by lcampbell
842 days ago
This is briefly mentioned in the article, but from the report[1]:

> It should be noted that the scope of the code reviewed within this audit is relatively narrow. In particular, while we audited cURL’s use of the third-party libraries ngtcp2, nghttp3, quiche, and msh3 to implement HTTP/3 functionality, we did not investigate the internals of those libraries—which is where the majority of the low-level parsing and data transformation necessitated by the HTTP/3 protocol occurs.

The report goes on to concede:

> [we] did not observe any coverage of the nghttp3 library code. We suspect that, as the HTTP/3 protocol itself is significantly intertwined with TLS, the encryption makes it hard for a fuzzer to progress to the point where data can be decoded and parsed meaningfully.

[1] https://curl.se/docs/audit/trail-of-bits-http3-report.pdf
> Because of curl’s use of third party libraries for doing QUIC and HTTP/3, the report advises that there should be follow-up audits of the involved libraries. Fair proposal, but that is of course something that is beyond what we as a project can do.

Indeed, the next thing would be for the third-party libraries to go through a similar audit!