On 03/09/2016 11:11 AM, Stuart Henderson wrote:
On 2016/03/09 10:05, Stuart Henderson wrote:
That should be fixed in mcrypt - it should use arc4random functions
instead.

In addition,

https://github.com/paragonie/random_compat/blob/master/ERRATA.md

1. libsodium if available
2. fread() /dev/urandom if available
3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)
4. COM('CAPICOM.Utilities.1')->GetRandom()
5. openssl_random_pseudo_bytes()

- libsodium is "security/pecl-libsodium", please set that as a dep,
it's the best choice for crypto primitives in PHP. But mcrypt should
still be fixed.


mcrypt upstream probably won't fix anything. Are you suggesting to fix this in the port of mcrypt itself?
