2021-01-29  Werner Koch  <wk@gnupg.org>

	Release 1.9.1.
	+ commit 466299b1ceb82ec7c4dd0ca376de50399a896adf
	* configure.ac: Bump LT version to C23/A3/R1.

2021-01-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hash-common: fix heap overflow when writing more data after final.
	+ commit 512c0c75276949f13b6373b5c04f7065af750b08
	* tests/basic.c (check_one_md): Test writing to digest after read.
	* cipher/hash-common.c (_gcry_md_block_write): Reset 'hd->count' if
	greater than blocksize.

2021-01-28  Werner Koch  <wk@gnupg.org>

	Add a compliance keyword to gcry_get_config.
	+ commit aa3f595341eb263980210776c7fe377b2ed24c5e
	* src/global.c (print_config): New config line.

2021-01-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	asm-common-aarch64: add MacOS support for GET_DATA_POINTER.
	+ commit 014fed5153647641376b9131ea1d87dc5e88cf42
	* cipher/asm-common-aarch64.h [__APPLE__] (GET_DATA_POINTER): Add MacOS
	variant of macro.

2021-01-27  NIIBE Yutaka  <gniibe@fsij.org>

	random: Use getentropy on macOS when available.
	+ commit 6cb0faf6ceec5b2e799e6fb5f04b85d135a7da9b
	* random/rndlinux.c [__APPLE__ && __MACH__] (getentropy): Declare.
	(_gcry_rndlinux_gather_random): Check the symbol and use getentropy.

	mpi: Fix _gcry_mpih_mod implementation.
	+ commit f06ff4e31c8e162f4a59986241c7ab43d5085927
	* mpi/mpih-const-time.c (_gcry_mpih_mod): Handle the overflow.

	build: Check spawn.h for MacOS X Tiger.
	+ commit fc901e978a0c18a3524cad5d1ef3451ed11b9347
	* configure.ac: Add check for spawn.h.
	* tests/random.c: Only use posix_spawn if available.

2021-01-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	global: fix compile error at pragma GCC diagnostic.
	+ commit 3d095206c30d772d5fc68bf69bfc384e43f766e9
	* src/global.c (_gcry_vcontrol): Move "pragma GCC diagnostics" outside
	function.

	cipher-proto: remove forward typedef of cipher_bulk_ops_t.
	+ commit 17aad639d29c7c835a7effb89181c7c99b16cb6a
	* cipher/cipher-proto (cipher_bulk_ops_t): Remove typedef, leave
	forward declaration of 'struct cipher_bulk_ops'.
	(gcry_cipher_setkey_t): Change 'bulk_ops' to
	'struct cipher_bulk_ops *'.
	* cipher/arcfour.c: Include 'cipher-internal.h'.
	* cipher/gost28147.c: Ditto.
	* cipher/idea.c: Ditto.
	* cipher/rfc2268.c: Ditto.
	* cipher/salsa20.c: Ditto.
	* cipher/seed.c: Ditto.
	* cipher/mac-internal.h (CTX_MAGIC_NORMAL): Rename to...
	(CTX_MAC_MAGIC_NORMAL): ... this.
	(CTX_MAGIC_SECURE): Rename to...
	(CTX_MAC_MAGIC_SECURE): ... this.
	* cipher/mac-cmac.c (cmac_open): Use CTX_MAC_MAGIC_SECURE.
	* cipher/mac-gmac.c (gmac_open): Ditto.
	* cipher/mac-hmac.c (hmac_open): Ditto.
	* cipher/mac-poly1305.c (poly1305mac_open): Ditto.
	* cipher/mac.c (mac_open): Use CTX_MAC_MAGIC_SECURE and
	CTX_MAC_MAGIC_NORMAL.

2021-01-26  David Michael  <fedora.dm0@gmail.com>

	cipher/sha512: Fix non-NEON ARM assembly implementation.
	+ commit 1e72c50f864ae1c77ba80c191224b9ef1d22a2e2
	* cipher/sha512.c (do_transform_generic)
	[USE_ARM_ASM]: Switch to the non-NEON assembly implementation.

2021-01-26  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2: fix RIP register access for AVX/AVX2 implementations.
	+ commit b2f78ae034b8d4aa3d4cc7bf85262317832f6e0a
	* cipher/blake2b-amd64-avx2.S: Use rRIP instead of (RIP).
	* cipher/blake2s-amd64-avx.S: Use rRIP instead of (RIP).

	sha512/sha256: remove assembler macros from AMD64 implementations.
	+ commit 9f49e806f9506533236fd44b17f17b85961b20f1
	* configure.ac (gcry_cv_gcc_platform_as_ok_for_intel_syntax): Remove
	assembler macro check from Intel syntax assembly support check.
	* cipher/sha256-avx-amd64.S: Replace assembler macros with C
	preprocessor counterparts.
	* cipher/sha256-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha256-ssse3-amd64.S: Ditto.
	* cipher/sha512-avx-amd64.S: Ditto.
	* cipher/sha512-avx2-bmi2-amd64.S: Ditto.
	* cipher/sha512-ssse3-amd64.S: Ditto.

	configure.ac: run assembler checks through linker for better LTO support.
	+ commit 393bd6c3d1aa2b2a1b05be0e2d7fb2514e6c5ad0
	* configure.ac (gcry_cv_gcc_arm_platform_as_ok)
	(gcry_cv_gcc_aarch64_platform_as_ok)
	(gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
	(gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
	(gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
	(gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_as_const_division_ok)
	(gcry_cv_gcc_as_const_division_with_wadivide_ok)
	(gcry_cv_gcc_amd64_platform_as_ok, gcry_cv_gcc_win64_platform_as_ok)
	(gcry_cv_gcc_platform_as_ok_for_intel_syntax)
	(gcry_cv_gcc_inline_asm_neon, gcry_cv_gcc_inline_asm_aarch32_crypto)
	(gcry_cv_gcc_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto)
	(gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00)
	(gcry_cv_gcc_inline_asm_s390x, gcry_cv_gcc_inline_asm_s390x): Use
	AC_LINK_IFELSE check instead of AC_COMPILE_IFELSE.

	rijndael: remove unused use_xxx flags.
	+ commit a14447f8169aff30a49f5c2ab06bd5bbd1cc3531
	* cipher/rijndael-internal.h (RIJNDAEL_context_s): Remove unused
	'use_padlock', 'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto'
	and 'use_ppc9le_crypto'.
	* cipher/rijndael.c (do_setkey): Do not setup 'use_padlock',
	'use_aesni', 'use_ssse3', 'use_arm_ce', 'use_ppc_crypto' and
	'use_ppc9le_crypto'.

	Define HW-feature flags per architecture.
	+ commit 8d404a629167d67ed56e45de3e65d1e0b7cdeb24
	* random/rand-internal.h (_gcry_rndhw_poll_slow): Add requested length
	parameter.
	* random/rndhw.c (_gcry_rndhw_poll_slow): Limit accounted bytes to 50%
	(or 25% for RDRAND) - this code is moved from caller side.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Move
	HWF_INTEL_RDRAND check to _gcry_rndhw_poll_slow.
	* src/g10lib.h (HWF_PADLOCK_*, HWF_INTEL_*): Define only if
	HAVE_CPU_ARCH_X86.
	(HWF_ARM_*): Define only if HAVE_CPU_ARCH_ARM.
	(HWF_PPC_*): Define only if HAVE_CPU_ARCH_PPC.
	(HWF_S390X_*): Define only if HAVE_CPU_ARCH_S390X.

	Add configure option to force enable 'soft' HW feature bits.
	+ commit 3b34bd6e178614d6021ee7d1140646f7c8ed7519
	* configure.ac (force_soft_hwfeatures)
	(ENABLE_FORCE_SOFT_HWFEATURES): New.
	* src/hwf-x86.c (detect_x86_gnuc): Enable HWF_INTEL_FAST_SHLD
	and HWF_INTEL_FAST_VPGATHER if ENABLE_FORCE_SOFT_HWFEATURES enabled.

2021-01-26  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Ed25519 private key handling for preceding ZEROs.
	+ commit 1b74f633bd3e358fb07a856a70597019980651d2
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fill-up or remove
	preceding ZEROs correctly, fixing the third argument of mpi_set_opaque.

	ecc: Fix initialization of CTX for sign and verify.
	+ commit 652b102697cbfe2d7bc642fc7374cb21a9cf03e6
	* cipher/ecc.c (ecc_sign, ecc_verify): Call
	_gcry_pk_util_init_encoding_ctx at first.

2021-01-21  NIIBE Yutaka  <gniibe@fsij.org>

	build: Fix build of tests with non-default installation.
	+ commit fa3420b011c105ca21894489e62c7e882a3ac4dd
	* tests/Makefile.am: Add forgotten @LDADD_FOR_TESTS_KLUDGE@.

2021-01-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Split inline assembly blocks with many memory operands.
	+ commit 00df9f27181d77166ceb55f319329400bf2e6a48
	* cipher/rijndael-aesni.c (aesni_ocb_checksum, aesni_ocb_enc)
	(aesni_ocb_dec, _gcry_aes_aesni_ocb_auth): Split assembly blocks
	with more than 4 memory operands to smaller blocks.
	* cipher/sha512-ssse3-i386.c (W2): Split big assembly block to
	three smaller blocks.

	tests/basic: fix build on ARM32 when NEON disabled.
	+ commit 81354e911bfa3e135d3e07f6a8d9e98033cd921a
	* tests/basic.c (CLUTTER_VECTOR_REGISTER_NEON)
	(CLUTTER_VECTOR_REGISTER_AARCH64): Remove check for __ARM_FEATURE_SIMD32.

	kdf: make self-test test-vector array read-only.
	+ commit 097148bc89ec8c18b9e4795733e0f0b1ae0ecd1d
	* cipher/kdf.c (selftest_pbkdf2): Make 'tv[]' constant.

	kdf: add missing null-terminator for self-test test-vector array.
	+ commit c6425a5537294dfe2beaafc9105f7af4ceac677f
	* cipher/kdf.c (selftest_pbkdf2): Add null-terminator to TV array.

	cipher/bithelp: use __builtin_ctzl when available.
	+ commit 807827cda3bacf5f475167ee6d34657713111838
	* cipher/bithelp.h (_gcry_ctz64): Use __builtin_ctzl if available.

	mpi/longlong: make use of compiler provided __builtin_ctz/__builtin_clz.
	+ commit 477355047e5c75ad2b2238a8716e4646b861184c
	* configure.ac (gcry_cv_have_builtin_ctzl, gcry_cv_have_builtin_clz)
	(gcry_cv_have_builtin_clzl): New checks.
	* mpi/longlong.h (count_leading_zeros, count_trailing_zeros): Use
	__builtin_clz[l]/__builtin_ctz[l] if available and bit counting
	macros not yet provided by inline assembly.

2021-01-19  Werner Koch  <wk@gnupg.org>

	Release 1.9.0.
	+ commit 0dc49af9b5371c5e2f766b70c3bede2b10db9f7e
2021-01-19  NIIBE Yutaka  <gniibe@fsij.org>

	Fix DSA for FIPS 186-3.
	+ commit 30ed9593f632c728d918598037358deaeccd1968
	* cipher/dsa.c (generate_fips186): Supply INITIAL_SEED to
	_gcry_generate_fips186_3_prime.
	* tests/fips186-dsa.c (check_dsa_gen_186_2): Add where tv comes from.
	(check_dsa_gen_186_3): Implement tests.
	* tests/pubkey.c (get_dsa_key_fips186_with_seed_new): Use the qbits
	and seed of tests/fips186-dsa.c.

2021-01-19  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	Check if FIPS is operational and error return if not.
	+ commit ebeae53222648c637907f4b358888fc0e7123dc9
	* src/visibility.c (gcry_kdf_derive): Add the check.
	(gcry_prime_generate, gcry_prime_group_generator): Likewise.
	(gcry_mpi_randomize): Likewise, but no return.

2021-01-18  Werner Koch  <wk@gnupg.org>

	ecc: Change an error code of gcry_ecc_mul_point.
	+ commit ca5a90bf70598247589078478d237287ca524453
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return
	GPG_ERR_UNKNOWN_CURVE.

2021-01-15  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	kdf: Add selftest.
	+ commit 7a0da24925361a3109474d0e433511467a9e35d1
	* src/cipher-proto.h (_gcry_kdf_selftest): New.
	* cipher/kdf.c (check_one, selftest_pbkdf2): New.
	(_gcry_kdf_selftest): New.
	* src/fips.c (run_kdf_selftests): New.
	(_gcry_fips_run_selftests): Call run_kdf_selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	cmac: Add selftest.
	+ commit 385a89e35b0b95f15b4c6e4d5482b1fc6906f7c5
	* cipher/mac-cmac.c (check_one, selftests_cmac_3des): New.
	(selftests_cmac_aes, cmac_selftest): New.
	(cmac_ops): Add cmac_selftest.
	* src/fips.c (run_mac_selftests): Add CMAC selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Raise an error when an integer is negative with USG.
	+ commit 00d7c1c632019066a4884930d413ccc044d81af5
	* src/sexp.c (do_vsexp_sscan): Return GPG_ERR_INV_ARG if negative.

2021-01-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add backward compatibility support for Ed25519 key in SEXP.
	+ commit 4768baf74be03d8973d004725f796aef329c45bf
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Support Ed25519 keys with
	parameter {p,a,b,g,n}.

	ecc: Minor implementation change for _gcry_ecc_get_curve.
	+ commit 3fe7036d05f283df9441d42242f0047b6ea11a32
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Flatten.

2020-12-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add s390x/zSeries implementation of Poly1305.
	+ commit 1f75681cbba895ea2f7ea0637900721f4522e729
	* cipher/Makefile.am: Add 'poly1305-s390x.S' and
	'asm-poly1305-s390x.h'.
	* cipher/asm-poly1305-s390x.h: New.
	* cipher/chacha20-s390x.S (_gcry_chacha20_poly1305_s390x_vx_blocks8)
	(_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New, stitched
	chacha20-poly1305 implementation.
	* cipher/chacha20.c (USE_S390X_VX_POLY1305): New.
	(_gcry_chacha20_poly1305_s390x_vx_blocks8)
	(_gcry_chacha20_poly1305_s390x_vx_blocks4_2_1): New prototypes.
	(_gcry_chacha20_poly1305_encrypt, _gcry_chacha20_poly1305_decrypt): Add
	s390x/VX stitched chacha20-poly1305 code-path.
	* cipher/poly1305-s390x.S: New.
	* cipher/poly1305.c (USE_S390X_ASM, HAVE_ASM_POLY1305_BLOCKS): New.
	[USE_S390X_ASM] (_gcry_poly1305_s390x_blocks1, poly1305_blocks): New.
	* configure.ac (gcry_cv_gcc_inline_asm_s390x): Check for 'risbgn' and
	'algrk' instructions.
	* tests/basic.c (_check_poly1305_cipher): Add large chacha20-poly1305
	test vector.

	Add s390x/zSeries implementation of ChaCha20.
	+ commit 6a0bb9ab7f886087d7edb0725c90485086a1c0b4
	* cipher/Makefile.am: Add 'asm-common-s390x.h' and 'chacha20-s390x.S'.
	* cipher/asm-common-s390x.h: New.
	* cipher/chacha20-s390x.S: New.
	* cipher/chacha20.c (USE_S390X_VX): New.
	(CHACHA20_context_t): Change 'use_*' bit-field to unsigned type; Add
	'use_s390x'.
	(_gcry_chacha20_s390x_vx_blocks8)
	(_gcry_chacha20_s390x_vx_blocks4_2_1): New.
	(chacha20_do_setkey): Add HW feature detect for s390x/VX.
	(chacha20_blocks, do_chacha20_encrypt_stream_tail): Add s390x/VX
	code-path.
	* configure.ac: Add 'chacha20-s390x.lo'.

	hwf-s390x: add VX vector instruction set detection.
	+ commit 1d13794780e3d052cd5ed6f900bf5900cf44b377
	* configure.ac (gcry_cv_gcc_inline_asm_s390x_vx): New check.
	* src/g10lib.h (HWF_S390X_VX): New.
	* src/hwf-s390x.c (HWCAP_S390_VXRS): New.
	(s390x_features) [HAVE_GCC_INLINE_ASM_S390X_VX]: Add VX feature check.
	* src/hwfeatures.c (hwlist): Add "s390x-vx".

	mpi/longlong: add s390x/zSeries macros.
	+ commit 0252cc9b62dfe20c77211f093b4fda54786177d3
	* mpi/longlong.h [__s390x__] (add_ssaaaa, sub_ddmmss, UTItype)
	(umul_ppmm, udiv_qrnnd): New.

2020-12-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-arm: fix incorrect HWCAP2 for SHA1 and SHA2 on AArch32.
	+ commit 6b6bfd57d0a6b2b4577c084db35078cd9fadafa5
	* src/hwf-arm.c (HWCAP2_SHA1, HWCAP2_SHA2): Change from bit indexes to
	flags.

	Add missing prototype for _gcry_mac_selftest.
	+ commit e47f04b4a28947c90db70ccaf93e149cfd5213c9
	* src/cipher-proto.h (_gcry_hmac_selftest): Rename to...
	(_gcry_mac_selftest): ... this.

2020-12-21  NIIBE Yutaka  <gniibe@fsij.org>

	Merge hmac-tests.c into mac-hmac.c.
	+ commit 2ab14b23afc092fd25395954c2a94db932ca4d95
	* cipher/Makefile.am (EXTRA_DIST): Remove hmac-tests.c.
	* cipher/hmac-tests.c: Remove, merge into...
	* cipher/mac-hmac.c: ... here.

2020-12-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add s390x/zSeries acceleration for SHA3.
	+ commit 7532e27cacb74c92fd561524a0897163b0fcd7f4
	* cipher/asm-inline-s390x.h (KLMD_PADDING_STATE): New.
	(kimd_execute): Change 'reg0' from read-only to read/write.
	(klmd_shake_execute): New.
	* cipher/keccak.c (USE_S390X_CRYPTO): New.
	(KECCAK_CONTEXT) [USE_S390X_CRYPTO]: New members.
	[USE_S390X_CRYPTO] (keccak_bwrite_s390x, keccak_final_s390x)
	(keccak_bextract_s390x, keccak_write_s390x, keccak_extract_s390x): New.
	(keccak_write) [USE_S390X_CRYPTO]: Use accelerated function if enabled.
	(keccak_final) [USE_S390X_CRYPTO]: Likewise.
	(keccak_extract) [USE_S390X_CRYPTO]: Likewise.
	(keccak_init) [USE_S390X_CRYPTO]: Detect and setup zSeries
	acceleration.

	Add s390x/zSeries acceleration for SHA512.
	+ commit 45f0ec0c4e3b08627cbf7e65f5f110c321710d01
	* cipher/sha512.c (USE_S390X_CRYPTO): New.
	(SHA512_CONTEXT) [USE_S390X_CRYPTO]: New members.
	(do_sha512_transform_s390x, do_sha512_final_s390x): New.
	(sha512_init_common) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha512_final) [USE_S390X_CRYPTO]: Use accelerated final function.

	Add s390x/zSeries acceleration for SHA256.
	+ commit 0b555c3cc7c2b80ec2628685946a6139a1996911
	* cipher/sha256.c (USE_S390X_CRYPTO): New.
	(SHA256_CONTEXT) [USE_S390X_CRYPTO]: New members.
	(do_sha256_transform_s390x, do_sha256_final_s390x): New.
	(sha256_common_init) [USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha256_final) [USE_S390X_CRYPTO]: Use accelerated final function.

	Add s390x/zSeries acceleration for SHA1.
	+ commit 88570515b4ca92a44c4e40c31f877c11cc00ab68
	* cipher/asm-inline-s390x.h (ALWAYS_INLINE): New.
	(klmd_query): New.
	(km_function_to_mask, kimd_execute, klmd_execute): Mark as always
	inline.
	* cipher/rijndael-s390x.c (ALWAYS_INLINE): Remove.
	* cipher/sha1.c (do_sha1_transform_s390x, do_sha1_final_s390x): New.
	(sha1_init) [SHA1_USE_S390X_CRYPTO]: Detect and setup s390x/zSeries
	acceleration.
	(sha1_final) [SHA1_USE_S390X_CRYPTO]: Use accelerated final function.
	* cipher/sha1.h (SHA1_USE_S390X_CRYPTO): New.
	(SHA1_CONTEXT) [SHA1_USE_S390X_CRYPTO]: New.

	Add bulk AES-GCM acceleration for s390x/zSeries.
	+ commit 5aeb091f911398217b2e9facb9bdeb05c63d7844
	* cipher/Makefile.am: Add 'asm-inline-s390x.h'.
	* cipher/asm-inline-s390x.h: New.
	* cipher/cipher-gcm.c [GCM_USE_S390X_CRYPTO] (ghash_s390x_kimd): New.
	(setupM) [GCM_USE_S390X_CRYPTO]: Add setup for s390x GHASH function.
	* cipher/cipher-internal.h (GCM_USE_S390X_CRYPTO): New.
	* cipher/rijndael-s390x.c (u128_t, km_functions_e): Move to
	'asm-inline-s390x.h'.
	(aes_s390x_gcm_crypt): New.
	(_gcry_aes_s390x_setup_acceleration): Use 'km_function_to_mask'; Add
	setup for GCM bulk function.

	Add bulk function interface for GCM mode.
	+ commit f4e63e92dc0b79633f48b11d292dd7bdf2752ede
	* cipher/cipher-gcm.c (do_ghash_buf): Proper handling for the case
	where 'unused' gets filled to full blocksize.
	(gcm_crypt_inner): New.
	(_gcry_cipher_gcm_encrypt, _gcry_cipher_gcm_decrypt): Use
	'gcm_crypt_inner'.
	* cipher/cipher-internal.h (cipher_bulk_ops_t): Add 'gcm_crypt'.

	Add s390x/zSeries acceleration for AES.
	+ commit 9219d9d1b60c01a4c7dbde05ee6b5b52e0d7d072
	* configure.ac: Add 'rijndael-s390x.lo'.
	* cipher/Makefile.am: Add 'rijndael-s390x.c'.
	* cipher/rijndael-internal.c (USE_S390X_CRYPTO): New.
	(RIJNDAEL_context_s) [USE_S390X_CRYPTO]: New 'km*_func' members.
	* cipher/rijndael-s390x.c: New.
	* cipher/rijndael.c (_gcry_aes_s390x_setup_acceleration)
	(_gcry_aes_s390x_setup_setkey)
	(_gcry_aes_s390x_setup_prepare_decryption, _gcry_aes_s390x_encrypt)
	(_gcry_aes_s390x_decrypt): New.
	(do_setkey) [USE_S390X_CRYPTO]: Add s390x acceleration setup.

	Add bulk function interface for OFB mode.
	+ commit f12b6788f2297391265af93a7794bfbc503de6d7
	* cipher/cipher-internal.h (cipher_bulk_ops): Add 'ofb_enc'.
	* cipher/cipher-ofb.c (_gcry_cipher_ofb_encrypt): Use bulk encryption
	function if defined.
	* cipher/basic.c (check_bulk_cipher_modes): Add OFB-AES test vectors.

	hwf: add detection of s390x/zSeries hardware features.
	+ commit 128054767d5f864798a39d432997f7d38c4bf729
	* configure.ac (gcry_cv_gcc_inline_asm_s390x)
	(HAVE_CPU_ARCH_S390X): Add s390x detection support.
	* mpi/config.links: Add setup for s390x links.
	* src/Makefile.am: Add 'hwf-s390x.c'.
	* src/g10lib.h (HWF_S390X_MSA, HWF_S390X_MSA_4, HWF_S390X_8): New.
	* src/hwf_common.h (_gcry_hwf_detect_s390x): New.
	* src/hwf-s390x.c: New.
	* src/hwfeatures.c: Add "s390x-msa", "s390x-msa-4" and "s390x-msa-8".

	tests/bench-slope: use same benchmarking for XTS as for other modes.
	+ commit 0e37bb32e215feb4716341f7053c4f54806645cb
	* tests/bench-slope.c (bench_xts_encrypt_init): Use same buffer
	sizes as other tests.
	(bench_xts_encrypt_do_bench, bench_xts_decrypt_do_bench): Remove.
	(xts_encrypt_ops): Use 'bench_encrypt_do_bench'.
	(xts_decrypt_ops): Use 'bench_decrypt_do_bench'.

	aarch64: mpi/longlong.h: fix operand size mismatch.
	+ commit c59b5b03a063ebc73935dbb10bc4f568faddbedf
	* mpi/longlong.h [__aarch64__] (count_leading_zeros): Use correctly
	sized temporary variable for asm output.

	aarch64: use configure check for assembly ELF directives support.
	+ commit 8352b0ece5237e3f86f1525b072e8f690ad0fa94
	* configure.ac (gcry_cv_gcc_asm_elf_directives): New check.
	(HAVE_GCC_ASM_ELF_DIRECTIVES): New 'config.h' macro.
	* cipher/asm-common-aarch64.h (ELF): Change feature macro check from
	__ELF__ to HAVE_GCC_ASM_ELF_DIRECTIVES.

2020-12-18  NIIBE Yutaka  <gniibe@fsij.org>

	Reorganize self-tests for HMAC.
	+ commit c90fb0d8fb7a84bbcc8d6832de6a554405591850
	* cipher/Makefile.am: Prepare merge of hmac-test.c into mac-hmac.c.
	* cipher/hmac-tests.c: Ifdef-out run_selftests and _gcry_hmac_selftest.
	* cipher/mac-internal.h: Include cipher-proto.h for selftest.
	(gcry_mac_spec_ops): Add selftest field.
	* cipher/mac-hmac.c: Include hmac-tests.c for migration.
	(hmac_selftest): New.
	(hmac_ops): Add hmac_selftest.
	* cipher/gost28147.c, cipher/mac-cmac.c: Add new field for selftest.
	* cipher/mac-gmac.c, cipher/mac-poly1305.c: Likewise.
	* cipher/mac.c (_gcry_mac_selftest): New.
	* src/fips.c (run_mac_selftests): Rename from run_hmac_selftests.
	Use GCRY_MAC_HMAC_*, and call _gcry_mac_selftest.
	(_gcry_fips_run_selftests): Use run_mac_selftests.

2020-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Prevent link-time optimization from inlining __gcry_burn_stack.
	+ commit 1a83df98b198902ee6d71549231a3af37088d452
	* src/g10lib.h (NOINLINE_FUNC): New attribute macro.
	* src/misc.c (__gcry_burn_stack): Add NOINLINE_FUNC attribute.

	tests/basic: check 32-bit and 64-bit overflow for CTR and ChaCha20.
	+ commit 2065720b5b0642cc1a0e08086a434244ebb1abf2
	* tests/basic.c (check_one_cipher_ctr_reset)
	(check_one_cipher_ctr_overflow): New.
	(check_one_cipher): Add counter overflow tests for ChaCha20 and CTR
	mode.

	chacha20-ppc: fix 32-bit counter overflow handling.
	+ commit ed45eac3b721c1313902b977379fbd4886ccca7b
	* cipher/chacha20-ppc.c (vec_add_ctr_u64, ADD_U64): New.
	(_gcry_chacha20_ppc8_blocks1, _gcry_chacha20_ppc8_blocks4)
	(_gcry_chacha20_poly1305_ppc8_blocks4): Use ADD_U64 when incrementing
	counter.

2020-12-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Put a work around to tests/random for macOS.
	+ commit 9769b40b54cf010a0c41c4ab05a7a88e17d70613
	* configure.ac [*-apple-darwin*] (USE_POSIX_SPAWN_FOR_TESTS): New.
	* tests/random.c [USE_POSIX_SPAWN_FOR_TESTS] (run_all_rng_tests): New.

2020-11-18  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update to newer autoconf constructs.
	+ commit 9485ca7b5bf11194cff59edbfa6a0fba3bf6162a
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Use AS_MESSAGE_LOG_FD
	instead of AC_FD_CC.
	(GNUPG_CHECK_MLOCK): Use AC_LINK_IFELSE instead of AC_TRY_LINK.
	Use AC_RUN_IFELSE instead of AC_TRY_RUN.
	* configure.ac (AC_ISC_POSIX): Replace by AC_SEARCH_LIBS.
	Use AC_USE_SYSTEM_EXTENSIONS instead of AC_GNU_SOURCE.
	Use AS_HELP_STRING instead of AC_HELP_STRING.
	(AC_TYPE_SIGNAL): Remove.
	(AC_DECL_SYS_SIGLIST): Remove.
	* m4/Makefile.am (EXTRA_DIST): Update.
	* m4/onceonly.m4: Remove.
	* m4/socklen.m4: Update from gnulib.
	* m4/libtool.m4: Update from libgpg-error.
	* m4/gpg-error.m4: Update from libgpg-error.
	* m4/noexecstack.m4: Use AS_HELP_STRING instead of AC_HELP_STRING.

	build: Use modern Autoconf check for type.
	+ commit 425bf499185d78aa8fcad6a30b8771e7865d449d
	* configure.ac (byte, ushort, u16, u32, u64): Use AC_CHECK_TYPES.
	* cipher/poly1305.c: Use HAVE_TYPE_U64.
	* src/hmac256.c: HAVE_TYPE_U32.
	* src/types.h: Use HAVE_TYPE_BYTE, HAVE_TYPE_USHORT, HAVE_TYPE_U16,
	HAVE_TYPE_U32, and HAVE_TYPE_U64.

	m4: Update with newer autoconf constructs.
	+ commit 908e347fb68b28e180ac816b5050406358e81a0f
	* src/libgcrypt.m4: Replace AC_HELP_STRING with AS_HELP_STRING.

2020-10-30  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Handle removed zeros at the beginning for Ed25519.
	+ commit 361a0588489cf4a539da8debd1771024a1faa218
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Accept private
	key with removed zeros.

2020-10-23  Werner Koch  <wk@gnupg.org>

	random: Allow for a Unicode random seed file on Windows.
	+ commit 24341f58f0d38bd62c45d285bcf8472f82b56135
	* random/random-csprng.c (utf8_to_wchar) [W32]: New.
	(any8bitchar) [W32]: New.
	(my_open): New.  Replace all calls to open with this.

2020-10-01  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Fix typo in comment.
	+ commit 4a50c6b88d6d8d843e50add851a8a5e691349097
	* tests/basic.c: Fix typo in comment.

2020-09-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: clean-up prepare_decryption function.
	+ commit 2051d5bd6f732a36e5a536cba734531a9e2e915f
	* cipher/rijndael-internal.h (rijndael_prepare_decfn_t): New.
	(RIJNDAEL_context_s): New member 'prepare_decryption'.
	* cipher/rijndael-padlock.c (_gcry_aes_padlock_prepare_decryption): New.
	* cipher/rijndael.c (_gcry_aes_padlock_prepare_decryption): New.
	(do_setkey): Setup 'ctx->prepare_decryption' for each acceleration type.
	(prepare_decryption): Remove calls to other prepare decryption functions.
	(check_decryption_preparation): Call 'ctx->prepare_decryption' instead
	of 'prepare_decryption'.

	rijndael: clean-up generic bulk functions.
	+ commit 7679c918ade9d334bc80cb8c10916bbc847ff382
	* cipher/rijndael.c (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Remove
	calls to hardware accelerated AES bulk functions.

	cipher: setup bulk functions at each algorithms key setup.
	+ commit 51271eb86bcb0eb89e55a2add9607c503f182c89
	* cipher/cipher-internal.h (cipher_mode_ops_t, cipher_bulk_ops_t): New.
	(gcry_cipher_handle): Define members 'mode_ops' and 'bulk' using new
	types.
	* cipher/cipher.c (_gcry_cipher_open_internal): Remove bulk function
	setup.
	(cipher_setkey): Pass context bulk function pointer to algorithm setkey
	function.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter; Use bulk function returned by setkey function.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter.
	* cipher/arcfour.c (arcfour_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/blowfish.c (bf_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/camellia.c (camellia_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
	(_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/cast5.c (cast_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Make
	static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/chacha20.c (chacha20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/cast5.c (do_tripledes_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec): Make
	static.
	(bulk_selftest_setkey): Change 'hd' parameter to 'bulk_ops'.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(do_des_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/gost28147.c (gost_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/idea.c (idea_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rfc2268.c (do_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rijndael.c (do_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(rijndael_setkey): Change 'hd' parameter to 'bulk_ops'.
	(_gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
	(_gcry_aes_cbc_dec, _gcry_aes_ctr_enc, _gcry_aes_ocb_crypt)
	(_gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Make static.
	(selftest_basic_128, selftest_basic_192, selftest_basic_256): Pass
	'bulk_ops' to setkey function.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	* cipher/salsa20.c (salsa20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/seed.c (seed_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/serpent.c (serpent_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec, _gcry_serpent_cfb_dec)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/sm4.c (sm4_setkey): Change 'hd' parameter to 'bulk_ops'; Setup
	'bulk_ops' with bulk acceleration functions.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/twofish.c (twofish_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(_gcry_twofish_cfb_dec, _gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest, main): Pass 'bulk_ops' to setkey function.
	* src/cipher-proto.h: Forward declare 'cipher_bulk_ops_t'.
	(gcry_cipher_setkey_t): Replace 'hd' with 'bulk_ops'.
	* src/cipher.h: Remove bulk acceleration function prototypes for
	'aes', 'blowfish', 'cast5', 'camellia', '3des', 'serpent', 'sm4' and
	'twofish'.

2020-09-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: tidy do_setkey little bit.
	+ commit e0829ae648d9d9da67cd8a8fae7aa05774a0d0f7
	* cipher/rijndael.c (do_setkey): Reduce number of ifdefs by using
	function pointer for accelerated key-setup.

2020-09-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-aesni: tweak x86_64 AES-NI for better performance on AMD Zen2.
	+ commit f96989f0e9085fa58b475131d29b37f68ba564ec
	* cipher/rijndael-aesni.c (do_aesni_enc_vec8, do_aesni_dec_vec8): Move
	first round key xoring and last round out to caller.
	(do_aesni_ctr_4): Change low 8-bit counter overflow check to 8-bit
	addition to low-bits and detect overflow from carry flag; Adjust
	slow path to restore counter.
	(do_aesni_ctr_8): Same as above; Interleave first round key xoring and
	first round with CTR generation on fast path; Interleave last round
	with output xoring.
	(_gcry_aes_aesni_cfb_dec, _gcry_aes_aesni_cbc_dec): Add first round
	key xoring; Change order of last round xoring and output xoring
	(shorten the dependency path).
	(_gcry_aes_aesni_ocb_auth): Add first round key xoring and last round
	handling.

2020-08-26  Werner Koch  <wk@gnupg.org>

	build: Allow customization of the signing key.
	+ commit 9cd92ebae21900e54cc3d8b607c8ed1afbf2eb9b
	* Makefile.am (sign-release): Read variables from user configuration.

2020-08-21  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix basic.c.
	+ commit fd51bc523d095168ee9367fe3f18d18f7a88ad90
	* tests/basic.c (check_one_hmac): Fix error paths.
	(check_pubkey_crypt): Fix wrong call of gcry_sexp_new.

	ecc: Fix an error path.
	+ commit 65a2cd139e21250e6581a4f610015937e7b91451
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Avoid null dereference on
	error.

2020-07-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20-aarch64: improve performance through higher SIMD interleaving.
	+ commit 8d7b1d0a52bde173646e5b42b31d23593eabecf2
	* cipher/chacha20-aarch64.S (ROTATE2, ROTATE2_8, ROTATE2_16)
	(QUARTERROUND2): Replace with...
	(ROTATE4, ROTATE4_8, ROTATE4_16, QUARTERROUND4): ...these.
	(_gcry_chacha20_aarch64_blocks4)
	(_gcry_chacha20_poly1305_aarch64_blocks4): Adjust to use QUARTERROUND4.

	tests/bench-slope: improve CPU frequency auto-detection.
	+ commit f1c3db3bf40e07cfd1a6a92209865ee7a98129ca
	* configure.ac (gcry_cv_have_asm_volatile_memory): Check also if
	assembly memory barrier with input/output register is supported.
	* tests/bench-slope.c (auto_ghz_bench): Change to use base operation
	that takes two CPU cycles and unroll loop by 1024 operations.

	Enable jitter entropy also on non-x86 architectures.
	+ commit 886120f33bd3f10e6e6a09920eca1f9ed81044e7
	* configure.ac: Do not force jentsupport to "n/a" on non-x86
	architectures.

	random/jitterentropy: fix USE_JENT == JENT_USES_GETTIME code path.
	+ commit 4ed9b949485448816a70d86260d572f08ae34621
	* random/jitterentropy-base-user.h (jent_get_nstime): Use 'tv' variable
	instead of non-existing 'time'.

	Camellia AES-NI/AVX/AVX2 size optimization.
	+ commit 4c0e244fc53e0f7b927bfe4cf54695b5d282fd27
	* cipher/camellia-aesni-avx-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds16/fls16' portions of encryption/decryption.
	* cipher/camellia-aesni-avx2-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds32/fls32' portions of encryption/decryption.

2020-07-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support reading EC point in compressed format for good curves.
	+ commit e0dabf74bf276500257f15b85ded9cf24ccc8334
	* cipher/ecc-curves.c (gcry_ecc_get_curve): Handle G differently.
	* cipher/ecc-misc.c (_gcry_ecc_sec_decodepoint): Support compressed
	representation of EC point.  Rename from _gcry_ecc_os2ec.
	* cipher/ecc-sm2.c (_gcry_ecc_sm2_decrypt): Follow the change.
	* cipher/ecc.c (ecc_decrypt_raw): Likewise.
	* mpi/ec.c (_gcry_mpi_ec_set_point): Likewise.
	* src/ec-context.h: API change _gcry_ecc_sec_decodepoint from
	_gcry_ecc_os2ec.
	* tests/basic.c (check_pubkey): Use compressed representation
	for two public keys of NIST P192 and NIST P256.

2020-07-06  Werner Koch  <wk@gnupg.org>

	mpi: Consider +0 and -0 the same in mpi_cmp.
	+ commit 1f3a92e103d4a8e019d8d022647a2b9fb2681327
	* mpi/mpi-cmp.c (do_mpi_cmp): Check size of U and V.

2020-06-23  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix length computation.
	+ commit 1db1dc7945b111b6e20a8420ad38a358316681ab
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add one only for
	Edwards case.

2020-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SM4 x86-64/AES-NI/AVX2 implementation.
	+ commit 35a78eb248d6bacd2a58477a122a0020d796ce63
	* cipher/Makefile.am: Add 'sm4-aesni-avx2-amd64.S'.
	* cipher/sm4-aesni-avx2-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX2): New.
	(SM4_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
	[USE_AESNI_AVX2] (_gcry_sm4_aesni_avx2_ctr_enc)
	(_gcry_sm4_aesni_avx2_cbc_dec, _gcry_sm4_aesni_avx2_cfb_dec)
	(_gcry_sm4_aesni_avx2_ocb_enc, _gcry_sm4_aesni_avx2_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth): New.
	(sm4_setkey): Enable AES-NI/AVX2 if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX2]: Add
	AES-NI/AVX2 bulk functions.
	* configure.ac: Add 'sm4-aesni-avx2-amd64.lo'.

	Add SM4 x86-64/AES-NI/AVX implementation.
	+ commit c9a3f1bb91e63033e3bf3e06bdd6075622626d0d
	* cipher/Makefile.am: Add 'sm4-aesni-avx-amd64.S'.
	* cipher/sm4-aesni-avx-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX, ASM_FUNC_ABI): New.
	(SM4_context) [USE_AESNI_AVX]: Add 'use_aesni_avx'.
	[USE_AESNI_AVX] (_gcry_sm4_aesni_avx_expand_key)
	(_gcry_sm4_aesni_avx_crypt_blk1_8, _gcry_sm4_aesni_avx_ctr_enc)
	(_gcry_sm4_aesni_avx_cbc_dec, _gcry_sm4_aesni_avx_cfb_dec)
	(_gcry_sm4_aesni_avx_ocb_enc, _gcry_sm4_aesni_avx_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth, sm4_aesni_avx_crypt_blk1_8): New.
	(sm4_expand_key) [USE_AESNI_AVX]: Use AES-NI/AVX key setup.
	(sm4_setkey): Enable AES-NI/AVX if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX]: Add
	AES-NI/AVX bulk functions.
	* configure.ac: Add 'sm4-aesni-avx-amd64.lo'.

	Optimizations for SM4 cipher.
	+ commit 81fee26bbbae820a311a3ce3ac55e304655c2acd
	* cipher/cipher.c (_gcry_cipher_open_internal): Add SM4 bulk
	functions.
	* cipher/sm4.c (ATTR_ALIGNED_64): New.
	(sbox): Convert to ...
	(sbox_table): ... this structure for sbox hardening as is done
	for AES and GCM.
	(prefetch_sbox_table): New.
	(sm4_t_non_lin_sub): Make inline; Optimize sbox access pattern.
	(sm4_key_lin_sub): Make inline; Tune slightly.
	(sm4_key_sub, sm4_enc_sub): Make inline.
	(sm4_round): Make inline; Take 'x' as separate parameters instead
	of array.
	(sm4_expand_key): Return void; Drop keylen; Unroll loops by 4;
	Wipe sensitive variables at end; Move key-length check to
	'sm4_setkey'.
	(sm4_setkey): Add initial self-test step; Add key-length check;
	Remove burn stack (as variables wiped in 'sm4_expand_key').
	(sm4_do_crypt): Return burn stack depth; Unroll loops by 4.
	(sm4_encrypt, sm4_decrypt): Prefetch sbox table; Return burn
	stack from 'sm4_do_crypt', as this allows tail-call optimization
	by compiler.
	(sm4_do_crypt_blks2): New two parallel block function for greater
	instruction level parallelism.
	(sm4_crypt_blocks, _gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New
	bulk processing functions.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): New
	bulk processing self-tests.
	(sm4_selftest): Clear SM4 context before use; Use 'sm4_expand_key'
	instead of 'sm4_setkey'; Call bulk processing self-tests.
	* src/cipher.h (_gcry_sm4_ctr_enc, _gcry_sm4_ctr_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add SM4-OCB test vector.

2020-06-18  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: For Ed448, it's only for EdDSA.
	+ commit a6177e1bc948a7af052d62bcd62aa6b5825bfaff
	* cipher/ecc.c (ecc_sign): Ed448 is only for EdDSA.
	Hash algo is determined by the curve.
	(ecc_verify): Likewise.
	* tests/t-ed448.c (one_test): Don't specify (flags eddsa).
	Don't specify hash-algo.

	ecc: Fix the condition for EdDSA data handling.
	+ commit f2847d56cce2afdd993f797812a673495a41c234
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): It may be
	the encoding context which determines EdDSA.  Hash-algo can be
	omitted.  Flags are OR-ed.

	ecc: Support EdDSA with context and enabling PH(M).
	+ commit ba78ad8f19674b94edfdf4998f40feee081481bc
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Simplify.
	(DOM4_0_NONE, DOM4_0_NONE_LEN): Remove.
	(DOM25519, DOM25519_LEN): New.
	(DOM448, DOM448_LEN): New.
	(_gcry_ecc_eddsa_sign): Support EdDSA with context and PH.
	(_gcry_ecc_eddsa_verify): Likewise.
	* tests/t-ed448.c: Add tests with context and PH=1.
	* tests/t-ed448.inp: Add test data.

	ecc: Change EdDSA internal API.
	+ commit 2856ac14ae3e4c9e6288e1f0d8bc1945bb874081
	* cipher/ecc-common.h (_gcry_ecc_eddsa_sign): Last arg is CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Get hash algo from CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc.c (ecc_sign, ecc_verify): Follow the change.

2020-06-17  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support "label" for EdDSA context in data.
	+ commit 1cf49754694611620fd383327cf127e91f6883df
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Handle ctx->label.

	ecc: Initialize key before handling data.
	+ commit d51a9c259d49c63121fab48bce48d826e9b57733
	* cipher/ecc.c (ecc_sign): Initialize key at first.
	(ecc_verify): Likewise.

	ecc: Add new flag "prehash".
	+ commit 9a640eba6dd7504c90a65151cdaf1e4093a8b475
	* src/cipher.h (PUBKEY_FLAG_PREHASH): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse it.

	ecc: No (flags eddsa) required for Ed448.
	+ commit b1721f9b291a4c226caa2bfbe4fefe8fde5216e0
	* cipher/ecc.c (check_secret_key): Ed448 means EdDSA.
	(ecc_generate): Likewise.
	* tests/t-ed448.c (one_test): Remove the flag in key.

	ecc: Support Ed448 by _gcry_ecc_compute_public.
	+ commit 5585ee4947082f932ee01d93dfe295c769e96671
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Handle Ed448.

2020-06-16  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Add basic test-vectors for SM4.
	+ commit c1535d0b8797e9b3bbfb5193b6ab23bf788ffd36
	* tests/basic.c (check_ciphers): Add SM4 check and test-vectors.

	Add SM4 symmetric cipher algorithm.
	+ commit ddcce166ab8bc6f51f5b509bcbea13a8746384ec
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm4.c.
	* cipher/cipher.c (cipher_list, cipher_list_algo301): Add
	_gcry_cipher_spec_sm4.
	* cipher/mac-cmac.c (map_mac_algo_to_cipher): Add cmac SM4.
	(_gcry_mac_type_spec_cmac_sm4): Add cmac SM4.
	* cipher/mac-internal.h: Declare spec_cmac_sm4.
	* cipher/mac.c (mac_list, mac_list_algo201): Add cmac SM4.
	* cipher/sm4.c: New.
	* configure.ac (available_ciphers): Add sm4.
	* doc/gcrypt.texi: Add SM4 document.
	* src/cipher.h: Add declarations for SM4 and cmac SM4.
	* src/gcrypt.h.in (gcry_cipher_algos): Add algorithm ID for SM4.

2020-06-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and GCRY_MAC_GOST28147_IMIT.
	+ commit 6c571bfda6409d7d668f5d44cea0c6c31e2688be
	* doc/gcrypt.texi: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and
	GCRY_MAC_GOST28147_IMIT.

2020-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Ed448 key generation.
	+ commit c15cc1a38199cf0d758579eb01d0e88c99cd4b80
	* cipher/ecc.c (ecc_generate): Fix point representation for Ed448.

	ecc,test: Add testing Ed448.
	+ commit c7779e499e9051ee79ed720f576dbf40d90cdfb1

	ecc: Support Ed448 for verify.
	+ commit d1baad35c65030e41fcba69854c57032eee0d111
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Support Ed448.

	ecc: Support Ed448 signing.
	+ commit 951b37c5038667b461692454397bb058b5e1e184
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Support Ed448.

	ecc: Use SHAKE256 in EdDSA with Ed448.
	+ commit 32d6d73d44d372dd1ec0b08ba03f1b7b085c09d9
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Fix for SHAKE256.

	ecc: Support shake128 and shake256 for message digest.
	+ commit f6815a96e51be44a361ddcd3a20a5b969b1dab1b
	* cipher/pubkey-util.c (get_hash_algo): Add shake128 and shake256.

	ecc: Support Ed448 for key generation.
	+ commit e25446ecc04442b399302ce72db6d5ea2e9e85e8
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Support Ed448.
	(_gcry_ecc_eddsa_genkey): Support Ed448, using
	_gcry_ecc_eddsa_compute_h_d.

	ecc: Support Ed448 in decoding point.
	+ commit bd22b029bbf50737f90535c506fba4f812bcf040
	* cipher/ecc-eddsa.c (ecc_ed448_recover_x): New.
	(_gcry_ecc_eddsa_recover_x): Support Ed448.
	(_gcry_ecc_eddsa_decodepoint): Support Ed448.
	* mpi/ec.c (_gcry_mpi_ec_decode_point): For Ed448, use
	_gcry_ecc_eddsa_decodepoint.

	ecc: Add new curve: Ed448.
	+ commit 339b03acf0971a31997901dd674fb75c4dde31d0
	* cipher/ecc-curves.c (curve_aliases): Add Ed448.
	(domain_parms): Add domain parameters for Ed448.
	* tests/curves.c (N_CURVES): Increment.

	ecc: Fix EdDSA encoding for Ed448.
	+ commit 3386aaf84d4d89b6ff931533df2ff82ed3f7c7f9
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fix point/scalar
	length condition.
	* cipher/ecc-eddsa.c (eddsa_encodempi): The second argument is NBITS.
	(eddsa_encode_x_y): Likewise.
	(_gcry_ecc_eddsa_encodepoint): Follow the change.
	(_gcry_ecc_eddsa_ensure_compact): Likewise.
	(_gcry_ecc_eddsa_decodepoint): Likewise.
	(_gcry_ecc_eddsa_sign): Likewise.  Remove restriction of 256 bits.

2020-06-12  NIIBE Yutaka  <gniibe@fsij.org>
