Issue #15039 has been updated by shyouhei (Shyouhei Urabe).


Freaky (Thomas Hurst) wrote:
> > Or is it not about the code quality in general?  Maybe the problem here is that having _any_ bits of instructions in a userland?
> 
> It's a mix of the two, and it might be worth separating the issues.
> 
> One is that arc4random() is pretty much only sensibly implemented on OpenBSD, as far as I know, and its use should probably be limited to that and maybe other platforms where it's *confirmed* to be not-awful.

Hmm, OK.  I respect your feeling that the arc4random() in FreeBSD (up to 11) is questionable.  +1 to avoid using such implementation(s).

> The other is clarifying the intent of `Random.urandom` and the priorities of `SecureRandom`.  Following #9569, *are* they meant to be avoiding using userspace CSPRNGs?  They do so on Linux and Windows, but don't on platforms with arc4random().

As far as I understand Random.urandom intends to be cryptographically secure; nothing more.  My attempt when fixing #9569 was that arc4random() supposedly adequately fulfilled this property like OpenBSD's.  I did not see any reason to reject such thing.  Maybe is it getting hard for a "userspace CSPRNG" in general to make sense these days?  That is a possible situation and I have to change my mind then.

----------------------------------------
Bug #15039: Random.urandom and SecureRandom arc4random use
https://bugs.ruby-lang.org/issues/15039#change-73781

* Author: Freaky (Thomas Hurst)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Random.urandom defaults to arc4random() on a lot of platforms, including FreeBSD.

On all currently released versions of FreeBSD, arc4random() is, as the name suggests, a dubious ARC4-based userspace PRNG dating from circa 1997.  Given the entire point of #9569 was that using the userspace CSPRNG in OpenSSL over /dev/urandom or equivalent is a bad idea, this seems to mean it's regressed to an *even worse* state on these platforms.  Even in cases where it's using something more modern (FreeBSD 12, OpenBSD), it's still a userspace CSPRNG.

If that's fine, we might as well *pick a known-good one* and use that everywhere.  Like, say, OpenSSL's.

Since the conclusion of #9569 seems to have been otherwise, I'd suggest dropping arc4random() as a potential source for Random.urandom due to it not matching the desired semantics.

Rust's OsRng seems a good template for alternative _syscall implementations: https://docs.rs/rand/0.5.5/rand/rngs/struct.OsRng.html#platform-sources



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>