2016-06-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.1.

	doc: Describe envvars.
	* doc/gcrypt.texi: Add chapter Configuration.

	random: Change names of debug envvars.
	* random/rndunix.c (start_gatherer): Change GNUPG_RNDUNIX_DBG to
	GCRYPT_RNDUNIX_DBG, change GNUPG_RNDUNIX_DBG to GCRYPT_RNDUNIX_DBG.
	* random/rndw32.c (registry_poll): Change GNUPG_RNDW32_NOPERF to
	GCRYPT_RNDW32_NOPERF.

2016-06-14  Werner Koch  <wk@gnupg.org>

	cipher: Assign OIDs to the Serpent cipher.
	* cipher/serpent.c (serpent128_oids, serpent192_oids)
	(serpent256_oids): New. Add them to the specs below.
	(serpent128_aliases): Add "SERPENT-128".
	(serpent256_aliases, serpent192_aliases): New.

2016-06-08  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

	Fix gcc portability on Solaris 9 SPARC boxes.
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-06-08  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	  compiler supports PCLMUL *and* SSE4.1
	* cipher/crc.c: Ditto
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-06-08  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-06-08  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-06-03  Werner Koch  <wk@gnupg.org>

	rsa: Implement blinding also for signing.
	* cipher/rsa.c (rsa_decrypt): Factor blinding code out to ...
	(secret_blinded): new.
	(rsa_sign): Use blinding by default.

	random: Remove debug output for getrandom(2) output.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Remove debug
	output.

2016-06-02  Werner Koch  <wk@gnupg.org>

	Fix gcc portability on Solaris 9 SPARC boxes.
	* mpi/longlong.h: Use __sparcv8 as alias for __sparc_v8__.

2016-05-28  Jérémie Courrèges-Anglas  <jca@wxcvbn.org>

	Check for compiler SSE4.1 support in PCLMUL CRC code.
	* cipher/crc-intel-pclmul.c: Build PCLMUL CRC implementation only if
	  compiler supports PCLMUL *and* SSE4.1
	* cipher/crc.c: Ditto
	* configure.ac (sse41support, gcry_cv_gcc_inline_asm_sse41): New.

2016-05-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix ecc_verify for cofactor support.
	* cipher/ecc.c (ecc_verify): Fix the argument for cofactor "h".

2016-04-26  Werner Koch  <wk@gnupg.org>

	random: Try to use getrandom() instead of /dev/urandom (Linux only).
	* configure.ac: Check for syscall.
	* random/rndlinux.c [HAVE_SYSCALL]: Include sys/syscall.h.
	(_gcry_rndlinux_gather_random): Use getrandom if available.

2016-04-19  Werner Koch  <wk@gnupg.org>

	asm fix for older gcc versions.
	* cipher/crc-intel-pclmul.c: Remove extra trailing colon from
	asm statements.

2016-04-15  Werner Koch  <wk@gnupg.org>

	Release 1.7.0.

2016-04-14  Werner Koch  <wk@gnupg.org>

	tests: Add test vectors for 256 GiB test of SHA3-256.
	* tests/hashtest.c: Add new test vectors.

2016-04-14  Justus Winter  <justus@g10code.com>

	src: Improve S-expression parsing.
	* src/sexp.c (do_vsexp_sscan): Return an error if a closing
	parenthesis is encountered with no matching opening parenthesis.

2016-04-14  Werner Koch  <wk@gnupg.org>

	cipher: Add constant for 8 bit CFB mode.
	* src/gcrypt.h.in (GCRY_CIPHER_MODE_CFB8): New.
	* tests/basic.c (check_cfb_cipher): Prepare for CFB-8 tests.

	tests: Add a new test for S-expressions.
	* tests/t-sexp.c (compare_to_canon): New.
	(back_and_forth_one): Add another test.

2016-04-13  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix corner cases for X25519.
	* cipher/ecc.c (ecc_encrypt_raw): For invalid input, returns
	GPG_ERR_INV_DATA instead of aborting with log_fatal.  For X25519,
	it's not an error, thus, let it return 0.
	(ecc_decrypt_raw): Use the flag PUBKEY_FLAG_DJB_TWEAK to distinguish
	X25519, not by the name of the curve.
	(ecc_decrypt_raw): For invalid input, returns GPG_ERR_INV_DATA instead
	of aborting with log_fatal.  For X25519, it's not an error by its
	definition, but we deliberately let it return the error to detect
	looks-like-encrypted-message.
	* tests/t-cv25519.c: Add points to record the issue.

2016-04-12  Werner Koch  <wk@gnupg.org>

	cipher: Buffer data from gcry_cipher_authenticate in OCB mode.
	* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
	aad_leftover and aad_nleftover to u_mode.ocb.
	* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
	aad_nleftover.
	(_gcry_cipher_ocb_authenticate): Add buffering and factor some code out
	to ...
	(ocb_aad_finalize): new.
	(compute_tag_if_needed): Call new function.
	* tests/basic.c (check_ocb_cipher_splitaad): New.
	(check_ocb_cipher): Call new function.
	(main): Also call check_cipher_modes with --cipher-modes.

2016-04-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix X25519 computation on Curve25519.
	* cipher/ecc.c (ecc_encrypt_raw): Tweak of bits when
	PUBKEY_FLAG_DJB_TWEAK is enabled.
	(ecc_decrypt_raw): Return 0 when PUBKEY_FLAG_DJB_TWEAK is enabled.
	* tests/t-cv25519.c (test_cv): Update by using gcry_pk_encrypt.

	ecc: Fix initialization of EC context.
	* cipher/ecc.c (test_ecdh_only_keys, ecc_generate)
	(ecc_check_secret_key, ecc_encrypt_raw, ecc_decrypt_raw): Initialize
	by _gcry_mpi_ec_p_internal_new should carry FLAGS.

2016-04-06  Werner Koch  <wk@gnupg.org>

	Allow building with configure option --enable-hmac-binary-check.
	* src/Makefile.am (mpicalc_LDADD): Add DL_LIBS.
	* src/fips.c (check_binary_integrity): Allow use of hmac256 output.
	* src/hmac256.c (main): Add option --stdkey

2016-04-06  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Positive values in computation.
	* cipher/ecc-curves.c (_gcry_ecc_fill_in_curve): Make sure
	coefficients A and B are positive.
	* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_recover_x): For negation, do
	"P - T" instead of "-T", so that the result will be positive.
	(_gcry_ecc_eddsa_verify): Likewise.
	* cipher/ecc.c (ecc_check_secret_key): Use _gcry_ecc_fill_in_curve
	instead of _gcry_ecc_update_curve_param.
	* mpi/ec.c (ec_subm): Make sure the result will be positive.
	(dup_point_edwards, sub_points_edwards, _gcry_mpi_ec_curve_point): Use
	mpi_sub instead of mpi_neg.
	(add_points_edwards): Simply use ec_addm.
	* tests/t-mpi-point.c (test_curve): Define curves with positive
	coefficients.

2016-04-01  Werner Koch  <wk@gnupg.org>

	mpi: Explicitly limit the allowed input length for gcry_mpi_scan.
	* mpi/mpicoder.c (MAX_EXTERN_SCAN_BYTES): New.
	(mpi_fromstr): Check against this limit.
	(_gcry_mpi_scan): Ditto.
	* tests/mpitests.c (test_maxsize): New.
	(main): Call that test.

2016-03-31  Werner Koch  <wk@gnupg.org>

	cipher: Remove specialized rmd160 functions.
	* cipher/rmd160.c: Replace rmd.h by hash-common.h.
	(RMD160_CONTEXT): Move from rmd.h to here.
	(_gcry_rmd160_init): Remove.
	(_gcry_rmd160_mixblock): Remove.
	(_gcry_rmd160_hash_buffer): Use rmd160_init directly.
	* cipher/md.c: Remove rmd.h which was not actually used.
	* cipher/rmd.h: Remove.
	* cipher/Makefile.am (libcipher_la_SOURCES): Remove rmd.h.
	* configure.ac (USE_RMD160): Allow to build without RMD160.

	random: Replace RMD160 by SHA-1 for mixing the CSPRNG pool.
	* cipher/sha1.c (_gcry_sha1_mixblock_init): New.
	(_gcry_sha1_mixblock): New.
	* random/random-csprng.c: Include sha1.h instead of rmd.h.
	(mix_pool): Use SHA-1 instead of RIPE-MD-160 for mixing.

	cipher: Move sha1 context definition to a separate file.
	* cipher/sha1.c: Replace hash-common.h by sha1.h.
	(SHA1_CONTEXT): Move to ...
	* cipher/sha1.h: new.  Always include all flags.
	* cipher/Makefile.am (libcipher_la_SOURCES): Add sha1.h.

2016-03-29  Werner Koch  <wk@gnupg.org>

	tests: Fix buffer overflow in bench-slope.
	* tests/bench-slope.c (bench_print_result_std): Remove wrong use of
	strncat.

2016-03-27  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	cipher: GCM: check that length of supplied tag is one of valid lengths.
	* cipher/cipher-gcm.c (is_tag_length_valid): New.
	(_gcry_cipher_gcm_tag): Check that 'outbuflen' has valid tag length.
	* tests/basic.c (_check_gcm_cipher): Add test-vectors with different
	valid tag lengths and negative test vectors with invalid lengths.

2016-03-24  Peter Wu  <peter@lekensteyn.nl>

	cipher: Fix memleaks in (self)tests.
	* cipher/dsa.c: Release memory for MPI and sexp structures.
	* cipher/ecc.c: Release memory for sexp structure.
	* tests/keygen.c: Likewise.

	Mark constant MPIs as non-leaked.
	* mpi/mpiutil.c: Mark "constant" MPIs as explicitly leaked.

2016-03-23  Werner Koch  <wk@gnupg.org>

	Add new control GCRYCTL_GET_TAGLEN for use with gcry_cipher_info.
	* src/gcrypt.h.in (GCRYCTL_GET_TAGLEN): New.
	* cipher/cipher.c (_gcry_cipher_info): Add GCRYCTL_GET_TAGLEN feature.

	* tests/basic.c (_check_gcm_cipher): Check that new feature.
	(_check_poly1305_cipher): Ditto.
	(check_ccm_cipher): Ditto.
	(do_check_ocb_cipher): Ditto.
	(check_ctr_cipher): Add negative test for new feature.

	cipher: Avoid NULL-segv in GCM mode if a key has not been set.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_encrypt): Check that GHASH_FN
	has been initialized.
	(_gcry_cipher_gcm_decrypt): Ditto.
	(_gcry_cipher_gcm_authenticate): Ditto.
	(_gcry_cipher_gcm_initiv): Ditto.
	(_gcry_cipher_gcm_tag): Ditto.

	cipher: Check length of supplied tag in _gcry_cipher_poly1305_check_tag.
	* cipher/cipher-poly1305.c (_gcry_cipher_poly1305_tag): Check that the
	provided tag length matches the actual tag length.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for Poly1305.
	* cipher/cipher-poly1305.c: copy a fixed length instead of the
	  user-supplied number.

2016-03-23  Werner Koch  <wk@gnupg.org>

	cipher: Check length of supplied tag in _gcry_cipher_gcm_check_tag.
	* cipher/cipher-gcm.c (_gcry_cipher_gcm_tag): Check that the provided
	tag length matches the actual tag length.  Avoid gratuitous return
	statements.

2016-03-23  Peter Wu  <peter@lekensteyn.nl>

	Fix buffer overrun in gettag for GCM.
	* cipher/cipher-gcm.c: copy a fixed length instead of the user-supplied
	  number.

2016-03-22  Werner Koch  <wk@gnupg.org>

	tests: Add options --fips to keygen for manual tests.
	(main): Add option --fips.
	* tests/keygen.c (check_rsa_keys): Create an 2048 bit key with e=65539
	because that is valid in FIPS mode.  Check that key generation fails
	for too short keys in FIPS mode.
	(check_ecc_keys): Check that key generation fails for Ed25519 keys in
	FIPS mode.

2016-03-22  Tomáš Mráz  <tmraz@redhat.com>

	rsa: Add FIPS 186-4 compliant RSA probable prime key generator.
	* cipher/primegen.c (_gcry_fips186_4_prime_check): New.
	* cipher/rsa.c (generate_fips): New.
	(rsa_generate): Use new function in fips mode or with test-parms.

	* tests/keygen.c (check_rsa_keys): Add test using e=65539.

2016-03-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix ARM NEON support detection on ARMv6 target.
	* configure.ac (gcry_cv_gcc_inline_asm_neon): Use '.arm' directive
	instead of '.thumb'.

2016-03-18  Werner Koch  <wk@gnupg.org>

	Always require a 64 bit integer type.
	* configure.ac (available_digests_64): Merge with available_digests.
	(available_kdfs_64): Merge with available_kdfs.
	<64 bit datatype test>: Bail out if no such type is available.
	* src/types.h: Emit #error if no u64 can be defined.
	(PROPERLY_ALIGNED_TYPE): Always add u64 type.
	* cipher/bithelp.h: Remove all code paths which handle the
	case of !HAVE_U64_TYPEDEF.
	* cipher/bufhelp.h: Ditto.
	* cipher/cipher-ccm.c: Ditto.
	* cipher/cipher-gcm.c: Ditto.
	* cipher/cipher-internal.h: Ditto.
	* cipher/cipher.c: Ditto.
	* cipher/hash-common.h: Ditto.
	* cipher/md.c: Ditto.
	* cipher/poly1305.c: Ditto.
	* cipher/scrypt.c: Ditto.
	* cipher/tiger.c: Ditto.
	* src/g10lib.h: Ditto.
	* tests/basic.c: Ditto.
	* tests/bench-slope.c: Ditto.
	* tests/benchmark.c: Ditto.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	tests: Fix testsuite after the FIPS adjustments.
	* tests/benchmark.c (ecc_bench): Avoid not approved curves in FIPS.
	* tests/curves.c (check_get_params): Skip Brainpool curves in FIPS.
	* tests/keygen.c (check_dsa_keys): Generate 2048 and 3072 bits keys.
	(check_ecc_keys): Skip Ed25519 in FIPS mode.
	* tests/random.c (main): Don't switch DRBG in FIPS mode.
	* tests/t-ed25519.c (main): Ed25519 isn't supported in FIPS mode.
	* tests/t-kdf.c (check_openpgp): Skip vectors using md5 in FIPS.
	* tests/t-mpi-point.c (context_param): Skip P-192 and Ed25519 in FIPS.
	(main): Skip math tests that use P-192 and Ed25519 in FIPS.

	tests: Add new --pss option to fipsdrv.
	* tests/fipsdrv.c (run_rsa_sign, run_rsa_verify): Set salt-length
	to 0 for PSS.

	cipher: Add option to specify salt length for PSS verification.
	* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Check for
	salt-length token.

	tests: Add support for RSA keygen tests to fipsdrv.
	* tests/fipsdrv.c (run_rsa_keygen): New.
	(main): Support RSA keygen and RSA keygen KAT tests.

	tests: Fixes for RSA testsuite in FIPS mode.
	* tests/basic.c (get_keys_new): Generate 2048 bit key.
	* tests/benchmark.c (rsa_bench): Skip keys of lengths different
	than 2048 and 3072 in FIPS mode.
	* tests/keygen.c (check_rsa_keys): Failure if short keys can be
	generated in FIPS mode.
	(check_dsa_keys): Ditto for DSA keys.
	* tests/pubkey.c (check_x931_derived_key): Skip keys < 2048 in FIPS.

	rsa: Use 2048 bit RSA keys for selftest.
	* cipher/rsa.c (selftests_rsa): Use 2048 bit keys.
	(selftest_encr_1024): Replaced by selftest_encr_2048.
	(selftest_sign_1024): Replaced by selftest_sign_2048.
	(selftest_encr_2048): Add check against known ciphertext.
	(selftest_sign_2048): Add check against known signature.
	(selftest_sign_2048): Free SIG_MPI.
	* tests/pubkey.c (get_keys_new): Generate 2048 bit keys.

	Disable non-allowed algorithms in FIPS mode.
	* cipher/cipher.c (_gcry_cipher_init),
	* cipher/mac.c (_gcry_mac_init),
	* cipher/md.c (_gcry_md_init),
	* cipher/pubkey.c (_gcry_pk_init): In the FIPS mode, disable all the
	non-allowed ciphers.
	* cipher/md5.c: Mark MD5 as not allowed in FIPS.
	* src/g10lib.h (_gcry_mac_init): New.
	* src/global.c (global_init): Call the new _gcry_mac_init.
	* tests/basic.c (check_ciphers): Fix a typo.

2016-03-18  Werner Koch  <wk@gnupg.org>

	kdf: Make PBKDF2 check work on all platforms.
	* cipher/kdf.c (_gcry_kdf_pkdf2): Change DKLEN to unsigned long.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	kdf: Add upper bound for derived key length in PBKDF2.
	* cipher/kdf.c (_gcry_kdf_pkdf2): limit dkLen.

	ecc: ECDSA adjustments for FIPS 186-4.
	* cipher/ecc-curves.c: Unmark curve P-192 for FIPS.
	* cipher/ecc.c: Add ECDSA self test.
	* cipher/pubkey-util.c (_gcry_pk_util_init_encoding_ctx): Use SHA-2
	in FIPS mode.
	* tests/fipsdrv.c: Add support for ECDSA signatures.

2016-03-18  Werner Koch  <wk@gnupg.org>

	dsa: Make regression tests work.
	* cipher/dsa.c (sample_secret_key_1024): Comment out unused constant.
	(generate_fips186): Make it work with use-fips186-2 flag.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Use Emacs
	standard comment out format.
	* tests/fips186-dsa.c (check_dsa_gen_186_3): New dummy function.
	(main): Call it.
	(main): Compare against current version.
	* tests/pubkey.c (get_dsa_key_fips186_new): Create 2048 bit key.
	(get_dsa_key_fips186_with_seed_new): Ditto.
	(get_dsa_key_fips186_with_domain_new): Comment out.
	(check_run): Do not call that function.

2016-03-18  Vitezslav Cizek  <vcizek@suse.com>

	dsa: Adjustments to conform with FIPS 186-4.
	* cipher/dsa.c (generate_fips186): FIPS 186-4 adjustments.
	* cipher/primegen.c (_gcry_generate_fips186_3_prime): Fix incorrect
	  buflen passed to _gcry_mpi_scan.

2016-03-16  Justus Winter  <justus@g10code.com>

	Update documentation for 'gcry_sexp_extract_param'.
	* doc/gcrypt.texi (gcry_sexp_extract_param): Mention that all MIPs
	must be set to NULL first, and document how the function behaves in
	case of errors.
	* src/sexp.c (_gcry_sexp_extract_param): Likewise.
	* src/gcrypt.h.in (gcry_sexp_extract_param): Copy the comment from
	'_gcry_sexp_extract_param'.

	cipher: Update comment.
	* cipher/ecc.c (ecc_get_nbits): Update comment to reflect the fact
	that a curve parameter can be given.

2016-03-12  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add Intel PCLMUL implementations of CRC algorithms.
	* cipher/Makefile.am: Add 'crc-intel-pclmul.c'.
	* cipher/crc-intel-pclmul.c: New.
	* cipher/crc.c (USE_INTEL_PCLMUL): New macro.
	(CRC_CONTEXT) [USE_INTEL_PCLMUL]: Add 'use_pclmul'.
	[USE_INTEL_PCLMUL] (_gcry_crc32_intel_pclmul)
	(gcry_crc24rfc2440_intel_pclmul): New.
	(crc32_init, crc32rfc1510_init, crc24rfc2440_init)
	[USE_INTEL_PCLMUL]: Select PCLMUL implementation if SSE4.1 and PCLMUL
	HW features detected.
	(crc32_write, crc24rfc2440_write) [USE_INTEL_PCLMUL]: Use PCLMUL
	implementation if enabled.
	(crc24_init): Document storage format of 24-bit CRC.
	(crc24_next4): Use only 'data' for last table look-up.
	* configure.ac: Add 'crc-intel-pclmul.lo'.
	* src/g10lib.h (HWF_*, HWF_INTEL_SSE4_1): Update HWF flags to include
	Intel SSE4.1.
	* src/hwf-x86.c (detect_x86_gnuc): Add SSE4.1 detection.
	* src/hwfeatures.c (hwflist): Add 'intel-sse4.1'.
	* tests/basic.c (fillbuf_count): New.
	(check_one_md): Add "?" check (million byte data-set with byte pattern
	0x00,0x01,0x02,...); Test all buffer sizes 1 to 1000, for "!" and "?"
	checks.
	(check_one_md_multi): Skip "?".
	(check_digests): Add "?" test-vectors for MD5, SHA1, SHA224, SHA256,
	SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, RIPEMD160,
	CRC32, CRC32_RFC1510, CRC24_RFC2440, TIGER1 and WHIRLPOOL; Add "!"
	test-vectors for CRC32_RFC1510 and CRC24_RFC2440.

2016-02-25  NIIBE Yutaka  <gniibe@fsij.org>

	mpi: Normalize EXPO for mpi_powm.
	* mpi/mpi-pow.c (gcry_mpi_powm): Normalize EP.

2016-02-22  Andreas Metzler  <ametzler@bebt.de>

	Do not ship generated header file in tarball.
	* src/Makefile.am: Move gcrypt.h from include_HEADERS to
	  nodist_include_HEADERS to prevent inclusion in release tarball.
	  This could break out-of-tree-builds because the potentially outdated
	  src/gcrypt.h was not updated but was in the compiler search path.

2016-02-20  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Fix building random-drbg for Win32/64.
	* random/random-drbg.c: Remove include for sys/types.h and asm/types.h.
	(DRBG_PREDICTION_RESIST, DRBG_CTRAES, DRBG_CTRSERPENT, DRBG_CTRTWOFISH)
	(DRBG_HASHSHA1, DRBG_HASHSHA224, DRBG_HASHSHA256, DRBG_HASHSHA384)
	(DRBG_HASHSHA512, DRBG_HMAC, DRBG_SYM128, DRBG_SYM192)
	(DRBG_SYM256): Change 'u_int32_t' to 'u32'.
	(drbg_get_entropy) [USE_RNDUNIX, USE_RNDW32]: Fix parameters
	'drbg_read_cb' and 'len'.

2016-02-20  Werner Koch  <wk@gnupg.org>

	tests: Do not test DRBG_REINIT from "make check"
	* tests/random.c (main): Run check_drbg_reinit only if the envvar
	GCRYPT_IN_REGRESSION_TEST is set.

	doc: Fix possible dependency problem.
	* doc/Makefile.am (gcrypt.texi): Use the right target.

2016-02-19  Stephan Mueller  <smueller@chronox.de>

	random: Remove ANSI X9.31 DRNG.
	* random-fips.c: Remove.

2016-02-19  Werner Koch  <wk@gnupg.org>

	random: Add a test case for DRBG_REINIT.
	* src/global.c (_gcry_vcontrol) <DRBG_REINIT>: Test for FIPS RNG.
	* tests/random.c (check_drbg_reinit): New.
	(main): Call new test.

	random: Allow DRBG_REINIT before initialization.
	* random/random-drbg.c (DRBG_DEFAULT_TYPE): New.
	(_drbg_init_internal): Set the default type if no type has been set
	before.
	(_gcry_rngdrbg_inititialize): Pass 0 for flags to use the default.

	Add new private header gcrypt-testapi.h.
	* src/gcrypt-testapi.h: New.
	* src/Makefile.am (libgcrypt_la_SOURCES): Add new file.
	* random/random.h: Include gcrypt-testapi.h.
	(struct gcry_drbg_test_vector) : Move to gcrypt-testapi.h.
	* src/global.c: Include gcrypt-testapi.h.
	(_gcry_vcontrol): Use PRIV_CTL_* constants instead of 58, 59, 60, 61.
	* cipher/cipher.c: Include gcrypt-testapi.h.
	(_gcry_cipher_ctl): Use PRIV_CIPHERCTL_ constants instead of 61, 62.
	* tests/fipsdrv.c: Include gcrypt-testapi.h.  Remove definition of
	PRIV_CTL_ constants and replace their use by the new PRIV_CIPHERCTL_
	constants.
	* tests/t-lock.c: Include gcrypt-testapi.h.  Remove
	PRIV_CTL_EXTERNAL_LOCK_TEST and EXTERNAL_LOCK_TEST_ constants.

	* random/random-drbg.c (gcry_rngdrbg_cavs_test): Rename to ...
	(_gcry_rngdrbg_cavs_test): this.
	(gcry_rngdrbg_healthcheck_one): Rename to ...
	(_gcry_rngdrbg_healthcheck_one): this.

	random: Make the DRBG C-90 clean and use a flag string.
	* random/random.h (struct gcry_drbg_test_vector): Rename "flags" to
	"flagstr" and turn it into a string.
	* random/random-drbg.c (drbg_test_pr, drbg_test_nopr): Replace use of
	designated initializers.  Use a string for the flags.
	(gcry_rngdrbg_cavs_test): Parse the flag string into a flag value.
	(drbg_healthcheck_sanity): Ditto.

	random: Symbol name cleanup for random-drbg.c.
	* random/random-drbg.c: Rename all static objects and macros from
	"gcry_drbg" to "drbg".
	(drbg_string_t): New typedef.
	(drbg_gen_t): New typedef.
	(drbg_state_t): New typedef.  Replace all "struct drbg_state_s *" by
	this.
	(_drbg_init_internal): Replace xcalloc_secure by xtrycalloc_secure so
	that an error is actually returned.
	(gcry_rngdrbg_cavs_test): Ditto.
	(gcry_drbg_healthcheck_sanity): Ditto.

	random: Use our symbol name pattern also for drbg functions.
	* random/random-drbg.c: Rename global functions from _gcry_drbg_*
	to _gcry_rngdrbg_*.
	* random/random.c: Adjust for this change.
	* src/global.c: Ditto.

	random: Rename drbg.c to random-drbg.c.
	* random/drbg.c: Rename to ...
	* random/random-drbg.c: this.
	* random/Makefile.am (librandom_la_SOURCES): Adjust accordingly.

	random: Remove the new API introduced by the new DRBG.
	* src/gcrypt.h.in (struct gcry_drbg_gen): Move to random/drbg.c.
	(struct gcry_drbg_string): Ditto.
	(gcry_drbg_string_fill): Ditto.
	(gcry_randomize_drbg): Remove.
	* random/drbg.c (parse_flag_string): New.
	(_gcry_drbg_reinit): Change the way the arguments are passed.
	* src/global.c (_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: Change calling
	convention.

	Add helper function _gcry_strtokenize.
	* src/misc.c (_gcry_strtokenize): New.

2016-02-18  Werner Koch  <wk@gnupg.org>

	random: Remove DRBG constants from the public API.
	* src/gcrypt.h.in (GCRY_DRBG_): Remove all new flags to ...
	* random/drbg.c: here.

2016-02-18  Stephan Mueller  <smueller@chronox.de>

	random: Add SP800-90A DRBG.
	* random/drbg.c: New.
	* random/random.c (_gcry_random_initialize): Replace rngfips init by
	drbg init.
	(__gcry_random_close_fds): Likewise.
	(_gcry_random_dump_stats): Likewise.
	(_gcry_random_is_faked): Likewise.
	(do_randomize): Likewise.
	(_gcry_random_selftest): Likewise.
	(_gcry_create_nonce): Replace rngfips_create_nonce by drbg_randomize.
	(_gcry_random_init_external_test): Remove.
	(_gcry_random_run_external_test): Remove.
	(_gcry_random_deinit_external_test): Remove.
	* random/random.h (struct gcry_drbg_test_vector): New.
	* src/gcrypt.h.in (struct gcry_drbg_gen): New.
	(struct gcry_drbg_string): New.
	(gcry_drbg_string_fill): New.
	(gcry_randomize_drbg): New.
	(GCRY_DRBG_): Lots of new macros.
	* src/global.c (_gcry_vcontrol) <Init external random test>: Turn into
	a nop.
	(_gcry_vcontrol) <Deinit external random test>: Ditto.
	(_gcry_vcontrol) <Run external random test>: Change.
	(_gcry_vcontrol) <GCRYCTL_DRBG_REINIT>: New.

2016-02-13  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	bufhelp: disable unaligned memory accesses on powerpc.
	* cipher/bufhelp.h (BUFHELP_FAST_UNALIGNED_ACCESS): Disable for
	__powerpc__ and __powerpc64__.

2016-02-12  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Not validate input point for Curve25519.
	* cipher/ecc.c (ecc_decrypt_raw): Curve25519 is an exception.

2016-02-10  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix memory leaks on error.
	* cipher/ecc.c (ecc_decrypt_raw): Go to leave to release memory.
	* mpi/ec.c (_gcry_mpi_ec_curve_point): Likewise.

2016-02-09  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: input validation on ECDH.
	* cipher/ecc.c (ecc_decrypt_raw): Validate the point.

2016-02-08  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Add ARM assembly implementation of SHA-512.
	* cipher/Makefile.am: Add 'sha512-arm.S'.
	* cipher/sha512-arm.S: New.
	* cipher/sha512.c (USE_ARM_ASM): New.
	(_gcry_sha512_transform_arm): New.
	(transform) [USE_ARM_ASM]: Use ARM assembly implementation instead of
	generic.
	* configure.ac: Add 'sha512-arm.lo'.

2016-02-03  NIIBE Yutaka  <gniibe@fsij.org>

	tests: Add a test for Curve25519.
	* tests/Makefile.am (tests_bin): Add t-cv25519.
	* tests/t-cv25519.c: New.

2016-02-02  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Fix Curve25519 for data by older implementation.
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix code path for
	short length data.

	ecc: more fix of Curve25519.
	* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
	prefix.  Clear the MSB, according to RFC7748.

	ecc: Fix ECDH of Curve25519.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
	and prefix detection.
	* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
	(ecc_encrypt_raw): Use NBITS from curve instead of from P.
	Fix rawmpilen calculation.
	(ecc_decrypt_raw): Likewise.  Add debug output.

2016-01-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of generic SHA256 implementation.
	* cipher/sha256.c (R): Let caller do variable shuffling.
	(Chro, Maj, Sum0, Sum1): Convert from inline functions to macros.
	(W, I): New.
	(transform_blk): Unroll round loop; inline message expansion to rounds
	to make message expansion buffer smaller.

2016-01-28  Werner Koch  <wk@gnupg.org>

	ecc: New API function gcry_mpi_ec_decode_point.
	* mpi/ec.c (_gcry_mpi_ec_decode_point): New.
	* cipher/ecc-common.h: Move two prototypes to ...
	* src/ec-context.h: here.
	* src/gcrypt.h.in (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.def (gcry_mpi_ec_decode_point): New.
	* src/libgcrypt.vers (gcry_mpi_ec_decode_point): New.
	* src/visibility.c (gcry_mpi_ec_decode_point): New.
	* src/visibility.h: Add new function.

2016-01-15  Werner Koch  <wk@gnupg.org>

	Fix build problem for rndegd.c.
	* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Test all RND modules.
	* random/rndegd.c (_gcry_rndegd_connect_socket)
	(my_make_filename): Use functions with '_' prefix.

	random: Fix possible AIX problem with sysconf in rndunix.
	* random/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
	(start_gatherer): Detect misbehaving sysconf.

2015-12-27  Werner Koch  <wk@gnupg.org>

	random: Take at max 25% from RDRAND.
	* random/rndlinux.c (_gcry_rndlinux_gather_random): Change use of
	RDRAND from 50% to 25%.

2015-12-07  Justus Winter  <justus@g10code.com>

	cipher: Improve error handling.
	* cipher/ecc.c (ecc_decrypt_raw): Improve error handling.

	cipher: Initialize 'flags'.
	* cipher/ecc.c (ecc_encrypt_raw): Initialize 'flags' to 0.

2015-12-05  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: CHANGE point representation of Curve25519.
	* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Decode point with
	the prefix 0x40, additional 0x00 by MPI handling, and shorter octets
	by MPI normalization.
	* cipher/ecc.c (ecc_generate, ecc_encrypt_raw, ecc_decrypt_raw):
	Always add the prefix 0x40.

2015-12-03  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	chacha20: fix alignment of self-test context.
	* cipher/chacha20.c (selftest): Ensure 16-byte alignment for chacha20
	context structure.

	salsa20: fix alignment of self-test context.
	* cipher/salsa20.c (selftest): Ensure 16-byte alignment for salsa20
	context structure.

2015-12-02  Justus Winter  <justus@g10code.com>

	random: Drop fake entropy gathering function.
	* random/random-csprng.c (faked_rng): Drop variable.
	(gather_faked): Drop prototype and function.
	(initialize): Drop fallback code.
	(_gcry_rngcsprng_is_faked): Change accordingly.

	random: Fix selection of entropy gathering function.
	* random/random-csprng.c (getfnc_gather_random): Do return NULL if no
	usable entropy gathering function is found.  The callsite then
	installs the fake gather function.

2015-11-26  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: minor improvement of point multiplication.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.

2015-11-25  NIIBE Yutaka  <gniibe@fsij.org>

	ecc: Constant-time multiplication for Weierstrass curve.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
	method for Weierstrass curve when SCALAR is secure.

	mpi: fix gcry_mpi_swap_cond.
	* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.

	mpi: Fix mpi_set_cond and mpi_swap_cond .
	* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
	the operator of !!, but assume SET/SWAP is 0 or 1.

	ecc: multiplication of Edwards curve to be constant-time.
	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.

	ecc: Add point_resize and point_swap_cond.
	* mpi/ec.c (point_resize, point_swap_cond): New.
	(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.

2015-11-18  Justus Winter  <justus@g10code.com>

	cipher: Fix error handling.
	* cipher/cipher.c (_gcry_cipher_ctl): Fix error handling.

2015-11-18  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Tweak Keccak for small speed-up.
	* cipher/keccak_permute_32.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Track
	rounds with round constant pointer instead of separate round counter.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Ditto.
	(KECCAK_F1600_ABSORB_FUNC_NAME): Tweak lanes pointer increment for bulk
	absorb loops.

	Update license information for CRC.
	* LICENSES: Remove 'Simple permissive' and 'IETF permissive' licenses
	for 'cipher/crc.c' as result of rewrite of CRC implementations.

2015-11-17  Justus Winter  <justus@g10code.com>

	Fix typos found using codespell.
	* cipher/cipher-ocb.c: Fix typos.
	* cipher/des.c: Likewise.
	* cipher/dsa-common.c: Likewise.
	* cipher/ecc.c: Likewise.
	* cipher/pubkey.c: Likewise.
	* cipher/rsa-common.c: Likewise.
	* cipher/scrypt.c: Likewise.
	* random/random-csprng.c: Likewise.
	* random/random-fips.c: Likewise.
	* random/rndw32.c: Likewise.
	* src/cipher-proto.h: Likewise.
	* src/context.c: Likewise.
	* src/fips.c: Likewise.
	* src/gcrypt.h.in: Likewise.
	* src/global.c: Likewise.
	* src/sexp.c: Likewise.
	* tests/mpitests.c: Likewise.
	* tests/t-lock.c: Likewise.

2015-11-01  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Improve performance of Tiger hash algorithms.
	* cipher/tiger.c (tiger_round, pass, key_schedule): Convert functions
	to macros.
	(transform_blk): Pass variable names instead of pointers to 'pass'.

	Add ARMv7/NEON implementation of Keccak.
	* cipher/Makefile.am: Add 'keccak-armv7-neon.S'.
	* cipher/keccak-armv7-neon.S: New.
	* cipher/keccak.c (USE_64BIT_ARM_NEON): New.
	(NEED_COMMON64): Select if USE_64BIT_ARM_NEON.
	[NEED_COMMON64] (round_consts_64bit): Rename to...
	[NEED_COMMON64] (_gcry_keccak_round_consts_64bit): ...this; Add
	terminator at end.
	[USE_64BIT_ARM_NEON] (_gcry_keccak_permute_armv7_neon)
	(_gcry_keccak_absorb_lanes64_armv7_neon, keccak_permute64_armv7_neon)
	(keccak_absorb_lanes64_armv7_neon, keccak_armv7_neon_64_ops): New.
	(keccak_init) [USE_64BIT_ARM_NEON]: Select ARM/NEON implementation
	if supported by HW.
	* cipher/keccak_permute_64.h (KECCAK_F1600_PERMUTE_FUNC_NAME): Update
	to use new round constant table.
	* configure.ac: Add 'keccak-armv7-neon.lo'.

	Optimize Keccak 64-bit absorb functions.
	* cipher/keccak.c [USE_64BIT] [__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	* cipher/keccak.c [USE_64BIT] [!__x86_64__] (absorb_lanes64_8)
	(absorb_lanes64_4, absorb_lanes64_2, absorb_lanes64_1): New.
	[USE_64BIT] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT] (keccak_absorb_lanes64): Remove.
	[USE_64BIT_SHLD] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_SHLD] (keccak_absorb_lanes64_shld): Remove.
	[USE_64BIT_BMI2] (KECCAK_F1600_ABSORB_FUNC_NAME): New.
	[USE_64BIT_BMI2] (keccak_absorb_lanes64_bmi2): Remove.
	* cipher/keccak_permute_64.h (KECCAK_F1600_ABSORB_FUNC_NAME): New.

2015-10-31  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	Enable CRC test vectors with zero bytes.
	* tests/basic.c (check_digests): Enable CRC test-vectors with zero
	bytes.

	Keccak: Add SHAKE Extendable-Output Functions.
	* src/hash-common.c (_gcry_hash_selftest_check_one): Add handling for
	XOFs.
	* src/keccak.c (keccak_ops_t): Rename 'extract_inplace' to 'extract'
	and add 'pos' argument.
	(KECCAK_CONTEXT): Add 'suffix'.
	(keccak_extract_inplace64): Rename to...
	(keccak_extract64): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi): Rename to...
	(keccak_extract32bi): ...this; Add handling for 'pos' argument.
	(keccak_extract_inplace32bi_bmi2): Rename to...
	(keccak_extract32bi_bmi2): ...this; Add handling for 'pos' argument.
	(keccak_init): Set up 'suffix'; add SHAKE128 & SHAKE256.
	(shake128_init, shake256_init): New.
	(keccak_final): Do not do the initial permute for SHAKE output; use the
	correct suffix for SHAKE.
	(keccak_extract): New.
	(keccak_selftests_keccak): Add SHAKE128 & SHAKE256 test-vectors.
	(run_selftests): Add SHAKE128 & SHAKE256.
	(shake128_asn, oid_spec_shake128, shake256_asn, oid_spec_shake256)
	(_gcry_digest_spec_shake128, _gcry_digest_spec_shake256): New.
	* cipher/md.c (digest_list): Add SHAKE128 & SHAKE256.
	* doc/gcrypt.texi: Ditto.
	* src/cipher.h (_gcry_digest_spec_shake128)
	(_gcry_digest_spec_shake256): New.
	* src/gcrypt.h.in (GCRY_MD_SHAKE128, GCRY_MD_SHAKE256): New.
	* tests/basic.c (check_one_md): Add XOF check; Add 'elen' argument.
	(check_one_md_multi): Skip if algo is XOF.
	(check_digests): Add SHAKE128 & SHAKE256 test vectors.
	* tests/bench-slope.c (kdf_bench_one): Skip XOFs.

	A few updates to documentation.
	* doc/gcrypt.texi: Add mention of new 'intel-fast-shld' hw feature
	flag; Add mention of x86 RDRAND support in rndhw.

	Add HMAC-SHA3 test vectors.
	* tests/basic.c (check_mac): Add HMAC_SHA3 test vectors.

2015-10-28  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	md: add variable length output interface.
	* cipher/crc.c (_gcry_digest_spec_crc32)
	(_gcry_digest_spec_crc32_rfc1510, _gcry_digest_spec_crc24_rfc2440): Set
	'extract' NULL.
	* cipher/gostr3411-94.c (_gcry_digest_spec_gost3411_94)
	(_gcry_digest_spec_gost3411_cp): Ditto.
	* cipher/keccak.c (_gcry_digest_spec_sha3_224)
	(_gcry_digest_spec_sha3_256, _gcry_digest_spec_sha3_384)
	(_gcry_digest_spec_sha3_512): Ditto.
	* cipher/md2.c (_gcry_digest_spec_md2): Ditto.
	* cipher/md4.c (_gcry_digest_spec_md4): Ditto.
	* cipher/md5.c (_gcry_digest_spec_md5): Ditto.
	* cipher/rmd160.c (_gcry_digest_spec_rmd160): Ditto.
	* cipher/sha1.c (_gcry_digest_spec_sha1): Ditto.
	* cipher/sha256.c (_gcry_digest_spec_sha224)
	(_gcry_digest_spec_sha256): Ditto.
	* cipher/sha512.c (_gcry_digest_spec_sha384)
	(_gcry_digest_spec_sha512): Ditto.
	* cipher/stribog.c (_gcry_digest_spec_stribog_256)
	(_gcry_digest_spec_stribog_512): Ditto.
	* cipher/tiger.c (_gcry_digest_spec_tiger)
	(_gcry_digest_spec_tiger1, _gcry_digest_spec_tiger2): Ditto.
	* cipher/whirlpool.c (_gcry_digest_spec_whirlpool): Ditto.
	* cipher/md.c (md_enable): Do not allow combination of HMAC and
	'expandable-output function'.
	(md_final): Check if spec->read is NULL before calling.
	(md_read): Ditto.
	(md_extract, _gcry_md_extract): New.
	* doc/gcrypt.texi: Add SHA3 algorithms and gcry_md_extract.
	* src/cipher-proto.h (gcry_md_extract_t): New.
	(gcry_md_spec_t): Add 'extract'.
	* src/gcrypt-int.h (_gcry_md_extract): New.
	* src/gcrypt.h.in (gcry_md_extract): New.
	* src/libgcrypt.def: Add gcry_md_extract.
	* src/libgcrypt.vers: Add gcry_md_extract.
	* src/visibility.c (gcry_md_extract): New.
	* src/visibility.h (gcry_md_extract): New.
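
	The SHAKE entry above and this variable-length output interface describe
	the same mechanism: an extendable-output function is squeezed from the
	Keccak sponge on demand, with a byte position ('pos') carried across
	calls so that the next permutation happens only when a block is used up.
	What follows is an added example, not libgcrypt code: a small
	SHAKE128/SHAKE256/SHA3-256 sponge in C whose extract routine keeps that
	position across calls. The rates (168/136 bytes), the 0x1F and 0x06
	domain-separation suffixes and the pad10*1 rule are the FIPS 202 values;
	the names (sponge_t, sponge_extract, xof_hex, ...) and the sample message
	are this example's own. libgcrypt's public entry point for this is
	gcry_md_extract, listed above; the example does not call it.

```c
/* Added example (not libgcrypt code): SHAKE/SHA-3 sponge with resumable extract. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint64_t RC[24] = {                       /* Keccak-f[1600] iota constants */
  0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
  0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
  0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
  0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
  0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
  0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL };
static const unsigned ROT[25] = { 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
                                  41, 45, 15, 21, 8, 18, 2, 61, 56, 14 };  /* rho, index x+5y */

static uint64_t rol64(uint64_t x, unsigned n) { return n ? (x << n) | (x >> (64 - n)) : x; }

static void keccak_f1600(uint64_t s[25])
{
  uint64_t c[5], d, b[25];
  for (int r = 0; r < 24; r++) {
    for (int x = 0; x < 5; x++) c[x] = s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20];
    for (int x = 0; x < 5; x++) {                                   /* theta */
      d = c[(x + 4) % 5] ^ rol64(c[(x + 1) % 5], 1);
      for (int y = 0; y < 25; y += 5) s[x + y] ^= d;
    }
    for (int x = 0; x < 5; x++)                                     /* rho + pi */
      for (int y = 0; y < 5; y++)
        b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(s[x + 5 * y], ROT[x + 5 * y]);
    for (int y = 0; y < 25; y += 5)                                 /* chi */
      for (int x = 0; x < 5; x++)
        s[x + y] = b[x + y] ^ (~b[(x + 1) % 5 + y] & b[(x + 2) % 5 + y]);
    s[0] ^= RC[r];                                                  /* iota */
  }
}

typedef struct {
  uint64_t st[25];  /* 1600-bit state, bytes addressed little-endian within lanes */
  size_t rate;      /* bytes per block: 168 for SHAKE128, 136 for SHAKE256/SHA3-256 */
  size_t pos;       /* byte offset inside the current block (the 'pos' of the entry) */
  uint8_t suffix;   /* domain separation: 0x1F for SHAKE, 0x06 for SHA-3 */
  int squeezing;    /* set once padding has been applied and output has begun */
} sponge_t;

static void sponge_init(sponge_t *c, size_t rate, uint8_t suffix)
{ memset(c, 0, sizeof *c); c->rate = rate; c->suffix = suffix; }

static int sponge_absorb(sponge_t *c, const uint8_t *in, size_t len)
{
  if (c->squeezing) return -1;                 /* no more input once output has started */
  for (size_t i = 0; i < len; i++) {
    c->st[c->pos / 8] ^= (uint64_t)in[i] << (8 * (c->pos % 8));
    if (++c->pos == c->rate) { keccak_f1600(c->st); c->pos = 0; }
  }
  return 0;
}

/* Squeeze 'len' bytes; repeated calls continue exactly where the last one stopped. */
static void sponge_extract(sponge_t *c, uint8_t *out, size_t len)
{
  if (!c->squeezing) {                         /* pad10*1 with suffix, then permute once */
    c->st[c->pos / 8] ^= (uint64_t)c->suffix << (8 * (c->pos % 8));
    c->st[(c->rate - 1) / 8] ^= 0x80ULL << (8 * ((c->rate - 1) % 8));
    keccak_f1600(c->st);
    c->pos = 0;
    c->squeezing = 1;
  }
  for (size_t i = 0; i < len; i++) {
    if (c->pos == c->rate) { keccak_f1600(c->st); c->pos = 0; }  /* next block only when needed */
    out[i] = (uint8_t)(c->st[c->pos / 8] >> (8 * (c->pos % 8)));
    c->pos++;
  }
}

/* One-shot helper: returns lowercase hex in a static buffer (copy before the next call). */
static const char *xof_hex(size_t rate, uint8_t suffix, const uint8_t *in, size_t inlen, size_t outlen)
{
  static char hex[513]; uint8_t buf[256]; sponge_t c;
  if (outlen > sizeof buf) outlen = sizeof buf;
  sponge_init(&c, rate, suffix); sponge_absorb(&c, in, inlen); sponge_extract(&c, buf, outlen);
  for (size_t i = 0; i < outlen; i++) sprintf(hex + 2 * i, "%02x", buf[i]);
  return hex;
}
#define SHAKE128_HEX(in, n, out) xof_hex(168, 0x1f, (in), (n), (out))
#define SHAKE256_HEX(in, n, out) xof_hex(136, 0x1f, (in), (n), (out))
#define SHA3_256_HEX(in, n)      xof_hex(136, 0x06, (in), (n), 32)

/* Two 100-byte extracts must equal one 200-byte extract (this crosses the 168-byte
   SHAKE128 block boundary), and absorbing after extracting must be refused. */
static int extract_is_resumable(void)
{
  static const uint8_t msg[] = "constructed sample input";   /* constructed, not a test vector */
  uint8_t one[200], two[200]; sponge_t a, b;
  sponge_init(&a, 168, 0x1f); sponge_absorb(&a, msg, sizeof msg - 1);
  sponge_init(&b, 168, 0x1f); sponge_absorb(&b, msg, sizeof msg - 1);
  sponge_extract(&a, one, 200);
  sponge_extract(&b, two, 100); sponge_extract(&b, two + 100, 100);
  return memcmp(one, two, 200) == 0 && sponge_absorb(&b, msg, 1) == -1;
}

int main(void)
{
  printf("SHAKE128(\"\")[0..32) = %s\n", SHAKE128_HEX((const uint8_t *)"", 0, 32));
  printf("SHA3-256(\"\")       = %s\n", SHA3_256_HEX((const uint8_t *)"", 0));
  printf("resumable extract: %s\n", extract_is_resumable() ? "ok" : "FAIL");
  return 0;
}
```

	The stand-alone main prints SHAKE128 and SHA3-256 of the empty string,
	which can be checked against the FIPS 202 example vectors; the only
	difference between the two computations is the suffix byte, which is why
	the entry above stresses using the correct suffix for SHAKE. Two details
	worth keeping when wrapping such an interface: once output has been
	squeezed, further input must be refused (sponge_absorb returns -1 here),
	and an XOF has no fixed digest, so combining it with HMAC is meaningless,
	which is what the md_enable change above rejects.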

	md: check hmac flag in prepare_macpads.
	* cipher/md.c (prepare_macpads): Check hmac flag.

	keccak: rewrite for improved performance.
	* cipher/Makefile.am: Add 'keccak_permute_32.h' and
	'keccak_permute_64.h'.
	* cipher/hash-common.h [USE_SHA3] (MD_BLOCK_MAX_BLOCKSIZE): Remove.
	* cipher/keccak.c (USE_64BIT, USE_32BIT, USE_64BIT_BMI2)
	(USE_64BIT_SHLD, USE_32BIT_BMI2, NEED_COMMON64, NEED_COMMON32BI)
	(keccak_ops_t): New.
	(KECCAK_STATE): Add 'state64' and 'state32bi' members.
	(KECCAK_CONTEXT): Remove 'bctx'; add 'blocksize', 'count' and 'ops'.
	(rol64, keccak_f1600_state_permute): Remove.
	[NEED_COMMON64] (round_consts_64bit, keccak_extract_inplace64): New.
	[NEED_COMMON32BI] (round_consts_32bit, keccak_extract_inplace32bi)
	(keccak_absorb_lane32bi): New.
	[USE_64BIT] (ANDN64, ROL64, keccak_f1600_state_permute64)
	(keccak_absorb_lanes64, keccak_generic64_ops): New.
	[USE_64BIT_SHLD] (ANDN64, ROL64, keccak_f1600_state_permute64_shld)
	(keccak_absorb_lanes64_shld, keccak_shld_64_ops): New.
	[USE_64BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute64_bmi2)
	(keccak_absorb_lanes64_bmi2, keccak_bmi2_64_ops): New.
	[USE_32BIT] (ANDN64, ROL64, keccak_f1600_state_permute32bi)
	(keccak_absorb_lanes32bi, keccak_generic32bi_ops): New.
	[USE_32BIT_BMI2] (ANDN64, ROL64, keccak_f1600_state_permute32bi_bmi2)
	(pext, pdep, keccak_absorb_lane32bi_bmi2, keccak_absorb_lanes32bi_bmi2)
	(keccak_extract_inplace32bi_bmi2, keccak_bmi2_32bi_ops): New.
	(keccak_write): New.
	(keccak_init): Adjust to KECCAK_CONTEXT changes; add implementation
	selection based on HWF features.
	(keccak_final): Adjust to KECCAK_CONTEXT changes; use selected 'ops'
	for state manipulation.
	(keccak_read): Adjust to KECCAK_CONTEXT changes.
	(_gcry_digest_spec_sha3_224, _gcry_digest_spec_sha3_256)
	(_gcry_digest_spec_sha3_384, _gcry_digest_spec_sha3_512): Use
	'keccak_write' instead of '_gcry_md_block_write'.
	* cipher/keccak_permute_32.h: New.
	* cipher/keccak_permute_64.h: New.

	hwf-x86: add detection for Intel CPUs with fast SHLD instruction.
	* cipher/sha1.c (sha1_init): Use HWF_INTEL_FAST_SHLD instead of
	HWF_INTEL_CPU.
