[#75687] [Ruby trunk Bug#12416] struct rb_id_table lacks mark function — shyouhei@...
Issue #12416 has been reported by Shyouhei Urabe.
3 messages
2016/05/23
[#75763] [Ruby trunk Feature#12435] Using connect_nonblock to open TCP connections in Net::HTTP#connect — mohamed.m.m.hafez@...
Issue #12435 has been reported by Mohamed Hafez.
3 messages
2016/05/28
[#75774] Errno::EAGAIN thrown by OpenSSL::SSL::SSLSocket#connect_nonblock — Mohamed Hafez <mohamed.m.m.hafez@...>
Hi all, every now and then in my production server, I'm
4 messages
2016/05/30
[#75775] Re: Errno::EAGAIN thrown by OpenSSL::SSL::SSLSocket#connect_nonblock
— Mohamed Hafez <mohamed.m.m.hafez@...>
2016/05/30
Or does MRI's OpenSSL::SSL::SSLSocket#connect_nonblock just return
[#75782] Important: Somewhat backwards-incompatible change (Fwd: [ruby-cvs:62388] duerst:r55225 (trunk): * string.c: Activate full Unicode case mapping for UTF-8) — Martin J. Dürst <duerst@...>
With the change below, I have activated full Unicode case mapping for
4 messages
2016/05/31
[ruby-core:75343] [Ruby trunk Bug#9569] SecureRandom should try /dev/urandom first
From:
delan@...
Date:
2016-05-04 02:07:18 UTC
List:
ruby-core #75343
Issue #9569 has been updated by Delan Azabani. For anyone reading this thread after me: * `SecureRandom.gen_random` calls `OpenSSL::Random.random_bytes` before falling back on `Random.raw_seed` [1] * `Random.raw_seed` calls `fill_random_bytes` [2] * `fill_random_bytes` calls `fill_random_bytes_syscall` before falling back on `fill_random_bytes_urandom` [3] * `fill_random_bytes_syscall` is compiled to wrap `CryptGenRandom` if available, falling back on `getrandom(2)` [4] * `fill_random_bytes_urandom` reads from `/dev/urandom` if it considers the device reasonable [5] It’s good to see that `fill_random_bytes` already prefers `getrandom(2)` over `/dev/urandom`, as `getrandom(2)` blocks only if it has been called so early in the boot process that there isn’t enough *initial* entropy [6], and it isn’t susceptible to file descriptor exhaustion attacks [7]. Changing the order of `SecureRandom.gen_random` should be enough to fix this bug, but I would also suggest adding `arc4random(3)` or `getentropy(2)` to the collection of system calls tried by `fill_random_bytes_syscall`, which will mitigate file descriptor exhaustion attacks for OpenBSD users. 1. https://github.com/ruby/ruby/blob/8ef6dacb248876b444595a26ea78c35eb07a188b/lib/securerandom.rb#L50-78 2. https://github.com/ruby/ruby/blob/8ef6dacb248876b444595a26ea78c35eb07a188b/random.c#L620-635 3. https://github.com/ruby/ruby/blob/8ef6dacb248876b444595a26ea78c35eb07a188b/random.c#L549-555 4. https://github.com/ruby/ruby/blob/8ef6dacb248876b444595a26ea78c35eb07a188b/random.c#L493-547 5. https://github.com/ruby/ruby/blob/8ef6dacb248876b444595a26ea78c35eb07a188b/random.c#L444-481 6. http://www.2uo.de/myths-about-urandom/ 7. https://lwn.net/Articles/606141/ 8. http://man.openbsd.org/OpenBSD-current/man3/arc4random.3 9. http://man.openbsd.org/OpenBSD-current/man2/getentropy.2 ---------------------------------------- Bug #9569: SecureRandom should try /dev/urandom first https://bugs.ruby-lang.org/issues/9569#change-58472 * Author: Corey Csuhta * Status: Rejected * Priority: Normal * Assignee: ruby-core * ruby -v: * Backport: ---------------------------------------- Right now, `SecureRandom.random_bytes` tries to detect an OpenSSL to use before it tries to detect `/dev/urandom`. I think it should be the other way around. In both cases, you just need random bytes to unpack, so SecureRandom could skip the middleman (and [second point of failure](http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/)) and just talk to `/dev/urandom` directly if it's available. Is this a case of just re-ordering the two code chunks so that `/dev/urandom` is tried first? Relevant lines: https://github.com/ruby/ruby/blob/trunk/lib/securerandom.rb#L59-L90 -- https://bugs.ruby-lang.org/ Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe> <http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>