From 54c75c6dae2cc8f96b63314984f35c546785a16c Mon Sep 17 00:00:00 2001 From: Denis Varlakov Date: Fri, 2 Aug 2024 15:34:04 +0200 Subject: [PATCH 1/2] Add contribution & vuln reporting guidelines Signed-off-by: Denis Varlakov --- CONTRIBUTING.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++ SECURITY.md | 20 ++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..9484b46 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,64 @@ +# Contributing Guide + +Thanks for taking interest to contributing to our project! + +## Pull Requests +Prior to making a PR, we ask you to communicate it with us, preferably by opening an issue. +This would help to keep your work aligned with the maintainers view and get insights from +them. + +All commits are required to be signed via verified GPG key. You can read about commit signing +in [this series of articles](https://docs.github.com/en/authentication/managing-commit-signature-verification) +(we recommend using a hardware GPG token). + +All commits are required to be signed off by including `Signed-off-by: YOUR NAME ` line. +By doing this, you certify that the commit is compliant with [Developer Certificate of Origin (DCO)](https://developercertificate.org/), +meaning that you wrote the code or otherwise have the right to submit the code you are +contributing to the project. + +```text +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +Commits can be automatically signed off automatically by using `-s` flag (i.e. `git commit -s`). + +## Issues +Feel free to open an issue if you found a bug, have a suggestion, or wish to +communicate with us for other reasons. + +However, if you want to report something that you believe might be a security +vulnerability or a security flaw in this or any upstream project, please report +it following the procedure described in [SECURITY.md](./SECURITY.md). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..dfa8cd5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ +# Security Policy + +## Supported Versions + +Only the latest version of the library is supported. + +## Reporting a Vulnerability + +We ask to report any security vulnerabilities or flaws through: + +1. Github, in the "Security" tab, using the "Report a vulnerability" button. +2. Email, security@dfns.co + +After receiving the report, it will take us up to 2 working days to respond. +We will evaluate the reported vulnerability, determine whether it needs to +be addressed, and (if so) and provide an estimated timeline for addressing it. + +After vulnerability was fixed and the new version of the library was +properly tested, we publish the fix, and publicly disclose the vulnerability +(credits for finding the issue go to the reporter). From 2fba43c0a13ee43fde211f771d966c8b05b4174f Mon Sep 17 00:00:00 2001 From: Denis Varlakov Date: Fri, 2 Aug 2024 15:47:59 +0200 Subject: [PATCH 2/2] clippy fix Signed-off-by: Denis Varlakov --- src/common/sqrt.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/common/sqrt.rs b/src/common/sqrt.rs index aa4c120..6b71a41 100644 --- a/src/common/sqrt.rs +++ b/src/common/sqrt.rs @@ -6,6 +6,7 @@ use rug::{Complete, Integer}; /// Pre-requisites: /// - x is a quadratic residue in Zn /// - `n = pq`, p and q are Blum primes +/// /// If these don't hold, the result is a bogus number in Zn pub fn blum_sqrt(x: &Integer, p: &Integer, q: &Integer, n: &Integer) -> Integer { // Exponent in pq Blum modulus to obtain the principal square root. @@ -27,7 +28,8 @@ pub fn blum_sqrt(x: &Integer, p: &Integer, q: &Integer, n: &Integer) -> Integer /// Pre-requisites: /// - `n = pq`, p and q are Blum primes /// - `jacobi(w, n) = -1`, that is w is quadratic non-residue in Zn with jacobi -/// symbol of -1 +/// symbol of -1 +/// /// If these don't hold, the y' might not exist. In this case, returns `None` pub fn find_residue( y: &Integer,