@noloader noloader released this Apr 8, 2018 · 874 commits to master since this release

Assets 2

Crypto++ 7.0

Crypto++ 7.0 was released on April 8, 2018. The 7.0 release was a major, unplanned release. There are no CVE fixes but there is a fix for a memory error.


The download is available from the Crypto++ website. The checksums for the download are below.

  • Original cryptopp700.zip
  • SHA1: 1288682ae2f3062ea3a82ca2e90bd06d147568a4
  • SHA256: a4bc939910edd3d29fb819a6fc0dfdc293f686fa62326f61c56d72d0a366ceb0
  • SHA512: 8fd8d680e5ceaf10b3c32cb1504bda4b32abc9fcaa2c6e61e3b5e67aca805c792579884bc6a749c29a99105304c421d03d7fe7909fc58f750b3155c7c5cec8ec
  • BLAKE2b: 1b1a60e240a9d94b4edfea16beef0ec48ec26c61f7f9a3d89d29bd2e77b13a83ce942f81467bb90d3086253560a3c4acd6b89178dcb416ed4328340ad5222dfd
  • WHIRLPOOL: dd7133b278fd751f89ad462bd9b84cdabe0ed80e2d19a1b1df6487c5930a092d69feb6303aacc13562ac555e3109bdac9f231079ed5c4318f3c6d686ed6220e3

Mirrors for the download are below. Note that GitHub checksums on the ZIP or TAR are different because the service creates the archive from sources.

Release Notes

The release notes for Crypto++ 7.0 follows.

  • major release, recompile of programs required
  • expanded community input and support
    • 48 unique contributors as of this release
  • fix incorrect result when using Integer::InverseMod
    • may be CVE worthy, but request was not submitted
  • fix ARIA/CTR bus error on Sparc64
  • fix incorrect result when using a_exp_b_mod_c
  • fix undeclared identifier uint32_t on early Visual Studio
  • fix iPhoneSimulator build on i386
  • fix incorrect adler32 in ZlibDecompressor
  • fix Power7 test using PPC_FEATURE_ARCH_2_06
  • workaround incorrect Glibc sysconf return value on ppc64-le
  • add KeyDerivationFunction interface
  • add scrypt key derivation function
  • add Salsa20_Core transform callable from outside class
  • add sbyte, sword16, sword32 and sword64
  • remove s_nullNameValuePairs from unnamed namespace
  • ported to MSVC 2017, Xcode 9.3, Sun Studio 12.5, GCC 8.0.1, MacPorts GCC 7.0, Clang 5.0, Intel C++ 17.00, IBM XL C/C++ 13.1

Bug Fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 7.0 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

  • fix incorrect result when using Integer::InverseMod (Issue 602)
    • may be CVE worthy, but a request was not submitted
  • fix warning due to different string alignments in mqueue.cpp (Issue 591, PR 603)
  • add PowerPC Power8 SHA hashing (Issue 513)
  • define AT_HWCAP/AT_HWCAP2 if getauxval unavailable (PR 594)
  • fix compile error on Windows due to symbol U collision (Issue 599)
  • fix Adler32 error in ZlibDecompressor in multithreaded programs (Issue 596, PR 600)
  • fix ARIA/CTR bus error on Sparc64 (Issue 597)
  • fix GCC version for RDSEED intrinsic (PR 598)
  • fix incorrect result when using a_exp_b_mod_c (Issue 602)
  • fix undeclared identifier uint32_t on early Visual Studio (Issue 608)
  • add sbyte, sword16, sword32 and sword64 (Issue 608, 609)
  • add KeyDerivationFunction interface (Issue 610)
  • cutover PBKDF to KeyDerivationFunction interface (PR 612)
  • add Scrypt key derivation function (Issue 613)
  • remove extraneous semi-colons in source files (PR 605-625)
  • re-enable OS X and iOS tests on Travis (PR 627)
  • add OpenMP support to Scrypt (PR 628)
  • add Salsa20_Core transform (Issue 630)
  • remove s_nullNameValuePairs from unnamed namespace (Issue 631)
  • rename ECGDSA_ISO15946 -> ECGDSA (PR 634)
  • fix iPhoneSimulator build on i386 (Issue 635)
  • make CAST temporaries class members (Commit 71e9fec)
  • fix Scrypt and Coverity findings CID 189203, 189204, 189205 (Commit 11e0760)
  • change order of member initialization in ASN.1 decoders (Commit 64a15cf)
  • make AuthenticatedSymmetricCipher::AlgorithmName non-pure (Commit 62a9574)
  • add CPU feature queries for AIX (Commit 04e3618)

Memory error

The Integer class had a memory error in member function InverseMod that could cause a heap corruption. The error surfaced when x % m was used and x was much larger than m. The error usually occured when the bit count of x was larger than the bit count m by about 128-bits or 256-bits.

Below is the new code for InverseMod located in integer.cpp. InverseMod was fixed, and InverseModNext was added. The problem was Integer r was too small, and AlmostInverse wrote beyond the integer's internal buffer. Also see Issue 602 | Comment 376222204.

Integer Integer::InverseMod(const Integer &m) const
    if (IsNegative())
        return Modulo(m).InverseModNext(m);

    // http://github.com/weidai11/cryptopp/issues/602
    if (*this >= m)
        return Modulo(m).InverseModNext(m);

    return InverseModNext(m);

Integer Integer::InverseModNext(const Integer &m) const
    if (m.IsEven())
        if (!m || IsEven())
            return Zero();    // no inverse
        if (*this == One())
            return One();

        Integer u = m.Modulo(*this).InverseModNext(*this);
        return !u ? Zero() : (m*(*this-u)+1)/(*this);

    IntegerSecBlock T(m.reg.size() * 4);
    Integer r((word)0, m.reg.size());
    unsigned k = AlmostInverse(r.reg, T, reg, reg.size(), m.reg, m.reg.size());
    DivideByPower2Mod(r.reg, r.reg, k, m.reg, m.reg.size());
    return r;

Notes for Distros

The incorrect result when using Integer::InverseMod (Issue 602) is a memory error. The issue may be CVE worthy, and it is the reason for the Crypto++ 7.0 release. The library itself was not at risk of memory problems due to the way the library used the Integer class. User programs prior to Crypto++ 7.0 could be at risk because they might call the mod operation with an operand large enough to witness the problem.

The 7.0 version bump was not due to the memory error. The major version bump was due to ABI breaks caused by KeyDerivationFunction interface.

File Changes

Below is a list of all files that were added at Crypto++ 7.0.

$ git diff-tree -r --summary CRYPTOPP_6_1_0 CRYPTOPP_7_0_0 | grep -v "change" | awk '{$2=$3=""; print $0}' | egrep '(.h|.cpp|.txt|.dat)'
create   scrypt.cpp
create   scrypt.h