Weechat Irc Crypto, a simple yet reasonably safe & secure weechat IRC encryption system.
It combines a weechat python script (wic.py) driving an external cryptographic "helper" written in go (
In the time of gazillions of messengers, I still heavily rely on & spend a large amount of time on IRC.
Unfortunately, with IRC, besides the transport encryption offloaded to the IRC network (TLS), there was/is no integrated mechanism to protect conversations from curious eyes.
IRC is an old protocol and, even with v3 around the corner, it has limitations and no end-to-end encryption.
This weechat script tries to answer/solve that.
The design aims at simplicity and usability, from which security derives.
The irc client (weechat) runs a script (wic.py) that communicates (over stdio) with wic to ask for crypto operations.
Several types of keys coexist for different purposes:
Identity keys are generated locally using the wic crypto helper.
More details on WIC internals are slowly being documented on the wiki.
!REMEMBER! make sure $GOPATH/bin or $HOME/go/bin or $GOBIN is in your PATH.
wic cryptographic helper (*):
    $ go get git.sr.ht/~eau/wic/cmd/wic
    $ # or depending on your go version.
    $ GO111MODULE=on go get git.sr.ht/~eau/wic/cmd/wic@latest
generate your long term keys:
    $ wic -keygen nick
    Identity key Password:
    Retype Identity key Password:
start weechat and setup basic auth variables
    /set plugins.var.python.wic.identity mynickname
    /set plugins.var.python.wic.identity_passphrase mySup3rDup3rPassPhrase
install the wic.py script for your weechat
    $ cp wic.py ~/.weechat/python
    $ ln -s ~/.weechat/python/wic.py ~/.weechat/python/autoload/
start, configure weechat && connect
Borrowing the OpenSSH concept, authorized_nicks defines the public keys of friends & users you decided to trust.
By default WIC will accept what we call "anonymous" key exchanges.
The authorized_nicks has the following format (one per line):
    #<nick> <public key>
    eau 27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
    oz UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=
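An added example, not part of wic or of the original README: a small Python check to run over an authorized_nicks file before relying on it as a trust list. It assumes that lines starting with # are comments, that keys are base64 of 32 raw bytes (which is what the two sample entries decode to) and that nicks compare case-insensitively; audit_authorized_nicks, KEY_LEN and SAMPLE are names made up for this example.

```python
import base64
import binascii

KEY_LEN = 32  # assumption: raw 32-byte public keys, as the sample entries decode to

# Constructed sample: the README's two entries plus deliberately bad lines.
SAMPLE = """\
#<nick> <public key>
eau 27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
oz UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=
mallory dG9vLXNob3J0
EAU UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=
bob not*base64
carol
"""


def audit_authorized_nicks(text):
    """Return (trusted, problems): {nick: key bytes} and [(line_no, reason)]."""
    trusted, problems = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((no, "expected '<nick> <public key>'"))
            continue
        nick, b64 = fields
        try:
            # validate=True rejects characters outside the base64 alphabet
            key = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append((no, "public key is not valid base64"))
            continue
        if len(key) != KEY_LEN:
            problems.append((no, f"key is {len(key)} bytes, expected {KEY_LEN}"))
            continue
        folded = nick.lower()  # a second entry for one nick makes trust ambiguous
        if folded in trusted:
            problems.append((no, f"duplicate entry for nick '{folded}'"))
            continue
        trusted[folded] = key
    return trusted, problems


if __name__ == "__main__":
    ok, bad = audit_authorized_nicks(SAMPLE)
    print(sorted(ok), bad)
```
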
they may be renamed later... on
(string) path to the wic binary (if not in PATH)
(string) your identity, your nickname, your name, whatever. (might get removed..)
(string) your identity key passphrase (see weechat secure to use the weechat provided encrypted storage)
(yes/no) ed25519 signed & verified public keys & kex transaction only
(yes/no) enable wic binary debug
These are the default KeyBindings for WIC on weechat
Alt + k
broadcast a new public key on the current buffer.
Alt + t
accept ONLY TRUSTED key broadcast/exchanges.
Alt + T
accept ALL key broadcast/exchanges
these are the commands once the script is loaded and runs, not all are implemented... work in progress
toggle wic encryption on the current buffer (on/off) [DONE]
show current wic state + identity information. [IN PROGRESS]
restart wic (crashed?)
re-read authorized_nicks [DONE]
save currently created symmetric keys. [IN PROGRESS]
load saved symmetric keys. [IN PROGRESS]
show identity key information (id / public key).
generate a new symmetric key for the current channel/query buffer. [DONE]
broadcast a fresh & identity signed ephemeral public key on the current buffer. [DONE]
broadcast a fresh & identity signed ephemeral public key then (create if none &) send the current buffer channel key to
nickname must have
/kex before). [DONE]
if no shared key is present, it will AUTOMATICALLY generate a random symmetric key (like if you had typed /wic newkey) to exchange with
the other members of an IRC channel see the public ephemeral broadcast only; the key exchange is sent directly to the peer receiving it.
the server can SEE who is sending which key to whom, but cannot interfere as long as plugins.var.python.wic.signed_kex is yes.
Mainly, this was designed with weechat's abilities in mind. I have not studied what or how to do similar things with other clients; considering wic i/o is a trivial text based protocol, adapting to other clients should be fairly reachable & easy, I just don't have the time and need/energy.
patches are welcome
Could be interesting to use with?