Botan, a C++ crypto library

Tue, 07 Apr 2009

Botan 1.8.2: Entropy seeding improvements, GOST 34.11 hash function

A new release of botan is tagged in the monotone repository, and tarballs are available.

Entropy polling for the PRNG has been sped up quite a bit, mostly by removing redundant operations, as well as by maintaining a target bit count to collect: once this goal is reached, the poll is stopped. Since entropy sources are scanned (more or less) in order from fastest to slowest, this tends to improve the runtime of an entropy poll quite noticeably.
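
The budgeted poll described above, as an added C++ illustration that is not Botan's own code: sources are tried fastest first and polling stops once the credited bits reach the target. The source names, their byte counts and their entropy credits are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// One entropy source: a name plus a polling callback that appends raw bytes
// to the seed buffer and returns the entropy bits it credits itself with.
struct EntropySource {
    std::string name;
    std::function<size_t(std::vector<uint8_t>&)> poll;
};

// Poll sources in the order given (fastest first) and stop as soon as the
// credited bits reach target_bits, so the slow sources at the end of the
// list are only touched when the fast ones did not cover the goal.
std::vector<std::string> poll_until(const std::vector<EntropySource>& sources,
                                    size_t target_bits,
                                    std::vector<uint8_t>& seed) {
    std::vector<std::string> used;  // names of sources actually consulted
    size_t collected = 0;
    for (const EntropySource& src : sources) {
        if (collected >= target_bits) break;
        collected += src.poll(seed);
        used.push_back(src.name);
    }
    return used;
}

// Constructed stand-ins for real sources (a clock read, a /dev/urandom read,
// a process-table scan), ranked fast to slow with made-up entropy credits.
std::vector<EntropySource> example_sources() {
    auto fake = [](uint8_t fill, size_t nbytes, size_t bits) {
        return [=](std::vector<uint8_t>& out) {
            out.insert(out.end(), nbytes, fill);
            return bits;
        };
    };
    return {{"timer", fake(0x11, 8, 32)},
            {"urandom", fake(0x22, 32, 256)},
            {"proc_scan", fake(0x33, 4096, 64)}};
}

int main() {
    std::vector<uint8_t> seed;
    std::vector<std::string> used = poll_until(example_sources(), 256, seed);
    std::printf("%zu sources polled, %zu seed bytes\n", used.size(), seed.size());
    return 0;
}
```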

The GOST 34.11 hash function has been added. This hash function is standardized in Russia, and uses the GOST 28147 block cipher as a cryptographic component. RFC 4357 specifies a particular set of sboxes for the GOST cipher for use in the 34.11 hash function. Adding support for 34.11 required modifying the block cipher implementation, and it now supports the standard 'test' sboxes as well as the RFC 4357 parameters. The so-called 'test' parameters are commonly used in other GOST 28147 software implementations (such as in Crypto++ and BeeCrypt), and, according to Wikipedia, are also used by the Russian Central Bank.

One caveat: the previous implementation of GOST 28147 used a completely non-standard set of sboxes. These sboxes are not supported any longer. While introducing an incompatible change in a point release normally is not very nice, it seems justifiable in the current situation, as the API document has stated for years:

Generally, cryptographic algorithms are well standardized, thus compatibility between implementations is relatively simple (of course, not all algorithms are supported by all implementations). But there are a few algorithms which are poorly specified, and these should be avoided if you wish your data to be processed in the same way by another implementation (including future versions of Botan). The block cipher GOST has a particularly poor specification: there are no standard Sboxes [...]

If necessary, a new sbox parameter set corresponding to the one used in previous versions of botan could be defined.

It was noticed that the datestamp for this release, 20090407, is a prime number. This seemed quite neat, and it has henceforth been decided that all future releases of botan will occur on similar 'prime days'.

posted 2009/04/07 20:53 [/releases]

Thu, 29 Jan 2009

Botan Now Included in Fedora

Thomas Moschny has packaged botan for Fedora, and builds for Fedora 9 and 10 are already available, with packages for RHEL5 coming soon through the Extra Packages for Enterprise Linux Fedora community project.

Many thanks to Thomas for creating the RPM and getting it through the Fedora review process.

posted 2009/01/29 20:27 [/announcements]

Tue, 20 Jan 2009

Botan 1.8.1 released, fixing memory leak and Valgrind warning

Botan 1.8.1 has been released. This version plugs two memory leaks in the PKCS #8 key handling system which were introduced late in the 1.7 development releases. Anyone using PKCS8::load_key or related APIs for loading PKCS #8 private keys should upgrade.

In addition, a bug in the Unix entropy gathering code which caused Valgrind to produce warnings about uninitialized data usage on at least some 32-bit Linux systems was fixed. This warning was in fact harmless to application code: on some systems, the stat structure contains padding bytes which are not written to by the stat syscall. Botan's use of the stat buffer copies its entire binary representation into a buffer which is used as part of a PRNG seed. The padding bytes not being written to is harmless in itself, but, because uninitialized bytes are fed into the PRNG state, Valgrind taints both the PRNG's internal state and all of the PRNG's output as depending on an uninitialized value. Since this is quite undesirable, the stat buffer is now zeroized with memset before calling stat, so Valgrind knows that all bytes were initialized.
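
The fix described above, as an added C++ example that is not Botan's own entropy-poller code: `stat_seed_bytes` snapshots a whole struct stat into seed material, with `zero_first` selecting between the pre-1.8.1 behaviour and the memset fix. The helper names and the use of "/" as the polled path are assumptions.

```cpp
#include <sys/stat.h>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Snapshot the entire binary struct stat of `path` as PRNG seed material, the
// way the Unix entropy poller does. The kernel fills the named fields but, on
// some 32-bit Linux builds, never touches the struct's padding bytes.
// zero_first == false reproduces the pre-1.8.1 behaviour: uninitialized
// padding flows into the seed (no entropy is lost, but Valgrind then taints
// the PRNG state and every byte it outputs).
// zero_first == true is the 1.8.1 fix: memset the buffer before the syscall.
std::vector<uint8_t> stat_seed_bytes(const char* path, bool zero_first) {
    struct stat buf;
    if (zero_first)
        std::memset(&buf, 0, sizeof(buf));
    if (::stat(path, &buf) != 0)
        return {};  // empty vector: this source contributed nothing
    const uint8_t* p = reinterpret_cast<const uint8_t*>(&buf);
    return std::vector<uint8_t>(p, p + sizeof(buf));
}

// Number of seed bytes the (fixed) snapshot contributes, or 0 on failure.
size_t stat_seed_size(const char* path) {
    return stat_seed_bytes(path, true).size();
}

int main() {
    std::vector<uint8_t> seed = stat_seed_bytes("/", true);
    std::printf("struct stat snapshot: %zu bytes (sizeof struct stat = %zu)\n",
                seed.size(), sizeof(struct stat));
    return seed.empty() ? 1 : 0;
}
```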

A bug in the botan-config program that caused it to produce bogus output on some systems was fixed. It assumed that the echo command supported the -n option, however that is not true on (at least) MacOS X and Solaris 10. Now the printf shell command is used instead, which should work portably across most Unix/Unix-like systems of interest.

Previously the API reference was licensed under the Creative Commons Attribution-ShareAlike license. However this caused unnecessary complications in terms of licensing of the overall distribution, so it has been changed to the standard BSD license that the rest of the code and documentation is distributed under.

posted 2009/01/20 02:03 [/releases]

Sun, 07 Dec 2008

Botan 1.8.0 Released

1.8.0, the first release of the new stable tree, is now available for download.

Features new to this release as compared to the previous stable releases include the addition of the elliptic curve algorithms ECDSA and ECDH, the SHA-224 hash function, the Salsa20 stream cipher, the Noekeon block cipher, CBC-MAC, and the custom PRF and MAC functions used by the SSLv3/TLSv1 protocols. DSA keys larger than 1024 bits can now be generated.

This release also features a huge number of optimizations and code cleanups, including a new modularized source layout and build system.

Many thanks to all of the people and organizations that contributed to this release, especially Yves Jerschow, who contributed numerous optimizations throughout the codebase, and the InSiTo team (Falko Strenzke, Martin Doering, Manuel Hartl, Christoph Ludwig, and others from FlexSecure GmbH and Technische Universitat Darmstadt), who developed and contributed, among other things, the implementations of ECDSA/ECDH and card verifiable certificates.

posted 2008/12/07 20:30 [/releases]

Mon, 01 Dec 2008

Botan 1.7.24 aka 1.8.0 RC3

On botan-devel, Rickard Bondesson noted that SHA-512 signatures using the EMSA3 padding scheme (aka PKCS #1 v1.5; the EMSA3 terminology is taken from IEEE 1363) were not matching the values produced by OpenSSL. Investigation showed that botan had been using an incorrect object identifier for SHA-512 EMSA3 signatures, basically since time immemorial. To help prevent a recurrence of such problems, more test vectors for the padding schemes EMSA2, EMSA3, and EMSA4 using a variety of different hash functions have been added in this release. These test vectors were generated with a third-party implementation of EMSA3, Crypto++, and thus at least imply that botan is interoperable with that implementation.

This change unfortunately means that all such signatures created by previous botan versions are incorrect and will not be accepted by new versions of botan or by any other conforming implementation. Currently the thought/hope is that signatures of this type are rare in practice, so no provision is being made for backwards compatibility with the old object identifier. SHA-512 itself is not going to be used outside of new applications, and hopefully new applications are moving to using PSS rather than continuing with PKCS #1 padding.

A bug in the EGD entropy poller was introduced in the 1.7.23 release; this bug prevented any output from being produced by the poller, even if EGD was running and returned data. A new program in the examples directory, test_es.cpp, has been added that will poll each entropy source on the system and print the gathered raw output to the screen for inspection. This makes it easier for users and developers to check that botan's entropy sources are doing something useful on the particular operating system in use.

A variant of EMSA3 padding called EMSA3_Raw has been added. This variant signs its inputs directly (without using a hash function), and without adding an object identifier. This variant is useful in software implementations of security tokens, and is called CKM_RSA_PKCS in PKCS #11.

The SHA-224 hash function was added in 1.7.16, but until now it was not supported with the EMSA2 or EMSA3 padding schemes, because the hash identifiers for it were not available. These ids are now included in the library.
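
The EMSA3 encoding whose object identifier went wrong, together with the EMSA3_Raw variant, as an added C++ example that is not Botan's own implementation: it builds the PKCS #1 v1.5 encoded message around a 64-byte SHA-512 digest and shows why a verifier rejects a signature whose DigestInfo carries a different OID, even when the digest bytes are right. The digest bytes are constructed and the function names are assumptions; the DigestInfo prefix is the standard RFC 3447 constant.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// DER DigestInfo prefix for SHA-512 (OID 2.16.840.1.101.3.4.2.3, NULL params,
// OCTET STRING header for a 64-byte digest); RFC 3447 section 9.2, note 1.
static const std::vector<uint8_t> kSha512DigestInfo = {
    0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};

// EMSA3 (PKCS #1 v1.5) encoding: 00 || 01 || FF..FF || 00 || T.
// raw == false: T = DigestInfo prefix || 64-byte SHA-512 digest.
// raw == true:  the EMSA3_Raw variant, T = the input bytes with no OID
// wrapper (what PKCS #11 calls CKM_RSA_PKCS).
std::vector<uint8_t> emsa3_encode(const std::vector<uint8_t>& input,
                                  size_t em_len, bool raw) {
    std::vector<uint8_t> t;
    if (!raw) {
        if (input.size() != 64)
            throw std::invalid_argument("SHA-512 digest must be 64 bytes");
        t = kSha512DigestInfo;
    }
    t.insert(t.end(), input.begin(), input.end());
    if (em_len < t.size() + 11)  // PKCS #1 requires >= 8 bytes of 0xFF
        throw std::invalid_argument("modulus too small for this message");
    std::vector<uint8_t> em = {0x00, 0x01};
    em.insert(em.end(), em_len - t.size() - 3, 0xFF);
    em.push_back(0x00);
    em.insert(em.end(), t.begin(), t.end());
    return em;
}

// Verifier side: rebuild the expected EM and compare. A signer that wrapped
// the digest in a different OID, or left it out (EMSA3_Raw), yields a
// different EM and is rejected even though the digest bytes match.
bool emsa3_verify(const std::vector<uint8_t>& em,
                  const std::vector<uint8_t>& input, bool raw) {
    return em == emsa3_encode(input, em.size(), raw);
}

int main() {
    std::vector<uint8_t> digest(64);  // constructed stand-in for SHA-512(msg)
    for (size_t i = 0; i < digest.size(); ++i) digest[i] = uint8_t(i);
    std::vector<uint8_t> em = emsa3_encode(digest, 128, false);  // 1024-bit key
    std::printf("EM: %zu bytes, verify=%d\n", em.size(), emsa3_verify(em, digest, false));
    return 0;
}
```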

posted 2008/12/01 23:19 [/releases]

Sun, 23 Nov 2008

Botan 1.7.23 aka 1.8.0 RC2 Released

Botan 1.7.23 has been released with optimizations in the hash function implementations and entropy polling routines. TR1 is now used by default when compiling with GNU C++ or Intel C++.

For Gentoo users, botan-1.7.23.ebuild can be used to install this version of botan via Portage.

posted 2008/11/23 18:06 [/releases]

Sat, 22 Nov 2008

Algorithm Benchmarking and Provider Selection in Botan 1.8

A major driver for Botan's performance in the last couple of years has been from its use in Monotone, a distributed revision control system. There were two major design decisions made by Monotone's developers which caused Botan to become a bottleneck in Monotone's performance. This post is about those design decisions, and changes made in the last two years during the 1.7 development process intended to improve Monotone's performance.


posted 2008/11/22 15:39 [/devnotes]

Thu, 20 Nov 2008

Botan In Feature Freeze for 1.8.0

The most recent release of the development 1.7 tree, 1.7.22, has been declared as 1.8.0 release candidate 1. Read more about the release schedule for Botan 1.8 in this post to the botan-devel list.

posted 2008/11/20 10:50 [/announcements]

Thu, 06 Nov 2008

Botan 1.7.19 Released

Botan 1.7.19 has been released with several new features for random number generation, as well as significant optimizations for the Turing stream cipher.


posted 2008/11/06 15:10 [/releases]

Thu, 23 Oct 2008

New Benchmarks for Botan 1.7.18

Several years ago I compared Botan's benchmark output for three compilers (GNU C++, Intel C++, and KAI C++), which showed some interesting results that are of course completely irrelevant to modern compilers and machines. With the Botan 1.7.18 release I have redone this comparison (with 5 different versions of GNU C++ and 2 of Intel C++) on an Intel Core2 machine.


posted 2008/10/23 12:04 [/benchmarks]
