User:Taffer: Difference between revisions

From OuroDev
Taffer (talk | contribs)
investigation into OpenSSL usage
Taffer (talk | contribs)
looked into current 3rdparty/* code usage
 
Line 7: Line 7:
== 3rdparty ==
== 3rdparty ==


* zlib woefully out of date; have a pull request already in place to update it to current
As of 2019-05-11, here's a list of which 3rdparty directories are referenced from which projects:
* Crypto++ woefully out of date
* OpenSSL is ancient and needs to be updated ASAP to a supported version. What references OpenSSL?
** arda2 in AuthServer, specifically the stoFileCryptFile class (and only for Blowfish encryption)... stoFileCryptFile ''isn't used'' anywhere in the code base!
** any others? ''No!'' :-D libs/UtilitiesLib uses system() to call the openssl utility (which is bad in a different way, but with one exception (an "openssl version" call), it's limited to TEST() calls, which are probably like assert()s? In related news, they're written their own bignum and RSA code...


I need to look at the rest of the libs, and also figure out what's used where. Only a few things get built during a build (zlib, Crypto++, zeromq, IJG, yajl), maybe.
* 3dsmax - Utilties/3dsmax (animation import/export?)
* 'AlienFX SDK' - Game_test (so, unused?)
* cg - Game_test, GetTex, StreamingClientPrototype
* cryptopp - all over the place
* DirectX - GetVrml, libs/crashrpt
* DoubleFusion - Game_test
* fmod - not used!
* freetype - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
* freetype-2.1.9 - not used!
* gc-7.2alpha6 - not used!
* glew - Game, Game_test, GetTex, StreamingClientPrototype
* IJGWin32 - CostumeCreator, Game
* jpgdlib - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
* libcubemapgen - Game, Game_test
* libiconv - StructParser
* libxml2 - StructParser
* lua-5.1.5 - MapServer
* nvcpl - Game_test
* nvdxt - not used!
* nvidia-texture-tools-2.0.7-1 - GetTex, StreamingClientPrototype
* nvparse - CostumeCreator, Game
* nvperf - Game_test
* oggvorbis - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
* PhysX - Game_test, mapserver_test
* UnitTest++ - mapserver_test, PropertySheets/unitTest.vsprops
* VTune - CostumeCreator, dbquery_test, Game_test, mapserver_test, RaidServer_test, StatServer_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
* wtl70 - libs/crashrpt
* yajl - AccountServer
* zeromq2-1 - AccountServer, dbserver, MapServer
* zlibsrc - all over the place
 
cryptopp and zlib are used everywhere. @Cattan's already updated zlib, but we really need to update cryptopp ASAP.
 
If the *_test projects aren't actually useful (they link in UnitTest++, but there don't appear to be any unit tests in the code?) we could eliminate some additional unused code.


== AuthServer ==
== AuthServer ==
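Review bot: in the 3rdparty section, the OpenSSL bullets (stoFileCryptFile being the only OpenSSL consumer and itself unused, and libs/UtilitiesLib calling the openssl utility through system()) are dropped, and the new per-directory list has no OpenSSL entry to replace them. The AuthServer notes still recommend replacing cryptLib with "calls to OpenSSL or Crypto++", so a reader can no longer tell from the page whether OpenSSL is referenced, unused, or still needs updating. Suggest carrying the finding into the list as its own entry and keeping the system() observation next to it.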

Latest revision as of 07:28, 11 May 2019

Being a place for notes about my investigation into the code. I'm focusing on security.

General

What are these _test folders for? Not unit tests (lulz of course not), just one project file...

3rdparty

As of 2019-05-11, here's a list of which 3rdparty directories are referenced from which projects:

  • 3dsmax - Utilties/3dsmax (animation import/export?)
  • 'AlienFX SDK' - Game_test (so, unused?)
  • cg - Game_test, GetTex, StreamingClientPrototype
  • cryptopp - all over the place
  • DirectX - GetVrml, libs/crashrpt
  • DoubleFusion - Game_test
  • fmod - not used!
  • freetype - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • freetype-2.1.9 - not used!
  • gc-7.2alpha6 - not used!
  • glew - Game, Game_test, GetTex, StreamingClientPrototype
  • IJGWin32 - CostumeCreator, Game
  • jpgdlib - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • libcubemapgen - Game, Game_test
  • libiconv - StructParser
  • libxml2 - StructParser
  • lua-5.1.5 - MapServer
  • nvcpl - Game_test
  • nvdxt - not used!
  • nvidia-texture-tools-2.0.7-1 - GetTex, StreamingClientPrototype
  • nvparse - CostumeCreator, Game
  • nvperf - Game_test
  • oggvorbis - CostumeCreator, Game_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • PhysX - Game_test, mapserver_test
  • UnitTest++ - mapserver_test, PropertySheets/unitTest.vsprops
  • VTune - CostumeCreator, dbquery_test, Game_test, mapserver_test, RaidServer_test, StatServer_test, TestClientLauncher, TestClientLauncher_test, TestClient_test
  • wtl70 - libs/crashrpt
  • yajl - AccountServer
  • zeromq2-1 - AccountServer, dbserver, MapServer
  • zlibsrc - all over the place

cryptopp and zlib are used everywhere. @Cattan's already updated zlib, but we really need to update cryptopp ASAP.

If the *_test projects aren't actually useful (they link in UnitTest++, but there don't appear to be any unit tests in the code?) we could eliminate some additional unused code.
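An added example, not part of the original notes or the project's own tooling: one way to produce a directory-to-project list like the one above by scanning build files for 3rdparty/<dir> references. The function names and the build-file snippets are constructed for illustration; the match is anchored on the end of the directory name so that freetype does not also count references to freetype-2.1.9.

```python
import re


def references(third_party_dirs, project_files):
    """Map each 3rdparty directory to the sorted projects whose build file mentions it.

    project_files maps a project name to the text of its build file
    (.vcproj, .vsprops, Makefile, ...).
    """
    used = {name: set() for name in third_party_dirs}
    for project, text in project_files.items():
        for name in third_party_dirs:
            # Require a separator, quote, ';', whitespace or end of text after the
            # name, so "freetype" is not credited with "freetype-2.1.9" references.
            pattern = r"3rdparty[\\/]+" + re.escape(name) + r"(?=[\\/;\"'\s]|$)"
            # Case-insensitive: Windows project files are not consistent about case.
            if re.search(pattern, text, re.IGNORECASE):
                used[name].add(project)
    return {name: sorted(projects) for name, projects in used.items()}


def unreferenced(refs):
    """Directories no project refers to: candidates for removal, after a manual check."""
    return sorted(name for name, projects in refs.items() if not projects)


# Constructed sample input (not copied from the real project files).
SAMPLE_DIRS = ["freetype", "freetype-2.1.9", "fmod", "lua-5.1.5", "zlibsrc"]
SAMPLE_PROJECTS = {
    "MapServer": 'AdditionalIncludeDirectories="..\\3rdparty\\lua-5.1.5\\src;..\\3rdparty\\zlibsrc"',
    "CostumeCreator": 'AdditionalIncludeDirectories="../3rdparty/freetype/include;../3rdparty/zlibsrc"',
    "AuthServer": "CFLAGS += -I./local/include",
}

if __name__ == "__main__":
    refs = references(SAMPLE_DIRS, SAMPLE_PROJECTS)
    for name in SAMPLE_DIRS:
        print(f"* {name} - {', '.join(refs[name]) or 'not used!'}")
    print("candidates for removal:", unreferenced(refs))
```

A directory reported as unreferenced here can still be pulled in by an `#include` with a relative path or by a property sheet that was not scanned, so the result is a starting point for review rather than a deletion list.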

AuthServer

  • Doesn't appear to use any of the external/* libs. Arda2 appears to reference them though at least in the Linux Makefile.
  • cryptLib is a SHA512 implementation; it may be specific to AuthServer messages. It should be replaced by calls to OpenSSL or Crypto++ as they'll be faster and bug-free. Yes, three implementations of SHA-512.
  • Need to make it use zlib, etc. from 3rdparty instead of the local duplicates so we can upgrade things sanely.

Game

  • Looked in game.c, oh dear there's a lot of unsafe string handling going on in this code base...