Update dependencies and refactor random number generation to use getrandom crate

stevefan1999-personal · stevefan1999-personal · commit bec328a2eedd · 2026-01-07T16:56:27.000+08:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -57,6 +57,7 @@ webpki = { package = "rustls-webpki", version = "0.103.6", default-features = fa
 enum_dispatch = "0.3.13"
 tinyvec = { version = "1.10.0", default-features = false, optional = true }
 thiserror = { version = "2.0.17", default-features = false }
+getrandom = "0.3.4"
 
 [dev-dependencies]
 bytes = { version = "1.10.1", default-features = false }
diff --git a/src/kx/x448.rs b/src/kx/x448.rs
@@ -15,8 +15,8 @@ impl crypto::SupportedKxGroup for X448 {
 
     fn start(&self) -> Result<Box<dyn ActiveKeyExchange>, rustls::Error> {
         let mut priv_key = [0u8; 56];
-        rand_core::OsRng
-            .try_fill_bytes(&mut priv_key)
+        
+        getrandom::fill(&mut priv_key)
             .map_err(|_| rustls::Error::FailedToGetRandomBytes)?;
         let priv_key: x448::Secret = priv_key.into();
         let pub_key = x448::PublicKey::from(&priv_key);
diff --git a/src/ticketer.rs b/src/ticketer.rs
@@ -52,16 +52,12 @@ struct AeadTicketProducer {
 impl AeadTicketProducer {
     fn new() -> Result<Self, GetRandomFailed> {
         let mut key_bytes = [0u8; 32];
-        OsRng
-            .try_fill_bytes(&mut key_bytes)
-            .map_err(|_| GetRandomFailed)?;
+        getrandom::fill(&mut key_bytes).map_err(|_| GetRandomFailed)?;
 
         let key = ChaCha20Poly1305::new_from_slice(&key_bytes).map_err(|_| GetRandomFailed)?;
 
         let mut key_name = [0u8; 16];
-        OsRng
-            .try_fill_bytes(&mut key_name)
-            .map_err(|_| GetRandomFailed)?;
+        getrandom::fill(&mut key_name).map_err(|_| GetRandomFailed)?;
 
         Ok(Self {
             key,
@@ -86,7 +82,7 @@ impl ProducesTickets for AeadTicketProducer {
     fn encrypt(&self, message: &[u8]) -> Option<Vec<u8>> {
         // Random nonce, because a counter is a privacy leak.
         let mut nonce_buf = [0u8; 12];
-        OsRng.try_fill_bytes(&mut nonce_buf).ok()?;
+        getrandom::fill(&mut nonce_buf).ok()?;
         let nonce = nonce_buf.into();
 
         // ciphertext structure is:
diff --git a/tests/builder.rs b/tests/builder.rs
@@ -80,7 +80,8 @@ fn test_basic_round_trip() {
             let (socket_c2s, socket_s2c) = MemorySocket::new_pair();
 
             let mut random_data: [u8; 64 * 1024] = [0; 64 * 1024];
-            OsRng.try_fill_bytes(&mut random_data).unwrap();
+            
+            getrandom::fill(&mut random_data).unwrap();
 
             std::thread::Builder::new()
                 .name(format!("{base_name}-server"))
