From b9a5c3767f3d953907c8a53f5381223e0c983dab Mon Sep 17 00:00:00 2001 From: Herbert Valerio Riedel Date: Thu, 14 Apr 2016 16:46:36 +0200 Subject: [PATCH] Swap `cryptohash`/`byteable` dep with `cryptohash-sha256`/`base16-bytestring` See well-typed/hackage-security#152 for rationale --- .../Distribution/Client/PackageHash.hs | 21 ++++++++++--------- cabal-install/cabal-install.cabal | 4 ++-- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/cabal-install/Distribution/Client/PackageHash.hs b/cabal-install/Distribution/Client/PackageHash.hs index 74601c40c1e..51ea9949e01 100644 --- a/cabal-install/Distribution/Client/PackageHash.hs +++ b/cabal-install/Distribution/Client/PackageHash.hs @@ -40,13 +40,14 @@ import Distribution.Text import Distribution.Client.Types ( InstalledPackageId ) +import qualified Crypto.Hash.SHA256 as SHA256 +import qualified Data.ByteString.Base16 as Base16 import qualified Data.ByteString.Char8 as BS import qualified Data.ByteString.Lazy.Char8 as LBS -import qualified Crypto.Hash as Hash -import qualified Data.Byteable as Hash import qualified Data.Set as Set import Data.Set (Set) +import Control.Monad (unless) import Data.Maybe (catMaybes) import Data.List (sortBy, intercalate) import Data.Function (on) 
@@ -203,22 +204,22 @@ renderPackageHashInputs PackageHashInputs{ -- there is some value in preventing intentional hash collisions in installed -- package ids. -newtype HashValue = HashValue (Hash.Digest Hash.SHA256) +newtype HashValue = HashValue BS.ByteString deriving (Eq, Show) instance Binary HashValue where - put (HashValue digest) = put (Hash.toBytes digest) + put (HashValue digest) = put digest get = do - bs <- get - case Hash.digestFromByteString bs of - Nothing -> fail "HashValue: bad digest" - Just digest -> return (HashValue digest) + digest <- get + unless (BS.length digest == 32) $ -- NB: valid for SHA256 + fail "HashValue: bad digest" + return (HashValue digest) hashValue :: LBS.ByteString -> HashValue -hashValue = HashValue . Hash.hashlazy +hashValue = HashValue . SHA256.hashlazy showHashValue :: HashValue -> String -showHashValue (HashValue digest) = BS.unpack (Hash.digestToHexByteString digest) +showHashValue (HashValue digest) = BS.unpack (Base16.encode digest) readFileHashValue :: FilePath -> IO HashValue readFileHashValue tarball = diff --git a/cabal-install/cabal-install.cabal b/cabal-install/cabal-install.cabal index e1e073aafb9..d90d8697d81 100644 --- a/cabal-install/cabal-install.cabal +++ b/cabal-install/cabal-install.cabal @@ -232,12 +232,12 @@ executable cabal async >= 2.0 && < 3, array >= 0.4 && < 0.6, base >= 4.5 && < 5, + base16-bytestring >= 0.1.1 && < 0.2, binary >= 0.5 && < 0.9, - byteable >= 0.1 && < 0.2, bytestring >= 0.9 && < 1, Cabal >= 1.24 && < 1.25, containers >= 0.4 && < 0.6, - cryptohash >= 0.11 && < 0.12, + cryptohash-sha256 >= 0.11 && < 0.12, filepath >= 1.3 && < 1.5, hashable >= 1.0 && < 2, HTTP >= 4000.1.5 && < 4000.4,
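Review bot: In the PackageHash.hs hunk at `@@ -203,22 +204,22 @@`, `HashValue` now wraps a plain `BS.ByteString`, so the 32-byte SHA-256 invariant that `Hash.Digest Hash.SHA256` used to carry in its type is enforced only by the length check in `get` and by construction through `hashValue`. I would document that on the type, e.g. `-- | Invariant: exactly 32 bytes (a SHA-256 digest); build only via 'hashValue' or the 'Binary' instance.`, and replace the bare `32` with a named constant beside it. The export list is not visible here; if the `HashValue` constructor is exported, keeping it abstract stops other modules from building values that bypass the check before they are used in installed package ids. The derived `Show` now goes through the `ByteString` instance, so any caller that relied on `show` to print a hex digest (I have not checked for one) should use `showHashValue` instead. The comment block at the top of the hunk and `readFileHashValue` at the bottom both continue outside it.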