Upgrade most dependencies. (#1202)

This PR updates the dependencies that don’t require complex changes.
NLnetLabs · Jun 24, 2024 · 3837a4d · 3837a4d
1 parent c3a870a
commit 3837a4d
Show file tree

Hide file tree

Showing 16 changed files with 366 additions and 218 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,46 +22,45 @@ exclude = [
 
 [dependencies]
 backoff         = { version = "0.4.0", optional = true }
-base64          = "^0.13"
-basic-cookies   = { version = "^0.1", optional = true }
+base64          = "0.22.1"
+basic-cookies   = { version = "0.1", optional = true }
 bytes           = "1"
-chrono          = { version = "^0.4", features = ["serde"] }
-clap            = "^2.33"
+chrono          = { version = "0.4", features = ["serde"] }
+clap            = "2.33"
 cryptoki        = { version = "^0.3", optional = true }
 cryptoki-sys    = { version = "=0.1.4", optional = true } # pin cryptoki-sys because of compilation issues on various systems
-fern            = { version = "^0.5", features = ["syslog-4"] }
-futures         = "^0.3"
-futures-util    = "^0.3"
+fern            = { version = "0.6.2", features = ["syslog-6"] }
+futures-util    = "0.3"
 fslock          = "0.2.1"
-hex             = "^0.4"
+hex             = "0.4"
 hyper           = { version = "^0.14", features = ["server"] }
 intervaltree    = "0.2.6"
-jmespatch       = { version = "^0.3", features = ["sync"], optional = true }
+jmespatch       = { version = "0.3", features = ["sync"], optional = true }
 kmip            = { version = "0.4.2", package = "kmip-protocol", features = [ "tls-with-openssl" ], optional = true }
 kvx             = { version = "0.9.3", features = ["macros"] }
-libflate        = "^1"
-log             = "^0.4"
-once_cell       = { version = "^1.7.2", optional = true }
-openidconnect   = { version = "^2.0.0", optional = true, default_features = false }
-openssl         = { version = "^0.10", features = ["v110"] }
-oso             = { version = "^0.12", optional = true, default_features = false }
+libflate        = "2.1.0"
+log             = "0.4"
+once_cell       = { version = "1.7.2", optional = true }
+openidconnect   = { version = "2.0.0", optional = true, default_features = false }
+openssl         = { version = "0.10", features = ["v110"] }
+oso             = { version = "0.12", optional = true, default_features = false }
 r2d2            = { version = "0.8.9", optional = true }
-rand            = "^0.8"
+rand            = "0.8"
 regex           = { version = "1.5.5", optional = true, default_features = false, features = [ "std" ] }
 reqwest         = { version = "0.11", features = ["json"] }
-rpassword       = { version = "^5.0", optional = true }
+rpassword       = { version = "7.3.1", optional = true }
 #rpki            = { version = "0.18.0", features = ["ca", "compat", "rrdp"] }
 rpki            = { git = "https://github.com/nLnetLabs/rpki-rs", features = [ "ca", "compat", "rrdp" ] }
 rustls-pemfile  = "1.0.4"
-scrypt          = { version = "^0.6", optional = true, default-features = false }
-serde           = { version = "^1.0", features = ["derive", "rc"] }
-serde_json      = "^1.0"
+scrypt          = { version = "0.11", optional = true, default-features = false }
+serde           = { version = "1.0", features = ["derive", "rc"] }
+serde_json      = "1.0"
 tokio           = { version = "1", features = [ "macros", "rt", "rt-multi-thread", "signal", "time" ] }
 tokio-rustls    = "0.24.1"
-toml            = "^0.5"
+toml            = "0.8.14"
 unicode-normalization = { version = "^0.1", optional = true }
 url             = { version = "2.3.1", features = ["serde"] }
-urlparse        = { version = "^0.7", optional = true }
+urlparse        = { version = "0.7", optional = true }
 uuid            = { version = "1.1", features = ["v4"] }
 
 # Disable compiler optimizations for the pkcs11 crate because otherwise with a release build the
@@ -72,8 +71,7 @@ uuid            = { version = "1.1", features = ["v4"] }
 # opt-level = 0
 
 [target.'cfg(unix)'.dependencies]
-libc = "^0.2"
-syslog = "^4.0"
+syslog = "6.1.1"
 
 [features]
 default = ["multi-user", "hsm"]
@@ -99,15 +97,15 @@ all = ["multi-user", "rta", "static-openssl"]
 hsm-tests-kmip = ["hsm"]
 hsm-tests-pkcs11 = ["hsm"]
 
+[dev-dependencies]
+regex    = "1.5.5"
+urlparse = "0.7"
+
 # Make sure that Krill crashes on panics, rather than losing threads and
 # limping on in a bad state.
 [profile.release]
 panic = "abort"
 
-[dev-dependencies]
-regex = "1.5.5"
-urlparse = "^0.7"
-
 # ------------------------------------------------------------------------------
 # START DEBIAN PACKAGING
 #

diff --git a/src/cli/client.rs b/src/cli/client.rs
@@ -580,7 +580,7 @@ impl KrillClient {
             config.push_str(hsm_add_on);
         }
 
-        let mut c: Config = toml::from_slice(config.as_ref()).map_err(Error::init)?;
+        let mut c: Config = toml::from_str(&config).map_err(Error::init)?;
         c.process().map_err(Error::init)?;
 
         Ok(ApiResponse::GenericBody(config))
@@ -592,7 +592,9 @@ impl KrillClient {
         let (password_hash, salt) = {
             use scrypt::scrypt;
 
-            let password = rpassword::read_password_from_tty(Some("Enter the password to hash: ")).unwrap();
+            let password = rpassword::prompt_password(
+                "Enter the password to hash: "
+            ).unwrap();
 
             // The scrypt-js NPM documentation (https://www.npmjs.com/package/scrypt-js) says:
             //   "TL;DR - either only allow ASCII characters in passwords, or use
@@ -602,7 +604,10 @@ impl KrillClient {
 
             let user_id = details.id().nfkc().collect::<String>();
             let password = password.trim().nfkc().collect::<String>();
-            let params = scrypt::Params::new(PW_HASH_LOG_N, PW_HASH_R, PW_HASH_P).unwrap();
+            let params = scrypt::Params::new(
+                PW_HASH_LOG_N, PW_HASH_R, PW_HASH_P,
+                scrypt::Params::RECOMMENDED_LEN,
+            ).unwrap();
 
             // hash twice with two different salts
             // hash first with a salt the client browser knows how to construct based on the users id and a site

diff --git a/src/commons/api/ca.rs b/src/commons/api/ca.rs
@@ -8,6 +8,8 @@ use std::str::FromStr;
 use std::sync::Arc;
 use std::{fmt, str};
 
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::STANDARD as BASE64_ENGINE;
 use bytes::Bytes;
 use chrono::{Duration, TimeZone, Utc};
 use rpki::ca::publication::{PublishDelta, PublishDeltaElement};
@@ -1062,8 +1064,14 @@ pub struct ParentStatusIssuingCert {
 
 impl From<&SigningCert> for ParentStatusIssuingCert {
     fn from(signing: &SigningCert) -> Self {
-        let cert = base64::encode(signing.cert().to_captured().as_slice());
-        let cert_pem = format!("-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n", cert);
+        let cert = BASE64_ENGINE.encode(
+            signing.cert().to_captured().as_slice()
+        );
+        let cert_pem = format!(
+            "-----BEGIN CERTIFICATE-----\n\
+            {cert}\n\
+            -----END CERTIFICATE-----\n",
+        );
 
         ParentStatusIssuingCert {
             uri: signing.url().clone(),
@@ -1080,8 +1088,14 @@ pub struct ParentStatusCert {
 
 impl From<&IssuedCert> for ParentStatusCert {
     fn from(issued: &IssuedCert) -> Self {
-        let cert = base64::encode(issued.cert().to_captured().as_slice());
-        let cert_pem = format!("-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n", cert);
+        let cert = BASE64_ENGINE.encode(
+            issued.cert().to_captured().as_slice()
+        );
+        let cert_pem = format!(
+            "-----BEGIN CERTIFICATE-----\n\
+            {cert}\n\
+            -----END CERTIFICATE-----\n",
+        );
         ParentStatusCert {
             uri: issued.uri().clone(),
             cert_pem,

diff --git a/src/commons/crypto/signing/signers/pkcs11/signer.rs b/src/commons/crypto/signing/signers/pkcs11/signer.rs
@@ -1415,10 +1415,7 @@ mod tests {
             slot = -1234
         "#;
         let err = toml::from_str::<Pkcs11SignerConfig>(config_str).unwrap_err();
-        assert_eq!(
-            err.to_string(),
-            "not a valid PKCS#11 slot ID for key `slot` at line 3 column 20"
-        )
+        assert!(err.to_string().contains("not a valid PKCS#11 slot ID"))
     }
 
     #[test]

diff --git a/src/commons/crypto/signing/signers/softsigner.rs b/src/commons/crypto/signing/signers/softsigner.rs
@@ -5,6 +5,8 @@ use std::{
     sync::{Arc, RwLock},
 };
 
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::STANDARD as BASE64_ENGINE;
 use bytes::Bytes;
 use openssl::{
     hash::MessageDigest,
@@ -259,7 +261,7 @@ impl Serialize for OpenSslKeyPair {
     {
         let bytes: Vec<u8> = self.pkey.as_ref().private_key_to_der().map_err(ser::Error::custom)?;
 
-        base64::encode(bytes).serialize(s)
+        BASE64_ENGINE.encode(bytes).serialize(s)
     }
 }
 
@@ -300,11 +302,15 @@ impl OpenSslKeyPair {
     }
 
     fn from_base64(base64: &str) -> Result<OpenSslKeyPair, SignerError> {
-        let bytes = base64::decode(base64).map_err(|_| SignerError::other("Cannot parse private key base64"))?;
+        let bytes = BASE64_ENGINE.decode(base64).map_err(|_| {
+            SignerError::other("Cannot parse private key base64")
+        })?;
 
         PKey::private_key_from_der(&bytes)
             .map(|pkey| OpenSslKeyPair { pkey })
-            .map_err(|e| SignerError::Other(format!("Invalid private key: {}", e)))
+            .map_err(|e| {
+                SignerError::Other(format!("Invalid private key: {}", e))
+            })
     }
 }
 

diff --git a/src/commons/util/ext_serde.rs b/src/commons/util/ext_serde.rs
@@ -5,6 +5,8 @@ use std::{
 };
 
 use bytes::Bytes;
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::STANDARD as BASE64_ENGINE;
 use log::LevelFilter;
 use serde::{de, Deserialize, Deserializer, Serialize, Serializer};
 use syslog::Facility;
@@ -18,15 +20,15 @@ where
     D: Deserializer<'de>,
 {
     let some = String::deserialize(d)?;
-    let dec = base64::decode(some).map_err(de::Error::custom)?;
+    let dec = BASE64_ENGINE.decode(some).map_err(de::Error::custom)?;
     Ok(Bytes::from(dec))
 }
 
 pub fn ser_bytes<S>(b: &Bytes, s: S) -> Result<S::Ok, S::Error>
 where
     S: Serializer,
 {
-    base64::encode(b).serialize(s)
+    BASE64_ENGINE.encode(b).serialize(s)
 }
 
 //------------ AsBlocks ------------------------------------------------------

diff --git a/src/daemon/auth/common/session.rs b/src/daemon/auth/common/session.rs
@@ -4,6 +4,9 @@ use std::{
     time::{Duration, SystemTime, UNIX_EPOCH},
 };
 
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::STANDARD as BASE64_ENGINE;
+
 use crate::{
     commons::{api::Token, error::Error, KrillResult},
     daemon::auth::common::crypt::{self, CryptState, NonceState},
@@ -194,7 +197,7 @@ impl LoginSessionCache {
         let unencrypted_bytes = session_json_str.as_bytes();
 
         let encrypted_bytes = (self.encrypt_fn)(&crypt_state.key, unencrypted_bytes, &crypt_state.nonce)?;
-        let token = Token::from(base64::encode(encrypted_bytes));
+        let token = Token::from(BASE64_ENGINE.encode(encrypted_bytes));
 
         self.cache_session(&token, &session);
         Ok(token)
@@ -208,7 +211,9 @@ impl LoginSessionCache {
             trace!("Session cache miss, deserializing...");
         }
 
-        let bytes = base64::decode(token.as_ref().as_bytes()).map_err(|err| {
+        let bytes = BASE64_ENGINE.decode(
+            token.as_ref().as_bytes()
+        ).map_err(|err| {
             debug!("Invalid bearer token: cannot decode: {}", err);
             Error::ApiInvalidCredentials("Invalid bearer token".to_string())
         })?;

diff --git a/src/daemon/auth/providers/config_file/provider.rs b/src/daemon/auth/providers/config_file/provider.rs
@@ -1,5 +1,7 @@
 use std::{collections::HashMap, sync::Arc};
 
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::STANDARD as BASE64_ENGINE;
 use unicode_normalization::UnicodeNormalization;
 
 use crate::{
@@ -85,7 +87,7 @@ impl ConfigFileAuthProvider {
     fn get_auth(&self, request: &hyper::Request<hyper::Body>) -> Option<Auth> {
         let header = request.headers().get(hyper::http::header::AUTHORIZATION)?;
         let auth = header.to_str().ok()?.strip_prefix("Basic ")?;
-        let auth = base64::decode(auth).ok()?;
+        let auth = BASE64_ENGINE.decode(auth).ok()?;
         let auth = String::from_utf8(auth).ok()?;
         let (username, password) = auth.split_once(':')?;
 
@@ -143,7 +145,10 @@ impl ConfigFileAuthProvider {
 
             // hash twice with two different salts
             // legacy hashing strategy to be compatible with lagosta
-            let params = scrypt::Params::new(PW_HASH_LOG_N, PW_HASH_R, PW_HASH_P).unwrap();
+            let params = scrypt::Params::new(
+                PW_HASH_LOG_N, PW_HASH_R, PW_HASH_P,
+                scrypt::Params::RECOMMENDED_LEN,
+            ).unwrap();
             let weak_salt = format!("krill-lagosta-{username}");
             let weak_salt = weak_salt.nfkc().collect::<String>();
 

diff --git a/src/daemon/auth/providers/openid_connect/provider.rs b/src/daemon/auth/providers/openid_connect/provider.rs
@@ -31,6 +31,8 @@ use std::{
 
 use tokio::sync::{RwLock, RwLockReadGuard};
 
+use base64::engine::Engine as _;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD as URL_BASE64_ENGINE;
 use basic_cookies::Cookie;
 use hyper::header::{HeaderValue, SET_COOKIE};
 use jmespatch as jmespath;
@@ -852,7 +854,7 @@ impl OpenIDConnectAuthProvider {
 
     fn verify_csrf_token(&self, state: String, csrf_token_hash: String) -> KrillResult<()> {
         let request_csrf_hash = sha256(state.as_bytes());
-        match base64::decode_config(csrf_token_hash, base64::URL_SAFE_NO_PAD) {
+        match URL_BASE64_ENGINE.decode(&csrf_token_hash) {
             Ok(cookie_csrf_hash) if request_csrf_hash == cookie_csrf_hash => Ok(()),
             Ok(cookie_csrf_hash) => Err(Self::internal_error(
                 "OpenID Connect: CSRF token mismatch",
@@ -1312,12 +1314,12 @@ impl OpenIDConnectAuthProvider {
         // in reversed positions.
         let csrf_token = CsrfToken::new_random();
         let csrf_token_hash = sha256(csrf_token.secret().as_bytes());
-        let csrf_token_hash_b64_str = base64::encode_config(csrf_token_hash, base64::URL_SAFE_NO_PAD);
+        let csrf_token_hash_b64_str = URL_BASE64_ENGINE.encode(csrf_token_hash);
 
         let mut request = conn.client.authorize_url(
             AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
             || csrf_token,
-            || Nonce::new(base64::encode_config(nonce_hash, base64::URL_SAFE_NO_PAD)),
+            || Nonce::new(URL_BASE64_ENGINE.encode(nonce_hash)),
         );
 
         // This unwrap is safe as we check in new() that the OpenID Connect
@@ -1502,7 +1504,9 @@ impl OpenIDConnectAuthProvider {
                 // claim is actually the hash of the original nonce, as per
                 // the advice in the OpenID Core 1.0 spec. See:
                 // https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
-                let nonce_hash = Nonce::new(base64::encode_config(sha256(nonce.as_bytes()), base64::URL_SAFE_NO_PAD));
+                let nonce_hash = Nonce::new(
+                    URL_BASE64_ENGINE.encode(sha256(nonce.as_bytes()))
+                );
 
                 let id_token_claims = self.get_token_id_claims(&token_response, nonce_hash).await?;