-
-
Notifications
You must be signed in to change notification settings - Fork 433
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rework CryptoRng #1273
Rework CryptoRng #1273
Conversation
Er, yes. Please either remove formatting changes to old code or run We should use Is it a major pain to remove formatting-only changes from this PR in the mean-time? (I usually use As for the actual purpose of this PR — these issues would appear related. Didn't we already discuss this? |
Yeah, I will do it somewhat later. I executed
I think I floated the drafted idea somewhere in issues. |
Summary of this PR: pub trait RngCore {
// keeps methods next_u32, next_u64, fill_bytes
// loses try_fill_bytes
}
// New bound on RngCore:
pub trait CryptoRng: RngCore {
fn crypto_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> { /* default impl */ }
}
// New:
pub trait CryptoBlockRng: BlockRngCore {}
// Removed:
// pub trait CryptoRngCore: CryptoRng + RngCore { .. } My thoughts, somewhat detached from the above... In the long term, do we even keep Given that, maybe we should make larger changes: // A revised BlockRngCore (maybe renamed or maybe not):
pub trait ByteRng {
const LEN: usize;
fn generate(&mut self) -> Result<[u8; Self::LEN]>;
}
// A cut-down RngCore (maybe we should keep the old name):
pub trait NumRng {
fn next_u32(&mut self) -> u32;
fn next_u64(&mut self) -> u64;
}
pub struct BlockRng<R: ByteRng>(..) ;
impl<R: ..> NumRng for ByteRng<R> {} Except, it would be nice to know at compile time the generation size of Maybe we should hold off on such a re-design until Either way, this would mean:
But this is mostly orthogonal to your changes. So:
|
See #1261 (comment) for reply to the middle part of the previous comment.
I don't think the name is good either, so I am open to changing it. But I am not sure whether it's a good idea to move |
Do these uses even want a
The
Nor is the original, but it seems we don't have a good reason to change it. If we want to simplify, we could probably remove |
f400d55
to
085cbff
Compare
@dhardy If such type aliases is the "recommended way" of doing things, then removal of the |
I think the new-type wrappers are used (a) to hide the inner type (thus not an API breaking change to replace it) and (b) to allow custom methods on that type. Without re-examining I don't know how important these are (probably only (b) is applicable to ChaCha). I don't follow why this justifies removing Thanks for cleaning up the PR. |
It does not look like we have users of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wish we'd named RngCore
as Rng
instead, and what is now Rng
as RngExt
. Is it worth renaming now? It would make the names noted below more consistent, while also being better for common usage (where people use bounds like R: RngCore
).
Besides this is the idea that maybe we should move one or some RngCore
methods to a different trait. Most users don't need try_fill_bytes
and next_u32
. You mentioned moving try_fill_bytes
to CryptoRng
and we seem to have rejected that idea. If we wanted a separate ByteRng
for try_fill_bytes
, we'd then need pub trait CryptoByteRng: ByteRng {}
too.
Anyway, I'll provisionally approve this PR. If I don't, it might just get stuck.
/// supposed to be cryptographically secure. | ||
/// | ||
/// See [`CryptoRng`][crate::CryptoRng] docs for more information. | ||
pub trait CryptoBlockRng: BlockRngCore { } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The naming seems off: CryptoRng: RngCore
, CryptoBlockRng: BlockRngCore
.
Sounds great to me! |
@newpavlov this is still marked as a draft, but I think it's ready to be merged? I already approved. I'm also happy to rename |
This PR introduces the
CryptoBlockRng
marker trait. It's used instead ofCryptoRng
on block RNGs, which allows us to markCryptoRng
as a subtrait ofRngCore
and makes theCryptoRngCore
trait redundant.Additionally,try_fill_bytes
is moved toCryptoRng
and renamed tocrypto_fill_bytes
. The rationale here is that error checks for potential RNG failures are practically exclusive to cryptographic code.Unfortunately, this PR also contains a bunch of formatting changes introduced bycargo fmt
. I think it could be worth to include formatting check into our CI to prevent such changes in future.cc @tarcieri