Use workspace.dependencies for common dependencies

.taplo.toml

@@ -6,7 +6,7 @@ indent_string = '    '
 
 [[rule]]
 include = ["**/Cargo.toml"]
-keys = ["dependencies"]
+keys = ["dependencies", "workspace.dependencies"]
 
 [rule.formatting]
 reorder_keys = true

Cargo.lock

@@ -2125,10 +2125,8 @@ dependencies = [
 name = "libsignal-jni-testing"
 version = "0.56.0"
 dependencies = [
- "jni 0.21.1",
  "libsignal-bridge-testing",
  "log",
- "log-panics",
 ]
 
 [[package]]
@@ -2357,7 +2355,7 @@ dependencies = [
  "prost-build",
  "rand_core",
  "sha2",
- "strum_macros",
+ "strum",
  "subtle",
  "test-case",
  "zerocopy",
@@ -3897,6 +3895,7 @@ dependencies = [
  "hex-literal",
  "hkdf",
  "hmac",
+ "rand_core",
  "sha2",
  "static_assertions",
  "thiserror",

Cargo.toml

@@ -34,10 +34,95 @@ default-members = [
 ]
 resolver = "2" # so that our dev-dependency features don't leak into products
 
+[workspace.dependencies]
+# Our forks of some dependencies, accessible as xxx_signal so that usages of them are obvious in source code. Crates
+# that want to use the real things can depend on those directly.
+
+boring-signal = { git = "https://github.com/signalapp/boring", tag = "signal-v4.9.0", package = "boring", default-features = false }
+curve25519-dalek-signal = { git = 'https://github.com/signalapp/curve25519-dalek', package = "curve25519-dalek", tag = 'signal-curve25519-4.1.3' }
+tokio-boring-signal = { git = "https://github.com/signalapp/boring", package = "tokio-boring", tag = "signal-v4.9.0" }
+
+aes = "0.8.3"
+aes-gcm-siv = "0.11.1"
+array-concat = "0.5.2"
+arrayvec = "0.7.4"
+asn1 = "0.16.1"
+assert_matches = "1.5"
+async-trait = "0.1.41"
+atomic-take = "1.1.0"
+base64 = "0.21"
+bincode = "1.0"
+bitflags = "2.3.3"
+boring = { version = "4.6.0", default-features = false }
+cbc = "0.1.2"
+cfg-if = "1.0.0"
+chacha20poly1305 = "0.10.1"
+chrono = "0.4"
+ciborium = "0.2"
+clap = "4.4.11"
+criterion = "0.5"
+ctr = "0.9.2"
+curve25519-dalek = "4.1.3"
+derive-where = "1.2.5"
+displaydoc = "0.2"
+ed25519-dalek = "2.1.0"
+env_logger = "0.11.4"
+futures = "0.3"
+futures-util = "0.3"
+heck = "0.5"
+hex = "0.4"
+hex-literal = "0.4.1"
+hkdf = "0.12"
+hmac = "0.12.0"
+http = "1.0.0"
+indexmap = "2.1.0"
+itertools = "0.13.0"
+jni = "0.21"
+lazy_static = "1.4.0"
+libc = "0.2"
+linkme = "0.3.9"
+log = "0.4"
+log-panics = "2.1.0"
+mediasan-common = "0.5.0"
+neon = { version = "1.0.0", default-features = false }
+nonzero_ext = "0.3.0"
+num_enum = "0.7.2"
+once_cell = "1.19.0"
+partial-default = "0.1.0"
+paste = "1.0"
+proc-macro2 = "1.0"
+proptest = "1.0"
+prost = "0.13.1"
+prost-build = "0.13.1"
+quote = "1.0"
+rand = "0.8"
+rand_core = "0.6"
+rayon = "1.8.0"
+rustls-platform-verifier = "0.3.1"
+scopeguard = "1.0"
+serde = "1.0"
+serde_json = "1.0"
+sha1 = "0.10"
+sha2 = "0.10"
+snow = { version = "0.9.6", default-features = false }
+static_assertions = "1.1"
+strum = "0.26"
+subtle = "2.5"
+syn = "2.0"
+syn-mid = "0.6"
+test-case = "3.3"
+testing_logger = "0.1.1"
+thiserror = "1.0.57"
+tokio = "1"
+uuid = "1.1.2"
+x25519-dalek = "2.0.0"
+zerocopy = "0.7.34"
+
 [patch.crates-io]
-# Use our fork of curve25519-dalek for zkgroup support.
-curve25519-dalek = { git = 'https://github.com/signalapp/curve25519-dalek', tag = 'signal-curve25519-4.1.3' }
+# When building libsignal, just use our forks so we don't end up with two different versions of the libraries.
+
 boring = { git = 'https://github.com/signalapp/boring', tag = 'signal-v4.9.0' }
+curve25519-dalek = { git = 'https://github.com/signalapp/curve25519-dalek', tag = 'signal-curve25519-4.1.3' }
 
 [profile.dev.package.argon2]
 opt-level = 2 # signal-signal-pin unit tests are too slow with an unoptimized argon2

rust/attest/Cargo.toml

@@ -11,42 +11,41 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-boring = { git = "https://github.com/signalapp/boring", tag = "signal-v4.9.0", default-features = false }
-
-asn1 = "0.16.1"
-base64 = "0.21"
-bitflags = "2.3.3"
+asn1 = { workspace = true }
+base64 = { workspace = true }
+bitflags = { workspace = true }
 blake2 = "0.10"
-chacha20poly1305 = "0.10.1"
-chrono = { version = "0.4", features = ["serde"] }
-ciborium = "0.2"
-displaydoc = "0.2"
-hex = { version = "0.4", features = ["serde"] }
-hex-literal = "0.4.1"
-lazy_static = "1.4.0"
-libc = "0.2"
-log = "0.4"
-prost = "0.13.1"
-rand_core = { version = "0.6", features = ["getrandom"] }
-serde = { version = "1.0", features = ["derive"] }
-serde_json = { version = "1.0", features = ["raw_value"] }
-sha2 = "0.10"
-snow = { version = "0.9.5", default-features = false }
-static_assertions = "1.1"
-strum = { version = "0.26", features = ["derive"] }
-subtle = "2.5"
-thiserror = "1.0.57"
-uuid = "1.1.2"
-x25519-dalek = "2.0.0"
-zerocopy = { version = "0.7.34", features = ["derive"] }
+boring-signal = { workspace = true }
+chacha20poly1305 = { workspace = true }
+chrono = { workspace = true, features = ["serde"] }
+ciborium = { workspace = true }
+displaydoc = { workspace = true }
+hex = { workspace = true, features = ["serde"] }
+hex-literal = { workspace = true }
+lazy_static = { workspace = true }
+libc = { workspace = true }
+log = { workspace = true }
+prost = { workspace = true }
+rand_core = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true, features = ["raw_value"] }
+sha2 = { workspace = true }
+snow = { workspace = true }
+static_assertions = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
+subtle = { workspace = true }
+thiserror = { workspace = true }
+uuid = { workspace = true }
+x25519-dalek = { workspace = true }
+zerocopy = { workspace = true, features = ["derive"] }
 
 [dev-dependencies]
-assert_matches = "1.5"
-snow = { version = "0.9.5", features = ["default-resolver"] }
-test-case = "3.3"
+assert_matches = { workspace = true }
+snow = { workspace = true, features = ["default-resolver"] }
+test-case = { workspace = true }
 
 [build-dependencies]
-prost-build = "0.13.1"
+prost-build = { workspace = true }
 
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }

rust/attest/src/cert_chain.rs

@@ -3,12 +3,12 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use boring::ec::EcKey;
-use boring::pkey::Public;
-use boring::stack::{Stack, Stackable};
-use boring::x509::crl::X509CRLRef;
-use boring::x509::store::X509StoreRef;
-use boring::x509::{X509StoreContext, X509};
+use boring_signal::ec::EcKey;
+use boring_signal::pkey::Public;
+use boring_signal::stack::{Stack, Stackable};
+use boring_signal::x509::crl::X509CRLRef;
+use boring_signal::x509::store::X509StoreRef;
+use boring_signal::x509::{X509StoreContext, X509};
 
 use std::time::SystemTime;
 
@@ -93,7 +93,7 @@ impl CertChain {
     }
 
     /// Converts the iterator into a stack, preserving the iterator's original order
-    fn stack<T, I>(ts: I) -> std::result::Result<Stack<T>, boring::error::ErrorStack>
+    fn stack<T, I>(ts: I) -> std::result::Result<Stack<T>, boring_signal::error::ErrorStack>
     where
         T: Stackable,
         I: IntoIterator<Item = T>,
@@ -164,15 +164,15 @@ impl Expireable for CertChain {
 pub mod testutil {
     use super::CertChain;
 
-    use boring::asn1::{Asn1Integer, Asn1IntegerRef, Asn1Time};
-    use boring::bn::{BigNum, MsbOption};
-    use boring::ec::{EcGroup, EcKey};
-    use boring::hash::MessageDigest;
-    use boring::nid::Nid;
-    use boring::pkey::{PKey, Private};
-    use boring::x509::crl::{X509CRLBuilder, X509Revoked, X509CRL};
-    use boring::x509::extension::BasicConstraints;
-    use boring::x509::{X509Name, X509};
+    use boring_signal::asn1::{Asn1Integer, Asn1IntegerRef, Asn1Time};
+    use boring_signal::bn::{BigNum, MsbOption};
+    use boring_signal::ec::{EcGroup, EcKey};
+    use boring_signal::hash::MessageDigest;
+    use boring_signal::nid::Nid;
+    use boring_signal::pkey::{PKey, Private};
+    use boring_signal::x509::crl::{X509CRLBuilder, X509Revoked, X509CRL};
+    use boring_signal::x509::extension::BasicConstraints;
+    use boring_signal::x509::{X509Name, X509};
     use std::borrow::Borrow;
 
     /// generate EC private key
@@ -313,10 +313,10 @@ mod test {
     use super::*;
 
     use assert_matches::assert_matches;
-    use boring::nid::Nid;
-    use boring::x509::store::{X509Store, X509StoreBuilder};
-    use boring::x509::verify::X509VerifyFlags;
-    use boring::x509::X509Ref;
+    use boring_signal::nid::Nid;
+    use boring_signal::x509::store::{X509Store, X509StoreBuilder};
+    use boring_signal::x509::verify::X509VerifyFlags;
+    use boring_signal::x509::X509Ref;
 
     fn names(certs: &[X509]) -> Vec<String> {
         certs

rust/attest/src/dcap.rs

@@ -25,16 +25,16 @@ use std::collections::HashMap;
 
 use std::time::SystemTime;
 
-use boring::asn1::{Asn1Time, Asn1TimeRef};
-use boring::bn::BigNumContext;
-use boring::ec::*;
-use boring::error::ErrorStack;
-use boring::nid::Nid;
-use boring::pkey::{PKey, PKeyRef, Public};
-use boring::x509::crl::X509CRLRef;
-use boring::x509::store::{X509Store, X509StoreBuilder};
-use boring::x509::verify::X509VerifyFlags;
-use boring::x509::{X509Ref, X509};
+use boring_signal::asn1::{Asn1Time, Asn1TimeRef};
+use boring_signal::bn::BigNumContext;
+use boring_signal::ec::*;
+use boring_signal::error::ErrorStack;
+use boring_signal::nid::Nid;
+use boring_signal::pkey::{PKey, PKeyRef, Public};
+use boring_signal::x509::crl::X509CRLRef;
+use boring_signal::x509::store::{X509Store, X509StoreBuilder};
+use boring_signal::x509::verify::X509VerifyFlags;
+use boring_signal::x509::{X509Ref, X509};
 use hex::ToHex;
 use lazy_static::lazy_static;
 use uuid::Uuid;
@@ -653,7 +653,7 @@ mod test {
 
     use crate::dcap::endorsements::{QeTcbLevel, TcbInfoVersion};
     use crate::dcap::fakes::FakeAttestation;
-    use boring::bn::BigNum;
+    use boring_signal::bn::BigNum;
     use hex_literal::hex;
 
     use super::*;

rust/attest/src/dcap/ecdsa.rs

@@ -3,10 +3,10 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use boring::bn::BigNum;
-use boring::ec::EcKeyRef;
-use boring::ecdsa::{EcdsaSig, EcdsaSigRef};
-use boring::pkey::Public;
+use boring_signal::bn::BigNum;
+use boring_signal::ec::EcKeyRef;
+use boring_signal::ecdsa::{EcdsaSig, EcdsaSigRef};
+use boring_signal::pkey::Public;
 use sha2::Digest;
 
 /// Deserialize a 64 byte ECDSA Signature

rust/attest/src/dcap/endorsements.rs

@@ -8,9 +8,9 @@
 //! through the Intel Provisioning Certification Service (PCS), or a cache (PCCS).
 //! For specification of the json data structures within the OE structures,
 //! see <https://api.portal.trustedservices.intel.com/documentation>
-use boring::ec::EcKeyRef;
-use boring::ecdsa::{EcdsaSig, EcdsaSigRef};
-use boring::pkey::Public;
+use boring_signal::ec::EcKeyRef;
+use boring_signal::ecdsa::{EcdsaSig, EcdsaSigRef};
+use boring_signal::pkey::Public;
 use chrono::Utc;
 use serde::Deserialize;
 use serde_json::value::RawValue;

rust/attest/src/dcap/fakes.rs

@@ -19,13 +19,13 @@ use crate::dcap::endorsements::SgxEndorsements;
 use crate::dcap::evidence::Evidence;
 use crate::dcap::revocation_list::RevocationList;
 use crate::dcap::{attest_impl, Attestation};
-use boring::asn1::{Asn1Integer, Asn1IntegerRef};
-use boring::bn::{BigNum, BigNumContext};
-use boring::ec::{EcGroup, EcKey, EcKeyRef};
-use boring::ecdsa::EcdsaSig;
-use boring::hash::{Hasher, MessageDigest};
-use boring::nid::Nid;
-use boring::pkey::{PKey, Private, Public};
+use boring_signal::asn1::{Asn1Integer, Asn1IntegerRef};
+use boring_signal::bn::{BigNum, BigNumContext};
+use boring_signal::ec::{EcGroup, EcKey, EcKeyRef};
+use boring_signal::ecdsa::EcdsaSig;
+use boring_signal::hash::{Hasher, MessageDigest};
+use boring_signal::nid::Nid;
+use boring_signal::pkey::{PKey, Private, Public};
 use chrono::Utc;
 
 use std::time::SystemTime;
@@ -162,7 +162,7 @@ pub(crate) struct FakeAttestationBuilder {
 
 impl FakeAttestationBuilder {
     fn sign_data(data: &[u8], key: &EcKeyRef<Private>) -> EcdsaSig {
-        let hash = boring::hash::hash(MessageDigest::sha256(), data).unwrap();
+        let hash = boring_signal::hash::hash(MessageDigest::sha256(), data).unwrap();
         EcdsaSig::sign(&hash, key).unwrap()
     }
 

rust/attest/src/dcap/revocation_list.rs

@@ -4,8 +4,8 @@
 //
 
 use crate::dcap::{Error, Expireable, Result};
-use boring::nid::Nid;
-use boring::x509::crl::{X509CRLRef, X509CRL};
+use boring_signal::nid::Nid;
+use boring_signal::x509::crl::{X509CRLRef, X509CRL};
 use std::collections::HashSet;
 use std::time::SystemTime;
 

rust/attest/src/dcap/sgx_quote.rs

@@ -7,12 +7,12 @@
 //!
 //! See <https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf> section A.4
 
-use boring::bn::BigNum;
-use boring::ec::{EcGroup, EcKey};
-use boring::ecdsa::{EcdsaSig, EcdsaSigRef};
-use boring::error::ErrorStack;
-use boring::nid::Nid;
-use boring::pkey::Public;
+use boring_signal::bn::BigNum;
+use boring_signal::ec::{EcGroup, EcKey};
+use boring_signal::ecdsa::{EcdsaSig, EcdsaSigRef};
+use boring_signal::error::ErrorStack;
+use boring_signal::nid::Nid;
+use boring_signal::pkey::Public;
 use sha2::Digest;
 use zerocopy::{AsBytes, FromBytes, FromZeroes};
 
@@ -327,7 +327,7 @@ static_assertions::const_assert_eq!(578, std::mem::size_of::<SgxEcdsaSignatureHe
 mod tests {
     use super::*;
 
-    use boring::pkey::Private;
+    use boring_signal::pkey::Private;
 
     use std::fs;
     use std::path::Path;

rust/attest/src/dcap/sgx_x509.rs

@@ -8,8 +8,8 @@ use std::collections::HashMap;
 use crate::dcap::{Error, Result};
 use crate::error::Context;
 use asn1::{oid, ObjectIdentifier, SequenceOf};
-use boring::asn1::Asn1ObjectRef;
-use boring::nid::Nid;
+use boring_signal::asn1::Asn1ObjectRef;
+use boring_signal::nid::Nid;
 
 pub const SGX_EXTENSIONS_OID: &str = "1.2.840.113741.1.13.1";
 const _SGX_EXTENSIONS_OID_OID: ObjectIdentifier = oid!(1, 2, 840, 113741, 1, 13, 1);

rust/attest/src/ias.rs

@@ -8,13 +8,13 @@ use std::error::Error;
 use std::string::ToString;
 use std::time::SystemTime;
 
-use boring::error::ErrorStack;
-use boring::hash::MessageDigest;
-use boring::nid::Nid;
-use boring::rsa::Padding;
-use boring::sign::Verifier;
-use boring::x509::crl::X509CRL;
-use boring::x509::X509;
+use boring_signal::error::ErrorStack;
+use boring_signal::hash::MessageDigest;
+use boring_signal::nid::Nid;
+use boring_signal::rsa::Padding;
+use boring_signal::sign::Verifier;
+use boring_signal::x509::crl::X509CRL;
+use boring_signal::x509::X509;
 use lazy_static::lazy_static;
 
 use crate::cert_chain::CertChain;
@@ -134,7 +134,7 @@ impl CertChain {
 
 #[cfg(test)]
 mod test {
-    use boring::base64::decode_block;
+    use boring_signal::base64::decode_block;
     use chrono::DateTime;
     use std::time::Duration;
 

rust/attest/src/nitro.rs

@@ -5,11 +5,11 @@
 use std::collections::HashMap;
 use std::time::SystemTime;
 
-use boring::bn::BigNum;
-use boring::ecdsa::EcdsaSig;
-use boring::stack;
-use boring::x509::store::X509StoreBuilder;
-use boring::x509::{X509StoreContext, X509};
+use boring_signal::bn::BigNum;
+use boring_signal::ecdsa::EcdsaSig;
+use boring_signal::stack;
+use boring_signal::x509::store::X509StoreBuilder;
+use boring_signal::x509::{X509StoreContext, X509};
 use ciborium::value::{Integer, Value};
 use prost::{DecodeError, Message};
 use sha2::{Digest, Sha384};
@@ -95,8 +95,8 @@ impl From<ciborium::de::Error<std::io::Error>> for NitroError {
     }
 }
 
-impl From<boring::error::ErrorStack> for NitroError {
-    fn from(err: boring::error::ErrorStack) -> NitroError {
+impl From<boring_signal::error::ErrorStack> for NitroError {
+    fn from(err: boring_signal::error::ErrorStack) -> NitroError {
         NitroError::InvalidCertificate(err.to_string())
     }
 }

rust/attest/src/tpm2snp.rs

@@ -4,10 +4,10 @@
 //
 use std::time::SystemTime;
 
-use boring::pkey::{PKey, Public};
-use boring::rsa::Rsa;
-use boring::x509::store::X509StoreBuilder;
-use boring::x509::X509;
+use boring_signal::pkey::{PKey, Public};
+use boring_signal::rsa::Rsa;
+use boring_signal::x509::store::X509StoreBuilder;
+use boring_signal::x509::X509;
 use prost::Message;
 
 use crate::cert_chain::{self, CertChain};
@@ -178,8 +178,8 @@ fn verify_vcek_cert(
     }
 }
 
-impl From<boring::error::ErrorStack> for Error {
-    fn from(_err: boring::error::ErrorStack) -> Error {
+impl From<boring_signal::error::ErrorStack> for Error {
+    fn from(_err: boring_signal::error::ErrorStack) -> Error {
         Error::AttestationDataError {
             reason: "Invalid certificate".to_string(),
         }

rust/attest/src/tpm2snp/snp.rs

@@ -4,10 +4,10 @@
 //
 
 use base64::prelude::{Engine as _, BASE64_URL_SAFE_NO_PAD};
-use boring::bn::BigNum;
-use boring::ecdsa::EcdsaSig;
-use boring::pkey::{PKey, Public};
-use boring::rsa::Rsa;
+use boring_signal::bn::BigNum;
+use boring_signal::ecdsa::EcdsaSig;
+use boring_signal::pkey::{PKey, Public};
+use boring_signal::rsa::Rsa;
 use sha2::{Digest as _, Sha256, Sha384};
 use subtle::ConstantTimeEq as _;
 

rust/attest/src/tpm2snp/tpm2.rs

@@ -3,9 +3,9 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use boring::hash::MessageDigest;
-use boring::sign::Verifier;
-use boring::x509::X509;
+use boring_signal::hash::MessageDigest;
+use boring_signal::sign::Verifier;
+use boring_signal::x509::X509;
 use sha2::{Digest, Sha256};
 use subtle::ConstantTimeEq;
 

rust/attest/src/util.rs

@@ -5,7 +5,7 @@
 
 use std::time::SystemTime;
 
-use boring::asn1::Asn1Time;
+use boring_signal::asn1::Asn1Time;
 use libc::time_t;
 
 /// A replacement for [`std::collections::HashMap`] that performs linear lookups.

rust/bridge/ffi/Cargo.toml

@@ -27,9 +27,9 @@ libsignal-net = { path = "../../net" }
 libsignal-protocol = { path = "../../protocol" }
 signal-media = { path = "../../media" }
 
-futures-util = "0.3"
-log = "0.4"
-log-panics = { version = "2.1.0", features = ["with-backtrace"] }
+futures-util = { workspace = true }
+log = { workspace = true }
+log-panics = { workspace = true, features = ["with-backtrace"] }
 
 [target.aarch64-apple-ios.dependencies]
 cpufeatures = "0.2.1" # Make sure iOS gets optimized crypto.

rust/bridge/jni/Cargo.toml

@@ -19,10 +19,10 @@ libsignal-bridge = { path = "../shared", features = ["jni", "signal-media"] }
 libsignal-protocol = { path = "../../protocol" }
 signal-crypto = { path = "../../crypto" }
 
-cfg-if = "1.0.0"
-jni = "0.21.0"
-log = "0.4"
-log-panics = { version = "2.1.0", features = ["with-backtrace"] }
+cfg-if = { workspace = true }
+jni = { workspace = true }
+log = { workspace = true }
+log-panics = { workspace = true, features = ["with-backtrace"] }
 
 [features]
 testing-fns = ["libsignal-bridge/testing-fns"]

rust/bridge/jni/testing/Cargo.toml

@@ -17,6 +17,4 @@ crate-type = ["cdylib"]
 [dependencies]
 libsignal-bridge-testing = { path = "../../shared/testing", features = ["jni"] }
 
-jni = "0.21.0"
-log = { version = "0.4", features = ["release_max_level_info"] }
-log-panics = { version = "2.1.0", features = ["with-backtrace"] }
+log = { workspace = true }

rust/bridge/node/Cargo.toml

@@ -19,9 +19,9 @@ libsignal-bridge = { path = "../shared", features = ["node", "signal-media"] }
 libsignal-bridge-testing = { path = "../shared/testing", features = ["node", "signal-media"] }
 libsignal-protocol = { path = "../../protocol" }
 
-futures = { version = "0.3", default-features = false, features = ["executor"] }
-log = "0.4"
-log-panics = { version = "2.0.0", features = ["with-backtrace"] }
+futures = { workspace = true }
+log = { workspace = true }
+log-panics = { workspace = true, features = ["with-backtrace"] }
 minidump = { version = "0.20.0", default-features = false }
 minidump-processor = { version = "0.20.0", default-features = false }
 minidump-unwind = { version = "0.20.0", default-features = false }

rust/bridge/node/futures/Cargo.toml

@@ -21,8 +21,8 @@ path = "benches/node.rs"
 harness = false
 
 [dependencies]
-futures-util = "0.3.7"
-neon = { version = "1.0.0", default-features = false, features = ["napi-4"] }
+futures-util = { workspace = true }
+neon = { workspace = true, features = ["napi-4"] }
 
 [dev-dependencies]
 signal-neon-futures-tests = { path = "tests-node-module" }

rust/bridge/node/futures/tests-node-module/Cargo.toml

@@ -18,8 +18,8 @@ crate-type = ["cdylib"]
 [dependencies]
 signal-neon-futures = { path = ".." }
 
-futures-util = "0.3.7"
-neon = { version = "1.0.0", default-features = false, features = ["napi-1"] }
+futures-util = { workspace = true }
+neon = { workspace = true, default-features = false, features = ["napi-1"] }
 
 [features]
 # Enable default-panic-hook to get backtraces of panics.

rust/bridge/shared/Cargo.toml

@@ -26,36 +26,36 @@ usernames = { path = "../../usernames" }
 zkgroup = { path = "../../zkgroup" }
 
 aes-gcm-siv = "0.11.1"
-base64 = "0.21"
-bincode = "1.0"
-futures-util = "0.3.7"
-hkdf = "0.12"
-hmac = "0.12.0"
-http = "1.0.0"
-log = "0.4"
-nonzero_ext = "0.3.0"
-paste = "1.0"
-prost = "0.13.1"
-rand = "0.8"
-scopeguard = "1.0"
-sha2 = "0.10"
-static_assertions = "1.1"
-tokio = { version = "1", features = ["rt-multi-thread"] }
-uuid = "1.1.2"
+base64 = { workspace = true }
+bincode = { workspace = true }
+futures-util = { workspace = true }
+hkdf = { workspace = true }
+hmac = { workspace = true }
+http = { workspace = true }
+log = { workspace = true }
+nonzero_ext = { workspace = true }
+paste = { workspace = true }
+prost = { workspace = true }
+rand = { workspace = true }
+scopeguard = { workspace = true }
+sha2 = { workspace = true }
+static_assertions = { workspace = true }
+tokio = { workspace = true, features = ["rt-multi-thread"] }
+uuid = { workspace = true }
 
 # Enable this for all libsignal app language libraries
-subtle = { version = "2.5", features = ["core_hint_black_box"] }
+subtle = { workspace = true, features = ["core_hint_black_box"] }
 
-jni = { version = "0.21", package = "jni", optional = true }
-linkme = { version = "0.3.9", optional = true }
-neon = { version = "1.0.0", optional = true, default-features = false, features = ["napi-6"] }
-strum = { version = "0.26", features = ["derive"] }
+jni = { workspace = true, optional = true }
+linkme = { workspace = true, optional = true }
+neon = { workspace = true, optional = true, default-features = false, features = ["napi-6"] }
+strum = { workspace = true, features = ["derive"] }
 
 [dev-dependencies]
-assert_matches = "1.5"
-test-case = "3.3.1"
-testing_logger = "0.1.1"
-tokio = { version = "1", features = ["test-util", "time", "macros"] }
+assert_matches = { workspace = true }
+test-case = { workspace = true }
+testing_logger = { workspace = true }
+tokio = { workspace = true, features = ["test-util", "time", "macros"] }
 
 [features]
 ffi = ["libsignal-bridge-types/ffi"]

rust/bridge/shared/macros/Cargo.toml

@@ -14,11 +14,11 @@ license = "AGPL-3.0-only"
 proc-macro = true
 
 [dependencies]
-heck = "0.5"
-proc-macro2 = "1.0"
-quote = "1.0"
-syn = "2.0"
-syn-mid = "0.6"
+heck = { workspace = true }
+proc-macro2 = { workspace = true }
+quote = { workspace = true }
+syn = { workspace = true }
+syn-mid = { workspace = true }
 
 [dev-dependencies]
-syn = { version = "2.0", features = ["extra-traits"] }
+syn = { workspace = true, features = ["extra-traits"] }

rust/bridge/shared/testing/Cargo.toml

@@ -15,14 +15,14 @@ libsignal-bridge-macros = { path = "../macros" }
 libsignal-bridge-types = { path = "../types" }
 libsignal-message-backup = { path = "../../../message-backup", features = ["json"] }
 
-futures-util = "0.3.7"
-paste = "1.0"
-scopeguard = "1.0"
-tokio = "1"
+futures-util = { workspace = true }
+paste = { workspace = true }
+scopeguard = { workspace = true }
+tokio = { workspace = true }
 
-jni = { version = "0.21", package = "jni", optional = true }
-linkme = { version = "0.3.9", optional = true }
-neon = { version = "1.0.0", optional = true, default-features = false, features = ["napi-6"] }
+jni = { workspace = true, optional = true }
+linkme = { workspace = true, optional = true }
+neon = { workspace = true, optional = true, default-features = false, features = ["napi-6"] }
 
 [features]
 ffi = ["libsignal-bridge-types/ffi"]

rust/bridge/shared/types/Cargo.toml

@@ -24,42 +24,42 @@ signal-pin = { path = "../../../pin" }
 usernames = { path = "../../../usernames" }
 zkgroup = { path = "../../../zkgroup" }
 
-aes-gcm-siv = "0.11.1"
-async-trait = "0.1.41"
-atomic-take = "1.1.0"
-derive-where = "1.2.5"
-displaydoc = "0.2"
-futures-util = "0.3.30"
-hmac = "0.12.0"
-http = "1.0.0"
-log = "0.4"
-mediasan-common = "0.5.0"
-num_enum = "0.7.2"
-once_cell = "1.19.0"
-partial-default = "0.1.0"
-paste = "1.0"
-rayon = "1.8.0"
-serde = "1.0"
-sha2 = "0.10"
-static_assertions = "1.1"
-thiserror = "1.0.50"
-tokio = { version = "1", features = ["rt-multi-thread"] }
-uuid = "1.1.2"
+aes-gcm-siv = { workspace = true }
+async-trait = { workspace = true }
+atomic-take = { workspace = true }
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
+futures-util = { workspace = true }
+hmac = { workspace = true }
+http = { workspace = true }
+log = { workspace = true }
+mediasan-common = { workspace = true }
+num_enum = { workspace = true }
+once_cell = { workspace = true }
+partial-default = { workspace = true }
+paste = { workspace = true }
+rayon = { workspace = true }
+serde = { workspace = true }
+sha2 = { workspace = true }
+static_assertions = { workspace = true }
+thiserror = { workspace = true }
+tokio = { workspace = true, features = ["rt-multi-thread"] }
+uuid = { workspace = true }
 
 # Enable this for all libsignal app language libraries
-subtle = { version = "2.5", features = ["core_hint_black_box"] }
+subtle = { workspace = true, features = ["core_hint_black_box"] }
 
-jni = { version = "0.21", package = "jni", optional = true }
-linkme = { version = "0.3.9", optional = true }
-neon = { version = "1.0.0", optional = true, default-features = false, features = ["napi-6"] }
+jni = { workspace = true, optional = true }
+linkme = { workspace = true, optional = true }
+neon = { workspace = true, optional = true, default-features = false, features = ["napi-6"] }
 signal-neon-futures = { path = "../../node/futures", optional = true }
-strum = { version = "0.26", features = ["derive"] }
-zerocopy = { version = "0.7.34", optional = true }
+strum = { workspace = true }
+zerocopy = { workspace = true, optional = true }
 
 [dev-dependencies]
-assert_matches = "1.5"
-test-case = "3.3.1"
-tokio = { version = "1", features = ["test-util", "time", "macros"] }
+assert_matches = { workspace = true }
+test-case = { workspace = true }
+tokio = { workspace = true, features = ["test-util", "time", "macros"] }
 
 [features]
 ffi = []

rust/core/Cargo.toml

@@ -11,10 +11,10 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-num_enum = "0.7.2"
-uuid = "1.1.2"
+num_enum = { workspace = true }
+uuid = { workspace = true }
 
 [dev-dependencies]
-hex-literal = "0.4.1"
-proptest = "1.0"
-rand = "0.8"
+hex-literal = { workspace = true }
+proptest = { workspace = true }
+rand = { workspace = true }

rust/crypto/Cargo.toml

@@ -11,23 +11,23 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-aes = { version = "0.8.3", features = ["zeroize"] }
-cbc = { version = "0.1.2", features = ["std", "zeroize"] }
-ctr = { version = "0.9.2", features = ["zeroize"] }
-displaydoc = "0.2"
+aes = { workspace = true, features = ["zeroize"] }
+cbc = { workspace = true, features = ["std", "zeroize"] }
+ctr = { workspace = true, features = ["zeroize"] }
+displaydoc = { workspace = true }
 ghash = { version = "0.5.0", features = ["zeroize"] }
-hmac = { version = "0.12", features = ["reset"] }
-sha1 = "0.10"
-sha2 = "0.10"
-subtle = "2.3"
-thiserror = "1.0.38"
+hmac = { workspace = true, features = ["reset"] }
+sha1 = { workspace = true }
+sha2 = { workspace = true }
+subtle = { workspace = true }
+thiserror = { workspace = true }
 
 [dev-dependencies]
-criterion = "0.5"
-hex = "0.4"
-hex-literal = "0.4.1"
-rand = "0.8"
-serde = { version = "1.0", features = ["derive"] }
+criterion = { workspace = true }
+hex = { workspace = true }
+hex-literal = { workspace = true }
+rand = { workspace = true }
+serde = { workspace = true }
 serde_json = "1.0"
 
 [[bench]]

rust/device-transfer/Cargo.toml

@@ -6,8 +6,8 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-boring = { version = "4.6.0", default-features = false }
-libc = "0.2"
+boring = { workspace = true }
+libc = { workspace = true }
 
 [dev-dependencies]
-hex = "0.4"
+hex = { workspace = true }

rust/keytrans/Cargo.toml

@@ -11,18 +11,18 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-curve25519-dalek = { version = "4.1.3" }
-displaydoc = "0.2"
-ed25519-dalek = "2.1.0"
-hmac = "0.12.1"
-prost = "0.13"
-sha2 = "0.10"
+curve25519-dalek = { workspace = true }
+displaydoc = { workspace = true }
+ed25519-dalek = { workspace = true }
+hmac = { workspace = true }
+prost = { workspace = true }
+sha2 = { workspace = true }
 
 [build-dependencies]
-prost-build = "0.13"
+prost-build = { workspace = true }
 
 [dev-dependencies]
-assert_matches = "1.5.0"
-hex-literal = "0.4.1"
-proptest = "1.5.0"
-test-case = "3.3.1"
+assert_matches = { workspace = true }
+hex-literal = { workspace = true }
+proptest = { workspace = true }
+test-case = { workspace = true }

rust/media/Cargo.toml

@@ -6,10 +6,10 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-futures-util = "0.3.7"
-mediasan-common = "0.5.0"
+futures-util = { workspace = true }
+mediasan-common = { workspace = true }
 mp4san = { version = "0.5.0", optional = true }
-thiserror = "1.0.38"
+thiserror = { workspace = true }
 webpsan = { version = "0.5.0", optional = true, default-features = false }
 
 [features]

rust/message-backup/Cargo.toml

@@ -29,55 +29,55 @@ usernames = { path = "../usernames" }
 zkcredential = { path = "../zkcredential", features = ["rayon"] }
 zkgroup = { path = "../zkgroup" }
 
-aes = "0.8.3"
-arrayvec = "0.7.4"
+aes = { workspace = true }
+arrayvec = { workspace = true }
 async-compression = { version = "0.4.5", features = ["futures-io", "gzip"] }
-async-trait = "0.1.41"
-cbc = "0.1.2"
-clap = { version = "4.2.1", features = ["derive"] }
+async-trait = { workspace = true }
+cbc = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
 clap-stdin = "0.3.0"
-derive-where = "1.2.5"
-displaydoc = "0.2.5"
-env_logger = "0.11.4"
-futures = "0.3.29"
-hex = { version = "0.4.3", features = ["serde"] }
-hkdf = "0.12"
-hmac = "0.12"
-itertools = "0.13.0"
-log = "0.4"
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
+env_logger = { workspace = true }
+futures = { workspace = true }
+hex = { workspace = true, features = ["serde"] }
+hkdf = { workspace = true }
+hmac = { workspace = true }
+itertools = { workspace = true }
+log = { workspace = true }
 macro_rules_attribute = "0.2.0"
-mediasan-common = "0.5.0"
-num_enum = "0.7.2"
+mediasan-common = { workspace = true }
+num_enum = { workspace = true }
 protobuf = "3.3.0"
 protobuf-json-mapping = { version = "3.3.0", optional = true }
-serde = { version = "1.0", features = ["derive", "rc"] }
-serde_json = { version = "1.0", optional = true, features = ["preserve_order"] }
-sha2 = "0.10"
-strum = { version = "0.26", features = ["derive"] }
+serde = { workspace = true, features = ["derive", "rc"] }
+serde_json = { workspace = true, optional = true, features = ["preserve_order"] }
+sha2 = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
 # This isn't strictly necessary but we need at least this version to avoid
 # warnings from the latest nightly rustc. Remove this when the referenced strum
 # version has at least this version as a dependency.
 strum_macros = { version = "0.26.4" }
-subtle = "2.5.0"
-thiserror = "1.0.50"
-uuid = { version = "1.1.2", features = ["serde"] }
+subtle = { workspace = true }
+thiserror = { workspace = true }
+uuid = { workspace = true, features = ["serde"] }
 
 [dev-dependencies]
 libsignal-message-backup = { path = "./", features = ["json"] }
 signal-crypto = { path = "../crypto" }
 
-array-concat = "0.5.2"
+array-concat = { workspace = true }
 assert_cmd = "2.0.13"
-assert_matches = "1.5.0"
+assert_matches = { workspace = true }
 dir-test = "0.2.0"
-futures = { version = "0.3.29", features = ["executor"] }
-hex-literal = "0.4.1"
+futures = { workspace = true, features = ["executor"] }
+hex-literal = { workspace = true }
 json5 = "0.4.1"
-nonzero_ext = "0.3.0"
-once_cell = "1.19"
-test-case = "3.3.1"
+nonzero_ext = { workspace = true }
+once_cell = { workspace = true }
+test-case = { workspace = true }
 test-log = "0.2.14"
-testing_logger = "0.1.1"
+testing_logger = { workspace = true }
 pretty_assertions = "1.4.0"
 
 [build-dependencies]

rust/message-backup/macros/Cargo.toml

@@ -13,10 +13,10 @@ license = "AGPL-3.0-only"
 proc-macro = true
 
 [dependencies]
-heck = "0.5"
-proc-macro2 = "1.0.74"
-quote = "1.0.35"
-syn = { version = "2.0.46", features = ["full", "extra-traits"] }
+heck = { workspace = true }
+proc-macro2 = { workspace = true }
+quote = { workspace = true }
+syn = { workspace = true, features = ["full", "extra-traits"] }
 
 [dev-dependencies]
-test-case = "3.3.1"
+test-case = { workspace = true }

rust/net/Cargo.toml

@@ -14,69 +14,72 @@ libsignal-core = { path = "../core" }
 libsignal-protocol = { path = "../protocol" }
 libsignal-svr3 = { path = "../svr3" }
 
-async-trait = "0.1.41"
-base64 = "0.21"
-bincode = "1.0"
+async-trait = { workspace = true }
+base64 = { workspace = true }
+bincode = { workspace = true }
 bitstream-io = "1.10.0"
-boring = { git = "https://github.com/signalapp/boring", tag = "signal-v4.9.0" }
+boring-signal = { workspace = true }
 bytes = "1.4.0"
 const-str = { version = "0.5.6", features = ["std"] }
-derive-where = "1.2.7"
-displaydoc = "0.2"
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
 either = "1.10.0"
-futures-util = "0.3.7"
-hex = "0.4"
-hmac = "0.12"
-http = "1.0.0"
+futures-util = { workspace = true }
+hex = { workspace = true }
+hmac = { workspace = true }
+http = { workspace = true }
 http-body-util = "0.1.1"
 hyper = { version = "1.3.1", features = ["http2", "client"] }
 hyper-util = { version = "0.1.3", features = ["tokio"] }
-indexmap = "2.1.0"
-itertools = "0.13.0"
-log = "0.4.19"
-nonzero_ext = "0.3.0"
-num_enum = "0.7.2"
-prost = "0.13.1"
-rand = "0.8.0"
-rand_core = "0.6"
+indexmap = { workspace = true }
+itertools = { workspace = true }
+log = { workspace = true }
+nonzero_ext = { workspace = true }
+num_enum = { workspace = true }
+prost = { workspace = true }
+rand = { workspace = true }
+rand_core = { workspace = true }
 rustls = { version = "0.23.4", default-features = false, features = ["ring", "std", "tls12"] }
-rustls-platform-verifier = "0.3.1"
-serde = { version = "1.0", features = ["derive"] }
-serde_json = "1.0"
-sha2 = "0.10.8"
-snow = { version = "0.9.5", default-features = false }
-static_assertions = "1.1"
-strum = { version = "0.26", features = ["derive"] }
-thiserror = "1.0.38"
-tokio = { version = "1", features = ["rt", "time", "macros"] }
-tokio-boring = { git = "https://github.com/signalapp/boring", tag = "signal-v4.9.0" }
+rustls-platform-verifier = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+sha2 = { workspace = true }
+snow = { workspace = true }
+static_assertions = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
+thiserror = { workspace = true }
+tokio = { workspace = true, features = ["rt", "time", "macros"] }
+tokio-boring-signal = { workspace = true }
 tokio-stream = "0.1.14"
 tokio-tungstenite = "0.23.0"
 tokio-util = "0.7.9"
 tungstenite = { version = "0.23.0", features = ["url"] }
 url = "2.4.1"
-uuid = "1.1.2"
-zerocopy = { version = "0.7", features = ["derive"] }
+uuid = { workspace = true }
+zerocopy = { workspace = true }
 
 [build-dependencies]
-prost-build = "0.13.1"
+prost-build = { workspace = true }
 
 [dev-dependencies]
-assert_matches = "1.5.0"
-clap = { version = "4.4.11", features = ["derive"] }
+assert_matches = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
 colored = "2.1"
-env_logger = "0.11.4"
-hex-literal = "0.4.1"
+env_logger = { workspace = true }
+hex-literal = { workspace = true }
 hickory-proto = "0.24.1"
-lazy_static = "1.4.0"
-proptest = "1.4.0"
+lazy_static = { workspace = true }
+proptest = { workspace = true }
 proptest-state-machine = "0.1.0"
 rcgen = "0.13.0"
-snow = "0.9.5"
-test-case = "3.3.1"
+snow = { workspace = true }
+test-case = { workspace = true }
 tls-parser = "0.11.0"
-tokio = { version = "1", features = ["test-util", "io-std", "rt-multi-thread"] }
-url = "2.4.1"
+tokio = { workspace = true, features = [
+    "test-util",
+    "io-std",
+    "rt-multi-thread",
+] }
 warp = { version = "0.3.6", features = ["tls"] }
 
 [[example]]

rust/net/src/cdsi.rs

@@ -13,7 +13,7 @@ use libsignal_core::{Aci, Pni};
 use prost::Message as _;
 use thiserror::Error;
 use tokio::net::TcpStream;
-use tokio_boring::SslStream;
+use tokio_boring_signal::SslStream;
 use tungstenite::protocol::frame::coding::CloseCode;
 use tungstenite::protocol::CloseFrame;
 use uuid::Uuid;

rust/net/src/enclave.rs

@@ -439,7 +439,7 @@ mod test {
     use async_trait::async_trait;
     use nonzero_ext::nonzero;
     use tokio::net::TcpStream;
-    use tokio_boring::SslStream;
+    use tokio_boring_signal::SslStream;
 
     use crate::auth::Auth;
     use crate::infra::connection_manager::ConnectionAttemptOutcome;

rust/net/src/infra/certs.rs

@@ -5,10 +5,10 @@
 
 use std::borrow::Cow;
 
-use boring::error::ErrorStack;
-use boring::ssl::{SslAlert, SslConnectorBuilder, SslVerifyError, SslVerifyMode};
-use boring::x509::store::X509StoreBuilder;
-use boring::x509::X509;
+use boring_signal::error::ErrorStack;
+use boring_signal::ssl::{SslAlert, SslConnectorBuilder, SslVerifyError, SslVerifyMode};
+use boring_signal::x509::store::X509StoreBuilder;
+use boring_signal::x509::X509;
 use rustls::client::danger::ServerCertVerifier;
 
 const SIGNAL_ROOT_CERT_DER: &[u8] = include_bytes!("../../res/signal.cer");
@@ -93,7 +93,7 @@ fn set_up_platform_verifier(
 
         // The rest of the chain should be valid intermediate certificates.
         let intermediates: Vec<_> = cert_chain
-            .collect::<Result<_, boring::error::ErrorStack>>()
+            .collect::<Result<_, boring_signal::error::ErrorStack>>()
             .map_err(|_| SslVerifyError::Invalid(SslAlert::BAD_CERTIFICATE))?;
 
         // We don't do our own OCSP. Either the platform will do its own checks, or it won't.
@@ -168,7 +168,7 @@ mod test {
     use std::sync::Arc;
 
     use assert_matches::assert_matches;
-    use boring::ssl::{ErrorCode, SslConnector, SslMethod};
+    use boring_signal::ssl::{ErrorCode, SslConnector, SslMethod};
     use rustls::RootCertStore;
     use tokio::net::TcpStream;
 
@@ -201,7 +201,7 @@ mod test {
         .expect("valid");
 
         let transport = TcpStream::connect(addr).await.expect("can connect");
-        let connection = tokio_boring::connect(
+        let connection = tokio_boring_signal::connect(
             ssl.build().configure().expect("valid"),
             SERVER_HOSTNAME,
             transport,
@@ -236,7 +236,7 @@ mod test {
 
         let transport = TcpStream::connect(addr).await.expect("can connect");
         assert_matches!(
-            tokio_boring::connect(
+            tokio_boring_signal::connect(
                 ssl.build().configure().expect("valid"),
                 SERVER_HOSTNAME,
                 transport,

rust/net/src/infra/errors.rs

@@ -5,7 +5,7 @@
 
 use std::fmt::Display;
 
-use tokio_boring::HandshakeError;
+use tokio_boring_signal::HandshakeError;
 
 use crate::infra::certs;
 
@@ -29,7 +29,7 @@ pub enum TransportConnectError {
 }
 
 #[derive(Debug)]
-pub struct SslErrorReasons(boring::error::ErrorStack);
+pub struct SslErrorReasons(boring_signal::error::ErrorStack);
 
 impl Display for SslErrorReasons {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -38,7 +38,7 @@ impl Display for SslErrorReasons {
                 self.0
                     .errors()
                     .iter()
-                    .flat_map::<Option<&'static str>, _>(boring::error::Error::reason),
+                    .flat_map::<Option<&'static str>, _>(boring_signal::error::Error::reason),
             )
             .finish()
     }
@@ -47,7 +47,7 @@ impl Display for SslErrorReasons {
 #[derive(Debug)]
 pub struct FailedHandshakeReason {
     io: Option<std::io::ErrorKind>,
-    code: Option<boring::ssl::ErrorCode>,
+    code: Option<boring_signal::ssl::ErrorCode>,
 }
 
 impl<S> From<HandshakeError<S>> for FailedHandshakeReason {
@@ -77,8 +77,8 @@ impl Display for FailedHandshakeReason {
     }
 }
 
-impl From<boring::error::ErrorStack> for TransportConnectError {
-    fn from(value: boring::error::ErrorStack) -> Self {
+impl From<boring_signal::error::ErrorStack> for TransportConnectError {
+    fn from(value: boring_signal::error::ErrorStack) -> Self {
         Self::SslError(SslErrorReasons(value))
     }
 }

rust/net/src/infra/tcp_ssl.rs

@@ -9,11 +9,11 @@ use std::sync::Arc;
 
 use crate::timeouts::TCP_CONNECTION_ATTEMPT_DELAY;
 use async_trait::async_trait;
-use boring::ssl::{ConnectConfiguration, SslConnector, SslMethod};
+use boring_signal::ssl::{ConnectConfiguration, SslConnector, SslMethod};
 use futures_util::TryFutureExt;
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio::net::TcpStream;
-use tokio_boring::SslStream;
+use tokio_boring_signal::SslStream;
 use tokio_util::either::Either;
 
 use crate::infra::certs::RootCertificates;
@@ -130,7 +130,9 @@ impl TransportConnector for ProxyConnector {
                     self.proxy_port
                 );
                 let ssl_config = ssl_config(&self.proxy_certs, &self.proxy_host, None)?;
-                Either::Left(tokio_boring::connect(ssl_config, &self.proxy_host, tcp_stream).await?)
+                Either::Left(
+                    tokio_boring_signal::connect(ssl_config, &self.proxy_host, tcp_stream).await?,
+                )
             }
             ShouldUseTls::No => {
                 log::debug!(
@@ -209,7 +211,7 @@ async fn connect_tls<S: AsyncRead + AsyncWrite + Unpin>(
 ) -> Result<SslStream<S>, TransportConnectError> {
     let ssl_config = ssl_config(&connection_params.certs, &connection_params.sni, Some(alpn))?;
 
-    Ok(tokio_boring::connect(ssl_config, &connection_params.sni, transport).await?)
+    Ok(tokio_boring_signal::connect(ssl_config, &connection_params.sni, transport).await?)
 }
 
 async fn connect_tcp(
@@ -349,9 +351,9 @@ pub(crate) mod testutil {
     use std::net::{Ipv6Addr, SocketAddr};
 
     use assert_matches::assert_matches;
-    use boring::pkey::PKey;
-    use boring::ssl::{SslAcceptor, SslMethod};
-    use boring::x509::X509;
+    use boring_signal::pkey::PKey;
+    use boring_signal::ssl::{SslAcceptor, SslMethod};
+    use boring_signal::x509::X509;
     use lazy_static::lazy_static;
     use rcgen::CertifiedKey;
     use tls_parser::{ClientHello, TlsExtension, TlsMessage, TlsMessageHandshake, TlsPlaintext};
@@ -458,7 +460,7 @@ pub(crate) mod testutil {
                 let (tcp_stream, _remote_addr) =
                     tcp_listener.accept().await.expect("incoming connection");
                 let mut input_stream = if let Some(ssl_acceptor) = &ssl_acceptor {
-                    let ssl_stream = tokio_boring::accept(ssl_acceptor, tcp_stream)
+                    let ssl_stream = tokio_boring_signal::accept(ssl_acceptor, tcp_stream)
                         .await
                         .expect("handshake successful");
 

rust/net/src/infra/ws.rs

@@ -479,7 +479,7 @@ impl From<attest::client_connection::Error> for AttestedConnectionError {
     }
 }
 
-pub type DefaultStream = tokio_boring::SslStream<tokio::net::TcpStream>;
+pub type DefaultStream = tokio_boring_signal::SslStream<tokio::net::TcpStream>;
 
 /// Encrypted connection to an attested host.
 #[derive(Debug)]

rust/pin/Cargo.toml

@@ -13,16 +13,17 @@ license = "AGPL-3.0-only"
 
 [dependencies]
 argon2 = { version = "0.5.0", features = ["zeroize"] }
-displaydoc = "0.2"
-hkdf = "0.12"
-sha2 = "0.10"
-static_assertions = "1.1"
-thiserror = "1.0.57"
+displaydoc = { workspace = true }
+hkdf = { workspace = true }
+rand_core = { workspace = true, features = ["getrandom"] }
+sha2 = { workspace = true }
+static_assertions = { workspace = true }
+thiserror = { workspace = true }
 
 [dev-dependencies]
-hex-literal = "0.4.1"
-hmac = { version = "0.12", features = ["reset"] }
-criterion = "0.5"
+hex-literal = { workspace = true }
+hmac = { workspace = true, features = ["reset"] }
+criterion = { workspace = true }
 
 
 [[bench]]

rust/poksho/Cargo.toml

@@ -11,16 +11,16 @@ edition = "2021"
 license = "AGPL-3.0-only"
 
 [dependencies]
-curve25519-dalek = "4.1.3"
-hmac = { version = "0.12", features = ["reset"] }
-sha2 = "0.10"
+curve25519-dalek = { workspace = true }
+hmac = { workspace = true, features = ["reset"] }
+sha2 = { workspace = true }
 
 [dev-dependencies]
-hex = "0.4"
+hex = { workspace = true }
 
 # For benchmarking
-criterion = "0.5"
-rand = "0.8"
+criterion = { workspace = true }
+rand = { workspace = true }
 
 [[bench]]
 name = "sho"

rust/protocol/Cargo.toml

@@ -14,32 +14,32 @@ license = "AGPL-3.0-only"
 libsignal-core = { path = "../core" }
 signal-crypto = { path = "../crypto" }
 
-aes = { version = "0.8.3", features = ["zeroize"] }
-aes-gcm-siv = "0.11.1"
+aes = { workspace = true, features = ["zeroize"] }
+aes-gcm-siv = { workspace = true }
 arrayref = "0.3.6"
-async-trait = "0.1.41"
-ctr = { version = "0.9.2", features = ["zeroize"] }
-curve25519-dalek = { version = "4.1.3", features = ["digest"] }
-derive-where = "1.2.5"
-displaydoc = "0.2"
-hex = "0.4"
-hkdf = "0.12"
-hmac = "0.12"
-indexmap = "2.1.0"
-itertools = "0.13.0"
-log = "0.4"
-num_enum = "0.7.2"
+async-trait = { workspace = true }
+ctr = { workspace = true, features = ["zeroize"] }
+curve25519-dalek = { workspace = true, features = ["digest"] }
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
+hex = { workspace = true }
+hkdf = { workspace = true }
+hmac = { workspace = true }
+indexmap = { workspace = true }
+itertools = { workspace = true }
+log = { workspace = true }
+num_enum = { workspace = true }
 pqcrypto-kyber = { version = "0.7.6", default-features = false, features = ["std"] }
 pqcrypto-traits = "0.3.4"
-prost = "0.13.1"
-rand = "0.8"
-rayon = "1.8.0"
-serde = { version = "1.0", features = ["derive"] }
-sha2 = "0.10"
-subtle = "2.3"
-thiserror = "1.0.30"
-uuid = "1.1.2"
-x25519-dalek = { version = "2.0.0", features = ["static_secrets"] }
+prost = { workspace = true }
+rand = { workspace = true }
+rayon = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+sha2 = { workspace = true }
+subtle = { workspace = true }
+thiserror = { workspace = true }
+uuid = { workspace = true }
+x25519-dalek = { workspace = true, features = ["static_secrets"] }
 
 # WARNING: pqcrypto-kyber 0.8 and 0.7 don't actually coexist, they both depend on the same C symbols.
 # We keep this here for if/when that gets cleared up.
@@ -53,15 +53,15 @@ kyber768 = []
 mlkem1024 = ["pqcrypto-ml-kem"]
 
 [dev-dependencies]
-clap = { version = "4.4.11", features = ["derive"] }
-criterion = "0.5"
-hex-literal = "0.4.1"
-proptest = "1.0"
-futures-util = "0.3.7"
-env_logger = "0.11.4"
+clap = { workspace = true, features = ["derive"] }
+criterion = { workspace = true }
+hex-literal = { workspace = true }
+proptest = { workspace = true }
+futures-util = { workspace = true }
+env_logger = { workspace = true }
 
 [build-dependencies]
-prost-build = "0.13.1"
+prost-build = { workspace = true }
 
 [[bench]]
 name = "curve"

rust/svr3/Cargo.toml

@@ -10,24 +10,24 @@ authors = ["Signal Messenger LLC"]
 license = "AGPL-3.0-only"
 
 [dependencies]
-curve25519-dalek = { version = "4.1.3", features = ["rand_core"] }
-displaydoc = "0.2"
-hkdf = "0.12"
-prost = "0.13.1"
-rand_core = { version = "0.6", features = ["getrandom"] }
-sha2 = "0.10"
-strum_macros = "0.26"
-subtle = "2.5"
+curve25519-dalek = { workspace = true, features = ["rand_core"] }
+displaydoc = { workspace = true }
+hkdf = { workspace = true }
+prost = { workspace = true }
+rand_core = { workspace = true, features = ["getrandom"] }
+sha2 = { workspace = true }
+strum = { workspace = true, features = ["derive"] }
+subtle = { workspace = true }
 
 [dev-dependencies]
-assert_matches = "1.5"
-zerocopy = "0.7.34"
-criterion = "0.5"
-hex = "0.4"
-hex-literal = "0.4.1"
-nonzero_ext = "0.3.0"
-test-case = "3.2.1"
-proptest = "1.0"
+assert_matches = { workspace = true }
+zerocopy = { workspace = true }
+criterion = { workspace = true }
+hex = { workspace = true }
+hex-literal = { workspace = true }
+nonzero_ext = { workspace = true }
+test-case = { workspace = true }
+proptest = { workspace = true }
 
 [build-dependencies]
-prost-build = "0.13.1"
+prost-build = { workspace = true }

rust/svr3/src/errors.rs

@@ -38,7 +38,7 @@ impl std::fmt::Display for svr4::response4::Status {
 }
 
 /// Represents an erroneous SVR3 response status
-#[derive(Debug, strum_macros::Display, PartialEq)]
+#[derive(Debug, strum::Display, PartialEq)]
 pub enum ErrorStatus {
     Unset,
     Missing,

rust/usernames/Cargo.toml

@@ -15,27 +15,27 @@ license = "AGPL-3.0-only"
 poksho = { path = "../poksho" }
 signal-crypto = { path = "../crypto" }
 
-curve25519-dalek = { version = "4.1.3", features = ["digest"] }
-displaydoc = "0.2"
-hkdf = "0.12"
-hmac = "0.12"
-lazy_static = "1.4.0"
-log = "0.4"
-prost = "0.13.1"
-rand = "0.8"
-sha2 = "0.10"
-subtle = "2.5.0"
-thiserror = "1.0.40"
+curve25519-dalek = { workspace = true, features = ["digest"] }
+displaydoc = { workspace = true }
+hkdf = { workspace = true }
+hmac = { workspace = true }
+lazy_static = { workspace = true }
+log = { workspace = true }
+prost = { workspace = true }
+rand = { workspace = true }
+sha2 = { workspace = true }
+subtle = { workspace = true }
+thiserror = { workspace = true }
 
 [dev-dependencies]
 zkgroup = { path = "../zkgroup" }
 
-proptest = "1.0"
-criterion = "0.5"
+proptest = { workspace = true }
+criterion = { workspace = true }
 
 [[bench]]
 name = "usernames_benchmarks"
 harness = false
 
 [build-dependencies]
-prost-build = "0.13.1"
+prost-build = { workspace = true }

rust/zkcredential/Cargo.toml

@@ -13,27 +13,27 @@ license = "AGPL-3.0-only"
 [dependencies]
 poksho = { path = "../poksho" }
 
-cfg-if = "1.0.0"
-curve25519-dalek = { version = "4.1.3", features = ["serde"] }
-derive-where = "1.2.5"
-displaydoc = "0.2"
-lazy_static = "1.4.0"
-partial-default = { version = "0.1.0", features = ["derive"] }
-serde = { version = "1.0.106", features = ["derive"] }
-sha2 = "0.10"
-subtle = "2.3"
-thiserror = "1.0.57"
+cfg-if = { workspace = true }
+curve25519-dalek = { workspace = true, features = ["serde"] }
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
+lazy_static = { workspace = true }
+partial-default = { workspace = true, features = ["derive"] }
+serde = { workspace = true, features = ["derive"] }
+sha2 = { workspace = true }
+subtle = { workspace = true }
+thiserror = { workspace = true }
 
 # If rayon is enabled, certain operations will use rayon's thread pool.
 rayon = { version = "1.8.0", optional = true }
 
 [dev-dependencies]
-bincode = "1.2.1"
-hex = "0.4"
-hex-literal = "0.4.1"
+bincode = { workspace = true }
+hex = { workspace = true }
+hex-literal = { workspace = true }
 
 # For benchmarking
-criterion = "0.5"
+criterion = { workspace = true }
 
 # Many of zkcredential's tests live in the zkgroup crate,
 # since zkcredential was designed to work with existing verifiably encrypted attribute types.

rust/zkgroup/Cargo.toml

@@ -17,35 +17,36 @@ poksho = { path = "../poksho" }
 signal-crypto = { path = "../crypto" }
 zkcredential = { path = "../zkcredential", features = ["rayon"] }
 
-curve25519-dalek = { git = 'https://github.com/signalapp/curve25519-dalek', tag = 'signal-curve25519-4.1.3', version = "4.1.1", features = ["serde"] }
+# Use our fork of curve25519-dalek for zkgroup support.
+curve25519-dalek-signal = { workspace = true, features = ["serde"] }
 
-aes-gcm-siv = "0.11.1"
-bincode = "1.2.1"
-derive-where = "1.2.5"
-displaydoc = "0.2"
-hex = "0.4.0"
-hex-literal = "0.4.1"
-hkdf = "0.12"
-lazy_static = "1.4.0"
-num_enum = "0.7.2"
-partial-default = { version = "0.1.0", features = ["derive"] }
-rand = "0.8"
-rayon = "1.8.0"
-serde = { version = "1.0.106", features = ["derive"] }
-sha2 = "0.10.0"
-subtle = "2.3"
-thiserror = "1.0.57"
-uuid = "1.1.2"
+aes-gcm-siv = { workspace = true }
+bincode = { workspace = true }
+derive-where = { workspace = true }
+displaydoc = { workspace = true }
+hex = { workspace = true }
+hex-literal = { workspace = true }
+hkdf = { workspace = true }
+lazy_static = { workspace = true }
+num_enum = { workspace = true }
+partial-default = { workspace = true, features = ["derive"] }
+rand = { workspace = true }
+rayon = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+sha2 = { workspace = true }
+subtle = { workspace = true }
+thiserror = { workspace = true }
+uuid = { workspace = true }
 
 # For generation
-base64 = { version = "0.21", optional = true }
+base64 = { workspace = true, optional = true }
 
 [dev-dependencies]
-uuid = { version = "1", features = ["v5"] }
+uuid = { workspace = true, features = ["v5"] }
 
 # For benchmarking
-criterion = "0.5"
-test-case = "3.3.1"
+criterion = { workspace = true }
+test-case = { workspace = true }
 
 [[bench]]
 name = "zkgroup_benchmarks"

rust/zkgroup/src/api/backups/auth_credential.rs

@@ -15,7 +15,7 @@
 //! The BackupAuthCredential has the additional constraint that it should be deterministically reproducible. Rather than a randomly
 //! seeded blinding key pair, the key pair is derived from, you guessed it, the client's master key.
 
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use hkdf::Hkdf;
 use partial_default::PartialDefault;
 use poksho::ShoApi;

rust/zkgroup/src/api/call_links/create_credential.rs

@@ -10,7 +10,7 @@
 //! - the user's ACI (provided by the chat server at issuance, passed encrypted to the calling server for verification)
 //! - a timestamp, truncated to day granularity (chosen by the chat server at issuance, passed publicly to the calling server for verification)
 
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use partial_default::PartialDefault;
 use poksho::ShoApi;
 use serde::{Deserialize, Serialize};

rust/zkgroup/src/api/groups/group_send_endorsement.rs

@@ -93,9 +93,9 @@ impl GroupSendEndorsementsResponse {
     /// it.
     ///
     /// The `usize` in each pair must be the original index of the point.
-    fn sort_points(points: &mut [(usize, curve25519_dalek::RistrettoPoint)]) {
+    fn sort_points(points: &mut [(usize, curve25519_dalek_signal::RistrettoPoint)]) {
         debug_assert!(points.iter().enumerate().all(|(i, (j, _))| i == *j));
-        let sort_keys = curve25519_dalek::RistrettoPoint::double_and_compress_batch(
+        let sort_keys = curve25519_dalek_signal::RistrettoPoint::double_and_compress_batch(
             points.iter().map(|(_i, point)| point),
         );
         points.sort_unstable_by_key(|(i, _point)| sort_keys[*i].as_bytes());
@@ -112,7 +112,8 @@ impl GroupSendEndorsementsResponse {
         // Note: we could save some work here by pulling the single point we need out of the
         // serialized bytes, and operating directly on that. However, we'd have to remember to
         // update that if the serialization format ever changes.
-        let mut points_to_sign: Vec<(usize, curve25519_dalek::RistrettoPoint)> = member_ciphertexts
+        let mut points_to_sign: Vec<(usize, curve25519_dalek_signal::RistrettoPoint)> =
+            member_ciphertexts
                 .into_iter()
                 .map(|ciphertext| ciphertext.ciphertext.as_points()[0])
                 .enumerate()
@@ -194,7 +195,7 @@ impl GroupSendEndorsementsResponse {
         // We have to compute the ciphertexts (expensive), but we can skip the second point (which
         // would be much more expensive).
         // We zip the results together with a set of indexes so we can un-sort the results later.
-        let mut member_points: Vec<(usize, curve25519_dalek::RistrettoPoint)> = user_ids
+        let mut member_points: Vec<(usize, curve25519_dalek_signal::RistrettoPoint)> = user_ids
             .into_iter()
             .map(|user_id| {
                 group_params.uid_enc_key_pair.a1 * crypto::uid_struct::UidStruct::calc_M1(user_id)
@@ -251,7 +252,7 @@ impl GroupSendEndorsementsResponse {
         // We have to compute the ciphertexts (expensive), but we can skip the second point (which
         // would be much more expensive).
         // We zip the results together with a set of indexes so we can un-sort the results later.
-        let mut member_points: Vec<(usize, curve25519_dalek::RistrettoPoint)> = user_ids
+        let mut member_points: Vec<(usize, curve25519_dalek_signal::RistrettoPoint)> = user_ids
             .into_par_iter()
             .map(|user_id| {
                 group_params.uid_enc_key_pair.a1 * crypto::uid_struct::UidStruct::calc_M1(user_id)
@@ -340,18 +341,18 @@ impl GroupSendEndorsementsResponse {
 
 /// A single endorsement, for one or multiple group members.
 ///
-/// `Storage` is usually [`curve25519_dalek::RistrettoPoint`], but the `receive` APIs on
+/// `Storage` is usually [`curve25519_dalek_signal::RistrettoPoint`], but the `receive` APIs on
 /// [`GroupSendEndorsementsResponse`] produce "compressed" endorsements, since they are usually
 /// immediately serialized.
 #[derive(Serialize, Deserialize, PartialDefault, Clone, Copy)]
-#[partial_default(bound = "Storage: curve25519_dalek::traits::Identity")]
+#[partial_default(bound = "Storage: curve25519_dalek_signal::traits::Identity")]
 #[derive_where(PartialEq; Storage: subtle::ConstantTimeEq)]
-pub struct GroupSendEndorsement<Storage = curve25519_dalek::RistrettoPoint> {
+pub struct GroupSendEndorsement<Storage = curve25519_dalek_signal::RistrettoPoint> {
     reserved: ReservedByte,
     endorsement: zkcredential::endorsements::Endorsement<Storage>,
 }
 
-impl Debug for GroupSendEndorsement<curve25519_dalek::RistrettoPoint> {
+impl Debug for GroupSendEndorsement<curve25519_dalek_signal::RistrettoPoint> {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("GroupSendEndorsement")
             .field("reserved", &self.reserved)
@@ -360,7 +361,7 @@ impl Debug for GroupSendEndorsement<curve25519_dalek::RistrettoPoint> {
     }
 }
 
-impl Debug for GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto> {
+impl Debug for GroupSendEndorsement<curve25519_dalek_signal::ristretto::CompressedRistretto> {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("GroupSendEndorsement")
             .field("reserved", &self.reserved)
@@ -388,11 +389,11 @@ pub struct ReceivedEndorsement {
     // existing memory allocation isn't sufficient anyway, and thus we're better off constructing a
     // single big Vec rather than two smaller ones, especially since we have to un-permute the
     // results. (It's close, though, only a 3-6% difference at the largest group sizes.)
-    pub compressed: GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto>,
+    pub compressed: GroupSendEndorsement<curve25519_dalek_signal::ristretto::CompressedRistretto>,
     pub decompressed: GroupSendEndorsement,
 }
 
-impl GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto> {
+impl GroupSendEndorsement<curve25519_dalek_signal::ristretto::CompressedRistretto> {
     /// Attempts to decompress the GroupSendEndorsement.
     ///
     /// Produces [`ZkGroupDeserializationFailure`] if the compressed storage isn't a valid
@@ -402,8 +403,10 @@ impl GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto> {
     /// `GroupSendEndorsement<CompressedRistretto>` and then calling `decompress`.
     pub fn decompress(
         self,
-    ) -> Result<GroupSendEndorsement<curve25519_dalek::RistrettoPoint>, ZkGroupDeserializationFailure>
-    {
+    ) -> Result<
+        GroupSendEndorsement<curve25519_dalek_signal::RistrettoPoint>,
+        ZkGroupDeserializationFailure,
+    > {
         Ok(GroupSendEndorsement {
             reserved: self.reserved,
             endorsement: self
@@ -414,14 +417,14 @@ impl GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto> {
     }
 }
 
-impl GroupSendEndorsement<curve25519_dalek::RistrettoPoint> {
+impl GroupSendEndorsement<curve25519_dalek_signal::RistrettoPoint> {
     /// Compresses the GroupSendEndorsement for storage.
     ///
     /// Serializing an `GroupSendEndorsement<RistrettoPoint>` is equivalent to calling `compress` and
     /// serializing the resulting `GroupSendEndorsement<CompressedRistretto>`.
     pub fn compress(
         self,
-    ) -> GroupSendEndorsement<curve25519_dalek::ristretto::CompressedRistretto> {
+    ) -> GroupSendEndorsement<curve25519_dalek_signal::ristretto::CompressedRistretto> {
         GroupSendEndorsement {
             reserved: self.reserved,
             endorsement: self.endorsement.compress(),
@@ -567,7 +570,7 @@ impl GroupSendFullToken {
             "wrong key pair used for this token"
         );
 
-        let user_id_sum: curve25519_dalek::RistrettoPoint = user_ids
+        let user_id_sum: curve25519_dalek_signal::RistrettoPoint = user_ids
             .into_iter()
             .map(crypto::uid_struct::UidStruct::calc_M1)
             .sum();

rust/zkgroup/src/common/sho.rs

@@ -3,8 +3,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use poksho::ShoApi;
 
 pub struct Sho {

rust/zkgroup/src/common/simple_types.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 use zkcredential::attributes::PublicAttribute;

rust/zkgroup/src/crypto/credentials.rs

@@ -5,9 +5,9 @@
 
 #![allow(non_snake_case)]
 
-use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/profile_key_commitment.rs

@@ -9,8 +9,8 @@ use crate::common::constants::*;
 use crate::common::sho::*;
 use crate::common::simple_types::*;
 use crate::crypto::profile_key_struct;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/profile_key_credential_request.rs

@@ -10,9 +10,9 @@ use crate::crypto::credentials::{
     BlindedExpiringProfileKeyCredential, ExpiringProfileKeyCredential,
 };
 use crate::crypto::profile_key_struct;
-use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/profile_key_encryption.rs

@@ -9,7 +9,7 @@ use crate::common::errors::*;
 use crate::common::sho::*;
 use crate::common::simple_types::*;
 use crate::crypto::profile_key_struct;
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/profile_key_struct.rs

@@ -8,7 +8,7 @@
 use crate::common::constants::*;
 use crate::common::sho::*;
 use crate::common::simple_types::*;
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/proofs.rs

@@ -5,9 +5,9 @@
 
 #![allow(non_snake_case)]
 
-use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::traits::Identity;
+use curve25519_dalek_signal::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::traits::Identity;
 
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};

rust/zkgroup/src/crypto/receipt_credential_request.rs

@@ -5,9 +5,9 @@
 
 #![allow(non_snake_case)]
 
-use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/receipt_struct.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::scalar::Scalar;
 use serde::{Deserialize, Serialize};
 
 use crate::common::sho::Sho;

rust/zkgroup/src/crypto/signature.rs

@@ -7,9 +7,9 @@ use crate::common::constants::*;
 use crate::common::errors::*;
 use crate::common::sho::*;
 use crate::common::simple_types::*;
-use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
-use curve25519_dalek::ristretto::RistrettoPoint;
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::constants::RISTRETTO_BASEPOINT_POINT;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::scalar::Scalar;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};
 

rust/zkgroup/src/crypto/timestamp_struct.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use curve25519_dalek::scalar::Scalar;
+use curve25519_dalek_signal::scalar::Scalar;
 use serde::{Deserialize, Serialize};
 
 use crate::common::sho::Sho;

rust/zkgroup/src/crypto/uid_encryption.rs

@@ -9,7 +9,7 @@ use crate::common::errors::*;
 use crate::common::sho::*;
 use crate::crypto::uid_struct;
 
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use lazy_static::lazy_static;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};

rust/zkgroup/src/crypto/uid_struct.rs

@@ -7,7 +7,7 @@
 
 use crate::common::sho::*;
 use crate::common::simple_types::*;
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use libsignal_core::ServiceId;
 use partial_default::PartialDefault;
 use serde::{Deserialize, Serialize};

rust/zkgroup/src/crypto/zkcredential_examples.rs

@@ -7,7 +7,7 @@
 //!
 //! Has to live in zkgroup because they implement zkcredential traits on zkgroup types.
 
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use poksho::{ShoApi, ShoSha256};
 use serde::{Deserialize, Serialize};
 use zkcredential::attributes::{Attribute, Domain, RevealedAttribute};
@@ -453,8 +453,8 @@ struct InverseUidDecryptionKey;
 impl zkcredential::attributes::Domain for InverseUidDecryptionKey {
     type Attribute = uid_encryption::Ciphertext;
     const ID: &'static str = "InverseUidEncryptionDomain_20231011";
-    fn G_a() -> [curve25519_dalek::RistrettoPoint; 2] {
-        static STORAGE: std::sync::OnceLock<[curve25519_dalek::RistrettoPoint; 2]> =
+    fn G_a() -> [curve25519_dalek_signal::RistrettoPoint; 2] {
+        static STORAGE: std::sync::OnceLock<[curve25519_dalek_signal::RistrettoPoint; 2]> =
             std::sync::OnceLock::new();
         *zkcredential::attributes::derive_default_generator_points::<Self>(&STORAGE)
     }

rust/zkgroup/tests/integration_tests.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 //
 
-use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek_signal::ristretto::RistrettoPoint;
 use hex_literal::hex;
 use sha2::Sha256;
 use zkgroup::{Timestamp, SECONDS_PER_DAY};