Skip to content

Update crypto ecosystem#246

Merged
Threated merged 2 commits into
developfrom
dependabot/cargo/develop/rand-0.9.2
Jul 2, 2026
Merged

Update crypto ecosystem#246
Threated merged 2 commits into
developfrom
dependabot/cargo/develop/rand-0.9.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 21, 2025

Copy link
Copy Markdown
Contributor

Updates the requirements on rand to permit the latest version.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jul 21, 2025
@dependabot dependabot Bot requested a review from Threated July 21, 2025 22:43
@Threated Threated force-pushed the dependabot/cargo/develop/rand-0.9.2 branch from bffc1ac to 960fb17 Compare November 5, 2025 08:31
@Threated Threated changed the title chore(deps): update rand requirement from 0.8.5 to 0.9.2 Update crypto ecosystem Nov 5, 2025
@Threated Threated marked this pull request as draft November 5, 2025 08:33
@Threated

Threated commented Nov 5, 2025

Copy link
Copy Markdown
Member

I updated all the rust crypto libs to their latest rc versions to make them compatible with rand 0.9. The rsa crate also received an update that hardens it against the Marvin Attack more info.

@dependabot @github

dependabot Bot commented on behalf of github Feb 9, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of rand exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@Threated Threated force-pushed the dependabot/cargo/develop/rand-0.9.2 branch from 960fb17 to a0d4dc4 Compare July 1, 2026 09:51
@Threated Threated force-pushed the dependabot/cargo/develop/rand-0.9.2 branch from a0d4dc4 to a70f533 Compare July 1, 2026 12:16
@Threated Threated marked this pull request as ready for review July 1, 2026 12:39
@Threated Threated requested a review from TKussel July 1, 2026 12:39
Comment thread shared/src/crypto.rs
let key_mod_bignum = openssl::bn::BigNum::from_slice(&key_mod.to_bytes_be())?;
let is_equal = cert_mod.ucmp(&key_mod_bignum) == std::cmp::Ordering::Equal;
let cert_mod = rsa::BoxedUint::from_be_slice_vartime(&cert_rsa.n().to_vec());
let is_equal = cert_mod.cmp(&key.n()) == std::cmp::Ordering::Equal;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code is fine (and cmp() is constant time), but keep in mind that this is only fine because we are comparing moduli. If any secret data would be compared, we would need the constant time from_be_slice.

Comment thread proxy/src/serve_sockets.rs Outdated
.len()
.try_into()
.expect("item too large");
dst.reserve(FRAME_LEN_SIZE + encrypted.len());

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here, the Tag lenghs is already included in FRAME_LEN_SIZE?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No its part of encrypted.len(). In the next commit we are computing it fully before encryption so there you will see we add TAG_LEN manually.

@Threated Threated merged commit 02a576f into develop Jul 2, 2026
33 checks passed
@Threated Threated deleted the dependabot/cargo/develop/rand-0.9.2 branch July 2, 2026 07:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants