From: Omar Polo
Newsgroups: gmane.emacs.devel
Subject: Re: [RFC] certfp for rcirc
Date: Mon, 15 Nov 2021 19:02:37 +0100
Message-ID: <87r1bhi92e.fsf@omarpolo.com>
References: <87mtmb2hg4.fsf@omarpolo.com> <877ddaegqy.fsf@posteo.net>
In-reply-to: <877ddaegqy.fsf@posteo.net>
To: Philip Kaludercic
Cc: Emacs developers
User-Agent: mu4e 1.6.9; emacs 29.0.50

Philip Kaludercic writes:

> Omar Polo writes:
>
>> For some reason I don't know yet, the NickServ still says that I've got
>> 30 seconds to identify myself, but in reality I'm already logged in.  I
>> don't know basically anything about how the irc protocol works, so I'm
>> probably missing something incredibly obvious.
>
> Have you experienced any issues since?  It might also be that this is a
> server side issue?  What do other clients say?
>
>> What do you think?
>
> I think this would be a good addition.  One might even want to go
> further and add functions to automate the certfp authentication.  But
> that might be too much for rcirc.
>
> Also, the manual should be updated to explain how this works.

Here's another try.

The first diff is something I noticed while trying to document the
certfp option in the rcirc documentation: the sasl section seems to
split the bitlbee paragraph, so I moved that.

The second diff is the certfp implementation revised after your
comments.

The third diff reworks some functions to avoid the manual lookup with
dolist and use assoc instead.

I'm not sure if/how I should edit the etc/NEWS file and if the commit
messages are fine.

Additionally, should the paragraph explaining certfp in the manual also
tell the user how to create a certificate and how to activate it?

Thanks,

Omar Polo

--=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-Move-the-sasl-section-after-the-bitlbee-text.patch >From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001 From: Omar Polo Date: Mon, 15 Nov 2021 17:33:51 +0000 Subject: [PATCH 1/3] Move the sasl section after the bitlbee text --- doc/misc/rcirc.texi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index a4ca54a8b0..696983dc77 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the Bitlbee channel as follows: @code{identify secret}. The necessary arguments are the nickname you want to use this for, and the password to use. -@item sasl -@cindex sasl authentication -Use this symbol if you want to use @acronym{SASL} authentication. The -necessary arguments are the nickname you want to use this for, and the -password to use. - @cindex gateway to other IM services @cindex instant messaging, other services @cindex Jabber
@@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log you in. All @code{rcirc} needs to know, is the login to your Bitlbee account. Don't confuse the Bitlbee account with all the other accounts. +@item sasl +@cindex sasl authentication +Use this symbol if you want to use @acronym{SASL} authentication. The +necessary arguments are the nickname you want to use this for, and the +password to use. + @end table @end table -- 2.33.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-implement-certfp-authentication-to-rcirc.patch >From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001 From: Omar Polo Date: Mon, 15 Nov 2021 17:40:58 +0000 Subject: [PATCH 2/3] implement certfp authentication to rcirc * lisp/net/rcirc.el (rcirc-connect): Use the provided client certs * doc/misc/rcirc.texi (Configuration): Document the change --- doc/misc/rcirc.texi | 7 +++++++ lisp/net/rcirc.el | 26 ++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi index 696983dc77..58ca045e78 100644 --- a/doc/misc/rcirc.texi +++ b/doc/misc/rcirc.texi @@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} authentication. The necessary arguments are the nickname you want to use this for, and the password to use. +@item certfp +@cindex certfp authentication +Use this symbol if you want to use CertFP authentication. The +necessary arguments are the path to the client certificate key and +password. The CertFP authentication requires a @acronym{TLS} +connection. + @end table @end table diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 5c92c60eda..6030db9dae 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el @@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are: `bitlbee': NICK PASSWORD `quakenet': ACCOUNT PASSWORD `sasl': NICK PASSWORD + `certfp': KEY CERT Examples: ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") 
@@ -291,7 +292,11 @@ Examples: (list :tag "SASL" (const sasl) (string :tag "Nick") - (string :tag "Password"))))) + (string :tag "Password")) + (list :tag "CertFP" + (const certfp) + (string :tag "Key") + (string :tag "Certificate"))))) (defcustom rcirc-auto-authenticate-flag t "Non-nil means automatically send authentication string to server. @@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection parameters." (password (plist-get (cdr c) :password)) (encryption (plist-get (cdr c) :encryption)) (server-alias (plist-get (cdr c) :server-alias)) + (client-cert (when (eq (rcirc-get-server-method (car c)) + 'certfp) + (rcirc-get-server-cert (car c)))) contact) (when-let (((not password)) (auth (auth-source-search :host server @@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection parameters." (condition-case nil (let ((process (rcirc-connect server port nick user-name full-name channels password encryption - server-alias))) + client-cert server-alias))) (when rcirc-display-server-buffer (pop-to-buffer-same-window (process-buffer process)))) (quit (message "Quit connecting to %s" @@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.") (when (string-match server-i server) (throw 'pass (car args))))))) +(defun rcirc-get-server-cert (server) + "Return a list of key and certificate for SERVER." + (catch 'cert + (dolist (i rcirc-authinfo) + (let ((server-i (car i)) + (args (cddr i))) + (when (string-match server-i server) + (throw 'cert args)))))) + ;;;###autoload (defun rcirc-connect (server &optional port nick user-name full-name startup-channels password encryption - server-alias) + certfp server-alias) "Connect to SERVER. The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, -ENCRYPTION, SERVER-ALIAS are interpreted as in +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels that are joined after authentication." (save-excursion 
@@ -695,6 +712,7 @@ that are joined after authentication." (setq process (open-network-stream (or server-alias server) nil server port-number :type (or encryption 'plain) + :client-certificate certfp :nowait t)) (set-process-coding-system process 'raw-text 'raw-text) (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) -- 2.33.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0003-Simplify-rcirc-authentication-querying-functions.patch >From f8bcf03d4f98467e30b112664e9bfe7e42f40d6d Mon Sep 17 00:00:00 2001 From: Omar Polo Date: Mon, 15 Nov 2021 18:00:58 +0000 Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions --- lisp/net/rcirc.el | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el index 6030db9dae..b69b7ca4cc 100644 --- a/lisp/net/rcirc.el +++ b/lisp/net/rcirc.el 
@@ -654,30 +654,18 @@ See `rcirc-connect' for more details on these variables.") (defun rcirc-get-server-method (server) "Return authentication method for SERVER." - (catch 'method - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (method (cadr i))) - (when (string-match server-i server) - (throw 'method method)))))) + (cadr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) (defun rcirc-get-server-password (server) "Return password for SERVER." - (catch 'pass - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cdddr i))) - (when (string-match server-i server) - (throw 'pass (car args))))))) + (cadddr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) (defun rcirc-get-server-cert (server) "Return a list of key and certificate for SERVER." - (catch 'cert - (dolist (i rcirc-authinfo) - (let ((server-i (car i)) - (args (cddr i))) - (when (string-match server-i server) - (throw 'cert args)))))) + (cddr (assoc server rcirc-authinfo (lambda (s server) + (string-match server s))))) ;;;###autoload (defun rcirc-connect (server &optional port nick user-name -- 2.33.1 --=-=-=--
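Review bot: in patch 2's doc/misc/rcirc.texi hunk (`@item certfp`), "the path to the client certificate key and password" contradicts the argument list the same patch adds to the `rcirc-authinfo` docstring (`certfp': KEY CERT): the two arguments are the path to the private key file and the path to the certificate file, and no password is sent at all. Suggest "The necessary arguments are the paths to the client private key and to the client certificate." Keep the sentence that CertFP requires a @acronym{TLS} connection; it is the thing a user is most likely to get wrong. On the cover mail's questions: a one-line pointer that the certificate's fingerprint must be registered with the network's services before it authenticates anyone would be enough for the manual, and a user-visible new authentication method does warrant an etc/NEWS entry.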
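Review bot: in the `:type` hunk of the `rcirc-authinfo` defcustom, `(string :tag "Key")` and `(string :tag "Certificate")` hold file names; the `file` widget, `(file :tag "Key")` and `(file :tag "Certificate")`, is the conventional type for paths in a defcustom and gives filename completion in the Custom buffer.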
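Review bot: in the `rcirc` command hunk that binds `client-cert`, the patch leaves the code behind `rcirc-auto-authenticate-flag` ("automatically send authentication string to server") untouched. A `certfp` entry carries no password, so please confirm that path ignores the new method for such entries rather than trying to send something built from the key and certificate paths.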
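Review bot: in the `rcirc-connect` hunk of patch 2, inserting `certfp` before `server-alias` shifts an existing optional argument of an autoloaded function: any out-of-tree caller that passes SERVER-ALIAS positionally will now pass its alias as CERTFP, handing `open-network-stream` a string where it expects a (KEY CERT) list. Add the new parameter after `server-alias` instead; the call site in the `rcirc` command (`client-cert server-alias`) then becomes `server-alias client-cert`. The docstring also says CERTFP is "interpreted as in `rcirc-server-alist'", but nothing in this patch reads it from that alist: the `rcirc` command takes it from `rcirc-authinfo` through `rcirc-get-server-cert`, so the docstring should describe it as the (KEY CERT) list of a `certfp` entry in `rcirc-authinfo`.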
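Review bot: in the `open-network-stream` hunk, `:client-certificate certfp` is only consulted when `:type` is a TLS connection; with the default `'plain` it is silently ignored and the user ends up connected with no credential at all, which is also worth ruling out for the NickServ "30 seconds to identify" message quoted at the top of this thread. The texinfo text in this same patch says CertFP requires TLS, so the code should enforce it rather than merely document it, e.g. `(when (and certfp (not (eq encryption 'tls))) (user-error "CertFP requires encryption `tls' for %s" server))` before the stream is opened, plus a `file-readable-p` check on both paths so a wrong path fails here instead of as an opaque handshake error. `open-network-stream` also accepts `:client-certificate t`, which looks the key and certificate up through auth-source; that may be a better fit for users who already keep their rcirc credentials in ~/.authinfo.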
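Review bot: the `assoc` rewrite in patch 3 reverses the regexp and the string in all three functions. `assoc` calls TESTFN with the car of the alist element first and KEY second, so in `(lambda (s server) (string-match server s))` `s` is the pattern stored in `rcirc-authinfo` and `server` is the name being looked up; `(string-match server s)` therefore treats the server name as the regexp and the configured pattern as the text, the opposite of the removed `(string-match server-i server)`. A pattern that is only a substring of the name, such as the documented `"Libera.Chat"` entry matched against a full host name, matches with the old code and returns nil with the new one, so method, password and certificate all come back nil and authentication silently stops. Use `(lambda (pattern name) (string-match-p pattern name))`; `string-match-p` also avoids clobbering match data from inside a lookup. Since the same lambda is now repeated three times, a small `rcirc-get-server-authinfo` returning the matched entry, with the three accessors applying `cadr`, `cadddr` and `cddr` to its result, would remove the duplication.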