ChangeLog

	failure.

2010-12-14  Niels Möller  <nisse@lysator.liu.se>

	* nettle-types.h: Deleted some unnecessary parenthesis from
	function typedefs.
	(nettle_realloc_func): Moved typedef here...
	* realloc.h: ...from here.

	* buffer.c (nettle_buffer_init_realloc): Use an explicit pointer
	for realloc argument.

2010-12-07  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Copyright): Updated info on blowfish.

2010-11-26  Niels Möller  <nisse@lysator.liu.se>

	Reapplied optimizations (150% speedup on x86_32) and other fixes,
	relicensing them as LGPL.
	* blowfish.c (do_encrypt): Renamed, to...
	(encrypt): ...new name.
	(F): Added context argument. Shift input explicitly, instead of
	reading individual bytes via memory.
	(R): Added context argument.
	(encrypt): Deleted a bunch of local variables. Using the context
	pointer for everything should consume less registers.
	(decrypt): Likewise.
	(initial_ctx): Arrange constants into a struct, to simplify key
	setup.
	(blowfish_set_key): Some simplification.

2010-11-26  Simon Josefsson  <simon@josefsson.org>

	* blowfish.c: New version ported from libgcrypt. License changed
	from GPL to LGPL.

2010-11-25  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (install-shared-nettle): Use INSTALL_DATA, which
	clears the execute permission bits.
	(install-shared-hogweed): Likewise.

2010-11-16  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Updated gmp url.

2010-11-01  Niels Möller  <nisse@lysator.liu.se>

	* tools/misc.c (werror): Don't call exit (copy&paste-error).

2010-10-26  Niels Möller  <nisse@lysator.liu.se>

	* examples/rsa-encrypt.c (main): No extra message for bad options.

	* examples/rsa-keygen.c (main): Added long options. Deleted -?,
	and fixed handling of bad options.

	* examples/next-prime.c (main): Deleted -?, and fixed handling of
	bad options.
	* examples/random-prime.c (main): Likewise.

2010-10-22  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Added long options. Deleted -?,
	and fixed handling of bad options.

	* examples/eratosthenes.c (main): Added long options. Deleted -?,
	and fixed handling of bad options. Renamed -s to -q (long option
	--quiet).

	* tools/pkcs1-conv.c (main): Deleted short alias -? for --help,
	and fixed handling of bad options.
	* tools/sexp-conv.c (parse_options): Likewise.

2010-10-06  Niels Möller  <nisse@lysator.liu.se>

	* memxor.c (memxor3): Optimized.
	(memxor3_common_alignment): New function.
	(memxor3_different_alignment_b): New function.
	(memxor3_different_alignment_ab): New function.
	(memxor3_different_alignment_all): New function.

	* examples/nettle-benchmark.c (time_function): Reorganized, to
	reduce overhead.
	(time_memxor): Also benchmark memxor3.

	* x86_64/memxor.asm: New file.

	* examples/nettle-benchmark.c (overhead): New global variable.
	(time_function): Compensate for call overhead.
	(bench_nothing, time_overhead): New functions.
	(time_memxor): Tweaked src size, making it an integral number of
	words.
	(main): Call time_overhead.

2010-10-01  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/camellia-crypt-internal.asm (ROUND): Reordered sbox
	lookups.

	* testsuite/memxor-test.c: Also test memxor3.

2010-09-30  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Link in memxor.asm, if found.

	* testsuite/testutils.c (test_cipher_cbc): Print more info when
	failing.

	* testsuite/memxor-test.c (test_xor): Added verbose printout.

	* examples/nettle-benchmark.c (time_memxor): Count size of
	unsigned long as "block size" for memxor.

2010-09-24  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/.test-rules.make: Added rule for memxor-test.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added memxor-test.c
	* testsuite/memxor-test.c: New file.

	* memxor.c (memxor_common_alignment): New function.
	(memxor_different_alignment): New function.
	(memxor): Optimized to do word-operations rather than byte
	operations.

	* configure.ac (HAVE_NATIVE_64_BIT): New config.h define.

	Partial revert of 2010-09-20 changes.
	* camellia-set-encrypt-key.c (camellia_set_encrypt_key):
	Reintroduce CAMELLIA_F_HALF_INV, for 32-bit machines.
	* camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Two variants,
	differing in where addition of the key is done.
	* x86/camellia-crypt-internal.asm: Moved addition of key.

2010-09-22  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (BENCH_INTERVAL): Changed unit to
	seconds.
	(time_function): Use clock_gettime with CLOCK_PROCESS_CPUTIME_ID,
	if available. This gives better accuracy, at least on recent
	linux.
	(BENCH_INTERVAL): Reduced to 0.1 s.
	(struct bench_memxor_info): New struct.
	(bench_memxor): New function.
	(time_memxor): New function.
	(main): Use time_memxor. Added optional argument used to limit the
	algorithms being benchmarked.
	(GET_CYCLE_COUNTER): Define also for x86_64.
	(time_memxor): Improved display.

	* examples/Makefile.in (nettle-benchmark): Link using
	$(BENCH_LIBS) rather than $(LIBS).

	* configure.ac: Check for clock_gettime, and add -lrt to
	BENCH_LIBS if needed.

2010-09-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Less quoting when invoking $CC, to allow CC="gcc
	-m32".

	* x86/camellia-crypt-internal.asm (ROUND): Adapted to new key
	convention, moving key xor to the end.

	* camellia-set-encrypt-key.c (CAMELLIA_F_HALF_INV): Deleted macro.
	(camellia_set_encrypt_key): Deleted the CAMELLIA_F_HALF_INV
	operations intended for moving the key xor into the middle of the
	round.

	* camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Moved addition of
	key to the end, to use a 64-bit xor operation.

	* x86_64/camellia-crypt-internal.asm: New file.

	* x86_64/machine.m4 (LREG, HREG, XREG): New macros.

2010-09-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Support shared libraries (dlls) with mingw32.
	Contributed by David Hoyt.

2010-07-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Changed version number to nettle-2.2.

	* Released nettle-2.1.

	* configure.ac: Use camellia-crypt-internal.asm, if available.
	Bumped soname to libnettle.so.4, and reset LIBNETTLE_MINOR to
	zero.

	* x86/machine.m4 (LREG, HREG): Moved macros here, from...
	* x86/aes.m4: ...here.

	* x86/camellia-crypt-internal.asm: New file.

	* nettle.texinfo: Updated and expanded section on DSA.
	Document aes_invert_key, and camellia. Added missing functions
	rsa_sha512_verify and rsa_sha512_verify_digest.

	* camellia.h (struct camellia_ctx): Eliminate the two unused
	subkeys, and renumber the remaining ones.
	* camellia-crypt-internal.c (_camellia_crypt): Updated for
	renumbered subkeys.
	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise.
	* camellia-set-decrypt-key.c (camellia_invert_key): Likewise.

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline
	the expansion of camellia_setup128 and camellia_setup256, keeping
	the unexpanded key in scalar variables.
	(camellia_setup128): Deleted.
	(camellia_setup256): Deleted.

2010-07-24  Niels Möller  <nisse@lysator.liu.se>

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced
	code size, no complete loop unroll. Use one loop for each phase of
	the post-processing.

	* testsuite/camellia-test.c: New tests for camellia_invert_key.
	* testsuite/aes-test.c: New tests for aes_invert_key.

	* aes.h (aes_invert_key): Declare it.

	* aes-set-decrypt-key.c (aes_invert_key): New function, key
	inversion code extracted from aes_set_decrypt_key.
	(aes_set_decrypt_key): Use aes_invert_key.

	* camellia-set-encrypt-key.c (camellia_setup128): Generate
	unmodified subkeys according to the spec. Moved clever combination
	of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.
	(camellia_set_encrypt_key): Moved subkey post-processing code
	here, and reduce code duplication between 128-bit keys and larger
	keys.

	* camellia.c: Deleted file, split into several new files...
	* camellia-table.c (_camellia_table): New file with the constant
	sbox tables.
	* camellia-set-encrypt-key.c: New file.
	(camellia_setup128): Generate unmodified subkeys according to the
	spec. Moved clever combination of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.

	* camellia-set-decrypt-key.c: New file.
	(camellia_invert_key): Key inversion function.
	(camellia_set_decrypt_key): New key setup function.
	* camellia-internal.h: New file.
	* camellia-crypt.c (camellia_crypt): New file, new wrapper
	function passing the sbox table to _camellia_crypt.
	* camellia-crypt-internal.c (_camellia_crypt): New file, with main
	encrypt/decrypt function.
	* Makefile.in (nettle_SOURCES): Updated list of camellia source files.
	(DISTFILES): Added camellia-internal.h.

2010-07-20  Niels Möller  <nisse@lysator.liu.se>

	* camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY.

	* camellia.h (struct camellia_ctx): Replaced flag camellia128 by
	expanded key length nkeys.

	* camellia.c (camellia_set_encrypt_key): Renamed, from...
	(camellia_set_key): ... old name.
	(camellia_invert_key): New function.
	(camellia_set_decrypt_key): New function, using
	camellia_invert_key.
	(camellia_crypt): Renamed, from...
	(camellia_encrypt): ... old name.
	(camellia_decrypt): Deleted, no longer needed. camellia_crypt used
	for both encryption and decryption.

	* nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro.

	* dsa-keygen.c: Removed unnecessary include of memxor.h.

	* camellia.c: Rewrote to use 64-bit type for subkeys and use
	64-bit operations throughout. Performance on x86_32, when compiled
	with gcc-4.4.4, is reduced by roughly 15%, this should be fixed
	later.

	* camellia.h (struct camellia_ctx): Use type uint64_t for subkeys.

2010-07-07  Niels Möller  <nisse@lysator.liu.se>

	* aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const.
	Also updated implementation.
	* blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise.
	* cast128.h (cast128_encrypt, cast128_decrypt): Likewise.
	* serpent.h (serpent_encrypt, serpent_decrypt): Likewise.
	* twofish.h (twofish_encrypt, twofish_decrypt): Likewise.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	camellia-test.c.

	* examples/nettle-benchmark.c: Added camellia ciphers.

	* Makefile.in (nettle_SOURCES): Added camellia.c and
	camellia-meta.c.
	(HEADERS): Added camellia.h.

	* nettle-meta.h (nettle_camellia128): Declare.
	(nettle_camellia192): Likewise.
	(nettle_camellia256): Likewise.

	* camellia-meta.c: New file.

	* camellia.h: Rewrote interface to match nettle conventions.

	* camellia.c: Converted to nettle conventions.
	(camellia_encrypt128, camellia_encrypt256): Unified to new
	function...
	(camellia_encrypt): ...New function, with a loop doing 6
	regular rounds, one FL round and one FLINV round per iteration,
	with iteration count depending on the key size.

	(camellia_decrypt128, camellia_decrypt256): Similarly unified
	as...
	(camellia_decrypt): ...New function, analogous to
	camellia_encrypt.

2010-07-06  Niels Möller  <nisse@lysator.liu.se>

	* camellia.c, camellia.h: New files, copied from
	http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.

	* testsuite/camellia-test.c: New file.

2010-07-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Document new conventions for weak key and des
	parity checks. Document des_check_parity.

	* testsuite/des-test.c (test_weak): Don't check the deleted status
	attribute.

	* des-compat.c (des_key_sched): Rewrote error checking logic for
	the case of non-zero des_check_key.

	* des3.c (des3_set_key): Changed weak key detection logic.
	Complete key setup also for weak keys, and don't set the status
	attribute.

	* des.c (des_set_key): New iteration logic, to keep key pointer
	unchanged. Moved weak key check to the end, and don't set the
	status attribute.
	(des_encrypt): Ignore status attribute.
	(des_decrypt): Likewise.

	* des.h (enum des_error): Deleted.
	(struct des_ctx): Deleted status attribute.
	(struct des3_ctx): Likewise.

	* blowfish.c (initial_ctx): Deleted status value.
	(blowfish_encrypt): Ignore status attribute.
	(blowfish_decrypt): Likewise.
	(blowfish_set_key): Return result from weak key check, without
	setting the status attribute.

	* blowfish.h (enum blowfish_error): Deleted.
	(struct blowfish_ctx): Deleted status attribute.

	* Makefile.in (des_headers): Deleted parity.h.

2010-06-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/des-test.c (test_des): New function.
	(test_weak): New function.
	(test_main): Use test_des and test_weak. Added tests for all the
	weak keys. Added some tests with invalid (to be ignored) parity
	bits.

	* des.c (parity_16): New smaller parity table.
	(des_check_parity): New function.
	(des_fix_parity): Use parity_16.
	(des_weak_p): New weak-key detection. Ignores parity bits, and
	uses a hash table.
	(des_set_key): Deleted parity checking code. Replaced old weak-key
	detection code by a call to des_weak_p.

2010-06-04  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_dsa_key): Updated for new name
	DSA_SHA1_MIN_P_BITS.

	* dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and
	DSA_SHA256_MIN_P_BITS.

	* dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to...
	(DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New
	names.

	* sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits.
	Renamed parameter limit to p_max_bits.
	(dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp.
	Updated to call dsa_keypair_from_sexp_alist with the new argument.
	(dsa_sha256_keypair_from_sexp): New function.
	(dsa_signature_from_sexp): New argument q_bits.

	* der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit
	on q. Renamed parameter limit to p_max_bits.
	(dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit
	on q and x. Renamed parameter limit to p_max_bits.

2010-06-03  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Added test for dsa-sha256.

2010-06-02  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Provide expected value of the
	signature.

	* testsuite/testutils.c (test_dsa160): Added argument for expected
	signature.
	(test_dsa256): Likewise.

2010-06-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-keygen-test.c (test_main): Updated expected
	signatures.

	* examples/random-prime.c (main): Updated for nettle_random_prime
	change.
	* testsuite/random-prime-test.c (test_main): Likewise.

	* rsa-keygen.c (bignum_random_prime): Deleted function.
	(rsa_generate_keypair): Use new nettle_random_prime. Generate
	secret factors p and q with the two most significant bits set.

	* dsa-keygen.c (dsa_generate_keypair): Updated for changes in
	nettle_random_prime and _nettle_generate_pocklington_prime. Invoke
	progress callback.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	argument top_bits_set, to optionally generate primes with the two
	most significant bits set. Reordered argument list.
	(nettle_random_prime): Likewise, added top_bits_set argument.
	Invoke progress callback when a prime is generated.

2010-05-26  Niels Möller  <nisse@lysator.liu.se>

	* dsa-keygen.c (dsa_generate_keypair): Use
	_nettle_generate_pocklington_prime. Deleted old key generation
	code.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): Also
	return the used r. Updated caller.

	* examples/random-prime.c (main): Allow sizes down to 3 bits.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	function. Rely on mpz_probab_prime_p (for lack of a trial division
	function) for trial division.
	(nettle_random_prime): Rewritten. Uses the prime table for the
	smallest sizes, then trial division using a new set of tables, and
	then Maurer's algorithm, calling the new
	_nettle_generate_pocklington_prime for the final search.

2010-05-25  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Updated for dsa testing
	changes.

	* testsuite/dsa-keygen-test.c (test_main): Test dsa256.

	* testsuite/testutils.h (struct nettle_mac): New struct, currently
	unused.

	* testsuite/testutils.c (test_mac): New function (currently not
	used).
	(test_dsa): Replaced by two new functions...
	(test_dsa160): New function.
	(test_dsa256): New function.
	(test_dsa_key): New argument q_size.
	(DSA_VERIFY): Generalized.

	* dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating
	primes using Pocklington's theorem. Takes both p_size and q_size
	as arguments.

2010-05-20  Niels Möller  <nisse@lysator.liu.se>

	* bignum-random-prime.c (miller_rabin_pocklington): Fixed broken
	logic when Miller-rabin succeeds early.

2010-04-09  Niels Möller  <nisse@lysator.liu.se>

	* bignum-next-prime.c: Include stdlib.h, needed for alloca on
	freebsd.
	* hmac.c: Likewise.

	* examples/Makefile.in (SOURCES): Added random-prime.c.

	* examples/random-prime.c: New program.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved
	knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from
	TS_HOGWEED_SOURCES.
	(TS_HOGWEED_SOURCES): Added random-prime-test.c.

	* testsuite/random-prime-test.c: New test case.

	* examples/next-prime.c (main): With no command line arguments.
	exit after dislaying usage message.

	* examples/io.c (simple_random): Free buffer when done.

	* configure.ac: Changed message, say CC is the recommended
	way to configure the ABI.

	* bignum-random.c: Deleted test of HAVE_LIBGMP.
	* bignum.c: Likewise.
	* sexp2bignum.c: Likewise.

	* Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c.

	* bignum-random-prime.c (nettle_random_prime): New file, new
	function.

2010-03-31  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Benchmark sha224.

2010-03-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify
	rename.
	(test_dsa): Check return value from dsa_sha1_sign.

	* Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c,
	dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c.

	* dsa.h: Updated and added dsa declarations.

	* dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new
	function.
	(dsa_sha256_verify): New function.
	* dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new
	function.
	(dsa_sha256_sign): New function.

	* dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and
	renamed function, from dsa_verify_digest, rewrote to use
	_dsa_verify.
	(dsa_sha1_verify): Analogous change, renamed from dsa_verify.
	* dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and
	renamed function, from dsa_sign_digest, rewrote to use _dsa_sign,
	and added return value.
	(dsa_sha1_sign): Analogous change, renamed from dsa_sign.

	* dsa-verify.c (_dsa_verify): New general verification function,
	for any hash.
	* dsa-sign.c (_dsa_sign): New general signing function, for any
	hash. Returns success code, like the rsa signture functions.

2010-03-29  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ABI): Attempt to use a better, ABI-dependant,
	default value for libdir.

	* x86/md5-compress.asm: Fixed function name in epilogue.

	* asm.m4 (EPILOGUE): Use . to refer to current address.

	* configure.ac (ABI): Detect which ABI the compiler is using.
	On x86_64, also check for __arch64__.

2010-03-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (asm_path): For x86_64, check if compiler is
	generating 32-bit code.

2010-03-27  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (test_main): Rewrote rest of tests to use
	HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from
	RFC 4231.

	* Makefile.in (nettle_SOURCES): Added hmac-sha224.c and
	hmac-sha384.c.

	* hmac.h: Added declarations of hmac-sha224 and hmac-sha384.

	* hmac-sha224.c: New file.

2010-03-26  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (HMAC_TEST): New macro.
	(test_main): Use HMAC_TEST for the md5 and sha1 tests, and add
	test vectors from Daniel Kahn Gillmor.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c.

	* Makefile.in (nettle_SOURCES): Added sha224-meta.c and
	write-be32.c.
	(DISTFILES): Added nettle-write.h.

	* sha.h: Added declarations for sha224. Some are aliases for the
	corresponding sha256 definition.

	* sha256.c (sha256_digest): Use _nettle_write_be32.
	(sha224_init): New function.
	(sha224_digest): New function.

	* sha1.c (sha1_digest): Use _nettle_write_be32.

	* nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE)
	(NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into
	account.

	* nettle-write.h: New file.

	* write-be32.c (_nettle_write_be32): New file, new function.

	* sha224-meta.c: New file.

2010-03-25  Niels Möller  <nisse@lysator.liu.se>

	* hmac-sha384.c: New file.

	* testsuite/sha224-test.c: New file.

	* testsuite/md4-test.c (test_main): More test vectors, provided by
	Daniel Kahn Gillmor.
	* testsuite/md5-test.c (test_main): Likewise.
	* testsuite/sha1-test.c (test_main): Likewise.
	* testsuite/sha256-test.c (test_main): Likewise.
	* testsuite/sha384-test.c (test_main): Likewise.
	* testsuite/sha512-test.c (test_main): Likewise.

	* configure.ac: Bumped version numbers. Package version
	nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0.

	* examples/nettle-benchmark.c (main): Benchmark sha384.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c.

	* testsuite/sha384-test.c: New file.

	* Makefile.in (nettle_SOURCES): Added sha384-meta.c.

	* sha384-meta.c: New file.

	* sha.h: Added declarations for sha384. Some are aliases for the
	corresponding sha512 definition.

	* sha512.c (sha512_write_digest): New function.
	(sha512_digest): Use it.
	(sha384_init): New function.
	(sha384_digest): New function.

2010-03-24  Niels Möller  <nisse@lysator.liu.se>

	* sha512.c: (sha512_digest): Simplified handling of any final
	partial word of the digest.

	* sha512.c: Reorganized to use _nettle_sha512_compress.

	* sha512-compress.c (_nettle_sha512_compress): Compression
	function extracted from sha512.c to a new file.

	* Makefile.in (nettle_SOURCES): Added sha256-compress.c and
	sha512-compress.c.

	* sha256.c: Reorganized to use _nettle_sha256_compress.

	* sha256-compress.c (_nettle_sha256_compress): Compression
	function extracted from sha256.c to a new file.

	* examples/nettle-benchmark.c (main): Benchmark sha512.

	* rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e
	is less than bit size of n, and check for the unlikely case p = q.

	* rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to
	correspond to pkcs#1 encryption of single byte messagees.

	* pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value
	from rsa_sha1_sign.
	* rsa-compat.c (R_SignFinal): Likewise.

	* rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value
	from pkcs1_rsa_md5_encode.
	(rsa_md5_sign_digest): Check and propagate return value from
	pkcs1_rsa_md5_encode_digest.
	* rsa-md5-verify.c (rsa_md5_verify): Check return value from
	pkcs1_rsa_md5_encode.
	(rsa_md5_verify_digest): Check return value from
	pkcs1_rsa_md5_encode_digest.
	* rsa-sha1-sign.c: Analogous changes.
	* rsa-sha1-verify.c: Analogous changes.
	* rsa-sha256-sign.c: Analogous changes.
	* rsa-sha256-verify.c: Analogous changes.
	* rsa-sha512-sign.c: Analogous changes.
	* rsa-sha512-verify.c: Analogous changes.

	* pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode)
	(pkcs1_rsa_md5_encode_digest): Added return value. Check and
	propagate return value from pkcs1_signature_prefix.
	* pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode)
	(pkcs1_rsa_sha256_encode_digest): Likewise.
	* pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode)
	(pkcs1_rsa_sha1_encode_digest): Likewise.
	* pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode)
	(pkcs1_rsa_sha512_encode_digest): Likewise.

	* pkcs1.c (pkcs1_signature_prefix): Interface change, take both
	the total size and digest size as arguments, and return a status
	code to say if the size was large enough.

	* testsuite/Makefile.in: Added hogweed dependency for the test
	programs.

2010-03-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-test.c (test_main): Test signing with sha512.

	* testsuite/testutils.c (test_rsa_sha512): New function.

	* Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c,
	rsa-sha512-sign.c and rsa-sha512-verify.c.

	* rsa.h: Added prototypes for sha512-related functions.
	(RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased.
	* pkcs1.h: Added prototypes for sha512-related functions.

	* rsa-sha512-verify.c: New file.
	* rsa-sha512-sign.c: New file.
	* pkcs1-rsa-sha512.c: New file.

2010-03-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Added hmac-sha512.c.

	* testsuite/hmac-test.c (test_main): Added test cases for
	hmac-sha512.

	* hmac.h: Declare functions sha512-related functions.
	* hmac-sha512.c (hmac_sha512_set_key): New file.

	Basic sha512 support.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c.
	* testsuite/sha512-test.c: New file.

	* macros.h (READ_UINT64, WRITE_UINT64): New macros.

	* Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c.
	* sha.h: Added sha512-related declarations.
	* nettle-meta.h: Likewise.
	* sha512-meta.c: New file.
	* sha512.c: New file.

2010-03-06  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (distdir): Include x86_64 assembler files.

2010-01-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Check for mpz_powm_sec.

2010-01-13  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on
	$(LIBNETTLE_FORLINK).

	* configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the
	default case. Follows debian, and also makes dlopen of
	libhogweed.so work, without having to use RTLD_GLOBAL.
	(LIBHOGWEED_LINK): Added -L., to find our libnettle.so.

2009-10-21  Niels Möller  <nisse@lysator.liu.se>

	* tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on
	../libhogweed.a.

2009-10-19  Niels Möller  <nisse@lysator.liu.se>

	* tools/pkcs1-conv.c: Updated for dsa/der interface change.

	* der2dsa.c (dsa_public_key_from_der_iterators): Split into two
	new functions...
	(dsa_params_from_der_iterator): New function.
	(dsa_public_key_from_der_iterator): New function.
	(dsa_openssl_private_key_from_der_iterator): Renamed, was
	dsa_private_key_from_der_iterator.
	(dsa_openssl_private_key_from_der): Likewise.
	* dsa.h: Corresponding changees to prototypes and #defines.

2009-10-12  Niels Möller  <nisse@lysator.liu.se>

	* sexp-format.c: Removed conditioning on HAVE_LIBGMP.

	* tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus
	Holmgren.

	* Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c.

	* der2dsa.c: New file, contributed by Magnus Holmgren.
	* dsa2sexp.c: Likewise.
	* dsa.h: Added prototypes.

	* configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor
	version, now it's 1.1.

	* testsuite/rsa2sexp-test.c (test_main): Updated testcase for
	"rsa-pkcs1".

2009-10-11  Niels Möller  <nisse@lysator.liu.se>

	* rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name
	to "rsa-pkcs1".

2009-09-20  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Improved performance by 17% on AMD K7,
	by letting loopmix scramble the instruction order.

2009-09-15  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Cleanup, removing old cruft. Slight
	improvement to ROUND_F1_NOEXP. Slight reduction of
	dependency-chains.

2009-08-25  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds.

	* examples/nettle-benchmark.c (bench_sha1_compress): New function,
	for precise benchmarking of the compression function.

2009-06-08  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-2.0.

2009-06-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0

2009-05-30  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (.texinfo.info): Don't use a temporary output file
	$@T, trust makeinfo to remove output file on errors.

2009-05-19  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Changed license to public domain.

2009-05-11  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Fixes from Karl Berry. Added some more index
	terms.

2009-03-06  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state
	in %eax--%edx only.
	* x86_64/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed.
	(AES_STORE): Reduced offsets.
	(AES_ROUND): Use HREG directly, not MOVE_HREG.

	* x86_64/aes-decrypt-internal.asm: Rearrange register allocation.
	Put SA--SD in %eax--%edx, so the second byte can be accessed as
	%ah-%dh. TD is not needed, SD can be reused. Use the register that
	is saved for the outer loop counter, getting it off the stack.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (HREG, MOVE_HREG): New macros.
	(XREG): Fixed bug in handling of %r8 and %r9.
	(AES_ROUND): Use MOVE_HREG.

2009-02-10  Niels Möller  <nisse@lysator.liu.se>

	* base16-meta.c (base16_encode_update_wrapper): Mark ctx argument
	as UNUSED.

	* testsuite/sexp-conv-test: Updated testcases for improved
	handling of comments.

	* tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline
	to terminate comments, and modify indentation for the case that a
	list starts with a comment.

	* tools/output.c (sexp_output_init): Initialize soft_newline.
	(sexp_put_raw_char): Clear soft_newline.
	(sexp_put_newline): Check and reset soft_newline.
	(sexp_put_soft_newline): New function.

	* tools/output.h (struct sexp_output): Removed union with single
	element, and updated all users. New attribute soft_newline.

2008-12-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(des_headers)): Create files in $(srcdir).

2008-11-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/cxx-test.cxx: Include <cstdio>.

2008-11-22  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so
	that it is set if and only if the aes context has been initialized
	with aes_set_encrypt_key.
	(yarrow256_seed): No need to set ctx->seeded here.
	(yarrow256_update): Likewise.

2008-11-04  Niels Möller  <nisse@lysator.liu.se>

	* examples/next-prime.c (main): Avoid using gmp_fprintf, to stay
	compatible with gmp-3.1.

2008-11-01  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Updated for 2.0. New section on linking.

	* nettle-types.h, nettle-meta.h: Moved all typedefs for function
	types to nettle-types.h. Use non-pointer types, so that the types
	can be used to declare functions. Updated all users.

2008-10-31  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/yarrow-test.c (test_main): Updated for seed file
	changes.

	* sha-example.c (display_hex): Use %02x, not %2x.

2008-10-30  Niels Möller  <nisse@lysator.liu.se>

	* tools/sexp-conv.c (main): Fixed file locking.

2008-10-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0rc1.

	* examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to
	linker.

2008-10-24  Niels Möller  <nisse@lysator.liu.se>

	* sha256.c (ROUND): Simplified macro.

	* yarrow256.c (yarrow256_fast_reseed): Renamed (was
	yarrow_fast_reseed) and made non-static. Don't generate seed file
	here, let the application use yarrow256_random instead.
	(yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made
	non-static.
	(yarrow256_force_reseed): Deleted function, use
	yarrow256_slow_reseed instead. For backwards compatibility,
	yarrow.h defines yarrow256_force_reseed as an alias for that
	function.

	* yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer.

2008-09-17  Niels Möller  <nisse@lysator.liu.se>

	* x86/arcfour-crypt.asm: Improved loop logic, and unrolled
	loop twice. Gave a modest speedup.

2008-09-15  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_seed): Disallow length == 0.

	* base64-decode.c (decode_table): Added vertical tab (VT) and form
	feed (FF) as white space characters.

	* x86_64/aes-decrypt-internal.asm: New file.

2008-09-13  Niels Möller  <nisse@lysator.liu.se>

	* x86/aes-encrypt-internal.asm: Replaced pushl and popl in the
	loop with movl.	Eliminated redundant movl.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4: New file.

	* x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only
	three times through the substitution loop.
	* x86/aes-decrypt-internal.asm: Likewise.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least
	significant byte here.

	* x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. USe
	decl for outer loop.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86/aes.m4 (LREG, HREG): New macros.
	(AES_SUBST_BYTE): Take state registers as argument. Use LREG to
	get the corresponding byte register.
	(AES_ROUND): Use movzbl together with LREG and HREG.
	(AES_SUBST_BYTE): Likewise.

2008-09-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp,