Opened 6 years ago

Closed 4 years ago

Last modified 4 years ago

#13270 closed patch (fixed)

SASL support on IRC Protocol

Reported by: Gaming4JC Owned by: elb
Milestone: 2.10.7 Component: IRC
Version: 2.7.9 Keywords:
Cc: StrangeCharm

Description

With the recent requirement that all users from known bad networks (which apparently includes my ISP) get SASL authentication on freenode, it is impossible for me to use Pidgin for IRC. I have been using KVIrc for a temporary work-around until this gets resolved.

Attachments (4)

pidgin-sasl.patch (5.1 KB) - added by andy753421 5 years ago.
Add SASL PLAIN authentication to irc plugin
13270.patch (6.4 KB) - added by xnyhps 4 years ago.
Updated version, without the hack around the parsing of AUTHENTICATE messages
irc-sasl-final.patch (15.4 KB) - added by xnyhps 4 years ago.
Updated patch, uses Cyrus, against release-2.x.y.
irc-sasl-final-2.patch (15.9 KB) - added by xnyhps 4 years ago.
Updated patch: fix unnecessary strdups, check the user for supported SASL mechanisms instead of hard-coding them.


Change History (41)

comment:1 Changed 5 years ago by darkrain42

  • Milestone set to Patches welcome
  • Type changed from defect to enhancement

comment:2 Changed 5 years ago by WACOMalt

Why is this marked as a request for an "enhancement"? The IRC system is fundamentally broken if it does not support the primary authentication method used by many IRC servers (including freenode, the largest, and the default server chosen when adding a new IRC account).

SASL authentication support needs to be added.

To add some detail, apparently while using my tethering plan on Verizon, my IP range is in a group freenode REQUIRES SASL authentication on, and so I am completely unable to use freenode.

comment:3 Changed 5 years ago by darkrain42

  • Summary changed from No SASL support on IRC Protocol to SASL support on IRC Protocol

It's marked as an enhancement because this is a new feature; SASL is not part of the core IRC protocol and is a (relatively) new addition to IRC.

Changed 5 years ago by andy753421

Add SASL PLAIN authentication to irc plugin

comment:4 follow-ups: Changed 5 years ago by andy753421

I got hit by the same issue on freenode using a tethering plan (T-Mobile oddly enough though). Anyway, I wrote a patch for sasl authentication and attached it, it works for me using pidgin 2.7.11 (patch is against 2.9.0 though).

Note: freenode doesn't prefix the AUTHENTICATE message with :whatever.freenode.net so the message fails to parse. There's a lame work-around in irc_msg_cap; it seems that you can send 'AUTHENTICATE PLAIN' and 'AUTHENTICATE <password data>' both at the same time without waiting for a reply from the first message.

I'm not really a pidgin developer so feel free to fix or point out any coding conventions that I violated. Also, if one of the devs wants to suggest a proper way to fix the above mentioned lame workaround, feel free to do so and I'll fix that as well.

Per TipsForPatchSubmissions, if you want to put some log files:

  • Name: Andy Spencer
  • Email: andy753421 at gmail.com

comment:5 Changed 5 years ago by darkrain42

  • Milestone changed from Patches welcome to Patches Needing Review
  • Type changed from enhancement to patch

comment:6 in reply to: ↑ 4 Changed 5 years ago by nenolod

Replying to andy753421:

I got hit by the same issue on freenode using a tethering plan (T-Mobile oddly enough though). Anyway, I wrote a patch for sasl authentication and attached it, it works for me using pidgin 2.7.11 (patch is against 2.9.0 though).

Note: freenode doesn't prefix the AUTHENTICATE message with :whatever.freenode.net so the message fails to parse. There's a lame work-around in irc_msg_cap; it seems that you can send 'AUTHENTICATE PLAIN' and 'AUTHENTICATE <password data>' both at the same time without waiting for a reply from the first message.

Yes, this will work, but you should wait for the challenge because other mechanisms like DH-BLOWFISH are bidirectionally interactive.

The IRC parser should be more relaxed. Messages from the server are not explicitly required to have an origin.

There are some comments in the patch which are related to IRCv3 capability negotiation that are incorrectly attributed to being related to SASL. Those should probably be changed.

I'm not really a pidgin developer so feel free to fix or point out any coding conventions that I violated. Also, if one of the devs wants to suggest a proper way to fix the above mentioned lame workaround, feel free to do so and I'll fix that as well.

The solution regarding the workaround is to refactor the IRC parser to accept messages without origin prefix, as such messages are valid. In the event of no specified origin, the origin is assumed to be the hostname of the server the socket is connected to, either user-specified or server-provided (from 001 numeric).

Per TipsForPatchSubmissions, if you want to put some log files:

  • Name: Andy Spencer
  • Email: andy753421 at gmail.com

comment:7 Changed 5 years ago by nenolod

Hmm, actually, that won't work because if there is no SASL target available which supports the mechanism, you should wait for an error to try a new mechanism.

comment:8 in reply to: ↑ 4 Changed 5 years ago by elb

Disclaimer: I still haven't looked at this closely, it's on my list of things to do (and implement). This is based on my best understanding.

Replying to andy753421:

I got hit by the same issue on freenode using a tethering plan (T-Mobile oddly enough though). Anyway, I wrote a patch for sasl authentication and attached it, it works for me using pidgin 2.7.11 (patch is against 2.9.0 though).

Note: freenode doesn't prefix the AUTHENTICATE message with :whatever.freenode.net so the message fails to parse. There's a lame work-around in irc_msg_cap; it seems that you can send 'AUTHENTICATE PLAIN' and 'AUTHENTICATE <password data>' both at the same time without waiting for a reply from the first message.

This is normal for certain classes of messages from the server which are not routed. The correct way to handle this is with a strncmp() in the irc_parse_msg() function, alongside PING and ERROR. The list of messages which can be sent without routing is strictly enumerated, and there are few of them, so there's no elaborate parsing mechanism to handle this as there is for numerics/etc.

I will try to look at this patch and either integrate it or implement SASL however I think it is best implemented in the relatively near future; however, I am very busy and I can make no promises. Sorry. :-/
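The two points raised in comments 6 through 8, a parser that accepts server messages without an origin prefix (defaulting the origin to the connected server) and a SASL PLAIN flow that waits for the server's challenge and reports the result, as an added example that is not Pidgin's code or any of the attached patches. It assumes the IRCv3 SASL numerics 903 (success) and 904 (failure) and takes the PLAIN payload already base64-encoded (the constructed value in the test is authcid "jane", password "secret").

```c
#include <stdio.h>
#include <string.h>
#define MAX_PARAMS 15
struct irc_msg {
    char origin[64];          /* message source without the leading ':' */
    char command[16];         /* "AUTHENTICATE", "903", "PING", ... */
    char *params[MAX_PARAMS]; /* point into buf; trailing param kept whole */
    int nparams;
    char buf[512];            /* private, mutable copy of the line */
};
/* Split one IRC line into origin, command and params. The ":prefix" is
 * optional: unrouted server messages (AUTHENTICATE, PING, ERROR) omit it and
 * the origin is then taken to be the server we connected to (server_host).
 * Returns 0 on success, -1 if the line carries no command. */
int irc_parse_line(const char *line, const char *server_host, struct irc_msg *m)
{
    char *p, *sp;
    memset(m, 0, sizeof(*m));
    snprintf(m->buf, sizeof(m->buf), "%s", line);
    m->buf[strcspn(m->buf, "\r\n")] = '\0';
    p = m->buf;
    if (*p == ':') {                          /* routed: explicit origin */
        sp = strchr(p, ' ');
        if (sp) *sp++ = '\0';
        snprintf(m->origin, sizeof(m->origin), "%s", p + 1);
        p = sp;
    } else {                                  /* unrouted: assume the server */
        snprintf(m->origin, sizeof(m->origin), "%s", server_host);
    }
    if (!p || !*p) return -1;
    sp = strchr(p, ' ');
    if (sp) *sp++ = '\0';
    snprintf(m->command, sizeof(m->command), "%s", p);
    p = sp;
    while (p && *p && m->nparams < MAX_PARAMS) {
        if (*p == ':') { m->params[m->nparams++] = p + 1; break; } /* trailing */
        sp = strchr(p, ' ');
        if (sp) *sp++ = '\0';
        m->params[m->nparams++] = p;
        p = sp;
    }
    return 0;
}
enum sasl_state { SASL_WAIT_CHALLENGE, SASL_WAIT_RESULT, SASL_OK, SASL_FAIL };
/* One step of SASL PLAIN after the client has sent "AUTHENTICATE PLAIN": the
 * credentials go out only once the server's "AUTHENTICATE +" challenge has
 * arrived (not blindly together with the mechanism), and numerics 903/904 set
 * the outcome so the caller can tell the user or try another mechanism.
 * creds_b64 is the base64 PLAIN payload. Returns 1 if out holds a line to
 * send, 0 otherwise. */
int sasl_plain_step(enum sasl_state *st, const struct irc_msg *m,
                    const char *creds_b64, char *out, size_t outlen)
{
    if (*st == SASL_WAIT_CHALLENGE && !strcmp(m->command, "AUTHENTICATE") &&
        m->nparams == 1 && !strcmp(m->params[0], "+")) {
        snprintf(out, outlen, "AUTHENTICATE %s", creds_b64);
        *st = SASL_WAIT_RESULT;
        return 1;
    }
    if (!strcmp(m->command, "903")) *st = SASL_OK;        /* RPL_SASLSUCCESS */
    else if (!strcmp(m->command, "904")) *st = SASL_FAIL; /* ERR_SASLFAIL */
    return 0;
}
```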

comment:9 Changed 5 years ago by kermit

In the meantime, you can do something like: ssh -L 7000:chat.us.freenode.net:7000 you@some_host_freenode_trusts and put 127.0.0.1 chat.us.freenode.org in /etc/hosts

comment:10 Changed 5 years ago by jcaimbridge

Just want to say that I was very frustrated with this for quite a while. Then I saw andy's patch. I applied it to pidgin 2.10.1 without an issue, compiled, and it worked.

I'm guessing there are a lot of people in the same situation as me but don't have basic source compilation knowledge (and, understandably, don't desire to invest the time to learn it). With this in mind, here is a basic outline of how to download the source, apply the patch, compile the source, install the application, and take advantage of SASL:

1) download the source from here http://sourceforge.net/projects/pidgin/files/Pidgin/ (see "Looking for the latest version?"), and andy's patch from a few posts above mine

2) extract source to a local directory:

bzip2 -cd pidgin-2.10.1.tar.bz2 | tar xvf -

3) cd into root directory of source folder and apply the patch as follows:

mv pidgin-sasl.patch ./pidgin-2.10.1

cd pidgin-2.10.1

patch -p1 -i pidgin-sasl.patch


4) configure with: ./configure --prefix=/usr/local

note1: the --prefix argument indicates the root directory where the application will be installed. I use /usr/local here because most linux distributions install their application files in /usr/ (you may not want to remove your existing installation). just make sure that when you start up pidgin after the install, you run pidgin from "/usr/local/bin/pidgin"

note2: you may need to add additional arguments to the configure command, enabling or disabling different features. for instance, dbus support was failing to compile on mine, so I also provided the argument "--disable-dbus". you can list all arguments provided by the configure script with "./configure --help"

5) compile the source: make

6) install the compiled binaries and application files:

sudo make install

7) start pidgin:

/usr/local/bin/pidgin

8) create an account for freenode as usual, but take note of two things: first, ensure that you enter your nickserv login and password on the "basic" tab (sasl won't work otherwise); it does not suffice to enter your username/pass in the extra options on the "Advanced" tab that appear with plugins like IRCMore and IRCHelper. second, on the "Advanced" tab, check "authenticate with SASL"

9) try connecting. if it doesn't, you might as well stick with your original installation, so uninstall the version of the application you compiled from the sources with:

sudo make uninstall

comment:11 Changed 4 years ago by haba713

Hi! Is this patch going to be included in the next version of Pidgin?

comment:12 Changed 4 years ago by xnyhps

I'm attaching an updated version of andy753421's patch, which does use the parser changes elb suggested. It's still mostly his work, except for looking for "AUTHENTICATE", a couple of debug messages and extra comments.

And, fwiw, I think the rest of the patch is good and should be accepted.

Changed 4 years ago by xnyhps

Updated version, without the hack around the parsing of AUTHENTICATE messages

comment:13 Changed 4 years ago by BuellerIsNotHere

Will you guys be updating the Windows (or Linux) builds here? It took me, like, three days to figure out how to compile this from scratch. You all can have my source code for the fix, but it doesn't seem like a big deal to add...

Anyway here's Pidgin with SASL for Windows users. http://db.tt/OwByoxJj

comment:14 Changed 4 years ago by teleshoes

this patch works perfectly, is written well {especially with xnyhps cleanup}, and adds a critical {often required} authentication method for one of the most popular protocols. this is hitting a wide range of users, and the fix has been tested cross platform.

guys. come ON.

comment:15 follow-ups: Changed 4 years ago by elb

The patch is not "written well", and it's been discussed in the XMPP chat. It is still a hack. I'll put the details here for the benefit of those who missed it.

  • This patch hand-implements SASL PLAIN, which is a bad idea for both security and flexibility reasons. Other protocols use Cyrus SASL, as this should.
  • The strncmp() check is wrong (it should use len 5).
  • There is no indication to the client that the authentication succeeded or failed.

comment:16 in reply to: ↑ 15 Changed 4 years ago by BuellerIsNotHere

Replying to elb:

The patch is not "written well", and it's been discussed in the XMPP chat. It is still a hack. I'll put the details here for the benefit of those who missed it.

  • This patch hand-implements SASL PLAIN, which is a bad idea for both security and flexibility reasons. Other protocols use Cyrus SASL, as this should.
  • The strncmp() check is wrong (it should use len 5).
  • There is no indication to the client that the authentication succeeded or failed.

I'm not saying you're wrong (not even a C/C++ developer), but for me at least this patch works "well enough"... I tether my phone to the Internet, and SASL plain is a requirement just to get into several IRC networks.

Thank you devs for not forgetting about it!

comment:17 Changed 4 years ago by llamahunter

So, is there no published solution for this? I would like to be able to connect to freenode.net on my mac via Adium

comment:18 in reply to: ↑ 15 Changed 4 years ago by teleshoes

Replying to elb:

The patch is not "written well", and it's been discussed in the XMPP chat. It is still a hack. I'll put the details here for the benefit of those who missed it.

in terms of understandability and clarity, this code is reasonable => it is unlikely to introduce weird regressions.

  • This patch hand-implements SASL PLAIN, which is a bad idea for both security and flexibility reasons. Other protocols use Cyrus SASL, as this should.
  • The strncmp() check is wrong (it should use len 5).
  • There is no indication to the client that the authentication succeeded or failed.

yes, code review and a few tweaks would be nice. this is not a permanent soln, but as an interim until someone gets around to properly implementing cyrus sasl, it should do fine and not break everything. folks would get the critical functionality they need, and the real fix could come later.

comment:19 Changed 4 years ago by rekkanoryo

The problem with "solutions" that users think are "good enough" and will work "until someone gets around to properly implementing" is that no one ever bothers to go back and do a proper implementation. I'm in complete agreement with elb here; this patch will never be shipped as-is in libpurple. If Adium's developers wish to patch their libpurple build with something we refuse to accept, they're free to do so; they've done it before.

comment:20 Changed 4 years ago by xnyhps

I'm attaching a new patch which uses Cyrus for SASL support, so if in the future servers start to support more mechanisms, or if someone writes a DH-BLOWFISH plugin for Cyrus, that should start working automatically. If Cyrus is not installed, the code will not change at all.

The only thing to note, that I'm not 100% sure of, is that it completely replaces the PASS message, and uses the password from the same field for SASL authentication. If there are servers out there that require both a server-password and SASL authentication, then they won't work currently. The lack of a proper specification of this protocol makes it hard to rule out if this is possible...

Changed 4 years ago by xnyhps

Updated patch, uses Cyrus, against release-2.x.y.

Changed 4 years ago by xnyhps

Updated patch: fix unnecessary strdups, check the user for supported SASL mechanisms instead of hard-coding them.

comment:21 follow-up: Changed 4 years ago by Thijs Alkemade <thijsalkemade@…>

  • Milestone changed from Patches Needing Review to 2.10.7
  • Resolution set to fixed
  • Status changed from new to closed

(In [bbd52f93184e]):
Implement SASL support for IRC, using Cyrus.

This is compatible with Freenode etc. That means only PLAIN currently works, as Freenode only offers PLAIN and DH-BLOWFISH, but we try a number of others (as we can't query what the server supports...) in case a server adds them.

Credit goes to Andy Spencer for the original patch.

Fixes #13270

comment:22 Changed 4 years ago by teleshoes

<3

comment:23 in reply to: ↑ 21 ; follow-up: Changed 4 years ago by Elijah Lynn

Replying to Thijs Alkemade <thijsalkemade@…>:

(In [bbd52f93184e]):
Implement SASL support for IRC, using Cyrus.

This is compatible with Freenode etc. That means only PLAIN currently works, as Freenode only offers PLAIN and DH-BLOWFISH, but we try a number of others (as we can't query what the server supports...) in case a server adds them.

Credit goes to Andy Spencer for the original patch.

Fixes #13270

I applied this patch against 2.10.6 from source and am still getting SASL connection authentication messages and cannot connect. Was I supposed to apply this against tip?

comment:24 in reply to: ↑ 23 Changed 4 years ago by datallah

Replying to Elijah Lynn:

I applied this patch against 2.10.6 from source and am still getting SASL connection authentication messages and cannot connect. Was I supposed to apply this against tip?

Did you enable SASL support for your IRC account using the checkbox in your account settings?

comment:25 follow-up: Changed 4 years ago by Elijah Lynn

I did not, but I just checked and I don't see a checkbox anywhere in my account settings. Applying the patch went well, along with make. I did verify that 2.10.6 is running vs the version in Ubuntu 2.10.3. Any other ideas?

comment:26 follow-up: Changed 4 years ago by datallah

It sounds likely that you're using the plugins from the package installed version.

Did you make install and run ldconfig as root?

comment:27 Changed 4 years ago by BuellerIsNotHere

Congratulations on passing this through as a silent update. It seems big enough to mention on the front page, even if it does only use plain authentication.

I don't know if I can speak for everybody, but personally I was just looking for a hack that would let me use Freenode etc when tethering with my phone. Security wasn't the concern as much as managing a connection; for that, this patch is more than enough.

comment:28 in reply to: ↑ 26 Changed 4 years ago by Elijah Lynn

Replying to datallah:

It sounds likely that you're using the plugins from the package installed version.

Did you make install and run ldconfig as root?

I did do a make install but did not do a ldconfig. At what stage would I do a ldconfig?

comment:29 Changed 4 years ago by teleshoes

hey, buellerisnothere. quick question; what are you talking about? are you saying 2.10.7 was released? there is no changelog, nor any downloads posted for that release.

this ticket will likely be in the changelog, but it will definitely be in the link that's in every changelog. https://developer.pidgin.im/query?status=closed&group=resolution&milestone=2.10.7

comment:30 in reply to: ↑ 25 ; follow-ups: Changed 4 years ago by elb

Replying to Elijah Lynn:

I did not, but I just checked and I don't see a checkbox anywhere in my account settings. Applying the patch went well, along with make. I did verify that 2.10.6 is running vs the version in Ubuntu 2.10.3. Any other ideas?

You need to make sure you uninstall the Ubuntu-installed version, as well.

Replying to BuellerIsNotHere:

Congratulations on passing this through as a silent update. It seems big enough to mention on the front page, even if it does only use plain authentication.

First off, it's not a matter of "even if it does only use plain authentication". Pidgin is fully capable of using any authentication method available to SASL. The limitation is on the IRC server side.

Second, this has not been shipped in any release. When 2.10.7 is released, the ChangeLog will certainly mention this feature. It may or may not make the announcement on the front page of pidgin.im, it's not really that big a deal.

comment:31 in reply to: ↑ 30 Changed 4 years ago by Elijah Lynn

Replying to elb:

Replying to Elijah Lynn:

I did not, but I just checked and I don't see a checkbox anywhere in my account settings. Applying the patch went well, along with make. I did verify that 2.10.6 is running vs the version in Ubuntu 2.10.3. Any other ideas?

You need to make sure you uninstall the Ubuntu-installed version, as well.

Replying to BuellerIsNotHere:

Congratulations on passing this through as a silent update. It seems big enough to mention on the front page, even if it does only use plain authentication.

First off, it's not a matter of "even if it does only use plain authentication". Pidgin is fully capable of using any authentication method available to SASL. The limitation is on the IRC server side.

Second, this has not been shipped in any release. When 2.10.7 is released, the ChangeLog will certainly mention this feature. It may or may not make the announcement on the front page of pidgin.im, it's not really that big a deal.

Thanks Elb. I will try that. Is there a very rough timeline when 2.10.7 will be released? Like 2 months, 1 year?

comment:32 follow-up: Changed 4 years ago by Robby

The recent 2.10.x release dates will give you an idea. :)

comment:33 in reply to: ↑ 32 Changed 4 years ago by Elijah Lynn

Replying to Robby:

The recent 2.10.x release dates will give you an idea. :)

This page does not give any release dates - https://developer.pidgin.im/roadmap

Can you link me to the source you are referring to?

comment:35 Changed 4 years ago by teleshoes

pidgin 2.10.7 will be released some time last month.

2.10.0 took 55.00 days {since 2.9}
2.10.1 took 114.04 days {since 2.10.0}
2.10.2 took 95.10 days {since 2.10.1}
2.10.3 took 12.43 days {since 2.10.2}
2.10.4 took 40.43 days {since 2.10.3}
2.10.5 took 60.50 days {since 2.10.4}
2.10.6 took 1.10 days {since 2.10.5}

avg: 54.09 days

comment:36 Changed 4 years ago by Elijah Lynn

Thanks Robby and Teleshoes!

comment:37 in reply to: ↑ 30 Changed 4 years ago by BuellerIsNotHere

Replying to elb:

Replying to BuellerIsNotHere:

Congratulations on passing this through as a silent update. It seems big enough to mention on the front page, even if it does only use plain authentication.

First off, it's not a matter of "even if it does only use plain authentication". Pidgin is fully capable of using any authentication method available to SASL. The limitation is on the IRC server side.

Second, this has not been shipped in any release. When 2.10.7 is released, the ChangeLog will certainly mention this feature. It may or may not make the announcement on the front page of pidgin.im, it's not really that big a deal.

My bad, I thought this was one of the features that had been added in the most recent version of Pidgin. I tend to read these things wrong.
