lua-resty-random
lua-resty-random does not check OpenSSL RAND_bytes return value
Hi,
lua-resty-random uses the OpenSSL RAND_bytes function for generating random bytes. The OpenSSL documentation (https://www.openssl.org/docs/man1.0.2/crypto/RAND_bytes.html) says about this function:
An error occurs if the PRNG has not been seeded with enough randomness to ensure an unpredictable byte sequence.
[…]
RAND_bytes() returns 1 on success, 0 otherwise.
However, lua-resty-random is currently NOT checking the return value of the C.RAND_bytes call.
As random generation is really a key root element for security, the risk is to drastically lower the security of the system relying on lua-resty-random. The risk is for example to get reproducible values (so no longer random!), allowing people to guess the next randoms.
I think it would definitely make sense to check the return value of RAND_bytes, and in case of issue, raise an error to the caller.
The current implementation is testing `if not s then return nil end`, but I don’t think it is enough (at least, the error condition explained in RAND_bytes is not referring to this kind of test. It is just referring to the returned value of RAND_bytes).
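To illustrate the point above, here is an added example (not lua-resty-random's own code) showing the unchecked pattern next to a version that surfaces a RAND_bytes failure. It assumes a LuaJIT FFI environment with libcrypto available; the `RAND_bytes` cdef and the `bytes_unchecked`/`bytes_checked` names are the example's own.

```lua
local ffi = require "ffi"
local ffi_new = ffi.new
local ffi_str = ffi.string

-- Assumption: declare the OpenSSL symbol we call through the FFI.
ffi.cdef[[
int RAND_bytes(unsigned char *buf, int num);
]]

-- Inside OpenResty libcrypto is already in the process (ffi.C would do);
-- ffi.load makes the example also work under plain LuaJIT.
local crypto = ffi.load("crypto")

-- Before: the return value is ignored. If the PRNG is not seeded, buf may be
-- left untouched (zeros or stale memory) and is still handed back as "random".
local function bytes_unchecked(len)
    local buf = ffi_new("unsigned char[?]", len)
    crypto.RAND_bytes(buf, len)
    return ffi_str(buf, len)
end

-- After: RAND_bytes returns 1 on success, 0 otherwise. Anything other than 1
-- is treated as failure and reported to the caller instead of returning
-- possibly non-random bytes.
local function bytes_checked(len)
    local buf = ffi_new("unsigned char[?]", len)
    local rc = crypto.RAND_bytes(buf, len)
    if rc ~= 1 then
        return nil, "RAND_bytes failed (rc=" .. tostring(rc) .. "): PRNG not seeded or internal error"
    end
    return ffi_str(buf, len)
end

-- Usage: callers must check the error return rather than assume success.
local r, err = bytes_checked(32)
if not r then
    error(err)
end
assert(#r == 32)
```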