for FIPS 186-4.
	* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
	* cipher/ecc.c: Add ECDSA self test.
	* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
	in FIPS mode.
	* tests/fipsdrv.c: Add support for ECDSA signatures.

2016-03-18  Werner Koch  <wk@gnupg.org>

	dsa: Make regression tests work.
	* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
	(ogenerate_fips186): Make it work with use-fips183-2 flag.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
	standard comment out format.
	* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
	(main): Call it.
	(main): Compare against current version.
	* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
	(get_dsa_key_fips186_with_seed_new): Ditto.
	(get_dsa_key_fips186_with_domain_new): Comment out.
	(check_run): Do not call that function.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	dsa: Adjustments to conform with FIPS 186-4.
	* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
	  buflen passed to _gcry_mpi_scan.

2016-03-16  Justus Winter  <justus@g10code.com>

	Update documentation for 'gcry_sexp_extract_param'.
	* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
	must be set to NULL first, and document how the function behaves in
	case of errors.
	* src/sexp.c (_gcry_sexp_extract_param): Likewise.
	* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
	'_gcry_sexp_extract_param'.

	cipher: Update comment.
	* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
	that a curve parameter can be given.

2016-03-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel PCLMUL implementations of CRC algorithms.
	* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
	* cipher/crc-intel-pclmul.c: New.
	* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
	(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
	[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
	(gcry_crc24rfc2440_intel_pclmul): New.
	(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
	[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
	HW features detected.
	(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
	implementation if enabled.
	(crc24_init): Document storage format of 24-bit CRC.
	(crc24_next4): Use only 'data' for last table look-up.
	* configure.ac: Add 'crc-intel-pclmul.lo'.
	* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
	Intel SSE4.1.
	* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
	* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
	* tests/basic.c (fillbuf_count): New.
	(check_one_md): Add "?" check (million byte data-set with byte pattern
	0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
	checks.
	(check_one_md_multi): Skip "?".
	(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
	SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
	CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
	test-vectors for CRC32_RFC1510 and CRC24_RFC2440.

2016-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Normalize EXPO for mpi_powm.
	* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

2016-02-22  Andreas Metzler  <ametzler@bebt.de>

	Do not ship generated header file in tarball.
	* src/Makefile.am: Move gcrypt.h from include_HEADERS to
	  nodist_include_HEADERS to prevent inclusion in release tarball.
	  This could break out-of-tree-builds because the potentially outdated
	  src/gcrypt.h was not updated but was in the compiler search path.

2016-02-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building random-drbg for Win32/64.
	* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
	(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
	(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
	(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
	(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
	(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
	'drbg_read_cb' and 'len'.

2016-02-20  Werner Koch  <wk@gnupg.org>

	tests: Do not test DRBG_REINIT from "make check"
	* tests/random.c (main): Run check_drbg_reinit only if the envvar
	GCRYPT_IN_REGRESSION_TEST is set.

	doc: Fix possible dependency problem.
	* doc/Makefile.am (gcrypt.texi): Use the right target.

2016-02-19  Stephan Mueller  <smueller@chronox.de>

	random: Remove ANSI X9.31 DRNG.
	* random-fips.c: Remove.

2016-02-19  Werner Koch  <wk@gnupg.org>

	random: Add a test case for DRBG_REINIT.
	* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
	* tests/random.c (check_drbg_reinit): New.
	(main): Call new test.

	random: Allow DRBG_REINIT before initialization.
	* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
	(_drbg_init_internal): Set the default type if no type has been set
	before.
	(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.

	Add new private header gcrypt-testapi.h.
	* src/gcrypt-testapi.h: New.
	* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
	* random/random.h: Include gcrypt-testapi.h.
	(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
	* src/global.c: Include gcrypt-testapi.h.
	(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
	* cipher/cipher.c: Include gcrypt-testapi.h.
	(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
	* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
	PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
	constants.
	* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
	PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

	* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
	(_gcry_rngdrbg_cavs_test): this.
	(gcry_rngdrbg_healthcheck_one): Rename to ...
	(_gcry_rngdrbg_healthcheck_one): this.

	random: Make the DRBG C-90 clean and use a flag string.
	* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
	"flagstr" and turn it into a string.
	* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
	designated initializers.  Use a string for the flags.
	(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
	(drbg_healthcheck_sanity): Ditto.

	random: Symbol name cleanup for random-drbg.c.
	* random/random-drbg.c: Rename all static objects and macros from
	"gcry_drbg" to "drbg".
	(drbg_string_t): New typedef.
	(drbg_gen_t): New typedef.
	(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
	this.
	(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
	that an error is actually returned.
	(gcry_rngdrbg_cavs_test): Ditto.
	(gcry_drbg_healthcheck_sanity): Ditto.

	random: Use our symbol name pattern also for drbg functions.
	* random/random-drbg.c: Rename global functions from _gcry_drbg_*
	to _gcry_rngdrbg_*.
	* random/random.c: Adjust for this change.
	* src/global.c: Ditto.

	random: Rename drbg.c to random-drbg.c.
	* random/drbg.c: Rename to ...
	* random/random-drbg.c: this.
	* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.

	random: Remove the new API introduced by the new DRBG.
	* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
	(struct gcry_drbg_string): Ditto.
	(gcry_drbg_string_fill): Ditto.
	(gcry_randomize_drbg): Remove.
	* random/drbg.c (parse_flag_string): New.
	(_gcry_drbg_reinit): Change the way the arguments are passed.
	* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
	convention.

	Add helper function _gcry_strtokenize.
	* src/misc.c (_gcry_strtokenize): New.

2016-02-18  Werner Koch  <wk@gnupg.org>

	random: Remove DRBG constants from the public API.
	* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
	* random/drbg.c: here.

2016-02-18  Stephan Mueller  <smueller@chronox.de>

	random: Add SP800-90A DRBG.
	* random/drbg.c: New.
	* random/random.c (_gcry_random_initialize): Replace rngfips init by
	drbg init.
	(__gcry_random_close_fds): Likewise.
	(_gcry_random_dump_stats): Likewise.
	(_gcry_random_is_faked): Likewise.
	(do_randomize): Likewise.
	(_gcry_random_selftest): Likewise.
	(_gcry_create_nonce): Replace rngfips_create_noce by drbg_randomize.
	(_gcry_random_init_external_test): Remove.
	(_gcry_random_run_external_test): Remove.
	(_gcry_random_deinit_external_test): Remove.
	* random/random.h (struct gcry_drbg_test_vector): New.
	* src/gcrypt.h.in (struct gcry_drbg_gen): New.
	(struct gcry_drbg_string): New.
	(gcry_drbg_string_fill): New.
	(gcry_randomize_drbg): New.
	(GCRY_DRBG_): Lots of new macros.
	* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
	a nop.
	(_gcry_vcontrol) <Deinit external random test>: Ditto.
	(_gcry_vcontrol) <Run external random test>: Change.
	(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.

2016-02-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bufhelp: disable unaligned memory accesses on powerpc.
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
	__powerpc__ and __powerpc64__.

2016-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Not validate input point for Curve25519.
	* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.

2016-02-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix memory leaks on error.
	* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.

2016-02-09  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: input validation on ECDH.
	* cipher/ecc.c (ecc_decrypt_raw): Validate the point.

2016-02-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARM assembly implementation of SHA-512.
	* cipher/Makefile.am: Add 'sha512-arm.S'.
	* cipher/sha512-arm.S: New.
	* cipher/sha512.c (USE_ARM_ASM): New.
	(_gcry_sha512_transform_arm): New.
	(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
	generic.
	* configure.ac: Add 'sha512-arm.lo'.

2016-02-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add a test for Curve25519.
	* tests/Makefile.am (tests_bin): Add t-cv25519.
	* tests/t-cv25519.c: New.

2016-02-02  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Curve25519 for data by older implementation.
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
	short length data.

	ecc: more fix of Curve25519.
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
	prefix.  Clear the MSB, according to RFC7748.

	ecc: Fix ECDH of Curve25519.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
	and prefix detection.
	* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
	(ecc_encrypt_raw): Use NBITS from curve instead of from P.
	Fix rawmpilen calculation.
	(ecc_decrypt_raw): Likewise.  Add debug output.

2016-01-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of generic SHA256 implementation.
	* cipher/sha256.c (R): Let caller do variable shuffling.
	(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
	(W, I): New.
	(transform_blk): Unroll round loop; inline message expansion to rounds
	to make message expansion buffer smaller.

2016-01-28  Werner Koch  <wk@gnupg.org>

	ecc: New API function gcry_mpi_ec_decode_point.
	* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
	* cipher/ecc-common.h: Move two prototypes to ...
	* src/ec-context.h: here.
	* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
	* src/visibility.c (gcry_mpi_ec_decode_point): New.
	* src/visibility.h: Add new function.

2016-01-15  Werner Koch  <wk@gnupg.org>

	Fix build problem for rndegd.c.
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
	* random/rndegd.c (_gcry_rndegd_connect_socket)
	(my_make_filename): Use functions with '_' prefix.

	random: Fix possible AIX problem with sysconf in rndunix.
	* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
	(start_gatherer): Detect misbehaving sysconf.

2015-12-27  Werner Koch  <wk@gnupg.org>

	random: Take at max 25% from RDRAND.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
	RDRAND from 50% to 25%.

2015-12-07  Justus Winter  <justus@g10code.com>

	cipher: Improve error handling.
	* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.

	cipher: Initialize 'flags'.
	* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.

2015-12-05  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: CHANGE point representation of Curve25519.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
	the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
	by MPI normalization.
	* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
	Always add the prefix 0x40.

2015-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: fix alignment of self-test context.
	* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
	context structure.

	salsa20: fix alignment of self-test context.
	* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
	context structure.

2015-12-02  Justus Winter  <justus@g10code.com>

	random: Drop fake entropy gathering function.
	* random/random-csprng.c (faked_rng): Drop variable.
	(gather_faked): Drop prototype and function.
	(initialize): Drop fallback code.
	(_gcry_rngcsprng_is_faked): Change accordingly.

	random: Fix selection of entropy gathering function.
	* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
	usable entropy gathering function is found.  The callsite then
	installs the fake gather function.

2015-11-26  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: minor improvement of point multiplication.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.

2015-11-25  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Constant-time multiplication for Weierstrass curve.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
	method for Weierstrass curve when SCALAR is secure.

	mpi: fix gcry_mpi_swap_cond.
	* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.

	mpi: Fix mpi_set_cond and mpi_swap_cond.
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
	the operator of !!, but assume SET/SWAP is 0 or 1.

	ecc: multiplication of Edwards curve to be constant-time.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.

	ecc: Add point_resize and point_swap_cond.
	* mpi/ec.c (point_resize, point_swap_cond): New.
	(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.

2015-11-18  Justus Winter  <justus@g10code.com>

	cipher: Fix error handling.
	* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.

2015-11-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tweak Keccak for small speed-up.
	* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
	rounds with round constant pointer instead of separate round counter.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
	(KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
	absorb loops.

	Update license information for CRC.
	* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
	for 'cipher/crc.c' as result of rewrite of CRC implementations.

2015-11-17  Justus Winter  <justus@g10code.com>

	Fix typos found using codespell.
	* cipher/cipher-ocb.c: Fix typos.
	* cipher/des.c: Likewise.
	* cipher/dsa-common.c: Likewise.
	* cipher/ecc.c: Likewise.
	* cipher/pubkey.c: Likewise.
	* cipher/rsa-common.c: Likewise.
	* cipher/scrypt.c: Likewise.
	* random/random-csprng.c: Likewise.
	* random/random-fips.c: Likewise.
	* random/rndw32.c: Likewise.
	* src/cipher-proto.h: Likewise.
	* src/context.c: Likewise.
	* src/fips.c: Likewise.
	* src/gcrypt.h.in: Likewise.
	* src/global.c: Likewise.
	* src/sexp.c: Likewise.
	* tests/mpitests.c: Likewise.
	* tests/t-lock.c: Likewise.

2015-11-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of Tiger hash algorithms.
	* cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
	to macros.
	(transform_blk): Pass variable names instead of pointers to 'pass'.

	Add ARMv7/NEON implementation of Keccak.
	* cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
	* cipher/keccak-armv7-neon.S: New.
	* cipher/keccak.c (USE_64BIT_ARM_NEON): New.
	(NEED_COMMON64): Select if USE_64BIT_ARM_NEON.
	[NEED_COMMON64] (round_consts_64bit): Rename to...
	[NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add
	terminator at end.
	[USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon)
	(_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon)
	(keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New.
	(keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation
	if supported by HW.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update
	to use new round constant table.
	* configure.ac: Add 'keccak-armv7-neon.lo'.

	Optimize Keccak 64-bit absorb functions.
	* cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	* cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	[USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT] (keccak_absorb_lanes64): Remove.
	[USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove.
	[USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New.

2015-10-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable CRC test vectors with zero bytes.
	* tests/basic.c (check_digests): Enable CRC test-vectors with zero
	bytes.

	Keccak: Add SHAKE Extendable-Output Functions.
	* src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
	XOFs.
	* src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
	and add 'pos' argument.
	(KECCAK_CONTEXT): Add 'suffix'.
	(keccak_extract_inplace64): Rename to...
	(keccak_extract64): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi): Rename to...
	(keccak_extract32bi): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace64): Rename to...
	(keccak_extract64): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi_bmi2): Rename to...
	(keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument.
	(keccak_init): Setup 'suffix'; add SHAKE128 & SHAKE256.
	(shake128_init, shake256_init): New.
	(keccak_final): Do not initial permute for SHAKE output; use correct
	suffix for SHAKE.
	(keccak_extract): New.
	(keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors.
	(run_selftests): Add SHAKE128 & SHAKE256.
	(shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256)
	(_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New.
	* cipher/md.c (digest_list): Add SHAKE128 & SHAKE256.
	* doc/gcrypt.texi: Ditto.
	* src/cipher.h (_gcry_digest_spec_shake128)
	(_gcry_digest_spec_shake256): New.
	* src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New.
	* tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument.
	(check_one_md_multi): Skip if algo is XOF.
	(check_digests): Add SHAKE128 & SHAKE256 test vectors.
	* tests/bench-slope.c (kdf_bench_one): Skip XOFs.

	Few updates to documentation.
	* doc/gcrypt.text: Add mention of new 'intel-fast-shld' hw feature
	flag; Add mention of x86 RDRAND support in rndhw.

	Add HMAC-SHA3 test vectors.
	* tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.

2015-10-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	md: add variable length output interface.
	* cipher/crc.c (_gcry_digest_spec_crc32)
	(_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
	'extract' NULL.
	* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94)
	(_gcry_digest_spec_gost3411_cp): Ditto.
	* cipher/keccak.c (_gcry_digest_spec_sha3_224)
	(_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384)
	(_gcry_digest_spec_sha3_512): Ditto.
	* cipher/md2.c (_gcry_digest_spec_md2): Ditto.
	* cipher/md4.c (_gcry_digest_spec_md4): Ditto.
	* cipher/md5.c (_gcry_digest_spec_md5): Ditto.
	* cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Ditto.
	* cipher/sha256.c (_gcry_digest_spec_sha224)
	(_gcry_digest_spec_sha256): Ditto.
	* cipher/sha512.c (_gcry_digest_spec_sha384)
	(_gcry_digest_spec_sha512): Ditto.
	* cipher/stribog.c (_gcry_digest_spec_stribog_256)
	(_gcry_digest_spec_stribog_512): Ditto.
	* cipher/tiger.c (_gcry_digest_spec_tiger)
	(_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto.
	* cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto.
	* cipher/md.c (md_enable): Do not allow combination of HMAC and
	'expandable-output function'.
	(md_final): Check if spec->read is NULL before calling.
	(md_read): Ditto.
	(md_extract, _gcry_md_extract): New.
	* doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract.
	* src/cipher-proto.h (gcry_md_extract_t): New.
	(gcry_md_spec_t): Add 'extract'.
	* src/gcrypt-int.g (_gcry_md_extract): New.
	* src/gcrypt.h.in (gcry_md_extract): New.
	* src/libgcrypt.def: Add gcry_md_extract.
	* src/libgcrypt.vers: Add gcry_md_extract.
	* src/visibility.c (gcry_md_extract): New.
	* src/visibility.h (gcry_md_extract): New.

	md: check hmac flag in prepare_macpads.
	* cipher/md.c (prepare_macpads): Check hmac flag.

	keccak: rewrite for improved performance.
	* cipher/Makefile.am: Add 'keccak_permute_32.h' and
	'keccak_permute_64.h'.
	* cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
	* cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2)
	(USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI)
	(keccak_ops_t): New.
	(KECCAK_STATE): Add 'state64' and 'state32bi' members.
	(KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'.
	(rol64, keccak_f1600_state_permute): Remove.
	[NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New.
	[NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi)
	(keccak_absorb_lane32bi): New.
	[USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64)
	(keccak_absorb_lanes64, keccak_generic64_ops): New.
	[USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld)
	(keccak_absorb_lanes64_shld, keccak_shld_64_ops): New.
	[USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2)
	(keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New.
	[USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi)
	(keccak_absorb_lanes32bi, keccak_generic32bi_ops): New.
	[USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2)
	(pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2)
	(keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New.
	(keccak_write): New.
	(keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation
	selection based on HWF features.
	(keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops'
	for state manipulation.
	(keccak_read): Adjust to KECCAK_CONTEXT changes.
	(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
	(_gcry_digest_spec_sha3_348, _gcry_digest_spec_sha3_512): Use
	'keccak_write' instead of '_gcry_md_block_write'.
	* cipher/keccak_permute_32.h: New.
	* cipher/keccak_permute_64.h: New.

	hwf-x86: add detection for Intel CPUs with fast SHLD instruction.
	* cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
	HWF_INTEL_CPU.
	* cipher/sha256.c (sha256_init, sha224_init): Ditto.
	* cipher/sha512.c (sha512_init, sha384_init): Ditto.
	* src/g10lib.h (HWF_INTEL_FAST_SHLD): New.
	(HWF_INTEL_BMI2, HWF_INTEL_SSSE3, HWF_INTEL_PCLMUL, HWF_INTEL_AESNI)
	(HWF_INTEL_RDRAND, HWF_INTEL_AVX, HWF_INTEL_AVX2)
	(HWF_ARM_NEON): Update.
	* src/hwf-x86.c (detect_x86_gnuc): Add detection of Intel Core
	CPUs with fast SHLD/SHRD instruction.
	* src/hwfeatures.c (hwflist): Add "intel-fast-shld".

	Fix OCB amd64 assembly implementations for x32.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
	(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
	(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
	(_gcry_camellia_aesni_avx2_ocb_auth, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Change 'Ls' from pointer array to u64 array.
	* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
	(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
	(_gcry_serpent_avx2_ocb_enc, _gcry_serpent_avx2_ocb_dec)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Ditto.
	* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
	(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth)
	(twofish_amd64_ocb_enc, twofish_amd64_ocb_dec, twofish_amd64_ocb_auth)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Ditto.

	bench-slope: add KDF/PBKDF2 benchmark.
	* tests/bench-slope.c (bench_kdf_mode, bench_kdf_init, bench_kdf_free)
	(bench_kdf_do_bench, kdf_ops, kdf_bench_one, kdf_bench): New.
	(print_help): Add 'kdf'.
	(main): Add KDF benchmarks.

2015-10-22  NIIBE Yutaka  <gniibe@fsij.org>

	md: keep contexts for HMAC in GcryDigestEntry.
	* cipher/md.c (struct gcry_md_context): Add flags.hmac.
	Remove macpads and mcpads_Bsize.
	(md_open): Initialize flags.hmac.  Remove macpads initialization.
	(md_enable): Allocate contexts when flags.hmac is enabled.
	(md_copy): Remove macpads copying.  Add copying contexts.
	(_gcry_md_reset): When flags.hmac is enabled, restore precomputed
	context with input pad.
	(md_close): Remove macpads wiping.
	(md_final): When flags.hmac is enabled, compute hmac by precomputed
	context with output pad.
	(prepare_macpads): Prepare precomputed contexts with input pad and
	output pad for each registered digest entry.
	(_gcry_md_setkey): Just call prepare_macpads.

2015-10-15  NIIBE Yutaka  <gniibe@fsij.org>

	Fix double free on error.
	* src/hmac256.c (_gcry_hmac256_finalize): Don't free HD.

2015-10-14  NIIBE Yutaka  <gniibe@fsij.org>

	Fix gpg_error_t and gpg_err_code_t confusion.
	* src/gcrypt-int.h (_gcry_sexp_extract_param): Revert the change.
	* cipher/dsa.c (dsa_check_secret_key): Ditto.
	* src/sexp.c (_gcry_sexp_extract_param): Return gpg_err_code_t.

	* src/gcrypt-int.h (_gcry_err_make_from_errno)
	(_gcry_error_from_errno): Return gpg_error_t.
	* cipher/cipher.c (_gcry_cipher_open_internal)
	(_gcry_cipher_ctl, _gcry_cipher_ctl): Don't use gcry_error.
	* src/global.c (_gcry_vcontrol): Likewise.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Use
	gpg_err_code_from_syserror.
	* cipher/mac.c (mac_reset, mac_setkey, mac_setiv, mac_write)
	(mac_read, mac_verify): Return gcry_err_code_t.
	* cipher/rsa-common.c (mgf1): Use gcry_err_code_t for ERR.
	* src/visibility.c (gcry_error_from_errno): Return gpg_error_t.

2015-10-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix compiling AES/AES-NI implementation on linux-i386.
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Split assembly block in
	two parts to reduce number of register constraints needed.

2015-10-13  NIIBE Yutaka  <gniibe@fsij.org>

	Fix declaration of return type.
	* src/gcrypt-int.h (_gcry_sexp_extract_param): Return gpg_error_t.
	* cipher/dsa.c (dsa_generate): Fix call to _gcry_sexp_extract_param.
	* src/g10lib.h (_gcry_vcontrol): Return gcry_err_code_t.
	* src/visibility.c (gcry_mpi_snatch): Fix call to _gcry_mpi_snatch.

2015-09-07  Werner Koch  <wk@gnupg.org>

	Improve GCRYCTL_DISABLE_PRIV_DROP by also disabling cap_ calls.
	* src/secmem.c (lock_pool, secmem_init): Do not call any cap_
	functions if NO_PRIV_DROP is set.

2015-09-04  Werner Koch  <wk@gnupg.org>

	w32: Avoid a few compiler warnings.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Mark variable
	as unused.
	* random/rndw32.c (slow_gatherer): Avoid signed pointer mismatch
	warning.
	* src/secmem.c (init_pool): Avoid unused variable warning.
	* tests/random.c (writen, readn): Include only if needed.

	w32: Fix alignment problem with AESNI on Windows >= 8.
	* cipher/cipher-selftest.c (_gcry_cipher_selftest_alloc_ctx): New.
	* cipher/rijndael.c (selftest_basic_128, selftest_basic_192)
	(selftest_basic_256): Allocate context on the heap.

2015-08-31  Werner Koch  <wk@gnupg.org>

	rsa: Add verify after sign to avoid Lenstra's CRT attack.
	* cipher/rsa.c (rsa_sign): Check the CRT.

	Add pubkey algo id for EdDSA.
	* src/gcrypt.h.in (GCRY_PK_EDDSA): New.

2015-08-25  Werner Koch  <wk@gnupg.org>

	Add configure option --enable-build-timestamp.
	* configure.ac (BUILD_TIMESTAMP): Set to "<none>" by default.

2015-08-23  Werner Koch  <wk@gnupg.org>

	tests: Add missing files for the make distcheck target.
	* tests/Makefile.am (EXTRA_DIST): Add sha3-x test vector files.

2015-08-19  Werner Koch  <wk@gnupg.org>

	Change SHA-3 algorithm ids.
	* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
	(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): Change values.

2015-08-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Keccak: Fix array indexes in θ step.
	* cipher/keccak.c (keccak_f1600_state_permute): Fix indexes for D[5].

	Simplify OCB offset calculation for parallel implementations.
	* cipher/camellia-glue.c (_gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Precalculate Ls array always, instead of
	just if 'blkn % <parallel blocks> == 0'.
	* cipher/serpent.c (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth): Ditto.
	* cipher/rijndael-aesni.c (get_l): Remove low-bit checks.
	(aes_ocb_enc, aes_ocb_dec, _gcry_aes_aesni_ocb_auth): Handle leading
	blocks until block counter is multiple of 4, so that parallel block
	processing loop can use 'c->u_mode.ocb.L' array directly.
	* tests/basic.c (check_ocb_cipher_largebuf): Rename to...
	(check_ocb_cipher_largebuf_split): ...this and add option to process
	large buffer as two split buffers.
	(check_ocb_cipher_largebuf): New.

	Add carryless 8-bit addition fast-path for AES-NI CTR mode.
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Do addition using
	CTR in big-endian form, if least-significant byte does not overflow.

2015-08-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add additional SHA3 test-vectors.
	* tests/basic.c (check_digests): Allow datalen to be specified so that
	input data can have byte with value 0x00; Include sha3-*.h header files
	to test-vector structure.
	* tests/sha3-224.h: New.
	* tests/sha3-256.h: New.
	* tests/sha3-384.h: New.
	* tests/sha3-512.h: New.

	Add generic SHA3 implementation.
	* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE): Increase blocksize
	USE_SHA3 enabled.
	* cipher/keccak.c (SHA3_DELIMITED_SUFFIX, SHAKE_DELIMITED_SUFFIX): New.
	(KECCAK_STATE): Add proper state.
	(KECCAK_CONTEXT): Add 'outlen'.
	(rol64, keccak_f1600_state_permute, transform_blk, transform): New.
	(keccak_init): Add proper initialization.
	(keccak_final): Add proper finalization.
	(selftests_keccak): Add selftests.
	(oid_spec_sha3_224, oid_spec_sha3_256, oid_spec_sha3_384)
	(oid_spec_sha3_512): Add OID.
	(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
	(_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Fix output
	length.
	* cipher/mac-hmac.c (map_mac_algo_to_md): Fix mapping for SHA3-512.
	(hmac_get_keylen): Return proper blocksizes for SHA3 algorithms.
	[USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
	(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
	(_gcry_mac_type_spec_hmac_sha3_512): New.
	* cipher/mac-internal.h [USE_SHA3] (_gcry_mac_type_spec_hmac_sha3_224)
	(_gcry_mac_type_spec_hmac_sha3_256, _gcry_mac_type_spec_hmac_sha3_384)
	(_gcry_mac_type_spec_hmac_sha3_512): New.
	* cipher/mac.c (mac_list) [USE_SHA3]: Add SHA3 algorithms.
	* cipher/md.c (md_open): Use proper SHA-3 blocksizes for HMAC macpads.
	* tests/basic.c (check_digests): Add SHA3 test vectors.

	Optimize OCB offset calculation.
	* cipher/cipher-internal.h (ocb_get_l): New.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
	(ocb_crypt): Use 'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
	* cipher/camellia-glue.c (get_l): Remove.
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Precalculate
	offset array when block count matches parallel operation size; Use
	'ocb_get_l' instead of 'get_l'.
	* cipher/rijndael-aesni.c (get_l): Add fast path for 75% most common
	offsets.
	(aesni_ocb_enc, aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Precalculate
	offset array when block count matches parallel operation size.
	* cipher/rijndael-ssse3-amd64.c (get_l): Add fast path for 75% most
	common offsets.
	* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Use
	'ocb_get_l' instead of '_gcry_cipher_ocb_get_l'.
	* cipher/serpent.c (get_l): Remove.
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Precalculate
	offset array when block count matches parallel operation size; Use
	'ocb_get_l' instead of 'get_l'.
	* cipher/twofish.c (get_l): Remove.
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Use 'ocb_get_l'
	instead of 'get_l'.

2015-08-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: fix Montgomery curve bugs.
	* cipher/ecc.c (check_secret_key): Y1 should not be NULL when checking.
	(ecc_check_secret_key): Support Montgomery curve.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Fix condition.

2015-08-08  Werner Koch  <wk@gnupg.org>

	Add framework to eventually support SHA3.
	* src/gcrypt.h.in (GCRY_MD_SHA3_224, GCRY_MD_SHA3_256)
	(GCRY_MD_SHA3_384, GCRY_MD_SHA3_512): New.
	(GCRY_MAC_HMAC_SHA3_224, GCRY_MAC_HMAC_SHA3_256)
	(GCRY_MAC_HMAC_SHA3_384, GCRY_MAC_HMAC_SHA3_512): New.
	* cipher/keccak.c: New with stub functions.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add keccak.c.
	* configure.ac (available_digests): Add sha3.
	(USE_SHA3): New.
	* src/fips.c (run_hmac_selftests): Add SHA3 to the required selftests.
	* cipher/md.c (digest_list) [USE_SHA3]: Add standard SHA3 algos.
	(md_open): Ditto for hmac processing.
	* cipher/mac-hmac.c (map_mac_algo_to_md): Add mapping.
	* cipher/hmac-tests.c (run_selftests): Prepare for tests.
	* cipher/pubkey-util.c (get_hash_algo): Add "sha3-xxx".

2015-08-06  Werner Koch  <wk@gnupg.org>

	tools: Fix memory leak for functions "I" and "G".
	* src/mpicalc.c (do_inv, do_gcd): Init A after stack check.

2015-08-06  Ismo Puustinen  <ismo.puustinen@intel.com>

	ecc: Free memory also when in error branch.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Init DISGEST and goto
	leave on error.

2015-08-06  NIIBE Yutaka  <gniibe@fsij.org>

	Add Curve25519 support.
	* cipher/ecc-curves.c (curve_aliases, domain_parms): Add Curve25519.
	* tests/curves.c (N_CURVES): It's 22 now.
	* src/cipher.h (PUBKEY_FLAG_DJB_TWEAK): New.
	* cipher/ecc-common.h (_gcry_ecc_mont_decodepoint): New.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): New.
	* cipher/ecc.c (nist_generate_key): Handle the case of
	PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
	(test_ecdh_only_keys, check_secret_key): Likewise.
	(ecc_generate): Support Curve25519 which is Montgomery curve with flag
	PUBKEY_FLAG_DJB_TWEAK and PUBKEY_FLAG_COMP.
	(ecc_encrypt_raw): Get flags from KEYPARMS and handle
	PUBKEY_FLAG_DJB_TWEAK and Montgomery curve.
	(ecc_decrypt_raw): Likewise.
	(compute_keygrip): Handle the case of PUBKEY_FLAG_DJB_TWEAK.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist):
	PUBKEY_FLAG_EDDSA implies PUBKEY_FLAG_DJB_TWEAK.
	Parse "djb-tweak" for PUBKEY_FLAG_DJB_TWEAK.

2015-07-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Reduce code size for Twofish key-setup and remove key-dependent branch.
	* cipher/twofish.c (poly_to_exp): Increase size by one, change type
	from byte to u16 and insert '492' to index 0.
	(exp_to_poly): Increase size by 256, let new cells have zero value.
	(CALC_S): Execute unconditionally with help of modified tables.
	(do_twofish_setkey): Change type for 'tmp' to 'unsigned int'; Un-unroll
	CALC_K256 and CALC_K phases to reduce generated object size.

	Reduce amount of duplicated code in OCB bulk implementations.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_authenticate)
	(ocb_crypt): Change bulk function to return number of unprocessed
	blocks.
	* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth)
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
	to 'size_t'.
	* cipher/camellia-glue.c (get_l): Only if USE_AESNI_AVX or
	USE_AESNI_AVX2 defined.
	(_gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_AESNI_AVX or
	USE_AESNI_AVX2 defined; Remove unaccelerated common code.
	* cipher/rijndael.c (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): Change
	return type to 'size_t' and return zero.
	* cipher/serpent.c (get_l): Only if USE_SSE2, USE_AVX2 or USE_NEON
	defined.
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_SSE2, USE_AVX2 or
	USE_NEON defined; Remove unaccelerated common code.
	* cipher/twofish.c (get_l): Only if USE_AMD64_ASM defined.
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): Change return type
	to 'size_t' and return remaining blocks; Remove unaccelerated common
	code path. Enable remaining common code only if USE_AMD64_ASM defined;
	Remove unaccelerated common code.

	Add bulk OCB for Serpent SSE2, AVX2 and NEON implementations.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Serpent.
	* cipher/serpent-armv7-neon.S: Add OCB assembly functions.
	* cipher/serpent-avx2-amd64.S: Add OCB assembly functions.
	* cipher/serpent-sse2-amd64.S: Add OCB assembly functions.
	* cipher/serpent.c (_gcry_serpent_sse2_ocb_enc)
	(_gcry_serpent_sse2_ocb_dec, _gcry_serpent_sse2_ocb_auth)
	(_gcry_serpent_neon_ocb_enc, _gcry_serpent_neon_ocb_dec)
	(_gcry_serpent_neon_ocb_auth, _gcry_serpent_avx2_ocb_enc)
	(_gcry_serpent_avx2_ocb_dec, _gcry_serpent_avx2_ocb_auth): New
	prototypes.
	(get_l, _gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): New.
	* src/cipher.h (_gcry_serpent_ocb_crypt)
	(_gcry_serpent_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for serpent.

	Add bulk OCB for Twofish AMD64 implementation.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Twofish.
	* cipher/twofish-amd64.S: Add OCB assembly functions.
	* cipher/twofish.c (_gcry_twofish_amd64_ocb_enc)
	(_gcry_twofish_amd64_ocb_dec, _gcry_twofish_amd64_ocb_auth): New
	prototypes.
	(call_sysv_fn5, call_sysv_fn6, twofish_amd64_ocb_enc)
	(twofish_amd64_ocb_dec, twofish_amd64_ocb_auth, get_l)
	(_gcry_twofish_ocb_crypt, _gcry_twofish_ocb_auth): New.
	* src/cipher.h (_gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for Twofish.

	Add bulk OCB for Camellia AES-NI/AVX and AES-NI/AVX2 implementations.
	* cipher/camellia-aesni-avx-amd64.S: Add OCB assembly functions.
	* cipher/camellia-aesni-avx2-amd64.S: Add OCB assembly functions.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_ocb_enc)
	(_gcry_camellia_aesni_avx_ocb_dec, _gcry_camellia_aesni_avx_ocb_auth)
	(_gcry_camellia_aesni_avx2_ocb_enc, _gcry_camellia_aesni_avx2_ocb_dec)
	(_gcry_camellia_aesni_avx2_ocb_auth): New prototypes.
	(get_l, _gcry_camellia_ocb_crypt, _gcry_camellia_ocb_auth): New.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for Camellia.
	* src/cipher.h (_gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add test-vector for Camellia.

2015-07-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add OCB bulk mode for AES SSSE3 implementation.
	* cipher/rijndael-ssse3-amd64.c (SSSE3_STATE_SIZE): New.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): Use
	'ssse3_state' for storing current SSSE3 state.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(vpaes_ssse3_cleanup): Restore SSSE3 state from 'ssse3_state'.
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_cfb_enc)
	(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
	(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, _gcry_aes_ssse3_cbc_dec): Add 'ssse3_state'
	array.
	(get_l, ssse3_ocb_enc, ssse3_ocb_dec, _gcry_aes_ssse3_ocb_crypt)
	(_gcry_aes_ssse3_ocb_auth): New.
	* cipher/rijndael.c (_gcry_aes_ssse3_ocb_crypt)
	(_gcry_aes_ssse3_ocb_auth): New.
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_SSSE3]: Use SSSE3
	implementation for OCB.

2015-07-26  Peter Wu  <peter@lekensteyn.nl>

	Fix undefined behavior wrt memcpy.
	* cipher/cipher-gcm.c: Do not copy zero bytes from an empty buffer. Let
	the function continue to add padding as needed though.
	* cipher/mac-poly1305.c: If the caller requested to finish the hash
	function without a copy of the result, return immediately.

2015-07-23  Peter Wu  <peter@lekensteyn.nl>

	build: ignore scissor line for the commit-msg hook.
	* build-aux/git-hooks/commit-msg: Stop processing more lines when the
	scissor line is encountered.

2015-07-16  Peter Wu  <peter@lekensteyn.nl>

	rsa: Fix error in comments.
	* cipher/rsa.c: Fix.

2015-07-14  Peter Wu  <peter@lekensteyn.nl>

	sexp: Fix invalid deallocation in error path.
	* src/sexp.c: Fix wrong condition.

2015-07-10  Peter Wu  <peter@lekensteyn.nl>

	ecc: fix memory leak.
	* cipher/ecc.c (ecc_verify): Release memory which was allocated before
	by _gcry_pk_util_preparse_sigval.
	(ecc_decrypt_raw): Likewise.

2015-07-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: fix memory leaks.
	* cipher/ecc.c (ecc_generate): Fix memory leak on error of
	_gcry_pk_util_parse_flaglist and _gcry_ecc_eddsa_encodepoint.
	(ecc_check_secret_key): Fix memory leak on error of
	_gcry_ecc_update_curve_param.
	(ecc_sign, ecc_verify, ecc_encrypt_raw, ecc_decrypt_raw): Remove
	unnecessary sexp_release and fix memory leak on error of
	_gcry_ecc_fill_in_curve.
	(ecc_decrypt_raw): Fix double free of the point kG and memory leak
	on error of _gcry_ecc_os2ec.

2015-06-11  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Support FreeBSD 10 or later.
	* mpi/config.links: Include FreeBSD 10 to 29.

2015-05-21  Werner Koch  <wk@gnupg.org>

	ecc: Add key generation flag "no-keytest".
	* src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag
	"no-keytest".  Return an error for invalid flags of length 10.

	* cipher/ecc.c (nist_generate_key): Replace arg random_level by flags
	set random level depending on flags.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.
	* cipher/ecc.c (ecc_generate): Pass flags to generate function and
	remove var random_level.
	(nist_generate_key): Implement "no-keytest" flag.

	* tests/keygen.c (check_ecc_keys): Add tests for transient-key and
	no-keytest.

	ecc: Avoid double conversion to affine coordinates in keygen.
	* cipher/ecc.c (nist_generate_key): Add args r_x and r_y.
	(ecc_generate): Rename vars.  Convert to affine coordinates only if
	not returned by the lower level generation function.

	random: Change initial extra seeding from 2400 bits to 128 bits.
	* random/random-csprng.c (read_pool): Reduce initial seeding.

2015-05-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable AMD64 Twofish implementation on WIN64.
	* cipher/twofish-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/twofish.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(twofish_amd64_encrypt_block, twofish_amd64_decrypt_block)
	(twofish_amd64_ctr_enc, twofish_amd64_cbc_dec)
	(twofish_amd64_cfb_dec): New wrapper functions for AMD64
	assembly functions.

	Enable AMD64 Serpent implementations on WIN64.
	* cipher/serpent-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/serpent-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20.c (USE_SSE2, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSE2 || USE_AVX2] (ASM_FUNC_ABI): New.
	(_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec)
	(_gcry_serpent_sse2_cfb_dec, _gcry_serpent_avx2_ctr_enc)
	(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Add
	ASM_FUNC_ABI.

	Enable AMD64 Salsa20 implementation on WIN64.
	* cipher/salsa20-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/salsa20.c (USE_AMD64): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AMD64] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
	(_gcry_salsa20_amd64_encrypt_blocks): Add ASM_FUNC_ABI.
	[USE_AMD64] (salsa20_core): Add ASM_EXTRA_STACK.
	(salsa20_do_encrypt_stream) [USE_AMD64]: Add ASM_EXTRA_STACK.

	Enable AMD64 Poly1305 implementations on WIN64.
	* cipher/poly1305-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/poly1305-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/poly1305-internal.h (POLY1305_SYSV_FUNC_ABI): New.
	(POLY1305_USE_SSE2, POLY1305_USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(OPS_FUNC_ABI): New.
	(poly1305_ops_t): Use OPS_FUNC_ABI.
	* cipher/poly1305.c (_gcry_poly1305_amd64_sse2_init_ext)
	(_gcry_poly1305_amd64_sse2_finish_ext)
	(_gcry_poly1305_amd64_sse2_blocks, _gcry_poly1305_amd64_avx2_init_ext)
	(_gcry_poly1305_amd64_avx2_finish_ext)
	(_gcry_poly1305_amd64_avx2_blocks, _gcry_poly1305_armv7_neon_init_ext)
	(_gcry_poly1305_armv7_neon_finish_ext)
	(_gcry_poly1305_armv7_neon_blocks, poly1305_init_ext_ref32)
	(poly1305_blocks_ref32, poly1305_finish_ext_ref32)
	(poly1305_init_ext_ref8, poly1305_blocks_ref8)
	(poly1305_finish_ext_ref8): Use OPS_FUNC_ABI.

	Enable AMD64 3DES implementation on WIN64.
	* cipher/des-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/des.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(tripledes_ecb_crypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call
	assembly function through 'call_sysv_fn'.
	(tripledes_amd64_ctr_enc, tripledes_amd64_cbc_dec)
	(tripledes_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.

	Enable AMD64 ChaCha20 implementations on WIN64.
	* cipher/chacha20-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20-ssse3-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/chacha20.c (USE_SSE2, USE_SSSE3, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(chacha20_blocks_t, _gcry_chacha20_amd64_sse2_blocks)
	(_gcry_chacha20_amd64_ssse3_blocks, _gcry_chacha20_amd64_avx2_blocks)
	(_gcry_chacha20_armv7_neon_blocks, chacha20_blocks): Add ASM_FUNC_ABI.
	(chacha20_core): Add ASM_EXTRA_STACK.

	Enable AMD64 CAST5 implementation on WIN64.
	* cipher/cast5-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(RIP): Remove.
	(GET_EXTERN_POINTER): Use 'leaq' version on WIN64.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/cast5.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(do_encrypt_block, do_decrypt_block)
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
	function through 'call_sysv_fn'.
	(cast5_amd64_ctr_enc, cast5_amd64_cbc_dec)
	(cast5_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.

	Enable AMD64 Camellia implementations on WIN64.
	* cipher/camellia-aesni-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/camellia-aesni-avx2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/camellia-glue.c (USE_AESNI_AVX, USE_AESNI_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AESNI_AVX || USE_AESNI_AVX2] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	(_gcry_camellia_aesni_avx_ctr_enc, _gcry_camellia_aesni_avx_cbc_dec)
	(_gcry_camellia_aesni_avx_cfb_dec, _gcry_camellia_aesni_avx_keygen)
	(_gcry_camellia_aesni_avx2_ctr_enc, _gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): Add ASM_FUNC_ABI.

	Enable AMD64 Blowfish implementation on WIN64.
	* cipher/blowfish-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/blowfish.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (call_sysv_fn): New.
	(do_encrypt, do_encrypt_block, do_decrypt_block)
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Call assembly
	function through 'call_sysv_fn'.
	(blowfish_amd64_ctr_enc, blowfish_amd64_cbc_dec)
	(blowfish_amd64_cfb_dec): New wrapper functions for bulk
	assembly functions.

	Enable AMD64 arcfour implementation on WIN64.
	* cipher/arcfour-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/arcfour.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(do_encrypt, do_decrypt) [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]: Use
	assembly block to call AMD64 assembly function.

	Update documentation for Poly1305-ChaCha20 AEAD, RFC-7539.
	* cipher/cipher-poly1305.c: Add RFC-7539 to header.
	* doc/gcrypt.texi: Update Poly1305 AEAD documentation with mention of
	RFC-7539; Drop Salsa from supported stream ciphers for Poly1305 AEAD.

	hwf-x86: use edi for passing value to ebx for i386 cpuid.
	* src/hwf-x86.c [__i386__] (get_cpuid): Use '=D' for regs[1] instead
	of '=r'.

	hwf-x86: add EDX as output register for xgetbv asm block.
	* src/hwf-x86.c (get_xgetbv): Add EDX as output.

2015-05-04  Werner Koch  <wk@gnupg.org>

	build: Update build-aux files.

	Fix possible regression on old 32 bit mingw compilers.
	* acinclude.m4: Add new pattern for mingw32.

	build: Add new file.
	* mpi/amd64/distfiles: Add func_abi.h.

2015-05-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix WIN64 assembly glue for AES.
	* cipher/rijndael.c (do_encrypt, do_decrypt)
	[!HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Change input operands to
	input+output to mark volatile nature of the used registers.

	Add '1 million a characters' test vectors.
	* tests/basic.c (check_digests): Add "!" test vectors for MD5, SHA-384,
	SHA-512, RIPEMD160 and CRC32.

2015-05-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	More optimized CRC implementations.
	* cipher/crc.c (crc32_table, crc24_table): Replace with new table
	contents.
	(update_crc32, CRC24_INIT, CRC24_POLY): Remove.
	(crc32_next, crc32_next4, crc24_init, crc24_next, crc24_next4)
	(crc24_final): New.
	(crc24rfc2440_init): Use crc24_init.
	(crc32_write): Rewrite to use crc32_next & crc32_next4.
	(crc24_write): Rewrite to use crc24_next & crc24_next4.
	(crc32_final, crc32rfc1510_final): Use buf_put_be32.
	(crc24rfc2440_final): Use crc24_final & buf_put_le32.
	* tests/basic.c (check_digests): Add CRC "123456789" tests.

	Enable AMD64 AES implementation for WIN64.
	* cipher/rijndael-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/rijndael-internal.h (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(do_encrypt, do_decrypt)
	[USE_AMD64_ASM && !HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Use
	assembly block to call AMD64 assembly encrypt/decrypt function.

	Enable AMD64 Whirlpool implementation for WIN64.
	* cipher/whirlpool-sse2-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/whirlpool.c (USE_AMD64_ASM): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_AMD64_ASM] (ASM_FUNC_ABI, ASM_EXTRA_STACK): New.
	[USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64): Add ASM_FUNC_ABI to
	prototype.
	[USE_AMD64_ASM] (whirlpool_transform): Add ASM_EXTRA_STACK to stack
	burn value.

	Enable AMD64 SHA512 implementations for WIN64.
	* cipher/sha512-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha512-avx-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.
	* cipher/sha512.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha512_transform_amd64_ssse3, _gcry_sha512_transform_amd64_avx)
	(_gcry_sha512_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
	prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

	Enable AMD64 SHA256 implementations for WIN64.
	* cipher/sha256-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha256.c (USE_SSSE3, USE_AVX, USE_AVX2): Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_AVX2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha256_transform_amd64_ssse3, _gcry_sha256_transform_amd64_avx)
	(_gcry_sha256_transform_amd64_avx2): Add ASM_FUNC_ABI to prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

	Enable AMD64 SHA1 implementations for WIN64.
	* cipher/sha1-avx-amd64.S: Enable when
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	(ELF): New macro to mask lines with ELF specific commands.
	* cipher/sha1-avx-bmi2-amd64.S: Ditto.
	* cipher/sha1-ssse3-amd64.S: Ditto.
	* cipher/sha1.c (USE_SSSE3, USE_AVX, USE_BMI2): Enable
	when HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS defined.
	[USE_SSSE3 || USE_AVX || USE_BMI2] (ASM_FUNC_ABI)
	(ASM_EXTRA_STACK): New.
	(_gcry_sha1_transform_amd64_ssse3, _gcry_sha1_transform_amd64_avx)
	(_gcry_sha1_transform_amd64_avx_bmi2): Add ASM_FUNC_ABI to
	prototypes.
	(transform): Add ASM_EXTRA_STACK to stack burn value.

2015-05-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable AES/AES-NI, AES/SSSE3 and GCM/PCLMUL implementations on WIN64.
	* cipher/cipher-gcm-intel-pclmul.c (_gcry_ghash_intel_pclmul)
	(_gcry_ghash_intel_pclmul) [__WIN64__]: Store non-volatile vector
	registers before use and restore after.
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Remove dependency
	on !defined(__WIN64__).
	* cipher/rijndael-aesni.c [__WIN64__] (aesni_prepare_2_6_variable,
	aesni_prepare, aesni_prepare_2_6, aesni_cleanup)
	(aesni_cleanup_2_6): New.
	[!__WIN64__] (aesni_prepare_2_6_variable, aesni_prepare_2_6): New.
	(_gcry_aes_aesni_do_setkey, _gcry_aes_aesni_cbc_enc)
	(_gcry_aesni_ctr_enc, _gcry_aesni_cfb_dec, _gcry_aesni_cbc_dec)
	(_gcry_aesni_ocb_crypt, _gcry_aesni_ocb_auth): Use
	'aesni_prepare_2_6'.
	* cipher/rijndael-internal.h (USE_SSSE3): Enable if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS or
	HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS.
	(USE_AESNI): Remove dependency on !defined(__WIN64__)
	* cipher/rijndael-ssse3-amd64.c [HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS]
	(vpaes_ssse3_prepare, vpaes_ssse3_cleanup): New.
	[!HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (vpaes_ssse3_prepare): New.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec): Use
	'vpaes_ssse3_prepare'.
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption): Use
	'vpaes_ssse3_prepare' and 'vpaes_ssse3_cleanup'.
	[HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS] (X): Add masking macro to
	exclude '.type' and '.size' markers from assembly code, as they are
	not supported on WIN64/COFF objects.
	* configure.ac (gcry_cv_gcc_attribute_ms_abi)
	(gcry_cv_gcc_attribute_sysv_abi, gcry_cv_gcc_default_abi_is_ms_abi)
	(gcry_cv_gcc_default_abi_is_sysv_abi)
	(gcry_cv_gcc_win64_platform_as_ok): New checks.

	Add W64 support for mpi amd64 assembly.
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Set
	'ac_cv_sys_symbol_underscore=no' on MingW-W64.
	* mpi/amd64/func_abi.h: New.
	* mpi/amd64/mpih-add1.S (_gcry_mpih_add_n): Add FUNC_ENTRY and FUNC_EXIT.
	* mpi/amd64/mpih-lshift.S (_gcry_mpih_lshift): Ditto.
	* mpi/amd64/mpih-mul1.S (_gcry_mpih_mul_1): Ditto.
	* mpi/amd64/mpih-mul2.S (_gcry_mpih_addmul_1): Ditto.
	* mpi/amd64/mpih-mul3.S (_gcry_mpih_submul_1): Ditto.
	* mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Ditto.
	* mpi/amd64/mpih-sub1.S (_gcry_mpih_sub_n): Ditto.
	* mpi/config.links [host=x86_64-*mingw*]: Enable assembly modules.
	[host=x86_64-*-*]: Append mpi/amd64/func_abi.h to mpi/asm-syntax.h.

	DES: Silence compiler warnings on Windows.
	* cipher/des.c (working_memcmp): Make pointer arguments 'const void *'.

	Cast pointers to integers using uintptr_t instead of long.

	Fix rndhw for 64-bit Windows build.
	* configure.ac: Add sizeof check for 'void *'.
	* random/rndhw.c (poll_padlock): Check for SIZEOF_VOID_P == 8
	instead of defined(__LP64__).
	(RDRAND_LONG): Check for SIZEOF_UNSIGNED_LONG == 8 instead of
	defined(__LP64__).

	Prepare random/win32.c fast poll for 64-bit Windows.
	* random/win32.c (_gcry_rndw32_gather_random_fast) [ADD]: Rename to
	ADDINT.
	(_gcry_rndw32_gather_random_fast): Add ADDPTR.
	(_gcry_rndw32_gather_random_fast): Disable entropy gathering from
	GetQueueStatus(QS_ALLEVENTS).
	(_gcry_rndw32_gather_random_fast): Change minimumWorkingSetSize and
	maximumWorkingSetSize to SIZE_T from DWORD.
	(_gcry_rndw32_gather_random_fast): Only add lower 32-bits of
	minimumWorkingSetSize and maximumWorkingSetSize to random poll.
	(_gcry_rndw32_gather_random_fast) [__WIN64__]: Read TSC directly
	using intrinsic.

	Disable GCM and AES-NI assembly implementations for WIN64.
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): Do not enable when
	__WIN64__ defined.
	* cipher/rijndael-internal.h (USE_AESNI): Ditto.

	Disable building mpi assembly routines on WIN64.
	* mpi/config.links: Disable assembly for host 'x86_64-*mingw32*'.

	Fix packed attribute check for Windows targets.
	* configure.ac (gcry_cv_gcc_attribute_packed): Move 'long b' to its
	own packed structure.

	Fix tail handling in buf_xor_1.
	* cipher/bufhelp.h (buf_xor_1): Increment source pointer at tail
	handling.

	Add --disable-hwf for basic tests.
	* tests/basic.c (main): Add handling for '--disable-hwf'.

	Use more odd chunk sizes for check_one_md.
	* tests/basic.c (check_one_md): Make chunk size vary oddly, instead
	of using fixed length of 1000 bytes.

	Enable more modes in basic ciphers test.
	* src/gcrypt.h.in (GCRY_OCB_BLOCK_LEN): New.
	* tests/basic.c (check_one_cipher_core_reset): New.
	(check_one_cipher_core): Use check_one_cipher_core_reset in place of
	gcry_cipher_reset.
	(check_ciphers): Add CCM and OCB modes for block cipher tests.

	Fix resetting cipher in OCB mode.
	* cipher/cipher.c (cipher_reset): Setup default taglen for OCB after
	clearing state.

2015-04-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix buggy RC4 AMD64 assembly and add test to notice similar issues.
	* cipher/arcfour-amd64.S (_gcry_arcfour_amd64): Fix swapped store of
	'x' and 'y'.
	* tests/basic.c (get_algo_mode_blklen): New.
	(check_one_cipher_core): Add new tests for split buffer input on
	encryption and decryption.

2015-04-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disallow compiler from generating SSE instructions in mixed C+asm source.
	* cipher/cipher-gcm-intel-pclmul.c [gcc-version >= 4.4]: Add GCC target
	pragma to disable compiler use of SSE.
	* cipher/rijndael-aesni.c [gcc-version >= 4.4]: Ditto.
	* cipher/rijndael-ssse3-amd64.c [gcc-version >= 4.4]: Ditto.

2015-04-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add OCB bulk crypt/auth functions for AES/AES-NI.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add bulk.ocb_crypt
	and bulk.ocb_auth.
	(_gcry_cipher_ocb_get_l): New prototype.
	* cipher/cipher-ocb.c (get_l): Rename to ...
	(_gcry_cipher_ocb_get_l): ... this.
	(_gcry_cipher_ocb_authenticate, ocb_crypt): Use bulk function when
	available.
	* cipher/cipher.c (_gcry_cipher_open_internal): Setup OCB bulk
	functions for AES.
	* cipher/rijndael-aesni.c (get_l, aesni_ocb_enc, aes_ocb_dec)
	(_gcry_aes_aesni_ocb_crypt, _gcry_aes_aesni_ocb_auth): New.
	* cipher/rijndael.c [USE_AESNI] (_gcry_aes_aesni_ocb_crypt)
	(_gcry_aes_aesni_ocb_auth): New prototypes.
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New.
	* src/cipher.h (_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth): New
	prototypes.
	* tests/basic.c (check_ocb_cipher_largebuf): New.
	(check_ocb_cipher): Add large buffer encryption/decryption test.

2015-04-15  Werner Koch  <wk@gnupg.org>

	tests: Add option to time the S2K function.
	* tests/t-kdf.c: Include stopwatch.h.
	(dummy_consumer): New.
	(bench_s2k): New.
	(main): Add option parser and option --s2k.

	tests: Improve stopwatch.h.
	* tests/stopwatch.h (elapsed_time): Add arg divisor.

2015-04-13  Werner Koch  <wk@gnupg.org>

	mpi: Fix gcry_mpi_copy for NULL opaque data.
	* mpi/mpiutil.c (_gcry_mpi_copy): Copy opaque only if needed.

2015-03-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	wipememory: use one-byte aligned type for unaligned memory accesses.
	* src/g10lib.h (fast_wipememory2_unaligned_head): Enable unaligned
	access only when HAVE_GCC_ATTRIBUTE_PACKED and
	HAVE_GCC_ATTRIBUTE_ALIGNED defined.
	(fast_wipememory_t): New.
	(fast_wipememory2): Use 'fast_wipememory_t'.

	bufhelp: use one-byte aligned type for unaligned memory accesses.
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Enable only when
	HAVE_GCC_ATTRIBUTE_PACKED and HAVE_GCC_ATTRIBUTE_ALIGNED are defined.
	(bufhelp_int_t): New type.
	(buf_cpy, buf_xor, buf_xor_1, buf_xor_2dst, buf_xor_n_copy_2): Use
	'bufhelp_int_t'.
	[BUFHELP_FAST_UNALIGNED_ACCESS] (bufhelp_u32_t, bufhelp_u64_t): New.
	[BUFHELP_FAST_UNALIGNED_ACCESS] (buf_get_be32, buf_get_le32)
	(buf_put_be32, buf_put_le32, buf_get_be64, buf_get_le64)
	(buf_put_be64, buf_put_le64): Use 'bufhelp_uXX_t'.
	* configure.ac (gcry_cv_gcc_attribute_packed): New.

	tests/bench-slope: fix memory-leak and use-after-free bugs.
	* tests/bench-slope.c (do_slope_benchmark): Free 'measurements' at end.
	(bench_mac_init): Move 'key' free at end of function.

2015-03-19  Werner Koch  <wk@gnupg.org>

	Fix two pedantic warnings.
	* src/gcrypt.h.in (gcry_mpi_flag, gcry_mac_algos): Remove trailing
	comma.

2015-03-16  Werner Koch  <wk@gnupg.org>

	Use well defined type instead of size_t in secmem.c.
	* src/secmem.c (ptr_into_pool_p): Replace size_t by uintptr_t.

	Make uintptr_t global available.
	* cipher/bufhelp.h: Move include for uintptr_t to ...
	* src/types.h: here.  Check that config.h has been included.

	mpi: Remove useless condition.
	* mpi/mpi-pow.c: Remove condition rp==mp.

	cipher: Remove useless NULL check.
	* cipher/hash-common.c (_gcry_md_block_write): Remove NULL check for
	hd->buf.

2015-02-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix in-place encryption for OCB mode.
	* cipher/cipher-ocb.c (ocb_checksum): New.
	(ocb_crypt): Move checksum calculation outside main crypt loop, do
	checksum calculation for encryption before inbuf is overwritten.
	* tests/basic.c (check_ocb_cipher): Rename to ...
	(do_check_ocb_cipher): ... to this and add argument for testing
	in-place encryption/decryption.
	(check_ocb_cipher): New.

2015-02-27  NIIBE Yutaka  <gniibe@fsij.org>

	tests: fix t-sexp.c.
	* tests/t-sexp.c (bug_1594): Free N and PUBKEY.

	mpi: Avoid data-dependent timing variations in mpi_powm.
	* mpi/mpi-pow.c (mpi_powm): Access all data in the table by
	mpi_set_cond.

	mpi: Revise mpi_powm.
	* mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP.

2015-02-23  Werner Koch  <wk@gnupg.org>

	cipher: Use ciphertext blinding for Elgamal decryption.
	* cipher/elgamal.c (USE_BLINDING): New.
	(decrypt): Rewrite to use ciphertext blinding.

2015-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_set_cond.
	* mpi/mpiutil.c (_gcry_mpi_set_cond): New.
	(_gcry_mpi_swap_cond): Fix types.
	* src/mpi.h (mpi_set_cond): New.

2015-01-30  Werner Koch  <wk@gnupg.org>

	w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.
	* src/Makefile.am (extra_ltoptions): New.
	(libgcrypt_la_LDFLAGS): Use it.

2015-01-28  Werner Koch  <wk@gnupg.org>

	Fix building of GOST s-boxes when cross-compiling.
	* cipher/Makefile.am (gost-s-box): Use CC_FOR_BUILD.
	(noinst_PROGRAMS): Remove.
	(EXTRA_DIST): New.
	(CLEANFILES): New.

2015-01-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix wrong ifdef for SSSE3 setkey.
	* cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
	around SSSE3 setkey selection.

2015-01-16  Werner Koch  <wk@gnupg.org>

	Add OCB cipher mode.
	* cipher/cipher-ocb.c: New.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-ocb.c
	* cipher/cipher-internal.h (OCB_BLOCK_LEN, OCB_L_TABLE_SIZE): New.
	(gcry_cipher_handle): Add fields marks.finalize and u_mode.ocb.
	* cipher/cipher.c (_gcry_cipher_open_internal): Add OCB mode.
	(_gcry_cipher_open_internal): Setup default taglen of OCB.
	(cipher_reset): Clear OCB specific data.
	(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
	(_gcry_cipher_gettag, _gcry_cipher_checktag): Call OCB functions.
	(_gcry_cipher_setiv): Add OCB specific nonce setting.
	(_gcry_cipher_ctl): Add GCRYCTL_FINALIZE and GCRYCTL_SET_TAGLEN.

	* src/gcrypt.h.in (GCRYCTL_SET_TAGLEN): New.
	(gcry_cipher_final): New.

	* cipher/bufhelp.h (buf_xor_1): New.

	* tests/basic.c (hex2buffer): New.
	(check_ocb_cipher): New.
	(main): Call it here.  Add option --cipher-modes.
	* tests/bench-slope.c (bench_aead_encrypt_do_bench): Call
	gcry_cipher_final.
	(bench_aead_decrypt_do_bench): Ditto.
	(bench_aead_authenticate_do_bench): Ditto.  Check error code.
	(bench_ocb_encrypt_do_bench): New.
	(bench_ocb_decrypt_do_bench): New.
	(bench_ocb_authenticate_do_bench): New.
	(ocb_encrypt_ops): New.
	(ocb_decrypt_ops): New.
	(ocb_authenticate_ops): New.
	(cipher_modes): Add them.
	(cipher_bench_one): Skip wrong block length for OCB.
	* tests/benchmark.c (cipher_bench): Add field noncelen to MODES.  Add
	OCB support.

2015-01-15  Werner Koch  <wk@gnupg.org>

	Add functions to count trailing zero bits in a word.
	* cipher/bithelp.h (_gcry_ctz, _gcry_ctz64): New.
	* configure.ac (HAVE_BUILTIN_CTZ): Add new test.

2015-01-08  Werner Koch  <wk@gnupg.org>

	cipher: Prepare for OCB mode.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_OCB): New.

2015-01-06  Werner Koch  <wk@gnupg.org>

	Make make distcheck work again.
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove --enable-ciphers.
	* cipher/Makefile.am (DISTCLEANFILES): Add gost-sb.h.

2015-01-06  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	stribog: Reduce table size to the needed one.
	* cipher/stribog.c (C16): Avoid allocating superfluous space.

	gostr3411-94: Fix the iteration count for length filling loop.
	* cipher/gostr3411-94.c (gost3411_final): Fix loop.

2015-01-05  Werner Koch  <wk@gnupg.org>

	random: Silence warning under NetBSD using rndunix.
	* random/rndunix.c (STDERR_FILENO): Define if needed.
	(start_gatherer): Re-open standard descriptors.  Fix an
	unsigned/signed pointer warning.

	primegen: Fix memory leak for invalid call sequences.
	* cipher/primegen.c (prime_generate_internal): Refactor generator code
	to not leak memory for non-implemented feature.
	(_gcry_prime_group_generator): Refactor to not leak memory for invalid
	args.  Also make sure that R_G is set as soon as possible.

	doc: Update yat2m to current upstream version (GnuPG).

	build: Require automake 1.14.
	* configure.ac (AM_INIT_AUTOMAKE): Add serial-tests.

	Replace camel case of internal scrypt functions.
	* cipher/scrypt.c (_salsa20_core): Rename to salsa20_core.  Change
	callers.
	(_scryptBlockMix): Rename to scrypt_block_mix.  Change callers.
	(_scryptROMix): Rename to scrypt_ro_mix. Change callers.

2015-01-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rmd160: restore native-endian store in _gcry_rmd160_mixblock.
	* cipher/rmd160.c (_gcry_rmd160_mixblock): Store result to buffer in
	native-endianness.

2014-12-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel SSSE3 based vector permutation AES implementation.
	* cipher/Makefile.am: Add 'rijndael-ssse3-amd64.c'.
	* cipher/rijndael-internal.h (USE_SSSE3): New.
	(RIJNDAEL_context_s) [USE_SSSE3]: Add 'use_ssse3'.
	* cipher/rijndael-ssse3-amd64.c: New.
	* cipher/rijndael.c [USE_SSSE3] (_gcry_aes_ssse3_do_setkey)
	(_gcry_aes_ssse3_prepare_decryption, _gcry_aes_ssse3_encrypt)
	(_gcry_aes_ssse3_decrypt, _gcry_aes_ssse3_cfb_enc)
	(_gcry_aes_ssse3_cbc_enc, _gcry_aes_ssse3_ctr_enc)
	(_gcry_aes_ssse3_cfb_dec, _gcry_aes_ssse3_cbc_dec): New.
	(do_setkey): Add HWF check for SSSE3 and setup for SSSE3
	implementation.
	(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Add
	selection for SSSE3 implementation.
	* configure.ac [host=x86_64]: Add 'rijndael-ssse3-amd64.lo'.

2014-12-25  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	random-csprng: fix compiler warnings on ARM.
	* random/random-csprng.c (_gcry_rngcsprng_update_seed_file)
	(read_pool): Cast keypool and rndpool to 'unsigned long *' through
	'void *'.

	scrypt: fix compiler warnings on ARM.
	* cipher/scrypt.c (_scryptBlockMix): Cast X to 'u32 *' through 'void *'.

	secmem: fix compiler warnings on ARM.
	* src/secmem.c (ADDR_TO_BLOCK, mb_get_next, mb_get_new): Cast pointer
	from 'char *' to 'memblock_t *' through 'void *'.
	(MB_WIPE_OUT): Remove unneeded cast to 'memblock_t *'.

	hash: fix compiler warning on ARM.
	* cipher/md.c (md_open, md_copy): Cast 'char *' to ctx through
	'void *'.
	* cipher/md4.c (md4_final): Use buf_put_* helper instead of
	converting 'char *' to 'u32 *'.
	* cipher/md5.c (md5_final): Ditto.
	* cipher/rmd160.c (_gcry_rmd160_mixblock, rmd160_final): Ditto.
	* cipher/sha1.c (sha1_final): Ditto.
	* cipher/sha256.c (sha256_final): Ditto.
	* cipher/sha512.c (sha512_final): Ditto.
	* cipher/tiger.c (tiger_final): Ditto.

	rijndael: fix compiler warnings on ARM.
	* cipher/rijndael-internal.h (RIJNDAEL_context_s): Add u32 variants of
	keyschedule arrays to unions u1 and u2.
	(keyschedenc32, keyscheddec32): New.
	* cipher/rijndael.c (u32_a_t): Remove.
	(do_setkey): Add and use tkk[].data32, k_u32, tk_u32 and W_u32; Remove
	casting byte arrays to u32_a_t.
	(prepare_decryption, do_encrypt_fn, do_decrypt_fn): Use keyschedenc32
	and keyscheddec32; Remove casting byte arrays to u32_a_t.

2014-12-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03
	* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte
	counters for AAD and data in Poly1305.
	* cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove.
	(poly1305_fill_bytecounts, poly1305_do_padding): New.
	(poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD
	length.
	(_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt)
	(_gcry_cipher_poly1305_decrypt): Update AAD and data length separately.
	(_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305.
	(_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset
	AAD and data byte counts; only allow 96-bit IV.
	* cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to
	ChaCha20 cipher.
	* tests/basic.c (_check_poly1305_cipher): Update test-vectors.
	(check_ciphers): Limit Poly1305-AEAD checks to ChaCha20.
	* tests/bench-slope.c (cipher_bench_one): Ditto.

	chacha20: allow setting counter for stream random access.
	* cipher/chacha20.c (CHACHA20_CTR_SIZE): New.
	(chacha20_ivsetup): Add setup for full counter.
	(chacha20_setiv): Allow ivlen == CHACHA20_CTR_SIZE.

	gcm: do not pass extra key pointer for setupM/fillM.
	* cipher/cipher-gcm-intel-pclmul.c
	(_gcry_ghash_setup_intel_pclmul): Remove 'h' parameter.
	* cipher/cipher-gcm.c (_gcry_ghash_setup_intel_pclmul): Ditto.
	(fillM): Get 'h' pointer from 'c'.
	(setupM): Remove 'h' parameter.
	(_gcry_cipher_gcm_setkey): Only pass 'c' to setupM.

	rijndael: use more compact look-up tables and add table prefetching.
	* cipher/rijndael-internal.h (rijndael_prefetchfn_t): New.
	(RIJNDAEL_context): Add 'prefetch_enc_fn' and 'prefetch_dec_fn'.
	* cipher/rijndael-tables.h (S, T1, T2, T3, T4, T5, T6, T7, T8, S5, U1)
	(U2, U3, U4): Remove.
	(encT, dec_tables, decT, inv_sbox): Add.
	* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block, _gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_encrypt_block): Add parameter for passing table pointer
	to assembly implementation.
	(prefetch_table, prefetch_enc, prefetch_dec): New.
	(do_setkey): Setup context prefetch functions depending on selected
	rijndael implementation; Use new tables for key setup.
	(prepare_decryption): Use new tables for decryption key setup.
	(do_encrypt_aligned): Rename to...
	(do_encrypt_fn): ... to this, change to use new compact tables,
	make handle unaligned input and unroll rounds loop by two.
	(do_encrypt): Remove handling of unaligned input/output; pass table
	pointer to assembly implementations.
	(rijndael_encrypt, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec): Prefetch encryption tables
	before encryption.
	(do_decrypt_aligned): Rename to...
	(do_decrypt_fn): ... to this, change to use new compact tables,
	make handle unaligned input and unroll rounds loop by two.
	(do_decrypt): Remove handling of unaligned input/output; pass table
	pointer to assembly implementations.
	(rijndael_decrypt, _gcry_aes_cbc_dec): Prefetch decryption tables
	before decryption.
	* cipher/rijndael-amd64.S: Use 1+1.25 KiB tables for
	encryption+decryption; remove tables from assembly file.
	* cipher/rijndael-arm.S: Ditto.

2014-12-15  Werner Koch  <wk@gnupg.org>

	build: Add configure option --disable-doc.
	* Makefile.am (AUTOMAKE_OPTIONS): Remove.
	(doc) [!BUILD_DOC]: Do not recurse into the dir.
	* configure.ac (AM_INIT_AUTOMAKE): Add option formerly in Makefile.am.
	(BUILD_DOC): Add new am_conditional.

2014-12-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: further optimizations for AES-NI accelerated CBC and CFB bulk modes
	* cipher/rijndael-aesni.c (do_aesni_enc, do_aesni_dec): Pass
	input/output through SSE register XMM0.
	(do_aesni_cfb): Remove.
	(_gcry_aes_aesni_encrypt, _gcry_aes_aesni_decrypt): Add loading/storing
	input/output to/from XMM0.
	(_gcry_aes_aesni_cfb_enc, _gcry_aes_aesni_cbc_enc)
	(_gcry_aes_aesni_cfb_dec): Update to use renewed 'do_aesni_enc' and
	move IV loading/storing outside loop.
	(_gcry_aes_aesni_cbc_dec): Update to use renewed 'do_aesni_dec'.

	GCM: move Intel PCLMUL accelerated implementation to separate file.
	* cipher/Makefile.am: Add 'cipher-gcm-intel-pclmul.c'.
	* cipher/cipher-gcm-intel-pclmul.c: New.
	* cipher/cipher-gcm.c [GCM_USE_INTEL_PCLMUL]
	(_gcry_ghash_setup_intel_pclmul, _gcry_ghash_intel_pclmul): New
	prototypes.
	[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul, gfmul_pclmul_aggr4): Move
	to 'cipher-gcm-intel-pclmul.c'.
	(ghash): Rename to...
	(ghash_internal): ...this and move GCM_USE_INTEL_PCLMUL part to new
	function in 'cipher-gcm-intel-pclmul.c'.
	(setupM): Move GCM_USE_INTEL_PCLMUL part to new function in
	'cipher-gcm-intel-pclmul.c'; Add selection of ghash function based
	on available HW acceleration.
	(do_ghash_buf): Change use of 'ghash' to 'c->u_mode.gcm.ghash_fn'.
	* cipher/internal.h (ghash_fn_t): New.
	(gcry_cipher_handle): Remove 'use_intel_pclmul'; Add 'ghash_fn'.

2014-12-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: split Padlock part to separate file.
	* cipher/Makefile.am: Add 'rijndael-padlock.c'.
	* cipher/rijndael-padlock.c: New.
	* cipher/rijndael.c (do_padlock, do_padlock_encrypt)
	(do_padlock_decrypt): Move to 'rijndael-padlock.c'.
	* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-padlock.lo'.

2014-12-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: refactor to reduce number of #ifdefs and branches.
	* cipher/rijndael-aesni.c (_gcry_aes_aesni_encrypt)
	(_gcry_aes_aesni_decrypt): Make return stack burn depth.
	* cipher/rijndael-amd64.S (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block): Ditto.
	* cipher/rijndael-arm.S (_gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_decrypt_block): Ditto.
	* cipher/rijndael-internal.h (RIJNDAEL_context_s)
	(rijndael_cryptfn_t): New.
	(RIJNDAEL_context): New members 'encrypt_fn' and 'decrypt_fn'.
	* cipher/rijndael.c (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block, _gcry_aes_aesni_encrypt)
	(_gcry_aes_aesni_decrypt, _gcry_aes_arm_encrypt_block)
	(_gcry_aes_arm_decrypt_block): Change prototypes.
	(do_padlock_encrypt, do_padlock_decrypt): New.
	(do_setkey): Separate key-length to rounds conversion from
	HW features check; Add selection for ctx->encrypt_fn and
	ctx->decrypt_fn.
	(do_encrypt_aligned, do_decrypt_aligned): Move inside
	'[!USE_AMD64_ASM && !USE_ARM_ASM]'; Move USE_AMD64_ASM and
	USE_ARM_ASM to...
	(do_encrypt, do_decrypt): ...here; Return stack depth; Remove second
	temporary buffer from non-aligned input/output case.
	(do_padlock): Move decrypt_flag to last argument; Return stack depth.
	(rijndael_encrypt): Remove #ifdefs, just call ctx->encrypt_fn.
	(_gcry_aes_cfb_enc, _gcry_aes_cbc_enc): Remove USE_PADLOCK; Call
	ctx->encrypt_fn in place of do_encrypt/do_encrypt_aligned.
	(_gcry_aes_ctr_enc): Call ctx->encrypt_fn in place of
	do_encrypt_aligned; Make tmp buffer 16-byte aligned and wipe buffer
	after use.
	(rijndael_encrypt): Remove #ifdefs, just call ctx->decrypt_fn.
	(_gcry_aes_cfb_dec): Remove USE_PADLOCK; Call ctx->decrypt_fn in place
	of do_decrypt/do_decrypt_aligned.
	(_gcry_aes_cbc_dec): Ditto; Make savebuf buffer 16-byte aligned.

	rijndael: move AES-NI blocks before Padlock.
	* cipher/rijndael.c (do_setkey, rijndael_encrypt, _gcry_aes_cfb_enc)
	(rijndael_decrypt, _gcry_aes_cfb_dec): Move USE_AESNI before
	USE_PADLOCK.
	(check_decryption_praparation) [USE_PADLOCK]: Move to...
	(prepare_decryption) [USE_PADLOCK]: ...here.

	rijndael: split AES-NI functions to separate file.
	* cipher/Makefile.in: Add 'rijndael-aesni.c'.
	* cipher/rijndael-aesni.c: New.
	* cipher/rijndael-internal.h: New.
	* cipher/rijndael.c (MAXKC, MAXROUNDS, BLOCKSIZE, ATTR_ALIGNED_16)
	(USE_AMD64_ASM, USE_ARM_ASM, USE_PADLOCK, USE_AESNI, RIJNDAEL_context)
	(keyschenc, keyschdec, padlockkey): Move to 'rijndael-internal.h'.
	(u128_s, aesni_prepare, aesni_cleanup, aesni_cleanup_2_6)
	(aesni_do_setkey, do_aesni_enc, do_aesni_dec, do_aesni_enc_vec4)
	(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Move
	to 'rijndael-aesni.c'.
	(prepare_decryption, rijndael_encrypt, _gcry_aes_cfb_enc)
	(_gcry_aes_cbc_enc, _gcry_aes_ctr_enc, rijndael_decrypt)
	(_gcry_aes_cfb_dec, _gcry_aes_cbc_dec) [USE_AESNI]: Move to functions
	in 'rijndael-aesni.c'.
	* configure.ac [mpi_cpu_arch=x86]: Add 'rijndael-aesni.lo'.

2014-11-24  Werner Koch  <wk@gnupg.org>

	Remove duplicated prototypes.
	* src/gcrypt-int.h (_gcry_mpi_ec_new, _gcry_mpi_ec_set_mpi)
	(gcry_mpi_ec_set_point): Remove.

	tests: Add a prime mode to benchmark.
	* tests/benchmark.c (progress_cb): Add a single char mode.
	(prime_bench): New.
	(main): Add a "prime" mode.  Factor with_progress out to file scope.

2014-11-19  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Improve Montgomery curve implementation.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Support
	MPI_EC_MONTGOMERY.
	* cipher/ecc.c (test_ecdh_only_keys): New.
	(nist_generate_key): Call test_ecdh_only_keys for MPI_EC_MONTGOMERY.
	(check_secret_key): Handle Montgomery curve of x-coordinate only.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Resize points before the loop.
	Simplify, using pointers of Q1, Q2, PRD, and SUM.

2014-11-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disable NEON for CPUs that are known to have broken NEON implementation.
	* src/hwf-arm.c (detect_arm_proc_cpuinfo): Add parsing for CPU version
	information and check if CPU is known to have broken NEON
	implementation.
	(_gcry_hwf_detect_arm): Filter out broken HW features.

	Add ARM/NEON implementation of Poly1305.
	* cipher/Makefile.am: Add 'poly1305-armv7-neon.S'.
	* cipher/poly1305-armv7-neon.S: New.
	* cipher/poly1305-internal.h (POLY1305_USE_NEON)
	(POLY1305_NEON_BLOCKSIZE, POLY1305_NEON_STATESIZE)
	(POLY1305_NEON_ALIGNMENT): New.
	* cipher/poly1305.c [POLY1305_USE_NEON]
	(_gcry_poly1305_armv7_neon_init_ext)
	(_gcry_poly1305_armv7_neon_finish_ext)
	(_gcry_poly1305_armv7_neon_blocks, poly1305_armv7_neon_ops): New.
	(_gcry_poly1305_init) [POLY1305_USE_NEON]: Select NEON implementation
	if HWF_ARM_NEON set.
	* configure.ac [neonsupport=yes]: Add 'poly1305-armv7-neon.lo'.

	chacha20: add ARMv7/NEON implementation.
	* cipher/Makefile.am: Add 'chacha20-armv7-neon.S'.
	* cipher/chacha20-armv7-neon.S: New.
	* cipher/chacha20.c (USE_NEON): New.
	[USE_NEON] (_gcry_chacha20_armv7_neon_blocks): New.
	(chacha20_do_setkey) [USE_NEON]: Use Neon implementation if
	HWF_ARM_NEON flag set.
	(selftest): Self-test encrypting buffer byte by byte.
	* configure.ac [neonsupport=yes]: Add 'chacha20-armv7-neon.lo'.

2014-10-08  Markus Teich  <markus.teich@stusta.mhn.de>

	mpi: Add gcry_mpi_ec_sub.
	* NEWS (gcry_mpi_ec_sub): New.
	* doc/gcrypt.texi (gcry_mpi_ec_sub): New.
	* mpi/ec.c (_gcry_mpi_ec_sub, sub_points_edwards): New.
	(sub_points_montgomery, sub_points_weierstrass): New stubs.
	* src/gcrypt-int.h (_gcry_mpi_ec_sub): New.
	* src/gcrypt.h.in (gcry_mpi_ec_sub): New.
	* src/libgcrypt.def (gcry_mpi_ec_sub): New.
	* src/libgcrypt.vers (gcry_mpi_ec_sub): New.
	* src/mpi.h (_gcry_mpi_ec_sub_points): New.
	* src/visibility.c (gcry_mpi_ec_sub): New.
	* src/visibility.h (gcry_mpi_ec_sub): New.

2014-10-08  Werner Koch  <wk@gnupg.org>

	Fix prime test for 2 and lower and add check command to mpicalc.
	* cipher/primegen.c (check_prime): Return true for the small primes.
	(_gcry_prime_check): Return correct values for 2 and lower numbers.

	* src/mpicalc.c (do_primecheck): New.
	(main): Add command 'P'.
	(main): Allow for larger input data.

2014-10-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Whirlpool AMD64/SSE2 assembly implementation.
	* cipher/Makefile.am: Add 'whirlpool-sse2-amd64.S'.
	* cipher/whirlpool-sse2-amd64.S: New.
	* cipher/whirlpool.c (USE_AMD64_ASM): New.
	(whirlpool_tables_s): New.
	(rc, C0, C1, C2, C3, C4, C5, C6, C7): Combine these tables into single
	structure and replace old tables with macros of same name.
	(tab): New structure containing above tables.
	[USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64)
	(whirlpool_transform): New.
	* configure.ac [host=x86_64]: Add 'whirlpool-sse2-amd64.lo'.

2014-10-04  Andrei Scherer  <andsch@inbox.com>

	Improved ripemd160 performance.
	* cipher/rmd160.c (transform): Interleave the left and right lane
	rounds to introduce more instruction level parallelism.

2014-10-02  Werner Koch  <wk@gnupg.org>

	build: Document SYSROOT.
	* configure.ac: Mark SYSROOT as arg var.

	build: Support SYSROOT based config script finding.
	* src/libgcrypt.m4: Add support for SYSROOT and set
	gpg_config_script_warn.  Use AC_PATH_PROG instead of AC_PATH_TOOL
	because the config script is not expected to be installed with a
	prefix for its name.
	* configure.ac: Print a library mismatch warning.
	* m4/gpg-error.m4: Update from git master.

2014-09-30  Werner Koch  <wk@gnupg.org>

	mac: Fix gcry_mac_close to allow for a NULL handle.
	* cipher/mac.c (_gcry_mac_close): Check for NULL.

2014-09-03  Werner Koch  <wk@gnupg.org>

	Add a constant for a forthcoming new RNG.
	* src/gcrypt.h.in (GCRYCTL_DRBG_REINIT): New constant.

2014-09-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add new Poly1305 MAC test vectors.
	* tests/basic.c (check_mac): Add new test vectors for Poly1305 MAC.

2014-09-02  Werner Koch  <wk@gnupg.org>

	asm: Allow building x86 and amd64 using old compilers.
	* src/hwf-x86.c (get_xgetbv): Build only if AVX support is enabled.

2014-08-21  Werner Koch  <wk@gnupg.org>

	sexp: Check args of gcry_sexp_build.
	* src/sexp.c (do_vsexp_sscan): Return error for invalid args.

	cipher: Fix a segv in case of calling with wrong parameters.
	* cipher/md.c (_gcry_md_info): Fix arg testing.

	cipher: Fix possible NULL deref in call to prime generator.
	* cipher/primegen.c (_gcry_generate_elg_prime): Change to return an
	error code.
	* cipher/dsa.c (generate): Take care of new return code.
	* cipher/elgamal.c (generate): Change to return an error code.  Take
	care of _gcry_generate_elg_prime return code.
	(generate_using_x): Take care of _gcry_generate_elg_prime return code.
	(elg_generate): Propagate return code from generate.

2014-08-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support Montgomery curve for gcry_mpi_ec_mul_point.
	* mpi/ec.c (_gcry_mpi_ec_get_affine): Support Montgomery curve.
	(montgomery_ladder): New.
	(_gcry_mpi_ec_mul_point): Implementation using montgomery_ladder.
	(_gcry_mpi_ec_curve_point): Check x-coordinate is valid.

2014-08-09  Werner Koch  <wk@gnupg.org>

	tests: Add a benchmark for Elgamal.
	* tests/benchmark.c (sample_public_elg_key_1024): New.
	(sample_private_elg_key_1024): New.
	(sample_public_elg_key_2048, sample_private_elg_key_2048): New.
	(sample_public_elg_key_3072, sample_private_elg_key_3072): New.
	(elg_bench): New.
	(main): Add elg_bench.  Add commands "elg" and "public".

2014-08-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add cofactor to domain parameters.
	* src/ec-context.h (mpi_ec_ctx_s): Add cofactor 'h'.
	* cipher/ecc-common.h (elliptic_curve_t): Add cofactor 'h'.
	(_gcry_ecc_update_curve_param): New API adding cofactor.

	* cipher/ecc-curves.c (ecc_domain_parms_t): Add cofactor 'h'.
	(ecc_domain_parms_t domain_parms): Add cofactors.
	(_gcry_ecc_fill_in_curve, _gcry_ecc_update_curve_param)
	(_gcry_ecc_get_curve, _gcry_mpi_ec_new, _gcry_ecc_get_param_sexp)
	(_gcry_ecc_get_mpi): Handle cofactor.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Likewise.
	* cipher/ecc-misc.c (_gcry_ecc_curve_free)
	(_gcry_ecc_curve_copy): Likewise.
	* cipher/ecc.c (nist_generate_key, ecc_generate)
	(ecc_check_secret_key, ecc_sign, ecc_verify, ecc_encrypt_raw)
	(ecc_decrypt_raw, _gcry_pk_ecc_get_sexp, _gcry_pubkey_spec_ecc):
	Likewise.
	(compute_keygrip): Handle cofactor, but skip it for its computation.
	* mpi/ec.c (ec_deinit): Likewise.
	* tests/t-mpi-point.c (context_param): Likewise.
	(test_curve): Add cofactors.
	* tests/curves.c (sample_key_1, sample_key_2): Add cofactors.
	* tests/keygrip.c (key_grips): Add cofactors.

2014-08-05  Werner Koch  <wk@gnupg.org>

	mpi: Fix regression for powerpc-apple-darwin detection.
	* mpi/config.links: Add separate entry for powerpc-apple-darwin.

	Fix bug inhibiting the use of the sentinel attribute.
	* src/gcrypt.h.in: Fix typo in macro.

	mpi: Use BSD syntax for x86_64-apple-darwin.
	* mpi/config.links: Add case for x86_64-apple-darwin.

2014-08-05  Kristian Fiskerstrand  <kf@sumptuouscapital.com>

	Fix building for the x32 target without asm modules.
	* mpi/generic/mpi-asm-defs.h: Use a fixed value for the x32 ABI.

2014-07-25  Werner Koch  <wk@gnupg.org>

	ecc: Support the non-standard 0x40 compression flag for EdDSA.
	* cipher/ecc.c (ecc_generate): Check the "comp" flag for EdDSA.
	* cipher/ecc-eddsa.c (eddsa_encode_x_y): Add arg WITH_PREFIX.
	(_gcry_ecc_eddsa_encodepoint): Ditto.
	(_gcry_ecc_eddsa_ensure_compact): Handle the 0x40 compression prefix.
	(_gcry_ecc_eddsa_decodepoint): Ditto.
	* tests/keygrip.c: Check a compressed with prefix Ed25519 key.
	* tests/t-ed25519.inp: Ditto.

	mpi: Extend the internal mpi_get_buffer.
	* mpi/mpicoder.c (do_get_buffer): Add arg EXTRAALLOC.
	(_gcry_mpi_get_buffer_extra): New.

	cipher: Fix compiler warning for chacha20.
	* cipher/chacha20.c (chacha20_blocks) [!USE_SSE2]: Do not build.

2014-07-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_swap_cond.
	* mpi/mpiutil.c (_gcry_mpi_swap_cond): New.
	* src/mpi.h (mpi_swap_cond): New.

2014-06-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Speed-up SHA-1 NEON assembly implementation.
	* cipher/sha1-armv7-neon.S: Tweak implementation for speed-up.

2014-06-28  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	gostr3411_94: rewrite to use u32 mathematics.
	* cipher/gost28147.c (_gcry_gost_enc_data): New.
	* cipher/gostr3411-94.c: Rewrite implementation to use u32 mathematics
	internally.
	* cipher/gost28147.c (_gcry_gost_enc_one): Remove.

	gost28147: use bufhelp helpers.
	* cipher/gost28147.c (gost_setkey, gost_encrypt_block, gost_decrypt_block):
	use buf_get_le32/buf_put_le32 helpers.

	Fixup curve name in the GOST2012 test case.
	* tests/basic.c (check_pubkey): fixup curve name in public key.

	Update PBKDF2 tests with GOST R 34.11-94 test cases.
	* tests/t-kdf.c (check_pbkdf2): Add MD_GOSTR3411_CP test cases.

	Add GOST R 34.11-94 variant using id-GostR3411-94-CryptoProParamSet.
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_CP): New.
	* src/cipher.h (_gcry_digest_spec_gost3411_cp): New.
	* cipher/gost28147.c (_gcry_gost_enc_one): Differentiate between
	CryptoPro and Test S-Boxes.
	* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_cp,
	gost3411_cp_init): New.
	* cipher/md.c (md_open): GCRY_MD_GOSTR3411_CP also uses B=32.

	gost28147: support GCRYCTL_SET_SBOX.
	* cipher/gost28147.c (gost_set_extra_info, gost_set_sbox): New.

	Support setting s-box for the ciphers that require it.
	* src/gcrypt.h.in (GCRYCTL_SET_SBOX, gcry_cipher_set_sbox): New.
	* cipher/cipher.c (_gcry_cipher_ctl): pass GCRYCTL_SET_SBOX to
	set_extra_info callback.

	cipher/gost28147: generate optimized s-boxes from compact ones.
	* cipher/gost-s-box.c: New. Outputs optimized expanded representation of
	s-boxes (4x256) from compact 16x8 representation.
	* cipher/Makefile.am: Add gost-sb.h dependency to gost28147.lo.
	* cipher/gost.h: Add sbox to the GOST28147_context structure.
	* cipher/gost28147.c (gost_setkey): Set default s-box to test s-box from
	GOST R 34.11 (this was the only one S-box before).
	* cipher/gost28147.c (gost_val): Use sbox from the context.

	gost28147: add OIDs used to define cipher mode.
	* cipher/gost28147 (oids_gost28147): Add OID from RFC4357.

	GOST R 34.11-94 add OIDs.
	* cipher/gostr3411-94.c: Add OIDs for GOST R 34.11-94 from RFC 4357.

2014-05-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	tests: add larger test-vectors for hash algorithms.
	* tests/basic.c (check_digests): Add large test-vectors for MD5, SHA1,
	SHA224, SHA256, SHA384, RMD160, CRC32, TIGER1, WHIRLPOOL and
	GOSTR3411_94.

	sha512: fix ARM/NEON implementation.
	* cipher/sha512-armv7-neon.S
	(_gcry_sha512_transform_armv7_neon): Byte-swap RW67q and RW1011q
	correctly in multi-block loop.
	* tests/basic.c (check_digests): Add large test vector for SHA512.

2014-05-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARM assembly when building __PIC__.
	* cipher/camellia-arm.S (GET_DATA_POINTER): New.
	(_gcry_camellia_arm_encrypt_block): Use GET_DATA_POINTER.
	(_gcry_camellia_arm_decrypt_block): Ditto.
	* cipher/cast5-arm.S (GET_DATA_POINTER): New.
	(_gcry_cast5_arm_encrypt_block, _gcry_cast5_arm_decrypt_block)
	(_gcry_cast5_arm_enc_blk2, _gcry_cast5_arm_dec_blk2): Use
	GET_DATA_POINTER.
	* cipher/rijndael-arm.S (GET_DATA_POINTER): New.
	(_gcry_aes_arm_encrypt_block, _gcry_aes_arm_decrypt_block): Use
	GET_DATA_POINTER.
	* cipher/sha1-armv7-neon.S (GET_DATA_POINTER): New.
	(.LK_VEC): Move from .text to .data section.
	(_gcry_sha1_transform_armv7_neon): Use GET_DATA_POINTER.

2014-05-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Poly1305 to documentation.
	* doc/gcrypt.texi: Add documentation for Poly1305 MACs and AEAD mode.

2014-05-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: add SSE2/AMD64 optimized implementation.
	* cipher/Makefile.am: Add 'chacha20-sse2-amd64.S'.
	* cipher/chacha20-sse2-amd64.S: New.
	* cipher/chacha20.c (USE_SSE2): New.
	[USE_SSE2] (_gcry_chacha20_amd64_sse2_blocks): New.
	(chacha20_do_setkey) [USE_SSE2]: Use SSE2 implementation for blocks
	function.
	* configure.ac [host=x86-64]: Add 'chacha20-sse2-amd64.lo'.

	poly1305: add AMD64/AVX2 optimized implementation.
	* cipher/Makefile.am: Add 'poly1305-avx2-amd64.S'.
	* cipher/poly1305-avx2-amd64.S: New.
	* cipher/poly1305-internal.h (POLY1305_USE_AVX2)
	(POLY1305_AVX2_BLOCKSIZE, POLY1305_AVX2_STATESIZE)
	(POLY1305_AVX2_ALIGNMENT): New.
	(POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE)
	(POLY1305_STATE_ALIGNMENT): Use AVX2 versions when needed.
	* cipher/poly1305.c [POLY1305_USE_AVX2]
	(_gcry_poly1305_amd64_avx2_init_ext)
	(_gcry_poly1305_amd64_avx2_finish_ext)
	(_gcry_poly1305_amd64_avx2_blocks, poly1305_amd64_avx2_ops): New.
	(_gcry_poly1305_init) [POLY1305_USE_AVX2]: Use AVX2 implementation if
	AVX2 supported by CPU.
	* configure.ac [host=x86_64]: Add 'poly1305-avx2-amd64.lo'.

2014-05-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	poly1305: add AMD64/SSE2 optimized implementation.
	* cipher/Makefile.am: Add 'poly1305-sse2-amd64.S'.
	* cipher/poly1305-internal.h (POLY1305_USE_SSE2)
	(POLY1305_SSE2_BLOCKSIZE, POLY1305_SSE2_STATESIZE)
	(POLY1305_SSE2_ALIGNMENT): New.
	(POLY1305_LARGEST_BLOCKSIZE, POLY1305_LARGEST_STATESIZE)
	(POLY1305_STATE_ALIGNMENT): Use SSE2 versions when needed.
	* cipher/poly1305-sse2-amd64.S: New.
	* cipher/poly1305.c [POLY1305_USE_SSE2]
	(_gcry_poly1305_amd64_sse2_init_ext)
	(_gcry_poly1305_amd64_sse2_finish_ext)
	(_gcry_poly1305_amd64_sse2_blocks, poly1305_amd64_sse2_ops): New.
	(_gcry_poly1305_init) [POLY1305_USE_SSE2]: Use SSE2 version.
	* configure.ac [host=x86_64]: Add 'poly1305-sse2-amd64.lo'.

	Add Poly1305 based cipher AEAD mode.
	* cipher/Makefile.am: Add 'cipher-poly1305.c'.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.poly1305'.
	(_gcry_cipher_poly1305_encrypt, _gcry_cipher_poly1305_decrypt)
	(_gcry_cipher_poly1305_setiv, _gcry_cipher_poly1305_authenticate)
	(_gcry_cipher_poly1305_get_tag, _gcry_cipher_poly1305_check_tag): New.
	* cipher/cipher-poly1305.c: New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_reset, cipher_encrypt, cipher_decrypt, _gcry_cipher_setiv)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag): Handle 'GCRY_CIPHER_MODE_POLY1305'.
	(cipher_setiv): Move handling of 'GCRY_CIPHER_MODE_GCM' to ...
	(_gcry_cipher_setiv): ... here, as with other modes.
	* src/gcrypt.h.in: Add 'GCRY_CIPHER_MODE_POLY1305'.
	* tests/basic.c (_check_poly1305_cipher, check_poly1305_cipher): New.
	(check_ciphers): Add Poly1305 check.
	(check_cipher_modes): Call 'check_poly1305_cipher'.
	* tests/bench-slope.c (bench_gcm_encrypt_do_bench): Rename to
	bench_aead_... and take nonce as argument.
	(bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench): Ditto.
	(bench_gcm_encrypt_do_bench, bench_gcm_decrypt_do_bench)
	(bench_gcm_authenticate_do_bench, bench_poly1305_encrypt_do_bench)
	(bench_poly1305_decrypt_do_bench)
	(bench_poly1305_authenticate_do_bench, poly1305_encrypt_ops)
	(poly1305_decrypt_ops, poly1305_authenticate_ops): New.
	(cipher_modes): Add Poly1305.
	(cipher_bench_one): Add special handling for Poly1305.

	Add Poly1305-AES (-Camellia, etc) MACs.
	* cipher/mac-internal.h (_gcry_mac_type_spec_poly1305_aes)
	(_gcry_mac_type_spec_poly1305_camellia)
	(_gcry_mac_type_spec_poly1305_twofish)
	(_gcry_mac_type_spec_poly1305_serpent)
	(_gcry_mac_type_spec_poly1305_seed): New.
	* cipher/mac-poly1305.c (poly1305mac_context_s): Add 'hd' and
	'nonce_set'.
	(poly1305mac_open, poly1305mac_close, poly1305mac_setkey): Add handling
	for Poly1305-*** MACs.
	(poly1305mac_prepare_key, poly1305mac_setiv): New.
	(poly1305mac_reset, poly1305mac_write, poly1305mac_read): Add handling
	for 'nonce_set'.
	(poly1305mac_ops): Add 'poly1305mac_setiv'.
	(_gcry_mac_type_spec_poly1305_aes)
	(_gcry_mac_type_spec_poly1305_camellia)
	(_gcry_mac_type_spec_poly1305_twofish)
	(_gcry_mac_type_spec_poly1305_serpent)
	(_gcry_mac_type_spec_poly1305_seed): New.
	* cipher/mac.c (mac_list): Add Poly1305-AES, Poly1305-Twofish,
	Poly1305-Serpent, Poly1305-SEED and Poly1305-Camellia.
	* src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305_AES',
	'GCRY_MAC_POLY1305_CAMELLIA', 'GCRY_MAC_POLY1305_TWOFISH',
	'GCRY_MAC_POLY1305_SERPENT' and 'GCRY_MAC_POLY1305_SEED'.
	* tests/basic.c (check_mac): Add Poly1305-AES test vectors.
	* tests/bench-slope.c (bench_mac_init): Set IV for Poly1305-*** MACs.
	* tests/bench-slope.c (mac_bench): Set IV for Poly1305-*** MACs.

	Add Poly1305 MAC.
	* cipher/Makefile.am: Add 'mac-poly1305.c', 'poly1305.c' and
	'poly1305-internal.h'.
	* cipher/mac-internal.h (poly1305mac_context_s): New.
	(gcry_mac_handle): Add 'u.poly1305mac'.
	(_gcry_mac_type_spec_poly1305mac): New.
	* cipher/mac-poly1305.c: New.
	* cipher/mac.c (mac_list): Add Poly1305.
	* cipher/poly1305-internal.h: New.
	* cipher/poly1305.c: New.
	* src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305'.
	* tests/basic.c (check_mac): Add Poly1305 test vectors; Allow
	overriding lengths of data and key buffers.
	* tests/bench-slope.c (mac_bench): Increase max algo number from 500 to
	600.
	* tests/benchmark.c (mac_bench): Ditto.

	chacha20/AVX2: clear upper halves of YMM registers on entry.
	* cipher/chacha20-avx2-amd64.S (_gcry_chacha20_amd64_avx2_blocks): Add
	'vzeroupper' at beginning.

	chacha20/AVX2: check for ENABLE_AVX2_SUPPORT instead of HAVE_GCC_INLINE_ASM_AVX2.
	* cipher/chacha20.c (USE_AVX2): Enable depending on
	ENABLE_AVX2_SUPPORT, not HAVE_GCC_INLINE_ASM_AVX2.
	* cipher/chacha20-avx2-amd64.S: Ditto.

	chacha20/SSSE3: clear XMM registers after use.
	* cipher/chacha20-ssse3-amd64.S (_gcry_chacha20_amd64_ssse3_blocks): On
	return, clear XMM registers.

2014-05-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: add AVX2/AMD64 assembly implementation.
	* cipher/Makefile.am: Add 'chacha20-avx2-amd64.S'.
	* cipher/chacha20-avx2-amd64.S: New.
	* cipher/chacha20.c (USE_AVX2): New macro.
	[USE_AVX2] (_gcry_chacha20_amd64_avx2_blocks): New.
	(chacha20_do_setkey): Select AVX2 implementation if there is HW
	support.
	(selftest): Increase size of buf by 256.
	* configure.ac [host=x86-64]: Add 'chacha20-avx2-amd64.lo'.

	chacha20: add SSSE3 assembly implementation.
	* cipher/Makefile.am: Add 'chacha20-ssse3-amd64.S'.
	* cipher/chacha20-ssse3-amd64.S: New.
	* cipher/chacha20.c (USE_SSSE3): New macro.
	[USE_SSSE3] (_gcry_chacha20_amd64_ssse3_blocks): New.
	(chacha20_do_setkey): Select SSSE3 implementation if there is HW
	support.
	* configure.ac [host=x86-64]: Add 'chacha20-ssse3-amd64.lo'.

	Add ChaCha20 stream cipher.
	* cipher/Makefile.am: Add 'chacha20.c'.
	* cipher/chacha20.c: New.
	* cipher/cipher.c (cipher_list): Add ChaCha20.
	* configure.ac: Add ChaCha20.
	* doc/gcrypt.texi: Add ChaCha20.
	* src/cipher.h (_gcry_cipher_spec_chacha20): New.
	* src/gcrypt.h.in (GCRY_CIPHER_CHACHA20): Add new algo.
	* tests/basic.c (MAX_DATA_LEN): Increase to 128 from 100.
	(check_stream_cipher): Add ChaCha20 test-vectors.
	(check_ciphers): Add ChaCha20.

2014-05-09  Werner Koch  <wk@gnupg.org>

	mpi: Fix a subtle bug setting spurious bits in mpi_set_bit.
	* mpi/mpi-bit.c (_gcry_mpi_set_bit, _gcry_mpi_set_highbit): Clear
	allocated but not used bits before resizing.
	* tests/t-mpi-bits.c (set_bit_with_resize): New.

2014-05-07  Werner Koch  <wk@gnupg.org>

	Bump LT version.
	* configure.ac: Bump LT version to C21/A1/R0.

2014-04-22  Werner Koch  <wk@gnupg.org>

	random: Small patch for consistency and really burn the stack.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): s/int/size_t/.
	(_gcry_rndlinux_gather_random): Replace memset by wipememory.

2014-04-16  Werner Koch  <wk@gnupg.org>

	pubkey: Re-map all deprecated RSA algo numbers.
	* cipher/pubkey.c (map_algo): Map RSA_E and RSA_S.

2014-04-15  Werner Koch  <wk@gnupg.org>

	cipher: Fix possible NULL dereference.
	* cipher/md.c (_gcry_md_selftest): Check for spec being NULL.

2014-03-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	3des: add amd64 assembly implementation for 3DES.
	* cipher/Makefile.am: Add 'des-amd64.S'.
	* cipher/cipher-selftests.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Handle failures
	from 'setkey' function.
	* cipher/cipher.c (_gcry_cipher_open_internal) [USE_DES]: Setup bulk
	functions for 3DES.
	* cipher/des-amd64.S: New file.
	* cipher/des.c (USE_AMD64_ASM, ATTR_ALIGNED_16): New macros.
	[USE_AMD64_ASM] (_gcry_3des_amd64_crypt_block)
	(_gcry_3des_amd64_ctr_enc, _gcry_3des_amd64_cbc_dec)
	(_gcry_3des_amd64_cfb_dec): New prototypes.
	[USE_AMD64_ASM] (tripledes_ecb_crypt): New function.
	(TRIPLEDES_ECB_BURN_STACK): New macro.
	(_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec)
	(bulk_selftest_setkey, selftest_ctr, selftest_cbc, selftest_cfb): New
	functions.
	(selftest): Add call to CTR, CBC and CFB selftest functions.
	(do_tripledes_encrypt, do_tripledes_decrypt): Use
	TRIPLEDES_ECB_BURN_STACK.
	* configure.ac [host=x86-64]: Add 'des-amd64.lo'.
	* src/cipher.h (_gcry_3des_ctr_enc, _gcry_3des_cbc_dec)
	(_gcry_3des_cfb_dec): New prototypes.

2014-03-13  Werner Koch  <wk@gnupg.org>

	tests: Print diagnostics for skipped tests.
	* tests/basic.c (show_note): New.
	(show_md_not_available):
	(show_old_hmac_not_available):
	(show_mac_not_available):
	(check_digests): Remove USE_foo cpp tests from the test table.  Call
	show_md_not_available if algo is not available.
	(check_hmac): Likewise.
	(check_mac): Likewise.

2014-03-11  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add MD2 message digest implementation.
	* cipher/md2.c: New.
	* cipher/md.c (digest_list): add _gcry_digest_spec_md2.
	* tests/basic.c (check_digests): add MD2 test vectors.
	* configure.ac (default_digests): disable md2 by default.

2014-03-04  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add a utility to calculate hashes over a set of files.
	* tests/gchash.c: New.

	Add a simple (raw) PKCS#1 padding mode.
	* src/cipher.h (PUBKEY_ENC_PKCS1_RAW): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Handle pkcs1-raw
	  flag.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi):
	  Handle s-exp like (data (flags pkcs1-raw) (value xxxxx)).
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_encode_raw_for_sig):
	  PKCS#1-encode data with embedded hash OID for signature verification.
	* tests/basic.c (check_pubkey_sign): Add tests for s-exps with pkcs1-raw
	  flag.

2014-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARMv6 detection when CFLAGS modify target CPU architecture.
	* configure.ac (gcry_cv_cc_arm_arch_is_v6): Use compiler test instead
	of preprocessor test.

2014-01-29  Werner Koch  <wk@gnupg.org>

	Reserve control code for FIPS extensions.
	* src/gcrypt.h.in (GCRYCTL_INACTIVATE_FIPS_FLAG): New.
	(GCRYCTL_REACTIVATE_FIPS_FLAG): New.
	* src/global.c (_gcry_vcontrol): Add them but return not_implemented.

2014-01-29  NIIBE Yutaka  <gniibe@fsij.org>

	Fix RSA Blinding.
	* cipher/rsa.c (rsa_decrypt): Loop to get multiplicative inverse.

2014-01-28  Werner Koch  <wk@gnupg.org>

	cipher: Take care of ENABLE_NEON_SUPPORT.
	* cipher/salsa20.c (USE_ARM_NEON_ASM): Define only if
	ENABLE_NEON_SUPPORT is defined.
	* cipher/serpent.c (USE_NEON): Ditto.
	* cipher/sha1.c (USE_NEON): Ditto.
	* cipher/sha512.c (USE_ARM_NEON_ASM): Ditto.

	sexp: Fix broken gcry_sexp_nth.
	* src/sexp.c (_gcry_sexp_nth): Return a valid S-expression for a data
	element.
	(NODE): Remove unused typedef.
	(ST_HINT): Comment unused macro.

	* tests/t-sexp.c (bug_1594): New.
	(main): Run new test.

2014-01-27  Werner Koch  <wk@gnupg.org>

	tests: Improve t-common.h.
	* tests/t-common.h: Add a couple of macros.  Check that config.h has
	been included.
	(show): Rename to info.
	* tests/t-lock.c, tests/t-sexp.c: Adjust for changes.

	mpi: Minor fix for Atari-mint.
	* mpi/config.links [m68k-atari-mint]: Do not assume 68020.  Suggested
	by Alan Hourihane.

	(cherry picked from commit 420f42a5752e90a8b27d58ffa1ddfe6e4ab341e8)

2014-01-27  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix most of memory leaks in tests code.
	* tests/basic.c (check_ccm_cipher): Close cipher after use.
	* tests/basic.c (check_one_cipher): Correct length of used buffer.
	* tests/benchmark.c (cipher_bench): Use xcalloc to make buffer
	  initialized.
	* tests/keygen.c (check_ecc_keys): Release generated key.
	* tests/t-mpi-point.c (context_param): Release mpi Q.
	* tests/t-sexp.c (check_extract_param): Release extracted number.

	Fix memory leaks in ecc code.
	* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): Release passed mpi
	  values.
	* cipher/ecc.c (compute_keygrip): Fix potential memory leak in error
	  path.
	* cipher/ecc.c (_gcry_ecc_get_curve): Release temporary mpi.

	Fix number of blocks passed in _gcry_rmd160_mixblock.
	* cipher/rmd160.c (_gcry_rmd160_mixblock): Pass 1 to transform.

2014-01-27  Werner Koch  <wk@gnupg.org>

	Small Windows build tweaks.
	* configure.ac (HAVE_PTHREAD): Do test when building for Windows.

	* tests/basic.c: Replace "%zi" by "%z" and a cast to make it work
	under Windows.

	Update gpg-error autoconf macros to fix threading problems.
	* m4/gpg-error.m4: Update to version 2014-01-24.
	* tests/Makefile.am (t_lock_LDADD): Use MT Libs.

2014-01-24  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests: Pass -no-install to libtool.
	* tests/Makefile.am: add AM_LDFLAGS = -no-install

2014-01-24  Werner Koch  <wk@gnupg.org>

	tests: Add a test for the internal locking.
	* src/global.c (external_lock_test): New.
	(_gcry_vcontrol): Call new function with formerly reserved code 61.

	* tests/t-common.h: New. Taken from current libgpg-error.
	* tests/t-lock.c: New.  Based on t-lock.c from libgpg-error.
	* configure.ac (HAVE_PTHREAD): Set macro to 1 if defined.
	(AC_CHECK_FUNCS): Check for flockfile.
	* tests/Makefile.am (tests_bin): Add t-lock.
	(noinst_HEADERS): Add t-common.h.
	(LDADD): Move value to ...
	(default_ldadd): New.
	(t_lock_LDADD): New.

	Check compiler features only for the relevant platform.
	* mpi/config.links (mpi_cpu_arch): Always set for ARM.  Set for HPPA.
	Set to "undefined" for unknown platforms.
	(try_asm_modules): Act upon only after having detected the CPU.
	* configure.ac: Move the call to config.links before the platform
	specific compiler checks.  Check platform specific features only if
	the platform is targeted.

2014-01-23  Werner Koch  <wk@gnupg.org>

	Support building using the latest mingw-w64 toolchain.
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection.

2014-01-20  Werner Koch  <wk@gnupg.org>

	cipher: Fix commit 94030e44.
	* cipher/tiger.c (tiger_init): Add arg FLAGS.
	(tiger1_init, tiger2_init): Ditto.

	tests: Rename tsexp.c.
	* tests/tsexp.c: Rename to t-sexp.c.

2014-01-19  Werner Koch  <wk@gnupg.org>

	md: Add Whirlpool bug emulation feature.
	* src/gcrypt.h.in (GCRY_MD_FLAG_BUGEMU1): New.
	* src/cipher-proto.h (gcry_md_init_t): Add arg FLAGS.  Change all code
	to implement that flag.
	* cipher/md.c (gcry_md_context): Replace SECURE and FINALIZED by bit
	field FLAGS.  Add flag BUGEMU1.  Change all users.
	(md_open): Replace args SECURE and HMAC by FLAGS.  Init flags.bugemu1.
	(_gcry_md_open): Add for GCRY_MD_FLAG_BUGEMU1.
	(md_enable): Pass bugemu1 flag to the hash init function.
	(_gcry_md_reset): Ditto.

2014-01-17  Werner Koch  <wk@gnupg.org>

	Actually check for uint64_t.
	* configure.ac: Check size of uint64_t and the UINT64_C macro.

2014-01-16  Werner Koch  <wk@gnupg.org>

	Replace ath based mutexes by gpgrt based locks.
	* configure.ac (NEED_GPG_ERROR_VERSION): Require 1.13.
	(gl_LOCK): Remove.
	* src/ath.c, src/ath.h: Remove.  Remove from all files.  Replace all
	mutexes by gpgrt based statically initialized locks.
	* src/global.c (global_init): Remove ath_init.
	(_gcry_vcontrol): Make ath install a dummy function.
	(print_config): Remove threads info line.

	* doc/gcrypt.texi: Simplify the multi-thread related documentation.

2014-01-15  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix _gcry_mpi_ec_p_new to allow secp256k1.
	* mpi/ec.c (_gcry_mpi_ec_p_new): Remove checking a!=0.
	* tests/t-mpi-point.c (context_alloc): Remove two spurious tests.

2014-01-14  Milan Broz  <gmazyland@gmail.com>

	PBKDF2: Use gcry_md_reset to speed up calculation.
	* cipher/kdf.c (_gcry_kdf_pkdf2): Use gcry_md_reset
	to speed up calculation.

2014-01-13  Werner Koch  <wk@gnupg.org>

	Fix macro conflict in NetBSD.
	* cipher/bithelp.h (bswap32): Rename to _gcry_bswap32.
	(bswap64): Rename to _gcry_bswap64.

	Use internal malloc function in fips.c.
	* src/fips.c (check_binary_integrity): s/gcry_malloc/xtrymalloc/.

2014-01-13  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Truncate hash values for ECDSA signature scheme.
	* cipher/dsa-common (_gcry_dsa_normalize_hash): New. Truncate opaque
	  mpis as required for DSA and ECDSA signature schemas.
	* cipher/dsa.c (verify): Return gpg_err_code_t value from verify() to
	  behave like the rest of internal sign/verify functions.
	* cipher/dsa.c (sign, verify, dsa_verify): Factor out hash truncation.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Factor out hash truncation.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_verify):
	  as required by ECDSA scheme, truncate hash values to bitlength of
	  used curve.
	* tests/pubkey.c (check_ecc_sample_key): add a testcase for hash
	  truncation.

	Add GOST R 34.10-2012 curves proposed by TC26.
	* cipher/ecc-curves.c (domain_parms): Add two GOST R 34.10-2012 curves
	  proposed/pending to standardization by TC26 (Russian cryptography
	  technical committee).
	* cipher/ecc-curves.c (curve_alias): Add OID aliases.
	* tests/curves.c: Increase N_CURVES.

	Add GOST R 34.10-2001 curves per RFC4357.
	* cipher/ecc-curves.c (domain_parms): Add 3 curves defined in rfc4357.
	* cipher/ecc-curves.c (curve_aliases): Add OID and Xch aliases for GOST
	  curves.
	* tests/curves.c (N_CURVES): Update value.

	Fix typo in search_oid.
	* cipher/md.c (search_oid): Invert condition on oid comparison.

	Add MD2-HMAC calculation support.
	* src/gcrypt.h.in (GCRY_MAC_HMAC_MD2): New.
	* cipher/mac-hmac.c: Support GCRY_MAC_HMAC_MD2.

	Add a function to retrieve algorithm used by MAC handler.
	* cipher/mac.c (_gcry_mac_get_algo): New function, returns used algo.
	* src/visibility.c (gcry_mac_get_algo): New wrapper.
	* src/visibility.h: Handle gcry_mac_get_algo.
	* src/gcrypt-int.h (_gcry_mac_get_algo): New.
	* src/gcrypt.h.in (gcry_mac_get_algo): New.
	* src/libgcrypt.def (gcry_mac_get_algo): New.
	* src/libgcrypt.vers (gcry_mac_get_algo): New.
	* doc/gcrypt.texi: Document gcry_mac_get_algo.
	* tests/basic.c (check_one_mac): Verify gcry_mac_get_algo.

	Correct formatting of gcry_mac_get_algo_keylen documentation.
	* doc/gcrypt.texi: add braces near gcry_mac_get_algo_keylen
	  documentation.

	Use braces around unsigned int in gcry_mac_get_algo_keylen
	documentation, otherwise texinfo breaks that and uses 'int' as a
	function definition.

2014-01-13  Werner Koch  <wk@gnupg.org>

	ecc: Make a macro shorter.
	* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  Change
	all users.
	* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
	comment.
	* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
	(add_points_twistededwards): Rename to add_points_edwards.

2014-01-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix assembly division check.
	* configure.ac (gcry_cv_gcc_as_const_division_ok): Correct variable
	name mismatch at '--Wa,--divide' workaround check.

2014-01-12  NIIBE Yutaka  <gniibe@fsij.org>

	Add secp256k1 curve.
	* cipher/ecc-curves.c (curve_aliases): Add secp256k1 and its OID.
	(domain_parms): Add secp256k1's domain parameter.

	* tests/basic.c (check_pubkey): Add a key of secp256k1.

	* tests/curves.c (N_CURVES): Updated.

2014-01-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix constant division for AMD64 assembly on Solaris/x86.
	* configure.ac (gcry_cv_gcc_as_const_division_ok): Add new check for
	constant division in assembly and test for "-Wa,--divide" workaround.
	(gcry_cv_gcc_amd64_platform_as_ok): Check for also constant division.

2014-01-10  Werner Koch  <wk@gnupg.org>

	Use the generic autogen.sh script.
	* autogen.rc: New.
	* Makefile.am (EXTRA_DIST): Add it.
	* autogen.sh: Update from current GnuPG.

	Move all helper scripts to build-aux/.
	* scripts/: Rename to build-aux/.
	* compile, config.guess, config.rpath, config.sub
	* depcomp, doc/mdate-sh, doc/texinfo.tex
	* install-sh, ltmain.sh, missing: Move to build-aux/.
	* Makefile.am (EXTRA_DIST): Adjust.
	* configure.ac (AC_CONFIG_AUX_DIR): New.
	(AM_SILENT_RULES): New.

2013-12-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add blowfish/serpent ARM assembly files to Makefile.am.
	* cipher/Makefile.am: Add 'blowfish-arm.S' and 'serpent-armv7-neon.S'.

	Add AMD64 assembly implementation for arcfour.
	* cipher/Makefile.am: Add 'arcfour-amd64.S'.
	* cipher/arcfour-amd64.S: New.
	* cipher/arcfour.c (USE_AMD64_ASM): New.
	[USE_AMD64_ASM] (ARCFOUR_context, _gcry_arcfour_amd64)
	(encrypt_stream): New.
	* configure.ac [host=x86_64]: Add 'arcfour-amd64.lo'.

	Parse /proc/cpuinfo for ARM HW features.
	* src/hwf-arm.c [__linux__] (HAS_PROC_CPUINFO)
	(detect_arm_proc_cpuinfo): New.
	(_gcry_hwf_detect_arm) [HAS_PROC_CPUINFO]: Check '/proc/cpuinfo' for
	HW features.

	Fix buggy/incomplete detection of AVX/AVX2 support.
	* configure.ac: Also check for 'xgetbv' instruction in AVX and AVX2
	inline assembly checks.
	* src/hwf-x86.c [__i386__] (get_xgetbv): New function.
	[__x86_64__] (get_xgetbv): New function.
	[HAS_X86_CPUID] (detect_x86_gnuc): Check for OSXSAVE and OS support for
	XMM&YMM registers and enable AVX/AVX2 only if XMM&YMM registers are
	supported by OS.

2013-12-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change utf-8 copyright characters to '(C)'.
	* cipher/blowfish-amd64.S: Change utf-8 encoded copyright character to
	'(C)'.
	* cipher/blowfish-arm.S: Ditto.
	* cipher/bufhelp.h: Ditto.
	* cipher/camellia-aesni-avx-amd64.S: Ditto.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/camellia-arm.S: Ditto.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/cast5-arm.S: Ditto.
	* cipher/cipher-ccm.c: Ditto.
	* cipher/cipher-cmac.c: Ditto.
	* cipher/cipher-gcm.c: Ditto.
	* cipher/cipher-selftest.c: Ditto.
	* cipher/cipher-selftest.h: Ditto.
	* cipher/mac-cmac.c: Ditto.
	* cipher/mac-gmac.c: Ditto.
	* cipher/mac-hmac.c: Ditto.
	* cipher/mac-internal.h: Ditto.
	* cipher/mac.c: Ditto.
	* cipher/rijndael-amd64.S: Ditto.
	* cipher/rijndael-arm.S: Ditto.
	* cipher/salsa20-amd64.S: Ditto.
	* cipher/salsa20-armv7-neon.S: Ditto.
	* cipher/serpent-armv7-neon.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/serpent-sse2-amd64.S: Ditto.

	Add ARM/NEON implementation for SHA-1.
	* cipher/Makefile.am: Add 'sha1-armv7-neon.S'.
	* cipher/sha1-armv7-neon.S: New.
	* cipher/sha1.c (USE_NEON): New.
	(SHA1_CONTEXT, sha1_init) [USE_NEON]: Add and initialize 'use_neon'.
	[USE_NEON] (_gcry_sha1_transform_armv7_neon): New.
	(transform) [USE_NEON]: Use ARM/NEON assembly if enabled.
	* configure.ac: Add 'sha1-armv7-neon.lo'.

	Improve performance of SHA-512/ARM/NEON implementation.
	* cipher/sha512-armv7-neon.S (RT01q, RT23q, RT45q, RT67q): New.
	(round_0_63, round_64_79): Remove.
	(rounds2_0_63, rounds2_64_79): New.
	(_gcry_sha512_transform_armv7_neon): Add 'nblks' input; Handle multiple
	input blocks; Use new round macros.
	* cipher/sha512.c [USE_ARM_NEON_ASM]
	(_gcry_sha512_transform_armv7_neon): Add 'num_blks'.
	(transform) [USE_ARM_NEON_ASM]: Pass nblks to assembly.

	Add AVX and AVX2/BMI implementations for SHA-256.
	* LICENSES: Add 'cipher/sha256-avx-amd64.S' and
	'cipher/sha256-avx2-bmi2-amd64.S'.
	* cipher/Makefile.am: Add 'sha256-avx-amd64.S' and
	'sha256-avx2-bmi2-amd64.S'.
	* cipher/sha256-avx-amd64.S: New.
	* cipher/sha256-avx2-bmi2-amd64.S: New.
	* cipher/sha256-ssse3-amd64.S: Use 'lea' instead of 'add' in a few
	places for tiny speed improvement.
	* cipher/sha256.c (USE_AVX, USE_AVX2): New.
	(SHA256_CONTEXT) [USE_AVX, USE_AVX2]: Add 'use_avx' and 'use_avx2'.
	(sha256_init, sha224_init) [USE_AVX, USE_AVX2]: Initialize above
	new context members.
	[USE_AVX] (_gcry_sha256_transform_amd64_avx): New.
	[USE_AVX2] (_gcry_sha256_transform_amd64_avx2): New.
	(transform) [USE_AVX2]: Use AVX2 assembly if enabled.
	(transform) [USE_AVX]: Use AVX assembly if enabled.
	* configure.ac: Add 'sha256-avx-amd64.lo' and
	'sha256-avx2-bmi2-amd64.lo'.

2013-12-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AVX and AVX/BMI2 implementations for SHA-1.
	* cipher/Makefile.am: Add 'sha1-avx-amd64.S' and
	'sha1-avx-bmi2-amd64.S'.
	* cipher/sha1-avx-amd64.S: New.
	* cipher/sha1-avx-bmi2-amd64.S: New.
	* cipher/sha1.c (USE_AVX, USE_BMI2): New.
	(SHA1_CONTEXT) [USE_AVX]: Add 'use_avx'.
	(SHA1_CONTEXT) [USE_BMI2]: Add 'use_bmi2'.
	(sha1_init): Initialize 'use_avx' and 'use_bmi2'.
	[USE_AVX] (_gcry_sha1_transform_amd64_avx): New.
	[USE_BMI2] (_gcry_sha1_transform_amd64_bmi2): New.
	(transform) [USE_BMI2]: Use BMI2 assembly if enabled.
	(transform) [USE_AVX]: Use AVX assembly if enabled.
	* configure.ac: Add 'sha1-avx-amd64.lo' and 'sha1-avx-bmi2-amd64.lo'.

	SHA-1/SSSE3: Improve performance on large buffers.
	* cipher/sha1-ssse3-amd64.S (RNBLKS): New.
	(_gcry_sha1_transform_amd64_ssse3): Handle multiple input blocks, with
	software pipelining of next data block processing.
	* cipher/sha1.c [USE_SSSE3] (_gcry_sha1_transform_amd64_ssse3): Add
	'nblks'.
	(transform) [USE_SSSE3]: Pass nblks to assembly function.

	Add bulk processing for hash transform functions.
	* cipher/hash-common.c (_gcry_md_block_write): Preload 'hd->blocksize'
	to stack, pass number of blocks to 'hd->bwrite'.
	* cipher/hash-common.c (_gcry_md_block_write_t): Add 'nblks'.
	* cipher/gostr3411-94.c: Rename 'transform' function to
	'transform_blk', add new 'transform' function with 'nblks' as
	additional input.
	* cipher/md4.c: Ditto.
	* cipher/md5.c: Ditto.
	* cipher/rmd160.c: Ditto.
	* cipher/sha1.c: Ditto.
	* cipher/sha256.c: Ditto.
	* cipher/sha512.c: Ditto.
	* cipher/stribog.c: Ditto.
	* cipher/tiger.c: Ditto.
	* cipher/whirlpool.c: Ditto.

2013-12-16  Werner Koch  <wk@gnupg.org>

	Release 1.6.0.

	doc: Change yat2m to allow arbitrary condition names.
	* doc/yat2m.c (MAX_CONDITION_NESTING): New.
	(gpgone_defined): Remove.
	(condition_s, condition_stack, condition_stack_idx): New.
	(cond_is_active, cond_in_verbatim): New.
	(add_predefined_macro, set_macro, macro_set_p): New.
	(evaluate_conditions, push_condition, pop_condition): New.
	(parse_file): Rewrite to use the condition stack.
	(top_parse_file): Set predefined macros.
	(main): Change -D to define arbitrary macros.

	tests: Add SHA-512 to the long hash test.
	* tests/hashtest.c (testvectors): Add vectors for 256GiB SHA-512.
	* tests/hashtest-256g.in (algos): Add test for SHA-512.

	Add configure option --enable-large-data-tests.
	* configure.ac: Add option --enable-large-data-tests.
	* tests/hashtest-256g.in: New.
	* tests/Makefile.am (EXTRA_DIST): Add hashtest-256g.in.
	(TESTS): Split up into tests_bin, tests_bin_last, tests_sh, and
	tests_sh_last.
	(tests_sh_last): Add hashtest-256g.
	(noinst_PROGRAMS): Add only tests_bin and tests_bin_last.
	(bench-slope.log, hashtest-256g.log): New rules to enforce serial run.

	random: Call random progress handler more often.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Update progress
	indicator earlier.

	cipher: Normalize the MPIs used as input to secret key functions.
	* cipher/dsa.c (sign): Normalize INPUT.
	* cipher/elgamal.c (decrypt): Normalize A and B.
	* cipher/rsa.c (secret): Normalize the INPUT.
	(rsa_decrypt): Reduce DATA before passing to secret.

2013-12-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change dummy variable in mpih-div.c to mpi_limb_t type.
	* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Change dummy
	variable to 'mpi_limb_t' type from 'int'.

	Remove duplicate gcry_mac_hd_t typedef.
	* cipher/mac-internal.h (gcry_mac_hd_t): Remove.

2013-12-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Use u64 for CCM data lengths.
	* cipher/cipher-ccm.c: Move code inside [HAVE_U64_TYPEDEF].
	[HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_set_lengths): Use 'u64' for
	data lengths.
	[!HAVE_U64_TYPEDEF] (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt, _gcry_cipher_ccm_set_nonce)
	(_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_get_tag)
	(_gcry_cipher_ccm_check_tag): Dummy functions returning
	GPG_ERROR_NOT_SUPPORTED.
	* cipher/cipher-internal.h (gcry_cipher_handle.u_mode.ccm)
	(_gcry_cipher_ccm_set_lengths): Move inside [HAVE_U64_TYPEDEF] and use
	u64 instead of size_t for CCM data lengths.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_reset)
	(_gcry_cipher_ctl) [!HAVE_U64_TYPEDEF]: Return GPG_ERR_NOT_SUPPORTED
	for CCM.
	(_gcry_cipher_ctl) [HAVE_U64_TYPEDEF]: Use u64 for
	GCRYCTL_SET_CCM_LENGTHS length parameters.
	* tests/basic.c: Do not use CCM if !HAVE_U64_TYPEDEF.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.

2013-12-14  Werner Koch  <wk@gnupg.org>

	tests: Prevent rare failure of gcry_pk_decrypt test.
	* tests/basic.c (check_pubkey_crypt): Add special mode 1.
	(main): Add option --loop.

2013-12-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Minor fixes to SHA assembly implementations.
	* cipher/Makefile.am: Correct 'sha256-avx*.S' to 'sha512-avx*.S'.
	* cipher/sha1-ssse3-amd64.S: First line, correct filename.
	* cipher/sha256-ssse3-amd64.S: Return correct stack burn depth.
	* cipher/sha512-avx-amd64.S: Use 'vzeroall' to clear registers.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto and return correct stack burn
	depth.

	SHA-1/SSSE3: Do not check for Intel syntax assembly support.
	* cipher/sha1-ssse3-amd64.S: Remove check for
	HAVE_INTEL_SYNTAX_PLATFORM_AS.
	* cipher/sha1.c [USE_SSSE3]: Ditto.

2013-12-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Convert SHA-1 SSSE3 implementation from mixed asm&C to pure asm.
	* cipher/Makefile.am: Change 'sha1-ssse3-amd64.c' to
	'sha1-ssse3-amd64.S'.
	* cipher/sha1-ssse3-amd64.c: Remove.
	* cipher/sha1-ssse3-amd64.S: New.

	SHA-1: Add SSSE3 implementation.
	* cipher/Makefile.am: Add 'sha1-ssse3-amd64.c'.
	* cipher/sha1-ssse3-amd64.c: New.
	* cipher/sha1.c (USE_SSSE3): New.
	(SHA1_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha1_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	(transform): Rename to...
	(_transform): this.
	(transform): New.
	* configure.ac [host=x86_64]: Add 'sha1-ssse3-amd64.lo'.

	Add missing register clearing to SHA-256 and SHA-512 assembly.
	* cipher/sha256-ssse3-amd64.S: Clear used XMM/YMM registers at return.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

2013-12-13  Werner Koch  <wk@gnupg.org>

	Update license information.
	* LICENSES: New.
	* Makefile.am (EXTRA_DIST): Add LICENSES.
	* AUTHORS: Add list of copyright holders.
	* README: Reference AUTHORS.

2013-12-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix empty clobber in AVX2 assembly check.
	* configure.ac (gcry_cv_gcc_inline_asm_avx2): Add "cc" as assembly
	clobber.

	Fix W32 build.
	* random/rndw32.c (register_poll, slow_gatherer): Change gcry_xmalloc to
	xmalloc, and gcry_xrealloc to xrealloc.

2013-12-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	SHA-512: Add AVX and AVX2 implementations for x86-64.
	* cipher/Makefile.am: Add 'sha512-avx-amd64.S' and
	'sha512-avx2-bmi2-amd64.S'.
	* cipher/sha512-avx-amd64.S: New.
	* cipher/sha512-avx2-bmi2-amd64.S: New.
	* cipher/sha512.c (USE_AVX, USE_AVX2): New.
	(SHA512_CONTEXT) [USE_AVX]: Add 'use_avx'.
	(SHA512_CONTEXT) [USE_AVX2]: Add 'use_avx2'.
	(sha512_init, sha384_init) [USE_AVX]: Initialize 'use_avx'.
	(sha512_init, sha384_init) [USE_AVX2]: Initialize 'use_avx2'.
	[USE_AVX] (_gcry_sha512_transform_amd64_avx): New.
	[USE_AVX2] (_gcry_sha512_transform_amd64_avx2): New.
	(transform) [USE_AVX2]: Add call for AVX2 implementation.
	(transform) [USE_AVX]: Add call for AVX implementation.
	* configure.ac (HAVE_GCC_INLINE_ASM_BMI2): New check.
	(sha512): Add 'sha512-avx-amd64.lo' and 'sha512-avx2-bmi2-amd64.lo'.
	* doc/gcrypt.texi: Document 'intel-cpu' and 'intel-bmi2'.
	* src/g10lib.h (HWF_INTEL_CPU, HWF_INTEL_BMI2): New.
	* src/hwfeatures.c (hwflist): Add "intel-cpu" and "intel-bmi2".
	* src/hwf-x86.c (detect_x86_gnuc): Check for HWF_INTEL_CPU and
	HWF_INTEL_BMI2.

	SHA-512: Add SSSE3 implementation for x86-64.
	* cipher/Makefile.am: Add 'sha512-ssse3-amd64.S'.
	* cipher/sha512-ssse3-amd64.S: New.
	* cipher/sha512.c (USE_SSSE3): New.
	(SHA512_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha512_init, sha384_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	[USE_SSSE3] (_gcry_sha512_transform_amd64_ssse3): New.
	(transform) [USE_SSSE3]: Call SSSE3 implementation.
	* configure.ac (sha512): Add 'sha512-ssse3-amd64.lo'.

	SHA-256: Add SSSE3 implementation for x86-64.
	* cipher/Makefile.am: Add 'sha256-ssse3-amd64.S'.
	* cipher/sha256-ssse3-amd64.S: New.
	* cipher/sha256.c (USE_SSSE3): New.
	(SHA256_CONTEXT) [USE_SSSE3]: Add 'use_ssse3'.
	(sha256_init, sha224_init) [USE_SSSE3]: Initialize 'use_ssse3'.
	(transform): Rename to...
	(_transform): This.
	[USE_SSSE3] (_gcry_sha256_transform_amd64_ssse3): New.
	(transform): New.
	* configure.ac (HAVE_INTEL_SYNTAX_PLATFORM_AS): New check.
	(sha256): Add 'sha256-ssse3-amd64.lo'.
	* doc/gcrypt.texi: Document 'intel-ssse3'.
	* src/g10lib.h (HWF_INTEL_SSSE3): New.
	* src/hwfeatures.c (hwflist): Add "intel-ssse3".
	* src/hwf-x86.c (detect_x86_gnuc): Test for SSSE3.

2013-12-12  Werner Koch  <wk@gnupg.org>

	Add a configuration file to disable hardware features.
	* src/hwfeatures.c: Include syslog.h and ctype.h.
	(HWF_DENY_FILE): New.
	(my_isascii): New.
	(parse_hwf_deny_file): New.
	(_gcry_detect_hw_features): Call it.

	* src/mpicalc.c (main): Correctly initialize Libgcrypt.  Add options
	"--print-config" and "--disable-hwf".

	Move list of hardware features to hwfeatures.c.
	* src/global.c (hwflist, disabled_hw_features): Move to ...
	* src/hwfeatures.c: here.
	(_gcry_disable_hw_feature): New.
	(_gcry_enum_hw_features): New.
	(_gcry_detect_hw_features): Remove arg DISABLED_FEATURES.
	* src/global.c (print_config, _gcry_vcontrol, global_init): Adjust
	accordingly.

	Remove macro hacks for internal vs. external functions.  Part 2 and last.
	* src/visibility.h: Remove remaining define/undef hacks for symbol
	visibility.  Add macros to detect the use of the public functions.
	Change all affected functions by replacing them by the x-macros.
	* src/g10lib.h: Add internal prototypes.
	(xtrymalloc, xtrycalloc, xtrymalloc_secure, xtrycalloc_secure)
	(xtryrealloc, xtrystrdup, xmalloc, xcalloc, xmalloc_secure)
	(xcalloc_secure, xrealloc, xstrdup, xfree): New macros.

2013-12-11  Werner Koch  <wk@gnupg.org>

	random: Add a feature to close device file descriptors.
	* src/gcrypt.h.in (GCRYCTL_CLOSE_RANDOM_DEVICE): New.
	* src/global.c (_gcry_vcontrol): Call _gcry_random_close_fds.
	* random/random.c (_gcry_random_close_fds): New.
	* random/random-csprng.c (_gcry_rngcsprng_close_fds): New.
	* random/random-fips.c (_gcry_rngfips_close_fds): New.
	* random/random-system.c (_gcry_rngsystem_close_fds): New.
	* random/rndlinux.c (open_device): Add arg retry.
	(_gcry_rndlinux_gather_random): Add mode to close open fds.

	* tests/random.c (check_close_random_device): New.
	(main): Call new test.

2013-12-10  Werner Koch  <wk@gnupg.org>

	Fix last commit (9a37470c)
	* src/secmem.c (lock_pool): Remove remaining line.  Reported by Ian
	Goldberg.

2013-12-09  Werner Koch  <wk@gnupg.org>

	Fix one-off memory leak when built with Linux capability support.
	* src/secmem.c (lock_pool, secmem_init): Use cap_free.  Reported by
	Mike Crowe <mac@mcrowe.com>.

2013-12-09  David 'Digit' Turner  <digit@google.com>

	Update libtool to support Android.
	* m4/libtool.m4: Add "linux*android*" case.  Taken from the libtool
	repository.

2013-12-09  Werner Koch  <wk@gnupg.org>

	tests: Speed up benchmarks in regression test mode.
	* tests/tsexp.c (check_extract_param): Fix compiler warning.
	* tests/Makefile.am (TESTS_ENVIRONMENT): Set GCRYPT_IN_REGRESSION_TEST.
	* tests/bench-slope.c (main): Speed up if in regression test mode.
	* tests/benchmark.c (main): Ditto.

	tests: Add --csv option to bench-slope.
	* tests/bench-slope.c (STR, STR2): New.
	(cvs_mode): New.
	(num_measurement_repetitions): New.  Replace use of
	NUM_MEASUREMENT_REPETITIONS by this.
	(current_section_name, current_algo_name, current_mode_name): New.
	(bench_print_result_csv): New.
	(bench_print_result_std): Rename from bench_print_result.
	(bench_print_result): New. Divert depending on CSV_MODE.
	(bench_print_header, bench_print_footer): Take care of CSV_MODE.
	(bench_print_algo, bench_print_mode): New.  Use them instead of
	explicit printfs.
	(main): Add options --csv and --repetitions.

2013-12-07  Werner Koch  <wk@gnupg.org>

	sexp: Allow long names and white space in gcry_sexp_extract_param.
	* src/sexp.c (_gcry_sexp_vextract_param): Skip white space.  Support
	long parameter names.
	* tests/tsexp.c (check_extract_param): Add test cases for long parameter
	names and white space.

2013-12-06  Werner Koch  <wk@gnupg.org>

	ecc: Merge partly duplicated code.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Factor A hashing out to ...
	(_gcry_ecc_eddsa_compute_h_d): New function.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Use new function.
	(reverse_buffer): Remove.

	ecc: Remove unused internal function.
	* src/cipher-proto.h (gcry_pk_spec): Remove get_param.
	* cipher/ecc-curves.c (_gcry_ecc_get_param_sexp): Merge in code from
	_gcry_ecc_get_param.
	(_gcry_ecc_get_param): Remove.
	* cipher/ecc.c (_gcry_pubkey_spec_ecc): Remove _gcry_ecc_get_param.

2013-12-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building on mingw32.
	* src/gcrypt-int.h: Include <types.h>.

2013-12-05  Werner Koch  <wk@gnupg.org>

	ecc: Change OID for Ed25519.
	* cipher/ecc-curves.c (curve_aliased): Add more suitable OID for
	Ed25519.

	Remove macro hacks for internal vs. external functions.  Part 1.
	* src/visibility.h: Remove almost all define/undef hacks for symbol
	visibility.  Add macros to detect the use of the public functions.
	Change all affected functions by prefixing them explicitly with an
	underscore and change all internal callers to call the underscore
	prefixed versions.  Provide convenience macros from sexp and mpi
	functions.
	* src/visibility.c: Change all functions to use only gpg_err_code_t
	and translate to gpg_error_t only in visibility.c.

2013-12-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: add inline assembly for x86-64.
	* mpi/longlong.h [__x86_64] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): New.

2013-12-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: fix gcry_mpi_powm for negative base.
	* mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]:
	Fix for the case where BASE is negative.
	* tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19.

2013-12-03  Werner Koch  <wk@gnupg.org>

	Add build support for ppc64le.
	* config.guess, config.sub: Update to latest version (2013-11-29).
	* m4/libtool.m4: Add patches for ppc64le.

2013-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix compiler warning on aarch64.
	* cipher/rijndael.c (do_setkey): Use braces for empty if statement
	instead of semicolon.

	Add aarch64 (arm64) mpi assembly.
	* mpi/aarch64/mpi-asm-defs.h: New.
	* mpi/aarch64/mpih-add1.S: New.
	* mpi/aarch64/mpih-mul1.S: New.
	* mpi/aarch64/mpih-mul2.S: New.
	* mpi/aarch64/mpih-mul3.S: New.
	* mpi/aarch64/mpih-sub1.S: New.
	* mpi/config.links [host=aarch64-*-*]: Add configuration for aarch64
	assembly.
	* mpi/longlong.h [__aarch64__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(count_leading_zeros): New.

2013-12-02  Werner Koch  <wk@gnupg.org>

	ecc: Use constant time point operation for Twisted Edwards.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Try to do a constant time
	operation if needed.
	* tests/benchmark.c (main): Add option --use-secmem.

	ecc: Make gcry_pk_testkey work for Ed25519.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Add optional args G
	and d.  Change all callers.
	* cipher/ecc.c (gen_y_2): Remove.
	(check_secret_key): Use generic public key compute function.  Adjust
	for use with Ed25519 and EdDSA.
	(nist_generate_key): Do not use the compliant key thingy for Ed25519.
	(ecc_check_secret_key): Make parameter parsing similar to the other
	functions.
	* cipher/ecc-curves.c (domain_parms): Zero prefix some parameters so
	that _gcry_ecc_update_curve_param works correctly.
	* tests/keygen.c (check_ecc_keys): Add "param" flag.  Check all
	Ed25519 keys.

	ecc: Fix eddsa point decompression.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): Fix the negative
	case.

	ecc: Fix gcry_mpi_ec_curve_point for Weierstrass.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Use correct equation.
	(ec_pow3): New.
	(ec_p_init): Always copy B.

	mpi: Introduce 4 user flags for gcry_mpi_t.
	* src/gcrypt.h.in (GCRYMPI_FLAG_USER1, GCRYMPI_FLAG_USER2)
	(GCRYMPI_FLAG_USER3, GCRYMPI_FLAG_USER4): New.
	* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
	(gcry_mpi_get_flag, _gcry_mpi_free): Implement them.
	(gcry_mpi_set_opaque): Keep user flags.

2013-11-29  Vladimir 'φ-coder/phcoder' Serbinenko  <phcoder@gmail.com>

	Fix armv3 compile error.
	* mpi/longlong.h [__arm__ && __ARM_ARCH < 4] (umul_ppmm): Use
	__AND_CLOBBER_CC instead of __CLOBBER_CC.

	longlong.h on mips with clang.
	* mpi/longlong.h [__mips__]: Use C-language version with clang.

2013-11-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Camellia: Tweaks for AES-NI implementations.
	* cipher/camellia-aesni-avx-amd64.S: Align stack to 16 bytes; tweak
	key-setup for small speed up.
	* cipher/camellia-aesni-avx2-amd64.S: Use vmovdqu even with aligned
	stack; reorder vinsert128 instructions; use rbp for stack frame.

2013-11-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add GMAC to MAC API.
	* cipher/Makefile.am: Add 'mac-gmac.c'.
	* cipher/mac-gmac.c: New.
	* cipher/mac-internal.h (gcry_mac_handle): Add 'u.gcm'.
	(_gcry_mac_type_spec_gmac_aes, _gcry_mac_type_spec_gmac_twofish)
	(_gcry_mac_type_spec_gmac_serpent, _gcry_mac_type_spec_gmac_seed)
	(_gcry_mac_type_spec_gmac_camellia): New externs.
	* cipher/mac.c (mac_list): Add GMAC specifications.
	* doc/gcrypt.texi: Add mention of GMAC.
	* src/gcrypt.h.in (gcry_mac_algos): Add GCM algorithms.
	* tests/basic.c (check_one_mac): Add support for MAC IVs.
	(check_mac): Add support for MAC IVs and add GMAC test vectors.
	* tests/bench-slope.c (mac_bench): Iterate algorithm numbers to 499.
	* tests/benchmark.c (mac_bench): Iterate algorithm numbers to 499.

	GCM: Move gcm_table initialization to setkey.
	* cipher/cipher-gcm.c: Change all 'c->u_iv.iv' to
	'c->u_mode.gcm.u_ghash_key.key'.
	(_gcry_cipher_gcm_setkey): New.
	(_gcry_cipher_gcm_initiv): Move ghash initialization to function above.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add
	'u_mode.gcm.u_ghash_key'; Reorder 'u_mode.gcm' members for partial
	clearing in gcry_cipher_reset.
	(_gcry_cipher_gcm_setkey): New prototype.
	* cipher/cipher.c (cipher_setkey): Add GCM setkey.
	(cipher_reset): Clear 'u_mode' only partially for GCM.

2013-11-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	GCM: Add support for split data buffers and online operation.
	* cipher/cipher-gcm.c (do_ghash_buf): Add buffering for less than
	blocksize length input and padding handling.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Add handling
	for AAD padding and check if data has already been padded.
	(_gcry_cipher_gcm_authenticate): Check that AAD or data has not been
	padded yet.
	(_gcry_cipher_gcm_initiv): Clear padding marks.
	(_gcry_cipher_gcm_tag): Add finalization and padding; Clear sensitive
	data from cipher handle, since they are not used after generating tag.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode.gcm.macbuf',
	'u_mode.gcm.mac_unused', 'u_mode.gcm.ghash_data_finalized' and
	'u_mode.gcm.ghash_aad_finalized'.
	* tests/basic.c (check_gcm_cipher): Rename to...
	(_check_gcm_cipher): ...this and add handling for different buffer step
	lengths; Enable per byte buffer testing.
	(check_gcm_cipher): Call _check_gcm_cipher with different buffer step
	sizes.

	GCM: Use size_t for buffer sizes.
	* cipher/cipher-gcm.c (ghash, gcm_bytecounter_add, do_ghash_buf)
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_geniv)
	(_gcry_cipher_gcm_tag): Use size_t for buffer lengths.
	* cipher/cipher-internal.h (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Use size_t
	for buffer lengths.

	GCM: add FIPS mode restrictions.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_get_tag): Do not allow use in FIPS mode if setiv
	was invoked directly.
	(_gcry_cipher_gcm_setiv): Rename to...
	(_gcry_cipher_gcm_initiv): ...this.
	(_gcry_cipher_gcm_setiv): New setiv function with check for FIPS mode.
	[TODO] (_gcry_cipher_gcm_getiv): New.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add
	'u_mode.gcm.disallow_encryption_because_of_setiv_in_fips_mode'.

	GCM: Add clearing and checking of marks.tag.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt)
	(_gcry_cipher_gcm_decrypt, _gcry_cipher_gcm_authenticate): Make sure
	that tag has not been finalized yet.
	(_gcry_cipher_gcm_setiv): Clear 'marks.tag'.

	GCM: Add stack burning.
	* cipher/cipher-gcm.c (do_ghash, ghash): Return stack burn depth.
	(setupM): Wipe 'tmp' buffer.
	(do_ghash_buf): Wipe 'tmp' buffer and add stack burning.

	Add aggregated bulk processing for GCM on x86-64.
	* cipher/cipher-gcm.c [__x86_64__] (gfmul_pclmul_aggr4): New.
	(ghash) [GCM_USE_INTEL_PCLMUL]: Add aggregated bulk processing
	for __x86_64__.
	(setupM) [__x86_64__]: Add initialization for aggregated bulk
	processing.

	GCM: Tweak Intel PCLMUL ghash loop for small speed-up.
	* cipher/cipher-gcm.c (do_ghash): Mark 'inline'.
	[GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): Rename to...
	[GCM_USE_INTEL_PCLMUL] (gfmul_pclmul): ...this and make inline function.
	(ghash) [GCM_USE_INTEL_PCLMUL]: Preload data before ghash-pclmul loop.

	GCM: Use counter mode code for speed-up.
	* cipher/cipher-gcm.c (ghash): Add process for multiple blocks.
	(gcm_bytecounter_add, gcm_add32_be128, gcm_check_datalen)
	(gcm_check_aadlen_or_ivlen, do_ghash_buf): New functions.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_set_iv)
	(_gcry_cipher_gcm_tag): Adjust to use above new functions and
	counter mode functions for encryption/decryption.
	* cipher/cipher-internal.h (gcry_cipher_handle): Remove 'length'; Add
	'u_mode.gcm.(addlen|datalen|tagiv|datalen_over_limits)'.
	(_gcry_cipher_gcm_setiv): Return gcry_err_code_t.
	* cipher/cipher.c (cipher_setiv): Return error code.
	(_gcry_cipher_setiv): Handle error code from 'cipher_setiv'.

	Add Intel PCLMUL acceleration for GCM.
	* cipher/cipher-gcm.c (fillM): Rename...
	(do_fillM): ...to this.
	(ghash): Remove.
	(fillM): New macro.
	(GHASH): Use 'do_ghash' instead of 'ghash'.
	[GCM_USE_INTEL_PCLMUL] (do_ghash_pclmul): New.
	(ghash): New.
	(setupM): New.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_authenticate, _gcry_cipher_gcm_setiv)
	(_gcry_cipher_gcm_tag): Use 'ghash' instead of 'GHASH' and
	'c->u_mode.gcm.u_tag.tag' instead of 'c->u_tag.tag'.
	* cipher/cipher-internal.h (GCM_USE_INTEL_PCLMUL): New.
	(gcry_cipher_handle): Move 'u_tag' and 'gcm_table' under
	'u_mode.gcm'.
	* configure.ac (pclmulsupport, gcry_cv_gcc_inline_asm_pclmul): New.
	* src/g10lib.h (HWF_INTEL_PCLMUL): New.
	* src/global.c: Add "intel-pclmul".
	* src/hwf-x86.c (detect_x86_gnuc): Add check for Intel PCLMUL.

	GCM: GHASH optimizations.
	* cipher/cipher-gcm.c [GCM_USE_TABLES] (gcmR, ghash): Replace with new.
	[GCM_USE_TABLES] [GCM_TABLES_USE_U64] (bshift, fillM, do_ghash): New.
	[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (bshift, fillM): Replace with
	new.
	[GCM_USE_TABLES] [!GCM_TABLES_USE_U64] (do_ghash): New.
	(_gcry_cipher_gcm_tag): Remove extra memcpy to outbuf and use
	buf_eq_const for comparing authentication tag.
	* cipher/cipher-internal.h (gcry_cipher_handle): Different 'gcm_table'
	for 32-bit and 64-bit platforms.

	Add some documentation for GCM mode.
	* doc/gcrypt.texi: Add mention of GCM mode.

2013-11-19  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Initial implementation of GCM.
	* cipher/Makefile.am: Add 'cipher-gcm.c'.
	* cipher/cipher-ccm.c (_gcry_ciphert_ccm_set_lengths)
	(_gcry_cipher_ccm_authenticate, _gcry_cipher_ccm_tag)
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Change
	'c->u_mode.ccm.tag' to 'c->marks.tag'.
	* cipher/cipher-gcm.c: New.
	* cipher/cipher-internal.h (GCM_USE_TABLES): New.
	(gcry_cipher_handle): Add 'marks.tag', 'u_tag', 'length' and
	'gcm_table'; Remove 'u_mode.ccm.tag'.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt)
	(_gcry_cipher_gcm_setiv, _gcry_cipher_gcm_authenticate)
	(_gcry_cipher_gcm_get_tag, _gcry_cipher_gcm_check_tag): New.
	* cipher/cipher.c (_gcry_cipher_open_internal, cipher_setkey)
	(cipher_encrypt, cipher_decrypt, _gcry_cipher_authenticate)
	(_gcry_cipher_gettag, _gcry_cipher_checktag): Add GCM mode handling.
	* src/gcrypt.h.in (gcry_cipher_modes): Add GCRY_CIPHER_MODE_GCM.
	(GCRY_GCM_BLOCK_LEN): New.
	* tests/basic.c (check_gcm_cipher): New.
	(check_ciphers): Add GCM check.
	(check_cipher_modes): Call 'check_gcm_cipher'.
	* tests/bench-slope.c (bench_gcm_encrypt_do_bench)
	(bench_gcm_decrypt_do_bench, bench_gcm_authenticate_do_bench)
	(gcm_encrypt_ops, gcm_decrypt_ops, gcm_authenticate_ops): New.
	(cipher_modes): Add GCM enc/dec/auth.
	(cipher_bench_one): Limit GCM to block ciphers with 16 byte block-size.
	* tests/benchmark.c (cipher_bench): Add GCM.

2013-11-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Camellia: fix compiler warning.
	* cipher/camellia-glue.c (camellia_setkey): Use braces around empty if
	statement.

	Tweak Camellia-AVX key-setup for small speed-up.
	* cipher/camellia-aesni-avx-amd64.S (camellia_f): Merge S-function output
	rotation with P-function.

	Add CMAC (Cipher-based MAC) to MAC API.
	* cipher/Makefile.am: Add 'cipher-cmac.c' and 'mac-cmac.c'.
	* cipher/cipher-cmac.c: New.
	* cipher/cipher-internal.h (gcry_cipher_handle.u_mode): Add 'cmac'.
	* cipher/cipher.c (gcry_cipher_open): Rename to...
	(_gcry_cipher_open_internal): ...this and add CMAC.
	(gcry_cipher_open): New wrapper that disallows use of internal
	modes (CMAC) from outside.
	(cipher_setkey, cipher_encrypt, cipher_decrypt)
	(_gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag): Add handling for CMAC mode.
	(cipher_reset): Do not reset 'marks.key' and do not clear subkeys in
	'u_mode' in CMAC mode.
	* cipher/mac-cmac.c: New.
	* cipher/mac-internal.h: Add CMAC support and algorithms.
	* cipher/mac.c: Add CMAC algorithms.
	* doc/gcrypt.texi: Add documentation for CMAC.
	* src/cipher.h (gcry_cipher_internal_modes): New.
	(_gcry_cipher_open_internal, _gcry_cipher_cmac_authenticate)
	(_gcry_cipher_cmac_get_tag, _gcry_cipher_cmac_check_tag)
	(_gcry_cipher_cmac_set_subkeys): New prototypes.
	* src/gcrypt.h.in (gcry_mac_algos): Add CMAC algorithms.
	* tests/basic.c (check_mac): Add CMAC test vectors.

2013-11-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add new MAC API, initially with HMAC.
	* cipher/Makefile.am: Add 'mac.c', 'mac-internal.h' and 'mac-hmac.c'.
	* cipher/bufhelp.h (buf_eq_const): New.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_tag): Use 'buf_eq_const' for
	constant-time compare.
	* cipher/mac-hmac.c: New.
	* cipher/mac-internal.h: New.
	* cipher/mac.c: New.
	* doc/gcrypt.texi: Add documentation for MAC API.
	* src/gcrypt-int.h [GPG_ERROR_VERSION_NUMBER < 1.13]
	(GPG_ERR_MAC_ALGO): New.
	* src/gcrypt.h.in (gcry_mac_handle, gcry_mac_hd_t, gcry_mac_algos)
	(gcry_mac_flags, gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name)
	(gcry_mac_reset, gcry_mac_test_algo): New.
	* src/libgcrypt.def (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/libgcrypt.vers (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/visibility.c (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* src/visibility.h (gcry_mac_open, gcry_mac_close, gcry_mac_ctl)
	(gcry_mac_algo_info, gcry_mac_setkey, gcry_mac_setiv, gcry_mac_write)
	(gcry_mac_read, gcry_mac_verify, gcry_mac_get_algo_maclen)
	(gcry_mac_get_algo_keylen, gcry_mac_algo_name, gcry_mac_map_name): New.
	* tests/basic.c (check_one_mac, check_mac): New.
	(main): Call 'check_mac'.
	* tests/bench-slope.c (bench_print_header, bench_print_footer): Allow
	variable algorithm name width.
	(_cipher_bench, hash_bench): Update to above change.
	(bench_hash_do_bench): Add 'gcry_md_reset'.
	(bench_mac_mode, bench_mac_init, bench_mac_free, bench_mac_do_bench)
	(mac_ops, mac_modes, mac_bench_one, _mac_bench, mac_bench): New.
	(main): Add 'mac' benchmark options.
	* tests/benchmark.c (mac_repetitions, mac_bench): New.
	(main): Add 'mac' benchmark options.

	Use correct blocksize of 32 bytes for GOSTR3411-94 HMAC.
	* cipher/md.c (md_open): Set macpads_Bsize to 32 for
	GCRY_MD_GOST24311_94.

2013-11-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: use size_t for internal buffer lengths.
	* cipher/arcfour.c (do_encrypt_stream, encrypt_stream): Use 'size_t'
	for buffer lengths.
	* cipher/blowfish.c (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Ditto.
	* cipher/camellia-glue.c (_gcry_camellia_ctr_enc)
	(_gcry_camellia_cbc_dec, _gcry_blowfish_cfb_dec): Ditto.
	* cipher/cast5.c (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec)
	(_gcry_cast5_cfb_dec): Ditto.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Ditto.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Ditto.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_encrypt)
	(_gcry_cipher_ccm_decrypt): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-internal.h (gcry_cipher_handle->bulk)
	(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt)
	(_gcry_cipher_cfb_encrypt, _gcry_cipher_cfb_decrypt)
	(_gcry_cipher_ofb_encrypt, _gcry_cipher_ctr_encrypt)
	(_gcry_cipher_aeswrap_encrypt, _gcry_cipher_aeswrap_decrypt)
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_cbc_encrypt): Ditto.
	* cipher/cipher-selftest.h (gcry_cipher_bulk_cbc_dec_t)
	(gcry_cipher_bulk_cfb_dec_t, gcry_cipher_bulk_ctr_enc_t): Ditto.
	* cipher/cipher.c (cipher_setkey, cipher_setiv, do_ecb_crypt)
	(do_ecb_encrypt, do_ecb_decrypt, cipher_encrypt)
	(cipher_decrypt): Ditto.
	* cipher/rijndael.c (_gcry_aes_ctr_enc, _gcry_aes_cbc_dec)
	(_gcry_aes_cfb_dec, _gcry_aes_cbc_enc, _gcry_aes_cfb_enc): Ditto.
	* cipher/salsa20.c (salsa20_setiv, salsa20_do_encrypt_stream)
	(salsa20_encrypt_stream, salsa20r12_encrypt_stream): Ditto.
	* cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_cfb_dec): Ditto.
	* cipher/twofish.c (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(_gcry_twofish_cfb_dec): Ditto.
	* src/cipher-proto.h (gcry_cipher_stencrypt_t)
	(gcry_cipher_stdecrypt_t, cipher_setiv_fuct_t): Ditto.
	* src/cipher.h (_gcry_aes_cfb_enc, _gcry_aes_cfb_dec)
	(_gcry_aes_cbc_enc, _gcry_aes_cbc_dec, _gcry_aes_ctr_enc)
	(_gcry_blowfish_cfb_dec, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_ctr_enc, _gcry_cast5_cfb_dec, _gcry_cast5_cbc_dec)
	(_gcry_cast5_ctr_enc, _gcry_camellia_cfb_dec, _gcry_camellia_cbc_dec)
	(_gcry_camellia_ctr_enc, _gcry_serpent_cfb_dec, _gcry_serpent_cbc_dec)
	(_gcry_serpent_ctr_enc, _gcry_twofish_cfb_dec, _gcry_twofish_cbc_dec)
	(_gcry_twofish_ctr_enc): Ditto.

	Camellia: Add AVX/AES-NI key setup.
	* cipher/camellia-aesni-avx-amd64.S (key_bitlength, key_table): New
	order of fields in ctx.
	(camellia_f, vec_rol128, vec_ror128): New macros.
	(__camellia_avx_setup128, __camellia_avx_setup256)
	(_gcry_camellia_aesni_avx_keygen): New functions.
	* cipher/camellia-aesni-avx2-amd64.S (key_bitlength, key_table): New
	order of fields in ctx.
	* cipher/camellia-arm.S (CAMELLIA_TABLE_BYTE_LEN, key_length): Remove
	unused macros.
	* cipher/camellia-glue.c (CAMELLIA_context): Move keytable to head for
	better alignment; Make 'use_aesni_avx' and 'use_aesni_avx2' bitfield
	members.
	[USE_AESNI_AVX] (_gcry_camellia_aesni_avx_keygen): New prototype.
	(camellia_setkey) [USE_AESNI_AVX || USE_AESNI_AVX2]: Read hw features
	to variable 'hwf' and match features from it.
	(camellia_setkey) [USE_AESNI_AVX]: Use AES-NI/AVX key setup if
	available.

	Avoid unneeded stack burning with AES-NI and reduce number of
	'decryption_prepared' checks.
	* cipher/rijndael.c (RIJNDAEL_context): Make 'decryption_prepared',
	'use_padlock' and 'use_aesni' 1-bit members in bitfield.
	(do_setkey): Move 'hwfeatures' inside [USE_AESNI || USE_PADLOCK].
	(do_aesni_enc_aligned): Rename to...
	(do_aesni_enc): ...this, as function does not require aligned input.
	(do_aesni_dec_aligned): Rename to...
	(do_aesni_dec): ...this, as function does not require aligned input.
	(do_aesni): Remove.
	(rijndael_encrypt): Call 'do_aesni_enc' instead of 'do_aesni'.
	(rijndael_decrypt): Call 'do_aesni_dec' instead of 'do_aesni'.
	(check_decryption_preparation): New.
	(do_decrypt): Remove 'decryption_prepared' check.
	(rijndael_decrypt): Ditto and call 'check_decryption_preparation'.
	(_gcry_aes_cbc_dec): Ditto.
	(_gcry_aes_cfb_enc): Add 'burn_depth' and burn stack only when needed.
	(_gcry_aes_cbc_enc): Ditto.
	(_gcry_aes_ctr_enc): Ditto.
	(_gcry_aes_cfb_dec): Ditto.
	(_gcry_aes_cbc_dec): Ditto and correct clearing of 'savebuf'.

2013-11-14  Werner Koch  <wk@gnupg.org>

	md: Fix hashing for data >= 256 GB.
	* cipher/hash-common.h (gcry_md_block_ctx): Add "nblocks_high".
	* cipher/hash-common.c (_gcry_md_block_write): Bump NBLOCKS_HIGH.
	* cipher/md4.c (md4_init, md4_final): Take care of NBLOCKS_HIGH.
	* cipher/md5.c (md5_init, md5_final): Ditto.
	* cipher/rmd160.c (_gcry_rmd160_init, rmd160_final): Ditto.
	* cipher/sha1.c (sha1_init, sha1_final): Ditto.
	* cipher/sha256.c (sha256_init, sha224_init, sha256_final): Ditto.
	* cipher/sha512.c (sha512_init, sha384_init, sha512_final): Ditto.
	* cipher/tiger.c (do_init, tiger_final): Ditto.
	* cipher/whirlpool.c (whirlpool_final): Ditto.

	* cipher/md.c (gcry_md_algo_info): Add GCRYCTL_SELFTEST.
	(_gcry_md_selftest): Return "not implemented" as required.
	* tests/hashtest.c: New.
	* tests/genhashdata.c: New.
	* tests/Makefile.am (TESTS): Add hashtest.
	(noinst_PROGRAMS): Add genhashdata.

2013-11-13  Christian Grothoff  <christian@grothoff.org>

	ecc: Fix key generation for a plain Ed25519 key.
	* cipher/ecc.c (nist_generate_key): Use custom code for ED25519.

	ecc: Fix some memory leaks.
	* cipher/ecc-curves.c (_gcry_mpi_ec_new): Free ec->b before assigning.
	* cipher/ecc.c (nist_generate_key): Release Q.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto.

2013-11-11  Werner Koch  <wk@gnupg.org>

	ecc: Change keygrip computation for Ed25519+EdDSA.
	* cipher/ecc.c (compute_keygrip): Rework.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_ensure_compact): New.
	* cipher/ecc-curves.c (_gcry_ecc_update_curve_param): New.
	* tests/keygrip.c (key_grips): Add flag param and test cases for
	Ed25519.

	mpi: Add special format GCRYMPI_FMT_OPAQUE.
	* src/gcrypt.h.in (GCRYMPI_FMT_OPAQUE): New.
	(_gcry_sexp_nth_opaque_mpi): Remove.
	* src/sexp.c (gcry_sexp_nth_mpi): Add support for GCRYMPI_FMT_OPAQUE.
	(_gcry_sexp_vextract_param): Replace removed function by
	GCRYMPI_FMT_OPAQUE.

2013-11-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix error output in CTR selftest.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Change
	fprintf(stderr,...) to syslog(); Correct error output for bulk
	IV check, plaintext mismatch => ciphertext mismatch.

2013-11-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix Serpent-AVX2 and Camellia-AVX2 counter modes.
	* cipher/camellia-aesni-avx2-amd64.S
	(_gcry_camellia_aesni_avx2_ctr_enc): Byte-swap before checking for
	overflow handling.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_cbc_128): Add 16 to nblocks.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_ctr): Add test with
	non-overflowing IV and modify overflow IV to detect broken endianness
	handling.
	* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc): Byte-swap
	before checking for overflow handling; Fix crazy-mixed-endian IV
	construction to big-endian.
	* cipher/serpent.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_cbc_128): Add 8 to nblocks.

2013-11-09  Sergey V  <sftp.mtuci@gmail.com>

	cipher/gost28147: optimization: use precomputed S-box tables.
	* cipher/gost.h (GOST28147_context): Remove unneeded subst and
	subst_set members.
	* cipher/gost28147.c (max): Remove unneeded macro.
	(test_sbox): Replace with new precomputed tables.
	(gost_set_subst): Remove function.
	(gost_val): Use new S-box tables.
	(gost_encrypt_block, gost_decrypt_block): Tweak to use new ctx and
	S-box tables.

2013-11-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix tail handling for AES-NI counter mode.
	* cipher/rijndael.c (do_aesni_ctr): Fix outputting of updated
	counter-IV.

2013-11-08  Werner Koch  <wk@gnupg.org>

	ecc: Improve gcry_pk_get_curve.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Factor some code out
	to ...
	(find_domain_parms_idx): New.
	(_gcry_ecc_get_curve): Find by curve name on error.

	cipher: Avoid signed divisions in idea.c.
	* cipher/idea.c (mul_inv): Use unsigned division.

	ecc: Implement the "nocomp" flag for key generation.
	* cipher/ecc.c (ecc_generate): Support the "nocomp" flag.
	* tests/keygen.c (check_ecc_keys): Add a test for it.

	ecc: Make "noparam" the default and replace by "param".
	* src/cipher.h (PUBKEY_FLAG_NOCOMP): New.
	(PUBKEY_FLAG_NOPARAM): Remove.
	(PUBKEY_FLAG_PARAM): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Support the new
	flags and ignore the obsolete "noparam" flag.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return the curve name
	also for curves selected by NBITS.
	(_gcry_mpi_ec_new): Support the "param" flag.
	* cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Ditto.
	* tests/keygen.c (check_ecc_keys): Remove the "noparam" flag.

2013-11-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix decryption function size in AES AMD64 assembly.
	* cipher/rijndael-amd64.S (_gcry_aes_amd64_decrypt_block): Set '.size'
	for '_gcry_aes_amd64_decrypt_block', not '..._encrypt_block'.

	Change 64-bit shift to 32-bit in AES AMD64 assembly.
	* cipher/rijndael-amd64.S (do16bit_shr): Change 'shrq' to 'shrl'.

2013-11-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Speed-up AES-NI key setup.
	* cipher/rijndael.c [USE_AESNI] (m128i_t): Remove.
	[USE_AESNI] (u128_t): New.
	[USE_AESNI] (aesni_do_setkey): New.
	(do_setkey) [USE_AESNI]: Move AES-NI accelerated key setup to
	'aesni_do_setkey'.
	(do_setkey): Call _gcry_get_hw_features only once. Clear stack after
	use in generic key setup part.
	(rijndael_setkey): Remove stack burning.
	(prepare_decryption) [USE_AESNI]: Use 'u128_t' instead of 'm128i_t' to
	avoid compiler-generated SSE2 instructions and XMM register usage;
	unroll 'aesimc' setup loop.
	(prepare_decryption): Clear stack after use.
	[USE_AESNI] (do_aesni_enc_aligned): Update comment about alignment.
	(do_decrypt): Do not burn stack after prepare_decryption.

	Avoid burn stack in Arcfour setkey.
	* cipher/arcfour.c (arcfour_setkey): Remove stack burning.

	Avoid burn_stack in CAST5 setkey.
	* cipher/cast5.c (do_cast_setkey): Use wipememory instead of memset.
	(cast_setkey): Remove stack burning.

	Improve Serpent key setup speed.
	* cipher/serpent.c (SBOX, SBOX_INVERSE): Remove index argument.
	(serpent_subkeys_generate): Use smaller temporary arrays for subkey
	generation and perform stack clearing locally.
	(serpent_setkey_internal): Use wipememory to clear stack and remove
	_gcry_burn_stack.
	(serpent_setkey): Remove unneeded _gcry_burn_stack.

	Modify encrypt/decrypt arguments for in-place.
	* cipher/cipher.c (gcry_cipher_encrypt, gcry_cipher_decrypt): Modify
	local arguments if in-place operation.

	Speed up Stribog.
	* cipher/stribog.c (STRIBOG_TABLES): Remove.
	(Pi): Remove.
	[!STRIBOG_TABLES] (A, strido): Remove.
	(stribog_table): New table pre-reordered with Pi values.
	(strido): Rewrite for new table.
	(LPSX): Rewrite for new table.
	(xor): Remove.
	(g): Small tweaks.

	Tweak AES-NI bulk CTR mode slightly.
	* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_2_5): Rename to...
	(aesni_cleanup_2_6): ...this and clear also 'xmm6'.
	[USE_AESNI && __i386__] (do_aesni_ctr, do_aesni_ctr_4): Prevent
	inlining only on i386, allow on AMD64.
	[USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Use counter block from
	'xmm5' and byte-swap mask from 'xmm6'.
	(_gcry_aes_ctr_enc) [USE_AESNI]: Preload counter block to 'xmm5' and
	byte-swap mask to 'xmm6'.
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec): Use
	'aesni_cleanup_2_6'.

	Tweak bench-slope parameters.
	* tests/bench-slope.c (BUF_STEP_SIZE): Half step size to 64.
	(NUM_MEASUREMENT_REPETITIONS): Double repetitions to 64.

	Optimize Blowfish weak key check.
	* cipher/blowfish.c (hashset_elem, val_to_hidx, add_val): New.
	(do_bf_setkey): Use faster algorithm for detecting weak keys.
	(bf_setkey): Move stack burning to do_bf_setkey.

	Fix __builtin_bswap32/64 checks.
	* configure.ac (gcry_cv_have_builtin_bswap32)
	(gcry_cv_have_builtin_bswap64): Change compile checks to link checks.

	Fix 'u32' build error with Camellia.
	* cipher/camellia.c: Add include for <config.h> and "types.h".
	(u32): Remove.
	(u8): Typedef as 'byte'.

2013-11-06  Werner Koch  <wk@gnupg.org>

	pubkey: Add forward compatibility feature.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add
	"igninvflag".

2013-11-05  Werner Koch  <wk@gnupg.org>

	ecc: Require "eddsa" flag for curve Ed25519.
	* src/cipher.h (PUBKEY_FLAG_ECDSA): Remove.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Remove "ecdsa".
	* cipher/ecc.c (ecc_generate, ecc_sign, ecc_verify): Require "eddsa" flag.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Depend "eddsa" flag.
	* tests/benchmark.c, tests/keygen.c, tests/pubkey.c
	* tests/t-ed25519.c, tests/t-mpi-point.c: Adjust for changed flags.

	ecc: Fully implement Ed25519 compression in ECDSA mode.
	* src/ec-context.h (mpi_ec_ctx_s): Add field FLAGS.
	* mpi/ec.c (ec_p_init): Add arg FLAGS.  Change all callers to pass it.
	* cipher/ecc-curves.c (point_from_keyparam): Add arg EC, parse as
	 opaque mpi and use eddsa decoding depending on the flag.
	(_gcry_mpi_ec_new): Rearrange to parse Q and D after knowing the
	curve.

	mpi: Add function gcry_mpi_set_opaque_copy.
	* src/gcrypt.h.in (gcry_mpi_set_opaque_copy): New.
	* src/visibility.c (gcry_mpi_set_opaque_copy): New.
	* src/visibility.h (gcry_mpi_set_opaque_copy): Mark visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new API.
	* tests/mpitests.c (test_opaque): Add test.

2013-11-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make test vectors 'static const'
	* cipher/arcfour.c (selftest): Change test vectors to 'static const'.
	* cipher/blowfish.c (selftest): Ditto.
	* cipher/camellia-glue.c (selftest): Ditto.
	* cipher/cast5.c (selftest): Ditto.
	* cipher/des.c (selftest): Ditto.
	* cipher/rijndael.c (selftest): Ditto.
	* tests/basic.c (cipher_cbc_mac_cipher, check_aes128_cbc_cts_cipher)
	(check_ctr_cipher, check_cfb_cipher, check_ofb_cipher)
	(check_ccm_cipher, check_stream_cipher)
	(check_stream_cipher_large_block, check_bulk_cipher_modes)
	(check_ciphers, check_digests, check_hmac, check_pubkey_sign)
	(check_pubkey_sign_ecdsa, check_pubkey_crypt, check_pubkey): Ditto.

2013-11-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make jump labels local in Salsa20 assembly.
	* cipher/salsa20-amd64.S: Rename '._labels' to '.L_labels'.
	* cipher/salsa20-armv7-neon.S: Ditto.

2013-10-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bithelp: fix undefined behaviour with rol and ror.
	* cipher/bithelp.h (rol, ror): Mask shift with 31.
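
The entry above fixes a classic C pitfall: a 32-bit rotate written as
(x << n) | (x >> (32 - n)) shifts by 32 when n is 0, which is undefined
behaviour.  The following is an added example, not libgcrypt's bithelp.h;
it shows the masked form the entry describes, with rol32/ror32 as stand-in
names.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libgcrypt code.  Masking both shift counts with 31
 * keeps every shift in 0..31, so rotating by 0 or by 32 is well defined
 * and simply returns x.  The pre-fix form
 *   (x << n) | (x >> (32 - n))
 * is undefined for n == 0 (shift by 32) and for n >= 32. */

static inline uint32_t rol32(uint32_t x, unsigned n)
{
  n &= 31;
  return (x << n) | (x >> ((32 - n) & 31));
}

static inline uint32_t ror32(uint32_t x, unsigned n)
{
  n &= 31;
  return (x >> n) | (x << ((32 - n) & 31));
}

/* Rotating left then right by the same count must give x back. */
static int rot_roundtrip_ok(uint32_t x, unsigned n)
{
  return ror32(rol32(x, n), n) == x && rol32(ror32(x, n), n) == x;
}

int main(void)
{
  uint32_t x = 0x12345678u;
  printf("rol32(%08x, 8)  = %08x\n", x, rol32(x, 8));
  printf("rol32(%08x, 0)  = %08x\n", x, rol32(x, 0));
  printf("rol32(%08x, 32) = %08x\n", x, rol32(x, 32));
  printf("ror32(%08x, 8)  = %08x\n", x, ror32(x, 8));
  return rot_roundtrip_ok(x, 13) ? 0 : 1;
}
```

The edge cases n == 0 and n == 32 are the ones that matter: both must
return x unchanged rather than invoke undefined behaviour.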

2013-10-29  Werner Koch  <wk@gnupg.org>

	tests: Add feature to skip benchmarks.
	* tests/benchmark.c (main): Add feature to skip the test.
	* tests/bench-slope.c (main): Ditto.
	(get_slope): Replace C++-style comment.
	(double_cmp, cipher_bench, _hash_bench): Replace system-reserved
	symbols.

	ecc: Finish Ed25519/ECDSA hack.
	* cipher/ecc.c (ecc_generate): Fix Ed25519/ECDSA case.
	(ecc_verify): Implement ED25519/ECDSA uncompression.

	ecc: Add flags "noparam" and "comp".
	* src/cipher.h (PUBKEY_FLAG_NOPARAM, PUBKEY_FLAG_COMP): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse new flags
	and change code for possible faster parsing.
	* cipher/ecc.c (ecc_generate): Implement the "noparam" flag.
	(ecc_sign): Ditto.
	(ecc_verify): Ditto.
	* tests/keygen.c (check_ecc_keys): Use the "noparam" flag.

	* cipher/ecc.c (ecc_generate): Fix parsing of the deprecated
	transient-flag parameter.
	(ecc_verify): Do not make Q optional in the extract-param call.

2013-10-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix typos in documentation.
	* doc/gcrypt.texi: Fix some typos.

	Add ARM NEON assembly implementation of Serpent.
	* cipher/Makefile.am: Add 'serpent-armv7-neon.S'.
	* cipher/serpent-armv7-neon.S: New.
	* cipher/serpent.c (USE_NEON): New macro.
	(serpent_context_t) [USE_NEON]: Add 'use_neon'.
	[USE_NEON] (_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec)
	(_gcry_serpent_neon_cbc_dec): New prototypes.
	(serpent_setkey_internal) [USE_NEON]: Detect NEON support.
	(_gcry_serpent_neon_ctr_enc, _gcry_serpent_neon_cfb_dec)
	(_gcry_serpent_neon_cbc_dec) [USE_NEON]: Use NEON implementations
	to process eight blocks in parallel.
	* configure.ac [neonsupport]: Add 'serpent-armv7-neon.lo'.

	Add ARM NEON assembly implementation of Salsa20.
	* cipher/Makefile.am: Add 'salsa20-armv7-neon.S'.
	* cipher/salsa20-armv7-neon.S: New.
	* cipher/salsa20.c [USE_ARM_NEON_ASM]: New macro.
	(struct SALSA20_context_s, salsa20_core_t, salsa20_keysetup_t)
	(salsa20_ivsetup_t): New.
	(SALSA20_context_t) [USE_ARM_NEON_ASM]: Add 'use_neon'.
	(SALSA20_context_t): Add 'keysetup', 'ivsetup' and 'core'.
	(salsa20_core): Change 'src' argument to 'ctx'.
	[USE_ARM_NEON_ASM] (_gcry_arm_neon_salsa20_encrypt): New prototype.
	[USE_ARM_NEON_ASM] (salsa20_core_neon, salsa20_keysetup_neon)
	(salsa20_ivsetup_neon): New.
	(salsa20_do_setkey): Setup keysetup, ivsetup and core with default
	functions.
	(salsa20_do_setkey) [USE_ARM_NEON_ASM]: When NEON support is detected,
	set keysetup, ivsetup and core with ARM NEON functions.
	(salsa20_do_setkey): Call 'ctx->keysetup'.
	(salsa20_setiv): Call 'ctx->ivsetup'.
	(salsa20_do_encrypt_stream) [USE_ARM_NEON_ASM]: Process large buffers
	in ARM NEON implementation.
	(salsa20_do_encrypt_stream): Call 'ctx->core' instead of directly
	calling 'salsa20_core'.
	(selftest): Add test to check large buffer processing and block counter
	updating.
	* configure.ac [neonsupport]: Add 'salsa20-armv7-neon.lo'.

	Add AMD64 assembly implementation of Salsa20.
	* cipher/Makefile.am: Add 'salsa20-amd64.S'.
	* cipher/salsa20-amd64.S: New.
	* cipher/salsa20.c (USE_AMD64): New macro.
	[USE_AMD64] (_gcry_salsa20_amd64_keysetup, _gcry_salsa20_amd64_ivsetup)
	(_gcry_salsa20_amd64_encrypt_blocks): New prototypes.
	[USE_AMD64] (salsa20_keysetup, salsa20_ivsetup, salsa20_core): New.
	[!USE_AMD64] (salsa20_core): Change 'src' to non-constant, update block
	counter in 'salsa20_core' and return burn stack depth.
	[!USE_AMD64] (salsa20_keysetup, salsa20_ivsetup): New.
	(salsa20_do_setkey): Move generic key setup to 'salsa20_keysetup'.
	(salsa20_setkey): Fix burn stack depth.
	(salsa20_setiv): Move generic IV setup to 'salsa20_ivsetup'.
	(salsa20_do_encrypt_stream) [USE_AMD64]: Process large buffers in AMD64
	implementation.
	(salsa20_do_encrypt_stream): Move stack burning to this function...
	(salsa20_encrypt_stream, salsa20r12_encrypt_stream): ...from these
	functions.
	* configure.ac [x86-64]: Add 'salsa20-amd64.lo'.

	Add new benchmarking utility, bench-slope.
	* tests/Makefile.am (TESTS): Add 'bench-slope'.
	* tests/bench-slope.c: New.

	Change .global to .globl in assembly files.
	* cipher/blowfish-arm.S: Change '.global' to '.globl'.
	* cipher/camellia-aesni-avx-amd64.S: Ditto.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/camellia-arm.S: Ditto.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/rijndael-amd64.S: Ditto.
	* cipher/rijndael-arm.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* cipher/twofish-amd64.S: Ditto.
	* cipher/twofish-arm.S: Ditto.

2013-10-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Deduplicate code for ECB encryption and decryption.
	* cipher/cipher.c (do_ecb_crypt): New, based on old 'do_ecb_encrypt'.
	(do_ecb_encrypt): Use 'do_ecb_crypt', pass encryption function.
	(do_ecb_decrypt): Use 'do_ecb_crypt', pass decryption function.

2013-10-26  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Drop _gcry_cipher_ofb_decrypt as it duplicates _gcry_cipher_ofb_encrypt.
	* cipher/cipher.c (cipher_decrypt): Use _gcry_cipher_ofb_encrypt for OFB
	  decryption.
	* cipher/cipher-internal.h: Remove _gcry_cipher_ofb_decrypt declaration.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_decrypt): Remove.
	  (_gcry_cipher_ofb_encrypt): Remove copying of IV to lastiv; it is
	  unused there.

2013-10-25  Werner Koch  <wk@gnupg.org>

	tests: Add tests for mpi_cmp.
	* tests/mpitests.c (die): Modernize.
	(fail): New.
	(test_opaque, test_add, test_sub, test_mul): Use gcry_log_xx
	(main): Return error count.
	(test_cmp): New.

2013-10-24  Werner Koch  <wk@gnupg.org>

	ecc: Change algorithm for Ed25519 x recovery.
	* cipher/ecc-eddsa.c (scanval): Add as temporary hack.
	(_gcry_ecc_eddsa_recover_x): Use the algorithm from page 15 of the
	paper.  Return an error code.
	(_gcry_ecc_eddsa_decodepoint): Take care of the error code.
	* mpi/mpi-mul.c (gcry_mpi_mulm): Use truncated division.

	ecc: Refactor _gcry_ecc_eddsa_decodepoint.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Factor some code
	out to ...
	(_gcry_ecc_eddsa_recover_x): New.

2013-10-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ecc-gost: Add missing include.
	* ecc-gost.c: Include "pubkey-internal.h".

2013-10-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Replace architecture specific fast_wipememory2 with generic.
	* src/g10lib.h (fast_wipememory2): Remove architecture specific
	implementations and add generic implementation.

	Improve the speed of the cipher mode code.
	* cipher/bufhelp.h (buf_cpy): New.
	(buf_xor, buf_xor_2dst): If buffers unaligned, always jump to per-byte
	processing.
	(buf_xor_n_copy_2): New.
	(buf_xor_n_copy): Use 'buf_xor_n_copy_2'.
	* cipher/blowfish.c (_gcry_blowfish_cbc_dec): Avoid extra memory copy
	and use new 'buf_xor_n_copy_2'.
	* cipher/camellia-glue.c (_gcry_camellia_cbc_dec): Ditto.
	* cipher/cast5.c (_gcry_cast_cbc_dec): Ditto.
	* cipher/serpent.c (_gcry_serpent_cbc_dec): Ditto.
	* cipher/twofish.c (_gcry_twofish_cbc_dec): Ditto.
	* cipher/rijndael.c (_gcry_aes_cbc_dec): Ditto.
	(do_encrypt, do_decrypt): Use 'buf_cpy' instead of 'memcpy'.
	(_gcry_aes_cbc_enc): Avoid copying IV, use 'last_iv' pointer instead.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt): Avoid copying IV,
	update pointer to IV instead.
	(_gcry_cipher_cbc_decrypt): Avoid extra memory copy and use new
	'buf_xor_n_copy_2'.
	(_gcry_cipher_cbc_encrypt, _gcry_cipher_cbc_decrypt): Avoid extra
	accesses to c->spec, use 'buf_cpy' instead of memcpy.
	* cipher/cipher-ccm.c (do_cbc_mac): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Ditto.
	* cipher/cipher.c (do_ecb_encrypt, do_ecb_decrypt): Ditto.

	bufhelp: enable unaligned memory accesses for AArch64 (64-bit ARM)
	* cipher/bufhelp.h [__aarch64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
	macro on AArch64.

2013-10-23  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Enable assembler optimizations on earlier ARM cores.
	* cipher/blowfish-armv6.S => cipher/blowfish-arm.S: adapt to pre-armv6 CPUs.
	* cipher/blowfish.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/camellia-armv6.S => cipher/camellia-arm.S: adapt to pre-armv6 CPUs.
	* cipher/camellia.c, cipher/camellia-glue.c: enable assembly on armv4/armv5
	  little-endian CPUs.
	* cipher/cast5-armv6.S => cipher/cast5-arm.S: adapt to pre-armv6 CPUs.
	* cipher/cast5.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/rijndael-armv6.S => cipher/rijndael-arm.S: adapt to pre-armv6 CPUs.
	* cipher/rijndael.c: enable assembly on armv4/armv5 little-endian CPUs.
	* cipher/twofish-armv6.S => cipher/twofish-arm.S: adapt to pre-armv6 CPUs.
	* cipher/twofish.c: enable assembly on armv4/armv5 little-endian CPUs.

	mpi: enable assembler on all arm architectures.
	* mpi/config.links: remove check for arm >= v6
	* mpi/armv6 => mpi/arm: rename directory to reflect that it is generic
	  enough.

	Correct ASM assembly test in configure.ac.
	* configure.ac: correct HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS test to
	  require neither ARMv6 nor Thumb mode.  Our assembly code works
	  perfectly even on ARMv4 now.

2013-10-23  Werner Koch  <wk@gnupg.org>

	ecc: Refactor ecc.c.
	* cipher/ecc-ecdsa.c, cipher/ecc-eddsa.c, cipher/ecc-gost.c: New.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
	* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new files.
	* cipher/ecc.c (point_init, point_free): Move to ecc-common.h.
	(sign_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_sign.
	(verify_ecdsa): Move to ecc-ecdsa.c as _gcry_ecc_ecdsa_verify.
	(sign_gost): Move to ecc-gost.c as _gcry_ecc_gost_sign.
	(verify_gost): Move to ecc-gost.c as _gcry_ecc_gost_verify.
	(sign_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_sign.
	(verify_eddsa): Move to ecc-eddsa.c as _gcry_ecc_eddsa_verify.
	(eddsa_generate_key): Move to ecc-eddsa.c as _gcry_ecc_eddsa_genkey.
	(reverse_buffer): Move to ecc-eddsa.c.
	(eddsa_encodempi, eddsa_encode_x_y): Ditto.
	(_gcry_ecc_eddsa_encodepoint, _gcry_ecc_eddsa_decodepoint): Ditto.

	mpi: Fix scanning of negative SSH formats and add more tests.
	* mpi/mpicoder.c (gcry_mpi_scan): Fix sign setting for SSH format.
	* tests/t-convert.c (negative_zero): Test all formats.
	(check_formats): Add tests for PGP and scan tests for SSH and USG.
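
The fix above concerns the sign of an MPI scanned from the SSH wire
format, where the value is a two's-complement big-endian integer and the
high bit of its first byte is the sign.  The following is an added example,
not libgcrypt's mpicoder.c; it decodes that format (RFC 4251, section 5)
into a sign flag and a canonical magnitude, using the RFC's own example
vectors.  parse_ssh_mpint, ssh_mpint and the helpers are stand-in names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libgcrypt code.  SSH "mpint" (RFC 4251, section 5):
 * a 4-byte big-endian length followed by a two's-complement, big-endian
 * integer.  Zero is an empty payload; positive values whose top bit would
 * be set get a leading 0x00 pad byte.  MPINT_MAX_BYTES is an assumption of
 * this example to keep it fixed-size. */
#define MPINT_MAX_BYTES 32

typedef struct {
  int negative;                          /* 1 for a negative value */
  unsigned char mag[MPINT_MAX_BYTES];    /* big-endian magnitude, sign removed */
  size_t maglen;                         /* 0 encodes the value zero */
} ssh_mpint;

/* Returns the number of bytes consumed, or 0 on malformed input. */
static size_t parse_ssh_mpint(const unsigned char *buf, size_t len, ssh_mpint *out)
{
  size_t n, i, skip;
  unsigned carry;

  memset(out, 0, sizeof *out);
  if (len < 4)
    return 0;
  n = ((size_t)buf[0] << 24) | ((size_t)buf[1] << 16)
    | ((size_t)buf[2] << 8) | buf[3];
  if (n > len - 4 || n > MPINT_MAX_BYTES)
    return 0;                            /* truncated or too large */
  if (n == 0)
    return 4;                            /* zero: empty payload */

  memcpy(out->mag, buf + 4, n);
  out->negative = (out->mag[0] & 0x80) != 0;   /* the sign lives in the top bit */

  if (out->negative)
    {
      /* two's complement -> magnitude: invert every byte, then add one,
         carrying from the least significant byte upward */
      carry = 1;
      for (i = n; i-- > 0; )
        {
          unsigned v = (unsigned)(~out->mag[i] & 0xff) + carry;
          out->mag[i] = (unsigned char)(v & 0xff);
          carry = v >> 8;
        }
    }

  /* canonical magnitude: drop leading zero bytes (e.g. the pad in 00 80) */
  skip = 0;
  while (skip + 1 < n && out->mag[skip] == 0)
    skip++;
  if (skip)
    {
      memmove(out->mag, out->mag + skip, n - skip);
      memset(out->mag + (n - skip), 0, skip);
    }
  out->maglen = n - skip;
  return 4 + n;
}

/* The magnitude as an unsigned 64-bit integer (small values only). */
static uint64_t ssh_mpint_mag_u64(const ssh_mpint *m)
{
  uint64_t v = 0;
  size_t i;
  for (i = 0; i < m->maglen && i < 8; i++)
    v = (v << 8) | m->mag[i];
  return v;
}

/* 1 if buf decodes to the given sign, magnitude and consumed length. */
static int mpint_decodes_to(const unsigned char *buf, size_t len,
                            int negative, uint64_t mag, size_t consumed)
{
  ssh_mpint m;
  size_t used = parse_ssh_mpint(buf, len, &m);
  return used == consumed && m.negative == negative && ssh_mpint_mag_u64(&m) == mag;
}

/* Example encodings taken from RFC 4251, section 5 (values in hex). */
static const unsigned char mpint_zero[]      = { 0x00,0x00,0x00,0x00 };
static const unsigned char mpint_pos_big[]   = { 0x00,0x00,0x00,0x08,
                                                 0x09,0xa3,0x78,0xf9,0xb2,0xe3,0x32,0xa7 };
static const unsigned char mpint_pos_80[]    = { 0x00,0x00,0x00,0x02, 0x00,0x80 };
static const unsigned char mpint_neg_1234[]  = { 0x00,0x00,0x00,0x02, 0xed,0xcc };
static const unsigned char mpint_neg_dead[]  = { 0x00,0x00,0x00,0x05, 0xff,0x21,0x52,0x41,0x11 };
static const unsigned char mpint_truncated[] = { 0x00,0x00,0x00,0x05, 0xff };   /* constructed: bad length */

int main(void)
{
  ssh_mpint m;
  parse_ssh_mpint(mpint_neg_dead, sizeof mpint_neg_dead, &m);
  printf("sign=%s magnitude=%llx\n", m.negative ? "-" : "+",
         (unsigned long long)ssh_mpint_mag_u64(&m));
  return 0;
}
```

Note the two places a scanner can go wrong: treating the top bit as part of
the magnitude (the sign bug the entry fixes), and trusting the length field
without checking it against the buffer.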

	* src/gcrypt.h.in (mpi_is_neg): Fix macro.

	* mpi/mpi-scan.c (_gcry_mpi_getbyte, _gcry_mpi_putbyte): Comment out
	these unused functions.

2013-10-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	twofish: add ARMv6 assembly implementation.
	* cipher/Makefile.am: Add 'twofish-armv6.S'.
	* cipher/twofish-armv6.S: New.
	* cipher/twofish.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_twofish_armv6_encrypt_block)
	(_gcry_twofish_armv6_decrypt_block): New prototypes.
	[USE_ARMV6_ASM] (twofish_encrypt, twofish_decrypt): Add.
	[USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt): Remove.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cfb_dec): Use 'twofish_encrypt'
	instead of 'do_twofish_encrypt'.
	(_gcry_twofish_cbc_dec): Use 'twofish_decrypt' instead of
	'do_twofish_decrypt'.
	* configure.ac [arm]: Add 'twofish-armv6.lo'.

	mpi: allow building with clang on ARM.
	* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(count_leading_zeros): Do not cast assembly output arguments.
	[__arm__] (umul_ppmm): Remove the extra '%' ahead of assembly comment.
	[_ARM_ARCH >= 4] (umul_ppmm): Use correct inputs and outputs instead of
	registers.

	serpent-amd64: do not use GAS macros.
	* cipher/serpent-avx2-amd64.S: Remove use of GAS macros.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* configure.ac [HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS]: Do not check
	for GAS macros.

	Add Counter with CBC-MAC mode (CCM)
	* cipher/Makefile.am: Add 'cipher-ccm.c'.
	* cipher/cipher-ccm.c: New.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add 'u_mode'.
	(_gcry_cipher_ccm_encrypt, _gcry_cipher_ccm_decrypt)
	(_gcry_cipher_ccm_set_nonce, _gcry_cipher_ccm_authenticate)
	(_gcry_cipher_ccm_get_tag, _gcry_cipher_ccm_check_tag)
	(_gcry_cipher_ccm_set_lengths): New prototypes.
	* cipher/cipher.c (gcry_cipher_open, cipher_encrypt, cipher_decrypt)
	(_gcry_cipher_setiv, _gcry_cipher_authenticate, _gcry_cipher_gettag)
	(_gcry_cipher_checktag, gcry_cipher_ctl): Add handling for CCM mode.
	* doc/gcrypt.texi: Add documentation for GCRY_CIPHER_MODE_CCM.
	* src/gcrypt.h.in (gcry_cipher_modes): Add 'GCRY_CIPHER_MODE_CCM'.
	(gcry_ctl_cmds): Add 'GCRYCTL_SET_CCM_LENGTHS'.
	(GCRY_CCM_BLOCK_LEN): New.
	* tests/basic.c (check_ccm_cipher): New.
	(check_cipher_modes): Call 'check_ccm_cipher'.
	* tests/benchmark.c (ccm_aead_init): New.
	(cipher_bench): Add handling for AEAD modes and add CCM benchmarking.

	Add API to support AEAD cipher modes.
	* cipher/cipher.c (_gcry_cipher_authenticate, _gcry_cipher_checktag)
	(_gcry_cipher_gettag): New.
	* doc/gcrypt.texi: Add documentation for new API functions.
	* src/visibility.c (gcry_cipher_authenticate, gcry_cipher_checktag)
	(gcry_cipher_gettag): New.
	* src/gcrypt.h.in, src/visibility.h: Add declarations of these
	functions.
	* src/libgcrypt.def, src/libgcrypt.vers: Export functions.

2013-10-22  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Correct compliant key generation for Edwards curves.
	* cipher/ecc.c: Add case for Edwards curves.

2013-10-17  Werner Koch  <wk@gnupg.org>

	tests: Add test options to keygen.
	* tests/keygen.c (usage): New.
	(main): Print usage info.  Allow running just one algo.

	mpi: Do not clear the sign of the mpi_mod result.
	* mpi/mpi-mod.c (_gcry_mpi_mod): Remove sign setting.

	ecc: Put the curve name again into the output of gcry_pk_genkey.
	* cipher/ecc.c (ecc_generate): Use the correct var.  Release
	CURVE_FLAGS.

	ecc: Support Weierstrass curves in gcry_mpi_ec_curve_point.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Support MPI_EC_WEIERSTRASS.

2013-10-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	arcfour: more optimized version for non-i386 architectures.
	* cipher/arcfour.c (ARCFOUR_context): Reorder members.
	(do_encrypt_stream) [!__i386__]: Faster implementation for non-i386.
	(do_arcfour_setkey): Avoid modulo operations.

	Avoid void* pointer arithmetic.
	* tests/tsexp.c (check_extract_param): Cast void* pointers to char*
	before doing arithmetic.

2013-10-16  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	ecc: Add support for GOST R 34.10-2001/-2012 signatures.
	* src/cipher.h: define PUBKEY_FLAG_GOST
	* cipher/ecc-curves.c: Add GOST2001-test and GOST2012-test curves
	  defined in standards. Typical applications would use either those
	  curves, or curves defined in RFC 4357 (will be added later).
	* cipher/ecc.c (sign_gost, verify_gost): New.
	  (ecc_sign, ecc_verify): use sign_gost/verify_gost if PUBKEY_FLAG_GOST
	  is set.
	  (ecc_names): add "gost" for gost signatures.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist,
	  _gcry_pk_util_preparse_sigval): set PUBKEY_FLAG_GOST if gost flag
	  is present in s-exp.
	* tests/benchmark.c (ecc_bench): also benchmark GOST signatures.
	* tests/basic.c (check_pubkey): add two public keys from
	  GOST R 34.10-2012 standard.
	  (check_pubkey_sign_ecdsa): add two data sets to check gost signatures.
	* tests/curves.c: correct N_CURVES as we now have 2 more curves.


	Removed some comments from the new curve definitions in ecc-curves.c
	to avoid line wrapping.  Eventually we will develop a precompiler to
	avoid parsing those hex strings. -wk

	Fix 256-bit ecdsa test key definition.
	* tests/basic.c (check_pubkey): fix nistp256 testing key declaration -
	  add missing comma.

2013-10-16  Werner Koch  <wk@gnupg.org>

	sexp: Add function gcry_sexp_extract_param.
	* src/gcrypt.h.in (_GCRY_GCC_ATTR_SENTINEL): New.
	(gcry_sexp_extract_param): New.
	* src/visibility.c (gcry_sexp_extract_param): New.
	* src/visibility.h (gcry_sexp_extract_param): Add hack to detect
	internal use.
	* cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Move and split
	into ...
	* src/sexp.c (_gcry_sexp_vextract_param)
	(_gcry_sexp_extract_param): this.  Change all callers.  Add support for
	buffer descriptors and a path option.

	* tests/tsexp.c (die, hex2buffer, hex2mpi, hex2mpiopa): New.
	(cmp_mpihex, cmp_bufhex): New.
	(check_extract_param): New.

2013-10-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: mpi-pow improvement.
	* mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right
	k-ary exponentiation.
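
The entry above names the algorithm but not its shape.  The following is an
added example, not libgcrypt's mpi-pow.c: a left-to-right k-ary
(fixed-window) modular exponentiation on a 32-bit modulus with 64-bit
intermediates instead of MPIs, so it runs stand-alone.  powm_kary,
powm_binary and mulmod32 are stand-in names; the reference result comes
from plain square-and-multiply.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libgcrypt code.  Left-to-right k-ary exponentiation:
 * precompute base^0 .. base^(2^k - 1), then walk the exponent from its
 * most significant end in k-bit windows, squaring k times per window and
 * multiplying once by the table entry for that window.  Versus binary
 * square-and-multiply this trades 2^k table entries for about bits/k
 * multiplications instead of about bits/2. */
#define MAX_K 6

static uint32_t mulmod32(uint32_t a, uint32_t b, uint32_t m)
{
  return (uint32_t)(((uint64_t)a * b) % m);
}

/* Textbook right-to-left square-and-multiply, the reference result. */
static uint32_t powm_binary(uint32_t base, uint64_t exp, uint32_t mod)
{
  uint32_t result = 1 % mod, b = base % mod;
  while (exp)
    {
      if (exp & 1)
        result = mulmod32(result, b, mod);
      b = mulmod32(b, b, mod);
      exp >>= 1;
    }
  return result;
}

/* Window width k in 1..MAX_K; returns 0 on a bad k or a zero modulus. */
static uint32_t powm_kary(uint32_t base, uint64_t exp, uint32_t mod, unsigned k)
{
  uint32_t table[1u << MAX_K];
  uint32_t result;
  unsigned nwin, w, i, mask;

  if (k < 1 || k > MAX_K || mod == 0)
    return 0;
  mask = (1u << k) - 1;

  /* table[i] = base^i mod m for i in 0 .. 2^k - 1 */
  table[0] = 1 % mod;
  for (i = 1; i <= mask; i++)
    table[i] = mulmod32(table[i - 1], base % mod, mod);

  /* aligned k-bit windows, most significant first; leading zero windows
     just square 1, so no special casing of the exponent length is needed */
  nwin = (64 + k - 1) / k;
  result = 1 % mod;
  for (w = nwin; w-- > 0; )
    {
      unsigned win = (unsigned)((exp >> (w * k)) & mask);
      for (i = 0; i < k; i++)
        result = mulmod32(result, result, mod);
      if (win)
        result = mulmod32(result, table[win], mod);
    }
  return result;
}

int main(void)
{
  uint32_t mod = 1000000007u;
  uint64_t e = 0xfedcba9876543210ull;
  printf("binary: %u\n", powm_binary(123456789u, e, mod));
  printf("k=5   : %u\n", powm_kary(123456789u, e, mod, 5));
  return 0;
}
```

With k == 1 the table has two entries and the loop degenerates into
left-to-right square-and-multiply, which is a handy sanity check for the
window logic.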

2013-10-15  Werner Koch  <wk@gnupg.org>

	ecc:  Support use of Ed25519 with ECDSA.
	* src/cipher.h (PUBKEY_FLAG_ECDSA): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag "ecdsa".
	* cipher/ecc.c (verify_ecdsa, verify_eddsa): Remove some debug output.
	(ecc_generate, ecc_sign, ecc_verify): Support Ed25519 with ECDSA.
	* tests/keygen.c (check_ecc_keys): Create such a test key.
	* tests/pubkey.c (fail, info, data_from_hex, extract_cmp_data): New.
	Taken from dsa-6979.c.
	(check_ed25519ecdsa_sample_key): New.
	(main): Call new test.

2013-10-14  Werner Koch  <wk@gnupg.org>

	pubkey: Support flags list in gcry_pk_genkey.
	* src/cipher.h (PUBKEY_FLAG_TRANSIENT_KEY): New.
	(PUBKEY_FLAG_USE_X931): New.
	(PUBKEY_FLAG_USE_FIPS186): New.
	(PUBKEY_FLAG_USE_FIPS186_2): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Rename from
	parse_flags_list.  Parse new flags.
	* cipher/dsa.c (dsa_generate): Support flag list.
	* cipher/ecc.c (ecc_generate): Ditto.
	* cipher/rsa.c (rsa_generate): Ditto.

	pubkey: Remove duplicated flag parsing code.
	* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval)
	(_gcry_pk_util_data_to_mpi): Factor flag parsing code out to ..
	(parse_flag_list): New.
	* src/cipher.h (PUBKEY_FLAG_RAW_FLAG): New.

	mpicalc: Accept lowercase hex digits.
	* src/mpicalc.c (main): Test for lowercase hex digits.

2013-10-11  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing of remaining functions to the modules.
	* cipher/pubkey.c (release_mpi_array): Remove.
	(pubkey_check_secret_key): Remove.
	(sexp_elements_extract): Remove.
	(sexp_elements_extract_ecc): Remove.
	(sexp_to_key): Remove.
	(get_hash_algo): Remove.
	(gcry_pk_testkey): Revamp.
	(gcry_pk_get_curve): Revamp.
	* cipher/rsa.c (rsa_check_secret_key): Revamp.
	* cipher/elgamal.c (elg_check_secret_key): Revamp.
	* cipher/dsa.c (dsa_check_secret_key): Revamp.
	* cipher/ecc.c (ecc_check_secret_key): Revamp.
	* cipher/ecc-curves.c: Include cipher.h and pubkey-internal.h
	(_gcry_ecc_get_curve): Revamp.

	* cipher/pubkey-util.c (_gcry_pk_util_extract_mpis): Set passed and
	used parameters on error to NULL.

	pubkey: Move sexp parsing for gcry_pk_decrypt to the modules.
	* cipher/rsa.c (rsa_decrypt): Revamp.
	* cipher/elgamal.c (elg_decrypt): Revamp.
	* cipher/ecc.c (ecc_decrypt_raw): Revamp.
	* cipher/pubkey.c (gcry_pk_decrypt): Simplify.
	(sexp_to_enc): Remove.
	* cipher/pubkey-util.c (_gcry_pk_util_preparse_encval): New.

	pubkey: Move sexp parsing for gcry_pk_encrypt to the modules.
	* cipher/rsa.c (rsa_encrypt): Revamp.
	* cipher/elgamal.c (elg_encrypt): Revamp.
	* cipher/ecc.c (ecc_encrypt_raw): Revamp.
	* cipher/pubkey.c (gcry_pk_encrypt): Simplify.

	* tests/basic.c (check_pubkey_crypt): Init plain, ciph, and data so
	that they are initialized even after an encrypt failure.

	pubkey: Move sexp parsing for gcry_pk_sign to the modules.
	* cipher/rsa.c (rsa_sign): Revamp.
	* cipher/dsa.c (dsa_sign): Revamp.
	* cipher/elgamal.c (elg_sign): Revamp.
	* cipher/ecc.c (ecc_sign): Revamp.
	* cipher/pubkey.c (gcry_pk_sign): Simplify.

2013-10-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Prevent tail call optimization with _gcry_burn_stack.
	* configure.ac: New check, HAVE_GCC_ASM_VOLATILE_MEMORY.
	* src/g10lib.h (_gcry_burn_stack): Rename to __gcry_burn_stack.
	(__gcry_burn_stack_dummy): New.
	(_gcry_burn_stack): New macro.
	* src/misc.c (_gcry_burn_stack): Rename to __gcry_burn_stack.
	(__gcry_burn_stack_dummy): New.
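
The entry above and the 2013-10-23 fast_wipememory2 entry are two sides of
the same problem: the optimizer is free to drop stores to memory it
considers dead, and to turn a final call into a jump.  The following is an
added example, not libgcrypt's g10lib.h or misc.c, showing both defences
together: a wipe through a volatile pointer and a stack burn followed by an
asm memory barrier so the burn cannot become a tail call.  wipe_memory,
burn_stack_impl, BURN_STACK and mix_with_secret are stand-in names, and
the 64-byte scratch frame and the demo key are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libgcrypt code. */

/* Each store goes through a volatile pointer and so counts as an
   observable side effect; a plain memset before return can be elided. */
static void wipe_memory(void *buf, size_t len)
{
  volatile unsigned char *p = (volatile unsigned char *)buf;
  while (len--)
    *p++ = 0;
}

/* Overwrite roughly 'bytes' of stack below the caller's frame by
   recursing with a scratch buffer until the budget is used up. */
static void burn_stack_impl(int bytes)
{
  char buf[64];
  wipe_memory(buf, sizeof buf);
  bytes -= (int)sizeof buf;
  if (bytes > 0)
    burn_stack_impl(bytes);
}

#ifdef __GNUC__
/* The empty asm with a "memory" clobber is a compiler barrier.  Because
   something still follows the call, burn_stack_impl cannot be emitted as
   the enclosing function's tail call and therefore runs in a fresh frame
   below the caller, which is the region the burn is meant to cover. */
# define BURN_STACK(bytes) \
  do { burn_stack_impl(bytes); __asm__ volatile ("" ::: "memory"); } while (0)
#else
# define BURN_STACK(bytes) do { burn_stack_impl(bytes); } while (0)
#endif

/* Toy primitive with key-dependent stack state: expands the key into a
   local buffer, folds it into a checksum, then clears its own locals and
   burns the stack its callees used.  The checksum is only there so the
   caller has a return value to check. */
static uint32_t mix_with_secret(const unsigned char *key, size_t keylen)
{
  unsigned char expanded[64];
  uint32_t sum = 0;
  size_t i;

  for (i = 0; i < sizeof expanded; i++)
    expanded[i] = (unsigned char)(key[i % keylen] ^ (unsigned char)i);
  for (i = 0; i < sizeof expanded; i++)
    sum = sum * 31u + expanded[i];

  wipe_memory(expanded, sizeof expanded);   /* our own locals */
  BURN_STACK(4 * 64);                       /* whatever callees left below */
  return sum;
}

static int buffer_is_zero(const unsigned char *p, size_t len)
{
  size_t i;
  for (i = 0; i < len; i++)
    if (p[i])
      return 0;
  return 1;
}

/* Fill a buffer, wipe it, report whether the wipe took effect. */
static int wipe_demo(void)
{
  unsigned char scratch[32];
  memset(scratch, 0xa5, sizeof scratch);
  wipe_memory(scratch, sizeof scratch);
  return buffer_is_zero(scratch, sizeof scratch);
}

/* Constructed demo key, not a real secret. */
static const unsigned char demo_key[] = { 'e','x','a','m','p','l','e','-','k','e','y' };

int main(void)
{
  printf("wipe ok: %d\n", wipe_demo());
  printf("checksum: %08x\n", mix_with_secret(demo_key, sizeof demo_key));
  return 0;
}
```

Whether the burn really lands below the caller cannot be asserted portably
from C, which is why the barrier is a compile-time property rather than
something a unit test checks; the wipe, by contrast, is observable.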

2013-10-09  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing for gcry_pk_verify to the modules.
	* cipher/rsa.c (rsa_verify): Revamp.
	* cipher/dsa.c (dsa_verify): Revamp.
	* cipher/elgamal.c (elg_verify): Revamp.
	* cipher/ecc.c (ecc_verify): Revamp.
	* cipher/pubkey.c (sexp_to_sig): Remove.
	(pss_verify_cmp): Move to pubkey-util.c
	(sexp_data_to_mpi): Ditto.
	(init_encoding_ctx): Ditto.
	(gcry_pk_verify): Simplify.
	* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Add. Take
	from pubkey.c
	(get_hash_algo): Ditto.
	(_gcry_pk_util_data_to_mpi): Ditto.
	(pss_verify_cmp): Ditto.
	(_gcry_pk_util_extract_mpis): New.
	(_gcry_pk_util_preparse_sigval): New.
	(_gcry_pk_util_free_encoding_ctx): New.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make curve init
	optional.

	* src/g10lib.h (GCC_ATTR_SENTINEL): New.

	* tests/basic.c (check_pubkey_sign): Print the algo name.
	(main): Add option --pubkey.

2013-10-08  Werner Koch  <wk@gnupg.org>

	pubkey: Move sexp parsing for gcry_pk_get_nbits to the modules.
	* cipher/pubkey.c (spec_from_sexp): New.
	(gcry_pk_get_nbits): Simplify.
	* cipher/rsa.c (rsa_get_nbits): Take only PARMS as args and do sexp
	parsing here.
	* cipher/dsa.c (dsa_get_nbits): Ditto.
	* cipher/elgamal.c (elg_get_nbits): Ditto.
	* cipher/ecc.c (ecc_get_nbits): Ditto.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Allow NULL for arg
	CURVE.

	pubkey: Move sexp parsing for gcry_pk_getkey to the modules.
	* cipher/pubkey-util.c: New.
	(_gcry_pk_util_get_nbits): New.  Based on code from gcry_pk_genkey.
	(_gcry_pk_util_get_rsa_use_e): Ditto.
	* cipher/pubkey.c (gcry_pk_genkey): Strip most code and pass.
	* cipher/rsa.c (rsa_generate): Remove args ALGO, NBITS and EVALUE.
	Call new functions to get these values.
	* cipher/dsa.c (dsa_generate): Remove args ALGO, NBITS and EVALUE.
	Call _gcry_pk_util_get_nbits to get nbits.  Always parse genparms.
	* cipher/elgamal.c (elg_generate): Ditto.
	* cipher/ecc.c (ecc_generate): Ditto.

	cipher: Deprecate GCRY_PK_ELG_E.
	* cipher/elgamal.c (_gcry_pubkey_spec_elg_e): Remove.
	* cipher/pubkey.c (pubkey_list): Remove doubly included
	_gcry_pubkey_spec_elg.
	(map_algo): Make ELG_E to ELG.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Provide Pth compatibility for use with GnuPG 2.0.
	* src/ath.c (ath_install): Call ath_init and declare Pth as
	compatible.

2013-10-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha512: fix building on ARM.
	* cipher/sha512.c (transform) [USE_ARM_NEON_ASM]: Fix 'hd' to 'ctx'.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Remove deprecated control codes.
	* src/gcrypt.h.in (GCRYCTL_SET_KEY): Remove.
	(GCRYCTL_SET_IV): Remove.
	(GCRYCTL_SET_CTR): Remove.
	* cipher/md.c (gcry_md_ctl): Remove deprecated GCRYCTL_SET_KEY.
	* cipher/cipher.c (gcry_cipher_ctl): Remove deprecated
	GCRYCTL_SET_KEY, GCRYCTL_SET_IV, GCRYCTL_SET_CTR.

2013-10-02  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix errors when building with Clang on PPC.
	* mpi/longlong.h (add_ssaaaa, sub_ddmmss, count_leading_zeros,
	  umul_ppmm): Do not cast asm output to USItype.

2013-10-02  Werner Koch  <wk@gnupg.org>

	Remove last remains of the former module system.
	* src/gcrypt-module.h, src/module.c: Remove.
	* src/visibility.h: Do not include gcrypt-module.h.
	* src/g10lib.h: Remove all prototypes from module.c
	(gcry_module): Remove.
	* cipher/cipher-internal.h (gcry_cipher_handle): Remove unused field.

	Fix missing prototype warning in visibility.c.
	* src/ec-context.h (_gcry_mpi_ec_new): Move prototype to mpi.h.

	md: Simplify the message digest dispatcher md.c.
	* src/gcrypt-module.h (gcry_md_spec_t):  Move to ...
	* src/cipher-proto.h: here.  Merge with md_extra_spec_t.  Add fields
	ALGO and FLAGS.  Set these fields in all digest modules.
	* cipher/md.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.

2013-10-01  Werner Koch  <wk@gnupg.org>

	cipher: Simplify the cipher dispatcher cipher.c.
	* src/gcrypt-module.h (gcry_cipher_spec_t):  Move to ...
	* src/cipher-proto.h (gcry_cipher_spec_t): here.  Merge with
	cipher_extra_spec_t.  Add fields ALGO and FLAGS.  Set these fields in
	all cipher modules.
	* cipher/cipher.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.
	(disable_pubkey_algo): Simplified.  No longer thread-safe, though.

	* cipher/md.c (_gcry_md_selftest): Use correct structure.  Not a real
	problem because both define the same function as their first field.

	* cipher/pubkey.c (_gcry_pk_selftest): Take care of the disabled flag.

	mpi: Fix gcry_mpi_neg.
	* mpi/mpiutil.c (_gcry_mpi_neg): Copy U to W.

2013-10-01  Peter Wu  <lekensteyn@gmail.com>

	cipher: Add support for 128-bit keys in RC2.
	* cipher/rfc2268.c (oids_rfc2268_128): New
	(_gcry_cipher_spec_rfc2268_128): New.
	* cipher/cipher.c (cipher_table_entry): Add GCRY_CIPHER_RFC2268_128.

2013-09-30  Werner Koch  <wk@gnupg.org>

	ecc: Use faster b parameter for Ed25519.
	* cipher/ecc-curves.c (domain_parms): Replace b.
	* tests/t-mpi-point.c (test_curve): Ditto.

	ecc: Prepare for future Ed25519 optimization.
	* mpi/ec-ed25519.c: New but empty file.
	* mpi/ec-internal.h: New.
	* mpi/ec.c: Include ec-internal.h.
	(ec_mod): New.
	(ec_addm): Use ec_mod.
	(ec_mulm): Remove commented code.  Use ec_mod.
	(ec_subm): Call simple sub.
	(ec_pow2): Use ec_mulm.
	(ec_mul2): New.
	(dup_point_weierstrass): Use ec_mul2.
	(dup_point_twistededwards): Add special case for a == -1.  Use
	ec_mul2.
	(add_points_weierstrass): Use ec_mul2.
	(add_points_twistededwards): Add special case for a == -1.
	(_gcry_mpi_ec_curve_point): Ditto.
	(ec_p_init): Add hack to test Barrett functions.
	* src/ec-context.h (mpi_ec_ctx_s): Add P_BARRETT.

	* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Fix sign problem.

	ecc: Fix recomputing of Q for Ed25519.
	* cipher/ecc-misc.c (reverse_buffer): New.
	(_gcry_ecc_compute_public): Add Ed25519 specific code.
	* cipher/ecc.c (sign_eddsa): Allocate DIGEST in secure memory.  Get
	rid of HASH_D.
	* tests/t-mpi-point.c (context_param): Test recomputing of Q for
	Ed25519.

	log: Try to print s-expressions in a more compact format.
	* src/misc.c (count_closing_parens): New.
	(_gcry_log_printsxp): Use new function.
	* mpi/ec.c (_gcry_mpi_point_log): Take care of a NULL point.

2013-09-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make Whirlpool use the _gcry_md_block_write helper.
	* cipher/whirlpool.c (whirlpool_context_t): Add 'bctx', remove
	'buffer', 'count' and 'nblocks'.
	(whirlpool_init): Initialize 'bctx'.
	(whirlpool_transform): Adjust context argument type and burn stack
	depth.
	(whirlpool_add): Remove.
	(whirlpool_write): Use _gcry_md_block_write.
	(whirlpool_final, whirlpool_read): Adjust for 'bctx' usage.

	whirlpool: add stack burning after transform.
	* cipher/whirlpool.c (whirlpool_transform): Return burn stack depth.
	(whirlpool_add): Do burn_stack.

	whirlpool: do bitcount calculation in finalization part.
	* cipher/whirlpool.c (whirlpool_context_t): Remove 'length', add
	'nblocks'.
	(whirlpool_add): Update 'nblocks' instead of 'length', and add early
	return at one spot.
	(whirlpool_write): Check for 'nblocks' overflow.
	(whirlpool_final): Convert 'nblocks' to bit-counter, and use
	whirlpool_write instead of whirlpool_add.

2013-09-30  Werner Koch  <wk@gnupg.org>

	Add logging functions to the API.
	* src/gcrypt.h.in (_GCRY_GCC_ATTR_PRINTF): New.
	(gcry_log_debug, gcry_log_debughex, gcry_log_debugmpi): New.
	(gcry_log_debugpnt, gcry_log_debugsxp): New.
	* src/visibility.c (gcry_log_debug): New.
	(gcry_log_debughex, gcry_log_debugmpi, gcry_log_debugpnt): New.
	(gcry_log_debugsxp): New.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new functions.
	* src/misc.c (_gcry_logv): Make public.
	(_gcry_log_printsxp): New.
	* src/g10lib.h (log_printsxp): New macro.

2013-09-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make libgcrypt build with Clang on i386.
	* cipher/longlong.h [__i386__] (add_ssaaaa, sub_ddmmss)
	(umul_ppmm, udiv_qrnnd): Do not cast asm output to USItype.

2013-09-25  Werner Koch  <wk@gnupg.org>

	mpi: Change not yet used _gcry_mpi_set_opaque_copy.
	* mpi/mpiutil.c (_gcry_mpi_set_opaque_copy): Change prototype.
	(_gcry_mpi_get_opaque_copy): Take care of gcry_malloc failure.

	sexp: Improve printing of data with a leading zero.
	* src/sexp.c (suitable_encoding): Detect leading zero byte.

	ecc: Allow the name "q@eddsa" to get/set the public key.
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): Support "q@eddsa".
	(_gcry_ecc_set_mpi): Support "q".
	* cipher/ecc.c (eddsa_encodepoint): Rename to ...
	(_gcry_ecc_eddsa_encodepoint): this and make global.  Remove arg
	MINLEN and take from context.
	(eddsa_decodepoint): Rename to
	(_gcry_ecc_eddsa_decodepoint): this and make global. Remove arg LEN
	and take from context.
	(sign_eddsa, verify_eddsa): Take B from context.
	(ecc_sign, ecc_verify): Add hack to set DIALECT.
	(_gcry_pk_ecc_get_sexp): Use _gcry_ecc_compute_public.  Handle EdDSA.
	* src/ec-context.h (mpi_ec_ctx_s): Add field NBITS.
	* mpi/ec.c (ec_p_init): Init NBITS.
	* tests/t-mpi-point.c (test_curve): Add Ed25519.
	(sample_ed25519_q): New.
	(context_param): Check new sample key.
	(hex2buffer, hex2mpiopa): New.
	(cmp_mpihex): Take care of opaque MPIs.

	mpicalc: Add statement to compute the number of bits.
	* src/mpicalc.c (do_nbits): New.
	(main): Add statement 'b'.

	ecc: Refactor low-level access functions.
	* mpi/ec.c (point_copy): Move to cipher/ecc-curves.c.
	(ec_get_reset): Rename to _gcry_mpi_ec_get_reset and make global.
	(_gcry_mpi_ec_get_mpi): Factor most code out to _gcry_ecc_get_mpi.
	(_gcry_mpi_ec_get_point): Factor most code out to _gcry_ecc_get_point.
	(_gcry_mpi_ec_set_mpi): Factor most code out to _gcry_ecc_set_mpi.
	(_gcry_mpi_ec_set_point): Factor most code out to _gcry_ecc_set_point.
	* cipher/ecc-curves.c (_gcry_ecc_get_mpi): New.
	(_gcry_ecc_get_point, _gcry_ecc_set_mpi, _gcry_ecc_set_point): New.
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): New.

	ecc: Fix highly unlikely endless loop in sign_ecdsa.
	* cipher/ecc.c (sign_ecdsa): Turn while-do into do-while loops.

2013-09-24  Werner Koch  <wk@gnupg.org>

	ecc: Allow the use of an uncompressed public key.
	* cipher/ecc.c (eddsa_encodepoint): Factor most code out to ...
	(eddsa_encode_x_y): New function.
	(eddsa_decodepoint): Allow use of an uncompressed public key.
	* tests/t-ed25519.c (N_TESTS): Adjust.
	* tests/t-ed25519.inp: Add test 1025.

2013-09-23  Werner Koch  <wk@gnupg.org>

	pk: Add algo id GCRY_PK_ECC and deprecate ECDSA and ECDH.
	* src/gcrypt.h.in (GCRY_PK_ECC): New.
	* cipher/pubkey.c (map_algo): New.
	(spec_from_algo, gcry_pk_get_param, _gcry_pk_selftest): Use it.
	* cipher/ecc.c (selftests_ecdsa): Report using GCRY_PK_ECC.
	(run_selftests): Simplify.
	(ecdh_names, ecdsa_names): Merge into a new ecc_names.
	(_gcry_pubkey_spec_ecdh, _gcry_pubkey_spec_ecdsa): Merge into new
	_gcry_pubkey_spec_ecc.

	ec: Use mpi_mulm instead of mpi_powm.
	* mpi/ec.c (ec_pow2): New.
	(ec_powm): Remove call to mpi_abs.
	(dup_point_weierstrass, dup_point_twistededwards)
	(add_points_weierstrass, add_points_twistededwards)
	(_gcry_mpi_ec_curve_point): Use ec_pow2.

2013-09-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bufhelp: enable fast unaligned memory accesses on powerpc.
	* cipher/bufhelp.h [__powerpc__] (BUFHELP_FAST_UNALIGNED_ACCESS): Set
	macro enabled.
	[__powerpc64__] (BUFHELP_FAST_UNALIGNED_ACCESS): Ditto.

	Remove i386 inline assembly version of rotation functions.
	* cipher/bithelp.h (rol, ror): Remove i386 version, change
	macros to inline functions.
	* src/hmac256.c (ror): Ditto.

	Optimize and cleanup 32-bit and 64-bit endianness transforms.
	* cipher/bithelp.h (bswap32, bswap64, le_bswap32, be_bswap32)
	(le_bswap64, be_bswap64): New.
	* cipher/bufhelp.h (buf_get_be32, buf_get_le32, buf_put_le32)
	(buf_put_be32, buf_get_be64, buf_get_le64, buf_put_be64)
	(buf_put_le64): New.
	* cipher/blowfish.c (do_encrypt_block, do_decrypt_block): Use new
	endian conversion helpers.
	(do_bf_setkey): Turn endian specific code to generic.
	* cipher/camellia.c (GETU32, PUTU32): Use new endian conversion
	helpers.
	* cipher/cast5.c (rol): Remove, use rol from bithelp.
	(F1, F2, F3): Fix to use rol from bithelp.
	(do_encrypt_block, do_decrypt_block, do_cast_setkey): Use new endian
	conversion helpers.
	* cipher/des.c (READ_64BIT_DATA, WRITE_64BIT_DATA): Ditto.
	* cipher/md4.c (transform, md4_final): Ditto.
	* cipher/md5.c (transform, md5_final): Ditto.
	* cipher/rmd160.c (transform, rmd160_final): Ditto.
	* cipher/salsa20.c (LE_SWAP32, LE_READ_UINT32): Ditto.
	* cipher/scrypt.c (READ_UINT64, LE_READ_UINT64, LE_SWAP32): Ditto.
	* cipher/seed.c (GETU32, PUTU32): Ditto.
	* cipher/serpent.c (byte_swap_32): Remove.
	(serpent_key_prepare, serpent_encrypt_internal)
	(serpent_decrypt_internal): Use new endian conversion helpers.
	* cipher/sha1.c (transform, sha1_final): Ditto.
	* cipher/sha256.c (transform, sha256_final): Ditto.
	* cipher/sha512.c (__transform, sha512_final): Ditto.
	* cipher/stribog.c (transform, stribog_final): Ditto.
	* cipher/tiger.c (transform, tiger_final): Ditto.
	* cipher/twofish.c (INPACK, OUTUNPACK): Ditto.
	* cipher/whirlpool.c (buffer_to_block, block_to_buffer): Ditto.
	* configure.ac (gcry_cv_have_builtin_bswap32): Check for compiler
	provided __builtin_bswap32.
	(gcry_cv_have_builtin_bswap64): Check for compiler provided
	__builtin_bswap64.
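The helpers named in the entry above (bswap32/64, le_/be_bswap32/64, buf_get_*/buf_put_*) are the portable replacement for the per-cipher macros they displace. The following block is an added illustration of that design, not libgcrypt's bufhelp.h or bithelp.h: the names match the entry, but the bodies, the __has_builtin probe standing in for the configure checks, the run-time host-order test and the self-test vector are this editor's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Prefer the compiler builtins when the compiler can report them; this
   stands in for the gcry_cv_have_builtin_bswap32/64 configure checks. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_bswap32) && __has_builtin(__builtin_bswap64)
#  define HAVE_BUILTIN_BSWAP 1
# endif
#endif

static inline uint32_t bswap32(uint32_t x)
{
#ifdef HAVE_BUILTIN_BSWAP
  return __builtin_bswap32(x);
#else
  return ((x & 0x000000ffU) << 24) | ((x & 0x0000ff00U) << 8)
       | ((x & 0x00ff0000U) >> 8)  | ((x & 0xff000000U) >> 24);
#endif
}

static inline uint64_t bswap64(uint64_t x)
{
#ifdef HAVE_BUILTIN_BSWAP
  return __builtin_bswap64(x);
#else
  return ((uint64_t)bswap32((uint32_t)x) << 32) | bswap32((uint32_t)(x >> 32));
#endif
}

/* Host byte order decided at run time without any compiler-specific macro;
   optimizers fold this to a constant. */
static inline int host_is_little_endian(void)
{
  const uint16_t probe = 1;
  uint8_t first;
  memcpy(&first, &probe, 1);
  return first == 1;
}

/* le_bswap*: between host and little-endian order; be_bswap*: between host
   and big-endian order.  Each is its own inverse. */
static inline uint32_t le_bswap32(uint32_t x) { return host_is_little_endian() ? x : bswap32(x); }
static inline uint32_t be_bswap32(uint32_t x) { return host_is_little_endian() ? bswap32(x) : x; }
static inline uint64_t le_bswap64(uint64_t x) { return host_is_little_endian() ? x : bswap64(x); }
static inline uint64_t be_bswap64(uint64_t x) { return host_is_little_endian() ? bswap64(x) : x; }

/* Unaligned loads and stores.  memcpy is the portable way to read a word at
   an arbitrary byte address: it is never an alignment violation, and the
   compiler turns it into one (possibly unaligned) load on CPUs that allow
   that, which is what BUFHELP_FAST_UNALIGNED_ACCESS selects. */
static inline uint32_t buf_get_be32(const void *p) { uint32_t v; memcpy(&v, p, 4); return be_bswap32(v); }
static inline uint32_t buf_get_le32(const void *p) { uint32_t v; memcpy(&v, p, 4); return le_bswap32(v); }
static inline uint64_t buf_get_be64(const void *p) { uint64_t v; memcpy(&v, p, 8); return be_bswap64(v); }
static inline uint64_t buf_get_le64(const void *p) { uint64_t v; memcpy(&v, p, 8); return le_bswap64(v); }
static inline void buf_put_be32(void *p, uint32_t v) { v = be_bswap32(v); memcpy(p, &v, 4); }
static inline void buf_put_le32(void *p, uint32_t v) { v = le_bswap32(v); memcpy(p, &v, 4); }
static inline void buf_put_be64(void *p, uint64_t v) { v = be_bswap64(v); memcpy(p, &v, 8); }
static inline void buf_put_le64(void *p, uint64_t v) { v = le_bswap64(v); memcpy(p, &v, 8); }

/* What goes wrong without the helpers: a raw word read yields host order, so
   a digest that must interpret its input as big-endian words gives different
   output on little- and big-endian hosts (the Stribog and scrypt big-endian
   fixes elsewhere in this log are that bug).  This is the portable spelling
   of *(const uint32_t *)p, kept only to show the difference. */
static uint32_t load_word_host_order(const uint8_t *p)
{
  uint32_t v;
  memcpy(&v, p, 4);
  return v;
}

/* Self-test over a constructed 8-byte block; returns 1 if every check holds. */
int endian_selftest(void)
{
  static const uint8_t block[8] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
  uint8_t out[8];
  int ok = 1;

  ok &= bswap32(0x01020304U) == 0x04030201U;
  ok &= bswap64(0x0102030405060708ULL) == 0x0807060504030201ULL;
  ok &= buf_get_be32(block) == 0x01020304U;
  ok &= buf_get_le32(block) == 0x04030201U;
  ok &= buf_get_be64(block) == 0x0102030405060708ULL;
  ok &= buf_get_le64(block) == 0x0807060504030201ULL;
  /* exactly one of the two helpers agrees with the raw host-order read */
  ok &= load_word_host_order(block)
        == (host_is_little_endian() ? buf_get_le32(block) : buf_get_be32(block));
  /* round trips, including through an odd (unaligned) offset */
  buf_put_be64(out, 0x1122334455667788ULL);
  ok &= buf_get_be64(out) == 0x1122334455667788ULL;
  buf_put_le32(out + 1, 0xdeadbeefU);
  ok &= buf_get_le32(out + 1) == 0xdeadbeefU;
  ok &= out[1] == 0xef && out[4] == 0xde;
  return ok;
}
```

The self-test is the check worth keeping around any such helper set: it catches a swapped le/be pair on either host order, which is the class of bug that otherwise shows up only when someone first builds on a big-endian machine.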

	gostr3411_94: set better burn stack depth estimate.
	* cipher/gost28147.c (_gcry_gost_enc_one): Account function stack to
	burn stack depth.
	* cipher/gostr3411-94.c (max): New macro.
	(do_hash_step, transform): Return stack burn depth.

	Use hash transform function return type for passing burn stack depth.
	* cipher/gostr3411-94.c (transform): Return stack burn depth.
	* cipher/hash-common.c (_gcry_md_block_write): Use stack burn depth
	returned by 'hd->bwrite'.
	* cipher/hash-common.h (_gcry_md_block_write_t): Change return type to
	'unsigned int'.
	(gcry_md_block_ctx_t): Remove 'stack_burn'.
	* cipher/md4.c (transform): Return stack burn depth.
	(md4_final): Use stack burn depth from transform.
	* cipher/md5.c (transform): Return stack burn depth.
	(md5_final): Use stack burn depth from transform.
	* cipher/rmd160.c (transform): Return stack burn depth.
	(rmd160_final): Use stack burn depth from transform.
	* cipher/sha1.c (transform): Return stack burn depth.
	(sha1_final): Use stack burn depth from transform.
	* cipher/sha256.c (transform): Return stack burn depth.
	(sha256_final): Use stack burn depth from transform.
	* cipher/sha512.c (__transform, transform): Return stack burn depth.
	(sha512_final): Use stack burn depth from transform.
	* cipher/stribog.c (transform64): Return stack burn depth.
	* cipher/tiger.c (transform): Return stack burn depth.
	(tiger_final): Use stack burn depth from transform.

	Make STRIBOG use the new _gcry_md_block_write helper.
	* cipher/stribog.c (STRIBOG_STRUCT): Add 'bctx' and remove 'buf' and
	'count'.
	(stribog_init_512): Initialize 'bctx'.
	(transform64): New function.
	(stribog_write): Remove.
	(stribog_final): Use _gcry_md_block_write and bctx.
	(_gcry_digest_spec_stribog_256, _gcry_digest_spec_stribog_512): Use
	_gcry_md_block_write.

	Make SHA-512 use the new _gcry_md_block_write helper.
	* cipher/hash-common.c (_gcry_md_block_write): Check that hd->buf is
	large enough.
	* cipher/hash-common.h (MD_BLOCK_MAX_BLOCKSIZE, MD_NBLOCKS_TYPE): New
	macros.
	(gcry_md_block_ctx_t): Use above macros for 'nblocks' and 'buf'.
	* cipher/sha512.c (SHA512_STATE): New struct.
	(SHA512_CONTEXT): Add 'bctx' and 'state'.
	(sha512_init, sha384_init): Initialize 'bctx'.
	(__transform, _gcry_sha512_transform_armv7_neon): Use SHA512_STATE for
	'hd'.
	(transform): For now, do not return burn stack.
	(sha512_write): Remove.
	(sha512_final): Use _gcry_md_block_write and bctx.
	(_gcry_digest_spec_sha512, _gcry_digest_spec_sha384): Use
	_gcry_md_block_write.

2013-09-20  Werner Koch  <wk@gnupg.org>

	sexp: Change internal versions to always use gpg_err_code_t.
	* src/sexp.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_build)
	(gcry_sexp_build_array, gcry_sexp_canon_len): Change error return type
	from gpg_error_t to gpg_err_code_t.  Remove all calls to gpg_error.
	* src/visibility.c (gcry_sexp_new, gcry_sexp_create, gcry_sexp_sscan)
	(gcry_sexp_build, gcry_sexp_build_array, gcry_sexp_canon_len): Map
	error codes via gpg_error.
	* cipher/dsa.c, cipher/ecc.c, cipher/elgamal.c, cipher/rsa.c: Remove
	use gpg_err_code wrappers.

	pk: Move s-exp creation for gcry_pk_decrypt to the modules.
	* cipher/pubkey.c (sexp_to_enc): Remove RET_MODERN arg and merge it
	into FLAGS.
	(gcry_pk_decrypt): Move result s-exp building into the modules.
	* src/cipher-proto.h (gcry_pk_decrypt_t): Add some args.
	* cipher/ecc.c (ecc_decrypt_raw): Change to return an s-exp.
	* cipher/elgamal.c (elg_decrypt): Ditto.
	* cipher/rsa.c (rsa_decrypt): Ditto.
	(rsa_blind, rsa_unblind): Merge into rsa_decrypt.  This saves several
	extra MPI allocations.

	pk: Remove unused function.
	* cipher/pubkey.c (_gcry_pk_aliased_algo_name): Remove.

2013-09-19  Werner Koch  <wk@gnupg.org>

	Beautify debug output of the prime generator.
	* cipher/primegen.c: Adjust the log_mpidump calls to the recently
	changed log_mpidump code.

	pk: Move s-expr creation for genkey to the modules.
	* cipher/pubkey.c (pubkey_generate): Fold into gcry_pk_genkey
	(gcry_pk_genkey): Move result s-exp creation into the modules.
	* cipher/dsa.c (dsa_generate): Create result as s-exp.
	* cipher/elgamal.c (elg_generate): Ditto.
	* cipher/rsa.c (rsa_generate): Ditto.
	* cipher/ecc.c (ecc_generate): Ditto.
	* src/cipher-proto.h (pk_ext_generate_t): Remove type
	(gcry_pk_spec): and remove from struct.

	tests: Beautify some diagnostics.
	* tests/benchmark.c (ecc_bench): Print the key sexp in very verbose
	mode.
	(main): Add option --pk-count.
	* tests/keygen.c: Add Elgamal generation and improved diagnostics.
	* tests/t-ed25519.c (check_ed25519): Print running number of tests
	done.

	sexp: Improve printing data representing a negative number.
	* src/sexp.c (suitable_encoding): Detect a negative number.

	pk: Move RSA encoding functions to a new file.
	* cipher/rsa-common.c: New.
	* cipher/pubkey.c (pkcs1_encode_for_encryption): Move to rsa-common.c
	and rename to _gcry_rsa_pkcs1_encode_for_enc.
	(pkcs1_decode_for_encryption): Move to rsa-common.c and rename to
	_gcry_rsa_pkcs1_decode_for_enc.
	(pkcs1_encode_for_signature): Move to rsa-common.c and rename to
	_gcry_rsa_pkcs1_encode_for_sig.
	(oaep_encode): Move to rsa-common.c and rename to
	_gcry_rsa_oaep_encode.
	(oaep_decode): Move to rsa-common.c and rename to
	_gcry_rsa_oaep_decode.
	(pss_encode): Move to rsa-common.c and rename to _gcry_rsa_pss_encode.
	(pss_verify): Move to rsa-common.c and rename to _gcry_rsa_pss_decode.
	(octet_string_from_mpi, mgf1): Move to rsa-common.c.

	pk: Move s-expr creation for sign and encrypt to the modules.
	* cipher/pubkey.c (pubkey_encrypt): Fold into gcry_pk_encrypt.
	(pubkey_decrypt): Fold into gcry_pk_decrypt.
	(pubkey_sign): Fold into gcry_pk_sign.
	(pubkey_verify): Fold into gcry_pk_verify.
	(octet_string_from_mpi): Make it a wrapper and factor code out to ...
	* mpi/mpicoder.c (_gcry_mpi_to_octet_string): New function.

	* src/cipher.h (PUBKEY_FLAG_FIXEDLEN): New.
	* cipher/pubkey.c (sexp_data_to_mpi): Set flag for some encodings.
	(gcry_pk_encrypt): Simplify by moving the s-expr generation to the
	modules.
	(gcry_pk_sign): Ditto.
	* cipher/dsa.c (dsa_sign): Create s-expr.
	* cipher/elgamal.c (elg_encrypt, elg_sign): Ditto.
	* cipher/rsa.c (rsa_encrypt, rsa_sign): Ditto.
	* cipher/ecc.c (ecc_sign, ecc_encrypt_raw): Ditto.
	(ecdsa_names): Add "eddsa".
	* tests/t-ed25519.c (one_test): Expect "eddsa" token.

2013-09-19  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix Stribog digest on big-endian platforms.
	* cipher/stribog.c (stribog_final): Swap bytes in the result of digest
	calculations.

2013-09-18  Werner Koch  <wk@gnupg.org>

	pk: Simplify the public key dispatcher pubkey.c.
	* src/cipher-proto.h (gcry_pk_spec_t): Add fields ALGO and FLAGS.
	* cipher/dsa.c (_gcry_pubkey_spec_dsa): Set these fields.
	* cipher/ecc.c (_gcry_pubkey_spec_ecdsa): Ditto.
	(_gcry_pubkey_spec_ecdh): Ditto.
	* cipher/rsa.c (_gcry_pubkey_spec_rsa): Ditto.
	* cipher/elgamal.c (_gcry_pubkey_spec_elg): Ditto.
	(_gcry_pubkey_spec_elg_e): New.
	* cipher/pubkey.c: Change most code to replace the former module
	system by a simpler system to gain information about the algorithms.
	(disable_pubkey_algo): Simplified.  Not anymore thread-safe, though.

	pk: Merge extraspecs struct with standard specs struct.
	* src/gcrypt-module.h (gcry_pk_spec_t): Move this typedef and the
	corresponding function typedefs to ...
	* src/cipher-proto.h: here.
	(pk_extra_spec_t): Remove typedef and merge fields into
	gcry_pk_spec_t.
	* cipher/rsa.c, cipher/dsa.c, cipher/elg.c, cipher/ecc.c: Ditto.
	* cipher/pubkey.c: Change accordingly.
	* src/cipher.h (_gcry_pubkey_extraspec_rsa): Remove.
	(_gcry_pubkey_extraspec_dsa): Remove.
	(_gcry_pubkey_extraspec_elg): Remove.
	(_gcry_pubkey_extraspec_ecdsa): Remove.

2013-09-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix encryption/decryption return type for GOST28147.
	* cipher/gost.h (_gcry_gost_enc_one): Change return type to
	'unsigned int'.
	* cipher/gost28147.c (max): New macro.
	(gost_encrypt_block, gost_decrypt_block): Return burn stack depth.
	(_gcry_gost_enc_one): Return burn stack depth from gost_encrypt_block.

2013-09-18  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	doc: fix building of ps and pdf documentation.
	* doc/gcrypt.texi, doc/gpl.texi, doc/lgpl.texi: fix texinfo errors.

	Add GOST R 34.11-2012 implementation (Stribog)
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_12_256)
	(GCRY_MD_GOSTR3411_12_512): New.
	* cipher/stribog.c: New.
	* configure.ac (available_digests_64): Add stribog.
	* src/cipher.h: Add Stribog declarations.
	* cipher/md.c: Register Stribog digest.
	* tests/basic.c (check_digests): Add 4 test cases for Stribog from the
	standard.
	* doc/gcrypt.texi: Document new constants.

	Add basic implementation of GOST R 34.11-94 message digest.
	* src/gcrypt.h.in (GCRY_MD_GOSTR3411_94): New.
	* cipher/gostr3411-94.c: New.
	* configure.ac (available_digests): Add gostr3411-94.
	* src/cipher.h: Add gostr3411-94 definitions.
	* cipher/md.c: Register GOST R 34.11-94.
	* tests/basic.c (check_digests): Add 4 tests for the GOST R 34.11-94
	hash algo.  Two are defined in the standard itself; the two others are
	more or less common tests: an empty string and an exclamation mark.
	* doc/gcrypt.texi: Add an entry describing GOST R 34.11-94 to the MD
	algorithms table.

	Separate common md block code.
	* cipher/hash-common.c (_gcry_md_block_write): New function to handle
	block md operations.  The current implementation is limited to 64 byte
	buffer and u32 block counter.

	* cipher/md4.c, cipher/md5.c, cipher/rmd.h, cipher/rmd160.c,
	cipher/sha1.c, cipher/sha256.c, cipher/tiger.c: Convert to use
	_gcry_md_block_write.

	Add limited implementation of GOST 28147-89 cipher.
	* src/gcrypt.h.in (GCRY_CIPHER_GOST28147): New.
	* cipher/gost.h, cipher/gost28147.c: New.
	* configure.ac (available_ciphers): Add gost28147.
	* src/cipher.h: Add gost28147 definitions.
	* cipher/cipher.c: Register gost28147.
	* tests/basic.c (check_ciphers): Enable simple test for gost28147.
	* doc/gcrypt.texi: document GCRY_CIPHER_GOST28147.

2013-09-18  Werner Koch  <wk@gnupg.org>

	ecc: Add Ed25519 key generation and prepare for optimizations.
	* src/mpi.h (enum ecc_dialects): New.
	* src/ec-context.h (mpi_ec_ctx_s): Add field DIALECT.
	* cipher/ecc-common.h (elliptic_curve_t): Ditto.
	* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
	(domain_parms): Add dialect values.
	(_gcry_ecc_fill_in_curve): Set dialect.
	(_gcry_ecc_get_curve): Ditto.
	(_gcry_mpi_ec_new): Ditto.
	(_gcry_ecc_get_param): Use ECC_DIALECT_STANDARD for now.
	* cipher/ecc-misc.c (_gcry_ecc_curve_copy): Copy dialect.
	(_gcry_ecc_dialect2str): New.
	* mpi/ec.c (ec_p_init): Add arg DIALECT.
	(_gcry_mpi_ec_p_internal_new): Ditto.
	(_gcry_mpi_ec_p_new): Ditto.

	* mpi/mpiutil.c (gcry_mpi_set_opaque): Set the secure flag.
	(_gcry_mpi_set_opaque_copy): New.

	* cipher/ecc-misc.c (_gcry_ecc_os2ec): Take care of an opaque MPI.
	* cipher/ecc.c (eddsa_generate_key): New.
	(generate_key): Rename to nist_generate_key and factor some code out
	to ...
	(ecc_generate_ext): here.  Divert to eddsa_generate_key if desired.
	(eddsa_decodepoint): Take care of an opaque MPI.
	(ecc_check_secret_key): Ditto.
	(ecc_sign): Ditto.
	* cipher/pubkey.c (sexp_elements_extract_ecc): Store public and secret
	key as opaque MPIs.
	(gcry_pk_genkey): Add the curve_name also to the private key part of
	the result.

	* tests/benchmark.c (ecc_bench): Support Ed25519.
	(main): Add option --debug.
	* tests/curves.c (sample_key_2): Make sure that P and N are positive.
	* tests/keygen.c (show): New.
	(check_ecc_keys): Support Ed25519.

2013-09-17  Werner Koch  <wk@gnupg.org>

	mpi: Support printing of negative numbers.
	* mpi/mpicoder.c (twocompl, onecompl): New.
	(gcry_mpi_print): Use it for STD and SSH.
	(gcry_mpi_scan): Use it for STD and SSH.  Always set NSCANNED.
	(gcry_mpi_aprint): Clear the extra allocated byte.
	* tests/t-convert.c (showhex, showmpi): New.
	(mpi2bitstr_nlz): New.
	(check_formats): New.
	(main): Call new test.

2013-09-16  Werner Koch  <wk@gnupg.org>

	Fix bug in _gcry_mpi_tdiv_q_2exp.
	* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.

	ecc: Implement Curve Ed25519 signing and verification.
	* cipher/ecc-curves.c (domain_parms): Add curve "Ed25519".
	* cipher/ecc.c (reverse_buffer): New.
	(eddsa_encodempi): New.
	(eddsa_encodepoint): New.
	(eddsa_decodepoint): New.
	(sign_eddsa): Implement.
	(verify_eddsa): Implement.
	(ecc_sign): Init unused Q.  Pass public key to sign_eddsa.
	(ecc_verify): Init pk.Q if not used.  Pass public key verbatim to
	verify_eddsa.
	* cipher/pubkey.c (sexp_elements_extract): Add arg OPAQUE.  Change all
	callers to pass 0.
	(sexp_to_sig): Add arg OPAQUE and pass it to sexp_elements_extract.
	(sexp_data_to_mpi): Allow for a zero length "value".
	(gcry_pk_verify): Reorder parameter processing.  Pass OPAQUE flag as
	required.
	* mpi/ec.c (ec_invm): Print a warning if the inverse does not exist.
	(_gcry_mpi_ec_get_affine): Implement for our Twisted Edwards curve
	model.
	(dup_point_twistededwards): Implement.
	(add_points_twistededwards): Implement.
	(_gcry_mpi_ec_mul_point): Support Twisted Edwards.

	* mpi/mpicoder.c (do_get_buffer): Add arg FILL_LE.
	(_gcry_mpi_get_buffer): Ditto.  Change all callers.
	(_gcry_mpi_get_secure_buffer): Ditto.

	* src/sexp.c (_gcry_sexp_nth_opaque_mpi): New.

	* tests/t-ed25519.c: New.
	* tests/t-ed25519.inp: New.
	* tests/t-mpi-point.c (basic_ec_math_simplified): Print some output
	only in debug mode.
	(twistededwards_math): New test.
	(main): Call new test.

	mpi: Add internal convenience function.
	* mpi/mpiutil.c (_gcry_mpi_get_opaque_copy): New.

	mpi: Add debug function to print a point.
	* mpi/ec.c (_gcry_mpi_point_log): New.
	* src/mpi.h (log_printpnt): new macro.

	tests: Factor time measurement code out.
	* tests/benchmark.c (started_at, stopped_at, start_timer, stop_timer)
	(elapsed_time): Factor out to ...
	* tests/stopwatch.h: New file.

2013-09-12  Werner Koch  <wk@gnupg.org>

	Fix _gcry_log_printmpi to print 00 instead of a sole sign.
	* src/misc.c: Special case an mpi length of 0.

2013-09-11  Werner Koch  <wk@gnupg.org>

	Streamline the use of the internal mpi and hex debug functions.
	* mpi/mpicoder.c (gcry_mpi_dump): Remove.
	(_gcry_log_mpidump): Remove.
	* src/misc.c (_gcry_log_printhex): Factor all code out to ...
	(do_printhex): New.  Add line wrapping and compact printing.
	(_gcry_log_printmpi): New.
	* src/mpi.h (log_mpidump): Remove macro.
	* src/g10lib.h (log_mpidump): Add compatibility macro.
	(log_printmpi): New macro.
	* src/visibility.c (gcry_mpi_dump): Call _gcry_log_printmpi.
	* cipher/primegen.c (prime_generate_internal): Replace gcry_mpi_dump
	by log_printmpi.
	(gcry_prime_group_generator): Ditto.
	* cipher/pubkey.c: Remove extra colons from log_mpidump call.
	* cipher/rsa.c (stronger_key_check): Use log_printmpi.

2013-09-10  Werner Koch  <wk@gnupg.org>

	md: Add function gcry_md_hash_buffers.
	* src/gcrypt.h.in (gcry_buffer_t): new.
	(gcry_md_hash_buffers): New.
	* src/visibility.c, src/visibility.h: Add wrapper for new function.
	* src/libgcrypt.def, src/libgcrypt.vers: Export new function.
	* cipher/md.c (gcry_md_hash_buffers): New.
	* cipher/sha1.c (_gcry_sha1_hash_buffers): New.
	* tests/basic.c (check_one_md_multi): New.
	(check_digests): Run that test.
	* tests/hmac.c (check_hmac_multi): New.
	(main): Run that test.

	md: Fix Whirlpool flaw.
	* cipher/whirlpool.c (whirlpool_add): Remove shortcut return so that
	byte counter is always properly updated.

2013-09-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix static build on AMD64.
	* cipher/rijndael-amd64.S: Correct 'RIP' macro for non-PIC build.

	scrypt: fix for big-endian systems.
	* cipher/scrypt.c (_salsa20_core): Fix endianness issues.

2013-09-07  Werner Koch  <wk@gnupg.org>

	Use gcc "unused" attribute only with gcc >= 3.5.
	* src/g10lib.h (GCC_ATTR_UNUSED): Fix gcc version detection.

2013-09-07  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Add support for Salsa20/12 - 12 round version of Salsa20.
	* src/gcrypt.h.in (GCRY_CIPHER_SALSA20R12): New.
	* src/salsa20.c (salsa20_core, salsa20_do_encrypt_stream): Add support
	for reduced round versions.
	(salsa20r12_encrypt_stream, _gcry_cipher_spec_salsa20r12): Implement
	Salsa20/12, a 12 round version of Salsa20 selected by eSTREAM.
	* src/cipher.h: Declare Salsa20/12 definition.
	* cipher/cipher.c: Register Salsa20/12.
	* tests/basic.c (check_stream_cipher, check_stream_cipher_large_block):
	Populate Salsa20/12 tests with test vectors from ECRYPT.
	(check_ciphers): Add simple test for Salsa20/12.

2013-09-07  Werner Koch  <wk@gnupg.org>

	Add configure option --disable-amd64-as-feature-detection.
	* configure.ac: Implement new disable flag.

	mpi: Improve non-Weierstrass support.
	* mpi/ec.c (ec_p_init): Add args MODEL and P.  Change all callers.
	(_gcry_mpi_ec_p_internal_new): Ditto.
	(_gcry_mpi_ec_p_new): Ditto.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Return
	GPG_ERR_UNKNOWN_CURVE instead of invalid value.  Init curve model.
	* cipher/ecc.c (ecc_verify, ecc_encrypt_raw): Ditto.
	* cipher/pubkey.c (sexp_data_to_mpi): Fix EDDSA flag error checking.

	mpi: Add gcry_mpi_ec_curve_point.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): New.
	(ec_powm): Return the absolute value.
	* src/visibility.c, src/visibility.h: Add wrappers.
	* src/libgcrypt.def, src/libgcrypt.vers: Export them.

	mpi: Add functions to manipulate the sign.
	* src/gcrypt.h.in (gcry_mpi_is_neg): New.
	(gcry_mpi_neg, gcry_mpi_abs): New.
	* mpi/mpiutil.c (_gcry_mpi_is_neg): New.
	(_gcry_mpi_neg, _gcry_mpi_abs): New.
	* src/visibility.c, src/visibility.h: Add wrappers.
	* src/libgcrypt.def, src/libgcrypt.vers: Export them.
	* src/mpi.h (mpi_is_neg): New.  Rename old macro to mpi_has_sign.
	* mpi/mpi-mod.c (_gcry_mpi_mod_barrett): Use mpi_has_sign.
	* mpi/mpi-mpow.c (calc_barrett): Ditto.
	* cipher/primegen.c (_gcry_derive_x931_prime): Ditto.
	* cipher/rsa.c (secret): Ditto.

2013-09-06  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tune armv6 mpi assembly.
	* mpi/armv6/mpih-mul1.S: Tune assembly for Cortex-A8.
	* mpi/armv6/mpih-mul2.S: Ditto.
	* mpi/armv6/mpih-mul3.S: Ditto.

2013-09-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Change _gcry_burn_stack take burn depth as unsigned integer.
	* src/misc.c (_gcry_burn_stack): Change to handle 'unsigned int' bytes.

	mpicalc: fix building on linux and win32.
	* src/Makefile.am (mpicalc): Adjust CFLAGS and LDADD.

2013-09-04  Werner Koch  <wk@gnupg.org>

	Change mpicalc to use Libgcrypt and install it.
	* src/mpicalc.c: Make use of gcry_ functions.
	(MPICALC_VERSION): New.  Set to 2.0.
	(strusage): Remove.
	(scan_mpi): New.  Replaces mpi_fromstr.
	(print_mpi): New.  Replaces mpi_print.
	(my_getc): New.
	(print_help): New.
	(main): Use simple option parser and print version info.
	* src/Makefile.am (bin_PROGRAMS): Add mpicalc.
	(mpicalc_SOURCES, mpicalc_CFLAGS, mpicalc_LDADD): New.

	Add mpicalc.c to help with testing.
	* src/mpicalc.c: Take from GnuPG 1.4.

	Prepare support for EdDSA.
	* src/cipher.h (PUBKEY_FLAG_EDDSA): New.
	* cipher/pubkey.c (pubkey_verify): Replace args CMP and OPAQUEV by
	CTX.  Pass flags and hash algo to the verify function.  Change all
	verify functions to accept these args.
	(sexp_data_to_mpi): Implement new flag "eddsa".
	(gcry_pk_verify): Pass CTX instead of the compare function to
	pubkey_verify.
	* cipher/ecc.c (sign): Rename to sign_ecdsa.  Change all callers.
	(verify): Rename to verify_ecdsa.  Change all callers.
	(sign_eddsa, verify_eddsa): New stub functions.
	(ecc_sign): Divert to sign_ecdsa or sign_eddsa.
	(ecc_verify): Divert to verify_ecdsa or verify_eddsa.

	Prepare support for non-Weierstrass EC equations.
	* src/mpi.h (gcry_mpi_ec_models): New.
	* src/ec-context.h (mpi_ec_ctx_s): Add MODEL.
	* cipher/ecc-common.h (elliptic_curve_t): Ditto.
	* cipher/ecc-curves.c (ecc_domain_parms_t): Ditto.
	(domain_parms): Mark all as Weierstrass.
	(_gcry_ecc_fill_in_curve): Check model.
	(_gcry_ecc_get_curve): Set model to Weierstrass.
	* cipher/ecc-misc.c (_gcry_ecc_model2str): New.
	* cipher/ecc.c (generate_key, ecc_generate_ext): Print model in the
	debug output.

	* mpi/ec.c (_gcry_mpi_ec_dup_point): Switch depending on model.
	Factor code out to ...
	(dup_point_weierstrass): new.
	(dup_point_montgomery, dup_point_twistededwards): New stub functions.
	(_gcry_mpi_ec_add_points): Switch depending on model.  Factor code out
	to ...
	(add_points_weierstrass): new.
	(add_points_montgomery, add_points_twistededwards): New stub
	functions.

	* tests/Makefile.am (TESTS): Reorder tests.

	mpi: Suppress newer gcc warnings.
	* src/g10lib.h (GCC_ATTR_UNUSED): Define for gcc >= 3.5.
	* mpi/mpih-div.c (_gcry_mpih_mod_1, _gcry_mpih_divmod_1): Mark dummy
	as unused.
	* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.

	Do not check with cpp for typedefed constants.
	* src/gcrypt-int.h: Include error code replacements depending on the
	version of libgpg-error.

2013-09-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Make _gcry_burn_stack use variable length array.
	* configure.ac (HAVE_VLA): Add check.
	* src/misc.c (_gcry_burn_stack) [HAVE_VLA]: Add VLA code.

	Move stack burning from block ciphers to cipher modes.
	* src/gcrypt-module.h (gcry_cipher_encrypt_t)
	(gcry_cipher_decrypt_t): Return 'unsigned int'.
	* cipher/cipher.c (dummy_encrypt_block, dummy_decrypt_block): Return
	zero.
	(do_ecb_encrypt, do_ecb_decrypt): Get largest stack burn depth from
	block cipher crypt function and burn stack at end.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Ditto.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Ditto.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt)
	(_gcry_cipher_cfb_decrypt): Ditto.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Ditto.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Ditto.
	* cipher/blowfish.c (encrypt_block, decrypt_block): Return burn stack
	depth.
	* cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Ditto.
	* cipher/cast5.c (encrypt_block, decrypt_block): Ditto.
	* cipher/des.c (do_tripledes_encrypt, do_tripledes_decrypt)
	(do_des_encrypt, do_des_decrypt): Ditto.
	* cipher/idea.c (idea_encrypt, idea_decrypt): Ditto.
	* cipher/rijndael.c (rijndael_encrypt, rijndael_decrypt): Ditto.
	* cipher/seed.c (seed_encrypt, seed_decrypt): Ditto.
	* cipher/serpent.c (serpent_encrypt, serpent_decrypt): Ditto.
	* cipher/twofish.c (twofish_encrypt, twofish_decrypt): Ditto.
	* cipher/rfc2268.c (encrypt_block, decrypt_block): New.
	(_gcry_cipher_spec_rfc2268_40): Use encrypt_block and decrypt_block.
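The entry above, like the 2013-09-21 entries that make the hash transform functions return their burn depth, changes who wipes the stack: the primitive reports how much stack it dirtied, and the caller (a cipher mode loop, or _gcry_md_block_write for digests) keeps the maximum and burns once after the loop instead of every primitive burning on every call. The block below is an added illustration of that convention and is not libgcrypt code: the 8-byte "cipher" is a hypothetical invertible stand-in chosen only so the round trip can be checked, the burn depth formula imitates the style of libgcrypt's estimates rather than any real one, and the VLA burn_stack mirrors only the idea of the HAVE_VLA path.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCKSIZE 8

typedef struct { uint8_t key[BLOCKSIZE]; } ctx_t;

/* Same shape as gcry_cipher_encrypt_t after the change: the primitive
   returns its stack burn depth instead of wiping the stack itself. */
typedef unsigned int (*block_fn_t)(const ctx_t *c, uint8_t *out, const uint8_t *in);

/* Wipe BYTES of stack below the caller's frame.  Sizing a VLA by the request
   needs no recursion; the volatile qualifier keeps the compiler from dropping
   the stores as dead.  A zero-length VLA is undefined, hence the guard. */
static void burn_stack(unsigned int bytes)
{
  unsigned int n = bytes ? bytes : 1, i;
  volatile unsigned char buf[n];

  for (i = 0; i < n; i++)
    buf[i] = 0;
}

/* Stand-in block transform (byte-wise XOR and rotate; invertible but not a
   cipher).  It leaves key-derived bytes in TMP, which is why the caller must
   burn at least that much; the estimate is the local buffer plus a margin
   for saved registers and return address. */
static unsigned int encrypt_block(const ctx_t *c, uint8_t *out, const uint8_t *in)
{
  uint8_t tmp[BLOCKSIZE];
  size_t i;

  for (i = 0; i < BLOCKSIZE; i++)
    {
      uint8_t x = in[i] ^ c->key[i];
      tmp[i] = (uint8_t)(((x << 3) | (x >> 5)) & 0xff) ^ c->key[BLOCKSIZE - 1 - i];
    }
  memcpy(out, tmp, BLOCKSIZE);          /* TMP makes in == out safe */
  return (unsigned int)(sizeof tmp + 3 * sizeof (void *));
}

static unsigned int decrypt_block(const ctx_t *c, uint8_t *out, const uint8_t *in)
{
  uint8_t tmp[BLOCKSIZE];
  size_t i;

  for (i = 0; i < BLOCKSIZE; i++)
    {
      uint8_t x = in[i] ^ c->key[BLOCKSIZE - 1 - i];
      tmp[i] = (uint8_t)(((x >> 3) | (x << 5)) & 0xff) ^ c->key[i];
    }
  memcpy(out, tmp, BLOCKSIZE);
  return (unsigned int)(sizeof tmp + 3 * sizeof (void *));
}

/* ECB over NBLOCKS whole blocks with FN.  The loop keeps the largest depth
   any block call reported and burns once after the loop, adding a margin for
   its own frame.  Returns the depth the primitive reported, zero when no
   block was processed (nothing to burn). */
static unsigned int ecb_crypt(block_fn_t fn, const ctx_t *c, uint8_t *out,
                              const uint8_t *in, size_t nblocks)
{
  unsigned int burn = 0, nburn;
  size_t i;

  for (i = 0; i < nblocks; i++)
    {
      nburn = fn(c, out + i * BLOCKSIZE, in + i * BLOCKSIZE);
      burn = nburn > burn ? nburn : burn;
    }
  if (burn > 0)
    burn_stack(burn + 4 * sizeof (void *));
  return burn;
}

/* Constructed key and plaintext; returns 1 if the round trip holds and both
   directions report the same burn depth. */
int burn_selftest(void)
{
  static const ctx_t c = { { 0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0 } };
  static const uint8_t pt[2 * BLOCKSIZE] =
    { 'a', 't', 't', 'a', 'c', 'k', ' ', 'a', 't', ' ', 'd', 'a', 'w', 'n', '!', '!' };
  uint8_t ct[2 * BLOCKSIZE], back[2 * BLOCKSIZE];
  unsigned int b_enc = ecb_crypt(encrypt_block, &c, ct, pt, 2);
  unsigned int b_dec = ecb_crypt(decrypt_block, &c, back, ct, 2);

  return b_enc == b_dec
      && b_enc == BLOCKSIZE + 3 * sizeof (void *)
      && memcmp(back, pt, sizeof pt) == 0
      && memcmp(ct, pt, sizeof pt) != 0
      && ecb_crypt(encrypt_block, &c, ct, pt, 0) == 0;
}
```

The security point of the convention is the one the entry records for rfc2268: every primitive must return a depth, even a trivial one returning zero, because a mode loop that calls a primitive returning garbage (or nothing) either burns nothing or burns an unbounded amount.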

2013-09-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia-aesni-avx2-amd64: Move register clearing to assembly functions.
	* cipher/camellia-aesni-avx2-amd64.S
	(_gcry_camellia_aesni_avx2_ctr_enc): Add 'vzeroall'.
	(_gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): Add 'vzeroupper' at head and
	'vzeroall' at tail.
	* cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX2]: Remove register
	clearing.

	camellia-aesni-avx-amd64: Move register clearing to assembly functions.
	* cipher/camellia-aesni-avx-amd64.S (_gcry_camellia_aesni_avx_ctr_enc)
	(_gcry_camellia_aesni_avx_cbc_dec)
	(_gcry_camellia_aesni_avx_cfb_dec): Add 'vzeroupper' at head and
	'vzeroall' at tail.
	* cipher/camellia-glue.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AESNI_AVX]: Remove register clearing.

	serpent-avx2-amd64: Move register clearing to assembly.
	* cipher/serpent-avx2-amd64.S (_gcry_serpent_avx2_ctr_enc)
	(_gcry_serpent_avx2_cbc_dec, _gcry_serpent_avx2_cfb_dec): Change last
	'vzeroupper' to 'vzeroall'.
	* cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec) [USE_AVX2]: Remove register clearing with
	'vzeroall'.

	Fix building for x32 target.
	* mpi/amd64/mpi-asm-defs.h: New file.
	* random/rndhw.c (poll_padlock) [__x86_64__]: Also check if __LP64__ is
	defined.
	[USE_DRNG, __x86_64__]: Also check if __LP64__ is defined.

2013-08-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	sha512: add ARM/NEON assembly version of transform function.
	* cipher/Makefile.am: Add 'sha512-armv7-neon.S'.
	* cipher/sha512-armv7-neon.S: New file.
	* cipher/sha512.c (USE_ARM_NEON_ASM): New macro.
	(SHA512_CONTEXT) [USE_ARM_NEON_ASM]: Add 'use_neon'.
	(sha512_init, sha384_init) [USE_ARM_NEON_ASM]: Enable 'use_neon' if the
	CPU supports NEON instructions.
	(k): Round constant array moved outside of 'transform' function.
	(__transform): Renamed from 'transform'.
	[USE_ARM_NEON_ASM] (_gcry_sha512_transform_armv7_neon): New prototype.
	(transform): New wrapper function for different transform versions.
	(sha512_write, sha512_final): Burn stack by the amount returned by
	transform function.
	* configure.ac (sha512) [neonsupport]: Add 'sha512-armv7-neon.lo'.

	sha512: reduce stack use in transform function by 512 bytes.
	* cipher/sha512.c (transform): Change 'u64 w[80]' to 'u64 w[16]' and
	inline input expansion to first 64 rounds.
	(sha512_write, sha512_final): Reduce burn_stack depth by 512 bytes.

	Add ARM HW feature detection module and add NEON detection.
	* configure.ac: Add option --disable-neon-support.
	(HAVE_GCC_INLINE_ASM_NEON): New.
	(ENABLE_NEON_SUPPORT): New.
	[arm]: Add 'hwf-arm.lo' as HW feature module.
	* src/Makefile.am: Add 'hwf-arm.c'.
	* src/g10lib.h (HWF_ARM_NEON): New macro.
	* src/global.c (hwflist): Add HWF_ARM_NEON entry.
	* src/hwf-arm.c: New file.
	* src/hwf-common.h (_gcry_hwf_detect_arm): New prototype.
	* src/hwfeatures.c (_gcry_detect_hw_features) [HAVE_CPU_ARCH_ARM]: Add
	call to _gcry_hwf_detect_arm.

	Correct mpi_cpu_arch for ARMv6.
	* mpi/config.links [armv6]: Set mpi_cpu_arch to "arm", instead of
	"armv6".

2013-08-30  Werner Koch  <wk@gnupg.org>

	mpi: Make gcry_mpi_print work with negative zeroes.
	* mpi/mpicoder.c (gcry_mpi_print): Take care of negative zero.
	(gcry_mpi_aprint): Allocate at least 1 byte.
	* tests/t-convert.c: New.
	* tests/Makefile.am (TESTS): Add t-convert.
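The entry above and the 2013-09-17 entry "mpi: Support printing of negative numbers" (twocompl, onecompl) together define how gcry_mpi_print and gcry_mpi_scan treat GCRYMPI_FMT_STD: two's complement, big endian, shortest form, with a zero (negative or not) printing as the empty string. The block below is an added worked version of those rules written from the format's definition, not libgcrypt's mpicoder.c: it takes a sign plus big-endian magnitude rather than a gcry_mpi_t, and the function names and test vectors are this editor's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* In-place two's complement of an N-byte big-endian buffer: invert every
   byte, then add one from the least significant (last) byte upward and stop
   as soon as the carry is absorbed.  Applying it twice is the identity, so
   the same routine serves both printing and scanning. */
static void twocompl(uint8_t *p, size_t n)
{
  size_t i;
  for (i = 0; i < n; i++)
    p[i] = (uint8_t)~p[i];
  for (i = n; i-- > 0; )
    if (++p[i] != 0)
      break;
}

/* Print (NEGATIVE, MAG[0..MAGLEN)) as GCRYMPI_FMT_STD: two's complement,
   big endian, shortest form (the body of an ASN.1 INTEGER).  Returns the
   number of bytes written to OUT, or (size_t)-1 if OUTLEN is too small.
   Zero, including a "negative zero", prints as the empty string. */
size_t mpi_print_std(int negative, const uint8_t *mag, size_t maglen,
                     uint8_t *out, size_t outlen)
{
  int need_sign_byte;

  while (maglen && mag[0] == 0)        /* shortest form: drop leading zeros */
    mag++, maglen--;
  if (!maglen)
    return 0;
  if (maglen > outlen)
    return (size_t)-1;

  memcpy(out, mag, maglen);
  if (negative)
    {
      twocompl(out, maglen);
      need_sign_byte = !(out[0] & 0x80);   /* a negative needs its top bit set */
    }
  else
    need_sign_byte = (out[0] & 0x80) != 0; /* a positive needs it clear */

  if (!need_sign_byte)
    return maglen;
  if (maglen + 1 > outlen)
    return (size_t)-1;
  memmove(out + 1, out, maglen);
  out[0] = negative ? 0xff : 0x00;       /* sign extension byte */
  return maglen + 1;
}

/* Scan GCRYMPI_FMT_STD back into a sign and a shortest-form big-endian
   magnitude.  MAG must have room for INLEN bytes.  Returns the magnitude
   length; the empty string is zero. */
size_t mpi_scan_std(const uint8_t *in, size_t inlen, int *negative, uint8_t *mag)
{
  size_t off = 0;

  *negative = inlen > 0 && (in[0] & 0x80) != 0;
  memcpy(mag, in, inlen);
  if (*negative)
    twocompl(mag, inlen);
  while (off < inlen && mag[off] == 0)
    off++;
  memmove(mag, mag + off, inlen - off);
  return inlen - off;
}

/* Constructed vectors for the sign-byte edge cases; returns 1 if every value
   prints as expected and scans back to the same sign and magnitude. */
int std_selftest(void)
{
  static const struct { int neg; uint8_t mag[2]; size_t maglen; uint8_t exp[2]; size_t explen; } v[] = {
    { 0, { 0x7f },       1, { 0x7f },       1 },  /* 127 */
    { 0, { 0x80 },       1, { 0x00, 0x80 }, 2 },  /* 128: top bit set, needs 00 */
    { 0, { 0x00, 0x01 }, 2, { 0x01 },       1 },  /* leading zero dropped */
    { 1, { 0x01 },       1, { 0xff },       1 },  /* -1 */
    { 1, { 0x80 },       1, { 0x80 },       1 },  /* -128 fits in one byte */
    { 1, { 0x81 },       1, { 0xff, 0x7f }, 2 },  /* -129 needs ff extension */
    { 1, { 0x01, 0x00 }, 2, { 0xff, 0x00 }, 2 },  /* -256 */
    { 1, { 0x00 },       1, { 0x00 },       0 },  /* negative zero -> empty */
  };
  size_t i;

  for (i = 0; i < sizeof v / sizeof v[0]; i++)
    {
      uint8_t out[4], mag[4];
      const uint8_t *m = v[i].mag;
      size_t ml = v[i].maglen, n;
      int neg;

      n = mpi_print_std(v[i].neg, v[i].mag, v[i].maglen, out, sizeof out);
      if (n != v[i].explen || memcmp(out, v[i].exp, n) != 0)
        return 0;
      while (ml && m[0] == 0)          /* expected magnitude, shortest form */
        m++, ml--;
      n = mpi_scan_std(out, n, &neg, mag);
      if (n != ml || memcmp(mag, m, n) != 0 || (n && neg != v[i].neg))
        return 0;
    }
  return 1;
}
```

The -128 and -129 vectors are the ones worth keeping in any such test: the first shows that a magnitude with its top bit set may still need no extension byte once complemented, the second that the extension byte is 0xff, not 0x00, on the negative side.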

	Refactor the ECC code into 3 files.
	* cipher/ecc-common.h, cipher/ecc-curves.c, cipher/ecc-misc.c: New.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add new files.
	* configure.ac (GCRYPT_PUBKEY_CIPHERS): Add new .c files.
	* cipher/ecc.c (curve_aliases, ecc_domain_parms_t, domain_parms)
	(scanval): Move to ecc-curves.c.
	(fill_in_curve): Move to ecc-curves.c as _gcry_ecc_fill_in_curve.
	(ecc_get_curve): Move to ecc-curves.c as _gcry_ecc_get_curve.
	(_gcry_mpi_ec_ec2os): Move to ecc-misc.c.
	(ec2os): Move to ecc-misc.c as _gcry_ecc_ec2os.
	(os2ec): Move to ecc-misc.c as _gcry_ecc_os2ec.
	(point_set): Move as inline function to ecc-common.h.
	(_gcry_ecc_curve_free): Move to ecc-misc.c as _gcry_ecc_curve_free.
	(_gcry_ecc_curve_copy): Move to ecc-misc.c as _gcry_ecc_curve_copy.
	(mpi_from_keyparam, point_from_keyparam): Move to ecc-curves.c.
	(_gcry_mpi_ec_new): Move to ecc-curves.c.
	(ecc_get_param): Move to ecc-curves.c as _gcry_ecc_get_param.
	(ecc_get_param_sexp): Move to ecc-curves.c as _gcry_ecc_get_param_sexp.

2013-08-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent-sse2-amd64: Move register clearing to assembly functions.
	* cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_ctr_enc)
	(_gcry_serpent_sse2_cbc_dec, _gcry_serpent_sse2_cfb_dec): Clear used
	XMM registers.
	* cipher/serpent.c (_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec)
	(_gcry_serpent_cfb_dec) [USE_SSE2]: Remove XMM register clearing from
	bulk functions.

	twofish-amd64: do not make __twofish_dec_blk3 global.
	* cipher/twofish-amd64.S (__twofish_dec_blk3): Do not export symbol as
	global.
	(__twofish_dec_blk3): Mark symbol as function.

2013-08-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: add ARMv6 assembly.
	* mpi/armv6/mpi-asm-defs.h: New.
	* mpi/armv6/mpih-add1.S: New.
	* mpi/armv6/mpih-mul1.S: New.
	* mpi/armv6/mpih-mul2.S: New.
	* mpi/armv6/mpih-mul3.S: New.
	* mpi/armv6/mpih-sub1.S: New.
	* mpi/config.links [arm]: Enable ARMv6 assembly.

	Move ARMv6 detection to configure.ac.
	* cipher/blowfish-armv6.S: Replace __ARM_ARCH >= 6 checks with
	HAVE_ARM_ARCH_V6.
	* cipher/blowfish.c: Ditto.
	* cipher/camellia-armv6.S: Ditto.
	* cipher/camellia.h: Ditto.
	* cipher/cast5-armv6.S: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/rijndael-armv6.S: Ditto.
	* cipher/rijndael.c: Ditto.
	* configure.ac: Add HAVE_ARM_ARCH_V6 check.

2013-08-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add optimized wipememory for ARM.
	* src/g10lib.h [__arm__] (fast_wipememory2_unaligned_head)
	(fast_wipememory2): New macros.

	cipher: bufhelp: allow unaligned memory accesses on ARM.
	* cipher/bufhelp.h [__arm__ && __ARM_FEATURE_UNALIGNED]: Enable
	BUFHELP_FAST_UNALIGNED_ACCESS.

2013-08-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Remove burn_stack optimization.
	* src/misc.c (_gcry_burn_stack): Remove SIZEOF_UNSIGNED_LONG == 4 or 8
	optimization.

2013-08-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	camellia: add ARMv6 assembly implementation.
	* cipher/Makefile.am: Add 'camellia-armv6.S'.
	* cipher/camellia-armv6.S: New file.
	* cipher/camellia-glue.c [USE_ARMV6_ASM]
	(_gcry_camellia_armv6_encrypt_block)
	(_gcry_camellia_armv6_decrypt_block): New prototypes.
	[USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock)
	(camellia_encrypt, camellia_decrypt): New functions.
	* cipher/camellia.c [!USE_ARMV6_ASM]: Compile encryption and decryption
	routines if USE_ARMV6_ASM macro is _not_ defined.
	* cipher/camellia.h (USE_ARMV6_ASM): New macro.
	[!USE_ARMV6_ASM] (Camellia_EncryptBlock, Camellia_DecryptBlock): If
	USE_ARMV6_ASM is defined, disable these function prototypes.
	* configure.ac (camellia) [arm]: Add 'camellia-armv6.lo'.

	blowfish: add ARMv6 assembly implementation.
	* cipher/Makefile.am: Add 'blowfish-armv6.S'.
	* cipher/blowfish-armv6.S: New file.
	* cipher/blowfish.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_blowfish_armv6_do_encrypt)
	(_gcry_blowfish_armv6_encrypt_block)
	(_gcry_blowfish_armv6_decrypt_block, _gcry_blowfish_armv6_ctr_enc)
	(_gcry_blowfish_armv6_cbc_dec, _gcry_blowfish_armv6_cfb_dec): New
	prototypes.
	[USE_ARMV6_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block)
	(encrypt_block, decrypt_block): New functions.
	(_gcry_blowfish_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_blowfish_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_blowfish_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	* configure.ac (blowfish) [arm]: Add 'blowfish-armv6.lo'.

	cast5: add ARMv6 assembly implementation.
	* cipher/Makefile.am: Add 'cast5-armv6.S'.
	* cipher/cast5-armv6.S: New file.
	* cipher/cast5.c (USE_ARMV6_ASM): New macro.
	(CAST5_context) [USE_ARMV6_ASM]: New members 'Kr_arm_enc' and
	'Kr_arm_dec'.
	[USE_ARMV6_ASM] (_gcry_cast5_armv6_encrypt_block)
	(_gcry_cast5_armv6_decrypt_block, _gcry_cast5_armv6_ctr_enc)
	(_gcry_cast5_armv6_cbc_dec, _gcry_cast5_armv6_cfb_dec): New prototypes.
	[USE_ARMV6_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block)
	(decrypt_block): New functions.
	(_gcry_cast5_ctr_enc) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_cast5_cbc_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(_gcry_cast5_cfb_dec) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_cast_setkey) [USE_ARMV6_ASM]: Initialize 'Kr_arm_enc' and
	'Kr_arm_dec'.
	* configure.ac (cast5) [arm]: Add 'cast5-armv6.lo'.

2013-08-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: add ARMv6 assembly implementation.
	* cipher/Makefile.am: Add 'rijndael-armv6.S'.
	* cipher/rijndael-armv6.S: New file.
	* cipher/rijndael.c (USE_ARMV6_ASM): New macro.
	[USE_ARMV6_ASM] (_gcry_aes_armv6_encrypt_block)
	(_gcry_aes_armv6_decrypt_block): New prototypes.
	(do_encrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_encrypt): Disable input/output alignment when USE_ARMV6_ASM.
	(do_decrypt_aligned) [USE_ARMV6_ASM]: Use ARMv6 assembly function.
	(do_decrypt): Disable input/output alignment when USE_ARMV6_ASM.
	* configure.ac (HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS): New check for
	gcc/as compatibility with ARM assembly implementations.
	(aes) [arm]: Add 'rijndael-armv6.lo'.

2013-08-09  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: fix memory leak.
	* cipher/pubkey.c (gcry_pk_sign): Handle the specific case of ECC,
	where there is NULL which is not the sentinel.

2013-08-08  Werner Koch  <wk@gnupg.org>

	mpi: Clear immutable flag on the result of gcry_mpi_set.
	* mpi/mpiutil.c (gcry_mpi_set): Reset immutable and const flags.
	* tests/mpitests.c (test_const_and_immutable): Add a test for this.

2013-08-07  NIIBE Yutaka  <gniibe@fsij.org>

	tests: fix memory leaks.
	* tests/benchmark.c (dsa_bench): Release SIG.

	* tests/mpitests.c (test_powm): Release BASE, EXP, MOD, and RES.

	* tests/prime.c (check_primes): Release PRIME.

	* tests/tsexp.c (basic): Use intermediate variable M for constant.
	Release S1, S2 and A.

2013-08-07  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building on W32 (cannot export symbol 'gcry_sexp_get_buffer').
	* src/libgcrypt.def: Change 'gcry_sexp_get_buffer' to
	'gcry_sexp_nth_buffer'.

2013-08-06  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: fix another memory leak.
	* cipher/ecc.c (ecc_get_curve): Free TMP.

	tests: fix memory leaks.
	* tests/pubkey.c (check_keys_crypt): Release L, X0, and X1.
	(check_keys): Release X.

	cipher: fix memory leaks.
	* cipher/elgamal.c (elg_generate_ext): Free XVALUE.

	* cipher/pubkey.c (sexp_elements_extract): Don't use IDX for loop.
	Call mpi_free.
	(sexp_elements_extract_ecc): Call mpi_free.

2013-08-05  Werner Koch  <wk@gnupg.org>

	mpi: Improve gcry_mpi_invm to detect bad input.
	* mpi/mpi-inv.c (gcry_mpi_invm): Return 0 for bad input.

2013-07-31  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Correct checks for ecc secret key.
	* cipher/ecc.c (check_secret_key): Replace wrong comparison of Q and
	sk->Q points with correct one.

2013-07-29  Werner Koch  <wk@gnupg.org>

	sexp: Allow white space anywhere in a hex format.
	* src/sexp.c (hextobyte): Remove.
	(hextonibble): New.
	(vsexp_sscan): Skip whitespace between hex nibbles.

	Implement deterministic ECDSA as specified by rfc-6979.
	* cipher/ecc.c (sign): Add args FLAGS and HASHALGO.  Convert an opaque
	MPI as INPUT.  Implement rfc-6979.
	(ecc_sign): Remove the opaque MPI code and pass FLAGS to sign.
	(verify): Do not allocate and compute Y; it is not used.
	(ecc_verify): Truncate the hash value if needed.
	* tests/dsa-rfc6979.c (check_dsa_rfc6979): Add ECDSA test cases.

2013-07-26  Werner Koch  <wk@gnupg.org>

	Implement deterministic DSA as specified by rfc-6979.
	* cipher/dsa.c (dsa_sign): Move opaque mpi extraction to sign.
	(sign): Add args FLAGS and HASHALGO.  Implement deterministic DSA.
	Add code path for R==0 to comply with the standard.
	(dsa_verify): Left fill opaque mpi based hash values.
	* cipher/dsa-common.c (int2octets, bits2octets): New.
	(_gcry_dsa_gen_rfc6979_k): New.
	* tests/dsa-rfc6979.c: New.
	* tests/Makefile.am (TESTS): Add dsa-rfc6979.

	Allow the use of a private-key s-expression with gcry_pk_verify.
	* cipher/pubkey.c (sexp_to_key): Fallback to private key.

2013-07-25  Werner Koch  <wk@gnupg.org>

	Mitigate a flush+reload cache attack on RSA secret exponents.
	* mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
	exponents in secure memory.

2013-07-19  Werner Koch  <wk@gnupg.org>

	pk: Allow the use of a hash element for DSA sign and verify.
	* cipher/pubkey.c (pubkey_sign): Add arg ctx and pass it to the sign
	module.
	(gcry_pk_sign): Pass CTX to pubkey_sign.
	(sexp_data_to_mpi): Add flag rfc6979 and code to allow hash with *DSA.
	* cipher/rsa.c (rsa_sign, rsa_verify): Return an error if an opaque
	MPI is given for DATA/HASH.
	* cipher/elgamal.c (elg_sign, elg_verify): Ditto.
	* cipher/dsa.c (dsa_sign, dsa_verify): Convert a given opaque MPI.
	* cipher/ecc.c (ecc_sign, ecc_verify): Ditto.
	* tests/basic.c (check_pubkey_sign_ecdsa): Add a test for using a hash
	element with DSA.

	sexp: Add function gcry_sexp_nth_buffer.
	* src/sexp.c (gcry_sexp_nth_buffer): New.
	* src/visibility.c, src/visibility.h: Add function wrapper.
	* src/libgcrypt.vers, src/libgcrypt.def: Add to API.
	* src/gcrypt.h.in: Add prototype.

2013-07-18  Werner Koch  <wk@gnupg.org>

	Add support for Salsa20.
	* src/gcrypt.h.in (GCRY_CIPHER_SALSA20): New.
	* cipher/salsa20.c: New.
	* configure.ac (available_ciphers): Add Salsa20.
	* cipher/cipher.c: Register Salsa20.
	(cipher_setiv): Allow to divert an IV to a cipher module.
	* src/cipher-proto.h (cipher_setiv_func_t): New.
	(cipher_extra_spec): Add field setiv.
	* src/cipher.h: Declare Salsa20 definitions.
	* tests/basic.c (check_stream_cipher): New.
	(check_stream_cipher_large_block): New.
	(check_cipher_modes): Run new test functions.
	(check_ciphers): Add simple test for Salsa20.

2013-07-17  Werner Koch  <wk@gnupg.org>

	Allow gcry_mpi_dump to print opaque MPIs.
	* mpi/mpicoder.c (gcry_mpi_dump): Detect and print opaque MPIs.
	* tests/mpitests.c (test_opaque): New.
	(main): Call new test.

	cipher: Prepare to pass extra info to the sign functions.
	* src/gcrypt-module.h (gcry_pk_sign_t): Add parms flags and hashalgo.
	* cipher/rsa.c (rsa_sign): Add parms and mark them as unused.
	* cipher/dsa.c (dsa_sign): Ditto.
	* cipher/elgamal.c (elg_sign): Ditto.
	* cipher/pubkey.c (dummy_sign): Ditto.
	(pubkey_sign): Pass 0 for the new args.

	Fix a special case bug in mpi_powm for e==0.
	* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
	the result has been allocated.

2013-07-15  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Fix memory leak in t-mpi-point test.
	* tests/t-mpi-point.c (basic_ec_math, basic_ec_math_simplified): Add
	calls to gcry_ctx_release() to free contexts after they become unused.

2013-07-10  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix 'Please include winsock2.h before windows.h' warnings with mingw32.
	* random/rndw32.c: Include winsock2.h before windows.h.
	* src/ath.h [_WIN32]: Ditto.
	* tests/benchmark.c [_WIN32]: Ditto.

	Remove duplicate header from mpi/amd64/mpih-mul2.S.
	* mpi/amd64/mpih-mul2.S: Remove duplicated header.

	Fix i386/amd64 inline assembly "cc" clobbers.
	* cipher/bithelp.h [__GNUC__, __i386__] (rol, ror): Add "cc" clobber
	for inline assembly.
	* cipher/cast5.c [__GNUC__, __i386__] (rol): Ditto.
	* random/rndhw.c [USE_DRNG] (rdrand_long): Ditto.
	* src/hmac256.c [__GNUC__, __i386__] (ror): Ditto.
	* mpi/longlong.c [__i386__] (add_ssaaaa, sub_ddmmss, umul_ppmm)
	(udiv_qrnnd, count_leading_zeros, count_trailing_zeros): Ditto.

	bufhelp: Suppress 'cast increases required alignment' warning.
	* cipher/bufhelp.h (buf_xor, buf_xor_2dst, buf_xor_n_copy): Cast
	to larger element pointer through (void *) to suppress -Wcast-error.

	mpi: Add __ARM_ARCH for older GCC.
	* mpi/longlong.h [__arm__]: Construct __ARM_ARCH if not provided by
	compiler.

	mpi: add missing "cc" clobber for ARM assembly.
	* mpi/longlong.h [__arm__] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.
	[__arm__][__ARM_ARCH <= 3] (umul_ppmm): Ditto.

	Tweak ARM inline assembly for mpi.
	* mpi/longlong.h [__arm__]: Enable inline assembly if __thumb2__ is
	defined.
	[__arm__]: Use __ARCH_ARM when defined.
	[__arm__] [__ARM_ARCH >= 5] (count_leading_zeros): New.

2013-06-26  Werner Koch  <wk@gnupg.org>

	Make gpg-error replacement defines more robust.
	* configure.ac (AH_BOTTOM): Move GPG_ERR_ replacement defines to ...
	* src/gcrypt-int.h: New file.
	* src/visibility.h, src/cipher.h: Replace gcrypt.h by gcrypt-int.h.
	* tests/: Ditto for all test files.

2013-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Check if assembler is compatible with AMD64 assembly implementations.
	* cipher/blowfish-amd64.S: Enable only if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined.
	* cipher/camellia-aesni-avx-amd64.S: Ditto.
	* cipher/camellia-aesni-avx2-amd64.S: Ditto.
	* cipher/cast5-amd64.S: Ditto.
	* cipher/rijndael-amd64.S: Ditto.
	* cipher/serpent-avx2-amd64.S: Ditto.
	* cipher/serpent-sse2-amd64.S: Ditto.
	* cipher/twofish-amd64.S: Ditto.
	* cipher/blowfish.c: Use AMD64 assembly implementation only if
	HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS is defined.
	* cipher/camellia-glue.c: Ditto.
	* cipher/cast5.c: Ditto.
	* cipher/rijndael.c: Ditto.
	* cipher/serpent.c: Ditto.
	* cipher/twofish.c: Ditto.
	* configure.ac: Check gcc/as compatibility with AMD64 assembly
	implementations.

2013-06-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Optimize _gcry_burn_stack for 32-bit and 64-bit architectures.
	* src/misc.c (_gcry_burn_stack): Add optimization for 32-bit and 64-bit
	architectures.

	Add Camellia AES-NI/AVX2 implementation.
	* cipher/Makefile.am: Add 'camellia-aesni-avx2-amd64.S'.
	* cipher/camellia-aesni-avx2-amd64.S: New file.
	* cipher/camellia-glue.c (USE_AESNI_AVX2): New macro.
	(CAMELLIA_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
	[USE_AESNI_AVX2] (_gcry_camellia_aesni_avx2_ctr_enc)
	(_gcry_camellia_aesni_avx2_cbc_dec)
	(_gcry_camellia_aesni_avx2_cfb_dec): New prototypes.
	(camellia_setkey) [USE_AESNI_AVX2]: Check AVX2+AES-NI capable hardware
	and set 'ctx->use_aesni_avx2'.
	(_gcry_camellia_ctr_enc) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(_gcry_camellia_cbc_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(_gcry_camellia_cfb_dec) [USE_AESNI_AVX2]: Add AVX2 accelerated code.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks'
	so that AVX2 codepaths get tested.
	* configure.ac (camellia) [avx2support, aesnisupport]: Add
	'camellia-aesni-avx2-amd64.lo'.

	Add Serpent AVX2 implementation.
	* cipher/Makefile.am: Add 'serpent-avx2-amd64.S'.
	* cipher/serpent-avx2-amd64.S: New file.
	* cipher/serpent.c (USE_AVX2): New macro.
	(serpent_context_t) [USE_AVX2]: Add 'use_avx2'.
	[USE_AVX2] (_gcry_serpent_avx2_ctr_enc, _gcry_serpent_avx2_cbc_dec)
	(_gcry_serpent_avx2_cfb_dec): New prototypes.
	(serpent_setkey_internal) [USE_AVX2]: Check for AVX2 capable hardware
	and set 'use_avx2'.
	(_gcry_serpent_ctr_enc) [USE_AVX2]: Use AVX2 accelerated functions.
	(_gcry_serpent_cbc_dec) [USE_AVX2]: Use AVX2 accelerated functions.
	(_gcry_serpent_cfb_dec) [USE_AVX2]: Use AVX2 accelerated functions.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Grow 'nblocks'
	so that AVX2 codepaths are tested.
	* configure.ac (serpent) [avx2support]: Add 'serpent-avx2-amd64.lo'.

	Add detection for Intel AVX2 instruction set.
	* configure.ac: Add option --disable-avx2-support.
	(HAVE_GCC_INLINE_ASM_AVX2): New.
	(ENABLE_AVX2_SUPPORT): New.
	* src/g10lib.h (HWF_INTEL_AVX2): New.
	* src/global.c (hwflist): Add HWF_INTEL_AVX2.
	* src/hwf-x86.c [__i386__] (get_cpuid): Initialize registers to zero
	before cpuid.
	[__x86_64__] (get_cpuid): Initialize registers to zero before cpuid.
	(detect_x86_gnuc): Store maximum cpuid level.
	(detect_x86_gnuc) [ENABLE_AVX2_SUPPORT]: Add detection for AVX2.

	twofish: add amd64 assembly implementation.
	* cipher/Makefile.am: Add 'twofish-amd64.S'.
	* cipher/twofish-amd64.S: New file.
	* cipher/twofish.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_twofish_amd64_encrypt_block)
	(_gcry_twofish_amd64_decrypt_block, _gcry_twofish_amd64_ctr_enc)
	(_gcry_twofish_amd64_cbc_dec, _gcry_twofish_amd64_cfb_dec): New
	prototypes.
	[USE_AMD64_ASM] (do_twofish_encrypt, do_twofish_decrypt)
	(twofish_encrypt, twofish_decrypt): New functions.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec, _gcry_twofish_cfb_dec)
	(selftest_ctr, selftest_cbc, selftest_cfb): New functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_TWOFISH]: Register Twofish
	bulk functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (twofish) [x86_64]: Add 'twofish-amd64.lo'.
	* src/cipher.h (_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(gcry_twofish_cfb_dec): New prototypes.

2013-05-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: add amd64 assembly implementation.
	* cipher/Makefile.am: Add 'rijndael-amd64.S'.
	* cipher/rijndael-amd64.S: New file.
	* cipher/rijndael.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_aes_amd64_encrypt_block)
	(_gcry_aes_amd64_decrypt_block): New prototypes.
	(do_encrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function.
	(do_encrypt): Disable input/output alignment when USE_AMD64_ASM is set.
	(do_decrypt_aligned) [USE_AMD64_ASM]: Use amd64 assembly function.
	(do_decrypt): Disable input/output alignment when USE_AMD64_ASM is set.
	* configure.ac (aes) [x86-64]: Add 'rijndael-amd64.lo'.

	blowfish: add amd64 assembly implementation.
	* cipher/Makefile.am: Add 'blowfish-amd64.S'.
	* cipher/blowfish-amd64.S: New file.
	* cipher/blowfish.c (USE_AMD64_ASM): New macro.
	[USE_AMD64_ASM] (_gcry_blowfish_amd64_do_encrypt)
	(_gcry_blowfish_amd64_encrypt_block)
	(_gcry_blowfish_amd64_decrypt_block, _gcry_blowfish_amd64_ctr_enc)
	(_gcry_blowfish_amd64_cbc_dec, _gcry_blowfish_amd64_cfb_dec): New
	prototypes.
	[USE_AMD64_ASM] (do_encrypt, do_encrypt_block, do_decrypt_block)
	(encrypt_block, decrypt_block): New functions.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec, selftest_ctr, selftest_cbc, selftest_cfb): New
	functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_BLOWFISH]: Register Blowfish
	bulk functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (blowfish) [x86_64]: Add 'blowfish-amd64.lo'.
	* src/cipher.h (_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(gcry_blowfish_cfb_dec): New prototypes.

2013-05-24  Werner Koch  <wk@gnupg.org>

	ecc: Simplify the compliant point generation.
	* cipher/ecc.c (generate_key): Use point_snatch_set, replaces unneeded
	variable copies, etc.

	ecc: Fix a minor flaw in the generation of K.
	* cipher/dsa.c (gen_k): Factor code out to ...
	* cipher/dsa-common.c (_gcry_dsa_gen_k): New file and function.  Add
	arg security_level and re-indent a bit.
	* cipher/ecc.c (gen_k): Remove and change callers to _gcry_dsa_gen_k.
	* cipher/dsa.c: Include pubkey-internal.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add dsa-common.c.

2013-05-24  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cast5: add amd64 assembly implementation.
	* cipher/Makefile.am: Add 'cast5-amd64.S'.
	* cipher/cast5-amd64.S: New file.
	* cipher/cast5.c (USE_AMD64_ASM): New macro.
	(_gcry_cast5_s1tos4): Merge arrays s1, s2, s3, s4 to single array to
	simplify access from assembly implementation.
	(s1, s2, s3, s4): New macros pointing to subarrays in
	_gcry_cast5_s1tos4.
	[USE_AMD64_ASM] (_gcry_cast5_amd64_encrypt_block)
	(_gcry_cast5_amd64_decrypt_block, _gcry_cast5_amd64_ctr_enc)
	(_gcry_cast5_amd64_cbc_dec, _gcry_cast5_amd64_cfb_dec): New prototypes.
	[USE_AMD64_ASM] (do_encrypt_block, do_decrypt_block, encrypt_block)
	(decrypt_block): New functions.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec)
	(selftest_ctr, selftest_cbc, selftest_cfb): New functions.
	(selftest): Call new bulk selftests.
	* cipher/cipher.c (gcry_cipher_open) [USE_CAST5]: Register CAST5 bulk
	functions for ctr-enc, cbc-dec and cfb-dec.
	* configure.ac (cast5) [x86_64]: Add 'cast5-amd64.lo'.
	* src/cipher.h (_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec)
	(gcry_cast5_cfb_dec): New prototypes.

	cipher-selftest: make selftest work with any block-size.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed
	functions from '<name>_128' to '<name>'.
	(_gcry_selftest_helper_cbc, _gcry_selftest_helper_cfb)
	(_gcry_selftest_helper_ctr): Make work with different block sizes.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_cfb_128, _gcry_selftest_helper_ctr_128): Renamed
	prototypes from '<name>_128' to '<name>'.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.
	* cipher/rijndael.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.
	* cipher/serpent.c (selftest_ctr_128, selftest_cfb_128)
	(selftest_ctr_128): Change to use new function names.

2013-05-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent: add parallel processing for CFB decryption.
	* cipher/cipher.c (gcry_cipher_open): Add bulk CFB decryption function
	for Serpent.
	* cipher/serpent-sse2-amd64.S (_gcry_serpent_sse2_cfb_dec): New
	function.
	* cipher/serpent.c (_gcry_serpent_sse2_cfb_dec): New prototype.
	(_gcry_serpent_cfb_dec): New function.
	(selftest_cfb_128): New function.
	(selftest): Call selftest_cfb_128.
	* src/cipher.h (_gcry_serpent_cfb_dec): New prototype.

	camellia: add parallel processing for CFB decryption.
	* cipher/camellia-aesni-avx-amd64.S
	(_gcry_camellia_aesni_avx_cfb_dec): New function.
	* cipher/camellia-glue.c (_gcry_camellia_aesni_avx_cfb_dec): New
	prototype.
	(_gcry_camellia_cfb_dec): New function.
	(selftest_cfb_128): New function.
	(selftest): Call selftest_cfb_128.
	* cipher/cipher.c (gcry_cipher_open): Add bulk CFB decryption function
	for Camellia.
	* src/cipher.h (_gcry_camellia_cfb_dec): New prototype.

	rijndael: add parallel processing for CFB decryption with AES-NI.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cfb_128): New
	function for CFB selftests.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cfb_128): New
	prototype.
	* cipher/rijndael.c [USE_AESNI] (do_aesni_enc_vec4): New function.
	(_gcry_aes_cfb_dec) [USE_AESNI]: Add parallelized CFB decryption.
	(selftest_cfb_128): New function.
	(selftest): Call selftest_cfb_128.

2013-05-23  Werner Koch  <wk@gnupg.org>

	Avoid compiler warning due to the global symbol setkey.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc_128)
	(_gcry_selftest_helper_ctr_128): Rename setkey to setkey_func.

2013-05-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent: add SSE2 accelerated amd64 implementation.
	* configure.ac (serpent): Add 'serpent-sse2-amd64.lo'.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add
	'serpent-sse2-amd64.S'.
	* cipher/cipher.c (gcry_cipher_open) [USE_SERPENT]: Register bulk
	functions for CBC-decryption and CTR-mode.
	* cipher/serpent.c (USE_SSE2): New macro.
	[USE_SSE2] (_gcry_serpent_sse2_ctr_enc, _gcry_serpent_sse2_cbc_dec):
	New prototypes to assembler functions.
	(serpent_setkey): Set 'serpent_init_done' before calling serpent_test.
	(_gcry_serpent_ctr_enc): New function.
	(_gcry_serpent_cbc_dec): New function.
	(selftest_ctr_128): New function.
	(selftest_cbc_128): New function.
	(selftest): Call selftest_ctr_128 and selftest_cbc_128.
	* cipher/serpent-sse2-amd64.S: New file.
	* src/cipher.h (_gcry_serpent_ctr_enc): New prototype.
	(_gcry_serpent_cbc_dec): New prototype.

	Serpent: faster S-box implementation.
	* cipher/serpent.c (SBOX0, SBOX1, SBOX2, SBOX3, SBOX4, SBOX5, SBOX6)
	(SBOX7, SBOX0_INVERSE, SBOX1_INVERSE, SBOX2_INVERSE, SBOX3_INVERSE)
	(SBOX4_INVERSE, SBOX5_INVERSE, SBOX6_INVERSE, SBOX7_INVERSE): Replace
	with new definitions.

2013-05-22  Werner Koch  <wk@gnupg.org>

	w32: Fix installing of .def file.
	* src/Makefile.am (install-def-file): Create libdir first.

	Add control commands to disable mlock and setuid dropping.
	* src/gcrypt.h.in (GCRYCTL_DISABLE_LOCKED_SECMEM): New.
	(GCRYCTL_DISABLE_PRIV_DROP): New.
	* src/global.c (_gcry_vcontrol): Implement them.
	* src/secmem.h (GCRY_SECMEM_FLAG_NO_MLOCK): New.
	(GCRY_SECMEM_FLAG_NO_PRIV_DROP): New.
	* src/secmem.c (no_mlock, no_priv_drop): New.
	(_gcry_secmem_set_flags, _gcry_secmem_get_flags): Set and get them.
	(lock_pool): Handle no_mlock and no_priv_drop.

	Fix libtool 2.4.2 to correctly detect .def files.
	* ltmain.sh (sed_uncomment_deffile): New.
	(orig_export_symbols): Uncomment def file before testing for EXPORTS.
	* m4/libtool.m4: Do the same for the generated code.

2013-05-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AES bulk CBC decryption selftest.
	* cipher/rijndael.c (selftest_cbc_128): New.
	(selftest): Call selftest_cbc_128.

	Change AES bulk CTR encryption selftest to use new selftest helper function.
	* cipher/rijndael.c (selftest_ctr_128): Change to use new selftest
	helper function.

	Convert bulk CTR and CBC selftest functions in Camellia to generic selftest helper functions.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add cipher-selftest files.
	* cipher/camellia-glue.c (selftest_ctr_128, selftest_cbc_128): Change
	to use the new selftest helper functions.
	* cipher/cipher-selftest.c: New.
	* cipher/cipher-selftest.h: New.

	camellia: add bulk CBC decryption selftest.
	* cipher/camellia-glue.c (selftest_cbc_128): New selftest function for
	bulk CBC decryption.
	(selftest): Add call to selftest_cbc_128.

	camellia: Rename camellia_aesni_avx_x86-64.S to camellia-aesni-avx-amd64.S.
	* cipher/camellia_aesni_avx_x86-64.S: Remove.
	* cipher/camellia-aesni-avx-amd64.S: New.
	* cipher/Makefile.am: Use the new filename.
	* configure.ac: Use the new filename.

2013-05-21  Werner Koch  <wk@gnupg.org>

	Fix indentation and save on string space.
	* cipher/ecc.c (generate_key): Use the same string for both fatal
	messages.

2013-05-20  Andrey  <andrey@brainhub.org>

	cipher: Fix segv in last ECC change.
	* cipher/ecc.c (generate_key): Make sure R is initialized.

2013-05-09  Andrey  <andrey@brainhub.org>

	cipher: Generate compliant ECC keys.
	* cipher/ecc.c (generate_key): Make sure a key is compliant for
	using the compact representation.

2013-04-18  Werner Koch  <wk@gnupg.org>

	cipher: Fix regression in Padlock support.
	* cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case
	and use the standard one.

	mpi: Yet another fix to get option flag munging right.
	* cipher/Makefile.am (o_flag_munging): Yet another fix.

	mpi: Make using gcc's -Ofast easier.
	* cipher/Makefile.am (o_flag_munging): Take -Ofast in account.

	Fix alignment problem in idea.c.
	* cipher/idea.c (cipher): Rework parameter use to fix alignment
	problems.

	* cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros.

	(cherry picked from 4cd279556777e02eda79973f68efaa4b741f9175)

2013-04-18  Vladimir Serbinenko  <phcoder@gmail.com>

	Add some const attributes.
	* cipher/md4.c (transform): Add const attribute.
	* cipher/md5.c (transform): Ditto.
	* cipher/rmd160.c (transform): Ditto.

	Fix alignment problem in serpent.c.
	* cipher/serpent.c (serpent_key_prepare): Fix misaligned access.
	(serpent_setkey): Likewise.
	(serpent_encrypt_internal): Likewise.
	(serpent_decrypt_internal): Likewise.
	(serpent_encrypt): Don't put an alignment-increasing cast.
	(serpent_decrypt): Likewise.
	(serpent_test): Likewise.

2013-04-16  Werner Koch  <wk@wheatstone.g10code.de>

	Fix multiply by zero in gcry_mpi_ec_mul.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
	* tests/t-mpi-point.c (basic_ec_math): Add a test case for this.

2013-04-15  Werner Koch  <wk@gnupg.org>

	Add macros to return pre-defined MPIs.
	* src/gcrypt.h.in (GCRYMPI_CONST_ONE, GCRYMPI_CONST_TWO)
	(GCRYMPI_CONST_THREE, GCRYMPI_CONST_FOUR, GCRYMPI_CONST_EIGHT): New.
	(_gcry_mpi_get_const): New private function.
	* src/visibility.c (_gcry_mpi_get_const): New.
	* src/visibility.h: Mark it visible.

	Fix addition of EC points.
	* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
	coordinates.

2013-04-12  Werner Koch  <wk@gnupg.org>

	Add hack to allow using an "ecc" key for "ecdsa" or "ecdh".
	* cipher/pubkey.c (sexp_to_key): Add optional arg USE.
	(gcry_pk_encrypt, gcry_pk_decrypt): Call sexp_to_key with usage sign.
	(gcry_pk_sign, gcry_pk_verify): Call sexp_to_key with usage encrypt.
	* tests/basic.c (show_sexp): New.
	(check_pubkey_sign): Print test number and add cases for ecc.
	(check_pubkey_sign_ecdsa): New.
	(do_check_one_pubkey): Divert to new function.

2013-04-11  Werner Koch  <wk@gnupg.org>

	Add gcry_pubkey_get_sexp.
	* src/gcrypt.h.in (GCRY_PK_GET_PUBKEY): New.
	(GCRY_PK_GET_SECKEY): New.
	(gcry_pubkey_get_sexp): New.
	* src/visibility.c (gcry_pubkey_get_sexp): New.
	* src/visibility.h (gcry_pubkey_get_sexp): Mark visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.
	* cipher/pubkey-internal.h: New.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add new file.
	* cipher/ecc.c: Include pubkey-internal.h.
	(_gcry_pk_ecc_get_sexp): New.
	* cipher/pubkey.c: Include pubkey-internal.h and context.h.
	(_gcry_pubkey_get_sexp): New.
	* src/context.c (_gcry_ctx_find_pointer): New.
	* src/cipher-proto.h: Add _gcry_pubkey_get_sexp.
	* tests/t-mpi-point.c (print_sexp): New.
	(context_param, basic_ec_math_simplified): Add tests for the new
	function.

	* configure.ac (NEED_GPG_ERROR_VERSION): Set to 1.11.
	(AH_BOTTOM): Add error codes from gpg-error 1.12.
	* src/g10lib.h (fips_not_operational): Use GPG_ERR_NOT_OPERATIONAL.

	* mpi/ec.c (_gcry_mpi_ec_get_mpi): Fix computation of Q.
	(_gcry_mpi_ec_get_point): Ditto.

	Remove unused code.
	* cipher/pubkey.c (_gcry_pk_module_lookup, _gcry_pk_module_release)
	(_gcry_pk_get_elements): Remove.

2013-04-05  Werner Koch  <wk@gnupg.org>

	Make the Q parameter optional for ECC signing.
	* cipher/ecc.c (ecc_sign): Remove the need for Q.
	* cipher/pubkey.c (sexp_elements_extract_ecc): Make Q optional for a
	private key.
	(sexp_to_key): Add optional arg R_IS_ECC.
	(gcry_pk_sign): Do not call gcry_pk_get_nbits for ECC keys.
	* tests/pubkey.c (die): Make sure to print a LF.
	(check_ecc_sample_key): New.
	(main): Call new test.

	Add test case for SCRYPT and rework the code.
	* tests/t-kdf.c (check_scrypt): New.
	(main): Call new test.

	* configure.ac: Support disabling of the scrypt algorithm.  Make KDF
	enabling similar to the other algorithm classes.  Disable scrypt if we
	don't have a 64 bit type.
	* cipher/memxor.c, cipher/memxor.h: Remove.
	* cipher/scrypt.h: Remove.
	* cipher/kdf-internal.h: New.
	* cipher/Makefile.am: Remove files.  Add new file.  Move scrypt.c to
	EXTRA_libcipher_la_SOURCES.
	(GCRYPT_MODULES): Add GCRYPT_KDFS.
	* src/gcrypt.h.in (GCRY_KDF_SCRYPT): Change value.
	* cipher/kdf.c (pkdf2): Rename to _gcry_kdf_pkdf2.
	(_gcry_kdf_pkdf2): Don't bail out for SALTLEN==0.
	(gcry_kdf_derive): Allow for a passwordlen of zero for scrypt.  Check
	for SALTLEN > 0 for GCRY_KDF_PBKDF2.  Pass algo to _gcry_kdf_scrypt.
	(gcry_kdf_derive) [!USE_SCRYPT]: Return an error.
	* cipher/scrypt.c: Replace memxor.h by bufhelp.h.  Replace scrypt.h by
	kdf-internal.h.  Enable code only if HAVE_U64_TYPEDEF is defined.
	Replace C99 types uint64_t, uint32_t, and uint8_t by libgcrypt types.
	(_SALSA20_INPUT_LENGTH): Remove underscore from identifier.
	(_scryptBlockMix): Replace memxor by buf_xor.
	(_gcry_kdf_scrypt): Use gcry_malloc and gcry_free.  Check for integer
	overflow.  Add hack to support blocksize of 1 for tests.  Return
	errors from calls to _gcry_kdf_pkdf2.

	* cipher/kdf.c (openpgp_s2k): Make static.

2013-04-04  Christian Grothoff  <christian@grothoff.org>

	Add the SCRYPT KDF function.
	* scrypt.c, scrypt.h: New files.
	* memxor.c, memxor.h: New files.
	* cipher/Makefile.am: Add new files.
	* cipher/kdf.c (gcry_kdf_derive): Support GCRY_KDF_SCRYPT.
	* src/gcrypt.h.in (GCRY_KDF_SCRYPT): New.

2013-03-22  Werner Koch  <wk@gnupg.org>

	Replace deprecated AM_CONFIG_HEADER macro.
	* configure.ac: s/AM_CONFIG_HEADER/AC_CONFIG_HEADER/

	Disable AES-NI support if as does not support SSSE3.
	* configure.ac (HAVE_GCC_INLINE_ASM_SSSE3): New test.
	(ENABLE_AESNI_SUPPORT): Do not define without SSSE3 support.
	(HAVE_GCC_INLINE_ASM_SSSE3, ENABLE_AVX_SUPPORT): Split up detection
	and definition.

2013-03-21  Werner Koch  <wk@gnupg.org>

	Fix make dependency regression.
	* src/Makefile.am (libgcrypt_la_DEPENDENCIES): Add missing backslash.
	Reported by LRN.

2013-03-20  Werner Koch  <wk@gnupg.org>

	Use finer grained on-the-fly helper computations for EC.
	* src/ec-context.h (mpi_ec_ctx_s): Replace NEED_SYNC by a bitfield.
	* mpi/ec.c (ec_p_sync): Remove.
	(ec_get_reset, ec_get_a_is_pminus3, ec_get_two_inv_p): New.
	(ec_p_init): Use ec_get_reset.
	(_gcry_mpi_ec_set_mpi, _gcry_mpi_ec_dup_point)
	(_gcry_mpi_ec_add_points): Replace ec_p_sync by the ec_get_ accessors.

	Allow building with w64-mingw32.
	* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain.  Also
	prepare for 64 bit building.

	Provide GCRYPT_VERSION_NUMBER macro, add build info to the binary.
	* src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New.
	* configure.ac (VERSION_NUMBER): New ac_subst.
	* src/global.c (_gcry_vcontrol): Move call to above function ...
	(gcry_check_version): .. here.

	* configure.ac (BUILD_REVISION, BUILD_FILEVERSION)
	(BUILD_TIMESTAMP): Define on all platforms.
	* compat/compat.c (_gcry_compat_identification): Include revision and
	timestamp.

	Fix a memory leak in the new EC code.
	* cipher/ecc.c (point_from_keyparam): Always call mpi_free on A.

2013-03-19  Werner Koch  <wk@gnupg.org>

	Extend the new EC interface and fix two bugs.
	* src/ec-context.h (mpi_ec_ctx_s): Add field NEED_SYNC.
	* mpi/ec.c (ec_p_sync): New.
	(ec_p_init): Only set NEED_SYNC.
	(_gcry_mpi_ec_set_mpi): Set NEED_SYNC for 'p' and 'a'.
	(_gcry_mpi_ec_dup_point, _gcry_mpi_ec_add_points)
	(_gcry_mpi_ec_mul_point): Call ec_p_sync.
	(_gcry_mpi_ec_get_point): Recompute 'q' if needed.
	(_gcry_mpi_ec_get_mpi): Ditto.  Also allow for names 'q', 'q.x',
	'q.y', and 'g'.
	* cipher/ecc.c (_gcry_mpi_ec_ec2os): New.

	* cipher/ecc.c (_gcry_mpi_ec_new): Fix init from parameters 'Q'->'q',
	'G'->'q'.

2013-03-15  Werner Koch  <wk@gnupg.org>

	mpi: Add functions to manipulate an EC context.
	* src/gcrypt.h.in (gcry_mpi_ec_p_new): Remove.
	(gcry_mpi_ec_new): New.
	(gcry_mpi_ec_get_mpi): New.
	(gcry_mpi_ec_get_point): New.
	(gcry_mpi_ec_set_mpi): New.
	(gcry_mpi_ec_set_point): New.
	* src/visibility.c (gcry_mpi_ec_p_new): Remove.
	* mpi/ec.c (_gcry_mpi_ec_p_new): Make it an internal function and
	change to return an error code.
	(_gcry_mpi_ec_get_mpi): New.
	(_gcry_mpi_ec_get_point): New.
	(_gcry_mpi_ec_set_mpi): New.
	(_gcry_mpi_ec_set_point): New.
	* src/mpi.h: Add new prototypes.
	* src/ec-context.h: New.
	* mpi/ec.c: Include that header.
	(mpi_ec_ctx_s): Move to ec-context.h, add new fields, and put some
	fields into an inner struct.
	(point_copy): New.
	* cipher/ecc.c (fill_in_curve): Allow passing NULL for R_NBITS.
	(mpi_from_keyparam, point_from_keyparam): New.
	(_gcry_mpi_ec_new): New.

	* tests/t-mpi-point.c (test-curve): New.
	(ec_p_new): New.  Use it instead of the removed gcry_mpi_ec_p_new.
	(get_and_cmp_mpi, get_and_cmp_point): New.
	(context_param): New test.
	(basic_ec_math_simplified): New test.
	(main): Call new tests.

	* src/context.c (_gcry_ctx_get_pointer): Check for a NULL CTX.

2013-03-13  Werner Koch  <wk@gnupg.org>

	Add GCRYMPI_FLAG_CONST and make use of constants.
	* src/gcrypt.h.in (GCRYMPI_FLAG_CONST): New.
	* src/mpi.h (mpi_is_const, mpi_const): New.
	(enum gcry_mpi_constants, MPI_NUMBER_OF_CONSTANTS): New.
	* mpi/mpiutil.c (_gcry_mpi_init): New.
	(constants): New.
	(_gcry_mpi_free): Do not release a constant flagged MPI.
	(gcry_mpi_copy): Clear the const and immutable flags.
	(gcry_mpi_set_flag, gcry_mpi_clear_flag, gcry_mpi_get_flag): Support
	GCRYMPI_FLAG_CONST.
	(_gcry_mpi_const): New.
	* src/global.c (global_init): Call _gcry_mpi_init.
	* mpi/ec.c (mpi_ec_ctx_s): Remove fields one, two, three, four, and
	eight.  Change all users to call mpi_const() instead.

	* src/mpiutils.c (gcry_mpi_set_opaque): Check the immutable flag.

	Add GCRYMPI_FLAG_IMMUTABLE to help debugging.
	* src/gcrypt.h.in (GCRYMPI_FLAG_IMMUTABLE): New.
	* src/mpi.h (mpi_is_immutable): New macro.
	* mpi/mpiutil.c (gcry_mpi_set_flag, gcry_mpi_clear_flag)
	(gcry_mpi_get_flag): Implement new flag.
	(_gcry_mpi_immutable_failed): New.

	* mpi/mpiutil.c (_gcry_mpi_clear, _gcry_mpi_free, gcry_mpi_snatch)
	(gcry_mpi_set, gcry_mpi_randomize): Act upon the immutable flag.
	* mpi/mpi-bit.c (gcry_mpi_set_bit, gcry_mpi_set_highbit)
	(gcry_mpi_clear_highbit, gcry_mpi_clear_bit)
	(_gcry_mpi_rshift_limbs, gcry_mpi_lshift): Ditto.
	* mpi/mpicoder.c (_gcry_mpi_set_buffer): Ditto.

2013-03-08  Werner Koch  <wk@gnupg.org>

	mpi: Add an API for EC math.
	* src/context.c, src/context.h: New.
	* src/Makefile.am (libgcrypt_la_SOURCES): Add new files.
	* src/gcrypt.h.in (struct gcry_context, gcry_ctx_t): New types.
	(gcry_ctx_release): New prototype.
	(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
	(gcry_mpi_ec_add, gcry_mpi_ec_mul): New prototypes.
	* mpi/ec.c: Include errno.h and context.h.
	(_gcry_mpi_ec_init): Rename to ..
	(ec_p_init): this, make static, remove allocation and add arg CTX.
	(_gcry_mpi_ec_p_internal_new): New; to replace _gcry_mpi_ec_init.
	Change all callers to use this func.
	(_gcry_mpi_ec_free): Factor code out to ..
	(ec_deinit): New func.
	(gcry_mpi_ec_p_new): New.
	* src/visibility.c: Include context.h and mpi.h.
	(gcry_mpi_ec_p_new, gcry_mpi_ec_get_affine, gcry_mpi_ec_dup)
	(gcry_mpi_ec_add, gcry_mpi_ec_mul)
	(gcry_ctx_release): New wrapper functions.
	* src/visibility.h: Mark new wrapper functions visible.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new symbols.
	* tests/t-mpi-point.c (print_mpi, hex2mpi, cmp_mpihex): New.
	(context_alloc): New.
	(make_point, basic_ec_math): New.

	mpi: Add an API for EC point operations.
	* mpi/ec.c (gcry_mpi_point_new, gcry_mpi_point_release): New.
	(gcry_mpi_point_get, gcry_mpi_point_snatch_get): New.
	(gcry_mpi_point_set, gcry_mpi_point_snatch_set): New.
	* src/visibility.h, src/visibility.c: Add corresponding macros and
	wrappers.
	* src/gcrypt.h.in (struct gcry_mpi_point, gcry_mpi_point_t): New.
	(gcry_mpi_point_new, gcry_mpi_point_release, gcry_mpi_point_get)
	(gcry_mpi_point_snatch_get, gcry_mpi_point_set)
	(gcry_mpi_point_snatch_set): New prototypes.
	(mpi_point_new, mpi_point_release, mpi_point_get, mpi_point_snatch_get)
	(mpi_point_set, mpi_point_snatch_set): New macros.
	* src/libgcrypt.vers (gcry_mpi_point_new, gcry_mpi_point_release)
	(gcry_mpi_point_get, gcry_mpi_point_snatch_get, gcry_mpi_point_set)
	(gcry_mpi_point_snatch_set): New symbols.
	* src/libgcrypt.def: Ditto.
	* tests/t-mpi-point.c: New.
	* tests/Makefile.am (TESTS): Add t-mpi-point.

2013-03-07  Werner Koch  <wk@gnupg.org>

	mpi: Add mpi_snatch and change an internal typedef.
	* src/mpi.h (struct mpi_point_s): Rename to struct gcry_mpi_point.
	(mpi_point_struct): New typedef.
	(mpi_point_t): Change typedef to a pointer.  Replace all occurrences
	to use mpi_point_struct.
	* mpi/ec.c (_gcry_mpi_ec_point_init): Rename to ..
	(_gcry_mpi_point_init): this.  Change all callers.
	(_gcry_mpi_ec_point_free): Rename to ..
	(_gcry_mpi_point_free_parts): this.  Change all callers.

	* mpi/mpiutil.c (gcry_mpi_snatch): New function.
	* src/gcrypt.h.in (gcry_mpi_snatch, mpi_snatch): Add prototype and
	macro.
	* src/visibility.c (gcry_mpi_snatch): Add wrapper.
	* src/visibility.h (gcry_mpi_snatch): Add macro magic.
	* src/libgcrypt.def, src/libgcrypt.vers: Add new function.

	Pretty print the configure feedback.
	* acinclude.m4 (GNUPG_MSG_PRINT): Remove.
	(GCRY_MSG_SHOW, GCRY_MSG_WRAP): New.
	* configure.ac: Use new macros for the feedback.

2013-02-20  Werner Koch  <wk@gnupg.org>

	Fix building of hwf-x86.c.
	* src/Makefile.am (AM_CFLAGS): Set to GPG_ERROR_CFLAGS
	(AM_CCASFLAGS): Set NOEXECSTACK_FLAGS.

	Remove build hacks for FreeBSD.
	* configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and
	LDFLAGS.

2013-02-19  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Rijndael: Fix use of SSE2 outside USE_AESNI/ctx->use_aesni.
	* cipher/rijndael.c (_gcry_aes_cbc_enc): Check if AES-NI is enabled before
	calling aesni_prepare() and aesni_cleanup().

	Add AES-NI/AVX accelerated Camellia implementation.
	* configure.ac: Add option --disable-avx-support.
	(HAVE_GCC_INLINE_ASM_AVX): New.
	(ENABLE_AVX_SUPPORT): New.
	(camellia) [ENABLE_AVX_SUPPORT, ENABLE_AESNI_SUPPORT]: Add
	camellia_aesni_avx_x86-64.lo.
	* cipher/Makefile.am (AM_CCASFLAGS): Add.
	(EXTRA_libcipher_la_SOURCES): Add camellia_aesni_avx_x86-64.S.
	* cipher/camellia-glue.c [ENABLE_AESNI_SUPPORT, ENABLE_AVX_SUPPORT]
	[__x86_64__] (USE_AESNI_AVX): Add macro.
	(struct Camellia_context) [USE_AESNI_AVX]: Add use_aesni_avx.
	[USE_AESNI_AVX] (_gcry_camellia_aesni_avx_ctr_enc)
	(_gcry_camellia_aesni_avx_cbc_dec): New prototypes to assembly
	functions.
	(camellia_setkey) [USE_AESNI_AVX]: Enable AES-NI/AVX if hardware
	supports both.
	(_gcry_camellia_ctr_enc) [USE_AESNI_AVX]: Add AES-NI/AVX code.
	(_gcry_camellia_cbc_dec) [USE_AESNI_AVX]: Add AES-NI/AVX code.
	* cipher/camellia_aesni_avx_x86-64.S: New.
	* src/g10lib.h (HWF_INTEL_AVX): New.
	* src/global.c (hwflist): Add HWF_INTEL_AVX.
	* src/hwf-x86.c (detect_x86_gnuc) [ENABLE_AVX_SUPPORT]: Add detection
	for AVX.

	camellia.c: Prepare for AES-NI/AVX implementation.
	* cipher/camellia-glue.c (CAMELLIA_encrypt_stack_burn_size)
	(CAMELLIA_decrypt_stack_burn_size): Increase stack burn size.
	* cipher/camellia.c (CAMELLIA_ROUNDSM): Move key-material mixing in
	the front.
	(camellia_setup128, camellia_setup256): Remove now unneeded
	key-material mangling.
	(camellia_encrypt128, camellia_decrypt128, camellia_encrypt256)
	(camellia_decrypt256): Copy block to stack, so that compiler can
	optimize it for register usage.

	Camellia, prepare glue code for AES-NI/AVX implementation.
	* cipher/camellia-glue.c (ATTR_ALIGNED_16): Add macro.
	(CAMELLIA_encrypt_stack_burn_size): Add macro.
	(camellia_encrypt): Use macro above for stack burn size.
	(CAMELLIA_decrypt_stack_burn_size): Add macro.
	(camellia_decrypt): Use macro above for stack burn size.
	(_gcry_camellia_ctr_enc): New function.
	(_gcry_camellia_cbc_dec): New function.
	(selftest_ctr_128): New function.
	(selftest): Call function above.
	* cipher/cipher.c (gcry_cipher_open) [USE_CAMELLIA]: Register bulk
	functions for CBC-decryption and CTR-mode.
	* src/cipher.h (_gcry_camellia_ctr_enc): New prototype.
	(_gcry_camellia_cbc_dec): New prototype.

2012-12-21  Werner Koch  <wk@gnupg.org>

	Prepare for hardware feature detection on other platforms.
	* configure.ac (GCRYPT_HWF_MODULES): New.
	(HAVE_CPU_ARCH_X86, HAVE_CPU_ARCH_ALPHA, HAVE_CPU_ARCH_SPARC)
	(HAVE_CPU_ARCH_MIPS, HAVE_CPU_ARCH_M68K, HAVE_CPU_ARCH_PPC)
	(HAVE_CPU_ARCH_ARM): New AC_DEFINEs.
	* mpi/config.links (mpi_cpu_arch): New.
	* src/global.c (print_config): Print new tag "cpu-arch".
	* src/Makefile.am (libgcrypt_la_SOURCES): Add hwf-common.h.
	(EXTRA_libgcrypt_la_SOURCES): New.
	(gcrypt_hwf_modules): New.
	(libgcrypt_la_DEPENDENCIES, libgcrypt_la_LIBADD): Add that one.
	* src/hwfeatures.c: Factor most code out to ...
	* src/hwf-x86.c: New file.
	(detect_x86_gnuc): Return the feature vector.
	(_gcry_hwf_detect_x86): New.
	* src/hwf-common.h: New.
	* src/hwfeatures.c (_gcry_detect_hw_features): Dispatch using
	HAVE_CPU_ARCH_ macros.

2012-12-21  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Clean up i386/x86-64 cpuid usage in hwfeatures.c.
	* src/hwfeatures.c [__i386__ && __GNUC__] (detect_ia32_gnuc): Remove.
	[__x86_64__ && __GNUC__] (detect_x86_64_gnuc): Remove.
	[__i386__ && __GNUC__] (is_cpuid_available, get_cpuid)
	(HAS_X86_CPUID): New.
	[__x86_64__ && __GNUC__] (is_cpuid_available, get_cpuid)
	(HAS_X86_CPUID): New.
	[HAS_X86_CPUID] (detect_x86_gnuc): New.
	(_gcry_detect_hw_features) [__i386__ && GNUC]: Remove detect_ia32_gnuc
	call.
	(_gcry_detect_hw_features) [__x86_64__ && GNUC]: Remove
	detect_x86_64_gnuc call.
	(_gcry_detect_hw_features) [HAS_X86_CPUID]: Add detect_x86_gnuc call.

2012-12-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>

	Add support for using DRNG random number generator.
	* configure.ac: Add option --disable-drng-support.
	(ENABLE_DRNG_SUPPORT): New.
	* random/rndhw.c (USE_DRNG): New.
	(rdrand_long, rdrand_nlong, poll_drng): New.
	(_gcry_rndhw_poll_fast, _gcry_rndhw_poll_slow): Call poll function.
	* src/g10lib.h (HWF_INTEL_RDRAND): New.
	* src/global.c (hwflist): Add "intel-rdrand".
	* src/hwfeatures.c (detect_x86_64_gnuc) [ENABLE_DRNG_SUPPORT]: Detect
	RDRAND.
	(detect_ia32_gnuc) [ENABLE_DRNG_SUPPORT]: Detect RDRAND.

2012-12-03  Werner Koch  <wk@gnupg.org>

	random: Add a RNG selection interface and system RNG wrapper.
	* random/random-system.c: New.
	* random/Makefile.am (librandom_la_SOURCES): Add new module.
	* random/random.c (struct rng_types): New.
	(_gcry_set_preferred_rng_type, _gcry_get_rng_type): New.
	(_gcry_random_initialize, gcry_random_add_bytes, do_randomize)
	(_gcry_set_random_seed_file, _gcry_update_random_seed_file)
	(_gcry_fast_random_poll): Dispatch to the actual RNG.
	* src/gcrypt.h.in (GCRYCTL_SET_PREFERRED_RNG_TYPE): New.
	(GCRYCTL_GET_CURRENT_RNG_TYPE): New.
	(gcry_rng_types): New.
	* src/global.c (print_config): Print the RNG type.
	(global_init, _gcry_vcontrol): Implement the new control codes.
	* doc/gcrypt.texi (Controlling the library): Document the new control
	codes.

	* tests/benchmark.c (main): Add options to test the RNG types.
	* tests/random.c (main): Add new options.
	(print_hex): Print to stderr.
	(progress_cb, rng_type): New.
	(check_rng_type_switching, check_early_rng_type_switching): New.
	(run_all_rng_tests): New.

	tests: Allow use of random.c under Windows.
	* tests/Makefile.am (TESTS): Always include random.c.
	* tests/random.c [!W32]: Include sys/wait.h.
	(inf): New.
	(check_forking, check_nonce_forking): Print a notice about what will be
	done.
	(main) [W32]: Do not call signal.

	Make random-fips.c work multi-threaded.
	* random/random-fips.c (basic_initialization): Fix reversed logic.

	Move nonce creation from csprng backend to random main module.
	* random/random-csprng.c (_gcry_rngcsprng_create_nonce): Remove.
	(nonce_buffer_lock): Remove.
	(initialize_basics): Remove init of nonce_buffer_lock.
	* random/random.c: Add a few header files.
	(nonce_buffer_lock): New.
	(_gcry_random_initialize): Init nonce_buffer_lock.
	(gcry_create_nonce): Add code from _gcry_rngcsprng_create_nonce.

	* random/random-daemon.c (_gcry_daemon_create_nonce): Remove.

2012-12-03  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix building with CC="gcc -std=c90".
	* configure.ac: Add check for missing 'asm' keyword in C90 mode and
	replacement with '__asm__'.

2012-12-03  Werner Koch  <wk@gnupg.org>

	Try to use inttypes.h if stdint.h is not available.
	* cipher/bufhelp.h [HAVE_INTTYPES_H]: Include inttypes.h.

2012-12-03  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize buffer xoring.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add 'bufhelp.h'.
	* cipher/bufhelp.h: New.
	* cipher/cipher-aeswrap.c (_gcry_cipher_aeswrap_encrypt)
	(_gcry_cipher_aeswrap_decrypt): Use 'buf_xor' for buffer xoring.
	* cipher/cipher-cbc.c (_gcry_cipher_cbc_encrypt)
	(_gcry_cipher_cbc_decrypt): Use 'buf_xor' for buffer xoring and remove
	resulting unused variables.
	* cipher/cipher-cfb.c (_gcry_cipher_cfb_encrypt): Use 'buf_xor_2dst'
	for buffer xoring and remove resulting unused variables.
	(_gcry_cipher_cfb_decrypt): Use 'buf_xor_n_copy' for buffer xoring and
	remove resulting unused variables.
	* cipher/cipher-ctr.c (_gcry_cipher_ctr_encrypt): Use 'buf_xor' for
	buffer xoring and remove resulting unused variables.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt)
	(_gcry_cipher_ofb_decrypt): Use 'buf_xor' for buffer xoring and remove
	resulting unused variables.
	* cipher/rijndael.c (_gcry_aes_cfb_enc): Use 'buf_xor_2dst' for buffer
	xoring and remove resulting unused variables.
	(_gcry_aes_cfb_dec): Use 'buf_xor_n_copy' for buffer xoring and remove
	resulting unused variables.
	(_gcry_aes_cbc_enc, _gcry_aes_ctr_enc, _gcry_aes_cbc_dec): Use 'buf_xor'
	for buffer xoring and remove resulting unused variables.

2012-11-29  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize AES-NI CTR mode.
	* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Make
	handling of 64-bit overflow and carry conditional. Avoid generic to
	vector register passing of value '1'. Generate and use '-1' instead.

2012-11-28  Werner Koch  <wk@gnupg.org>

	Make a cpp conditional in rijndael.c more readable.
	* cipher/rijndael.c (USE_AESNI): Modify cpp conditionals for better
	readability.

2012-11-28  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix building with Clang on x86-64 and i386.
	* cipher/rijndael.c [USE_AESNI] (do_aesni_enc_aligned)
	(do_aesni_dec_vec4, do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Add
	explicit suffix to 'cmp' instructions.

2012-11-26  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Optimize wipememory2 for i386 and x86-64.
	* src/g10lib.h (wipememory2): Add call to fast_wipememory2.
	(fast_wipememory2): New macros for i386 and x86-64 architectures.
	Empty macro provided for other architectures.

	Fix missing 64bit carry handling in AES-NI CTR mode.
	* cipher/rijndael.c [USE_AESNI] (do_aesni_ctr, do_aesni_ctr_4): Add
	carry handling to 64-bit addition.
	(selftest_ctr_128): New function for testing IV handling in bulk CTR
	function.
	(selftest): Add call to selftest_ctr_128.

	Add parallelized AES-NI CBC decryption.
	* cipher/rijndael.c [USE_AESNI] (aesni_cleanup_5): New macro.
	[USE_AESNI] (do_aesni_dec_vec4): New function.
	(_gcry_aes_cbc_dec) [USE_AESNI]: Add parallelized CBC loop.
	(_gcry_aes_cbc_dec) [USE_AESNI]: Change IV storage register from xmm3
	to xmm5.

	Clear xmm5 after use in AES-NI CTR mode.
	* cipher/rijndael.c [USE_AESNI]: Rename aesni_cleanup_2_4 to
	aesni_cleanup_2_5.
	[USE_AESNI] (aesni_cleanup_2_5): Clear xmm5 register.
	(_gcry_aes_ctr_enc, _gcry_aes_cbc_dec) [USE_AESNI]: Use
	aesni_cleanup_2_5 instead of aesni_cleanup_2_4.

	Optimize AES-NI CBC encryption.
	* cipher/rijndael.c (_gcry_aes_cbc_enc) [USE_AESNI]: Add AES-NI
	specific loop and use SSE2 assembler for xoring and copying of
	blocks.

	Improve parallelizability of CBC decryption for AES-NI.
	* cipher/rijndael.c (_gcry_aes_cbc_dec) [USE_AESNI]: Add AES-NI
	specific CBC mode loop with temporary block and IV stored in free SSE
	registers.

	Extend test of chained modes for 128bit ciphers.
	* tests/basic.c (check_one_cipher_core, check_one_cipher): Increase
	input and output buffer sizes from 16 bytes to 1024+16=1040 bytes.
	(check_one_cipher_core): Add asserts to verify sizes of temporary
	buffers.

2012-11-21  Werner Koch  <wk@gnupg.org>

	Fix for strict aliasing rules.
	* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t for
	casting.

	Do not detect AES-NI support if disabled by configure.
	* src/hwfeatures.c (detect_ia32_gnuc): Detect AESNI support only if
	that support has been enabled.

2012-11-21  Jussi Kivilinna  <jussi.kivilinna@mbnet.fi>

	Fix too large burn_stack in camellia-glue.c.
	* cipher/camellia-glue.c (camellia_encrypt, camellia_decrypt): Do not
	take full array size of KEY_TABLE_TYPE, but argument size instead.

	Add x86_64 support for AES-NI.
	* cipher/rijndael.c [ENABLE_AESNI_SUPPORT]: Enable USE_AESNI on x86-64.
	(do_setkey) [USE_AESNI_is_disabled_here]: Use %[key] and %[ksch]
	directly as registers instead of using temporary register %%esi.
	[USE_AESNI] (do_aesni_enc_aligned, do_aesni_dec_aligned, do_aesni_cfb,
	do_aesni_ctr, do_aesni_ctr_4): Use %[key] directly as register instead
	of using temporary register %%esi.
	[USE_AESNI] (do_aesni_cfb, do_aesni_ctr, do_aesni_ctr_4): Change %[key]
	from generic "g" type to register "r".
	* src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Do not
	clear AES-NI feature flag.

	Fix cpuid vendor-id check for i386 and x86-64.
	* src/hwfeatures.c (detect_x86_64_gnuc, detect_ia32_gnuc): Allow
	Intel features to be detected from CPUs by other vendors too.

	Fix hwdetect assembler clobbers.
	* src/hwfeatures.c (detect_x86_64_gnuc): Add missing %ebx assembler
	clobbers.
	(detect_x86_64_gnuc, detect_ia32_gnuc) [ENABLE_PADLOCK_SUPPORT]: Add
	missing %ecx assembler clobbers.

2012-11-21  Werner Koch  <wk@gnupg.org>

	Use configure test for aligned attribute.
	* configure.ac (HAVE_GCC_ATTRIBUTE_ALIGNED): New test and ac_define.
	* cipher/cipher-internal.h, cipher/rijndael.c, random/rndhw.c: Use new
	macro instead of a fixed test for __GNUC__.

	Fix segv with AES-NI on some platforms.
	* cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes.

2012-11-16  Werner Koch  <wk@gnupg.org>

	Improve parsing of the GIT revision number.
	* configure.ac (mmm4_revision): Use git rev-parse.

2012-11-08  Werner Koch  <wk@gnupg.org>

	Fix extern inline use for gcc > 4.3 in c99 mode.
	* mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern
	inline semantics in gcc.

2012-11-07  Werner Koch  <wk@gnupg.org>

	Fix memory leak in gcry_pk_testkey for ECC.
	* cipher/ecc.c (check_secret_key): Restructure for easier allocation
	tracking.  Fix memory leak.

2012-11-05  Werner Koch  <wk@gnupg.org>

	Prepare for a backported interface in 1.5.1.
	* configure.ac: Bump LT version at C20/A0/R0 to adjust for a planned
	API update in 1.5.1.

	Adjust for stricter autoconf requirements.
	* configure.ac: Fix usage of AC_LANG_PROGRAM.

	Update build helper scripts.
	* config.guess, config.sub: Update to version 2012-07-31.
	* ltmain.sh: Update to version 2.4.2.
	* install-sh, m4/libtool.m4, m4/ltoptions.m4, m4/ltversion.m4
	* m4/lt~obsolete.m4: Update to autoconf 2.69 versions.

	Do not distribute a copy of gitlog-to-changelog.
	* Makefile.am (GITLOG_TO_CHANGELOG): New.
	(gen-ChangeLog): Require an installed gitlog-to-changelog.
	* scripts/gitlog-to-changelog: Remove.

	* README.SVN: Remove.
	* REMOVE.GIT: New.

	Allow building with w64-mingw32.
	* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain.  Also
	prepare for 64 bit building.
	<git-setup>: Remove option -c from chmod.

	Switch to the new automagic beta numbering scheme.
	* configure.ac: Add all the required m4 magic.

	Avoid dereferencing pointer right after the end.
	* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.

2012-10-30  Werner Koch  <wk@gnupg.org>

	Make ancient test program useful again.
	* tests/testapi.c (test_sexp): Adjust to current API.  Print the
	return code.  Mark unused args.
	(test_genkey): Mark unused args.
	(main): Do not pass NULL to printf.

	tests: Add ECC key generation tests.
	* tests/keygen.c (check_generated_ecc_key): New.
	(check_ecc_keys): New.
	(main): Call simple ECC checks.

2012-10-30  Milan Broz  <mbroz@redhat.com>

	PBKDF2: Allow empty passphrase.
	* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
	* tests/t-kdf.c (check_pbkdf2): Add test case for above.

2012-08-16  Xi Wang  <xi.wang@gmail.com>

	Replace deliberate division by zero with _gcry_divide_by_zero.
	* mpi/mpi-pow.c: Replace 1 / msize.
	* mpi/mpih-div.c: Replace 1 / dsize.
	* src/misc.c: Add _gcry_divide_by_zero.

2012-06-21  Werner Koch  <wk@gnupg.org>

	Clear AESNI feature flag for x86_64.
	* src/hwfeatures.c (_gcry_detect_hw_features) [__x86_64__]: Clear
	AESNI feature flag.

	Beautify last change.
	* cipher/rijndael.c: Replace C99 feature from last patch.  Keep cpp
	lines short.
	* random/rndhw.c: Keep cpp lines short.
	* src/hwfeatures.c (_gcry_detect_hw_features): Make cpp def chain
	more readable.

2012-06-21  Rafaël Carré  <funman@videolan.org>

	Enable VIA Padlock on x86_64 platforms.
	* cipher/rijndael.c: Duplicate x86 assembly and convert to x86_64.
	* random/rndhw.c: Likewise.
	* src/hwfeatures.c: Likewise.

2012-05-14  Werner Koch  <wk@gnupg.org>

	Add curve aliases from RFC-5656.
	* cipher/ecc.c (curve_aliases): Add "nistp???" entries.

2012-04-16  Werner Koch  <wk@gnupg.org>

	State new contribution rules.
	* doc/DCO: New.
	* doc/HACKING: Document new rules.

2012-04-04  Tomas Mraz  <tmraz@fedoraproject.org>

	Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command.
	* doc/gcrypt.texi: Add documentation of the new command.
	* src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode
	only when fips mode is enabled.
	(_gcry_set_enforced_fips_mode): New function.
	* src/g10lib.h: Add the _gcry_set_enforced_fips_mode prototype.
	* src/gcrypt.h.in: Add the GCRYCTL_SET_ENFORCED_FIPS_FLAG.
	* src/global.c (_gcry_vcontrol): Handle the new command.

2012-02-17  Ulrich Müller  <ulm@gentoo.org>

	Rework selftest in idea.c.
	* cipher/idea.c (do_setkey): Execute selftest when first called.
	(decrypt_block): Remove commented-out code.
	(selftest): Execute all selftests.  Return NULL on success, or a
	string in case of error.

2012-02-16  Werner Koch  <wk@gnupg.org>

	Fix missing prototype.
	* src/g10lib.h (_gcry_secmem_module_init): Make it a real prototype.

2012-02-16  Ulrich Müller  <ulm@gentoo.org>

	Add support for the IDEA cipher.
	Adapt idea.c to the Libgcrypt framework.
	Add IDEA to cipher_table and to the build system.

	Patents on IDEA have expired:
	  Europe: EP0482154 on 2011-05-16,
	  Japan:  JP3225440 on 2011-05-16,
	  U.S.:   5,214,703 on 2012-01-07.

	* configure.ac: Add idea to the list of available ciphers.
	Define USE_IDEA if idea is enabled.
	* cipher/cipher.c (cipher_table): Add entry for IDEA.
	* cipher/idea.c: Update comment about patents.
	Include proper header files and remove redundant declarations.
	(expand_key, cipher, do_setkey, encrypt_block, decrypt_block):
	Define function arguments as const where appropriate.
	(cipher): Test for !WORDS_BIGENDIAN instead of LITTLE_ENDIAN_HOST.
	(do_setkey, decrypt_block): Don't call selftest.
	(idea_setkey): New function, wrapper for do_setkey.
	(idea_encrypt): New function, wrapper for encrypt_block.
	(_gcry_cipher_spec_idea): Define.
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add idea.c.
	* src/cipher.h (_gcry_cipher_spec_idea): Declare.
	* tests/basic.c (check_ciphers): Add GCRY_CIPHER_IDEA.

2012-01-09  Werner Koch  <wk@gnupg.org>

	Include an IDEA implementation.
	The code is the old IDEA test code, written by me back in 1997 and
	distributed on a Danish FTP server.  This commit is only for
	reference.  To use the code it has to be adjusted to the Libgcrypt
	framework.

2012-01-03  Marcus Brinkmann  <marcus.brinkmann@ruhr-uni-bochum.de>

	Fix pthread locking and remove defunctional support for static lock init.
	* src/ath.c: Include assert.h.
	(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Dereference LOCK.
	* src/g10lib.h (_gcry_secmem_module_init): New declaration.
	* src/global.c (global_init): Call _gcry_secmem_module_init.
	* src/secmem.c (_gcry_secmem_module_init): New function.

2011-12-16  Werner Koch  <wk@gnupg.org>

	Add alignment tests for the cipher tests.
	* tests/basic.c (check_one_cipher): Factor most code out to
	check_one_cipher_core.  Call that core function several times using
	different alignment settings.
	(check_one_cipher_core): New.  Add extra args to allow alignment
	testing.

2011-12-07  Werner Koch  <wk@gnupg.org>

	tests/prime: Add option to create a well known private key.
	* tests/prime.c (print_mpi, create_42prime): New.
	(main): Add option --42.

2011-12-01  Werner Koch  <wk@gnupg.org>

	Do not build the random-daemon by make distcheck.
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Disable building of the
	random daemon.

	Generate the ChangeLog from commit logs.
	* scripts/gitlog-to-changelog: New script.  Taken from gnulib.
	* scripts/git-log-fix: New file.
	* scripts/git-log-footer: New file.
	* doc/HACKING: Describe the ChangeLog policy.
	* ChangeLog: New file.
	* Makefile.am (EXTRA_DIST): Add new files.
	(gen-ChangeLog): New.
	(dist-hook): Run gen-ChangeLog.

	Rename all ChangeLog files to ChangeLog-2011.

2011-12-01  Werner Koch  <wk@gnupg.org>

	NB: Changes done before December 1st, 2011 are described in
	per directory files named ChangeLog-2011.  See doc/HACKING for
	details.

	-----
	Copyright (C) 2011 Free Software Foundation, Inc.

	Copying and distribution of this file and/or the original GIT
	commit log messages, with or without modification, are
	permitted provided the copyright notice and this notice are
	preserved.
