Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use crypton instead of cryptonite #6200

Closed
mpilgrem opened this issue Jul 26, 2023 · 6 comments
Closed

Use crypton instead of cryptonite #6200

mpilgrem opened this issue Jul 26, 2023 · 6 comments

Comments

@mpilgrem
Copy link
Member

See yesodweb/wai#931. hpack-0.35.3 has moved to crypton - see sol/hpack@26ec126.
@hasufell
Copy link
Contributor

crypton has never been audited either and there's no evidence that GHC/Haskell is not particularly prone to side channel attacks.

@mpilgrem
Copy link
Member Author

@hasufell, I recognise your warnings from your contributions to this discussion https://discourse.haskell.org/t/a-new-future-for-cryptography-in-haskell/3888/5 and the Reddit thread on the fork: https://www.reddit.com/r/haskell/comments/14245q8/crypton_is_forked_from_cryptonite_with_the/.

In the case of Pantry and Stack and cryptonite, the direct use is only:

  • SHA256 hashing (Pantry)
  • MD5, SHA1 and SHA256 hashing (Stack)

I am assuming that if those particular functions did not do what they purport to do, somebody would notice sooner rather than later.

@cdornan
Copy link

cdornan commented Jul 28, 2023
edited
Loading

The point is that crypton is being actively maintained, it is a better choice than cryptonite.

I get the sense that the crypton maintainer would like to address the underlying issues, but the first step is to execute the fork, no?

Thanks @mpilgrem for your incredible work — I feel we are all in your debt. (And too @hasufell.)

@hasufell
Copy link
Contributor

Well true... but crypton is also a dependency of tls, which stack uses indirectly. But that is an old discussion.

@cdornan
Copy link

cdornan commented Jul 28, 2023

Indeed — I think tls was the main motivation for creating crypton.

@mpilgrem
Copy link
Member Author

I started to implement this but got stuck with cryptonite-conduit. Raised kazu-yamamoto/crypton#13.

@mpilgrem mpilgrem mentioned this issue Jul 28, 2023
Closed
This was referenced Aug 6, 2023
Closed
Closed
mpilgrem added a commit that referenced this issue Aug 14, 2023
@mpilgrem
Fix #6200 Eliminate dependency on cryptonite, use crypton instead
00bd5f6
@mpilgrem mpilgrem mentioned this issue Aug 15, 2023
Closed
mpilgrem added a commit that referenced this issue Aug 15, 2023
@mpilgrem
Fix #6200 Eliminate dependency on cryptonite, use crypton instead
bd365e7
mpilgrem added a commit that referenced this issue Aug 18, 2023
@mpilgrem
Merge pull request #6209 from commercialhaskell/fix6200
5e3b248 
Fix #6200 Eliminate dependency on `cryptonite`, use `crypton` instead
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cdornan @hasufell @mpilgrem