libtomcrypt 1.18.0

Hi Folks,

finally we’ve mangaged to finish version 1.18.0 of libtomcrypt.

There were some minor changes since the RC5, namely:

• A fix regarding ltc_mp_digit when compiling for win64.
• Fixing the build when building on a machine without git installed.

The tarballs of the release can be downloaded here:

[crypt-1.18.0.tar.xz] [tar.xz.asc]

[crypt-1.18.0.zip] [zip.asc]

After nearly 1400 commits over the last 10 years there were some changes accumulated… :) Therefore we’re splitting this summary here up in bugfixes, cryptographic fixes, major additions and major improvements. A detailed list of all changes is included in the changes file.

Bugfixes

• Multi2 decrypt operation was broken when a non-standard number of rounds is used. 21ddcf35681916c091ae91e7e8e5bd6bdf8ab51d
• Noekeon decrypt and encrypt operations were broken. 6dc089015adfc4f66679b6b680476422bd6b6c01
• XTEA decrypt and encrypt operations were broken. 2526d5df8f9a228cf20ba90982aed4a5e951ac5f
• The Windows implementation of rng_get_bytes() tried to read from c:\dev\urandom resp. c:\dev\random before using the Windows CSP. b36e75b7f12c75bd852b8bcee36ea6bd9727d5c0
• rsa_make_key() could try to free uninitialized variables in case something in the MPI provider went wrong. 98893c077bd603d5c1aeb972a88c23ffe59a8ae6
• The RSA/PKCS#1 v2.0 PSS hash verification was broken in cases where bitlength(key) % 8 == 1. 3324da26019640d7df72841f5e644d7e42a6b8f6
• Camellia decrypt operation was broken (which only plays a role if you used Tom’s last tarball as it wasn’t in 1.17 yet). 45dcbc654d5867bb5ee475b9b1be0b2c3959d0de
• Issues reported by miscellaneous analysers (valgrind, asan, ubsan, clang/scan-build, coverity).

Cryptographic fixes

• A Bleichenbacher Signature attack was fixed in the RSA/PKCS#1 v1.5 EMSA code. 5eb9743410ce4657e9d54fef26a2ee31a1b5dd09
• Fixed potential Timing attacks in EAX, OCB and OCBv3. 05e28d6cfa473e5c6e312ef8bfe6137bc8caa0da
• Fixed potential Timing attack in CCM. (09e4b0ec9b46ac4db3fa904658821c54106a1d0e & 75b114517a3f8db2075a45b0af87d4d74778ad66)
• Fixed potential counter reuse in GCM. 7d418b34b3fe6d49354d5a9ef5a442c387a1bd06

Major additions

• Blake2b & Blake2s (hash & mac)
• ChaCha (stream cipher), Poly1305 (mac), ChaCha20Poly1305 (encauth)
• Diffie-Hellman (has been revived from an earlier version and re-worked)
• SHA3 (incl. SHAKE3)
• OCBv3 (encauth)
• Camellia (block cipher)
• New stream cipher API (ChaCha, RC4, Sober128)
• ChaCha20-based PRNG
• RSA - loading keys PKCS#8 (private) and X.509 (public)

Major improvements

• Re-worked all makefiles.
• Fixed a bunch of build issues on a lot of platforms.
• ECC, DSA and RSA hardened in multiple ways.

Thanks go out to all contributors and bug reporters. I wanted to thank especially Karel, who’s using the library in his PERL bindings perl-CryptX, and Larry Bugbee, who both contributed loads of improvements and invaluable feedback (before and behind the scenes). Thanks go also out to @rolf0r, François Perrad, all the OS package maintainers who reported feedback and organisations like Linaro who are using the library in their OP-TEE environment and upstreamed some nice patches.

Let’s see how this goes on and hopefully evolves into a 2.0 version of the library :)

Cheers,

Karel & Steffen

P.S.: If you experience any issues, feel free to drop us a mail on the [ML] or open a PR on [GitHub].