ChangeLog
2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
	compute the scalar used for ecc multiplication.

	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	reduced. Two of the three call sites need that.

	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
	canonical range.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.
	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
	triggers an assert on 64-bit platforms, without above fix.
	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
	the same signature.
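
The entries above (gostdsa_vko, _eddsa_hash, ecc_ecdsa_sign, ecc_ecdsa_verify) all turn on one point: a modular multiplication may return a value that is reduced but not canonical, i.e. congruent to the right residue yet possibly >= p, and any consumer that assumes 0 <= r < p, such as the scalar fed to point multiplication, must be given the canonical form. The following is an added illustration with a constructed 32-bit prime, not Nettle's ecc_mod_mul or ecc_mod_mul_canonical; the toy_ names and the modulus TOY_P are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy modulus p = 2^32 - 5 (a prime), chosen so that the
 * product of two canonical operands (each < 2^32) fits in a uint64_t. */
#define TOY_P UINT64_C(4294967291)

/* Since 2^32 == 5 (mod p), t = hi*2^32 + lo == hi*5 + lo (mod p). */
static uint64_t toy_fold32(uint64_t t)
{
  return (t >> 32) * 5 + (t & UINT64_C(0xffffffff));
}

/* Lazy modular multiplication; a and b must be canonical (< p).
 * The result is congruent to a*b mod p and lies in [0, 2p), but it is
 * NOT necessarily canonical: it may be >= p. Fine as an intermediate,
 * wrong wherever a canonical scalar is required. */
uint64_t toy_mod_mul(uint64_t a, uint64_t b)
{
  uint64_t t = a * b;     /* a, b < 2^32, so no overflow */
  t = toy_fold32(t);      /* now < 6 * 2^32 */
  t = toy_fold32(t);      /* hi <= 5, so t < 25 + 2^32 < 2p */
  return t;
}

/* Constant-time conditional subtraction mapping [0, 2p) onto [0, p).
 * No data-dependent branch: the mask is derived from the borrow of r - p. */
uint64_t toy_canonicalize(uint64_t r)
{
  uint64_t d = r - TOY_P;          /* wraps around exactly when r < p */
  uint64_t mask = 0 - (d >> 63);   /* all ones iff r < p (r, p < 2^33) */
  return d + (mask & TOY_P);       /* r if r < p, else r - p */
}

/* The canonical variant: what a caller that needs a scalar should use. */
uint64_t toy_mod_mul_canonical(uint64_t a, uint64_t b)
{
  return toy_canonicalize(toy_mod_mul(a, b));
}

/* The range invariant a consumer of scalars relies on; the entries above
 * describe an assert firing when it was violated without the fix. */
int toy_is_canonical(uint64_t r)
{
  return r < TOY_P;
}

int main(void)
{
  /* (p-1)^2 == 1 (mod p); the lazy result is p+1, congruent to 1 but
   * outside the canonical range. */
  uint64_t lazy = toy_mod_mul(TOY_P - 1, TOY_P - 1);
  uint64_t canon = toy_mod_mul_canonical(TOY_P - 1, TOY_P - 1);
  printf("lazy      = %llu (canonical: %s)\n",
         (unsigned long long) lazy, toy_is_canonical(lazy) ? "yes" : "no");
  printf("canonical = %llu\n", (unsigned long long) canon);
  return 0;
}
```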

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

2021-03-11  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	New functions.
	* ecc-internal.h: Declare and document new functions.
	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-mul-m.c (ecc_mul_m): Likewise.

2021-03-04  Niels Möller  <nisse@lysator.liu.se>

	Merged initial arm64 code.

2021-02-03  Niels Möller  <nisse@lysator.liu.se>

	* arm64/crypto/gcm-hash.asm: Renamed directory, moved file,...
	* arm64/v8/gcm-hash.asm: ... old name.

2021-02-02  Niels Möller  <nisse@lysator.liu.se>

	* arm64/v8/gcm-hash.asm: Add ".arch armv8-a+crypto" directive.
	Supported by both GNU as and clang (the latter at least from
	version 3.9.1).
	* configure.ac: Don't add -march=armv8-a+crypto to CFLAGS.

2021-01-31  Niels Möller  <nisse@lysator.liu.se>

	* arm64/v8/gcm-hash.asm: New file, contributed by Maamoun TK and
	Michael Weiser.
	* arm64/README: New file. Document endianness issues, contributed
	by Michael Weiser.

2021-02-17  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.1.

2021-02-15  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted
	glue to openssl arcfour.
	(openssl_arcfour128_set_encrypt_key)
	(openssl_arcfour128_set_decrypt_key): Deleted.
	* nettle-internal.h: Deleted declaration.
	* examples/nettle-benchmark.c (aeads): Delete benchmarking.

2021-02-13  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.1.
	(LIBNETTLE_MINOR): Bump minor number, to 8.2.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.2.

2021-02-10  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
	that counter increment should be 3 (129 <= message length <= 192).
	(_nettle_chacha_crypt32_4core): Likewise.

	* testsuite/chacha-test.c (test_chacha_rounds): New function, for
	tests with non-standard round count. Extracted from _test_chacha.
	(_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
	handling. When testing message prefixes of varying length, also
	encrypt the remainder of the message, to catch errors in counter
	value update.
	(test_main): Add a few tests with large messages (16 blocks, 1024
	octets), to improve test coverage for _nettle_chacha_crypt_4core
	and _nettle_chacha_crypt32_4core.

2021-01-25  Niels Möller  <nisse@lysator.liu.se>

	* arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon
	implementation reportedly gave a speedup of 45% on Cortex A9,
	compared to the C implementation, when it was added back in 2013.
	That appears to no longer be the case with more recent processors
	and compilers. And it's even significantly slower than the C
	implementation on some platforms, including the Raspberry Pi 4.
	With the introduction of salsa20-2core.asm, performance of this
	function is also less important.
	* arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons.
	* arm/fat/salsa20-core-internal-2.asm: Deleted file.
	* arm/fat/chacha-core-internal-2.asm: Deleted file.
	* fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup.

2021-01-31  Niels Möller  <nisse@lysator.liu.se>

	New variants, contributed by Nicolas Mora.
	* pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function.
	* pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function.
	* testsuite/pbkdf2-test.c (test_main): Corresponding tests.

2021-01-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with
	all-zero hash. Reported by Guido Vranken.
	* testsuite/ecdsa-verify-test.c: Add corresponding test case.

2021-01-10  Niels Möller  <nisse@lysator.liu.se>

	* fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor
	conditional as defined(__GLIBC_PREREQ), but move to a nested #if
	conditional. Fixes compile error on OpenBSD/powerpc64, reported by
	Jasper Lievisse Adriaanse.

2021-01-04  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.

2020-12-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Enable fat build by default.

2020-12-26  Niels Möller  <nisse@lysator.liu.se>

	* NEWS: News entries for Nettle-3.7.

	* Makefile.in (distdir): Distribute the README files in assembly
	directories.

	* configure.ac: Bump package version, to 3.7.
	(LIBNETTLE_MINOR): Bump minor number, to 8.1.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.1.

2020-12-21  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* fat-ppc.c: Check glibc version, and use getauxval only when available.

2020-12-12  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: More interleaving of independent
	instructions, gives slight speedup on Power9.

2020-12-01  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-4core.asm: Use protected zone below stack
	pointer to save registers, without modifying the stack pointer.
	(QR): Instruction level interleaving in the main loop, written by
	Torbjörn Granlund.

2020-11-30  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4 (m4_unquote): New macro, copied from GMP's
	mpn/asm-defs.m4.

	* chacha-crypt.c: (_nettle_chacha_crypt_4core)
	(_nettle_chacha_crypt32_4core): New functions.
	(_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core):
	Deleted, no longer needed.
	* chacha-internal.h: Add prototypes for _nettle_chacha_4core and
	related functions.
	* configure.ac (asm_nettle_optional_list): Add chacha-4core.asm.
	* powerpc64/fat/chacha-4core.asm: New file.
	* powerpc64/p7/chacha-4core.asm: New file.
	* fat-ppc.c (fat_init): When altivec is available, use
	_nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core
	instead of _2core variants.

	* chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in
	handling of counter; this function should not propagate any carry.

	* aes-internal.h: Delete name mangling of internal symbols. Update
	all internal references to use _nettle prefix.
	* camellia-internal.h: Likewise.
	* chacha-internal.h: Likewise.
	* ctr-internal.h: Likewise.
	* dsa-internal.h: Likewise.
	* gost28147-internal.h: Likewise.
	* poly1305-internal.h: Likewise.
	* salsa20-internal.h: Likewise.
	* sha3-internal.h: Likewise.
	* umac-internal.h: Likewise.

2020-11-26  Niels Möller  <nisse@lysator.liu.se>

	Enable powerpc64 gcm code in fat builds. Based on patch
	contributed by Mamone Tarsha:
	* powerpc64/fat/gcm-hash.asm: New file.
	* configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and
	HAVE_NATIVE_fat_gcm_hash.
	* gcm.c (gcm_init_key): Renamed, to ...
	(_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals.
	(gcm_hash): Renamed, to...
	(_nettle_gcm_hash_c): ... new name. Add fat setup conditionals.
	* fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs.
	* fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash.
	* gcm-internal.h: New file.
	* Makefile.in (DISTFILES): Add gcm-internal.h.

	* powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone
	Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash.

2020-11-28  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Simplify counter carry handling
	using the vaddcuw instruction.

	Merge changes by Marco Bodrato and Torbjorn Granlund, from the
	gmp/mini-gmp copy of this file.
	* run-tests: Delete special handling of zero arguments. Update
	WINEPATH, instead of overwriting it.

2020-11-27  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4: Replace some calls to exit with return, since exit
	requires stdlib.h. Including patch contributed by Adrien Béraud.

	* testsuite/version-test.c: Include version.h. Patch contributed
	by Brian Smith.

2020-11-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for
	big-endian builds.

2020-11-24  Niels Möller  <nisse@lysator.liu.se>

	Enable ppc chacha_2core in fat builds.
	* configure.ac: Add HAVE_NATIVE_fat_chacha_2core.
	* chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core.
	* chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core):
	Add declarations.
	* fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and
	_nettle_chacha_crypt32_2core when altivec is available.
	* powerpc64/fat/chacha-2core.asm: New file, including p7 version.

2020-11-23  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-2core.asm: New file.

	* chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New
	variants of chacha_crypt, using _chacha_2core to do two blocks at
	a time.
	* chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations.
	* configure.ac (asm_nettle_optional_list): Add chacha-2core.asm.

2020-11-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all
	scratch needs, don't use memory after the result area.
	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call.
	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise.
	* curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and
	reduce scratch need from 9*size to 5*size.
	* ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH)
	(ECC_EH_TO_A_ITCH): Update accordingly, but no change in total
	scratch need.

2020-11-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert
	itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all
	secp and gost curve definitions to use it.

2020-10-21  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_384r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-20  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed.
	(ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv.

	* ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_256r1): Analogous updates. Increases signing
	performance roughly 6% on x86_64.

	* ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_224r1): Analogous updates. Increases signing
	performance roughly 17% on x86_64.

2020-10-19  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_521r1): Analogous updates. Increases signing
	performance roughly 15% on x86_64.

2020-10-15  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular
	inverse using powering.
	(_nettle_secp_192r1): Use it for p.invert, and also update
	h_to_a_itch. Increases signing performance roughly 25% on x86_64.

	* testsuite/ecc-modinv-test.c (test_modulo): Allow invert function
	to return a non-canonical representation.

2020-11-08  Niels Möller  <nisse@lysator.liu.se>

	Merge refactoring of ecc modulo and reduce functions.

	* eddsa-sign.c (_eddsa_sign_itch): Update, since now point
	multiplication needs less scratch than point compression.
	* eddsa-pubkey.c (_eddsa_public_key_itch): Likewise.

	* ecc-internal.h: Update *_ITCH macros for point multiplication
	and signatures. They need slightly less scratch after optimization
	of the point addition functions.

	* ecc-mul-m.c (ecc_mul_m): Reduce scratch need.
	(ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap
	per iteration.

	* ecc-add-jja.c (ecc_add_jja): Reduce scratch need.
	* ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need.
	* ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size.
	(ECC_MUL_M_ITCH): New 8*size.

2020-11-06  Niels Möller  <nisse@lysator.liu.se>

	After these changes, both curve25519 and curve448 need 4*size for
	invert and 6*size for sqrt.
	* ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need.
	(ecc_curve448_inv): Likewise.
	(ecc_curve448_sqrt): Likewise.
	* ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need.

	* ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy.

2020-11-05  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need.
	* ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size.

2020-11-03  Niels Möller  <nisse@lysator.liu.se>

	* ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need.
	* ecc-dup-th.c (ecc_dup_th): Analogous changes.
	* ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size.

	* ecc-internal.h (ecc_add_func): Document in-place operation.
	* ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly.
	* testsuite/ecc-add-test.c (test_main): Likewise.

	* ecc-add-eh.c (ecc_add_eh): Reduce scratch need.
	* ecc-add-th.c (ecc_add_th): Analogous changes.
	* ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need.
	* ecc-add-thh.c (ecc_add_thh): Analogous changes.
	* ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH)
	(ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size.

2020-11-02  Niels Möller  <nisse@lysator.liu.se>

	* ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.
	(ecc_curve25519_inv): Likewise.
	(ecc_curve25519_sqrt): Likewise.

2020-11-01  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument
	for scratch area, reducing required size of result area. Update
	all callers to naïvely keep using result in scratch area.
	(ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing
	required size of result area.

	* testsuite/testutils.c (test_ecc_point): Show curve bits on failure.

2020-10-31  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Updated all assembly
	implementations.

	* testsuite/ecc-mod-test.c (test_one): Extend tests, to also test
	with different destination area.
	* testsuite/ecc-redc-test.c (test_main): Likewise.

2020-10-30  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (typedef ecc_mod_func): Add separate result
	argument. Updated all C implementations and callers.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod.c (ecc_mod): More unified handling of final carry
	folding. Also eliminates a goto statement.

2020-11-07  Niels Möller  <nisse@lysator.liu.se>

	Merged initial powerpc64 implementation of chacha.

	* configure.ac: New command line option --enable-power-altivec.
	Update asm_path logic, and add altivec to FAT_TEST_LIST.
	* fat-ppc.c (get_ppc_features): Add logic to check for altivec and
	vsx support, and select either C or altivec implementation of
	chacha_core.
	* powerpc64/p7/chacha-core-internal.asm: New file.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p7/chacha-core-internal.asm: New file.
	* Makefile.in (distdir): Add powerpc64/p7.

2020-10-29  Niels Möller  <nisse@lysator.liu.se>

	* blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids
	undefined behavior, since shifting an 8-bit value left by 24 bits
	overflows the range of signed int. Reported by Guido Vranken.
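
The undefined behaviour above comes from C's integer promotions: a uint8_t operand is promoted to int before the shift, and a byte with its top bit set shifted left by 24 lands outside the range of a 32-bit int. The following is an added illustration, not Nettle's blowfish_set_key; the bf_ names and the sample key are constructed for this example. It shows the promotion-safe way to assemble key words in the cyclic-key style blowfish key setup uses, next to a UB-free check that reports whether a given byte and shift would overflow int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Nonzero if evaluating (b << shift) with b of type uint8_t would be
 * undefined: b is promoted to int, and the shifted value must fit in int.
 * The check itself is done in uint64_t, so it has no UB of its own. */
int bf_shift_overflows_int(uint8_t b, unsigned shift)
{
  return ((uint64_t) b << shift) > (uint64_t) INT_MAX;
}

/* Assemble one 32-bit word from four consecutive key bytes, cycling
 * through a key of arbitrary length the way blowfish key setup does.
 * Casting each byte to uint32_t BEFORE shifting keeps the arithmetic
 * unsigned; without the casts, key bytes >= 0x80 shifted by 24 overflow
 * the promoted int (the defect the entry above fixes). */
uint32_t bf_key_word(const uint8_t *key, size_t length, size_t j)
{
  return ((uint32_t) key[(j + 0) % length] << 24)
       | ((uint32_t) key[(j + 1) % length] << 16)
       | ((uint32_t) key[(j + 2) % length] << 8)
       |  (uint32_t) key[(j + 3) % length];
}

/* Constructed sample keys: a 2-byte key whose first byte has the top
 * bit set, and a 5-byte key that exercises the wrap-around indexing. */
static const uint8_t bf_sample_key2[] = { 0x80, 0xff };
static const uint8_t bf_sample_key5[] = { 0x80, 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
  printf("0x80 << 24 overflows int: %d\n", bf_shift_overflows_int(0x80, 24));
  printf("0x7f << 24 overflows int: %d\n", bf_shift_overflows_int(0x7f, 24));
  printf("key2 word 0: 0x%08lx\n",
         (unsigned long) bf_key_word(bf_sample_key2, sizeof bf_sample_key2, 0));
  printf("key5 word 2: 0x%08lx\n",
         (unsigned long) bf_key_word(bf_sample_key5, sizeof bf_sample_key5, 2));
  return 0;
}
```

Building with -fsanitize=undefined (GCC or clang) reports the uncast form at runtime as a shift that overflows int, which is how a change like this one can be verified after the fact.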

2020-10-28  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use
	corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n,
	mpn_cnd_swap, available from GMP version 6.1.0. Update all
	callers; in particular, mpn_cnd_add_n and mpn_cnd_sub_n have one
	more argument than the old functions.

	* gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap)
	[NETTLE_USE_MINI_GMP]: Fallback definitions for mini-gmp builds.

2020-10-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved
	functions here.
	* ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more
	general ecc_mod_pow_2k_mul.
	* ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function.
	* ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted
	static functions.

2020-10-13  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function,
	not preserving input argument. Extracted from old ecc_mod_inv.
	(ecc_mod_inv): Call ecc_mod_inv_destructive.
	(ecc_mod_inv_redc): New inversion function, with input and output
	in redc form.

	* ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc.
	* ecc-secp256r1.c: Likewise.

	* ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking
	advantage of ecc->p.invert handling redc, when appropriate. Reduce
	scratch need from 5n to 4n in the process (assuming inversion
	needs 2n).

	* testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if
	appropriate.

2020-09-25  Niels Möller  <nisse@lysator.liu.se>

	* gcm.c (gcm_fill): Added separate implementations for big- and
	little-endian, to use uint64_t stores and less overhead.

2020-09-24  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register
	names. Can be tested by configuring with CC='gcc -Wa,-mregnames'.

2020-09-21  Niels Möller  <nisse@lysator.liu.se>

	* m4-utils.m4: New file with m4 utilities, copied from GMP's
	mpn/asm-defs.m4.
	* Makefile.in (DISTFILES): Add m4-utils.m4.
	(%.asm): Include m4-utils.m4 for preprocessing of .asm files, and
	include config.m4 before machine.m4.

	* aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test,
	adapted from corresponding test in GMP's acinclude.m4.
	* configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted
	variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64
	assembly code is enabled.
	* config.m4.in: Substituted here.
	* powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and
	if needed, replace register names like r0, r1, ... with integers.

2020-09-15  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Add missing file blowfish-internal.h.

2020-09-14  Niels Möller  <nisse@lysator.liu.se>

	* asm.m4: Delete use of changequote, stick to the m4 default
	quoting characters `'. Updated all assembly and m4 files.
	* x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround.

2020-09-12  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT.

2020-08-29  Niels Möller  <nisse@lysator.liu.se>

	Initial powerpc64 assembly support, contributed by Mamone Tarsha:
	* configure.ac: New configure option --enable-power-crypto-ext.
	(asm_path): Setup this and related variables for powerpc64.
	* powerpc64/machine.m4: New file.
	* powerpc64/README: New file.
	* powerpc64/p8/aes-encrypt-internal.asm: New file.
	* powerpc64/p8/aes-decrypt-internal.asm: New file.
	* powerpc64/fat/aes-encrypt-internal-2.asm: New file.
	* powerpc64/fat/aes-decrypt-internal-2.asm: New file.
	* fat-ppc.c: New file.
	* Makefile.in (OPT_SOURCES): Add fat-ppc.c.
	(distdir): Add powerpc64 directories.
	* aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative
	name, for fat builds.
	* aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise.

2020-07-28  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (FAT_TEST_LIST): New substituted variable. Set for
	fat builds, otherwise empty.
	* Makefile.in (check-fat): New target, using $(FAT_TEST_LIST).

2020-07-13  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use
	_chacha_3core.

	* arm/neon/chacha-3core.asm: New file, 3-way interleaving of
	chacha.

2020-07-11  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/chacha-test.c (test_main): Delete obsolete tests for
	chacha with 128-bit keys. #if:ed out since 2014-03-04, see below.
	(test_chacha_core): New function, test chacha with simple input
	structure.

2020-07-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/salsa20-2core.asm: New file.
	* x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is
	faster.

2020-07-08  Niels Möller  <nisse@lysator.liu.se>

	Rearrange salsa20, enabling ARM fat builds to use salsa20_2core.
	* salsa20-crypt-internal.c (_salsa20_crypt_2core)
	(_salsa20_crypt_1core): New file, new functions. One or the other
	is used for implementing salsa20_crypt and salsa20r12_crypt,
	depending on availability of salsa20_2core.
	* salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt.
	* salsa20r12-crypt.c (salsa20r12_crypt): Likewise.
	* salsa20-internal.h: Declare new internal functions.
	* Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c.
	* fat-setup.h (salsa20_crypt_func): New typedef.
	* fat-arm.c (_salsa20_crypt): Select _salsa20_crypt
	implementation, use 2core version when Neon instructions are
	available.
	* arm/fat/salsa20-2core.asm: New file, including Neon
	implementation. Triggers configure's HAVE_NATIVE_fat_salsa20_2core.
	* configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the
	case that salsa20_2core is defined, but runtime checks are needed
	to determine if it is usable.

2020-07-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/salsa20-test.c (test_salsa20_core): New function, test
	salsa20 with simple input structure.

	* configure.ac: Obey --enable-arm-neon=yes, even if not explicitly
	targeting ARM v6 or later.

2020-07-01  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/bcrypt-test.c: New file. Moved bcrypt tests here.

	Support for bcrypt, contributed by Stephen R. van den Berg.
	* blowfish-bcrypt.c (blowfish_bcrypt_hash)
	(blowfish_bcrypt_verify): New file, new functions.
	* blowfish-internal.h: New header file, declaring internals needed
	for bcrypt.
	* testsuite/blowfish-test.c: Add bcrypt tests.
	* nettle.texinfo (Cipher functions): Document bcrypt.

2020-06-30  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Miscellaneous hash functions): New section, with
	Streebog documentation, contributed by Dmitry Baryshkov.
	(Top): Added some missing entries to the detailed node listing.

2020-06-29  Niels Möller  <nisse@lysator.liu.se>

	* .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch
	by Maamoun TK.

2020-06-25  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/chacha-core-internal.asm (QROUND): Fix use of macro
	arguments. Spotted by Torbjörn Granlund.

2020-06-02  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-benchmark.c (main): Delete call to
	time_overhead. The attempt to measure function call overhead is
	not very useful or accurate. The benchmarking loop is optimized
	away by gcc-10, making the benchmark program hang.
	(bench_nothing, time_overhead): Deleted.

2020-04-29  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.6.

2020-04-27  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Tweak gcc command line options. Delete checks for
	older gcc versions. Add -Wno-sign-compare, since warnings for
	signed/unsigned comparisons add a lot of noise, in particular
	when building mini-gmp.

	* mini-gmp.c: Updated mini-gmp from the gmp repository, latest
	change from 2020-04-20.
	* mini-gmp.h: Likewise.

2020-04-25  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify)
	(mpz_limbs_finish, mpz_roinit_n): Delete compatibility
	definitions. These functions are available in GMP since version 6.0.0.
	* gmp-glue.h: Delete corresponding declarations, and preprocessor
	conditions.

	* configure.ac: Update required version of GMP to 6.1.0, needed
	for mpn_zero_p.
	* ecc-ecdsa-verify.c (zero_p): Deleted static function, usage
	replaced with mpn_zero_p.
	* testsuite/testutils.c (mpn_zero_p): Delete conditional
	definition.
	* testsuite/testutils.h: Delete corresponding declarations.

	* Makefile.in (DISTFILES): Add poly1305-internal.h.
	* testsuite/Makefile.in (DISTFILES): Delete setup-env.

2020-04-23  Niels Möller  <nisse@lysator.liu.se>

	* run-tests: Set WINEPATH, since it appears wine doesn't search
	for dlls in the unix PATH.
	* examples/setup-env: Delete creation of extra dll symlinks.
	* examples/teardown-env: Delete corresponding cleanup.
	* testsuite/setup-env: Deleted file (same symlink creation).
	* testsuite/teardown-env: Delete corresponding cleanup.

	* testsuite/ecc-add-test.c (test_main): Delete ASSERTs with
	function pointer comparisons. They provide little value, and fail
	when linking with hogweed.dll on windows.
	* testsuite/ecc-dup-test.c (test_main): Likewise.

2020-04-22  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/Makefile.in: Use pattern rules for test executables,
	replacing...
	(test-rules): ...deleted rule.
	* testsuite/.test-rules.make: Deleted file.

2020-04-21  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gostdsa-vko.c (gostdsa_vko): New file and function.
	* testsuite/gostdsa-vko-test.c (test_vko): New test.
	* nettle.texinfo (GOSTDSA): Document it.

2020-04-19  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable
	use of MD_UPDATE macro, in particular, replacing byte count with
	block count and index. Also move buffer last, for consistency with
	other hash functions.
	* gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro.
	(gosthash94_write_digest): Update for block count rather than byte
	count.

2020-04-17  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBNETTLE_MAJOR): Increase libnettle version
	number to 8.0, for move of internal poly1305 functions.
	(LIBNETTLE_MINOR): Reset to zero.

2020-04-15  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block):
	Removed declarations from this public header file.
	* poly1305-internal.h: New file, with declarations of internal
	poly1305 functions.
	(_poly1305_set_key, _poly1305_digest): Renamed, with leading
	underscore. Updated definitions and all uses.

2020-04-12  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (DISTFILES): Reorder to ensure that generated des
	headers can't be older than desdata.stamp.

	* testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc
	-std=c89.

2020-04-06  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version
	number to 6.0, at request of Gnutls team.
	(LIBHOGWEED_MINOR): Reset to zero.

2020-04-01  Niels Möller  <nisse@lysator.liu.se>

	* config.guess: Update to 2020-01-01 version, from savannah's
	config.git.
	* config.sub: Likewise.

2020-03-31  Niels Möller  <nisse@lysator.liu.se>

	* aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP)
	(LSH_MAKE_CONDITIONAL): Delete unused macros.

	* config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables.

	* run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and
	related member variables.

	* testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR
	to the run-tests script, and leave setting of LD_LIBRARY_PATH and
	related variables to that script.
	* examples/Makefile.in (check): Likewise.

2020-03-26  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version to 3.6.
	(LIBNETTLE_MINOR): Bump minor number, now 7.1.
	(LIBHOGWEED_MINOR): Bump minor number, now 5.1.

2020-03-14  Niels Möller  <nisse@lysator.liu.se>

	From H.J. Lu:
	* configure.ac (ASM_X86_ENDBR)
	(ASM_X86_MARK_CET, ASM_X86_MARK_CET_ALIGN): New substituted
	variables.
	* config.m4.in: Substituted here. Add ASM_X86_MARK_CET to
	diversion inserted at end of assembly files.
	* asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point.

2020-03-09  Niels Möller  <nisse@lysator.liu.se>

	From Daiki Ueno:
	* chacha-crypt.c (chacha_crypt32): New function.
	* chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32):
	New functions.
	* chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants.
	* chacha-poly1305.c (chacha_poly1305_encrypt)
	(chacha_poly1305_decrypt): Use chacha_crypt32.
	* testsuite/chacha-test.c: Update tests to use new functions.
	* nettle.texinfo: Document new chacha functions, and update
	out-of-date chacha-poly1305 documentation.
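
The following is an added example, not Nettle's code, illustrating what the new 32-bit-counter functions in the entry above are for: the ChaCha20 block function laid out once with the original 64-bit counter and 64-bit nonce, and once with the 32-bit counter and 96-bit nonce that ChaCha-Poly1305 (RFC 8439) uses. The helper names (`block_counter64`, `block_counter32`, `layouts_agree_below_2_32`) are this example's own; the constants and round structure are the standard ChaCha20 ones.

```python
"""Added example (not Nettle's code): ChaCha20 block function with the two
counter layouts, 64-bit counter + 64-bit nonce versus 32-bit counter +
96-bit nonce (RFC 8439).  Helper names are this example's own."""
import struct

MASK32 = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarter_round(a, b, c, d):
    a = (a + b) & MASK32; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 7)
    return a, b, c, d


def chacha20_block(key, tail_words):
    """64-byte keystream block for a 32-byte key and the four state words
    12..15 (counter and nonce; how they are split is the caller's choice)."""
    if len(key) != 32 or len(tail_words) != 4:
        raise ValueError("key must be 32 bytes, tail must be four words")
    state = list(CONSTANTS) + list(struct.unpack("<8I", key)) + list(tail_words)
    x = state[:]
    for _ in range(10):  # 20 rounds: one column round and one diagonal round per loop
        for (a, b, c, d) in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                             (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK32 for i in range(16)])


def block_counter64(key, counter, nonce8):
    """Original ChaCha layout: 64-bit counter in words 12-13, 8-byte nonce in 14-15."""
    if not 0 <= counter < 2**64 or len(nonce8) != 8:
        raise ValueError("counter must fit 64 bits, nonce must be 8 bytes")
    ctr_lo, ctr_hi = counter & MASK32, counter >> 32
    return chacha20_block(key, (ctr_lo, ctr_hi) + struct.unpack("<2I", nonce8))


def block_counter32(key, counter, nonce12):
    """IETF layout (RFC 8439, used by ChaCha-Poly1305): 32-bit counter in word 12,
    12-byte nonce in words 13-15.  The counter wraps after 2^32 blocks (256 GiB),
    so a message must not be longer than that under one nonce."""
    if not 0 <= counter < 2**32 or len(nonce12) != 12:
        raise ValueError("counter must fit 32 bits, nonce must be 12 bytes")
    return chacha20_block(key, (counter,) + struct.unpack("<3I", nonce12))


def layouts_agree_below_2_32(key, nonce8, counter):
    """Both layouts give the same block while the 64-bit counter's high word is
    zero and the 12-byte nonce starts with four zero bytes."""
    return block_counter64(key, counter, nonce8) == \
        block_counter32(key, counter, b"\0\0\0\0" + nonce8)
```

The two layouts agree for the first 2^32 blocks when the 96-bit nonce begins with four zero bytes; at block 2^32 the 64-bit counter carries into word 13, which in the IETF layout is the first nonce word, so a library that mixed the two (e.g. let a 64-bit counter run under ChaCha-Poly1305) would silently keep going under what is effectively a different nonce. Keeping the 32-bit-counter entry points separate makes that boundary explicit.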

2020-03-08  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* cmac-des3-meta.c (nettle_cmac_des): New file, moving definition
	from...
	* testsuite/cmac-test.c: ... old location.
	* nettle-meta.h (nettle_cmac_des): Declare it.

2020-02-15  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr)
	(ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add)
	(ecc_modp_sub): Deleted macros. Updated callers to use respective
	functions instead.
	(ecc_modp_addmul_1): Delete unused macro.

2020-02-09  Niels Möller  <nisse@lysator.liu.se>

	Addition of struct nettle_mac based on patches by Daiki Ueno.
	* nettle-meta-macs.c (nettle_get_macs): New file, new function.
	* testsuite/meta-mac-test.c: New test.

	* nettle-meta.h (_NETTLE_HMAC): New macro.
	(nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1)
	(nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384)
	(nettle_hmac_sha512): Declare.
	(struct nettle_mac): New public struct,
	* testsuite/testutils.h: ...moved from this file.

	* hmac-md5-meta.c: New file.
	* hmac-ripemd160-meta.c: Likewise.
	* hmac-sha1-meta.c: Likewise.
	* hmac-sha224-meta.c: Likewise.
	* hmac-sha256-meta.c: Likewise.
	* hmac-sha384-meta.c: Likewise.
	* hmac-sha512-meta.c: Likewise.

	* Makefile.in (nettle_SOURCES): Add new files.

	* testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of
	this macro.
	* testsuite/testutils.c (test_mac): Allow testing with smaller
	digest size.
	* testsuite/hmac-test.c (test_main): Use test_mac for tests using
	key size == digest size.

	* testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
	Moved to...
	* cmac-aes128-meta.c: New file.
	* cmac-aes256-meta.c: New file.

	* nettle-meta.h (struct nettle_mac): New public struct,
	* testsuite/testutils.h: ...moved from this file.

2020-02-06  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Baryshkov:
	* gost28147.h: Deleted, move declarations to gost28147-internal.h.

2020-02-05  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: On Solaris, link shared libraries with --shared
	rather than -G. For gcc, --shared is the proper way. For Solaris'
	proprietary cc, according to docs, it accepts --shared as an alias
	for -G since Oracle Solaris Studio 12.4, and it was made more gcc
	compatible in later versions. Since 12.4 was released in 2014,
	don't attempt to cater for older versions.

2020-01-26  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (struct ecc_curve): Delete g, the curve
	generator, since it was used only by tests. Update all curve
	instances.

	* eccdata.c (output_curve): Delete output of ecc_g.
	(output_point): Delete name argument, and update callers.

	* testsuite/testutils.c (ecc_ref): Table of reference points moved
	out of test_ecc_mul_a. Add generator to the list of points.
	(test_ecc_mul_a): Use ecc_ref table also for the n == 1 case.
	(test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions,
	using the tabulated generator.

	* testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of
	accessing ecc->g.
	* testsuite/ecc-dup-test.c: Likewise.
	* testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga.
	Delete special case for n == 1.
	* testsuite/ecc-mul-g-test.c: Use test_ecc_ga.

	Support for GOST DSA, contributed by Dmitry Baryshkov.
	* gostdsa-verify.c (gostdsa_verify): New file and function.
	* gostdsa-sign.c (gostdsa_sign): New file and function.
	* ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch)
	(ecc_gostdsa_verify): New file and functions.
	* ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
	New file and functions.
	* ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro.
	* ecc-hash.c (gost_hash): New function.
	* testsuite/gostdsa-verify-test.c: New test.
	* testsuite/gostdsa-sign-test.c: New test.
	* testsuite/gostdsa-keygen-test.c: New test.
	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests.

	Support for GOST gc256b and gc512a curves, contributed by Dmitry
	Baryshkov.
	* eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and
	gost_gc512a.
	* ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b.
	* ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a.
	* Makefile.in: Add rules to generate ecc-gost-gc256b.h and
	ecc-gost-gc512a.h.
	(hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c.
	* examples/ecc-benchmark.c (curves): Add to list.
	* testsuite/testutils.c (ecc_curves): Add to list.
	(test_ecc_mul_a): Reference points for new curves.

	* NEWS: Started on entries for Nettle-3.6.

2020-01-25  Niels Möller  <nisse@lysator.liu.se>

	* examples/hogweed-benchmark.c (bench_curve_init): Pass correct
	sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov.

2020-01-15  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in: Replace suffix rules by pattern rules. Move .asm
	rule above .c rule, since now the order of rules in the Makefile
	matters, rather than the order in the .SUFFIXES list.
	(aesdata, desdata, twofishdata, shadata, gcmdata, eccparams):
	Individual rules replaced by a pattern rule.
	(eccdata): Add explicit dependencies, to complement the pattern
	rule.
	* examples/Makefile.in: Replace suffix rules by pattern rules.
	* testsuite/Makefile.in: Likewise.
	* tools/Makefile.in: Likewise.

	* config.make.in: Empty .SUFFIXES, to not accidentally use any
	suffix rules.

	* aclocal.m4 (DEP_INCLUDE): Delete substituted variable.

	* Makefile.in: Use the GNU make directive -include to include
	dependency .d files. Delete dependency files on make clean.
	* examples/Makefile.in: Likewise.
	* testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly.
	* tools/Makefile.in: Likewise.

	* configure.ac (dummy-dep-files): Delete these config commands.

2020-01-10  Niels Möller  <nisse@lysator.liu.se>

	From Dmitry Eremin-Solenikov: Consistently rename ecc files and
	internal functions to include curve name rather than just number
	of bits. E.g.,
	* ecc-256.c (nettle_ecc_256_redc): File and function renamed to...
	* ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names.
	* eccdata.c (ecc_curve_init, main): Take curve name as input, not
	bit size.

2020-01-03  Niels Möller  <nisse@lysator.liu.se>

	Add benchmarking of ed25519, ed448 and curve448.
	* examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct.
	(bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify)
	(bench_eddsa_clear): New functions.
	(struct curve_ctx): New struct, generalizing struct curve25519_ctx.
	(bench_curve_init, bench_curve_mul_g, bench_curve_mul)
	(bench_curve_clear): New functions.
	(struct curve25519_ctx, bench_curve25519_mul_g)
	(bench_curve25519_mul, bench_curve25519): Deleted.
	(alg_list): Add eddsa and curve entries.
	(main): Delete call to bench_curve25519.

2020-01-02  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
	(struct ecc_eddsa): Use function pointer to represent eddsa dom
	string. To avoid calling sha512_update with empty input for
	ed25519.
	* ed448-shake256.c (ed448_dom): New function, calling
	sha3_256_update with the magic dom prefix.
	(_nettle_ed448_shake256): Point to it.
	* ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.

	* eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
	* eddsa-verify.c (_eddsa_verify): Likewise.

	* eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
	needed for ed448.
	* ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
	* ed448-shake256.c (_nettle_ed448_shake256): New file and
	parameter struct.

	* eddsa-hash.c (_eddsa_hash): Add digest_size as input argument.
	Handle ed448 digests with two extra bytes. Update callers.
	* eddsa-verify.c (_eddsa_verify): Hash dom string.
	* eddsa-sign.c (_eddsa_sign_itch): Assert that
	_eddsa_compress_itch isn't too large.
	(_eddsa_sign): New argument k1, with the hash prefix. Add hashing
	of this prefix and the dom string. Update callers. Fix final
	reduction, it's different for ed25519, with q slightly larger than
	a power of two, and ed448, with q slightly smaller.
	* eddsa-pubkey.c (_eddsa_public_key_itch): Assert that
	_eddsa_compress_itch isn't too large.
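
The following is an added example, not Nettle's code, working through the case distinction the entry above makes for the final reduction of the signature scalar: the ed25519 group order q is slightly above 2^252, the ed448 order slightly below 2^446, and the last step of a folding reduction differs accordingly. The two orders are the RFC 8032 values; the folding routine, its fixed three-fold structure, and the names `fold`, `reduce_mod_order`, `is_canonical`, `signature_scalar` and `selfcheck` are this example's own, and it generalizes to any q of the form 2^k +/- c with c much smaller than 2^k.

```python
"""Added example (not Nettle's code): reducing an EdDSA signature scalar
modulo a group order q that is slightly above (ed25519) or slightly below
(ed448) a power of two.  Orders from RFC 8032; everything else is illustrative."""
import random

ED25519_Q = 2**252 + 27742317777372353535851937790883648493                                  # q > 2^252
ED448_Q = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885     # q < 2^446


def fold(x, q, k):
    """One folding step: write x = hi*2^k + lo and use 2^k = -(q - 2^k) (mod q).
    For q > 2^k this subtracts hi*c and may go negative; for q < 2^k it adds hi*|c|."""
    c = q - 2**k
    hi, lo = divmod(x, 2**k)   # floor division, so negative x is handled as well
    return lo - hi * c


def reduce_mod_order(x, q, k, canonical=True):
    """Reduce 0 <= x < 2^(2k+2) (enough for r + h*a with r, h, a < q) to [0, q).
    Three folds leave a value within one q of the canonical range.  The last step
    is curve dependent: add q if negative (q > 2^k), subtract q if >= q (q < 2^k).
    canonical=False skips that step to expose the non-canonical intermediate."""
    if not 0 <= x < 2 ** (2 * k + 2):
        raise ValueError("x out of range")
    for _ in range(3):
        x = fold(x, q, k)
    if canonical:
        if x < 0:
            x += q
        elif x >= q:
            x -= q
    return x


def is_canonical(x, q):
    """The range check a caller must be able to rely on before feeding the
    scalar into a point multiplication."""
    return 0 <= x < q


def signature_scalar(r, h, a, q, k):
    """s = r + h*a mod q, the final step of EdDSA signing (inputs already in [0, q))."""
    if not (is_canonical(r, q) and is_canonical(h, q) and is_canonical(a, q)):
        raise ValueError("inputs must be reduced")
    return reduce_mod_order(r + h * a, q, k)


def selfcheck(trials=500, seed=1):
    """Compare against Python's % on seeded random inputs for both curves."""
    rng = random.Random(seed)
    for q, k in ((ED25519_Q, 252), (ED448_Q, 446)):
        for _ in range(trials):
            x = rng.getrandbits(2 * k + 2)
            if reduce_mod_order(x, q, k) != x % q:
                return False
            r, h, a = (rng.randrange(q) for _ in range(3))
            if signature_scalar(r, h, a, q, k) != (r + h * a) % q:
                return False
    return True
```

With the fix-up skipped, the two curves fail in opposite directions: for ed25519 the input 2^252 folds to -c, a negative value, while for ed448 the input q itself passes through all three folds unchanged and comes back equal to q. Either one would violate the 0 <= s < q check that the subsequent point multiplication relies on, which is why the final conditional step has to match the curve.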

	Implementation of ed448-shake256, based on patch by Daiki Ueno.
	* ed448-shake256-pubkey.c (ed448_shake256_public_key): New file
	and function.
	* ed448-shake256-sign.c (ed448_shake256_sign): New file and function.
	* ed448-shake256-verify.c (ed448_shake256_verify): New file and function.

	* Makefile.in (hogweed_SOURCES): Add new ed448 files.

	* testsuite/eddsa-verify-test.c (test_ed448): New function.
	(test_main): New ed448 tests.
	* testsuite/eddsa-sign-test.c (test_ed448_sign): New function.
	(test_main): New ed448 tests.
	* testsuite/ed448-test.c: New tests.
	* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c.

	* nettle.texinfo (Curve 25519 and Curve 448): Document ed448.

2020-01-01  Niels Möller  <nisse@lysator.liu.se>
