znc icon indicating copy to clipboard operation
znc copied to clipboard

Published 20 hours ago verified publisher icon znc

Crypt: KeyX not working in both directions

Open keigel2001 opened this issue 7 years ago • 7 comments

zncuser: znc 1.7.0 + crypt mircuser: mirc 7.52 + FiSH 10.2 (https://syndicode.org/fish_10/) CBC keyXchange is enabled in mirc, which is the default setting.

SetNickPrefix   # disabling prefix
KeyX mircuser   # starting keyXchange

zncuser messages are shown correctly in mirc. mircuser messages aren't shown correctly in znc <mircuser> +OK T.tQp17Q7/z0

If the mircuser is starting the DH1080 keyXchange, messages on boths ends are shown correctly.

keigel2001 avatar Jul 13 '18 22:07 keigel2001

This is due to znc not specifying it's using CBC in the KeyX and thus fish10 thinking it should use ECB when sending messages. As ECB is deprecated and the goal is to get rid of it, you should open an issue at fish10 to use CBC mode by default or to add an option to enfore CBC mode on a(ll) quer(y/ies).

Cizzle avatar Jul 13 '18 23:07 Cizzle

But CBC keyXchange is enabled by default in mIRC. Shouldn't it use CBC then? I just checked. You're right. It has set an ECB key in mIRC. Strange...

I sadly know that crypt has no ECB support. I was trying to migrate to thelounge and using crypt for fish. But like half of my contacts, that use fish, use older or lazy clients with ECB. How much work would it be to add ECB support in crypt (looking at the code of the fish-module)? Maybe disabled by default for the obvious security reasons. Then we would've an actively maintained module with a maximum of compatiblity. Right now it isn't possible to have a znc solution for both. You can't run both modules in parallel and fish isn't maintained anymore.

I would really appreciate it. And looking at older issues these problems happen quite frequently. With the optional ECB support they would've at least a fallback solution.

keigel2001 avatar Jul 13 '18 23:07 keigel2001

Adding ECB as fallback-only is sort of on the roadmap but as I don't actively use znc there's not that much incentive except of appraisal and honour...

Cizzle avatar Jul 13 '18 23:07 Cizzle

I noticed the CBC / ECB problem in #1532 that stopped me from being able to use "crypt" instead of the https://wiki.znc.in/Fish I'm currently using to have the enc/dec on the ZNC side and not the client.

EDIT: Would be nice to migrated to this official module, but I also understand that people might not want to spend extra time writing the code for it if they are not using it themselves. I would have done it myself if i knew C++ :smile: but I don't :frowning_face: Many of the tools using fish (iYKwIM) does not have CBC only ECB.

hrxcodes avatar Jul 30 '18 22:07 hrxcodes

Slightly offtopic, but: Why do you encrypt at all when you do it so insecurely? I'm not saying that CBC is good, but ECB is obviously worse.

psychon avatar Jul 31 '18 07:07 psychon

Would say it comes down to bad software https://github.com/znc/znc/issues/1532#issuecomment-387847863 Some tools/bots/software does not support ECB and you can't use a mix of CBC/ECB on the same IRC-channel.

If a module (such as crypt) had support for CBC/ECB that would help to be able to run both CBC/ECB in the same module, and otr <-> otr for users that have it. Before CBC fish was added to crypt it was possible to use both crypt and fish side-by-side but since crypt is now listening for keyx etc.. you can't run them side-by-side.

I'm guessing adding ECB on top of the current CBC implementation in crypt is not very hard but will require some time ofc.

hrxcodes avatar Aug 01 '18 18:08 hrxcodes

Would it be possible to make it so that you can run both modules side by side again? Or add ECB to the Crypt module?

Happy to put some $ towards this, not sure if Bountysource is still the preferred method?

catatonik avatar Dec 31 '20 12:12 catatonik