chore: update rand, crypto crates (2)

abonander · abonander · commit 5505e7801d3f · 2026-05-04T18:12:16.000-07:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -200,7 +200,7 @@ digest = { version = "0.11.2", default-features = false, features = ["alloc"] }
 hkdf = { version = "0.13.0" }
 hmac = { version = "0.13.0", default-features = false }
 md-5 = { version = "0.11.0", default-features = false }
-rsa = { version = "0.9" }
+rsa = { version = "0.10.0-rc.18" } # FIXME: when `rsa 0.10` is released
 rand = { version = "0.10.1", features = ["thread_rng"], default-features = false }
 sha1 = { version = "0.11.0", default-features = false }
 sha2 = { version = "0.11.0", default-features = false }
diff --git a/clippy.toml b/clippy.toml
@@ -1,3 +1,5 @@
+doc-valid-idents = ["SQLite"]
+
 [[disallowed-methods]]
 path = "core::cmp::Ord::min"
 reason = '''
diff --git a/sqlx-mysql/src/connection/auth.rs b/sqlx-mysql/src/connection/auth.rs
@@ -1,7 +1,6 @@
 use bytes::buf::Chain;
 use bytes::Bytes;
-use digest::{Digest, OutputSizeUser};
-use generic_array::GenericArray;
+use digest::Digest;
 use sha1::Sha1;
 use sha2::Sha256;
 
@@ -74,10 +73,7 @@ impl AuthPlugin {
     }
 }
 
-fn scramble_sha1(
-    password: &str,
-    nonce: &Chain<Bytes, Bytes>,
-) -> GenericArray<u8, <Sha1 as OutputSizeUser>::OutputSize> {
+fn scramble_sha1(password: &str, nonce: &Chain<Bytes, Bytes>) -> Vec<u8> {
     // SHA1( password ) ^ SHA1( seed + SHA1( SHA1( password ) ) )
     // https://mariadb.com/kb/en/connection/#mysql_native_password-plugin
 
@@ -99,13 +95,10 @@ fn scramble_sha1(
 
     xor_eq(&mut pw_hash, &pw_seed_hash_hash);
 
-    pw_hash
+    pw_hash.to_vec()
 }
 
-fn scramble_sha256(
-    password: &str,
-    nonce: &Chain<Bytes, Bytes>,
-) -> GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize> {
+fn scramble_sha256(password: &str, nonce: &Chain<Bytes, Bytes>) -> Vec<u8> {
     // XOR(SHA256(password), SHA256(SHA256(SHA256(password)), seed))
     // Order matches the server-side verification in MySQL's sha2_password
     // (generate_sha2_scramble): stage2 digest first, then the nonce.
@@ -127,7 +120,7 @@ fn scramble_sha256(
 
     xor_eq(&mut pw_hash, &pw_seed_hash_hash);
 
-    pw_hash
+    pw_hash.to_vec()
 }
 
 async fn encrypt_rsa<'s>(
@@ -185,15 +178,14 @@ fn to_asciz(s: &str) -> Vec<u8> {
 
 #[cfg(feature = "rsa")]
 mod rsa_backend {
-    use rand::thread_rng;
     use rsa::{pkcs8::DecodePublicKey, Oaep, RsaPublicKey};
 
     use super::Error;
 
     pub(super) fn encrypt(rsa_pub_key: &[u8], pass: &[u8]) -> Result<Vec<u8>, Error> {
         let pkey = parse_rsa_pub_key(rsa_pub_key)?;
-        let padding = Oaep::new::<sha1::Sha1>();
-        pkey.encrypt(&mut thread_rng(), padding, pass)
+        let padding = Oaep::<sha1::Sha1>::new();
+        pkey.encrypt(&mut rand::rng(), padding, pass)
             .map_err(Error::protocol)
     }
 
diff --git a/sqlx-postgres/src/any.rs b/sqlx-postgres/src/any.rs
@@ -83,7 +83,7 @@ impl AnyConnectionBackend for PgConnection {
         query: SqlStr,
         persistent: bool,
         arguments: Option<AnyArguments>,
-    ) -> BoxStream<sqlx_core::Result<Either<AnyQueryResult, AnyRow>>> {
+    ) -> BoxStream<'_, sqlx_core::Result<Either<AnyQueryResult, AnyRow>>> {
         let persistent = persistent && arguments.is_some();
         let arguments = match arguments.map(AnyArguments::convert_into).transpose() {
             Ok(arguments) => arguments,
@@ -109,7 +109,7 @@ impl AnyConnectionBackend for PgConnection {
         query: SqlStr,
         persistent: bool,
         arguments: Option<AnyArguments>,
-    ) -> BoxFuture<sqlx_core::Result<Option<AnyRow>>> {
+    ) -> BoxFuture<'_, sqlx_core::Result<Option<AnyRow>>> {
         let persistent = persistent && arguments.is_some();
         let arguments = arguments
             .map(AnyArguments::convert_into)
diff --git a/sqlx-postgres/src/connection/sasl.rs b/sqlx-postgres/src/connection/sasl.rs
@@ -4,11 +4,12 @@ use crate::message::{Authentication, AuthenticationSasl, SaslInitialResponse, Sa
 use crate::rt;
 use crate::PgConnectOptions;
 use hmac::{Hmac, Mac};
-use rand::Rng;
+use hmac::{HmacReset, KeyInit};
 use sha2::{Digest, Sha256};
 use stringprep::saslprep;
 
 use base64::prelude::{Engine as _, BASE64_STANDARD};
+use rand::RngExt;
 
 const GS2_HEADER: &str = "n,,";
 const CHANNEL_ATTR: &str = "c";
@@ -172,19 +173,19 @@ pub(crate) async fn authenticate(
 
 // nonce is a sequence of random printable bytes
 fn gen_nonce() -> String {
-    let mut rng = rand::thread_rng();
-    let count = rng.gen_range(64..128);
+    let mut rng = rand::rng();
+    let count = rng.random_range(64..128);
 
     // printable = %x21-2B / %x2D-7E
     // ;; Printable ASCII except ",".
     // ;; Note that any "printable" is also
     // ;; a valid "value".
     let nonce: String = std::iter::repeat(())
         .map(|()| {
-            let mut c = rng.gen_range(0x21u8..0x7F);
+            let mut c = rng.random_range(0x21u8..0x7F);
 
             while c == 0x2C {
-                c = rng.gen_range(0x21u8..0x7F);
+                c = rng.random_range(0x21u8..0x7F);
             }
 
             c
@@ -193,13 +194,12 @@ fn gen_nonce() -> String {
         .map(|c| c as char)
         .collect();
 
-    rng.gen_range(32..128);
     format!("{NONCE_ATTR}={nonce}")
 }
 
 // Hi(str, salt, i):
 async fn hi<'a>(s: &'a str, salt: &'a [u8], iter_count: u32) -> Result<[u8; 32], Error> {
-    let mut mac = Hmac::<Sha256>::new_from_slice(s.as_bytes()).map_err(Error::protocol)?;
+    let mut mac = HmacReset::<Sha256>::new_from_slice(s.as_bytes()).map_err(Error::protocol)?;
 
     mac.update(salt);
     mac.update(&1u32.to_be_bytes());
diff --git a/sqlx-postgres/src/message/flush.rs b/sqlx-postgres/src/message/flush.rs
@@ -8,6 +8,7 @@ use std::num::Saturating;
 /// A Flush must be sent after any extended-query command except Sync, if the
 /// frontend wishes to examine the results of that command before issuing more commands.
 #[derive(Debug)]
+#[expect(dead_code)]
 pub struct Flush;
 
 impl FrontendMessage for Flush {
diff --git a/sqlx-postgres/src/message/mod.rs b/sqlx-postgres/src/message/mod.rs
@@ -73,6 +73,7 @@ pub enum FrontendMessageFormat {
     CopyFail = b'f',
     Describe = b'D',
     Execute = b'E',
+    #[expect(dead_code)]
     Flush = b'H',
     Parse = b'P',
     /// This message format is polymorphic. It's used for:
diff --git a/sqlx-sqlite/src/connection/intmap.rs b/sqlx-sqlite/src/connection/intmap.rs
@@ -65,7 +65,7 @@ impl<V> IntMap<V> {
     pub(crate) fn insert(&mut self, idx: i64, value: V) -> Option<V> {
         let idx: usize = self.expand(idx);
 
-        std::mem::replace(&mut self.0[idx], Some(value))
+        self.0[idx].replace(value)
     }
 
     pub(crate) fn remove(&mut self, idx: &i64) -> Option<V> {
diff --git a/sqlx-sqlite/src/regexp.rs b/sqlx-sqlite/src/regexp.rs
@@ -68,12 +68,12 @@ unsafe extern "C" fn sqlite3_regexp_func(
     }
 
     // arg0: Regex
-    let Some(regex) = get_regex_from_arg(ctx, *args.offset(0), 0) else {
+    let Some(regex) = get_regex_from_arg(ctx, *args, 0) else {
         return;
     };
 
     // arg1: value
-    let Some(value) = get_text_from_arg(ctx, *args.offset(1)) else {
+    let Some(value) = get_text_from_arg(ctx, *args.add(1)) else {
         return;
     };
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+doc-valid-idents = ["SQLite"]`
	`2`	`+`
`1`	`3`	`[[disallowed-methods]]`
`2`	`4`	`path = "core::cmp::Ord::min"`
`3`	`5`	`reason = '''`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ impl<V> IntMap<V> {`
`65`	`65`	`pub(crate) fn insert(&mut self, idx: i64, value: V) -> Option<V> {`
`66`	`66`	`let idx: usize = self.expand(idx);`
`67`	`67`
`68`		`- std::mem::replace(&mut self.0[idx], Some(value))`
	`68`	`+ self.0[idx].replace(value)`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`pub(crate) fn remove(&mut self, idx: &i64) -> Option<V> {`