Comments (5)
How often are you exchanging keys so that this is a problem? More key exchanges can even make communication less secure than more (unless you have some external means of confirming the other side's identity).
But indeed the DH_check
call is not well-placed. Thanks for your input already, I'll see if I can come up with a solution that uses DH_check_params
(which should be much quicker) and/or performs a lazy check on startup or on first use. I'll also double check the flow around DH_compute_key
.
from mirc_fish_10.
with auto key exchange, it would introduce a noticeable freeze while typing, mouse clicking, etc.
A global memory variable within the DLL could be initialized to zero, and could be flipped to 1 after running DH_Check, so checking the global var would allow the dll to do the DH_check only 1 time, or do it zero times if they never generated a key pair.
I don't think DH_check_params is a good substitute. If I'm reading the source correctly, it looks like all it does is verify:
g >= 2
g < (p-1)
p is odd
p > 1
p >= minimum bits 512
p <= max bits 65536
If I'm reading that correctly, DH_check_params would validate approximately half of random 'p' values since they were odd numbers, so isn't worth the effort.
I guess if the older semi-fast check isn't part of OpenSSL anymore, it either needs to keep using the slower DH_check or not bother checking. The former check was reasonably fast and still managed to do reasonable validation of 'p'. Under the old dll, it verified that 'p' was prime, as well as q=(p-1)/2 being prime, and that 'p modulo 24 was 11. What I don't know is how strong were the verify that p and q were prime.
from mirc_fish_10.
I'm just going to fire up a background thread for initialization ON STARTUP with the appropriate synchronization primitives.
from mirc_fish_10.
That sounds like a great solution that I didn't think of, and would work as long as someone didn't manually unload FiSH with "/dll -u fish_10.dll" then try to immediately call DH1080_Generate causing it to reload the dll, which there should be no legit reason for doing.
from mirc_fish_10.
New version released today, including a fix for this issue, please test, and open a new issue if required 😝
from mirc_fish_10.
Related Issues (20)
- OpenSSL 1.1.1d HOT 2
- mIRC has Blowfish. This script needs modernization. HOT 1
- mIRC 7.53 - outgoing chat is displayed twice HOT 8
- curious HOT 1
- Mirc 7.56 - FiSH will no longer load HOT 16
- 1 out of every 128 DH1080 handshakes fails HOT 9
- FiSH for Mirc is a dead project
- How to compile with visual studio
- fish_inject.dll causing issues with anti-vira software HOT 3
- ERROR: key length exceeds limit of 56 bytes. HOT 1
- Fish on Mirc v7.59 ERROR!!! HOT 1
- PRIVMSG / CPRIVMSG ?! HOT 7
- openssl-1.1.1h HOT 1
- IRCv3 support HOT 2
- decode_utf8 bug in FiSH_WriteKey10 HOT 1
- ECB and CBC modes shouldn't support decrypting each other's messages HOT 1
- DLL export procedures for encrypting and decrypting messages aren't handling spaces properly
- write/show/using keys not always agree with enforce_max_key_length HOT 1
- OpenSSL v3: fish_inject.dll won't load in today's beta version HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mirc_fish_10.