aboutsummaryrefslogtreecommitdiff
path: root/cryptopp/Readme.txt
blob: 306c7ad47be7b683e528f50fc2b0bfbd7a8e1020 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
Crypto++: a C++ Class Library of Cryptographic Schemes
Version 5.6.0 (3/15/2009)

Crypto++ Library is a free C++ class library of cryptographic schemes.
Currently the library contains the following algorithms:

                   algorithm type  name

 authenticated encryption schemes  GCM, CCM, EAX
 
        high speed stream ciphers  Panama, Sosemanuk, Salsa20, XSalsa20

           AES and AES candidates  AES (Rijndael), RC6, MARS, Twofish, Serpent,
                                   CAST-256

                                   IDEA, Triple-DES (DES-EDE2 and DES-EDE3),
              other block ciphers  Camellia, SEED, RC5, Blowfish, TEA, XTEA,
                                   Skipjack, SHACAL-2

  block cipher modes of operation  ECB, CBC, CBC ciphertext stealing (CTS),
                                   CFB, OFB, counter mode (CTR)

     message authentication codes  VMAC, HMAC, CMAC, CBC-MAC, DMAC, 
                                   Two-Track-MAC

                                   SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and
                   hash functions  SHA-512), Tiger, WHIRLPOOL, RIPEMD-128,
                                   RIPEMD-256, RIPEMD-160, RIPEMD-320

                                   RSA, DSA, ElGamal, Nyberg-Rueppel (NR),
          public-key cryptography  Rabin, Rabin-Williams (RW), LUC, LUCELG,
                                   DLIES (variants of DHAES), ESIGN

   padding schemes for public-key  PKCS#1 v2.0, OAEP, PSS, PSSR, IEEE P1363
                          systems  EMSA2 and EMSA5

                                   Diffie-Hellman (DH), Unified Diffie-Hellman
            key agreement schemes  (DH2), Menezes-Qu-Vanstone (MQV), LUCDIF,
                                   XTR-DH

      elliptic curve cryptography  ECDSA, ECNR, ECIES, ECDH, ECMQV

          insecure or obsolescent  MD2, MD4, MD5, Panama Hash, DES, ARC4, SEAL
algorithms retained for backwards  3.0, WAKE, WAKE-OFB, DESX (DES-XEX3), RC2,
     compatibility and historical  SAFER, 3-WAY, GOST, SHARK, CAST-128, Square
                            value

Other features include:

  * pseudo random number generators (PRNG): ANSI X9.17 appendix C, RandomPool
  * password based key derivation functions: PBKDF1 and PBKDF2 from PKCS #5,
    PBKDF from PKCS #12 appendix B
  * Shamir's secret sharing scheme and Rabin's information dispersal algorithm
    (IDA)
  * fast multi-precision integer (bignum) and polynomial operations
  * finite field arithmetics, including GF(p) and GF(2^n)
  * prime number generation and verification
  * useful non-cryptographic algorithms
      + DEFLATE (RFC 1951) compression/decompression with gzip (RFC 1952) and
        zlib (RFC 1950) format support
      + hex, base-32, and base-64 coding/decoding
      + 32-bit CRC and Adler32 checksum
  * class wrappers for these operating system features (optional):
      + high resolution timers on Windows, Unix, and Mac OS
      + Berkeley and Windows style sockets
      + Windows named pipes
      + /dev/random, /dev/urandom, /dev/srandom
      + Microsoft's CryptGenRandom on Windows
  * A high level interface for most of the above, using a filter/pipeline
    metaphor
  * benchmarks and validation testing
  * x86, x86-64 (x64), MMX, and SSE2 assembly code for the most commonly used
    algorithms, with run-time CPU feature detection and code selection
  * some versions are available in FIPS 140-2 validated form

You are welcome to use it for any purpose without paying me, but see
License.txt for the fine print.

The following compilers are supported for this release. Please visit
http://www.cryptopp.com the most up to date build instructions and porting notes.

  * MSVC 6.0 - 2008
  * GCC 3.3 - 4.3
  * C++Builder 2009
  * Intel C++ Compiler 9 - 11
  * Sun Studio 12 (CC 5.9)

*** Important Usage Notes ***

1. If a constructor for A takes a pointer to an object B (except primitive
types such as int and char), then A owns B and will delete B at A's
destruction.  If a constructor for A takes a reference to an object B,
then the caller retains ownership of B and should not destroy it until
A no longer needs it. 

2. Crypto++ is thread safe at the class level. This means you can use
Crypto++ safely in a multithreaded application, but you must provide
synchronization when multiple threads access a common Crypto++ object.

*** MSVC-Specific Information ***

On Windows, Crypto++ can be compiled into 3 forms: a static library
including all algorithms, a DLL with only FIPS Approved algorithms, and
a static library with only algorithms not in the DLL.
(FIPS Approved means Approved according to the FIPS 140-2 standard.)
The DLL may be used by itself, or it may be used together with the second
form of the static library. MSVC project files are included to build
all three forms, and sample applications using each of the three forms
are also included.

To compile Crypto++ with MSVC, open the "cryptest.dsw" (for MSVC 6 and MSVC .NET 
2003) or "cryptest.sln" (for MSVC .NET 2005) workspace file and build one or 
more of the following projects:

cryptdll - This builds the DLL. Please note that if you wish to use Crypto++
  as a FIPS validated module, you must use a pre-built DLL that has undergone
  the FIPS validation process instead of building your own.
dlltest - This builds a sample application that only uses the DLL.
cryptest Non-DLL-Import Configuration - This builds the full static library
  along with a full test driver.
cryptest DLL-Import Configuration - This builds a static library containing
  only algorithms not in the DLL, along with a full test driver that uses
  both the DLL and the static library.

To use the Crypto++ DLL in your application, #include "dll.h" before including
any other Crypto++ header files, and place the DLL in the same directory as
your .exe file. dll.h includes the line #pragma comment(lib, "cryptopp")
so you don't have to explicitly list the import library in your project
settings. To use a static library form of Crypto++, specify it as
an additional library to link with in your project settings.
In either case you should check the compiler options to
make sure that the library and your application are using the same C++
run-time libraries and calling conventions.

*** DLL Memory Management ***

Because it's possible for the Crypto++ DLL to delete objects allocated 
by the calling application, they must use the same C++ memory heap. Three 
methods are provided to achieve this.
1.  The calling application can tell Crypto++ what heap to use. This method 
    is required when the calling application uses a non-standard heap.
2.  Crypto++ can tell the calling application what heap to use. This method 
    is required when the calling application uses a statically linked C++ Run 
    Time Library. (Method 1 does not work in this case because the Crypto++ DLL 
    is initialized before the calling application's heap is initialized.)
3.  Crypto++ can automatically use the heap provided by the calling application's 
    dynamically linked C++ Run Time Library. The calling application must
    make sure that the dynamically linked C++ Run Time Library is initialized
    before Crypto++ is loaded. (At this time it is not clear if it is possible
    to control the order in which DLLs are initialized on Windows 9x machines,
    so it might be best to avoid using this method.)

When Crypto++ attaches to a new process, it searches all modules loaded 
into the process space for exported functions "GetNewAndDeleteForCryptoPP" 
and "SetNewAndDeleteFromCryptoPP". If one of these functions is found, 
Crypto++ uses methods 1 or 2, respectively, by calling the function. 
Otherwise, method 3 is used. 

*** GCC-Specific Information ***

A makefile is included for you to compile Crypto++ with GCC. Make sure
you are using GNU Make and GNU ld. The make process will produce two files,
libcryptopp.a and cryptest.exe. Run "cryptest.exe v" for the validation
suite.

*** Documentation and Support ***

Crypto++ is documented through inline comments in header files, which are
processed through Doxygen to produce an HTML reference manual. You can find
a link to the manual from http://www.cryptopp.com. Also at that site is
the Crypto++ FAQ, which you should browse through before attempting to 
use this library, because it will likely answer many of questions that
may come up.

If you run into any problems, please try the Crypto++ mailing list.
The subscription information and the list archive are available on
http://www.cryptopp.com. You can also email me directly by visiting
http://www.weidai.com, but you will probably get a faster response through
the mailing list.

*** History ***

1.0 - First public release.  Withdrawn at the request of RSA DSI.
    - included Blowfish, BBS, DES, DH, Diamond, DSA, ElGamal, IDEA,
      MD5, RC4, RC5, RSA, SHA, WAKE, secret sharing, DEFLATE compression
    - had a serious bug in the RSA key generation code.

1.1 - Removed RSA, RC4, RC5
    - Disabled calls to RSAREF's non-public functions
    - Minor bugs fixed

2.0 - a completely new, faster multiprecision integer class
    - added MD5-MAC, HAVAL, 3-WAY, TEA, SAFER, LUC, Rabin, BlumGoldwasser,
      elliptic curve algorithms
    - added the Lucas strong probable primality test
    - ElGamal encryption and signature schemes modified to avoid weaknesses
    - Diamond changed to Diamond2 because of key schedule weakness
    - fixed bug in WAKE key setup
    - SHS class renamed to SHA
    - lots of miscellaneous optimizations

2.1 - added Tiger, HMAC, GOST, RIPE-MD160, LUCELG, LUCDIF, XOR-MAC,
      OAEP, PSSR, SHARK
    - added precomputation to DH, ElGamal, DSA, and elliptic curve algorithms
    - added back RC5 and a new RSA
    - optimizations in elliptic curves over GF(p)
    - changed Rabin to use OAEP and PSSR
    - changed many classes to allow copy constructors to work correctly
    - improved exception generation and handling

2.2 - added SEAL, CAST-128, Square
    - fixed bug in HAVAL (padding problem)
    - fixed bug in triple-DES (decryption order was reversed)
    - fixed bug in RC5 (couldn't handle key length not a multiple of 4)
    - changed HMAC to conform to RFC-2104 (which is not compatible
      with the original HMAC)
    - changed secret sharing and information dispersal to use GF(2^32)
      instead of GF(65521)
    - removed zero knowledge prover/verifier for graph isomorphism
    - removed several utility classes in favor of the C++ standard library

2.3 - ported to EGCS
    - fixed incomplete workaround of min/max conflict in MSVC

3.0 - placed all names into the "CryptoPP" namespace
    - added MD2, RC2, RC6, MARS, RW, DH2, MQV, ECDHC, CBC-CTS
    - added abstract base classes PK_SimpleKeyAgreementDomain and
      PK_AuthenticatedKeyAgreementDomain
    - changed DH and LUCDIF to implement the PK_SimpleKeyAgreementDomain
      interface and to perform domain parameter and key validation
    - changed interfaces of PK_Signer and PK_Verifier to sign and verify
      messages instead of message digests
    - changed OAEP to conform to PKCS#1 v2.0
    - changed benchmark code to produce HTML tables as output
    - changed PSSR to track IEEE P1363a
    - renamed ElGamalSignature to NR and changed it to track IEEE P1363
    - renamed ECKEP to ECMQVC and changed it to track IEEE P1363
    - renamed several other classes for clarity
    - removed support for calling RSAREF
    - removed option to compile old SHA (SHA-0)
    - removed option not to throw exceptions

3.1 - added ARC4, Rijndael, Twofish, Serpent, CBC-MAC, DMAC
    - added interface for querying supported key lengths of symmetric ciphers
      and MACs
    - added sample code for RSA signature and verification
    - changed CBC-CTS to be compatible with RFC 2040
    - updated SEAL to version 3.0 of the cipher specification
    - optimized multiprecision squaring and elliptic curves over GF(p)
    - fixed bug in MARS key setup
    - fixed bug with attaching objects to Deflator

3.2 - added DES-XEX3, ECDSA, DefaultEncryptorWithMAC
    - renamed DES-EDE to DES-EDE2 and TripleDES to DES-EDE3
    - optimized ARC4
    - generalized DSA to allow keys longer than 1024 bits
    - fixed bugs in GF2N and ModularArithmetic that can cause calculation errors
    - fixed crashing bug in Inflator when given invalid inputs
    - fixed endian bug in Serpent
    - fixed padding bug in Tiger

4.0 - added Skipjack, CAST-256, Panama, SHA-2 (SHA-256, SHA-384, and SHA-512),
      and XTR-DH
    - added a faster variant of Rabin's Information Dispersal Algorithm (IDA)
    - added class wrappers for these operating system features:
      - high resolution timers on Windows, Unix, and MacOS
      - Berkeley and Windows style sockets
      - Windows named pipes
      - /dev/random and /dev/urandom on Linux and FreeBSD
      - Microsoft's CryptGenRandom on Windows
    - added support for SEC 1 elliptic curve key format and compressed points
    - added support for X.509 public key format (subjectPublicKeyInfo) for
      RSA, DSA, and elliptic curve schemes
    - added support for DER and OpenPGP signature format for DSA
    - added support for ZLIB compressed data format (RFC 1950)
    - changed elliptic curve encryption to use ECIES (as defined in SEC 1)
    - changed MARS key schedule to reflect the latest specification
    - changed BufferedTransformation interface to support multiple channels
      and messages
    - changed CAST and SHA-1 implementations to use public domain source code
    - fixed bug in StringSource
    - optmized multi-precision integer code for better performance

4.1 - added more support for the recommended elliptic curve parameters in SEC 2
    - added Panama MAC, MARC4
    - added IV stealing feature to CTS mode
    - added support for PKCS #8 private key format for RSA, DSA, and elliptic
      curve schemes
    - changed Deflate, MD5, Rijndael, and Twofish to use public domain code
    - fixed a bug with flushing compressed streams
    - fixed a bug with decompressing stored blocks
    - fixed a bug with EC point decompression using non-trinomial basis
    - fixed a bug in NetworkSource::GeneralPump()
    - fixed a performance issue with EC over GF(p) decryption
    - fixed syntax to allow GCC to compile without -fpermissive
    - relaxed some restrictions in the license

4.2 - added support for longer HMAC keys
    - added MD4 (which is not secure so use for compatibility purposes only)
    - added compatibility fixes/workarounds for STLport 4.5, GCC 3.0.2,
      and MSVC 7.0
    - changed MD2 to use public domain code
    - fixed a bug with decompressing multiple messages with the same object
    - fixed a bug in CBC-MAC with MACing multiple messages with the same object
    - fixed a bug in RC5 and RC6 with zero-length keys
    - fixed a bug in Adler32 where incorrect checksum may be generated

5.0 - added ESIGN, DLIES, WAKE-OFB, PBKDF1 and PBKDF2 from PKCS #5
    - added key validation for encryption and signature public/private keys
    - renamed StreamCipher interface to SymmetricCipher, which is now implemented
      by both stream ciphers and block cipher modes including ECB and CBC
    - added keying interfaces to support resetting of keys and IVs without
      having to destroy and recreate objects
    - changed filter interface to support non-blocking input/output
    - changed SocketSource and SocketSink to use overlapped I/O on Microsoft Windows
    - grouped related classes inside structs to help templates, for example
      AESEncryption and AESDecryption are now AES::Encryption and AES::Decryption
    - where possible, typedefs have been added to improve backwards 
      compatibility when the CRYPTOPP_MAINTAIN_BACKWARDS_COMPATIBILITY macro is defined
    - changed Serpent, HAVAL and IDEA to use public domain code
    - implemented SSE2 optimizations for Integer operations
    - fixed a bug in HMAC::TruncatedFinal()
    - fixed SKIPJACK byte ordering following NIST clarification dated 5/9/02

5.01 - added known answer test for X9.17 RNG in FIPS 140 power-up self test
     - submitted to NIST/CSE, but not publicly released

5.02 - changed EDC test to MAC integrity check using HMAC/SHA1
     - improved performance of integrity check
     - added blinding to defend against RSA timing attack

5.03 - created DLL version of Crypto++ for FIPS 140-2 validation
     - fixed vulnerabilities in GetNextIV for CTR and OFB modes

5.0.4 - Removed DES, SHA-256, SHA-384, SHA-512 from DLL

5.1 - added PSS padding and changed PSSR to track IEEE P1363a draft standard
    - added blinding for RSA and Rabin to defend against timing attacks
      on decryption operations
    - changed signing and decryption APIs to support the above
    - changed WaitObjectContainer to allow waiting for more than 64
      objects at a time on Win32 platforms
    - fixed a bug in CBC and ECB modes with processing non-aligned data
    - fixed standard conformance bugs in DLIES (DHAES mode) and RW/EMSA2
      signature scheme (these fixes are not backwards compatible)
    - fixed a number of compiler warnings, minor bugs, and portability problems
    - removed Sapphire

5.2 - merged in changes for 5.01 - 5.0.4
    - added support for using encoding parameters and key derivation parameters
      with public key encryption (implemented by OAEP and DL/ECIES)
    - added Camellia, SHACAL-2, Two-Track-MAC, Whirlpool, RIPEMD-320,
      RIPEMD-128, RIPEMD-256, Base-32 coding, FIPS variant of CFB mode
    - added ThreadUserTimer for timing thread CPU usage
    - added option for password-based key derivation functions
      to iterate until a mimimum elapsed thread CPU time is reached
    - added option (on by default) for DEFLATE compression to detect
      uncompressible files and process them more quickly
    - improved compatibility and performance on 64-bit platforms,
      including Alpha, IA-64, x86-64, PPC64, Sparc64, and MIPS64
    - fixed ONE_AND_ZEROS_PADDING to use 0x80 instead 0x01 as padding.
    - fixed encoding/decoding of PKCS #8 privateKeyInfo to properly
      handle optional attributes

5.2.1 - fixed bug in the "dlltest" DLL testing program
      - fixed compiling with STLport using VC .NET
      - fixed compiling with -fPIC using GCC
      - fixed compiling with -msse2 on systems without memalign()
      - fixed inability to instantiate PanamaMAC
      - fixed problems with inline documentation

5.2.2 - added SHA-224
      - put SHA-256, SHA-384, SHA-512, RSASSA-PSS into DLL
      
5.2.3 - fixed issues with FIPS algorithm test vectors
      - put RSASSA-ISO into DLL

5.3 - ported to MSVC 2005 with support for x86-64
    - added defense against AES timing attacks, and more AES test vectors
    - changed StaticAlgorithmName() of Rijndael to "AES", CTR to "CTR"

5.4 - added Salsa20
    - updated Whirlpool to version 3.0
    - ported to GCC 4.1, Sun C++ 5.8, and Borland C++Builder 2006

5.5 - added VMAC and Sosemanuk (with x86-64 and SSE2 assembly)
    - improved speed of integer arithmetic, AES, SHA-512, Tiger, Salsa20,
      Whirlpool, and PANAMA cipher using assembly (x86-64, MMX, SSE2)
    - optimized Camellia and added defense against timing attacks
    - updated benchmarks code to show cycles per byte and to time key/IV setup
    - started using OpenMP for increased multi-core speed
    - enabled GCC optimization flags by default in GNUmakefile
    - added blinding and computational error checking for RW signing
    - changed RandomPool, X917RNG, GetNextIV, DSA/NR/ECDSA/ECNR to reduce
      the risk of reusing random numbers and IVs after virtual machine state
      rollback
    - changed default FIPS mode RNG from AutoSeededX917RNG<DES_EDE3> to
      AutoSeededX917RNG<AES>
    - fixed PANAMA cipher interface to accept 256-bit key and 256-bit IV
    - moved MD2, MD4, MD5, PanamaHash, ARC4, WAKE_CFB into the namespace "Weak"
    - removed HAVAL, MD5-MAC, XMAC

5.5.1 - fixed VMAC validation failure on 32-bit big-endian machines

5.5.2 - ported x64 assembly language code for AES, Salsa20, Sosemanuk, and Panama
        to MSVC 2005 (using MASM since MSVC doesn't support inline assembly on x64)
      - fixed Salsa20 initialization crash on non-SSE2 machines
      - fixed Whirlpool crash on Pentium 2 machines
      - fixed possible branch prediction analysis (BPA) vulnerability in
        MontgomeryReduce(), which may affect security of RSA, RW, LUC
      - fixed link error with MSVC 2003 when using "debug DLL" form of runtime library
      - fixed crash in SSE2_Add on P4 machines when compiled with 
        MSVC 6.0 SP5 with Processor Pack
      - ported to MSVC 2008, GCC 4.2, Sun CC 5.9, Intel C++ Compiler 10.0, 
        and Borland C++Builder 2007

5.6 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
    - added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
    - added support for variable length IVs
    - improved AES and SHA-256 speed on x86 and x64
    - fixed incorrect VMAC computation on message lengths 
      that are >64 mod 128 (x86 assembly version is not affected)
    - fixed compiler error in vmac.cpp on x86 with GCC -fPIC
    - fixed run-time validation error on x86-64 with GCC 4.3.2 -O2
    - fixed HashFilter bug when putMessage=true
    - removed WORD64_AVAILABLE; compiler support for 64-bit int is now required
    - ported to GCC 4.3, C++Builder 2009, Sun CC 5.10, Intel C++ Compiler 11

Written by Wei Dai