Deps.rs

openmls_libcrux_crypto 0.3.1

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate openmls_libcrux_crypto

Dependencies

(14 total, 4 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 hpke-rs^0.6.00.6.1up to date
 hpke-rs-crypto^0.6.00.6.1up to date
 hpke-rs-libcrux^0.6.00.6.1up to date
 libcrux-aead^0.0.60.0.7out of date
 libcrux-ed25519 ⚠️^0.0.60.0.7out of date
 libcrux-hkdf^0.0.60.0.6up to date
 libcrux-hmac^0.0.60.0.6up to date
 libcrux-sha2^0.0.60.0.6up to date
 libcrux-traits^0.0.60.0.6up to date
 openmls_memory_storage^0.5.00.5.0up to date
 openmls_traits^0.5.00.5.0up to date
 rand^0.90.10.0out of date
 rand_chacha^0.90.10.0out of date
 tls_codec^0.4.20.4.2up to date

Security Vulnerabilities

libcrux-ed25519: All-Zero Key Generation on Catastrophic RNG Failure

RUSTSEC-2026-0075

The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.

Impact

This bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.

Mitigation

Instead of silently continuing with an all-zero signing key, starting from version 0.0.7 key generation will error in the case of 100 failed attempts at sampling a valid key.