* testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR
to the run-tests script, and leave setting of LD_LIBRARY_PATH and
related variables to that script.
* examples/Makefile.in (check): Likewise.

* run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and
related member variables.

* config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables.

* configure.ac: Bump package version to 3.6.
(LIBNETTLE_MINOR): Bump minor number, now 7.1.
(LIBHOGWEED_MINOR): Bump minor numbers, now 5.1

Based on patches by Daiki Ueno.

Based on patches by Daiki Ueno.

Based on patches by Daiki Ueno.
* testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256):
Moved to...
* cmac-aes128-meta.c: New file.
* cmac-aes256-meta.c: New file.

* aclocal.m4 (DEP_INCLUDE): Delete substituted variable.

* Makefile.in: Use the GNU make directive -include to include
dependency .d files. Delete dependency files on make clean.
* examples/Makefile.in: Likewise.
* testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly.
* tools/Makefile.in: Likewise.

* configure.ac (dummy-dep-files): Delete these config commands.

* eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
parameters.
* ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
* eddsa-expand.c (_eddsa_expand_key): Replace input
struct nettle_hash with struct ecc_eddsa, and generalize for
ed448. Update all callers.
* eddsa-sign.c (_eddsa_sign): Likewise.
* eddsa-verify.c (_eddsa_verify): Likewise.
* eddsa-compress.c (_eddsa_compress): Store sign bit in most
significant bit of last byte, as specified by RFC 8032.
* eddsa-decompress.c (_eddsa_decompress): Corresponding update.
Also generalize to support ed448, and make validity checks
stricter.
* testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
(test_main): Use it.
* testsuite/eddsa-verify-test.c (test_ed25519): New function.
(test_main): Use it.

* bignum.h: Drop unreleted include of nettle-meta.h.
* pss.h: Include nettle-meta.h explicitly.
* eddsa-internal.h: Likewise.

* shake256.c (sha3_256_shake): New file and function.
* Makefile.in (nettle_SOURCES): Add shake256.c.
* testsuite/testutils.c (test_hash): Allow arbitrary digest size,
if hash->digest_size == 0.
* testsuite/shake.awk: New script to extract test vectors.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c.
(DISTFILES): Add shake.awk.

* ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use
add_hh rather than add_hhh.
(table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise.
* ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]:
Reduced from 13*n to 12*n.

* eddsa-verify.c (_eddsa_verify): Use function pointer rather than
calling ecc_add_eh directly. Preparation for eddsa over curve448.

* curve25519-mul.c (curve25519_mul): Use ecc_mul_m.
* curve448-mul.c (curve448_mul): Likewise.

* ecc-mul-m.c (ecc_mul_m): New file and function. Implements
multipliction for curves in Montgomery representation, as used for
curve25519 and curve448. Extracted from curve25519_mul.
* ecc-internal.h (ecc_mul_m): Declare.
(ECC_MUL_M_ITCH): New macro.
* Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c.