2021-01-19  Werner Koch  <wk@gnupg.org>

	Release 1.9.0.
	+ commit 0dc49af9b5371c5e2f766b70c3bede2b10db9f7e


2021-01-18  Werner Koch  <wk@gnupg.org>

	ecc: Change an error code of gcry_ecc_mul_point.
	+ commit ca5a90bf70598247589078478d237287ca524453
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Return
	GPG_ERR_UNKNOWN_CURVE.

2021-01-15  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	kdf: Add selftest.
	+ commit 7a0da24925361a3109474d0e433511467a9e35d1
	* src/cipher-proto.h (_gcry_kdf_selftest): New.
	* cipher/kdf.c (check_one, selftest_pbkdf2): New.
	(_gcry_kdf_selftest): New.
	* src/fips.c (run_kdf_selftests): New.
	(_gcry_fips_run_selftests): Call run_kdf_selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>
	    Tomáš Mráz  <tm@t8m.info>

	cmac: Add selftest.
	+ commit 385a89e35b0b95f15b4c6e4d5482b1fc6906f7c5
	* cipher/mac-cmac.c (check_one, selftests_cmac_3des): New.
	(selftests_cmac_aes, cmac_selftest): New.
	(cmac_ops): Add cmac_selftest.
	* src/fips.c (run_mac_selftests): Add CMAC selftests.

2021-01-13  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Raise an error when an integer is negative with USG.
	+ commit 00d7c1c632019066a4884930d413ccc044d81af5
	* src/sexp.c (do_vsexp_sscan): Return GPG_ERR_INV_ARG if negative.

2021-01-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Add backward compatibility support for Ed25519 key in SEXP.
	+ commit 4768baf74be03d8973d004725f796aef329c45bf
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Support Ed25519 keys with
	parameter {p,a,b,g,n}.

	ecc: Minor implementation change for _gcry_ecc_get_curve.
	+ commit 3fe7036d05f283df9441d42242f0047b6ea11a32
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Flatten.

2020-12-22  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	hwf-arm: fix incorrect HWCAP2 for SHA1 and SHA2 on AArch32.
	+ commit 6b6bfd57d0a6b2b4577c084db35078cd9fadafa5
	* src/hwf-arm.c (HWCAP2_SHA1, HWCAP2_SHA2): Change from bit indexes to
	flags.

	Add missing prototype for _gcry_mac_selftest.
	+ commit e47f04b4a28947c90db70ccaf93e149cfd5213c9
	* src/cipher-proto.h (_gcry_hmac_selftest): Rename to...
	(_gcry_mac_selftest): ... this.

2020-12-21  NIIBE Yutaka  <gniibe@fsij.org>

	Merge hmac-tests.c into mac-hmac.c.
	+ commit 2ab14b23afc092fd25395954c2a94db932ca4d95
	* cipher/Makefile.am (EXTRA_DIST): Remove hmac-tests.c.
	* cipher/hmac-tests.c: Remove, merge into...
	* cipher/mac-hmac.c: ... here.

2020-12-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	aarch64: mpi/longlong.h: fix operand size mismatch.
	+ commit c59b5b03a063ebc73935dbb10bc4f568faddbedf
	* mpi/longlong.h [__aarch64__] (count_leading_zeros): Use correctly
	sized temporary variable for asm output.

	aarch64: use configure check for assembly ELF directives support.
	+ commit 8352b0ece5237e3f86f1525b072e8f690ad0fa94
	* configure.ac (gcry_cv_gcc_asm_elf_directives): New check.
	(HAVE_GCC_ASM_ELF_DIRECTIVES): New 'config.h' macro.
	* cipher/asm-common-aarch64.h (ELF): Change feature macro check from
	__ELF__ to HAVE_GCC_ASM_ELF_DIRECTIVES.

2020-12-18  NIIBE Yutaka  <gniibe@fsij.org>

	Reorganize self-tests for HMAC.
	+ commit c90fb0d8fb7a84bbcc8d6832de6a554405591850
	* cipher/Makefile.am: Prepare merge of hmac-tests.c into mac-hmac.c.
	* cipher/hmac-tests.c: Ifdef-out run_selftests and _gcry_hmac_selftest.
	* cipher/mac-internal.h: Include cipher-proto.h for selftest.
	(gcry_mac_spec_ops): Add selftest field.
	* cipher/mac-hmac.c: Include hmac-tests.c for migration.
	(hmac_selftest): New.
	(hmac_ops): Add hmac_selftest.
	* cipher/gost28147.c, cipher/mac-cmac.c: Add new field for selftest.
	* cipher/mac-gmac.c, cipher/mac-poly1305.c: Likewise.
	* cipher/mac.c (_gcry_mac_selftest): New.
	* src/fips.c (run_mac_selftests): Rename from run_hmac_selftests.
	Use GCRY_MAC_HMAC_*, and call _gcry_mac_selftest.
	(_gcry_fips_run_selftests): Use run_mac_selftests.

2020-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Prevent link-time optimization from inlining __gcry_burn_stack.
	+ commit 1a83df98b198902ee6d71549231a3af37088d452
	* src/g10lib.h (NOINLINE_FUNC): New attribute macro.
	* src/misc.c (__gcry_burn_stack): Add NOINLINE_FUNC attribute.

	tests/basic: check 32-bit and 64-bit overflow for CTR and ChaCha20.
	+ commit 2065720b5b0642cc1a0e08086a434244ebb1abf2
	* tests/basic.c (check_one_cipher_ctr_reset)
	(check_one_cipher_ctr_overflow): New.
	(check_one_cipher): Add counter overflow tests for ChaCha20 and CTR
	mode.

	chacha20-ppc: fix 32-bit counter overflow handling.
	+ commit ed45eac3b721c1313902b977379fbd4886ccca7b
	* cipher/chacha20-ppc.c (vec_add_ctr_u64, ADD_U64): New.
	(_gcry_chacha20_ppc8_blocks1, _gcry_chacha20_ppc8_blocks4)
	(_gcry_chacha20_poly1305_ppc8_blocks4): Use ADD_U64 when incrementing
	counter.

2020-12-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Put a workaround in tests/random for macOS.
	+ commit 9769b40b54cf010a0c41c4ab05a7a88e17d70613
	* configure.ac [*-apple-darwin*] (USE_POSIX_SPAWN_FOR_TESTS): New.
	* tests/random.c [USE_POSIX_SPAWN_FOR_TESTS] (run_all_rng_tests): New.

2020-11-18  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update to newer autoconf constructs.
	+ commit 9485ca7b5bf11194cff59edbfa6a0fba3bf6162a
	* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Use AS_MESSAGE_LOG_FD
	instead of AC_FD_CC.
	(GNUPG_CHECK_MLOCK): Use AC_LINK_IFELSE instead of AC_TRY_LINK.
	Use AC_RUN_IFELSE instead of AC_TRY_RUN.
	* configure.ac (AC_ISC_POSIX): Replace by AC_SEARCH_LIBS.
	Use AC_USE_SYSTEM_EXTENSIONS instead of AC_GNU_SOURCE.
	Use AS_HELP_STRING instead of AC_HELP_STRING.
	(AC_TYPE_SIGNAL): Remove.
	(AC_DECL_SYS_SIGLIST): Remove.
	* m4/Makefile.am (EXTRA_DIST): Update.
	* m4/onceonly.m4: Remove.
	* m4/socklen.m4: Update from gnulib.
	* m4/libtool.m4: Update from libgpg-error.
	* m4/gpg-error.m4: Update from libgpg-error.
	* m4/noexecstack.m4: Use AS_HELP_STRING instead of AC_HELP_STRING.

	build: Use modern Autoconf check for type.
	+ commit 425bf499185d78aa8fcad6a30b8771e7865d449d
	* configure.ac (byte, ushort, u16, u32, u64): Use AC_CHECK_TYPES.
	* cipher/poly1305.c: Use HAVE_TYPE_U64.
	* src/hmac256.c: Use HAVE_TYPE_U32.
	* src/types.h: Use HAVE_TYPE_BYTE, HAVE_TYPE_USHORT, HAVE_TYPE_U16,
	HAVE_TYPE_U32, and HAVE_TYPE_U64.

	m4: Update with newer autoconf constructs.
	+ commit 908e347fb68b28e180ac816b5050406358e81a0f
	* src/libgcrypt.m4: Replace AC_HELP_STRING with AS_HELP_STRING.

2020-10-30  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Handle removed zeros at the beginning for Ed25519.
	+ commit 361a0588489cf4a539da8debd1771024a1faa218
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Accept private
	key with removed zeros.

2020-10-23  Werner Koch  <wk@gnupg.org>

	random: Allow for a Unicode random seed file on Windows.
	+ commit 24341f58f0d38bd62c45d285bcf8472f82b56135
	* random/random-csprng.c (utf8_to_wchar) [W32]: New.
	(any8bitchar) [W32]: New.
	(my_open): New.  Replace all calls to open with this.

2020-10-01  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Fix typo in comment.
	+ commit 4a50c6b88d6d8d843e50add851a8a5e691349097
	* tests/basic.c: Fix typo in comment.

2020-09-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: clean-up prepare_decryption function.
	+ commit 2051d5bd6f732a36e5a536cba734531a9e2e915f
	* cipher/rijndael-internal.h (rijndael_prepare_decfn_t): New.
	(RIJNDAEL_context_s): New member 'prepare_decryption'.
	* cipher/rijndael-padlock.c (_gcry_aes_padlock_prepare_decryption): New.
	* cipher/rijndael.c (_gcry_aes_padlock_prepare_decryption): New.
	(do_setkey): Setup 'ctx->prepare_decryption' for each acceleration type.
	(prepare_decryption): Remove calls to other prepare decryption functions.
	(check_decryption_preparation): Call 'ctx->prepare_decryption' instead
	of 'prepare_decryption'.

	rijndael: clean-up generic bulk functions.
	+ commit 7679c918ade9d334bc80cb8c10916bbc847ff382
	* cipher/rijndael.c (_gcry_aes_cfb_enc, _gcry_aes_cbc_enc)
	(_gcry_aes_ctr_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_dec)
	(_gcry_aes_ocb_crypt, _gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Remove
	calls to hardware accelerated AES bulk functions.

	cipher: setup bulk functions at each algorithms key setup.
	+ commit 51271eb86bcb0eb89e55a2add9607c503f182c89
	* cipher/cipher-internal.h (cipher_mode_ops_t, cipher_bulk_ops_t): New.
	(gcry_cipher_handle): Define members 'mode_ops' and 'bulk' using new
	types.
	* cipher/cipher.c (_gcry_cipher_open_internal): Remove bulk function
	setup.
	(cipher_setkey): Pass context bulk function pointer to algorithm setkey
	function.
	* cipher/cipher-selftest.c (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter; Use bulk function returned by setkey function.
	* cipher/cipher-selftest.h (_gcry_selftest_helper_cbc)
	(_gcry_selftest_helper_cfb, _gcry_selftest_helper_ctr): Remove bulk
	function parameter.
	* cipher/arcfour.c (arcfour_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/blowfish.c (bf_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_blowfish_ctr_enc, _gcry_blowfish_cbc_dec)
	(_gcry_blowfish_cfb_dec): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/camellia.c (camellia_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_camellia_ctr_enc, _gcry_camellia_cbc_dec)
	(_gcry_camellia_cfb_dec, _gcry_camellia_ocb_crypt)
	(_gcry_camellia_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/cast5.c (cast_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_cast5_ctr_enc, _gcry_cast5_cbc_dec, _gcry_cast5_cfb_dec): Make
	static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest): Pass 'bulk_ops' to setkey function.
	* cipher/chacha20.c (chacha20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/cast5.c (do_tripledes_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_3des_ctr_enc, _gcry_3des_cbc_dec, _gcry_3des_cfb_dec): Make
	static.
	(bulk_selftest_setkey): Change 'hd' parameter to 'bulk_ops'.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(do_des_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/gost28147.c (gost_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/idea.c (idea_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rfc2268.c (do_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/rijndael.c (do_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(rijndael_setkey): Change 'hd' parameter to 'bulk_ops'.
	(_gcry_aes_cfb_enc, _gcry_aes_cfb_dec, _gcry_aes_cbc_enc)
	(_gcry_aes_cbc_dec, _gcry_aes_ctr_enc, _gcry_aes_ocb_crypt)
	(_gcry_aes_ocb_auth, _gcry_aes_xts_crypt): Make static.
	(selftest_basic_128, selftest_basic_192, selftest_basic_256): Pass
	'bulk_ops' to setkey function.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	* cipher/salsa20.c (salsa20_setkey): Change 'hd' parameter to
	'bulk_ops'.
	* cipher/seed.c (seed_setkey): Change 'hd' parameter to 'bulk_ops'.
	* cipher/serpent.c (serpent_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_serpent_ctr_enc, _gcry_serpent_cbc_dec, _gcry_serpent_cfb_dec)
	(_gcry_serpent_ocb_crypt, _gcry_serpent_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/sm4.c (sm4_setkey): Change 'hd' parameter to 'bulk_ops'; Setup
	'bulk_ops' with bulk acceleration functions.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): Make static.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): Do not pass
	bulk function to selftest helper.
	* cipher/twofish.c (twofish_setkey): Change 'hd' parameter to
	'bulk_ops'; Setup 'bulk_ops' with bulk acceleration functions.
	(_gcry_twofish_ctr_enc, _gcry_twofish_cbc_dec)
	(_gcry_twofish_cfb_dec, _gcry_twofish_ocb_crypt)
	(_gcry_twofish_ocb_auth): Make static.
	(selftest_ctr, selftest_cbc, selftest_cfb): Do not pass bulk function
	to selftest helper.
	(selftest, main): Pass 'bulk_ops' to setkey function.
	* src/cipher-proto.h: Forward declare 'cipher_bulk_ops_t'.
	(gcry_cipher_setkey_t): Replace 'hd' with 'bulk_ops'.
	* src/cipher.h: Remove bulk acceleration function prototypes for
	'aes', 'blowfish', 'cast5', 'camellia', '3des', 'serpent', 'sm4' and
	'twofish'.

2020-09-21  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: tidy do_setkey a little bit.
	+ commit e0829ae648d9d9da67cd8a8fae7aa05774a0d0f7
	* cipher/rijndael.c (do_setkey): Reduce number of ifdefs by using
	function pointer for accelerated key-setup.

2020-09-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael-aesni: tweak x86_64 AES-NI for better performance on AMD Zen2.
	+ commit f96989f0e9085fa58b475131d29b37f68ba564ec
	* cipher/rijndael-aesni.c (do_aesni_enc_vec8, do_aesni_dec_vec8): Move
	first round key xoring and last round out to caller.
	(do_aesni_ctr_4): Change low 8-bit counter overflow check to 8-bit
	addition to low-bits and detect overflow from carry flag; Adjust
	slow path to restore counter.
	(do_aesni_ctr_8): Same as above; Interleave first round key xoring and
	first round with CTR generation on fast path; Interleave last round
	with output xoring.
	(_gcry_aes_aesni_cfb_dec, _gcry_aes_aesni_cbc_dec): Add first round
	key xoring; Change order of last round xoring and output xoring
	(shorten the dependency path).
	(_gcry_aes_aesni_ocb_auth): Add first round key xoring and last round
	handling.

2020-08-26  Werner Koch  <wk@gnupg.org>

	build: Allow customization of the signing key.
	+ commit 9cd92ebae21900e54cc3d8b607c8ed1afbf2eb9b
	* Makefile.am (sign-release): Read variables from user configuration.

2020-08-21  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Fix basic.c.
	+ commit fd51bc523d095168ee9367fe3f18d18f7a88ad90
	* tests/basic.c (check_one_hmac): Fix error paths.
	(check_pubkey_crypt): Fix wrong call of gcry_sexp_new.

	ecc: Fix an error path.
	+ commit 65a2cd139e21250e6581a4f610015937e7b91451
	* cipher/ecc-ecdh.c (_gcry_ecc_mul_point): Avoid null dereference on
	error.

2020-07-23  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20-aarch64: improve performance through higher SIMD interleaving.
	+ commit 8d7b1d0a52bde173646e5b42b31d23593eabecf2
	* cipher/chacha20-aarch64.S (ROTATE2, ROTATE2_8, ROTATE2_16)
	(QUARTERROUND2): Replace with...
	(ROTATE4, ROTATE4_8, ROTATE4_16, QUARTERROUND4): ...these.
	(_gcry_chacha20_aarch64_blocks4)
	(_gcry_chacha20_poly1305_aarch64_blocks4): Adjust to use QUARTERROUND4.

	tests/bench-slope: improve CPU frequency auto-detection.
	+ commit f1c3db3bf40e07cfd1a6a92209865ee7a98129ca
	* configure.ac (gcry_cv_have_asm_volatile_memory): Check also if
	assembly memory barrier with input/output register is supported.
	* tests/bench-slope.c (auto_ghz_bench): Change to use base operation
	that takes two CPU cycles and unroll loop by 1024 operations.

	Enable jitter entropy also on non-x86 architectures.
	+ commit 886120f33bd3f10e6e6a09920eca1f9ed81044e7
	* configure.ac: Do not force jentsupport to "n/a" on non-x86
	architectures.

	random/jitterentropy: fix USE_JENT == JENT_USES_GETTIME code path.
	+ commit 4ed9b949485448816a70d86260d572f08ae34621
	* random/jitterentropy-base-user.h (jent_get_nstime): Use 'tv' variable
	instead of non-existing 'time'.

	Camellia AES-NI/AVX/AVX2 size optimization.
	+ commit 4c0e244fc53e0f7b927bfe4cf54695b5d282fd27
	* cipher/camellia-aesni-avx-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds16/fls16' portions of encryption/decryption.
	* cipher/camellia-aesni-avx2-amd64.S: Use loop for handling repeating
	'(enc|dec)_rounds32/fls32' portions of encryption/decryption.

2020-07-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support reading EC point in compressed format for good curves.
	+ commit e0dabf74bf276500257f15b85ded9cf24ccc8334
	* cipher/ecc-curves.c (gcry_ecc_get_curve): Handle G differently.
	* cipher/ecc-misc.c (_gcry_ecc_sec_decodepoint): Support compressed
	representation of EC point.  Rename from _gcry_ecc_os2ec.
	* cipher/ecc-sm2.c (_gcry_ecc_sm2_decrypt): Follow the change.
	* cipher/ecc.c (ecc_decrypt_raw): Likewise.
	* mpi/ec.c (_gcry_mpi_ec_set_point): Likewise.
	* src/ec-context.h: API change _gcry_ecc_sec_decodepoint from
	_gcry_ecc_os2ec.
	* tests/basic.c (check_pubkey): Use compressed representation
	for two public keys of NIST P192 and NIST P256.

2020-07-06  Werner Koch  <wk@gnupg.org>

	mpi: Consider +0 and -0 the same in mpi_cmp.
	+ commit 1f3a92e103d4a8e019d8d022647a2b9fb2681327
	* mpi/mpi-cmp.c (do_mpi_cmp): Check size of U and V.

2020-06-23  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix length computation.
	+ commit 1db1dc7945b111b6e20a8420ad38a358316681ab
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add one only for
	Edwards case.

2020-06-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add SM4 x86-64/AES-NI/AVX2 implementation.
	+ commit 35a78eb248d6bacd2a58477a122a0020d796ce63
	* cipher/Makefile.am: Add 'sm4-aesni-avx2-amd64.S'.
	* cipher/sm4-aesni-avx2-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX2): New.
	(SM4_context) [USE_AESNI_AVX2]: Add 'use_aesni_avx2'.
	[USE_AESNI_AVX2] (_gcry_sm4_aesni_avx2_ctr_enc)
	(_gcry_sm4_aesni_avx2_cbc_dec, _gcry_sm4_aesni_avx2_cfb_dec)
	(_gcry_sm4_aesni_avx2_ocb_enc, _gcry_sm4_aesni_avx2_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth): New.
	(sm4_setkey): Enable AES-NI/AVX2 if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX2]: Add
	AES-NI/AVX2 bulk functions.
	* configure.ac: Add 'sm4-aesni-avx2-amd64.lo'.

	Add SM4 x86-64/AES-NI/AVX implementation.
	+ commit c9a3f1bb91e63033e3bf3e06bdd6075622626d0d
	* cipher/Makefile.am: Add 'sm4-aesni-avx-amd64.S'.
	* cipher/sm4-aesni-avx-amd64.S: New.
	* cipher/sm4.c (USE_AESNI_AVX, ASM_FUNC_ABI): New.
	(SM4_context) [USE_AESNI_AVX]: Add 'use_aesni_avx'.
	[USE_AESNI_AVX] (_gcry_sm4_aesni_avx_expand_key)
	(_gcry_sm4_aesni_avx_crypt_blk1_8, _gcry_sm4_aesni_avx_ctr_enc)
	(_gcry_sm4_aesni_avx_cbc_dec, _gcry_sm4_aesni_avx_cfb_dec)
	(_gcry_sm4_aesni_avx_ocb_enc, _gcry_sm4_aesni_avx_ocb_dec)
	(_gcry_sm4_aesni_avx_ocb_auth, sm4_aesni_avx_crypt_blk1_8): New.
	(sm4_expand_key) [USE_AESNI_AVX]: Use AES-NI/AVX key setup.
	(sm4_setkey): Enable AES-NI/AVX if supported by HW.
	(_gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec, _gcry_sm4_cfb_dec)
	(_gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth) [USE_AESNI_AVX]: Add
	AES-NI/AVX bulk functions.
	* configure.ac: Add 'sm4-aesni-avx-amd64.lo'.

	Optimizations for SM4 cipher.
	+ commit 81fee26bbbae820a311a3ce3ac55e304655c2acd
	* cipher/cipher.c (_gcry_cipher_open_internal): Add SM4 bulk
	functions.
	* cipher/sm4.c (ATTR_ALIGNED_64): New.
	(sbox): Convert to ...
	(sbox_table): ... this structure for sbox hardening as is done
	for AES and GCM.
	(prefetch_sbox_table): New.
	(sm4_t_non_lin_sub): Make inline; Optimize sbox access pattern.
	(sm4_key_lin_sub): Make inline; Tune slightly.
	(sm4_key_sub, sm4_enc_sub): Make inline.
	(sm4_round): Make inline; Take 'x' as separate parameters instead
	of array.
	(sm4_expand_key): Return void; Drop keylen; Unroll loops by 4;
	Wipe sensitive variables at end; Move key-length check to
	'sm4_setkey'.
	(sm4_setkey): Add initial self-test step; Add key-length check;
	Remove burn stack (as variables wiped in 'sm4_expand_key').
	(sm4_do_crypt): Return burn stack depth; Unroll loops by 4.
	(sm4_encrypt, sm4_decrypt): Prefetch sbox table; Return burn
	stack from 'sm4_do_crypt', as it allows tail-call optimization
	by compiler.
	(sm4_do_crypt_blks2): New two parallel block function for greater
	instruction level parallelism.
	(sm4_crypt_blocks, _gcry_sm4_ctr_enc, _gcry_sm4_cbc_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New
	bulk processing functions.
	(selftest_ctr_128, selftest_cbc_128, selftest_cfb_128): New
	bulk processing self-tests.
	(sm4_selftest): Clear SM4 context before use; Use 'sm4_expand_key'
	instead of 'sm4_setkey'; Call bulk processing self-tests.
	* src/cipher.h (_gcry_sm4_ctr_enc, _gcry_sm4_ctr_dec)
	(_gcry_sm4_cfb_dec, _gcry_sm4_ocb_crypt, _gcry_sm4_ocb_auth): New.
	* tests/basic.c (check_ocb_cipher): Add SM4-OCB test vector.

2020-06-18  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: For Ed448, it's only for EdDSA.
	+ commit a6177e1bc948a7af052d62bcd62aa6b5825bfaff
	* cipher/ecc.c (ecc_sign): Ed448 is only for EdDSA.
	Hash algo is determined by the curve.
	(ecc_verify): Likewise.
	* tests/t-ed448.c (one_test): Don't specify (flags eddsa).
	Don't specify hash-algo.

	ecc: Fix the condition for EdDSA data handling.
	+ commit f2847d56cce2afdd993f797812a673495a41c234
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): It may be
	the encoding context which determines EdDSA.  Hash-algo can be
	omitted.  Flags are OR-ed.

	ecc: Support EdDSA with context and enabling PH(M).
	+ commit ba78ad8f19674b94edfdf4998f40feee081481bc
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Simplify.
	(DOM4_0_NONE, DOM4_0_NONE_LEN): Remove.
	(DOM25519, DOM25519_LEN): New.
	(DOM448, DOM448_LEN): New.
	(_gcry_ecc_eddsa_sign): Support EdDSA with context and PH.
	(_gcry_ecc_eddsa_verify): Likewise.
	* tests/t-ed448.c: Add tests with context and PH=1.
	* tests/t-ed448.inp: Add test data.

	ecc: Change EdDSA internal API.
	+ commit 2856ac14ae3e4c9e6288e1f0d8bc1945bb874081
	* cipher/ecc-common.h (_gcry_ecc_eddsa_sign): Last arg is CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Get hash algo from CTX.
	(_gcry_ecc_eddsa_verify): Ditto.
	* cipher/ecc.c (ecc_sign, ecc_verify): Follow the change.

2020-06-17  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Support "label" for EdDSA context in data.
	+ commit 1cf49754694611620fd383327cf127e91f6883df
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Handle ctx->label.

	ecc: Initialize key before handling data.
	+ commit d51a9c259d49c63121fab48bce48d826e9b57733
	* cipher/ecc.c (ecc_sign): Initialize key at first.
	(ecc_verify): Likewise.

	ecc: Add new flag "prehash".
	+ commit 9a640eba6dd7504c90a65151cdaf1e4093a8b475
	* src/cipher.h (PUBKEY_FLAG_PREHASH): New.
	* cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Parse it.

	ecc: No (flags eddsa) required for Ed448.
	+ commit b1721f9b291a4c226caa2bfbe4fefe8fde5216e0
	* cipher/ecc.c (check_secret_key): Ed448 means EdDSA.
	(ecc_generate): Likewise.
	* tests/t-ed448.c (one_test): Remove the flag in key.

	ecc: Support Ed448 by _gcry_ecc_compute_public.
	+ commit 5585ee4947082f932ee01d93dfe295c769e96671
	* cipher/ecc-misc.c (_gcry_ecc_compute_public): Handle Ed448.

2020-06-16  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	tests: Add basic test-vectors for SM4.
	+ commit c1535d0b8797e9b3bbfb5193b6ab23bf788ffd36
	* tests/basic.c (check_ciphers): Add SM4 check and test-vectors.

	Add SM4 symmetric cipher algorithm.
	+ commit ddcce166ab8bc6f51f5b509bcbea13a8746384ec
	* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add sm4.c.
	* cipher/cipher.c (cipher_list, cipher_list_algo301): Add
	_gcry_cipher_spec_sm4.
	* cipher/mac-cmac.c (map_mac_algo_to_cipher): Add cmac SM4.
	(_gcry_mac_type_spec_cmac_sm4): Add cmac SM4.
	* cipher/mac-internal.h: Declare spec_cmac_sm4.
	* cipher/mac.c (mac_list, mac_list_algo201): Add cmac SM4.
	* cipher/sm4.c: New.
	* configure.ac (available_ciphers): Add sm4.
	* doc/gcrypt.texi: Add SM4 document.
	* src/cipher.h: Add declarations for SM4 and cmac SM4.
	* src/gcrypt.h.in (gcry_cipher_algos): Add algorithm ID for SM4.

2020-06-16  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	doc: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and GCRY_MAC_GOST28147_IMIT.
	+ commit 6c571bfda6409d7d668f5d44cea0c6c31e2688be
	* doc/gcrypt.texi: add GCRY_MD_SM3, GCRY_MAC_HMAC_SM3 and
	GCRY_MAC_GOST28147_IMIT.

2020-06-16  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Ed448 key generation.
	+ commit c15cc1a38199cf0d758579eb01d0e88c99cd4b80
	* cipher/ecc.c (ecc_generate): Fix point representation for Ed448.

	ecc,test: Add testing Ed448.
	+ commit c7779e499e9051ee79ed720f576dbf40d90cdfb1


	ecc: Support Ed448 for verify.
	+ commit d1baad35c65030e41fcba69854c57032eee0d111
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_verify): Support Ed448.

	ecc: Support Ed448 signing.
	+ commit 951b37c5038667b461692454397bb058b5e1e184
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Support Ed448.

	ecc: Use SHAKE256 in EdDSA with Ed448.
	+ commit 32d6d73d44d372dd1ec0b08ba03f1b7b085c09d9
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Fix for SHAKE256.

	ecc: Support shake128 and shake256 for message digest.
	+ commit f6815a96e51be44a361ddcd3a20a5b969b1dab1b
	* cipher/pubkey-util.c (get_hash_algo): Add shake128 and shake256.

	ecc: Support Ed448 for key generation.
	+ commit e25446ecc04442b399302ce72db6d5ea2e9e85e8
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_compute_h_d): Support Ed448.
	(_gcry_ecc_eddsa_genkey): Support Ed448, using
	_gcry_ecc_eddsa_compute_h_d.

	ecc: Support Ed448 in decoding point.
	+ commit bd22b029bbf50737f90535c506fba4f812bcf040
	* cipher/ecc-eddsa.c (ecc_ed448_recover_x): New.
	(_gcry_ecc_eddsa_recover_x): Support Ed448.
	(_gcry_ecc_eddsa_decodepoint): Support Ed448.
	* mpi/ec.c (_gcry_mpi_ec_decode_point): For Ed448, use
	_gcry_ecc_eddsa_decodepoint.

	ecc: Add new curve: Ed448.
	+ commit 339b03acf0971a31997901dd674fb75c4dde31d0
	* cipher/ecc-curves.c (curve_aliases): Add Ed448.
	(domain_parms): Add domain parameters for Ed448.
	* tests/curves.c (N_CURVES): Increment.

	ecc: Fix EdDSA encoding for Ed448.
	+ commit 3386aaf84d4d89b6ff931533df2ff82ed3f7c7f9
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Fix point/scalar
	length condition.
	* cipher/ecc-eddsa.c (eddsa_encodempi): The second argument is NBITS.
	(eddsa_encode_x_y): Likewise.
	(_gcry_ecc_eddsa_encodepoint): Follow the change.
	(_gcry_ecc_eddsa_ensure_compact): Likewise.
	(_gcry_ecc_eddsa_decodepoint): Likewise.
	(_gcry_ecc_eddsa_sign): Likewise.  Remove restriction of 256 bits.

2020-06-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix NBITS in domain_parms.
	+ commit db7b2c591004868abedbc2c19d3bb2efebf8529d
	* cipher/ecc-curves.c (cipher/ecc-curves.c): It's NBITS of 'p'.

2020-06-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	rijndael: fix UBSAN warning on left shift by 24 places with type 'int'
	+ commit 6cdd7268fe19b066ddb373e2f3c0b7ebf9b938dd
	* cipher/rijndael.c (do_encrypt_fn, do_decrypt_fn): Cast final
	sbox/inv_sbox look-ups to 'u32' type.

	Disable all assembly modules with --disable-asm.
	+ commit 3060aadec396802af13f08c4b2dd1b28f2a68c5d
	* configure.ac (try_asm_modules): Update description,
	"MPI" => "MPI and cipher".
	(gcry_cv_gcc_arm_platform_as_ok, gcry_cv_gcc_aarch64_platform_as_ok)
	(gcry_cv_gcc_inline_asm_ssse3, gcry_cv_gcc_inline_asm_pclmul)
	(gcry_cv_gcc_inline_asm_shaext, gcry_cv_gcc_inline_asm_sse41)
	(gcry_cv_gcc_inline_asm_avx, gcry_cv_gcc_inline_asm_avx2)
	(gcry_cv_gcc_inline_asm_bmi2, gcry_cv_gcc_amd64_platform_as_ok)
	(gcry_cv_gcc_platform_as_ok_for_intel_syntax)
	(gcry_cv_cc_arm_arch_is_v6, gcry_cv_gcc_inline_asm_neon)
	(gcry_cv_gcc_inline_asm_aarch32_crypto)
	(gcry_cv_gcc_inline_asm_aarch64_neon)
	(gcry_cv_gcc_inline_asm_aarch64_crypto)
	(gcry_cv_cc_ppc_altivec, gcry_cv_gcc_inline_asm_ppc_altivec)
	(gcry_cv_gcc_inline_asm_ppc_arch_3_00): Check for "try_asm_modules".
	* mpi/config.links: Set "mpi_cpu_arch" to "disabled"
	with --disable-asm.

2020-06-05  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	mpicalc: fix typo.
	+ commit 2dd3e27fc53cf408f799d2e7b379c1441e0d62c8
	* src/mpicalc.c (print_help): fix typo in commands description.

2020-06-04  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix flags in mpi_copy for opaque MPI.
	+ commit 78a5a1aa7627afaa24e2ea1eb9b08f1cfdd71561
	* mpi/mpiutil.c (_gcry_mpi_copy): Copy flags.

2020-06-03  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Use opaque MPI for 'd' of Ed25519/EdDSA.
	+ commit 0d8346f84a1f5865da3375ce92420d92fb5ae652
	* cipher/ecc-curves.c (mpi_ec_setup_elliptic_curve): Add FLAGS.
	Use opaque MPI for Ed25519/EdDSA, too.
	(_gcry_mpi_ec_internal_new): Follow the change.
	(_gcry_mpi_ec_new): Likewise.

2020-06-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher-ocb: fix out-of-array stack memory access.
	+ commit 8cfaeae42522778052c36fceccab504826a30cbf
	* cipher/cipher-ocb.c (bit_copy): Do not access memory beyond
	's' array when bitoff > 8.

2020-06-01  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: More fix of off-by-one mistake mpi_invm_pow2.
	+ commit 6a2cd0fe78a9cdc78911694a84b08762dd8658b4
	* mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.

	ecc: Consistently handle parameters as unsigned value.
	+ commit 6f8b1d4cb798375e6d830fd6b73c71da93ee5f3f
	* cipher/ecc-curves.c (_gcry_ecc_get_curve): Parse as unsigned value.

2020-05-27  NIIBE Yutaka  <gniibe@fsij.org>

	sexp: Fix coding of line break.
	+ commit 33c972b6a6fe79aacb0a732d1df9a9deacafca29
	* src/sexp.c (_gcry_sexp_vextract_param): Add missing newline.

2020-05-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Make sure it's the fixed size bytes.
	+ commit eb2288f3b1f338a9aec11d559ec84bdb201960e1
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_decodepoint): Check the size
	of the EC point representation and return GPG_ERR_INV_OBJ if not valid.

2020-05-13  Werner Koch  <wk@gnupg.org>

	ecc: Detect the use of a Montgomery curve earlier in ecc_verify.
	+ commit d0f995afe2e0228d3b9e30b0fc7091631d7d0090
	* cipher/ecc.c (ecc_verify): Do not allow a Montgomery curve.

2020-05-13  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix off-by-one mistake mpi_invm_pow2.
	+ commit 69b55f87053ce2494cd4b38dc600f867bc4355be
	* mpi/mpi-inv.c (mpi_invm_pow2): Avoid out-of-band read/write.

2020-05-12  Werner Koch  <wk@gnupg.org>

	ecc: Initialize a dummy parameter.
	+ commit 75a7b17878e02c3882070d6c86e0d2efbc3d680a
	* cipher/ecc.c (ecc_verify): Rename flags to dummy_flags and
	initialize.

2020-05-06  Dmitry Eremin-Solenikov  <dbaryshkov@gmail.com>

	tests/benchmark.c: fix error message for invalid MAC algo.
	+ commit 79e196a610b1b734a1f573288b148d62787f5281


2020-04-27  Tianjia Zhang  <tianjia.zhang@linux.alibaba.com>

	ecc: Fix typo error in ecc-gost.
	+ commit fe688ce7e14f14d7d3a7e16aa0304d24b5b1a179
	* cipher/ecc-gost.c (_gcry_ecc_gost_verify): Fix typo in comment.

2020-04-27  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix the return value of mpi_invm_generic.
	+ commit f10eb240a30ac115cfeb63848c67a936e1059ab9
	* mpi/mpi-inv.c (mpi_invm_generic): Return correct value.

2020-04-24  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix return value of mpi_invm_generic.
	+ commit bc3b6a6a45cf9fa6cc0556da870628c53570f52f
	* mpi/mpi-inv.c (mpi_invm_generic): Return 0 if inverse does not exist.

	mpi: More use of mpih API for _gcry_mpi_invm.
	+ commit 559ba9b36c9cdf4762d28beb3b4c59665c671818
	* mpi/mpi-inv.c (mpi_invm_pow2): Remove.
	(_gcry_mpi_invm): Use mpih_invm_pow2 instead.

	mpi: Use mpih interface internally for mpi-inv.
	+ commit beefbb90d71d7fbd0b4429472b7d4b39670ff64b
	* mpi/mpi-inv.c (mpih_invm_pow2): Converted from mpi_invm_pow2.
	(mpi_invm_pow2): Use mpih_invm_pow2.

	mpi: Fix size of A in mpi_invm_pow2.
	+ commit efa5151ea1c2a2c049b2651581e71b6becba4e16
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix size of A.

2020-04-23  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: More fix for _gcry_mpi_invm.
	+ commit f81a1dd7317513000e5bc4d1bfffd6d2bfb8c2a2
	* mpi/mpi-inv.c (_gcry_mpi_invm): Fix comments and use of CRT path.

2020-04-22  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Fix off-by-one mistake mpi_invm_pow2.
	+ commit 3bb9f74764b3626ed1116fc7e517921232d6be54
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix computation of iterations.

2020-04-21  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Use mpi_invm_pow2 for mpi_invm.
	+ commit bac01a6cfb3d645ff8439cbd3b310d255735d792
	* mpi/mpi-inv.c (_gcry_mpi_invm): Use mpi_invm_pow2.

	mpi: Fix mpi_invm_pow2.
	+ commit 2a3c58a0b4db01c17da0bf8c035fb1def2af114c
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix the algo implementation.

2020-04-19  Dmitry Baryshkov  <dbaryshkov@gmail.com>

	gost28147: implement special MAC mode called imitovstavka (IMIT)
	+ commit 45f21f871982753716d4a7676d948e8c7d644db5
	* src/gcrypt.h.in (GCRY_MAC_GOST28147_IMIT): New.
	* cipher/gost28147.c (gost_imit_open, gost_imit_close)
	(gost_imit_setkey, gost_imit_setiv, gost_imit_reset, _gost_imit_block)
	(gost_imit_block, gost_imit_write, gost_imit_finish, gost_imit_read)
	(gost_imit_verify, gost_imit_get_maclen, gost_imit_get_keylen)
	(gost_imit_set_extra_info): New functions implementing GOST 28147-89
	MAC (imitovstavka, IMIT) mode.
	* cipher/gost28147.c (gost_imit_ops)
	(_gcry_mac_type_spec_gost28147_imit): declare GOST 28147-89 IMIT
	handler.
	* cipher/mac-internal.h (gcry_mac_handle): add fields to support GOST
	28147-89 IMIT mode.
	* cipher/mac.c (mac_list): add _gcry_mac_type_spec_gost28147_imit.
	(spec_from_algo): handle GCRY_MAC_GOST28147_IMIT.
	* tests/basic.c (check_mac): add GOST28147-89 IMIT test vector.

	mac: add support for gcry_mac_ctl(GCRYCTL_SET_SBOX)
	+ commit d7fa70ed9ddc6e0189a8b59016b1f17717a26865
	* cipher/mac-internal.h (gcry_mac_spec_ops_t): add set_extra_info field
	for providing additional settings.
	* cipher/mac.c (_gcry_mac_ctl): support GCRYCTL_SET_SBOX call.
	* cipher/mac-cmac.c (cmac_ops): set set_extra_info to NULL.
	* cipher/mac-gmac.c (gmac_ops): the same.
	* cipher/mac-hmac.c (hmac_ops): the same.
	* cipher/mac-poly1305.c (poly1305mac_ops): the same.

2020-04-17  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Use mpi_invm_pow2 for N=2^k.
	+ commit 469e2fefb64e3a4bd80995935f82caf416e3a4ae
	* mpi/mpi-inv.c (mpi_invm_pow2): Fix.
	(_gcry_mpi_invm): Use mpi_invm_pow2.

	mpi: Rewrite mpi_invm_odd into mpih_invm_odd.
	+ commit 05ceac8e2f6f28f97428c005d0a318d71d7cf9d9
	* mpi/mpi-inv.c (mpih_invm_odd): Use mpi_ptr_t API.
	(_gcry_mpi_invm): Use _gcry_mpih_mod and mpih_invm_odd.

	mpi: Add _gcry_mpih_cmp_ui.
	+ commit 128045a12139fe2e4be877df59da10c7d4857d9a
	* mpi/mpih-const-time.c (_gcry_mpih_cmp_ui): New.

	mpi: Add internal function mpi_invm_pow2.
	+ commit 515bd6e9fae448e966f71e23635503716201158d
	* mpi/mpi-inv.c (mpi_invm_pow2): New.

2020-04-16  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Add mpi_set_bit_cond.
	+ commit a91bd0211c4e5f0ce575b3a63a36049dd9edbf90
	* mpi/mpiutil.c (_gcry_mpi_set_bit_cond): New.
	* src/mpi.h (mpi_set_bit_cond): New macro.
	(_gcry_mpi_set_bit_cond): New.

	mpi: Add _gcry_mpih_mod.
	+ commit 95bdfd9ce9e114f447f3639e551e8f4f63d024fe
	* mpi/mpi-internal.h (mpih_mod, _gcry_mpih_mod): New.
	* mpi/mpih-const-time.c (_gcry_mpih_mod): New.

	mpih: Expose const-time MPI helper functions.
	+ commit 9b7e0d89006fce0641da05d8ef2696b1fb73145b
	* mpi/Makefile.am (libmpi_la_SOURCES): Add mpih-const-time.c.
	* mpi/ec.c (mpih_set_cond): Move to mpih-const-time.c.
	* mpi/mpi-internal.h: Add macros and declarations.
	* mpi/mpi-inv.c (mpih_add_n_cond): Likewise.
	(mpih_sub_n_cond, mpih_swap_cond, mpih_abs_cond): Likewise.
	* mpi/mpih-const-time.c: New.

2020-04-14  Werner Koch  <wk@gnupg.org>

	sexp: Extend gcry_sexp_extract_param with a multi-string extractor.
	+ commit 32b08e38628b3ed409054db05a7f73b1ab86464a
	* src/sexp.c (_gcry_sexp_vextract_param): Implement "%#s" control
	sequence.

2020-04-14  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Remove hard-coded value for ECC_DIALECT_ED25519.
	+ commit 0ff36e04f7cdef961610e7bc674a9c9ef0fd4853
	* mpi/ec.c (ec_p_init): Remove special handling for Ed25519.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_encodepoint): Fix assumption
	ec->nbits is 256 for EdDSA.
	(_gcry_ecc_eddsa_decodepoint): Likewise.
	(_gcry_ecc_eddsa_verify): Likewise.

2020-04-09  Werner Koch  <wk@gnupg.org>

	sexp: Extend gcry_sexp_extract_param with new format specifiers.
	+ commit 60c179b59e538aebb3a5f7621d92eee60b90c785
	* src/sexp.c (_gcry_sexp_vextract_param): Add new conversion methods.
	* tests/t-sexp.c (check_extract_param): Add corresponding tests.

2020-04-04  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	ppc: avoid using vec_vsx_ld/vec_vsx_st for 2x64-bit vectors.
	+ commit 1250a9cd859d99f487ca8d76a98d70d464324bbe
	* cipher/crc-ppc.c (CRC_VEC_U64_LOAD, CRC_VEC_U64_LOAD_LE)
	(CRC_VEC_U64_LOAD_BE): Remove vec_vsx_ld usage.
	(asm_vec_u64_load, asm_vec_u64_load_le): New.
	* cipher/sha512-ppc.c (vec_vshasigma_u64): Use '__asm__' instead of
	'asm' for assembly block.
	(vec_u64_load, vec_u64_store): New.
	(_gcry_sha512_transform_ppc8): Use vec_u64_load/store instead of
	vec_vsx_ld/vec_vsx_st.
	* configure.ac (gcy_cv_cc_ppc_altivec)
	(gcy_cv_cc_ppc_altivec_cflags): Add check for vec_vsx_ld with
	'unsigned int *' pointer type.

2020-04-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	asm-poly1305-aarch64: fix building with clang.
	+ commit 89b3ded8df969fe5fb31313c60419dd34d36b605
	* cipher/asm-poly1305-aarch64.h (POLY1305_BLOCK_PART25): Use correct
	instruction format for right-shifting.

2020-03-31  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

	libgcrypt.m4: Fix spelling.
	+ commit 6a5743469a4366b1e238d378e427442f04400950


	libgcrypt.m4: Fix spelling.
	+ commit e16e7e619183f36720d17855419860d1dc6fe3a5


2020-03-20  Dmitry Baryshkov  <dbaryshkov@gmail.com>

	tests/basic: add GOST 28147 keymeshing testcase from LibreSSL testsuite.
	+ commit 3441f4c94c49a589c5e323b1526d2d6b5974cf2f
	* tests/basic.c (check_cfb_cipher): add check for GOST 28147 CFB with
	KeyMeshing enabled.

	gost28147: add support for CryptoPro key meshing per RFC 4357.
	+ commit dcee00adbd1c0a2cde1aeed1bb94421e81d0de3b
	* cipher/gost28147.c (gost_do_set_sbox, cryptopro_key_meshing,
	CryptoProMeshingKey, gost_encrypt_block_mesh): New.
	(_gcry_cipher_spec_gost28147_mesh): New cipher with keymeshing,
	(_gcry_cipher_spec_gost28147): Remove OIDs, as this cipher should not
	be selected using these OIDs (they are for CFB with keymeshing).

	* cipher/cipher.c (cipher_list, cipher_list_algo301): add
	_gcry_cipher_spec_gost28147_mesh.

	* src/gcrypt.h.in (GCRY_CIPHER_GOST28147_MESH): New cipher with
	keymeshing.

	* doc/gcrypt.texi (GCRY_CIPHER_GOST28147_MESH): Add definition.

	* tests/basic.c (check_gost28147_cipher, check_gost28147_cipher_basic):
	Run basic tests on GCRY_CIPHER_GOST28147_MESH.

	gost: add keymeshing support per RFC 4357.
	+ commit 18cd3f0c473ae909cdaa5a820faef50d7670fcbb
	* cipher/gost-s-box.c (gost_sbox): define if keymeshing should be
	enabled or not.
	(main): output whether we should enable or disable keymeshing for a
	particular parameters set.

2020-03-18  NIIBE Yutaka  <gniibe@fsij.org>

	DSA,ECDSA: Fix use of mpi_invm.
	+ commit ada758e3019c2585213a132960613b1ac48502b8
	* cipher/dsa.c (sign): Call mpi_invm before _gcry_dsa_modify_k.
	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.

	mpi: Constant time mpi_inv with some conditions.
	+ commit 20082ca965eab5665af60956c4ed72709836b1ed
	* mpi/mpi-inv.c (mpih_add_n_cond, mpih_sub_n_cond, mpih_swap_cond)
	(mpih_abs_cond): New.
	(mpi_invm_odd): New.
	(mpi_invm_generic): Rename from _gcry_mpi_invm.
	(_gcry_mpi_invm): Use mpi_invm_odd for usual odd cases.

2020-03-11  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Support opaque MPI with gcry_mpi_print.
	+ commit b4b04ae6c2e55bc2b24efc663d1eeaa0b3613f4c
	* mpi/mpicoder.c (_gcry_mpi_get_buffer): Return the bytes as-is.

2020-03-09  Werner Koch  <wk@gnupg.org>

	mpi: Abort on division by zero also in _gcry_mpi_tdiv_qr.
	+ commit afbab896fa04d9481dbb9f4d01f607b12e31dcbf
	* mpi/mpi-div.c (_gcry_mpi_tdiv_qr): Error out on division by zero.

2020-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	build: More accurate dependency to -lgpg-error.
	+ commit 9b8ac13761f0407bd701e43b0a65fbada204958f
	* configure.ac (LIBGCRYPT_CONFIG_LIBS): Remove DL_LIBS.
	* src/libgcrypt.c.in: Distinguish static link use case.
	* tests/Makefile.am: Fix use of -lgpg-error.

	build: Fix linking -ldl.
	+ commit c21e5d72e24e62752559f92b1825287298ae2f03
	* src/Makefile.am (libgcrypt_la_LIBADD): Add DL_LIBS.
	(mpicalc_LDADD): Remove DL_LIBS.
	* tests/Makefile.am (standard_ldadd): Remove DL_LIBS.

2020-02-02  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	crc-ppc: fix bad register used for vector load/store assembly.
	+ commit b64b029318e7d0b66123015146614118f466a7a9
	* cipher/crc-ppc.c (CRC_VEC_U64_LOAD_BE): Move implementation to...
	(asm_vec_u64_load_be): ...here; Add "r0" to clobber list for load
	instruction when offset is not zero; Add zero offset path.

	rijndael-aes: use zero offset vector load/store when possible.
	+ commit 89776d45c824032409f581e5fd1db6bf149df57f
	* cipher/rijndael-ppc-common.h (asm_aligned_ld, asm_aligned_st): Use
	zero offset instruction variant when input offset is constant zero.
	* cipher/rijndael-ppc.c (asm_load_be_noswap)
	(asm_store_be_noswap): Likewise.

	Add POWER9 little-endian variant of PPC AES implementation.
