2024-06-19  Werner Koch  <wk@gnupg.org>

	Release 1.11.0.
	+ commit 9d94d7846cde272b8b1519ba96e53967bf0b90d2


2024-06-14  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Update gpg-error.m4.
	+ commit 89adba4518d2c7f83a37361f66b3ac290c96525c
	* m4/gpg-error.m4: Update from libgpg-error master.

2024-06-13  NIIBE Yutaka  <gniibe@fsij.org>

	libgcrypt.m4: Fix setting/using GPG_ERROR_CONFIG.
	+ commit 0fd9ec3403ea66d39f32602dce53bc5219e4c158
	* libgcrypt.m4 (_AM_PATH_GPGRT_CONFIG): Don't set GPG_ERROR_CONFIG and
	gpg_error_config_version.

2024-06-06  Jakub Jelen  <jjelen@redhat.com>

	cipher:aeswrap: Fix padding length check.
	+ commit dc8d84383a6bfa44f397132eae203efa0bf20e82
	* cipher/cipher-aeswrap.c (_gcry_cipher_keywrap_decrypt_auto): When
	padding length is 8, correctly return GPG_ERR_CHECKSUM.

2024-05-21  Jakub Jelen  <jjelen@redhat.com>

	mpi: Fix loop condition in bad point check.
	+ commit 1875758440158fe1943d1b19b29d77421d269256
	* mpi/ec.c (ec_p_init): Fix loop condition to avoid out-of-range read.

2024-05-17  Werner Koch  <wk@gnupg.org>

	build: Remove cruft from configure.ac.
	+ commit 0526d65afd34f9282e7fd125df6ee9a3c757ae79
	* configure.ac: Remove unused cruft.

2024-05-14  NIIBE Yutaka  <gniibe@fsij.org>

	m4: Include _AM_PATH_GPGRT_CONFIG definition.
	+ commit ad3b599462bdbc459f6c7be867e9a12ab46481b3
	* src/libgcrypt.m4: Find gpgrt-config.

2024-05-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	random: fix o_flag_munging for -O1.
	+ commit 5afadba008918d651afefb842ae123cc18454c74
	* random/Makefile.am (o_flag_munging): Also convert -O1 to -O0.

2024-05-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20-aarch64: use local symbols for read-only data.
	+ commit 3f5989014a1b7c01aced88897d878ce5105d15df
	* cipher/chacha20-aarch64.S: Remove '.globl' mark for RODATA section
	objects.

2024-05-07  simit.ghane  <simit.ghane@lge.com>

	Fix building error with '-O2' in sysroot path.
	+ commit b99952adc6ee611641709610d2e4dc90ba9acf37
	* cipher/Makefile.am (o_flag_munging): Tweak the sed script.
	* random/Makefile.am (o_flag_munging): Ditto.

2024-05-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem: Remove the experimental KEMs (PGP and CMS).
	+ commit c9affe97d20bc958d733206adf350214b32ae0b2
	* src/gcrypt.h.in (enum gcry_kem_algos): Remove
	GCRY_KEM_OPENPGP_X25519, GCRY_KEM_CMS_X25519_X963_SHA256, and
	GCRY_KEM_CMS_X25519_HKDF_SHA256.
	* cipher/kem.c (_gcry_kem_keypair, _gcry_kem_encap): Likewise.
	(_gcry_kem_decap): Likewise.
	* cipher/kem-ecc.c (algo_to_curve): Follow the removal.
	(algo_to_seckey_len): Likewise.
	(openpgp_kem_kdf, _gcry_openpgp_kem_encap): Remove.
	(_gcry_openpgp_kem_decap, cms_kem_kdf): Remove.
	(_gcry_cms_kem_encap, _gcry_cms_kem_decap): Remove.
	* cipher/kem-ecc.h: Follow the removal.
	* tests/t-kem.c (test_kem_openpgp_x25519): Remove.
	(test_kem_cms_x25519): Remove.
	(check_kem, main): Follow the change.

2024-04-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	serpent-avx512-x86: fix CBC and CFB decryption with clang-18.
	+ commit 5a653a9129d7cc2f203ab9ad37ccdbcb832337d1
	* cipher/serpent-avx512-x86.c (serpent_avx512_blk32): Avoid
	'_mm512_castsi128_si512' usage to prevent non-initialized
	vector register parts getting XORed into calculations for
	CBC and CFB decryption.

2024-04-26  Werner Koch  <wk@gnupg.org>

	Let gcry_print_config show whether it is amd64 or i686.
	+ commit 0729fb84a6a1c038d4ed10f9c60be7df48558d9e
	* src/global.c (print_config): Append a sub-cpu string.

2024-04-25  Werner Koch  <wk@gnupg.org>

	Require GpgRT 1.49.
	+ commit f895a69d3b4bd5b8f6fab11345c2663947b7e5e3
	* configure.ac (LIBGCRYPT_LT_REVISION): Require 1.49
	* src/global.c (print_config): Replace gpgrt backward compatibility.
	* src/misc.c (_gcry_set_gpgrt_post_log_handler): Ditto.
	(_gcry_logv): Use new gpgrt_logv_domain.

2024-04-24  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem:ecc: Support NIST curves.
	+ commit 005292cf9f41179247918711b2968dd188aae122
	* cipher/kem-ecc.c (ECC_SECKEY_LEN_MAX): Fix for P521R1.
	(algo_to_curve): Use canonical names, add NIST curves.
	(algo_to_seckey_len): Likewise.
	* cipher/kem.c (_gcry_kem_keypair, _gcry_kem_encap): Likewise.
	(_gcry_kem_decap): Likewise.
	* src/gcrypt.h.in (enum gcry_kem_algos): Likewise.

	cipher:kem:ecc: Fix DHKEM implementation.
	+ commit 118fa95d8d36efb07dbebdbcbc0e3408e69ac5d2
	* cipher/kem-ecc.c (_gcry_ecc_dhkem_decap): Fix the size.

2024-04-23  Werner Koch  <wk@gnupg.org>

	cipher:kem:ecc: Support brainpoolP512r1.
	+ commit 4fb99ec266e5d38e0f6df5c2fd27da71f2fb441f
	* cipher/kem-ecc.c (algo_to_curve): Add GCRY_KEM_RAW_BP512.
	(algo_to_seckey_len): Ditto.
	* cipher/kem.c (_gcry_kem_keypair): Ditto.
	(_gcry_kem_encap): Ditto.
	(_gcry_kem_decap): Ditto.

	Use explicit values for the gcry_kem_algos enum.
	+ commit 66884c2d6b35bf418a267697a2726142a95188be
	* src/gcrypt.h.in (enum gcry_kem_algos): Use explicit values for
	improved ABI stability.
	(GCRY_KEM_RAW_BP512): New.

	cipher:kem:ecc: Fix for Weierstrass.
	+ commit 7ad308434f159952baf578eca60efc1f5bf93019
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): Use POINT_LEN and not
	NBYTES to create mpi_u.

	Divert log functions to the gpgrt log functions.
	+ commit ab0bdc72c79d5655e63047f768a202e063d8c18b
	* src/misc.c (my_gpgrt_post_fatal_handler): New.
	(_gcry_set_gpgrt_post_log_handler): New.
	(map_log_level): New.
	(_gcry_logv): Use gcrypt log function unless a handler has been
	installed.
	* src/global.c (global_init): Install post log handler.
	* src/gcrypt.h.in (gcry_set_log_handler): Deprecate.

2024-04-22  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem:ecc: Support brainpoolP256r1 and brainpoolP384r1.
	+ commit 9c65260f915f3eeebf10b51ab7c3c9b5f0004d9b
	* cipher/kem.c (_gcry_kem_keypair): Support classic curves.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.
	* cipher/kem-ecc.c (algo_to_curve, algo_to_seckey_len): New.
	(_gcry_ecc_raw_keypair): Support classic curves.
	(_gcry_ecc_raw_encap, _gcry_ecc_raw_decap): Likewise.
	(ecc_tweak_bits): Move to ...
	* cipher/ecc-ecdh.c (ecc_tweak_bits): here.
	(_gcry_ecc_curve_keypair): New.
	(_gcry_ecc_curve_mul_point): Add length arguments.
	* src/gcrypt-int.h (_gcry_ecc_curve_keypair): New.
	* src/gcrypt.h.in: Add constants for brainpoolP256r1 and
	brainpoolP384r1.

2024-04-19  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:ecc: Return the result in SEC1 point format for Weierstrass.
	+ commit 47f2cb8f6f35cf962158d9cffc79c23fab163585
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): Fix for
	MPI_EC_WEIERSTRASS curve.

	cipher:ecc: Add _gcry_ecc_curve_mul_point function with curve name.
	+ commit b1da8247dcbc036a5dc55dc7121ccd537c9b7ff3
	* cipher/ecc-ecdh.c (_gcry_ecc_curve_mul_point): New.  Also support
	Weierstrass curves as well as Montgomery ones.
	(_gcry_ecc_mul_point): Use _gcry_ecc_curve_mul_point.

	cipher:kem: Rename Classic McEliece API constants.
	+ commit 72b1b8d447fb8046e5546998619206646dde2ea7
	* src/gcrypt.h.in (GCRY_KEM_CM6688128F): Rename.
	* cipher/kem.c (_gcry_kem_keypair): Follow the change.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.
	* tests/t-kem.c (test_kem_mceliece6688128f): Likewise.
	(main): Also change CLI option name.

2024-04-18  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: More clean up for Classic McEliece implementation.
	+ commit 9a552b80d6c44a05ab733e441664d19de6f23da3
	* cipher/mceliece6688128f.h: Provide GCC_ATTR_UNUSED.
	* cipher/mceliece6688128f.c: Use GCC_ATTR_UNUSED.

	cipher: Fix comments of Classic McEliece implementation.
	+ commit 6478203e77d173128c4c0810db6f41198c360ca2
	* cipher/mceliece6688128f.c: Don't use C++-style comments for old
	compilers (< C99).

2024-04-17  Simon Josefsson  <simon@josefsson.org>

	cipher: Add Classic McEliece mceliece6688128f.
	+ commit 003367b91272f499d6eecb32ab9a09f383bdc788
	* cipher/Makefile.am (libcipher_la_SOURCES): Add mceliece6688128f.{c,h}.
	* cipher/mceliece6688128f.c, cipher/mceliece6688128f.h: New.
	* tests/t-kem.c: Support mceliece6688128f.

2024-04-16  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix copyright notices for Kyber implementation.
	+ commit eec1a576dbd080eb54ad7c6027271fe3f71c8847
	* cipher/kyber-common.c: Fix copyright notice sentences.
	* cipher/kyber-kdep.c, cipher/kyber.c, cipher/kyber.h: Likewise.

2024-04-09  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add X448 based ECC KEM.
	+ commit 40b4781022c5f5ebf1ec6e6d814f9c2a346cb3ca
	* src/gcrypt.h.in (GCRY_KEM_RAW_X448, GCRY_KEM_DHKEM448): New.
	* cipher/kem-ecc.c (_gcry_ecc_raw_encap): Support X448.
	(ecc_dhkem_kdf, _gcry_ecc_dhkem_encap): Likewise.
	(_gcry_ecc_dhkem_decap): Likewise.
	* cipher/kem.c (_gcry_kem_keypair): Add support for GCRY_KEM_RAW_X448
	and GCRY_KEM_DHKEM448.
	(_gcry_kem_encap, _gcry_kem_decap): Likewise.

2024-04-05  Werner Koch  <wk@gnupg.org>

	Trailing comma removal for better portability.
	+ commit 9e6db9d74631e623164319f1fc9713afdf9e3eb9
	* cipher/kem.c (kem_names): Remove trailing comma.
	* src/gcrypt.h.in (enum gcry_kem_algos): Ditto.

	ecc: Add bp256, bp384, bp512 aliases for Brainpool curves.
	+ commit d211e7fe967381bfb19e4f18e0be067c68200c50
	* cipher/ecc-curves.c (curve_aliases): Add new aliases for Brainpool.

2024-04-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix t-kem for tests with X25519 for FIPS mode.
	+ commit a78dcad69872e1d6e6eb7ead174e398d9c7d4800
	* tests/t-kem.c (test_kem_raw_x25519): It is expected to fail.
	(test_kem_dhkem_x25519, test_kem_openpgp_x25519): Likewise.
	(test_kem_cms_x25519): Likewise.

2024-03-28  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kem: Add ECC KEM for X25519.
	+ commit 5da6c63fed34f6027a9531780252f0f54087c379
	* cipher/Makefile.am (libcipher_la_SOURCES): Add kem-ecc.{c,h}.
	* cipher/kem-ecc.c: New.
	* cipher/kem-ecc.h: New.
	* cipher/kem.c (_gcry_kem_keypair): Dispatch to _gcry_ecc_raw_keypair.
	(_gcry_kem_encap): Dispatch to _gcry_ecc_raw_encap,
	_gcry_ecc_dhkem_encap, _gcry_openpgp_kem_encap, and
	_gcry_cms_kem_encap.
	(_gcry_kem_decap): Dispatch to _gcry_ecc_raw_decap,
	_gcry_ecc_dhkem_decap, _gcry_openpgp_kem_decap, and
	_gcry_cms_kem_decap.
	* src/gcrypt.h.in: Add constants for ECC KEM.
	* tests/t-kem.c (test_kem_raw_x25519, test_kem_dhkem_x25519)
	(test_kem_openpgp_x25519, test_kem_cms_x25519): New.
	(check_kem, main): Add tests for ECC KEM.

2024-03-27  NIIBE Yutaka  <gniibe@fsij.org>
	    Falko Strenzke  <falko.strenzke@mtg.de>

	tests:basic: Add cSHAKE test vectors.
	+ commit b81076beba280c24923b0259a8973c777204c5df
	* tests/basic.c (check_one_md): Extend with customization N and S.
	(check_one_md_multi): Likewise.
	(check_digests): Add test vectors for GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.

2024-03-27  NIIBE Yutaka  <gniibe@fsij.org>

	md: Add cSHAKE digest algorithm and the implementation.
	+ commit 065b3f4e0271cc410c002842ea640f93e56c6a20
	* src/gcrypt.h.in (gcry_ctl_cmds): Add GCRYCTL_MD_CUSTOMIZE.
	(gcry_md_algos): Add GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	(struct gcry_cshake_customization): New.
	* cipher/keccak.c (CSHAKE_DELIMITED_SUFFIX): New.
	(keccak_init): Support GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	(selftests_keccak): Likewise.
	(cshake_input_n, cshake_input_s, _gcry_cshake_customize): New.
	(cshake128_init, cshake256_init, cshake_hash_buffers): New.
	(_gcry_cshake128_hash_buffers, _gcry_cshake256_hash_buffers): New.
	(_gcry_digest_spec_cshake128, _gcry_digest_spec_cshake256): New.
	* cipher/md.c (digest_list): Add cSHAKE md_specs.
	(digest_list_algo301): Likewise.
	(md_customize): New.
	(_gcry_md_ctl): Support GCRYCTL_MD_CUSTOMIZE.
	* src/cipher.h (_gcry_cshake_customize): New.
	(_gcry_digest_spec_cshake128, _gcry_digest_spec_cshake256): New.
	* src/fips.c (_gcry_fips_indicator_md): Support GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.
	* tests/basic.c (check_one_md): Support GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256 as xof.
	(check_one_md_multi): Exclude GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256
	as xof.
	* tests/bench-slope.c (hash_bench, kdf_bench): Exclude
	GCRY_MD_CSHAKE128 and GCRY_MD_CSHAKE256.
	* tests/benchmark.c (md_bench): Exclude GCRY_MD_CSHAKE128 and
	GCRY_MD_CSHAKE256.

2024-03-11  NIIBE Yutaka  <gniibe@fsij.org>

	Add gcry_md_hash_buffers_ext function.
	+ commit 3d48e6e37b040c955a84e58ce3147562fa74d1f3
	* src/gcrypt.h.in (gcry_md_hash_buffers_ext): New.
	* src/libgcrypt.def: Add gcry_md_hash_buffers_ext.
	* src/libgcrypt.vers: Likewise.
	* src/visibility.c: Add gcry_md_hash_buffers_ext.
	* src/visibility.h: Add gcry_md_hash_buffers_ext.

2024-03-05  NIIBE Yutaka  <gniibe@fsij.org>

	kem: Fix the previous commit.
	+ commit f4bcc69c3c9b0c2c948a9944cec7894cb590b211
	* cipher/kem.c (kem_compute_keygrip): Revert the change.

2024-03-04  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix Kyber key in SEXP, and its keygrip computation.
	+ commit 47c594386ebec3f9dea2d091c38cc7768a1840d9
	* cipher/kem.c (kem_generate): Include public key part in SEXP of
	private key.
	(kem_compute_keygrip): Fix keygrip computation.

	mpi: Fix ECC computation on hppa.
	+ commit b757f4130af987bdfc769b754b6e9e27882c349c
	* mpi/ec-inline.h [__hppa] (ADD4_LIMB32, SUB4_LIMB32): New.
	* mpi/longlong.h [__hppa] (add_ssaaaa, sub_ddmmss): Add __CLOBBER_CC.

2024-03-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix the previous commit.
	+ commit 23ccf8eafbc452fa5cf466bee219846400bd2424
	* tests/keygen.c (check_kem_keys): Those are not yet in the standard.

2024-03-02  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix keygen for FIPS mode.
	+ commit 58f93ea56f7173a5fc3f85710dbf167cb0e5e203
	* tests/keygen.c (check_kem_keys): Care about FIPS mode.

2024-02-29  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Silence warning for some architecture.
	+ commit 813a96de4ffec5d72dbb4473a42bd2b5b3f56b50
	* mpi/mpih-const-time.c (mpih_ct_limb_greater_than): DIFF_LO is not
	used.

2024-02-22  Werner Koch  <wk@gnupg.org>

	cipher: Add a way to get a keygrip for KEM algos.
	+ commit 4db7f3b07be5fc7b4c1c3b2e7548167cb1968533
	* src/gcrypt.h.in (GCRY_PK_KEM): New.
	* cipher/kem.c (kem_infos): New.
	(kem_names): New.
	(kem_generate): New.
	(kem_compute_keygrip): New.
	(kem_get_nbits): New.
	(_gcry_pubkey_spec_kem): New.
	* cipher/pubkey.c (pubkey_list): Add spec for KEM.
	* src/cipher.h (_gcry_pubkey_spec_kem): Declare.
	(_gcry_pubkey_spec_elg_e): Remove this unused declaration.

	* tests/keygen.c (check_generated_kem_key): New.
	(check_kem_keys): New.
	(main): Add optional argument kem and all new function.

	cipher: Slight refactoring of kem.c.
	+ commit b36aee33dd00906a98d5d1295bf471140844f737
	* cipher/kem.c (_gcry_kem_keypair): Do not claim used variables.
	Slight refactoring to allow for an enum-case check.
	(_gcry_kem_encap): Ditto.
	(_gcry_kem_decap): Ditto.

	* cipher/kyber.h (crypto_kem_keypair_3) [KYBER_K]: Fix syntax error.

2024-02-09  Clemens Lang  <cllang@redhat.com>

	sha3: Fill OIDs and partial ASN.1 structs.
	+ commit b3750fb42a44760e65d8869bc9a64e79197ae96d
	* cipher/keccak.c (sha3_224_asn): New.
	(oid_spec_sha3_224, oid_spec_sha3_256): Update the OIDs.
	(sha3_256_asn): Have a correct value.
	(sha3_384_asn): Have a correct value.
	(oid_spec_sha3_384, oid_spec_sha3_512): Update the OIDs.
	(sha3_512_asn): Have a correct value.
	(shake128_asn): Have a correct value.
	(oid_spec_shake128, oid_spec_shake256): Update the OIDs.
	(shake256_asn): Have a correct value.

2024-02-06  Werner Koch  <wk@gnupg.org>

	doc: Fix link to the s-expression description.
	+ commit 52f18b9ffe6ce38eba159c39550c10a95bce3d11
	Note that there is also the description at

	 https://people.csail.mit.edu/rivest/pubs/RL96.ver-1.1.html#secSexpressions

2024-02-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix Kyber segfaulting on Win64.
	+ commit 0929a9f1ede27dc6c629a92d92002da14eafa68a
	* cipher/kyber.c (prg, pkprf): Cast variadic parameters to expected
	types ('void *' and 'size_t').

	rijndael-s390x: fix AES256-XTS feature mask.
	+ commit 679b07898897e16029dbf596dbcf0141ebb99792
	* cipher/rijndael-s390x.c (_gcry_aes_s390x_setup_acceleration): Fix
	AES256-XTS feature mask.

2024-01-30  NIIBE Yutaka  <gniibe@fsij.org>

	cipher:kdf: Add X963KDF for use in CMS.
	+ commit 3abac420b30ad4aeef803b23995303ac6bb563fa
	* src/gcrypt.h.in (gcry_kdf_algos): Add GCRY_KDF_X963_KDF.
	* cipher/kdf.c (x963_kdf_open, x963_kdf_compute): New.
	(x963_kdf_final, x963_kdf_close): New.
	(_gcry_kdf_open, _gcry_kdf_final, _gcry_kdf_close): Add
	support for GCRY_KDF_X963_KDF.

	Fix the version script for non-existing symbols.
	+ commit be328b4a3476d5cbe543a761c043c5923ea1e280
	* src/libgcrypt.vers: Remove gcry_md_get and gcry_pk_register.

2024-01-29  NIIBE Yutaka  <gniibe@fsij.org>

	build: Use @FGREP@ by configure for libgcrypt-config.
	+ commit 128121e74b66793fabd24e478df6ea2ab568e24a
	* configure.ac (AC_PROG_FGREP): Add.
	* src/libgcrypt-config.in: Use @FGREP@.

2024-01-16  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix tests/basic.
	+ commit 86812491c7541a6e76cc2f2c45538b4715121b88
	* tests/basic.c (check_ecb_cipher): Use 'i' instead of '0'.

	m4: Update acinclude.m4 to use $GREP.
	+ commit 656ca459e3d87f91dc20a2fb1001344f4c872ee3
	* acinclude.m4: Use $GREP, instead of egrep.  Simplify the detection.

2024-01-15  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix copyright notices for LGPL.
	+ commit 2eaaa8846f226ccd54f3165afe10583936d9d940
	* cipher/kem.c: Fix LGPL name, with correct capitalizing.
	* cipher/kyber-common.c: Likewise.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.
	* cipher/kyber.h: Likewise.
	* cipher/sntrup761.c: Likewise.
	* cipher/sntrup761.h: Likewise.

	tests: Add known answers test for ML-KEM (Kyber).
	+ commit 6765916e3b55dc45d93123e789973c7528df5232
	* tests/Makefile.am (tests_bin): Add t-mlkem.
	(EXTRA_DIST): Add t-mlkem.inp.
	* tests/t-mlkem.c: New.
	* tests/t-mlkem.inp: New.

	cipher:kyber: Fix comment style.
	+ commit 384638bc4a0dd4315ce2955d08f51f007ba88df9
	* cipher/kyber-common.c: Fix comments.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.

	cipher: Add use of the Kyber implementation.
	+ commit f2f9d56358acf3b38764bc4465db627162f42bbf
	* cipher/Makefile.am (EXTRA_DIST): Add kyber-common.c kyber-kdep.c.
	(libcipher_la_SOURCES): Add kyber.c and kyber.h.
	* cipher/kem.c (_gcry_kem_keypair): Add call to kyber_keypair.
	(_gcry_kem_encap): Add call to kyber_encap.
	(_gcry_kem_decap): Add call to kyber_decap.
	* tests/t-common.h (show_note): Factor from existing uses.
	(show_sexp, prepend_srcdir, read_textline, copy_data): Likewise.
	(hex2buffer, reverse_buffer): Likewise.
	* tests/t-kem.c (show_note): Remove.
	(test_kem_sntrup761): Rename from test_kem.
	(test_kem_mlkem512, test_kem_mlkem768, test_kem_mlkem1024): New.
	(check_kem): Add N_LOOPS argument.  Call relevant tests by the
	variable SELECTED_ALGO.
	(main): Add option handling to select testing specific algorithm.

	cipher:kyber: Modify VERIFY function.
	+ commit 5c9c4dca39f2806443aaec60972e648715d3b048
	* cipher/kyber-kdep.c (crypto_kem_dec): Use verify1.
	* cipher/kyber.c (verify1): Return 1 when success.

	cipher:kyber: Modification for xof_ routines.
	+ commit fe3ecf810370086df40f4cc980d0a290e5f3a9a5
	* cipher/kyber-kdep.c (gen_matrix): Remove comment for
	gen_matrix.  Add calls to xof_init and xof_close.

	cipher:kyber: Integrate into libgcrypt, adding glue code.
	+ commit 4e9aa70078c5537f1c56f54e78d769c8b5dc9f0c
	* cipher/kyber-common.c: Add copyright notice.
	* cipher/kyber-kdep.c: Likewise.
	* cipher/kyber.c: Likewise.
	* cipher/kyber-kdep.c: Add #undef to clear the definitions.
	* cipher/kyber.c: Integrate into libgcrypt, also allow standalone use.

	cipher:kyber: Have cipher/kyber.h.
	+ commit 31743c17d7bd1f6dc653e6dfcf76fab5356649ae
	* cipher/kyber.h: New.

	cipher:kyber: Move declarations to kyber-kdep.c.
	+ commit b6e20ed580e08278eb963a87f6355c43ba0d34d2
	* cipher/kyber.c: Move KYBER_K-dependent declarations into...
	* cipher/kyber-kdep.c: ... here, or kyber.h.

	cipher:kyber: Functions in poly for different KYBER_K.
	+ commit efd55d9ecae549318425dc7a867c9698cbc78410
	* cipher/kyber-common.c (load24_littleendian, cbd3): Fix the
	compile-time condition.
	(poly_cbd_eta1, poly_cbd_eta2): Remove.
	(zetas): Don't export.
	(poly_compress): Remove.
	(poly_compress_128, poly_compress_160): New.
	(poly_decompress): Remove.
	(poly_decompress_128, poly_decompress_160): New.
	(poly_getnoise_eta1): Remove.
	(poly_getnoise_eta1_2): New.  Directly call cbd3.
	(poly_getnoise_eta1_3_4): New.  Directly call cbd2.
	(poly_getnoise_eta2): Directly call cbd2.
	* cipher/kyber.c: Fix declarations for poly_compress,
	poly_decompress and poly_getnoise_eta1.

	cipher:kyber: Make the implementation into three files.
	+ commit 01a14c0df2957900903895a3c49de2bdb708816f
	* cipher/kyber-common.c: New.  Common part.
	* cipher/kyber-kdep.c: New. KYBER_K dependent part.
	* cipher/kyber.c: Move functions and variables to two files.

	cipher:kyber: Constants common and k-dependent.
	+ commit fc35a5372a74c696f45b10dccbb84331673412b4
	* cipher/kyber.c (KYBER_ETA1): Remove.
	(KYBER_ETA1_2, KYBER_ETA1_3_4): New.
	(KYBER_POLYCOMPRESSEDBYTES): Remove.
	(KYBER_POLYCOMPRESSEDBYTES_2_3): New.
	(KYBER_POLYCOMPRESSEDBYTES_4): New.

	cipher:kyber: Export the KEM API only.
	+ commit 34dd0a1a75b2ee37ccd1215235f8b9f00f38bff1
	* cipher/kyber.c: Don't export other functions and data.

	cipher: Editorial clean up cipher/kyber.c for headers.
	+ commit 4b601fe5b3cff021e265df6eb64911e6a8105bd3
	* cipher/kyber.c: Clean up.

	cipher: Add headers to Kyber implementation.
	+ commit 10e9bcd5c67ed40292b06901b38fa9b94ccc09ba
	* cipher/kyber.c: Add headers from the reference implementation.

	cipher: Put the original Kyber implementation.
	+ commit 18e5c0d268b1aeac59f526b9730b39520750ca14
	* cipher/kyber.c: Kyber reference implementation.

	cipher: Allow standalone use of SNTRUP761 implementation.
	+ commit bdadd65d440b7f689f49450530a548c32007f71b
	* cipher/sntrup761.c [HAVE_CONFIG_H]: Conditionalize.

2024-01-08  NIIBE Yutaka  <gniibe@fsij.org>

	Avoid use of C99 feature for enum.
	+ commit dbfb7cc76ef3f98fe62f0549b97d76f395864ae0
	* src/gcrypt.h.in (enum gcry_kdf_algos): Remove last comma.
	(enum gcry_kem_algos): Likewise.

2023-12-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: restore compiler barriers for auto-GHZ check.
	+ commit c9cb10f3be226dfd65c670ff2565d81dfc668376
	* tests/bench-slope.c (auto_ghz_bench): Add memory barriers to
	AUTO_GHZ_OPERATION macro when barrier is supported by compiler.

	mpi/ec-inline: refactor i386 assembly to reduce register usage.
	+ commit 956f1ed4ec6ead59dc56f574f943f1fe25dac723
	* mpi/ec-inline.h [__i386__] (ADD2_LIMB32_CARRY_OUT)
	(ADD2_LIMB32_CARRY_IN_OUT, ADD2_LIB32_CARRY_IN, SUB2_LIMB32_CARRY_OUT)
	(SUB2_LIMB32_CARRY_IN_OUT, SUB2_LIB32_CARRY_IN, ADD8_LIMB32)
	(ADD10_LIMB32, ADD14_LIMB32, SUB8_LIMB32, SUB10_LIMB32)
	(SUB14_LIMB32): New.
	[__i386__] (ADD4_LIMB32, ADD6_LIMB32, SUB4_LIMB32, SUB6_LIMB32): Rewrite
	to use new *_CARRY_* macros.
	[BYTES_PER_MPI_LIMB == 4] (ADD4_LIMB64): Use ADD8_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (ADD5_LIMB64): Use ADD10_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (ADD7_LIMB64): Use ADD14_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB4_LIMB64): Use SUB8_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB5_LIMB64): Use SUB10_LIMB32 if available.
	[BYTES_PER_MPI_LIMB == 4] (SUB7_LIMB64): Use SUB14_LIMB32 if available.

2023-12-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi/ec-nist: fix for -Og build failure on i386.
	+ commit 90097bd2f41c217dc5c666570e5680f432cf92d3
	* mpi/ec-nist.c (_gcry_mpi_ec_nist256_mod)
	(_gcry_mpi_ec_nist384_mod): Load p_mult constant with carry offset
	to stack.

2023-12-12  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Update digest values following input changes.
	+ commit 4a104752d8a2f0ca15d7873011a14226925a773b
	* tests/basic.c (check_digests): Update the values.

2023-12-12  Andreas Metzler  <ametzler@bebt.de>

	Point to gnu.org as canonical license location.
	+ commit cd056b4d1614e9e245b66782b54aad1697e22a01


	Fix license header inconsistency.
	+ commit 25e93a02268b9f533b1ffa4f6a5fe47d686e2145


	Unify capitalization of LGPL copyright statements.
	+ commit ca5689367a837b6541307f6ae19e0176b051d06f


2023-12-08  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix sntrup761.h, so that it can be used outside.
	+ commit ebc9aaacd62bbc7f048020531398ccb9f97e4437
	* cipher/sntrup761.h [_GCRYPT_IN_LIBGCRYPT]: Ifdef-out
	libgcrypt specific glue code.  Recover the constants.

	cipher: Minor fix for C90 compiler.
	+ commit 2149888d47afea9946c3a748310ad27dfcda48c3
	* cipher/sntrup761.c (crypto_sort_int32): Declare A, before its use.

2023-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Add sntrup761 to KEM API.
	+ commit 947ad42450eadec079a1c50deba90e6453f0113c
	* cipher/kem.c (sntrup761_random): New glue code.
	(_gcry_kem_keypair, _gcry_kem_encap, _gcry_kem_decap): Call sntrup761
	functions.
	* cipher/sntrup761.h: Add glue code to libgcrypt.
	* src/visibility.h: Update for KEM functions.
	* tests/t-kem.c: Fix for the final KEM API.

2023-12-07  Simon Josefsson  <simon@josefsson.org>

	cipher: Add Streamlined NTRU Prime sntrup761.
	+ commit cf9923e1a59f2f535311f3676345d34e593ba108
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sntrup761.c and h.
	* cipher/sntrup761.c: New.
	* tests/Makefile.am (tests_bin): Add t-kem.
	* tests/t-kem.c: New.

2023-12-07  NIIBE Yutaka  <gniibe@fsij.org>

	Add an API for Key Encapsulation Mechanism.
	+ commit 7e503fa9170fd290105714d15a335f7748860e23
	* cipher/Makefile.am (libcipher_la_SOURCES): Add kem.c.
	* cipher/kem.c: New.
	* src/gcrypt-int.h (_gcry_kem_keypair, _gcry_kem_encap)
	(_gcry_kem_decap): New.
	* src/gcrypt.h.in (gcry_kem_keypair, gcry_kem_encap)
	(gcry_kem_decap): New.  Add constants.
	* src/libgcrypt.def (gcry_kem_keypair, gcry_kem_encap)
	(gcry_kem_decap): Add symbols.
	* src/libgcrypt.vers: Likewise.

2023-11-22  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix t-x448 for error handling.
	+ commit dc1c916da4ba3960495bca450d8f4bc6897d9167
	* tests/t-x448.c (test_cv_x448): Take the error code from ERR.

2023-11-16  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix return type of _gcry_ecc_mul_point.
	+ commit 354e53558e55fe5bc8fa4be32e1c1bace7623536
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return gpg_err_code_t.
	* src/gcrypt-int.h (_gcry_ecc_mul_point): Return gpg_err_code_t.
	* src/visibility.c (gcry_ecc_mul_point): Follow the change.

2023-11-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpih_mod: avoid unintentional conditional branch.
	+ commit 39d5364a9557d6f423de117601cb1e6414814f47
	* mpi/mpih-const-time.c (_gcry_mpih_mod): Avoid conditional branch
	on the_bit extraction.

	mpih-const-time: use constant-time comparisons conditional add/sub/abs.
	+ commit c419a04d529af7b5fb43732ec2b4304166c2579a
	* mpi/mpih-const-time.c (mpih_ct_limb_greater_than)
	(mpih_ct_limb_less_than): New.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_abs_cond): Use
	mpih_ct_limb_greater_than and mpih_ct_limb_less_than for comparisons.

	const-time: add functions for generating masks from 0/1 input.
	+ commit cf757cf90e9ae966b95dcebfd2f31b9212697f0c
	* mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use mask generating
	functions.
	* mpi/mpi-internal.h (ct_limb_gen_mask, ct_limb_gen_inv_mask): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond, _gcry_mpih_add_n_cond)
	(_gcry_mpih_sub_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond): Use
	mask generating functions.
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use mask
	generating functions.
	* src/const-time.h (DEFINE_CT_TYPE_GEN_MASK, ct_uintptr_gen_mask)
	(ct_ulong_gen_mask, DEFINE_CT_TYPE_GEN_INV_MASK, ct_uintptr_gen_inv_mask)
	(ct_ulong_gen_inv_mask): New.
	(DEFINE_CT_TYPE_SELECT_FUNC): Use mask generating functions.
	* src/const-time.c (_gcry_ct_memmov_cond): Use mask generating functions.

	ec: avoid unintentional condition branches for 25519, 448 and 256k1.
	+ commit 305a65c1ede8f78160100478d46efa199d334a64
	* mpi/ec.c (ec_addm_25519, ec_subm_25519, ec_mulm_25519, ec_addm_448)
	(ec_subm_448, ec_mulm_448, ec_secp256k1_mod): Use mpih_limb_is_zero
	and mpih_limb_is_not_zero instead of comparison to zero.

	ec-nist: avoid unintentional conditional branch by comparison.
	+ commit a9e7aa647e4b84964c76230370d71235383e5c2d
	* mpi/ec-nist.c (_gcry_mpi_ec_nist521_mod): Use mpih_limb_is_not_zero.
	* mpi/mpi-internal.h (mpih_limb_is_not_zero): New.

	mpih_cmp_ui: avoid unintentional conditional branch.
	+ commit aab6a42d5f44724b73a02598546a5e7d8b33298e
	* mpi/mpi-internal.h (mpih_limb_is_zero): New.
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): Use mpih_limb_is_zero
	instead of comparison.

	ec-nist: use global vone and vzero.
	+ commit 5c5ba1ec2b505726ee1311339ac9e8b5c62cac4a
	* mpi/ec-nist.c (vzero, vone): Remove.
	(_gcry_mpi_ec_nist192_mod, _gcry_mpi_ec_nist224_mod)
	(_gcry_mpi_ec_nist256_mod, _gcry_mpi_ec_nist384_mod): Use _gcry_ct_vzero
	and _gcry_ct_vone.

	mpiutil: use global vone and vzero.
	+ commit d4aee9ace9a904446b987dddc2999119c4d62dae
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Use
	_gcry_ct_vzero and _gcry_ct_vone.

	mpih-const-time: use global vzero/vone variable.
	+ commit 179df341162c74da312f76363a0ff1f2f303aa78
	* mpi/mpih-const-time.c (vzero, vone): Remove.
	(_gcry_mpih_set_cond, _gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond)
	(_gcry_mpih_swap_cond, _gcry_mpih_abs_cond): Use _gcry_ct_vzero and
	_gcry_ct_vone.

	const-time: ct_memmov_cond: switch to use dual mask approach.
	+ commit 4d3e0e30b98b2acb90acb2792b8327c26824a66f
	* src/const-time.c (_gcry_ct_memmov_cond): Use dual mask + AND/OR
	instead of single mask + XOR.

	const-time: prefix global symbols with _gcry_
	+ commit 22dde5150ee2be01651410ed9756601ba6a29c93
	* cipher/const-time.c (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	* cipher/const-time.h (ct_not_memequal, ct_memequal)
	(ct_memmov_cond): Rename these to ...
	(_gcry_ct_not_memequal, _gcry_ct_memequal)
	(_gcry_ct_memmov_cond): ... these.
	(ct_not_memequal, ct_memequal, ct_memmov_cond): New macros.

	mpih_set_cond: restore EM leakage mitigation.
	+ commit 0c6ec6bbe788b8c4a6982b2128d442b51323c898
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Replace single mask + XOR
	with dual mask + AND/OR; Add comment about reason for dual mask usage.
	(_gcry_mpih_add_n_cond, _gcry_mpih_sub_n_cond, _gcry_mpih_swap_cond)
	(_gcry_mpih_abs_cond): Add comment about reason for dual mask usage.

	rsa, elgamal: avoid logical not operator in constant-time code.
	+ commit 84f934c09afac18b3f4351646c0fe6f93aede277
	* cipher/elgamal.c (elg_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Replace !
	operator with call to ct_is_zero.
	* cipher/rsa.c (rsa_decrypt): Replace ! operator with calls to
	ct_is_not_zero/ct_is_zero/ct_ulong_select.
	* src/const-time.c (_gcry_ct_vzero, _gcry_ct_vone): New.
	* src/const-time.h (_gcry_ct_vzero, _gcry_ct_vone): New.
	(ct_is_not_zero, ct_is_zero, DEFINE_CT_TYPE_SELECT_FUNC)
	(ct_uintptr_select, ct_ulong_select): New.
	(sexp_null_cond): Use ct_uintptr_select.

	const-time: always avoid comparison operator for byte comparison.
	+ commit 137e35ad47ee8734d0f3ffb6af1d1669c4621e0b
	* configure.ac: Remove POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON
	macro.
	* src/const-time.h (ct_not_equal_byte): Remove
	POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON ifdef.

	Use single constant-time memory comparison implementation.
	+ commit 1e9ddbd65c4627235611d75c3198c4ec197c9a05
	* src/const-time.c (ct_not_memequal): Use original 'buf_eq_const'
	implementation here.
	(ct_memequal): New.
	* cipher/bufhelp.h (buf_eq_const): Call to 'ct_memequal'.

2023-11-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: update auto-GHZ for alderlake-P.
	+ commit a047a9c7d10824593d5c9ae43d8a3d6319ef3c0b
	* tests/bench-slope.c (vone): New.
	(auto_ghz_bench): Remove memory barrier usage; Generate constant
	values from volatile variable.

2023-10-31  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix ElGamal decryption.
	+ commit 6d1d50ba3aad1850975f717adbedb4cb8b236fa7
	* cipher/elgamal.c (elg_decrypt): Call sexp_build always.
	* cipher/rsa.c (rsa_decrypt): Return an error code of sexp_build
	when RC != 0.

	rsa: Use memmov_independently when unpadding.
	+ commit 58b62be844549ad3d57c507d834027f1e2756567
	* cipher/rsa-common.c (memmov_independently): New.
	(_gcry_rsa_pkcs1_decode_for_enc): Use memmov_independently.
	(_gcry_rsa_oaep_decode): Use memmov_independently.

	const-time: Add ct_memmov_cond, fix _gcry_mpih_set_cond.
	+ commit bd08357436a9559766cd458d25781ee4f94012a2
	* src/const-time.c (ct_memmov_cond): New.
	* src/const-time.h (ct_memmov_cond): New.
	* mpi/mpih-const-time.c (_gcry_mpih_set_cond): Use XOR and a MASK.

2023-10-30  NIIBE Yutaka  <gniibe@fsij.org>

	const-time: Use ct_not_memequal, instead.  Tested with AVR.
	+ commit c31b70b2660c3d24bd54ee08c255c36d867fdea7
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_not_memequal.
	* src/const-time.c (ct_not_memequal): Use ct_not_equal_byte.
	* src/const-time.h (ct_not_memequal): Rename from ct_memequal.

	build: Check if arch is VAX or compiler is MSVC.
	+ commit c848459e512615c1865a23cf24debb3ad4a1e85b
	* configure.ac (AH_BOTTOM): Add check for VAX and MSVC.
	* src/const-time.h (POSSIBLE_CONDITIONAL_BRANCH_IN_BYTE_COMPARISON):
	Rename.

2023-10-27  NIIBE Yutaka  <gniibe@fsij.org>

	rsa: Fix decoding of PKCS#1 v1.5 and OAEP padding.
	+ commit 34c20427926010d6fa95b1666e4b1b60f60a8742
	* src/Makefile.am (libgcrypt_la_SOURCES): Add const-time.h and
	const-time.c.
	* src/const-time.h (ct_not_equal_byte, sexp_null_cond): New.
	(ct_memequal): New from NetBSD, modified return type and name.
	* src/const-time.c: New.
	* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Examine the whole
	sequence of the byte-array.  Use N0 to find the separator position, with
	ct_not_equal_byte.  Return the MPI even in the case of an error.
	* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_memequal to
	check LHASH.  Examine the whole sequence of the byte-array.  Use N1 to
	find the separator of 0x01.  Return the MPI even in the case of an
	error.
	* cipher/rsa.c (rsa_decrypt): Always build a SEXP.
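The rsa entry above and the const-time entries earlier in this log name a small set of branch-free helpers (ct_not_equal_byte, ct_not_memequal, ct_ulong_select) and a whole-buffer scan for the PKCS#1 v1.5 separator. The following C is an added illustration of that pattern; it is not libgcrypt's code, the function bodies and the sample padded block are ours, and only the names follow the ChangeLog.

```c
#include <stddef.h>
#include <stdint.h>
/* Added illustration of the constant-time helpers named in this log
 * (ct_not_equal_byte, ct_not_memequal, ct_ulong_select); bodies are ours. */

/* 1 if a != b, else 0; no comparison operator, no branch. */
static unsigned int ct_not_equal_byte(unsigned char a, unsigned char b)
{
  uint32_t x = a ^ b;                    /* nonzero only when bytes differ */
  return (x | ((uint32_t)0 - x)) >> 31;  /* top bit set iff x != 0 */
}

/* Compare every byte; never exits early on the first mismatch. */
static unsigned int ct_not_memequal(const void *a, const void *b, size_t n)
{
  const unsigned char *pa = a, *pb = b;
  unsigned int diff = 0;
  for (size_t i = 0; i < n; i++)
    diff |= ct_not_equal_byte(pa[i], pb[i]);
  return diff;
}

/* flag must be 0 or 1: returns a when flag == 1, b when flag == 0. */
static unsigned long ct_ulong_select(unsigned int flag, unsigned long a, unsigned long b)
{
  unsigned long mask = 0UL - (unsigned long)flag;  /* all ones or all zeros */
  return (a & mask) | (b & ~mask);
}

/* PKCS#1 v1.5 style separator search: visit every byte from 'start' on and
 * keep the first 0x00 position without leaving the loop; n means not found. */
static size_t ct_find_first_zero(const unsigned char *buf, size_t n, size_t start)
{
  unsigned long pos = n; unsigned int found = 0;
  for (size_t i = start; i < n; i++) {
    unsigned int is_zero = ct_not_equal_byte(buf[i], 0) ^ 1u;
    unsigned int take = is_zero & (found ^ 1u);  /* only the first zero */
    pos = ct_ulong_select(take, i, pos);
    found |= take;
  }
  return (size_t)pos;
}

/* Constructed sample block 00 02 <pad> 00 <msg>: the separator is at index 4. */
static size_t demo_separator_position(void)
{
  static const unsigned char em[] = { 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x11, 0x22 };
  return ct_find_first_zero(em, sizeof em, 2);
}
```

The caller decides success or failure only after the scan has touched every byte, which is the point of the "examine the whole sequence" change.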

2023-10-06  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Minor clean-up of sexp output handling.
	+ commit 5e5dff0551fcd9a826db18188fa1e4a6ca45099a
	* src/sexp.c (suitable_encoding): Remove check for starting zero.

2023-10-05  NIIBE Yutaka  <gniibe@fsij.org>

	doc: Minor style fixes.
	+ commit edddc5738e6b1652ccc5db6861888de66112427f
	sexp: String with \0 is considered "binary".
	+ commit ddd41eb6ace02626b0bf7704fdec9b765fb717c4
	* src/sexp.c (suitable_encoding): It's "binary" when
	the buffer contains '\0'.

2023-09-15  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2-avx512: merge some of the gather loads.
	+ commit 325786acd445f9e74e4c44ba86c5b4e06788ea46
	* cipher/blake2b-amd64-avx512.S (GATHER_MSG_2, GATHER_MSG_3)
	(GATHER_MSG_5, GATHER_MSG_6, GATHER_MSG_8, GATHER_MSG_9): New.
	(LOAD_MSG_2, LOAD_MSG_3, LOAD_MSG_5, LOAD_MSG_6, LOAD_MSG_8)
	(LOAD_MSG_9): Use GATHER_MSG_<number>.
	(_blake2b_avx512_data): Add merged load masks ".L[4-7]_mask".
	(_gcry_blake2b_transform_amd64_avx512): Load merged load masks
	to %k[4-7] and clear registers on exit.
	* cipher/blake2s-amd64-avx512.S (VPINSRD_KMASK, GATHER_MSG_2)
	(GATHER_MSG_3, GATHER_MSG_5, GATHER_MSG_6, GATHER_MSG_8)
	(GATHER_MSG_9): New.
	(LOAD_MSG_2, LOAD_MSG_3, LOAD_MSG_5, LOAD_MSG_6, LOAD_MSG_8)
	(LOAD_MSG_9): Use GATHER_MSG_<number>.
	(_blake2s_avx512_data): Add merged load masks ".L[4-7]_mask".
	(_gcry_blake2s_transform_amd64_avx512): Load merged load masks
	to %k[4-7] and clear registers on exit.

2023-09-01  NIIBE Yutaka  <gniibe@fsij.org>

	build: Change the default for --with-libtool-modification.
	+ commit 36d014f919d1c5f00dde4509da9b5e02895467c9
	* configure.ac (--with-libtool-modification): default=never.

2023-08-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	blake2b-avx512: replace VPGATHER with manual gather.
	+ commit 59f14c1db37e16aba37af185dd0677f9783536ce
	* cipher/blake2.c (blake2b_init_ctx): Remove HWF_INTEL_FAST_VPGATHER
	check for AVX512 implementation.
	* cipher/blake2b-amd64-avx512.S (R16, VPINSRQ_KMASK, .Lshuf_ror16)
	(.Lk1_mask): New.
	(GEN_GMASK, RESET_KMASKS, .Lgmask*): Remove.
	(GATHER_MSG): Use manual gather instead of VPGATHER.
	(ROR_16): Use vpshufb for small speed improvement on tigerlake.
	(_gcry_blake2b_transform_amd64_avx512): New setup & clean-up for
	kmask registers; Reduce excess loop alignment from 64B to 16B.

	twofish-avx2-amd64: replace VPGATHER with manual gather.
	+ commit ded3a1ec2ec6980750e3e9eabde001cdbebece51
	* cipher/twofish-avx2-amd64.S (do_gather): New.
	(g16): Switch to use 'do_gather' instead of VPGATHER instruction.
	(__twofish_enc_blk16, __twofish_dec_blk16): Prepare stack
	for 'do_gather'.
	* cipher/twofish.c (twofish) [USE_AVX2]: Remove now unneeded
	HWF_INTEL_FAST_VPGATHER check.

	Avoid VPGATHER usage for most of Intel CPUs.
	+ commit f2bf9997d46590e688bad213267b8fb466e95ecd
	* cipher/blake2.c (blake2b_init_ctx): Check for fast VPGATHER
	for AVX512 implementation.
	* src/hwf-x86.c (detect_x86_gnuc): Do not enable
	HWF_INTEL_FAST_VPGATHER for Intel CPUs suffering from
	"Downfall" vulnerability.

2023-08-16  NIIBE Yutaka  <gniibe@fsij.org>

	build: New configure option --with-libtool-modification.
	+ commit 2143503b8f56a4e6909dc8b4f86e20c8ad76aaed
	* Makefile.am (EXTRA_DIST): Add build-aux/libtool-patch.sed.
	* build-aux/libtool-patch.sed: New.
	* configure.ac (--with-libtool-modification): New.
	* build-aux/ltmain.sh: Revert our own local modification.

2023-07-26  NIIBE Yutaka  <gniibe@fsij.org>

	doc: yat2m-stamp should depend on version.texi.
	+ commit f019c98fd418596074ffd2cc755be6c483aac932
	* doc/Makefile.am (yat2m-stamp): Depend on version.texi.

2023-07-17  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-x86: use CFI statements for 'is_cpuid_available'.
	+ commit a5f88f30ce612b0239b946c4424d81cf0d552e96
	* src/hwf-x86.c (FORCE_FUNC_FRAME_POINTER): Remove.
	(CFI_ADJUST_CFA_OFFSET, CFI_PUSH4, CFI_POP4): New.
	(is_cpuid_available): Use CFI statements instead of frame-pointer
	attribute.

	configure: fix HAVE_GCC_ASM_CFI_DIRECTIVES check.
	+ commit 35829d38d61fa3130d88eaeea1af2591a3f07208
	* cipher/camellia-aesni-avx2-amd64.h (enc_blk1_32): Fix dual
	CFI_ENDPROC() usage.
	* configure.ac (gcry_cv_gcc_asm_cfi_directives): Add missing ';'
	after 'void asmfunc(void)'.
	* mpi/asm-common-i386.h: New.
	* mpi/i386/syntax.h: Remove CFI macros and instead include
	"asm-common-i386.h".

	Add VAES/AVX2 accelerated i386 implementation for AES.
	+ commit 4a42a042bcf6b25f13957207c2d13d420f450bb8
	* cipher/Makefile.am: Add 'rijndael-vaes-i386.c' and
	'rijndael-vaes-avx2-i386.S'.
	* cipher/asm-common-i386.h: New.
	* cipher/rijndael-internal.h (USE_VAES_I386): New.
	* cipher/rijndael-vaes-avx2-i386.S: New.
	* cipher/rijndael-vaes-i386.c: New.
	* cipher/rijndael-vaes.c: Update header description (add 'AMD64').
	* cipher/rijndael.c [USE_VAES]: Add 'USE_VAES_I386' to ifdef around
	'_gcry_aes_vaes_*' function prototypes.
	(setkey) [USE_VAES_I386]: Add setup of VAES/AVX2/i386 bulk functions.
	* configure.ac: Add 'rijndael-vaes-i386.lo' and
	'rijndael-vaes-avx2-i386.lo'.
	(gcry_cv_gcc_amd64_platform_as_ok): Rename this to ...
	(gcry_cv_gcc_x86_platform_as_ok): ... this and change to check for
	both AMD64 and i386 assembler compatibility.
	(gcry_cv_gcc_win32_platform_as_ok): New.

	rijndael-vaes-avx2-amd64: avoid extra load in CFB & CBC IV handling.
	+ commit 13f288edd5274880cf6833c80eba24183440a66d
	* cipher/rijndael-vaes-avx2-amd64.S
	(_gcry_vaes_avx2_cbc_dec_amd64, _gcry_vaes_avx2_cfb_dec_amd64): Avoid
	duplicate memory load from source buffer.

