A security review of the D library Crypto
Cym13
cpicard at purrfect.fr
Wed Jul 1 07:19:11 UTC 2020
As some of you may know one of my hobbies is to review open
source software for security issues. About a year ago I reviewed
the RSA implementation of Crypto[1]: a native D library which,
according to dub statistics, is fairly popular.
Issues were found and after discussion with the author I decided
to wait for them to be fixed. A year later I would like to
present the results of an updated review of the library:
https://breakpoint.purrfect.fr/article/review_crypto_d.html
Here's what you should know if you are a user:
RSA, as implemented in the library, is still very much broken. I
do not recommend using it. The confidentiality and integrity of
all messages exchanged using this library must be questionned: if
you exchanged sensitive information such as passwords using it
I recommend to change them since their security is not guaranteed.
“Is this really the place to have this discussion? Shouldn't this
be between the author and you?“
The author was contacted a year ago and although our discussion
was kind and productive I have not heard from him since. Most of
the issues present today were already present in my first
assessment. Some modifications were made, but most
recommendations were ignored. After a year without action I feel
that the users should know exactly what they are exposed to since
they are the ones affected by these security issues. This follows
standard vulnerability disclosure processes.
For all details and analysis I direct you to the blog post. It is
a rather thorough and technical read so I would recommend
grabbing a cup of tea first.
If you find any mistake or unclear parts I'll be glad to correct
it so feel free to point it out. Furthermore if you would like
someone to have a look at your project to identify issues I am
always glad to help free and open source projects that can't
afford security review through traditional means so feel free to
reach out.
[1] https://code.dlang.org/packages/crypto
More information about the Digitalmars-d-announce
mailing list