refactor(crypto): Don't use getrandom directly, we already use the rand crate

2026-05-16 20:49:05 -04:00 · 2022-02-15 11:30:02 +01:00
parent dbb500c4b8
commit 54e555f295
5 changed files with 23 additions and 15 deletions
--- a/crates/matrix-sdk-crypto/Cargo.toml
+++ b/crates/matrix-sdk-crypto/Cargo.toml
@@ -33,7 +33,6 @@ bs58 = { version = "0.4.0", optional = true }
 byteorder = "1.4.3"
 dashmap = "5.1.0"
 futures-util = { version = "0.3.15", default-features = false, features = ["alloc"] }
-getrandom = "0.2.3"
 hmac = "0.12.0"
 matrix-qrcode = { version = "0.2.0", path = "../matrix-qrcode", optional = true }
 matrix-sdk-common = { version = "0.4.0", path = "../matrix-sdk-common" }
--- a/crates/matrix-sdk-crypto/src/file_encryption/attachments.rs
+++ b/crates/matrix-sdk-crypto/src/file_encryption/attachments.rs
@@ -22,7 +22,7 @@ use aes::{
    Aes256, Aes256Ctr,
 };
 use base64::DecodeError;
-use getrandom::getrandom;
+use rand::{thread_rng, RngCore};
 use ruma::{
    events::room::{EncryptedFile, JsonWebKey, JsonWebKeyInit},
    serde::Base64,
@@ -218,10 +218,12 @@ impl<'a, R: Read + ?Sized + 'a> AttachmentEncryptor<'a, R> {
        let mut key = Zeroizing::new([0u8; KEY_SIZE]);
        let mut iv = Zeroizing::new([0u8; IV_SIZE]);

-        getrandom(&mut *key).expect("Can't generate randomness");
+        let mut rng = thread_rng();
+
+        rng.fill_bytes(&mut *key);
        // Only populate the first 8 bytes with randomness, the rest is 0
        // initialized for the counter.
-        getrandom(&mut iv[0..8]).expect("Can't generate randomness");
+        rng.fill_bytes(&mut iv[0..8]);

        let web_key = JsonWebKey::from(JsonWebKeyInit {
            kty: "oct".to_owned(),
--- a/crates/matrix-sdk-crypto/src/file_encryption/key_export.rs
+++ b/crates/matrix-sdk-crypto/src/file_encryption/key_export.rs
@@ -19,9 +19,9 @@ use aes::{
    Aes256, Aes256Ctr,
 };
 use byteorder::{BigEndian, ReadBytesExt};
-use getrandom::getrandom;
 use hmac::{Hmac, Mac};
 use pbkdf2::pbkdf2;
+use rand::{thread_rng, RngCore};
 use serde_json::Error as SerdeError;
 use sha2::{Sha256, Sha512};
 use thiserror::Error;
@@ -152,8 +152,10 @@ fn encrypt_helper(plaintext: &mut [u8], passphrase: &str, rounds: u32) -> String
    let mut iv = [0u8; IV_SIZE];
    let mut derived_keys = [0u8; KEY_SIZE * 2];

-    getrandom(&mut salt).expect("Can't generate randomness");
-    getrandom(&mut iv).expect("Can't generate randomness");
+    let mut rng = thread_rng();
+
+    rng.fill_bytes(&mut salt);
+    rng.fill_bytes(&mut iv);

    let mut iv = u128::from_be_bytes(iv);
    iv &= !(1 << 63);
--- a/crates/matrix-sdk-crypto/src/store/pickle_key.rs
+++ b/crates/matrix-sdk-crypto/src/store/pickle_key.rs
@@ -18,9 +18,9 @@ use aes_gcm::{
    aead::{generic_array::GenericArray, Aead, NewAead},
    Aes256Gcm, Error as DecryptionError,
 };
-use getrandom::getrandom;
 use hmac::Hmac;
 use pbkdf2::pbkdf2;
+use rand::{thread_rng, RngCore};
 use serde::{Deserialize, Serialize};
 use sha2::Sha256;
 use zeroize::{Zeroize, Zeroizing};
@@ -81,7 +81,8 @@ pub struct PickleKey {
 impl Default for PickleKey {
    fn default() -> Self {
        let mut key = vec![0u8; KEY_SIZE];
-        getrandom(&mut key).expect("Can't generate new pickle key");
+        let mut rng = thread_rng();
+        rng.fill_bytes(&mut key);

        Self { aes256_key: key }
    }
@@ -122,15 +123,17 @@ impl PickleKey {
    /// * `passphrase` - The passphrase that should be used to encrypt the
    /// pickle key.
    pub fn encrypt(&self, passphrase: &str) -> EncryptedPickleKey {
+        let mut rng = thread_rng();
        let mut salt = vec![0u8; KDF_SALT_SIZE];
-        getrandom(&mut salt).expect("Can't generate new random pickle key");
+
+        rng.fill_bytes(&mut salt);

        let key = PickleKey::expand_key(passphrase, &salt, KDF_ROUNDS);
        let key = GenericArray::from_slice(key.as_ref());
        let cipher = Aes256Gcm::new(key);

        let mut nonce = vec![0u8; NONCE_SIZE];
-        getrandom(&mut nonce).expect("Can't generate new random nonce for the pickle key");
+        rng.fill_bytes(&mut nonce);

        let ciphertext = cipher
            .encrypt(GenericArray::from_slice(nonce.as_ref()), self.aes256_key.as_slice())
--- a/crates/matrix-sdk-crypto/src/verification/qrcode.rs
+++ b/crates/matrix-sdk-crypto/src/verification/qrcode.rs
@@ -18,6 +18,7 @@ use matrix_qrcode::{
    qrcode::QrCode, EncodingError, QrVerificationData, SelfVerificationData,
    SelfVerificationNoMasterKey, VerificationData,
 };
+use rand::{thread_rng, RngCore};
 use ruma::{
    api::client::keys::upload_signatures::v3::Request as SignatureUploadRequest,
    events::{
@@ -431,10 +432,11 @@ impl QrVerification {
    }

    fn generate_secret() -> Base64 {
-        let mut shared_secret = [0u8; SECRET_SIZE];
-        getrandom::getrandom(&mut shared_secret)
-            .expect("Can't generate randomness for the shared secret");
-        Base64::new(shared_secret.to_vec())
+        let mut shared_secret = vec![0u8; SECRET_SIZE];
+        let mut rng = thread_rng();
+        rng.fill_bytes(&mut shared_secret);
+
+        Base64::new(shared_secret)
    }

    pub(crate) fn new_self(