securer_randomer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c64cc94ae8ed41dc5612889e38d0bd8d7f814ebd
+  data.tar.gz: 428a48564b8eb0e9429973e9809f777ec4e9ccfa
+SHA512:
+  metadata.gz: 836c3eff41e7b0bb2316c777a377173bbfe3b38e94eddce50421519984f5a6bd4e41e666ffaf8a635712e39a0994d3eb25035a34aaaca1530dbf88dba911ba7d
+  data.tar.gz: db821db16a154ce3c4be8b4f4476c3e13ce71264fb92fcddeaac961ab6cb327d1e643d97b40adf4366a07fb151a580c1c6e787dc75d0435381bced2816c0034e

data/.gitignore

@@ -0,0 +1,10 @@
+.ruby-version
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,2 @@
+AllCops:
+  TargetRubyVersion: 1.9

data/.travis.yml

@@ -0,0 +1,17 @@
+sudo: required
+language: ruby
+cache: bundler
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.8
+  - 2.2.4
+  - 2.3.0
+before_install:
+  - gem install bundler -v 1.11.2
+  - sudo add-apt-repository -y ppa:chris-lea/libsodium
+  - sudo apt-get update -q
+  - sudo apt-get install -y libsodium-dev
+env:
+  - WITH_MONKEYPATCH=false
+  - WITH_MONKEYPATCH=true

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in securer_randomer.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Mike Pastore
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,125 @@
+# SecurerRandomer
+
+[![Build Status](https://travis-ci.org/mwpastore/securer_randomer.svg?branch=master)](https://travis-ci.org/mwpastore/securer_randomer)
+[![Gem Version](https://badge.fury.io/rb/securer_randomer.svg)](https://badge.fury.io/rb/securer_randomer)
+
+Ruby's SecureRandom prefers OpenSSL over other mechanisms (such as
+`/dev/urandom` and `getrandom()`). This has recently garnered [some][1]
+[criticism][2].
+
+[RbNaCl][3] provides Ruby bindings to a portable crypto library
+([libsodium][4]) that includes an alternative, OpenSSL-free pseudo-random
+number generator (PRNG) implementation.
+
+This gem monkeypatches RbNaCl into SecureRandom and aims to be "bug-for-bug"
+compatible with the "stock" implementation of SecureRandom across Ruby
+versions. It also provides a nice "do what I mean" random number method that
+can be used instead of Kernel`.rand` and SecureRandom`.random_number`.
+
+## History
+
+This gem started out as a very simple monkeypatch to
+SecureRandom`.random_bytes` and grew as I dug deeper. In newer Rubies, you need
+to patch `.gen_random` instead of `.random_bytes`, and it has no default byte
+size.
+
+Generating random numbers proved to be rather tricky due to inconsistencies
+between the implementations and functionality of Kernel`.rand` and
+SecureRandom`.random_number` between Ruby versions. For example:
+
+* `Kernel.rand(nil)` and `SecureRandom.random_number(nil)` both return a float
+  such that `{ 0.0 <= n < 1.0 }` in Ruby 2.3; but
+  `SecureRandom.random_number(nil)` throws an ArgumentError in Ruby 2.2
+* Kernel`.rand` with an inverted range (e.g. `0..-10`) returns `nil` in Ruby
+  2.2+, but SecureRandom`.random_number` throws an ArgumentError in Ruby 2.2
+  and returns a float such that `{ 0.0 <= n < 1.0 }` in Ruby 2.3
+
+Tests started to accumulate so I decided it was probably a good idea to gemify
+this!
+
+## Features
+
+* SecureRandom`.gen_random` (or `.random_bytes`)
+
+Monkeypatches SecureRandom such that its various formatter methods (`.uuid`,
+`.hex`, `.base64`, `.urlsafe_base64`, and `.random_bytes`) use RbNaCl for random
+byte generation instead of OpenSSL.
+
+* SecureRandom`.random_number`
+
+Monkeypatches SecureRandom such that it uses SecurerRandomer`.kernel_rand`
+instead of OpenSSL (or Kernel`.rand`) to generate random numbers from numeric
+types and ranges. It is bug-for-bug compatible with "stock" SecureRandom,
+meaning it "chokes" on the same inputs and throws the same exception types.
+
+* SecurerRandomer`.kernel_rand`
+
+A bug-for-bug reimplementation of Kernel`.rand`&mdash;meaning it "chokes" on
+the same inputs and throws the same exception types&mdash;that uses RbNaCl as
+its source of entropy.
+
+* SecurerRandomer`.rand`
+
+An idealistic, "do what I mean" random number method that accepts a variety of
+inputs and returns what you might expect. Whereas `Kernel.rand(-5.6)` returns
+an integer such that `{ 0 <= n < 5 }` and `SecureRandom.random_number(-5.6)`
+returns a float such that `{ 0.0 <= n < 1.0 }`, **`SecurerRandomer.rand(-5.6)`
+returns a float such that `{ 0 >= n > -5.6 }`**. Whereas `Kernel.rand(10..0)`
+returns `nil` and `SecureRandom.random_number(10..0)` returns a float such that
+`{ 0.0 <= n < 1.0 }` (in Ruby 2.3), **`SecurerRandomer.rand(10..0)` returns an
+integer such that `{ 10 >= n >= 0 }`**.
+
+## Installation
+
+Please review the installation instructions for [RbNaCl][3]. You will need to
+install either [libsodium][4] or [rbnacl-libsodium][5] before installing this
+gem.
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'securer_randomer', '~> 0.1.0'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install securer_randomer
+
+## Compatibility
+
+SecurerRandomer has been tested under MRI/YARV versions 1.9.3, 2.0, 2.1, 2.2,
+and 2.3.
+
+## DISCLAIMER
+
+**Use at your own risk!**
+
+I am neither a cryptologist nor a cryptographer. Although I'm fairly confident
+in the test suite, serious bugs affecting compatibility, randomness, and
+performance may be present. If you're cautious, I would recommend using the
+monkeypatched SecureRandom formatter methods for random data and Kernel`.rand`
+for random numbers. Bug reports are welcome.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/mwpastore/securer_randomer.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+[1]: https://bugs.ruby-lang.org/issues/9569
+[2]: https://news.ycombinator.com/item?id=11624890
+[3]: https://github.com/cryptosphere/rbnacl
+[4]: https://github.com/jedisct1/libsodium
+[5]: https://github.com/cryptosphere/rbnacl-libsodium

data/Rakefile

@@ -0,0 +1,8 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'securer_randomer'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/securer_randomer/monkeypatch/secure_random.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module SecureRandom
+  RUBY_VER_OBJ = Gem::Version.new(RUBY_VERSION.dup)
+  RUBY_GE_2_2 = RUBY_VER_OBJ >= Gem::Version.new(String.new('2.2.0'))
+  RUBY_GE_2_3 = RUBY_VER_OBJ >= Gem::Version.new(String.new('2.3.0'))
+
+  if RUBY_GE_2_2
+    def self.gen_random(n)
+      RbNaCl::Random.random_bytes(n)
+    end
+  else
+    def self.random_bytes(n = nil)
+      RbNaCl::Random.random_bytes(n ? n.to_i : 16)
+    end
+  end
+
+  if RUBY_GE_2_3
+    def self.random_number(n = 0)
+      arg =
+        case n
+        when nil
+          0
+        when Range
+          n.end < n.begin ? 0 : n
+        when Numeric
+          n > 0 ? n : 0
+        end
+
+      raise TypeError unless arg
+
+      SecurerRandomer.rand(arg, true)
+    rescue TypeError
+      raise ArgumentError, "invalid argument - #{n}"
+    end
+  else
+    def self.random_number(n = 0)
+      raise ArgumentError, "comparison of Fixnum with #{n} failed" unless n.is_a?(Numeric)
+      if n.is_a?(Float) and n > 0
+        if RUBY_GE_2_2
+          raise TypeError, 'Cannot convert into OpenSSL::BN'
+        else
+          raise ArgumentError, 'wrong number of arguments'
+        end
+      end
+
+      SecurerRandomer.rand(n > 0 ? n : 0, true)
+    end
+  end
+end

data/lib/securer_randomer/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SecurerRandomer
+  VERSION = '0.1.0' # rubocop:disable Style/MutableConstant
+end

data/lib/securer_randomer.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'rbnacl/sodium'
+require 'rbnacl/util'
+require 'rbnacl/random'
+
+require 'securer_randomer/version'
+require 'securer_randomer/monkeypatch/secure_random'
+
+module SecurerRandomer
+  def self.kernel_rand(max = 0)
+    rand(max, true)
+  end
+
+  def self.rand(n = 0, emulate_kernel = false)
+    if n.is_a?(Range)
+      raise TypeError, 'no implicit conversion of Range into Fixnum' \
+        unless n.begin.is_a?(Numeric) and n.end.is_a?(Numeric)
+
+      if n.end < n.begin
+        if emulate_kernel
+          nil
+        else
+          m = Range.new(n.end, n.begin, false)
+
+          while true # TODO: better way to do this than looping?
+            q = _rand_range(m)
+
+            break q unless n.exclude_end? and q == n.end
+          end
+        end
+      else
+        _rand_range(n)
+      end
+    else
+      raise TypeError, "no implicit conversion of #{n.class} into Fixnum" \
+        unless n.nil? or n.is_a?(Numeric)
+
+      if n.nil? or n.zero?
+        _randex
+      elsif emulate_kernel
+        _rand_range(Range.new(0, n.to_i.abs, true))
+      else
+        _rand_range(Range.new(0, n.abs, true)) * (n < 0 ? -1 : 1)
+      end
+    end
+  end
+
+  def self._randex
+    i64 = RbNaCl::Random.random_bytes(8).unpack('Q').first
+    Math.ldexp(i64 >> (64 - Float::MANT_DIG), -Float::MANT_DIG)
+  end
+
+  def self._randin
+    _randex >= 0.5 ? 1 - _randex : _randex
+  end
+
+  def self._rand_range(n)
+    n.begin + if n.end.is_a?(Float) or n.begin.is_a?(Float)
+      (n.exclude_end? ? _randex : _randin) * (n.end - n.begin)
+    else
+      (_randex * (n.end - n.begin + (n.exclude_end? ? 0 : 1))).to_i
+    end
+  end
+
+  private_class_method(:_randex, :_randin, :_rand_range) if respond_to?(:private_class_method)
+end

data/securer_randomer.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'securer_randomer/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'securer_randomer'
+  spec.version       = SecurerRandomer::VERSION
+  spec.authors       = ['Mike Pastore']
+  spec.email         = ['mike@oobak.org']
+
+  spec.summary       = 'Monkeypatch SecureRandom (and Kernel.rand) with RbNaCl'
+  spec.homepage      = 'https://github.com/mwpastore/securer_randomer'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split(%r{\x0}).reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.required_ruby_version = '>= 2.2.0'
+
+  spec.add_development_dependency 'bundler', '~> 1.11'
+  spec.add_development_dependency 'rake', '~> 11.1.1'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec-given', '~> 3.8.0'
+  spec.add_development_dependency 'rubocop', '~> 0.39.0'
+
+  spec.add_runtime_dependency 'rbnacl', '~> 3.3.0'
+end

metadata

@@ -0,0 +1,142 @@
+--- !ruby/object:Gem::Specification
+name: securer_randomer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Mike Pastore
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-05-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 11.1.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 11.1.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-given
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.39.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.39.0
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+description: 
+email:
+- mike@oobak.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/securer_randomer.rb
+- lib/securer_randomer/monkeypatch/secure_random.rb
+- lib/securer_randomer/version.rb
+- securer_randomer.gemspec
+homepage: https://github.com/mwpastore/securer_randomer
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Monkeypatch SecureRandom (and Kernel.rand) with RbNaCl
+test_files: []