ChangeLog
2022-09-29  Niels Möller  <nisse@lysator.liu.se>

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Call ecc_mul_g and ecc_mul_a directly, not via
	function pointers.
	(ecc_ecdsa_verify_itch): Use ECC_MUL_A_ITCH
	rather than ecc->mul_itch.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify_itch)
	(ecc_gostdsa_verify): Analogous changes.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Call ecc_mul_g and ecc_j_to_a
	directly, not via function pointers.
	(ecc_ecdsa_sign_itch): Use ECC_MUL_G_ITCH rather than
	ecc->mul_g_itch.
	* ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign):
	Analogous changes.

2022-09-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/meta-hash-test.c (test_main): Add check of
	NETTLE_MAX_HASH_BLOCK_SIZE.
	* nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE): Increase to 144,
	to accommodate sha3_224.
	* testsuite/meta-cipher-test.c (test_main): Check that cipher
	metadata doesn't exceed NETTLE_MAX_CIPHER_BLOCK_SIZE or
	NETTLE_MAX_CIPHER_KEY_SIZE.

	From Daiki Ueno:
	* siv-gcm.c (siv_gcm_encrypt_message, siv_gcm_decrypt_message):
	New file, implementation of SIV-GCM.
	* siv-gcm.h (SIV_GCM_BLOCK_SIZE, SIV_GCM_DIGEST_SIZE)
	(SIV_GCM_NONCE_SIZE): New header file, new constants and
	declarations.
	* siv-gcm-aes128.c (siv_gcm_aes128_encrypt_message)
	(siv_gcm_aes128_decrypt_message): New file and functions.
	* siv-gcm-aes256.c (siv_gcm_aes256_encrypt_message)
	(siv_gcm_aes256_decrypt_message): Likewise.
	* siv-ghash-set-key.c (_siv_ghash_set_key): New file, new internal
	function.
	* siv-ghash-update.c (_siv_ghash_update): Likewise.
	* block-internal.h (block16_bswap): New inline function.
	* bswap-internal.h (bswap64_if_be): New macro.
	* nettle-internal.h (NETTLE_MAX_CIPHER_KEY_SIZE): New constant.
	* Makefile.in (nettle_SOURCES): Add new source files.
	(HEADERS): Add siv-gcm.h.
	* testsuite/siv-gcm-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add siv-gcm-test.c.
	* nettle.texinfo (SIV-GCM): Documentation.

	From Zoltan Fridrich:
	* balloon.c (balloon, balloon_itch): Implementation of balloon
	password hash.
	* balloon.h: New header file.
	* balloon-sha1.c (balloon_sha1): New file and function.
	* balloon-sha256.c (balloon_sha256): Likewise.
	* balloon-sha384.c (balloon_sha384): Likewise.
	* balloon-sha512.c (balloon_sha512): Likewise.
	* Makefile.in (nettle_SOURCES): Add balloon source files.
	(HEADERS): Add balloon.h.
	* testsuite/balloon-test.c: New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add balloon-test.c.

2022-09-14  Niels Möller  <nisse@lysator.liu.se>

	* ecc-nonsec-add-jjj.c (ecc_nonsec_add_jjj): New file and
	function.
	* ecc-internal.h: Declare it.
	* Makefile.in (hogweed_SOURCES): Add ecc-nonsec-add-jjj.c.
	* testsuite/ecc-add-test.c (test_main): Add tests for ecc_nonsec_add_jjj.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj,
	to produce correct result in a corner case where point addition
	needs to use point duplication. Also use ecc_j_to_a rather than
	ecc->h_to_a, since ecdsa supports only weierstrass curves.
	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change.

	* testsuite/ecdsa-verify-test.c (test_main): Add corresponding test.
	* testsuite/ecdsa-sign-test.c (test_main): And a test producing
	the problematic signature.

2022-09-08  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (string_toupper): New utility function.
	(output_modulo): Move more of the per-modulo output here.
	(output_curve): Remove corresponding code.

2022-08-31  Niels Möller  <nisse@lysator.liu.se>

	* bswap-internal.h (nettle_bswap64, nettle_bswap32)
	(bswap64_if_le): New header file, new inline functions/macros.
	* gcm.c (gcm_hash_sizes): Use bswap64_if_le, and bswap-internal.h,
	replacing local definition of bswap_if_le.
	* nist-keywrap.c (nist_keywrap16): Likewise.
	* blowfish-bcrypt.c (swap32): Renamed function, to...
	(bswap32_if_le): ...new name, rewritten to use nettle_bswap32.
	Update call sites.
	* Makefile.in (DISTFILES): Add bswap-internal.h.

2022-08-18  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (HEADERS): Add sm4.h.

	From Tianjia Zhang: SM4 block cipher.
	* sm4.c: New file.
	* sm4.h: New file.
	* sm4-meta.c: New file.
	* gcm-sm4.c: New file.
	* gcm-sm4-meta.c: New file.
	* nettle.texinfo: Document SM4.
	* testsuite/gcm-test.c (test_main): Add SM4 tests.
	* testsuite/sm4-test.c: New file.

	* configure.ac (ABI): Change mips abi check to apply only to mips64.

2022-08-17  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (mpz_urandomm) [NETTLE_USE_MINI_GMP]: New
	fallback definition when building with mini-gmp.

2022-08-16  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_sub): Ensure that if inputs are in the
	range 0 <= a, b < 2m, then output is in the same range.
	* eccdata.c (output_curve): New outputs ecc_Bm2p and ecc_Bm2q.
	* ecc-internal.h (struct ecc_modulo): New member Bm2m (B^size -
	2m), needed by ecc_mod_sub. Update all curves.
	* testsuite/ecc-mod-arith-test.c: New tests for ecc_mod_add and
	ecc_mod_sub.

	* eccdata.c (output_modulo): Output the limb size, delete return
	value.
	(output_curve): Update calls to output_modulo, other minor cleanup.

2022-08-07  Niels Möller  <nisse@lysator.liu.se>

	Based on patch from Corentin Labbe:
	* nettle.texinfo: Document sha256_compress, sha512_compress,
	md5_compress and sha1_compress.

	* configure.ac: Refer to nettle-types.h, rather than arcfour.c,
	for AC_CONFIG_SRCDIR.

2022-08-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle-internal.h: Include stdlib.h, fix alloca warnings on BSD.
	* hmac.c: Delete corresponding include here, no longer needed.

	* getopt.c: Include stdlib.h and unistd.h unconditionally,
	similarly to the gnulib version of this file.

2022-08-04  Niels Möller  <nisse@lysator.liu.se>

	From Brad Smith:
	* configure.ac: Fix 64-bit MIPS ABI check for other OS's like *BSD / Linux.
	* aclocal.m4 (LSH_CCPIC): Use proper PIC flag for *BSD OS's.
	* blowfish-bcrypt.c (swap32): Eliminate conflict with OpenBSD's swap32 macro.

2022-07-29  Niels Möller  <nisse@lysator.liu.se>

	* s390x/msa_x1/sha256-compress-n.asm: New file, replacing...
	* s390x/msa_x1/sha256-compress.asm: ...deleted file.
	* s390x/fat/sha256-compress-n-2.asm: New file, replacing...
	* s390x/fat/sha256-compress-2.asm: ...deleted file.
	* fat-s390x.c: Update fat setup.

2022-07-26  Niels Möller  <nisse@lysator.liu.se>

	* arm/v6/sha256-compress-n.asm: New file, replacing...
	* arm/v6/sha256-compress.asm: ...deleted file.
	* arm/fat/sha256-compress-n-2.asm: New file, replacing...
	* arm/fat/sha256-compress-2.asm: ...deleted file.
	* fat-arm.c: Update fat setup.

2022-07-11  Niels Möller  <nisse@lysator.liu.se>

	* arm64/crypto/sha256-compress-n.asm: New file, replacing...
	* arm64/crypto/sha256-compress.asm: ...deleted file.
	* arm64/fat/sha256-compress-n-2.asm: New file, replacing...
	* arm64/fat/sha256-compress-2.asm: ...deleted file.
	* fat-arm64.c: Update fat setup.

2022-07-05  Niels Möller  <nisse@lysator.liu.se>

	* md-internal.h (MD_FILL_OR_RETURN): New file, new macro.
	* sha256-compress-n.c (_nettle_sha256_compress_n): New file and
	function, replacing...
	* sha256-compress.c (_nettle_sha256_compress): ...deleted file and
	function.
	* sha2-internal.h (_nettle_sha256_compress_n): Declare new function.
	* sha256.c (sha256_compress): Update to use
	_nettle_sha256_compress_n and MD_FILL_OR_RETURN.
	* x86_64/sha256-compress-n.asm: New file, replacing...
	* x86_64/sha256-compress.asm: ...deleted file.
	* x86_64/sha_ni/sha256-compress-n.asm: New file, replacing...
	* x86_64/sha_ni/sha256-compress.asm: ...deleted file.
	* fat-setup.h (sha256_compress_n_func): New typedef, replacing...
	(sha256_compress_func): ...deleted typedef.
	* fat-x86_64.c: Update fat setup.

2022-06-20  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/sha1-test.c (test_sha1_compress): New function.
	(test_main): Add tests for compressing 0, 1 or 2 blocks.
	* testsuite/sha256-test.c (test_sha256_compress): New function.
	(test_main): Add tests for compressing 0, 1 or 2 blocks.

2022-06-12  Niels Möller  <nisse@lysator.liu.se>

	From Christian Weisgerber:
	* fat-arm64.c (get_arm64_features): Enable runtime feature
	detection for openbsd.

2022-06-09  Niels Möller  <nisse@lysator.liu.se>

	* md5.h (md5_compress): New public name for compression function.
	* sha1.h (sha1_compress): Likewise.

	Based on patches from Corentin Labbe:
	* sha2.h: Declare new functions.
	* sha256.c (sha256_compress): New function.
	(COMPRESS): Updated to use sha256_compress.
	(sha256_write_digest): Use sha256_compress directly.
	* sha512.c (sha512_compress): New function.
	(COMPRESS): Updated to use sha512_compress.
	(sha512_write_digest): Use sha512_compress directly.

2022-06-02  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.8.

2022-05-23  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (OPT_SOURCES): Add missing file fat-arm64.c.

	* config.guess: Update to 2022-05-08 version.
	* config.sub: Update to 2022-01-03 version.

2022-05-20  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.8.
	(LIBNETTLE_MINOR): Bump minor number, to 8.5.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.5.

2022-05-05  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (CBC): Document cbc_aes128_encrypt,
	cbc_aes192_encrypt and cbc_aes256_encrypt.

2022-04-28  Niels Möller  <nisse@lysator.liu.se>

	* nettle.texinfo (Copyright): Deleted incomplete and out of date
	list of authors. Replaced by...
	* AUTHORS: New updated list of authors and contributions.

2022-02-23  Niels Möller  <nisse@lysator.liu.se>

	Analogous s390x update, by Mamone Tarsha:
	* fat-s390x.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.
	* s390x/fat/ghash-update-2.asm: New file.
	* s390x/fat/ghash-set-key-2.asm: New file.
	* s390x/fat/gcm-hash.asm: Deleted.
	* s390x/msa_x4/gcm-hash.asm: Deleted, split into two new files...
	* s390x/msa_x4/ghash-update.asm: New file.
	* s390x/msa_x4/ghash-set-key.asm: New file.

2022-02-22  Niels Möller  <nisse@lysator.liu.se>

	* fat-ppc.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.

	* powerpc64/fat/ghash-update-2.asm: New file.
	* powerpc64/fat/ghash-set-key-2.asm: New file.
	* powerpc64/fat/gcm-hash.asm: Deleted.

	* powerpc64/p8/gcm-hash.asm: Deleted, split into two new files...
	* powerpc64/p8/ghash-update.asm: New file.
	* powerpc64/p8/ghash-set-key.asm: New file.

2022-02-21  Niels Möller  <nisse@lysator.liu.se>

	* fat-arm64.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.

	* arm64/fat/ghash-update-2.asm: New file.
	* arm64/fat/ghash-set-key-2.asm: New file.
	* arm64/fat/gcm-hash.asm: Deleted.

	* ghash-update.c (_nettle_ghash_update_c): New name, for fat builds.

	* arm64/crypto/gcm-hash.asm: Deleted, split into two new files...
	* arm64/crypto/ghash-set-key.asm: New file.
	* arm64/crypto/ghash-update.asm: New file.

2022-02-19  Niels Möller  <nisse@lysator.liu.se>

	* fat-x86_64.c (fat_init): Update fat init for new _ghash_set_key
	and _ghash_update functions, delete setup for old gcm functions.
	* fat-setup.h (ghash_set_key_func, ghash_update_func): New
	typedefs.
	(gcm_init_key_func, gcm_hash_func): Deleted typedefs.
	* x86_64/fat/ghash-update.asm: New file.
	* x86_64/fat/ghash-update-2.asm: New file.
	* x86_64/fat/ghash-set-key-2.asm: New file.
	* x86_64/fat/gcm-hash.asm: Deleted.
	* ghash-set-key.c (_nettle_ghash_set_key_c): New name, for fat
	builds.
	* configure.ac (asm_nettle_optional_list): Add ghash-set-key-2.asm
	ghash-update-2.asm.

	* ghash-set-key.c (_ghash_digest): Deleted, and also deleted
	assembly implementations.
	* gcm.c (gcm_digest): Replace call to _ghash_digest with block16_xor.

	* x86_64/pclmul/gcm-hash.asm: Deleted, split into two new files...
	* x86_64/pclmul/ghash-set-key.asm: New file.
	* x86_64/pclmul/ghash-update.asm: New file.

	* configure.ac (asm_replace_list): Add ghash-set-key.asm ghash-update.asm.
	(asm_nettle_optional_list): Delete gcm-hash.asm gcm-hash8.asm.
	* x86_64/ghash-update.asm: New file, based on old gcm-hash8.asm,
	but without any handling of partial blocks.
	* x86_64/gcm-hash8.asm: Deleted.

	* ghash-set-key.c (_ghash_digest): Moved function from...
	* ghash-update.c (_ghash_digest): ...old location.

2022-02-18  Niels Möller  <nisse@lysator.liu.se>

	* block-internal.h (block16_zero): New function.

	* ghash-internal.h: New file, declaring new internal ghash interface.
	* gcm-internal.h: Deleted file.
	* ghash-update.c (gcm_gf_shift_8): Moved here (from gcm.c)
	(gcm_gf_mul): Likewise.
	(_ghash_update): New function, extracted from _nettle_gcm_hash_c.
	(_ghash_digest): New function.
	* ghash-set-key.c (_ghash_set_key): New file and function.
	Extracted from _nettle_gcm_init_key_c and _nettle_gcm_set_key.

	* gcm.c (INC32): Deleted macro, used in only one place.
	(gcm_set_key): Update to use _ghash_set_key.
	(gcm_hash): Renamed, was _gcm_hash, and implemented in terms of
	_ghash_update.
	(bswap_if_le): New function (copied from nist-keywrap.c).
	(gcm_hash_sizes): Use bswap_if_le and _ghash_update.
	(gcm_set_iv): Updated to use gcm_hash and block16_zero.
	(gcm_digest): Use _ghash_digest.

	* testsuite/gcm-test.c (test_ghash_internal): Updated to use
	_ghash_set_key and _ghash_update.

	* Makefile.in (nettle_SOURCES): Add ghash-set-key.c ghash-update.c.
	(DISTFILES): Replaced gcm-internal.h with ghash-internal.h.

2022-02-17  Niels Möller  <nisse@lysator.liu.se>

	* gcm.c: Require that GCM_TABLE_BITS == 8. Delete old code for
	GCM_TABLE_BITS == 0 and GCM_TABLE_BITS == 4.
	* gcm-internal.h: Delete checks for GCM_TABLE_BITS != 8.
	* fat-x86_64.c: Likewise.
	* fat-s390x.c: Likewise.
	* fat-ppc.c: Likewise.
	* fat-arm64.c: Likewise.

2022-02-15  Niels Möller  <nisse@lysator.liu.se>

	* fat-x86_64.c: Add fat setup for gcm.
	* x86_64/fat/gcm-hash.asm: New file.

	* Makefile.in (distdir): Add x86_64/pclmul directory.
	* configure.ac: New configure option --enable-x86-pclmul.
	(asm_path): Add x86_64/pclmul, if above option is set.
	* x86_64/pclmul/gcm-hash.asm: New file, initial implementation of
	GCM using the pclmulqdq instructions.

2022-02-08  Niels Möller  <nisse@lysator.liu.se>

	* gcm-internal.h (_gcm_hash): Arrange so that this is an alias for
	the appropriate implementation. Updated all users.
	* gcm.c (_nettle_gcm_set_key): New internal function, intended to
	make tests of internal ghash functions easier.
	(gcm_set_key): Use it.
	* testsuite/gcm-test.c (test_ghash_internal): New function.
	(test_main): Add tests of internal ghash functions, with keys
	corresponding to various single-bit polynomials.

2022-01-28  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/poly1305-test.c (poly1305_internal): Renamed function,
	was test_poly1305_internal.
	(test_poly1305_internal): New helper function.
	(test_fixed): New function, to test internal functions with fixed
	test inputs.
	(test_random): Use test_poly1305_internal.
	(test_main): Call test_fixed.

	* misc/poly1305-gen-example.pike: Program to generate poly1305
	inputs with a given digest.

2022-01-27  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/poly1305-internal.asm: Rewrote. Rearrange folding, so
	that all the multiply instructions needed to process a block are
	independent of each other. Measured speedup of 16% on AMD zen2 and
	28% on Intel broadwell, and expected to be generally faster.
	* asm.m4 (P1305): Rearrange struct contents, to fit 64-bit entries
	S0 and H2. Total struct size unchanged.

2022-01-25  Niels Möller  <nisse@lysator.liu.se>

	Chacha implementation for arm64, contributed by Mamone Tarsha.
	* arm64/chacha-core-internal.asm: New file.
	* arm64/chacha-2core.asm: New file.
	* arm64/chacha-4core.asm: New file.

2022-01-24  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp224r1-modp.asm: New file, contributed by
	Amitay Isaacs.
	* powerpc64/ecc-curve25519-modp.asm: New file, contributed by
	Martin Schwenke & Alastair D'Silva.
	* powerpc64/ecc-curve448-modp.asm: New file, contributed by Martin
	Schwenke & Amitay Isaacs.

2022-01-23  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/poly1305-test.c (test_poly1305_internal): New function.
	(ref_poly1305_internal): New function.
	(test_random): New function.
	(test_main): Call test_random.

	Arrange so that GMP or mini-gmp is always available for tests.
	* testsuite/testutils.h [!WITH_HOGWEED]: Include mini-gmp.h.
	* testsuite/testutils.c [!WITH_HOGWEED]: Include mini-gmp.c.

2022-01-21  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp192r1-modp.asm: New file, contributed by
	Amitay Isaacs.
	* powerpc64/ecc-secp384r1-modp.asm: New file, contributed by
	Martin Schwenke, Amitay Isaacs & Alastair D'Silva.
	* powerpc64/ecc-secp521r1-modp.asm: New file, contributed by
	Martin Schwenke & Alastair D'Silva.

2022-01-17  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (test_ecc_point_valid_p): New function,
	moved from...
	* testsuite/ecdsa-keygen-test.c (ecc_valid_p): ... old copy.
	* testsuite/gostdsa-keygen-test.c (ecc_valid_p): ... old copy.
	* testsuite/testutils.h: Declare it.
	(test_randomize) [NETTLE_USE_MINI_GMP]: Use inline function rather
	than macro for dummy definition, to avoid compile time warnings.

2022-01-10  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/ecc-secp256r1-redc.asm: Reduce number of registers
	used, eliminating save and restore of callee-save registers.
	Speedup of 7% reported for POWER9 (and marginal speedup of secp256
	sign and verify operations).

2022-01-04  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (ELFV2_ABI): New substituted variable, set on
	powerpc64 based on the _CALL_ELF define.
	* config.m4.in (ELFV2_ABI): Substituted here.
	* powerpc64/machine.m4: Use ELFV2_ABI rather than WORDS_BIGENDIAN
	to select abi flavor. Intended to support ppc64be + musl, which,
	unlike other big-endian configurations, uses ELFv2.

2021-12-09  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/ecc-secp256r1-redc.asm: New folding scheme with one less
	carry propagation phase, and fewer registers, avoiding save and
	restore of callee-save registers. 17% speedup of this function on
	AMD Ryzen 5, resulting in a modest improvement in ecdsa
	performance.

	* powerpc64/ecc-secp256r1-redc.asm: New file, contributed by
	Amitay Isaacs.

2021-11-29  Niels Möller  <nisse@lysator.liu.se>

	From Tianjia Zhang: SM3 hash function.
	* sm3.h: New file.
	* sm3.c: New file.
	* sm3-meta.c: New file.
	* hmac-sm3.c: New file.
	* hmac-sm3-meta.c: New file.
	* testsuite/sm3-test.c: New file.
	* nettle.texinfo: Document SM3.

2021-11-19  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (mpz_limbs_cmp): Deleted function. Usage replaced
	with mpz_roinit_n and mpz_cmp.
	(mpz_limbs_read_n): Deleted function. Usage in tests only,
	replaced with mpz_limbs_copy.

2021-11-15  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/eddsa-compress-test.c (test_main): Use test_randomize.
	* testsuite/ecc-redc-test.c (test_main): Likewise.
	* testsuite/ecc-mul-g-test.c (test_main): Likewise.
	* testsuite/ecc-mul-a-test.c (test_main): Likewise.

	* testsuite/ecc-modinv-test.c (test_modulo): Trim allocation for
	result area.
	(test_main): Use test_randomize.
	* testsuite/ecc-sqrt-test.c (test_sqrt): Trim allocation.
	(test_sqrt_ratio): Trim allocation. Fix sqrt_ratio test for v = 0,
	where failure is expected.
	(test_main): Use test_randomize.

2021-11-13  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/testutils.c (get_random_seed): Move function here.
	(test_randomize): New function.
	* testsuite/ecc-mod-test.c (get_random_seed): Delete old copy.
	(test_main): Use test_randomize.
	* testsuite/rsa-compute-root-test.c (get_random_seed): Delete old copy.
	(test_main): Use test_randomize.

	* ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero
	input, which needs handling as a special case in the
	Tonelli-Shanks algorithm.

	* testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0)
	returns 0.
	(test_sqrt_ratio): Check that sqrt (0/1) returns 0.

2021-11-11  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only
	when computed. Fixes uninitialized value bug from previous change.

	* ecc-secp384r1.c (ecc_mod_pow_288m32m1): New function.
	(ecc_secp384r1_inv): Use ecc_mod_pow_288m32m1.
	(ecc_secp384r1_sqrt): Likewise.

	* eccdata.c (output_curve): Delete generation of unused values
	ecc_sqrt_t and ECC_SQRT_T_BITS.

2021-11-10  Niels Möller  <nisse@lysator.liu.se>

	* eccdata.c (output_bignum_redc): New function.
	(output_curve): Generate both redc and non-redc versions of
	ecc_sqrt_z. Fixes secp224r1 sqrt, in configs using redc.

2021-11-08  Niels Möller  <nisse@lysator.liu.se>

	Square root functions, based on patch by Wim Lewis.
	* ecc-internal.h (ecc_mod_sqrt_func): New typedef.
	(struct ecc_modulo): Add sqrt function pointer and sqrt_itch.
	Update all curve definitions.
	* ecc-secp192r1.c (ECC_SECP192R1_SQRT_ITCH): New constant.
	(ecc_secp192r1_sqrt): New function.
	* ecc-secp256r1.c (ecc_secp256r1_sqrt): New function.
	* ecc-secp384r1.c (ecc_secp384r1_sqrt): New function.
	* ecc-secp521r1.c (ecc_secp521r1_sqrt): New function.
	* ecc-secp224r1.c (ecc_secp224r1_sqrt): New function, using
	Tonelli-Shanks' algorithm.

	* testsuite/ecc-sqrt-test.c (test_sqrt): New function.
	(test_sqrt_ratio): Renamed function (was test_modulo).
	(test_main): Test sqrt function, for curves that define it.

	* ecc-secp224r1.c (ecc_mod_pow_127m1): New function.

2021-11-07  Niels Möller  <nisse@lysator.liu.se>

	* ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to
	sqrt_ratio_itch.
	* eddsa-decompress.c (_eddsa_decompress_itch): Updated.

	* ecc-curve448.c (ECC_CURVE448_SQRT_RATIO_ITCH): Renamed, from ...
	(ECC_CURVE448_SQRT_ITCH): ... old name.
	(ecc_curve448_sqrt_ratio): Renamed, from ...
	(ecc_curve448_sqrt): ... old name.
	(_nettle_curve448): Updated.

	* ecc-curve25519.c (ECC_25519_SQRT_RATIO_ITCH): Renamed, from ...
	(ECC_25519_SQRT_ITCH): ... old name.
	(ecc_curve25519_sqrt_ratio): Renamed, from ...
	(ecc_curve25519_sqrt): ... old name.
	(_nettle_curve25519): Updated.

	* ecc-internal.h (ecc_mod_sqrt_ratio_func): Renamed typedef...
	(ecc_mod_sqrt_func): ... from old name.
	(struct ecc_modulo): Renamed corresponding function pointer to
	sqrt_ratio. Updated all uses.

2021-10-28  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_equal_p): New function, moved from
	ecc-modinv-test.c. Based on patch by Wim Lewis.
	* testsuite/ecc-modinv-test.c (mod_eq_p): Deleted, replaced with ecc_mod_equal_p.

2021-10-26  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_zero_p): New function.
	* ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
	* ecc-curve448.c (ecc_curve448_zero_p): Deleted, usage replaced
	with ecc_mod_zero_p.
	* testsuite/ecc-modinv-test.c (mod_eq_p): Rewritten to use
	ecc_mod_zero_p, and require that one input is canonically reduced.
	(zero_p): Deleted, usage replaced with ecc_mod_zero_p.

2021-10-23  Niels Möller  <nisse@lysator.liu.se>

	* gmp-glue.c (sec_zero_p): New function.
	* ecc-curve25519.c (ecc_curve25519_zero_p): Use it.
	* ecc-curve448.c (ecc_curve448_zero_p): Use it.
	* ecc-random.c (ecdsa_in_range): Use it.
	(zero_p): Delete static function.

2021-10-22  Niels Möller  <nisse@lysator.liu.se>

	* ecc-secp256r1.c: Rework ad-hoc reduction functions. In
	particular, arranged to always use single-limb quotients, no q2
	quotient carry.
	(ecc_secp256r1_modp): Reimplemented, closer to 2/1 division.
	(ecc_secp256r1_modq): Reimplemented, closer to divappr2 division.

2021-10-06  Niels Möller  <nisse@lysator.liu.se>

	* testsuite/ecc-mod-test.c: Extend tests to give better coverage
	of corner cases, with input close to a multiple of the modulo.

2021-09-21  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (nettle.pdf): Generate pdf manual using texi2pdf,
	rather than texi2dvi + dvips + ps2pdf, which makes hyperlinks work
	better.

	* nettle.texinfo: Delete explicit node pointers in nettle.texinfo
	Instead, rely on makeinfo's automatic pointer creation.
	(Cipher functions): Split into nodes, with proper menu.

2021-09-14  Niels Möller  <nisse@lysator.liu.se>

	* cbc.h (cbc_aes128_encrypt, cbc_aes192_encrypt)
	(cbc_aes256_encrypt): Change interface, take cipher context
	pointer and iv as separate arguments. Update C and x86_64
	implementations and corresponding glue code.

	* testsuite/testutils.c (test_aead): Test encrypt/decrypt with
	message split into pieces.

2021-09-12  Niels Möller  <nisse@lysator.liu.se>

	* Merged CBC-AES changes into master branch.

2021-09-09  Niels Möller  <nisse@lysator.liu.se>

	Implementation of CBC-AES for x86_64 aesni. Roughly 40%-50%
	speedup benchmarked on Ryzen 5.
	* x86_64/aesni/cbc-aes128-encrypt.asm: New file.
	* x86_64/aesni/cbc-aes192-encrypt.asm: New file.
	* x86_64/aesni/cbc-aes256-encrypt.asm: New file.
	* x86_64/fat/cbc-aes128-encrypt-2.asm: New file.
	* x86_64/fat/cbc-aes192-encrypt-2.asm: New file.
	* x86_64/fat/cbc-aes256-encrypt-2.asm: New file.
	* configure.ac (asm_nettle_optional_list, asm_replace_list): Add
	new asm files.
	* fat-setup.h (cbc_aes128_encrypt_func, cbc_aes192_encrypt_func)
	(cbc_aes256_encrypt_func): New typedefs.
	* fat-x86_64.c (fat_init): Use new functions, when aesni is available.

2021-09-08  Niels Möller  <nisse@lysator.liu.se>

	* cbc-aes128-encrypt.c (nettle_cbc_aes128_encrypt): New file and
	function.
	* cbc-aes192-encrypt.c (cbc_aes192_set_encrypt_key): New file.
	* cbc-aes256-encrypt.c (cbc_aes256_set_encrypt_key): New file.
	* cbc.h (cbc_aes128_ctx, struct cbc_aes192_ctx, cbc_aes256_ctx):
	New context structs. Declare new functions.
	* Makefile.in (nettle_SOURCES): Add new files.
	* nettle-internal.c (nettle_cbc_aes128, nettle_cbc_aes192)
	(nettle_cbc_aes256): New algorithm structs, for tests and
	benchmarking.
	* testsuite/testutils.c (test_aead): Skip tests of decryption and
	authentication, if corresponding function pointers are NULL.
	* testsuite/cbc-test.c (test_main): Add tests of new cbc
	functions.
	* examples/nettle-benchmark.c (time_aead): Skip decrypt benchmark,
	if corresponding function pointer is NULL.

2021-09-09  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/fat/cpuid.asm: Fix usage of W64_ENTRY and W64_EXIT, to
	make fat builds work on 64-bit windows.

2021-08-16  Niels Möller  <nisse@lysator.liu.se>

	S390x functions for sha1, sha256 and sha512, from Mamone Tarsha:
	* s390x/msa/sha1-compress.asm: New file.
	* s390x/msa_x1/sha256-compress.asm: Likewise.
	* s390x/msa_x2/sha512-compress.asm: Likewise.
	* s390x/fat/sha1-compress-2.asm: Likewise.
	* s390x/fat/sha256-compress-2.asm: Likewise.
	* s390x/fat/sha512-compress-2.asm: Likewise.
	* fat-s390x.c: Update fat setup.
	* Makefile.in (distdir): Add s390x/msa_x1.

2021-08-10  Niels Möller  <nisse@lysator.liu.se>

	* x86_64/aesni/aes128-encrypt.asm: New file, with 2-way loop.
	* x86_64/aesni/aes128-decrypt.asm: Likewise.
	* x86_64/aesni/aes192-encrypt.asm: Likewise.
	* x86_64/aesni/aes192-decrypt.asm: Likewise.
	* x86_64/aesni/aes256-encrypt.asm: Likewise.
	* x86_64/aesni/aes256-decrypt.asm: Likewise.
	* x86_64/aesni/aes-encrypt-internal.asm: Deleted.
	* x86_64/aesni/aes-decrypt-internal.asm: Deleted.
	* x86_64/fat/: Corresponding new and deleted files.
	* fat-x86_64.c: Update fat setup accordingly.

2021-08-09  Niels Möller  <nisse@lysator.liu.se>

	Arm64 AES functions, from Mamone Tarsha:
	* arm64/crypto/aes128-decrypt.asm: New file.
	* arm64/crypto/aes128-encrypt.asm: New file.
	* arm64/crypto/aes192-decrypt.asm: New file.
	* arm64/crypto/aes192-encrypt.asm: New file.
	* arm64/crypto/aes256-decrypt.asm: New file.
	* arm64/crypto/aes256-encrypt.asm: New file.
	* arm64/fat/aes128-decrypt-2.asm: New file.
	* arm64/fat/aes128-encrypt-2.asm: New file.
	* arm64/fat/aes192-decrypt-2.asm: New file.
	* arm64/fat/aes192-encrypt-2.asm: New file.
	* arm64/fat/aes256-decrypt-2.asm: New file.
	* arm64/fat/aes256-encrypt-2.asm: New file.
	* configure.ac: Add aes to arm64 FAT_TEST_LIST.
	* fat-arm64.c: Update fat setup.

2021-08-06  Niels Möller  <nisse@lysator.liu.se>

	S390x xor functions, from Mamone Tarsha:
	* configure.ac: New configure option --enable-s390x-vf.
	* fat-s390x.c: Fat setup for memxor3.
	* s390x/vf/memxor3.asm: New file.
	* s390x/memxor.asm: New file.
	* s390x/machine.m4 (XOR_LEN): New macro.
	* s390x/fat/memxor3-2.asm: New file.

2021-07-24  Niels Möller  <nisse@lysator.liu.se>

	Merged s390x code.

	GCM and fat build support for s390x, contributed by Mamone Tarsha:
	* s390x/machine.m4: New file.
	* s390x/msa_x4/gcm-hash.asm: New file.
	* fat-s390x.c: New file.
	* s390x/fat/cpu-facility.asm: New file.
	* s390x/fat/: New wrapper files for aes and gcm assembly.

2021-07-21  Niels Möller  <nisse@lysator.liu.se>

	* Makefile.in (OPT_SOURCES): Add fat-s390x.c.

2021-05-09  Niels Möller  <nisse@lysator.liu.se>

	Implementation of AES using s390x "message security assist"
	extensions. Contributed by Mamone Tarsha:
	* s390x/msa_x1/aes128-decrypt.asm: New file.
	* s390x/msa_x1/aes128-encrypt.asm: New file.
	* s390x/msa_x1/aes128-set-decrypt-key.asm: New file.
	* s390x/msa_x1/aes128-set-encrypt-key.asm: New file.
	* s390x/msa_x2/aes192-decrypt.asm: New file.
	* s390x/msa_x2/aes192-encrypt.asm: New file.
	* s390x/msa_x2/aes192-set-decrypt-key.asm: New file.
	* s390x/msa_x2/aes192-set-encrypt-key.asm: New file.
	* s390x/msa_x2/aes256-decrypt.asm: New file.
	* s390x/msa_x2/aes256-encrypt.asm: New file.
	* s390x/msa_x2/aes256-set-decrypt-key.asm: New file.
	* s390x/msa_x2/aes256-set-encrypt-key.asm: New file.
	* configure.ac: Renamed option to --enable-s390x-msa. Enables both
	msa_x1 and msa_x2.
	(asm_replace_list): Add more aes files.
	* Makefile.in (distdir): Add s390x/msa_x1 s390x/msa_x2 directories.

2021-04-01  Niels Möller  <nisse@lysator.liu.se>

	Move aes128_encrypt and similar functions to their own files. To
	make it easier for assembly implementations to override specific
	AES variants.
	* aes-decrypt.c: Split file, keep only legacy function aes_decrypt here.
	* aes-decrypt-table.c (_nettle_aes_decrypt_table): New file, moved
	table here.
	* aes128-decrypt.c (aes128_decrypt): New file, moved function here.
	* aes192-decrypt.c (aes192_decrypt): New file, moved function here.
	* aes256-decrypt.c (aes256_decrypt): New file, moved function here.
	* aes-encrypt.c: Split file, keep only legacy function aes_encrypt here.
	* aes128-encrypt.c (aes128_encrypt): New file, moved function here.
	* aes192-encrypt.c (aes192_encrypt): New file, moved function here.
	* aes256-encrypt.c (aes256_encrypt): New file, moved function here.
	* Makefile.in (nettle_SOURCES): Add new files.

2021-03-28  Niels Möller  <nisse@lysator.liu.se>

	Initial config for s390x, contributed by Mamone Tarsha.
	* configure.ac: Add flag --enable-s390x-msa-x1. Add ABI check for
	s390x, and setup asm_path.
	* Makefile.in (distdir): Add s390x directory.
	* s390x/README: New file.

2021-07-08  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (FAT_TEST_LIST): Add sha2 to aarch64 fat tests.

	From Mamone Tarsha:
	* arm64/fat/sha256-compress-2.asm: New file.
	* arm64/crypto/sha256-compress.asm: New file.
	* fat-arm64.c: Add setup for nettle_sha1_compress.

2021-06-30  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac (FAT_TEST_LIST): Add sha1 to aarch64 fat tests.

	From Mamone Tarsha:
	* fat-arm64.c: Add setup for nettle_sha1_compress.
	* arm64/fat/sha1-compress-2.asm: New file.

2021-06-01  Niels Möller  <nisse@lysator.liu.se>

	From Mamone Tarsha:
	* arm64/crypto/sha1-compress.asm: New file.

2021-05-17  Niels Möller  <nisse@lysator.liu.se>

	Bug fixes merged from 3.7.3 release (starting from 2021-05-06).
	* rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is
	in range.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.
	* rsa-decrypt.c (rsa_decrypt): Likewise.
	* testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n.

2021-05-14  Niels Möller  <nisse@lysator.liu.se>

	* rsa-sign-tr.c (rsa_sec_blind): Delete mn argument.
	(_rsa_sec_compute_root_tr): Delete mn argument, instead require
	that input size matches key size. Rearrange use of temporary
	storage, to support in-place operation, x == m. Update all
	callers.

	* rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of
	input, for calling _rsa_sec_compute_root_tr.
	* rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise.

	* testsuite/rsa-encrypt-test.c (test_main): Test calling all of
	rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input.

2021-05-06  Niels Möller  <nisse@lysator.liu.se>

	* pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message
	length is valid, for given key size.
	* testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for
	calls to rsa_sec_decrypt specifying a too large message length.

2021-05-23  Niels Möller  <nisse@lysator.liu.se>

	From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394).
	* nist-keywrap.c (bswap_if_le, nist_keywrap16, nist_keyunwrap16)
	(aes128_keywrap, aes192_keywrap, aes256_keywrap)
	(aes128_keyunwrap, aes192_keyunwrap, aes256_keyunwrap): New file,
	new functions.
	* nist-keywrap.h: New header file.
	* Makefile.in (nettle_SOURCES): Add nist-keywrap.c.
	(HEADERS): Add nist-keywrap.h.
	* testsuite/aes-keywrap-test.c (test_main): New tests.
	* testsuite/Makefile.in (TS_NETTLE_SOURCES): Add aes-keywrap-test.c.

2021-04-13  Niels Möller  <nisse@lysator.liu.se>

	* powerpc64/p8/aes-encrypt-internal.asm (SWAP_MASK): Change macro
	name to use all uppercase.
	* powerpc64/p8/aes-decrypt-internal.asm (SWAP_MASK): Likewise.

2021-04-11  Niels Möller  <nisse@lysator.liu.se>

	* config.guess: Update to 2021-01-25 version, from savannah's
	config.git. Needed to recognize M1 Macs.
	* config.sub: Similarly update to 2021-03-10 version.

2021-03-24  Niels Möller  <nisse@lysator.liu.se>

	* .gitlab-ci.yml: Add remote tests for s390x.

2021-03-22  Niels Möller  <nisse@lysator.liu.se>

	Arm64 improvements, including fat build support. Contributed by
	Mamone Tarsha:
	* configure.ac (asm_path): Setup for arm64 fat builds.
	* fat-arm64.c: New file.
	* arm64/fat/gcm-hash.asm: New file.
	* arm64/crypto/gcm-hash.asm: Improved docs. Use m4 macros rather
	than as macros.
	(LOAD_REV_PARTIAL_BLOCK): New macro.
	* arm64/README: Improved docs.

2021-03-21  Niels Möller  <nisse@lysator.liu.se>

	* Released nettle-3.7.2 with ecc bug-fixes only.

	* NEWS: NEWS entries for 3.7.2.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
	compute the scalar used for ecc multiplication.

	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	reduced. Two of the three call sites need that.

	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.

	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
	canonical range.

	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	to compute the scalars used for ecc multiplication.
	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
	triggers an assert on 64-bit platforms, without above fix.
	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
	the same signature.

2021-03-13  Niels Möller  <nisse@lysator.liu.se>

	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.

2021-03-11  Niels Möller  <nisse@lysator.liu.se>

	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	New functions.
	* ecc-internal.h: Declare and document new functions.
	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	* ecc-mul-m.c (ecc_mul_m): Likewise.

2021-03-04  Niels Möller  <nisse@lysator.liu.se>

	Merged initial arm64 code.

2021-02-03  Niels Möller  <nisse@lysator.liu.se>

	* arm64/crypto/gcm-hash.asm: Renamed directory, moved file,...
	* arm64/v8/gcm-hash.asm: ... old name.

2021-02-02  Niels Möller  <nisse@lysator.liu.se>

	* arm64/v8/gcm-hash.asm: Add ".arch armv8-a+crypto" directive.
	Supported by both GNU as and clang (the latter at least from
	version 3.9.1).
	* configure.ac: Don't add -march=armv8-a+crypto to CFLAGS.

2021-01-31  Niels Möller  <nisse@lysator.liu.se>

	* arm64/v8/gcm-hash.asm: New file, contributed by Maamoun TK and
	Michael Weiser.
	* arm64/README: New file. Document endianness issues, contributed
	by Michael Weiser.

2021-02-17  Niels Möller  <nisse@lysator.liu.se>

	* Released Nettle-3.7.1.

2021-02-15  Niels Möller  <nisse@lysator.liu.se>

	* examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted
	glue to openssl arcfour.
	(openssl_arcfour128_set_encrypt_key)
	(openssl_arcfour128_set_decrypt_key): Deleted.
	* nettle-internal.h: Deleted declaration.
	* examples/nettle-benchmark.c (aeads): Delete benchmarking.

2021-02-13  Niels Möller  <nisse@lysator.liu.se>

	* configure.ac: Bump package version, to 3.7.1.
	(LIBNETTLE_MINOR): Bump minor number, to 8.2.
	(LIBHOGWEED_MINOR): Bump minor number, to 6.2.

2021-02-10  Niels Möller  <nisse@lysator.liu.se>

	* chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case
	that counter increment should be 3 (129 <= message length <= 192).
	(_nettle_chacha_crypt32_4core): Likewise.

	* testsuite/chacha-test.c (test_chacha_rounds): New function, for
	tests with non-standard round count. Extracted from _test_chacha.
	(_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32
	handling. When testing message prefixes of varying length, also
	encrypt the remainder of the message, to catch errors in counter
	value update.
	(test_main): Add a few tests with large messages (16 blocks, 1024
	octets), to improve test coverage for _nettle_chacha_crypt_4core