Comments (10)
@ProjectInitiative I am keen towards moving hardly: mut + version bump to 0.4.0 + rustsec advisory for <0.3.x.
Why:
- I haven't found evidence that I deliberately planned to have an immutable API, although I found a commit where the API became immutable: fa4d1d9.
- Introducing additional API calls doesn't make the old API more secure for sequential usage.
Closing issue!
Created a pull request fixing the issue, and adding some new test criteria to all 4 of the encrypt functions #23
Also opened an issue here: rust-random/rand#1345
Wow, nice finding. I left comments in the PR.
@ProjectInitiative What a nasty issue :) Here's the thing: originally, I designed the API to be one-shot, e.g. you initialize Cocoon, dump something, and leave. On the other side, sequential dumping/encrypting is a nice feature. However, changing the API to be mutable would break backward compatibility.
Options:
- We could introduce `dump_next(&mut self, ...)`, `encrypt_next(&mut self, ...)`.
- Bumping version to `0.4.0`.
Both are good, I would suggest a contingency on option 1: might be a good idea to add a crates.io advisory for < 3.x.x as I found this out by NOT using the crate in the intended way, and others might have as well while thinking their implementation was correct.
As for which to select? I am not sure, I will defer the direction of the project to project owner.
I will note from a security perspective, option 2 with a crate.io advisory would force/push dependent projects to re-evaluate and confirm the security they expect in their respective projects.
@ProjectInitiative `0.4.0` is published (https://crates.io/crates/cocoon)
Security Advisory PR: rustsec/advisory-db#1805
@ProjectInitiative I just found that it was reproduced with `MiniCocoon` only and with `Cocoon::from_seed` (and others with custom RNGs and seeds) where `StdRng` is used! That's why I haven't found it easily in the first place. It means that cloning `ThreadRng` (which is used in `Cocoon::new`) and `StdRng` (which is used in `MiniCocoon` and `Cocoon::from_seed`) behaves differently, or maybe `ThreadRng` adds entropy every time no matter what.
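The failure mode the thread describes (an RNG held behind an immutable API is cloned on every call, so a seeded generator hands out the same nonce each time, while advancing it behind `&mut self` does not) can be shown with a self-contained toy. The code below is an added illustration, not cocoon's code: `ToyRng` is a constructed xorshift64 stand-in for a seedable generator such as `StdRng`, `Container`, `nonce_oneshot`, `nonce_next` and `has_repeated_nonce` are hypothetical names, and it only models the seeded case discussed in the last comment, making no claim about how `rand`'s `ThreadRng` behaves when cloned.

```rust
use std::collections::HashSet;

/// Constructed stand-in for a seedable PRNG (not rand's StdRng): xorshift64.
/// Cloning it copies the full state, so a clone replays the same stream.
#[derive(Clone)]
pub struct ToyRng(u64);

impl ToyRng {
    /// Seed must be non-zero for xorshift, hence `| 1`.
    pub fn from_seed(seed: u64) -> Self {
        ToyRng(seed | 1)
    }

    /// One xorshift64 step; advances the internal state.
    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }

    /// Draws a 96-bit nonce (typical AEAD nonce size) from the stream.
    pub fn fill_nonce(&mut self) -> [u8; 12] {
        let mut nonce = [0u8; 12];
        nonce[..8].copy_from_slice(&self.next_u64().to_le_bytes());
        nonce[8..].copy_from_slice(&self.next_u64().to_le_bytes()[..4]);
        nonce
    }
}

/// Hypothetical container that owns its RNG, like a seeded wrapper object.
pub struct Container {
    rng: ToyRng,
}

impl Container {
    pub fn from_seed(seed: u64) -> Self {
        Container { rng: ToyRng::from_seed(seed) }
    }

    /// The one-shot pattern: `&self` forces a clone of the RNG state, and the
    /// advanced clone is dropped. Every call therefore yields the same nonce.
    pub fn nonce_oneshot(&self) -> [u8; 12] {
        let mut rng = self.rng.clone();
        rng.fill_nonce()
    }

    /// The sequential-safe pattern: `&mut self` advances the owned RNG, so
    /// consecutive calls draw distinct values from the stream.
    pub fn nonce_next(&mut self) -> [u8; 12] {
        self.rng.fill_nonce()
    }
}

/// Detection helper: true if any nonce appears more than once in `nonces`.
/// With a fixed key, a repeated AEAD nonce is exactly what must never happen.
pub fn has_repeated_nonce(nonces: &[[u8; 12]]) -> bool {
    let mut seen = HashSet::new();
    nonces.iter().any(|n| !seen.insert(*n))
}

/// Runs both patterns from the same seed and reports whether each repeats.
/// Returns (oneshot_repeats, next_repeats).
pub fn demo(seed: u64, calls: usize) -> (bool, bool) {
    let oneshot = Container::from_seed(seed);
    let oneshot_nonces: Vec<_> = (0..calls).map(|_| oneshot.nonce_oneshot()).collect();

    let mut sequential = Container::from_seed(seed);
    let next_nonces: Vec<_> = (0..calls).map(|_| sequential.nonce_next()).collect();

    (has_repeated_nonce(&oneshot_nonces), has_repeated_nonce(&next_nonces))
}

fn main() {
    let (oneshot_repeats, next_repeats) = demo(7, 3);
    println!("&self + clone repeats nonces: {oneshot_repeats}");
    println!("&mut self advancing repeats nonces: {next_repeats}");
}
```

The detection helper is the part worth keeping in a test suite: feeding it the nonces from several consecutive encryptions of one object is a cheap way to catch this class of regression before an advisory is needed.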