curve25519-dalek zeroize dependency not compatible with other libraries

[samuelvanderwaal]

Problem

Solana v1.8.x relied on curve25519-dalek ^v2.1.0 which itself has a zeroize dependency of ^1.

However, Solana v1.9+ rely on curve25519-dalek ^v3.2.1 which limits zeroize to a range of >=1, <1.4 which is not compatible with many other cryptography libraries (or libraries which depend on cryptography libraries) which use ^1.4 or ^1.5. E.g.s:

• aws-types
• num-big-int-dig (which RSA relies on)
• jsonwebkey

It's unclear why curve25519-dalek hasn't bumped yet but there is an open PR to do so. Most other cryptography libraries seem to have bumped to v1.4+

Are there any known workarounds for this? If curve25519-dalek doesn't bump, is it possible for Solana to drop back down to ^v2.1?

Proposed Solution

[anthontaylor]

I'm currently running into the same issue with dependencies being incompatible with the outdated zeroize on curve25519-dalek.

[whymidnight]

this was blocking for me when i tried using RustCrypto/RSA

however, at least for rsa, i found sfackler/rust-openssl that binds to openssl OS package.

this seems to be a viable alternative in the meantime.

[whymidnight]

can confirm that i was able to implement RSA key generation and decryption using sfackler/rust-openssl without dependency issues.

[samuelvanderwaal]

can confirm that i was able to implement RSA key generation and decryption using sfackler/rust-openssl without dependency issues.

Thanks for sharing this!

[NorbertBodziony]

Any update on this ? Majority of packages already bumped zeroize.

[mschneider]

curve25519-dalek 3.2.1 seems to be a blocker here, a 4.0.0 release is imminent (rc.2 was published on March 26)

[juchiast]

4.0.0 is released

[hlgltvnnk]

Upgrading curve25519-dalek to version 4 will not solve the problem
Because there is also ed25519-dalek-bip32 (v0.2.0), which depends on ed25519-dalek (v1.0.1), which also depends on curve25519-dalek (version = "3")
There is an ed25519-dalek v2.0.0-rc.3 that uses curve25519-dalek "=4.0.0-rc.3", but there is no stable version yet, so ed25519-dalek-bip32 is still on ed25519-dalek 1.0.1
So the way out of this situation may be:

1. Wait for the release of the stable version of ed25519-dalek -> and then update ed25519-dalek-bip32 -> and then update deps in solana core
2. Replace the ed25519-dalek-bip32 crate - as far as I understand it is used only for generating a keypair using Bip32 Hierarchical Derivation

[juchiast]

2. Replace the ed25519-dalek-bip32 crate - as far as I understand it is used only for generating a keypair using Bip32 Hierarchical Derivation

solana also uses ed25519-dalek 1.01, so I don't think this is an option.

solana/Cargo.toml

Line 182 in 3dcb382

ed25519-dalek = "=1.0.1"

[hlgltvnnk]

2. Replace the ed25519-dalek-bip32 crate - as far as I understand it is used only for generating a keypair using Bip32 Hierarchical Derivation

solana also uses ed25519-dalek 1.01, so I don't think this is an option.

solana/Cargo.toml

Line 182 in 3dcb382

ed25519-dalek = "=1.0.1"

This is a temporary workaround (if you want solana to be compatible with other crates that use zeroize) to use the raw version of ed25519-dalek (Im using "2.0.0-rc.3" in my fork) and then replace the ed25519-dalek-bip32 (because I don't want to fork it as well).
This is not stable and should only be used if it blocks development (for example, I need to use the async solana cli in my project, which is implemented in the latest versions of solana, so incompatibility with other packages is a big issue for me).
The best option would be to wait until ed25519-dalek releases v2 and then 1) wait for ed25519-dalek-bip32 to update or 2) replace ed25519-dalek-bip32 (spl also needs to be updated)

[hlgltvnnk]

ed25519-dalek v2.0.0 is released!

[jbuckmccready]

There is another dependency that needs to be updated to eliminate the awkward zeroize <1.4 dependency problem: aes-gcm-siv needs to be updated to v0.11.1.