About SASL authentication in rcirc

About SASL authentication in rcirc

[Tassilo Horn]

Hi Alex,

thanks for bringing SASL authentication to rcirc.  I'm using the
rcirc-update branch of Philip for my IRC needs where Philip has
cherry-picked your commit implementing SASL authentication for rcirc.
So obviously I wanted to try that out and changed my

--8<---------------cut here---------------start------------->8---
(setq rcirc-authinfo
      `(("libera" nickserv "tsdh" ,th/nickserv-password-liberachat)))
--8<---------------cut here---------------end--------------->8---

to

--8<---------------cut here---------------start------------->8---
(setq rcirc-authinfo
      `(("libera" sasl "tsdh" ,th/nickserv-password-liberachat)))
--8<---------------cut here---------------end--------------->8---

and restarted my rcirc session after rebuilding emacs.

After that, the *irc.libera.chat* buffer contained a message that tsdh
is a registered nick but not the message afterwards that I'm
successfully registered now (as it is the case with nickserv
authentication).  And when querying NickServ, it told me that I'm not
logged it.

If I understand SASL/IRC correctly, it should have logged in immediately
on connecting, right?

So apparently, it seems that it didn't work when I've tried.  I'd be
happy to debug where it fails if you give me some pointers what to look
for.

Bye,
Tassilo

Re: About SASL authentication in rcirc

[amk]

[-- Attachment #1: Type: text/plain, Size: 1891 bytes --]

June 28, 2021 11:36 AM, "Tassilo Horn" <tsdh@gnu.org> wrote:

> Hi Alex,
> 
> thanks for bringing SASL authentication to rcirc. I'm using the
> rcirc-update branch of Philip for my IRC needs where Philip has
> cherry-picked your commit implementing SASL authentication for rcirc.
> So obviously I wanted to try that out and changed my
> 
> --8<---------------cut here---------------start------------->8---
> (setq rcirc-authinfo
> `(("libera" nickserv "tsdh" ,th/nickserv-password-liberachat)))
> --8<---------------cut here---------------end--------------->8---
> 
> to
> 
> --8<---------------cut here---------------start------------->8---
> (setq rcirc-authinfo
> `(("libera" sasl "tsdh" ,th/nickserv-password-liberachat)))
> --8<---------------cut here---------------end--------------->8---
> 
> and restarted my rcirc session after rebuilding emacs.
> 
> After that, the *irc.libera.chat* buffer contained a message that tsdh
> is a registered nick but not the message afterwards that I'm
> successfully registered now (as it is the case with nickserv
> authentication). And when querying NickServ, it told me that I'm not
> logged it.
> 
> If I understand SASL/IRC correctly, it should have logged in immediately
> on connecting, right?
> 
> So apparently, it seems that it didn't work when I've tried. I'd be
> happy to debug where it fails if you give me some pointers what to look
> for.
> 
> Bye,
> Tassilo

Hey, 

Correct, It should authenticate automatically

I think the issue is that some of the original sasl commit got lost in
cherry picking. I've attached a patch that fixes it, I'm not sure if
there is a better place to send a patch to a branch.

With this patch rcirc now checks that sasl authentication has completed
before running CAP END as specified here 
https://ircv3.net/specs/extensions/sasl-3.1

Thanks,
Alex

[-- Attachment #2: 0001-Fix-SASL-on-rcirc-update.patch --]
[-- Type: application/octet-stream, Size: 2971 bytes --]

From b86f9f022acf630dbeb4cd3cbeaf22212e1d8eed Mon Sep 17 00:00:00 2001
From: Alex McGrath <alexmcgraak@arista.com>
Date: Mon, 28 Jun 2021 13:41:31 +0100
Subject: [PATCH] Fix SASL on rcirc-update

---
 lisp/net/rcirc.el | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 37c31be58f..4c197aea54 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -610,6 +610,8 @@ See `rcirc-connect' for more details on these variables.")
   "A list of capabilities that client has requested.")
 (defvar-local rcirc-acked-capabilities nil
   "A list of capabilities that the server supports.")
+(defvar-local rcirc-finished-sasl t
+  "Check whether SASL authentication has completed")
 
 (defun rcirc-get-server-method (server)
   "Return authentication method for SERVER."
@@ -650,10 +652,13 @@ that are joined after authentication."
 	   (user-name (or user-name rcirc-default-user-name))
 	   (full-name (or full-name rcirc-default-full-name))
 	   (startup-channels startup-channels)
+           (use-sasl (eq (rcirc-get-server-method server) 'sasl))
            (process (open-network-stream
                      (or server-alias server) nil server port-number
                      :type (or encryption 'plain))))
       ;; set up process
+      (when use-sasl
+        (setq-local rcirc-finished-sasl nil))
       (set-process-coding-system process 'raw-text 'raw-text)
       (switch-to-buffer (rcirc-generate-new-buffer-name process nil))
       (set-process-buffer process (current-buffer))
@@ -685,6 +690,10 @@ that are joined after authentication."
         (rcirc-send-string process "PASS" password))
       (rcirc-send-string process "NICK" nick)
       (rcirc-send-string process "USER" user-name "0" "*" : full-name)
+      ;; Setup sasl, and initiate authentication.
+      (when (and rcirc-auto -authenticate-flag
+                 use-sasl)
+        (rcirc-send-string process "AUTHENTICATE" "PLAIN"))
 
       ;; setup ping timer if necessary
       (unless rcirc-keepalive-timer
@@ -3435,7 +3444,7 @@ is the process object for the current connection."
               ((string= subcmd "NAK")
                (setq rcirc-requested-capabilities
                      (delete cap rcirc-requested-capabilities))))))
-    (when (null rcirc-requested-capabilities)
+    (when (and (null rcirc-requested-capabilities) rcirc-finished-sasl)
       ;; All requested capabilities have been responded to
       (rcirc-send-string process "CAP" "END"))))
 
@@ -3500,7 +3509,9 @@ PROCESS is the process object for the current connection."
    (base64-encode-string
     ;; use connection user-name
     (concat "\0" (nth 3 rcirc-connection-info)
-            "\0" (rcirc-get-server-password rcirc-server)))))
+            "\0" (rcirc-get-server-password rcirc-server))))
+  (setq-local rcirc-finished-sasl t)
+  (rcirc-send-string process "CAP" "END"))
 
 \f
 (defgroup rcirc-faces nil
-- 
2.25.1

Re: About SASL authentication in rcirc

[Tassilo Horn]

amk@amk.ie writes:

Hi Alex,

> I think the issue is that some of the original sasl commit got lost in
> cherry picking. I've attached a patch that fixes it, I'm not sure if
> there is a better place to send a patch to a branch.

Thanks, after removing the superfluous space between rcirc-auto and
-authenticate-flag in the hunk below, SASL authentication worked fine
for me on libera.chat.

--8<---------------cut here---------------start------------->8---
@@ -685,6 +690,10 @@ that are joined after authentication."
         (rcirc-send-string process "PASS" password))
       (rcirc-send-string process "NICK" nick)
       (rcirc-send-string process "USER" user-name "0" "*" : full-name)
+      ;; Setup sasl, and initiate authentication.
+      (when (and rcirc-auto -authenticate-flag
+                 use-sasl)
+        (rcirc-send-string process "AUTHENTICATE" "PLAIN"))
 
       ;; setup ping timer if necessary
       (unless rcirc-keepalive-timer
--8<---------------cut here---------------end--------------->8---

Philip, I've committed Alex' patch with the whitespace fix on the
rcirc-update branch.

Thank you,
Tassilo

Re: About SASL authentication in rcirc

[Tassilo Horn]

Tassilo Horn <tsdh@gnu.org> writes:

> Thanks, after removing the superfluous space between rcirc-auto and
> -authenticate-flag in the hunk below, SASL authentication worked fine
> for me on libera.chat.

Oh, apparently I've looked at the wrong rcirc server buffer.  On
libera.chat where I've tried authentication with SASL, I eventually get
the message

    *** 904 SASL authentication failed

If you give me a pointer what needs to be debugger, I'll do so.

Bye,
Tassilo

Re: About SASL authentication in rcirc

[Alex McGrath]

June 28, 2021 8:58 PM, "Tassilo Horn" <tsdh@gnu.org> wrote:

> Tassilo Horn <tsdh@gnu.org> writes:
> 
>> Thanks, after removing the superfluous space between rcirc-auto and
>> -authenticate-flag in the hunk below, SASL authentication worked fine
>> for me on libera.chat.
> 
> Oh, apparently I've looked at the wrong rcirc server buffer. On
> libera.chat where I've tried authentication with SASL, I eventually get
> the message
> 
> *** 904 SASL authentication failed
> 
> If you give me a pointer what needs to be debugger, I'll do so.
> 
> Bye,
> Tassilo

I'm not sure why that would be, I tested with libera and it seemed to be 
working. It might be worth checking that 

```
(rcirc-get-server-password rcirc-server)
```
In the AUTHENTICATE handler is correctly retrieving the password. 
Is there any sort of `SASL authentication aborted` message?

Thanks,
Alex

Re: About SASL authentication in rcirc

[Tassilo Horn]

"Alex McGrath" <amk@amk.ie> writes:

Hi Alex,

>> Oh, apparently I've looked at the wrong rcirc server buffer. On
>> libera.chat where I've tried authentication with SASL, I eventually
>> get the message
>> 
>> *** 904 SASL authentication failed
>> 
>> If you give me a pointer what needs to be debugger, I'll do so.
>
> I'm not sure why that would be, I tested with libera and it seemed to
> be working. It might be worth checking that
>
> ```
> (rcirc-get-server-password rcirc-server)
> ```
> In the AUTHENTICATE handler is correctly retrieving the password.

It is.  It concats \0, my nick (tsdh), \0, my nickserv password.  I
guess that is correct, right?

> Is there any sort of `SASL authentication aborted` message?

Oh, yes.  Right at the top of the *irc.libera.chat* buffer there is:

--8<---------------cut here---------------start------------->8---
07:03 -cadmium.libera.chat- *** Checking Ident
07:03 -cadmium.libera.chat- *** Looking up your hostname...
07:03 -cadmium.libera.chat- *** No Ident response
07:03 -cadmium.libera.chat- *** Found your hostname: j289989.servers.jiffybox.net
07:03 *** cadmium.libera.chat 906 SASL authentication aborted
07:03 *** cadmium.libera.chat 001 Welcome to the Libera.Chat Internet Relay
                                  Chat Network tsdh
07:03 *** 002 Your host is cadmium.libera.chat[103.196.36.38/6697], running
              version solanum-1.0-dev
07:03 *** 003 This server was created Mon Jun 14 2021 at 17:34:05 UTC
...
07:03 *** 904 SASL authentication failed
--8<---------------cut here---------------end--------------->8---

Bye,
Tassilo

Re: About SASL authentication in rcirc

[Philip Kaludercic]

Sorry for my late response,

amk@amk.ie writes:

> June 28, 2021 11:36 AM, "Tassilo Horn" <tsdh@gnu.org> wrote:
>
>> Hi Alex,
>> 
>> thanks for bringing SASL authentication to rcirc. I'm using the
>> rcirc-update branch of Philip for my IRC needs where Philip has
>> cherry-picked your commit implementing SASL authentication for rcirc.
>> So obviously I wanted to try that out and changed my
>> 
>> --8<---------------cut here---------------start------------->8---
>> (setq rcirc-authinfo
>> `(("libera" nickserv "tsdh" ,th/nickserv-password-liberachat)))
>> --8<---------------cut here---------------end--------------->8---
>> 
>> to
>> 
>> --8<---------------cut here---------------start------------->8---
>> (setq rcirc-authinfo
>> `(("libera" sasl "tsdh" ,th/nickserv-password-liberachat)))
>> --8<---------------cut here---------------end--------------->8---
>> 
>> and restarted my rcirc session after rebuilding emacs.
>> 
>> After that, the *irc.libera.chat* buffer contained a message that tsdh
>> is a registered nick but not the message afterwards that I'm
>> successfully registered now (as it is the case with nickserv
>> authentication). And when querying NickServ, it told me that I'm not
>> logged it.
>> 
>> If I understand SASL/IRC correctly, it should have logged in immediately
>> on connecting, right?
>> 
>> So apparently, it seems that it didn't work when I've tried. I'd be
>> happy to debug where it fails if you give me some pointers what to look
>> for.
>> 
>> Bye,
>> Tassilo
>
> Hey, 
>
> Correct, It should authenticate automatically
>
> I think the issue is that some of the original sasl commit got lost in
> cherry picking. I've attached a patch that fixes it, I'm not sure if
> there is a better place to send a patch to a branch.

That was probably the issue, I didn't get around to properly test it
yet. Sorry about that.

> Thanks,
> Alex
>
>

-- 
	Philip K.