cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

Security Assessment for oqsprovider (Open Quantum Safe provider for OpenSSL 3.x) #1333

Closed. anvega closed this 1 day ago.

anvega commented 3 months ago

Project Name: oqsprovider (Open Quantum Safe provider for OpenSSL 3.x)

GitHub URL: https://github.com/open-quantum-safe/oqs-provider

Issue tracker: https://github.com/open-quantum-safe/oqs-provider/issues/451

The oqsprovider project offers standards-track post-quantum key exchange, authentication, and ciphersuites in the TLS protocol without requiring code changes to any installation running OpenSSLv3.

The project is now part of the Linux Foundation PQCA. This will be the first time an assessment is done for a project not seeking to progress stages in the CNCF, but solely for sensibly "scrutinizing" it.

As @baentsch expressed:

"Most things are pretty obvious but I'm feeling an ethical obligation to first witness more committed contributors before implementing/declaring as "good" things this self-assessment suggests. Otherwise, I'd be afraid this would create a false sense of reliability to users ("badges", "alliance endorsement", etc marketing fluff) -- all the while the code is [maintained thanklessly by the proverbial random guy in Nebraska](https://www.theregister.com/2021/05/10/untangling_open_sources_sustainability_problem/) (err, Switzerland :)."

The project lead has completed a self-assessment, and I volunteer to be the lead reviewer. I declare a soft conflict of interest, having made a cosmetic contribution by fixing the CI build badges of another Open Quantum Safe project and starting to use it in my work.

Maybe I can interest @mnm678, @JustinCappos, and @hlandau to participate as reviewers.

dehatideep commented 1 month ago

@baentsch @anvega SonarQube Static Analysis captured at: https://github.com/open-quantum-safe/oqs-provider/issues/526 Thank you.

dehatideep commented 1 day ago

This assessment is complete, and the following findings were shared with the oqsprovider team:

  1. The static analysis report tied to the code, the XSS issues, and the test case issues were shared with the oqsprovider team.
  2. Cases where OpenSSL issues may also percolate to oqsprovider were discussed with the oqsprovider team, but this is no different from any provider attachment.
  3. Given that oqsprovider supports hybrid mode, it must be ensured that libcrypto and libpq are safeguarded against malicious updates.

Given that this feedback was enough to convey the general feedback, this issue is closed from the assessment perspective.