upgrade some dependencies (#272)

- upgrade `rsa`, `zeroize` crates, closes #268 - switch to parrallelized pbkdf2, closes #271 - cargo update
2023-07-03 11:42:10 -04:00 · 2023-07-03 11:42:10 -04:00 · 969baeed4c
commit 969baeed4c
parent d5218d770e
9 changed files with 649 additions and 492 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -38,8 +38,8 @@ rpassword = "5.0"
 reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-rsa = "0.5.0"
-rand = "0.8.4"
+rsa = "0.9.2"
+rand = "0.8.5"
 standback = "0.2.17" # required to fix a compilation error on a transient dependency
 clap = { version = "3.1.18", features = ["derive", "cargo", "env"] }
 clap_complete = "3.2.1"
@ -51,14 +51,13 @@ lazy_static = "1.4.0"
 uuid = { version = "0.8", features = ["v4"] }
 steamguard = { version = "^0.9.5", path = "./steamguard" }
 dirs = "3.0.2"
-ring = { version = "0.16.20", features = ["std"] }
 aes = "0.8.3"
 thiserror = "1.0.26"
 crossterm = { version = "0.23.2", features = ["event-stream"] }
 qrcode = { version = "0.12.0", optional = true }
 gethostname = "0.4.3"
 secrecy = { version = "0.8", features = ["serde"] }
-zeroize = "^1.4.3"
+zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
 serde_path_to_error = "0.1.11"
 update-informer = { version = "1.0.0", optional = true, default-features = false, features = ["github"] }
 phonenumber = "0.3"
@ -66,6 +65,8 @@ cbc = { version = "0.1.2", features = ["std"] }
 inout = { version = "0.1.3", features = ["std"] }
 keyring = { version = "2.0.4", optional = true }
 argon2 = { version = "0.5.0", features = ["std"] }
+pbkdf2 = { version = "0.12.1", features = ["parallel"] }
+sha1 = "0.10.5"

 [dev-dependencies]
 tempdir = "0.3"
--- a/src/accountmanager/legacy.rs
+++ b/src/accountmanager/legacy.rs
@ -10,7 +10,7 @@ use log::debug;
 use secrecy::{CloneableSecret, DebugSecret, ExposeSecret};
 use serde::Deserialize;
 use steamguard::{token::TwoFactorSecret, SecretString, SteamGuardAccount};
-use zeroize::Zeroize;
+use zeroize::{Zeroize, ZeroizeOnDrop};

 use crate::encryption::{EntryEncryptor, LegacySdaCompatible};

@ -139,8 +139,7 @@ pub struct SdaAccount {
 	pub session: Option<secrecy::Secret<Session>>,
 }

-#[derive(Debug, Clone, Deserialize, Zeroize)]
-#[zeroize(drop)]
+#[derive(Debug, Clone, Deserialize, Zeroize, ZeroizeOnDrop)]
 #[deprecated(note = "this is not used anymore, the closest equivalent is `Tokens`")]
 pub struct Session {
 	#[serde(default, rename = "SessionID")]
--- a/src/encryption.rs
+++ b/src/encryption.rs
@ -2,7 +2,6 @@ use aes::cipher::InvalidLength;

 use rand::Rng;

-use ring::rand::SecureRandom;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;

--- a/src/encryption/argon2id_aes.rs
+++ b/src/encryption/argon2id_aes.rs
@ -44,11 +44,11 @@ impl Argon2idAes256 {

 impl EntryEncryptor for Argon2idAes256 {
 	fn generate() -> Self {
-		let rng = ring::rand::SystemRandom::new();
+		let mut rng = rand::rngs::OsRng;
 		let mut salt = [0u8; Self::SALT_LENGTH];
 		let mut iv = [0u8; Self::IV_LENGTH];
-		rng.fill(&mut salt).expect("Unable to generate salt.");
-		rng.fill(&mut iv).expect("Unable to generate IV.");
+		rng.fill(&mut salt);
+		rng.fill(&mut iv);
 		Argon2idAes256 {
 			iv: base64::encode(iv),
 			salt: base64::encode(salt),
--- a/src/encryption/legacy.rs
+++ b/src/encryption/legacy.rs
@ -2,7 +2,7 @@ use aes::cipher::block_padding::Pkcs7;
 use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit};
 use aes::Aes256;
 use log::*;
-use ring::pbkdf2;
+use sha1::Sha1;

 use super::*;

@ -23,11 +23,10 @@ impl LegacySdaCompatible {
 		let password_bytes = passkey.as_bytes();
 		let salt_bytes = base64::decode(salt)?;
 		let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
-		pbkdf2::derive(
-			pbkdf2::PBKDF2_HMAC_SHA1,
-			std::num::NonZeroU32::new(Self::PBKDF2_ITERATIONS).unwrap(),
-			&salt_bytes,
+		pbkdf2::pbkdf2_hmac::<Sha1>(
 			password_bytes,
+			&salt_bytes,
+			Self::PBKDF2_ITERATIONS,
 			&mut full_key,
 		);
 		Ok(full_key)
@ -36,11 +35,11 @@ impl LegacySdaCompatible {

 impl EntryEncryptor for LegacySdaCompatible {
 	fn generate() -> LegacySdaCompatible {
-		let rng = ring::rand::SystemRandom::new();
+		let mut rng = rand::rngs::OsRng;
 		let mut salt = [0u8; Self::SALT_LENGTH];
 		let mut iv = [0u8; Self::IV_LENGTH];
-		rng.fill(&mut salt).expect("Unable to generate salt.");
-		rng.fill(&mut iv).expect("Unable to generate IV.");
+		rng.fill(&mut salt);
+		rng.fill(&mut iv);
 		LegacySdaCompatible {
 			iv: base64::encode(iv),
 			salt: base64::encode(salt),
--- a/src/main.rs
+++ b/src/main.rs
@ -21,7 +21,6 @@ extern crate base64;
 extern crate dirs;
 #[cfg(test)]
 extern crate proptest;
-extern crate ring;
 mod accountmanager;
 mod commands;
 mod debug;
--- a/steamguard/Cargo.toml
+++ b/steamguard/Cargo.toml
@ -17,7 +17,7 @@ base64 = "0.13.0"
 reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls", "multipart"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-rsa = "0.5.0"
+rsa = "0.9.2"
 rand = "0.8.4"
 standback = "0.2.17" # required to fix a compilation error on a transient dependency
 cookie = "0.14"
--- a/steamguard/src/userlogin.rs
+++ b/steamguard/src/userlogin.rs
@ -18,7 +18,7 @@ use crate::steamapi::EResult;
 use crate::token::Tokens;
 use crate::transport::Transport;
 use log::*;
-use rsa::{PublicKey, RsaPublicKey};
+use rsa::{Pkcs1v15Encrypt, RsaPublicKey};
 use std::time::Duration;

 #[derive(Debug)]
@ -272,13 +272,12 @@ fn encrypt_password(
 	let rsa_modulus = rsa::BigUint::parse_bytes(rsa_resp.publickey_mod().as_bytes(), 16).unwrap();
 	let public_key = RsaPublicKey::new(rsa_modulus, rsa_exponent).unwrap();
 	#[cfg(test)]
-	let mut rng = rand::rngs::mock::StepRng::new(2, 1);
+	let mut rng = tests::MockStepRng(rand::rngs::mock::StepRng::new(2, 1));
 	#[cfg(not(test))]
 	let mut rng = rand::rngs::OsRng;
-	let padding = rsa::PaddingScheme::new_pkcs1v15_encrypt();
 	base64::encode(
 		public_key
-			.encrypt(&mut rng, padding, password.as_ref())
+			.encrypt(&mut rng, Pkcs1v15Encrypt, password.as_ref())
 			.unwrap(),
 	)
 }
@ -406,6 +405,26 @@ impl From<anyhow::Error> for UpdateAuthSessionError {
 mod tests {
 	use super::*;

+	pub(crate) struct MockStepRng(pub rand::rngs::mock::StepRng);
+	impl rand::RngCore for MockStepRng {
+		fn next_u32(&mut self) -> u32 {
+			self.0.next_u32()
+		}
+
+		fn next_u64(&mut self) -> u64 {
+			self.0.next_u64()
+		}
+
+		fn fill_bytes(&mut self, dest: &mut [u8]) {
+			self.0.fill_bytes(dest)
+		}
+
+		fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand::Error> {
+			self.0.try_fill_bytes(dest)
+		}
+	}
+	impl rand::CryptoRng for MockStepRng {}
+
 	#[test]
 	fn test_encrypt_password() {
 		let mut rsa_resp = CAuthentication_GetPasswordRSAPublicKey_Response::new();