From c2e2da5dc35b2e0aa4cc17865ec4d14c725558c7 Mon Sep 17 00:00:00 2001 From: eta Date: Tue, 5 Jul 2022 11:57:10 +0100 Subject: [PATCH] Update `rsa` dependency (and use `x25519-dalek` prerelease) - arti#448 and arti!607 highlight an issue with upgrading `rsa`: namely, the `x25519-dalek` version previously used has a hard dependency on `zeroize` 1.3, which creates a dependency conflict. - However, `x25519-dalek` version `2.0.0-pre.1` relaxes this dependency. Reviewing the changelogs, it doesn't look like that version is substantially different from the current one at all, so it should be safe to use despite the "prerelease" tag. - The new `x25519-dalek` version also bumps `rand_core`, which means we don't have to use the RNG compat wrapper in `tor-llcrypto` as much. closes arti#448 --- Cargo.lock | 89 ++++++++----------- crates/tor-llcrypto/Cargo.toml | 4 +- crates/tor-llcrypto/src/pk/rsa.rs | 2 +- crates/tor-llcrypto/src/util/rand_compat.rs | 17 ++-- crates/tor-proto/src/crypto/handshake/ntor.rs | 11 ++- maint/downgrade_dependencies | 2 +- 6 files changed, 58 insertions(+), 67 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 03934f8c1..50fd9ed74 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -452,7 +452,7 @@ version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b88d82667eca772c4aa12f0f1348b3ae643424c8876448f3f7bd5787032e234c" dependencies = [ - "autocfg 1.1.0", + "autocfg", ] [[package]] @@ -472,15 +472,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "autocfg" -version = "0.1.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0dde43e75fd43e8a1bf86103336bc699aa8d17ad1be60c76c0bdfd4828e19b78" -dependencies = [ - "autocfg 1.1.0", -] - [[package]] name = "autocfg" version = "1.1.0" 
@@ -680,9 +671,9 @@ dependencies = [ [[package]] name = "const-oid" -version = "0.6.2" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d6f2aa4d0537bcc1c74df8755072bd31c1ef1a3a1b85a68e8404a8c353b7b8b" +checksum = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3" [[package]] name = "convert_case" @@ -756,12 +747,11 @@ dependencies = [ [[package]] name = "crypto-bigint" -version = "0.2.11" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f83bd3bb4314701c568e340cd8cf78c975aa0ca79e03d3f6d1677d5b0c9c0c03" +checksum = "03c6a1d5fa1de37e071642dfa44ec552ca5b299adb128fab16138e24b548fd21" dependencies = [ "generic-array", - "rand_core 0.6.3", "subtle", ] @@ -806,9 +796,9 @@ dependencies = [ [[package]] name = "curve25519-dalek" -version = "3.2.1" +version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90f9d052967f590a76e62eb387bd0bbb1b000182c3cefe5364db6b7211651bc0" +checksum = "0b9fdf9972b2bd6af2d913799d9ebc165ea4d2e65878e329d9c6b372c4491b61" dependencies = [ "byteorder", "digest 0.9.0", @@ -895,12 +885,13 @@ checksum = "3ee2393c4a91429dffb4bedf19f4d6abf27d8a732c8ce4980305d782e5426d57" [[package]] name = "der" -version = "0.4.5" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79b71cca7d95d7681a4b3b9cdf63c8dbc3730d0584c2c74e31416d64a90493f4" +checksum = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c" dependencies = [ "const-oid", "crypto-bigint", + "pem-rfc7468", ] [[package]] @@ -1792,7 +1783,7 @@ version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53" dependencies = [ - "autocfg 1.1.0", + "autocfg", "scopeguard", ] 
@@ -2041,18 +2032,17 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-integer", "num-traits", ] [[package]] name = "num-bigint-dig" -version = "0.7.0" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4547ee5541c18742396ae2c895d0717d0f886d8823b8399cdaf7b07d63ad0480" +checksum = "566d173b2f9406afbc5510a90925d5a2cd80cae4605631f1212303df265de011" dependencies = [ - "autocfg 0.1.8", "byteorder", "lazy_static", "libm", @@ -2079,7 +2069,7 @@ version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-traits", ] @@ -2089,7 +2079,7 @@ version = "0.1.43" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-integer", "num-traits", ] @@ -2100,7 +2090,7 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-integer", "num-traits", ] @@ -2111,7 +2101,7 @@ version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" dependencies = [ - "autocfg 1.1.0", + "autocfg", "libm", ] @@ -2202,7 +2192,7 @@ version = "0.9.74" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "835363342df5fba8354c5b453325b110ffd54044e588c539cf2f20a8014e4cb1" dependencies = [ - "autocfg 1.1.0", + "autocfg", "cc", "libc", "openssl-src", 
@@ -2289,9 +2279,9 @@ dependencies = [ [[package]] name = "pem-rfc7468" -version = "0.2.3" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f22eb0e3c593294a99e9ff4b24cf6b752d43f193aa4415fe5077c159996d497" +checksum = "01de5d978f34aa4b2296576379fcc416034702fd94117c56ffd8a1a767cefb30" dependencies = [ "base64ct", ] @@ -2380,24 +2370,22 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" [[package]] name = "pkcs1" -version = "0.2.4" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "116bee8279d783c0cf370efa1a94632f2108e5ef0bb32df31f051647810a4e2c" +checksum = "a78f66c04ccc83dd4486fd46c33896f4e17b24a7a3a6400dedc48ed0ddd72320" dependencies = [ "der", - "pem-rfc7468", + "pkcs8", "zeroize", ] [[package]] name = "pkcs8" -version = "0.7.6" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee3ef9b64d26bad0536099c816c6734379e45bbd5f14798def6809e5cc350447" +checksum = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0" dependencies = [ "der", - "pem-rfc7468", - "pkcs1", "spki", "zeroize", ] @@ -2699,20 +2687,20 @@ dependencies = [ [[package]] name = "rsa" -version = "0.5.0" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e05c2603e2823634ab331437001b411b9ed11660fbc4066f3908c84a9439260d" +checksum = "4cf22754c49613d2b3b119f0e5d46e34a2c628a937e3024b8762de4e7d8c710b" dependencies = [ "byteorder", - "digest 0.9.0", - "lazy_static", + "digest 0.10.3", "num-bigint-dig", "num-integer", "num-iter", "num-traits", "pkcs1", "pkcs8", - "rand 0.8.5", + "rand_core 0.6.3", + "smallvec", "subtle", "zeroize", ] 
@@ -3113,10 +3101,11 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" [[package]] name = "spki" -version = "0.4.1" +version = "0.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c01a0c15da1b0b0e1494112e7af814a678fec9bd157881b49beac661e9b6f32" +checksum = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27" dependencies = [ + "base64ct", "der", ] @@ -4499,12 +4488,12 @@ dependencies = [ [[package]] name = "x25519-dalek" -version = "1.2.0" +version = "2.0.0-pre.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2392b6b94a576b4e2bf3c5b2757d63f10ada8020a2e4d08ac849ebcf6ea8e077" +checksum = "e5da623d8af10a62342bcbbb230e33e58a63255a58012f8653c578e54bab48df" dependencies = [ "curve25519-dalek", - "rand_core 0.5.1", + "rand_core 0.6.3", "zeroize", ] @@ -4529,9 +4518,9 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.3.0" +version = "1.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4756f7db3f7b5574938c3eb1c117038b8e07f95ee6718c0efad4ac21508f1efd" +checksum = "20b578acffd8516a6c3f2a1bdefc1ec37e547bb4e0fb8b6b01a4cafc886b4442" dependencies = [ "zeroize_derive", ] diff --git a/crates/tor-llcrypto/Cargo.toml b/crates/tor-llcrypto/Cargo.toml index 804d62485..941782b54 100644 --- a/crates/tor-llcrypto/Cargo.toml +++ b/crates/tor-llcrypto/Cargo.toml @@ -35,7 +35,7 @@ hex = "0.4" old_rand_core = { package = "rand_core", version = "0.5.1" } openssl = { version = "0.10.30", optional = true } rand_core = "0.6.2" -rsa = "0.5.0" +rsa = "0.6.0" serde = "1.0.103" sha-1 = "0.10.0" sha2 = "0.10.0" @@ -45,7 +45,7 @@ simple_asn1 = "0.6" subtle = "2" thiserror = "1" typenum = { version = "1.15.0", optional = true } -x25519-dalek = "1.2" +x25519-dalek = "2.0.0-pre.1" zeroize = "1" [dev-dependencies] diff --git a/crates/tor-llcrypto/src/pk/rsa.rs b/crates/tor-llcrypto/src/pk/rsa.rs index 4afa1dca1..dd95e17b0 100644 
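Review bot: The requirement `x25519-dalek = "2.0.0-pre.1"` in `crates/tor-llcrypto/Cargo.toml` is a caret requirement, so wherever this workspace's `Cargo.lock` does not apply (a downstream build of the crate, or a later `cargo update`) it can resolve to a later 2.x prerelease or release rather than the version whose changelog was reviewed. Prereleases make no compatibility promise to one another, and this crate appears to supply the Curve25519 secrets used by the ntor handshake, so an exact pin with the reason recorded would be safer: `x25519-dalek = "=2.0.0-pre.1"  # prerelease, pinned exactly; re-review before bumping`. The lockfile in this commit also moves `curve25519-dalek` from 3.2.1 to 3.2.0, presumably a constraint of the prerelease; that downgrade of the underlying curve library should be confirmed as intended rather than left as a resolver side effect.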
--- a/crates/tor-llcrypto/src/pk/rsa.rs
+++ b/crates/tor-llcrypto/src/pk/rsa.rs
@@ -16,7 +16,7 @@
 //! This module should expose RustCrypto trait-based wrappers,
 //! but the [`rsa`] crate didn't support them as of initial writing.
 use arrayref::array_ref;
-use rsa::pkcs1::{FromRsaPrivateKey, FromRsaPublicKey};
+use rsa::pkcs1::{DecodeRsaPrivateKey, DecodeRsaPublicKey};
 use std::fmt;
 use subtle::{Choice, ConstantTimeEq};
 use zeroize::Zeroize;
diff --git a/crates/tor-llcrypto/src/util/rand_compat.rs b/crates/tor-llcrypto/src/util/rand_compat.rs
index 4f216784e..4ac69523b 100644
--- a/crates/tor-llcrypto/src/util/rand_compat.rs
+++ b/crates/tor-llcrypto/src/util/rand_compat.rs
@@ -8,29 +8,32 @@
 //!
 //! # Example:
 //!
-//! As of May 2021, if you're using the current version of
-//! [`x25519-dalek`], and the latest [`rand_core`], then you can't use
+//! As of July 2022, if you're using the current version of
+//! [`ed25519-dalek`], and the latest [`rand_core`], then you can't use
 //! this code, because of the compatibility issue mentioned above.
 //!
 //! ```compile_fail
 //! use rand_core::OsRng;
-//! use x25519_dalek::EphemeralSecret;
+//! use ed25519_dalek::Keypair;
 //!
-//! let my_secret = EphemeralSecret::new(OsRng);
+//! let keypair = Keypair::generate(&mut OsRng);
 //! ```
 //!
+//! (This used to be a problem for `x25519-dalek` too, but that crate has
+//! been updated to a version that doesn't have this problem.)
+//!
 //! But instead, you can wrap the random number generator using the
 //! [`RngCompatExt`] extension trait.
 //!
 //! ```
 //! use tor_llcrypto::util::rand_compat::RngCompatExt;
 //! use rand_core::OsRng;
-//! use x25519_dalek::EphemeralSecret;
+//! use ed25519_dalek::Keypair;
 //!
-//! let my_secret = EphemeralSecret::new(OsRng.rng_compat());
+//! let keypair = Keypair::generate(&mut OsRng.rng_compat());
 //! ```
 //!
-//! The wrapped RNG can be used with the old version of the RngCode
+//! The wrapped RNG can be used with the old version of the RngCore
 //! trait, as well as the new one.
 
 use old_rand_core::{CryptoRng as OldCryptoRng, Error as OldError, RngCore as OldRngCore};
diff --git a/crates/tor-proto/src/crypto/handshake/ntor.rs b/crates/tor-proto/src/crypto/handshake/ntor.rs
index 74e14f332..9ff5d6a5b 100644
--- a/crates/tor-proto/src/crypto/handshake/ntor.rs
+++ b/crates/tor-proto/src/crypto/handshake/ntor.rs
@@ -7,7 +7,6 @@ use tor_bytes::{Reader, Writer};
 use tor_llcrypto::d;
 use tor_llcrypto::pk::curve25519::*;
 use tor_llcrypto::pk::rsa::RsaIdentity;
-use tor_llcrypto::util::rand_compat::RngCompatExt;
 
 use digest::Mac;
 use rand_core::{CryptoRng, RngCore};
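Review bot: In the `rand_compat.rs` module docs, the phrases "As of July 2022" and "the current version of ed25519-dalek" will go stale in the same way as the May 2021 text this hunk replaces. Stating the trait versions involved would last longer, assuming the mismatch is `rand_core` 0.5 versus 0.6 as the `old_rand_core = 0.5.1` and `rand_core = 0.6.2` entries in Cargo.toml suggest. The `compile_fail` example also passes on any compile error, so a renamed `Keypair` type would keep it green without demonstrating the RNG mismatch. A one-line doc comment above that block could name the expected failure, for example `//! (Expected error: OsRng from rand_core 0.6 does not implement the 0.5 RngCore/CryptoRng traits.)`. The module docs continue outside the hunk.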
@@ -134,7 +133,7 @@ fn client_handshake_ntor_v1(
 where
 R: RngCore + CryptoRng,
 {
- let my_sk = StaticSecret::new(rng.rng_compat());
+ let my_sk = StaticSecret::new(rng);
 let my_public = PublicKey::from(&my_sk);
 
 client_handshake_ntor_v1_no_keygen(my_public, my_sk, relay_public)
@@ -262,7 +261,7 @@ where
 // actually going to find our nodeid or keyid. Perhaps we should
 // delay that till later? It shouldn't matter for most cases,
 // though.
- let ephem = EphemeralSecret::new(rng.rng_compat());
+ let ephem = EphemeralSecret::new(rng);
 let ephem_pub = PublicKey::from(&ephem);
 
 server_handshake_ntor_v1_no_keygen(ephem_pub, ephem, msg, keys)
@@ -323,7 +322,7 @@ mod tests {
 #[test]
 fn simple() -> Result<()> {
 use crate::crypto::handshake::{ClientHandshake, ServerHandshake};
- let mut rng = testing_rng().rng_compat();
+ let mut rng = testing_rng();
 let relay_secret = StaticSecret::new(&mut rng);
 let relay_public = PublicKey::from(&relay_secret);
 let relay_identity = RsaIdentity::from_bytes(&[12; 20]).unwrap();
@@ -353,7 +352,7 @@ mod tests {
 
 fn make_fake_ephem_key(bytes: &[u8]) -> EphemeralSecret {
 assert_eq!(bytes.len(), 32);
- let mut rng = FakePRNG::new(bytes).rng_compat();
+ let mut rng = FakePRNG::new(bytes);
 EphemeralSecret::new(&mut rng)
 }
 
@@ -405,7 +404,7 @@ mod tests {
 #[test]
 fn failing_handshakes() {
 use crate::crypto::handshake::{ClientHandshake, ServerHandshake};
- let mut rng = testing_rng().rng_compat();
+ let mut rng = testing_rng();
 
 // Set up keys.
 let relay_secret = StaticSecret::new(&mut rng);
diff --git a/maint/downgrade_dependencies b/maint/downgrade_dependencies
index 120127ebb..33ba6cb37 100755
--- a/maint/downgrade_dependencies
+++ b/maint/downgrade_dependencies
@@ -16,5 +16,5 @@ set -euo pipefail
 cargo +nightly update -Z minimal-versions
 cargo update \
 -p crc32fast \
- -p zeroize_derive:1.1.1 \
+ -p zeroize_derive:1.3.2 \
 -p env_logger:0.5.0