Revisions of python-pycryptodomex
Ana Guerrero (anag+factory) accepted request 1208824 from Dirk Mueller (dirkmueller) (revision 24)
- update to 3.21.0:
  * By setting the PYCRYPTODOME_DISABLE_GMP environment variable, the GMP library will not be used even if detected.
  * Add support for Curve25519 / X25519.
  * Add support for Curve448 / X448.
  * Add attribute curve to EccPoint and EccXPoint classes, with the canonical name of the curve.
  * GH#781: the label for the SP800_108_Counter KDF may now contain zero bytes. Thanks to Julien Rische.
  * GH#814: RSA keys for PSS can be imported.
  * GH#810: fixed negation of Ed25519 points.
  * GH#819: accept an RFC5916 ECPrivateKey even if it doesn't contain any of the optional elements (parameters [0] and publicKey [1]).
  * Remove support for Python 3.5.
Ana Guerrero (anag+factory) accepted request 1141810 from Dirk Mueller (dirkmueller) (revision 23)
- update to 3.20.0:
  * Added support for TurboSHAKE128 and TurboSHAKE256.
  * Added method Crypto.Hash.new() to generate a hash object given a hash name.
  * Added support for AES-GCM encryption of PBES2 and PKCS#8 containers.
  * Added support for SHA-2 and SHA-3 algorithms in PBKDF2 when creating PBES2 and PKCS#8 containers.
  * Export of RSA keys accepts the prot_params dictionary as parameter to control the number of iterations for PBKDF2 and scrypt.
  * C unit tests also run on non-x86 architectures.
  * GH#787: Fixed autodetect logic for GCC 14 in combination with LTO.
Ana Guerrero (anag+factory) accepted request 1137746 from Dirk Mueller (dirkmueller) (revision 22)
- update to 3.19.1 (bsc#1218564, CVE-2023-52323)
Dominique Leuenberger (dimstar_suse) accepted request 1136276 from Dirk Mueller (dirkmueller) (revision 21)
- update to 3.19.1:
  * Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.
Ana Guerrero (anag+factory) accepted request 1129189 from Dirk Mueller (dirkmueller) (revision 20)
- update to 3.19.0:
  * The ``update()`` methods of TupleHash128 and TupleHash256 objects can now hash multiple items (byte strings) at once.
  * Added support for ECDH, with ``Crypto.Protocol.DH``.
  * GH#754: due to a bug in ``cffi``, do not use it on Windows with Python 3.12+.
- Update to 3.16.0
  * New parameter output for Crypto.Util.strxor.strxor, Crypto.Util.strxor.strxor_c, encrypt and decrypt methods in symmetric ciphers (Crypto.Cipher package). output is a pre-allocated buffer (a bytearray or a writeable memoryview) where the result must be stored. This requires less memory for very large payloads; it is also more efficient when encrypting
  * Fix vulnerability on AESNI ECB with payloads smaller than
  * Fixed incorrect AES encryption/decryption with AES acceleration on x86 due to gcc’s optimization and strict
  * More prime number candidates than necessary were discarded as composite due to the limited way D values were searched
  * More meaningful exceptions in case of mismatch in IV length
Dominique Leuenberger (dimstar_suse) accepted request 1095663 from Markéta Machová (mcalabkova) (revision 19)
Dominique Leuenberger (dimstar_suse) accepted request 1090382 from Dirk Mueller (dirkmueller) (revision 18)
- update to 3.18.0:
  * Added support for DER BOOLEAN encodings.
  * The library now compiles on Windows ARM64. Thanks to Niyas Sait.
  * Resolved issues
  * GH#722: ``nonce`` attribute was not correctly set for XChaCha20_Poly1305 ciphers. Thanks to Liam Haber.
  * GH#728: Workaround for a possible x86 emulator bug in Windows for ARM64.
  * GH#739: OID encoding for arc 2 didn't accept children larger than 39. Thanks to James.
  * Correctly check that the scalar matches the point when importing an ECC private key.
- update to 3.17.0:
  * Added support for the Counter Mode KDF defined in SP 800-108 Rev 1.
  * Reduce the minimum tag length for the EAX cipher to 2 bytes.
  * An RSA object has 4 new properties for the CRT coefficients: ``dp``, ``dq``, ``invp`` and ``invq`` (``invp`` is the same value as the existing ``u``).
  * GH#526: improved typing for ``RSA.construct``.
  * GH#534: reduced memory consumption when using a large number of cipher objects.
  * GH#598: fixed missing error handling for ``Util.number.inverse``.
  * GH#629: improved typing for ``AES.new`` and the various mode-specific types it returns. Thanks to Greg Werbin.
  * GH#653: added workaround for an alleged GCC compiler bug that affected Ed25519 code compiled for AVX2.
Dominique Leuenberger (dimstar_suse) accepted request 1040741 from Dirk Mueller (dirkmueller) (revision 17)
Dominique Leuenberger (dimstar_suse) accepted request 985713 from Dirk Mueller (dirkmueller) (revision 16)
- update to 3.15.0:
  * Add support for curves Ed25519 and Ed448, including export and import of keys.
  * Add support for EdDSA signatures.
  * Add support for Asymmetric Key Packages (RFC5958) to import private keys.
  * GH#620: for Crypto.Util.number.getPrime, do not sequentially scan numbers searching for a prime.
Dominique Leuenberger (dimstar_suse) accepted request 954657 from Dirk Mueller (dirkmueller) (revision 14)
- update to 3.14.1:
  * GH#595: Fixed memory leak for GMP integers.
  * Add support for curve NIST P-192.
  * Add support for curve NIST P-224.
  * GH#590: Fixed typing info for ``Crypto.PublicKey.ECC``.
  * Relaxed ECDSA requirements for FIPS 186 signatures and accept any SHA-2 or SHA-3 hash. ``sign()`` and ``verify()`` will be performed even if the hash is stronger than the ECC key.
Dominique Leuenberger (dimstar_suse) accepted request 939978 from Dirk Mueller (dirkmueller) (revision 13)
- update to 3.12.0:
  * ECC keys in the SEC1 format can be exported and imported.
  * Add support for KMAC128, KMAC256, TupleHash128, and TupleHash256 (NIST SP-800 185).
  * Add support for KangarooTwelve.
  * GH#563: An asymmetric key could not be imported as a ``memoryview``.
  * GH#566: cSHAKE128/256 generated a wrong output for customization strings
  * GH#582: CBC decryption generated the wrong plaintext when the input and the output were the same buffer.
Dominique Leuenberger (dimstar_suse) accepted request 925768 from Dirk Mueller (dirkmueller) (revision 12)
- update to 3.11.0:
  * GH#512: Especially for very small bit sizes, ``Crypto.Util.number.getPrime()`` was occasionally generating primes larger than given the bit size.
  * GH#552: Correct typing annotations for ``PKCS115_Cipher.decrypt()``.
  * GH#555: ``decrypt()`` method of a PKCS#1v1.5 cipher returned a ``bytearray`` instead of ``bytes``.
  * GH#557: External DSA domain parameters were accepted even when the modulus (``p``) was not prime. This affected ``Crypto.PublicKey.DSA.generate()`` and ``Crypto.PublicKey.DSA.construct()``.
  * Added cSHAKE128 and cSHAKE256 (of SHA-3 family).
  * GH#558: The flag RTLD_DEEPBIND passed to ``dlopen()`` is not well supported by `address sanitizers <https://github.com/google/sanitizers/issues/611>`_. It is now possible to set the environment variable ``PYCRYPTDOME_DISABLE_DEEPBIND`` to drop that flag and allow security testing.
Dominique Leuenberger (dimstar_suse) accepted request 887878 from Dirk Mueller (dirkmueller) (revision 11)
- update to 3.10.1:
  * Python 3 wheels use ``abi3`` ABI tag.
  * Remove Appveyor CI.
  3.10.0 (6 February 2021)
  Resolved issues
  * Fixed a potential memory leak when initializing block ciphers.
  * GH#466: ``Crypto.Math.miller_rabin_test()`` was still using the system random source and not the one provided as parameter.
  * GH#469: RSA objects have the method ``public_key()`` like ECC objects. The old method ``publickey()`` is still available for backward compatibility.
  * GH#476: ``Crypto.Util.Padding.unpad()`` was raising an incorrect exception in case of zero-length inputs. Thanks to Captainowie.
  * GH#491: better exception message when ``Counter.new()`` is called with an integer ``initial_value`` that doesn't fit into ``nbits`` bits.
  * GH#496: added missing ``block_size`` member for ECB cipher objects. Thanks to willem.
  * GH#500: ``nonce`` member of an XChaCha20 cipher object was not matching the original nonce. Thanks to Charles Machalow.
  Other changes
  * The bulk of the test vectors have been moved to the separate package ``pycryptodome-test-vectors``. As result, packages ``pycryptodome`` and ``pycryptodomex`` become significantly smaller (from 14MB to 3MB).
  * Moved CI tests and build service from Travis CI to GitHub Actions.
  Breaks in compatibility
Dominique Leuenberger (dimstar_suse) accepted request 852356 from Dirk Mueller (dirkmueller) (revision 10)
Dominique Leuenberger (dimstar_suse) accepted request 824345 from Dirk Mueller (dirkmueller) (revision 9)
- update to 3.9.8:
  * GH#426: The Shamir's secret sharing implementation is not actually compatible with ``ssss``. Added an optional parameter to enable interoperability.
  * GH#427: Skip altogether loading of ``gmp.dll`` on Windows.
  * GH#420: Fix incorrect CFB decryption when the input and the output are the same buffer.
  * Speed up Shamir's secret sharing routines. Thanks to ncarve.
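GH#420 here and GH#582 in the 3.12.0 entry above are the same bug class: a mode of operation writing plaintext into an output buffer that aliases the input, so the chaining value for the next block is read after it has already been overwritten. The following is an added illustration, not pycryptodome's code. The 16-byte block function is a toy (XOR with the key, then a one-byte rotation) standing in for AES so that only the CBC chaining logic is under test; the key, IV and three-block message are constructed for the demo.

```python
"""In-place CBC decryption: the aliased-buffer bug beside its fix.

Added example, not library code.  `toy_block_*` is NOT a cipher; it only lets the
mode logic run without a dependency.
"""

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # XOR with the key, then rotate left by one byte (stand-in for AES).
    x = _xor(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse of toy_block_encrypt: rotate right, then XOR with the key.
    x = block[-1:] + block[:-1]
    return _xor(x, key)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E(P_i XOR C_{i-1}) with C_0 = IV; plaintext must be a block multiple."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt_buggy(key: bytes, iv: bytes, data: bytearray, out: bytearray) -> None:
    """P_i = D(C_i) XOR C_{i-1}, but P_i is written before C_i is saved.

    Correct when `out` is a separate buffer.  When `out is data`, the write
    overwrites C_i, so the next block is chained against P_i instead of C_i.
    """
    prev = iv
    for i in range(0, len(data), BLOCK):
        out[i:i + BLOCK] = _xor(toy_block_decrypt(key, bytes(data[i:i + BLOCK])), prev)
        prev = bytes(data[i:i + BLOCK])  # BUG: reads P_i when out aliases data


def cbc_decrypt_fixed(key: bytes, iv: bytes, data: bytearray, out: bytearray) -> None:
    """Same mode, with C_i copied out before the output write can clobber it."""
    prev = iv
    for i in range(0, len(data), BLOCK):
        c_i = bytes(data[i:i + BLOCK])  # snapshot taken before writing
        out[i:i + BLOCK] = _xor(toy_block_decrypt(key, c_i), prev)
        prev = c_i


def demo() -> dict:
    """Constructed three-block message, decrypted in place by both variants."""
    key = bytes(range(16))          # constructed test key
    iv = b"\xa5" * 16               # constructed IV
    pt = b"block one ......block two ......block three ...."  # 48 bytes
    ct = cbc_encrypt(key, iv, pt)

    buggy = bytearray(ct)
    cbc_decrypt_buggy(key, iv, buggy, buggy)        # output aliases input
    fixed = bytearray(ct)
    cbc_decrypt_fixed(key, iv, fixed, fixed)        # output aliases input
    separate = bytearray(len(ct))
    cbc_decrypt_buggy(key, iv, bytearray(ct), separate)  # distinct buffers

    return {
        "plaintext": pt,
        "in_place_buggy": bytes(buggy),
        "in_place_fixed": bytes(fixed),
        "separate_buggy": bytes(separate),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value!r}")
```

Only the first block survives the buggy in-place decryption: it is chained against the IV, which is never overwritten. Every later block is XORed with the previous plaintext rather than the previous ciphertext, which is exactly the "wrong plaintext when the input and the output were the same buffer" symptom both entries describe, and it is silent, since nothing in CBC detects it.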
Dominique Leuenberger (dimstar_suse) accepted request 780395 from Dirk Mueller (dirkmueller) (revision 8)
- update to 3.9.7:
  * GH#381: Make notarization possible again on OS X when using wheels. Thanks to Colin Atkinson.
  * RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
  * GH#372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
  * Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.
  * GH#341: Prevent ``key_to_english`` from creating invalid data when fed with keys of length not multiple of 8. Thanks to vstoykovbg.
  * GH#347: Fix blocking RSA signing/decryption when key has very small factor. Thanks to Martijn Pieters.
  * GH#308: Align stack of functions using SSE2 intrinsics to avoid crashes, when compiled with gcc on 32-bit x86 platforms.
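Two entries on this page concern the decode side of RSA-OAEP: 3.9.7 here (the ``PS`` padding bytes were not all checked to be zero) and 3.19.1 above (a side channel in OAEP decryption exploitable for a Manger attack, CVE-2023-52323). The following is an added illustration of the EME-OAEP padding layer from RFC 8017 section 7.1 written so that both points are visible; it is not pycryptodome's code. The RSA exponentiation is left out so the checks stay in view, the hash, label and sizes are assumed (SHA-256, empty label, k = 128), and the sample message is constructed. Python cannot guarantee constant time, so the branch-free structure is the pattern to copy, not a timing guarantee.

```python
"""EME-OAEP encode/decode (RFC 8017, section 7.1) with uniform-failure decoding.

Added example, not pycryptodome's code.  Only the padding layer is shown; an RSA
implementation would apply oaep_encode before the public operation and
oaep_decode after the private one.
"""
import hashlib
import hmac
import os


def _mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_db(message: bytes, k: int, label: bytes = b"", hash_name: str = "sha256") -> bytes:
    """DB = lHash || PS || 0x01 || M, with PS all zero (encoding step 2)."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    return l_hash + ps + b"\x01" + message


def oaep_mask(db: bytes, seed: bytes, k: int, hash_name: str = "sha256") -> bytes:
    """EM = 0x00 || maskedSeed || maskedDB.  Split out so a deliberately
    malformed DB can be fed in to exercise the decoder's checks."""
    h_len = hashlib.new(hash_name).digest_size
    masked_db = _xor(db, _mgf1(seed, k - h_len - 1, hash_name))
    masked_seed = _xor(seed, _mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_encode(message: bytes, k: int, label: bytes = b"", hash_name: str = "sha256",
                seed: bytes = None) -> bytes:
    h_len = hashlib.new(hash_name).digest_size
    seed = os.urandom(h_len) if seed is None else seed
    return oaep_mask(build_db(message, k, label, hash_name), seed, k, hash_name)


def oaep_decode(em: bytes, k: int, label: bytes = b"", hash_name: str = "sha256") -> bytes:
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:   # lengths are public; fine to reject early
        raise ValueError("decryption error")
    l_hash = hashlib.new(hash_name, label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, _mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, _mgf1(seed, k - h_len - 1, hash_name))

    # Every failure is OR-ed into one flag, no early return, no branch on
    # decrypted bytes: a wrong Y, a wrong lHash and a non-zero PS byte all take
    # the same path and raise the same error.  A Manger-style oracle needs to
    # tell those cases apart; the 3.9.7 bug was skipping the PS check entirely.
    bad = int(y != 0)
    bad |= int(not hmac.compare_digest(db[:h_len], l_hash))
    found, sep_index = 0, 0
    for i in range(h_len, len(db)):
        b = db[i]
        is_sep = int(b == 1) & (1 - found)              # first 0x01 after lHash
        sep_index |= i * is_sep                          # recorded once, branch-free
        bad |= int(b != 0) & (1 - found) & (1 - is_sep)  # non-zero byte inside PS
        found |= is_sep
    bad |= 1 - found                                     # separator never seen
    if bad:
        raise ValueError("decryption error")
    return db[sep_index + 1:]


def _accepts(em: bytes, k: int) -> bool:
    try:
        oaep_decode(em, k)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed cases: round trip, flipped Y byte, one non-zero PS byte."""
    k, seed = 128, b"\x11" * 32                          # fixed seed for a repeatable demo
    em = oaep_encode(b"attack at dawn", k, seed=seed)
    db = bytearray(build_db(b"hi", k))                   # PS occupies db[32:92] here
    db[40] = 0x07                                        # corrupt one PS byte
    bad_ps = oaep_mask(bytes(db), seed, k)
    db[40] = 0x00
    good_ps = oaep_mask(bytes(db), seed, k)
    return {
        "roundtrip": oaep_decode(em, k),
        "bad_y": _accepts(bytes([0x01]) + em[1:], k),
        "bad_ps": _accepts(bad_ps, k),
        "zeroed_ps": oaep_decode(good_ps, k),
    }


if __name__ == "__main__":
    print(demo())
```

What the decoder still reveals is the success/failure bit itself and the length of the returned message; a real implementation also has to keep the RSA private operation and the error path that follows free of data-dependent timing, which is the part the 3.19.1 fix addressed and which pure Python cannot promise.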
Ludwig Nussel (lnussel_factory) accepted request 730127 from Thomas Bechtold (tbechtold) (revision 5)
- Add export LC_ALL=en_US.UTF-8 to %build, %install and %check to fix the build on older distros
Displaying revisions 1 - 20 of 24