std: implement the random feature (alternative version)
#129201
Conversation
|
r? @Noratrieb rustbot has assigned @Noratrieb. Use |
rustbot
added
O-hermit
This comment has been minimized.
This comment has been minimized.
|
I'm nominating this for T-libs: Do you consider a periodically reseeded, non-RC4-based @rustbot label +I-libs-nominated |
rustbot
added
the
I-libs-nominated
|
The Miri subtree was changed cc @rust-lang/miri |
|
Thanks for adding the Miri shim! Could you also add a test (in |
There was a problem hiding this comment.
Do you consider a periodically reseeded, non-RC4-based arc4random_buf secure enough to serve as default random source on the non-Linux UNIX platforms?
So I'm not t-libs, but familiar with OS randomness, so just going to chime in politely. The documentation for arc4random_buf states that it generates "cryptographic pseudo-random" and pretty much all modern UNIX distributions have moved on from RC4 to something better. For all the targets which use this function, does Rust officially support any OS versions which use weaker CSPRNG functions? I don't think we want the possibility of ever hitting a bad RNG "in the wild", so to speak.
Also related: I think the documentation of the RandomSource trait needs to state more guarantees of implementations. At this time its just too loose to ever let it be recommended over the getrandom crate or rand_core's CryptoRng. Is that intended per the accepted ACP?
| @@ -0,0 +1,7 @@ | |||
| pub fn fill_bytes(bytes: &mut [u8], best_effort: bool) { | |||
| if best_effort { | |||
| bytes.fill(4); // Chosen by fair dice roll. Guaranteed to be random. | |||
There was a problem hiding this comment.
Maybe a chance to improve this from the previous (1, 2) is to get a stack or heap pointer address?
| all(target_family = "wasm", target_os = "unknown"), | ||
| target_os = "xous", | ||
| ))] { | ||
| // FIXME: finally remove std support for wasm32-unknown-unknown |
There was a problem hiding this comment.
Is there a tracking issue to link to this?
There was a problem hiding this comment.
No, but perhaps we should open one.
library/std/src/random.rs
Outdated
| /// The default random source. | ||
| /// | ||
| /// This asks the system for the best random data it can provide, meaning the | ||
| /// resulting bytes *should* be usable for cryptographic purposes. Check your |
There was a problem hiding this comment.
Seems like a problem to say should here because then its completely unreliable. imo std should guarantee this or not.
There was a problem hiding this comment.
I've improved the wording, it should be a bit more clear about our promises. If the platform has some specific requirements to ensure the strength of the RNG, we can't do anything about that, so we definitely should encourage people to consult the platform documentation.
There was a problem hiding this comment.
Yeah, makes sense. Its outside of std's control to enable all the various kernel configs etc.
It might be worth thinking about this change a bit more? Here's some numbers in case anyone else is curious. Funnily enough it actually appears to be faster to pull large amounts (>= 512) of bytes out of |
Something is wrong with your benchmark code, Edit: The issue is that |
That is not intended; it should ideally be at least as good as |
|
I'll improve the wording, this is just as good as |
Noratrieb
added
S-waiting-on-team
We discussed this during today's T-libs meeting and did not manage to reach consensus because the tradeoffs involved in what we want to promise. On BSDs where arc4random is implemented as a reseeded userspace CSPRNG that's properly wiped on fork it is probably fine as a fast RNG source that would even be appropriate for cryptographic uses in most scenarios. The issue is that there still are edge-cases where it's better to go directly to the kernel and have it tap hardware RNGs if those are available, e.g. to avoid state reuse when VMs get cloned. |
This comment was marked as resolved.
This comment was marked as resolved.
|
VM cloning is a good point! I'm not sure if providing two random sources is a good idea though, if we advertise the default as being "cryptographically secure" then people are going to use it as such without considering edge-cases. But that's a question for libs-api, as you said. I'm not sure that the choice between |
joboet
force-pushed
the
random_faster_sources
branch
from
c02bc9e
to
228bd6d
Compare
|
Rebased to reintroduce |
joboet
force-pushed
the
random_faster_sources
branch
from
228bd6d
to
6e78b60
Compare
|
I'm filing issues with some of the respective platforms, here's the list so far:
|
bors
added
the
S-waiting-on-bors
…shtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
…triplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
This comment has been minimized.
This comment has been minimized.
|
💔 Test failed - checks-actions |
bors
added
S-waiting-on-review
joboet
force-pushed
the
random_faster_sources
branch
from
f95e4c9
to
3ff09a0
Compare
|
I needed to reformat with the new 2024 rules. |
bors
added
S-waiting-on-bors
…shtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
…kingjubilee Rollup of 7 pull requests Successful merges: - rust-lang#129201 (std: implement the `random` feature (alternative version)) - rust-lang#130536 (bootstrap: Set the dylib path when building books with rustdoc) - rust-lang#130551 (Fix `break_last_token`.) - rust-lang#130657 (Remove x86_64-fuchsia and aarch64-fuchsia target aliases) - rust-lang#130721 (Add more test cases for block-no-opening-brace) - rust-lang#130736 (Add rustfmt 2024 reformatting to git blame ignore) - rust-lang#130746 (readd `@tgross35` and `@joboet` to the review rotation) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129201 - joboet:random_faster_sources, r=joshtriplett std: implement the `random` feature (alternative version) Implements the ACP rust-lang/libs-team#393. This PR is an alternative version of rust-lang#129120 that replaces `getentropy` with `CCRandomGenerateBytes` (on macOS) and `arc4random_buf` (other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs. `CCRandomGenerateBytes`/`arc4random_buf` on the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded with `getentropy`.
Implements the ACP rust-lang/libs-team#393.
This PR is an alternative version of #129120 that replaces
getentropywithCCRandomGenerateBytes(on macOS) andarc4random_buf(other BSDs), since that function is not suited for generating large amounts of data and should only be used to seed other CPRNGs.CCRandomGenerateBytes/arc4random_bufon the other hand is (on modern platforms) just as secure and uses its own, very strong CPRNG (ChaCha20 on the BSDs, AES on macOS) periodically seeded withgetentropy.