On Sun, Feb 8, 2015 at 5:15 PM, Daniel Lowrey <rdlow...@php.net> wrote:
> Currently PHP's openssl_random_pseudo_bytes() uses the latter function and > allows users to pass a by-reference $crypto_strong out parameter to > determine if the result is cryptographically strong. This is fine if you > know all of the above and have read the manual for this function. However, > it may be desirable to add a new openssl_rand_bytes() function that uses > RAND_bytes() under the hood to make it less likely for someone to > accidentally use insufficiently random output. Hi Daniel, Just to clarify: OpenSSL automatically seeds its random pool from crypto-safe system-specific sources (/dev/[u]random on Linux): it is just *impossible* on modern systems to end up in the case of not having enough entropy. Damien
