fix(deps): replace unmaintained rust-crypto with sha2, bump vulnerabl…

[EddieHouston]

Summary

• Replace rust-crypto with sha2 0.10 for hardware-accelerated SHA-256 (SHA-NI on x86_64, ARMv8 crypto on aarch64)
• Bump tokio 1.49→1.52 and tar 0.4.44→0.4.45 to resolve known vulnerabilities
• Add unit tests for SHA-256 correctness (NIST test vectors + P2PKH script hash)
• Resolves 11 of 18 cargo audit findings; remaining 7 are pinned by upstream crates (electrum-client, electrumd, minreq)

Motivation

cargo audit flagged 18 vulnerabilities and 15 warnings. The most actionable was rust-crypto, a direct dependency used only for SHA-256 hashing in three places:

• compute_script_hash in src/new_index/schema.rs and src/new_index/precache.rs
• get_status_hash and hash_ip_with_salt in src/electrum/server.rs

rust-crypto is unmaintained (last release 2016) and has a known AES miscomputation advisory (RUSTSEC-2022-0011). Its transitive dependency rustc-serialize has a stack overflow advisory (RUSTSEC-2022-0004) and is also unmaintained.

Prior art

mempool/electrs made the same rust-crypto → sha2 swap in 06cf2ff. Our change follows the same approach with one minor improvement: we use
.finalize().into() instead of .finalize().try_into().unwrap() for the GenericArray<u8, U32> → [u8; 32] conversion, since Into is implemented directly and avoids an unnecessary runtime panic path.

Changes

File	Change
Cargo.toml	rust-crypto = "0.2" → sha2 = "0.10"
src/new_index/schema.rs	Use sha2::{Digest, Sha256} API
src/new_index/precache.rs	Use sha2::{Digest, Sha256} API
src/electrum/server.rs	Use sha2::{Digest, Sha256} API
Cargo.lock	Remove rust-crypto/rustc-serialize tree, add sha2 tree, bump tokio and tar

Advisories resolved

Crate	Advisory	Fix
rust-crypto	RUSTSEC-2022-0011 (AES miscomputation)	Replaced with sha2
rustc-serialize	RUSTSEC-2022-0004 (stack overflow)	Removed (transitive of rust-crypto)
bytes	RUSTSEC-2026-0007 (integer overflow)	Resolved in lockfile
crossbeam-channel	RUSTSEC-2025-0024 (double free)	Resolved in lockfile
h2	RUSTSEC-2024-0332 (CONTINUATION flood)	Resolved in lockfile
hyper-util	RUSTSEC-2025-0002 (incomplete requests)	Resolved in lockfile
protobuf	RUSTSEC-2024-0437 (uncontrolled recursion)	Resolved in lockfile
rocksdb	RUSTSEC-2024-0433 (miscompilation)	Resolved in lockfile
url	RUSTSEC-2024-0438 (hostname confusion)	Resolved in lockfile
tokio	RUSTSEC-2025-0023 (broadcast unsoundness)	Bumped 1.49→1.52
tar	RUSTSEC-2026-0068 (PAX header bypass)	Bumped 0.4.44→0.4.45

Remaining (upstream-blocked)

The 7 remaining advisories cannot be resolved without upstream releases. Most are in dev-only dependencies that do not ship in the production binary; electrum-client is the exception — it ships when the electrum-discovery feature is
enabled.

Crate	Advisory	Dep chain	Production?
ring 0.16.20	RUSTSEC-2025-0009	electrum-client, electrumd	Yes (via electrum-discovery)
rustls 0.16.0	RUSTSEC-2024-0336	electrum-client	Yes (via electrum-discovery)
webpki 0.21.4	RUSTSEC-2023-0052	electrum-client	Yes (via electrum-discovery)
rustls 0.19.1	RUSTSEC-2024-0336	electrumd → ureq	No (dev-dep)
idna 0.2.3	RUSTSEC-2024-0421	electrumd → ureq	No (dev-dep)
rustls-webpki 0.101.7	RUSTSEC-2026-0098, 0099	minreq → corepc-node	No (dev-dep)

Test plan

• cargo check passes (default features)
• cargo check --features liquid passes
• cargo test new_index::schema::tests — 3 unit tests pass:
  • test_sha256_empty_input — NIST test vector for SHA-256("")
  • test_sha256_abc — NIST test vector for SHA-256("abc")
  • test_p2pkh_script_hash — real P2PKH scriptPubKey verified against independent SHA-256 computation
• rest of tests also pass: cargo test -p electrs