
RustSec Advisories for hpke-rs #2683

Closed
nadimkobeissi wants to merge 13 commits into rustsec:main from nadimkobeissi:cryspen-vulns

Conversation

@nadimkobeissi

This PR proposes three RustSec advisories for some of the cryptographic vulnerabilities discovered during research ("Verification Theatre: False Assurance in Formally Verified Cryptographic Libraries"), namely the ones for the hpke-rs crate, which included the disclosure of a critical nonce reuse vulnerability. The upstream maintainers (Cryspen) have patched these issues but have not filed RustSec advisories, which means cargo audit does not currently flag affected versions.

Cryspen has published GitHub Security Advisories (GHSAs) for some of these issues. However, we believe RustSec advisories are still warranted for the reasons outlined below.

Proposed Advisories

1. hpke-rs: Nonce reuse via sequence number overflow

The library stores HPKE encryption context sequence numbers as u32 (max 2^32 - 1) rather than enforcing the RFC 9180 limit of 2^96 - 1. The overflow guard is ineffective in release builds due to Rust's default wrapping behavior for integer overflow, allowing silent counter wrap-around. This enables nonce reuse in AES-GCM, which permits plaintext recovery and authentication key compromise, a critical vulnerability.

2. hpke-rs: Missing X25519 zero-check validation

RFC 9180, Section 7.1.4 requires that implementations check whether the Diffie-Hellman shared secret is the all-zero value. hpke-rs omits this check in both its RustCrypto and libcrux backends. An attacker supplying low-order points can force a zero shared secret, enabling session key prediction and message decryption.

Why RustSec advisories are needed alongside the existing GHSAs

Cryspen published GHSA-g433-pq76-6cmf for hpke-rs. While we appreciate that an advisory was issued, there are several gaps that leave downstream users without the information they need:

  • Severity classification: The hpke-rs GHSA rates the nonce-reuse vulnerability as "moderate." Nonce reuse in AES-GCM enables full plaintext recovery and authentication key compromise, which is generally considered a critical or high-severity issue in cryptographic contexts.
  • Missing impact analysis: The GHSA does not include a details or impact section explaining what an attacker can achieve by exploiting these vulnerabilities, making it difficult for downstream consumers to assess their risk.
  • No RustSec coverage: The GHSA is not mirrored in RustSec, so cargo audit — the standard tool Rust developers rely on to check for known vulnerabilities — does not surface these issues.

Prior discussion

These advisories were previously proposed in PR #2637, which was closed. We sought an explanation in #2646. Another PR, #2647, was also closed after Cryspen submitted their own RustSec advisories for libcrux-psq, but the advisories for hpke-rs remain missing, hence this PR.

Thank you for your time and for maintaining this important resource for the Rust ecosystem.
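The two checks described in the proposed advisories, as an added Rust example that is not hpke-rs code and does not reproduce its internals: a minimal HPKE-style encryption context whose sequence counter is wide enough for the RFC 9180 limit of 2^96 - 1 and is advanced with a checked increment that refuses to wrap, plus the RFC 9180 Section 7.1.4 all-zero check on a Diffie-Hellman shared secret. The names (`Context`, `HpkeError`, `SEQ_LIMIT`, `check_shared_secret`, `with_seq`) are assumptions chosen for this example, and the base nonce and shared-secret bytes are constructed sample values.

```rust
// Added example, not hpke-rs code: a minimal HPKE-style encryption context
// that shows the two checks the proposed advisories call for. Names and the
// sample byte values are constructed for illustration.

/// Nonce length Nn for AES-GCM (RFC 9180, Section 7.3).
const NN: usize = 12;

/// RFC 9180, Section 5.2: the sequence number must not exceed 2^(8*Nn) - 1,
/// i.e. 2^96 - 1 for a 12-byte nonce. A u32 counter cannot represent this.
pub const SEQ_LIMIT: u128 = (1u128 << (8 * NN)) - 1;

#[derive(Debug, PartialEq, Eq)]
pub enum HpkeError {
    MessageLimitReached,
    ZeroSharedSecret,
}

pub struct Context {
    base_nonce: [u8; NN],
    // Wide enough for the RFC limit; bounds are checked explicitly below
    // rather than relying on overflow detection, which release builds disable.
    seq: u128,
}

impl Context {
    pub fn new(base_nonce: [u8; NN]) -> Self {
        Self::with_seq(base_nonce, 0)
    }

    /// Test hook (assumption of this example): start from an arbitrary counter.
    pub fn with_seq(base_nonce: [u8; NN], seq: u128) -> Self {
        Context { base_nonce, seq }
    }

    /// RFC 9180, Section 5.2: nonce = base_nonce XOR I2OSP(seq, Nn).
    pub fn compute_nonce(&self) -> [u8; NN] {
        let seq_bytes = self.seq.to_be_bytes(); // 16 bytes, big-endian
        let mut nonce = self.base_nonce;
        for i in 0..NN {
            nonce[i] ^= seq_bytes[16 - NN + i]; // low 12 bytes of seq
        }
        nonce
    }

    /// IncrementSeq() from RFC 9180: refuse to advance at the limit instead of
    /// wrapping. `checked_add` never wraps, whatever the build profile.
    pub fn increment_seq(&mut self) -> Result<(), HpkeError> {
        if self.seq >= SEQ_LIMIT {
            return Err(HpkeError::MessageLimitReached);
        }
        self.seq = self
            .seq
            .checked_add(1)
            .ok_or(HpkeError::MessageLimitReached)?;
        Ok(())
    }

    /// Nonce for the next message, advancing the counter; an error here means
    /// the caller must not encrypt again under this context.
    pub fn next_nonce(&mut self) -> Result<[u8; NN], HpkeError> {
        let nonce = self.compute_nonce();
        self.increment_seq()?;
        Ok(nonce)
    }
}

/// RFC 9180, Section 7.1.4: reject an all-zero DH output. The OR-fold touches
/// every byte regardless of content, so the check does not leak a position.
pub fn check_shared_secret(dh: &[u8; 32]) -> Result<(), HpkeError> {
    let acc = dh.iter().fold(0u8, |a, &b| a | b);
    if acc == 0 {
        Err(HpkeError::ZeroSharedSecret)
    } else {
        Ok(())
    }
}

/// What a u32 counter that wraps does: after 2^32 messages the derived nonce
/// is the first nonce again. `wrapping_add` is the behaviour `seq + 1` has
/// on u32::MAX when overflow checks are off (the default release profile).
pub fn wrapped_u32_reuses_nonce(base_nonce: [u8; NN]) -> bool {
    let xor_u32 = |seq: u32| {
        let mut nonce = base_nonce;
        let b = seq.to_be_bytes();
        for i in 0..4 {
            nonce[NN - 4 + i] ^= b[i];
        }
        nonce
    };
    xor_u32(0) == xor_u32(u32::MAX.wrapping_add(1))
}

fn main() {
    let mut ctx = Context::new([0x11; NN]);
    println!("first nonce: {:02x?}", ctx.next_nonce().unwrap());
    println!("u32 counter wraps to first nonce: {}", wrapped_u32_reuses_nonce([0x11; NN]));
    println!("zero secret rejected: {:?}", check_shared_secret(&[0u8; 32]));
}
```

The point of `increment_seq` is that the bound is an explicit comparison against `SEQ_LIMIT`, not a debug assertion on arithmetic overflow, so its behaviour is identical in debug and release builds; `check_shared_secret` sits between the DH step and the key schedule, so a low-order peer public key produces an error rather than a predictable session key.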

Contributor

@teor2345 teor2345 left a comment


Some suggestions / questions to clarify these advisories

@@ -0,0 +1,25 @@
This PR proposes three RustSec advisories

I can only see two advisories in the PR diff, but the PR description says three, is this a copy-paste oversight?

Nadim Kobeissi and others added 2 commits March 19, 2026 14:34
Co-authored-by: teor <teor@riseup.net>
Co-authored-by: teor <teor@riseup.net>
@djc
Member

djc commented Mar 19, 2026

Closing this since the OP has been blocked.

@djc djc closed this Mar 19, 2026
@daira

daira commented Mar 23, 2026

Closing this since the OP has been blocked.

This is an incredible abdication of responsibility to users of software that depends on these libraries. 😕

No attempt to argue that any of what @nadimkobeissi has said is inaccurate. Just "we don't like him", basically. The Rust community sees what is happening here.

@djc
Member

djc commented Mar 24, 2026

This is an incredible abdication of responsibility to users of software that depends on these libraries. 😕

I have asked the maintainers multiple times to submit advisories explaining the issues here. I don't think I am the one who has been abdicating responsibility.

The maintainers have finally submitted a PR with advisories for these issues:
