2017-06-29  Werner Koch  <wk@gnupg.org>

	Release 1.7.8.
	+ commit b16176769672a659b9a7c1d23325270338323385
	* configure.ac: Set LT version to C21/A1/R8.

2017-06-29  NIIBE Yutaka  <gniibe@fsij.org>

	rsa: More fix.
	+ commit 312101e1f266314b4391fcdbe11c03de5c147e38
	* cipher/rsa.c (secret): Free R.

	rsa: Fix exponent blinding.
	+ commit aff5fd0f2650e24cf99efcd7b499627ea48782c3
	* cipher/rsa.c (secret): Free D_BLIND.

2017-06-29  NIIBE Yutaka  <gniibe@fsij.org>
	    Werner Koch  <wk@gnupg.org>

	rsa: Add exponent blinding.
	+ commit a9f612def801c8145d551d995475e5d51a4c988c
	* cipher/rsa.c (secret): Blind secret D with randomized nonce R for
	mpi_powm computation.

2017-06-29  NIIBE Yutaka  <gniibe@fsij.org>

	Same computation for square and multiply.
	+ commit 0e6788517eac6f508fa32ec5d5c1cada7fb980bc
	* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
	the assignment to base_u into the loop.  Copy content referred by RP to
	BASE_U except the last of the loop.

2017-06-23  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Simplify mpi_powm.
	+ commit fbd10abc057453789017f11c7f1fc8e6c61b79a3
	* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.

2017-06-08  Werner Koch  <wk@gnupg.org>

	build: Fix ChangeLog building for builds from other worktrees.
	+ commit 12ba983bb3be707d590706530dc1def1a048d6d2
	* Makefile.am (gen-ChangeLog): Test for existence of ".git" regardless
	on whether it is a file or directory.

2017-06-02  Werner Koch  <wk@gnupg.org>

	Release 1.7.7.
	+ commit d9cebf535ca323a07b30ed06e86a1c04c5920058
	* configure.ac: Set LT version to C21/A6/R7.

2017-06-02  NIIBE Yutaka  <gniibe@fsij.org>

	secmem: Fix SEGV and stat calculation.
	+ commit 91456759b887e153c4d4ce19538d478df260cab2
	* src/secmem (init_pool): Care about the header size.
	(_gcry_secmem_malloc_internal): Likewise.
	(_gcry_secmem_malloc_internal): Use mb->size for stats.

2017-06-01  Jo Van Bulck  <jo.vanbulck@cs.kuleuven.be>

	ecc: Store EdDSA session key in secure memory.
	+ commit f9494b3f258e01b6af8bd3941ce436bcc00afc56
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
	session key.

2017-05-30  Werner Koch  <wk@gnupg.org>

	mpi: Distribute asm files for aarch64 and asm.
	+ commit af0d7eeac09e1a240615d4c8ea2a245f211df650
	* mpi/aarch64/distfiles: New.
	* mpi/arm/distfiles: New.

	mpi: Distribute asm definitions for amd64.
	+ commit 7a339b1fc94cbda738cf7712830e783faa0e325e
	* mpi/amd64/distfiles: Add mpi-asm-defs.h.

	doc: Comment fixes.
	+ commit 992f3b37359646f8b9c9b006e9dc6190e4b5c760


2017-01-18  Werner Koch  <wk@gnupg.org>

	Release 1.7.6.
	+ commit 64e4808c05894b623f06c526a37ae2b77c31e36d
	* configure.ac: Set LT version to C21/A1/R6.

	Revert "rijndael-ssse3: move assembly functions to separate source-file"
	+ commit 5053e0112ee3ef757a3a4ae26eed117dd1fb0211
	This reverts commit a77c36921bde79418cdf6d7a7543514c39c9796c.

2017-01-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	mpi: amd64: fix too large jump alignment in mpih-rshift.
	+ commit 1817c9eab5699c097d3713f197e4a3e8b5c1442c
	* mpi/amd64/mpih-rshift.S (_gcry_mpih_rshift): Use 16-byte alignment
	with 'ALIGN(4)' instead of 256-byte.

	rijndael-ssse3: move assembly functions to separate source-file.
	+ commit a77c36921bde79418cdf6d7a7543514c39c9796c
	* cipher/Makefile.am: Add 'rinjdael-ssse3-amd64-asm.S'.
	* cipher/rinjdael-ssse3-amd64-asm.S: Moved assembly functions
	here ...
	* cipher/rinjdael-ssse3-amd64.c: ... from this file.
	(_gcry_aes_ssse3_enc_preload, _gcry_aes_ssse3_dec_preload)
	(_gcry_aes_ssse3_shedule_core, _gcry_aes_ssse3_encrypt_core)
	(_gcry_aes_ssse3_decrypt_core): New.
	(vpaes_ssse3_prepare_enc, vpaes_ssse3_prepare_dec)
	(_gcry_aes_ssse3_do_setkey, _gcry_aes_ssse3_prepare_decryption)
	(do_vpaes_ssse3_enc, do_vpaes_ssse3_dec): Update to use external
	assembly functions; remove 'aes_const_ptr' variable usage.
	(_gcry_aes_ssse3_encrypt, _gcry_aes_ssse3_decrypt)
	(_gcry_aes_ssse3_cfb_enc, _gcry_aes_ssse3_cbc_enc)
	(_gcry_aes_ssse3_ctr_enc, _gcry_aes_ssse3_cfb_dec)
	(_gcry_aes_ssse3_cbc_dec, ssse3_ocb_enc, ssse3_ocb_dec)
	(_gcry_aes_ssse3_ocb_auth): Remove 'aes_const_ptr' variable usage.
	* configure.ac: Add 'rinjdael-ssse3-amd64-asm.lo'.

	rijndael-ssse3: fix counter operand from read-only to read/write.
	+ commit 34135cd4128b7d2b288323474a8d05a38022b4fa
	* cipher/rijndael-ssse3-amd64.c (_gcry_aes_ssse3_ctr_enc): Change
	'ctrlow' operand from read-only to read-write.

2017-01-18  Werner Koch  <wk@gnupg.org>

	random: Call getrandom before select and emitting a progress callback.
	+ commit e4c0159974b011ddc1979acdec311234d9bc2ea8
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Move the getrandom
	call before the select.

2016-12-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.5.
	+ commit 89ec6c103739d41624bb5b899926efc26b215dda
	* configure.ac: Set LT version to C21/A1/R5.

2016-12-15  Werner Koch  <wk@gnupg.org>
	    Nicolas Porcel  <nicolasporcel06@gmail.com>

	Fix regression in broken mlock detection.
	+ commit b4d1ab824172b8221011680cda00d7623de5c9f5
	* acinclude.m4 (GNUPG_CHECK_MLOCK): Fix typo EGAIN->EAGAIN.

2016-12-09  Werner Koch  <wk@gnupg.org>

	Release 1.7.4.
	+ commit a72ce0a1fbb3648d80696885d6a7e78b3029bebc
	* configure.ac: Bump LT version to C21/A1/R4.

	Improve handling of mlock error codes.
	+ commit d6f84f4fc59235795ae393d8fab0081eb5889120
	* acinclude.m4 (GNUPG_CHECK_MLOCK): Check also for EAGAIN which is a
	legitimate return code and does not indicate a broken mlock().
	* src/secmem.c (lock_pool_pages): Test ERR instead of ERRNO which
	could have been overwritten by cap_from_text et al.

2016-12-09  Stephan Mueller  <smueller@chronox.de>

	random: Eliminate unneeded memcpy invocations in the DRBG.
	+ commit 008fd92917547981d3c4dc77fd1e8c242bf4a7ea
	* random/random-drbg.c (drbg_hash): Remove arg 'outval' and return a
	pointer instead.
	(drbg_instantiate): Reduce size of scratchpad.
	(drbg_hmac_update): Avoid use of scratch buffers for the hash.
	(drbg_hmac_generate, drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_hash_generate): Ditto.

	random: Add performance improvements for the DRBG.
	+ commit c6b7041bbc11391b7c6b0bf649aa4979ad3d0b52
	* random/random-drbg.c (struct drbg_state_ops_s): New function
	pointers 'crypto_init' and 'crypto-fini'.
	(struct drbg_state_s): New fields 'priv_data', 'ctr_handle', and
	'ctr_null'.
	(drbg_hash_init, drbg_hash_fini): New.
	(drbg_hmac_init, drbg_hmac_setkey): New.
	(drbg_sym_fini, drbg_sym_init, drbg_sym_setkey): New.
	(drbg_sym_ctr): New.
	(drbg_ctr_bcc): Set the key.
	(drbg_ctr_df): Ditto.
	(drbg_hmac_update): Ditto.
	(drbg_hmac_generate): Replace drgb_hmac by drbg_hash.
	(drbg_hash_df): Ditto.
	(drbg_hash_process_addtl): Ditto.
	(drbg_hash_hashgen): Ditto.
	(drbg_ctr_update): Rework.
	(drbg_ctr_generate): Rework.
	(drbg_ctr_ops): Init new functions pointers.
	(drbg_uninstantiate): Call fini function.
	(drbg_instantiate): Call init function.

	cipher: New function for reading the counter in CTR mode.
	+ commit 9678a9f3dcbd2944d62f12c63fa27a8fd72b1201
	* cipher/cipher.c (gcry_cipher_getctr): New.

2016-12-07  Werner Koch  <wk@gnupg.org>

	Implement overflow secmem pools for xmalloc style allocators.
	+ commit 73dca02b9cc6d542af153c527190832f9c421ef3
	* src/secmem.c (pooldesc_s): Add fields next, cur_alloced, and
	cur_blocks.
	(cur_alloced, cur_blocks): Remove vars.
	(ptr_into_pool_p): Make it inline.
	(stats_update): Add arg pool and update the new pool specific
	counters.
	(_gcry_secmem_malloc_internal): Add arg xhint and allocate overflow
	pools as needed.
	(_gcry_secmem_malloc): Pass XHINTS along.
	(_gcry_secmem_realloc_internal): Ditto.
	(_gcry_secmem_realloc): Ditto.
	(_gcry_secmem_free_internal): Take multiple pools in account.  Add
	return value to indicate whether the arg was freed.
	(_gcry_secmem_free): Add return value to indicate whether the arg was
	freed.
	(_gcry_private_is_secure): Take multiple pools in account.
	(_gcry_secmem_term): Release all pools.
	(_gcry_secmem_dump_stats): Print stats for all pools.
	* src/stdmem.c (_gcry_private_free): Replace _gcry_private_is_secure
	test with a direct call of _gcry_secmem_free to avoid double checking.

	Give the secmem allocators a hint when a xmalloc calls them.
	+ commit 1433fce11c90bb44ada51071f342ad67b469ea81
	* src/secmem.c (_gcry_secmem_malloc): New not yet used arg XHINT.
	(_gcry_secmem_realloc): Ditto.
	* src/stdmem.c (_gcry_private_malloc_secure): New arg XHINT to be
	passed to the secmem functions.
	(_gcry_private_realloc): Ditto.
	* src/g10lib.h (GCRY_ALLOC_FLAG_XHINT): New.
	* src/global.c (do_malloc): Pass this flag as XHINT to the private
	allocator.
	(_gcry_malloc_secure): Factor code out to ...
	(_gcry_malloc_secure_core): this.  Add arg XHINT.
	(_gcry_realloc): Factor code out to ...
	(_gcry_realloc_core): here.  Add arg XHINT.
	(_gcry_strdup): Factor code out to ...
	(_gcry_strdup_core): here.  Add arg XHINT.
	(_gcry_xrealloc): Use the core function and pass true for XHINT.
	(_gcry_xmalloc_secure): Ditto.
	(_gcry_xstrdup): Ditto.

	Reorganize code in secmem.c.
	+ commit 2bc361485d8bc0d8cdb3b4ae6e304885eeaab889
	* src/secmem.c (pooldesc_t): New type to collect information about one
	pool.
	(pool_size): Remove.  Now a member of pooldesc_t.
	(pool_okay): Ditto.
	(pool_is_mmapped): Ditto.
	(pool): Rename variable ...
	(mainpool): And change type to pooldesc_t.
	(ptr_into_pool_p): Add arg 'pool'.
	(mb_get_next): Ditto.
	(mb_get_prev): Ditto.
	(mb_merge): Ditto.
	(mb_get_new): Ditto.
	(init_pool): Ditto.
	(lock_pool): Rename to ...
	(lock_pool_pages): this.
	(secmem_init): Rename to ...
	(_gcry_secmem_init_internal): this.  Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_secmem_malloc_internal): Add local var POOL and init with
	address of MAINPOOL.
	(_gcry_private_is_secure): Ditto.
	(_gcry_secmem_term): Ditto.
	(_gcry_secmem_dump_stats): Ditto.
	(_gcry_secmem_free_internal): Ditto.  Remove check for NULL arg.
	(_gcry_secmem_free): Add check for NULL arg before taking the lock.
	(_gcry_secmem_realloc): Factor most code out to ...
	(_gcry_secmem_realloc_internal): this.

2016-11-28  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests: Add PBKDF2 tests for Stribog512.
	+ commit a8b2d8b502d9cbc9157c261f12e4623ec20b3960
	* tests/t-kdf.c (check_pbkdf2): Add Stribog512 test cases from TC26's
	additions to PKCS#5.

	tests: Add Stribog HMAC tests from TC26ALG.
	+ commit 432eaf2ab83631a4e70ad4ecd20a9b6f81c1c329
	* tests/basic.c (check_mac): add HMAC test vectors from TC26ALG document
	for Stribog.

	cipher: Add Stribog OIDs from TC26 space.
	+ commit d0940e3d194296bc334f06f97ae91b411e1f152f
	* cipher/stribog.c (oid_spec_stribog256, oid_spec_stribog512): New.

2016-11-28  Justus Winter  <justus@g10code.com>

	tests: Fix memory leak.
	+ commit 4bfec0a52af8c847f558b9ade56d896c224019b3
	* tests/basic.c (check_gost28147_cipher): Free cipher handles.

2016-11-25  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	Cast oid argument of gcry_cipher_set_sbox to disable compiler warning.
	+ commit a22d7bb3945cec2d8a6b23d8f2bd2f675bb2f4e6
	* src/gcrypt.h.in (gcry_cipher_set_sbox): Cast oid to (void *).

	gost: Rename tc26 s-box from A to Z.
	+ commit 298cb926d28ae76ab2af1b028e7b06ae2358a234
	* cipher/gost-s-box.c (gost_sboxes): Rename TC26_A to TC26_Z as it is
	the name that ended up in all standards.

	tests: Add test to verify GOST 28147-89 against known results.
	+ commit 76fa65940ff9d4baf17b42f671191720b9ea96f1
	* tests/basic.c (check_gost28147_cipher): new test function.

2016-11-17  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	cipher/gost28147: Fix CryptoPro-B S-BOX.
	+ commit 15718db54b2888a704b020cb1032954b443c6686
	* cipher/gost-s-box.c: CryptoPro_B s-box missed one line, resulting in
	incorrect encryption/decryption using that s-box.  Add missing data.

2016-11-01  NIIBE Yutaka  <gniibe@fsij.org>

	cipher: Fix IDEA cipher for clearing memory.
	+ commit bf6d5b10cb4173826f47ac080506b68bb001acb2
	* cipher/idea.c (invert_key): Use wipememory, since this kind of memset
	may be removed by compiler optimization.

2016-10-09  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	GCM: Add bulk processing for ARMv8/AArch64 implementation.
	+ commit bfd732f53a9b5dfe14217a68a0fa289bf6913ec0
	* cipher/cipher-gcm-armv8-aarch64-ce.S: Add 6 blocks bulk processing.

	GCM: Add bulk processing for ARMv8/AArch32 implementation.
	+ commit 27747921cb1dfced83c5666cd1c474764724c52b
	* cipher/cipher-gcm-armv8-aarch32-ce.S: Add 4 blocks bulk processing.
	* tests/basic.c (check_digests): Print correct data length for "?"
	tests.
	(check_one_mac): Add large 1000000 bytes tests, when input is "!" or
	"?".
	(check_mac): Add "?" tests vectors for HMAC, CMAC, GMAC and POLY1305.

2016-09-11  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Twofish.
	+ commit 5418d9ca4c0e087fd6872ad350a996fe74880d86
	* cipher/Makefile.am: Add 'twofish-aarch64.S'.
	* cipher/twofish-aarch64.S: New.
	* cipher/twofish.c: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'twofish-aarch64.lo'.

2016-09-05  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Aarch64 assembly implementation of Camellia.
	+ commit de73a2e7237ba7c34ce48bb5fb671aa3993de832
	* cipher/Makefile.am: Add 'camellia-aarch64.S'.
	* cipher/camellia-aarch64.S: New.
	* cipher/camellia-glue.c [USE_ARM_ASM][__aarch64__]: Set stack burn
	size to zero.
	* cipher/camellia.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac [host=aarch64]: Add 'rijndael-aarch64.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of AES.
	+ commit 4cd8d40d698564d24ece2af24546e34c58bf2961
	* cipher/Makefile.am: Add 'rijndael-armv-aarch64-ce.S'.
	* cipher/rijndael-armv8-aarch64-ce.S: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): Enable for ARMv8/AArch64.
	* configure.ac: Add 'rijndael-armv-aarch64-ce.lo' and
	'rijndael-armv8-ce.lo' for ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of GCM.
	+ commit 0b332c1aef03a735c1fb0df184f74d523deb2f98
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch64-ce.S'.
	* cipher/cipher-gcm-armv8-aarch64-ce.S: New.
	* cipher/cipher-internal.h (GCM_USE_ARM_PMULL): Enable on
	ARMv8/AArch64.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-256.
	+ commit 2d4bbc0ad62c54bbdef77799f9db82d344b7219e
	* cipher/Makefile.am: Add 'sha256-armv8-aarch64-ce.S'.
	* cipher/sha256-armv8-aarch64-ce.S: New.
	* cipher/sha256-armv8-aarch32-ce.S: Move round macros to correct
	section.
	* cipher/sha256.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha256-armv8-aarch64-ce.lo'; Swap places for
	'sha512-arm.lo' and 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch64 Crypto Extension implementation of SHA-1.
	+ commit e4eb03f56683317c908cb55be727832810dc8c72
	* cipher/Makefile.am: Add 'sha1-armv8-aarch64-ce.S'.
	* cipher/sha1-armv8-aarch64-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): Enable on ARMv8/AArch64.
	* configure.ac: Add 'sha1-armv8-aarch64-ce.lo'.

2016-09-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add AArch64 assembly implementation of AES.
	+ commit 595251ad37bf1968261d7e781752513f67525803
	* cipher/Makefile.am: Add 'rijndael-aarch64.S'.
	* cipher/rijndael-aarch64.S: New.
	* cipher/rijndael-internal.h: Enable USE_ARM_ASM if __AARCH64EL__ and
	HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS defined.
	* configure.ac (gcry_cv_gcc_aarch64_platform_as_ok): New check.
	[host=aarch64]: Add 'rijndael-aarch64.lo'.

2016-08-17  Werner Koch  <wk@gnupg.org>

	Release 1.7.3.
	+ commit f8241874971478bdcd2bc2082d901d05db7b256d
	* configure.ac: Set LT version to C21/A1/R3.

	random: Hash continuous areas in the csprng pool.
	+ commit 8dd45ad957b54b939c288a68720137386c7f6501
	* random/random-csprng.c (mix_pool): Store the first hash at the end
	of the pool.

	random: Improve the diagram showing the random mixing.
	+ commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513
	* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.

2016-07-19  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	crc-intel-pclmul: split assembly block to ease register pressure.
	+ commit f38199dbc290003898a1799adc367265267784c2
	* cipher/crc-intel-pclmul.c (crc32_less_than_16): Split inline
	assembly block handling 4 byte input into multiple blocks.

	rijndael-aesni: split assembly block to ease register pressure.
	+ commit a4d1595a2638db63ac4c73e722c8ba95fdd85ff7
	* cipher/rijndael-aesni.c (do_aesni_ctr_4): Use single register
	constraint for passing 'bige_addb' to assembly block; split
	first inline assembly block into two parts.

2016-07-14  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARMv8/AArch32 Crypto Extension implementation of AES.
	+ commit 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a
	* cipher/Makefile.am: Add 'rijndael-armv8-ce.c' and
	'rijndael-armv-aarch32-ce.S'.
	* cipher/rijndael-armv8-aarch32-ce.S: New.
	* cipher/rijndael-armv8-ce.c: New.
	* cipher/rijndael-internal.h (USE_ARM_CE): New.
	(RIJNDAEL_context_s): Add 'use_arm_ce'.
	* cipher/rijndael.c [USE_ARM_CE] (_gcry_aes_armv8_ce_setkey)
	(_gcry_aes_armv8_ce_prepare_decryption)
	(_gcry_aes_armv8_ce_encrypt, _gcry_aes_armv8_ce_decrypt)
	(_gcry_aes_armv8_ce_cfb_enc, _gcry_aes_armv8_ce_cbc_enc)
	(_gcry_aes_armv8_ce_ctr_enc, _gcry_aes_armv8_ce_cfb_dec)
	(_gcry_aes_armv8_ce_cbc_dec, _gcry_aes_armv8_ce_ocb_crypt)
	(_gcry_aes_armv8_ce_ocb_auth): New.
	(do_setkey) [USE_ARM_CE]: Add ARM CE/AES HW feature check and key
	setup for ARM CE.
	(prepare_decryption, _gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth) [USE_ARM_CE]: Add
	ARM CE support.
	* configure.ac: Add 'rijndael-armv8-ce.lo' and
	'rijndael-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of GCM.
	+ commit 962b15470663db11e5c35b86768f1b5d8e600017
	* cipher/Makefile.am: Add 'cipher-gcm-armv8-aarch32-ce.S'.
	* cipher/cipher-gcm-armv8-aarch32-ce.S: New.
	* cipher/cipher-gcm.c [GCM_USE_ARM_PMULL]
	(_gcry_ghash_setup_armv8_ce_pmull, _gcry_ghash_armv8_ce_pmull)
	(ghash_setup_armv8_ce_pmull, ghash_armv8_ce_pmull): New.
	(setupM) [GCM_USE_ARM_PMULL]: Enable ARM PMULL implementation if
	HWF_ARM_PMULL HW feature flag is enabled.
	* cipher/cipher-gcm.h (GCM_USE_ARM_PMULL): New.

	Add ARMv8/AArch32 Crypto Extension implementation of SHA-256.
	+ commit 34c64eb03178fbfd34190148fec5a189df2b8f83
	* cipher/Makefile.am: Add 'sha256-armv8-aarch32-ce.S'.
	* cipher/sha256-armv8-aarch32-ce.S: New.
	* cipher/sha256.c (USE_ARM_CE): New.
	(sha256_init, sha224_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha256_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports.
	(SHA256_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha256-armv8-aarch32-ce.lo'.

	Add ARMv8/AArch32 Crypto Extension implementation of SHA-1.
	+ commit 3d6334f8d94c2a4df10eed203ae928298a4332ef
	* cipher/Makefile.am: Add 'sha1-armv8-aarch32-ce.S'.
	* cipher/sha1-armv7-neon.S (_gcry_sha1_transform_armv7_neon): Add
	missing size.
	* cipher/sha1-armv8-aarch32-ce.S: New.
	* cipher/sha1.c (USE_ARM_CE): New.
	(sha1_init): Check features for HWF_ARM_SHA1.
	[USE_ARM_CE] (_gcry_sha1_transform_armv8_ce): New.
	(transform) [USE_ARM_CE]: Use ARMv8 CE implementation if HW supports
	it.
	* cipher/sha1.h (SHA1_CONTEXT): Add 'use_arm_ce'.
	* configure.ac: Add 'sha1-armv8-aarch32-ce.lo'.

	Add HW feature check for ARMv8 AArch64 and crypto extensions.
	+ commit eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f
	* configure.ac: Add '--disable-arm-crypto-support'; enable hwf-arm
	module on 64-bit ARM.
	(armcryptosupport, gcry_cv_gcc_inline_aarch32_crypto)
	(gcry_cv_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto): New.
	* src/g10lib.h (HWF_ARM_AES, HWF_ARM_SHA1, HWF_ARM_SHA2)
	(HWF_ARM_PMULL): New.
	* src/hwf-arm.c [__aarch64__]: Enable building in AArch64 mode.
	(feature_map_s): New.
	[__arm__] (AT_HWCAP, AT_HWCAP2, HWCAP2_AES, HWCAP2_PMULL)
	(HWCAP2_SHA1, HWCAP2_SHA2, arm_features): New.
	[__aarch64__] (AT_HWCAP, AT_HWCAP2, HWCAP_ASIMD, HWCAP_AES)
	(HWCAP_PMULL, HWCAP_SHA1, HWCAP_SHA2, arm_features): New.
	(get_hwcap): Add reading of 'AT_HWCAP2'; Change auxv use
	'unsigned long'.
	(detect_arm_at_hwcap): Add mapping of HWCAP/HWCAP2 to HWF flags.
	(detect_arm_proc_cpuinfo): Add mapping of CPU features to HWF flags.
	(_gcry_hwf_detect_arm): Use __ARM_NEON instead of legacy __ARM_NEON__.
	* src/hwfeatures.c (hwflist): Add 'arm-aes', 'arm-sha1', 'arm-sha2'
	and 'arm-pmull'.

2016-07-14  Werner Koch  <wk@gnupg.org>

	Release 1.7.2.
	+ commit be0bec7d9208b2f2d2ffce9cc2ca6154853e7e59
	* configure.ac: Set LT version to C21/A1/R2.
	* Makefile.am (distcheck-hook): New.

2016-07-13  Werner Koch  <wk@gnupg.org>

	build: Update config.{guess,sub} to {2016-05-15,2016-06-20}.
	+ commit e535ea1bdc42309553007d60599d3147b8defe93
	* build-aux/config.guess: Update.
	* build-aux/config.sub: Update.

2016-07-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix unaligned accesses with ldm/stm in ChaCha20 and Poly1305 ARM/NEON.
	+ commit 1111d311fd6452abd4080d1072c75ddb1b5a3dd1
	* cipher/chacha20-armv7-neon.S (UNALIGNED_STMIA8)
	(UNALIGNED_LDMIA4): New.
	(_gcry_chacha20_armv7_neon_blocks): Use new helper macros instead of
	ldm/stm instructions directly.
	* cipher/poly1305-armv7-neon.S (UNALIGNED_LDMIA2)
	(UNALIGNED_LDMIA4): New.
	(_gcry_poly1305_armv7_neon_init_ext, _gcry_poly1305_armv7_neon_blocks)
	(_gcry_poly1305_armv7_neon_finish_ext): Use new helper macros instead
	of ldm instruction directly.

2016-07-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bench-slope: add unaligned buffer mode.
	+ commit 496790940753226f96b731a43d950bd268acd97a
	* tests/bench-slope.c (unaligned_mode): New.
	(do_slope_benchmark): Unalign buffer if in unaligned mode enabled.
	(print_help, main): Add '--unaligned' parameter.

2016-07-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix static build.
	+ commit cb79630ec567a5f2e03e5f863cda168faa7b8cc8
	* tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.

2016-06-30  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Disallow encryption/decryption if key is not set.
	+ commit 07de9858032826f5a7b08c372f6bcc73bbb503eb
	* cipher/cipher.c (cipher_encrypt, cipher_decrypt): If mode is not
	NONE, make sure that key is set.
	* cipher/cipher-ccm.c (_gcry_cipher_ccm_set_nonce): Do not clear
	'marks.key' when resetting state.

	Avoid unaligned accesses with ARM ldm/stm instructions.
	+ commit a6158a01a4d81a5d862e1e0a60bfd6063443311d
	* cipher/rijndael-arm.S: Remove __ARM_FEATURE_UNALIGNED ifdefs, always
	compile with unaligned load/store code paths.
	* cipher/sha512-arm.S: Ditto.

	Fix non-PIC reference in PIC for poly1305/ARMv7-NEON.
	+ commit a09126242a51c4ea4564b0f70b808e4f27fe5a91
	* cipher/poly1305-armv7-neon.S (GET_DATA_POINTER): New.
	(_gcry_poly1305_armv7_neon_init_ext): Use GET_DATA_POINTER.

	Fix wrong CPU feature #ifdef for SHA1/AVX.
	+ commit 4a983e3bef58b9d056517e25e0ab10b72d12ceba
	* cipher/sha1-avx-amd64.S: Check for HAVE_GCC_INLINE_ASM_AVX instead of
	HAVE_GCC_INLINE_ASM_AVX2 & HAVE_GCC_INLINE_ASM_BMI2.

2016-06-30  Werner Koch  <wk@gnupg.org>

	random: Remove debug message about not supported getrandom syscall.
	+ commit 6965515c73632a088fb126a4a55e95121671fa98
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove log_debug
	for getrandom error ENOSYS.

2016-06-27  Werner Koch  <wk@gnupg.org>

	tests: Do not test SHAKE128 et al with gcry_md_hash_buffer.
	+ commit 4d634a098742ff425b324e9f2a67b9f62de09744
	* tests/benchmark.c (md_bench): Do not test variable lengths algos
	with the gcry_md_hash_buffer.

	md: Improve diagnostic when using SHAKE128 with gcry_md_hash_buffer.
	+ commit ae26edf4b60359bfa5fe3a27b2c24b336e7ec35c
	* cipher/md.c (md_read): Detect missing read function.
	(_gcry_md_hash_buffers): Return an error.

2016-06-25  Werner Koch  <wk@gnupg.org>

	ecc: Fix memory leak.
	+ commit 7a7f7c147f888367dfee6093d26bfeaf750efc3a
	* cipher/ecc.c (ecc_check_secret_key): Do not init point if already
	set.

	doc: Update yat2m.
	+ commit 1feb01940062a74c27230434fc3babdddca8caf4
	* doc/yat2m.c: Update from Libgpg-error.

	tests: Add attributes to helper functions.
	+ commit c870cb5d385c1d6e1e28ca481cf9cf44b3bfeea9
	* tests/t-common.h (die, fail, info): Add attributes.
	* tests/random.c (die, inf): Ditto.
	* tests/pubkey.c (die, fail, info): Add attributes.
	* tests/fipsdrv.c (die): Add attribute.
	(main): Take care of missing --key,--iv,--dt options.

	Improve robustness and help lint.
	+ commit 5a5b055b81ee60a22a846bdf2031516b1c24df98
	* cipher/rsa.c (rsa_encrypt): Check for !DATA.
	* cipher/md.c (search_oid): Check early for !OID.
	(md_copy): Use gpg_err_code_from_syserror.  Replace chains of if(!err)
	tests.
	* cipher/cipher.c (search_oid): Check early for !OID.
	* src/misc.c (do_printhex): Allow for BUFFER==NULL even with LENGTH>0.
	* mpi/mpicoder.c (onecompl): Allow for A==NULL to help static
	analyzers.

	cipher: Improve fatal error message for bad use of gcry_md_read.
	+ commit 3f98b1e92d5afd720d7cea5b4e8295c5018bf9ac
	* cipher/md.c (md_read): Use _gcry_fatal_error instead of BUG.

2016-06-16  Niibe Yutaka  <gniibe@fsij.org>

	ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
	+ commit b0b70e7fe37b1bf13ec0bfc8effcb5c7f5db6b7d
	* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
	(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
	cofactor as 1, when not specified.

	ecc: Default cofactor 1 for PUBKEY_FLAG_PARAM.
	+ commit 0f3a069211d8d24a61aa0dc2cc6c4ef04cc4fab7
	* cipher/ecc.c (ecc_check_secret_key, ecc_sign, ecc_verify)
	(ecc_encrypt_raw, ecc_decrypt_raw, compute_keygrip): Set default
	cofactor as 1, when not specified.

2016-06-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.1.
	+ commit 48aa6d6602564d6ba0cef10cf08f9fb0c59b3223


	doc: Describe envvars.
	+ commit c3173bbe3f1a9c73f81a538dd49ccfa0447bfcdc
	* doc/gcrypt.texi: Add chapter Configuration.

	random: Change names of debug envvars.
	+ commit 131b4f0634cee0e5c47d2250c59f51127b10f7b3
	* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
	GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
	* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
	GCRYPT_RNDW32_NOPERF.

2016-06-14  Werner Koch  <wk@gnupg.org>

	cipher: Assign OIDs to the Serpent cipher.
	+ commit e13a6a1ba53127af602713d0c2aaa85c94b3cd7e
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New. Add them to the specs below.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

	cipher: Assign OIDs to the Serpent cipher.
	+ commit 6cc2100c00a65dff07b095dea7b32cb5c5cd96d4
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New. Add them to the specs below.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

2016-06-08  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	+ commit 1f769e3e8442bae2f1f73c656920bb2df70153c0
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	+ commit 52cdfb1960808aaad48b5a501bbce0e3141c3961
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

	Fix gcc portability on Solaris 9 SPARC boxes.
	+ commit b766ea14ad1c27d6160531b200cc70aaa479c6dc
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-06-08  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	+ commit dc76313308c184c92eb78452b503405b90fc7ebd
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	compiler supports PCLMUL *and* SSE4.1.
	* cipher/crc.c: Ditto.
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-06-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	+ commit bd39eb9fba47dc8500c83769a679cc8b683d6c6e
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-06-08  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	+ commit c05837211e5221d3f56146865e823bc20b4ff1ab
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-06-03  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	+ commit ef6e4d004b10f5740bcd2125fb70e199dd21e3e8
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	+ commit 82df6c63a72fdd969c3923523f10d0cef5713ac7
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

2016-06-02  Werner Koch  <wk@gnupg.org>

	Fix gcc portability on Solaris 9 SPARC boxes.
	+ commit 4121f15122501d8946f1589b303d1f7949c15e30
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-05-28  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	+ commit 3e8074ecd3a534e8bd7f11cf17f0b22d252584c8
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	compiler supports PCLMUL *and* SSE4.1.
	* cipher/crc.c: Ditto.
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	+ commit c7430aa752232aa690c5d8f16575a345442ad8d7
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-04-26  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	+ commit ee5a32226a7ca4ab067864e06623fc11a1768900
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-04-19  Werner Koch  <wk@gnupg.org>

	asm fix for older gcc versions.
	+ commit caa9d14c914bf6116ec3f773a322a94e2be0c0fb
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

	asm fix for older gcc versions.
	+ commit 4545372c0f8dd35aef2a7abc12b588ed1a4a0363
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

2016-04-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.0.
	+ commit 795f9cb090c776658a0e3117996e3fb7e2ebd94a


2016-04-14  Werner Koch  <wk@gnupg.org>

	tests: Add test vectors for 256 GiB test of SHA3-256.
	+ commit 1737c546dc7268fa9edcd4a23b7439c56d37ee4f
	* tests/hashtest.c: Add new test vectors.

2016-04-14  Justus Winter  <justus@g10code.com>

	src: Improve S-expression parsing.
	+ commit 491586bc7f7b9edc6b78331a77e653543983c9e4
	* src/sexp.c (do_vsexp_sscan): Return an error if a closing
	parenthesis is encountered with no matching opening parenthesis.

2016-04-14  Werner Koch  <wk@gnupg.org>

	cipher: Add constant for 8 bit CFB mode.
	+ commit 47c6a1f88eb763e9baa394e34d873b761abcebbe
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
	* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.

	tests: Add a new test for S-expressions.
	+ commit 88c6b98350193abbdcfb227754979b0c097ee09c
	* tests/t-sexp.c (compare_to_canon): New.
	(back_and_forth_one): Add another test.

2016-04-13  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix corner cases for X25519.
	+ commit 8472b71812e71c69d66e2fcc02a6e21b66755f8b
	* cipher/ecc.c (ecc_encrypt_raw): For invalid input, return
	GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
	it's not an error, thus, let it return 0.
	(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
	X25519, not by the name of the curve.
	(ecc_decrypt_raw): For invalid input, return GPG_ERR_INV_DATA instead
	of aborting with log_fatal.  For X25519, it's not an error by its
	definition, but we deliberately let it return the error to detect
	looks-like-encrypted-message.
	* tests/t-cv25519.c: Add points to record the issue.

2016-04-12  Werner Koch  <wk@gnupg.org>

	cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
	+ commit b6d2a25a275a35ec4dbd53ecaa9ea0ed7aa99c7b
	* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
	aad_leftover and aad_nleftover to u_mode.ocb.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
	aad_nleftover.
	(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
	to ...
	(ocb_aad_finalize): New.
	(compute_tag_if_needed): Call new function.
	* tests/basic.c (check_ocb_cipher_splitaad): New.
	(check_ocb_cipher): Call new function.
	(main): Also call check_cipher_modes with --cipher-modes.

2016-04-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix X25519 computation on Curve25519.
	+ commit ee7e1a0e835f8ffcfbcba2a44abab8632db8fed5
	* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
	PUBKEY_FLAG_DJB_TWEAK is enabled.
	(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
	* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

	ecc: Fix initialization of EC context.
	+ commit 7fbdb99b8c56360adfd1fb4e7f4c95e0f8aa34de
	* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
	(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialization
	by _gcry_mpi_ec_p_internal_new should carry FLAGS.

2016-04-06  Werner Koch  <wk@gnupg.org>

	Allow building with configure option --enable-hmac-binary-check.
	+ commit 65c63144b66392f40b991684789b8b793248e3ba
	* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
	* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
	* src/hmac256.c (main): Add option --stdkey

2016-04-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Positive values in computation.
	+ commit 6f386ceae86a058e26294f744750f1ed2a95e604
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
	coefficients A and B are positive.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
	"P - T" instead of "-T", so that the result will be positive.
	(_gcry_ecc_eddsa_verify): Likewise.
	* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
	instead of _gcry_ecc_update_curve_param.
	* mpi/ec.c (ec_subm): Make sure the result will be positive.
	(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
	mpi_sub instead of mpi_neg.
	(add_points_edwards): Simply use ec_addm.
	* tests/t-mpi-point.c (test_curve): Define curves with positive
	coefficients.

2016-04-01  Werner Koch  <wk@gnupg.org>

	mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
	+ commit 862cf19a119427dd7ee7959a36c72d905f5ea5ca
	* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
	(mpi_fromstr): Check against this limit.
	(_gcry_mpi_scan): Ditto.
	* tests/mpitests.c (test_maxsize): New.
	(main): Call that test.

2016-03-31  Werner Koch  <wk@gnupg.org>

	cipher: Remove specialized rmd160 functions.
	+ commit fcce0cb6e8af70b134c6ecc3f56afa07a7d31f27
	* cipher/rmd160.c: Replace rmd.h by hash-common.h.
	(RMD160_CONTEXT): Move from rmd.h to here.
	(_gcry_rmd160_init): Remove.
	(_gcry_rmd160_mixblock): Remove.
	(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
	* cipher/md.c: Remove rmd.h which was not actually used.
	* cipher/rmd.h: Remove.
	* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
	* configure.ac (USE_RMD160): Allow building without RMD160.

	random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
	+ commit a9cbe2d1f6a517a831517da8bc1d29e3e0b2c0c0
	* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
	(_gcry_sha1_mixblock): New.
	* random/random-csprng.c: Include sha1.h instead of rmd.h.
	(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

	cipher: Move sha1 context definition to a separate file.
	+ commit 142a479a484cb4e84d0561be9b05b44dac9e6fe2
	* cipher/sha1.c: Replace hash-common.h by sha1.h.
	(SHA1_CONTEXT): Move to ...
	* cipher/sha1.h: New.  Always include all flags.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.

2016-03-29  Werner Koch  <wk@gnupg.org>

	tests: Fix buffer overflow in bench-slope.
	+ commit 48ee918400762281bec5b6fc218a9f0d119aac7c
	* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
	strncat.

2016-03-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: GCM: check that length of supplied tag is one of valid lengths.
	+ commit f2260e3a2e962ac80124ef938e54041bbea08561
	* cipher/cipher-gcm.c (is_tag_length_valid): New.
	(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
	* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
	valid tag lengths and negative test vectors with invalid lengths.

2016-03-24  Peter Wu  <peter@lekensteyn.nl>

	cipher: Fix memleaks in (self)tests.
	+ commit 4a064e2a06fe737f344d1dfd8a45cc4c2abbe4c9
	* cipher/dsa.c: Release memory for MPI and sexp structures.
	* cipher/ecc.c: Release memory for sexp structure.
	* tests/keygen.c: Likewise.

	Mark constant MPIs as non-leaked.
	+ commit 470a30db241a2d567739ef2adb2a2ee64992d8b4
	* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.

2016-03-23  Werner Koch  <wk@gnupg.org>

	Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
	+ commit fea5971488e049f902d7912df22a945bc755ad6d
	* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
	* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

	* tests/basic.c (_check_gcm_cipher): Check that new feature.
	(_check_poly1305_cipher): Ditto.
	(check_ccm_cipher): Ditto.
	(do_check_ocb_cipher): Ditto.
	(check_ctr_cipher): Add negative test for new feature.

	cipher: Avoid NULL-segv in GCM mode if a key has not been set.
	+ commit e709d86fe596a4bcf235799468947c13ae657d78
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
	has been initialized.
	(_gcry_cipher_gcm_decrypt): Ditto.
	(_gcry_cipher_gcm_authenticate): Ditto.
	(_gcry_cipher_gcm_initiv): Ditto.
	(_gcry_cipher_gcm_tag): Ditto.

	cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
	+ commit 7c9c82feecf94a455c66d9c38576f36c9c4b484c
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
	provided tag length matches the actual tag length.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for Poly1305.
	+ commit 6821e1bd94969106a70e3de17b86f6e6181f4e59
	* cipher/cipher-poly1305.c: Copy a fixed length instead of the
	user-supplied number.

2016-03-23  Werner Koch  <wk@gnupg.org>

	cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
	+ commit 15785bc9fb1787554bf371945ecb191830c15bfd
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
	tag length matches the actual tag length.  Avoid gratuitous return
	statements.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for GCM.
	+ commit d3d7bdf8215275b3b20690dfde3f43dbe25b6f85
	* cipher/cipher-gcm.c: Copy a fixed length instead of the user-supplied
	number.
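
The tag-length handling in the GCM and Poly1305 entries above (2016-03-23 and 2016-03-27), shown as an added example that is not libgcrypt code: the tag lives in a fixed 16-byte buffer, so copying or comparing a caller-supplied number of bytes reads past it; the hardened version refuses a handle with no tag, validates the requested length against the tag sizes GCM allows (for Poly1305 only the full 16 bytes would be accepted), and compares in constant time. The structure, error codes, function names and the demo tag bytes are invented for illustration.

```c
/* Added example, not libgcrypt code: tag retrieval and verification for an
 * AEAD handle whose tag sits in a fixed-size buffer.  Names, error codes and
 * the demo tag bytes are invented for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 16   /* full 128-bit GCM tag */

enum { ERR_OK = 0, ERR_INV_LENGTH = 1, ERR_CHECKSUM = 2, ERR_NO_KEY = 3 };

struct aead_ctx {
    unsigned char tag[TAG_MAX];  /* computed when the message is finalised */
    int tag_ready;               /* 0 until a key was set and the tag exists */
};

/* Tag lengths GCM permits (NIST SP 800-38D): 128 down to 96 bits in byte
 * steps, plus 64 and 32 bits.  A Poly1305 variant would accept only 16. */
static int is_tag_length_valid(size_t n)
{
    switch (n) {
    case 16: case 15: case 14: case 13: case 12: case 8: case 4:
        return 1;
    default:
        return 0;
    }
}

/* Constant-time comparison: no early exit, so timing does not reveal the
 * position of the first mismatching byte. */
static int buf_eq_const(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The "before" shape: copies however many bytes the caller asks for out of
 * the 16-byte tag, so outlen > 16 reads past it.  Kept only for contrast;
 * nothing below calls it. */
int gettag_unchecked(const struct aead_ctx *c, unsigned char *out, size_t outlen)
{
    memcpy(out, c->tag, outlen);
    return ERR_OK;
}

/* The "after" shape: refuse a handle with no tag, refuse lengths that are
 * not valid tag lengths, then copy (check == 0) or compare (check != 0)
 * exactly buflen bytes of the fixed-size tag. */
int aead_tag(const struct aead_ctx *c, unsigned char *buf, size_t buflen, int check)
{
    if (!c->tag_ready)
        return ERR_NO_KEY;
    if (!is_tag_length_valid(buflen))
        return ERR_INV_LENGTH;
    if (!check) {
        memcpy(buf, c->tag, buflen);  /* a truncated tag is the leading bytes */
        return ERR_OK;
    }
    return buf_eq_const(buf, c->tag, buflen) ? ERR_OK : ERR_CHECKSUM;
}

/* Constructed tag bytes for the demo; a real handle gets these from GHASH. */
static void demo_init(struct aead_ctx *c)
{
    for (size_t i = 0; i < TAG_MAX; i++)
        c->tag[i] = (unsigned char)(0xA0 + i);
    c->tag_ready = 1;
}

int demo_oversized_request(void)    /* asks for 32 bytes: ERR_INV_LENGTH */
{
    struct aead_ctx c; unsigned char out[32];
    demo_init(&c);
    return aead_tag(&c, out, sizeof out, 0);
}

int demo_truncated_roundtrip(void)  /* 12-byte tag: get it, then verify it */
{
    struct aead_ctx c; unsigned char out[12];
    demo_init(&c);
    if (aead_tag(&c, out, sizeof out, 0) != ERR_OK)
        return -1;
    return aead_tag(&c, out, sizeof out, 1);
}

int demo_corrupted_tag(void)        /* one flipped bit: ERR_CHECKSUM */
{
    struct aead_ctx c; unsigned char out[16];
    demo_init(&c);
    aead_tag(&c, out, sizeof out, 0);
    out[5] ^= 0x01;
    return aead_tag(&c, out, sizeof out, 1);
}

int demo_no_key(void)               /* tag never computed: ERR_NO_KEY */
{
    struct aead_ctx c = { {0}, 0 }; unsigned char out[16];
    return aead_tag(&c, out, sizeof out, 0);
}

int main(void)
{
    printf("oversized=%d roundtrip=%d corrupted=%d nokey=%d\n",
           demo_oversized_request(), demo_truncated_roundtrip(),
           demo_corrupted_tag(), demo_no_key());
    return 0;
}
```

The length check matters on both paths: on retrieval it bounds the memcpy, and on verification it stops a caller from presenting a 1-byte "tag" that would be trivially forgeable if the comparison simply used the supplied length.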

2016-03-22  Werner Koch  <wk@gnupg.org>

	tests: Add option --fips to keygen for manual tests.
	+ commit d328095dd4de83b839d9d8c4bdbeec0956971016
	(main): Add option --fips.
	* tests/keygen.c (check_rsa_keys): Create a 2048-bit key with e=65539
