Several issues with the fish module

[DarthGandalf]

Reported by Meliorator on 18 Apr 2012 16:17:37 UTC Several problems with the auto-(un)loading of the fish module:

1) If the key exchange has taken place and an extended period of time (a few hours for example) has elapsed since then, replying to the person that exchanged keys might, or might not be encrypted, depending on whether kvirc has randomly (?) decideded to unload the module.

2) If the end user has another implementation of fish running in a bouncer that KVIrc is connected through, we end up with a "double-fish" issue. KVIrc needs to allow the end user to implicitly disable the fish module if they need to.

3) The KVIrc implemenation of fish does not seem compatiable with all other implemntations of fish. I have experienced issues with people using mirc and znc. After a key exchange has been performed, sometimes text received from the other person appears encrypted, complete with the +OK prefix. This is seemingly random, but I would be happy to do some testing with a developer.

4) Key exchanges are not always successfull. Similar to 3) - seemingly random. Confirmed issue with mirc and znc. Again, I would be happy to test with a developer.

---

Migrated from: https://svn.kvirc.de/kvirc/ticket/1285

[DarthGandalf]

Comment by Meliorator on 21 Apr 2012 15:09:03 5) Fish module is not loaded when a handshake init is received.

[DarthGandalf]

Modified by HelLViS69 on 02 Jan 2015 14:49:43 Version: 4.0.4 Insomnia → 4.2.0 Equilibrium

[un1versal]

can someone with this setup test this in current builds and take action necessary in this report/close/label whatever?

Thx...

[ghost]

1) I find this hard to believe since keyx and the crypto settings are two separate things as far as I know. Once the keyx is done, the keys should be stored until the channel window is closed, regardless of whether the keyx (fish) module is unloaded.

2) /fish.unload

3) Nobody conforms to a "standard" way of doing keyx messages; some default to cbc, others to ecb. Some append _cbc to the keyx message, some don't. I patched this about a year ago (f79cda7) that partially fixes keyx between kvirc and mirc. (Meaning it'll work if mirc [read mircryption addon] initiates a cbc keyx)

4) Related to what I said in 3)

I don't use znc, so I have no idea about how they address blowfish and keyx.

[un1versal]

@DarthGandalf is a znc dev or is part of that world, so maybe he can answer that Q.

[DarthGandalf]

I don't know what is the difference between fish and mircryption (if any), but ZNC supports mircryption via http://wiki.znc.in/Crypt There is some third-party module for fish, probably it works. http://wiki.znc.in/Fish

Anyway, this issue is not about ZNC, but about KVIrc. Is there any specification for fish, which KVIrc correctly (or not) follows?

[ghost]

mircryption = blowfish-cbc fish = blowfish-ecb

At least, that's my understanding.

[ghost]

The only differences I see between the clients/addons are in two areas.

1) Default ecb/cbc keys. Some clients default "<key>" to ecb and make "cbc:<key>" be the cbc key. Other clients choose to have "<key>" be cbc and "ecb:<key>" be the ecb key.

2) Keyx init messages. Some DH1080_INIT means ecb, others it means cbc. Some use DH1080_INIT as ecb and DH1080_INIT_cbc as cbc. There really is no standard.

I'll update with a list of clients/addons that do which method if I get time later. I went through this headache when I last patched DH1080_INIT stuff.

[ctrlaltca]

I'm quite scared to hear people is still using ECB at all! I digged a bit in this mess some years ago, and i remember the maximum key length being another difference between micryption/fish implementations.

[ghost]

I agree, CBC should be default these days. I'm also curious as to why we're still using blowfish when twofish has been out for many many years and is considered the replacement for blowfish.

However, to be able to talk to other clients/addons properly as well as defaulting to a securer standard makes it next to impossible to do both.

Legacy is a headache...

[IceN9ne]

1) KVIrc will not randomly unload a set key during a single session of KVIrc (keys are not stored between sessions). Keys are only removed if you manually click the lock icon and uncheck the encryption method, unset it with window.setCryptEngine, or close the window.

2) fish.unload

3) Fixed as good as it can be in f79cda7

4) Related to f79cda7

5) Fixed in 8cd2641