Skip to content

Seed weak_rng with the current time if OsRng fails #181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alexcrichton merged 3 commits into from
Oct 27, 2017
Merged

Seed weak_rng with the current time if OsRng fails #181

alexcrichton merged 3 commits into from
Oct 27, 2017

Conversation

@cpeterso
Copy link
Contributor

@cpeterso cpeterso commented Oct 22, 2017

And add a test for weak_rng.

dhardy
dhardy reviewed Oct 22, 2017
View reviewed changes
Copy link
Member

@dhardy dhardy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main thing I want to say here is that Xorshift is a terrible PRNG to use to seed other PRNGs with. If you want a fallback source of entropy to use when seeding stuff, I'd recommend still using a better PRNG internally (e.g. Isaac: StdRng).

Xorshift is really so bad for seeding stuff that if you seed one XorshiftRng from another, they essentially end up being clones. The refactor in progress will very likely remove this algorithm.

Possibly my recommendation here would be to adapt thread_rng instead, and make weak_rng seed from thread_rng. This does make thread_rng weaker, but it's not supposed to be used for crypto anyway. Not 100% sure if this is agreeable; alternatively you could add a new function.

src/lib.rs Outdated
Err(e) => panic!("weak_rng: failed to create seeded RNG: {:?}", e)
Err(_) => {
// Set a bit because XorShiftRng will panic if the seed is
// entirely zero.
Copy link
Member

@dhardy dhardy Oct 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure you don't want this to panic if precise_time_ns is so broken it returns zero? You've got zero entropy in this case... for some uses that doesn't matter but not necessarily all.

@dhardy dhardy mentioned this pull request Oct 23, 2017
Closed
@dhardy
Copy link
Member

dhardy commented Oct 23, 2017

See also dhardy#21 which makes a similar change on my branch of rand

@cpeterso
Copy link
Contributor Author

cpeterso commented Oct 23, 2017
edited
Loading

Possibly my recommendation here would be to adapt thread_rng instead, and make weak_rng seed from thread_rng. This does make thread_rng weaker, but it's not supposed to be used for crypto anyway. Not 100% sure if this is agreeable; alternatively you could add a new function.

Thanks. I see that fixing thread_rng instead of just weak_rng would avoid these panics for other callers. I will need to check that thread_rng's periodic reseeding also avoids these panics.

@cpeterso cpeterso force-pushed the cpeterso-weak_rng-seed branch from 030c961 to b008e1d Compare October 24, 2017 06:28
@cpeterso
Copy link
Contributor Author

cpeterso commented Oct 24, 2017

This PR moves the OsRng fallback into thread_rng and then uses thread_rng to seed weak_rng.

I construct the weak fallback seed from the current system time using std::time, as suggested in dhardy#21 (comment), instead of adding a new crate dependency just for time::precise_time_ns().

dhardy
dhardy reviewed Oct 24, 2017
View reviewed changes
src/lib.rs Outdated
let unix_time = now.duration_since(time::UNIX_EPOCH).unwrap();
let secs = unix_time.as_secs() as usize;
let nanos = unix_time.subsec_nanos() as usize;
[(secs << 32) | nanos]
Copy link
Member

@dhardy dhardy Oct 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1s = 10^9 ns, not 2^32 ns

It doesn't matter precisely, but if you want a fast approximation use << 30 to avoid leaving 2 empty bits

Copy link
Contributor Author

@cpeterso cpeterso Oct 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If usize is 32 bits, then shifting secs << 32 (or 30) will lose data. Instead of shifting any bits, I could return them all like [secs, nanos] and let StdRng use the bits as it sees fit. A comment in isaac.rs says reseed() will "make the seed into [seed[0], seed[1], ..., seed[seed.len() - 1], 0, 0, ...], to fill rng.rsl."

@cpeterso cpeterso force-pushed the cpeterso-weak_rng-seed branch from b008e1d to 0812927 Compare October 25, 2017 05:30
@cpeterso cpeterso force-pushed the cpeterso-weak_rng-seed branch from 0812927 to 6d297d5 Compare October 25, 2017 05:37
@dhardy dhardy mentioned this pull request Oct 27, 2017
Closed
@alexcrichton alexcrichton merged commit 81a5422 into rust-random:master Oct 27, 2017
@alexcrichton
Copy link
Contributor

alexcrichton commented Oct 27, 2017

Thanks @cpeterso!

@dhardy dhardy mentioned this pull request Oct 27, 2017
Closed
4 tasks
@cpeterso cpeterso deleted the cpeterso-weak_rng-seed branch October 30, 2017 05:08
@dhardy dhardy mentioned this pull request Nov 25, 2017
Merged
pitdicker pushed a commit to pitdicker/rand that referenced this pull request Apr 4, 2018
@alexcrichton
Merge pull request rust-random#181 from cpeterso/cpeterso-weak_rng-seed
f9d184e 
 Seed weak_rng with the current time if OsRng fails
@dhardy dhardy mentioned this pull request Sep 29, 2018
Closed
@dhardy dhardy mentioned this pull request Jan 17, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhardy dhardy dhardy left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cpeterso @dhardy @alexcrichton