Bump password-hash to v0.6.0-rc.2

tarcieri · tarcieri · commit b282b45ad7c5 · 2025-11-05T15:01:12.000-07:00
This upgrades `rand_core` to v0.10 prereleases and depends directly on `getrandom` for access to the system RNG. It additionally bumps other crates like `digest` and `blake2` which use the new `crypto-common` with an upgraded `rand_core`. This required restoring some functionality in `blake2` which was used by `argon2`: RustCrypto/hashes#754 This is currently referenced as a git branch until we decide if this is a permanent solution for `argon2` or not, so as to unblock the upgrade.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
 /target/
-/.readme/target/
-/benches/target/
+**/target/
 **/Cargo.lock
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -15,3 +15,7 @@ exclude = ["benches", "fuzz"]
 
 [profile.dev]
 opt-level = 2
+
+[patch.crates-io.blake2]
+git = "https://github.com/RustCrypto/hashes"
+branch = "blake2/restore-blake-var"
diff --git a/argon2/Cargo.toml b/argon2/Cargo.toml
@@ -35,8 +35,9 @@ password-hash = { version = "0.6.0-rc.1", features = ["rand_core"] }
 [features]
 default = ["alloc", "password-hash", "rand"]
 alloc = ["password-hash?/alloc"]
-std = ["alloc", "password-hash?/os_rng", "base64ct/std"]
+std = ["alloc", "base64ct/std"]
 
+getrandom = ["simple", "password-hash/getrandom"]
 parallel = ["dep:rayon"]
 rand = ["password-hash?/rand_core"]
 simple = ["password-hash"]
diff --git a/argon2/src/blake2b_long.rs b/argon2/src/blake2b_long.rs
@@ -4,7 +4,7 @@ use crate::{Error, Result};
 
 use blake2::{
     Blake2b512, Blake2bVar,
-    digest::{self, Digest, VariableOutput},
+    digest::{self, Digest},
 };
 
 use core::convert::TryFrom;
diff --git a/argon2/src/lib.rs b/argon2/src/lib.rs
@@ -39,16 +39,12 @@
 )]
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
 //! use argon2::{
-//!     password_hash::{
-//!         // `OsRng` requires enabled `std` crate feature
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
 //!     Argon2
 //! };
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng).unwrap();
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `argon2` enabled
 //!
 //! // Argon2 with default params (Argon2id v19)
 //! let argon2 = Argon2::default();
@@ -77,16 +73,12 @@
 )]
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
 //! use argon2::{
-//!     password_hash::{
-//!         // `OsRng` requires enabled `std` crate feature
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString },
 //!     Algorithm, Argon2, Params, Version
 //! };
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng).unwrap();
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `argon2` enabled
 //!
 //! // Argon2 with default params (Argon2id v19) and pepper
 //! let argon2 = Argon2::new_with_secret(
diff --git a/balloon-hash/Cargo.toml b/balloon-hash/Cargo.toml
@@ -14,25 +14,27 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-digest = { version = "0.11.0-rc.1", default-features = false }
-crypto-bigint = { version = "0.7.0-rc.4", default-features = false, features = ["hybrid-array"] }
-rand_core = { version = "0.9", default-features = false }
+digest = { version = "0.11.0-rc.4", default-features = false }
+crypto-bigint = { version = "0.7.0-rc.9", default-features = false, features = ["hybrid-array"] }
+rand_core = { version = "0.10.0-rc-2", default-features = false }
 
 # optional dependencies
-password-hash = { version = "0.6.0-rc.0", default-features = false, optional = true }
+password-hash = { version = "0.6.0-rc.2", default-features = false, optional = true }
 rayon = { version = "1.7", optional = true }
 zeroize = { version = "1", default-features = false, optional = true }
 
 [dev-dependencies]
 hex-literal = "1"
-sha2 = "0.11.0-rc.2"
+sha2 = "0.11.0-rc.3"
 
 [features]
 default = ["alloc", "password-hash", "rand"]
 alloc = ["password-hash/alloc"]
+std = ["alloc", "getrandom"]
+
+getrandom = ["password-hash/getrandom"]
 parallel = ["rayon", "std"]
 rand = ["password-hash/rand_core"]
-std = ["alloc", "password-hash/os_rng", "rand_core/std"]
 zeroize = ["dep:zeroize"]
 
 [package.metadata.docs.rs]
diff --git a/balloon-hash/src/lib.rs b/balloon-hash/src/lib.rs
@@ -30,19 +30,14 @@
 //!
 //! ```
 //! # fn main() -> Result<(), Box<dyn std::error::Error>> {
-//! # #[cfg(all(feature = "password-hash", feature = "std"))]
-//! # {
 //! use balloon_hash::{
-//!     password_hash::{
-//!         rand_core::OsRng,
-//!         PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-//!     },
+//!     password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
 //!     Balloon
 //! };
 //! use sha2::Sha256;
 //!
 //! let password = b"hunter42"; // Bad password; don't actually use!
-//! let salt = SaltString::try_from_rng(&mut OsRng)?;
+//! let salt = SaltString::generate(); // Note: needs the `getrandom` feature of `balloon-hash` enabled
 //!
 //! // Balloon with default params
 //! let balloon = Balloon::<Sha256>::default();
@@ -53,7 +48,6 @@
 //! // Verify password against PHC string
 //! let parsed_hash = PasswordHash::new(&password_hash)?;
 //! assert!(balloon.verify_password(password, &parsed_hash).is_ok());
-//! # }
 //! # Ok(())
 //! # }
 //! ```
diff --git a/bcrypt-pbkdf/Cargo.toml b/bcrypt-pbkdf/Cargo.toml
@@ -14,9 +14,11 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-blowfish = { version = "0.10.0-rc.1", features = ["bcrypt"] }
+blowfish = { version = "0.10.0-rc.2", features = ["bcrypt"] }
 pbkdf2 = { version = "0.13.0-rc.1", default-features = false, path = "../pbkdf2" }
-sha2 = { version = "0.11.0-rc.2", default-features = false }
+sha2 = { version = "0.11.0-rc.3", default-features = false }
+
+# optional features
 zeroize = { version = "1", default-features = false, optional = true }
 
 [dev-dependencies]
diff --git a/password-auth/Cargo.toml b/password-auth/Cargo.toml
@@ -17,14 +17,13 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-password-hash = { version = "0.6.0-rc.0", features = ["alloc", "rand_core"] }
-rand_core = { version = "0.9", features = ["os_rng"] }
+getrandom = { version = "0.3", default-features = false }
+password-hash = { version = "0.6.0-rc.2", features = ["alloc", "getrandom"] }
 
 # optional dependencies
 argon2 = { version = "0.6.0-rc.0", optional = true, default-features = false, features = ["alloc", "simple"], path = "../argon2" }
 pbkdf2 = { version = "0.13.0-rc.0", optional = true, default-features = false, features = ["simple"], path = "../pbkdf2" }
 scrypt = { version = "0.12.0-rc.0", optional = true, default-features = false, features = ["simple"], path = "../scrypt" }
-getrandom = { version = "0.3", optional = true, default-features = false }
 
 [features]
 default = ["argon2", "std"]
diff --git a/password-auth/src/lib.rs b/password-auth/src/lib.rs
@@ -27,7 +27,6 @@ pub use crate::errors::{ParseError, VerifyError};
 
 use alloc::string::{String, ToString};
 use password_hash::{ParamsString, PasswordHash, PasswordHasher, PasswordVerifier, SaltString};
-use rand_core::OsRng;
 
 #[cfg(not(any(feature = "argon2", feature = "pbkdf2", feature = "scrypt")))]
 compile_error!(
@@ -46,7 +45,7 @@ use scrypt::Scrypt;
 /// Uses the best available password hashing algorithm given the enabled
 /// crate features (typically Argon2 unless explicitly disabled).
 pub fn generate_hash(password: impl AsRef<[u8]>) -> String {
-    let salt = SaltString::try_from_rng(&mut OsRng).expect("Rng error");
+    let salt = SaltString::generate();
     generate_phc_hash(password.as_ref(), &salt)
         .map(|hash| hash.to_string())
         .expect("password hashing error")
diff --git a/pbkdf2/Cargo.toml b/pbkdf2/Cargo.toml
@@ -14,25 +14,26 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-digest = { version = "0.11.0-rc.1", features = ["mac"] }
+digest = { version = "0.11.0-rc.4", features = ["mac"] }
 
 # optional dependencies
-password-hash = { version = "0.6.0-rc.0", default-features = false, optional = true, features = ["rand_core"] }
-hmac = { version = "0.13.0-rc.1", default-features = false, optional = true }
-sha1 = { version = "0.11.0-rc.2", default-features = false, optional = true }
-sha2 = { version = "0.11.0-rc.2", default-features = false, optional = true }
+password-hash = { version = "0.6.0-rc.2", default-features = false, optional = true, features = ["rand_core"] }
+hmac = { version = "0.13.0-rc.3", default-features = false, optional = true }
+sha1 = { version = "0.11.0-rc.3", default-features = false, optional = true }
+sha2 = { version = "0.11.0-rc.3", default-features = false, optional = true }
 
 [dev-dependencies]
-hmac = "0.13.0-rc.1"
+hmac = "0.13.0-rc.3"
 hex-literal = "1"
-sha1 = "0.11.0-rc.2"
-sha2 = "0.11.0-rc.2"
-streebog = "0.11.0-rc.2"
-belt-hash = "0.2.0-rc.1"
+sha1 = "0.11.0-rc.3"
+sha2 = "0.11.0-rc.3"
+streebog = "0.11.0-rc.3"
+belt-hash = "0.2.0-rc.3"
 
 [features]
 default = ["hmac"]
-std = ["password-hash/os_rng"]
+std = []
+getrandom = ["simple", "password-hash/getrandom"]
 simple = ["hmac", "password-hash", "sha2"]
 
 [package.metadata.docs.rs]
diff --git a/scrypt/Cargo.toml b/scrypt/Cargo.toml
diff --git a/sha-crypt/Cargo.toml b/sha-crypt/Cargo.toml
diff --git a/sha-crypt/src/simple.rs b/sha-crypt/src/simple.rs
diff --git a/yescrypt/Cargo.toml b/yescrypt/Cargo.toml
