added libtomcrypt-1.17

Author: Tom St Denis

Doxyfile

@@ -23,7 +23,7 @@ PROJECT_NAME           = LibTomCrypt
 # This could be handy for archiving the generated documentation or 
 # if some version control system is used.
 
-PROJECT_NUMBER         = 1.16
+PROJECT_NUMBER         = 1.17
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
 # base path where the generated documentation will be put. 

TODO

@@ -1,11 +1,3 @@
-stopped at ch12
--- needs examples for ecc/dsa!!! (and for asn.1)
-
-must have for v1.16
-- document PK build flags
-- document makefile flags [INSTALL_* for instance]
-- prepare manual for printing (both soft and hard cover)
-
-Nice to have [in order of precedence]
-- add X9.63 IES
-- add CPP macros like OpenSSL has for ASN1 (e.g. encode/decode functions, etc) shameless ripoff :-)
+for 1.18
+- document new ECC functions
+- add test for new functions

changes

@@ -1,3 +1,18 @@
+May 12th, 2007
+v1.17 -- Cryptography Research Inc. contributed another small volley of patches, one to fix __WCHAR_DEFINED__ for BSD platforms, 
+         another to silence MSVC warnings.
+      -- Added LTC_XCBC_PURE to XCBC mode which lets you use it in three-key mode. 
+      -- [CRI] Added libtomcrypt.dsp for Visual C++ users.
+      -- [CRI] Added more functions for manipulating the ECC fixed point cache (including saving and loading)
+      -- [CRI] Modified ecc_make_key() to always produce keys smaller than base point order, for standards-compliance
+      -- Elliptic Semiconductor contributed XTS chaining mode to the cipher suite (subsequently optimized it)
+      -- Fixed xcbc_init() keylen when using single key mode.
+      -- Bruce Fortune pointed out a typo in the hmac_process() description in the manual.  Fixed.
+      -- Added variable width counter support to CTR mode
+      -- Fixed CMAC (aka OMAC) when using 64-bit block ciphers and LTC_FAST ... my bad.
+      -- Fixed bug in ecc_is_valid() that would basically always return true
+      -- renamed a lot of macros to add the LTC_ prefix [e.g. RIJNDAEL => LTC_RIJNDAEL]
+
 December 16th, 2006
 v1.16 -- Brian Gladman pointed out that a recent change to GCM broke how the IV was handled.  Currently the code complies against his test vectors
          so the code should be considered frozen now.
@@ -1551,6 +1566,6 @@ v0.02  -- Changed RC5 to only allow 12 to 24 rounds
 v0.01  -- We will call this the first version.
 
 /* $Source: /cvs/libtom/libtomcrypt/changes,v $ */
-/* $Revision: 1.274 $ */
-/* $Date: 2006/12/16 19:08:17 $ */
+/* $Revision: 1.288 $ */
+/* $Date: 2007/05/12 14:37:41 $ */
 

crypt.lof

@@ -6,19 +6,19 @@
 \contentsline {figure}{\numberline {3.1}{\ignorespaces Built--In Software Ciphers}}{19}{figure.3.1}
 \contentsline {figure}{\numberline {3.2}{\ignorespaces Twofish Build Options}}{21}{figure.3.2}
 \addvspace {10\p@ }
-\contentsline {figure}{\numberline {4.1}{\ignorespaces Built--In Software Hashes}}{57}{figure.4.1}
+\contentsline {figure}{\numberline {4.1}{\ignorespaces Built--In Software Hashes}}{59}{figure.4.1}
 \addvspace {10\p@ }
 \addvspace {10\p@ }
-\contentsline {figure}{\numberline {6.1}{\ignorespaces List of Provided PRNGs}}{82}{figure.6.1}
+\contentsline {figure}{\numberline {6.1}{\ignorespaces List of Provided PRNGs}}{84}{figure.6.1}
 \addvspace {10\p@ }
 \addvspace {10\p@ }
 \addvspace {10\p@ }
-\contentsline {figure}{\numberline {9.1}{\ignorespaces DSA Key Sizes}}{119}{figure.9.1}
+\contentsline {figure}{\numberline {9.1}{\ignorespaces DSA Key Sizes}}{121}{figure.9.1}
 \addvspace {10\p@ }
-\contentsline {figure}{\numberline {10.1}{\ignorespaces List of ASN.1 Supported Types}}{127}{figure.10.1}
+\contentsline {figure}{\numberline {10.1}{\ignorespaces List of ASN.1 Supported Types}}{129}{figure.10.1}
 \addvspace {10\p@ }
 \addvspace {10\p@ }
-\contentsline {figure}{\numberline {12.1}{\ignorespaces RSA/DH Key Strength}}{149}{figure.12.1}
-\contentsline {figure}{\numberline {12.2}{\ignorespaces ECC Key Strength}}{149}{figure.12.2}
+\contentsline {figure}{\numberline {12.1}{\ignorespaces RSA/DH Key Strength}}{151}{figure.12.1}
+\contentsline {figure}{\numberline {12.2}{\ignorespaces ECC Key Strength}}{151}{figure.12.2}
 \addvspace {10\p@ }
 \addvspace {10\p@ }

crypt.tex

@@ -190,7 +190,7 @@ \subsection{Modular}
 \mysection{Patent Disclosure}
 
 The author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice.  To the best
-of the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers.  
+of the author's knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers.  
 They can be removed from a build by simply commenting out the two appropriate lines in \textit{tomcrypt\_custom.h}.  The rest
 of the ciphers and hashes are patent free or under patents that have since expired.
 
@@ -616,8 +616,8 @@ \subsection{Simple Encryption Demonstration}
      \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
                 & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
      \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\
-     \hline DES & des\_desc & 8 & 7 & 16 \\
-     \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\
+     \hline DES & des\_desc & 8 & 8 & 16 \\
+     \hline 3DES (EDE mode) & des3\_desc & 8 & 24 & 16 \\
      \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\
      \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\
      \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\
@@ -879,14 +879,37 @@ \subsection{Initialization}
 parameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call.  The final parameter 
 is a pointer to the structure you want to hold the information for the mode of operation.
 
+The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code.  
 
+\subsubsection{CTR Mode}
 In the case of CTR mode there is an additional parameter \textit{ctr\_mode} which specifies the mode that the counter is to be used in.
 If \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value.  Otherwise, if 
 \textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value.  As of v1.15 the RFC 3686 style of
 increment then encrypt is also supported.  By OR'ing \textbf{LTC\_CTR\_RFC3686} with the CTR \textit{mode} value, ctr\_start() will increment
 the counter before encrypting it for the first time.
 
-The routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code.  
+As of V1.17, the library supports variable length counters for CTR mode.  The (optional) counter length is specified by OR'ing the octet
+length of the counter against the \textit{ctr\_mode} parameter.  The default, zero, indicates that a full block length counter will be used.  This also
+ensures backwards compatibility with software that uses older versions of the library.
+
+\begin{small}
+\begin{verbatim}
+symmetric_CTR ctr;
+int           err;
+unsigned char IV[16], key[16];
+
+/* use a 32-bit little endian counter */
+if ((err = ctr_start(find_cipher("aes"),
+                     IV, key, 16, 0,
+                     CTR_COUNTER_LITTLE_ENDIAN | 4, 
+                     &ctr)) != CRYPT_OK) {
+   handle_error(err);
+}
+\end{verbatim}
+\end{small}
+
+Changing the counter size has little (really no) effect on the performance of the CTR chaining mode.  It is provided for compatibility
+with other software (and hardware) which have smaller fixed sized counters.
 
 \subsection{Encryption and Decryption}
 To actually encrypt or decrypt the following routines are provided:
@@ -1093,6 +1116,55 @@ \subsection{LRW Mode}
 int lrw_done(symmetric_LRW *lrw);
 \end{verbatim}
 
+\subsection{XTS Mode}
+As of v1.17, LibTomCrypt supports XTS mode with code donated by Elliptic Semiconductor Inc.\footnote{www.ellipticsemi.com}.  
+XTS is a chaining mode for 128--bit block ciphers, recommended by IEEE (P1619) 
+for disk encryption.  It is meant to be an encryption mode with random access to the message data without compromising privacy.  It requires two private keys (of equal 
+length) to perform the encryption process.  Each encryption invocation includes a sector number or unique identifier specified as a 128--bit string.  
+
+To initialize XTS mode use the following function call:
+
+\index{xts\_start()}
+\begin{verbatim}
+int xts_start(                int  cipher,
+              const unsigned char *key1, 
+              const unsigned char *key2, 
+                    unsigned long  keylen,
+                              int  num_rounds, 
+                    symmetric_xts *xts)
+\end{verbatim}
+This will start the XTS mode with the two keys pointed to by \textit{key1} and \textit{key2} of length \textit{keylen} octets each.  
+
+To encrypt or decrypt a sector use the following calls:
+
+\index{xts\_encrypt()} \index{xts\_decrypt()}
+\begin{verbatim}
+int xts_encrypt(
+   const unsigned char *pt, unsigned long ptlen,
+         unsigned char *ct,
+   const unsigned char *tweak,
+         symmetric_xts *xts);
+
+int xts_decrypt(
+   const unsigned char *ct, unsigned long ptlen,
+         unsigned char *pt,
+   const unsigned char *tweak,
+         symmetric_xts *xts);
+\end{verbatim}
+The first will encrypt the plaintext pointed to by \textit{pt} of length \textit{ptlen} octets, and store the ciphertext in the array pointed to by 
+\textit{ct}.  It uses the 128--bit tweak pointed to by \textit{tweak} to encrypt the block.  The decrypt function performs the opposite operation.  Both 
+functions support ciphertext stealing (blocks that are not multiples of 16 bytes).  
+
+The P1619 specification states the tweak for sector number shall be represented as a 128--bit little endian string.  
+
+To terminate the XTS state call the following function:
+
+\index{xts\_done()}
+\begin{verbatim}
+void xts_done(symmetric_xts *xts);
+\end{verbatim}
+
+
 \subsection{F8 Mode}
 \index{F8 Mode}
 The F8 Chaining mode (see RFC 3711 for instance) is yet another chaining mode for block ciphers.  It behaves much like CTR mode in that it XORs a keystream
@@ -2098,8 +2170,8 @@ \chapter{Message Authentication Codes}
                  const unsigned char *in, 
                        unsigned long  inlen);
 \end{verbatim}
-\textit{hmac} is the HMAC state you are working with. \textit{buf} is the array of octets to send into the HMAC process.  \textit{len} is the
-number of octets to process.  Like the hash process routines you can send the data in arbitrarily sized chunks. When you 
+\textit{hmac} is the HMAC state you are working with. \textit{in} is the array of octets to send into the HMAC process.  \textit{inlen} is the
+number of octets to process.  Like the hash process routines, you can send the data in arbitrarily sized chunks. When you 
 are finished with the HMAC process you must call the following function to get the HMAC code:
 \index{hmac\_done()}
 \begin{verbatim}
@@ -2511,6 +2583,13 @@ \subsection{Example}
 This will initialize the XCBC--MAC state \textit{xcbc}, with the key specified in \textit{key} of length \textit{keylen} octets.  The cipher indicated
 by the \textit{cipher} index can be either a 64 or 128--bit block cipher.  This will return \textbf{CRYPT\_OK} on success.
 
+\index{LTC\_XCBC\_PURE}
+It is possible to use XCBC in a three key mode by OR'ing the value \textbf{LTC\_XCBC\_PURE} against the \textit{keylen} parameter.  In this mode, the key is
+interpretted as three keys.  If the cipher has a block size of $n$ octets, the first key is then $keylen - 2n$ octets and is the encryption key.  The next 
+$2n$ octets are the $K_1$ and $K_2$ padding keys (used on the last block).  For example, to use AES--192 \textit{keylen} should be $24 + 2 \cdot 16 = 56$ octets.
+The three keys are interpretted as if they were concatenated in the \textit{key} buffer.
+
+
 To process data through XCBC--MAC use the following function:
 
 \index{xcbc\_process()}
@@ -6485,5 +6564,5 @@ \subsection{RSA Functions}
 \end{document}
 
 % $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $   
-% $Revision: 1.123 $   
-% $Date: 2006/12/16 19:08:17 $ 
+% $Revision: 1.128 $   
+% $Date: 2007/03/10 23:59:54 $ 

demos/encrypt.c

@@ -26,58 +26,58 @@ void register_algs(void)
 {
    int x;
 
-#ifdef RIJNDAEL
+#ifdef LTC_RIJNDAEL
   register_cipher (&aes_desc);
 #endif
-#ifdef BLOWFISH
+#ifdef LTC_BLOWFISH
   register_cipher (&blowfish_desc);
 #endif
-#ifdef XTEA
+#ifdef LTC_XTEA
   register_cipher (&xtea_desc);
 #endif
-#ifdef RC5
+#ifdef LTC_RC5
   register_cipher (&rc5_desc);
 #endif
-#ifdef RC6
+#ifdef LTC_RC6
   register_cipher (&rc6_desc);
 #endif
-#ifdef SAFERP
+#ifdef LTC_SAFERP
   register_cipher (&saferp_desc);
 #endif
-#ifdef TWOFISH
+#ifdef LTC_TWOFISH
   register_cipher (&twofish_desc);
 #endif
-#ifdef SAFER
+#ifdef LTC_SAFER
   register_cipher (&safer_k64_desc);
   register_cipher (&safer_sk64_desc);
   register_cipher (&safer_k128_desc);
   register_cipher (&safer_sk128_desc);
 #endif
-#ifdef RC2
+#ifdef LTC_RC2
   register_cipher (&rc2_desc);
 #endif
-#ifdef DES
+#ifdef LTC_DES
   register_cipher (&des_desc);
   register_cipher (&des3_desc);
 #endif
-#ifdef CAST5
+#ifdef LTC_CAST5
   register_cipher (&cast5_desc);
 #endif
-#ifdef NOEKEON
+#ifdef LTC_NOEKEON
   register_cipher (&noekeon_desc);
 #endif
-#ifdef SKIPJACK
+#ifdef LTC_SKIPJACK
   register_cipher (&skipjack_desc);
 #endif
-#ifdef KHAZAD
+#ifdef LTC_KHAZAD
   register_cipher (&khazad_desc);
 #endif
-#ifdef ANUBIS
+#ifdef LTC_ANUBIS
   register_cipher (&anubis_desc);
 #endif
 
    if (register_hash(&sha256_desc) == -1) {
-      printf("Error registering SHA256\n");
+      printf("Error registering LTC_SHA256\n");
       exit(-1);
    } 
 
@@ -144,7 +144,7 @@ int main(int argc, char *argv[])
 
    hash_idx = find_hash("sha256");
    if (hash_idx == -1) {
-      printf("SHA256 not found...?\n");
+      printf("LTC_SHA256 not found...?\n");
       exit(-1);
    }
 

demos/hashsum.c

@@ -68,43 +68,43 @@ void register_algs(void)
 {
   int err;
 
-#ifdef TIGER
+#ifdef LTC_TIGER
   register_hash (&tiger_desc);
 #endif
-#ifdef MD2
+#ifdef LTC_MD2
   register_hash (&md2_desc);
 #endif
-#ifdef MD4
+#ifdef LTC_MD4
   register_hash (&md4_desc);
 #endif
-#ifdef MD5
+#ifdef LTC_MD5
   register_hash (&md5_desc);
 #endif
-#ifdef SHA1
+#ifdef LTC_SHA1
   register_hash (&sha1_desc);
 #endif
-#ifdef SHA224
+#ifdef LTC_SHA224
   register_hash (&sha224_desc);
 #endif
-#ifdef SHA256
+#ifdef LTC_SHA256
   register_hash (&sha256_desc);
 #endif
-#ifdef SHA384
+#ifdef LTC_SHA384
   register_hash (&sha384_desc);
 #endif
-#ifdef SHA512
+#ifdef LTC_SHA512
   register_hash (&sha512_desc);
 #endif
-#ifdef RIPEMD128
+#ifdef LTC_RIPEMD128
   register_hash (&rmd128_desc);
 #endif
-#ifdef RIPEMD160
+#ifdef LTC_RIPEMD160
   register_hash (&rmd160_desc);
 #endif
-#ifdef WHIRLPOOL
+#ifdef LTC_WHIRLPOOL
   register_hash (&whirlpool_desc);
 #endif
-#ifdef CHC_HASH
+#ifdef LTC_CHC_HASH
   register_hash(&chc_desc);
   if ((err = chc_register(register_cipher(&aes_enc_desc))) != CRYPT_OK) {
      printf("chc_register error: %s\n", error_to_string(err));

demos/multi.c

@@ -33,7 +33,7 @@ int main(void)
       return EXIT_FAILURE;
    }
 
-/* HMAC */
+/* LTC_HMAC */
    len = sizeof(buf[0]);
    hmac_memory(find_hash("sha256"), key, 16, (unsigned char*)"hello", 5, buf[0], &len);
    len2 = sizeof(buf[0]);
@@ -55,7 +55,7 @@ int main(void)
       return EXIT_FAILURE;
    }
 
-/* OMAC */
+/* LTC_OMAC */
    len = sizeof(buf[0]);
    omac_memory(find_cipher("aes"), key, 16, (unsigned char*)"hello", 5, buf[0], &len);
    len2 = sizeof(buf[0]);