Hi. I took a quick look while procrastinating at work and found a few
potential issues:

- What's up with this hard-coded salt <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-16>?
- Any specific reason you picked CTR <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-88>?
- Use mlock <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-238> here?
  I don't think that will help you if you run within a guest VM though.
- Buffer overflow <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-241> on password input
- Is this safe for non-terminated strings <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/common.c?at=master#cl-41>?
- Why do you have this checksum <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-112> if you just HMACed the ciphertext?
- HMAC verification is vulnerable to a timing attack <https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-129>.
  Since you're using CTR, it's that much easier to forge messages.
- There's no forward security.

This is by no means comprehensive. I've only been looking at a couple files.


On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cass...@gmail.com> wrote:

> Hello all,
>
> I have created a simple anonymity network that broadcasts all messages
> to participants so that you cannot associate chatters.
>
> https://bitbucket.org/scassidy/dinet
>
> There is a simple sample client available, but you could write your
> own client to build your own features atop the network.
>
> http://projects.existentialize.com/dinet/client.html
>
> Please let me know if you have any comments.
>
> Sean
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
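
The timing-attack point in the reply above comes down to how the receiver compares the tag it computed with the tag it received. The following is an added example, not part of the original thread and not dinet's code: it puts an early-exit comparison beside a constant-time one and gates decryption on the result. The 32-byte tag length, the ciphertext-then-tag layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 32 /* assumption: 32-byte tag (e.g. HMAC-SHA256) */

/* Leaky form: memcmp may stop at the first mismatching byte, so response
 * time can reveal how long a correct prefix of a guessed tag is. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b)
{
    return memcmp(a, b, TAG_LEN) == 0;
}

/* Constant-time form: every byte is read and the differences are OR-ed
 * together, so the running time does not depend on where they differ. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t len)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Gate to run before any CTR decryption. Assumed wire layout (hypothetical,
 * not taken from dinet): ciphertext followed by a TAG_LEN-byte tag.
 * expected_tag is the HMAC the receiver computed over the ciphertext.
 * Returns the ciphertext length, or -1 when the message must be dropped. */
long check_message(const uint8_t *msg, size_t msg_len,
                   const uint8_t expected_tag[TAG_LEN])
{
    if (msg == NULL || msg_len < TAG_LEN)
        return -1; /* too short to carry a tag */
    size_t ct_len = msg_len - TAG_LEN;
    if (!tag_equal_ct(expected_tag, msg + ct_len, TAG_LEN))
        return -1; /* forged or corrupted: never decrypt */
    return (long)ct_len;
}

int main(void)
{
    uint8_t tag[TAG_LEN], msg[4 + TAG_LEN] = {1, 2, 3, 4}; /* constructed */
    memset(tag, 0xAB, TAG_LEN); /* stands in for a computed HMAC */
    memcpy(msg + 4, tag, TAG_LEN);
    printf("intact: %ld\n", check_message(msg, sizeof msg, tag));
    msg[sizeof msg - 1] ^= 1; /* flip one bit of the received tag */
    printf("tampered: %ld\n", check_message(msg, sizeof msg, tag));
    return 0;
}
```
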