ChangeLog 190 KiB
Niels Möller committed
	* x86/machine.m4 (LREG, HREG): Moved macros here, from...
	* x86/aes.m4: ...here.

	* x86/camellia-crypt-internal.asm: New file.

	* nettle.texinfo: Updated and expanded section on DSA.
	Document aes_invert_key, and camellia. Added missing functions
	rsa_sha512_verify and rsa_sha512_verify_digest.

	* camellia.h (struct camellia_ctx): Eliminate the two unused
	subkeys, and renumber the remaining ones.
	* camellia-crypt-internal.c (_camellia_crypt): Updated for
	renumbered subkeys.
	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise.
	* camellia-set-decrypt-key.c (camellia_invert_key): Likewise.

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline
	the expansion of camellia_setup128 and camellia_setup256, keeping
	the unexpanded key in scalar variables.
	(camellia_setup128): Deleted.
	(camellia_setup256): Deleted.

2010-07-24  Niels Möller  <nisse@lysator.liu.se>

	* camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced
	code size, no complete loop unroll. Use one loop for each phase of
	the post-processing.

	* testsuite/camellia-test.c: New tests for camellia_invert_key.
	* testsuite/aes-test.c: New tests for aes_invert_key.

	* aes.h (aes_invert_key): Declare it.

	* aes-set-decrypt-key.c (aes_invert_key): New function, key
	inversion code extracted from aes_set_decrypt_key.
	(aes_set_decrypt_key): Use aes_invert_key.

	* camellia-set-encrypt-key.c (camellia_setup128): Generate
	unmodified subkeys according to the spec. Moved clever combination
	of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.
	(camellia_set_encrypt_key): Moved subkey post-processing code
	here, and reduce code duplication between 128-bit keys and larger
	keys.

	* camellia.c: Deleted file, split into several new files...
	* camellia-table.c (_camellia_table): New file with the constant
	sbox tables.
	* camellia-set-encrypt-key.c: New file.
	(camellia_setup128): Generate unmodified subkeys according to the
	spec. Moved clever combination of subkeys to camellia_set_encrypt_key.
	(camellia_setup256): Likewise.

	* camellia-set-decrypt-key.c: New file.
	(camellia_invert_key): Key inversion function.
	(camellia_set_decrypt_key): New key setup function.
	* camellia-internal.h: New file.
	* camellia-crypt.c (camellia_crypt): New file, new wrapper
	function passing the sbox table to _camellia_crypt.
	* camellia-crypt-internal.c (_camellia_crypt): New file, with main
	encrypt/decrypt function.
	* Makefile.in (nettle_SOURCES): Updated list of camellia source files.	
	(DISTFILES): Added camellia-internal.h.

2010-07-20  Niels Möller  <nisse@lysator.liu.se>

	* camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY.

	* camellia.h (struct camellia_ctx): Replaced flag camellia128 by
	expanded key length nkeys.

	* camellia.c (camellia_set_encrypt_key): Renamed, from...
	(camellia_set_key): ... old name.
	(camellia_invert_key): New function.
	(camellia_set_decrypt_key): New function, using
	camellia_invert_key.
	(camellia_crypt): Renamed, from...
	(camellia_encrypt): ... old name.
	(camellia_decrypt): Deleted, no longer needed. camellia_crypt used
	for both encryption and decryption.

	* nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro.

	* dsa-keygen.c: Removed unnecessary include of memxor.h.

	* camellia.c: Rewrote to use 64-bit type for subkeys and use
	64-bit operations throughout. Performance on x86_32, when compiled
	with gcc-4.4.4, is reduced by roughly 15%, this should be fixed
	later.

	* camellia.h (struct camellia_ctx): Use type uint64_t for subkeys.

2010-07-07  Niels Möller  <nisse@lysator.liu.se>

	* aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const.
	Also updated implementation.
	* blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise.
	* cast128.h (cast128_encrypt, cast128_decrypt): Likewise.
	* serpent.h (serpent_encrypt, serpent_decrypt): Likewise.
	* twofish.h (twofish_encrypt, twofish_decrypt): Likewise.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
	camellia-test.c.

	* examples/nettle-benchmark.c: Added camellia ciphers.

	* Makefile.in (nettle_SOURCES): Added camellia.c and
	camellia-meta.c.
	(HEADERS): Added camellia.h.

	* nettle-meta.h (nettle_camellia128): Declare.
	(nettle_camellia192): Likewise.
	(nettle_camellia256): Likewise.

	* camellia-meta.c: New file.

	* camellia.h: Rewrote interface to match nettle conventions.

	* camellia.c: Converted to nettle conventions.
	(camellia_encrypt128, camellia_encrypt256): Unified to new
	function...
	(camellia_encrypt): ...New function, with a loop doing 6
	regular rounds, one FL round and one FLINV round per iteration,
	with iteration count depending on the key size.

	(camellia_decrypt128, camellia_decrypt256): Similarly unified
	as...
	(camellia_decrypt): ...New function, analogous to
	camellia_encrypt.

2010-07-06  Niels Möller  <nisse@lysator.liu.se>

	* camellia.c, camellia.h: New files, copied from
	http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz.

	* testsuite/camellia-test.c: New file.

2010-07-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Document new conventions for weak key and des
	parity checks. Document des_check_parity.

	* testsuite/des-test.c (test_weak): Don't check the deleted status
	attribute.

	* des-compat.c (des_key_sched): Rewrote error checking logic for
	the case of non-zero des_check_key.

	* des3.c (des3_set_key): Changed weak key detection logic.
	Complete key setup also for weak keys, and don't set the status
	attribute.

	* des.c (des_set_key): New iteration logic, to keep key pointer
	unchanged. Moved weak key check to the end, and don't set the
	status attribute.
	(des_encrypt): Ignore status attribute.
	(des_decrypt): Likewise.

	* des.h (enum des_error): Deleted.
	(struct des_ctx): Deleted status attribute.
	(struct des3_ctx): Likewise.

	* blowfish.c (initial_ctx): Deleted status value.
	(blowfish_encrypt): Ignore status attribute.
	(blowfish_decrypt): Likewise.
	(blowfish_set_key): Return result from weak key check, without
	setting the status attribute.

	* blowfish.h (enum blowfish_error): Deleted.
	(struct blowfish_ctx): Deleted status attribute.

	* Makefile.in (des_headers): Deleted parity.h.

2010-06-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/des-test.c (test_des): New function.
	(test_weak): New function.
	(test_main): Use test_des and test_weak. Added tests for all the
	weak keys. Added some tests with invalid (to be ignored) parity
	bits.

	* des.c (parity_16): New smaller parity table.
	(des_check_parity): New function.
	(des_fix_parity): Use parity_16.
	(des_weak_p): New weak-key detection. Ignores parity bits, and
	uses a hash table.
	(des_set_key): Deleted parity checking code. Replaced old weak-key
	detection code by a call to des_weak_p.

2010-06-04  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_dsa_key): Updated for new name
	DSA_SHA1_MIN_P_BITS.

	* dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and
	DSA_SHA256_MIN_P_BITS.

	* dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to...
	(DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New
	names.

	* sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits.
	Renamed parameter limit to p_max_bits.
	(dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp.
	Updated to call dsa_keypair_from_sexp_alist with the new argument.
	(dsa_sha256_keypair_from_sexp): New function.
	(dsa_signature_from_sexp): New argument q_bits.

	* der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit
	on q. Renamed parameter limit to p_max_bits.
	(dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit
	on q and x. Renamed parameter limit to p_max_bits.

2010-06-03  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Added test for dsa-sha256.

2010-06-02  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Provide expected value of the
	signature.

	* testsuite/testutils.c (test_dsa160): Added argument for expected
	signature.
	(test_dsa256): Likewise.

2010-06-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-keygen-test.c (test_main): Updated expected
	signatures.

	* examples/random-prime.c (main): Updated for nettle_random_prime
	change.
	* testsuite/random-prime-test.c (test_main): Likewise.

	* rsa-keygen.c (bignum_random_prime): Deleted function.
	(rsa_generate_keypair): Use new nettle_random_prime. Generate
	secret factors p and q with the two most significant bits set.

	* dsa-keygen.c (dsa_generate_keypair): Updated for changes in
	nettle_random_prime and _nettle_generate_pocklington_prime. Invoke
	progress callback.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	argument top_bits_set, to optionally generate primes with the two
	most significant bits set. Reordered argument list.
	(nettle_random_prime): Likewise, added top_bits_set argument.
	Invoke progress callback when a prime is generated.

2010-05-26  Niels Möller  <nisse@lysator.liu.se>

	* dsa-keygen.c (dsa_generate_keypair): Use
	_nettle_generate_pocklington_prime. Deleted old key generation
	code.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): Also
	return the used r. Updated caller.

	* examples/random-prime.c (main): Allow sizes down to 3 bits.

	* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
	function. Rely on mpz_probab_prime_p (for lack of a trial division
	function) for trial division.
	(nettle_random_prime): Rewritten. Uses the prime table for the
	smallest sizes, then trial division using a new set of tables, and
	then Maurer's algorithm, calling the new
	_nettle_generate_pocklington_prime for the final search.

2010-05-25  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/dsa-test.c (test_main): Updated for dsa testing

	* testsuite/dsa-keygen-test.c (test_main): Test dsa256.

	* testsuite/testutils.h (struct nettle_mac): New struct, currently
	unused.

	* testsuite/testutils.c (test_mac): New function (currently not
	used).
	(test_dsa): Replaced by two new functions...
	(test_dsa160): New function.
	(test_dsa256): New function.
	(test_dsa_key): New argument q_size.
	(DSA_VERIFY): Generalized.

	* dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating
	primes using Pocklington's theorem. Takes both p_size and q_size
	as arguments.

2010-05-20  Niels Möller  <nisse@lysator.liu.se>

	* bignum-random-prime.c (miller_rabin_pocklington): Fixed broken
	logic when Miller-Rabin succeeds early.

2010-04-09  Niels Möller  <nisse@lysator.liu.se>

	* bignum-next-prime.c: Include stdlib.h, needed for alloca on
	freebsd.
	* hmac.c: Likewise.

	* examples/Makefile.in (SOURCES): Added random-prime.c.

	* examples/random-prime.c: New program.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved
	knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from
	TS_HOGWEED_SOURCES.
	(TS_HOGWEED_SOURCES): Added random-prime-test.c.

	* testsuite/random-prime-test.c: New test case.

	* examples/next-prime.c (main): With no command line arguments,
	exit after displaying usage message.

	* examples/io.c (simple_random): Free buffer when done.

	* configure.ac: Changed message, say CC is the recommended
	way to configure the ABI.

	* bignum-random.c: Deleted test of HAVE_LIBGMP.
	* bignum.c: Likewise.
	* sexp2bignum.c: Likewise.

	* Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c.

	* bignum-random-prime.c (nettle_random_prime): New file, new
	function.

2010-03-31  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Benchmark sha224.

2010-03-30  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify
	rename.
	(test_dsa): Check return value from dsa_sha1_sign.

	* Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c,
	dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c.

	* dsa.h: Updated and added dsa declarations.

	* dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new
	function.
	(dsa_sha256_verify): New function.
	* dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new
	function.
	(dsa_sha256_sign): New function.

	* dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and
	renamed function, from dsa_verify_digest, rewrote to use
	_dsa_verify.
	(dsa_sha1_verify): Analogous change, renamed from dsa_verify.
	* dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and
	renamed function, from dsa_sign_digest, rewrote to use _dsa_sign,
	and added return value.
	(dsa_sha1_sign): Analogous change, renamed from dsa_sign.

	* dsa-verify.c (_dsa_verify): New general verification function,
	for any hash.
	* dsa-sign.c (_dsa_sign): New general signing function, for any
	hash. Returns success code, like the rsa signature functions.

2010-03-29  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ABI): Attempt to use a better, ABI-dependent,
	default value for libdir.

	* x86/md5-compress.asm: Fixed function name in epilogue.

	* asm.m4 (EPILOGUE): Use . to refer to current address.

	* configure.ac (ABI): Detect which ABI the compiler is using.
	On x86_64, also check for __arch64__.

2010-03-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (asm_path): For x86_64, check if compiler is
	generating 32-bit code.

2010-03-27  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (test_main): Rewrote rest of tests to use
	HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from
	RFC 4231.

	* Makefile.in (nettle_SOURCES): Added hmac-sha224.c and
	hmac-sha384.c.

	* hmac.h: Added declarations of hmac-sha224 and hmac-sha384.

	* hmac-sha224.c: New file.

2010-03-26  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/hmac-test.c (HMAC_TEST): New macro.
	(test_main): Use HMAC_TEST for the md5 and sha1 tests, and add
	test vectors from Daniel Kahn Gillmor.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c.

	* Makefile.in (nettle_SOURCES): Added sha224-meta.c and
	write-be32.c.
	(DISTFILES): Added nettle-write.h.

	* sha.h: Added declarations for sha224. Some are aliases for the
	corresponding sha256 definition.

	* sha256.c (sha256_digest): Use _nettle_write_be32.
	(sha224_init): New function.
	(sha224_digest): New function.

	* sha1.c (sha1_digest): Use _nettle_write_be32.

	* nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE)
	(NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into
	account.

	* nettle-write.h: New file.

	* write-be32.c (_nettle_write_be32): New file, new function.

	* sha224-meta.c: New file.

2010-03-25  Niels Möller  <nisse@lysator.liu.se>

	* hmac-sha384.c: New file.

	* testsuite/sha224-test.c: New file.

	* testsuite/md4-test.c (test_main): More test vectors, provided by
	Daniel Kahn Gillmor.
	* testsuite/md5-test.c (test_main): Likewise.
	* testsuite/sha1-test.c (test_main): Likewise.
	* testsuite/sha256-test.c (test_main): Likewise.
	* testsuite/sha384-test.c (test_main): Likewise.
	* testsuite/sha512-test.c (test_main): Likewise.

	* configure.ac: Bumped version numbers. Package version
	nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0.

	* examples/nettle-benchmark.c (main): Benchmark sha384.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c.

	* testsuite/sha384-test.c: New file.

	* Makefile.in (nettle_SOURCES): Added sha384-meta.c.

	* sha384-meta.c: New file.

	* sha.h: Added declarations for sha384. Some are aliases for the
	corresponding sha512 definition.

	* sha512.c (sha512_write_digest): New function.
	(sha512_digest): Use it.
	(sha384_init): New function.
	(sha384_digest): New function.

2010-03-24  Niels Möller  <nisse@lysator.liu.se>

	* sha512.c (sha512_digest): Simplified handling of any final
	partial word of the digest.

	* sha512.c: Reorganized to use _nettle_sha512_compress.

	* sha512-compress.c (_nettle_sha512_compress): Compression
	function extracted from sha512.c to a new file.

	* Makefile.in (nettle_SOURCES): Added sha256-compress.c and
	sha512-compress.c.

	* sha256.c: Reorganized to use _nettle_sha256_compress.

	* sha256-compress.c (_nettle_sha256_compress): Compression
	function extracted from sha256.c to a new file.

	* examples/nettle-benchmark.c (main): Benchmark sha512.

	* rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e
	is less than bit size of n, and check for the unlikely case p = q.

	* rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to
	correspond to pkcs#1 encryption of single byte messages.

	* pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value
	from rsa_sha1_sign.
	* rsa-compat.c (R_SignFinal): Likewise.

	* rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value
	from pkcs1_rsa_md5_encode.
	(rsa_md5_sign_digest): Check and propagate return value from
	pkcs1_rsa_md5_encode_digest.
	* rsa-md5-verify.c (rsa_md5_verify): Check return value from
	pkcs1_rsa_md5_encode.
	(rsa_md5_verify_digest): Check return value from
	pkcs1_rsa_md5_encode_digest.
	* rsa-sha1-sign.c: Analogous changes.
	* rsa-sha1-verify.c: Analogous changes.
	* rsa-sha256-sign.c: Analogous changes.
	* rsa-sha256-verify.c: Analogous changes.
	* rsa-sha512-sign.c: Analogous changes.
	* rsa-sha512-verify.c: Analogous changes.

	* pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode)
	(pkcs1_rsa_md5_encode_digest): Added return value. Check and
	propagate return value from pkcs1_signature_prefix.
	* pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode)
	(pkcs1_rsa_sha256_encode_digest): Likewise.
	* pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode)
	(pkcs1_rsa_sha1_encode_digest): Likewise.
	* pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode)
	(pkcs1_rsa_sha512_encode_digest): Likewise.

	* pkcs1.c (pkcs1_signature_prefix): Interface change, take both
	the total size and digest size as arguments, and return a status
	code to say if the size was large enough.

	* testsuite/Makefile.in: Added hogweed dependency for the test
	programs.

2010-03-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/rsa-test.c (test_main): Test signing with sha512.

	* testsuite/testutils.c (test_rsa_sha512): New function.

	* Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c,
	rsa-sha512-sign.c and rsa-sha512-verify.c.

	* rsa.h: Added prototypes for sha512-related functions.
	(RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased.
	* pkcs1.h: Added prototypes for sha512-related functions.

	* rsa-sha512-verify.c: New file.
	* rsa-sha512-sign.c: New file.
	* pkcs1-rsa-sha512.c: New file.

2010-03-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle_SOURCES): Added hmac-sha512.c.

	* testsuite/hmac-test.c (test_main): Added test cases for
	hmac-sha512.

	* hmac.h: Declare sha512-related functions.
	* hmac-sha512.c (hmac_sha512_set_key): New file.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c.
	* testsuite/sha512-test.c: New file.

	* macros.h (READ_UINT64, WRITE_UINT64): New macros.

	* Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c.
	* sha.h: Added sha512-related declarations.
	* nettle-meta.h: Likewise.
	* sha512-meta.c: New file.
	* sha512.c: New file.

2010-03-06  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (distdir): Include x86_64 assembler files.

2010-01-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Check for mpz_powm_sec.

2010-01-13  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on
	$(LIBNETTLE_FORLINK).

	* configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the
	default case. Follows debian, and also makes dlopen of
	libhogweed.so work, without having to use RTLD_GLOBAL.
	(LIBHOGWEED_LINK): Added -L., to find our libnettle.so.

2009-10-21  Niels Möller  <nisse@lysator.liu.se>

	* tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on
	../libhogweed.a.

2009-10-19  Niels Möller  <nisse@lysator.liu.se>

	* tools/pkcs1-conv.c: Updated for dsa/der interface change.

	* der2dsa.c (dsa_public_key_from_der_iterators): Split into two
	new functions...
	(dsa_params_from_der_iterator): New function.
	(dsa_public_key_from_der_iterator): New function.
	(dsa_openssl_private_key_from_der_iterator): Renamed, was
	dsa_private_key_from_der_iterator.
	(dsa_openssl_private_key_from_der): Likewise.
	* dsa.h: Corresponding changes to prototypes and #defines.

2009-10-12  Niels Möller  <nisse@lysator.liu.se>

	* sexp-format.c: Removed conditioning on HAVE_LIBGMP.

	* tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus
	Holmgren.

	* Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c.

	* der2dsa.c: New file, contributed by Magnus Holmgren.
	* dsa2sexp.c: Likewise.
	* dsa.h: Added prototypes.

	* configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor
	version, now it's 1.1.

	* testsuite/rsa2sexp-test.c (test_main): Updated testcase for
	"rsa-pkcs1".

2009-10-11  Niels Möller  <nisse@lysator.liu.se>

	* rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name
	to "rsa-pkcs1".

2009-09-20  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Improved performance by 17% on AMD K7,
	by letting loopmix scramble the instruction order.

2009-09-15  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Cleanup, removing old cruft. Slight
	improvement to ROUND_F1_NOEXP. Slight reduction of
	dependency-chains.

2009-08-25  Niels Möller  <nisse@lysator.liu.se>

	* x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds.

	* examples/nettle-benchmark.c (bench_sha1_compress): New function,
	for precise benchmarking of the compression function.

2009-06-08  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-2.0.

2009-06-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0

2009-05-30  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (.texinfo.info): Don't use a temporary output file
	$@T, trust makeinfo to remove output file on errors.

2009-05-19  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Changed license to public domain.

2009-05-11  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Fixes from Karl Berry. Added some more index
	terms.

2009-03-06  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state
	in %eax--%edx only.
	* x86_64/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed.
	(AES_STORE): Reduced offsets.
	(AES_ROUND): Use HREG directly, not MOVE_HREG.

	* x86_64/aes-decrypt-internal.asm: Rearrange register allocation.
	Put SA--SD in %eax--%edx, so the second byte can be accessed as
	%ah-%dh. TD is not needed, SD can be reused. Use the register that
	is saved for the outer loop counter, getting it off the stack.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86_64/aes.m4 (HREG, MOVE_HREG): New macros.
	(XREG): Fixed bug in handling of %r8 and %r9.
	(AES_ROUND): Use MOVE_HREG.

2009-02-10  Niels Möller  <nisse@lysator.liu.se>

	* base16-meta.c (base16_encode_update_wrapper): Mark ctx argument
	as UNUSED.

	* testsuite/sexp-conv-test: Updated testcases for improved
	handling of comments.

	* tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline
	to terminate comments, and modify indentation for the case that a
	list starts with a comment.

	* tools/output.c (sexp_output_init): Initialize soft_newline.
	(sexp_put_raw_char): Clear soft_newline.
	(sexp_put_newline): Check and reset soft_newline.
	(sexp_put_soft_newline): New function.

	* tools/output.h (struct sexp_output): Removed union with single
	element, and updated all users. New attribute soft_newline.

2008-12-22  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in ($(des_headers)): Create files in $(srcdir).

2008-11-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/cxx-test.cxx: Include <cstdio>.

2008-11-22  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so
	that it is set if and only if the aes context has been initialized
	with aes_set_encrypt_key.
	(yarrow256_seed): No need to set ctx->seeded here.
	(yarrow256_update): Likewise.

2008-11-04  Niels Möller  <nisse@lysator.liu.se>

	* examples/next-prime.c (main): Avoid using gmp_fprintf, to stay
	compatible with gmp-3.1.

2008-11-01  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo: Updated for 2.0. New section on linking.

	* nettle-types.h, nettle-meta.h: Moved all typedefs for function
	types to nettle-types.h. Use non-pointer types, so that the types
	can be used to declare functions. Updated all users.

2008-10-31  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/yarrow-test.c (test_main): Updated for seed file
	changes.

	* sha-example.c (display_hex): Use %02x, not %2x.

2008-10-30  Niels Möller  <nisse@lysator.liu.se>

	* tools/sexp-conv.c (main): Fixed file locking.

2008-10-25  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Set version to 2.0rc1.

	* examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to
	linker.

2008-10-24  Niels Möller  <nisse@lysator.liu.se>

	* sha256.c (ROUND): Simplified macro.

	* yarrow256.c (yarrow256_fast_reseed): Renamed (was
	yarrow_fast_reseed) and made non-static. Don't generate seed file
	here, let the application use yarrow256_random instead.
	(yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made
	non-static.
	(yarrow256_force_reseed): Deleted function, use
	yarrow256_slow_reseed instead. For backwards compatibility,
	yarrow.h defines yarrow256_force_reseed as an alias for that
	function.

	* yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer.

2008-09-17  Niels Möller  <nisse@lysator.liu.se>

	* x86/arcfour-crypt.asm: Improved loop logic, and unrolled
	loop twice. Gave a modest speedup.

2008-09-15  Niels Möller  <nisse@lysator.liu.se>

	* yarrow256.c (yarrow256_seed): Disallow length == 0.

	* base64-decode.c (decode_table): Added vertical tab (VT) and form
	feed (FF) as white space characters.

	* x86_64/aes-decrypt-internal.asm: New file.

2008-09-13  Niels Möller  <nisse@lysator.liu.se>

	* x86/aes-encrypt-internal.asm: Replaced pushl and popl in the
	loop with movl.	Eliminated redundant movl.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86_64/aes.m4: New file.

	* x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only
	three times through the substitution loop.
	* x86/aes-decrypt-internal.asm: Likewise.
	* x86_64/aes-encrypt-internal.asm: Likewise.

	* x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least
	significant byte here.

	* x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. Use
	decl for outer loop.
	* x86/aes-decrypt-internal.asm: Likewise.

	* x86/aes.m4 (LREG, HREG): New macros.
	(AES_SUBST_BYTE): Take state registers as argument. Use LREG to
	get the corresponding byte register.
	(AES_ROUND): Use movzbl together with LREG and HREG.
	(AES_SUBST_BYTE): Likewise.

2008-09-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp,
	which must be preserved.

2008-09-08  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (stamp-h.in): Use $(AUTOHEADER).

	* x86_64/sha1-compress.asm: New x86_64 assembler, based on the x86
	version.
	* configure.ac (asm_path): Set up asm_path for x86_64.

	* x86_64/machine.m4: New file, new directory.

2008-08-28  Niels Möller  <nisse@lysator.liu.se>

	* examples/eratosthenes.c (main): Rewrote block-wise sieving to
	use less memory. New options -s and -v.

2008-08-27  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/sexp-conv-test (print_raw, print_nl): Use printf.
	Updated testcases with comments; comments are now preserved.
	* tools/sexp-conv.c (sexp_convert_item): Keep comments in advanced
	output.
	(parse_options): New --lock option.
	(main): Optionally lock output file.

	* tools/parse.c (sexp_check_token): Removed check for "any" token.
	All callers specify the token they expect.
	(sexp_parse): Pass on comment tokens.

	* tools/output.c (sexp_put_data): Made non-static.

	* tools/input.c (sexp_get_comment): New function.
	(sexp_get_token): Use sexp_get_comment.

	* tools/misc.h (enum sexp_token): Start enumeration with zero, zero
	is no longer used to mean any type. New type SEXP_COMMENT.

	* configure.ac: Check for fcntl file locking.

2008-08-26  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (tags-here): Put TAGS file in the source directory.
	* examples/Makefile.in (tags): Likewise.
	* testsuite/Makefile.in (tags): Likewise.
	* tools/Makefile.in (tags): Likewise.

2008-02-29  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (SOURCES): Added next-prime.c.

2008-01-05  Niels Möller  <nisse@lysator.liu.se>

	* examples/Makefile.in (TARGETS): Added eratosthenes and next-prime.
	(next-prime, eratosthenes): New rules.
	(nettle-benchmark): Don't rely on $@.

	* examples/eratosthenes.c (find_first_one): Optimized, using
	slightly larger table.
	(main): Use atol, rather than atoi.

	* testsuite/symbols-test: Check symbols also in libhogweed.

	* examples/next-prime.c: New file.
	Deleted code for detailed timing.

	* Makefile.in (hogweed_SOURCES): Added bignum-next-prime.c.
	(DISTFILES): Added prime-list.h.
	(hogweed_OBJS): Removed $(LIBOBJS).

	* bignum-next-prime.c (nettle_next_prime): Renamed function, for
	name space reasons. Was bignum_next_prime. Updated call in
	rsa-keygen.c.
	(primes): Use prime-list.h.
	(nettle_next_prime): Skip Fermat test. Use mpz_millerrabin
	directly, rather than mpz_probab_prime_p, when the former is
	available.

	* bignum.h (nettle_next_prime): New prototype.

	* rsa-keygen.c (bignum_next_prime): Deleted, moved to
	bignum-next-prime.c. Call with a larger prime limit, this improves
	the running time of lsh-keygen by roughly 25%.

	* prime-list.h: List of odd primes < 2^16.

	* configure.ac: Check for sizeof(long).

2008-01-03  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Removed incorrect UNUSED
	from declaration.

	* bignum-next-prime.c: Moved the bignum_next_prime function to a
	separate file.

2007-09-08  Niels Möller  <nisse@lysator.liu.se>

	* sparc64/aes-encrypt-internal.asm: The directory with the aes.m4
	include file was renamed from "sparc" to "sparc32". Updated include.
	* sparc64/aes-decrypt-internal.asm: Likewise.
	* sparc32/aes-encrypt-internal.asm: Likewise.
	* sparc32/aes-decrypt-internal.asm: Likewise.

2007-09-07  Niels Möller  <nisse@lysator.liu.se>

	* examples/read_rsa_key.c: Include stdlib.h.

2007-06-02  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in: Typo fixes to install targets, spotted by Magnus
	Holmgren.

2007-05-14  Niels Möller  <niels@s3.kth.se>

	* configure.ac: Fixed copy-and-paste errors in shared library
	name setup.

	* config.make.in (LIBNETTLE_SONAME, LIBHOGWEED_SONAME): Define.

	* Makefile.in (libnettle.so, libhogweed.so): Fixed rules.

	* Makefile.in: Split nettle library into two files, libnettle.a
	and libhogweed.a, and similarly for the shared libraries.

	* configure.ac: Bumped nettle so-versions to 3.0. Set hogweed
	so-versions to 1.0. New makefile conditionals IF_SHARED and
	IF_HOGWEED. Renamed WITH_PUBLIC_KEY to WITH_HOGWEED. Deleted
	SHLIBTARGET, SHLIBINSTALL, RSA_EXAMPLES and RSA_TOOLS.

	* config.make.in: Updated for hogweed split.

	* C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the
	Makefile sorts out which files should be compiled.
	* pgp.h: Include bignum.h, don't pretend to work without bignums.

	* pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key)
	(pgp_put_rsa_sha1_signature): Define unconditionally. Removed the
	checking of HAVE_LIBGMP and WITH_PUBLIC_KEY.

	* examples/io.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY.
	* examples/io.c (read_rsa_key): Deleted, moved to...
	* examples/read_rsa_key.c: New file, extracted from io.c.

	* examples/Makefile.in: Use IF_HOGWEED instead of RSA_EXAMPLES.
	Link appropriate programs with -lhogweed.
	(SOURCES): Added read_rsa_key.c.

	* tools/Makefile.in (pkcs1-conv): Use IF_HOGWEED, not @RSA_TOOLS@,
	for configuration. Link with -lhogweed.

	* testsuite/testutils.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY.
	* testsuite/testutils.c: Likewise.

	* testsuite/Makefile.in (TS_NETTLE_SOURCES, TS_HOGWEED_SOURCES):
	Separate test cases using nettle and those also using hogweed.

2007-04-05  Niels Möller  <nisse@lysator.liu.se>

	* Moved in CVS tree. Also renamed directory sparc to sparc32.

2007-02-24  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (clean-here): Remove .lib directory.
	(distclean-here): Remove machine.m4.

2006-12-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: AC_PREREQ 2.61, for AC_PROG_MKDIR_P.

	* config.make.in (datarootdir): New directory variable (for
	autoconf-2.61).

2006-11-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bumped version to 1.16.

	* Released nettle-1.15.

2006-11-27  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: New entry for nettle-1.15.

	* configure.ac (SHLIBMINOR): Bumped version. Library name is now
	libnettle.so.2.6.

	* sha256.c: Changed copyright notice to use the LGPL.