mirrors/rage
1
0
Fork 0
mirror of https://github.com/str4d/rage.git synced 2025-04-04 11:27:43 +03:00
Code Issues Projects Releases Packages Wiki Activity

Migrate to base64 0.21

Browse source
This commit is contained in:
Jack Grigg 2023-06-13 23:14:24 +00:00
parent 4e5e0eeb34
commit 5c67ec2180
18 changed files with 121 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Cargo.lock generated
View file

@ -213,9 +213,9 @@ dependencies = [
[[package]] [[package]]
name = "base64" name = "base64"
version = "0.13.1" version = "0.21.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d"
[[package]] [[package]]
name = "base64ct" name = "base64ct"

2
Cargo.toml
View file

@ -20,7 +20,7 @@ age-core = { version = "0.9.0", path = "age-core" }
# Dependencies required by the age specification: # Dependencies required by the age specification:
# - Base64 from RFC 4648 # - Base64 from RFC 4648
base64 = "0.13" base64 = "0.21"
# - ChaCha20-Poly1305 from RFC 7539 # - ChaCha20-Poly1305 from RFC 7539
chacha20poly1305 = { version = "0.10", default-features = false, features = ["alloc"] } chacha20poly1305 = { version = "0.10", default-features = false, features = ["alloc"] }

31
age-core/src/format.rs
View file

@ -1,5 +1,6 @@
//! Core types and encoding operations used by the age file format. //! Core types and encoding operations used by the age file format.
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use rand::{ use rand::{
distributions::{Distribution, Uniform}, distributions::{Distribution, Uniform},
thread_rng, RngCore, thread_rng, RngCore,
@ -60,7 +61,7 @@ impl<'a> AgeStanza<'a> {
data[full_chunks.len() * 64..].copy_from_slice(partial_chunk); data[full_chunks.len() * 64..].copy_from_slice(partial_chunk);
// The chunks are guaranteed to contain Base64 characters by construction. // The chunks are guaranteed to contain Base64 characters by construction.
base64::decode_config(&data, base64::STANDARD_NO_PAD).unwrap() BASE64_STANDARD_NO_PAD.decode(&data).unwrap()
} }
} }
@ -324,6 +325,7 @@ pub mod read {
/// Encoding operations for age types. /// Encoding operations for age types.
pub mod write { pub mod write {
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use cookie_factory::{ use cookie_factory::{
combinator::string, combinator::string,
multi::separated_list, multi::separated_list,
@ -336,7 +338,7 @@ pub mod write {
use super::STANZA_TAG; use super::STANZA_TAG;
fn wrapped_encoded_data<'a, W: 'a + Write>(data: &[u8]) -> impl SerializeFn<W> + 'a { fn wrapped_encoded_data<'a, W: 'a + Write>(data: &[u8]) -> impl SerializeFn<W> + 'a {
let encoded = base64::encode_config(data, base64::STANDARD_NO_PAD); let encoded = BASE64_STANDARD_NO_PAD.encode(data);
move |mut w: WriteContext<W>| { move |mut w: WriteContext<W>| {
let mut s = encoded.as_str(); let mut s = encoded.as_str();
@ -377,6 +379,7 @@ pub mod write {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use nom::error::ErrorKind; use nom::error::ErrorKind;
use super::{read, write}; use super::{read, write};
@ -385,11 +388,9 @@ mod tests {
fn parse_age_stanza() { fn parse_age_stanza() {
let test_tag = "X25519"; let test_tag = "X25519";
let test_args = &["CJM36AHmTbdHSuOQL+NESqyVQE75f2e610iRdLPEN20"]; let test_args = &["CJM36AHmTbdHSuOQL+NESqyVQE75f2e610iRdLPEN20"];
let test_body = base64::decode_config( let test_body = BASE64_STANDARD_NO_PAD
"C3ZAeY64NXS4QFrksLm3EGz+uPRyI0eQsWw7LWbbYig", .decode("C3ZAeY64NXS4QFrksLm3EGz+uPRyI0eQsWw7LWbbYig")
base64::STANDARD_NO_PAD, .unwrap();
)
.unwrap();
// The only body line is short, so we don't need a trailing empty line. // The only body line is short, so we don't need a trailing empty line.
let test_stanza = "-> X25519 CJM36AHmTbdHSuOQL+NESqyVQE75f2e610iRdLPEN20 let test_stanza = "-> X25519 CJM36AHmTbdHSuOQL+NESqyVQE75f2e610iRdLPEN20
@ -433,11 +434,9 @@ C3ZAeY64NXS4QFrksLm3EGz+uPRyI0eQsWw7LWbbYig
fn age_stanza_with_full_body() { fn age_stanza_with_full_body() {
let test_tag = "full-body"; let test_tag = "full-body";
let test_args = &["some", "arguments"]; let test_args = &["some", "arguments"];
let test_body = base64::decode_config( let test_body = BASE64_STANDARD_NO_PAD
"xD7o4VEOu1t7KZQ1gDgq2FPzBEeSRqbnqvQEXdLRYy143BxR6oFxsUUJCRB0ErXA", .decode("xD7o4VEOu1t7KZQ1gDgq2FPzBEeSRqbnqvQEXdLRYy143BxR6oFxsUUJCRB0ErXA")
base64::STANDARD_NO_PAD, .unwrap();
)
.unwrap();
// The body fills a complete line, so it requires a trailing empty line. // The body fills a complete line, so it requires a trailing empty line.
let test_stanza = "-> full-body some arguments let test_stanza = "-> full-body some arguments
@ -460,11 +459,9 @@ xD7o4VEOu1t7KZQ1gDgq2FPzBEeSRqbnqvQEXdLRYy143BxR6oFxsUUJCRB0ErXA
fn age_stanza_with_legacy_full_body() { fn age_stanza_with_legacy_full_body() {
let test_tag = "full-body"; let test_tag = "full-body";
let test_args = &["some", "arguments"]; let test_args = &["some", "arguments"];
let test_body = base64::decode_config( let test_body = BASE64_STANDARD_NO_PAD
"xD7o4VEOu1t7KZQ1gDgq2FPzBEeSRqbnqvQEXdLRYy143BxR6oFxsUUJCRB0ErXA", .decode("xD7o4VEOu1t7KZQ1gDgq2FPzBEeSRqbnqvQEXdLRYy143BxR6oFxsUUJCRB0ErXA")
base64::STANDARD_NO_PAD, .unwrap();
)
.unwrap();
// The body fills a complete line, but lacks a trailing empty line. // The body fills a complete line, but lacks a trailing empty line.
let test_stanza = "-> full-body some arguments let test_stanza = "-> full-body some arguments

3
age-plugin/src/identity.rs
View file

@ -5,6 +5,7 @@ use age_core::{
plugin::{self, BidirSend, Connection}, plugin::{self, BidirSend, Connection},
secrecy::{ExposeSecret, SecretString}, secrecy::{ExposeSecret, SecretString},
}; };
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use bech32::FromBase32; use bech32::FromBase32;
use std::collections::HashMap; use std::collections::HashMap;
use std::io; use std::io;
@ -71,7 +72,7 @@ impl<'a, 'b, R: io::Read, W: io::Write> Callbacks<Error> for BidirCallbacks<'a,
let metadata: Vec<_> = Some(yes_string) let metadata: Vec<_> = Some(yes_string)
.into_iter() .into_iter()
.chain(no_string) .chain(no_string)
.map(|s| base64::encode_config(s, base64::STANDARD_NO_PAD)) .map(|s| BASE64_STANDARD_NO_PAD.encode(s))
.collect(); .collect();
let metadata: Vec<_> = metadata.iter().map(|s| s.as_str()).collect(); let metadata: Vec<_> = metadata.iter().map(|s| s.as_str()).collect();

3
age-plugin/src/recipient.rs
View file

@ -5,6 +5,7 @@ use age_core::{
plugin::{self, BidirSend, Connection}, plugin::{self, BidirSend, Connection},
secrecy::SecretString, secrecy::SecretString,
}; };
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use bech32::FromBase32; use bech32::FromBase32;
use std::io; use std::io;
@ -70,7 +71,7 @@ impl<'a, 'b, R: io::Read, W: io::Write> Callbacks<Error> for BidirCallbacks<'a,
let metadata: Vec<_> = Some(yes_string) let metadata: Vec<_> = Some(yes_string)
.into_iter() .into_iter()
.chain(no_string) .chain(no_string)
.map(|s| base64::encode_config(s, base64::STANDARD_NO_PAD)) .map(|s| BASE64_STANDARD_NO_PAD.encode(s))
.collect(); .collect();
let metadata: Vec<_> = metadata.iter().map(|s| s.as_str()).collect(); let metadata: Vec<_> = metadata.iter().map(|s| s.as_str()).collect();

1
age/CHANGELOG.md
View file

@ -14,6 +14,7 @@ to 1.0.0 are beta releases.
### Changed ### Changed
- MSRV is now 1.65.0. - MSRV is now 1.65.0.
- Migrated to `base64 0.21`.
## [0.9.2] - 2023-06-12 ## [0.9.2] - 2023-06-12
### Added ### Added

4
age/src/format.rs
View file

@ -238,7 +238,9 @@ mod read {
preceded( preceded(
pair(tag(MAC_TAG), tag(b" ")), pair(tag(MAC_TAG), tag(b" ")),
terminated( terminated(
map_opt(take(ENCODED_MAC_LENGTH), |tag| base64_arg(&tag, [0; 32])), map_opt(take(ENCODED_MAC_LENGTH), |tag| {
base64_arg::<_, 32, 33>(&tag)
}),
newline, newline,
), ),
), ),

3
age/src/plugin.rs
View file

@ -6,6 +6,7 @@ use age_core::{
plugin::{Connection, Reply, Response, IDENTITY_V1, RECIPIENT_V1}, plugin::{Connection, Reply, Response, IDENTITY_V1, RECIPIENT_V1},
secrecy::ExposeSecret, secrecy::ExposeSecret,
}; };
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use bech32::Variant; use bech32::Variant;
use i18n_embed_fl::fl; use i18n_embed_fl::fl;
@ -233,7 +234,7 @@ fn handle_confirm<R: io::Read, W: io::Write, C: Callbacks>(
.args .args
.iter() .iter()
.take(2) .take(2)
.map(|s| base64::decode_config(s, base64::STANDARD_NO_PAD)); .map(|s| BASE64_STANDARD_NO_PAD.decode(s));
let (yes_string, no_string) = match (strings.next(), strings.next()) { let (yes_string, no_string) = match (strings.next(), strings.next()) {
(None, _) => { (None, _) => {
errors.push(PluginError::Other { errors.push(PluginError::Other {

37
age/src/primitives/armor.rs
View file

@ -1,5 +1,6 @@
//! I/O helper structs for the age ASCII armor format. //! I/O helper structs for the age ASCII armor format.
use base64::{prelude::BASE64_STANDARD, Engine};
use pin_project::pin_project; use pin_project::pin_project;
use std::cmp; use std::cmp;
use std::error; use std::error;
@ -318,8 +319,9 @@ impl<W: Write> ArmoredWriter<W> {
.. ..
} => { } => {
let byte_buf = byte_buf.unwrap(); let byte_buf = byte_buf.unwrap();
let encoded = let encoded = BASE64_STANDARD
base64::encode_config_slice(&byte_buf, base64::STANDARD, &mut encoded_buf[..]); .encode_slice(&byte_buf, &mut encoded_buf[..])
.expect("byte_buf.len() <= BASE64_CHUNK_SIZE_BYTES");
inner.write_all(&encoded_buf[..encoded])?; inner.write_all(&encoded_buf[..encoded])?;
inner.finish() inner.finish()
} }
@ -361,11 +363,9 @@ impl<W: Write> Write for ArmoredWriter<W> {
break; break;
} else { } else {
assert_eq!( assert_eq!(
base64::encode_config_slice( BASE64_STANDARD
&byte_buf, .encode_slice(&byte_buf, &mut encoded_buf[..])
base64::STANDARD, .expect("byte_buf.len() <= BASE64_CHUNK_SIZE_BYTES"),
&mut encoded_buf[..],
),
BASE64_CHUNK_SIZE_COLUMNS BASE64_CHUNK_SIZE_COLUMNS
); );
inner.write_all(&encoded_buf[..])?; inner.write_all(&encoded_buf[..])?;
@ -461,11 +461,9 @@ impl<W: AsyncWrite> AsyncWrite for ArmoredWriter<W> {
// line must be written in poll_close(). // line must be written in poll_close().
if !buf.is_empty() { if !buf.is_empty() {
assert_eq!( assert_eq!(
base64::encode_config_slice( BASE64_STANDARD
&byte_buf, .encode_slice(&byte_buf, &mut encoded_buf[..],)
base64::STANDARD, .expect("byte_buf.len() <= BASE64_CHUNK_SIZE_BYTES"),
&mut encoded_buf[..],
),
ARMORED_COLUMNS_PER_LINE ARMORED_COLUMNS_PER_LINE
); );
*encoded_line = Some(EncodedBytes { *encoded_line = Some(EncodedBytes {
@ -509,8 +507,9 @@ impl<W: AsyncWrite> AsyncWrite for ArmoredWriter<W> {
if let Some(byte_buf) = byte_buf { if let Some(byte_buf) = byte_buf {
// Finish the armored format with a partial line (if necessary) and the end // Finish the armored format with a partial line (if necessary) and the end
// marker. // marker.
let encoded = let encoded = BASE64_STANDARD
base64::encode_config_slice(&byte_buf, base64::STANDARD, &mut encoded_buf[..]); .encode_slice(&byte_buf, &mut encoded_buf[..])
.expect("byte_buf.len() <= BASE64_CHUNK_SIZE_BYTES");
*encoded_line = Some(EncodedBytes { *encoded_line = Some(EncodedBytes {
offset: 0, offset: 0,
end: encoded, end: encoded,
@ -533,7 +532,7 @@ impl<W: AsyncWrite> AsyncWrite for ArmoredWriter<W> {
#[derive(Debug)] #[derive(Debug)]
pub enum ArmoredReadError { pub enum ArmoredReadError {
/// An error occurred while parsing Base64. /// An error occurred while parsing Base64.
Base64(base64::DecodeError), Base64(base64::DecodeSliceError),
/// The begin marker for the armor is invalid. /// The begin marker for the armor is invalid.
InvalidBeginMarker, InvalidBeginMarker,
/// Invalid UTF-8 characters were encountered between the begin and end marker. /// Invalid UTF-8 characters were encountered between the begin and end marker.
@ -787,11 +786,9 @@ impl<R> ArmoredReader<R> {
// Decode the line // Decode the line
self.byte_start = 0; self.byte_start = 0;
self.byte_end = self.byte_end = BASE64_STANDARD
base64::decode_config_slice(line.as_bytes(), base64::STANDARD, self.byte_buf.as_mut()) .decode_slice(line.as_bytes(), self.byte_buf.as_mut())
.map_err(|e| { .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, ArmoredReadError::Base64(e)))?;
io::Error::new(io::ErrorKind::InvalidData, ArmoredReadError::Base64(e))
})?;
// Finished with this buffered line! // Finished with this buffered line!
self.line_buf.clear(); self.line_buf.clear();

8
age/src/scrypt.rs
View file

@ -3,6 +3,7 @@ use age_core::{
primitives::{aead_decrypt, aead_encrypt}, primitives::{aead_decrypt, aead_encrypt},
secrecy::{ExposeSecret, SecretString}, secrecy::{ExposeSecret, SecretString},
}; };
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use rand::{rngs::OsRng, RngCore}; use rand::{rngs::OsRng, RngCore};
use std::time::Duration; use std::time::Duration;
use zeroize::Zeroize; use zeroize::Zeroize;
@ -94,7 +95,7 @@ impl crate::Recipient for Recipient {
scrypt(&inner_salt, log_n, self.passphrase.expose_secret()).expect("log_n < 64"); scrypt(&inner_salt, log_n, self.passphrase.expose_secret()).expect("log_n < 64");
let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret()); let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret());
let encoded_salt = base64::encode_config(salt, base64::STANDARD_NO_PAD); let encoded_salt = BASE64_STANDARD_NO_PAD.encode(salt);
Ok(vec![Stanza { Ok(vec![Stanza {
tag: SCRYPT_RECIPIENT_TAG.to_owned(), tag: SCRYPT_RECIPIENT_TAG.to_owned(),
@ -118,7 +119,10 @@ impl<'a> crate::Identity for Identity<'a> {
// Enforce valid and canonical stanza format. // Enforce valid and canonical stanza format.
// https://c2sp.org/age#scrypt-recipient-stanza // https://c2sp.org/age#scrypt-recipient-stanza
let (salt, log_n) = match &stanza.args[..] { let (salt, log_n) = match &stanza.args[..] {
[salt, log_n] => match (base64_arg(salt, [0; SALT_LEN]), decimal_digit_arg(log_n)) { [salt, log_n] => match (
base64_arg::<_, SALT_LEN, 18>(salt),
decimal_digit_arg(log_n),
) {
(Some(salt), Some(log_n)) => (salt, log_n), (Some(salt), Some(log_n)) => (salt, log_n),
_ => return Some(Err(DecryptError::InvalidHeader)), _ => return Some(Err(DecryptError::InvalidHeader)),
}, },

12
age/src/ssh/identity.rs
View file

@ -3,6 +3,7 @@ use age_core::{
primitives::{aead_decrypt, hkdf}, primitives::{aead_decrypt, hkdf},
secrecy::{ExposeSecret, Secret}, secrecy::{ExposeSecret, Secret},
}; };
use base64::prelude::BASE64_STANDARD;
use i18n_embed_fl::fl; use i18n_embed_fl::fl;
use nom::{ use nom::{
branch::alt, branch::alt,
@ -47,7 +48,7 @@ impl UnencryptedKey {
pub(crate) fn unwrap_stanza(&self, stanza: &Stanza) -> Option<Result<FileKey, DecryptError>> { pub(crate) fn unwrap_stanza(&self, stanza: &Stanza) -> Option<Result<FileKey, DecryptError>> {
match (self, stanza.tag.as_str()) { match (self, stanza.tag.as_str()) {
(UnencryptedKey::SshRsa(ssh_key, sk), SSH_RSA_RECIPIENT_TAG) => { (UnencryptedKey::SshRsa(ssh_key, sk), SSH_RSA_RECIPIENT_TAG) => {
let tag = base64_arg(stanza.args.get(0)?, [0; TAG_LEN_BYTES])?; let tag = base64_arg::<_, TAG_LEN_BYTES, 6>(stanza.args.get(0)?)?;
if ssh_tag(ssh_key) != tag { if ssh_tag(ssh_key) != tag {
return None; return None;
} }
@ -72,7 +73,7 @@ impl UnencryptedKey {
) )
} }
(UnencryptedKey::SshEd25519(ssh_key, privkey), SSH_ED25519_RECIPIENT_TAG) => { (UnencryptedKey::SshEd25519(ssh_key, privkey), SSH_ED25519_RECIPIENT_TAG) => {
let tag = base64_arg(stanza.args.get(0)?, [0; TAG_LEN_BYTES])?; let tag = base64_arg::<_, TAG_LEN_BYTES, 6>(stanza.args.get(0)?)?;
if ssh_tag(ssh_key) != tag { if ssh_tag(ssh_key) != tag {
return None; return None;
} }
@ -81,7 +82,8 @@ impl UnencryptedKey {
} }
let epk = let epk =
base64_arg(stanza.args.get(1)?, [0; crate::x25519::EPK_LEN_BYTES])?.into(); base64_arg::<_, { crate::x25519::EPK_LEN_BYTES }, 33>(stanza.args.get(1)?)?
.into();
let sk: StaticSecret = { let sk: StaticSecret = {
let mut sk = [0; 32]; let mut sk = [0; 32];
@ -316,7 +318,7 @@ fn rsa_privkey(input: &str) -> IResult<&str, Identity> {
map_opt( map_opt(
pair( pair(
opt(terminated(rsa_pem_encryption_header, line_ending)), opt(terminated(rsa_pem_encryption_header, line_ending)),
wrapped_str_while_encoded(base64::STANDARD), wrapped_str_while_encoded(BASE64_STANDARD),
), ),
|(enc_header, privkey)| { |(enc_header, privkey)| {
if enc_header.is_some() { if enc_header.is_some() {
@ -345,7 +347,7 @@ fn openssh_privkey(input: &str) -> IResult<&str, Identity> {
preceded( preceded(
pair(tag("-----BEGIN OPENSSH PRIVATE KEY-----"), line_ending), pair(tag("-----BEGIN OPENSSH PRIVATE KEY-----"), line_ending),
terminated( terminated(
map_opt(wrapped_str_while_encoded(base64::STANDARD), |privkey| { map_opt(wrapped_str_while_encoded(BASE64_STANDARD), |privkey| {
read_ssh::openssh_privkey(&privkey).ok().map(|(_, key)| key) read_ssh::openssh_privkey(&privkey).ok().map(|(_, key)| key)
}), }),
pair(line_ending, tag("-----END OPENSSH PRIVATE KEY-----")), pair(line_ending, tag("-----END OPENSSH PRIVATE KEY-----")),

30
age/src/ssh/recipient.rs
View file

@ -3,6 +3,10 @@ use age_core::{
primitives::{aead_encrypt, hkdf}, primitives::{aead_encrypt, hkdf},
secrecy::ExposeSecret, secrecy::ExposeSecret,
}; };
use base64::{
prelude::{BASE64_STANDARD, BASE64_STANDARD_NO_PAD},
Engine,
};
use curve25519_dalek::edwards::EdwardsPoint; use curve25519_dalek::edwards::EdwardsPoint;
use nom::{ use nom::{
branch::alt, branch::alt,
@ -74,10 +78,20 @@ impl fmt::Display for Recipient {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self { match self {
Recipient::SshRsa(ssh_key, _) => { Recipient::SshRsa(ssh_key, _) => {
write!(f, "{} {}", SSH_RSA_KEY_PREFIX, base64::encode(ssh_key)) write!(
f,
"{} {}",
SSH_RSA_KEY_PREFIX,
BASE64_STANDARD.encode(ssh_key)
)
} }
Recipient::SshEd25519(ssh_key, _) => { Recipient::SshEd25519(ssh_key, _) => {
write!(f, "{} {}", SSH_ED25519_KEY_PREFIX, base64::encode(ssh_key)) write!(
f,
"{} {}",
SSH_ED25519_KEY_PREFIX,
BASE64_STANDARD.encode(ssh_key)
)
} }
} }
} }
@ -127,7 +141,7 @@ impl crate::Recipient for Recipient {
) )
.expect("pubkey is valid and file key is not too long"); .expect("pubkey is valid and file key is not too long");
let encoded_tag = base64::encode_config(ssh_tag(ssh_key), base64::STANDARD_NO_PAD); let encoded_tag = BASE64_STANDARD_NO_PAD.encode(ssh_tag(ssh_key));
Ok(vec![Stanza { Ok(vec![Stanza {
tag: SSH_RSA_RECIPIENT_TAG.to_owned(), tag: SSH_RSA_RECIPIENT_TAG.to_owned(),
@ -158,8 +172,8 @@ impl crate::Recipient for Recipient {
); );
let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret()); let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret());
let encoded_tag = base64::encode_config(ssh_tag(ssh_key), base64::STANDARD_NO_PAD); let encoded_tag = BASE64_STANDARD_NO_PAD.encode(ssh_tag(ssh_key));
let encoded_epk = base64::encode_config(epk.as_bytes(), base64::STANDARD_NO_PAD); let encoded_epk = BASE64_STANDARD_NO_PAD.encode(epk.as_bytes());
Ok(vec![Stanza { Ok(vec![Stanza {
tag: SSH_ED25519_RECIPIENT_TAG.to_owned(), tag: SSH_ED25519_RECIPIENT_TAG.to_owned(),
@ -175,7 +189,7 @@ fn ssh_rsa_pubkey(input: &str) -> IResult<&str, ParsedRecipient> {
preceded( preceded(
pair(tag(SSH_RSA_KEY_PREFIX), tag(" ")), pair(tag(SSH_RSA_KEY_PREFIX), tag(" ")),
map_opt( map_opt(
str_while_encoded(base64::STANDARD_NO_PAD), str_while_encoded(BASE64_STANDARD_NO_PAD),
|ssh_key| match read_ssh::rsa_pubkey(&ssh_key) { |ssh_key| match read_ssh::rsa_pubkey(&ssh_key) {
Ok((_, pk)) => Some(ParsedRecipient::Supported(Recipient::SshRsa(ssh_key, pk))), Ok((_, pk)) => Some(ParsedRecipient::Supported(Recipient::SshRsa(ssh_key, pk))),
Err(_) => None, Err(_) => None,
@ -188,7 +202,7 @@ fn ssh_ed25519_pubkey(input: &str) -> IResult<&str, ParsedRecipient> {
preceded( preceded(
pair(tag(SSH_ED25519_KEY_PREFIX), tag(" ")), pair(tag(SSH_ED25519_KEY_PREFIX), tag(" ")),
map_opt( map_opt(
encoded_str(51, base64::STANDARD_NO_PAD), encoded_str(51, BASE64_STANDARD_NO_PAD),
|ssh_key| match read_ssh::ed25519_pubkey(&ssh_key) { |ssh_key| match read_ssh::ed25519_pubkey(&ssh_key) {
Ok((_, pk)) => Some(ParsedRecipient::Supported(Recipient::SshEd25519( Ok((_, pk)) => Some(ParsedRecipient::Supported(Recipient::SshEd25519(
ssh_key, pk, ssh_key, pk,
@ -206,7 +220,7 @@ fn ssh_ignore_pubkey(input: &str) -> IResult<&str, ParsedRecipient> {
separated_pair( separated_pair(
is_not(" "), is_not(" "),
tag(" "), tag(" "),
str_while_encoded(base64::STANDARD_NO_PAD), str_while_encoded(BASE64_STANDARD_NO_PAD),
), ),
|(key_type, ssh_key)| { |(key_type, ssh_key)| {
read_ssh::string_tag(key_type)(&ssh_key) read_ssh::string_tag(key_type)(&ssh_key)

33
age/src/util.rs
View file

@ -18,6 +18,7 @@ pub(crate) fn parse_bech32(s: &str) -> Option<(String, Vec<u8>)> {
pub(crate) mod read { pub(crate) mod read {
use std::str::FromStr; use std::str::FromStr;
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use nom::{character::complete::digit1, combinator::verify, ParseTo}; use nom::{character::complete::digit1, combinator::verify, ParseTo};
#[cfg(feature = "ssh")] #[cfg(feature = "ssh")]
@ -32,7 +33,7 @@ pub(crate) mod read {
#[cfg_attr(docsrs, doc(cfg(feature = "ssh")))] #[cfg_attr(docsrs, doc(cfg(feature = "ssh")))]
pub(crate) fn encoded_str( pub(crate) fn encoded_str(
count: usize, count: usize,
config: base64::Config, engine: impl base64::Engine,
) -> impl Fn(&str) -> IResult<&str, Vec<u8>> { ) -> impl Fn(&str) -> IResult<&str, Vec<u8>> {
use nom::bytes::streaming::take; use nom::bytes::streaming::take;
@ -41,7 +42,7 @@ pub(crate) mod read {
move |input: &str| { move |input: &str| {
let (i, data) = take(encoded_count)(input)?; let (i, data) = take(encoded_count)(input)?;
match base64::decode_config(data, config) { match engine.decode(data) {
Ok(decoded) => Ok((i, decoded)), Ok(decoded) => Ok((i, decoded)),
Err(_) => Err(nom::Err::Failure(make_error(input, ErrorKind::Eof))), Err(_) => Err(nom::Err::Failure(make_error(input, ErrorKind::Eof))),
} }
@ -51,7 +52,7 @@ pub(crate) mod read {
#[cfg(feature = "ssh")] #[cfg(feature = "ssh")]
#[cfg_attr(docsrs, doc(cfg(feature = "ssh")))] #[cfg_attr(docsrs, doc(cfg(feature = "ssh")))]
pub(crate) fn str_while_encoded( pub(crate) fn str_while_encoded(
config: base64::Config, engine: impl base64::Engine,
) -> impl Fn(&str) -> IResult<&str, Vec<u8>> { ) -> impl Fn(&str) -> IResult<&str, Vec<u8>> {
use nom::bytes::complete::take_while1; use nom::bytes::complete::take_while1;
@ -61,9 +62,9 @@ pub(crate) mod read {
let c = c as u8; let c = c as u8;
// Substitute the character in twice after AA, so that padding // Substitute the character in twice after AA, so that padding
// characters will also be detected as a valid if allowed. // characters will also be detected as a valid if allowed.
base64::decode_config_slice([65, 65, c, c], config, &mut [0, 0, 0]).is_ok() engine.decode_slice([65, 65, c, c], &mut [0, 0, 0]).is_ok()
}), }),
|data| base64::decode_config(data, config), |data| engine.decode(data),
)(input) )(input)
} }
} }
@ -71,7 +72,7 @@ pub(crate) mod read {
#[cfg(feature = "ssh")] #[cfg(feature = "ssh")]
#[cfg_attr(docsrs, doc(cfg(feature = "ssh")))] #[cfg_attr(docsrs, doc(cfg(feature = "ssh")))]
pub(crate) fn wrapped_str_while_encoded( pub(crate) fn wrapped_str_while_encoded(
config: base64::Config, engine: impl Engine,
) -> impl Fn(&str) -> IResult<&str, Vec<u8>> { ) -> impl Fn(&str) -> IResult<&str, Vec<u8>> {
use nom::{bytes::streaming::take_while1, character::streaming::line_ending}; use nom::{bytes::streaming::take_while1, character::streaming::line_ending};
@ -83,25 +84,28 @@ pub(crate) mod read {
let c = c as u8; let c = c as u8;
// Substitute the character in twice after AA, so that padding // Substitute the character in twice after AA, so that padding
// characters will also be detected as a valid if allowed. // characters will also be detected as a valid if allowed.
base64::decode_config_slice([65, 65, c, c], config, &mut [0, 0, 0]).is_ok() engine.decode_slice([65, 65, c, c], &mut [0, 0, 0]).is_ok()
}), }),
), ),
|chunks| { |chunks| {
let data = chunks.join(""); let data = chunks.join("");
base64::decode_config(&data, config) engine.decode(&data)
}, },
)(input) )(input)
} }
} }
pub(crate) fn base64_arg<A: AsRef<[u8]>, B: AsMut<[u8]>>(arg: &A, mut buf: B) -> Option<B> { pub(crate) fn base64_arg<A: AsRef<[u8]>, const N: usize, const B: usize>(
if arg.as_ref().len() != ((4 * buf.as_mut().len()) + 2) / 3 { arg: &A,
) -> Option<[u8; N]> {
if N > B {
return None; return None;
} }
match base64::decode_config_slice(arg, base64::STANDARD_NO_PAD, buf.as_mut()) { let mut buf = [0; B];
Ok(_) => Some(buf), match BASE64_STANDARD_NO_PAD.decode_slice(arg, buf.as_mut()) {
Err(_) => None, Ok(n) if n == N => Some(buf[..N].try_into().unwrap()),
_ => None,
} }
} }
@ -114,11 +118,12 @@ pub(crate) mod read {
} }
pub(crate) mod write { pub(crate) mod write {
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use cookie_factory::{combinator::string, SerializeFn}; use cookie_factory::{combinator::string, SerializeFn};
use std::io::Write; use std::io::Write;
pub(crate) fn encoded_data<W: Write>(data: &[u8]) -> impl SerializeFn<W> { pub(crate) fn encoded_data<W: Write>(data: &[u8]) -> impl SerializeFn<W> {
let encoded = base64::encode_config(data, base64::STANDARD_NO_PAD); let encoded = BASE64_STANDARD_NO_PAD.encode(data);
string(encoded) string(encoded)
} }
} }

5
age/src/x25519.rs
View file

@ -5,6 +5,7 @@ use age_core::{
primitives::{aead_decrypt, aead_encrypt, hkdf}, primitives::{aead_decrypt, aead_encrypt, hkdf},
secrecy::{ExposeSecret, SecretString}, secrecy::{ExposeSecret, SecretString},
}; };
use base64::{prelude::BASE64_STANDARD_NO_PAD, Engine};
use bech32::{ToBase32, Variant}; use bech32::{ToBase32, Variant};
use rand_7::rngs::OsRng; use rand_7::rngs::OsRng;
use std::fmt; use std::fmt;
@ -91,7 +92,7 @@ impl crate::Identity for Identity {
// Enforce valid and canonical stanza format. // Enforce valid and canonical stanza format.
// https://c2sp.org/age#x25519-recipient-stanza // https://c2sp.org/age#x25519-recipient-stanza
let ephemeral_share = match &stanza.args[..] { let ephemeral_share = match &stanza.args[..] {
[arg] => match base64_arg(arg, [0; EPK_LEN_BYTES]) { [arg] => match base64_arg::<_, EPK_LEN_BYTES, 33>(arg) {
Some(ephemeral_share) => ephemeral_share, Some(ephemeral_share) => ephemeral_share,
None => return Some(Err(DecryptError::InvalidHeader)), None => return Some(Err(DecryptError::InvalidHeader)),
}, },
@ -211,7 +212,7 @@ impl crate::Recipient for Recipient {
let enc_key = hkdf(&salt, X25519_RECIPIENT_KEY_LABEL, shared_secret.as_bytes()); let enc_key = hkdf(&salt, X25519_RECIPIENT_KEY_LABEL, shared_secret.as_bytes());
let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret()); let encrypted_file_key = aead_encrypt(&enc_key, file_key.expose_secret());
let encoded_epk = base64::encode_config(epk.as_bytes(), base64::STANDARD_NO_PAD); let encoded_epk = BASE64_STANDARD_NO_PAD.encode(epk.as_bytes());
Ok(vec![Stanza { Ok(vec![Stanza {
tag: X25519_RECIPIENT_TAG.to_owned(), tag: X25519_RECIPIENT_TAG.to_owned(),

4
fuzz-afl/Cargo.lock generated
View file

@ -107,9 +107,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]] [[package]]
name = "base64" name = "base64"
version = "0.13.1" version = "0.21.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d"
[[package]] [[package]]
name = "bech32" name = "bech32"

4
fuzz/Cargo.lock generated
View file

@ -82,9 +82,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]] [[package]]
name = "base64" name = "base64"
version = "0.13.1" version = "0.21.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d"
[[package]] [[package]]
name = "bech32" name = "bech32"

4
supply-chain/config.toml
View file

@ -71,10 +71,6 @@ criteria = "safe-to-deploy"
version = "0.7.3" version = "0.7.3"
criteria = "safe-to-run" criteria = "safe-to-run"
[[exemptions.base64]]
version = "0.13.1"
criteria = "safe-to-deploy"
[[exemptions.base64ct]] [[exemptions.base64ct]]
version = "1.6.0" version = "1.6.0"
criteria = "safe-to-deploy" criteria = "safe-to-deploy"

16
supply-chain/imports.lock
View file

@ -196,6 +196,12 @@ Linux-specific constructs and does not constitute any major changes to the
crate. crate.
""" """
[[audits.bytecode-alliance.audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
[[audits.bytecode-alliance.audits.block-buffer]] [[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>" who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy" criteria = "safe-to-deploy"
@ -409,6 +415,16 @@ who = "Tim Geoghegan <timg@letsencrypt.org>"
criteria = "safe-to-deploy" criteria = "safe-to-deploy"
delta = "0.10.1 -> 0.10.2" delta = "0.10.1 -> 0.10.2"
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan <timg@letsencrypt.org>"
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.1"
[[audits.isrg.audits.base64]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "0.21.1 -> 0.21.2"
[[audits.isrg.audits.block-buffer]] [[audits.isrg.audits.block-buffer]]
who = "David Cook <dcook@divviup.org>" who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy" criteria = "safe-to-deploy"