Skip to content

Ai security fixes#130

Open
lauris71 wants to merge 33 commits into
open-eid:masterfrom
lauris71:ai-security
Open

Ai security fixes#130
lauris71 wants to merge 33 commits into
open-eid:masterfrom
lauris71:ai-security

Conversation

@lauris71

@lauris71 lauris71 commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Fixes most critical and high security bugs found by Claude/DeepSeek/GLM/Gwen

  • Peer certificates can only be ignored by compile-time flag
  • Sensitive info logging can only be enabled by compile-time keys
  • Random number entropy failure returns error
  • AESWrap handles error/success correctly
  • Disable Bleichenbacher attack vector for CDoc1 RSA keys
  • Always log out PKCS11 sessions
  • Fix path-traversal in extracted filenames
  • Limit maximum PAX header size
  • Keep secrets in secured memory
  • Require https protocol for key/share servers
  • and more...

Signed-off-by: Lauris Kaplinski lauris@raulwalter.com

Lauris Kaplinski and others added 30 commits May 20, 2026 17:29
Some fixes from ai security audit
53a6898
Fixed cdoc-tool index usage
47715fe
@lauris71 @metsma
Update cdoc/cdoc-tool.cpp
fef2389 
Co-authored-by: Raul Metsma <raul@metsma.ee>
@lauris71 @metsma
Update cdoc/cdoc-tool.cpp
8848542 
Co-authored-by: Raul Metsma <raul@metsma.ee>
Some more AI issue fixes
bf5ca62
Hardcode SSL timeout
0a6b12b
Fixed xstream uint overflow and tool logging
a4dafb9
Some more fixes
8c9b789
Secure tool key handling, use explicid compile time definitions for k…
e9a8a6e 
…ey dump and TLS diabling
Fixed potential tar size overflow and secured proxy password
fa288ee
Windows build fix
b89e4f1
Revert proxy password for now
d0e0c90
Make proxy password string_view
87d1547
Disable potential Bleichenbacher attack for CDoc1 RSA encryption
3631991
Moved fix to main decryptRSA method
7e6cdaa
Added ct.h
f01510a
Bleichenbacher fix for NCrypt backend
0aec4a1
Some cleanups
6f37761
All C,H & M fixes from Caludo Opus review
cc19133
@lauris71
Merge branch 'open-eid:master' into master
6bd12a8
Update cdoc-tool
8102224
@lauris71
Merge branch 'open-eid:master' into master
c3d8dd2
Merge branch 'master' into ai-security
bb9945c 
# Conflicts:
#	cdoc/CDocCipher.cpp
#	cdoc/PKCS11Backend.cpp
#	cdoc/RcptInfo.h
#	cdoc/cdoc-tool.cpp
Make default KDF iter 600000
08ca9e5
Added std_string_view.i
004ce57
Fixed label parsing on Ubuntu 22
212825a
Include <string.h>
6db3372
Use explicit_bzero on glibc
8a2f494
Use SecureZeroMemory on windows
573f147
Use OPENSSL_cleanse for secure cleanup
2d552cb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lauris71