Cure53 security audit

Tankred Hase edited this page Apr 3, 2014 · 2 revisions
Clone this wiki locally

OpenPGP.js has received a first complete audit of its codebase conducted by Cure53. The audit started in Feb 2014 and was sponsored by the Open Technology Fund (RFA). The penetration test yielded an overall of 26 issues. Among these findings, Cure53 has classified 12 as vulnerabilities, with 2 issues rated ‘critical’ in regards to their severity.

The complete report is available at: https://cure53.de/pentest-report_openpgpjs.pdf

With release v0.5.0 all critical, high and medium issues have been fixed. In the following we list all issues with their status and reference to GitHub commits if available.

Fixed issues

  • OP-01-009 Cleartext Messages Spoofing by Lax Armor Headers parsing (Critical) (329c92bc73)
  • OP-01-015 EME-PKCS1-v1_5 padding uses Math.random() (Critical) (e1fcc51d0e)
  • OP-01-019 Cleartext Message Spoofing in Armor Headers (Critical) (93ca8b62fe)
  • OP-01-025 EME-PKCS1-v1_5 Error Handling in RSA Decryption (High) (ed13502dc2)
  • OP-01-026 Errors in EMSA-PKCS1-v1_5 decoding routine (High) (357d49f7e9)
  • OP-01-005 Side-channel leak in RSA decryption (High) (9f23c6a891)
  • OP-01-011 Error suppression in UTF-8 decoding function (Medium) (28e7a80eba)
  • OP-01-020 Missing check in DSA signature generation (Medium) (04680a67cd)
  • OP-01-006 Generated keys have no stored algorithm preference (Medium) (1c818f2410)
  • OP-01-024 Random Range Bias in DSA/Elgamal (Low) (3f626f4bfb)
  • OP-01-018 Suggested improvement in RSA signature verification (Low) (357d49f7e9)
  • OP-01-001 Type confusion in crypto.random.RandomBuffer (Low) (4d96089f72)
  • OP-01-002 Math.random() usage in dead Code Branch (Low) (1acf1cff9a)
  • OP-01-003 Suggested Code Enforcement of RandomBuffer (Low) (b9c597a41a)
  • OP-01-010 Invalid Armor Checksum Validation (Low) (e8ef355604)
  • OP-01-007 Algorithm Preferences ignored upon Encryption (Low) (22e4540ed9)

Open issues

  • OP-01-008 Algorithm Preferences ignored upon Decryption (Medium)
  • OP-01-014 RSA Key Generation: Seeds are not destroyed (Low)
  • OP-01-004 Inconsistent Bit Length of RSA Keys (Low) (proposed solution would drop performance of key generation by 60%)
  • OP-01-012 RNG Bias in RSA Key Generation (Low)
  • OP-01-013 RSA Key Gen.: Miller-Rabin-Test not conform with FIPS 186-4 (Low)
  • OP-01-016 Comments on Javascript Code Quality (Low)
  • OP-01-017 Consider to substitute the SHA module (Low)
  • OP-01-021 Silent error handling in various places (Low)
  • OP-01-022 Possible Optimization in RSA Supplemental Parameters (Low)
  • OP-01-023 Recommendation to avoid logging of Private Keys (Low)
  • OP-01-027 No check of armor type when de-armoring signed messages (Low)
  • OP-01-028 Inconsistent documentation of PublicKey.read (Low)
  • OP-01-029 Insufficient input validation in parsing packets (Low)
  • OP-01-030 Insufficient validation in parsing public keys (Low)
  • OP-01-031 Insufficient Validation in parsing PK-encrypted Session Keys (Low)
  • OP-01-032 Inconsistent documentation of SymEncryptedSessionKey.read (Low)
  • OP-01-033 Insufficient Validation for symmetrically Encrypted Session Keys (Low)
  • OP-01-034 Insufficient Validation in Parsing One Pass Signatures (Low)
  • OP-01-035 Insufficient Input Validation in Parsing Literals (Low)
  • OP-01-036 Special “for your eyes only” Directive Ignored (Low)

The OpenPGP.js team would like to thank Cure53 for the audit and Open Technology Fund for sponsoring this event.