OsRng run-time failure / the rand_os crate / modularity

[dhardy]

Roughly, rand could be modularised as follows:

component	dependencies
rand_core
PRNG crates	core
rand_os	core + std
JitterRng	core + std
EntropyRng	core + os + jitter + std
ThreadRng	core + os + jitter + entropy + std + hc
seq	core
distributions	core
Rng	core + seq + distributions

Roughly 30% of the current code comes under non-linear distributions, which is its own story (#290). For the rest I don't think there's sufficient utility for more crates.

I regret accepting #643 as-is; it "promises" to support all std platforms yet fails on WASM with a compile error (#674, #678) and on any unsupported platforms. The reasons that is an issue are convoluted (probably involving users depending on rand with default features yet not needing them all), but the conclusion of #678 is that Rand should always build for wasm32-unknown-unknown, failing if necessary at run-time.

We used to use run-time failure within EntropyRng but disable OsRng at compile time where unneeded. Practical solutions are:

1. Restore the old behavior: rand_os must compile but without the OsRng struct on unsupported platforms. EntropyRng is currently available on all platforms but with run-time failure when no source is available, however it requires a complex cfg pattern in order to disable the missing OsRng dependency when not available; it would therefore make sense to have this in the same crate.
2. Enable OsRng on WASM, and use run-time failure on missing implementation.
3. Enable OsRng on all platforms, and use run-time failure on missing implementation.

I think the cleanest solution would be (1), but @tarcieri @naftulikay I understand there would be resistance to moving JitterRng into rand_os. Is this really justified? I guess in part this depends on whether the RFC proposed in #648 gets accepted, though this will be a while coming.

Otherwise we can do (2) or (3); the difference is that (2) would cause build failures on any platform where Rand is used with std/default features but OsRng is unavailable. I'm not sure whether this is a good idea?

I suppose (2) is most sensible now.

CC @newpavlov @burdges

[tarcieri]

I understand there would be resistance to moving JitterRng into rand_os. Is this really justified?

I do not consider JitterRng as meeting the contract of an OsRng. It is bespoke Rust code, as opposed to a system-provided CSRNG. Personally I would like something where if an OS / platform-specific RNG is not available, it will refuse to compile, as opposed to falling back to JitterRng.

[dhardy]

Personally I would like something where if an OS / platform-specific RNG is not available, it will refuse to compile

The current compile_error! is not an option due to the required cfgs being over-complex, but (1) is close enough.

I am not proposing to adjust OsRng in any other way; simply to add EntropyRng and JitterRng to the same crate.

[newpavlov]

the conclusion of #678 is that Rand should always build for wasm32-unknown-unknown, failing if necessary at run-time.

I disagree with it. I believe that rand_os should fail at compile time for wasm32-unknown-unknown if none of stdweb or wasm_bindgen features are enabled, or if they are enabled both.

The breakage caused by splitting code into rand_os is indeed unfortunate, but I think we better do the following:

• publish rand_os v0.1.1 which will use stdweb as a "default"
• yank rand_os v0.1.0
• publish rand_os v0.2.0 which will use compile error if both or none of the features are enabled

[CryZe]

You can't have target specific features with cargo atm, therefore it is impossible to correctly implement failing to compile at the moment. I have indirect dependencies on rand through criterion and parking_lot. You can't realistically disable the rand_os dependency (via rand's std feature as far as I understand) for both of these crates. Therefore my use case will always (or at least until cargo can support target specific features) compile in rand_os without using stdweb or wasm_bindgen. So failing to compile is not a realistic option until then.

What is needed is either a split between the -unknown and a potential -web target and / or fixing cargo.

[dhardy]

I disagree with it.

Noted, but the alternative is to keep telling those who complain about broken CI that they need more complex set-up to add the required feature on WASM... I guess this is possible, but it's a support nightmare.

@CryZe you can probably do this — force your CI tests to depend on WASM + stdweb (or -bindgen). However if you don't use Rand directly, you will need to add it (as a dev-dependency or via another crate only used for testing).

publish rand_os v0.2.0 which will use compile error if both or none of the features are enabled

Well, I disagree with that, because there is a plan to eventually make the two compatible.

What is needed is either a split between the -unknown and a potential -web target and / or fixing cargo.

Agreed; however for now we have to support wasm32-unknown-unknown, and for that I think we're justified in deviating a little from how we normally do things.

[CryZe]

It's not my tests that are broken, it's the actual compile (the tests work just fine). For my actual compile, I can't activate either stdweb or wasm-bindgen feature, because I'm not using them (I'm using a different binding generator, so this is kind of the truly "unknown" use case where I'm fine with rand not having a notion of an OS RNG). Also my crate does not exercise any code paths in the wasm compiled code that uses rand_os. However it gets compiled regardless because criterion is a dev-dependency, so cargo not separating features across different dependency kinds or targets is a big problem.

[dhardy]

But you could work around this by adding one of the features in your build?

[tarcieri]

You can't have target specific features with cargo atm, therefore it is impossible to correctly implement failing to compile at the moment.

I'm confused why this can't be done with combinations of cfg(all(...)) / cfg(all(not(...), ...)), feature, target, and compile_error!. It seems possible to implement correctly to me, albeit a bit onerous (and also seems like something to this effect is already happening).

[CryZe]

The stdweb feature doesn't work as I'm not using cargo web (this wouldn't make sense for my unknown use case):

error: custom attribute panicked
  --> C:\Users\Christopher Serr\.cargo\registry\src\github.com-1ecc6299db9ec823\stdweb-0.4.12\src\webcore\macros.rs:32:9
   |
32 |         #[$crate::private::js_raw_attr]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   |
  ::: C:\Users\Christopher Serr\.cargo\registry\src\github.com-1ecc6299db9ec823\stdweb-0.4.12\src\webcore\initialization.rs:20:5
   |
20 |     stdweb_internal_runtime_initialize!( __js_raw_asm );
   |     ---------------------------------------------------- in this macro invocation
   |
   = help: message: you need to use `cargo-web` to compile your project for the `wasm32-unknown-unknown` target

However I just tried the wasm-bindgen feature too and it does seem like it does not conflict with anything the unknown use case needs. So I'm actually fine with that.

I'm confused why this can't be done with combinations of cfg(all(...)) / cfg(all(not(...), ...)), feature, target, and compile_error!.

Cargo propagates features of any cfg combination in the Cargo.toml to all dev-dependencies / (normal-)dependencies and all cfg combinations. They are all in a shared feature space, the cfg'ing or dev-dependency-ing doesn't do anything. This is a bug which is not fixed. Therefore within your actual code your cfg will be against the wrong feature flags, that are actually coming from a different target of a different dependency kind. So here it is the dev-dependency criterion compiled for the host that needs OsRng, but the actual wasm32-unknown-unknown target that your code is targeting doesn't need or want OsRng, but criterion's rand/std feature gets propagated to rand regardless and thus OsRng gets compiled in, even though it's only needed in the dev-dependency on the host (x86, not wasm).

[burdges]

I'd prefer if ThreadRng remained cryptographic, so I'm now more curious about insecurities in the fallback to JitterRng. I suppose ThreadRng: CryptoRng could become platform dependent though?

I've no opinion on rand_os being a separate crate, but reverting that decision sounds doable. I love combining all this mess into one crate regardless, so I'd say throw JitterRng, EntropyRng, etc. all into rand_os even if not required. OsRng would never call JitterRng of course, but JitterRng exists due to OS shortcomings, so rand_os makes sense. Anyone writing an OS PRNG could reuse this code inside their OS by providing a different build target for the kernel itself.

I think runtime failures sound perfectly acceptable here too. impl RngCore for OsRng could just call debug_assert_eq!(true,false,"OsRng unavailable!"); everywhere. It triggers in debug builds and CI only if you use OsRng. I'm curious though if pub type OsRng = !; or pub enum OsRng {} provides a compile time solution, preferably omitting OsRng: RngCore or OsRng: CryptoRng in those cases.

[newpavlov]

IIRC jitter fallback is only needed for Windows. One option will be to incorporate it into Windows OS RNG implementation inside rand_os (feature gated maybe?). This way we can remove EntropyRng altogether and use OsRng directly.

I'm now more curious about insecurities in the fallback to JitterRng

In my understanding JitterRng should be cryptographically secure, the main issue with it is its performance. Citing JitterRng docs:

A consequence is that it is orders of magnitude slower than OsRng and PRNGs (about 10³..10⁶ slower).

[dhardy]

Interesting point about JitterRng only being needed for Windows. We added it because of one observed problem, though don't know in general how widely useful it is — certainly, most of the time it will not be used.

We could put it behind a feature gate which is disabled by default — most people won't notice the difference, and those that do can consider enabling it.

I'd prefer if ThreadRng remained cryptographic

It will — at the very least we will avoid known security problems and only use things we have reason to believe are secure. Whether or not this meets your standards of security is another matter; currently we don't have formal standards and I don't really want to go there.