crypto.rs icon indicating copy to clipboard operation
crypto.rs copied to clipboard

Published 20 hours ago verified publisher icon iotaledger

Bump dependencies to fix vulnerability from `cargo audit`

Open wulfraem opened this issue 8 months ago • 0 comments

Description of change

Running cargo audit in identity.rs currently producing errors due to vulnerabilities in the current curve25519-dalek version:

Crate:     curve25519-dalek
Version:   3.2.0
Title:     Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
Date:      2024-06-18
ID:        RUSTSEC-2024-0344
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0344
Solution:  Upgrade to >=4.1.3
Dependency tree:
curve25519-dalek 3.2.0
├── x25519-dalek 1.1.1
│   ├── iota-crypto 0.23.1
│   └── age 0.9.2
│       └── iota-crypto 0.23.1
└── iota-crypto 0.23.1

error: 1 vulnerability found!

Same audit message could be produces when running cargo audit in crypto.rs. This PR bumps the dependencies to fix the vulnerability.

Changes:

  • bump dependencies to latest versions:
    • curve25519-dalek
    • x25519-dalek
    • age
  • remove by now outdated feature u64_backend for
    • curve25519-dalek
    • x25519-dalek
  • enable features for x25519-dalek:
    • static_secrets
    • zeroize
  • fix cargo clippy messages from CI

The features static_secrets and zeroize had to be enabled for x25519-dalek so that identity.rs to be able to use crypto.rs with the updated dependencies.

⚠️ There may be dragons (or not)

Interestingly, all tests run with cargo test --lib --all --all-features --tests completed successfully without the features static_secrets and zeroize, but building identity.rs against a version without those features enabled fails due to:

  • x25519_dalek::StaticSecret not being found in crypto.rs/src/keys/x25519.rs:105
  • not being able to derive Zeroize and ZeroizeOnDrop in crypto.rs/src/keys/x25519.rs:105

So the outward behavior changes without those features.

I'm not entirely sure, if similar behavior changes may affect other dependents similarly for other features.

Type of change

Choose a type of change, and delete any options that are not relevant.

  • [ ] Bug fix (a non-breaking change which fixes an issue)
  • [ ] Enhancement (a non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] Documentation Fix
  • [x] Chore?

How the change has been tested

cargo audit on current dev should produce the message from above, doing the same on this branch should not.

Tested locally and verified with CI.

Change checklist

Add an x to the boxes that are relevant to your changes, and delete any items that are not.

  • [x] I have followed the contribution guidelines for this project
  • [x] I have performed a self-review of my own code
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [x] New and existing unit tests pass locally with my changes

wulfraem avatar Jun 28 '24 14:06 wulfraem