Releases: mirage/mirage-crypto

v0.10.1

25 Apr 07:13

CHANGES:

  • mirage-crypto-ec: make inversion run in constant time (#121 by @dfaranha)

v0.10.0

20 Apr 13:52

CHANGES:

  • mirage-crypto-rng on arm32: only use mrrc in kernel mode, use mrc in user
    mode, and clock_gettime as fallback (reported by @adams-1979 in #113,
    fix in #120 by @hannesm)
  • mirage-crypto-ec: revise key generation API, and provide Dh.secret_of_cstruct
    for test vectors (and other scenarios where you need to decode an existing
    DH secret). Before, this was embedded into the generate function, which
    could diverge for some input (#119 @hannesm)

v0.9.2

08 Apr 17:47

CHANGES:

  • mirage-crypto-ec: fix X25519 and Ed25519 if called with Cstruct.t whose
    offset is not equal to 0. Add unit tests to avoid the same issue in the
    future (#118 by @hannesm)

v0.9.1

04 Apr 17:59

CHANGES:

  • mirage-crypto-ec: fix ECDSA verify if r or s are shorter than the modulus
    (#117 by @hannesm)
  • Fixed esy cross-compile CI (#116 by @EduardoRFS)

v0.9.0

31 Mar 11:00
3013c52

CHANGES:

  • Elliptic curve support in the new package mirage-crypto-ec

    The arithmetic code is generated by fiat-crypto, a development in Coq which
    includes proofs of constant time behaviour. The generation can be
    reproduced (see ec/native/GNUmakefile).

    The group operation implementations are taken from BoringSSL. The high-level
    mechanisms (signature DSA and key exchange ECDH) are implemented in OCaml.
    The ECDSA implementation (as our DSA one) uses a deterministic k (RFC 6979).

    The NIST curves P224 (SECP224R1), P256 (SECP256R1), P384 (SECP384R1), and
    P521 (SECP521R1) are supported (ECDH and ECDSA), in addition to Curve25519
    (X25519 and Ed25519).

    Performance of X25519 has been measured and is roughly the same as
    the hacl_x25519 and also the hacl opam package (see #107 for numbers).

    Test vectors are from RFCs and wycheproof.

    Import mirage/fiat repository (@pascutto @emillon @NathanReb @hannesm #101)
    Check bounds of message (reported by @greg42, fixed by @hannesm #108)
    Remove blinding, since constant time arithmetic is used (@hannesm #106)
    Curve 25519 (X25519 & Ed25519) support (@hannesm #107 imported from BoringSSL)

    Partially reviewed by @JasonGross @avsm @dinosaure
    Partially sponsored by Nitrokey GmbH

v0.8.10

21 Jan 12:31

CHANGES:

  • Rsa.priv: require 1 = d * e mod (lam n). This allows interoperability with
    OpenSSL generated keys. Reported and fixed by @psafont in #100.

v0.8.9

20 Jan 11:43

CHANGES:

  • Rsa: Adapt computation of d = e ^ -1 mod (lam n), with
    lam n = lcm (p - 1) (q - 1) (previously lam n = (p - 1) * (q - 1))
    Fixes #62 reported by @mattjbray, investigated by @psafont, code by @hannesm
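    An added illustration of the v0.8.9 change and the matching v0.8.10 check
    (example code written for these notes, not part of mirage-crypto): d reduced
    modulo lam n = lcm (p - 1) (q - 1) and d reduced modulo (p - 1) * (q - 1)
    both decrypt correctly, but a consistency check against (p - 1) * (q - 1)
    rejects the former, which is the lam n style of d the v0.8.10 note says
    OpenSSL generated keys carry. The primes and exponent are constructed toy
    values.

```python
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def carmichael(p, q):
    # lam n = lcm (p - 1) (q - 1), the modulus used since v0.8.9
    return lcm(p - 1, q - 1)


def euler_phi(p, q):
    # (p - 1) * (q - 1), the modulus used before v0.8.9
    return (p - 1) * (q - 1)


def private_exponent(e, modulus):
    # d = e ^ -1 mod modulus (pow with exponent -1 needs Python 3.8+)
    return pow(e, -1, modulus)


def priv_consistent_phi(e, d, p, q):
    # Strict check against (p - 1) * (q - 1): rejects lam-n style d
    return (d * e) % euler_phi(p, q) == 1


def priv_consistent_lam(e, d, p, q):
    # The v0.8.10 check: require 1 = d * e mod (lam n); accepts both styles
    return (d * e) % carmichael(p, q) == 1


def roundtrip(m, e, d, n):
    # RSA correctness holds for any d with d * e = 1 mod lam n
    return pow(pow(m, e, n), d, n) == m


# Constructed toy parameters (far too small to be secure)
P, Q, E = 61, 53, 17
N = P * Q
D_PHI = private_exponent(E, euler_phi(P, Q))   # 2753
D_LAM = private_exponent(E, carmichael(P, Q))  # 413 = 2753 mod 780


def demo():
    return {
        "both_d_decrypt": all(roundtrip(m, E, d, N)
                              for d in (D_PHI, D_LAM) for m in (2, 65, N - 1)),
        "phi_check_accepts_lam_d": priv_consistent_phi(E, D_LAM, P, Q),
        "lam_check_accepts_lam_d": priv_consistent_lam(E, D_LAM, P, Q),
        "lam_check_accepts_phi_d": priv_consistent_lam(E, D_PHI, P, Q),
    }
```

    Running demo() shows the key with the smaller d decrypting correctly while
    only the lam n check accepts it.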

v0.8.8

04 Jan 12:58

CHANGES:

  • new package mirage-crypto-rng-async, entropy feeding using async (#90 @seliopou)
  • Entropy.cpu_rng and Entropy.cpu_rng_bootstrap result in Error `Not_supported
    on CPUs without RDRAND/RDSEED support (previously an exception was raised
    in cpu_rng_bootstrap, and cpu_rng resulted in a no-op) (#92 @seliopou)
  • Entropy.cpu_rng delays entropy feeding (returns unit -> unit instead of unit).
    This fixes a memory leak, reported by @talex5 #94, fixed in #95 by @hannesm
  • Avoid illegal instructions on X86 CPUs without the SSSE3 instruction set. Both
    SHA256 and ChaCha used PSHUFB, which is not available on e.g. AMD Phenom II
    (report #93 by @dinosaure @samoht @pirbo @RichAyotte @sebeec, fixed in #96 by
    @hannesm)

v0.8.7

03 Nov 12:41

CHANGES:

v0.8.6

21 Oct 19:39

CHANGES:

  • Detect CPU architecture from C compiler, allowing cross-compiling to Android
    and iOS (#84 by @EduardoRFC)
  • Upgrade to dune2, use a Makefile for building freestanding libraries, drop
    mirage-xen-posix support (solo5-based PVH exists now) #86 by @hannesm