[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC] certfp for rcirc
From: |
Omar Polo |
Subject: |
Re: [RFC] certfp for rcirc |
Date: |
Mon, 15 Nov 2021 22:49:57 +0100 |
User-agent: |
mu4e 1.6.9; emacs 29.0.50 |
Omar Polo <op@omarpolo.com> writes:
> Philip Kaludercic <philipk@posteo.net> writes:
>
>> Omar Polo <op@omarpolo.com> writes:
>>
>>> For some reason I don't know yet, the NickServ still says that I've got
>>> 30 seconds to identify myself, but in reality I'm already logged in. I
>>> don't know basically anything about how the irc protocol works, so I'm
>>> probably missing something incredibly obvious.
>>
>> Have you experienced any issues since? It might also be that this is a
>> server side issue? What do other clients say?
>>
>>> What do you think?
>>
>> I think this would be a good addition. One might even want to go
>> further and add functions to automate the certfp authentication. But
>> that might be a too much for rcirc.
>>
>> Also, the manual should be updated to explain how this works.
>
> here's another try.
>
> The first diff is something I noticed while trying to document the cerfp
> option in the rcirc documentation: the sasl section seems to split the
> bitlbee paragraph, so I move that.
>
> The second diff is the certfp implementation revised after your
> comments.
>
> The third diff reworks some function to avoid the manual lookup with
> dolist and use assoc instead.
>
> I'm not sure if/how should I edit the etc/NEWS file and if the commit
> messages are fine. Additionally, should the paragraph explaining certfp
> in the manual also tell the user how to create a certificate and how to
> activate it?
>
> Thanks,
>
> Omar Polo
I messed up with the third diff, here's another try :)
>From f96474342caca8aa1df4f5df66ce1a2c0e4ed976 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:33:51 +0000
Subject: [PATCH 1/3] Move the sasl section after the bitlbee text
---
doc/misc/rcirc.texi | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index a4ca54a8b0..696983dc77 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -609,12 +609,6 @@ Use this symbol if you need to identify yourself in the
Bitlbee channel
as follows: @code{identify secret}. The necessary arguments are the
nickname you want to use this for, and the password to use.
-@item sasl
-@cindex sasl authentication
-Use this symbol if you want to use @acronym{SASL} authentication. The
-necessary arguments are the nickname you want to use this for, and the
-password to use.
-
@cindex gateway to other IM services
@cindex instant messaging, other services
@cindex Jabber
@@ -633,6 +627,12 @@ the other instant messaging services, and Bitlbee will log
you in. All
@code{rcirc} needs to know, is the login to your Bitlbee account. Don't
confuse the Bitlbee account with all the other accounts.
+@item sasl
+@cindex sasl authentication
+Use this symbol if you want to use @acronym{SASL} authentication. The
+necessary arguments are the nickname you want to use this for, and the
+password to use.
+
@end table
@end table
--
2.33.1
>From 6fda9317fbe496c36d1e5be4fa15dd3569a26aa1 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 17:40:58 +0000
Subject: [PATCH 2/3] implement certfp authentication to rcirc
* lisp/net/rcirc.el (rcirc-connect): Use the provided client certs
* doc/misc/rcirc.texi (Configuration): Document the change
---
doc/misc/rcirc.texi | 7 +++++++
lisp/net/rcirc.el | 26 ++++++++++++++++++++++----
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/doc/misc/rcirc.texi b/doc/misc/rcirc.texi
index 696983dc77..58ca045e78 100644
--- a/doc/misc/rcirc.texi
+++ b/doc/misc/rcirc.texi
@@ -633,6 +633,13 @@ Use this symbol if you want to use @acronym{SASL}
authentication. The
necessary arguments are the nickname you want to use this for, and the
password to use.
+@item certfp
+@cindex certfp authentication
+Use this symbol if you want to use CertFP authentication. The
+necessary arguments are the path to the client certificate key and
+password. The CertFP authentication requires a @acronym{TLS}
+connection.
+
@end table
@end table
diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 5c92c60eda..6030db9dae 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -262,6 +262,7 @@ The ARGUMENTS for each METHOD symbol are:
`bitlbee': NICK PASSWORD
`quakenet': ACCOUNT PASSWORD
`sasl': NICK PASSWORD
+ `certfp': KEY CERT
Examples:
((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\")
@@ -291,7 +292,11 @@ Examples:
(list :tag "SASL"
(const sasl)
(string :tag "Nick")
- (string :tag "Password")))))
+ (string :tag "Password"))
+ (list :tag "CertFP"
+ (const certfp)
+ (string :tag "Key")
+ (string :tag "Certificate")))))
(defcustom rcirc-auto-authenticate-flag t
"Non-nil means automatically send authentication string to server.
@@ -547,6 +552,9 @@ If ARG is non-nil, instead prompt for connection
parameters."
(password (plist-get (cdr c) :password))
(encryption (plist-get (cdr c) :encryption))
(server-alias (plist-get (cdr c) :server-alias))
+ (client-cert (when (eq (rcirc-get-server-method (car c))
+ 'certfp)
+ (rcirc-get-server-cert (car c))))
contact)
(when-let (((not password))
(auth (auth-source-search :host server
@@ -563,7 +571,7 @@ If ARG is non-nil, instead prompt for connection
parameters."
(condition-case nil
(let ((process (rcirc-connect server port nick user-name
full-name channels
password encryption
- server-alias)))
+ client-cert server-alias)))
(when rcirc-display-server-buffer
(pop-to-buffer-same-window (process-buffer
process))))
(quit (message "Quit connecting to %s"
@@ -662,13 +670,22 @@ See `rcirc-connect' for more details on these variables.")
(when (string-match server-i server)
(throw 'pass (car args)))))))
+(defun rcirc-get-server-cert (server)
+ "Return a list of key and certificate for SERVER."
+ (catch 'cert
+ (dolist (i rcirc-authinfo)
+ (let ((server-i (car i))
+ (args (cddr i)))
+ (when (string-match server-i server)
+ (throw 'cert args))))))
+
;;;###autoload
(defun rcirc-connect (server &optional port nick user-name
full-name startup-channels password encryption
- server-alias)
+ certfp server-alias)
"Connect to SERVER.
The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD,
-ENCRYPTION, SERVER-ALIAS are interpreted as in
+ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in
`rcirc-server-alist'. STARTUP-CHANNELS is a list of channels
that are joined after authentication."
(save-excursion
@@ -695,6 +712,7 @@ that are joined after authentication."
(setq process (open-network-stream
(or server-alias server) nil server port-number
:type (or encryption 'plain)
+ :client-certificate certfp
:nowait t))
(set-process-coding-system process 'raw-text 'raw-text)
(with-current-buffer (get-buffer-create (rcirc-generate-new-buffer-name
process nil))
--
2.33.1
>From a21962b6213cef558ae9294d41e14d42035495fc Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Mon, 15 Nov 2021 21:49:23 +0000
Subject: [PATCH 3/3] ; Simplify rcirc authentication querying functions
---
lisp/net/rcirc.el | 21 +++------------------
1 file changed, 3 insertions(+), 18 deletions(-)
diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
index 6030db9dae..b4e9031e0d 100644
--- a/lisp/net/rcirc.el
+++ b/lisp/net/rcirc.el
@@ -654,30 +654,15 @@ See `rcirc-connect' for more details on these variables.")
(defun rcirc-get-server-method (server)
"Return authentication method for SERVER."
- (catch 'method
- (dolist (i rcirc-authinfo)
- (let ((server-i (car i))
- (method (cadr i)))
- (when (string-match server-i server)
- (throw 'method method))))))
+ (cadr (assoc server rcirc-authinfo #'string-match)))
(defun rcirc-get-server-password (server)
"Return password for SERVER."
- (catch 'pass
- (dolist (i rcirc-authinfo)
- (let ((server-i (car i))
- (args (cdddr i)))
- (when (string-match server-i server)
- (throw 'pass (car args)))))))
+ (cadddr (assoc server rcirc-authinfo #'string-match)))
(defun rcirc-get-server-cert (server)
"Return a list of key and certificate for SERVER."
- (catch 'cert
- (dolist (i rcirc-authinfo)
- (let ((server-i (car i))
- (args (cddr i)))
- (when (string-match server-i server)
- (throw 'cert args))))))
+ (cddr (assoc server rcirc-authinfo #'string-match)))
;;;###autoload
(defun rcirc-connect (server &optional port nick user-name
--
2.33.1