New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
argon2: std feature pulls in rand number generator #250
Comments
It's definitely expected. For any of our crates that rely on an RNG, we're trying to make it possible to pull everything required in without a complicated recipe that involves things like upgrading It's unfortunate there's no unified RNG option for WASM, however. It seems like the best we can offer is explicitly linking to I suppose we should split out something like a |
What is important for me here is to keep the rng out. Adding the rnd implicitly via |
Yes, apologies we don't have the WASM ergonomics figured out as we are trying to optimize for more traditional If you have any suggestions regarding what we can do in order to properly activate RNG features for WASM users, that would be helpful. For example, what is your use case: are you inside a JS environment? What RNG do you have access to? |
I'll think about what that could mean for the feature organization.
Yes, I develop Wasm for a JS environment. But as long as the use case allows me to provide random data to Wasm, the crate does not need to access the entropy source. In this particular use case I create the salt in the host and provide it to the guest in something like (quick'n'dirty PoC): #[wasm_bindgen]
pub fn hash(password: &str, salt: &[u8]) -> Result<Vec<u8>, JsValue> {
let argon2 = Argon2::new(
Algorithm::Argon2id,
Version::V0x13,
Params::new(2, 3, 4, Some(32)).map_err(|e| e.to_string())?,
);
let mut out = Vec::<u8>::with_capacity(32);
argon2
.hash_password_into(password.as_bytes(), salt, &mut out)
.map_err(|e| e.to_string())?;
Ok(out)
} The JS host can then access environment specific entropy sources. |
I think the best way forward here is to properly split out |
I would argue that it's the Rust handling of the |
Good question: Is std and entropy source orthogonal? So far my thinking is yes, as On the otherhand as you pointed out rand_core also pulls getrandom when its std feature is enabled, but lookinh at the history of this fact, it does not seem convincing this is the final answer:
I can do that, it works. But I fear missing out on features that are available in std but not alloc. It would be great to not only solve this particular use case but find a pattern we're happy with for all compile crypto lib from Rust to web use cases for me and other users. |
Well, there is, but it used only for seeding hash maps for DoS protection. This is one of the reasons, why I hope that
IIRC the main feature dependent on |
TL;DR: It's complicated. That sounds so simple in theory. Unfortunately wasm-bindgen is an best effort approch in a horrible mess of JS module systems with bad support for Wasm asset compilation. Last time I tried it was impossible to write a JS lib that includes Wasm and works with webpack4+5 and CommonJS. If you try to achive async Wasm compiling it gets even worse. There is still no embed Wasm blob as text target, which is the only compatible solution (used by e.g. long.js and libsodium.js). If you need to support multiple JS environments, the best you get out of wasm-bindgen is an interface on the Wasm side and a draft of a JS wrapper that you then need to modify. Now with getrandom+js you suddenly get not one interface but two interfaces to worry about (call into Wasm and call out of Wasm). I'm not saying every application developer should mess around with entropy sources. But a well maintained JS library that bundles Wasm is certainly able to use JS system RNGs and pass the random data to Wasm from outside. |
It seems like what we should actually do here is have a |
I think the problem is |
As you said, this issue is ultimately that Given that, closing this issue. |
I'm not sure to what degree this is expected, but if I enable the
std
feature in argon2, it pulls in a random number generator viagetrandom
. This is unfortunately not available in all std environments, especially when compiling to Wasm.causes a compile fail with target wasm32-unknown-unknown because
Seems like
password-hash
gets pulled in implicitly with default arguments or something like that.Adding
resolver = "2"
does not seems to change things.Using alloc instead lets me compile.
The text was updated successfully, but these errors were encountered: