-
Notifications
You must be signed in to change notification settings - Fork 839
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update curve25519-dalek to v4.1.3 #24287
Conversation
[puLL-Merge] - brave/brave-core@24287 DescriptionThis PR updates the ChangesChanges
The changes appear to be an incremental version update with some code changes in the backend implementation. No major API changes are evident. Security HotspotsNone identified. The changes are focused on backend optimizations and upgrades. Proper review of the specific code changes, especially in security-sensitive cryptographic operations, is still recommended to ensure no vulnerabilities were introduced. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Dismissing since I see there's more to come in terms of changes
37721ee
to
afec5e5
Compare
This turned out to be a hyphen vs. underscore confusion; using the native version of the crate name works ok. |
"i128", | ||
"std", | ||
] | ||
features = [ "std" ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change was made by gnrt
. I looked through the various references and couldn't find a matching specification for the i128
feature, so I suspect this is correct. Normally we need 128-bit support for crypto token serialization, so maybe we were using this at one point and then switched to a different approach without regenerating the rust build files?
"simd", | ||
"std", | ||
] | ||
features = [ "std" ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On t he other hand, this seems incorrect; simd
is implied by std
in rand_chacha v0.2.2 although it's deprecated in favour of the ppv_lite86
feature used in v0.3.
Any ideas here, @bridiver? Seems like this could be a performance regression. I thought BUILD.gn
had to exhaustively list all features, but e.g. upstream doesn't enable the ppv feature
Switch to the latest version for uses already on v4. Removes the no-longer necessary `platforms` dependency. Addresses a timing attack vulnerability https://rustsec.org/advisories/RUSTSEC-2024-0344
Port the wallet code to the latest release to address audit warnings about the new timing attack. There is still a dependency through ed25519-dalek-bip32.
Port to the new ed25519-dalek v2 API which renames Keypair -> SigningKey and PublicKey -> VerifyingKey. This completes migrating the wallet code to curve25519-dalek v4.1.3 removing the v3 variant required by the v0.2 version of this dependency.
Run `gnrt vendor` and `gnrt gen` to update vendored dependencies for the port the current release of this rust code used by brave_wallet.
gnrt seems to have a bug with the const-oid crate name which prevents propagating the extra inputs, so I did this manually, and apparently incorrectly. Result of running `npm run presubmit -- --fix`.
Apply standard formatting to recent changes.
Migrate to newer versions of the underlying library and related dependencies.
Port to the latest stable release of the rust `rand` crate, which is available from upstream chromium.
This removes the last dependency on curve25519-dalek < v4.0.3, consolidating dependencies and addressing RUSTSEC-2024-0344. Updates dependency declarations to match new requirements and consolidate versions. Runs gnrt to update vendored crates and build descriptions. Adds a temporary binding to work around partial borrow issues with the new api.
These are no longer needed.
Add a license header to a few files with did not already have one.
This is no longer necessary now that v0.3.1 is available in upstream chromium. NB the `gnrt` tool seems confused here, trying to restore this file and pointing some build references toward it instead of the upstream copy. Possibly the `gnrt.config` reference needs a version specification?
A Storybook has been deployed to preview UI for the latest push |
73d45e1
to
0688a9c
Compare
Thanks for taking a look at the first half of this, @kdenhartog. The complete change set is ready for review now. |
A Storybook has been deployed to preview UI for the latest push |
1 similar comment
A Storybook has been deployed to preview UI for the latest push |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wallet core lgtm
Uplift of #24287 (squashed) to beta
Switch to the latest version for uses already on v4. Removes the no-longer necessary
platforms
dependency.Addresses a timing attack vulnerability
https://rustsec.org/advisories/RUSTSEC-2024-0344
We still have code using different versions of curve25519-dalek
Resolves brave/brave-browser#39142
Submitter Checklist:
QA/Yes
orQA/No
;release-notes/include
orrelease-notes/exclude
;OS/...
) to the associated issuenpm run test -- brave_browser_tests
,npm run test -- brave_unit_tests
wikinpm run presubmit
wiki,npm run gn_check
,npm run tslint
git rebase master
(if needed)Reviewer Checklist:
gn
After-merge Checklist:
changes has landed on
Test Plan:
Verification of normal wallet and premium features should cover this change; no behaviour changes are intended.