Update curve25519-dalek to v4.1.3 reland (#25665)

Update curve25519-dalek to v4.1.3

---------

Co-authored-by: Ralph Giles <[email protected]>

components/brave_wallet/rust/BUILD.gn

@@ -14,7 +14,7 @@ rust_static_library("rust_lib") {
 
   deps = [
     "//brave/third_party/rust/bech32/v0_9:lib",
-    "//brave/third_party/rust/curve25519_dalek/v3:lib",
-    "//brave/third_party/rust/ed25519_dalek_bip32/v0_2:lib",
+    "//brave/third_party/rust/curve25519_dalek/v4:lib",
+    "//brave/third_party/rust/ed25519_dalek_bip32/v0_3:lib",
   ]
 }

components/brave_wallet/rust/Cargo.toml

@@ -8,8 +8,8 @@ license = "MPL-2.0"
 
 [dependencies]
 cxx = { version = "1.0", features = [ "alloc", "std" ] }
-ed25519-dalek-bip32 = "0.2.0"
-curve25519-dalek = "3.2.0"
+ed25519-dalek-bip32 = "0.3.0"
+curve25519-dalek = "4.1.3"
 bech32 = "0.9.1"
 
 [lib]

components/brave_wallet/rust/lib.rs

@@ -6,16 +6,15 @@
 use bech32::Error as Bech32Error;
 use bech32::FromBase32;
 use core::fmt;
-use curve25519_dalek;
 use ed25519_dalek_bip32::derivation_path::{
     ChildIndexError, DerivationPath, DerivationPathParseError,
 };
 use ed25519_dalek_bip32::ed25519_dalek::{
-    Keypair, SecretKey, Signature, SignatureError, Signer, KEYPAIR_LENGTH, PUBLIC_KEY_LENGTH,
+    Signature, SignatureError, Signer, SigningKey, KEYPAIR_LENGTH, PUBLIC_KEY_LENGTH,
     SECRET_KEY_LENGTH, SIGNATURE_LENGTH,
 };
 use ed25519_dalek_bip32::Error as Ed25519Bip32Error;
-use ed25519_dalek_bip32::{ChildIndex, ExtendedSecretKey};
+use ed25519_dalek_bip32::{ChildIndex, ExtendedSigningKey};
 use ffi::Bech32DecodeVariant;
 
 #[macro_export]
@@ -144,6 +143,7 @@ pub enum Error {
     ChildIndex(ChildIndexError),
     Signature(SignatureError),
     Bech32(Bech32Error),
+    KeyLengthMismatch,
 }
 
 impl_error!(Ed25519Bip32Error, Ed25519Bip32);
@@ -160,6 +160,9 @@ impl fmt::Display for Error {
             Error::ChildIndex(e) => write!(f, "Error: {}", e.to_string()),
             Error::Signature(e) => write!(f, "Error: {}", e.to_string()),
             Error::Bech32(e) => write!(f, "Error: {}", e.to_string()),
+            Error::KeyLengthMismatch => {
+                write!(f, "Error: raw key bytes were not the expected length")
+            }
         }
     }
 }
@@ -170,15 +173,19 @@ pub struct Bech32Decoded {
 }
 
 pub struct Bech32DecodeValue(Bech32Decoded);
-pub struct Ed25519DalekExtendedSecretKey(ExtendedSecretKey);
+pub struct Ed25519DalekExtendedSecretKey(ExtendedSigningKey);
 pub struct Ed25519DalekSignature(Signature);
 
 struct Ed25519DalekExtendedSecretKeyResult(Result<Ed25519DalekExtendedSecretKey, Error>);
 struct Ed25519DalekSignatureResult(Result<Ed25519DalekSignature, Error>);
 struct Ed25519DalekVerificationResult(Result<(), Error>);
 struct Bech32DecodeResult(Result<Bech32DecodeValue, Error>);
 
-impl_result!(Ed25519DalekExtendedSecretKey, Ed25519DalekExtendedSecretKeyResult, ExtendedSecretKey);
+impl_result!(
+    Ed25519DalekExtendedSecretKey,
+    Ed25519DalekExtendedSecretKeyResult,
+    ExtendedSigningKey
+);
 impl_result!(Ed25519DalekSignature, Ed25519DalekSignatureResult, Signature);
 impl_result!(Bech32DecodeValue, Bech32DecodeResult, Bech32Decoded);
 
@@ -220,25 +227,36 @@ fn generate_ed25519_extended_secret_key_from_seed(
     bytes: &[u8],
 ) -> Box<Ed25519DalekExtendedSecretKeyResult> {
     Box::new(Ed25519DalekExtendedSecretKeyResult::from(
-        ExtendedSecretKey::from_seed(bytes).map_err(|err| Error::from(err)),
+        ExtendedSigningKey::from_seed(bytes).map_err(Error::from),
     ))
 }
+
 fn generate_ed25519_extended_secret_key_from_bytes(
     bytes: &[u8],
 ) -> Box<Ed25519DalekExtendedSecretKeyResult> {
-    Box::new(Ed25519DalekExtendedSecretKeyResult::from(
-        SecretKey::from_bytes(bytes).map_err(|err| Error::from(err)).and_then(|secret_key| {
-            Ok(ExtendedSecretKey {
+    let key_result = match bytes.try_into() {
+        Err(_) => Err(Error::KeyLengthMismatch),
+        Ok(array) => {
+            let signing_key = SigningKey::from_bytes(array);
+            Ok(ExtendedSigningKey {
                 depth: 0,
                 child_index: ChildIndex::Normal(0),
-                secret_key,
+                signing_key,
                 chain_code: [0; 32],
             })
-        }),
-    ))
+        }
+    };
+    Box::new(Ed25519DalekExtendedSecretKeyResult::from(key_result))
 }
+
 fn bytes_are_curve25519_point(bytes: &[u8]) -> bool {
-    curve25519_dalek::edwards::CompressedEdwardsY::from_slice(bytes).decompress().is_some()
+    match curve25519_dalek::edwards::CompressedEdwardsY::from_slice(bytes) {
+        // If the y coordinate decompresses, it represents a curve point.
+        Ok(point) => point.decompress().is_some(),
+        // Creating the CompressedEdwardsY failed, so bytes does not represent
+        // a curve point, probably the slice wasn't the expected size.
+        Err(_) => false,
+    }
 }
 
 fn decode_bech32(input: &str) -> Box<Bech32DecodeResult> {
@@ -276,34 +294,31 @@ impl Ed25519DalekExtendedSecretKey {
         ))
     }
     fn keypair_raw(&self) -> [u8; KEYPAIR_LENGTH] {
-        let mut bytes: [u8; KEYPAIR_LENGTH] = [0u8; KEYPAIR_LENGTH];
-        bytes[..SECRET_KEY_LENGTH].copy_from_slice(&self.0.secret_key.to_bytes());
-        bytes[SECRET_KEY_LENGTH..].copy_from_slice(&self.0.public_key().to_bytes());
-        bytes
+        self.0.signing_key.to_keypair_bytes()
     }
     fn secret_key_raw(&self) -> [u8; SECRET_KEY_LENGTH] {
-        self.0.secret_key.to_bytes()
+        self.0.signing_key.to_bytes()
     }
     fn public_key_raw(&self) -> [u8; PUBLIC_KEY_LENGTH] {
-        self.0.public_key().to_bytes()
+        self.0.verifying_key().to_bytes()
     }
+
     fn sign(self: &Ed25519DalekExtendedSecretKey, msg: &[u8]) -> Box<Ed25519DalekSignatureResult> {
         Box::new(Ed25519DalekSignatureResult::from(
-            Keypair::from_bytes(&self.keypair_raw())
-                .map_err(|err| Error::from(err))
-                .and_then(|keypair| Ok(keypair.try_sign(msg)?)),
+            self.0.signing_key.try_sign(msg).map_err(Error::from),
         ))
     }
+
     fn verify(
         self: &Ed25519DalekExtendedSecretKey,
         msg: &[u8],
         sig: &[u8],
     ) -> Box<Ed25519DalekVerificationResult> {
-        Box::new(Ed25519DalekVerificationResult::from(
-            Keypair::from_bytes(&self.keypair_raw())
-                .map_err(|err| Error::from(err))
-                .and_then(|keypair| Ok(keypair.verify(msg, &Signature::from_bytes(sig)?)?)),
-        ))
+        let sig_result = match Signature::from_slice(sig) {
+            Ok(signature) => self.0.signing_key.verify(msg, &signature).map_err(Error::from),
+            Err(e) => Err(Error::from(e)),
+        };
+        Box::new(Ed25519DalekVerificationResult::from(sig_result))
     }
 }
 

components/challenge_bypass_ristretto/rust/cxx/BUILD.gn

@@ -13,11 +13,11 @@ rust_static_library("rust_lib") {
   cxx_bindings = [ "src/lib.rs" ]
 
   deps = [
-    "//brave/third_party/rust/challenge_bypass_ristretto/v1:lib",
+    "//brave/third_party/rust/challenge_bypass_ristretto/v2:lib",
     "//brave/third_party/rust/derive_more/v0_99:lib",
-    "//brave/third_party/rust/hmac/v0_10:lib",
-    "//brave/third_party/rust/rand/v0_7:lib",
-    "//brave/third_party/rust/sha2/v0_9:lib",
+    "//brave/third_party/rust/hmac/v0_12:lib",
+    "//brave/third_party/rust/sha2/v0_10:lib",
     "//third_party/rust/lazy_static/v1:lib",
+    "//third_party/rust/rand/v0_8:lib",
   ]
 }

components/challenge_bypass_ristretto/rust/cxx/Cargo.toml

@@ -6,10 +6,10 @@ edition = "2018"
 license = "MPL-2.0"
 
 [dependencies]
-challenge-bypass-ristretto = { version = "1.0.2", features = ["base64"] }
+challenge-bypass-ristretto = { version = "2.0.0", features = ["base64"] }
 cxx = { version = "1.0" }
 derive_more = "0.99"
-hmac = "0.10"
+hmac = "0.12"
 lazy_static = "1.4.0"
-rand = "0.7"
-sha2 = "0.9"
+rand = { version = "0.8", features = ["getrandom"] }
+sha2 = "0.10"

components/skus/browser/rs/lib/BUILD.gn

@@ -26,18 +26,18 @@ rust_static_library("rust_lib") {
   deps = [
     "//brave/third_party/rust/async_trait/v0_1:lib",
     "//brave/third_party/rust/bigdecimal/v0_1:lib",
-    "//brave/third_party/rust/challenge_bypass_ristretto/v1:lib",
+    "//brave/third_party/rust/challenge_bypass_ristretto/v2:lib",
     "//brave/third_party/rust/chrono/v0_4:lib",
     "//brave/third_party/rust/data_encoding/v2:lib",
     "//brave/third_party/rust/futures_retry/v0_5:lib",
-    "//brave/third_party/rust/hmac/v0_10:lib",
+    "//brave/third_party/rust/hmac/v0_12:lib",
     "//brave/third_party/rust/http/v1:lib",
-    "//brave/third_party/rust/rand/v0_7:lib",
-    "//brave/third_party/rust/sha2/v0_9:lib",
+    "//brave/third_party/rust/sha2/v0_10:lib",
     "//brave/third_party/rust/tracing/v0_1:lib",
     "//brave/third_party/rust/urlencoding/v1:lib",
     "//brave/third_party/rust/uuid/v1:lib",
     "//third_party/rust/base64/v0_13:lib",
+    "//third_party/rust/rand/v0_8:lib",
     "//third_party/rust/serde/v1:lib",
     "//third_party/rust/serde_json/v1:lib",
   ]

components/skus/browser/rs/lib/Cargo.toml

@@ -15,19 +15,19 @@ required-features = ["e2e_test"]
 [dependencies]
 http = { version = "1" }
 async-trait = "0.1.64"
-rand = { version = "0.7" }
+rand = { version = "0.8", features = ["getrandom"] }
 serde_json = "1.0"
-sha2 = "0.9"
+sha2 = "0.10"
 data-encoding = "2.1.2"
 tracing = { version = "0.1", default-features = false, features = ["release_max_level_debug"] }
 bigdecimal = { version = "0.1", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }
 chrono = { version = "0.4", default-features = false, features = ["clock", "serde"] }
 uuid = { version = "1", features = ["v4"] }
-challenge-bypass-ristretto = { version = "1.0.2", features = ["serde_base64"] }
+challenge-bypass-ristretto = { version = "2.0.0", features = ["serde_base64"] }
 futures-retry = "0.5.0"
 urlencoding = "1.1.1"
-hmac = "0.10"
+hmac = "0.12"
 base64 = "0.13.0"
 git-version = { version = "0.3.5", optional = true }
 
@@ -40,4 +40,7 @@ tracing-subscriber = { version = "0.2.0", default-features = false, features = [
 [features]
 default = []
 e2e_test = []
-wasm = ["chrono/wasmbind", "futures-retry/wasm", "challenge-bypass-ristretto/nightly", "rand/wasm-bindgen"]
+wasm = ["chrono/wasmbind", "futures-retry/wasm"]
+
+[patch.crates-io.futures-retry]
+path = "../../../../../third_party/rust/futures_retry/v0_5/crate"

components/skus/browser/rs/lib/src/cache.rs

@@ -1,3 +1,8 @@
+// Copyright (c) 2022 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
 use std::collections::HashMap;
 use std::iter;
 use std::time::Duration;

components/skus/browser/rs/lib/src/errors.rs

@@ -1,3 +1,8 @@
+// Copyright (c) 2022 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
 use core::fmt;
 use core::fmt::Display;
 

components/skus/browser/rs/lib/src/http.rs

@@ -1,3 +1,8 @@
+// Copyright (c) 2022 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
 use std::cmp;
 use std::time::Duration;
 
@@ -89,7 +94,7 @@ where
             | InternalError::InvalidResponse(_) => {
                 // Default to an exponential backoff with jitter along the full range
                 // https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/
-                rng.gen_range(0, cmp::min(MAX_DELAY_MS, BASE_DELAY_MS * (1 << current_attempt)))
+                rng.gen_range(0..cmp::min(MAX_DELAY_MS, BASE_DELAY_MS * (1 << current_attempt)))
             }
             InternalError::RetryLater(Some(after)) => {
                 let after_ms = (after.as_millis() as u64) + 1;
@@ -107,7 +112,7 @@ where
                 // If the server instructed us with a specific delay, delay for at least that long
                 // while incorporating some random delay based on our current attempt
                 cmp::min(
-                    after_ms + rng.gen_range(0, BASE_DELAY_MS * (1 << current_attempt)),
+                    after_ms + rng.gen_range(0..BASE_DELAY_MS * (1 << current_attempt)),
                     MAX_DELAY_MS,
                 )
             }

components/skus/browser/rs/lib/src/lib.rs

@@ -1,3 +1,8 @@
+// Copyright (c) 2022 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
 pub mod cache;
 pub mod errors;
 pub mod http;

components/skus/browser/rs/lib/src/sdk/credentials/mod.rs

@@ -149,12 +149,13 @@ where
                     .unwrap_or_default()
                     .into_iter()
                     .filter_map(|tlv2_cred| {
+                        let valid_from = tlv2_cred.valid_from;
                         tlv2_cred
                             .unblinded_creds
                             .unwrap_or_default()
                             .into_iter()
-                            .filter(|single_cred| !single_cred.spent && tlv2_cred.valid_from > now)
-                            .map(|_| tlv2_cred.valid_from)
+                            .filter(|single_cred| !single_cred.spent && valid_from > now)
+                            .map(|_| valid_from)
                             .next()
                     })
                     .min(); // Find the smallest valid_from among them

third_party/rust/base64ct/v1/BUILD.gn

@@ -0,0 +1,47 @@
+# Copyright (c) 2024 The Brave Authors. All rights reserved.
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this file,
+# You can obtain one at https://mozilla.org/MPL/2.0/.
+
+# @generated from third_party/rust/chromium_crates_io/BUILD.gn.hbs by
+# tools/crates/gnrt.
+# Do not edit!
+
+import("//build/rust/cargo_crate.gni")
+
+cargo_crate("lib") {
+  crate_name = "base64ct"
+  epoch = "1"
+  crate_type = "rlib"
+  crate_root = "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/lib.rs"
+  sources = [
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet/bcrypt.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet/crypt.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet/shacrypt.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet/standard.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/alphabet/url.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/decoder.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/encoder.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/encoding.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/errors.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/lib.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/line_ending.rs",
+    "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/test_vectors.rs",
+  ]
+  inputs = [ "//brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/src/../README.md" ]
+
+  build_native_rust_unit_tests = false
+  edition = "2021"
+  cargo_pkg_version = "1.6.0"
+  cargo_pkg_authors = "RustCrypto Developers"
+  cargo_pkg_name = "base64ct"
+  cargo_pkg_description = "Pure Rust implementation of Base64 (RFC 4648) which avoids any usages of data-dependent branches/LUTs and thereby provides portable \"best effort\" constant-time operation and embedded-friendly no_std support"
+  library_configs -= [ "//build/config/compiler:chromium_code" ]
+  library_configs += [ "//build/config/compiler:no_chromium_code" ]
+  executable_configs -= [ "//build/config/compiler:chromium_code" ]
+  executable_configs += [ "//build/config/compiler:no_chromium_code" ]
+  proc_macro_configs -= [ "//build/config/compiler:chromium_code" ]
+  proc_macro_configs += [ "//build/config/compiler:no_chromium_code" ]
+  features = [ "alloc" ]
+}

third_party/rust/base64ct/v1/README.chromium

@@ -0,0 +1,12 @@
+Name: base64ct
+URL: https://crates.io/crates/base64ct
+Description: Pure Rust implementation of Base64 (RFC 4648) which avoids any usages of
+data-dependent branches/LUTs and thereby provides portable "best effort"
+constant-time operation and embedded-friendly no_std support
+
+Version: 1.6.0
+Security Critical: yes
+Shipped: yes
+License: Apache 2.0
+License File: //brave/third_party/rust/chromium_crates_io/vendor/base64ct-1.6.0/LICENSE-APACHE
+Revision: 084b09a7a694009a6f3d66e3ed5e11ca4fd2ac80

third_party/rust/byteorder/v1/BUILD.gn

@@ -33,8 +33,5 @@ cargo_crate("lib") {
   executable_configs += [ "//build/config/compiler:no_chromium_code" ]
   proc_macro_configs -= [ "//build/config/compiler:chromium_code" ]
   proc_macro_configs += [ "//build/config/compiler:no_chromium_code" ]
-  features = [
-    "i128",
-    "std",
-  ]
+  features = [ "std" ]
 }