-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
std: implement the random
feature (alternative version)
#129201
Conversation
r? @Noratrieb rustbot has assigned @Noratrieb. Use |
This comment has been minimized.
This comment has been minimized.
I'm nominating this for T-libs: Do you consider a periodically reseeded, non-RC4-based @rustbot label +I-libs-nominated |
The Miri subtree was changed cc @rust-lang/miri |
Thanks for adding the Miri shim! Could you also add a test (in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you consider a periodically reseeded, non-RC4-based arc4random_buf secure enough to serve as default random source on the non-Linux UNIX platforms?
So I'm not t-libs, but familiar with OS randomness, so just going to chime in politely. The documentation for arc4random_buf
states that it generates "cryptographic pseudo-random" and pretty much all modern UNIX distributions have moved on from RC4 to something better. For all the targets which use this function, does Rust officially support any OS versions which use weaker CSPRNG functions? I don't think we want the possibility of ever hitting a bad RNG "in the wild", so to speak.
Also related: I think the documentation of the RandomSource
trait needs to state more guarantees of implementations. At this time its just too loose to ever let it be recommended over the getrandom
crate or rand_core
's CryptoRng
. Is that intended per the accepted ACP?
@@ -0,0 +1,7 @@ | |||
pub fn fill_bytes(bytes: &mut [u8], best_effort: bool) { | |||
if best_effort { | |||
bytes.fill(4); // Chosen by fair dice roll. Guaranteed to be random. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe a chance to improve this from the previous (1, 2)
is to get a stack or heap pointer address?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea! Done.
all(target_family = "wasm", target_os = "unknown"), | ||
target_os = "xous", | ||
))] { | ||
// FIXME: finally remove std support for wasm32-unknown-unknown |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a tracking issue to link to this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, but perhaps we should open one.
library/std/src/random.rs
Outdated
/// The default random source. | ||
/// | ||
/// This asks the system for the best random data it can provide, meaning the | ||
/// resulting bytes *should* be usable for cryptographic purposes. Check your |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like a problem to say should here because then its completely unreliable. imo std should guarantee this or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've improved the wording, it should be a bit more clear about our promises. If the platform has some specific requirements to ensure the strength of the RNG, we can't do anything about that, so we definitely should encourage people to consult the platform documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, makes sense. Its outside of std's control to enable all the various kernel configs etc.
It might be worth thinking about this change a bit more? Here's some numbers in case anyone else is curious. Funnily enough it actually appears to be faster to pull large amounts (>= 512) of bytes out of
|
Something is wrong with your benchmark code, Edit: The issue is that |
That is not intended; it should ideally be at least as good as |
I'll improve the wording, this is just as good as |
We discussed this during today's T-libs meeting and did not manage to reach consensus because the tradeoffs involved in what we want to promise. On BSDs where arc4random is implemented as a reseeded userspace CSPRNG that's properly wiped on fork it is probably fine as a fast RNG source that would even be appropriate for cryptographic uses in most scenarios. The issue is that there still are edge-cases where it's better to go directly to the kernel and have it tap hardware RNGs if those are available, e.g. to avoid state reuse when VMs get cloned. |
This comment was marked as resolved.
This comment was marked as resolved.
VM cloning is a good point! I'm not sure if providing two random sources is a good idea though, if we advertise the default as being "cryptographically secure" then people are going to use it as such without considering edge-cases. But that's a question for libs-api, as you said. I'm not sure that the choice between |
c02bc9e
to
228bd6d
Compare
Rebased to reintroduce |
228bd6d
to
6e78b60
Compare
I'm filing issues with some of the respective platforms, here's the list so far:
|
…shtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
…triplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
This comment has been minimized.
This comment has been minimized.
💔 Test failed - checks-actions |
f95e4c9
to
3ff09a0
Compare
I needed to reformat with the new 2024 rules. |
…shtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
…kingjubilee Rollup of 7 pull requests Successful merges: - rust-lang#129201 (std: implement the `random` feature (alternative version)) - rust-lang#130536 (bootstrap: Set the dylib path when building books with rustdoc) - rust-lang#130551 (Fix `break_last_token`.) - rust-lang#130657 (Remove x86_64-fuchsia and aarch64-fuchsia target aliases) - rust-lang#130721 (Add more test cases for block-no-opening-brace) - rust-lang#130736 (Add rustfmt 2024 reformatting to git blame ignore) - rust-lang#130746 (readd `@tgross35` and `@joboet` to the review rotation) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129201 - joboet:random_faster_sources, r=joshtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
Implements the ACP rust-lang/libs-team#393.
This PR is an alternative version of #129120 that replaces
getentropy
withCCRandomGenerateBytes
(on macOS) andarc4random_buf
(other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs.CCRandomGenerateBytes
/arc4random_buf
on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded withgetentropy
.