#259764 - 24/01/17 02:55 AM SASL Authentication Built-In
daemhan Offline
Mostly harmless

Registered: 24/01/17
Posts: 1
Hello,

Are there any plans to include built-in SASL functionality? We had been directing people to use the SASL script that was created years ago for this purpose, but it's clunky and finicky. As a solution, we've been recommending that our users switch to AdiIRC or HexChat as desktop alternatives in order to use the SASL Auth feature easily -- most elect to switch clients rather than fight with the script.

This would probably have to go hand in hand with providing better network and password management per-network for identifying to various nick authentication services, since the current 'perform' function is rather outdated in comparison to pretty much every other client -- even the non-GUI clients many of my opers use have these things built into them.

At any rate, we'd like to know if there are plans to build this in or if it's a matter of using the old SASL script add-on because there is no intention of doing so.

Thanks!

#259958 - 14/02/17 02:30 PM Re: SASL Authentication Built-In [Re: daemhan]
Raccoon Online
Hoopy frood

Registered: 18/02/03
Posts: 2059
Loc: New Mexico Tech
I can write a very short, quality SASL script, that transparently utilizes information from mIRC's server management UI. (Thanks to the new On PARSELINE event). I will need to see a set of SASL client/server interactions to emulate from, though.

I also think a collection of SASL auth interactions posted here would give Khaled a better understanding of all the different scenarios to code for.
_________________________
doin' things a particle can

#259964 - 14/02/17 06:28 PM Re: SASL Authentication Built-In [Re: Raccoon]
BhaaL Offline
Babel fish

Registered: 23/03/08
Posts: 71
Loc: Austria
I don't think this is an issue of not having a robust script (in fact, I rolled my own which is less than a hundred lines; and that includes some very specific stuff that I just put in there for teh lulz), but for integrating it better into the Client application itself (since others do so, and many servers support it as standard feature).
Plus, it requires changing the CAP request, which is pretty much the first thing that goes out, and requires on LOGON or perhaps on PARSELINE to do so.

SASL authentication should be as "easy" as

  • Ask for the server's capabilities to see if they even support it (CAP LS, before USER/NICK)
    • In case the server does not support CAP, ignore
    • In case the CAP LS response includes SASL, continue with authentication by requesting it (CAP REQ :sasl, optionally including other capabilities such as multi-prefix)
    • In case it doesn't, end the capabilities dance (CAP END)
  • Once the server acknowledges the sasl request (CAP ACK), start the authentication with a given/preferred method (AUTHENTICATE)
  • The server should then accept the authentication by replying with a +, not sure what it returns otherwise
  • After that, send the encrypted payload (AUTHENTICATE). Note that this should be chunked to 400 characters, for (hopefully) obvious reasons.
  • If we're still here, end the capabilities dance (CAP END)

Used to have some documentation somewhere, but I can't find it atm...so here's a log of my script:
Code:
-> irc.domain.tld CAP LS
-> irc.domain.tld USER bhaal 0 * :BhaaL
-> irc.domain.tld NICK BhaaL
<- :irc.domain.tld NOTICE * :*** Looking up your hostname...
<- :irc.domain.tld NOTICE * :*** Found your hostname
<- :irc.domain.tld CAP * LS :userhost-in-names multi-prefix away-notify account-notify sasl tls
-> irc.domain.tld CAP REQ :multi-prefix sasl
<- PING :D59F9447
-> irc.domain.tld PONG :D59F9447
<- :irc.domain.tld CAP BhaaL ACK :multi-prefix sasl 
-> irc.domain.tld AUTHENTICATE PLAIN
<- AUTHENTICATE +
-> irc.domain.tld AUTHENTICATE <auth digest/hash/whatever>
<- :irc.domain.tld 900 BhaaL BhaaL!bhaal@home.tld BhaaL :You are now logged in as BhaaL.
<- :irc.domain.tld 903 BhaaL :SASL authentication successful
-> irc.domain.tld CAP END
<- :irc.domain.tld 001 BhaaL :Welcome to the IRC Network BhaaL!bhaal@home.tld
<- :irc.domain.tld 002 BhaaL :Your host is irc.domain.tld, running version UnrealIRCd-4.0.6

My script just overrides on LOGIN, then raw CAP and raw AUTHENTICATE to do the job (plus some numerics for fun)
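
The negotiation steps and log in the post above, written as a small client-side state machine in Python. This is an added example, not part of the original post or of any mIRC script: the class and function names are hypothetical, the caller is assumed to have already sent CAP LS, USER and NICK, and the failure numerics 904-907 come from the IRCv3 SASL specification rather than from this thread.

```python
import base64

CHUNK = 400  # maximum length of one AUTHENTICATE argument

def plain_payload(account, password):
    # SASL PLAIN: authzid NUL authcid NUL password, base64-encoded (not encrypted).
    raw = "\0".join((account, account, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def authenticate_lines(payload):
    # A payload that is empty or an exact multiple of 400 ends with a lone "+".
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    if len(payload) % CHUNK == 0:
        chunks.append("+")
    return ["AUTHENTICATE " + c for c in chunks]

class SaslPlainClient:  # feed on_line() each server line; it returns the replies
    def __init__(self, account, password):
        self.account, self.password = account, password
        self.state, self.authenticated = "ls", False  # ls -> req -> mech -> sent -> done

    def _finish(self, reply):
        self.state = "done"
        return reply

    def on_line(self, line):
        words = line.split()[1:] if line.startswith(":") else line.split()
        if not words or self.state == "done":
            return []
        cmd, args = words[0], words[1:]
        sub = args[1] if cmd == "CAP" and len(args) > 1 else None
        caps = [c.lstrip(":").split("=")[0] for c in args[2:]]
        if cmd == "001":             # registered anyway: server ignored CAP
            return self._finish([])
        if sub == "LS" and self.state == "ls" and "sasl" in caps:
            self.state = "req"
            return ["CAP REQ :sasl"]
        if sub == "ACK" and self.state == "req" and "sasl" in caps:
            self.state = "mech"
            return ["AUTHENTICATE PLAIN"]
        if sub in ("LS", "NAK"):     # sasl not offered, or request refused
            return self._finish(["CAP END"])
        if cmd == "AUTHENTICATE" and args == ["+"] and self.state == "mech":
            self.state = "sent"      # credentials leave only after the "+"
            return authenticate_lines(plain_payload(self.account, self.password))
        if cmd in ("903", "904", "905", "906", "907"):
            self.authenticated = cmd == "903" and self.state == "sent"
            return self._finish(["CAP END"])
        return []
```

Because the PLAIN payload decodes straight back to the account name and password, this exchange belongs on a TLS port only.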

#259966 - 15/02/17 04:58 AM Re: SASL Authentication Built-In [Re: BhaaL]
Raccoon Online
Hoopy frood

Registered: 18/02/03
Posts: 2059
Loc: New Mexico Tech
At last!
http://hawkee.com/snippet/17983/

Code:
; r_shitty_sasl.mrc                           http://hawkee.com/snippet/17983/
; ----------------------------------------------------------------------------
;  SUPER SHITTY SASL Script by Raccoon 2017-Feb-14 for mIRC 6.10 or greater.
;  FIRST RELEASE. SUPER SHITTY. VALENTINE'S DAY EDITION. 2/14/2017 -- ENJOY!
; ----------------------------------------------------------------------------
;
; Q. Can I have other SASL scripts loaded?
; A. NO! No, no no. Uninstall all other SASL scripts!
;
; Q. How do I work it?
; A. Just edit your Server settings, plugging your
;    nickname:password into the Password field.
;
; /------------------------------------------------------------\  ==========
; | Edit Server                                          [ X ] |  ATTENTION!
; | +--------------------------------------------------------+ |  ==========
; | |                                                        | |
; | |  Description:  [ chat.freenode.net               ]     | |   PUT YOUR
; | |                                                        | |
; | |   IRC Server:  [ chat.freenode.net               ]     | |   NICKNAME
; | |                                                        | |
; | |        Ports:  [ +6697,+7000,+7070               ]     | |     AND
; | |                                                        | |
; | |        Group:  [ Freenode                   ]          | |   PASSWORD
; | |                                                        | |
; | |  -> Password:  [ Raccoon:MySeKrItPaSsWoRd   ] <-------------- HERE!! <-
; | |                                                        | |
; | |     *------------*  *------------*  *------------*     | |   SEPARATED
; | |     |     OK     |  |   Cancel   |  |    Help    |     | |
; | |     *------------*  *------------*  *------------*     | |    WITH A 
; | +-rac----------------------------------------------------+ |
; \------------------------------------------------------------/   COLON ':'
;
; This script will utilize your nickname:password information that
; is supplied by the PASS command to initiate the SASL handshake.
; The PASS command will still be sent, and acts as a fallback.
;
; This script is SUPER SHITTY because it gives no shits about the proper
; back-and-forth exchange of CAP negotiation.  It just fires off commands.
; It works almost all the time. Your results may vary. No warranty.
;
; If you have any questions, ask for help in ##mIRC on freenode. -- Raccoon
;
; Advice: Always connect to IRC via encrypted SSL port. eg: +6697 (not 6667)
;
; ----------------------------------------------------------------------------

On ^*:LOGON:*: {
  if ($version < 7.42) {
    debug -ip $iif($debug,$v1,on) SHITTY_SASL
} }

ALIAS SHITTY_SASL {
  if ($regex($1-,/^-> \S+ PASS (\S+?):(\S+)$/)) {
    noop $SUPER_SHITTY_SASL_AUTH($regml(1),$regml(2))
    debug $iif($window($debug),$v1,off)
  }
  return $1-
}

On $*:PARSELINE:out:/^PASS (\S+):(\S+)$/: { 
  noop $SUPER_SHITTY_SASL_AUTH($regml(1),$regml(2))
}

ALIAS -l SUPER_SHITTY_SASL_AUTH {
  var %u = $1, %p = $2
  .raw CAP REQ :sasl
  .raw AUTHENTICATE PLAIN
  bset -t &auth 1 %u $+ $lf $+ %u $+ $lf $+ %p
  breplace &auth 10 00
  noop $encode(&auth,mb)
  .raw AUTHENTICATE $bvar(&auth,1-).text
  .raw CAP END
} ; by Raccoon 2017

; Footnote.  This script is intentionally the shittiest way to implement SASL.
; HOWEVER! It is the smallest SASL script, and works with all versions of mIRC v6.1+ (2003).
; So, eat it. The cake is real. -- Raccoon

; End of script.
_________________________
doin' things a particle can

#259970 - 15/02/17 04:37 PM Re: SASL Authentication Built-In [Re: Raccoon]
Raccoon Online
Hoopy frood

Registered: 18/02/03
Posts: 2059
Loc: New Mexico Tech
Added a minor change. Shuts off /debug upon first server reply.
Also changed instances of $v1 to $debug ($v1 did not exist in 6.10).
Also silenced /debug commands with '.debug'.
http://hawkee.com/snippet/17983/

Code:
; 2/15/2017 http://hawkee.com/snippet/17983/
On ^*:LOGON:*: {
  if ($version < 7.42) {
    .debug -ip $iif($debug,$debug,on) SHITTY_SASL
} }

ALIAS SHITTY_SASL {
  if ($regex($1-,/^-> \S+ PASS (\S+?):(\S+)$/)) {
    noop $SUPER_SHITTY_SASL_AUTH($regml(1),$regml(2))
    .debug $iif($window($debug),$debug,off)
  }
  if ($1 == <-) { .debug $iif($window($debug),$debug,off) }
  return $1-
}

On $*:PARSELINE:out:/^PASS (\S+):(\S+)$/: {
  ; versions >= 7.42 (2015)
  noop $SUPER_SHITTY_SASL_AUTH($regml(1),$regml(2))
}

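ALIAS -l SUPER_SHITTY_SASL_AUTH {
  var %u = $1, %p = $2
  ; Sent back-to-back, without waiting for CAP ACK or "AUTHENTICATE +".
  .raw CAP REQ :sasl
  .raw AUTHENTICATE PLAIN
  ; Build user LF user LF password, then swap each LF (10) for NUL (0).
  bset -t &auth 1 %u $+ $lf $+ %u $+ $lf $+ %p
  breplace &auth 10 00
  ; Base64-encode the binary variable in place.
  noop $encode(&auth,mb)
  .raw AUTHENTICATE $bvar(&auth,1-).text
  .raw CAP END
} ; by Raccoon 2017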
_________________________
doin' things a particle can
