A security review of the D library Crypto
Steven Schveighoffer
schveiguy at gmail.com
Wed Jul 1 13:09:43 UTC 2020
On 7/1/20 3:19 AM, Cym13 wrote:
> As some of you may know one of my hobbies is to review open source
> software for security issues. About a year ago I reviewed the RSA
> implementation of Crypto[1]: a native D library which, according to dub
> statistics, is fairly popular.
>
> Issues were found and after discussion with the author I decided to wait
> for them to be fixed. A year later I would like to present the results
> of an updated review of the library:
>
> https://breakpoint.purrfect.fr/article/review_crypto_d.html
>
> Here's what you should know if you are a user:
>
> RSA, as implemented in the library, is still very much broken. I do not
> recommend using it. The confidentiality and integrity of all messages
> exchanged using this library must be questionned: if you exchanged
> sensitive information such as passwords using it I recommend to change
> them since their security is not guaranteed.
>
> “Is this really the place to have this discussion? Shouldn't this be
> between the author and you?“
>
> The author was contacted a year ago and although our discussion was kind
> and productive I have not heard from him since. Most of the issues
> present today were already present in my first assessment. Some
> modifications were made, but most recommendations were ignored. After a
> year without action I feel that the users should know exactly what they
> are exposed to since they are the ones affected by these security
> issues. This follows standard vulnerability disclosure processes.
>
> For all details and analysis I direct you to the blog post. It is a
> rather thorough and technical read so I would recommend grabbing a cup
> of tea first.
>
> If you find any mistake or unclear parts I'll be glad to correct it so
> feel free to point it out. Furthermore if you would like someone to have
> a look at your project to identify issues I am always glad to help free
> and open source projects that can't afford security review through
> traditional means so feel free to reach out.
>
> [1] https://code.dlang.org/packages/crypto
This is a fantastic writeup, and being someone who is naturally good at
math, but never really cared for it at the advanced level, I find the
level of detail perfect.
Thanks for the post!
-Steve
More information about the Digitalmars-d-announce
mailing list