New subject: [irdest Community] Re: [PATCH v2] Update blake2 to 0.9.1 everywhere

16 Apr 2021

0.8.1 depends on a version of generic_array that has an unsoundness
bug.
The VarBlake2b hasher now gives us a Box<[u8]> instead of a Vec, which
meant it could no longer be passed straight to Identity::truncate in
ratman-identity.  I noticed that that method took an Into<&Vec<u8>>,
which I don't think anything other than Vec actually implements --
other things implement Into<Vec<u8>>, but not Into<&Vec<u8>>.  I think
the correct type to use here to allow a vec to be borrowed is
AsRef<[u8]> (which types like Box<[u8]> do actually implement), so
I've changed it to take that instead.
---
 Cargo.lock                            | 94 +++++----------------------
 irdest-core/Cargo.toml                |  2 +-
 irdest-core/src/auth/pwhash.rs        |  4 +-
 irdest-core/src/messages/generator.rs |  2 +-
 ratman/identity/Cargo.toml            |  2 +-
 ratman/identity/src/lib.rs            | 15 +++--
 6 files changed, 31 insertions(+), 88 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2f1dfdd1..724cd098 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -313,27 +313,15 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
-[[package]]
-name = "blake2"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94cb07b0da6a73955f8fb85d24c466778e70cda767a568229b104f0264089330"
-dependencies = [
- "byte-tools",
- "crypto-mac 0.7.0",
- "digest 0.8.1",
- "opaque-debug 0.2.3",
-]
-
 [[package]]
 name = "blake2"
 version = "0.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "10a5720225ef5daecf08657f23791354e1685a8c91a4c60c7f3d3b2892f978f4"
 dependencies = [
- "crypto-mac 0.8.0",
- "digest 0.9.0",
- "opaque-debug 0.3.0",
+ "crypto-mac",
+ "digest",
+ "opaque-debug",
 ]
[[package]]
@@ -342,7 +330,7 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
 dependencies = [
- "generic-array 0.14.4",
+ "generic-array",
 ]
[[package]]
@@ -365,12 +353,6 @@ version = "3.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63396b8a4b9de3f4fdfb320ab6080762242f66a8ef174c49d8e19b674db4cdbe"
-[[package]]
-name = "byte-tools"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7"
-
 [[package]]
 name = "byteorder"
 version = "1.4.3"
@@ -538,24 +520,14 @@ dependencies = [
  "lazy_static",
 ]
-[[package]]
-name = "crypto-mac"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5"
-dependencies = [
- "generic-array 0.12.4",
- "subtle 1.0.0",
-]
-
 [[package]]
 name = "crypto-mac"
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab"
 dependencies = [
- "generic-array 0.14.4",
- "subtle 2.4.0",
+ "generic-array",
+ "subtle",
 ]
[[package]]
@@ -575,28 +547,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
 dependencies = [
  "byteorder",
- "digest 0.9.0",
+ "digest",
  "rand_core 0.5.1",
- "subtle 2.4.0",
+ "subtle",
  "zeroize",
 ]
-[[package]]
-name = "digest"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5"
-dependencies = [
- "generic-array 0.12.4",
-]
-
 [[package]]
 name = "digest"
 version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
 dependencies = [
- "generic-array 0.14.4",
+ "generic-array",
 ]
[[package]]
@@ -858,15 +821,6 @@ dependencies = [
  "system-deps",
 ]
-[[package]]
-name = "generic-array"
-version = "0.12.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ffdf9f34f1447443d37393cc6c2b8313aebddcd96906caf34e54c68d8e57d7bd"
-dependencies = [
- "typenum",
-]
-
 [[package]]
 name = "generic-array"
 version = "0.14.4"
@@ -1084,8 +1038,8 @@ version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840"
 dependencies = [
- "crypto-mac 0.8.0",
- "digest 0.9.0",
+ "crypto-mac",
+ "digest",
 ]
[[package]]
@@ -1123,7 +1077,7 @@ dependencies = [
  "async-trait",
  "base64",
  "bincode",
- "blake2 0.8.1",
+ "blake2",
  "hex",
  "ircore-types",
  "irpc-sdk",
@@ -1284,7 +1238,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae8038be446bbffb5bebe247ab05a1b1cb4c33363e204102a01e44f5933e7451"
 dependencies = [
  "base64",
- "blake2 0.9.1",
+ "blake2",
  "hmac",
  "pbkdf2",
  "rand 0.7.3",
@@ -1476,12 +1430,6 @@ version = "1.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3"
-[[package]]
-name = "opaque-debug"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"
-
 [[package]]
 name = "opaque-debug"
 version = "0.3.0"
@@ -1536,12 +1484,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "216eaa586a190f0a738f2f918511eecfa90f13295abec0e457cdebcceda80cbd"
 dependencies = [
  "base64",
- "crypto-mac 0.8.0",
+ "crypto-mac",
  "hmac",
  "rand 0.7.3",
  "rand_core 0.5.1",
  "sha2",
- "subtle 2.4.0",
+ "subtle",
 ]
[[package]]
@@ -1817,7 +1765,7 @@ name = "ratman-identity"
 version = "0.6.2"
 dependencies = [
  "bincode",
- "blake2 0.8.1",
+ "blake2",
  "cfg-if 1.0.0",
  "hex",
  "rand 0.7.3",
@@ -1980,8 +1928,8 @@ dependencies = [
  "block-buffer",
  "cfg-if 1.0.0",
  "cpuid-bool",
- "digest 0.9.0",
- "opaque-debug 0.3.0",
+ "digest",
+ "opaque-debug",
 ]
[[package]]
@@ -2098,12 +2046,6 @@ dependencies = [
  "syn 1.0.69",
 ]
-[[package]]
-name = "subtle"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee"
-
 [[package]]
 name = "subtle"
 version = "2.4.0"
diff --git a/irdest-core/Cargo.toml b/irdest-core/Cargo.toml
index ca894c73..3b2767bd 100644
--- a/irdest-core/Cargo.toml
+++ b/irdest-core/Cargo.toml
@@ -16,7 +16,7 @@ async-std = { version = "1.0", features = ["attributes", "unstable"] }
 async-trait = "0.1"
 base64 = "0.12"
 bincode = "1.0"
-blake2 = "0.8"
+blake2 = "0.9"
 hex = "0.4"
 jni = { version = "0.14", optional = true, default-features = false }
 rand = "0.7"
diff --git a/irdest-core/src/auth/pwhash.rs b/irdest-core/src/auth/pwhash.rs
index 35723157..0a916af6 100644
--- a/irdest-core/src/auth/pwhash.rs
+++ b/irdest-core/src/auth/pwhash.rs
@@ -28,7 +28,7 @@ impl PwHash {
         let new = Blake2b::new()
             .chain(pw.into())
             .chain(&self.salt)
-            .result()
+            .finalize()
             .to_vec();
self.hash == new
@@ -54,7 +54,7 @@ impl PwHash {
         let hash = Blake2b::new()
             .chain(pw.into())
             .chain(&salt)
-            .result()
+            .finalize()
             .to_vec();
Self { hash, salt }
diff --git a/irdest-core/src/messages/generator.rs b/irdest-core/src/messages/generator.rs
index 351177e6..af7f0b89 100644
--- a/irdest-core/src/messages/generator.rs
+++ b/irdest-core/src/messages/generator.rs
@@ -72,7 +72,7 @@ impl MsgBuilder {
     pub(crate) fn generate(&self) -> Message {
         let mut rng = rand::thread_rng();
         let sender = self.sender.clone().unwrap_or_else(|| {
-            Identity::truncate(&Standard.sample_iter(rng).take(ID_LEN).collect())
+            Identity::truncate(Standard.sample_iter(rng).take(ID_LEN).collect::<Vec<_>>())
         });
         let associator = self.associator.clone().unwrap_or("".into());
         let id = self.id.clone().unwrap_or_else(|| MsgId::random());
diff --git a/ratman/identity/Cargo.toml b/ratman/identity/Cargo.toml
index f4eb957d..28200d5b 100644
--- a/ratman/identity/Cargo.toml
+++ b/ratman/identity/Cargo.toml
@@ -16,7 +16,7 @@ aligned = []
[dependencies]
 serde = { version = "1.0", features = ["derive"] }
-blake2 = { version = "0.8.0", optional = true }
+blake2 = { version = "0.9.0", optional = true }
 rand = { version = "0.7", optional = true }
 cfg-if = "1.0"
 hex = "0.4"
diff --git a/ratman/identity/src/lib.rs b/ratman/identity/src/lib.rs
index f0c7b674..7c7192f1 100644
--- a/ratman/identity/src/lib.rs
+++ b/ratman/identity/src/lib.rs
@@ -72,12 +72,13 @@ impl Identity {
     ///
     /// This function will panic, if the provided vector isn't long
     /// enough, but extra data will simply be discarded.
-    pub fn truncate<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self {
-        let vec = vec.into();
-        assert!(vec.len() >= ID_LEN);
+    pub fn truncate(bytes: impl AsRef<[u8]>) -> Self {
+        let bytes = bytes.as_ref();
+        assert!(bytes.len() >= ID_LEN);
Self(
-            vec.into_iter()
+            bytes
+                .into_iter()
                 .enumerate()
                 .take(ID_LEN)
                 .fold([0; ID_LEN], |mut buf, (i, u)| {
@@ -136,13 +137,13 @@ impl Identity {
     #[cfg(feature = "digest")]
     pub fn with_digest<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self {
         use blake2::{
-            digest::{Input, VariableOutput},
+            digest::{Update, VariableOutput},
             VarBlake2b,
         };
let mut hasher = VarBlake2b::new(ID_LEN).unwrap();
-        hasher.input(vec.into());
-        Self::truncate(&hasher.vec_result())
+        hasher.update(vec.into());
+        Self::truncate(hasher.finalize_boxed())
     }
/// Generate a new random Identity
-- 
2.30.0


    

[Community] [PATCH v2] Update blake2 to 0.9.1 everywhere