diff --git a/Cargo.lock b/Cargo.lock index 2990de9c..8a948d09 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -548,6 +548,7 @@ name = "scrypt" version = "0.12.0-rc.10" dependencies = [ "cfg-if", + "ctutils", "kdf", "mcf", "password-hash", @@ -555,7 +556,6 @@ dependencies = [ "rayon", "salsa20", "sha2", - "subtle", ] [[package]] @@ -611,10 +611,10 @@ name = "sha-crypt" version = "0.6.0-rc.4" dependencies = [ "base64ct", + "ctutils", "mcf", "password-hash", "sha2", - "subtle", ] [[package]] @@ -648,12 +648,6 @@ dependencies = [ "digest", ] -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - [[package]] name = "syn" version = "2.0.117" @@ -872,6 +866,7 @@ dependencies = [ name = "yescrypt" version = "0.1.0-rc.5" dependencies = [ + "ctutils", "hex-literal", "hmac", "kdf", @@ -880,7 +875,6 @@ dependencies = [ "pbkdf2", "salsa20", "sha2", - "subtle", ] [[package]] diff --git a/scrypt/Cargo.toml b/scrypt/Cargo.toml index 856b511b..be9c08cc 100644 --- a/scrypt/Cargo.toml +++ b/scrypt/Cargo.toml @@ -21,17 +21,17 @@ sha2 = { version = "0.11.0-rc.5", default-features = false } rayon = { version = "1.11", optional = true } # optional dependencies +ctutils = { version = "0.4", optional = true } kdf = { version = "0.1", optional = true } mcf = { version = "0.6", optional = true } password-hash = { version = "0.6.0-rc.12", optional = true, default-features = false } -subtle = { version = "2", optional = true, default-features = false } [features] alloc = ["password-hash?/alloc"] getrandom = ["password-hash", "password-hash/getrandom"] kdf = ["alloc", "dep:kdf"] -mcf = ["alloc", "phc", "dep:mcf", "dep:subtle"] +mcf = ["alloc", "phc", "dep:ctutils", "dep:mcf"] phc = ["password-hash/phc"] rand_core = ["password-hash/rand_core"] parallel = ["dep:rayon"] diff --git a/scrypt/src/mcf.rs b/scrypt/src/mcf.rs index 7e8d33b3..70426867 100644 --- a/scrypt/src/mcf.rs +++ b/scrypt/src/mcf.rs @@ -112,7 +112,7 @@ impl PasswordVerifier for Scrypt { let mut actual = vec![0u8; expected.len()]; scrypt(password, salt, ¶ms, &mut actual).map_err(|_| Error::OutputSize)?; - if subtle::ConstantTimeEq::ct_ne(actual.as_slice(), &expected).into() { + if ctutils::CtEq::ct_ne(actual.as_slice(), &expected).into() { return Err(Error::PasswordInvalid); } diff --git a/sha-crypt/Cargo.toml b/sha-crypt/Cargo.toml index dcce7dbf..9b821649 100644 --- a/sha-crypt/Cargo.toml +++ b/sha-crypt/Cargo.toml @@ -22,15 +22,15 @@ sha2 = { version = "0.11.0-rc.5", default-features = false } base64ct = { version = "1.8", default-features = false, features = ["alloc"] } # optional dependencies +ctutils = { version = "0.4", optional = true } mcf = { version = "0.6", optional = true, default-features = false, features = ["alloc", "base64"] } password-hash = { version = "0.6.0-rc.12", optional = true, default-features = false } -subtle = { version = "2", optional = true, default-features = false } [features] default = ["password-hash"] getrandom = ["password-hash/getrandom", "password-hash"] rand_core = ["password-hash/rand_core"] -password-hash = ["dep:mcf", "dep:password-hash", "dep:subtle"] +password-hash = ["dep:ctutils", "dep:mcf", "dep:password-hash"] [package.metadata.docs.rs] all-features = true diff --git a/sha-crypt/src/mcf.rs b/sha-crypt/src/mcf.rs index 13fcfdd6..78330a56 100644 --- a/sha-crypt/src/mcf.rs +++ b/sha-crypt/src/mcf.rs @@ -5,11 +5,11 @@ pub use mcf::{PasswordHash, PasswordHashRef}; use crate::{BLOCK_SIZE_SHA256, BLOCK_SIZE_SHA512, Params, algorithm::Algorithm}; use base64ct::{Base64ShaCrypt, Encoding}; use core::str::FromStr; +use ctutils::CtEq; use mcf::Base64; use password_hash::{ CustomizedPasswordHasher, Error, PasswordHasher, PasswordVerifier, Result, Version, }; -use subtle::ConstantTimeEq; /// SHA-crypt type for use with the [`PasswordHasher`] and [`PasswordVerifier`] traits, which can /// produce and verify password hashes in [`Modular Crypt Format`][`mcf`]. diff --git a/yescrypt/Cargo.toml b/yescrypt/Cargo.toml index 3cccb8ca..c471a22b 100644 --- a/yescrypt/Cargo.toml +++ b/yescrypt/Cargo.toml @@ -14,11 +14,11 @@ edition = "2024" rust-version = "1.85" [dependencies] +ctutils = "0.4" hmac = { version = "0.13.0-rc.5", default-features = false } pbkdf2 = { version = "0.13.0-rc.9", default-features = false, features = ["hmac"] } salsa20 = { version = "0.11.0-rc.2", default-features = false } sha2 = { version = "0.11.0-rc.5", default-features = false } -subtle = { version = "2", default-features = false } # optional dependencies kdf = { version = "0.1", optional = true } diff --git a/yescrypt/src/mcf.rs b/yescrypt/src/mcf.rs index aa0fa2cb..79c8619a 100644 --- a/yescrypt/src/mcf.rs +++ b/yescrypt/src/mcf.rs @@ -110,7 +110,7 @@ impl PasswordVerifier for Yescrypt { let mut actual = vec![0u8; expected.len()]; yescrypt(password, &salt, ¶ms, &mut actual)?; - if subtle::ConstantTimeEq::ct_ne(actual.as_slice(), &expected).into() { + if ctutils::CtEq::ct_ne(actual.as_slice(), &expected).into() { return Err(Error::PasswordInvalid); }