From: mike@... Date: 2016-05-25T06:13:39+00:00 Subject: [ruby-core:75717] [Ruby trunk Bug#9569] SecureRandom should try /dev/urandom first Issue #9569 has been updated by Mike Pastore. Yui NARUSE wrote: > Mike Pastore wrote: > > Yui NARUSE wrote: > > > Anyway I'm creating a securerandom.gem which uses arc4random_buf internally like libressl RAND_bytes. > > > https://github.com/nurse/securerandom > > > > You might want to take a look at (shameless self-plug, sorry) https://github.com/mwpastore/securer_randomer for a comparable solution. > > You mean utility methods which are implemented in Random::Formatter on Ruby 2.4? > They are out of scope now, though I may merge the module from Ruby repo. What? No, it uses RbNaCl.random_bytes instead of OpenSSL's RAND_bytes. ---------------------------------------- Bug #9569: SecureRandom should try /dev/urandom first https://bugs.ruby-lang.org/issues/9569#change-58841 * Author: Corey Csuhta * Status: Open * Priority: Normal * Assignee: * ruby -v: * Backport: ---------------------------------------- Right now, `SecureRandom.random_bytes` tries to detect an OpenSSL to use before it tries to detect `/dev/urandom`. I think it should be the other way around. In both cases, you just need random bytes to unpack, so SecureRandom could skip the middleman (and [second point of failure](http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/)) and just talk to `/dev/urandom` directly if it's available. Is this a case of just re-ordering the two code chunks so that `/dev/urandom` is tried first? Relevant lines: https://github.com/ruby/ruby/blob/trunk/lib/securerandom.rb#L59-L90 -- https://bugs.ruby-lang.org/ Unsubscribe: