Subject: Re: [boost] Crypto Proposal
From: Domagoj Saric (domagoj.saric_at_[hidden])
Date: 2010-04-12 07:52:32

"Chad Seibert" <chadseibert_at_[hidden]> wrote in message
> Also, Botan was engineered mostly by a security expert, meaning it is likely
> to be more secure.

Hopefully coding skills also matter in the Boost community and sadly Botan
leaves a lot to be desired in this regard. 'Hacking up' an example to test a
real use case of a simple RSA+SHA256 message verification with the public key
stored in static memory gives the following results:

(MSVC++ 9.0 SP1, Botan built with default parameters (makefile only changed to
use link time code generation))

- project with an empty main : 40.448 bytes

- project with the following Botan code
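// Botan 1.8-era header names (assumed; the original post shows no includes)
#include <botan/botan.h>
#include <botan/rsa.h>
#include <botan/look_pk.h>
#include <botan/x509_key.h>
#include <memory>
using namespace Botan;

int main()
{
    unsigned char const in_memory_key[] = "an invalid key" ;
    unsigned char const msg [] = "a dummy message";
    unsigned char const sig [] = "an invalid sig";

    LibraryInitializer init;
    DataSource_Memory botan_in_memory_key( in_memory_key, _countof(
        in_memory_key ) );
    std::auto_ptr<X509_PublicKey> key( X509::load_key( botan_in_memory_key ) );
    // dynamic_cast yields a null pointer for a non-RSA key; not checked in this size test
    RSA_PublicKey* rsakey = dynamic_cast<RSA_PublicKey*>(key.get());
    std::auto_ptr<PK_Verifier> verifier( get_pk_verifier( *rsakey,
        "EMSA1(SHA-256)") );
    return verifier->verify_message(msg,sizeof(msg),sig,sizeof(sig));
}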
...: 1.092.096 bytes (yup, over a megabyte!)

- an equivalent project only using LibTomCrypt+LibTomMath (mentioned here): 84.480 bytes

IMNHO that's a failed test by any standard (worse than OpenSSL and Crypto++)...
(must I really pay for e.g. virtual inheritance, dynamic_casts,
by-std::string-runtime-algorithm-lookups etc. etc... for such a simple use

> It is also being maintained, so security and feature patches will be made.

From this I gather that the original author plans to continue to develop and
maintain the original library, in which case I wonder what would be the purpose
of having a library that is nothing more but a 'parallel' 'boostified' version
of the original that in itself offers nothing new and is updated only after the
original one is updated?

"What Huxley teaches is that in the age of advanced technology, spiritual
devastation is more likely to come from an enemy with a smiling face than from
one whose countenance exudes suspicion and hate."
Neil Postman
