Version 0.5.0
Pre-release
Pre-release
·
598 commits
to master
since this release
v0.5.0
paragonie-security
P.I.E. Security Team
This tag was signed with the committer’s verified signature.
paragonie-security
P.I.E. Security Team
- Security fix: Our
hash_equals()polyfill would return a false positive if the first byte matched. This was originally identified by a strange unit test failure, analyzed by @defuse, then a proposed future-proofing was suggested by @solardiz. This would not have affected PHP 5.6 or newer. ParagonIE_Sodium_Fileis now feature-complete for the operations we wish to expose (i.e. encrypting, signing, and verifying files).- Unlike Halite, it does not attempt to mitigate TOCTOU vulnerabilities. If TOCTOU is relevant to your threat model, you are encouraged to load the entire files into memory and use
ParagonIE_Sodium_Compatinstead ofParagonIE_Sodium_File.
- Unlike Halite, it does not attempt to mitigate TOCTOU vulnerabilities. If TOCTOU is relevant to your threat model, you are encouraged to load the entire files into memory and use
- More multiplication operations have been replaced with our constant time loop. See cryptographically secure PHP development for more information.