Updated some dependencies to the latest version + implemented workaround to make test code compile with newer version of the "rand" package.

Author: danieltrick

Cargo.lock

@@ -31,8 +31,8 @@ function_name = "0.3.0"
 hex = "0.4.3"
 memory-stats = "1.2.0"
 p256 = "0.13.2"
-rand = "0.8.5"
-rand_chacha = "0.3.1"
+rand = "0.9.1"
+rand_chacha = "0.9.0"
 regex = "1.11.1"
 rsa = "0.9.8"
 serial_test = "3.2.0"

Cargo.toml

@@ -67,11 +67,11 @@ type QuoteResult = (JsonValue, Vec<u8>, Option<JsonValue>, Option<String>);
 ///
 /// ### Thread Safety
 ///
-/// In general, the FAPI is considered “thread-safe”, but individual instances of `FapiContext` are **not**.
+/// In general, the FAPI is considered “thread-safe”, but individual instances of `FapiContext` are **not** &#128680;
 ///
-/// This means that an application may safely access the FAPI from multiple *concurrent* threads, provided that each of these threads uses its own separate `FapiContext` instance. Sharing the same `FapiContext` instance between *concurrent* threads is also possible, but this requires an explicit synchronization to ensure that *at most* **one** thread at a time will access the "shared" instance! Specifically, `FapiContext` implements the [`Send`] trait, so it may be transferred to another thread, but it does **not** implement the [`Sync`] trait. However, you can wrap the context in an `Arc<Mutex<T>>` in order to share it safely between multiple threads.
+/// This means that an application may safely access the FAPI from multiple *concurrent* threads <u>without</u> any synchronization (locking) at the application level, provided that each thread uses its own separate `FapiContext`. Meanwhile, sharing the same `FapiContext` between *concurrent* threads requires an explicit synchronization in the application code to ensure that *at most* **one** thread at a time will access the "shared" context! Consequently, `FapiContext` implements the [`Send`] trait, but it does **not** implement the [`Sync`] trait. You can wrap the context in an `Arc<Mutex<T>>` in order to share it safely between multiple threads.
 ///
-/// By default, the `tss2-fapi-rs` library does **not** serialize FAPI calls from *concurrent* application threads, except for a few “critical” functions. The optional **`full_locking`** feature can be enabled to enforce the serialization of *all* FAPI calls.
+/// By default, the `tss2-fapi-rs` library does **not** serialize FAPI calls from *concurrent* contexts (threads), except for a few “critical” functions that need to be serialized. The optional **`full_locking`** feature can be enabled to enforce full serialization of *all* FAPI calls. Be aware, though, that the serialization of the FAPI calls is implemented *per-process*, **not** globally.
 ///
 /// ### FAPI Library
 ///
@@ -252,6 +252,8 @@ impl FapiContext {
 
     /// Provisions a TSS with its TPM. This includes the setting of important passwords and policy settings as well as the readout of the EK and its certificate and the initialization of the system-wide keystore.
     ///
+    /// Invocations of this function are serialized between concurrent FAPI contexts (threads) by default.
+    ///
     /// *See also:* [`Fapi_Provision()`](https://tpm2-tss.readthedocs.io/en/latest/group___fapi___provision.html)
     pub fn provision(&mut self, auth_eh: Option<&str>, auth_sh: Option<&str>, auth_lo: Option<&str>) -> Result<(), ErrorCode> {
         let cstr_eh = CStringHolder::try_from(auth_eh)?;

src/context.rs

@@ -13,7 +13,7 @@ use common::{
 };
 use function_name::named;
 use log::{debug, trace};
-use rand::{thread_rng, RngCore, SeedableRng};
+use rand::{rng, RngCore, SeedableRng};
 use rand_chacha::ChaChaRng;
 use serial_test::serial;
 use tss2_fapi_rs::{FapiContext, NvFlags};
@@ -57,7 +57,7 @@ fn test_nv_write() {
         }
 
         // Generate random data
-        thread_rng().fill_bytes(&mut data[..]);
+        rng().fill_bytes(&mut data[..]);
 
         // Write data to NV index
         match context.nv_write(nv_path, &data[..]) {
@@ -66,7 +66,7 @@ fn test_nv_write() {
         }
 
         // Generate random number
-        let number = thread_rng().next_u64();
+        let number = rng().next_u64();
 
         // Write number to NV index
         match context.nv_write_u64(nv_path, number) {
@@ -103,7 +103,7 @@ fn test_nv_read() {
         }
 
         // Generate random data
-        thread_rng().fill_bytes(&mut data[..]);
+        rng().fill_bytes(&mut data[..]);
 
         // Write data to NV index
         match context.nv_write(nv_path, &data[..]) {

tests/08_nv_test.rs

@@ -10,11 +10,14 @@ use p256::{
     pkcs8::DecodePrivateKey,
     PublicKey as EccPublicKey, SecretKey as EccPrivateKey,
 };
-use rand::thread_rng;
+use rand::{rng, RngCore};
 use rsa::{
     pkcs8::DecodePublicKey,
     pss::{Signature as RsaSignature, SigningKey as RsaSigningKey},
-    signature::{RandomizedDigestSigner as RsaRandomizedDigestSigner, SignatureEncoding},
+    signature::{
+        rand_core::{CryptoRng as LegacyCryptoRng, Error as LegacyRngError, RngCore as LegacyRngCore},
+        RandomizedDigestSigner as RsaRandomizedDigestSigner, SignatureEncoding,
+    },
     RsaPrivateKey, RsaPublicKey,
 };
 use sha2::{Sha256, Sha384, Sha512};
@@ -80,6 +83,36 @@ pub fn load_private_key(pem_data: &str, key_type: KeyType) -> Option<PrivateKey>
     }
 }
 
+// ==========================================================================
+// RNG wrapper for signing
+// ==========================================================================
+
+/// Workaround to implement the `RngCore` and `CryptoRng` traits from the **`rsa::signature::rand_core`** crate.
+///
+/// **TODO:** Remove when `rsa::signature::rand_core` is updated eventually!
+struct LegacyCompatRng;
+
+impl LegacyRngCore for LegacyCompatRng {
+    fn next_u32(&mut self) -> u32 {
+        rng().next_u32()
+    }
+
+    fn next_u64(&mut self) -> u64 {
+        rng().next_u64()
+    }
+
+    fn fill_bytes(&mut self, dest: &mut [u8]) {
+        rng().fill_bytes(dest);
+    }
+
+    fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), LegacyRngError> {
+        self.fill_bytes(dest);
+        Ok(())
+    }
+}
+
+impl LegacyCryptoRng for LegacyCompatRng {}
+
 // ==========================================================================
 // Signature computation
 // ==========================================================================
@@ -108,7 +141,7 @@ where
     D: Digest + FixedOutputReset,
 {
     let sign_key = RsaSigningKey::<D>::from(private_key.to_owned());
-    RsaRandomizedDigestSigner::<D, RsaSignature>::sign_digest_with_rng(&sign_key, &mut thread_rng(), digest).to_vec()
+    RsaRandomizedDigestSigner::<D, RsaSignature>::sign_digest_with_rng(&sign_key, &mut LegacyCompatRng, digest).to_vec()
 }
 
 /// Compute signature using the ECDSA-scheme on NIST P-256 curve
@@ -122,7 +155,7 @@ fn create_signature_ecc(private_key: &EccPrivateKey, hash_algo: &HashAlgorithm,
 /// Compute signature using the ECDSA-scheme on NIST P-256 curve
 fn _create_signature_ecc(private_key: &EccPrivateKey, message: &[u8]) -> Vec<u8> {
     let sign_key = EccSigningKey::from(private_key);
-    EccRandomizedDigestSigner::<Sha256, EccSignature>::sign_digest_with_rng(&sign_key, &mut thread_rng(), Sha256::new_with_prefix(message))
+    EccRandomizedDigestSigner::<Sha256, EccSignature>::sign_digest_with_rng(&sign_key, &mut LegacyCompatRng, Sha256::new_with_prefix(message))
         .to_der()
         .to_vec()
 }

tests/common/crypto.rs

@@ -39,7 +39,7 @@ pub fn generate_string<const N: usize>(rand_gen: &mut impl RngCore) -> String {
     ];
     let mut rand_str = ['\0'; N];
     for i in 0..N {
-        rand_str[i] = ASCII_PRINTABLE[rand_gen.gen_range(0..ASCII_PRINTABLE.len())];
+        rand_str[i] = ASCII_PRINTABLE[rand_gen.random_range(0..ASCII_PRINTABLE.len())];
     }
     String::from_iter(rand_str)
 }

tests/common/random.rs

@@ -21,7 +21,7 @@ impl TempFile {
 
     pub fn with_suffix(base_dir: &Path, suffix: &str) -> Option<TempFile> {
         assert!(!suffix.is_empty() && suffix.chars().all(|c| char::is_ascii_alphanumeric(&c)));
-        let mut rng = rand::thread_rng();
+        let mut rng = rand::rng();
 
         for _i in 0..99 {
             let file_path = base_dir.join(format!("temp-{:16X}.{}", rng.next_u64(), suffix));