chore(deps): upgrade hmac and related deps (#2300)

chenba · web-flow · commit 391addb02e07 · 2026-05-11T20:07:24.000-07:00
KeyInit is no longer bundled in the Mac trait so we need to import
KeyInit for new_from_slice.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -52,8 +52,8 @@ futures-util = { version = "0.3", features = [
 ] }
 hex = "0.4"
 hostname = "0.4"
-hkdf = "0.12"
-hmac = "0.12"
+hkdf = "0.13"
+hmac = "0.13"
 http = "1.4"
 jsonwebtoken = { version = "10.3", default-features = false, features = ["aws_lc_rs"] }
 lazy_static = "1.5"
@@ -71,7 +71,7 @@ sentry-backtrace = "0.46.2"
 serde = "1.0"
 serde_derive = "1.0"
 serde_json = { version = "1.0", features = ["arbitrary_precision"] }
-sha2 = "0.10"
+sha2 = "0.11"
 slog = { version = "2.8", features = [
   "max_level_trace",
   "release_max_level_info",
diff --git a/syncserver/src/server/test.rs b/syncserver/src/server/test.rs
@@ -12,7 +12,7 @@ use actix_web::{
 use base64::{Engine, engine};
 use chrono::offset::Utc;
 use hawk::{self, Credentials, Key, RequestBuilder};
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use http::StatusCode;
 use lazy_static::lazy_static;
 use serde::de::DeserializeOwned;
diff --git a/syncserver/src/tokenserver/extractors.rs b/syncserver/src/tokenserver/extractors.rs
@@ -15,7 +15,7 @@ use actix_web::{
 use base64::{Engine, engine};
 use futures::future::LocalBoxFuture;
 use hex;
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use http::StatusCode;
 use lazy_static::lazy_static;
 use regex::Regex;
diff --git a/syncserver/src/web/auth.rs b/syncserver/src/web/auth.rs
@@ -9,7 +9,7 @@
 use base64::{Engine, engine};
 use chrono::{TimeDelta, offset::Utc};
 use hawk::{self, Header as HawkHeader, Key, RequestBuilder};
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use serde::{Deserialize, Serialize};
 use sha2::Sha256;
 use syncserver_common;
@@ -201,7 +201,7 @@ impl HawkPayload {
 fn verify_hmac(info: &[u8], key: &[u8], expected: &[u8]) -> ApiResult<()> {
     let mut hmac = Hmac::<Sha256>::new_from_slice(key)?;
     hmac.update(info);
-    hmac.verify(expected.into()).map_err(From::from)
+    hmac.verify_slice(expected).map_err(From::from)
 }
 
 #[cfg(test)]
diff --git a/syncserver/src/web/extractors/test_utils.rs b/syncserver/src/web/extractors/test_utils.rs
@@ -12,7 +12,7 @@ use base64::{Engine, engine};
 use futures::executor::block_on;
 use glean::server_events::GleanEventsLogger;
 use hawk::{Credentials, Key, RequestBuilder};
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use lazy_static::lazy_static;
 use sha2::Sha256;
 use tokio::sync::RwLock;
diff --git a/tokenserver-auth/src/crypto.rs b/tokenserver-auth/src/crypto.rs
@@ -1,5 +1,5 @@
 use hkdf::Hkdf;
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use jsonwebtoken::{Algorithm, DecodingKey, Validation, errors::ErrorKind, jwk::Jwk};
 use ring::rand::{SecureRandom, SystemRandom};
 use serde::de::DeserializeOwned;
