
Releases: weidai11/cryptopp

Crypto++ 7.0 release

08 Apr 08:57
c8d8caf

Crypto++ 7.0

Crypto++ 7.0 was released on April 8, 2018. The 7.0 release was a major, unplanned release. There are no CVE fixes but there is a fix for a memory error.

Release Notes

The release notes for Crypto++ 7.0 follow.

  • major release, recompile of programs required
  • expanded community input and support
    • 48 unique contributors as of this release
  • fix incorrect result when using Integer::InverseMod
    • may be CVE worthy, but request was not submitted
  • fix ARIA/CTR bus error on Sparc64
  • fix incorrect result when using a_exp_b_mod_c
  • fix undeclared identifier uint32_t on early Visual Studio
  • fix iPhoneSimulator build on i386
  • fix incorrect adler32 in ZlibDecompressor
  • fix Power7 test using PPC_FEATURE_ARCH_2_06
  • workaround incorrect Glibc sysconf return value on ppc64-le
  • add KeyDerivationFunction interface
  • add scrypt key derivation function
  • add Salsa20_Core transform callable from outside class
  • add sbyte, sword16, sword32 and sword64
  • remove s_nullNameValuePairs from unnamed namespace
  • ported to MSVC 2017, Xcode 9.3, Sun Studio 12.5, GCC 8.0.1, MacPorts GCC 7.0, Clang 5.0, Intel C++ 17.00, IBM XL C/C++ 13.1

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 7.0 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

  • fix incorrect result when using Integer::InverseMod (Issue 602)
    • may be CVE worthy, but a request was not submitted
  • fix warning due to different string alignments in mqueue.cpp (Issue 591, PR 603)
  • add PowerPC Power8 SHA hashing (Issue 513)
  • define AT_HWCAP/AT_HWCAP2 if getauxval unavailable (PR 594)
  • fix compile error on Windows due to symbol U collision (Issue 599)
  • fix Adler32 error in ZlibDecompressor in multithreaded programs (Issue 596, PR 600)
  • fix ARIA/CTR bus error on Sparc64 (Issue 597)
  • fix GCC version for RDSEED intrinsic (PR 598)
  • fix incorrect result when using a_exp_b_mod_c (Issue 602)
  • fix undeclared identifier uint32_t on early Visual Studio (Issue 608)
  • add sbyte, sword16, sword32 and sword64 (Issue 608, 609)
  • add KeyDerivationFunction interface (Issue 610)
  • cutover PBKDF to KeyDerivationFunction interface (PR 612)
  • add Scrypt key derivation function (Issue 613)
  • remove extraneous semi-colons in source files (PR 605-625)
  • re-enable OS X and iOS tests on Travis (PR 627)
  • add OpenMP support to Scrypt (PR 628)
  • add Salsa20_Core transform (Issue 630)
  • remove s_nullNameValuePairs from unnamed namespace (Issue 631)
  • rename ECGDSA_ISO15946 -> ECGDSA (PR 634)
  • fix iPhoneSimulator build on i386 (Issue 635)
  • make CAST temporaries class members (Commit 71e9fec)
  • fix Scrypt and Coverity findings CID 189203, 189204, 189205 (Commit 11e0760)
  • change order of member initialization in ASN.1 decoders (Commit 64a15cf)
  • make AuthenticatedSymmetricCipher::AlgorithmName non-pure (Commit 62a9574)
  • add CPU feature queries for AIX (Commit 04e3618)

Memory error

The Integer class had a memory error in member function InverseMod that could cause a heap corruption. The error surfaced when x % m was used and x was much larger than m. The error usually occurred when the bit count of x was larger than the bit count of m by about 128 or 256 bits.

Below is the new code for InverseMod located in integer.cpp. InverseMod was fixed, and InverseModNext was added. The problem was Integer r was too small, and AlmostInverse wrote beyond the integer's internal buffer. Also see Issue 602 | Comment 376222204.

Integer Integer::InverseMod(const Integer &m) const
{
    // Negative operands are reduced into [0, m) before inversion
    if (IsNegative())
        return Modulo(m).InverseModNext(m);

    // http://github.com/weidai11/cryptopp/issues/602
    // Operands of m or larger are reduced first, so that r (sized from
    // m.reg.size() below) is large enough for AlmostInverse to write into
    if (*this >= m)
        return Modulo(m).InverseModNext(m);

    return InverseModNext(m);
}

Integer Integer::InverseModNext(const Integer &m) const
{
    // Precondition: 0 <= *this < m
    if (m.IsEven())
    {
        if (!m || IsEven())
            return Zero();    // no inverse
        if (*this == One())
            return One();

        // Even modulus: invert m modulo *this (an odd modulus) and lift the result
        Integer u = m.Modulo(*this).InverseModNext(*this);
        return !u ? Zero() : (m*(*this-u)+1)/(*this);
    }

    // Odd modulus: scratch space and the result are sized from m, which is
    // why the operand must already have been reduced below m
    IntegerSecBlock T(m.reg.size() * 4);
    Integer r((word)0, m.reg.size());
    unsigned k = AlmostInverse(r.reg, T, reg, reg.size(), m.reg, m.reg.size());
    DivideByPower2Mod(r.reg, r.reg, k, m.reg, m.reg.size());
    return r;
}
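To make the control flow of the fixed routine concrete, here is an added, self-contained C++ re-implementation of the same InverseMod/InverseModNext structure on 32-bit operands. It is example code written for this page, not Crypto++ code. The reduce-before-invert guard, the even-modulus recursion and its lifting formula follow the code above; AlmostInverse and DivideByPower2Mod are internal Crypto++ routines, so this example substitutes a plain extended Euclidean step for the odd-modulus base case (an assumption of the example), and with fixed-width arithmetic the buffer-sizing problem of Issue 602 cannot arise. The exhaustive check at the end validates every result against a gcd test and a multiplication, which is the kind of oracle that catches an incorrect inverse.

```cpp
#include <cstdint>
#include <cstdio>

// Example code for this page, not part of Crypto++. It mirrors the
// InverseMod / InverseModNext control flow on uint32_t operands.

// Greatest common divisor, used only by the self-check below.
static uint32_t gcd_u32(uint32_t a, uint32_t b)
{
    while (b != 0) { uint32_t t = a % b; a = b; b = t; }
    return a;
}

// Odd-modulus base case. Crypto++ uses AlmostInverse + DivideByPower2Mod
// here; this example substitutes a plain extended Euclidean algorithm.
// Returns 0 when no inverse exists.
static uint32_t inverse_mod_odd(uint32_t a, uint32_t m)
{
    int64_t old_r = a, r = m, old_s = 1, s = 0;
    while (r != 0)
    {
        int64_t q = old_r / r;
        int64_t t = old_r - q * r; old_r = r; r = t;
        t = old_s - q * s; old_s = s; s = t;
    }
    if (old_r != 1)
        return 0;                       // gcd(a, m) != 1: no inverse
    int64_t inv = old_s % static_cast<int64_t>(m);
    if (inv < 0)
        inv += m;
    return static_cast<uint32_t>(inv);
}

// Mirrors Integer::InverseModNext. Precondition: a < m.
static uint32_t inverse_mod_next(uint32_t a, uint32_t m)
{
    if (m % 2 == 0)
    {
        if (m == 0 || a % 2 == 0)
            return 0;                   // no inverse
        if (a == 1)
            return 1;

        // Even modulus: invert m modulo the odd operand a, then lift.
        uint32_t u = inverse_mod_next(m % a, a);
        if (u == 0)
            return 0;
        uint64_t num = static_cast<uint64_t>(m) * (a - u) + 1;  // exact multiple of a
        return static_cast<uint32_t>(num / a);
    }
    return inverse_mod_odd(a, m);
}

// Mirrors Integer::InverseMod: reduce the operand below m first (the
// Issue 602 fix), then invert. A zero modulus yields 0 rather than a
// division error (an assumption of this example).
static uint32_t inverse_mod(uint32_t a, uint32_t m)
{
    if (m == 0)
        return 0;
    if (a >= m)
        a %= m;
    return inverse_mod_next(a, m);
}

// Oracle: for every m <= max_m and every a < m, the result must be
// nonzero exactly when gcd(a, m) == 1, and then a * inv == 1 (mod m).
static bool exhaustive_check(uint32_t max_m)
{
    for (uint32_t m = 2; m <= max_m; ++m)
        for (uint32_t a = 1; a < m; ++a)
        {
            uint32_t inv = inverse_mod(a, m);
            bool invertible = gcd_u32(a, m) == 1;
            if (invertible != (inv != 0))
                return false;
            if (invertible && (static_cast<uint64_t>(a) * inv) % m != 1)
                return false;
        }
    return true;
}

int main()
{
    std::printf("3^-1 mod 10 = %u\n", inverse_mod(3, 10));        // 7
    std::printf("1003^-1 mod 10 = %u\n", inverse_mod(1003, 10));  // reduced to 3 first: 7
    std::printf("5^-1 mod 10 = %u (no inverse)\n", inverse_mod(5, 10));
    std::printf("exhaustive check up to 300: %s\n", exhaustive_check(300) ? "ok" : "FAILED");
    return 0;
}
```

The even-modulus branch relies on u being an inverse of (m mod a) modulo a, which makes m*(a-u)+1 an exact multiple of a and the quotient a valid inverse smaller than m; the odd-modulus branch is where Crypto++ sizes its scratch buffers from m, and the reduction in inverse_mod is what keeps the operand within that size.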

Notes for Distros

The incorrect result when using Integer::InverseMod (Issue 602) is a memory error. The issue may be CVE worthy, and it is the reason for the Crypto++ 7.0 release. The library itself was not at risk of memory problems due to the way the library used the Integer class. User programs prior to Crypto++ 7.0 could be at risk because they might call the mod operation with an operand large enough to witness the problem.

The 7.0 version bump was not due to the memory error. The major version bump was due to ABI breaks caused by the KeyDerivationFunction interface.

File Changes

Below is a list of all files that were added at Crypto++ 7.0.

$ git diff-tree -r --summary CRYPTOPP_6_1_0 CRYPTOPP_7_0_0 | grep -v "change" | awk '{$2=$3=""; print $0}' | egrep '(.h|.cpp|.txt|.dat)'
create   scrypt.cpp
create   scrypt.h

Crypto++ 6.1 release

22 Feb 16:13
5be140b

Crypto++ 6.1

Crypto++ 6.1 was released on February 22, 2018. The 6.1 release was a minor, planned release. There were no CVE fixes.

Release Notes

The release notes for Crypto++ 6.1 follow.

  • minor release, maintenance items
  • expanded community input and support
    • 46 unique contributors as of this release
  • use 2048-bit modulus default for DSA
  • fix build under Linuxbrew
  • use /bin/sh in GNUmakefile
  • fix missing flags for SIMON and SPECK in GNUMakefile-cross
  • fix ARM and MinGW misdetection in GNUMakefile
  • port setenv-android.sh to latest NDK
  • fix Clang check for C++11 lambdas on FreeBSD
  • convert Simon and Speck to little-endian implementation
  • use LIB_MAJOR for ABI compatibility
  • fix ODR violation in AdvancedProcessBlocks_{ARCH} templates
  • handle C++17 std::uncaught_exceptions
  • ported to MSVC 2017, Xcode 8.1, Sun Studio 12.5, GCC 8.0.1, MacPorts GCC 7.0, Clang 4.0, Intel C++ 17.00, IBM XL C/C++ 13.1

Simon and Speck

Crypto++ changed its implementation for Simon and Speck from big-endian to little-endian. Formerly we followed the published test vectors from the paper, but they turned out to be incorrect. We later learned we should have followed the algorithmic description from the paper. The Crypto++ implementation now aligns with the Simon and Speck paper's algorithmic description and the Linux kernel.

The Simon and Speck change was tracked via Issue 585.

Meltdown and Spectre

Meltdown and Spectre are security vulnerabilities announced in December 2017. The defects are present in modern CPUs due to speculative execution and allow attackers to recover secrets and other sensitive information. More reading is available at the Meltdown and Spectre website.

Crypto++ 6.1 (and Crypto++ 6.0) did not ship with Meltdown and Spectre remediations in place. The first remediations appeared in GCC 7.3 at the end of January 2018. If you want to build Crypto++ with GCC remediations in place then you should add -mfunction-return=thunk and -mindirect-branch=thunk to your CXXFLAGS. Optionally, you can disable assembly language routines. The steps to engage the hardening are:

  • Optionally uncomment #define CRYPTOPP_DISABLE_ASM 1 in config.h around line 60.
  • Add the appropriate flags to CXXFLAGS. For example, with GCC use CXXFLAGS="-DNDEBUG -g2 -O3 -mfunction-return=thunk -mindirect-branch=thunk".

It is hard to say how effective CRYPTOPP_DISABLE_ASM is at containing Meltdown and Spectre. Crypto++ has a fair number of assembly language routines, including hardware accelerated AES and SHA. Downgrading back to C++ means other side-channel leaks could be present that the hardware instructions had remediated.

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 6.1 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

  • use 2048-bit modulus default for DSA (Issue 571)
  • add Kalyna typedefs (Issue 535)
  • fix build under Linuxbrew (Issue 575)
  • use /bin/sh in GNUmakefile (Issue 573)
  • fix missing flags for SIMON and SPECK in GNUMakefile-cross (Issue 577)
  • fix MinGW misdetection (Issue 573)
  • fix ARM misdetection (Issue 573)
  • fix SHA-512 crash on Debian X32 (Issue 578)
  • fix misaligned SSE2 allocations on FreeBSD (Issue 562)
  • switch to posix_memalign when available (Commit 22e783a)
  • use install program for GNUmakefile (Issue 582)
  • port setenv-android.sh to latest NDK
  • fix Clang check for C++11 lambdas (Issue 587)
  • convert Simon and Speck to little-endian (Issue 588)
  • fix signed integer overflow on ppc64 (Issue 588)
  • use LIB_MAJOR for ABI compatibility (Issue 589)
  • fix ODR violation in AdvancedProcessBlocks_{ARCH} templates (Issue 588)
  • handle C++17 std::uncaught_exceptions (Issue 590)

Notes for Distros

None.

File Changes

None.

Crypto++ 6.0 release

22 Jan 21:29
b6c6684

Crypto++ 6.0

Crypto++ 6.0 was released on January 22, 2018. The 6.0 release was a major release and the ABI changed. The release included two CVE fixes.

The first CVE, CVE-2016-9939, was a transient DoS due to allocating an oversized buffer on attacker controlled data. The transience was due to a zeroizer which cleared the memory, even if the memory was unused.

The second CVE, CVE-2017-9434, was a misidentified finding that arose during fuzzing. The project detected a memory error that was due to a violation of aliasing rules in the test software, and not the library proper.

Release Notes

The release notes for Crypto++ 6.0 follow.

  • Major release, recompile of programs required
  • expanded community input and support
    • 43 unique contributors as of this release
  • fixed CVE-2016-9939 (Issue 346, transient DoS)
  • fixed CVE-2017-9434 (Issue 414, misidentified memory error)
  • converted to BASE+SIMD implementation
    • BASE provides an architecture neutral C++ implementation
    • SIMD provides architecture specific hardware acceleration
  • improved PowerPC Power4, Power7 and Power8 support
  • added ARIA, EC German DSA, Deterministic signatures (RFC 6979), Kalyna, NIST Hash and HMAC DRBG, Padlock RNG, Poly1305, SipHash, Simon, Speck, SM3, SM4, Threefish algorithms
  • added NaCl interface from the compact library
    • x25519 key exchange and ed25519 signing provided through NaCl interface
  • improved Testing and QA
  • ported to MSVC 2017, Xcode 8.1, Sun Studio 12.5, GCC 7.0, MacPorts GCC 7.0, Clang 4.0, Intel C++ 17.00, IBM XL C/C++ 13.1

std::byte

Crypto++ moved byte into the CryptoPP namespace. The change could cause problems with some user programs. There is a wiki page available for fixing user programs at std::byte.

The change was due to C++17 std::byte causing ambiguous symbol references. Formerly Crypto++ byte was in the global namespace to avoid ambiguous symbol references due to Microsoft SDK's placement of a byte in the global namespace.

After the change Microsoft byte and std::byte will still cause ambiguous symbol references, and the wiki page should help user programs make a choice.

BASE + SIMD

Crypto++ switched to BASE+SIMD to better support distros. BASE provides an agnostic C++ implementation, while SIMD provides a specialized implementation like ARMv8 or Intel for AES or SHA. The SIMD files, like rijndael-simd.cpp or sha-simd.cpp, require architecture specific flags, like -msse4.1 -maes and -march=armv8-a+crypto.

Both the Crypto++ makefile and the unofficial Autotools project add the architecture specific flags. The makefile still honors your CXXFLAGS:

# AESNI, ARMv8a or Power8 available
rijndael-simd.o : rijndael-simd.cpp
        $(CXX) $(strip $(CXXFLAGS) $(AES_FLAG) -c) $<

If you encounter errors like those shown below, then be sure your build tool is adding the necessary flags.

$ g++ -g2 -O3 rijndael-simd.cpp -c
In file included from rijndael-simd.cpp:37:0:
...
/usr/lib/gcc/x86_64-redhat-linux/7/include/wmmintrin.h:61:1:
  error: inlining failed in call to always_inline '__m128i _mm_aesenc_si128(__m128i, __m128i)':
  target specific option mismatch
 _mm_aesenc_si128 (__m128i __X, __m128i __Y)
 ^~~~~~~~~~~~~~~~
rijndael-simd.cpp:377:33: note: called from here
         block = _mm_aesenc_si128(block, skeys[i+1]);

Autotools project

BASE+SIMD caused a lot of extra work for Debian and László Böszörményi. We teamed with László and added an unofficial Autotools project to remove some of the burden. The Autotools project can be used to build Crypto++ by distributions.

If you experience a failed compile due to missing architecture flags, then run the makefile or the Autotools configure script. Autotools will provide summary information with the necessary flags:

$ autoreconf -f -i
...
$ ./configure
...

Auto-configuration complete. A summary of options are below. If
something looks wrong then please modify config.h and please report
it at http://github.com/noloader/cryptopp-autotools.

   Build triplet: x86_64-pc-linux-gnu
 Compiler target: x86_64-redhat-linux
Compiler version: g++ (GCC) 7.2.1 20170915 (Red Hat 7.2.1-2)

Static library: yes
Shared library: yes

CRYPTOPP_SSE_FLAG: -msse2
CRYPTOPP_ARIA_FLAG: -mssse3
CRYPTOPP_BLAKE2_FLAG: -msse4.1
CRYPTOPP_CRC_FLAG: -msse4.2
CRYPTOPP_GCM_FLAG: -mssse3 -mpclmul
CRYPTOPP_AES_FLAG: -msse4.1 -maes
CRYPTOPP_SHA_FLAG: -msse4.2 -msha
CRYPTOPP_SPECK_FLAG: -msse4.1
CRYPTOPP_SIMON_FLAG: -msse4.1

Automake flags (can be overridden by user flags):
AM_CXXFLAGS:  -pthread -fdata-sections -ffunction-sections -pipe
AM_LDFLAGS:  -pthread -Wl,--gc-sections -Wl,--exclude-libs,ALL

User flags (overrides Automake flags on conflict):
CXXFLAGS: -g -O2
LDFLAGS:

Running configure on an Aarch64 machine produces similar results for ARMv8:

CRYPTOPP_NEON_FLAG: -march=armv8-a
CRYPTOPP_ARIA_FLAG: -march=armv8-a
CRYPTOPP_BLAKE2_FLAG: -march=armv8-a
CRYPTOPP_CRC_FLAG: -march=armv8-a+crc
CRYPTOPP_GCM_FLAG: -march=armv8-a+crypto
CRYPTOPP_AES_FLAG: -march=armv8-a+crypto
CRYPTOPP_SHA_FLAG: -march=armv8-a+crypto
CRYPTOPP_SPECK_FLAG: -march=armv8-a
CRYPTOPP_SIMON_FLAG: -march=armv8-a

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 6.0 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

CMake bugs were not included in the list below. There were approximately 40 of them. CMake did not achieve stability, and it was removed under Issue 506. The build tool was responsible for a disproportionate number of bugs between Crypto++ 5.6.4 and Crypto++ 6.0. We did not have the resources to work the reports.

  • Fixed CVE-2016-9939 (Issue 346, transient DoS)
  • Fixed CVE-2017-9434 (Issue 414, misidentified memory error)
  • Added std::byte, fixed compiles (Issues 442, 447, 458)
  • Converted to BASE+SIMD source code pattern (Issue 380, PR 461)
  • Updated documentation
  • Fixed x64dll.asm included in Windows Phone using MSbuilds (Issue 316)
  • Remove dependencies on WINVER and _WIN32_WINNT (Issue 318)
  • Fixed memcpy_s has not been declared on MinGW (Issue 319)
  • Fixed undeclared identifier '_mm_clmulepi64_si128' with Clang (Issue 320)
  • Fixed MASM RDRAND and access violation under VS2013 (Issue 321)
  • Fixed WSAStringToAddress was not declared in this scope on Cygwin (Issue 322)
  • Updated curve25519 OIDs (Issue 323)
  • Fixed error: operator '>=' has no left operand on Solaris (Issue 329)
  • Fixed Error: character following name is not '#' on Debian Hurd (Issue 330)
  • Fixed zeroizer removal by the optimizer (Issue 331)
  • Added AND, OR and XOR bitops to Integer class (Issue 336)
  • Fixed missing Integer ctor overload body (Issue 337)
  • Removed VC++ 5.0/6.0 support (Issue 342)
  • Updated DefaultEncryptor, DefaultEncryptorWithMAC with modern algorithms (Issue 345)
  • Added SipHash (Issue 348)
  • Increased Socket::Listen backlog (Issue 349)
  • Fixed RoundUpToMultipleOf bug (Issue 360)
  • Fixed <arm_acle.h> include for Apple and LLVM Clang (Issue 362)
  • Fixed Apple Clang and numeric_limits::max() returns 0 (Issue 362)
  • Fixed 32-bit SHA-384 and SHA-512 (Issue 365)
  • Fixed poor performance with ARMv8/Aarch64 on Cortex-A57 (Issue 367)
  • Removed MAINTAIN_BACKWARDS_COMPATIBILITY (Issue 369)
  • Added HeaderVersion() and LibraryVersion() functions (Issue 371)
  • Singleton::Ref() crashes on VS2012/2013 (Issue 372, 391)
  • Fixed Hang and loader lock on WinXP (Issues 373, 435)
  • Converted encoders to thread safe initialization (Issue 376)
  • Fixed OS_NO_DEPENDENCE in osrng.h (Issue 377)
  • Added Test namespace within CryptoPP namespace (Issue 379)
  • Removed NULL_CHANNEL and Code Warrior 8 workaround (Issue 382)
  • Added support for C++11 nullptr (Issue 383)
  • Converted to WSAStringToAddressA for Windows (Issue 385)
  • Added Random Number Generator benchmarks (Issue 386)
  • Improved RDRAND and RDSEED performance (Issue 387, 388)
  • Fixed EGCC assembler error on OpenBSD (Issue 395)
  • Fixed SIGBUS crashes in cryptest.exe on Solaris (Issue 403)
  • Fixed Inlining failed ... target specific option mismatch (Issue 407)
  • Added Kalyna block cipher (Issue 411)
  • Reduced fiddling with warnings in config.h (Issue 412)
  • Fixed incorrect BLAKE2 hash (Issue 415)
  • Added Gzip Filename, Filetime and Comment support (Issue 420)
  • Added Threefish block cipher (Issue 422)
  • Added Polynomials for CMAC and GCM mode (Issue 423)
  • Enabled SHA intrinsics when SHA is not defined (BASE+SIMD pattern) (Issue 427, PR 461)
  • Enabled CRC32 intrinsics when CRC is not defined (BASE+SIMD pattern) (Issue 428, PR 461)
  • Enabled AES intrinsics when AES is not defined (BASE+SIMD pattern) (Issue 429, PR 461)
  • Enabled CLMUL intrinsics when PCLMUL is not defined (BASE+SIMD pattern) (Issue 430, PR 461)
  • Fixed GCC7 and -Wimplicit-fallthrough warnings (Issue 411)
  • Make SecBlock<T,A> data members protected (Issue 448)
  • Fixed Clang and sequence point warning (Issue 449)
  • Added OldRandomPool for pre-Crypto+...

Crypto++ 5.6.5 release

08 Apr 21:10
c621ce0

Crypto++ 5.6.5

Crypto++ 5.6.5 was released on October 11, 2016. The 5.6.5 release was mostly a maintenance release. The release included two CVE fixes.

The first, CVE-2016-7420, was a procedural finding due to external build systems failing to define NDEBUG for release builds. The gap was the project's failure to tell users to define NDEBUG. The second, CVE-2016-7544, was a potential memory corruption on Windows platforms when using Microsoft compilers due to use of _malloca and _freea.

Due to CVE-2016-7420 and the possibility for an unwanted assert to egress data, users and distros are encouraged to recompile the library and all dependent programs.

Release Notes

The release notes for Crypto++ 5.6.5 follow.

  • maintenance release, recompile of programs recommended
  • expanded community input and support
    • 25 unique contributors as of this release
  • fixed CVE-2016-7420 (Issue 277, document NDEBUG for production/release)
  • fixed CVE-2016-7544 (Issue 302, avoid _malloca and _freea for MSC compilers)
  • shipped library in recommended state
    • backwards compatibility achieved with <config.compat>
  • Visual Studio project file cleanup
    • improved X86 and X64 MSBuild support
    • added ARM-based MSBuild awareness
  • improved Testing and QA
    • expanded platforms and compilers
    • expanded Coverity into OS X and Windows platforms
    • added Windows test scripts using Strawberry Perl
  • ported to MSVC 2015 SP3, Xcode 7.3, Sun Studio 12.5, GCC 7.0, MacPorts GCC 7.0, Clang 3.8, Intel C++ 17.00

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 5.6.5 follows. Most non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

The list below has about 20 issues. The project's test scripts, cryptest.sh and cryptest.nmake, uncovered about 16 (80.0%) of them.

  • Document need for NDEBUG in production/release (CVE-2016-7420, Issue 277)
  • Add CRYPTOPP_ASSERT(); avoid Posix assert() (CVE-2016-7420, Issue 277)
  • Potential memory corruption when using _malloca and _freea for MSC compilers (CVE-2016-7544, Issue 302)
  • Fix missing CryptoPP::memcpy_s on MinGW32 (Issue 319)
  • Visual Studio 2010 project file cleanup (Issue 314)
  • Improved MSBuild support, including future ARM-based builds (Issue 316)
  • Cygwin, Newlib and broken compile when -std=XXX due to <signal.h> (Issue 315)
  • Sun Studio 12.2-12.4 and failed debug compile due to <signal.h> (Issue 289)
  • Sun Studio 12.3-12.4, integer.cpp and "Types cannot be declared in anonymous union" (Issue 274)
  • Sun Studio 12.5 and incorrect results for GCM when using SSE2 ASM (Issue 284)
  • Solaris GCC and "error: constructor priorities are not supported" (Issue 289)
  • Clang 3.3, i686 and "error: unknown use of instruction mnemonic without a size suffix" (Issue 264)
  • Clang 3.7 warnings for missing/undefined variable templates definitions in <pkcspad.h>
  • Additional test scripts for Windows and OS X testing (Issue 303)
  • Approximately 80 miscellaneous Coverity findings on Windows (Issues 310-12, all minor or false positives)
  • Approximately 20 miscellaneous Coverity findings on OS X (Issues 295 and 299, all minor or false positives)
  • MARS max keysize is limited at 32 bytes (Issue 278)
  • CMake improvements (Issues 276)
  • CMake, Solaris and output artifacts that can't be linked due to missing PIC (Issue 271)
  • CMake, CMakeList.txt calls out GNUInstallDirs (Issue 268)
  • Fix port forwarding in cryptest.exe program on Unix
  • Move file scope statics into anonymous namespace
  • Rewrite some Windows socket code, remove _WINSOCK_DEPRECATED_NO_WARNINGS (Issue 19)
  • Guard DEBUG_NEW for Visual Studio and leak detection
  • Remove library supplied aesenc, aesdec and friends (Issue 206)
  • Use __BIGGEST_ALIGNMENT__ in <secblock.h> if it is smaller than sizeof(T)
  • Re-enable AES-NI/CLMUL when using Clang Integrated Assembler
  • Updated documentation

File Changes

Below is a list of all files that were added or deleted at Crypto++ 5.6.5.

The header file ossig.h is new and needs to be distributed. Additions to TestScripts can probably be ignored.

$ git diff-tree -r --summary CRYPTOPP_5_6_4 CRYPTOPP_5_6_5 | grep -v "change" | awk '{$2=$3=""; print $0}' | egrep '(.h|.cpp|.txt|.dat)'
create TestScripts/coverity-linux.txt
create TestScripts/coverity-macosx.txt
create TestScripts/coverity-windows.txt
create TestScripts/cryptest-coverity.cpp
create TestVectors/tls_chacha.txt
create ossig.h

Note for Distros

If you start getting bug reports on missing symbols that implicate unsigned long long, then this applies to you. Depending on what you are using in Crypto++, it may surface as:

// Linux:
cryptest.exe: symbol lookup error: .../cryptest.exe: undefined symbol: CryptoPP::RandomNumberStore::TransferTo2(CryptoPP::BufferedTransformation&,
    unsigned long long&, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool)
cryptest.exe: symbol lookup error: .../cryptest.exe: undefined symbol: CryptoPP::Whirlpool::InitState(unsigned long long*)

// OS X:
dyld: Symbol not found: CryptoPP::RandomPool::GenerateIntoBufferedTransformation(CryptoPP::BufferedTransformation&, std::string const&, unsigned long long)
  Referenced from: .../cryptest.exe
  Expected in: .../libcryptopp.dylib
 in .../cryptest.exe

In Crypto++ 5.6.4 and below word64 was unconditionally defined to unsigned long long on 32-bit and 64-bit platforms. Crypto++ 5.6.5 defined word64 to unsigned long on 64-bit machines due to compile problems with GCC and Clang when using SSE and NEON data types through intrinsics. Crypto++ 5.6.5 increased use of SSE and NEON intrinsics, and calls to SSE and NEON APIs had some hacks that were cleaned up.

Below is the block from config.h that is responsible for the "missing unsigned long long" issue.

#if defined(_MSC_VER) || defined(__BORLANDC__)
        typedef unsigned __int64 word64;
        #define W64LIT(x) x##ui64
#elif (_LP64 || __LP64__)
        typedef unsigned long word64;
        #define W64LIT(x) x##UL
#else
        typedef unsigned long long word64;
        #define W64LIT(x) x##ULL
#endif

To go back to Crypto++ 5.6.4, you have two choices. First, you can use config.compat in place of config.h to restore the compatibility. Second, you can remove the __LP64__ block. Be advised we did not test this configuration, so it may not completely clear the "missing unsigned long long" issue.

#if defined(_MSC_VER) || defined(__BORLANDC__)
        typedef unsigned __int64 word64;
        #define W64LIT(x) x##ui64
#else
        typedef unsigned long long word64;
        #define W64LIT(x) x##ULL
#endif

Since this break was unknown to the project, it was identified as a gap in our testing process. Commit 385a3914d6cfdc88 added a script to test for missing symbols by linking cryptest.exe against different versions of the dynamic library. For example, Crypto++ 5.6.4 cryptest.exe will runtime link against Crypto++ 5.6.5 libcryptopp.so or libcryptopp.dylib to ensure no symbols go missing.
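The mechanism behind the missing symbols is that unsigned long and unsigned long long are distinct C++ types even on LP64 platforms where both are 8 bytes wide, so every exported function taking a word64 gets a different mangled name once the typedef changes. The following added C++ program (example code for this page, not Crypto++ code) reproduces the two generations of the word64 typedef in separate namespaces, v564 and v565 (names chosen for this example), and compares width, type identity and function signature in one build, which is the check a packager can run to confirm whether a typedef change is ABI-visible on their platform.

```cpp
#include <cstdio>
#include <typeinfo>

// Example code for this page, not part of Crypto++. It reproduces the
// word64 typedef from two library generations in separate namespaces so
// the two function signatures can be compared in one program.

namespace v564 {
    typedef unsigned long long word64;     // Crypto++ 5.6.4 and below, every platform
    void InitState(word64 *state) { if (state) *state = 0; }
}

namespace v565 {
#if (_LP64 || __LP64__)
    typedef unsigned long word64;          // Crypto++ 5.6.5 on LP64 (64-bit Linux, OS X)
#else
    typedef unsigned long long word64;
#endif
    void InitState(word64 *state) { if (state) *state = 0; }
}

// Same width? On LP64 both are 8 bytes, which is what makes the break
// surprising: the values are layout-compatible, the symbols are not.
static bool same_width()
{
    return sizeof(v564::word64) == sizeof(v565::word64);
}

// Same C++ type? Distinct built-in types stay distinct for overloading and
// name mangling even when their size and representation agree.
static bool same_type()
{
    return typeid(v564::word64) == typeid(v565::word64);
}

// Same function signature? This is the property the dynamic linker sees:
// a different parameter type means a different mangled symbol, so an old
// cryptest.exe cannot resolve InitState(unsigned long long*) in a 5.6.5 library.
static bool same_signature()
{
    return typeid(&v564::InitState) == typeid(&v565::InitState);
}

// True when this build is LP64, i.e. the configuration in which
// Crypto++ 5.6.5 switched word64 to unsigned long.
static bool is_lp64()
{
#if (_LP64 || __LP64__)
    return true;
#else
    return false;
#endif
}

int main()
{
    std::printf("LP64 build:      %s\n", is_lp64() ? "yes" : "no");
    std::printf("same width:      %s\n", same_width() ? "yes" : "no");
    std::printf("same type:       %s\n", same_type() ? "yes" : "no");
    std::printf("same signature:  %s\n", same_signature() ? "yes" : "no");
    std::printf("5.6.4 type id:   %s\n", typeid(v564::word64).name());
    std::printf("5.6.5 type id:   %s\n", typeid(v565::word64).name());
    return 0;
}
```

On an LP64 build the program reports the same width but a different type and a different signature, which is exactly the combination that passes every compile-time check and still fails at load time; on a non-LP64 build both typedefs resolve to the same type and no symbol changes.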

Crypto++ 5.6.4 release

08 Apr 21:12

Crypto++ 5.6.4

Crypto++ 5.6.4 was released on September 11, 2016. The 5.6.4 release was mostly a maintenance release. The release included a few new classes, like BLAKE2b, BLAKE2s, ChaCha8/12/20, HMQV and FHMQV.

Release Notes

The release notes for Crypto++ 5.6.4 follow.

  • maintenance release, honored API/ABI/Versioning requirements
  • expanded community input and support
    • 22 unique contributors for this release
  • fixed CVE-2016-3995
  • changed SHA3 to FIPS 202 (F1600, XOF d=0x06)
  • added Keccak (F1600, XOF d=0x01)
  • added ChaCha (ChaCha8/12/20)
  • added HMQV and FHMQV
    • Hashed and Fully Hashed MQV
  • added BLAKE2 (BLAKE2s and BLAKE2b)
    • C++, SSE2, SSE4, ARM NEON and ARMv8 ASIMD
  • added CRC32-C
    • C/C++, Amd64 CRC, and ARMv8 CRC
  • improved Rabin-William signatures
    • Tweaked roots e and f
  • improved C++11 support
    • atomics, threads and fences
    • alignof, alignas
    • constexpr
    • noexcept
  • improved GCM mode
    • ARM NEON and ARMv8 ASIMD
    • ARMv8 carry-less multiply
  • improved Windows 8 and 10 support
    • Windows Phone, Universal Windows Platform, Windows Store
  • improved MIPS, ARMv7 and ARMv8 support
    • added scripts setenv-{android | embedded | ios}.sh for GNUmakefile-cross
    • aggressive use of -march= and -mfpu= in cryptest.sh
  • improved build systems
    • Visual Studio 2010 default
    • added CMake support (lacks FindCryptopp.cmake)
    • archived VC++ 5.0/6.0 project files (vc60.zip)
    • archived VS2005 project files (vs2005.zip)
    • archived Borland project files (bds10.zip)
  • improved Testing and QA
    • expanded platforms and compilers
    • added code generation tests based on CPU features
    • added C++03, C++11, C++14, C++17 testing
    • added -O3, -O5, -Ofast and -Os testing
  • ported to MSVC 2015 SP3, Xcode 7.3, Sun Studio 12.5, GCC 7.0, MacPorts GCC 7.0, Clang 3.8, Intel C++ 17.00

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 5.6.4 follows. Most non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

The list below has about 70 issues. 10 of the 70 are roughly feature requests that required tracking due to non-trivial code changes. For the remaining 60 issues, the project's test scripts, cryptest.sh and cryptest.nmake, uncovered about 47 (78.3%) of them.

  • Timing Attack Counter Measure AES (146) and Camellia (203) (AES was CVE'd; Camellia was pre-emptive)
  • Implementing GCM on ARMv8 (177)
  • Apple Clang 6.3 and undeclared identifier '_rdseed64_step' (183)
  • Apple Clang 6.0 (LLVM Clang 3.5) and alignment on __m128i variable (256)
  • Apple Clang 5.0 (LLVM Clang 3.4) and undeclared identifier '_mm_clmulepi64_si128' (184)
  • Apple Clang 5.0 compiler crash when using pclmulqdq ASM insn (182)
  • Apple Clang 6.0 (LLVM Clang 3.5), ARM and "error: no matching function for call to vcombine_u64" (234)
  • Apple Clang 6.0 (LLVM Clang 3.5), ARM and "compiler does not support '-mfpu=neon-vfpv4'" (246)
  • LLVM Clang and undeclared identifiers '_tzcnt_u32' and '_blsr_u32' (205)
  • LLVM Clang 3.5 and "SSE instruction set not enabled" (196)
  • LLVM Clang 3.5 and "error: SSSE3 instruction set not enabled" (245)
  • Missing symbols for FixedKeyLength::KEYLENGTH under C++11 and C++14 with constexpr (255)
  • StaticGetValidKeyLength returns incorrect values due to incorrect preprocessor macro (252)
  • GCC, ARMv8 and "fatal error: arm_acle.h: No such file or directory" (238)
  • Mingw-w64 and 'sigset_t' does not name a type (237)
  • word64 compile problems due to SSE2 and NEON interfaces (236)
  • GCC 4.9, Aarch32 and internal compiler error: in expand_shift_1, at expmed.c:2318 (233)
  • GCC 4.9, Raspberry Pi 3 and Bus Error (231)
  • Sun GCC 4.8 and missing 64-bit BMI/BMI2 instructions (230)
  • Sun Studio 12.1-12.3 and "Error: cannot use vector unsigned long long[2] to initialize vector unsigned long long[2]" (229)
  • Sun Studio 12.2 and failed compile using PLATFORM_CXXFLAGS (228, Commit 199c00f)
  • Sun Studio 12.2-12.5 and failed compile for gcm.cpp (228, Commit 199c00f)
  • Sun Studio 12.4 and failed compile for rijndael.cpp (224, Commit 199c00f)
  • Sun Studio 12.4 and "Error: The operand ___LKDB cannot be assigned to..." (188)
  • Sun Studio 12.3 and 12.4 builds broken (179)
  • Sun Studio 12.5 and BLAKE2b runtime failure (247)
  • Sun Studio 12.5 and "assertion failed in function pr_post_process_node() @ preopt.c:3868" (220, Commit 199c00f)
  • OS X and Valgrind findings for uninitialized variables when using -Ofast (223)
  • OS X and incorrect install_name for dynamic library (80)
  • Android cross-compile autoconf header check (222)
  • ld.gold and i686 without PIC: "/usr/bin/ld: -f may not be used without -shared" (219)
  • VS2015 and multiple C4589 warnings, "Constructor of abstract class X ignores initializer for virtual base class Y" (214)
  • Blake2s fails under VS2008/Win32/Release for Validation Suite (209)
  • CMake and "No rule to make target 'static'. Stop" (192)
  • CMake and "MACOSX_RPATH is not specified for the following targets..." (191)
  • CMake and "unknown target_include_directories" (181)
  • CMake and "include_directories given empty-string as include directory" (199)
  • CMake and "write_basic_package_version_file" (198)
  • CMake path variable should use CURRENT_SOURCE_DIR (135)
  • cpu.h and error: expected unqualified-id before 'int' (193)
  • MacPorts GCC should use Clang integrated assembler via -Wa,-q (190)
  • MacPorts GCC engages -DCRYPTOPP_DISABLE_ASM (189)
  • Cygwin i686/GCC 5.3 and error: 'u_short' was not declared in this scope (187)
  • Cygwin x86_64 and failed compile when using std=c++03 (148)
  • Cygwin x86_64 and 'fd_set' does not name a type (137)
  • Cygwin x86_64 crash with -DDEBUG -Os (100)
  • cryptest.exe reports wrong CPU features (176)
  • Use std::call for singleton implementation (173)
  • Performance based counter for TimerBase on Windows Phone and Windows Store apps (168)
  • Deactivate FIPS code paths for Windows Store apps (167)
  • NO_SOCKET macro (or similar) to remove sockets only for Windows Store apps (165)
  • NonblockingRng using BCryptGenRandom for Windows 10 and above (165)
  • VS2015 with Update2 and broken build using /MD (163)
  • blake2.cpp and crc.cpp compile issues under [Visual Studio] ARM Developer Prompt (162)
  • Failed build on Debian 8 and m68k processor (153)
  • validat1.cpp compile issue with NO_OS_DEPENDENCE defined (141)
  • Assert when running CMAC example on the wiki (138)
  • StringNarrow may violate ODR and lead to UB (127)
  • GCC and Clang warnings when compiling with -Wcast-align (122)
  • VS2008 C4996 warning due to std::reverse_copy (123)
  • Android NDK and failed compile due to g_pAssignIntToInteger (119)
  • Inflator throws end of compressed block on complete compressed data (112)
  • Crash when setting alternate alphabet for Base32 decoder (108)
  • Valgrind reports uninitialized reads under 32-bit ARM (105)
  • Borland failed compile due to size_t/unsigned int mismatch in PKCS_DigestDecoration::length (102)
  • SecBlock and incorrect result during self assignment (Issue 92, Commit 605744d)
  • SecBlock and incorrect result during append when T is not a byte (Issue 92, Commit 81482d8)
  • secblock.h failed compile and typo inside assert (92)
  • Assert during ZDeflate operation (83)
  • Assert in misc.h due to NULL pointers in memcpy_s and memmove_s (79)
  • PolynomialMod2::operator<<= incorrect result (64)

File Changes

Below is a list of source files that were added or deleted at Crypto++ 5.6.4.

$ git diff-tree -r --summary CRYPTOPP_5_6_3 CRYPTOPP_5_6_4 | grep -v "change" | awk '{$2=$3=""; print $0}' | egrep '(.h|.cpp|.txt|.dat)'
create CMakeLists.txt
create TestData/fhmqv160.dat
create TestData/fhmqv256.dat
create TestData/fhmqv384.dat
create TestData/fhmqv512.dat
create TestData/hmqv160.dat
create TestData/hmqv256.dat
create TestData/hmqv384.dat
create TestData/hmqv512.dat
create TestVectors/blake2.txt
create TestVectors/blake2b.txt
create TestVectors/blake2s.txt
create TestVectors/chacha.txt
create TestVectors/dsa_rfc6979.txt
create TestVectors/keccak.txt
delete TestVectors/sha3.txt
create TestVectors/sha3_224_fips_202.txt
create TestVectors/sha3_256_fips_202.txt
create TestVectors/sha3_384_fips_202.txt
create TestVectors/sha3_512_fips_202.txt
create TestVectors/sha3_fips_202.txt
delete bench.cpp
create bench1.cpp
create blake2.cpp
create blake2.h
create chacha.cpp
create chacha.h
delete cryptlib_bds.cpp
create fhmqv.h
create hmqv.h
create keccak.cpp
create keccak.h
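The pipeline above lists files created or deleted between two tags by post-processing `git diff-tree --summary` output. As an added example, not part of the Crypto++ release notes or project, the POSIX shell filter below does the same job in one awk pass, anchored on the file extension so that a name merely containing the letters "h" or "txt" cannot slip through the way the unescaped dots in `(.h|.cpp|.txt|.dat)` allow. The `SAMPLE_SUMMARY` listing is constructed sample data in diff-tree's `--summary` format; it is not the real CRYPTOPP_5_6_3..CRYPTOPP_5_6_4 diff. Run it as `git diff-tree -r --summary TAG_A TAG_B | summary_source_changes` against a live checkout when auditing what a release added or removed.

```shell
#!/bin/sh
# Added example (not from the Crypto++ project): filter a
# `git diff-tree -r --summary` listing down to the files that were
# created or deleted, keeping only source and test-data extensions.
#
# CONSTRUCTED sample output in diff-tree's --summary format. Real
# lines look like "create mode 100644 path" / "delete mode 100644 path";
# a "mode change" line is included to show that it is ignored.
SAMPLE_SUMMARY='create mode 100644 CMakeLists.txt
create mode 100644 TestVectors/blake2.txt
delete mode 100644 TestVectors/sha3.txt
delete mode 100644 bench.cpp
create mode 100644 bench1.cpp
create mode 100644 blake2.h
create mode 100644 vs2010.zip
mode change 100644 => 100755 cryptest.sh
create mode 100644 README.md'

# Read a --summary listing on stdin and print "create <path>" or
# "delete <path>" for every file whose extension is h, cpp, txt or dat.
# The regex is anchored at the end of the path, so "Makefile" or a
# directory component containing ".h" does not match by accident.
summary_source_changes() {
    awk '
        $1 == "create" || $1 == "delete" {
            path = $NF
            if (path ~ /\.(h|cpp|txt|dat)$/) print $1, path
        }'
}

# Number of created source files in the listing on stdin; a quick
# cross-check against a published file list.
count_created() {
    summary_source_changes | awk '$1 == "create"' | wc -l | tr -d " "
}

# Driver: run the filter over the constructed listing.
printf '%s\n' "$SAMPLE_SUMMARY" | summary_source_changes
```

The filter deliberately reports only `create` and `delete` entries, matching the `grep -v "change"` step in the original pipeline, so mode changes on existing files (such as a script becoming executable) are left out of the added/removed view.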

Below is a list of all files that were added or deleted at Crypto++ 5.6.4. The list includes Windows IDE project files and archives.

$ git diff-tree -r --summary CRYPTOPP_5_6_3 CRYPTOPP_5_6_4 | grep -v "change" | awk '{$2=$3=""; print $0}'
create CMakeLists.txt
create TestData/fhmqv160.dat
create TestData/fhmqv256.dat
create TestData/fhmqv384.dat
create TestData/fhmqv512.dat
create TestData/hmqv160.dat
create TestData/hmqv256.dat
create TestData/hmqv384.dat
create TestData/hmqv512.dat
create TestVectors/blake2.t...

Crypto++ 5.6.3 release

08 Apr 21:13

Crypto++ 5.6.3

Crypto++ 5.6.3 was released on November 20, 2015. The 5.6.3 release was mostly a maintenance release. It included a few new minor classes, such as Base64URLEncoder, which provides encoding and decoding using a web-safe alphabet.

Release Notes

The release notes for Crypto++ 5.6.3 follow.

  • fixed CVE-2015-2141
  • cleared most Undefined Behavior Sanitizer (UBsan) findings
  • cleared all Address Sanitizer (Asan) findings
  • cleared all Valgrind findings
  • cleared all Coverity findings
  • cleared all Enterprise Analysis (/analyze) findings
  • cleared most GCC warnings with -Wall
  • cleared most Clang warnings with -Wall
  • cleared most MSVC warnings with /W4
  • added -fPIC to 64-bit builds (off for 32-bit builds)
  • added HKDF class from RFC 5869
  • switched to member_ptr due to C++ 11 warnings for auto_ptr
  • initialization of C++ static objects, off by default
    • GCC and init_priority/constructor attributes
    • MSVC and init_seg(lib)
    • CRYPTOPP_INIT_PRIORITY disabled by default, but available
  • improved OS X support
  • improved GNUmakefile support for Testing and QA
  • added self tests for additional Testing and QA
  • added cryptest.sh for systematic Testing and QA
  • added GNU Gold linker support
  • added Visual Studio 2010 solution and project files in vs2010.zip
  • added Clang integrated assembler support
  • unconditionally define CRYPTOPP_NO_UNALIGNED_DATA_ACCESS for Makefile target 'ubsan' and at -O3
  • workaround ARMEL/GCC 5.2 bug and failed self test
  • fixed crash in MQV due to GCC 4.9+ and inlining
  • fixed hang in SHA due to GCC 4.9+ and inlining
  • fixed missing rdtables::Te under VS with ALIGNED_DATA_ACCESS
  • fixed S/390 and big endian feature detection
  • fixed S/390 and int128_t/uint128_t detection
  • fixed X32 (ILP32) feature detection
  • removed _CRT_SECURE_NO_DEPRECATE for Microsoft platforms
  • utilized bound checking interfaces from ISO/IEC TR 24772 when available
  • improved ARM, ARM64, MIPS, MIPS64, S/390 and X32 (ILP32) support
  • introduced CRYPTOPP_MAINTAIN_BACKWARDS_COMPATIBILITY_562
  • added additional Doxygen-based documentation
  • ported to MSVC 2015, Xcode 7.2, GCC 5.2, Clang 3.7, Intel C++ 16.00

File Changes

Below is a list of files that were added or deleted at Crypto++ 5.6.3.

$ git diff-tree -r --summary CRYPTOPP_5_6_2 CRYPTOPP_5_6_3 | grep -v "change" | awk '{$2=$3=""; print $0}'
create .gitignore
create Filelist.txt
create GNUmakefile-cross
create Install.txt
create TestVectors/hkdf.txt
create config.recommend
create cryptest.sh
create hkdf.h
create make-rdrand.cmd
create mersenne.h
create rdrand-masm.cmd
create rdrand-nasm.sh
create rdrand.S
create rdrand.asm
create rdrand.cpp
create rdrand.h
create trap.h
create vs2010.zip