mcpcpc / kirc

A tiny IRC client written in POSIX C99.
https://mcpcpc.github.io/kirc/
MIT License

Tor Native Support #43

Closed mcpcpc closed 4 years ago

mcpcpc commented 4 years ago

First, I would like to apologize in advance as PR https://github.com/mcpcpc/kirc/pull/42 was only a partial implementation of the full solution to connect to an IRC host through Tor.

From what I can ascertain, and upon inspection of other client sources, the following are the "general" steps to connect:

  1. Generate a new self-assigned certificate using openssl: openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out client.pem -keyout client.pem
  2. Obtain the certificate fingerprint: openssl x509 -in client.pem -outform der | sha1sum -b | cut -d' ' -f1
  3. Start the IRC client specifying the path to the *.pem file and specifying SASL EXTERNAL mechanism.
  4. Add the certificate fingerprint to NickServ: /msg NickServ CERT ADD

The sticking point becomes loading the self-assigned certificate to kirc. This requires #include "openssl/ssl.h", which is not a POSIX compliant library. Since POSIX compliance is fundamental to the design of kirc, I do not see Tor ever being fully natively supported in this client. I would, however, support someone creating a fork dedicated to improved TLS handling using the openssl library.

I will leave this issue open for a while in case someone else has a different solution/suggestion or the addition of "external" application solutions.


mcpcpc commented 4 years ago

A potential external solution using socat:

Potential SOCKS4 Example (untested)

socat TCP4-LISTEN:4242,bind=127.0.0.1,fork SOCKS4A:localhost:examplename.onion:6667,socksport=9050
kirc -e -s 127.0.0.1 -p 4242 -n mynick

Example Client connection with self-assigned Cert (untested)


socat TCP4-LISTEN:65500,fork,bind=0,reuseaddr SOCKS4A:local-socks-server:examplename.onion:6667
socat TCP4-LISTEN:65501,fork,bind=0,reuseaddr 'OPENSSL:127.0.0.1:65500,verify=0,cert=client.pem'
kirc -e -s 127.0.0.1 -p 65501 -n mynick

Reference Dump:

https://unix.stackexchange.com/questions/491846/using-socat-to-make-a-secure-tcp-connection-to-an-irc-server
http://www.dest-unreach.org/socat/doc/socat-openssl.txt
http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html
https://gist.github.com/lene/a517e635de86e73f6a981b0b584fb68a
https://cryptoanarchy.freed0m4all.net/wiki/IRC
https://wiki.gentoo.org/wiki/IRC/Guide
https://wiki.znc.in/Tor
http://www.usenix.org.uk/content/socat.html

mcpcpc commented 4 years ago

As confirmed on irc by @soliwilos:

socat TCP4-LISTEN:1110,fork,bind=0,reuseaddr SOCKS4A:127.0.0.1:ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion:6697,socksport=9050
socat TCP4-LISTEN:1111,fork,bind=0,reuseaddr 'OPENSSL:127.0.0.1:1110,verify=0,cert=/full/path/to/client.pem'
kirc -e -s 127.0.0.1 -p 1111 -c kisslinux -n nick -x 'wait 5000'
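
The two-stage socat chain from the comments above, as an added example that is not part of the original thread or the kirc project: it binds both listeners to 127.0.0.1 rather than the wildcard `bind=0`, so the forwarder that presents the client certificate is not reachable from other hosts, and it refuses a `client.pem` that group or others can access. The function names are hypothetical, and `examplename.onion` plus the throwaway PEM file are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the kirc project). Function names are hypothetical.
# It prints the socat commands for review instead of starting them.

LOOPBACK=127.0.0.1

# client.pem from step 1 also holds the private key (-keyout client.pem):
# refuse to use it if group or others have any permission bit set.
pem_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Stage 1: plain TCP listener forwarded through Tor's SOCKS port.
# SOCKS4A hands the .onion name to the proxy instead of resolving it locally.
tor_stage() {   # args: listen_port onion_host onion_port
    case $2 in *.onion) ;; *) return 1 ;; esac
    printf 'socat TCP4-LISTEN:%s,fork,bind=%s,reuseaddr SOCKS4A:%s:%s:%s,socksport=9050\n' \
        "$1" "$LOOPBACK" "$LOOPBACK" "$2" "$3"
}

# Stage 2: TLS with the client certificate, layered on top of stage 1.
tls_stage() {   # args: listen_port stage1_port pem_path
    pem_is_private "$3" || return 1
    printf 'socat TCP4-LISTEN:%s,fork,bind=%s,reuseaddr OPENSSL:%s:%s,verify=0,cert=%s\n' \
        "$1" "$LOOPBACK" "$LOOPBACK" "$2" "$3"
}

# Constructed demo: a throwaway file stands in for client.pem.
demo() {
    pem=$(mktemp) || return 1
    chmod 600 "$pem"
    tor_stage 1110 examplename.onion 6697
    tls_stage 1111 1110 "$pem"
    rm -f "$pem"
}
demo
```

kirc then connects to 127.0.0.1 on the stage 2 port, exactly as in the commands above.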