On Tue, 15 Jun 2004, Alexander Valyalkin wrote:
Today I checked file /win32/readdir.c Below you can view its source with my comments.
Just a little notice that you succesfully made it into my killfilter. Great job!
Derick
And what about your job? So, you are author of mcrypt module. Let audit your work: /ext/mcrypt/mcrypt.c
Can you explain me the sense of the memset() after any memory allocation in the mcrypt.c. For example: =========================== /* missing type casting from (void *) to (unsigned char *) */ pointer = emalloc (length_of_data); /* sense of the next string? wasting time? */ memset (pointer, 0, length_of_data); memcpy (pointer, data_pointer, length_of_data); ===========================
Why you don't wipe keys and initialization vectors before freeing memory?
Leave it for spies from NSA and KGB ? :)
For example:
===========================
if (key_s != NULL)
efree (key_s);
if (iv_s != NULL)
efree (iv_s);
===========================Can you explain me the sense of initialization vector [iv] for ECB mode? :
===========================
/* {{{ proto string mcrypt_ecb(int cipher, string key, string data, int mode, string iv)
ECB crypt/decrypt data using key key with cipher cipher starting with iv */
===========================
Well, let see documentation of Mcrypt http://php.net/mcrypt/ :
==============================
MCRYPT_MODE_OFB (output feedback, in 8bit) is comparable to CFB, but can be
used in applications where error propagation cannot be tolerated. It's
insecure (because it operates in 8bit mode) so it is not recommended to use it.
==============================
1) What happens with error propagation after deleting/inserting any data into
encrypted in OFB-mode text? Do you know what means "self-synchronizing" words
for CFB mode?
2) Do you know that not only 8bit OFB is insecure? OFB mode always have less
security if size of encrypted text is not equal to blocksize of used cypher.
For example, the security of 256bit AES cypher in 255bit mode is the
same as for 256bit AES in 8bit OFB mode.
============================== MCRYPT_MODE_CFB (cipher feedback) is the best mode for encrypting byte streams where single bytes must be encrypted. ============================== How can I use this mode for encrypting byte streams, if function mcrypt_cfb() dont return current [iv] value? The same question for other modes, excepting ECB.
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
