From: Philip Kaludercic
Newsgroups: gmane.emacs.devel
Subject: Re: [RFC] certfp for rcirc
Date: Sun, 14 Nov 2021 18:25:57 +0000
Message-ID: <877ddaegqy.fsf@posteo.net>
References: <87mtmb2hg4.fsf@omarpolo.com>
In-Reply-To: <87mtmb2hg4.fsf@omarpolo.com> (Omar Polo's message of "Wed, 11 Nov 2021 10:02:27 +0100")
To: Omar Polo
Cc: Emacs developers
Xref: news.gmane.io gmane.emacs.devel:279435

Omar Polo writes:

> For some reason I don't know yet, the NickServ still says that I've got
> 30 seconds to identify myself, but in reality I'm already logged in. I
> don't know basically anything about how the irc protocol works, so I'm
> probably missing something incredibly obvious.

Have you experienced any issues since? It might also be that this is a server-side issue? What do other clients say?

> What do you think?

I think this would be a good addition. One might even want to go further and add functions to automate the certfp authentication. But that might be too much for rcirc. Also, the manual should be updated to explain how this works.

> Cheers,
>
> Omar Polo
>
>
> diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el > index 52d74a3394..070218ef0a 100644 > --- a/lisp/net/rcirc.el > +++ b/lisp/net/rcirc.el > @@ -262,10 +262,12 @@ The ARGUMENTS for each METHOD symbol are: > `bitlbee': NICK PASSWORD > `quakenet': ACCOUNT PASSWORD > `sasl': NICK PASSWORD > + `certfp': KEY CERT > > Examples: > ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\") > (\"Libera.Chat\" chanserv \"bob\" \"#bobland\" \"passwd99\") > + (\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\") > (\"bitlbee\" bitlbee \"robert\" \"sekrit\") > (\"dal.net\" nickserv \"bob\" \"sekrit\" \"NickServ@services.dal.net\") > (\"quakenet.org\" quakenet \"bobby\" \"sekrit\") > @@ -291,7 +293,11 @@ Examples: > (list :tag "SASL" > (const sasl) > (string :tag "Nick") > - (string :tag "Password"))))) > + (string :tag "Password")) > + (list :tag "CertFP" > + (const certfp) > + (string :tag "Key") > + (string :tag "Certificate"))))) > > (defcustom rcirc-auto-authenticate-flag t > "Non-nil means automatically send authentication string to server.
> @@ -547,6 +553,9 @@ If ARG is non-nil, instead prompt for connection parameters." > (password (plist-get (cdr c) :password)) > (encryption (plist-get (cdr c) :encryption)) > (server-alias (plist-get (cdr c) :server-alias)) > + (client-cert (when (eq (rcirc-get-server-method (car c)) > + 'certfp) > + (rcirc-get-server-cert (car c)))) > contact) > (when-let (((not password)) > (auth (auth-source-search :host server > @@ -563,7 +572,7 @@ If ARG is non-nil, instead prompt for connection parameters." > (condition-case nil > (let ((process (rcirc-connect server port nick user-name > full-name channels password encryption > - server-alias))) > + client-cert server-alias))) > (when rcirc-display-server-buffer > (pop-to-buffer-same-window (process-buffer process)))) > (quit (message "Quit connecting to %s" > @@ -662,13 +671,22 @@ See `rcirc-connect' for more details on these variables.") > (when (string-match server-i server) > (throw 'pass (car args))))))) > > +(defun rcirc-get-server-cert (server) > + "Return a list of key and certificate for SERVER." > + (catch 'pass > + (dolist (i rcirc-authinfo) > + (let ((server-i (car i)) > + (args (cddr i))) > + (when (string-match server-i server) > + (throw 'pass args))))))

Why not use alist-get with a test function?

> ;;;###autoload > (defun rcirc-connect (server &optional port nick user-name > full-name startup-channels password encryption > - server-alias) > + certfp server-alias) > "Connect to SERVER. > The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD, > -ENCRYPTION, SERVER-ALIAS are interpreted as in > +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in > `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels > that are joined after authentication." > (save-excursion
> @@ -692,10 +710,16 @@ that are joined after authentication." > (delete-process process)) > > ;; Set up process > - (setq process (open-network-stream > - (or server-alias server) nil server port-number > - :type (or encryption 'plain) > - :nowait t)) > + (setq process (if certfp > + (open-network-stream > + (or server-alias server) nil server port-number > + :type 'tls > + :nowait t > + :client-certificate certfp)

Is this case-distinction necessary? If `certfp' is nil, then open-network-stream should just ignore the argument if I am not mistaken.

> + (open-network-stream > + (or server-alias server) nil server port-number > + :type (or encryption 'plain) > + :nowait t))) > (set-process-coding-system process 'raw-text 'raw-text) > (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name process nil)) > (set-process-buffer process (current-buffer)) > >

--
Philip Kaludercic
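Review bot: in the hunk that extends the `:type` of `rcirc-authinfo`, the new `CertFP` entry declares `Key` and `Certificate` as `string` widgets although both hold file names; `(file :tag "Key")` and `(file :tag "Certificate")` would give file-name completion in Customize and make the intent as clear as the `/path/to/key.pem` example added to the docstring.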
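Review bot: in the hunk that binds `client-cert` inside `rcirc`, the certificate is resolved only from `rcirc-authinfo`, so the path to a private key ends up in the init file next to the plaintext passwords the other methods take; the `when-let` directly below already consults `auth-source-search` for the password, and `open-network-stream` also accepts `:client-certificate t`, in which case it fetches the `:key` and `:cert` fields of the matching auth-source entry itself. Accepting that form (for instance `t` in place of the two paths) would let users keep the key location in `~/.authinfo.gpg` without any extra code in rcirc.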
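Review bot: `rcirc-get-server-cert` returns `(cddr i)` of the first `rcirc-authinfo` entry whose regexp matches, without checking that the entry's method is `certfp`, and the caller guards only on `rcirc-get-server-method`, which also takes the first match; a user who lists a `nickserv` entry before a `certfp` entry for the same server therefore gets `client-cert` nil and the certificate is silently never used. Testing `(eq (cadr i) 'certfp)` inside the loop (or passing the wanted method to the lookup) avoids that. The `(KEY CERT)` order that `(cddr i)` yields does match what `open-network-stream` expects for `:client-certificate`.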
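Review bot: the `rcirc-connect` hunk inserts `certfp` before `server-alias` in the `&optional` list, so any existing caller that passes `server-alias` positionally now has its alias taken as the certificate list and no alias at all; the only call site updated in this patch is the `rcirc` command. Appending `certfp` after `server-alias` keeps the old call shape working; if the new order is kept on purpose, it should be noted in NEWS.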
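Review bot: in the last hunk, the `certfp` branch hardcodes `:type 'tls`, silently overriding whatever `:encryption` the user configured, so a `certfp` entry combined with the default plain port fails in the TLS handshake with no hint as to why. Since CertFP cannot work without TLS, either signal a `user-error` when `certfp` is set and `encryption` is not `tls`, or state in the `rcirc-authinfo` docstring added in the first hunk that `certfp` implies TLS and needs the TLS port; in either case `:type (if certfp 'tls (or encryption 'plain))` in a single `open-network-stream` call keeps the two branches from drifting apart.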
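The `(\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\")` entry in the patch assumes the user already has a key and certificate and has registered the certificate's fingerprint with services. The script below is an added example, not part of Omar's patch or of rcirc: it generates such a pair with OpenSSL (assumed to be on PATH), computes the fingerprint as the SHA-512 of the DER-encoded certificate, which is what Libera.Chat and other Solanum-based networks compare against, and prints the matching `rcirc-authinfo` entry. The function names, the `demo` argument and the `/CN=NICK` subject are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the rcirc patch): create the key/certificate pair
# that the proposed `certfp' authinfo method takes, and derive the
# fingerprint that has to be registered with services beforehand.
# Assumes the `openssl' command-line tool is installed.
set -eu

# gen_certfp_pair DIR NICK
# Writes DIR/key.pem (private key, mode 0600) and DIR/cert.pem (self-signed
# certificate).  CertFP only ever compares the hash of the certificate, so
# the subject is just a label; the validity period is three years here.
gen_certfp_pair() {
    dir=$1
    nick=$2
    mkdir -p "$dir"
    # Generate under a restrictive umask so the key is never world-readable,
    # not even between creation and the chmod below.
    (umask 077 && openssl req -x509 -newkey rsa:4096 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days 1096 -subj "/CN=$nick" >/dev/null 2>&1)
    chmod 0600 "$dir/key.pem"
    chmod 0644 "$dir/cert.pem"
}

# certfp_fingerprint CERT
# Prints the CertFP fingerprint: lowercase hex SHA-512 over the DER encoding
# of CERT.  `openssl dgst' prefixes its output with "(stdin)= " or
# "SHA512(stdin)= " depending on the version; sed keeps only the digest.
certfp_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha512 | sed 's/^.*= //'
}

# rcirc_authinfo_entry SERVER-REGEXP DIR
# Prints the `rcirc-authinfo' entry in the shape the patch documents.  The
# first element is matched against the server name with `string-match', so
# it is a regexp, not a plain string.
rcirc_authinfo_entry() {
    printf '("%s" certfp "%s/key.pem" "%s/cert.pem")\n' "$1" "$2" "$2"
}

# Stand-alone use: `sh certfp-setup.sh demo' generates a pair under a
# temporary directory and shows what to register and what to configure.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    gen_certfp_pair "$d" bob
    echo "Register this fingerprint with services (Atheme: /msg NickServ CERT ADD <fp>):"
    certfp_fingerprint "$d/cert.pem"
    echo "Then add to rcirc-authinfo:"
    rcirc_authinfo_entry 'Libera.Chat' "$d"
fi
```

The fingerprint has to be registered with NickServ over an already authenticated session before the `certfp` entry is of any use; after that, rcirc connecting with the certificate is what identifies the nick, and the key file deserves the same protection as a password (hence the 0600 mode and the umask in the subshell).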