Newsgroups: php.internals
From: valyala@tut.by ("Alexander Valyalkin")
To: internals@lists.php.net
Date: Tue, 15 Jun 2004 18:30:01 +0300
Subject: The open letter to Derick Rethans

On Tue, 15 Jun 2004 12:47:29 +0200 (CEST), Derick Rethans wrote:

> On Tue, 15 Jun 2004, Alexander Valyalkin wrote:
>
>> Today I checked file /win32/readdir.c
>> Below you can view its source with my comments.
>
> Just a little notice that you successfully made it into my killfilter.
> Great job!
>
> Derick

And what about your job? So, you are the author of the mcrypt module. Let's audit
your work: /ext/mcrypt/mcrypt.c

Can you explain to me the sense of the memset() after any memory allocation
in mcrypt.c? For example:
===========================
/* missing type casting from (void *) to (unsigned char *) */
pointer = emalloc (length_of_data);
/* sense of the next string? wasting time? */
memset (pointer, 0, length_of_data);
memcpy (pointer, data_pointer, length_of_data);
===========================

Why don't you wipe keys and initialization vectors before freeing memory?
Leave it for spies from NSA and KGB? :)
For example:
===========================
if (key_s != NULL)
    efree (key_s);
if (iv_s != NULL)
    efree (iv_s);
===========================

Can you explain to me the sense of the initialization vector [iv] for ECB mode?
:
===========================
/* {{{ proto string mcrypt_ecb(int cipher, string key, string data, int mode, string iv)
   ECB crypt/decrypt data using key key with cipher cipher starting with iv */
===========================

Well, let's see the documentation of Mcrypt http://php.net/mcrypt/ :
==============================
MCRYPT_MODE_OFB (output feedback, in 8bit) is comparable to CFB, but can be
used in applications where error propagation cannot be tolerated. It's
insecure (because it operates in 8bit mode) so it is not recommended to use
it.
==============================
1) What happens with error propagation after deleting/inserting any data
into text encrypted in OFB mode? Do you know what the word
"self-synchronizing" means for CFB mode?
2) Do you know that not only 8bit OFB is insecure? OFB mode always has less
security if the size of encrypted text is not equal to the blocksize of the
used cypher. For example, the security of 256bit AES cypher in 255bit mode is
the same as for 256bit AES in 8bit OFB mode.

==============================
MCRYPT_MODE_CFB (cipher feedback) is the best mode for encrypting byte
streams where single bytes must be encrypted.
==============================
How can I use this mode for encrypting byte streams, if function
mcrypt_cfb() doesn't return the current [iv] value? The same question for
other modes, excepting ECB.

-- 
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
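
The two allocation points raised in the message (the memset() before memcpy(), and freeing keys and IVs without wiping them), as an added example that is not part of the original post and is not code from mcrypt.c. It assumes plain malloc()/free() standing in for emalloc()/efree(); the names secure_wipe, secret_buf, secret_init and secret_release are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Zero len bytes through a volatile pointer so the stores are not treated as
 * dead writes ahead of free(). See also explicit_bzero(), memset_s(). */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical holder for key or IV bytes (not a type from mcrypt.c). */
typedef struct { unsigned char *bytes; size_t len; } secret_buf;

/* Copy caller data into a fresh allocation; 0 on success, -1 on failure.
 * No memset() before memcpy(): every allocated byte is overwritten anyway. */
static int secret_init(secret_buf *s, const void *data, size_t len)
{
    s->len = 0;
    s->bytes = (data != NULL && len != 0) ? (unsigned char *)malloc(len) : NULL;
    if (s->bytes == NULL)
        return -1;
    memcpy(s->bytes, data, len);
    s->len = len;
    return 0;
}

/* Wipe the secret, then free it, and leave the holder empty so that a
 * second call is harmless. Assumption: free() stands in for efree(). */
static void secret_release(secret_buf *s)
{
    if (s->bytes != NULL) {
        secure_wipe(s->bytes, s->len);
        free(s->bytes);
    }
    s->bytes = NULL;
    s->len = 0;
}

int main(void)
{
    static const unsigned char key[16] = "constructed key"; /* sample value */
    secret_buf k;
    if (secret_init(&k, key, sizeof key) != 0) return 1;
    secret_release(&k); /* key bytes are zeroed before the memory is returned */
    return k.bytes == NULL ? 0 : 1;
}
```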