Skip to content

fix(qr-link): remove legacy UserData with BLAKE3 domain separation flaw#1147

Merged
danielle-tfh merged 5 commits intomainfrom
danielle/remove-legacy-userdata-qr-link
Apr 9, 2026
Merged

fix(qr-link): remove legacy UserData with BLAKE3 domain separation flaw#1147
danielle-tfh merged 5 commits intomainfrom
danielle/remove-legacy-userdata-qr-link

Conversation

@danielle-tfh
Copy link
Copy Markdown
Contributor

@danielle-tfh danielle-tfh commented Apr 8, 2026
edited
Loading

Context

The hasher_update() in UserData concatenated variable-length fields into BLAKE3 without length prefixes or separators, allowing hash collisions by shifting bytes between adjacent fields (Security Report #3612933). UserData is superseded by AppAuthenticatedData from orb-relay-messages, which has the same flaw fixed in worldcoin/orb-relay-messages#98.

Changes

  • Remove UserData, DataPolicy, and the blake3/serde dependencies they required
  • Add QR v5 encode/decode support so the orb can accept hashes from apps using the fixed hash_with_length_prefix() method

QR v5

The version prefix in the QR code tells the orb which hash verification to use:

Version Prefix Verify method
v4 '4' AppAuthenticatedData::verify() (legacy)
v5 '5' AppAuthenticatedData::verify_with_length_prefix()

The payload format (UUID + hash bytes) is the same for both versions.

Dependencies

@danielle-tfh
fix(qr-link): remove legacy UserData with BLAKE3 domain separation flaw
7898c4f 
UserData and DataPolicy are superseded by AppAuthenticatedData from
orb-relay-messages. They were exported but unused by any downstream
crate (verified in both orb-software and priv-orb-core).

The removed hasher_update() concatenated variable-length fields without
length prefixes, allowing trivial hash collisions by shifting bytes
between adjacent fields. The fix for the production code path
(AppAuthenticatedData) will land in orb-relay-messages.

Also removes now-unused blake3 and serde dependencies from orb-qr-link,
and cleans up non-compiling doc examples that referenced removed types.
@danielle-tfh danielle-tfh requested a review from a team as a code owner April 8, 2026 09:30
@danielle-tfh
feat(qr-link): add QR v5 support for length-prefixed hash verification
d1c3922 
Add encode/decode support for QR v5, which uses the length-prefixed
BLAKE3 hash from orb-relay-messages to prevent domain separation
collisions. V4 (legacy) remains supported for backward compatibility.

- decode_qr_with_version now accepts both '4' and '5' version prefixes
- Add encode_static_qr_v5 for generating v5 QR codes
- Update orb-relay-messages to rev with hash_with_length_prefix
- Add tests for v5 roundtrip, rejection, and cross-version isolation
@danielle-tfh
style(qr-link): fix rustfmt formatting
7d4079a
@danielle-tfh danielle-tfh mentioned this pull request Apr 8, 2026
Merged
andronat
andronat reviewed Apr 8, 2026
View reviewed changes
Comment thread qr-link/src/decode.rs Outdated
Comment on lines +35 to +36
/// Shared by v4 (legacy hash) and v5 (length-prefixed hash) — the payload
/// format is identical, only the hash function differs.
Copy link
Copy Markdown
Member

@andronat andronat Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If v4 and v5 are identical, then why don't we just release the new lib with the length-prefixed hash and keep the version the same? If I understand correctly the length check is a bug right?

Copy link
Copy Markdown
Contributor Author

@danielle-tfh danielle-tfh Apr 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are not identical :( but thats a confusing comment

The length-prefix fix changes the hash output — hash() and hash_with_length_prefix() produce different bytes for the same AppAuthenticatedData. So if an app starts using the new hash but the orb only knows v4, verification silently fails. The version byte lets the orb distinguish which hash function was used and call the right verify method. Does that make sense, or do you think trying both hashes without a version bump would be better?

@danielle-tfh danielle-tfh enabled auto-merge (squash) April 9, 2026 16:56
@danielle-tfh danielle-tfh merged commit c4e207b into main Apr 9, 2026
23 checks passed
@danielle-tfh danielle-tfh deleted the danielle/remove-legacy-userdata-qr-link branch April 9, 2026 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andronat andronat andronat approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danielle-tfh @andronat