authorWerner Koch <wk@gnupg.org>2021-01-21 08:31:08 +0100
committerWerner Koch <wk@gnupg.org>2021-01-21 08:31:08 +0100
commit269250870a48a79edd0aaf723edd7a32e089a7a1 (patch)
tree3f035c25939ee6ce97c457f38ebc6b91aef12c49
parentfa3420b011c105ca21894489e62c7e882a3ac4dd (diff)
parent880aa91cfb64f8a63a39048cf38d2a5889e650a8 (diff)
Merge branch 'LIBGCRYPT-1.9-BRANCH'
-- Master is missing latest NEWS and some other last minute changes from the 1.9.0 release.
-rw-r--r--AUTHORS8
-rw-r--r--NEWS143
-rw-r--r--README15
-rw-r--r--cipher/ecc-ecdh.c14
-rw-r--r--compat/compat.c4
-rw-r--r--configure.ac4
-rw-r--r--doc/gcrypt.texi42
-rw-r--r--src/gcrypt.h.in8
-rw-r--r--src/versioninfo.rc.in2
-rw-r--r--src/visibility.c8
10 files changed, 206 insertions, 42 deletions
diff --git a/AUTHORS b/AUTHORS
index 9e2d92f4..f6bfcb85 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -6,6 +6,7 @@ Repository: git://git.gnupg.org/libgcrypt.git
Maintainer: Werner Koch <wk@gnupg.org>
Bug reports: https://bugs.gnupg.org
Security related bug reports: <security@gnupg.org>
+End-of-life: TBD
License (library): LGPLv2.1+
License (manual and tools): GPLv2+
@@ -30,14 +31,17 @@ List of Copyright holders
Copyright (C) 1996-2006 Peter Gutmann, Matt Thomlinson and Blake Coverett
Copyright (C) 2003 Nikos Mavroyanopoulos
Copyright (C) 2006-2007 NTT (Nippon Telegraph and Telephone Corporation)
- Copyright (C) 2012-2018 g10 Code GmbH
+ Copyright (C) 2012-2021 g10 Code GmbH
Copyright (C) 2012 Simon Josefsson, Niels Möller
Copyright (c) 2012 Intel Corporation
Copyright (C) 2013 Christian Grothoff
- Copyright (C) 2013-2017 Jussi Kivilinna
+ Copyright (C) 2013-2021 Jussi Kivilinna
Copyright (C) 2013-2014 Dmitry Eremin-Solenikov
Copyright (C) 2014 Stephan Mueller
+ Copyright (C) 2017 Jia Zhang
Copyright (C) 2018 Bundesamt für Sicherheit in der Informationstechnik
+ Copyright (C) 2020 Alibaba Group.
+ Copyright (C) 2020 Tianjia Zhang
Authors with a FSF copyright assignment
diff --git a/NEWS b/NEWS
index 264f34f1..11825112 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,74 @@
-Noteworthy changes in version 1.9.0 (unreleased) [C22/A3/R0]
+Noteworthy changes in version 1.9.1 (unreleased) [C23/A3/R_]
------------------------------------------------
- * Bug fixes
+
+Noteworthy changes in version 1.9.0 (2021-01-19) [C23/A3/R0]
+------------------------------------------------
+
+ * New and extended interfaces:
+
+ - New curves Ed448, X448, and SM2.
+
+ - New cipher mode EAX.
+
+ - New cipher algo SM4.
+
+ - New hash algo SM3.
+
+ - New hash algo variants SHA512/224 and SHA512/256.
+
+ - New MAC algos for Blake-2 algorithms, the new SHA512 variants,
+ SM3, SM4 and for a GOST variant.
+
+ - New convenience function gcry_mpi_get_ui.
+
+ - gcry_sexp_extract_param understands new format specifiers to
+ directly store to integers and strings.
+
+ - New function gcry_ecc_mul_point and curve constants for Curve448
+ and Curve25519. [#4293]
+
+ - New function gcry_ecc_get_algo_keylen.
+
+ - New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the
+ secure memory area. Also in 1.8.2 as an undocumented feature.
+
+ * Performance:
+
+ - Optimized implementations for Aarch64.
+
+ - Faster implementations for Poly1305 and ChaCha. Also for
+ PowerPC. [b9a471ccf5,172ad09cbe,#4460]
+
+ - Optimized implementations of AES and SHA-256 on PowerPC.
+ [#4529,#4530]
+
+ - Improved use of AES-NI to speed up AES-XTS (6 times faster).
+ [a00c5b2988]
+
+ - Improved use of AES-NI for OCB. [eacbd59b13,e924ce456d]
+
+ - Speedup AES-XTS on ARMv8/CE (2.5 times faster). [93503c127a]
+
+ - New AVX and AVX2 implementations for Blake-2 (1.3/1.4 times
+ faster). [af7fc732f9, da58a62ac1]
+
+ - Use Intel SHA extension for SHA-1 and SHA-256 (4.0/3.7 times
+ faster). [d02958bd30, 0b3ec359e2]
+
+ - Use ARMv7/NEON accelerated GCM implementation (3 times faster).
+ [2445cf7431]
+
+ - Use of i386/SSSE3 for SHA-512 (4.5 times faster on Ryzen 7).
+ [b52dde8609]
+
+ - Use 64 bit ARMv8/CE PMULL for CRC (7 times faster). [14c8a593ed]
+
+ - Improve CAST5 (40% to 70% faster). [4ec566b368]
+
+ - Improve Blowfish (60% to 80% faster). [ced7508c85]
+
+ * Bug fixes:
- Fix infinite loop due to applications using fork the wrong
way. [#3491][also in 1.8.4]
@@ -41,24 +108,82 @@ Noteworthy changes in version 1.9.0 (unreleased) [C22/A3/R0]
- Fix fatal out of secure memory status in the s-expression parser
on heavy loaded systems. [also in 1.8.2]
- * Extended interfaces:
+ - Fix build problems on OpenIndiana et al. [#4818, also in 1.8.6]
- - gcry_sexp_extract_param understands new format specifiers to
- directly store to integers and strings.
+ - Fix GCM bug on arm64 which troubles for example OMEMO. [#4986,
+ also in 1.8.6]
+
+ - Detect a div-by-zero in a debug helper tool. [#4868, also in 1.8.6]
+
+ - Use a constant time mpi_inv and related changes. [#4869, partly
+ also in 1.8.6]
+
+ - Fix mpi_copy to correctly handle flags of opaque MPIs.
+ [also in 1.8.6]
+ - Fix mpi_cmp to consider +0 and -0 the same. [also in 1.8.6]
+
+ - Fix extra entropy collection via clock_gettime. Note that this
+ fallback code path is not used on any decent hardware. [#4966,
+ also in 1.8.7]
+
+ - Support opaque MPI with gcry_mpi_print. [#4872, also in 1.8.7]
+
+ - Allow for a Unicode random seed file on Windows. [#5098, also in
+ 1.8.7]
+
+ * Other features:
+
+ - Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519.
+ [also in 1.8.6]
+
+ - Add mitigation against ECC timing attack CVE-2019-13627. [#4626]
+
+ - Internal cleanup of the ECC implementation.
+
+ - Support reading EC point in compressed format for some curves.
+ [#4951]
* Interface changes relative to the 1.8.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_mpi_get_ui NEW function.
GCRYCTL_AUTO_EXPAND_SECMEM NEW control code.
gcry_sexp_extract_param EXTENDED.
-
-
- * Release dates of 1.8.x versions:
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ GCRY_CIPHER_GOST28147_MESH NEW cipher algo.
+ GCRY_CIPHER_SM4 NEW cipher algo.
+ GCRY_CIPHER_MODE_EAX NEW mode.
+ GCRY_ECC_CURVE25519 NEW curve id.
+ GCRY_ECC_CURVE448 NEW curve id.
+ gcry_ecc_get_algo_keylen NEW function.
+ gcry_ecc_mul_point NEW function.
+ GCRY_MD_SM3 NEW hash algo.
+ GCRY_MD_SHA512_256 NEW hash algo.
+ GCRY_MD_SHA512_224 NEW hash algo.
+ GCRY_MAC_GOST28147_IMIT NEW mac algo.
+ GCRY_MAC_HMAC_GOSTR3411_CP NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2B_512 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2B_384 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2B_256 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2B_160 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2S_256 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2S_224 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2S_160 NEW mac algo.
+ GCRY_MAC_HMAC_BLAKE2S_128 NEW mac algo.
+ GCRY_MAC_HMAC_SM3 NEW mac algo.
+ GCRY_MAC_HMAC_SHA512_256 NEW mac algo.
+ GCRY_MAC_HMAC_SHA512_224 NEW mac algo.
+ GCRY_MAC_CMAC_SM4 NEW mac algo.
+
+ Release-info: https://dev.gnupg.org/T4294
+
+ Release dates of 1.8.x versions:
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Version 1.8.2 (2017-12-13)
Version 1.8.3 (2018-06-13)
Version 1.8.4 (2018-10-26)
+ Version 1.8.5 (2019-08-29)
+ Version 1.8.6 (2020-07-06)
+ Version 1.8.7 (2020-10-23)
Noteworthy changes in version 1.8.1 (2017-08-27) [C22/A2/R1]
diff --git a/README b/README
index 92f2f1b3..1304669a 100644
--- a/README
+++ b/README
@@ -3,8 +3,8 @@
Version 1.9
Copyright (C) 1989,1991-2018 Free Software Foundation, Inc.
- Copyright (C) 2012-2018 g10 Code GmbH
- Copyright (C) 2013-2018 Jussi Kivilinna
+ Copyright (C) 2012-2021 g10 Code GmbH
+ Copyright (C) 2013-2021 Jussi Kivilinna
Libgcrypt is free software. See the file AUTHORS for full copying
notices, and LICENSES for notices about contributions that require
@@ -261,12 +261,11 @@
Commercial grade support for Libgcrypt is available; for a listing
of offers see https://www.gnupg.org/service.html .
- Maintenance and development of Libgcrypt is mostly financed by
- donations. We currently employ 3 full-time developers, one
- part-timer, and one contractor. They all work on GnuPG and
- closely related software like Libgcrypt. Please visit
- https://gnupg.org/donate/ to see out how you can help.
-
+ Since 2001 maintenance and development of Libgcrypt is done by g10
+ Code GmbH and mostly financed by donations. g10 Code currently
+ employs 3 full-time developers and two contractors. They all work
+ on GnuPG and closely related software like Libgcrypt. Please
+ visit https://gnupg.org/donate/ to see how you can help.
This file is Free Software; as a special exception the authors gives
unlimited permission to copy and/or distribute it, with or without
diff --git a/cipher/ecc-ecdh.c b/cipher/ecc-ecdh.c
index 39458788..43eb731a 100644
--- a/cipher/ecc-ecdh.c
+++ b/cipher/ecc-ecdh.c
@@ -46,20 +46,20 @@ prepare_ec (mpi_ec_t *r_ec, const char *name)
}
unsigned int
-_gcry_ecc_get_algo_keylen (int algo)
+_gcry_ecc_get_algo_keylen (int curveid)
{
unsigned int len = 0;
- if (algo == GCRY_ECC_CURVE25519)
+ if (curveid == GCRY_ECC_CURVE25519)
len = ECC_CURVE25519_BYTES;
- else if (algo == GCRY_ECC_CURVE448)
+ else if (curveid == GCRY_ECC_CURVE448)
len = ECC_CURVE448_BYTES;
return len;
}
gpg_error_t
-_gcry_ecc_mul_point (int algo, unsigned char *result,
+_gcry_ecc_mul_point (int curveid, unsigned char *result,
const unsigned char *scalar, const unsigned char *point)
{
unsigned int nbits;
@@ -73,12 +73,12 @@ _gcry_ecc_mul_point (int algo, unsigned char *result,
unsigned int len;
unsigned char *buf;
- if (algo == GCRY_ECC_CURVE25519)
+ if (curveid == GCRY_ECC_CURVE25519)
curve = "Curve25519";
- else if (algo == GCRY_ECC_CURVE448)
+ else if (curveid == GCRY_ECC_CURVE448)
curve = "X448";
else
- return gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
+ return gpg_error (GPG_ERR_UNKNOWN_CURVE);
err = prepare_ec (&ec, curve);
if (err)
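Review bot: `result` is written without any length parameter, so nothing in _gcry_ecc_mul_point can check that the caller sized the buffer from _gcry_ecc_get_algo_keylen; the only validation visible in this hunk is the curve-id check that now returns GPG_ERR_UNKNOWN_CURVE. A comment above the function stating that contract would help, e.g. `/* RESULT must have room for _gcry_ecc_get_algo_keylen (curveid) bytes; an unknown CURVEID yields GPG_ERR_UNKNOWN_CURVE. */`. Replacing GPG_ERR_UNKNOWN_ALGORITHM with GPG_ERR_UNKNOWN_CURVE is API-visible for callers that test the specific error code; it presumably shipped with the 1.9.0 release this merge brings in, but it is not mentioned in the NEWS hunk. The body of _gcry_ecc_mul_point continues outside the hunk.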
diff --git a/compat/compat.c b/compat/compat.c
index 8b001de3..88f20c13 100644
--- a/compat/compat.c
+++ b/compat/compat.c
@@ -31,8 +31,8 @@ _gcry_compat_identification (void)
"\n\n"
"This is Libgcrypt " PACKAGE_VERSION " - The GNU Crypto Library\n"
"Copyright (C) 2000-2018 Free Software Foundation, Inc.\n"
- "Copyright (C) 2012-2018 g10 Code GmbH\n"
- "Copyright (C) 2013-2018 Jussi Kivilinna\n"
+ "Copyright (C) 2012-2021 g10 Code GmbH\n"
+ "Copyright (C) 2013-2021 Jussi Kivilinna\n"
"\n"
"(" BUILD_REVISION " " BUILD_TIMESTAMP ")\n"
"\n\n";
diff --git a/configure.ac b/configure.ac
index 6a2051a9..bcbd16d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
# Configure.ac script for Libgcrypt
# Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2006,
# 2007, 2008, 2009, 2011 Free Software Foundation, Inc.
-# Copyright (C) 2012-2017 g10 Code GmbH
+# Copyright (C) 2012-2021 g10 Code GmbH
#
# This file is part of Libgcrypt.
#
@@ -31,7 +31,7 @@ min_automake_version="1.14"
m4_define([mym4_package],[libgcrypt])
m4_define([mym4_major], [1])
m4_define([mym4_minor], [9])
-m4_define([mym4_micro], [0])
+m4_define([mym4_micro], [1])
# Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 9c0a3463..11c1549f 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -2135,6 +2135,7 @@ S-expressions.
* Available algorithms:: Algorithms supported by the library.
* Used S-expressions:: Introduction into the used S-expression.
* Cryptographic Functions:: Functions for performing the cryptographic actions.
+* Dedicated ECC Functions:: Dedicated functions for elliptic curves.
* General public-key related Functions:: General functions, not implementing any cryptography.
@end menu
@@ -2142,8 +2143,7 @@ S-expressions.
@section Available algorithms
Libgcrypt supports the RSA (Rivest-Shamir-Adleman) algorithms as well
-as DSA (Digital Signature Algorithm) and Elgamal. The versatile
-interface allows to add more algorithms in the future.
+as DSA (Digital Signature Algorithm), Elgamal, ECDSA, ECDH, and EdDSA.
@node Used S-expressions
@section Used S-expressions
@@ -2151,7 +2151,7 @@ interface allows to add more algorithms in the future.
Libgcrypt's API for asymmetric cryptography is based on data structures
called S-expressions (see
@uref{http://people.csail.mit.edu/@/rivest/@/sexp.html}) and does not work
-with contexts as most of the other building blocks of Libgcrypt do.
+with contexts/handles as most of the other building blocks of Libgcrypt do.
@noindent
The following information are stored in S-expressions:
@@ -2797,6 +2797,42 @@ to indicate that the signature does not match the provided data.
@end deftypefun
@c end gcry_pk_verify
+
+@node Dedicated ECC Functions
+@section Dedicated functions for elliptic curves.
+
+@noindent
+The S-expression based interface is for certain operations on elliptic
+curves not optimal. Thus a few special functions are implemented to
+support common operations on curves with one of these assigned curve
+ids:
+
+@table @code
+@item GCRY_ECC_CURVE25519
+@item GCRY_ECC_CURVE448
+@end table
+
+@deftypefun @w{unsigned int} gcry_ecc_get_algo_keylen (@w{int @var{curveid}});
+
+Returns the length in bytes of a point on the curve with the id
+@var{curveid}. 0 is returned for curves which have no assigned id.
+@end deftypefun
+
+
+@deftypefun gpg_error_t gcry_ecc_mul_point @
+ (@w{int @var{curveid}}, @
+ @w{unsigned char *@var{result}}, @
+ @w{const unsigned char *@var{scalar}}, @
+ @w{const unsigned char *@var{point}})
+
+This function computes the scalar multiplication on the Montgomery
+form of the curve with id @var{curveid}. If @var{point} is NULL the
+base point of the curve is used. The caller needs to provide a large
+enough buffer for @var{result} and a valid @var{scalar} and
+@var{point}.
+@end deftypefun
+
+
@node General public-key related Functions
@section General public-key related Functions
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 5668e625..e77b6e74 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -946,7 +946,7 @@ enum gcry_cipher_algos
GCRY_CIPHER_SALSA20R12 = 314,
GCRY_CIPHER_GOST28147 = 315,
GCRY_CIPHER_CHACHA20 = 316,
- GCRY_CIPHER_GOST28147_MESH = 317, /* GOST 28247 with optional CryptoPro keymeshing */
+ GCRY_CIPHER_GOST28147_MESH = 317, /* With CryptoPro key meshing. */
GCRY_CIPHER_SM4 = 318
};
@@ -1215,11 +1215,11 @@ enum gcry_ecc_curves
};
/* Get the length of point to prepare buffer for the result. */
-unsigned int gcry_ecc_get_algo_keylen (int algo);
+unsigned int gcry_ecc_get_algo_keylen (int curveid);
/* Convenience function to compute scalar multiplication of the
- Montgomery form of curve. */
-gpg_error_t gcry_ecc_mul_point (int algo, unsigned char *result,
+ * Montgomery form of curve. */
+gpg_error_t gcry_ecc_mul_point (int curveid, unsigned char *result,
const unsigned char *scalar,
const unsigned char *point);
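Review bot: The header comment on gcry_ecc_get_algo_keylen still says only that it returns the point length, while the manual text added in doc/gcrypt.texi by this same merge states that 0 is returned for a curve without an assigned id, and the implementation in cipher/ecc-ecdh.c returns 0 for anything other than GCRY_ECC_CURVE25519 and GCRY_ECC_CURVE448. Callers that size the result buffer from this value should see the 0 case in the header itself, e.g. `/* Get the length in bytes of a point on curve CURVEID, to size the RESULT buffer for gcry_ecc_mul_point.  Returns 0 for an unsupported CURVEID. */`. This is a documentation-only change to the public header.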
diff --git a/src/versioninfo.rc.in b/src/versioninfo.rc.in
index b85d4947..f87d0d05 100644
--- a/src/versioninfo.rc.in
+++ b/src/versioninfo.rc.in
@@ -39,7 +39,7 @@ BEGIN
VALUE "FileDescription", "Libgcrypt - The GNU Crypto Library\0"
VALUE "FileVersion", "@LIBGCRYPT_LT_CURRENT@.@LIBGCRYPT_LT_AGE@.@LIBGCRYPT_LT_REVISION@.@BUILD_REVISION@\0"
VALUE "InternalName", "libgcrypt\0"
- VALUE "LegalCopyright", "Copyright © 2017 Free Software Foundation, Inc.\0"
+ VALUE "LegalCopyright", "Copyright © 2021 g10 Code GmbH\0"
VALUE "LegalTrademarks", "\0"
VALUE "OriginalFilename", "libgcrypt.dll\0"
VALUE "PrivateBuild", "\0"
diff --git a/src/visibility.c b/src/visibility.c
index eb0d7e3e..8cda962c 100644
--- a/src/visibility.c
+++ b/src/visibility.c
@@ -1113,16 +1113,16 @@ gcry_pubkey_get_sexp (gcry_sexp_t *r_sexp, int mode, gcry_ctx_t ctx)
}
unsigned int
-gcry_ecc_get_algo_keylen (int algo)
+gcry_ecc_get_algo_keylen (int curveid)
{
- return _gcry_ecc_get_algo_keylen (algo);
+ return _gcry_ecc_get_algo_keylen (curveid);
}
gpg_error_t
-gcry_ecc_mul_point (int algo, unsigned char *result,
+gcry_ecc_mul_point (int curveid, unsigned char *result,
const unsigned char *scalar, const unsigned char *point)
{
- return _gcry_ecc_mul_point (algo, result, scalar, point);
+ return _gcry_ecc_mul_point (curveid, result, scalar, point);
}
gcry_error_t