From 772732185c65ac1e56adbbca8ff098778d3e5b45 Mon Sep 17 00:00:00 2001 From: Marcel Guzik Date: Fri, 6 Feb 2026 12:26:35 +0000 Subject: [PATCH] deps: bump cryptoki crate cryptoki 0.11 fixes UB when using CKA_ALLOWED_MECHANISMS with softhsm and also removes unmaintained paste crate in 0.12. Signed-off-by: Marcel Guzik --- Cargo.lock | 69 +++++++++---------- Cargo.toml | 4 +- .../tedge-p11-server/src/pkcs11/mod.rs | 19 ++--- .../tedge-p11-server/src/service.rs | 2 +- deny.toml | 1 - 5 files changed, 39 insertions(+), 56 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1d7759fdea4..dfa5a7ae33e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -681,7 +681,7 @@ version = "0.72.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "cexpr", "clang-sys", "itertools 0.13.0", @@ -718,11 +718,11 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd" +checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" dependencies = [ - "serde", + "serde_core", ] [[package]] @@ -1338,23 +1338,22 @@ dependencies = [ [[package]] name = "cryptoki" -version = "0.10.0" +version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "781357a7779a8e92ea985121bbf379a9adf0777f44ab6392efc6abd5aa9b67db" +checksum = "ff765b99fc49f3116c9a908484486a2b92fd73c48da45c3a69716471c6cc56c6" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.10.0", "cryptoki-sys", "libloading", "log", - "paste", "secrecy", ] [[package]] name = "cryptoki-sys" -version = "0.4.0" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "753e27d860277930ae9f394c119c8c70303236aab0ffab1d51f3d207dbb2bc4b" +checksum = "f1fd850498411e4057f1cba79e6e2bc7cbe960544c1046ab46d4685c403a1121" dependencies = [ "libloading", ] @@ -2440,7 +2439,7 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "inotify-sys", "libc", ] @@ -2616,11 +2615,11 @@ checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" [[package]] name = "libloading" -version = "0.8.8" -source = "git+https://github.com/Bravo555/rust_libloading.git?branch=0.8.8#d000ffa239652d21152e5a3460095a27d5883113" +version = "0.8.9" +source = "git+https://github.com/Bravo555/rust_libloading.git?branch=0.8.9#bfc3d31bf4613dd91b6a3394b40ed304ea2c2f31" dependencies = [ "cfg-if", - "windows-targets 0.53.5", + "windows-link 0.2.1", ] [[package]] @@ -2635,7 +2634,7 @@ version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "libc", "redox_syscall", ] @@ -2664,9 +2663,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.27" +version = "0.4.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" [[package]] name = "lru-slab" @@ -2936,7 +2935,7 @@ version = "0.30.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "cfg-if", "cfg_aliases", "libc", @@ -2973,7 +2972,7 @@ version = "8.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "fsevent-sys", "inotify", "kqueue", @@ -3190,12 +3189,6 @@ dependencies = [ "windows-targets 0.52.6", ] -[[package]] -name = "paste" -version = "1.0.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" - [[package]] name = "path-clean" version = "1.0.1" @@ -3529,7 +3522,7 @@ checksum = "14cae93065090804185d3b75f0bf93b8eeda30c7a9b4a33d3bdb3988d6229e50" dependencies = [ "bit-set", "bit-vec", - "bitflags 2.9.0", + "bitflags 2.10.0", "lazy_static", "num-traits", "rand 0.8.5", @@ -3788,7 +3781,7 @@ version = "11.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "498cd0dc59d73224351ee52a95fee0f1a617a2eae0e7d9d720cc622c73a54186" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", ] [[package]] @@ -3811,7 +3804,7 @@ version = "0.5.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "928fca9cf2aa042393a8325b9ead81d2f0df4cb12e1e24cef072922ccd99c5af" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", ] [[package]] @@ -3942,7 +3935,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b91f7eff05f748767f183df4320a63d6936e9c6107d97c9e6bdd9784f4289c94" dependencies = [ "base64 0.21.7", - "bitflags 2.9.0", + "bitflags 2.10.0", "serde", "serde_derive", ] @@ -3953,7 +3946,7 @@ version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fd490c5b18261893f14449cbd28cb9c0b637aebf161cd77900bfdedaff21ec32" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "once_cell", "serde", "serde_derive", @@ -4182,7 +4175,7 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "errno", "libc", "linux-raw-sys", @@ -4326,9 +4319,9 @@ checksum = "8bb51d45a99c1bafff550fd40ce1d2152917dc9908fb3090c283e3f058d39b3f" [[package]] name = "secrecy" -version = "0.8.0" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9bd1c54ea06cfd2f6b63219704de0b9b4f72dcc2b8fdef820be6cd799780e91e" +checksum = "e891af845473308773346dc847b2c23ee78fe442e0472ac50e22a18a93d3ae5a" dependencies = [ "zeroize", ] @@ -4339,7 +4332,7 @@ version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "core-foundation", "core-foundation-sys", "libc", @@ -5837,7 +5830,7 @@ version = "0.6.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9cf146f99d442e8e68e585f5d798ccd3cad9a7835b917e09728880a862706456" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", "bytes", "http 1.3.1", "pin-project-lite", @@ -6578,7 +6571,7 @@ version = "0.39.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1" dependencies = [ - "bitflags 2.9.0", + "bitflags 2.10.0", ] [[package]] @@ -6595,7 +6588,7 @@ checksum = "a198f414f083fb19fcc1bffcb0fa0cf46d33ccfa229adf248cac12c180e91609" dependencies = [ "async-tungstenite 0.25.1", "async_io_stream", - "bitflags 2.9.0", + "bitflags 2.10.0", "futures-core", "futures-io", "futures-sink", @@ -6615,7 +6608,7 @@ checksum = "c3c9c55940d22313a53398bfeb9438c5f519de475fa37ed7ff068f8c1ca8eb45" dependencies = [ "async-tungstenite 0.29.1", "async_io_stream", - "bitflags 2.9.0", + "bitflags 2.10.0", "futures-core", "futures-io", "futures-sink", diff --git a/Cargo.toml b/Cargo.toml index 031810cf124..b6b50762304 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -108,7 +108,7 @@ clap = { version = "4.5", features = [ "unstable-styles", ] } clap_complete = { version = "4.5", features = ["unstable-dynamic"] } -cryptoki = "0.10.0" +cryptoki = "0.12.0" csv = "1.1" darling = "0.21" doku = "0.21" @@ -241,7 +241,7 @@ zeroize = "1.5" # dlopen is directly under libc, so we need to modify the extern block to not link libdl # TODO: remove once fix is upstreamed to libloading [patch.crates-io] -libloading = { git = "https://github.com/Bravo555/rust_libloading.git", branch = "0.8.8" } +libloading = { git = "https://github.com/Bravo555/rust_libloading.git", branch = "0.8.9" } [profile.release] codegen-units = 1 diff --git a/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs b/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs index 19a54130075..c289e1a00a0 100644 --- a/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs +++ b/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs @@ -68,6 +68,7 @@ use asn1_rs::ToDer; use camino::Utf8Path; use camino::Utf8PathBuf; use cryptoki::context::CInitializeArgs; +use cryptoki::context::CInitializeFlags; use cryptoki::context::Pkcs11; use cryptoki::error::Error; use cryptoki::mechanism::Mechanism; @@ -226,7 +227,7 @@ impl TedgeP11Service for Cryptoki { impl Cryptoki { pub fn new(config: CryptokiConfigDirect) -> anyhow::Result { let pkcs11client = Self::load(&config.module_path)?; - pkcs11client.initialize(CInitializeArgs::OsThreads)?; + pkcs11client.initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK))?; Ok(Self { context: Arc::new(Mutex::new(pkcs11client)), @@ -252,10 +253,11 @@ impl Cryptoki { // the spec says "(C_Finalize) should be the last Cryptoki call made by an application", so call it on the old // client before initializing new client // https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/pkcs11-base-v2.40-errata01-os-complete.html#_Toc441755803 - old_client.finalize(); + let _ = old_client.finalize(); // can return Error::AlreadyInitialized, but it shouldn't, only warn if it does anyway - if let Err(err) = context.initialize(CInitializeArgs::OsThreads) { + if let Err(err) = context.initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK)) + { warn!(?err, "Initializing cryptoki library failed"); } @@ -513,17 +515,6 @@ impl CryptokiSession<'_> { // ideally we'd simply get a cryptoki mechanism that corresponds to this sigscheme but it's not possible; // instead we have to manually parse additional attributes to select a proper sigscheme; currently don't do it // and just select the most common sigscheme for both types of keys - - // NOTE: cryptoki has AttributeType::AllowedMechanisms, but when i use it in get_attributes() with opensc-pkcs11 - // module it gets ignored (not present or supported) and with softhsm2 module it panics(seems to be an issue - // with cryptoki, but regardless): - - // thread 'main' panicked at library/core/src/panicking.rs:218:5: - // unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX` - // note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace - // thread caused non-unwinding panic. aborting. - // Aborted (core dumped) - let key = match keytype { KeyType::EC => { let sigscheme = diff --git a/crates/extensions/tedge-p11-server/src/service.rs b/crates/extensions/tedge-p11-server/src/service.rs index 37378b4ba0d..69734cceb85 100644 --- a/crates/extensions/tedge-p11-server/src/service.rs +++ b/crates/extensions/tedge-p11-server/src/service.rs @@ -78,7 +78,7 @@ impl SecretString { impl From for AuthPin { fn from(value: SecretString) -> Self { - AuthPin::new(value.0) + AuthPin::new(value.0.into()) } } diff --git a/deny.toml b/deny.toml index 00ebf87a1be..3fa75988027 100644 --- a/deny.toml +++ b/deny.toml @@ -72,7 +72,6 @@ feature-depth = 1 ignore = [ { id = "RUSTSEC-2024-0384", reason = "crate: instant. Used by backoff and requires refactoring to remove this dependency" }, { id = "RUSTSEC-2025-0012", reason = "crate: backoff. Needs refactoring to remove dependency" }, - { id = "RUSTSEC-2024-0436", reason = "crate: paste. Used by cryptoki dependency" }, { id = "RUSTSEC-2023-0071", reason = "crate: rsa. No patch available, not using affected API, added rules to clippy to forbid using these APIs" }, { id = "RUSTSEC-2026-0009", reason = "crate: time. Patching requires updating MSRV, applied workaround in one usage, added rules to clippy to forbid using these APIs elsewhere" },