0.8.1 depends on a version of generic_array that has an unsoundness bug.
The VarBlake2b hasher now gives us a Box<[u8]> instead of a Vec, which meant it could no longer be passed straight to Identity::truncate in ratman-identity. I noticed that that method took an Into<&Vec<u8>>, which I don't think anything other than Vec actually implements -- other things implement Into<Vec<u8>>, but not Into<&Vec<u8>>. I think the correct type to use here to allow a vec to be borrowed is AsRef<[u8]> (which types like Box<[u8]> do actually implement), so I've changed it to take that instead. --- Cargo.lock | 94 +++++---------------------- irdest-core/Cargo.toml | 2 +- irdest-core/src/auth/pwhash.rs | 4 +- irdest-core/src/messages/generator.rs | 2 +- ratman/identity/Cargo.toml | 2 +- ratman/identity/src/lib.rs | 15 +++-- 6 files changed, 31 insertions(+), 88 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock index 2f1dfdd1..724cd098 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -313,27 +313,15 @@ version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
-[[package]] -name = "blake2" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94cb07b0da6a73955f8fb85d24c466778e70cda767a568229b104f0264089330" -dependencies = [ - "byte-tools", - "crypto-mac 0.7.0", - "digest 0.8.1", - "opaque-debug 0.2.3", -] - [[package]] name = "blake2" version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10a5720225ef5daecf08657f23791354e1685a8c91a4c60c7f3d3b2892f978f4" dependencies = [ - "crypto-mac 0.8.0", - "digest 0.9.0", - "opaque-debug 0.3.0", + "crypto-mac", + "digest", + "opaque-debug", ]
[[package]] @@ -342,7 +330,7 @@ version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" dependencies = [ - "generic-array 0.14.4", + "generic-array", ]
[[package]] @@ -365,12 +353,6 @@ version = "3.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "63396b8a4b9de3f4fdfb320ab6080762242f66a8ef174c49d8e19b674db4cdbe"
-[[package]] -name = "byte-tools" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7" - [[package]] name = "byteorder" version = "1.4.3" @@ -538,24 +520,14 @@ dependencies = [ "lazy_static", ]
-[[package]] -name = "crypto-mac" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5" -dependencies = [ - "generic-array 0.12.4", - "subtle 1.0.0", -] - [[package]] name = "crypto-mac" version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab" dependencies = [ - "generic-array 0.14.4", - "subtle 2.4.0", + "generic-array", + "subtle", ]
[[package]] @@ -575,28 +547,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3" dependencies = [ "byteorder", - "digest 0.9.0", + "digest", "rand_core 0.5.1", - "subtle 2.4.0", + "subtle", "zeroize", ]
-[[package]] -name = "digest" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" -dependencies = [ - "generic-array 0.12.4", -] - [[package]] name = "digest" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" dependencies = [ - "generic-array 0.14.4", + "generic-array", ]
[[package]] @@ -858,15 +821,6 @@ dependencies = [ "system-deps", ]
-[[package]] -name = "generic-array" -version = "0.12.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffdf9f34f1447443d37393cc6c2b8313aebddcd96906caf34e54c68d8e57d7bd" -dependencies = [ - "typenum", -] - [[package]] name = "generic-array" version = "0.14.4" @@ -1084,8 +1038,8 @@ version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840" dependencies = [ - "crypto-mac 0.8.0", - "digest 0.9.0", + "crypto-mac", + "digest", ]
[[package]] @@ -1123,7 +1077,7 @@ dependencies = [ "async-trait", "base64", "bincode", - "blake2 0.8.1", + "blake2", "hex", "ircore-types", "irpc-sdk", @@ -1284,7 +1238,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae8038be446bbffb5bebe247ab05a1b1cb4c33363e204102a01e44f5933e7451" dependencies = [ "base64", - "blake2 0.9.1", + "blake2", "hmac", "pbkdf2", "rand 0.7.3", @@ -1476,12 +1430,6 @@ version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3"
-[[package]] -name = "opaque-debug" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c" - [[package]] name = "opaque-debug" version = "0.3.0" @@ -1536,12 +1484,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "216eaa586a190f0a738f2f918511eecfa90f13295abec0e457cdebcceda80cbd" dependencies = [ "base64", - "crypto-mac 0.8.0", + "crypto-mac", "hmac", "rand 0.7.3", "rand_core 0.5.1", "sha2", - "subtle 2.4.0", + "subtle", ]
[[package]] @@ -1817,7 +1765,7 @@ name = "ratman-identity" version = "0.6.2" dependencies = [ "bincode", - "blake2 0.8.1", + "blake2", "cfg-if 1.0.0", "hex", "rand 0.7.3", @@ -1980,8 +1928,8 @@ dependencies = [ "block-buffer", "cfg-if 1.0.0", "cpuid-bool", - "digest 0.9.0", - "opaque-debug 0.3.0", + "digest", + "opaque-debug", ]
[[package]] @@ -2098,12 +2046,6 @@ dependencies = [ "syn 1.0.69", ]
-[[package]] -name = "subtle" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee" - [[package]] name = "subtle" version = "2.4.0" diff --git a/irdest-core/Cargo.toml b/irdest-core/Cargo.toml index ca894c73..3b2767bd 100644 --- a/irdest-core/Cargo.toml +++ b/irdest-core/Cargo.toml @@ -16,7 +16,7 @@ async-std = { version = "1.0", features = ["attributes", "unstable"] } async-trait = "0.1" base64 = "0.12" bincode = "1.0" -blake2 = "0.8" +blake2 = "0.9" hex = "0.4" jni = { version = "0.14", optional = true, default-features = false } rand = "0.7" diff --git a/irdest-core/src/auth/pwhash.rs b/irdest-core/src/auth/pwhash.rs index 35723157..0a916af6 100644 --- a/irdest-core/src/auth/pwhash.rs +++ b/irdest-core/src/auth/pwhash.rs @@ -28,7 +28,7 @@ impl PwHash { let new = Blake2b::new() .chain(pw.into()) .chain(&self.salt) - .result() + .finalize() .to_vec();
self.hash == new @@ -54,7 +54,7 @@ impl PwHash { let hash = Blake2b::new() .chain(pw.into()) .chain(&salt) - .result() + .finalize() .to_vec();
Self { hash, salt } diff --git a/irdest-core/src/messages/generator.rs b/irdest-core/src/messages/generator.rs index 351177e6..af7f0b89 100644 --- a/irdest-core/src/messages/generator.rs +++ b/irdest-core/src/messages/generator.rs @@ -72,7 +72,7 @@ impl MsgBuilder { pub(crate) fn generate(&self) -> Message { let mut rng = rand::thread_rng(); let sender = self.sender.clone().unwrap_or_else(|| { - Identity::truncate(&Standard.sample_iter(rng).take(ID_LEN).collect()) + Identity::truncate(Standard.sample_iter(rng).take(ID_LEN).collect::<Vec<_>>()) }); let associator = self.associator.clone().unwrap_or("".into()); let id = self.id.clone().unwrap_or_else(|| MsgId::random()); diff --git a/ratman/identity/Cargo.toml b/ratman/identity/Cargo.toml index f4eb957d..28200d5b 100644 --- a/ratman/identity/Cargo.toml +++ b/ratman/identity/Cargo.toml @@ -16,7 +16,7 @@ aligned = []
[dependencies] serde = { version = "1.0", features = ["derive"] } -blake2 = { version = "0.8.0", optional = true } +blake2 = { version = "0.9.0", optional = true } rand = { version = "0.7", optional = true } cfg-if = "1.0" hex = "0.4" diff --git a/ratman/identity/src/lib.rs b/ratman/identity/src/lib.rs index f0c7b674..7c7192f1 100644 --- a/ratman/identity/src/lib.rs +++ b/ratman/identity/src/lib.rs @@ -72,12 +72,13 @@ impl Identity { /// /// This function will panic, if the provided vector isn't long /// enough, but extra data will simply be discarded. - pub fn truncate<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self { - let vec = vec.into(); - assert!(vec.len() >= ID_LEN); + pub fn truncate(bytes: impl AsRef<[u8]>) -> Self { + let bytes = bytes.as_ref(); + assert!(bytes.len() >= ID_LEN);
Self( - vec.into_iter() + bytes + .into_iter() .enumerate() .take(ID_LEN) .fold([0; ID_LEN], |mut buf, (i, u)| { @@ -136,13 +137,13 @@ impl Identity { #[cfg(feature = "digest")] pub fn with_digest<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self { use blake2::{ - digest::{Input, VariableOutput}, + digest::{Update, VariableOutput}, VarBlake2b, };
let mut hasher = VarBlake2b::new(ID_LEN).unwrap(); - hasher.input(vec.into()); - Self::truncate(&hasher.vec_result()) + hasher.update(vec.into()); + Self::truncate(hasher.finalize_boxed()) }
/// Generate a new random Identity
Applied!
Commit: 384248f32c5507c20e2816890f7fcf3459dbff03
Alyssa Ross hi@alyssa.is writes:
0.8.1 depends on a version of generic_array that has an unsoundness bug.
The VarBlake2b hasher now gives us a Box<[u8]> instead of a Vec, which meant it could no longer be passed straight to Identity::truncate in ratman-identity. I noticed that that method took an Into<&Vec<u8>>, which I don't think anything other than Vec actually implements -- other things implement Into<Vec<u8>>, but not Into<&Vec<u8>>. I think the correct type to use here to allow a vec to be borrowed is AsRef<[u8]> (which types like Box<[u8]> do actually implement), so I've changed it to take that instead.
Cargo.lock | 94 +++++---------------------- irdest-core/Cargo.toml | 2 +- irdest-core/src/auth/pwhash.rs | 4 +- irdest-core/src/messages/generator.rs | 2 +- ratman/identity/Cargo.toml | 2 +- ratman/identity/src/lib.rs | 15 +++-- 6 files changed, 31 insertions(+), 88 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock index 2f1dfdd1..724cd098 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -313,27 +313,15 @@ version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
-[[package]] -name = "blake2" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94cb07b0da6a73955f8fb85d24c466778e70cda767a568229b104f0264089330" -dependencies = [
- "byte-tools",
- "crypto-mac 0.7.0",
- "digest 0.8.1",
- "opaque-debug 0.2.3",
-]
[[package]] name = "blake2" version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10a5720225ef5daecf08657f23791354e1685a8c91a4c60c7f3d3b2892f978f4" dependencies = [
- "crypto-mac 0.8.0",
- "digest 0.9.0",
- "opaque-debug 0.3.0",
- "crypto-mac",
- "digest",
- "opaque-debug",
]
[[package]] @@ -342,7 +330,7 @@ version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" dependencies = [
- "generic-array 0.14.4",
- "generic-array",
]
[[package]] @@ -365,12 +353,6 @@ version = "3.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "63396b8a4b9de3f4fdfb320ab6080762242f66a8ef174c49d8e19b674db4cdbe"
-[[package]] -name = "byte-tools" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7"
[[package]] name = "byteorder" version = "1.4.3" @@ -538,24 +520,14 @@ dependencies = [ "lazy_static", ]
-[[package]] -name = "crypto-mac" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5" -dependencies = [
- "generic-array 0.12.4",
- "subtle 1.0.0",
-]
[[package]] name = "crypto-mac" version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b584a330336237c1eecd3e94266efb216c56ed91225d634cb2991c5f3fd1aeab" dependencies = [
- "generic-array 0.14.4",
- "subtle 2.4.0",
- "generic-array",
- "subtle",
]
[[package]] @@ -575,28 +547,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3" dependencies = [ "byteorder",
- "digest 0.9.0",
- "digest", "rand_core 0.5.1",
- "subtle 2.4.0",
- "subtle", "zeroize",
]
-[[package]] -name = "digest" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" -dependencies = [
- "generic-array 0.12.4",
-]
[[package]] name = "digest" version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" dependencies = [
- "generic-array 0.14.4",
- "generic-array",
]
[[package]] @@ -858,15 +821,6 @@ dependencies = [ "system-deps", ]
-[[package]] -name = "generic-array" -version = "0.12.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffdf9f34f1447443d37393cc6c2b8313aebddcd96906caf34e54c68d8e57d7bd" -dependencies = [
- "typenum",
-]
[[package]] name = "generic-array" version = "0.14.4" @@ -1084,8 +1038,8 @@ version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "126888268dcc288495a26bf004b38c5fdbb31682f992c84ceb046a1f0fe38840" dependencies = [
- "crypto-mac 0.8.0",
- "digest 0.9.0",
- "crypto-mac",
- "digest",
]
[[package]] @@ -1123,7 +1077,7 @@ dependencies = [ "async-trait", "base64", "bincode",
- "blake2 0.8.1",
- "blake2", "hex", "ircore-types", "irpc-sdk",
@@ -1284,7 +1238,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae8038be446bbffb5bebe247ab05a1b1cb4c33363e204102a01e44f5933e7451" dependencies = [ "base64",
- "blake2 0.9.1",
- "blake2", "hmac", "pbkdf2", "rand 0.7.3",
@@ -1476,12 +1430,6 @@ version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3"
-[[package]] -name = "opaque-debug" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"
[[package]] name = "opaque-debug" version = "0.3.0" @@ -1536,12 +1484,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "216eaa586a190f0a738f2f918511eecfa90f13295abec0e457cdebcceda80cbd" dependencies = [ "base64",
- "crypto-mac 0.8.0",
- "crypto-mac", "hmac", "rand 0.7.3", "rand_core 0.5.1", "sha2",
- "subtle 2.4.0",
- "subtle",
]
[[package]] @@ -1817,7 +1765,7 @@ name = "ratman-identity" version = "0.6.2" dependencies = [ "bincode",
- "blake2 0.8.1",
- "blake2", "cfg-if 1.0.0", "hex", "rand 0.7.3",
@@ -1980,8 +1928,8 @@ dependencies = [ "block-buffer", "cfg-if 1.0.0", "cpuid-bool",
- "digest 0.9.0",
- "opaque-debug 0.3.0",
- "digest",
- "opaque-debug",
]
[[package]] @@ -2098,12 +2046,6 @@ dependencies = [ "syn 1.0.69", ]
-[[package]] -name = "subtle" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee"
[[package]] name = "subtle" version = "2.4.0" diff --git a/irdest-core/Cargo.toml b/irdest-core/Cargo.toml index ca894c73..3b2767bd 100644 --- a/irdest-core/Cargo.toml +++ b/irdest-core/Cargo.toml @@ -16,7 +16,7 @@ async-std = { version = "1.0", features = ["attributes", "unstable"] } async-trait = "0.1" base64 = "0.12" bincode = "1.0" -blake2 = "0.8" +blake2 = "0.9" hex = "0.4" jni = { version = "0.14", optional = true, default-features = false } rand = "0.7" diff --git a/irdest-core/src/auth/pwhash.rs b/irdest-core/src/auth/pwhash.rs index 35723157..0a916af6 100644 --- a/irdest-core/src/auth/pwhash.rs +++ b/irdest-core/src/auth/pwhash.rs @@ -28,7 +28,7 @@ impl PwHash { let new = Blake2b::new() .chain(pw.into()) .chain(&self.salt)
.result()
.finalize() .to_vec(); self.hash == new
@@ -54,7 +54,7 @@ impl PwHash { let hash = Blake2b::new() .chain(pw.into()) .chain(&salt)
.result()
.finalize() .to_vec(); Self { hash, salt }
diff --git a/irdest-core/src/messages/generator.rs b/irdest-core/src/messages/generator.rs index 351177e6..af7f0b89 100644 --- a/irdest-core/src/messages/generator.rs +++ b/irdest-core/src/messages/generator.rs @@ -72,7 +72,7 @@ impl MsgBuilder { pub(crate) fn generate(&self) -> Message { let mut rng = rand::thread_rng(); let sender = self.sender.clone().unwrap_or_else(|| {
Identity::truncate(&Standard.sample_iter(rng).take(ID_LEN).collect())
Identity::truncate(Standard.sample_iter(rng).take(ID_LEN).collect::<Vec<_>>()) }); let associator = self.associator.clone().unwrap_or("".into()); let id = self.id.clone().unwrap_or_else(|| MsgId::random());
diff --git a/ratman/identity/Cargo.toml b/ratman/identity/Cargo.toml index f4eb957d..28200d5b 100644 --- a/ratman/identity/Cargo.toml +++ b/ratman/identity/Cargo.toml @@ -16,7 +16,7 @@ aligned = []
[dependencies] serde = { version = "1.0", features = ["derive"] } -blake2 = { version = "0.8.0", optional = true } +blake2 = { version = "0.9.0", optional = true } rand = { version = "0.7", optional = true } cfg-if = "1.0" hex = "0.4" diff --git a/ratman/identity/src/lib.rs b/ratman/identity/src/lib.rs index f0c7b674..7c7192f1 100644 --- a/ratman/identity/src/lib.rs +++ b/ratman/identity/src/lib.rs @@ -72,12 +72,13 @@ impl Identity { /// /// This function will panic, if the provided vector isn't long /// enough, but extra data will simply be discarded.
- pub fn truncate<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self {
let vec = vec.into();
assert!(vec.len() >= ID_LEN);
pub fn truncate(bytes: impl AsRef<[u8]>) -> Self {
let bytes = bytes.as_ref();
assert!(bytes.len() >= ID_LEN); Self(
vec.into_iter()
bytes
.into_iter() .enumerate() .take(ID_LEN) .fold([0; ID_LEN], |mut buf, (i, u)| {
@@ -136,13 +137,13 @@ impl Identity { #[cfg(feature = "digest")] pub fn with_digest<'vec, V: Into<&'vec Vec<u8>>>(vec: V) -> Self { use blake2::{
digest::{Input, VariableOutput},
digest::{Update, VariableOutput}, VarBlake2b, }; let mut hasher = VarBlake2b::new(ID_LEN).unwrap();
hasher.input(vec.into());
Self::truncate(&hasher.vec_result())
hasher.update(vec.into());
Self::truncate(hasher.finalize_boxed())
}
/// Generate a new random Identity
-- 2.30.0