From 90da94fff3ee7e4c2cc49865bf8978d3fa89e22f Mon Sep 17 00:00:00 2001 From: Deirdre Connolly Date: Tue, 16 Nov 2021 14:47:54 -0500 Subject: [PATCH] Upgrade crypto deps (#3059) * Upgrade aes and fpe * Upgrade bellman, bls12_381, jubjub to latest * Upgrade x25519-dalek to 1.2.0 and curve25519-dalek to 3.2.0 in the Cargo.lock * Skip outdated hdrhistogram rather than its dependencies Co-authored-by: teor --- Cargo.lock | 182 +++++++++---------------------------- deny.toml | 10 +- zebra-chain/Cargo.toml | 12 +-- zebra-consensus/Cargo.toml | 6 +- zebra-state/Cargo.toml | 49 +++++----- 5 files changed, 75 insertions(+), 184 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f46776f6e..316a03b2e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -68,17 +68,6 @@ dependencies = [ "generic-array", ] -[[package]] -name = "aes" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "884391ef1066acaa41e766ba8f596341b96e93ce34f9a43e7d24bf0a0eaf0561" -dependencies = [ - "aes-soft", - "aesni", - "cipher 0.2.5", -] - [[package]] name = "aes" version = "0.7.5" @@ -86,31 +75,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8" dependencies = [ "cfg-if 1.0.0", - "cipher 0.3.0", + "cipher", "cpufeatures", "opaque-debug", ] -[[package]] -name = "aes-soft" -version = "0.6.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be14c7498ea50828a38d0e24a765ed2effe92a705885b57d029cd67d45744072" -dependencies = [ - "cipher 0.2.5", - "opaque-debug", -] - -[[package]] -name = "aesni" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea2e11f5e94c2f7d386164cc2aa1f97823fed6f259e486940a71c174dd01b0ce" -dependencies = [ - "cipher 0.2.5", - "opaque-debug", -] - [[package]] name = "ahash" version = "0.7.4" 
@@ -272,21 +241,22 @@ checksum = "cf9ff0bbfd639f15c74af777d81383cf53efb7c93613f6cab67c6c11e05bbf8b" [[package]] name = "bellman" -version = "0.10.0" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7db9a104adfbc817ea09dec27d616c32dbf1d56fd741dcdc2444a3dfa1b9fffd" +checksum = "0944d18a9a37691b87733b39c9360c9950af9aa5f97e2455bc108d8eb64fc1c1" dependencies = [ "bitvec", "blake2s_simd", "byteorder", - "crossbeam", - "ff 0.10.0", - "futures 0.1.30", - "futures-cpupool", - "group 0.10.0", + "crossbeam-channel 0.5.1", + "ff 0.11.0", + "group 0.11.0", + "lazy_static", + "log", "num_cpus", - "pairing 0.20.0", + "pairing", "rand_core 0.6.3", + "rayon", "subtle", ] @@ -429,16 +399,6 @@ dependencies = [ "generic-array", ] -[[package]] -name = "block-modes" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57a0e8073e8baa88212fb5823574c02ebccb395136ba9a164ab89379ec6072f0" -dependencies = [ - "block-padding", - "cipher 0.2.5", -] - [[package]] name = "block-modes" version = "0.8.1" @@ -446,7 +406,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2cb03d1bed155d89dce0f845b7899b18a9a163e148fd004e1c28421a783e2d8e" dependencies = [ "block-padding", - "cipher 0.3.0", + "cipher", ] [[package]] @@ -462,8 +422,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "54757888b09a69be70b5ec303e382a74227392086ba808cb01eeca29233a2397" dependencies = [ "ff 0.10.0", - "group 0.10.0", - "pairing 0.20.0", "rand_core 0.6.3", "subtle", ] @@ -476,7 +434,7 @@ checksum = "6d28daeeded7949f1c7c72693377c98473b00be0aa0023760a84a300e4e7c74b" dependencies = [ "ff 0.11.0", "group 0.11.0", - "pairing 0.21.0", + "pairing", "rand_core 0.6.3", "subtle", ] 
@@ -584,7 +542,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "01b72a433d0cf2aef113ba70f62634c56fddb0f244e6377185c56a7cadbd8f91" dependencies = [ "cfg-if 1.0.0", - "cipher 0.3.0", + "cipher", "cpufeatures", "zeroize", ] @@ -597,7 +555,7 @@ checksum = "3b84ed6d1d5f7aa9bdde921a5090e0ca4d934d250ea3b402a5fab3a994e28a2a" dependencies = [ "aead", "chacha20", - "cipher 0.3.0", + "cipher", "poly1305", "zeroize", ] @@ -616,15 +574,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "cipher" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801" -dependencies = [ - "generic-array", -] - [[package]] name = "cipher" version = "0.3.0" @@ -949,9 +898,9 @@ dependencies = [ [[package]] name = "curve25519-dalek" -version = "3.0.0" +version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8492de420e9e60bc9a1d66e2dbb91825390b738a388606600663fc529b4b307" +checksum = "0b9fdf9972b2bd6af2d913799d9ebc165ea4d2e65878e329d9c6b372c4491b61" dependencies = [ "byteorder", "digest", @@ -1204,29 +1153,16 @@ dependencies = [ "percent-encoding", ] -[[package]] -name = "fpe" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a25080721bbcd2cd4d765b7d607ea350425fa087ce53cd3e31afcacdab850352" -dependencies = [ - "aes 0.6.0", - "block-modes 0.7.0", - "num-bigint 0.3.3", - "num-integer", - "num-traits", -] - [[package]] name = "fpe" version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fcf3e40fc9accc7218e082db8a75aeea244b8f5db73e591774ef93b4276365e6" dependencies = [ - "block-modes 0.8.1", - "cipher 0.3.0", + "block-modes", + "cipher", "libm", - "num-bigint 0.4.2", + "num-bigint", "num-integer", "num-traits", ] 
@@ -1243,12 +1179,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1847abb9cb65d566acd5942e94aea9c8f547ad02c98e1649326fc0e8910b8b1e" -[[package]] -name = "futures" -version = "0.1.30" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c7e4c2612746b0df8fed4ce0c69156021b704c9aefa360311c04e6e9e002eed" - [[package]] name = "futures" version = "0.3.17" @@ -1280,16 +1210,6 @@ version = "0.3.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "88d1c26957f23603395cd326b0ffe64124b818f4449552f960d815cfba83a53d" -[[package]] -name = "futures-cpupool" -version = "0.1.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab90cde24b3319636588d0c35fe03b1333857621051837ed769faefb4c2162e4" -dependencies = [ - "futures 0.1.30", - "num_cpus", -] - [[package]] name = "futures-executor" version = "0.3.17" @@ -2145,17 +2065,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "num-bigint" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f6f7833f2cbf2360a6cfd58cd41a53aa7a90bd4c202f5b1c7dd2ed73c57b2c3" -dependencies = [ - "autocfg", - "num-integer", - "num-traits", -] - [[package]] name = "num-bigint" version = "0.4.2" @@ -2235,13 +2144,13 @@ name = "orchard" version = "0.0.0" source = "git+https://github.com/zcash/orchard.git?rev=2c8241f25b943aa05203eacf9905db117c69bd29#2c8241f25b943aa05203eacf9905db117c69bd29" dependencies = [ - "aes 0.7.5", + "aes", "arrayvec 0.7.1", "bigint", "bitvec", "blake2b_simd", "ff 0.11.0", - "fpe 0.5.0", + "fpe", "group 0.11.0", "halo2", "incrementalmerkletree", 
@@ -2286,15 +2195,6 @@ version = "3.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9ad6d222cdc2351ccabb7af4f68bfaecd601b33c5f10d410ec89d2a273f6fff" -[[package]] -name = "pairing" -version = "0.20.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7de9d09263c9966e8196fe0380c9dbbc7ea114b5cf371ba29004bc1f9c6db7f3" -dependencies = [ - "group 0.10.0", -] - [[package]] name = "pairing" version = "0.21.0" @@ -3721,7 +3621,7 @@ version = "0.2.16" dependencies = [ "color-eyre", "ed25519-zebra", - "futures 0.3.17", + "futures", "futures-core", "pin-project 1.0.7", "rand 0.8.4", @@ -4308,9 +4208,9 @@ dependencies = [ [[package]] name = "x25519-dalek" -version = "1.1.1" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a0c105152107e3b96f6a00a65e86ce82d9b125230e1c4302940eca58ff71f4f" +checksum = "2392b6b94a576b4e2bf3c5b2757d63f10ada8020a2e4d08ac849ebcf6ea8e077" dependencies = [ "curve25519-dalek", "rand_core 0.5.1", @@ -4357,7 +4257,7 @@ name = "zcash_primitives" version = "0.5.0" source = "git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e#53d0a51d33a421cb76d3e3124d1e4c1c9036068e" dependencies = [ - "aes 0.7.5", + "aes", "bip0039", "bitvec", "blake2b_simd", @@ -4367,7 +4267,7 @@ dependencies = [ "chacha20poly1305", "equihash 0.1.0 (git+https://github.com/zcash/librustzcash.git?rev=53d0a51d33a421cb76d3e3124d1e4c1c9036068e)", "ff 0.11.0", - "fpe 0.5.0", + "fpe", "group 0.11.0", "hex", "incrementalmerkletree", @@ -4409,14 +4309,14 @@ dependencies = [ name = "zebra-chain" version = "1.0.0-beta.0" dependencies = [ - "aes 0.6.0", + "aes", "bech32", "bigint", "bitflags", "bitvec", "blake2b_simd", "blake2s_simd", - "bls12_381 0.5.0", + "bls12_381 0.6.0", "bs58", "byteorder", "chrono", 
@@ -4425,14 +4325,14 @@ dependencies = [ "displaydoc", "ed25519-zebra", "equihash 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", - "fpe 0.4.0", - "futures 0.3.17", + "fpe", + "futures", "group 0.11.0", "halo2", "hex", "incrementalmerkletree", "itertools 0.10.1", - "jubjub 0.7.0", + "jubjub 0.8.0", "lazy_static", "orchard", "proptest", @@ -4468,14 +4368,14 @@ version = "1.0.0-beta.0" dependencies = [ "bellman", "blake2b_simd", - "bls12_381 0.5.0", + "bls12_381 0.6.0", "chrono", "color-eyre", "displaydoc", - "futures 0.3.17", + "futures", "futures-util", "halo2", - "jubjub 0.7.0", + "jubjub 0.8.0", "lazy_static", "metrics", "once_cell", @@ -4509,7 +4409,7 @@ dependencies = [ "byteorder", "bytes 1.1.0", "chrono", - "futures 0.3.17", + "futures", "hex", "indexmap", "lazy_static", @@ -4559,11 +4459,11 @@ dependencies = [ "color-eyre", "dirs", "displaydoc", - "futures 0.3.17", + "futures", "halo2", "hex", "itertools 0.10.1", - "jubjub 0.7.0", + "jubjub 0.8.0", "lazy_static", "metrics", "multiset", @@ -4589,7 +4489,7 @@ name = "zebra-test" version = "1.0.0-beta.0" dependencies = [ "color-eyre", - "futures 0.3.17", + "futures", "hex", "lazy_static", "once_cell", @@ -4631,7 +4531,7 @@ dependencies = [ "chrono", "color-eyre", "dirs", - "futures 0.3.17", + "futures", "gumdrop", "hyper", "inferno", @@ -4668,9 +4568,9 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.4.2" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf68b08513768deaa790264a7fac27a58cbf2705cfcdc9448362229217d7e970" +checksum = "4756f7db3f7b5574938c3eb1c117038b8e07f95ee6718c0efad4ac21508f1efd" dependencies = [ "zeroize_derive", ] diff --git a/deny.toml b/deny.toml index ddeecbcc2..72bdf2ea0 100644 --- a/deny.toml +++ b/deny.toml 
@@ -34,12 +34,6 @@ skip-tree = [ # ticket #2953: tracing dependencies { name = "tracing-subscriber", version = "=0.1.6" }, - # ticket #2952: cryptography dependencies - { name = "aes", version = "=0.6.0" }, - { name = "bellman", version = "=0.10.0" }, - { name = "bls12_381", version = "=0.5.0" }, - { name = "fpe", version = "=0.4.0" }, - # ticket #2982: librustzcash and orchard git versions # Note that the equihash duplication is probably because `zcash_primitives` # (which imports it with a path import) is being imported as a git dependency. @@ -61,8 +55,8 @@ skip-tree = [ # tickets #2985 and #2391: tempdir & rand dependencies { name = "tempdir", version = "=0.3.7" }, - # ticket #2998: base64 dependencies - { name = "base64", version = "=0.10.1" }, + # ticket #2998: hdrhistogram dependencies + { name = "hdrhistogram", version = "=6.3.4" }, # ticket #2999: http dependencies { name = "bytes", version = "=0.5.6" }, diff --git a/zebra-chain/Cargo.toml b/zebra-chain/Cargo.toml index 7ec443aac..57fa4f9d7 100644 --- a/zebra-chain/Cargo.toml +++ b/zebra-chain/Cargo.toml @@ -13,25 +13,25 @@ proptest-impl = ["proptest", "proptest-derive", "itertools", "zebra-test", "rand bench = ["zebra-test"] [dependencies] -aes = "0.6" +aes = "0.7.5" bech32 = "0.8.1" bigint = "4.4.3" bitflags = "1.2.1" bitvec = "0.22" blake2b_simd = "0.5.11" blake2s_simd = "0.5.11" -bls12_381 = "0.5.0" +bls12_381 = "0.6.0" bs58 = { version = "0.4", features = ["check"] } byteorder = "1.4" chrono = { version = "0.4", features = ["serde"] } displaydoc = "0.2.2" -fpe = "0.4" +fpe = "0.5.0" futures = "0.3" -group = "0.11" +group = "0.11.0" halo2 = "=0.1.0-beta.1" hex = "0.4" incrementalmerkletree = "0.1.0" -jubjub = "0.7.0" +jubjub = "0.8.0" lazy_static = "1.4.0" orchard = { git = "https://github.com/zcash/orchard.git", rev = "2c8241f25b943aa05203eacf9905db117c69bd29" } rand_core = "0.6" 
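Review bot: In the second deny.toml hunk (`@@ -61,8 +55,8 @@`), the new `skip-tree` entry for `hdrhistogram` `=6.3.4` exempts that crate's whole dependency subtree from the duplicate-version check, which is wider than the single `base64` `=0.10.1` exception it replaces. Any further duplicate that later appears underneath hdrhistogram would pass cargo-deny without a finding. The comment should record what the entry is meant to cover and when it can be removed, for example `# ticket #2998: hdrhistogram 6.3.4 pulls in an old base64; remove once hdrhistogram is upgraded`, assuming base64 is still the duplicate in question. The `skip-tree` array opens and closes outside the hunk.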
@@ -43,7 +43,7 @@ sha2 = { version = "0.9.8", features=["compress"] }
 subtle = "2.4"
 thiserror = "1"
 uint = "0.9.1"
-x25519-dalek = { version = "1.1", features = ["serde"] }
+x25519-dalek = { version = "1.2.0", features = ["serde"] }
 zcash_history = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
 zcash_primitives = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
 zcash_note_encryption = { git = "https://github.com/zcash/librustzcash.git", rev = "53d0a51d33a421cb76d3e3124d1e4c1c9036068e" }
diff --git a/zebra-consensus/Cargo.toml b/zebra-consensus/Cargo.toml
index 949f91b45..96053851e 100644
--- a/zebra-consensus/Cargo.toml
+++ b/zebra-consensus/Cargo.toml
@@ -11,11 +11,11 @@ proptest-impl = ["proptest", "proptest-derive", "zebra-chain/proptest-impl"]
 
 [dependencies]
 blake2b_simd = "0.5.11"
-bellman = "0.10.0"
-bls12_381 = "0.5.0"
+bellman = "0.11.1"
+bls12_381 = "0.6.0"
 chrono = "0.4.19"
 displaydoc = "0.2.2"
-jubjub = "0.7.0"
+jubjub = "0.8.0"
 lazy_static = "1.4.0"
 once_cell = "1.8"
 rand = "0.8"
diff --git a/zebra-state/Cargo.toml b/zebra-state/Cargo.toml
index a9d61d899..99dc8f3cd 100644
--- a/zebra-state/Cargo.toml
+++ b/zebra-state/Cargo.toml
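Review bot: The `x25519-dalek` bump to `1.2.0` in the zebra-chain/Cargo.toml hunk at `@@ -43,7 +43,7 @@` lands together with a downgrade in Cargo.lock, where `zeroize` moves from 1.4.2 to 1.3.0 in the same commit that takes curve25519-dalek to 3.2.0. Presumably the new dalek releases hold zeroize at an older version, but the lockfile alone does not show the cause. A commit titled as an upgrade that lowers the crate responsible for wiping secrets from memory should say so in its description, and the zeroize releases in between should be checked for fixes that are being given up. A comment beside the dependency would keep the reason visible, such as `# x25519-dalek 1.2.0 holds zeroize at 1.3.0 in Cargo.lock; revisit when the dalek crates relax it`.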
@@ -9,51 +9,48 @@ edition = "2018" proptest-impl = ["proptest", "proptest-derive", "zebra-test"] [dependencies] -zebra-chain = { path = "../zebra-chain" } - +bincode = "1" +chrono = "0.4.19" dirs = "4.0.0" +displaydoc = "0.2.2" +futures = "0.3.17" hex = "0.4.3" lazy_static = "1.4.0" -regex = "1" -serde = { version = "1", features = ["serde_derive"] } -bincode = "1" - -futures = "0.3.17" metrics = "0.17.0" -tower = { version = "0.4.9", features = ["buffer", "util"] } -tracing = "0.1" -thiserror = "1.0.30" -tokio = { version = "1.13.0", features = ["sync"] } -displaydoc = "0.2.2" -rocksdb = "0.16.0" -tempdir = "0.3.7" -chrono = "0.4.19" -rlimit = "0.5.4" # TODO: this crate is not maintained anymore. Replace it? # https://github.com/ZcashFoundation/zebra/issues/2523 # # Pinned to a commit which includes bug fix https://github.com/jmitchell/multiset/pull/21 # The fix should be included in multiset 0.0.6. multiset = { git = "https://github.com/jmitchell/multiset", rev = "91ef8550b518f75ae87ae0d8771150f259fd34d5" } - proptest = { version = "0.10.1", optional = true } proptest-derive = { version = "0.3", optional = true } +regex = "1" +rlimit = "0.5.4" +rocksdb = "0.16.0" +serde = { version = "1", features = ["serde_derive"] } +tempdir = "0.3.7" +thiserror = "1.0.30" +tokio = { version = "1.13.0", features = ["sync"] } +tower = { version = "0.4.9", features = ["buffer", "util"] } +tracing = "0.1" + +zebra-chain = { path = "../zebra-chain" } zebra-test = { path = "../zebra-test/", optional = true } [dev-dependencies] -zebra-chain = { path = "../zebra-chain", features = ["proptest-impl"] } -zebra-test = { path = "../zebra-test/" } - color-eyre = "0.5.11" once_cell = "1.8" -itertools = "0.10.1" -spandoc = "0.2" -tempdir = "0.3.7" -tokio = { version = "1.13.0", features = ["full"] } # TODO: replace w/ crate version when released: https://github.com/ZcashFoundation/zebra/issues/2083 # Note: if updating this, also update the workspace Cargo.toml to match. 
halo2 = "=0.1.0-beta.1" -jubjub = "0.7.0" - +itertools = "0.10.1" +jubjub = "0.8.0" proptest = "0.10.1" proptest-derive = "0.3" +spandoc = "0.2" +tempdir = "0.3.7" +tokio = { version = "1.13.0", features = ["full"] } + +zebra-chain = { path = "../zebra-chain", features = ["proptest-impl"] } +zebra-test = { path = "../zebra-test/" }