  #1  
Old 04-27-2013, 03:00 PM
PiB
Fire Beetle
 
Join Date: Aug 2012
Posts: 15
Loadable crypto for Linux

I have been working on making the Windows loadable crypto code work on Linux. This turned out to be mostly removing the #ifdefs and implementing some functions in loginserver/Encryption.cpp with the Linux equivalents.

This seems to be working well for me, but one downside is that it requires recompiling EQEmuAuthCrypto as a shared library (.so). I have tried to do this but the version I have is not compiled with -fPIC:

Code:
FAILED: : && /usr/bin/c++  -fPIC -O2 -g -DNDEBUG   -shared -Wl,-soname,libEQEmuAuthCrypto.so -o loginserver/libEQEmuAuthCrypto.so
 loginserver/CMakeFiles/EQEmuAuthCrypto.dir/EQCrypto.cpp.o  ../dependencies/libEQEmuAuthCrypto.a ../dependencies/libcryptopp.a && :

    /usr/bin/ld: ../dependencies/libEQEmuAuthCrypto.a(EQEmuAuthCrypto.o): relocation R_X86_64_32 against `.rodata' can not be used when making
 a shared object; recompile with -fPIC

    ../dependencies/libEQEmuAuthCrypto.a: could not read symbols: Bad value
    collect2: error: ld returned 1 exit status

To test this I have created a similar library that does not use any encryption (except for hashing the password). Using it is similar to how it is done on Windows, by editing login.ini. One difference is that plugin should be a full path or explicit relative path:

Code:
[security]
plugin = ./libEQuilibrePlaintextAuth.so
mode = 5

I have committed these changes to a GitHub fork if anyone is interested: https://github.com/pixelbound/Server...e-crypto-linux.

Last edited by KLS; 05-04-2013 at 10:38 PM.. Reason: ridiculous page width
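
The requirement in the post above that `plugin` be a full or explicit relative path follows from how dlopen() resolves names: a name without a slash is looked up in the dynamic linker's search path (LD_LIBRARY_PATH, the ld.so cache, the default directories) rather than opened as a file. The loader below is an added example, not code from this thread or from the EQEmu loginserver; `plugin_load`, its status codes and the symbol name `plugin_entry` are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum plugin_status {
    PLUGIN_OK = 0,
    PLUGIN_BARE_NAME,   /* no '/' in the name: dlopen() would search library paths */
    PLUGIN_BAD_FILE,    /* missing, not a regular file, or group/world-writable */
    PLUGIN_LOAD_FAILED, /* dlopen() rejected the file */
    PLUGIN_NO_SYMBOL    /* requested entry point is not exported */
};

/* dlopen() treats its argument as a pathname only when it contains a slash. */
int plugin_path_is_explicit(const char *path)
{
    return path != NULL && strchr(path, '/') != NULL;
}

/* On PLUGIN_OK, *handle and *entry are set; the caller dlclose()s the handle. */
enum plugin_status plugin_load(const char *path, const char *symbol,
                               void **handle, void **entry)
{
    struct stat st;
    *handle = *entry = NULL;
    if (!plugin_path_is_explicit(path))
        return PLUGIN_BARE_NAME;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return PLUGIN_BAD_FILE;
    *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (*handle == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return PLUGIN_LOAD_FAILED;
    }
    *entry = dlsym(*handle, symbol);
    if (*entry == NULL) {
        dlclose(*handle);
        *handle = NULL;
        return PLUGIN_NO_SYMBOL;
    }
    return PLUGIN_OK;
}

int main(int argc, char **argv)
{
    void *h, *fn; /* "plugin_entry" is a hypothetical symbol name, not from the page */
    const char *path = argc > 1 ? argv[1] : "./libEQuilibrePlaintextAuth.so";
    return plugin_load(path, "plugin_entry", &h, &fn);
}
```

On glibc older than 2.34 the loader has to be linked with -ldl. The plugin itself must be built from objects compiled with -fPIC and linked with -shared, which is what the linker error in the post is complaining about.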
  #2  
Old 05-02-2013, 07:01 PM
KLS
Administrator
 
Join Date: Sep 2006
Posts: 1,348

I've thought about perhaps redoing the crypto system for this at some point.
  #3  
Old 05-02-2013, 07:22 PM
Secrets
Demi-God
 
Join Date: May 2007
Location: b
Posts: 1,447

Quote:
Originally Posted by KLS
I've thought about perhaps redoing the crypto system for this at some point.

Honestly, does SOE even use this crypto system anymore? Is there a point in keeping it 'secret' from the general public?

I remember asking about this ages ago and it sure doesn't make sense to me personally that we are 'guarding' this. The only purpose to having it closed source right now is to appease people who don't even contribute to this project anymore, and likely don't care about EverQuest.

It's not like EQLive accounts go for as much as ivory horns anymore...
  #4  
Old 05-02-2013, 11:50 PM
KLS
Administrator
 
Join Date: Sep 2006
Posts: 1,348

They don't really, you login via launchpad now which uses TLS.
  #5  
Old 05-03-2013, 12:05 AM
lerxst2112
Demi-God
 
Join Date: Aug 2010
Posts: 1,742

You can still login with just the client. The ease of switching accounts in the launchpad is cool though.
  #6  
Old 05-04-2013, 10:44 AM
PiB
Fire Beetle
 
Join Date: Aug 2012
Posts: 15

I have no idea if it is used any more on Live but this 'crypto system' is so weak and broken that they shouldn't be using it in 2013. I do respect keeping it closed, though ultimately it's your decision.
  #7  
Old 05-04-2013, 01:28 PM
image
Demi-God
 
Join Date: Jan 2002
Posts: 1,290

Quote:
Originally Posted by PiB
I have no idea if it is used any more on Live but this 'crypto system' is so weak and broken that they shouldn't be using it in 2013. I do respect keeping it closed, though ultimately it's your decision.

+1

Triple DES is quite weak and they do not use it anymore. But I think everyone already knew my stance on this for years. At least there is a public login server available now though officially.
__________________
www.eq2emu.com
EQ2Emu Developer
Former EQEMu Developer / GuildWars / Zek Seasons Servers
Member of the "I hate devn00b" club.
  #8  
Old 05-04-2013, 10:37 PM
KLS
Administrator
 
Join Date: Sep 2006
Posts: 1,348

So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.
  #9  
Old 12-13-2013, 04:24 PM
sereal
Fire Beetle
 
Join Date: Nov 2006
Posts: 8

Quote:
Originally Posted by KLS
So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.

Can you clear up this whole deal? From what I can understand reading old threads someone cracked the crypto Live used and gave it to the eqemu devs on the condition it not be distributed (because it would endanger live accounts). (in other words we are insecurely authenticating to eqemu?)

Is the reason we cannot authenticate securely using more modern methods due to constraints in the client? (being we can't patch it)

A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

Excuse my ignorance on the subject. I'm really curious more than anything.
  #10  
Old 12-14-2013, 03:49 PM
KLS
Administrator
 
Join Date: Sep 2006
Posts: 1,348

Quote:
A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

The laws were relaxed and now have an exception that many consumer products (and to my knowledge EQEmu) fall under.

Quote:
(in other words we are insecurely authenticating to eqemu?)

The client is quite insecure in how it sends passwords when you don't use the live-launcher.
  #11  
Old 12-16-2013, 12:18 PM
sereal
Fire Beetle
 
Join Date: Nov 2006
Posts: 8

Quote:
Originally Posted by KLS
The client is quite insecure in how it sends passwords when you don't use the live-launcher.

By 'live-launcher' do you mean the eq client as of now (i.e. it's been patched to fix any insecurities) or something else that was present in Titanium and/or Underfoot?

Could there be a possible workaround where we run an insecure login server on the user's computer that eq authenticates to, and it then communicates securely to the eqemulator official login server?

Code:
+==== users-computer =========+ 
|+---------+    +----------+  |              +---------------+
||eqclient |<-->|fake login|<---internet---->| eqemulator    |
|+---------+    +----------+  |              +---------------+
+=============================+
The downside would be that the user needs to install another program. Servers could support either insecure (meaning they run the closed crypto binary), secure or both.

Am I way off base and/or missing something here?