Issue #6928 has been reported by MartinBosslet (Martin Bosslet).

----------------------------------------
Bug #6928: SecureRandom.random_bytes: assume zero entropy for seed value
https://bugs.ruby-lang.org/issues/6928

Author: MartinBosslet (Martin Bosslet)
Status: Open
Priority: Normal
Assignee: akr (Akira Tanaka)
Category: lib
Target version: 2.0.0
ruby -v: trunk


If OpenSSL is available SecureRandom.random_bytes uses 
OpenSSL::Random.random_bytes and the random generator is reseeded [1] 
whenever the current pid changes (due to repeated values when a pid 
is reused, cf. #4579).

Since this seeding is also called the first time the method is entered, 
using OpenSSL::Random.seed is potentially dangerous. OpenSSL::Random.seed 
is equal to using OpenSSL::Random.random_add where it is assumed that the 
string passed to seed possesses full entropy. This is definitely not the 
case for pid and time values. In fact, OpenSSL itself assumes an entropy 
of 1.0 or even 0.0 when doing similar seeding in RAND_poll [2][3]. However, 
this seems to have no impact so far, since the OpenSSL random generator 
gathers enough entropy on startup even if we seeded with what it would 
consider enough bytes of entropy (32 by default). So even if our seed 
string is already 32 bytes or larger, OpenSSL's RAND_poll still seems to
collect 32 bytes of entropy on initialization regardless of what has been
added/seeded so far, which is a good thing in this case. Still, this could
change over time if OpenSSL for example changes internal behaviour and 
would decide that enough entropy had been provided while seeding.

Therefore I believe using OpenSSL::Random.random_add with an assumed 
entropy of 0.0 might be a more defensive choice. The forking test from 
#4579 still passes with the attached patch. What do you think?

[1] https://github.com/ruby/ruby/blob/trunk/lib/securerandom.rb#L56
[2] https://github.com/plenluno/openssl/blob/master/crypto/rand/rand_unix.c#L179
[3] https://github.com/plenluno/openssl/blob/master/crypto/rand/rand_unix.c#L398 


-- 
http://bugs.ruby-lang.org/