chore!: align to draft 16, update dependencies (#365)
* chore!: align to draft 16, update dependencies

* chore: fix toml formatting
cyyynthia authored Sep 24, 2024
1 parent 4e52556 commit 94d9c56
Showing 10 changed files with 675 additions and 693 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/main.yml
@@ -236,7 +236,7 @@ jobs:
- name: Install Taplo
# Adding the --locked flag because of
# https://github.com/tamasfe/taplo/issues/242
run: cargo install taplo-cli --locked
run: cargo install taplo-cli --locked

- name: Checkout sources
uses: actions/checkout@main
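Review bot: the removed and added `run: cargo install taplo-cli --locked` lines are identical in content, so this is an indentation-only change; confirm the step still parses under the `- name: Install Taplo` list item, since a YAML indentation slip here silently changes which step the `run:` key belongs to.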
@@ -249,4 +249,4 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@main
- uses: EmbarkStudios/cargo-deny-action@v1
- uses: EmbarkStudios/cargo-deny-action@v2
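Review bot: `EmbarkStudios/cargo-deny-action@v2` and `actions/checkout@main` are both pinned to mutable refs (a major tag and a branch); for a job that gates releases on advisory and license checks, pin each to a full commit SHA with the tag in a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<commit-sha> # v2`. The v2 bump is also what makes the deny.toml migration in this commit necessary (moving `targets` under `[graph]`, dropping the old advisory lint-level fields), so the workflow change and the config change should land together, as they do here.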
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog

## 3.0.0-pre.6 (TBD)
* Synced implementation with draft-irtf-cfrg-opaque-16
* **Breaking: protocol context string changed from `RFCXXXX` to `OPAQUEv1-`**
* Dropped unmaintained json crate in favor of serde_json
* Updated dependencies

## 3.0.0-pre.5 (September 18, 2024)
* Increased MSRV to 1.74
* Updated voprf dependency
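Review bot: the "Breaking" entry should state the operational consequence, not just the constant's new value: the context string is an input to the transcript hash (see the `STR_RFC`/`STR_CONTEXT` uses in src/key_exchange/tripledh.rs), so a client and server on different sides of this change fail MAC verification and cannot complete login, with no negotiation or fallback; both ends must be upgraded together. Suggested wording: "Breaking: protocol context string changed from `RFCXXXX` to `OPAQUEv1-`; clients and servers must be upgraded in lockstep, older peers will fail authentication." The `(TBD)` also needs a date before the release is cut.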
@@ -15,6 +21,7 @@

## 3.0.0-pre.2 (March 14, 2023)
* Updated VOPRF to draft 19
* **Breaking: backwards-incompatible changes introduced in OPRF protocol**
* Added P384 testing support
* Increased MSRV to 1.65
* Updating dependencies
7 changes: 3 additions & 4 deletions Cargo.toml
@@ -9,7 +9,7 @@ name = "opaque-ke"
readme = "README.md"
repository = "https://github.com/facebook/opaque-ke"
rust-version = "1.74"
version = "3.0.0-pre.5"
version = "3.0.0-pre.6"

[features]
argon2 = ["dep:argon2"]
@@ -38,9 +38,9 @@ rand = { version = "0.8", default-features = false }
serde = { version = "1", default-features = false, features = [
"derive",
], optional = true }
subtle = { version = "2.3", default-features = false }
subtle = { version = "2.6", default-features = false }
voprf = { version = "0.5", default-features = false, features = ["danger"] }
zeroize = { version = "1.5", features = ["zeroize_derive"] }
zeroize = { version = "1.8", features = ["zeroize_derive"] }

[target.'cfg(target_arch = "wasm32")'.dependencies]
getrandom = { version = "0.2", features = ["js"], optional = true }
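Review bot: `subtle` 2.3 to 2.6 and `zeroize` 1.5 to 1.8 are minimum-version bumps in a library crate, so they propagate to every downstream lockfile; confirm they build under the `rust-version = "1.74"` declared earlier in this file (CI should fail on MSRV, not users) and mention them in the CHANGELOG's "Updated dependencies" line by name. The `danger` feature on `voprf` stays enabled; a one-line comment saying why OPAQUE needs it would save the next reviewer from having to re-derive that.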
@@ -50,7 +50,6 @@ bincode = "1"
chacha20poly1305 = "0.10"
criterion = "0.5"
hex = "0.4"
json = "0.12"
p256 = { version = "0.13", default-features = false, features = [
"hash2curve",
"voprf",
4 changes: 2 additions & 2 deletions README.md
@@ -1,13 +1,13 @@
## The OPAQUE key exchange protocol ![Build Status](https://github.com/facebook/opaque-ke/workflows/Rust%20CI/badge.svg)

[OPAQUE](https://eprint.iacr.org/2018/163.pdf) is an asymmetric password-authenticated key exchange protocol. It allows a client to authenticate to a server using a password, without ever having to expose the plaintext password to the server.
[OPAQUE](https://eprint.iacr.org/2018/163.pdf) is an augmented password-authenticated key exchange protocol. It allows a client to authenticate to a server using a password, without ever having to expose the plaintext password to the server.

This implementation is based on the [Internet Draft for OPAQUE](https://github.com/cfrg/draft-irtf-cfrg-opaque).

Background
----------

Asymmetric Password Authenticated Key Exchange (aPAKE) protocols are designed to provide password authentication and mutually authenticated key exchange without relying on PKI (except during user/password registration) and without disclosing passwords to servers or other entities other than the client machine.
Augmented Password Authenticated Key Exchange (aPAKE) protocols are designed to provide password authentication and mutually authenticated key exchange without relying on PKI (except during user/password registration) and without disclosing passwords to servers or other entities other than the client machine.

OPAQUE is a PKI-free aPAKE that is secure against pre-computation attacks and capable of using a secret salt.

41 changes: 7 additions & 34 deletions deny.toml
@@ -9,6 +9,7 @@
# The values provided in this template are the default values that will be used
# when any section or field is not specified in your own configuration

[graph]
# If 1 or more target triples (and optionally, target_features) are specified,
# only the specified targets will be checked when running `cargo deny check`.
# This means, if a particular package is only ever used as a target specific
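Review bot: the new `[graph]` table is inserted above a comment block that was written for the old top-level `targets` key; now that `targets` is a key of `[graph]`, reword or move that block so it reads as documentation of `graph.targets`, otherwise the comment appears to describe the table header rather than the key it belongs to.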
@@ -17,6 +18,7 @@
# this list would mean the nix crate, as well as any of its exclusive
# dependencies not shared by any other crates, would be ignored, as the target
# list here is effectively saying which targets you are building for.
all-features = true
targets = [
# The triple can be any string, but only the target triples built in to
# rustc (as of 1.40) can be checked against actual config expressions
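Review bot: `all-features = true` is the right setting for a security check, because optional dependencies (`argon2` and the wasm `getrandom` in Cargo.toml) are now included in advisory and license checks instead of only the default feature set; the cost is that every optional dependency's license tree must be covered by the allow list, which is likely why the `unicode-ident` exception appears further down. A short comment stating that intent next to the key would make the trade-off explicit.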
@@ -35,16 +37,8 @@ targets = [
db-path = "~/.cargo/advisory-db"
# The url of the advisory database to use
db-urls = ["https://github.com/rustsec/advisory-db"]
# The lint level for security vulnerabilities
vulnerability = "deny"
# The lint level for unmaintained crates
unmaintained = "warn"
# The lint level for crates that have been yanked from their source registry
yanked = "warn"
# The lint level for crates with security notices. Note that as of
# 2019-12-17 there are no security notice advisories in
# https://github.com/rustsec/advisory-db
notice = "deny"
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [
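Review bot: dropping `vulnerability`, `unmaintained`, `yanked` and `notice` hands the advisory policy to the tool's defaults, and the old config deliberately only warned on unmaintained and yanked crates; confirm the effective levels under the cargo-deny version shipped by the v2 action (newer releases deprecated these fields and treat advisories as errors unless listed in `ignore`) and record the intended policy in a comment so the stricter behaviour is visible rather than implicit. The `ignore = [` list that follows deserves a pass too: each entry should carry the advisory ID and a reason, since ignores now silence hard errors.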
@@ -64,47 +58,26 @@ ignore = [
# More documentation for the licenses section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
# The lint level for crates which do not have a detectable license
unlicensed = "deny"
# List of explictly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
allow = [
#"MIT",
#"Apache-2.0",
"MIT",
"BSD-3-Clause",
"Apache-2.0",
#"Apache-2.0 WITH LLVM-exception",
]
# List of explictly disallowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
deny = [
#"Nokia",
]
# Lint level for licenses considered copyleft
copyleft = "warn"
# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
# * both - The license will be approved if it is both OSI-approved *AND* FSF
# * either - The license will be approved if it is either OSI-approved *OR* FSF
# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF
# * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved
# * neither - This predicate is ignored and the default lint level is used
allow-osi-fsf-free = "neither"
# Lint level used when no other predicates are matched
# 1. License isn't in the allow or deny lists
# 2. License isn't copyleft
# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
default = "allow"
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
# canonical license text of a valid SPDX license file.
# [possible values: any between 0.0 and 1.0].
confidence-threshold = 0.8
confidence-threshold = 0.95
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list
exceptions = [
# Each entry is the crate and version constraint, and its specific allow
# list
#{ allow = ["Zlib"], name = "adler32", version = "*" },
{ allow = ["Unicode-DFS-2016"], name = "unicode-ident", version = "*" },
]

# Some crates don't have (easily) machine readable licensing information,
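Review bot: with `unlicensed`, `copyleft`, `allow-osi-fsf-free` and `default` removed, the section becomes a pure allow list (MIT, BSD-3-Clause, Apache-2.0 plus the per-crate exception), and `confidence-threshold` rises from 0.8 to 0.95; both are stricter, which is good, but say so in a comment near `allow` so nobody reads the shorter file as a relaxation. For the `unicode-ident` exception, `version = "*"` waves `Unicode-DFS-2016` through for every future release of that crate; a bounded range such as `version = "1"` keeps the exception reviewable. The `deny = [ #"Nokia", ]` block is dead configuration under allow-list semantics and can be removed.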
6 changes: 3 additions & 3 deletions src/key_exchange/tripledh.rs
@@ -38,7 +38,7 @@ use crate::serialization::{Input, UpdateExt};
///////////////

pub(crate) type NonceLen = U32;
static STR_RFC: &[u8] = b"RFCXXXX";
static STR_CONTEXT: &[u8] = b"OPAQUEv1-";
static STR_CLIENT_MAC: &[u8] = b"ClientMAC";
static STR_HANDSHAKE_SECRET: &[u8] = b"HandshakeSecret";
static STR_SERVER_MAC: &[u8] = b"ServerMAC";
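Review bot: `STR_CONTEXT` collides conceptually with the caller-supplied `context: &[u8]` parameter that is hashed right after it in both transcript builders below; a name such as `STR_PROTOCOL_LABEL`, or a doc comment ("fixed protocol version label from draft-16; distinct from the application-supplied `context`"), would avoid the two being confused. Also worth a comment here: this constant is the sole reason the transcript hash, and therefore `ClientMAC`/`ServerMAC` verification, is incompatible with every earlier release, and a mismatched peer sees a generic authentication failure rather than a version error.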
@@ -215,7 +215,7 @@ where
let server_nonce = generate_nonce::<R>(rng);

let mut transcript_hasher = D::new()
.chain(STR_RFC)
.chain(STR_CONTEXT)
.chain_iter(
Input::<U2>::from(context)
.map_err(ProtocolError::into_custom)?
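Review bot: the server side maps the `Input::<U2>::from(context)` error with `.map_err(ProtocolError::into_custom)?`, while the client side in the next hunk uses a bare `?` on the same conversion; unless the two functions return different error types, both call sites should map the error the same way so an over-long `context` yields the same `ProtocolError` variant for either peer.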
@@ -278,7 +278,7 @@ where
context: &[u8],
) -> Result<GenerateKe3Result<Self, D, KG>, ProtocolError> {
let mut transcript_hasher = D::new()
.chain(STR_RFC)
.chain(STR_CONTEXT)
.chain_iter(Input::<U2>::from(context)?.iter())
.chain_iter(id_u)
.chain_iter(serialized_credential_request)
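Review bot: every transcript hash changes with the new label, so the draft-16 test vectors have to be regenerated or imported in the same commit; they are not among the files visible here, so confirm the test-vector file is one of the 10 changed files and that both this client-side `generate_ke3` path and the server-side path in the previous hunk are exercised against it.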
2 changes: 1 addition & 1 deletion src/lib.rs
@@ -6,7 +6,7 @@
// of this source tree. You may select, at your option, one of the above-listed
// licenses.

//! An implementation of the OPAQUE asymmetric password authentication key
//! An implementation of the OPAQUE augmented password authentication key
//! exchange protocol
//!
//! Note: This implementation is in sync with [draft-irtf-cfrg-opaque-16](https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/16/),