From 8350bc861c95c2312681468d8a7eb1c3b8f8b842 Mon Sep 17 00:00:00 2001 From: cvs2hg Date: Thu, 14 Dec 2000 16:07:32 +0000 Subject: [PATCH] fixup commit for tag 'unreal3_1_1_darkshades' --- doc/Elite.Changes | 126 ------------------------------ doc/crypto.doc | 191 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 191 insertions(+), 126 deletions(-) delete mode 100644 doc/Elite.Changes create mode 100644 doc/crypto.doc diff --git a/doc/Elite.Changes b/doc/Elite.Changes deleted file mode 100644 index 0c95ce22c..000000000 --- a/doc/Elite.Changes +++ /dev/null 
@@ -1,126 +0,0 @@ -[ $Id$ ] ---------------------------- -Version Elite2.0 ========== -=========================== -- Since +x was rewritten, the ban bug is 100% fixed. :) -- Rewrote +x hidden host function completely. -- Fixed FUNNY bug with hiddenhost and /who (Reported by Prod|gy) -- Added/Removed irc networks -- Fixed bug in /watch (Reported/Fixed by Despise) -- Added nick-change flood protection. -- Added an awesome manual... ./manual to run -- Removed /who notice for opers. -- Added protection of /akill *@* :) -- Removed java stuff completely. (Java clients are like normal IRC clients...right?) -- Added new +a mode. This mode can only be set by +q channel owners. When you are +a in a - channel, you cannot be deopped or kicked. (Syntax: /mode #chan +a ) -- Added new +q channel mode. ChanServ must set the channel founder +q so they are also - known as channel owners via the ircd. Channel owners are protected and may set - other users +a which they will also be protected (but not chan owners). - (Syntax: /mode #chan +q ) -- Re-coded /MAP -- Changed GLINE notices from sendto_ops to send to all opers with +e flag on. -- Added (addnet) script, you can run this to add your net settings to the next release. -- Changed to in whois "Blah is an oper on " -- Added new +L channel mode. If a #chat has a limit (+l) of 10 users, and +L set to channel - #chat2, when a user trys to join #chat, they won't get "#chat is full", they will be - auto-joined to #chat2 - (Linked channels in other words). - (Syntax: /mode #chan +L ) -- Changes user@shadow-33.com to user@user-33.one.com (noone will know one.com is the realhost) -- Changed +x for IP's from (x.x.x.***) to (x.x.x.network-#) -- In oline flags * will introduce +e on oper up. (before: required +e in oline flag) -- Removed +t usermode (UMODE_ALL) - wasn't used. -- Made 'create your own network setting' feature more stable. -- Added new channel mode (+x) to disable colored text in channel. 
-- Added +C (Co Administrator) -- Added +T (Technical Administrator) -- Changed /map to numerics... -- Made startup message when booting more stable. - -Version Elite1.3 (02/23/99) -============================ -- Cleaned up version.c.SH -- Added new net settings (netdomain & helpchan) -- Added new net config creator in ./Config -- Made ./Config more easier... -- Created new usermode +j (Java user) -- New hostname (java.shadownet.org) for java users. -- Removed RUN_SERVICES code from entire ircd. - -Version Elite1.2.4 (02/14/99) -============================ -- Fixed the nick crash bug! (damn m_kill small error) -- New network(s) added. -- Changed one thing in m_gline (nothing big) - -Version Elite1.2.3 (02/10/99) -============================ -- Removed SOCKS checking. (possibly cause of crashing) -- Added new networks - -Version Elite1.2.2 (02/02/99) -============================ -- Fixed the crashing bug. (Changing nicks with linked servers) -- Modified AceStar net settings. -- Q-line notices are back (except for ULined clients). -- Fixed /kill bug with services. - -Version Elite1.2.1 (01/29/99) -============================ -- Fixed multiple notices from +N / -N -- Added some text to s_err.c -- Possibly fixed the odd crashing... ? - -Version Elite1.2 (01/24/99) -============================ -- Netadmin can be used via +N in the oline slot now. -- When +N is executed, net-wide oper msg's are sent about it. -- Completely removed the freeze function (it's a toy unlike a command) -- Changed abit of the GLINE adding notice. -- Added logging to a file for glines (gline.log) -- Implemented SOCKS checking (thx Rhom). -- Changed channel lists only when 2 ppl in chan to 1. -- Changed sendto_ops function in many places in s_user.c/s_serv.c to - sendto_locfailops. 
-- Changed GNOTICE in s_user.c/s_serv.c to GLOBOPS -- Fixed hiddenhost bug with /kill (+w could see real host of oper) -- Fixed hiddenhost bug with /oper (+s could see real host of oper) - -[Special thanks goes out to Rhom for reporting/help patch bugs] - -Version Elite1.1.1 (12/12/98) -============================= -- Fixed /whois bug (had problems with mIRC clients *sigh*) -- Fixed /topic bug (didn't allow topic changes at all.) - -Version Elite1.1 (12/6/98) -============================ -- Fixed ./Config script (Net select) -- Fixed /remgline bug. -- If ULined clients, channels are not shown which they are in. -- Fixed +e / +t / +b (non-opers could get +et before) -- Fixed OperMode notice. -- Fixed Gline sending extra Global on expire. -- Fixed /whowas wrong hostname bug (by Thiago) -- Fixed chkconf ZLINE error (by matt) -- Added PhazeNet configuration -- Added option for auto +x in ./Config -- Freeze was disabled in this version (It will be back in 1.2) - -Version Elite1.0 (09/20/98) -============================ -- Changed Shadow3.9 to Elite1.0 (Starting a new IRCD) -- Changed some numeric's around in src/s_err.c -- Auto +x on Oper up. -- Fixed small error in ./ircd script. -- Made ./Config more Linux-redhat friendly. -- Added RelicNet to the ircd. -- include/config.h is much more compatible with all IRC nets. -- Added /gline (works 100%) [/gline ]. -- Fixed up /map. -- Added UMODE's +e & +t - * e: EYES [Can see ppl who /whois, and other notices.] - * t: ALL [See's all net notices ie: See's all Client connectings...] -- Fixed the hiddenhost bug with IP's... -- Fixed major bug with hiddenhost which caused coredump. -- Made a new script (makeconf) -- generates the ircd.conf file. diff --git a/doc/crypto.doc b/doc/crypto.doc new file mode 100644 index 000000000..f2a1d4d4e --- /dev/null +++ b/doc/crypto.doc 
@@ -0,0 +1,191 @@ + + UnrealIRCd Encryption Protocol + version 1.0 + by Carsten V. Munk (stskeeps@tspre.org) + + +1. Introduction +--------------- + +As of UnrealIRCd version 3.1 we have included capability for secure +connections (Encrypted IRC connections). This was done after I read an "Ask +Slashdot" article at slashdot.org, (http://slashdot.org/askslashdot/00/04/19/0443251.shtml) +where a guy asked: + +cylent asks: "I have a close-knit group of acquaintances that like to communicate with each other +often. Public IRC servers are fine for chit-chat, although for more in-depth discussions a more +secure form of communication is preferred. I'm wondering what GPL'd software exists to provide for a +secure form of realtime multi-party communication. Are there any IRC servers/clients that support any +form of public key cryptography? Blowfish? 3DES? Are there any other proprietary "chat" +programs available with a forte in cryptography?". + +I sat down, did some thoughts. The thing would not be public key, as I +believe client and server should have a keyfile, picked up by SSL, SSH +whatever. The communication would be client<->server, so that the stream +would be encrypted. Safest way to ensure 100% secure communications would be +to set up the IRC server, and join in with only secure communications to +same channel where no non secure clients were and set it +is. +Server<->server communications are not encrypted (yet), but we're working on +it. However, here is a description of the protocol: + +2. System Requiriments +-------------------------------- + +* OpenSSL (with libcrypto), win32 port also availible, read unreal.tspre.org + for more information. Read http://www.openssl.org for more information + (you need the openssl/ directory in includes to compile) + + +3. 
Negotiating the secure connection +------------------------------------ + +The client connects, and sends: (normal irc with \r\n as terminates) + +CRYPTO + | | | + | | \--- Unused currently, use "*" + | \--- The name of the file in keys/ containing the key + \--- This is algoritm name, in uppercase (see algoritm list) + +NOTE: the keyfilename must not contain a / or a \ + +Until connection is negotiated the connection is in non-secure mode (normal +irc protocol, see RFC 1459) + +The server then responds, if the key was acknowledged: + +CRYPTO ON + \---- (see algoritm list, this is in uppercase) + +and the connecting is marked as secure, sending secure packets now. + +The server responds, if an error has occoured: + +CRYPTO ERROR :test + +And the secure connection is disabled + +Some example errors: + +CRYPTO ERROR :Illegal keypath +- Means that keyfilename in CRYPTO command was illegal + +CRYPTO ERROR :Failed to open keyfile +- Means that the IRCd failed to open the keyfile + +CRYPTO ERROR :Unable to read keyfile +- Means that the IRCd failed to read the keyfile + +CRYPTO ERROR :No such method/command +- Means that the method (algoritm) or command does not exist + +4. The stream packets +--------------------- + +When secure mode (CRYPTO ON), is acknowledged the IRCd sends, and expects +to recieve packets with the encrypted data. + +The packet is started with a header + +struct crypto_header +{ + unsigned char highbyte; + unsigned char lowbyte; +}; + +after the header, a buffer with exact length ((highbyte * 256) + lowbyte) +is coming after (binary buffer). When the string is recieved, decrypt using +the cipher. 
+ +Example function: (this decrypts a buffer), wont work with direct paste, but +you can see the principle: + +char *ep_decrypt(aClient *cptr, char *string) +{ + static char decryptbuffer[8192]; + int num; + char ivec[9]; + int length; + + if (!cptr->cryptinfo) + return string; + + bzero(decryptbuffer, sizeof(decryptbuffer)); + bzero(ivec, sizeof(ivec)); + num = 0; + length = (*(string) * 256) + (*(string + 1)); + + if (cptr->cryptinfo->method == METHOD_BLOWFISH) + { + BF_cfb64_encrypt(string + 2, decryptbuffer, length, + cptr->cryptinfo->key, ivec, &num, BF_DECRYPT); + return (decryptbuffer); + } +} + +The IRCd expects same format back, here is what the ircd encrypts with: + +char *ep_encrypt(aClient *cptr, char *string, int *len) +{ + static unsigned char cryptobuffer[8192]; + char ivec[9]; + int length; + char *c; + int num; + + if (!cptr->cryptinfo) + return string; + + bzero(cryptobuffer, sizeof(cryptobuffer)); + bzero(ivec, sizeof(ivec)); + num = 0; + + if ((c = (char *)strchr(string, '\n'))) + *c = '\0'; + if ((c = (char *)strchr(string, '\r'))) + *c = '\0'; + + length = strlen(string) + 1; + cryptobuffer[0] = (unsigned char) length / 256; + cryptobuffer[1] = (unsigned char) length - (cryptobuffer[0] * 256); + + if (cptr->cryptinfo->method == METHOD_BLOWFISH) + { + BF_cfb64_encrypt(string, &cryptobuffer[2], length, + cptr->cryptinfo->key, ivec, &num, BF_ENCRYPT); + + *len = length + 2; + return (cryptobuffer); + } +} + + +To abort the secure connection, either QUIT (to exit completely), or +send CRYPT OFF. + + +5. Algoritms +------------ + +As of Unreal3.1 only BLOWFISH is implemented, but there will be patches +for extended algoritms. We use the include at the +moment. + +Mail stskeeps@tspre.org if you show interest in other algoritms + +6. Credits +---------- + +Credits to the UnrealIRCd team (me, codemastr, DrBin) + +Credits to slashdot.org as well. + +This product includes software developed by Eric Young (eay@cryptsoft.com) + + +7. 
Contact info +---------------- + +Mail stskeeps@tspre.org for any questions + +
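Review bot: In ep_encrypt the header bytes are computed as `cryptobuffer[0] = (unsigned char) length / 256;`, where the cast binds to `length` before the division, so the high byte is always 0 and any message of 256 bytes or more is framed with a truncated length; it should read `cryptobuffer[0] = (unsigned char)(length / 256); cryptobuffer[1] = (unsigned char)(length % 256);`. ep_decrypt has the mirror problem: `length` is taken from the two header bytes (up to 65535, and negative where `char` is signed) and passed straight to BF_cfb64_encrypt writing into the 8192-byte static `decryptbuffer`, so the example should read the header through `unsigned char` and reject `length >= sizeof(decryptbuffer)` before decrypting, even though the text says it is not paste-ready. Both functions also reset `ivec` to all zeros and `num` to 0 on every packet under the same key, and nothing authenticates the ciphertext; since this file is the protocol spec, section 4 should state that the stream is unauthenticated and that a fixed IV reused per packet lets an observer XOR the first 8 bytes of any two packets to recover the XOR of their plaintexts, rather than section 1 describing the link as "100% secure". Minor: section 4 says to abort with `CRYPT OFF` while the command is `CRYPTO` everywhere else, presumably `CRYPTO OFF`.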