
Add SASL capability to Darkbot
Closed, ResolvedPublic

Description

When connecting to Libera from OVH or Iliad/Scaleway/Online IPv4 networks:

:iridium.libera.chat NOTICE Darkbot :*** Notice -- SASL authentication to a NickServ account with a verified email address is required to connect from your current network. Please see https://libera.chat/guides/sasl for configuration assistance.

To satisfy the SASL requirement, there are two solutions:

  • manually prepare the SASL authentication messages and add them to the source code
  • link to a SASL library for a proper implementation

Known SASL libraries in C

Code doesn't need to be written from scratch by deciphering the RFCs. Libraries in C are available for that work:

Event Timeline

dereckson triaged this task as Normal priority. Jun 25 2022, 00:55
dereckson created this task.

Simple SASL implementation does NOT require a library.

It's defined by https://www.rfc-editor.org/rfc/rfc4616 and doesn't provide any security.

It's just a string to send to the server, with a base64 representation of user and password.

Secrets stored in Vault

  • nickserv username and password: secrets/nasqueron/odderon/nickserv
  • direct SASL plain base64 of those: secrets/nasqueron/odderon/sasl

SASL authentication

I have a functional proof of concept:

  • a C function to concatenate username, NUL, username, NUL, password (don't use strcpy, but memcpy, to avoid NUL-terminated C strings)
  • a session with openssl s_client -connect sodium.libera.chat:6697

C source code is available at P331.

SASL authentication workflow:

  • ask capability to the server
  • announce the SASL mechanism used
  • send authentication payload

This is to be done before the NICK and USER commands.

Quick connection test

$ CAP REQ :SASL
:sodium.libera.chat CAP * ACK :SASL
CAP END
AUTHENTICATE PLAIN
AUTHENTICATE <base64 payload>
:sodium.libera.chat 900 * *!unknown@host-85-26-29-78.dynamic.voo.be odderon :You are now logged in as odderon
:sodium.libera.chat 903 * :SASL authentication successful

Note the Nickserv confirmation at 900, and the confirmation at 903. Those are RAW codes an IRC client should handle.

Darkbot implementation

Nickserv authentication was done by running perform.ini content at init time.

Similarly, we could provide a preinit (chmod 400) file with the CAP and AUTHENTICATE commands.

Another solution is to provide a correct configuration file and add the P331 code to darkbot source code.

We can avoid linking against OpenSSL by using P332: it's the wpa_supplicant base64 methods, from the FreeBSD source code.
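The workflow above (CAP REQ, AUTHENTICATE PLAIN, the base64 payload, then the 900 and 903 numerics) together with the memcpy-based message construction from the proof of concept, put together as an added example in C. This is not P331, P332 or darkbot code: it assumes a caller that owns the socket and hands over each server line with CRLF stripped, and every credential used with it is a constructed placeholder. Unlike the quick test, which sends CAP END directly after the ACK, it waits for 903 before CAP END, the order the IRCv3 SASL specification describes, so registration cannot complete before authentication is confirmed; it also splits payloads longer than the 400-byte AUTHENTICATE line limit and treats 904-907 as a hard failure.

```c
/* Added example, not code from P331 or darkbot: build the RFC 4616 PLAIN message,
 * base64-encode it, and drive the IRCv3 SASL exchange from the server's replies. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 4616: message = [authzid] NUL authcid NUL passwd. memcpy, not strcpy, because
 * the message has embedded NUL bytes. Returns the byte count, or 0 if out is too small. */
size_t sasl_plain_message(const char *authzid, const char *authcid,
                          const char *passwd, unsigned char *out, size_t outlen)
{
    size_t a = strlen(authzid), c = strlen(authcid), p = strlen(passwd);
    size_t need = a + 1 + c + 1 + p;
    if (need > outlen) return 0;
    memcpy(out, authzid, a);          out[a] = 0;
    memcpy(out + a + 1, authcid, c);  out[a + 1 + c] = 0;
    memcpy(out + a + 1 + c + 1, passwd, p);
    return need;
}

/* RFC 4648 base64 with '=' padding, a minimal stand-in for the P332 routines.
 * Returns the string length written (NUL not counted), or 0 if out is too small. */
size_t base64_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    if (4 * ((inlen + 2) / 3) + 1 > outlen) return 0;
    for (; i + 2 < inlen; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[v >> 18 & 63]; out[o++] = tbl[v >> 12 & 63];
        out[o++] = tbl[v >> 6 & 63];  out[o++] = tbl[v & 63];
    }
    if (i < inlen) {                               /* one or two trailing bytes */
        unsigned v = in[i] << 16 | (i + 1 < inlen ? in[i + 1] << 8 : 0);
        out[o++] = tbl[v >> 18 & 63]; out[o++] = tbl[v >> 12 & 63];
        out[o++] = i + 1 < inlen ? tbl[v >> 6 & 63] : '=';  out[o++] = '=';
    }
    out[o] = 0;
    return o;
}

enum sasl_state { SASL_IDLE, SASL_CAP_REQUESTED, SASL_MECH_SENT, SASL_PAYLOAD_SENT, SASL_DONE, SASL_FAILED };

typedef struct {
    enum sasl_state state;
    char payload_b64[1024];
    char outbuf[1200];                              /* next bytes to write to the socket */
} sasl_client;

/* Step 1, before NICK/USER: request the capability. Returns the bytes to send. */
const char *sasl_begin(sasl_client *c, const char *authzid, const char *authcid, const char *passwd)
{
    unsigned char msg[768];
    size_t n = sasl_plain_message(authzid, authcid, passwd, msg, sizeof msg);
    c->outbuf[0] = 0;
    c->state = SASL_FAILED;
    if (!n || !base64_encode(msg, n, c->payload_b64, sizeof c->payload_b64)) return c->outbuf;
    c->state = SASL_CAP_REQUESTED;
    strcpy(c->outbuf, "CAP REQ :sasl\r\n");
    return c->outbuf;
}

static int starts_ci(const char *s, const char *p)   /* case-insensitive prefix test */
{
    for (; *p; s++, p++) if (tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}

/* Feed one server line (CRLF stripped). Returns the bytes to send next, "" if none. */
const char *sasl_handle_line(sasl_client *c, const char *line)
{
    const char *cmd = line;
    c->outbuf[0] = 0;
    if (*cmd == ':') { cmd = strchr(cmd, ' '); cmd = cmd ? cmd + 1 : ""; }   /* skip ":server" */
    if (c->state == SASL_CAP_REQUESTED && starts_ci(cmd, "CAP ")) {
        const char *ack = strstr(cmd, "ACK :");
        if (ack && starts_ci(ack + 5, "sasl")) {        /* step 2: announce the mechanism */
            strcpy(c->outbuf, "AUTHENTICATE PLAIN\r\n");
            c->state = SASL_MECH_SENT;
        } else c->state = SASL_FAILED;                   /* NAK: sasl not offered */
    } else if (c->state == SASL_MECH_SENT && strcmp(cmd, "AUTHENTICATE +") == 0) {
        /* Step 3: IRCv3 caps each AUTHENTICATE line at 400 bytes; longer payloads are
         * split, and a payload that is an exact multiple of 400 ends with "AUTHENTICATE +". */
        size_t n = strlen(c->payload_b64), off = 0, o = 0;
        do {
            size_t chunk = n - off > 400 ? 400 : n - off;
            o += (size_t)sprintf(c->outbuf + o, "AUTHENTICATE %.*s\r\n", (int)chunk, c->payload_b64 + off);
            off += chunk;
        } while (off < n);
        if (n % 400 == 0) strcpy(c->outbuf + o, "AUTHENTICATE +\r\n");
        c->state = SASL_PAYLOAD_SENT;
    } else if (c->state == SASL_PAYLOAD_SENT && strncmp(cmd, "903 ", 4) == 0) {
        strcpy(c->outbuf, "CAP END\r\n");  /* 903: success, end negotiation, then NICK/USER */
        c->state = SASL_DONE;
    } else if (strncmp(cmd, "90", 2) == 0 && cmd[2] >= '4' && cmd[2] <= '7' && cmd[3] == ' ') {
        c->state = SASL_FAILED;             /* 904-907: SASL failure numerics, do not CAP END */
    }                                       /* 900 RPL_LOGGEDIN is informational: keep waiting */
    return c->outbuf;
}
```

A bot would write the return value of sasl_begin to the socket before NICK and USER, then pass every incoming line to sasl_handle_line and write back whatever it returns until the state is SASL_DONE or SASL_FAILED. On SASL_FAILED the connection should be logged and closed rather than registered, since on the networks named in the description the server refuses unauthenticated clients anyway. Keeping the PLAIN message in a byte buffer with an explicit length, as the proof of concept does, is what makes the embedded NULs survive; any helper that treats it as a C string truncates it at the first NUL.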

dereckson moved this task from Backlog to Darkbot bugs on the Odderon board.

Blocked by T1870 to test this correctly.

I don't know what happens with darkbot 7, but with 6f6 it works like a charm:

00:30:43 -!- odderon [dereckson@windriver.nasqueron.org]
00:30:43 -!-  ircname  : Download me from http://darkbot.net 1
00:30:43 -!-  channels : #pentacle
00:30:43 -!-  server   : erbium.libera.chat [Frankfurt, DE]
00:30:43 -!-  hostname : 51.159.18.59
00:30:43 -!-  idle     : 0 days 0 hours 0 mins 56 secs [signon: Mon May 15 00:29:47 2023]
00:30:43 -!-  account  : odderon

So the solution is to roll back to 6f6 and publish the SASL patch against that version.

The next step is to actually deploy the SASL credential from secrets/nasqueron/odderon/nickserv.

An issue is that we don't currently have Eglide on the Nasqueron private network, so Vault isn't available there.

As such, a local Vault on Eglide could be useful.

Credentials. Secrets provisioned to Eglide Vault under kv/service/odderon/nickserv.

Next steps.

  • Rebuild darkbot with SASL change on Eglide
  • Add configuration file provisioning in roles/shellserver/odderon

Works like a charm.

17:57:46 -!- Odderon [odderon@eglide.org]
17:57:46 -!- ircname : https://agora.nasqueron.org/Odderon 1
17:57:46 -!- server : copper.libera.chat [Sofia, BG]
17:57:46 -!- hostname : 51.159.150.221
17:57:46 -!- idle : 0 days 0 hours 0 mins 2 secs [signon: Mon May 29 17:57:44 2023]
17:57:47 -!- account : odderon