solana-labs / solana

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://solanalabs.com
Apache License 2.0

curve25519-dalek zeroize dependency not compatible with other libraries #26688

Open samuelvanderwaal opened 2 years ago

samuelvanderwaal commented 2 years ago

Problem

Solana v1.8.x relied on curve25519-dalek ^v2.1.0 which itself has a zeroize dependency of ^1.

However, Solana v1.9+ relies on curve25519-dalek ^v3.2.1, which limits zeroize to the range >=1, <1.4. That range is not compatible with many other cryptography libraries (or libraries that depend on cryptography libraries) which use ^1.4 or ^1.5. Examples:

It's unclear why curve25519-dalek hasn't bumped yet but there is an open PR to do so. Most other cryptography libraries seem to have bumped to v1.4+

Are there any known workarounds for this? If curve25519-dalek doesn't bump, is it possible for Solana to drop back down to ^v2.1?

Proposed Solution

tarcieri commented 4 months ago

FYI, all versions of curve25519-dalek prior to v4.1.3 contain a critical timing side-channel vulnerability which may leak private keys: https://rustsec.org/advisories/RUSTSEC-2024-0344.html

It would be very good for Solana to prioritize PRs like https://github.com/anza-xyz/agave/pull/1693 as currently it's using unmaintained versions of important crypto libraries.

danielementary commented 4 months ago

Sure, I meant my comment as a workaround for those who just want to get started with the dependencies and can’t compile, rather than ignoring any security concerns (personally, this would have helped me a few weeks ago when I was starting my project). I’ve been patiently waiting for that PR to be merged too

sarmatdev commented 4 months ago

> P.S Patching `aes-gcm-siv` and `curve25519-dalek` doesn't work. The error is:

@uandere Hey, did you manage to solve this issue?

klefevre commented 4 months ago

This PR was opened on Jul 20, 2022. Still not fixed. I guess Solana owners don't want us to use their library.

samuelvanderwaal commented 4 months ago

> This PR was opened on Jul 20, 2022. Still not fixed. I guess Solana owners don't want us to use their library.

It's being worked on here and looks very close: https://github.com/anza-xyz/agave/pull/1693.

ohaddahan commented 3 months ago

More dependency issues https://github.com/anza-xyz/agave/issues/612 I'm also facing them. Tried your solution @juchiast but didn't help :(

ItsFunny commented 3 months ago

this works for me:

```toml
[patch.crates-io]
curve25519-dalek = { git = 'https://github.com/ivs/curve25519-dalek', branch='rustls-dep-hell' }
aes-gcm-siv = { git = 'https://github.com/ivs/AEADs', branch='rustls-dep-hell' }
```

ohaddahan commented 3 months ago

> this works for me:
>
> ```toml
> [patch.crates-io]
> curve25519-dalek = { git = 'https://github.com/ivs/curve25519-dalek', branch='rustls-dep-hell' }
> aes-gcm-siv = { git = 'https://github.com/ivs/AEADs', branch='rustls-dep-hell' }
> ```

Try adding Tauri 2.0.0-beta with features rustls , that should fail 😢

solanagirl commented 2 months ago

I am also facing this with incompatible zeroize versions

jonwalch commented 1 month ago

```text
$ cargo build
    Updating crates.io index
error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v3.2.1`
    ... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v2.0.8`
    ... which satisfies dependency `solana-program = "=2.0.8"` of package `solana-sdk v2.0.8`
    ... which satisfies dependency `solana-sdk = "^2.0.8"` of package `webserver v0.1.0 (/Users/jon/Developer/superstate/webserver)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.5.3`
    ... which satisfies dependency `zeroize = "^1.5"` of package `elliptic-curve v0.13.6`
    ... which satisfies dependency `elliptic-curve = "^0.13.5"` of package `ethers-core v2.0.14`
    ... which satisfies dependency `ethers-core = "^2.0.14"` of package `ethers v2.0.14`
    ... which satisfies dependency `ethers = "^2.0.14"` of package `webserver v0.1.0 (/Users/jon/Developer/superstate/webserver)`

failed to select a version for `zeroize` which could resolve this conflict
```

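As an added example, not code from this thread or from Solana/Agave, the following minimal semver-range arithmetic in Rust reproduces why Cargo reports the conflict above (curve25519-dalek 3.2.1's `>=1, <1.4` for zeroize against elliptic-curve's `^1.5`, versus the `^1` that curve25519-dalek 2.x carried) and, following tarcieri's advisory note, flags a resolved crate version that is still below the patched one. `Version`, `Range`, `parse_req`, `intersect`, `satisfies` and `below_patched` are names chosen here; only `^`, `>=` and `<` requirements are handled.

```rust
// Added example (not Solana/Agave code): minimal semver-range arithmetic that
// reproduces Cargo's reasoning in the error above. Handles `^`, `>=` and `<`
// requirements on MAJOR.MINOR.PATCH, which covers the `zeroize` ranges quoted.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Half-open interval [lo, hi) of acceptable versions; `hi == None` is unbounded.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Range { pub lo: Version, pub hi: Option<Version> }

pub fn parse_version(s: &str) -> Version {
    let mut it = s.trim().split('.').map(|p| p.parse::<u64>().unwrap_or(0));
    let mut next = || it.next().unwrap_or(0);
    Version(next(), next(), next())
}

fn tighten_hi(r: &mut Range, v: Version) { r.hi = Some(r.hi.map_or(v, |h| h.min(v))); }

/// Parse a Cargo requirement such as "^1", "^3.2.1" or ">=1, <1.4".
pub fn parse_req(req: &str) -> Range {
    let mut r = Range { lo: Version(0, 0, 0), hi: None };
    for part in req.split(',').map(str::trim) {
        if let Some(v) = part.strip_prefix('^') {
            // Caret = "compatible with": ^1 is [1.0.0, 2.0.0), ^0.13 is [0.13.0, 0.14.0).
            let v = parse_version(v);
            let hi = if v.0 > 0 { Version(v.0 + 1, 0, 0) }
                else if v.1 > 0 { Version(0, v.1 + 1, 0) } else { Version(0, 0, v.2 + 1) };
            r.lo = r.lo.max(v);
            tighten_hi(&mut r, hi);
        } else if let Some(v) = part.strip_prefix(">=") {
            r.lo = r.lo.max(parse_version(v));
        } else if let Some(v) = part.strip_prefix('<') {
            tighten_hi(&mut r, parse_version(v));
        }
    }
    r
}

/// Intersect two requirements; `None` is Cargo's "all possible versions conflict".
pub fn intersect(a: Range, b: Range) -> Option<Range> {
    let lo = a.lo.max(b.lo);
    let hi = match (a.hi, b.hi) { (Some(x), Some(y)) => Some(x.min(y)), (x, None) => x, (None, y) => y };
    if matches!(hi, Some(h) if h <= lo) { None } else { Some(Range { lo, hi }) }
}

pub fn satisfies(v: Version, r: Range) -> bool { v >= r.lo && r.hi.map_or(true, |h| v < h) }

/// RUSTSEC-2024-0344 style check: a resolved version below the patched one is still affected.
pub fn below_patched(resolved: &str, patched: &str) -> bool { parse_version(resolved) < parse_version(patched) }
```

Running `intersect(parse_req(">=1, <1.4"), parse_req("^1.5"))` yields `None`, which is the empty set Cargo reports; the same call with `^1` in place of `>=1, <1.4` yields `[1.5.0, 2.0.0)`.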
tarcieri commented 1 month ago

Note: this PR to upgrade curve25519-dalek to v4.x was just merged: https://github.com/anza-xyz/agave/pull/2252

It's unclear when it will make it into a release, but it should address the issue.

danimhr commented 1 month ago

This solved my issue

IntelC-H commented 1 month ago

@danimhr, how do you fix it?

pxr64 commented 2 weeks ago

How can I use the solana-sdk in my project?

```text
error: failed to select a version for `zeroize`.
    ... required by package `curve25519-dalek v3.2.1`
    ... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v2.0.13`
    ... which satisfies dependency `solana-program = "=2.0.13"` of package `solana-sdk v2.0.13`
    ... which satisfies dependency `solana-sdk = "^2.0.13"` of package `integration_tests v0.1.0 (/Users/bogdanbrinzoiu/Work/liquidium-icp-pools/liquidium-pools/canisters/integration_tests)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.5.3`
    ... which satisfies dependency `zeroize = "^1.5"` of package `elliptic-curve v0.13.6`
    ... which satisfies dependency `elliptic-curve = "^0.13"` of package `k256 v0.13.1`
    ... which satisfies dependency `k256 = "^0.13.1"` of package `ic-agent v0.37.1`
    ... which satisfies dependency `ic-agent = "^0.37.1"` of package `pocket-ic v5.0.0 (https://github.com/dfinity/ic?rev=6dae2daa1888cc0f4ee191d0dacb7186a6b4570e#6dae2daa)`
    ... which satisfies git dependency `pocket-ic` (locked to 5.0.0) of package `integration_tests v0.1.0 (/Users/bogdanbrinzoiu/Work/liquidium-icp-pools/liquidium-pools/canisters/integration_tests)`
```

KirillLykov commented 2 weeks ago

you can try

```toml
zeroize = { version = "1.7", default-features = false }
```

and check how we build downstream projects: https://github.com/anza-xyz/agave/blob/f9f8b60ca15fa721c6cdd816c99dfd4e9123fd77/scripts/build-downstream-anchor-projects.sh#L72

So maybe something like that helps

```toml
[patch.crates-io]
curve25519-dalek = { git = "https://github.com/anza-xyz/curve25519-dalek.git", rev = "b500cdc2a920cd5bff9e2dd974d7b97349d61464" }
```

acheroncrypto commented 2 days ago

This issue looks to be resolved with the release of Solana v2.1.0 crates (at least for the most part).

However, the new release has also introduced a new set of compatibility issues with existing crates that still use older versions of curve25519-dalek, e.g. spl-token-2022 (https://github.com/solana-labs/solana-program-library/pull/7416#discussion_r1824643243), which could have been avoided with proper versioning.