Freenode via SSL/SASL:ECDSA-NIST256P-CHALLENGE – Ubuntu & Irssi


Useful links:
http://blog.freenode.net/2014/11/atheme-7-2-and-freenode/
http://freenode.net/sasl/sasl-irssi.shtml
https://github.com/kaniini/ecdsatool/blob/master/example-for-cap_sasl.pl
http://wdtz.org/freenode-sasl-upgrade-irssi-howto.html
http://nullroute.eu.org/~grawity/irc-sasl-dh.html

———————————————————————–
a.) This article assumes you already have SASL over SSL with DH-BLOWFISH or PLAIN.
a-1.) “Should the SSL stream become compromised in some manner,
PLAIN would make obtaining a user’s password as easy as forcing a reconnect,
while the other mechanisms provide additional layers of security.”

b.) You are reading this because you want to enforce a secure path over IRC with Irssi.
b-1.) Start your first process here. [Creating an SSL Certificate] – 3 Stages.
b-2.) Follow Freenode’s article to set SASL over SSL. [Configuring SASL for irssi]
c.) End goal is to have SASL over SSL (certs, cafile, verify) + ECDSA.
———————————————————————–
Right, let’s just get to it. In your home folder perform the following in terminal.

1.) wget https://github.com/kaniini/ecdsatool/archive/master.zip
2.) unzip master.zip — this creates an ‘ecdsatool-master’ folder.
3.) Jump inside the folder (‘cd ecdsatool-master’) and run ‘./autogen.sh’.
4.) Run ‘./configure --prefix=$HOME/bin’
5.) Run ‘make -j’
6.) Run ‘make install’

—————–SECOND PART——————–
1.) Add ‘~/bin’ to your PATH. This can be done many ways depending on your shell, e.g.:
PATH=~/bin:$PATH
2.) Test ecdsatool. You should see output similar to the following.
:~$ ecdsatool
usage: ecdsatool applet [options]
the following applets are available: keygen pubkey keyinfo sign usage

3.) In your ‘~/.irssi’ folder create a ‘certs’ directory (‘mkdir certs’) and browse into it (‘cd certs’).
4.) Generate your .pem key using ‘ecdsatool keygen myNickFreenode.pem’
5.) Back out of the ‘certs’ folder, up one level to ‘~/.irssi’.

—————–THIRD PART——————–
1.) If you don’t already have a ‘scripts’ folder with an ‘autorun’ folder inside it, create them as follows.
2.) While under ‘~/.irssi’, create a ‘scripts’ folder (‘mkdir scripts’) and browse into it (‘cd scripts’).
3.) Create an ‘autorun’ folder (‘mkdir autorun’) and browse into it.
4.) Grab ‘cap_sasl.pl’ while inside the ‘autorun’ folder: ‘wget http://freenode.net/sasl/cap_sasl.pl’
5.) The version of ‘cap_sasl.pl’ should be ‘$VERSION = "1.5";’. Look at line 8 in that Perl script.

—————–FOURTH PART——————–
1.) Take the code found below and merge it into freenode’s ‘cap_sasl.pl’.
2.) example-for-cap_sasl.pl (https://github.com/kaniini/ecdsatool/blob/master/example-for-cap_sasl.pl)
3.) Open your ‘cap_sasl.pl’ with your favorite editor. Make sure you have version 1.5.
4.) Towards the bottom of the script you will see the following:
———————————————————————————
pack("n/a*Z*a*", $pubkey, $u, $crypted);
};
};
# If DH-BLOWFISH is not available and you want to see why, uncomment this line:
# Irssi::print($@) if ($@);

———————————————————————————
5.) Create a new line after that last ‘};’ and before the ‘# If DH-BLOWFISH’ line.
6.) Paste the entire ‘example-for-cap_sasl.pl’ from ‘kaniini/ecdsatool’ on GitHub there.
7.) Save the file and exit your editor.

—————–FIFTH PART——————–
1.) Back out of the ‘scripts/autorun’ folder and browse into the ‘certs’ folder.
2.) Run ‘ecdsatool pubkey myNickFreenode.pem’. Save the printed key; you will give it to ‘NickServ’ later.
3.) Run ‘irssi’ from your shell.
4.) ‘cap_sasl.pl’ should load without errors.
5.) You should still be identified and cloaked from your previous setup. If not, don’t join any channels.
6.) Issue this command in irssi (change the network name to match your config):
/sasl set freenode myNick ~/.irssi/certs/myNickFreenode.pem ECDSA-NIST256P-CHALLENGE

7.) Issue ‘/sasl save’. A ‘sasl.auth’ file will be created in ‘~/.irssi’.
b.) Quit irssi and check ‘sasl.auth’; inside it you should find:
freenode myNick certs/myNickFreenode.pem ECDSA-NIST256P-CHALLENGE
8.) You can edit the config file, the ‘sasl.auth’ file, or any other file within ‘~/.irssi’ to match your needs.

—————–FINAL——————–
1.) Start irssi again.
2.) Grab the pubkey you generated in the fifth part.
3.) Link the key with your account.
/msg NickServ set property pubkey RANDOM-KEY-PREVIOUSLY-GENERATED
4.) NickServ should confirm the key.
-NickServ(NickServ@services.)- Metadata entry pubkey added.
5.) Disconnect from the network, quit irssi, start irssi again.
6.) Once connected, scrolling up in the status window should show the result of SSL -> SASL:ECDSA.
b.) Something similar to this:

-!- Irssi: CLICAP: supported by server: account-notify extended-join identify-msg multi-prefix sasl
-!- Irssi: CLICAP: requesting: multi-prefix sasl
-!- Irssi: CLICAP: now enabled: multi-prefix sasl
-!- myNick!myNick@about/whatever/regular/mynick myNick You are now logged in as myNick.
-!- Irssi: SASL authentication successful
-!- Welcome to the freenode Internet Relay Chat Network myNick

—————————————————–
7.) A simple ‘/whois myNick’ should return similar results:
01:30:35 -!- : is using a secure connection
01:30:35 -!- : has client certificate fingerprint SOME-LONG-RANDOMLY-GENERATED-FINGERPRINT-APPROX~40chars

You should be set.
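To make concrete why a.) and a-1.) prefer a challenge mechanism over PLAIN, here is an added example (my own code, not from this post or from ecdsatool) modelling the ECDSA-NIST256P-CHALLENGE round trip: the client proves it holds the key from its .pem by signing a fresh 32-byte server challenge, and NickServ verifies that against the base64 pubkey registered with ‘set property pubkey’, so no password ever crosses the stream. Assumptions: the pubkey encoding (base64 of the SEC1 compressed point) and the signature framing (DER on the wire, a plain (r, s) tuple here) are my understanding of the mechanism, and the P-256 arithmetic is hand-rolled on the standard library only, for illustration, not constant-time.

```python
# Added example (not from the post or from ecdsatool): a toy model of the
# ECDSA-NIST256P-CHALLENGE round trip.  Pure-stdlib P-256; not constant-time.
import base64, secrets

# NIST P-256: y^2 = x^3 - 3x + B over GF(P), base point G of prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r
def keygen():  # what 'ecdsatool keygen' puts in the .pem: private d, public Q = d*G
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)
def pubkey_b64(q):  # what 'ecdsatool pubkey' prints (assumed: base64 SEC1 compressed point)
    return base64.b64encode(bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")).decode()
def decode_pubkey(b64):  # NickServ decompresses the registered 'pubkey' property
    raw = base64.b64decode(b64)
    x = int.from_bytes(raw[1:], "big")
    y = pow((x ** 3 - 3 * x + B) % P, (P + 1) // 4, P)  # P % 4 == 3, so this is a square root
    return (x, y if (y & 1) == (raw[0] & 1) else P - y)
def client_sign(d, challenge):  # client: the 32-byte challenge is signed as the ECDSA digest itself
    z = int.from_bytes(challenge, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = (z + r * d) * pow(k, -1, N) % N
        if r and s: return (r, s)  # on the wire this pair is DER-encoded and base64'd
def server_verify(registered_b64, challenge, sig):  # NickServ: needs only the public key
    q, (r, s) = decode_pubkey(registered_b64), sig
    if not (0 < r < N and 0 < s < N): return False
    z, w = int.from_bytes(challenge, "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r
def sasl_round(d, registered_b64):  # one login: fresh random challenge, sign, verify
    challenge = secrets.token_bytes(32)
    return server_verify(registered_b64, challenge, client_sign(d, challenge))
```

Because the challenge is fresh per connection, a captured signature is useless for a later login, which is the property PLAIN lacks.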
