rust update tiny-keccak, hmac, sha2 dependencies

.changelog/3260.internal.md

@@ -0,0 +1 @@
+rust: Update tiny-keccak, hmac, sha2 dependencies

.github/dependabot.yml

@@ -57,13 +57,10 @@ updates:
       # version, remove it from the ignore list.
       - dependency-name: futures
       - dependency-name: grpcio
-      - dependency-name: hmac
       - dependency-name: intrusive-collections
       - dependency-name: rustracing
       - dependency-name: rustracing_jaeger
       - dependency-name: serde
       - dependency-name: serde_bytes
       - dependency-name: serde_cbor
-      - dependency-name: sha2
       - dependency-name: snow
-      - dependency-name: tiny-keccak

keymanager-lib/Cargo.toml

@@ -16,6 +16,6 @@ io-context = "0.2.0"
 rand = "0.7.3"
 sgx-isa = { version = "0.3.2", features = ["sgxstd"] }
 sp800-185 = "0.2.0"
-tiny-keccak = "1.4.2"
+tiny-keccak = { version = "2.0.2", features = ["sha3"] }
 x25519-dalek = "1.1.0"
 zeroize = "1.1"

keymanager-lib/src/policy.rs

@@ -7,7 +7,7 @@ use std::{
 use anyhow::Result;
 use lazy_static::lazy_static;
 use sgx_isa::Keypolicy;
-use tiny_keccak::sha3_256;
+use tiny_keccak::{Hasher, Sha3};
 
 use oasis_core_keymanager_api_common::*;
 use oasis_core_runtime::{
@@ -209,10 +209,15 @@ impl CachedPolicy {
         let policy = untrusted_policy.verify()?;
 
         let mut cached_policy = Self::default();
-        cached_policy.checksum = sha3_256(&raw).to_vec();
         cached_policy.serial = policy.serial;
         cached_policy.runtime_id = policy.id;
 
+        let mut sha3 = Sha3::v256();
+        sha3.update(&raw);
+        let mut k = [0; 32];
+        sha3.finalize(&mut k);
+        cached_policy.checksum = k.to_vec();
+
         // Convert the policy into a cached one.
         //
         // TODO: Need a mock enclave identity for non-sgx builds if we want to

runtime/Cargo.toml

@@ -39,12 +39,12 @@ io-context = "0.2.0"
 x25519-dalek = "1.1.0"
 ed25519-dalek = "1.0.0-pre.3"
 deoxysii = { git = "https://github.com/oasisprotocol/deoxysii-rust" }
-tiny-keccak = "1.4.2"
+tiny-keccak = { version = "2.0.2", features = ["sha3"] }
 sp800-185 = "0.2.0"
 zeroize = "1.1"
 intrusive-collections = "0.8"
-sha2 = "0.8.1"
-hmac = "0.7.1"
+sha2 = "0.9.1"
+hmac = "0.9.0"
 honggfuzz = "0.5.47"
 arbitrary = { version = "0.4.1", features = ["derive"] }
 

runtime/src/common/crypto/hash.rs

@@ -16,11 +16,11 @@ impl Hash {
     pub fn digest_bytes_list(data: &[&[u8]]) -> Hash {
         let mut ctx = Sha512Trunc256::new();
         for datum in data {
-            ctx.input(datum);
+            ctx.update(datum);
         }
 
         let mut result = [0u8; 32];
-        result[..].copy_from_slice(ctx.result().as_ref());
+        result[..].copy_from_slice(ctx.finalize().as_ref());
 
         Hash(result)
     }

runtime/src/common/crypto/mrae/deoxysii.rs

@@ -3,7 +3,7 @@
 pub use super::deoxysii_rust::{DeoxysII, KEY_SIZE, NONCE_SIZE, TAG_SIZE};
 
 use super::{
-    hmac::{Hmac, Mac},
+    hmac::{Hmac, Mac, NewMac},
     sha2::Sha512Trunc256,
     x25519_dalek,
 };
@@ -22,12 +22,12 @@ fn derive_symmetric_key(public: &[u8; 32], private: &[u8; 32]) -> [u8; KEY_SIZE]
     let pmk = private.diffie_hellman(&public);
 
     let mut kdf = Kdf::new_varkey(b"MRAE_Box_Deoxys-II-256-128").expect("Hmac::new_varkey");
-    kdf.input(pmk.as_bytes());
+    kdf.update(pmk.as_bytes());
     drop(pmk);
 
     let mut derived_key = [0u8; KEY_SIZE];
-    let digest = kdf.result();
-    derived_key.copy_from_slice(&digest.code().as_ref()[..KEY_SIZE]);
+    let digest = kdf.finalize();
+    derived_key.copy_from_slice(&digest.into_bytes()[..KEY_SIZE]);
 
     derived_key
 }

runtime/src/common/sgx/egetkey.rs

@@ -6,16 +6,7 @@ use sp800_185::KMac;
 #[cfg(target_env = "sgx")]
 use sgx_isa::{Keyname, Keyrequest};
 #[cfg(target_env = "sgx")]
-use tiny_keccak::sha3_256;
-
-// This crate is not portable due to dependencies, even when using the mock
-// key derivation:
-//
-//  * sp800_185 relies on tiny_keccak, which as of 1.4.2, will produce
-//    incorrect results on big endian targets, and will crash on any
-//    architecture that requires aligned 64 bit loads and stores.
-#[cfg(not(target_arch = "x86_64"))]
-error!("Only x86_64 is supported");
+use tiny_keccak::{Hasher, Sha3};
 
 #[cfg(not(target_env = "sgx"))]
 const MOCK_MRENCLAVE_KEY: &[u8] = b"Ekiden Test MRENCLAVE KEY";
@@ -32,7 +23,13 @@ fn egetkey_impl(key_policy: Keypolicy, context: &[u8]) -> [u8; 16] {
 
     req.keyname = Keyname::Seal as u16;
     req.keypolicy = key_policy;
-    req.keyid = sha3_256(context);
+
+    let mut sha3 = Sha3::v256();
+    sha3.update(context);
+    let mut k = [0; 32];
+    sha3.finalize(&mut k);
+    req.keyid = k;
+
     // Fucking sgx_isa::Attributes doesn't have a -> [u64;2].
     req.attributemask[0] = 1 | 2 | 4; // SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG | SGX_FLAGS_MODE64BIT
     req.attributemask[1] = 3; // SGX_XFRM_LEGACY