Links

Ben Laurie blathering


Crypto Amateurism

I discovered today that the latest port of Digest::SHA256 (0.01b) on FreeBSD doesn’t work – it produces incorrect digests.

Now, I don’t know whether this is because the underlying implementation is broken, or because the port is broken. But that’s irrelevant – I expect my favourite operating system to at least check test vectors when implementing cryptographic algorithms. Apparently they don’t, and that’s a disgrace.

It should, in my opinion, be a part of the install process that test vectors are checked for every cryptographic algorithm. Anything less exposes users to potentially extremely serious security issues.

3 Comments

  1. It doesn’t look like this module has a great testing history. There was a FreeBSD PASS a few years ago, but that was with a very old version of Perl (older now than it was then, of course). You should file a bug in RT.

    Comment by Darren Chamberlain — 5 Jan 2006 @ 22:34

  2. I have reported the bug to the port author and to FreeBSD, since it appears to be FreeBSD-specific.

    Comment by Ben — 6 Jan 2006 @ 10:55

  3. yes, test vectors should be checked. That’s why it’s so annoying that “make test” doesn’t work in openssl 🙁

    Comment by Rodney Thayer — 9 Jan 2006 @ 8:16

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress