linuxdcpp-team team mailing list archive
Message #07928
[Bug 991342] Re: KEYP Vulnerability
this is too evolved for me to fully comprehend so i am tempted to just
trust the patch authors... however, some test cases (either direct ones
or instructions on how to set them up) would be useful to 1) ensure the
patch prevents impersonations the previous implementation would have
allowed, 2) doesn't introduce regressions and 3) cross-test with other
clients (notably Jucy).
nothing wrong jumps out in terms of code; some comments on the following
would be welcome: a) new locking mechanism; b) DHs of different sizes;
c) CryptoManager clean-up (really necessary since the process is
exiting? there was none before - does this fix other issues?); d)
changes to cert generation; e) the TODO / commented-out code.
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/991342
Title:
KEYP Vulnerability
Status in DC++:
New
Bug description:
With the current vulnerability with DC++'s current KEYP implementation
the underlying issue seems to be this ...
[2012-04-26 09:24] <Crise> anyways, the thing with keyp is entirely
different problem... which is basically that it only verifies keyp on
the peer level certificate and not on the whole chain as it should
Crise has stated he has another source who knows the exploit but will
not divulge who he is.
To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/991342/+subscriptions