Alyssa Ross: 1 Update blake2 to 0.9.1 everywhere 6 files changed, 31 insertions(+), 88 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:
curl -s https://lists.sr.ht/~qaul/community/patches/20729/mbox | git am -3Learn more about email & git
0.8.1 depends on a version of generic_array that has an unsoundness bug. The VarBlake2b hasher now gives us a Box<[u8]> instead of a Vec, which meant it could no longer be passed straight to Identity::truncate in ratman-identity. I noticed that that method took an Into<&Vec<u8>>, which I don't think anything other than Vec actually implements -- other things implement Into<Vec<u8>>, but not Impl<&Vec<u8>>. I think the correct type to use here to allow a vec to be borrowed is AsRef<[u8]> (which types like Box<[u8]> do actually implement), so I've changed it to take that instead. Fixes: RUSTSEC-2020-0146 --- Cargo.lock | 94 ++++++------------------------- libqaul/Cargo.toml | 2 +- libqaul/src/auth/pwhash.rs | 4 +- libqaul/src/messages/generator.rs | 2 +- ratman/identity/Cargo.toml | 2 +- ratman/identity/src/lib.rs | 15 ++--- 6 files changed, 31 insertions(+), 88 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d608c021..25a14a2f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -287,27 +287,15 @@ version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" -[[package]] -name = "blake2" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94cb07b0da6a73955f8fb85d24c466778e70cda767a568229b104f0264089330" -dependencies = [ - "byte-tools", - "crypto-mac 0.7.0", - "digest 0.8.1", - "opaque-debug 0.2.3", -] - [[package]] name = "blake2" version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10a5720225ef5daecf08657f23791354e1685a8c91a4c60c7f3d3b2892f978f4" dependencies = [ - "crypto-mac 0.8.0", - "digest 0.9.0", - "opaque-debug 0.3.0", + "crypto-mac", + "digest", + "opaque-debug", ] [[package]] @@ -316,7 +304,7 @@ version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" dependencies = [ - "generic-array 0.14.4", + "generic-array", ] [[package]] @@ -339,12 +327,6 @@ version = "3.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "63396b8a4b9de3f4fdfb320ab6080762242f66a8ef174c49d8e19b674db4cdbe" -[[package]] -name = "byte-tools" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7" - [[package]] name = "byteorder" version = "1.3.4" @@ -501,24 +483,14 @@ dependencies = [ "lazy_static", ] -[[package]] -name = "crypto-mac" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5" -dependencies = [ - "generic-array 0.12.3", - "subtle 1.0.0", -] - [[package]] name = "crypto-mac" version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab" dependencies = [ - "generic-array 0.14.4", - "subtle 2.4.0", + "generic-array", + "subtle", ] [[package]] @@ -538,28 +510,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f627126b946c25a4638eec0ea634fc52506dea98db118aae985118ce7c3d723f" dependencies = [ "byteorder", - "digest 0.9.0", + "digest", "rand_core 0.5.1", - "subtle 2.4.0", + "subtle", "zeroize", ] -[[package]] -name = "digest" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" -dependencies = [ - "generic-array 0.12.3", -] - [[package]] name = "digest" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" dependencies = [ - "generic-array 0.14.4", + "generic-array", ] [[package]] @@ -685,15 +648,6 @@ dependencies = [ "waker-fn", ] -[[package]] -name = "generic-array" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c68f0274ae0e023facc3c97b2e00f076be70e254bc851d972503b328db79b2ec" -dependencies = [ - "typenum", -] - [[package]] name = "generic-array" version = "0.14.4" @@ -766,8 +720,8 @@ version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840" dependencies = [ - "crypto-mac 0.8.0", - "digest 0.9.0", + "crypto-mac", + "digest", ] [[package]] @@ -827,7 +781,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae8038be446bbffb5bebe247ab05a1b1cb4c33363e204102a01e44f5933e7451" dependencies = [ "base64", - "blake2 0.9.1", + "blake2", "hmac", "pbkdf2", "rand 0.7.3", @@ -889,7 +843,7 @@ dependencies = [ "async-trait", "base64", "bincode", - "blake2 0.8.1", + "blake2", "hex", "jni", "libqaul-types", @@ -1073,12 +1027,6 @@ version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10acf907b94fc1b1a152d08ef97e7759650268cf986bf127f387e602b02c7e5a" -[[package]] -name = "opaque-debug" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c" - [[package]] name = "opaque-debug" version = "0.3.0" @@ -1106,12 +1054,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "216eaa586a190f0a738f2f918511eecfa90f13295abec0e457cdebcceda80cbd" dependencies = [ "base64", - "crypto-mac 0.8.0", + "crypto-mac", "hmac", "rand 0.7.3", "rand_core 0.5.1", "sha2", - "subtle 2.4.0", + "subtle", ] [[package]] @@ -1393,7 +1341,7 @@ name = "ratman-identity" version = "0.6.0" dependencies = [ "bincode", - "blake2 0.8.1", + "blake2", "cfg-if 1.0.0", "hex", "rand 0.7.3", @@ -1528,8 +1476,8 @@ dependencies = [ "block-buffer", "cfg-if 1.0.0", "cpuid-bool", - "digest 0.9.0", - "opaque-debug 0.3.0", + "digest", + "opaque-debug", ] [[package]] @@ -1618,12 +1566,6 @@ version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" -[[package]] -name = "subtle" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee" - [[package]] name = "subtle" version = "2.4.0" diff --git a/libqaul/Cargo.toml b/libqaul/Cargo.toml index bae1cc5a..8cb3b831 100644 --- a/libqaul/Cargo.toml +++ b/libqaul/Cargo.toml @@ -16,7 +16,7 @@ async-std = { version = "1.0", features = ["attributes", "unstable"] } async-trait = "0.1" base64 = "0.12" bincode = "1.0" -blake2 = "0.8" +blake2 = "0.9" hex = "0.4" jni = { version = "0.14", optional = true, default-features = false } rand = "0.7" diff --git a/libqaul/src/auth/pwhash.rs b/libqaul/src/auth/pwhash.rs index 35723157..0a916af6 100644 --- a/libqaul/src/auth/pwhash.rs +++ b/libqaul/src/auth/pwhash.rs @@ -28,7 +28,7 @@ impl PwHash { let new = Blake2b::new() .chain(pw.into()) .chain(&self.salt) - .result() + .finalize() .to_vec(); self.hash == new @@ -54,7 +54,7 @@ impl PwHash { let hash = Blake2b::new() .chain(pw.into()) .chain(&salt) - .result() + .finalize() .to_vec(); Self { hash, salt } diff --git a/libqaul/src/messages/generator.rs b/libqaul/src/messages/generator.rs index e50a2203..dbcbcd98 100644 --- a/libqaul/src/messages/generator.rs +++ b/libqaul/src/messages/generator.rs @@ -72,7 +72,7 @@ impl MsgBuilder { pub(crate) fn generate(&self) -> Message { let mut rng = rand::thread_rng(); let sender = self.sender.clone().unwrap_or_else(|| { - Identity::truncate(&Standard.sample_iter(rng).take(ID_LEN).collect()) + Identity::truncate(Standard.sample_iter(rng).take(ID_LEN).collect::<Vec<_>>()) }); let associator = self.associator.clone().unwrap_or("".into()); let id = self.id.clone().unwrap_or_else(|| MsgId::random()); diff --git a/ratman/identity/Cargo.toml b/ratman/identity/Cargo.toml index dd757323..27e14fe5 100644 --- a/ratman/identity/Cargo.toml +++ b/ratman/identity/Cargo.toml @@ -17,7 +17,7 @@ aligned = [] [dependencies] serde = { version = "1.0", features = ["derive"] } -blake2 = { version = "0.8.0", optional = true } +blake2 = { version = "0.9.0", optional = true } rand = { version = "0.7", optional = true } cfg-if = "1.0" hex = "0.4" diff --git a/ratman/identity/src/lib.rs b/ratman/identity/src/lib.rs index f0c7b674..7c7192f1 100644 --- a/ratman/identity/src/lib.rs +++ b/ratman/identity/src/lib.rs @@ -72,12 +72,13 @@ impl Identity { /// /// This function will panic, if the provided vector isn't long /// enough, but extra data will simply be discarded. - pub fn truncate<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self { - let vec = vec.into(); - assert!(vec.len() >= ID_LEN); + pub fn truncate(bytes: impl AsRef<[u8]>) -> Self { + let bytes = bytes.as_ref(); + assert!(bytes.len() >= ID_LEN); Self( - vec.into_iter() + bytes + .into_iter() .enumerate() .take(ID_LEN) .fold([0; ID_LEN], |mut buf, (i, u)| { @@ -136,13 +137,13 @@ impl Identity { #[cfg(feature = "digest")] pub fn with_digest<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self { use blake2::{ - digest::{Input, VariableOutput}, + digest::{Update, VariableOutput}, VarBlake2b, }; let mut hasher = VarBlake2b::new(ID_LEN).unwrap(); - hasher.input(vec.into()); - Self::truncate(&hasher.vec_result()) + hasher.update(vec.into()); + Self::truncate(hasher.finalize_boxed()) } /// Generate a new random Identity -- 2.30.0