Leancrypto Version 1.7.0
Changes 1.7.0
- FIPS: mark only seeded DRBG instances as FIPS-approved
- ASN.1: add lc_x509_cert_check_issuer_ca convenience function
- Enable the side-channel-resistant AES implementation (and thus enable the respective Timecop tests)
- Fix some side-channel test failures (all failures are due to test case issues, not real problems)
- AARCH64: enable GCS support (see https://community.arm.com/arm-community-blogs/b/tools-software-ides-blog/posts/gcc-15-continuously-improving#guarded and https://docs.kernel.org/next/arch/arm64/gcs.html)
- Add PKCS#8 support for ML-DSA following RFC 9881, including full support for the seed or the full key. The change adds OpenSSL interoperability testing as well. NOTE: the raw on-disk private key format generated with lc_x509_generate --create-keypair changed to comply with RFC 9881.
- Add PKCS#8 support for SLH-DSA. The change adds OpenSSL interoperability testing as well. NOTE: the raw on-disk private key format generated with lc_x509_generate --create-keypair changed to dump the raw key instead of wrapping it in a BIT STRING, to comply with OpenSSL's format.
- Provide full PKCS#7 interoperability with OpenSSL: OpenSSL artificially orders the parsing of the authenticated attributes, so the message digest attribute is parsed as the last entry. This ordering matters for signature generation and verification. Furthermore, for ML-DSA/SLH-DSA, the authenticated attributes are signed with the pure algorithm instead of the pre-hashed operation as suggested by RFC 5652 section 9.2.
- ML-KEM/DSA: add safety measures against compilers trying to reason about code they should not reason about. The changes were suggested by "Becker, Hanno" <beckphan@amazon.co.uk> and derived from https://github.com/pq-code-package/ml[dsa|kem]-native/
- ML-DSA: reduce the amount of duplicate code compilation, as suggested by "Becker, Hanno" <beckphan@amazon.co.uk>
- ML-DSA: fix a bug in poly_uniform which, however, is unlikely to be triggered
- AVX2 / AVX512 / CLMUL detection: follow Intel's instructions on detecting support. Also ensure that code compiled with acceleration support is always invoked from non-accelerated code that performs the check for acceleration support.
- X.509: add lc_x509_policy_cert_subject_match API
- Linux kernel: add support for rfc4106(gcm(aes)), xts(aes), cbc(aes), ctr(aes), chacha20, chacha20(rfc7539,poly1305), chacha20(rfc7539esp,poly1305), aes
- Linux kernel: add a simple approach to compile leancrypto in-tree, either as a module or statically bound into the Linux kernel binary.
- AES-XTS AESNI / ARMv8-CE support: fix stream mode operation by extracting the IV from the state
- Add CTR-DRBG with AES-256 core (with and without derivation function) support. This DRBG has unmatched performance (generating 1 GB of random data takes only 90 ms on an Apple M4 Max) because it uses the accelerated AES-CTR mode implementation, if available. The implementation is verified against NIST CAVP testing.
- Significantly reduce the use of VLAs
- Add PEM support
- Add sbsign, sbverify, sbsiglist, sbvarsign, sbattach and sbkeysync (the latter currently untested as its usage is not fully clear) tools as drop-in replacements for those provided with http://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
- PKCS#7 generator: support altering the generation process (content type setting, additional authenticated attributes)
- ASN.1: make the encoder and decoder available as an API
- Add UUID generator / parser
- Update X.509 composite signatures to the latest draft, with cross-testing against all IETF Hackathon providers
- Add proper status indication APIs for all algorithms
- ChaCha20 DRNG wrapped in the common wrapper
- Seeded RNG: always insert the current time stamp as additional data during a generate operation. This is cheap, as the time stamp is always gathered anyway and inserting 8 additional bytes into the DRBG state requires minimal operations.
- ChaCha20: fix a crash when assembler support is not compiled in
- Jitter RNG: allow enabling NTG.1 mode and additional entropy-related options
- Add a constant-time AES C implementation accessible via the lc_aes_*ct references. It is about 3 times slower than the default C implementation, so it is only provided for users who truly rely on a constant-time implementation.
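The ML-DSA PKCS#8 item above states that the on-disk key format now follows RFC 9881, which allows the private key to be stored as a 32-byte seed. The following C program is an added example written for this page; it is not leancrypto's code and does not use its API. It encodes and strictly parses the seed form of a PKCS#8 PrivateKeyInfo as this editor reads RFC 9881 (ASN.1 module with IMPLICIT tags, so the `seed [0]` alternative carries tag 0x80) and the NIST OIDs id-ml-dsa-44/65/87 (2.16.840.1.101.3.4.3.17/18/19). The seed bytes are constructed test data. The parser re-encodes the candidate and compares byte for byte, so the expandedKey and both alternatives, as well as any non-canonical encoding, are rejected rather than silently accepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * RFC 9881 ML-DSA private key inside PKCS#8 (RFC 5958 OneAsymmetricKey, v1):
 *
 *   PrivateKeyInfo ::= SEQUENCE {
 *     version             INTEGER (0),
 *     privateKeyAlgorithm AlgorithmIdentifier,   -- id-ml-dsa-NN, no parameters
 *     privateKey          OCTET STRING           -- DER of ML-DSA-PrivateKey
 *   }
 *   ML-DSA-PrivateKey ::= CHOICE {               -- module uses IMPLICIT tags
 *     seed        [0] OCTET STRING (SIZE (32)),  -- tag byte 0x80
 *     expandedKey OCTET STRING,
 *     both        SEQUENCE { seed OCTET STRING, expandedKey OCTET STRING }
 *   }
 * Only the seed alternative is handled here; its DER length is fixed (54 bytes).
 */
#define ML_DSA_SEED_LEN 32
#define PKCS8_MLDSA_SEED_DER_LEN 54
#define OID_LAST_BYTE_OFFSET 17   /* position of the parameter-set arc */
#define SEED_OFFSET 22            /* position of the 32-byte seed */

/* id-ml-dsa-44/65/87 = 2.16.840.1.101.3.4.3.{17,18,19}; the last arc selects the set */
static const uint8_t OID_ML_DSA_PREFIX[8] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03};
typedef enum { ML_DSA_44 = 0x11, ML_DSA_65 = 0x12, ML_DSA_87 = 0x13 } mldsa_set;

size_t pkcs8_mldsa_seed_encode(mldsa_set set, const uint8_t seed[ML_DSA_SEED_LEN],
			       uint8_t out[PKCS8_MLDSA_SEED_DER_LEN])
{
	uint8_t *p = out;
	*p++ = 0x30; *p++ = 0x34;              /* PrivateKeyInfo SEQUENCE, 52 bytes */
	*p++ = 0x02; *p++ = 0x01; *p++ = 0x00; /* version INTEGER 0 */
	*p++ = 0x30; *p++ = 0x0b;              /* AlgorithmIdentifier SEQUENCE, 11 bytes */
	*p++ = 0x06; *p++ = 0x09;              /* OBJECT IDENTIFIER, 9 bytes */
	memcpy(p, OID_ML_DSA_PREFIX, 8); p += 8;
	*p++ = (uint8_t)set;
	*p++ = 0x04; *p++ = 0x22;              /* privateKey OCTET STRING, 34 bytes */
	*p++ = 0x80; *p++ = 0x20;              /* [0] IMPLICIT seed, 32 bytes */
	memcpy(p, seed, ML_DSA_SEED_LEN); p += ML_DSA_SEED_LEN;
	return (size_t)(p - out);
}

/* Strict parser: re-encodes the candidate seed and compares byte for byte, so
 * every other encoding (expandedKey, both, long-form lengths, stray
 * parameters) is rejected. Returns 0 on success, -1 on any mismatch. */
int pkcs8_mldsa_seed_decode(const uint8_t *der, size_t len, mldsa_set *set,
			    uint8_t seed[ML_DSA_SEED_LEN])
{
	uint8_t canon[PKCS8_MLDSA_SEED_DER_LEN];
	uint8_t oid_last;

	if (len != PKCS8_MLDSA_SEED_DER_LEN)
		return -1;
	oid_last = der[OID_LAST_BYTE_OFFSET];
	if (oid_last < ML_DSA_44 || oid_last > ML_DSA_87)
		return -1;
	pkcs8_mldsa_seed_encode((mldsa_set)oid_last, der + SEED_OFFSET, canon);
	if (memcmp(canon, der, len) != 0)
		return -1;
	*set = (mldsa_set)oid_last;
	memcpy(seed, der + SEED_OFFSET, ML_DSA_SEED_LEN);
	return 0;
}

/* Round trip with a constructed, non-secret seed; returns 1 when all checks pass. */
int pkcs8_mldsa_seed_selftest(void)
{
	uint8_t seed[ML_DSA_SEED_LEN], der[PKCS8_MLDSA_SEED_DER_LEN], back[ML_DSA_SEED_LEN];
	mldsa_set set;
	int i;

	for (i = 0; i < ML_DSA_SEED_LEN; i++)
		seed[i] = (uint8_t)(0x10 + i);          /* constructed test seed */
	if (pkcs8_mldsa_seed_encode(ML_DSA_65, seed, der) != PKCS8_MLDSA_SEED_DER_LEN)
		return 0;
	if (der[0] != 0x30 || der[OID_LAST_BYTE_OFFSET] != 0x12 || der[20] != 0x80)
		return 0;
	if (pkcs8_mldsa_seed_decode(der, sizeof(der), &set, back) != 0)
		return 0;
	if (set != ML_DSA_65 || memcmp(seed, back, ML_DSA_SEED_LEN) != 0)
		return 0;
	der[20] = 0x04;   /* turn [0] into a plain OCTET STRING: no longer the seed form */
	if (pkcs8_mldsa_seed_decode(der, sizeof(der), &set, back) != -1)
		return 0;
	return 1;
}

int main(void)
{
	uint8_t seed[ML_DSA_SEED_LEN] = {0}, der[PKCS8_MLDSA_SEED_DER_LEN];
	size_t n = pkcs8_mldsa_seed_encode(ML_DSA_44, seed, der), i;

	for (i = 0; i < n; i++)
		printf("%02x%s", der[i], (i + 1) % 16 ? " " : "\n");
	printf("\nselftest: %s\n", pkcs8_mldsa_seed_selftest() ? "ok" : "FAILED");
	return 0;
}
```

The decode-by-re-encoding approach is a deliberate choice for a fixed-shape structure: it avoids writing a general TLV walker for one 54-byte object and makes any deviation from the canonical seed form a hard failure, which is the behaviour you want when both the seed and expanded-key forms exist and must not be confused.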
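The AVX2 / AVX512 / CLMUL detection item above makes two points: support must be detected the way Intel documents it (a CPUID feature bit alone is not enough; the OS must also have enabled the corresponding register state, which is read via XGETBV), and accelerated code must only ever be reached through a baseline-compiled dispatcher that performs that check. The following C program is an added example written for this page, not leancrypto's code; the bit positions (CPUID.1:ECX bit 1 PCLMULQDQ, bit 27 OSXSAVE, bit 28 AVX; CPUID.(7,0):EBX bit 5 AVX2, bit 16 AVX512F; XCR0 bits 1-2 for XMM/YMM and 5-7 for opmask/ZMM state) are taken from Intel's documentation, and the XOR-of-two-buffers routine is a stand-in for a real accelerated primitive. On non-x86 builds every feature reports absent and only the portable path runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <immintrin.h>
#endif

enum { FEAT_CLMUL = 1u << 0, FEAT_AVX2 = 1u << 1, FEAT_AVX512F = 1u << 2 };

#if defined(__x86_64__) || defined(__i386__)
/* Read XCR0 with XGETBV. Only legal after CPUID.1:ECX.OSXSAVE is confirmed,
 * otherwise the instruction raises #UD. */
static uint32_t read_xcr0(void)
{
	uint32_t eax, edx;
	__asm__ volatile("xgetbv" : "=a"(eax), "=d"(edx) : "c"(0));
	return eax;
}
#endif

/* Feature detection per Intel guidance: CPUID feature bit AND OS-enabled
 * register state in XCR0. Returns a FEAT_* bit mask. */
unsigned detect_cpu_features(void)
{
	unsigned feats = 0;
#if defined(__x86_64__) || defined(__i386__)
	unsigned eax, ebx, ecx, edx;
	uint32_t xcr0;
	int ymm_ok, zmm_ok;

	if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
		return 0;
	if (ecx & (1u << 1))                      /* PCLMULQDQ needs no OS state */
		feats |= FEAT_CLMUL;
	if (!((ecx >> 27) & 1) || !((ecx >> 28) & 1))
		return feats;                     /* no OSXSAVE or no AVX: stop here */
	xcr0 = read_xcr0();
	ymm_ok = (xcr0 & 0x06) == 0x06;           /* XMM and YMM state enabled */
	zmm_ok = (xcr0 & 0xe6) == 0xe6;           /* plus opmask, ZMM_Hi256, Hi16_ZMM */
	if (__get_cpuid_max(0, NULL) >= 7) {
		__cpuid_count(7, 0, eax, ebx, ecx, edx);
		if (ymm_ok && (ebx & (1u << 5)))
			feats |= FEAT_AVX2;
		if (zmm_ok && (ebx & (1u << 16)))
			feats |= FEAT_AVX512F;
	}
#endif
	return feats;
}

/* Portable reference: out = a XOR b. */
static void xor_block_ref(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t n)
{
	size_t i;
	for (i = 0; i < n; i++)
		out[i] = a[i] ^ b[i];
}

#if defined(__x86_64__) || defined(__i386__)
/* Accelerated variant. Only this function is compiled for AVX2 (via the target
 * attribute, not a global -mavx2), so the rest of the file stays baseline. */
__attribute__((target("avx2")))
static void xor_block_avx2(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t n)
{
	size_t i = 0;
	for (; i + 32 <= n; i += 32) {
		__m256i va = _mm256_loadu_si256((const __m256i *)(a + i));
		__m256i vb = _mm256_loadu_si256((const __m256i *)(b + i));
		_mm256_storeu_si256((__m256i *)(out + i), _mm256_xor_si256(va, vb));
	}
	xor_block_ref(out + i, a + i, b + i, n - i);  /* tail */
}
#endif

/* The single entry point callers use. It is baseline-compiled, so executing it
 * never faults, and it is the one place that decides whether the accelerated
 * routine may be entered. */
void xor_block(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t n)
{
	static unsigned feats, probed;
	if (!probed) {
		feats = detect_cpu_features();
		probed = 1;
	}
#if defined(__x86_64__) || defined(__i386__)
	if (feats & FEAT_AVX2) {
		xor_block_avx2(out, a, b, n);
		return;
	}
#endif
	(void)feats;
	xor_block_ref(out, a, b, n);
}

/* Dispatcher output must match the reference regardless of the path taken
 * (70 bytes exercises both the 32-byte vector loop and the tail). Returns 1 on success. */
int xor_dispatch_selftest(void)
{
	uint8_t a[70], b[70], ref[70], got[70];
	int i;
	for (i = 0; i < 70; i++) {             /* constructed input */
		a[i] = (uint8_t)i;
		b[i] = (uint8_t)(0xa5 ^ (i * 7));
	}
	xor_block_ref(ref, a, b, sizeof(a));
	xor_block(got, a, b, sizeof(a));
	return memcmp(ref, got, sizeof(a)) == 0;
}

int main(void)
{
	unsigned f = detect_cpu_features();
	printf("CLMUL=%u AVX2=%u AVX512F=%u selftest=%s\n",
	       !!(f & FEAT_CLMUL), !!(f & FEAT_AVX2), !!(f & FEAT_AVX512F),
	       xor_dispatch_selftest() ? "ok" : "FAILED");
	return 0;
}
```

The structural point is that `xor_block_avx2` is `static` and reachable only through `xor_block`: a caller cannot accidentally execute AVX2 instructions on a machine or under an OS that has not enabled the YMM state, which is exactly the failure the changelog entry guards against.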