Hi. I took a quick look while procrastinating at work and found a few potential issues:
- What's up with this hard-coded salt<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-16> ? - Any specific reason you picked CTR<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-88> ? - Use mlock<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-238> here? I don't think that will help you if you run within a guest VM though. - Buffer overflow<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-241>on password input - Is this safe for non-terminated strings<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/common.c?at=master#cl-41> ? - Why do you have this checksum<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-112>if you just HMACed the ciphertext? - HMAC verification is vulnerable to a timing attack<https://bitbucket.org/scassidy/dinet/src/9f3afe465afb124367e03b63c6b63cba261e4edf/client/broadcast_client.c?at=master#cl-129>. Since you're using CTR, it's that much easier to forge messages. - There's no forward security. This is by no means comprehensive. I've only been looking at a couple files. On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cass...@gmail.com>wrote: > Hello all, > > I have created a simple anonymity network that broadcasts all messages > to participants so that you cannot associate chatters. > > https://bitbucket.org/scassidy/dinet > > There is a simple sample client available, but you could write your > own client to build your own features atop the network. > > http://projects.existentialize.com/dinet/client.html > > Please let me know if you have any comments. > > Sean > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at compa...@stanford.edu or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech >
-- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech