1
Crypto++: a C++ Class Library of Cryptographic Schemes
2
Version 5.6.1 (8/9/2010, SVN r520)
4
Crypto++ Library is a free C++ class library of cryptographic schemes.
5
Currently the library contains the following algorithms:
9
authenticated encryption schemes GCM, CCM, EAX
11
high speed stream ciphers Panama, Sosemanuk, Salsa20, XSalsa20
13
AES and AES candidates AES (Rijndael), RC6, MARS, Twofish, Serpent,
16
IDEA, Triple-DES (DES-EDE2 and DES-EDE3),
17
other block ciphers Camellia, SEED, RC5, Blowfish, TEA, XTEA,
20
block cipher modes of operation ECB, CBC, CBC ciphertext stealing (CTS),
21
CFB, OFB, counter mode (CTR)
23
message authentication codes VMAC, HMAC, GMAC, CMAC, CBC-MAC, DMAC,
26
SHA-1, SHA-2 (SHA-224, SHA-256, SHA-384, and
27
hash functions SHA-512), Tiger, WHIRLPOOL, RIPEMD-128,
28
RIPEMD-256, RIPEMD-160, RIPEMD-320
30
RSA, DSA, ElGamal, Nyberg-Rueppel (NR),
31
public-key cryptography Rabin-Williams (RW), LUC, LUCELG,
32
DLIES (variants of DHAES), ESIGN
34
padding schemes for public-key PKCS#1 v2.0, OAEP, PSS, PSSR, IEEE P1363
35
systems EMSA2 and EMSA5
37
Diffie-Hellman (DH), Unified Diffie-Hellman
38
key agreement schemes (DH2), Menezes-Qu-Vanstone (MQV), LUCDIF,
41
elliptic curve cryptography ECDSA, ECNR, ECIES, ECDH, ECMQV
43
insecure or obsolescent MD2, MD4, MD5, Panama Hash, DES, ARC4, SEAL
44
algorithms retained for backwards 3.0, WAKE, WAKE-OFB, DESX (DES-XEX3), RC2,
45
compatibility and historical SAFER, 3-WAY, GOST, SHARK, CAST-128, Square
48
Other features include:
50
* pseudo random number generators (PRNG): ANSI X9.17 appendix C, RandomPool
51
* password based key derivation functions: PBKDF1 and PBKDF2 from PKCS #5,
52
PBKDF from PKCS #12 appendix B
53
* Shamir's secret sharing scheme and Rabin's information dispersal algorithm
55
* fast multi-precision integer (bignum) and polynomial operations
56
* finite field arithmetics, including GF(p) and GF(2^n)
57
* prime number generation and verification
58
* useful non-cryptographic algorithms
59
+ DEFLATE (RFC 1951) compression/decompression with gzip (RFC 1952) and
60
zlib (RFC 1950) format support
61
+ hex, base-32, and base-64 coding/decoding
62
+ 32-bit CRC and Adler32 checksum
63
* class wrappers for these operating system features (optional):
64
+ high resolution timers on Windows, Unix, and Mac OS
65
+ Berkeley and Windows style sockets
67
+ /dev/random, /dev/urandom, /dev/srandom
68
+ Microsoft's CryptGenRandom on Windows
69
* A high level interface for most of the above, using a filter/pipeline
71
* benchmarks and validation testing
72
* x86, x86-64 (x64), MMX, and SSE2 assembly code for the most commonly used
73
algorithms, with run-time CPU feature detection and code selection
74
* some versions are available in FIPS 140-2 validated form
76
You are welcome to use it for any purpose without paying me, but see
77
License.txt for the fine print.
79
The following compilers are supported for this release. Please visit
80
http://www.cryptopp.com the most up to date build instructions and porting notes.
85
* Intel C++ Compiler 9 - 11.1
86
* Sun Studio 12u1, Express 11/08, Express 06/10
88
*** Important Usage Notes ***
90
1. If a constructor for A takes a pointer to an object B (except primitive
91
types such as int and char), then A owns B and will delete B at A's
92
destruction. If a constructor for A takes a reference to an object B,
93
then the caller retains ownership of B and should not destroy it until
96
2. Crypto++ is thread safe at the class level. This means you can use
97
Crypto++ safely in a multithreaded application, but you must provide
98
synchronization when multiple threads access a common Crypto++ object.
100
*** MSVC-Specific Information ***
102
On Windows, Crypto++ can be compiled into 3 forms: a static library
103
including all algorithms, a DLL with only FIPS Approved algorithms, and
104
a static library with only algorithms not in the DLL.
105
(FIPS Approved means Approved according to the FIPS 140-2 standard.)
106
The DLL may be used by itself, or it may be used together with the second
107
form of the static library. MSVC project files are included to build
108
all three forms, and sample applications using each of the three forms
111
To compile Crypto++ with MSVC, open the "cryptest.dsw" (for MSVC 6 and MSVC .NET
112
2003) or "cryptest.sln" (for MSVC 2005 - 2010) workspace file and build one or
113
more of the following projects:
115
cryptopp - This builds the DLL. Please note that if you wish to use Crypto++
116
as a FIPS validated module, you must use a pre-built DLL that has undergone
117
the FIPS validation process instead of building your own.
118
dlltest - This builds a sample application that only uses the DLL.
119
cryptest Non-DLL-Import Configuration - This builds the full static library
120
along with a full test driver.
121
cryptest DLL-Import Configuration - This builds a static library containing
122
only algorithms not in the DLL, along with a full test driver that uses
123
both the DLL and the static library.
125
To use the Crypto++ DLL in your application, #include "dll.h" before including
126
any other Crypto++ header files, and place the DLL in the same directory as
127
your .exe file. dll.h includes the line #pragma comment(lib, "cryptopp")
128
so you don't have to explicitly list the import library in your project
129
settings. To use a static library form of Crypto++, make the "cryptlib"
130
project a dependency of your application project, or specify it as
131
an additional library to link with in your project settings.
132
In either case you should check the compiler options to
133
make sure that the library and your application are using the same C++
134
run-time libraries and calling conventions.
136
*** DLL Memory Management ***
138
Because it's possible for the Crypto++ DLL to delete objects allocated
139
by the calling application, they must use the same C++ memory heap. Three
140
methods are provided to achieve this.
141
1. The calling application can tell Crypto++ what heap to use. This method
142
is required when the calling application uses a non-standard heap.
143
2. Crypto++ can tell the calling application what heap to use. This method
144
is required when the calling application uses a statically linked C++ Run
145
Time Library. (Method 1 does not work in this case because the Crypto++ DLL
146
is initialized before the calling application's heap is initialized.)
147
3. Crypto++ can automatically use the heap provided by the calling application's
148
dynamically linked C++ Run Time Library. The calling application must
149
make sure that the dynamically linked C++ Run Time Library is initialized
150
before Crypto++ is loaded. (At this time it is not clear if it is possible
151
to control the order in which DLLs are initialized on Windows 9x machines,
152
so it might be best to avoid using this method.)
154
When Crypto++ attaches to a new process, it searches all modules loaded
155
into the process space for exported functions "GetNewAndDeleteForCryptoPP"
156
and "SetNewAndDeleteFromCryptoPP". If one of these functions is found,
157
Crypto++ uses methods 1 or 2, respectively, by calling the function.
158
Otherwise, method 3 is used.
160
*** GCC-Specific Information ***
162
A makefile is included for you to compile Crypto++ with GCC. Make sure
163
you are using GNU Make and GNU ld. The make process will produce two files,
164
libcryptopp.a and cryptest.exe. Run "cryptest.exe v" for the validation
167
*** Documentation and Support ***
169
Crypto++ is documented through inline comments in header files, which are
170
processed through Doxygen to produce an HTML reference manual. You can find
171
a link to the manual from http://www.cryptopp.com. Also at that site is
172
the Crypto++ FAQ, which you should browse through before attempting to
173
use this library, because it will likely answer many of questions that
176
If you run into any problems, please try the Crypto++ mailing list.
177
The subscription information and the list archive are available on
178
http://www.cryptopp.com. You can also email me directly by visiting
179
http://www.weidai.com, but you will probably get a faster response through
184
1.0 - First public release. Withdrawn at the request of RSA DSI.
185
- included Blowfish, BBS, DES, DH, Diamond, DSA, ElGamal, IDEA,
186
MD5, RC4, RC5, RSA, SHA, WAKE, secret sharing, DEFLATE compression
187
- had a serious bug in the RSA key generation code.
189
1.1 - Removed RSA, RC4, RC5
190
- Disabled calls to RSAREF's non-public functions
193
2.0 - a completely new, faster multiprecision integer class
194
- added MD5-MAC, HAVAL, 3-WAY, TEA, SAFER, LUC, Rabin, BlumGoldwasser,
195
elliptic curve algorithms
196
- added the Lucas strong probable primality test
197
- ElGamal encryption and signature schemes modified to avoid weaknesses
198
- Diamond changed to Diamond2 because of key schedule weakness
199
- fixed bug in WAKE key setup
200
- SHS class renamed to SHA
201
- lots of miscellaneous optimizations
203
2.1 - added Tiger, HMAC, GOST, RIPE-MD160, LUCELG, LUCDIF, XOR-MAC,
205
- added precomputation to DH, ElGamal, DSA, and elliptic curve algorithms
206
- added back RC5 and a new RSA
207
- optimizations in elliptic curves over GF(p)
208
- changed Rabin to use OAEP and PSSR
209
- changed many classes to allow copy constructors to work correctly
210
- improved exception generation and handling
212
2.2 - added SEAL, CAST-128, Square
213
- fixed bug in HAVAL (padding problem)
214
- fixed bug in triple-DES (decryption order was reversed)
215
- fixed bug in RC5 (couldn't handle key length not a multiple of 4)
216
- changed HMAC to conform to RFC-2104 (which is not compatible
217
with the original HMAC)
218
- changed secret sharing and information dispersal to use GF(2^32)
220
- removed zero knowledge prover/verifier for graph isomorphism
221
- removed several utility classes in favor of the C++ standard library
224
- fixed incomplete workaround of min/max conflict in MSVC
226
3.0 - placed all names into the "CryptoPP" namespace
227
- added MD2, RC2, RC6, MARS, RW, DH2, MQV, ECDHC, CBC-CTS
228
- added abstract base classes PK_SimpleKeyAgreementDomain and
229
PK_AuthenticatedKeyAgreementDomain
230
- changed DH and LUCDIF to implement the PK_SimpleKeyAgreementDomain
231
interface and to perform domain parameter and key validation
232
- changed interfaces of PK_Signer and PK_Verifier to sign and verify
233
messages instead of message digests
234
- changed OAEP to conform to PKCS#1 v2.0
235
- changed benchmark code to produce HTML tables as output
236
- changed PSSR to track IEEE P1363a
237
- renamed ElGamalSignature to NR and changed it to track IEEE P1363
238
- renamed ECKEP to ECMQVC and changed it to track IEEE P1363
239
- renamed several other classes for clarity
240
- removed support for calling RSAREF
241
- removed option to compile old SHA (SHA-0)
242
- removed option not to throw exceptions
244
3.1 - added ARC4, Rijndael, Twofish, Serpent, CBC-MAC, DMAC
245
- added interface for querying supported key lengths of symmetric ciphers
247
- added sample code for RSA signature and verification
248
- changed CBC-CTS to be compatible with RFC 2040
249
- updated SEAL to version 3.0 of the cipher specification
250
- optimized multiprecision squaring and elliptic curves over GF(p)
251
- fixed bug in MARS key setup
252
- fixed bug with attaching objects to Deflator
254
3.2 - added DES-XEX3, ECDSA, DefaultEncryptorWithMAC
255
- renamed DES-EDE to DES-EDE2 and TripleDES to DES-EDE3
257
- generalized DSA to allow keys longer than 1024 bits
258
- fixed bugs in GF2N and ModularArithmetic that can cause calculation errors
259
- fixed crashing bug in Inflator when given invalid inputs
260
- fixed endian bug in Serpent
261
- fixed padding bug in Tiger
263
4.0 - added Skipjack, CAST-256, Panama, SHA-2 (SHA-256, SHA-384, and SHA-512),
265
- added a faster variant of Rabin's Information Dispersal Algorithm (IDA)
266
- added class wrappers for these operating system features:
267
- high resolution timers on Windows, Unix, and MacOS
268
- Berkeley and Windows style sockets
269
- Windows named pipes
270
- /dev/random and /dev/urandom on Linux and FreeBSD
271
- Microsoft's CryptGenRandom on Windows
272
- added support for SEC 1 elliptic curve key format and compressed points
273
- added support for X.509 public key format (subjectPublicKeyInfo) for
274
RSA, DSA, and elliptic curve schemes
275
- added support for DER and OpenPGP signature format for DSA
276
- added support for ZLIB compressed data format (RFC 1950)
277
- changed elliptic curve encryption to use ECIES (as defined in SEC 1)
278
- changed MARS key schedule to reflect the latest specification
279
- changed BufferedTransformation interface to support multiple channels
281
- changed CAST and SHA-1 implementations to use public domain source code
282
- fixed bug in StringSource
283
- optmized multi-precision integer code for better performance
285
4.1 - added more support for the recommended elliptic curve parameters in SEC 2
286
- added Panama MAC, MARC4
287
- added IV stealing feature to CTS mode
288
- added support for PKCS #8 private key format for RSA, DSA, and elliptic
290
- changed Deflate, MD5, Rijndael, and Twofish to use public domain code
291
- fixed a bug with flushing compressed streams
292
- fixed a bug with decompressing stored blocks
293
- fixed a bug with EC point decompression using non-trinomial basis
294
- fixed a bug in NetworkSource::GeneralPump()
295
- fixed a performance issue with EC over GF(p) decryption
296
- fixed syntax to allow GCC to compile without -fpermissive
297
- relaxed some restrictions in the license
299
4.2 - added support for longer HMAC keys
300
- added MD4 (which is not secure so use for compatibility purposes only)
301
- added compatibility fixes/workarounds for STLport 4.5, GCC 3.0.2,
303
- changed MD2 to use public domain code
304
- fixed a bug with decompressing multiple messages with the same object
305
- fixed a bug in CBC-MAC with MACing multiple messages with the same object
306
- fixed a bug in RC5 and RC6 with zero-length keys
307
- fixed a bug in Adler32 where incorrect checksum may be generated
309
5.0 - added ESIGN, DLIES, WAKE-OFB, PBKDF1 and PBKDF2 from PKCS #5
310
- added key validation for encryption and signature public/private keys
311
- renamed StreamCipher interface to SymmetricCipher, which is now implemented
312
by both stream ciphers and block cipher modes including ECB and CBC
313
- added keying interfaces to support resetting of keys and IVs without
314
having to destroy and recreate objects
315
- changed filter interface to support non-blocking input/output
316
- changed SocketSource and SocketSink to use overlapped I/O on Microsoft Windows
317
- grouped related classes inside structs to help templates, for example
318
AESEncryption and AESDecryption are now AES::Encryption and AES::Decryption
319
- where possible, typedefs have been added to improve backwards
320
compatibility when the CRYPTOPP_MAINTAIN_BACKWARDS_COMPATIBILITY macro is defined
321
- changed Serpent, HAVAL and IDEA to use public domain code
322
- implemented SSE2 optimizations for Integer operations
323
- fixed a bug in HMAC::TruncatedFinal()
324
- fixed SKIPJACK byte ordering following NIST clarification dated 5/9/02
326
5.01 - added known answer test for X9.17 RNG in FIPS 140 power-up self test
327
- submitted to NIST/CSE, but not publicly released
329
5.02 - changed EDC test to MAC integrity check using HMAC/SHA1
330
- improved performance of integrity check
331
- added blinding to defend against RSA timing attack
333
5.03 - created DLL version of Crypto++ for FIPS 140-2 validation
334
- fixed vulnerabilities in GetNextIV for CTR and OFB modes
336
5.0.4 - Removed DES, SHA-256, SHA-384, SHA-512 from DLL
338
5.1 - added PSS padding and changed PSSR to track IEEE P1363a draft standard
339
- added blinding for RSA and Rabin to defend against timing attacks
340
on decryption operations
341
- changed signing and decryption APIs to support the above
342
- changed WaitObjectContainer to allow waiting for more than 64
343
objects at a time on Win32 platforms
344
- fixed a bug in CBC and ECB modes with processing non-aligned data
345
- fixed standard conformance bugs in DLIES (DHAES mode) and RW/EMSA2
346
signature scheme (these fixes are not backwards compatible)
347
- fixed a number of compiler warnings, minor bugs, and portability problems
350
5.2 - merged in changes for 5.01 - 5.0.4
351
- added support for using encoding parameters and key derivation parameters
352
with public key encryption (implemented by OAEP and DL/ECIES)
353
- added Camellia, SHACAL-2, Two-Track-MAC, Whirlpool, RIPEMD-320,
354
RIPEMD-128, RIPEMD-256, Base-32 coding, FIPS variant of CFB mode
355
- added ThreadUserTimer for timing thread CPU usage
356
- added option for password-based key derivation functions
357
to iterate until a mimimum elapsed thread CPU time is reached
358
- added option (on by default) for DEFLATE compression to detect
359
uncompressible files and process them more quickly
360
- improved compatibility and performance on 64-bit platforms,
361
including Alpha, IA-64, x86-64, PPC64, Sparc64, and MIPS64
362
- fixed ONE_AND_ZEROS_PADDING to use 0x80 instead 0x01 as padding.
363
- fixed encoding/decoding of PKCS #8 privateKeyInfo to properly
364
handle optional attributes
366
5.2.1 - fixed bug in the "dlltest" DLL testing program
367
- fixed compiling with STLport using VC .NET
368
- fixed compiling with -fPIC using GCC
369
- fixed compiling with -msse2 on systems without memalign()
370
- fixed inability to instantiate PanamaMAC
371
- fixed problems with inline documentation
373
5.2.2 - added SHA-224
374
- put SHA-256, SHA-384, SHA-512, RSASSA-PSS into DLL
376
5.2.3 - fixed issues with FIPS algorithm test vectors
377
- put RSASSA-ISO into DLL
379
5.3 - ported to MSVC 2005 with support for x86-64
380
- added defense against AES timing attacks, and more AES test vectors
381
- changed StaticAlgorithmName() of Rijndael to "AES", CTR to "CTR"
384
- updated Whirlpool to version 3.0
385
- ported to GCC 4.1, Sun C++ 5.8, and Borland C++Builder 2006
387
5.5 - added VMAC and Sosemanuk (with x86-64 and SSE2 assembly)
388
- improved speed of integer arithmetic, AES, SHA-512, Tiger, Salsa20,
389
Whirlpool, and PANAMA cipher using assembly (x86-64, MMX, SSE2)
390
- optimized Camellia and added defense against timing attacks
391
- updated benchmarks code to show cycles per byte and to time key/IV setup
392
- started using OpenMP for increased multi-core speed
393
- enabled GCC optimization flags by default in GNUmakefile
394
- added blinding and computational error checking for RW signing
395
- changed RandomPool, X917RNG, GetNextIV, DSA/NR/ECDSA/ECNR to reduce
396
the risk of reusing random numbers and IVs after virtual machine state
398
- changed default FIPS mode RNG from AutoSeededX917RNG<DES_EDE3> to
399
AutoSeededX917RNG<AES>
400
- fixed PANAMA cipher interface to accept 256-bit key and 256-bit IV
401
- moved MD2, MD4, MD5, PanamaHash, ARC4, WAKE_CFB into the namespace "Weak"
402
- removed HAVAL, MD5-MAC, XMAC
404
5.5.1 - fixed VMAC validation failure on 32-bit big-endian machines
406
5.5.2 - ported x64 assembly language code for AES, Salsa20, Sosemanuk, and Panama
407
to MSVC 2005 (using MASM since MSVC doesn't support inline assembly on x64)
408
- fixed Salsa20 initialization crash on non-SSE2 machines
409
- fixed Whirlpool crash on Pentium 2 machines
410
- fixed possible branch prediction analysis (BPA) vulnerability in
411
MontgomeryReduce(), which may affect security of RSA, RW, LUC
412
- fixed link error with MSVC 2003 when using "debug DLL" form of runtime library
413
- fixed crash in SSE2_Add on P4 machines when compiled with
414
MSVC 6.0 SP5 with Processor Pack
415
- ported to MSVC 2008, GCC 4.2, Sun CC 5.9, Intel C++ Compiler 10.0,
416
and Borland C++Builder 2007
418
5.6.0 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
419
- added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
420
- added support for variable length IVs
421
- added OIDs for Brainpool elliptic curve parameters
422
- improved AES and SHA-256 speed on x86 and x64
423
- changed BlockTransformation interface to no longer assume data alignment
424
- fixed incorrect VMAC computation on message lengths
425
that are >64 mod 128 (x86 assembly version is not affected)
426
- fixed compiler error in vmac.cpp on x86 with GCC -fPIC
427
- fixed run-time validation error on x86-64 with GCC 4.3.2 -O2
428
- fixed HashFilter bug when putMessage=true
429
- fixed AES-CTR data alignment bug that causes incorrect encryption on ARM
430
- removed WORD64_AVAILABLE; compiler support for 64-bit int is now required
431
- ported to GCC 4.3, C++Builder 2009, Sun CC 5.10, Intel C++ Compiler 11
433
5.6.1 - added support for AES-NI and CLMUL instruction sets in AES and GMAC/GCM
435
- fixed several bugs in the SHA-256 x86/x64 assembly code:
436
* incorrect hash on non-SSE2 x86 machines on non-aligned input
437
* incorrect hash on x86 machines when input crosses 0x80000000
438
* incorrect hash on x64 when compiled with GCC with optimizations enabled
439
- fixed bugs in AES x86 and x64 assembly causing crashes in some MSVC build configurations
440
- switched to a public domain implementation of MARS
441
- ported to MSVC 2010, GCC 4.5.1, Sun Studio 12u1, C++Builder 2010, Intel C++ Compiler 11.1
442
- renamed the MSVC DLL project to "cryptopp" for compatibility with MSVC 2010
added
removed
cppForSwig/cryptopp/Readme.txt
