viper-framework/viper

Rats modules using outdated crypto library

Open

#710 opened on Oct 14, 2018

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Python (1,527 stars) (372 forks)batch import
help wanted

Description

There are several modules in the rats/ folder by @kevthehermit that are using a crypto library called pycrypto, mostly for AES and DES support. Unfortunately, this library hasn't been updated since 2014 and also has a vulnerable ElGamal implementation: https://nvd.nist.gov/vuln/detail/CVE-2018-6594

We should update these modules to make use of cryptography instead and drop pycrypto all together from our dependencies.

Contributor guide

Tech stack
python
Domain
backendsecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic PythonFamiliarity with cryptography libraryAbility to write testsKnowledge of AES/DES
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Review the modules in the `rats/` directory that currently import from `pycrypto`. For each, identify the cryptographic operations (e.g., AES, DES) and replace them with equivalent functions from the `cryptography` library. Update the setup.py or requirements to remove `pycrypto` and add `cryptography`. Run existing tests and add new ones to verify the replacement works correctly. Check if any comments or previous attempts exist in the issue thread.
Rats modules using outdated crypto library · viper-framework/viper#710 | Good First Issue