diff --git a/WORKSPACE b/WORKSPACE
index 9e88832f..6b391b02 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -100,6 +100,15 @@ http_archive(
 url = "https://github.com/bazelbuild/rules_scala/releases/download/v%s/rules_scala-v%s.tar.gz" % (RULES_SCALA_TAG, RULES_SCALA_TAG),
 )
+RULES_FUZZING_TAG = "0.5.2"
+
+http_archive(
+ name = "rules_fuzzing",
+ integrity = "sha256-5rwhm/rJ4fg7Mn3QkPcoqflz7pm5tdjloYSicy7whiM=",
+ strip_prefix = "rules_fuzzing-%s" % RULES_FUZZING_TAG,
+ urls = ["https://github.com/bazelbuild/rules_fuzzing/releases/download/v%s/rules_fuzzing-%s.zip" % (RULES_FUZZING_TAG, RULES_FUZZING_TAG)],
+)
+
 # Third-party
 # =========================================================
@@ -259,10 +268,11 @@ http_archive(
 url = "https://github.com/TokTok/jvm-macros/archive/%s.tar.gz" % JVM_MACROS_TAG,
 )
-C_TOXCORE_TAG = "0.2.12"
+C_TOXCORE_TAG = "0.2.20"
 http_archive(
 name = "c-toxcore",
+ integrity = "sha256-qciaja6nRdU+XXjnqsuZx7R5LEQApaaccSOPRdYWT0w=",
 patch_cmds = [
 # Delete references to the "project" stuff that lives in toktok-stack.
 "sed -i /project/d BUILD.bazel",
@@ -276,6 +286,7 @@ http_archive(
 "sed -i /no_undefined/d toxencryptsave/BUILD.bazel",
 "sed -i /no_undefined/d toxav/BUILD.bazel",
 "sed -i /no_undefined/d toxcore/BUILD.bazel",
+ "sed -i /no_undefined/d third_party/BUILD.bazel",
 # Replace toktok-stack selects w/ more standard versions.
 "sed -i 's|//tools/config:linux|@platforms//os:linux|g' toxcore/BUILD.bazel",
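Review bot: The new `rules_fuzzing` `http_archive` in the first WORKSPACE hunk has no comment saying why a fuzzing ruleset is needed in this workspace, and nothing else in the visible hunks uses it. If it is only there because the BUILD files of c-toxcore 0.2.20 load it (an inference from the tag bump in the same commit), say so above `RULES_FUZZING_TAG`, e.g. `# Required to load c-toxcore's BUILD files; not used by our own targets.` The same applies to the `rules_fuzzing_dependencies()` and `rules_fuzzing_init()` calls added at the end of the file, which declare further repositories whose pins are not visible in this WORKSPACE.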
@@ -290,13 +301,13 @@ http_archive(
 "sed -i 's|//c-toxcore:|@c-toxcore//:|g' toxcore/BUILD.bazel",
 "sed -i 's|//c-toxcore:|@c-toxcore//:|g' toxav/BUILD.bazel",
 "sed -i 's|//c-toxcore:|@c-toxcore//:|g' toxencryptsave/BUILD.bazel",
+ "sed -i 's|//c-toxcore:|@c-toxcore//:|g' third_party/BUILD.bazel",
 # Flatten the gendir structure to deal with c-toxcore having its own workspace.
 "sed -i 's|$(GENDIR)/c-toxcore/|$(RULEDIR)/|g' BUILD.bazel",
 ],
- sha256 = "6d21fcd8d505e03dcb302f4c94b4b4ef146a2e6b79d4e649f99ce4d9a4c0281f",
 strip_prefix = "c-toxcore-%s" % C_TOXCORE_TAG,
- url = "https://github.com/TokTok/c-toxcore/archive/v%s.zip" % C_TOXCORE_TAG,
+ url = "https://github.com/TokTok/c-toxcore/releases/download/v%s/c-toxcore-%s.tar.gz" % (C_TOXCORE_TAG, C_TOXCORE_TAG),
 )
 # Transitive dependencies and toolchain setup
@@ -347,3 +358,11 @@ scala_repositories()
 scala_proto_repositories()
 scala_proto_register_enable_all_options_toolchain()
+
+load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies")
+
+rules_fuzzing_dependencies()
+
+load("@rules_fuzzing//fuzzing:init.bzl", "rules_fuzzing_init")
+
+rules_fuzzing_init()
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index efb7e248..4c9b1d76 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -12,7 +12,7 @@ espresso = "3.6.1"
 lifecycle = "2.8.7"
 navigation = "2.7.7" # 2.8.2 requires minSdk 21.
 room = "2.6.1"
-tox4j-android = "0.2.19"
+tox4j-android = "0.2.20"
 tox4j-core = "0.2.3"
 [plugins]
diff --git a/scripts/dependencies.mk b/scripts/dependencies.mk
index 09f008c3..52ee9c10 100644
--- a/scripts/dependencies.mk
+++ b/scripts/dependencies.mk
@@ -90,8 +90,7 @@ $(PREFIX)/protobuf.stamp: $(SRCDIR)/protobuf $(TOOLCHAIN_FILE) $(PROTOC)
 # toxcore
 $(SRCDIR)/toxcore:
- git clone --depth=1 --branch=v0.2.19 --recursive https://github.com/TokTok/c-toxcore $@
- cd $@ && patch -p1 < $(CURDIR)/scripts/patches/enable_cbr_in_tox.patch
+ git clone --depth=1 --branch=v0.2.20 --recursive https://github.com/TokTok/c-toxcore $@
 $(PREFIX)/toxcore.stamp: $(foreach f,$(shell cd $(SRCDIR)/toxcore && git ls-files),$(SRCDIR)/toxcore/$f)
 $(PREFIX)/toxcore.stamp: $(SRCDIR)/toxcore $(TOOLCHAIN_FILE) $(foreach i,libsodium opus libvpx,$(PREFIX)/$i.stamp)
diff --git a/scripts/patches/enable_cbr_in_tox.patch b/scripts/patches/enable_cbr_in_tox.patch
deleted file mode 100644
index c39eaabd..00000000
--- a/scripts/patches/enable_cbr_in_tox.patch
+++ /dev/null
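Review bot: The new `git clone --depth=1 --branch=v0.2.20` line in the `$(SRCDIR)/toxcore` recipe trusts whatever the upstream tag points to at build time, while the WORKSPACE side of this same commit pins c-toxcore 0.2.20 with an `integrity` hash. Tags can be re-pointed, so I would verify the checkout before building, e.g. a second recipe line `cd $@ && test "$$(git rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>"` (placeholder; the commit id is not shown on this page). The hunk also stops applying `enable_cbr_in_tox.patch`, whose description says it moves Opus to CBR so that speech cannot be inferred from the sizes of encrypted packets. Presumably v0.2.20 already contains that change, but nothing visible here confirms it; please state that in the commit message or check that `OPUS_SET_VBR(0)` is present in the tagged `toxav/audio.c`, otherwise this build silently goes back to VBR.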
@@ -1,64 +0,0 @@
-From 4bdf8645db4df32916824e68eb2a5a08bdbf3e8f Mon Sep 17 00:00:00 2001
-From: Maxim Biro
-Date: Fri, 10 May 2024 01:07:43 -0400
-Subject: [PATCH] fix: Use Opus in the CBR mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-VBR is susceptible to a transcription attack, where words can be
-deducted from bandwidth fluctuations, even despite the audio being
-encrypted. Toxcore does add padding, but it's just 0-7 bytes, to pad to
-a 8 byte boundary, which might not be enough. CBR is safe from this
-attack, it is the industry recommendation to use CBR: "Applications
-conveying highly sensitive unstructured information SHOULD NOT use
-codecs in VBR mode."[1], and is what other secure messengers use too,
-e.g. Signal.
-
-Here are some papers on this topic:
-- A. M. White, A. R. Matthews, K. Z. Snow and F. Monrose, "Phonotactic
- Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks,"
- 2011 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2011,
- pp. 3-18, doi: 10.1109/SP.2011.34.
-- L. A. Khan, M. S. Baig, and Amr M. Youssef. Speaker recognition
- from encrypted VoIP communications. Digit. Investig. 7, 1–2 (October,
- 2010), 65–73. https://doi.org/10.1016/j.diin.2009.10.001
-- C. V. Wright, L. Ballard, S. E. Coull, F. Monrose and G. M. Masson,
- "Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP
- Conversations," 2008 IEEE Symposium on Security and Privacy (sp 2008),
- Oakland, CA, USA, 2008, pp. 35-49, doi: 10.1109/SP.2008.21.
-
-Thanks to an IRC user who asked to remain anonymous for sending the
-diff.
-
-[1] https://datatracker.ietf.org/doc/html/rfc6562#section-3
----
- toxav/audio.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/toxav/audio.c b/toxav/audio.c
-index 2cbc02d20a..92df2b8b47 100644
---- a/toxav/audio.c
-+++ b/toxav/audio.c
-@@ -377,6 +377,21 @@ static OpusEncoder *create_audio_encoder(const Logger *log, uint32_t bit_rate, u
- goto FAILURE;
- }
-
-+ /*
-+ * The libopus library defaults to VBR, which is unsafe in any VoIP environment
-+ * (see for example doi:10.1109/SP.2011.34). Switching to CBR very slightly
-+ * decreases audio quality at lower bitrates.
-+ *
-+ * Parameters:
-+ * `[in]` `x` `opus_int32`: Whether to use VBR mode, 1 (VBR) is default
-+ */
-+ status = opus_encoder_ctl(rc, OPUS_SET_VBR(0));
-+
-+ if (status != OPUS_OK) {
-+ LOGGER_ERROR(log, "Error while setting encoder ctl: %s", opus_strerror(status));
-+ goto FAILURE;
-+ }
-+
- /*
- * Configures the encoder's use of inband forward error correction.
- * Note: