A security review of the D library Crypto

Steven Schveighoffer schveiguy at gmail.com
Wed Jul 1 13:09:43 UTC 2020

On 7/1/20 3:19 AM, Cym13 wrote:
> As some of you may know one of my hobbies is to review open source 
> software for security issues. About a year ago I reviewed the RSA 
> implementation of Crypto[1]: a native D library which, according to dub 
> statistics, is fairly popular.
> Issues were found and after discussion with the author I decided to wait 
> for them to be fixed. A year later I would like to present the results 
> of an updated review of the library:
> https://breakpoint.purrfect.fr/article/review_crypto_d.html
> Here's what you should know if you are a user:
> RSA, as implemented in the library, is still very much broken. I do not 
> recommend using it. The confidentiality and integrity of all messages 
> exchanged using this library must be questionned: if you exchanged 
> sensitive information such as passwords using it I recommend to change 
> them since their security is not guaranteed.
> “Is this really the place to have this discussion? Shouldn't this be 
> between the author and you?“
> The author was contacted a year ago and although our discussion was kind 
> and productive I have not heard from him since. Most of the issues 
> present today were already present in my first assessment. Some 
> modifications were made, but most recommendations were ignored. After a 
> year without action I feel that the users should know exactly what they 
> are exposed to since they are the ones affected by these security 
> issues. This follows standard vulnerability disclosure processes.
> For all details and analysis I direct you to the blog post. It is a 
> rather thorough and technical read so I would recommend grabbing a cup 
> of tea first.
> If you find any mistake or unclear parts I'll be glad to correct it so 
> feel free to point it out. Furthermore if you would like someone to have 
> a look at your project to identify issues I am always glad to help free 
> and open source projects that can't afford security review through 
> traditional means so feel free to reach out.
> [1] https://code.dlang.org/packages/crypto

This is a fantastic writeup, and being someone who is naturally good at 
math, but never really cared for it at the advanced level, I find the 
level of detail perfect.

Thanks for the post!


More information about the Digitalmars-d-announce mailing list