Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RUSTSEC-2016-0005: rust-crypto is unmaintained; switch to a modern alternative #352

Closed
github-actions bot opened this issue Oct 31, 2020 · 1 comment · Fixed by #719
Closed

RUSTSEC-2016-0005: rust-crypto is unmaintained; switch to a modern alternative #352

github-actions bot opened this issue Oct 31, 2020 · 1 comment · Fixed by #719
Assignees
@adizere
Labels
I: dependencies Internal: related to dependencies O: security Objective: cause to enhance security and improve safety
Milestone
03.2021

Comments

@github-actions
Copy link

rust-crypto is unmaintained; switch to a modern alternative

Details
Status unmaintained
Package rust-crypto
Version 0.2.36
URL DaGenix/rust-crypto#440
Date 2016-09-06

The rust-crypto crate has not seen a release or GitHub commit since 2016,
and its author is unresponsive.

NOTE: The (old) rust-crypto crate (with hyphen) should not be confused with
similarly named (new) RustCrypto GitHub Org (without hyphen). The GitHub Org
is actively maintained.

We recommend you switch to one of the following crates instead, depending on
which algorithms you need:

  • dalek-cryptography GitHub Org:
  • ring:
    • AEAD algorithms: AES-GCM, ChaCha20Poly1305
    • Digest algorithms: SHA-256, SHA-384, SHA-512, SHA-512/256 (legacy: SHA-1)
    • HMAC
    • Key agreement: ECDH (P-256, P-384), X25519
    • Key derivation: HKDF
    • Password hashing: PBKDF2
    • Signature algorithms: ECDSA (P-256, P-384), Ed25519, RSA (PKCS#1v1.5, PSS)
  • RustCrypto GitHub Org:
  • secp256k1:
    • Key agreement: ECDH (secp256k1 only)
    • Signature algorithms: ECDSA (secp256k1 only)
  • sodiumoxide:
    • AEAD algorithms: ChaCha20Poly1305 (IETF version)
    • Digest algorithms: SHA-256, SHA-512
    • HMAC
    • Key agreement: X25519 + BLAKE2b
    • Password hashing: Argon2(i/d), scrypt
    • Public key encryption: NaCl "Box" (X25519 + XSalsa20Poly1305)
    • Signature algorithms: Ed25519
    • Short-input PRF: SipHash24
  • orion:
    • AEAD algorithms: ChaCha20Poly1305 (IETF version), XChaCha20Poly1305
    • Digest algorithms: SHA-512, BLAKE2b
    • Key derivation: HKDF
    • MACs: HMAC, Poly1305
    • Password hashing: PBKDF2
    • Stream ciphers: ChaCha20 (IETF version), XChaCha20

See advisory page for additional details.
@adizere
Copy link
Member

adizere commented Nov 6, 2020

cargo tree:

relayer v0.0.4 (/Users/adi/Hammers/ibc-rs/relayer)
...
├── bitcoin-wallet v1.1.0
│   .....
│   ├── rust-crypto v0.2.36
├── rust-crypto v0.2.36 (*)
...

Seems rust-crypto recently became a dependency. It was necessary to implement transaction signing #345. That code will most likely change a lot in the near future so maybe we can just replace this crate with another.

@adizere adizere added the I: dependencies Internal: related to dependencies label Nov 6, 2020
@andynog andynog self-assigned this Nov 26, 2020
@adizere adizere mentioned this issue Feb 12, 2021
Closed
5 tasks
@adizere adizere mentioned this issue Mar 1, 2021
Merged
5 tasks
@adizere adizere assigned adizere and unassigned andynog Mar 1, 2021
@adizere adizere added this to the 03.2021 milestone Mar 1, 2021
@adizere adizere added the O: security Objective: cause to enhance security and improve safety label Mar 2, 2021
@tarcieri tarcieri mentioned this issue Apr 29, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adizere adizere

Labels
I: dependencies Internal: related to dependencies O: security Objective: cause to enhance security and improve safety
Projects
None yet
Milestone
03.2021
Development

Successfully merging a pull request may close this issue.

Replace deprecated rust-crypto dep with RustCrypto org packages informalsystems/hermes
2 participants
@adizere @andynog