comparison changes @ 380:d5faf4814ddb libtomcrypt-orig libtomcrypt-1.16

Update to LibTomCrypt 1.16
author Matt Johnston <>
date Thu, 11 Jan 2007 02:22:00 +0000
parents 59400faa4b44
280:59400faa4b44 380:d5faf4814ddb
1 December 16th, 2006
2 v1.16 -- Brian Gladman pointed out that a recent change to GCM broke how the IV was handled. Currently the code complies against his test vectors
3 so the code should be considered frozen now.
4 -- Trevor from Cryptography Research Inc. submitted patches to convert the ECC code to be generic allowing curve parameters to be submitted
5 at runtime.
6 -- Fixed various doxygen comments
7 -- Added UTF8 support to the ASN1 code
8 -- Fixed STOREXXH macros for x86 platforms (Fix found at Elliptic Inc.)
9 -- Added makefile.unix which is BSD compatible, you have to manually tweak it since well I don't use it normally
10 -- removed a few lingering memcpy's
11 -- Fixed memory free errors in ecc_sign_hash() that can arise if the mp_init_multi() fails
12 -- Fixed incorrect return value in pkcs_1_pss_decode() which would correctly set res to 0 (indicating an incorrect signature) but
13 would return CRYPT_OK to the caller
14 -- ltc_ecc_mulmod() could leak memory if mp_init(&mu) failed, fixed. Would you believe that ltc_ecc_mulmod_timing() had the same
15 bug? Also fixed. :-)
16 -- Added Shamir's trick to the ECC side (defined as LTC_ECC_SHAMIR, enabled by default), gets ~1.34x to ~1.40x faster ECC verifications
17 -- Added Brian's vector #46 to the GCM code. It catches the ctr counter error from v1.15. Originally I was going to add all of his vectors,
18 but they're not as easy to parse and I got a lot of other things to do. Regression!
19 -- Various other small fixes to the ECC code to clean up error handling (I think most of that was from the move in 1.06 to the plugins)
20 All of the errors were in cleaning up from heap failures. So they were not likely to be triggered in normal usage
21 Made similar fixes to the RSA and DSA code (my bad)
22 -- Cryptography Research Inc. contributed a bunch of fixes to silence warnings (with MSVC) w.r.t. assigned data to unsigned char types.
23 -- Martin Marko suggested some fixes to make the RNG build with WinCE.
24 -- Updates to the manual for print (some fixes thanks to Martin Marko)
27 November 17th, 2006
28 v1.15 -- Andreas Lange found that if sha256_init DID fail in fortuna it wouldn't clean up the state correctly. Thanks.
29 Fortunately sha256_init cannot fail (as of v1.14) :-)
30 -- Andreas Lange contributed RMD-256 and RMD-320 code.
31 -- Removed mutex locks from fortuna_import as they create a deadlock and aren't required anyways [Avi Zelmanovich]
32 -- Added LTC_NO_PROTOTYPES to avoid prototyping functions like memset/memcpy. Required for fans of GCC 3.3.x
33 -- David Eder caught a off by one overrun bug in pmac_done() which can be exploited if your output tag buffer is
34 smaller than the block size of the cipher, e.g. if you have a 4-byte buffer and you tell pmac_done that you want
35 a 4-byte TAG it will store 4 bytes but return an outlen of 5.
36 -- Added signatures to the ECC and RSA benchmarks
37 -- Added LTC_PROFILE to run the PK tests only once in the timing demo (so you can capture events properly)
38 -- Andreas contributed PKCS #1 v1.5 code that merged cleanly with the existing PKCS code. w00t.
39 (update: I had to fix it to include the digestInfo and what not. Bad Andreas, bad! hehehe)
40 -- Fixed a signed variable error in gcm_process() (hard to trigger bug fortunately)
41 -- Removed all memcmp/memset/memcpy from the source (replaced with X macros)
42 -- Renamed macros HMAC/OMAC/PMAC to have a LTC_ prefix. If you pass these on the command line please update your makefiles
43 -- Added XCBC-MAC support [RFC 3566]
44 -- fixed LOAD32H and LOAD64H to stop putting out that darn warning :-)
45 -- Added the Korean SEED block cipher [RFC 4269]
46 -- Added LTC_VALGRIND define which makes SOBER-128 and RC4 a pure PRNG (and not a stream cipher). Useful if you use
47 Valgrind to debug your code (reported by Andreas Lange)
48 -- Made SOBER-128 more portable by removing the ASCII key in the test function (my bad, sorry).
49 -- Martin Mocko pointed out that if you have no PRNGs defined the lib won't build. Fixed, also fixed for if you have no
50 hashes defined.
51 -- Sped up F8 mode with LTC_FAST
52 -- Made CTR mode RFC 3686 compliant (increment counter first), to enable, OR the value LTC_CTR_RFC3686 to the "mode"
53 parameter you pass to ctr_start(), otherwise it will be LTC compliant (e.g. encrypt then increment)
54 -- Added ctr_test() to test CTR mode against RFC 3686
55 -- Added crypt_fsa() ... O_o
56 -- Fixed LTC_ECC_TIMING_RESISTANT so it once again builds properly (pt add/dbl are through the plugin now)
57 -- Added ANSI X9.63 (sec 4.3.6) import/export of public keys (cannot export to compressed formats but will import
58 hybrid compressed)
59 -- Added SECP curves for 112, 128, and 160 bits (only the 'r1' curves)
60 -- Added 3GPP-F9 MAC (thanks to Greg Rose for the test vectors)
61 -- Added the KASUMI block cipher
62 -- Added F9/XCBC/OMAC callbacks to the cipher plugin
63 -- Added RSA PKCS #1 v1.5 signature/encrypt tests to rsa_test.c
64 -- Fix to yarrow_test() to not call yarrow_done() which is invalid in that context (thanks Valgrind)
65 -- Christophe Devine pointed out that Anubis would fail on various 64-bit UNIX boxes when "x>>24" was used as an index, we needed
66 to mask it with 0xFF. Thanks. Fixed.
68 August 0x1E, 0x07D6
69 v1.14 -- Renamed the chaining mode macros from XXX to LTC_XXX_MODE. Should help avoid polluting the macro name space.
70 -- clean up of SHA-256
71 -- Chris Colman pointed out that der_decode_sequence_* allows LTC_ASN1_SETOF to accept SEQUENCEs and vice versa.
72 Decoder [non-flexi decoder that is] is more strict now and requires a match.
73 -- Steffen Jaeckel pointed out a typo in the user manual (re: rsa_exptmod). Fixed. This disproves the notion that
74 nobody reads it. :-)
75 -- Made GCM a bit more portable w.r.t. handling the CTR IV (e.g. & with 255)
76 -- Add LTC_VERBOSE if you really want to see what test is doing :-)
77 -- Added SSE2 support to GCM [use GCM_TABLES_SSE2 to enable], shaves 2 cycles per byte on Opteron processors
78 Shaved 4 cycles on a Prescott (Intel P4)
79 Requires you align your gcm_state on a 16 byte boundary, see gcm_memory() for more info
80 -- Added missing prototype for f8_test_mode()
81 -- two fixes to CCM for corner cases [L+noncelen > 15] and fixing the CTR pad to encrypt the CBC-MAC tag
82 -- Franz Glasner pointed out the ARGTYPE=4 is not actually valid. Fixed.
83 -- Fixed bug in f8_start() if your key < saltkey unspecified behaviour occurs. :-(
84 -- Documented F8 mode. Yeah, because you read the manual.
85 -- Minor updates to the technotes.
88 June 17th, 2006
89 v1.13 -- Fixed to fortuna_start() to clean up state if an error occurs. Not really useful at this stage (sha256 can't fail) but useful
90 if I ever make fortuna pluggable
91 -- Mike Marin submitted a whole bunch of patches for fixing up the libs on traditional UNIX platforms. Go AIX! Thanks!
92 -- One of bugs found in the multi demo highlights that at least with gcc you need to pass integers with a UL prefix to ensure
93 they're unsigned long
94 -- Updated the FP ECC code to use affine points. It's teh fast.
95 -- Made it so many functions which return CRYPT_BUFFER_OVERFLOW now also indicate the required buffer size, note that not all functions
96 do this (most do though).
97 -- Added F8 chaining mode. It's super neato.
99 May 29th, 2006
100 v1.12 -- Fixed OID encoder/decoder/length to properly handle the first two parts of an OID, matches 2002 X.690 now.
101 -- [Wesley Shields] Allows both GMP/LTM and TFM to be defined now.
102 -- [Wesley Shields] GMP pluggin is cleaner now and doesn't use deprecated symbols. Yipee
103 -- Added count_lsb_bits to get the number of leading LSB zero bits there are.
104 -- Fixed a bug in the INTEGER encoders for values of -(256**k)/2
105 -- Added BOOLEAN type to ASN.1 thingy-ma-do-hicky
106 -- Testprof doesn't strictly require GMP ... oops [Nils Durner]
107 -- Added LTC_CALL and LTC_EXPORT macros in tomcrypt_cfg.h to support various calling and linker conventions
108 (Thanks to John Kirk from Demonware)
109 -- In what has to be the best thing since sliced bread I bring you MECC_FP which is the fixed point
110 ECC point multiplier. It's fast, it's sexy and what's more it's hella fast [did I mention it's fast?]
111 You can tune it somewhat with FP_LUT (default to 8) for look-up width.
112 Read section 8.2 of the manual for more info.
113 It is disabled by default, you'll have to build LTC with it defined to get it.
114 -- Fixed bug in ecc_test.c (from testprof) to include the 521 [not 512] bit curve. :-)
116 April 4th, 2006
117 v1.11 -- Removed printf's from lrw_test ... whoops
118 -- lrw_process now checks the return of the cipher ecb encrypt/decrypt calls
119 -- lrw_start was not using num_rounds ...
120 -- Adam Miller reported a bug in the flexi decoder with elements past the end of a sequence. Fixed.
121 -- Bruce Guenter suggested I use --tag=CC for libtool builds where the compiler may think it's C++. (I applied this to LTM and TFM)
122 -- Optimized the ECC for TFM a bit by removing the useless "if" statements (most TFM functions don't return error codes)
123 Actually shaved a good chunk of time off and made the code smaller. By default with TFM the stock LTC point add/dbl functions
124 will be totally omitted (ECC-256 make key times on a Prescott for old vs. new are 11.03M vs. 9.59M cycles)
125 -- added missing CVS tags to ltc_ecc_mulmod.c
126 -- corrected typo in tomcrypt_cfg.h about what the file has been called
127 -- corrected my address in the user manual. A "bit" out of date.
128 -- added lrw_gen to tv_gen
129 -- added GMP plugin, only tested on a AMD64 and x86_32 Gentoo Linux box so be aware
130 -- made runs diff case insensitivityly [whatever...] cuz GMP outputs lowercase satan text
131 -- added LDFLAGS to the makefile to allow cross porting linking options
132 -- added lrw_test() to the header file ... whoops
133 -- changed to .... mumble mumble
134 -- Updates to detect __STRICT_ANSI__ which is defined in --std=c99 modes (note -ansi is not supported as it lacks long long) so you can
135 build LTC out of the box with c99 (note: it'll be slower as there is no asm in this case)
136 -- Updated pelican.c and aes_tab.c to undef tables not-required. The tables are static so both AES and Pelican MAC would have copies. Save a few KB in the final binary.
137 -- Added LTC_NO_FAST to the makefile.icc to compensate for the fact ICC v9 can't handle it (Pelican MAC fails for instance)
139 February 11th, 2006
140 v1.10 -- Free ecb/cbc/ctr/lrw structures in timing code by calling the "done" function
141 -- fixed bug in lrw_process() which would always use the slow update ...
142 -- vastly sped up gcm_gf_mult() when LTC_FAST is defined. This speeds up LRW and GCM state creation, useful for servers with GCM
143 -- Removed NLS since there are some attacks against it.
144 -- fixed memory leak in rsa_import reported by John Kuhns
145 ++ re-released as the rsa fix was incorrect (bad John bad ... hehehe) and I missed some NULLs in the static descriptor entry for ciphers
147 January 26th, 2006
148 v1.09 -- Added missing doxygen comments to some of the ASN.1 routines
149 -- Added "easy button" define LTC_EASY and LTC will build with a subset of all the algos. Reduces build times for typical
150 configurations. Tunable [see tomcrypt_custom.h]
151 -- Added some error detection to reg_algs() of the testprof.a library to detect when the PRNG is not setup correctly (took me 10 mins to figure out, PITA!)
152 -- Similar fixes to timing demo (MD5 not defined when EASY is defined)
153 -- Added the NLS enc+mac stream cipher from QUALCOMM, disabled for this release, waiting on test vectors
154 -- Finally added an auto-update script for the makefiles. So when I add new files/dirs it can automatically fix up the makefiles [all four of them...]
155 -- Added LRW to the list of cipher modes supported
156 -- cleaned up ciphers definitions to remove cbc/cfb/ofb/ctr/etc from the namespace when not used.
158 November 24th, 2005
159 v1.08 -- Added SET and SET OF support to the ASN.1 side
160 -- Fixed up X macros, added QSORT to the mix [thanks SET/SETOF]
161 -- Added XMEMCMP to the list of X macros
162 -- In der_decode_sequence() the SHORT_INTEGER type was not being handled correctly [oddly enough it worked just enough to make RSA work ... go figure!]
163 -- Fixed bug in math descriptors where if you hadn't defined MECC (ECC support) you would get linker errors
164 -- Added RSA accelerators to the math descriptors to make it possible to not include the stock routines if you supply your own.
165 -- dsa_decrypt_key() was erroneously dependent on MECC not MDSA ... whoops
166 -- Moved DSA size limits to tomcrypt_pk.h so they're defined with LTC_NO_PK+MDSA
167 -- cleaned up tomcrypt_custom.h to make customizable PK easier (and also cleaned up the error traps so they're correctly reported)
169 November 18th, 2005
170 v1.07 -- Craig Schlenter pointed out the "encrypt" demo doesn't call ctr_start() correctly. That's because as of a few releases ago
171 I added support to set the mode of the counter at init time
172 -- Fixed some "testprof" make issues
173 -- Added RSA keygen to the math descriptors
174 -- Fixed install_test target ... oops
175 -- made the "ranlib" program renamable useful for cross-compiling
176 -- Made the cipher accelerators return error codes. :-)
177 -- Made CCM accept a pre-scheduled key to speed it up if you use the same key for multiple packets
178 -- Added "Katja" public key crypto. It's based on the recent N = p^2q work by Katja. I added OAEP padding
179 to it. Note this code has been disabled not because it doesn't work but because it hasn't been thoroughly
180 analyzed. It does carry some advantages over RSA (slightly smaller public key, faster decrypt) but also
181 some annoying "setup" issues like the primes are smaller which makes ECM factoring more plausible.
182 -- Made makefile accept a NODOCS flag to disable the requirement of tetex to install LTC for you no tetex people... all 3 of ya :-)
183 -- Cleaned up rsa_export() since "zero" was handled with a SHORT_INTEGER
184 -- Cleaned up the LIBTEST_S definitions in both GNU makefiles. A few minor touchups as well.
185 -- Made the cipher ecb encrypt/decrypt return an int as well, changed ALL dependent code to check for this.
186 -- der_decode_choice() would fail to mark a NULL as "used" when decoding. Fixed
187 -- ecc_decrypt_key() now uses find_hash_oid() to clean up the code ;-)
188 -- Added mp_neg() to the math descriptors.
189 -- Swapped arguments for the pkcs_1_mgf1() function so the hash_idx is the first param (to be more consistent)
190 -- Made the math descriptors buildable when RSA has been undefined
191 -- ECC timing demo now capable of detecting which curves have been defined
192 -- Refactored the ECC code so it's easier to maintain. (note: the form of this code hasn't really changed since I first added ECC ... :-/)
193 -- Updated the documentation w.r.t. ECC and the accelerators to keep it current
194 -- Fixed bug in ltc_init_multi() which would fail to free all allocated memory on error.
195 -- Fixed bug in ecc_decrypt_key() which could possibly lead to overflows (if MAXBLOCKSIZE > ECC_BUF_SIZE and you have a hash that emits MAXBLOCKSIZE bytes)
196 -- Added encrypt/decrypt to the DSA side (basically DH with DSA parameters)
197 -- Updated makefiles to remove references to the old DH object files and the ecc_sys.o crap ... clean code ahead!
198 -- ecc_import() now checks if the point it reads in lies on the curve (to prevent degenerative points from being used)
199 -- ECC code now ALWAYS uses the accelerator interface. This allows people who use the accelerators to not have the stock
200 ECC point add/dbl/mul code linked in. Yeah space savings! Rah Rah Rah.
201 -- Added LTC_MUTEX_* support to Yarrow and Fortuna allowing you to use respective prng_state as a global PRNG state [e.g. thread-safe] if you define one of the LTC_* defines at
202 build time (e.g. LTC_PTHREAD == pthreads)
203 -- Added PPC32 support to the rotate macros (tested on an IBM PPC 405) and LTC_FAST macros (it aint fast but it's faster than stock)
204 -- Added ltc_mp checks in all *_make_key() and *_import() which will help catch newbs who don't register their bignum first :-)
205 -- the UTCTIME type was missing from der_length_sequence() [oops, oh like you've never done that]
206 -- the main makefile allows you to rename the make command [e.g. MAKE=gmake gmake install] so you can build LTC on platforms where the default make command sucks [e.g. BSD]
207 -- Added DER flexi decoder which allows the decoding of arbitrary DER encoded packets without knowing
208 their structure in advance (thanks to MSVC for finding 3 bugs in it just prior to release! ... don't ask)
210 August 1st, 2005
211 v1.06 -- Fixed rand_prime() to accept negative inputs as a signal for BBS primes. [Fredrik Olsson]
212 -- Added fourth ARGCHK type which outputs to stderr and continues. Useful if you trap sigsegv. [Valient Gough]
213 -- Removed the DH code from the tree
214 -- Made the ECC code fully public (you can access ecc_mulmod directly now) useful for debuging
215 -- Added ecc test to tv_gen
216 -- Added hmac callback to hash descriptors.
217 -- Fixed two doxy comment errors in the UTCTIME functions
218 -- rsa_import() can now read OpenSSL format DER public keys as well as the PKCS #1 RSAPublicKey format.
219 Note that rsa_export() **ONLY** writes PKCS #1 formats
220 -- Changed MIN/MAX to only define if not already present. -- Kirk J from Demonware ...
221 -- Ported tv_gen to new framework (and yes, I made ecc vectors BEFORE changing the API and YES they match now :-))
222 -- ported testing scripts to support pluggable math. yipee!
223 -- Wrote a TFM descriptor ... yipee
224 -- Cleaned up LTC_FAST in CBC mode a bit
225 -- Merged in patches from Michael Brown for the sparc/sparc64 targets
226 -- Added find_hash_oid() to search for a hash by its OID
227 -- Cleaned up a few stray CLEAN_STACKs that should have been LTC_CLEAN_STACK
228 -- Added timing resistant ECC, enable by defining LTC_ECC_TIMING_RESISTANT then use ECC API as normal
229 -- Updated the ECC documentation as it was a bit out of date
1 June 27th, 2005 231 June 27th, 2005
2 v1.05 232 v1.05
3 -- Added Technote #6 which covers the current PK compliance. 233 -- Added Technote #6 which covers the current PK compliance.
4 -- Fixed buffer overflow in OAEP decoder 234 -- Fixed buffer overflow in OAEP decoder
5 -- Added CHOICE to the list of ASN.1 types 235 -- Added CHOICE to the list of ASN.1 types
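Review bot: This single hunk takes the bundled changelog from v1.05 straight to v1.16, and several of the inserted entries describe interface changes that callers in this tree need to be checked against before the update lands: the HMAC/OMAC/PMAC build macros gain an LTC_ prefix and the v1.15 entry itself says "If you pass these on the command line please update your makefiles"; the chaining-mode macros become LTC_XXX_MODE (v1.14); ctr_start() now takes a "mode" parameter, with encrypt-then-increment only the default when LTC_CTR_RFC3686 is not OR'd in (v1.15), and the v1.07 entry records that the library's own "encrypt" demo was already calling ctr_start() incorrectly because of that parameter; and the cipher ecb encrypt/decrypt callbacks now return an int that "ALL dependent code" is expected to check (v1.07, together with the accelerators returning error codes). The one-line commit message should also name the fixes with security impact that this changelog records, since they are the reason a consumer wants the update: pkcs_1_pss_decode() returning CRYPT_OK for a signature it had already judged invalid (v1.16), the off-by-one overrun in pmac_done() when the tag buffer is smaller than the cipher block size (v1.15), ecc_import() now rejecting points that do not lie on the curve (v1.07), and the possible overflow in ecc_decrypt_key() when MAXBLOCKSIZE exceeds ECC_BUF_SIZE (v1.07).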
211 441
212 October 29th, 2004 442 October 29th, 2004
213 v0.99 -- Merged in the latest version of LTM which includes all of the recent bug fixes 443 v0.99 -- Merged in the latest version of LTM which includes all of the recent bug fixes
214 -- Deprecated LTMSSE and removed it (to be replaced with TFM later on) 444 -- Deprecated LTMSSE and removed it (to be replaced with TFM later on)
215 -- Stefan Arentz pointed out that mp_s_rmap should be extern 445 -- Stefan Arentz pointed out that mp_s_rmap should be extern
216 -- Kristian Gjøsteen pointed out that there are typos in the 446 -- Kristian Gj?steen pointed out that there are typos in the
217 "test" makefile and minor issues in Yarrow and Sober [just cosmetics really] 447 "test" makefile and minor issues in Yarrow and Sober [just cosmetics really]
218 -- Matthew P. Cashdollar pointed out that "export" is a C++ keyword 448 -- Matthew P. Cashdollar pointed out that "export" is a C++ keyword
219 so changed the PRNG api to use "pexport" and "pimport" 449 so changed the PRNG api to use "pexport" and "pimport"
220 -- Updated "hashsum" demo so it builds ;-) 450 -- Updated "hashsum" demo so it builds ;-)
221 -- Added automatic support for x86-64 (will configure for 64-bit little endian automagically) 451 -- Added automatic support for x86-64 (will configure for 64-bit little endian automagically)
590 -- Sped up the ECC mulmod() routine by making the word size adapt to the input. Saves a whopping 9 point 820 -- Sped up the ECC mulmod() routine by making the word size adapt to the input. Saves a whopping 9 point
591 operations on 521-bit keys now (translates to about 8ms on my Athlon XP). I also now use barrett reduction 821 operations on 521-bit keys now (translates to about 8ms on my Athlon XP). I also now use barrett reduction
592 as much as possible. This sped the routine up quite a bit. 822 as much as possible. This sped the routine up quite a bit.
593 -- Fixed a huge flaw in ecc_verify_hash() where it would return CRYPT_OK on error... Now fixed. 823 -- Fixed a huge flaw in ecc_verify_hash() where it would return CRYPT_OK on error... Now fixed.
594 -- Fixed up by fixing an invalid query and the file is saved in non-windows [e.g. not CR/LF] format 824 -- Fixed up by fixing an invalid query and the file is saved in non-windows [e.g. not CR/LF] format
595 (fix due to Mika Boström) 825 (fix due to Mika Bostr?m)
596 -- Merged in LibTomMath for kicks 826 -- Merged in LibTomMath for kicks
597 -- Changed the build process so that by default "mycrypt_custom.h" is included and provided 827 -- Changed the build process so that by default "mycrypt_custom.h" is included and provided
598 The makefile doesn't include any build options anymore 828 The makefile doesn't include any build options anymore
599 -- Removed the PS2 and VC makefiles. 829 -- Removed the PS2 and VC makefiles.
600 830
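Review bot: The Mika Boström credit suffers the same lossy conversion as the name in the previous hunk, coming through as "Bostr?m" on the new side. Both lines should be fixed together before the update is merged so that the bundled changelog matches upstream byte for byte on these cosmetic lines.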
1319 -- Added more to the manual. 1549 -- Added more to the manual.
1320 1550
1321 v0.01 -- We will call this the first version. 1551 v0.01 -- We will call this the first version.
1322 1552
1323 /* $Source: /cvs/libtom/libtomcrypt/changes,v $ */ 1553 /* $Source: /cvs/libtom/libtomcrypt/changes,v $ */
1324 /* $Revision: 1.106 $ */ 1554 /* $Revision: 1.274 $ */
1325 /* $Date: 2005/06/27 12:37:06 $ */ 1555 /* $Date: 2006/12/16 19:08:17 $ */
1326 1556