This queue is for tickets about the Crypt-Random-Source-SSLeay CPAN distribution.

Report information
The Basics
Id: 82418
Status: new
Priority: 0/
Queue: Crypt-Random-Source-SSLeay

People
Owner: Nobody in particular
Requestors: DANAJ [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.02
Fixed in: (no value)



Subject: Wrong generator is used for strong source
In Crypt::Random::Source::Strong::SSLeay, the bytes are generated using:

    Net::SSLeay::RAND_pseudo_bytes(my $buf, $n);

which is identical to the Weak version. The documentation for Net::SSLeay as well as the OpenSSL documentation indicate RAND_bytes is the cryptographically strong generator, while RAND_pseudo_bytes generates standard PRNG data. The top-level module documentation implies RAND_bytes is being used.

As an aside, the get method for this module is documented as returning 10 bytes. It takes an argument indicating the number of bytes, as shown in the synopsis.
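
A fail-closed way to draw from the strong generator the report refers to, as an added example that is not part of the ticket or the distribution's code. `strong_bytes` is a hypothetical helper name; the `Net::SSLeay` calls are the ones that module documents.

```perl
use strict;
use warnings;
use Carp qw(croak);
use Net::SSLeay ();

# Hypothetical helper (not from Crypt::Random::Source::SSLeay):
# return exactly $n bytes from OpenSSL's strong generator, or die.
sub strong_bytes {
    my ($n) = @_;
    croak "byte count must be a positive integer"
        unless defined $n && $n =~ /\A[1-9][0-9]*\z/;

    # RAND_status() is true once the PRNG has been seeded with enough entropy.
    croak "OpenSSL PRNG is not seeded" unless Net::SSLeay::RAND_status();

    # RAND_bytes() returns 1 only on success. Unlike RAND_pseudo_bytes(),
    # it never hands back non-cryptographic output with a "soft" return
    # code, so anything other than 1 is treated as fatal.
    my $rv = Net::SSLeay::RAND_bytes(my $buf, $n);
    croak "RAND_bytes failed"
        unless defined $rv && $rv == 1;

    # Refuse short or missing buffers instead of returning them to a caller
    # that may use them as key material.
    croak "RAND_bytes returned an unexpected length"
        unless defined $buf && length($buf) == $n;

    return $buf;
}

# Usage: a 32-byte key; two draws should never be equal.
my $key   = strong_bytes(32);
my $other = strong_bytes(32);
die "repeated output from strong generator" if $key eq $other;
printf "%d strong bytes: %s\n", length($key), unpack("H*", $key);
```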