Crypto++ 6.0 release

@noloader noloader released this 22 Jan 21:29

Crypto++ 6.0

Crypto++ 6.0 was released on January 22, 2018. The 6.0 release was a major release and the ABI changed. The release included two CVE fixes.

The first CVE, CVE-2016-9939, was a transient DoS caused by allocating an oversized buffer based on attacker-controlled data. The transient nature was due to a zeroizer that cleared the memory, even if the memory was unused.
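The bug class described above, as an added example that is not Crypto++ code: a decoder that sizes a buffer from a declared length before validating it, beside a hardened form that validates first. The record format, `Reader` and the `Decode*` functions are constructed for illustration, and `std::vector`'s zero-fill stands in for a zeroizer touching memory that is never used.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed record format (assumption): 4-byte big-endian length N, then N value bytes.
struct Reader { const uint8_t* p; size_t remaining; };

static uint32_t ReadLength(Reader& r) {
    if (r.remaining < 4) throw std::runtime_error("truncated length");
    uint32_t n = (uint32_t(r.p[0]) << 24) | (uint32_t(r.p[1]) << 16) |
                 (uint32_t(r.p[2]) << 8) | uint32_t(r.p[3]);
    r.p += 4; r.remaining -= 4;
    return n;
}

// Weak form: the buffer is sized (and zero-filled) from the declared length
// before the decoder checks that the input holds that many bytes.
std::vector<uint8_t> DecodeUnchecked(Reader r) {
    uint32_t n = ReadLength(r);
    std::vector<uint8_t> out(n);   // up to 4 GiB allocated and cleared here
    if (n > r.remaining) throw std::runtime_error("short input");
    std::copy(r.p, r.p + n, out.begin());
    return out;
}

// Hardened form: validate the declared length against the bytes actually
// present and a policy cap, then allocate.
std::vector<uint8_t> DecodeChecked(Reader r, size_t maxLen = 1u << 20) {
    uint32_t n = ReadLength(r);
    if (n > r.remaining || n > maxLen) throw std::runtime_error("bad length");
    return std::vector<uint8_t>(r.p, r.p + n);
}

// True when the hardened decoder refuses the message.
bool Rejected(const std::vector<uint8_t>& msg) {
    try { DecodeChecked(Reader{msg.data(), msg.size()}); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    const std::vector<uint8_t> good = {0, 0, 0, 3, 'a', 'b', 'c'};      // constructed
    const std::vector<uint8_t> hostile = {0xFF, 0xFF, 0xFF, 0xFF, 'x'}; // claims 4 GiB
    std::printf("good rejected: %d, hostile rejected: %d\n",
                Rejected(good), Rejected(hostile));
    return 0;
}
```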

The second CVE, CVE-2017-9434, was a misidentified finding that arose during fuzzing. The project detected a memory error that was due to a violation of aliasing rules in the test software, and not the library proper.

Release Notes

The release notes for Crypto++ 6.0 follow.

  • Major release, recompile of programs required
  • expanded community input and support
    • 43 unique contributors as of this release
  • fixed CVE-2016-9939 (Issue 346, transient DoS)
  • fixed CVE-2017-9434 (Issue 414, misidentified memory error)
  • converted to BASE+SIMD implementation
    • BASE provides an architecture neutral C++ implementation
    • SIMD provides architecture specific hardware acceleration
  • improved PowerPC Power4, Power7 and Power8 support
  • added ARIA, EC German DSA, Deterministic signatures (RFC 6979), Kalyna, NIST Hash and HMAC DRBG, Padlock RNG, Poly1305, SipHash, Simon, Speck, SM3, SM4, Threefish algorithms
  • added NaCl interface from the compact library
    • x25519 key exchange and ed25519 signing provided through NaCl interface
  • improved Testing and QA
  • ported to MSVC 2017, Xcode 8.1, Sun Studio 12.5, GCC 7.0, MacPorts GCC 7.0, Clang 4.0, Intel C++ 17.00, IBM XL C/C++ 13.1


Crypto++ moved byte into the CryptoPP namespace. The change could cause problems with some user programs. There is a wiki page available for fixing user programs at std::byte.

The change was due to C++17 std::byte causing ambiguous symbol references. Formerly Crypto++ byte was in the global namespace to avoid ambiguous symbol references due to Microsoft SDK's placement of a byte in the global namespace.

After the change Microsoft byte and std::byte will still cause ambiguous symbol references, and the wiki page should help user programs make a choice.


Crypto++ switched to BASE+SIMD to better support distros. BASE provides an architecture-agnostic C++ implementation, while SIMD provides a specialized implementation, like ARMv8 or Intel, for AES or SHA. The SIMD files, like rijndael-simd.cpp or sha-simd.cpp, require architecture-specific flags, like -msse4.1 -maes and -march=armv8-a+crypto.

Both the Crypto++ makefile and the unofficial Autotools project add the architecture-specific flags. The makefile still honors your CXXFLAGS:

# AESNI, ARMv8a or Power8 available
rijndael-simd.o : rijndael-simd.cpp
        $(CXX) $(strip $(CXXFLAGS) $(AES_FLAG) -c) $<

If you encounter errors like the one shown below, then be sure your build tool is adding the necessary flags.

$ g++ -g2 -O3 rijndael-simd.cpp -c
In file included from rijndael-simd.cpp:37:0:
  error: inlining failed in call to always_inline '__m128i _mm_aesenc_si128(__m128i, __m128i)':
  target specific option mismatch
 _mm_aesenc_si128 (__m128i __X, __m128i __Y)
rijndael-simd.cpp:377:33: note: called from here
         block = _mm_aesenc_si128(block, skeys[i+1]);
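The BASE+SIMD split in a single file, as an added example that is not Crypto++ source: a portable CRC-32C routine, an SSE4.2 routine, and a dispatcher that probes the CPU before calling the SIMD path. To fit in one file it uses the GCC/Clang per-function `target` attribute in place of the per-file flags the makefile adds; the function names are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
# include <nmmintrin.h>
# define HAVE_X86_SIMD 1
#endif

// BASE: architecture-neutral CRC-32C (Castagnoli), one bit at a time.
uint32_t Crc32cBase(const uint8_t* data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; ++i) {
        crc ^= data[i];
        for (int k = 0; k < 8; ++k)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#ifdef HAVE_X86_SIMD
// SIMD: only this function is compiled for SSE4.2. Without the attribute
// (or -msse4.2 on the file) GCC cannot inline the always_inline intrinsic
// and reports "target specific option mismatch".
__attribute__((target("sse4.2")))
uint32_t Crc32cSimd(const uint8_t* data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; ++i)
        crc = _mm_crc32_u8(crc, data[i]);
    return ~crc;
}
#endif

// The dispatcher lives in BASE code and checks the CPU before using SIMD.
uint32_t Crc32c(const uint8_t* data, size_t len) {
#ifdef HAVE_X86_SIMD
    if (__builtin_cpu_supports("sse4.2"))
        return Crc32cSimd(data, len);
#endif
    return Crc32cBase(data, len);
}

int main() {
    const uint8_t msg[] = {'1', '2', '3', '4', '5', '6', '7', '8', '9'};
    std::printf("%08X\n", (unsigned)Crc32c(msg, sizeof(msg)));
    return 0;
}
```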

Autotools project

BASE+SIMD caused a lot of extra work for Debian and László Böszörményi. We teamed with László and added an unofficial Autotools project to remove some of the burden. The Autotools project can be used to build Crypto++ by distributions.

If you experience a failed compile due to missing architecture flags, then run the makefile or Autotools' configure. Autotools will provide summary information with the necessary flags:

$ autoreconf -f -i
$ ./configure

Auto-configuration complete. A summary of options are below. If
something looks wrong then please modify config.h and please report
it at

   Build triplet: x86_64-pc-linux-gnu
 Compiler target: x86_64-redhat-linux
Compiler version: g++ (GCC) 7.2.1 20170915 (Red Hat 7.2.1-2)

Static library: yes
Shared library: yes

CRYPTOPP_GCM_FLAG: -mssse3 -mpclmul
CRYPTOPP_AES_FLAG: -msse4.1 -maes
CRYPTOPP_SHA_FLAG: -msse4.2 -msha

Automake flags (can be overridden by user flags):
AM_CXXFLAGS:  -pthread -fdata-sections -ffunction-sections -pipe
AM_LDFLAGS:  -pthread -Wl,--gc-sections -Wl,--exclude-libs,ALL

User flags (overrides Automake flags on conflict):

Running configure on an Aarch64 machine produces similar results for ARMv8:

CRYPTOPP_NEON_FLAG: -march=armv8-a
CRYPTOPP_ARIA_FLAG: -march=armv8-a
CRYPTOPP_BLAKE2_FLAG: -march=armv8-a
CRYPTOPP_CRC_FLAG: -march=armv8-a+crc
CRYPTOPP_GCM_FLAG: -march=armv8-a+crypto
CRYPTOPP_AES_FLAG: -march=armv8-a+crypto
CRYPTOPP_SHA_FLAG: -march=armv8-a+crypto
CRYPTOPP_SPECK_FLAG: -march=armv8-a
CRYPTOPP_SIMON_FLAG: -march=armv8-a

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 6.0 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parentheses is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

CMake bugs were not included in the list below. There were approximately 40 of them. CMake did not achieve stability, and it was removed under Issue 506. The build tool was responsible for a disproportionate number of bugs between Crypto++ 5.6.4 and Crypto++ 6.0. We did not have the resources to work the reports.

  • Fixed CVE-2016-9939 (Issue 346, transient DoS)
  • Fixed CVE-2017-9434 (Issue 414, misidentified memory error)
  • Added std::byte, fixed compiles (Issues 442, 447, 458)
  • Converted to BASE+SIMD source code pattern (Issue 380, PR 461)
  • Updated documentation
  • Fixed x64dll.asm included in Windows Phone using MSbuilds (Issue 316)
  • Remove dependencies on WINVER and _WIN32_WINNT (Issue 318)
  • Fixed memcpy_s has not been declared on MinGW (Issue 319)
  • Fixed undeclared identifier '_mm_clmulepi64_si128' with Clang (Issue 320)
  • Fixed MASM RDRAND and access violation under VS2013 (Issue 321)
  • Fixed WSAStringToAddress was not declared in this scope on Cygwin (Issue 322)
  • Updated curve25519 OIDs (Issue 323)
  • Fixed error: operator '>=' has no left operand on Solaris (Issue 329)
  • Fixed Error: character following name is not '#' on Debian Hurd (Issue 330)
  • Fixed zeroizer removal by the optimizer (Issue 331)
  • Added AND, OR and XOR bitops to Integer class (Issue 336)
  • Fixed missing Integer ctor overload body (Issue 337)
  • Removed VC++ 5.0/6.0 support (Issue 342)
  • Updated DefaultEncryptor, DefaultEncryptorWithMAC with modern algorithms (Issue 345)
  • Added SipHash (Issue 348)
  • Increased Socket::Listen backlog (Issue 349)
  • Fixed RoundUpToMultipleOf bug (Issue 360)
  • Fixed <arm_acle.h> include for Apple and LLVM Clang (Issue 362)
  • Fixed Apple Clang and numeric_limits::max() returns 0 (Issue 362)
  • Fixed 32-bit SHA-384 and SHA-512 (Issue 365)
  • Fixed poor performance with ARMv8/Aarch64 on Cortex-A57 (Issue 367)
  • Added HeaderVersion() and LibraryVersion() functions (Issue 371)
  • Singleton::Ref() crashes on VS2012/2013 (Issue 372, 391)
  • Fixed Hang and loader lock on WinXP (Issues 373, 435)
  • Converted encoders to thread safe initialization (Issue 376)
  • Fixed OS_NO_DEPENDENCE in osrng.h (Issue 377)
  • Added Test namespace within CryptoPP namespace (Issue 379)
  • Removed NULL_CHANNEL and Code Warrior 8 workaround (Issue 382)
  • Added support for C++11 nullptr (Issue 383)
  • Converted to WSAStringToAddressA for Windows (Issue 385)
  • Added Random Number Generator benchmarks (Issue 386)
  • Improved RDRAND and RDSEED performance (Issue 387, 388)
  • Fixed EGCC assembler error on OpenBSD (Issue 395)
  • Fixed SIGBUS crashes in cryptest.exe on Solaris (Issue 403)
  • Fixed Inlining failed ... target specific option mismatch (Issue 407)
  • Added Kalyna block cipher (Issue 411)
  • Reduced fiddling with warnings in config.h (Issue 412)
  • Fixed incorrect BLAKE2 hash (Issue 415)
  • Added Gzip Filename, Filetime and Comment support (Issue 420)
  • Added Threefish block cipher (Issue 422)
  • Added Polynomials for CMAC and GCM mode (Issue 423)
  • Enabled SHA intrinsics when SHA is not defined (BASE+SIMD pattern) (Issue 427, PR 461)
  • Enabled CRC32 intrinsics when CRC is not defined (BASE+SIMD pattern) (Issue 428, PR 461)
  • Enabled AES intrinsics when AES is not defined (BASE+SIMD pattern) (Issue 429, PR 461)
  • Enabled CLMUL intrinsics when PCLMUL is not defined (BASE+SIMD pattern) (Issue 430, PR 461)
  • Fixed GCC7 and -Wimplicit-fallthrough warnings (Issue 411)
  • Make SecBlock<T,A> data members protected (Issue 448)
  • Fixed Clang and sequence point warning (Issue 449)
  • Added OldRandomPool for pre-Crypto++ 5.5 compatibility (Issue 452)
  • Switched from -O2 to -O3 in the makefile (Issue 454)
  • Fixed static SHA::Transform on Intel SHA (Issue 455, 456)
  • Added ARMv8 AES (Issue 458)
  • Fixed inlining failed in call on MinGW (Issue 466)
  • Fixed Clang 3.8 and SHA assembler error on OpenBSD (Issue 468)
  • Fixed crash in ARIA_ProcessAndXorBlock_Xor_SSSE3 (Issue 473)
  • Fixed SecBlock compile failure due to lack of strongly typed enums with VS2010 (Issue 400)
  • Fixed ARM feature detection with BASE+SIMD (Issue 480, PR 461)
  • Fixed load/store on ARM NEON using BASE+SIMD (Issue 481, PR 461)
  • Fixed GCC 6 compile failure with -std=c++03 on AIX (Issue 485)
  • Improved under-aligned buffers for AltiVec and Power8 (Issue 487)
  • Fixed AOSP_STL_INC using (Issue 490)
  • Fixed Android ARM compile using (Issue 491)
  • Fixed CentOS 6.6 amd64 compile error (Issue 494)
  • Added Power8 AES (Issue 497)
  • Fixed DL_PrivateKey_GFP::~DL_PrivateKey_GFP() section type conflict on AIX (Issue 499)
  • Fixed CpuID function using Borland (Issue 500)
  • Fixed SHA512 failed self tests on AIX (Issue 502)
  • Fixed TEA failed self tests on AIX (Issue 502)
  • Removed CMake from library sources (Issue 506)
  • Fixed Android x86 compile using (Issue 508)
  • Fixed Android ARMEABI compile using (Issue 509)
  • Added CRYPTOPP_NO_CPU_FEATURE_PROBES to disable SIGILL probes (Issues 511, 521)
  • Fixed compile with Borland 2010 (Issue 512)
  • Added SHA3 OIDs for signature schemes (Issue 517)
  • Fixed long compile time for BLAKE2 using MSVC (Issue 527)
  • Fixed Poly1305 link error (Issue 528)
  • Added CRYPTOPP_NO_CXX11 for old compilers (Issue 529)
  • Fixed RSA signature failures when using libcryptopp.dylib on OS X (Issue 533)
  • Removed variable block size support for block ciphers (Issue 535)
  • Added SPECK-64 and SPECK-128 block ciphers (Issue 538)
  • Added SIMON-64 and SIMON-128 block ciphers (Issue 539)
  • Added SM4 block cipher (Issue 540)
  • Added SM3 hash function (Issue 541)
  • Fixed no such instruction: 'sha1rnds4 $0,%xmm0,%xmm7' on Solaris (Issue 551)
  • Fixed SM3 failed self tests at -O3 on AIX (Issue 553)
  • Fixed impossible register constraint in 'asm' (Issue 554)
  • Removed DL_PrivateKey_GFP_OldFormat (Issue 567)
  • Improved <arm_acle.h> include for GCC, Apple and LLVM Clang on ARM, Aarch32 and Aarch64 (Issue 568)
  • Removed AsymmetricAlgorithm::BERDecode and DEREncode (Issue 569)
  • Fixed Clang warnings in pkcspad.h (Pull Request 270)
  • Improved Keccak and SHA3 support (Pull Requests 280, 291, 296)
  • Fixed MARS key sizes (Pull Requests 281, 282)
  • Fixed VS2012 project files (Pull Request 286)
  • Fixed GCC warning "type qualifiers ignored on function return type" (Pull Request 339)
  • Fixed CRYPTOPP_ASSERT (Pull Request 356)
  • Fixed VS2017 warnings (Pull Request 363)
  • Added W3C padding support (Pull Request 368)
  • Added DragonFly support (Pull Request 378)
  • Removed static from reference to singleton (Pull Request 392)
  • Improved SunCC support (Pull Request 402)
  • Fixed Sun SPARC alignment (Pull Request 405)
  • Fixed BLAKE2 when using non-standard digest sizes (Pull Request 416)
  • Implemented reproducible builds (Pull Request 426)
  • Improved Windows XP support under VS2015 (Pull Request 439)
  • Removed -march=native as default in Makefile (Pull Request 465)
  • Removed WORKAROUND_MS_BUG_Q258000 (Pull Request 478)
  • Fixed Clang FreeBSD 10.3 builds (Pull Request 483)
  • Added Android cpufeatures library integration (Pull Request 489)
  • Improved MinGW support (Pull Request 531)
  • Updated shared object build rules (Pull Request 547)
  • Fixed C++ Builder compiles (Pull Request 552)
  • Used lambda instead of std::bind2nd in C++11 (Pull Request 559)
  • Fixed deterministic signatures for EC (Pull Request 560)
  • Added interface to TweetNaCl library (Pull Request 566)
  • Removed all BACKWARDS_COMPATIBILITY code and macros. The clock is reset.
  • Fixed approximately 25 Asan and UBsan findings
  • Fixed approximately 50 Coverity findings

Notes for Distros

There are three items of interest for distros. First, we fixed the ABI breaks by bumping to Crypto++ 6.0. We apologize for the problems it caused in Crypto++ 5.6.5.

Second, we have an unofficial Autotools project at Crypto++ | Autotools. It is based on the Autotools project files supplied by Debian and László Böszörményi. Autotools has several contributors, including László, so it should be mostly up to date.

Third, we have an unofficial Cmake project at Crypto++ | Cmake. It is based on the Cmake project files that were removed from the distribution. There are fewer contributors to the Cmake project and the files may not be up to date.

File Changes

Below is a list of all files that were added or deleted at Crypto++ 6.0.

$ git diff-tree -r --summary CRYPTOPP_5_6_5 CRYPTOPP_6_0_0 | grep -v "change" | awk '{$2=$3=""; print $0}' | egrep '(.h|.cpp|.txt|.dat)'
create   TestData/aria.dat
create   TestData/rsa2048a.dat
create   TestVectors/aria.txt
create   TestVectors/kalyna.txt
create   TestVectors/sha1_160_fips_180.txt
create   TestVectors/sha1_fips_180.txt
create   TestVectors/sha2.txt
create   TestVectors/sha2_224_fips_180.txt
create   TestVectors/sha2_256_fips_180.txt
create   TestVectors/sha2_384_fips_180.txt
create   TestVectors/sha2_512_fips_180.txt
create   TestVectors/sha2_fips_180.txt
create   TestVectors/sha3.txt
create   TestVectors/simon.txt
create   TestVectors/siphash.txt
create   TestVectors/sm3.txt
create   TestVectors/sm4.txt
create   TestVectors/speck.txt
create   TestVectors/threefish.txt
create   adv-simd.h
create   aria-simd.cpp
create   aria.cpp
create   aria.h
create   ariatab.cpp
create   blake2-simd.cpp
create   crc-simd.cpp
create   drbg.h
create   ecpoint.h
create   gcm-simd.cpp
create   hashfwd.h
create   kalyna.cpp
create   kalyna.h
create   kalynatab.cpp
create   nacl.h
create   neon-simd.cpp
create   padlkrng.cpp
create   padlkrng.h
create   poly1305.cpp
create   poly1305.h
create   ppc-simd.cpp
create   ppc-simd.h
delete   regtest.cpp
create   regtest1.cpp
create   regtest2.cpp
create   regtest3.cpp
create   rijndael-simd.cpp
create   sha-simd.cpp
create   shacal2-simd.cpp
create   simon-simd.cpp
create   simon.cpp
create   simon.h
create   siphash.h
create   sm3.cpp
create   sm3.h
create   sm4.cpp
create   sm4.h
create   speck-simd.cpp
create   speck.cpp
create   speck.h
create   sse-simd.cpp
create   threefish.cpp
create   threefish.h
create   tweetnacl.cpp
create   tweetnacl.h
create   validat0.cpp
create   validat4.cpp