On Mon, Sep 16, 2013 at 01:56:58PM +0200, Johannes Schlüter wrote: > On Mon, 2013-09-16 at 11:56 +0100, Alain Williams wrote: > > In the light of the recent scandal of the NSA (& others) attacking > > encryption > > would it be a good idea to see if we can get an audit of all the security > > related code in PHP ? It would do a bit to help boost confidence in PHP - > > and > > might even find something (although I hope not). > > PHP itself doesn't do much crypto stuff. We rely mostly on libs like > openssl etc. and provide hashing algorithms which follow the > specifications. If the specifications are bad this is a global non-PHP > issue.
I just looked at this, it does look like a small shim to underlying modules: ./ext/mcrypt/mcrypt.c Which means that there should not be a lot of work. A statement like this would be good: The PHP cryptographic functions have been indepdendently verified as being well implemented without any weakening of security in the way that they use the underlying cryptographic and hashing libraries. The implementations of the underlying libraries is platform (operating system) dependent and users should see separate verification of these.[**] The API calls verified are: crypt(), md5(), the mcrypt functions, ... The code that we do own are the tests. I don't know what could be done to make them better, I suspect that it would be hard to check against the sort of attacks that the NSA is doing. [**] we could provide links to where this has been done. > If you get reviewers to review our code we're happy to receive feedback > on bugs.php.net or secur...@php.net. Would it not be worth the PHP team putting out a 'request for idependent help', it would get more notice than just me asking ? > Note that most of these things don't refer to PHP directly. i.e. > encryption between user and PHP is usually done by the web server. > Encryption between PHP and databases by database libraries. If > applications built on top of PHP don't do proper end-to-end encryption > it is also no issue of the platform in itself. I am aware of that. Unless we are careful all the components in an application stack (of which PHP is just one part) will just sit on their hands and tell people to look elsewhere. I am trying to kick start something that other components will pick up and do their bit. -- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 http://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php #include <std_disclaimer.h> -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php