Bump crypto-bigint dependency to v0.7.0-rc.12 (#615)

This release migrates from `subtle` to the new `ctutils` library, which
should improve constant-time properties.

It also brings a new `rand_core` release and the first new `getrandom`
series prerelease: v0.4.0-rc.0, which makes it possible to remove the
direct dependency on `rand`.

I've pulled `getrandom` in through an optional dependency on
`crypto-common`, as I'd like to impl the `Generate` trait in a followup.

Finally, as noted earlier `crypto-common` has migrated to `ctutils`, so
this also removes the direct dependency on `subtle`, replacing it with
the same-named types from `ctutils` which act as a mostly drop-in
replacement.

Author: tarcieri

.github/workflows/ci.yml

@@ -51,8 +51,8 @@ jobs:
         with:
           toolchain: ${{ matrix.rust }}
       - uses: RustCrypto/actions/cargo-hack-install@master
-      - run: cargo hack test --release --feature-powerset --exclude-features os_rng,serde
-      - run: cargo test --release --features os_rng
+      - run: cargo hack test --release --feature-powerset --exclude-features getrandom,serde
+      - run: cargo test --release --features getrandom
       - run: cargo test --release --features serde
 
   minimal-versions:
@@ -66,7 +66,7 @@ jobs:
       - uses: dtolnay/rust-toolchain@nightly
       - run: cargo update -Z minimal-versions
       - uses: dtolnay/rust-toolchain@stable
-      - run: cargo test --release --features os_rng,serde,pkcs5
+      - run: cargo test --release --features getrandom,serde,pkcs5
 
   nightly:
     runs-on: ubuntu-latest

Cargo.lock

@@ -15,31 +15,30 @@ exclude = ["marvin_toolkit/", "thirdparty/"]
 
 [dependencies]
 const-oid = { version = "0.10", default-features = false }
-crypto-bigint = { version = "0.7.0-rc.10", default-features = false, features = ["zeroize", "alloc"] }
-crypto-primes = { version = "0.7.0-pre.4", default-features = false }
+crypto-bigint = { version = "0.7.0-rc.12", default-features = false, features = ["zeroize", "alloc"] }
+crypto-primes = { version = "0.7.0-dev", default-features = false }
 digest = { version = "0.11.0-rc.4", default-features = false, features = ["alloc", "oid"] }
 rand_core = { version = "0.10.0-rc-2", default-features = false }
 signature = { version = "3.0.0-rc.5", default-features = false, features = ["alloc", "digest", "rand_core"] }
-subtle = { version = "2.6.1", default-features = false }
 zeroize = { version = "1.8", features = ["alloc"] }
 
 # optional dependencies
+crypto-common = { version = "0.2.0-rc.8", optional = true, features = ["getrandom"] }
 pkcs1 = { version = "0.8.0-rc.3", optional = true, default-features = false, features = ["alloc", "pem"] }
 pkcs8 = { version = "0.11.0-rc.8", optional = true, default-features = false, features = ["alloc", "pem"] }
 serdect = { version = "0.4", optional = true }
 sha1 = { version = "0.11.0-rc.3", optional = true, default-features = false, features = ["oid"] }
 sha2 = { version = "0.11.0-rc.3", optional = true, default-features = false, features = ["oid"] }
 spki = { version = "0.8.0-rc.4", optional = true, default-features = false, features = ["alloc"] }
 serde = { version = "1.0.184", optional = true, default-features = false, features = ["derive"] }
-rand = { version = "0.10.0-rc.1", optional = true, default-features = false }
 
 [dev-dependencies]
 base64ct = { version = "1", features = ["alloc"] }
 hex-literal = "1"
 proptest = "1"
 serde_test = "1.0.89"
-rand = { version = "0.10.0-rc.1", features = ["chacha"] }
-rand_core = { version = "0.10.0-rc-2", default-features = false }
+rand = { version = "0.10.0-rc.5", features = ["chacha"] }
+rand_core = { version = "0.10.0-rc-3", default-features = false }
 sha1 = { version = "0.11.0-rc.3", default-features = false, features = ["oid"] }
 sha2 = { version = "0.11.0-rc.3", default-features = false, features = ["oid"] }
 sha3 = { version = "0.11.0-rc.3", default-features = false, features = ["oid"] }
@@ -55,10 +54,10 @@ name = "key"
 default = ["std", "encoding"]
 encoding = ["dep:pkcs1", "dep:pkcs8", "dep:spki"]
 hazmat = []
-os_rng = ["crypto-bigint/rand_core", "rand/os_rng"]
+getrandom = ["crypto-bigint/getrandom", "crypto-common"]
 serde = ["encoding", "dep:serde", "dep:serdect", "crypto-bigint/serde"]
 pkcs5 = ["pkcs8/encryption"]
-std = ["pkcs1?/std", "pkcs8?/std", "crypto-bigint/rand"]
+std = ["pkcs1?/std", "pkcs8?/std"]
 
 [package.metadata.docs.rs]
 features = ["std", "serde", "hazmat", "sha2"]
@@ -69,3 +68,7 @@ opt-level = 2
 
 [profile.bench]
 debug = true
+
+[patch.crates-io]
+crypto-primes = { git = "https://github.com/tarcieri/crypto-primes", branch = "crypto-bigint/v0.7.0-rc.12" }
+rand = { git = "https://github.com/rust-random/rand" }

Cargo.toml

@@ -3,9 +3,9 @@
 use alloc::boxed::Box;
 use alloc::vec::Vec;
 
+use crypto_bigint::{Choice, CtEq, CtOption, CtSelect};
 use digest::{Digest, FixedOutputReset};
 use rand_core::TryCryptoRng;
-use subtle::{Choice, ConditionallySelectable, ConstantTimeEq, CtOption};
 use zeroize::Zeroizing;
 
 use super::mgf::{mgf1_xor, mgf1_xor_digest};
@@ -242,14 +242,14 @@ fn decrypt_inner<MGF: FnMut(&mut [u8], &mut [u8])>(
     //   looking_for_index: 1 if we are still looking for the 0x01
     //   index: the offset of the first 0x01 byte
     //   zero_before_one: 1 if we saw a non-zero byte before the 1
-    let mut looking_for_index = Choice::from(1u8);
+    let mut looking_for_index = Choice::TRUE;
     let mut index = 0u32;
-    let mut nonzero_before_one = Choice::from(0u8);
+    let mut nonzero_before_one = Choice::FALSE;
 
     for (i, el) in db.iter().skip(h_size).enumerate() {
         let equals0 = el.ct_eq(&0u8);
         let equals1 = el.ct_eq(&1u8);
-        index.conditional_assign(&(i as u32), looking_for_index & equals1);
+        index.ct_assign(&(i as u32), looking_for_index & equals1);
         looking_for_index &= !equals1;
         nonzero_before_one |= looking_for_index & !equals0;
     }

src/algorithms/oaep.rs

@@ -8,9 +8,9 @@
 
 use alloc::vec::Vec;
 use const_oid::AssociatedOid;
+use crypto_bigint::{Choice, CtEq, CtSelect};
 use digest::Digest;
 use rand_core::TryCryptoRng;
-use subtle::{Choice, ConditionallySelectable, ConstantTimeEq};
 use zeroize::Zeroizing;
 
 use crate::errors::{Error, Result};
@@ -99,8 +99,8 @@ fn decrypt_inner(em: Vec<u8>, k: usize) -> Result<(u8, Vec<u8>, u32)> {
 
     for (i, el) in em.iter().enumerate().skip(2) {
         let equals0 = el.ct_eq(&0u8);
-        index.conditional_assign(&(i as u32), Choice::from(looking_for_index) & equals0);
-        looking_for_index.conditional_assign(&0u8, equals0);
+        index.ct_assign(&(i as u32), Choice::new(looking_for_index) & equals0);
+        looking_for_index.ct_assign(&0u8, equals0);
     }
 
     // The PS padding must be at least 8 bytes long, and it starts two
@@ -109,12 +109,12 @@ fn decrypt_inner(em: Vec<u8>, k: usize) -> Result<(u8, Vec<u8>, u32)> {
     // Ref: https://github.com/dalek-cryptography/subtle/issues/20
     // This is currently copy & paste from the constant time impl in
     // go, but very likely not sufficient.
-    let valid_ps = Choice::from((((2i32 + 8i32 - index as i32 - 1i32) >> 31) & 1) as u8);
+    let valid_ps = Choice::new((((2i32 + 8i32 - index as i32 - 1i32) >> 31) & 1) as u8);
     let valid =
-        first_byte_is_zero & second_byte_is_two & Choice::from(!looking_for_index & 1) & valid_ps;
-    index = u32::conditional_select(&0, &(index + 1), valid);
+        first_byte_is_zero & second_byte_is_two & Choice::new(!looking_for_index & 1) & valid_ps;
+    index = u32::ct_select(&0, &(index + 1), valid);
 
-    Ok((valid.unwrap_u8(), em, index))
+    Ok((valid.to_u8(), em, index))
 }
 
 #[inline]
@@ -155,7 +155,8 @@ pub(crate) fn pkcs1v15_sign_unpad(prefix: &[u8], hashed: &[u8], em: &[u8], k: us
         ok &= el.ct_eq(&0xff)
     }
 
-    if ok.unwrap_u8() != 1 {
+    // TODO(tarcieri): avoid branching here by e.g. using a pseudorandom rejection symbol
+    if !ok.to_bool() {
         return Err(Error::Verification);
     }