Deprecating fromIntegral

Niklas Hambüchen mail at nh2.me
Sat Aug 8 03:08:29 UTC 2020


Today I found another big bug caused by `fromIntegral`:

    https://github.com/haskell-crypto/cryptonite/issues/330

Incorrect hashes for all hash algorithms beyond 4 GiB of input. SHA hash collisions in my production system.

Restating what I said there:

* Until we deprecate fromIntegral, Haskell code will always be subtly wrong and never be secure.
* If we don't fix this, people will shy away from using Haskell for serious work (or learn it the hard way). Rust and C both do this better.
* If the authors of key crypto libraries fall for these traps (no blame on them), who can get it right? We should remove the traps.

The wrong code,

    hashInternalUpdate ctx d (fromIntegral $ B.length b)

exists because it simply does not look like wrong code. In contrast,

    hashInternalUpdate ctx d (fromIntegralWrapping $ B.length b)

does look like wrong code and would make anyone scrolling by suspicious.

We can look away while continuing to claim that Haskell is a high-correctness language, or fix stuff like this and make it one.
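
An added example, not part of the original message and not cryptonite's code: it shows the silent truncation described above next to a checked conversion and a chunked alternative. It assumes a 64-bit `Int` and a 32-bit length parameter on the C side (which a failure beyond 4 GiB implies); `wrappedLen`, `checkedLen` and `chunks` are hypothetical names, and the lengths are constructed values.

```haskell
-- Added illustration; not code from cryptonite or from the post.
-- Assumptions: 64-bit Int (GHC on a 64-bit platform) and a C update
-- routine that takes its length as a 32-bit unsigned integer.
import Data.Bits (toIntegralSized)
import Data.Word (Word32)

-- What the unchecked call does: the length is reduced modulo 2^32,
-- with no warning at compile time or run time.
wrappedLen :: Int -> Word32
wrappedLen = fromIntegral

-- Checked conversion from base (Data.Bits): Nothing when the value
-- does not fit in the target type.
checkedLen :: Int -> Maybe Word32
checkedLen = toIntegralSized

-- Split a total length into (offset, size) pieces that each fit in a
-- Word32, so a caller can issue one update call per piece instead of
-- passing a truncated length.
chunks :: Int -> [(Int, Word32)]
chunks total = go 0
  where
    -- Widening Word32 -> Int is lossless under the 64-bit assumption.
    limit = fromIntegral (maxBound :: Word32) :: Int
    go off
      | off >= total = []
      | otherwise =
          let n = min limit (total - off)
          -- n <= limit, so this narrowing conversion cannot wrap.
          in (off, fromIntegral n) : go (off + n)

main :: IO ()
main = do
  let fourGiB = 4 * 1024 * 1024 * 1024 :: Int
      len     = fourGiB + 5            -- constructed input length
      pieces  = chunks len
  putStrLn ("unchecked: " ++ show (wrappedLen len))
  putStrLn ("checked:   " ++ show (checkedLen len))
  putStrLn ("small ok:  " ++ show (checkedLen 1024))
  putStrLn ("chunks:    " ++ show pieces)
  -- The pieces must cover the whole input exactly.
  let covered = sum [toInteger n | (_, n) <- pieces]
  putStrLn ("covers input: " ++ show (covered == toInteger len))
```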

