Subject: Re: [boost] Crypto Proposal
From: Domagoj Saric (domagoj.saric_at_[hidden])
Date: 2010-04-12 07:52:32
"Chad Seibert" <chadseibert_at_[hidden]> wrote in message
news:BAY113-W109DEA4654FE7B53F0F6F5D3160_at_phx.gbl...
> Also, Botan was engineered mostly by a security expert, meaning it is likely
> to be more secure.
Hopefully coding skills also matter in the Boost community and sadly Botan
leaves a lot to be desired in this regard. 'Hacking up' an example to test a
real use case of a simple RSA+SHA256 message verification with the public key
stored in static memory gives the following results:
(MSVC++ 9.0 SP1, Botan built with default parameters (makefile only changed to
use link time code generation))
- project with an empty main : 40.448 bytes
- project with the following Botan code
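    // Headers assumed (Botan 1.8-series names); the post does not list them.
    #include <memory>      // std::auto_ptr
    #include <stdlib.h>    // _countof (MSVC)
    #include <botan/botan.h>
    #include <botan/look_pk.h>
    #include <botan/rsa.h>
    using namespace Botan;

    int main()
    {
        // Placeholder inputs: the program exists to measure linked size.
        unsigned char const in_memory_key[] = "an invalid key" ;
        unsigned char const msg          [] = "a dummy message";
        unsigned char const sig          [] = "an invalid sig";
        LibraryInitializer init;
        // Load the public key from static memory.
        DataSource_Memory botan_in_memory_key( in_memory_key, _countof( in_memory_key ) );
        std::auto_ptr<X509_PublicKey> key( X509::load_key( botan_in_memory_key ) );
        RSA_PublicKey* rsakey = dynamic_cast<RSA_PublicKey*>( key.get() );
        // Verify the signature over msg using SHA-256.
        std::auto_ptr<PK_Verifier> verifier( get_pk_verifier( *rsakey, "EMSA1(SHA-256)" ) );
        return verifier->verify_message( msg, sizeof(msg), sig, sizeof(sig) );
    }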
...: 1.092.096 bytes (yup, over a megabyte!)
- an equivalent project only using LibTomCrypt+LibTomMath (mentioned here
http://permalink.gmane.org/gmane.comp.lib.boost.devel/202443): 84.480 bytes
IMNHO that's a failed test by any standard (worse than OpenSSL and Crypto++)...
(must I really pay for e.g. virtual inheritance, dynamic_casts,
by-std::string-runtime-algorithm-lookups etc. etc... for such a simple use
case?)...
> It is also being maintained, so security and feature patches will be made.
From this I gather that the original author plans to continue to develop and
maintain the original library, in which case I wonder what would be the purpose
of having a library that is nothing more than a 'parallel' 'boostified' version
of the original that in itself offers nothing new and is updated only after the
original one is updated?
-- "What Huxley teaches is that in the age of advanced technology, spiritual devastation is more likely to come from an enemy with a smiling face than from one whose countenance exudes suspicion and hate." Neil Postman