* [RFC] certfp for rcirc
@ 2021-11-11 9:02 Omar Polo
2021-11-14 18:25 ` Philip Kaludercic
0 siblings, 1 reply; 8+ messages in thread
From: Omar Polo @ 2021-11-11 9:02 UTC (permalink / raw)
To: Emacs developers
Hello,
I was told earlier today that is actually possible to log in to an irc
server using TLS client certificates. I like the idea and I wanted to
used it, but unfortunately, rcirc doesn't seem to support them.
I briefly tried circe, which has support for certfp, and while it's a
great irc client, I still like rcirc more (eheh) so here's a try at
adding the certfp login style to rcirc. It's still missing the
documentation bits, but as per the subject, I'd like to get a feedback
on the diff before proceding with the documentation.
Here's some documentation on how to use certfp:
https://libera.chat/guides/certfp
To use certfp you need to:
1. generate a certificate (e.g. with openssl(1))
2. the first time:
- connect using the certificate
- authenticate via the usual /msg nickserv identify ...
- associate the certificate with your account
/msg NickServ CERT ADD
3. from now on every time you connect with that cert, you're
automatically authenticated. No passwords needed.
With the following patch I can connect to libera with the following
configuration:
(setq rcirc-server-alist
'(("irc.libera.chat" :channels (...) :port 6697)))
(setq rcirc-authinfo
'(("libera"
certfp
"/home/op/.emacs.d/irc/key.pem"
"/home/op/.emacs.d/irc/cert.pem")))
Here's an excerpt from the *irc.libera.chat* server in a emacs -Q with
the above config and the custom rcirc.el loaded:
[...]
23:28 *** erbium.libera.chat 001 Welcome to the Libera.Chat Internet
Relay Chat Network op2
^^^
note how I'm already logged in
[...]
23:28 *** op2 MODE +Zi
23:28 -NickServ- This nickname is registered. Please choose a
different nickname, or identify via /msg NickServ
IDENTIFY op2 <password>
23:28 -NickServ- You have 30 seconds to identify to your nickname
before it is changed.
23:28 -NickServ- You are now identified for op2.
23:28 -NickServ- Last login from: ~op<redacted>
on Nov 10 22:27:31 2021 +0000.
23:29 /whois op2
[...]
23:29 *** 276 op2 has client certificate fingerprint
<redacted>
[...]
For some reason I don't know yet, the NickServ still says that I've got
30 seconds to identify myself, but in reality I'm already logged in. I
don't know basically anything about how the irc protocol works, so I'm
probably missing something incredibly obvious.
What do you think?
Cheers,
Omar Polo
diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 52d74a3394..070218ef0a 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -262,10 +262,12 @@ The ARGUMENTS for each METHOD symbol are:
`bitlbee': NICK PASSWORD
`quakenet': ACCOUNT PASSWORD
`sasl': NICK PASSWORD
+ `certfp': KEY CERT
Examples:
((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\")
(\"Libera.Chat\" chanserv \"bob\" \"#bobland\" \"passwd99\")
+ (\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\")
(\"bitlbee\" bitlbee \"robert\" \"sekrit\")
(\"dal.net\" nickserv \"bob\" \"sekrit\" \"NickServ@services.dal.net\")
(\"quakenet.org\" quakenet \"bobby\" \"sekrit\")
@@ -291,7 +293,11 @@ Examples:
(list :tag "SASL"
(const sasl)
(string :tag "Nick")
- (string :tag "Password")))))
+ (string :tag "Password"))
+ (list :tag "CertFP"
+ (const certfp)
+ (string :tag "Key")
+ (string :tag "Certificate")))))
(defcustom rcirc-auto-authenticate-flag t
"Non-nil means automatically send authentication string to server.
@@ -547,6 +553,9 @@ If ARG is non-nil, instead prompt for connection parameters."
(password (plist-get (cdr c) :password))
(encryption (plist-get (cdr c) :encryption))
(server-alias (plist-get (cdr c) :server-alias))
+ (client-cert (when (eq (rcirc-get-server-method (car c))
+ 'certfp)
+ (rcirc-get-server-cert (car c))))
contact)
(when-let (((not password))
(auth (auth-source-search :host server
@@ -563,7 +572,7 @@ If ARG is non-nil, instead prompt for connection parameters."
(condition-case nil
(let ((process (rcirc-connect server port nick user-name
full-name channels password encryption
- server-alias)))
+ client-cert server-alias)))
(when rcirc-display-server-buffer
(pop-to-buffer-same-window (process-buffer process))))
(quit (message "Quit connecting to %s"
@@ -662,13 +671,22 @@ See `rcirc-connect' for more details on these variables.")
(when (string-match server-i server)
(throw 'pass (car args)))))))
+(defun rcirc-get-server-cert (server)
+ "Return a list of key and certificate for SERVER."
+ (catch 'pass
+ (dolist (i rcirc-authinfo)
+ (let ((server-i (car i))
+ (args (cddr i)))
+ (when (string-match server-i server)
+ (throw 'pass args))))))
+
;;;###autoload
(defun rcirc-connect (server &optional port nick user-name
full-name startup-channels password encryption
- server-alias)
+ certfp server-alias)
"Connect to SERVER.
The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD,
-ENCRYPTION, SERVER-ALIAS are interpreted as in
+ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in
`rcirc-server-alist'. STARTUP-CHANNELS is a list of channels
that are joined after authentication."
(save-excursion
@@ -692,10 +710,16 @@ that are joined after authentication."
(delete-process process))
;; Set up process
- (setq process (open-network-stream
- (or server-alias server) nil server port-number
- :type (or encryption 'plain)
- :nowait t))
+ (setq process (if certfp
+ (open-network-stream
+ (or server-alias server) nil server port-number
+ :type 'tls
+ :nowait t
+ :client-certificate certfp)
+ (open-network-stream
+ (or server-alias server) nil server port-number
+ :type (or encryption 'plain)
+ :nowait t)))
(set-process-coding-system process 'raw-text 'raw-text)
(with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil))
(set-process-buffer process (current-buffer))
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [RFC] certfp for rcirc 2021-11-11 9:02 [RFC] certfp for rcirc Omar Polo @ 2021-11-14 18:25 ` Philip Kaludercic 2021-11-14 18:36 ` Omar Polo 2021-11-15 18:02 ` Omar Polo 0 siblings, 2 replies; 8+ messages in thread From: Philip Kaludercic @ 2021-11-14 18:25 UTC (permalink / raw) To: Omar Polo; +Cc: Emacs developers Omar Polo <op@omarpolo.com> writes: > For some reason I don't know yet, the NickServ still says that I've got > 30 seconds to identify myself, but in reality I'm already logged in. I > don't know basically anything about how the irc protocol works, so I'm > probably missing something incredibly obvious. Have you experienced any issues since? It might also be that this is a server side issue? What do other clients say? > What do you think? I think this would be a good addition. One might even want to go further and add functions to automate the certfp authentication. But that might be a too much for rcirc. Also, the manual should be updated to explain how this works. > Cheers, > > Omar Polo > > > diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el > index 52d74a3394..070218ef0a 100644 > --- a/lisp/net/rcirc.el > +++ b/lisp/net/rcirc.el > @@ -262,10 +262,12 @@ The ARGUMENTS for each METHOD symbol are: > `bitlbee': NICK PASSWORD > `quakenet': ACCOUNT PASSWORD > `sasl': NICK PASSWORD > + `certfp': KEY CERT > > Examples: > ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") > (\"Libera.Chat\" chanserv \"bob\" \"#bobland\" \"passwd99\") > + (\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\") > (\"bitlbee\" bitlbee \"robert\" \"sekrit\") > (\"dal.net\" nickserv \"bob\" \"sekrit\" \"NickServ@services.dal.net\") > (\"quakenet.org\" quakenet \"bobby\" \"sekrit\") > @@ -291,7 +293,11 @@ Examples: > (list :tag "SASL" > (const sasl) > (string :tag "Nick") > - (string :tag "Password"))))) > + (string :tag "Password")) > + (list :tag "CertFP" > + (const certfp) > + (string :tag "Key") > + (string :tag "Certificate"))))) > > (defcustom rcirc-auto-authenticate-flag t > "Non-nil means automatically send authentication string to server. > @@ -547,6 +553,9 @@ If ARG is non-nil, instead prompt for connection parameters." > (password (plist-get (cdr c) :password)) > (encryption (plist-get (cdr c) :encryption)) > (server-alias (plist-get (cdr c) :server-alias)) > + (client-cert (when (eq (rcirc-get-server-method (car c)) > + 'certfp) > + (rcirc-get-server-cert (car c)))) > contact) > (when-let (((not password)) > (auth (auth-source-search :host server > @@ -563,7 +572,7 @@ If ARG is non-nil, instead prompt for connection parameters." > (condition-case nil > (let ((process (rcirc-connect server port nick user-name > full-name channels password encryption > - server-alias))) > + client-cert server-alias))) > (when rcirc-display-server-buffer > (pop-to-buffer-same-window (process-buffer process)))) > (quit (message "Quit connecting to %s" > @@ -662,13 +671,22 @@ See `rcirc-connect' for more details on these variables.") > (when (string-match server-i server) > (throw 'pass (car args))))))) > > +(defun rcirc-get-server-cert (server) > + "Return a list of key and certificate for SERVER." > + (catch 'pass > + (dolist (i rcirc-authinfo) > + (let ((server-i (car i)) > + (args (cddr i))) > + (when (string-match server-i server) > + (throw 'pass args)))))) Why not use alist-get with a test function? > ;;;###autoload > (defun rcirc-connect (server &optional port nick user-name > full-name startup-channels password encryption > - server-alias) > + certfp server-alias) > "Connect to SERVER. > The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, > -ENCRYPTION, SERVER-ALIAS are interpreted as in > +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in > `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels > that are joined after authentication." > (save-excursion > @@ -692,10 +710,16 @@ that are joined after authentication." > (delete-process process)) > > ;; Set up process > - (setq process (open-network-stream > - (or server-alias server) nil server port-number > - :type (or encryption 'plain) > - :nowait t)) > + (setq process (if certfp > + (open-network-stream > + (or server-alias server) nil server port-number > + :type 'tls > + :nowait t > + :client-certificate certfp) Is this case-distinction necessary? If `certfp' is nil, then open-network-stream should just ignore the argument if I am not mistaken. > + (open-network-stream > + (or server-alias server) nil server port-number > + :type (or encryption 'plain) > + :nowait t))) > (set-process-coding-system process 'raw-text 'raw-text) > (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) > (set-process-buffer process (current-buffer)) > > -- Philip Kaludercic ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-14 18:25 ` Philip Kaludercic @ 2021-11-14 18:36 ` Omar Polo 2021-11-15 18:02 ` Omar Polo 1 sibling, 0 replies; 8+ messages in thread From: Omar Polo @ 2021-11-14 18:36 UTC (permalink / raw) To: Philip Kaludercic; +Cc: Emacs developers Philip Kaludercic <philipk@posteo.net> writes: > Omar Polo <op@omarpolo.com> writes: > >> For some reason I don't know yet, the NickServ still says that I've got >> 30 seconds to identify myself, but in reality I'm already logged in. I >> don't know basically anything about how the irc protocol works, so I'm >> probably missing something incredibly obvious. > > Have you experienced any issues since? It might also be that this is a > server side issue? What do other clients say? I've been happily using it for the last three day. The "auto-magic" login is nice and works reliably :D I've only used circe with this setup, and iirc nickserv didn't send the message (or maybe it was hidden.) I read the circe code, but nothing caught my eye really. I'll try some other client to see what's the output like. >> What do you think? > > I think this would be a good addition. One might even want to go > further and add functions to automate the certfp authentication. But > that might be a too much for rcirc. > > Also, the manual should be updated to explain how this works. I'll send an updated diff soon. I've never touched an emacs manual, it may take a bit to figure things out :) >> Cheers, >> >> Omar Polo >> >> >> diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el >> index 52d74a3394..070218ef0a 100644 >> --- a/lisp/net/rcirc.el >> +++ b/lisp/net/rcirc.el >> @@ -262,10 +262,12 @@ The ARGUMENTS for each METHOD symbol are: >> `bitlbee': NICK PASSWORD >> `quakenet': ACCOUNT PASSWORD >> `sasl': NICK PASSWORD >> + `certfp': KEY CERT >> >> Examples: >> ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") >> (\"Libera.Chat\" chanserv \"bob\" \"#bobland\" \"passwd99\") >> + (\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\") >> (\"bitlbee\" bitlbee \"robert\" \"sekrit\") >> (\"dal.net\" nickserv \"bob\" \"sekrit\" \"NickServ@services.dal.net\") >> (\"quakenet.org\" quakenet \"bobby\" \"sekrit\") >> @@ -291,7 +293,11 @@ Examples: >> (list :tag "SASL" >> (const sasl) >> (string :tag "Nick") >> - (string :tag "Password"))))) >> + (string :tag "Password")) >> + (list :tag "CertFP" >> + (const certfp) >> + (string :tag "Key") >> + (string :tag "Certificate"))))) >> >> (defcustom rcirc-auto-authenticate-flag t >> "Non-nil means automatically send authentication string to server. >> @@ -547,6 +553,9 @@ If ARG is non-nil, instead prompt for connection parameters." >> (password (plist-get (cdr c) :password)) >> (encryption (plist-get (cdr c) :encryption)) >> (server-alias (plist-get (cdr c) :server-alias)) >> + (client-cert (when (eq (rcirc-get-server-method (car c)) >> + 'certfp) >> + (rcirc-get-server-cert (car c)))) >> contact) >> (when-let (((not password)) >> (auth (auth-source-search :host server >> @@ -563,7 +572,7 @@ If ARG is non-nil, instead prompt for connection parameters." >> (condition-case nil >> (let ((process (rcirc-connect server port nick user-name >> full-name channels password encryption >> - server-alias))) >> + client-cert server-alias))) >> (when rcirc-display-server-buffer >> (pop-to-buffer-same-window (process-buffer process)))) >> (quit (message "Quit connecting to %s" >> @@ -662,13 +671,22 @@ See `rcirc-connect' for more details on these variables.") >> (when (string-match server-i server) >> (throw 'pass (car args))))))) >> >> +(defun rcirc-get-server-cert (server) >> + "Return a list of key and certificate for SERVER." >> + (catch 'pass >> + (dolist (i rcirc-authinfo) >> + (let ((server-i (car i)) >> + (args (cddr i))) >> + (when (string-match server-i server) >> + (throw 'pass args)))))) > > Why not use alist-get with a test function? Agreed, and usually I would have written like that, but the other function around did exactly that so for coherence I stick with that pattern. I can send a follow-up diff to improve rcirc-get-server-{method,password,cert}. >> ;;;###autoload >> (defun rcirc-connect (server &optional port nick user-name >> full-name startup-channels password encryption >> - server-alias) >> + certfp server-alias) >> "Connect to SERVER. >> The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, >> -ENCRYPTION, SERVER-ALIAS are interpreted as in >> +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in >> `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels >> that are joined after authentication." >> (save-excursion >> @@ -692,10 +710,16 @@ that are joined after authentication." >> (delete-process process)) >> >> ;; Set up process >> - (setq process (open-network-stream >> - (or server-alias server) nil server port-number >> - :type (or encryption 'plain) >> - :nowait t)) >> + (setq process (if certfp >> + (open-network-stream >> + (or server-alias server) nil server port-number >> + :type 'tls >> + :nowait t >> + :client-certificate certfp) > > Is this case-distinction necessary? If `certfp' is nil, then > open-network-stream should just ignore the argument if I am not > mistaken. (I think you meant `tls' rather then `certfp', implying that I could simply have added `:client-certificate certfp' argument to open-network-stream.) It's an attempt to being user-friendly (the wrong way maybe), i.e. by implicitly use tls if the user asks for certfp. Now that I think it better, one has to set the correct port anyway so maybe it's better to be less clever and require the user to specify `:encryption tls' in rcirc-server-alist if certfp is requested. >> + (open-network-stream >> + (or server-alias server) nil server port-number >> + :type (or encryption 'plain) >> + :nowait t))) >> (set-process-coding-system process 'raw-text 'raw-text) >> (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) >> (set-process-buffer process (current-buffer)) >> >> I'll send an improved diff with the manual bits later, Thanks! ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-14 18:25 ` Philip Kaludercic 2021-11-14 18:36 ` Omar Polo @ 2021-11-15 18:02 ` Omar Polo 2021-11-15 21:49 ` Omar Polo 1 sibling, 1 reply; 8+ messages in thread From: Omar Polo @ 2021-11-15 18:02 UTC (permalink / raw) To: Philip Kaludercic; +Cc: Emacs developers [-- Attachment #1: Type: text/plain, Size: 1383 bytes --] Philip Kaludercic <philipk@posteo.net> writes: > Omar Polo <op@omarpolo.com> writes: > >> For some reason I don't know yet, the NickServ still says that I've got >> 30 seconds to identify myself, but in reality I'm already logged in. I >> don't know basically anything about how the irc protocol works, so I'm >> probably missing something incredibly obvious. > > Have you experienced any issues since? It might also be that this is a > server side issue? What do other clients say? > >> What do you think? > > I think this would be a good addition. One might even want to go > further and add functions to automate the certfp authentication. But > that might be a too much for rcirc. > > Also, the manual should be updated to explain how this works. here's another try. The first diff is something I noticed while trying to document the cerfp option in the rcirc documentation: the sasl section seems to split the bitlbee paragraph, so I move that. The second diff is the certfp implementation revised after your comments. The third diff reworks some function to avoid the manual lookup with dolist and use assoc instead. I'm not sure if/how should I edit the etc/NEWS file and if the commit messages are fine. Additionally, should the paragraph explaining certfp in the manual also tell the user how to create a certificate and how to activate it? Thanks, Omar Polo [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-Move-the-sasl-section-after-the-bitlbee-text.patch --] [-- Type: text/x-patch, Size: 1444 bytes --] From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 17:33:51 +0000 Subject: [PATCH 1/3] Move the sasl section after the bitlbee text --- doc/misc/rcirc.texi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index a4ca54a8b0..696983dc77 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the Bitlbee channel as follows: @code{identify secret}. The necessary arguments are the nickname you want to use this for, and the password to use. -@item sasl -@cindex sasl authentication -Use this symbol if you want to use @acronym{SASL} authentication. The -necessary arguments are the nickname you want to use this for, and the -password to use. - @cindex gateway to other IM services @cindex instant messaging, other services @cindex Jabber @@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log you in. All @code{rcirc} needs to know, is the login to your Bitlbee account. Don't confuse the Bitlbee account with all the other accounts. +@item sasl +@cindex sasl authentication +Use this symbol if you want to use @acronym{SASL} authentication. The +necessary arguments are the nickname you want to use this for, and the +password to use. + @end table @end table -- 2.33.1 [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #3: 0002-implement-certfp-authentication-to-rcirc.patch --] [-- Type: text/x-patch, Size: 4815 bytes --] From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 17:40:58 +0000 Subject: [PATCH 2/3] implement certfp authentication to rcirc * lisp/net/rcirc.el (rcirc-connect): Use the provided client certs * doc/misc/rcirc.texi (Configuration): Document the change --- doc/misc/rcirc.texi | 7 +++++++ lisp/net/rcirc.el | 26 ++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index 696983dc77..58ca045e78 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} authentication. The necessary arguments are the nickname you want to use this for, and the password to use. +@item certfp +@cindex certfp authentication +Use this symbol if you want to use CertFP authentication. The +necessary arguments are the path to the client certificate key and +password. The CertFP authentication requires a @acronym{TLS} +connection. + @end table @end table diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 5c92c60eda..6030db9dae 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el @@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are: `bitlbee': NICK PASSWORD `quakenet': ACCOUNT PASSWORD `sasl': NICK PASSWORD + `certfp': KEY CERT Examples: ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") @@ -291,7 +292,11 @@ Examples: (list :tag "SASL" (const sasl) (string :tag "Nick") - (string :tag "Password"))))) + (string :tag "Password")) + (list :tag "CertFP" + (const certfp) + (string :tag "Key") + (string :tag "Certificate"))))) (defcustom rcirc-auto-authenticate-flag t "Non-nil means automatically send authentication string to server. @@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection parameters." (password (plist-get (cdr c) :password)) (encryption (plist-get (cdr c) :encryption)) (server-alias (plist-get (cdr c) :server-alias)) + (client-cert (when (eq (rcirc-get-server-method (car c)) + 'certfp) + (rcirc-get-server-cert (car c)))) contact) (when-let (((not password)) (auth (auth-source-search :host server @@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection parameters." (condition-case nil (let ((process (rcirc-connect server port nick user-name full-name channels password encryption - server-alias))) + client-cert server-alias))) (when rcirc-display-server-buffer (pop-to-buffer-same-window (process-buffer process)))) (quit (message "Quit connecting to %s" @@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.") (when (string-match server-i server) (throw 'pass (car args))))))) +(defun rcirc-get-server-cert (server) + "Return a list of key and certificate for SERVER." + (catch 'cert + (dolist (i rcirc-authinfo) + (let ((server-i (car i)) + (args (cddr i))) + (when (string-match server-i server) + (throw 'cert args)))))) + ;;;###autoload (defun rcirc-connect (server &optional port nick user-name full-name startup-channels password encryption - server-alias) + certfp server-alias) "Connect to SERVER. The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, -ENCRYPTION, SERVER-ALIAS are interpreted as in +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels that are joined after authentication." (save-excursion @@ -695,6 +712,7 @@ that are joined after authentication." (setq process (open-network-stream (or server-alias server) nil server port-number :type (or encryption 'plain) + :client-certificate certfp :nowait t)) (set-process-coding-system process 'raw-text 'raw-text) (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) -- 2.33.1 [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #4: 0003-Simplify-rcirc-authentication-querying-functions.patch --] [-- Type: text/x-patch, Size: 1827 bytes --] From f8bcf03d4f98467e30b112664e9bfe7e42f40d6d Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 18:00:58 +0000 Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions --- lisp/net/rcirc.el | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 6030db9dae..b69b7ca4cc 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el @@ -654,30 +654,18 @@ See `rcirc-connect' for more details on these variables.") (defun rcirc-get-server-method (server) "Return authentication method for SERVER." - (catch 'method - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (method (cadr i))) - (when (string-match server-i server) - (throw 'method method)))))) + (cadr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) (defun rcirc-get-server-password (server) "Return password for SERVER." - (catch 'pass - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cdddr i))) - (when (string-match server-i server) - (throw 'pass (car args))))))) + (cadddr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) (defun rcirc-get-server-cert (server) "Return a list of key and certificate for SERVER." - (catch 'cert - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cddr i))) - (when (string-match server-i server) - (throw 'cert args)))))) + (cddr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) ;;;###autoload (defun rcirc-connect (server &optional port nick user-name -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-15 18:02 ` Omar Polo @ 2021-11-15 21:49 ` Omar Polo 2021-11-16 7:42 ` Lars Ingebrigtsen ` (2 more replies) 0 siblings, 3 replies; 8+ messages in thread From: Omar Polo @ 2021-11-15 21:49 UTC (permalink / raw) To: Philip Kaludercic; +Cc: Emacs developers [-- Attachment #1: Type: text/plain, Size: 1531 bytes --] Omar Polo <op@omarpolo.com> writes: > Philip Kaludercic <philipk@posteo.net> writes: > >> Omar Polo <op@omarpolo.com> writes: >> >>> For some reason I don't know yet, the NickServ still says that I've got >>> 30 seconds to identify myself, but in reality I'm already logged in. I >>> don't know basically anything about how the irc protocol works, so I'm >>> probably missing something incredibly obvious. >> >> Have you experienced any issues since? It might also be that this is a >> server side issue? What do other clients say? >> >>> What do you think? >> >> I think this would be a good addition. One might even want to go >> further and add functions to automate the certfp authentication. But >> that might be a too much for rcirc. >> >> Also, the manual should be updated to explain how this works. > > here's another try. > > The first diff is something I noticed while trying to document the cerfp > option in the rcirc documentation: the sasl section seems to split the > bitlbee paragraph, so I move that. > > The second diff is the certfp implementation revised after your > comments. > > The third diff reworks some function to avoid the manual lookup with > dolist and use assoc instead. > > I'm not sure if/how should I edit the etc/NEWS file and if the commit > messages are fine. Additionally, should the paragraph explaining certfp > in the manual also tell the user how to create a certificate and how to > activate it? > > Thanks, > > Omar Polo I messed up with the third diff, here's another try :) [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-Move-the-sasl-section-after-the-bitlbee-text.patch --] [-- Type: text/x-patch, Size: 1444 bytes --] From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 17:33:51 +0000 Subject: [PATCH 1/3] Move the sasl section after the bitlbee text --- doc/misc/rcirc.texi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index a4ca54a8b0..696983dc77 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the Bitlbee channel as follows: @code{identify secret}. The necessary arguments are the nickname you want to use this for, and the password to use. -@item sasl -@cindex sasl authentication -Use this symbol if you want to use @acronym{SASL} authentication. The -necessary arguments are the nickname you want to use this for, and the -password to use. - @cindex gateway to other IM services @cindex instant messaging, other services @cindex Jabber @@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log you in. All @code{rcirc} needs to know, is the login to your Bitlbee account. Don't confuse the Bitlbee account with all the other accounts. +@item sasl +@cindex sasl authentication +Use this symbol if you want to use @acronym{SASL} authentication. The +necessary arguments are the nickname you want to use this for, and the +password to use. + @end table @end table -- 2.33.1 [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #3: 0002-implement-certfp-authentication-to-rcirc.patch --] [-- Type: text/x-patch, Size: 4815 bytes --] From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 17:40:58 +0000 Subject: [PATCH 2/3] implement certfp authentication to rcirc * lisp/net/rcirc.el (rcirc-connect): Use the provided client certs * doc/misc/rcirc.texi (Configuration): Document the change --- doc/misc/rcirc.texi | 7 +++++++ lisp/net/rcirc.el | 26 ++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index 696983dc77..58ca045e78 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} authentication. The necessary arguments are the nickname you want to use this for, and the password to use. +@item certfp +@cindex certfp authentication +Use this symbol if you want to use CertFP authentication. The +necessary arguments are the path to the client certificate key and +password. The CertFP authentication requires a @acronym{TLS} +connection. + @end table @end table diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 5c92c60eda..6030db9dae 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el @@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are: `bitlbee': NICK PASSWORD `quakenet': ACCOUNT PASSWORD `sasl': NICK PASSWORD + `certfp': KEY CERT Examples: ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") @@ -291,7 +292,11 @@ Examples: (list :tag "SASL" (const sasl) (string :tag "Nick") - (string :tag "Password"))))) + (string :tag "Password")) + (list :tag "CertFP" + (const certfp) + (string :tag "Key") + (string :tag "Certificate"))))) (defcustom rcirc-auto-authenticate-flag t "Non-nil means automatically send authentication string to server. @@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection parameters." (password (plist-get (cdr c) :password)) (encryption (plist-get (cdr c) :encryption)) (server-alias (plist-get (cdr c) :server-alias)) + (client-cert (when (eq (rcirc-get-server-method (car c)) + 'certfp) + (rcirc-get-server-cert (car c)))) contact) (when-let (((not password)) (auth (auth-source-search :host server @@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection parameters." (condition-case nil (let ((process (rcirc-connect server port nick user-name full-name channels password encryption - server-alias))) + client-cert server-alias))) (when rcirc-display-server-buffer (pop-to-buffer-same-window (process-buffer process)))) (quit (message "Quit connecting to %s" @@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.") (when (string-match server-i server) (throw 'pass (car args))))))) +(defun rcirc-get-server-cert (server) + "Return a list of key and certificate for SERVER." + (catch 'cert + (dolist (i rcirc-authinfo) + (let ((server-i (car i)) + (args (cddr i))) + (when (string-match server-i server) + (throw 'cert args)))))) + ;;;###autoload (defun rcirc-connect (server &optional port nick user-name full-name startup-channels password encryption - server-alias) + certfp server-alias) "Connect to SERVER. The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, -ENCRYPTION, SERVER-ALIAS are interpreted as in +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels that are joined after authentication." (save-excursion @@ -695,6 +712,7 @@ that are joined after authentication." (setq process (open-network-stream (or server-alias server) nil server port-number :type (or encryption 'plain) + :client-certificate certfp :nowait t)) (set-process-coding-system process 'raw-text 'raw-text) (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) -- 2.33.1 [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #4: 0003-Simplify-rcirc-authentication-querying-functions.patch --] [-- Type: text/x-patch, Size: 1615 bytes --] From a21962b6213cef558ae9294d41e14d42035495fc Mon Sep 17 00:00:00 2001 From: Omar Polo <op@omarpolo.com> Date: Mon, 15 Nov 2021 21:49:23 +0000 Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions --- lisp/net/rcirc.el | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 6030db9dae..b4e9031e0d 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el @@ -654,30 +654,15 @@ See `rcirc-connect' for more details on these variables.") (defun rcirc-get-server-method (server) "Return authentication method for SERVER." - (catch 'method - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (method (cadr i))) - (when (string-match server-i server) - (throw 'method method)))))) + (cadr (assoc server rcirc-authinfo #'string-match))) (defun rcirc-get-server-password (server) "Return password for SERVER." - (catch 'pass - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cdddr i))) - (when (string-match server-i server) - (throw 'pass (car args))))))) + (cadddr (assoc server rcirc-authinfo #'string-match))) (defun rcirc-get-server-cert (server) "Return a list of key and certificate for SERVER." - (catch 'cert - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cddr i))) - (when (string-match server-i server) - (throw 'cert args)))))) + (cddr (assoc server rcirc-authinfo #'string-match))) ;;;###autoload (defun rcirc-connect (server &optional port nick user-name -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-15 21:49 ` Omar Polo @ 2021-11-16 7:42 ` Lars Ingebrigtsen 2021-11-17 20:23 ` Philip Kaludercic 2021-11-21 18:01 ` Philip Kaludercic 2 siblings, 0 replies; 8+ messages in thread From: Lars Ingebrigtsen @ 2021-11-16 7:42 UTC (permalink / raw) To: Omar Polo; +Cc: Philip Kaludercic, Emacs developers Omar Polo <op@omarpolo.com> writes: > I messed up with the third diff, here's another try :) Looks OK to me, but I don't use rcirc -- could somebody who does have a look? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-15 21:49 ` Omar Polo 2021-11-16 7:42 ` Lars Ingebrigtsen @ 2021-11-17 20:23 ` Philip Kaludercic 2021-11-21 18:01 ` Philip Kaludercic 2 siblings, 0 replies; 8+ messages in thread From: Philip Kaludercic @ 2021-11-17 20:23 UTC (permalink / raw) To: Omar Polo; +Cc: Emacs developers Omar Polo <op@omarpolo.com> writes: > I messed up with the third diff, here's another try :) It looks good to me, I will push these changes to master in the coming days. > From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001 > From: Omar Polo <op@omarpolo.com> > Date: Mon, 15 Nov 2021 17:33:51 +0000 > Subject: [PATCH 1/3] Move the sasl section after the bitlbee text > > --- > doc/misc/rcirc.texi | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi > index a4ca54a8b0..696983dc77 100644 > --- a/doc/misc/rcirc.texi > +++ b/doc/misc/rcirc.texi > @@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the Bitlbee channel > as follows: @code{identify secret}. The necessary arguments are the > nickname you want to use this for, and the password to use. > > -@item sasl > -@cindex sasl authentication > -Use this symbol if you want to use @acronym{SASL} authentication. The > -necessary arguments are the nickname you want to use this for, and the > -password to use. > - > @cindex gateway to other IM services > @cindex instant messaging, other services > @cindex Jabber > @@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log you in. All > @code{rcirc} needs to know, is the login to your Bitlbee account. Don't > confuse the Bitlbee account with all the other accounts. > > +@item sasl > +@cindex sasl authentication > +Use this symbol if you want to use @acronym{SASL} authentication. The > +necessary arguments are the nickname you want to use this for, and the > +password to use. > + > @end table > > @end table > -- > 2.33.1 > > From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001 > From: Omar Polo <op@omarpolo.com> > Date: Mon, 15 Nov 2021 17:40:58 +0000 > Subject: [PATCH 2/3] implement certfp authentication to rcirc > > * lisp/net/rcirc.el (rcirc-connect): Use the provided client certs > * doc/misc/rcirc.texi (Configuration): Document the change > --- > doc/misc/rcirc.texi | 7 +++++++ > lisp/net/rcirc.el | 26 ++++++++++++++++++++++---- > 2 files changed, 29 insertions(+), 4 deletions(-) > > diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi > index 696983dc77..58ca045e78 100644 > --- a/doc/misc/rcirc.texi > +++ b/doc/misc/rcirc.texi > @@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} authentication. The > necessary arguments are the nickname you want to use this for, and the > password to use. > > +@item certfp > +@cindex certfp authentication > +Use this symbol if you want to use CertFP authentication. The > +necessary arguments are the path to the client certificate key and > +password. The CertFP authentication requires a @acronym{TLS} > +connection. > + > @end table > > @end table > diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el > index 5c92c60eda..6030db9dae 100644 > --- a/lisp/net/rcirc.el > +++ b/lisp/net/rcirc.el > @@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are: > `bitlbee': NICK PASSWORD > `quakenet': ACCOUNT PASSWORD > `sasl': NICK PASSWORD > + `certfp': KEY CERT > > Examples: > ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") > @@ -291,7 +292,11 @@ Examples: > (list :tag "SASL" > (const sasl) > (string :tag "Nick") > - (string :tag "Password"))))) > + (string :tag "Password")) > + (list :tag "CertFP" > + (const certfp) > + (string :tag "Key") > + (string :tag "Certificate"))))) > > (defcustom rcirc-auto-authenticate-flag t > "Non-nil means automatically send authentication string to server. > @@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection parameters." > (password (plist-get (cdr c) :password)) > (encryption (plist-get (cdr c) :encryption)) > (server-alias (plist-get (cdr c) :server-alias)) > + (client-cert (when (eq (rcirc-get-server-method (car c)) > + 'certfp) > + (rcirc-get-server-cert (car c)))) > contact) > (when-let (((not password)) > (auth (auth-source-search :host server > @@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection parameters." > (condition-case nil > (let ((process (rcirc-connect server port nick user-name > full-name channels password encryption > - server-alias))) > + client-cert server-alias))) > (when rcirc-display-server-buffer > (pop-to-buffer-same-window (process-buffer process)))) > (quit (message "Quit connecting to %s" > @@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.") > (when (string-match server-i server) > (throw 'pass (car args))))))) > > +(defun rcirc-get-server-cert (server) > + "Return a list of key and certificate for SERVER." > + (catch 'cert > + (dolist (i rcirc-authinfo) > + (let ((server-i (car i)) > + (args (cddr i))) > + (when (string-match server-i server) > + (throw 'cert args)))))) > + > ;;;###autoload > (defun rcirc-connect (server &optional port nick user-name > full-name startup-channels password encryption > - server-alias) > + certfp server-alias) > "Connect to SERVER. > The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, > -ENCRYPTION, SERVER-ALIAS are interpreted as in > +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in > `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels > that are joined after authentication." > (save-excursion > @@ -695,6 +712,7 @@ that are joined after authentication." > (setq process (open-network-stream > (or server-alias server) nil server port-number > :type (or encryption 'plain) > + :client-certificate certfp > :nowait t)) > (set-process-coding-system process 'raw-text 'raw-text) > (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) > -- > 2.33.1 > > From a21962b6213cef558ae9294d41e14d42035495fc Mon Sep 17 00:00:00 2001 > From: Omar Polo <op@omarpolo.com> > Date: Mon, 15 Nov 2021 21:49:23 +0000 > Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions > > --- > lisp/net/rcirc.el | 21 +++------------------ > 1 file changed, 3 insertions(+), 18 deletions(-) > > diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el > index 6030db9dae..b4e9031e0d 100644 > --- a/lisp/net/rcirc.el > +++ b/lisp/net/rcirc.el > @@ -654,30 +654,15 @@ See `rcirc-connect' for more details on these variables.") > > (defun rcirc-get-server-method (server) > "Return authentication method for SERVER." > - (catch 'method > - (dolist (i rcirc-authinfo) > - (let ((server-i (car i)) > - (method (cadr i))) > - (when (string-match server-i server) > - (throw 'method method)))))) > + (cadr (assoc server rcirc-authinfo #'string-match))) > > (defun rcirc-get-server-password (server) > "Return password for SERVER." > - (catch 'pass > - (dolist (i rcirc-authinfo) > - (let ((server-i (car i)) > - (args (cdddr i))) > - (when (string-match server-i server) > - (throw 'pass (car args))))))) > + (cadddr (assoc server rcirc-authinfo #'string-match))) > > (defun rcirc-get-server-cert (server) > "Return a list of key and certificate for SERVER." > - (catch 'cert > - (dolist (i rcirc-authinfo) > - (let ((server-i (car i)) > - (args (cddr i))) > - (when (string-match server-i server) > - (throw 'cert args)))))) > + (cddr (assoc server rcirc-authinfo #'string-match))) > > ;;;###autoload > (defun rcirc-connect (server &optional port nick user-name -- Philip Kaludercic ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [RFC] certfp for rcirc 2021-11-15 21:49 ` Omar Polo 2021-11-16 7:42 ` Lars Ingebrigtsen 2021-11-17 20:23 ` Philip Kaludercic @ 2021-11-21 18:01 ` Philip Kaludercic 2 siblings, 0 replies; 8+ messages in thread From: Philip Kaludercic @ 2021-11-21 18:01 UTC (permalink / raw) To: Omar Polo; +Cc: Emacs developers Omar Polo <op@omarpolo.com> writes: > I messed up with the third diff, here's another try :) The changes have been pushed. -- Philip Kaludercic ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-11-21 18:01 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-11-11 9:02 [RFC] certfp for rcirc Omar Polo 2021-11-14 18:25 ` Philip Kaludercic 2021-11-14 18:36 ` Omar Polo 2021-11-15 18:02 ` Omar Polo 2021-11-15 21:49 ` Omar Polo 2021-11-16 7:42 ` Lars Ingebrigtsen 2021-11-17 20:23 ` Philip Kaludercic 2021-11-21 18:01 ` Philip Kaludercic
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).