1July 1st, 2018 2v1.18.2 3 -- Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408) 4 -- Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373) 5 -- Fix two-key 3DES (PR #390) 6 -- Fix accelerated CTR mode (PR #359) 7 -- Fix Fortuna PRNG (PR #363) 8 -- Fix compilation on platforms where cc doesn't point to gcc (PR #382) 9 -- Fix using the wrong environment variable LT instead of LIBTOOL (PR #392) 10 -- Fix build on platforms where the compiler provides __WCHAR_MAX__ but wchar.h is not available (PR #390) 11 -- Fix & re-factor crypt_list_all_sizes() and crypt_list_all_constants() (PR #414) 12 -- Minor fixes (PR's #350 #351 #375 #377 #378 #379) 13 14January 22nd, 2018 15v1.18.1 16 -- Fix wrong SHA3 blocksizes, thanks to Claus Fischer for reporting this via Mail (PR #329) 17 -- Fix NULL-pointer dereference in `ccm_memory()` with LTC_CLEAN_STACK enabled (PR #327) 18 -- Fix `ccm_process()` being unable to process input buffers longer than 256 bytes (PR #326) 19 -- Fix the `register_all_{ciphers,hashes,prngs}()` return values (PR #316) 20 -- Fix some typos, warnings and duplicate prototypes in code & doc (PR's #310 #320 #321 #335) 21 -- Fix possible undefined behavior with LTC_PTHREAD (PR #337) 22 -- Fix some DER bugs (PR #339) 23 -- Fix CTR-mode when accelerator is used (OP-TEE/optee_os #2086) 24 -- Fix installation procedure (Issue #340) 25 26October 10th, 2017 27v1.18.0 28 -- Bugfix multi2 29 -- Bugfix Noekeon 30 -- Bugfix XTEA 31 -- Bugfix rng_get_bytes() on windows where we could read from c:\dev\random 32 -- Fixed the Bleichbacher Signature attack in PKCS#1 v1.5 EMSA, thanks to Alex Dent 33 -- Fixed a potential cache-based timing attack in CCM, thanks to Sebastian Verschoor 34 -- Fix GCM counter reuse and potential timing attacks in EAX, OCB and OCBv3, 35 thanks to Raphaël Jamet 36 -- Implement hardened RSA operations when CRT is used 37 -- Enabled timing resistant calculations of ECC and RSA operations per default 38 -- Applied some patches from the OLPC project regarding PKCS#1 and preventing 39 the hash algorithms from overflowing 40 -- Larry Bugbee contributed the necessary stuff to more easily call libtomcrypt 41 from a dynamic language like Python, as shown in his pyTomCrypt 42 -- Nikos Mavrogiannopoulos contributed RSA blinding and export of RSA and DSA keys 43 in OpenSSL/GnuTLS compatible format 44 -- Patrick Pelletier contributed a smart volley of patches 45 -- Christopher Brown contributed some patches and additions to ASN.1/DER 46 -- Pascal Brand of STMicroelectronics contributed patches regarding CCM, the 47 XTS mode and RSA private key operations with keys without CRT parameters 48 -- RC2 now also works with smaller key-sizes 49 -- Improved/extended several tests & demos 50 -- Hardened DSA and RSA by testing (through Karel's perl-CryptX) 51 against Google's "Wycheproof" and Kudelski Security's "CDF" 52 -- Fixed all compiler warnings 53 -- Fixed several build issues on FreeBSD, NetBSD, Linux x32 ABI, HP-UX/IA64, 54 Mac OS X, Windows (32&64bit, Cygwin, MingW & MSVC) ... 55 -- Re-worked all makefiles 56 -- Re-worked most PRNG's 57 -- The code is now verified by a linter, thanks to Francois Perrad 58 -- Documentation (crypt.pdf) is now built deterministically, thanks to Michael Stapelberg 59 -- Add Adler32 and CRC32 checksum algorithms 60 -- Add Base64-URL de-/encoding and some strict variants 61 -- Add Blake2b & Blake2s (hash & mac), thanks to Kelvin Sherlock 62 -- Add Camellia block cipher 63 -- Add ChaCha (stream cipher), Poly1305 (mac), ChaCha20Poly1305 (encauth) 64 -- Add constant-time mem-compare mem_neq() 65 -- Add DER GeneralizedTime de-/encoding 66 -- Add DSA and ECC key generation FIPS-186-4 compliance 67 -- Add HKDF, thanks to RyanC (especially for also providing documentation :-) ) 68 -- Add OCBv3 69 -- Add PKCS#1 v1.5 mode of SSL3.0 70 -- Add PKCS#1 testvectors from RSA 71 -- Add PKCS#8 & X.509 import for RSA keys 72 -- Add stream cipher API 73 -- Add SHA3 & SHAKE 74 -- Add SHA512/256 and SHA512/224 75 -- Add Triple-DES 2-key mode, thanks to Paul Howarth 76 -- Brought back Diffie-Hellman 77 78May 12th, 2007 79v1.17 -- Cryptography Research Inc. contributed another small volley of patches, one to fix __WCHAR_DEFINED__ for BSD platforms, 80 another to silence MSVC warnings. 81 -- Added LTC_XCBC_PURE to XCBC mode which lets you use it in three-key mode. 82 -- [CRI] Added libtomcrypt.dsp for Visual C++ users. 83 -- [CRI] Added more functions for manipulating the ECC fixed point cache (including saving and loading) 84 -- [CRI] Modified ecc_make_key() to always produce keys smaller than base point order, for standards-compliance 85 -- Elliptic Semiconductor contributed XTS chaining mode to the cipher suite (subsequently optimized it) 86 -- Fixed xcbc_init() keylen when using single key mode. 87 -- Bruce Fortune pointed out a typo in the hmac_process() description in the manual. Fixed. 88 -- Added variable width counter support to CTR mode 89 -- Fixed CMAC (aka OMAC) when using 64-bit block ciphers and LTC_FAST ... my bad. 90 -- Fixed bug in ecc_is_valid() that would basically always return true 91 -- renamed a lot of macros to add the LTC_ prefix [e.g. RIJNDAEL => LTC_RIJNDAEL] 92 93December 16th, 2006 94v1.16 -- Brian Gladman pointed out that a recent change to GCM broke how the IV was handled. Currently the code complies against his test vectors 95 so the code should be considered frozen now. 96 -- Trevor from Cryptography Research Inc. submitted patches to convert the ECC code to be generic allowing curve parameters to be submitted 97 at runtime. 98 -- Fixed various doxygen comments 99 -- Added UTF8 support to the ASN1 code 100 -- Fixed STOREXXH macros for x86 platforms (Fix found at Elliptic Inc.) 101 -- Added makefile.unix which is BSD compatible, you have to manually tweak it since well I don't use it normally 102 -- removed a few lingering memcpy's 103 -- Fixed memory free errors in ecc_sign_hash() that can arise if the mp_init_multi() fails 104 -- Fixed incorrect return value in pkcs_1_pss_decode() which would correctly set res to 0 (indicating an incorrect signature) but 105 would return CRYPT_OK to the caller 106 -- ltc_ecc_mulmod() could leak memory if mp_init(&mu) failed, fixed. Would you believe that ltc_ecc_mulmod_timing() had the same 107 bug? Also fixed. :-) 108 -- Added Shamir's trick to the ECC side (defined as LTC_ECC_SHAMIR, enabled by default), gets ~1.34x to ~1.40x faster ECC verifications 109 -- Added Brian's vector #46 to the GCM code. It catches the ctr counter error from v1.15. Originally I was going to add all of his vectors, 110 but they're not as easy to parse and I got a lot of other things to do. Regression! 111 -- Various other small fixes to the ECC code to clean up error handling (I think most of that was from the move in 1.06 to the plugins) 112 All of the errors were in cleaning up from heap failures. So they were not likely to be triggered in normal usage 113 Made similar fixes to the RSA and DSA code (my bad) 114 -- Cryptography Research Inc. contributed a bunch of fixes to silence warnings (with MSVC) w.r.t. assigned data to unsigned char types. 115 -- Martin Marko suggested some fixes to make the RNG build with WinCE. 116 -- Updates to the manual for print (some fixes thanks to Martin Marko) 117 118 119November 17th, 2006 120v1.15 -- Andreas Lange found that if sha256_init DID fail in fortuna it wouldn't clean up the state correctly. Thanks. 121 Fortunately sha256_init cannot fail (as of v1.14) :-) 122 -- Andreas Lange contributed RMD-256 and RMD-320 code. 123 -- Removed mutex locks from fortuna_import as they create a deadlock and aren't required anyways [Avi Zelmanovich] 124 -- Added LTC_NO_PROTOTYPES to avoid prototyping functions like memset/memcpy. Required for fans of GCC 3.3.x 125 -- David Eder caught a off by one overrun bug in pmac_done() which can be exploited if your output tag buffer is 126 smaller than the block size of the cipher, e.g. if you have a 4-byte buffer and you tell pmac_done that you want 127 a 4-byte TAG it will store 4 bytes but return an outlen of 5. 128 -- Added signatures to the ECC and RSA benchmarks 129 -- Added LTC_PROFILE to run the PK tests only once in the timing demo (so you can capture events properly) 130 -- Andreas contributed PKCS #1 v1.5 code that merged cleanly with the existing PKCS code. w00t. 131 (update: I had to fix it to include the digestInfo and what not. Bad Andreas, bad! hehehe) 132 -- Fixed a signed variable error in gcm_process() (hard to trigger bug fortunately) 133 -- Removed all memcmp/memset/memcpy from the source (replaced with X macros) 134 -- Renamed macros HMAC/OMAC/PMAC to have a LTC_ prefix. If you pass these on the command line please update your makefiles 135 -- Added XCBC-MAC support [RFC 3566] 136 -- fixed LOAD32H and LOAD64H to stop putting out that darn warning :-) 137 -- Added the Korean SEED block cipher [RFC 4269] 138 -- Added LTC_VALGRIND define which makes SOBER-128 and RC4 a pure PRNG (and not a stream cipher). Useful if you use 139 Valgrind to debug your code (reported by Andreas Lange) 140 -- Made SOBER-128 more portable by removing the ASCII key in the test function (my bad, sorry). 141 -- Martin Mocko pointed out that if you have no PRNGs defined the lib won't build. Fixed, also fixed for if you have no 142 hashes defined. 143 -- Sped up F8 mode with LTC_FAST 144 -- Made CTR mode RFC 3686 compliant (increment counter first), to enable, OR the value LTC_CTR_RFC3686 to the "mode" 145 parameter you pass to ctr_start(), otherwise it will be LTC compliant (e.g. encrypt then increment) 146 -- Added ctr_test() to test CTR mode against RFC 3686 147 -- Added crypt_fsa() ... O_o 148 -- Fixed LTC_ECC_TIMING_RESISTANT so it once again builds properly (pt add/dbl are through the plugin now) 149 -- Added ANSI X9.63 (sec 4.3.6) import/export of public keys (cannot export to compressed formats but will import 150 hybrid compressed) 151 -- Added SECP curves for 112, 128, and 160 bits (only the 'r1' curves) 152 -- Added 3GPP-F9 MAC (thanks to Greg Rose for the test vectors) 153 -- Added the KASUMI block cipher 154 -- Added F9/XCBC/OMAC callbacks to the cipher plugin 155 -- Added RSA PKCS #1 v1.5 signature/encrypt tests to rsa_test.c 156 -- Fix to yarrow_test() to not call yarrow_done() which is invalid in that context (thanks Valgrind) 157 -- Christophe Devine pointed out that Anubis would fail on various 64-bit UNIX boxes when "x>>24" was used as an index, we needed 158 to mask it with 0xFF. Thanks. Fixed. 159 160August 0x1E, 0x07D6 161v1.14 -- Renamed the chaining mode macros from XXX to LTC_XXX_MODE. Should help avoid polluting the macro name space. 162 -- clean up of SHA-256 163 -- Chris Colman pointed out that der_decode_sequence_* allows LTC_ASN1_SETOF to accept SEQUENCEs and vice versa. 164 Decoder [non-flexi decoder that is] is more strict now and requires a match. 165 -- Steffen Jaeckel pointed out a typo in the user manual (re: rsa_exptmod). Fixed. This disproves the notion that 166 nobody reads it. :-) 167 -- Made GCM a bit more portable w.r.t. handling the CTR IV (e.g. & with 255) 168 -- Add LTC_VERBOSE if you really want to see what test is doing :-) 169 -- Added SSE2 support to GCM [use GCM_TABLES_SSE2 to enable], shaves 2 cycles per byte on Opteron processors 170 Shaved 4 cycles on a Prescott (Intel P4) 171 Requires you align your gcm_state on a 16 byte boundary, see gcm_memory() for more info 172 -- Added missing prototype for f8_test_mode() 173 -- two fixes to CCM for corner cases [L+noncelen > 15] and fixing the CTR pad to encrypt the CBC-MAC tag 174 -- Franz Glasner pointed out the ARGTYPE=4 is not actually valid. Fixed. 175 -- Fixed bug in f8_start() if your key < saltkey unspecified behaviour occurs. :-( 176 -- Documented F8 mode. Yeah, because you read the manual. 177 -- Minor updates to the technotes. 178 179 180June 17th, 2006 181v1.13 -- Fixed to fortuna_start() to clean up state if an error occurs. Not really useful at this stage (sha256 can't fail) but useful 182 if I ever make fortuna pluggable 183 -- Mike Marin submitted a whole bunch of patches for fixing up the libs on traditional UNIX platforms. Go AIX! Thanks! 184 -- One of bugs found in the multi demo highlights that at least with gcc you need to pass integers with a UL prefix to ensure 185 they're unsigned long 186 -- Updated the FP ECC code to use affine points. It's teh fast. 187 -- Made it so many functions which return CRYPT_BUFFER_OVERFLOW now also indicate the required buffer size, note that not all functions 188 do this (most do though). 189 -- Added F8 chaining mode. It's super neato. 190 191May 29th, 2006 192v1.12 -- Fixed OID encoder/decoder/length to properly handle the first two parts of an OID, matches 2002 X.690 now. 193 -- [Wesley Shields] Allows both GMP/LTM and TFM to be defined now. 194 -- [Wesley Shields] GMP pluggin is cleaner now and doesn't use deprecated symbols. Yipee 195 -- Added count_lsb_bits to get the number of leading LSB zero bits there are. 196 -- Fixed a bug in the INTEGER encoders for values of -(256**k)/2 197 -- Added BOOLEAN type to ASN.1 thingy-ma-do-hicky 198 -- Testprof doesn't strictly require GMP ... oops [Nils Durner] 199 -- Added LTC_CALL and LTC_EXPORT macros in tomcrypt_cfg.h to support various calling and linker conventions 200 (Thanks to John Kirk from Demonware) 201 -- In what has to be the best thing since sliced bread I bring you MECC_FP which is the fixed point 202 ECC point multiplier. It's fast, it's sexy and what's more it's hella fast [did I mention it's fast?] 203 You can tune it somewhat with FP_LUT (default to 8) for look-up width. 204 Read section 8.2 of the manual for more info. 205 It is disabled by default, you'll have to build LTC with it defined to get it. 206 -- Fixed bug in ecc_test.c (from testprof) to include the 521 [not 512] bit curve. :-) 207 208April 4th, 2006 209v1.11 -- Removed printf's from lrw_test ... whoops 210 -- lrw_process now checks the return of the cipher ecb encrypt/decrypt calls 211 -- lrw_start was not using num_rounds ... 212 -- Adam Miller reported a bug in the flexi decoder with elements past the end of a sequence. Fixed. 213 -- Bruce Guenter suggested I use --tag=CC for libtool builds where the compiler may think it's C++. (I applied this to LTM and TFM) 214 -- Optimized the ECC for TFM a bit by removing the useless "if" statements (most TFM functions don't return error codes) 215 Actually shaved a good chunk of time off and made the code smaller. By default with TFM the stock LTC point add/dbl functions 216 will be totally omitted (ECC-256 make key times on a Prescott for old vs. new are 11.03M vs. 9.59M cycles) 217 -- added missing CVS tags to ltc_ecc_mulmod.c 218 -- corrected typo in tomcrypt_cfg.h about what the file has been called 219 -- corrected my address in the user manual. A "bit" out of date. 220 -- added lrw_gen to tv_gen 221 -- added GMP plugin, only tested on a AMD64 and x86_32 Gentoo Linux box so be aware 222 -- made testme.sh runs diff case insensitivityly [whatever...] cuz GMP outputs lowercase satan text 223 -- added LDFLAGS to the makefile to allow cross porting linking options 224 -- added lrw_test() to the header file ... whoops 225 -- changed libtomcrypt.org to libtomcrypt.com .... mumble mumble 226 -- Updates to detect __STRICT_ANSI__ which is defined in --std=c99 modes (note -ansi is not supported as it lacks long long) so you can 227 build LTC out of the box with c99 (note: it'll be slower as there is no asm in this case) 228 -- Updated pelican.c and aes_tab.c to undef tables not-required. The tables are static so both AES and Pelican MAC would have copies. Save a few KB in the final binary. 229 -- Added LTC_NO_FAST to the makefile.icc to compensate for the fact ICC v9 can't handle it (Pelican MAC fails for instance) 230 231February 11th, 2006 232v1.10 -- Free ecb/cbc/ctr/lrw structures in timing code by calling the "done" function 233 -- fixed bug in lrw_process() which would always use the slow update ... 234 -- vastly sped up gcm_gf_mult() when LTC_FAST is defined. This speeds up LRW and GCM state creation, useful for servers with GCM 235 -- Removed NLS since there are some attacks against it. 236 -- fixed memory leak in rsa_import reported by John Kuhns 237 ++ re-released as the rsa fix was incorrect (bad John bad ... hehehe) and I missed some NULLs in the static descriptor entry for ciphers 238 239January 26th, 2006 240v1.09 -- Added missing doxygen comments to some of the ASN.1 routines 241 -- Added "easy button" define LTC_EASY and LTC will build with a subset of all the algos. Reduces build times for typical 242 configurations. Tunable [see tomcrypt_custom.h] 243 -- Added some error detection to reg_algs() of the testprof.a library to detect when the PRNG is not setup correctly (took me 10 mins to figure out, PITA!) 244 -- Similar fixes to timing demo (MD5 not defined when EASY is defined) 245 -- Added the NLS enc+mac stream cipher from QUALCOMM, disabled for this release, waiting on test vectors 246 -- Finally added an auto-update script for the makefiles. So when I add new files/dirs it can automatically fix up the makefiles [all four of them...] 247 -- Added LRW to the list of cipher modes supported 248 -- cleaned up ciphers definitions to remove cbc/cfb/ofb/ctr/etc from the namespace when not used. 249 250November 24th, 2005 251v1.08 -- Added SET and SET OF support to the ASN.1 side 252 -- Fixed up X macros, added QSORT to the mix [thanks SET/SETOF] 253 -- Added XMEMCMP to the list of X macros 254 -- In der_decode_sequence() the SHORT_INTEGER type was not being handled correctly [oddly enough it worked just enough to make RSA work ... go figure!] 255 -- Fixed bug in math descriptors where if you hadn't defined MECC (ECC support) you would get linker errors 256 -- Added RSA accelerators to the math descriptors to make it possible to not include the stock routines if you supply your own. 257 -- dsa_decrypt_key() was erroneously dependent on MECC not MDSA ... whoops 258 -- Moved DSA size limits to tomcrypt_pk.h so they're defined with LTC_NO_PK+MDSA 259 -- cleaned up tomcrypt_custom.h to make customizable PK easier (and also cleaned up the error traps so they're correctly reported) 260 261November 18th, 2005 262v1.07 -- Craig Schlenter pointed out the "encrypt" demo doesn't call ctr_start() correctly. That's because as of a few releases ago 263 I added support to set the mode of the counter at init time 264 -- Fixed some "testprof" make issues 265 -- Added RSA keygen to the math descriptors 266 -- Fixed install_test target ... oops 267 -- made the "ranlib" program renamable useful for cross-compiling 268 -- Made the cipher accelerators return error codes. :-) 269 -- Made CCM accept a pre-scheduled key to speed it up if you use the same key for multiple packets 270 -- Added "Katja" public key crypto. It's based on the recent N = p^2q work by Katja. I added OAEP padding 271 to it. Note this code has been disabled not because it doesn't work but because it hasn't been thoroughly 272 analyzed. It does carry some advantages over RSA (slightly smaller public key, faster decrypt) but also 273 some annoying "setup" issues like the primes are smaller which makes ECM factoring more plausible. 274 -- Made makefile accept a NODOCS flag to disable the requirement of tetex to install LTC for you no tetex people... all 3 of ya :-) 275 -- Cleaned up rsa_export() since "zero" was handled with a SHORT_INTEGER 276 -- Cleaned up the LIBTEST_S definitions in both GNU makefiles. A few minor touchups as well. 277 -- Made the cipher ecb encrypt/decrypt return an int as well, changed ALL dependent code to check for this. 278 -- der_decode_choice() would fail to mark a NULL as "used" when decoding. Fixed 279 -- ecc_decrypt_key() now uses find_hash_oid() to clean up the code ;-) 280 -- Added mp_neg() to the math descriptors. 281 -- Swapped arguments for the pkcs_1_mgf1() function so the hash_idx is the first param (to be more consistent) 282 -- Made the math descriptors buildable when RSA has been undefined 283 -- ECC timing demo now capable of detecting which curves have been defined 284 -- Refactored the ECC code so it's easier to maintain. (note: the form of this code hasn't really changed since I first added ECC ... :-/) 285 -- Updated the documentation w.r.t. ECC and the accelerators to keep it current 286 -- Fixed bug in ltc_init_multi() which would fail to free all allocated memory on error. 287 -- Fixed bug in ecc_decrypt_key() which could possibly lead to overflows (if MAXBLOCKSIZE > ECC_BUF_SIZE and you have a hash that emits MAXBLOCKSIZE bytes) 288 -- Added encrypt/decrypt to the DSA side (basically DH with DSA parameters) 289 -- Updated makefiles to remove references to the old DH object files and the ecc_sys.o crap ... clean code ahead! 290 -- ecc_import() now checks if the point it reads in lies on the curve (to prevent degenerative points from being used) 291 -- ECC code now ALWAYS uses the accelerator interface. This allows people who use the accelerators to not have the stock 292 ECC point add/dbl/mul code linked in. Yeah space savings! Rah Rah Rah. 293 -- Added LTC_MUTEX_* support to Yarrow and Fortuna allowing you to use respective prng_state as a global PRNG state [e.g. thread-safe] if you define one of the LTC_* defines at 294 build time (e.g. LTC_PTHREAD == pthreads) 295 -- Added PPC32 support to the rotate macros (tested on an IBM PPC 405) and LTC_FAST macros (it aint fast but it's faster than stock) 296 -- Added ltc_mp checks in all *_make_key() and *_import() which will help catch newbs who don't register their bignum first :-) 297 -- the UTCTIME type was missing from der_length_sequence() [oops, oh like you've never done that] 298 -- the main makefile allows you to rename the make command [e.g. MAKE=gmake gmake install] so you can build LTC on platforms where the default make command sucks [e.g. BSD] 299 -- Added DER flexi decoder which allows the decoding of arbitrary DER encoded packets without knowing 300 their structure in advance (thanks to MSVC for finding 3 bugs in it just prior to release! ... don't ask) 301 302August 1st, 2005 303v1.06 -- Fixed rand_prime() to accept negative inputs as a signal for BBS primes. [Fredrik Olsson] 304 -- Added fourth ARGCHK type which outputs to stderr and continues. Useful if you trap sigsegv. [Valient Gough] 305 -- Removed the DH code from the tree 306 -- Made the ECC code fully public (you can access ecc_mulmod directly now) useful for debuging 307 -- Added ecc test to tv_gen 308 -- Added hmac callback to hash descriptors. 309 -- Fixed two doxy comment errors in the UTCTIME functions 310 -- rsa_import() can now read OpenSSL format DER public keys as well as the PKCS #1 RSAPublicKey format. 311 Note that rsa_export() **ONLY** writes PKCS #1 formats 312 -- Changed MIN/MAX to only define if not already present. -- Kirk J from Demonware ... 313 -- Ported tv_gen to new framework (and yes, I made ecc vectors BEFORE changing the API and YES they match now :-)) 314 -- ported testing scripts to support pluggable math. yipee! 315 -- Wrote a TFM descriptor ... yipee 316 -- Cleaned up LTC_FAST in CBC mode a bit 317 -- Merged in patches from Michael Brown for the sparc/sparc64 targets 318 -- Added find_hash_oid() to search for a hash by its OID 319 -- Cleaned up a few stray CLEAN_STACKs that should have been LTC_CLEAN_STACK 320 -- Added timing resistant ECC, enable by defining LTC_ECC_TIMING_RESISTANT then use ECC API as normal 321 -- Updated the ECC documentation as it was a bit out of date 322 323June 27th, 2005 324v1.05 325 -- Added Technote #6 which covers the current PK compliance. 326 -- Fixed buffer overflow in OAEP decoder 327 -- Added CHOICE to the list of ASN.1 types 328 -- Added UTCTIME to the list of ASN.1 types 329 -- Added MUTEX locks around descriptor table functions [but not on the functions that are dependent on them] 330 All functions call *_is_valid() before using a descriptor index which means the respective table must be unlocked before 331 it can be accessed. However, during the operation [e.g. CCM] if the descriptor has been altered the results will be 332 undefined. 333 -- Minor updates to the manual to reflect recent changes 334 -- Added a catch to for an error that should never come up in rsa_exptmod(). Just being thorough. 335 336June 15th, 2005 337v1.04 338 -- Fixed off by one [bit] error in dsa_make_key() it was too high by one bit [not a security problem just inconsistent] 339 -- ECC-224 curve was wrong [it was an ok curve just not NIST, so no security flaw just interoperability]. 340 -- Removed point compression since it slows down ECC ops to save a measly couple bytes. 341 This makes the ecc export format incompatible with 1.03 [it shouldn't change in the future] 342 -- Removed ECC-160 from timing and added the other curves 343 344June 9th, 2005 345v1.03 346 -- Users may want to note that on a P4/GCC3.4 platform "-fno-regmove" greatly accelerates the ciphers/hashes. 347 -------------------------------------------------------------------------------------------------------------- 348 -- Made it install the testing library in the icc/static makefiles 349 -- Found bug in ccm_memory.c which would fail to compile when LTC_CLEAN_STACK was enabled 350 -- Simon Johnson proposed I do a fully automated test suite. Hence "testme.sh" was born 351 -- Added LTC_NO_TEST which forces test vectors off (regardless of what tomcrypt_custom.h has) 352 -- Added LTC_NO_TABLES which disables large tables (where possible, regardless of what tomcrypt_custom.h has) 353 -- New test script found a bug in twofish.c when TABLES was disabled. Yeah testing! 354 -- Added a LTC_FAST specific test to the testing software. 355 -- Updated test driver to actually halt on errors and just print them out (useful for say... automated testing...) 356 -- Added bounds checking to Pelican MAC 357 -- Added BIT and OCTET STRING to the ASN.1 side of things. 358 -- Pekka Riikonen pointed out that my ctr_start() function should accept the counter mode. 359 -- Cleaned up warnings in testprof 360 -- Removed redundant mu and point mapping in ecc_verify_hash() so it should be a bit faster now 361 -- Pekka pointed out that the AES key structure was using 32 bytes more than it ought to. 362 -- Added quick defines to remove entire classes of algorithms. This makes it easier if you want to build with just 363 one algorithm (say AES or SHA-256). Defines are LTC_NO_CIPHERS, LTC_NO_MODES, LTC_NO_HASHES, LTC_NO_MACS, 364 LTC_NO_PRNGS, LTC_NO_PK, LTC_NO_PKCS 365 -- As part of the move for ECC to X9.62 I've changed the signature algorithm to EC DSA. No API changes. 366 -- Pekka helped me clean up the PKCS #1 v2.1 [OAEP/PSS] code 367 -- Wrote new DER SEQUENCE coder/decoder 368 -- RSA, DSA and ECDSA now use the DER SEQUENCE code (saves a lot of code!) 369 -- DSA output is now a DER SEQUENCE (so not compatible with previous releases). 370 -- Added Technote #5 which shows how to build LTC on an AMD64 to have a variety of algorithms in only ~80KB of code. 371 -- Changed temp variable in LOAD/STORE macros to "ulong32" for 32-bit ops. Makes it safer on Big endian platforms 372 -- Added INSTALL_GROUP and INSTALL_USER which you can specify on the build to override the default USER/GROUP the library 373 is to be installed as 374 -- Removed "testprof" from the default build. 375 -- Added IA5, NULL and Object Identifier to the list of ASN.1 DER supported types 376 -- The "no_oops" target (part of zipup) now scans for non-cvs files. This helps prevent temp/scratch files from appearing in releases ;-) 377 -- Added DERs for missing hashes, but just the OID not the PKCS #1 v1.5 additions. 378 -- Removed PKCS #1 v1.5 from the tree since it's taking up space and you ought to use v2.1 anyways 379 -- Kevin Kenny pointed out a few stray // comments 380 -- INTEGER code properly supports negatives and zero padding [Pekka!] 381 -- Sorted asn1/der/ directory ... less of a mess now ;-) 382 -- Added PRINTABLE STRING type 383 -- Removed ECC-160 as it wasn't a standard curve 384 -- Made ecc_shared_secret() ANSI X9.63 compliant 385 -- Changed "printf" to "fprintf(stderr, " in the testbench... ;-) 386 -- Optimized the GCM table creation. On 1KB packets [with key switching] the new GCM is 12.7x faster than before. 387 -- Changed OID representation for hashes to be just a list of unsigned longs (so you can compare against them nicely after decoding a sequence) 388 -- ECC code now uses Montgomery reduction ... it's even faster [ECC-256 make key down from 37.4M to 4.6M cycles on an Athlon64] 389 -- Added SHORT_INTEGER so users can easily store DER encoded INTEGER types without using the bignum math library 390 -- Fixed OMAC code so that with LTC_FAST it doesn't require that LTC_FAST_TYPE divides 16 [it has to divide the block size instead] 391 -- ECC key export is now a simple [and documented] SEQUENCE, the "encrypt_key" also uses a new SEQUENCE format. 392 -- Thanks goes to the following testers 393 Michael Brown - Solaris 10/uSPARCII 394 Richard Outerbridge - MacOS 395 Martin Carpenter - Solaris 8/uSPARCII [Thanks for cleaning up the scripts] 396 Greg Rose - ... SunOS 5.8/SPARC [... what's with the SPARCS?] 397 Matt Johnston - MacOS X [Thanks for pointing out GCC 4 problems with -Os] 398 399April 19th, 2005 400v1.02 401 -- Added LTC_TEST support to gcm_test() 402 -- "pt/ct" can now be NULL in gcm_process() if you are processing zero bytes 403 -- Optimized GCM by removing the "double copy" handling of the plaintext/aad 404 -- Richard Outerbridge pointed out that x86_prof won't build on MACOS and that the manual 405 erroneously refers to "mycrypt" all over the place. Fixed. 406 407April 17th, 2005 408v1.01 409 ** Secure Science Corporation has supported this release cycle by sponsoring the development time taken. Their 410 continuing support of this project has helped me maintain a steady pace in order to keep LibTomCrypt up to date, 411 stable and more efficient. 412 ----------------------------------------------------------------------------------------------------- 413 -- Updated base64_decode.c so if there are more than 3 '=' signs it would stop parsing 414 -- Merged in latest mpi that fixed a few bugs here and there 415 -- Updated OAEP encoder/decoder to catch when the hash output is too large 416 Cleaned up PSS code too 417 -- Andy Bontoft fixed a bug in my demos/tests/makefile.msvc ... seems "dsa_test.c" isn't an object 418 afterall. Thanks. 419 -- Made invalid ECC key sizes (configuration) not hard fault the program (it returns an error code now) 420 -- SAFER has been re-enabled after I was pointed to http://www.ciphersbyritter.com/NEWS2/95032301.HTM 421 [Mark Kotiaho] 422 -- Added CCM mode to the encauth list (now has EAX, OCB and CCM, c'est un treo magnifique!) 423 -- Added missing ASN.1 header to the RSA keys ... oops... now the rsa_export/import are FULLY compatible 424 with other libs like OpenSSL (comment: Test vectors would go a long way RSA...) 425 -- Manually merged in fix to the prime_random_ex() LTM function that ensures the 2nd MSB is set properly. Now 426 When you say "I want a 1024/8 byte RSA key" the MSB bit of the modulus is set as expected. Note I generally 427 don't view this as a "huge issue" but it's just one less nit to worry about. [Bryan Klisch] 428 -- A new CVS has been setup on my Athlon64 box... if you want developer access send me an email (and at this point the email would have to be awesome). 429 -- Updated API for ECB and CBC shell code. Now can process N whole blocks in one call (like $DEITY intended) 430 -- Introduced a new "hardware accel" framework that can be used to speed up cipher ECB, CBC and CTR mode 431 calls. Later on dependent code (e.g. OMAC, CCM) will be re-written to use the generic cbc/ctr functions. But now 432 if you [say] call ctr_encrypt() with a cipher descriptor that has hardware CTR it will automatically 433 be used (e.g. no code rewrites) 434 -- Now ships with 20% more love. 435 -- x86_prof now uses ECB shell code (hint: accelerators) and outputs cycles per BLOCK not byte. This will make it a bit 436 easier to compare hardware vs. software cipher implementations. It also emits timings for CBC and CTR modes 437 -- [Peter LaDow] fixed a typo w.r.t. XREALLOC macro (spelling counts kids!) 438 -- Fixed bug with __x86_64__ where ROL64/ROR64 with LTC_NO_ROLC would be the 32-bit versions instead... 439 -- Shipping with preliminary GCM code (disabled). It's buggy (stack overflow hidden somewhere). If anyone can spot it let me know. 440 -- Added Pelican MAC [it's an AES based fast MAC] to the list of supported MACs 441 -- Added LTC_FAST [and you can disable by defining LTC_NO_FAST] so that CBC and CTR mode XOR whole words [e.g. 32 or 64 bits] at a time 442 instead of one byte. On my AMD64 this reduced the overhead for AES-128-CBC from 4.56 cycles/byte to around 1 cycle/byte. This requires 443 that you either allow unaligned read/writes [e.g. x86_32/x86_64] or align all your data. It won't go out of it's way to ensure 444 aligned access. Only enabled for x86_* platforms by default since they allow unaligned read/writes. 445 -- Added LTC_FAST support to PMAC (drops the cycle/byte by about 9 cycles on my AMD64) [note: I later rewrote this prior to release] 446 -- Updated "profiled" target to work with the new directory layout 447 -- Added [demo only] optimized RC5-CTR code to x86_prof demo to show off how to make an accelerator 448 [This has been removed prior to release... It may re-appear later] 449 -- Added CCM acelerator callbacks to the list [now supports ECB, CTR, CBC and now CCM]. 450 -- Added chapter to manual about accelerators (you know you want it) 451 -- Added "bswap" optimizations to x86 LOAD/STORE with big endian. Can be disabled by defining LTC_NO_BSWAP 452 -- LTC_NO_ASM is now the official "disable all non-portable stuff" macro. When defined it will make the code endian-neutral, 453 disable any form of ASM and disable LTC_FAST load/stores. Essentially build the library with this defined if you're having 454 trouble building the library (old GCCs for instance dislike the ROLc macro) 455 -- Added tomcrypt_mac.h and moved MAC/encMAC functions from tomcrypt_hash.h into it 456 -- Added "done" function to ciphers and the five chaining modes [and things like omac/pmac/etc] 457 -- Changed install group to "wheel" from "root". 458 -- Replaced // comments with /**/ so it will build on older UNIX-like platforms 459 -- x86_prof builds and runs with IntelCC fine now 460 -- Added "stest" build to intel CC to test static linked from within the dir (so you don't have to install to test) 461 -- Moved testing/benchmark into testprof directory and build it as part of the build. Now you can link against libtomcrypt_prof.a to get 462 testing info (hint: hardware developers ;-) ) 463 -- Added CCM to tv_gen 464 -- Added demos to MSVC makefile 465 -- Removed -funroll-all-loops from GCC makefile and replaced with -funroll-loops which is a bit more sane (P4 ain't got much cache for the IDATA) 466 -- Fixed GCM prior to release and re-enabled it. It has not been optimized but it does conform when compiled with optimizations. 467 -- I've since optimized GCM and CCM. They're close in speed but GCM is more flexible imho (though EAX is more flexible than both) 468 -- For kicks I optimized the ECC code to use projective points. Gets between 3.21x (Prescott P4) to 4.53x (AMD64) times faster than before at 160-bit keys and the 469 speedup grows as the keysize grows. Basically removing most practical reasons to "not use the ECC code". Enjoy. 470 -- Added LTC_FAST support to OMAC/PMAC and doubled it's speed on my amd64 [faster on the P4 too I guess] 471 -- Added GCM to tv_gen 472 -- Removed "makefile.cygwin_dll" as it's not really used by anyone and not worth the effort (hell I hardly maintain the MSVC makefiles ...) 473 -- Updated a few files in the "misc" directory to have correct @file comments for doxygen 474 -- Removed "profile" target since it was slower anyways (go figure...) 475 476December 31st, 2004 477v1.00 478 -- Added "r,s == 0" check to dsa_verify_hash() 479 -- Added "multi block" helpers for hash, hmac, pmac and omac routines so you can process multiple non-adjacent 480 blocks of data with one call (added demos/multi.c to make sure they work) 481 -- Note these are not documented but they do have doxygen comments inside them 482 -- Also I don't use them in other functions (like pkcs_5_2()) because I didn't have the time. Job for the new LTC maintainer ;-) 483 -- Added tweaked Anubis test vectors and made it default (undefined ANUBIS_TWEAK to get original Anubis) 484 -- Merged in fix for mp_prime_random_ex() to deal with MSB and LSB "bugs" 485 -- Removed tim_exptmod() completely, updated several RSA functions (notably v15 and the decrypt/verify) so they 486 don't require a prng now 487 -- This release brought to you by the fine tunes of Macy Gray. We miss you. 488 489December 23rd, 2004 490v1.00rc1 491 -- Renamed "mycrypt_*" to "tomcrypt_*" to be more specific and professional 492 Now just include "tomcrypt.h" instead of "mycrypt.h" to get LTC ;-) 493 -- Cleaned up makefiles to ensure all headers are correctly installed 494 -- Added "rotate by constant" macros for portable, x86-32 and x86-64 495 You can disable this new code with LTC_NO_ROLC which is useful for older GCCs 496 -- Cleaned up detection of x86-64 so it works for ROL/ROR macros 497 -- Fixed rsa_import() so that it would detect multi-prime RSA keys and error appropriately 498 -- Sorted the source files by category and updated the makefiles appropriately 499 -- Added LTC_DER define so you can trim out DER code if not required 500 -- Fixed up RSA's decrypt functions changing "res" to "stat" to be more in sync 501 with the signature variables nomenclature. (no code change just renamed the arguments) 502 -- Removed all labels starting with __ and replaced with LBL_ to avoid namespace conflicts (Randy Howard) 503 -- Merged in LTM fix to mp_prime_random_ex() which zap'ed the most significant byte if the bit size 504 requested was a multiple of eight. 505 -- Made RSA_TIMING off by default as it's not terribly useful [and likely to be deprecated] 506 -- Renamed SMALL_CODE, CLEAN_STACK and NO_FILE to have a LTC_ prefix to avoid namespace collisions 507 with other programs. e.g. SMALL_CODE => LTC_SMALL_CODE 508 -- Zed Shaw pointed out that on certain systems installing libs as "root" isn't possible as the super-user 509 is not root. Now the makefiles allow this to be changed easily. 510 -- Renamed "struct _*_descriptor" to "struct ltc_*_descriptor" to avoid using a leading _ 511 Also renamed _ARGCHK to LTC_ARGCHK 512 -- Zed Shaw pointed out that I still defined the prng structs in tomcrypt_prng.h even if they 513 weren't defined. This made undef'ing FORTUNA break the build. 514 -- Added LTC_NO_ASM to disable inline asm macros [ROL/ROR/etc] 515 -- Changed RSA decrypt functions to change the output length variable name from "keylen" to "outlen" to make 516 it more consistent. 517 -- Added the 64-bit Khazad block cipher [NESSIE] 518 -- Added the 128-bit Anubis block cipher [with key support for 128...320 bit keys] [NESSIE] 519 -- Changes to several MAC functions to rename input arguments to more sensible names 520 -- Removed FAST_PK support from dh_sys.c 521 -- Declared deskey() from des.c as static instead of a global 522 -- Added pretty much all practical GCC warning tests to the GCC [related] makefiles. These additional 523 warnings can easily be disabled for those with older copies of GCC [or even non GNU cc's] 524 -- Added doxygen @ tags to the code... phew that was a hell of a lot of [repetitive] work 525 -- Also added pre-configured Doxygen script. 526 -- Cleaned up quite a few functions [ciphers, pk, etc] to make the parameters naming style consistent 527 E.g. ciphers keys are called "skey" consistently now. The input to PK encryption is called "in", etc. 528 These changes require no code changes on the behalf of developers fortunately 529 -- Started a SAFER+ optimizer [does encrypt only] which shaves a good 30 or so cycles/byte on my AMD64 530 at an expense of huge code. It's in notes/etc/saferp_optimizer.c 531 -- DSA sign/verify now uses DER encoded output/inputs and no LTC style headers. 532 -- Matt Johnston found a missing semi-colon in mp_exptmod(). Fix has been merged in. 533 534October 29th, 2004 535v0.99 -- Merged in the latest version of LTM which includes all of the recent bug fixes 536 -- Deprecated LTMSSE and removed it (to be replaced with TFM later on) 537 -- Stefan Arentz pointed out that mp_s_rmap should be extern 538 -- Kristian Gj?steen pointed out that there are typos in the 539 "test" makefile and minor issues in Yarrow and Sober [just cosmetics really] 540 -- Matthew P. Cashdollar pointed out that "export" is a C++ keyword 541 so changed the PRNG api to use "pexport" and "pimport" 542 -- Updated "hashsum" demo so it builds ;-) 543 -- Added automatic support for x86-64 (will configure for 64-bit little endian automagically) 544 -- Zhi Chen pointed out a bug in rsa_exptmod which would leak memory on error. 545 -- Made hash functions "init" return an int. slight change to API ;-( 546 -- Added "CHC" mode which turns any cipher into a hash the other LTC functions can use 547 -- Added CHC mode stuff to demos such as tv_gen and hashsum 548 -- Added "makefile.shared" which builds and installs shared/static object copies 549 of the library. 550 -- Added DER for bignum support 551 -- RSA is now fully joy. rsa_export/rsa_import use PKCS #1 encodings and should be 552 compatible with other crypto libs that use the format. 553 -- Added support for x86-64 for the ROL/ROR macros 554 -- Changed the DLL and SO makefiles to optimize for speed, commented SMALL_CODE in 555 mycrypt_custom.h and added -DSMALL_CODE to the default makefile 556 -- Updated primality testing code so it does a minimum of 5 tests [of Miller-Rabin] 557 (AFAIK not a security fix, just warm fuzzies) 558 -- Minor updates to the OMAC code (additional __ARGCHK and removed printf from omac_test... oops!) 559 -- Update build and configuration info which was really really really out of date. (Chapter 14) 560 ++ Minor update, switch RSA to use the PKCS style CRT 561 562August 6th, 2004 563v0.98 -- Update to hmac_init to free all allocated memory on error 564 -- Update to PRNG API to fix import/export functions of Fortuna and Yarrow 565 -- Added test functions to PRNG api, RC4 now conforms ;-) [was a minor issue] 566 -- Added the SOBER-128 PRNG based off of code donated by Greg Rose. 567 -- Added Tech Note #4 [notes/tech0004.txt] 568 -- Changed RC4 back [due to request]. It will now XOR the output so you can use it like 569 a stream cipher easily. 570 -- Update Fortuna's export() to emit a hash of each pool. This means that the accumulated 571 entropy that was spread over all the pools isn't entirely lost when you export/import. 572 -- Zhi Chen suggested a comment for rsa_encrypt_key() to let users know [easily] that it was 573 PKCS #1 v2.0 padding. (updated other rsa_* functions) 574 -- Cleaned up Noekeon to remove unrolling [wasn't required, was messy and actually slower with GCC/ICC] 575 -- Updated RC4 so that when you feed it >256 bytes of entropy it quietly ignores additional 576 bytes. Also removed the % from the key setup to speed it up a bit. 577 -- Added cipher/hash/prng tests to x86_prof to help catch bugs while testing 578 -- Made the PRNG "done" return int, fixed sprng_done to not require prng* to be non-null 579 -- Spruced up mycrypt_custom.h to trap more errors and also help prevent LTMSSE from being defined 580 on non-i386 platforms by accident. 581 -- Added RSA/ECC/DH speed tests to x86_prof and cleaned it up to build with zero warnings 582 -- Changed Fortuna to count only entropy [not the 2 byte header] added to pool[0] into the 583 reseed mechanism. 584 -- Added "export_size" member to prng_descriptor tables so you can know in advance the size of 585 the exported state for any given PRNG. 586 -- Ported over patch on LTM 0.30 [not ready to release LTM 0.31] that fixes bug in mp_mul()/mp_div() 587 that used to result in negative zeroes when you multiplied zero by a negative integer. 588 (patch due to "Wolfgang Ehrhardt" <Wolfgang.Ehrhardt@munich.netsurf.de>) 589 -- Fixed rsa_*decrypt_key() and rsa_*verify_hash() to default to invalid "stat" or "res". This way 590 if any of the higher level functions fail [before you get to the padding] the result will be in 591 a known state]. Applied to both v2 and v1.5 padding helpers. 592 -- Added MACs to x86_prof 593 -- Fixed up "warnings" in x86_prof and tv_gen 594 -- Added a "profiled" target back [for GCC 3.4 and ICC v8]. Doesn't seem to help but might be worth 595 tinkering with. 596 -- Beefed up load/store test in demos/test 597 598 ++ New note, in order to use the optimized LOAD/STORE macros your platform 599 must support unaligned 32/64 bit load/stores. The x86s support this 600 but some [ARM for instance] do not. If your platform cannot perform 601 unaligned operations you must use the endian neutral code which is safe for 602 any sort of platform. 603 604July 23rd, 2004 605v0.97b -- Added PKCS #1 v1.5 RSA encrypt/sign helpers (like rsa_sign_hash, etc...) 606 -- Added missing prng check to rsa_decrypt_key() [not critical as I don't use 607 descriptors directly in that function] 608 -- Merged in LTM-SSE, define LTMSSE before you build and you will get SSE2 optimized math ;-) 609 (roughly 3x faster on a P4 Northwood). By default it will compile as ISO C portable 610 code (when LTMSSE is undefined). 611 -- Fixed bug in ltc_tommath.h where I had the kara/toom cutoffs not marked as ``extern'' 612 Thanks to "Stefan Arentz" <stefan at organicnetwork.net> 613 -- Steven Dake <scd@broked.org> and Richard Amacker <ramacker@yahoo.com> submitted patches to 614 fix pkcs_5_2(). It now matches the output of another crypto library. Whoops... hehehe 615 -- Updated PRNG api. Added Fortuna PRNG to the list of supported PRNGs 616 -- Fixed up the descriptor tables since globals are automatically zero'ed on startup. 617 -- Changed RC4 to store it's output. If you want to encrypt with RC4 618 you'll have to do the XOR yourself. 619 -- Fixed buffer overflows/overruns in the HMAC code. 620 621 ++ API change for the PRNGs there now is a done() function per PRNG. You 622 should call it when you are done with a prng state. So far it's 623 not absolutely required (won't cause problems) but is a good idea to 624 start. 625 626 627June 23rd, 2004 628v0.97a ++ Fixed several potentially crippling bugs... [read on] 629 -- Fixed bug in OAEP decoder that would incorrectly report 630 buffer overflows. [Zhi Chen] 631 -- Fixed headers which had various C++ missing [extern "C"]'s 632 -- Added "extern" to sha384_desc descriptor which I removed by mistake 633 -- Fixed bugs in ENDIAN_BIG macros using the wrong byte order [Matt Johnston] 634 -- Updated tiger.c and des.c to not shadow "round" which is intrinsic on 635 some C compilers. 636 -- Updated demos/test/rsa_test.c to test the RSA functionality better 637 ++ This update has been tested with GCC [v3.3.3], ICC [v8] and MSVC [v6+SP6] 638 all on a x86 P4 [GCC/ICC tested in Gentoo Linux, MSVC in WinXP] 639 ++ Outcome: The bug Zhi Chen pointed out has been fixed. So have the bugs 640 that Matt Johnston found. 641 642June 19th, 2004 643v0.97 -- Removed spurious unused files [arrg!] 644 -- Patched buffer overflow in tim_exptmod() 645 -- Fixed buffer overrun bug in pkcs_1_v15_es_decode() 646 -- Reduced stack usage in PKCS #1 v2.0 padding functions (by several KBs) 647 -- Removed useless extern's that were an artifact from the project start... ;-) 648 -- Replaced memcpy/memset with XMEMCPY and XMEMSET for greater flexibility 649 -- fixed bugs in hmac_done()/hmac_init()/[various others()] where I didn't trap errors 650 -- Reduced stack usage in OMAC/PMAC/HMAC/EAX/OCB/PKCS#5 by mallocing any significant sized 651 arrays (e.g. > 100 bytes or so). Only in non-critical functions (e.g. eax_init()) 652 -- "Zhi Chen" <zhi@massiveincorporated.com> pointed out that rsa_decrypt_key() requires 653 an incorrect output size (too large). Fixed. 654 -- Added a "pretty" target to the GCC makefile. Requires PERL. It is NEAT! 655 -- Minor updates to ch1 of the manual. 656 -- Cleaned up the indentation and added comments to rsa_make_key(), rsa_exptmod() and 657 rsa_verify_hash() 658 -- Updated makefile.icc so the "install" target would work ;-) 659 -- Removed demos/test.c [deprecated from demos/test/test.c] 660 -- Changed MAXBLOCKSIZE from 128 to 64 to reflect the true size... 661 662May 30th, 2004 663v0.96 -- Removed GF and Keyring code 664 -- Extended OAEP decoder to distinguish better [and use a more uniform API] 665 -- Changed PSS/OAEP API slightly to be more consistent with other PK functions (order of arguments) 666 -- rsa_exptmod() now pads with leading zeroes as per I2OSP. 667 -- added error checking to yarrow code 668 -- pointed out that tommath.h from this distro will overwrite tommath.h 669 from libtommath. I changed this to ltc_tommath.h to avoid any such problems. 670 -- Fixed bug in PSS encoder/decoder that didn't handle the MSB properly 671 -- refactored AES, now sports an "encrypt only" descriptor which uses half as much code space. 672 -- modded Yarrow to try and use refactored AES code and added WHIRLPOOL support (d'oh) ;-) 673 -- updated ECB, OCB and CBC decrypt functions to detect when "encrypt only" descriptor is used. 674 -- replaced old RSA code with new code that uses PKCS #1 v2.0 padding 675 -- replaced old test harness with new over-engineer'ed one in /demos/test/ 676 -- updated cbc/cfb/ofb/ctr code with setiv/getiv functions to change/read the IV without re-keying. 677 -- Added PKCS #1 v1.5 RSA encryption and signature padding routines 678 -- Added DER OID's to most hash descriptors (as many as I could find) 679 -- modded rsa_exptmod() to use timing-resilient tim_exptmod() when doing private key operations 680 added #define RSA_TIMING which can turn on/off this feature. 681 -- No more config.pl so please just read mycrypt_custom.h for build-time tweaks 682 -- Small update to rand_prime() 683 -- Updated sha1, md5 and sha256 so they are smaller when SMALL_CODE is defined. If you want speed though, 684 you're going to have to undefine SMALL_CODE ;-) 685 -- Worked over AES so that it's even smaller now [in both modes]. 686 687May 12th, 2004 688v0.95 -- Optimized AES and WHIRLPOOL for SMALL_CODE by taking advantage of the fact 689 the transforms are circulant. AES dropped 5KB and WHIRLPOOL dropped 13KB 690 using the default build options on the x86. 691 -- Updated eax so the eax_done() would clear the state [like hmac,pmac,ocb] when 692 CLEAN_STACK has been defined. 693 -- added LTC_TEST support to rmd160 694 -- updates to mycrypt_pk.h 695 -- updated rand_prime() to faciliate making RSA composites 696 -- DSA/RSA now makes composites of the exact size desired. 697 -- Refactored quite a bit of the code, fewer functions per C file 698 -- cleaned up the makefiles to organize the objects logically 699 -- added ICC makefile along with "profiled" targets for both GNU and ICC compilers 700 -- Marked functions for removal before v1.00 see PLAN for more information 701 -- GCC 3.4.0 tested and seems to work 702 -- Added PKCS #5 support 703 -- Fixed typo in comment header of .C files ;-) 704 -- Added PKCS #1 OAEP and PSS support. 705 706Feb 20th, 2004 707v0.94 -- removed unused variables from ocb.c and fixed it to match known test vectors. 708 -- Added PMAC support, minor changes to OMAC/EAX code [I think....] 709 -- Teamed up with Brian Gladman. His code verifies against my vectors and my code 710 verifies against his test vectors. Hazaa for co-operation! 711 -- Various small changes (added missing ARGCHKs and cleaned up indentation) 712 -- Optimization to base64, removed unused variable "c" 713 -- Added base64 gen to demos/tv_gen.c 714 -- Fix to demos/x86_prof.c to correctly identify the i386 architecture... weird... 715 -- Fixed up all of the PK code by adding missing error checking, removed "res" variables, 716 shrunk some stack variables, removed non-required stack variables and added proper 717 error conversion from MPI to LTC codes. I also spotted a few "off by one" error 718 checking which could have been used to force the code to read past the end of 719 the buffer (in theory, haven't checked if it would work) by a few bytes. 720 -- Added checks to OUTPUT_BIGNUM so the *_export() functions cannot overflow the output and I 721 also modded it so it stores in the output provided to the function (that is not on 722 the local stack) which saves memory and time. 723 -- Made SAFER default to disabled for now (plans are to cleanhouse write an implementation later) 724 -- Added the 512-bit one-way hash WHIRLPOOL which clocks in at 138 cycles per byte on my 725 Athlon XP [for comparison, SHA-512 clocks in at 77 cycles per byte]. This code uses the 726 teams new sbox design (not the original NESSIE one). 727 728 729Jan 25th, 2004 730v0.93 -- [note: deleted v0.93 changes by accident... recreating from memory...] 731 -- Fix to RC2 to not deference pointer before ARGCHK 732 -- Fix to NOEKEON to match published test vectors as well as cleaned up the code a bit 733 -- Optimized Twofish [down to 28 cycles/byte on my box] and Blowfish 734 -- Fix to OMAC to test cipher block size first [prevents wasting any time] 735 -- Added more OMAC test vectors 736 -- Added EAX Encrypt+Authenticate support 737 -- Fix to DSA to check return of a few LTM functions I forgot [mp_to_unsigned_bin] 738 -- Added common headers to all C files 739 -- CTR mode supports big and little [default] endian counters now. 740 -- fix to find_cipher_any() so that it can handle a fragmented cipher_descriptor table. 741 -- added find_hash_any() akin to find_cipher_any(). 742 -- Added EAX code to demos/tv_gen.c Hazaa! 743 -- Removed SONY defines and files from codebase. 744 -- Added OCB support [patents be damned] and to demos/tv_gen.c 745 -- Merge all of the INPUT/OUTPUT BIGNUM macros (less toc) into mycrypt_pk.h 746 -- Made appropriate changes to the debug string in crypt.c 747 748Dec 24th, 2003 749v0.92 -- Updated the config.pl script so the options have more details. 750 -- Updated demos/tv_gen to include RIPEMD hashes 751 -- Updated Twofish so when TWOFISH_ALL_TABLES is defined a pre-computed RS table 752 is included [speedup: slight, about 4k cycles on my Athlon]. 753 -- Re-wrote the twofish large key generation [the four 8x32 key dependent tables]. Now about twice as fast. 754 With both optimizations [e.g. TWOFISH_ALL_TABLES defined] a 128-bit Twofish key can now be scheduled 755 in 26,000 cycles on my Athlon XP [as opposed to 49,000 before] when optimized for size. 756 -- config.pl has been updated so rmd128.o and rmd160.o are objects included in the build [oops] 757 -- Andrew Mann found a bug in rsa_exptmod() which wouldn't indicate if the wrong type of key was specified 758 (e.g. not PK_PRIVATE or PK_PUBLIC) 759 -- Fixed up demos/x86_prof so it sorts the output now :-) 760 -- The project is now powered by radioactive rubber pants. 761 -- Fixed dh_encrypt_key() so if you pass it a hash with a smaller output than the input key it 762 will return CRYPT_INVALID_HASH [to match what ecc_encrypt_key() will do] 763 -- Merge the store/encrypt key part of ecc_encrypt_key() as per dh_encrypt_key() [can you guess what I'm upto?] 764 -- Massive updates to the prime generation code. I use the LTM random prime functions [and provide a nice 765 interface between the LTC PRNG's and the LTM generic prng prototype]. I also use a variable number of tests 766 depending on the input size. This nicely speeds up most prime generation/testing within the library. 767 -- Added SHA-224 to the list of hashes. 768 -- Made HMAC test vectors constant and static [takes ROM space instead of RAM] 769 -- This release was brought to you by the letter P which stands for Patent Infringement. 770 -- Added generic HASH_PROCESS macro to mycrypt_hash.h which simplifies the hash "process" functions 771 I also optimized the compression functions of all but MD2 to not perform input copies when avoidable. 772 -- Removed the division from the Blowfish setup function [dropped 3k cycles on my Athlon] 773 -- Added stack cleaning to rijndael, cast5 so now all ciphers have CLEAN_STACK code. 774 -- Added Skipjack to the list of ciphers [made appropriate changes to demos/test.c, demos/tv_gen.c and 775 demos/x86_prof.c] 776 -- Added mechanical testing to cipher test vector routines. Now it encrypts 1000 times, then decrypts and 777 compares. Any fault (e.g. bug in code, compiler) in the routines is likely to show through. Doesn't 778 stress test the key gen though... 779 -- Matt Johnson found a bug in the blowfish.c apparently I was out of my mind and put twofish defines in there 780 The code now builds with any config. Thanks. 781 -- Added OMAC1 Message Authentication Code support to the library. 782 -- Re-prototyped the hash "process" and "done" to prevent buffer overflows [which don't seem easy to exploit]. 783 Updated HMAC code to use them too. Hazaa! 784 -- Fixed bug in ECC code which wouldn't do an _ARGCHK on stat in ecc_verify_hash(). 785 -- Fixed [temp fix] bug in all PK where the OUTPUT_BIGNUM macros would not trap errors on the to_unsigned_bin 786 conversion [now returns CRYPT_MEM, will fix it up better later] 787 -- Added DSA to the list of supported PK algorithms. 788 -- Fixed up various ciphers to &255 the input key bytes where required [e.g. where used to index a table] to prevent 789 problems on platforms where CHAR_BIT != 8 790 -- Merged in LibTomMath v0.28 791 -- Updated demos/x86_prof.c to use Yarrow during the key sched testing [was horribly slow on platforms with blockable 792 /dev/random]. 793 -- Added OMAC/HMAC tests to demos/tv_gen and I now store the output of this in notes/ 794 -- Fixed a bug in config.pl that wouldn't have TWOFISH_TABLES defined by default (too many commas on the line) 795 -- Fixed bug in hmac_done(). Apparently FIPS-198 [HMAC] specifies that the output can be truncated. My code 796 would not support that (does now just like the new OMAC code). 797 -- Removed "hashsize" from hmac_state as it wasn't being used. 798 -- Made demos/test.c stop if OMAC or HMAC tests fail (instead of just printing a failed message and keep going). 799 -- Updated notes/tech0003.txt to take into account the existence of Skipjack [also I fixed a few typos]. 800 -- Slight changes to Noekeon, with SMALL_CODE undefined it uses a fully unrolled version. Dropped +10 cycles/byte 801 on my Athlon (35 cycles per byte or 410.4Mbit/sec at 1795Mhz) 802 -- Added _ARGCHK() calls to is_prime() for the two input pointers. 803 804Sept 25th, 2003 805v0.91 -- HMAC fix of 0.90 was incorrect for keys larger than the block size of the hash. 806 -- Added error CRYPT_FILE_NOTFOUND for the file [hmac/hash] routines. 807 -- Added RIPEMD hashes to the hashsum demo. 808 -- Added hashsum demo to MSVC makefile. 809 -- Added RMD160 to the x86_prof demo [oops] 810 -- Merged in LibTomMath-0.27 with a patch to mp_shrink() that will be in LibTomMath-0.28 811 Fixes another potential memory leak. 812 813Sept 7th, 2003 814v0.90 -- new ROL/ROR for x86 GCC 815 -- Jochen Katz submitted a patch to the makefile to prevent "make" from making the .a library 816 when not required. 817 == By default the KR code is not enabled [it's only a demo anyways!] 818 -- changed the "buf" in ecc_make_key from 4KB to 128 bytes [since the largest key is 65 bytes] 819 -- hmac_done() now requires you pass it the size of the destination buffer to prevent 820 buffer overflows. (API CHANGE) 821 -- hmac/hash filebased routines now return CRYPT_NOP if NO_FILE is defined. 822 -- I've removed the primes from dh.c and replaced them with DR safe primes suitable for the default 823 configuration of LibTomMath. Check out these comparisons on a 1.3Ghz Athlon XP, optimized for size, 824 825768-bit, 4 vs. 10 8261024-bit, 8 vs. 18 8271280-bit, 12 vs. 34 8281536-bit, 20 vs. 56 8291792-bit 28 vs. 88 8302048-bit, 40 vs. 124 8312560-bit, 71 vs. 234 8323072-bit, 113 vs. 386 8334096-bit, 283 vs. 916 834 835 Times are all in milliseconds for key generation. New primes times on the left. This makes the code binary 836 incompatible with previous releases. However, this addition is long overdue as LibTomMath has supported DR 837 reductions for quite some time. 838 -- Added RIPE-MD 128 and 160 to the list of supported hashes [10 in total]. 839 -- The project has been released as public domain. TDCAL no longer applies. 840 841July 15th, 2003 842v0.89 -- Fix a bug in bits.c which would prevent it from building with msvc 843 -- Merged in LibTomMath v0.24 [and I used the alloc/free macros this time!] 844 -- Removed the LTC version of next_prime() and replaced it with a call to the 845 mp_prime_next_prime() from LibTomMath 846 -- reverted bits.c to the 0.86 copy since the new one doesn't build in MSVC 847 or cygwin. 848 849Jul 10th, 2003 850v0.88 -- Sped up CAST5 key schedule for MSVC 851 -- added "ulong32" which allows people on 64-bit platforms to force the 32-bit tables in 852 ciphers like blowfish and AES to be 32-bits. E.g. when unsigned long is 64-bits. 853 -- Optimized the SAFER-SK64, SAFER-SK128, SAFER+, RC5 and RC6 key schedule [big time!] 854 -- Optimized SHA-1 and SHA-256 quite a bit too. 855 -- Fixed up the makefile to use -fomit-frame-pointer more liberally 856 -- Added tv_gen program which makes test vectors for ciphers/hashes 857 -- Merged in LibTomMath v0.22 858 859Jun 19th, 2003 860v0.87 -- Many MSVC optimizations to the code base 861 -- Improved the AES and Twofish key schedule [faster, more constant time] 862 -- Tons of optimizations here and there. 863 864Jun 15th, 2003 865v0.86 -- Fixed up AES to workaround MSVC optimizer bug 866 -- Merged in fresh LTM base [based on v0.20] so there are no warnings with MSVC 867 -- Wrote x86_prof which will time the hashes and ciphers downto cycles per byte. 868 -- Fixed up demos/encrypt to remove serpent_desc from the list 869 -- Re-enabled MSVC optimizations w00t w00t 870 -- Replaced "errno" with "err" in all functions that had it so it wouldn't clash 871 with the global "errno" 872 -- Removed a set of unused variables from certain functions 873 -- Removed {#line 0 "..."} stuff from mpi.c to comply with ISO C :-) 874 875Jun 11th, 2003 876v0.85 -- Swapped in a new AES routine 877 -- Removed Serpent 878 -- Added TDCAL policy document 879 880Jun 1st, 2003 881v0.84 -- Removed a 4KB buffer from rsa_decrypt_key that wasn't being used no more 882 -- Fixed another potential buffer problem. Not an overflow but could cause the 883 PK import routines to read past the end of the buffer. 884 -- Optimized the ECC mulmod more by removing a if condition that will always be false 885 -- Optimized prime.c to not include a 2nd prime table, removed code from is_prime calls prime 886 test from LibTomMath now 887 -- Added LTC_TEST define which when defined will enable the test vector routines [see mycrypt_custom.h] 888 -- Removed ampi.o from the depends cuz it ain't no not working in *nix with it [routines are in mpi.c now]. 889 890 891Mar 29th, 2003 892v0.83 -- Optimized the ecc_mulmod, it's faster and takes less heap/stack space 893 -- Fixed a free memory error in ecc_mulmod and del_point which would try to free NULL 894 -- Fixed two serious bugs in rsa_decrypt_key and rsa_verify_hash that would allow a trivialy 895 buffer overflow. 896 -- Fixed a bug in the hmac testing code if you don't register all the hashes it won't return 897 errors now. 898 899Mar 15th, 2003 900v0.82 -- Manual updated 901 -- Added MSVC makefile [back, actually its written from scratch to work with NMAKE] 902 -- Change to HMAC helper functions API to avoid buffer overflow [source changes] 903 -- the rsa_encrypt_key was supposed to reject key sizes out of bounds ... 904 same fix to the rsa_sign_hash 905 -- Added code to ensure that that chaining mode code (cfb/ofb/ctr/cbc) have valid 906 structures when being called. E.g. the indexes to the pad/ivs are not out of bounds 907 -- Cleaned up the DES code and simplified the core desfunc routine. 908 -- Simplified one of the boolean functions in MD4 909 910Jan 16th, 2003 911v0.81 -- Merged in new makefile from Clay Culver and Mike Frysinger 912 -- Sped up the ECC mulmod() routine by making the word size adapt to the input. Saves a whopping 9 point 913 operations on 521-bit keys now (translates to about 8ms on my Athlon XP). I also now use barrett reduction 914 as much as possible. This sped the routine up quite a bit. 915 -- Fixed a huge flaw in ecc_verify_hash() where it would return CRYPT_OK on error... Now fixed. 916 -- Fixed up config.pl by fixing an invalid query and the file is saved in non-windows [e.g. not CR/LF] format 917 (fix due to Mika Bostr?m) 918 -- Merged in LibTomMath for kicks 919 -- Changed the build process so that by default "mycrypt_custom.h" is included and provided 920 The makefile doesn't include any build options anymore 921 -- Removed the PS2 and VC makefiles. 922 923Dec 16th, 2002 924v0.80 -- Found a change I made to the MPI that is questionable. Not quite a bug but definately not desired. Had todo 925 with the digit shifting. In v0.79 I simply truncated without zeroing. It didn't cause problems during my 926 testing but I fixed it up none the less. 927 -- Optimized s_mp_mul_dig() from MPI to do a minimal number of passes. 928 -- Fixed in rsa_exptmod() where I was getting the size of the result. Basically it accomplishes the same thing 929 but the fixed code is more readable. 930 -- Fixed slight bug in dh_sign_hash() where the random "k" value was 1 byte shorter than it should have been. I've 931 also made the #define FAST_PK speed up signatures as well. Essentially FAST_PK tells the DH sub-system to 932 limit any private exponent to 256-bits. Note that when FAST_PK is defined does not make the library 933 binary or source incompatible with a copy of the library with it undefined. 934 -- Removed the DSA code. If you want fast diffie-hellman just define FAST_PK :-) 935 -- Updated dh_sign_hash()/dh_verify_hash() to export "unsigned" bignums. Saves two bytes but is not binary 936 compatible with the previous release... sorry! I've performed the same fix to the ecc code as well. 937 -- Fixed up the PK code to remove all use of mp_toraw() and mp_read_raw() [get all the changes out of the way now] 938 -- Fixed a bug in the DH code where it missed trapping a few errors if they occurred. 939 -- Fixed a slight "its-not-a-bug-but-could-be-done-better" bug in the next_prime() function. Essentially it was 940 testing to ensure that in the loop that searches for the next candidate that the step never grows beyond 941 65000. Should have been testing for MP_DIGIT_MAX 942 -- Spruced up the config.pl script. It now makes a header file "mycrypt_custom.h" which can be included *before* 943 you include mycrypt.h. This allows you to add libtomcrypt to a project without completely changing your make 944 system around. Note that you should use the makefile it writes to at least build the library initially. 945 -- Used splint to check alot of the code out. Tons of minor fixes and explicit casts added. 946 -- Also made all the internal functions of MPI are now static to avoid poluting the namespace 947 -- **Notice**: There are no planned future releases for at least a month from the this release date. 948 949Dec 14th, 2002 950v0.79 -- Change to PK code [binary and source]. I made it so you have to pass the buffer size to the *_decrypt_key and 951 *_verify_hash functions. This prevents malformed packets from performing buffer overflows. I've also trimmed 952 the packet header size [by 4 bytes]. 953 -- Made the test program halt on the first error it occurs. Also made it trap more errors than before. 954 -- Wrote the first chapter of my new book [DRAFT!], not in this package but check my website! 955 -- Included a perl script "config.pl" that will make "makefile.out" according to the users needs. 956 -- Added shell script to look for latest release 957 -- Merge DH and ECC key defines from mycrypt_cfg.h into the makefiles 958 -- updated the makefile to use BSD friendly archiving invokations 959 -- Changed the DH and ECC code to use base64 static key settings [e.g. the primes]. Dropped the code size by 3KB 960 and is ever-so-slightly faster than before. 961 -- added "mp_shrink" function to shrink the size of bignums. Specially useful for PK code :-) 962 -- Added new exptmod function that calculates a^b mod c with fewer multiplies then before [~20% for crypto 963 sized numbers]. Also added a "low mem" variant that doesn't use more than 20KB [upto 4096 bit nums] of 964 heap todo the calculation. Both are #define'able controlled 965 -- Added XREALLOC macro to provide realloc() functionality. 966 -- Added fix where in rsa_import() if you imported a public key or a non-optimized key it would free the mp_int's 967 not being used. 968 -- Fixed potential bug in the ECC code. Only would occur on platforms where char is not eight bits [which isn't 969 often!] 970 -- Fixed up the ECC point multiplication, its about 15% faster now 971 -- While I was at it [since the lib isn't binary backwards compatible anyways] I've fixed the PK export routines 972 so they export as "unsigned" types saving 1 byte per bignum outputted. Not a lot but heck why not. 973 974Nov 28th, 2002 975v0.78 -- Made the default ARGCHK macro a function call instead which reduced the code size from 264KB to 239KB. 976 -- Fixed a bug in the XTEA keysize function which called ARGCHK incorrectly. 977 -- Added Noekeon block cipher at 2,800 bytes of object code and 345Mbit/sec it is a welcome addition. 978 -- Made the KR code check if the other PK systems are included [provides error when building otherwise]. 979 -- Made "aes" an alias for Rijndael via a pre-processor macro. Now you can use "aes_ecb_encrypt", etc... :-) 980 Thanks to Jean-Luc Cooke for the "buzzword conformance" suggestion. 981 -- Removed the old PK code entirely (e.g. rsa_sign, dh_encrypt). The *_sign_hash and *_encrypt_key functions 982 are all that is to remain. 983 -- **NOTE** Changed the PK *_import (including the keyring) routine to accept a "inlen" parameter. This fixes a 984 bug where improperly made key packets could result in reading passed the end of the buffer. This means 985 the code is no longer source compatible but still binary compatible. 986 -- Fixed a few other minor bugs in the PK import code while I was at it. 987 988Nov 26th, 2002 989v0.77 -- Updated the XTEA code to use pre-computed keys. With optimizations for speed it achieves 222Mbit/sec 990 compared to the 121Mbit/sec before. It is 288 bytes bigger than before. 991 -- Cleaned up some of the ciphers and hashes (coding style, cosmetic changes) 992 -- Optimized AES slightly for 256-bit keys [only one if statement now, still two for 192-bit keys] 993 -- Removed most test cases from Blowfish, left three of them there. Makes it smaller and faster to test. 994 -- Changed the primality routines around. I now use 8 rounds of Rabin-Miller, I use 256 primes in the sieve 995 step and the "rand_prime" function uses a modified sieve that avoids alot of un-needed bignum work. 996 -- Fixed a bug in the ECC/DH signatures where the keys "setting" value was not checked for validity. This means 997 that a invalid value could have caused segfaults, etc... 998 -- **NOTE** Changed the way the ECC/DH export/import functions work. They are source but not binary compatible 999 with v0.76. Essentially insteading of exporting the setting index like before I export the key size. Now 1000 if you ever re-configure which key settings are supported the lib will still be able to make use of your 1001 keys. 1002 -- Optimized Blowfish by inlining the round function, unrolling it for four rounds then using a for loop for the 1003 rest. It achieves a rate of 425Mbit/sec with the new code compared to 314Mbit/sec before. The new blowfish 1004 object file is 7,813 bytes compared to 8,663 before and is 850 bytes smaller. So the code is both smaller and 1005 faster! 1006 -- Optimized Twofish as well by inlining the round function. Gets ~400Mbit/sec compared to 280Mbit/sec before 1007 and the code is only 78 bytes larger than the previous copy. 1008 -- Removed SMALL_PRIME_TAB build option. I use the smaller table always. 1009 -- Fixed some mistakes concerning prime generation in the manual. 1010 -- [Note: sizes/speeds are for GCC 3.2 on an x86 Athlon XP @ 1.53Ghz] 1011 1012Nov 25th, 2002 1013v0.76 -- Updated makefiles a bit more, use "-Os" instead of "-O2" to optimize for size. Got the lib 1014 downto 265KB using GCC 3.2 on my x86 box. 1015 -- Updated the SAFER+, Twofish and Rijndael test vector routine to use the table driven design. 1016 -- Updated all other test vector routines to return as soon as an error is found 1017 -- fixed a bug in the test program where errors in the hash test routines would not be reported 1018 correctly. I found this by temporarily changing one of the bytes of the test vectors. All the 1019 hashes check out [the demos/test.c would still have reported an error, just the wrong one]. 1020 1021 1022Nov 24th, 2002 1023v0.75 -- Fixed a flaw in hash_filehandle, it should ARGCHK that the filehandle is not NULL 1024 -- Fixed a bug where in hash_file if the call to hash_filehandle failed the open file would 1025 not be closed. 1026 -- Added more strict rules to build process, starting to weed out "oh this works in GCC" style code 1027 In the next release "-Wconversion" will be enabled which will deal with all implicit casts. 1028 1029Nov 22nd, 2002 [later in the day] 1030v0.74 -- Wrote a small variant of SAFER+ which shaved 50KB off the size of the library on x86 platforms 1031 -- Wrote a build option to remove the PK packet functions [keeps the encrypt_key/sign_hash functions] 1032 -- Wrote a small variant of Rijndael (trimmed 13KB) 1033 -- Trimmed the TIGER/192 hash function a bit 1034 -- Overall the entire lib compiled is 295KB [down from 400KB before] 1035 -- Fixed a few minor oversights in the MSVC makefile 1036 1037Nov 22nd, 2002 1038v0.73 -- Fixed bug in RC4 code where it could only use 255 byte keys. 1039 -- Fixed bug in yarrow code where it would allow cast5 or md2 to be used with it... 1040 -- Removed the ecc compress/expand points from the global scope. Reduces namespace polution 1041 -- Fixed bug where if you used the SPRNG you couldn't pass NULL as your prng_state which you should be 1042 able todo since the SPRNG has no state... 1043 -- Corrected some oversights in the manual and the examples... 1044 -- By default the GF(2^W) math library is excluded from the build. The source is maintained because I wrote it 1045 and like it :-). This way the built library is a tad smaller 1046 -- the MSVC makefile will now build for a SPACE optimized library rather than TIME optimized. 1047 1048Nov 21th, 2002 1049v0.72 -- Fixed bug in the prime testing. In the Miller-Rabin test I was raising the base to "N-1" not "r". 1050 The math still worked out fine because in effect it was performing a Fermat test. Tested the new code and it 1051 works properly 1052 -- Fixed some of the code where it was still using the old error syntax 1053 -- Sped up the RSA decrypt/sign routines 1054 -- Optimized the ecc_shared_secret routine to not use so much stack 1055 -- Fixed up the makefile to make releases where the version # is in the file name and directory it will unzip 1056 to 1057 1058Nov 19th, 2002 1059v0.71 -- HELP TOM. I need tuition for the January semester. Now I don't want to force donations [nor will I ever] 1060 but I really need the help! See my website http://tom.iahu.ca/help_tom.html for more details. Please help 1061 if you can! 1062 -------------------------------------------------------------------------------------------------------------- 1063 -- Officially the library is no longer supported in GCC 3.2 in windows [cygwin]. 1064 In windows you can either use GCC 2.95.3 or try your luck with 3.2 It seems that 1065 "-fomit-frame-pointer" is broken in the windows build [but not the linux x86 build???] 1066 If you simply must use 3.2 then I suggest you limit the optimizations to simply "-O2" 1067 -- Started new error handling API. Similar to the previous except there are more error codes than just 1068 CRYPT_ERROR 1069 -- Added my implementation of the MD2 hash function [despite the errors in the RFC I managed to get it right!] 1070 -- Merged in more changes from Sky Schulz. I have to make mention here that he has been a tremendous help in 1071 getting me motivated to make some much needed updates to the library! 1072 -- Fixed one of the many mistakes in the manual as pointed out by Daniel Richards 1073 -- Fixed a bug in the RC4 code [wasn't setting up the key correctly] 1074 -- Added my implementation of the CAST5 [aka CAST-128] block cipher (conforms...) 1075 -- Fixed numerous bugs in the PK code. Essentially I was "freeing" keys when the import failed. This is neither 1076 required nor a good a idea [double free]. 1077 -- Tom needs a job. 1078 -- Fixed up the test harness as requested by Sky Schulz. Also modifed the timing routines to run for X seconds 1079 and count # of ops performed. This is more suitable than say encrypting 10 million blocks on a slow processor 1080 where it could take minutes! 1081 -- Modified test programs hashsum/encrypt to use the new algorithms and error handling syntax 1082 -- Removed the PKCS code since it was incomplete. In the future I plan on writing a "add-on" library that 1083 provides PKCS support... 1084 -- updated the config system so the #defines are in the makefiles instead of mycrypt_cfg.h 1085 -- Willing to work on an hourly basis for 15$ CDN per hour. 1086 -- updated the test program to not test ciphers not included 1087 -- updated the makefile to make "rsa_sys.c" a dependency of rsa.o [helps develop the code...] 1088 -- fixed numerous failures to detect buffer overflows [minor] in the PK code. 1089 -- fixed the safer [64-bit block version] test routines which didn't check the returns of the setup 1090 function 1091 -- check out my CV at http://tom.iahu.ca/cv.html 1092 -- removed the GBA makefile and code from demos/test.c [not a particularly useful demo...] 1093 -- merged in rudimentary [for testing] PS2 RNG from Sky Schulz 1094 -- merged in PS2 timer code [only shell included due to NDA reasons...] 1095 -- updated HMAC code to return errors where possible 1096 -- Thanks go to Sky Schulz who bought me a RegCode for TextPad [the official editor of libtomcrypt] 1097 1098Nov 12th, 2002 1099v0.70 -- Updated so you can swap out the default malloc/calloc/free routines at build time with others. (Sky Schulz) 1100 -- Sky Schulz contributed some code towards autodetecting the PS2 in mycrypt_cfg.h 1101 -- Added PS2 makefile contributed by Sky Schulz [see a pattern forming?] 1102 -- Added ability to have no FILE I/O functions at all (see makefile), Sky Schulz.... 1103 -- Added support for substituting out the clock() function (Sky Schulz) 1104 -- Fixed up makefile to include new headers in the HEADERS variable 1105 -- Removed "coin.c" as its not really useful anyways 1106 -- Removed many "debug" printfs that would show up on failures. Basically I wanted to ensure the only output 1107 would be from the developer themselves. 1108 -- Added "rc4.c" a RC4 implementation with a PRNG interface. Since RC4 isn't a block cipher it wouldn't work 1109 too well as a block cipher. 1110 -- Fixed ARGCHK macro usage when ARGTYPE=1 throughout the code 1111 -- updated makefile to make subdirectory properly (Sku Schulz) 1112 -- Started towards new API setup. Instead of checking for "== CRYPT_ERROR" you should check "!= CRYPT_OK" 1113 In future releases functions will return things other than CRYPT_ERROR on error to give more useful 1114 thread safe error reporting. The manual will be updated to reflect this. For this release all 1115 errors are returned as CRYPT_ERROR (except as noted) but in future releases this will change. 1116 -- Removed the zlib branch since its not really required anyways. Makes the package smaller 1117 1118Nov 11th, 2002 1119v0.69 -- Added ARGCHK (see mycrypt_argchk.h) "arguement checking" to all functions that accept pointers 1120 -- Note I forgot to change the CRYPT version tag in v0.68... fixed now. 1121 1122Nov 8th, 2002 1123v0.68 -- Fixed flaw in kr_import/kr_export that wasted 4 bytes. Source but not binary compatible with v0.67 1124 -- Fixed bug in kr_find_name that used memcmp to match strings. Uses strncmp now. 1125 -- kr_clear now sets the pointer to NULL to facilate debugging [e.g. using the keyring after clearing] 1126 -- static functions in _write/_read in keyring.c now check the return of ctr_encrypt/ctr_decrypt. 1127 -- Updated blowfish/rc2/rc5/rc6 keysize() function to not reject keys larger than the biggest key the 1128 respective ciphers can use. 1129 -- Fixed a bug in hashsum demo that would report the hash for files that don't exist! 1130 1131Oct 16th, 2002 1132v0.67 -- Moved the function prototypes into files mycrypt_*.h. To "install" the lib just copy all the 1133 header files "*.h" from the base of this project into your global include path. 1134 -- Made the OFB/CFB/CTR functions use "unsigned long" for the length instead of "int" 1135 -- Added keyring support for the PK functions 1136 -- ***API CHANGE*** changed the ecc_make_key and dh_make_key to act more like rsa_make_key. Basically 1137 move the first argument to the next to last. 1138 -- Fixed bug in dh_test() that wouldn't test the primality of the order of the sub-group 1139 -- replaced the primes in the DH code with new ones that are larger than the size they are 1140 associated with. That is a 1024-bit DH key will have a 1025-bit prime as the modulus 1141 -- cleaned up all the PK code, changed a bit of the API around [not source compatible with v0.66] 1142 -- major editing of the manual, started Docer program 1143 -- added 160 and 224 bit key settings for ECC. This makes the DH and ECC binary wise incompatible with v0.66 1144 -- Added an additional check for memory errors in is_prime() and cleaned up prime.c a bit 1145 -- Removed ID_TAG from all files [meh, not a big fan...] 1146 -- Removed unused variable from yarrow state and made AES/SHA256 the default cipher/hash combo 1147 -- Fixed a bug in the Yarrow code that called prng_is_valid instead of cipher_is_valid from yarrow_start() 1148 -- The ECB/CBC/OFB/CFB/CTR wrappers now check that the cipher is valid in the encrypt/decrypt calls 1149 Returns int now instead of void. 1150 1151Sept 24th, 2002 1152v0.66 -- Updated the /demos/test.c program to time the hashes correctly. Also it uses the yarrow PRNG for all of the 1153 tests meaning its possible to run on RNG less platforms 1154 -- Updated the /demos/hashsum.c program to hash from the standard input 1155 -- Updated the RSA code to make keys a bit quicker [update by Wayne Scott] by not making both primes at the same 1156 time. 1157 -- Dan Kaminsky suggested some cleanups for the code and the MPI config 1158 Code ships in unix LF format by default now too... will still build in MSVC and all... but if you want 1159 to read the stuff you'll have to convert it 1160 -- Changes to the manual to reflect new API [e.g. hash_memory/file have v0.65 prototypes]and some typos fixed 1161 1162Sept 20th, 2002 1163v0.65 -- Wayne Scott (wscott@bitmover.com) made a few of suggestions to improve the library. Most 1164 importantly he pointed out the math lib is not really required. He's also tested the lib on 18 1165 different platforms. According to him with only a few troubles [lack of /dev/random, etc] the 1166 library worked as it was supposed to. You can find the list at 1167 http://www.bitkeeper.com/Products.BitKeeper.Platforms.html 1168 -- Updated the hash_file and hash_memory functions to keep track of the size of the output 1169 -- Wayne Scott updated the demos/test.c file to use the SPRNG less and Yarrow more 1170 -- Modified the mycrypt_cfg.h to autodetect x86-32 machines 1171 1172Sept 19th, 2002 1173v0.64 -- wrote makefile for the GBA device [and hacked the demos/test.c file to support it conditionally] 1174 -- Fixed error in PK (e.g. ECC, RSA, DH) import functions where I was clobbering the packet error messages 1175 -- fixed more typos in the manual 1176 -- removed all unused variables from the core library (ignore the ID_TAG stuff) 1177 -- added "const char *crypt_build_settings" string which is a build time constant that gives a listing 1178 of all the build time options. Useful for debugging since you can send that to me and I will know what 1179 exactly you had set for the mycrypt_cfg.h file. 1180 -- Added control over endianess. Out of the box it defaults to endianess neutral but you can trivially 1181 configure the library for your platform. Using this I boosted RC5 from 660Mbit/sec to 785Mbit/sec on my 1182 Athlon box. See "mycrypt_cfg.h" for more information. 1183 1184Sept 11th, 2002 1185v0.63 -- Made hashsum demo output like the original md5sum program 1186 -- Made additions to the examples in the manual (fixed them up a bunch) 1187 -- Merged in the base64 code from Wayne Scott (wscott@bitmover.com) 1188 1189Aug 29th, 2002 1190v0.62 -- Added the CLEAN_STACK functionality to several of the hashes I forgot to update. 1191 1192Aug 9th, 2002 1193v0.61 -- Fixed a bug in the DES code [oops I read something wrong]. 1194 1195Aug 8th, 2002 1196v0.60 -- Merged in DES code [and wrote 3DES-EDE code based on it] from Dobes V. 1197 1198Aug 7th, 2002 1199v0.59 -- Fixed a "unsigned long long" bug that caused v0.58 not to build in MSVC. 1200 -- Cleaned up a little in the makefile 1201 -- added code that times the hash functions too in the test program 1202 1203Aug 3rd, 2002 1204v0.58 -- Added more stack cleaning conditionals throughout the code. 1205 -- corrected some CLEAR_STACK conditionals... should have been CLEAN_STACK 1206 -- Simplified the RSA, DH and ECC encrypt() routines where they use CTR to encode the message 1207 now they only make one call to ctr_encrypt()/ctr_decrypt(). 1208 1209Aug 2nd, 2002 1210v0.57 -- Fixed a few errors messages in the SAFER code to actually report the correct cipher name. 1211 -- rsa_encrypt() uses the "keysize()" method of the cipher being used to more accurately pick a 1212 key size. By default rsa_encrypt() will choose to use a 256-bit key but the cipher can turn that 1213 down if required. 1214 -- The rsa_exptmod() function will now more reliably detect invalid inputs (e.g. greater than the modulus). 1215 -- The padding method for RSA is more clearly documented. Namely if you want to encrypt/sign something of length 1216 N then your modulus must be of length 1+3N. So to sign a message with say SHA-384 [48 bytes] you need a 1217 145 byte (1160 bits) modulus. This is all in the manual now. 1218 -- Added build option CLEAN_STACK which will allow you to choose whether you want to clean the stack or not after every 1219 cipher/hash call 1220 -- Sped up the hash "process()" functions by not copying one byte at a time. 1221 ++ (added just after I uploaded...) 1222 MD4 process() now handles input buffers > 64 bytes 1223 1224Aug 1st, 2002 1225v0.56 -- Cleaned up the comments in the Blowfish code. 1226 -- Oh yeah, in v0.55 I made all of the descriptor elements constant. I just forgot to mention it. 1227 -- fixed a couple of places where descriptor indexes were tested wrong. Not a huge bug but now its harder 1228 to mess up. 1229 -- Added the SAFER [64-bit block] ciphers K64, SK64, K128 and SK128 to the library. 1230 -- Added the RC2 block cipher to the library. 1231 -- Changed the SAFER define for the SAFER+ cipher to SAFERP so that the new SAFER [64-bit] ciphers 1232 can use them with less confusion. 1233 1234July 29th, 2002 1235v0.55 -- My god stupid Blowfish has yet again been fixed. I swear I hate that cipher. Next bug in it and boom its out of the 1236 library. Use AES or something else cuz I really hate Blowfish at this stage.... 1237 -- Partial PKCS support [hint DONT USE IT YET CUZ ITS UNTESTED!] 1238 1239July 19th, 2002 1240v0.54 -- Blowfish now conforms to known test vectors. Silly bad coding tom! 1241 -- RC5/RC6/Serpent all have more test vectors now [and they seemed to have been working before] 1242 1243July 18th, 2002 1244v0.53 -- Added more test vectors to the blowfish code just for kicks [and they are const now too :-)] 1245 -- added prng/hash/cipher is_valid functions and used them in all of the PK code so you can't enter the code 1246 with an invalid index ever now. 1247 -- Simplified the Yarrow code once again :-) 1248 1249July 12th, 2002 1250v0.52 -- Fixed a bug in MD4 where the hash descriptor ID was the same as SHA-512. Now MD4 will work with 1251 all the routines... 1252 -- Fixed the comments in SHA-512 to be a bit more meaningful 1253 -- In md4 I made the PADDING array const [again to store it in ROM] 1254 -- in hash_file I switched the constant "512" to "sizeof(buf)" to be a bit safer 1255 -- in SHA-1's test routine I fixed the string literal to say SHA-1 not sha1 1256 -- Fixed a logical error in the CTR code which would make it skip the first IV value. This means 1257 the CTR code from v0.52 will be incompatible [binary wise] with previous releases but it makes more 1258 sense this way. 1259 -- Added {} braces for as many if/for/blocks of code I could find. My rule is that every for/if/while/do block 1260 must have {} braces around it. 1261 -- made the rounds table in saferp_setup const [again for the ROM think about the ROM!] 1262 -- fixed RC5 since it no longer requires rc5 to be registered in the lib. It used to since the descriptors used to 1263 be part of the table... 1264 -- the packet.c code now makes crypt_error literal string errors when an error occurs 1265 -- cleaned up the SAFER+ key schedule to be a bit easier to read. 1266 -- fixed a huge bug in Twofish with the TWOFISH_SMALL define. Because I clean the stack now I had 1267 changed the "g_func()" to be called indirectly. I forgot to actually return the return of the Twofish 1268 g_func() function which caused it not to work... [does now :-)] 1269 1270July 11th, 2002 1271v0.51 -- Fixed a bug in SHA512/384 code for multi-block messages. 1272 -- Added more test vectors to the SHA384/512 and TIGER hash functions 1273 -- cleaned up the hash done routines to make more sense 1274 1275July 10th, 2002 1276v0.50 -- Fixed yarrow.c so that the cipher/hash used would be registered. Also fixed 1277 a bug where the SAFER+ name was "safer" but should have been "safer+". 1278 -- Added an element to the hash descriptors that gives the size of a block [sent into the compressor] 1279 -- Cleaned up the support for HMAC's 1280 -- Cleaned up the test vector routines to make the test vector data const. This means on some platforms it will be 1281 placed in ROM not RAM now. 1282 -- Added MD4 code submited by Dobes Vandermeer (dobes@smartt.com) 1283 -- Added "burn_stack" function [idea taken from another source of crypto code]. The idea is if a function has 1284 alot of variables it will clean up better. Functions like the ecb serpent and twofish code will now have their 1285 stacks cleaned and the rest of the code is getting much more straightforward. 1286 -- Added a hashing demo by Daniel Richards (kyhwana@world-net.co.nz) 1287 -- I (Tom) modified some of the test vector routines to use more vectors ala Dobes style. 1288 For example, the MD5/SHA1 code now uses all of the test vectors from the RFC/FIPS spec. 1289 -- Fixed the register/unregister functions to properly report errors in crypt_error 1290 -- Correctly updated yarrow code to remove a few unused variables. 1291 -- Updated manual to fix a few erroneous examples. 1292 -- Added section on Hash based Message Authentication Codes (HMAC) to the manual 1293 1294June 19th, 2002 1295v0.46 -- Added in HMAC code from Dobes Vandermeer (dobes@smartt.com) 1296 1297June 8th, 2002 1298v0.45 -- Fixed bug in rc5.c where if you called rc5_setup() before registering RC5 it would cause 1299 undefined behaviour. 1300 -- Fixed mycrypt_cfg.h to eliminate the 224 bit ECC key. 1301 -- made the "default" makefile target have depends on mycrypt.h and mycrypt_cfg.h 1302 1303Apr 4th, 2002 1304v0.44 -- Fixed bug in ecc.c::new_point() where if the initial malloc fails it would not catch it. 1305 1306Mar 22nd, 2002 1307v0.43 -- Changed the ZLIB code over to the 1.1.4 code base to avoid the "double free" bug. 1308 -- Updated the GCC makefile not to use -O3 or -funroll-loops 1309 -- Version tag in mycrypt.h has been updated :-) 1310 1311Mar 10th, 2002 1312v0.42 -- The RNG code can now use /dev/urandom before trying /dev/random (J. Klapste) 1313 1314Mar 3rd, 2002 1315v0.41 -- Added support to link and use ciphers at compile time. This can greatly reduce the code size! 1316 -- Added a demo to show off how small an application can get... 46kb! 1317 -- Disastry pointed out that Blowfish is supposed to be high endian. 1318 -- Made registry code for the PRNGs as well [now the smallest useable link is 43kb] 1319 1320Feb 11th, 2002 1321v0.40 -- RSA signatures use [and check for] fixed padding scheme. 1322 -- I'm developing in Linux now :-) 1323 -- No more warnings from GCC 2.96 1324 1325Feb 5th, 2002 1326v0.39 -- Updated the XTEA code to work in accordance with the XTEA design 1327 1328January 24th, 2002 1329v0.38 -- CFB and OFB modes can now handle blocks of variable size like the CTR code 1330 -- Wrote a wrapper around the memory compress functions in Zlib that act like the functions 1331 in the rest of my crypto lib 1332 1333January 23rd, 2002 1334v0.37 -- Added support code so that if a hash size and key size for a cipher don't match up they will 1335 use the next lower key supported. (mainly for the PK code). So you can now use SHA-1 with 1336 Twofish, etc... 1337 -- Added more options for Twofish. You can now tell it to use precomputed sboxes and MDS multiplications 1338 This will speed up the TWOFISH_SMALL implementation by increasing the code size by 1024 bytes. 1339 -- Fixed a bug in prime.c that would not use the correct table if you undefined SMALL_PRIME_TAB 1340 -- Fixed all of the PK packet code to use the same header format [see packet.c]. This makes the PK code 1341 binary wise incompatible with previous releases while the API has not changed at all. 1342 1343January 22nd, 2002 1344v0.36 -- Corrections to the manual 1345 -- Made a modification to Twofish which lets you build a "small ram" variant. It requires 1346 about 190 bytes of ram for the key storage compared to the 4,200 bytes the normal 1347 variant requires. 1348 -- Reduced the stack space used in all of the PK routines. 1349 1350January 19th, 2002 1351v0.35 -- If you removed the first hash or cipher from the library it wouldn't return an error if 1352 you used an ID=0 [i.e blowfish or sha256] in any routine. Now it checks for that and will 1353 return an error like it should 1354 -- Merged in new routines from Clay Culver. These routines are for the PK code so you can easily 1355 encode a symmetric key for multiple recipients. 1356 -- Made the ecc and DH make_key() routines make secret keys of the same size as the keysize listed. 1357 Originally I wanted to ensure that the keys were smaller than the order of the field used 1358 However, the bias is so insignifcant using full sizes. For example, with a ECC-192 key the order 1359 is about 2^191.99, so instead I rounded down and used a 184-bit secret key. Now I simply use a full 192-bit 1360 key the code will work just the same except that some 192-bit keys will be duplicates which is not a big 1361 deal since 1/2^192 is a very small bias! 1362 -- Made the configuration a bit simpler and more exacting. You can for example now select which DH or ECC 1363 key settings you wish to support without including the data for all other key settings. I put the #defines 1364 in a new file called "mycrypt_cfg.h" 1365 -- Configured "mpi-config.h" so its a bit more conservative with the memory required and code space used 1366 -- Jason Klapste submitted bug fixes to the yarrow, hash and various other issues. The yarrow code will now 1367 use what ever remaining hash/cipher combo is left [after you #undef them] at build time. He also suggested 1368 a fix to remove unused structures from the symmetric_key and hash_state unions. 1369 -- Made the CTR code handle variable length blocks better. It will buffer the encryption pad so you can 1370 encrypt messages any size block at a time. 1371 -- Simplified the yarrow code to take advantage of the new CTR code. 1372 -- Added a 4096-bit DH key setting. That took me about 36 hours to find! 1373 -- Changed the base64 routines to use a real base64 encoding scheme. 1374 -- Added in DH and ECC "encrypt_key()" functions. They are still rather "beta"ish. 1375 -- Added **Twofish** to the list of ciphers! 1376 1377January 18th, 2002 1378v0.34 -- Added "sha512" to the list of hashes. Produces a 512-bit message digest. Note that with the current 1379 padding with the rsa_sign() function you cannot use sha512 with a key less than 1536 bits for signatures. 1380 -- Cleaned up the other hash functions to use the LOAD and STORE macros... 1381 1382January 17th, 2002 1383v0.33 -- Made the lower limit on keysizes for RSA 1024 bits again because I realized that 768 bit keys wouldn't 1384 work with the padding scheme and large symmetric keys. 1385 -- Added information concerning the Zlib license to the manual 1386 -- Added a 3072-bit key setting for the DH code. 1387 -- Made the "find_xyz()" routines take "const char *" as per Clay Culver's suggestion. 1388 -- Fixed an embarassing typo in the manual concerning the hashes. Thank's Clay for finding it! 1389 -- Fixed rand_prime() so that it makes primes bigger than the setting you give. For example, 1390 if you want a 1024-bit prime it would make a 1023-bit one. Now it ensures that the prime 1391 it makes is always greater than 2^(8n) (n == bytes in prime). This doesn't have a huge 1392 impact on security but I corrected it just the same. 1393 -- Fixed the CTR routine to work on platforms where char != 8-bits 1394 -- Fixed sha1/sha256/md5/blowfish to not assume "unsigned long == 32-bits", Basically any operation with carries 1395 I "AND" with 0xFFFFFFFF. That forces only the lower 32-bits to have information in it. On x86 platforms 1396 most compilers optimize out the AND operation since its a nop. 1397 1398January 16th, 2002 1399v0.32 -- Made Rijndael's setup function fully static so it is thread safe 1400 -- Svante Seleborg suggested a cosmetic style fixup for aes.c, 1401 basically to remove some of the #defines to clean it up 1402 -- Made the PK routines not export the ASCII version of the names of ciphers/hashes which makes 1403 the PK message formats *incompatible* with previous releases. 1404 -- Merge in Zlib :-) 1405 1406 1407January 15th, 2002 1408v0.31 -- The RSA routines can now use CRT to speed up decryption/signatures. The routines are backwards 1409 compatible with previous releases. 1410 -- Fixed another bug that Svante Seleborg found. Basically you could buffer-overrun the 1411 rsa_exptmod() function itself if you're not careful. That's fixed now. Fixed another bug in 1412 rsa_exptmod() where if it knows the buffer you passed is too small it wouldn't free all used 1413 memory. 1414 -- improved the readability of the PK import/export functions 1415 -- Added a fix to RSA.C by Clay Culver 1416 -- Changed the CONST64 macro for MSVC to use the "unsigned __int64" type, e.g. "ui64" instead of "i64". 1417 1418January 14th, 2002 1419v0.30 -- Major change to the Yarrow PRNG code, fixed a bug that Eugene Starokoltsev found. 1420 Basically if you added entropy to the pool in small increments it could in fact 1421 cancel out. Now I hash the pool with the new data which is way smarter. 1422 1423January 12th, 2002 1424v0.29 -- Added MPI code written by Svante Seleborg to the library. This will make the PK code much 1425 easier to follow and debug. Actually I've already fixed a memory leak in dh_shared_secret(). 1426 -- Memory leaks found and correct in all three PK routines. The leaks would occur when a bignum 1427 operation fails so it wouldn't normally turn up in the course of a program 1428 -- Fixed bugs in dh_key_size and ecc_key_size which would return garbage for invalid key idx'es 1429 1430January 11th, 2002 1431v0.28 -- Cleaned up some code so that it doesn't assume "char == 8bits". Mainly SAFER+ has been 1432 changed. 1433 -- ***HUGE*** changes in the PK code. I check all return values in the bignum code so if there 1434 are errors [insufficient memory, etc..] it will be reported. This makes the code fairly more 1435 robust and likely to catch any errors. 1436 -- Updated the is_prime() function to use a new prototype [it can return errors now] and it also 1437 does trial divisions against more primes before the Rabin Miller steps 1438 -- Added OFB, CFB and ECB generic wrappers for the symmetric ciphers to round out the implementations. 1439 -- Added Xtea to the list of ciphers, to the best of my ability I have verified this implementation. 1440 I should note that there is not alot of concrete information about the cipher. "Ansi C" versions 1441 I found did not address endianess and were not even portable!. This code is portable and to the 1442 best of my knowledge implements the Xtea algorithm as per the [short] X-Tea paper. 1443 -- Reformated the manual to include the **FULL** source code optimized to be pritable. 1444 1445January 9th, 2002 1446v0.27 -- Changed the char constants to numerical values. It is backwards compatible and should work on 1447 platforms where 'd' != 100 [for example]. 1448 -- Made a change to rand_prime() which takes the input length as a signed type so you can pass 1449 a negative len to get a "3 mod 4" style prime... oops 1450 -- changed the MSVC makefile to build with a warning level of three, no warnings! 1451 1452January 8th, 2002 1453v0.26 -- updated SHA-256 to use ROR() for a rotate so 64-bit machines won't corrupt 1454 the output 1455 -- Changed #include <> to #include "" for local .h files as per Richard Heathfields' suggestions. 1456 -- Fixed bug in MPI [well bug in MSVC] that compiled code incorrectly in mp_set_int() 1457 I added a work around that catches the error and continues normally. 1458 1459January 8th, 2002 1460v0.25 -- Added a stupid define so MSVC 6.00 can build the library. 1461 -- Big thanks to sci.crypt and "Ajay K. Agrawal" for helping me port this to MSVC 1462 1463January 7th, 2002 1464v0.24 -- Sped up Blowfish by unrolling and removing the swaps. 1465 -- Made the code comply with more traditional ANSI C standards 1466 Should compile with MSVC with less errors 1467 -- moved the demos and documentation into their own directories 1468 so you can easily build the library with other tool chains 1469 by compiling the files in the root 1470 -- converted functions with length of outputs to use 1471 "unsigned long" so 16-bit platforms will like this library more. 1472 1473January 5th, 2002 1474v0.23 -- Fixed a small error in the MPI config it should build fine anywhere. 1475 1476January 4th, 2002 1477v0.22 -- faster gf_mul() code 1478 -- gf_shl() and gf_shr() are safe on 64-bit platforms now 1479 -- Fixed an error in the hashes that Brian Gladman found. 1480 Basically if the message has exactly 56 bytes left to be 1481 compressed I handled them incorrectly. 1482 1483January 4th, 2002 1484v0.21 -- sped up the ECC code by removing redundant divisions in the 1485 point add and double routines. I also extract the bits more 1486 efficiently in "ecc_mulmod()" now. 1487 -- sped up [and documented] the rand_prime() function. Now it just 1488 makes a random integer and increments by two until a prime is found 1489 This is faster since it doesn't require alot of calls to the PRNG and 1490 it doesn't require loading huge integers over and over. rand_prime() 1491 can also make primes congruent to 3 mod 4 [i.e for a blum integer] 1492 -- added a gf_sqrt() function that finds square roots in a GF(2^w) field 1493 -- fixed a bug in gf_div() that would return the wrong results if the divisor had a greator 1494 divisor than the dividend. 1495 1496January 4th, 2002 1497v0.20 -- Added the fixed MPI back in so RSA and DH are much faster again 1498 1499v0.19 -- Updated the manual to reflect the fact that Brian Gladman wrote the AES and Serpent code. 1500 -- DH, ECC and RSA signature/decryption functions check if the key is private 1501 -- new DH signature/verification code works just like the RSA/ECC versions 1502 1503January 3rd, 2002 1504v0.18 -- Added way more comments to each .C file 1505 -- fixed a bug in cbc_decrypt(pt, ct, key) where pt == ct [i.e same buffer] 1506 -- fixed RC5 so it reads the default rounds out of the cipher_descriptor table 1507 -- cleaned up ecc_export() 1508 -- Cleaned up dh_import() and ecc_import() which also perform more 1509 error checking now 1510 -- Fixed a serious flaw in rsa_import() with private keys. 1511 1512January 2nd, 2002 1513v0.17 -- Fixed a bug in the random prime generator that fixes the wrong bits to one 1514 -- ECC and DH code verify that the moduli and orders are in fact prime. That 1515 slows down the test routines alot but what are you gonna do? 1516 -- Fixed a huge bug in the mp_exptmod() function which incorrectly calculates g^x mod p for some 1517 values of p. I replaced it with a slow function. Once the author of MPI fixes his faster routine 1518 I will switch back. 1519 1520January 1st, 2002 [whoa new year!] 1521v0.16 -- Improved GF division code that is faster. 1522 -- documented the GF code 1523 1524December 31st, 2001 1525v0.15 -- A 1792-bit and 2048-bit DH setting was added. Took me all night to 1526 find a 1792 and 2048-bit strong prime but what the heck 1527 -- Library now has polynomial-basis GF(2^w) routines I wrote myself. Can be used to perform 1528 ECC over GF(2^w) later on.... 1529 -- Fixed a bug with the defines that allows it to build in windows 1530 1531December 30th, 2001 1532v0.14 -- Fixed the xxx_encrypt() packet routines to make an IV of appropriate size 1533 for the cipher used. It was defaulting to making a 256-bit IV... 1534 -- base64_encode() now appends a NULL byte, um "duh" stupid mistake now fixed... 1535 -- spell checked the manual again... :-) 1536 1537December 30th, 2001 1538v0.13 -- Switching back to older copy of MPI since it works! arrg.. 1539 -- Added sign/verify functions for ECC 1540 -- all signature verification routines default to invalid signatures. 1541 -- Changed all calls to memset to zeromem. Fixed up some buffer problems 1542 in other routines. All calls to zeromem let the compiler determine the size 1543 of the data to wipe. 1544 1545December 29th, 2001 1546v0.12 -- Imported a new version of MPI [the bignum library] that should 1547 be a bit more stable [if you want to write your own bignum 1548 routines with the library that is...] 1549 -- Manual has way more info 1550 -- hash_file() clears stack now [like it should] 1551 -- The artificial cap on the hash input size of 2^32 bits has been 1552 removed. Basically I was too lazy todo 64-bit math before 1553 [don't ask why... I can't remember]. Anyways the hashes 1554 support the size of 2^64 bits [if you ever use that many bits in a message 1555 that's just wierd...] 1556 -- The hashes now wipe the "hash_state" after the digest is computed. This helps 1557 prevent the internal state of the hash being leaked accidently [i.e stack problems] 1558 1559December 29th, 2001 1560v0.11 -- Made #define's so you can trim the library down by removing 1561 ciphers, hashs, modes of operation, prngs, and even PK algorithms 1562 For example, the library with rijndael+ctr+sha1+ECC is 91KB compared 1563 to the 246kb the full library takes. 1564 -- Added ECC packet routines for encrypt/decrypt/sign/verify much akin to 1565 the RSA packet routines. 1566 -- ECC now compresses the public key, a ECC-192 public key takes 33 bytes 1567 for example.... 1568 1569December 28th, 2001 1570v0.10 -- going to restart the manual from scratch to make it more 1571 clear and professional 1572 -- Added ECC over Z/pZ. Basically provides as much as DH 1573 except its faster since the numbers are smaller. For example, 1574 A comparable 256-bit ECC key provides as much security as expected 1575 from a DH key over 1024-bits. 1576 -- Cleaned up the DH code to not export the symbol "sets[]" 1577 -- Fixed a bug in the DH code that would not make the correct size 1578 random string if you made the key short. For instance if you wanted 1579 a 512-bit DH key it would make a 768-bit one but only make up 512-bits 1580 for the exponent... now it makes the full 768 bits [or whatever the case 1581 is] 1582 -- Fixed another ***SERIOUS*** bug in the DH code that would default to 768-bit 1583 keys by mistake. 1584 1585December 25th, 2001 1586v0.09 -- Includes a demo program called file_crypt which shows off 1587 how to use the library to make a command line tool which 1588 allows the user to encode/decode a file with any 1589 hash (on the passphrase) and cipher in CTR mode. 1590 -- Switched everything to use typedef's now to clear up the code. 1591 -- Added AES (128/192 and 256 bit key modes) 1592 1593December 24th, 2001 1594v0.08 -- fixed a typo in the manual. MPI stores its bignums in 1595 BIG endian not little. 1596 -- Started adding a RNG to the library. Right now it tries 1597 to open /dev/random and if that fails it uses either the 1598 MS CSP or the clock drift RNG. It also allows callbacks 1599 since the drift RNG is slow (about 3.5 bytes/sec) 1600 -- the RNG can also automatically setup a PRNG as well now 1601 1602v0.07 -- Added basic DH routines sufficient to 1603 negotiate shared secrets 1604 [see the manual for a complete example!] 1605 -- Fixed rsa_import to detect when the input 1606 could be corrupt. 1607 -- added more to the manual. 1608 1609December 22nd, 2001 1610v0.06 -- Fixed some formatting errors in 1611 the hash functions [just source code cleaning] 1612 -- Fixed a typo in the error message for sha256 :-) 1613 -- Fixed an error in base64_encode() that 1614 would fail to catch all buffer overruns 1615 -- Test program times the RSA and symmetric cipher 1616 routines for kicks... 1617 -- Added the "const" modifier to alot of routines to 1618 clear up the purpose of each function. 1619 -- Changed the name of the library to "TomCrypt" 1620 following a suggestion from a sci.crypt reader.... 1621 1622v0.05 -- Fixed the ROL/ROR macro to be safe on platforms 1623 where unsigned long is not 32-bits 1624 -- I have added a bit more to the documentation 1625 manual "crypt.pdf" provided. 1626 -- I have added a makefile for LCC-Win32. It should be 1627 easy to port to other LCC platforms by changing a few lines. 1628 -- Ran a spell checker over the manual. 1629 -- Changed the header and library from "crypt" to "mycrypt" to not 1630 clash with the *nix package "crypt". 1631 1632v0.04 -- Fixed a bug in the RC5,RC6,Blowfish key schedules 1633 where if the key was not a multiple of 4 bytes it would 1634 not get loaded correctly. 1635 1636December 21st, 2001 1637 1638v0.03 -- Added Serpent to the list of ciphers. 1639 1640v0.02 -- Changed RC5 to only allow 12 to 24 rounds 1641 -- Added more to the manual. 1642 1643v0.01 -- We will call this the first version. 1644 1645/* $Source: /cvs/libtom/libtomcrypt/changes,v $ */ 1646/* $Revision: 1.288 $ */ 1647/* $Date: 2007/05/12 14:37:41 $ */ 1648 1649