Links

Ben Laurie blathering

«
»

Crypto Amateurism

I discovered today that the latest port of Digest::SHA256 (0.01b) on FreeBSD doesn’t work – it produces incorrect digests.

Now, I don’t know whether this is because the underlying implementation is broken, or because the port is broken. But that’s irrelevant – I expect my favourite operating system to at least check test vectors when implementing cryptographic algorithms. Apparently they don’t, and that’s a disgrace.

It should, in my opinion, be a part of the install process that test vectors are checked for every cryptographic algorithm. Anything less exposes users to potentially extremely serious security issues.

This entry was posted on Thursday, January 5th, 2006 at 16:59 and is filed under Crypto, Rants, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

3 Comments

  1. It doesn’t look like this module has a great testing history. There was a FreeBSD PASS a few years ago, but that was with a very old version of Perl (older now than it was then, of course). You should file a bug in RT.

    Comment by Darren Chamberlain — 5 Jan 2006 @ 22:34

  2. I have reported the bug to the port author and to FreeBSD, since it appears to be FreeBSD-specific.

    Comment by Ben — 6 Jan 2006 @ 10:55

  3. yes, test vectors should be checked. That’s why it’s so annoying that “make test” doesn’t work in openssl 🙁

    Comment by Rodney Thayer — 9 Jan 2006 @ 8:16

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress