emacs-devel

Re: [RFC] certfp for rcirc


From: Omar Polo
Subject: Re: [RFC] certfp for rcirc
Date: Mon, 15 Nov 2021 22:49:57 +0100
User-agent: mu4e 1.6.9; emacs 29.0.50

Omar Polo <op@omarpolo.com> writes:

> Philip Kaludercic <philipk@posteo.net> writes:
>
>> Omar Polo <op@omarpolo.com> writes:
>>
>>> For some reason I don't know yet, the NickServ still says that I've got
>>> 30 seconds to identify myself, but in reality I'm already logged in.  I
>>> don't know basically anything about how the irc protocol works, so I'm
>>> probably missing something incredibly obvious.
>>
>> Have you experienced any issues since? It might also be that this is a
>> server side issue?  What do other clients say?
>>
>>> What do you think?
>>
>> I think this would be a good addition.  One might even want to go
>> further and add functions to automate the certfp authentication.  But
>> that might be a too much for rcirc.
>>
>> Also, the manual should be updated to explain how this works.
>
> here's another try.
>
> The first diff is something I noticed while trying to document the certfp
> option in the rcirc documentation: the sasl section seems to split the
> bitlbee paragraph, so I move that.
>
> The second diff is the certfp implementation revised after your
> comments.
>
> The third diff reworks some function to avoid the manual lookup with
> dolist and use assoc instead.
>
> I'm not sure if/how I should edit the etc/NEWS file and if the commit
> messages are fine.  Additionally, should the paragraph explaining certfp
> in the manual also tell the user how to create a certificate and how to
> activate it?
>
> Thanks,
>
> Omar Polo

I messed up with the third diff, here's another try :)

From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:33:51 +0000
Subject: [PATCH 1/3] Move the sasl section after the bitlbee text

---
 doc/misc/rcirc.texi | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index a4ca54a8b0..696983dc77 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the 
Bitlbee channel
 as follows: @code{identify secret}.  The necessary arguments are the
 nickname you want to use this for, and the password to use.
 
-@item sasl
-@cindex sasl authentication
-Use this symbol if you want to use @acronym{SASL} authentication.  The
-necessary arguments are the nickname you want to use this for, and the
-password to use.
-
 @cindex gateway to other IM services
 @cindex instant messaging, other services
 @cindex Jabber
@@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log 
you in.  All
 @code{rcirc} needs to know, is the login to your Bitlbee account.  Don't
 confuse the Bitlbee account with all the other accounts.
 
+@item sasl
+@cindex sasl authentication
+Use this symbol if you want to use @acronym{SASL} authentication.  The
+necessary arguments are the nickname you want to use this for, and the
+password to use.
+
 @end table
 
 @end table
-- 
2.33.1

From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:40:58 +0000
Subject: [PATCH 2/3] implement certfp authentication to rcirc

* lisp/net/rcirc.el (rcirc-connect): Use the provided client certs
* doc/misc/rcirc.texi (Configuration): Document the change
---
 doc/misc/rcirc.texi |  7 +++++++
 lisp/net/rcirc.el   | 26 ++++++++++++++++++++++----
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index 696983dc77..58ca045e78 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL} 
authentication.  The
 necessary arguments are the nickname you want to use this for, and the
 password to use.
 
+@item certfp
+@cindex certfp authentication
+Use this symbol if you want to use CertFP authentication.  The
+necessary arguments are the path to the client certificate key and
+password.  The CertFP authentication requires a @acronym{TLS}
+connection.
+
 @end table
 
 @end table
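Review bot: the new @item certfp paragraph says the arguments are "the path to the client certificate key and password", but the `rcirc-authinfo' docstring changed in the same patch declares them as KEY CERT, two file names and no password at all. Suggest "The necessary arguments are the paths to the client private key file and the client certificate file" so the manual matches the code, and, since the paragraph already states that CertFP needs a @acronym{TLS} connection, say explicitly that the server's :encryption setting must select TLS or the certificate is never presented.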
diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 5c92c60eda..6030db9dae 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are:
   `bitlbee': NICK PASSWORD
   `quakenet': ACCOUNT PASSWORD
   `sasl': NICK PASSWORD
+  `certfp': KEY CERT
 
 Examples:
  ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\")
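Review bot: the ARGUMENTS entry `certfp': KEY CERT does not say that both values are file names, unlike the password methods listed above it, and the Examples block that follows gains no certfp entry. Suggest `certfp': KEY-FILE CERT-FILE plus an example line next to the Libera.Chat one, e.g. (\"Libera.Chat\" certfp \"~/.irc/libera.key\" \"~/.irc/libera.crt\") (paths illustrative), so readers see that the entry carries paths rather than secrets.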
@@ -291,7 +292,11 @@ Examples:
                                     (list :tag "SASL"
                                           (const sasl)
                                           (string :tag "Nick")
-                                          (string :tag "Password")))))
+                                          (string :tag "Password"))
+                                    (list :tag "CertFP"
+                                          (const certfp)
+                                          (string :tag "Key")
+                                          (string :tag "Certificate")))))
 
 (defcustom rcirc-auto-authenticate-flag t
   "Non-nil means automatically send authentication string to server.
@@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection 
parameters."
               (password (plist-get (cdr c) :password))
               (encryption (plist-get (cdr c) :encryption))
               (server-alias (plist-get (cdr c) :server-alias))
+              (client-cert (when (eq (rcirc-get-server-method (car c))
+                                     'certfp)
+                             (rcirc-get-server-cert (car c))))
               contact)
           (when-let (((not password))
                      (auth (auth-source-search :host server
@@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection 
parameters."
                  (condition-case nil
                      (let ((process (rcirc-connect server port nick user-name
                                                     full-name channels 
password encryption
-                                                    server-alias)))
+                                                    client-cert server-alias)))
                         (when rcirc-display-server-buffer
                           (pop-to-buffer-same-window (process-buffer 
process))))
                    (quit (message "Quit connecting to %s"
@@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.")
        (when (string-match server-i server)
           (throw 'pass (car args)))))))
 
+(defun rcirc-get-server-cert (server)
+  "Return a list of key and certificate for SERVER."
+  (catch 'cert
+    (dolist (i rcirc-authinfo)
+      (let ((server-i (car i))
+            (args (cddr i)))
+        (when (string-match server-i server)
+          (throw 'cert args))))))
+
 ;;;###autoload
 (defun rcirc-connect (server &optional port nick user-name
                              full-name startup-channels password encryption
-                             server-alias)
+                             certfp server-alias)
   "Connect to SERVER.
 The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD,
-ENCRYPTION, SERVER-ALIAS are interpreted as in
+ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in
 `rcirc-server-alist'.  STARTUP-CHANNELS is a list of channels
 that are joined after authentication."
   (save-excursion
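Review bot: inserting CERTFP before SERVER-ALIAS in the `rcirc-connect' argument list changes the meaning of the last positional parameter of an autoloaded function, so any existing caller that passes server-alias positionally now has that value used as the client certificate; appending CERTFP after SERVER-ALIAS keeps old calls working. The updated docstring also says CERTFP is "interpreted as in `rcirc-server-alist'", but the value comes from `rcirc-authinfo' through the new `rcirc-get-server-cert', so the docstring should say so and state that it is a (KEY-FILE CERT-FILE) list.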
@@ -695,6 +712,7 @@ that are joined after authentication."
       (setq process (open-network-stream
                      (or server-alias server) nil server port-number
                      :type (or encryption 'plain)
+                     :client-certificate certfp
                      :nowait t))
       (set-process-coding-system process 'raw-text 'raw-text)
       (with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name 
process nil))
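Review bot: :client-certificate certfp is passed to `open-network-stream' unconditionally, so when encryption is nil (:type 'plain) a configured certfp entry is silently ignored and the user ends up connected without the authentication they configured. Since the manual text in this patch states that CertFP requires TLS, suggest signalling a `user-error' in `rcirc-connect' when certfp is non-nil and encryption does not select TLS, before the stream is opened.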
-- 
2.33.1

From a21962b6213cef558ae9294d41e14d42035495fc Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 21:49:23 +0000
Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions

---
 lisp/net/rcirc.el | 21 +++------------------
 1 file changed, 3 insertions(+), 18 deletions(-)

diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 6030db9dae..b4e9031e0d 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -654,30 +654,15 @@ See `rcirc-connect' for more details on these variables.")
 
 (defun rcirc-get-server-method (server)
   "Return authentication method for SERVER."
-  (catch 'method
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-           (method (cadr i)))
-       (when (string-match server-i server)
-          (throw 'method method))))))
+  (cadr (assoc server rcirc-authinfo #'string-match)))
 
 (defun rcirc-get-server-password (server)
   "Return password for SERVER."
-  (catch 'pass
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-           (args (cdddr i)))
-       (when (string-match server-i server)
-          (throw 'pass (car args)))))))
+  (cadddr (assoc server rcirc-authinfo #'string-match)))
 
 (defun rcirc-get-server-cert (server)
   "Return a list of key and certificate for SERVER."
-  (catch 'cert
-    (dolist (i rcirc-authinfo)
-      (let ((server-i (car i))
-            (args (cddr i)))
-        (when (string-match server-i server)
-          (throw 'cert args))))))
+  (cddr (assoc server rcirc-authinfo #'string-match)))
 
 ;;;###autoload
 (defun rcirc-connect (server &optional port nick user-name
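Review bot: the three rewritten lookups preserve the old matching order, because `assoc' calls TESTFN as (TESTFN CAR-OF-ELEMENT KEY), i.e. (string-match server-i server) exactly as the removed dolist loops did; but `string-match' overwrites the global match data once per alist element tried, so `string-match-p' is the safer TESTFN here. Note also that `rcirc-get-server-cert' still claims to return key and certificate, which is only true for certfp entries; for other methods (cddr ...) yields the nick and password, so either keep the call-site guard on `rcirc-get-server-method' that patch 2 added, or document in the docstring that callers must check the method first.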
-- 
2.33.1

