fix: update extension to 0.2.2

2025-08-15 10:36:07 -07:00 · 2025-08-15 10:36:07 -07:00 · ee6c652c6b
commit ee6c652c6b
parent 9c1859e99b
4 changed files with 58 additions and 19 deletions
--- a/deps/extension/Cargo.lock
+++ b/deps/extension/Cargo.lock
@ -425,6 +425,17 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
 [[package]]
 name = "sha2"
 version = "0.10.8"
@ -454,7 +465,7 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"

 [[package]]
 name = "signal-sqlcipher-extension"
-version = "0.2.1"
+version = "0.2.2"
 dependencies = [
 "aes",
 "cbc",
@ -462,6 +473,7 @@ dependencies = [
 "hmac",
 "pbkdf2",
 "rand_core",
+ "sha1",
 "sha2",
 "signal-tokenizer",
 ]
--- a/deps/extension/Cargo.toml
+++ b/deps/extension/Cargo.toml
@ -5,7 +5,7 @@

 [package]
 name = "signal-sqlcipher-extension"
-version = "0.2.1"
+version = "0.2.2"
 edition = "2021"
 license = "AGPL-3.0-only"

@ -23,6 +23,7 @@ cbc = "0.1.2"
 hmac = "0.12.1"
 pbkdf2 = "0.12.2"
 rand_core = { version = "0.6.4", "default-features" = false, features = ["getrandom"] }
+sha1 = { version = "0.10.6", "default-features" = false }
 sha2 = { version = "0.10.8", "default-features" = false }
 signal-tokenizer = { git = "https://github.com/signalapp/Signal-FTS5-Extension" }

--- a/deps/extension/src/lib.rs
+++ b/deps/extension/src/lib.rs
@ -10,6 +10,7 @@ use core::ffi::{c_char, c_int, c_uchar, c_void};
 use hmac::{Hmac, Mac};
 use pbkdf2::pbkdf2_hmac;
 use rand_core::{OsRng, RngCore};
+use sha1::Sha1;
 use sha2::Sha512;

 pub use signal_tokenizer;
@ -70,6 +71,7 @@ extern "C" fn random(_ctx: *mut c_void, buf: *mut c_void, length: c_int) -> c_in
 extern "C" fn get_hmac_sz(_ctx: *mut c_void, algorithm: c_int) -> c_int {
    match algorithm {
        SQLCIPHER_HMAC_SHA512 => 64,
+        SQLCIPHER_HMAC_SHA1 => 20,
        _ => 0,
    }
 }
@ -85,9 +87,6 @@ extern "C" fn hmac(
    in2_sz: c_int,
    out: *mut c_uchar,
 ) -> c_int {
-    if algorithm != SQLCIPHER_HMAC_SHA512 {
-        return SQLITE_ERROR;
-    }
    if hmac_key.is_null() || in1.is_null() || out.is_null() {
        return SQLITE_ERROR;
    }
@ -99,16 +98,34 @@ extern "C" fn hmac(
        Some(unsafe { core::slice::from_raw_parts(in2 as *mut c_uchar, in2_sz as usize) })
    };

-    let Ok(mut mac) = Hmac::<Sha512>::new_from_slice(key) else {
-        return SQLITE_ERROR;
-    };
-    mac.update(in1);
-    if let Some(in2) = in2 {
-        mac.update(in2);
-    }
-    let digest = mac.finalize().into_bytes();
-    unsafe {
-        out.copy_from(digest.as_ptr(), digest.len());
+    match algorithm {
+        SQLCIPHER_HMAC_SHA512 => {
+            let Ok(mut mac) = Hmac::<Sha512>::new_from_slice(key) else {
+                return SQLITE_ERROR;
+            };
+            mac.update(in1);
+            if let Some(in2) = in2 {
+                mac.update(in2);
+            }
+            let digest = mac.finalize().into_bytes();
+            unsafe {
+                out.copy_from(digest.as_ptr(), digest.len());
+            };
+        }
+        SQLCIPHER_HMAC_SHA1 => {
+            let Ok(mut mac) = Hmac::<Sha1>::new_from_slice(key) else {
+                return SQLITE_ERROR;
+            };
+            mac.update(in1);
+            if let Some(in2) = in2 {
+                mac.update(in2);
+            }
+            let digest = mac.finalize().into_bytes();
+            unsafe {
+                out.copy_from(digest.as_ptr(), digest.len());
+            };
+        }
+        _ => return SQLITE_ERROR,
    };
    SQLITE_OK
 }
@ -124,16 +141,21 @@ extern "C" fn pbkdf(
    key_sz: c_int,
    key: *mut c_uchar,
 ) -> c_int {
-    if algorithm != SQLCIPHER_PBKDF2_HMAC_SHA512 {
-        return SQLITE_ERROR;
-    }
    if pass.is_null() || salt.is_null() || key.is_null() {
        return SQLITE_ERROR;
    }
    let password = unsafe { core::slice::from_raw_parts(pass as *const c_uchar, pass_sz as usize) };
    let salt = unsafe { core::slice::from_raw_parts(salt as *const c_uchar, salt_sz as usize) };
    let buf = unsafe { core::slice::from_raw_parts_mut(key as *mut c_uchar, key_sz as usize) };
-    pbkdf2_hmac::<Sha512>(password, salt, workfactor as u32, buf);
+    match algorithm {
+        SQLCIPHER_PBKDF2_HMAC_SHA512 => {
+            pbkdf2_hmac::<Sha512>(password, salt, workfactor as u32, buf);
+        }
+        SQLCIPHER_PBKDF2_HMAC_SHA1 => {
+            pbkdf2_hmac::<Sha1>(password, salt, workfactor as u32, buf);
+        }
+        _ => return SQLITE_ERROR,
+    };
    SQLITE_OK
 }

--- a/deps/extension/src/sqlcipher.rs
+++ b/deps/extension/src/sqlcipher.rs
@ -10,6 +10,10 @@ use core::ffi::{c_char, c_int, c_uchar, c_void};
 pub const SQLCIPHER_HMAC_SHA512: c_int = 2;
 pub const SQLCIPHER_PBKDF2_HMAC_SHA512: c_int = 2;

+// Legacy encryption primitives
+pub const SQLCIPHER_HMAC_SHA1: c_int = 0;
+pub const SQLCIPHER_PBKDF2_HMAC_SHA1: c_int = 0;
+
 pub const CIPHER_ENCRYPT: c_int = 1;

 #[repr(C)]