~qaul/community

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch

[PATCH] Update blake2 to 0.9.1 everywhere

Alyssa Ross
Details
Message ID
<20210301235218.29300-1-hi@alyssa.is>
DKIM signature
pass
Download raw message
Patch: +31 -88
0.8.1 depends on a version of generic_array that has an unsoundness
bug.

The VarBlake2b hasher now gives us a Box<[u8]> instead of a Vec, which
meant it could no longer be passed straight to Identity::truncate in
ratman-identity.  I noticed that that method took an Into<&Vec<u8>>,
which I don't think anything other than Vec actually implements --
other things implement Into<Vec<u8>>, but not Impl<&Vec<u8>>.  I think
the correct type to use here to allow a vec to be borrowed is
AsRef<[u8]> (which types like Box<[u8]> do actually implement), so
I've changed it to take that instead.

Fixes: RUSTSEC-2020-0146
---
 Cargo.lock                        | 94 ++++++-------------------------
 libqaul/Cargo.toml                |  2 +-
 libqaul/src/auth/pwhash.rs        |  4 +-
 libqaul/src/messages/generator.rs |  2 +-
 ratman/identity/Cargo.toml        |  2 +-
 ratman/identity/src/lib.rs        | 15 ++---
 6 files changed, 31 insertions(+), 88 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index d608c021..25a14a2f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -287,27 +287,15 @@ version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"

[[package]]
name = "blake2"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94cb07b0da6a73955f8fb85d24c466778e70cda767a568229b104f0264089330"
dependencies = [
 "byte-tools",
 "crypto-mac 0.7.0",
 "digest 0.8.1",
 "opaque-debug 0.2.3",
]

[[package]]
name = "blake2"
version = "0.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10a5720225ef5daecf08657f23791354e1685a8c91a4c60c7f3d3b2892f978f4"
dependencies = [
 "crypto-mac 0.8.0",
 "digest 0.9.0",
 "opaque-debug 0.3.0",
 "crypto-mac",
 "digest",
 "opaque-debug",
]

[[package]]
@@ -316,7 +304,7 @@ version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
dependencies = [
 "generic-array 0.14.4",
 "generic-array",
]

[[package]]
@@ -339,12 +327,6 @@ version = "3.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "63396b8a4b9de3f4fdfb320ab6080762242f66a8ef174c49d8e19b674db4cdbe"

[[package]]
name = "byte-tools"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7"

[[package]]
name = "byteorder"
version = "1.3.4"
@@ -501,24 +483,14 @@ dependencies = [
 "lazy_static",
]

[[package]]
name = "crypto-mac"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5"
dependencies = [
 "generic-array 0.12.3",
 "subtle 1.0.0",
]

[[package]]
name = "crypto-mac"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab"
dependencies = [
 "generic-array 0.14.4",
 "subtle 2.4.0",
 "generic-array",
 "subtle",
]

[[package]]
@@ -538,28 +510,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f627126b946c25a4638eec0ea634fc52506dea98db118aae985118ce7c3d723f"
dependencies = [
 "byteorder",
 "digest 0.9.0",
 "digest",
 "rand_core 0.5.1",
 "subtle 2.4.0",
 "subtle",
 "zeroize",
]

[[package]]
name = "digest"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5"
dependencies = [
 "generic-array 0.12.3",
]

[[package]]
name = "digest"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
dependencies = [
 "generic-array 0.14.4",
 "generic-array",
]

[[package]]
@@ -685,15 +648,6 @@ dependencies = [
 "waker-fn",
]

[[package]]
name = "generic-array"
version = "0.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c68f0274ae0e023facc3c97b2e00f076be70e254bc851d972503b328db79b2ec"
dependencies = [
 "typenum",
]

[[package]]
name = "generic-array"
version = "0.14.4"
@@ -766,8 +720,8 @@ version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840"
dependencies = [
 "crypto-mac 0.8.0",
 "digest 0.9.0",
 "crypto-mac",
 "digest",
]

[[package]]
@@ -827,7 +781,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae8038be446bbffb5bebe247ab05a1b1cb4c33363e204102a01e44f5933e7451"
dependencies = [
 "base64",
 "blake2 0.9.1",
 "blake2",
 "hmac",
 "pbkdf2",
 "rand 0.7.3",
@@ -889,7 +843,7 @@ dependencies = [
 "async-trait",
 "base64",
 "bincode",
 "blake2 0.8.1",
 "blake2",
 "hex",
 "jni",
 "libqaul-types",
@@ -1073,12 +1027,6 @@ version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10acf907b94fc1b1a152d08ef97e7759650268cf986bf127f387e602b02c7e5a"

[[package]]
name = "opaque-debug"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"

[[package]]
name = "opaque-debug"
version = "0.3.0"
@@ -1106,12 +1054,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "216eaa586a190f0a738f2f918511eecfa90f13295abec0e457cdebcceda80cbd"
dependencies = [
 "base64",
 "crypto-mac 0.8.0",
 "crypto-mac",
 "hmac",
 "rand 0.7.3",
 "rand_core 0.5.1",
 "sha2",
 "subtle 2.4.0",
 "subtle",
]

[[package]]
@@ -1393,7 +1341,7 @@ name = "ratman-identity"
version = "0.6.0"
dependencies = [
 "bincode",
 "blake2 0.8.1",
 "blake2",
 "cfg-if 1.0.0",
 "hex",
 "rand 0.7.3",
@@ -1528,8 +1476,8 @@ dependencies = [
 "block-buffer",
 "cfg-if 1.0.0",
 "cpuid-bool",
 "digest 0.9.0",
 "opaque-debug 0.3.0",
 "digest",
 "opaque-debug",
]

[[package]]
@@ -1618,12 +1566,6 @@ version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"

[[package]]
name = "subtle"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee"

[[package]]
name = "subtle"
version = "2.4.0"
diff --git a/libqaul/Cargo.toml b/libqaul/Cargo.toml
index bae1cc5a..8cb3b831 100644
--- a/libqaul/Cargo.toml
+++ b/libqaul/Cargo.toml
@@ -16,7 +16,7 @@ async-std = { version = "1.0", features = ["attributes", "unstable"] }
async-trait = "0.1"
base64 = "0.12"
bincode = "1.0"
blake2 = "0.8"
blake2 = "0.9"
hex = "0.4"
jni = { version = "0.14", optional = true, default-features = false }
rand = "0.7"
diff --git a/libqaul/src/auth/pwhash.rs b/libqaul/src/auth/pwhash.rs
index 35723157..0a916af6 100644
--- a/libqaul/src/auth/pwhash.rs
+++ b/libqaul/src/auth/pwhash.rs
@@ -28,7 +28,7 @@ impl PwHash {
        let new = Blake2b::new()
            .chain(pw.into())
            .chain(&self.salt)
            .result()
            .finalize()
            .to_vec();

        self.hash == new
@@ -54,7 +54,7 @@ impl PwHash {
        let hash = Blake2b::new()
            .chain(pw.into())
            .chain(&salt)
            .result()
            .finalize()
            .to_vec();

        Self { hash, salt }
diff --git a/libqaul/src/messages/generator.rs b/libqaul/src/messages/generator.rs
index e50a2203..dbcbcd98 100644
--- a/libqaul/src/messages/generator.rs
+++ b/libqaul/src/messages/generator.rs
@@ -72,7 +72,7 @@ impl MsgBuilder {
    pub(crate) fn generate(&self) -> Message {
        let mut rng = rand::thread_rng();
        let sender = self.sender.clone().unwrap_or_else(|| {
            Identity::truncate(&Standard.sample_iter(rng).take(ID_LEN).collect())
            Identity::truncate(Standard.sample_iter(rng).take(ID_LEN).collect::<Vec<_>>())
        });
        let associator = self.associator.clone().unwrap_or("".into());
        let id = self.id.clone().unwrap_or_else(|| MsgId::random());
diff --git a/ratman/identity/Cargo.toml b/ratman/identity/Cargo.toml
index dd757323..27e14fe5 100644
--- a/ratman/identity/Cargo.toml
+++ b/ratman/identity/Cargo.toml
@@ -17,7 +17,7 @@ aligned = []

[dependencies]
serde = { version = "1.0", features = ["derive"] }
blake2 = { version = "0.8.0", optional = true }
blake2 = { version = "0.9.0", optional = true }
rand = { version = "0.7", optional = true }
cfg-if = "1.0"
hex = "0.4"
diff --git a/ratman/identity/src/lib.rs b/ratman/identity/src/lib.rs
index f0c7b674..7c7192f1 100644
--- a/ratman/identity/src/lib.rs
+++ b/ratman/identity/src/lib.rs
@@ -72,12 +72,13 @@ impl Identity {
    ///
    /// This function will panic, if the provided vector isn't long
    /// enough, but extra data will simply be discarded.
    pub fn truncate<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self {
        let vec = vec.into();
        assert!(vec.len() >= ID_LEN);
    pub fn truncate(bytes: impl AsRef<[u8]>) -> Self {
        let bytes = bytes.as_ref();
        assert!(bytes.len() >= ID_LEN);

        Self(
            vec.into_iter()
            bytes
                .into_iter()
                .enumerate()
                .take(ID_LEN)
                .fold([0; ID_LEN], |mut buf, (i, u)| {
@@ -136,13 +137,13 @@ impl Identity {
    #[cfg(feature = "digest")]
    pub fn with_digest<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self {
        use blake2::{
            digest::{Input, VariableOutput},
            digest::{Update, VariableOutput},
            VarBlake2b,
        };

        let mut hasher = VarBlake2b::new(ID_LEN).unwrap();
        hasher.input(vec.into());
        Self::truncate(&hasher.vec_result())
        hasher.update(vec.into());
        Self::truncate(hasher.finalize_boxed())
    }

    /// Generate a new random Identity
-- 
2.30.0
Reply to thread Export thread (mbox)