Results of a Five Minute Audit
Issue #1
resolved
By default, PHP will read 8192 bytes from /dev/urandom unless you invoke stream_set_read_buffer(), like so:
See https://github.com/paragonie/random_compat/blob/master/lib/random_bytes_dev_urandom.php#L74
Instead of padding with null bytes, why not guarantee that this is random?
As Defuse said on Twitter, this should read
$mac = hash_hmac($this->algorithm, $iv . $encrypted, $salt);
and
should read
$calcmac = hash_hmac($algo, $iv . $hashed, $salt);
Comments (2)
-
repo owner -
repo owner - changed status to resolved
Resolved, I believe, but you're welcome to log new issue if not
- Log in to comment
Think I've fixed it Was using fgets() instead of fread(), whoops!