[erlang-bugs] crypto:rand_bytes using deprecated function

[David Whitlock]

Hi,

The rand_bytes function in the crypto module is using the openssl
RAND_pseudo_bytes
function, which is deprecated.

This raises three issues / questions:


   1. Should he function rand_bytes be deprecated?
   2. Should the documentation state that it should not be used for
   cryptographic purposes (this is the openssl recommendation)?
   3. In otp/lib/ssl/src/ssl.erl (starting line 595) and in
otp/lib/crypto/src/crypto.erl
   (starting line 643) there are functions which fall back to rand_bytes if
   strong_rand_bytes cannot be used. It is therefore possible that rand_bytes
   might be used to generate keys. Should these functions return an error
   instead?

If you need any more info, please let me know,

David Whitlock
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20151008/b200ea20/attachment.htm>