Extension for SSL DCC Chat between Eggdrop & psyBNC

naaina · Post by **naaina** » Tue Apr 17, 2007 6:20 pm

Hi guys,

I don't know if someone is interested in such a thing, but I needed to encrypt the communication between IRC bouncer and Bot partyline, but in an easy and fast way. Instead of integrating a complex method of accepting and handling SSL-connections, I decided for stunnel, a SSL-wrapper for TCP protocols (http://www.stunnel.org).

I have extended the CTCP module of the eggdrop by a handler for CTCP "SCHAT", which will just return another connection port, which is handled by stunnel. I attached the patch for the ctcp.c (eggdrop version 1.6.18). Patch your eggdrop version with it and then you have to setup the parameter 'ctcp-client-ssl' in your eggdrop configuration:

Code: Select all

	loadmodule ctcp
	set ctcp-client-ssl [accept-port-of-stunnel]

The stunnel configuration should be like this:

Code: Select all

	; Service-level configuration
	[botname]
	accept = [accept-port-of-stunnel]
	connect = [listening-port-of-your-eggdrop]

You have to have pending DCCs enabled in your psyBNC (/DCCENABLE 1)

This results in the following way to build up a SSL DCC-Chat connection:

1. Client sends a CTCP "SCHAT" to the bot (/CTCP YourBot SCHAT)

2. Since the psyBNC has pendings DCCs enabled, it accepts the CTCP reply from the bot and offers the Client to answer the DCC request:

Code: Select all

   -> [YourBot] SCHAT
	<-psyBNC> YourBot sent a DCC Chat Request. Use /DCCANSWER YourBot or 
		/DCCANSWER S=YourBot (SSL) to establish the connection ([Bot-IP]/[accept-port-of-stunnel]).

As you can see, the CTCP reply does not include the telnet port of the eggdrop - it includes the port configured by 'ctcp-client-ssl'

3. Client answers with /DCCANSWER S=YourBot and the connection is built up!

Congratulations!

Have fun with this!

naaina

And now the diff:

Code: Select all

35,36d34
< static int client_ssl = -1;
<
177,210d174
< static int ctcp_CHATSSL(char *nick, char *uhost, char *handle, char *object,
<                      char *keyword, char *text)
< {
<   struct userrec *u = get_user_by_handle(userlist, handle);
<   int atr = u ? u->flags : 0, i;
<
<   if ((atr & (USER_PARTY | USER_XFER)) || ((atr & USER_OP) && !require_p)) {
<
<     if (u_pass_match(u, "-")) {
<       simple_sprintf(ctcp_reply, "%s\001ERROR no password set\001",
<                      ctcp_reply);
<       return 1;
<     }
<
<     for (i = 0; i < dcc_total; i++) {
<       if ((dcc[i].type->flags & DCT_LISTEN) &&
<           (!strcmp(dcc[i].nick, "(telnet)") ||
<            !strcmp(dcc[i].nick, "(users)"))) {
<         /* Do me a favour and don't change this back to a CTCP reply,
<          * CTCP replies are NOTICE's this has to be a PRIVMSG
<          * -poptix 5/1/1997 */
<       int port = client_ssl;
<       if(port == -1) port = dcc[i].port;
<         dprintf(DP_SERVER, "PRIVMSG %s :\001DCC CHAT chat %lu %u\001\n",
<                 nick, iptolong(natip[0] ? (IP) inet_addr(natip) : getmyip()),
<                 port);
<         return 1;
<       }
<     }
<     simple_sprintf(ctcp_reply, "%s\001ERROR no telnet port\001", ctcp_reply);
<   }
<   return 1;
< }
<
221d184
<   {"SCHAT",      "",   ctcp_CHATSSL,    NULL},
234d196
<   {"ctcp-client-ssl", &client_ssl},

sKy · Post by **sKy** » Wed Jun 20, 2007 1:56 pm

Interesting!

But I don`t really like the way to recompile my bot since this is quite complicated and takes a while.

What about implementing this on another way? The eggdrop plugin as normal script in pure tcl + a client written in some platform independent language (tcl or C++).

naaina · Post by **naaina** » Wed Jun 20, 2007 2:23 pm

Of course you are right.

I was kind of stupid when I've written this because I just need to answer with

Code: Select all

dprintf(DP_SERVER, "PRIVMSG %s :\001DCC CHAT chat %lu %u\001\n",
                 nick, iptolong(natip[0] ? (IP) inet_addr(natip) : getmyip()),
                 port);

and I think this is writable in TCL too. But I won't recode this completely now.

Post by **nml375** » Wed Jun 20, 2007 4:05 pm

Actually, would'nt be much to recompile, since it's a single module, and no other files with dependancies on it. As long as you've got the buildtree lying around somewhere, it'd be a swift make..

Ofcourse, it could be implemented as a tcl-script aswell:

Code: Select all

bind ctcp - "SCHAT" ctcp:schat
proc ctcp:schat {nick host hand dest key text} {
 if {[matchattr +xp| $hand] || ([matchattr +o $hand] && !$::require-p)} {
  if {[passwdok $hand ""]} {
   putserv "NOTICE $nick :\001ERROR no password set\001"
   return 0
  }
  putserv "PRIVMSG $nick :\001DCC CHAT chat [myip] $::ctcp-client-ssl\001
 }
}

Could probably be improved with a check wether ctcp-client-ssl is actually set or not, aswell with possible use of nat-ip setting...

sKy · Post by **sKy** » Thu Jun 28, 2007 8:49 am

What is $::ctcp-client-ssl?

Post by **nml375** » Thu Jun 28, 2007 10:19 am

A globalspace variable named ctcp-client-ssl. Intended to be used similar to the module in the first post.

Did'nt bother repeating that, as I expected ppl to read through all posts, aswell as the comment below my code also showing a hint.
Mainly an illustration on how you could write that module in tcl (for those who don't like compiling additional modules).

sKy · Post by **sKy** » Tue Jul 03, 2007 9:23 pm

I also think now eggdrop <--ssl--> bouncer is not very effective. Only helpful if you run the bouncer on your own machine and this wouldn`t be much point. Because otherwise it would be still bouncer<--unencrypted--> your client.

Better would be end to end encryption, eggdrop <--ssl--> client. I also think ssl isn`t made for that and it`s to complicated to implement it correctly between this two points. Ssl works normally with a web of trust, or you would need to use a self singed certificate. You would also need to check the integrity of this certificate. There is a tclssl implementation but I think for eggdrop <--> user a symmetric encryptions would be fine enough, everything else would be overkill. But I am not a cryptography expert. Don`t think any crypto freaks nor many normal users are interested in that.

DragnLord · Post by **DragnLord** » Wed Jul 04, 2007 10:46 am

Some bouncers support SSL encryption between bouncer and client.
I routinely use SSL for my psyBNC with my kvirc and mIRC clients.

Having worked for certain government organizations, I prefer to have most of my private communications encrypted.

sKy · Post by **sKy** » Wed Jul 04, 2007 6:48 pm

If the server supports ssl then using it is fine. Same for bouncer. This is a nice little security bonus you should catch if you can.

But the irc server (also ircops) could still read your messages thought if you don`t use an end to end encryption.

BoaR · Post by **BoaR** » Sat Jul 21, 2007 5:39 pm

diff not working on patching...

Code: Select all

$ patch -p0 < schat.diff
can't find file to patch at input line 1
Perhaps you used the wrong -p or --strip option?
File to patch:

i dont understand why people get really hitchy when talking about securing bots... every time people jump to the conclusion that one wants to secure a bot because he/she is doing something illegal, [censored] ya!... and about telling people to learn to do it yourself then why the [censored] does this forum exist if you dont want to help about issues like this one.. securing a bot should of been the main feature in the eggdrop in the first place, then rest should of had followed/.

sKy · Post by **sKy** » Thu Aug 23, 2007 8:21 am

You started to talk about illegal issues in this thread.

Alchera · Post by **Alchera** » Thu Aug 23, 2007 7:23 pm

BoaR wrote:... and about telling people to learn to do it yourself then why the [censored] does this forum exist ...

These forums exist as a learning and information tool. There is an expectation that a poster will make some effort in solving his/her own problem with assistance (if any) provided.

Things to do before posting..