Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade (or replace) *ring* #11

Closed
tarcieri opened this issue Aug 12, 2019 · 2 comments
Closed

Upgrade (or replace) *ring* #11

tarcieri opened this issue Aug 12, 2019 · 2 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@tarcieri
Copy link
Contributor

The ring crate (BoringSSL crypto primitives wrapped in Rust) is two versions out-of-date (currently 0.14, latest 0.16), and unfortunately like most other Rust crates, does not allow two versions to be linked simultaneously. I just updated Signatory and yubihsm-rs to use ring 0.16, but they're presently incompatible with the KMS due to the older version used by this crate:

$ cargo test --all --all-features -- --test-threads 1
    Updating crates.io index
error: failed to select a version for `ring`.
    ... required by package `yubihsm v0.27.0`
    ... which is depended on by `tmkms v0.6.3 (/Users/bascule/src/tmkms)`
versions that meet the requirements `^0.16` are: 0.16.6, 0.16.5, 0.16.4, 0.16.3, 0.16.2, 0.16.1, 0.16.0

the package `ring` links to the native library `ring-asm`, but it conflicts with a previous package which links to `ring-asm` as well:
package `ring v0.14.0`
    ... which is depended on by `tendermint v0.10.0`
    ... which is depended on by `tmkms v0.6.3 (/Users/bascule/src/tmkms)`

failed to select a version for `ring` which could resolve this conflict

All ring is used for is the ChaCha20Poly1305 implementation, which for me it seems like a particularly heavyweight dependency if we're only using it for that.

I've been contributing to the chacha20 crate as part of RustCrypto stream ciphers, which provides a potential replacement.
@tarcieri
Copy link
Contributor Author

I released a full chacha20poly1305 crate.

I'd say it's a bit "bleeding edge" to swap out immediately, but I know some people who want to play with it, so I'll let you know how that goes.

@tarcieri tarcieri mentioned this issue Sep 6, 2019
Closed
@ebuchman ebuchman mentioned this issue Sep 7, 2019
Closed
@tarcieri tarcieri mentioned this issue Oct 17, 2019
Merged
tarcieri pushed a commit to tendermint/tmkms that referenced this issue Oct 18, 2019
@tony-iqlusion
Upgrade signatory -> 0.15; yubihsm -> 0.28; use chacha20poly1305 crate
d240bc9 
This commit updates `signatory` and `yubihsm` to the latest versions.

This requires either upgrading *ring* to 0.16, or replacing it:

informalsystems/tendermint-rs#11

This commit has opted to replace it with the (i.e. my)
`chacha20poly1305` crate:

https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305

While *ring* is a great crate with excellent cryptographic
implementations, the inability to link two versions of `ring-asm` is a
major impediment to doing upgrades, as it requires updating all
*ring*-dependent dependencies at once, or not at all, which so far has
been a major blocker and has been stalling KMS development for awhile.
As we're only using it for ChaCha20Poly1305, it seems like a rather
heavyweight dependency just to serve that one purpose.
@tarcieri tarcieri mentioned this issue Oct 18, 2019
Merged
This was referenced Nov 6, 2019
Closed
Merged
@ebuchman ebuchman added the dependencies Pull requests that update a dependency file label Jun 3, 2020
@xla
Copy link
Contributor

xla commented Jun 14, 2020

The dependency was removed in a47430a.

@xla xla closed this as completed Jun 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tarcieri @xla @ebuchman