Add advisory for hpke-rs-rust-crypto

jschneider-bensch · djc · commit 9b12362f9244 · 2026-03-24T09:13:52.000+01:00
diff --git a/crates/hpke-rs-rust-crypto/RUSTSEC-0000-0000.md b/crates/hpke-rs-rust-crypto/RUSTSEC-0000-0000.md
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hpke-rs-rust-crypto"
+date = "2026-02-04"
+aliases = ["GHSA-g433-pq76-6cmf"]
+url = "https://github.com/cryspen/hpke-rs/pull/124"
+
+[affected.functions]
+"hpke_rs_rust_crypto::HpkeRustCrypto::dh" = [ "<= 0.5.0" ]
+
+[versions]
+patched = [">= 0.6.0"]
+```
+
+# Missing Check for All-Zero X25519 Shared Secret
+
+Computing an X25519 shared secret with
+`x25519_dalek::StaticSecret::diffie_hellman` does not include the
+check that the key exchange was contributory, i.e. does not ensure on
+its own that the resulting shared secret is non-zero.
+
+## Impact
+RFC 9180 mandates that implementations of HPKE must check for all zero
+Diffie-Hellman shared secrets and abort if so.
+
+Applications using hpke-rs with the RustCryto provider would not
+perform this check allowing for non-contributive Diffie-Hellman shared
+secrets. Applications using hpke-rs with the libcrux provider are not
+affected.
+
+## Mitigation
+Starting with version `0.6.0`, an error will be returned when
+the computed Diffie-Hellman shared secret is all-zero.
