From: Omar Polo <op@omarpolo.com>
To: Philip Kaludercic <philipk@posteo.net>
Cc: Emacs developers <emacs-devel@gnu.org>
Subject: Re: [RFC] certfp for rcirc
Date: Mon, 15 Nov 2021 19:02:37 +0100
Message-ID: <87r1bhi92e.fsf@omarpolo.com>
In-Reply-To: <877ddaegqy.fsf@posteo.net>

Philip Kaludercic <philipk@posteo.net> writes:

> Omar Polo <op@omarpolo.com> writes:
>
>> For some reason I don't know yet, the NickServ still says that I've got
>> 30 seconds to identify myself, but in reality I'm already logged in.  I
>> don't know basically anything about how the irc protocol works, so I'm
>> probably missing something incredibly obvious.
>
> Have you experienced any issues since? It might also be that this is a
> server side issue?  What do other clients say?
>
>> What do you think?
>
> I think this would be a good addition.  One might even want to go
> further and add functions to automate the certfp authentication.  But
> that might be a too much for rcirc.
>
> Also, the manual should be updated to explain how this works.

Here's another try.

The first diff is something I noticed while trying to document the certfp
option in the rcirc documentation: the sasl section seems to split the
bitlbee paragraph, so I moved that.

The second diff is the certfp implementation revised after your
comments.

The third diff reworks some functions to avoid the manual lookup with
dolist and use assoc instead.

I'm not sure if/how I should edit the etc/NEWS file and if the commit
messages are fine.  Additionally, should the paragraph explaining certfp
in the manual also tell the user how to create a certificate and how to
activate it?

Thanks,

Omar Polo



From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:33:51 +0000
Subject: [PATCH 1/3] Move the sasl section after the bitlbee text

---
 doc/misc/rcirc.texi | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index a4ca54a8b0..696983dc77 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the Bitlbee channel
 as follows: @code{identify secret}.  The necessary arguments are the
 nickname you want to use this for, and the password to use.
 
-@item sasl
-@cindex sasl authentication
-Use this symbol if you want to use @acronym{SASL} authentication.  The
-necessary arguments are the nickname you want to use this for, and the
-password to use.
-
 @cindex gateway to other IM services
 @cindex instant messaging, other services
 @cindex Jabber
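Review bot: the commit message for this patch has no ChangeLog-style entry for the file it touches, while patch 2/3 does carry one; for consistency with the rest of the series add a line such as `* doc/misc/rcirc.texi (Configuration): Move the sasl item after the Bitlbee text.` below the subject. The removed lines in this hunk are a pure relocation (they reappear unchanged in the next hunk), so nothing else needs to change here.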
@@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log you in.  All
 @code{rcirc} needs to know, is the login to your Bitlbee account.  Don't
 confuse the Bitlbee account with all the other accounts.
 
+@item sasl
+@cindex sasl authentication
+Use this symbol if you want to use @acronym{SASL} authentication.  The
+necessary arguments are the nickname you want to use this for, and the
+password to use.
+
 @end table
 
 @end table
-- 
2.33.1



From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:40:58 +0000
Subject: [PATCH 2/3] implement certfp authentication to rcirc

* lisp/net/rcirc.el (rcirc-connect): Use the provided client certs
* doc/misc/rcirc.texi (Configuration): Document the change
---
 doc/misc/rcirc.texi |  7 +++++++
 lisp/net/rcirc.el   | 26 ++++++++++++++++++++++----
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index 696983dc77..58ca045e78 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} authentication.  The
 necessary arguments are the nickname you want to use this for, and the
 password to use.
 
+@item certfp
+@cindex certfp authentication
+Use this symbol if you want to use CertFP authentication.  The
+necessary arguments are the path to the client certificate key and
+password.  The CertFP authentication requires a @acronym{TLS}
+connection.
+
 @end table
 
 @end table
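Review bot: the added paragraph describes the arguments as "the path to the client certificate key and password", but the code in this series takes two file paths (KEY CERT, see the `rcirc-authinfo' docstring hunk), no password is involved. Suggest: "The necessary arguments are the path to the client key file and the path to the client certificate file." It would also help the reader to state explicitly that when the server entry is not configured with `:encryption tls` the certificate is never presented and no authentication happens, since the code does not signal that case.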
diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 5c92c60eda..6030db9dae 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are:
   `bitlbee': NICK PASSWORD
   `quakenet': ACCOUNT PASSWORD
   `sasl': NICK PASSWORD
+  `certfp': KEY CERT
 
 Examples:
  ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\")
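Review bot: the Examples list that follows this hunk is not extended for the new method, so the docstring tells the user the argument shape but never shows it in context. Suggest adding an illustrative entry alongside the existing ones, with placeholder paths, e.g. `(\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\")`, and noting that the order is key first, certificate second, because that is the order `open-network-stream' expects for `:client-certificate'.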
@@ -291,7 +292,11 @@ Examples:
                                     (list :tag "SASL"
                                           (const sasl)
                                           (string :tag "Nick")
-                                          (string :tag "Password")))))
+                                          (string :tag "Password"))
+                                    (list :tag "CertFP"
+                                          (const certfp)
+                                          (string :tag "Key")
+                                          (string :tag "Certificate")))))
 
 (defcustom rcirc-auto-authenticate-flag t
   "Non-nil means automatically send authentication string to server.
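Review bot: both new fields are file names but are declared as `(string :tag ...)`; the customize `file' widget is the idiomatic type for paths and gives the user completion and existence checking, so `(file :tag "Key")` and `(file :tag "Certificate")` would be more appropriate than `string`. The "Key" field is the private key path, so a `:tag "Private key"` or a short `:doc` saying the file should be readable only by the user would make the sensitivity of that setting visible in the customize UI.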
@@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection parameters."
               (password (plist-get (cdr c) :password))
               (encryption (plist-get (cdr c) :encryption))
               (server-alias (plist-get (cdr c) :server-alias))
+              (client-cert (when (eq (rcirc-get-server-method (car c))
+                                     'certfp)
+                             (rcirc-get-server-cert (car c))))
               contact)
           (when-let (((not password))
                      (auth (auth-source-search :host server
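Review bot: `client-cert` is looked up whenever the method is `certfp`, but nothing here checks that `encryption` is `tls`; with the default `plain` type the certificate is silently never sent and the user ends up unauthenticated although the manual text says CertFP "requires a TLS connection". Consider signalling that misconfiguration, e.g. `(when (and client-cert (not (eq encryption 'tls))) (user-error "certfp requires :encryption tls for %s" (car c)))`, before `rcirc-connect` is called, rather than leaving it to the user to notice the missing NickServ login. The `eq ... 'certfp` guard is otherwise correct: `rcirc-get-server-cert` returns `(cddr entry)` for whatever method the first matching entry has, so the guard is what keeps a nickserv password pair from being passed as a key/cert list.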
@@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection parameters."
 		  (condition-case nil
 		      (let ((process (rcirc-connect server port nick user-name
                                                     full-name channels password encryption
-                                                    server-alias)))
+                                                    client-cert server-alias)))
                         (when rcirc-display-server-buffer
                           (pop-to-buffer-same-window (process-buffer process))))
 		    (quit (message "Quit connecting to %s"
@@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.")
 	(when (string-match server-i server)
           (throw 'pass (car args)))))))
 
+(defun rcirc-get-server-cert (server)
+  "Return a list of key and certificate for SERVER."
+  (catch 'cert
+    (dolist (i rcirc-authinfo)
+      (let ((server-i (car i))
+            (args (cddr i)))
+        (when (string-match server-i server)
+          (throw 'cert args))))))
+
 ;;;###autoload
 (defun rcirc-connect (server &optional port nick user-name
                              full-name startup-channels password encryption
-                             server-alias)
+                             certfp server-alias)
   "Connect to SERVER.
 The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD,
-ENCRYPTION, SERVER-ALIAS are interpreted as in
+ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in
 `rcirc-server-alist'.  STARTUP-CHANNELS is a list of channels
 that are joined after authentication."
   (save-excursion
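Review bot: inserting CERTFP before SERVER-ALIAS in the `&optional` list shifts the position of SERVER-ALIAS, so any external code calling `rcirc-connect` with `server-alias` as the tenth positional argument now passes it as the client certificate instead; adding the new argument at the end of the list (and after `server-alias` at the call site in the previous hunk) avoids that silent breakage. The docstring also says CERTFP is "interpreted as in `rcirc-server-alist'", but `certfp` is not a key of `rcirc-server-alist`; it comes from `rcirc-authinfo`. Suggest: "CERTFP is a list of key file and certificate file as in the `certfp' method of `rcirc-authinfo'."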
@@ -695,6 +712,7 @@ that are joined after authentication."
       (setq process (open-network-stream
                      (or server-alias server) nil server port-number
                      :type (or encryption 'plain)
+                     :client-certificate certfp
                      :nowait t))
       (set-process-coding-system process 'raw-text 'raw-text)
       (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil))
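Review bot: the `(KEY CERT)` list taken from `rcirc-authinfo` matches what `open-network-stream` accepts for `:client-certificate` (key file name first, certificate file name second), and the parameter is simply nil for the other methods, so the call is correct as written. Two things worth adding: `:client-certificate t` is also accepted by `open-network-stream` and makes it fetch the key and certificate via `auth-source`, which would let users keep the paths out of `rcirc-authinfo` and is worth a sentence in the manual; and since the values come from user configuration, passing both through `expand-file-name` here makes a `~/...` path work without relying on the lower layer to expand it.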
-- 
2.33.1



From f8bcf03d4f98467e30b112664e9bfe7e42f40d6d Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 18:00:58 +0000
Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions

---
 lisp/net/rcirc.el | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 6030db9dae..b69b7ca4cc 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -654,30 +654,18 @@ See `rcirc-connect' for more details on these variables.")
 
 (defun rcirc-get-server-method (server)
   "Return authentication method for SERVER."
-  (catch 'method
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-	    (method (cadr i)))
-	(when (string-match server-i server)
-          (throw 'method method))))))
+  (cadr (assoc server rcirc-authinfo (lambda (s server)
+                                       (string-match server s)))))
 
 (defun rcirc-get-server-password (server)
   "Return password for SERVER."
-  (catch 'pass
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-	    (args (cdddr i)))
-	(when (string-match server-i server)
-          (throw 'pass (car args)))))))
+  (cadddr (assoc server rcirc-authinfo (lambda (s server)
+                                         (string-match server s)))))
 
 (defun rcirc-get-server-cert (server)
   "Return a list of key and certificate for SERVER."
-  (catch 'cert
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-            (args (cddr i)))
-        (when (string-match server-i server)
-          (throw 'cert args))))))
+  (cddr (assoc server rcirc-authinfo (lambda (s server)
+                                       (string-match server s)))))
 
 ;;;###autoload
 (defun rcirc-connect (server &optional port nick user-name
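Review bot: all three `assoc` calls invert the regexp and the string. `assoc` calls TESTFN with the car of the alist element first and KEY second, so inside `(lambda (s server) (string-match server s))` `s` is the pattern stored in `rcirc-authinfo` and `server` is the host name being connected to; the original loops did `(string-match server-i server)`, i.e. pattern against host name, whereas the new code does `(string-match host-name pattern)`. That only keeps working when the configured pattern happens to be matched by the host name used as a regexp (e.g. an entry that is literally the host name), and breaks for real regexps such as `"libera\\.chat"` or anchored patterns, which means the password or certificate lookup can fail or pick the wrong entry. The inner parameter named `server` shadowing the function's own `server` argument is probably how the order got swapped; suggest `(lambda (pattern host) (string-match pattern host))` in all three functions, and ideally one helper `(defun rcirc--authinfo-entry (server) (assoc server rcirc-authinfo (lambda (pattern host) (string-match pattern host))))` so the test function is written once. `cadddr` is available from subr.el, so that part is fine.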
-- 
2.33.1


Thread overview: 8+ messages
2021-11-11  9:02 [RFC] certfp for rcirc Omar Polo
2021-11-14 18:25 ` Philip Kaludercic
2021-11-14 18:36   ` Omar Polo
2021-11-15 18:02   ` Omar Polo [this message]
2021-11-15 21:49     ` Omar Polo
2021-11-16  7:42       ` Lars Ingebrigtsen
2021-11-17 20:23       ` Philip Kaludercic
2021-11-21 18:01       ` Philip Kaludercic
