Upgrade dependencies

honzasp · Jun 4, 2023 · 548e3c4 · 548e3c4
1 parent 5d8d6be
commit 548e3c4
Show file tree

Hide file tree

Showing 12 changed files with 159 additions and 181 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - Replace the `guard` crate with (now stabilized) `let else` expressions
   supported directly by the compiler. Fixes compatibility with Rust 1.70.0.
+- Upgraded dependencies.
 
 ## 0.2.1 (2023-02-09)
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -27,39 +27,37 @@ path = "tests/keys/main.rs"
 aes = "0.8"
 aes-gcm = "0.10"
 base64 = "0.21"
-bcrypt-pbkdf = "0.9"
+bcrypt-pbkdf = "0.10"
 bytes = "1.1"
 cbc = "0.1"
 chacha20 = "0.9"
 ctr = "0.9"
 derivative = "2.2"
-ecdsa = {version = "0.15", features = ["signing", "verifying"]}
-ed25519 = {version = "1.5", features = ["pkcs8"]}
-ed25519-dalek = "1.0"
+ecdsa = {version = "0.16", features = ["signing", "verifying", "digest"]}
+ed25519-dalek = {version = "^2.0.0-rc", features = ["pkcs8"]}
 futures-core = "0.3"
-hex-literal = "0.3"
+hex-literal = "0.4"
 hmac = "0.12"
 log = "0.4"
 num-bigint-dig = {version = "0.8", features = ["rand"]}
-p256 = "0.12"
-p384 = "0.12"
+p256 = "0.13"
+p384 = "0.13"
 parking_lot = "0.12"
-pem = "1.0"
+pem = "2.0"
 pin-project = "1.0"
-pkcs8 = {version = "0.9", features = ["encryption"]}
+pkcs8 = {version = "0.10", features = ["encryption"]}
 poly1305 = "0.8"
 rand = {version = "0.8", features = ["getrandom"]}
-rand_0_7 = {version = "0.7", package = "rand"} # because of x25519-dalek
 rand_chacha = "0.3"
 regex = {version = "1.6", features = ["std"], default-features = false}
-regex-syntax = {version = "0.6", features = [], default-features = false}
-rsa = {version = "0.8"}
+regex-syntax = {version = "0.7", features = [], default-features = false}
+rsa = {version = "0.9"}
 sha-1 = {version = "0.10", features = ["oid"]}
 sha2 = {version = "0.10", features = ["oid"]}
 thiserror = "1.0"
 tokio = {version = "1", features = ["sync"]}
 tokio-util = {version = "0.7", features = []}
-x25519-dalek = "1.1" # due to issue #89
+x25519-dalek = "^2.0.0-rc"
 
 [dev-dependencies]
 anyhow = "1"
@@ -70,7 +68,7 @@ enclose = "1.1"
 env_logger = "0.10"
 futures = "0.3"
 home = "0.5"
-rustix = {version = "0.36", features = ["termios"]}
+rustix = {version = "0.37", features = ["termios"]}
 tokio = {version = "1", features = ["full"]}
 
 [features]

diff --git a/examples/client.rs b/examples/client.rs
@@ -5,7 +5,6 @@ use enclose::enclose;
 use futures::ready;
 use futures::future::{FutureExt as _, FusedFuture as _, Fuse};
 use futures::stream::{StreamExt as _, TryStreamExt as _, FuturesUnordered};
-use guard::guard;
 use regex::Regex;
 use rustix::termios;
 use std::collections::{HashMap, HashSet};
@@ -189,7 +188,7 @@ struct HostFile {
 
 fn read_host_file(path: Option<PathBuf>) -> Result<Option<HostFile>> {
     let default_path = home::home_dir().map(|dir| dir.join(".ssh/known_hosts"));
-    guard!{let Some(path) = path.or(default_path) else { return Ok(None) }};
+    let Some(path) = path.or(default_path) else { return Ok(None) };
 
     let file_data = fs::read(&path)
         .context(format!("could not read known_hosts file {}", path.display()))?;
@@ -304,7 +303,7 @@ async fn run_events(
                 },
                 Some(makiko::ClientEvent::Tunnel(accept)) => {
                     let connect_addr = remote_tunnel_addrs.get(&accept.connected_addr);
-                    guard!{let Some(connect_addr) = connect_addr else { continue }};
+                    let Some(connect_addr) = connect_addr else { continue };
                     tunnel_tasks.push(TaskHandle(tokio::task::spawn(
                         run_remote_tunnel(accept, connect_addr.clone())
                     )));

diff --git a/src/host_file.rs b/src/host_file.rs
@@ -773,7 +773,7 @@ mod tests {
 
         let pubkey_b64 = "AAAAC3NzaC1lZDI1NTE5AAAAIPJUmxF+H42aRAqDYOHqs9Wh2JDecL51WgYygy1hxswl";
         let pubkey_bytes = hex!("f2549b117e1f8d9a440a8360e1eab3d5a1d890de70be755a0632832d61c6cc25");
-        let pubkey = ed25519_dalek::PublicKey::from_bytes(&pubkey_bytes).unwrap();
+        let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes).unwrap();
         let pubkey = Pubkey::Ed25519(pubkey.into());
 
         check_entry(format!("example.com ssh-ed25519 {} edward", pubkey_b64), Entry {

diff --git a/src/kex/curve25519.rs b/src/kex/curve25519.rs
@@ -42,7 +42,7 @@ struct EcdhReply {
 fn init_kex(_rng: &mut dyn CryptoRngCore) -> Result<Curve25519Kex> {
     // x25519-dalek depends on rand 0.7 and also requires an owned rng, so there is no way that we
     // could pass `&mut dyn CryptoRngCore` to `EphemeralSecret::new()`
-    let our_eph_privkey = x25519_dalek::EphemeralSecret::new(rand_0_7::rngs::OsRng);
+    let our_eph_privkey = x25519_dalek::EphemeralSecret::random_from_rng(rand::rngs::OsRng);
     let our_eph_pubkey = x25519_dalek::PublicKey::from(&our_eph_privkey);
     log::debug!("initialized curve25519 kex");
     Ok(Curve25519Kex {

diff --git a/src/keys/mod.rs b/src/keys/mod.rs
@@ -22,10 +22,10 @@ mod pkcs8;
 
 fn decode_pem(pem_data: &[u8], expected_tag: &'static str) -> Result<Vec<u8>> {
     let pem = pem::parse(pem_data).map_err(Error::Pem)?;
-    if pem.tag != expected_tag {
-        return Err(Error::BadPemTag(pem.tag, expected_tag.into()))
+    if pem.tag() != expected_tag {
+        return Err(Error::BadPemTag(pem.tag().into(), expected_tag.into()))
     }
-    Ok(pem.contents)
+    Ok(pem.into_contents())
 }
 
 /// Decode a private key from any supported PEM format.
@@ -43,13 +43,13 @@ fn decode_pem(pem_data: &[u8], expected_tag: &'static str) -> Result<Vec<u8>> {
 /// empty passphrase if the key is not encrypted.
 pub fn decode_pem_privkey(pem_data: &[u8], passphrase: &[u8]) -> Result<Privkey> {
     let pem = pem::parse(pem_data).map_err(Error::Pem)?;
-    match pem.tag.as_str() {
-        "OPENSSH PRIVATE KEY" => decode_openssh_binary_keypair(pem.contents.into(), passphrase)
+    match pem.tag() {
+        "OPENSSH PRIVATE KEY" => decode_openssh_binary_keypair(pem.into_contents().into(), passphrase)
             .map(|keypair| keypair.privkey),
-        "RSA PRIVATE KEY" => decode_pkcs1_der_privkey(&pem.contents).map(Privkey::Rsa),
-        "PRIVATE KEY" => decode_pkcs8_der_privkey(&pem.contents),
-        "ENCRYPTED PRIVATE KEY" => decode_pkcs8_encrypted_der_privkey(&pem.contents, passphrase),
-        _ => Err(Error::UnknownPemTag(pem.tag)),
+        "RSA PRIVATE KEY" => decode_pkcs1_der_privkey(pem.contents()).map(Privkey::Rsa),
+        "PRIVATE KEY" => decode_pkcs8_der_privkey(pem.contents()),
+        "ENCRYPTED PRIVATE KEY" => decode_pkcs8_encrypted_der_privkey(pem.contents(), passphrase),
+        _ => Err(Error::UnknownPemTag(pem.tag().into())),
     }
 }
 
@@ -99,20 +99,20 @@ impl DecodedPrivkeyNopass {
 /// [`DecodedPrivkeyNopass::Encrypted`].
 pub fn decode_pem_privkey_nopass(pem_data: &[u8]) -> Result<DecodedPrivkeyNopass> {
     let pem = pem::parse(pem_data).map_err(Error::Pem)?;
-    match pem.tag.as_str() {
+    match pem.tag() {
         "OPENSSH PRIVATE KEY" =>
-            decode_openssh_binary_keypair_nopass(pem.contents.into()).map(|keypair| {
+            decode_openssh_binary_keypair_nopass(pem.into_contents().into()).map(|keypair| {
                 match keypair.privkey {
                     Some(privkey) => DecodedPrivkeyNopass::Privkey(privkey),
                     None => DecodedPrivkeyNopass::Pubkey(keypair.pubkey),
                 }
             }),
-        "RSA PRIVATE KEY" => decode_pkcs1_der_privkey(&pem.contents)
+        "RSA PRIVATE KEY" => decode_pkcs1_der_privkey(pem.contents())
             .map(|privkey| DecodedPrivkeyNopass::Privkey(Privkey::Rsa(privkey))),
-        "PRIVATE KEY" => decode_pkcs8_der_privkey(&pem.contents)
+        "PRIVATE KEY" => decode_pkcs8_der_privkey(pem.contents())
             .map(DecodedPrivkeyNopass::Privkey),
         "ENCRYPTED PRIVATE KEY" => Ok(DecodedPrivkeyNopass::Encrypted),
-        _ => Err(Error::UnknownPemTag(pem.tag)),
+        _ => Err(Error::UnknownPemTag(pem.tag().into())),
     }
 }
 
@@ -125,9 +125,9 @@ pub fn decode_pem_privkey_nopass(pem_data: &[u8]) -> Result<DecodedPrivkeyNopass
 /// - PKCS#8 (`PUBLIC KEY`), see [`decode_pkcs8_pem_pubkey()`].
 pub fn decode_pem_pubkey(pem_data: &[u8]) -> Result<Pubkey> {
     let pem = pem::parse(pem_data).map_err(Error::Pem)?;
-    match pem.tag.as_str() {
-        "RSA PUBLIC KEY" => decode_pkcs1_der_pubkey(&pem.contents).map(Pubkey::Rsa),
-        "PUBLIC KEY" => decode_pkcs8_der_pubkey(&pem.contents),
-        _ => Err(Error::UnknownPemTag(pem.tag)),
+    match pem.tag() {
+        "RSA PUBLIC KEY" => decode_pkcs1_der_pubkey(pem.contents()).map(Pubkey::Rsa),
+        "PUBLIC KEY" => decode_pkcs8_der_pubkey(pem.contents()),
+        _ => Err(Error::UnknownPemTag(pem.tag().into())),
     }
 }
diff --git a/src/keys/pkcs8.rs b/src/keys/pkcs8.rs
@@ -1,5 +1,4 @@
 use ecdsa::elliptic_curve;
-use ed25519_dalek::ed25519;
 use pkcs8::AssociatedOid as _;
 use crate::error::{Result, Error};
 use crate::pubkey::{Privkey, Pubkey};
@@ -14,12 +13,12 @@ use crate::pubkey::{Privkey, Pubkey};
 /// empty passphrase if the key is not encrypted.
 pub fn decode_pkcs8_pem_privkey(pem_data: &[u8], passphrase: &[u8]) -> Result<Privkey> {
     let pem = pem::parse(pem_data).map_err(Error::Pem)?;
-    if pem.tag == "PRIVATE KEY" {
-        decode_pkcs8_der_privkey(&pem.contents)
-    } else if pem.tag == "ENCRYPTED PRIVATE KEY" {
-        decode_pkcs8_encrypted_der_privkey(&pem.contents, passphrase)
+    if pem.tag() == "PRIVATE KEY" {
+        decode_pkcs8_der_privkey(pem.contents())
+    } else if pem.tag() == "ENCRYPTED PRIVATE KEY" {
+        decode_pkcs8_encrypted_der_privkey(pem.contents(), passphrase)
     } else {
-        Err(Error::BadPemTag(pem.tag, "PRIVATE KEY".into()))
+        Err(Error::BadPemTag(pem.tag().into(), "PRIVATE KEY".into()))
     }
 }
 
@@ -32,9 +31,7 @@ pub fn decode_pkcs8_der_privkey(der_data: &[u8]) -> Result<Privkey> {
     let info = pkcs8::PrivateKeyInfo::try_from(der_data).map_err(Error::Pkcs8)?;
     let algo_oid = info.algorithm.oid;
     if algo_oid == RSA_OID {
-        // unfortunately, `rsa` uses an older version of `pkcs8`, so we must re-parse the DER
-        let info = rsa::pkcs8::PrivateKeyInfo::try_from(der_data).map_err(Error::Pkcs8Rsa)?;
-        let privkey = rsa::RsaPrivateKey::try_from(info).map_err(Error::Pkcs8Rsa)?;
+        let privkey = rsa::RsaPrivateKey::try_from(info).map_err(Error::Pkcs8)?;
         Ok(Privkey::Rsa(privkey.into()))
     } else if algo_oid == EC_OID {
         let curve_oid = info.algorithm.parameters_oid().map_err(Error::Pkcs8Spki)?;
@@ -48,14 +45,8 @@ pub fn decode_pkcs8_der_privkey(der_data: &[u8]) -> Result<Privkey> {
             Err(Error::Pkcs8BadCurveOid(curve_oid.to_string()))
         }
     } else if algo_oid == ED25519_OID {
-        let keypair_bytes = ed25519::pkcs8::KeypairBytes::try_from(info).map_err(Error::Pkcs8)?;
-        let secret = ed25519_dalek::SecretKey::from_bytes(&keypair_bytes.secret_key)
-            .map_err(Error::Pkcs8Ed25519)?;
-        let public = match keypair_bytes.public_key {
-            Some(bytes) => ed25519_dalek::PublicKey::from_bytes(&bytes).map_err(Error::Pkcs8Ed25519)?,
-            None => ed25519_dalek::PublicKey::from(&secret),
-        };
-        Ok(Privkey::Ed25519(ed25519_dalek::Keypair { secret, public }.into()))
+        let signing = ed25519_dalek::SigningKey::try_from(info).map_err(Error::Pkcs8)?;
+        Ok(Privkey::Ed25519(signing.into()))
     } else {
         Err(Error::Pkcs8BadAlgorithmOid(algo_oid.to_string()))
     }
@@ -81,9 +72,7 @@ pub fn decode_pkcs8_der_pubkey(der_data: &[u8]) -> Result<Pubkey> {
     let info = pkcs8::SubjectPublicKeyInfo::try_from(der_data).map_err(Error::Pkcs8Spki)?;
     let algo_oid = info.algorithm.oid;
     if algo_oid == RSA_OID {
-        // unfortunately, `rsa` uses an older version of `pkcs8`, so we must re-parse the DER
-        let info = rsa::pkcs8::SubjectPublicKeyInfo::try_from(der_data).map_err(Error::Pkcs8RsaSpki)?;
-        let pubkey = rsa::RsaPublicKey::try_from(info).map_err(Error::Pkcs8RsaSpki)?;
+        let pubkey = rsa::RsaPublicKey::try_from(info).map_err(Error::Pkcs8Spki)?;
         Ok(Pubkey::Rsa(pubkey.into()))
     } else if algo_oid == EC_OID {
         let curve_oid = info.algorithm.parameters_oid().map_err(Error::Pkcs8Spki)?;
@@ -99,10 +88,8 @@ pub fn decode_pkcs8_der_pubkey(der_data: &[u8]) -> Result<Pubkey> {
             Err(Error::Pkcs8BadCurveOid(curve_oid.to_string()))
         }
     } else if algo_oid == ED25519_OID {
-        let public_bytes = ed25519::pkcs8::PublicKeyBytes::try_from(info).map_err(Error::Pkcs8Spki)?;
-        let pubkey = ed25519_dalek::PublicKey::from_bytes(&public_bytes.to_bytes())
-            .map_err(Error::Pkcs8Ed25519)?;
-        Ok(Pubkey::Ed25519(pubkey.into()))
+        let verifying = ed25519_dalek::VerifyingKey::try_from(info).map_err(Error::Pkcs8Spki)?;
+        Ok(Pubkey::Ed25519(verifying.into()))
     } else {
         Err(Error::Pkcs8BadAlgorithmOid(algo_oid.to_string()))
     }