From d1ff150cbfda5f7e780da0585ed3413d52ad0af0 Mon Sep 17 00:00:00 2001 From: Carson McManus Date: Mon, 10 Jul 2023 10:53:31 -0400 Subject: [PATCH] replace crates hmac-sha1 and hmac-sha256 with equivalent crates from RustCrypto (#288) --- Cargo.lock | 27 +++------------------------ Cargo.toml | 1 - steamguard/Cargo.toml | 5 +++-- steamguard/src/confirmation.rs | 12 +++++++----- steamguard/src/lib.rs | 1 - steamguard/src/qrapprover.rs | 14 ++++++++------ steamguard/src/token.rs | 8 ++++++-- 7 files changed, 27 insertions(+), 41 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a83cb29..f03bb23 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1156,21 +1156,6 @@ dependencies = [ "digest", ] -[[package]] -name = "hmac-sha1" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1333fad8d94b82cab989da428b0b36a3435db3870d85e971a1d6dc0a8576722" -dependencies = [ - "sha1 0.2.0", -] - -[[package]] -name = "hmac-sha256" -version = "1.1.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3688e69b38018fec1557254f64c8dc2cc8ec502890182f395dbb0aa997aa5735" - [[package]] name = "html5ever" version = "0.25.2" @@ -2812,12 +2797,6 @@ dependencies = [ "stable_deref_trait", ] -[[package]] -name = "sha1" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc30b1e1e8c40c121ca33b86c23308a090d19974ef001b4bf6e61fd1a0fb095c" - [[package]] name = "sha1" version = "0.6.1" @@ -3032,8 +3011,7 @@ dependencies = [ "anyhow", "base64 0.13.1", "cookie 0.14.4", - "hmac-sha1", - "hmac-sha256", + "hmac", "lazy_static 1.4.0", "log", "maplit", @@ -3050,6 +3028,8 @@ dependencies = [ "serde", "serde_json", "serde_path_to_error", + "sha1 0.10.5", + "sha2", "standback", "thiserror", "uuid", @@ -3071,7 +3051,6 @@ dependencies = [ "crossterm", "dirs", "gethostname", - "hmac-sha1", "inout", "keyring", "lazy_static 1.4.0", diff --git a/Cargo.toml b/Cargo.toml index 374df23..f8a436f 100644 
--- a/Cargo.toml +++ b/Cargo.toml @@ -31,7 +31,6 @@ path = "src/main.rs" [dependencies] anyhow = "^1.0" -hmac-sha1 = "^0.1" base64 = "0.13.0" text_io = "0.1.8" rpassword = "5.0" diff --git a/steamguard/Cargo.toml b/steamguard/Cargo.toml index f689e0b..f3e846e 100644 --- a/steamguard/Cargo.toml +++ b/steamguard/Cargo.toml @@ -12,7 +12,7 @@ license = "MIT OR Apache-2.0" [dependencies] anyhow = "^1.0" -hmac-sha1 = "^0.1" +sha1 = "^0.10" base64 = "0.13.0" reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls", "multipart"] } serde = { version = "1.0", features = ["derive"] } @@ -32,9 +32,10 @@ secrecy = { version = "0.8", features = ["serde"] } zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] } protobuf = "3.2.0" protobuf-json-mapping = "3.2.0" -hmac-sha256 = "1.1.7" phonenumber = "0.3" serde_path_to_error = "0.1.11" +hmac = "^0.12" +sha2 = "^0.10" [build-dependencies] anyhow = "^1.0" diff --git a/steamguard/src/confirmation.rs b/steamguard/src/confirmation.rs index c09c29c..ef3acfd 100644 --- a/steamguard/src/confirmation.rs +++ b/steamguard/src/confirmation.rs @@ -1,6 +1,6 @@ use std::borrow::Cow; -use hmacsha1::hmac_sha1; +use hmac::{Hmac, Mac}; use log::*; use reqwest::{ cookie::CookieStore, @@ -9,6 +9,7 @@ use reqwest::{ }; use secrecy::ExposeSecret; use serde::Deserialize; +use sha1::Sha1; use crate::{ steamapi::{self}, @@ -403,10 +404,11 @@ fn generate_confirmation_hash_for_time( identity_secret: impl AsRef<[u8]>, ) -> String { let decode: &[u8] = &base64::decode(identity_secret).unwrap(); - let time_bytes = build_time_bytes(time); - let tag_bytes = tag.as_bytes(); - let array = [&time_bytes, tag_bytes].concat(); - let hash = hmac_sha1(decode, &array); + let mut mac = Hmac::::new_from_slice(decode).unwrap(); + mac.update(&build_time_bytes(time)); + mac.update(tag.as_bytes()); + let result = mac.finalize(); + let hash = result.into_bytes(); base64::encode(hash) } 
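Review bot: After this swap the lockfile still carries two SHA-1 crates: the `sha1` 0.6.1 package entry is left untouched in Cargo.lock, while steamguard now resolves `sha1 0.10.5` through the new `sha1 = "^0.10"` line in steamguard/Cargo.toml. Which dependency still pulls in 0.6.1 is not visible in this patch; `cargo tree -i sha1@0.6.1` would show it. If it is purely transitive that is fine, but a line in the commit message would keep the leftover from reading as an unfinished migration.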
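Review bot: The `.unwrap()` added on `new_from_slice(decode)` in generate_confirmation_hash_for_time reads like a possible panic on key material, but HMAC accepts keys of any length, so the call cannot fail. State that invariant with `.expect("HMAC accepts keys of any length")`. The same applies to the `new_from_slice(...).unwrap()` calls added in build_signature (qrapprover.rs) and in the TwoFactorSecret hunk of token.rs. The call that can really panic is the unchanged `base64::decode(identity_secret).unwrap()` one line above, which depends on whatever the caller passes in. The function's signature starts outside the hunk.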
diff --git a/steamguard/src/lib.rs b/steamguard/src/lib.rs index 1467e28..bb98fc3 100644 --- a/steamguard/src/lib.rs +++ b/steamguard/src/lib.rs @@ -32,7 +32,6 @@ pub mod userlogin; extern crate base64; extern crate cookie; -extern crate hmacsha1; #[derive(Debug, Clone, Serialize, Deserialize)] pub struct SteamGuardAccount { diff --git a/steamguard/src/qrapprover.rs b/steamguard/src/qrapprover.rs index 00f8f0e..5db8d4e 100644 --- a/steamguard/src/qrapprover.rs +++ b/steamguard/src/qrapprover.rs @@ -1,5 +1,7 @@ +use hmac::{Hmac, Mac}; use log::debug; use reqwest::IntoUrl; +use sha2::Sha256; use crate::{ protobufs::steammessages_auth_steamclient::CAuthentication_UpdateAuthSessionWithMobileConfirmation_Request, @@ -67,12 +69,12 @@ fn build_signature( steam_id: u64, challenge: &Challenge, ) -> [u8; 32] { - let mut data = Vec::::with_capacity(18); - data.extend_from_slice(&challenge.version.to_le_bytes()); - data.extend_from_slice(&challenge.client_id.to_le_bytes()); - data.extend_from_slice(&steam_id.to_le_bytes()); - - hmac_sha256::HMAC::mac(data, shared_secret.expose_secret()) + let mut mac = Hmac::::new_from_slice(shared_secret.expose_secret()).unwrap(); + mac.update(&challenge.version.to_le_bytes()); + mac.update(&challenge.client_id.to_le_bytes()); + mac.update(&steam_id.to_le_bytes()); + let result = mac.finalize(); + result.into_bytes().into() } fn parse_challenge_url(challenge_url: impl IntoUrl) -> Result { diff --git a/steamguard/src/token.rs b/steamguard/src/token.rs index dff0c59..9ecb030 100644 --- a/steamguard/src/token.rs +++ b/steamguard/src/token.rs @@ -1,5 +1,7 @@ +use hmac::{Hmac, Mac}; use secrecy::{ExposeSecret, Secret, SecretString}; use serde::{Deserialize, Deserializer, Serialize, Serializer}; +use sha1::Sha1; use std::convert::TryInto; #[derive(Debug, Clone)] 
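Review bot: In build_signature the removed `with_capacity(18)` buffer was the only hint of the signed message's total length, and the three `mac.update(...)` calls that replace it leave the layout undocumented. A comment above them such as `// signed message: version || client_id || steam_id, each little-endian, no separators` would keep that documented. The field widths come from `Challenge`, which is defined outside this hunk, so the 18-byte total is inferred from the removed line only. Streaming the fields is equivalent to hashing the concatenation, so the output should not change.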
@@ -34,9 +36,11 @@ impl TwoFactorSecret { 86, 87, 88, 89, ]; + let mut mac = Hmac::::new_from_slice(self.0.expose_secret()).unwrap(); // this effectively makes it so that it creates a new code every 30 seconds. - let time_bytes: [u8; 8] = build_time_bytes(time / 30u64); - let hashed_data = hmacsha1::hmac_sha1(self.0.expose_secret(), &time_bytes); + mac.update(&build_time_bytes(time / 30u64)); + let result = mac.finalize(); + let hashed_data = result.into_bytes(); let mut code_array: [u8; 5] = [0; 5]; let b = (hashed_data[19] & 0xF) as usize; let mut code_point: i32 = ((hashed_data[b] & 0x7F) as i32) << 24
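Review bot: Nothing in this hunk pins the generated code to a known value, although `hashed_data` now comes from a different crate and is still indexed directly by `hashed_data[19]` and `hashed_data[b]`. The indexing stays in bounds for what is visible (HMAC-SHA1 output is 20 bytes and `b` is at most 15), but a known-answer test with a fixed secret and timestamp, with the expected code taken from the previous implementation, would show the swap is byte-compatible. Such a test may already exist elsewhere in token.rs; the enclosing function starts and ends outside the hunk. The same kind of fixed vector would also cover generate_confirmation_hash_for_time and build_signature.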