Just to ask the obvious.... Why not just use the openssl library for this? 
Especially since the public and private keys are already being loaded in the 
initGlobals() function. I know that its interface is not nearly so nice, and 
it doesn't support symmetric encryption for PHP <= 5.3, but here's some code 
that could be dropped in place in utils.php:

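function encryptData($data){
    global $keys;
    if(! $data)
        return false;
    // Assumes initGlobals() stores the loaded keys as $keys['public'] and $keys['private'].
    if(! openssl_public_encrypt($data, $encrypted, $keys['public']))
        return false;
    return trim(base64_encode($encrypted));
}

function decryptData($data){
    global $keys;
    if(! $data)
        return false;
    if(! openssl_private_decrypt(base64_decode($data), $decrypted, $keys['private']))
        return false;
    return trim($decrypted);
}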

The other change would require modifying the initGlobals() function so that the 
public/private keys were read earlier in the execution of the function, i.e. 
before trying to decrypt a continuation value.


Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
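
Added example (not part of the original message and not VCL code): encrypting with the public/private key pair as suggested above means RSA, which accepts only a single block of input, so a value longer than the key size allows makes the call fail. The sketch below uses OAEP padding, a throwaway 2048-bit key generated in-process, and hypothetical helper names (encryptSmall, decryptSmall, maxPlaintextLen) to show that limit with a fail-closed check.

```php
<?php
// Constructed key pair for the demonstration; not the keys VCL loads in initGlobals().
$res = openssl_pkey_new(array(
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
if ($res === false) {
    die("key generation failed (check the OpenSSL configuration)\n");
}
$details = openssl_pkey_get_details($res);
$keys = array(                          // hypothetical layout of the $keys global
    'private' => $res,
    'public'  => openssl_pkey_get_public($details['key']),
);

// Largest plaintext RSA-OAEP with SHA-1 accepts: modulus bytes - 2*20 - 2.
function maxPlaintextLen($pubkey) {
    $d = openssl_pkey_get_details($pubkey);
    return (int)($d['bits'] / 8) - 42;
}

function encryptSmall($data, $keys) {
    if (strlen($data) > maxPlaintextLen($keys['public']))
        return false;                   // too long for one RSA block: fail closed
    if (! openssl_public_encrypt($data, $enc, $keys['public'], OPENSSL_PKCS1_OAEP_PADDING))
        return false;
    return base64_encode($enc);
}

function decryptSmall($data, $keys) {
    $raw = base64_decode($data, true);  // strict mode rejects non-base64 input
    if ($raw === false)
        return false;
    if (! openssl_private_decrypt($raw, $dec, $keys['private'], OPENSSL_PKCS1_OAEP_PADDING))
        return false;
    return $dec;
}

$short = 'continuation-id:12345';       // constructed sample value
$long  = str_repeat('A', 300);          // longer than one 2048-bit OAEP block allows

$token = encryptSmall($short, $keys);
var_dump(decryptSmall($token, $keys) === $short);  // round trip of a short value
var_dump(encryptSmall($long, $keys));              // oversized input is refused
var_dump(decryptSmall('not base64!', $keys));      // malformed token is refused
```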

On May 17, 2012, at 8:34 AM, Josh Thompson wrote:

On Wednesday, May 16, 2012 10:37:02 AM Kevan Miller wrote:
On May 11, 2012, at 3:17 PM, Josh Thompson wrote:


Ugh.  Thanks for looking at this.  I guess it goes to show you can't just
trust that another project that says it is MIT licensed is *completely*
licensed.  :(  I'll figure out a way to deal with it.  If it works out
bcpowmod.php and str_split.php are not actually needed, can I just remove
them?  If so, do I need to document that modification somewhere?

BTW, vcl/trunk/web/.ht-inc/phpseclib/index.html refers to PHP Secure
Communications Library as LGPL-licensed. Which is contradicted by

It looks like our documentation comes from
http://phpseclib.sourceforge.net/documentation/ -- I'd check with the
phpseclib project. Seems to be their reference to LGPL is unintended or
inconsistent. bcpowmod.php's LGPL license would seem to be a problem with
this, however…


After looking further, there are only two files (AES.php and Rijndael.php)
needed from the phpseclib project, and both of them appear as though they were
written to be able to be included by themselves (i.e. each one contains
information about the author, the project, and the license).  Both files state
that they are MIT licensed and contain that license in them.  Is it normal to
just pull in specific files from another project, or is it better to include
the whole project?

My only other experience in including another open source project in one I
work on is from including the Dojo Toolkit with VCL.  In that case, it seemed
to make the most sense to include the whole thing.

License wise, it seems simplest to just include the two files in the release,
but I just want to make sure we do the right thing in respecting other open
source projects.

--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.