User:Taffer: Difference between revisions

From OuroDev
Revision as of 08:11, 4 May 2019

Being a place for notes about my investigation into the code. I'm focusing on security.

General

What are these _test folders for? Not unit tests (lulz of course not), just one project file...

3rdparty

  • zlib woefully out of date; have a pull request already in place to update it to current
  • Crypto++ woefully out of date
  • OpenSSL is ancient and needs to be updated ASAP to a supported version. What references OpenSSL?
    • arda2 in AuthServer
    • any others?

I need to look at the rest of the libs, and also figure out what's used where. Only a few things get built during a build (zlib, Crypto++, zeromq, IJG, yajl), maybe.

AuthServer

  • Doesn't appear to use any of the external/* libs. Arda2 appears to reference them though at least in the Linux Makefile.
  • cryptLib is a SHA-512 implementation; it may be specific to AuthServer messages. It should be replaced by calls to OpenSSL or Crypto++ as they'll be faster and bug-free. Yes, three implementations of SHA-512.
  • Need to make it use zlib, etc. from 3rdparty instead of the local duplicates so we can upgrade things sanely.

Game

  • Looked in game.c, oh dear there's a lot of unsafe string handling going on in this code base...
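For context on what "unsafe string handling" means in a C code base with fixed-size buffers, and what the replacement looks like, the block below is an added illustration and is not code from game.c or anywhere else in the OuroDev tree; it makes no claim about any specific function there. The unsafe patterns (`strcpy`, `strcat`, `sprintf` into a fixed array, and `strncpy` leaving the array unterminated) are shown only in comments, since running them on oversize input is undefined behaviour. The helper names `bounded_copy`, `bounded_append` and `format_chat_line` are this example's own; `format_chat_line` is a hypothetical caller, not a game routine.

```c
/* Added example (not code from the OuroDev tree): bounded replacements for
 * the unsafe fixed-buffer string idioms found in C code bases.
 *
 *   char buf[64];
 *   strcpy(buf, name);            // overflows buf if name is >= 64 bytes
 *   strcat(buf, suffix);          // same, and depends on buf being terminated
 *   sprintf(buf, "[%s] %s", ...); // writes past buf on long input
 *   strncpy(buf, name, 64);       // does NOT terminate when name >= 64 bytes
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstsize bytes). Always NUL-terminates when dstsize > 0.
 * Returns strlen(src) (strlcpy semantics) so the caller can detect truncation
 * with (ret >= dstsize) instead of silently using a cut-off string. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Append src to dst within the total buffer size (strlcat semantics). If dst
 * is not terminated within dstsize nothing is written, because the existing
 * contents cannot be trusted; the returned length still signals truncation. */
size_t bounded_append(char *dst, size_t dstsize, const char *src)
{
    size_t dstlen = 0;
    while (dstlen < dstsize && dst[dstlen] != '\0')   /* strnlen by hand */
        dstlen++;
    if (dstlen == dstsize)
        return dstsize + strlen(src);
    return dstlen + bounded_copy(dst + dstlen, dstsize - dstlen, src);
}

/* Hypothetical caller: format "[player] msg" into a fixed buffer. Instead of
 * sprintf, use snprintf and treat its would-be length as an error signal:
 * refuse the line rather than hand a truncated one to the rest of the code. */
bool format_chat_line(char *out, size_t outsize,
                      const char *player, const char *msg)
{
    int n = snprintf(out, outsize, "[%s] %s", player, msg);
    if (n < 0 || (size_t)n >= outsize) {
        if (outsize > 0)
            out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    char buf[16];
    size_t need = bounded_copy(buf, sizeof buf, "this string is longer than the buffer");
    printf("copy: \"%s\" (needed %zu, truncated=%d)\n", buf, need, need >= sizeof buf);

    char line[24];
    bool ok = format_chat_line(line, sizeof line, "Taffer", "this message will not fit");
    printf("format: ok=%d \"%s\"\n", ok, line);
    return 0;
}
```

The return values are the point: each helper reports what the unbounded original would have done to memory, so a caller can log, reject, or size a buffer instead of corrupting the stack.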