Files
libsmx/SECURITY.md
T
huangxt a58fe8275e 发布 v0.2.0:新增 BLS 签名与 FPE 格式保留加密
新增功能:
- BLS 签名:基于 BN256 配对的最小签名尺寸变体
- BLS 门限签名:Shamir 秘密分享 + Lagrange 插值聚合
- Hash-to-Curve:RFC 9380 兼容,SM3 消息扩展
- FPE 格式保留加密:基于 SM4 的 Feistel 密码
- SM9 Fp 平方根:Tonelli-Shanks 算法

文档更新:
- README 添加 BLS/FPE 算法描述
- CHANGELOG 添加 v0.2.0 变更记录
- SECURITY 更新版本支持表
2026-03-08 20:02:06 +08:00

56 lines
2.1 KiB
Markdown

# Security Policy
## Supported Versions
| Version | Supported |
|---------|-----------|
| 0.2.x | Yes |
| 0.1.x | Yes |
| < 0.1 | No |
## Reporting a Vulnerability
If you discover a security vulnerability in libsmx, please report it responsibly:
**Email**: [kintai@foxmail.com](mailto:kintai@foxmail.com)
**Please include**:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Any potential impact assessment
**Response timeline**:
This project is maintained by an individual. No fixed response time is guaranteed. The author will handle all security reports as soon as possible, but cannot commit to specific timelines.
## Scope
The following areas are considered in-scope for security reports:
- **Timing side-channels**: Any operation whose execution time depends on secret data (private keys, plaintext, nonces)
- **Memory safety**: Buffer overflows, use-after-free, or uninitialized memory reads (note: this crate uses `#![forbid(unsafe_code)]`)
- **Key material leakage**: Private keys or intermediate secret values not properly zeroized
- **Cryptographic correctness**: Deviations from GB/T standards that weaken security guarantees
- **Authentication bypass**: Incorrect MAC/tag verification in GCM/CCM modes
## Out of Scope
- Performance issues that don't affect security
- Dependencies' vulnerabilities (report upstream)
- Attacks requiring physical access to the device
## Security Design
libsmx employs the following defenses:
- **Constant-time operations**: All secret-dependent code uses `subtle::ConstantTimeEq`, `ConditionallySelectable`, and fixed-iteration loops
- **No table lookups for S-boxes**: SM4 uses boolean circuit bitslice implementation to prevent cache-timing attacks
- **Automatic key zeroization**: All private key types derive `ZeroizeOnDrop`
- **No unsafe code**: `#![forbid(unsafe_code)]` is enforced at the crate level
- **Complete EC formulas**: SM2 point addition uses branch-free complete addition formulas (Renes-Costello-Batina 2016)
## Disclosure Policy
We follow coordinated disclosure. Please do **not** open public GitHub issues for security vulnerabilities.