Mercurial > dropbear
comparison libtomcrypt/changes @ 302:973fccb59ea4 ucc-axis-hack
propagate from branch 'au.asn.ucc.matt.dropbear' (head 11034278bd1917bebcbdc69cf53b1891ce9db121)
to branch 'au.asn.ucc.matt.dropbear.ucc-axis-hack' (head 10a1f614fec73d0820c3f61160d9db409b9beb46)
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sat, 25 Mar 2006 12:59:58 +0000 |
parents | 1b9e69c058d2 |
children | 0cbe8f6dbf9e |
comparison
equal
deleted
inserted
replaced
299:740e782679be | 302:973fccb59ea4 |
---|---|
1 June 27th, 2005 | |
2 v1.05 | |
3 -- Added Technote #6 which covers the current PK compliance. | |
4 -- Fixed buffer overflow in OAEP decoder | |
5 -- Added CHOICE to the list of ASN.1 types | |
6 -- Added UTCTIME to the list of ASN.1 types | |
7 -- Added MUTEX locks around descriptor table functions [but not on the functions that are dependent on them] | |
8 All functions call *_is_valid() before using a descriptor index which means the respective table must be unlocked before | |
9 it can be accessed. However, during the operation [e.g. CCM] if the descriptor has been altered the results will be | |
10 undefined. | |
11 -- Minor updates to the manual to reflect recent changes | |
12 -- Added a catch to for an error that should never come up in rsa_exptmod(). Just being thorough. | |
13 | |
14 June 15th, 2005 | |
15 v1.04 | |
16 -- Fixed off by one [bit] error in dsa_make_key() it was too high by one bit [not a security problem just inconsistent] | |
17 -- ECC-224 curve was wrong [it was an ok curve just not NIST, so no security flaw just interoperability]. | |
18 -- Removed point compression since it slows down ECC ops to save a measly couple bytes. | |
19 This makes the ecc export format incompatible with 1.03 [it shouldn't change in the future] | |
20 -- Removed ECC-160 from timing and added the other curves | |
21 | |
22 June 9th, 2005 | |
23 v1.03 | |
24 -- Users may want to note that on a P4/GCC3.4 platform "-fno-regmove" greatly accelerates the ciphers/hashes. | |
25 -------------------------------------------------------------------------------------------------------------- | |
26 -- Made it install the testing library in the icc/static makefiles | |
27 -- Found bug in ccm_memory.c which would fail to compile when LTC_CLEAN_STACK was enabled | |
28 -- Simon Johnson proposed I do a fully automated test suite. Hence "testme.sh" was born | |
29 -- Added LTC_NO_TEST which forces test vectors off (regardless of what tomcrypt_custom.h has) | |
30 -- Added LTC_NO_TABLES which disables large tables (where possible, regardless of what tomcrypt_custom.h has) | |
31 -- New test script found a bug in twofish.c when TABLES was disabled. Yeah testing! | |
32 -- Added a LTC_FAST specific test to the testing software. | |
33 -- Updated test driver to actually halt on errors and just print them out (useful for say... automated testing...) | |
34 -- Added bounds checking to Pelican MAC | |
35 -- Added BIT and OCTET STRING to the ASN.1 side of things. | |
36 -- Pekka Riikonen pointed out that my ctr_start() function should accept the counter mode. | |
37 -- Cleaned up warnings in testprof | |
38 -- Removed redundant mu and point mapping in ecc_verify_hash() so it should be a bit faster now | |
39 -- Pekka pointed out that the AES key structure was using 32 bytes more than it ought to. | |
40 -- Added quick defines to remove entire classes of algorithms. This makes it easier if you want to build with just | |
41 one algorithm (say AES or SHA-256). Defines are LTC_NO_CIPHERS, LTC_NO_MODES, LTC_NO_HASHES, LTC_NO_MACS, | |
42 LTC_NO_PRNGS, LTC_NO_PK, LTC_NO_PKCS | |
43 -- As part of the move for ECC to X9.62 I've changed the signature algorithm to EC DSA. No API changes. | |
44 -- Pekka helped me clean up the PKCS #1 v2.1 [OAEP/PSS] code | |
45 -- Wrote new DER SEQUENCE coder/decoder | |
46 -- RSA, DSA and ECDSA now use the DER SEQUENCE code (saves a lot of code!) | |
47 -- DSA output is now a DER SEQUENCE (so not compatible with previous releases). | |
48 -- Added Technote #5 which shows how to build LTC on an AMD64 to have a variety of algorithms in only ~80KB of code. | |
49 -- Changed temp variable in LOAD/STORE macros to "ulong32" for 32-bit ops. Makes it safer on Big endian platforms | |
50 -- Added INSTALL_GROUP and INSTALL_USER which you can specify on the build to override the default USER/GROUP the library | |
51 is to be installed as | |
52 -- Removed "testprof" from the default build. | |
53 -- Added IA5, NULL and Object Identifier to the list of ASN.1 DER supported types | |
54 -- The "no_oops" target (part of zipup) now scans for non-cvs files. This helps prevent temp/scratch files from appearing in releases ;-) | |
55 -- Added DERs for missing hashes, but just the OID not the PKCS #1 v1.5 additions. | |
56 -- Removed PKCS #1 v1.5 from the tree since it's taking up space and you ought to use v2.1 anyways | |
57 -- Kevin Kenny pointed out a few stray // comments | |
58 -- INTEGER code properly supports negatives and zero padding [Pekka!] | |
59 -- Sorted asn1/der/ directory ... less of a mess now ;-) | |
60 -- Added PRINTABLE STRING type | |
61 -- Removed ECC-160 as it wasn't a standard curve | |
62 -- Made ecc_shared_secret() ANSI X9.63 compliant | |
63 -- Changed "printf" to "fprintf(stderr, " in the testbench... ;-) | |
64 -- Optimized the GCM table creation. On 1KB packets [with key switching] the new GCM is 12.7x faster than before. | |
65 -- Changed OID representation for hashes to be just a list of unsigned longs (so you can compare against them nicely after decoding a sequence) | |
66 -- ECC code now uses Montgomery reduction ... it's even faster [ECC-256 make key down from 37.4M to 4.6M cycles on an Athlon64] | |
67 -- Added SHORT_INTEGER so users can easily store DER encoded INTEGER types without using the bignum math library | |
68 -- Fixed OMAC code so that with LTC_FAST it doesn't require that LTC_FAST_TYPE divides 16 [it has to divide the block size instead] | |
69 -- ECC key export is now a simple [and documented] SEQUENCE, the "encrypt_key" also uses a new SEQUENCE format. | |
70 -- Thanks goes to the following testers | |
71 Michael Brown - Solaris 10/uSPARCII | |
72 Richard Outerbridge - MacOS | |
73 Martin Carpenter - Solaris 8/uSPARCII [Thanks for cleaning up the scripts] | |
74 Greg Rose - ... SunOS 5.8/SPARC [... what's with the SPARCS?] | |
75 Matt Johnston - MacOS X [Thanks for pointing out GCC 4 problems with -Os] | |
76 | |
77 April 19th, 2005 | |
78 v1.02 | |
79 -- Added LTC_TEST support to gcm_test() | |
80 -- "pt/ct" can now be NULL in gcm_process() if you are processing zero bytes | |
81 -- Optimized GCM by removing the "double copy" handling of the plaintext/aad | |
82 -- Richard Outerbridge pointed out that x86_prof won't build on MACOS and that the manual | |
83 erroneously refers to "mycrypt" all over the place. Fixed. | |
84 | |
85 April 17th, 2005 | |
86 v1.01 | |
87 ** Secure Science Corporation has supported this release cycle by sponsoring the development time taken. Their | |
88 continuing support of this project has helped me maintain a steady pace in order to keep LibTomCrypt up to date, | |
89 stable and more efficient. | |
90 ----------------------------------------------------------------------------------------------------- | |
91 -- Updated base64_decode.c so if there are more than 3 '=' signs it would stop parsing | |
92 -- Merged in latest mpi that fixed a few bugs here and there | |
93 -- Updated OAEP encoder/decoder to catch when the hash output is too large | |
94 Cleaned up PSS code too | |
95 -- Andy Bontoft fixed a bug in my demos/tests/makefile.msvc ... seems "dsa_test.c" isn't an object | |
96 afterall. Thanks. | |
97 -- Made invalid ECC key sizes (configuration) not hard fault the program (it returns an error code now) | |
98 -- SAFER has been re-enabled after I was pointed to http://www.ciphersbyritter.com/NEWS2/95032301.HTM | |
99 [Mark Kotiaho] | |
100 -- Added CCM mode to the encauth list (now has EAX, OCB and CCM, c'est un treo magnifique!) | |
101 -- Added missing ASN.1 header to the RSA keys ... oops... now the rsa_export/import are FULLY compatible | |
102 with other libs like OpenSSL (comment: Test vectors would go a long way RSA...) | |
103 -- Manually merged in fix to the prime_random_ex() LTM function that ensures the 2nd MSB is set properly. Now | |
104 When you say "I want a 1024/8 byte RSA key" the MSB bit of the modulus is set as expected. Note I generally | |
105 don't view this as a "huge issue" but it's just one less nit to worry about. [Bryan Klisch] | |
106 -- A new CVS has been setup on my Athlon64 box... if you want developer access send me an email (and at this point the email would have to be awesome). | |
107 -- Updated API for ECB and CBC shell code. Now can process N whole blocks in one call (like $DEITY intended) | |
108 -- Introduced a new "hardware accel" framework that can be used to speed up cipher ECB, CBC and CTR mode | |
109 calls. Later on dependent code (e.g. OMAC, CCM) will be re-written to use the generic cbc/ctr functions. But now | |
110 if you [say] call ctr_encrypt() with a cipher descriptor that has hardware CTR it will automatically | |
111 be used (e.g. no code rewrites) | |
112 -- Now ships with 20% more love. | |
113 -- x86_prof now uses ECB shell code (hint: accelerators) and outputs cycles per BLOCK not byte. This will make it a bit | |
114 easier to compare hardware vs. software cipher implementations. It also emits timings for CBC and CTR modes | |
115 -- [Peter LaDow] fixed a typo w.r.t. XREALLOC macro (spelling counts kids!) | |
116 -- Fixed bug with __x86_64__ where ROL64/ROR64 with LTC_NO_ROLC would be the 32-bit versions instead... | |
117 -- Shipping with preliminary GCM code (disabled). It's buggy (stack overflow hidden somewhere). If anyone can spot it let me know. | |
118 -- Added Pelican MAC [it's an AES based fast MAC] to the list of supported MACs | |
119 -- Added LTC_FAST [and you can disable by defining LTC_NO_FAST] so that CBC and CTR mode XOR whole words [e.g. 32 or 64 bits] at a time | |
120 instead of one byte. On my AMD64 this reduced the overhead for AES-128-CBC from 4.56 cycles/byte to around 1 cycle/byte. This requires | |
121 that you either allow unaligned read/writes [e.g. x86_32/x86_64] or align all your data. It won't go out of it's way to ensure | |
122 aligned access. Only enabled for x86_* platforms by default since they allow unaligned read/writes. | |
123 -- Added LTC_FAST support to PMAC (drops the cycle/byte by about 9 cycles on my AMD64) [note: I later rewrote this prior to release] | |
124 -- Updated "profiled" target to work with the new directory layout | |
125 -- Added [demo only] optimized RC5-CTR code to x86_prof demo to show off how to make an accelerator | |
126 [This has been removed prior to release... It may re-appear later] | |
127 -- Added CCM acelerator callbacks to the list [now supports ECB, CTR, CBC and now CCM]. | |
128 -- Added chapter to manual about accelerators (you know you want it) | |
129 -- Added "bswap" optimizations to x86 LOAD/STORE with big endian. Can be disabled by defining LTC_NO_BSWAP | |
130 -- LTC_NO_ASM is now the official "disable all non-portable stuff" macro. When defined it will make the code endian-neutral, | |
131 disable any form of ASM and disable LTC_FAST load/stores. Essentially build the library with this defined if you're having | |
132 trouble building the library (old GCCs for instance dislike the ROLc macro) | |
133 -- Added tomcrypt_mac.h and moved MAC/encMAC functions from tomcrypt_hash.h into it | |
134 -- Added "done" function to ciphers and the five chaining modes [and things like omac/pmac/etc] | |
135 -- Changed install group to "wheel" from "root". | |
136 -- Replaced // comments with /**/ so it will build on older UNIX-like platforms | |
137 -- x86_prof builds and runs with IntelCC fine now | |
138 -- Added "stest" build to intel CC to test static linked from within the dir (so you don't have to install to test) | |
139 -- Moved testing/benchmark into testprof directory and build it as part of the build. Now you can link against libtomcrypt_prof.a to get | |
140 testing info (hint: hardware developers ;-) ) | |
141 -- Added CCM to tv_gen | |
142 -- Added demos to MSVC makefile | |
143 -- Removed -funroll-all-loops from GCC makefile and replaced with -funroll-loops which is a bit more sane (P4 ain't got much cache for the IDATA) | |
144 -- Fixed GCM prior to release and re-enabled it. It has not been optimized but it does conform when compiled with optimizations. | |
145 -- I've since optimized GCM and CCM. They're close in speed but GCM is more flexible imho (though EAX is more flexible than both) | |
146 -- For kicks I optimized the ECC code to use projective points. Gets between 3.21x (Prescott P4) to 4.53x (AMD64) times faster than before at 160-bit keys and the | |
147 speedup grows as the keysize grows. Basically removing most practical reasons to "not use the ECC code". Enjoy. | |
148 -- Added LTC_FAST support to OMAC/PMAC and doubled it's speed on my amd64 [faster on the P4 too I guess] | |
149 -- Added GCM to tv_gen | |
150 -- Removed "makefile.cygwin_dll" as it's not really used by anyone and not worth the effort (hell I hardly maintain the MSVC makefiles ...) | |
151 -- Updated a few files in the "misc" directory to have correct @file comments for doxygen | |
152 -- Removed "profile" target since it was slower anyways (go figure...) | |
153 | |
154 December 31st, 2004 | |
155 v1.00 | |
156 -- Added "r,s == 0" check to dsa_verify_hash() | |
157 -- Added "multi block" helpers for hash, hmac, pmac and omac routines so you can process multiple non-adjacent | |
158 blocks of data with one call (added demos/multi.c to make sure they work) | |
159 -- Note these are not documented but they do have doxygen comments inside them | |
160 -- Also I don't use them in other functions (like pkcs_5_2()) because I didn't have the time. Job for the new LTC maintainer ;-) | |
161 -- Added tweaked Anubis test vectors and made it default (undefined ANUBIS_TWEAK to get original Anubis) | |
162 -- Merged in fix for mp_prime_random_ex() to deal with MSB and LSB "bugs" | |
163 -- Removed tim_exptmod() completely, updated several RSA functions (notably v15 and the decrypt/verify) so they | |
164 don't require a prng now | |
165 -- This release brought to you by the fine tunes of Macy Gray. We miss you. | |
166 | |
167 December 23rd, 2004 | |
168 v1.00rc1 | |
169 -- Renamed "mycrypt_*" to "tomcrypt_*" to be more specific and professional | |
170 Now just include "tomcrypt.h" instead of "mycrypt.h" to get LTC ;-) | |
171 -- Cleaned up makefiles to ensure all headers are correctly installed | |
172 -- Added "rotate by constant" macros for portable, x86-32 and x86-64 | |
173 You can disable this new code with LTC_NO_ROLC which is useful for older GCCs | |
174 -- Cleaned up detection of x86-64 so it works for ROL/ROR macros | |
175 -- Fixed rsa_import() so that it would detect multi-prime RSA keys and error appropriately | |
176 -- Sorted the source files by category and updated the makefiles appropriately | |
177 -- Added LTC_DER define so you can trim out DER code if not required | |
178 -- Fixed up RSA's decrypt functions changing "res" to "stat" to be more in sync | |
179 with the signature variables nomenclature. (no code change just renamed the arguments) | |
180 -- Removed all labels starting with __ and replaced with LBL_ to avoid namespace conflicts (Randy Howard) | |
181 -- Merged in LTM fix to mp_prime_random_ex() which zap'ed the most significant byte if the bit size | |
182 requested was a multiple of eight. | |
183 -- Made RSA_TIMING off by default as it's not terribly useful [and likely to be deprecated] | |
184 -- Renamed SMALL_CODE, CLEAN_STACK and NO_FILE to have a LTC_ prefix to avoid namespace collisions | |
185 with other programs. e.g. SMALL_CODE => LTC_SMALL_CODE | |
186 -- Zed Shaw pointed out that on certain systems installing libs as "root" isn't possible as the super-user | |
187 is not root. Now the makefiles allow this to be changed easily. | |
188 -- Renamed "struct _*_descriptor" to "struct ltc_*_descriptor" to avoid using a leading _ | |
189 Also renamed _ARGCHK to LTC_ARGCHK | |
190 -- Zed Shaw pointed out that I still defined the prng structs in tomcrypt_prng.h even if they | |
191 weren't defined. This made undef'ing FORTUNA break the build. | |
192 -- Added LTC_NO_ASM to disable inline asm macros [ROL/ROR/etc] | |
193 -- Changed RSA decrypt functions to change the output length variable name from "keylen" to "outlen" to make | |
194 it more consistent. | |
195 -- Added the 64-bit Khazad block cipher [NESSIE] | |
196 -- Added the 128-bit Anubis block cipher [with key support for 128...320 bit keys] [NESSIE] | |
197 -- Changes to several MAC functions to rename input arguments to more sensible names | |
198 -- Removed FAST_PK support from dh_sys.c | |
199 -- Declared deskey() from des.c as static instead of a global | |
200 -- Added pretty much all practical GCC warning tests to the GCC [related] makefiles. These additional | |
201 warnings can easily be disabled for those with older copies of GCC [or even non GNU cc's] | |
202 -- Added doxygen @ tags to the code... phew that was a hell of a lot of [repetitive] work | |
203 -- Also added pre-configured Doxygen script. | |
204 -- Cleaned up quite a few functions [ciphers, pk, etc] to make the parameters naming style consistent | |
205 E.g. ciphers keys are called "skey" consistently now. The input to PK encryption is called "in", etc. | |
206 These changes require no code changes on the behalf of developers fortunately | |
207 -- Started a SAFER+ optimizer [does encrypt only] which shaves a good 30 or so cycles/byte on my AMD64 | |
208 at an expense of huge code. It's in notes/etc/saferp_optimizer.c | |
209 -- DSA sign/verify now uses DER encoded output/inputs and no LTC style headers. | |
210 -- Matt Johnston found a missing semi-colon in mp_exptmod(). Fix has been merged in. | |
211 | |
212 October 29th, 2004 | |
213 v0.99 -- Merged in the latest version of LTM which includes all of the recent bug fixes | |
214 -- Deprecated LTMSSE and removed it (to be replaced with TFM later on) | |
215 -- Stefan Arentz pointed out that mp_s_rmap should be extern | |
216 -- Kristian Gj�steen pointed out that there are typos in the | |
217 "test" makefile and minor issues in Yarrow and Sober [just cosmetics really] | |
218 -- Matthew P. Cashdollar pointed out that "export" is a C++ keyword | |
219 so changed the PRNG api to use "pexport" and "pimport" | |
220 -- Updated "hashsum" demo so it builds ;-) | |
221 -- Added automatic support for x86-64 (will configure for 64-bit little endian automagically) | |
222 -- Zhi Chen pointed out a bug in rsa_exptmod which would leak memory on error. | |
223 -- Made hash functions "init" return an int. slight change to API ;-( | |
224 -- Added "CHC" mode which turns any cipher into a hash the other LTC functions can use | |
225 -- Added CHC mode stuff to demos such as tv_gen and hashsum | |
226 -- Added "makefile.shared" which builds and installs shared/static object copies | |
227 of the library. | |
228 -- Added DER for bignum support | |
229 -- RSA is now fully joy. rsa_export/rsa_import use PKCS #1 encodings and should be | |
230 compatible with other crypto libs that use the format. | |
231 -- Added support for x86-64 for the ROL/ROR macros | |
232 -- Changed the DLL and SO makefiles to optimize for speed, commented SMALL_CODE in | |
233 mycrypt_custom.h and added -DSMALL_CODE to the default makefile | |
234 -- Updated primality testing code so it does a minimum of 5 tests [of Miller-Rabin] | |
235 (AFAIK not a security fix, just warm fuzzies) | |
236 -- Minor updates to the OMAC code (additional __ARGCHK and removed printf from omac_test... oops!) | |
237 -- Update build and configuration info which was really really really out of date. (Chapter 14) | |
238 ++ Minor update, switch RSA to use the PKCS style CRT | |
239 | |
240 August 6th, 2004 | |
241 v0.98 -- Update to hmac_init to free all allocated memory on error | |
242 -- Update to PRNG API to fix import/export functions of Fortuna and Yarrow | |
243 -- Added test functions to PRNG api, RC4 now conforms ;-) [was a minor issue] | |
244 -- Added the SOBER-128 PRNG based off of code donated by Greg Rose. | |
245 -- Added Tech Note #4 [notes/tech0004.txt] | |
246 -- Changed RC4 back [due to request]. It will now XOR the output so you can use it like | |
247 a stream cipher easily. | |
248 -- Update Fortuna's export() to emit a hash of each pool. This means that the accumulated | |
249 entropy that was spread over all the pools isn't entirely lost when you export/import. | |
250 -- Zhi Chen suggested a comment for rsa_encrypt_key() to let users know [easily] that it was | |
251 PKCS #1 v2.0 padding. (updated other rsa_* functions) | |
252 -- Cleaned up Noekeon to remove unrolling [wasn't required, was messy and actually slower with GCC/ICC] | |
253 -- Updated RC4 so that when you feed it >256 bytes of entropy it quietly ignores additional | |
254 bytes. Also removed the % from the key setup to speed it up a bit. | |
255 -- Added cipher/hash/prng tests to x86_prof to help catch bugs while testing | |
256 -- Made the PRNG "done" return int, fixed sprng_done to not require prng* to be non-null | |
257 -- Spruced up mycrypt_custom.h to trap more errors and also help prevent LTMSSE from being defined | |
258 on non-i386 platforms by accident. | |
259 -- Added RSA/ECC/DH speed tests to x86_prof and cleaned it up to build with zero warnings | |
260 -- Changed Fortuna to count only entropy [not the 2 byte header] added to pool[0] into the | |
261 reseed mechanism. | |
262 -- Added "export_size" member to prng_descriptor tables so you can know in advance the size of | |
263 the exported state for any given PRNG. | |
264 -- Ported over patch on LTM 0.30 [not ready to release LTM 0.31] that fixes bug in mp_mul()/mp_div() | |
265 that used to result in negative zeroes when you multiplied zero by a negative integer. | |
266 (patch due to "Wolfgang Ehrhardt" <[email protected]>) | |
267 -- Fixed rsa_*decrypt_key() and rsa_*verify_hash() to default to invalid "stat" or "res". This way | |
268 if any of the higher level functions fail [before you get to the padding] the result will be in | |
269 a known state]. Applied to both v2 and v1.5 padding helpers. | |
270 -- Added MACs to x86_prof | |
271 -- Fixed up "warnings" in x86_prof and tv_gen | |
272 -- Added a "profiled" target back [for GCC 3.4 and ICC v8]. Doesn't seem to help but might be worth | |
273 tinkering with. | |
274 -- Beefed up load/store test in demos/test | |
275 | |
276 ++ New note, in order to use the optimized LOAD/STORE macros your platform | |
277 must support unaligned 32/64 bit load/stores. The x86s support this | |
278 but some [ARM for instance] do not. If your platform cannot perform | |
279 unaligned operations you must use the endian neutral code which is safe for | |
280 any sort of platform. | |
281 | |
282 July 23rd, 2004 | |
283 v0.97b -- Added PKCS #1 v1.5 RSA encrypt/sign helpers (like rsa_sign_hash, etc...) | |
284 -- Added missing prng check to rsa_decrypt_key() [not critical as I don't use | |
285 descriptors directly in that function] | |
286 -- Merged in LTM-SSE, define LTMSSE before you build and you will get SSE2 optimized math ;-) | |
287 (roughly 3x faster on a P4 Northwood). By default it will compile as ISO C portable | |
288 code (when LTMSSE is undefined). | |
289 -- Fixed bug in ltc_tommath.h where I had the kara/toom cutoffs not marked as ``extern'' | |
290 Thanks to "Stefan Arentz" <stefan at organicnetwork.net> | |
291 -- Steven Dake <[email protected]> and Richard Amacker <[email protected]> submitted patches to | |
292 fix pkcs_5_2(). It now matches the output of another crypto library. Whoops... hehehe | |
293 -- Updated PRNG api. Added Fortuna PRNG to the list of supported PRNGs | |
294 -- Fixed up the descriptor tables since globals are automatically zero'ed on startup. | |
295 -- Changed RC4 to store it's output. If you want to encrypt with RC4 | |
296 you'll have to do the XOR yourself. | |
297 -- Fixed buffer overflows/overruns in the HMAC code. | |
298 | |
299 ++ API change for the PRNGs there now is a done() function per PRNG. You | |
300 should call it when you are done with a prng state. So far it's | |
301 not absolutely required (won't cause problems) but is a good idea to | |
302 start. | |
303 | |
304 | |
305 June 23rd, 2004 | |
306 v0.97a ++ Fixed several potentially crippling bugs... [read on] | |
307 -- Fixed bug in OAEP decoder that would incorrectly report | |
308 buffer overflows. [Zhi Chen] | |
309 -- Fixed headers which had various C++ missing [extern "C"]'s | |
310 -- Added "extern" to sha384_desc descriptor which I removed by mistake | |
311 -- Fixed bugs in ENDIAN_BIG macros using the wrong byte order [Matt Johnston] | |
312 -- Updated tiger.c and des.c to not shadow "round" which is intrinsic on | |
313 some C compilers. | |
314 -- Updated demos/test/rsa_test.c to test the RSA functionality better | |
315 ++ This update has been tested with GCC [v3.3.3], ICC [v8] and MSVC [v6+SP6] | |
316 all on a x86 P4 [GCC/ICC tested in Gentoo Linux, MSVC in WinXP] | |
317 ++ Outcome: The bug Zhi Chen pointed out has been fixed. So have the bugs | |
318 that Matt Johnston found. | |
319 | |
320 June 19th, 2004 | |
321 v0.97 -- Removed spurious unused files [arrg!] | |
322 -- Patched buffer overflow in tim_exptmod() | |
323 -- Fixed buffer overrun bug in pkcs_1_v15_es_decode() | |
324 -- Reduced stack usage in PKCS #1 v2.0 padding functions (by several KBs) | |
325 -- Removed useless extern's that were an artifact from the project start... ;-) | |
326 -- Replaced memcpy/memset with XMEMCPY and XMEMSET for greater flexibility | |
327 -- fixed bugs in hmac_done()/hmac_init()/[various others()] where I didn't trap errors | |
328 -- Reduced stack usage in OMAC/PMAC/HMAC/EAX/OCB/PKCS#5 by mallocing any significant sized | |
329 arrays (e.g. > 100 bytes or so). Only in non-critical functions (e.g. eax_init()) | |
330 -- "Zhi Chen" <[email protected]> pointed out that rsa_decrypt_key() requires | |
331 an incorrect output size (too large). Fixed. | |
332 -- Added a "pretty" target to the GCC makefile. Requires PERL. It is NEAT! | |
333 -- Minor updates to ch1 of the manual. | |
334 -- Cleaned up the indentation and added comments to rsa_make_key(), rsa_exptmod() and | |
335 rsa_verify_hash() | |
336 -- Updated makefile.icc so the "install" target would work ;-) | |
337 -- Removed demos/test.c [deprecated from demos/test/test.c] | |
338 -- Changed MAXBLOCKSIZE from 128 to 64 to reflect the true size... | |
339 | |
340 May 30th, 2004 | |
341 v0.96 -- Removed GF and Keyring code | |
342 -- Extended OAEP decoder to distinguish better [and use a more uniform API] | |
343 -- Changed PSS/OAEP API slightly to be more consistent with other PK functions (order of arguments) | |
344 -- rsa_exptmod() now pads with leading zeroes as per I2OSP. | |
345 -- added error checking to yarrow code | |
346 -- pointed out that tommath.h from this distro will overwrite tommath.h | |
347 from libtommath. I changed this to ltc_tommath.h to avoid any such problems. | |
348 -- Fixed bug in PSS encoder/decoder that didn't handle the MSB properly | |
349 -- refactored AES, now sports an "encrypt only" descriptor which uses half as much code space. | |
350 -- modded Yarrow to try and use refactored AES code and added WHIRLPOOL support (d'oh) ;-) | |
351 -- updated ECB, OCB and CBC decrypt functions to detect when "encrypt only" descriptor is used. | |
352 -- replaced old RSA code with new code that uses PKCS #1 v2.0 padding | |
353 -- replaced old test harness with new over-engineer'ed one in /demos/test/ | |
354 -- updated cbc/cfb/ofb/ctr code with setiv/getiv functions to change/read the IV without re-keying. | |
355 -- Added PKCS #1 v1.5 RSA encryption and signature padding routines | |
356 -- Added DER OID's to most hash descriptors (as many as I could find) | |
357 -- modded rsa_exptmod() to use timing-resilient tim_exptmod() when doing private key operations | |
358 added #define RSA_TIMING which can turn on/off this feature. | |
359 -- No more config.pl so please just read mycrypt_custom.h for build-time tweaks | |
360 -- Small update to rand_prime() | |
361 -- Updated sha1, md5 and sha256 so they are smaller when SMALL_CODE is defined. If you want speed though, | |
362 you're going to have to undefine SMALL_CODE ;-) | |
363 -- Worked over AES so that it's even smaller now [in both modes]. | |
364 | |
365 May 12th, 2004 | |
366 v0.95 -- Optimized AES and WHIRLPOOL for SMALL_CODE by taking advantage of the fact | |
367 the transforms are circulant. AES dropped 5KB and WHIRLPOOL dropped 13KB | |
368 using the default build options on the x86. | |
369 -- Updated eax so the eax_done() would clear the state [like hmac,pmac,ocb] when | |
370 CLEAN_STACK has been defined. | |
371 -- added LTC_TEST support to rmd160 | |
372 -- updates to mycrypt_pk.h | |
373 -- updated rand_prime() to faciliate making RSA composites | |
374 -- DSA/RSA now makes composites of the exact size desired. | |
375 -- Refactored quite a bit of the code, fewer functions per C file | |
376 -- cleaned up the makefiles to organize the objects logically | |
377 -- added ICC makefile along with "profiled" targets for both GNU and ICC compilers | |
378 -- Marked functions for removal before v1.00 see PLAN for more information | |
379 -- GCC 3.4.0 tested and seems to work | |
380 -- Added PKCS #5 support | |
381 -- Fixed typo in comment header of .C files ;-) | |
382 -- Added PKCS #1 OAEP and PSS support. | |
383 | |
384 Feb 20th, 2004 | |
385 v0.94 -- removed unused variables from ocb.c and fixed it to match known test vectors. | |
386 -- Added PMAC support, minor changes to OMAC/EAX code [I think....] | |
387 -- Teamed up with Brian Gladman. His code verifies against my vectors and my code | |
388 verifies against his test vectors. Hazaa for co-operation! | |
389 -- Various small changes (added missing ARGCHKs and cleaned up indentation) | |
390 -- Optimization to base64, removed unused variable "c" | |
391 -- Added base64 gen to demos/tv_gen.c | |
392 -- Fix to demos/x86_prof.c to correctly identify the i386 architecture... weird... | |
393 -- Fixed up all of the PK code by adding missing error checking, removed "res" variables, | |
394 shrunk some stack variables, removed non-required stack variables and added proper | |
395 error conversion from MPI to LTC codes. I also spotted a few "off by one" error | |
396 checking which could have been used to force the code to read past the end of | |
397 the buffer (in theory, haven't checked if it would work) by a few bytes. | |
398 -- Added checks to OUTPUT_BIGNUM so the *_export() functions cannot overflow the output and I | |
399 also modded it so it stores in the output provided to the function (that is not on | |
400 the local stack) which saves memory and time. | |
401 -- Made SAFER default to disabled for now (plans are to cleanhouse write an implementation later) | |
402 -- Added the 512-bit one-way hash WHIRLPOOL which clocks in at 138 cycles per byte on my | |
403 Athlon XP [for comparison, SHA-512 clocks in at 77 cycles per byte]. This code uses the | |
404 teams new sbox design (not the original NESSIE one). | |
405 | |
406 | |
407 Jan 25th, 2004 | |
408 v0.93 -- [note: deleted v0.93 changes by accident... recreating from memory...] | |
409 -- Fix to RC2 to not deference pointer before ARGCHK | |
410 -- Fix to NOEKEON to match published test vectors as well as cleaned up the code a bit | |
411 -- Optimized Twofish [down to 28 cycles/byte on my box] and Blowfish | |
412 -- Fix to OMAC to test cipher block size first [prevents wasting any time] | |
413 -- Added more OMAC test vectors | |
414 -- Added EAX Encrypt+Authenticate support | |
415 -- Fix to DSA to check return of a few LTM functions I forgot [mp_to_unsigned_bin] | |
416 -- Added common headers to all C files | |
417 -- CTR mode supports big and little [default] endian counters now. | |
418 -- fix to find_cipher_any() so that it can handle a fragmented cipher_descriptor table. | |
419 -- added find_hash_any() akin to find_cipher_any(). | |
420 -- Added EAX code to demos/tv_gen.c Hazaa! | |
421 -- Removed SONY defines and files from codebase. | |
422 -- Added OCB support [patents be damned] and to demos/tv_gen.c | |
423 -- Merge all of the INPUT/OUTPUT BIGNUM macros (less toc) into mycrypt_pk.h | |
424 -- Made appropriate changes to the debug string in crypt.c | |
425 | |
426 Dec 24th, 2003 | |
427 v0.92 -- Updated the config.pl script so the options have more details. | |
428 -- Updated demos/tv_gen to include RIPEMD hashes | |
429 -- Updated Twofish so when TWOFISH_ALL_TABLES is defined a pre-computed RS table | |
430 is included [speedup: slight, about 4k cycles on my Athlon]. | |
431 -- Re-wrote the twofish large key generation [the four 8x32 key dependent tables]. Now about twice as fast. | |
432 With both optimizations [e.g. TWOFISH_ALL_TABLES defined] a 128-bit Twofish key can now be scheduled | |
433 in 26,000 cycles on my Athlon XP [as opposed to 49,000 before] when optimized for size. | |
434 -- config.pl has been updated so rmd128.o and rmd160.o are objects included in the build [oops] | |
435 -- Andrew Mann found a bug in rsa_exptmod() which wouldn't indicate if the wrong type of key was specified | |
436 (e.g. not PK_PRIVATE or PK_PUBLIC) | |
437 -- Fixed up demos/x86_prof so it sorts the output now :-) | |
438 -- The project is now powered by radioactive rubber pants. | |
439 -- Fixed dh_encrypt_key() so if you pass it a hash with a smaller output than the input key it | |
440 will return CRYPT_INVALID_HASH [to match what ecc_encrypt_key() will do] | |
441 -- Merge the store/encrypt key part of ecc_encrypt_key() as per dh_encrypt_key() [can you guess what I'm upto?] | |
442 -- Massive updates to the prime generation code. I use the LTM random prime functions [and provide a nice | |
443 interface between the LTC PRNG's and the LTM generic prng prototype]. I also use a variable number of tests | |
444 depending on the input size. This nicely speeds up most prime generation/testing within the library. | |
445 -- Added SHA-224 to the list of hashes. | |
446 -- Made HMAC test vectors constant and static [takes ROM space instead of RAM] | |
447 -- This release was brought to you by the letter P which stands for Patent Infringement. | |
448 -- Added generic HASH_PROCESS macro to mycrypt_hash.h which simplifies the hash "process" functions | |
449 I also optimized the compression functions of all but MD2 to not perform input copies when avoidable. | |
450 -- Removed the division from the Blowfish setup function [dropped 3k cycles on my Athlon] | |
451 -- Added stack cleaning to rijndael, cast5 so now all ciphers have CLEAN_STACK code. | |
452 -- Added Skipjack to the list of ciphers [made appropriate changes to demos/test.c, demos/tv_gen.c and | |
453 demos/x86_prof.c] | |
454 -- Added mechanical testing to cipher test vector routines. Now it encrypts 1000 times, then decrypts and | |
455 compares. Any fault (e.g. bug in code, compiler) in the routines is likely to show through. Doesn't | |
456 stress test the key gen though... | |
457 -- Matt Johnson found a bug in the blowfish.c apparently I was out of my mind and put twofish defines in there | |
458 The code now builds with any config. Thanks. | |
459 -- Added OMAC1 Message Authentication Code support to the library. | |
460 -- Re-prototyped the hash "process" and "done" to prevent buffer overflows [which don't seem easy to exploit]. | |
461 Updated HMAC code to use them too. Hazaa! | |
462 -- Fixed bug in ECC code which wouldn't do an _ARGCHK on stat in ecc_verify_hash(). | |
463 -- Fixed [temp fix] bug in all PK where the OUTPUT_BIGNUM macros would not trap errors on the to_unsigned_bin | |
464 conversion [now returns CRYPT_MEM, will fix it up better later] | |
465 -- Added DSA to the list of supported PK algorithms. | |
466 -- Fixed up various ciphers to &255 the input key bytes where required [e.g. where used to index a table] to prevent | |
467 problems on platforms where CHAR_BIT != 8 | |
468 -- Merged in LibTomMath v0.28 | |
469 -- Updated demos/x86_prof.c to use Yarrow during the key sched testing [was horribly slow on platforms with blockable | |
470 /dev/random]. | |
471 -- Added OMAC/HMAC tests to demos/tv_gen and I now store the output of this in notes/ | |
472 -- Fixed a bug in config.pl that wouldn't have TWOFISH_TABLES defined by default (too many commas on the line) | |
473 -- Fixed bug in hmac_done(). Apparently FIPS-198 [HMAC] specifies that the output can be truncated. My code | |
474 would not support that (does now just like the new OMAC code). | |
475 -- Removed "hashsize" from hmac_state as it wasn't being used. | |
476 -- Made demos/test.c stop if OMAC or HMAC tests fail (instead of just printing a failed message and keep going). | |
477 -- Updated notes/tech0003.txt to take into account the existence of Skipjack [also I fixed a few typos]. | |
478 -- Slight changes to Noekeon, with SMALL_CODE undefined it uses a fully unrolled version. Dropped +10 cycles/byte | |
479 on my Athlon (35 cycles per byte or 410.4Mbit/sec at 1795Mhz) | |
480 -- Added _ARGCHK() calls to is_prime() for the two input pointers. | |
481 | |
482 Sept 25th, 2003 | |
483 v0.91 -- HMAC fix of 0.90 was incorrect for keys larger than the block size of the hash. | |
484 -- Added error CRYPT_FILE_NOTFOUND for the file [hmac/hash] routines. | |
485 -- Added RIPEMD hashes to the hashsum demo. | |
486 -- Added hashsum demo to MSVC makefile. | |
487 -- Added RMD160 to the x86_prof demo [oops] | |
488 -- Merged in LibTomMath-0.27 with a patch to mp_shrink() that will be in LibTomMath-0.28 | |
489 Fixes another potential memory leak. | |
490 | |
491 Sept 7th, 2003 | |
492 v0.90 -- new ROL/ROR for x86 GCC | |
493 -- Jochen Katz submitted a patch to the makefile to prevent "make" from making the .a library | |
494 when not required. | |
495 == By default the KR code is not enabled [it's only a demo anyways!] | |
496 -- changed the "buf" in ecc_make_key from 4KB to 128 bytes [since the largest key is 65 bytes] | |
497 -- hmac_done() now requires you pass it the size of the destination buffer to prevent | |
498 buffer overflows. (API CHANGE) | |
499 -- hmac/hash filebased routines now return CRYPT_NOP if NO_FILE is defined. | |
500 -- I've removed the primes from dh.c and replaced them with DR safe primes suitable for the default | |
501 configuration of LibTomMath. Check out these comparisons on a 1.3Ghz Athlon XP, optimized for size, | |
502 | |
503 768-bit, 4 vs. 10 | |
504 1024-bit, 8 vs. 18 | |
505 1280-bit, 12 vs. 34 | |
506 1536-bit, 20 vs. 56 | |
507 1792-bit 28 vs. 88 | |
508 2048-bit, 40 vs. 124 | |
509 2560-bit, 71 vs. 234 | |
510 3072-bit, 113 vs. 386 | |
511 4096-bit, 283 vs. 916 | |
512 | |
513 Times are all in milliseconds for key generation. New primes times on the left. This makes the code binary | |
514 incompatible with previous releases. However, this addition is long overdue as LibTomMath has supported DR | |
515 reductions for quite some time. | |
516 -- Added RIPE-MD 128 and 160 to the list of supported hashes [10 in total]. | |
517 -- The project has been released as public domain. TDCAL no longer applies. | |
518 | |
519 July 15th, 2003 | |
520 v0.89 -- Fix a bug in bits.c which would prevent it from building with msvc | |
521 -- Merged in LibTomMath v0.24 [and I used the alloc/free macros this time!] | |
522 -- Removed the LTC version of next_prime() and replaced it with a call to the | |
523 mp_prime_next_prime() from LibTomMath | |
524 -- reverted bits.c to the 0.86 copy since the new one doesn't build in MSVC | |
525 or cygwin. | |
526 | |
527 Jul 10th, 2003 | |
528 v0.88 -- Sped up CAST5 key schedule for MSVC | |
529 -- added "ulong32" which allows people on 64-bit platforms to force the 32-bit tables in | |
530 ciphers like blowfish and AES to be 32-bits. E.g. when unsigned long is 64-bits. | |
531 -- Optimized the SAFER-SK64, SAFER-SK128, SAFER+, RC5 and RC6 key schedule [big time!] | |
532 -- Optimized SHA-1 and SHA-256 quite a bit too. | |
533 -- Fixed up the makefile to use -fomit-frame-pointer more liberally | |
534 -- Added tv_gen program which makes test vectors for ciphers/hashes | |
535 -- Merged in LibTomMath v0.22 | |
536 | |
537 Jun 19th, 2003 | |
538 v0.87 -- Many MSVC optimizations to the code base | |
539 -- Improved the AES and Twofish key schedule [faster, more constant time] | |
540 -- Tons of optimizations here and there. | |
541 | |
542 Jun 15th, 2003 | |
543 v0.86 -- Fixed up AES to workaround MSVC optimizer bug | |
544 -- Merged in fresh LTM base [based on v0.20] so there are no warnings with MSVC | |
545 -- Wrote x86_prof which will time the hashes and ciphers downto cycles per byte. | |
546 -- Fixed up demos/encrypt to remove serpent_desc from the list | |
547 -- Re-enabled MSVC optimizations w00t w00t | |
548 -- Replaced "errno" with "err" in all functions that had it so it wouldn't clash | |
549 with the global "errno" | |
550 -- Removed a set of unused variables from certain functions | |
551 -- Removed {#line 0 "..."} stuff from mpi.c to comply with ISO C :-) | |
552 | |
553 Jun 11th, 2003 | |
554 v0.85 -- Swapped in a new AES routine | |
555 -- Removed Serpent | |
556 -- Added TDCAL policy document | |
557 | |
558 Jun 1st, 2003 | |
559 v0.84 -- Removed a 4KB buffer from rsa_decrypt_key that wasn't being used no more | |
560 -- Fixed another potential buffer problem. Not an overflow but could cause the | |
561 PK import routines to read past the end of the buffer. | |
562 -- Optimized the ECC mulmod more by removing a if condition that will always be false | |
563 -- Optimized prime.c to not include a 2nd prime table, removed code from is_prime calls prime | |
564 test from LibTomMath now | |
565 -- Added LTC_TEST define which when defined will enable the test vector routines [see mycrypt_custom.h] | |
566 -- Removed ampi.o from the depends cuz it ain't no not working in *nix with it [routines are in mpi.c now]. | |
567 | |
568 | |
569 Mar 29th, 2003 | |
570 v0.83 -- Optimized the ecc_mulmod, it's faster and takes less heap/stack space | |
571 -- Fixed a free memory error in ecc_mulmod and del_point which would try to free NULL | |
572 -- Fixed two serious bugs in rsa_decrypt_key and rsa_verify_hash that would allow a trivialy | |
573 buffer overflow. | |
574 -- Fixed a bug in the hmac testing code if you don't register all the hashes it won't return | |
575 errors now. | |
576 | |
577 Mar 15th, 2003 | |
578 v0.82 -- Manual updated | |
579 -- Added MSVC makefile [back, actually its written from scratch to work with NMAKE] | |
580 -- Change to HMAC helper functions API to avoid buffer overflow [source changes] | |
581 -- the rsa_encrypt_key was supposed to reject key sizes out of bounds ... | |
582 same fix to the rsa_sign_hash | |
583 -- Added code to ensure that that chaining mode code (cfb/ofb/ctr/cbc) have valid | |
584 structures when being called. E.g. the indexes to the pad/ivs are not out of bounds | |
585 -- Cleaned up the DES code and simplified the core desfunc routine. | |
586 -- Simplified one of the boolean functions in MD4 | |
587 | |
588 Jan 16th, 2003 | |
589 v0.81 -- Merged in new makefile from Clay Culver and Mike Frysinger | |
590 -- Sped up the ECC mulmod() routine by making the word size adapt to the input. Saves a whopping 9 point | |
591 operations on 521-bit keys now (translates to about 8ms on my Athlon XP). I also now use barrett reduction | |
592 as much as possible. This sped the routine up quite a bit. | |
593 -- Fixed a huge flaw in ecc_verify_hash() where it would return CRYPT_OK on error... Now fixed. | |
594 -- Fixed up config.pl by fixing an invalid query and the file is saved in non-windows [e.g. not CR/LF] format | |
595 (fix due to Mika Bostr�m) | |
596 -- Merged in LibTomMath for kicks | |
597 -- Changed the build process so that by default "mycrypt_custom.h" is included and provided | |
598 The makefile doesn't include any build options anymore | |
599 -- Removed the PS2 and VC makefiles. | |
600 | |
601 Dec 16th, 2002 | |
602 v0.80 -- Found a change I made to the MPI that is questionable. Not quite a bug but definately not desired. Had todo | |
603 with the digit shifting. In v0.79 I simply truncated without zeroing. It didn't cause problems during my | |
604 testing but I fixed it up none the less. | |
605 -- Optimized s_mp_mul_dig() from MPI to do a minimal number of passes. | |
606 -- Fixed in rsa_exptmod() where I was getting the size of the result. Basically it accomplishes the same thing | |
607 but the fixed code is more readable. | |
608 -- Fixed slight bug in dh_sign_hash() where the random "k" value was 1 byte shorter than it should have been. I've | |
609 also made the #define FAST_PK speed up signatures as well. Essentially FAST_PK tells the DH sub-system to | |
610 limit any private exponent to 256-bits. Note that when FAST_PK is defined does not make the library | |
611 binary or source incompatible with a copy of the library with it undefined. | |
612 -- Removed the DSA code. If you want fast diffie-hellman just define FAST_PK :-) | |
613 -- Updated dh_sign_hash()/dh_verify_hash() to export "unsigned" bignums. Saves two bytes but is not binary | |
614 compatible with the previous release... sorry! I've performed the same fix to the ecc code as well. | |
615 -- Fixed up the PK code to remove all use of mp_toraw() and mp_read_raw() [get all the changes out of the way now] | |
616 -- Fixed a bug in the DH code where it missed trapping a few errors if they occurred. | |
617 -- Fixed a slight "its-not-a-bug-but-could-be-done-better" bug in the next_prime() function. Essentially it was | |
618 testing to ensure that in the loop that searches for the next candidate that the step never grows beyond | |
619 65000. Should have been testing for MP_DIGIT_MAX | |
620 -- Spruced up the config.pl script. It now makes a header file "mycrypt_custom.h" which can be included *before* | |
621 you include mycrypt.h. This allows you to add libtomcrypt to a project without completely changing your make | |
622 system around. Note that you should use the makefile it writes to at least build the library initially. | |
623 -- Used splint to check alot of the code out. Tons of minor fixes and explicit casts added. | |
624 -- Also made all the internal functions of MPI are now static to avoid poluting the namespace | |
625 -- **Notice**: There are no planned future releases for at least a month from the this release date. | |
626 | |
627 Dec 14th, 2002 | |
628 v0.79 -- Change to PK code [binary and source]. I made it so you have to pass the buffer size to the *_decrypt_key and | |
629 *_verify_hash functions. This prevents malformed packets from performing buffer overflows. I've also trimmed | |
630 the packet header size [by 4 bytes]. | |
631 -- Made the test program halt on the first error it occurs. Also made it trap more errors than before. | |
632 -- Wrote the first chapter of my new book [DRAFT!], not in this package but check my website! | |
633 -- Included a perl script "config.pl" that will make "makefile.out" according to the users needs. | |
634 -- Added shell script to look for latest release | |
635 -- Merge DH and ECC key defines from mycrypt_cfg.h into the makefiles | |
636 -- updated the makefile to use BSD friendly archiving invokations | |
637 -- Changed the DH and ECC code to use base64 static key settings [e.g. the primes]. Dropped the code size by 3KB | |
638 and is ever-so-slightly faster than before. | |
639 -- added "mp_shrink" function to shrink the size of bignums. Specially useful for PK code :-) | |
640 -- Added new exptmod function that calculates a^b mod c with fewer multiplies then before [~20% for crypto | |
641 sized numbers]. Also added a "low mem" variant that doesn't use more than 20KB [upto 4096 bit nums] of | |
642 heap todo the calculation. Both are #define'able controlled | |
643 -- Added XREALLOC macro to provide realloc() functionality. | |
644 -- Added fix where in rsa_import() if you imported a public key or a non-optimized key it would free the mp_int's | |
645 not being used. | |
646 -- Fixed potential bug in the ECC code. Only would occur on platforms where char is not eight bits [which isn't | |
647 often!] | |
648 -- Fixed up the ECC point multiplication, its about 15% faster now | |
649 -- While I was at it [since the lib isn't binary backwards compatible anyways] I've fixed the PK export routines | |
650 so they export as "unsigned" types saving 1 byte per bignum outputted. Not a lot but heck why not. | |
651 | |
652 Nov 28th, 2002 | |
653 v0.78 -- Made the default ARGCHK macro a function call instead which reduced the code size from 264KB to 239KB. | |
654 -- Fixed a bug in the XTEA keysize function which called ARGCHK incorrectly. | |
655 -- Added Noekeon block cipher at 2,800 bytes of object code and 345Mbit/sec it is a welcome addition. | |
656 -- Made the KR code check if the other PK systems are included [provides error when building otherwise]. | |
657 -- Made "aes" an alias for Rijndael via a pre-processor macro. Now you can use "aes_ecb_encrypt", etc... :-) | |
658 Thanks to Jean-Luc Cooke for the "buzzword conformance" suggestion. | |
659 -- Removed the old PK code entirely (e.g. rsa_sign, dh_encrypt). The *_sign_hash and *_encrypt_key functions | |
660 are all that is to remain. | |
661 -- **NOTE** Changed the PK *_import (including the keyring) routine to accept a "inlen" parameter. This fixes a | |
662 bug where improperly made key packets could result in reading passed the end of the buffer. This means | |
663 the code is no longer source compatible but still binary compatible. | |
664 -- Fixed a few other minor bugs in the PK import code while I was at it. | |
665 | |
666 Nov 26th, 2002 | |
667 v0.77 -- Updated the XTEA code to use pre-computed keys. With optimizations for speed it achieves 222Mbit/sec | |
668 compared to the 121Mbit/sec before. It is 288 bytes bigger than before. | |
669 -- Cleaned up some of the ciphers and hashes (coding style, cosmetic changes) | |
670 -- Optimized AES slightly for 256-bit keys [only one if statement now, still two for 192-bit keys] | |
671 -- Removed most test cases from Blowfish, left three of them there. Makes it smaller and faster to test. | |
672 -- Changed the primality routines around. I now use 8 rounds of Rabin-Miller, I use 256 primes in the sieve | |
673 step and the "rand_prime" function uses a modified sieve that avoids alot of un-needed bignum work. | |
674 -- Fixed a bug in the ECC/DH signatures where the keys "setting" value was not checked for validity. This means | |
675 that a invalid value could have caused segfaults, etc... | |
676 -- **NOTE** Changed the way the ECC/DH export/import functions work. They are source but not binary compatible | |
677 with v0.76. Essentially insteading of exporting the setting index like before I export the key size. Now | |
678 if you ever re-configure which key settings are supported the lib will still be able to make use of your | |
679 keys. | |
680 -- Optimized Blowfish by inlining the round function, unrolling it for four rounds then using a for loop for the | |
681 rest. It achieves a rate of 425Mbit/sec with the new code compared to 314Mbit/sec before. The new blowfish | |
682 object file is 7,813 bytes compared to 8,663 before and is 850 bytes smaller. So the code is both smaller and | |
683 faster! | |
684 -- Optimized Twofish as well by inlining the round function. Gets ~400Mbit/sec compared to 280Mbit/sec before | |
685 and the code is only 78 bytes larger than the previous copy. | |
686 -- Removed SMALL_PRIME_TAB build option. I use the smaller table always. | |
687 -- Fixed some mistakes concerning prime generation in the manual. | |
688 -- [Note: sizes/speeds are for GCC 3.2 on an x86 Athlon XP @ 1.53Ghz] | |
689 | |
690 Nov 25th, 2002 | |
691 v0.76 -- Updated makefiles a bit more, use "-Os" instead of "-O2" to optimize for size. Got the lib | |
692 downto 265KB using GCC 3.2 on my x86 box. | |
693 -- Updated the SAFER+, Twofish and Rijndael test vector routine to use the table driven design. | |
694 -- Updated all other test vector routines to return as soon as an error is found | |
695 -- fixed a bug in the test program where errors in the hash test routines would not be reported | |
696 correctly. I found this by temporarily changing one of the bytes of the test vectors. All the | |
697 hashes check out [the demos/test.c would still have reported an error, just the wrong one]. | |
698 | |
699 | |
700 Nov 24th, 2002 | |
701 v0.75 -- Fixed a flaw in hash_filehandle, it should ARGCHK that the filehandle is not NULL | |
702 -- Fixed a bug where in hash_file if the call to hash_filehandle failed the open file would | |
703 not be closed. | |
704 -- Added more strict rules to build process, starting to weed out "oh this works in GCC" style code | |
705 In the next release "-Wconversion" will be enabled which will deal with all implicit casts. | |
706 | |
707 Nov 22nd, 2002 [later in the day] | |
708 v0.74 -- Wrote a small variant of SAFER+ which shaved 50KB off the size of the library on x86 platforms | |
709 -- Wrote a build option to remove the PK packet functions [keeps the encrypt_key/sign_hash functions] | |
710 -- Wrote a small variant of Rijndael (trimmed 13KB) | |
711 -- Trimmed the TIGER/192 hash function a bit | |
712 -- Overall the entire lib compiled is 295KB [down from 400KB before] | |
713 -- Fixed a few minor oversights in the MSVC makefile | |
714 | |
715 Nov 22nd, 2002 | |
716 v0.73 -- Fixed bug in RC4 code where it could only use 255 byte keys. | |
717 -- Fixed bug in yarrow code where it would allow cast5 or md2 to be used with it... | |
718 -- Removed the ecc compress/expand points from the global scope. Reduces namespace polution | |
719 -- Fixed bug where if you used the SPRNG you couldn't pass NULL as your prng_state which you should be | |
720 able todo since the SPRNG has no state... | |
721 -- Corrected some oversights in the manual and the examples... | |
722 -- By default the GF(2^W) math library is excluded from the build. The source is maintained because I wrote it | |
723 and like it :-). This way the built library is a tad smaller | |
724 -- the MSVC makefile will now build for a SPACE optimized library rather than TIME optimized. | |
725 | |
726 Nov 21th, 2002 | |
727 v0.72 -- Fixed bug in the prime testing. In the Miller-Rabin test I was raising the base to "N-1" not "r". | |
728 The math still worked out fine because in effect it was performing a Fermat test. Tested the new code and it | |
729 works properly | |
730 -- Fixed some of the code where it was still using the old error syntax | |
731 -- Sped up the RSA decrypt/sign routines | |
732 -- Optimized the ecc_shared_secret routine to not use so much stack | |
733 -- Fixed up the makefile to make releases where the version # is in the file name and directory it will unzip | |
734 to | |
735 | |
736 Nov 19th, 2002 | |
737 v0.71 -- HELP TOM. I need tuition for the January semester. Now I don't want to force donations [nor will I ever] | |
738 but I really need the help! See my website http://tom.iahu.ca/help_tom.html for more details. Please help | |
739 if you can! | |
740 -------------------------------------------------------------------------------------------------------------- | |
741 -- Officially the library is no longer supported in GCC 3.2 in windows [cygwin]. | |
742 In windows you can either use GCC 2.95.3 or try your luck with 3.2 It seems that | |
743 "-fomit-frame-pointer" is broken in the windows build [but not the linux x86 build???] | |
744 If you simply must use 3.2 then I suggest you limit the optimizations to simply "-O2" | |
745 -- Started new error handling API. Similar to the previous except there are more error codes than just | |
746 CRYPT_ERROR | |
747 -- Added my implementation of the MD2 hash function [despite the errors in the RFC I managed to get it right!] | |
748 -- Merged in more changes from Sky Schulz. I have to make mention here that he has been a tremendous help in | |
749 getting me motivated to make some much needed updates to the library! | |
750 -- Fixed one of the many mistakes in the manual as pointed out by Daniel Richards | |
751 -- Fixed a bug in the RC4 code [wasn't setting up the key correctly] | |
752 -- Added my implementation of the CAST5 [aka CAST-128] block cipher (conforms...) | |
753 -- Fixed numerous bugs in the PK code. Essentially I was "freeing" keys when the import failed. This is neither | |
754 required nor a good a idea [double free]. | |
755 -- Tom needs a job. | |
756 -- Fixed up the test harness as requested by Sky Schulz. Also modifed the timing routines to run for X seconds | |
757 and count # of ops performed. This is more suitable than say encrypting 10 million blocks on a slow processor | |
758 where it could take minutes! | |
759 -- Modified test programs hashsum/encrypt to use the new algorithms and error handling syntax | |
760 -- Removed the PKCS code since it was incomplete. In the future I plan on writing a "add-on" library that | |
761 provides PKCS support... | |
762 -- updated the config system so the #defines are in the makefiles instead of mycrypt_cfg.h | |
763 -- Willing to work on an hourly basis for 15$ CDN per hour. | |
764 -- updated the test program to not test ciphers not included | |
765 -- updated the makefile to make "rsa_sys.c" a dependency of rsa.o [helps develop the code...] | |
766 -- fixed numerous failures to detect buffer overflows [minor] in the PK code. | |
767 -- fixed the safer [64-bit block version] test routines which didn't check the returns of the setup | |
768 function | |
769 -- check out my CV at http://tom.iahu.ca/cv.html | |
770 -- removed the GBA makefile and code from demos/test.c [not a particularly useful demo...] | |
771 -- merged in rudimentary [for testing] PS2 RNG from Sky Schulz | |
772 -- merged in PS2 timer code [only shell included due to NDA reasons...] | |
773 -- updated HMAC code to return errors where possible | |
774 -- Thanks go to Sky Schulz who bought me a RegCode for TextPad [the official editor of libtomcrypt] | |
775 | |
776 Nov 12th, 2002 | |
777 v0.70 -- Updated so you can swap out the default malloc/calloc/free routines at build time with others. (Sky Schulz) | |
778 -- Sky Schulz contributed some code towards autodetecting the PS2 in mycrypt_cfg.h | |
779 -- Added PS2 makefile contributed by Sky Schulz [see a pattern forming?] | |
780 -- Added ability to have no FILE I/O functions at all (see makefile), Sky Schulz.... | |
781 -- Added support for substituting out the clock() function (Sky Schulz) | |
782 -- Fixed up makefile to include new headers in the HEADERS variable | |
783 -- Removed "coin.c" as its not really useful anyways | |
784 -- Removed many "debug" printfs that would show up on failures. Basically I wanted to ensure the only output | |
785 would be from the developer themselves. | |
786 -- Added "rc4.c" a RC4 implementation with a PRNG interface. Since RC4 isn't a block cipher it wouldn't work | |
787 too well as a block cipher. | |
788 -- Fixed ARGCHK macro usage when ARGTYPE=1 throughout the code | |
789 -- updated makefile to make subdirectory properly (Sku Schulz) | |
790 -- Started towards new API setup. Instead of checking for "== CRYPT_ERROR" you should check "!= CRYPT_OK" | |
791 In future releases functions will return things other than CRYPT_ERROR on error to give more useful | |
792 thread safe error reporting. The manual will be updated to reflect this. For this release all | |
793 errors are returned as CRYPT_ERROR (except as noted) but in future releases this will change. | |
794 -- Removed the zlib branch since its not really required anyways. Makes the package smaller | |
795 | |
796 Nov 11th, 2002 | |
797 v0.69 -- Added ARGCHK (see mycrypt_argchk.h) "arguement checking" to all functions that accept pointers | |
798 -- Note I forgot to change the CRYPT version tag in v0.68... fixed now. | |
799 | |
800 Nov 8th, 2002 | |
801 v0.68 -- Fixed flaw in kr_import/kr_export that wasted 4 bytes. Source but not binary compatible with v0.67 | |
802 -- Fixed bug in kr_find_name that used memcmp to match strings. Uses strncmp now. | |
803 -- kr_clear now sets the pointer to NULL to facilate debugging [e.g. using the keyring after clearing] | |
804 -- static functions in _write/_read in keyring.c now check the return of ctr_encrypt/ctr_decrypt. | |
805 -- Updated blowfish/rc2/rc5/rc6 keysize() function to not reject keys larger than the biggest key the | |
806 respective ciphers can use. | |
807 -- Fixed a bug in hashsum demo that would report the hash for files that don't exist! | |
808 | |
809 Oct 16th, 2002 | |
810 v0.67 -- Moved the function prototypes into files mycrypt_*.h. To "install" the lib just copy all the | |
811 header files "*.h" from the base of this project into your global include path. | |
812 -- Made the OFB/CFB/CTR functions use "unsigned long" for the length instead of "int" | |
813 -- Added keyring support for the PK functions | |
814 -- ***API CHANGE*** changed the ecc_make_key and dh_make_key to act more like rsa_make_key. Basically | |
815 move the first argument to the next to last. | |
816 -- Fixed bug in dh_test() that wouldn't test the primality of the order of the sub-group | |
817 -- replaced the primes in the DH code with new ones that are larger than the size they are | |
818 associated with. That is a 1024-bit DH key will have a 1025-bit prime as the modulus | |
819 -- cleaned up all the PK code, changed a bit of the API around [not source compatible with v0.66] | |
820 -- major editing of the manual, started Docer program | |
821 -- added 160 and 224 bit key settings for ECC. This makes the DH and ECC binary wise incompatible with v0.66 | |
822 -- Added an additional check for memory errors in is_prime() and cleaned up prime.c a bit | |
823 -- Removed ID_TAG from all files [meh, not a big fan...] | |
824 -- Removed unused variable from yarrow state and made AES/SHA256 the default cipher/hash combo | |
825 -- Fixed a bug in the Yarrow code that called prng_is_valid instead of cipher_is_valid from yarrow_start() | |
826 -- The ECB/CBC/OFB/CFB/CTR wrappers now check that the cipher is valid in the encrypt/decrypt calls | |
827 Returns int now instead of void. | |
828 | |
829 Sept 24th, 2002 | |
830 v0.66 -- Updated the /demos/test.c program to time the hashes correctly. Also it uses the yarrow PRNG for all of the | |
831 tests meaning its possible to run on RNG less platforms | |
832 -- Updated the /demos/hashsum.c program to hash from the standard input | |
833 -- Updated the RSA code to make keys a bit quicker [update by Wayne Scott] by not making both primes at the same | |
834 time. | |
835 -- Dan Kaminsky suggested some cleanups for the code and the MPI config | |
836 Code ships in unix LF format by default now too... will still build in MSVC and all... but if you want | |
837 to read the stuff you'll have to convert it | |
838 -- Changes to the manual to reflect new API [e.g. hash_memory/file have v0.65 prototypes]and some typos fixed | |
839 | |
840 Sept 20th, 2002 | |
841 v0.65 -- Wayne Scott ([email protected]) made a few of suggestions to improve the library. Most | |
842 importantly he pointed out the math lib is not really required. He's also tested the lib on 18 | |
843 different platforms. According to him with only a few troubles [lack of /dev/random, etc] the | |
844 library worked as it was supposed to. You can find the list at | |
845 http://www.bitkeeper.com/Products.BitKeeper.Platforms.html | |
846 -- Updated the hash_file and hash_memory functions to keep track of the size of the output | |
847 -- Wayne Scott updated the demos/test.c file to use the SPRNG less and Yarrow more | |
848 -- Modified the mycrypt_cfg.h to autodetect x86-32 machines | |
849 | |
850 Sept 19th, 2002 | |
851 v0.64 -- wrote makefile for the GBA device [and hacked the demos/test.c file to support it conditionally] | |
852 -- Fixed error in PK (e.g. ECC, RSA, DH) import functions where I was clobbering the packet error messages | |
853 -- fixed more typos in the manual | |
854 -- removed all unused variables from the core library (ignore the ID_TAG stuff) | |
855 -- added "const char *crypt_build_settings" string which is a build time constant that gives a listing | |
856 of all the build time options. Useful for debugging since you can send that to me and I will know what | |
857 exactly you had set for the mycrypt_cfg.h file. | |
858 -- Added control over endianess. Out of the box it defaults to endianess neutral but you can trivially | |
859 configure the library for your platform. Using this I boosted RC5 from 660Mbit/sec to 785Mbit/sec on my | |
860 Athlon box. See "mycrypt_cfg.h" for more information. | |
861 | |
862 Sept 11th, 2002 | |
863 v0.63 -- Made hashsum demo output like the original md5sum program | |
864 -- Made additions to the examples in the manual (fixed them up a bunch) | |
865 -- Merged in the base64 code from Wayne Scott ([email protected]) | |
866 | |
867 Aug 29th, 2002 | |
868 v0.62 -- Added the CLEAN_STACK functionality to several of the hashes I forgot to update. | |
869 | |
870 Aug 9th, 2002 | |
871 v0.61 -- Fixed a bug in the DES code [oops I read something wrong]. | |
872 | |
873 Aug 8th, 2002 | |
874 v0.60 -- Merged in DES code [and wrote 3DES-EDE code based on it] from Dobes V. | |
875 | |
876 Aug 7th, 2002 | |
877 v0.59 -- Fixed a "unsigned long long" bug that caused v0.58 not to build in MSVC. | |
878 -- Cleaned up a little in the makefile | |
879 -- added code that times the hash functions too in the test program | |
880 | |
881 Aug 3rd, 2002 | |
882 v0.58 -- Added more stack cleaning conditionals throughout the code. | |
883 -- corrected some CLEAR_STACK conditionals... should have been CLEAN_STACK | |
884 -- Simplified the RSA, DH and ECC encrypt() routines where they use CTR to encode the message | |
885 now they only make one call to ctr_encrypt()/ctr_decrypt(). | |
886 | |
887 Aug 2nd, 2002 | |
888 v0.57 -- Fixed a few errors messages in the SAFER code to actually report the correct cipher name. | |
889 -- rsa_encrypt() uses the "keysize()" method of the cipher being used to more accurately pick a | |
890 key size. By default rsa_encrypt() will choose to use a 256-bit key but the cipher can turn that | |
891 down if required. | |
892 -- The rsa_exptmod() function will now more reliably detect invalid inputs (e.g. greater than the modulus). | |
893 -- The padding method for RSA is more clearly documented. Namely if you want to encrypt/sign something of length | |
894 N then your modulus must be of length 1+3N. So to sign a message with say SHA-384 [48 bytes] you need a | |
895 145 byte (1160 bits) modulus. This is all in the manual now. | |
896 -- Added build option CLEAN_STACK which will allow you to choose whether you want to clean the stack or not after every | |
897 cipher/hash call | |
898 -- Sped up the hash "process()" functions by not copying one byte at a time. | |
899 ++ (added just after I uploaded...) | |
900 MD4 process() now handles input buffers > 64 bytes | |
901 | |
902 Aug 1st, 2002 | |
903 v0.56 -- Cleaned up the comments in the Blowfish code. | |
904 -- Oh yeah, in v0.55 I made all of the descriptor elements constant. I just forgot to mention it. | |
905 -- fixed a couple of places where descriptor indexes were tested wrong. Not a huge bug but now its harder | |
906 to mess up. | |
907 -- Added the SAFER [64-bit block] ciphers K64, SK64, K128 and SK128 to the library. | |
908 -- Added the RC2 block cipher to the library. | |
909 -- Changed the SAFER define for the SAFER+ cipher to SAFERP so that the new SAFER [64-bit] ciphers | |
910 can use them with less confusion. | |
911 | |
912 July 29th, 2002 | |
913 v0.55 -- My god stupid Blowfish has yet again been fixed. I swear I hate that cipher. Next bug in it and boom its out of the | |
914 library. Use AES or something else cuz I really hate Blowfish at this stage.... | |
915 -- Partial PKCS support [hint DONT USE IT YET CUZ ITS UNTESTED!] | |
916 | |
917 July 19th, 2002 | |
918 v0.54 -- Blowfish now conforms to known test vectors. Silly bad coding tom! | |
919 -- RC5/RC6/Serpent all have more test vectors now [and they seemed to have been working before] | |
920 | |
921 July 18th, 2002 | |
922 v0.53 -- Added more test vectors to the blowfish code just for kicks [and they are const now too :-)] | |
923 -- added prng/hash/cipher is_valid functions and used them in all of the PK code so you can't enter the code | |
924 with an invalid index ever now. | |
925 -- Simplified the Yarrow code once again :-) | |
926 | |
927 July 12th, 2002 | |
928 v0.52 -- Fixed a bug in MD4 where the hash descriptor ID was the same as SHA-512. Now MD4 will work with | |
929 all the routines... | |
930 -- Fixed the comments in SHA-512 to be a bit more meaningful | |
931 -- In md4 I made the PADDING array const [again to store it in ROM] | |
932 -- in hash_file I switched the constant "512" to "sizeof(buf)" to be a bit safer | |
933 -- in SHA-1's test routine I fixed the string literal to say SHA-1 not sha1 | |
934 -- Fixed a logical error in the CTR code which would make it skip the first IV value. This means | |
935 the CTR code from v0.52 will be incompatible [binary wise] with previous releases but it makes more | |
936 sense this way. | |
937 -- Added {} braces for as many if/for/blocks of code I could find. My rule is that every for/if/while/do block | |
938 must have {} braces around it. | |
939 -- made the rounds table in saferp_setup const [again for the ROM think about the ROM!] | |
940 -- fixed RC5 since it no longer requires rc5 to be registered in the lib. It used to since the descriptors used to | |
941 be part of the table... | |
942 -- the packet.c code now makes crypt_error literal string errors when an error occurs | |
943 -- cleaned up the SAFER+ key schedule to be a bit easier to read. | |
944 -- fixed a huge bug in Twofish with the TWOFISH_SMALL define. Because I clean the stack now I had | |
945 changed the "g_func()" to be called indirectly. I forgot to actually return the return of the Twofish | |
946 g_func() function which caused it not to work... [does now :-)] | |
947 | |
948 July 11th, 2002 | |
949 v0.51 -- Fixed a bug in SHA512/384 code for multi-block messages. | |
950 -- Added more test vectors to the SHA384/512 and TIGER hash functions | |
951 -- cleaned up the hash done routines to make more sense | |
952 | |
953 July 10th, 2002 | |
954 v0.50 -- Fixed yarrow.c so that the cipher/hash used would be registered. Also fixed | |
955 a bug where the SAFER+ name was "safer" but should have been "safer+". | |
956 -- Added an element to the hash descriptors that gives the size of a block [sent into the compressor] | |
957 -- Cleaned up the support for HMAC's | |
958 -- Cleaned up the test vector routines to make the test vector data const. This means on some platforms it will be | |
959 placed in ROM not RAM now. | |
960 -- Added MD4 code submited by Dobes Vandermeer ([email protected]) | |
961 -- Added "burn_stack" function [idea taken from another source of crypto code]. The idea is if a function has | |
962 alot of variables it will clean up better. Functions like the ecb serpent and twofish code will now have their | |
963 stacks cleaned and the rest of the code is getting much more straightforward. | |
964 -- Added a hashing demo by Daniel Richards ([email protected]) | |
965 -- I (Tom) modified some of the test vector routines to use more vectors ala Dobes style. | |
966 For example, the MD5/SHA1 code now uses all of the test vectors from the RFC/FIPS spec. | |
967 -- Fixed the register/unregister functions to properly report errors in crypt_error | |
968 -- Correctly updated yarrow code to remove a few unused variables. | |
969 -- Updated manual to fix a few erroneous examples. | |
970 -- Added section on Hash based Message Authentication Codes (HMAC) to the manual | |
971 | |
972 June 19th, 2002 | |
973 v0.46 -- Added in HMAC code from Dobes Vandermeer ([email protected]) | |
974 | |
975 June 8th, 2002 | |
976 v0.45 -- Fixed bug in rc5.c where if you called rc5_setup() before registering RC5 it would cause | |
977 undefined behaviour. | |
978 -- Fixed mycrypt_cfg.h to eliminate the 224 bit ECC key. | |
979 -- made the "default" makefile target have depends on mycrypt.h and mycrypt_cfg.h | |
980 | |
981 Apr 4th, 2002 | |
982 v0.44 -- Fixed bug in ecc.c::new_point() where if the initial malloc fails it would not catch it. | |
983 | |
984 Mar 22nd, 2002 | |
985 v0.43 -- Changed the ZLIB code over to the 1.1.4 code base to avoid the "double free" bug. | |
986 -- Updated the GCC makefile not to use -O3 or -funroll-loops | |
987 -- Version tag in mycrypt.h has been updated :-) | |
988 | |
989 Mar 10th, 2002 | |
990 v0.42 -- The RNG code can now use /dev/urandom before trying /dev/random (J. Klapste) | |
991 | |
992 Mar 3rd, 2002 | |
993 v0.41 -- Added support to link and use ciphers at compile time. This can greatly reduce the code size! | |
994 -- Added a demo to show off how small an application can get... 46kb! | |
995 -- Disastry pointed out that Blowfish is supposed to be high endian. | |
996 -- Made registry code for the PRNGs as well [now the smallest useable link is 43kb] | |
997 | |
998 Feb 11th, 2002 | |
999 v0.40 -- RSA signatures use [and check for] fixed padding scheme. | |
1000 -- I'm developing in Linux now :-) | |
1001 -- No more warnings from GCC 2.96 | |
1002 | |
1003 Feb 5th, 2002 | |
1004 v0.39 -- Updated the XTEA code to work in accordance with the XTEA design | |
1005 | |
1006 January 24th, 2002 | |
1007 v0.38 -- CFB and OFB modes can now handle blocks of variable size like the CTR code | |
1008 -- Wrote a wrapper around the memory compress functions in Zlib that act like the functions | |
1009 in the rest of my crypto lib | |
1010 | |
1011 January 23rd, 2002 | |
1012 v0.37 -- Added support code so that if a hash size and key size for a cipher don't match up they will | |
1013 use the next lower key supported. (mainly for the PK code). So you can now use SHA-1 with | |
1014 Twofish, etc... | |
1015 -- Added more options for Twofish. You can now tell it to use precomputed sboxes and MDS multiplications | |
1016 This will speed up the TWOFISH_SMALL implementation by increasing the code size by 1024 bytes. | |
1017 -- Fixed a bug in prime.c that would not use the correct table if you undefined SMALL_PRIME_TAB | |
1018 -- Fixed all of the PK packet code to use the same header format [see packet.c]. This makes the PK code | |
1019 binary wise incompatible with previous releases while the API has not changed at all. | |
1020 | |
1021 January 22nd, 2002 | |
1022 v0.36 -- Corrections to the manual | |
1023 -- Made a modification to Twofish which lets you build a "small ram" variant. It requires | |
1024 about 190 bytes of ram for the key storage compared to the 4,200 bytes the normal | |
1025 variant requires. | |
1026 -- Reduced the stack space used in all of the PK routines. | |
1027 | |
1028 January 19th, 2002 | |
1029 v0.35 -- If you removed the first hash or cipher from the library it wouldn't return an error if | |
1030 you used an ID=0 [i.e blowfish or sha256] in any routine. Now it checks for that and will | |
1031 return an error like it should | |
1032 -- Merged in new routines from Clay Culver. These routines are for the PK code so you can easily | |
1033 encode a symmetric key for multiple recipients. | |
1034 -- Made the ecc and DH make_key() routines make secret keys of the same size as the keysize listed. | |
1035 Originally I wanted to ensure that the keys were smaller than the order of the field used | |
1036 However, the bias is so insignifcant using full sizes. For example, with a ECC-192 key the order | |
1037 is about 2^191.99, so instead I rounded down and used a 184-bit secret key. Now I simply use a full 192-bit | |
1038 key the code will work just the same except that some 192-bit keys will be duplicates which is not a big | |
1039 deal since 1/2^192 is a very small bias! | |
1040 -- Made the configuration a bit simpler and more exacting. You can for example now select which DH or ECC | |
1041 key settings you wish to support without including the data for all other key settings. I put the #defines | |
1042 in a new file called "mycrypt_cfg.h" | |
1043 -- Configured "mpi-config.h" so its a bit more conservative with the memory required and code space used | |
1044 -- Jason Klapste submitted bug fixes to the yarrow, hash and various other issues. The yarrow code will now | |
1045 use what ever remaining hash/cipher combo is left [after you #undef them] at build time. He also suggested | |
1046 a fix to remove unused structures from the symmetric_key and hash_state unions. | |
1047 -- Made the CTR code handle variable length blocks better. It will buffer the encryption pad so you can | |
1048 encrypt messages any size block at a time. | |
1049 -- Simplified the yarrow code to take advantage of the new CTR code. | |
1050 -- Added a 4096-bit DH key setting. That took me about 36 hours to find! | |
1051 -- Changed the base64 routines to use a real base64 encoding scheme. | |
1052 -- Added in DH and ECC "encrypt_key()" functions. They are still rather "beta"ish. | |
1053 -- Added **Twofish** to the list of ciphers! | |
1054 | |
1055 January 18th, 2002 | |
1056 v0.34 -- Added "sha512" to the list of hashes. Produces a 512-bit message digest. Note that with the current | |
1057 padding with the rsa_sign() function you cannot use sha512 with a key less than 1536 bits for signatures. | |
1058 -- Cleaned up the other hash functions to use the LOAD and STORE macros... | |
1059 | |
1060 January 17th, 2002 | |
1061 v0.33 -- Made the lower limit on keysizes for RSA 1024 bits again because I realized that 768 bit keys wouldn't | |
1062 work with the padding scheme and large symmetric keys. | |
1063 -- Added information concerning the Zlib license to the manual | |
1064 -- Added a 3072-bit key setting for the DH code. | |
1065 -- Made the "find_xyz()" routines take "const char *" as per Clay Culver's suggestion. | |
1066 -- Fixed an embarassing typo in the manual concerning the hashes. Thank's Clay for finding it! | |
1067 -- Fixed rand_prime() so that it makes primes bigger than the setting you give. For example, | |
1068 if you want a 1024-bit prime it would make a 1023-bit one. Now it ensures that the prime | |
1069 it makes is always greater than 2^(8n) (n == bytes in prime). This doesn't have a huge | |
1070 impact on security but I corrected it just the same. | |
1071 -- Fixed the CTR routine to work on platforms where char != 8-bits | |
1072 -- Fixed sha1/sha256/md5/blowfish to not assume "unsigned long == 32-bits", Basically any operation with carries | |
1073 I "AND" with 0xFFFFFFFF. That forces only the lower 32-bits to have information in it. On x86 platforms | |
1074 most compilers optimize out the AND operation since its a nop. | |
1075 | |
1076 January 16th, 2002 | |
1077 v0.32 -- Made Rijndael's setup function fully static so it is thread safe | |
1078 -- Svante Seleborg suggested a cosmetic style fixup for aes.c, | |
1079 basically to remove some of the #defines to clean it up | |
1080 -- Made the PK routines not export the ASCII version of the names of ciphers/hashes which makes | |
1081 the PK message formats *incompatible* with previous releases. | |
1082 -- Merge in Zlib :-) | |
1083 | |
1084 | |
1085 January 15th, 2002 | |
1086 v0.31 -- The RSA routines can now use CRT to speed up decryption/signatures. The routines are backwards | |
1087 compatible with previous releases. | |
1088 -- Fixed another bug that Svante Seleborg found. Basically you could buffer-overrun the | |
1089 rsa_exptmod() function itself if you're not careful. That's fixed now. Fixed another bug in | |
1090 rsa_exptmod() where if it knows the buffer you passed is too small it wouldn't free all used | |
1091 memory. | |
1092 -- improved the readability of the PK import/export functions | |
1093 -- Added a fix to RSA.C by Clay Culver | |
1094 -- Changed the CONST64 macro for MSVC to use the "unsigned __int64" type, e.g. "ui64" instead of "i64". | |
1095 | |
1096 January 14th, 2002 | |
1097 v0.30 -- Major change to the Yarrow PRNG code, fixed a bug that Eugene Starokoltsev found. | |
1098 Basically if you added entropy to the pool in small increments it could in fact | |
1099 cancel out. Now I hash the pool with the new data which is way smarter. | |
1100 | |
1101 January 12th, 2002 | |
1102 v0.29 -- Added MPI code written by Svante Seleborg to the library. This will make the PK code much | |
1103 easier to follow and debug. Actually I've already fixed a memory leak in dh_shared_secret(). | |
1104 -- Memory leaks found and correct in all three PK routines. The leaks would occur when a bignum | |
1105 operation fails so it wouldn't normally turn up in the course of a program | |
1106 -- Fixed bugs in dh_key_size and ecc_key_size which would return garbage for invalid key idx'es | |
1107 | |
1108 January 11th, 2002 | |
1109 v0.28 -- Cleaned up some code so that it doesn't assume "char == 8bits". Mainly SAFER+ has been | |
1110 changed. | |
1111 -- ***HUGE*** changes in the PK code. I check all return values in the bignum code so if there | |
1112 are errors [insufficient memory, etc..] it will be reported. This makes the code fairly more | |
1113 robust and likely to catch any errors. | |
1114 -- Updated the is_prime() function to use a new prototype [it can return errors now] and it also | |
1115 does trial divisions against more primes before the Rabin Miller steps | |
1116 -- Added OFB, CFB and ECB generic wrappers for the symmetric ciphers to round out the implementations. | |
1117 -- Added Xtea to the list of ciphers, to the best of my ability I have verified this implementation. | |
1118 I should note that there is not alot of concrete information about the cipher. "Ansi C" versions | |
1119 I found did not address endianess and were not even portable!. This code is portable and to the | |
1120 best of my knowledge implements the Xtea algorithm as per the [short] X-Tea paper. | |
1121 -- Reformated the manual to include the **FULL** source code optimized to be pritable. | |
1122 | |
1123 January 9th, 2002 | |
1124 v0.27 -- Changed the char constants to numerical values. It is backwards compatible and should work on | |
1125 platforms where 'd' != 100 [for example]. | |
1126 -- Made a change to rand_prime() which takes the input length as a signed type so you can pass | |
1127 a negative len to get a "3 mod 4" style prime... oops | |
1128 -- changed the MSVC makefile to build with a warning level of three, no warnings! | |
1129 | |
1130 January 8th, 2002 | |
1131 v0.26 -- updated SHA-256 to use ROR() for a rotate so 64-bit machines won't corrupt | |
1132 the output | |
1133 -- Changed #include <> to #include "" for local .h files as per Richard Heathfields' suggestions. | |
1134 -- Fixed bug in MPI [well bug in MSVC] that compiled code incorrectly in mp_set_int() | |
1135 I added a work around that catches the error and continues normally. | |
1136 | |
1137 January 8th, 2002 | |
1138 v0.25 -- Added a stupid define so MSVC 6.00 can build the library. | |
1139 -- Big thanks to sci.crypt and "Ajay K. Agrawal" for helping me port this to MSVC | |
1140 | |
1141 January 7th, 2002 | |
1142 v0.24 -- Sped up Blowfish by unrolling and removing the swaps. | |
1143 -- Made the code comply with more traditional ANSI C standards | |
1144 Should compile with MSVC with less errors | |
1145 -- moved the demos and documentation into their own directories | |
1146 so you can easily build the library with other tool chains | |
1147 by compiling the files in the root | |
1148 -- converted functions with length of outputs to use | |
1149 "unsigned long" so 16-bit platforms will like this library more. | |
1150 | |
1151 January 5th, 2002 | |
1152 v0.23 -- Fixed a small error in the MPI config it should build fine anywhere. | |
1153 | |
1154 January 4th, 2002 | |
1155 v0.22 -- faster gf_mul() code | |
1156 -- gf_shl() and gf_shr() are safe on 64-bit platforms now | |
1157 -- Fixed an error in the hashes that Brian Gladman found. | |
1158 Basically if the message has exactly 56 bytes left to be | |
1159 compressed I handled them incorrectly. | |
1160 | |
1161 January 4th, 2002 | |
1162 v0.21 -- sped up the ECC code by removing redundant divisions in the | |
1163 point add and double routines. I also extract the bits more | |
1164 efficiently in "ecc_mulmod()" now. | |
1165 -- sped up [and documented] the rand_prime() function. Now it just | |
1166 makes a random integer and increments by two until a prime is found | |
1167 This is faster since it doesn't require alot of calls to the PRNG and | |
1168 it doesn't require loading huge integers over and over. rand_prime() | |
1169 can also make primes congruent to 3 mod 4 [i.e for a blum integer] | |
1170 -- added a gf_sqrt() function that finds square roots in a GF(2^w) field | |
1171 -- fixed a bug in gf_div() that would return the wrong results if the divisor had a greator | |
1172 divisor than the dividend. | |
1173 | |
1174 January 4th, 2002 | |
1175 v0.20 -- Added the fixed MPI back in so RSA and DH are much faster again | |
1176 | |
1177 v0.19 -- Updated the manual to reflect the fact that Brian Gladman wrote the AES and Serpent code. | |
1178 -- DH, ECC and RSA signature/decryption functions check if the key is private | |
1179 -- new DH signature/verification code works just like the RSA/ECC versions | |
1180 | |
1181 January 3rd, 2002 | |
1182 v0.18 -- Added way more comments to each .C file | |
1183 -- fixed a bug in cbc_decrypt(pt, ct, key) where pt == ct [i.e same buffer] | |
1184 -- fixed RC5 so it reads the default rounds out of the cipher_descriptor table | |
1185 -- cleaned up ecc_export() | |
1186 -- Cleaned up dh_import() and ecc_import() which also perform more | |
1187 error checking now | |
1188 -- Fixed a serious flaw in rsa_import() with private keys. | |
1189 | |
1190 January 2nd, 2002 | |
1191 v0.17 -- Fixed a bug in the random prime generator that fixes the wrong bits to one | |
1192 -- ECC and DH code verify that the moduli and orders are in fact prime. That | |
1193 slows down the test routines alot but what are you gonna do? | |
1194 -- Fixed a huge bug in the mp_exptmod() function which incorrectly calculates g^x mod p for some | |
1195 values of p. I replaced it with a slow function. Once the author of MPI fixes his faster routine | |
1196 I will switch back. | |
1197 | |
1198 January 1st, 2002 [whoa new year!] | |
1199 v0.16 -- Improved GF division code that is faster. | |
1200 -- documented the GF code | |
1201 | |
1202 December 31st, 2001 | |
1203 v0.15 -- A 1792-bit and 2048-bit DH setting was added. Took me all night to | |
1204 find a 1792 and 2048-bit strong prime but what the heck | |
1205 -- Library now has polynomial-basis GF(2^w) routines I wrote myself. Can be used to perform | |
1206 ECC over GF(2^w) later on.... | |
1207 -- Fixed a bug with the defines that allows it to build in windows | |
1208 | |
1209 December 30th, 2001 | |
1210 v0.14 -- Fixed the xxx_encrypt() packet routines to make an IV of appropriate size | |
1211 for the cipher used. It was defaulting to making a 256-bit IV... | |
1212 -- base64_encode() now appends a NULL byte, um "duh" stupid mistake now fixed... | |
1213 -- spell checked the manual again... :-) | |
1214 | |
1215 December 30th, 2001 | |
1216 v0.13 -- Switching back to older copy of MPI since it works! arrg.. | |
1217 -- Added sign/verify functions for ECC | |
1218 -- all signature verification routines default to invalid signatures. | |
1219 -- Changed all calls to memset to zeromem. Fixed up some buffer problems | |
1220 in other routines. All calls to zeromem let the compiler determine the size | |
1221 of the data to wipe. | |
1222 | |
1223 December 29th, 2001 | |
1224 v0.12 -- Imported a new version of MPI [the bignum library] that should | |
1225 be a bit more stable [if you want to write your own bignum | |
1226 routines with the library that is...] | |
1227 -- Manual has way more info | |
1228 -- hash_file() clears stack now [like it should] | |
1229 -- The artificial cap on the hash input size of 2^32 bits has been | |
1230 removed. Basically I was too lazy todo 64-bit math before | |
1231 [don't ask why... I can't remember]. Anyways the hashes | |
1232 support the size of 2^64 bits [if you ever use that many bits in a message | |
1233 that's just wierd...] | |
1234 -- The hashes now wipe the "hash_state" after the digest is computed. This helps | |
1235 prevent the internal state of the hash being leaked accidently [i.e stack problems] | |
1236 | |
1237 December 29th, 2001 | |
1238 v0.11 -- Made #define's so you can trim the library down by removing | |
1239 ciphers, hashs, modes of operation, prngs, and even PK algorithms | |
1240 For example, the library with rijndael+ctr+sha1+ECC is 91KB compared | |
1241 to the 246kb the full library takes. | |
1242 -- Added ECC packet routines for encrypt/decrypt/sign/verify much akin to | |
1243 the RSA packet routines. | |
1244 -- ECC now compresses the public key, a ECC-192 public key takes 33 bytes | |
1245 for example.... | |
1246 | |
1247 December 28th, 2001 | |
1248 v0.10 -- going to restart the manual from scratch to make it more | |
1249 clear and professional | |
1250 -- Added ECC over Z/pZ. Basically provides as much as DH | |
1251 except its faster since the numbers are smaller. For example, | |
1252 A comparable 256-bit ECC key provides as much security as expected | |
1253 from a DH key over 1024-bits. | |
1254 -- Cleaned up the DH code to not export the symbol "sets[]" | |
1255 -- Fixed a bug in the DH code that would not make the correct size | |
1256 random string if you made the key short. For instance if you wanted | |
1257 a 512-bit DH key it would make a 768-bit one but only make up 512-bits | |
1258 for the exponent... now it makes the full 768 bits [or whatever the case | |
1259 is] | |
1260 -- Fixed another ***SERIOUS*** bug in the DH code that would default to 768-bit | |
1261 keys by mistake. | |
1262 | |
1263 December 25th, 2001 | |
1264 v0.09 -- Includes a demo program called file_crypt which shows off | |
1265 how to use the library to make a command line tool which | |
1266 allows the user to encode/decode a file with any | |
1267 hash (on the passphrase) and cipher in CTR mode. | |
1268 -- Switched everything to use typedef's now to clear up the code. | |
1269 -- Added AES (128/192 and 256 bit key modes) | |
1270 | |
1271 December 24th, 2001 | |
1272 v0.08 -- fixed a typo in the manual. MPI stores its bignums in | |
1273 BIG endian not little. | |
1274 -- Started adding a RNG to the library. Right now it tries | |
1275 to open /dev/random and if that fails it uses either the | |
1276 MS CSP or the clock drift RNG. It also allows callbacks | |
1277 since the drift RNG is slow (about 3.5 bytes/sec) | |
1278 -- the RNG can also automatically setup a PRNG as well now | |
1279 | |
1280 v0.07 -- Added basic DH routines sufficient to | |
1281 negotiate shared secrets | |
1282 [see the manual for a complete example!] | |
1283 -- Fixed rsa_import to detect when the input | |
1284 could be corrupt. | |
1285 -- added more to the manual. | |
1286 | |
1287 December 22nd, 2001 | |
1288 v0.06 -- Fixed some formatting errors in | |
1289 the hash functions [just source code cleaning] | |
1290 -- Fixed a typo in the error message for sha256 :-) | |
1291 -- Fixed an error in base64_encode() that | |
1292 would fail to catch all buffer overruns | |
1293 -- Test program times the RSA and symmetric cipher | |
1294 routines for kicks... | |
1295 -- Added the "const" modifier to alot of routines to | |
1296 clear up the purpose of each function. | |
1297 -- Changed the name of the library to "TomCrypt" | |
1298 following a suggestion from a sci.crypt reader.... | |
1299 | |
1300 v0.05 -- Fixed the ROL/ROR macro to be safe on platforms | |
1301 where unsigned long is not 32-bits | |
1302 -- I have added a bit more to the documentation | |
1303 manual "crypt.pdf" provided. | |
1304 -- I have added a makefile for LCC-Win32. It should be | |
1305 easy to port to other LCC platforms by changing a few lines. | |
1306 -- Ran a spell checker over the manual. | |
1307 -- Changed the header and library from "crypt" to "mycrypt" to not | |
1308 clash with the *nix package "crypt". | |
1309 | |
1310 v0.04 -- Fixed a bug in the RC5,RC6,Blowfish key schedules | |
1311 where if the key was not a multiple of 4 bytes it would | |
1312 not get loaded correctly. | |
1313 | |
1314 December 21st, 2001 | |
1315 | |
1316 v0.03 -- Added Serpent to the list of ciphers. | |
1317 | |
1318 v0.02 -- Changed RC5 to only allow 12 to 24 rounds | |
1319 -- Added more to the manual. | |
1320 | |
1321 v0.01 -- We will call this the first version. | |
1322 | |
1323 /* $Source: /cvs/libtom/libtomcrypt/changes,v $ */ | |
1324 /* $Revision: 1.106 $ */ | |
1325 /* $Date: 2005/06/27 12:37:06 $ */ | |
1326 |