From 751747e69fa2b2c3847ecf560c9acd541592dd2d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Jul 2026 15:57:35 +0000 Subject: [PATCH 1/2] chore(deps): bump scrypt from 0.11.0 to 0.12.0 Bumps [scrypt](https://github.com/RustCrypto/password-hashes) from 0.11.0 to 0.12.0. - [Commits](https://github.com/RustCrypto/password-hashes/compare/scrypt-v0.11.0...scrypt-v0.12.0) --- updated-dependencies: - dependency-name: scrypt dependency-version: 0.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Cargo.lock | 23 ++++++++++++----------- crates/core/Cargo.toml | 2 +- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 10ac2cfbd..1c75864f8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5758,12 +5758,12 @@ checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3" [[package]] name = "pbkdf2" -version = "0.12.2" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" +checksum = "112d82ceb8c5bf524d9af484d4e4970c9fd5a0cc15ba14ad93dccd28873b0629" dependencies = [ - "digest 0.10.7", - "hmac 0.12.1", + "digest 0.11.3", + "hmac 0.13.0", ] [[package]] @@ -7070,11 +7070,12 @@ checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f" [[package]] name = "salsa20" -version = "0.10.2" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" +checksum = "2f874456e72520ff1375a06c588eaf074b0f01f9e9e1aada45bd9b7954a6e42c" dependencies = [ - "cipher 0.4.4", + "cfg-if", + "cipher 0.5.2", ] [[package]] @@ -7115,14 +7116,14 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "scrypt" -version = "0.11.0" +version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" +checksum = "d87af57419b594aa23fa95f09f0e06d80d84ba01c26148c43844cad6ff4485f0" dependencies = [ - "password-hash", + "cfg-if", "pbkdf2", "salsa20", - "sha2 0.10.9", + "sha2 0.11.0", ] [[package]] diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml index d25d48678..e6a90abbb 100644 --- a/crates/core/Cargo.toml +++ b/crates/core/Cargo.toml @@ -50,7 +50,7 @@ validator.workspace = true # pbkdf2 crate removed: PBKDF2-HMAC-SHA512 is implemented directly in # password_hashing.rs using the workspace hmac/sha2 to avoid a # digest v0.10 vs v0.11 version conflict (pbkdf2 v0.12 uses sha2 v0.10). -scrypt = "0.11" +scrypt = "0.12" subtle = "2.6.1" [dev-dependencies] From 1d9db7d60527cea39a94d41ebda5779f47459858 Mon Sep 17 00:00:00 2001 From: Artem Goncharov Date: Tue, 7 Jul 2026 19:52:50 +0200 Subject: [PATCH 2/2] fix: Adapt to the bumped scrypt version Signed-off-by: Artem Goncharov --- crates/core/src/api_key/crypto.rs | 14 +++++++++++--- crates/core/src/common/password_hashing/scrypt.rs | 6 +++--- crates/core/src/credential/ec2_signature.rs | 2 +- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/crates/core/src/api_key/crypto.rs b/crates/core/src/api_key/crypto.rs index 7d147327f..4d746563e 100644 --- a/crates/core/src/api_key/crypto.rs +++ b/crates/core/src/api_key/crypto.rs @@ -12,9 +12,10 @@ // // SPDX-License-Identifier: Apache-2.0 //! # API Key Argon2id hashing & verification (ADR 0021 §3 Step 3, §6.B). -use argon2::password_hash::rand_core::OsRng; use argon2::password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString}; use argon2::{Algorithm, Argon2, Params, Version}; +use base64::{Engine as _, engine::general_purpose::STANDARD_NO_PAD}; +use rand::RngExt; use openstack_keystone_config::ApiKeyProvider; @@ -25,6 +26,12 @@ use crate::api_key::ApiKeyProviderError; /// 7). Deliberately not derived from any request data. const DUMMY_ENTROPY: &str = "keystone-api-key-dummy-entropy-constant-time-padding"; +fn _generate_salt() -> String { + let mut bytes = [0u8; 16]; + rand::rng().fill(&mut bytes); + STANDARD_NO_PAD.encode(bytes) +} + fn build_params(config: &ApiKeyProvider) -> Result { Params::new( config.argon2_memory_kib, @@ -46,10 +53,11 @@ pub async fn hash_secret( tokio::task::spawn_blocking(move || { let params = build_params(&config)?; let argon2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, params); - let salt = SaltString::generate(&mut OsRng); + let salt = + SaltString::from_b64(_generate_salt().as_str()).map_err(ApiKeyProviderError::crypto)?; argon2 .hash_password(entropy.as_bytes(), &salt) - .map(|hash| hash.to_string()) + .map(|h| h.to_string()) .map_err(ApiKeyProviderError::crypto) }) .await diff --git a/crates/core/src/common/password_hashing/scrypt.rs b/crates/core/src/common/password_hashing/scrypt.rs index f1cb046d5..f830be46d 100644 --- a/crates/core/src/common/password_hashing/scrypt.rs +++ b/crates/core/src/common/password_hashing/scrypt.rs @@ -34,8 +34,8 @@ impl PasswordHasher for ScryptHasher { let password_bytes = password.to_vec(); let hash = task::spawn_blocking(move || { let salt = generate_salt(); - // Params::new(log_n, r, p, output_len): ln=16 means n=2^16=65536. - let params = ::scrypt::Params::new(16, 8, 1, 32) + // Params::new(log_n, r, p): ln=16 means n=2^16=65536. + let params = ::scrypt::Params::new(16, 8, 1) .map_err(|e| PasswordHashError::CryptoHash(e.to_string()))?; let mut digest = vec![0u8; 32]; ::scrypt::scrypt(&password_bytes, &salt, ¶ms, &mut digest) @@ -99,7 +99,7 @@ impl PasswordHasher for ScryptHasher { .decode(digest_b64.replace('.', "+").as_bytes()) .map_err(|_| PasswordHashError::CryptoHash("Invalid scrypt digest".into()))?; - let params = ::scrypt::Params::new(ln, r, p, expected.len()) + let params = ::scrypt::Params::new(ln, r, p) .map_err(|e| PasswordHashError::CryptoHash(e.to_string()))?; let mut computed = vec![0u8; expected.len()]; ::scrypt::scrypt(&password_bytes, &salt, ¶ms, &mut computed) diff --git a/crates/core/src/credential/ec2_signature.rs b/crates/core/src/credential/ec2_signature.rs index 1477ec8a4..2a5ca0500 100644 --- a/crates/core/src/credential/ec2_signature.rs +++ b/crates/core/src/credential/ec2_signature.rs @@ -24,7 +24,7 @@ use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64}; use chrono::{DateTime, NaiveDateTime, TimeZone, Utc}; use hmac::{Hmac, KeyInit, Mac}; -use sha1::{Digest as _, Sha1}; +use sha1::Sha1; use sha2::{Digest, Sha256}; use subtle::ConstantTimeEq;