Summary
Boringtun v0.6.0 has hardcoded dependencies on outdated versions of cryptographic libraries that have known security vulnerabilities:
- ring: Currently locked to 0.16.20, needs upgrade to 0.17.13+
- curve25519-dalek: Currently locked to 4.0.0-rc.3, needs upgrade to 4.1.3+
Security Vulnerabilities
ring 0.16.20
- CVE/Advisory: Multiple medium-severity issues
- Issue: Some AES functions may panic when overflow checking is enabled
- Impact: Potential DoS in debug/hardened builds
- Fixed in: 0.17.12 / 0.17.13
curve25519-dalek 4.0.0-rc.3
- Advisory: GHSA-4w9g-9ghq-5g7x
- Issue: Timing variability in Scalar29::sub/Scalar52::sub operations
- Impact: Potential timing side-channel attacks
- Fixed in: 4.1.3
Proposed Solution
Update Cargo.toml dependencies:
[dependencies]
# Current
x25519-dalek = "=2.0.0-rc.3"
blake2 = "0.10"
chacha20poly1305 = "0.10"
# Proposed
x25519-dalek = "2.0" # Will pull in secure ring + curve25519-dalek
blake2 = "0.10"
chacha20poly1305 = "0.10"

The x25519-dalek 2.0.x stable releases (e.g., 2.0.1) use updated dependencies that resolve these vulnerabilities.
Additional Context
- These vulnerabilities are reported by GitHub Dependabot for projects using boringtun
- While the vulnerabilities are medium severity, they affect all downstream consumers
- The API changes from x25519-dalek 2.0.0-rc.3 to 2.0.x stable should be minimal
References
- ring security advisories: https://rustsec.org/advisories?q=ring
- curve25519-dalek GHSA-4w9g-9ghq-5g7x: https://github.com/dalek-cryptography/curve25519-dalek/security/advisories/GHSA-4w9g-9ghq-5g7x
Would maintainers be open to a PR updating these dependencies?
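A downstream check for the version floors named in this issue, as an added example that is not part of the original issue or of boringtun's code: it scans Cargo.lock text and reports any locked `ring` or `curve25519-dalek` below the "Fixed in" versions quoted above. The function names and the embedded lockfile excerpt are constructed for illustration.

```rust
// Added example. Version floors are the "Fixed in" values from the issue text.
const FLOORS: [(&str, &str); 2] = [("ring", "0.17.13"), ("curve25519-dalek", "4.1.3")];

// Constructed sample input in Cargo.lock layout (not a real lockfile).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "curve25519-dalek"
version = "4.0.0-rc.3"
[[package]]
name = "ring"
version = "0.17.14"
"#;

// Split "MAJOR.MINOR.PATCH[-pre][+build]" into its numeric core and a pre-release flag.
fn parse(v: &str) -> Option<([u64; 3], bool)> {
    let v = v.split('+').next()?;
    let (core, pre) = v.split_once('-').map_or((v, false), |(c, _)| (c, true));
    let mut it = core.split('.').map(|p| p.parse::<u64>());
    Some(([it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?], pre))
}

// True when `have` sorts below `floor`; a pre-release of the floor, or junk, counts as below.
fn below(have: &str, floor: &str) -> bool {
    match (parse(have), parse(floor)) {
        (Some((h, pre)), Some((f, _))) => h < f || (h == f && pre),
        _ => true,
    }
}

// Return (name, version) for every locked package that is under its floor.
fn outdated(lock: &str) -> Vec<(String, String)> {
    let (mut hits, mut name) = (Vec::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            name = n.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if FLOORS.iter().any(|(p, f)| name == *p && below(v, f)) {
                hits.push((name.clone(), v.to_string()));
            }
        }
    }
    hits
}

fn main() {
    println!("{:?}", outdated(SAMPLE_LOCK));
}
```

Running it against the lockfile after a dependency bump shows which versions actually resolved, independent of what the manifest requests.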