Closed anvega closed 18 hours ago
I am very keen to be part of this review. Being a newbie to this process, I am going through the various guides available at https://github.com/cncf/tag-security/tree/main/community/assessments/guide at a furious pace, though I have done various similar security assessments for my work projects and am hoping I'll move fast. I have no hard or soft conflict of interest whatsoever in this regard.
As a reviewer, I have no hard or soft conflicts of interest.
I’m very much interested in contributing as a Cloud Sec; I’m going through the doc at https://github.com/cncf/tag-security/tree/main/community/assessments/guide
Okay @SophiaUgo, please send your conflict statement when ready.
I'd love to be an observer for this assessment if you all are open to having one! I have no soft or hard conflicts :)
Dropping @SophiaUgo until she approves her conflict statement.
@anvega , you're ready to go!
How do I drop my conflict statement, @JustinCappos?
On Sat, Aug 3, 2024 at 7:53 PM Justin Cappos wrote:
Dropping @SophiaUgo until she approves her conflict statement.
@babysor @anvega, you're ready to go!
Sorry for the broken link. Please read this: https://github.com/cncf/tag-security/blob/main/community/assessments/guide/security-reviewer.md#conflict-of-interest and post on this issue.
Conflict of Interest Statement
Hard Conflicts (Y/N): No
Soft Conflicts (Y/N): No
I have reviewed the conflict of interest guidelines and declare that I have no hard conflicts of interest that would prevent me from participating in this security assessment, and no soft conflicts either. However, I am interested in contributing to the project and I am committed to providing a balanced and fair assessment.
I would also like to express my interest in shadowing experienced reviewers to learn more about the security assessment process.
@anvega @JustinCappos I just finished reading https://github.com/cncf/tag-security/blob/main/community/assessments/Open_and_Secure.pdf. I had started reading it to work on the tag-security-baseline survey/assessment, which I just completed, and I am sure it will come in handy, or rather be even more useful, for this assessment. I think you'll see some progress on this one now. I am writing, though, to let you know that I enjoyed reading your analysis/comments in the above doc. My entire experience of threat modeling etc. comes from on-the-job experience, and I have certainly read a few things on an on-demand basis and understand the terminology and the issues involved; however, the above doc is so lucid and easy-flowing, the bank example you have given is simple and easily understood, the style you have used is conversational, and I loved it all :). Thank you!
I've completed the initial phase of asking my naive questions, which Michael has been graciously helping me with. The Markdown has been successfully converted to Google Docs, and you can find the document here: https://docs.google.com/document/d/1ypFQW_qf5Po06ZDqoMbmJpH1k3L-nPtWZ5CBmLFkOmg/edit#heading=h.gjdgxs
@dehatideep has also mentioned that he’s started reviewing the material independently. It might be a good idea to wrap up this initial round of "naive" questions and aim to convene with @baentsch and everyone else next week. Considering our locations—Michael in Switzerland, Deep, @hubbertsmith, and myself on the US West Coast, and @SophiaUgo in Nigeria—I suggest we meet at 10:00 AM PT (US West Coast) / 7:00 PM CET (Switzerland) / 6:00 PM WAT (Nigeria). If that doesn’t work, we could also consider 8:00 AM PT / 5:00 PM CET / 4:00 PM WAT as an alternative time.
Confirmed -- self-assessment received. Meetings, yes please; discussion is how we improve generally. I am OK with those times. I can do earlier to make it more convenient for others. Do we know a day and cadence yet? Cheers
@baentsch I have added my Qs in the google doc assessment. Please see and clarify. Sorry for the delay. @anvega I am fine with the proposed time above.
@anvega Will you send an invite for the slot above? Which day? Hope I will still be awake enough to give reasonable answers (am an "early bird"). Any questions ahead (via the Google doc) thus would be welcome. I answered all by @anvega and @dehatideep so far.
@baentsch @dehatideep How about 9 AM PST / 4 PM CET this coming Friday or next Tuesday?
I'm OK with Friday (anytime other than 9am MDT). I'm OK with next Tuesday (anytime other than 8am MDT). Cheers, H
@baentsch @anvega Funny that Fri 9 am PDT is the only day when I am not available. Please choose any day except this Fri. Thank you.
Hmm, 9 AM PST would be 6 PM CET, no? Assuming the PST time is right, Fri 1800 would be good for me, Tue 1800 would not be (OQS team call at 1830).
@baentsch @anvega Unfortunately I have a work-related event on Fri, morning (PT) to afternoon, so I cannot manage at all. Tue I can manage in the morning except 7:50 am PT - 8:30 am PT. 8:30 am PT would be 17:30 CET. 9 am PT works for me often, including Fri, but not this Fri.
This then seems to suggest 1h max @ next Tue, 8:30am PST/1730 CET/1530 UTC.
OK, @anvega @dehatideep @hubbertsmith @SophiaUgo ?
That works for me @baentsch
Yes, next Tue, 8:30 AM PT works for me. @baentsch
@anvega For the avoidance of doubt: I don't have a Zoom link available, so could you please send/post an invite as per the above with suitable login data? Thanks in advance!
@anvega Are you out there? OK with you making available meeting details for the slot above tomorrow?
works for me
I'm returning from a trip that ended up being extended beyond the original plan.
Instead of meeting tomorrow, let's reschedule for Thursday.
I'll send a Zoom link that requires only password authentication, without the need for an account. If you prefer Google Meet, we can easily switch to that. I'll schedule it for an hour but plan for 45 min.
Topic: OQS Security Assessment
Time: Aug 29, 2024 08:30 AM Pacific Time (US and Canada)
Join Zoom Meeting: https://us04web.zoom.us/j/71432666369?pwd=klhOaaVA6bNF2JuKy9Jv4SA8y2qMJN.1
Meeting ID: 714 3266 6369
Passcode: FZPrx1
Sorry, that doesn't work for me: I'm on the road Thu-Sat. Afterwards OK again, but then with rather mercurial Internet connectivity in our holiday home: I have a hunch there's still a microwave radio link involved connecting the island: Video often drops out, but speech is OK except in strong gales. Yes, I know, sad for the 21st century but it is how it is. Pick any day at 1530 UTC from Sep 1 onwards.
I am on Zoom, waiting in the lobby :o(
My bad, it's Thursday... see you then
@hubbertsmith FWIW, I also won't be there on Thu, either (see comment above). Besides, it originally had been scheduled for 1530 UTC, i.e., only in 30mins.
Tagging @anvega to reschedule as per the above, if you'd like me to participate.
Could we aim for 1530 UTC next Tuesday? Let me know if that works for you, or if there's a better day next week.
@anvega @baentsch 1530 UTC (08:30 AM Pacific Time) on Tue, Sep 3 works for me. Thank you.
works for me too
@anvega I do not see any Zoom meeting info for today's (Sep 03) meeting. Can you please share whether this meeting is still on?
I am waiting in the Zoom link for Aug 29 (assuming that is still valid -- "waiting for the host to open"....)
@baentsch Zoom doesn't allow me to use Aug 29 meeting link. I tried using just the meeting id but it gets stuck saying meeting was on Aug 29.
@dehatideep Nope -- the link works OK (I'm using the browser access, not the app) -- it does state "Aug 29", but it opened OK -- just waiting for the host... @anvega : Any other link to use??
Maybe a calendar invite would have been better (sync'd with the alarm clocks for folks on the Pacific rim :-)
Yes :), I am on the West Coast too!
@anvega I'll stay on until 1545 UTC and then call it a day (for me it's about dinner time :). Please reschedule (maybe indeed with calendar reminder) for the same time another day that suits everyone. I'm available all (next) days except Friday.
@baentsch I am not able to join Aug 29 meeting at all, it bails out every time saying Aug 29 meeting. I am hanging here till you are around, just in case Andres joins. If he does, probably we'll need a new meeting.
OK -- I'm indeed leaving now ... Thanks @dehatideep for "having been (t)here" -- hope to meet you another day! CU
Apologies—I had a minor accident over the holiday here in the US that required a checkup, but I'm finally back online after being discharged. I have emails for Michael and Deep, and I'll move the coordination to email to ensure everyone gets the calendar invite.
Thanks and take care!
Take your time: First get well, @anvega !
@baentsch I have SonarQube static analysis results with me. There are a few issues and I assume they could all very well be captured under https://github.com/open-quantum-safe/oqs-provider/issues/514, though issue #514 is a Coverity scan. The majority of issues are for test code; do you care about it or only the oqsprov and oqs-template code? My scan result URL is not public, so I can put it in a Word file pointing to the issue, code snippet, and probable fix. Do you want me to create one and attach it to issue #514? Below are the findings, but some careful looking suggests real issues are less than 10%.
Also, a couple of command injection and an XSS issue seem real, but I am not sure if these can be invoked directly in a real environment.
So, please let me know. Thanks.
Thanks for sharing the report @dehatideep .
Majority of issues are for test code, do you care about it or only oqsprov and oqs-template code?
Fascinating observation: Indeed, I took less care when doing the test code as opposed to the actually running oqsprov code, but I wouldn't have imagined it becomes so clearly visible :-/ To answer the question: oqsprov takes precedence, but the rest should also be clean as wrong testing might also hide "real code" problems.
assume it could all very well be captured under https://github.com/open-quantum-safe/oqs-provider/issues/514
I wouldn't do that: These are different tools, so different issues should be used to report/fix them (unless you'd say that https://github.com/open-quantum-safe/oqs-provider/issues/514 pretty much covers everything that your tool detects (?)).
Finally, while I'm happy that several people look at the problem with different tools, this is not creating a long-term, continuous guard for oqsprovider: The code will continue to evolve and it cannot be a solution that you regularly manually run a tool to fix problems someone else introduced in a PR: CI should flag such problems and the original author should also fix them.
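The triage and gating policy sketched in this exchange (provider code first, test code not exempt, and CI judging each PR on what it introduces rather than on a one-off manual scan) can be made concrete. The script below is an added example, not code from oqs-provider or from anyone in this thread: it assumes a hypothetical per-finding export (dicts with rule, severity, path, line, message), an invented severity policy, and constructed sample findings whose file and rule names do not describe the real repository.

```python
"""Triage static-analysis findings and decide whether a CI job should fail.

Added example, not code from oqs-provider or the thread. It assumes a
hypothetical analyzer export in which every finding is a dict with the keys
rule, severity, path, line and message; real tools (SonarQube, Coverity)
export richer formats, but the triage logic is the same.
"""
from collections import Counter

# Severity ordering used for threshold comparisons.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Path prefixes that count as shipped provider code versus test code. The
# directory names follow those mentioned in the thread; the mapping itself
# is an assumption of this example.
PROVIDER_PREFIXES = ("oqsprov/", "oqs-template/")
TEST_PREFIXES = ("test/",)

# Constructed sample findings: file names, rule names and messages are
# invented to exercise the logic and do not describe the real repository.
SAMPLE_FINDINGS = [
    {"rule": "null-deref", "severity": "high", "path": "oqsprov/oqs_kem.c",
     "line": 120, "message": "return value used without NULL check"},
    {"rule": "unused-param", "severity": "low", "path": "oqsprov/oqsprov.c",
     "line": 55, "message": "parameter 'ctx' is never read"},
    {"rule": "empty-stmt", "severity": "medium", "path": "test/oqs_test_kems.c",
     "line": 44, "message": "stray semicolon"},
    {"rule": "shell-from-var", "severity": "high", "path": "test/test_tls.c",
     "line": 210, "message": "shell command built from a variable"},
    {"rule": "nested-if", "severity": "medium", "path": "test/oqs_test_sigs.c",
     "line": 80, "message": "merge nested if statements"},
    {"rule": "quote-var", "severity": "info", "path": "scripts/ci.sh",
     "line": 12, "message": "unquoted variable expansion"},
]

# Findings already triaged on the main branch: a PR is judged only on what it
# adds. Keyed by (rule, path, line) here; production tools use a content hash
# so that the key survives line shifts.
BASELINE = {("empty-stmt", "test/oqs_test_kems.c", 44)}


def finding_key(finding):
    return (finding["rule"], finding["path"], finding["line"])


def component_of(path):
    """Classify a file path as provider, test or other code."""
    if path.startswith(PROVIDER_PREFIXES):
        return "provider"
    if path.startswith(TEST_PREFIXES):
        return "test"
    return "other"


def triage(findings, baseline):
    """Drop baseline findings and group the remaining (new) ones by component."""
    groups = {"provider": [], "test": [], "other": []}
    for finding in findings:
        if finding_key(finding) in baseline:
            continue
        groups[component_of(finding["path"])].append(finding)
    return groups


def blocking_findings(groups, provider_min="medium", other_min="high"):
    """Apply the gate policy: provider code is held to a stricter threshold
    than test and support code, but neither is exempt."""
    def at_least(finding, floor):
        return SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[floor]

    blocking = [f for f in groups["provider"] if at_least(f, provider_min)]
    for name in ("test", "other"):
        blocking += [f for f in groups[name] if at_least(f, other_min)]
    return blocking


def summarize(groups):
    """Count new findings per (component, severity) for the job log."""
    return Counter((name, f["severity"]) for name, fs in groups.items() for f in fs)


def ci_exit_code(findings, baseline):
    """0 when the PR introduces nothing that violates the policy, else 1."""
    groups = triage(findings, baseline)
    blocking = blocking_findings(groups)
    for f in blocking:
        print(f"BLOCKING [{component_of(f['path'])}/{f['severity']}] "
              f"{f['path']}:{f['line']} {f['rule']}: {f['message']}")
    for (name, sev), n in sorted(summarize(groups).items()):
        print(f"{name:8s} {sev:8s} {n}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(ci_exit_code(SAMPLE_FINDINGS, BASELINE))
```

Run as a CI step, the process exit status is what fails the job: with the sample data the high-severity provider finding and the high-severity test finding block, the low and medium ones are only reported, and the baseline entry is ignored entirely. The baseline is what turns a periodic manual scan into a per-PR guard: it is refreshed from the main-branch scan, so the author of the change that introduced a finding is the one who sees it fail.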
@baentsch Thank you for your response and clarifications. I'll create an issue and attach the findings which are indeed issues.
Project Name: oqsprovider (Open Quantum Safe provider for OpenSSL 3.x)
GitHub URL: https://github.com/open-quantum-safe/oqs-provider
Issue tracker: https://github.com/open-quantum-safe/oqs-provider/issues/451
The oqsprovider project offers standards-track post-quantum key exchange, authentication, and ciphersuites in the TLS protocol without requiring code changes to any installation running OpenSSLv3.
The project is now part of the Linux Foundation PQCA. This will be the first time an assessment is done for a project not seeking to progress stages in the CNCF, but solely for sensibly "scrutinizing" it.
As @baentsch expressed:
"Most things are pretty obvious but I'm feeling an ethical obligation to first witness more committed contributors before implementing/declaring as "good" things this self-assessment suggests. Otherwise, I'd be afraid this would create a false sense of reliability to users ("badges", "alliance endorsement", etc marketing fluff) -- all the while the code is [maintained thanklessly by the proverbial random guy in Nebraska](https://www.theregister.com/2021/05/10/untangling_open_sources_sustainability_problem/) (err, Switzerland :)."
The project lead has completed a self-assessment, and I volunteer to be the lead reviewer. I declare a soft conflict of interest, having made a cosmetic contribution by fixing the CI build badges of another Open Quantum Safe project and starting to use it in my work.
Maybe I can interest @mnm678, @JustinCappos, and @hlandau to participate as reviewers.