Subject: Re: [boost] Crypto Proposal
From: Domagoj Saric (domagoj.saric_at_[hidden])
Date: 2010-04-12 07:52:32


"Chad Seibert" <chadseibert_at_[hidden]> wrote in message
news:BAY113-W109DEA4654FE7B53F0F6F5D3160_at_phx.gbl...
> Also, Botan was engineered mostly by a security expert, meaning it is likely
> to be more secure.

Hopefully coding skills also matter in the Boost community and sadly Botan
leaves a lot to be desired in this regard. 'Hacking up' an example to test a
real use case of a simple RSA+SHA256 message verification with the public key
stored in static memory gives the following results:

(MSVC++ 9.0 SP1, Botan built with default parameters (makefile only changed to
use link time code generation))

- project with an empty main : 40.448 bytes

- project with the following Botan code
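#include <memory>    // std::auto_ptr
#include <stdlib.h>  // _countof (MSVC)
#include <botan/botan.h>
#include <botan/data_src.h>
#include <botan/look_pk.h>
#include <botan/rsa.h>
#include <botan/x509_key.h>

using namespace Botan;

int main()
{
    // Dummy inputs: the test measures the size of the resulting binary.
    unsigned char const in_memory_key[] = "an invalid key" ;
    unsigned char const msg [] = "a dummy message";
    unsigned char const sig [] = "an invalid sig";

    LibraryInitializer init;
    // Load the public key from static memory.
    DataSource_Memory botan_in_memory_key( in_memory_key, _countof(
        in_memory_key ) );
    std::auto_ptr<X509_PublicKey> key( X509::load_key( botan_in_memory_key ) );
    RSA_PublicKey* rsakey = dynamic_cast<RSA_PublicKey*>(key.get());
    // The signature scheme is looked up at run time by its string name.
    std::auto_ptr<PK_Verifier> verifier( get_pk_verifier( *rsakey,
        "EMSA1(SHA-256)") );
    return verifier->verify_message(msg,sizeof(msg),sig,sizeof(sig));
}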
...: 1.092.096 bytes (yup, over a megabyte!)

- an equivalent project only using LibTomCrypt+LibTomMath (mentioned here
http://permalink.gmane.org/gmane.comp.lib.boost.devel/202443): 84.480 bytes

IMNHO that's a failed test by any standard (worse than OpenSSL and Crypto++)...
(must I really pay for e.g. virtual inheritance, dynamic_casts,
by-std::string-runtime-algorithm-lookups etc. etc... for such a simple use
case?)...

> It is also being maintained, so security and feature patches will be made.

From this I gather that the original author plans to continue to develop and
maintain the original library, in which case I wonder what would be the purpose
of having a library that is nothing more than a 'parallel' 'boostified' version
of the original that in itself offers nothing new and is updated only after the
original one is updated?

--
"What Huxley teaches is that in the age of advanced technology, spiritual
devastation is more likely to come from an enemy with a smiling face than from
one whose countenance exudes suspicion and hate."
Neil Postman