Crypto Amateurism
I discovered today that the latest port of Digest::SHA256 (0.01b) on FreeBSD doesn’t work – it produces incorrect digests.
Now, I don’t know whether this is because the underlying implementation is broken, or because the port is broken. But that’s irrelevant – I expect my favourite operating system to at least check test vectors when implementing cryptographic algorithms. Apparently they don’t, and that’s a disgrace.
It should, in my opinion, be a part of the install process that test vectors are checked for every cryptographic algorithm. Anything less exposes users to potentially extremely serious security issues.
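An install-time known-answer check of the kind argued for above, added here as an example; it is not code from the original post, the module or the port. It assumes Python's `hashlib` as the implementation under test, the vectors are the standard FIPS 180 SHA-256 ones, and `broken_sha256` is a constructed fault for illustration, not the actual bug in the port.

```python
import hashlib

# FIPS 180 SHA-256 known-answer vectors: (label, message, expected hex digest).
SHA256_VECTORS = [
    ("empty", b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("abc", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("56 bytes, pads into a second block",
     b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
    ("one million 'a'", b"a" * 1_000_000,
     "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0"),
]


def run_known_answer_tests(hex_digest, vectors=SHA256_VECTORS):
    """Return the labels of every vector the implementation gets wrong.

    hex_digest is any callable mapping bytes to a hex string. An exception
    counts as a failure, so a crashing build cannot pass by accident.
    """
    failures = []
    for label, message, expected in vectors:
        try:
            got = hex_digest(message).lower()
        except Exception:
            got = None
        if got != expected:
            failures.append(label)
    return failures


def reference_sha256(message):
    return hashlib.sha256(message).hexdigest()


def broken_sha256(message):
    # Constructed fault: only the first 55 bytes are hashed, so short
    # single-block inputs such as "abc" still produce correct digests.
    return hashlib.sha256(message[:55]).hexdigest()


if __name__ == "__main__":
    import sys
    bad = run_known_answer_tests(reference_sha256)
    for label in bad:
        print("SHA-256 self-test FAILED:", label, file=sys.stderr)
    sys.exit(1 if bad else 0)  # non-zero exit aborts the install step
```

The constructed fault passes the two shortest vectors and fails only the multi-block ones, which is why a single "abc" check is not enough.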
It doesn’t look like this module has a great testing history. There was a FreeBSD PASS a few years ago, but that was with a very old version of Perl (older now than it was then, of course). You should file a bug in RT.
Comment by Darren Chamberlain — 5 Jan 2006 @ 22:34
I have reported the bug to the port author and to FreeBSD, since it appears to be FreeBSD-specific.
Comment by Ben — 6 Jan 2006 @ 10:55
Yes, test vectors should be checked. That’s why it’s so annoying that “make test” doesn’t work in openssl 🙁
Comment by Rodney Thayer — 9 Jan 2006 @ 8:16