|
14 | 14 | use std::fmt; |
15 | 15 | use rand_core::{RngCore, Error, impls}; |
16 | 16 |
|
17 | | -/// A random number generator that retrieves randomness straight from |
18 | | -/// the operating system. |
| 17 | +/// A random number generator that retrieves randomness straight from the |
| 18 | +/// operating system. This is the preferred external source of randomness for |
| 19 | +/// most applications. Commonly it is used to initialize a user-space RNG, which |
| 20 | +/// can then be used with much lower overhead. |
19 | 21 | /// |
20 | | -/// Platform sources: |
| 22 | +/// You may prefer to use [`EntropyRng`] instead of `OsRng`. Is is unlikely, but |
| 23 | +/// not entirely theoretical, for `OsRng` to fail. In such cases `EntropyRng` |
| 24 | +/// falls back on a good alternative entropy source. |
21 | 25 | /// |
22 | | -/// - Linux, Android: read from `getrandom(2)` system call if available, |
23 | | -/// otherwise from` /dev/urandom`. |
24 | | -/// - MacOS, iOS: calls SecRandomCopyBytes. |
25 | | -/// - Windows: calls `RtlGenRandom`, exported from `advapi32.dll` as |
26 | | -/// `SystemFunction036`. |
| 26 | +/// `OsRng` usually does not block. On some systems, and notably virtual |
| 27 | +/// machines, it may block very early in the init process, when the OS CSPRNG |
| 28 | +/// has not yet been seeded. |
| 29 | +/// |
| 30 | +/// `OsRng::new()` is guaranteed to be very cheap (after first call), and will |
| 31 | +/// never consume more than one file handle per process. |
| 32 | +/// |
| 33 | +/// ## Platform sources: |
| 34 | +/// |
| 35 | +/// - Linux, Android: reads from the `getrandom(2)` system call if available, |
| 36 | +/// otherwise from `/dev/urandom`. |
| 37 | +/// - macOS, iOS: calls `SecRandomCopyBytes`. |
| 38 | +/// - Windows: calls `RtlGenRandom`. |
27 | 39 | /// - WASM: calls `window.crypto.getRandomValues` in browsers, |
28 | | -/// `require("crypto").randomBytes` in Node.js. |
| 40 | +/// and in Node.js `require("crypto").randomBytes`. |
29 | 41 | /// - OpenBSD: calls `getentropy(2)`. |
30 | 42 | /// - FreeBSD: uses the `kern.arandom` `sysctl(2)` mib. |
31 | 43 | /// - Fuchsia: calls `cprng_draw`. |
32 | 44 | /// - Redox: reads from `rand:` device. |
33 | 45 | /// - CloudABI: calls `random_get`. |
34 | | -/// - Other Unix-like systems: read directly from `/dev/urandom`. |
35 | | -/// |
36 | | -/// This usually does not block. On some systems (e.g. FreeBSD, OpenBSD, |
37 | | -/// Max OS X, and modern Linux) this may block very early in the init |
38 | | -/// process, if the CSPRNG has not been seeded yet.[1] |
39 | | -/// |
40 | | -/// *Note*: many Unix systems provide `/dev/random` as well as `/dev/urandom`. |
41 | | -/// This module uses `getrandom` if available, otherwise `/dev/urandom`, for |
42 | | -/// the following reasons: |
| 46 | +/// - Other Unix-like systems: reads directly from `/dev/urandom`. |
| 47 | +/// Note: many Unix systems provide `/dev/random` as well as `/dev/urandom`. |
| 48 | +/// On all modern systems these two interfaces offer identical quality, with |
| 49 | +/// the difference that on some systems `/dev/random` may block. This is a |
| 50 | +/// dated design, and `/dev/urandom` is preferred by cryptography experts. [1] |
43 | 51 | /// |
44 | | -/// - On Linux, `/dev/random` may block if entropy pool is empty; |
45 | | -/// `/dev/urandom` will not block. This does not mean that `/dev/random` |
46 | | -/// provides better output than `/dev/urandom`; the kernel internally runs a |
47 | | -/// cryptographically secure pseudorandom number generator (CSPRNG) based on |
48 | | -/// entropy pool for random number generation, so the "quality" of |
49 | | -/// `/dev/random` is not better than `/dev/urandom` in most cases. However, |
50 | | -/// this means that `/dev/urandom` can yield somewhat predictable randomness |
51 | | -/// if the entropy pool is very small, such as immediately after first |
52 | | -/// booting. Linux 3.17 added the `getrandom(2)` system call which solves |
53 | | -/// the issue: it blocks if entropy pool is not initialized yet, but it does |
54 | | -/// not block once initialized. `OsRng` tries to use `getrandom(2)` if |
55 | | -/// available, and use `/dev/urandom` fallback if not. If an application |
56 | | -/// does not have `getrandom` and likely to be run soon after first booting, |
57 | | -/// or on a system with very few entropy sources, one should consider using |
58 | | -/// `/dev/random` via `ReadRng`. |
59 | | -/// - On some systems (e.g. FreeBSD, OpenBSD and Mac OS X) there is no |
60 | | -/// difference between the two sources. (Also note that, on some systems |
61 | | -/// e.g. FreeBSD, both `/dev/random` and `/dev/urandom` may block once if |
62 | | -/// the CSPRNG has not seeded yet.) |
| 52 | +/// [1] See [Myths about urandom](https://www.2uo.de/myths-about-urandom/). |
63 | 53 | /// |
64 | | -/// [1] See <https://www.python.org/dev/peps/pep-0524/> for a more |
65 | | -/// in-depth discussion. |
| 54 | +/// [`EntropyRng`]: struct.EntropyRng.html |
66 | 55 |
|
67 | 56 | #[allow(unused)] // not used by all targets |
68 | 57 | pub struct OsRng(imp::OsRng); |
|
0 commit comments