Closed romanb closed 4 years ago
Thanks for the heads up. We should also update https://github.com/wireapp/hkdf
As far as I know, we don't use generichash
(Which is Blake2b
) anywhere but instead use sha256
. E.g. https://github.com/wireapp/hkdf/blob/develop/src/lib.rs#L32 so I don't think we're directly vulnerable. It's still good to bump the versions though.
Nice catch @romanb!
I think @arianvp is right, generichash
wraps BLAKE2b
(https://libsodium.gitbook.io/doc/hashing/generic_hashing#algorithm-details) while Proteus only depends on HKDF (which in turn explicitely uses SHA256
):
The minimal sodiumoxide
version is now 0.2.5. through #25.
See the Rust security advisory: https://rustsec.org/advisories/RUSTSEC-2019-0026.html. This should be followed up with new releases of the cryptobox libraries and everything on top.