Update curve25519-dalek to v4.1.3

[rillian]

Switch to the latest version for uses already on v4. Removes the no-longer necessary platforms dependency.

Addresses a timing attack vulnerability
https://rustsec.org/advisories/RUSTSEC-2024-0344

We still have code using different versions of curve25519-dalek

• Update current uses of v4 to v4.1.3 (ppoprf)
• Update brave_wallet from v3.2.0 to v4.1.3
• Update brave_wallet to ed25519-dalek-bip32 v0.3
• Update challenge-bypass-ristretto from v3 to v4
• Update cxx wrapper to challenge-bypass v2
• Update skus to challenge-bypass v2

Resolves brave/brave-browser#39142

Submitter Checklist:

• I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

Verification of normal wallet and premium features should cover this change; no behaviour changes are intended.

[github-actions]

[puLL-Merge] - brave/brave-core@24287

Description

This PR updates the curve25519-dalek crate from version 4.1.1 to 4.1.3. The curve25519-dalek crate provides an implementation of Curve25519 operations for Rust.

Changes

Changes

• third_party/rust/chromium_crates_io/vendor/curve25519-dalek-4.1.1 directory renamed to third_party/rust/chromium_crates_io/vendor/curve25519-dalek-4.1.3
• Updated version number in various files under the curve25519-dalek directory
• Added new file .cargo_vcs_info.json in curve25519-dalek-4.1.3 directory
• Minor changes to Rust source files:
  • src/backend/mod.rs
  • src/backend/serial/mod.rs
  • src/backend/serial/scalar_mul/mod.rs
  • src/backend/serial/scalar_mul/straus.rs
  • src/backend/serial/scalar_mul/vartime_double_base.rs
  • src/backend/vector/mod.rs
  • src/backend/vector/scalar_mul/mod.rs
  • src/backend/vector/scalar_mul/pippenger.rs
  • src/backend/vector/scalar_mul/precomputed_straus.rs
  • src/backend/vector/scalar_mul/straus.rs
  • src/backend/vector/scalar_mul/variable_base.rs
  • src/backend/vector/scalar_mul/vartime_double_base.rs
  • src/backend/vector/ifma/edwards.rs
  • src/backend/vector/ifma/field.rs
  • src/constants.rs
  • src/diagnostics.rs
  • src/montgomery.rs

The changes appear to be an incremental version update with some code changes in the backend implementation. No major API changes are evident.

Security Hotspots

None identified. The changes are focused on backend optimizations and upgrades. Proper review of the specific code changes, especially in security-sensitive cryptographic operations, is still recommended to ensure no vulnerabilities were introduced.

[kdenhartog]

LGTM

Dismissing since I see there's more to come in terms of changes

[rillian]

NB a hitch here is that gnrt seems to have a parsing bug with the name of the new const-oid dependency and can't properly generate build files when it's in Cargo.lock. I've been fixing things up manually, but this needs to be fixed to avoid breaking future updates.

This turned out to be a hyphen vs. underscore confusion; using the native version of the crate name works ok.

[rillian]

This change was made by gnrt. I looked through the various references and couldn't find a matching specification for the i128 feature, so I suspect this is correct. Normally we need 128-bit support for crypto token serialization, so maybe we were using this at one point and then switched to a different approach without regenerating the rust build files?

[rillian]

On t he other hand, this seems incorrect; simd is implied by std in rand_chacha v0.2.2 although it's deprecated in favour of the ppv_lite86 feature used in v0.3.

Any ideas here, @bridiver? Seems like this could be a performance regression. I thought BUILD.gn had to exhaustively list all features, but e.g. upstream doesn't enable the ppv feature

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[rillian]

Thanks for taking a look at the first half of this, @kdenhartog. The complete change set is ready for review now.

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[brave-builds]

A Storybook has been deployed to preview UI for the latest push

[supermassive]

wallet core lgtm