17 KiB
Zebra dependencies
This is a list of production Rust code that is in scope and out of scope for Zebra's first audit.
Test code, deployment configurations, and other configuration files in the zebra repository are out of scope. Due to the way we've created the audit-v1.0.0-rc.0 tag, tests might not compile, run, or pass.
Full Audit
Zebra Crates
| Name | Version | Notes |
|---|---|---|
| tower-batch | audit-v1.0.0-rc.0 | |
| tower-fallback | audit-v1.0.0-rc.0 | |
| zebra-chain | audit-v1.0.0-rc.0 | |
| zebra-consensus | audit-v1.0.0-rc.0 | |
| zebra-network | audit-v1.0.0-rc.0 | |
| zebra-node-services | audit-v1.0.0-rc.0 | |
| zebra-rpc | audit-v1.0.0-rc.0 | |
| zebra-script | audit-v1.0.0-rc.0 | |
| zebra-state | audit-v1.0.0-rc.0 | |
| zebrad | audit-v1.0.0-rc.0 |
Zcash/ZF dependencies
| Name | Version | Notes |
|---|---|---|
| ed25519-zebra | 3.1.0 |
Partial Audit
Zebra Crates
| Name | Version | Notes |
|---|---|---|
| zebra-utils | audit-v1.0.0-rc.0 | Only the zebra-checkpoints utility needs to be audited. |
Zcash/ZF dependencies
| Name | Version | Audited | Notes |
|---|---|---|---|
| zcash_proofs | 0.8.0 | qedit | Most of zcash_proofs got audited as part of the ECC audit, so we only need to audit the proof parameter download code in: - downloadreader.rs, - hashreader.rs, and - lib.rs. |
| zcash_script | 0.1.8 | The C++ parts of zcashd got audited as part of the ECC audit, so we only need to audit: - zcash_script.cpp, - zcash_script.h, and - the rust code in the zcash_script crate. |
|
| redjubjub | 0.5.0 | jp (FROST only) | Optional All files should be audited EXCEPT: - the signing code - the FROST code, and - the FROST messages module and directory |
| reddsa | 0.4.0 | jp (FROST only) | Optional This code was moved from zebra/zebra-chain/src/primitives/redpallas into a separate crate after the Zebra v1.0.0-rc.0 release. A previous version of this code was audited as the redjubjub crate.All files should be audited EXCEPT: - the signing code, and - the Sapling code |
Note: there are duplicate zcash_primitives, zcash_proofs, and reddsa dependencies in Zebra's audit and development branches, this will get fixed after the zcashd 5.4.0 release.
Not Included
The changes in these PRs are out of scope for the audit. When the Zebra team checks for bugs that have already been fixed, we can check these PRs, and any changes after commit c4032e2b.
The following consensus, security, and functional changes are in Zebra's development branch, but they are not included in the audit-v1.0.0-rc.0 tag, because they caused too many merge conflicts:
- fix(sync): Pause new downloads when Zebra reaches the lookahead limit #5561
- fix(rpc): Shut down the RPC server properly when Zebra shuts down #5591
- refactor(state): Make implementation of block consensus rules clearer #5915
Out of Scope
The following list of dependencies is out of scope for the audit.
Please ignore the dependency versions in these tables, some of them are are outdated. All versions of these dependencies are out of scope.
The latest versions of Zebra's dependencies are in Cargo.lock, including transitive dependencies. They can be viewed using cargo tree.
Click the triangle for details:
Zcash/ZF dependencies
| Name | Version | Audited | Notes |
|---|---|---|---|
| equihash | 0.2.0 | qedit | |
| halo2_proofs | 0.2.0 | qedit mary | |
| incrementalmerkletree | 0.3.0 | ||
| zcash_encoding | 0.1.0 | qedit | |
| zcash_history | 0.3.0 | qedit | |
| zcash_note_encryption | 0.1.0 | qedit | |
| zcash_primitives | 0.7.0 | qedit | |
| orchard | 0.2.0 | qedit |
Cryptography dependencies
All crypto dependencies are out of scope of the 1st audit
| Name | Version | Audited | Notes |
|---|---|---|---|
| aes | 0.7.5 | audited | struct aes::Aes256 |
| bech32 | 0.9.1 | no audit, but seems simple enough | |
| blake2b_simd | 1.0.0 | no audit, but is widely used | |
| blake2s_simd | 1.0.0 | no audit, but is widely used | |
| bls12_381 | 0.7.0 | no audit, but seems widely used | |
| bs58 | 0.4.0 | no audit, but seems simple enough | |
| rand | 0.8.5 | no audits, but seems widely used | |
| rand_core | 0.6.4 | no audits, but seems widely used | |
| sha2 | 0.9.9 | no audits, but seems widely used | |
| ripemd | 0.1.3 | no audits, but seems widely used | |
| secp256k1 | 0.21.3 | no audits, but seems widely used | |
| subtle | 2.4.1 | no audits, but seems widely used | |
| group | 0.12.0 | no audits but it's just traits, seems widely used | |
| x25519-dalek | 1.2.0 | no audits, but seems widely used | |
| jubjub | 0.9.0 | not sure if were covered by ECC audits. Seem widely used. | |
| bellman | 0.13.1 | not sure if were covered by ECC audits. Seem widely used. |
Async code and services
| Name | Version | Notes |
|---|---|---|
| futures | 0.3.24 | |
| futures-core | 0.3.24 | |
| pin-project | 1.0.12 | |
| rayon | 1.5.3 | |
| tokio | 1.21.2 | |
| tokio-util | 0.7.4 | |
| tower | 0.4.13 | |
| futures-util | 0.3.24 | |
| tokio-stream | 0.1.10 | |
| hyper | 0.14.20 | |
| jsonrpc-core | 18.0.0 | |
| jsonrpc-derive | 18.0.0 | |
| jsonrpc-http-server | 18.0.0 |
Types and encoding
| Name | Version | Notes |
|---|---|---|
| bitflags | 1.3.2 | |
| bitvec | 1.0.1 | We use it to build bit vectors, which are used when computing commitments. It's important, but does not seem particularly risky. |
| byteorder | 1.4.3 | |
| chrono | 0.4.22 | We treat chrono as a time library, and assume it works. It only implements the consensus rule about the local clock. |
| hex | 0.4.3 | |
| humantime | 2.1.0 | |
| itertools | 0.10.5 | |
| serde | 1.0.145 | |
| serde-big-array | 0.4.1 | |
| serde_with | 2.0.1 | |
| uint | 0.9.4 | |
| bytes | 1.2.1 | |
| humantime-serde | 1.1.1 | |
| indexmap | 1.9.1 | |
| ordered-map | 0.4.2 | |
| serde_json | 1.0.85 | |
| bincode | 1.3.3 | |
| mset | 0.1.0 | |
| tinyvec | 1.6.0 | |
| num-integer | 0.1.45 | |
| sentry | 0.27.0 | |
| primitive-types | 0.11.1 |
Other Zebra dependencies
| Name | Version | Notes |
|---|---|---|
| rocksdb | 0.19.0 | We can treat rocksdb as a database library, and assume it works. It is consensus-critical that stored data is returned without any mistakes. But we don't want to audit a huge pile of C++ code |
| abscissa_core | 0.5.2 | |
| gumdrop | 0.7.0 |
Misc.
| Name | Version | Reason | Notes |
|---|---|---|---|
| proptest | 0.10.1 | Testing | |
| proptest-derive | 0.3.0 | Testing | |
| tracing | 0.1.36 | Tracing | |
| tracing-futures | 0.2.5 | Tracing | |
| lazy_static | 1.4.0 | ||
| static_assertions | 1.1.0 | ||
| thiserror | 1.0.37 | Error handling | |
| dirs | 4.0.0 | ||
| displaydoc | 0.2.3 | Docs | |
| metrics | 0.20.1 | Metrics | |
| once_cell | 1.15.0 | ||
| regex | 1.6.0 | ||
| tracing-error | 0.2.0 | Tracing | |
| num_cpus | 1.13.1 | Trivial use | |
| rlimit | 0.8.3 | ||
| tempfile | 3.3.0 | ||
| color-eyre | 0.6.2 | Error handling | |
| tracing-subscriber | 0.3.15 | Logging | |
| log | 0.4.17 | ||
| metrics-exporter-prometheus | 0.11.0 | Metrics | |
| sentry-tracing | 0.27.0 | Tracing | |
| toml | 0.5.9 | ||
| tracing-appender | 0.2.2 | Tracing | |
| tracing-journald | 0.3.0 | Tracing | |
| atty | 0.2.14 | ||
| rand_chacha | 0.3.1 | Testing | |
| structopt | 0.3.26 | Trivial usage in zebra-utils |