Open Kansuler opened 1 week ago
Many thanks @Kansuler for the report.
We have previously investigated RUSTSEC-2022-0093 and confirmed that the usage of ed25519-dalek@1.0.1 in code was not a problem for this issue. More specifically, we wrap the private keys in Ed25519PrivateKey, which ensures that the secret and public properties of KeyPair are aligned, so the oracle attack is not possible.
We will need to investigate RUSTSEC-2024-0344, but it looks likely the code is affected, and we will look into fixing this.
Whilst we generally advise that integrators use their own signing libraries, we appreciate that some may choose to use those built into the engine test framework, so we will look at whether we can update to offset the risk of timing attacks.
There seem to be two security issues that are patched in future versions of ed25519-dalek and its sub-dependency curve25519-dalek. The list of issues due to ed25519-dalek@1.0.1 are:

The issues are resolved in the latest version of ed25519-dalek@2.1.1.