<div dir="ltr"><div><div>Hi,<br><br></div>The rand_bytes function in the crypto module is using the openssl <span>RAND_pseudo_bytes function, which is deprecated.<br><br></span></div><div><span>This raises three issues / questions:<br><br></span></div><ol><li><span>Should he function rand_bytes be deprecated?<br></span></li><li><span>Should the documentation state that it should not be used for cryptographic purposes (this is the openssl recommendation)?<br></span></li><li><span>In </span><span>otp/lib/ssl/src/ssl.erl (starting line 595) and in </span><span>otp/lib/crypto/src/crypto.erl
(starting line 643) there are functions which fall back to rand_bytes
if strong_rand_bytes cannot be used. It is therefore possible that
rand_bytes might be used to generate<span style="color:rgb(0,0,0)"> keys.</span><span class=""><font color="#888888"><span style="color:rgb(0,0,0)"> Should these functions return an error instead?</span></font></span></span></li></ol><p><span style="color:rgb(0,0,0)">If you need any more info, please let me know,</span></p><p><span style="color:rgb(0,0,0)"></span></p><p><span style="color:rgb(0,0,0)">David Whitlock</span><br></p><div class=""><div id=":222" class="" tabindex="0"><img class="" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div></div></div>