Subject: CVS commit: pkgsrc/security/nettle
From: Thomas Klausner
Date: 2023-05-23 15:25:32
Message id: 20230523132532.F092DFA87@cvs.NetBSD.org

Log Message:
nettle: update to 3.9.

NEWS for the Nettle 3.9 release

	This release includes bug fixes, several new features, a few
	performance improvements, and one performance regression
	affecting GCM on certain platforms.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.7 and libhogweed.so.6.7, with sonames
	libnettle.so.8 and libhogweed.so.6.

	This release includes a rewrite of the C implementation of
	GHASH (dating from 2011), as well as the plain x86_64 assembly
	version, to use precomputed tables in a different way, with
	tables always accessed in the same sequential manner.

	This should make Nettle's GHASH implementation side-channel
	silent on all platforms, but considerably slower on platforms
	without carry-less mul instructions. E.g., benchmarks of the C
	implementation on x86_64 showed a slowdown of 3 times.

	Bug fixes:

	* Fix bug in ecdsa and gostdsa signature verify operation, for
	  the unlikely corner case that point addition really is point
	  duplication.

	* Fix for chacha on Power7: nettle's assembly used an
	  instruction only available on later processors. Fixed by
	  Mamone Tarsha.

	* GHASH implementation should now be side-channel silent on
	  all architectures.

	* A few portability fixes for *BSD.

	New features:

	* Support for the SM4 block cipher, contributed by Tianjia
	  Zhang.

	* Support for the Balloon password hash, contributed by Zoltan
	  Fridrich.

	* Support for SIV-GCM authenticated encryption mode,
	  contributed by Daiki Ueno.

	* Support for OCB authenticated encryption mode.

	* New exported functions md5_compress, sha1_compress,
	  sha256_compress, sha512_compress, based on patches from
	  Corentin Labbe.

	Optimizations:

	* Improved sha256 performance, in particular for x86_64 and
	  s390x.

	* Use GMP's mpn_sec_tabselect, which is implemented in
	  assembly on many platforms, and delete the similar nettle
	  function. Gives a modest speedup to all ecc operations.

	* Faster poly1305 for x86_64 and ppc64. New ppc code
	  contributed by Mamone Tarsha.

	Miscellaneous:

	* New ASM_FLAGS variable recognized by configure.

	* Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
	  and 64-bit sparc.

	Known issues:

	* Version 6.2.1 of GNU GMP (the most recent GMP release as of
	  this writing) has a known issue for MacOS on 64-bit ARM: GMP
	  assembly files use the reserved x18 register. On this
	  platform it is recommended to use a GMP snapshot where this
	  bug is fixed, and upgrade to a later GMP release when one
	  becomes available.

	* Also on MacOS, Nettle's testsuite may still break due to
	  DYLD_LIBRARY_PATH being discarded under some circumstances.
	  As a workaround, use

	  make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'

Files:
Revision  Action  File
1.30      modify  pkgsrc/security/nettle/Makefile
1.13      modify  pkgsrc/security/nettle/PLIST
1.27      modify  pkgsrc/security/nettle/distinfo
1.11      modify  pkgsrc/security/nettle/patches/patch-Makefile.in
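The GHASH rewrite and the switch to GMP's mpn_sec_tabselect in the NEWS above both rely on the same idea: read every table entry in a fixed order and merge the wanted one in with a mask, so neither branches nor memory addresses depend on a secret index. The following is an added illustration of that technique in C; it is not Nettle's or GMP's own code, and the table contents, the function names ct_tabselect and ct_lookup_demo, and the 64-bit limb size are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constant-time table selection in the spirit of GMP's mpn_sec_tabselect
 * (added illustration, not Nettle's or GMP's own code). Copies entry
 * `which` of the `nents` entries in `tab`, each `n` limbs long, into `rp`.
 * All entries are read in the same order every time and the wanted one is
 * merged in with an arithmetic mask. Out-of-range `which` yields zero. */
void ct_tabselect(uint64_t *rp, const uint64_t *tab,
                  size_t n, size_t nents, size_t which)
{
    memset(rp, 0, n * sizeof *rp);
    for (size_t k = 0; k < nents; k++) {
        uint64_t diff = (uint64_t)k ^ (uint64_t)which;
        /* diff != 0 -> top bit of (diff | -diff) is set; diff == 0 -> clear */
        uint64_t is_match = ((diff | (0 - diff)) >> 63) ^ 1;
        uint64_t mask = 0 - is_match;          /* all ones iff k == which */
        for (size_t i = 0; i < n; i++)
            rp[i] |= tab[k * n + i] & mask;    /* same loads for every k */
    }
}

/* Constructed demo table (assumption): 4 entries of 2 limbs each. */
#define DEMO_N 2
#define DEMO_ENTS 4
static const uint64_t demo_tab[DEMO_ENTS * DEMO_N] = {
    0x1111111111111111ull, 0xaaaaaaaaaaaaaaaaull,
    0x2222222222222222ull, 0xbbbbbbbbbbbbbbbbull,
    0x3333333333333333ull, 0xccccccccccccccccull,
    0x4444444444444444ull, 0xddddddddddddddddull,
};

/* Returns limb `limb` of entry `which`, selected without a secret-dependent
 * access pattern. */
uint64_t ct_lookup_demo(size_t which, size_t limb)
{
    uint64_t out[DEMO_N];
    ct_tabselect(out, demo_tab, DEMO_N, DEMO_ENTS, which);
    return limb < DEMO_N ? out[limb] : 0;
}

int main(void)
{
    for (size_t w = 0; w < DEMO_ENTS; w++)
        printf("entry %zu: %016llx %016llx\n", w,
               (unsigned long long)ct_lookup_demo(w, 0),
               (unsigned long long)ct_lookup_demo(w, 1));
    return 0;
}
```

The cost is the one the NEWS describes: every entry is touched on every selection, so the lookup is slower than an indexed load by a factor of the table size, which is the trade made for side-channel silence. As with any constant-time C, the generated object code should be inspected, since a compiler is free to turn the mask arithmetic back into a branch.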