feat: upgrade to rand@0.9

iroh-base/Cargo.toml

@@ -15,13 +15,13 @@ rust-version = "1.85"
 workspace = true
 
 [dependencies]
-curve25519-dalek = { version = "4.1.3", features = ["serde", "rand_core", "zeroize"], optional = true }
+curve25519-dalek = { version = "=5.0.0-pre.1", features = ["serde", "rand_core", "zeroize"], optional = true }
 data-encoding = { version = "2.3.3", optional = true }
-ed25519-dalek = { version = "2.1.1", features = ["serde", "rand_core", "zeroize"], optional = true }
+ed25519-dalek = { version = "=3.0.0-pre.1", features = ["serde", "rand_core", "zeroize"], optional = true }
 derive_more = { version = "2.0.1", features = ["display"], optional = true }
 url = { version = "2.5.3", features = ["serde"], optional = true }
 postcard = { version = "1", default-features = false, features = ["alloc", "use-std", "experimental-derive"], optional = true }
-rand_core = { version = "0.6.4", optional = true }
+rand_core = { version = "0.9.3", optional = true }
 serde = { version = "1", features = ["derive", "rc"] }
 snafu = { version = "0.8.5", features = ["rust_1_81"], optional = true }
 n0-snafu = "0.2.2"
@@ -30,7 +30,8 @@ nested_enum_utils = "0.2.0"
 [dev-dependencies]
 postcard = { version = "1", features = ["use-std"] }
 proptest = "1.0.0"
-rand = "0.8"
+rand = "0.9.2"
+rand_chacha = "0.9"
 serde_json = "1"
 serde_test = "1"
 

iroh-base/src/key.rs

@@ -13,7 +13,7 @@ use curve25519_dalek::edwards::CompressedEdwardsY;
 pub use ed25519_dalek::{Signature, SignatureError};
 use ed25519_dalek::{SigningKey, VerifyingKey};
 use nested_enum_utils::common_fields;
-use rand_core::CryptoRngCore;
+use rand_core::CryptoRng;
 use serde::{Deserialize, Serialize};
 use snafu::{Backtrace, Snafu};
 
@@ -288,11 +288,10 @@ impl SecretKey {
     ///
     /// ```rust
     /// // use the OsRng option for OS depedndent most secure RNG.
-    /// let mut rng = rand::rngs::OsRng;
-    /// let _key = iroh_base::SecretKey::generate(&mut rng);
+    /// let _key = iroh_base::SecretKey::generate(&mut rand::rng());
     /// ```
-    pub fn generate<R: CryptoRngCore>(mut csprng: R) -> Self {
-        let secret = SigningKey::generate(&mut csprng);
+    pub fn generate<R: CryptoRng + ?Sized>(csprng: &mut R) -> Self {
+        let secret = SigningKey::generate(csprng);
 
         Self { secret }
     }
@@ -372,6 +371,7 @@ fn decode_base32_hex(s: &str) -> Result<[u8; 32], KeyParsingError> {
 #[cfg(test)]
 mod tests {
     use data_encoding::HEXLOWER;
+    use rand::SeedableRng;
 
     use super::*;
 
@@ -405,7 +405,8 @@ mod tests {
 
     #[test]
     fn test_from_str() {
-        let key = SecretKey::generate(&mut rand::thread_rng());
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let key = SecretKey::generate(&mut rng);
         assert_eq!(
             SecretKey::from_str(&HEXLOWER.encode(&key.to_bytes()))
                 .unwrap()

iroh-base/src/ticket/node.rs

@@ -136,12 +136,14 @@ mod tests {
     use std::net::{Ipv4Addr, SocketAddr};
 
     use data_encoding::HEXLOWER;
+    use rand::SeedableRng;
 
     use super::*;
     use crate::key::{PublicKey, SecretKey};
 
     fn make_ticket() -> NodeTicket {
-        let peer = SecretKey::generate(&mut rand::thread_rng()).public();
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let peer = SecretKey::generate(&mut rng).public();
         let addr = SocketAddr::from((Ipv4Addr::LOCALHOST, 1234));
         let relay_url = None;
         NodeTicket {

iroh-dns-server/Cargo.toml

@@ -32,7 +32,7 @@ iroh-metrics = { version = "0.35", features = ["service"] }
 lru = "0.13"
 n0-future = "0.1.2"
 n0-snafu = "0.2.2"
-pkarr = { version = "3.7", features = ["relays", "dht"], default-features = false }
+pkarr = { version = "5", features = ["relays", "dht"], default-features = false }
 rcgen = "0.13"
 redb = "2.6.3"
 regex = "1.10.3"
@@ -64,8 +64,8 @@ criterion = "0.5.1"
 data-encoding = "2.3.3"
 hickory-resolver = "0.25.0"
 iroh = { path = "../iroh" }
-rand = "0.8"
-rand_chacha = "0.3.1"
+rand = "0.9.2"
+rand_chacha = "0.9"
 tracing-test = "0.2.5"
 
 [[bench]]

iroh-dns-server/examples/publish.rs

@@ -63,7 +63,7 @@ async fn main() -> Result<()> {
         Ok(s) => SecretKey::from_str(&s)
             .context("failed to parse IROH_SECRET environment variable as iroh secret key")?,
         Err(_) => {
-            let s = SecretKey::generate(rand::rngs::OsRng);
+            let s = SecretKey::generate(&mut rand::rng());
             println!("Generated a new node secret. To reuse, set");
             println!(
                 "\tIROH_SECRET={}",

iroh-dns-server/src/lib.rs

@@ -27,6 +27,7 @@ mod tests {
     };
     use n0_snafu::{Result, ResultExt};
     use pkarr::{SignedPacket, Timestamp};
+    use rand::{CryptoRng, SeedableRng};
     use tracing_test::traced_test;
 
     use crate::{
@@ -167,7 +168,9 @@ mod tests {
 
         let origin = "irohdns.example.";
 
-        let secret_key = SecretKey::generate(rand::thread_rng());
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
+        let secret_key = SecretKey::generate(&mut rng);
         let node_id = secret_key.public();
         let pkarr = PkarrRelayClient::new(pkarr_relay);
         let relay_url: RelayUrl = "https://relay.example.".parse()?;
@@ -189,6 +192,8 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn store_eviction() -> Result {
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
         let options = ZoneStoreOptions {
             eviction: Duration::from_millis(100),
             eviction_interval: Duration::from_millis(100),
@@ -198,7 +203,7 @@ mod tests {
         let store = ZoneStore::in_memory(options, Default::default())?;
 
         // create a signed packet
-        let signed_packet = random_signed_packet()?;
+        let signed_packet = random_signed_packet(&mut rng)?;
         let key = PublicKeyBytes::from_signed_packet(&signed_packet);
 
         store
@@ -219,6 +224,8 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn integration_mainline() -> Result {
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
         // run a mainline testnet
         let testnet = pkarr::mainline::Testnet::new_async(5).await.e()?;
         let bootstrap = testnet.bootstrap.clone();
@@ -231,7 +238,7 @@ mod tests {
         let origin = "irohdns.example.";
 
         // create a signed packet
-        let secret_key = SecretKey::generate(rand::thread_rng());
+        let secret_key = SecretKey::generate(&mut rng);
         let node_id = secret_key.public();
         let relay_url: RelayUrl = "https://relay.example.".parse()?;
         let node_info = NodeInfo::new(node_id).with_relay_url(Some(relay_url.clone()));
@@ -260,8 +267,8 @@ mod tests {
         DnsResolver::with_nameserver(nameserver)
     }
 
-    fn random_signed_packet() -> Result<SignedPacket> {
-        let secret_key = SecretKey::generate(rand::thread_rng());
+    fn random_signed_packet<R: CryptoRng + ?Sized>(rng: &mut R) -> Result<SignedPacket> {
+        let secret_key = SecretKey::generate(rng);
         let node_id = secret_key.public();
         let relay_url: RelayUrl = "https://relay.example.".parse()?;
         let node_info = NodeInfo::new(node_id).with_relay_url(Some(relay_url.clone()));

iroh-relay/Cargo.toml

@@ -36,15 +36,15 @@ iroh-metrics = { version = "0.35", default-features = false }
 n0-future = "0.1.2"
 num_enum = "0.7"
 pin-project = "1"
-pkarr = { version = "3.7", default-features = false, features = ["signed_packet"] }
+pkarr = { version = "5", default-features = false, features = ["signed_packet"] }
 postcard = { version = "1", default-features = false, features = [
     "alloc",
     "use-std",
     "experimental-derive",
 ] }
 quinn = { package = "iroh-quinn", version = "0.14.0", default-features = false, features = ["rustls-ring"] }
 quinn-proto = { package = "iroh-quinn-proto", version = "0.13.0" }
-rand = "0.8"
+rand = "0.9.2"
 reqwest = { version = "0.12", default-features = false, features = [
     "rustls-tls",
 ] }
@@ -123,7 +123,7 @@ getrandom = { version = "0.3.2", features = ["wasm_js"] }
 clap = { version = "4", features = ["derive"] }
 crypto_box = { version = "0.9.1", features = ["serde", "chacha20"] }
 proptest = "1.2.0"
-rand_chacha = "0.3.1"
+rand_chacha = "0.9"
 tokio = { version = "1", features = [
     "io-util",
     "sync",

iroh-relay/src/protos/handshake.rs

@@ -34,7 +34,7 @@ use iroh_base::{PublicKey, SecretKey};
 use n0_future::{SinkExt, TryStreamExt};
 use nested_enum_utils::common_fields;
 #[cfg(feature = "server")]
-use rand::{CryptoRng, RngCore};
+use rand::CryptoRng;
 use snafu::{Backtrace, ResultExt, Snafu};
 use tracing::trace;
 
@@ -196,7 +196,7 @@ pub(crate) enum VerificationError {
 impl ServerChallenge {
     /// Generates a new challenge.
     #[cfg(feature = "server")]
-    pub(crate) fn new(mut rng: impl RngCore + CryptoRng) -> Self {
+    pub(crate) fn new<R: CryptoRng + ?Sized>(rng: &mut R) -> Self {
         let mut challenge = [0u8; 16];
         rng.fill_bytes(&mut challenge);
         Self { challenge }
@@ -402,7 +402,6 @@ pub(crate) enum Mechanism {
 pub(crate) async fn serverside(
     io: &mut (impl BytesStreamSink + ExportKeyingMaterial),
     client_auth_header: Option<HeaderValue>,
-    rng: impl RngCore + CryptoRng,
 ) -> Result<SuccessfulAuthentication, Error> {
     if let Some(client_auth_header) = client_auth_header {
         let client_auth_bytes = data_encoding::BASE64URL_NOPAD
@@ -433,7 +432,7 @@ pub(crate) async fn serverside(
         // We'll fall back to verification that takes another round trip more time.
     }
 
-    let challenge = ServerChallenge::new(rng);
+    let challenge = ServerChallenge::new(&mut rand::rng());
     write_frame(io, &challenge).await?;
 
     let (_, frame) = read_frame(io, &[ClientAuth::TAG]).await?;
@@ -531,6 +530,7 @@ mod tests {
     use iroh_base::{PublicKey, SecretKey};
     use n0_future::{Sink, SinkExt, Stream, TryStreamExt};
     use n0_snafu::{Result, ResultExt};
+    use rand::SeedableRng;
     use tokio_util::codec::{Framed, LengthDelimitedCodec};
     use tracing::{Instrument, info_span};
     use tracing_test::traced_test;
@@ -647,10 +647,9 @@ mod tests {
             }
             .instrument(info_span!("clientside")),
             async {
-                let auth_n =
-                    super::serverside(&mut server_io, client_auth_header, rand::rngs::OsRng)
-                        .await
-                        .context("serverside")?;
+                let auth_n = super::serverside(&mut server_io, client_auth_header)
+                    .await
+                    .context("serverside")?;
                 let mechanism = auth_n.mechanism;
                 let is_authorized = restricted_to.is_none_or(|key| key == auth_n.client_key);
                 let key = auth_n.authorize_if(is_authorized, &mut server_io).await?;
@@ -664,7 +663,9 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_via_shared_secrets() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
+        let secret_key = SecretKey::generate(&mut rng);
         let (client, server) = simulate_handshake(&secret_key, Some(42), Some(42), None).await;
         client?;
         let (public_key, auth) = server?;
@@ -676,7 +677,9 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_via_challenge() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
+        let secret_key = SecretKey::generate(&mut rng);
         let (client, server) = simulate_handshake(&secret_key, None, None, None).await;
         client?;
         let (public_key, auth) = server?;
@@ -688,7 +691,9 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_mismatching_shared_secrets() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+
+        let secret_key = SecretKey::generate(&mut rng);
         // mismatching shared secrets *might* happen with HTTPS proxies that don't also middle-man the shared secret
         let (client, server) = simulate_handshake(&secret_key, Some(10), Some(99), None).await;
         client?;
@@ -701,7 +706,8 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_challenge_fallback() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         // clients might not have access to shared secrets
         let (client, server) = simulate_handshake(&secret_key, None, Some(99), None).await;
         client?;
@@ -714,7 +720,8 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_with_auth_positive() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         let public_key = secret_key.public();
         let (client, server) = simulate_handshake(&secret_key, None, None, Some(public_key)).await;
         client?;
@@ -726,9 +733,10 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_with_auth_negative() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         let public_key = secret_key.public();
-        let wrong_secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let wrong_secret_key = SecretKey::generate(&mut rng);
         let (client, server) =
             simulate_handshake(&wrong_secret_key, None, None, Some(public_key)).await;
         assert!(client.is_err());
@@ -739,9 +747,10 @@ mod tests {
     #[tokio::test]
     #[traced_test]
     async fn test_handshake_via_shared_secret_with_auth_negative() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         let public_key = secret_key.public();
-        let wrong_secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let wrong_secret_key = SecretKey::generate(&mut rng);
         let (client, server) =
             simulate_handshake(&wrong_secret_key, Some(42), Some(42), Some(public_key)).await;
         assert!(client.is_err());
@@ -751,8 +760,9 @@ mod tests {
 
     #[test]
     fn test_client_auth_roundtrip() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
-        let challenge = ServerChallenge::new(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
+        let challenge = ServerChallenge::new(&mut rng);
         let client_auth = ClientAuth::new(&secret_key, &challenge);
 
         let bytes = postcard::to_allocvec(&client_auth).e()?;
@@ -766,7 +776,8 @@ mod tests {
 
     #[test]
     fn test_km_client_auth_roundtrip() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         let client_auth = KeyMaterialClientAuth::new(
             &secret_key,
             &TestKeyingMaterial {
@@ -787,8 +798,9 @@ mod tests {
 
     #[test]
     fn test_challenge_verification() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
-        let challenge = ServerChallenge::new(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
+        let challenge = ServerChallenge::new(&mut rng);
         let client_auth = ClientAuth::new(&secret_key, &challenge);
         assert!(client_auth.verify(&challenge).is_ok());
 
@@ -797,7 +809,8 @@ mod tests {
 
     #[test]
     fn test_key_material_verification() -> Result {
-        let secret_key = SecretKey::generate(rand::rngs::OsRng);
+        let mut rng = rand_chacha::ChaCha8Rng::seed_from_u64(0u64);
+        let secret_key = SecretKey::generate(&mut rng);
         let io = TestKeyingMaterial {
             inner: (),
             shared_secret: Some(42),