Remove openssl, update some Windows deps

Alexendoo · Alexendoo · commit 9609b8b7ca99 · 2025-05-08T18:27:11.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,7 +9,6 @@ rust-version = "1.80.0"
 
 [dependencies]
 serde_json = "1"
-openssl = "0.10"
 dotenvy = "0.15"
 reqwest = { version = "0.11.4", features = ["json", "blocking"] }
 regex = "1"
@@ -46,6 +45,10 @@ postgres-types = { version = "0.2.4", features = ["derive"] }
 cron = { version = "0.15.0" }
 bytes = "1.1.0"
 structopt = "0.3.26"
+hmac = "0.12.1"
+sha1 = "0.10.6"
+digest = "0.10.7"
+subtle = "2.6.1"
 
 [dependencies.serde]
 version = "1"
diff --git a/src/payload.rs b/src/payload.rs
@@ -1,4 +1,5 @@
-use openssl::{hash::MessageDigest, memcmp, pkey::PKey, sign::Signer};
+use hmac::{Hmac, Mac};
+use sha1::Sha1;
 use std::fmt;
 
 #[derive(Debug)]
@@ -22,18 +23,12 @@ pub fn assert_signed(signature: &str, payload: &[u8]) -> Result<(), SignedPayloa
         }
     };
 
-    let key = PKey::hmac(
+    let mut mac = Hmac::<Sha1>::new_from_slice(
         std::env::var("GITHUB_WEBHOOK_SECRET")
             .expect("Missing GITHUB_WEBHOOK_SECRET")
             .as_bytes(),
     )
     .unwrap();
-    let mut signer = Signer::new(MessageDigest::sha1(), &key).unwrap();
-    signer.update(&payload).unwrap();
-    let hmac = signer.sign_to_vec().unwrap();
-
-    if !memcmp::eq(&hmac, &signature) {
-        return Err(SignedPayloadError);
-    }
-    Ok(())
+    mac.update(&payload);
+    mac.verify_slice(&signature).map_err(|_| SignedPayloadError)
 }
diff --git a/src/zulip.rs b/src/zulip.rs
@@ -12,6 +12,7 @@ use std::env;
 use std::fmt::Write as _;
 use std::str::FromStr;
 use std::sync::LazyLock;
+use subtle::ConstantTimeEq;
 use tracing as log;
 
 static ZULIP_URL: LazyLock<String> =
@@ -130,7 +131,7 @@ pub async fn respond(ctx: &Context, req: Request) -> String {
 async fn process_zulip_request(ctx: &Context, req: Request) -> anyhow::Result<Option<String>> {
     let expected_token = std::env::var("ZULIP_TOKEN").expect("`ZULIP_TOKEN` set for authorization");
 
-    if !openssl::memcmp::eq(req.token.as_bytes(), expected_token.as_bytes()) {
+    if !bool::from(req.token.as_bytes().ct_eq(expected_token.as_bytes())) {
         anyhow::bail!("Invalid authorization.");
     }
 
