User:Taffer: Difference between revisions
From OuroDev
Revision as of 05:38, 5 May 2019
Being a place for notes about my investigation into the code. I'm focusing on security.
General
What are these _test folders for? Not unit tests (lulz of course not), just one project file...
3rdparty
- zlib woefully out of date; have a pull request already in place to update it to current
- Crypto++ woefully out of date
- OpenSSL is ancient and needs to be updated ASAP to a supported version. What references OpenSSL?
  - arda2 in AuthServer, specifically the stoFileCryptFile class (and only for Blowfish encryption)... stoFileCryptFile isn't used anywhere in the code base!
  - any others? No! :-D libs/UtilitiesLib uses system() to call the openssl utility (which is bad in a different way, but with one exception (an "openssl version" call), it's limited to TEST() calls, which are probably like assert()s? In related news, they've written their own bignum and RSA code...
I need to look at the rest of the libs, and also figure out what's used where. Only a few things get built during a build (zlib, Crypto++, zeromq, IJG, yajl), maybe.
AuthServer
- Doesn't appear to use any of the external/* libs. Arda2 appears to reference them, though, at least in the Linux Makefile.
- cryptLib is a SHA512 implementation; it may be specific to AuthServer messages. It should be replaced by calls to OpenSSL or Crypto++ as they'll be faster and bug-free. Yes, three implementations of SHA-512.
- Need to make it use zlib, etc. from 3rdparty instead of the local duplicates so we can upgrade things sanely.
Game
- Looked in game.c; oh dear, there's a lot of unsafe string handling going on in this code base...