Crypto++ 8.4

Crypto++ 8.4 was released on January 2, 2021. The 8.4 release was a minor, unplanned release. There were no CVEs and one memory error fixed. A recompile of programs is required due to an unintentional ABI break in Crypto++ 8.3.

The Crypto++ 8.4 release reverted the changes for constant-time elliptic curve algorithms. Marcel Keller reported some operations broke under the new algorithm in Issue 992. The revert reactivated CVE-2019-14318.

The release also cleared a memory error reported by Daniel McRobb in Issue 988. McRobb discovered FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned.

Download

The download is available from the Crypto++ website. The checksums for the download are below. Release signatures can be verified using GnuPG according to Release Signing.

• Download: cryptopp840.zip, cryptopp840.zip.sig
• SHA1: f964e176c4543593579a2f0ba48b6a79eb128001
• SHA256: c0f5e5cd2c693c8160e9c51666e95949a1c19fd4fe4fef874af2ec1e42757b9a
• SHA512: 4c32b6a9ce8a6925286185f65f7413fa1a430471f09624219656b1d088674c56f95fcc3b64f611632f12cb56dfecdcd41c9d1468942b8c391425a548245dde09
• BLAKE2b: de57ece8644aef68e40527e2dfe1892f924f1939617ce11d8d27253f15f2dd11cba6e594dd32f75ce799392c12ef22472fcb2f3e44b9c66bb2ae093d4c7e781e
• WHIRLPOOL: ac7ed4ec3ff948858abf0166c5430564ef72a0baf6d2b3857a8a5bcdb1cad944742f581b50613b5a1d39fc165edc965910927b2fce4a31a71ddb19bee87a6498

Mirrors for the download are below. Note that GitHub checksums on the ZIP or TAR are different because the service creates the archive from sources.

• GitHub cryptopp840.zip

Release Notes

The release notes for Crypto++ 8.4 follows.

• minor release, recompile of programs required
• • an unintentional ABI break in Crypto++ 8.3 may surface under Crypto++ 8.4
• expanded community input and support
• • 67 unique contributors as of this release
• fix SIGILL on POWER8 when compiling with GCC 10
• fix potential out-of-bounds write in FixedSizeAllocatorWithCleanup
• fix compile on AIX POWER7 with IBM XLC 12.01
• fix compile on Solaris with SunCC 12.6
• revert changes for constant-time elliptic curve algorithms
• fix makefile clean and distclean recipes

Bug fixes and Minor Issues

The bug fix and minor issue list for Crypto++ 8.4 follows. Many non-trivial issues are tracked for auditing and C&A purposes, but the list may not be complete. A number in parenthesis is the GitHub Issue number, if it was tracked. Sometimes a Git commit is referenced, but many trivial GitHub commits are omitted. Missing Issue numbers or lack of consecutiveness usually indicates feature requests and "won't fix/can't fix" type reports.

• fix SIGILL on POWER8 when compiling with GCC 10 (GH #986)
• fix potential out-of-bounds write in FixedSizeAllocatorWithCleanup (GH #988)
• fix compile on AIX POWER7 with IBM XLC 12.01 (Commit 4577311727f2)
• fix compile on Solaris with SunCC 12.6 (PR #990)
• revert changes for constant-time elliptic curve algorithms (GH #992, CVE-2019-14318)
• fix makefile clean and distclean recipes (GH #998)

CVE-2019-14318

Marcel Keller discovered recent contant-time elliptic curve changes checked-in under Issue 862 broke some operations. As a hotfix the contant-time code was reverted, which means CVE-2019-14318 is active again. The break and CVE-2019-14318 are being tracked under Issue 994.

Memory error

Daniel McRobb discovered FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned. The FixedSizeAllocatorWithCleanup typically has an allocation on the stack, and not the heap. The impact of the memory error was lessened because FixedSizeAllocatorWithCleanup is typically used for table data with a known size, like the state of BLAKE2s or BLAKE2b hash. Attackers generally don't have direct access to the pointer. However, an attacker who can find a message (preimage) that hashes to a particular string (image) may be able to control an address.

Based on research of older Crypto++, it appears the issue affects Crypto++ 5.6 and forward. Crypto++ 5.6 was released March 2009.

The issue was tracked under Issue 988. No CVE was assigned because the web form at https://cveform.mitre.org would not submit. We then tried to email cve@mitre.org but the email response directed us to the webform.

Configure.sh script

The Crypto++ 8.3 release added a configure.sh script. The script helps fix misdetected features on Android, Clang, OS X and iOS. You should use the script before a build if the library misdetects features for you.

The script fixes misdetected features by rewriting config_asm.h and config_cxx.h for the platform it is run on. To run the script perform these steps. You should set CXX and CXXFLAGS to your preferred flags before running the script.

$ cp -p TestScripts/configure.sh .
$ CXX=g++ ./configure.sh
Configuring for x86_64
Compiler: /usr/bin/g++
Linker: /usr/bin/ld
Done writing config_asm.h
Done writing config_cxx.h

The configure.sh script is located in TestScripts/. It was placed there to avoid confusing users because the script is usually not needed.

A wiki page is available at Configure.sh script.

X.509 Certificate interface

Crypto++ 8.3 was modified to support certificates by way of a Certificate base class. The library does not provide concrete certificate classes, however. An X.509 Certificate class is available as an add-on at noloader | cryptopp-pem.

FIPS DLL deprecation

The FIPS DLL used to be an important artifact for Windows builds. NIST moved the Crypto++ library to the Historical Validation List in 2014. The Windows DLL is no longer validated.

The project files to build the FIPS DLL are cryptdll.vcxproj and dlltest.vcxproj. The projects are now deprecated and subject to removal.

File Changes

No files were added or removed at Crypto++ 8.4.