
Audit Status #60

Closed
drahnr opened this issue Aug 31, 2020 · 13 comments · Fixed by #287
@drahnr

drahnr commented Aug 31, 2020

Since this is one of the more widespread used rsa crates, it would be great if this could be audited by a third party. Are there currently any plans to do so?

@tarcieri
Member

tarcieri commented Sep 1, 2020

I don't think anyone is planning an audit. If anyone would like to pay for one, that'd be great.

@zicklag
Contributor

zicklag commented Sep 16, 2020

According to the README for the pgp crate, rsa actually has gotten a review. If this is true then we could take that note out of the README about the lack of an audit and replace it with this statement, which would be nice. :)

rPGP and its RSA dependency got a first independent security review mid 2019.

@tarcieri
Member

tarcieri commented Sep 16, 2020

Interesting! No one told us about it! 😉

We will soon publish the full review report.

It'd be great to know who performed the audit and have a published copy of the report so we can include it in the README.md. We've done something similar for the RustCrypto/AEAD crates:

https://github.com/RustCrypto/AEADs/tree/master/aes-gcm#security-notes

@r10s

r10s commented Sep 16, 2020

the RSA audit was performed by Include Security and was granted by the Open Technology Fund while supporting Delta Chat developments.

not sure if there is already a copy of the report published somewhere, but it is planned iirc :) cc @hpk42

@drahnr
Author

drahnr commented Oct 9, 2020

@r10s @hpk42 is there an ETA of the mentioned report?

@hpk42

hpk42 commented Oct 12, 2020 via email

@joshbenaron

joshbenaron commented Mar 18, 2021

Hey,
Has there been any more progress/confirmation on the above issues? Have any low risk issues been fixed?

Also, is this crate still maintained?

@dignifiedquire dignifiedquire changed the title from "audit planned?" to "Audit Status" on Jul 26, 2021
@tarcieri
Member

I believe this might be it:

https://delta.chat/assets/1907-otf-deltachat-rpgp-rustrsa-gb-reportv1.pdf

@tarcieri
Member

tarcieri commented May 24, 2022

The following warning is still in README.md:

⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the updates made since the audit has not been officially released yet. See #60 for more information.

Has this information been made publicly available via a first-party site yet? (i.e. hosted by someone directly involved in the audit)

The report I linked in the previous post seems to have been uploaded to a chat service, so it'd be nice to link to something official instead.

@andrewbaxter

In case the report disappears, it looks like there was 1 finding with this RSA library:

  • key sizes are not bounded, so if a user can pass in an arbitrarily large key it could cause memory/cpu to be consumed for a very long time and lead to DOS (very rough summary)

@tarcieri
Member

Key sizes are now bounded unless the user explicitly opts out of that. See e.g.:

https://docs.rs/rsa/0.7.2/rsa/struct.RsaPublicKey.html#method.new

(as well as new_with_max_size and new_unchecked)
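The finding summarised above (unbounded key sizes letting an attacker-supplied key consume CPU and memory) and the fix described here (a bounded default, an explicit maximum, and an explicit unchecked opt-out) can be shown with a small stand-alone check. This is an added example, not the rsa crate's code: it reads the modulus as a big-endian byte string, measures its bit length before any arbitrary-precision work, and rejects anything over the limit. `DEFAULT_MAX_MODULUS_BITS`, `KeyError`, `check_modulus`, `new_checked`, `new_with_max_size` and `new_unchecked` are this example's own names; the 4096-bit default is the example's own assumption, not a value taken from the crate.

```rust
// Added example, not the rsa crate's own code. Bounds the modulus size
// before any big-integer work so an oversized key from an untrusted peer
// fails fast instead of tying up CPU/memory.

// Assumed default ceiling for this example (not a value from the crate).
pub const DEFAULT_MAX_MODULUS_BITS: usize = 4096;

#[derive(Debug, PartialEq)]
pub enum KeyError {
    ZeroModulus,
    ModulusTooLarge { bits: usize, max_bits: usize },
}

/// Bit length of a big-endian unsigned integer, ignoring leading zero bytes.
/// Runs in O(len) over the bytes and allocates nothing, so it is safe to call
/// on attacker-controlled input before building any big-integer value.
pub fn modulus_bits(n_be: &[u8]) -> usize {
    let mut iter = n_be.iter().skip_while(|&&b| b == 0);
    match iter.next() {
        None => 0,
        Some(&first) => {
            let remaining_bytes = iter.count();
            (8 - first.leading_zeros() as usize) + remaining_bytes * 8
        }
    }
}

/// Shared check: `max_bits = None` means the caller explicitly opted out.
pub fn check_modulus(n_be: &[u8], max_bits: Option<usize>) -> Result<usize, KeyError> {
    let bits = modulus_bits(n_be);
    if bits == 0 {
        return Err(KeyError::ZeroModulus);
    }
    if let Some(max) = max_bits {
        if bits > max {
            return Err(KeyError::ModulusTooLarge { bits, max_bits: max });
        }
    }
    Ok(bits)
}

/// Bounded constructor: the safe default for keys received from a peer.
pub fn new_checked(n_be: &[u8]) -> Result<usize, KeyError> {
    check_modulus(n_be, Some(DEFAULT_MAX_MODULUS_BITS))
}

/// Caller-chosen ceiling, for deployments that legitimately need larger keys.
pub fn new_with_max_size(n_be: &[u8], max_bits: usize) -> Result<usize, KeyError> {
    check_modulus(n_be, Some(max_bits))
}

/// Explicit opt-out: no ceiling at all. Only for keys the caller already trusts.
pub fn new_unchecked(n_be: &[u8]) -> Result<usize, KeyError> {
    check_modulus(n_be, None)
}

fn main() {
    // Constructed sample moduli (all-0xFF bytes, only the length matters here):
    // a 2048-bit key and a 1,000,000-bit key of the kind the finding warns about.
    let normal = vec![0xFFu8; 256];
    let huge = vec![0xFFu8; 125_000];

    println!("2048-bit key, default bound:   {:?}", new_checked(&normal));
    println!("1M-bit key, default bound:     {:?}", new_checked(&huge));
    println!("1M-bit key, explicit opt-out:  {:?}", new_unchecked(&huge));
}
```

The point of the design is that the cheap length check runs before the expensive parse: a caller that wants larger keys has to say so through `new_with_max_size` or `new_unchecked`, so the resource-exhaustion exposure becomes a deliberate decision rather than the default.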

@thomaseizinger

The following warning is still in README.md:

⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the updates made since the audit has not been officially released yet. See #60 for more information.

Has this information been made publicly available via a first-party site yet? (i.e. hosted by someone directly involved in the audit)

The report I linked in the previous post seems to have been uploaded to a chat service, so it'd be nice to link to something official instead.

Could we just upload it to this repository instead? The warning is very discouraging from using the crate when in reality, the only problem found has been fixed already.

@tarcieri
Member

tarcieri commented Apr 5, 2023

I opened #287 to remove the scary warning (which was somewhat nonsensical in its current state), and link to an officially hosted copy of the audit instead
