From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-85506-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 42083138334
	for <garchives@archives.gentoo.org>; Sat,  4 Aug 2018 14:29:56 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 93B17E0805;
	Sat,  4 Aug 2018 14:29:51 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 3B879E07F6
	for <gentoo-dev@lists.gentoo.org>; Sat,  4 Aug 2018 14:29:50 +0000 (UTC)
Received: from computer (unknown [136.179.21.77])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: hanno)
	by smtp.gentoo.org (Postfix) with ESMTPSA id 877B8335CA8
	for <gentoo-dev@lists.gentoo.org>; Sat,  4 Aug 2018 14:29:48 +0000 (UTC)
Date: Sat, 4 Aug 2018 07:29:47 -0700
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: mcrypt status (Re: [gentoo-dev] Idea for a new project:
 gentoo-libs)
Message-ID: <20180804072947.1f9ac221@computer>
In-Reply-To: <20180804114328.d4b31c885eba7cb98a1b5fd2@gentoo.org>
References: <20180623025046.djmsv44moxuqkv6t@proprietary-killer>
	<20180625075947.03bd4875@computer>
	<20180804114328.d4b31c885eba7cb98a1b5fd2@gentoo.org>
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 boundary="Sig_/NV7_W3l0BReNc=jUYqIKZ7P"; protocol="application/pgp-signature"
X-Archives-Salt: 16081d2e-2e9d-41eb-8f7e-6a204ae89eb5
X-Archives-Hash: 3406ec9531cce18b58d57536efdc345b

--Sig_/NV7_W3l0BReNc=jUYqIKZ7P
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,

On Sat, 4 Aug 2018 11:43:28 +0300
Andrew Savchenko <bircoph@gentoo.org> wrote:

> Do you have any evidence that mcrypt should not be used?

Well, PHP was as far as I'm aware its main user and PHP has declared
mcrypt support to be deprecated a while ago.

> Symmetric cryptography is quite conservative and it took years and
> even decades for algorithms and their implementations to become
> trusted, so there is nothing wrong in using good old verified
> software.

When it comes to cipher modes the fact that people use decades old
modes is a problem. See efail for a prominent example, but there
are many less prominent ones.

Look at the mcrypt webpage:
http://mcrypt.sourceforge.net/

Modes of Operation:

CBC
CFB
CTR
ECB
OFB
NCFB

That is a mixture of very insecure (ECB), insecure in most situations
(all others) and totally obscure modes. It doesn't include any
authenticated encryption modes, which in most situations is what you
want to use.

--=20
Hanno B=C3=B6ck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

--Sig_/NV7_W3l0BReNc=jUYqIKZ7P
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEn3wfQCCb9MicJwD8dkhfABMwL8oFAltluFsACgkQdkhfABMw
L8qKIhAAkuk068hHpQXZH791GrHmMCGApn19QA9zu18CwzGivrj4frZ5rAosdZoZ
clJR4GhDvqY103MoJJaJIPGnHw2wUmXaI7NGfpjJCyXgtDwS6rhhFhE+tbGCF4Sy
bXCinICoxxvQxtZlUUfbPQS3TWZWn+flDy6GpG7oq/0/mgR/KDME3/HznCVsFlB0
R5ILEfs7KYde2H1u0rPdpI4v7lLkwqkvRcZRINaEsieR6xREdeLapIxRJiohO3z7
hvNCfs0kxG8jSz9y+h8ADeYKsWLplE18q1gOn68O+P0/yKqCkTXqPyNLnBXnT/83
LJu6Rp94QWoFIl3GVuEv7xXQi5X0/WAkNCz1OEBZCokVlKlh2dv+j7P/RySYCWWD
TuLVrru2/ddPxyZ+7mMxw0yCvsRkqdlsp8FwyQnuwCxpoRwVxEsAOFnYb+EPWx8a
3KXghaXZ/0LB30kDCEL1JaHKMXjf2CyLL42deSQ+ndDc6ZFKMRbYVxYQ2+RgP2pg
8fZZ9hVjG8mYcbmr/Q0GXo/1BKggHJ1Kmkyl/oMeCBph5Rxrp8T39l7T8t4HPxeI
FDnmAmYzi621axhJ7/1P+i8lwA/0/bamP6fFbeX8uLCX5n/gdAN/3yU4BhtuUYKL
7dcIl4AejBaZgTaHNlhwEAjBpRliOIKMmK0l9hJq3dpITpuAfEM=
=OIdm
-----END PGP SIGNATURE-----

--Sig_/NV7_W3l0BReNc=jUYqIKZ7P--