Bump password-hash to v0.6.0-rc.2 (#737)

This upgrades `rand_core` to v0.10 prereleases and depends directly on
`getrandom` for access to the system RNG.

It additionally bumps other crates like `digest` and `blake2` which use
the new `crypto-common` with an upgraded `rand_core`.

This required restoring some functionality in `blake2` which was used by
`argon2`: RustCrypto/hashes#754

This is currently referenced as a git branch until we decide if this is
a permanent solution for `argon2` or not, so as to unblock the upgrade.

Author: tarcieri

.github/workflows/pbkdf2.yml

@@ -35,13 +35,12 @@ jobs:
           toolchain: ${{ matrix.rust }}
           targets: ${{ matrix.target }}
       - run: cargo build --target ${{ matrix.target }} --no-default-features
-      - run: cargo build --target ${{ matrix.target }} --no-default-features --features simple
 
   minimal-versions:
     if: false # disabled while using pre-releases
     uses: RustCrypto/actions/.github/workflows/minimal-versions.yml@master
     with:
-        working-directory: ${{ github.workflow }}
+      working-directory: ${{ github.workflow }}
 
   test:
     runs-on: ubuntu-latest

.gitignore

@@ -1,4 +1,3 @@
 /target/
-/.readme/target/
-/benches/target/
+**/target/
 **/Cargo.lock

Cargo.lock

@@ -15,3 +15,7 @@ exclude = ["benches", "fuzz"]
 
 [profile.dev]
 opt-level = 2
+
+[patch.crates-io.blake2]
+git = "https://github.com/RustCrypto/hashes"
+branch = "blake2/restore-blake-var"

Cargo.toml

@@ -35,8 +35,9 @@ password-hash = { version = "0.6.0-rc.1", features = ["rand_core"] }
 [features]
 default = ["alloc", "password-hash", "rand"]
 alloc = ["password-hash?/alloc"]
-std = ["alloc", "password-hash?/os_rng", "base64ct/std"]
+std = ["alloc", "base64ct/std"]
 
+getrandom = ["simple", "password-hash/getrandom"]
 parallel = ["dep:rayon"]
 rand = ["password-hash?/rand_core"]
 simple = ["password-hash"]

argon2/Cargo.toml

@@ -4,7 +4,7 @@ use crate::{Error, Result};
 
 use blake2::{
     Blake2b512, Blake2bVar,
-    digest::{self, Digest, VariableOutput},
+    digest::{self, Digest},
 };
 
 use core::convert::TryFrom;

argon2/src/blake2b_long.rs

@@ -39,16 +39,12 @@
 )]
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
 //! use argon2::{
-//!     password_hash::{
-//!         // `OsRng` requires enabled `std` crate feature
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
 //!     Argon2
 //! };
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng).unwrap();
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `argon2` enabled
 //!
 //! // Argon2 with default params (Argon2id v19)
 //! let argon2 = Argon2::default();
@@ -77,16 +73,12 @@
 )]
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
 //! use argon2::{
-//!     password_hash::{
-//!         // `OsRng` requires enabled `std` crate feature
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString },
 //!     Algorithm, Argon2, Params, Version
 //! };
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng).unwrap();
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `argon2` enabled
 //!
 //! // Argon2 with default params (Argon2id v19) and pepper
 //! let argon2 = Argon2::new_with_secret(

argon2/src/lib.rs

@@ -14,25 +14,27 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-digest = { version = "0.11.0-rc.1", default-features = false }
-crypto-bigint = { version = "0.7.0-rc.4", default-features = false, features = ["hybrid-array"] }
-rand_core = { version = "0.9", default-features = false }
+digest = { version = "0.11.0-rc.4", default-features = false }
+crypto-bigint = { version = "0.7.0-rc.9", default-features = false, features = ["hybrid-array"] }
+rand_core = { version = "0.10.0-rc-2", default-features = false }
 
 # optional dependencies
-password-hash = { version = "0.6.0-rc.0", default-features = false, optional = true }
+password-hash = { version = "0.6.0-rc.2", default-features = false, optional = true }
 rayon = { version = "1.7", optional = true }
 zeroize = { version = "1", default-features = false, optional = true }
 
 [dev-dependencies]
 hex-literal = "1"
-sha2 = "0.11.0-rc.2"
+sha2 = "0.11.0-rc.3"
 
 [features]
 default = ["alloc", "password-hash", "rand"]
 alloc = ["password-hash/alloc"]
+std = ["alloc", "getrandom"]
+
+getrandom = ["password-hash/getrandom"]
 parallel = ["rayon", "std"]
 rand = ["password-hash/rand_core"]
-std = ["alloc", "password-hash/os_rng", "rand_core/std"]
 zeroize = ["dep:zeroize"]
 
 [package.metadata.docs.rs]

balloon-hash/Cargo.toml

@@ -28,21 +28,17 @@
 //!
 //! The following example demonstrates the high-level password hashing API:
 //!
-//! ```
+#![cfg_attr(feature = "getrandom", doc = "```")]
+#![cfg_attr(not(feature = "getrandom"), doc = "```ignore")]
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
-//! # #[cfg(all(feature = "password-hash", feature = "std"))]
-//! # {
 //! use balloon_hash::{
-//!     password_hash::{
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
 //!     Balloon
 //! };
 //! use sha2::Sha256;
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng)?;
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `balloon-hash` enabled
 //!
 //! // Balloon with default params
 //! let balloon = Balloon::<Sha256>::default();
@@ -53,7 +49,6 @@
 //! // Verify password against PHC string
 //! let parsed_hash = PasswordHash::new(&password_hash)?;
 //! assert!(balloon.verify_password(password, &parsed_hash).is_ok());
-//! # }
 //! # Ok(())
 //! # }
 //! ```

balloon-hash/src/lib.rs

@@ -14,9 +14,11 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-blowfish = { version = "0.10.0-rc.1", features = ["bcrypt"] }
+blowfish = { version = "0.10.0-rc.2", features = ["bcrypt"] }
 pbkdf2 = { version = "0.13.0-rc.1", default-features = false, path = "../pbkdf2" }
-sha2 = { version = "0.11.0-rc.2", default-features = false }
+sha2 = { version = "0.11.0-rc.3", default-features = false }
+
+# optional features
 zeroize = { version = "1", default-features = false, optional = true }
 
 [dev-dependencies]