[Botan-announce] Botan 1.2.2

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi All,

Botan 1.2.2 was released about 5 minutes ago. The primary changes were in
the area of the modules, especially the entropy gathering modules. First,
the general changes:

 - There is an attack on RSA and RW implementations using the CRT, that if any
   hardware or software error occurs during a signature operation, the private
   key will be revealed. To prevent this, RSA and RW now check their results to
   make sure that no error has occured.
 - The Global_RNG::seed() function has changed.
 - The library initialization routines now use a somewhat more complicated
   method of seeding the RNG, but it should allow much greater flexibility.
 - A few minor locking bugs were fixed

This release, like 1.2.1, is primarily oriented towards Windows users, but
because of the new checks to prevent problems with RSA/RW, I would suggest that
all users upgrade to 1.2.2 as soon as possible. I am not currently aware of any
bugs in the MPI implementation (the last bugs I found in it were in 0.8.x), but
it's probable that some latent bugs do exist.

Changes and additions in the modules:

 - Another Win32 entropy source is available, which uses various Win32 APIs to
   gather information about processes running on the system. [1]
 - The BeOS and generic Unix entropy sources were both improved significantly.
 - A file descriptor leak in the EGD entropy source was fixed.
 - The Win32 CryptoAPI entropy source will query multiple providers until it
   finds one that works. By default, it will first try to access the Intel i810
   hardware RNG [2], and if that fails, will fall back to the standard software
   PRNG.

[1]: This entropy source will not run on NT4, but everything else (including
Win95), is fine.

[2]: This module has not actually been tested on a system that has an i810 RNG,
since the only x86 machine I have is an Athlon. If someone could test that it
actually reads the i810 RNG when it is available, I would appreciate it.

Because I'm a bit pressed for time, this release is only available from
botan.randombit.net, not off sourceforge (which is the typical distribution
site for stable releases). 1.2.2 will be up on sourceforge starting
tommorow afternoon (EST).

As always, let me know if you run into any problems building or running
Botan on your system.

Regards,
  Jack