Popular crypto library audit reveals no major vulnerabilities

An audit of the popular cryptographic software library libsodium revealed no major vulnerabilities. The code was examined by cryptographer Matthew Green at the request of VPN provider Private Internet Access.

When presenting the results of the audit, the VPN provider stated that it uses the software library itself for its internal software. The research initially focused on version 1.0.12 of libsodium and after a few new commits, version 1.0.13 was also included. Green writes in the results of the audit: “Our overall finding is that libsodium is indeed a high-quality, secure library that delivers on its goals of usability and efficiency.”

Two problems with the estimation ‘low’ were found. The first has to do with the fact that libsodium on Windows only uses an unofficial api. This creates the risk that there will be no backup option if Microsoft decides to remove the api. The second problem has to do with a null pointer dereference, which can affect the stability of the software.

Libsodium is an open source fork of the C-written NaCl library. Developers can use the library on various platforms to implement cryptographic functions in their projects, such as password hashing, encryption, decryption, random number generators and signing. The libsodium team wants to provide an easy-to-use api for this.

Besides Private Internet Access, there are other companies and projects that use libsodium. For example, Facebook, hosts Digital Ocean and OVH, and the crypto chat app Wire. The code is also found in projects such as Discord, PowerDNS, the cryptocurrency Zcash and collaboration software Peerio. Matthew Green, who is also a professor at Johns Hopkins University, was previously involved in audits of TrueCrypt and OpenVPN.