naaina Voice
Joined: 17 Apr 2007 Posts: 4 Location: Germany
Posted: Tue Apr 17, 2007 6:20 pm Post subject: Extension for SSL DCC Chat between Eggdrop & psyBNC |
Hi guys,
I don't know if someone is interested in such a thing, but I needed to encrypt the communication between the IRC bouncer and the bot partyline, in an easy and fast way. Instead of integrating a complex method of accepting and handling SSL connections, I decided on stunnel, an SSL wrapper for TCP protocols (http://www.stunnel.org).
I have extended the CTCP module of the eggdrop with a handler for CTCP "SCHAT", which just returns another connection port, which is handled by stunnel. I attached the patch for ctcp.c (eggdrop version 1.6.18). Patch your eggdrop version with it and then you have to set up the parameter 'ctcp-client-ssl' in your eggdrop configuration:
Code:
loadmodule ctcp
set ctcp-client-ssl [accept-port-of-stunnel]
The stunnel configuration should be like this:
Code:
; Service-level configuration
[botname]
accept = [accept-port-of-stunnel]
connect = [listening-port-of-your-eggdrop]
You have to have pending DCCs enabled in your psyBNC (/DCCENABLE 1).
This results in the following way to build up an SSL DCC chat connection:
1. Client sends a CTCP "SCHAT" to the bot (/CTCP YourBot SCHAT)
2. Since the psyBNC has pending DCCs enabled, it accepts the CTCP reply from the bot and offers the client to answer the DCC request:
Code:
-> [YourBot] SCHAT
<-psyBNC> YourBot sent a DCC Chat Request. Use /DCCANSWER YourBot or
/DCCANSWER S=YourBot (SSL) to establish the connection ([Bot-IP]/[accept-port-of-stunnel]).
As you can see, the CTCP reply does not include the telnet port of the eggdrop - it includes the port configured by 'ctcp-client-ssl'.
3. Client answers with /DCCANSWER S=YourBot and the connection is built up!
Congratulations!
Have fun with this!
naaina
And now the diff:
| Code: | 35,36d34
< static int client_ssl = -1;
<
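Review bot: the hunk headers (`35,36d34`) are in normal diff format with no file header, so `patch -p0 < schat.diff` has no filename to apply them to and stops at "File to patch:", exactly as reported further down the thread; regenerate with `diff -u ctcp.c.orig ctcp.c > schat.diff`, or apply the existing file with `patch ctcp.c < schat.diff`. The `d` in the header together with the `<` prefix also means the patched file was given as the first argument, so applied forwards this hunk deletes `static int client_ssl = -1;` instead of adding it; either swap the arguments when regenerating or tell people to apply it with `patch -R`.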
177,210d174
< static int ctcp_CHATSSL(char *nick, char *uhost, char *handle, char *object,
< char *keyword, char *text)
< {
< struct userrec *u = get_user_by_handle(userlist, handle);
< int atr = u ? u->flags : 0, i;
<
< if ((atr & (USER_PARTY | USER_XFER)) || ((atr & USER_OP) && !require_p)) {
<
< if (u_pass_match(u, "-")) {
< simple_sprintf(ctcp_reply, "%s\001ERROR no password set\001",
< ctcp_reply);
< return 1;
< }
<
< for (i = 0; i < dcc_total; i++) {
< if ((dcc[i].type->flags & DCT_LISTEN) &&
< (!strcmp(dcc[i].nick, "(telnet)") ||
< !strcmp(dcc[i].nick, "(users)"))) {
< /* Do me a favour and don't change this back to a CTCP reply,
< * CTCP replies are NOTICE's this has to be a PRIVMSG
< * -poptix 5/1/1997 */
< int port = client_ssl;
< if(port == -1) port = dcc[i].port;
< dprintf(DP_SERVER, "PRIVMSG %s :\001DCC CHAT chat %lu %u\001\n",
< nick, iptolong(natip[0] ? (IP) inet_addr(natip) : getmyip()),
< port);
< return 1;
< }
< }
< simple_sprintf(ctcp_reply, "%s\001ERROR no telnet port\001", ctcp_reply);
< }
< return 1;
< }
<
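Review bot: `if(port == -1) port = dcc[i].port;` silently answers a SCHAT request with the plaintext telnet port when `ctcp-client-ssl` is not configured, and the offer is indistinguishable on the wire from a normal one (both say `DCC CHAT chat`), so a client that asked for the SSL path can end up on a clear-text partyline without noticing. Fail closed instead: when `client_ssl == -1`, append an `ERROR no ssl port` reply the way the `no telnet port` case does and return. The rest of the body looks like a copy of the existing CHAT handler (including the 1997 poptix comment), so the port selection could be a parameter of one shared helper rather than a duplicated function; `if(port` should also be `if (port` to match the surrounding style.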
221d184
< {"SCHAT", "", ctcp_CHATSSL, NULL},
234d196
< {"ctcp-client-ssl", &client_ssl},
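Review bot: `client_ssl` is registered as a plain integer setting with no validation, so `set ctcp-client-ssl 0` or a value above 65535 is accepted and emitted verbatim in the `DCC CHAT` reply; check the range where it is used, or reject out-of-range values. The diff also adds no help or config-template text for the setting or for the new `SCHAT` keyword, so document that the value must be stunnel's `accept` port and not the eggdrop telnet port.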
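The reply format described in the post above, as an added example that is not part of the original post or of eggdrop: a small Python encoder/decoder for the `DCC CHAT chat <ip> <port>` CTCP the patched bot sends, using the same host-order integer IP value as eggdrop's iptolong(), plus a check that an offer really points at the stunnel accept port and not at the plaintext telnet port (the patch falls back to the telnet port when ctcp-client-ssl is unset; the builder here goes further than the patch and refuses in that case). Nicks, addresses and ports are constructed sample values.

```python
# Added example, not part of the thread: encode/decode the CTCP the SCHAT
# handler sends, and flag offers that point at the plaintext telnet port.
import ipaddress
import re
from typing import Optional, Tuple

CTCP = "\x01"
# Client-side view of the bot's reply, e.g.
# ":YourBot!bot@host PRIVMSG Client :\x01DCC CHAT chat 167772165 7000\x01"
DCC_CHAT_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG \S+ :\x01DCC CHAT chat (?P<ip>\d+) (?P<port>\d+)\x01$"
)


def iptolong(dotted: str) -> int:
    """Same value eggdrop's iptolong() puts in the reply: the IPv4 address as a 32-bit host-order integer."""
    return int(ipaddress.IPv4Address(dotted))


def build_schat_reply(nick: str, bot_ip: str, ssl_port: Optional[int], telnet_port: int) -> str:
    """Reply the bot should send to CTCP SCHAT. Unlike the patch (which falls back to
    dcc[i].port when client_ssl == -1), this fails closed when no SSL port is configured,
    the port is out of range, or it is the plaintext telnet port."""
    if ssl_port is None or not 0 < ssl_port < 65536 or ssl_port == telnet_port:
        return f"NOTICE {nick} :{CTCP}ERROR no ssl port{CTCP}"
    return f"PRIVMSG {nick} :{CTCP}DCC CHAT chat {iptolong(bot_ip)} {ssl_port}{CTCP}"


def parse_dcc_chat(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (sender nick, dotted IP, port) from a raw DCC CHAT offer, or None if it is not one."""
    m = DCC_CHAT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m["nick"], str(ipaddress.IPv4Address(int(m["ip"]))), int(m["port"])


def offer_uses_stunnel(line: str, ssl_port: int, telnet_port: int) -> Optional[bool]:
    """True if the offer points at the stunnel accept port, False if it points
    elsewhere (e.g. the bot's clear-text telnet port, the fallback case), None if not an offer."""
    parsed = parse_dcc_chat(line)
    if parsed is None:
        return None
    port = parsed[2]
    return port == ssl_port and port != telnet_port
```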
sKy Op

Joined: 14 Apr 2005 Posts: 194 Location: Germany
Posted: Wed Jun 20, 2007 1:56 pm Post subject: |
Interesting!
But I don't really like the way of recompiling my bot, since this is quite complicated and takes a while.
What about implementing this in another way? The eggdrop plugin as a normal script in pure Tcl + a client written in some platform-independent language (Tcl or C++).
naaina Voice
Joined: 17 Apr 2007 Posts: 4 Location: Germany
Posted: Wed Jun 20, 2007 2:23 pm Post subject: |
Of course you are right.
I was kind of stupid when I wrote this, because I just need to answer with
Code:
dprintf(DP_SERVER, "PRIVMSG %s :\001DCC CHAT chat %lu %u\001\n",
        nick, iptolong(natip[0] ? (IP) inet_addr(natip) : getmyip()),
        port);
and I think this is writable in Tcl too. But I won't recode this completely now.
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Wed Jun 20, 2007 4:05 pm Post subject: |
Actually, it wouldn't be much to recompile, since it's a single module, and no other files have dependencies on it. As long as you've got the build tree lying around somewhere, it'd be a swift make..
Of course, it could be implemented as a Tcl script as well:
Code:
# Answer CTCP SCHAT with a DCC CHAT offer pointing at the stunnel port
bind ctcp - "SCHAT" ctcp:schat
proc ctcp:schat {nick host hand dest key text} {
  # Same access test as the C module: partyline/xfer users, or ops unless require-p is set.
  # Names containing "-" must be braced; $::require-p would be read as $::require followed by "-p".
  if {[matchattr +xp| $hand] || ([matchattr +o $hand] && !${::require-p})} {
    # passwdok against "" is true when the user has no password set
    if {[passwdok $hand ""]} {
      putserv "NOTICE $nick :\001ERROR no password set\001"
      return 0
    }
    # myip returns the bot's address as the long integer the DCC CHAT format expects
    putserv "PRIVMSG $nick :\001DCC CHAT chat [myip] ${::ctcp-client-ssl}\001"
  }
}
Could probably be improved with a check whether ctcp-client-ssl is actually set or not, as well as with possible use of the nat-ip setting...
sKy Op

Joined: 14 Apr 2005 Posts: 194 Location: Germany
Posted: Thu Jun 28, 2007 8:49 am Post subject: |
What is $::ctcp-client-ssl?
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Thu Jun 28, 2007 10:19 am Post subject: |
A global-namespace variable named ctcp-client-ssl. Intended to be used similarly to the module in the first post.
Didn't bother repeating that, as I expected people to read through all posts, as well as the comment below my code also giving a hint.
Mainly an illustration of how you could write that module in Tcl (for those who don't like compiling additional modules).
sKy Op

Joined: 14 Apr 2005 Posts: 194 Location: Germany
Posted: Tue Jul 03, 2007 9:23 pm Post subject: |
I also think now eggdrop <--ssl--> bouncer is not very effective. Only helpful if you run the bouncer on your own machine, and then there wouldn't be much point. Because otherwise it would still be bouncer <--unencrypted--> your client.
Better would be end-to-end encryption, eggdrop <--ssl--> client. I also think SSL isn't made for that and it's too complicated to implement it correctly between these two points. SSL works normally with a web of trust, or you would need to use a self-signed certificate. You would also need to check the integrity of this certificate. There is a tclssl implementation, but I think for eggdrop <--> user a symmetric encryption would be fine enough; everything else would be overkill. But I am not a cryptography expert. Don't think any crypto freaks nor many normal users are interested in that.
DragnLord Owner

Joined: 24 Jan 2004 Posts: 711 Location: C'ville, Virginia, USA
Posted: Wed Jul 04, 2007 10:46 am Post subject: |
Some bouncers support SSL encryption between bouncer and client.
I routinely use SSL for my psyBNC with my kvirc and mIRC clients.
Having worked for certain government organizations, I prefer to have most of my private communications encrypted.
sKy Op

Joined: 14 Apr 2005 Posts: 194 Location: Germany
Posted: Wed Jul 04, 2007 6:48 pm Post subject: |
If the server supports SSL then using it is fine. Same for the bouncer. This is a nice little security bonus you should catch if you can.
But the IRC server (also ircops) could still read your messages though if you don't use end-to-end encryption.
BoaR Halfop
Joined: 20 Jul 2007 Posts: 48
Posted: Sat Jul 21, 2007 5:39 pm Post subject: |
diff not working on patching...
Code:
$ patch -p0 < schat.diff
can't find file to patch at input line 1
Perhaps you used the wrong -p or --strip option?
File to patch:
I don't understand why people get really hitchy when talking about securing bots... every time people jump to the conclusion that one wants to secure a bot because he/she is doing something illegal, [censored] ya!... and about telling people to learn to do it yourself, then why the [censored] does this forum exist if you don't want to help with issues like this one.. securing a bot should have been the main feature in the eggdrop in the first place, then the rest should have followed.
sKy Op

Joined: 14 Apr 2005 Posts: 194 Location: Germany
Posted: Thu Aug 23, 2007 8:21 am Post subject: |
You started to talk about illegal issues in this thread.
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
Posted: Thu Aug 23, 2007 7:23 pm Post subject: |
BoaR wrote:
    ... and about telling people to learn to do it yourself then why the [censored] does this forum exist ...
These forums exist as a learning and information tool. There is an expectation that a poster will make some effort in solving his/her own problem with assistance (if any) provided.
Things to do before posting..