[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC] certfp for rcirc
From: |
Philip Kaludercic |
Subject: |
Re: [RFC] certfp for rcirc |
Date: |
Sun, 14 Nov 2021 18:25:57 +0000 |
Omar Polo <op@omarpolo.com> writes:
> For some reason I don't know yet, the NickServ still says that I've got
> 30 seconds to identify myself, but in reality I'm already logged in. I
> don't know basically anything about how the irc protocol works, so I'm
> probably missing something incredibly obvious.
Have you experienced any issues since? It might also be that this is a
server side issue? What do other clients say?
> What do you think?
I think this would be a good addition. One might even want to go
further and add functions to automate the certfp authentication. But
that might be a too much for rcirc.
Also, the manual should be updated to explain how this works.
> Cheers,
>
> Omar Polo
>
>
> diff --git a/lisp/net/rcirc.el b/lisp/net/rcirc.el
> index 52d74a3394..070218ef0a 100644
> --- a/lisp/net/rcirc.el
> +++ b/lisp/net/rcirc.el
> @@ -262,10 +262,12 @@ The ARGUMENTS for each METHOD symbol are:
> `bitlbee': NICK PASSWORD
> `quakenet': ACCOUNT PASSWORD
> `sasl': NICK PASSWORD
> + `certfp': KEY CERT
>
> Examples:
> ((\"Libera.Chat\" nickserv \"bob\" \"p455w0rd\")
> (\"Libera.Chat\" chanserv \"bob\" \"#bobland\" \"passwd99\")
> + (\"Libera.Chat\" certfp \"/path/to/key.pem\" \"/path/to/cert.pem\")
> (\"bitlbee\" bitlbee \"robert\" \"sekrit\")
> (\"dal.net\" nickserv \"bob\" \"sekrit\" \"NickServ@services.dal.net\")
> (\"quakenet.org\" quakenet \"bobby\" \"sekrit\")
> @@ -291,7 +293,11 @@ Examples:
> (list :tag "SASL"
> (const sasl)
> (string :tag "Nick")
> - (string :tag "Password")))))
> + (string :tag "Password"))
> + (list :tag "CertFP"
> + (const certfp)
> + (string :tag "Key")
> + (string :tag "Certificate")))))
>
> (defcustom rcirc-auto-authenticate-flag t
> "Non-nil means automatically send authentication string to server.
> @@ -547,6 +553,9 @@ If ARG is non-nil, instead prompt for connection
> parameters."
> (password (plist-get (cdr c) :password))
> (encryption (plist-get (cdr c) :encryption))
> (server-alias (plist-get (cdr c) :server-alias))
> + (client-cert (when (eq (rcirc-get-server-method (car c))
> + 'certfp)
> + (rcirc-get-server-cert (car c))))
> contact)
> (when-let (((not password))
> (auth (auth-source-search :host server
> @@ -563,7 +572,7 @@ If ARG is non-nil, instead prompt for connection
> parameters."
> (condition-case nil
> (let ((process (rcirc-connect server port nick user-name
> full-name channels
> password encryption
> - server-alias)))
> + client-cert
> server-alias)))
> (when rcirc-display-server-buffer
> (pop-to-buffer-same-window (process-buffer
> process))))
> (quit (message "Quit connecting to %s"
> @@ -662,13 +671,22 @@ See `rcirc-connect' for more details on these
> variables.")
> (when (string-match server-i server)
> (throw 'pass (car args)))))))
>
> +(defun rcirc-get-server-cert (server)
> + "Return a list of key and certificate for SERVER."
> + (catch 'pass
> + (dolist (i rcirc-authinfo)
> + (let ((server-i (car i))
> + (args (cddr i)))
> + (when (string-match server-i server)
> + (throw 'pass args))))))
Why not use alist-get with a test function?
> ;;;###autoload
> (defun rcirc-connect (server &optional port nick user-name
> full-name startup-channels password encryption
> - server-alias)
> + certfp server-alias)
> "Connect to SERVER.
> The arguments PORT, NICK, USER-NAME, FULL-NAME, PASSWORD,
> -ENCRYPTION, SERVER-ALIAS are interpreted as in
> +ENCRYPTION, CERTFP, SERVER-ALIAS are interpreted as in
> `rcirc-server-alist'. STARTUP-CHANNELS is a list of channels
> that are joined after authentication."
> (save-excursion
> @@ -692,10 +710,16 @@ that are joined after authentication."
> (delete-process process))
>
> ;; Set up process
> - (setq process (open-network-stream
> - (or server-alias server) nil server port-number
> - :type (or encryption 'plain)
> - :nowait t))
> + (setq process (if certfp
> + (open-network-stream
> + (or server-alias server) nil server port-number
> + :type 'tls
> + :nowait t
> + :client-certificate certfp)
Is this case-distinction necessary? If `certfp' is nil, then
open-network-stream should just ignore the argument if I am not
mistaken.
> + (open-network-stream
> + (or server-alias server) nil server port-number
> + :type (or encryption 'plain)
> + :nowait t)))
> (set-process-coding-system process 'raw-text 'raw-text)
> (with-current-buffer (get-buffer-create
> (rcirc-generate-new-buffer-name process nil))
> (set-process-buffer process (current-buffer))
>
>
--
Philip Kaludercic