replace crates hmac-sha1 and hmac-sha256 with equivalent crates from RustCrypto (#288)

2023-07-10 10:53:31 -04:00 · 2023-07-10 10:53:31 -04:00 · d1ff150cbf
commit d1ff150cbf
parent 9c6d10dc1f
7 changed files with 27 additions and 41 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1156,21 +1156,6 @@ dependencies = [
 "digest",
 ]

-[[package]]
-name = "hmac-sha1"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1333fad8d94b82cab989da428b0b36a3435db3870d85e971a1d6dc0a8576722"
-dependencies = [
- "sha1 0.2.0",
-]
-
-[[package]]
-name = "hmac-sha256"
-version = "1.1.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3688e69b38018fec1557254f64c8dc2cc8ec502890182f395dbb0aa997aa5735"
-
 [[package]]
 name = "html5ever"
 version = "0.25.2"
@ -2812,12 +2797,6 @@ dependencies = [
 "stable_deref_trait",
 ]

-[[package]]
-name = "sha1"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc30b1e1e8c40c121ca33b86c23308a090d19974ef001b4bf6e61fd1a0fb095c"
-
 [[package]]
 name = "sha1"
 version = "0.6.1"
@ -3032,8 +3011,7 @@ dependencies = [
 "anyhow",
 "base64 0.13.1",
 "cookie 0.14.4",
- "hmac-sha1",
- "hmac-sha256",
+ "hmac",
 "lazy_static 1.4.0",
 "log",
 "maplit",
@ -3050,6 +3028,8 @@ dependencies = [
 "serde",
 "serde_json",
 "serde_path_to_error",
+ "sha1 0.10.5",
+ "sha2",
 "standback",
 "thiserror",
 "uuid",
@ -3071,7 +3051,6 @@ dependencies = [
 "crossterm",
 "dirs",
 "gethostname",
- "hmac-sha1",
 "inout",
 "keyring",
 "lazy_static 1.4.0",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -31,7 +31,6 @@ path = "src/main.rs"

 [dependencies]
 anyhow = "^1.0"
-hmac-sha1 = "^0.1"
 base64 = "0.13.0"
 text_io = "0.1.8"
 rpassword = "5.0"
--- a/steamguard/Cargo.toml
+++ b/steamguard/Cargo.toml
@ -12,7 +12,7 @@ license = "MIT OR Apache-2.0"

 [dependencies]
 anyhow = "^1.0"
-hmac-sha1 = "^0.1"
+sha1 = "^0.10"
 base64 = "0.13.0"
 reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls", "multipart"] }
 serde = { version = "1.0", features = ["derive"] }
@ -32,9 +32,10 @@ secrecy = { version = "0.8", features = ["serde"] }
 zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
 protobuf = "3.2.0"
 protobuf-json-mapping = "3.2.0"
-hmac-sha256 = "1.1.7"
 phonenumber = "0.3"
 serde_path_to_error = "0.1.11"
+hmac = "^0.12"
+sha2 = "^0.10"

 [build-dependencies]
 anyhow = "^1.0"
--- a/steamguard/src/confirmation.rs
+++ b/steamguard/src/confirmation.rs
@ -1,6 +1,6 @@
 use std::borrow::Cow;

-use hmacsha1::hmac_sha1;
+use hmac::{Hmac, Mac};
 use log::*;
 use reqwest::{
 	cookie::CookieStore,
@ -9,6 +9,7 @@ use reqwest::{
 };
 use secrecy::ExposeSecret;
 use serde::Deserialize;
+use sha1::Sha1;

 use crate::{
 	steamapi::{self},
@ -403,10 +404,11 @@ fn generate_confirmation_hash_for_time(
 	identity_secret: impl AsRef<[u8]>,
 ) -> String {
 	let decode: &[u8] = &base64::decode(identity_secret).unwrap();
-	let time_bytes = build_time_bytes(time);
-	let tag_bytes = tag.as_bytes();
-	let array = [&time_bytes, tag_bytes].concat();
-	let hash = hmac_sha1(decode, &array);
+	let mut mac = Hmac::<Sha1>::new_from_slice(decode).unwrap();
+	mac.update(&build_time_bytes(time));
+	mac.update(tag.as_bytes());
+	let result = mac.finalize();
+	let hash = result.into_bytes();
 	base64::encode(hash)
 }

--- a/steamguard/src/lib.rs
+++ b/steamguard/src/lib.rs
@ -32,7 +32,6 @@ pub mod userlogin;

 extern crate base64;
 extern crate cookie;
-extern crate hmacsha1;

 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SteamGuardAccount {
--- a/steamguard/src/qrapprover.rs
+++ b/steamguard/src/qrapprover.rs
@ -1,5 +1,7 @@
+use hmac::{Hmac, Mac};
 use log::debug;
 use reqwest::IntoUrl;
+use sha2::Sha256;

 use crate::{
 	protobufs::steammessages_auth_steamclient::CAuthentication_UpdateAuthSessionWithMobileConfirmation_Request,
@ -67,12 +69,12 @@ fn build_signature(
 	steam_id: u64,
 	challenge: &Challenge,
 ) -> [u8; 32] {
-	let mut data = Vec::<u8>::with_capacity(18);
-	data.extend_from_slice(&challenge.version.to_le_bytes());
-	data.extend_from_slice(&challenge.client_id.to_le_bytes());
-	data.extend_from_slice(&steam_id.to_le_bytes());
-
-	hmac_sha256::HMAC::mac(data, shared_secret.expose_secret())
+	let mut mac = Hmac::<Sha256>::new_from_slice(shared_secret.expose_secret()).unwrap();
+	mac.update(&challenge.version.to_le_bytes());
+	mac.update(&challenge.client_id.to_le_bytes());
+	mac.update(&steam_id.to_le_bytes());
+	let result = mac.finalize();
+	result.into_bytes().into()
 }

 fn parse_challenge_url(challenge_url: impl IntoUrl) -> Result<Challenge, QrApproverError> {
--- a/steamguard/src/token.rs
+++ b/steamguard/src/token.rs
@ -1,5 +1,7 @@
+use hmac::{Hmac, Mac};
 use secrecy::{ExposeSecret, Secret, SecretString};
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
+use sha1::Sha1;
 use std::convert::TryInto;

 #[derive(Debug, Clone)]
@ -34,9 +36,11 @@ impl TwoFactorSecret {
 			86, 87, 88, 89,
 		];

+		let mut mac = Hmac::<Sha1>::new_from_slice(self.0.expose_secret()).unwrap();
 		// this effectively makes it so that it creates a new code every 30 seconds.
-		let time_bytes: [u8; 8] = build_time_bytes(time / 30u64);
-		let hashed_data = hmacsha1::hmac_sha1(self.0.expose_secret(), &time_bytes);
+		mac.update(&build_time_bytes(time / 30u64));
+		let result = mac.finalize();
+		let hashed_data = result.into_bytes();
 		let mut code_array: [u8; 5] = [0; 5];
 		let b = (hashed_data[19] & 0xF) as usize;
 		let mut code_point: i32 = ((hashed_data[b] & 0x7F) as i32) << 24