ok let's fix those bugs, need to implement SAS.. but I'll steal that from the olvid implementation when it's done.
Implemented the beginning of load/save for the keys.
Updated some docs.
Weechat Irc Crypto, a simple yet reasonably safe & secure weechat IRC encryption system.
It combines a weechat python script (wic.py) driving an external cryptographic "helper" written in Go (wic).
In the time of gazillions of messengers, I still heavily rely on & spend a large amount of time on IRC.
Unfortunately, beside the transport encryption offloaded to the IRC network (TLS, which only protects the link between client and server: the server still sees every message in clear), IRC has never had an integrated mechanism to protect conversations from curious eyes.
IRC is an old protocol, and even with IRCv3 around the corner it keeps its limitations and has no end-to-end encryption.
This weechat script tries to answer/solve that.
The design aims at simplicity and usability, from which security derives.
The IRC client (weechat) runs a script (wic.py) that communicates (over stdio) with wic to ask for crypto operations.
Several types of keys coexist for different purposes:
Identity keys are long-term signing keys, generated locally using the wic crypto helper (wic -keygen, see below).
Ephemeral public keys are generated for each /kex and broadcast to the buffer.
Symmetric channel keys encrypt the traffic of one channel/query buffer (/wic newkey, or created automatically by /kex <nickname>).
More details on WIC internals are slowly being documented on the wiki.
!REMEMBER! make sure $GOPATH/bin, $HOME/go/bin or $GOBIN is in your PATH.
Install the wic cryptographic helper (*); note that with Go 1.17 or newer `go get` no longer installs binaries, use `go install git.sr.ht/~eau/wic/cmd/wic@latest` instead:
$ go get git.sr.ht/~eau/wic/cmd/wic
$ # or depending on your go version.
$ GO111MODULE=on go get git.sr.ht/~eau/wic/cmd/wic@latest
Generate your long-term identity keys (the passphrase protects the private key on disk):
$ wic -keygen nick
Identity key Password:
Retype Identity key Password:
Start weechat and set up the basic auth variables (the passphrase lands in weechat's plaintext config unless you use /secure, see the options below):
/set plugins.var.python.wic.identity mynickname
/set plugins.var.python.wic.identity_passphrase mySup3rDup3rPassPhrase
Install the wic.py script for your weechat:
$ cp wic.py ~/.weechat/python
$ ln -s ~/.weechat/python/wic.py ~/.weechat/python/autoload/
Start weechat, configure it and connect.
Borrowing the OpenSSH authorized_keys concept, authorized_nicks defines the public keys of the friends & users you have decided to trust.
By default WIC accepts what we call "anonymous" key exchanges, i.e. broadcasts from nicks that are not in authorized_nicks (see the Alt+t / Alt+T bindings below to restrict this).
The authorized_nicks file has the following format (one entry per line):
Example:
#<nick> <public key>
eau 27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
oz UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=
Configuration options (they may be renamed later on):
plugins.var.python.wic.binary
(string) path to the wic binary (if not in PATH)
plugins.var.python.wic.identity
(string) your identity: your nickname, your name, whatever (might get removed).
plugins.var.python.wic.identity_passphrase
(string) your identity key passphrase (see weechat's /secure command to keep it in weechat's encrypted storage instead of the plaintext config file)
plugins.var.python.wic.signed_kex
(yes/no) accept only ed25519-signed & verified public keys and kex transactions
plugins.var.python.wic.debug
(yes/no) enable debug output of the wic binary
These are the default key bindings for WIC in weechat:
Alt + k
broadcast a new public key on the current buffer.
Alt + t
accept ONLY TRUSTED key broadcasts/exchanges (nicks listed in authorized_nicks).
Alt + T
accept ALL key broadcasts/exchanges (anonymous ones included).
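The two passages above, the authorized_nicks format and the trusted-only versus accept-all bindings, come together in one decision: is this incoming key broadcast from someone I trust? The following is an added example, not code from wic.py, showing how a client can parse an authorized_nicks file strictly (rejecting bad base64, wrong key lengths and duplicate nicks rather than trusting them) and then apply the trust policy. The sample file content is constructed here; the two valid keys are the ones from the README example. One policy choice is mine rather than documented wic behaviour and is marked as such in the code: a nick that is in authorized_nicks is held to its listed key even in anonymous mode.

```python
import base64
import binascii
from enum import Enum

# Constructed sample of an authorized_nicks file, in the format shown above.
# The two valid keys are the ones from the README example; the last two
# entries are deliberately malformed and must be rejected, not trusted.
SAMPLE_AUTHORIZED_NICKS = """\
#<nick> <public key>
eau 27wH6NCKlNI6/zBpON+MJL8f+c2qCsmshTf2rihlDjI=
oz UXR/s2DfxpZPahFGOwVF15RvsU5j/N0TDpxzwybZ2zs=

# bad entries: not base64, and a key of the wrong length
mallory not-base64!!
eve dG9vc2hvcnQ=
"""

ED25519_PUBKEY_LEN = 32  # an Ed25519 public key is exactly 32 bytes


def parse_authorized_nicks(text):
    """Parse authorized_nicks text into {nick: 32-byte key}.

    Returns (trusted, rejected) where rejected is a list of (line number,
    reason). The first entry for a nick wins: a later duplicate cannot
    quietly replace a key that is already trusted.
    """
    trusted, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            rejected.append((lineno, "expected '<nick> <public key>'"))
            continue
        nick, b64key = parts
        try:
            key = base64.b64decode(b64key, validate=True)
        except (binascii.Error, ValueError):
            rejected.append((lineno, "public key is not valid base64"))
            continue
        if len(key) != ED25519_PUBKEY_LEN:
            rejected.append((lineno, f"key is {len(key)} bytes, want {ED25519_PUBKEY_LEN}"))
            continue
        if nick in trusted:
            rejected.append((lineno, f"duplicate entry for {nick}"))
            continue
        trusted[nick] = key
    return trusted, rejected


class KexMode(Enum):
    TRUSTED_ONLY = "Alt+t"  # accept broadcasts only from authorized_nicks
    ANONYMOUS = "Alt+T"     # accept broadcasts from anyone (the default)


def accept_kex(nick, signer_key, trusted, mode, signed_kex=True):
    """Trust decision for an incoming key broadcast from `nick`.

    `signer_key` is the identity public key whose signature the helper
    verified on the broadcast, or None if the broadcast was unsigned. The
    signature check itself is the helper's job; this models only the policy.
    Assumed policy choice (mine, not necessarily wic's): a nick that *is* in
    authorized_nicks is held to its listed key even in anonymous mode, so a
    stranger using a friend's nick is rejected rather than accepted.
    """
    if signed_kex and signer_key is None:
        return False, "signed_kex is yes but the broadcast is unsigned"
    expected = trusted.get(nick)
    if expected is not None:
        if signer_key == expected:
            return True, f"{nick} is trusted via authorized_nicks"
        return False, f"{nick} is in authorized_nicks but signed with another key"
    if mode is KexMode.ANONYMOUS:
        return True, f"{nick} unknown, accepted as an anonymous exchange"
    return False, f"{nick} is not in authorized_nicks (trusted-only mode)"
```

The strictness matters because a key file is a trust anchor: a typo'd or truncated key that parses "successfully" would be a key nobody holds, and silently letting a later line override an earlier one is exactly how an attacker who can append to the file would replace a friend's key. The nick-pinning rule gives the same protection as SSH's host key mismatch warning: anonymous mode still lets you talk to strangers, but it never lets a stranger impersonate a listed friend.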
These are the commands available once the script is loaded and running; not all are implemented yet, work in progress.
/wic
toggle wic encryption on the current buffer (on/off) [DONE]
/wic status
show current wic state + identity information. [IN PROGRESS]
/wic restart
restart wic (e.g. after the helper crashed).
/wic rehash
re-read authorized_nicks [DONE]
/wic save
save currently created symmetric keys. [IN PROGRESS]
/wic load
load saved symmetric keys. [IN PROGRESS]
/wic id
show identity key information (id / public key).
/wic newkey
generate a new symmetric key for the current channel/query buffer. [DONE]
/kex
broadcast a fresh & identity-signed ephemeral public key on the current buffer. [DONE]
/kex <nickname>
broadcast a fresh & identity-signed ephemeral public key, then (creating it if none exists) send the current buffer's channel key to nickname (nickname must have run /kex before). [DONE]
If no shared key is present, it AUTOMATICALLY generates a random symmetric key (as if you had typed /wic newkey) to exchange with nickname.
The other members of an IRC channel only see the ephemeral public key broadcast; the key exchange itself is sent directly to the receiving peer.
The server can SEE who is sending which key to whom, but cannot interfere as long as plugins.var.python.wic.signed_kex is yes and you actually verify the signer: with anonymous exchanges accepted, a valid signature only proves the key came from whoever holds that identity key, so pin your peers in authorized_nicks and use Alt+t when it matters.
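To make the /kex flow above concrete, here is an added simulation (not wic's code) of one channel with three members and the server in the middle: Bob does /kex, Alice does /kex bob (which auto-generates the channel key), and Carol only sees the broadcasts. Everything about the cryptography is a stand-in chosen so the example runs with nothing but the Python standard library: key agreement is classic Diffie-Hellman in the RFC 3526 2048-bit MODP group instead of the helper's curve primitives, the channel key is wrapped with a hash-derived one-time key plus an HMAC tag instead of the helper's own construction, and the identity signature on the ephemeral key is left out entirely (the trust decision it feeds is covered earlier). The nicks and the message flow are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in key agreement: Diffie-Hellman in the RFC 3526 2048-bit MODP group
# (group 14, generator 2), used only because it needs nothing beyond the
# standard library. wic's helper uses its own curve primitives and signs the
# ephemeral key with the identity key; signing is left out of this model.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def derive(shared, label):
    """Derive a 32-byte key from the DH shared secret for one purpose."""
    return hashlib.sha256(label + shared.to_bytes(256, "big")).digest()


def wrap(my_priv, peer_pub, channel_key):
    """Encrypt-then-MAC the 32-byte channel key to one peer's ephemeral key.
    The ephemeral secret is used once, so XOR with the derived key is a one-time pad."""
    shared = pow(peer_pub, my_priv, P)
    ct = bytes(a ^ b for a, b in zip(channel_key, derive(shared, b"enc")))
    return ct + hmac.new(derive(shared, b"mac"), ct, hashlib.sha256).digest()


def unwrap(my_priv, peer_pub, blob):
    """Inverse of wrap(); rejects a blob not addressed to us or modified in transit."""
    ct, tag = blob[:32], blob[32:]
    shared = pow(peer_pub, my_priv, P)
    expected = hmac.new(derive(shared, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, derive(shared, b"enc")))


class Channel:
    """The IRC server's view: it relays messages and logs exactly what it can see."""

    def __init__(self):
        self.members = []
        self.log = []  # (kind, sender, target, payload) as relayed by the server

    def broadcast(self, sender, pub):  # ephemeral public key, seen by everyone
        self.log.append(("broadcast", sender, "*", pub))
        for m in self.members:
            if m.nick != sender:
                m.peer_pubs[sender] = pub

    def direct(self, sender, target, blob):  # wrapped channel key, one recipient
        self.log.append(("direct", sender, target, blob))
        for m in self.members:
            if m.nick == target:
                m.receive_key(sender, blob)


class Member:
    """One wic user: own ephemeral key pair, peers' ephemeral keys, channel key."""

    def __init__(self, nick, channel):
        self.nick, self.channel = nick, channel
        self.priv = self.pub = None
        self.peer_pubs = {}
        self.channel_key = None
        channel.members.append(self)

    def kex(self):
        """/kex: fresh ephemeral key pair, public half broadcast to the buffer."""
        self.priv = secrets.randbits(256) | (1 << 255)
        self.pub = pow(G, self.priv, P)
        self.channel.broadcast(self.nick, self.pub)

    def kex_with(self, peer):
        """/kex <nick>: refuse unless the peer already did /kex, then refresh our
        ephemeral key, create the channel key if none, wrap it and send it directly."""
        if peer not in self.peer_pubs:
            raise LookupError(f"{peer} has not sent /kex yet; nothing to encrypt to")
        self.kex()
        if self.channel_key is None:  # same effect as /wic newkey
            self.channel_key = secrets.token_bytes(32)
        blob = wrap(self.priv, self.peer_pubs[peer], self.channel_key)
        self.channel.direct(self.nick, peer, blob)

    def receive_key(self, sender, blob):
        if self.priv is None or sender not in self.peer_pubs:
            raise LookupError("missing ephemeral keys; did both sides /kex?")
        self.channel_key = unwrap(self.priv, self.peer_pubs[sender], blob)


def demo():
    """alice: /kex bob too early (refused), bob: /kex, alice: /kex bob."""
    chan = Channel()
    alice, bob, carol = (Member(n, chan) for n in ("alice", "bob", "carol"))
    try:
        alice.kex_with("bob")
        refused = False
    except LookupError:
        refused = True
    bob.kex()
    alice.kex_with("bob")
    return chan, alice, bob, carol, refused
```

Running demo() and printing chan.log shows what the README describes: the server relays two broadcasts and one direct message and therefore knows that alice sent bob a key, but the payload it relays never contains the channel key, Carol ends up with both ephemeral public keys and no channel key, and the first /kex bob is refused client-side because there was no key to encrypt to yet. Flipping one bit of the relayed blob, or handing it to Carol after she does her own /kex, fails the tag check instead of yielding a key.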
Mainly this was designed with weechat's abilities in mind; I have not studied what or how to do similar things with other clients. Considering wic's I/O is a trivial text-based protocol, adapting it to other clients should be fairly reachable & easy, I just don't have the time, need or energy.
Patches are welcome.
Could be interesting to use with?
Send patches and questions to ~eau/wic@lists.sr.ht.
Subscribe to announcements and conversations on ~eau/wic, and submit bugs/requests here.